electron-builder's NSIS target does not produce a `.blockmap` file
unless `differentialPackage: true` is configured (it is not in this
project). The release-stable lane was unconditionally requiring,
copying, and listing the blockmap, which made the win build job
fail even after the installer was successfully produced.
release-beta.yml already runs without expecting a blockmap, so
align release-stable.yml with it: drop the blockmap variables,
the existence check, the copy, and the summary mention. The win
NSIS installer + sha256 + latest.yml are produced unchanged and
match what release-beta has been shipping.
The win build job was failing with `makensis is required to build the
Windows installer; install NSIS or populate the electron-builder NSIS
cache` because GitHub's windows-latest runner image no longer ships
NSIS by default and `tools-pack`'s `resolveMakensisCommand` throws
when it cannot find `makensis.exe`.
The matching fix already exists in release-beta.yml (added in #768).
Mirror that step into release-stable.yml so the stable release lane
can build the win NSIS installer too.
Workflow-only change. Does not affect the packaged app contents
shipped from this commit (release artifacts are byte-identical to
what release-beta produced from 4761906).
* feat(prompt-templates): add Notion-style team dashboard (Live Artifact)
Adds a single image prompt template under the Live Artifact category — a
Notion-native team dashboard mockup with KPI grid, 7-day sparkline,
activity feed, and linked-database task table.
This is the first prompt template to use the curated Live Artifact
category, whose de/fr/ru localization slots were already reserved in
apps/web/src/i18n/content{,.fr,.ru}.ts. Only the new tag 'live-artifact'
is added to each locale's PROMPT_TEMPLATE_TAGS map (+1 line each) so the
arrayContaining check in e2e/tests/localized-content.test.ts continues
to pass.
Template-level only: no new surface, no loader changes, no schema or
TypeScript type changes.
* fix(prompt-templates,i18n): register 'Live Artifact' category and template ID fallback for de/fr/ru
CI's e2e/localized-content.test.ts enumerates LOCALIZED_CONTENT_IDS from
apps/web/src/i18n/content.ts and asserts:
- ids.promptTemplates === sorted(all template ids in prompt-templates/)
- ids.promptTemplateCategories ⊇ all categories actually used by templates
- ids.promptTemplateTags ⊇ all tags actually used by templates
The new notion-team-dashboard-live-artifact template introduced both
the first 'Live Artifact' category and the first prompt-template id
without a copy translation, so each locale needs:
- 'Live Artifact' added to *_PROMPT_TEMPLATE_CATEGORIES (currently
consumed via arrayContaining; order doesn't matter)
- 'notion-team-dashboard-live-artifact' listed in
*_PROMPT_TEMPLATE_IDS_WITH_EN_FALLBACK so it joins ids.prommplates
via the EN-fallback path (no per-locale title/summary copy needed)
The 'live-artifact' tag was already added to *_PROMPT_TEMPLATE_TAGS in
the previous commit on this branch.
3 files changed, +6 / -3.
* fix(i18n): register Live Artifact category + template id fallback (CI repair on #799)
* fix(i18n): register Live Artifact category + template id fallback (CI repair on #799)
* fix(i18n): register Live Artifact category + template id fallback (CI repair on #799)
* fix(prompt-templates): scrub live/connector affordances from notion-team-dashboard prompt (#799 review)
Reviewers (mrcfps, lefarcen) flagged that even with the amber "Sample
data — design preview" banner and the "(sample data)" footer, the inner
prompt blob still asked the model to render UI affordances claiming a
real Notion / Composio connector binding ("Live · synced" pill, "Last
refreshed just now", "Refresh from Notion" blue button, callout saying
numbers are "pulled from your {workspace} Notion workspace via the
Composio connector"). That contradicts the prompt-only contract and
reintroduces the #778 mock-honesty concern.
Rewrite the prompt blob so every UI element is consistently presented
as seeded sample data:
- topbar.preview_pill (was live_pill):ample · design preview' pill
with explicit negative instruction no to render any live/sync pill
- page_header.meta_row: drop 'Last refreshed', 'Auto' toggle, and the
'Refresh from Notion' blue button; explicit DO NOT instructions
- callout: 'prompt-only design preview ... seeded sample data ... not
pulled from a real Notion workspace and not refreshed via the
Composio connector. For real refreshable / connector-backed Live
Artifacts, use the live-artifact skill.' Also removes the bare
'{workspace}' placeholder that was not using {argument ...} syntax
(P2 nit from lefarcen).
- activity_feed_card.subtitle: 'Notion-style seeded activity for
design preview' (was 'From Notion')
- linked_database.title/subtitle: marked '(sample)' / 'seeded sample
rows · no live connector binding'
- linked_database.row_styles: explicit negative instruction not to
render an 'Updated ↻' refresh badge
- footer: 'Notion-style sample data · seeded design preview, not bound
to any Notion workspace or Composio connector'
- honesty_rule: enumerates all live/sync/refresh affordanche
generator must NOT render
Top-level metadata (id, title, summary, category, tags, model, aspect,
previewImageUrl, source) is unchanged. Preview PNG already shows the
amber banner and a layout without a Refresh button, so it matches the
new in-prompt language.
* fix(prompt-templates): scrub live/connector affordances from notion-team-dashboard prompt (#799 review)
Reviewers (mrcfps, lefarcen) flagged that even with the amber "Sample data — design preview" banner and the "(sample data)" footer, the inner prompt blob still asked the model to render UI affordances claiming a real Notion / Composio connector binding ("Live · synced" pill, "Last refreshed just now", "Refresh from Notion" blue button, callout saying numbers are "pulled from your {workspace} Notion workspace via the Composio connector"). That contradicts the prompt-only contract and reintroduces the #778 mock-honesty concern.
Rewrite the prompt blob so every UI element is consistently presented as seeded sample data:
- topbar.preview_pill (was live_pill): 'Sample · design preview' pill with explicit negative instruction not to render any live/sync pill.
- page_header.meta_row: drop 'Last refreshed', 'Auto' toggle, and the 'Refresh from Notion' blue button; explicit DO NOT instructions for all three.
- callout: 'prompt-only design preview ... seeded sample data ... not pulled from a real Notion workspace and not refreshed via the Composio connector. For real refreshable / connector-backed Live Artifacts, use the live-artifact skill.' Also removes the bare '{workspace}' placeholder that was not using {argument ...} syntax (P2 nit from lefarcen).
- activity_feed_card.subtitle: 'Notion-style seeded activity for design preview' (was 'From Notion').
- linked_database.title/subtitle: marked '(sample)' / 'seeded sample rows · no live connector binding'.
- linked_database.row_styles: explicit negative instruction not to render an 'Updated ↻' refresh badge.
- footer: 'Notion-style sample data · seeded design preview, not bound to any Notion workspace or Composio connector'.
- honesty_rule: enumerates all live/sync/refresh affordances the generator must NOT render.
Top-level metadata (id, title, summary, category, tags, model, aspect, previewImageUrl, source) is unchanged. Preview PNG already shows the amber banner and a layout without a Refresh button, so it matches the new in-prompt language.
* fix(prompt-templates): scrub live/connector affordances from notion-team-dashboard prompt (#799 review)
Reviewers (mrcfps, lefarcen) flagged that even with the amber "Sample data — design preview" banner and the "(sample data)" footer, the inner prompt blob still asked the model to render UI affordances claiming a real Notion / Composio connector binding ("Live · synced" pill, "Last refreshed just now", "Refresh from Notion" blue button, callout saying numbers are "pulled from your {workspace} Notion workspace via the Composio connector"). That contradicts the prompt-only contract and reintroduces the #778 mock-honesty concern.
Rewrite the prompt blob so every UI element is consistently presented as seeded sample data:
- topbar.preview_pill (was live_pill): 'Sample · design preview' pill with explicit negative instruction not to render any live/sync pill.
- page_header.meta_row: drop 'Last refreshed', 'Auto' toggle, and the 'Refresh from Notion' blue button; explicit DO NOT instructions for all three.
- callout: 'prompt-only design preview ... seeded sample data ... not pulled from a real Notion workspace and not refreshed via the Composio connector. For real refreshable / connector-backed Live Artifacts, use the live-artifact skill.' Also removes the bare '{workspace}' placeholder that was not using {argument ...} syntax (P2 nit from lefarcen).
- activity_feed_card.subtitle: 'Notion-style seeded activity for design preview' (was 'From Notion').
- linked_database.title/subtitle: marked '(sample)' / 'seeded sample rows · no live connector binding'.
- linked_database.row_styles: explicit negative instruction not to render an 'Updated ↻' refresh badge.
- footer: 'Notion-style sample data · seeded design preview, not bound to any Notion workspace or Composio connector'.
- honesty_rule: enumerates all live/sync/refresh affordances the generator must NOT render.
Top-level metadata (id, title, summary, category, tags, model, aspect, previewImageUrl, source) is unchanged. Preview PNG already shows the amber banner and a layout without a Refresh button, so it matches the new in-prompt language.
---------
Co-authored-by: joeylee12629-star <joeylee12629-star@users.noreply.github.com>
* add flowai live dashboard template skill
Introduce a new template-mode skill under the live-artifacts scenario with a default interactive example and seed template so users can generate polished, refresh-ready team dashboards quickly.
Co-authored-by: Cursor <cursoragent@cursor.com>
* add preview screenshot for flowai live dashboard template
Attach the provided dashboard screenshot under docs/screenshots/skills so the template contribution includes a visual preview artifact.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(flowai-template): reposition as static prototype dashboard skill
Address review feedback on PR #801:
- SKILL.md: drop `scenario: live-artifacts` and live-related triggers;
align with peer single-page dashboard skills using
`mode: prototype` + `scenario: operations` so the four-file
live-artifact contract no longer applies.
- references/checklist.md: rewrite quality gates around the static
prototype scope (export-from-DOM, responsive breakpoints, theme-aware
charts).
- assets/template.html:
- CSV export now reads every visible row from the table DOM,
including the Workflow column, instead of a hardcoded fixture.
- Add 1300px and 720px breakpoints; the main grid stacks to one
column, stat cards fall back to two then one, tabs wrap, table
scrolls horizontally on phones.
- Move chart colors into CSS variables (--chart-stroke,
--chart-fill, --chart-axis, --chart-bar-label, --chart-bar-value)
so dark-mode toggling re-derives them; chart canvases are
re-rendered after theme switch.
- Hash-sync tabs (#members | #details | #activity), animate the
role bar chart only on first reveal of the details tab,
fall back when CanvasRenderingContext2D.roundRect is unavailable,
add Esc to exit zoom and prevent tooltip clipping.
- example.html: title cleanup to match new skill identity.
Localized content:
- Add `flowai-live-dashboard-template` to DE/FR/RU
SKILL_IDS_WITH_EN_FALLBACK lists in apps/web/src/i18n so the
e2e localized-content test passes.
---------
Co-authored-by: tuolaji <tuola@tuolajideMacBook-Air.local>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Tuola Ge <gexingli@refly.ai>
* add clinic-console live-artifact template
Adds a built-in clinic-console template under
skills/live-artifact/assets/templates/, fulfilling the
assets/templates/<name> directory shape that
specs/2026-04-29-live-artifacts/spec.md §5.1 already plans for but
has not yet populated.
Three files, no other changes:
- template.html — html_template_v1 source, only DOM, CSS tokens, and {{data.*}} bindings
- data.json — canonical default sample (~6.7 KB, well within bounded JSON limits)
- README.md — data contract + telemedicine/pharmacy/pediatric variants
Verified locally against apps/daemon/src/live-artifacts/render.ts:
all paths match the html_template_v1 grammar, all bindings resolve
to scalars, no script/iframe/srcdoc/on*=/javascript:/raw HTML
directives, no forbidden JSON keys, JSON within bounded envelope.
* clinic-console: hardcode icon refs, drop icon_href bindings
Address @mrcfps's review on PR #795: stop interpolating {{data.*}} into
<use href="..."> attributes. The html_template_v1 binding contract
forbids interpolation inside URL-bearing attributes, and the security
validator runs *before* {{data.*}} substitution — so even a benign
icon_href today could be replaced with javascript:alert(1) tomorrow
without the validator ever seeing it.
Fix:
- template.html: every <use href="..."> is now a hardcoded literal
(#icon-dashboard, #icon-message, …). 14 nav slots + 4 KPI tiles
converted; total <use href="..."> count unchanged at 28, all
fragment-id literals, zero {{data.*}} inside URL-bearing attrs.
- data.json: icon_href removed from each nav_main[] item, each
nav_management[] item, and from kpi_a / kpi_b / kpi_c / kpi_d
(14 keys removed). Sample is now 6,333 bytes (was ~6,840).
- README.md: data-contract tables no longer list icon_href; new
"Icons are template-locked" section explains the binding-contract
rationale, lists the hardcoded id per slot, and gives guidance for
future runtime-configurable icons (route through a constrained,
non-URL mechanism such as enumerated CSS classes — never interpolate
into <use href> directly).
Verified locally against apps/daemon/src/live-artifacts/render.ts:
298 bindings, 297 unique paths, all resolve to scalars; zero
{{...}} inside any URL-bearing attribute (href / src / action /
formaction / srcset / xlink:href / ping / background / poster /
cite); none of the 6 forbidden security patterns present; bounded
JSON envelope: 6.3 KiB / depth 5 / max 22 keys / max 35 array items
/ max 45-char string — all well within limits.
---------
Co-authored-by: Joey-nexu <236967869+joeylee12629-star@users.noreply.github.com>
* add live-dashboard skill
Notion-style team dashboard rendered as a Live Artifact.
Wires the OD 0.4.0 connector catalog (#381) end-to-end:
refresh-on-open, manual Refresh tween, auto-refresh, stale state.
Falls back to seeded mock data when no connector is bound.
* address PR #778 review comments
P1 — security and correctness:
- skills/live-dashboard/assets/template.html · skills/live-dashboard/example.html: escape every connector-derived string before innerHTML interpolation. Adds a tiny e() helper and routes feed.who/action/target/suffix/icon, row.title/icon/due/prio, person.name/color/id, KPI label/delta through it. Closes lefarcen #3200122795 + #3200122820.
- skills/live-dashboard/SKILL.md (live behavior section): align connector poll URL with references/connectors.md — POST /api/od/connectors/poll with { project, read } body, not /api/od/connectors/<id>/poll. Closes codex bot #3200100897.
- apps/web/src/i18n/content{,.ru,.fr}.ts: register live-dashboard in DE_/RU_/FR_SKILL_IDS_WITH_EN_FALLBACK so the localized-content e2e check passes. Closes mrcfps #3200122059.
- skills/live-dashboard/references/connectors.md: prepend a Status callout that names skills/live-artifact/ as the canonical file/CLI live-artifact contract and frames the HTTP shape as a forward-looking proposal sitting alongside it (out-of-the-box the artifact runs on seeded data; only seedNextChange() needs swapping when POST /api/od/connectors/poll lands). Closes lefarcen #3200122811.
P2 — quality and honesty:
- skills/live-dashboard/references/connectors.md: rewrite the auth_ref resolution step to match apps/daemon/src/media-config.ts (OD_MEDIA_CONFIG_DIR → OD_DATA_DIR → <projectRoot>/.od/media-config.json, $HOME/~/relative paths handled via expandHomePrefix). Closes codex bot #3200100906.
- skills/live-dashboard/example.html: switch the live-pill to a sticky Sample data state with a grey static dot, rewrite the callout to admit the figures are seeded fixtures, retitle the toast and the refresh tooltip, and refuse to flip to Live · synced inside updateTimes(). Adds a .pill-live.sample CSS variant. Closes lefarcen #3200122823.
- skills/live-dashboard/assets/template.html: hoist <meta name=od:project> from <body> into <head>. Closes lefarcen #3200122832.
- skills/live-dashboard/assets/template.html · example.html: add role=button + tabindex=0 + aria-current to every clickable .ws / .side-search / .nav-item, and wire a single document-level keydown handler that maps Enter/Space to a synthetic click for any role=button div (skipping real buttons / anchors / form controls). Closes lefarcen #3200122837.
- skills/live-dashboard/assets/template.html: implement the KPI tween + flash + snapshotKpi() the SKILL.md prose already promised — first render builds escaped cards, subsequent renderKpi(prev) calls tween numeric values and flash() the cells that actually changed; refresh() now calls snapshotKpi() before mutating state and forwards prev. SKILL.md spells out the wire-up. Closes lefarcen #3200122839.
* gate KPI tween + flash + row/feed highlight on prefers-reduced-motion
Addresses mrcfps's non-blocking review item on PR #778 (comment #3200614137,
template.html:453). The CSS @media (prefers-reduced-motion: reduce) block
already neutralizes CSS animations and transitions, but the new JS-driven
helpers kept moving for opted-out users:
- tweenText() scheduled requestAnimationFrame updates for 600ms
- flash() toggled the .flash highlight class for 700ms
- renderFeed()/renderRows() applied .feed-row.new / .db-row.changed
classes which carry transient backgrounds even when their CSS
animations are off
Both runtimes (assets/template.html and example.html) now share a
reduceMotion() helper (window.matchMedia('(prefers-reduced-motion:
reduce)').matches). When it returns true:
- tweenText()/tween() set the final value immediately and return
- flash() returns without touching the class
- renderFeed()/renderRows() pass null as the highlight id so the .new /
.changed classes are never applied
Normal-motion users see the existing tween + flash + highlight pulse
unchanged. Keeps the P0 prefers-reduced-motion row in
references/checklist.md honest for agents that copy this template
verbatim.
---------
Co-authored-by: joey <joey@joeydeMacBook-Air.local>
Co-authored-by: joeylee12629-star <joeylee12629-star@users.noreply.github.com>
* add waitlist-page skill
* fix(waitlist-page): address PR review feedback
- Remove novalidate from example.html form
- Ensure checkValidity() guard present in both template and example
- Remove required from firstname input in template
- Add token escaping rules to SKILL.md workflow (step 9)
- Add token mapping/fallback rules for BORDER/SUCCESS/STRIPE/DECO (step 7)
- Fix mobile quality gate to be measurable (375x667, 390x844)
- Promote hardcoded #fff, rgba(0,0,0,0.9), rgba(255,255,255,0.9) to
CSS variables (--btn-label, --ticker-bg, --ticker-fg) in template
- Create references/checklist.md with P0/P1/P2 tiers; countdown timer
is now a hard P0 prohibition; a11y gate split into six specific checks"
* fix: resolve P0 color and accessibility issues
- Add role=status to success messages for screen reader announcement
- Replace all hardcoded hex/rgba colors with template tokens
- Update SKILL.md with comprehensive color token mapping rules
- SVG decorations now use CSS variables instead of hardcoded strokes
* fix: address PR review feedback on scope, scrolling, and font tokens
Fixes:
- Restore pricing-page files accidentally deleted in previous commit
(skills/pricing-page/SKILL.md and example.html now back on branch)
- Remove temp-original.html scratch file from commit
- Fix mobile viewport scrolling: change 'height: 100vh; overflow: hidden'
to 'min-height: 100svh; overflow-x: hidden; overflow-y: auto'
so content doesn't clip on 375×667 and 390×844 screens
- Split font tokens into URL-safe and CSS-safe variants:
* {{DISPLAY_FONT_URL}} and {{DISPLAY_FONT_CSS}} for display fonts
* {{BODY_FONT_URL}} and {{BODY_FONT_CSS}} for body fonts
This fixes encoding: spaces as '+' in Google Fonts URL, literal in CSS
- Update SKILL.md frontmatter with new font input fields
- Update token escaping rules to document the split
* fix: resolve token contract mismatch and remove hardcoded colors from example.html
P0 Fixes:
- Remove all hardcoded colors from example.html (except #2D6A4F for --success)
- Use CSS variables for all color values: --btn-label, --ticker-bg, --ticker-fg, --deco-stroke
- Fix gradient to use var(--deco) instead of hardcoded #D1632B
- Apply consistent color expressions across decorations and text
Token Contract Fixes:
- template.html now uses full CSS expressions for opacity-based colors:
* {{BORDER_EXPRESSION}} instead of {{BORDER_HEX}} (no # prefix)
* {{BTN_LABEL_EXPRESSION}} instead of {{BTN_LABEL_HEX}}
* {{TICKER_BG_EXPRESSION}}, {{TICKER_FG_EXPRESSION}}, {{DECO_STROKE_EXPRESSION}}
- Remove extra quotes from font tokens in template:
* --font-body: {{BODY_FONT_CSS}} instead of '{{BODY_FONT_CSS}}'
* Font tokens are already quoted if needed, no wrapping
- Update SKILL.md frontmatter with all color expression inputs and descriptions
- Update token mapping rules to clarify the new contract:
* Hex tokens: simple six-digit colors
* Expression tokens: full CSS values (rgba/color-mix), no # prefix
* Font tokens: CSS font-family values, no extra wrapping
- Update token escaping rules to reflect new contract
This ensures agents can follow SKILL.md instructions without producing invalid CSS.
* fix: remove final hardcoded colors from example.html - P0 complete
- Button text: #fff → var(--btn-label)
- Ticker background: rgba(0,0,0,0.9) → var(--ticker-bg)
- Ticker text: rgba(255,255,255,0.9) → var(--ticker-fg)
- Logo text: fill=white → fill=var(--btn-label)
All colors now derive from design system tokens. Only #2D6A4F (--success) allowed hardcoded exception.
* fix: correct --btn-label contrast for CTA readability
Change --btn-label from #1A1410 (same as button background) to #FDE8DF
(light background color) so button text has proper contrast against
the dark --accent button background.
This resolves the black-text-on-black issue that broke the main
email capture action and satisfies the checklist button contrast gate.
* fix: add visible focus indicator for input accessibility
P1 Accessibility Polish:
- Update .form-row input:focus to include outline and outline-offset
- Before: border-color only, removing default outline (no visible focus)
- After: border-color + 2px outline + 2px offset (clear focus indicator)
This satisfies the checklist P1 focus-style gate and ensures keyboard
users can see which form field has focus. Both example.html and
template.html updated so agents copy complete focus patterns.
* fix: remove hardcoded logo shadow color - P0 compliance
- Add --logo-shadow CSS variable derived from foreground
- example.html: box-shadow 0 2px 8px rgba(0,0,0,0.08) → var(--logo-shadow)
- template.html: add {{LOGO_SHADOW_EXPRESSION}} placeholder
- Update SKILL.md with logo_shadow_expression input and mapping rules
All colors in example.html now derive from design system tokens.
Ensures agents copy compliant reference without hardcoded shadow colors.
* fix: register waitlist-page skill in i18n localized content registry
Add waitlist-page to locale-specific skill fallback lists so the web
content coverage test passes when the new skill is discovered:
- apps/web/src/i18n/content.ts: Add to DE_SKILL_IDS_WITH_EN_FALLBACK
- apps/web/src/i18n/content.fr.ts: Add to FR_SKILL_IDS_WITH_EN_FALLBACK
- apps/web/src/i18n/content.ru.ts: Add to RU_SKILL_IDS_WITH_EN_FALLBACK
The skill falls back to English localization for now; localized
descriptions can be added to each locale file later.
Fixes: web content coverage test now passes (6/6 tests).
* fix: wire template and checklist into skill workflow as mandatory gates
Restructure waitlist-page SKILL.md workflow to enforce the hardened
template-based execution path:
- Add Preflight section: agents MUST read assets/template.html first
- Add explicit token mapping and escaping rules (steps 2-4)
- Add mandatory Validation section: run references/checklist.md P0/P1
gates BEFORE emitting artifact; fail fast if any P0 gate fails
- Update Quality gates section to emphasize template-based execution
and reinforce P0/P1 gate hierarchy
- Update Output section: only emit after P0 passes; re-validate on
iterations
This prevents agents from writing HTML from scratch or skipping the
hardened seed (template) and validation (checklist) that this PR adds.
* refactor(waitlist-page): replace literal logo placeholder with token
- Replaced `[LOGO]` with `{{LOGO_MARK}}` in template.html
- Added `logo_mark` to inputs in SKILL.md
- Updated mapping rules in SKILL.md to handle raw SVG or text for logo
- Updated P0 validation gates in SKILL.md and checklist.md to ensure logo replacement
* fix(waitlist-page): enforce strict escaping and sanitization for logo token
- Mandate HTML-escaping for text initials.
- Enforce strict allowlist-based sanitization for inline SVG (stripping `<script>`, `on*`, `<foreignObject>`, `href`, `xlink:href`, `url()`).
- Add fallback to escaped text initials for invalid/unsafe SVG.
* docs(waitlist-page): sync logo_mark frontmatter description with rules
- Updated the `logo_mark` input description in the SKILL.md frontmatter to explicitly outline the new requirements for HTML-escaped text or strict allowlist-sanitized SVG.
* fix(waitlist-page): add logo_fg_expression to guarantee contrast in logo mark text fallback
- Added `--logo-fg` CSS variable mapped to `{{LOGO_FG_EXPRESSION}}`.
- Updated `.logo-container` in `template.html` to inherit typography styles and apply `--logo-fg` for safe fallback when rendering escaped initials.
- Enforced WCAG AA contrast for logo initials against container background in `checklist.md`.
* refactor(waitlist-page): migrate hex color tokens to full css expressions
* refactor(waitlist-page): strict validation for color expression tokens to prevent CSS injection
* docs(waitlist-page): update validation summary to reflect strict color grammar
---------
Co-authored-by: Siri-Ray <2667192167@qq.com>
* Optimize Windows packaged web output
* Fix packaged contracts runtime build
* Optimize Windows packaged size pruning
* Prune Windows root Next payload
* Remove Windows bundled Node runtime
* Prune Windows standalone duplicate Next
* Add tools-pack cache foundation
* Cache Windows packaged build layers
* Cache Windows workspace builds
* Cache Electron-ready Windows app
* Split Windows tools-pack module
* Cache Windows dir build outputs
* Split Windows pack build modules
* Document Windows NSIS smoke namespace limits
* Move Windows NSIS smoke note to agents guide
* Optimize Windows beta packaging
* Bump packaged beta base version
* Improve Windows installer namespace UX
* Improve Windows tools-pack cache keys
* Stabilize Windows beta cache version keys
* Cache Windows workspace build outputs
* Optimize windows release beta cache layers
* Cache windows release dependencies
* Trim windows release cache before save
* Refresh windows tools-pack cache key
* Improve windows installer preflight prompts
* Fallback NSIS installer strings to English
* Fix Windows installer cleanup and preflight
* Improve Windows NSIS state logging
* Fix system NSIS Persian language alias
* Use long-path removal for Windows uninstall
* Fix mac tools-pack tests on Windows
* Address Windows packaging review feedback
* Fix Windows installer cache namespace isolation
* Include web output mode in Windows tarball cache key
* Use unique Windows release cache save keys
Add a one-shot OD_LEGACY_DATA_DIR migrator so packaged Desktop users can recover 0.3.x repo .od data into the 0.4.x data root. The migrator stages payloads before promotion, refuses unsafe merges and symlinks, rolls back failed promotion or marker writes, and extends packaged daemon startup handling for long migrations while failing fast on daemon exits.
Closes#710
* Support overriding the Codex executable path
* Replace save-as-template prompts with an in-app dialog
* Seed local packaged app config from workspace
* Fix packaged config and connection test overrides
* Keep tools-pack mac config seeding self-contained
* Require absolute CODEX_BIN overrides
* docs(readme): add @nexudotio X link + Stay in the loop section
- Add X/Twitter follow badge in the header next to Discord, so visitors
can subscribe to release notes and milestone threads in one click.
- Add a short "Stay in the loop" section above "Star us" pointing to
@nexudotio on X. Discord is for chat, X is for the public milestones
(releases, new skills, new design systems).
No other changes.
* feat(web): add Follow @nexudotio pill to entry sidebar foot
- Surface the official X account next to the Settings/Pet/Language pills
so users can subscribe to release notes from inside the app, not only
the README.
- Uses the existing .foot-pill style (already supports <a>, has
text-decoration: none) and the existing 'external-link' Icon — no new
CSS, no new icons, no i18n key required (single short English label).
- Opens in a new tab with rel="noreferrer noopener".
Pairs with the README badge added in this same PR.
---------
Co-authored-by: Tuola-waj <ge@nexu.io>
* feat(settings): add connection test for providers and CLI agents
Adds a "Test" action in the Settings dialog that verifies the configured
provider (Anthropic/OpenAI/Azure/Google) or CLI agent without sending a
real chat. Backed by a new daemon endpoint and shared contracts, with
categorized inline statuses and i18n strings across all supported locales.
* fix(settings): address connection test review feedback
* fix(daemon): pass empty MCP servers for connection probes
* fix(connection-test): address review blockers
* fix(daemon): fail json stream runs on structured errors
* fix(contracts): build connection test subpath export
* Use draft CLI env in agent connection tests
* fix(i18n): add fallback ids for new curated content
* fix(web): add hover tooltips to Design Files action buttons (#283)
The batch-download, select-all, and clear-selection buttons in
DesignFilesPanel had no title attribute, so users hovering them saw no
tooltip. The other action buttons (refresh, new sketch, paste, upload)
already had titles. Added titles to the three missing ones using the
existing translation keys, so hover behavior is consistent across the
panel.
Closes#283.
* docs: point pi-ai links to pi-mono packages (#275)
The pi project moved from a standalone repo to the pi-mono monorepo.
The old URL https://github.com/mariozechner/pi-ai now 404s. Replaced
both shapes of reference:
- The reference-style [piai]: definition now points at
https://github.com/badlogic/pi-mono/tree/main/packages/ai
(the multi-provider LLM API package).
- Inline links whose visible text is the CLI tool 'pi' or 'Pi' now
point at
https://github.com/badlogic/pi-mono/tree/main/packages/coding-agent
(the interactive coding-agent CLI), so a reader clicking 'pi' in
the daemon-discovery section lands on the actual binary's docs.
Affected: README.md and 10 translated READMEs, plus docs/spec.md,
docs/architecture.md, docs/references.md, docs/roadmap.md.
Closes#275.
* fix(daemon): expand $HOME / ${HOME} in OD_DATA_DIR (#390)
Some launchers (systemd unit files, NixOS modules, certain Docker
entrypoints) pass OD_DATA_DIR with a literal '$HOME' or '${HOME}'
because no shell ever expands them. resolveDataDir previously only
handled '~/' shorthand, so '$HOME/.open-design' fell through to
path.resolve(PROJECT_ROOT, '$HOME/.open-design') and produced paths
like /opt/open-design/$HOME/.open-design.
resolveDataDir now expands '~', '~/...', '$HOME', '$HOME/...',
'${HOME}', and '${HOME}/...' to os.homedir() before the absolute /
relative branch runs. Rebuilds via path.join so the platform separator
is correct on Windows even when the input used forward slashes.
Tests: 7 unit tests cover empty/undefined, '~', '~/...', '$HOME',
'$HOME/...', '${HOME}/...', absolute paths, and relative paths.
Closes#390.
* fix(daemon): accept backslash separators + hermetic resolve-data-dir tests
Round 1 review feedback on PR #530.
The previous regex only matched forward-slash separators, so a Windows
launcher passing OD_DATA_DIR=$HOME\.open-design or ${HOME}\.open-design
fell through to path.resolve(projectRoot, ...) and produced a directory
named $HOME or ~ under projectRoot. The regex now accepts both forward
and back slashes for the home-prefix separator.
The previous tests called the real resolveDataDir against literal
~/od-test, $HOME/od-test, etc., which created and write-checked
directories under the developer's or CI runner's actual home. The tests
now stub os.homedir() with vi.spyOn to a per-test mkdtemp directory and
remove it in afterEach, so no test ever writes outside its own sandbox.
Added explicit fixtures for the Windows backslash forms ($HOME\od-test,
${HOME}\od-test, ~\od-test) so launcher coverage stays cross-platform.
12/12 resolve-data-dir tests pass, daemon typecheck clean.
* fix(docs,daemon): apply pi-mono links to README.es and await test cleanup
Round 2 review feedback on PR #530.
README.es.md was added in upstream #552 after my pi-mono link sweep
landed, so the daemon-discovery paragraph (line 222), the [piai]
reference (line 684), and the Pi table row (line 709) still pointed
at the broken https://github.com/mariozechner/pi-ai URL. Applied the
same replacements: the [piai] ref now points at packages/ai, and the
inline Pi link now points at packages/coding-agent. Spanish readers
get the same coverage as the other 11 locales.
The absolute-path test in tests/resolve-data-dir.test.ts dropped its
fixture via void rm(abs, ...), so a failed async removal could leak
rdd-abs-* directories from the suite. The test is now async and
awaits the rm in the finally block, matching the awaited cleanup in
afterEach. 12/12 resolve-data-dir tests still pass, daemon typecheck
clean.
* fix(daemon): share $HOME expander between OD_DATA_DIR and OD_MEDIA_CONFIG_DIR
Round 3 review feedback on PR #530.
resolveDataDir (server.ts) now expands $HOME / ${HOME} / ~, but
media-config.ts had its own resolveOverrideDir that only handled ~/.
Because configFile() falls back to OD_DATA_DIR when OD_MEDIA_CONFIG_DIR
is unset, setting OD_DATA_DIR=$HOME/.open-design split state: SQLite,
projects, and artifacts went to the expanded path while
media-config.json stayed under <projectRoot>/$HOME/.open-design.
Stored provider keys then appeared missing on the next read.
Extracted the home-prefix expansion into apps/daemon/src/home-expansion.ts
so resolveDataDir and resolveOverrideDir share one resolver. Both now
recognize ~ / $HOME / ${HOME} (bare tokens) and ~/, ~\, $HOME/, $HOME\,
${HOME}/, ${HOME}\ (prefix forms with either separator).
Three new media-config routing tests cover the OD_DATA_DIR fallback for
$HOME/..., ${HOME}/..., and the OD_MEDIA_CONFIG_DIR explicit-override
$HOME/... case so the co-location guarantee is locked down by tests.
Daemon typecheck clean. Tests pass on Linux CI; the existing pattern in
the file uses process.env.HOME which os.homedir() reads on POSIX.
Resolve-data-dir tests stay hermetic via vi.spyOn.
* docs(daemon): media-config comments reflect full $HOME / ${HOME} expansion
Round 3 review feedback on PR #530 (lefarcen, P3 non-blocking).
The file-header and resolveOverrideDir() function comment said only
~/ expands. Updated both to mention the shared expandHomePrefix()
helper and the full set of forms it handles (~, $HOME, ${HOME} with
either separator), so a future reader does not need to chase the
implementation to understand what env values are accepted.
* test(daemon): stub os.homedir() in media-config routing tests
Round 4 review feedback on PR #530.
The new $HOME / ${HOME} routing tests relied on process.env.HOME being
read by os.homedir(), which works on POSIX but is unreliable on Windows
(Node prefers USERPROFILE / profile APIs there). The tests would expand
to the real user home while fixtures were written under the per-test
homeDir, causing platform-specific failures in the same area this PR
is making cross-platform.
The inner describe block now stubs os.homedir() via vi.spyOn to return
the per-test homeDir, matching the pattern in resolve-data-dir.test.ts.
Restored in afterEach. The four $HOME-form routing tests now pass on
both POSIX and Windows.
Daemon typecheck clean. The two OAuth fallback test failures unrelated
to this change (real ChatGPT/Codex tokens in the local env) remain
out-of-scope.
* fix(i18n): drop duplicate uk.ts promptTemplates keys after rebase
Upstream #674 added the same Ukrainian translations my earlier
commit added. The rebase landed both copies; tsc rejects duplicate
property names. Drop my copies so #674 (which is now upstream) is
the single source for these keys.
---------
Co-authored-by: Nagendhra <nagendhra405@gmail.com>
* fix(daemon): unbreak Claude Design ZIP import on Node 24 and raise file ceiling
- Skip inflateRawSync when an entry's central-directory uncompressedSize is 0;
Node 24 rejects { maxOutputLength: 0 } with ERR_OUT_OF_RANGE, which silently
killed the entire import for any zip containing an empty file or a streaming
entry whose size is only present in the data descriptor.
- Raise MAX_FILES from 500 to 5000. Real-world design-system exports commonly
exceed 500 files; MAX_TOTAL_BYTES (100 MB) and MAX_FILE_BYTES (25 MB) already
cap pathological inputs.
- Add regression tests for both: zero-byte deflate entry, central directory
advertising uncompressedSize=0, and a 600-file zip.
Refs #590
* fix(daemon): preserve real payload when central uncompressedSize is 0
Reviewers correctly flagged that the previous Buffer.alloc(0) fast-path
trusted the central directory's uncompressedSize, which is unreliable for
streaming/data-descriptor zips: an entry whose central record reports 0
can still carry real deflated bytes. The earlier fix wrote empty files to
disk in that case, and the post-condition body.length !== uncompressedSize
check still passed because both sides were 0.
- Inflate streaming entries with maxOutputLength = MAX_FILE_BYTES when the
central directory advertises 0, so legitimate non-empty payloads decode
fully instead of being silently truncated.
- Move size enforcement post-decode: per-file and total-byte budgets are now
computed from the actual decoded length, and the strict equality check is
skipped when central was 0 (i.e., genuinely unknown).
- Keep the empty-deflate degenerate case (compressed.length === 0) safe by
short-circuiting before zlib instead of relying on uncompressedSize.
Tests:
- New: streaming-zip case with central uncompressedSize=0 + non-empty body
asserts the on-disk file matches the original bytes (would have been
silently truncated under the previous fix).
- New: oversized streaming entry (> MAX_FILE_BYTES) is still rejected even
though the central directory under-reports.
- The original 0-byte and >500-file regressions remain covered.
* fix(daemon): surface OpenCode error frames + treat empty-output runs as failed
Closes#691. OpenCode runs would silently complete in ~3 seconds without
producing any visible chat output and still be rendered as a successful
turn — three independent bugs along the structured-stream path conspired
to produce this silent-failure shape.
## Bug 1 — `apps/daemon/src/json-event-stream.ts:85-91`
OpenCode emits structured error frames on stdout (e.g. provider auth
failures, network errors, schema mismatches) and still exits 0. The
parser was downgrading these to `{type: 'raw', line: ...}`, which the
chat UI does not render as an assistant message. The error string was
discarded as "no-op output."
Fix: emit a proper `{type: 'error', message, raw}` event matching the
qoder-stream contract that the daemon's existing error-handling path
already recognises.
## Bug 2 — `apps/daemon/src/server.ts:4199-4205`
Even after Bug 1 was fixed, the json-event-stream branch wired the
parser to a bare `(ev) => send('agent', ev)` lambda — bypassing the
`sendAgentEvent` wrapper that interprets `type:'error'` events and
sets the `agentStreamError` flag the close handler reads to flip the
run to `failed`. So an emitted `error` event would just be forwarded
as a no-op `agent` SSE event with no lifecycle effect.
Fix: route json-event-stream through `sendAgentEvent`, mirroring the
qoder-stream-json wiring at line 4175.
## Bug 3 — `apps/daemon/src/server.ts:4220-4234`
Even after Bugs 1 and 2 are fixed, there's still a class of runs where
OpenCode never emits any error frame, never emits any substantive
event, and exits 0. Pre-fix this was marked `succeeded` and the user
saw a blank chat with no diagnostic.
Fix: track `agentProducedOutput` inside `sendAgentEvent` (set on
`text_delta`, `thinking_delta`, `tool_use`, `tool_result`, `artifact`
— deliberately NOT on `status` / `usage`, since a model can emit
token-usage numbers for an empty completion). When the close handler
sees `code === 0 && trackingSubstantiveOutput && !agentProducedOutput`
the run is marked `failed` with an explicit AGENT_EXECUTION_FAILED
SSE error so the chat shows a clear reason instead of a silent
empty turn.
The check is gated by `trackingSubstantiveOutput` so it only fires
on streams that actually contribute to the output flag (currently
qoder-stream-json and json-event-stream). ACP sessions and plain
stdout streams keep their existing success/failure determination.
## Tests
- 3 new unit tests in `apps/daemon/tests/json-event-stream.test.ts`
pin the OpenCode error event shape: full repro
(`error.data.message`), `error.name` fallback, and the
generic-fallback shape when `error` is empty.
- All 60 daemon test files (851 tests) pass on `pnpm --filter
@open-design/daemon test`. All 42 web test files (309 tests) pass
on `pnpm --filter @open-design/web test`.
- Full repo `pnpm typecheck` clean.
## Live verification
Verified end-to-end via a stub `opencode` binary that mimics each of
the failure shapes against `pnpm tools-dev run web`:
1. Stub emits `{"type":"error",...}` then `exit 0` — run now ends as
`failed` with the OpenCode error message surfaced as an SSE
`error` event. Pre-fix this was `succeeded` with an empty chat.
2. Stub emits nothing then `exit 0` — run now ends as `failed` with
"Agent completed without producing any output…" diagnostic.
Pre-fix this was `succeeded` with an empty chat.
3. Stub emits a normal `step_start` / `text` / `step_finish` sequence
then `exit 0` — run still succeeds. (Regression check.)
## Out of scope (mentioned for the next person)
- `claude-stream-json` and `copilot-stream-json` still wire to a bare
`(ev) => send('agent', ev)` and don't currently parse `type:'error'`
frames. If their CLIs ever start emitting structured error events
the same pattern (route through `sendAgentEvent` + emit proper
`type:'error'`) applies. Not in scope here because we have no
evidence those CLIs do this today, and changing the wiring without
a confirmed failure mode risks regressing currently-working flows.
- ACP sessions (`pi-rpc`, `acp-json-rpc`) own their own success /
failure determination via `acpSession?.hasFatalError()` and the
empty-output guard explicitly skips them via
`trackingSubstantiveOutput`.
- Plain stdout streams have no event-level tracking, so the empty-
output guard skips them too. Diagnosing a no-output plain-stream
agent is a separate problem that needs different signals.
* chore: retrigger CI on top of green main (post #697 i18n backfill)
* feat(linux): add headless mode for install/start/stop operations
* docs(linux): document headless mode commands and usage
* refactor(linux-headless): write web-root.json instead of polling IPC for URL
* fix(linux-headless): fail start when web identity never appears instead of returning success
* docs(linux-headless): add use-case context and clarify launcher path dependency
* fix(linux-headless): ensure launcher, identity and shutdown align with tools-pack
- Bake OD_DATA_DIR into launcher so manual runs use the same paths as tools-pack
- Validate web-root.json fields before accepting to reject stale identity
- Remove web-root.json on successful stop
- Add IPC server for graceful STATUS/SHUTDOWN handling
* fix(linux-headless): create IPC server before writing web-root.json
* docs: fix broken pi-ai links, point to correct pi-mono packages
All links to https://github.com/mariozechner/pi-ai returned 404 after
the project was restructured into the badlogic/pi-mono monorepo.
- "pi" / "Pi" (the CLI tool the daemon scans for) now points to
packages/coding-agent
- "pi-ai" (the multi-provider LLM API) now points to packages/ai
via the shared [piai] reference definitions
Closes#275.
* fixup! Merge remote-tracking branch 'upstream/main' into docs/fix-pi-pi-ai-links
Fix [piai] reference in README.ar.md and README.es.md: was incorrectly
pointing to packages/coding-agent (pi CLI) instead of packages/ai (pi-ai
provider library).
* fixup! fix row order in README.uk.md: move Pi after DeepSeek TUI to match English README
* feat: add accent color control and launcher for Open Design
* fix: remove launcher binary from PR
* test: cover accent appearance edge cases
---------
Co-authored-by: ferasbusiness666 <ferasbusiness666@users.noreply.github.com>
* ci: notify Discord #resolved on issue close-via-merged-PR
* ci: address review feedback on Discord #resolved workflow
P1:
- Add contents:read permission (required by listPullRequestsAssociatedWithCommit)
- Drop cross-referenced timeline fallback to eliminate false positives from
plain mentions; closed-event+commit_id is now the only resolver path
(also fixes the cross-repo number-collision concern Codex raised)
P2:
- Validate webhook URL prefix before POST (reject misconfigured secrets)
- Retry on Discord 429 up to 3 times honouring Retry-After header,
bounded 1..60s, with sane default if header missing
P3:
- allowed_mentions: { parse: [] } so issue/PR titles can't @everyone or
ping roles/users in #resolved
* feat(skills): add social-media-dashboard skill + Totality Festival design system
- New skill 'social-media-dashboard': single-screen creator analytics
dashboard with platform switcher (X / GitHub / LinkedIn / YouTube /
Instagram), KPI row, growth chart with annotations, top-post / top-PR
preview, trending topics, and top comments. Includes a self-contained
example.html (Totality Festival styled, X + GitHub tabs, live KPI
ticker, GitHub contributors grid, world-map audience geography).
- New design system 'totality-festival': cosmic-premium dark glassmorphic
system with amber corona highlights and cyan atmospheric accents.
Mirrors Google Labs' design.md spec example so skills can be
validated against an upstream reference.
- Fix swatches parser in apps/daemon/src/design-systems.ts so it
recognises the '- **Name:**' bold-with-inner-colon form used by
several existing systems (ant, totality-festival, ...). Previously
only the '**Name** (`#hex`)' form was matched, which left their
picker thumbnails empty.
* feat(skills): polish social-media-dashboard example + add PR preview
- Top Post media block: replace empty gold frame with an inline SVG
thumbnail (radial glow + ascending data curve + amber/cyan pulse dots
+ play icon + 'LIVE · 0:22' caption). Visually echoes the live-artifact
story the post copy is selling.
- Hoist the brand-mark linearGradient into a global SVG defs block at
the top of <body> so all three avatars (header, user, top-post) can
reference url(#brandRing) and render the teal arrow consistently.
Previously only the header SVG carried the gradient definition, so
the user and post avatars rendered as empty rings under headless
capture.
- Add hero.png preview to .preview/ for the PR description.
---------
Co-authored-by: Tuola Ge <gexingli@refly.ai>
* feat(daemon): export project transcript to disk for downstream consumption
Adds exportProjectTranscript(db, projectsRoot, projectId, options?) — a
pure function that walks SQLite-backed conversation history and writes a
structured, lossless JSONL transcript to <projectDir>/.transcript.jsonl.
This is the input primitive that #450's "Finalize design package"
synthesis step needs. Landed ahead of the synthesis endpoint as a small,
reviewable, well-tested unit — no HTTP route, no LLM call, no web UI in
this diff. PR 2 will wire POST /api/projects/:id/finalize on top of it.
Format: JSONL with header line + per-conversation marker lines +
per-message lines. Compact encoding saves ~20–30% on synth-call tokens
vs pretty-printed JSON. schemaVersion field reserved on the header for
incompatible changes later.
Coalescing: events_json carries streaming text_delta / thinking_delta
chunks plus tool_use / tool_result / thinking_start markers and
telemetry. The export collapses runs of same-type deltas into terminal
text / thinking blocks via arrival-order with type-change flush,
preserving any interleaving with tool blocks. Telemetry (status, usage,
raw) is dropped. thinking_start is treated as an explicit flush trigger
so multiple thinking blocks in one message survive intact.
Content fallback: user-typed messages persist as plain text in
messages.content with events_json = NULL because user input does not
flow through the streaming pipeline. When event-derived blocks come
back empty, fall back to a single text block from content so user
prompts are not silently dropped.
Atomic write: tmp filename includes pid + crypto-random suffix so
concurrent exports for the same project cannot collide. fsync before
rename so a crash between rename and power loss cannot lose bytes.
Hidden file: leading dot keeps .transcript.jsonl out of listFiles
(projects.ts:54), the archive zip, and the gallery.
Tests: 14 unit cases — empty project, text/streaming coalescing, tool
ordering, telemetry filtering, type-change flush, text↔thinking↔text
interleaving, thinking_start flush, multi-conversation chronological
order, atomic-write hygiene, content fallback (both directions),
malformed events_json, and unsafe project id rejection.
Refs: nexu-io/open-design#450
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(daemon): address PR #493 review feedback for transcript export
Addresses every blocker, P2, and P3 raised on
https://github.com/nexu-io/open-design/pull/493:
- Blocker (event-shape mismatch): coalescer now switches on the
PersistedAgentEvent kind discriminator (text/thinking/tool_use/
tool_result), reading the shared `text` field for content kinds,
matching what apps/web/src/providers/daemon.ts:347-394 actually
persists into messages.events_json. Empirical confirmation: live
SQLite contains zero `type` keys.
- Removed @ts-nocheck from the source file; added inline types for
Db (Database.Database), ConversationRow, MessageRow, AttachmentRef,
CommentAttachmentRef, and Block. Tests retain @ts-nocheck per
codebase convention. Note: db.ts still uses @ts-nocheck, so the
new types catch drift inside transcript-export.ts itself, not at
the SQLite-helper boundary.
- parseEvents now distinguishes null / malformed / not_array / ok
cases; non-null-but-unparseable rows emit a console.warn with
project+message id before falling back to content.
- Switched temp-write from writeSync (which can return short) to
writeFileSync({flag:'wx'}); explicit fsync via reopen before
rename, per reviewer concern about partial-write durability.
- Added per-project lockfile (.transcript.lock) acquired with
openSync(..., 'wx') and released in finally; concurrent exports
throw the new TranscriptExportLockedError. Stale-lock recovery
is documented as a known limitation in the file header.
- Header gains attachmentCount, commentAttachmentCount, and explicit
attachmentsInlined: false. Per-message lines gain attachments /
commentAttachments references (paths only, not bytes; synthesis
reads files from disk by path). schemaVersion bumped 1 -> 2 so
the change is explicit; v1 was never consumed.
- mkdirSync(dir, { recursive: true }) at entry covers projects
with DB rows but no on-disk directory yet (codex bot finding).
- Refactored node:fs imports from named to default
(import fs from 'node:fs') so vitest spies in tests #15-#17 can
redefine properties on the underlying CJS exports object. ESM
namespace imports of node:fs produce a frozen Module Namespace
Object that vi.spyOn cannot mutate; default-import returns the
CJS module.exports which is mutable.
- Inline PersistedAgentEvent union: the daemon tsconfig does not
resolve the `@open-design/contracts/api/chat` subpath export, so
the union is restated in the source. Schema-mismatch tests cover
the case where the contract would diverge.
- Test count 14 -> 24: failure injection for writeFileSync /
fsyncSync / renameSync, existing-file replacement, lockfile
contention (lockfile-pre-create design — synchronous API can't
race via Promise.allSettled), parse-warning cases (malformed +
not-array), attachments header + per-message coverage, missing-
project-dir case.
Refs nexu-io/open-design#450 (does not close).
* fix(daemon): preserve thinking-segment boundaries on status thinking-start
Codex flagged this as a P2 on PR #493a39d430:
https://github.com/nexu-io/open-design/pull/493#discussion_r3188524878
The web translator emits `{ kind: 'status', label: 'thinking' }` at every
thinking_start (apps/web/src/providers/daemon.ts:367-369). The previous
default branch dropped all status events without flushing the active
accumulator, so two thinking segments separated only by that marker
merged into one block — losing the original boundary and making the
transcript non-lossless for downstream synthesis.
coalesceBlocks now matches `status` explicitly: when `label === 'thinking'`
the prior accumulator flushes; other status labels and usage / raw drop
without flushing as before. Behavior fix within schemaVersion 2; no
shape change.
Test #25 verifies the boundary preservation:
[thinking 'a', thinking 'b', status 'thinking', thinking 'c', thinking 'd']
→ blocks: [thinking 'ab', thinking 'cd'] (two blocks, not one)
Existing test #5 still passes because it uses status with label 'streaming'
which remains pure telemetry and does not flush.
Suite: 506 -> 507 daemon tests, all green.
Refs nexu-io/open-design#493
---------
Co-authored-by: DevForgeAI CI/CD Engineer <devforge-ai@development.ai>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(skills): add 5 Orbit briefing templates
Introduces a new "orbit" scenario family in the Examples gallery for
morning-briefing surfaces. Each template lives at the top of "我的设计"
and aggregates yesterday's connector activity into a single page.
- orbit-general: adaptive bento dashboard that fans across 12-16
connectors, where each module picks its own UI form by data type
(list / avatar stack / status ring / heatmap / file grid / alert
card / kanban / etc.)
- orbit-github: GitHub-flavored single-connector digest mirroring the
Notifications + PR-diff visual language
- orbit-gmail: Gmail-flavored digest rendered as a Daily Digest email
inside the three-pane inbox
- orbit-linear: Linear-flavored digest in the dark Inbox + cycle-
progress layout
- orbit-notion: Notion-flavored digest authored as a native Notion
page (callout / toggle / database table)
The new scenario value 'orbit' surfaces as a filter pill in
ExamplesTab automatically; no UI code change required.
* fix(skills): reframe Orbit skill descriptions as pipeline-triggered
The original descriptions framed each skill as a standalone "X-flavored
briefing template" the user picks. They are actually skills the Orbit
daily-digest pipeline selects automatically based on which connectors
the user has authenticated, then runs against live connector data.
Rewrites both `description` and `example_prompt` for all 5 templates:
- orbit-general: invoked when 2+ connectors are connected; aggregates
the past 24h across every authenticated source
- orbit-github / orbit-gmail / orbit-linear / orbit-notion: invoked
when the named connector is the user's only connection (or scope is
explicitly limited to it); pulls the past 24h from that connection
alone
All 5 now state explicitly that they are not user-triggered — the
Orbit scheduler invokes them.
* feat(examples): add Orbit pill to the mode filter row
Surfaces the Orbit briefing skills as a top-level "type" filter in the
Examples gallery, alongside Prototype · Desktop / Mobile / Slide deck /
Docs & templates. Filter matches skills with scenario === 'orbit'.
- ExamplesTab: extend ModeFilter and MODE_PILLS with 'orbit'; teach
matchesMode and modeCounts about it
- i18n: add 'examples.modeOrbit' to Dict and to all 16 locale files
('Orbit' is left untranslated as a brand name)
* polish(orbit-general): real Figma preview image + revised comment
Replaces the empty gray placeholder in the Figma module with an
Unsplash UI-design photo, and rewrites the mock comment to read like
a substantive design-review note rather than a nit about button
placement.
* feat(examples): eager-load card previews via IntersectionObserver
Card previews previously only loaded on hover, leaving the example
gallery showing 'Hover to preview' placeholders for everything below
the fold. Now each card observes the viewport and prefetches its HTML
800px before scrolling into view, so the iframe is ready by the time
the user reaches it.
Hover remains as a fallback path (and for browsers without
IntersectionObserver, the card loads immediately on mount).
Also reverts the Unsplash photo on the orbit-general Figma module
back to the gray placeholder — the stock image semantically misread
as a Photoshop screenshot rather than a Figma artboard.
* feat(orbit-general): drop Figma connector module
Removes the Figma bento card and its scoped CSS, plus the orphaned
Top-3 entry that referenced a Figma comment. Reassigns Top-3 #2 to
a Notion document review so the priority list stays aligned with
the connectors actually rendered.
* i18n(skills): translate Orbit example prompts to English
The example_prompt is what gets injected into the chat input when a
user clicks 'Use this prompt', and is read by the agent verbatim. It
should match the SKILL.md description language (English), not the UI
locale. Replaces the Chinese drafts with English equivalents across
all 5 Orbit skills, and drops the Figma reference from orbit-general
since that connector module was removed earlier.
* fix(skills): rewrite Orbit SKILL.md bodies with reproducible specs
Earlier the bodies were too abstract (only a connector→UI mapping
table and a one-line style note), so agents running the skill could
not reproduce the shipped example.html and got stuck in long retries.
Each SKILL.md body now contains:
- exact color tokens lifted from the example.html
- type stack and font sizes
- a section-by-section page spec (top-to-bottom)
- chip / pill / icon rendering rules
- forbidden list
The example_prompt is collapsed back to a one-line user intent so the
skill body is the source of design truth.
Covers all 5 templates: orbit-general, orbit-github, orbit-gmail,
orbit-linear, orbit-notion.
* feat(orbit): make every connector item clickable
Each Orbit briefing template now links its rows / cards to the matching
source URL so users can jump straight from the morning digest to the
underlying connector.
- orbit-general: each bento card gains an 'Open in {connector} ↗' CTA
built from a connector→URL map; each Top 3 card becomes an anchor
- orbit-github: every event row opens the corresponding github.com
pull/issue URL parsed from the row identifier; the header logo links
to the repo
- orbit-linear: each issue row gains a small ↗ button that opens
linear.app/{team}/issue/{ID}
- orbit-gmail: action and reply buttons jump to a Gmail search URL
scoped to the sender
- orbit-notion: page-link spans wrap as anchors and database rows are
click-to-open against notion.so
All links use target="_blank" rel="noopener noreferrer".
* fix(skills): force agents to mirror example.html 1:1
Earlier skills told the agent the example was 'source of truth' but
left phrasing soft, so agents felt free to add extra UI elements
(snoozed-mail row, extra yellow stars on inbox rows, etc.) that
were not in example.html.
Each Orbit SKILL.md now opens with a 'Source-of-truth protocol' that
forces the agent to:
1. read example.html before writing any output
2. mirror its DOM structure / class names / module count / element
order 1:1
3. only refresh mock values; never invent additional UI elements,
rail entries, sections, badges, or chrome ornaments
The reference sections that follow stay informative for tokens and
visual language but are explicitly demoted from spec to commentary.
* fix(orbit-gmail): remove three-pane / left-rail / inbox-list claims
The example.html is a single-column page: Gmail top header + the
opened Orbit Daily Digest email (toolbar / subject / sender / digest
body / reply bar). Earlier copy described a Gmail three-pane app with
Compose button, label list, Categories tabs, and an inbox listing —
none of which exist in the actual asset.
- example_prompt: drops 'three-pane inbox' phrasing
- description: same
- body: rewrites Page sections to mirror the real header → email-chrome
layout, top to bottom; explicitly forbids left rail, inbox list, and
Categories tab strip
* feat(orbit): forbid external design systems in all 5 skills
Each Orbit briefing template ships its own complete visual language
baked into example.html (Gmail / GitHub / Linear / Notion / Open
Orbit's editorial bento). Adds an explicit 'Design system policy'
block telling the agent to:
- ignore any DESIGN.md attached to the active project
- ignore brand tokens or Figma files supplied via chat
- use exclusively the colors / fonts / radii from example.html
This is a hard constraint: an Orbit briefing must look like the
connector it represents, not like the user's brand.
* feat(newproj): hide design-system picker for skills that opt out
Skills can declare 'od.design_system.requires: false' in SKILL.md to
opt out of DESIGN.md injection (the Orbit briefing skills do this —
their example.html ships with a complete connector-native visual
language). When the active default skill for a tab opts out, hide the
design-system picker so we don't ask the user to attach a brand we'll
then ignore.
Existing tabs that don't host a default skill (template, other) keep
the picker. The check only fires for prototype / live-artifact / deck.
* review: address P2 reviewer feedback
P2 — Connector family coverage gaps (orbit-general):
Adds Finance, CRM/Sales, Support, Analytics, Infrastructure, Security
rows to the connector→UI mapping table (now 16 families). Adds a
'Fallback heuristics' subsection so unknown connectors are routed by
data shape (numbers + time series → Alerts, rows + status field →
Task mgmt, etc.).
P2 — 'Forbidden' rules too vague (all 5 skills):
Rewrites every Forbidden section as a paired 'Don't / Do' constraints
table so each negative is paired with a concrete positive. Replaces
obvious bans (lorem ipsum) with substantive ones (real-shaped mock
copy, plausible identifiers, dev-team label hues, etc.).
* ci: register orbit skills in de/ru/fr en-fallback lists
The localized-content coverage test asserts that every skill in
skills/ is either translated or explicitly declared as falling back
to English in the LOCALIZED_CONTENT_IDS bundle. The 5 new orbit
skills weren't in any bundle, so the workspace validation job failed
on the de/ru/fr coverage assertions.
Adds the 5 orbit-* ids to DE/FR/RU_SKILL_IDS_WITH_EN_FALLBACK so
those locales explicitly fall back to the SKILL.md English copy
(matching the minimal-change posture chosen earlier in this PR).
* fix(daemon, packaged): unbreak GUI-launched agent detection on minimal PATHs (#442)
GUI-launched daemons (Finder/Dock on macOS, .desktop on Linux) inherit a
stripped PATH from launchd / the desktop session and don't read the
user's interactive shell rc files, so any CLI installed via `npm i -g`
under a sudo-free prefix like ~/.npm-global was silently undetected.
Two layers maintained their own copies of the user-toolchain bin list
(`apps/daemon/src/agents.ts:userToolchainDirs` for the resolver,
`apps/packaged/src/sidecars.ts:resolvePackagedPathEnv` for the packaged
sidecar PATH builder) and had already drifted on `~/.asdf/shims` and
`~/Library/pnpm`. Adding ~/.npm-global to one side would have
preserved the same anti-pattern.
Extracts `wellKnownUserToolchainBins` into @open-design/platform as the
single source of truth, has both layers consume it, and extends the
list to cover ~/.npm-global/bin, ~/.npm-packages/bin, plus
$NPM_CONFIG_PREFIX/bin / $npm_config_prefix/bin for users with a
non-standard prefix. New vitest coverage in the platform package and
a regression test in apps/daemon/tests/agents.test.ts modelled on the
existing mise case.
Verified end-to-end: under PATH=/usr/bin:/bin:/usr/sbin:/sbin (the
launchd default a `.app` actually inherits), `resolveAgentExecutable`
now returns ~/.npm-global/bin/gemini instead of null.
* fix(daemon): isolate OD_AGENT_HOME resolution from $NPM_CONFIG_PREFIX leakage
Address review feedback on PR #614:
- mrcfps spotted that the daemon wrapper called wellKnownUserToolchainBins
without passing `env`, so the helper read its default process.env. A
developer or CI runner with NPM_CONFIG_PREFIX / npm_config_prefix
exported would inject that real <prefix>/bin into resolveOnPath() even
while the OD_AGENT_HOME hook pointed home at a temp fixture, making
agent-detection tests environment-dependent. Reproduced locally: with
OD_AGENT_HOME=<tmp> + NPM_CONFIG_PREFIX=/Users/me/.npm-global,
resolveAgentExecutable({ bin: 'codex' }) returned the real machine's
binary instead of null. Wrapper now passes `env: {}` whenever
homeOverride is set, alongside the existing includeSystemBins gate.
- lefarcen suggested also handling whitespace-only NPM_CONFIG_PREFIX
values (e.g. NPM_CONFIG_PREFIX=" ") so the helper does not emit a
bogus "<whitespace>/bin" entry. Added a .trim() check before
appending.
- lefarcen also suggested a comment pointer from the daemon wrapper to
the platform helper so readers don't have to grep. Added the
reference inline.
Coverage:
- packages/platform/tests/index.test.ts: new whitespace-prefix case.
- apps/daemon/tests/agents.test.ts: new env-isolation regression
asserting that OD_AGENT_HOME + NPM_CONFIG_PREFIX cannot leak the
real prefix bin into the sandbox.
* test(daemon): preserve $NPM_CONFIG_PREFIX across the env-isolation case (#614)
Address mrcfps's second-round review on PR #614: the env-isolation
regression sets `process.env.NPM_CONFIG_PREFIX = realPrefix` in its
body and then unconditionally `delete`s it in `finally`. On a developer
machine or CI runner that already exported `NPM_CONFIG_PREFIX`, that
mutates the worker-wide env for every later test, making downstream
env-sensitive assertions order-dependent.
Move the save/restore into the file's existing afterEach hook (mirroring
the OD_AGENT_HOME / OD_DAEMON_URL / OD_TOOL_TOKEN pattern) and drop the
in-test `delete`. Same coverage, no worker-state mutation.
* fix(platform): prioritise $NPM_CONFIG_PREFIX over the conventional npm guesses (#614)
Address mrcfps's third-round review on PR #614: when the user has
explicitly configured a prefix via $NPM_CONFIG_PREFIX (or
$npm_config_prefix), that's where `npm i -g` puts the *current*
binaries. The conventional guesses ~/.npm-global / ~/.npm-packages
often hold *stale* installs from an older prefix the user has since
rewritten — searching the env-driven prefix first matches npm's own
resolution order (env > .npmrc > default) and gives "explicit beats
convention" semantics.
Move the env-driven push above the conventional `dirs.push(.npm-global,
.npm-packages)`. Add a vitest case in the platform package that asserts
$NPM_CONFIG_PREFIX/bin's index in the result is strictly less than
~/.npm-global/bin's and ~/.npm-packages/bin's.
`resolveOnPath()` and the packaged PATH builder both preserve insertion
order, so first hit wins and the new ordering propagates to both
layers.
* fix(platform): lift $NPM_CONFIG_PREFIX above every conventional bin (#614)
Address mrcfps's fourth-round review on PR #614: the previous fix only
moved $NPM_CONFIG_PREFIX/bin ahead of ~/.npm-global / ~/.npm-packages,
but ~/.local/bin still appeared earlier in the array. Under a minimal
GUI-launch PATH a stale agent in ~/.local/bin (also a shared dumping
ground for pip --user / cargo install / hand-built binaries) could
outrank the user's *current* explicit npm prefix.
Move the env-driven push to the head of `dirs` so the explicit prefix
wins over every conventional location below — ~/.local/bin included.
Matches npm's own resolution order (env > .npmrc > default) across the
whole list, not just the npm-prefix block.
Tightened the existing order test to assert `explicitIdx === 0` and
that ~/.local/bin's index is strictly greater than the explicit
prefix's index, so a future drift would fail loudly.
* feat(media): add Nano Banana image provider
* fix(media): support Gemini API key headers for Nano Banana
* refactor(media): move Nano Banana model override flag into provider metadata
* feat(craft): add form-validation + opt-ins on saas-landing, mobile-onboarding
Module 5 of 5 in the behavioral craft series proposed in #501.
Modules 1-4 merged: state-coverage (#502), animation-discipline (#515),
accessibility-baseline (#587), rtl-and-bidi (#595).
Picks up where accessibility-baseline.md ends (label + describedby +
invalid + role=alert for inline errors) and connects the four layers a
real form spans: WHATWG Constraint Validation as the platform floor,
validation timing as a state machine on the input, WCAG 3.3.x as the
announcement and recovery contract, schema as the cross-stack truth.
Sections: input state machine; validation timing (4 rules anchored on
:user-invalid Baseline 2023); Constraint Validation API rules
(setCustomValidity, requestSubmit vs submit, readonly + #11841,
inputmode); error wiring beyond the baseline (adaptive messages,
error summary without role=alert, preserve user input on error);
schema as cross-stack contract (Standard Schema, server-authoritative,
Zod 4 z.email() form); WCAG 3.3.3 / 3.3.4 / 3.3.8 / 3.3.9; native
mobile parity (UIKit, SwiftUI, Compose, Flutter, RN); common mistakes.
Reviewed in 3 loops with Claude CLI Opus 4.7 xhigh effort:
- Loop 1: 6 P0s caught (SwiftUI Form validity claim, SwiftUI
announcement primitive, Compose semantics syntax, UIKit
UIAlertController, contradictory Baymard stats, 3.3.8 CAPTCHA
framing reversed) + 11 P1/P2s; all addressed.
- Loop 2: verified P0 fixes; flagged 1 P1 (RN table row scrambled) +
4 P2s; all addressed.
- Loop 3: SHIP verdict. Three P2 nits applied (Zod 4 z.email() form,
WebAIM Million 2026 stat woven in: 51% page-level, 33.1% input-level).
WebAIM Million 2026 numbers verified directly against
webaim.org/projects/million/.
Skill opt-ins: saas-landing (lead capture form), mobile-onboarding
(sign-in screen). Skill bodies do not contain validation-specific
instructions that would override craft guidance — opt-in alone is
sufficient. README updated.
Refs #501.
* fix(craft+skills): form-validation review fixes (lefarcen + mrcfps P2s)
Both non-blocking findings addressed:
- Drop form-validation from saas-landing.craft.requires. The skill body
produces a CTA-driven landing page with no JS and no interactive
form. Adding form-validation injected ~221 lines of irrelevant prompt
pressure and conflicted with the README opt-in rule ("primary
artifact contains an interactive form"). mobile-onboarding keeps the
opt-in — sign-in screen is a real form.
- Reword timing rule 4 (async checks). Previous "never block submit on
a network round-trip" was too broad and conflicted with the
schema-layer "server is the truth" rule. Split into two paths:
background preflight (uniqueness, address lookup) doesn't gate the
form; authoritative submit-path server validation must await the
server response and surface its field errors. The rule is "don't let
a slow background check freeze the form," not "don't ever wait for
the server."
* fix(craft): form-validation mrcfps round-2 (novalidate trade-off, Flutter RTL)
Two non-blocking precision items:
- novalidate trade-off: previous wording said keeping required/pattern/type
preserves no-JS PE, but a literal server-rendered <form novalidate>
disables the browser's submit-blocking and validation UI even when
JS is unavailable — losing the no-JS constraint-validation floor.
Reworded to spell out the two safe patterns: (A) render <form>
without novalidate server-side and have the form library set
form.noValidate = true after hydration, or (B) ship novalidate from
the start only when the submit path reaches server validation
without JS. Either way, keep the constraint attributes.
- Flutter announcement example: hardcoded TextDirection.ltr would
announce Arabic/Hebrew/Persian validation messages with wrong bidi
direction when this craft is combined with rtl-and-bidi. Switched
to SemanticsService.announce(message, Directionality.of(context))
with an explicit warning never to hardcode the direction.
* fix(craft): form-validation mrcfps round-3 (readonly safety, Compose error message)
Two non-blocking precision items:
- Non-input readonly fallback: previous text said `aria-readonly` plus
hidden mirror input was an option for non-input controls that need
to submit. But `aria-readonly` doesn't actually stop a `<select>` or
custom widget from being changed, so the visible control can drift
while the hidden input ships a stale value — user sees one option,
server gets another. Tightened: prefer `disabled` plus a same-named
hidden input, or non-editable text plus hidden input. If using
`aria-readonly`, the interaction must also be blocked or the two
values kept in sync.
- Compose error message: previous rule was too absolute about avoiding
`Modifier.semantics { error("…") }`. `isError = true` flips the
field state but does not carry the localized error message; Android
Compose accessibility guidance pairs `isError` with
`semantics { error(message) }` so the accessibility service gets the
real text. The trap is duplication, not the API itself. Reframed
the rule: use both, source the message from the same state field as
`supportingText` so they stay in sync.
* fix(craft): form-validation Compose live-region API name
Compose row in the native-mobile parity table named a "LiveRegion"
semantic that doesn't exist. Real API is `Modifier.semantics
{ liveRegion = LiveRegionMode.Polite }` on the supporting-text node.
Also replaced the generic `view.announceForAccessibility(…)` with the
Compose-idiomatic `LocalView.current.announceForAccessibility(message)`
so generated snippets compile.
* fix(web): improve settings dialog scroll behavior
- Remove double scroll containers by changing modal-body overflow from auto to hidden, letting only settings-content handle scrolling
- Add min-height: 0 to settings-content and settings-sidebar to allow proper shrinking in grid layout
- Add overscroll-behavior: contain to prevent scroll chaining (scroll bleed-through to parent page)
- Add overflow-y: auto to settings-sidebar for cases where navigation items exceed viewport height
These changes fix the nested scroll issue that caused confusing scroll behavior and prevent content overflow on smaller viewports.
* fix(i18n): add missing Ukrainian translations for promptTemplates
Add promptTemplates.allSources and promptTemplates.sourceFilterAria translations to fix TypeScript error.
