Merged
13 changes: 13 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -11,6 +11,12 @@ updates:
python-deps:
patterns:
- "*"
ignore:
# fastapi 0.137 regressed include_router so sub-router routes are not
# registered (#903); pyproject pins fastapi<0.137. Stop dependabot
# proposing the cap-raise until the regression is fixed upstream.
- dependency-name: "fastapi"
versions: [">=0.137"]

# Desktop SPA (Vite/React)
- package-ecosystem: "npm"
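Review bot: The `versions: [">=0.137"]` ignore on fastapi is open-ended, so it also hides the later release that fixes the include_router regression (#903), and nothing in the file prompts anyone to remove it. State the removal condition in the comment (for example "remove when #903 is closed and the pyproject pin is lifted"), or ignore only the releases known to be affected, so the dependency does not silently stay on an old line once upstream is fixed.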
Expand All @@ -23,6 +29,13 @@ updates:
spa-deps:
patterns:
- "*"
ignore:
# Major bumps of the heavy UI libs (tldraw 4->5, lucide-react 0->1,
# tsparticles 3->4, etc.) carry breaking API changes and must be migrated
# deliberately (e.g. the tldraw engine migration, #75), not auto-merged.
# Minor/patch bumps still flow through normally.
- dependency-name: "*"
update-types: ["version-update:semver-major"]

# GitHub Actions workflows
- package-ecosystem: "github-actions"
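Review bot: The comment above the npm ignore rule names the heavy UI libs (tldraw, lucide-react, tsparticles), but `dependency-name: "*"` with `version-update:semver-major` suppresses major bumps for every package covered by this npm entry. If that breadth is intended, say so in the comment; otherwise list the libraries by name, so that a major release of an unrelated dependency is still proposed and reviewed.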
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -69,7 +69,7 @@ jobs:
# distro-agnostic standalone builds, which works on Fedora, the Ubuntu
# VPS, and GitHub-hosted runners alike.
- name: Set up uv
uses: astral-sh/setup-uv@v6
uses: astral-sh/setup-uv@v7
with:
enable-cache: true

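Review bot: `uses: astral-sh/setup-uv@v7` follows a mutable major tag, and the comment above this step says the setup is meant to work on Fedora, the Ubuntu VPS and GitHub-hosted runners, so whatever that tag points to executes on those hosts. Pin the action to a full commit SHA with the version in a trailing comment, and let the github-actions dependabot entry propose the bumps.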
Expand Down Expand Up @@ -107,7 +107,7 @@ jobs:
python-version: "3.12"

- name: Set up uv
uses: astral-sh/setup-uv@v6
uses: astral-sh/setup-uv@v7
with:
enable-cache: true

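Review bot: This second `setup-uv` step takes the same v6 to v7 major bump, and neither hunk records which breaking changes in v7 were checked against the `enable-cache: true` configuration used here. A short note in the PR description saying what was checked would match the rule this same change adds to dependabot.yml, that major bumps are migrated deliberately.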
5 changes: 4 additions & 1 deletion docs/STATUS.md
@@ -1,5 +1,8 @@
SINGLE SOURCE OF TRUTH for cross-agent handoff.
Last updated: 2026-06-20 ~12:05 UTC, @taOS-dev (SELF-HOSTED CI LANDED: #1201 (-> task #119) routes the slow python `test` job to two self-hosted runners labelled taos-ci -- the always-on fasthosts VPS (16c EPYC-Milan, dedicated) + the Fedora 3060 box (i5-10600, 6c/12t). Benchmarked ~tied per-core (Fedora 2.04s / VPS 2.17s single-thread microbench), so CI uses the POOL in PARALLEL (3.12+3.13 split across both boxes, ~5min cold vs ~16min on GitHub) rather than pinning to one "primary". Dropped actions/setup-python (no prebuilt CPython for Fedora 43) -> uv now provisions Python from its distro-agnostic standalone builds, which works on Fedora + the Ubuntu VPS + GitHub alike. A pick-runner chooser job falls back to ubuntu-latest ONLY when BOTH self-hosted runners are offline (never-hang); that fallback needs an OPTIONAL repo secret RUNNER_ADMIN_PAT (fine-grained, administration:read) to read runner status -- without it CI just stays on the pool, which the always-on VPS keeps serviceable. Repo set to require-approval-for-all-outside-collaborators. Runner services: VPS in /opt/actions-runner as an unprivileged ghrunner user; Fedora in /opt/actions-runner (relocated from home to satisfy SELinux). #120 kilo compute lane on Fedora PENDING Jay (installing+authing kilo; global-npm EACCES -> user prefix ~/.npm-global or sudo; then I scp ~/.taos-team over). UPDATE-FIX promoted to MASTER earlier this session (8996ac26): `npm ci` so the in-app update never dirties desktop/package-lock.json and aborts the pull (#1197) + hardened lockfile restore (#1199) + WSL memory-cap detection in hardware.py (wsl/mem_note advisory, #1199). The WINDOWS "remote access app" pop-up a Discord user reported was AUDITED and is BENIGN: the standard Windows Firewall prompt for the local uvicorn server binding 0.0.0.0:6969; no Windows-API calls, phone-home, or remote-access/screen-share tool anywhere (only-if-used secondary firewall-y bits: Neko browser WebRTC UDP + torrent UPnP). 
dependabot #991-994 + #1196 still HELD for Jay's separate pass. #114 VITEST CI GATE LANDED (#1202, task #114 DONE): vitest now runs in the spa-build CI job over ~1,900 desktop tests (previously never gated). Fixed 2 stale tests (userspace app ids are namespaced `userspace:<id>` per #89; the projectsApi.subscribeEvents EventSource mock must be constructable since the code does `new EventSource`). Quarantined 9 suites in desktop/vite.config.ts test.exclude tagged #114: AgentsApp x4 (drift vs #59 redesign), BrowserApp x4 (drift vs #66), EmojiPicker (order-dependent: passes alone, fails under the full suite) -- un-exclude each as its owning work lands. WSL user RESOLVED: his install/reach issue self-resolved (back in the UI). New report: UI LAG on an older laptop (GTX 1060, Edge, default STATIC wallpaper so wallpaper is NOT the cause) -> traced to GPU-heavy compositing (~90 backdrop-blur surfaces + big soft shadows + continuous animations). #58 PERF MODE BUILT (#1203, green CI, HELD for eyeball): opt-in Settings -> Accessibility "Reduce effects" toggle sets reduceEffects in the theme store -> App.tsx applies data-perf=reduced on :root -> tokens.css strips backdrop-filter, opaques the glass bg token, flattens the shadow tokens, stops the named infinite animations. FULLY opt-in: every rule is scoped to [data-perf=reduced] and the attr is off by default, so the default desktop is byte-for-byte unchanged. NOT pixel-verified by me (control-API /screenshot needs a live browser session, none headless); awaiting Jay/user eyeball of the reduced look before merge. Fast-follow: auto-enable on low-end GPUs via a client-side FPS probe on first run. #120 FEDORA KILO LANE LIVE (task #120 DONE): @taOS-dev-kilo-fedora dispatch-only loop in tmux `owl-fedora` (model kilo/openrouter/owl-alpha = the free owl model, same kilo account) claims board cards + pushes exec/* PRs while the Mac stays the single gater; idle now (board empty, campaign plateaued). 
Fedora prepped: jaylfc git identity + uv + gh re-authed (token piped from the Mac) + ~/tinyagentos clone + ~/.taos-team stack; executor.sh REPO is now TAOS_REPO-parameterized (Mac path is the default). five_hour 64% / seven_day 13%. PRIOR ENTRY BELOW.)
Last updated: 2026-06-20 ~20:25 UTC, @taOS-dev (BETA.4.1 SHIPPED + SECURITY PASS. INSTALL RELIABILITY fully resolved: the SPA bundle is no longer built on every machine -- CI publishes a prebuilt bundle (keyed by the git tree SHA of desktop/, plus a SHA256 the installer verifies before extracting) to a rolling `bundle-latest` release AND each version tag; install-server.sh + desktop_rebuild.py download+verify it and skip the memory-heavy vite build that OOM'd on small machines (8GB WSL), falling back to a loud-failing local build only on a miss (#117 via #1204/#1205/#1207). Re-installs now update the EXISTING install in place (INSTALL_DIR defaults to the running service WorkingDirectory, then /opt, not $HOME) -- found on the Pi where a root curl|bash had forked /root + repointed the service; restored Pi to /opt on beta.4.1, data intact. Reduce-effects perf mode (#58) + Fedora kilo lane (#120) MERGED. RELEASED v1.0.0-beta.4.1 (version bumped so the in-app updater flags it); Pi verified on beta.4.1, the install ran in 31s via the prebuilt path with no local build. gitar must-fixes folded (mktemp symlink-safe staging, atomic-rename swap, stale-mtime touch, path-safe tar fallback, chown primary-group). SECURITY (dependabot pass): advisories 14 (2 critical / 5 high) -> 3 (1 high / 2 moderate). Merged the clean bumps undici/uv-group/setup-uv (#991/#992/#1196, cleared all criticals); closed the breaking ones (#993 npm majors tldraw 4->5 / lucide / tsparticles, #994 fastapi 0.137 which regresses include_router #903) + added dependabot.yml ignores (fastapi>=0.137, npm semver-major) so they recreate clean; bumped cryptography 48->49 (patched OpenSSL = the HIGH) + pydantic-settings (#1211 MERGED to dev). 3 remaining are all minor/patch-fixable: cryptography fixed on dev (pending master), dompurify medium + the rest land via the next dependabot run. 
INSTALL first-run message now tells users to create their admin account at the Web UI -- there is NO default password, first visit serves a /setup page (answered a Discord question). PROMOTING dev->master now: this clears the master advisory count AND activates the dependabot.yml ignores (dependabot reads config from the default branch). NEXT (Jay order 4,1,3,2; #4 board exhausted+skipped, #1 dependabot ~done): #117 broader install-rescue hardening, #58 FPS auto-detect on low-end GPUs, #115 RK image-gen flagged store install, #116 rknn-llm 1.3.0. five_hour 4% / seven_day 17%. PRIOR ENTRY BELOW.)

==================================================================
STATE 2026-06-20 ~12:05 UTC, @taOS-dev (SELF-HOSTED CI LANDED: #1201 (-> task #119) routes the slow python `test` job to two self-hosted runners labelled taos-ci -- the always-on fasthosts VPS (16c EPYC-Milan, dedicated) + the Fedora 3060 box (i5-10600, 6c/12t). Benchmarked ~tied per-core (Fedora 2.04s / VPS 2.17s single-thread microbench), so CI uses the POOL in PARALLEL (3.12+3.13 split across both boxes, ~5min cold vs ~16min on GitHub) rather than pinning to one "primary". Dropped actions/setup-python (no prebuilt CPython for Fedora 43) -> uv now provisions Python from its distro-agnostic standalone builds, which works on Fedora + the Ubuntu VPS + GitHub alike. A pick-runner chooser job falls back to ubuntu-latest ONLY when BOTH self-hosted runners are offline (never-hang); that fallback needs an OPTIONAL repo secret RUNNER_ADMIN_PAT (fine-grained, administration:read) to read runner status -- without it CI just stays on the pool, which the always-on VPS keeps serviceable. Repo set to require-approval-for-all-outside-collaborators. Runner services: VPS in /opt/actions-runner as an unprivileged ghrunner user; Fedora in /opt/actions-runner (relocated from home to satisfy SELinux). #120 kilo compute lane on Fedora PENDING Jay (installing+authing kilo; global-npm EACCES -> user prefix ~/.npm-global or sudo; then I scp ~/.taos-team over). UPDATE-FIX promoted to MASTER earlier this session (8996ac26): `npm ci` so the in-app update never dirties desktop/package-lock.json and aborts the pull (#1197) + hardened lockfile restore (#1199) + WSL memory-cap detection in hardware.py (wsl/mem_note advisory, #1199). The WINDOWS "remote access app" pop-up a Discord user reported was AUDITED and is BENIGN: the standard Windows Firewall prompt for the local uvicorn server binding 0.0.0.0:6969; no Windows-API calls, phone-home, or remote-access/screen-share tool anywhere (only-if-used secondary firewall-y bits: Neko browser WebRTC UDP + torrent UPnP). 
dependabot #991-994 + #1196 still HELD for Jay's separate pass. #114 VITEST CI GATE LANDED (#1202, task #114 DONE): vitest now runs in the spa-build CI job over ~1,900 desktop tests (previously never gated). Fixed 2 stale tests (userspace app ids are namespaced `userspace:<id>` per #89; the projectsApi.subscribeEvents EventSource mock must be constructable since the code does `new EventSource`). Quarantined 9 suites in desktop/vite.config.ts test.exclude tagged #114: AgentsApp x4 (drift vs #59 redesign), BrowserApp x4 (drift vs #66), EmojiPicker (order-dependent: passes alone, fails under the full suite) -- un-exclude each as its owning work lands. WSL user RESOLVED: his install/reach issue self-resolved (back in the UI). New report: UI LAG on an older laptop (GTX 1060, Edge, default STATIC wallpaper so wallpaper is NOT the cause) -> traced to GPU-heavy compositing (~90 backdrop-blur surfaces + big soft shadows + continuous animations). #58 PERF MODE BUILT (#1203, green CI, HELD for eyeball): opt-in Settings -> Accessibility "Reduce effects" toggle sets reduceEffects in the theme store -> App.tsx applies data-perf=reduced on :root -> tokens.css strips backdrop-filter, opaques the glass bg token, flattens the shadow tokens, stops the named infinite animations. FULLY opt-in: every rule is scoped to [data-perf=reduced] and the attr is off by default, so the default desktop is byte-for-byte unchanged. NOT pixel-verified by me (control-API /screenshot needs a live browser session, none headless); awaiting Jay/user eyeball of the reduced look before merge. Fast-follow: auto-enable on low-end GPUs via a client-side FPS probe on first run. #120 FEDORA KILO LANE LIVE (task #120 DONE): @taOS-dev-kilo-fedora dispatch-only loop in tmux `owl-fedora` (model kilo/openrouter/owl-alpha = the free owl model, same kilo account) claims board cards + pushes exec/* PRs while the Mac stays the single gater; idle now (board empty, campaign plateaued). 
Fedora prepped: jaylfc git identity + uv + gh re-authed (token piped from the Mac) + ~/tinyagentos clone + ~/.taos-team stack; executor.sh REPO is now TAOS_REPO-parameterized (Mac path is the default). five_hour 64% / seven_day 13%. PRIOR ENTRY BELOW.)

==================================================================
STATE 2026-06-20 ~09:15 UTC, @taOS-dev (STEADY-STATE autonomous loop, full budget all window (five_hour ~7% / seven_day 6%). MERGED to dev since the 01:10 entry: account-proxy #1133 + trust-gate hardening #1140 (X-Forwarded-Proto only honored when TAOS_TRUST_FORWARDED_PROTO is set; the taOSgo relay deployment MUST set it, noted in ~/tinyagentos-private/taosgo/SPEC.md) [#113 DONE], node_modules untrack #1134 + root node-cruft removal #1152 (a lane had committed a root package.json/package-lock/vitest.config.ts, the SEED of the node_modules pollution; removed + root-anchored ignores), multi-window Projects #1138 [#111 DONE], canvas test DB-isolation #1139, shortcuts test isolation #1116. AUTONOMOUS TEST-COVERAGE CAMPAIGN: ~30 gate-verified test PRs merged across 10 batches (#1147-1195): python route tests (themes/feedback/manifest/knowledge/system/agent-archive/agent-debugger/skill-exec/service-proxy + reads of others), ~16 desktop API-client lib tests (memory-api/projects/models/framework-api/channel-admin/chat-*/personas/knowledge/userspace-apps/taos-agent-api/hw-detect/account-client/agent-browsers/browser-site-permissions/github/mail/memory/reddit/youtube), component render tests (MigrationBanner/LaunchpadIcon/EmojiPicker/ModelPickerModal/LoginScreen + earlier ServiceIcon/StatusIndicators/ConsentNotification/DockIcon/ScreenshotFlash/WallpaperTextOverlay/SafetyFloor), and hook tests (use-list-nav/use-clock/use-device-mode/use-focus-trap/use-is-pwa/use-visual-viewport/use-widget-size). GATE HARDENED: ~/.taos-team/gate_merge.sh now runs `vitest run --no-cache` on each PR's changed desktop *.test.tsx against the merge result (worktree + symlinked node_modules), BLOCKS real failures, fails OPEN on setup glitches, closing the ungated-desktop-test hole at the lane-gate level. 
STILL OPEN #114: there is NO vitest CI job + ~23 desktop tests already FAIL on dev (drift from in-progress AgentsApp #59 + BrowserApp/AddressBar #66 redesigns); the durable fix (repair the 23 + add a CI vitest job) needs Jay's steer on update-test-vs-fix-component, so HELD (do NOT blind-rewrite). CAMPAIGN PLATEAUED: clean testable units exhausted; remaining are hard/context-heavy (use-desktop-control 224L, use-session-persistence 215L, server/fetch hooks, canvas wallpapers, websocket libs), not force-feeding. Lanes idle; dispatch + freshness(:08/:38) + repo-watch(:23) crons alive; resume pair armed 9d76dbd7/ce31b067 for the 10:10 UTC reset. gitar+qodo budgets EXHAUSTED (manual severity-gating; recent findings all deferrable Quality nits). dependabot #991-994 HELD for Jay (failing builds, master-gated). PRIOR (01:10 UTC): account-proxy hardening #1133 (honor X-Forwarded-Proto so the session-cookie Secure attr survives the TLS-terminating taOSgo relay + relay redirect Location / auth-challenge headers, with tests), node_modules ROOT-CAUSE cleanup #1134 (dev was TRACKING a stray root node_modules -> it rode into every lane worktree and `git add -A` swept siblings, escalating to 99-file CONFLICTING exec PRs; untracked it + added a generic node_modules/ ignore so it can never recur), and csrf.test #1122. PUSHED + awaiting CI: multi-window Projects #1138 (Jay's ask -- dock right-click New Window for non-singleton apps + Projects singleton:false + per-window projectId prop + project-list 'open in new window' affordance; tsc+build+tests green), shortcuts route-test isolation fix #1116 (reset the _active_manager module global so the no-worker assertion is order-independent), project_canvas test DB-isolation fix #1139 (fixture set a bogus `_db_path` string but BaseStore.init reads self.db_path Path, so the suite ran against the PRODUCTION canvas DB -> now a tmp Path; completes #113 with #1133). Closed 3 node_modules-polluted exec PRs (#1129/#1131/#1132); salvaged #1122. 
BOARD REFILLED with 11 CI-gated python route-test cards (themes/manifest/feedback/skills/knowledge/system + scheduler/memory-mgmt/a2a-bus/agent-registry/librarian-memory-model), each card carrying exact endpoints + a reference test + the acceptance command + a BLOCKED.txt escape -- python route tests are gated by CI's full suite, so a weak-lane mistake yields a red PR I triage, never a silent bad merge. KEY FINDING (tracked #114): there is NO vitest CI job AND 10 desktop test files / 23 tests already FAIL on dev (drift from the AgentsApp + BrowserApp/AddressBar redesigns), so every colocated desktop test the lanes add is UNGATED; FIX = repair the 23 drifted tests then add a vitest step to the spa-build job; until then do NOT delegate more ungated desktop test cards. Dispatch lane alive (kilo mid-card). Resume pair re-armed eafb5884/00111e53 for the 05:13/05:32 UTC 5h-reset wake. PRIOR (02:40 BST wind-down): WEEKLY WIND-DOWN at seven_day 94%, per Jay's push-to-98 + 'near limits, do orchestration / fill the board' directive. SHIPPED to dev + LIVE on Pi this session: dvh DEAD-SPACE fix in the standalone PWA shells (#1115 -- ChatStandalone/AppStandalone now height:100dvh not h-screen, the installed-iOS-PWA bottom gap), iOS Add-to-Home banner + sturdier copy fallback (#1107), multi-window primitive openWindow forceNew (#1109), taOSgo P1 CORE (Account pane + off-network screen #1105 + host /api/account proxy #1110, HARDENED by #1117 to rescope Set-Cookie [strip Domain, drop Secure on http] + relay the upstream body verbatim), My Apps launcher rename, npm-skip update speedup, README DATA-SOVEREIGNTY positioning #1106 + GitHub repo description rebrand + topics, shared platform-detect util. BOARD FILLED FOR THE WEEKEND: ~20 claimable lane cards (route-coverage + component-test pools, each detailed with a reference test, exact acceptance command, and a BLOCKED.txt escape) + the multi-window consumer (dock New Window + Projects opt-in, tsk-6ax5dk, builds on #1109's forceNew). 
@taOS-website-dev owns jaylfc/taos-website (taos.my auth + the sovereignty hero) on prj-utbsh7; the shared kilo+opencode lanes serve BOTH boards (TAOS_PROJECTS in ~/.taos-team/config). Project refs accept slug/name now; website-dev wrapper ~/.taos-team/website-dev. gitar+qodo budgets EXHAUSTED -> manual severity-gating (open lane PRs quality-only, nothing must-fix). HANDOFF: the dispatcher auto-builds + auto-merges the board; freshness(:08/:38) + repo-watch(:23) crons keep firing; weekly resets ~2026-06-21 02:00 UTC. On the next 5h reset (01:30 UTC) the resume-pair crons 59dbf43c/6ba30976 wake me to refill the board, scrutinise the overnight lane PRs, fold any gitar findings, and review the multi-window consumer. Pi tip lags dev by backend/test-only merges (no visible delta; dvh fix IS live). five_hour 50% / seven_day 94%.)
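Review bot: The new 20:25 entry at the top of docs/STATUS.md records which advisories are still unpatched on master (cryptography "fixed on dev (pending master)", dompurify), and the 12:05 block carried down as STATE keeps runner host details (install paths, the ghrunner account, the RUNNER_ADMIN_PAT secret and its scope). If this file is tracked in a public repository, consider moving that operational detail to a private handoff note and keeping only the PR references here. Separately, each entry is one very long parenthesised line, so adding one update rewrites the whole block; splitting entries into short bullets would make future diffs reviewable.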
4 changes: 4 additions & 0 deletions scripts/install-server.sh
Expand Up @@ -1952,6 +1952,10 @@ log "━━━━━━━━━━━━━━━━━━━━━━━━━
log ""
log " Web UI : http://$host_ip:$TAOS_PORT"
log " Localhost : http://localhost:$TAOS_PORT"
log ""
log " First run : open the Web UI above and create your admin account."
log " You choose the username and password (8+ chars) -- there"
log " is no default password."
if [[ "$TAOS_BROWSER_PROXY_PORT" != "0" ]]; then
log " Browser app : also listens on port $TAOS_BROWSER_PROXY_PORT (TAOS_BROWSER_PROXY_PORT)"
log " open both ports in your firewall if accessing remotely"
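Review bot: The new first-run lines say the admin account is created by whoever opens the Web UI, directly under the `http://$host_ip:$TAOS_PORT` URL and just above the hint to open ports in the firewall, so until setup is completed the first visitor on the network can claim the admin account. Add a line telling the user to complete setup before exposing the port. The "(8+ chars)" rule is also hard-coded in this message and can drift from what the setup page enforces.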