Update main.py

main.py

@@ -57,8 +57,59 @@ ALLOWED_BINS = {
     "ls":      ["ls"],
     "find":    ["find"],
 }
-EXEC_TIMEOUT = int(os.environ.get("VAULT_EXEC_TIMEOUT", "30"))
-MAX_OUTPUT   = 64 * 1024  # 64KB output cap
+EXEC_TIMEOUT   = int(os.environ.get("VAULT_EXEC_TIMEOUT", "30"))
+MAX_OUTPUT     = 64 * 1024  # 64KB output cap
+
+# ── Sprint 6 — security + AI integrations ─────────────────────────
+APPROVE_URL    = os.environ.get("APPROVE_URL",    "")
+HARNESS_URL    = os.environ.get("HARNESS_URL",    "")
+ANTHROPIC_KEY  = os.environ.get("ANTHROPIC_API_KEY", "")
+GH_TOKEN       = os.environ.get("GH_TOKEN",       "")
+VAULT_KEY      = os.environ.get("VAULT_KEY",       "")
+
+# Patterns that require human approval before exec
+RISKY_EXEC_PATTERNS = [
+    "rm -rf", "rm -f /", "dd if=", "mkfs", "> /dev/",
+    ":(){ :|:& };:", "chmod -R 777", "wget.*| bash", "curl.*| sh",
+]
+RISKY_GIT_PATTERNS = ["push --force", "push -f", "reset --hard", "clean -fd"]
+
+import httpx as _httpx  # sync httpx for gate helpers (called from sync context)
+
+def _approve_sync(tool: str, args: dict, risk: str = "high") -> tuple[bool, str]:
+    """Synchronous approval gate — polls up to 90s."""
+    if not APPROVE_URL:
+        return True, "approve_url_missing"
+    try:
+        r = _httpx.post(f"{APPROVE_URL}/api/approval/request",
+                        json={"agent": "vault", "tool": tool, "args": args,
+                              "risk": risk, "auto_timeout": 120}, timeout=6)
+        if r.status_code == 200:
+            aid = r.json().get("id")
+            for _ in range(18):
+                import time as _t; _t.sleep(5)
+                pr = _httpx.get(f"{APPROVE_URL}/api/approval/{aid}", timeout=4)
+                if pr.status_code == 200:
+                    st = pr.json().get("status")
+                    if st == "approved": return True, "human_approved"
+                    if st in ("rejected","expired"): return False, st
+            return False, "timeout"
+    except Exception as e:
+        return False, f"approve_error: {e}"
+
+def _harness_scan(tool: str, content: str) -> str:
+    """Scan exec output through harness before returning. Pass-through on failure."""
+    if not HARNESS_URL:
+        return content
+    try:
+        r = _httpx.post(f"{HARNESS_URL}/api/scan/output",
+                        json={"agent": "vault", "tool": tool, "content": content},
+                        timeout=4)
+        if r.status_code == 200:
+            return r.json().get("sanitised", content)
+    except Exception:
+        pass
+    return content
 
 # ── Meta / stats ──────────────────────────────────────────────────
 def load_meta():
@@ -387,7 +438,24 @@ async def exec_code(request: Request):
     env     = data.get("env",{})
     timeout = int(data.get("timeout", EXEC_TIMEOUT))
     if not code.strip(): raise HTTPException(400, "code required")
-    result  = await exec_command(runtime, code, cwd, env, min(timeout, 60))
+
+    # Approval gate: risky bash/shell patterns
+    if runtime in ("bash","sh"):
+        if any(p in code for p in RISKY_EXEC_PATTERNS):
+            ok, reason = _approve_sync("vault_exec",
+                                       {"runtime": runtime, "code": code[:300], "cwd": cwd},
+                                       risk="critical")
+            if not ok:
+                return jresp({"ok": False, "exit_code": -1,
+                              "output": f"[VAULT] BLOCKED by approval gate: {reason}",
+                              "ms": 0})
+
+    result = await exec_command(runtime, code, cwd, env, min(timeout, 60))
+
+    # Harness: scan output before returning
+    if result.get("output"):
+        result["output"] = _harness_scan("vault_exec", result["output"])
+
     return jresp(result)
 
 @app.get("/api/exec/stream")
@@ -442,6 +510,175 @@ async def stats():
                    "total_writes":META["total_writes"],"total_execs":META["total_execs"],
                    "by_ext":dict(sorted(by_ext.items(),key=lambda x:-x[1])[:10])})
 
+# ── Git API (Sprint 6) ────────────────────────────────────────────
+
+@app.get("/api/git/status")
+async def git_status(cwd: str = "code"):
+    result = await exec_command("git", "status --short", cwd)
+    staged = await exec_command("git", "diff --cached --name-only", cwd)
+    log    = await exec_command("git", "log --oneline -5", cwd)
+    return jresp({
+        "status":  result.get("output","").strip(),
+        "staged":  staged.get("output","").strip(),
+        "log":     log.get("output","").strip(),
+        "ok":      result.get("ok", False),
+    })
+
+@app.get("/api/git/log")
+async def git_log(cwd: str = "code", limit: int = 20):
+    result = await exec_command("git",
+        f"log --oneline --graph --decorate -n {min(limit,50)}", cwd)
+    return jresp({"log": result.get("output","").strip(), "ok": result.get("ok")})
+
+@app.post("/api/git/init")
+async def git_init(request: Request):
+    data = await request.json()
+    cwd  = data.get("cwd","code")
+    result = await exec_command("git", "init", cwd)
+    if result.get("ok"):
+        await exec_command("git", 'config user.email "vault@ki-fusion-labs.de"', cwd)
+        await exec_command("git", 'config user.name "FORGE Vault"', cwd)
+    return jresp(result)
+
+@app.post("/api/git/commit")
+async def git_commit(request: Request):
+    data    = await request.json()
+    message = data.get("message","auto: vault commit").strip() or "auto: vault commit"
+    cwd     = data.get("cwd","code")
+    files   = data.get("files", [])  # empty = git add -A
+
+    # Stage files
+    if files:
+        for f in files:
+            await exec_command("git", f"add {f}", cwd)
+    else:
+        await exec_command("git", "add -A", cwd)
+
+    # Commit
+    result = await exec_command("git", f'commit -m "{message}"', cwd)
+    return jresp({
+        "ok":     result.get("ok"),
+        "output": result.get("output","").strip(),
+        "ms":     result.get("ms",0),
+    })
+
+@app.post("/api/git/push")
+async def git_push(request: Request):
+    data   = await request.json()
+    remote = data.get("remote","origin")
+    branch = data.get("branch","main")
+    force  = bool(data.get("force", False))
+    cwd    = data.get("cwd","code")
+
+    # Always require approval for git push
+    ok, reason = _approve_sync(
+        "vault_git_push",
+        {"remote": remote, "branch": branch, "force": force, "cwd": cwd},
+        risk="high" if not force else "critical",
+    )
+    if not ok:
+        return jresp({"ok": False, "output": f"[VAULT] git push BLOCKED: {reason}", "ms": 0})
+
+    force_flag = "--force" if force else ""
+    env_extra  = {"GH_TOKEN": GH_TOKEN} if GH_TOKEN else {}
+    cmd = f"push {remote} {branch} {force_flag}".strip()
+    result = await exec_command("git", cmd, cwd, env_extra)
+    return jresp({
+        "ok":     result.get("ok"),
+        "output": result.get("output","").strip(),
+        "ms":     result.get("ms",0),
+    })
+
+@app.post("/api/git/clone")
+async def git_clone(request: Request):
+    data   = await request.json()
+    url    = data.get("url","")
+    dest   = data.get("dest","code")
+    if not url: raise HTTPException(400,"url required")
+    env_extra = {"GH_TOKEN": GH_TOKEN} if GH_TOKEN else {}
+    result = await exec_command("bash", f"git clone {url} {WS_ROOT}/{dest}/repo",
+                                 "", env_extra, timeout=60)
+    return jresp(result)
+
+
+# ── Anthropic API proxy (OpenClaw skill, Sprint 6) ────────────────
+# Streams Claude responses. Agents call this directly for AI-assisted
+# code review, documentation, analysis within the vault context.
+
+@app.post("/api/anthropic")
+async def anthropic_proxy(request: Request):
+    """
+    Anthropic API proxy with vault context injection.
+    Body: { model, max_tokens, messages, system, vault_context_path }
+    If vault_context_path set, injects file content into system prompt.
+    Streams raw SSE from Anthropic back to caller.
+    """
+    if not ANTHROPIC_KEY:
+        raise HTTPException(503, "ANTHROPIC_API_KEY not configured")
+
+    data = await request.json()
+    model      = data.get("model","claude-sonnet-4-20250514")
+    max_tokens = int(data.get("max_tokens", 4096))
+    messages   = data.get("messages", [])
+    system     = data.get("system","You are a helpful AI assistant with access to the FORGE vault workspace.")
+    stream     = bool(data.get("stream", True))
+    ctx_path   = data.get("vault_context_path","")
+
+    # Inject vault file context if requested
+    if ctx_path:
+        try:
+            p = safe_path(ctx_path)
+            ctx_content = p.read_text(errors="replace")[:8000]
+            system = system + f"\n\nVAULT FILE CONTEXT ({ctx_path}):\n```\n{ctx_content}\n```"
+        except Exception as e:
+            system = system + f"\n\n[vault_context_path error: {e}]"
+
+    payload = {
+        "model":      model,
+        "max_tokens": max_tokens,
+        "system":     system,
+        "messages":   messages,
+        "stream":     stream,
+    }
+
+    async def _stream_anthropic():
+        async with _httpx.AsyncClient(timeout=120) as c:
+            async with c.stream(
+                "POST",
+                "https://api.anthropic.com/v1/messages",
+                json=payload,
+                headers={
+                    "x-api-key":         ANTHROPIC_KEY,
+                    "anthropic-version": "2023-06-01",
+                    "content-type":      "application/json",
+                }
+            ) as resp:
+                async for chunk in resp.aiter_text():
+                    if chunk:
+                        yield chunk
+
+    if stream:
+        return StreamingResponse(
+            _stream_anthropic(),
+            media_type="text/event-stream",
+            headers={"Cache-Control":"no-cache","X-Accel-Buffering":"no"},
+        )
+
+    # Non-stream: collect and return
+    async with _httpx.AsyncClient(timeout=120) as c:
+        resp = await c.post(
+            "https://api.anthropic.com/v1/messages",
+            json={**payload, "stream": False},
+            headers={
+                "x-api-key":         ANTHROPIC_KEY,
+                "anthropic-version": "2023-06-01",
+                "content-type":      "application/json",
+            }
+        )
+        return JSONResponse(resp.json())
+
+
+
 # ── MCP ───────────────────────────────────────────────────────────
 MCP_TOOLS = [
     {"name":"vault_read","description":"Read a file from the workspace",
@@ -476,6 +713,14 @@ MCP_TOOLS = [
          "src":{"type":"string"},"dst":{"type":"string"}}}},
     {"name":"vault_stats","description":"Get workspace statistics",
      "inputSchema":{"type":"object","properties":{}}},
+    {"name":"vault_git_status","description":"Git status, staged files and recent log.",
+     "inputSchema":{"type":"object","properties":{"cwd":{"type":"string"}}}},
+    {"name":"vault_git_commit","description":"Stage all and commit.",
+     "inputSchema":{"type":"object","properties":{"message":{"type":"string"},"cwd":{"type":"string"},"files":{"type":"array","items":{"type":"string"}}}}},
+    {"name":"vault_git_push","description":"Push to remote (requires human approval).",
+     "inputSchema":{"type":"object","properties":{"remote":{"type":"string"},"branch":{"type":"string"},"force":{"type":"boolean"},"cwd":{"type":"string"}}}},
+    {"name":"vault_anthropic","description":"Call Claude API with optional vault file context injection.",
+     "inputSchema":{"type":"object","properties":{"messages":{"type":"array"},"system":{"type":"string"},"vault_context_path":{"type":"string"},"max_tokens":{"type":"integer"}}}},
 ]
 
 async def mcp_call(name, args):
@@ -529,6 +774,36 @@ async def mcp_call(name, args):
             if p.is_file(): total_files+=1; total_size+=p.stat().st_size
         return json.dumps({"total_files":total_files,"total_size":total_size,
                             "total_writes":META["total_writes"],"total_execs":META["total_execs"]})
+    if name == "vault_git_status":
+        import asyncio as _aio
+        r  = _aio.get_event_loop().run_until_complete(exec_command("git","status --short",a.get("cwd","code")))
+        lg = _aio.get_event_loop().run_until_complete(exec_command("git","log --oneline -5",a.get("cwd","code")))
+        return json.dumps({"status":r.get("output","").strip(),"log":lg.get("output","").strip()})
+    if name == "vault_git_commit":
+        import urllib.request as _ur
+        body = json.dumps({"message":a.get("message","auto commit"),"cwd":a.get("cwd","code"),"files":a.get("files",[])}).encode()
+        req  = _ur.Request("http://localhost:7860/api/git/commit",data=body,headers={"Content-Type":"application/json"},method="POST")
+        try:
+            with _ur.urlopen(req,timeout=30) as resp: d=json.loads(resp.read())
+        except Exception as e: d={"ok":False,"output":str(e)}
+        return json.dumps(d)
+    if name == "vault_git_push":
+        import urllib.request as _ur
+        body = json.dumps({"remote":a.get("remote","origin"),"branch":a.get("branch","main"),"force":bool(a.get("force",False)),"cwd":a.get("cwd","code")}).encode()
+        req  = _ur.Request("http://localhost:7860/api/git/push",data=body,headers={"Content-Type":"application/json"},method="POST")
+        try:
+            with _ur.urlopen(req,timeout=120) as resp: d=json.loads(resp.read())
+        except Exception as e: d={"ok":False,"output":str(e)}
+        return json.dumps(d)
+    if name == "vault_anthropic":
+        import urllib.request as _ur
+        body = json.dumps({**a,"stream":False}).encode()
+        req  = _ur.Request("http://localhost:7860/api/anthropic",data=body,headers={"Content-Type":"application/json"},method="POST")
+        try:
+            with _ur.urlopen(req,timeout=120) as resp: d=json.loads(resp.read())
+            text = d.get("content",[{}])[0].get("text","") if isinstance(d.get("content"),list) else str(d)
+        except Exception as e: text=str(e)
+        return json.dumps({"text":text[:2000]})
     return json.dumps({"error": f"unknown tool: {name}"})
 
 @app.get("/mcp/sse")
@@ -871,6 +1146,7 @@ body::after{content:'';position:fixed;inset:0;pointer-events:none;
       <div class="tab-item"   id="tab-editor"  >&#9998; Editor</div>
       <div class="tab-item"   id="tab-terminal">&#62; Terminal</div>
       <div class="tab-item"   id="tab-exec-log">&#9881; Exec Log</div>
+      <div class="tab-item"   id="tab-git">&#128279; Git</div>
     </div>
 
     <!-- BROWSER -->
@@ -924,6 +1200,74 @@ body::after{content:'';position:fixed;inset:0;pointer-events:none;
     <!-- EXEC LOG -->
     <div id="exec-log-view" style="display:none;flex:1;overflow-y:auto;padding:.6rem .9rem;"></div>
 
+    <!-- GIT PANEL -->
+    <div id="git-view" style="display:none;flex:1;overflow-y:auto;padding:.9rem;font-family:'DM Mono',monospace">
+      <div style="display:grid;grid-template-columns:1fr 1fr;gap:1rem;margin-bottom:1rem">
+        <div>
+          <div style="font-size:.68rem;color:var(--muted);text-transform:uppercase;letter-spacing:.12em;margin-bottom:.4rem">Working Directory</div>
+          <select id="git-cwd" style="background:var(--surface2);border:1px solid var(--border);color:var(--text);padding:.35rem .6rem;border-radius:4px;font-family:'DM Mono',monospace;font-size:.78rem;width:100%">
+            <option value="code">code/</option>
+            <option value="reports">reports/</option>
+            <option value="scratch">scratch/</option>
+            <option value="shared">shared/</option>
+          </select>
+        </div>
+        <div style="display:flex;align-items:flex-end;gap:.5rem">
+          <button id="git-refresh-btn" class="btn btn-secondary" style="font-size:.75rem;padding:.35rem .8rem">&#8635; Status</button>
+          <button id="git-init-btn" class="btn btn-secondary" style="font-size:.75rem;padding:.35rem .8rem">&#9881; Init</button>
+        </div>
+      </div>
+
+      <div style="display:grid;grid-template-columns:1fr 1fr;gap:1rem;margin-bottom:1rem">
+        <div>
+          <div style="font-size:.68rem;color:var(--muted);text-transform:uppercase;letter-spacing:.12em;margin-bottom:.4rem">Status</div>
+          <pre id="git-status-out" style="background:var(--surface2);border:1px solid var(--border);border-radius:4px;padding:.6rem;font-size:.75rem;line-height:1.5;min-height:80px;overflow-x:auto;white-space:pre-wrap;color:var(--green)">—</pre>
+        </div>
+        <div>
+          <div style="font-size:.68rem;color:var(--muted);text-transform:uppercase;letter-spacing:.12em;margin-bottom:.4rem">Recent Log</div>
+          <pre id="git-log-out" style="background:var(--surface2);border:1px solid var(--border);border-radius:4px;padding:.6rem;font-size:.75rem;line-height:1.5;min-height:80px;overflow-x:auto;white-space:pre-wrap;color:var(--cyan)">—</pre>
+        </div>
+      </div>
+
+      <div style="background:var(--surface2);border:1px solid var(--border);border-radius:6px;padding:1rem;margin-bottom:1rem">
+        <div style="font-size:.72rem;color:var(--accent);font-weight:600;margin-bottom:.75rem">&#10003; Commit</div>
+        <input id="git-commit-msg" class="search-input" placeholder="Commit message&#8230;" style="width:100%;margin-bottom:.6rem;font-family:'DM Mono',monospace;font-size:.8rem">
+        <button id="git-commit-btn" class="btn btn-primary" style="font-size:.78rem">&#9997; Commit (stage all)</button>
+        <span id="git-commit-result" style="margin-left:.75rem;font-size:.75rem;color:var(--muted)"></span>
+      </div>
+
+      <div style="background:var(--surface2);border:1px solid var(--border);border-radius:6px;padding:1rem;margin-bottom:1rem">
+        <div style="font-size:.72rem;color:var(--accent);font-weight:600;margin-bottom:.75rem">&#128640; Push (requires approval)</div>
+        <div style="display:grid;grid-template-columns:1fr 1fr auto;gap:.5rem;align-items:end">
+          <div>
+            <div style="font-size:.65rem;color:var(--muted);margin-bottom:.25rem">Remote</div>
+            <input id="git-remote" class="search-input" value="origin" style="width:100%;font-size:.78rem">
+          </div>
+          <div>
+            <div style="font-size:.65rem;color:var(--muted);margin-bottom:.25rem">Branch</div>
+            <input id="git-branch" class="search-input" value="main" style="width:100%;font-size:.78rem">
+          </div>
+          <button id="git-push-btn" class="btn btn-primary" style="font-size:.78rem;background:var(--purple)">&#8679; Push</button>
+        </div>
+        <label style="display:flex;align-items:center;gap:.4rem;margin-top:.6rem;font-size:.72rem;color:var(--muted);cursor:pointer">
+          <input type="checkbox" id="git-force" style="accent-color:var(--red)"> Force push (--force)
+        </label>
+        <div id="git-push-result" style="margin-top:.5rem;font-size:.75rem;color:var(--muted)"></div>
+      </div>
+
+      <!-- Claude assistant -->
+      <div style="background:var(--surface2);border:1px solid var(--border);border-left:3px solid var(--accent);border-radius:6px;padding:1rem">
+        <div style="font-size:.72rem;color:var(--accent);font-weight:600;margin-bottom:.75rem">&#129302; Claude Code Review</div>
+        <div style="font-size:.7rem;color:var(--muted);margin-bottom:.5rem">Paste code or leave blank to use the open editor file</div>
+        <textarea id="claude-input" class="search-input" rows="4" placeholder="Code to review, or press Run to use the open file&#8230;" style="width:100%;font-family:'DM Mono',monospace;font-size:.78rem;resize:vertical;min-height:80px;margin-bottom:.5rem"></textarea>
+        <div style="display:flex;gap:.5rem;align-items:center">
+          <button id="claude-run-btn" class="btn btn-primary" style="font-size:.78rem">&#9654; Ask Claude</button>
+          <span style="font-size:.7rem;color:var(--muted)">streams via /api/anthropic</span>
+        </div>
+        <pre id="claude-out" style="margin-top:.75rem;background:var(--surface);border:1px solid var(--border);border-radius:4px;padding:.75rem;font-size:.75rem;line-height:1.6;min-height:60px;overflow-x:auto;white-space:pre-wrap;color:var(--text);display:none"></pre>
+      </div>
+    </div>
+
     <!-- VERSIONS PANEL -->
     <div id="versions-panel">
       <div id="vp-hdr">
@@ -1308,17 +1652,118 @@ function showTab(t){
   document.getElementById('tab-editor').className='tab-item'+(t==='editor'?' on':'');
   document.getElementById('tab-terminal').className='tab-item'+(t==='terminal'?' on':'');
   document.getElementById('tab-exec-log').className='tab-item'+(t==='exec-log'?' on':'');
+  document.getElementById('tab-git').className='tab-item'+(t==='git'?' on':'');
   document.getElementById('browser-view').style.display=t==='browser'?'block':'none';
   document.getElementById('editor-wrap').style.display=t==='editor'?'flex':'none';
   document.getElementById('terminal-wrap').style.display=t==='terminal'?'flex':'none';
   document.getElementById('exec-log-view').style.display=t==='exec-log'?'block':'none';
+  document.getElementById('git-view').style.display=t==='git'?'flex':'none';
   if(t==='exec-log') loadExecLog();
+  if(t==='git') loadGitStatus();
 }
 document.getElementById('tab-browser').addEventListener('click',function(){showTab('browser');});
 document.getElementById('tab-editor').addEventListener('click',function(){showTab('editor');});
 document.getElementById('tab-terminal').addEventListener('click',function(){showTab('terminal');});
 document.getElementById('tab-exec-log').addEventListener('click',function(){showTab('exec-log');});
 document.getElementById('btn-open-term').addEventListener('click',function(){showTab('terminal');});
+document.getElementById('tab-git').addEventListener('click',function(){showTab('git');});
+
+// ── Git tab JS ─────────────────────────────────────────────────────
+function gitCwd(){ return document.getElementById('git-cwd').value; }
+
+function loadGitStatus(){
+  fetch('/api/git/status?cwd='+encodeURIComponent(gitCwd()))
+    .then(function(r){return r.json();}).then(function(d){
+      document.getElementById('git-status-out').textContent = d.status || '(clean)';
+      document.getElementById('git-log-out').textContent   = d.log   || '(no commits)';
+    }).catch(function(e){ document.getElementById('git-status-out').textContent='Error: '+e; });
+}
+
+document.getElementById('git-refresh-btn').addEventListener('click', loadGitStatus);
+document.getElementById('git-init-btn').addEventListener('click', function(){
+  fetch('/api/git/init',{method:'POST',headers:{'Content-Type':'application/json'},
+    body:JSON.stringify({cwd:gitCwd()})})
+  .then(function(r){return r.json();}).then(function(d){
+    toast(d.ok?'Git repo initialized':'Init failed: '+(d.output||'?'), d.ok?'ok':'err');
+    loadGitStatus();
+  });
+});
+
+document.getElementById('git-commit-btn').addEventListener('click', function(){
+  var msg = document.getElementById('git-commit-msg').value.trim() || 'auto: vault commit';
+  var btn = document.getElementById('git-commit-btn');
+  btn.disabled=true; btn.textContent='Committing&#8230;';
+  fetch('/api/git/commit',{method:'POST',headers:{'Content-Type':'application/json'},
+    body:JSON.stringify({message:msg,cwd:gitCwd(),files:[]})})
+  .then(function(r){return r.json();}).then(function(d){
+    var el = document.getElementById('git-commit-result');
+    el.style.color = d.ok ? 'var(--green)' : 'var(--red)';
+    el.textContent = d.ok ? '&#10003; Committed' : '&#10007; '+(d.output||'failed').slice(0,80);
+    if(d.ok){ document.getElementById('git-commit-msg').value=''; loadGitStatus(); }
+    btn.disabled=false; btn.textContent='&#9997; Commit (stage all)';
+  });
+});
+
+document.getElementById('git-push-btn').addEventListener('click', function(){
+  var btn = document.getElementById('git-push-btn');
+  btn.disabled=true; btn.textContent='Waiting approval&#8230;';
+  document.getElementById('git-push-result').textContent = 'Awaiting Telegram approval from Christof...';
+  fetch('/api/git/push',{method:'POST',headers:{'Content-Type':'application/json'},
+    body:JSON.stringify({
+      remote: document.getElementById('git-remote').value||'origin',
+      branch: document.getElementById('git-branch').value||'main',
+      force:  document.getElementById('git-force').checked,
+      cwd:    gitCwd()
+    })})
+  .then(function(r){return r.json();}).then(function(d){
+    var el = document.getElementById('git-push-result');
+    el.style.color = d.ok ? 'var(--green)' : 'var(--red)';
+    el.textContent = d.ok ? '&#10003; Pushed: '+(d.output||'').slice(0,100) : '&#10007; '+(d.output||'blocked').slice(0,120);
+    btn.disabled=false; btn.textContent='&#8679; Push';
+    if(d.ok) loadGitStatus();
+  });
+});
+
+// Claude code review
+document.getElementById('claude-run-btn').addEventListener('click', function(){
+  var code    = document.getElementById('claude-input').value.trim();
+  var out     = document.getElementById('claude-out');
+  out.style.display='block'; out.textContent='Calling Claude&#8230;';
+  var btn = document.getElementById('claude-run-btn');
+  btn.disabled=true;
+  // If no code pasted, include open file path for context
+  var ctxPath = (!code && OPEN_FILE) ? OPEN_FILE : '';
+  var userMsg = code ? 'Please review this code and suggest improvements:\n\n```\n'+code+'\n```'
+                     : 'Please review the file at the vault context path and suggest improvements.';
+  fetch('/api/anthropic',{method:'POST',headers:{'Content-Type':'application/json'},
+    body:JSON.stringify({
+      messages:[{role:'user',content:userMsg}],
+      system:'You are a senior software engineer doing code review. Be concise and specific.',
+      vault_context_path: ctxPath,
+      max_tokens:1024,
+      stream:true
+    })})
+  .then(function(resp){
+    var reader=resp.body.getReader(); var decoder=new TextDecoder(); out.textContent='';
+    function read(){
+      reader.read().then(function(a){
+        if(a.done){btn.disabled=false;return;}
+        var chunk=decoder.decode(a.value);
+        // Parse SSE data lines for text delta
+        chunk.split('\n').forEach(function(line){
+          if(!line.startsWith('data: ')) return;
+          try{
+            var ev=JSON.parse(line.slice(6));
+            if(ev.type==='content_block_delta'&&ev.delta&&ev.delta.text)
+              out.textContent+=ev.delta.text;
+          }catch(e){}
+        });
+        read();
+      });
+    }
+    read();
+  }).catch(function(e){ out.textContent='Error: '+e; btn.disabled=false; });
+});
 
 // ── View toggle ───────────────────────────────────────────────────
 document.getElementById('vt-list').addEventListener('click',function(){
@@ -1427,4 +1872,4 @@ loadTree();
 loadBrowser('');
 </script>
 </body>
-</html>"""
+</html>"""