feat(local-mode): local-first developer experience with zero-ceremony setup (#2544)

* feat(local-mode): local-first developer experience with zero-ceremony setup

Running `bunx @decocms/mesh` (or `bun run dev`) now works with no config:
- Prompts for a data directory on first run (defaults to ~/deco/)
- Auto-generates and persists BETTER_AUTH_SECRET + ENCRYPTION_KEY
- Seeds an admin user from the OS username (e.g. viktor@localhost.mesh)
  and a default "Viktor Local" org on fresh databases
- Auto-logs in the browser without a login form (MESH_LOCAL_MODE=true)
- Skips org selection and redirects straight to the first org
- Enables local filesystem object storage (/mcp/dev-assets) for assets
- Adds --home and --no-local-mode CLI flags; renames old dev to dev:saas

New files:
- apps/mesh/scripts/dev.ts — mirrors CLI setup for `bun run dev`
- apps/mesh/src/auth/local-mode.ts — seedLocalMode, getLocalAdminUser
- POST /api/auth/custom/local-session — auto-sign-in endpoint (local only)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* fix(local-mode): security hardening, UX improvements, and reliability fixes

- Generate random ENCRYPTION_KEY instead of empty string (cli.ts, dev.ts)
- Restrict secrets.json file permissions to 0o600 (cli.ts, dev.ts)
- Add non-TTY guard to prevent prompt() hang in Docker/CI (cli.ts)
- Normalize org slug from OS username to valid [a-z0-9-] (local-mode.ts)
- Retry auto-login on 5xx with exponential backoff (login.tsx)
- Always start with fresh chat on page load (use-task-manager.ts)
- Autofocus chat input on load (tiptap/input.tsx)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(chat): stabilize fresh-chat initializer across remounts

Use module-level UUID constant so the fresh-chat behavior is stable
within a session while still generating a new chat on each page load.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve CI test and e2e failures

- Fix TS2345 errors: add non-null assertions for Hono route params
  (threadId, toolName) that are always present in route patterns
- Respect MESH_LOCAL_MODE env var in dev.ts instead of hardcoding true
- Set MESH_LOCAL_MODE=false in e2e workflow so signup form is shown

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove unused getMeshHome export flagged by knip

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(local-mode): trusted origins, internal URLs, empty state, and title

- Add localhost:PORT to Better Auth trusted origins for proxy hostnames
- Add getInternalUrl() for server-to-server connections (mcp/self, dev-assets)
- Use BASE_URL in startup logs and CLI banner
- Simplify no-LLM empty state (remove tasks panel when no model connected)
- Change HTML title to "Deco Studio"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(studio): add @decocms/studio wrapper package for npm alias

Transitional package so `bunx @decocms/studio` works while the canonical
package remains @decocms/mesh. Includes local publish script and CI workflow
that auto-publishes with the same version as mesh.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(oauth): use localhost origin for redirect URIs behind proxy

External OAuth servers (e.g. OpenRouter MCP) reject .localhost subdomains
as redirect URIs. When running behind a proxy (tokyo.localhost → localhost:3000),
the OAuth flow now uses localhost:PORT for the redirect URI.

- Add setOAuthRedirectOrigin() to mesh-sdk for configuring redirect origin
- Expose internalUrl in /api/config public endpoint
- Set redirect origin from config on app init in ThemeProvider
- Accept cross-origin postMessage between .localhost variants in local dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: gate localhost trusted origin to local mode, restore package.json on failure

- Only add localhost:PORT to Better Auth trusted origins in local mode
- Add EXIT trap to studio publish script to restore package.json on failure

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(local-mode): security hardening and reliability improvements

- Restrict /local-session endpoint to loopback requests only (127.0.0.1/::1)
  to prevent LAN access when server is bound to 0.0.0.0
- Fix tilde expansion in dev.ts and cli.ts: ~/dir was resolving to /dir
  instead of $HOME/dir (slice(1) → slice(2) to skip the ~/)
- Gate local-session behind seed completion to prevent 500s on race
- Respect user-provided DATABASE_URL in CLI instead of always overwriting
- Add security comment documenting that loopback check (not password)
  is the security boundary for local-mode auto-login

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tests): update OAuth callback tests for cross-origin postMessage

Update test mocks to include hostname/port/protocol on window.location
and adjust assertion for postMessage target origin ("*" in local dev).

Also add DEBT.md tracking technical debt for local-first DX work.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(local-mode): use socket-level IP check and fix tilde expansion

- Replace spoofable X-Forwarded-For header check with Bun's getConnInfo()
  (socket-level requestIP) for the local-session loopback guard
- Pass Bun server as env to Hono so getConnInfo can access requestIP
- Fix tilde expansion: only expand bare ~ and ~/path, not ~user inputs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(studio): rename package to decocms with deco CLI command

Publish as `decocms` on npm so users can run `npx decocms` or
`npm i -g decocms && deco`. Renamed bin from studio.js to deco.js
and updated CI workflow, publish script, README, and DEBT.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs(studio): update decocms README and package metadata for npm

Replace internal wrapper docs with a proper product README showing
features, quick start, and MCP client config. Add descriptive keywords
and update main README to reference `npx decocms`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(config): only expose internalUrl in local mode

Production deployments don't need the localhost URL in /api/config.
Gate it behind isLocalMode() so it's only sent when running locally
behind a proxy (e.g. tokyo.localhost).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove unused getBaseUrl import in org.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs(studio): align README with decocms.com/studio positioning

Rewrite to lead with agents and tools, not just MCP plumbing.
Matches the landing page: hire agents, connect 50+ integrations,
track costs, run locally or scale to teams.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: ignore decocms runtime dependency in knip config

@decocms/mesh is resolved via require() in bin/deco.js at runtime,
which knip can't trace. Add ignoreDependencies for packages/studio.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: rebrand CLI and docs from @decocms/mesh to npx decocms / deco

Update all user-facing references: CLI help text, release workflow,
docs quickstart pages (en + pt-br), dev script comment, and OAuth
client name to use "Deco Studio" / "npx decocms" / "deco".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(studio): use bun runtime in deco CLI wrapper

The built CLI uses Bun APIs (Bun.file, Bun.serve), so the wrapper
must run it with bun, not node. Auto-detects bun availability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: rebrand CLI banners from MCP Mesh to Deco Studio

Update startup banners, prompts, and subtitle in cli.ts and dev.ts
to show "Deco Studio" instead of "MCP Mesh".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(studio): require bun runtime and update instructions to bunx

The built CLI uses Bun APIs so bun is a hard requirement. Show a
clear error with install instructions if bun is missing. Update all
docs, CLI help, README, and release workflow from npx to bunx.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(docs): align section headings with bunx commands

Update "(npx)" headings to "(bunx)" in quickstart docs and change
"Install via npm" to "Install via Bun" in release workflow to match
the actual bunx decocms commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dev): respect existing DATABASE_URL and fix path resolution

- Use nullish coalescing for DATABASE_URL to not override user-provided
  values (e.g., PostgreSQL connection strings), matching cli.ts behavior
- Replace brittle string replace with join(import.meta.dir, "..") for
  cross-platform path handling

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: harden local-first DX — random password, seed gate, postMessage, prod guard

- Extract shared bootstrap module (scripts/bootstrap.ts) from cli.ts and dev.ts
- Generate per-install LOCAL_ADMIN_PASSWORD in secrets.json instead of hardcoded value
- Fix seed gate: resolve immediately when not in local mode (prevents hang)
- Add .catch() to dynamic import chain in index.ts
- Tighten postMessage target from "*" to getOAuthRedirectOrigin()
- Refuse local mode in production (NODE_ENV=production) unless explicitly overridden

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: security hardening, OAuth flow extraction, and deferred debt tracking

- Remove hardcoded "admin@mesh" fallback password — throw on missing secrets.json
- Fix seed gate hang when local-mode module import fails (markSeedComplete in catch)
- Fix directory traversal in sanitizeKey() — use path.resolve() + containment check
- Unify DEV_ASSETS_BASE_DIR to use MESH_HOME in both dev-assets files
- Use crypto.timingSafeEqual() for HMAC signature verification
- Remove production console.log leaking taskId on every stream resume
- Cherry-pick OAuth flow extraction from feat/oauth-flow-extraction
- Update DEBT.md with deferred review issues from merged PRs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: explicit MESH_ALLOW_LOCAL_PROD check and postMessage target for proxy setups

- Use `!== "true"` instead of truthiness check for MESH_ALLOW_LOCAL_PROD
  to prevent unintended bypass with values like "false"
- Use "*" as postMessage target in local dev so OAuth callbacks work
  behind proxies where opener origin differs from redirect origin

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(local-mode): probe ~/deco for secrets.json when MESH_HOME is unset

getLocalAdminPassword() now checks the default ~/deco directory as a
fallback when MESH_HOME is not set. This fixes auto-login when running
via `bun run dev:server` directly (which doesn't set MESH_HOME), while
still refusing to use a hardcoded credential.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dev): check non-interactive before defaultPath existence in resolveMeshHome

Swap the order so CI/non-TTY environments always use the CI-safe
.mesh-dev path, even when ~/deco exists from a prior local run.
Previously, existsSync(~/deco) was checked first, causing CI on
shared runners to use the developer's real data directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: rename system prompt identity from "decopilot" to "Deco Pilot"

The LLM was self-identifying as "decoCopilot" which reads as "decoco"
in Portuguese. Use properly spaced "Deco Pilot" and "Deco Studio".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Guilherme Rodrigues <gui@deco.cx>

Author: 3 people

.github/workflows/e2e.yml

@@ -36,3 +36,5 @@ jobs:
 
       - name: Run e2e tests
         run: bun run test:e2e
+        env:
+          MESH_LOCAL_MODE: "false"

.github/workflows/publish-studio-npm.yaml

@@ -0,0 +1,74 @@
+name: Publish decocms
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "apps/mesh/package.json"
+      - "packages/studio/**"
+  workflow_dispatch:
+
+jobs:
+  publish:
+    name: Publish to npm
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Read mesh version
+        id: mesh-version
+        run: |
+          VERSION=$(node -e "console.log(require('./apps/mesh/package.json').version)")
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+          if [[ "$VERSION" == *-* ]]; then
+            echo "npm-tag=next" >> $GITHUB_OUTPUT
+          else
+            echo "npm-tag=latest" >> $GITHUB_OUTPUT
+          fi
+
+          echo "📦 @decocms/mesh version: $VERSION"
+
+      - name: Check if already published
+        id: check
+        run: |
+          VERSION=${{ steps.mesh-version.outputs.version }}
+          if npm view "decocms@$VERSION" version >/dev/null 2>&1; then
+            echo "skip=true" >> $GITHUB_OUTPUT
+            echo "⏭️ decocms@$VERSION already published"
+          else
+            echo "skip=false" >> $GITHUB_OUTPUT
+            echo "✅ Will publish decocms@$VERSION"
+          fi
+
+      - name: Patch studio package.json
+        if: steps.check.outputs.skip == 'false'
+        run: |
+          VERSION=${{ steps.mesh-version.outputs.version }}
+          cd packages/studio
+          node -e "
+            const pkg = require('./package.json');
+            pkg.version = '$VERSION';
+            pkg.dependencies['@decocms/mesh'] = '$VERSION';
+            require('fs').writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');
+          "
+          echo "✅ Patched to v$VERSION"
+          cat package.json
+
+      - name: Publish to npm
+        if: steps.check.outputs.skip == 'false'
+        run: npm publish --access public --tag ${{ steps.mesh-version.outputs.npm-tag }} --provenance
+        working-directory: packages/studio
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/release.yaml

@@ -143,15 +143,15 @@ jobs:
         uses: softprops/action-gh-release@v2
         with:
           tag_name: v${{ steps.version-check.outputs.current-version }}
-          name: "@decocms/mesh v${{ steps.version-check.outputs.current-version }}"
+          name: "Deco Studio v${{ steps.version-check.outputs.current-version }}"
           body: |
-            ## MCP Mesh v${{ steps.version-check.outputs.current-version }}
+            ## Deco Studio v${{ steps.version-check.outputs.current-version }}
 
-            Self-hostable Virtual MCP for managing AI connections and tools.
+            Open-source control plane for your AI agents.
 
-            ### Install via npm
+            ### Install via Bun
             ```bash
-            bunx @decocms/mesh@${{ steps.version-check.outputs.current-version }}
+            bunx decocms@${{ steps.version-check.outputs.current-version }}
             ```
 
             ### Install via Docker
@@ -175,11 +175,11 @@ jobs:
         run: |
           echo "## Release Summary" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "🎉 **@decocms/mesh v${{ steps.version-check.outputs.current-version }} Released**" >> $GITHUB_STEP_SUMMARY
+          echo "🎉 **Deco Studio v${{ steps.version-check.outputs.current-version }} Released**" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### npm" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
-          echo "bunx @decocms/mesh@${{ steps.version-check.outputs.current-version }}" >> $GITHUB_STEP_SUMMARY
+          echo "bunx decocms@${{ steps.version-check.outputs.current-version }}" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Docker" >> $GITHUB_STEP_SUMMARY

DEBT.md

@@ -0,0 +1,98 @@
+# Technical Debt — Local-First DX
+
+Items to address after the core local-first DX lands.
+
+## NATS onboarding in local mode
+
+The agentic onboarding flow should detect whether NATS is available and, if not,
+offer to install and start it (via `brew install nats-server` or Docker). NATS
+enables stream recovery (switch tabs / refresh → restore in-progress AI
+responses). Without it, `NoOpStreamBuffer` is used and late-join replay is
+disabled.
+
+- Relevant code: `apps/mesh/src/api/app.ts` (NATS_URL detection),
+  `apps/mesh/src/api/routes/decopilot/stream-buffer.ts` (NoOpStreamBuffer fallback)
+
+## decocms package rename
+
+`packages/studio/` publishes as `decocms` on npm (`bunx decocms` / `deco` CLI).
+It's a thin wrapper that depends on `@decocms/mesh`. Eventually the source
+should move to `decocms` as the canonical package and `@decocms/mesh` becomes
+the wrapper (or is deprecated).
+
+## Playwright e2e excluded from `bun test`
+
+The Playwright e2e test (`apps/mesh/src/**/*.e2e.test.ts`) is picked up by
+`bun test` and fails because `@playwright/test` conflicts with bun's test
+runner. Should be excluded via bun test config or file naming convention.
+
+---
+
+## Items from PR review (deferred — belong to already-merged PRs)
+
+### PROJECT_PINNED_VIEWS_UPDATE missing org ownership check (PR #2567)
+
+The tool calls `requireAuth(ctx)` + `ctx.access.check()` but does not call
+`requireOrganization(ctx)` or validate `project.organizationId !== organization.id`.
+An authenticated user from org A could update pinned views on org B's project.
+
+- File: `apps/mesh/src/tools/projects/pinned-views-update.ts`
+
+### N+1 query in PROJECT_CONNECTION_LIST (PR #2567)
+
+Each connection is fetched individually via `findById` inside `Promise.all(map(...))`.
+No `findByIds` batch method exists on `ConnectionStorage`.
+
+- Fix: Add `findByIds(ids: string[])` using `WHERE id IN (...)`
+- File: `apps/mesh/src/tools/projects/connection-list.ts:52-56`
+
+### COLLECTION_CONNECTIONS_GET write side-effect in readOnly tool (PR #2567)
+
+The GET handler (annotated `readOnlyHint: true`) backfills missing tools via
+`fetchToolsFromMCP` with a 2s timeout and calls `ctx.storage.connections.update()`.
+A read operation should not have write side-effects.
+
+- Fix: Move backfill to an explicit tool or post-OAuth event trigger
+- File: `apps/mesh/src/tools/connection/get.ts`
+
+### TaskStreamManager useSyncExternalStore misuse (PR #2563)
+
+`subscribe` is a new function reference every render, causing interval leaks.
+`useSyncExternalStore` is used as a lifecycle hook rather than for external store
+subscription, which is semantically incorrect under React 19.
+
+- Fix: Stabilize `subscribe` via `useRef` or restructure
+- File: `apps/mesh/src/web/components/chat/context.tsx`
+
+### ResizeObserver memory leak in monitoring dashboard (PR #2554)
+
+Inline ref callback creates a new `ResizeObserver` on every render without
+disconnecting the old one. Use React 19 ref callback cleanup:
+`return () => observer.disconnect();`
+
+- File: monitoring dashboard component (TBD exact location)
+
+### Monitoring fetches 2000 raw rows to browser (PR #2554)
+
+Dashboard fetches 2000 full `MonitoringLog` rows (including `input`/`output` JSON)
+to the browser for client-side bucketing. Only 5 scalar fields are needed.
+
+- Fix: Push aggregation server-side or add field projection to `MONITORING_LOGS_LIST`
+- File: `apps/mesh/src/web/components/monitoring/hooks.ts:37`
+
+### ondownloadfile handler should validate URI scheme (PR #2571)
+
+`window.open(item.uri, "_blank")` accepts arbitrary URIs including `javascript:`.
+Validate scheme is `http:` or `https:` before calling `window.open`.
+
+- File: `apps/mesh/src/mcp-apps/use-app-bridge.ts`
+
+### Thread/Task naming asymmetry
+
+UI uses "task" but backend protocol uses "thread" everywhere (`COLLECTION_THREADS_LIST`,
+`thread_id`, etc.). Either rename fully or document the mapping explicitly.
+
+### Large component files should be split
+
+- `apps/mesh/src/web/components/settings-modal/pages/org-billing.tsx` (1,732 lines)
+- `apps/mesh/src/web/routes/orgs/monitoring.tsx` (1,510 lines)

README.md

@@ -61,7 +61,7 @@ bun run dev
 
 → runs at [http://localhost:3000](http://localhost:3000) (client) + API server
 
-Or use `npx @decocms/mesh` to instantly get a mesh running.
+Or use `bunx decocms` to instantly get a mesh running.
 
 ---
 

apps/docs/client/src/content/draft/en/mcp-mesh/self-hosting/quickstart.mdx

@@ -10,10 +10,10 @@ import Callout from "../../../../../components/ui/Callout.astro";
 
 Pick one:
 
-### Option A: one-command local setup (npx)
+### Option A: one-command local setup (bunx)
 
 ```bash
-npx @decocms/mesh
+bunx decocms
 ```
 
 ### Option B: local setup with Docker Compose

apps/docs/client/src/content/draft/pt-br/introduction.mdx

@@ -25,10 +25,10 @@ Se você conheceu a gente antes, como **deco.cx**, e está buscando **headless C
 
 Escolha uma opção:
 
-### Opção A: setup local com um comando (npx)
+### Opção A: setup local com um comando (bunx)
 
 ```bash
-npx @decocms/mesh
+bunx decocms
 ```
 
 ### Opção B: setup local com Docker Compose

apps/docs/client/src/content/draft/pt-br/mcp-mesh/quickstart.mdx

@@ -10,10 +10,10 @@ import Callout from "../../../../components/ui/Callout.astro";
 
 Escolha uma opção:
 
-### Opção A: setup local com um comando (npx)
+### Opção A: setup local com um comando (bunx)
 
 ```bash
-npx @decocms/mesh
+bunx decocms
 ```
 
 ### Opção B: setup local com Docker Compose

apps/docs/client/src/content/latest/en/introduction.mdx

@@ -26,10 +26,10 @@ If you know us from before (as **deco.cx**) and you’re looking for **headless
 
 Choose one:
 
-### Option A: one-command local setup (npx)
+### Option A: one-command local setup (bunx)
 
 ```bash
-npx @decocms/mesh
+bunx decocms
 ```
 
 ### Option B: local setup with Docker Compose

apps/docs/client/src/content/latest/en/mcp-mesh/quickstart.mdx

@@ -10,10 +10,10 @@ import Callout from "../../../../components/ui/Callout.astro";
 
 Pick one:
 
-### Option A: one-command local setup (npx)
+### Option A: one-command local setup (bunx)
 
 ```bash
-npx @decocms/mesh
+bunx decocms
 ```
 
 ### Option B: local setup with Docker Compose