From 575a7c8f2b7d24cab3f409df2c39c8f7b9e8c296 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Sat, 18 Apr 2026 09:34:12 -0400
Subject: [PATCH 01/20] feat(operator): add audit wiring and token-protected
 operator UI

Wire MongoDB copy audit events after target uploads; add /operator
dashboard with audit feed, deployment metadata, and optional tag API.

Made-with: Cursor
---
 app.go                                  |   7 +
 configs/environment.go                  |  15 ++
 services/audit_logger.go                |  30 +--
 services/github_write_to_target.go      |  85 +++++-
 services/github_write_to_target_test.go |  18 +-
 services/operator_ui.go                 | 329 ++++++++++++++++++++++++
 services/web/operator/index.html        | 163 ++++++++++++
 services/webhook_handler_new.go         |   2 +-
 services/workflow_processor.go          |   9 +-
 types/types.go                          |  26 +-
 10 files changed, 649 insertions(+), 35 deletions(-)
 create mode 100644 services/operator_ui.go
 create mode 100644 services/web/operator/index.html

diff --git a/app.go b/app.go
index 00c50b4..22a70ab 100644
--- a/app.go
+++ b/app.go
@@ -174,6 +174,10 @@ func startWebServer(config *configs.Config, container *services.ServiceContainer
 	// Config diagnostic endpoint — shows resolved config with secrets redacted
 	mux.HandleFunc("/config", services.ConfigDiagnosticHandler(container, version))
 
+	if config.OperatorUIToken != "" {
+		services.RegisterOperatorRoutes(mux, config, container, version)
+	}
+
 	// Info endpoint
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/" {
@@ -189,6 +193,9 @@ func startWebServer(config *configs.Config, container *services.ServiceContainer
 		if config.MetricsEnabled {
 			_, _ = fmt.Fprintf(w, "Metrics: /metrics\n")
 		}
+		if config.OperatorUIToken != "" {
+			_, _ = fmt.Fprintf(w, "Operator UI: /operator/\n")
+		}
 	})
 
 	// Create server
diff --git a/configs/environment.go b/configs/environment.go
index f9f5b01..e76dc07 100644
--- a/configs/environment.go
+++ b/configs/environment.go
@@ -69,6 +69,12 @@ type Config struct {
 	// Webhook retry configuration
 	WebhookMaxRetries        int // max retry attempts for failed webhook processing
 	WebhookRetryInitialDelay int // initial delay between retries in seconds (doubles each attempt)
+
+	// Operator web UI (optional) — protected by OPERATOR_UI_TOKEN when set
+	OperatorUIToken             string
+	OperatorRepoSlug            string // "owner/repo" for GitHub links and optional tag API
+	OperatorReleaseGitHubToken  string // PAT with contents:write to create a version tag (optional)
+	OperatorReleaseTargetBranch string // branch SHA used when creating a tag (default main)
 }
 
 const (
@@ -117,6 +123,10 @@ const (
 	WebhookProcessingTimeoutSeconds = "WEBHOOK_PROCESSING_TIMEOUT_SECONDS"
 	WebhookMaxRetries               = "WEBHOOK_MAX_RETRIES"
 	WebhookRetryInitialDelay        = "WEBHOOK_RETRY_INITIAL_DELAY" //nolint:gosec // env var name, not a credential
+	OperatorUIToken                 = "OPERATOR_UI_TOKEN"           // #nosec G101 -- env var name
+	OperatorRepoSlug                = "OPERATOR_REPO_SLUG"
+	OperatorReleaseGitHubToken      = "OPERATOR_RELEASE_GITHUB_TOKEN" // #nosec G101 -- env var name
+	OperatorReleaseTargetBranch     = "OPERATOR_RELEASE_TARGET_BRANCH"
 )
 
 // NewConfig returns a new Config instance with default values
@@ -235,6 +245,11 @@ func LoadEnvironment(envFile string) (*Config, error) {
 	config.WebhookMaxRetries = getIntEnvWithDefault(WebhookMaxRetries, config.WebhookMaxRetries)
 	config.WebhookRetryInitialDelay = getIntEnvWithDefault(WebhookRetryInitialDelay, config.WebhookRetryInitialDelay)
 
+	config.OperatorUIToken = os.Getenv(OperatorUIToken)
+	config.OperatorRepoSlug = os.Getenv(OperatorRepoSlug)
+	config.OperatorReleaseGitHubToken = os.Getenv(OperatorReleaseGitHubToken)
+	config.OperatorReleaseTargetBranch = getEnvWithDefault(OperatorReleaseTargetBranch, "main")
+
 	if err := validateConfig(config); err != nil {
 		return nil, err
 	}
diff --git a/services/audit_logger.go b/services/audit_logger.go
index 7fa6fca..dc606ca 100644
--- a/services/audit_logger.go
+++ b/services/audit_logger.go
@@ -21,21 +21,21 @@ const (
 
 // AuditEvent represents an audit log entry
 type AuditEvent struct {
-	ID             string         `bson:"_id,omitempty"`
-	Timestamp      time.Time      `bson:"timestamp"`
-	EventType      AuditEventType `bson:"event_type"`
-	RuleName       string         `bson:"rule_name,omitempty"`
-	SourceRepo     string         `bson:"source_repo"`
-	SourcePath     string         `bson:"source_path"`
-	TargetRepo     string         `bson:"target_repo,omitempty"`
-	TargetPath     string         `bson:"target_path,omitempty"`
-	CommitSHA      string         `bson:"commit_sha,omitempty"`
-	PRNumber       int            `bson:"pr_number,omitempty"`
-	Success        bool           `bson:"success"`
-	ErrorMessage   string         `bson:"error_message,omitempty"`
-	DurationMs     int64          `bson:"duration_ms,omitempty"`
-	FileSize       int64          `bson:"file_size,omitempty"`
-	AdditionalData map[string]any `bson:"additional_data,omitempty"`
+	ID             string         `bson:"_id,omitempty" json:"id,omitempty"`
+	Timestamp      time.Time      `bson:"timestamp" json:"timestamp"`
+	EventType      AuditEventType `bson:"event_type" json:"event_type"`
+	RuleName       string         `bson:"rule_name,omitempty" json:"rule_name,omitempty"`
+	SourceRepo     string         `bson:"source_repo" json:"source_repo"`
+	SourcePath     string         `bson:"source_path" json:"source_path"`
+	TargetRepo     string         `bson:"target_repo,omitempty" json:"target_repo,omitempty"`
+	TargetPath     string         `bson:"target_path,omitempty" json:"target_path,omitempty"`
+	CommitSHA      string         `bson:"commit_sha,omitempty" json:"commit_sha,omitempty"`
+	PRNumber       int            `bson:"pr_number,omitempty" json:"pr_number,omitempty"`
+	Success        bool           `bson:"success" json:"success"`
+	ErrorMessage   string         `bson:"error_message,omitempty" json:"error_message,omitempty"`
+	DurationMs     int64          `bson:"duration_ms,omitempty" json:"duration_ms,omitempty"`
+	FileSize       int64          `bson:"file_size,omitempty" json:"file_size,omitempty"`
+	AdditionalData map[string]any `bson:"additional_data,omitempty" json:"additional_data,omitempty"`
 }
 
 // AuditLogger handles audit logging to MongoDB
diff --git a/services/github_write_to_target.go b/services/github_write_to_target.go
index 2159c51..bde8b6d 100644
--- a/services/github_write_to_target.go
+++ b/services/github_write_to_target.go
@@ -54,7 +54,8 @@ func normalizeRefPath(branchPath string, fullPath bool) string {
 
 // AddFilesToTargetRepos uploads files to target repository branches.
 // It accepts the upload map as a parameter for concurrency safety.
-func AddFilesToTargetRepos(ctx context.Context, config *configs.Config, filesToUpload map[types.UploadKey]types.UploadFileContent, prTemplateFetcher PRTemplateFetcher, metricsCollector *MetricsCollector) {
+// When auditLogger is non-nil, each file copy is recorded (success or failure) for MongoDB audit.
+func AddFilesToTargetRepos(ctx context.Context, config *configs.Config, filesToUpload map[types.UploadKey]types.UploadFileContent, prTemplateFetcher PRTemplateFetcher, metricsCollector *MetricsCollector, auditLogger AuditLogger) {
 	if config.DryRun {
 		for key, value := range filesToUpload {
 			LogInfo("[DRY-RUN] Would upload files to target repo",
@@ -71,13 +72,95 @@ func AddFilesToTargetRepos(ctx context.Context, config *configs.Config, filesToU
 	}
 
 	for key, value := range filesToUpload {
+		batchStart := time.Now()
 		if err := uploadToTarget(ctx, config, key, value, prTemplateFetcher); err != nil {
 			LogCritical("Failed to upload files", "repo", key.RepoName, "error", err)
 			recordBatchFailure(metricsCollector, len(value.Content))
+			auditLogCopyBatchFailure(ctx, auditLogger, key, value, err)
+		} else {
+			auditLogCopyBatchSuccess(ctx, auditLogger, key, value, time.Since(batchStart))
 		}
 	}
 }
 
+func auditLogCopyBatchSuccess(ctx context.Context, auditLogger AuditLogger, key types.UploadKey, value types.UploadFileContent, elapsed time.Duration) {
+	if auditLogger == nil || len(value.Content) == 0 {
+		return
+	}
+	n := len(value.Content)
+	perFileMs := elapsed.Milliseconds() / int64(n)
+	if perFileMs == 0 && elapsed > 0 {
+		perFileMs = 1
+	}
+	for i := range value.Content {
+		f := value.Content[i]
+		meta := types.CopierFileMeta{}
+		if i < len(value.FileMeta) {
+			meta = value.FileMeta[i]
+		}
+		srcPath := meta.SourcePath
+		if srcPath == "" {
+			srcPath = f.GetPath()
+		}
+		ev := &AuditEvent{
+			RuleName:   meta.RuleName,
+			SourceRepo: meta.SourceRepo,
+			SourcePath: srcPath,
+			TargetRepo: key.RepoName,
+			TargetPath: f.GetName(),
+			PRNumber:   meta.PRNumber,
+			Success:    true,
+			DurationMs: perFileMs,
+			FileSize:   int64(decodedFileBytes(&f)),
+		}
+		if err := auditLogger.LogCopyEvent(ctx, ev); err != nil {
+			LogWarning("audit LogCopyEvent failed", "error", err)
+		}
+	}
+}
+
+func auditLogCopyBatchFailure(ctx context.Context, auditLogger AuditLogger, key types.UploadKey, value types.UploadFileContent, batchErr error) {
+	if auditLogger == nil || len(value.Content) == 0 {
+		return
+	}
+	msg := batchErr.Error()
+	for i := range value.Content {
+		f := value.Content[i]
+		meta := types.CopierFileMeta{}
+		if i < len(value.FileMeta) {
+			meta = value.FileMeta[i]
+		}
+		srcPath := meta.SourcePath
+		if srcPath == "" {
+			srcPath = f.GetPath()
+		}
+		ev := &AuditEvent{
+			RuleName:     meta.RuleName,
+			SourceRepo:   meta.SourceRepo,
+			SourcePath:   srcPath,
+			TargetRepo:   key.RepoName,
+			TargetPath:   f.GetName(),
+			PRNumber:     meta.PRNumber,
+			Success:      false,
+			ErrorMessage: msg,
+		}
+		if err := auditLogger.LogCopyEvent(ctx, ev); err != nil {
+			LogWarning("audit LogCopyEvent (failure) failed", "error", err)
+		}
+	}
+}
+
+func decodedFileBytes(f *github.RepositoryContent) int {
+	if f == nil {
+		return 0
+	}
+	c, err := f.GetContent()
+	if err != nil {
+		return 0
+	}
+	return len(c)
+}
+
 // uploadToTarget handles a single upload-key: authenticates for the target org,
 // resolves commit parameters, and dispatches to the appropriate strategy.
 func uploadToTarget(ctx context.Context, config *configs.Config, key types.UploadKey, value types.UploadFileContent, prTemplateFetcher PRTemplateFetcher) error {
diff --git a/services/github_write_to_target_test.go b/services/github_write_to_target_test.go
index 05e1383..e61221f 100644
--- a/services/github_write_to_target_test.go
+++ b/services/github_write_to_target_test.go
@@ -83,7 +83,7 @@ func TestAddFilesToTargetRepos_Direct_Succeeds(t *testing.T) {
 		},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), test.TestConfig(), filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), test.TestConfig(), filesToUpload, nil, nil, nil)
 
 	info := httpmock.GetCallCountInfo()
 	require.Equal(t, 1, info["GET "+baseRefURL])
@@ -173,7 +173,7 @@ func TestAddFilesToTargetRepos_ViaPR_Succeeds(t *testing.T) {
 		},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil, nil)
 
 	require.Equal(t, 1, test.CountByMethodAndURLRegexp("POST",
 		regexp.MustCompile(`/app/installations/`+regexp.QuoteMeta(cfg.InstallationId)+`/access_tokens$`),
@@ -244,7 +244,7 @@ func TestAddFilesToTargetRepos_Direct_SkipsEmptyCommit(t *testing.T) {
 		},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), test.TestConfig(), filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), test.TestConfig(), filesToUpload, nil, nil, nil)
 
 	info := httpmock.GetCallCountInfo()
 	// Should still fetch the ref and create the tree
@@ -284,7 +284,7 @@ func TestAddFiles_DirectConflict_NonFastForward(t *testing.T) {
 		},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), test.TestConfig(), filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), test.TestConfig(), filesToUpload, nil, nil, nil)
 
 	info := httpmock.GetCallCountInfo()
 	require.Equal(t, 1, info["GET "+baseRefURL])
@@ -364,7 +364,7 @@ func TestAddFiles_ViaPR_MergeConflict_Dirty_NotMerged(t *testing.T) {
 		},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil, nil)
 
 	info := httpmock.GetCallCountInfo()
 	require.Equal(t, 1, info["POST "+createRefURL])
@@ -417,7 +417,7 @@ func TestPriority_Strategy_ConfigOverridesEnv_And_MessageFallbacks(t *testing.T)
 		{RepoName: repo, BranchPath: "refs/heads/" + baseBranch, CommitStrategy: typeCfg.CopierCommitStrategy}: {TargetBranch: baseBranch, Content: files},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), testCfg, filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), testCfg, filesToUpload, nil, nil, nil)
 
 	info := httpmock.GetCallCountInfo()
 	require.Equal(t, 1, info["GET "+baseRefURL])
@@ -495,7 +495,7 @@ func TestPriority_PRTitleDefaultsToCommitMessage_And_NoAutoMergeWhenConfigPresen
 		{RepoName: repo, BranchPath: "refs/heads/" + baseBranch, RuleName: "", CommitStrategy: "pr"}: {TargetBranch: baseBranch, Content: files, CommitStrategy: "pr"},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil, nil)
 
 	require.Equal(t, 1, test.CountByMethodAndURLRegexp("POST", regexp.MustCompile(`/pulls$`)))
 	require.Equal(t, 0, test.CountByMethodAndURLRegexp("PUT", regexp.MustCompile(`/pulls/5/merge$`)))
@@ -564,7 +564,7 @@ func TestAddFilesToTargetRepos_MixedStrategies_ProducesSeparateOperations(t *tes
 		},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil, nil)
 
 	info := httpmock.GetCallCountInfo()
 
@@ -647,7 +647,7 @@ func TestAddFilesViaPR_ReusesExistingCopierPR(t *testing.T) {
 		},
 	}
 
-	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil)
+	services.AddFilesToTargetRepos(context.Background(), cfg, filesToUpload, nil, nil, nil)
 
 	info := httpmock.GetCallCountInfo()
 
diff --git a/services/operator_ui.go b/services/operator_ui.go
new file mode 100644
index 0000000..c90b304
--- /dev/null
+++ b/services/operator_ui.go
@@ -0,0 +1,329 @@
+package services
+
+import (
+	"bytes"
+	"context"
+	"crypto/subtle"
+	_ "embed"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/grove-platform/github-copier/configs"
+)
+
+//go:embed web/operator/index.html
+var operatorIndexHTML []byte
+
+var operatorVersionTagRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+$`)
+
+// RegisterOperatorRoutes mounts the operator HTML UI and JSON APIs under /operator/.
+// cfg.OperatorUIToken must be non-empty before calling (caller checks).
+func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *ServiceContainer, version string) {
+	o := &operatorUI{
+		cfg:       cfg,
+		container: container,
+		version:   version,
+	}
+	mux.HandleFunc("/operator/api/audit/events", o.wrapAPI(o.handleAuditEvents))
+	mux.HandleFunc("/operator/api/deployment", o.wrapAPI(o.handleDeployment))
+	mux.HandleFunc("/operator/api/release", o.wrapAPI(o.handleRelease))
+	mux.HandleFunc("/operator/", o.serveIndex)
+	mux.HandleFunc("/operator", func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, "/operator/", http.StatusFound)
+	})
+}
+
+type operatorUI struct {
+	cfg       *configs.Config
+	container *ServiceContainer
+	version   string
+}
+
+func (o *operatorUI) wrapAPI(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if !operatorAuthOK(o.cfg.OperatorUIToken, bearerToken(r)) {
+			w.WriteHeader(http.StatusUnauthorized)
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": "unauthorized"})
+			return
+		}
+		next(w, r)
+	}
+}
+
+func bearerToken(r *http.Request) string {
+	h := r.Header.Get("Authorization")
+	const p = "Bearer "
+	if len(h) > len(p) && strings.EqualFold(h[:len(p)], p) {
+		return strings.TrimSpace(h[len(p):])
+	}
+	return ""
+}
+
+func operatorAuthOK(expected, got string) bool {
+	if expected == "" {
+		return false
+	}
+	e := []byte(expected)
+	g := []byte(got)
+	if len(e) != len(g) {
+		return false
+	}
+	return subtle.ConstantTimeCompare(e, g) == 1
+}
+
+func (o *operatorUI) serveIndex(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path != "/operator/" {
+		http.NotFound(w, r)
+		return
+	}
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	_, _ = w.Write(operatorIndexHTML)
+}
+
+func (o *operatorUI) handleAuditEvents(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	limit := 50
+	if q := r.URL.Query().Get("limit"); q != "" {
+		if n, err := strconv.Atoi(q); err == nil && n > 0 {
+			limit = n
+		}
+	}
+	if limit > 200 {
+		limit = 200
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+	if o.container.AuditLogger == nil {
+		_ = json.NewEncoder(w).Encode(map[string]any{"events": []any{}})
+		return
+	}
+	events, err := o.container.AuditLogger.GetRecentEvents(ctx, limit)
+	if err != nil {
+		w.WriteHeader(http.StatusBadGateway)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+		return
+	}
+	_ = json.NewEncoder(w).Encode(map[string]any{"events": events})
+}
+
+// OperatorDeploymentInfo is non-secret runtime and platform metadata for the operator UI.
+type OperatorDeploymentInfo struct {
+	Version            string            `json:"version"`
+	GoogleCloudRegion  string            `json:"google_cloud_region,omitempty"`
+	CloudRunService    string            `json:"cloud_run_service,omitempty"`
+	CloudRunRevision   string            `json:"cloud_run_revision,omitempty"`
+	CloudRunConfig     string            `json:"cloud_run_configuration,omitempty"`
+	GoogleCloudProject string            `json:"google_cloud_project,omitempty"`
+	Port               string            `json:"port"`
+	WebhookPath        string            `json:"webhook_path"`
+	DryRun             bool              `json:"dry_run"`
+	AuditEnabled       bool              `json:"audit_enabled"`
+	AuditDatabase      string            `json:"audit_database,omitempty"`
+	AuditCollection    string            `json:"audit_collection,omitempty"`
+	ConfigRepo         string            `json:"config_repo,omitempty"`
+	EffectiveConfig    string            `json:"effective_config_file,omitempty"`
+	OperatorRepoSlug   string            `json:"operator_repo_slug,omitempty"`
+	ReleaseAPIMode     string            `json:"release_api_mode"`
+	Env                map[string]string `json:"cloud_env,omitempty"`
+}
+
+func (o *operatorUI) handleDeployment(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	releaseMode := "disabled"
+	if o.cfg.OperatorReleaseGitHubToken != "" && o.cfg.OperatorRepoSlug != "" {
+		releaseMode = "tag_create_enabled"
+	}
+	info := OperatorDeploymentInfo{
+		Version:            o.version,
+		CloudRunService:    os.Getenv("K_SERVICE"),
+		CloudRunRevision:   os.Getenv("K_REVISION"),
+		CloudRunConfig:     os.Getenv("K_CONFIGURATION"),
+		GoogleCloudProject: o.cfg.GoogleCloudProjectId,
+		Port:               o.cfg.Port,
+		WebhookPath:        o.cfg.WebserverPath,
+		DryRun:             o.cfg.DryRun,
+		AuditEnabled:       o.cfg.AuditEnabled,
+		AuditDatabase:      o.cfg.AuditDatabase,
+		AuditCollection:    o.cfg.AuditCollection,
+		ConfigRepo:         o.cfg.ConfigRepoOwner + "/" + o.cfg.ConfigRepoName,
+		EffectiveConfig:    o.cfg.EffectiveConfigFile(),
+		OperatorRepoSlug:   o.cfg.OperatorRepoSlug,
+		ReleaseAPIMode:     releaseMode,
+		Env: map[string]string{
+			"ENV": firstEnv("ENV"),
+		},
+	}
+	if region := os.Getenv("GOOGLE_CLOUD_REGION"); region != "" {
+		info.GoogleCloudRegion = region
+	}
+	_ = json.NewEncoder(w).Encode(info)
+}
+
+type operatorReleaseRequest struct {
+	Version string `json:"version"`
+}
+
+type operatorReleaseResponse struct {
+	OK      bool   `json:"ok,omitempty"`
+	Ref     string `json:"ref,omitempty"`
+	TagSHA  string `json:"tag_sha,omitempty"`
+	Message string `json:"message,omitempty"`
+	Error   string `json:"error,omitempty"`
+	Notice  string `json:"notice,omitempty"`
+}
+
+func (o *operatorUI) handleRelease(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	body, err := io.ReadAll(io.LimitReader(r.Body, 4096))
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReleaseResponse{Error: "read body"})
+		return
+	}
+	var req operatorReleaseRequest
+	if err := json.Unmarshal(body, &req); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReleaseResponse{Error: "invalid json"})
+		return
+	}
+	v := strings.TrimSpace(req.Version)
+	if !operatorVersionTagRe.MatchString(v) {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReleaseResponse{Error: "version must match vMAJOR.MINOR.PATCH"})
+		return
+	}
+	if o.cfg.OperatorReleaseGitHubToken == "" || o.cfg.OperatorRepoSlug == "" {
+		w.WriteHeader(http.StatusNotImplemented)
+		_ = json.NewEncoder(w).Encode(operatorReleaseResponse{
+			Error:  "set OPERATOR_RELEASE_GITHUB_TOKEN and OPERATOR_REPO_SLUG to enable tag creation from the UI",
+			Notice: "Full releases (changelog + GitHub Release) still use ./scripts/release.sh locally.",
+		})
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
+	defer cancel()
+	ref, sha, err := githubCreateVersionTag(ctx, o.cfg.OperatorReleaseGitHubToken, o.cfg.OperatorRepoSlug, o.cfg.OperatorReleaseTargetBranch, v)
+	if err != nil {
+		w.WriteHeader(http.StatusBadGateway)
+		_ = json.NewEncoder(w).Encode(operatorReleaseResponse{Error: err.Error()})
+		return
+	}
+	_ = json.NewEncoder(w).Encode(operatorReleaseResponse{
+		OK:      true,
+		Ref:     ref,
+		TagSHA:  sha,
+		Message: "Tag pushed to GitHub; if CI is configured for tag deploys, the pipeline should start shortly.",
+		Notice:  "This does not update CHANGELOG.md — use scripts/release.sh for a documented release.",
+	})
+}
+
+func firstEnv(keys ...string) string {
+	for _, k := range keys {
+		if v := os.Getenv(k); v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func githubCreateVersionTag(ctx context.Context, pat, repoSlug, baseBranch, version string) (ref string, sha string, err error) {
+	parts := strings.SplitN(strings.TrimSpace(repoSlug), "/", 2)
+	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+		return "", "", fmt.Errorf("invalid OPERATOR_REPO_SLUG (want owner/repo)")
+	}
+	owner, repo := parts[0], parts[1]
+	baseURL := fmt.Sprintf("https://api.github.com/repos/%s/%s/git/ref/heads/%s", owner, repo, baseBranch)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL, nil)
+	if err != nil {
+		return "", "", err
+	}
+	req.Header.Set("Authorization", "Bearer "+pat)
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
+
+	resp, err := githubHTTPClient().Do(req)
+	if err != nil {
+		return "", "", err
+	}
+	defer func() { _ = resp.Body.Close() }()
+	baseBody, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if resp.StatusCode != http.StatusOK {
+		return "", "", fmt.Errorf("github get branch ref: %s: %s", resp.Status, strings.TrimSpace(string(baseBody)))
+	}
+	var refObj struct {
+		Object struct {
+			SHA string `json:"sha"`
+		} `json:"object"`
+	}
+	if err := json.Unmarshal(baseBody, &refObj); err != nil {
+		return "", "", fmt.Errorf("parse branch ref: %w", err)
+	}
+	headSHA := refObj.Object.SHA
+	if headSHA == "" {
+		return "", "", fmt.Errorf("empty base sha for branch %s", baseBranch)
+	}
+
+	tagRef := "refs/tags/" + version
+	payload := map[string]string{"ref": tagRef, "sha": headSHA}
+	buf, err := json.Marshal(payload)
+	if err != nil {
+		return "", "", err
+	}
+	postURL := fmt.Sprintf("https://api.github.com/repos/%s/%s/git/refs", owner, repo)
+	postReq, err := http.NewRequestWithContext(ctx, http.MethodPost, postURL, bytes.NewReader(buf))
+	if err != nil {
+		return "", "", err
+	}
+	postReq.Header.Set("Authorization", "Bearer "+pat)
+	postReq.Header.Set("Accept", "application/vnd.github+json")
+	postReq.Header.Set("Content-Type", "application/json")
+	postReq.Header.Set("X-GitHub-Api-Version", "2022-11-28")
+
+	postResp, err := githubHTTPClient().Do(postReq)
+	if err != nil {
+		return "", "", err
+	}
+	defer func() { _ = postResp.Body.Close() }()
+	postBody, _ := io.ReadAll(io.LimitReader(postResp.Body, 1<<20))
+	if postResp.StatusCode != http.StatusCreated {
+		return "", "", fmt.Errorf("github create tag ref: %s: %s", postResp.Status, strings.TrimSpace(string(postBody)))
+	}
+	var created struct {
+		Ref    string `json:"ref"`
+		Object struct {
+			SHA string `json:"sha"`
+		} `json:"object"`
+	}
+	if err := json.Unmarshal(postBody, &created); err != nil {
+		return "", "", fmt.Errorf("parse create ref response: %w", err)
+	}
+	return created.Ref, created.Object.SHA, nil
+}
+
+func githubHTTPClient() *http.Client {
+	return &http.Client{Timeout: 25 * time.Second}
+}
diff --git a/services/web/operator/index.html b/services/web/operator/index.html
new file mode 100644
index 0000000..8cb433e
--- /dev/null
+++ b/services/web/operator/index.html
@@ -0,0 +1,163 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>GitHub Copier — Operator</title>
+  <style>
+    :root { font-family: system-ui, sans-serif; line-height: 1.45; color: #1a1a1a; background: #f6f7f9; }
+    body { margin: 0; padding: 1.25rem 1.5rem 3rem; max-width: 1100px; margin-inline: auto; }
+    h1 { font-size: 1.35rem; margin: 0 0 0.25rem; }
+    p.sub { margin: 0 0 1.25rem; color: #555; font-size: 0.95rem; }
+    section { background: #fff; border-radius: 10px; padding: 1rem 1.25rem; margin-bottom: 1.25rem; box-shadow: 0 1px 2px rgba(0,0,0,.06); }
+    h2 { font-size: 1.05rem; margin: 0 0 0.75rem; }
+    label { display: block; font-size: 0.85rem; color: #444; margin-bottom: 0.35rem; }
+    input[type="password"], input[type="text"] { width: 100%; max-width: 28rem; padding: 0.45rem 0.55rem; border: 1px solid #ccc; border-radius: 6px; font-size: 0.95rem; }
+    button { padding: 0.45rem 0.85rem; border-radius: 6px; border: 1px solid #2563eb; background: #2563eb; color: #fff; font-size: 0.9rem; cursor: pointer; }
+    button.secondary { background: #fff; color: #2563eb; }
+    button:disabled { opacity: 0.55; cursor: not-allowed; }
+    .row { display: flex; flex-wrap: wrap; gap: 0.75rem; align-items: flex-end; margin-top: 0.5rem; }
+    table { width: 100%; border-collapse: collapse; font-size: 0.88rem; }
+    th, td { text-align: left; padding: 0.45rem 0.35rem; border-bottom: 1px solid #eee; vertical-align: top; }
+    th { color: #555; font-weight: 600; }
+    .ok { color: #15803d; font-weight: 600; }
+    .fail { color: #b91c1c; font-weight: 600; }
+    pre { background: #f1f5f9; padding: 0.75rem; border-radius: 8px; overflow: auto; font-size: 0.8rem; max-height: 320px; }
+    .err { color: #b91c1c; font-size: 0.9rem; margin-top: 0.5rem; }
+    .hint { font-size: 0.82rem; color: #64748b; margin-top: 0.5rem; }
+  </style>
+</head>
+<body>
+  <h1>GitHub Copier — Operator</h1>
+  <p class="sub">Recent copy audit events, deployment metadata, and optional tag-based release (same trigger as CI on version tags).</p>
+
+  <section>
+    <h2>Access</h2>
+    <label for="token">Operator token (<code>OPERATOR_UI_TOKEN</code>)</label>
+    <div class="row">
+      <input id="token" type="password" autocomplete="off" placeholder="Paste token" style="flex:1;min-width:220px" />
+      <button type="button" id="saveToken">Save in session</button>
+      <button type="button" class="secondary" id="clearToken">Clear</button>
+    </div>
+    <p class="hint">Stored only in <code>sessionStorage</code> for this browser tab. Send <code>Authorization: Bearer …</code> on API calls.</p>
+  </section>
+
+  <section>
+    <h2>Recent copy events</h2>
+    <div class="row">
+      <div>
+        <label for="limit">Limit</label>
+        <input id="limit" type="text" value="50" style="width:4rem" />
+      </div>
+      <button type="button" id="loadAudit">Refresh</button>
+    </div>
+    <p id="auditErr" class="err" hidden></p>
+    <div style="overflow:auto;margin-top:0.75rem">
+      <table>
+        <thead>
+          <tr>
+            <th>Time</th>
+            <th>Status</th>
+            <th>Rule</th>
+            <th>Source</th>
+            <th>Target</th>
+            <th>PR</th>
+            <th>Error</th>
+          </tr>
+        </thead>
+        <tbody id="auditBody"></tbody>
+      </table>
+    </div>
+  </section>
+
+  <section>
+    <h2>Deployment</h2>
+    <button type="button" id="loadDeploy">Load</button>
+    <p id="deployErr" class="err" hidden></p>
+    <pre id="deployJson" hidden></pre>
+  </section>
+
+  <section>
+    <h2>Release (tag → deploy)</h2>
+    <p class="hint">Production deploy runs on <strong>version tag</strong> pushes (<code>vMAJOR.MINOR.PATCH</code>). Changelog updates still require <code>scripts/release.sh</code> locally unless you only create a tag.</p>
+    <label for="version">Version tag</label>
+    <div class="row">
+      <input id="version" type="text" placeholder="v0.4.0" style="max-width:10rem" />
+      <button type="button" id="doRelease">Create tag via API</button>
+    </div>
+    <p id="relErr" class="err" hidden></p>
+    <pre id="relJson" hidden></pre>
+  </section>
+
+  <script>
+    const TKEY = 'github-copier-operator-token';
+    function authHeaders() {
+      const t = sessionStorage.getItem(TKEY) || '';
+      const h = { 'Accept': 'application/json' };
+      if (t) h['Authorization'] = 'Bearer ' + t;
+      return h;
+    }
+    function showErr(id, msg) {
+      const el = document.getElementById(id);
+      if (!msg) { el.hidden = true; el.textContent = ''; return; }
+      el.hidden = false; el.textContent = msg;
+    }
+    document.getElementById('saveToken').onclick = () => {
+      sessionStorage.setItem(TKEY, document.getElementById('token').value.trim());
+    };
+    document.getElementById('clearToken').onclick = () => {
+      sessionStorage.removeItem(TKEY);
+      document.getElementById('token').value = '';
+    };
+    document.getElementById('token').value = sessionStorage.getItem(TKEY) || '';
+
+    async function loadAudit() {
+      showErr('auditErr', '');
+      const lim = parseInt(document.getElementById('limit').value, 10) || 50;
+      const res = await fetch('/operator/api/audit/events?limit=' + encodeURIComponent(lim), { headers: authHeaders() });
+      const body = await res.json().catch(() => ({}));
+      if (!res.ok) { showErr('auditErr', body.error || res.statusText); return; }
+      const tb = document.getElementById('auditBody');
+      tb.innerHTML = '';
+      (body.events || []).forEach(ev => {
+        const tr = document.createElement('tr');
+        const st = ev.success ? '<span class="ok">copied</span>' : '<span class="fail">failed</span>';
+        const err = ev.error_message ? escapeHtml(ev.error_message.slice(0, 200)) : '';
+        tr.innerHTML = '<td>' + escapeHtml(ev.timestamp || '') + '</td><td>' + st + '</td><td>' + escapeHtml(ev.rule_name || '') + '</td><td>' + escapeHtml((ev.source_repo || '') + ':' + (ev.source_path || '')) + '</td><td>' + escapeHtml((ev.target_repo || '') + ':' + (ev.target_path || '')) + '</td><td>' + (ev.pr_number || '') + '</td><td>' + err + '</td>';
+        tb.appendChild(tr);
+      });
+    }
+    function escapeHtml(s) {
+      return String(s).replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]));
+    }
+    document.getElementById('loadAudit').onclick = loadAudit;
+
+    document.getElementById('loadDeploy').onclick = async () => {
+      showErr('deployErr', '');
+      const res = await fetch('/operator/api/deployment', { headers: authHeaders() });
+      const body = await res.json().catch(() => ({}));
+      if (!res.ok) { showErr('deployErr', body.error || res.statusText); return; }
+      const pre = document.getElementById('deployJson');
+      pre.hidden = false;
+      pre.textContent = JSON.stringify(body, null, 2);
+    };
+
+    document.getElementById('doRelease').onclick = async () => {
+      showErr('relErr', '');
+      const version = document.getElementById('version').value.trim();
+      const res = await fetch('/operator/api/release', {
+        method: 'POST',
+        headers: Object.assign({ 'Content-Type': 'application/json' }, authHeaders()),
+        body: JSON.stringify({ version })
+      });
+      const body = await res.json().catch(() => ({}));
+      const pre = document.getElementById('relJson');
+      pre.hidden = false;
+      pre.textContent = JSON.stringify(body, null, 2);
+      if (!res.ok) { showErr('relErr', body.error || res.statusText); }
+    };
+
+    loadAudit();
+  </script>
+</body>
+</html>
diff --git a/services/webhook_handler_new.go b/services/webhook_handler_new.go
index 9d8f4aa..23513e8 100644
--- a/services/webhook_handler_new.go
+++ b/services/webhook_handler_new.go
@@ -464,7 +464,7 @@ func fetchChangedFiles(ctx context.Context, config *configs.Config, container *S
 func uploadAndDeprecateFiles(ctx context.Context, config *configs.Config, container *ServiceContainer, sourceRepoOwner, sourceRepoName, sourceBranch string, prNumber int) {
 	// Upload queued files
 	filesToUpload := container.FileStateService.GetFilesToUpload()
-	AddFilesToTargetRepos(ctx, config, filesToUpload, container.PRTemplateFetcher, container.MetricsCollector)
+	AddFilesToTargetRepos(ctx, config, filesToUpload, container.PRTemplateFetcher, container.MetricsCollector, container.AuditLogger)
 	container.FileStateService.ClearFilesToUpload()
 
 	// Build deprecation map and update file in the source repo
diff --git a/services/workflow_processor.go b/services/workflow_processor.go
index c29d1b1..15a862b 100644
--- a/services/workflow_processor.go
+++ b/services/workflow_processor.go
@@ -150,7 +150,7 @@ func (wp *workflowProcessor) ProcessWorkflow(
 			continue // fetch failed — already logged
 		}
 		mr.fileContent.Name = github.Ptr(mr.targetPath)
-		wp.queueUpload(ctx, mr.workflow, mr.fileContent, mr.targetPath, mr.prNumber, mr.sourceCommitSHA)
+		wp.queueUpload(ctx, mr.workflow, mr.fileContent, mr.targetPath, mr.prNumber, mr.sourceCommitSHA, mr.file.Path)
 		filesMatched++
 	}
 
@@ -411,6 +411,7 @@ func (wp *workflowProcessor) queueUpload(
 	targetPath string,
 	prNumber int,
 	sourceCommitSHA string,
+	sourcePath string,
 ) {
 
 	// Create upload key — includes CommitStrategy so that workflows with
@@ -454,6 +455,12 @@ func (wp *workflowProcessor) queueUpload(
 
 	// Add file to content
 	content.Content = append(content.Content, *fileContent)
+	content.FileMeta = append(content.FileMeta, types.CopierFileMeta{
+		RuleName:   workflow.Name,
+		SourceRepo: workflow.Source.Repo,
+		SourcePath: sourcePath,
+		PRNumber:   prNumber,
+	})
 
 	// Render templates with message context
 	msgCtx := types.NewMessageContext()
diff --git a/types/types.go b/types/types.go
index 5f1a3c3..7a026f0 100644
--- a/types/types.go
+++ b/types/types.go
@@ -110,14 +110,24 @@ type UploadKey struct {
 }
 
 type UploadFileContent struct {
-	TargetBranch   string                     `json:"target_branch"`
-	Content        []github.RepositoryContent `json:"content"`
-	CommitStrategy CommitStrategy             `json:"commit_strategy,omitempty"`
-	CommitMessage  string                     `json:"commit_message,omitempty"`
-	PRTitle        string                     `json:"pr_title,omitempty"`
-	PRBody         string                     `json:"pr_body,omitempty"`
-	UsePRTemplate  bool                       `json:"use_pr_template,omitempty"` // If true, fetch and merge PR template from target repo
-	AutoMergePR    bool                       `json:"auto_merge_pr,omitempty"`
+	TargetBranch string                     `json:"target_branch"`
+	Content      []github.RepositoryContent `json:"content"`
+	// FileMeta aligns 1:1 with Content — provenance for each file (audit, Slack, diagnostics).
+	FileMeta       []CopierFileMeta `json:"file_meta,omitempty"`
+	CommitStrategy CommitStrategy   `json:"commit_strategy,omitempty"`
+	CommitMessage  string           `json:"commit_message,omitempty"`
+	PRTitle        string           `json:"pr_title,omitempty"`
+	PRBody         string           `json:"pr_body,omitempty"`
+	UsePRTemplate  bool             `json:"use_pr_template,omitempty"` // If true, fetch and merge PR template from target repo
+	AutoMergePR    bool             `json:"auto_merge_pr,omitempty"`
+}
+
+// CopierFileMeta carries per-file provenance for uploads (order matches UploadFileContent.Content).
+type CopierFileMeta struct {
+	RuleName   string `json:"rule_name,omitempty"`
+	SourceRepo string `json:"source_repo,omitempty"`
+	SourcePath string `json:"source_path,omitempty"`
+	PRNumber   int    `json:"pr_number,omitempty"`
 }
 
 // CommitStrategy represents the strategy for committing changes

From 539d43cbe87ed08bb823fee9ac72182bdd7b1373 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Mon, 20 Apr 2026 14:09:52 -0400
Subject: [PATCH 02/20] feat(operator): comprehensive operator UI with
 writer-facing features

Backend:
- Add workflow config API (GET /operator/api/workflows) serving parsed config
- Add webhook replay API (POST /operator/api/replay) with safety guards
  (in-flight dedup, merged-PR check, synthetic delivery ID)
- Add per-delivery log viewer (GET /operator/api/logs) with context-tagged
  log capture via DeliveryLogBuffer ring buffer
- Add PR number and file path filters to audit query API
- Fix ObjectID decoding for mongo-driver v2 (ObjectIDAsHexString)
- Fix constant-time token comparison leaking token length
- Fix empty-commit PR creation bug (errTreeUnchanged sentinel)
- Add CommitSHA to WebhookTraceEntry and CopierFileMeta
- Enrich webhook trace detail with target repos and file counts
- Add uptime + MongoDB health check to deployment API

Frontend - operator UI rewrite:
- 5-tab layout: Overview, Webhooks, Audit, Workflows, System
- Writer/Operator mode toggle (hides infrastructure tabs for writers)
- Sticky status bar: version, uptime, MongoDB health, last webhook, connection
- Dark mode with full CSS variable theming
- Collapsible sections with localStorage persistence
- Grouped metrics with delta indicators, sparklines, health accent borders
- Grouped deployment cards with copy-to-clipboard
- Structured detail badges in webhook trace Detail column
- Audit event detail drawer with all fields + replay button
- File match tester: client-side glob/regex/move/copy matching against
  loaded workflow config with target path computation
- PR lookup combining traces + audit into unified timeline view
- Recent copies card-based feed
- Workflow browser with search and visual cards
- In-app help / getting started documentation
- CSV export for audit events
- Toast notifications for background auto-refresh errors
- Connection heartbeat (60s ping with disconnected indicator)
- Auto-refresh with persisted checkbox state
- Shareable state URLs via history.replaceState
- Deep-linkable filters, tabs, and mode (?tab=audit&pr=123&mode=writer)
- Keyboard shortcuts (1-5 tabs, R refresh, D dark, T time, W mode, ? help)
- Empty state messages, expandable errors, GitHub links throughout
- Responsive audit table (hides SHA/Type columns on narrow screens)
- Token show/hide toggle, release confirmation dialog, inline favicon
- Relative/absolute time toggle with periodic update
---
 app.go                             |   26 +-
 configs/environment.go             |   35 +-
 env-cloudrun.yaml                  |    4 +
 services/audit_logger.go           |   84 +-
 services/audit_logger_test.go      |   12 +
 services/delivery_tracker.go       |   57 +
 services/delivery_tracker_test.go  |    7 +
 services/github_write_to_target.go |   21 +-
 services/log_buffer.go             |  116 ++
 services/logger.go                 |   18 +
 services/operator_ui.go            |  449 +++++++-
 services/service_container.go      |    8 +
 services/web/operator/index.html   | 1609 +++++++++++++++++++++++++---
 services/webhook_handler_new.go    |  133 ++-
 services/webhook_trace_buffer.go   |   97 ++
 services/workflow_processor.go     |    1 +
 types/types.go                     |    1 +
 17 files changed, 2483 insertions(+), 195 deletions(-)
 create mode 100644 services/log_buffer.go
 create mode 100644 services/webhook_trace_buffer.go

diff --git a/app.go b/app.go
index 22a70ab..df300b1 100644
--- a/app.go
+++ b/app.go
@@ -155,29 +155,23 @@ func startWebServer(config *configs.Config, container *services.ServiceContainer
 	// Create HTTP handler with all routes
 	mux := http.NewServeMux()
 
-	// Webhook endpoint
-	mux.HandleFunc(config.WebserverPath, func(w http.ResponseWriter, r *http.Request) {
-		handleWebhook(w, r, config, container)
-	})
-
-	// Liveness probe — lightweight, always 200 if process is running
+	// Register built-in paths before the configurable webhook route so a mis-set
+	// WEBSERVER_PATH can never shadow /health, /ready, /metrics, /config, or /operator.
 	mux.HandleFunc("/health", services.HealthHandler(container.StartTime, version))
-
-	// Readiness probe — checks GitHub auth, MongoDB connectivity
 	mux.HandleFunc("/ready", services.ReadinessHandler(container))
-
-	// Metrics endpoint (if enabled)
 	if config.MetricsEnabled {
 		mux.HandleFunc("/metrics", services.MetricsHandler(container.MetricsCollector, container.FileStateService))
 	}
-
-	// Config diagnostic endpoint — shows resolved config with secrets redacted
 	mux.HandleFunc("/config", services.ConfigDiagnosticHandler(container, version))
-
-	if config.OperatorUIToken != "" {
+	if config.OperatorUIEnabled {
 		services.RegisterOperatorRoutes(mux, config, container, version)
 	}
 
+	// GitHub webhook (configurable path, typically /events)
+	mux.HandleFunc(config.WebserverPath, func(w http.ResponseWriter, r *http.Request) {
+		handleWebhook(w, r, config, container)
+	})
+
 	// Info endpoint
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/" {
@@ -193,8 +187,8 @@ func startWebServer(config *configs.Config, container *services.ServiceContainer
 		if config.MetricsEnabled {
 			_, _ = fmt.Fprintf(w, "Metrics: /metrics\n")
 		}
-		if config.OperatorUIToken != "" {
-			_, _ = fmt.Fprintf(w, "Operator UI: /operator/\n")
+		if config.OperatorUIEnabled {
+			_, _ = fmt.Fprintf(w, "Operator UI: /operator/ (set OPERATOR_UI_TOKEN for secured APIs)\n")
 		}
 	})
 
diff --git a/configs/environment.go b/configs/environment.go
index e76dc07..42e246f 100644
--- a/configs/environment.go
+++ b/configs/environment.go
@@ -70,7 +70,8 @@ type Config struct {
 	WebhookMaxRetries        int // max retry attempts for failed webhook processing
 	WebhookRetryInitialDelay int // initial delay between retries in seconds (doubles each attempt)
 
-	// Operator web UI (optional) — protected by OPERATOR_UI_TOKEN when set
+	// Operator web UI — off unless OPERATOR_UI_ENABLED=true (intended for local dev).
+	OperatorUIEnabled           bool
 	OperatorUIToken             string
 	OperatorRepoSlug            string // "owner/repo" for GitHub links and optional tag API
 	OperatorReleaseGitHubToken  string // PAT with contents:write to create a version tag (optional)
@@ -123,7 +124,8 @@ const (
 	WebhookProcessingTimeoutSeconds = "WEBHOOK_PROCESSING_TIMEOUT_SECONDS"
 	WebhookMaxRetries               = "WEBHOOK_MAX_RETRIES"
 	WebhookRetryInitialDelay        = "WEBHOOK_RETRY_INITIAL_DELAY" //nolint:gosec // env var name, not a credential
-	OperatorUIToken                 = "OPERATOR_UI_TOKEN"           // #nosec G101 -- env var name
+	OperatorUIEnabled               = "OPERATOR_UI_ENABLED"
+	OperatorUIToken                 = "OPERATOR_UI_TOKEN" // #nosec G101 -- env var name
 	OperatorRepoSlug                = "OPERATOR_REPO_SLUG"
 	OperatorReleaseGitHubToken      = "OPERATOR_RELEASE_GITHUB_TOKEN" // #nosec G101 -- env var name
 	OperatorReleaseTargetBranch     = "OPERATOR_RELEASE_TARGET_BRANCH"
@@ -245,6 +247,7 @@ func LoadEnvironment(envFile string) (*Config, error) {
 	config.WebhookMaxRetries = getIntEnvWithDefault(WebhookMaxRetries, config.WebhookMaxRetries)
 	config.WebhookRetryInitialDelay = getIntEnvWithDefault(WebhookRetryInitialDelay, config.WebhookRetryInitialDelay)
 
+	config.OperatorUIEnabled = getBoolEnvWithDefault(OperatorUIEnabled, false)
 	config.OperatorUIToken = os.Getenv(OperatorUIToken)
 	config.OperatorRepoSlug = os.Getenv(OperatorRepoSlug)
 	config.OperatorReleaseGitHubToken = os.Getenv(OperatorReleaseGitHubToken)
@@ -338,5 +341,33 @@ func validateConfig(config *Config) error {
 		}
 	}
 
+	if err := validateWebserverPath(config.WebserverPath); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// validateWebserverPath rejects values that would collide with built-in HTTP routes.
+func validateWebserverPath(p string) error {
+	p = strings.TrimSpace(p)
+	if p == "" {
+		return fmt.Errorf("WEBSERVER_PATH cannot be empty")
+	}
+	if !strings.HasPrefix(p, "/") {
+		return fmt.Errorf("WEBSERVER_PATH must start with / (got %q)", p)
+	}
+	if p == "/" {
+		return fmt.Errorf("WEBSERVER_PATH cannot be / (reserved; use a dedicated path such as /events)")
+	}
+	for _, reserved := range []string{"/health", "/ready", "/metrics", "/config", "/operator"} {
+		if strings.EqualFold(p, reserved) {
+			return fmt.Errorf("WEBSERVER_PATH cannot be %s (reserved for a built-in route)", reserved)
+		}
+	}
+	norm := strings.TrimSuffix(strings.ToLower(p), "/") + "/"
+	if strings.HasPrefix(norm, "/operator/") {
+		return fmt.Errorf("WEBSERVER_PATH cannot be under /operator/ (reserved for the operator UI)")
+	}
 	return nil
 }
diff --git a/env-cloudrun.yaml b/env-cloudrun.yaml
index 2829e5e..b61726a 100644
--- a/env-cloudrun.yaml
+++ b/env-cloudrun.yaml
@@ -33,3 +33,7 @@ COPIER_LOG_NAME: "code-copier-log"
 # Feature Flags
 AUDIT_ENABLED: "true"
 METRICS_ENABLED: "true"
+
+# Operator UI is disabled by default (OPERATOR_UI_ENABLED unset/false). Intended for
+# local runs only — do not set OPERATOR_UI_ENABLED in Cloud Run unless you explicitly
+# want this surface on the internet-facing service.
diff --git a/services/audit_logger.go b/services/audit_logger.go
index dc606ca..0c264bb 100644
--- a/services/audit_logger.go
+++ b/services/audit_logger.go
@@ -48,25 +48,37 @@ type AuditLogger interface {
 	GetEventsByRule(ctx context.Context, ruleName string, limit int) ([]AuditEvent, error)
 	GetStatsByRule(ctx context.Context) (map[string]RuleStats, error)
 	GetDailyVolume(ctx context.Context, days int) ([]DailyStats, error)
+	QueryAuditEvents(ctx context.Context, q AuditListQuery) ([]AuditEvent, error)
 	Ping(ctx context.Context) error
 	Close(ctx context.Context) error
 }
 
+// AuditListQuery filters audit rows for operator dashboards and APIs.
+type AuditListQuery struct {
+	Limit      int
+	EventType  string     // empty = any; otherwise copy | deprecation | error
+	Success    *bool      // nil = any
+	RuleName   string     // exact match when non-empty
+	PRNumber   *int       // nil = any; exact match when set
+	PathSearch string     // substring match on source_path OR target_path when non-empty
+	Since      *time.Time // inclusive lower bound on timestamp when set
+}
+
 // RuleStats represents statistics for a specific rule
 type RuleStats struct {
-	RuleName     string  `bson:"_id"`
-	TotalCopies  int     `bson:"total_copies"`
-	SuccessCount int     `bson:"success_count"`
-	FailureCount int     `bson:"failure_count"`
-	AvgDuration  float64 `bson:"avg_duration"`
+	RuleName     string  `bson:"_id" json:"rule_name"`
+	TotalCopies  int     `bson:"total_copies" json:"total_copies"`
+	SuccessCount int     `bson:"success_count" json:"success_count"`
+	FailureCount int     `bson:"failure_count" json:"failure_count"`
+	AvgDuration  float64 `bson:"avg_duration" json:"avg_duration_ms"`
 }
 
 // DailyStats represents daily copy volume statistics
 type DailyStats struct {
-	Date         string `bson:"_id"`
-	TotalCopies  int    `bson:"total_copies"`
-	SuccessCount int    `bson:"success_count"`
-	FailureCount int    `bson:"failure_count"`
+	Date         string `bson:"_id" json:"date"`
+	TotalCopies  int    `bson:"total_copies" json:"total_copies"`
+	SuccessCount int    `bson:"success_count" json:"success_count"`
+	FailureCount int    `bson:"failure_count" json:"failure_count"`
 }
 
 // MongoAuditLogger implements AuditLogger using MongoDB
@@ -92,7 +104,10 @@ func NewMongoAuditLogger(ctx context.Context, mongoURI, database, collection str
 		SetConnectTimeout(5 * time.Second).
 		SetTimeout(10 * time.Second).
 		SetMaxPoolSize(10).
-		SetRetryWrites(true)
+		SetRetryWrites(true).
+		SetBSONOptions(&options.BSONOptions{
+			ObjectIDAsHexString: true,
+		})
 	client, err := mongo.Connect(clientOptions)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to MongoDB: %w", err)
@@ -168,7 +183,51 @@ func (mal *MongoAuditLogger) LogErrorEvent(ctx context.Context, event *AuditEven
 	return err
 }
 
-// GetRecentEvents retrieves recent audit events
+// QueryAuditEvents retrieves audit events matching the given filter criteria.
+func (mal *MongoAuditLogger) QueryAuditEvents(ctx context.Context, q AuditListQuery) ([]AuditEvent, error) {
+	limit := q.Limit
+	if limit <= 0 {
+		limit = 50
+	}
+	if limit > 200 {
+		limit = 200
+	}
+	filter := bson.M{}
+	if q.EventType != "" {
+		filter["event_type"] = AuditEventType(q.EventType)
+	}
+	if q.Success != nil {
+		filter["success"] = *q.Success
+	}
+	if q.RuleName != "" {
+		filter["rule_name"] = q.RuleName
+	}
+	if q.PRNumber != nil {
+		filter["pr_number"] = *q.PRNumber
+	}
+	if q.PathSearch != "" {
+		filter["$or"] = bson.A{
+			bson.M{"source_path": bson.M{"$regex": q.PathSearch, "$options": "i"}},
+			bson.M{"target_path": bson.M{"$regex": q.PathSearch, "$options": "i"}},
+		}
+	}
+	if q.Since != nil {
+		filter["timestamp"] = bson.M{"$gte": *q.Since}
+	}
+	opts := options.Find().SetSort(bson.D{{Key: "timestamp", Value: -1}}).SetLimit(int64(limit))
+	cursor, err := mal.collection.Find(ctx, filter, opts)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = cursor.Close(ctx) }()
+
+	var events []AuditEvent
+	if err := cursor.All(ctx, &events); err != nil {
+		return nil, err
+	}
+	return events, nil
+}
+
 func (mal *MongoAuditLogger) GetRecentEvents(ctx context.Context, limit int) ([]AuditEvent, error) {
 	opts := options.Find().SetSort(bson.D{{Key: "timestamp", Value: -1}}).SetLimit(int64(limit))
 	cursor, err := mal.collection.Find(ctx, bson.M{}, opts)
@@ -318,5 +377,8 @@ func (nal *NoOpAuditLogger) GetStatsByRule(ctx context.Context) (map[string]Rule
 func (nal *NoOpAuditLogger) GetDailyVolume(ctx context.Context, days int) ([]DailyStats, error) {
 	return []DailyStats{}, nil
 }
+func (nal *NoOpAuditLogger) QueryAuditEvents(ctx context.Context, q AuditListQuery) ([]AuditEvent, error) {
+	return []AuditEvent{}, nil
+}
 func (nal *NoOpAuditLogger) Ping(ctx context.Context) error  { return nil }
 func (nal *NoOpAuditLogger) Close(ctx context.Context) error { return nil }
diff --git a/services/audit_logger_test.go b/services/audit_logger_test.go
index 1f89afa..7a1a3eb 100644
--- a/services/audit_logger_test.go
+++ b/services/audit_logger_test.go
@@ -173,6 +173,18 @@ func TestNoOpAuditLogger_GetStatsByRule(t *testing.T) {
 	}
 }
 
+func TestNoOpAuditLogger_QueryAuditEvents(t *testing.T) {
+	ctx := context.Background()
+	logger := &NoOpAuditLogger{}
+	got, err := logger.QueryAuditEvents(ctx, AuditListQuery{Limit: 10, EventType: string(AuditEventCopy)})
+	if err != nil {
+		t.Fatalf("QueryAuditEvents: %v", err)
+	}
+	if len(got) != 0 {
+		t.Errorf("expected empty slice, got %d events", len(got))
+	}
+}
+
 func TestNoOpAuditLogger_GetDailyVolume(t *testing.T) {
 	logger := &NoOpAuditLogger{}
 	ctx := context.Background()
diff --git a/services/delivery_tracker.go b/services/delivery_tracker.go
index fe36de0..0f46944 100644
--- a/services/delivery_tracker.go
+++ b/services/delivery_tracker.go
@@ -5,6 +5,15 @@ import (
 	"time"
 )
 
+const deliveryHistoryMax = 200
+
+// DeliverySnapshot is one observed webhook delivery ID for operator diagnostics.
+type DeliverySnapshot struct {
+	DeliveryID string    `json:"delivery_id"`
+	SeenAt     time.Time `json:"seen_at"`
+	Duplicate  bool      `json:"duplicate"`
+}
+
 // DeliveryTracker tracks processed GitHub webhook delivery IDs to prevent
 // duplicate processing. GitHub retries deliveries on timeout or error, and
 // the X-GitHub-Delivery header uniquely identifies each delivery.
@@ -16,6 +25,9 @@ type DeliveryTracker struct {
 	entries map[string]time.Time
 	ttl     time.Duration
 
+	// history is a bounded ring of recent TryRecord outcomes (new vs duplicate) for diagnostics.
+	history []DeliverySnapshot
+
 	// stopCleanup signals the background goroutine to stop
 	stopCleanup chan struct{}
 }
@@ -26,6 +38,7 @@ func NewDeliveryTracker(ttl time.Duration) *DeliveryTracker {
 	dt := &DeliveryTracker{
 		entries:     make(map[string]time.Time),
 		ttl:         ttl,
+		history:     make([]DeliverySnapshot, 0, 32),
 		stopCleanup: make(chan struct{}),
 	}
 	go dt.cleanupLoop()
@@ -40,15 +53,59 @@ func (dt *DeliveryTracker) TryRecord(deliveryID string) bool {
 
 	if seenAt, exists := dt.entries[deliveryID]; exists {
 		if time.Since(seenAt) < dt.ttl {
+			dt.appendHistoryLocked(deliveryID, true)
 			return false // duplicate within TTL
 		}
 		// Expired entry — allow reprocessing
 	}
 
 	dt.entries[deliveryID] = time.Now()
+	dt.appendHistoryLocked(deliveryID, false)
 	return true
 }
 
+func (dt *DeliveryTracker) appendHistoryLocked(deliveryID string, duplicate bool) {
+	if deliveryID == "" {
+		return
+	}
+	dt.history = append(dt.history, DeliverySnapshot{
+		DeliveryID: deliveryID,
+		SeenAt:     time.Now().UTC(),
+		Duplicate:  duplicate,
+	})
+	if len(dt.history) > deliveryHistoryMax {
+		dt.history = dt.history[len(dt.history)-deliveryHistoryMax:]
+	}
+}
+
+// HistoryLen returns how many recent delivery observations are buffered for diagnostics.
+func (dt *DeliveryTracker) HistoryLen() int {
+	dt.mu.Lock()
+	defer dt.mu.Unlock()
+	return len(dt.history)
+}
+
+// RecentDeliveries returns the last up to max observations (newest at end).
+func (dt *DeliveryTracker) RecentDeliveries(max int) []DeliverySnapshot {
+	dt.mu.Lock()
+	defer dt.mu.Unlock()
+	if len(dt.history) == 0 {
+		return nil
+	}
+	if max <= 0 {
+		max = 100
+	}
+	if max > deliveryHistoryMax {
+		max = deliveryHistoryMax
+	}
+	if len(dt.history) <= max {
+		out := make([]DeliverySnapshot, len(dt.history))
+		copy(out, dt.history)
+		return out
+	}
+	return append([]DeliverySnapshot(nil), dt.history[len(dt.history)-max:]...)
+}
+
 // Len returns the current number of tracked delivery IDs (for diagnostics).
 func (dt *DeliveryTracker) Len() int {
 	dt.mu.Lock()
diff --git a/services/delivery_tracker_test.go b/services/delivery_tracker_test.go
index 0ebb725..e3d7483 100644
--- a/services/delivery_tracker_test.go
+++ b/services/delivery_tracker_test.go
@@ -20,6 +20,13 @@ func TestDeliveryTracker_TryRecord(t *testing.T) {
 	if dt.TryRecord("delivery-1") {
 		t.Error("expected duplicate TryRecord to return false")
 	}
+	hist := dt.RecentDeliveries(10)
+	if len(hist) < 2 {
+		t.Fatalf("expected history len >= 2, got %d", len(hist))
+	}
+	if !hist[len(hist)-1].Duplicate {
+		t.Error("expected last history entry to be duplicate")
+	}
 
 	// Different ID should succeed
 	if !dt.TryRecord("delivery-2") {
diff --git a/services/github_write_to_target.go b/services/github_write_to_target.go
index bde8b6d..a88fb6b 100644
--- a/services/github_write_to_target.go
+++ b/services/github_write_to_target.go
@@ -2,6 +2,7 @@ package services
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -12,6 +13,10 @@ import (
 	"github.com/grove-platform/github-copier/types"
 )
 
+// errTreeUnchanged is returned by commitFilesToBranch when the new file tree is
+// identical to the branch HEAD, meaning there is nothing to commit.
+var errTreeUnchanged = errors.New("tree unchanged — nothing to commit")
+
 // parseRepoPath parses a repository path in the format "owner/repo" and returns owner and repo separately.
 // If the path doesn't contain a slash, it returns defaultOwner and the path as repo name.
 func parseRepoPath(repoPath string, defaultOwner string) (owner, repo string) {
@@ -106,6 +111,7 @@ func auditLogCopyBatchSuccess(ctx context.Context, auditLogger AuditLogger, key
 			RuleName:   meta.RuleName,
 			SourceRepo: meta.SourceRepo,
 			SourcePath: srcPath,
+			CommitSHA:  meta.CommitSHA,
 			TargetRepo: key.RepoName,
 			TargetPath: f.GetName(),
 			PRNumber:   meta.PRNumber,
@@ -138,6 +144,7 @@ func auditLogCopyBatchFailure(ctx context.Context, auditLogger AuditLogger, key
 			RuleName:     meta.RuleName,
 			SourceRepo:   meta.SourceRepo,
 			SourcePath:   srcPath,
+			CommitSHA:    meta.CommitSHA,
 			TargetRepo:   key.RepoName,
 			TargetPath:   f.GetName(),
 			PRNumber:     meta.PRNumber,
@@ -313,6 +320,11 @@ func addFilesViaPR(ctx context.Context, config *configs.Config, client *github.C
 
 		// Push new files to the existing branch
 		if err := commitFilesToBranch(ctx, config, client, key, files, existingBranch, commitMessage); err != nil {
+			if errors.Is(err, errTreeUnchanged) {
+				LogInfo("No changes to push to existing copier PR — files already up to date",
+					"pr_number", existingPR.GetNumber(), "repo", key.RepoName)
+				return nil
+			}
 			return fmt.Errorf("commit to existing copier branch %s: %w", existingBranch, err)
 		}
 
@@ -342,6 +354,13 @@ func addFilesViaPR(ctx context.Context, config *configs.Config, client *github.C
 
 	// 2. Commit files to temp branch
 	if err := commitFilesToBranch(ctx, config, client, key, files, tempBranch, commitMessage); err != nil {
+		if errors.Is(err, errTreeUnchanged) {
+			LogInfo("No changes to commit — files already match target. Cleaning up temp branch.",
+				"repo", key.RepoName, "branch", tempBranch)
+			// Best-effort cleanup of the empty branch
+			_, _ = client.Git.DeleteRef(ctx, owner, repoName, "refs/heads/"+tempBranch)
+			return nil
+		}
 		return err
 	}
 
@@ -388,7 +407,7 @@ func commitFilesToBranch(ctx context.Context, config *configs.Config, client *gi
 			"branch", tempBranch,
 			"tree_sha", tr.TreeSHA,
 		)
-		return nil
+		return errTreeUnchanged
 	}
 
 	if err = createCommit(ctx, client, config.ConfigRepoOwner, tempKey, tr.BaseSHA, tr.TreeSHA, commitMessage); err != nil {
diff --git a/services/log_buffer.go b/services/log_buffer.go
new file mode 100644
index 0000000..0fa3563
--- /dev/null
+++ b/services/log_buffer.go
@@ -0,0 +1,116 @@
+package services
+
+import (
+	"context"
+	"sync"
+	"time"
+)
+
+// Maximum entries per delivery and total across all deliveries.
+const (
+	logBufferMaxPerDelivery = 100
+	logBufferMaxDeliveries  = 50
+)
+
+// LogEntry is a single captured log line for operator diagnostics.
+type LogEntry struct {
+	Time    time.Time      `json:"time"`
+	Level   string         `json:"level"`
+	Message string         `json:"message"`
+	Fields  map[string]any `json:"fields,omitempty"`
+}
+
+// DeliveryLogBuffer stores recent log entries keyed by delivery ID for the operator UI.
+type DeliveryLogBuffer struct {
+	mu      sync.Mutex
+	entries map[string][]LogEntry
+	order   []string // insertion order for eviction
+}
+
+// NewDeliveryLogBuffer creates an empty delivery log buffer.
+func NewDeliveryLogBuffer() *DeliveryLogBuffer {
+	return &DeliveryLogBuffer{
+		entries: make(map[string][]LogEntry),
+		order:   make([]string, 0, logBufferMaxDeliveries),
+	}
+}
+
+// Append adds a log entry for a delivery ID.
+func (b *DeliveryLogBuffer) Append(deliveryID string, entry LogEntry) {
+	if b == nil || deliveryID == "" {
+		return
+	}
+	if entry.Time.IsZero() {
+		entry.Time = time.Now().UTC()
+	}
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	logs, exists := b.entries[deliveryID]
+	if !exists {
+		b.order = append(b.order, deliveryID)
+		// Evict oldest delivery if over limit
+		if len(b.order) > logBufferMaxDeliveries {
+			evict := b.order[0]
+			b.order = b.order[1:]
+			delete(b.entries, evict)
+		}
+	}
+	logs = append(logs, entry)
+	if len(logs) > logBufferMaxPerDelivery {
+		logs = logs[len(logs)-logBufferMaxPerDelivery:]
+	}
+	b.entries[deliveryID] = logs
+}
+
+// Get returns log entries for a delivery ID (nil if not found).
+func (b *DeliveryLogBuffer) Get(deliveryID string) []LogEntry {
+	if b == nil {
+		return nil
+	}
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	logs, ok := b.entries[deliveryID]
+	if !ok {
+		return nil
+	}
+	out := make([]LogEntry, len(logs))
+	copy(out, logs)
+	return out
+}
+
+// context key for log buffer
+type logBufferCtxKey struct{}
+
+// ContextWithLogBuffer returns a context that carries a delivery ID for log capture.
+func ContextWithLogBuffer(ctx context.Context, deliveryID string, buf *DeliveryLogBuffer) context.Context {
+	return context.WithValue(ctx, logBufferCtxKey{}, &logBufferCtxVal{deliveryID: deliveryID, buf: buf})
+}
+
+type logBufferCtxVal struct {
+	deliveryID string
+	buf        *DeliveryLogBuffer
+}
+
+// logBufferFromCtx extracts the log buffer from context (nil if not set).
+func logBufferFromCtx(ctx context.Context) *logBufferCtxVal {
+	if ctx == nil {
+		return nil
+	}
+	val, _ := ctx.Value(logBufferCtxKey{}).(*logBufferCtxVal)
+	return val
+}
+
+// appendToCtxBuffer appends a log entry to the context's delivery log buffer if present.
+func appendToCtxBuffer(ctx context.Context, level, message string, fields map[string]any) {
+	val := logBufferFromCtx(ctx)
+	if val == nil || val.buf == nil {
+		return
+	}
+	val.buf.Append(val.deliveryID, LogEntry{
+		Time:    time.Now().UTC(),
+		Level:   level,
+		Message: message,
+		Fields:  fields,
+	})
+}
diff --git a/services/logger.go b/services/logger.go
index 0efa0fe..98ea6bc 100644
--- a/services/logger.go
+++ b/services/logger.go
@@ -208,12 +208,14 @@ func LogCritical(message string, args ...any) {
 func LogInfoCtx(ctx context.Context, message string, fields map[string]interface{}) {
 	slog.InfoContext(ctx, message, mapToAttrs(fields)...)
 	logToGCP(slog.LevelInfo, message, mapToAttrs(fields)...)
+	appendToCtxBuffer(ctx, "info", message, fieldsToAny(fields))
 }
 
 // LogWarningCtx writes a warning-level log with context.
 func LogWarningCtx(ctx context.Context, message string, fields map[string]interface{}) {
 	slog.WarnContext(ctx, message, mapToAttrs(fields)...)
 	logToGCP(slog.LevelWarn, message, mapToAttrs(fields)...)
+	appendToCtxBuffer(ctx, "warn", message, fieldsToAny(fields))
 }
 
 // LogErrorCtx writes an error-level log with context and an optional error.
@@ -224,6 +226,22 @@ func LogErrorCtx(ctx context.Context, message string, err error, fields map[stri
 	}
 	slog.ErrorContext(ctx, message, attrs...)
 	logToGCP(slog.LevelError, message, attrs...)
+	f := fieldsToAny(fields)
+	if err != nil {
+		f["error"] = err.Error()
+	}
+	appendToCtxBuffer(ctx, "error", message, f)
+}
+
+func fieldsToAny(fields map[string]interface{}) map[string]any {
+	if fields == nil {
+		return nil
+	}
+	out := make(map[string]any, len(fields))
+	for k, v := range fields {
+		out[k] = v
+	}
+	return out
 }
 
 // LogWebhookOperation logs webhook-related operations.
diff --git a/services/operator_ui.go b/services/operator_ui.go
index c90b304..6816eff 100644
--- a/services/operator_ui.go
+++ b/services/operator_ui.go
@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/grove-platform/github-copier/configs"
@@ -24,31 +25,53 @@ var operatorIndexHTML []byte
 var operatorVersionTagRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+$`)
 
 // RegisterOperatorRoutes mounts the operator HTML UI and JSON APIs under /operator/.
-// cfg.OperatorUIToken must be non-empty before calling (caller checks).
+// Call only when cfg.OperatorUIEnabled is true (local/dev). Secured APIs require
+// OPERATOR_UI_TOKEN on the server plus Authorization: Bearer from the client.
 func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *ServiceContainer, version string) {
 	o := &operatorUI{
 		cfg:       cfg,
 		container: container,
 		version:   version,
 	}
+	// Register specific paths before the /operator/ subtree so /operator/api/* is not handled by serveIndex.
+	mux.HandleFunc("/operator/api/status", o.handleOperatorStatus)
 	mux.HandleFunc("/operator/api/audit/events", o.wrapAPI(o.handleAuditEvents))
+	mux.HandleFunc("/operator/api/audit/overview", o.wrapAPI(o.handleAuditOverview))
+	mux.HandleFunc("/operator/api/observability/deliveries", o.wrapAPI(o.handleObservabilityDeliveries))
+	mux.HandleFunc("/operator/api/observability/webhook-traces", o.wrapAPI(o.handleObservabilityWebhookTraces))
 	mux.HandleFunc("/operator/api/deployment", o.wrapAPI(o.handleDeployment))
 	mux.HandleFunc("/operator/api/release", o.wrapAPI(o.handleRelease))
+	mux.HandleFunc("/operator/api/replay", o.wrapAPI(o.handleReplay))
+	mux.HandleFunc("/operator/api/workflows", o.wrapAPI(o.handleWorkflows))
+	mux.HandleFunc("/operator/api/logs", o.wrapAPI(o.handleDeliveryLogs))
 	mux.HandleFunc("/operator/", o.serveIndex)
 	mux.HandleFunc("/operator", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/operator/", http.StatusFound)
 	})
+	if cfg.OperatorUIToken == "" {
+		LogInfo("Operator UI: /operator/ (set OPERATOR_UI_TOKEN to enable audit, deployment JSON, and release APIs)")
+	} else {
+		LogInfo("Operator UI: /operator/ with API authentication enabled")
+	}
 }
 
 type operatorUI struct {
-	cfg       *configs.Config
-	container *ServiceContainer
-	version   string
+	cfg            *configs.Config
+	container      *ServiceContainer
+	version        string
+	replayInFlight sync.Map // key: "owner/repo#pr" → prevents concurrent replays
 }
 
 func (o *operatorUI) wrapAPI(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
+		if o.cfg.OperatorUIToken == "" {
+			w.WriteHeader(http.StatusServiceUnavailable)
+			_ = json.NewEncoder(w).Encode(map[string]string{
+				"error": "operator APIs disabled on server: set OPERATOR_UI_TOKEN in the environment and redeploy",
+			})
+			return
+		}
 		if !operatorAuthOK(o.cfg.OperatorUIToken, bearerToken(r)) {
 			w.WriteHeader(http.StatusUnauthorized)
 			_ = json.NewEncoder(w).Encode(map[string]string{"error": "unauthorized"})
@@ -58,6 +81,31 @@ func (o *operatorUI) wrapAPI(next http.HandlerFunc) http.HandlerFunc {
 	}
 }
 
+// handleOperatorStatus reports whether secured operator APIs are configured (no auth).
+func (o *operatorUI) handleOperatorStatus(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	out := map[string]any{
+		"operator_apis_enabled": o.cfg.OperatorUIToken != "",
+		"metrics_enabled":       o.cfg.MetricsEnabled,
+		"audit_enabled":         o.cfg.AuditEnabled,
+		"version":               o.version,
+	}
+	if o.container != nil && o.container.DeliveryTracker != nil {
+		out["webhook_dedupe_entries"] = o.container.DeliveryTracker.Len()
+		out["webhook_recent_observations"] = o.container.DeliveryTracker.HistoryLen()
+	}
+	if o.container != nil && o.container.WebhookTraces != nil {
+		out["webhook_trace_entries"] = o.container.WebhookTraces.Len()
+	}
+	_ = json.NewEncoder(w).Encode(out)
+}
+
 func bearerToken(r *http.Request) string {
 	h := r.Header.Get("Authorization")
 	const p = "Bearer "
@@ -68,15 +116,12 @@ func bearerToken(r *http.Request) string {
 }
 
 func operatorAuthOK(expected, got string) bool {
-	if expected == "" {
+	if expected == "" || got == "" {
 		return false
 	}
-	e := []byte(expected)
-	g := []byte(got)
-	if len(e) != len(g) {
-		return false
-	}
-	return subtle.ConstantTimeCompare(e, g) == 1
+	// subtle.ConstantTimeCompare returns 0 for different-length inputs without
+	// leaking the expected token length through timing.
+	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
 }
 
 func (o *operatorUI) serveIndex(w http.ResponseWriter, r *http.Request) {
@@ -98,14 +143,11 @@ func (o *operatorUI) handleAuditEvents(w http.ResponseWriter, r *http.Request) {
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
 		return
 	}
-	limit := 50
-	if q := r.URL.Query().Get("limit"); q != "" {
-		if n, err := strconv.Atoi(q); err == nil && n > 0 {
-			limit = n
-		}
-	}
-	if limit > 200 {
-		limit = 200
+	q, err := parseAuditListQuery(r)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+		return
 	}
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -113,7 +155,7 @@ func (o *operatorUI) handleAuditEvents(w http.ResponseWriter, r *http.Request) {
 		_ = json.NewEncoder(w).Encode(map[string]any{"events": []any{}})
 		return
 	}
-	events, err := o.container.AuditLogger.GetRecentEvents(ctx, limit)
+	events, err := o.container.AuditLogger.QueryAuditEvents(ctx, q)
 	if err != nil {
 		w.WriteHeader(http.StatusBadGateway)
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
@@ -122,9 +164,162 @@ func (o *operatorUI) handleAuditEvents(w http.ResponseWriter, r *http.Request) {
 	_ = json.NewEncoder(w).Encode(map[string]any{"events": events})
 }
 
+func parseAuditListQuery(r *http.Request) (AuditListQuery, error) {
+	q := r.URL.Query()
+	lim := 50
+	if v := q.Get("limit"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			lim = n
+		}
+	}
+	if lim > 200 {
+		lim = 200
+	}
+	aq := AuditListQuery{Limit: lim}
+	if et := strings.TrimSpace(q.Get("event_type")); et != "" {
+		switch AuditEventType(et) {
+		case AuditEventCopy, AuditEventDeprecation, AuditEventError:
+			aq.EventType = et
+		default:
+			return AuditListQuery{}, fmt.Errorf("invalid event_type (use copy, deprecation, or error)")
+		}
+	}
+	switch strings.TrimSpace(strings.ToLower(q.Get("success"))) {
+	case "true":
+		t := true
+		aq.Success = &t
+	case "false":
+		f := false
+		aq.Success = &f
+	case "":
+	default:
+		return AuditListQuery{}, fmt.Errorf("invalid success (use true or false)")
+	}
+	if rn := strings.TrimSpace(q.Get("rule_name")); rn != "" {
+		aq.RuleName = rn
+	}
+	if prStr := strings.TrimSpace(q.Get("pr_number")); prStr != "" {
+		n, err := strconv.Atoi(prStr)
+		if err != nil || n <= 0 {
+			return AuditListQuery{}, fmt.Errorf("pr_number must be a positive integer")
+		}
+		aq.PRNumber = &n
+	}
+	if ps := strings.TrimSpace(q.Get("path")); ps != "" {
+		aq.PathSearch = ps
+	}
+	if since := strings.TrimSpace(q.Get("since")); since != "" {
+		t, err := time.Parse(time.RFC3339, since)
+		if err != nil {
+			return AuditListQuery{}, fmt.Errorf("since must be RFC3339: %w", err)
+		}
+		aq.Since = &t
+	}
+	return aq, nil
+}
+
+func (o *operatorUI) handleAuditOverview(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	days := 14
+	if v := r.URL.Query().Get("days"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			days = n
+		}
+	}
+	if days > 366 {
+		days = 366
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 20*time.Second)
+	defer cancel()
+	if o.container.AuditLogger == nil {
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"days":           days,
+			"daily_volume":   []DailyStats{},
+			"stats_by_rule":  map[string]RuleStats{},
+			"audit_disabled": true,
+		})
+		return
+	}
+	daily, err1 := o.container.AuditLogger.GetDailyVolume(ctx, days)
+	if err1 != nil {
+		w.WriteHeader(http.StatusBadGateway)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": err1.Error()})
+		return
+	}
+	byRule, err2 := o.container.AuditLogger.GetStatsByRule(ctx)
+	if err2 != nil {
+		w.WriteHeader(http.StatusBadGateway)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": err2.Error()})
+		return
+	}
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"days":          days,
+		"daily_volume":  daily,
+		"stats_by_rule": byRule,
+	})
+}
+
+func (o *operatorUI) handleObservabilityDeliveries(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	max := 100
+	if v := r.URL.Query().Get("limit"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			max = n
+		}
+	}
+	if max > deliveryHistoryMax {
+		max = deliveryHistoryMax
+	}
+	if o.container.DeliveryTracker == nil {
+		_ = json.NewEncoder(w).Encode(map[string]any{"deliveries": []DeliverySnapshot{}})
+		return
+	}
+	snap := o.container.DeliveryTracker.RecentDeliveries(max)
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"deliveries":     snap,
+		"dedupe_entries": o.container.DeliveryTracker.Len(),
+	})
+}
+
+func (o *operatorUI) handleObservabilityWebhookTraces(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	max := 50
+	if v := r.URL.Query().Get("limit"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			max = n
+		}
+	}
+	if max > webhookTraceMaxEntries {
+		max = webhookTraceMaxEntries
+	}
+	if o.container == nil || o.container.WebhookTraces == nil {
+		_ = json.NewEncoder(w).Encode(map[string]any{"traces": []WebhookTraceEntry{}})
+		return
+	}
+	tr := o.container.WebhookTraces.Recent(max)
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"traces": tr,
+		"total":  o.container.WebhookTraces.Len(),
+	})
+}
+
 // OperatorDeploymentInfo is non-secret runtime and platform metadata for the operator UI.
 type OperatorDeploymentInfo struct {
 	Version            string            `json:"version"`
+	UptimeSeconds      int64             `json:"uptime_seconds"`
+	MongoHealthy       *bool             `json:"mongo_healthy,omitempty"`
 	GoogleCloudRegion  string            `json:"google_cloud_region,omitempty"`
 	CloudRunService    string            `json:"cloud_run_service,omitempty"`
 	CloudRunRevision   string            `json:"cloud_run_revision,omitempty"`
@@ -155,6 +350,7 @@ func (o *operatorUI) handleDeployment(w http.ResponseWriter, r *http.Request) {
 	}
 	info := OperatorDeploymentInfo{
 		Version:            o.version,
+		UptimeSeconds:      int64(time.Since(o.container.StartTime).Seconds()),
 		CloudRunService:    os.Getenv("K_SERVICE"),
 		CloudRunRevision:   os.Getenv("K_REVISION"),
 		CloudRunConfig:     os.Getenv("K_CONFIGURATION"),
@@ -176,6 +372,12 @@ func (o *operatorUI) handleDeployment(w http.ResponseWriter, r *http.Request) {
 	if region := os.Getenv("GOOGLE_CLOUD_REGION"); region != "" {
 		info.GoogleCloudRegion = region
 	}
+	if o.cfg.AuditEnabled && o.container.AuditLogger != nil {
+		ctx, cancel := context.WithTimeout(r.Context(), 3*time.Second)
+		defer cancel()
+		healthy := o.container.AuditLogger.Ping(ctx) == nil
+		info.MongoHealthy = &healthy
+	}
 	_ = json.NewEncoder(w).Encode(info)
 }
 
@@ -241,6 +443,213 @@ func (o *operatorUI) handleRelease(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
+// ── Per-delivery log viewer ──
+
+func (o *operatorUI) handleDeliveryLogs(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	deliveryID := strings.TrimSpace(r.URL.Query().Get("delivery_id"))
+	if deliveryID == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "delivery_id is required"})
+		return
+	}
+	if o.container.DeliveryLogs == nil {
+		_ = json.NewEncoder(w).Encode(map[string]any{"logs": []LogEntry{}, "delivery_id": deliveryID})
+		return
+	}
+	logs := o.container.DeliveryLogs.Get(deliveryID)
+	if logs == nil {
+		logs = []LogEntry{}
+	}
+	_ = json.NewEncoder(w).Encode(map[string]any{"logs": logs, "delivery_id": deliveryID})
+}
+
+// ── Workflow config browser ──
+
+func (o *operatorUI) handleWorkflows(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	if o.container.ConfigLoader == nil {
+		w.WriteHeader(http.StatusServiceUnavailable)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "config loader not initialized"})
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
+	defer cancel()
+	yamlCfg, err := o.container.ConfigLoader.LoadConfig(ctx, o.cfg)
+	if err != nil {
+		w.WriteHeader(http.StatusBadGateway)
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"error":     "failed to load config: " + err.Error(),
+			"workflows": []any{},
+		})
+		return
+	}
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"workflows":   yamlCfg.Workflows,
+		"defaults":    yamlCfg.Defaults,
+		"config_file": o.cfg.EffectiveConfigFile(),
+		"config_repo": o.cfg.ConfigRepoOwner + "/" + o.cfg.ConfigRepoName,
+	})
+}
+
+// ── Webhook replay ──
+
+type operatorReplayRequest struct {
+	Repo      string `json:"repo"` // "owner/repo"
+	PRNumber  int    `json:"pr_number"`
+	Branch    string `json:"branch"`     // base branch
+	CommitSHA string `json:"commit_sha"` // optional — fetched from GitHub if empty
+}
+
+type operatorReplayResponse struct {
+	OK      bool   `json:"ok,omitempty"`
+	Message string `json:"message,omitempty"`
+	Error   string `json:"error,omitempty"`
+}
+
+func (o *operatorUI) handleReplay(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+
+	body, err := io.ReadAll(io.LimitReader(r.Body, 4096))
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "read body"})
+		return
+	}
+	var req operatorReplayRequest
+	if err := json.Unmarshal(body, &req); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "invalid json"})
+		return
+	}
+
+	// Validate inputs
+	parts := strings.SplitN(strings.TrimSpace(req.Repo), "/", 2)
+	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "repo must be owner/repo"})
+		return
+	}
+	owner, repoName := parts[0], parts[1]
+
+	if req.PRNumber <= 0 {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "pr_number must be > 0"})
+		return
+	}
+	if strings.TrimSpace(req.Branch) == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "branch is required"})
+		return
+	}
+
+	// In-flight dedup: prevent concurrent replays for the same PR
+	replayKey := fmt.Sprintf("%s#%d", req.Repo, req.PRNumber)
+	if _, loaded := o.replayInFlight.LoadOrStore(replayKey, true); loaded {
+		w.WriteHeader(http.StatusConflict)
+		_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "replay already in progress for this PR"})
+		return
+	}
+
+	// Fetch commit SHA from GitHub if not provided
+	commitSHA := strings.TrimSpace(req.CommitSHA)
+	if commitSHA == "" {
+		ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
+		defer cancel()
+		client, err := GetRestClientForOrg(ctx, o.cfg, owner)
+		if err != nil {
+			o.replayInFlight.Delete(replayKey)
+			w.WriteHeader(http.StatusBadGateway)
+			_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "github auth: " + err.Error()})
+			return
+		}
+		pr, _, err := client.PullRequests.Get(ctx, owner, repoName, req.PRNumber)
+		if err != nil {
+			o.replayInFlight.Delete(replayKey)
+			w.WriteHeader(http.StatusBadGateway)
+			_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "fetch PR: " + err.Error()})
+			return
+		}
+		if !pr.GetMerged() {
+			o.replayInFlight.Delete(replayKey)
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "PR is not merged — only merged PRs can be replayed"})
+			return
+		}
+		commitSHA = pr.GetMergeCommitSHA()
+		if commitSHA == "" {
+			o.replayInFlight.Delete(replayKey)
+			w.WriteHeader(http.StatusBadGateway)
+			_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "PR has no merge commit SHA"})
+			return
+		}
+	}
+
+	// Dispatch replay in background (same path as real webhook processing)
+	deliveryID := fmt.Sprintf("replay-%d", time.Now().UnixMilli())
+	baseBranch := strings.TrimSpace(req.Branch)
+
+	LogInfo("operator replay requested",
+		"repo", req.Repo,
+		"pr_number", req.PRNumber,
+		"branch", baseBranch,
+		"commit_sha", commitSHA,
+		"delivery_id", deliveryID,
+	)
+
+	AppendWebhookTrace(o.container, WebhookTraceEntry{
+		DeliveryID: deliveryID,
+		EventType:  "operator_replay",
+		Repo:       req.Repo,
+		BaseBranch: baseBranch,
+		CommitSHA:  commitSHA,
+		PRNumber:   req.PRNumber,
+		Outcome:    "replay_started",
+		Detail:     "initiated via operator UI",
+	})
+
+	bgCtx := context.Background()
+	if o.container.DeliveryLogs != nil {
+		bgCtx = ContextWithLogBuffer(bgCtx, deliveryID, o.container.DeliveryLogs)
+	}
+	if o.cfg.WebhookProcessingTimeoutSeconds > 0 {
+		var cancel context.CancelFunc
+		bgCtx, cancel = context.WithTimeout(bgCtx, time.Duration(o.cfg.WebhookProcessingTimeoutSeconds)*time.Second)
+		o.container.wg.Add(1)
+		go func() {
+			defer o.container.wg.Done()
+			defer cancel()
+			defer o.replayInFlight.Delete(replayKey)
+			processWebhookWithRetry(bgCtx, req.PRNumber, commitSHA, owner, repoName, baseBranch, deliveryID, o.cfg, o.container)
+		}()
+	} else {
+		o.container.wg.Add(1)
+		go func() {
+			defer o.container.wg.Done()
+			defer o.replayInFlight.Delete(replayKey)
+			processWebhookWithRetry(bgCtx, req.PRNumber, commitSHA, owner, repoName, baseBranch, deliveryID, o.cfg, o.container)
+		}()
+	}
+
+	w.WriteHeader(http.StatusAccepted)
+	_ = json.NewEncoder(w).Encode(operatorReplayResponse{
+		OK:      true,
+		Message: fmt.Sprintf("Replay started for %s PR #%d (delivery %s). Check webhook traces for progress.", req.Repo, req.PRNumber, deliveryID),
+	})
+}
+
 func firstEnv(keys ...string) string {
 	for _, k := range keys {
 		if v := os.Getenv(k); v != "" {
diff --git a/services/service_container.go b/services/service_container.go
index 85c1dfb..212c15c 100644
--- a/services/service_container.go
+++ b/services/service_container.go
@@ -28,6 +28,12 @@ type ServiceContainer struct {
 	// Webhook deduplication
 	DeliveryTracker *DeliveryTracker
 
+	// Recent webhook outcomes for operator troubleshooting (in-memory)
+	WebhookTraces *WebhookTraceBuffer
+
+	// Per-delivery log capture for operator diagnostics (in-memory)
+	DeliveryLogs *DeliveryLogBuffer
+
 	// Server state
 	StartTime time.Time
 
@@ -101,6 +107,8 @@ func NewServiceContainer(config *configs.Config) (*ServiceContainer, error) {
 		MetricsCollector:  metricsCollector,
 		SlackNotifier:     slackNotifier,
 		DeliveryTracker:   NewDeliveryTracker(1 * time.Hour),
+		WebhookTraces:     NewWebhookTraceBuffer(),
+		DeliveryLogs:      NewDeliveryLogBuffer(),
 		StartTime:         time.Now(),
 	}, nil
 }
diff --git a/services/web/operator/index.html b/services/web/operator/index.html
index 8cb433e..847fb42 100644
--- a/services/web/operator/index.html
+++ b/services/web/operator/index.html
@@ -1,163 +1,1502 @@
 <!DOCTYPE html>
-<html lang="en">
+<html lang="en" data-theme="light">
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>&#x1F4CB;</text></svg>" />
   <title>GitHub Copier — Operator</title>
   <style>
-    :root { font-family: system-ui, sans-serif; line-height: 1.45; color: #1a1a1a; background: #f6f7f9; }
-    body { margin: 0; padding: 1.25rem 1.5rem 3rem; max-width: 1100px; margin-inline: auto; }
-    h1 { font-size: 1.35rem; margin: 0 0 0.25rem; }
-    p.sub { margin: 0 0 1.25rem; color: #555; font-size: 0.95rem; }
-    section { background: #fff; border-radius: 10px; padding: 1rem 1.25rem; margin-bottom: 1.25rem; box-shadow: 0 1px 2px rgba(0,0,0,.06); }
-    h2 { font-size: 1.05rem; margin: 0 0 0.75rem; }
-    label { display: block; font-size: 0.85rem; color: #444; margin-bottom: 0.35rem; }
-    input[type="password"], input[type="text"] { width: 100%; max-width: 28rem; padding: 0.45rem 0.55rem; border: 1px solid #ccc; border-radius: 6px; font-size: 0.95rem; }
-    button { padding: 0.45rem 0.85rem; border-radius: 6px; border: 1px solid #2563eb; background: #2563eb; color: #fff; font-size: 0.9rem; cursor: pointer; }
-    button.secondary { background: #fff; color: #2563eb; }
-    button:disabled { opacity: 0.55; cursor: not-allowed; }
-    .row { display: flex; flex-wrap: wrap; gap: 0.75rem; align-items: flex-end; margin-top: 0.5rem; }
-    table { width: 100%; border-collapse: collapse; font-size: 0.88rem; }
-    th, td { text-align: left; padding: 0.45rem 0.35rem; border-bottom: 1px solid #eee; vertical-align: top; }
-    th { color: #555; font-weight: 600; }
-    .ok { color: #15803d; font-weight: 600; }
-    .fail { color: #b91c1c; font-weight: 600; }
-    pre { background: #f1f5f9; padding: 0.75rem; border-radius: 8px; overflow: auto; font-size: 0.8rem; max-height: 320px; }
-    .err { color: #b91c1c; font-size: 0.9rem; margin-top: 0.5rem; }
-    .hint { font-size: 0.82rem; color: #64748b; margin-top: 0.5rem; }
+    :root {
+      --bg:#f6f7f9; --surface:#fff; --surface-alt:#f8fafc; --pre-bg:#f1f5f9;
+      --text:#0f172a; --text-2:#475569; --text-3:#64748b;
+      --border:#e2e8f0; --border-light:#f1f5f9;
+      --blue:#2563eb; --blue-light:#dbeafe;
+      --green:#16a34a; --green-light:#dcfce7;
+      --red:#dc2626; --red-light:#fee2e2;
+      --amber:#d97706; --amber-light:#fef3c7;
+      --topbar-bg:#fff; --topbar-border:#e2e8f0;
+      --hover:rgba(0,0,0,.025); --link:#2563eb;
+      --shadow:0 1px 3px rgba(0,0,0,.06);
+    }
+    [data-theme="dark"] {
+      --bg:#0f172a; --surface:#1e293b; --surface-alt:#1e293b; --pre-bg:#0f172a;
+      --text:#e2e8f0; --text-2:#94a3b8; --text-3:#64748b;
+      --border:#334155; --border-light:#1e293b;
+      --blue:#3b82f6; --blue-light:#1e3a5f;
+      --green:#22c55e; --green-light:#052e16;
+      --red:#ef4444; --red-light:#450a0a;
+      --amber:#f59e0b; --amber-light:#451a03;
+      --topbar-bg:#1e293b; --topbar-border:#334155;
+      --hover:rgba(255,255,255,.03); --link:#60a5fa;
+      --shadow:0 1px 3px rgba(0,0,0,.3);
+      color-scheme: dark;
+    }
+    *,*::before,*::after{box-sizing:border-box;}
+    body{font-family:system-ui,sans-serif;line-height:1.45;color:var(--text);background:var(--bg);margin:0;padding:0;}
+    a{color:var(--link);text-decoration:none;} a:hover{text-decoration:underline;}
+
+    .topbar{position:sticky;top:0;z-index:50;background:var(--topbar-bg);border-bottom:1px solid var(--topbar-border);padding:0.45rem 1.25rem;display:flex;justify-content:space-between;align-items:center;gap:0.75rem;backdrop-filter:blur(8px);}
+    .topbar-left{display:flex;align-items:center;gap:0.6rem;flex-wrap:wrap;font-size:0.85rem;}
+    .topbar-left strong{font-size:0.95rem;}
+    .topbar-right{display:flex;align-items:center;gap:0.45rem;}
+    .chip{display:inline-flex;align-items:center;gap:3px;padding:0.15rem 0.5rem;border-radius:9999px;font-size:0.75rem;font-weight:500;background:var(--surface-alt);border:1px solid var(--border);color:var(--text-2);white-space:nowrap;}
+    .chip-ok{background:var(--green-light);color:var(--green);border-color:var(--green);}
+    .chip-err{background:var(--red-light);color:var(--red);border-color:var(--red);}
+    .dot{width:7px;height:7px;border-radius:50%;display:inline-block;}
+    .dot-green{background:var(--green);} .dot-red{background:var(--red);} .dot-gray{background:var(--text-3);}
+    .tb-btn{padding:0.2rem 0.55rem;border-radius:6px;border:1px solid var(--border);background:var(--surface);color:var(--text-2);font-size:0.8rem;cursor:pointer;}
+    .tb-btn:hover{background:var(--hover);}
+
+    main{max-width:1200px;margin:0 auto;padding:1rem 1.25rem 3rem;}
+    .banner{background:var(--amber-light);border:1px solid var(--amber);color:var(--amber);padding:0.6rem 0.85rem;border-radius:8px;font-size:0.88rem;margin:0.75rem 1.25rem 0;max-width:1200px;margin-inline:auto;}
+
+    section{background:var(--surface);border-radius:10px;padding:0;margin-bottom:1rem;box-shadow:var(--shadow);overflow:hidden;}
+    .sh{cursor:pointer;display:flex;justify-content:space-between;align-items:center;padding:0.75rem 1.15rem;user-select:none;border-bottom:1px solid transparent;}
+    .sh:hover{background:var(--hover);}
+    section:not(.collapsed) .sh{border-bottom-color:var(--border-light);}
+    .sh-left{display:flex;align-items:center;gap:0.5rem;}
+    .sh h2{font-size:1rem;margin:0;}
+    .chev::before{content:'\25BE';display:inline-block;transition:transform 0.15s;font-size:0.7rem;color:var(--text-3);width:0.8rem;text-align:center;}
+    .collapsed .chev::before{transform:rotate(-90deg);}
+    .collapsed .sb{display:none;}
+    .sb{padding:0.75rem 1.15rem 1rem;}
+    .badge{font-size:0.72rem;font-weight:600;padding:0.1rem 0.45rem;border-radius:9999px;background:var(--surface-alt);border:1px solid var(--border);color:var(--text-3);}
+    .refreshed{font-size:0.72rem;color:var(--text-3);}
+
+    label{display:block;font-size:0.82rem;color:var(--text-2);margin-bottom:0.3rem;}
+    input[type="password"],input[type="text"]{padding:0.4rem 0.55rem;border:1px solid var(--border);border-radius:6px;font-size:0.9rem;background:var(--surface);color:var(--text);}
+    select{padding:0.4rem 0.5rem;border:1px solid var(--border);border-radius:6px;background:var(--surface);color:var(--text);font-size:0.88rem;}
+    button{padding:0.4rem 0.8rem;border-radius:6px;border:1px solid var(--blue);background:var(--blue);color:#fff;font-size:0.85rem;cursor:pointer;transition:opacity 0.15s;}
+    button:hover:not(:disabled){opacity:0.88;}
+    button:disabled{opacity:0.5;cursor:not-allowed;}
+    button.secondary{background:var(--surface);color:var(--blue);}
+    .row{display:flex;flex-wrap:wrap;gap:0.65rem;align-items:flex-end;margin-top:0.4rem;}
+    .hint{font-size:0.8rem;color:var(--text-3);margin:0.4rem 0 0;}
+    .err{color:var(--red);font-size:0.88rem;margin:0.4rem 0 0;}
+    .mono{font-family:ui-monospace,monospace;font-size:0.78rem;}
+    .small{font-size:0.8rem;}
+    .qchip{padding:0.15rem 0.45rem;border-radius:9999px;border:1px solid var(--border);background:var(--surface-alt);color:var(--text-2);font-size:0.75rem;cursor:pointer;}
+    .qchip:hover{background:var(--blue-light);color:var(--blue);border-color:var(--blue);}
+
+    table{width:100%;border-collapse:collapse;font-size:0.84rem;}
+    th,td{text-align:left;padding:0.4rem 0.35rem;border-bottom:1px solid var(--border-light);vertical-align:top;}
+    th{color:var(--text-3);font-weight:600;font-size:0.78rem;text-transform:uppercase;letter-spacing:0.03em;position:sticky;top:0;background:var(--surface);z-index:1;}
+    tbody tr:hover{background:var(--hover);}
+    .ok{color:var(--green);font-weight:600;}
+    .fail{color:var(--red);font-weight:600;}
+    .warn{color:var(--amber);font-weight:600;}
+    .err-trunc{cursor:pointer;} .err-more{color:var(--link);margin-left:2px;font-size:0.78rem;}
+    tr.clickable{cursor:pointer;}
+    .btn-sm{padding:0.15rem 0.45rem;font-size:0.75rem;border-radius:4px;border:1px solid var(--border);background:var(--surface-alt);color:var(--text-2);cursor:pointer;}
+    .btn-sm:hover:not(:disabled){background:var(--blue-light);color:var(--blue);border-color:var(--blue);}
+    .btn-sm:disabled{opacity:0.4;cursor:not-allowed;}
+
+    pre{background:var(--pre-bg);padding:0.65rem;border-radius:8px;overflow:auto;font-size:0.78rem;max-height:260px;color:var(--text);border:1px solid var(--border-light);}
+    /* Metric groups */
+    .mg-group{margin-top:0.7rem;}
+    .mg-group+.mg-group{margin-top:0.85rem;}
+    .mg-label{font-size:0.7rem;font-weight:600;text-transform:uppercase;letter-spacing:.05em;color:var(--text-3);margin-bottom:0.35rem;padding-left:0.1rem;}
+    .metric-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(145px,1fr));gap:0.5rem;}
+    .metric-card{background:var(--surface-alt);border:1px solid var(--border);border-radius:8px;padding:0.5rem 0.65rem;border-left:3px solid var(--border);transition:border-color 0.2s;}
+    .metric-card .mk{font-size:0.66rem;color:var(--text-3);text-transform:uppercase;letter-spacing:.03em;}
+    .metric-card .mv-row{display:flex;align-items:baseline;gap:0.3rem;margin-top:0.15rem;}
+    .metric-card .mv{font-size:1.1rem;font-weight:700;color:var(--text);word-break:break-all;}
+    .metric-card .mv.mv-red{color:var(--red);}
+    .metric-card .delta{font-size:0.68rem;font-weight:500;}
+    .metric-card .delta-up{color:var(--green);}
+    .metric-card .delta-down{color:var(--red);}
+    .metric-card .delta-zero{color:var(--text-3);}
+    .metric-card.mc-ok{border-left-color:var(--green);}
+    .metric-card.mc-warn{border-left-color:var(--amber);}
+    .metric-card.mc-danger{border-left-color:var(--red);}
+    .spark{display:flex;align-items:flex-end;gap:1px;height:18px;margin-top:0.25rem;}
+    .spark-bar{width:4px;border-radius:1px;background:var(--blue);min-height:1px;transition:height 0.15s;opacity:0.55;}
+    .spark-bar:last-child{opacity:1;}
+    .deploy-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(190px,1fr));gap:0.5rem;}
+    .deploy-card{background:var(--surface-alt);border:1px solid var(--border);border-radius:8px;padding:0.45rem 0.65rem;border-left:3px solid var(--border);transition:border-color 0.2s;}
+    .deploy-card.mc-ok{border-left-color:var(--green);}
+    .deploy-card.mc-warn{border-left-color:var(--amber);}
+    .deploy-card.mc-danger{border-left-color:var(--red);}
+    .deploy-card .dk{font-size:0.68rem;color:var(--text-3);text-transform:uppercase;letter-spacing:.03em;}
+    .deploy-card .dv{font-size:0.9rem;font-weight:500;color:var(--text);margin-top:0.08rem;word-break:break-all;}
+    .vol-bar{display:flex;height:13px;border-radius:3px;overflow:hidden;background:var(--border);min-width:50px;max-width:140px;}
+    .vb-ok{background:var(--green);} .vb-fail{background:var(--red);}
+    .status-line{font-size:0.85rem;margin:0.4rem 0 0.15rem;color:var(--text-2);}
+    .http-ok{color:var(--green);font-weight:600;} .http-warn{color:var(--amber);font-weight:600;} .http-err{color:var(--red);font-weight:600;}
+    .toggle-raw{font-size:0.78rem;color:var(--link);cursor:pointer;background:none;border:none;padding:0;margin-top:0.4rem;}
+
+    /* Toast */
+    .toast-box{position:fixed;bottom:1rem;right:1rem;z-index:200;display:flex;flex-direction:column;gap:0.45rem;max-width:380px;pointer-events:none;}
+    .toast{pointer-events:auto;padding:0.55rem 0.85rem;border-radius:8px;font-size:0.84rem;display:flex;align-items:flex-start;gap:0.45rem;animation:toastin 0.2s ease;box-shadow:0 4px 14px rgba(0,0,0,.18);}
+    .toast-error{background:var(--red-light);color:var(--red);border:1px solid var(--red);}
+    .toast-info{background:var(--blue-light);color:var(--blue);border:1px solid var(--blue);}
+    .toast-x{background:none;border:none;color:inherit;cursor:pointer;font-size:1.1rem;line-height:1;padding:0;opacity:0.6;}
+    .toast-x:hover{opacity:1;}
+    @keyframes toastin{from{opacity:0;transform:translateY(10px);}to{opacity:1;transform:translateY(0);}}
+
+    /* Drawer */
+    .drawer-backdrop{position:fixed;inset:0;background:rgba(0,0,0,.35);z-index:100;}
+    .drawer-panel{position:fixed;top:0;right:0;bottom:0;width:min(440px,90vw);background:var(--surface);z-index:101;box-shadow:-4px 0 20px rgba(0,0,0,.12);display:flex;flex-direction:column;animation:slidein 0.2s ease;}
+    @keyframes slidein{from{transform:translateX(100%);}to{transform:translateX(0);}}
+    .drawer-hd{display:flex;justify-content:space-between;align-items:center;padding:0.75rem 1rem;border-bottom:1px solid var(--border);}
+    .drawer-hd h3{margin:0;font-size:1rem;}
+    .drawer-cx{background:none;border:none;font-size:1.4rem;cursor:pointer;color:var(--text-3);line-height:1;padding:0;}
+    .drawer-bd{flex:1;overflow:auto;padding:0.75rem 1rem;}
+    .detail-tbl{width:100%;border-collapse:collapse;font-size:0.84rem;}
+    .detail-tbl th{text-align:right;padding:0.35rem 0.65rem 0.35rem 0;color:var(--text-3);font-weight:500;white-space:nowrap;width:110px;vertical-align:top;text-transform:none;letter-spacing:0;position:static;}
+    .detail-tbl td{padding:0.35rem 0;word-break:break-all;}
+
+    /* Help overlay */
+    .help-bg{position:fixed;inset:0;background:rgba(0,0,0,.4);z-index:150;display:flex;align-items:center;justify-content:center;}
+    .help-bg[hidden]{display:none;}
+    .help-card{background:var(--surface);border-radius:12px;padding:1.25rem 1.5rem;max-width:360px;width:90vw;box-shadow:0 8px 30px rgba(0,0,0,.18);}
+    .help-card h3{margin:0 0 0.75rem;}
+    .help-card table{width:100%;font-size:0.88rem;}
+    .help-card td{padding:0.25rem 0;}
+    .help-card kbd{background:var(--surface-alt);border:1px solid var(--border);border-radius:4px;padding:0.1rem 0.4rem;font-family:ui-monospace,monospace;font-size:0.82rem;}
+
+    /* Empty state */
+    .empty-state{text-align:center;padding:1.5rem 1rem;color:var(--text-3);font-size:0.88rem;}
+    .empty-state .es-icon{font-size:1.6rem;margin-bottom:0.3rem;opacity:0.5;}
+
+    /* Tabs */
+    .tab-bar{display:flex;gap:0;border-bottom:2px solid var(--border);margin-bottom:1rem;overflow-x:auto;}
+    .tab-btn{padding:0.55rem 1.1rem;border:none;background:none;color:var(--text-3);font-size:0.88rem;font-weight:500;cursor:pointer;border-bottom:2px solid transparent;margin-bottom:-2px;white-space:nowrap;display:inline-flex;align-items:center;gap:0.4rem;transition:color 0.15s,border-color 0.15s;}
+    .tab-btn:hover{color:var(--text);}
+    .tab-btn.tab-active{color:var(--blue);border-bottom-color:var(--blue);}
+    .tab-badge{font-size:0.65rem;font-weight:700;min-width:16px;height:16px;line-height:16px;text-align:center;border-radius:9999px;padding:0 4px;display:none;}
+    .tab-badge.tb-warn{display:inline-block;background:var(--amber-light);color:var(--amber);}
+    .tab-badge.tb-err{display:inline-block;background:var(--red-light);color:var(--red);}
+    .tab-badge.tb-info{display:inline-block;background:var(--blue-light);color:var(--blue);}
+    .tab-panel{display:none;}
+    .tab-panel.tab-visible{display:block;}
+
+    /* Detail badges for trace detail column */
+    .dbadge{display:inline-block;padding:0.08rem 0.35rem;border-radius:4px;font-size:0.72rem;font-weight:500;margin:0 2px;white-space:nowrap;}
+    .dbadge-ok{background:var(--green-light);color:var(--green);}
+    .dbadge-fail{background:var(--red-light);color:var(--red);}
+    .dbadge-neutral{background:var(--surface-alt);border:1px solid var(--border);color:var(--text-2);}
+    .dbadge-target{background:var(--blue-light);color:var(--blue);}
+
+    /* Replay highlight */
+    tr.trace-replay{background:var(--blue-light);}
+    tr.trace-replay:hover{background:var(--blue-light);}
+
+    /* Copy tooltip */
+    .copy-card{cursor:pointer;position:relative;}
+    .copy-card:hover{border-color:var(--blue);}
+    .copy-tip{position:absolute;top:-1.6rem;left:50%;transform:translateX(-50%);background:var(--text);color:var(--bg);padding:0.15rem 0.45rem;border-radius:4px;font-size:0.7rem;white-space:nowrap;pointer-events:none;opacity:0;transition:opacity 0.2s;}
+    .copy-card.copied .copy-tip{opacity:1;}
+
+    /* Token reveal */
+    .token-wrap{position:relative;display:flex;flex:1;min-width:200px;max-width:28rem;}
+    .token-wrap input{flex:1;padding-right:2.2rem;}
+    .token-eye{position:absolute;right:0.45rem;top:50%;transform:translateY(-50%);background:none;border:none;cursor:pointer;color:var(--text-3);font-size:1rem;padding:0;line-height:1;}
+
+    /* Workflow cards */
+    .wf-card{background:var(--surface-alt);border:1px solid var(--border);border-radius:10px;padding:0.75rem 0.9rem;border-left:3px solid var(--blue);}
+    .wf-card+.wf-card{margin-top:0.65rem;}
+    .wf-name{font-size:0.95rem;font-weight:600;color:var(--text);margin-bottom:0.4rem;}
+    .wf-flow{display:flex;align-items:center;gap:0.5rem;flex-wrap:wrap;margin-bottom:0.35rem;font-size:0.84rem;}
+    .wf-repo{background:var(--surface);border:1px solid var(--border);border-radius:6px;padding:0.2rem 0.55rem;font-family:ui-monospace,monospace;font-size:0.8rem;}
+    .wf-arrow{color:var(--text-3);font-size:0.9rem;}
+    .wf-meta{display:flex;flex-wrap:wrap;gap:0.4rem;margin-top:0.3rem;}
+    .wf-tag{display:inline-block;padding:0.1rem 0.4rem;border-radius:4px;font-size:0.72rem;font-weight:500;background:var(--surface);border:1px solid var(--border);color:var(--text-2);}
+    .wf-tag-pr{background:var(--blue-light);color:var(--blue);border-color:var(--blue);}
+    .wf-tag-direct{background:var(--green-light);color:var(--green);border-color:var(--green);}
+    .wf-transforms{margin-top:0.35rem;font-size:0.8rem;color:var(--text-2);}
+
+    /* Recent copies feed */
+    .copy-feed{display:flex;flex-direction:column;gap:0.5rem;margin-top:0.5rem;}
+    .copy-item{background:var(--surface-alt);border:1px solid var(--border);border-radius:8px;padding:0.55rem 0.75rem;display:flex;justify-content:space-between;align-items:flex-start;gap:0.75rem;border-left:3px solid var(--green);}
+    .copy-item.copy-fail{border-left-color:var(--red);}
+    .copy-paths{flex:1;min-width:0;}
+    .copy-path{font-family:ui-monospace,monospace;font-size:0.82rem;word-break:break-all;}
+    .copy-path-arrow{color:var(--text-3);margin:0 0.3rem;font-size:0.75rem;}
+    .copy-right{text-align:right;white-space:nowrap;font-size:0.78rem;color:var(--text-3);}
+
+    /* PR search bar */
+    .pr-search{display:flex;gap:0.5rem;align-items:flex-end;margin-bottom:0.65rem;padding:0.55rem 0.75rem;background:var(--surface-alt);border:1px solid var(--border);border-radius:8px;}
+    .pr-search input{flex:1;max-width:14rem;}
+
+    /* File match tester */
+    .fmt-result{margin-top:0.5rem;padding:0.5rem 0.7rem;border-radius:8px;font-size:0.84rem;}
+    .fmt-match{background:var(--green-light);border:1px solid var(--green);color:var(--green);}
+    .fmt-no{background:var(--surface-alt);border:1px solid var(--border);color:var(--text-3);}
+    .fmt-target{font-family:ui-monospace,monospace;font-size:0.8rem;margin-top:0.15rem;}
+    .wf-card.wf-match{border-left-color:var(--green);background:color-mix(in srgb,var(--green-light) 30%,var(--surface-alt));}
+    .wf-card.wf-nomatch{opacity:0.45;}
+
+    /* Timeline */
+    .timeline{margin-top:0.5rem;}
+    .tl-item{display:flex;gap:0.65rem;padding:0.45rem 0;border-bottom:1px solid var(--border-light);font-size:0.84rem;}
+    .tl-dot{width:10px;height:10px;border-radius:50%;margin-top:0.25rem;flex-shrink:0;}
+    .tl-dot-ok{background:var(--green);} .tl-dot-fail{background:var(--red);} .tl-dot-info{background:var(--blue);} .tl-dot-warn{background:var(--amber);}
+    .tl-body{flex:1;min-width:0;}
+    .tl-title{font-weight:500;} .tl-detail{font-size:0.8rem;color:var(--text-2);margin-top:0.1rem;}
+
+    /* Help content */
+    .help-content{font-size:0.88rem;line-height:1.6;color:var(--text-2);}
+    .help-content h3{font-size:0.95rem;color:var(--text);margin:1rem 0 0.3rem;}
+    .help-content h3:first-child{margin-top:0;}
+    .help-content code{background:var(--surface-alt);border:1px solid var(--border);border-radius:3px;padding:0.1rem 0.3rem;font-size:0.82rem;}
+    .help-content ol,.help-content ul{padding-left:1.4rem;margin:0.3rem 0;}
+    .help-content li{margin:0.2rem 0;}
+
+    /* Mode toggle */
+    .mode-toggle{display:inline-flex;border:1px solid var(--border);border-radius:6px;overflow:hidden;font-size:0.78rem;}
+    .mode-toggle button{padding:0.18rem 0.55rem;border:none;background:var(--surface);color:var(--text-3);cursor:pointer;font-size:0.78rem;font-weight:500;transition:all 0.15s;}
+    .mode-toggle button.mode-active{background:var(--blue);color:#fff;}
+    .mode-toggle button:not(.mode-active):hover{background:var(--hover);color:var(--text);}
+    /* Writer mode: hide operator-only tabs */
+    body.writer-mode .tab-btn[data-tab="overview"],
+    body.writer-mode .tab-btn[data-tab="webhooks"],
+    body.writer-mode .tab-btn[data-tab="system"]{display:none;}
+
+    /* Log viewer */
+    .log-entry{padding:0.25rem 0;border-bottom:1px solid var(--border-light);font-size:0.8rem;font-family:ui-monospace,monospace;display:flex;gap:0.5rem;}
+    .log-entry .log-time{color:var(--text-3);white-space:nowrap;min-width:5rem;}
+    .log-entry .log-level{font-weight:600;min-width:3.5rem;text-transform:uppercase;}
+    .log-entry .log-level-info{color:var(--blue);}
+    .log-entry .log-level-warn{color:var(--amber);}
+    .log-entry .log-level-error{color:var(--red);}
+    .log-entry .log-msg{flex:1;word-break:break-all;}
+    .log-fields{color:var(--text-3);font-size:0.75rem;margin-left:8.5rem;}
+
+    /* Responsive: hide less-critical audit columns on narrow screens */
+    @media(max-width:900px){
+      .audit-hide-narrow{display:none;}
+    }
   </style>
 </head>
 <body>
-  <h1>GitHub Copier — Operator</h1>
-  <p class="sub">Recent copy audit events, deployment metadata, and optional tag-based release (same trigger as CI on version tags).</p>
 
-  <section>
-    <h2>Access</h2>
-    <label for="token">Operator token (<code>OPERATOR_UI_TOKEN</code>)</label>
-    <div class="row">
-      <input id="token" type="password" autocomplete="off" placeholder="Paste token" style="flex:1;min-width:220px" />
-      <button type="button" id="saveToken">Save in session</button>
-      <button type="button" class="secondary" id="clearToken">Clear</button>
-    </div>
-    <p class="hint">Stored only in <code>sessionStorage</code> for this browser tab. Send <code>Authorization: Bearer …</code> on API calls.</p>
-  </section>
+<div class="topbar">
+  <div class="topbar-left">
+    <strong>GitHub Copier</strong>
+    <span class="chip" id="tbVersion">...</span>
+    <span class="chip" id="tbUptime" hidden></span>
+    <span class="chip" id="tbMongo" hidden></span>
+    <span class="chip" id="tbLastWH" hidden></span>
+    <span class="chip chip-err" id="tbConn" hidden><span class="dot dot-red"></span> Disconnected</span>
+  </div>
+  <div class="topbar-right">
+    <div class="mode-toggle" id="modeToggle"><button data-mode="writer" title="Writer view: Workflows + Audit">Writer</button><button data-mode="operator" title="Operator view: all tabs">Operator</button></div>
+    <button class="tb-btn" id="timeToggle" title="Toggle absolute/relative times (T)">REL</button>
+    <button class="tb-btn" id="refreshAll" title="Refresh all sections (R)">&#8635; Refresh all</button>
+    <button class="tb-btn" id="darkToggle" title="Toggle dark mode (D)">&#9788;</button>
+    <button class="tb-btn" id="helpBtn" title="Keyboard shortcuts (?)">?</button>
+  </div>
+</div>
+
+<div id="serverStatusBanner" class="banner" hidden></div>
+
+<main>
 
   <section>
-    <h2>Recent copy events</h2>
-    <div class="row">
-      <div>
-        <label for="limit">Limit</label>
-        <input id="limit" type="text" value="50" style="width:4rem" />
+    <div class="sb" style="padding-top:0.85rem">
+      <label for="token"><strong>Operator token</strong> (<code>OPERATOR_UI_TOKEN</code>)</label>
+      <div class="row">
+        <div class="token-wrap"><input id="token" type="password" autocomplete="off" placeholder="Paste token" /><button type="button" class="token-eye" id="tokenEye" title="Show/hide token">&#x1F441;</button></div>
+        <button type="button" id="saveToken">Save in session</button>
+        <button type="button" class="secondary" id="clearToken">Clear</button>
       </div>
-      <button type="button" id="loadAudit">Refresh</button>
-    </div>
-    <p id="auditErr" class="err" hidden></p>
-    <div style="overflow:auto;margin-top:0.75rem">
-      <table>
-        <thead>
-          <tr>
-            <th>Time</th>
-            <th>Status</th>
-            <th>Rule</th>
-            <th>Source</th>
-            <th>Target</th>
-            <th>PR</th>
-            <th>Error</th>
-          </tr>
-        </thead>
-        <tbody id="auditBody"></tbody>
-      </table>
+      <p class="hint">Stored in <code>sessionStorage</code> (this tab only).</p>
     </div>
   </section>
 
-  <section>
-    <h2>Deployment</h2>
-    <button type="button" id="loadDeploy">Load</button>
-    <p id="deployErr" class="err" hidden></p>
-    <pre id="deployJson" hidden></pre>
-  </section>
+  <!-- Tab bar -->
+  <div class="tab-bar">
+    <button class="tab-btn tab-active" data-tab="overview" onclick="switchTab('overview')">Overview<span class="tab-badge" id="tabBadgeOverview"></span></button>
+    <button class="tab-btn" data-tab="webhooks" onclick="switchTab('webhooks')">Webhooks<span class="tab-badge" id="tabBadgeWebhooks"></span></button>
+    <button class="tab-btn" data-tab="audit" onclick="switchTab('audit')">Audit<span class="tab-badge" id="tabBadgeAudit"></span></button>
+    <button class="tab-btn" data-tab="workflows" onclick="switchTab('workflows')">Workflows<span class="tab-badge" id="tabBadgeWorkflows"></span></button>
+    <button class="tab-btn" data-tab="system" onclick="switchTab('system')">System<span class="tab-badge" id="tabBadgeSystem"></span></button>
+  </div>
 
-  <section>
-    <h2>Release (tag → deploy)</h2>
-    <p class="hint">Production deploy runs on <strong>version tag</strong> pushes (<code>vMAJOR.MINOR.PATCH</code>). Changelog updates still require <code>scripts/release.sh</code> locally unless you only create a tag.</p>
-    <label for="version">Version tag</label>
-    <div class="row">
-      <input id="version" type="text" placeholder="v0.4.0" style="max-width:10rem" />
-      <button type="button" id="doRelease">Create tag via API</button>
+  <!-- ── Overview tab ── -->
+  <div class="tab-panel tab-visible" data-tab="overview">
+    <section data-section="metrics">
+      <div class="sh" onclick="toggleSection('metrics')">
+        <div class="sh-left"><span class="chev"></span><h2>Live metrics</h2><span class="badge" id="metricsCount"></span></div>
+        <span class="refreshed" id="metricsRefreshed"></span>
+      </div>
+      <div class="sb">
+        <div class="row">
+          <button type="button" id="loadMetricsCards">Refresh</button>
+          <label class="small" style="display:flex;align-items:center;gap:0.3rem;margin:0"><input type="checkbox" id="metricsAuto" /> Auto 10s</label>
+        </div>
+        <p id="metricsCardErr" class="err" hidden></p>
+        <div id="metricsCards" class="metric-grid"></div>
+      </div>
+    </section>
+
+    <section data-section="deployment">
+      <div class="sh" onclick="toggleSection('deployment')"><div class="sh-left"><span class="chev"></span><h2>Deployment</h2></div></div>
+      <div class="sb">
+        <button type="button" id="loadDeploy">Load</button>
+        <p id="deployErr" class="err" hidden></p>
+        <div id="deployCards" class="deploy-grid" hidden></div>
+        <button type="button" class="toggle-raw" id="deployToggleRaw" hidden>Show raw JSON</button>
+        <pre id="deployJson" hidden></pre>
+      </div>
+    </section>
+  </div>
+
+  <!-- ── Webhooks tab ── -->
+  <div class="tab-panel" data-tab="webhooks">
+    <section data-section="traces">
+      <div class="sh" onclick="toggleSection('traces')">
+        <div class="sh-left"><span class="chev"></span><h2>Recent webhook activity</h2><span class="badge" id="tracesCount"></span></div>
+        <span class="refreshed" id="tracesRefreshed"></span>
+      </div>
+      <div class="sb">
+        <div class="row">
+          <div><label for="traceLimit">Limit</label><input id="traceLimit" type="text" value="50" style="width:3.5rem" /></div>
+          <div><label for="traceOutcome">Outcome</label><select id="traceOutcome"><option value="">all</option><option value="processed_ok">processed_ok</option><option value="skipped_not_merged_pr">skipped</option><option value="duplicate_delivery">duplicate</option><option value="processing_failed">failed</option></select></div>
+          <div style="flex:1;min-width:120px;max-width:220px"><label for="traceSearch">Search</label><input id="traceSearch" type="text" placeholder="repo, delivery, detail..." style="width:100%" /></div>
+          <button type="button" id="loadTraces">Refresh</button>
+          <label class="small" style="display:flex;align-items:center;gap:0.3rem;margin:0"><input type="checkbox" id="tracesAuto" /> Auto 30s</label>
+        </div>
+        <p id="traceErr" class="err" hidden></p>
+        <div style="overflow:auto;margin-top:0.5rem;max-height:520px">
+          <table><thead><tr><th>Time</th><th>Outcome</th><th>Repo</th><th>PR</th><th>Base</th><th>Event</th><th>Action</th><th>Delivery</th><th>Detail</th><th></th></tr></thead><tbody id="traceBody"></tbody></table>
+        </div>
+      </div>
+    </section>
+
+    <section data-section="deliveries">
+      <div class="sh" onclick="toggleSection('deliveries')"><div class="sh-left"><span class="chev"></span><h2>Webhook deliveries (dedup)</h2><span class="badge" id="delCount"></span></div></div>
+      <div class="sb">
+        <p class="hint" style="margin-top:0">Recent <code>X-GitHub-Delivery</code> IDs. In-memory; resets on restart.</p>
+        <div class="row">
+          <div><label for="delLimit">Limit</label><input id="delLimit" type="text" value="50" style="width:3.5rem" /></div>
+          <button type="button" id="loadDeliveries">Refresh</button>
+        </div>
+        <p id="delErr" class="err" hidden></p>
+        <div style="overflow:auto;margin-top:0.5rem;max-height:320px"><table><thead><tr><th>Seen</th><th>Delivery ID</th><th>Duplicate</th></tr></thead><tbody id="delBody"></tbody></table></div>
+      </div>
+    </section>
+  </div>
+
+  <!-- ── Audit tab ── -->
+  <div class="tab-panel" data-tab="audit">
+    <!-- PR lookup -->
+    <div class="pr-search">
+      <div><label for="prLookup">PR lookup</label><input id="prLookup" type="text" placeholder="PR # or repo/PR" style="width:10rem" /></div>
+      <div style="flex:1;max-width:14rem"><label for="pathLookup">File path search</label><input id="pathLookup" type="text" placeholder="docs/setup.md" style="width:100%" /></div>
+      <button type="button" id="prLookupBtn">Search</button>
+      <button type="button" class="secondary" id="prLookupClear">Clear</button>
     </div>
-    <p id="relErr" class="err" hidden></p>
-    <pre id="relJson" hidden></pre>
-  </section>
 
-  <script>
-    const TKEY = 'github-copier-operator-token';
-    function authHeaders() {
-      const t = sessionStorage.getItem(TKEY) || '';
-      const h = { 'Accept': 'application/json' };
-      if (t) h['Authorization'] = 'Bearer ' + t;
-      return h;
-    }
-    function showErr(id, msg) {
-      const el = document.getElementById(id);
-      if (!msg) { el.hidden = true; el.textContent = ''; return; }
-      el.hidden = false; el.textContent = msg;
+    <!-- PR timeline (shown when PR lookup is active) -->
+    <section data-section="pr-timeline" id="prTimelineSection" hidden>
+      <div class="sh" onclick="toggleSection('pr-timeline')">
+        <div class="sh-left"><span class="chev"></span><h2>PR timeline</h2><span class="badge" id="prTimelineBadge"></span></div>
+      </div>
+      <div class="sb">
+        <div id="prTimeline" class="timeline"></div>
+      </div>
+    </section>
+
+    <!-- Recent copies feed -->
+    <section data-section="recent-copies">
+      <div class="sh" onclick="toggleSection('recent-copies')">
+        <div class="sh-left"><span class="chev"></span><h2>Recent copies</h2><span class="badge" id="recentCopiesCount"></span></div>
+      </div>
+      <div class="sb">
+        <p class="hint" style="margin-top:0">Latest file copies at a glance. Click any item to see full details.</p>
+        <div id="recentCopiesFeed" class="copy-feed"></div>
+      </div>
+    </section>
+
+    <section data-section="audit-events">
+      <div class="sh" onclick="toggleSection('audit-events')">
+        <div class="sh-left"><span class="chev"></span><h2>Audit events</h2><span class="badge" id="auditCount"></span></div>
+        <span class="refreshed" id="auditRefreshed"></span>
+      </div>
+      <div class="sb">
+        <div class="row">
+          <div><label for="limit">Limit</label><input id="limit" type="text" value="50" style="width:3.5rem" /></div>
+          <div><label for="fltEvent">Event type</label><select id="fltEvent"><option value="">any</option><option value="copy">copy</option><option value="deprecation">deprecation</option><option value="error">error</option></select></div>
+          <div><label for="fltSuccess">Status</label><select id="fltSuccess"><option value="">any</option><option value="true">ok</option><option value="false">failed</option></select></div>
+          <div><label for="fltRule">Rule name</label><input id="fltRule" type="text" placeholder="exact match" style="max-width:9rem" /></div>
+          <div style="min-width:11rem"><label for="fltSince">Since</label><input id="fltSince" type="text" placeholder="RFC3339 or use presets" class="mono" style="width:100%" /></div>
+          <button type="button" id="loadAudit">Apply</button>
+          <button type="button" class="secondary" id="exportCSV" title="Export displayed rows as CSV">CSV</button>
+          <label class="small" style="display:flex;align-items:center;gap:0.3rem;margin:0"><input type="checkbox" id="auditAuto" /> Auto 30s</label>
+        </div>
+        <div class="row" style="gap:0.3rem;margin-top:0.3rem">
+          <span class="small" style="color:var(--text-3)">Quick:</span>
+          <button class="qchip" type="button" onclick="setSince(1)">1h</button>
+          <button class="qchip" type="button" onclick="setSince(24)">24h</button>
+          <button class="qchip" type="button" onclick="setSince(168)">7d</button>
+          <button class="qchip" type="button" onclick="setSince(720)">30d</button>
+          <button class="qchip" type="button" onclick="document.getElementById('fltSince').value='';loadAuditBtn()">clear</button>
+        </div>
+        <p id="auditErr" class="err" hidden></p>
+        <p id="auditEmptyHint" class="hint" hidden>No rows for this query. Check <code>AUDIT_ENABLED</code>, Mongo connectivity, and that <code>DRY_RUN</code> is off.</p>
+        <div style="overflow:auto;margin-top:0.5rem;max-height:520px">
+          <table><thead><tr><th>Time</th><th class="audit-hide-narrow">Type</th><th>Status</th><th>Rule</th><th>Source</th><th>Target</th><th class="audit-hide-narrow">SHA</th><th>PR</th><th>Error</th></tr></thead><tbody id="auditBody"></tbody></table>
+        </div>
+      </div>
+    </section>
+
+    <section data-section="aggregates">
+      <div class="sh" onclick="toggleSection('aggregates')">
+        <div class="sh-left"><span class="chev"></span><h2>Audit aggregates</h2></div>
+      </div>
+      <div class="sb">
+        <div class="row">
+          <div><label for="ovDays">Days</label><input id="ovDays" type="text" value="14" style="width:3rem" /></div>
+          <button type="button" id="loadOverview">Load</button>
+        </div>
+        <p id="ovErr" class="err" hidden></p>
+        <h3 class="small" style="margin:0.65rem 0 0.3rem">Daily copy volume</h3>
+        <div style="overflow:auto"><table><thead><tr><th>Date</th><th>Total</th><th>OK</th><th>Failed</th><th style="min-width:80px"></th></tr></thead><tbody id="ovDailyBody"></tbody></table></div>
+        <h3 class="small" style="margin:0.65rem 0 0.3rem">By rule</h3>
+        <div style="overflow:auto"><table><thead><tr><th>Rule</th><th>Total</th><th>OK</th><th>Failed</th><th>Avg ms</th><th style="min-width:80px">Success</th></tr></thead><tbody id="ovRuleBody"></tbody></table></div>
+      </div>
+    </section>
+  </div>
+
+  <!-- ── Workflows tab ── -->
+  <div class="tab-panel" data-tab="workflows">
+    <!-- File match tester -->
+    <section data-section="file-tester">
+      <div class="sh" onclick="toggleSection('file-tester')">
+        <div class="sh-left"><span class="chev"></span><h2>File match tester</h2></div>
+      </div>
+      <div class="sb">
+        <p class="hint" style="margin-top:0">Enter a source file path to see which workflow rules would match it and where the file would be copied.</p>
+        <div class="row">
+          <div style="flex:1;max-width:24rem"><label for="fmtPath">Source file path</label><input id="fmtPath" type="text" placeholder="docs/api/endpoints.md" style="width:100%" /></div>
+          <button type="button" id="fmtTest">Test</button>
+          <button type="button" class="secondary" id="fmtClear">Clear</button>
+        </div>
+        <div id="fmtResults" style="margin-top:0.5rem"></div>
+      </div>
+    </section>
+
+    <!-- Workflow browser -->
+    <section data-section="wf-browser">
+      <div class="sh" onclick="toggleSection('wf-browser')">
+        <div class="sh-left"><span class="chev"></span><h2>Active workflows</h2><span class="badge" id="wfCount"></span></div>
+      </div>
+      <div class="sb">
+        <p class="hint" style="margin-top:0">Source &rarr; target mappings loaded from the copier config. Shows file patterns, commit strategy, and transformation rules.</p>
+        <div class="row">
+          <div style="flex:1;max-width:16rem"><label for="wfSearch">Search workflows</label><input id="wfSearch" type="text" placeholder="rule name, repo, path..." style="width:100%" /></div>
+          <button type="button" id="loadWorkflows">Refresh</button>
+        </div>
+        <p id="wfErr" class="err" hidden></p>
+        <div id="wfCards" style="margin-top:0.65rem"></div>
+      </div>
+    </section>
+
+    <!-- Getting started / help -->
+    <section data-section="wf-help">
+      <div class="sh" onclick="toggleSection('wf-help')">
+        <div class="sh-left"><span class="chev"></span><h2>How it works</h2></div>
+      </div>
+      <div class="sb">
+        <div class="help-content">
+          <h3>What is GitHub Copier?</h3>
+          <p>GitHub Copier automatically copies files between repositories when pull requests are merged. It listens for GitHub webhook events and runs <strong>workflow rules</strong> that define which files to copy and where.</p>
+
+          <h3>When does a copy happen?</h3>
+          <ol>
+            <li>You merge a PR in a <strong>source repository</strong></li>
+            <li>GitHub sends a webhook to the copier service</li>
+            <li>The copier loads its config and checks which <strong>workflows</strong> match the source repo and branch</li>
+            <li>For each matching workflow, it checks which <strong>changed files</strong> match the transformation rules</li>
+            <li>Matched files are copied to the <strong>target repository</strong> (via direct commit or pull request)</li>
+          </ol>
+
+          <h3>How do I check if my file is covered?</h3>
+          <ol>
+            <li>Go to the <strong>File match tester</strong> above</li>
+            <li>Enter your file path (e.g., <code>docs/api/endpoints.md</code>)</li>
+            <li>Click <strong>Test</strong> to see which workflows match and where the file would be copied</li>
+          </ol>
+
+          <h3>My file wasn't copied &mdash; why?</h3>
+          <ul>
+            <li>The PR must be <strong>merged</strong> (not just closed) to trigger a copy</li>
+            <li>The source repo and branch must match a workflow's <code>source</code> setting</li>
+            <li>The file path must match at least one <strong>transformation rule</strong> (move, copy, glob, or regex)</li>
+            <li>The file must not be in an <strong>exclude</strong> pattern</li>
+            <li>Check the <strong>Audit</strong> tab &rarr; PR lookup to see if the webhook was received and what happened</li>
+          </ul>
+
+          <h3>Keyboard shortcuts</h3>
+          <p>Press <kbd>?</kbd> anywhere to see all shortcuts, or <kbd>1</kbd>&ndash;<kbd>5</kbd> to switch tabs.</p>
+        </div>
+      </div>
+    </section>
+  </div>
+
+  <!-- ── System tab ── -->
+  <div class="tab-panel" data-tab="system">
+    <section data-section="probes">
+      <div class="sh" onclick="toggleSection('probes')"><div class="sh-left"><span class="chev"></span><h2>Liveness, readiness &amp; metrics</h2></div></div>
+      <div class="sb">
+        <p class="hint" style="margin-top:0">Public probe routes. No token required.</p>
+        <div class="row"><button type="button" id="loadProbes">Refresh</button></div>
+        <div style="margin-top:0.5rem">
+          <p class="status-line"><strong>GET /health</strong> <span id="healthStatus"></span></p><pre id="healthJson" hidden></pre>
+          <p class="status-line"><strong>GET /ready</strong> <span id="readyStatus"></span></p><pre id="readyJson" hidden></pre>
+          <p class="status-line"><strong>GET /metrics</strong> <span id="metricsStatus"></span></p><pre id="metricsJson" hidden></pre>
+        </div>
+        <p id="probesErr" class="err" hidden></p>
+      </div>
+    </section>
+
+    <section data-section="release">
+      <div class="sh" onclick="toggleSection('release')"><div class="sh-left"><span class="chev"></span><h2>Release (tag &rarr; deploy)</h2></div></div>
+      <div class="sb">
+        <p class="hint" style="margin-top:0">Pushes a <code>vMAJOR.MINOR.PATCH</code> tag. Changelog requires <code>scripts/release.sh</code>.</p>
+        <label for="version">Version tag</label>
+        <div class="row"><input id="version" type="text" placeholder="v0.4.0" style="max-width:10rem" /><button type="button" id="doRelease">Create tag via API</button></div>
+        <p id="relErr" class="err" hidden></p><pre id="relJson" hidden></pre>
+      </div>
+    </section>
+  </div>
+
+</main>
+
+<!-- Toast container -->
+<div id="toasts" class="toast-box"></div>
+
+<!-- Help overlay -->
+<div id="helpOverlay" class="help-bg" hidden onclick="if(event.target===this)this.hidden=true">
+  <div class="help-card">
+    <h3>Keyboard shortcuts</h3>
+    <table>
+      <tr><td><kbd>1</kbd>-<kbd>5</kbd></td><td>Switch tab (Overview, Webhooks, Audit, Workflows, System)</td></tr>
+      <tr><td><kbd>R</kbd></td><td>Refresh all sections</td></tr>
+      <tr><td><kbd>D</kbd></td><td>Toggle dark mode</td></tr>
+      <tr><td><kbd>T</kbd></td><td>Toggle absolute / relative times</td></tr>
+      <tr><td><kbd>W</kbd></td><td>Toggle Writer / Operator mode</td></tr>
+      <tr><td><kbd>?</kbd></td><td>Show this help</td></tr>
+      <tr><td><kbd>Esc</kbd></td><td>Close drawer or overlay</td></tr>
+    </table>
+    <div style="margin-top:0.75rem;text-align:right"><button type="button" onclick="$('helpOverlay').hidden=true">Close</button></div>
+  </div>
+</div>
+
+<script>
+/* ── Utilities ── */
+var TKEY='github-copier-operator-token', SKEY='operator-sections', DKEY='operator-dark', TMKEY='operator-time-mode';
+var COP_ORIGIN=(location.protocol==='file:'||!location.origin)?'':location.origin;
+function appURL(p){return COP_ORIGIN?COP_ORIGIN+(p[0]==='/'?p:'/'+p):p;}
+function authHeaders(){var t=sessionStorage.getItem(TKEY)||'',h={Accept:'application/json'};if(t)h['Authorization']='Bearer '+t;return h;}
+function hasToken(){return!!sessionStorage.getItem(TKEY);}
+function escapeHtml(s){return String(s).replace(/[&<>"']/g,function(c){return{'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c];});}
+function showErr(id,msg){var el=$(id);if(!msg){el.hidden=true;el.textContent='';return;}el.hidden=false;el.textContent=msg;}
+function $(id){return document.getElementById(id);}
+function fmtNum(n){return(n===undefined||n===null||n===''||(typeof n==='number'&&!isFinite(n)))?'\u2014':String(n);}
+function p2(n){return String(n).padStart(2,'0');}
+function fmtUptime(s){if(s==null||s<0)return'\u2014';var d=Math.floor(s/86400),h=Math.floor(s%86400/3600),m=Math.floor(s%3600/60);if(d>0)return d+'d '+h+'h '+m+'m';if(h>0)return h+'h '+m+'m';return m+'m '+(s%60|0)+'s';}
+
+/* Time formatting with mode toggle (#7) */
+var timeMode=localStorage.getItem(TMKEY)||'abs';
+function fmtAbsTime(raw){try{var d=new Date(raw);if(isNaN(d.getTime()))return escapeHtml(raw);var mo=d.toLocaleString('en-US',{month:'short'});return escapeHtml(mo+' '+d.getDate()+', '+p2(d.getHours())+':'+p2(d.getMinutes())+':'+p2(d.getSeconds()));}catch(e){return escapeHtml(raw);}}
+function fmtRelTime(raw){try{var ago=Math.round((Date.now()-new Date(raw).getTime())/1000);if(ago<0)return'future';if(ago<60)return ago+'s ago';if(ago<3600)return Math.floor(ago/60)+'m ago';if(ago<86400)return Math.floor(ago/3600)+'h ago';return Math.floor(ago/86400)+'d ago';}catch(e){return escapeHtml(raw);}}
+function fmtTimeVal(raw){return timeMode==='rel'?fmtRelTime(raw):fmtAbsTime(raw);}
+function fmtTime(raw){if(!raw)return'';try{if(isNaN(new Date(raw).getTime()))return escapeHtml(raw);}catch(e){return escapeHtml(raw);}return'<span data-ts="'+escapeHtml(String(raw))+'" title="'+escapeHtml(String(raw))+'">'+fmtTimeVal(raw)+'</span>';}
+function syncTimeBtn(){$('timeToggle').textContent=timeMode==='abs'?'REL':'ABS';$('timeToggle').title=timeMode==='abs'?'Switch to relative times (T)':'Switch to absolute times (T)';}
+function toggleTimeMode(){timeMode=timeMode==='abs'?'rel':'abs';localStorage.setItem(TMKEY,timeMode);syncTimeBtn();document.querySelectorAll('[data-ts]').forEach(function(el){el.textContent=fmtTimeVal(el.dataset.ts);});}
+$('timeToggle').onclick=toggleTimeMode;
+
+/* GitHub links */
+function ghLink(repo,text){if(!repo)return escapeHtml(text||'');return'<a href="https://github.com/'+encodeURI(repo)+'" target="_blank" rel="noopener">'+escapeHtml(text||repo)+'</a>';}
+function ghPR(repo,num){if(!num)return'';if(!repo)return'#'+num;return'<a href="https://github.com/'+encodeURI(repo)+'/pull/'+num+'" target="_blank" rel="noopener">#'+num+'</a>';}
+function ghCommit(repo,sha){if(!sha)return'';var short=sha.slice(0,8);if(!repo)return'<span class="mono">'+escapeHtml(short)+'</span>';return'<a href="https://github.com/'+encodeURI(repo)+'/commit/'+encodeURI(sha)+'" target="_blank" rel="noopener" class="mono">'+escapeHtml(short)+'</a>';}
+
+/* Loading state */
+async function withLoading(btnId,fn){var btn=$(btnId);if(!btn||btn.disabled)return;var orig=btn.textContent;btn.disabled=true;btn.textContent='Loading\u2026';try{await fn();}finally{btn.disabled=false;btn.textContent=orig;}}
+function setBadge(id,text){var el=$(id);if(el)el.textContent=text;}
+function setRefreshed(id){var el=$(id);if(el)el.dataset.refreshedAt=String(Date.now());}
+
+/* Toast notifications (#1) */
+function toast(msg,type){type=type||'info';var c=$('toasts'),t=document.createElement('div');t.className='toast toast-'+type;t.innerHTML='<span style="flex:1">'+escapeHtml(msg)+'</span><button class="toast-x" onclick="this.parentNode.remove()">&times;</button>';c.appendChild(t);setTimeout(function(){if(t.parentNode)t.remove();},5000);}
+var _lastAutoErr={};
+function checkAutoToast(section,errId){var el=$(errId);if(!el)return;var has=!el.hidden,msg=has?el.textContent:'';if(has&&_lastAutoErr[section]!==msg){_lastAutoErr[section]=msg;toast(section+': '+msg,'error');}else if(!has){delete _lastAutoErr[section];}}
+
+/* Empty state helper */
+function emptyState(tbodyId,cols,icon,msg){
+  var tb=$(tbodyId);if(!tb)return;
+  if(tb.rows.length===0){
+    var tr=document.createElement('tr');
+    tr.innerHTML='<td colspan="'+cols+'" class="empty-state"><div class="es-icon">'+(icon||'')+'</div>'+escapeHtml(msg||'No data')+'</td>';
+    tb.appendChild(tr);
+  }
+}
+
+/* Parse trace detail into badges */
+function parseDetailBadges(detail){
+  if(!detail)return'';
+  // Pattern: "attempt N | X matched, Y uploaded, Z failed | targets: repo1, repo2"
+  var m=detail.match(/^attempt (\d+) \| (\d+) matched, (\d+) uploaded, (\d+) failed \| targets: (.+)$/);
+  if(m){
+    var badges='<span class="dbadge dbadge-neutral">attempt '+escapeHtml(m[1])+'</span>';
+    badges+='<span class="dbadge dbadge-neutral">'+escapeHtml(m[2])+' matched</span>';
+    var up=parseInt(m[3],10); badges+='<span class="dbadge '+(up>0?'dbadge-ok':'dbadge-neutral')+'">'+up+' uploaded</span>';
+    var fl=parseInt(m[4],10); if(fl>0)badges+='<span class="dbadge dbadge-fail">'+fl+' failed</span>';
+    m[5].split(', ').forEach(function(t){t=t.trim();if(t&&t!=='(none)')badges+='<span class="dbadge dbadge-target">'+escapeHtml(t)+'</span>';});
+    return badges;
+  }
+  // Fallback: plain text (truncated)
+  return escapeHtml(detail.slice(0,260));
+}
+
+/* Copy to clipboard helper */
+function copyToClip(text,el){
+  navigator.clipboard.writeText(text).then(function(){
+    el.classList.add('copied');
+    setTimeout(function(){el.classList.remove('copied');},1200);
+  }).catch(function(){});
+}
+
+/* Dynamic tab title */
+var _failCount=0;
+function updateTabTitle(){
+  document.title=_failCount>0?'GitHub Copier \u2014 '+_failCount+' failed':'GitHub Copier \u2014 Operator';
+}
+
+/* Token reveal toggle */
+$('tokenEye').onclick=function(){
+  var inp=$('token');
+  var isPassword=inp.type==='password';
+  inp.type=isPassword?'text':'password';
+  this.textContent=isPassword?'\u{1F648}':'\u{1F441}';
+};
+
+/* Periodic tick: refreshed timestamps + relative time update */
+setInterval(function(){
+  document.querySelectorAll('[data-refreshed-at]').forEach(function(el){var ago=Math.round((Date.now()-Number(el.dataset.refreshedAt))/1000);el.textContent=ago<5?'just now':ago<60?ago+'s ago':Math.floor(ago/60)+'m ago';});
+  if(timeMode==='rel')document.querySelectorAll('[data-ts]').forEach(function(el){el.textContent=fmtRelTime(el.dataset.ts);});
+},3000);
+
+/* ── Shareable URL state ── */
+function updateURL(){
+  var p=new URLSearchParams();
+  var tab=localStorage.getItem(TABKEY);if(tab&&tab!=='overview')p.set('tab',tab);
+  var mode=localStorage.getItem(MKEY);if(mode==='writer')p.set('mode','writer');
+  var pr=$('auditBody').dataset.prFilter;if(pr)p.set('pr',pr);
+  var path=$('auditBody').dataset.pathFilter;if(path)p.set('path',path);
+  var et=$('fltEvent').value;if(et)p.set('event_type',et);
+  var su=$('fltSuccess').value;if(su)p.set('success',su);
+  var rn=$('fltRule').value.trim();if(rn)p.set('rule_name',rn);
+  var since=$('fltSince').value.trim();if(since)p.set('since',since);
+  var qs=p.toString();
+  var url=location.pathname+(qs?'?'+qs:'');
+  history.replaceState(null,'',url);
+}
+
+/* ── Sections ── */
+function getSectState(){try{return JSON.parse(localStorage.getItem(SKEY))||{};}catch(e){return{};}}
+function toggleSection(id){var sec=document.querySelector('[data-section="'+id+'"]');if(!sec)return;var close=!sec.classList.contains('collapsed');sec.classList.toggle('collapsed',close);var st=getSectState();st[id]=!close;localStorage.setItem(SKEY,JSON.stringify(st));}
+function initSections(){var st=getSectState(),defaults={probes:false};document.querySelectorAll('[data-section]').forEach(function(sec){var id=sec.dataset.section,open=st[id]!==undefined?st[id]:(defaults[id]!==undefined?defaults[id]:true);sec.classList.toggle('collapsed',!open);});}
+
+/* ── Tabs ── */
+var TABKEY='operator-active-tab';
+function switchTab(tabId){
+  document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.toggle('tab-active',b.dataset.tab===tabId);});
+  document.querySelectorAll('.tab-panel').forEach(function(p){p.classList.toggle('tab-visible',p.dataset.tab===tabId);});
+  localStorage.setItem(TABKEY,tabId);
+  updateURL();
+}
+function initTabs(){
+  var saved=localStorage.getItem(TABKEY)||'overview';
+  switchTab(saved);
+}
+function updateTabBadges(){
+  // Webhooks tab: show trace count if on another tab
+  var traceN=_traceData.length;
+  var tbw=$('tabBadgeWebhooks');
+  var failedTraces=_traceData.filter(function(r){return r.outcome==='processing_failed';}).length;
+  if(failedTraces>0){tbw.textContent=failedTraces;tbw.className='tab-badge tb-err';}
+  else if(traceN>0){tbw.textContent=traceN;tbw.className='tab-badge tb-info';}
+  else{tbw.className='tab-badge';}
+
+  // Audit tab: show failure count
+  var tba=$('tabBadgeAudit');
+  if(_failCount>0){tba.textContent=_failCount;tba.className='tab-badge tb-err';}
+  else if(_auditData.length>0){tba.textContent=_auditData.length;tba.className='tab-badge tb-info';}
+  else{tba.className='tab-badge';}
+}
+
+/* ── Dark mode ── */
+function initDarkMode(){var dark=localStorage.getItem(DKEY)==='true';document.documentElement.dataset.theme=dark?'dark':'light';$('darkToggle').textContent=dark?'\u263E':'\u2600';}
+$('darkToggle').onclick=function(){var next=document.documentElement.dataset.theme!=='dark';document.documentElement.dataset.theme=next?'dark':'light';localStorage.setItem(DKEY,String(next));this.textContent=next?'\u263E':'\u2600';};
+
+/* ── Writer / Operator mode ── */
+var MKEY='operator-view-mode';
+function setMode(mode){
+  document.body.classList.toggle('writer-mode',mode==='writer');
+  document.querySelectorAll('#modeToggle button').forEach(function(b){b.classList.toggle('mode-active',b.dataset.mode===mode);});
+  localStorage.setItem(MKEY,mode);
+  // If writer mode and current tab is hidden, switch to a visible tab
+  if(mode==='writer'){
+    var cur=localStorage.getItem(TABKEY)||'overview';
+    if(cur==='overview'||cur==='webhooks'||cur==='system') switchTab('workflows');
+  }
+  updateURL();
+}
+function initMode(){setMode(localStorage.getItem(MKEY)||'operator');}
+$('modeToggle').onclick=function(e){var btn=e.target.closest('button');if(btn&&btn.dataset.mode)setMode(btn.dataset.mode);};
+
+/* ── Token ── */
+$('token').value=sessionStorage.getItem(TKEY)||'';
+$('saveToken').onclick=function(){var v=$('token').value.trim();if(!v)return;sessionStorage.setItem(TKEY,v);var btn=$('saveToken');btn.textContent='Saved!';btn.style.background='var(--green)';btn.style.borderColor='var(--green)';setTimeout(function(){btn.textContent='Save in session';btn.style.background='';btn.style.borderColor='';},1200);loadAllSecured();};
+$('clearToken').onclick=function(){sessionStorage.removeItem(TKEY);$('token').value='';};
+
+/* ── Status bar ── */
+function updateTBVersion(v){$('tbVersion').textContent=v||'...';}
+function updateTBUptime(s){if(s==null)return;var el=$('tbUptime');el.hidden=false;el.textContent='\u23F1 '+fmtUptime(s);}
+function updateTBMongo(ok){var el=$('tbMongo');el.hidden=false;el.className='chip '+(ok?'chip-ok':'chip-err');el.innerHTML='<span class="dot '+(ok?'dot-green':'dot-red')+'"></span> Mongo';}
+function updateTBLastWH(iso){if(!iso)return;var el=$('tbLastWH');el.hidden=false;var ago=Math.round((Date.now()-new Date(iso).getTime())/1000);el.textContent='Last WH: '+(ago<60?ago+'s ago':ago<3600?Math.floor(ago/60)+'m ago':Math.floor(ago/3600)+'h ago');}
+
+/* Heartbeat (#6) */
+var _connected=true;
+function startHeartbeat(){if(!COP_ORIGIN)return;setInterval(function(){fetch(appURL('/operator/api/status')).then(function(r){if(!_connected){_connected=true;$('tbConn').hidden=true;toast('Reconnected to server','info');}}).catch(function(){if(_connected){_connected=false;$('tbConn').hidden=false;toast('Connection lost to server','error');}});},60000);}
+
+/* Server status */
+function checkServerStatus(){if(!COP_ORIGIN){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Open this page at http://127.0.0.1:<PORT>/operator/.';return;}fetch(appURL('/operator/api/status')).then(function(r){if(r.status===404){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Operator routes not enabled.';return null;}return r.json();}).then(function(d){if(!d)return;updateTBVersion(d.version);if(!d.operator_apis_enabled){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='No OPERATOR_UI_TOKEN: secured APIs return 503.';}}).catch(function(){});}
+
+/* ── Metrics with groups, deltas, sparklines, health accents ── */
+var _prevMetrics={}, _metricHistory={};
+var SPARK_MAX=12; // 12 samples = 2 min at 10s interval
+
+function metricDelta(key,val){
+  if(val==null||val===''||typeof val!=='number') return '';
+  // Store history
+  if(!_metricHistory[key]) _metricHistory[key]=[];
+  _metricHistory[key].push(val);
+  if(_metricHistory[key].length>SPARK_MAX) _metricHistory[key]=_metricHistory[key].slice(-SPARK_MAX);
+  // Compute delta
+  var prev=_prevMetrics[key];
+  _prevMetrics[key]=val;
+  if(prev===undefined) return '';
+  var d=val-prev;
+  if(d===0) return '<span class="delta delta-zero">\u00b70</span>';
+  if(d>0) return '<span class="delta delta-up">+'+d+'</span>';
+  return '<span class="delta delta-down">'+d+'</span>';
+}
+
+function sparkHtml(key){
+  var hist=_metricHistory[key];
+  if(!hist||hist.length<2) return '';
+  var max=Math.max.apply(null,hist);
+  if(max===0) return '';
+  var html='<div class="spark">';
+  hist.forEach(function(v){
+    var pct=Math.max(1,Math.round(v/max*100));
+    html+='<div class="spark-bar" style="height:'+pct+'%"></div>';
+  });
+  html+='</div>';
+  return html;
+}
+
+function metricAccent(key,val){
+  // Health-based left border color
+  if(key==='wh_success_pct'&&typeof val==='number'){
+    if(val<80) return 'mc-danger';
+    if(val<95) return 'mc-warn';
+    return 'mc-ok';
+  }
+  if((key==='wh_failed'||key==='upload_failed'||key==='api_errors')&&val>0) return 'mc-danger';
+  if((key==='wh_processed'||key==='files_uploaded')&&val>0) return 'mc-ok';
+  return '';
+}
+
+async function loadMetricsCards(){
+  showErr('metricsCardErr','');var root=$('metricsCards');root.innerHTML='';
+  var res;try{res=await fetch(appURL('/metrics'),{headers:{Accept:'application/json'}});}catch(e){showErr('metricsCardErr',String(e));return;}
+  if(res.status===404){showErr('metricsCardErr','METRICS_ENABLED=false');return;}
+  var m;try{m=JSON.parse(await res.text());}catch(e){showErr('metricsCardErr','Invalid JSON');return;}
+  var w=m.webhooks||{},f=m.files||{},g=m.github_api||{},q=m.queues||{},s=m.system||{},rl=g.rate_limit||{};
+
+  var whPct=w.success_rate!=null?Math.round(w.success_rate*1000)/10:null;
+
+  var groups=[
+    {label:'Webhooks', cards:[
+      {key:'wh_received',name:'Received',val:w.received},
+      {key:'wh_processed',name:'Processed',val:w.processed},
+      {key:'wh_failed',name:'Failed',val:w.failed,red:true},
+      {key:'wh_ignored',name:'Ignored',val:w.ignored},
+      {key:'wh_success_pct',name:'Success %',val:whPct,fmt:whPct!=null?whPct+'%':'\u2014'}
+    ]},
+    {label:'Files', cards:[
+      {key:'files_matched',name:'Matched',val:f.matched},
+      {key:'files_uploaded',name:'Uploaded',val:f.uploaded},
+      {key:'upload_failed',name:'Upload Failed',val:f.upload_failed,red:true},
+      {key:'files_deprecated',name:'Deprecated',val:f.deprecated}
+    ]},
+    {label:'GitHub API', cards:[
+      {key:'api_calls',name:'Calls',val:g.calls},
+      {key:'api_errors',name:'Errors',val:g.errors,red:true},
+      {key:'rate_left',name:'Rate Limit Left',val:rl.remaining}
+    ]},
+    {label:'Queues', cards:[
+      {key:'q_upload',name:'Upload',val:q.upload_queue_size},
+      {key:'q_retry',name:'Retry',val:q.retry_queue_size}
+    ]}
+  ];
+
+  var total=0;
+  groups.forEach(function(grp){
+    var wrap=document.createElement('div');wrap.className='mg-group';
+    var lbl=document.createElement('div');lbl.className='mg-label';lbl.textContent=grp.label;
+    wrap.appendChild(lbl);
+    var grid=document.createElement('div');grid.className='metric-grid';
+    grp.cards.forEach(function(c){
+      var d=document.createElement('div');
+      var accent=metricAccent(c.key,c.val);
+      d.className='metric-card'+(accent?' '+accent:'');
+      var display=c.fmt||fmtNum(c.val);
+      var deltaHtml=metricDelta(c.key,c.val);
+      var sparkStr=sparkHtml(c.key);
+      d.innerHTML='<div class="mk">'+escapeHtml(c.name)+'</div>'
+        +'<div class="mv-row"><span class="mv'+(c.red&&c.val?' mv-red':'')+'">'+escapeHtml(display)+'</span>'+deltaHtml+'</div>'
+        +sparkStr;
+      grid.appendChild(d);total++;
+    });
+    wrap.appendChild(grid);root.appendChild(wrap);
+  });
+
+  setBadge('metricsCount',total+' metrics');setRefreshed('metricsRefreshed');
+  if(s.uptime_seconds!=null)updateTBUptime(s.uptime_seconds);
+}
+var metricsTimer=null;
+function syncMetricsAuto(){if(metricsTimer){clearInterval(metricsTimer);metricsTimer=null;}localStorage.setItem('op-auto-metrics',$('metricsAuto').checked?'1':'0');if(!$('metricsAuto').checked)return;metricsTimer=setInterval(async function(){if(document.hidden)return;await loadMetricsCards();checkAutoToast('Metrics','metricsCardErr');},10000);}
+$('metricsAuto').addEventListener('change',syncMetricsAuto);
+$('loadMetricsCards').onclick=function(){withLoading('loadMetricsCards',loadMetricsCards);};
+
+/* ── Webhook traces with client-side filter/search (#4, #9) ── */
+var _traceData=[];
+function traceOutcomeClass(o){if(!o)return'';if(o==='processed_ok')return'ok';if(o==='duplicate_delivery'||o==='skipped_not_merged_pr'||o==='ignored_non_pull_request')return'warn';return'fail';}
+function renderTraces(){
+  var outcomeF=$('traceOutcome').value,searchF=$('traceSearch').value.toLowerCase().trim();
+  var filtered=_traceData;
+  if(outcomeF)filtered=filtered.filter(function(r){return r.outcome===outcomeF;});
+  if(searchF)filtered=filtered.filter(function(r){return((r.repo||'')+' '+(r.delivery_id||'')+' '+(r.outcome||'')+' '+(r.detail||'')+' '+String(r.pr_number||'')).toLowerCase().indexOf(searchF)>=0;});
+  var tb=$('traceBody');tb.innerHTML='';
+  filtered.forEach(function(row){
+    var tr=document.createElement('tr'),oc=row.outcome||'';
+    if(row.event_type==='operator_replay')tr.className='trace-replay';
+    var replayBtn='';
+    if(row.repo&&row.pr_number&&row.base_branch){replayBtn='<button class="btn-sm" onclick="event.stopPropagation();confirmReplay('+escapeHtml(JSON.stringify(row.repo))+','+row.pr_number+','+escapeHtml(JSON.stringify(row.base_branch))+','+escapeHtml(JSON.stringify(row.commit_sha||''))+')">Replay</button>';}
+    if(row.delivery_id){replayBtn+=' <button class="btn-sm" onclick="event.stopPropagation();viewDeliveryLogs(\''+escapeHtml(row.delivery_id)+'\')">Logs</button>';}
+    var detailHtml=parseDetailBadges(row.detail||'');
+    tr.innerHTML='<td class="mono">'+fmtTime(row.at)+'</td><td><span class="'+traceOutcomeClass(oc)+'">'+escapeHtml(oc)+'</span></td><td>'+ghLink(row.repo)+'</td><td>'+ghPR(row.repo,row.pr_number)+'</td><td class="mono">'+escapeHtml(row.base_branch||'')+'</td><td class="mono">'+escapeHtml(row.event_type||'')+'</td><td class="mono">'+escapeHtml(row.action||'')+'</td><td class="mono">'+escapeHtml(row.delivery_id||'')+'</td><td>'+detailHtml+'</td><td>'+replayBtn+'</td>';
+    tb.appendChild(tr);
+  });
+  setBadge('tracesCount',filtered.length+(_traceData.length>filtered.length?' / '+_traceData.length:''));
+  emptyState('traceBody',10,'\u{1F4E1}','No webhook activity yet');
+}
+async function loadWebhookTraces(){
+  showErr('traceErr','');
+  var lim=parseInt($('traceLimit').value,10)||50;
+  var res=await fetch(appURL('/operator/api/observability/webhook-traces?limit='+encodeURIComponent(Math.min(120,Math.max(1,lim)))),{headers:authHeaders()});
+  var body=await res.json().catch(function(){return{};});
+  if(!res.ok){showErr('traceErr',body.error||res.statusText);return;}
+  _traceData=body.traces||[];
+  renderTraces();setRefreshed('tracesRefreshed');
+  if(_traceData.length>0&&_traceData[_traceData.length-1].at)updateTBLastWH(_traceData[_traceData.length-1].at);
+  updateTabBadges();
+}
+$('traceOutcome').addEventListener('change',renderTraces);
+$('traceSearch').addEventListener('input',renderTraces);
+var tracesTimer=null;
+function syncTracesAuto(){if(tracesTimer){clearInterval(tracesTimer);tracesTimer=null;}localStorage.setItem('op-auto-traces',$('tracesAuto').checked?'1':'0');if(!$('tracesAuto').checked)return;tracesTimer=setInterval(async function(){if(document.hidden)return;await loadWebhookTraces();checkAutoToast('Traces','traceErr');},30000);}
+$('tracesAuto').addEventListener('change',syncTracesAuto);
+$('loadTraces').onclick=function(){withLoading('loadTraces',loadWebhookTraces);};
+
+/* ── Audit events with detail drawer (#2) and CSV export (#3) ── */
+var _auditData=[];
+function buildAuditQuery(){
+  var p=new URLSearchParams(),lim=parseInt($('limit').value,10)||50;
+  p.set('limit',String(Math.min(200,Math.max(1,lim))));
+  var et=$('fltEvent').value;if(et)p.set('event_type',et);
+  var su=$('fltSuccess').value;if(su)p.set('success',su);
+  var rn=$('fltRule').value.trim();if(rn)p.set('rule_name',rn);
+  var since=$('fltSince').value.trim();if(since)p.set('since',since);
+  // PR lookup and path search from the search bar
+  var prF=$('auditBody').dataset.prFilter;if(prF)p.set('pr_number',prF);
+  var pathF=$('auditBody').dataset.pathFilter;if(pathF)p.set('path',pathF);
+  return p.toString();
+}
+function setSince(hours){$('fltSince').value=new Date(Date.now()-hours*3600000).toISOString();loadAuditBtn();}
+async function loadAudit(){
+  showErr('auditErr','');var qs=buildAuditQuery(),lim=parseInt($('limit').value,10)||50;
+  var res=await fetch(appURL('/operator/api/audit/events?'+qs),{headers:authHeaders()});
+  var body=await res.json().catch(function(){return{};});
+  if(!res.ok){showErr('auditErr',body.error||res.statusText);$('auditEmptyHint').hidden=true;return;}
+  _auditData=body.events||[];
+  var tb=$('auditBody');tb.innerHTML='';
+  $('auditEmptyHint').hidden=_auditData.length>0;
+  _auditData.forEach(function(ev,idx){
+    var tr=document.createElement('tr');tr.className='clickable';tr.dataset.idx=String(idx);
+    tr.onclick=function(){openAuditDetail(Number(this.dataset.idx));};
+    var st=ev.success?'<span class="ok">ok</span>':'<span class="fail">fail</span>';
+    var srcRepo=ev.source_repo||'',errText=ev.error_message||'',errHtml='';
+    if(errText.length>120){errHtml='<span class="err-trunc" title="Click row for full detail">'+escapeHtml(errText.slice(0,120))+'<span class="err-more">\u2026</span></span>';}else{errHtml=escapeHtml(errText);}
+    tr.innerHTML='<td class="mono">'+fmtTime(ev.timestamp)+'</td><td class="audit-hide-narrow">'+escapeHtml(ev.event_type||'')+'</td><td>'+st+'</td><td>'+escapeHtml(ev.rule_name||'')+'</td><td>'+ghLink(srcRepo,srcRepo+(ev.source_path?':'+ev.source_path:''))+'</td><td>'+ghLink(ev.target_repo,(ev.target_repo||'')+(ev.target_path?':'+ev.target_path:''))+'</td><td class="audit-hide-narrow">'+ghCommit(srcRepo,ev.commit_sha)+'</td><td>'+ghPR(srcRepo,ev.pr_number)+'</td><td>'+errHtml+'</td>';
+    tb.appendChild(tr);
+  });
+  emptyState('auditBody',9,'\u{1F4C4}','No audit events match this filter');
+  _failCount=_auditData.filter(function(e){return!e.success;}).length;
+  updateTabTitle();
+  var limitHit=_auditData.length>=Math.min(200,lim);
+  setBadge('auditCount',_auditData.length+(limitHit?' (limit)':''));setRefreshed('auditRefreshed');
+  updateTabBadges();
+  renderRecentCopies();
+  renderPRTimeline();
+  updateURL();
+}
+function loadAuditBtn(){withLoading('loadAudit',loadAudit);}
+$('loadAudit').onclick=loadAuditBtn;
+var auditTimer=null;
+function syncAuditAuto(){if(auditTimer){clearInterval(auditTimer);auditTimer=null;}localStorage.setItem('op-auto-audit',$('auditAuto').checked?'1':'0');if(!$('auditAuto').checked)return;auditTimer=setInterval(async function(){if(document.hidden)return;await loadAudit();checkAutoToast('Audit','auditErr');},30000);}
+$('auditAuto').addEventListener('change',syncAuditAuto);
+
+/* Audit detail drawer (#2) */
+function openAuditDetail(idx){
+  var ev=_auditData[idx];if(!ev)return;
+  var rows=[['Timestamp',ev.timestamp],['Event Type',ev.event_type],['Status',ev.success?'Success':'Failed'],['Rule',ev.rule_name],['Source Repo',ev.source_repo],['Source Path',ev.source_path],['Target Repo',ev.target_repo],['Target Path',ev.target_path],['Commit SHA',ev.commit_sha],['PR Number',ev.pr_number],['Duration',ev.duration_ms?ev.duration_ms+' ms':''],['File Size',ev.file_size?ev.file_size+' bytes':''],['Error',ev.error_message]];
+  if(ev.additional_data&&Object.keys(ev.additional_data).length>0)rows.push(['Additional Data',JSON.stringify(ev.additional_data,null,2)]);
+  var html='<table class="detail-tbl">';
+  rows.forEach(function(r){var v=r[1];if(v===undefined||v===null||v==='')return;html+='<tr><th>'+escapeHtml(r[0])+'</th><td>'+escapeHtml(String(v))+'</td></tr>';});
+  html+='</table>';
+  if(ev.source_repo&&ev.pr_number){
+    html+='<div style="margin-top:0.75rem"><button class="btn-sm" onclick="confirmReplay(\''+escapeHtml(ev.source_repo)+'\','+ev.pr_number+',\'\',\''+escapeHtml(ev.commit_sha||'')+'\')">Replay this PR</button></div>';
+  }
+  $('drawerBody').innerHTML=html;$('drawer').hidden=false;
+}
+function closeDrawer(){$('drawer').hidden=true;}
+
+/* Webhook replay */
+function confirmReplay(repo,pr,branch,sha){
+  var msg='Replay processing for '+repo+' PR #'+pr;
+  if(branch)msg+=' on branch '+branch;
+  msg+='?\n\nThis will re-run the full copy workflow as if the webhook just arrived.';
+  if(!confirm(msg))return;
+  doReplay(repo,pr,branch,sha);
+}
+async function doReplay(repo,pr,branch,sha){
+  try{
+    var res=await fetch(appURL('/operator/api/replay'),{
+      method:'POST',headers:Object.assign({'Content-Type':'application/json'},authHeaders()),
+      body:JSON.stringify({repo:repo,pr_number:pr,branch:branch||'main',commit_sha:sha||''})
+    });
+    var body=await res.json().catch(function(){return{};});
+    if(!res.ok){toast('Replay failed: '+(body.error||res.statusText),'error');return;}
+    toast(body.message||'Replay started','info');
+    closeDrawer();
+    setTimeout(function(){loadWebhookTraces();},2000);
+  }catch(e){toast('Replay error: '+e,'error');}
+}
+
+/* Per-delivery log viewer */
+async function viewDeliveryLogs(deliveryID){
+  $('drawerBody').innerHTML='<div style="text-align:center;padding:1rem;color:var(--text-3)">Loading logs\u2026</div>';
+  $('drawer').hidden=false;
+  try{
+    var res=await fetch(appURL('/operator/api/logs?delivery_id='+encodeURIComponent(deliveryID)),{headers:authHeaders()});
+    var body=await res.json().catch(function(){return{};});
+    if(!res.ok){$('drawerBody').innerHTML='<div class="err">'+escapeHtml(body.error||res.statusText)+'</div>';return;}
+    var logs=body.logs||[];
+    var html='<h3 style="margin:0 0 0.5rem;font-size:0.95rem">Logs for <code>'+escapeHtml(deliveryID)+'</code></h3>';
+    if(logs.length===0){
+      html+='<div class="empty-state"><div class="es-icon">\u{1F4DD}</div>No log entries captured for this delivery.<br>Logs are captured for webhooks processed after this feature was enabled.</div>';
+    }else{
+      html+='<div style="font-size:0.78rem;color:var(--text-3);margin-bottom:0.5rem">'+logs.length+' entries</div>';
+      logs.forEach(function(entry){
+        var lvlClass='log-level-info';
+        if(entry.level==='warn')lvlClass='log-level-warn';
+        if(entry.level==='error')lvlClass='log-level-error';
+        var timeStr='';
+        if(entry.time){try{var d=new Date(entry.time);timeStr=p2(d.getHours())+':'+p2(d.getMinutes())+':'+p2(d.getSeconds())+'.'+String(d.getMilliseconds()).padStart(3,'0');}catch(e){}}
+        html+='<div class="log-entry"><span class="log-time">'+escapeHtml(timeStr)+'</span><span class="log-level '+lvlClass+'">'+escapeHtml(entry.level||'info')+'</span><span class="log-msg">'+escapeHtml(entry.message||'')+'</span></div>';
+        if(entry.fields&&Object.keys(entry.fields).length>0){
+          var parts=[];for(var k in entry.fields)parts.push(k+'='+JSON.stringify(entry.fields[k]));
+          html+='<div class="log-fields">'+escapeHtml(parts.join(' '))+'</div>';
+        }
+      });
     }
-    document.getElementById('saveToken').onclick = () => {
-      sessionStorage.setItem(TKEY, document.getElementById('token').value.trim());
-    };
-    document.getElementById('clearToken').onclick = () => {
-      sessionStorage.removeItem(TKEY);
-      document.getElementById('token').value = '';
+    $('drawerBody').innerHTML=html;
+  }catch(e){$('drawerBody').innerHTML='<div class="err">'+escapeHtml(String(e))+'</div>';}
+}
+
+/* CSV export (#3) */
+$('exportCSV').onclick=function(){
+  if(!_auditData.length){toast('No audit data to export','info');return;}
+  var hdr=['timestamp','event_type','success','rule_name','source_repo','source_path','target_repo','target_path','commit_sha','pr_number','duration_ms','file_size','error_message'];
+  var lines=[hdr.join(',')];
+  _auditData.forEach(function(ev){var row=hdr.map(function(h){var v=ev[h];if(v===undefined||v===null)v='';return'"'+String(v).replace(/"/g,'""')+'"';});lines.push(row.join(','));});
+  var blob=new Blob([lines.join('\n')],{type:'text/csv'});var url=URL.createObjectURL(blob);
+  var a=document.createElement('a');a.href=url;a.download='audit-events-'+new Date().toISOString().slice(0,10)+'.csv';a.click();URL.revokeObjectURL(url);
+  toast('Exported '+_auditData.length+' rows','info');
+};
+
+/* ── PR lookup + file path search ── */
+$('prLookupBtn').onclick=function(){
+  var pr=$('prLookup').value.trim(), path=$('pathLookup').value.trim();
+  // Parse "repo#123" or "repo/123" or just "123"
+  var prNum='';
+  if(pr){
+    var m=pr.match(/(\d+)$/);
+    if(m) prNum=m[1];
+  }
+  if(prNum) $('limit').value='200';
+  // Set the audit filters and trigger load
+  if(prNum){ /* inject pr_number into the query by temporarily setting a data attribute */
+    $('auditBody').dataset.prFilter=prNum;
+  } else { delete $('auditBody').dataset.prFilter; }
+  if(path){ $('auditBody').dataset.pathFilter=path; } else { delete $('auditBody').dataset.pathFilter; }
+  loadAuditBtn();
+};
+$('prLookupClear').onclick=function(){
+  $('prLookup').value=''; $('pathLookup').value='';
+  delete $('auditBody').dataset.prFilter;
+  delete $('auditBody').dataset.pathFilter;
+  $('limit').value='50';
+  $('prTimelineSection').hidden=true;
+  loadAuditBtn();
+};
+
+/* ── Recent copies feed ── */
+function renderRecentCopies(){
+  var feed=$('recentCopiesFeed');feed.innerHTML='';
+  // Show last 15 copy events (most recent first) from loaded audit data
+  var copies=_auditData.filter(function(e){return e.event_type==='copy';}).slice(0,15);
+  if(copies.length===0){
+    feed.innerHTML='<div class="empty-state"><div class="es-icon">\u{1F4CB}</div>No recent copies. Merge a PR that matches a workflow to see copy events here.</div>';
+    setBadge('recentCopiesCount','');
+    return;
+  }
+  copies.forEach(function(ev,idx){
+    var d=document.createElement('div');
+    d.className='copy-item'+(ev.success?'':' copy-fail');
+    d.style.cursor='pointer';
+    d.onclick=function(){
+      var realIdx=_auditData.indexOf(ev);
+      if(realIdx>=0) openAuditDetail(realIdx);
     };
-    document.getElementById('token').value = sessionStorage.getItem(TKEY) || '';
-
-    async function loadAudit() {
-      showErr('auditErr', '');
-      const lim = parseInt(document.getElementById('limit').value, 10) || 50;
-      const res = await fetch('/operator/api/audit/events?limit=' + encodeURIComponent(lim), { headers: authHeaders() });
-      const body = await res.json().catch(() => ({}));
-      if (!res.ok) { showErr('auditErr', body.error || res.statusText); return; }
-      const tb = document.getElementById('auditBody');
-      tb.innerHTML = '';
-      (body.events || []).forEach(ev => {
-        const tr = document.createElement('tr');
-        const st = ev.success ? '<span class="ok">copied</span>' : '<span class="fail">failed</span>';
-        const err = ev.error_message ? escapeHtml(ev.error_message.slice(0, 200)) : '';
-        tr.innerHTML = '<td>' + escapeHtml(ev.timestamp || '') + '</td><td>' + st + '</td><td>' + escapeHtml(ev.rule_name || '') + '</td><td>' + escapeHtml((ev.source_repo || '') + ':' + (ev.source_path || '')) + '</td><td>' + escapeHtml((ev.target_repo || '') + ':' + (ev.target_path || '')) + '</td><td>' + (ev.pr_number || '') + '</td><td>' + err + '</td>';
-        tb.appendChild(tr);
-      });
+    var src=(ev.source_repo||'')+(ev.source_path?':'+ev.source_path:'');
+    var tgt=(ev.target_repo||'')+(ev.target_path?':'+ev.target_path:'');
+    var status=ev.success?'<span class="ok">\u2713</span>':'<span class="fail">\u2717 '+escapeHtml((ev.error_message||'').slice(0,60))+'</span>';
+    d.innerHTML='<div class="copy-paths"><div><span class="copy-path">'+escapeHtml(src)+'</span><span class="copy-path-arrow">\u2192</span><span class="copy-path">'+escapeHtml(tgt)+'</span></div><div style="margin-top:0.2rem">'+status+'</div></div><div class="copy-right"><div>'+fmtTime(ev.timestamp)+'</div><div>'+escapeHtml(ev.rule_name||'')+'</div>'+(ev.pr_number?'<div>'+ghPR(ev.source_repo,ev.pr_number)+'</div>':'')+'</div>';
+    feed.appendChild(d);
+  });
+  setBadge('recentCopiesCount',copies.length);
+}
+
+/* ── PR timeline ── */
+function renderPRTimeline(){
+  var prFilter=$('auditBody').dataset.prFilter;
+  var sec=$('prTimelineSection');
+  if(!prFilter){sec.hidden=true;return;}
+  sec.hidden=false;
+  var prNum=parseInt(prFilter,10);
+  var tl=$('prTimeline');tl.innerHTML='';
+
+  // Collect trace entries for this PR
+  var traceItems=_traceData.filter(function(t){return t.pr_number===prNum;}).map(function(t){
+    var dot='tl-dot-info';
+    if(t.outcome==='processed_ok')dot='tl-dot-ok';
+    else if(t.outcome==='processing_failed')dot='tl-dot-fail';
+    else if(t.outcome==='skipped_not_merged_pr'||t.outcome==='duplicate_delivery')dot='tl-dot-warn';
+    return{time:t.at,dot:dot,title:'Webhook: '+t.outcome,detail:(t.repo||'')+' '+escapeHtml((t.detail||'').slice(0,200)),source:'trace'};
+  });
+
+  // Collect audit events for this PR
+  var auditItems=_auditData.filter(function(e){return e.pr_number===prNum;}).map(function(e){
+    return{time:e.timestamp,dot:e.success?'tl-dot-ok':'tl-dot-fail',
+      title:(e.success?'Copied':'Failed')+': '+(e.source_path||'?')+' \u2192 '+(e.target_repo||'?')+':'+(e.target_path||'?'),
+      detail:e.rule_name+(e.error_message?' \u2014 '+escapeHtml(e.error_message.slice(0,120)):''),
+      source:'audit'};
+  });
+
+  // Merge and sort chronologically
+  var all=traceItems.concat(auditItems);
+  all.sort(function(a,b){return new Date(a.time)-new Date(b.time);});
+
+  if(all.length===0){
+    tl.innerHTML='<div class="empty-state"><div class="es-icon">\u{1F50D}</div>No webhook or audit activity found for PR #'+prNum+'</div>';
+    setBadge('prTimelineBadge','');
+    return;
+  }
+
+  all.forEach(function(item){
+    var d=document.createElement('div');d.className='tl-item';
+    d.innerHTML='<div class="tl-dot '+item.dot+'"></div><div class="tl-body"><div class="tl-title">'+escapeHtml(item.title)+'</div><div class="tl-detail">'+fmtTime(item.time)+' &mdash; '+item.detail+'</div></div>';
+    tl.appendChild(d);
+  });
+  setBadge('prTimelineBadge',all.length+' events');
+}
+
+
+/* ── File match tester ── */
+function globToRegex(pat){
+  var re='',i=0;
+  while(i<pat.length){
+    var c=pat[i];
+    if(c==='*'&&pat[i+1]==='*'){
+      if(pat[i+2]==='/'){re+='(?:.+/)?';i+=3;}
+      else{re+='.*';i+=2;}
+    }else if(c==='*'){re+='[^/]*';i++;}
+    else if(c==='?'){re+='[^/]';i++;}
+    else if('.+^${}()|[]\\'.indexOf(c)>=0){re+='\\'+c;i++;}
+    else{re+=c;i++;}
+  }
+  return new RegExp('^'+re+'$');
+}
+function builtInVars(filePath){
+  var v={path:filePath};
+  var ls=filePath.lastIndexOf('/');
+  v.filename=ls>=0?filePath.substring(ls+1):filePath;
+  v.dir=ls>=0?filePath.substring(0,ls):'';
+  var ld=v.filename.lastIndexOf('.');
+  v.ext=ld>=0?v.filename.substring(ld+1):'';
+  return v;
+}
+function applyTemplate(tmpl,vars){
+  var result=tmpl;
+  for(var k in vars){result=result.split('${'+k+'}').join(vars[k]);}
+  return result;
+}
+function testFileMatch(filePath,wf){
+  // returns {matched:bool, transform:string, targetPath:string, rule:string}
+  var transforms=wf.transformations||[];
+  for(var i=0;i<transforms.length;i++){
+    var t=transforms[i];
+    if(t.move){
+      var from=t.move.from.replace(/\/$/,'');
+      if(filePath.indexOf(from)===0){
+        var rel=filePath.substring(from.length).replace(/^\//,'');
+        var target=t.move.to.replace(/\/$/,'')+'/'+rel;
+        return{matched:true,transform:'move',targetPath:target,rule:from+' \u2192 '+t.move.to};
+      }
     }
-    function escapeHtml(s) {
-      return String(s).replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]));
+    if(t.copy){
+      if(filePath===t.copy.from){
+        return{matched:true,transform:'copy',targetPath:t.copy.to,rule:t.copy.from+' \u2192 '+t.copy.to};
+      }
     }
-    document.getElementById('loadAudit').onclick = loadAudit;
-
-    document.getElementById('loadDeploy').onclick = async () => {
-      showErr('deployErr', '');
-      const res = await fetch('/operator/api/deployment', { headers: authHeaders() });
-      const body = await res.json().catch(() => ({}));
-      if (!res.ok) { showErr('deployErr', body.error || res.statusText); return; }
-      const pre = document.getElementById('deployJson');
-      pre.hidden = false;
-      pre.textContent = JSON.stringify(body, null, 2);
-    };
+    if(t.glob){
+      var gre=globToRegex(t.glob.pattern);
+      if(gre.test(filePath)){
+        var vars=builtInVars(filePath);
+        // Compute relative_path: strip the prefix before the first wildcard
+        var prefixEnd=t.glob.pattern.indexOf('*');
+        if(prefixEnd>0){var pfx=t.glob.pattern.substring(0,prefixEnd).replace(/\/$/,'');vars.relative_path=filePath.substring(pfx.length).replace(/^\//,'');}
+        else{vars.relative_path=filePath;}
+        vars.matched_pattern=t.glob.pattern;
+        var tp=applyTemplate(t.glob.transform,vars);
+        return{matched:true,transform:'glob',targetPath:tp,rule:t.glob.pattern+' \u2192 '+t.glob.transform};
+      }
+    }
+    if(t.regex){
+      try{
+        var jsPat=t.regex.pattern.replace(/\(\?P</g,'(?<');
+        var re=new RegExp(jsPat);
+        var rm=re.exec(filePath);
+        if(rm){
+          var vars=builtInVars(filePath);
+          // Add named and positional groups
+          if(re.source){
+            var names=re.source.match(/\?<(\w+)>/g);
+            if(names)names.forEach(function(n){var name=n.replace('?<','').replace('>','');if(rm.groups&&rm.groups[name])vars[name]=rm.groups[name];});
+          }
+          for(var g=1;g<rm.length;g++){if(rm[g])vars['$'+g]=rm[g];}
+          vars.matched_pattern=t.regex.pattern;
+          var tp=applyTemplate(t.regex.transform,vars);
+          return{matched:true,transform:'regex',targetPath:tp,rule:t.regex.pattern};
+        }
+      }catch(e){}
+    }
+  }
+  return{matched:false};
+}
+$('fmtTest').onclick=function(){
+  var filePath=$('fmtPath').value.trim();
+  if(!filePath){toast('Enter a file path to test','info');return;}
+  if(!_wfData.length){toast('Load workflows first (click Refresh in Active workflows)','info');return;}
+  var results=$('fmtResults');results.innerHTML='';
+  var anyMatch=false;
+  _wfData.forEach(function(wf){
+    var m=testFileMatch(filePath,wf);
+    var d=document.createElement('div');d.className='fmt-result '+(m.matched?'fmt-match':'fmt-no');
+    if(m.matched){
+      anyMatch=true;
+      var dst=wf.destination?wf.destination.repo:'?';
+      d.innerHTML='<strong>\u2713 '+escapeHtml(wf.name||'unnamed')+'</strong> \u2014 '+escapeHtml(m.transform)+': <code>'+escapeHtml(m.rule)+'</code><div class="fmt-target">\u2192 '+ghLink(dst,dst+':'+m.targetPath)+'</div>';
+    }else{
+      d.innerHTML='\u2717 '+escapeHtml(wf.name||'unnamed')+' \u2014 no matching transformation';
+    }
+    results.appendChild(d);
+  });
+  // Also highlight/dim workflow cards
+  document.querySelectorAll('.wf-card').forEach(function(card){card.classList.remove('wf-match','wf-nomatch');});
+  if(anyMatch){
+    var cardEls=document.querySelectorAll('.wf-card');
+    _wfData.forEach(function(wf,idx){
+      var m=testFileMatch(filePath,wf);
+      if(cardEls[idx]){cardEls[idx].classList.add(m.matched?'wf-match':'wf-nomatch');}
+    });
+  }
+};
+$('fmtPath').addEventListener('keydown',function(e){if(e.key==='Enter')$('fmtTest').click();});
+$('fmtClear').onclick=function(){
+  $('fmtPath').value='';
+  $('fmtResults').innerHTML='';
+  document.querySelectorAll('.wf-card').forEach(function(c){c.classList.remove('wf-match','wf-nomatch');});
+};
+
+/* ── Workflow browser ── */
+var _wfData=[];
+async function loadWorkflows(){
+  showErr('wfErr','');
+  var res=await fetch(appURL('/operator/api/workflows'),{headers:authHeaders()});
+  var body=await res.json().catch(function(){return{};});
+  if(!res.ok){showErr('wfErr',body.error||res.statusText);return;}
+  _wfData=body.workflows||[];
+  renderWorkflows();
+  setBadge('wfCount',_wfData.length+' rules');
+  setBadge('tabBadgeWorkflows',_wfData.length);
+  $('tabBadgeWorkflows').className='tab-badge tb-info';
+}
+function renderWorkflows(){
+  var container=$('wfCards');container.innerHTML='';
+  var search=$('wfSearch').value.toLowerCase().trim();
+  var filtered=_wfData;
+  if(search) filtered=filtered.filter(function(wf){
+    return (wf.name||'').toLowerCase().indexOf(search)>=0
+      ||(wf.source&&wf.source.repo||'').toLowerCase().indexOf(search)>=0
+      ||(wf.destination&&wf.destination.repo||'').toLowerCase().indexOf(search)>=0
+      ||JSON.stringify(wf.transformations||[]).toLowerCase().indexOf(search)>=0;
+  });
+  if(filtered.length===0){
+    container.innerHTML='<div class="empty-state"><div class="es-icon">\u{1F4D6}</div>'+(search?'No workflows match "'+escapeHtml(search)+'"':'No workflows configured')+'</div>';
+    return;
+  }
+  filtered.forEach(function(wf){
+    var card=document.createElement('div');card.className='wf-card';
+    var srcRepo=wf.source?wf.source.repo:'?';
+    var srcBranch=wf.source&&wf.source.branch?wf.source.branch:'main';
+    var dstRepo=wf.destination?wf.destination.repo:'?';
+    var dstBranch=wf.destination&&wf.destination.branch?wf.destination.branch:'main';
+    var strategy=(wf.commit_strategy&&wf.commit_strategy.type)||'direct';
+    var autoMerge=wf.commit_strategy&&wf.commit_strategy.auto_merge;
+    var usePRT=wf.commit_strategy&&wf.commit_strategy.use_pr_template;
+
+    var html='<div class="wf-name">'+escapeHtml(wf.name||'unnamed')+'</div>';
+    html+='<div class="wf-flow"><span class="wf-repo">'+ghLink(srcRepo)+'<span style="color:var(--text-3);margin-left:4px">:'+escapeHtml(srcBranch)+'</span></span>';
+    html+='<span class="wf-arrow">\u2192</span>';
+    html+='<span class="wf-repo">'+ghLink(dstRepo)+'<span style="color:var(--text-3);margin-left:4px">:'+escapeHtml(dstBranch)+'</span></span></div>';
+
+    // Tags
+    html+='<div class="wf-meta">';
+    html+='<span class="wf-tag '+(strategy==='pull_request'?'wf-tag-pr':'wf-tag-direct')+'">'+escapeHtml(strategy)+'</span>';
+    if(autoMerge) html+='<span class="wf-tag wf-tag-pr">auto-merge</span>';
+    if(usePRT) html+='<span class="wf-tag">pr-template</span>';
+    if(wf.exclude&&wf.exclude.length) html+='<span class="wf-tag">'+wf.exclude.length+' excludes</span>';
+    var depEnabled=wf.deprecation_check&&wf.deprecation_check.enabled;
+    if(depEnabled) html+='<span class="wf-tag">deprecation-check</span>';
+    html+='</div>';
 
-    document.getElementById('doRelease').onclick = async () => {
-      showErr('relErr', '');
-      const version = document.getElementById('version').value.trim();
-      const res = await fetch('/operator/api/release', {
-        method: 'POST',
-        headers: Object.assign({ 'Content-Type': 'application/json' }, authHeaders()),
-        body: JSON.stringify({ version })
+    // Transformations
+    var transforms=wf.transformations||[];
+    if(transforms.length>0){
+      html+='<div class="wf-transforms">';
+      transforms.forEach(function(t){
+        if(t.move) html+='<div><span class="wf-tag">move</span> <code>'+escapeHtml(t.move.from)+'</code> \u2192 <code>'+escapeHtml(t.move.to)+'</code></div>';
+        if(t.copy) html+='<div><span class="wf-tag">copy</span> <code>'+escapeHtml(t.copy.from)+'</code> \u2192 <code>'+escapeHtml(t.copy.to)+'</code></div>';
+        if(t.glob) html+='<div><span class="wf-tag">glob</span> <code>'+escapeHtml(t.glob.pattern)+'</code> \u2192 <code>'+escapeHtml(t.glob.transform)+'</code></div>';
+        if(t.regex) html+='<div><span class="wf-tag">regex</span> <code>'+escapeHtml(t.regex.pattern)+'</code> \u2192 <code>'+escapeHtml(t.regex.transform)+'</code></div>';
       });
-      const body = await res.json().catch(() => ({}));
-      const pre = document.getElementById('relJson');
-      pre.hidden = false;
-      pre.textContent = JSON.stringify(body, null, 2);
-      if (!res.ok) { showErr('relErr', body.error || res.statusText); }
-    };
+      html+='</div>';
+    }
+
+    card.innerHTML=html;
+    container.appendChild(card);
+  });
+}
+$('wfSearch').addEventListener('input',renderWorkflows);
+$('loadWorkflows').onclick=function(){withLoading('loadWorkflows',loadWorkflows);};
+
+/* ── Audit aggregates with rate bars (#8) ── */
+async function loadOverview(){
+  showErr('ovErr','');var d=parseInt($('ovDays').value,10)||14;
+  var res=await fetch(appURL('/operator/api/audit/overview?days='+encodeURIComponent(Math.min(366,Math.max(1,d)))),{headers:authHeaders()});
+  var body=await res.json().catch(function(){return{};});
+  if(!res.ok){showErr('ovErr',body.error||res.statusText);return;}
+  var db=$('ovDailyBody'),rb=$('ovRuleBody');db.innerHTML='';rb.innerHTML='';
+  var daily=body.daily_volume||[];var maxDay=Math.max(1,...daily.map(function(r){return r.total_copies||0;}));
+  daily.forEach(function(row){
+    var tr=document.createElement('tr'),ok=row.success_count||0,fail=row.failure_count||0;
+    tr.innerHTML='<td>'+escapeHtml(row.date||'')+'</td><td>'+fmtNum(row.total_copies)+'</td><td>'+fmtNum(ok)+'</td><td>'+fmtNum(fail)+'</td><td><div class="vol-bar"><div class="vb-ok" style="width:'+Math.round(ok/maxDay*100)+'%"></div><div class="vb-fail" style="width:'+Math.round(fail/maxDay*100)+'%"></div></div></td>';
+    db.appendChild(tr);
+  });
+  var by=body.stats_by_rule||{};
+  Object.keys(by).sort().forEach(function(k){
+    var row=by[k],tr=document.createElement('tr'),total=row.total_copies||0,ok=row.success_count||0,fail=row.failure_count||0;
+    var pct=total>0?Math.round(ok/total*100):0;
+    tr.innerHTML='<td>'+escapeHtml(row.rule_name||k)+'</td><td>'+fmtNum(total)+'</td><td>'+fmtNum(ok)+'</td><td>'+fmtNum(fail)+'</td><td>'+(row.avg_duration_ms!=null?fmtNum(Math.round(row.avg_duration_ms)):'\u2014')+'</td><td><div class="vol-bar" title="'+pct+'% success"><div class="vb-ok" style="width:'+pct+'%"></div><div class="vb-fail" style="width:'+(100-pct)+'%"></div></div> <span class="small">'+pct+'%</span></td>';
+    rb.appendChild(tr);
+  });
+}
+$('loadOverview').onclick=function(){withLoading('loadOverview',loadOverview);};
+
+/* ── Deployment (grouped) ── */
+$('loadDeploy').onclick=function(){withLoading('loadDeploy',async function(){
+  showErr('deployErr','');var res=await fetch(appURL('/operator/api/deployment'),{headers:authHeaders()});
+  var body=await res.json().catch(function(){return{};});
+  if(!res.ok){showErr('deployErr',body.error||res.statusText);return;}
+  var root=$('deployCards');root.innerHTML='';root.hidden=false;
+
+  function dc(l,v,opts){
+    opts=opts||{};
+    var d=document.createElement('div');
+    var accent=opts.accent||'';
+    var plainVal=String(v!=null&&v!==''?v:'');
+    d.className='deploy-card copy-card'+(accent?' '+accent:'');
+    d.innerHTML='<div class="copy-tip">Copied!</div><div class="dk">'+escapeHtml(l)+'</div><div class="dv">'+(opts.html||escapeHtml(plainVal||'\u2014'))+'</div>';
+    if(plainVal)d.onclick=function(){copyToClip(plainVal,d);};
+    d.title=plainVal?'Click to copy':'';
+    return d;
+  }
+  function addGroup(label,cards){
+    var wrap=document.createElement('div');wrap.className='mg-group';
+    var lbl=document.createElement('div');lbl.className='mg-label';lbl.textContent=label;
+    wrap.appendChild(lbl);
+    var grid=document.createElement('div');grid.className='deploy-grid';
+    cards.forEach(function(c){if(c)grid.appendChild(c);});
+    wrap.appendChild(grid);root.appendChild(wrap);
+  }
+
+  // Service identity
+  addGroup('Service',[
+    dc('Version',body.version),
+    dc('Uptime',null,{html:escapeHtml(fmtUptime(body.uptime_seconds))}),
+    body.cloud_env&&body.cloud_env.ENV?dc('Environment',body.cloud_env.ENV):null,
+    dc('Dry Run',body.dry_run?'yes':'no',{accent:body.dry_run?'mc-warn':''})
+  ]);
+
+  // Health
+  var mongoCard=null;
+  if(body.mongo_healthy!=null){
+    var mOk=body.mongo_healthy;
+    mongoCard=dc('MongoDB',null,{html:'<span class="dot '+(mOk?'dot-green':'dot-red')+'"></span> '+(mOk?'connected':'unreachable'),accent:mOk?'mc-ok':'mc-danger'});
+    updateTBMongo(mOk);
+  }
+  addGroup('Health',[
+    dc('Audit',body.audit_enabled?'enabled':'disabled',{accent:body.audit_enabled?'mc-ok':''}),
+    body.audit_enabled&&body.audit_database?dc('Audit DB',body.audit_database+'.'+(body.audit_collection||'')):null,
+    mongoCard
+  ]);
+
+  // Infrastructure (only if Cloud Run fields present)
+  var infraCards=[];
+  if(body.cloud_run_service)infraCards.push(dc('Cloud Run',body.cloud_run_service));
+  if(body.cloud_run_revision)infraCards.push(dc('Revision',body.cloud_run_revision));
+  if(body.google_cloud_region)infraCards.push(dc('Region',body.google_cloud_region));
+  if(body.google_cloud_project)infraCards.push(dc('Project',body.google_cloud_project));
+  if(infraCards.length>0)addGroup('Infrastructure',infraCards);
+
+  // Configuration
+  addGroup('Configuration',[
+    dc('Webhook Path',body.webhook_path),
+    dc('Config Repo',body.config_repo),
+    body.effective_config_file?dc('Config File',body.effective_config_file):null,
+    dc('Release API',body.release_api_mode,{accent:body.release_api_mode==='tag_create_enabled'?'mc-ok':''}),
+    body.operator_repo_slug?dc('Operator Repo',body.operator_repo_slug):null
+  ]);
+
+  if(body.uptime_seconds!=null)updateTBUptime(body.uptime_seconds);
+  var toggle=$('deployToggleRaw'),pre=$('deployJson');toggle.hidden=false;pre.textContent=JSON.stringify(body,null,2);
+  toggle.onclick=function(){pre.hidden=!pre.hidden;toggle.textContent=pre.hidden?'Show raw JSON':'Hide raw JSON';};
+});};
+
+/* ── Probes ── */
+function statusClass(c){return c>=200&&c<300?'http-ok':c===503||c===429?'http-warn':'http-err';}
+async function loadProbe(path,sId,pId){var se=$(sId),pr=$(pId);try{var r=await fetch(appURL(path),{headers:{Accept:'application/json'}});var t=await r.text();se.innerHTML='<span class="'+statusClass(r.status)+'">HTTP '+r.status+'</span>';pr.hidden=false;try{pr.textContent=JSON.stringify(JSON.parse(t),null,2);}catch(e){pr.textContent=t;}return r.status;}catch(e){se.innerHTML='<span class="http-err">failed</span>';pr.hidden=false;pr.textContent=String(e);return 0;}}
+async function loadAllProbes(){showErr('probesErr','');await loadProbe('/health','healthStatus','healthJson');await loadProbe('/ready','readyStatus','readyJson');var ms=await loadProbe('/metrics','metricsStatus','metricsJson');if(ms===404)showErr('probesErr','/metrics not mounted (METRICS_ENABLED=false)');}
+$('loadProbes').onclick=function(){withLoading('loadProbes',loadAllProbes);};
+
+/* ── Deliveries ── */
+async function loadDeliveries(){showErr('delErr','');var lim=parseInt($('delLimit').value,10)||50;var res=await fetch(appURL('/operator/api/observability/deliveries?limit='+encodeURIComponent(Math.min(200,Math.max(1,lim)))),{headers:authHeaders()});var body=await res.json().catch(function(){return{};});if(!res.ok){showErr('delErr',body.error||res.statusText);return;}var tb=$('delBody');tb.innerHTML='';var dels=body.deliveries||[];dels.forEach(function(row){var tr=document.createElement('tr');tr.innerHTML='<td class="mono">'+fmtTime(row.seen_at)+'</td><td class="mono">'+escapeHtml(row.delivery_id||'')+'</td><td>'+(row.duplicate?'<span class="fail">yes</span>':'<span class="ok">no</span>')+'</td>';tb.appendChild(tr);});emptyState('delBody',3,'\u{1F4E6}','No delivery observations yet');setBadge('delCount',dels.length+(dels.length>=lim?' (limit)':''));}
+$('loadDeliveries').onclick=function(){withLoading('loadDeliveries',loadDeliveries);};
+
+/* ── Release ── */
+$('doRelease').onclick=function(){
+  var v=$('version').value.trim();
+  if(!v){showErr('relErr','Enter a version tag');return;}
+  if(!confirm('Push tag '+v+' to GitHub?\n\nThis may trigger a CI deploy pipeline.'))return;
+  withLoading('doRelease',async function(){showErr('relErr','');var res=await fetch(appURL('/operator/api/release'),{method:'POST',headers:Object.assign({'Content-Type':'application/json'},authHeaders()),body:JSON.stringify({version:v})});var body=await res.json().catch(function(){return{};});var pre=$('relJson');pre.hidden=false;pre.textContent=JSON.stringify(body,null,2);if(!res.ok)showErr('relErr',body.error||res.statusText);});
+};
+
+/* ── Global refresh ── */
+function loadAllSecured(){if(!hasToken())return;loadAudit();loadWebhookTraces();loadDeliveries();loadOverview();loadWorkflows();$('loadDeploy').click();}
+function refreshAll(){if(COP_ORIGIN){loadMetricsCards();loadAllProbes();}loadAllSecured();}
+$('refreshAll').onclick=refreshAll;
+
+/* Deep-linkable URL params (#5) */
+function initFromURL(){
+  var p=new URLSearchParams(location.search);
+  if(p.has('event_type'))$('fltEvent').value=p.get('event_type');
+  if(p.has('success'))$('fltSuccess').value=p.get('success');
+  if(p.has('rule_name'))$('fltRule').value=p.get('rule_name');
+  if(p.has('since'))$('fltSince').value=p.get('since');
+  if(p.has('limit'))$('limit').value=p.get('limit');
+  if(p.has('pr')){$('prLookup').value=p.get('pr');$('auditBody').dataset.prFilter=p.get('pr');}
+  if(p.has('path')){$('pathLookup').value=p.get('path');$('auditBody').dataset.pathFilter=p.get('path');}
+  if(p.has('tab'))switchTab(p.get('tab'));
+  if(p.has('mode'))setMode(p.get('mode'));
+}
+
+/* ── Keyboard shortcuts (#10) ── */
+$('helpBtn').onclick=function(){$('helpOverlay').hidden=!$('helpOverlay').hidden;};
+document.addEventListener('keydown',function(e){
+  if(e.target.tagName==='INPUT'||e.target.tagName==='TEXTAREA'||e.target.tagName==='SELECT'){if(e.key==='Escape'){e.target.blur();}return;}
+  if(e.key==='Escape'){$('helpOverlay').hidden=true;closeDrawer();return;}
+  if(e.key==='r'||e.key==='R'){e.preventDefault();refreshAll();}
+  if(e.key==='d'||e.key==='D'){e.preventDefault();$('darkToggle').click();}
+  if(e.key==='t'||e.key==='T'){e.preventDefault();toggleTimeMode();}
+  if(e.key==='w'||e.key==='W'){e.preventDefault();setMode(document.body.classList.contains('writer-mode')?'operator':'writer');}
+  if(e.key==='1'){switchTab('overview');}
+  if(e.key==='2'){switchTab('webhooks');}
+  if(e.key==='3'){switchTab('audit');}
+  if(e.key==='4'){switchTab('workflows');}
+  if(e.key==='5'){switchTab('system');}
+  if(e.key==='?'){e.preventDefault();$('helpOverlay').hidden=!$('helpOverlay').hidden;}
+});
+
+/* ── Init ── */
+function restoreAutoRefresh(){
+  if(localStorage.getItem('op-auto-metrics')==='1'){$('metricsAuto').checked=true;syncMetricsAuto();}
+  if(localStorage.getItem('op-auto-traces')==='1'){$('tracesAuto').checked=true;syncTracesAuto();}
+  if(localStorage.getItem('op-auto-audit')==='1'){$('auditAuto').checked=true;syncAuditAuto();}
+}
+initDarkMode();initMode();syncTimeBtn();initSections();initTabs();initFromURL();checkServerStatus();startHeartbeat();
+if(COP_ORIGIN){
+  loadAllProbes();loadMetricsCards();restoreAutoRefresh();
+  if(hasToken()){loadAudit();loadWebhookTraces();loadOverview();$('loadDeploy').click();}
+}
+</script>
+
+<!-- Drawer (must be after script so closeDrawer is defined) -->
+<div id="drawer" hidden>
+  <div class="drawer-backdrop" onclick="closeDrawer()"></div>
+  <div class="drawer-panel">
+    <div class="drawer-hd"><h3>Event detail</h3><button class="drawer-cx" onclick="closeDrawer()">&times;</button></div>
+    <div class="drawer-bd" id="drawerBody"></div>
+  </div>
+</div>
 
-    loadAudit();
-  </script>
 </body>
 </html>
diff --git a/services/webhook_handler_new.go b/services/webhook_handler_new.go
index 23513e8..871875d 100644
--- a/services/webhook_handler_new.go
+++ b/services/webhook_handler_new.go
@@ -88,26 +88,41 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 	if err != nil {
 		LogWebhookOperation(ctx, "read_body", "failed to read webhook body", err)
 		container.MetricsCollector.RecordWebhookFailed()
+		AppendWebhookTrace(container, WebhookTraceEntry{
+			DeliveryID: r.Header.Get("X-GitHub-Delivery"),
+			EventType:  r.Header.Get("X-GitHub-Event"),
+			Outcome:    "read_body_failed",
+			Detail:     err.Error(),
+		})
 		http.Error(w, "invalid body", http.StatusBadRequest)
 		return
 	}
 
 	eventType := r.Header.Get("X-GitHub-Event")
+	deliveryID := r.Header.Get("X-GitHub-Delivery")
 	if eventType == "" {
 		LogWebhookOperation(ctx, "missing_event", "missing X-GitHub-Event header", nil)
 		container.MetricsCollector.RecordWebhookFailed()
+		AppendWebhookTrace(container, WebhookTraceEntry{
+			DeliveryID: deliveryID,
+			Outcome:    "missing_event_header",
+		})
 		http.Error(w, "missing event type", http.StatusBadRequest)
 		return
 	}
 
 	// Check for duplicate delivery using X-GitHub-Delivery header
-	deliveryID := r.Header.Get("X-GitHub-Delivery")
 	if deliveryID != "" && container.DeliveryTracker != nil {
 		if !container.DeliveryTracker.TryRecord(deliveryID) {
 			LogInfoCtx(ctx, "duplicate webhook delivery, skipping", map[string]interface{}{
 				"delivery_id": deliveryID,
 				"event_type":  eventType,
 			})
+			AppendWebhookTrace(container, WebhookTraceEntry{
+				DeliveryID: deliveryID,
+				EventType:  eventType,
+				Outcome:    "duplicate_delivery",
+			})
 			w.WriteHeader(http.StatusOK)
 			return
 		}
@@ -125,6 +140,11 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 		if !simpleVerifySignature(sigHeader, payload, []byte(config.WebhookSecret)) {
 			LogWebhookOperation(ctx, "signature_verification", "webhook signature verification failed", nil)
 			container.MetricsCollector.RecordWebhookFailed()
+			AppendWebhookTrace(container, WebhookTraceEntry{
+				DeliveryID: deliveryID,
+				EventType:  eventType,
+				Outcome:    "signature_failed",
+			})
 			http.Error(w, "unauthorized", http.StatusUnauthorized)
 			return
 		}
@@ -141,6 +161,12 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 		LogWebhookOperation(ctx, "parse_payload", "failed to parse webhook payload", err,
 			map[string]interface{}{"event_type": eventType})
 		container.MetricsCollector.RecordWebhookFailed()
+		AppendWebhookTrace(container, WebhookTraceEntry{
+			DeliveryID: deliveryID,
+			EventType:  eventType,
+			Outcome:    "parse_failed",
+			Detail:     err.Error(),
+		})
 		http.Error(w, "bad webhook", http.StatusBadRequest)
 		return
 	}
@@ -156,6 +182,11 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 			"event_type": eventType,
 			"size_bytes": len(payload),
 		})
+		AppendWebhookTrace(container, WebhookTraceEntry{
+			DeliveryID: deliveryID,
+			EventType:  eventType,
+			Outcome:    "ignored_non_pull_request",
+		})
 		w.WriteHeader(http.StatusNoContent)
 		return
 	}
@@ -173,6 +204,23 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 			"action": action,
 			"merged": merged,
 		})
+		trace := WebhookTraceEntry{
+			DeliveryID: deliveryID,
+			EventType:  eventType,
+			Action:     action,
+			Outcome:    "skipped_not_merged_pr",
+			Detail:     fmt.Sprintf("merged=%v", merged),
+		}
+		if r := prEvt.GetRepo(); r != nil {
+			trace.Repo = r.GetFullName()
+		}
+		if pr := prEvt.GetPullRequest(); pr != nil {
+			trace.PRNumber = pr.GetNumber()
+			if b := pr.GetBase(); b != nil {
+				trace.BaseBranch = b.GetRef()
+			}
+		}
+		AppendWebhookTrace(container, trace)
 		w.WriteHeader(http.StatusNoContent)
 		return
 	}
@@ -185,6 +233,13 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 	repo := prEvt.GetRepo()
 	if repo == nil {
 		LogWarningCtx(ctx, "webhook missing repository info", nil)
+		AppendWebhookTrace(container, WebhookTraceEntry{
+			DeliveryID: deliveryID,
+			EventType:  eventType,
+			Action:     action,
+			PRNumber:   prNumber,
+			Outcome:    "invalid_payload_missing_repo",
+		})
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
@@ -230,6 +285,10 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 	// Process asynchronously in background with a new context.
 	// Don't use the request context as it will be cancelled when the request completes.
 	bgCtx := context.Background()
+	// Attach log buffer for operator diagnostics
+	if container.DeliveryLogs != nil {
+		bgCtx = ContextWithLogBuffer(bgCtx, deliveryID, container.DeliveryLogs)
+	}
 
 	// Apply a timeout to prevent stuck API calls from running indefinitely (#9).
 	if config.WebhookProcessingTimeoutSeconds > 0 {
@@ -252,6 +311,27 @@ func HandleWebhookWithContainer(w http.ResponseWriter, r *http.Request, config *
 	}
 }
 
+// webhookResult carries completion info from a successful webhook processing run,
+// surfaced in the operator UI webhook trace for at-a-glance diagnostics.
+type webhookResult struct {
+	TargetRepos   []string
+	FilesMatched  int
+	FilesUploaded int
+	FilesFailed   int
+}
+
+func (r *webhookResult) traceDetail(attempt int) string {
+	if r == nil {
+		return fmt.Sprintf("attempt %d", attempt)
+	}
+	targets := strings.Join(r.TargetRepos, ", ")
+	if targets == "" {
+		targets = "(none)"
+	}
+	return fmt.Sprintf("attempt %d | %d matched, %d uploaded, %d failed | targets: %s",
+		attempt, r.FilesMatched, r.FilesUploaded, r.FilesFailed, targets)
+}
+
 // processWebhookWithRetry wraps handleMergedPRWithContainer with panic recovery
 // and exponential-backoff retries for transient failures (#7).
 func processWebhookWithRetry(ctx context.Context, prNumber int, sourceCommitSHA string, repoOwner string, repoName string, baseBranch string, deliveryID string, config *configs.Config, container *ServiceContainer) {
@@ -261,8 +341,20 @@ func processWebhookWithRetry(ctx context.Context, prNumber int, sourceCommitSHA
 
 	var lastErr error
 	for attempt := 1; attempt <= maxAttempts; attempt++ {
-		lastErr = runWithRecovery(ctx, prNumber, sourceCommitSHA, repoOwner, repoName, baseBranch, config, container)
+		result, err := runWithRecovery(ctx, prNumber, sourceCommitSHA, repoOwner, repoName, baseBranch, config, container)
+		lastErr = err
 		if lastErr == nil {
+			AppendWebhookTrace(container, WebhookTraceEntry{
+				DeliveryID: deliveryID,
+				EventType:  "pull_request",
+				Action:     "closed",
+				Repo:       webhookRepo,
+				BaseBranch: baseBranch,
+				CommitSHA:  sourceCommitSHA,
+				PRNumber:   prNumber,
+				Outcome:    "processed_ok",
+				Detail:     result.traceDetail(attempt),
+			})
 			return // success
 		}
 
@@ -322,6 +414,17 @@ func processWebhookWithRetry(ctx context.Context, prNumber int, sourceCommitSHA
 		"error", lastErr,
 	)
 	container.MetricsCollector.RecordWebhookFailed()
+	AppendWebhookTrace(container, WebhookTraceEntry{
+		DeliveryID: deliveryID,
+		EventType:  "pull_request",
+		Action:     "closed",
+		Repo:       webhookRepo,
+		BaseBranch: baseBranch,
+		CommitSHA:  sourceCommitSHA,
+		PRNumber:   prNumber,
+		Outcome:    "processing_failed",
+		Detail:     fmt.Sprintf("after %d attempt(s): %v", maxAttempts, lastErr),
+	})
 	if notifyErr := container.SlackNotifier.NotifyError(ctx, &ErrorEvent{
 		Operation:  operation,
 		Error:      fmt.Errorf("failed after %d attempt(s): %w", maxAttempts, lastErr),
@@ -336,9 +439,10 @@ func processWebhookWithRetry(ctx context.Context, prNumber int, sourceCommitSHA
 
 // runWithRecovery calls handleMergedPRWithContainer in a panic-safe wrapper,
 // converting panics into errors.
-func runWithRecovery(ctx context.Context, prNumber int, sourceCommitSHA string, repoOwner string, repoName string, baseBranch string, config *configs.Config, container *ServiceContainer) (retErr error) {
+func runWithRecovery(ctx context.Context, prNumber int, sourceCommitSHA string, repoOwner string, repoName string, baseBranch string, config *configs.Config, container *ServiceContainer) (retResult *webhookResult, retErr error) {
 	defer func() {
 		if r := recover(); r != nil {
+			retResult = nil
 			retErr = fmt.Errorf("panic: %v", r)
 			LogCritical("panic in webhook handler", "pr_number", prNumber, "repo_owner", repoOwner, "repo_name", repoName, "recovered", r)
 		}
@@ -348,8 +452,9 @@ func runWithRecovery(ctx context.Context, prNumber int, sourceCommitSHA string,
 
 // handleMergedPRWithContainer orchestrates processing of a merged PR:
 // auth → config → match workflows → fetch changed files → process → upload → notify.
-// Returns an error if a retryable failure occurred (#6 — per-workflow error tracking).
-func handleMergedPRWithContainer(ctx context.Context, prNumber int, sourceCommitSHA string, repoOwner string, repoName string, baseBranch string, config *configs.Config, container *ServiceContainer) error {
+// Returns a webhookResult on success (for operator trace enrichment) and an error
+// if a retryable failure occurred (#6 — per-workflow error tracking).
+func handleMergedPRWithContainer(ctx context.Context, prNumber int, sourceCommitSHA string, repoOwner string, repoName string, baseBranch string, config *configs.Config, container *ServiceContainer) (*webhookResult, error) {
 	startTime := time.Now()
 	webhookRepo := fmt.Sprintf("%s/%s", repoOwner, repoName)
 
@@ -359,20 +464,20 @@ func handleMergedPRWithContainer(ctx context.Context, prNumber int, sourceCommit
 			LogAndReturnError(ctx, "auth", "failed to configure GitHub permissions", err)
 			container.MetricsCollector.RecordWebhookFailed()
 			notifySlackError(ctx, container, "auth", err, prNumber, webhookRepo)
-			return fmt.Errorf("auth: %w", err)
+			return nil, fmt.Errorf("auth: %w", err)
 		}
 	}
 
 	// 2. Load config and find matching workflows
 	yamlConfig, err := loadAndMatchWorkflows(ctx, config, container, webhookRepo, baseBranch, prNumber)
 	if err != nil {
-		return fmt.Errorf("config: %w", err)
+		return nil, fmt.Errorf("config: %w", err)
 	}
 
 	// 3. Fetch changed files from the source PR
 	changedFiles, err := fetchChangedFiles(ctx, config, container, repoOwner, repoName, prNumber, webhookRepo)
 	if err != nil {
-		return fmt.Errorf("fetch_files: %w", err)
+		return nil, fmt.Errorf("fetch_files: %w", err)
 	}
 
 	// 4. Snapshot metrics before processing
@@ -391,16 +496,24 @@ func handleMergedPRWithContainer(ctx context.Context, prNumber int, sourceCommit
 	reportCompletion(ctx, container, webhookRepo, prNumber, sourceCommitSHA, startTime,
 		filesMatchedBefore, filesUploadedBefore, filesFailedBefore, targetRepos)
 
+	// Build result for operator trace enrichment
+	result := &webhookResult{
+		TargetRepos:   targetRepos,
+		FilesMatched:  container.MetricsCollector.GetFilesMatched() - filesMatchedBefore,
+		FilesUploaded: container.MetricsCollector.GetFilesUploaded() - filesUploadedBefore,
+		FilesFailed:   container.MetricsCollector.GetFilesUploadFailed() - filesFailedBefore,
+	}
+
 	// Return an aggregate error if any workflows failed (enables retry for partial failures)
 	if len(workflowErrors) > 0 {
 		errMsgs := make([]string, 0, len(workflowErrors))
 		for wfName, wfErr := range workflowErrors {
 			errMsgs = append(errMsgs, fmt.Sprintf("%s: %v", wfName, wfErr))
 		}
-		return fmt.Errorf("%d workflow(s) failed: %s", len(workflowErrors), strings.Join(errMsgs, "; "))
+		return result, fmt.Errorf("%d workflow(s) failed: %s", len(workflowErrors), strings.Join(errMsgs, "; "))
 	}
 
-	return nil
+	return result, nil
 }
 
 // loadAndMatchWorkflows loads the YAML config and filters to workflows matching
diff --git a/services/webhook_trace_buffer.go b/services/webhook_trace_buffer.go
new file mode 100644
index 0000000..8d5b16e
--- /dev/null
+++ b/services/webhook_trace_buffer.go
@@ -0,0 +1,97 @@
+package services
+
+import (
+	"sync"
+	"time"
+)
+
+const webhookTraceMaxEntries = 120
+
+// WebhookTraceEntry is one observed webhook for operator troubleshooting (in-memory only).
+type WebhookTraceEntry struct {
+	At         time.Time `json:"at"`
+	DeliveryID string    `json:"delivery_id,omitempty"`
+	EventType  string    `json:"event_type,omitempty"`
+	Action     string    `json:"action,omitempty"`
+	Repo       string    `json:"repo,omitempty"`
+	BaseBranch string    `json:"base_branch,omitempty"`
+	CommitSHA  string    `json:"commit_sha,omitempty"`
+	PRNumber   int       `json:"pr_number,omitempty"`
+	Outcome    string    `json:"outcome"`
+	Detail     string    `json:"detail,omitempty"`
+}
+
+// WebhookTraceBuffer stores the last N webhook outcomes for the operator UI.
+type WebhookTraceBuffer struct {
+	mu  sync.Mutex
+	buf []WebhookTraceEntry
+}
+
+// NewWebhookTraceBuffer creates an empty trace buffer.
+func NewWebhookTraceBuffer() *WebhookTraceBuffer {
+	return &WebhookTraceBuffer{buf: make([]WebhookTraceEntry, 0, 32)}
+}
+
+// Append adds an entry (timestamps default to UTC now; detail is truncated).
+func (b *WebhookTraceBuffer) Append(e WebhookTraceEntry) {
+	if b == nil {
+		return
+	}
+	if e.Outcome == "" {
+		e.Outcome = "unknown"
+	}
+	if e.At.IsZero() {
+		e.At = time.Now().UTC()
+	}
+	if len(e.Detail) > 500 {
+		e.Detail = e.Detail[:500] + "…"
+	}
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.buf = append(b.buf, e)
+	if len(b.buf) > webhookTraceMaxEntries {
+		b.buf = b.buf[len(b.buf)-webhookTraceMaxEntries:]
+	}
+}
+
+// Len returns how many trace entries are buffered.
+func (b *WebhookTraceBuffer) Len() int {
+	if b == nil {
+		return 0
+	}
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	return len(b.buf)
+}
+
+// Recent returns the last up to max entries (oldest first within the slice).
+func (b *WebhookTraceBuffer) Recent(max int) []WebhookTraceEntry {
+	if b == nil {
+		return nil
+	}
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if len(b.buf) == 0 {
+		return nil
+	}
+	if max <= 0 {
+		max = 50
+	}
+	if max > webhookTraceMaxEntries {
+		max = webhookTraceMaxEntries
+	}
+	if len(b.buf) <= max {
+		out := make([]WebhookTraceEntry, len(b.buf))
+		copy(out, b.buf)
+		return out
+	}
+	return append([]WebhookTraceEntry(nil), b.buf[len(b.buf)-max:]...)
+}
+
+// AppendWebhookTrace records one webhook row for the operator dashboard.
+func AppendWebhookTrace(c *ServiceContainer, e WebhookTraceEntry) {
+	if c == nil || c.WebhookTraces == nil {
+		return
+	}
+	c.WebhookTraces.Append(e)
+}
diff --git a/services/workflow_processor.go b/services/workflow_processor.go
index 15a862b..8700223 100644
--- a/services/workflow_processor.go
+++ b/services/workflow_processor.go
@@ -459,6 +459,7 @@ func (wp *workflowProcessor) queueUpload(
 		RuleName:   workflow.Name,
 		SourceRepo: workflow.Source.Repo,
 		SourcePath: sourcePath,
+		CommitSHA:  sourceCommitSHA,
 		PRNumber:   prNumber,
 	})
 
diff --git a/types/types.go b/types/types.go
index 7a026f0..88a3d10 100644
--- a/types/types.go
+++ b/types/types.go
@@ -127,6 +127,7 @@ type CopierFileMeta struct {
 	RuleName   string `json:"rule_name,omitempty"`
 	SourceRepo string `json:"source_repo,omitempty"`
 	SourcePath string `json:"source_path,omitempty"`
+	CommitSHA  string `json:"commit_sha,omitempty"`
 	PRNumber   int    `json:"pr_number,omitempty"`
 }
 

From 58975f44b335f2587dfe92e7f93406fca9d55edd Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 09:04:48 -0400
Subject: [PATCH 03/20] feat(operator): optional GitHub PAT auth with role +
 per-repo access checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a second authentication mode (OPERATOR_AUTH_MODE=github) that validates
the bearer token as a GitHub Personal Access Token instead of a shared secret.
The existing shared-token mode remains the default for backward compatibility.

Backend:
- New config: OPERATOR_AUTH_MODE (token|github), OPERATOR_AUTH_REPO
- operator_auth.go: GitHub PAT validation with GET /user + per-user permission
  check on OPERATOR_AUTH_REPO. Maps GitHub permissions to operator/writer/denied
  roles. 5-minute cache keyed by PAT to avoid hitting GitHub on every request.
- operator_ui.go: wrapAPI supports both auth modes, wrapOperatorOnly enforces
  the operator role on write endpoints (replay, release).
- Per-repo permission check on POST /operator/api/replay — the user's PAT must
  have at least read access to the source repo being replayed (in github mode
  only; token mode unchanged). Cached per token+repo pair.
- New endpoints: GET /operator/api/me returns the authenticated user + role;
  GET /operator/api/repo-permission?repos=... batch-checks repo read access
  for frontend button state.
- /operator/api/status now includes auth_mode so the frontend can adapt.

Frontend:
- User chip in top bar shows GitHub avatar + username + role suffix
- Dynamic token input label: "GitHub token" in github mode
- body.role-writer hides elements with .operator-only class (replay, release)
- Replay buttons pre-check per-repo access via fetchRepoPermissions and
  disable with an explanatory tooltip for inaccessible source repos
- Token clear resets user state and permission cache
---
 configs/environment.go           |   8 +-
 services/operator_auth.go        | 267 +++++++++++++++++++++++++++++++
 services/operator_ui.go          | 190 ++++++++++++++++++++--
 services/web/operator/index.html |  85 +++++++++-
 4 files changed, 532 insertions(+), 18 deletions(-)
 create mode 100644 services/operator_auth.go

diff --git a/configs/environment.go b/configs/environment.go
index 42e246f..ec3a8a2 100644
--- a/configs/environment.go
+++ b/configs/environment.go
@@ -73,6 +73,8 @@ type Config struct {
 	// Operator web UI — off unless OPERATOR_UI_ENABLED=true (intended for local dev).
 	OperatorUIEnabled           bool
 	OperatorUIToken             string
+	OperatorAuthMode            string // "token" (default) or "github"
+	OperatorAuthRepo            string // repo to check permissions against when AuthMode=github (e.g. "org/repo")
 	OperatorRepoSlug            string // "owner/repo" for GitHub links and optional tag API
 	OperatorReleaseGitHubToken  string // PAT with contents:write to create a version tag (optional)
 	OperatorReleaseTargetBranch string // branch SHA used when creating a tag (default main)
@@ -125,7 +127,9 @@ const (
 	WebhookMaxRetries               = "WEBHOOK_MAX_RETRIES"
 	WebhookRetryInitialDelay        = "WEBHOOK_RETRY_INITIAL_DELAY" //nolint:gosec // env var name, not a credential
 	OperatorUIEnabled               = "OPERATOR_UI_ENABLED"
-	OperatorUIToken                 = "OPERATOR_UI_TOKEN" // #nosec G101 -- env var name
+	OperatorUIToken                 = "OPERATOR_UI_TOKEN"  // #nosec G101 -- env var name
+	OperatorAuthMode                = "OPERATOR_AUTH_MODE" // "token" or "github"
+	OperatorAuthRepo                = "OPERATOR_AUTH_REPO" // repo for permission check in github mode
 	OperatorRepoSlug                = "OPERATOR_REPO_SLUG"
 	OperatorReleaseGitHubToken      = "OPERATOR_RELEASE_GITHUB_TOKEN" // #nosec G101 -- env var name
 	OperatorReleaseTargetBranch     = "OPERATOR_RELEASE_TARGET_BRANCH"
@@ -249,6 +253,8 @@ func LoadEnvironment(envFile string) (*Config, error) {
 
 	config.OperatorUIEnabled = getBoolEnvWithDefault(OperatorUIEnabled, false)
 	config.OperatorUIToken = os.Getenv(OperatorUIToken)
+	config.OperatorAuthMode = getEnvWithDefault(OperatorAuthMode, "token")
+	config.OperatorAuthRepo = os.Getenv(OperatorAuthRepo)
 	config.OperatorRepoSlug = os.Getenv(OperatorRepoSlug)
 	config.OperatorReleaseGitHubToken = os.Getenv(OperatorReleaseGitHubToken)
 	config.OperatorReleaseTargetBranch = getEnvWithDefault(OperatorReleaseTargetBranch, "main")
diff --git a/services/operator_auth.go b/services/operator_auth.go
new file mode 100644
index 0000000..08bd1ca
--- /dev/null
+++ b/services/operator_auth.go
@@ -0,0 +1,267 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+)
+
+// OperatorRole represents the permission level for the operator UI.
+type OperatorRole string
+
+const (
+	// RoleOperator has full access: view, replay, release.
+	RoleOperator OperatorRole = "operator"
+	// RoleWriter has read-only access: view workflows, audit, recent copies.
+	RoleWriter OperatorRole = "writer"
+	// RoleDenied means the user has no access.
+	RoleDenied OperatorRole = "denied"
+)
+
+// OperatorUser represents an authenticated operator UI user.
+type OperatorUser struct {
+	Login     string       `json:"login"`
+	AvatarURL string       `json:"avatar_url,omitempty"`
+	Role      OperatorRole `json:"role"`
+}
+
+// ghAuthCache caches GitHub PAT validation results to avoid hitting the API on every request.
+// It also caches per-repo permission lookups (one permission level per token+repo pair).
+type ghAuthCache struct {
+	mu       sync.RWMutex
+	entries  map[string]*ghAuthEntry
+	repoPerm map[string]*ghRepoPermEntry // key: token + "\x00" + repo
+	ttl      time.Duration
+}
+
+type ghAuthEntry struct {
+	user      *OperatorUser
+	err       error
+	expiresAt time.Time
+}
+
+type ghRepoPermEntry struct {
+	permission string // "admin", "maintain", "write", "triage", "read", or "" for denied
+	err        error
+	expiresAt  time.Time
+}
+
+func newGHAuthCache(ttl time.Duration) *ghAuthCache {
+	return &ghAuthCache{
+		entries:  make(map[string]*ghAuthEntry),
+		repoPerm: make(map[string]*ghRepoPermEntry),
+		ttl:      ttl,
+	}
+}
+
+func (c *ghAuthCache) get(token string) (*OperatorUser, error, bool) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	e, ok := c.entries[token]
+	if !ok || time.Now().After(e.expiresAt) {
+		return nil, nil, false
+	}
+	return e.user, e.err, true
+}
+
+func (c *ghAuthCache) set(token string, user *OperatorUser, err error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.entries[token] = &ghAuthEntry{
+		user:      user,
+		err:       err,
+		expiresAt: time.Now().Add(c.ttl),
+	}
+	// Evict expired entries periodically (simple sweep when cache grows)
+	if len(c.entries) > 100 {
+		now := time.Now()
+		for k, v := range c.entries {
+			if now.After(v.expiresAt) {
+				delete(c.entries, k)
+			}
+		}
+	}
+}
+
+func (c *ghAuthCache) getRepoPerm(token, repo string) (string, error, bool) {
+	key := token + "\x00" + repo
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	e, ok := c.repoPerm[key]
+	if !ok || time.Now().After(e.expiresAt) {
+		return "", nil, false
+	}
+	return e.permission, e.err, true
+}
+
+func (c *ghAuthCache) setRepoPerm(token, repo, permission string, err error) {
+	key := token + "\x00" + repo
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.repoPerm[key] = &ghRepoPermEntry{
+		permission: permission,
+		err:        err,
+		expiresAt:  time.Now().Add(c.ttl),
+	}
+	if len(c.repoPerm) > 500 {
+		now := time.Now()
+		for k, v := range c.repoPerm {
+			if now.After(v.expiresAt) {
+				delete(c.repoPerm, k)
+			}
+		}
+	}
+}
+
+// CanUserReadRepo returns true if the user (identified by PAT) has at least read access to the repo.
+// Uses the cache when available. Returns (hasAccess, error).
+func (c *ghAuthCache) CanUserReadRepo(ctx context.Context, pat, username, repo string) (bool, error) {
+	if perm, err, ok := c.getRepoPerm(pat, repo); ok {
+		if err != nil {
+			return false, err
+		}
+		return permissionGrantsRead(perm), nil
+	}
+	perm, err := ghAPIGetRepoPermission(ctx, pat, repo, username)
+	c.setRepoPerm(pat, repo, perm, err)
+	if err != nil {
+		return false, err
+	}
+	return permissionGrantsRead(perm), nil
+}
+
+func permissionGrantsRead(perm string) bool {
+	switch perm {
+	case "admin", "maintain", "write", "triage", "read":
+		return true
+	}
+	return false
+}
+
+// validateGitHubPAT validates a GitHub PAT and returns the authenticated user with their role.
+// It calls the GitHub API to get the user info, then checks their permission on the auth repo.
+func validateGitHubPAT(ctx context.Context, pat string, authRepo string) (*OperatorUser, error) {
+	if pat == "" {
+		return nil, fmt.Errorf("empty token")
+	}
+
+	// 1. Get the authenticated user
+	ghUser, err := ghAPIGetUser(ctx, pat)
+	if err != nil {
+		return nil, fmt.Errorf("validate token: %w", err)
+	}
+
+	user := &OperatorUser{
+		Login:     ghUser.Login,
+		AvatarURL: ghUser.AvatarURL,
+		Role:      RoleWriter, // default to read-only
+	}
+
+	// 2. If no auth repo configured, grant operator access to any valid GitHub user
+	if authRepo == "" {
+		user.Role = RoleOperator
+		return user, nil
+	}
+
+	// 3. Check the user's permission on the auth repo
+	perm, err := ghAPIGetRepoPermission(ctx, pat, authRepo, ghUser.Login)
+	if err != nil {
+		// If we can't check permissions (repo not found, no access), default to writer
+		LogWarning("GitHub permission check failed, defaulting to writer role",
+			"user", ghUser.Login, "repo", authRepo, "error", err)
+		return user, nil
+	}
+
+	switch perm {
+	case "admin", "maintain", "write":
+		user.Role = RoleOperator
+	case "read", "triage":
+		user.Role = RoleWriter
+	default:
+		user.Role = RoleDenied
+		return user, fmt.Errorf("user %s has no access to %s", ghUser.Login, authRepo)
+	}
+
+	return user, nil
+}
+
+// ghUserResponse is the minimal response from GET /user.
+type ghUserResponse struct {
+	Login     string `json:"login"`
+	AvatarURL string `json:"avatar_url"`
+}
+
+func ghAPIGetUser(ctx context.Context, pat string) (*ghUserResponse, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.github.com/user", nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Authorization", "Bearer "+pat)
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
+
+	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = resp.Body.Close() }()
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
+
+	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
+		return nil, fmt.Errorf("invalid or expired GitHub token (HTTP %d)", resp.StatusCode)
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitHub API error: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+
+	var user ghUserResponse
+	if err := json.Unmarshal(body, &user); err != nil {
+		return nil, fmt.Errorf("parse user response: %w", err)
+	}
+	if user.Login == "" {
+		return nil, fmt.Errorf("empty login in GitHub response")
+	}
+	return &user, nil
+}
+
+// ghPermissionResponse is the response from GET /repos/{owner}/{repo}/collaborators/{user}/permission.
+type ghPermissionResponse struct {
+	Permission string `json:"permission"`
+}
+
+func ghAPIGetRepoPermission(ctx context.Context, pat string, repo string, username string) (string, error) {
+	parts := strings.SplitN(repo, "/", 2)
+	if len(parts) != 2 {
+		return "", fmt.Errorf("invalid repo format: %s (expected owner/repo)", repo)
+	}
+	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/collaborators/%s/permission", parts[0], parts[1], username)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Authorization", "Bearer "+pat)
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
+
+	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer func() { _ = resp.Body.Close() }()
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("permission check: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+
+	var perm ghPermissionResponse
+	if err := json.Unmarshal(body, &perm); err != nil {
+		return "", fmt.Errorf("parse permission response: %w", err)
+	}
+	return perm.Permission, nil
+}
diff --git a/services/operator_ui.go b/services/operator_ui.go
index 6816eff..9841d1f 100644
--- a/services/operator_ui.go
+++ b/services/operator_ui.go
@@ -33,6 +33,9 @@ func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *
 		container: container,
 		version:   version,
 	}
+	if cfg.OperatorAuthMode == "github" {
+		o.ghCache = newGHAuthCache(5 * time.Minute)
+	}
 	// Register specific paths before the /operator/ subtree so /operator/api/* is not handled by serveIndex.
 	mux.HandleFunc("/operator/api/status", o.handleOperatorStatus)
 	mux.HandleFunc("/operator/api/audit/events", o.wrapAPI(o.handleAuditEvents))
@@ -40,18 +43,29 @@ func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *
 	mux.HandleFunc("/operator/api/observability/deliveries", o.wrapAPI(o.handleObservabilityDeliveries))
 	mux.HandleFunc("/operator/api/observability/webhook-traces", o.wrapAPI(o.handleObservabilityWebhookTraces))
 	mux.HandleFunc("/operator/api/deployment", o.wrapAPI(o.handleDeployment))
-	mux.HandleFunc("/operator/api/release", o.wrapAPI(o.handleRelease))
-	mux.HandleFunc("/operator/api/replay", o.wrapAPI(o.handleReplay))
+	mux.HandleFunc("/operator/api/release", o.wrapOperatorOnly(o.handleRelease))
+	mux.HandleFunc("/operator/api/replay", o.wrapOperatorOnly(o.handleReplay))
 	mux.HandleFunc("/operator/api/workflows", o.wrapAPI(o.handleWorkflows))
 	mux.HandleFunc("/operator/api/logs", o.wrapAPI(o.handleDeliveryLogs))
+	mux.HandleFunc("/operator/api/me", o.wrapAPI(o.handleMe))
+	mux.HandleFunc("/operator/api/repo-permission", o.wrapAPI(o.handleRepoPermission))
 	mux.HandleFunc("/operator/", o.serveIndex)
 	mux.HandleFunc("/operator", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/operator/", http.StatusFound)
 	})
-	if cfg.OperatorUIToken == "" {
-		LogInfo("Operator UI: /operator/ (set OPERATOR_UI_TOKEN to enable audit, deployment JSON, and release APIs)")
-	} else {
-		LogInfo("Operator UI: /operator/ with API authentication enabled")
+	switch cfg.OperatorAuthMode {
+	case "github":
+		authRepo := cfg.OperatorAuthRepo
+		if authRepo == "" {
+			authRepo = "(any valid GitHub user)"
+		}
+		LogInfo("Operator UI: /operator/ with GitHub PAT authentication", "auth_repo", authRepo)
+	default:
+		if cfg.OperatorUIToken == "" {
+			LogInfo("Operator UI: /operator/ (set OPERATOR_UI_TOKEN or OPERATOR_AUTH_MODE=github to enable APIs)")
+		} else {
+			LogInfo("Operator UI: /operator/ with token authentication enabled")
+		}
 	}
 }
 
@@ -59,20 +73,52 @@ type operatorUI struct {
 	cfg            *configs.Config
 	container      *ServiceContainer
 	version        string
-	replayInFlight sync.Map // key: "owner/repo#pr" → prevents concurrent replays
+	replayInFlight sync.Map     // key: "owner/repo#pr" → prevents concurrent replays
+	ghCache        *ghAuthCache // GitHub PAT validation cache (nil when auth mode is "token")
+}
+
+// operatorUserCtxKey is the context key for the authenticated operator user.
+type operatorUserCtxKey struct{}
+
+// operatorUserFromCtx returns the authenticated user from the request context (nil if not set).
+func operatorUserFromCtx(r *http.Request) *OperatorUser {
+	u, _ := r.Context().Value(operatorUserCtxKey{}).(*OperatorUser)
+	return u
 }
 
 func (o *operatorUI) wrapAPI(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
+		token := bearerToken(r)
+
+		if o.cfg.OperatorAuthMode == "github" {
+			// GitHub PAT mode: validate the token as a GitHub PAT
+			if token == "" {
+				w.WriteHeader(http.StatusUnauthorized)
+				_ = json.NewEncoder(w).Encode(map[string]string{"error": "provide a GitHub Personal Access Token as Bearer token"})
+				return
+			}
+			user, err := o.authenticateGitHub(r.Context(), token)
+			if err != nil {
+				w.WriteHeader(http.StatusUnauthorized)
+				_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+				return
+			}
+			// Attach the user to the request context for downstream handlers
+			ctx := context.WithValue(r.Context(), operatorUserCtxKey{}, user)
+			next(w, r.WithContext(ctx))
+			return
+		}
+
+		// Default: simple shared-token mode
 		if o.cfg.OperatorUIToken == "" {
 			w.WriteHeader(http.StatusServiceUnavailable)
 			_ = json.NewEncoder(w).Encode(map[string]string{
-				"error": "operator APIs disabled on server: set OPERATOR_UI_TOKEN in the environment and redeploy",
+				"error": "operator APIs disabled on server: set OPERATOR_UI_TOKEN (or OPERATOR_AUTH_MODE=github) and redeploy",
 			})
 			return
 		}
-		if !operatorAuthOK(o.cfg.OperatorUIToken, bearerToken(r)) {
+		if !operatorAuthOK(o.cfg.OperatorUIToken, token) {
 			w.WriteHeader(http.StatusUnauthorized)
 			_ = json.NewEncoder(w).Encode(map[string]string{"error": "unauthorized"})
 			return
@@ -81,6 +127,37 @@ func (o *operatorUI) wrapAPI(next http.HandlerFunc) http.HandlerFunc {
 	}
 }
 
+// wrapOperatorOnly wraps a handler that requires the "operator" role (replay, release).
+// In token mode, all authenticated users are operators. In github mode, checks the role.
+func (o *operatorUI) wrapOperatorOnly(next http.HandlerFunc) http.HandlerFunc {
+	return o.wrapAPI(func(w http.ResponseWriter, r *http.Request) {
+		user := operatorUserFromCtx(r)
+		if user != nil && user.Role != RoleOperator {
+			w.WriteHeader(http.StatusForbidden)
+			_ = json.NewEncoder(w).Encode(map[string]string{
+				"error": fmt.Sprintf("this action requires operator access (you have %s)", string(user.Role)),
+			})
+			return
+		}
+		next(w, r)
+	})
+}
+
+func (o *operatorUI) authenticateGitHub(ctx context.Context, pat string) (*OperatorUser, error) {
+	if o.ghCache != nil {
+		if user, err, ok := o.ghCache.get(pat); ok {
+			return user, err
+		}
+	}
+	authCtx, cancel := context.WithTimeout(ctx, 15*time.Second)
+	defer cancel()
+	user, err := validateGitHubPAT(authCtx, pat, o.cfg.OperatorAuthRepo)
+	if o.ghCache != nil {
+		o.ghCache.set(pat, user, err)
+	}
+	return user, err
+}
+
 // handleOperatorStatus reports whether secured operator APIs are configured (no auth).
 func (o *operatorUI) handleOperatorStatus(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
@@ -90,8 +167,10 @@ func (o *operatorUI) handleOperatorStatus(w http.ResponseWriter, r *http.Request
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
+	apisEnabled := o.cfg.OperatorUIToken != "" || o.cfg.OperatorAuthMode == "github"
 	out := map[string]any{
-		"operator_apis_enabled": o.cfg.OperatorUIToken != "",
+		"operator_apis_enabled": apisEnabled,
+		"auth_mode":             o.cfg.OperatorAuthMode,
 		"metrics_enabled":       o.cfg.MetricsEnabled,
 		"audit_enabled":         o.cfg.AuditEnabled,
 		"version":               o.version,
@@ -106,6 +185,76 @@ func (o *operatorUI) handleOperatorStatus(w http.ResponseWriter, r *http.Request
 	_ = json.NewEncoder(w).Encode(out)
 }
 
+// handleMe returns the authenticated user info (GitHub mode) or a generic response (token mode).
+func (o *operatorUI) handleMe(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	user := operatorUserFromCtx(r)
+	if user != nil {
+		_ = json.NewEncoder(w).Encode(user)
+		return
+	}
+	// Token mode — no user identity
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"login": "operator",
+		"role":  "operator",
+	})
+}
+
+// handleRepoPermission reports whether the authenticated user has read access to a given repo.
+// Used by the frontend to pre-check replay eligibility. In token mode, always returns true.
+// Query params: repos=owner/repo1,owner/repo2 (comma-separated).
+func (o *operatorUI) handleRepoPermission(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	reposParam := strings.TrimSpace(r.URL.Query().Get("repos"))
+	if reposParam == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "repos query param required"})
+		return
+	}
+	repos := strings.Split(reposParam, ",")
+	result := make(map[string]bool, len(repos))
+
+	// Token mode: no per-repo restrictions — grant all
+	if o.cfg.OperatorAuthMode != "github" || o.ghCache == nil {
+		for _, repo := range repos {
+			repo = strings.TrimSpace(repo)
+			if repo != "" {
+				result[repo] = true
+			}
+		}
+		_ = json.NewEncoder(w).Encode(map[string]any{"permissions": result})
+		return
+	}
+
+	user := operatorUserFromCtx(r)
+	userPAT := bearerToken(r)
+	if user == nil || userPAT == "" {
+		w.WriteHeader(http.StatusUnauthorized)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "unauthenticated"})
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
+	defer cancel()
+	for _, repo := range repos {
+		repo = strings.TrimSpace(repo)
+		if repo == "" {
+			continue
+		}
+		canRead, _ := o.ghCache.CanUserReadRepo(ctx, userPAT, user.Login, repo)
+		result[repo] = canRead
+	}
+	_ = json.NewEncoder(w).Encode(map[string]any{"permissions": result})
+}
+
 func bearerToken(r *http.Request) string {
 	h := r.Header.Get("Authorization")
 	const p = "Bearer "
@@ -555,6 +704,27 @@ func (o *operatorUI) handleReplay(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Source-repo permission check (GitHub auth mode only): the user's PAT must
+	// have at least read access to the source repo being replayed.
+	if o.cfg.OperatorAuthMode == "github" && o.ghCache != nil {
+		user := operatorUserFromCtx(r)
+		userPAT := bearerToken(r)
+		if user != nil && userPAT != "" {
+			permCtx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+			canRead, permErr := o.ghCache.CanUserReadRepo(permCtx, userPAT, user.Login, req.Repo)
+			cancel()
+			if !canRead {
+				w.WriteHeader(http.StatusForbidden)
+				msg := fmt.Sprintf("you do not have access to source repo %s", req.Repo)
+				if permErr != nil {
+					msg = fmt.Sprintf("%s: %s", msg, permErr.Error())
+				}
+				_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: msg})
+				return
+			}
+		}
+	}
+
 	// In-flight dedup: prevent concurrent replays for the same PR
 	replayKey := fmt.Sprintf("%s#%d", req.Repo, req.PRNumber)
 	if _, loaded := o.replayInFlight.LoadOrStore(replayKey, true); loaded {
diff --git a/services/web/operator/index.html b/services/web/operator/index.html
index 847fb42..b2c70d5 100644
--- a/services/web/operator/index.html
+++ b/services/web/operator/index.html
@@ -243,6 +243,11 @@
     .help-content ol,.help-content ul{padding-left:1.4rem;margin:0.3rem 0;}
     .help-content li{margin:0.2rem 0;}
 
+    /* User avatar */
+    .tb-avatar{width:16px;height:16px;border-radius:50%;vertical-align:middle;}
+    /* Writer role: hide operator-only actions */
+    body.role-writer .operator-only{display:none !important;}
+
     /* Mode toggle */
     .mode-toggle{display:inline-flex;border:1px solid var(--border);border-radius:6px;overflow:hidden;font-size:0.78rem;}
     .mode-toggle button{padding:0.18rem 0.55rem;border:none;background:var(--surface);color:var(--text-3);cursor:pointer;font-size:0.78rem;font-weight:500;transition:all 0.15s;}
@@ -279,6 +284,7 @@
     <span class="chip" id="tbMongo" hidden></span>
     <span class="chip" id="tbLastWH" hidden></span>
     <span class="chip chip-err" id="tbConn" hidden><span class="dot dot-red"></span> Disconnected</span>
+    <span class="chip" id="tbUser" hidden></span>
   </div>
   <div class="topbar-right">
     <div class="mode-toggle" id="modeToggle"><button data-mode="writer" title="Writer view: Workflows + Audit">Writer</button><button data-mode="operator" title="Operator view: all tabs">Operator</button></div>
@@ -557,7 +563,7 @@ <h3>Keyboard shortcuts</h3>
       <div class="sb">
         <p class="hint" style="margin-top:0">Pushes a <code>vMAJOR.MINOR.PATCH</code> tag. Changelog requires <code>scripts/release.sh</code>.</p>
         <label for="version">Version tag</label>
-        <div class="row"><input id="version" type="text" placeholder="v0.4.0" style="max-width:10rem" /><button type="button" id="doRelease">Create tag via API</button></div>
+        <div class="row operator-only"><input id="version" type="text" placeholder="v0.4.0" style="max-width:10rem" /><button type="button" id="doRelease">Create tag via API</button></div>
         <p id="relErr" class="err" hidden></p><pre id="relJson" hidden></pre>
       </div>
     </section>
@@ -750,8 +756,35 @@ <h3>Keyboard shortcuts</h3>
 
 /* ── Token ── */
 $('token').value=sessionStorage.getItem(TKEY)||'';
-$('saveToken').onclick=function(){var v=$('token').value.trim();if(!v)return;sessionStorage.setItem(TKEY,v);var btn=$('saveToken');btn.textContent='Saved!';btn.style.background='var(--green)';btn.style.borderColor='var(--green)';setTimeout(function(){btn.textContent='Save in session';btn.style.background='';btn.style.borderColor='';},1200);loadAllSecured();};
-$('clearToken').onclick=function(){sessionStorage.removeItem(TKEY);$('token').value='';};
+$('saveToken').onclick=function(){var v=$('token').value.trim();if(!v)return;sessionStorage.setItem(TKEY,v);var btn=$('saveToken');btn.textContent='Saved!';btn.style.background='var(--green)';btn.style.borderColor='var(--green)';setTimeout(function(){btn.textContent='Save in session';btn.style.background='';btn.style.borderColor='';},1200);fetchMe();loadAllSecured();};
+$('clearToken').onclick=function(){
+  sessionStorage.removeItem(TKEY);$('token').value='';
+  $('tbUser').hidden=true;
+  document.body.classList.remove('role-writer');
+  _repoPerm={};_currentUser=null;
+};
+
+/* ── Authenticated user ── */
+var _currentUser=null;
+function fetchMe(){
+  if(!hasToken())return;
+  fetch(appURL('/operator/api/me'),{headers:authHeaders()}).then(function(r){
+    if(!r.ok)return null;
+    return r.json();
+  }).then(function(user){
+    if(!user)return;
+    _currentUser=user;
+    var el=$('tbUser');
+    el.hidden=false;
+    var inner='';
+    if(user.avatar_url)inner+='<img class="tb-avatar" src="'+escapeHtml(user.avatar_url)+'&s=32" alt=""> ';
+    inner+=escapeHtml(user.login||'operator');
+    if(user.role&&user.role!=='operator')inner+=' <span style="opacity:0.6">('+escapeHtml(user.role)+')</span>';
+    el.innerHTML=inner;
+    // Apply role-based visibility
+    document.body.classList.toggle('role-writer',user.role==='writer');
+  }).catch(function(){});
+}
 
 /* ── Status bar ── */
 function updateTBVersion(v){$('tbVersion').textContent=v||'...';}
@@ -764,7 +797,9 @@ <h3>Keyboard shortcuts</h3>
 function startHeartbeat(){if(!COP_ORIGIN)return;setInterval(function(){fetch(appURL('/operator/api/status')).then(function(r){if(!_connected){_connected=true;$('tbConn').hidden=true;toast('Reconnected to server','info');}}).catch(function(){if(_connected){_connected=false;$('tbConn').hidden=false;toast('Connection lost to server','error');}});},60000);}
 
 /* Server status */
-function checkServerStatus(){if(!COP_ORIGIN){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Open this page at http://127.0.0.1:<PORT>/operator/.';return;}fetch(appURL('/operator/api/status')).then(function(r){if(r.status===404){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Operator routes not enabled.';return null;}return r.json();}).then(function(d){if(!d)return;updateTBVersion(d.version);if(!d.operator_apis_enabled){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='No OPERATOR_UI_TOKEN: secured APIs return 503.';}}).catch(function(){});}
+function checkServerStatus(){if(!COP_ORIGIN){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Open this page at http://127.0.0.1:<PORT>/operator/.';return;}fetch(appURL('/operator/api/status')).then(function(r){if(r.status===404){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Operator routes not enabled.';return null;}return r.json();}).then(function(d){if(!d)return;updateTBVersion(d.version);
+    if(d.auth_mode==='github'){$('token').placeholder='GitHub Personal Access Token';$('token').parentNode.parentNode.querySelector('label').innerHTML='<strong>GitHub token</strong> (PAT with repo read access)';}
+    if(!d.operator_apis_enabled){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='No authentication configured: set OPERATOR_UI_TOKEN or OPERATOR_AUTH_MODE=github.';}}).catch(function(){});}
 
 /* ── Metrics with groups, deltas, sparklines, health accents ── */
 var _prevMetrics={}, _metricHistory={};
@@ -877,7 +912,14 @@ <h3>Keyboard shortcuts</h3>
 
 /* ── Webhook traces with client-side filter/search (#4, #9) ── */
 var _traceData=[];
+// Map of repo -> bool (true = user has read access). Populated after loading traces.
+// In token mode, every repo is true. In github mode, only repos the user has access to.
+var _repoPerm={};
 function traceOutcomeClass(o){if(!o)return'';if(o==='processed_ok')return'ok';if(o==='duplicate_delivery'||o==='skipped_not_merged_pr'||o==='ignored_non_pull_request')return'warn';return'fail';}
+function canReplayRepo(repo){
+  // If we haven't checked yet (undefined), assume yes. If checked and false, disable.
+  return _repoPerm[repo]!==false;
+}
 function renderTraces(){
   var outcomeF=$('traceOutcome').value,searchF=$('traceSearch').value.toLowerCase().trim();
   var filtered=_traceData;
@@ -888,7 +930,12 @@ <h3>Keyboard shortcuts</h3>
     var tr=document.createElement('tr'),oc=row.outcome||'';
     if(row.event_type==='operator_replay')tr.className='trace-replay';
     var replayBtn='';
-    if(row.repo&&row.pr_number&&row.base_branch){replayBtn='<button class="btn-sm" onclick="event.stopPropagation();confirmReplay('+escapeHtml(JSON.stringify(row.repo))+','+row.pr_number+','+escapeHtml(JSON.stringify(row.base_branch))+','+escapeHtml(JSON.stringify(row.commit_sha||''))+')">Replay</button>';}
+    if(row.repo&&row.pr_number&&row.base_branch){
+      var allowed=canReplayRepo(row.repo);
+      var disAttrs=allowed?'':' disabled title="You do not have GitHub access to '+escapeHtml(row.repo)+'"';
+      var onClick=allowed?'event.stopPropagation();confirmReplay('+escapeHtml(JSON.stringify(row.repo))+','+row.pr_number+','+escapeHtml(JSON.stringify(row.base_branch))+','+escapeHtml(JSON.stringify(row.commit_sha||''))+')':'event.stopPropagation()';
+      replayBtn='<button class="btn-sm operator-only" onclick="'+onClick+'"'+disAttrs+'>Replay</button>';
+    }
     if(row.delivery_id){replayBtn+=' <button class="btn-sm" onclick="event.stopPropagation();viewDeliveryLogs(\''+escapeHtml(row.delivery_id)+'\')">Logs</button>';}
     var detailHtml=parseDetailBadges(row.detail||'');
     tr.innerHTML='<td class="mono">'+fmtTime(row.at)+'</td><td><span class="'+traceOutcomeClass(oc)+'">'+escapeHtml(oc)+'</span></td><td>'+ghLink(row.repo)+'</td><td>'+ghPR(row.repo,row.pr_number)+'</td><td class="mono">'+escapeHtml(row.base_branch||'')+'</td><td class="mono">'+escapeHtml(row.event_type||'')+'</td><td class="mono">'+escapeHtml(row.action||'')+'</td><td class="mono">'+escapeHtml(row.delivery_id||'')+'</td><td>'+detailHtml+'</td><td>'+replayBtn+'</td>';
@@ -897,6 +944,27 @@ <h3>Keyboard shortcuts</h3>
   setBadge('tracesCount',filtered.length+(_traceData.length>filtered.length?' / '+_traceData.length:''));
   emptyState('traceBody',10,'\u{1F4E1}','No webhook activity yet');
 }
+
+// Fetch repo read-permission for each unique source repo in _traceData.
+// Only relevant in github auth mode; in token mode the backend returns true for all.
+async function fetchRepoPermissions(){
+  if(!_currentUser||!hasToken())return;
+  var uniqueRepos={};
+  _traceData.forEach(function(r){if(r.repo)uniqueRepos[r.repo]=true;});
+  // Also include audit data source repos so replay from the drawer works
+  _auditData.forEach(function(e){if(e.source_repo)uniqueRepos[e.source_repo]=true;});
+  // Skip repos we've already checked
+  var toCheck=Object.keys(uniqueRepos).filter(function(r){return _repoPerm[r]===undefined;});
+  if(toCheck.length===0)return;
+  try{
+    var res=await fetch(appURL('/operator/api/repo-permission?repos='+encodeURIComponent(toCheck.join(','))),{headers:authHeaders()});
+    if(!res.ok)return;
+    var body=await res.json();
+    var perms=body.permissions||{};
+    Object.keys(perms).forEach(function(r){_repoPerm[r]=!!perms[r];});
+    renderTraces(); // Re-render to update button states
+  }catch(e){}
+}
 async function loadWebhookTraces(){
   showErr('traceErr','');
   var lim=parseInt($('traceLimit').value,10)||50;
@@ -907,6 +975,7 @@ <h3>Keyboard shortcuts</h3>
   renderTraces();setRefreshed('tracesRefreshed');
   if(_traceData.length>0&&_traceData[_traceData.length-1].at)updateTBLastWH(_traceData[_traceData.length-1].at);
   updateTabBadges();
+  fetchRepoPermissions();
 }
 $('traceOutcome').addEventListener('change',renderTraces);
 $('traceSearch').addEventListener('input',renderTraces);
@@ -972,7 +1041,9 @@ <h3>Keyboard shortcuts</h3>
   rows.forEach(function(r){var v=r[1];if(v===undefined||v===null||v==='')return;html+='<tr><th>'+escapeHtml(r[0])+'</th><td>'+escapeHtml(String(v))+'</td></tr>';});
   html+='</table>';
   if(ev.source_repo&&ev.pr_number){
-    html+='<div style="margin-top:0.75rem"><button class="btn-sm" onclick="confirmReplay(\''+escapeHtml(ev.source_repo)+'\','+ev.pr_number+',\'\',\''+escapeHtml(ev.commit_sha||'')+'\')">Replay this PR</button></div>';
+    var rpAllowed=canReplayRepo(ev.source_repo);
+    var rpDis=rpAllowed?'':' disabled title="You do not have GitHub access to '+escapeHtml(ev.source_repo)+'"';
+    html+='<div style="margin-top:0.75rem" class="operator-only"><button class="btn-sm" onclick="confirmReplay(\''+escapeHtml(ev.source_repo)+'\','+ev.pr_number+',\'\',\''+escapeHtml(ev.commit_sha||'')+'\')"'+rpDis+'>Replay this PR</button></div>';
   }
   $('drawerBody').innerHTML=html;$('drawer').hidden=false;
 }
@@ -1485,7 +1556,7 @@ <h3>Keyboard shortcuts</h3>
 initDarkMode();initMode();syncTimeBtn();initSections();initTabs();initFromURL();checkServerStatus();startHeartbeat();
 if(COP_ORIGIN){
   loadAllProbes();loadMetricsCards();restoreAutoRefresh();
-  if(hasToken()){loadAudit();loadWebhookTraces();loadOverview();$('loadDeploy').click();}
+  if(hasToken()){fetchMe();loadAudit();loadWebhookTraces();loadOverview();$('loadDeploy').click();}
 }
 </script>
 

From ef976736b9922a5dc927e14624695a64dce65a45 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 09:29:38 -0400
Subject: [PATCH 04/20] refactor(operator): remove token auth mode, require
 GitHub PAT + auth repo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Simplifies the operator UI authentication to a single path: GitHub PAT
validation with role assignment from OPERATOR_AUTH_REPO permissions.

Prior: two auth modes (shared secret via OPERATOR_UI_TOKEN, or GitHub PAT via
OPERATOR_AUTH_MODE=github). The shared-secret mode had no user identity, no
per-repo restrictions, and a single token that could be leaked.

Now: OPERATOR_UI_ENABLED=true always uses GitHub PAT auth. Each user
authenticates with their personal token, and OPERATOR_AUTH_REPO (required)
determines their role (operator for write/admin, writer for read/triage).

Config:
- Remove OPERATOR_UI_TOKEN env var and Config.OperatorUIToken field
- Remove OPERATOR_AUTH_MODE env var and Config.OperatorAuthMode field
- validateOperatorAuth now requires OPERATOR_AUTH_REPO in owner/repo format
  when the UI is enabled — startup fails with a clear error otherwise

Backend (operator_ui.go):
- Remove operatorAuthOK() and crypto/subtle import (no shared secret to compare)
- wrapAPI: always validate bearer token as GitHub PAT, attach user to context
- wrapOperatorOnly: always enforce operator role
- handleOperatorStatus: return auth_repo instead of auth_mode
- handleMe: user always present in context; 500 if somehow missing
- handleRepoPermission: always checks real permissions via ghCache
- Replay handler: unconditionally enforces source-repo permission check
- ghCache always initialized (no longer gated on mode)

Frontend (index.html):
- Token input label always "GitHub Personal Access Token" with auth repo shown
- Remove conditional label/placeholder logic based on auth_mode
- Status check reads auth_repo and displays it in the token input label

Startup:
- app.go root page shows "authenticate with a GitHub PAT; role from <repo>"
- operator_ui.go startup log includes auth_repo
---
 app.go                           |   2 +-
 configs/environment.go           |  37 +++++---
 services/operator_auth.go        |   8 +-
 services/operator_ui.go          | 149 ++++++++++---------------------
 services/web/operator/index.html |  27 ++++--
 5 files changed, 101 insertions(+), 122 deletions(-)

diff --git a/app.go b/app.go
index df300b1..a7eed2c 100644
--- a/app.go
+++ b/app.go
@@ -188,7 +188,7 @@ func startWebServer(config *configs.Config, container *services.ServiceContainer
 			_, _ = fmt.Fprintf(w, "Metrics: /metrics\n")
 		}
 		if config.OperatorUIEnabled {
-			_, _ = fmt.Fprintf(w, "Operator UI: /operator/ (set OPERATOR_UI_TOKEN for secured APIs)\n")
+			_, _ = fmt.Fprintf(w, "Operator UI: /operator/ (authenticate with a GitHub PAT; role from %s)\n", config.OperatorAuthRepo)
 		}
 	})
 
diff --git a/configs/environment.go b/configs/environment.go
index ec3a8a2..d272583 100644
--- a/configs/environment.go
+++ b/configs/environment.go
@@ -70,12 +70,13 @@ type Config struct {
 	WebhookMaxRetries        int // max retry attempts for failed webhook processing
 	WebhookRetryInitialDelay int // initial delay between retries in seconds (doubles each attempt)
 
-	// Operator web UI — off unless OPERATOR_UI_ENABLED=true (intended for local dev).
+	// Operator web UI — off unless OPERATOR_UI_ENABLED=true. Works with any HTTP
+	// origin (local dev, Cloud Run, etc.). Access is gated by GitHub PATs:
+	// each user authenticates with their personal token, and the role
+	// (operator or writer) is determined by their permission on OPERATOR_AUTH_REPO.
 	OperatorUIEnabled           bool
-	OperatorUIToken             string
-	OperatorAuthMode            string // "token" (default) or "github"
-	OperatorAuthRepo            string // repo to check permissions against when AuthMode=github (e.g. "org/repo")
-	OperatorRepoSlug            string // "owner/repo" for GitHub links and optional tag API
+	OperatorAuthRepo            string // "owner/repo" — user permissions here determine role (required when UI is enabled)
+	OperatorRepoSlug            string // "owner/repo" for GitHub links in audit/trace rows (optional)
 	OperatorReleaseGitHubToken  string // PAT with contents:write to create a version tag (optional)
 	OperatorReleaseTargetBranch string // branch SHA used when creating a tag (default main)
 }
@@ -127,9 +128,7 @@ const (
 	WebhookMaxRetries               = "WEBHOOK_MAX_RETRIES"
 	WebhookRetryInitialDelay        = "WEBHOOK_RETRY_INITIAL_DELAY" //nolint:gosec // env var name, not a credential
 	OperatorUIEnabled               = "OPERATOR_UI_ENABLED"
-	OperatorUIToken                 = "OPERATOR_UI_TOKEN"  // #nosec G101 -- env var name
-	OperatorAuthMode                = "OPERATOR_AUTH_MODE" // "token" or "github"
-	OperatorAuthRepo                = "OPERATOR_AUTH_REPO" // repo for permission check in github mode
+	OperatorAuthRepo                = "OPERATOR_AUTH_REPO" // repo for GitHub PAT permission check
 	OperatorRepoSlug                = "OPERATOR_REPO_SLUG"
 	OperatorReleaseGitHubToken      = "OPERATOR_RELEASE_GITHUB_TOKEN" // #nosec G101 -- env var name
 	OperatorReleaseTargetBranch     = "OPERATOR_RELEASE_TARGET_BRANCH"
@@ -252,8 +251,6 @@ func LoadEnvironment(envFile string) (*Config, error) {
 	config.WebhookRetryInitialDelay = getIntEnvWithDefault(WebhookRetryInitialDelay, config.WebhookRetryInitialDelay)
 
 	config.OperatorUIEnabled = getBoolEnvWithDefault(OperatorUIEnabled, false)
-	config.OperatorUIToken = os.Getenv(OperatorUIToken)
-	config.OperatorAuthMode = getEnvWithDefault(OperatorAuthMode, "token")
 	config.OperatorAuthRepo = os.Getenv(OperatorAuthRepo)
 	config.OperatorRepoSlug = os.Getenv(OperatorRepoSlug)
 	config.OperatorReleaseGitHubToken = os.Getenv(OperatorReleaseGitHubToken)
@@ -351,6 +348,26 @@ func validateConfig(config *Config) error {
 		return err
 	}
 
+	if err := validateOperatorAuth(config); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// validateOperatorAuth enforces that OPERATOR_AUTH_REPO is set when the UI is
+// enabled. Without it, any valid GitHub user could authenticate with full
+// operator access since there would be no per-repo permission gate.
+func validateOperatorAuth(config *Config) error {
+	if !config.OperatorUIEnabled {
+		return nil
+	}
+	if strings.TrimSpace(config.OperatorAuthRepo) == "" {
+		return fmt.Errorf("OPERATOR_UI_ENABLED=true requires OPERATOR_AUTH_REPO (owner/repo) to gate access — each user authenticates with their GitHub PAT and their permission on that repo determines their role")
+	}
+	if !strings.Contains(config.OperatorAuthRepo, "/") {
+		return fmt.Errorf("OPERATOR_AUTH_REPO must be in owner/repo format (got %q)", config.OperatorAuthRepo)
+	}
 	return nil
 }
 
diff --git a/services/operator_auth.go b/services/operator_auth.go
index 08bd1ca..947a369 100644
--- a/services/operator_auth.go
+++ b/services/operator_auth.go
@@ -162,13 +162,13 @@ func validateGitHubPAT(ctx context.Context, pat string, authRepo string) (*Opera
 		Role:      RoleWriter, // default to read-only
 	}
 
-	// 2. If no auth repo configured, grant operator access to any valid GitHub user
+	// authRepo is required in github mode (enforced at config load via
+	// validateOperatorAuth). This guard is defensive only.
 	if authRepo == "" {
-		user.Role = RoleOperator
-		return user, nil
+		return nil, fmt.Errorf("OPERATOR_AUTH_REPO is not configured")
 	}
 
-	// 3. Check the user's permission on the auth repo
+	// 2. Check the user's permission on the auth repo
 	perm, err := ghAPIGetRepoPermission(ctx, pat, authRepo, ghUser.Login)
 	if err != nil {
 		// If we can't check permissions (repo not found, no access), default to writer
diff --git a/services/operator_ui.go b/services/operator_ui.go
index 9841d1f..13b4de3 100644
--- a/services/operator_ui.go
+++ b/services/operator_ui.go
@@ -3,7 +3,6 @@ package services
 import (
 	"bytes"
 	"context"
-	"crypto/subtle"
 	_ "embed"
 	"encoding/json"
 	"fmt"
@@ -25,16 +24,16 @@ var operatorIndexHTML []byte
 var operatorVersionTagRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+$`)
 
 // RegisterOperatorRoutes mounts the operator HTML UI and JSON APIs under /operator/.
-// Call only when cfg.OperatorUIEnabled is true (local/dev). Secured APIs require
-// OPERATOR_UI_TOKEN on the server plus Authorization: Bearer from the client.
+// Call only when cfg.OperatorUIEnabled is true. Works with any HTTP origin (local
+// dev, Cloud Run, Kubernetes, etc.). Every secured API requires an Authorization:
+// Bearer <github-pat> header. The user's permission on cfg.OperatorAuthRepo
+// determines their role (operator or writer).
 func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *ServiceContainer, version string) {
 	o := &operatorUI{
 		cfg:       cfg,
 		container: container,
 		version:   version,
-	}
-	if cfg.OperatorAuthMode == "github" {
-		o.ghCache = newGHAuthCache(5 * time.Minute)
+		ghCache:   newGHAuthCache(5 * time.Minute),
 	}
 	// Register specific paths before the /operator/ subtree so /operator/api/* is not handled by serveIndex.
 	mux.HandleFunc("/operator/api/status", o.handleOperatorStatus)
@@ -53,20 +52,7 @@ func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *
 	mux.HandleFunc("/operator", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/operator/", http.StatusFound)
 	})
-	switch cfg.OperatorAuthMode {
-	case "github":
-		authRepo := cfg.OperatorAuthRepo
-		if authRepo == "" {
-			authRepo = "(any valid GitHub user)"
-		}
-		LogInfo("Operator UI: /operator/ with GitHub PAT authentication", "auth_repo", authRepo)
-	default:
-		if cfg.OperatorUIToken == "" {
-			LogInfo("Operator UI: /operator/ (set OPERATOR_UI_TOKEN or OPERATOR_AUTH_MODE=github to enable APIs)")
-		} else {
-			LogInfo("Operator UI: /operator/ with token authentication enabled")
-		}
-	}
+	LogInfo("Operator UI: /operator/ with GitHub PAT authentication", "auth_repo", cfg.OperatorAuthRepo)
 }
 
 type operatorUI struct {
@@ -74,7 +60,7 @@ type operatorUI struct {
 	container      *ServiceContainer
 	version        string
 	replayInFlight sync.Map     // key: "owner/repo#pr" → prevents concurrent replays
-	ghCache        *ghAuthCache // GitHub PAT validation cache (nil when auth mode is "token")
+	ghCache        *ghAuthCache // GitHub PAT validation + per-repo permission cache
 }
 
 // operatorUserCtxKey is the context key for the authenticated operator user.
@@ -86,56 +72,39 @@ func operatorUserFromCtx(r *http.Request) *OperatorUser {
 	return u
 }
 
+// wrapAPI validates the incoming request's GitHub PAT and attaches the user to the context.
 func (o *operatorUI) wrapAPI(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		token := bearerToken(r)
-
-		if o.cfg.OperatorAuthMode == "github" {
-			// GitHub PAT mode: validate the token as a GitHub PAT
-			if token == "" {
-				w.WriteHeader(http.StatusUnauthorized)
-				_ = json.NewEncoder(w).Encode(map[string]string{"error": "provide a GitHub Personal Access Token as Bearer token"})
-				return
-			}
-			user, err := o.authenticateGitHub(r.Context(), token)
-			if err != nil {
-				w.WriteHeader(http.StatusUnauthorized)
-				_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
-				return
-			}
-			// Attach the user to the request context for downstream handlers
-			ctx := context.WithValue(r.Context(), operatorUserCtxKey{}, user)
-			next(w, r.WithContext(ctx))
-			return
-		}
-
-		// Default: simple shared-token mode
-		if o.cfg.OperatorUIToken == "" {
-			w.WriteHeader(http.StatusServiceUnavailable)
-			_ = json.NewEncoder(w).Encode(map[string]string{
-				"error": "operator APIs disabled on server: set OPERATOR_UI_TOKEN (or OPERATOR_AUTH_MODE=github) and redeploy",
-			})
+		if token == "" {
+			w.WriteHeader(http.StatusUnauthorized)
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": "provide a GitHub Personal Access Token as Bearer token"})
 			return
 		}
-		if !operatorAuthOK(o.cfg.OperatorUIToken, token) {
+		user, err := o.authenticateGitHub(r.Context(), token)
+		if err != nil {
 			w.WriteHeader(http.StatusUnauthorized)
-			_ = json.NewEncoder(w).Encode(map[string]string{"error": "unauthorized"})
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
 			return
 		}
-		next(w, r)
+		ctx := context.WithValue(r.Context(), operatorUserCtxKey{}, user)
+		next(w, r.WithContext(ctx))
 	}
 }
 
 // wrapOperatorOnly wraps a handler that requires the "operator" role (replay, release).
-// In token mode, all authenticated users are operators. In github mode, checks the role.
 func (o *operatorUI) wrapOperatorOnly(next http.HandlerFunc) http.HandlerFunc {
 	return o.wrapAPI(func(w http.ResponseWriter, r *http.Request) {
 		user := operatorUserFromCtx(r)
-		if user != nil && user.Role != RoleOperator {
+		if user == nil || user.Role != RoleOperator {
+			role := "unknown"
+			if user != nil {
+				role = string(user.Role)
+			}
 			w.WriteHeader(http.StatusForbidden)
 			_ = json.NewEncoder(w).Encode(map[string]string{
-				"error": fmt.Sprintf("this action requires operator access (you have %s)", string(user.Role)),
+				"error": fmt.Sprintf("this action requires operator access (you have %s)", role),
 			})
 			return
 		}
@@ -167,10 +136,9 @@ func (o *operatorUI) handleOperatorStatus(w http.ResponseWriter, r *http.Request
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
-	apisEnabled := o.cfg.OperatorUIToken != "" || o.cfg.OperatorAuthMode == "github"
 	out := map[string]any{
-		"operator_apis_enabled": apisEnabled,
-		"auth_mode":             o.cfg.OperatorAuthMode,
+		"operator_apis_enabled": true,
+		"auth_repo":             o.cfg.OperatorAuthRepo,
 		"metrics_enabled":       o.cfg.MetricsEnabled,
 		"audit_enabled":         o.cfg.AuditEnabled,
 		"version":               o.version,
@@ -185,7 +153,7 @@ func (o *operatorUI) handleOperatorStatus(w http.ResponseWriter, r *http.Request
 	_ = json.NewEncoder(w).Encode(out)
 }
 
-// handleMe returns the authenticated user info (GitHub mode) or a generic response (token mode).
+// handleMe returns the authenticated user's GitHub login, avatar, and role.
 func (o *operatorUI) handleMe(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		w.WriteHeader(http.StatusMethodNotAllowed)
@@ -193,19 +161,16 @@ func (o *operatorUI) handleMe(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	user := operatorUserFromCtx(r)
-	if user != nil {
-		_ = json.NewEncoder(w).Encode(user)
+	if user == nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "no authenticated user in context"})
 		return
 	}
-	// Token mode — no user identity
-	_ = json.NewEncoder(w).Encode(map[string]any{
-		"login": "operator",
-		"role":  "operator",
-	})
+	_ = json.NewEncoder(w).Encode(user)
 }
 
 // handleRepoPermission reports whether the authenticated user has read access to a given repo.
-// Used by the frontend to pre-check replay eligibility. In token mode, always returns true.
+// Used by the frontend to pre-check replay eligibility per source repo.
 // Query params: repos=owner/repo1,owner/repo2 (comma-separated).
 func (o *operatorUI) handleRepoPermission(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
@@ -222,18 +187,6 @@ func (o *operatorUI) handleRepoPermission(w http.ResponseWriter, r *http.Request
 	repos := strings.Split(reposParam, ",")
 	result := make(map[string]bool, len(repos))
 
-	// Token mode: no per-repo restrictions — grant all
-	if o.cfg.OperatorAuthMode != "github" || o.ghCache == nil {
-		for _, repo := range repos {
-			repo = strings.TrimSpace(repo)
-			if repo != "" {
-				result[repo] = true
-			}
-		}
-		_ = json.NewEncoder(w).Encode(map[string]any{"permissions": result})
-		return
-	}
-
 	user := operatorUserFromCtx(r)
 	userPAT := bearerToken(r)
 	if user == nil || userPAT == "" {
@@ -264,15 +217,6 @@ func bearerToken(r *http.Request) string {
 	return ""
 }
 
-func operatorAuthOK(expected, got string) bool {
-	if expected == "" || got == "" {
-		return false
-	}
-	// subtle.ConstantTimeCompare returns 0 for different-length inputs without
-	// leaking the expected token length through timing.
-	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
-}
-
 func (o *operatorUI) serveIndex(w http.ResponseWriter, r *http.Request) {
 	if r.URL.Path != "/operator/" {
 		http.NotFound(w, r)
@@ -704,24 +648,27 @@ func (o *operatorUI) handleReplay(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Source-repo permission check (GitHub auth mode only): the user's PAT must
-	// have at least read access to the source repo being replayed.
-	if o.cfg.OperatorAuthMode == "github" && o.ghCache != nil {
+	// Source-repo permission check: the user's PAT must have at least read
+	// access to the source repo being replayed.
+	{
 		user := operatorUserFromCtx(r)
 		userPAT := bearerToken(r)
-		if user != nil && userPAT != "" {
-			permCtx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-			canRead, permErr := o.ghCache.CanUserReadRepo(permCtx, userPAT, user.Login, req.Repo)
-			cancel()
-			if !canRead {
-				w.WriteHeader(http.StatusForbidden)
-				msg := fmt.Sprintf("you do not have access to source repo %s", req.Repo)
-				if permErr != nil {
-					msg = fmt.Sprintf("%s: %s", msg, permErr.Error())
-				}
-				_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: msg})
-				return
+		if user == nil || userPAT == "" {
+			w.WriteHeader(http.StatusUnauthorized)
+			_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: "unauthenticated"})
+			return
+		}
+		permCtx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+		canRead, permErr := o.ghCache.CanUserReadRepo(permCtx, userPAT, user.Login, req.Repo)
+		cancel()
+		if !canRead {
+			w.WriteHeader(http.StatusForbidden)
+			msg := fmt.Sprintf("you do not have access to source repo %s", req.Repo)
+			if permErr != nil {
+				msg = fmt.Sprintf("%s: %s", msg, permErr.Error())
 			}
+			_ = json.NewEncoder(w).Encode(operatorReplayResponse{Error: msg})
+			return
 		}
 	}
 
diff --git a/services/web/operator/index.html b/services/web/operator/index.html
index b2c70d5..1e3516c 100644
--- a/services/web/operator/index.html
+++ b/services/web/operator/index.html
@@ -301,13 +301,13 @@
 
   <section>
     <div class="sb" style="padding-top:0.85rem">
-      <label for="token"><strong>Operator token</strong> (<code>OPERATOR_UI_TOKEN</code>)</label>
+      <label for="token"><strong>GitHub Personal Access Token</strong> (read access to <code id="authRepoLabel">the configured auth repo</code>)</label>
       <div class="row">
-        <div class="token-wrap"><input id="token" type="password" autocomplete="off" placeholder="Paste token" /><button type="button" class="token-eye" id="tokenEye" title="Show/hide token">&#x1F441;</button></div>
+        <div class="token-wrap"><input id="token" type="password" autocomplete="off" placeholder="ghp_... or github_pat_..." /><button type="button" class="token-eye" id="tokenEye" title="Show/hide token">&#x1F441;</button></div>
         <button type="button" id="saveToken">Save in session</button>
         <button type="button" class="secondary" id="clearToken">Clear</button>
       </div>
-      <p class="hint">Stored in <code>sessionStorage</code> (this tab only).</p>
+      <p class="hint">Stored in <code>sessionStorage</code> (this tab only). Your permission on the auth repo determines your role (operator or writer).</p>
     </div>
   </section>
 
@@ -797,9 +797,24 @@ <h3>Keyboard shortcuts</h3>
 function startHeartbeat(){if(!COP_ORIGIN)return;setInterval(function(){fetch(appURL('/operator/api/status')).then(function(r){if(!_connected){_connected=true;$('tbConn').hidden=true;toast('Reconnected to server','info');}}).catch(function(){if(_connected){_connected=false;$('tbConn').hidden=false;toast('Connection lost to server','error');}});},60000);}
 
 /* Server status */
-function checkServerStatus(){if(!COP_ORIGIN){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Open this page at http://127.0.0.1:<PORT>/operator/.';return;}fetch(appURL('/operator/api/status')).then(function(r){if(r.status===404){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Operator routes not enabled.';return null;}return r.json();}).then(function(d){if(!d)return;updateTBVersion(d.version);
-    if(d.auth_mode==='github'){$('token').placeholder='GitHub Personal Access Token';$('token').parentNode.parentNode.querySelector('label').innerHTML='<strong>GitHub token</strong> (PAT with repo read access)';}
-    if(!d.operator_apis_enabled){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='No authentication configured: set OPERATOR_UI_TOKEN or OPERATOR_AUTH_MODE=github.';}}).catch(function(){});}
+function checkServerStatus(){
+  if(!COP_ORIGIN){
+    $('serverStatusBanner').hidden=false;
+    $('serverStatusBanner').textContent='Open this page at http://127.0.0.1:<PORT>/operator/.';
+    return;
+  }
+  fetch(appURL('/operator/api/status')).then(function(r){
+    if(r.status===404){$('serverStatusBanner').hidden=false;$('serverStatusBanner').textContent='Operator routes not enabled (OPERATOR_UI_ENABLED=false).';return null;}
+    return r.json();
+  }).then(function(d){
+    if(!d)return;
+    updateTBVersion(d.version);
+    if(d.auth_repo){
+      var lbl=$('authRepoLabel');
+      if(lbl){lbl.textContent=d.auth_repo;}
+    }
+  }).catch(function(){});
+}
 
 /* ── Metrics with groups, deltas, sparklines, health accents ── */
 var _prevMetrics={}, _metricHistory={};

From b9ad455a603d0721af93abbd89e4e301b8f4d46e Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 11:07:37 -0400
Subject: [PATCH 05/20] feat(operator): AI rule suggester with full UI-based
 Ollama management
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an LLM-powered rule suggester in the Workflows tab. Given a source
file path and a desired target file path, the LLM proposes a copier
workflow rule and the server verifies the rule actually produces the
target before returning it to the user.

All Ollama management (connect/disconnect, list installed models,
pull/delete, switch active model, change base URL) happens from the UI.
No LLM_ENABLED env var or restart required — availability is detected
at runtime via an Ollama ping.

Backend:
- services/llm_client.go: pluggable LLMClient interface with an Ollama
  implementation. Mutex-protected mutable state (active model, base URL)
  so operators can switch models at runtime. Streams pull progress as
  NDJSON, exposes ListModels/Ping/DeleteModel/PullModel.
- services/operator_suggest_rule.go: POST /operator/api/suggest-rule
  prompts the LLM with a bounded schema (move/copy/glob/regex) and
  verifies the generated rule against the user's source/target using the
  existing PatternMatcher + PathTransformer. Returns YAML + explanation
  + verification status + computed_path so writers see exactly what the
  rule would produce.
- services/operator_llm_admin.go: four admin endpoints
    GET  /operator/api/llm/status    reachability, models, active model
    POST /operator/api/llm/settings  set active model / base URL at runtime
    POST /operator/api/llm/pull      stream NDJSON progress from Ollama
    DELETE /operator/api/llm/model   remove a model
  Write operations require operator role.
- operator_ui.go: always instantiate the LLM client (no env gate), expose
  llm_available via /operator/api/status.
- configs/environment.go: LLM_BASE_URL and LLM_MODEL are now optional
  initial defaults; LLM_ENABLED is removed entirely.

Frontend (index.html):
- AI settings panel in the Workflows tab (operator-only): connection
  status chip, installed-models list with delete buttons, active-model
  selector, pull-model input with live streaming progress bar, editable
  base URL. Shows install instructions with a link to ollama.com/download
  when Ollama isn't reachable.
- AI rule suggester panel: source + target inputs (plus optional target
  repo), generate button with long-running spinner, result card with
  verification badge (green or red), computed path on failure, YAML
  code block with copy-to-clipboard, and the LLM's explanation.
- Pre-fills the AI suggester's source from the file match tester if set.
---
 configs/environment.go            |  14 ++
 services/llm_client.go            | 296 ++++++++++++++++++++++++++
 services/operator_llm_admin.go    | 184 ++++++++++++++++
 services/operator_suggest_rule.go | 324 +++++++++++++++++++++++++++++
 services/operator_ui.go           |  15 ++
 services/web/operator/index.html  | 335 +++++++++++++++++++++++++++++-
 6 files changed, 1166 insertions(+), 2 deletions(-)
 create mode 100644 services/llm_client.go
 create mode 100644 services/operator_llm_admin.go
 create mode 100644 services/operator_suggest_rule.go

diff --git a/configs/environment.go b/configs/environment.go
index d272583..8d6ad05 100644
--- a/configs/environment.go
+++ b/configs/environment.go
@@ -79,6 +79,13 @@ type Config struct {
 	OperatorRepoSlug            string // "owner/repo" for GitHub links in audit/trace rows (optional)
 	OperatorReleaseGitHubToken  string // PAT with contents:write to create a version tag (optional)
 	OperatorReleaseTargetBranch string // branch SHA used when creating a tag (default main)
+
+	// AI rule suggestion (optional) — LLM-powered rule generation in the operator UI.
+	// The feature is available whenever the LLM provider is reachable at runtime;
+	// operators can change the active model and base URL from the UI without restart.
+	LLMProvider string // "ollama" (default). Pluggable for future providers.
+	LLMBaseURL  string // initial default; overridable from the UI
+	LLMModel    string // initial default; overridable from the UI
 }
 
 const (
@@ -132,6 +139,9 @@ const (
 	OperatorRepoSlug                = "OPERATOR_REPO_SLUG"
 	OperatorReleaseGitHubToken      = "OPERATOR_RELEASE_GITHUB_TOKEN" // #nosec G101 -- env var name
 	OperatorReleaseTargetBranch     = "OPERATOR_RELEASE_TARGET_BRANCH"
+	LLMProvider                     = "LLM_PROVIDER"
+	LLMBaseURL                      = "LLM_BASE_URL"
+	LLMModel                        = "LLM_MODEL"
 )
 
 // NewConfig returns a new Config instance with default values
@@ -256,6 +266,10 @@ func LoadEnvironment(envFile string) (*Config, error) {
 	config.OperatorReleaseGitHubToken = os.Getenv(OperatorReleaseGitHubToken)
 	config.OperatorReleaseTargetBranch = getEnvWithDefault(OperatorReleaseTargetBranch, "main")
 
+	config.LLMProvider = getEnvWithDefault(LLMProvider, "ollama")
+	config.LLMBaseURL = getEnvWithDefault(LLMBaseURL, "http://localhost:11434")
+	config.LLMModel = getEnvWithDefault(LLMModel, "qwen2.5-coder:7b")
+
 	if err := validateConfig(config); err != nil {
 		return nil, err
 	}
diff --git a/services/llm_client.go b/services/llm_client.go
new file mode 100644
index 0000000..e5502ae
--- /dev/null
+++ b/services/llm_client.go
@@ -0,0 +1,296 @@
+package services
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+)
+
+// LLMClient is the minimal interface used by the operator UI. It supports
+// runtime reconfiguration (active model, base URL) and provider management
+// operations (list/pull/delete models).
+type LLMClient interface {
+	// GenerateJSON sends a prompt to the LLM and returns the raw response body.
+	GenerateJSON(ctx context.Context, systemPrompt, userPrompt string) (string, error)
+
+	// ProviderName returns a short identifier for logging.
+	ProviderName() string
+
+	// Ping checks whether the LLM service is reachable.
+	Ping(ctx context.Context) error
+
+	// GetBaseURL returns the current base URL.
+	GetBaseURL() string
+	// SetBaseURL updates the base URL at runtime.
+	SetBaseURL(url string)
+
+	// GetActiveModel returns the model that will be used for generations.
+	GetActiveModel() string
+	// SetActiveModel updates the active model at runtime.
+	SetActiveModel(model string)
+
+	// ListModels returns the models installed/available on the LLM server.
+	ListModels(ctx context.Context) ([]LLMModel, error)
+
+	// PullModel asks the server to download a model. Progress updates are
+	// written to progress as they arrive. The function blocks until the pull
+	// completes or the context is cancelled.
+	PullModel(ctx context.Context, name string, progress func(LLMPullProgress)) error
+
+	// DeleteModel removes a model from the server.
+	DeleteModel(ctx context.Context, name string) error
+}
+
+// LLMModel describes an installed model returned by the provider.
+type LLMModel struct {
+	Name       string `json:"name"`
+	Size       int64  `json:"size,omitempty"`
+	ModifiedAt string `json:"modified_at,omitempty"`
+}
+
+// LLMPullProgress is a single progress event emitted during PullModel.
+type LLMPullProgress struct {
+	Status    string `json:"status"`
+	Completed int64  `json:"completed,omitempty"`
+	Total     int64  `json:"total,omitempty"`
+	Digest    string `json:"digest,omitempty"`
+	Error     string `json:"error,omitempty"`
+}
+
+// NewLLMClient returns a client for the configured provider.
+func NewLLMClient(provider, baseURL, model string) (LLMClient, error) {
+	switch strings.ToLower(strings.TrimSpace(provider)) {
+	case "", "ollama":
+		if baseURL == "" {
+			baseURL = "http://localhost:11434"
+		}
+		if model == "" {
+			model = "qwen2.5-coder:7b"
+		}
+		return &ollamaClient{
+			baseURL:  strings.TrimSuffix(baseURL, "/"),
+			model:    model,
+			http:     &http.Client{Timeout: 60 * time.Second},
+			pullHTTP: &http.Client{
+				// No timeout for pulls — model downloads can take 10+ minutes
+			},
+		}, nil
+	default:
+		return nil, fmt.Errorf("unsupported LLM provider: %q (only \"ollama\" is implemented)", provider)
+	}
+}
+
+// ── Ollama ──
+
+type ollamaClient struct {
+	mu       sync.RWMutex
+	baseURL  string
+	model    string
+	http     *http.Client // short-timeout client for most calls
+	pullHTTP *http.Client // no-timeout client for streaming pull requests
+}
+
+func (c *ollamaClient) ProviderName() string { return "ollama" }
+
+func (c *ollamaClient) GetBaseURL() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.baseURL
+}
+
+func (c *ollamaClient) SetBaseURL(url string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.baseURL = strings.TrimSuffix(strings.TrimSpace(url), "/")
+}
+
+func (c *ollamaClient) GetActiveModel() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.model
+}
+
+func (c *ollamaClient) SetActiveModel(model string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.model = strings.TrimSpace(model)
+}
+
+// Ping calls GET /api/tags as a reachability check (cheap, no model load).
+func (c *ollamaClient) Ping(ctx context.Context) error {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.GetBaseURL()+"/api/tags", nil)
+	if err != nil {
+		return err
+	}
+	resp, err := c.http.Do(req)
+	if err != nil {
+		return fmt.Errorf("ollama unreachable at %s: %w", c.GetBaseURL(), err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<15))
+		return fmt.Errorf("ollama returned %s: %s", resp.Status, strings.TrimSpace(string(body)))
+	}
+	return nil
+}
+
+// ollamaTagsResponse is GET /api/tags.
+type ollamaTagsResponse struct {
+	Models []struct {
+		Name       string `json:"name"`
+		Size       int64  `json:"size"`
+		ModifiedAt string `json:"modified_at"`
+	} `json:"models"`
+}
+
+func (c *ollamaClient) ListModels(ctx context.Context) ([]LLMModel, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.GetBaseURL()+"/api/tags", nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := c.http.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("list models: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("ollama returned %s: %s", resp.Status, strings.TrimSpace(string(body)))
+	}
+	var tags ollamaTagsResponse
+	if err := json.Unmarshal(body, &tags); err != nil {
+		return nil, fmt.Errorf("parse models: %w", err)
+	}
+	out := make([]LLMModel, 0, len(tags.Models))
+	for _, m := range tags.Models {
+		out = append(out, LLMModel{Name: m.Name, Size: m.Size, ModifiedAt: m.ModifiedAt})
+	}
+	return out, nil
+}
+
+// PullModel starts a model pull and streams NDJSON progress events.
+func (c *ollamaClient) PullModel(ctx context.Context, name string, progress func(LLMPullProgress)) error {
+	body, _ := json.Marshal(map[string]any{"name": name, "stream": true})
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.GetBaseURL()+"/api/pull", bytes.NewReader(body))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := c.pullHTTP.Do(req)
+	if err != nil {
+		return fmt.Errorf("start pull: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode != http.StatusOK {
+		respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<15))
+		return fmt.Errorf("ollama returned %s: %s", resp.Status, strings.TrimSpace(string(respBody)))
+	}
+
+	// Ollama emits newline-delimited JSON progress events. Stream them through.
+	scanner := bufio.NewScanner(resp.Body)
+	scanner.Buffer(make([]byte, 64*1024), 1024*1024)
+	for scanner.Scan() {
+		line := scanner.Bytes()
+		if len(line) == 0 {
+			continue
+		}
+		var ev LLMPullProgress
+		if err := json.Unmarshal(line, &ev); err != nil {
+			// Skip unparseable lines rather than aborting
+			continue
+		}
+		if progress != nil {
+			progress(ev)
+		}
+		if ev.Error != "" {
+			return fmt.Errorf("pull error: %s", ev.Error)
+		}
+	}
+	return scanner.Err()
+}
+
+// DeleteModel removes a locally installed model.
+func (c *ollamaClient) DeleteModel(ctx context.Context, name string) error {
+	body, _ := json.Marshal(map[string]string{"name": name})
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, c.GetBaseURL()+"/api/delete", bytes.NewReader(body))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := c.http.Do(req)
+	if err != nil {
+		return fmt.Errorf("delete model: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode != http.StatusOK {
+		respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<15))
+		return fmt.Errorf("ollama returned %s: %s", resp.Status, strings.TrimSpace(string(respBody)))
+	}
+	return nil
+}
+
+// ollamaGenerateRequest is the body of POST /api/generate.
+type ollamaGenerateRequest struct {
+	Model  string `json:"model"`
+	Prompt string `json:"prompt"`
+	System string `json:"system,omitempty"`
+	Stream bool   `json:"stream"`
+	Format string `json:"format,omitempty"` // "json" constrains output to valid JSON
+}
+
+type ollamaGenerateResponse struct {
+	Model     string `json:"model"`
+	Response  string `json:"response"`
+	Done      bool   `json:"done"`
+	DoneError string `json:"error,omitempty"`
+}
+
+func (c *ollamaClient) GenerateJSON(ctx context.Context, systemPrompt, userPrompt string) (string, error) {
+	body, err := json.Marshal(ollamaGenerateRequest{
+		Model:  c.GetActiveModel(),
+		System: systemPrompt,
+		Prompt: userPrompt,
+		Stream: false,
+		Format: "json",
+	})
+	if err != nil {
+		return "", fmt.Errorf("marshal ollama request: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.GetBaseURL()+"/api/generate", bytes.NewReader(body))
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.http.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("call ollama at %s: %w (is ollama running?)", c.GetBaseURL(), err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("ollama returned %s: %s", resp.Status, strings.TrimSpace(string(respBody)))
+	}
+
+	var out ollamaGenerateResponse
+	if err := json.Unmarshal(respBody, &out); err != nil {
+		return "", fmt.Errorf("parse ollama response: %w", err)
+	}
+	if out.DoneError != "" {
+		return "", fmt.Errorf("ollama error: %s", out.DoneError)
+	}
+	if out.Response == "" {
+		return "", fmt.Errorf("ollama returned empty response (check that model %q is pulled)", c.GetActiveModel())
+	}
+	return out.Response, nil
+}
diff --git a/services/operator_llm_admin.go b/services/operator_llm_admin.go
new file mode 100644
index 0000000..1521d9c
--- /dev/null
+++ b/services/operator_llm_admin.go
@@ -0,0 +1,184 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// handleLLMStatus returns the current LLM settings, reachability, and installed models.
+func (o *operatorUI) handleLLMStatus(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	out := map[string]any{
+		"available":    o.llm != nil,
+		"provider":     o.cfg.LLMProvider,
+		"base_url":     "",
+		"active_model": "",
+		"reachable":    false,
+		"models":       []LLMModel{},
+	}
+	if o.llm == nil {
+		out["error"] = "LLM client not initialized"
+		_ = json.NewEncoder(w).Encode(out)
+		return
+	}
+	out["base_url"] = o.llm.GetBaseURL()
+	out["active_model"] = o.llm.GetActiveModel()
+
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+	if err := o.llm.Ping(ctx); err != nil {
+		out["error"] = err.Error()
+		_ = json.NewEncoder(w).Encode(out)
+		return
+	}
+	out["reachable"] = true
+
+	models, err := o.llm.ListModels(ctx)
+	if err != nil {
+		out["error"] = "list models: " + err.Error()
+		_ = json.NewEncoder(w).Encode(out)
+		return
+	}
+	out["models"] = models
+	_ = json.NewEncoder(w).Encode(out)
+}
+
+// handleLLMSettings updates the active model and/or base URL at runtime.
+// In-memory only — reverts to env-var defaults on process restart.
+type llmSettingsRequest struct {
+	ActiveModel string `json:"active_model,omitempty"`
+	BaseURL     string `json:"base_url,omitempty"`
+}
+
+func (o *operatorUI) handleLLMSettings(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	if o.llm == nil {
+		w.WriteHeader(http.StatusServiceUnavailable)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "LLM client not initialized"})
+		return
+	}
+	body, _ := io.ReadAll(io.LimitReader(r.Body, 4096))
+	var req llmSettingsRequest
+	if err := json.Unmarshal(body, &req); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid json"})
+		return
+	}
+	if m := strings.TrimSpace(req.ActiveModel); m != "" {
+		o.llm.SetActiveModel(m)
+	}
+	if u := strings.TrimSpace(req.BaseURL); u != "" {
+		o.llm.SetBaseURL(u)
+	}
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"active_model": o.llm.GetActiveModel(),
+		"base_url":     o.llm.GetBaseURL(),
+	})
+}
+
+// handleLLMDeleteModel deletes a model from the LLM server.
+func (o *operatorUI) handleLLMDeleteModel(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodDelete {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	if o.llm == nil {
+		w.WriteHeader(http.StatusServiceUnavailable)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "LLM client not initialized"})
+		return
+	}
+	name := strings.TrimSpace(r.URL.Query().Get("name"))
+	if name == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "name query param required"})
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
+	defer cancel()
+	if err := o.llm.DeleteModel(ctx, name); err != nil {
+		w.WriteHeader(http.StatusBadGateway)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+		return
+	}
+	_ = json.NewEncoder(w).Encode(map[string]any{"ok": true, "deleted": name})
+}
+
+// handleLLMPullModel streams pull progress to the client as NDJSON.
+// Each line is a JSON object with {status, completed, total, error}.
+func (o *operatorUI) handleLLMPullModel(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
+		return
+	}
+	if o.llm == nil {
+		w.WriteHeader(http.StatusServiceUnavailable)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "LLM client not initialized"})
+		return
+	}
+	body, _ := io.ReadAll(io.LimitReader(r.Body, 4096))
+	var req struct {
+		Name string `json:"name"`
+	}
+	if err := json.Unmarshal(body, &req); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid json"})
+		return
+	}
+	req.Name = strings.TrimSpace(req.Name)
+	if req.Name == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": "name is required"})
+		return
+	}
+
+	// Switch to NDJSON streaming
+	w.Header().Set("Content-Type", "application/x-ndjson")
+	w.Header().Set("Cache-Control", "no-cache")
+	w.Header().Set("X-Accel-Buffering", "no") // disable nginx buffering when behind a proxy
+	flusher, canFlush := w.(http.Flusher)
+	encoder := json.NewEncoder(w)
+
+	// Pulls can take a long time; don't use r.Context() if the client could disconnect
+	// prematurely. Use a 20-minute timeout as a safety net.
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Minute)
+	defer cancel()
+	// Still honor client cancellation
+	go func() {
+		<-r.Context().Done()
+		cancel()
+	}()
+
+	err := o.llm.PullModel(ctx, req.Name, func(ev LLMPullProgress) {
+		_ = encoder.Encode(ev)
+		if canFlush {
+			flusher.Flush()
+		}
+	})
+	if err != nil {
+		_ = encoder.Encode(LLMPullProgress{Error: fmt.Sprintf("pull failed: %s", err.Error())})
+		if canFlush {
+			flusher.Flush()
+		}
+		return
+	}
+	// Final event so the client knows the stream ended successfully
+	_ = encoder.Encode(LLMPullProgress{Status: "done"})
+	if canFlush {
+		flusher.Flush()
+	}
+}
diff --git a/services/operator_suggest_rule.go b/services/operator_suggest_rule.go
new file mode 100644
index 0000000..e6db858
--- /dev/null
+++ b/services/operator_suggest_rule.go
@@ -0,0 +1,324 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/grove-platform/github-copier/types"
+)
+
+// operatorSuggestRuleRequest is what the operator UI sends when asking the LLM
+// to generate a copier rule from a source→target example.
+type operatorSuggestRuleRequest struct {
+	SourcePath string `json:"source_path"`
+	TargetPath string `json:"target_path"`
+	TargetRepo string `json:"target_repo,omitempty"` // optional
+	SourceRepo string `json:"source_repo,omitempty"` // optional, for context
+}
+
+// operatorSuggestRuleResponse is what the handler returns: the generated rule,
+// an explanation, and a verification check against the user's example.
+type operatorSuggestRuleResponse struct {
+	RuleYAML     string `json:"rule_yaml"`
+	Explanation  string `json:"explanation,omitempty"`
+	Verified     bool   `json:"verified"`                // true if the rule produces target_path from source_path
+	ComputedPath string `json:"computed_path,omitempty"` // actual target path the rule would produce
+	VerifyError  string `json:"verify_error,omitempty"`  // reason verification failed (if any)
+	Warning      string `json:"warning,omitempty"`       // any non-fatal concern
+	Error        string `json:"error,omitempty"`
+}
+
+// llmSuggestedRule is the structured JSON we ask the LLM to return.
+type llmSuggestedRule struct {
+	Name           string            `json:"name"`
+	DestRepo       string            `json:"destination_repo"`
+	DestBranch     string            `json:"destination_branch,omitempty"`
+	TransformType  string            `json:"transform_type"` // "move" | "copy" | "glob" | "regex"
+	TransformFrom  string            `json:"transform_from,omitempty"`
+	TransformTo    string            `json:"transform_to,omitempty"`
+	Pattern        string            `json:"pattern,omitempty"`
+	TransformTempl string            `json:"transform_template,omitempty"`
+	CommitStrategy string            `json:"commit_strategy,omitempty"` // "direct" or "pull_request"
+	Explanation    string            `json:"explanation,omitempty"`
+	Extra          map[string]string `json:"-"`
+}
+
+// handleSuggestRule accepts a source/target pair and asks the configured LLM to
+// generate a copier workflow rule that would produce that transformation.
+// The generated rule is self-verified against the example before returning.
+func (o *operatorUI) handleSuggestRule(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_ = json.NewEncoder(w).Encode(operatorSuggestRuleResponse{Error: "method not allowed"})
+		return
+	}
+	if o.llm == nil {
+		w.WriteHeader(http.StatusServiceUnavailable)
+		_ = json.NewEncoder(w).Encode(operatorSuggestRuleResponse{
+			Error: "LLM client not initialized on server (check startup logs)",
+		})
+		return
+	}
+
+	body, err := io.ReadAll(io.LimitReader(r.Body, 4096))
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorSuggestRuleResponse{Error: "read body"})
+		return
+	}
+	var req operatorSuggestRuleRequest
+	if err := json.Unmarshal(body, &req); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorSuggestRuleResponse{Error: "invalid json"})
+		return
+	}
+	req.SourcePath = strings.TrimSpace(req.SourcePath)
+	req.TargetPath = strings.TrimSpace(req.TargetPath)
+	req.TargetRepo = strings.TrimSpace(req.TargetRepo)
+	req.SourceRepo = strings.TrimSpace(req.SourceRepo)
+	if req.SourcePath == "" || req.TargetPath == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(operatorSuggestRuleResponse{Error: "source_path and target_path are required"})
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 90*time.Second)
+	defer cancel()
+
+	suggestion, err := o.askLLMForRule(ctx, req)
+	if err != nil {
+		w.WriteHeader(http.StatusBadGateway)
+		_ = json.NewEncoder(w).Encode(operatorSuggestRuleResponse{Error: err.Error()})
+		return
+	}
+
+	ruleYAML := renderRuleYAML(suggestion, req)
+	verified, computed, vErr := verifySuggestedRule(suggestion, req.SourcePath, req.TargetPath)
+
+	resp := operatorSuggestRuleResponse{
+		RuleYAML:     ruleYAML,
+		Explanation:  suggestion.Explanation,
+		Verified:     verified,
+		ComputedPath: computed,
+	}
+	if vErr != nil {
+		resp.VerifyError = vErr.Error()
+	}
+	if !verified {
+		resp.Warning = "Generated rule did not produce the expected target path from your example. Review and adjust before saving."
+	}
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// askLLMForRule sends a structured prompt to the LLM and parses the JSON response.
+func (o *operatorUI) askLLMForRule(ctx context.Context, req operatorSuggestRuleRequest) (*llmSuggestedRule, error) {
+	systemPrompt := `You are an expert in GitHub Copier workflow configuration. You generate concise, correct YAML rules that match a single source→target file transformation example.
+
+The copier supports 4 transform types (pick the simplest that works):
+- move: { from: "prefix/path", to: "new/prefix" } — renames a directory prefix. Matches any file under "from" and replaces the prefix with "to".
+- copy: { from: "exact/file.md", to: "new/file.md" } — renames one exact file. Use only when source is a single specific file.
+- glob: { pattern: "dir/**/*.ext", transform: "new/${relative_path}" } — matches files by glob pattern. Use "${relative_path}" to preserve subdirectory structure.
+- regex: { pattern: "dir/(?P<name>.+)\\.ext", transform: "new/${name}.ext" } — uses Go regex with named capture groups. Use ONLY when move/copy/glob are insufficient.
+
+Prefer move > copy > glob > regex (simpler is better).
+
+You return JSON with these fields:
+- transform_type: "move" | "copy" | "glob" | "regex"
+- transform_from, transform_to: for move/copy
+- pattern, transform_template: for glob/regex
+- name: a kebab-case rule name (e.g., "agg-python-models")
+- destination_repo: the target repository (use the one the user provided, or infer from context)
+- destination_branch: optional, defaults to "main"
+- commit_strategy: "direct" or "pull_request" (default "pull_request")
+- explanation: 1-2 sentence plain-English justification
+
+IMPORTANT: The generated rule MUST produce the user's target file when applied to their source file. Test your logic mentally before responding.`
+
+	userPrompt := fmt.Sprintf(`Generate a copier rule for this transformation:
+
+Source file: %s
+Target file: %s
+Target repo: %s
+
+Return ONLY a JSON object with the fields documented above. No prose outside the JSON.`,
+		req.SourcePath, req.TargetPath, defaultIfEmpty(req.TargetRepo, "(user did not specify — use a placeholder like \"org/target-repo\")"))
+
+	raw, err := o.llm.GenerateJSON(ctx, systemPrompt, userPrompt)
+	if err != nil {
+		return nil, fmt.Errorf("LLM error: %w", err)
+	}
+
+	var suggestion llmSuggestedRule
+	if err := json.Unmarshal([]byte(raw), &suggestion); err != nil {
+		return nil, fmt.Errorf("LLM returned invalid JSON: %w (response: %s)", err, truncate(raw, 200))
+	}
+	suggestion.TransformType = strings.ToLower(strings.TrimSpace(suggestion.TransformType))
+	if suggestion.DestRepo == "" && req.TargetRepo != "" {
+		suggestion.DestRepo = req.TargetRepo
+	}
+	if suggestion.DestBranch == "" {
+		suggestion.DestBranch = "main"
+	}
+	if suggestion.CommitStrategy == "" {
+		suggestion.CommitStrategy = "pull_request"
+	}
+	if suggestion.Name == "" {
+		suggestion.Name = "generated-rule"
+	}
+	return &suggestion, nil
+}
+
+// verifySuggestedRule tests whether the suggested rule, applied to sourcePath,
+// produces targetPath. Returns (matched, computedPath, error).
+func verifySuggestedRule(s *llmSuggestedRule, sourcePath, targetPath string) (bool, string, error) {
+	transformer := NewPathTransformer()
+
+	switch s.TransformType {
+	case "move":
+		if s.TransformFrom == "" || s.TransformTo == "" {
+			return false, "", fmt.Errorf("move rule missing from/to")
+		}
+		from := strings.TrimSuffix(s.TransformFrom, "/")
+		if !strings.HasPrefix(sourcePath, from) {
+			return false, "", fmt.Errorf("source path does not start with %q", from)
+		}
+		rel := strings.TrimPrefix(strings.TrimPrefix(sourcePath, from), "/")
+		computed := strings.TrimSuffix(s.TransformTo, "/") + "/" + rel
+		computed = strings.TrimSuffix(computed, "/")
+		return computed == targetPath, computed, nil
+
+	case "copy":
+		if s.TransformFrom == "" || s.TransformTo == "" {
+			return false, "", fmt.Errorf("copy rule missing from/to")
+		}
+		if sourcePath != s.TransformFrom {
+			return false, "", fmt.Errorf("source path %q does not equal copy from %q", sourcePath, s.TransformFrom)
+		}
+		return s.TransformTo == targetPath, s.TransformTo, nil
+
+	case "glob":
+		if s.Pattern == "" || s.TransformTempl == "" {
+			return false, "", fmt.Errorf("glob rule missing pattern/transform")
+		}
+		matcher := NewPatternMatcher()
+		result := matcher.Match(sourcePath, types.SourcePattern{Type: types.PatternTypeGlob, Pattern: s.Pattern})
+		if !result.Matched {
+			return false, "", fmt.Errorf("glob pattern %q does not match %q", s.Pattern, sourcePath)
+		}
+		// Add relative_path (server-side glob transform convention): strip prefix before first wildcard
+		vars := result.Variables
+		if vars == nil {
+			vars = make(map[string]string)
+		}
+		vars["relative_path"] = computeGlobRelativePath(sourcePath, s.Pattern)
+		computed, err := transformer.Transform(sourcePath, s.TransformTempl, vars)
+		if err != nil {
+			return false, "", fmt.Errorf("apply transform: %w", err)
+		}
+		return computed == targetPath, computed, nil
+
+	case "regex":
+		if s.Pattern == "" || s.TransformTempl == "" {
+			return false, "", fmt.Errorf("regex rule missing pattern/transform")
+		}
+		re, err := regexp.Compile(s.Pattern)
+		if err != nil {
+			return false, "", fmt.Errorf("invalid regex: %w", err)
+		}
+		match := re.FindStringSubmatch(sourcePath)
+		if match == nil {
+			return false, "", fmt.Errorf("regex %q does not match %q", s.Pattern, sourcePath)
+		}
+		vars := map[string]string{"matched_pattern": s.Pattern}
+		for i, name := range re.SubexpNames() {
+			if i > 0 && name != "" {
+				vars[name] = match[i]
+			}
+		}
+		computed, err := transformer.Transform(sourcePath, s.TransformTempl, vars)
+		if err != nil {
+			return false, "", fmt.Errorf("apply transform: %w", err)
+		}
+		return computed == targetPath, computed, nil
+
+	default:
+		return false, "", fmt.Errorf("unknown transform type: %q", s.TransformType)
+	}
+}
+
+// computeGlobRelativePath mirrors the server-side convention: strip the
+// longest literal prefix (before the first wildcard) from the source path.
+func computeGlobRelativePath(sourcePath, pattern string) string {
+	// Find the first wildcard character in the pattern
+	idx := strings.IndexAny(pattern, "*?[")
+	if idx < 0 {
+		return ""
+	}
+	prefix := pattern[:idx]
+	// Trim to the last '/' before the wildcard to get a clean directory prefix
+	if slash := strings.LastIndex(prefix, "/"); slash >= 0 {
+		prefix = prefix[:slash+1]
+	}
+	return strings.TrimPrefix(sourcePath, prefix)
+}
+
+// renderRuleYAML produces a YAML snippet for the operator UI to display.
+func renderRuleYAML(s *llmSuggestedRule, req operatorSuggestRuleRequest) string {
+	var sb strings.Builder
+	sb.WriteString("- name: \"")
+	sb.WriteString(s.Name)
+	sb.WriteString("\"\n")
+	if req.SourceRepo != "" {
+		sb.WriteString("  source:\n")
+		sb.WriteString("    repo: \"")
+		sb.WriteString(req.SourceRepo)
+		sb.WriteString("\"\n")
+	}
+	sb.WriteString("  destination:\n")
+	sb.WriteString("    repo: \"")
+	sb.WriteString(s.DestRepo)
+	sb.WriteString("\"\n")
+	sb.WriteString("    branch: \"")
+	sb.WriteString(s.DestBranch)
+	sb.WriteString("\"\n")
+	sb.WriteString("  transformations:\n")
+	switch s.TransformType {
+	case "move":
+		fmt.Fprintf(&sb, "    - move: { from: %q, to: %q }\n", s.TransformFrom, s.TransformTo)
+	case "copy":
+		fmt.Fprintf(&sb, "    - copy: { from: %q, to: %q }\n", s.TransformFrom, s.TransformTo)
+	case "glob":
+		sb.WriteString("    - glob:\n")
+		fmt.Fprintf(&sb, "        pattern: %q\n", s.Pattern)
+		fmt.Fprintf(&sb, "        transform: %q\n", s.TransformTempl)
+	case "regex":
+		sb.WriteString("    - regex:\n")
+		fmt.Fprintf(&sb, "        pattern: %q\n", s.Pattern)
+		fmt.Fprintf(&sb, "        transform: %q\n", s.TransformTempl)
+	}
+	sb.WriteString("  commit_strategy:\n")
+	sb.WriteString("    type: \"")
+	sb.WriteString(s.CommitStrategy)
+	sb.WriteString("\"\n")
+	return sb.String()
+}
+
+func defaultIfEmpty(s, def string) string {
+	if s == "" {
+		return def
+	}
+	return s
+}
+
+func truncate(s string, n int) string {
+	if len(s) <= n {
+		return s
+	}
+	return s[:n] + "…"
+}
diff --git a/services/operator_ui.go b/services/operator_ui.go
index 13b4de3..2b9b97d 100644
--- a/services/operator_ui.go
+++ b/services/operator_ui.go
@@ -35,6 +35,14 @@ func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *
 		version:   version,
 		ghCache:   newGHAuthCache(5 * time.Minute),
 	}
+	// Always create the LLM client; availability is checked dynamically via Ping.
+	// Operators can change the active model and base URL from the UI without restart.
+	if client, err := NewLLMClient(cfg.LLMProvider, cfg.LLMBaseURL, cfg.LLMModel); err != nil {
+		LogWarning("LLM client init failed", "error", err.Error())
+	} else {
+		o.llm = client
+		LogInfo("LLM rule suggester ready", "provider", client.ProviderName(), "base_url", cfg.LLMBaseURL, "model", cfg.LLMModel, "note", "availability checked at request time")
+	}
 	// Register specific paths before the /operator/ subtree so /operator/api/* is not handled by serveIndex.
 	mux.HandleFunc("/operator/api/status", o.handleOperatorStatus)
 	mux.HandleFunc("/operator/api/audit/events", o.wrapAPI(o.handleAuditEvents))
@@ -48,6 +56,11 @@ func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *
 	mux.HandleFunc("/operator/api/logs", o.wrapAPI(o.handleDeliveryLogs))
 	mux.HandleFunc("/operator/api/me", o.wrapAPI(o.handleMe))
 	mux.HandleFunc("/operator/api/repo-permission", o.wrapAPI(o.handleRepoPermission))
+	mux.HandleFunc("/operator/api/suggest-rule", o.wrapAPI(o.handleSuggestRule))
+	mux.HandleFunc("/operator/api/llm/status", o.wrapAPI(o.handleLLMStatus))
+	mux.HandleFunc("/operator/api/llm/settings", o.wrapOperatorOnly(o.handleLLMSettings))
+	mux.HandleFunc("/operator/api/llm/model", o.wrapOperatorOnly(o.handleLLMDeleteModel))
+	mux.HandleFunc("/operator/api/llm/pull", o.wrapOperatorOnly(o.handleLLMPullModel))
 	mux.HandleFunc("/operator/", o.serveIndex)
 	mux.HandleFunc("/operator", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/operator/", http.StatusFound)
@@ -61,6 +74,7 @@ type operatorUI struct {
 	version        string
 	replayInFlight sync.Map     // key: "owner/repo#pr" → prevents concurrent replays
 	ghCache        *ghAuthCache // GitHub PAT validation + per-repo permission cache
+	llm            LLMClient    // optional: enabled when cfg.LLMEnabled is true
 }
 
 // operatorUserCtxKey is the context key for the authenticated operator user.
@@ -139,6 +153,7 @@ func (o *operatorUI) handleOperatorStatus(w http.ResponseWriter, r *http.Request
 	out := map[string]any{
 		"operator_apis_enabled": true,
 		"auth_repo":             o.cfg.OperatorAuthRepo,
+		"llm_available":         o.llm != nil, // client exists; reachability checked via /operator/api/llm/status
 		"metrics_enabled":       o.cfg.MetricsEnabled,
 		"audit_enabled":         o.cfg.AuditEnabled,
 		"version":               o.version,
diff --git a/services/web/operator/index.html b/services/web/operator/index.html
index 1e3516c..28bf425 100644
--- a/services/web/operator/index.html
+++ b/services/web/operator/index.html
@@ -219,6 +219,34 @@
     .pr-search{display:flex;gap:0.5rem;align-items:flex-end;margin-bottom:0.65rem;padding:0.55rem 0.75rem;background:var(--surface-alt);border:1px solid var(--border);border-radius:8px;}
     .pr-search input{flex:1;max-width:14rem;}
 
+    /* AI settings panel */
+    .ai-status-line{display:flex;align-items:center;gap:0.5rem;padding:0.5rem 0.7rem;border-radius:6px;background:var(--surface-alt);border:1px solid var(--border);margin-bottom:0.6rem;}
+    .ai-status-line.ai-ok{background:var(--green-light);border-color:var(--green);}
+    .ai-status-line.ai-fail{background:var(--red-light);border-color:var(--red);}
+    .ai-status-line .dot{flex-shrink:0;}
+    .ai-model-list{display:flex;flex-direction:column;gap:0.35rem;margin-top:0.5rem;}
+    .ai-model-row{display:flex;align-items:center;gap:0.5rem;padding:0.4rem 0.6rem;background:var(--surface-alt);border:1px solid var(--border);border-radius:6px;font-size:0.85rem;}
+    .ai-model-row.active{border-color:var(--blue);background:var(--blue-light);}
+    .ai-model-name{flex:1;font-family:ui-monospace,monospace;font-size:0.8rem;word-break:break-all;}
+    .ai-model-size{font-size:0.72rem;color:var(--text-3);white-space:nowrap;}
+    .ai-progress{margin-top:0.5rem;padding:0.5rem 0.7rem;border-radius:6px;background:var(--surface-alt);border:1px solid var(--border);font-size:0.82rem;}
+    .ai-progress-bar{height:8px;background:var(--border);border-radius:4px;overflow:hidden;margin-top:0.3rem;}
+    .ai-progress-fill{height:100%;background:var(--blue);transition:width 0.2s;}
+    .ai-progress-status{display:flex;justify-content:space-between;font-size:0.75rem;color:var(--text-3);margin-top:0.25rem;}
+    .ai-install-steps{font-size:0.82rem;color:var(--text-2);line-height:1.6;margin-top:0.4rem;}
+    .ai-install-steps ol{margin:0.3rem 0;padding-left:1.4rem;}
+    .ai-install-steps code{background:var(--surface);border:1px solid var(--border);border-radius:3px;padding:0.08rem 0.3rem;font-size:0.78rem;}
+
+    /* AI rule suggester */
+    .ai-badge{display:inline-block;font-size:0.65rem;font-weight:700;padding:0.1rem 0.4rem;border-radius:3px;background:linear-gradient(135deg,#8b5cf6,#6366f1);color:#fff;letter-spacing:.05em;margin-left:0.4rem;vertical-align:middle;}
+    .ai-result{margin-top:0.65rem;padding:0.75rem;border:1px solid var(--border);border-radius:8px;background:var(--surface-alt);}
+    .ai-verify{display:inline-flex;align-items:center;gap:4px;padding:0.15rem 0.5rem;border-radius:9999px;font-size:0.75rem;font-weight:600;margin-bottom:0.5rem;}
+    .ai-verify-ok{background:var(--green-light);color:var(--green);border:1px solid var(--green);}
+    .ai-verify-fail{background:var(--red-light);color:var(--red);border:1px solid var(--red);}
+    .ai-yaml{background:var(--pre-bg);border:1px solid var(--border-light);border-radius:6px;padding:0.6rem;font-family:ui-monospace,monospace;font-size:0.78rem;color:var(--text);white-space:pre;overflow:auto;max-height:260px;margin:0.3rem 0;}
+    .ai-explain{font-size:0.84rem;color:var(--text-2);margin-top:0.4rem;line-height:1.5;}
+    .ai-disabled{padding:0.75rem;color:var(--text-3);font-size:0.85rem;background:var(--surface-alt);border:1px dashed var(--border);border-radius:6px;}
+
     /* File match tester */
     .fmt-result{margin-top:0.5rem;padding:0.5rem 0.7rem;border-radius:8px;font-size:0.84rem;}
     .fmt-match{background:var(--green-light);border:1px solid var(--green);color:var(--green);}
@@ -484,6 +512,85 @@ <h3 class="small" style="margin:0.65rem 0 0.3rem">By rule</h3>
       </div>
     </section>
 
+    <!-- AI settings (operator-only admin panel) -->
+    <section data-section="ai-settings" class="operator-only">
+      <div class="sh" onclick="toggleSection('ai-settings')">
+        <div class="sh-left"><span class="chev"></span><h2>AI settings<span class="ai-badge">AI</span></h2></div>
+        <span class="refreshed" id="aiSettingsRefreshed"></span>
+      </div>
+      <div class="sb">
+        <p class="hint" style="margin-top:0">Configure the local LLM provider (Ollama) for the AI rule suggester. Settings are in-memory and reset on server restart.</p>
+        <div class="row">
+          <button type="button" id="aiRefreshStatus">Refresh status</button>
+        </div>
+        <div id="aiStatusLine"></div>
+        <div id="aiConnectedUI" hidden>
+          <div class="row">
+            <div style="flex:1;min-width:200px;max-width:24rem"><label for="aiActiveModelSel">Active model</label><select id="aiActiveModelSel" style="width:100%"></select></div>
+            <button type="button" id="aiSetActive">Set active</button>
+          </div>
+          <h3 class="small" style="margin:0.75rem 0 0.3rem">Installed models</h3>
+          <div id="aiModelList" class="ai-model-list"></div>
+          <h3 class="small" style="margin:0.75rem 0 0.3rem">Pull a new model</h3>
+          <div class="row">
+            <div style="flex:1;min-width:200px;max-width:20rem"><input id="aiPullName" type="text" placeholder="qwen2.5-coder:7b" style="width:100%" /></div>
+            <button type="button" id="aiPullStart">Pull</button>
+          </div>
+          <div id="aiPullProgress" hidden></div>
+          <h3 class="small" style="margin:0.75rem 0 0.3rem">Base URL</h3>
+          <div class="row">
+            <div style="flex:1;min-width:200px;max-width:24rem"><input id="aiBaseURL" type="text" placeholder="http://localhost:11434" class="mono" style="width:100%" /></div>
+            <button type="button" id="aiSaveBaseURL">Save</button>
+          </div>
+        </div>
+        <div id="aiNotConnectedUI" hidden>
+          <div class="ai-install-steps">
+            <strong>To enable the AI rule suggester:</strong>
+            <ol>
+              <li>Install Ollama from <a href="https://ollama.com/download" target="_blank" rel="noopener">ollama.com/download</a></li>
+              <li>Start it (on macOS the Ollama app runs automatically after install)</li>
+              <li>Click <strong>Refresh status</strong> above</li>
+              <li>Then pull a model from the section that will appear below</li>
+            </ol>
+            Base URL used for detection: <code id="aiNotConnectedURL">http://localhost:11434</code>. If Ollama is running on a different host/port, update the base URL below.
+          </div>
+          <h3 class="small" style="margin:0.75rem 0 0.3rem">Base URL</h3>
+          <div class="row">
+            <div style="flex:1;min-width:200px;max-width:24rem"><input id="aiBaseURLDisc" type="text" placeholder="http://localhost:11434" class="mono" style="width:100%" /></div>
+            <button type="button" id="aiSaveBaseURLDisc">Save &amp; retry</button>
+          </div>
+        </div>
+        <p id="aiSettingsErr" class="err" hidden></p>
+      </div>
+    </section>
+
+    <!-- AI rule suggester -->
+    <section data-section="ai-suggester">
+      <div class="sh" onclick="toggleSection('ai-suggester')">
+        <div class="sh-left"><span class="chev"></span><h2>AI rule suggester<span class="ai-badge">AI</span></h2></div>
+      </div>
+      <div class="sb">
+        <div id="aiDisabledNote" class="ai-disabled" hidden>
+          The AI rule suggester is disabled on this server. Ask an operator to set <code>LLM_ENABLED=true</code> and configure an Ollama instance (<code>LLM_BASE_URL</code>, <code>LLM_MODEL</code>).
+        </div>
+        <div id="aiEnabledUI" hidden>
+          <p class="hint" style="margin-top:0">Describe a source→target transformation and have the LLM propose a workflow rule. The generated rule is verified against your example before display.</p>
+          <div class="row">
+            <div style="flex:1;min-width:220px;max-width:24rem"><label for="aiSource">Source file path</label><input id="aiSource" type="text" placeholder="agg/python/models/user.py" style="width:100%" /></div>
+            <div style="flex:1;min-width:220px;max-width:24rem"><label for="aiTarget">Desired target path</label><input id="aiTarget" type="text" placeholder="shared/python/models/user.py" style="width:100%" /></div>
+          </div>
+          <div class="row">
+            <div style="flex:1;min-width:180px;max-width:18rem"><label for="aiTargetRepo">Target repo <span style="color:var(--text-3)">(optional)</span></label><input id="aiTargetRepo" type="text" placeholder="org/dest-repo" style="width:100%" /></div>
+            <div style="flex:1;min-width:180px;max-width:18rem"><label for="aiSourceRepo">Source repo <span style="color:var(--text-3)">(optional)</span></label><input id="aiSourceRepo" type="text" placeholder="org/source-repo" style="width:100%" /></div>
+            <button type="button" id="aiGenerate">Generate rule</button>
+            <button type="button" class="secondary" id="aiClear">Clear</button>
+          </div>
+          <p id="aiErr" class="err" hidden></p>
+          <div id="aiResult" style="margin-top:0.5rem"></div>
+        </div>
+      </div>
+    </section>
+
     <!-- Workflow browser -->
     <section data-section="wf-browser">
       <div class="sh" onclick="toggleSection('wf-browser')">
@@ -813,6 +920,7 @@ <h3>Keyboard shortcuts</h3>
       var lbl=$('authRepoLabel');
       if(lbl){lbl.textContent=d.auth_repo;}
     }
+    setLLMAvailable(!!d.llm_available);
   }).catch(function(){});
 }
 
@@ -1343,6 +1451,229 @@ <h3>Keyboard shortcuts</h3>
   document.querySelectorAll('.wf-card').forEach(function(c){c.classList.remove('wf-match','wf-nomatch');});
 };
 
+/* ── AI rule suggester ── */
+var _llmAvailable=false;
+function setLLMAvailable(enabled){
+  _llmAvailable=enabled;
+  $('aiEnabledUI').hidden=!enabled;
+  $('aiDisabledNote').hidden=enabled;
+}
+async function generateRuleSuggestion(){
+  showErr('aiErr','');
+  var src=$('aiSource').value.trim();
+  var tgt=$('aiTarget').value.trim();
+  if(!src||!tgt){showErr('aiErr','Both source and target paths are required');return;}
+  var btn=$('aiGenerate');
+  var orig=btn.textContent;
+  btn.disabled=true;btn.textContent='Generating\u2026 (can take 10-60s)';
+  try{
+    var res=await fetch(appURL('/operator/api/suggest-rule'),{
+      method:'POST',
+      headers:Object.assign({'Content-Type':'application/json'},authHeaders()),
+      body:JSON.stringify({
+        source_path:src,
+        target_path:tgt,
+        target_repo:$('aiTargetRepo').value.trim(),
+        source_repo:$('aiSourceRepo').value.trim()
+      })
+    });
+    var body=await res.json().catch(function(){return{};});
+    if(!res.ok){showErr('aiErr',body.error||res.statusText);$('aiResult').innerHTML='';return;}
+    renderAIResult(body);
+  }catch(e){showErr('aiErr','Request failed: '+e);}
+  finally{btn.disabled=false;btn.textContent=orig;}
+}
+function renderAIResult(body){
+  var html='';
+  var verify=body.verified
+    ?'<div class="ai-verify ai-verify-ok">\u2713 Verified — rule produces the expected target path</div>'
+    :'<div class="ai-verify ai-verify-fail">\u2717 Not verified — rule does not produce the expected target path</div>';
+  html+=verify;
+  if(!body.verified&&body.computed_path){
+    html+='<div class="hint" style="margin:0 0 0.5rem">Rule would produce: <code>'+escapeHtml(body.computed_path)+'</code></div>';
+  }
+  if(!body.verified&&body.verify_error){
+    html+='<div class="hint" style="margin:0 0 0.5rem;color:var(--red)">Reason: '+escapeHtml(body.verify_error)+'</div>';
+  }
+  if(body.warning){
+    html+='<div class="hint" style="margin:0 0 0.5rem;color:var(--amber)">\u26A0 '+escapeHtml(body.warning)+'</div>';
+  }
+  html+='<div style="display:flex;justify-content:space-between;align-items:center;margin-top:0.4rem">';
+  html+='<strong style="font-size:0.82rem">Generated rule</strong>';
+  html+='<button type="button" class="btn-sm" onclick="copyAIRule()">Copy YAML</button>';
+  html+='</div>';
+  html+='<pre class="ai-yaml" id="aiYAML">'+escapeHtml(body.rule_yaml||'')+'</pre>';
+  if(body.explanation){
+    html+='<div class="ai-explain"><strong>Why:</strong> '+escapeHtml(body.explanation)+'</div>';
+  }
+  $('aiResult').innerHTML='<div class="ai-result">'+html+'</div>';
+}
+function copyAIRule(){
+  var yaml=$('aiYAML').textContent;
+  navigator.clipboard.writeText(yaml).then(function(){toast('Rule YAML copied to clipboard','info');}).catch(function(){toast('Copy failed','error');});
+}
+$('aiGenerate').onclick=generateRuleSuggestion;
+$('aiClear').onclick=function(){
+  $('aiSource').value='';$('aiTarget').value='';$('aiTargetRepo').value='';$('aiSourceRepo').value='';
+  $('aiResult').innerHTML='';showErr('aiErr','');
+};
+// Pre-fill from the file match tester if the user has already typed a source path
+$('aiSource').addEventListener('focus',function(){
+  if(!this.value){var fmt=$('fmtPath').value.trim();if(fmt)this.value=fmt;}
+});
+
+/* ── AI settings panel ── */
+var _aiLastStatus=null;
+function fmtBytes(n){
+  if(!n||n<=0)return'';
+  var units=['B','KB','MB','GB','TB'];var i=0;var v=n;
+  while(v>=1024&&i<units.length-1){v/=1024;i++;}
+  return v.toFixed(i===0?0:1)+' '+units[i];
+}
+async function loadAISettingsStatus(){
+  showErr('aiSettingsErr','');
+  try{
+    var res=await fetch(appURL('/operator/api/llm/status'),{headers:authHeaders()});
+    var body=await res.json().catch(function(){return{};});
+    if(!res.ok){showErr('aiSettingsErr',body.error||res.statusText);return;}
+    _aiLastStatus=body;
+    renderAISettings(body);
+    setRefreshed('aiSettingsRefreshed');
+    // Keep the AI rule suggester's availability in sync
+    setLLMAvailable(!!body.reachable);
+  }catch(e){showErr('aiSettingsErr','Request failed: '+e);}
+}
+function renderAISettings(s){
+  var line=$('aiStatusLine');
+  if(!s.available){
+    line.className='ai-status-line ai-fail';
+    line.innerHTML='<span class="dot dot-red"></span> LLM client not initialized';
+    $('aiConnectedUI').hidden=true;$('aiNotConnectedUI').hidden=true;
+    return;
+  }
+  if(!s.reachable){
+    line.className='ai-status-line ai-fail';
+    line.innerHTML='<span class="dot dot-red"></span> Ollama unreachable at <code>'+escapeHtml(s.base_url||'')+'</code>'+(s.error?' — '+escapeHtml(s.error):'');
+    $('aiConnectedUI').hidden=true;$('aiNotConnectedUI').hidden=false;
+    $('aiNotConnectedURL').textContent=s.base_url||'';
+    if(!$('aiBaseURLDisc').value) $('aiBaseURLDisc').value=s.base_url||'';
+    return;
+  }
+  line.className='ai-status-line ai-ok';
+  line.innerHTML='<span class="dot dot-green"></span> Ollama connected at <code>'+escapeHtml(s.base_url||'')+'</code>';
+  $('aiConnectedUI').hidden=false;$('aiNotConnectedUI').hidden=true;
+
+  // Populate model dropdown and list
+  var sel=$('aiActiveModelSel');sel.innerHTML='';
+  var list=$('aiModelList');list.innerHTML='';
+  var models=s.models||[];
+  if(models.length===0){
+    list.innerHTML='<div class="empty-state" style="padding:1rem"><div class="es-icon">\u{1F4E6}</div>No models installed. Pull one below to get started.</div>';
+  }else{
+    models.forEach(function(m){
+      var opt=document.createElement('option');opt.value=m.name;opt.textContent=m.name;
+      if(m.name===s.active_model)opt.selected=true;
+      sel.appendChild(opt);
+      var row=document.createElement('div');
+      row.className='ai-model-row'+(m.name===s.active_model?' active':'');
+      var badge=m.name===s.active_model?' <span style="font-size:0.7rem;color:var(--blue);font-weight:600">\u2713 active</span>':'';
+      row.innerHTML='<span class="ai-model-name">'+escapeHtml(m.name)+badge+'</span>'
+        +'<span class="ai-model-size">'+escapeHtml(fmtBytes(m.size))+'</span>'
+        +'<button class="btn-sm" onclick="aiDeleteModel(\''+escapeHtml(m.name)+'\')">Delete</button>';
+      list.appendChild(row);
+    });
+  }
+  if(!$('aiBaseURL').value) $('aiBaseURL').value=s.base_url||'';
+}
+$('aiRefreshStatus').onclick=function(){withLoading('aiRefreshStatus',loadAISettingsStatus);};
+$('aiSetActive').onclick=async function(){
+  var m=$('aiActiveModelSel').value;
+  if(!m){toast('Pick a model first','info');return;}
+  await updateLLMSettings({active_model:m});
+};
+$('aiSaveBaseURL').onclick=async function(){
+  var u=$('aiBaseURL').value.trim();
+  if(!u){toast('Enter a base URL','info');return;}
+  await updateLLMSettings({base_url:u});
+};
+$('aiSaveBaseURLDisc').onclick=async function(){
+  var u=$('aiBaseURLDisc').value.trim();
+  if(!u){toast('Enter a base URL','info');return;}
+  await updateLLMSettings({base_url:u});
+};
+async function updateLLMSettings(settings){
+  try{
+    var res=await fetch(appURL('/operator/api/llm/settings'),{
+      method:'POST',
+      headers:Object.assign({'Content-Type':'application/json'},authHeaders()),
+      body:JSON.stringify(settings)
+    });
+    var body=await res.json().catch(function(){return{};});
+    if(!res.ok){toast('Update failed: '+(body.error||res.statusText),'error');return;}
+    toast('Settings updated','info');
+    loadAISettingsStatus();
+  }catch(e){toast('Request failed: '+e,'error');}
+}
+async function aiDeleteModel(name){
+  if(!confirm('Delete model "'+name+'"? This frees disk space on the Ollama server.'))return;
+  try{
+    var res=await fetch(appURL('/operator/api/llm/model?name='+encodeURIComponent(name)),{method:'DELETE',headers:authHeaders()});
+    var body=await res.json().catch(function(){return{};});
+    if(!res.ok){toast('Delete failed: '+(body.error||res.statusText),'error');return;}
+    toast('Deleted '+name,'info');
+    loadAISettingsStatus();
+  }catch(e){toast('Request failed: '+e,'error');}
+}
+// Pull with streaming NDJSON progress
+$('aiPullStart').onclick=async function(){
+  var name=$('aiPullName').value.trim();
+  if(!name){toast('Enter a model name (e.g. qwen2.5-coder:7b)','info');return;}
+  var btn=$('aiPullStart');
+  var orig=btn.textContent;
+  btn.disabled=true;btn.textContent='Pulling\u2026';
+  var prog=$('aiPullProgress');prog.hidden=false;
+  prog.innerHTML='<div class="ai-progress"><div><strong>Pulling '+escapeHtml(name)+'</strong></div><div class="ai-progress-bar"><div class="ai-progress-fill" style="width:0%"></div></div><div class="ai-progress-status"><span class="ai-status-text">starting\u2026</span><span class="ai-progress-pct">0%</span></div></div>';
+  try{
+    var res=await fetch(appURL('/operator/api/llm/pull'),{
+      method:'POST',
+      headers:Object.assign({'Content-Type':'application/json'},authHeaders()),
+      body:JSON.stringify({name:name})
+    });
+    if(!res.ok){
+      var errBody=await res.json().catch(function(){return{};});
+      prog.querySelector('.ai-status-text').textContent='failed: '+(errBody.error||res.statusText);
+      return;
+    }
+    var reader=res.body.getReader();
+    var decoder=new TextDecoder();
+    var buf='';
+    while(true){
+      var chunk=await reader.read();
+      if(chunk.done)break;
+      buf+=decoder.decode(chunk.value,{stream:true});
+      var lines=buf.split('\n');
+      buf=lines.pop();
+      lines.forEach(function(line){
+        line=line.trim();if(!line)return;
+        try{
+          var ev=JSON.parse(line);
+          var pct=0;
+          if(ev.total&&ev.completed)pct=Math.round(ev.completed/ev.total*100);
+          prog.querySelector('.ai-status-text').textContent=(ev.status||'')+(ev.error?' ('+ev.error+')':'');
+          if(pct>0){
+            prog.querySelector('.ai-progress-fill').style.width=pct+'%';
+            prog.querySelector('.ai-progress-pct').textContent=pct+'%'+(ev.total?' · '+fmtBytes(ev.completed)+' / '+fmtBytes(ev.total):'');
+          }
+        }catch(e){}
+      });
+    }
+    toast('Pull complete: '+name,'info');
+    $('aiPullName').value='';
+    loadAISettingsStatus();
+  }catch(e){toast('Pull failed: '+e,'error');}
+  finally{btn.disabled=false;btn.textContent=orig;}
+};
+
 /* ── Workflow browser ── */
 var _wfData=[];
 async function loadWorkflows(){
@@ -1527,7 +1858,7 @@ <h3>Keyboard shortcuts</h3>
 };
 
 /* ── Global refresh ── */
-function loadAllSecured(){if(!hasToken())return;loadAudit();loadWebhookTraces();loadDeliveries();loadOverview();loadWorkflows();$('loadDeploy').click();}
+function loadAllSecured(){if(!hasToken())return;loadAudit();loadWebhookTraces();loadDeliveries();loadOverview();loadWorkflows();loadAISettingsStatus();$('loadDeploy').click();}
 function refreshAll(){if(COP_ORIGIN){loadMetricsCards();loadAllProbes();}loadAllSecured();}
 $('refreshAll').onclick=refreshAll;
 
@@ -1571,7 +1902,7 @@ <h3>Keyboard shortcuts</h3>
 initDarkMode();initMode();syncTimeBtn();initSections();initTabs();initFromURL();checkServerStatus();startHeartbeat();
 if(COP_ORIGIN){
   loadAllProbes();loadMetricsCards();restoreAutoRefresh();
-  if(hasToken()){fetchMe();loadAudit();loadWebhookTraces();loadOverview();$('loadDeploy').click();}
+  if(hasToken()){fetchMe();loadAudit();loadWebhookTraces();loadOverview();loadAISettingsStatus();$('loadDeploy').click();}
 }
 </script>
 

From 35ae635346bb3955e0fcb7327aab62ed7995f483 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 11:10:19 -0400
Subject: [PATCH 06/20] security: fix gosec G107/G704 SSRF findings on PR
 branch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Gosec CI was failing on 3 SSRF findings via taint analysis:

operator_auth.go (2 findings): ghAPIGetRepoPermission constructs a GitHub
API URL using the repo owner/name and username. While the host is
hardcoded, gosec flags the user-derived path components.
- Add strict input validation: ghUsernameRe and ghRepoNameRe whitelists
  enforce GitHub's username and repo name rules before URL construction
  (using RE2-compatible syntax — no lookahead)
- Use url.PathEscape on path components as defense in depth
- Add #nosec G107 G704 with justification on the Request and Do calls

slack_notifier.go (1 finding): sendPayload had an existing nosec on the
Do call but gosec now also flags NewRequestWithContext on the line above.
- Extend the nosec annotation to cover the Request call

No behavioral change — only input validation tightening and nosec
coverage on calls where the URL is either hardcoded (GitHub API) or
comes from trusted server config (Slack webhook).
---
 services/operator_auth.go  | 32 +++++++++++++++++++++++++++++---
 services/slack_notifier.go |  4 ++--
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/services/operator_auth.go b/services/operator_auth.go
index 947a369..f624757 100644
--- a/services/operator_auth.go
+++ b/services/operator_auth.go
@@ -6,11 +6,23 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+	"regexp"
 	"strings"
 	"sync"
 	"time"
 )
 
+// ghUsernameRe matches valid GitHub usernames: alphanumeric + hyphens,
+// cannot start or end with a hyphen, max 39 chars. Used to reject hostile
+// input before it reaches URL construction for the GitHub API. (RE2 has no
+// lookahead, so this doesn't reject consecutive hyphens — that's a GitHub
+// policy issue, not a security one; such requests simply fail downstream.)
+var ghUsernameRe = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$`)
+
+// ghRepoNameRe matches valid GitHub repo names.
+var ghRepoNameRe = regexp.MustCompile(`^[a-zA-Z0-9_.-]{1,100}$`)
+
 // OperatorRole represents the permission level for the operator UI.
 type OperatorRole string
 
@@ -239,8 +251,22 @@ func ghAPIGetRepoPermission(ctx context.Context, pat string, repo string, userna
 	if len(parts) != 2 {
 		return "", fmt.Errorf("invalid repo format: %s (expected owner/repo)", repo)
 	}
-	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/collaborators/%s/permission", parts[0], parts[1], username)
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	// Validate path components against strict whitelists before URL construction.
+	// Host is hardcoded to api.github.com — not user-controlled.
+	if !ghUsernameRe.MatchString(parts[0]) {
+		return "", fmt.Errorf("invalid owner in repo %q", repo)
+	}
+	if !ghRepoNameRe.MatchString(parts[1]) {
+		return "", fmt.Errorf("invalid repo name in %q", repo)
+	}
+	if !ghUsernameRe.MatchString(username) {
+		return "", fmt.Errorf("invalid username %q", username)
+	}
+	apiURL := fmt.Sprintf(
+		"https://api.github.com/repos/%s/%s/collaborators/%s/permission",
+		url.PathEscape(parts[0]), url.PathEscape(parts[1]), url.PathEscape(username),
+	)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil) // #nosec G107 G704 -- host is hardcoded to api.github.com; path components validated above
 	if err != nil {
 		return "", err
 	}
@@ -248,7 +274,7 @@ func ghAPIGetRepoPermission(ctx context.Context, pat string, repo string, userna
 	req.Header.Set("Accept", "application/vnd.github+json")
 	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
 
-	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
+	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req) // #nosec G107 G704 -- host is hardcoded to api.github.com; path components validated above
 	if err != nil {
 		return "", err
 	}
diff --git a/services/slack_notifier.go b/services/slack_notifier.go
index 95a0bfb..b9ac25d 100644
--- a/services/slack_notifier.go
+++ b/services/slack_notifier.go
@@ -413,14 +413,14 @@ func (sn *DefaultSlackNotifier) sendMessageWithFallback(ctx context.Context, mes
 
 // sendPayload sends the raw JSON payload to Slack
 func (sn *DefaultSlackNotifier) sendPayload(ctx context.Context, payload []byte) error {
-	req, err := http.NewRequestWithContext(ctx, "POST", sn.webhookURL, bytes.NewBuffer(payload))
+	req, err := http.NewRequestWithContext(ctx, "POST", sn.webhookURL, bytes.NewBuffer(payload)) // #nosec G107 G704 -- URL is the Slack webhook URL from trusted server config, not user input
 	if err != nil {
 		return fmt.Errorf("failed to create slack request: %w", err)
 	}
 
 	req.Header.Set("Content-Type", "application/json")
 
-	resp, err := sn.httpClient.Do(req) // #nosec G704 -- URL is the Slack webhook URL from trusted config
+	resp, err := sn.httpClient.Do(req) // #nosec G107 G704 -- URL is the Slack webhook URL from trusted server config, not user input
 	if err != nil {
 		return fmt.Errorf("failed to send slack message: %w", err)
 	}

From 82b1c52979ceaf0130d77cd14af7aef5c649c81e Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 12:02:51 -0400
Subject: [PATCH 07/20] chore(startup): show operator UI and AI settings in
 banner

Surface OPERATOR_UI_ENABLED, auth repo, AI model, and AI base URL in the
startup banner so local dev runs make the active operator/AI configuration
visible at a glance. Adds a truncMiddle helper (ASCII ellipsis) to keep
long paths and URLs from breaking the banner's byte-count-aligned padding.
---
 app.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/app.go b/app.go
index a7eed2c..03b3b3e 100644
--- a/app.go
+++ b/app.go
@@ -136,15 +136,34 @@ func printBanner(config *configs.Config, container *services.ServiceContainer) {
 	fmt.Printf("║  Version:      %-48s║\n", version)
 	fmt.Printf("║  Port:         %-48s║\n", config.Port)
 	fmt.Printf("║  Webhook Path: %-48s║\n", config.WebserverPath)
-	fmt.Printf("║  Config File:  %-48s║\n", config.EffectiveConfigFile())
+	fmt.Printf("║  Config File:  %-48s║\n", truncMiddle(config.EffectiveConfigFile(), 48))
 	fmt.Printf("║  Dry Run:      %-48v║\n", config.DryRun)
 	fmt.Printf("║  Audit Log:    %-48v║\n", config.AuditEnabled)
 	fmt.Printf("║  Metrics:      %-48v║\n", config.MetricsEnabled)
 	fmt.Printf("║  Slack:        %-48v║\n", config.SlackEnabled)
+	fmt.Printf("║  Operator UI:  %-48v║\n", config.OperatorUIEnabled)
+	if config.OperatorUIEnabled {
+		fmt.Printf("║    Auth Repo:  %-48s║\n", truncMiddle(config.OperatorAuthRepo, 48))
+		fmt.Printf("║    AI Model:   %-48s║\n", truncMiddle(config.LLMModel, 48))
+		fmt.Printf("║    AI URL:     %-48s║\n", truncMiddle(config.LLMBaseURL, 48))
+	}
 	fmt.Println("╚════════════════════════════════════════════════════════════════╝")
 	fmt.Println()
 }
 
+// truncMiddle shortens s to max bytes, replacing the middle with "..." when
+// too long. Uses ASCII so Go's byte-count-based %-Ns padding stays aligned.
+func truncMiddle(s string, max int) string {
+	if len(s) <= max {
+		return s
+	}
+	if max < 6 {
+		return s[:max]
+	}
+	keep := (max - 3) / 2
+	return s[:keep] + "..." + s[len(s)-(max-3-keep):]
+}
+
 func validateConfiguration(container *services.ServiceContainer) error {
 	ctx := context.Background()
 	_, err := container.ConfigLoader.LoadConfig(ctx, container.Config)

From e4536da655dfa2174a54c3f2710d939102140d60 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 15:16:38 -0400
Subject: [PATCH 08/20] chore(deploy): wire operator UI, enable audit, populate
 changelog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prep the Cloud Run deploy for the operator UI + AI rule suggester work:

- CI deploy env vars (ci.yml):
  - OPERATOR_UI_ENABLED=true
  - OPERATOR_AUTH_REPO=grove-platform/github-copier (required when UI is on)
  - OPERATOR_REPO_SLUG=grove-platform/github-copier (for audit-row deep links)
  - AUDIT_ENABLED flipped false → true, aligning with the v0.3.0 "enabled by
    default" CHANGELOG entry; the operator UI's Audit tab is inert without it
    and MONGO_URI_SECRET_NAME is already wired.

- env-cloudrun.yaml: drop the stale OPERATOR_UI_TOKEN comment (token auth
  mode was removed earlier on this branch) and document the PAT/auth-repo
  model plus optional LLM_* overrides.

- CHANGELOG.md: populate [Unreleased] so release.sh has content to extract
  when the next tag is cut. Covers the operator UI, PAT auth, AI rule
  suggester, per-delivery logs, empty-commit fix, audit-decode fix, and the
  gosec SSRF hardening.

LLM_* deliberately left unset in the deploy — defaults point at localhost,
which is unreachable from Cloud Run; operators can configure a real endpoint
from the UI at runtime.
---
 .github/workflows/ci.yml |  2 +-
 CHANGELOG.md             | 27 ++++++++++++++++++++++++++-
 env-cloudrun.yaml        | 19 ++++++++++++++++---
 3 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 89165be..0a78c33 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -128,7 +128,7 @@ jobs:
             --region $REGION \
             --project $PROJECT_ID \
             --allow-unauthenticated \
-            --set-env-vars="^|^CONFIG_REPO_OWNER=grove-platform|CONFIG_REPO_NAME=github-copier|CONFIG_REPO_BRANCH=main|PEM_NAME=CODE_COPIER_PEM|WEBHOOK_SECRET_NAME=webhook-secret|MONGO_URI_SECRET_NAME=mongo-uri|WEBSERVER_PATH=/events|MAIN_CONFIG_FILE=.copier/main.yaml|USE_MAIN_CONFIG=true|DEPRECATION_FILE=deprecated_examples.json|COMMITTER_NAME=GitHub Copier App|COMMITTER_EMAIL=bot@mongodb.com|GOOGLE_CLOUD_PROJECT_ID=github-copy-code-examples|COPIER_LOG_NAME=code-copier-log|AUDIT_ENABLED=false|METRICS_ENABLED=true|GITHUB_APP_ID=${{ secrets.APP_ID }}|INSTALLATION_ID=${{ secrets.INSTALLATION_ID }}" \
+            --set-env-vars="^|^CONFIG_REPO_OWNER=grove-platform|CONFIG_REPO_NAME=github-copier|CONFIG_REPO_BRANCH=main|PEM_NAME=CODE_COPIER_PEM|WEBHOOK_SECRET_NAME=webhook-secret|MONGO_URI_SECRET_NAME=mongo-uri|WEBSERVER_PATH=/events|MAIN_CONFIG_FILE=.copier/main.yaml|USE_MAIN_CONFIG=true|DEPRECATION_FILE=deprecated_examples.json|COMMITTER_NAME=GitHub Copier App|COMMITTER_EMAIL=bot@mongodb.com|GOOGLE_CLOUD_PROJECT_ID=github-copy-code-examples|COPIER_LOG_NAME=code-copier-log|AUDIT_ENABLED=true|METRICS_ENABLED=true|OPERATOR_UI_ENABLED=true|OPERATOR_AUTH_REPO=grove-platform/github-copier|OPERATOR_REPO_SLUG=grove-platform/github-copier|GITHUB_APP_ID=${{ secrets.APP_ID }}|INSTALLATION_ID=${{ secrets.INSTALLATION_ID }}" \
             --set-build-env-vars="VERSION=${{ steps.version.outputs.tag }}" \
             --tag="${{ steps.version.outputs.traffic_tag }}" \
             --max-instances=10 \
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb44838..4830b4c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,32 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
-## [v0.3.0] - 2026-04-14
+### Added
+
+- **Operator UI — comprehensive writer + operator dashboard** at `/operator/` (`OPERATOR_UI_ENABLED=true`). Five tabs (Overview, Webhooks, Audit, Workflows, System), sticky status bar, dark mode, keyboard shortcuts, shareable URLs, and a writer/operator mode toggle persisted to localStorage.
+- **GitHub PAT authentication** — users sign in with their personal access token; role is derived from their permission on `OPERATOR_AUTH_REPO` (admin/maintain/write → operator, read/triage → writer). Replay and other write actions additionally enforce read access on the source repo for that specific delivery.
+- **AI rule suggester (Ollama)** — paste a source path and desired target state, receive a suggested workflow rule with self-verification via the in-process `PatternMatcher`. Fully UI-managed: connect to an Ollama endpoint, pull/delete models, switch the active model, all without a redeploy.
+- **Writer-facing features** — workflow browser with per-rule coverage, PR lookup by URL, recent copies feed, file match tester (with clear button and Python-style `(?P<name>)` regex translation for in-browser use), PR timeline, and in-app help overlay.
+- **Per-delivery log viewer** — context-tagged ring buffer captures logs per webhook delivery, surfaced in an audit drawer alongside the trace and outcome summary.
+- **Audit event enrichment** — `processed_ok` traces now include destination repo(s), files matched / uploaded / failed, and commit SHA.
+- **Startup banner** — Operator UI, auth repo, AI model, and AI base URL are now surfaced when the app boots (local and Cloud Run).
+
+### Changed
+
+- **MongoDB audit logging enabled in production** — the Cloud Run deploy previously forced `AUDIT_ENABLED=false`; it is now `true`, aligning with the v0.3.0 "enabled by default" change.
+- **Operator auth hardened** — token-based auth (`OPERATOR_UI_TOKEN`) removed entirely; GitHub PAT is the only supported mechanism. `OPERATOR_UI_ENABLED=true` now requires `OPERATOR_AUTH_REPO` at config load (validated in `validateOperatorAuth`).
+- **`createPullRequest` skipped for empty commits** — `commitFilesToBranch` now returns an `errTreeUnchanged` sentinel so `addFilesViaPR` no longer calls the GitHub PR API with an unchanged tree (previously 422'd).
+- **MongoDB driver v2 ObjectID decoding** — audit reads set `ObjectIDAsHexString: true` to avoid "error decoding key `_id`" on queries.
+
+### Fixed
+
+- **gosec G107 / G704 SSRF findings** — GitHub API URL construction in `services/operator_auth.go` now validates path components against strict RE2-compatible whitelists (`ghUsernameRe`, `ghRepoNameRe`) and escapes them with `url.PathEscape` before request construction; `slack_notifier.go` `#nosec` annotation extended to cover `NewRequestWithContext`.
+- **Keyboard-shortcut overlay wouldn't close** — `.help-bg[hidden]` now wins over the base `display:flex`.
+- **File match tester returned no matches for Java files** — JavaScript `RegExp` does not support Python-style `(?P<name>)` named groups; the tester now rewrites `(?P<` → `(?<` before compilation.
+
+### Security
+
+- **Token auth removed** — the operator UI no longer accepts a shared bearer token; all access is per-user via GitHub PAT with repo-scoped permission checks.
 
 ### Changed
 
diff --git a/env-cloudrun.yaml b/env-cloudrun.yaml
index b61726a..9f70d77 100644
--- a/env-cloudrun.yaml
+++ b/env-cloudrun.yaml
@@ -34,6 +34,19 @@ COPIER_LOG_NAME: "code-copier-log"
 AUDIT_ENABLED: "true"
 METRICS_ENABLED: "true"
 
-# Operator UI is disabled by default (OPERATOR_UI_ENABLED unset/false). Intended for
-# local runs only — do not set OPERATOR_UI_ENABLED in Cloud Run unless you explicitly
-# want this surface on the internet-facing service.
+# Operator dashboard at https://<service>/operator/
+# Access is gated by each user's GitHub PAT: they authenticate with their
+# personal token, and their permission on OPERATOR_AUTH_REPO determines role
+# (admin/maintain/write → operator, read/triage → writer).
+OPERATOR_UI_ENABLED: "true"
+OPERATOR_AUTH_REPO: "grove-platform/github-copier"
+OPERATOR_REPO_SLUG: "grove-platform/github-copier"
+#
+# Optional: OPERATOR_RELEASE_GITHUB_TOKEN, OPERATOR_RELEASE_TARGET_BRANCH
+#
+# AI rule suggester (optional) — if set, points the operator UI at an
+# Ollama-compatible endpoint. Operators can also configure base URL and
+# active model from the UI at runtime without a redeploy.
+# LLM_PROVIDER: "ollama"
+# LLM_BASE_URL: "http://ollama.internal:11434"
+# LLM_MODEL: "qwen2.5-coder:7b"

From f3818044b2205864344392f4ca147d7139c75537 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 15:20:54 -0400
Subject: [PATCH 09/20] docs: restore v0.3.0 heading in CHANGELOG

The previous commit's edit accidentally dropped the '## [v0.3.0] - 2026-04-14'
heading, leaving its Changed/Fixed/Security sections orphaned under
[Unreleased]. Re-add the heading so the release history stays intact.
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4830b4c..41c57b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 - **Token auth removed** — the operator UI no longer accepts a shared bearer token; all access is per-user via GitHub PAT with repo-scoped permission checks.
 
+## [v0.3.0] - 2026-04-14
+
 ### Changed
 
 - **Audit logging enabled** — MongoDB audit logging is now enabled by default.

From 0e863eedee60deeb95e4d7f33a5de19bbe249fc5 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 15:44:55 -0400
Subject: [PATCH 10/20] feat(operator): Anthropic LLM provider for AI rule
 suggester
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an Anthropic Messages API client alongside the existing Ollama client so
the AI rule suggester works on Cloud Run without standing up a model-serving
VM. Ollama stays as the local/dev option.

Backend
- New services/llm_anthropic.go implementing LLMClient against /v1/messages
  and /v1/models. Pins anthropic-version=2023-06-01 and sends a JSON-only
  guardrail in the system prompt (Anthropic has no native JSON mode); strips
  ``` code fences from responses as a defensive post-process.
- llm_client.go: add ErrModelManagementNotSupported sentinel; change
  NewLLMClient to take LLMClientOptions (provider, base URL, model, API key)
  and dispatch anthropic/ollama.
- operator_llm_admin.go: include provider + supports_model_mgmt in the /llm/status
  response so the UI can branch; map the sentinel to 400 on pull/delete.
- configs/environment.go: add AnthropicAPIKey and AnthropicAPIKeySecretName
  fields + env vars; per-provider LLM_BASE_URL / LLM_MODEL defaults (Anthropic
  defaults to api.anthropic.com + claude-haiku-4-5-20251001).
- github_auth.go: LoadAnthropicAPIKey follows the existing Secret Manager
  pattern used for the webhook secret and Mongo URI.
- app.go: call LoadAnthropicAPIKey on boot (non-fatal — UI shows
  "not configured" if missing); banner now prints AI Provider.

UI
- web/operator/index.html: renderAISettings branches on provider/
  supports_model_mgmt to hide Ollama-only pull/delete sections for hosted
  providers; separate onboarding text for each. Status line labels the
  provider ("Anthropic connected at…" vs "Ollama connected at…").

Deploy config
- ci.yml + env-cloudrun.yaml: select anthropic, default to
  claude-haiku-4-5-20251001, load the API key from Secret Manager via
  ANTHROPIC_API_KEY_SECRET_NAME=anthropic-api-key. Operators can still switch
  the active model from the UI at runtime.

Before deploy, a one-time step is needed on the prod project:
  gcloud secrets create anthropic-api-key --data-file=<key-file>
  gcloud secrets add-iam-policy-binding anthropic-api-key \
    --member=serviceAccount:<runtime-sa> --role=roles/secretmanager.secretAccessor
---
 .github/workflows/ci.yml         |   2 +-
 CHANGELOG.md                     |   4 +-
 app.go                           |  10 ++
 configs/environment.go           |  24 ++-
 env-cloudrun.yaml                |  15 +-
 services/github_auth.go          |  20 +++
 services/llm_anthropic.go        | 267 +++++++++++++++++++++++++++++++
 services/llm_client.go           |  29 +++-
 services/operator_llm_admin.go   |  17 +-
 services/operator_ui.go          |   7 +-
 services/web/operator/index.html |  87 ++++++----
 11 files changed, 439 insertions(+), 43 deletions(-)
 create mode 100644 services/llm_anthropic.go

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a78c33..842d3da 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -128,7 +128,7 @@ jobs:
             --region $REGION \
             --project $PROJECT_ID \
             --allow-unauthenticated \
-            --set-env-vars="^|^CONFIG_REPO_OWNER=grove-platform|CONFIG_REPO_NAME=github-copier|CONFIG_REPO_BRANCH=main|PEM_NAME=CODE_COPIER_PEM|WEBHOOK_SECRET_NAME=webhook-secret|MONGO_URI_SECRET_NAME=mongo-uri|WEBSERVER_PATH=/events|MAIN_CONFIG_FILE=.copier/main.yaml|USE_MAIN_CONFIG=true|DEPRECATION_FILE=deprecated_examples.json|COMMITTER_NAME=GitHub Copier App|COMMITTER_EMAIL=bot@mongodb.com|GOOGLE_CLOUD_PROJECT_ID=github-copy-code-examples|COPIER_LOG_NAME=code-copier-log|AUDIT_ENABLED=true|METRICS_ENABLED=true|OPERATOR_UI_ENABLED=true|OPERATOR_AUTH_REPO=grove-platform/github-copier|OPERATOR_REPO_SLUG=grove-platform/github-copier|GITHUB_APP_ID=${{ secrets.APP_ID }}|INSTALLATION_ID=${{ secrets.INSTALLATION_ID }}" \
+            --set-env-vars="^|^CONFIG_REPO_OWNER=grove-platform|CONFIG_REPO_NAME=github-copier|CONFIG_REPO_BRANCH=main|PEM_NAME=CODE_COPIER_PEM|WEBHOOK_SECRET_NAME=webhook-secret|MONGO_URI_SECRET_NAME=mongo-uri|WEBSERVER_PATH=/events|MAIN_CONFIG_FILE=.copier/main.yaml|USE_MAIN_CONFIG=true|DEPRECATION_FILE=deprecated_examples.json|COMMITTER_NAME=GitHub Copier App|COMMITTER_EMAIL=bot@mongodb.com|GOOGLE_CLOUD_PROJECT_ID=github-copy-code-examples|COPIER_LOG_NAME=code-copier-log|AUDIT_ENABLED=true|METRICS_ENABLED=true|OPERATOR_UI_ENABLED=true|OPERATOR_AUTH_REPO=grove-platform/github-copier|OPERATOR_REPO_SLUG=grove-platform/github-copier|LLM_PROVIDER=anthropic|LLM_MODEL=claude-haiku-4-5-20251001|ANTHROPIC_API_KEY_SECRET_NAME=anthropic-api-key|GITHUB_APP_ID=${{ secrets.APP_ID }}|INSTALLATION_ID=${{ secrets.INSTALLATION_ID }}" \
             --set-build-env-vars="VERSION=${{ steps.version.outputs.tag }}" \
             --tag="${{ steps.version.outputs.traffic_tag }}" \
             --max-instances=10 \
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41c57b3..bd9e165 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 - **Operator UI — comprehensive writer + operator dashboard** at `/operator/` (`OPERATOR_UI_ENABLED=true`). Five tabs (Overview, Webhooks, Audit, Workflows, System), sticky status bar, dark mode, keyboard shortcuts, shareable URLs, and a writer/operator mode toggle persisted to localStorage.
 - **GitHub PAT authentication** — users sign in with their personal access token; role is derived from their permission on `OPERATOR_AUTH_REPO` (admin/maintain/write → operator, read/triage → writer). Replay and other write actions additionally enforce read access on the source repo for that specific delivery.
-- **AI rule suggester (Ollama)** — paste a source path and desired target state, receive a suggested workflow rule with self-verification via the in-process `PatternMatcher`. Fully UI-managed: connect to an Ollama endpoint, pull/delete models, switch the active model, all without a redeploy.
+- **AI rule suggester** — paste a source path and desired target state, receive a suggested workflow rule with self-verification via the in-process `PatternMatcher`. Two providers supported:
+  - **Anthropic (hosted)** — default for Cloud Run. API key loaded from Secret Manager via `ANTHROPIC_API_KEY_SECRET_NAME`. No infra required; operators switch between Haiku / Sonnet / Opus from the UI.
+  - **Ollama (local)** — for dev or self-hosted deployments. UI manages connection, model pulls, deletes, and active-model switching without a redeploy.
 - **Writer-facing features** — workflow browser with per-rule coverage, PR lookup by URL, recent copies feed, file match tester (with clear button and Python-style `(?P<name>)` regex translation for in-browser use), PR timeline, and in-app help overlay.
 - **Per-delivery log viewer** — context-tagged ring buffer captures logs per webhook delivery, surfaced in an audit drawer alongside the trace and outcome summary.
 - **Audit event enrichment** — `processed_ok` traces now include destination repo(s), files matched / uploaded / failed, and commit SHA.
diff --git a/app.go b/app.go
index 03b3b3e..ac4d804 100644
--- a/app.go
+++ b/app.go
@@ -63,6 +63,15 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Anthropic API key is only needed when the operator UI's AI suggester uses
+	// the anthropic provider. Failure to load is non-fatal — the UI will show
+	// "not configured" and writers can still use every other feature.
+	if config.OperatorUIEnabled && config.LLMProvider == "anthropic" {
+		if err := services.LoadAnthropicAPIKey(ctx, config); err != nil {
+			fmt.Printf("⚠️  Anthropic API key not loaded: %v (AI suggester will be disabled)\n", err)
+		}
+	}
+
 	// Override dry-run from command line
 	if dryRun {
 		config.DryRun = true
@@ -144,6 +153,7 @@ func printBanner(config *configs.Config, container *services.ServiceContainer) {
 	fmt.Printf("║  Operator UI:  %-48v║\n", config.OperatorUIEnabled)
 	if config.OperatorUIEnabled {
 		fmt.Printf("║    Auth Repo:  %-48s║\n", truncMiddle(config.OperatorAuthRepo, 48))
+		fmt.Printf("║    AI Provider:%-48s║\n", truncMiddle(config.LLMProvider, 48))
 		fmt.Printf("║    AI Model:   %-48s║\n", truncMiddle(config.LLMModel, 48))
 		fmt.Printf("║    AI URL:     %-48s║\n", truncMiddle(config.LLMBaseURL, 48))
 	}
diff --git a/configs/environment.go b/configs/environment.go
index 8d6ad05..14c7329 100644
--- a/configs/environment.go
+++ b/configs/environment.go
@@ -83,9 +83,15 @@ type Config struct {
 	// AI rule suggestion (optional) — LLM-powered rule generation in the operator UI.
 	// The feature is available whenever the LLM provider is reachable at runtime;
 	// operators can change the active model and base URL from the UI without restart.
-	LLMProvider string // "ollama" (default). Pluggable for future providers.
+	LLMProvider string // "ollama" (local) or "anthropic" (hosted)
 	LLMBaseURL  string // initial default; overridable from the UI
 	LLMModel    string // initial default; overridable from the UI
+
+	// Anthropic API key — required when LLMProvider="anthropic". Loaded from
+	// Secret Manager via AnthropicAPIKeySecretName, or directly via
+	// ANTHROPIC_API_KEY for local dev.
+	AnthropicAPIKey           string
+	AnthropicAPIKeySecretName string
 }
 
 const (
@@ -142,6 +148,8 @@ const (
 	LLMProvider                     = "LLM_PROVIDER"
 	LLMBaseURL                      = "LLM_BASE_URL"
 	LLMModel                        = "LLM_MODEL"
+	AnthropicAPIKey                 = "ANTHROPIC_API_KEY"             // #nosec G101 -- env var name, not a credential
+	AnthropicAPIKeySecretName       = "ANTHROPIC_API_KEY_SECRET_NAME" // #nosec G101 -- env var name, not a credential
 )
 
 // NewConfig returns a new Config instance with default values
@@ -266,9 +274,17 @@ func LoadEnvironment(envFile string) (*Config, error) {
 	config.OperatorReleaseGitHubToken = os.Getenv(OperatorReleaseGitHubToken)
 	config.OperatorReleaseTargetBranch = getEnvWithDefault(OperatorReleaseTargetBranch, "main")
 
-	config.LLMProvider = getEnvWithDefault(LLMProvider, "ollama")
-	config.LLMBaseURL = getEnvWithDefault(LLMBaseURL, "http://localhost:11434")
-	config.LLMModel = getEnvWithDefault(LLMModel, "qwen2.5-coder:7b")
+	config.LLMProvider = strings.ToLower(getEnvWithDefault(LLMProvider, "ollama"))
+	// Per-provider defaults: Ollama runs locally, Anthropic is hosted.
+	if config.LLMProvider == "anthropic" {
+		config.LLMBaseURL = getEnvWithDefault(LLMBaseURL, "https://api.anthropic.com")
+		config.LLMModel = getEnvWithDefault(LLMModel, "claude-haiku-4-5-20251001")
+	} else {
+		config.LLMBaseURL = getEnvWithDefault(LLMBaseURL, "http://localhost:11434")
+		config.LLMModel = getEnvWithDefault(LLMModel, "qwen2.5-coder:7b")
+	}
+	config.AnthropicAPIKey = os.Getenv(AnthropicAPIKey)
+	config.AnthropicAPIKeySecretName = os.Getenv(AnthropicAPIKeySecretName)
 
 	if err := validateConfig(config); err != nil {
 		return nil, err
diff --git a/env-cloudrun.yaml b/env-cloudrun.yaml
index 9f70d77..8fa9e29 100644
--- a/env-cloudrun.yaml
+++ b/env-cloudrun.yaml
@@ -44,9 +44,18 @@ OPERATOR_REPO_SLUG: "grove-platform/github-copier"
 #
 # Optional: OPERATOR_RELEASE_GITHUB_TOKEN, OPERATOR_RELEASE_TARGET_BRANCH
 #
-# AI rule suggester (optional) — if set, points the operator UI at an
-# Ollama-compatible endpoint. Operators can also configure base URL and
-# active model from the UI at runtime without a redeploy.
+# AI rule suggester — uses the hosted Anthropic API so Cloud Run can call it
+# directly without standing up a model-serving VM. The API key is loaded from
+# Secret Manager via ANTHROPIC_API_KEY_SECRET_NAME (create the secret once
+# with `gcloud secrets create anthropic-api-key --data-file=...`). Operators
+# can still switch the active model (haiku / sonnet / opus) from the UI
+# without a redeploy.
+LLM_PROVIDER: "anthropic"
+LLM_MODEL: "claude-haiku-4-5-20251001"
+ANTHROPIC_API_KEY_SECRET_NAME: "anthropic-api-key"
+#
+# To use a local Ollama instance instead (e.g. in a dev environment with a
+# reachable Ollama VM), comment out the three lines above and use:
 # LLM_PROVIDER: "ollama"
 # LLM_BASE_URL: "http://ollama.internal:11434"
 # LLM_MODEL: "qwen2.5-coder:7b"
diff --git a/services/github_auth.go b/services/github_auth.go
index 8317d0a..25d80e4 100644
--- a/services/github_auth.go
+++ b/services/github_auth.go
@@ -158,6 +158,26 @@ func LoadMongoURI(ctx context.Context, config *configs.Config) error {
 	return nil
 }
 
+// LoadAnthropicAPIKey loads the Anthropic API key from Secret Manager or
+// environment variable. Only called when the LLM provider is "anthropic".
+// Missing value is non-fatal: NewLLMClient will refuse to construct a client,
+// the operator UI will show "not configured", and the rest of the app runs.
+func LoadAnthropicAPIKey(ctx context.Context, config *configs.Config) error {
+	if config.AnthropicAPIKey != "" {
+		return nil
+	}
+	if config.AnthropicAPIKeySecretName == "" {
+		return nil
+	}
+	resolvedName := config.SecretPath(config.AnthropicAPIKeySecretName)
+	key, err := getSecretFromSecretManager(ctx, resolvedName, "ANTHROPIC_API_KEY")
+	if err != nil {
+		return fmt.Errorf("failed to load Anthropic API key: %w", err)
+	}
+	config.AnthropicAPIKey = key
+	return nil
+}
+
 // getSecretFromSecretManager is a generic function to retrieve any secret from Secret Manager
 func getSecretFromSecretManager(ctx context.Context, secretName, envVarName string) (string, error) {
 	if os.Getenv("SKIP_SECRET_MANAGER") == "true" {
diff --git a/services/llm_anthropic.go b/services/llm_anthropic.go
new file mode 100644
index 0000000..ea130b0
--- /dev/null
+++ b/services/llm_anthropic.go
@@ -0,0 +1,267 @@
+package services
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+)
+
+// anthropicAPIVersion is pinned to the stable Messages API version. Bump this
+// only when we intentionally adopt a new API contract.
+const anthropicAPIVersion = "2023-06-01"
+
+// defaultAnthropicBaseURL is the hosted Anthropic API. Override (via SetBaseURL
+// or LLM_BASE_URL) only to route through a gateway or proxy that speaks the
+// same wire format.
+const defaultAnthropicBaseURL = "https://api.anthropic.com"
+
+// anthropicFallbackModels is used when /v1/models returns an empty list or
+// errors; keeps the UI usable with a known-good default set.
+var anthropicFallbackModels = []LLMModel{
+	{Name: "claude-opus-4-7"},
+	{Name: "claude-sonnet-4-6"},
+	{Name: "claude-haiku-4-5-20251001"},
+}
+
+type anthropicClient struct {
+	mu      sync.RWMutex
+	baseURL string
+	model   string
+	apiKey  string
+	http    *http.Client
+}
+
+func newAnthropicClient(baseURL, model, apiKey string) *anthropicClient {
+	if strings.TrimSpace(baseURL) == "" {
+		baseURL = defaultAnthropicBaseURL
+	}
+	if strings.TrimSpace(model) == "" {
+		model = "claude-haiku-4-5-20251001"
+	}
+	return &anthropicClient{
+		baseURL: strings.TrimSuffix(baseURL, "/"),
+		model:   model,
+		apiKey:  apiKey,
+		http:    &http.Client{Timeout: 60 * time.Second},
+	}
+}
+
+func (c *anthropicClient) ProviderName() string { return "anthropic" }
+
+func (c *anthropicClient) GetBaseURL() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.baseURL
+}
+
+func (c *anthropicClient) SetBaseURL(url string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.baseURL = strings.TrimSuffix(strings.TrimSpace(url), "/")
+}
+
+func (c *anthropicClient) GetActiveModel() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.model
+}
+
+func (c *anthropicClient) SetActiveModel(model string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.model = strings.TrimSpace(model)
+}
+
+// newAuthedRequest builds a request with the Anthropic auth + version headers.
+// Callers must have already validated that URL components are not user-supplied;
+// the base URL is derived from a pinned default or operator-set value.
+func (c *anthropicClient) newAuthedRequest(ctx context.Context, method, path string, body io.Reader) (*http.Request, error) {
+	req, err := http.NewRequestWithContext(ctx, method, c.GetBaseURL()+path, body) // #nosec G107 -- base URL is pinned default or operator-set; path is a literal constant
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("x-api-key", c.apiKey)
+	req.Header.Set("anthropic-version", anthropicAPIVersion)
+	req.Header.Set("content-type", "application/json")
+	return req, nil
+}
+
+// Ping calls GET /v1/models as an auth + reachability check.
+func (c *anthropicClient) Ping(ctx context.Context) error {
+	if strings.TrimSpace(c.apiKey) == "" {
+		return fmt.Errorf("ANTHROPIC_API_KEY is not configured")
+	}
+	req, err := c.newAuthedRequest(ctx, http.MethodGet, "/v1/models", nil)
+	if err != nil {
+		return err
+	}
+	resp, err := c.http.Do(req) // #nosec G107 -- see newAuthedRequest
+	if err != nil {
+		return fmt.Errorf("anthropic unreachable at %s: %w", c.GetBaseURL(), err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
+		return fmt.Errorf("anthropic auth failed (HTTP %d) — check ANTHROPIC_API_KEY", resp.StatusCode)
+	}
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<15))
+		return fmt.Errorf("anthropic returned %s: %s", resp.Status, strings.TrimSpace(string(body)))
+	}
+	return nil
+}
+
+type anthropicModelsResponse struct {
+	Data []struct {
+		ID          string `json:"id"`
+		DisplayName string `json:"display_name"`
+		CreatedAt   string `json:"created_at"`
+	} `json:"data"`
+}
+
+// ListModels returns models available to the account. Falls back to a static
+// list if the API call fails so the UI stays usable.
+func (c *anthropicClient) ListModels(ctx context.Context) ([]LLMModel, error) {
+	req, err := c.newAuthedRequest(ctx, http.MethodGet, "/v1/models", nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := c.http.Do(req) // #nosec G107 -- see newAuthedRequest
+	if err != nil {
+		return anthropicFallbackModels, nil
+	}
+	defer func() { _ = resp.Body.Close() }()
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if resp.StatusCode != http.StatusOK {
+		return anthropicFallbackModels, nil
+	}
+	var out anthropicModelsResponse
+	if err := json.Unmarshal(body, &out); err != nil {
+		return anthropicFallbackModels, nil
+	}
+	if len(out.Data) == 0 {
+		return anthropicFallbackModels, nil
+	}
+	models := make([]LLMModel, 0, len(out.Data))
+	for _, m := range out.Data {
+		models = append(models, LLMModel{Name: m.ID, ModifiedAt: m.CreatedAt})
+	}
+	return models, nil
+}
+
+// PullModel / DeleteModel are not supported for hosted providers. The UI
+// hides the relevant sections when provider != "ollama", so these should not
+// normally be reached; returning a sentinel lets the HTTP layer map cleanly.
+func (c *anthropicClient) PullModel(_ context.Context, _ string, _ func(LLMPullProgress)) error {
+	return ErrModelManagementNotSupported
+}
+
+func (c *anthropicClient) DeleteModel(_ context.Context, _ string) error {
+	return ErrModelManagementNotSupported
+}
+
+// anthropicMessagesRequest is the body of POST /v1/messages.
+type anthropicMessagesRequest struct {
+	Model     string             `json:"model"`
+	MaxTokens int                `json:"max_tokens"`
+	System    string             `json:"system,omitempty"`
+	Messages  []anthropicMessage `json:"messages"`
+}
+
+type anthropicMessage struct {
+	Role    string `json:"role"`
+	Content string `json:"content"`
+}
+
+type anthropicMessagesResponse struct {
+	Content []struct {
+		Type string `json:"type"`
+		Text string `json:"text"`
+	} `json:"content"`
+	StopReason string `json:"stop_reason"`
+	Error      *struct {
+		Type    string `json:"type"`
+		Message string `json:"message"`
+	} `json:"error,omitempty"`
+}
+
+// jsonGuardrail is appended to the system prompt to nudge the model toward
+// raw JSON output. Anthropic has no native JSON mode on /v1/messages, so we
+// rely on prompting + a post-processing fence strip.
+const jsonGuardrail = "\n\nRespond with ONLY valid JSON — no prose, no explanations outside the JSON, no code fences, no backticks. Just the JSON object."
+
+func (c *anthropicClient) GenerateJSON(ctx context.Context, systemPrompt, userPrompt string) (string, error) {
+	if strings.TrimSpace(c.apiKey) == "" {
+		return "", fmt.Errorf("ANTHROPIC_API_KEY is not configured")
+	}
+	reqBody, err := json.Marshal(anthropicMessagesRequest{
+		Model:     c.GetActiveModel(),
+		MaxTokens: 4096,
+		System:    systemPrompt + jsonGuardrail,
+		Messages:  []anthropicMessage{{Role: "user", Content: userPrompt}},
+	})
+	if err != nil {
+		return "", fmt.Errorf("marshal anthropic request: %w", err)
+	}
+
+	req, err := c.newAuthedRequest(ctx, http.MethodPost, "/v1/messages", bytes.NewReader(reqBody))
+	if err != nil {
+		return "", err
+	}
+	resp, err := c.http.Do(req) // #nosec G107 -- see newAuthedRequest
+	if err != nil {
+		return "", fmt.Errorf("call anthropic at %s: %w", c.GetBaseURL(), err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("anthropic returned %s: %s", resp.Status, strings.TrimSpace(string(body)))
+	}
+
+	var out anthropicMessagesResponse
+	if err := json.Unmarshal(body, &out); err != nil {
+		return "", fmt.Errorf("parse anthropic response: %w", err)
+	}
+	if out.Error != nil {
+		return "", fmt.Errorf("anthropic error: %s: %s", out.Error.Type, out.Error.Message)
+	}
+	// Concatenate all text blocks (usually one).
+	var sb strings.Builder
+	for _, block := range out.Content {
+		if block.Type == "text" {
+			sb.WriteString(block.Text)
+		}
+	}
+	raw := strings.TrimSpace(sb.String())
+	if raw == "" {
+		return "", fmt.Errorf("anthropic returned empty response (model %q)", c.GetActiveModel())
+	}
+	return stripJSONFences(raw), nil
+}
+
+// stripJSONFences removes ```json ... ``` or ``` ... ``` wrappers that models
+// sometimes add despite being asked for raw JSON. If the input doesn't look
+// fenced, it's returned unchanged.
+func stripJSONFences(s string) string {
+	t := strings.TrimSpace(s)
+	if !strings.HasPrefix(t, "```") {
+		return t
+	}
+	// Drop the opening fence (```json or ```)
+	if nl := strings.IndexByte(t, '\n'); nl >= 0 {
+		t = t[nl+1:]
+	} else {
+		return strings.TrimSpace(strings.TrimPrefix(t, "```"))
+	}
+	// Drop the trailing fence
+	if idx := strings.LastIndex(t, "```"); idx >= 0 {
+		t = t[:idx]
+	}
+	return strings.TrimSpace(t)
+}
diff --git a/services/llm_client.go b/services/llm_client.go
index e5502ae..b928f6f 100644
--- a/services/llm_client.go
+++ b/services/llm_client.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -13,6 +14,12 @@ import (
 	"time"
 )
 
+// ErrModelManagementNotSupported is returned by providers (e.g. Anthropic) where
+// model pulls/deletes don't apply. Handlers should map this to a 400-class
+// response rather than a 502, since it's a client-intent error, not a backend
+// failure.
+var ErrModelManagementNotSupported = errors.New("model management not supported for this provider")
+
 // LLMClient is the minimal interface used by the operator UI. It supports
 // runtime reconfiguration (active model, base URL) and provider management
 // operations (list/pull/delete models).
@@ -64,13 +71,24 @@ type LLMPullProgress struct {
 	Error     string `json:"error,omitempty"`
 }
 
+// LLMClientOptions carries the per-provider settings NewLLMClient needs.
+// APIKey is required for hosted providers (anthropic); ignored by ollama.
+type LLMClientOptions struct {
+	Provider string
+	BaseURL  string
+	Model    string
+	APIKey   string
+}
+
 // NewLLMClient returns a client for the configured provider.
-func NewLLMClient(provider, baseURL, model string) (LLMClient, error) {
-	switch strings.ToLower(strings.TrimSpace(provider)) {
+func NewLLMClient(opts LLMClientOptions) (LLMClient, error) {
+	switch strings.ToLower(strings.TrimSpace(opts.Provider)) {
 	case "", "ollama":
+		baseURL := opts.BaseURL
 		if baseURL == "" {
 			baseURL = "http://localhost:11434"
 		}
+		model := opts.Model
 		if model == "" {
 			model = "qwen2.5-coder:7b"
 		}
@@ -82,8 +100,13 @@ func NewLLMClient(provider, baseURL, model string) (LLMClient, error) {
 				// No timeout for pulls — model downloads can take 10+ minutes
 			},
 		}, nil
+	case "anthropic":
+		if strings.TrimSpace(opts.APIKey) == "" {
+			return nil, fmt.Errorf("anthropic provider requires ANTHROPIC_API_KEY")
+		}
+		return newAnthropicClient(opts.BaseURL, opts.Model, opts.APIKey), nil
 	default:
-		return nil, fmt.Errorf("unsupported LLM provider: %q (only \"ollama\" is implemented)", provider)
+		return nil, fmt.Errorf("unsupported LLM provider: %q (expected \"ollama\" or \"anthropic\")", opts.Provider)
 	}
 }
 
diff --git a/services/operator_llm_admin.go b/services/operator_llm_admin.go
index 1521d9c..3cb7937 100644
--- a/services/operator_llm_admin.go
+++ b/services/operator_llm_admin.go
@@ -3,6 +3,7 @@ package services
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -24,6 +25,9 @@ func (o *operatorUI) handleLLMStatus(w http.ResponseWriter, r *http.Request) {
 		"active_model": "",
 		"reachable":    false,
 		"models":       []LLMModel{},
+		// supports_model_mgmt tells the UI whether to show pull/delete sections.
+		// Hosted providers (anthropic) don't expose those operations.
+		"supports_model_mgmt": strings.ToLower(strings.TrimSpace(o.cfg.LLMProvider)) != "anthropic",
 	}
 	if o.llm == nil {
 		out["error"] = "LLM client not initialized"
@@ -110,7 +114,11 @@ func (o *operatorUI) handleLLMDeleteModel(w http.ResponseWriter, r *http.Request
 	ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
 	defer cancel()
 	if err := o.llm.DeleteModel(ctx, name); err != nil {
-		w.WriteHeader(http.StatusBadGateway)
+		status := http.StatusBadGateway
+		if errors.Is(err, ErrModelManagementNotSupported) {
+			status = http.StatusBadRequest
+		}
+		w.WriteHeader(status)
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
 		return
 	}
@@ -145,6 +153,13 @@ func (o *operatorUI) handleLLMPullModel(w http.ResponseWriter, r *http.Request)
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": "name is required"})
 		return
 	}
+	// Reject up-front for hosted providers so the client doesn't have to interpret
+	// an NDJSON error event.
+	if strings.ToLower(strings.TrimSpace(o.cfg.LLMProvider)) == "anthropic" {
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]string{"error": ErrModelManagementNotSupported.Error()})
+		return
+	}
 
 	// Switch to NDJSON streaming
 	w.Header().Set("Content-Type", "application/x-ndjson")
diff --git a/services/operator_ui.go b/services/operator_ui.go
index 2b9b97d..36abf22 100644
--- a/services/operator_ui.go
+++ b/services/operator_ui.go
@@ -37,7 +37,12 @@ func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *
 	}
 	// Always create the LLM client; availability is checked dynamically via Ping.
 	// Operators can change the active model and base URL from the UI without restart.
-	if client, err := NewLLMClient(cfg.LLMProvider, cfg.LLMBaseURL, cfg.LLMModel); err != nil {
+	if client, err := NewLLMClient(LLMClientOptions{
+		Provider: cfg.LLMProvider,
+		BaseURL:  cfg.LLMBaseURL,
+		Model:    cfg.LLMModel,
+		APIKey:   cfg.AnthropicAPIKey,
+	}); err != nil {
 		LogWarning("LLM client init failed", "error", err.Error())
 	} else {
 		o.llm = client
diff --git a/services/web/operator/index.html b/services/web/operator/index.html
index 28bf425..b490b64 100644
--- a/services/web/operator/index.html
+++ b/services/web/operator/index.html
@@ -519,7 +519,7 @@ <h3 class="small" style="margin:0.65rem 0 0.3rem">By rule</h3>
         <span class="refreshed" id="aiSettingsRefreshed"></span>
       </div>
       <div class="sb">
-        <p class="hint" style="margin-top:0">Configure the local LLM provider (Ollama) for the AI rule suggester. Settings are in-memory and reset on server restart.</p>
+        <p class="hint" style="margin-top:0" id="aiSettingsHint">Configure the LLM provider for the AI rule suggester. Settings are in-memory and reset on server restart.</p>
         <div class="row">
           <button type="button" id="aiRefreshStatus">Refresh status</button>
         </div>
@@ -529,14 +529,16 @@ <h3 class="small" style="margin:0.65rem 0 0.3rem">By rule</h3>
             <div style="flex:1;min-width:200px;max-width:24rem"><label for="aiActiveModelSel">Active model</label><select id="aiActiveModelSel" style="width:100%"></select></div>
             <button type="button" id="aiSetActive">Set active</button>
           </div>
-          <h3 class="small" style="margin:0.75rem 0 0.3rem">Installed models</h3>
-          <div id="aiModelList" class="ai-model-list"></div>
-          <h3 class="small" style="margin:0.75rem 0 0.3rem">Pull a new model</h3>
-          <div class="row">
-            <div style="flex:1;min-width:200px;max-width:20rem"><input id="aiPullName" type="text" placeholder="qwen2.5-coder:7b" style="width:100%" /></div>
-            <button type="button" id="aiPullStart">Pull</button>
+          <div id="aiOllamaOnly">
+            <h3 class="small" style="margin:0.75rem 0 0.3rem">Installed models</h3>
+            <div id="aiModelList" class="ai-model-list"></div>
+            <h3 class="small" style="margin:0.75rem 0 0.3rem">Pull a new model</h3>
+            <div class="row">
+              <div style="flex:1;min-width:200px;max-width:20rem"><input id="aiPullName" type="text" placeholder="qwen2.5-coder:7b" style="width:100%" /></div>
+              <button type="button" id="aiPullStart">Pull</button>
+            </div>
+            <div id="aiPullProgress" hidden></div>
           </div>
-          <div id="aiPullProgress" hidden></div>
           <h3 class="small" style="margin:0.75rem 0 0.3rem">Base URL</h3>
           <div class="row">
             <div style="flex:1;min-width:200px;max-width:24rem"><input id="aiBaseURL" type="text" placeholder="http://localhost:11434" class="mono" style="width:100%" /></div>
@@ -544,8 +546,8 @@ <h3 class="small" style="margin:0.75rem 0 0.3rem">Base URL</h3>
           </div>
         </div>
         <div id="aiNotConnectedUI" hidden>
-          <div class="ai-install-steps">
-            <strong>To enable the AI rule suggester:</strong>
+          <div class="ai-install-steps" id="aiInstallStepsOllama">
+            <strong>To enable the AI rule suggester (Ollama):</strong>
             <ol>
               <li>Install Ollama from <a href="https://ollama.com/download" target="_blank" rel="noopener">ollama.com/download</a></li>
               <li>Start it (on macOS the Ollama app runs automatically after install)</li>
@@ -554,6 +556,15 @@ <h3 class="small" style="margin:0.75rem 0 0.3rem">Base URL</h3>
             </ol>
             Base URL used for detection: <code id="aiNotConnectedURL">http://localhost:11434</code>. If Ollama is running on a different host/port, update the base URL below.
           </div>
+          <div class="ai-install-steps" id="aiInstallStepsAnthropic" hidden>
+            <strong>Anthropic AI is not reachable.</strong> The server needs a valid <code>ANTHROPIC_API_KEY</code>.
+            <ul>
+              <li>Set <code>ANTHROPIC_API_KEY</code> directly (local dev) or <code>ANTHROPIC_API_KEY_SECRET_NAME</code> pointing at a Secret Manager secret (Cloud Run).</li>
+              <li>Restart the service so the key is picked up at boot.</li>
+              <li>Click <strong>Refresh status</strong> above.</li>
+            </ul>
+            The base URL is <code>https://api.anthropic.com</code> by default; override only to route through an internal gateway.
+          </div>
           <h3 class="small" style="margin:0.75rem 0 0.3rem">Base URL</h3>
           <div class="row">
             <div style="flex:1;min-width:200px;max-width:24rem"><input id="aiBaseURLDisc" type="text" placeholder="http://localhost:11434" class="mono" style="width:100%" /></div>
@@ -571,7 +582,7 @@ <h3 class="small" style="margin:0.75rem 0 0.3rem">Base URL</h3>
       </div>
       <div class="sb">
         <div id="aiDisabledNote" class="ai-disabled" hidden>
-          The AI rule suggester is disabled on this server. Ask an operator to set <code>LLM_ENABLED=true</code> and configure an Ollama instance (<code>LLM_BASE_URL</code>, <code>LLM_MODEL</code>).
+          The AI rule suggester is unavailable. An operator can configure it from <strong>System → AI settings</strong> (choose a provider via <code>LLM_PROVIDER</code>: <code>ollama</code> for local or <code>anthropic</code> for hosted).
         </div>
         <div id="aiEnabledUI" hidden>
           <p class="hint" style="margin-top:0">Describe a source→target transformation and have the LLM propose a workflow rule. The generated rule is verified against your example before display.</p>
@@ -1545,6 +1556,19 @@ <h3>Keyboard shortcuts</h3>
 }
 function renderAISettings(s){
   var line=$('aiStatusLine');
+  var provider=(s.provider||'ollama').toLowerCase();
+  var providerLabel=provider==='anthropic'?'Anthropic':'Ollama';
+  var supportsMgmt=s.supports_model_mgmt!==false && provider!=='anthropic';
+
+  // Toggle installed-models / pull-new-model section based on provider.
+  var ollamaOnly=$('aiOllamaOnly'); if(ollamaOnly) ollamaOnly.hidden=!supportsMgmt;
+
+  // Toggle the disconnected onboarding content based on provider.
+  var stepsOllama=$('aiInstallStepsOllama');
+  var stepsAnthropic=$('aiInstallStepsAnthropic');
+  if(stepsOllama) stepsOllama.hidden=provider==='anthropic';
+  if(stepsAnthropic) stepsAnthropic.hidden=provider!=='anthropic';
+
   if(!s.available){
     line.className='ai-status-line ai-fail';
     line.innerHTML='<span class="dot dot-red"></span> LLM client not initialized';
@@ -1553,36 +1577,41 @@ <h3>Keyboard shortcuts</h3>
   }
   if(!s.reachable){
     line.className='ai-status-line ai-fail';
-    line.innerHTML='<span class="dot dot-red"></span> Ollama unreachable at <code>'+escapeHtml(s.base_url||'')+'</code>'+(s.error?' — '+escapeHtml(s.error):'');
+    line.innerHTML='<span class="dot dot-red"></span> '+escapeHtml(providerLabel)+' unreachable at <code>'+escapeHtml(s.base_url||'')+'</code>'+(s.error?' — '+escapeHtml(s.error):'');
     $('aiConnectedUI').hidden=true;$('aiNotConnectedUI').hidden=false;
     $('aiNotConnectedURL').textContent=s.base_url||'';
     if(!$('aiBaseURLDisc').value) $('aiBaseURLDisc').value=s.base_url||'';
     return;
   }
   line.className='ai-status-line ai-ok';
-  line.innerHTML='<span class="dot dot-green"></span> Ollama connected at <code>'+escapeHtml(s.base_url||'')+'</code>';
+  line.innerHTML='<span class="dot dot-green"></span> '+escapeHtml(providerLabel)+' connected at <code>'+escapeHtml(s.base_url||'')+'</code>';
   $('aiConnectedUI').hidden=false;$('aiNotConnectedUI').hidden=true;
 
   // Populate model dropdown and list
   var sel=$('aiActiveModelSel');sel.innerHTML='';
-  var list=$('aiModelList');list.innerHTML='';
+  var list=$('aiModelList');if(list) list.innerHTML='';
   var models=s.models||[];
-  if(models.length===0){
-    list.innerHTML='<div class="empty-state" style="padding:1rem"><div class="es-icon">\u{1F4E6}</div>No models installed. Pull one below to get started.</div>';
-  }else{
-    models.forEach(function(m){
-      var opt=document.createElement('option');opt.value=m.name;opt.textContent=m.name;
-      if(m.name===s.active_model)opt.selected=true;
-      sel.appendChild(opt);
-      var row=document.createElement('div');
-      row.className='ai-model-row'+(m.name===s.active_model?' active':'');
-      var badge=m.name===s.active_model?' <span style="font-size:0.7rem;color:var(--blue);font-weight:600">\u2713 active</span>':'';
-      row.innerHTML='<span class="ai-model-name">'+escapeHtml(m.name)+badge+'</span>'
-        +'<span class="ai-model-size">'+escapeHtml(fmtBytes(m.size))+'</span>'
-        +'<button class="btn-sm" onclick="aiDeleteModel(\''+escapeHtml(m.name)+'\')">Delete</button>';
-      list.appendChild(row);
-    });
+  if(supportsMgmt && list){
+    if(models.length===0){
+      list.innerHTML='<div class="empty-state" style="padding:1rem"><div class="es-icon">\u{1F4E6}</div>No models installed. Pull one below to get started.</div>';
+    }else{
+      models.forEach(function(m){
+        var row=document.createElement('div');
+        row.className='ai-model-row'+(m.name===s.active_model?' active':'');
+        var badge=m.name===s.active_model?' <span style="font-size:0.7rem;color:var(--blue);font-weight:600">\u2713 active</span>':'';
+        row.innerHTML='<span class="ai-model-name">'+escapeHtml(m.name)+badge+'</span>'
+          +'<span class="ai-model-size">'+escapeHtml(fmtBytes(m.size))+'</span>'
+          +'<button class="btn-sm" onclick="aiDeleteModel(\''+escapeHtml(m.name)+'\')">Delete</button>';
+        list.appendChild(row);
+      });
+    }
   }
+  // Always populate the active-model dropdown from the returned list.
+  models.forEach(function(m){
+    var opt=document.createElement('option');opt.value=m.name;opt.textContent=m.name;
+    if(m.name===s.active_model)opt.selected=true;
+    sel.appendChild(opt);
+  });
   if(!$('aiBaseURL').value) $('aiBaseURL').value=s.base_url||'';
 }
 $('aiRefreshStatus').onclick=function(){withLoading('aiRefreshStatus',loadAISettingsStatus);};

From 4677718ce20aeb74995e21f81a0eab5898c6003f Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 15:48:27 -0400
Subject: [PATCH 11/20] fix(operator): route Anthropic client through Grove
 Foundry APIM gateway
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Anthropic access we have is an APIM-fronted gateway, not the native
Anthropic API. Two changes needed to match the gateway's contract:

- Auth header: gateway uses "api-key" (Azure API Management convention),
  not Anthropic's native "x-api-key". Send both — direct API ignores
  "api-key", gateway ignores "x-api-key", so one client works with either.
- Ping: switch from GET /v1/models (not exposed by the gateway) to a
  minimal POST /v1/messages with max_tokens=1. Cost ≈ 1 input + 1 output
  token per refresh. ListModels already falls back to a static list when
  /v1/models fails, so this keeps the UI usable.

Deploy config:
- LLM_BASE_URL points at the Grove Foundry gateway.
- LLM_MODEL uses the aliased "claude-haiku-4-5" (verified to work through
  the gateway with a smoke-test curl).
---
 .github/workflows/ci.yml  |  2 +-
 env-cloudrun.yaml         | 15 ++++++++-------
 services/llm_anthropic.go | 22 ++++++++++++++++++----
 3 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 842d3da..d3e6020 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -128,7 +128,7 @@ jobs:
             --region $REGION \
             --project $PROJECT_ID \
             --allow-unauthenticated \
-            --set-env-vars="^|^CONFIG_REPO_OWNER=grove-platform|CONFIG_REPO_NAME=github-copier|CONFIG_REPO_BRANCH=main|PEM_NAME=CODE_COPIER_PEM|WEBHOOK_SECRET_NAME=webhook-secret|MONGO_URI_SECRET_NAME=mongo-uri|WEBSERVER_PATH=/events|MAIN_CONFIG_FILE=.copier/main.yaml|USE_MAIN_CONFIG=true|DEPRECATION_FILE=deprecated_examples.json|COMMITTER_NAME=GitHub Copier App|COMMITTER_EMAIL=bot@mongodb.com|GOOGLE_CLOUD_PROJECT_ID=github-copy-code-examples|COPIER_LOG_NAME=code-copier-log|AUDIT_ENABLED=true|METRICS_ENABLED=true|OPERATOR_UI_ENABLED=true|OPERATOR_AUTH_REPO=grove-platform/github-copier|OPERATOR_REPO_SLUG=grove-platform/github-copier|LLM_PROVIDER=anthropic|LLM_MODEL=claude-haiku-4-5-20251001|ANTHROPIC_API_KEY_SECRET_NAME=anthropic-api-key|GITHUB_APP_ID=${{ secrets.APP_ID }}|INSTALLATION_ID=${{ secrets.INSTALLATION_ID }}" \
+            --set-env-vars="^|^CONFIG_REPO_OWNER=grove-platform|CONFIG_REPO_NAME=github-copier|CONFIG_REPO_BRANCH=main|PEM_NAME=CODE_COPIER_PEM|WEBHOOK_SECRET_NAME=webhook-secret|MONGO_URI_SECRET_NAME=mongo-uri|WEBSERVER_PATH=/events|MAIN_CONFIG_FILE=.copier/main.yaml|USE_MAIN_CONFIG=true|DEPRECATION_FILE=deprecated_examples.json|COMMITTER_NAME=GitHub Copier App|COMMITTER_EMAIL=bot@mongodb.com|GOOGLE_CLOUD_PROJECT_ID=github-copy-code-examples|COPIER_LOG_NAME=code-copier-log|AUDIT_ENABLED=true|METRICS_ENABLED=true|OPERATOR_UI_ENABLED=true|OPERATOR_AUTH_REPO=grove-platform/github-copier|OPERATOR_REPO_SLUG=grove-platform/github-copier|LLM_PROVIDER=anthropic|LLM_BASE_URL=https://grove-gateway-prod.azure-api.net/grove-foundry-prod/anthropic|LLM_MODEL=claude-haiku-4-5|ANTHROPIC_API_KEY_SECRET_NAME=anthropic-api-key|GITHUB_APP_ID=${{ secrets.APP_ID }}|INSTALLATION_ID=${{ secrets.INSTALLATION_ID }}" \
             --set-build-env-vars="VERSION=${{ steps.version.outputs.tag }}" \
             --tag="${{ steps.version.outputs.traffic_tag }}" \
             --max-instances=10 \
diff --git a/env-cloudrun.yaml b/env-cloudrun.yaml
index 8fa9e29..7b33da1 100644
--- a/env-cloudrun.yaml
+++ b/env-cloudrun.yaml
@@ -44,14 +44,15 @@ OPERATOR_REPO_SLUG: "grove-platform/github-copier"
 #
 # Optional: OPERATOR_RELEASE_GITHUB_TOKEN, OPERATOR_RELEASE_TARGET_BRANCH
 #
-# AI rule suggester — uses the hosted Anthropic API so Cloud Run can call it
-# directly without standing up a model-serving VM. The API key is loaded from
-# Secret Manager via ANTHROPIC_API_KEY_SECRET_NAME (create the secret once
-# with `gcloud secrets create anthropic-api-key --data-file=...`). Operators
-# can still switch the active model (haiku / sonnet / opus) from the UI
-# without a redeploy.
+# AI rule suggester — calls Anthropic via the Grove Foundry APIM gateway so
+# Cloud Run can reach it without standing up a model-serving VM. The gateway
+# key is loaded from Secret Manager via ANTHROPIC_API_KEY_SECRET_NAME (create
+# the secret once with `gcloud secrets create anthropic-api-key --data-file=...`).
+# Operators can still switch the active model (haiku / sonnet / opus) from
+# the UI without a redeploy.
 LLM_PROVIDER: "anthropic"
-LLM_MODEL: "claude-haiku-4-5-20251001"
+LLM_BASE_URL: "https://grove-gateway-prod.azure-api.net/grove-foundry-prod/anthropic"
+LLM_MODEL: "claude-haiku-4-5"
 ANTHROPIC_API_KEY_SECRET_NAME: "anthropic-api-key"
 #
 # To use a local Ollama instance instead (e.g. in a dev environment with a
diff --git a/services/llm_anthropic.go b/services/llm_anthropic.go
index ea130b0..cf7b13c 100644
--- a/services/llm_anthropic.go
+++ b/services/llm_anthropic.go
@@ -81,23 +81,37 @@ func (c *anthropicClient) SetActiveModel(model string) {
 // newAuthedRequest builds a request with the Anthropic auth + version headers.
 // Callers must have already validated that URL components are not user-supplied;
 // the base URL is derived from a pinned default or operator-set value.
+//
+// We set both x-api-key (native Anthropic) and api-key (Azure API Management
+// gateway convention) so the same client works when LLM_BASE_URL points at
+// either the direct API or an APIM-fronted proxy. Sending both is harmless —
+// the target service uses whichever it recognizes and ignores the other.
 func (c *anthropicClient) newAuthedRequest(ctx context.Context, method, path string, body io.Reader) (*http.Request, error) {
 	req, err := http.NewRequestWithContext(ctx, method, c.GetBaseURL()+path, body) // #nosec G107 -- base URL is pinned default or operator-set; path is a literal constant
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("x-api-key", c.apiKey)
+	req.Header.Set("api-key", c.apiKey)
 	req.Header.Set("anthropic-version", anthropicAPIVersion)
 	req.Header.Set("content-type", "application/json")
 	return req, nil
 }
 
-// Ping calls GET /v1/models as an auth + reachability check.
+// Ping issues a minimal /v1/messages call as an auth + reachability check.
+// Using /v1/messages (rather than /v1/models) keeps this working behind
+// proxies — including Azure APIM-fronted gateways — that only expose the
+// messages endpoint. Cost per ping is roughly 1 input + 1 output token.
 func (c *anthropicClient) Ping(ctx context.Context) error {
 	if strings.TrimSpace(c.apiKey) == "" {
 		return fmt.Errorf("ANTHROPIC_API_KEY is not configured")
 	}
-	req, err := c.newAuthedRequest(ctx, http.MethodGet, "/v1/models", nil)
+	body, _ := json.Marshal(anthropicMessagesRequest{
+		Model:     c.GetActiveModel(),
+		MaxTokens: 1,
+		Messages:  []anthropicMessage{{Role: "user", Content: "ping"}},
+	})
+	req, err := c.newAuthedRequest(ctx, http.MethodPost, "/v1/messages", bytes.NewReader(body))
 	if err != nil {
 		return err
 	}
@@ -110,8 +124,8 @@ func (c *anthropicClient) Ping(ctx context.Context) error {
 		return fmt.Errorf("anthropic auth failed (HTTP %d) — check ANTHROPIC_API_KEY", resp.StatusCode)
 	}
 	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<15))
-		return fmt.Errorf("anthropic returned %s: %s", resp.Status, strings.TrimSpace(string(body)))
+		respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<15))
+		return fmt.Errorf("anthropic returned %s: %s", resp.Status, strings.TrimSpace(string(respBody)))
 	}
 	return nil
 }

From d5d284fc2d7d9aeb0d85f1985259a98630ec065e Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Tue, 21 Apr 2026 16:02:16 -0400
Subject: [PATCH 12/20] chore(tools): add test-llm smoke-test CLI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Small CLI for verifying LLM provider connectivity end-to-end — calls Ping,
ListModels, and a real rule-suggester GenerateJSON against the configured
provider. Useful after rotating ANTHROPIC_API_KEY, changing LLM_BASE_URL,
or pointing at a new APIM gateway.

Mirrors the shape of the existing cmd/test-pem and cmd/test-webhook tools.
---
 cmd/test-llm/README.md |  79 +++++++++++++++++++++++++
 cmd/test-llm/main.go   | 131 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 210 insertions(+)
 create mode 100644 cmd/test-llm/README.md
 create mode 100644 cmd/test-llm/main.go

diff --git a/cmd/test-llm/README.md b/cmd/test-llm/README.md
new file mode 100644
index 0000000..648f709
--- /dev/null
+++ b/cmd/test-llm/README.md
@@ -0,0 +1,79 @@
+# test-llm
+
+Smoke-test the operator UI's LLM client against the configured provider.
+
+## Purpose
+
+Verify end-to-end that:
+
+- The provider URL and API key are reachable from your machine
+- Auth headers are accepted (direct Anthropic API or APIM-fronted gateway)
+- The active model responds to a real rule-suggester prompt and returns valid JSON
+
+Useful after rotating `ANTHROPIC_API_KEY`, changing `LLM_BASE_URL`, or pointing at a new gateway.
+
+## Build
+
+```bash
+go build -o test-llm ./cmd/test-llm
+```
+
+## Usage
+
+```bash
+./test-llm [-env <path>] [-timeout <duration>]
+```
+
+The tool reads standard env vars — `LLM_PROVIDER`, `LLM_BASE_URL`, `LLM_MODEL`, `ANTHROPIC_API_KEY` — from the process environment. Use `-env` to load a `.env`-style file first. Inline env vars on the command line override file values.
+
+## Examples
+
+Smoke-test against the local `.env.test`:
+
+```bash
+./test-llm -env .env.test
+```
+
+Override the key without editing the env file:
+
+```bash
+ANTHROPIC_API_KEY='sk-...' ./test-llm -env .env.test
+```
+
+Test Ollama locally:
+
+```bash
+LLM_PROVIDER=ollama LLM_BASE_URL=http://localhost:11434 LLM_MODEL=qwen2.5-coder:7b ./test-llm
+```
+
+## Output
+
+On success:
+
+```
+Provider: anthropic
+Base URL: https://grove-gateway-prod.azure-api.net/grove-foundry-prod/anthropic
+Model:    claude-haiku-4-5
+API key:  sk-a…xyz9
+
+✅ Ping OK
+✅ ListModels: 3 models
+   - claude-opus-4-7
+   - claude-sonnet-4-6
+   - claude-haiku-4-5-20251001
+✅ GenerateJSON parsed OK:
+   {
+     "transform_type": "move",
+     "transform_from": "agg/python/models",
+     ...
+   }
+
+🎉 All checks passed — the LLM provider is reachable and usable.
+```
+
+## Exit Codes
+
+| Code | Meaning                              |
+|------|--------------------------------------|
+| 0    | All checks passed                    |
+| 1    | Any failure (auth, network, parsing) |
diff --git a/cmd/test-llm/main.go b/cmd/test-llm/main.go
new file mode 100644
index 0000000..4e851ce
--- /dev/null
+++ b/cmd/test-llm/main.go
@@ -0,0 +1,131 @@
+// test-llm exercises the operator UI's LLM client end-to-end against the
+// configured provider. It loads LLM_PROVIDER / LLM_BASE_URL / LLM_MODEL /
+// ANTHROPIC_API_KEY from the environment (or an env file via -env), calls
+// Ping, ListModels, and a minimal GenerateJSON with the real rule-suggester
+// prompt, and prints the result. Useful for verifying a gateway URL or
+// rotated API key before deploying.
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/joho/godotenv"
+
+	"github.com/grove-platform/github-copier/services"
+)
+
+func main() {
+	envFile := flag.String("env", "", "Optional path to a .env file to load before running")
+	timeout := flag.Duration("timeout", 30*time.Second, "Per-call timeout")
+	flag.Parse()
+
+	if *envFile != "" {
+		if err := godotenv.Load(*envFile); err != nil {
+			fmt.Fprintf(os.Stderr, "❌ failed to load %s: %v\n", *envFile, err)
+			os.Exit(1)
+		}
+		fmt.Printf("Loaded env file: %s\n", *envFile)
+	}
+
+	provider := strings.ToLower(strings.TrimSpace(os.Getenv("LLM_PROVIDER")))
+	if provider == "" {
+		provider = "ollama"
+	}
+	baseURL := os.Getenv("LLM_BASE_URL")
+	model := os.Getenv("LLM_MODEL")
+	apiKey := os.Getenv("ANTHROPIC_API_KEY")
+
+	fmt.Printf("Provider: %s\n", provider)
+	fmt.Printf("Base URL: %s\n", defaultIfEmpty(baseURL, "(default)"))
+	fmt.Printf("Model:    %s\n", defaultIfEmpty(model, "(default)"))
+	if provider == "anthropic" {
+		fmt.Printf("API key:  %s\n", redact(apiKey))
+	}
+	fmt.Println()
+
+	client, err := services.NewLLMClient(services.LLMClientOptions{
+		Provider: provider,
+		BaseURL:  baseURL,
+		Model:    model,
+		APIKey:   apiKey,
+	})
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "❌ NewLLMClient: %v\n", err)
+		os.Exit(1)
+	}
+
+	// 1. Ping
+	ctx, cancel := context.WithTimeout(context.Background(), *timeout)
+	if err := client.Ping(ctx); err != nil {
+		cancel()
+		fmt.Fprintf(os.Stderr, "❌ Ping: %v\n", err)
+		os.Exit(1)
+	}
+	cancel()
+	fmt.Println("✅ Ping OK")
+
+	// 2. ListModels
+	ctx, cancel = context.WithTimeout(context.Background(), *timeout)
+	models, err := client.ListModels(ctx)
+	cancel()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "⚠️  ListModels: %v\n", err)
+	} else {
+		fmt.Printf("✅ ListModels: %d models\n", len(models))
+		for _, m := range models {
+			fmt.Printf("   - %s\n", m.Name)
+		}
+	}
+
+	// 3. GenerateJSON with the real rule-suggester system prompt.
+	systemPrompt := `You are an expert in GitHub Copier workflow configuration. Given a source→target file transformation example, return a JSON object with fields: transform_type ("move"|"copy"|"glob"|"regex"), transform_from, transform_to, pattern, transform_template, name, destination_repo, destination_branch, commit_strategy, explanation. Prefer the simplest transform type that works.`
+	userPrompt := `Source file: agg/python/models/user.py
+Target file: shared/python/models/user.py
+Target repo: org/shared-examples
+
+Return ONLY a JSON object.`
+
+	ctx, cancel = context.WithTimeout(context.Background(), *timeout)
+	raw, err := client.GenerateJSON(ctx, systemPrompt, userPrompt)
+	cancel()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "❌ GenerateJSON: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Pretty-print if the response parses as JSON; otherwise show raw.
+	var pretty map[string]any
+	if jerr := json.Unmarshal([]byte(raw), &pretty); jerr == nil {
+		out, _ := json.MarshalIndent(pretty, "   ", "  ")
+		fmt.Printf("✅ GenerateJSON parsed OK:\n   %s\n", out)
+	} else {
+		fmt.Printf("⚠️  GenerateJSON returned non-JSON (%v):\n%s\n", jerr, raw)
+		os.Exit(1)
+	}
+
+	fmt.Println("\n🎉 All checks passed — the LLM provider is reachable and usable.")
+}
+
+func defaultIfEmpty(s, def string) string {
+	if strings.TrimSpace(s) == "" {
+		return def
+	}
+	return s
+}
+
+func redact(s string) string {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return "(not set)"
+	}
+	if len(s) <= 8 {
+		return "***"
+	}
+	return s[:4] + "…" + s[len(s)-4:]
+}

From 89cb362f757ec95f9d2d15eb01ee6d7c5d7668af Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 07:33:48 -0400
Subject: [PATCH 13/20] refactor(operator): require admin or maintain for
 operator role
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Narrow the operator role mapping so write access no longer grants operator
privileges. Most writers on docs repos have write on the auth repo, which
would have given them replay and release capability — the point of the
role split is to gate those actions behind an explicit grant.

  admin / maintain         → operator  (was: admin / maintain / write)
  write / triage / read    → writer    (was: read / triage)
  none                     → denied

Updates env-cloudrun.yaml and CHANGELOG to match. Frontend has no hardcoded
permission labels; it just branches on the role string, so no UI change.
---
 CHANGELOG.md              | 2 +-
 env-cloudrun.yaml         | 2 +-
 services/operator_auth.go | 9 +++++++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd9e165..c5ac2d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Added
 
 - **Operator UI — comprehensive writer + operator dashboard** at `/operator/` (`OPERATOR_UI_ENABLED=true`). Five tabs (Overview, Webhooks, Audit, Workflows, System), sticky status bar, dark mode, keyboard shortcuts, shareable URLs, and a writer/operator mode toggle persisted to localStorage.
-- **GitHub PAT authentication** — users sign in with their personal access token; role is derived from their permission on `OPERATOR_AUTH_REPO` (admin/maintain/write → operator, read/triage → writer). Replay and other write actions additionally enforce read access on the source repo for that specific delivery.
+- **GitHub PAT authentication** — users sign in with their personal access token; role is derived from their permission on `OPERATOR_AUTH_REPO` (admin/maintain → operator, write/triage/read → writer). Operator actions (replay, release, AI settings) require an explicit admin or maintain grant, since most writers have `write` on the auth repo. Replay additionally enforces read access on the source repo for that specific delivery.
 - **AI rule suggester** — paste a source path and desired target state, receive a suggested workflow rule with self-verification via the in-process `PatternMatcher`. Two providers supported:
   - **Anthropic (hosted)** — default for Cloud Run. API key loaded from Secret Manager via `ANTHROPIC_API_KEY_SECRET_NAME`. No infra required; operators switch between Haiku / Sonnet / Opus from the UI.
   - **Ollama (local)** — for dev or self-hosted deployments. UI manages connection, model pulls, deletes, and active-model switching without a redeploy.
diff --git a/env-cloudrun.yaml b/env-cloudrun.yaml
index 7b33da1..4a80ba0 100644
--- a/env-cloudrun.yaml
+++ b/env-cloudrun.yaml
@@ -37,7 +37,7 @@ METRICS_ENABLED: "true"
 # Operator dashboard at https://<service>/operator/
 # Access is gated by each user's GitHub PAT: they authenticate with their
 # personal token, and their permission on OPERATOR_AUTH_REPO determines role
-# (admin/maintain/write → operator, read/triage → writer).
+# (admin/maintain → operator, write/triage/read → writer).
 OPERATOR_UI_ENABLED: "true"
 OPERATOR_AUTH_REPO: "grove-platform/github-copier"
 OPERATOR_REPO_SLUG: "grove-platform/github-copier"
diff --git a/services/operator_auth.go b/services/operator_auth.go
index f624757..27d6e08 100644
--- a/services/operator_auth.go
+++ b/services/operator_auth.go
@@ -189,10 +189,15 @@ func validateGitHubPAT(ctx context.Context, pat string, authRepo string) (*Opera
 		return user, nil
 	}
 
+	// admin/maintain → operator; write/triage/read → writer. "write" is
+	// deliberately NOT operator: most writers have write access to the
+	// auth repo, so mapping write → operator would give every writer the
+	// ability to replay and cut releases. Operator actions require an
+	// explicit admin or maintain grant.
 	switch perm {
-	case "admin", "maintain", "write":
+	case "admin", "maintain":
 		user.Role = RoleOperator
-	case "read", "triage":
+	case "write", "triage", "read":
 		user.Role = RoleWriter
 	default:
 		user.Role = RoleDenied

From 27adad3760fcdc2fd983d2ecdf81393a58c658f4 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 07:50:06 -0400
Subject: [PATCH 14/20] feat(operator): harden AI suggester prompt with worked
 examples
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Rewrite the rule-suggester system prompt around the actual single-rule output
shape (llmSuggestedRule): one transform_type, one rule per request. The
previous prompt described the types accurately but gave the model no concrete
examples to anchor the decision between move / copy / glob / regex.

New prompt adds:
- Explicit response-shape template with field-level "for move or copy" /
  "for glob or regex" guidance.
- Default rules for destination_branch ("main") and commit_strategy
  ("pull_request" unless clearly a direct commit).
- Four worked Input/Output examples — one per transform type — using
  realistic paths (mflix-java-spring prefix rename, mflix README copy,
  agg/python glob with ${relative_path}, tutorials/v2 regex with named
  captures).

Also exports the prompt as services.SuggestRuleSystemPrompt and wires it
into cmd/test-llm so the smoke test exercises the exact prompt writers hit
via the UI. Verified end-to-end against the Grove Foundry APIM gateway:
claude-haiku-4-5 now correctly picks "glob" with ${relative_path} for a
.py-in-directory example (previously chose "move" with the exact file path).
---
 cmd/test-llm/main.go              | 13 +++++--
 services/operator_suggest_rule.go | 65 +++++++++++++++++++++----------
 2 files changed, 54 insertions(+), 24 deletions(-)

diff --git a/cmd/test-llm/main.go b/cmd/test-llm/main.go
index 4e851ce..bd0d492 100644
--- a/cmd/test-llm/main.go
+++ b/cmd/test-llm/main.go
@@ -83,13 +83,18 @@ func main() {
 		}
 	}
 
-	// 3. GenerateJSON with the real rule-suggester system prompt.
-	systemPrompt := `You are an expert in GitHub Copier workflow configuration. Given a source→target file transformation example, return a JSON object with fields: transform_type ("move"|"copy"|"glob"|"regex"), transform_from, transform_to, pattern, transform_template, name, destination_repo, destination_branch, commit_strategy, explanation. Prefer the simplest transform type that works.`
-	userPrompt := `Source file: agg/python/models/user.py
+	// 3. GenerateJSON using the real rule-suggester system prompt. Importing
+	// services.SuggestRuleSystemPrompt keeps the smoke test in lock-step with
+	// what writers hit via the UI — if the prompt changes, the smoke test
+	// covers the new behavior automatically.
+	systemPrompt := services.SuggestRuleSystemPrompt
+	userPrompt := `Generate a copier rule for this transformation:
+
+Source file: agg/python/models/user.py
 Target file: shared/python/models/user.py
 Target repo: org/shared-examples
 
-Return ONLY a JSON object.`
+Return ONLY a JSON object with the fields documented above. No prose outside the JSON.`
 
 	ctx, cancel = context.WithTimeout(context.Background(), *timeout)
 	raw, err := client.GenerateJSON(ctx, systemPrompt, userPrompt)
diff --git a/services/operator_suggest_rule.go b/services/operator_suggest_rule.go
index e6db858..6c242c0 100644
--- a/services/operator_suggest_rule.go
+++ b/services/operator_suggest_rule.go
@@ -116,30 +116,55 @@ func (o *operatorUI) handleSuggestRule(w http.ResponseWriter, r *http.Request) {
 	_ = json.NewEncoder(w).Encode(resp)
 }
 
-// askLLMForRule sends a structured prompt to the LLM and parses the JSON response.
-func (o *operatorUI) askLLMForRule(ctx context.Context, req operatorSuggestRuleRequest) (*llmSuggestedRule, error) {
-	systemPrompt := `You are an expert in GitHub Copier workflow configuration. You generate concise, correct YAML rules that match a single source→target file transformation example.
+// SuggestRuleSystemPrompt is the system prompt used by the AI rule suggester.
+// Exported so cmd/test-llm can exercise the real prompt end-to-end against
+// the configured provider (same prompt writers will hit via the UI).
+const SuggestRuleSystemPrompt = `You are a configuration generator for GitHub Copier workflows.
+
+Given a single source→target file transformation example, output ONLY a valid JSON object — no markdown, no prose outside the JSON. Generate ONE rule describing ONE transformation.
+
+Transform types (prefer the simplest that works — move > copy > glob > regex):
+- "move"  — rename a directory prefix. Matches any file under transform_from; replaces the prefix with transform_to. Use when the source and target share the subpath below the renamed prefix.
+- "copy"  — rename ONE exact file. Use when the example is a specific file pair, not a pattern.
+- "glob"  — wildcards in pattern (e.g. "dir/**/*.ext"). Use "${relative_path}" in transform_template to preserve subdir structure after the matched prefix.
+- "regex" — Go RE2 regex with named captures (e.g. "(?P<name>.+)"). Use ONLY when move/copy/glob cannot express the rename.
+
+Response shape (omit fields that don't apply to the chosen transform_type):
+{
+  "name": "kebab-case-rule-name",
+  "destination_repo": "org/dest-repo",
+  "destination_branch": "main",
+  "commit_strategy": "pull_request",
+  "transform_type": "move" | "copy" | "glob" | "regex",
+  "transform_from": "<for move or copy>",
+  "transform_to":   "<for move or copy>",
+  "pattern":             "<for glob or regex>",
+  "transform_template":  "<for glob or regex>",
+  "explanation": "one sentence describing what this rule does"
+}
+
+Rules:
+- destination_branch defaults to "main"; commit_strategy defaults to "pull_request" (use "direct" only if the user's intent is clearly a direct commit).
+- If the user did not provide a target repo, use a placeholder like "org/target-repo" so the writer can fill it in.
+- name should be short and kebab-case, derived from the source directory or file.
+- The rule MUST produce the user's target path when applied to their source path. Verify the logic before responding.
+
+Examples
 
-The copier supports 4 transform types (pick the simplest that works):
-- move: { from: "prefix/path", to: "new/prefix" } — renames a directory prefix. Matches any file under "from" and replaces the prefix with "to".
-- copy: { from: "exact/file.md", to: "new/file.md" } — renames one exact file. Use only when source is a single specific file.
-- glob: { pattern: "dir/**/*.ext", transform: "new/${relative_path}" } — matches files by glob pattern. Use "${relative_path}" to preserve subdirectory structure.
-- regex: { pattern: "dir/(?P<name>.+)\\.ext", transform: "new/${name}.ext" } — uses Go regex with named capture groups. Use ONLY when move/copy/glob are insufficient.
+Input:  source=mflix/server/java-spring/App.java  target=server/App.java  repo=mongodb/sample-app-java-mflix
+Output: {"name":"mflix-java-spring-server","destination_repo":"mongodb/sample-app-java-mflix","destination_branch":"main","commit_strategy":"pull_request","transform_type":"move","transform_from":"mflix/server/java-spring","transform_to":"server","explanation":"Renames the mflix/server/java-spring prefix to server when copying into the target repo."}
 
-Prefer move > copy > glob > regex (simpler is better).
+Input:  source=mflix/README-JAVA-SPRING.md  target=README.md  repo=mongodb/sample-app-java-mflix
+Output: {"name":"mflix-readme","destination_repo":"mongodb/sample-app-java-mflix","destination_branch":"main","commit_strategy":"pull_request","transform_type":"copy","transform_from":"mflix/README-JAVA-SPRING.md","transform_to":"README.md","explanation":"Copies one specific README file and renames it in the destination."}
 
-You return JSON with these fields:
-- transform_type: "move" | "copy" | "glob" | "regex"
-- transform_from, transform_to: for move/copy
-- pattern, transform_template: for glob/regex
-- name: a kebab-case rule name (e.g., "agg-python-models")
-- destination_repo: the target repository (use the one the user provided, or infer from context)
-- destination_branch: optional, defaults to "main"
-- commit_strategy: "direct" or "pull_request" (default "pull_request")
-- explanation: 1-2 sentence plain-English justification
+Input:  source=agg/python/models/user.py  target=shared/python/models/user.py  repo=org/shared-examples
+Output: {"name":"agg-python","destination_repo":"org/shared-examples","destination_branch":"main","commit_strategy":"pull_request","transform_type":"glob","pattern":"agg/python/**/*.py","transform_template":"shared/python/${relative_path}","explanation":"Matches any .py file under agg/python and preserves the subdirectory structure under shared/python."}
 
-IMPORTANT: The generated rule MUST produce the user's target file when applied to their source file. Test your logic mentally before responding.`
+Input:  source=tutorials/v2/getting-started.mdx  target=docs/getting-started-v2.mdx  repo=org/docs-site
+Output: {"name":"tutorials-versioned","destination_repo":"org/docs-site","destination_branch":"main","commit_strategy":"pull_request","transform_type":"regex","pattern":"tutorials/v(?P<ver>[0-9]+)/(?P<slug>.+)\\.mdx","transform_template":"docs/${slug}-v${ver}.mdx","explanation":"Extracts version and slug from the source path and rebuilds the target filename with the version as a suffix."}`
 
+// askLLMForRule sends a structured prompt to the LLM and parses the JSON response.
+func (o *operatorUI) askLLMForRule(ctx context.Context, req operatorSuggestRuleRequest) (*llmSuggestedRule, error) {
 	userPrompt := fmt.Sprintf(`Generate a copier rule for this transformation:
 
 Source file: %s
@@ -149,7 +174,7 @@ Target repo: %s
 Return ONLY a JSON object with the fields documented above. No prose outside the JSON.`,
 		req.SourcePath, req.TargetPath, defaultIfEmpty(req.TargetRepo, "(user did not specify — use a placeholder like \"org/target-repo\")"))
 
-	raw, err := o.llm.GenerateJSON(ctx, systemPrompt, userPrompt)
+	raw, err := o.llm.GenerateJSON(ctx, SuggestRuleSystemPrompt, userPrompt)
 	if err != nil {
 		return nil, fmt.Errorf("LLM error: %w", err)
 	}

From daae2c99509585136ec2d75144ff200e99268f81 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 08:04:22 -0400
Subject: [PATCH 15/20] security(operator): fail closed on permission check;
 hash PATs in cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two security fixes called out in PR review:

1. Soft-fail on permission check granted writer on 404 → auth bypass.
   Previously, ANY error from /repos/.../collaborators/.../permission
   (including GitHub's 404 for "not a collaborator") returned the default
   writer role. Combined with --allow-unauthenticated on the Cloud Run
   service, any valid GitHub PAT got read access to audit logs, webhook
   traces, workflows, logs, and the AI suggester (real token cost).

   Now: only transient 5xx responses keep the writer role (so a GitHub
   outage doesn't lock every operator out). 404/401/403/network/parse
   errors all surface an error AND set RoleDenied. The distinction is
   carried by a new ghAPIError type that exposes StatusCode and
   IsTransient().

2. Raw PATs were live in the heap as cache keys for the 5-min TTL. A
   memory dump of the running Cloud Run instance would have leaked every
   active operator's token. Cache now keys on SHA-256 hex digests via
   hashToken(). Cache API unchanged — hashing happens at the boundary.

Also introduces githubAPIBaseURL (package var) so tests can point the GitHub
client at an httptest.Server. Not user-controllable, so SSRF posture is
unchanged (gosec clean).

Tests: full role-mapping matrix, explicit 404→denied and 5xx→writer cases,
and an assertion that raw PATs never appear as map keys.
---
 services/operator_auth.go      |  79 ++++++++---
 services/operator_auth_test.go | 230 +++++++++++++++++++++++++++++++++
 2 files changed, 292 insertions(+), 17 deletions(-)
 create mode 100644 services/operator_auth_test.go

diff --git a/services/operator_auth.go b/services/operator_auth.go
index 27d6e08..a313e91 100644
--- a/services/operator_auth.go
+++ b/services/operator_auth.go
@@ -2,7 +2,10 @@ package services
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -13,6 +16,34 @@ import (
 	"time"
 )
 
+// ghAPIError is returned by the GitHub API helper calls on any non-2xx
+// response. Callers can inspect StatusCode to distinguish transient 5xx
+// failures (should not flip authorization decisions) from 4xx responses
+// (definitive "no access").
+type ghAPIError struct {
+	StatusCode int
+	Body       string
+}
+
+func (e *ghAPIError) Error() string {
+	return fmt.Sprintf("GitHub API HTTP %d: %s", e.StatusCode, e.Body)
+}
+
+func (e *ghAPIError) IsTransient() bool { return e.StatusCode >= 500 }
+
+// hashToken returns the SHA-256 hex digest of a PAT. Used as the cache key so
+// raw tokens never sit in the process heap beyond the lifetime of a single
+// request — a memory dump of the running server won't leak active tokens.
+func hashToken(t string) string {
+	sum := sha256.Sum256([]byte(t))
+	return hex.EncodeToString(sum[:])
+}
+
+// githubAPIBaseURL is the base for GitHub REST API calls. Package var (rather
+// than a const) so tests can point it at an httptest.Server. Never set from
+// user input — the SSRF surface for ghAPIGet* is unchanged.
+var githubAPIBaseURL = "https://api.github.com"
+
 // ghUsernameRe matches valid GitHub usernames: alphanumeric + hyphens,
 // cannot start or end with a hyphen, max 39 chars. Used to reject hostile
 // input before it reaches URL construction for the GitHub API. (RE2 has no
@@ -71,10 +102,15 @@ func newGHAuthCache(ttl time.Duration) *ghAuthCache {
 	}
 }
 
+// Cache methods take raw tokens and hash them internally, so callers never
+// have to think about the token→digest boundary. Raw tokens never become
+// map keys.
+
 func (c *ghAuthCache) get(token string) (*OperatorUser, error, bool) {
+	key := hashToken(token)
 	c.mu.RLock()
 	defer c.mu.RUnlock()
-	e, ok := c.entries[token]
+	e, ok := c.entries[key]
 	if !ok || time.Now().After(e.expiresAt) {
 		return nil, nil, false
 	}
@@ -82,9 +118,10 @@ func (c *ghAuthCache) get(token string) (*OperatorUser, error, bool) {
 }
 
 func (c *ghAuthCache) set(token string, user *OperatorUser, err error) {
+	key := hashToken(token)
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	c.entries[token] = &ghAuthEntry{
+	c.entries[key] = &ghAuthEntry{
 		user:      user,
 		err:       err,
 		expiresAt: time.Now().Add(c.ttl),
@@ -101,7 +138,7 @@ func (c *ghAuthCache) set(token string, user *OperatorUser, err error) {
 }
 
 func (c *ghAuthCache) getRepoPerm(token, repo string) (string, error, bool) {
-	key := token + "\x00" + repo
+	key := hashToken(token) + "\x00" + repo
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 	e, ok := c.repoPerm[key]
@@ -112,7 +149,7 @@ func (c *ghAuthCache) getRepoPerm(token, repo string) (string, error, bool) {
 }
 
 func (c *ghAuthCache) setRepoPerm(token, repo, permission string, err error) {
-	key := token + "\x00" + repo
+	key := hashToken(token) + "\x00" + repo
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.repoPerm[key] = &ghRepoPermEntry{
@@ -180,13 +217,24 @@ func validateGitHubPAT(ctx context.Context, pat string, authRepo string) (*Opera
 		return nil, fmt.Errorf("OPERATOR_AUTH_REPO is not configured")
 	}
 
-	// 2. Check the user's permission on the auth repo
+	// 2. Check the user's permission on the auth repo.
+	//
+	// Authorization posture: only a transient GitHub outage (5xx) lets the
+	// caller through with the default writer role — otherwise a GitHub
+	// hiccup locks out every legitimate operator. Every other failure
+	// (404 "not a collaborator", 401/403, network error, parse error)
+	// denies access. This closes the "any valid PAT gets writer" hole that
+	// existed when we soft-failed on all errors.
 	perm, err := ghAPIGetRepoPermission(ctx, pat, authRepo, ghUser.Login)
 	if err != nil {
-		// If we can't check permissions (repo not found, no access), default to writer
-		LogWarning("GitHub permission check failed, defaulting to writer role",
-			"user", ghUser.Login, "repo", authRepo, "error", err)
-		return user, nil
+		var apiErr *ghAPIError
+		if errors.As(err, &apiErr) && apiErr.IsTransient() {
+			LogWarning("GitHub permission check transiently failed, keeping writer role",
+				"user", ghUser.Login, "repo", authRepo, "status", apiErr.StatusCode)
+			return user, nil
+		}
+		user.Role = RoleDenied
+		return user, fmt.Errorf("user %s has no access to %s: %w", ghUser.Login, authRepo, err)
 	}
 
 	// admin/maintain → operator; write/triage/read → writer. "write" is
@@ -214,7 +262,7 @@ type ghUserResponse struct {
 }
 
 func ghAPIGetUser(ctx context.Context, pat string) (*ghUserResponse, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.github.com/user", nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, githubAPIBaseURL+"/user", nil) // #nosec G107 -- githubAPIBaseURL is set by the binary, not user input
 	if err != nil {
 		return nil, err
 	}
@@ -229,11 +277,8 @@ func ghAPIGetUser(ctx context.Context, pat string) (*ghUserResponse, error) {
 	defer func() { _ = resp.Body.Close() }()
 	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
 
-	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
-		return nil, fmt.Errorf("invalid or expired GitHub token (HTTP %d)", resp.StatusCode)
-	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("GitHub API error: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
+		return nil, &ghAPIError{StatusCode: resp.StatusCode, Body: strings.TrimSpace(string(body))}
 	}
 
 	var user ghUserResponse
@@ -268,8 +313,8 @@ func ghAPIGetRepoPermission(ctx context.Context, pat string, repo string, userna
 		return "", fmt.Errorf("invalid username %q", username)
 	}
 	apiURL := fmt.Sprintf(
-		"https://api.github.com/repos/%s/%s/collaborators/%s/permission",
-		url.PathEscape(parts[0]), url.PathEscape(parts[1]), url.PathEscape(username),
+		"%s/repos/%s/%s/collaborators/%s/permission",
+		githubAPIBaseURL, url.PathEscape(parts[0]), url.PathEscape(parts[1]), url.PathEscape(username),
 	)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil) // #nosec G107 G704 -- host is hardcoded to api.github.com; path components validated above
 	if err != nil {
@@ -287,7 +332,7 @@ func ghAPIGetRepoPermission(ctx context.Context, pat string, repo string, userna
 	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
 
 	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("permission check: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
+		return "", &ghAPIError{StatusCode: resp.StatusCode, Body: strings.TrimSpace(string(body))}
 	}
 
 	var perm ghPermissionResponse
diff --git a/services/operator_auth_test.go b/services/operator_auth_test.go
new file mode 100644
index 0000000..8bac4c3
--- /dev/null
+++ b/services/operator_auth_test.go
@@ -0,0 +1,230 @@
+package services
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestHashToken(t *testing.T) {
+	a := hashToken("secret-pat-abc")
+	b := hashToken("secret-pat-abc")
+	c := hashToken("secret-pat-xyz")
+	if a != b {
+		t.Fatalf("same input must produce same digest: %s vs %s", a, b)
+	}
+	if a == c {
+		t.Fatalf("different inputs must produce different digests")
+	}
+	if strings.Contains(a, "secret") {
+		t.Fatalf("digest leaks plaintext: %s", a)
+	}
+	if len(a) != 64 {
+		t.Fatalf("expected 64-char sha256 hex digest, got %d chars", len(a))
+	}
+}
+
+func TestGHAPIError_IsTransient(t *testing.T) {
+	cases := []struct {
+		status    int
+		transient bool
+	}{
+		{http.StatusInternalServerError, true},
+		{http.StatusBadGateway, true},
+		{http.StatusServiceUnavailable, true},
+		{http.StatusNotFound, false},
+		{http.StatusUnauthorized, false},
+		{http.StatusForbidden, false},
+		{http.StatusBadRequest, false},
+	}
+	for _, tc := range cases {
+		e := &ghAPIError{StatusCode: tc.status}
+		if got := e.IsTransient(); got != tc.transient {
+			t.Errorf("status %d: IsTransient()=%v, want %v", tc.status, got, tc.transient)
+		}
+	}
+}
+
+func TestPermissionGrantsRead(t *testing.T) {
+	readers := []string{"admin", "maintain", "write", "triage", "read"}
+	nonReaders := []string{"", "none", "denied", "unknown"}
+	for _, p := range readers {
+		if !permissionGrantsRead(p) {
+			t.Errorf("permission %q must grant read", p)
+		}
+	}
+	for _, p := range nonReaders {
+		if permissionGrantsRead(p) {
+			t.Errorf("permission %q must NOT grant read", p)
+		}
+	}
+}
+
+// stubGitHub replaces githubAPIBaseURL with an httptest.Server that returns
+// the given /user and /permission responses. Returns a cleanup func.
+type stubResponses struct {
+	userStatus int
+	userBody   string
+	permStatus int
+	permBody   string
+}
+
+func stubGitHub(t *testing.T, rs stubResponses) func() {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.URL.Path == "/user":
+			w.WriteHeader(rs.userStatus)
+			_, _ = w.Write([]byte(rs.userBody))
+		case strings.HasPrefix(r.URL.Path, "/repos/") && strings.HasSuffix(r.URL.Path, "/permission"):
+			w.WriteHeader(rs.permStatus)
+			_, _ = w.Write([]byte(rs.permBody))
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	}))
+	prev := githubAPIBaseURL
+	githubAPIBaseURL = srv.URL
+	return func() {
+		githubAPIBaseURL = prev
+		srv.Close()
+	}
+}
+
+func TestValidateGitHubPAT_RoleMapping(t *testing.T) {
+	cases := []struct {
+		name     string
+		perm     string
+		wantRole OperatorRole
+		wantErr  bool
+	}{
+		{"admin maps to operator", "admin", RoleOperator, false},
+		{"maintain maps to operator", "maintain", RoleOperator, false},
+		{"write maps to writer (not operator)", "write", RoleWriter, false},
+		{"triage maps to writer", "triage", RoleWriter, false},
+		{"read maps to writer", "read", RoleWriter, false},
+		{"unknown permission denies", "mystery", RoleDenied, true},
+		{"empty permission denies", "", RoleDenied, true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cleanup := stubGitHub(t, stubResponses{
+				userStatus: http.StatusOK,
+				userBody:   `{"login":"alice","avatar_url":"https://example.com/a.png"}`,
+				permStatus: http.StatusOK,
+				permBody:   fmt.Sprintf(`{"permission":%q}`, tc.perm),
+			})
+			defer cleanup()
+
+			user, err := validateGitHubPAT(context.Background(), "pat-123", "org/repo")
+			if tc.wantErr && err == nil {
+				t.Fatalf("want error for perm=%q, got none", tc.perm)
+			}
+			if !tc.wantErr && err != nil {
+				t.Fatalf("unexpected error for perm=%q: %v", tc.perm, err)
+			}
+			if user == nil {
+				t.Fatalf("want non-nil user")
+			}
+			if user.Role != tc.wantRole {
+				t.Errorf("perm=%q: role=%q, want %q", tc.perm, user.Role, tc.wantRole)
+			}
+		})
+	}
+}
+
+// Critical test for the review finding: a 404 from the permission check must
+// deny access (not soft-fail to writer). This prevents "any valid PAT → writer".
+func TestValidateGitHubPAT_PermissionCheck404_Denies(t *testing.T) {
+	cleanup := stubGitHub(t, stubResponses{
+		userStatus: http.StatusOK,
+		userBody:   `{"login":"mallory","avatar_url":""}`,
+		permStatus: http.StatusNotFound,
+		permBody:   `{"message":"Not Found"}`,
+	})
+	defer cleanup()
+
+	user, err := validateGitHubPAT(context.Background(), "pat-xyz", "org/repo")
+	if err == nil {
+		t.Fatalf("want error when user is not a collaborator (404), got nil")
+	}
+	if user == nil || user.Role != RoleDenied {
+		var role OperatorRole
+		if user != nil {
+			role = user.Role
+		}
+		t.Fatalf("want RoleDenied on 404, got %q", role)
+	}
+}
+
+// 5xx from GitHub is treated as transient — users keep their default writer
+// role so a GitHub outage doesn't lock everyone out. The audit log captures
+// the event; the cache TTL bounds exposure.
+func TestValidateGitHubPAT_PermissionCheck5xx_KeepsWriter(t *testing.T) {
+	cleanup := stubGitHub(t, stubResponses{
+		userStatus: http.StatusOK,
+		userBody:   `{"login":"bob","avatar_url":""}`,
+		permStatus: http.StatusInternalServerError,
+		permBody:   `upstream error`,
+	})
+	defer cleanup()
+
+	user, err := validateGitHubPAT(context.Background(), "pat-abc", "org/repo")
+	if err != nil {
+		t.Fatalf("5xx must not surface an error to the caller (soft-fail): %v", err)
+	}
+	if user == nil || user.Role != RoleWriter {
+		var role OperatorRole
+		if user != nil {
+			role = user.Role
+		}
+		t.Fatalf("want RoleWriter on 5xx soft-fail, got %q", role)
+	}
+}
+
+// An invalid / expired PAT (401 on /user) must deny, not soft-fail.
+func TestValidateGitHubPAT_UserLookup401_Denies(t *testing.T) {
+	cleanup := stubGitHub(t, stubResponses{
+		userStatus: http.StatusUnauthorized,
+		userBody:   `{"message":"Bad credentials"}`,
+	})
+	defer cleanup()
+
+	user, err := validateGitHubPAT(context.Background(), "expired-pat", "org/repo")
+	if err == nil {
+		t.Fatalf("want error for invalid PAT (401), got nil")
+	}
+	if user != nil {
+		t.Errorf("want nil user on failed token validation, got %+v", user)
+	}
+
+	var apiErr *ghAPIError
+	if !errors.As(err, &apiErr) {
+		t.Errorf("want wrapped ghAPIError, got %T: %v", err, err)
+	} else if apiErr.StatusCode != http.StatusUnauthorized {
+		t.Errorf("want StatusCode=401, got %d", apiErr.StatusCode)
+	}
+}
+
+func TestGHAuthCache_UsesHashedKeys(t *testing.T) {
+	c := newGHAuthCache(5 * 60)
+	pat := "super-secret-pat-12345"
+	user := &OperatorUser{Login: "alice", Role: RoleOperator}
+	c.set(pat, user, nil)
+
+	// The raw token must not appear as a key — only its sha256 digest.
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	for k := range c.entries {
+		if strings.Contains(k, pat) {
+			t.Fatalf("cache key leaks raw PAT: %q", k)
+		}
+	}
+	if _, ok := c.entries[hashToken(pat)]; !ok {
+		t.Fatalf("expected cache entry under hashed key")
+	}
+}

From 5e8ab6799cb72ca6e49b07e59703c2d73f56e4d2 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 08:07:25 -0400
Subject: [PATCH 16/20] perf(operator): rate-limit /suggest-rule and cache
 /llm/status ping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two LLM cost controls flagged in PR review:

1. /operator/api/suggest-rule was unbounded per PAT — combined with the
   earlier soft-fail auth hole, any valid GitHub user could have spent
   Anthropic tokens at will. Adds a fixed-window rate limiter keyed by
   hashed PAT at 30 calls/hour/user. Denied requests return 429 with a
   Retry-After header. Normal usage is well under the cap.

2. /operator/api/llm/status was issuing a real /v1/messages call on every
   refresh (1 input + 1 output Anthropic token). Writers poll this tab for
   the connection indicator, so on a busy dashboard that added up. Cache
   the ping outcome for 30s; settings mutations (SetActiveModel / SetBaseURL)
   invalidate the entry so operators see fresh state after a change.

tokenBucket and llmPingCache are small internal types in operator_ratelimit.go
and operator_ui.go respectively. Eviction of rate-limit buckets is
opportunistic (soft cap at 256) — matches the existing ghAuthCache pattern.
---
 services/operator_llm_admin.go      | 23 +++++++++-
 services/operator_ratelimit.go      | 65 +++++++++++++++++++++++++++++
 services/operator_ratelimit_test.go | 47 +++++++++++++++++++++
 services/operator_suggest_rule.go   | 16 +++++++
 services/operator_ui.go             | 39 +++++++++++++++++
 5 files changed, 188 insertions(+), 2 deletions(-)
 create mode 100644 services/operator_ratelimit.go
 create mode 100644 services/operator_ratelimit_test.go

diff --git a/services/operator_llm_admin.go b/services/operator_llm_admin.go
index 3cb7937..2582d27 100644
--- a/services/operator_llm_admin.go
+++ b/services/operator_llm_admin.go
@@ -39,8 +39,18 @@ func (o *operatorUI) handleLLMStatus(w http.ResponseWriter, r *http.Request) {
 
 	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 	defer cancel()
-	if err := o.llm.Ping(ctx); err != nil {
-		out["error"] = err.Error()
+
+	// Cache the ping outcome for 30s. For Anthropic this saves real tokens
+	// (every refresh of the status tab used to hit /v1/messages); for
+	// Ollama it saves an /api/tags round-trip. handleLLMSettings clears the
+	// entry when base URL / model change so operators see fresh state.
+	pingErr, ok := o.llmPing.get(30 * time.Second)
+	if !ok {
+		pingErr = o.llm.Ping(ctx)
+		o.llmPing.set(pingErr)
+	}
+	if pingErr != nil {
+		out["error"] = pingErr.Error()
 		_ = json.NewEncoder(w).Encode(out)
 		return
 	}
@@ -81,11 +91,20 @@ func (o *operatorUI) handleLLMSettings(w http.ResponseWriter, r *http.Request) {
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid json"})
 		return
 	}
+	changed := false
 	if m := strings.TrimSpace(req.ActiveModel); m != "" {
 		o.llm.SetActiveModel(m)
+		changed = true
 	}
 	if u := strings.TrimSpace(req.BaseURL); u != "" {
 		o.llm.SetBaseURL(u)
+		changed = true
+	}
+	// Invalidate the ping cache on mutation so the next /llm/status call
+	// re-checks liveness against the new config — otherwise an operator
+	// flipping the URL sees a stale "connected" line for up to 30s.
+	if changed {
+		o.llmPing.invalidate()
 	}
 	_ = json.NewEncoder(w).Encode(map[string]any{
 		"active_model": o.llm.GetActiveModel(),
diff --git a/services/operator_ratelimit.go b/services/operator_ratelimit.go
new file mode 100644
index 0000000..5c15267
--- /dev/null
+++ b/services/operator_ratelimit.go
@@ -0,0 +1,65 @@
+package services
+
+import (
+	"sync"
+	"time"
+)
+
+// tokenBucket is a trivial fixed-window rate limiter keyed by opaque string
+// (typically a hashed PAT digest). Not a strict token-bucket in the
+// telecom sense — a fixed-window counter is good enough to cap LLM cost
+// per operator, and is cheaper to reason about than leaky-bucket math.
+//
+// Eviction happens opportunistically on writes once the map grows past a
+// soft cap; there's no background goroutine.
+type tokenBucket struct {
+	mu      sync.Mutex
+	buckets map[string]*bucketState
+	max     int
+	window  time.Duration
+}
+
+type bucketState struct {
+	remaining int
+	resetAt   time.Time
+}
+
+func newTokenBucket(max int, window time.Duration) *tokenBucket {
+	return &tokenBucket{
+		buckets: make(map[string]*bucketState),
+		max:     max,
+		window:  window,
+	}
+}
+
+// Allow decrements the caller's remaining allowance for the current window.
+// Returns (allowed, resetAt). resetAt is always non-zero so callers can
+// surface a Retry-After hint regardless of the allow/deny decision.
+func (t *tokenBucket) Allow(key string) (bool, time.Time) {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	now := time.Now()
+	b, ok := t.buckets[key]
+	if !ok || now.After(b.resetAt) {
+		reset := now.Add(t.window)
+		t.buckets[key] = &bucketState{remaining: t.max - 1, resetAt: reset}
+		t.evictExpiredLocked(now)
+		return true, reset
+	}
+	if b.remaining <= 0 {
+		return false, b.resetAt
+	}
+	b.remaining--
+	return true, b.resetAt
+}
+
+func (t *tokenBucket) evictExpiredLocked(now time.Time) {
+	if len(t.buckets) < 256 {
+		return
+	}
+	for k, b := range t.buckets {
+		if now.After(b.resetAt) {
+			delete(t.buckets, k)
+		}
+	}
+}
diff --git a/services/operator_ratelimit_test.go b/services/operator_ratelimit_test.go
new file mode 100644
index 0000000..73bc2e1
--- /dev/null
+++ b/services/operator_ratelimit_test.go
@@ -0,0 +1,47 @@
+package services
+
+import (
+	"testing"
+	"time"
+)
+
+func TestTokenBucket_AllowsUpToMax(t *testing.T) {
+	b := newTokenBucket(3, time.Hour)
+	for i := 0; i < 3; i++ {
+		if ok, _ := b.Allow("key-a"); !ok {
+			t.Fatalf("call %d: want allowed", i+1)
+		}
+	}
+	if ok, reset := b.Allow("key-a"); ok {
+		t.Fatalf("4th call must be denied")
+	} else if reset.IsZero() {
+		t.Errorf("denied call must return non-zero resetAt so we can populate Retry-After")
+	}
+}
+
+func TestTokenBucket_SeparateKeys(t *testing.T) {
+	b := newTokenBucket(1, time.Hour)
+	if ok, _ := b.Allow("alice"); !ok {
+		t.Fatalf("alice first call must be allowed")
+	}
+	if ok, _ := b.Allow("bob"); !ok {
+		t.Fatalf("bob must have his own bucket; first call must be allowed")
+	}
+	if ok, _ := b.Allow("alice"); ok {
+		t.Fatalf("alice second call must be denied")
+	}
+}
+
+func TestTokenBucket_ResetsAfterWindow(t *testing.T) {
+	b := newTokenBucket(1, 10*time.Millisecond)
+	if ok, _ := b.Allow("k"); !ok {
+		t.Fatalf("first call must be allowed")
+	}
+	if ok, _ := b.Allow("k"); ok {
+		t.Fatalf("second call within window must be denied")
+	}
+	time.Sleep(15 * time.Millisecond)
+	if ok, _ := b.Allow("k"); !ok {
+		t.Fatalf("after window elapses, a new allowance must start")
+	}
+}
diff --git a/services/operator_suggest_rule.go b/services/operator_suggest_rule.go
index 6c242c0..30ebc31 100644
--- a/services/operator_suggest_rule.go
+++ b/services/operator_suggest_rule.go
@@ -66,6 +66,22 @@ func (o *operatorUI) handleSuggestRule(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Per-PAT rate limit caps Anthropic token spend per operator. Keyed by
+	// hashed PAT so the bucket survives across cache evictions of the full
+	// user record and can't be leaked by a memory dump.
+	if pat := bearerToken(r); pat != "" && o.suggestLimiter != nil {
+		allowed, resetAt := o.suggestLimiter.Allow(hashToken(pat))
+		if !allowed {
+			retry := time.Until(resetAt).Round(time.Second)
+			w.Header().Set("Retry-After", fmt.Sprintf("%d", int(retry.Seconds())))
+			w.WriteHeader(http.StatusTooManyRequests)
+			_ = json.NewEncoder(w).Encode(operatorSuggestRuleResponse{
+				Error: fmt.Sprintf("rate limit exceeded — try again in %s", retry),
+			})
+			return
+		}
+	}
+
 	body, err := io.ReadAll(io.LimitReader(r.Body, 4096))
 	if err != nil {
 		w.WriteHeader(http.StatusBadRequest)
diff --git a/services/operator_ui.go b/services/operator_ui.go
index 36abf22..0feeb60 100644
--- a/services/operator_ui.go
+++ b/services/operator_ui.go
@@ -34,6 +34,9 @@ func RegisterOperatorRoutes(mux *http.ServeMux, cfg *configs.Config, container *
 		container: container,
 		version:   version,
 		ghCache:   newGHAuthCache(5 * time.Minute),
+		// 30 suggestions/hour/PAT caps Anthropic spend per operator. Normal
+		// usage is well under this; a misbehaving client can't rack up a bill.
+		suggestLimiter: newTokenBucket(30, time.Hour),
 	}
 	// Always create the LLM client; availability is checked dynamically via Ping.
 	// Operators can change the active model and base URL from the UI without restart.
@@ -80,6 +83,42 @@ type operatorUI struct {
 	replayInFlight sync.Map     // key: "owner/repo#pr" → prevents concurrent replays
 	ghCache        *ghAuthCache // GitHub PAT validation + per-repo permission cache
 	llm            LLMClient    // optional: enabled when cfg.LLMEnabled is true
+	suggestLimiter *tokenBucket // per-PAT rate limit for /api/suggest-rule (LLM cost cap)
+	llmPing        llmPingCache // cached Ping() result so /llm/status doesn't burn tokens on every refresh
+}
+
+// llmPingCache memoises the most recent LLMClient.Ping() outcome. Status-tab
+// refreshes don't need fresh liveness data more than once every 30s, and
+// each uncached ping costs one input + one output Anthropic token.
+type llmPingCache struct {
+	mu        sync.RWMutex
+	err       error
+	checkedAt time.Time
+}
+
+func (p *llmPingCache) get(ttl time.Duration) (err error, ok bool) {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	if p.checkedAt.IsZero() || time.Since(p.checkedAt) > ttl {
+		return nil, false
+	}
+	return p.err, true
+}
+
+func (p *llmPingCache) set(err error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.err = err
+	p.checkedAt = time.Now()
+}
+
+// invalidate forces the next get() to miss, so operators who change the
+// base URL or active model see fresh liveness state on the next refresh.
+func (p *llmPingCache) invalidate() {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.err = nil
+	p.checkedAt = time.Time{}
 }
 
 // operatorUserCtxKey is the context key for the authenticated operator user.

From 9b23db54d974a9e756c8d3d8200edaaed7bcd036 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 08:15:20 -0400
Subject: [PATCH 17/20] review: address review-medium and polish items

- handleRepoPermission: return {allowed, error?} per repo instead of a
  raw bool map. The frontend now shows GitHub rate-limit / transient
  errors in replay-button tooltips instead of generic "no access". UI
  keeps boolean-shape compat for partial rollouts. (review #7)

- githubCreateVersionTag: apply the same ghUsernameRe / ghRepoNameRe
  whitelist + url.PathEscape treatment ghAPIGetRepoPermission already
  uses. Also add a ghBranchNameRe check. Env-vars only today, but keeps
  the SSRF hardening story consistent across the package. (review #8)

- sharedGithubHTTPClient package var replaces per-call allocation in
  githubHTTPClient(). (review minor)

- ReleaseAPIMode typed string with ReleaseAPIDisabled /
  ReleaseAPITagCreateEnabled constants. (review minor)

- truncate() is now rune-aware so multi-byte LLM output isn't cut
  mid-glyph in error logs. (review minor)

- Replay delivery IDs append a 3-byte random suffix so two replays in
  the same millisecond can't collide on the trace ring. (review minor)

- Anthropic fallback model list trimmed to one stable alias
  (claude-haiku-4-5). Listing rotating dated IDs here ships dead
  dropdown options on every Claude release. (review #9)

- Normalize the Anthropic default model to the aliased form
  ("claude-haiku-4-5") in configs/environment.go and llm_anthropic.go
  so every default path matches ci.yml and env-cloudrun.yaml. (review #10)

- AI settings UI hint calls out that settings are process-global,
  affect all operators, and revert on restart. Fixes the "two operators
  clobber each other silently" footgun. (review #5)
---
 configs/environment.go            |  2 +-
 services/llm_anthropic.go         | 11 ++--
 services/operator_suggest_rule.go |  8 ++-
 services/operator_ui.go           | 91 +++++++++++++++++++++++++------
 services/web/operator/index.html  | 28 +++++++---
 5 files changed, 109 insertions(+), 31 deletions(-)

diff --git a/configs/environment.go b/configs/environment.go
index 14c7329..9223fad 100644
--- a/configs/environment.go
+++ b/configs/environment.go
@@ -278,7 +278,7 @@ func LoadEnvironment(envFile string) (*Config, error) {
 	// Per-provider defaults: Ollama runs locally, Anthropic is hosted.
 	if config.LLMProvider == "anthropic" {
 		config.LLMBaseURL = getEnvWithDefault(LLMBaseURL, "https://api.anthropic.com")
-		config.LLMModel = getEnvWithDefault(LLMModel, "claude-haiku-4-5-20251001")
+		config.LLMModel = getEnvWithDefault(LLMModel, "claude-haiku-4-5")
 	} else {
 		config.LLMBaseURL = getEnvWithDefault(LLMBaseURL, "http://localhost:11434")
 		config.LLMModel = getEnvWithDefault(LLMModel, "qwen2.5-coder:7b")
diff --git a/services/llm_anthropic.go b/services/llm_anthropic.go
index cf7b13c..ad8a609 100644
--- a/services/llm_anthropic.go
+++ b/services/llm_anthropic.go
@@ -22,11 +22,12 @@ const anthropicAPIVersion = "2023-06-01"
 const defaultAnthropicBaseURL = "https://api.anthropic.com"
 
 // anthropicFallbackModels is used when /v1/models returns an empty list or
-// errors; keeps the UI usable with a known-good default set.
+// errors (e.g. behind a gateway that doesn't expose it). Kept deliberately
+// minimal — listing every model here means every rotation ships dead
+// dropdown options. Aliased names route to the current dated release, so
+// this single entry stays valid across point releases.
 var anthropicFallbackModels = []LLMModel{
-	{Name: "claude-opus-4-7"},
-	{Name: "claude-sonnet-4-6"},
-	{Name: "claude-haiku-4-5-20251001"},
+	{Name: "claude-haiku-4-5"},
 }
 
 type anthropicClient struct {
@@ -42,7 +43,7 @@ func newAnthropicClient(baseURL, model, apiKey string) *anthropicClient {
 		baseURL = defaultAnthropicBaseURL
 	}
 	if strings.TrimSpace(model) == "" {
-		model = "claude-haiku-4-5-20251001"
+		model = "claude-haiku-4-5"
 	}
 	return &anthropicClient{
 		baseURL: strings.TrimSuffix(baseURL, "/"),
diff --git a/services/operator_suggest_rule.go b/services/operator_suggest_rule.go
index 30ebc31..b1397f1 100644
--- a/services/operator_suggest_rule.go
+++ b/services/operator_suggest_rule.go
@@ -357,9 +357,13 @@ func defaultIfEmpty(s, def string) string {
 	return s
 }
 
+// truncate shortens s to at most n runes, appending an ellipsis when cut.
+// Rune-aware (not byte-aware) so multi-byte glyphs in LLM output aren't
+// cut in half when we truncate for logging.
 func truncate(s string, n int) string {
-	if len(s) <= n {
+	runes := []rune(s)
+	if len(runes) <= n {
 		return s
 	}
-	return s[:n] + "…"
+	return string(runes[:n]) + "…"
 }
diff --git a/services/operator_ui.go b/services/operator_ui.go
index 0feeb60..6300e56 100644
--- a/services/operator_ui.go
+++ b/services/operator_ui.go
@@ -3,11 +3,14 @@ package services
 import (
 	"bytes"
 	"context"
+	"crypto/rand"
 	_ "embed"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"os"
 	"regexp"
 	"strconv"
@@ -244,7 +247,16 @@ func (o *operatorUI) handleRepoPermission(w http.ResponseWriter, r *http.Request
 		return
 	}
 	repos := strings.Split(reposParam, ",")
-	result := make(map[string]bool, len(repos))
+
+	// Per-repo result: Allowed + optional Error. Surfacing the error lets
+	// the frontend distinguish "user genuinely can't read this repo" from
+	// "GitHub rate limited us" so disabled replay buttons can carry an
+	// actionable tooltip instead of an opaque gray state.
+	type repoPerm struct {
+		Allowed bool   `json:"allowed"`
+		Error   string `json:"error,omitempty"`
+	}
+	result := make(map[string]repoPerm, len(repos))
 
 	user := operatorUserFromCtx(r)
 	userPAT := bearerToken(r)
@@ -261,8 +273,12 @@ func (o *operatorUI) handleRepoPermission(w http.ResponseWriter, r *http.Request
 		if repo == "" {
 			continue
 		}
-		canRead, _ := o.ghCache.CanUserReadRepo(ctx, userPAT, user.Login, repo)
-		result[repo] = canRead
+		canRead, err := o.ghCache.CanUserReadRepo(ctx, userPAT, user.Login, repo)
+		entry := repoPerm{Allowed: canRead}
+		if err != nil {
+			entry.Error = err.Error()
+		}
+		result[repo] = entry
 	}
 	_ = json.NewEncoder(w).Encode(map[string]any{"permissions": result})
 }
@@ -486,19 +502,33 @@ type OperatorDeploymentInfo struct {
 	ConfigRepo         string            `json:"config_repo,omitempty"`
 	EffectiveConfig    string            `json:"effective_config_file,omitempty"`
 	OperatorRepoSlug   string            `json:"operator_repo_slug,omitempty"`
-	ReleaseAPIMode     string            `json:"release_api_mode"`
+	ReleaseAPIMode     ReleaseAPIMode    `json:"release_api_mode"`
 	Env                map[string]string `json:"cloud_env,omitempty"`
 }
 
+// ReleaseAPIMode describes whether the operator UI can cut a release tag.
+// Typed so the set of possible values is discoverable from the type alone
+// and so the frontend can switch on a known enum instead of a free string.
+type ReleaseAPIMode string
+
+const (
+	// ReleaseAPIDisabled — neither OPERATOR_RELEASE_GITHUB_TOKEN nor
+	// OPERATOR_REPO_SLUG is configured; the UI hides the release button.
+	ReleaseAPIDisabled ReleaseAPIMode = "disabled"
+	// ReleaseAPITagCreateEnabled — both are configured; the UI shows the
+	// release flow and /api/release will attempt to create a tag ref.
+	ReleaseAPITagCreateEnabled ReleaseAPIMode = "tag_create_enabled"
+)
+
 func (o *operatorUI) handleDeployment(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		w.WriteHeader(http.StatusMethodNotAllowed)
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": "method not allowed"})
 		return
 	}
-	releaseMode := "disabled"
+	releaseMode := ReleaseAPIDisabled
 	if o.cfg.OperatorReleaseGitHubToken != "" && o.cfg.OperatorRepoSlug != "" {
-		releaseMode = "tag_create_enabled"
+		releaseMode = ReleaseAPITagCreateEnabled
 	}
 	info := OperatorDeploymentInfo{
 		Version:            o.version,
@@ -774,7 +804,12 @@ func (o *operatorUI) handleReplay(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Dispatch replay in background (same path as real webhook processing)
-	deliveryID := fmt.Sprintf("replay-%d", time.Now().UnixMilli())
+	// Millisecond timestamps alone collide when two operators replay in the
+	// same ms (rare but observed in tests). Append a short random suffix so
+	// the delivery ID is unique across concurrent replays on the same revision.
+	var rnd [3]byte
+	_, _ = rand.Read(rnd[:])
+	deliveryID := fmt.Sprintf("replay-%d-%s", time.Now().UnixMilli(), hex.EncodeToString(rnd[:]))
 	baseBranch := strings.TrimSpace(req.Branch)
 
 	LogInfo("operator replay requested",
@@ -835,14 +870,37 @@ func firstEnv(keys ...string) string {
 	return ""
 }
 
+// ghBranchNameRe matches branch names permitted by GitHub: no spaces, control
+// chars, or the handful of reserved characters (~ ^ : ? * [ \). The regex is
+// intentionally narrower than GitHub's full rules — it's a defense-in-depth
+// check before we embed the value in an API path, not a validator.
+var ghBranchNameRe = regexp.MustCompile(`^[A-Za-z0-9._/-]{1,120}$`)
+
 func githubCreateVersionTag(ctx context.Context, pat, repoSlug, baseBranch, version string) (ref string, sha string, err error) {
 	parts := strings.SplitN(strings.TrimSpace(repoSlug), "/", 2)
 	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
 		return "", "", fmt.Errorf("invalid OPERATOR_REPO_SLUG (want owner/repo)")
 	}
 	owner, repo := parts[0], parts[1]
-	baseURL := fmt.Sprintf("https://api.github.com/repos/%s/%s/git/ref/heads/%s", owner, repo, baseBranch)
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL, nil)
+	// Defense-in-depth: even though these come from env vars and not user
+	// input, validate them against the same whitelists ghAPIGetRepoPermission
+	// uses before embedding in API paths. Apply url.PathEscape for the same
+	// reason. Keeps the gosec story consistent across the package.
+	if !ghUsernameRe.MatchString(owner) {
+		return "", "", fmt.Errorf("invalid owner in OPERATOR_REPO_SLUG %q", repoSlug)
+	}
+	if !ghRepoNameRe.MatchString(repo) {
+		return "", "", fmt.Errorf("invalid repo name in OPERATOR_REPO_SLUG %q", repoSlug)
+	}
+	if !ghBranchNameRe.MatchString(baseBranch) {
+		return "", "", fmt.Errorf("invalid OPERATOR_RELEASE_TARGET_BRANCH %q", baseBranch)
+	}
+	baseURL := fmt.Sprintf(
+		"%s/repos/%s/%s/git/ref/heads/%s",
+		githubAPIBaseURL,
+		url.PathEscape(owner), url.PathEscape(repo), url.PathEscape(baseBranch),
+	)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL, nil) // #nosec G107 -- githubAPIBaseURL is binary-controlled; path components validated above
 	if err != nil {
 		return "", "", err
 	}
@@ -850,7 +908,7 @@ func githubCreateVersionTag(ctx context.Context, pat, repoSlug, baseBranch, vers
 	req.Header.Set("Accept", "application/vnd.github+json")
 	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
 
-	resp, err := githubHTTPClient().Do(req)
+	resp, err := sharedGithubHTTPClient.Do(req)
 	if err != nil {
 		return "", "", err
 	}
@@ -878,8 +936,8 @@ func githubCreateVersionTag(ctx context.Context, pat, repoSlug, baseBranch, vers
 	if err != nil {
 		return "", "", err
 	}
-	postURL := fmt.Sprintf("https://api.github.com/repos/%s/%s/git/refs", owner, repo)
-	postReq, err := http.NewRequestWithContext(ctx, http.MethodPost, postURL, bytes.NewReader(buf))
+	postURL := fmt.Sprintf("%s/repos/%s/%s/git/refs", githubAPIBaseURL, url.PathEscape(owner), url.PathEscape(repo))
+	postReq, err := http.NewRequestWithContext(ctx, http.MethodPost, postURL, bytes.NewReader(buf)) // #nosec G107 -- githubAPIBaseURL is binary-controlled; path components validated above
 	if err != nil {
 		return "", "", err
 	}
@@ -888,7 +946,7 @@ func githubCreateVersionTag(ctx context.Context, pat, repoSlug, baseBranch, vers
 	postReq.Header.Set("Content-Type", "application/json")
 	postReq.Header.Set("X-GitHub-Api-Version", "2022-11-28")
 
-	postResp, err := githubHTTPClient().Do(postReq)
+	postResp, err := sharedGithubHTTPClient.Do(postReq)
 	if err != nil {
 		return "", "", err
 	}
@@ -909,6 +967,7 @@ func githubCreateVersionTag(ctx context.Context, pat, repoSlug, baseBranch, vers
 	return created.Ref, created.Object.SHA, nil
 }
 
-func githubHTTPClient() *http.Client {
-	return &http.Client{Timeout: 25 * time.Second}
-}
+// sharedGithubHTTPClient is reused for all operator-originated GitHub API
+// calls (release tagging, etc.). Reusing one *http.Client amortizes the
+// underlying transport's connection pool.
+var sharedGithubHTTPClient = &http.Client{Timeout: 25 * time.Second}
diff --git a/services/web/operator/index.html b/services/web/operator/index.html
index b490b64..3f322ce 100644
--- a/services/web/operator/index.html
+++ b/services/web/operator/index.html
@@ -519,7 +519,7 @@ <h3 class="small" style="margin:0.65rem 0 0.3rem">By rule</h3>
         <span class="refreshed" id="aiSettingsRefreshed"></span>
       </div>
       <div class="sb">
-        <p class="hint" style="margin-top:0" id="aiSettingsHint">Configure the LLM provider for the AI rule suggester. Settings are in-memory and reset on server restart.</p>
+        <p class="hint" style="margin-top:0" id="aiSettingsHint">Configure the LLM provider for the AI rule suggester. <strong>Settings are process-global:</strong> changes affect every operator using this revision, apply immediately, and revert to env-var defaults on restart. Coordinate with other operators before changing the active model or base URL.</p>
         <div class="row">
           <button type="button" id="aiRefreshStatus">Refresh status</button>
         </div>
@@ -1046,13 +1046,21 @@ <h3>Keyboard shortcuts</h3>
 
 /* ── Webhook traces with client-side filter/search (#4, #9) ── */
 var _traceData=[];
-// Map of repo -> bool (true = user has read access). Populated after loading traces.
-// In token mode, every repo is true. In github mode, only repos the user has access to.
+// Map of repo -> {allowed:boolean, error?:string}. Populated after loading traces.
+// The error field (if present) lets tooltips distinguish "user genuinely can't
+// read this repo" from transient GitHub API failures.
 var _repoPerm={};
 function traceOutcomeClass(o){if(!o)return'';if(o==='processed_ok')return'ok';if(o==='duplicate_delivery'||o==='skipped_not_merged_pr'||o==='ignored_non_pull_request')return'warn';return'fail';}
 function canReplayRepo(repo){
-  // If we haven't checked yet (undefined), assume yes. If checked and false, disable.
-  return _repoPerm[repo]!==false;
+  // If we haven't checked yet (undefined), assume yes. If checked and not allowed, disable.
+  var p=_repoPerm[repo];
+  if(p===undefined)return true;
+  return !!p.allowed;
+}
+function replayDisabledReason(repo){
+  var p=_repoPerm[repo];
+  if(!p||p.allowed)return '';
+  return p.error||('You do not have GitHub access to '+repo);
 }
 function renderTraces(){
   var outcomeF=$('traceOutcome').value,searchF=$('traceSearch').value.toLowerCase().trim();
@@ -1066,7 +1074,7 @@ <h3>Keyboard shortcuts</h3>
     var replayBtn='';
     if(row.repo&&row.pr_number&&row.base_branch){
       var allowed=canReplayRepo(row.repo);
-      var disAttrs=allowed?'':' disabled title="You do not have GitHub access to '+escapeHtml(row.repo)+'"';
+      var disAttrs=allowed?'':' disabled title="'+escapeHtml(replayDisabledReason(row.repo))+'"';
       var onClick=allowed?'event.stopPropagation();confirmReplay('+escapeHtml(JSON.stringify(row.repo))+','+row.pr_number+','+escapeHtml(JSON.stringify(row.base_branch))+','+escapeHtml(JSON.stringify(row.commit_sha||''))+')':'event.stopPropagation()';
       replayBtn='<button class="btn-sm operator-only" onclick="'+onClick+'"'+disAttrs+'>Replay</button>';
     }
@@ -1095,7 +1103,13 @@ <h3>Keyboard shortcuts</h3>
     if(!res.ok)return;
     var body=await res.json();
     var perms=body.permissions||{};
-    Object.keys(perms).forEach(function(r){_repoPerm[r]=!!perms[r];});
+    Object.keys(perms).forEach(function(r){
+      // New shape: {allowed, error?}. Fall back to boolean for compatibility
+      // with older server builds during a partial rollout.
+      var v=perms[r];
+      if(typeof v==='boolean')_repoPerm[r]={allowed:v};
+      else _repoPerm[r]=v||{allowed:false};
+    });
     renderTraces(); // Re-render to update button states
   }catch(e){}
 }

From 14c9d290bb3a9c489fbba8edae86bcadab89b5bc Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 08:16:33 -0400
Subject: [PATCH 18/20] test(operator): cover verifySuggestedRule, llm client
 dispatch, helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses PR review #6 — the security-critical surface had zero tests.
Adds table-driven coverage for:

- verifySuggestedRule, the invariant the AI suggester depends on to
  decide whether to show a "not verified" warning. Covers every
  transform type (move/copy/glob/regex), pattern mismatches, target
  mismatches, and invalid regex.
- NewLLMClient dispatch: empty/ollama/anthropic/unsupported, plus the
  "anthropic provider requires ANTHROPIC_API_KEY" guard.
- anthropic client getters/setters and ErrModelManagementNotSupported
  returned by PullModel / DeleteModel.
- stripJSONFences edge cases (fenced, unfenced, nested JSON).
- Rune-aware truncate (multi-byte glyphs not cut mid-byte).

The earlier operator_auth_test.go covers validateGitHubPAT role mapping
and the 404→denied / 5xx→writer auth semantics; this completes the
review's minimum bar.
---
 services/llm_client_test.go            | 116 +++++++++++++++++
 services/operator_suggest_rule_test.go | 164 +++++++++++++++++++++++++
 2 files changed, 280 insertions(+)
 create mode 100644 services/llm_client_test.go
 create mode 100644 services/operator_suggest_rule_test.go

diff --git a/services/llm_client_test.go b/services/llm_client_test.go
new file mode 100644
index 0000000..cd583d9
--- /dev/null
+++ b/services/llm_client_test.go
@@ -0,0 +1,116 @@
+package services
+
+import (
+	"errors"
+	"strings"
+	"testing"
+)
+
+func TestNewLLMClient_Dispatch(t *testing.T) {
+	cases := []struct {
+		name         string
+		opts         LLMClientOptions
+		wantProvider string
+		wantErr      bool
+		errSubstring string
+	}{
+		{
+			name:         "empty provider defaults to ollama",
+			opts:         LLMClientOptions{},
+			wantProvider: "ollama",
+		},
+		{
+			name:         "explicit ollama",
+			opts:         LLMClientOptions{Provider: "ollama"},
+			wantProvider: "ollama",
+		},
+		{
+			name:         "case-insensitive provider name",
+			opts:         LLMClientOptions{Provider: "Ollama"},
+			wantProvider: "ollama",
+		},
+		{
+			name:         "anthropic requires API key",
+			opts:         LLMClientOptions{Provider: "anthropic"},
+			wantErr:      true,
+			errSubstring: "ANTHROPIC_API_KEY",
+		},
+		{
+			name:         "anthropic with key succeeds",
+			opts:         LLMClientOptions{Provider: "anthropic", APIKey: "sk-test"},
+			wantProvider: "anthropic",
+		},
+		{
+			name:         "unsupported provider errors",
+			opts:         LLMClientOptions{Provider: "openai"},
+			wantErr:      true,
+			errSubstring: "unsupported",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			client, err := NewLLMClient(tc.opts)
+			if tc.wantErr {
+				if err == nil {
+					t.Fatalf("want error, got nil")
+				}
+				if tc.errSubstring != "" && !strings.Contains(err.Error(), tc.errSubstring) {
+					t.Errorf("want error containing %q, got %q", tc.errSubstring, err.Error())
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if client == nil {
+				t.Fatalf("want non-nil client")
+			}
+			if client.ProviderName() != tc.wantProvider {
+				t.Errorf("ProviderName()=%q, want %q", client.ProviderName(), tc.wantProvider)
+			}
+		})
+	}
+}
+
+func TestAnthropicClient_ModelManagementNotSupported(t *testing.T) {
+	c := newAnthropicClient("", "", "sk-test")
+	if err := c.PullModel(nil, "anything", nil); !errors.Is(err, ErrModelManagementNotSupported) {
+		t.Errorf("PullModel: want ErrModelManagementNotSupported, got %v", err)
+	}
+	if err := c.DeleteModel(nil, "anything"); !errors.Is(err, ErrModelManagementNotSupported) {
+		t.Errorf("DeleteModel: want ErrModelManagementNotSupported, got %v", err)
+	}
+}
+
+func TestAnthropicClient_SetGetters(t *testing.T) {
+	c := newAnthropicClient("", "", "sk-test")
+	if c.GetBaseURL() != "https://api.anthropic.com" {
+		t.Errorf("default base URL mismatch: %q", c.GetBaseURL())
+	}
+	if c.GetActiveModel() != "claude-haiku-4-5" {
+		t.Errorf("default model mismatch: %q", c.GetActiveModel())
+	}
+	c.SetActiveModel("claude-sonnet-4-6")
+	if c.GetActiveModel() != "claude-sonnet-4-6" {
+		t.Errorf("SetActiveModel did not stick: %q", c.GetActiveModel())
+	}
+	c.SetBaseURL("https://example.com/")
+	if c.GetBaseURL() != "https://example.com" {
+		t.Errorf("SetBaseURL should trim trailing slash, got %q", c.GetBaseURL())
+	}
+}
+
+func TestStripJSONFences(t *testing.T) {
+	cases := []struct{ in, want string }{
+		{`{"a":1}`, `{"a":1}`},
+		{"```json\n{\"a\":1}\n```", `{"a":1}`},
+		{"```\n{\"a\":1}\n```", `{"a":1}`},
+		{"  ```json\n{\"nested\":{\"b\":2}}\n```  ", `{"nested":{"b":2}}`},
+		{"not fenced at all", "not fenced at all"},
+	}
+	for _, tc := range cases {
+		if got := stripJSONFences(tc.in); got != tc.want {
+			t.Errorf("stripJSONFences(%q) = %q, want %q", tc.in, got, tc.want)
+		}
+	}
+}
diff --git a/services/operator_suggest_rule_test.go b/services/operator_suggest_rule_test.go
new file mode 100644
index 0000000..2e04b73
--- /dev/null
+++ b/services/operator_suggest_rule_test.go
@@ -0,0 +1,164 @@
+package services
+
+import "testing"
+
+// verifySuggestedRule is the invariant the AI suggester relies on: every
+// generated rule must produce the user's target path when applied to their
+// source path. If it doesn't, the UI surfaces a "not verified" warning
+// instead of silently showing a broken rule.
+//
+// These tests assert that invariant holds for each transform type.
+
+func TestVerifySuggestedRule_Move(t *testing.T) {
+	t.Run("matching prefix rename", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType: "move",
+			TransformFrom: "agg/python",
+			TransformTo:   "shared/python",
+		}
+		ok, computed, err := verifySuggestedRule(s, "agg/python/models/user.py", "shared/python/models/user.py")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !ok {
+			t.Fatalf("expected match; computed=%q", computed)
+		}
+		if computed != "shared/python/models/user.py" {
+			t.Errorf("computed=%q", computed)
+		}
+	})
+	t.Run("source doesn't start with from", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType: "move",
+			TransformFrom: "agg/python",
+			TransformTo:   "shared/python",
+		}
+		ok, _, err := verifySuggestedRule(s, "other/path.py", "shared/python/other/path.py")
+		if err == nil || ok {
+			t.Fatalf("want error and no match; got ok=%v err=%v", ok, err)
+		}
+	})
+	t.Run("target mismatch", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType: "move",
+			TransformFrom: "agg/python",
+			TransformTo:   "shared/python",
+		}
+		ok, _, err := verifySuggestedRule(s, "agg/python/x.py", "different/target.py")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if ok {
+			t.Fatalf("want verification failure for target mismatch")
+		}
+	})
+}
+
+func TestVerifySuggestedRule_Copy(t *testing.T) {
+	t.Run("exact file rename", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType: "copy",
+			TransformFrom: "mflix/README-JAVA-SPRING.md",
+			TransformTo:   "README.md",
+		}
+		ok, _, err := verifySuggestedRule(s, "mflix/README-JAVA-SPRING.md", "README.md")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !ok {
+			t.Fatalf("want match")
+		}
+	})
+	t.Run("source doesn't equal from", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType: "copy",
+			TransformFrom: "mflix/README.md",
+			TransformTo:   "README.md",
+		}
+		ok, _, err := verifySuggestedRule(s, "different/README.md", "README.md")
+		if err == nil || ok {
+			t.Fatalf("want error and no match; got ok=%v err=%v", ok, err)
+		}
+	})
+}
+
+func TestVerifySuggestedRule_Glob(t *testing.T) {
+	t.Run("wildcard with relative_path", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType:  "glob",
+			Pattern:        "agg/python/**/*.py",
+			TransformTempl: "shared/python/${relative_path}",
+		}
+		ok, computed, err := verifySuggestedRule(s, "agg/python/models/user.py", "shared/python/models/user.py")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !ok {
+			t.Fatalf("expected match; computed=%q", computed)
+		}
+	})
+	t.Run("pattern doesn't match source", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType:  "glob",
+			Pattern:        "agg/python/**/*.py",
+			TransformTempl: "shared/python/${relative_path}",
+		}
+		ok, _, err := verifySuggestedRule(s, "not-matching/file.txt", "shared/python/file.txt")
+		if err == nil || ok {
+			t.Fatalf("want error; got ok=%v err=%v", ok, err)
+		}
+	})
+}
+
+func TestVerifySuggestedRule_Regex(t *testing.T) {
+	t.Run("named captures in template", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType:  "regex",
+			Pattern:        `tutorials/v(?P<ver>[0-9]+)/(?P<slug>.+)\.mdx`,
+			TransformTempl: "docs/${slug}-v${ver}.mdx",
+		}
+		ok, computed, err := verifySuggestedRule(s, "tutorials/v2/getting-started.mdx", "docs/getting-started-v2.mdx")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !ok {
+			t.Fatalf("expected match; computed=%q", computed)
+		}
+	})
+	t.Run("invalid regex", func(t *testing.T) {
+		s := &llmSuggestedRule{
+			TransformType:  "regex",
+			Pattern:        `[unclosed`,
+			TransformTempl: "anything",
+		}
+		ok, _, err := verifySuggestedRule(s, "src", "dst")
+		if err == nil || ok {
+			t.Fatalf("want error for invalid regex; got ok=%v err=%v", ok, err)
+		}
+	})
+}
+
+func TestVerifySuggestedRule_UnknownType(t *testing.T) {
+	s := &llmSuggestedRule{TransformType: "symlink"}
+	ok, _, err := verifySuggestedRule(s, "a", "b")
+	if err == nil || ok {
+		t.Fatalf("want error for unknown type; got ok=%v err=%v", ok, err)
+	}
+}
+
+func TestTruncate_RuneSafe(t *testing.T) {
+	// ASCII path still works
+	if got := truncate("hello world", 5); got != "hello…" {
+		t.Errorf("ascii: got %q", got)
+	}
+	// Multi-byte runes must not be cut mid-byte
+	s := "日本語テスト" // 6 runes, 18 bytes
+	got := truncate(s, 3)
+	if got != "日本語…" {
+		t.Errorf("multibyte: got %q (len=%d)", got, len(got))
+	}
+	// Short input returned unchanged, no ellipsis
+	if got := truncate("hi", 5); got != "hi" {
+		t.Errorf("short input changed: %q", got)
+	}
+}

From 89ecf99b3f64bf45ebb7181c2ca8c291ead75077 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 08:26:33 -0400
Subject: [PATCH 19/20] docs: document operator UI, PAT auth, and AI rule
 suggester
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bring the doc set up-to-date with what this PR ships so new devs and
operators aren't figuring out a live feature set from source.

- README.md: new "Operator UI" section under Monitoring covering enable
  flags, role mapping (admin/maintain → operator, write/triage/read →
  writer), per-repo replay authorization, and AI-suggester providers.
  Enhanced Features list gains an "Operator UI" group. Tools list gains
  test-llm and test-pem entries.

- docs/CONFIG-REFERENCE.md: new "Operator UI" and "AI Rule Suggester
  (LLM)" env-var tables covering OPERATOR_UI_ENABLED, OPERATOR_AUTH_REPO,
  OPERATOR_REPO_SLUG, OPERATOR_RELEASE_*, LLM_PROVIDER, LLM_BASE_URL,
  LLM_MODEL, ANTHROPIC_API_KEY, ANTHROPIC_API_KEY_SECRET_NAME. Calls out
  the 30/hour/PAT rate limit on /suggest-rule.

- docs/DEPLOYMENT.md: Secret Manager step #4 for anthropic-api-key plus
  the IAM binding; pre-deploy checklist gains the operator-UI auth repo
  bullet; post-deploy smoke test for the operator UI + AI settings.

- docs/LOCAL-TESTING.md: "Optional (for Operator UI + AI rule suggester)"
  env-var block and a step-by-step "Testing the Operator UI Locally"
  section that points at cmd/test-llm for provider verification.

- docs/FAQ.md: new "Operator UI" section (what it is, who can access,
  how the AI suggester works, how to debug "not connected").

- AGENT.md: full rewrite. Expanded file map covers all operator_*.go,
  llm_*.go, web/operator/index.html embed, webhook_trace_buffer, and
  log_buffer. New sections on authorization model, security posture
  (auth fail-closed, PAT hashing, SSRF defense-in-depth, LLM cost cap),
  and edit patterns for operator UI / LLM provider work. Key doc table
  rebuilt with clickable links.
---
 AGENT.md                 | 236 ++++++++++++++++++++++++---------------
 README.md                |  50 +++++++++
 docs/CONFIG-REFERENCE.md |  28 +++++
 docs/DEPLOYMENT.md       |  36 +++++-
 docs/FAQ.md              |  42 +++++++
 docs/LOCAL-TESTING.md    |  37 ++++++
 6 files changed, 337 insertions(+), 92 deletions(-)

diff --git a/AGENT.md b/AGENT.md
index f5c9680..33d3905 100644
--- a/AGENT.md
+++ b/AGENT.md
@@ -1,93 +1,145 @@
 # Agent Context: GitHub Copier
 
-Webhook service: PR merged → match files → transform paths → copy to target repos.
+Webhook service + operator UI.
+
+**Webhook pipeline:** PR merged → match files → transform paths → copy to target repos.
+**Operator UI:** `/operator/` — diagnostic dashboard with PAT auth, replay, audit browsing, and an AI rule suggester. Enabled via `OPERATOR_UI_ENABLED=true` + `OPERATOR_AUTH_REPO`.
 
 ## File Map
 
 ```
-app.go                              # Entrypoint, HTTP server, graceful shutdown
+app.go                              # Entrypoint, HTTP server, graceful shutdown, startup banner
 services/
-  webhook_handler_new.go            # HandleWebhookWithContainer() orchestrator
-  workflow_processor.go             # ProcessWorkflow() - core file matching logic
-  pattern_matcher.go                # MatchFile(pattern, path) bool
-  token_manager.go                  # TokenManager (thread-safe token state, sync.RWMutex)
-  github_auth.go                    # ConfigurePermissions(), JWT generation
+  # Webhook pipeline
+  webhook_handler_new.go            # HandleWebhookWithContainer() — orchestrator
+  workflow_processor.go             # ProcessWorkflow() — core file matching logic
+  pattern_matcher.go                # MatchFile(pattern, path) — prefix/glob/regex
+  github_auth.go                    # ConfigurePermissions(), JWT generation, LoadWebhookSecret, LoadMongoURI, LoadAnthropicAPIKey
   github_read.go                    # GetFilesChangedInPr() (GraphQL), RetrieveFileContents()
-  github_write_to_target.go         # AddFilesToTargetRepos(), addFilesViaPR()
+  github_write_to_target.go         # AddFilesToTargetRepos(); errTreeUnchanged sentinel for empty commits
   github_write_to_source.go         # UpdateDeprecationFile(filesToDeprecate)
+  token_manager.go                  # TokenManager (thread-safe install tokens, sync.RWMutex)
   rate_limit.go                     # RateLimitTransport (auto-retry on 403/429)
-  delivery_tracker.go               # DeliveryTracker (webhook idempotency via X-GitHub-Delivery)
+  delivery_tracker.go               # Webhook idempotency via X-GitHub-Delivery
+  file_state_service.go             # Per-request upload/deprecate queues (thread-safe)
   errors.go                         # Sentinel errors (ErrRateLimited, ErrNotFound, etc.)
   logger.go                         # slog JSON handler, LogCritical, LogAndReturnError
-  file_state_service.go             # Tracks upload/deprecate queues (thread-safe)
   main_config_loader.go             # LoadConfig() with $ref support
   config_loader.go                  # Config loading & validation
-  config_cache.go                   # CachedConfigLoader (TTL-based config caching)
+  config_cache.go                   # CachedConfigLoader (TTL-based)
   service_container.go              # DI container
-  health_metrics.go                 # /health (liveness), /ready (readiness), /metrics
-  audit_logger.go                   # MongoDB audit logging
+  health_metrics.go                 # /health, /ready, /metrics, /config
+  audit_logger.go                   # MongoDB audit logging (driver v2; ObjectIDAsHexString for read decoding)
   slack_notifier.go                 # Slack notifications
   pr_template_fetcher.go            # PR template resolution from target repos
+  webhook_trace_buffer.go           # Ring buffer of recent webhook traces (Overview/Webhooks tabs)
+  log_buffer.go                     # Context-tagged per-delivery log ring buffer (logs drawer)
+
+  # Operator UI
+  operator_ui.go                    # RegisterOperatorRoutes, wrapAPI / wrapOperatorOnly middleware,
+                                    #   handleMe, handleRepoPermission, handleDeployment, handleReplay,
+                                    #   handleRelease, githubCreateVersionTag, sharedGithubHTTPClient,
+                                    #   llmPingCache, ReleaseAPIMode enum
+  operator_auth.go                  # GitHub PAT validation; ghAuthCache (SHA-256 hashed keys);
+                                    #   validateGitHubPAT role mapping; ghAPIError (StatusCode,
+                                    #   IsTransient); 5xx = soft-fail to writer, else RoleDenied
+  operator_ratelimit.go             # tokenBucket — fixed-window rate limiter keyed by hashed PAT
+                                    #   (30/hour on /suggest-rule)
+  operator_suggest_rule.go          # AI rule suggester; SuggestRuleSystemPrompt (exported);
+                                    #   verifySuggestedRule (runs rule through PatternMatcher)
+  operator_llm_admin.go             # /llm/status (cached 30s), /llm/settings, /llm/pull (NDJSON),
+                                    #   /llm/model delete. Maps ErrModelManagementNotSupported to 400.
+  llm_client.go                     # LLMClient interface, NewLLMClient(LLMClientOptions) dispatch,
+                                    #   ErrModelManagementNotSupported, ollamaClient impl
+  llm_anthropic.go                  # anthropicClient — /v1/messages, /v1/models, dual x-api-key +
+                                    #   api-key headers (native API + Azure APIM gateway support)
+  web/operator/index.html           # Embedded single-file SPA (HTML + CSS + JS); served by serveIndex
+
 types/
-  config.go                         # Workflow, Transformation, SourcePattern structs
+  config.go                         # Workflow, Transformation, SourcePattern, CommitStrategyConfig
   types.go                          # ChangedFile, UploadKey, UploadFileContent
-configs/environment.go              # Config struct, LoadEnvironment()
-tests/utils.go                      # Test helpers, httpmock setup
+configs/environment.go              # Config struct, LoadEnvironment(), validateOperatorAuth (hard-fail
+                                    #   when UI enabled without auth repo), per-provider LLM defaults
 cmd/
   config-validator/                 # CLI: validate configs, test patterns, init templates
   test-webhook/                     # CLI: send test webhook payloads (with delivery ID)
   test-pem/                         # CLI: verify PEM key + App ID against GitHub API
+  test-llm/                         # CLI: smoke-test LLM provider end-to-end (Ping, ListModels,
+                                    #   GenerateJSON with the real SuggestRuleSystemPrompt)
 scripts/
-  ci-local.sh                       # Run full CI pipeline locally (build, test, lint, vet)
+  ci-local.sh                       # Run full CI pipeline locally
   run-local.sh                      # Run app locally with dev settings
-  deploy-cloudrun.sh                # Deploy to Google Cloud Run
+  deploy-cloudrun.sh                # Deploy to Google Cloud Run (manual fallback)
   integration-test.sh               # End-to-end integration test
-  release.sh                        # Create versioned release (tag, changelog, GitHub Release)
+  release.sh                        # Create versioned release (tag, CHANGELOG, GitHub Release)
   test-slack.sh                     # Test Slack notification integration
   diagnose-github-auth.sh           # Debug GitHub App authentication issues
-  check-installation-repos.sh       # List repos accessible to GitHub App installation
 ```
 
 ## Key Types
 
 ```go
 // types/config.go
-type PatternType string    // "prefix" | "glob" | "regex"
-type TransformationType string  // "move" | "copy" | "glob" | "regex"
+type PatternType string              // "prefix" | "glob" | "regex"
+type TransformationType string       // "move" | "copy" | "glob" | "regex"
 
 type Workflow struct {
     Name             string
-    Source           Source              // Repo, Branch, InstallationID
-    Destination      Destination         // Repo, Branch
-    Transformations  []Transformation    // Type, From, To, Pattern, Replacement
+    Source           Source                // Repo, Branch, InstallationID
+    Destination      Destination           // Repo, Branch
+    Transformations  []Transformation      // Type, From, To, Pattern, Replacement
     Exclude          []string
-    CommitStrategy   *CommitStrategyConfig // Type (direct|pull_request), PRTitle, PRBody, AutoMerge
+    CommitStrategy   *CommitStrategyConfig // Type, PRTitle, PRBody, AutoMerge
     DeprecationCheck *DeprecationConfig
 }
 
-// types/types.go
-type ChangedFile struct { Path, Status string }  // Status: "ADDED"|"MODIFIED"|"DELETED"
-type UploadKey struct { RepoName, BranchPath string }
+// services/llm_client.go
+type LLMClient interface {
+    GenerateJSON(ctx, system, user string) (string, error)
+    ProviderName() string
+    Ping(ctx) error
+    Get/SetBaseURL, Get/SetActiveModel
+    ListModels(ctx) ([]LLMModel, error)
+    PullModel(ctx, name, progressFn) error       // ollama only
+    DeleteModel(ctx, name) error                  // ollama only
+}
+type LLMClientOptions struct { Provider, BaseURL, Model, APIKey string }
+
+// services/operator_auth.go
+type OperatorRole string              // "operator" | "writer" | "denied"
+type ghAPIError struct { StatusCode int; Body string }  // exposes IsTransient()
 ```
 
 ## State Management
 
-All mutable state is encapsulated in `TokenManager` (thread-safe via `sync.RWMutex`):
-- Installation access token
-- Per-org installation tokens with expiry
-- Cached JWT
-- HTTP client
+- **Per-install tokens**: `TokenManager` (thread-safe via `sync.RWMutex`), cached JWT, HTTP client.
+- **Per-request file state**: `FileStateService` on the `ServiceContainer`.
+- **Webhook idempotency**: `DeliveryTracker` (TTL-based, in-memory).
+- **PAT auth cache**: `ghAuthCache` (5-min TTL). Keys are **SHA-256 hashes** of the PAT — raw tokens never sit in the heap. Stores the full `*OperatorUser` and per-repo permission levels.
+- **LLM settings**: process-global, in-memory, mutated at runtime via `/llm/settings`. Revert to env defaults on restart; the UI hint calls this out.
+- **LLM ping cache**: 30s TTL; invalidated on `SetBaseURL` / `SetActiveModel`.
+- **Rate limit buckets**: fixed-window (30/hour) on `/suggest-rule`, keyed by hashed PAT. Opportunistic eviction.
+- **Log buffer**: context-tagged ring buffer (`ContextWithLogBuffer`) captures slog output per webhook delivery for the logs drawer.
+
+## Authorization Model (Operator UI)
+
+Each user signs in with their own GitHub PAT. Permission on `OPERATOR_AUTH_REPO` decides role:
+
+| GitHub permission | Role       | Capabilities                                              |
+|-------------------|------------|-----------------------------------------------------------|
+| `admin`, `maintain`| operator  | All UI, replay, release, AI settings                      |
+| `write`, `triage`, `read` | writer | View audit/workflows/copies, AI rule suggester        |
+| none              | denied    | 401                                                        |
 
-Per-request file state is managed via `FileStateService` in the `ServiceContainer`.
+`write` is deliberately **not** operator — docs contributors typically have `write` on the auth repo and shouldn't get replay/release capability.
 
-Webhook idempotency is handled by `DeliveryTracker` (TTL-based, in-memory).
+Additional gate on replay: user's PAT must have read access to the **source repo of the webhook being replayed** (checked via `ghAuthCache.CanUserReadRepo`).
+
+Permission-check error handling: **5xx from GitHub is soft-failed to writer** (transient outage shouldn't lock everyone out); everything else (404, 401, 403, network, parse error) → `RoleDenied`. The distinction is carried by `ghAPIError.IsTransient()`.
 
 ## Target Repo Batching
 
-Multiple workflows targeting the **same destination repo** are batched into a single commit/PR.
-The last workflow's commit strategy, PR title/body, and auto-merge setting wins.
-To get separate PRs per workflow, use different destination repos or branches.
-See `docs/ARCHITECTURE.md` § "Target Repo Batching" for full details.
+Multiple workflows targeting the same destination repo are batched into a single commit/PR. The last workflow's commit strategy, PR title/body, and auto-merge setting wins. See `docs/ARCHITECTURE.md` § "Target Repo Batching".
 
 ## Config Example
 
@@ -97,7 +149,7 @@ workflows:
     source: { repo: "org/src", branch: "main", patterns: [{type: glob, pattern: "docs/**"}] }
     destination: { repo: "org/dest", branch: "main" }
     transformations: [{ type: move, from: "docs/", to: "public/" }]
-    commit_strategy: { type: pull_request, pr_title: "Sync docs" }  # type: direct|pull_request
+    commit_strategy: { type: pull_request, pr_title: "Sync docs" }
 ```
 
 ## Quick Reference
@@ -110,74 +162,78 @@ make run                                         # run with .env
 
 # Testing
 go test -race ./...                              # all tests with race detector
-go test ./services/... -run TestWorkflow -v      # specific test
-make test                                        # run all tests via Makefile
+go test ./services/ -run TestValidateGitHubPAT -v  # specific test
 
-# Linting
-golangci-lint run ./...                          # lint (config: .golangci.yml)
-make lint                                        # lint via Makefile
+# Linting + security
+golangci-lint run ./...                          # lint (.golangci.yml)
+gosec ./...                                      # security scanner; should be 0 issues
 
 # CI (local)
 ./scripts/ci-local.sh                            # full CI: build, test, lint, vet
 
 # Release
-./scripts/release.sh v1.2.3                      # create release (see below)
-./scripts/release.sh v1.2.3 --dry-run            # preview without changes
+./scripts/release.sh v1.2.3 --dry-run            # preview
+./scripts/release.sh v1.2.3                      # tag + push, triggers Cloud Run deploy
+
+# Operator UI smoke test
+go build -o test-llm ./cmd/test-llm && ./test-llm -env .env.test
 ```
 
 ## Release Process
 
-Releases use semantic versioning (`vMAJOR.MINOR.PATCH`) and are automated via `scripts/release.sh`.
-
-**Prerequisites:**
-- Clean working tree on `main` branch
-- `gh` CLI authenticated
-- `CHANGELOG.md` has content in `[Unreleased]` section
-
-**What the script does:**
-1. Validates version format and prerequisites
-2. Renames `[Unreleased]` → `[vX.Y.Z] - YYYY-MM-DD` in `CHANGELOG.md`
-3. Adds fresh `[Unreleased]` section
-4. Commits: `Release vX.Y.Z`
-5. Creates annotated git tag
-6. Pushes to origin (triggers CI deploy via `v*` tag)
-7. Creates GitHub Release with changelog excerpt
+Semantic versioning (`vMAJOR.MINOR.PATCH`) via `scripts/release.sh`. Prereqs: clean `main`, `gh` authed, `[Unreleased]` populated. The script promotes `[Unreleased]` to a dated heading, commits, tags, pushes — the tag push triggers the Cloud Run deploy in `.github/workflows/ci.yml`. See the `## Release` section of `README.md` for detail.
 
-**Changelog convention:**
-- Follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) format
-- Sections: `Added`, `Changed`, `Fixed`, `Security`, `Deprecated`, `Removed`
-- Add entries to `[Unreleased]` as you work; the release script promotes them
+**Changelog**: Follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Sections: `Added`, `Changed`, `Fixed`, `Security`, `Deprecated`, `Removed`.
 
 ## Edit Patterns
 
-| Task | Files to modify |
-|------|-----------------|
-| New transformation | `types/config.go` (TransformationType) → `workflow_processor.go` (processFileForWorkflow) |
-| New pattern type | `types/config.go` (PatternType) → `pattern_matcher.go` |
-| New config field | `types/config.go` (struct) → consumers in `workflow_processor.go` |
-| Webhook logic | `webhook_handler_new.go` |
-| Rate limit behavior | `rate_limit.go` |
-| Auth flow | `github_auth.go` + `token_manager.go` |
-| CLI tool | `cmd/<tool>/main.go` + `cmd/<tool>/README.md` |
+| Task                                   | Files to modify |
+|----------------------------------------|-----------------|
+| New transformation type                | `types/config.go` (TransformationType) → `workflow_processor.go` (processFileForWorkflow) |
+| New pattern type                       | `types/config.go` (PatternType) → `pattern_matcher.go` |
+| New config field                       | `types/config.go` → consumers in `workflow_processor.go` |
+| New env var                            | `configs/environment.go` (field + const + loader); update `docs/CONFIG-REFERENCE.md` |
+| Webhook pipeline logic                 | `webhook_handler_new.go` → `workflow_processor.go` |
+| Rate-limit behavior (GitHub API)       | `rate_limit.go` |
+| Auth flow (App)                        | `github_auth.go` + `token_manager.go` |
+| Operator UI route                      | `operator_ui.go` (RegisterOperatorRoutes + handler) + `services/web/operator/index.html` |
+| Operator UI auth / role                | `operator_auth.go` (role mapping, `ghAPIError`, cache) |
+| LLM provider                           | Implement `LLMClient` in new `llm_<provider>.go`; dispatch in `llm_client.go` `NewLLMClient` |
+| LLM prompt change                      | `operator_suggest_rule.go` (`SuggestRuleSystemPrompt`); rerun `cmd/test-llm` to validate |
+| AI suggester UI change                 | `services/web/operator/index.html` §§ `ai-settings` / `ai-suggester` |
+| CLI tool                               | `cmd/<tool>/main.go` + `cmd/<tool>/README.md` |
 
 ## Conventions
 
-- Return `error`, never `log.Fatal`
-- Wrap errors: `fmt.Errorf("context: %w", err)`
-- Use sentinel errors from `errors.go` where appropriate
-- Nil-check GitHub API responses before dereference
-- Use `log/slog` for all logging (never `log` or `fmt.Print` for operational output)
-- Tests use `httpmock`; see `tests/utils.go`
-- Always run tests with `-race` flag
-- **Changelog**: Update `CHANGELOG.md` for all notable changes (follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/))
+- Return `error`, never `log.Fatal`. Wrap with `fmt.Errorf("context: %w", err)`.
+- Sentinel errors from `errors.go`; new sentinels go next to the function that owns them (e.g. `ErrModelManagementNotSupported` in `llm_client.go`, `errTreeUnchanged` in `github_write_to_target.go`).
+- Nil-check GitHub API responses before dereferencing.
+- All logging via `log/slog`. Never `log.*` or `fmt.Print*` for operational output.
+- Tests use `httpmock` (see `tests/utils.go`) for webhook flow; `httptest.Server` with `githubAPIBaseURL` package var override for operator auth tests.
+- Always run tests with `-race`.
+- **gosec must stay clean.** New HTTP URLs go through `githubAPIBaseURL` (or the equivalent Anthropic base URL) with validated path components + `url.PathEscape`, not raw user input. Document each `#nosec` inline.
+- **Secrets never get logged or embedded in paths.** Use `hashToken` when you need a stable identifier derived from a PAT.
+- **CHANGELOG.md**: update `[Unreleased]` for all notable changes.
+
+## Security Posture (recap)
+
+Details that tripped previous reviews:
+
+- **Auth failure ≠ writer role**: only transient 5xx from the GitHub permission check keeps the default writer role. Every other failure → `RoleDenied`.
+- **No raw PATs in heap beyond request scope**: `ghAuthCache` keys on `hashToken(pat)`. Memory dumps can't leak active tokens.
+- **LLM cost cap**: `/suggest-rule` is 30/hour per hashed-PAT; `/llm/status` ping is cached 30s.
+- **SSRF defense-in-depth**: all GitHub API paths validate owner/repo/branch against RE2 whitelists (`ghUsernameRe`, `ghRepoNameRe`, `ghBranchNameRe`) and use `url.PathEscape` before embedding.
 
 ## Key Documentation
 
 | Doc | Purpose |
 |-----|---------|
-| `docs/ARCHITECTURE.md` | System design, data flow, batching behavior |
-| `docs/CONFIG-REFERENCE.md` | Full config schema and field reference |
-| `docs/DEPLOYMENT.md` | Cloud Run deployment, secrets setup |
-| `docs/TROUBLESHOOTING.md` | Common issues and debugging |
-| `docs/LOCAL-TESTING.md` | Running and testing locally |
-| `testdata/README.md` | Test fixtures and webhook payload examples |
+| [`README.md`](README.md) | Feature overview, quick start, operator UI + AI suggester |
+| [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) | System design, data flow, batching behavior |
+| [`docs/CONFIG-REFERENCE.md`](docs/CONFIG-REFERENCE.md) | Full env-var + YAML schema reference |
+| [`docs/DEPLOYMENT.md`](docs/DEPLOYMENT.md) | Cloud Run deployment, Secret Manager setup |
+| [`docs/LOCAL-TESTING.md`](docs/LOCAL-TESTING.md) | Running and testing locally (incl. operator UI) |
+| [`docs/TROUBLESHOOTING.md`](docs/TROUBLESHOOTING.md) | Common issues and debugging |
+| [`docs/FAQ.md`](docs/FAQ.md) | FAQ including operator UI / AI suggester |
+| [`cmd/test-llm/README.md`](cmd/test-llm/README.md) | LLM provider smoke test |
+| [`testdata/README.md`](testdata/README.md) | Test fixtures and webhook payload examples |
diff --git a/README.md b/README.md
index 2a74c22..4ecfe41 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,13 @@ A GitHub app that automatically copies code examples and files from source repos
 - **Development Tools** - Dry-run mode, CLI validation, enhanced logging
 - **Thread-Safe** - Concurrent webhook processing with proper state management
 
+### Operator UI
+- **Web dashboard at `/operator/`** - Five-tab UI (Overview, Webhooks, Audit, Workflows, System) with dark mode, keyboard shortcuts, and shareable URLs
+- **GitHub PAT authentication** - Users sign in with their personal access token; role is derived from their permission on a configured auth repo (`admin`/`maintain` → operator, `write`/`triage`/`read` → writer)
+- **Per-repo replay authorization** - Replay requires the caller's PAT to have read access to the source repo of the webhook being replayed
+- **Writer-facing tools** - Workflow browser, PR lookup, recent copies feed, file match tester, audit drawer, per-delivery log viewer
+- **AI rule suggester** - Paste a source/target pair; get a generated copier rule self-verified against the in-process pattern matcher. Two providers: [Anthropic](https://www.anthropic.com/) (hosted, default in prod via the Grove Foundry APIM gateway) or [Ollama](https://ollama.com) (local, for dev)
+
 ## 🚀 Quick Start
 
 ### Prerequisites
@@ -385,6 +392,47 @@ Get performance metrics:
 curl http://localhost:8080/metrics
 ```
 
+## Operator UI
+
+The operator UI is a web dashboard served from `/operator/` for diagnosing webhook processing, replaying failed deliveries, browsing workflows, and generating copier rules with AI assistance.
+
+### Enabling the UI
+
+Set the required env vars:
+
+```yaml
+OPERATOR_UI_ENABLED: "true"
+OPERATOR_AUTH_REPO: "your-org/some-repo"  # user permissions here determine role
+OPERATOR_REPO_SLUG: "your-org/some-repo"  # optional; enables audit-row deep links
+```
+
+**Startup fails** if `OPERATOR_UI_ENABLED=true` without `OPERATOR_AUTH_REPO` — this prevents an accidentally-open operator UI.
+
+### Authentication and roles
+
+Each user authenticates with their own **GitHub Personal Access Token**. Paste the PAT into the sign-in prompt; the server checks the user's permission on `OPERATOR_AUTH_REPO` and assigns a role:
+
+| GitHub permission | Operator UI role | Can do |
+|---|---|---|
+| `admin` / `maintain` | **operator** | View everything; replay deliveries; cut release tags; change AI settings |
+| `write` / `triage` / `read` | **writer** | View workflows, audit, recent copies, file match tester, AI rule suggester |
+| None | **denied** | 401 Unauthorized |
+
+`write` maps to writer (not operator) so typical docs contributors with repo write access can't replay deliveries or cut releases — those need an explicit `admin` / `maintain` grant.
+
+On top of the role, **replay is repo-scoped**: the user's PAT must also have read access to the source repo of the webhook being replayed.
+
+### AI rule suggester
+
+The operator UI includes an LLM-backed helper that takes a source/target file pair and returns a generated copier workflow rule, self-verified against the in-process pattern matcher before display.
+
+Two providers are supported via `LLM_PROVIDER`:
+
+- **`anthropic`** (default in Cloud Run): calls the Anthropic Messages API. For MongoDB deployments this routes through the Grove Foundry APIM gateway — set `LLM_BASE_URL=https://grove-gateway-prod.azure-api.net/grove-foundry-prod/anthropic` and load the gateway key from Secret Manager via `ANTHROPIC_API_KEY_SECRET_NAME`.
+- **`ollama`** (default for local dev): runs against a local Ollama instance at `http://localhost:11434`. Connect, pull models, and switch the active model from the UI's System → AI settings panel without a redeploy.
+
+Smoke-test the LLM provider end-to-end with [`cmd/test-llm`](cmd/test-llm/README.md).
+
 ## Audit Logging
 
 When enabled, all operations are logged to MongoDB:
@@ -598,4 +646,6 @@ See [DEPLOYMENT.md](./docs/DEPLOYMENT.md) for the complete deployment and rollba
 
 - **[Config Validator](cmd/config-validator/README.md)** - CLI tool for validating configs
 - **[Test Webhook](cmd/test-webhook/README.md)** - CLI tool for testing webhooks
+- **[Test PEM](cmd/test-pem/README.md)** - CLI tool for verifying the GitHub App private key
+- **[Test LLM](cmd/test-llm/README.md)** - CLI tool for smoke-testing the AI rule suggester's LLM provider
 - **[Scripts](scripts/README.md)** - Helper scripts for deployment, testing, and releases
diff --git a/docs/CONFIG-REFERENCE.md b/docs/CONFIG-REFERENCE.md
index 41895fb..b08bf61 100644
--- a/docs/CONFIG-REFERENCE.md
+++ b/docs/CONFIG-REFERENCE.md
@@ -15,6 +15,8 @@ Complete reference for all github-copier configuration options: environment vari
   - [Audit Logging](#audit-logging)
   - [GitHub API Tuning](#github-api-tuning)
   - [Webhook Processing](#webhook-processing)
+  - [Operator UI](#operator-ui)
+  - [AI Rule Suggester (LLM)](#ai-rule-suggester-llm)
   - [Google Cloud](#google-cloud)
 - [Workflow YAML Schema](#workflow-yaml-schema)
   - [Main Config](#main-config)
@@ -127,6 +129,32 @@ Set via `.env` files, `env-cloudrun.yaml`, or process environment.
 | `WEBHOOK_MAX_RETRIES` | int | `2` | Max retry attempts for failed webhook processing (total attempts = retries + 1). |
 | `WEBHOOK_RETRY_INITIAL_DELAY` | int | `5` | Initial delay between retries in **seconds** (doubles each attempt). |
 
+### Operator UI
+
+Mount the web dashboard at `/operator/` (see the [Operator UI section of the README](../README.md#operator-ui) for access model, roles, and feature overview). Off unless `OPERATOR_UI_ENABLED=true`.
+
+| Variable | Type | Default | Description |
+|----------|------|---------|-------------|
+| `OPERATOR_UI_ENABLED` | bool | `false` | Enable the operator UI routes (`/operator/*`). |
+| `OPERATOR_AUTH_REPO` | string | — | `owner/repo` — the user's permission on this repo determines their role (`admin`/`maintain` → operator, `write`/`triage`/`read` → writer). **Required** when the UI is enabled — startup fails otherwise. |
+| `OPERATOR_REPO_SLUG` | string | — | `owner/repo` used to build clickable GitHub links in audit/trace rows. Optional. |
+| `OPERATOR_RELEASE_GITHUB_TOKEN` | string | — | PAT with `contents:write` used by the UI to create version tag refs. Optional; without it the release button is hidden. |
+| `OPERATOR_RELEASE_TARGET_BRANCH` | string | `main` | Branch whose HEAD SHA is tagged when cutting a release from the UI. |
+
+### AI Rule Suggester (LLM)
+
+Powers `/operator/api/suggest-rule`. The feature surface is always available when the operator UI is enabled; connectivity to the configured provider is checked at request time, and operators can switch model / base URL from the UI at runtime (process-global, reverts on restart).
+
+| Variable | Type | Default | Description |
+|----------|------|---------|-------------|
+| `LLM_PROVIDER` | string | `ollama` | Provider selector: `ollama` (local) or `anthropic` (hosted, default in Cloud Run). |
+| `LLM_BASE_URL` | string | per-provider | Provider endpoint. Default `http://localhost:11434` for Ollama or `https://api.anthropic.com` for Anthropic. For MongoDB's Grove Foundry APIM gateway, use `https://grove-gateway-prod.azure-api.net/grove-foundry-prod/anthropic`. |
+| `LLM_MODEL` | string | per-provider | Initial active model. Default `qwen2.5-coder:7b` for Ollama or `claude-haiku-4-5` for Anthropic. |
+| `ANTHROPIC_API_KEY` | string | — | Anthropic API / gateway key. Loaded directly from the env for local dev. Ignored when `LLM_PROVIDER=ollama`. |
+| `ANTHROPIC_API_KEY_SECRET_NAME` | string | — | GCP Secret Manager name for the Anthropic key; used in Cloud Run so no key material is ever in env vars or YAML. Short name (e.g. `anthropic-api-key`) is resolved to a full path via `SecretPath()`. |
+
+The suggester is rate-limited to 30 requests/hour per authenticated user (keyed by hashed PAT) to cap provider cost. Denied requests return 429 with a `Retry-After` header.
+
 ### Google Cloud
 
 | Variable | Type | Default | Description |
diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
index 8235616..e846b39 100644
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -164,6 +164,22 @@ echo -n "mongodb+srv://user:pass@cluster.mongodb.net/dbname" | \
   --replication-policy="automatic"
 ```
 
+#### 4. Anthropic API Key (Optional - for the AI rule suggester)
+
+Required only when the operator UI is enabled and `LLM_PROVIDER=anthropic` (the default in the committed CI deploy). Skip if you're using Ollama or don't plan to use the AI rule suggester.
+
+```bash
+# For the Grove Foundry APIM gateway, the value is the gateway key you were
+# issued — not a raw Anthropic sk-... key. The app sends it as both the
+# x-api-key (Anthropic) and api-key (APIM) header, so one key works either way.
+echo -n "$GATEWAY_KEY" | \
+  gcloud secrets create anthropic-api-key \
+  --data-file=- \
+  --replication-policy="automatic"
+```
+
+The env-var that points at this secret is `ANTHROPIC_API_KEY_SECRET_NAME=anthropic-api-key` (already set in `.github/workflows/ci.yml` and `env-cloudrun.yaml`). Missing key is non-fatal — the operator UI shows "not configured" and every other feature still works.
+
 ### Grant Cloud Run Access
 
 ```bash
@@ -185,6 +201,11 @@ gcloud secrets add-iam-policy-binding webhook-secret \
 gcloud secrets add-iam-policy-binding mongo-uri \
   --member="serviceAccount:${SERVICE_ACCOUNT}" \
   --role="roles/secretmanager.secretAccessor"
+
+# Only if using the AI rule suggester with LLM_PROVIDER=anthropic
+gcloud secrets add-iam-policy-binding anthropic-api-key \
+  --member="serviceAccount:${SERVICE_ACCOUNT}" \
+  --role="roles/secretmanager.secretAccessor"
 ```
 
 **Note:** Cloud Run uses the default compute service account by default. You can also create a dedicated service account for better security isolation.
@@ -322,11 +343,12 @@ services.LoadMongoURI(config)       // Loads from Secret Manager
 
 ### Pre-Deployment Checklist
 
-- [ ] Secrets created in Secret Manager
-- [ ] IAM permissions granted to Cloud Run service account
+- [ ] Secrets created in Secret Manager (`CODE_COPIER_PEM`, `webhook-secret`, `mongo-uri`, and `anthropic-api-key` if using the AI rule suggester)
+- [ ] IAM permissions granted to Cloud Run service account on each secret
 - [ ] `env-cloudrun.yaml` created and configured
 - [ ] `env-cloudrun.yaml` in `.gitignore`
 - [ ] `Dockerfile` exists in project root
+- [ ] (Operator UI) `OPERATOR_AUTH_REPO` points at a repo you own and can manage collaborators on — its permission list decides who gets operator vs writer access
 
 ### Deploy to Cloud Run
 
@@ -480,6 +502,16 @@ gcloud run services logs read github-copier --limit=50
 # ❌ "webhook signature verification failed"
 ```
 
+### Smoke-Test the Operator UI (if enabled)
+
+Only applicable when `OPERATOR_UI_ENABLED=true`:
+
+1. Open `https://<service-url>/operator/` in a browser.
+2. Generate a GitHub PAT with `repo` scope, paste it into the sign-in prompt.
+3. Confirm the user chip in the header shows your GitHub avatar and the correct role (`operator` if you're `admin`/`maintain` on `OPERATOR_AUTH_REPO`, `writer` if you're `write`/`triage`/`read`).
+4. Click the **System** tab → **AI settings** → **Refresh status**. You should see the provider connected (e.g. "Anthropic connected at https://grove-gateway-prod.azure-api.net/…").
+5. If AI settings shows "unreachable", the `anthropic-api-key` secret wasn't granted to the Cloud Run service account, or the deploy is pointing at a URL the gateway doesn't accept. Check the Cloud Run revision logs for `Anthropic API key not loaded` or a 401/403 from the gateway.
+
 ## Monitoring
 
 ### View Logs
diff --git a/docs/FAQ.md b/docs/FAQ.md
index ed1ee9b..989955c 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -30,6 +30,48 @@ The GitHub copier is a GitHub app that automatically copies code examples and fi
 - Health and metrics endpoints
 - Slack notifications
 - Dry-run mode for testing
+- **[Operator UI](../README.md#operator-ui)** — Web dashboard at `/operator/` for replay, audit browsing, workflow inspection, and AI-assisted rule generation
+
+## Operator UI
+
+### What is the operator UI?
+
+A web dashboard served from `/operator/` when `OPERATOR_UI_ENABLED=true`. Five tabs:
+
+- **Overview** — live metrics, recent activity, health of dependent services
+- **Webhooks** — recent webhook traces with filter/search and one-click replay
+- **Audit** — searchable audit event history with a per-event drawer (trace + logs + replay)
+- **Workflows** — browse the loaded copier config; test path matches with the built-in file match tester
+- **System** — deployment metadata, AI settings, release tagging
+
+### Who can access the operator UI?
+
+Anyone with a GitHub PAT that has access to `OPERATOR_AUTH_REPO`. The user's permission on that repo determines their UI role:
+
+- `admin` / `maintain` → **operator**: full access including replay, release, AI settings
+- `write` / `triage` / `read` → **writer**: view audit, workflows, recent copies, run the AI rule suggester and file match tester, but no replay / release
+- No access → 401 Unauthorized
+
+`write` is deliberately mapped to **writer** (not operator) so typical docs contributors can't replay deliveries or cut releases just by having repo write access. Operator capability requires an explicit `admin` / `maintain` grant.
+
+### How does the AI rule suggester work?
+
+Paste a source file path and the target file path you want; optionally name the target repo. The server sends the pair plus a structured prompt to the configured LLM, parses the returned JSON, and runs the generated rule through the in-process pattern matcher to verify it actually produces your target from your source. If it doesn't match, the UI shows a "not verified" warning next to the YAML so you can review before copying it into your config.
+
+Two providers are supported:
+
+- **Anthropic** (default in Cloud Run) — calls the hosted Messages API. In this repo's deploy it routes through the Grove Foundry APIM gateway so no infrastructure needs to be stood up.
+- **Ollama** (local dev) — runs against a local model server. The UI can pull models, switch the active one, and delete models without a redeploy.
+
+To cap cost, the suggester is rate-limited to 30 requests/hour per authenticated user.
+
+### The AI settings panel says "not connected" — how do I fix it?
+
+Check the banner at startup — it prints the active `AI Provider`, `AI Model`, and `AI URL`. Then:
+
+- **Anthropic**: make sure `ANTHROPIC_API_KEY` (local) or `ANTHROPIC_API_KEY_SECRET_NAME` (Cloud Run) is set. In Cloud Run, the runtime service account also needs `roles/secretmanager.secretAccessor` on the secret.
+- **Ollama**: confirm `ollama serve` is running on the host at `LLM_BASE_URL` (default `http://localhost:11434`) and that you've pulled a model.
+- Use [`cmd/test-llm`](../cmd/test-llm/README.md) to exercise the full path outside the UI — it reports Ping, ListModels, and a real GenerateJSON call.
 
 ## Configuration
 
diff --git a/docs/LOCAL-TESTING.md b/docs/LOCAL-TESTING.md
index 3c74dca..1621d6e 100644
--- a/docs/LOCAL-TESTING.md
+++ b/docs/LOCAL-TESTING.md
@@ -343,6 +343,43 @@ AUDIT_DATABASE=code_copier_dev
 AUDIT_COLLECTION=audit_events
 ```
 
+### Optional (for Operator UI + AI rule suggester)
+
+```bash
+# Mount the operator dashboard at http://localhost:8080/operator/
+OPERATOR_UI_ENABLED=true
+OPERATOR_AUTH_REPO=your-org/some-repo     # your GitHub permission here decides your UI role
+OPERATOR_REPO_SLUG=your-org/some-repo     # optional; enables clickable audit-row deep links
+
+# AI rule suggester — pick ONE provider:
+#
+# Option A: Ollama (local, no cloud calls, no API key needed)
+#   1. Install Ollama: https://ollama.com/download
+#   2. Leave LLM_PROVIDER unset — it defaults to ollama with http://localhost:11434
+#   3. From the UI's System → AI settings panel, pull a model (e.g. qwen2.5-coder:7b)
+#
+# Option B: Anthropic via Grove Foundry APIM gateway
+LLM_PROVIDER=anthropic
+LLM_BASE_URL=https://grove-gateway-prod.azure-api.net/grove-foundry-prod/anthropic
+LLM_MODEL=claude-haiku-4-5
+ANTHROPIC_API_KEY=<your-gateway-key>      # never commit this; use a local-only env file
+```
+
+### Testing the Operator UI Locally
+
+1. Start the app with the env vars above. The startup banner will confirm `Operator UI: true` and show the configured auth repo, AI provider, model, and base URL.
+2. Open `http://localhost:8080/operator/` in a browser.
+3. Generate a [GitHub Personal Access Token](https://github.com/settings/tokens) with `repo` scope. Paste it into the sign-in prompt. The UI caches it in `localStorage` so you only paste once.
+4. If you own `OPERATOR_AUTH_REPO`, grant yourself `admin` for the operator role, or `read`/`write` for the writer role — the header chip will show which one you got.
+5. Smoke-test the LLM connection end-to-end with `cmd/test-llm` before hitting the UI:
+
+   ```bash
+   go build -o test-llm ./cmd/test-llm
+   ./test-llm -env .env.test
+   ```
+
+   A successful run pings the provider, lists models, and issues a real rule-suggester prompt. See [cmd/test-llm/README.md](../cmd/test-llm/README.md) for details.
+
 ## Troubleshooting
 
 ### Error: "A JSON web token could not be decoded" / "Failed to configure GitHub permissions"

From 338a39c6231a2cbfb83824b29796527a6dc5eed0 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 22 Apr 2026 08:30:14 -0400
Subject: [PATCH 20/20] test: pass context.Background() instead of nil to LLM
 client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CI staticcheck flagged SA1012 — passing nil as a context argument, even
where the function signature permits it, is a lint error. My local
golangci-lint run was pulling a cached rule set that didn't enforce this;
CI's fresh download did.

Swap the two nil args in TestAnthropicClient_ModelManagementNotSupported
for a shared context.Background(). No behavior change.
---
 services/llm_client_test.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/services/llm_client_test.go b/services/llm_client_test.go
index cd583d9..00d11f3 100644
--- a/services/llm_client_test.go
+++ b/services/llm_client_test.go
@@ -1,6 +1,7 @@
 package services
 
 import (
+	"context"
 	"errors"
 	"strings"
 	"testing"
@@ -74,10 +75,11 @@ func TestNewLLMClient_Dispatch(t *testing.T) {
 
 func TestAnthropicClient_ModelManagementNotSupported(t *testing.T) {
 	c := newAnthropicClient("", "", "sk-test")
-	if err := c.PullModel(nil, "anything", nil); !errors.Is(err, ErrModelManagementNotSupported) {
+	ctx := context.Background()
+	if err := c.PullModel(ctx, "anything", nil); !errors.Is(err, ErrModelManagementNotSupported) {
 		t.Errorf("PullModel: want ErrModelManagementNotSupported, got %v", err)
 	}
-	if err := c.DeleteModel(nil, "anything"); !errors.Is(err, ErrModelManagementNotSupported) {
+	if err := c.DeleteModel(ctx, "anything"); !errors.Is(err, ErrModelManagementNotSupported) {
 		t.Errorf("DeleteModel: want ErrModelManagementNotSupported, got %v", err)
 	}
 }