feat: hosted morph service, shared inspection, and org-level policy (Phase 7)

Introduce morph-serve as a multi-repo hosted service with a stable REST API
for browsing behavioral history, commits, runs, traces, pipelines, and
certifications. Add organization-level policy with presets and threshold
merging. Wire `morph serve` CLI command for launching the service. Update
the inspector UI with multi-repo selection and behavioral status display.

303 unit/integration tests passed, 29 E2E scenarios (26 passed, 3 skipped).

Made-with: Cursor

Author: r

Cargo.lock

@@ -24,6 +24,18 @@ morph setup cursor   # writes .cursor/ (MCP, hooks, rules)
 
 Then open the project in Cursor. Ensure `morph` and `morph-mcp` are on your PATH. The MCP server and hooks will record prompts/responses and let the agent commit via Morph.
 
+## Hosted service (team inspection)
+
+Run the Morph hosted service for shared, browser-based inspection of behavioral history:
+
+```bash
+morph serve                              # serve current repo at http://127.0.0.1:8765
+morph serve --repo team=/path/to/repo    # named multi-repo mode
+morph serve --org-policy org-policy.json # apply org-level policy
+```
+
+The service exposes a stable JSON API and browser UI for inspecting commits (with certification/gate status), runs, traces, pipelines, merge dominance, and policy. See [v0-spec.md § 15](docs/v0-spec.md#15-hosted-service-phase-7).
+
 ## Develop Morph (this repo)
 
 ```bash

README.md

@@ -82,11 +82,26 @@ Morph works with **Cursor** and **Claude Code**. Each IDE uses the same `morph-m
 
 ---
 
-## 5. Next steps
+## 5. Run the hosted service (optional)
+
+For team-wide inspection and collaboration, run the Morph hosted service:
+
+```bash
+morph serve                    # serve current repo at http://127.0.0.1:8765
+morph serve --port 9000        # custom port
+morph serve --repo team=/path  # named multi-repo
+```
+
+The service exposes a stable JSON API for browsing commits (with behavioral status), runs, traces, pipelines, certifications, and policy. See [v0-spec.md § 15](v0-spec.md#15-hosted-service-phase-7) for the full API reference.
+
+---
+
+## 6. Next steps
 
 - **Commit the filesystem:** [CURSOR-SETUP.md § Committing](CURSOR-SETUP.md#5-committing-the-filesystem) / [CLAUDE-CODE-SETUP.md § Committing](CLAUDE-CODE-SETUP.md#4-committing-the-filesystem).
 - **Use Morph with Git:** [MORPH-AND-GIT.md](MORPH-AND-GIT.md).
 - **MCP tool reference:** [CURSOR-SETUP.md § MCP Tool Reference](CURSOR-SETUP.md#6-mcp-tool-reference) (same tools in Claude Code).
+- **Hosted service API:** [v0-spec.md § 15](v0-spec.md#15-hosted-service-phase-7).
 
 ---
 

docs/INSTALLATION.md

@@ -156,3 +156,4 @@ morph gate --json
 - **Branches**: Each system has its own. You can align names (`main` in both) for clarity, but Morph never reads Git refs.
 - **Remotes**: Morph has its own remote model. Use `morph remote add` to configure Morph remotes, and Git remotes for source. They are independent.
 - **CI**: Clone the Git repo (including `.morph/` if committed), then run Morph CLI against the same tree. Use `morph certify` and `morph gate` for behavioral gating.
+- **Hosted service**: Run `morph serve` to expose a shared HTTP API for browsing Morph state (commits, behavioral status, runs, pipelines). The service reads from `.morph/` and is complementary to Git hosting (GitHub, GitLab). Think of it as a behavioral evidence dashboard alongside your code review tool.

docs/MORPH-AND-GIT.md

@@ -8,7 +8,7 @@
 | **morph-cli** | 76 integration tests | YAML specs in `morph-cli/tests/specs/*.yaml`, compiled by `build.rs` |
 | **morph-e2e** | 25 Cucumber e2e scenarios | `morph-e2e/features/*.feature`, step defs in `morph-e2e/tests/cucumber.rs` |
 | **morph-mcp** | None yet | -- |
-| **morph-serve** | None yet | -- |
+| **morph-serve** | 34+ unit/API tests (views, service, handlers, org policy, multi-repo) | `morph-serve/src/tests.rs` + `org_policy::tests` |
 
 ### morph-core unit test modules
 
@@ -71,7 +71,7 @@ Each YAML spec supports: file/directory setup (`files`, `dirs`), sequenced CLI c
 ## Known gaps
 
 - **morph-mcp**: No tests. An integration harness that speaks MCP over stdio would cover the primary write path.
-- **morph-serve**: No tests. Could test API endpoints with axum's test utilities.
+- **morph-serve**: 34+ tests covering repo list/summary, branch listing, commit list/detail, run/trace/pipeline detail, annotations, policy, gate status, behavioral status (certification/merge), org policy CRUD, multi-repo, backward-compatible endpoints, and error paths.
 - **GixStore-specific paths**: `status()` and `record_session()` are now backend-aware (use `store.hash_object()`), but explicit GixStore integration tests would catch backend-specific regressions.
 - **proptest**: In dev-dependencies but not yet used. Good candidate for property-based tests on hash determinism and serialization round-trips.
 - **Error paths**: Many functions have untested error branches (malformed JSON, permission errors, missing refs).

docs/TESTING.md

@@ -1002,4 +1002,57 @@ The reference v0 implementation is in Rust.
 | `morph-core` | Library: object model, storage, hashing, commits, metrics, trees, migration |
 | `morph-cli` | CLI: read path + manual writes (`morph init`, `add`, `commit`, `log`, ...) |
 | `morph-mcp` | Cursor MCP server: primary write path from the IDE |
-| `morph-serve` | Browser visualization: `morph visualize` serves a web UI for browsing commits |
+| `morph-serve` | Hosted service: shared inspection and policy layer (`morph serve` and `morph visualize`) with stable JSON API, multi-repo support, behavioral status derivation, org-level policy |
+
+---
+
+# 15. Hosted Service (Phase 7)
+
+The hosted service (`morph serve`) exposes the Morph object graph through a stable HTTP/JSON API for collaborative team inspection.
+
+## Starting the service
+
+```bash
+morph serve                              # serve current repo on :8765
+morph serve --port 9000                  # custom port
+morph serve --repo alpha=/path/to/repo   # multi-repo mode
+morph serve --org-policy org-policy.json # apply org-level policy
+```
+
+## API surface
+
+All repo-scoped endpoints live under `/api/repos/{name}/...`.
+
+| Endpoint | Method | Returns |
+|---|---|---|
+| `/api/repos` | GET | List of configured repos with summary stats |
+| `/api/repos/{repo}/summary` | GET | Repo summary: head, branches, commit/run counts |
+| `/api/repos/{repo}/branches` | GET | Branch listing with current branch |
+| `/api/repos/{repo}/commits` | GET | Commit history from HEAD with behavioral badges |
+| `/api/repos/{repo}/commits/{hash}` | GET | Full commit detail with behavioral status |
+| `/api/repos/{repo}/runs` | GET | Run listing |
+| `/api/repos/{repo}/runs/{hash}` | GET | Run detail with agent, environment, metrics |
+| `/api/repos/{repo}/traces/{hash}` | GET | Trace events (prompt/response text) |
+| `/api/repos/{repo}/pipelines/{hash}` | GET | Pipeline graph, provenance, attribution |
+| `/api/repos/{repo}/objects/{hash}` | GET | Raw object JSON |
+| `/api/repos/{repo}/annotations/{hash}` | GET | Annotations on a target |
+| `/api/repos/{repo}/policy` | GET | Effective policy (repo + org merged) |
+| `/api/repos/{repo}/gate/{hash}` | GET | Gate check result for a commit |
+| `/api/org/policy` | GET/POST | Organization-level policy |
+
+Backward-compatible endpoints (`/api/log`, `/api/runs`, `/api/object/{hash}`, `/api/graph`) route to the default repo.
+
+## Behavioral status
+
+The commit detail endpoint returns a `behavioral_status` object:
+
+- `certified`: whether the commit has a passing certification annotation
+- `certification`: details (runner, eval_suite, metrics, failures)
+- `gate_passed`: whether the commit satisfies the repo policy
+- `gate_reasons`: list of reasons for gate failure
+- `is_merge`: true if the commit has 2+ parents
+- `merge_status`: parent metrics and dominance results for merge commits
+
+## Organization-level policy
+
+An optional org-level policy file can set default required_metrics, thresholds, and named presets. The effective policy for each repo is the union of org and repo policies (repo overrides win for thresholds).

docs/v0-spec.md

@@ -227,6 +227,20 @@ enum Command {
         #[arg(long, default_value = "127.0.0.1")]
         interface: String,
     },
+    /// Run the Morph hosted service (multi-repo inspection, shared API, org policy).
+    #[cfg(feature = "visualize")]
+    Serve {
+        /// Repository paths as name=path pairs. Defaults to current repo as "default".
+        #[arg(long = "repo", value_name = "NAME=PATH")]
+        repos: Vec<String>,
+        #[arg(long, default_value = "8765")]
+        port: u16,
+        #[arg(long, default_value = "127.0.0.1")]
+        interface: String,
+        /// Path to an org-level policy JSON file
+        #[arg(long)]
+        org_policy: Option<PathBuf>,
+    },
 }
 
 #[derive(clap::Subcommand)]
@@ -476,6 +490,43 @@ fn main() -> anyhow::Result<()> {
                 .map_err(|_| anyhow::anyhow!("invalid interface or port: {}:{}", interface, port))?;
             morph_serve::run_blocking(morph_dir, addr).map_err(|e| anyhow::anyhow!("{}", e))?;
         }
+        #[cfg(feature = "visualize")]
+        Command::Serve { repos, port, interface, org_policy } => {
+            let repo_entries = if repos.is_empty() {
+                let cwd = std::env::current_dir()?;
+                let repo_root = find_repo(&cwd)
+                    .ok_or_else(|| anyhow::anyhow!("not a morph repository (or any parent); specify --repo name=path"))?;
+                vec![morph_serve::RepoEntry {
+                    name: "default".to_string(),
+                    morph_dir: repo_root.join(".morph"),
+                }]
+            } else {
+                let mut entries = Vec::new();
+                for spec in &repos {
+                    let (name, path_str) = spec.split_once('=')
+                        .ok_or_else(|| anyhow::anyhow!("repo spec must be name=path, got: {}", spec))?;
+                    let path = PathBuf::from(path_str);
+                    let morph_dir = if path.join(".morph").exists() {
+                        path.join(".morph")
+                    } else {
+                        find_repo(&path)
+                            .ok_or_else(|| anyhow::anyhow!("not a morph repository: {}", path_str))?
+                            .join(".morph")
+                    };
+                    entries.push(morph_serve::RepoEntry { name: name.to_string(), morph_dir });
+                }
+                entries
+            };
+            let addr: std::net::SocketAddr = format!("{}:{}", interface, port)
+                .parse()
+                .map_err(|_| anyhow::anyhow!("invalid interface or port: {}:{}", interface, port))?;
+            let config = morph_serve::ServiceConfig {
+                repos: repo_entries,
+                addr,
+                org_policy_path: org_policy,
+            };
+            morph_serve::run_service(config).map_err(|e| anyhow::anyhow!("{}", e))?;
+        }
         Command::Prompt { sub } => match sub {
             PromptCmd::Create { path } => {
                 let (repo_root, store) = get_store(verbose)?;

morph-cli/src/main.rs

@@ -0,0 +1,11 @@
+- name: serve_help
+  steps:
+    - morph: [serve, --help]
+      stdout_contains: "Run the Morph hosted service"
+
+- name: serve_requires_repo_or_flag
+  init: false
+  steps:
+    - morph: [serve, --port, "0"]
+      expect_exit: 1
+      stderr_contains: "not a morph repository"

morph-cli/tests/specs/serve.yaml

@@ -0,0 +1,88 @@
+Feature: Hosted inspection workflow
+  Teams use the Morph hosted service to inspect commits,
+  runs, traces, pipelines, and behavioral status through
+  a stable HTTP/API surface.
+
+  Scenario: Team inspects a certified commit through the hosted service
+    Given a morph repo
+    And a file "src/main.py" with content "print('hello')"
+    When I run "morph add ."
+    Then the last command succeeded
+    When I run "morph commit -m initial --metrics {\"acc\":0.95,\"f1\":0.88}"
+    Then the last command succeeded
+    When I capture the last output as "commit_hash"
+    When I create a JSON file "metrics.json" with metrics "acc=0.95,f1=0.88"
+    When I run "morph certify --metrics-file metrics.json --runner ci-bot"
+    Then the last command succeeded
+    When I start the morph server on port "19871"
+    And I query the server at "/api/repos/default/commits/<commit_hash>"
+    Then the JSON response field "behavioral_status.certified" equals "true"
+    And the JSON response field "behavioral_status.certification.runner" equals "ci-bot"
+    And the JSON response field "eval_contract.observed_metrics.acc" equals "0.95"
+    When I query the server at "/api/repos/default/summary"
+    Then the JSON response field "commit_count" equals "1"
+    And I stop the morph server
+
+  Scenario: Team inspects merge status through the hosted service
+    Given a morph repo
+    And the identity pipeline and a minimal eval suite exist
+    And a file "a.txt" with content "aaa"
+    When I run "morph add ."
+    Then the last command succeeded
+    When I run "morph pipeline create prog.json"
+    And I capture the last output as "prog_hash"
+    When I run "morph commit -m main-commit --pipeline <prog_hash> --metrics {\"acc\":0.8}"
+    Then the last command succeeded
+    When I run "morph branch feature"
+    And I run "morph checkout feature"
+    Then the last command succeeded
+    When I run "morph commit -m feature-commit --pipeline <prog_hash> --metrics {\"acc\":0.85}"
+    Then the last command succeeded
+    When I run "morph checkout main"
+    Then the last command succeeded
+    When I run "morph merge feature -m merged --pipeline <prog_hash> --metrics {\"acc\":0.9}"
+    Then the last command succeeded
+    When I capture the last output as "merge_hash"
+    When I start the morph server on port "19872"
+    And I query the server at "/api/repos/default/commits/<merge_hash>"
+    Then the JSON response field "behavioral_status.is_merge" equals "true"
+    And the JSON response field "behavioral_status.merge_status.dominates_a" is present
+    And the JSON response field "behavioral_status.merge_status.dominates_b" is present
+    And I stop the morph server
+
+  Scenario: Team inspects extracted pipeline and source run
+    Given a morph repo
+    And a file "code.py" with content "print('hi')"
+    When I run "morph add ."
+    Then the last command succeeded
+    When I run record-session with prompt "Build feature X" and response "Feature X built"
+    Then the last command succeeded
+    When I capture the last output as "run_hash"
+    When I run "morph pipeline extract --from-run <run_hash>"
+    Then the last command succeeded
+    When I capture the last output as "pipeline_hash"
+    When I run "morph commit -m snap"
+    Then the last command succeeded
+    When I start the morph server on port "19873"
+    And I query the server at "/api/repos/default/runs/<run_hash>"
+    Then the JSON response field "agent.id" is present
+    And the JSON response field "trace" is present
+    When I query the server at "/api/repos/default/pipelines/<pipeline_hash>"
+    Then the JSON response field "provenance.method" equals "extracted"
+    And the JSON response field "provenance.derived_from_run" equals "<run_hash>"
+    And the JSON response field "node_count" equals "2"
+    And I stop the morph server
+
+  Scenario: Invalid repo or missing object returns clear service error
+    Given a morph repo
+    When I start the morph server on port "19874"
+    And I query the server at "/api/repos/default/commits/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    Then the JSON response code is "404"
+    And the JSON response field "code" equals "not_found"
+    When I query the server at "/api/repos/nonexistent/summary"
+    Then the JSON response code is "404"
+    And the JSON response field "code" equals "repo_not_found"
+    When I query the server at "/api/repos/default/commits/not-a-hash"
+    Then the JSON response code is "400"
+    And the JSON response field "code" equals "bad_hash"
+    And I stop the morph server