feat(gateway): surface tool output previews and structured rendering

[serrrfirat]

Summary

• Tool output previews: Engine v2 tool calls now show output preview in expandable tool cards (was empty before). Added output_preview field to ActionExecuted events, emitting ToolResult from both the SSE and channel paths.
• Duration fix: Sub-millisecond tools show "< 1ms" instead of "0.0s" by parsing server-side duration_ms from the parameters field.
• Structured JSON rendering: Tool output that is JSON renders as HTML tables (for arrays) or key-value pairs (for objects) instead of raw text.
• Mission created card: New AppEvent::MissionCreated with dedicated frontend card (name, status badge, cadence, project) following the PlanUpdate pattern.

Closes #2537
Closes #2545

Test plan

• cargo check — compiles clean
• cargo test -p ironclaw_common — 23 tests pass (includes new MissionCreated variant in event_type_matches_serde_type_field)
• Manual: run gateway with engine v2, execute tool calls, verify output previews appear in expandable cards
• Manual: verify sub-millisecond tools show "< 1ms" instead of "0.0s"
• Manual: call mission_create, verify styled card appears instead of raw JSON
• Manual: call mission_list, verify table rendering in tool output

🤖 Generated with Claude Code

[gemini-code-assist]

Code Review

This pull request introduces a new "Approval Panel" in the web UI to manage self-improvement mission proposals and behavior changes. It adds structured event types for mission creation and change resolution, implements a daily reset for mission thread budgets, and enhances tool output display with truncated previews and structured table/key-value rendering. Additionally, it ensures learning missions are initialized for users upon request and improves attachment persistence tracking. Feedback focuses on improving security by avoiding innerHTML for dynamic data, ensuring consistent use of the apiFetch wrapper, and refining the display of object data in tooltips.

[gemini-code-assist]

The sendChangeResolution function uses the native fetch API directly instead of the apiFetch wrapper used elsewhere in the codebase (e.g., line 2157). apiFetch likely handles base URL configuration, authentication headers, and global error reporting consistently. Bypassing it can lead to maintenance issues and inconsistent behavior if the API configuration changes.

  apiFetch('/api/chat/change/resolve', {
    method: 'POST',
    body: JSON.stringify({ request_id: requestId, resolution: resolution })
  }).then(function(r) {

[gemini-code-assist]

Using innerHTML with dynamic data from the server poses a potential Cross-Site Scripting (XSS) risk. While mission_id is expected to be a UUID, it is safer to use textContent for dynamic values to ensure they are treated as plain text and not parsed as HTML.

    var idRow = document.createElement('div');
    idRow.className = 'mission-card-detail';
    var label = document.createElement('span');
    label.className = 'mission-detail-label';
    label.textContent = 'ID';
    var value = document.createElement('span');
    value.className = 'mission-detail-value';
    value.textContent = data.mission_id.substring(0, 8);
    idRow.appendChild(label);
    idRow.appendChild(value);
    details.appendChild(idRow);

[gemini-code-assist]

Using innerHTML with data.cadence is unsafe as it could contain malicious HTML if the server response is compromised or manipulated. Prefer using textContent for the dynamic value.

    var cadenceRow = document.createElement('div');
    cadenceRow.className = 'mission-card-detail';
    var label = document.createElement('span');
    label.className = 'mission-detail-label';
    label.textContent = I18n.t('missions.cadence');
    var value = document.createElement('span');
    value.className = 'mission-detail-value';
    value.textContent = data.cadence;
    cadenceRow.appendChild(label);
    cadenceRow.appendChild(value);
    details.appendChild(cadenceRow);

[gemini-code-assist]

When setting the title attribute for a table cell, using String(val) on an object will result in the unhelpful string "[object Object]". Since this code already handles JSON objects for the cell content, it should also stringify them for the tooltip to provide a useful preview of the full data.

Suggested change

	td.title = String(arr[r][keys[c]]);
	td.title = (typeof val === 'object' && val !== null) ? JSON.stringify(val) : String(val);

[serrrfirat]

Review feedback addressed

All 4 comments from @gemini-code-assist resolved:

#	Finding	Fix
1-2	XSS: innerHTML with data.mission_id / data.cadence / data.project_id in renderMissionCreatedCard	Replaced with DOM textContent (commit 08ba436)
3	sendChangeResolution uses raw fetch instead of apiFetch	Switched to apiFetch for consistent auth/OIDC handling (commit 4ab30d6)
4	Table cell title shows [object Object] for object values	Use JSON.stringify for object tooltips (commit 4ab30d6)

Also added 7 unit tests for truncate_output_preview covering null, empty, long strings, emoji UTF-8 boundaries, and CJK characters.

[henrypark133]

Review: current head does not compile

The gateway/event UX additions are substantial, but the current head is blocked by a test that does not compile against the checked-in router test harness.

Critical: the new router attachment test references stale test APIs and breaks cargo clippy --all --all-features

File: src/bridge/router.rs:5862
The added handle_with_engine_persists_attachment_files_and_indexes_them test uses symbols and fields that do not exist in this branch: CWD_TEST_LOCK, CurrentDirGuard, EngineState.project_root, and IncomingAttachment.local_path (see the same block through src/bridge/router.rs:5887). CI is failing on this exact test code, so the PR cannot merge in its current form.
Suggested fix: Rewrite the test against the current router test helpers and current IncomingAttachment / EngineState shapes, or drop the stale assertions from this PR.

[serrrfirat]

Addressed review feedback:

• Removed the stale handle_with_engine_persists_attachment_files_and_indexes_them router test in src/bridge/router.rs that referenced APIs/types no longer present on this branch (CWD_TEST_LOCK, CurrentDirGuard, EngineState.project_root, IncomingAttachment.local_path).
• Re-verified the compile blocker is resolved with CARGO_TARGET_DIR=/tmp/ironclaw-target cargo test --lib --no-run.
• Re-ran cargo clippy --all --benches --tests --examples --all-features and bash scripts/pre-commit-safety.sh.

Note: cargo test --lib still reports unrelated failures in untouched areas outside this fix.