Merge remote-tracking branch 'origin/main' into stevenbarragan/pin-chromium-launch-headed

* origin/main: (35 commits)
  v1.58.1.0 feat: hermetic local E2E + Conductor prose AskUserQuestion (garrytan#2004)
  v1.58.0.0 feat: diagram + multi-format document engine (mermaid, excalidraw, single-file HTML, DOCX) (garrytan#1990)
  v1.57.10.0 feat: Codex review default-on across review/ship/plan/docs (garrytan#1966)
  v1.57.9.0 feat: source-clean gbrain render (dev-setup --out-dir + machine-wide gbrain-refresh) (garrytan#1951)
  v1.57.8.0 feat: browse js/eval --out render-to-file (canonical Chromium for offline rendering) (garrytan#1929)
  v1.57.7.0 feat: GSTACK REVIEW REPORT always declares unresolved decisions (garrytan#1916)
  v1.57.6.0 fix wave: 8 community bugs (4 security guards failing open) (garrytan#1911)
  v1.57.5.0 feat: cross-session decision memory + gbrain dream-stage call graph (garrytan#1910)
  v1.57.4.0 refactor(ethos): rename Boil the Lake principle to Boil the Ocean (garrytan#1912)
  v1.57.3.0 fix(ship): always-loaded PR-title-version rule + fork-PR title-sync backstop (garrytan#1909)
  v1.57.2.0 feat: AskUserQuestion prose fallback when the tool fails at runtime (garrytan#1908)
  v1.57.0.0 feat: carve-guard system + carve cso/document-release/design-consultation (garrytan#1907)
  v1.56.1.0 fix(sync): staging-dir ownership guard + resume-correctness fixes (garrytan#1802) (garrytan#1856)
  v1.56.0.0 Token-reduction Phase B + AUQ paranoid safety net (garrytan#1849)
  v1.55.1.0 fix: telemetry consent accuracy + gstack-slug cache sanitization (garrytan#1848)
  v1.55.0.0 fix wave: gbrain data-loss guards + browser crash-loop + 6 more (garrytan#1808)
  fix(setup): add missing gen:skill-docs:user script (garrytan#1807)
  v1.54.0.0 feat: carve /ship into skeleton + on-demand sections (-59% always-loaded) (garrytan#1806)
  v1.53.1.0 fix: non-interactive-safe plan-tune hook install (flags + smart defaults) (garrytan#1805)
  v1.53.0.0 feat: smarter redaction — PII/secrets/legal guard across /spec, /ship, /cso, /document-* (garrytan#1797)
  ...

Author: stevenbarragan

.gitattributes

@@ -37,3 +37,9 @@ bin/*        text eol=lf
 *.gif        binary
 *.ico        binary
 *.pdf        binary
+
+# The committed diagram-render bundle is hash-pinned (BUILD_INFO sha256);
+# a CRLF rewrite on Windows checkout would break the drift test and change
+# the content-addressed staged filename.
+lib/diagram-render/dist/*.html text eol=lf
+lib/diagram-render/dist/*.json text eol=lf

.github/workflows/evals.yml

@@ -162,6 +162,12 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      # The comment upsert below calls the REST `/issues/{n}/comments` endpoints
+      # (gh api ... issues/comments). With GITHUB_TOKEN those are gated by the
+      # `issues` permission, not `pull-requests` — without it the GET returns 401
+      # on every PR that produces eval artifacts (PRs with no artifacts exit
+      # early and never hit it, which is why this stayed hidden). See #1802 CI fix.
+      issues: write
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/make-pdf-gate.yml

@@ -4,6 +4,8 @@ on:
     branches: [main]
     paths:
       - 'make-pdf/**'
+      - 'lib/diagram-render/**'
+      - 'test/diagram-render-drift.test.ts'
       - 'browse/src/meta-commands.ts'
       - 'browse/src/write-commands.ts'
       - 'browse/src/commands.ts'
@@ -51,6 +53,15 @@ jobs:
         if: matrix.os == 'ubicloud-standard-8'
         run: sudo apt-get update && sudo apt-get install -y poppler-utils
 
+      # Install a color-emoji font BEFORE Chromium launches so the emoji render
+      # gate has a fallback font. macOS ships Apple Color Emoji already.
+      - name: Install color-emoji font (Ubuntu)
+        if: matrix.os == 'ubicloud-standard-8'
+        run: |
+          sudo apt-get install -y fonts-noto-color-emoji
+          fc-cache -f || true
+          fc-match -f '%{family[0]}\t%{color}\n' ':lang=und-zsye:charset=1F600' || true
+
       - name: Install Playwright Chromium
         run: bunx playwright install chromium
 
@@ -72,9 +83,9 @@ jobs:
           which pdftotext && pdftotext -v 2>&1 | head -1 || true
 
       - name: Run make-pdf unit tests
-        run: bun test make-pdf/test/*.test.ts
+        run: bun test make-pdf/test/*.test.ts test/diagram-render-drift.test.ts
 
-      - name: Run combined-features copy-paste gate (P0)
+      - name: Run E2E gates (combined-features copy-paste + emoji render)
         env:
           BROWSE_BIN: ${{ github.workspace }}/browse/dist/browse
-        run: bun test make-pdf/test/e2e/combined-gate.test.ts
+        run: bun test make-pdf/test/e2e/

.github/workflows/pr-title-sync.yml

@@ -1,7 +1,25 @@
 name: PR Title Sync
 
+# WHY pull_request_target (not pull_request): the default GITHUB_TOKEN is
+# READ-ONLY on fork PRs under `pull_request`, so the title-sync backstop could
+# never `gh pr edit` a fork/agent PR. `pull_request_target` runs in the base-repo
+# context with a write token, which fixes fork coverage.
+#
+# WHY this is SAFE (pull_request_target is the most dangerous trigger):
+#   - We check out the BASE repo (no `ref:`), so the only code we execute is
+#     trusted base-repo infra (bin/gstack-pr-title-rewrite.sh). We NEVER check
+#     out or run PR-head/fork code.
+#   - Every attacker-controlled PR field (title, head repo, head sha) arrives via
+#     `env:` and is referenced as a shell-quoted "$VAR". We NEVER inline a
+#     `${{ github.event.pull_request.* }}` expression inside the run: script
+#     (that would execute a crafted title as shell).
+#   - The PR-head VERSION is read as DATA via the API (raw media type), from the
+#     head repo at the head sha — never by checking out the head.
+# test/pr-title-sync-workflow-safety.test.ts is the static tripwire for all of
+# the above and fails CI if any of it regresses.
+
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, edited]
     paths:
       - 'VERSION'
@@ -19,25 +37,62 @@ jobs:
       pull-requests: write
     if: github.actor != 'github-actions[bot]'
     steps:
-      - name: Checkout PR head
+      # Base repo only — trusted infra (the rewrite helper). No PR-head checkout.
+      - name: Checkout base repo (trusted)
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
-          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Rewrite PR title to match VERSION
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUM: ${{ github.event.pull_request.number }}
+          # Attacker-controlled on fork PRs — env-only, never inlined into run:.
           OLD_TITLE: ${{ github.event.pull_request.title }}
+          BASE_REPO: ${{ github.repository }}
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           set -euo pipefail
           chmod +x ./bin/gstack-pr-title-rewrite.sh
-          VERSION=$(cat VERSION | tr -d '[:space:]')
-          NEW_TITLE=$(./bin/gstack-pr-title-rewrite.sh "$VERSION" "$OLD_TITLE")
+
+          if [ "$HEAD_REPO" = "$BASE_REPO" ]; then IS_FORK=0; else IS_FORK=1; fi
+
+          # Read the PR-head VERSION as data (raw bytes), from the head repo at
+          # the head sha. Guard the assignment itself: under `set -e` a bare
+          # `VERSION=$(...)` would abort the step before any later [ -z ] check.
+          if ! VERSION=$(gh api -H "Accept: application/vnd.github.raw" \
+              "repos/$HEAD_REPO/contents/VERSION?ref=$HEAD_SHA" 2>/dev/null | tr -d '[:space:]'); then
+            VERSION=""
+          fi
+
+          if [ -z "$VERSION" ]; then
+            # Same-repo read failure should never happen — fail loudly so we
+            # notice. A fork miss (public-contents quirk, private fork) is a
+            # convenience gap, not a gate — warn and skip so the check stays green.
+            if [ "$IS_FORK" = "0" ]; then
+              echo "::error::Could not read VERSION from same-repo PR head ($HEAD_SHA)."
+              exit 1
+            fi
+            echo "::warning::Could not read VERSION from fork $HEAD_REPO ($HEAD_SHA); skipping title sync."
+            exit 0
+          fi
+
+          # The helper rejects a malformed VERSION (exit 2). Same policy: loud for
+          # same-repo, soft for forks. Never echo the raw (attacker-controlled)
+          # title — Actions still parses ::workflow-command:: from stdout.
+          if ! NEW_TITLE=$(./bin/gstack-pr-title-rewrite.sh "$VERSION" "$OLD_TITLE"); then
+            if [ "$IS_FORK" = "0" ]; then
+              echo "::error::Could not compute title for VERSION '$VERSION' on PR #$PR_NUM."
+              exit 1
+            fi
+            echo "::warning::Could not compute title for fork PR #$PR_NUM; skipping."
+            exit 0
+          fi
+
           if [ "$NEW_TITLE" = "$OLD_TITLE" ]; then
-            echo "Title already correct; no change."
+            echo "PR #$PR_NUM title already correct; no change."
             exit 0
           fi
-          echo "Rewriting: $OLD_TITLE -> $NEW_TITLE"
           gh pr edit "$PR_NUM" --title "$NEW_TITLE"
+          echo "PR #$PR_NUM title synced to VERSION."

.github/workflows/windows-free-tests.yml

@@ -116,6 +116,7 @@ jobs:
             test/setup-windows-fallback.test.ts \
             test/build-script-shell-compat.test.ts \
             test/docs-config-keys.test.ts \
+            test/brain-sync-windows-paths.test.ts \
             make-pdf/test/browseClient.test.ts \
             make-pdf/test/pdftotext.test.ts
         shell: bash

.gitignore

@@ -4,9 +4,13 @@ dist/
 browse/dist/
 design/dist/
 make-pdf/dist/
+# diagram-render ships its built bundle (offline-at-install premise, eng-review D2)
+!lib/diagram-render/dist/
+!lib/diagram-render/dist/**
 bin/gstack-global-discover*
 .gstack/
 .claude/skills/
+.claude/gstack-rendered/
 .claude/scheduled_tasks.lock
 .claude/*.lock
 .agents/
@@ -37,3 +41,6 @@ supabase/.temp/
 
 # Throughput analysis — local-only, regenerate via scripts/garry-output-comparison.ts
 docs/throughput-*.json
+
+# gbrain local source-staging dir (capability checks, source clones) — runtime artifact
+.sources/

AGENTS.md

@@ -21,6 +21,7 @@ Invoke them by name (e.g., `/office-hours`).
 | `/plan-tune` | Self-tune AskUserQuestion sensitivity per question. |
 | `/autoplan` | One command runs CEO → design → eng → DX review. |
 | `/design-consultation` | Build a complete design system from scratch. |
+| `/spec` | Turn vague intent into a precise, executable spec in five phases. Files a GitHub issue, optionally spawns a Claude Code agent in a fresh worktree, and lets `/ship` close the source issue on merge. |
 
 ### Implementation + review
 
@@ -75,6 +76,25 @@ Invoke them by name (e.g., `/office-hours`).
 | `/setup-browser-cookies` | Import cookies from your real browser for authenticated testing. |
 | `/pair-agent` | Pair a remote AI agent (OpenClaw, Codex, etc.) with your browser. |
 
+### iOS QA — drive real iPhones over USB or Tailscale (v1.43.0.0+)
+
+| Skill | What it does |
+|-------|-------------|
+| `/ios-qa` | Live-device iOS QA via USB CoreDevice tunnel + embedded StateServer. Optionally exposes the device over Tailscale so remote agents can drive it. |
+| `/ios-fix` | Autonomous iOS bug fixer with regression snapshot capture. |
+| `/ios-design-review` | Designer's-eye QA on a real iPhone — 10-dimension Apple HIG rubric. |
+| `/ios-clean` | Convenience: strip DebugBridge + #if DEBUG wiring before a Release build. |
+| `/ios-sync` | Regenerate the iOS debug bridge against the latest upstream templates. |
+
+Companion CLIs (run on the Mac that's plugged into the device):
+
+| Command | What it does |
+|---------|-------------|
+| `gstack-ios-qa-daemon` | Mac-side broker. Loopback by default; `--tailnet` adds a Tailscale-facing listener with capability tiers and audit logging. |
+| `gstack-ios-qa-mint` | Owner-grant CLI for the tailnet allowlist (`grant`/`revoke`/`list`). |
+
+End-to-end walkthrough: [docs/howto-ios-testing-with-gstack.md](docs/howto-ios-testing-with-gstack.md).
+
 ### Safety + scoping
 
 | Skill | What it does |
@@ -84,6 +104,7 @@ Invoke them by name (e.g., `/office-hours`).
 | `/guard` | Activate both careful + freeze at once. |
 | `/unfreeze` | Remove directory edit restrictions. |
 | `/make-pdf` | Turn any markdown file into a publication-quality PDF. |
+| `/diagram` | English in, diagram out: mermaid source + editable .excalidraw + SVG/PNG, offline. |
 
 ## Build commands
 

BROWSER.md

@@ -212,8 +212,8 @@ from `snapshot`, or `@c` refs from `snapshot -C`. Full table:
 
 | Command | Description |
 |---------|-------------|
-| `js <expr>` | Run inline JavaScript expression in page context, return as string |
-| `eval <file>` | Run JS from a file (path under /tmp or cwd; same sandbox as `js`) |
+| `js <expr> [--out <file>] [--raw]` | Run inline JavaScript expression in page context, return as string. With `--out <file>` the result is written to disk instead of returned (a `data:*;base64,...` result is decoded to raw bytes unless `--raw`). `--out` makes the invocation a WRITE (needs `write` scope, never allowed over the tunnel). |
+| `eval <file> [--out <file>] [--raw]` | Run JS from a file (path under /tmp or cwd; same sandbox as `js`). `--out`/`--raw` behave as for `js`. |
 | `css <sel> <prop>` | Computed CSS value |
 | `attrs <sel\|@ref>` | Element attributes as JSON |
 | `is <prop> <sel\|@ref>` | State check: visible, hidden, enabled, disabled, checked, editable, focused |
@@ -317,6 +317,7 @@ from `snapshot`, or `@c` refs from `snapshot -C`. Full table:
 | `disconnect` | Close headed Chrome, return to headless |
 | `focus [@ref]` | Bring headed Chrome to foreground (macOS); `@ref` also scrolls into view |
 | `state save\|load <name>` | Save or load browser state (cookies + URLs) |
+| `memory [--json]` | Snapshot Bun heap + per-tab JS heap + Chromium process tree + bounded buffer sizes. Use `--json` for programmatic consumers; text mode renders sorted top-10 tabs with "and N more" tail. |
 
 ### Handoff