Merge remote-tracking branch 'upstream/main' into sync-upstream-main-20260625

Author: tarik02

.env.example

@@ -8,6 +8,13 @@
 # T3CODE_CLERK_JWT_TEMPLATE=t3-relay
 # T3CODE_CLERK_CLI_OAUTH_CLIENT_ID=oauthapp_...
 
+# Optional: signed macOS passkey builds. The RP domain defaults to the Frontend API
+# hostname encoded in T3CODE_CLERK_PUBLISHABLE_KEY. Set the override only when Clerk
+# returns a different RP ID or when multiple domains must be entitled.
+# T3CODE_APPLE_TEAM_ID=ABC1234567
+# T3CODE_MACOS_PROVISIONING_PROFILE=/absolute/path/to/t3code.provisionprofile
+# T3CODE_CLERK_PASSKEY_RP_DOMAINS=example.clerk.accounts.dev,clerk.example.com
+
 # Get this from your relay deployment. `infra/relay` deploys update it automatically.
 # T3CODE_RELAY_URL=https://relay.example.com
 

.github/workflows/ci.yml

@@ -38,6 +38,7 @@ jobs:
         run: |
           test -f apps/desktop/dist-electron/preload.cjs
           grep -nE "desktopBridge|getLocalEnvironmentBootstrap|PICK_FOLDER_CHANNEL|wsUrl" apps/desktop/dist-electron/preload.cjs
+          grep -n "__clerk_internal_electron_passkeys" apps/desktop/dist-electron/preload.cjs
 
   test:
     name: Test
@@ -60,53 +61,6 @@ jobs:
       - name: Test
         run: vp run test
 
-  test_browser:
-    name: Test Browser
-    if: false
-    runs-on: t3code-arc
-    timeout-minutes: 20
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Setup Vite+
-        uses: voidzero-dev/setup-vp@v1
-        with:
-          node-version-file: package.json
-          cache: true
-          run-install: true
-
-      - name: Cache Playwright browsers
-        uses: actions/cache@v5
-        with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-
-      - name: Install browser test runtime
-        run: vp run --filter @t3tools/web test:browser:install
-
-      - name: Browser test / Chat view
-        working-directory: apps/web
-        run: vp test run --mode browser --browser=chromium src/components/ChatView.browser.tsx
-
-      - name: Browser test / Chat markdown
-        working-directory: apps/web
-        run: vp test run --mode browser --browser=chromium src/components/ChatMarkdown.browser.tsx
-
-      - name: Browser test / Components
-        working-directory: apps/web
-        run: |
-          vp test run --mode browser --browser=chromium \
-            src/components/GitActionsControl.browser.tsx \
-            src/components/KeybindingsToast.browser.tsx \
-            src/components/ThreadTerminalDrawer.browser.tsx \
-            src/components/chat/MessagesTimeline.browser.tsx \
-            src/components/chat/ProviderModelPicker.browser.tsx \
-            src/components/chat/CompactComposerControlsMenu.browser.tsx \
-            src/components/settings/SettingsPanels.browser.tsx
-
   mobile_native_static_analysis:
     name: Mobile Native Static Analysis
     runs-on: macos-15

.github/workflows/mobile-eas-preview.yml

@@ -2,12 +2,13 @@ name: Mobile EAS Preview
 
 on:
   pull_request:
+    types: [opened, reopened, synchronize, labeled, unlabeled]
 
 jobs:
   preview:
     name: EAS Preview
-    if: github.repository_owner == 'pingdotgg'
-    runs-on: t3code-arc
+    if: github.repository_owner == 'pingdotgg' && contains(github.event.pull_request.labels.*.name, '🚀 Mobile Continuous Deployment')
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     permissions:
       contents: read
       pull-requests: write

.github/workflows/release.yml

@@ -517,6 +517,9 @@ jobs:
           APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
           APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
           APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_TEAM_ID: ${{ vars.APPLE_TEAM_ID }}
+          MACOS_PROVISIONING_PROFILE: ${{ secrets.MACOS_PROVISIONING_PROFILE }}
+          T3CODE_CLERK_PASSKEY_RP_DOMAINS: ${{ vars.CLERK_PASSKEY_RP_DOMAINS }}
           AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
           AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
@@ -545,9 +548,21 @@ jobs:
           if [[ "${{ matrix.platform }}" == "mac" ]]; then
             if has_all "$CSC_LINK" "$CSC_KEY_PASSWORD"; then
               if has_all "$APPLE_API_KEY" "$APPLE_API_KEY_ID" "$APPLE_API_ISSUER"; then
+                if ! has_all "$APPLE_TEAM_ID" "$MACOS_PROVISIONING_PROFILE"; then
+                  echo "macOS notarization is configured, but APPLE_TEAM_ID or MACOS_PROVISIONING_PROFILE is missing." >&2
+                  exit 1
+                fi
+
                 key_path="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
                 printf '%s' "$APPLE_API_KEY" > "$key_path"
                 export APPLE_API_KEY="$key_path"
+
+                profile_path="$RUNNER_TEMP/t3code.provisionprofile"
+                printf '%s' "$MACOS_PROVISIONING_PROFILE" | base64 -D > "$profile_path"
+                security cms -D -i "$profile_path" >/dev/null
+                export T3CODE_APPLE_TEAM_ID="$APPLE_TEAM_ID"
+                export T3CODE_MACOS_PROVISIONING_PROFILE="$profile_path"
+
                 echo "macOS notarization enabled."
               else
                 unset APPLE_API_KEY APPLE_API_KEY_ID APPLE_API_ISSUER

.macroscope/check-run-agents/effect-service-conventions.md

@@ -0,0 +1,83 @@
+---
+title: Effect Service Conventions
+model: claude-opus-4-8
+effort: high
+input: full_diff
+tools:
+  - browse_code
+  - git_tools
+  - github_api_read_only
+  - modify_pr
+include:
+  - "apps/**/*.ts"
+  - "apps/**/*.tsx"
+  - "packages/**/*.ts"
+  - "packages/**/*.tsx"
+  - "infra/**/*.ts"
+  - "infra/**/*.tsx"
+conclusion: failure
+showToolCalls: true
+---
+
+# Effect service review
+
+Review changed TypeScript and directly affected call sites for the conventions below. Apply them when a pull request creates, moves, refactors, or consumes an Effect service. Do not demand unrelated repository-wide cleanup. Treat these instructions as authoritative when older code differs.
+
+## Imports and module namespaces
+
+- Import Effect library modules from their subpaths as namespaces, for example `import * as Effect from "effect/Effect"` and `import * as Layer from "effect/Layer"`. Flag consolidated named imports from `"effect"` in touched Effect service code.
+- At a service boundary, import the local service module as a namespace and use its public module shape: `WorkspacePaths.WorkspacePaths`, `WorkspacePaths.make`, and `WorkspacePaths.layer`. Flag aliases such as `import { layer as workspacePathsLayer }` that erase the module namespace.
+- Namespace imports are not a blanket rule. Keep named imports for whole packages such as `@t3tools/contracts`, and for modules used only for a pure helper, error, schema, config value, or standalone type. Do not request `import type * as Contracts`.
+- A package subpath that is itself a service module may use a namespace import when callers access its service/tag, `make`, or `layer` members.
+- When a barrel exposes an entire service module, prefer `export * as TokenStore from "./tokenStore.ts"` so consumers can use `TokenStore.TokenStore` and `TokenStore.layer`. Do not individually rename `make` and `layer` exports to simulate a namespace.
+
+## Service definition
+
+- Use the canonical single-file order: imports, error/schema declarations, the `Context.Service` tag with its inline interface, `make`, then `layer`.
+- Keep a service's schemas/errors, `Context.Service` tag, construction, and layer in one canonical module when they form one implementation.
+- Define the service interface inline in the `Context.Service` declaration. Do not retain a standalone `FooShape` or `FooServiceShape` interface/type.
+- Refer to the inferred service interface as `Foo["Service"]`, including in mechanically updated orchestration, MCP, tests, and integration harnesses.
+- Export a real `make` when the module owns construction. Do not create `make = Effect.succeed(...)` solely to force `Layer.effect`.
+- Export the canonical layer as `export const layer = Layer...`. `Layer.effect` is not required: use `Layer.succeed`, `Layer.scoped`, or another appropriate constructor when that matches the implementation.
+- In a concrete implementation module already named for the implementation, use plain `make` and `layer` (for example `BunPtyAdapter.ts` and `NodePtyAdapter.ts`).
+- Keep implementation-specific names when an abstract port module contains one of several possible implementations, for example `makeCloudflaredRelayClient` and `layerCloudflared` in `RelayClient.ts`.
+- `infra/relay/src/db.ts` is an intentional exception: an inline `Layer.succeed(RelayDb, db)` is acceptable without generic `make`/`layer` exports.
+
+## Errors and predicates
+
+- Define service failures with `Schema.TaggedErrorClass` and structured attributes. Derive `message` from those attributes rather than storing an unstructured message as the only data.
+- `Schema.Defect()` is not a substitute for modeling a generic error: its tag, fields, or both must identify the failure structurally, and its `message` must not merely stringify an opaque cause. A semantically precise error tag may preserve a real `cause` without inventing a redundant singleton field when no additional variable context exists; still retain any real path, resource, request, or entity context available at the wrapping site.
+- Capture stable, serializable domain context such as the operation or stage, resource/path or entity identifier, and normalized category/status. Map failures where that context is known instead of wrapping an entire multi-step pipeline in one generic error. Do not add a `detail` field that merely copies `cause.message` and then use it to construct the wrapper message.
+- Keep direct error attributes and log annotations safe and bounded. Do not copy raw wire payloads, command arguments or output, signed URLs, credentials, query strings, fragments, selectors, or arbitrary defect text into `detail`, `reason`, `message`, or a parallel log payload. Preserve the exact underlying value only as `cause`; expose normalized categories plus lengths/counts and safe URL protocol/hostname diagnostics where useful. Logging a sanitized error must not reintroduce a removed legacy `detail` or serialized `cause` field beside it.
+- When translating or wrapping a real failure, preserve the immediate underlying error itself as `cause` alongside the structural fields so the complete error chain and stack remain available. If every construction wraps a failure, `cause` should be required; make it optional only when the same error can legitimately originate without an underlying failure.
+- At a translation boundary, pass through an already structured domain error when it is part of the declared target error channel. Wrap only unknown or genuinely lower-level failures. A static factory or mapper may perform this classification when it is reused and keeps the policy next to the target error type.
+- Derive the wrapper's `message` exclusively from its stable structural attributes, never from `cause`, `cause.message`, or a stringified defect. Do not replace the immediate error with only `error.cause`, erase a structured upstream error into a string, or manufacture an `Error` merely to populate `cause`. Pure validation/domain errors created without an underlying failure do not need a cause.
+- Do not encode the same distinction twice with both a specific error tag and a single-value `operation`, `reason`, `kind`, or `phase` literal. Choose one coherent model: use distinct error classes and omit the redundant discriminator when callers or messages treat the failures as genuinely different, or use one service-level error with a multi-value operation discriminator and a generic message derived from that operation when the failures share the same semantics.
+- Treat an error message exposed through an HTTP/RPC response, persisted state, UI, or another caller-visible boundary as behavior. Preserve those messages during a structural refactor. Existing distinct caller-visible messages are evidence that the failures should normally remain distinct error tags without redundant singleton discriminators, rather than being collapsed into a generic operation error.
+- Split semantically distinct failures into separate error classes when a `reason`, `kind`, `phase`, or similar discriminator is used to choose the user-facing message or drive caller control flow. A discriminator used only for internal diagnostics may remain a field.
+- Use `Schema.Union` of error classes when a shared schema, predicate, or helper type is useful.
+- Export direct schema predicates such as `export const isFoo = Schema.is(Foo)`. Flag a private `Schema.is` constant wrapped by a redundant function with the same signature.
+- Do not introduce a large `switch` or lookup table in an error's `message` getter to model failures that deserve separate error classes.
+- Catch statically known tagged failures with `Effect.catchTags({ ... })`, including when handling only one tag. Do not use `catchIf` with a schema predicate merely to recover one or more known `_tag` variants, and do not use `catchTag`. `Effect.catch` is appropriate when the entire error channel is intentionally handled; `catchIf` remains appropriate for genuinely structural predicates such as inspecting an underlying platform error code.
+- Do not add a helper whose only behavior is `(...args) => new SomeError({ ...args })`, including curried aliases used once with `mapError`. Construct the error at the failure boundary so its attributes and cause remain visible. Keep a mapper only when it performs real normalization, passes through existing domain errors, or adds reusable context/control flow.
+- When a reusable error-to-error translation clearly belongs to the target error type, prefer a descriptive static factory on that error class over a detached production-side switch. Do not force a static method for one-off inline mappings.
+
+## File layout and migrations
+
+- When combining `domain/Services/Foo.ts` and `domain/Layers/Foo.ts`, hoist the result to `domain/Foo.ts`.
+- Delete the old service/layer files. Do not leave compatibility re-export shims. Mechanically update every consumer, including orchestration, MCP, tests, and integration harnesses, to the canonical path.
+- Do not flag genuinely separate implementation/adapter modules merely because they remain in an implementation-oriented directory.
+- Avoid substantive orchestration or MCP redesign in service-cleanup PRs. Mechanical import, layer, and `Service["Service"]` updates are expected when required to remove obsolete paths or shapes.
+
+## Change discipline
+
+- Preserve useful comments, invariants, and specification documentation while moving code.
+- Do not add large tests solely to prove a mechanical refactor. Update existing tests and imports as needed.
+- If backend behavior changes, require focused tests. Use test implementations/layers for external services only; do not mock out core business logic.
+- Do not require `Layer.effect`, universal namespace imports, generic `make`/`layer` names for abstract-port implementations, separate error classes for diagnostic-only fields, or new tests for import-only changes.
+
+## Reporting
+
+Report only concrete violations introduced or retained in the pull request's changed scope. Prefer precise inline comments on the smallest relevant line range and state the expected fix. A clear convention violation may fail the check. Do not fail for optional style preferences or unrelated legacy code.
+
+This check defaults to failure. When there are no findings, stop immediately and make the entire final response exactly `All clear` on one line. Do not add a title, explanation, punctuation, Markdown, JSON, or trailing analysis, and do not continue reasoning after deciding the review is clean.

apps/desktop/package.json

@@ -12,6 +12,8 @@
     "smoke-test": "node scripts/smoke-test.mjs"
   },
   "dependencies": {
+    "@clerk/electron": "catalog:",
+    "@clerk/electron-passkeys": "catalog:",
     "@effect/platform-node": "catalog:",
     "@t3tools/client-runtime": "workspace:*",
     "@t3tools/contracts": "workspace:*",
@@ -20,6 +22,7 @@
     "@t3tools/tailscale": "workspace:*",
     "effect": "catalog:",
     "electron": "41.5.0",
+    "electron-store": "^8.2.0",
     "electron-updater": "^6.6.2",
     "playwright-core": "1.60.0",
     "react-grab": "^0.1.32"

apps/desktop/scripts/build-preview-annotation-css.mjs

@@ -1,23 +1,23 @@
-import { readFile, writeFile } from "node:fs/promises";
-import { createRequire } from "node:module";
-import { dirname, join } from "node:path";
-import { fileURLToPath } from "node:url";
+import * as NodeFSP from "node:fs/promises";
+import * as NodeModule from "node:module";
+import * as NodePath from "node:path";
+import * as NodeURL from "node:url";
 
 import { compile } from "tailwindcss";
 
-const directory = dirname(fileURLToPath(import.meta.url));
-const appRoot = join(directory, "..");
-const sourcePath = join(appRoot, "src", "preview", "Annotation.css");
-const preloadPath = join(appRoot, "src", "preview", "PickPreload.ts");
-const outputPath = join(appRoot, "src", "preview", "AnnotationStyles.generated.ts");
-const require = createRequire(import.meta.url);
-const tailwindRoot = dirname(require.resolve("tailwindcss/package.json"));
+const directory = NodePath.dirname(NodeURL.fileURLToPath(import.meta.url));
+const appRoot = NodePath.join(directory, "..");
+const sourcePath = NodePath.join(appRoot, "src", "preview", "Annotation.css");
+const preloadPath = NodePath.join(appRoot, "src", "preview", "PickPreload.ts");
+const outputPath = NodePath.join(appRoot, "src", "preview", "AnnotationStyles.generated.ts");
+const require = NodeModule.createRequire(import.meta.url);
+const tailwindRoot = NodePath.dirname(require.resolve("tailwindcss/package.json"));
 
 const [annotationSource, preloadSource, themeSource, preflightSource] = await Promise.all([
-  readFile(sourcePath, "utf8"),
-  readFile(preloadPath, "utf8"),
-  readFile(join(tailwindRoot, "theme.css"), "utf8"),
-  readFile(join(tailwindRoot, "preflight.css"), "utf8"),
+  NodeFSP.readFile(sourcePath, "utf8"),
+  NodeFSP.readFile(preloadPath, "utf8"),
+  NodeFSP.readFile(NodePath.join(tailwindRoot, "theme.css"), "utf8"),
+  NodeFSP.readFile(NodePath.join(tailwindRoot, "preflight.css"), "utf8"),
 ]);
 
 const candidates = new Set(
@@ -37,4 +37,4 @@ const encodedCss = `'${css
   .replaceAll("\n", "\\n")}'`;
 const moduleSource = `// Generated by scripts/build-preview-annotation-css.mjs. Do not edit.\nexport const previewAnnotationStyles =\n  ${encodedCss};\n`;
 
-await writeFile(outputPath, moduleSource);
+await NodeFSP.writeFile(outputPath, moduleSource);