#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2361">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Upgrades the Claude PR review to include a dedicated code-health agent,
smart deduplication, and an always-posted summary, while enforcing app
builds before E2E tests to avoid stale binaries. Also improves stop
behavior by analyzing Task* tool calls and updates the workflow to use
the new multi-agent review command.

- **New Features**
  - Adds a Code Health reviewer alongside correctness-focused agents.
  - Deduplicates issues with Sonnet and skips already-commented items.
  - Posts a summary every run; inline comments only for HIGH/MEDIUM.
- Improves stop-hook by sending Task* calls to the model and recognizing
plan-mode waits.
- Switches GitHub Action to `/dyad:multi-pr-review`; adds “Plan to
Issue” command; updates trusted commenters and E2E run permissions.

- **Migration**
  - Before any E2E run, build the app: `npm run build`.
- Adds a `build` script; updates docs and commands to require building
before tests.

<sup>Written for commit ceddd301964cf0f74d1d1cd016dec951433dce98.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2342">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds a pull workflow and consolidates branch operations into a single
actions menu.
> 
> - UI: Replace standalone buttons with `Branch actions` dropdown
(`GithubBranchManager.tsx`) containing `Create new branch`, `Refresh
branches`, and new `Git pull`; disables controls while pulling
> - IPC: New `github:pull` contract and handler that pulls from `origin`
on current branch, uses auth token, tolerates missing remote branch, and
reloads branches (`src/ipc/types/github.ts`,
`src/ipc/handlers/git_branch_handlers.ts`)
> - E2E: Update flows to use `branch-actions-menu-trigger`; add pull
test and snapshots; factor `configureGitUser()` helper (`e2e-tests/...`)
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
40bb9e7cd72308acf34563e9758884d2b0c2cd4e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds Git pull support and consolidates branch actions into a single
“Branch actions” menu, making it easy to pull remote changes from the
UI. Includes IPC wiring and an end-to-end test.

- **New Features**
- Added “Branch actions” dropdown with Create branch, Refresh branches,
and Git pull.
  - Git pull action with loading state and success/error toasts.
- New IPC contract and handler (github:pull) that pulls from origin and
tolerates missing remote branch.

- **Refactors**
- Replaced separate buttons with a dropdown in GithubBranchManager and
updated test IDs.
- Added configureGitUser helper and new e2e test for pulling from
remote.
  - Updated snapshots to reflect the new menu.

<sup>Written for commit 40bb9e7cd72308acf34563e9758884d2b0c2cd4e.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

## Summary
- When clicking the refresh button in the preview panel, the app now
preserves the current route instead of defaulting to the root path (/)
- Store the current URL in a ref when refresh is clicked, then use it as
the iframe src during reload
- Added E2E test to verify route preservation on refresh

Fixes #253

## Test plan
- E2E test `refresh preserves current route` verifies the fix:
  1. Create an app
2. Navigate to a different route using JavaScript (simulating
client-side navigation)
  3. Click refresh
  4. Verify the address bar still shows the navigated route (not /)
- Existing `refresh app` test continues to pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2336">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Ensures the preview iframe keeps the current client-side route on
refresh and after HMR remounts.
> 
> - Track route changes (`pushState`/`replaceState`) and persist per-app
URL via `previewCurrentUrlAtom`; initialize navigation from preserved
URL
> - Use `currentIframeUrlRef` and validated same-origin URL as iframe
`src` on reload; reset history on app change
> - Update `PreviewIframe` navigation history, address bar
(`data-testid="preview-address-bar-path"`), and reload logic; avoid
unintended src resets on re-render
> - Add E2E test `refresh preserves current route` with a multi-page
React Router fixture to verify behavior
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d715ec38b8fb94383eafe3a31b901d407468ab4e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Refresh in the preview panel now preserves the current route instead of
resetting to /. Routes are also restored after HMR remounts; adds an E2E
test to confirm this; fixes #253.

- **Bug Fixes**
- Track route changes (pushState/replaceState) and persist the current
URL per app via previewCurrentUrlAtom; on reload, validate same-origin
and use it as the iframe src; reset on app change.
- Add a data-testid to the address bar and a Playwright test that
navigates via a react-router link in a multi-page app, refreshes, waits,
and asserts the route remains.

<sup>Written for commit d715ec38b8fb94383eafe3a31b901d407468ab4e.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- Add `remarkGfm` plugin to `VanillaMarkdownParser` and
`DyadMarkdownParser` components
- Enables proper rendering of GitHub Flavored Markdown features
including tables, strikethrough, autolinks, and task lists

## Test plan
- Verify tables render correctly in chat messages
- Verify strikethrough text (~~text~~) renders with strikethrough
styling
- Verify task lists (- [ ] and - [x]) render as checkboxes
- Verify autolinks are properly converted to clickable links

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2353">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Enabled GitHub Flavored Markdown in chat markdown parsing to correctly
render tables, strikethrough, autolinks, and task lists. Adds remarkGfm
to VanillaMarkdownParser and DyadMarkdownParser; addresses Linear issue
2297.

<sup>Written for commit f3eb069a860e6bf95f76a9bcc97b44d89fe07da7.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds GitHub Flavored Markdown support to chat markdown rendering.
> 
> - Import `remark-gfm` and pass via `remarkPlugins` to `ReactMarkdown`
in `VanillaMarkdownParser` and within `DyadMarkdownParser` for markdown
pieces
> - Ensures proper rendering of GFM features (tables, strikethrough,
autolinks, task lists) in chat content
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f3eb069a860e6bf95f76a9bcc97b44d89fe07da7. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary

- Re-triggers CI after Claude Code pushes commits by closing and
reopening the PR (workaround for GITHUB_TOKEN commits not triggering
workflows)
- Updates pr-fix command to post a summary comment on the PR when done,
with collapsible details

## Background

When Claude Code pushes commits using `GITHUB_TOKEN`, GitHub's
anti-recursion protection prevents other workflows from triggering. This
PR adds a step to close and reopen the PR after Claude pushes, which
triggers the `reopened` event that CI listens for.

Also adds instructions to the pr-fix command to have Claude post a
summary comment on the PR summarizing what was done.

## Test plan

- [ ] Verify CI re-triggers after Claude Code pushes commits
- [ ] Verify summary comment is posted on the PR

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2339">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Automatically re-triggers CI after Claude Code pushes and adds a clear
PR summary comment when pr-fix completes. This avoids missed builds from
GITHUB_TOKEN commits and helps reviewers see what changed.

- **New Features**
- Detects new commits from Claude and re-triggers CI by
closing/reopening the PR (uses HEAD tracking, GitHub API, and a reopen
retry for reliability).
- pr-fix posts a success/failure summary comment with addressed review
items, CI fixes, remaining issues, collapsible details, plus a workflow
run link; handles comment failures and missing env vars gracefully.

<sup>Written for commit 77be40a076e264333efb046a81fbc6920b5adc64.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add Python script to sanitize GitHub issue markdown (removes HTML
comments, zero-width characters, excessive whitespace, details/summary
tags)
- Add unit tests with 5 golden input/output pairs plus additional inline
tests
- Update fix-issue.md to use sanitizer and proceed directly with
implementation for straightforward plans (no remote session question)
- Add goldens directory to format ignore to preserve test data

## Test plan
- Run `python3
.claude/commands/dyad/scripts/test_sanitize_issue_markdown.py` to verify
all 13 unit tests pass
- Test the sanitizer directly: `echo "<!-- comment -->" | python3
.claude/commands/dyad/scripts/sanitize_issue_markdown.py`

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2337">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a Python markdown sanitizer and integrates it into the fix-issue
flow to clean GitHub issue content and enable direct local
implementation for straightforward plans.

- **New Features**
- Added sanitizer script that removes HTML comments, invisible
characters, excessive blank lines, and strips details/summary tags while
keeping content; normalizes line endings and whitespace.
- Updated fix-issue.md to run the sanitizer and let simple plans proceed
directly to local implementation without the remote session prompt.
- Included golden files and unit tests (13) to validate sanitizer
behavior.
- Added the goldens directory to formatter and Prettier ignore lists to
preserve test fixtures.

- **Bug Fixes**
- Fixed shell injection risk in fix-issue.md by using printf in the
sanitizer step.

<sup>Written for commit 226f9436ba6f338efd6fb798aa327334459647aa.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary

- Adds an application menu with Edit, View, and Window submenus to
enable standard keyboard shortcuts
- Fixes #1952: Users can now use Cmd/Ctrl+C, Cmd/Ctrl+V, Cmd/Ctrl+Z,
Cmd/Ctrl+X, Cmd/Ctrl+A instead of right-clicking
- The Edit menu provides: Undo, Redo, Cut, Copy, Paste, Delete, Select
All

## Test plan

1. Start the app
2. Click in the chat input field and type some text
3. Test Ctrl/Cmd+A (Select All) - should select all text
4. Test Ctrl/Cmd+C (Copy) - should copy selected text
5. Test Ctrl/Cmd+V (Paste) - should paste clipboard content
6. Test Ctrl/Cmd+Z (Undo) - should undo last action
7. Test Ctrl/Cmd+Shift+Z or Ctrl+Y (Redo) - should redo undone action
8. Test Ctrl/Cmd+X (Cut) - should cut selected text
9. Verify right-click context menu still works as before

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2335">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a global application menu to enable OS-standard keyboard
shortcuts and window/view controls.
> 
> - Adds `createApplicationMenu` in `src/main.ts` with `Edit`, `View`,
and `Window` menus (plus macOS `App` menu) providing `undo/redo`,
`cut/copy/paste/delete/selectAll`, zoom controls, reload, devtools, and
fullscreen
> - Calls `createApplicationMenu()` during startup after
`createWindow()` to activate shortcuts across the app
> - Leaves existing right-click context menu behavior intact
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fbd07b8dc49d8ee97f98526ac1d654701734c038. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds an application menu to enable standard keyboard shortcuts (Undo,
Redo, Cut, Copy, Paste, Select All) across the app. Fixes #1952 so users
can use Cmd/Ctrl shortcuts instead of relying on the context menu.

- **New Features**
- Create and set application menu on startup with Edit, View, and Window
menus.
- Edit menu wires Undo, Redo, Cut, Copy, Paste, Delete, Select All via
Electron roles.
- Includes macOS app menu (About, Services, Hide, Quit); Windows/Linux
use Window -> Close.

<sup>Written for commit f2499679fb571476cec5f74a2e5a23c3447512c3.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- Fixed `gh pr edit` commands failing with "Could not resolve to a
PullRequest" error
- When the workflow checks out a fork repository, the `gh` CLI operates
in that context and tries to find the PR in the fork instead of the
upstream repo
- Added `--repo ${{ github.repository }}` flag to all `gh pr edit`
commands to ensure they target the correct repository

## Test plan
- Create a PR from a fork with the `cc:request` label
- Verify the PR Review Responder workflow can successfully update labels

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2338">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes gh pr edit failures on fork-based PRs by forcing the repo context
with --repo ${{ github.repository }}. The PR Review Responder now
reliably updates cc:request/pending/done/failed labels in the upstream
repo even when the workflow runs in a fork.

<sup>Written for commit b2d37c8852965f102932662d309da8c45bf9f2f1.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Adds `getWindowsSanitizedEnv()` function that filters WSL-related PATH
entries on Windows
- Creates `execGit()` wrapper that applies sanitized environment to all
dugite exec calls
- Prevents WSL relay from intercepting git commands when WSL is
installed but misconfigured

Fixes #2194

## Test plan
- [ ] Test on Windows machine with WSL installed
- [ ] Verify git commit operations work with native Git enabled
- [ ] Verify no regression on macOS/Linux (sanitization only activates
on Windows)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Sanitize PATH on Windows to stop WSL from hijacking git commands,
ensuring native Git runs reliably. Fixes #2194.

- **Bug Fixes**
- Added getWindowsSanitizedEnv to filter WSL PATH entries (\\wsl$,
\\wsl.localhost, windowsapps, /mnt, /usr, /bin, /home) and handle PATH
key casing.
- Wrapped all dugite exec calls with execGit on Windows; added '--'
separators and remote URL validation.
- Prevents WSL hijacking and errors like "execvpe(/bin/bash) failed: No
such file or directory".

<sup>Written for commit ad0a93ceb660831d8c4abf3e05dd91b8523dd9f1.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Fixes Windows WSL PATH contamination by introducing a sanitized env
and routing all native Git calls through a wrapper.
> 
> - **Add** `getWindowsSanitizedEnv()` to filter WSL-related PATH
entries on Windows and handle PATH key casing
> - **Introduce** `execGit()` wrapper and replace all `dugite.exec`
usages to apply sanitized env on Windows
> - **Harden** native Git calls: add `--` separators for path/URL args
(e.g., `clone`, `check-ignore`), and validate `remoteUrl` to prevent
option injection
> - Touches most native Git flows: status, commit, checkout, branch ops,
clone, push/pull/fetch/merge/rebase, file retrieval, and conflict
detection
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
ad0a93ceb660831d8c4abf3e05dd91b8523dd9f1. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2282">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Replace broken prompt-based Stop hook with command-based hook using
Claude Sonnet
- Add .claude/hooks/stop-hook.py that reads conversation transcript and
uses Sonnet to analyze task completion
- Includes infinite loop prevention via stop_hook_active check
- Add unit tests for the stop hook

## Test plan
- [x] Run pytest .claude/hooks/tests/test_stop_hook.py -v - all 9 tests
pass
- [ ] Manual testing: verify stop hook fires and correctly analyzes task
completion

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Replaced the broken prompt-based stop hook with a command-based hook
that blocks when tasks remain and uses Sonnet analysis as a fallback.
Adds loop protection and tests.

- **New Features**
- Added .claude/hooks/stop-hook.py that blocks when
TaskCreate/TaskUpdate show remaining tasks, returning
{"decision":"block","reason":...}. If none remain, it analyzes a 32k
transcript (middle truncation) with Sonnet.
- Added unit tests and a stop_hook_active guard to prevent infinite
loops.

- **Refactors**
- Updated .claude/settings.json to use the command-based hook (30000 ms
timeout) instead of the prompt hook.
- Added --no-session-persistence to Claude CLI calls in stop-hook.py and
permission-request-hook.py.

<sup>Written for commit 575426cee9efb0fa7e1f4be64a8405ae2e717a3b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2331">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- **gh-permission-hook:** Allow `gh pr` commands without shell injection
check (common workflow patterns need pipes, backticks in markdown
bodies, etc.)
- **gh-permission-hook:** Keep shell injection as deny for all other
`gh` commands
- **gh-permission-hook:** Allow PATCH to `/pulls/{id}` for updating PR
title/body via API
- **python-permission-hook:** Allow `pytest` as an exception to the `-m`
module restriction for running tests
- Update test data to reflect new behavior

## Test plan
- Run `pytest tests/test_gh_permission_hook.py
tests/test_python_permission_hook.py -v` in `.claude/hooks/` to verify
all hook tests pass
- Verify `gh pr create` with backticks in body works without shell
injection error
- Verify `gh api -X PATCH repos/owner/repo/pulls/123` is allowed
- Verify `python -m pytest` is allowed

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Modernizes IPC usage app-wide to new typed, namespaced contracts.
> 
> - Refactors calls from `IpcClient` to `ipc.*` namespaces (system, app,
chat, github, git, version, languageModel, neon, visualEditing, context,
misc, capacitor, template, events, upgrade, agent, proposal)
> - Updates type imports from `"@/ipc/ipc_types"` to `"@/ipc/types"`
(e.g., `ListedApp`, security types) and adapts optional fields
> - Aligns method signatures to object params and new return shapes
(e.g., `getAppVersion` → `{ version }`); replaces various URL
opens/restarts/screenshots with `ipc.system.*`
> - Moves custom theme and theme generation ops to `ipc.template.*`;
adds maxOutputTokens in custom model dialogs; adjusts provider/model
management APIs
> - Switches GitHub/Vercel/Neon/Supabase/Capacitor connectors and
branching flows to new IPC endpoints; updates event subscriptions for
GitHub device flow
> - Normalizes logging/preview interactions and visual editing
apply/analyze via `ipc.misc`/`ipc.visualEditing`
> 
> Potential follow-ups: verify all parameter objects and event handlers,
and update any remaining legacy imports.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
7c574fe53296ba5c9a16d6b69d1008d06490534e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adopted the new typed IPC contracts across the app, replacing IpcClient
with namespaced ipc methods. Restored app output streaming via events,
added maxOutputTokens for custom model flows, migrated custom theme
operations to ipc.template, and fixed chat stream cancellation
lifecycle.

- **Refactors**
- Replaced IpcClient usage with ipc.* namespaces (system, app, chat,
github, git, version, languageModel, neon, visualEditing, context,
prompt, mcp, misc, capacitor, template, events, upgrade, agent,
proposal).
- Moved type imports from "@/ipc/ipc_types" to "@/ipc/types"; adjusted
renamed types and paths (e.g., ListedApp under "@/ipc/types/app",
security types under "@/ipc/types/security").
- Updated method signatures to use object params and new return shapes
(e.g., getAppVersion returns { version }).
- Subscribed to ipc.events.misc.onAppOutput in useRunApp to process app
output, restore preview URL updates, and handle HMR after API changes.
- Added missing maxOutputTokens in create/edit custom model dialogs;
small UI and hooks changes to align with new contracts.
- Fixed DeepLinkData typing by re-exporting a discriminated union for
correct type narrowing.
- Migrated custom themes and theme generation to ipc.template.*; added
CustomTheme and theme generation types.
- Moved methods to correct namespaces (e.g., takeScreenshot/restartDyad
→ system; checkProblems → misc).
- Emit chat:stream:end on stream cancellation for consistent renderer
cleanup.

- **Migration**
  - Replace any remaining IpcClient references with ipc.*.
- Update type imports to "@/ipc/types" and adjust for changed/optional
fields (e.g., App lists use ListedApp; Collaborator.permissions and
VercelProject.framework may be optional).
- Verify callers for new parameter objects and result shapes; replace
runApp/restartApp callbacks with ipc.events.misc.onAppOutput
subscriptions.

<sup>Written for commit 7c574fe53296ba5c9a16d6b69d1008d06490534e.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2276">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb

fixes https://github.com/dyad-sh/dyad/issues/2318

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Persist the selected device mode (desktop, tablet, mobile) in user
settings so it stays after app rebuilds. Adds an end-to-end test to
verify the mode persists through a rebuild.

- **New Features**
- PreviewIframe reads and writes previewDeviceMode via useSettings,
replacing local state.
  - Added DeviceModeSchema and previewDeviceMode to UserSettingsSchema.

- **Bug Fixes**
- Stabilized e2e: added a persistence test, use po.clickRebuild(), and
wait for preview loading to appear/disappear with a final assertion
timeout.

<sup>Written for commit c801c37c314413ba23c0174dc7bb401193826389.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add gitAddSafeDirectory call after moving app directory during rename
and change-app-location operations
- This ensures the new path is added to Git's safe.directory config on
Windows
- Prevents dubious ownership error that occurs when Git operations are
performed on directories owned by different users

Fixes #2303

## Test plan
- Existing rename_app.spec.ts E2E tests pass
- On Windows: rename an app that has git history, verify git operations
(like listing branches) work without errors

Generated with Claude Code

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Ensures Git trusts all repositories under the Dyad apps base directory
on Windows when native Git is enabled.
> 
> - Change `gitAddSafeDirectory(getDyadAppsBaseDirectory())` to
`gitAddSafeDirectory(`${getDyadAppsBaseDirectory()}/*`)` during app
startup
> - Update comments to document rationale and Git config reference
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
b49181edd3612228952e9475c64424b9370f79d9. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Add dyad-apps/* to Git safe.directory at startup so Git works after app
renames or moves on Windows when native Git is enabled. Replaces per-app
updates with a single wildcard entry. Fixes #2303.

<sup>Written for commit b49181edd3612228952e9475c64424b9370f79d9.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fixed the pr-review-responder workflow failing to find PRs from forks
- Added a fallback that searches for open PRs using `pulls.list` API
with the head repository owner and branch name when
`workflow_run.pull_requests` array is empty

## Test plan
- Create a PR from a fork with the `cc:request` label
- Verify the workflow can now correctly find and process the PR

#skip-bugbot

Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes PR lookup in the pr-review-responder workflow for forked PRs. Adds
a fallback search by head owner and branch when
workflow_run.pull_requests is empty, so fork PRs are processed
correctly.

- **Bug Fixes**
  - Handle empty workflow_run.pull_requests for cross-repo PRs.
  - Use pulls.list with head "<owner>:<branch>" to find the PR number.
  - Exit early (should_continue=false) if no matching open PR is found.

<sup>Written for commit 70e3c1399b438d5fe768aa9171ec2bf683bc38ff.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add a Stop hook that checks for incomplete tasks before allowing
Claude to stop
- The hook blocks stopping if any tasks are in pending or in_progress
status
- Includes comprehensive tests for the hook behavior

## Test plan
- Run the test suite: python3 .claude/hooks/tests/test_stop_hook.py
- Verify all tests pass (no tasks allows stop, completed tasks allow
stop, pending/in_progress tasks block stop)

#skip-bugbot

Generated with Claude Code

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a Stop hook to prevent early stopping when work isn’t done. Uses a
stricter, prompt-based check of the conversation context with a default
bias to continue.

- **New Features**
- Stop hook returns {"ok": true} to allow stop or {"ok": false,
"reason": "..."} to continue.
- Evaluates task completion, unresolved errors, follow-ups, and work
quality.
- Biases to continue unless everything is truly complete; registered
under Stop in .claude/settings.json with a 30s timeout.

<sup>Written for commit 059862cf76e0df9dd9149df2c8acd840c06dbc15.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Update E2E snapshots to match the new formatter output after the oxfmt
migration

The snapshot changes reflect formatting differences from the transition
from prettier to oxfmt for code formatting.

## Test plan
- E2E tests pass locally with updated snapshots

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Updated E2E snapshots to match oxfmt formatter output after migrating
from Prettier. This resolves snapshot diffs (like JSON key order and
TypeScript line breaks) so tests pass without changing behavior.

<sup>Written for commit 32d4195cde1d0c829b6475212ea10ea7d628471c.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add `PLAYWRIGHT_HTML_OPEN=never` environment variable to all e2e test
commands in AGENTS.md and Claude command files
- Prevents the Playwright HTML reporter from opening a browser and
blocking the terminal after tests complete

## Test plan
- Run `npm run e2e` with and without the env var to verify behavior
- Agents running e2e tests should no longer hang waiting for user input

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Stop the Playwright HTML reporter from auto-opening and blocking the
terminal by setting PLAYWRIGHT_HTML_OPEN=never on all e2e commands.
Updated AGENTS.md and Claude command files so local runs and agent
workflows no longer hang after tests.

<sup>Written for commit 2ee4139f8a43a5bc20ae1933b6c629d19c96937b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fix PermissionRequest hook to use correct hookSpecificOutput JSON
wrapper format
- Previously the hook output {behavior: allow} but Claude Code expects
{hookSpecificOutput: {hookEventName: PermissionRequest, decision:
{behavior: allow}}}
- Clean up code: remove debug logging, organize imports

## Test plan
- Run a command that triggers permission request (e.g., rm -rf somedir)
- Verify the hook auto-approves GREEN operations without showing the
permission dialog
- Test with DEBUG_PERMISSION_HOOK=1 to see hook execution logs

Generated with Claude Code


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Uses Claude Sonnet to analyze permission requests and fixes the
PermissionRequest hook output format so decisions are applied correctly.
GREEN auto-approves, YELLOW passes through, RED auto-denies without
showing the dialog.

- **Bug Fixes**
- Use the correct wrapper: {hookSpecificOutput: {hookEventName:
"PermissionRequest", decision: {behavior: "allow"|"deny"}}}.
  - Improve JSON extraction; remove debug logs and tidy imports.

- **New Features**
- Add permission-request-hook.py to analyze requests with Claude CLI
(sonnet) and auto-approve/deny using permission-policy.md.
  - Add tests for hook behavior, response schema, and policy coverage.
  - Enable the hook in .claude/settings.json for all tools.

<sup>Written for commit bcdcd4eeda5e28d4cde37247fae8c150c1e9ba1b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->




<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces an AI-driven PermissionRequest hook that evaluates tool
actions against a new security policy and auto-approves/denies
accordingly, plus tests and settings wiring.
> 
> - **Add** `permission-request-hook.py` to call Claude (model `sonnet`)
with `permission-policy.md`, parse JSON robustly, and emit
`hookSpecificOutput` for `allow`/`deny` (GREEN auto-approve, RED
auto-deny, YELLOW passthrough)
> - **Add** comprehensive `permission-policy.md` covering Bash, GitHub,
and file operations with GREEN/YELLOW/RED criteria
> - **Add** tests in `tests/test_permission_request_hook.py` for hook
passthrough behavior, response format, CLI absence, and policy coverage
> - **Configure** `.claude/settings.json` to register the new
PermissionRequest hook for all tools with a 30s timeout
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
bcdcd4eeda5e28d4cde37247fae8c150c1e9ba1b. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

- Add step to check current branch and create feature branch if on
main/master
- Add task tracking requirement using TaskCreate/TaskUpdate tools
- Renumber steps and update summary to report new branch creation

#skip-bb

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Updates the pr-push skill to block pushes to main/master and auto-create
a PR, and adds required task tracking across pr-push and pr-fix so work
happens on feature branches with clear progress and a ready review link.

- **New Features**
- Check current branch; if on main/master, create and switch to a
descriptive feature branch and report its name.
- Require TaskCreate/TaskUpdate across pr-push and pr-fix to track each
step (create tasks, mark in_progress/completed).
- Auto-create a PR if none exists (no manual URL prompts), avoid
duplicates, and include the PR URL in the final summary; steps
renumbered to reflect the new flow.

<sup>Written for commit 81f38c98e48bf915a553dac23d1ec41474c27d0b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Add a Python permission hook that restricts python/python3 to scripts
inside the .claude directory. Blocks unsafe modes and command injection
to reduce risk.

- **New Features**
- Enforces: allow scripts under .claude; deny scripts outside; deny -m,
-c, and interactive; passthrough for non-python and --version/--help.
- Robust parsing of env-var prefixes, flags, quoted/unquoted paths,
relative/absolute paths, and symlinks; supports CLAUDE_PROJECT_DIR.
- Registered the hook in PreToolUse and expanded allowed tools in
settings (Bash(chmod:*), Bash(python3:*)). Added tests for allowed,
blocked, passthrough, and security-bypass commands.

<sup>Written for commit 798d1abf04cdedc5395603ce4e32b2b943be8941.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

- Add hardcoded list of trusted humans (wwwillchen, princeaden1,
azizmejri1)
- Add trusted bots (gemini-code-assist, greptile-apps, cubic-dev-ai,
cursor, github-actions)
- Skip reading contents of comments from untrusted authors for security
- Report untrusted commenters in summary without exposing their comment
contents

#skip-bb

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Only process unresolved PR review threads from trusted authors. Skip
reading comment bodies from untrusted users and report their usernames
safely.

- **New Features**
  - Added trusted humans: wwwillchen, princeaden1, azizmejri1
- Added trusted bots: gemini-code-assist, greptile-apps, cubic-dev-ai,
cursor, github-actions, chatgpt-codex-connector
  - Filter threads where the first comment’s author is trusted
- Report untrusted commenters by username only; do not read their
comment contents

<sup>Written for commit a696d73c3b32d8fecd63e9dd0e67815a08e99033.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Swap prettier for oxfmt in devDependencies for faster formatting
- Rename scripts: prettier -> fmt, prettier:check -> fmt:check
- Update lint-staged to use oxfmt
- Update CLAUDE.md and skill docs to reference npm run fmt

## Test plan
- [x] Run npm run fmt to verify formatting works
- [x] Run npm run fmt:check to verify check mode works
- [x] Verify lint-staged runs oxfmt on commit

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Replaced Prettier with oxfmt for faster formatting. Updated to oxfmt
0.26.0, added a project config, renamed scripts to fmt and fmt:check,
and refreshed docs; oxfmt’s new rules applied compact formatting across
many files.

- **Migration**
  - Use npm run fmt and npm run fmt:check in local workflows and CI.
  - lint-staged now formats with oxfmt on commit.
  - Requires Node 20.19+ or 22.12+.

<sup>Written for commit a9e3812b02849f8d6357913113fca68ca8b4fcbc.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb

## Summary
This PR adds a new GitHub Actions workflow that automatically cancels
in-progress and queued CI workflow runs when a pull request is merged.
This helps reduce unnecessary CI resource consumption and prevents stale
workflow runs from completing after their changes have already been
integrated.

## Changes
- Added `.github/workflows/cancel-ci-after-merge.yml` workflow that:
  - Triggers when a pull request is closed (merged)
  - Finds the CI workflow in the repository
- Queries for all in-progress and queued CI runs on the merged PR's
branch
  - Cancels each identified workflow run with error handling and logging
  - Includes comprehensive console logging for debugging and monitoring

## Implementation Details
- The workflow uses `actions/github-script@v7` to interact with the
GitHub Actions API
- It specifically targets the "CI" workflow by name
- Handles both "in_progress" and "queued" statuses to catch all active
runs
- Includes try-catch error handling to gracefully handle cancellation
failures
- Requires `actions: write` permission to cancel workflow runs
- Only executes when `github.event.pull_request.merged == true` to avoid
running on rejected PRs


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Automatically cancel active CI runs for the merged PR’s head commit.
Frees up runners and prevents stale builds from finishing.

- **New Features**
- Adds .github/workflows/cancel-ci-after-merge.yml triggered on PR
closed, gated to merged PRs.
- Targets the CI workflow via file path ci.yml and lists runs for the PR
head SHA.
- Cancels active runs (in_progress, queued, pending, waiting) with
try/catch error handling and de-duplicates by run ID.
- Supports fork and non-fork PRs; uses actions/github-script@v7 with
actions: write permissions and clear console logs.

<sup>Written for commit 4d631b3ccb9d127c4781b185b9d6eac90d2fd710.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

Creates a GitHub Action that triggers when CI completes for PRs with the
cc:request label. It runs /dyad:pr-fix to address failing checks and
review comments, then updates labels (removes cc:help, adds
cc:responded)

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a GitHub Action that auto-responds to PRs after CI completes. It
runs /dyad:pr-fix on PRs labeled cc:request from wwwillchen and updates
labels based on status.

- **New Features**
  - Triggers on CI workflow_run completion.
  - Checks out the PR’s head repo/branch and runs /dyad:pr-fix.
  - Restricts usage to PRs authored by wwwillchen.
- Updates labels: cc:request → cc:pending; then cc:done on success or
cc:failed on failure.
  - Uses write permissions for contents and pull-requests.

<sup>Written for commit 21cef82a88b2e3d591f4c3955b679dd28aad0477.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Introduce a type-safe, centralized query key system following TanStack
Query best practices:

- Add src/lib/queryKeys.ts with hierarchical factory functions
- Use `as const` assertions for full type inference
- Group keys by feature (apps, chats, versions, etc.)
- Support prefix-based invalidation via parent keys

Update all 30+ hooks and components to use the new queryKeys:
- Replace inline string arrays with factory calls
- Replace scattered exports (CHATS_QUERY_KEY, TOKEN_COUNT_QUERY_KEY,
etc.)
- Consistent pattern: queryKeys.<feature>.<operation>(params)

Benefits:
- Single source of truth for all query keys
- Full autocomplete/IntelliSense support
- Type-safe invalidation (catches typos at compile time)
- Easier refactoring and key discovery

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Centralized React Query keys behind a typed queryKeys factory and
updated 30+ hooks/components to use it. This improves type-safety,
enables autocomplete, and makes invalidation and refactors simpler.

- **Refactors**
- Added src/lib/queryKeys.ts with hierarchical factory functions (as
const) grouped by feature.
- Replaced inline arrays and scattered constants (e.g., CHATS_QUERY_KEY,
TOKEN_COUNT_QUERY_KEY, APP_THEME_QUERY_KEY, SUPABASE_QUERY_KEYS).
- Standardized invalidate/remove calls to use parent keys (e.g.,
queryKeys.chats.all, queryKeys.versions.list({ appId })).
- Structured MCP keys (mcp.toolsByServer.all and
mcp.toolsByServer.list({ serverIds })) and updated Supabase branches to
include organizationSlug.
- No behavior changes; safer invalidation and consistent keys across the
app.

- **Migration**
- Use queryKeys.<feature>.<operation>(params object) for all queryKey
definitions.
- Invalidate broadly via parent keys when needed (e.g.,
queryKeys.chats.all).
- Update Supabase branches calls to pass organizationSlug:
queryKeys.supabase.branches({ projectId, organizationSlug }).
  - Do not add or export per-hook key constants; rely on queryKeys.

<sup>Written for commit 2b80e408f077b8ea3141369ca21f62e514852cfd.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a centralized, typed React Query key factory and applies it
across the app for consistency and safer invalidation.
> 
> - Adds `src/lib/queryKeys.ts` with hierarchical, `as const` key
factories (e.g., `queryKeys.apps.detail`, `queryKeys.versions.list`)
> - Refactors 30+ hooks/components to use factory keys in
`useQuery`/`useMutation` and `invalidateQueries`/`removeQueries`
> - Replaces scattered constants (e.g., `CHATS_QUERY_KEY`,
`TOKEN_COUNT_QUERY_KEY`, `APP_THEME_QUERY_KEY`, Supabase/MCP keys) with
`queryKeys`
> - Updates IPC-driven UI pieces (`AppUpgrades`, `CapacitorControls`,
`ModelPicker`, `ChatInput`, preview panels, Neon, MCP, Supabase, Vercel,
etc.) to the new keys
> - Documentation: `AGENTS.md` adds an Architecture section with usage
guidelines and changes format script to `npm run fmt`
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2b80e408f077b8ea3141369ca21f62e514852cfd. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

## Summary
- Fixes false positive in gh permission hook when PR bodies contain
markdown code spans like `concurrency`
- Adds `MARKDOWN_CODE_SPAN_PATTERN` to neutralize backtick pairs with
identifier-like content before checking for shell injection
- Security preserved: actual command substitution patterns with
spaces/special chars still blocked

## Test plan
- [x] Tested commands with markdown code spans now pass
- [x] Tested commands with actual command substitution patterns are
still blocked
- [x] Tested command chaining attempts are still blocked

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Allows safe markdown code spans inside double-quoted PR/issue bodies by
neutralizing backtick-wrapped identifiers; command substitution and
unsafe chaining remain blocked.

- **Bug Fixes**
- Neutralize identifier-like code spans only inside double quotes using
MARKDOWN_CODE_SPAN_PATTERN; requires a dot, hyphen, or underscore and
excludes plain words; still blocks backticks with spaces, args, or
pipes.

<sup>Written for commit 9d81ffe0bf0c58dd7862ffc16b49318698c8fb5d.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Adds `claude` to the CLA Assistant allowlist to fix CLA check failures
on PRs authored with Claude Code

## Problem
PRs authored with Claude Code (like #2268) have commits with the
`claude` GitHub user (email: `noreply@anthropic.com`) as an author via
the `Co-Authored-By` trailer. The CLA Assistant requires all commit
authors to sign the CLA, but Claude (the AI) cannot sign a CLA, causing
the check to always fail.

## Solution
The CLA Assistant action supports an `allowlist` parameter to exclude
specific users from the CLA requirement. This PR adds `claude` to that
allowlist.

## Test plan
- [x] Verify this PR's CLA check passes (it should, since this is the
fix)
- [ ] Verify subsequent Claude Code PRs pass the CLA check

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds "claude" to the CLA Assistant allowlist to prevent false CLA
failures on PRs with commits co-authored by the "claude" GitHub user.
This ensures CLA checks pass for Claude Code-authored PRs without
requiring a signature from that user.

<sup>Written for commit 7ce3f5d2734b06305a425d61000550022151d933.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- The pr-push skill was consistently stopping after running lint checks
instead of continuing to push
- Root cause: calling /dyad:lint as a nested skill created a stopping
point when the sub-skill completed
- Fix: inline lint commands directly and add explicit continuation
reminders after steps 2 and 3

## Test plan
- [ ] Run /dyad:pr-push and verify it completes all steps through to
pushing

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes pr-push stopping after lint by inlining lint commands and adding
clear “keep going” reminders, so the flow completes and pushes the
branch.

- **Bug Fixes**
- Inline lint commands: npm run prettier && npm run lint:fix && npm run
ts
- Add explicit continuation notes after steps 2 and 3 to prevent
stopping mid-flow
  - Clarify amend step when lint modifies files

<sup>Written for commit 75b8c57147f9ff5d0d7aed9d8e3457baf169cea1.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Adds concurrency block to the claude-pr-review workflow
- When a new push is made to a PR, any in-progress review workflow for
that PR is automatically cancelled
- Avoids wasting resources reviewing outdated code

## Test plan
- [ ] Push multiple commits in quick succession to a PR and verify only
the latest run completes

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Add GitHub Actions concurrency to the claude-pr-review workflow so only
the latest run per PR executes. New pushes automatically cancel any
in-progress review, avoiding outdated reviews and saving CI resources.

<sup>Written for commit 8a0a3d25f25657ed9fc34580b7cb51feb43a2c9c.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Switch from inline review prompt to the `/multi-pr-review` skill
- Rely on `.claude/settings.json` for permissions instead of duplicating
allowed tools in the workflow

#skip-bugbot


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Switches the GitHub PR review workflow to use /multi-pr-review and
centralizes tool permissions in .claude/settings.json. This simplifies
config and keeps reviews consistent.

- **Refactors**
- Call `/multi-pr-review ${{ github.event.pull_request.number }}`
instead of an inline prompt.
- Rely on .claude/settings.json for allowed tools; keep only
`mcp__github_inline_comment__create_inline_comment` in the workflow.
  - Reduced workflow size by ~60 lines.

<sup>Written for commit 258c61670e2830621ec167653db5c07208b066b5.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a multi-agent PR review skill that runs three independent reviewers
with randomized file order, aggregates issues by consensus, and posts a
summary plus inline PR comments for medium+ issues flagged by 2+ agents.
Improves correctness coverage and reduces ordering bias.

- **New Features**
- Orchestrator parses PR diffs, shuffles file order per agent, runs
reviews in parallel (optional extended thinking), and writes consensus
results and formatted comments.
- Aggregation script performs consensus voting across agent outputs with
severity filtering.
- Comment poster posts the consensus summary and inline comments via
GitHub CLI or API; supports --dry-run and --summary-only.
  - Prompt and JSON schema references for structured issue output.
  - Skill docs covering workflow, configuration, and usage.

- **Bug Fixes**
- Align prompt schema fields (line_start, severity) with orchestrator
expectations.
- Make line tolerance symmetric and clamp to positive line numbers in
issue matching.
  - Warn when diff filename parsing fails.

<sup>Written for commit e32332eb80083ea4f61617811d345f92453cdf3e.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Move Claude commands to `dyad/` namespace (e2e-rebase, pr-fix)
- Add new commands: fix-issue, gh-push, gh-rebase, lint, session-debug
- Add `gh-permission-hook.py` to block destructive gh commands (except
PRs)
- Expand allowed bash commands in settings.json
- Update AGENTS.md to reference `/dyad:lint` skill and fix typo

## Test plan
- [ ] Verify commands work with `/dyad:<command>` syntax
- [ ] Test that gh-permission-hook blocks issue modifications but allows
PR operations

🤖 Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Reorganized Claude commands under the /dyad namespace and added a GitHub
CLI permission hook that auto-approves read-only commands plus PR and
issue updates while blocking destructive actions. Added new skills
(including deflaking E2E and split PR fix steps), hardened the hook, and
added tests.

- **New Features**
- Moved e2e-rebase and pr-fix to dyad/; added fix-issue, pr-push,
gh-rebase, lint, session-debug, deflake-e2e; split pr-fix into
pr-fix:comments and pr-fix:actions.
  - Updated AGENTS.md to reference /dyad:lint and fixed a typo.

- **Permissions**
- Added gh-permission-hook.py (PreToolUse) for Bash gh commands;
auto-approves read-only ops, PR modification commands, issue
create/edit/close/reopen/comment, PR review thread ops, and PR/issue
comment replies and updates; blocks destructive actions across issues,
releases, gists, labels, secrets, repos, workflows, config, and auth.
- Hardened checks: require gh as the executed command (handles
env/sudo/command wrappers); detect shell injection (;, &&/||, &,
newlines, ANSI-C $'…', process substitution); allow safe pipes to jq and
common text filters (head/tail/grep/wc/sort/uniq/cut/tr) and stderr
redirects; parse --method/-X (incl. equals syntax); allow GraphQL
queries plus specific PR review thread/comment mutations; added unit
tests with good/bad fixtures.
- Updated settings.json to narrow read-only gh allowlist, expand safe
Bash commands, and register the PreToolUse hook.

<sup>Written for commit 3237d344cdc2850a97a9a4856bff54bd25be102b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->




<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Streamlines Claude command suite and hardens GitHub CLI usage in the
workspace.
> 
> - Reorganizes commands under `/.claude/commands/dyad/` and adds new
skills: `deflake-e2e`, `fix-issue`, `gh-rebase`, `lint`, `pr-push`,
`session-debug`; splits `pr-fix` into `pr-fix:comments` and
`pr-fix:actions`
> - Adds `/.claude/hooks/gh-permission-hook.py` to auto-approve
read-only/PR operations and block destructive `gh` commands; supports
GraphQL query/limited mutations and safe piping
> - Introduces unit tests (`.claude/hooks/tests/*`) with good/bad
command fixtures and a test runner
> - Updates `.claude/settings.json` to expand safe Bash allowlist and
register `PreToolUse` hook; tweaks `.gitignore` and `AGENTS.md`
(references `/dyad:lint`)
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
3237d344cdc2850a97a9a4856bff54bd25be102b. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Allow build jobs to continue independently even if one platform fails
- The verify-assets job will still only run if all builds succeed

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Set fail-fast: false in the release workflow build matrix so other
platform builds continue even if one fails. Add retry to the publish
step (3 attempts, 30m timeout) to reduce flakiness; verify-assets still
only runs if all builds succeed.

<sup>Written for commit 2f09fc1f6ae1d524f6e626f4acc91bb7adfa4aab.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fixes Windows-specific bug where `path.relative()` generates backslash
paths (e.g., `src\components\Button.tsx`) that break TSC workers and git
operations
- Normalizes paths to use forward slashes in both component tagger
plugins (nextjs-webpack and react-vite)
- Adds defensive normalization in `visual_editing_handlers.ts` and
`PreviewIframe.tsx`

Fixes #2271

## Test plan
- [ ] Test on Windows: use Annotator / Edit with Select to refactor or
move files
- [ ] Verify no TSC worker errors occur after using the visual editing
tools
- [ ] Verify git operations don't fail due to invalid paths

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Bug fix: Windows path normalization**
> 
> - Update `safeJoin` to normalize backslashes via `normalizePath`, then
validate/block absolute, home, and UNC paths before joining; join uses
normalized segments
> - Normalize `gitAdd` filepaths for both native Git and isomorphic-git;
adjust error messages accordingly
> - Visual editing handler now stages modified files with `gitAdd`
(replacing direct isomorphic-git add) while continuing to use `safeJoin`
> - Tests updated to assert forward-slash normalization for
Windows-style inputs
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5e1cf28e5632a37c564c71b52cc702b7c57e49fc. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Normalize Windows backslash paths to forward slashes across component
taggers, visual editing, and git staging so TSC workers and git
operations don’t break on Windows. Centralizes normalization in gitAdd
and safeJoin for consistent component IDs and file paths.

- **Bug Fixes**
- Next.js webpack and Vite taggers: replace backslashes from
path.relative() with forward slashes.
- Git utils: gitAdd normalizes filepath before staging (native Git and
isomorphic-git).
- Path utils: safeJoin normalizes segments before joining and blocks
unsafe absolute paths.
- Visual editing and preview: normalize component IDs and paths; use
gitAdd and safeJoin for file staging.

<sup>Written for commit 674f783cdd844fb98cd746cd8d7dc9234d419d80.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Updates the Vercel deployment URL when refreshing deployments to show
the most recent READY production deployment
- Previously, the Live URL was only set once during project creation or
connection and never updated
- Now when users click "Refresh Deployments", the Live URL will update
to reflect the latest production deployment

Fixes #2208

## Test plan
- [ ] Connect an app to a Vercel project
- [ ] Verify the Live URL is shown correctly
- [ ] Push a new deployment to Vercel
- [ ] Click "Refresh Deployments" in Dyad
- [ ] Verify the Live URL updates to reflect the new deployment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Ensures the app’s Vercel Live URL stays current after refreshing
deployments.
> 
> - In `vercel_handlers.ts`, when fetching deployments, finds the most
recent `READY` production deployment and updates
`apps.vercelDeploymentUrl` if it changed (with logging)
> - In `VercelConnector.tsx`, after `getDeployments()` completes, calls
`refreshApp()` so the updated Live URL is shown in the UI
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2f2cccc87b91a3653b70d008b7f208a9aebd7af6. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Ensures the Vercel Live URL updates to the latest READY production
deployment when users refresh deployments, fixing the stale URL issue.
Fixes #2208.

- **Bug Fixes**
- Call refreshApp() after getDeployments in VercelConnector to refresh
the Live URL.
- In IPC handler, detect the most recent READY production deployment and
update vercelDeploymentUrl in the DB only when it changes.

<sup>Written for commit 2f2cccc87b91a3653b70d008b7f208a9aebd7af6.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fixed chat summarization failing in local-agent mode with "no
technical discussion" error
- Added `messageOverride` parameter to `handleLocalAgentStream` to pass
transformed messages
- When summarize intent is detected, the formatted chat content is now
correctly passed to the local agent handler instead of relying on
database messages

Fixes #2292

## Test plan
- [ ] In local-agent mode, trigger "Summarize to new chat" from a chat
with technical content
- [ ] Verify the summarization completes successfully instead of showing
"no technical discussion" error
- [ ] Verify normal chat functionality in local-agent mode is not
affected

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes "Summarize to new chat" failing in local-agent mode by passing the
formatted chat content to the local agent instead of reading DB history,
addressing #2292. Prevents the "no technical discussion" error while
keeping normal chat behavior unchanged.

- **Bug Fixes**
- Added messageOverride to handleLocalAgentStream to use transformed
messages.
- chat_stream_handlers passes chatMessages on summarize intent;
otherwise uses DB-derived history.
- Added Playwright E2E test to verify summarize-to-new-chat works in
local-agent mode.

<sup>Written for commit c88a646b22127a655b8e96f77956e3cbd01f4a45.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Fix local-agent summarization**
> 
> - Detects summarize intent and passes formatted `chatMessages` via
`messageOverride` to `handleLocalAgentStream`; handler now prefers
overrides over DB-derived history
> - Uses read-only system prompt in ask-mode local-agent path and wires
both ask/local-agent paths to support overrides
> - Adds E2E test `local_agent_summarize.spec.ts` with snapshot to
verify summarize-to-new-chat works
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
c88a646b22127a655b8e96f77956e3cbd01f4a45. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fixes the merge-reports workflow failure on fork PRs (like #2276)
- Wraps GitHub API calls in try-catch to handle 403 permission errors
gracefully
- Test results are still written to the job summary even when PR comment
fails

## Test plan
- [x] Verify the fix by checking the merge-reports job on this PR
(should pass)

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Prevents merge-reports from failing on fork PRs by gracefully handling
403 permission errors when posting Playwright results. Test results
still appear in the job summary even if the PR comment can’t be created
or updated.

- **Bug Fixes**
- Wrap PR comment API calls in try/catch; on 403, log a clear message
and continue without failing the workflow.
- Keep update/create logic for the bot comment when permissions allow;
skip safely when no PR is detected.

<sup>Written for commit befdb30e68a21ddb992e0d175d91352dfe8e04e0.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Prototype custom theme generator that lets users create themes manually
or generate prompts from images, manage them from a new Themes page, and
apply them in chat. Themes are global and used in streaming and token
counting.

- **New Features**
  - Added custom_themes table.
- Implemented IPC and hooks to list/create/update/delete themes with
query cache invalidation.
- New CustomThemeDialog with manual prompt entry and prompt generation
from uploaded images and optional keywords; uses the selected model via
Dyad Pro and requires Dyad Pro enabled.
  - New Themes page with CRUD, EditThemeDialog, and a sidebar link.
- Updated chat Themes menu to show built-in plus recent custom themes,
with “New Theme” and a “More themes” dialog; newly created themes
auto-select and selection persists per app.

- **Refactors**
- Replaced getThemePrompt with async getThemePromptById to support
custom theme IDs (custom:<id>); integrated in chat_stream and
token_count handlers.
  - Whitelisted new IPC channels in preload.

<sup>Written for commit 37d9e5f0c477e2bb0847df506450b45a25ab4874.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->










<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds end-to-end custom theme support, including storage, IPC, UI, and
chat/system-prompt integration.
> 
> - New `custom_themes` table (+ migration `0022_loving_wendigo`) and
Drizzle schema `customThemes`
> - IPC: moved/expanded theme handlers to
`pro/main/ipc/handlers/themes_handlers.ts` with endpoints for
`get/set-app-theme`, `get/create/update/delete` custom themes, image
save/cleanup, and `generate-theme-prompt`; whitelisted channels in
`preload`
> - Hooks and client: `useCustomThemes` CRUD/generation hooks;
`IpcClient` methods for custom themes, image handling, and generation
> - UI: new `ThemesPage` with cards, `CustomThemeDialog` (AI + manual),
`AIGeneratorTab` (image upload, model/mode, Pro-gated),
`EditThemeDialog`, improved `DeleteConfirmationDialog`; added
`LibraryList` and updated `app-sidebar` default Library route
> - Chat: `AuxiliaryActionsMenu` shows built-in and recent custom
themes, "New Theme" and "More themes"; auto-select newly created theme
> - Prompt resolution: replaced `getThemePrompt` with async
`getThemePromptById` (supports `custom:<id>`) in chat stream and token
count handlers
> - Routing: added `/themes` route; e2e tests for themes CRUD, AI
generator flow/limits, and prompt library navigation
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
37d9e5f0c477e2bb0847df506450b45a25ab4874. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

This avoids distracting the user during active chat responses.

https://claude.ai/code/session_018bxH7uX9t4TH4wxh9VE7Ka

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Hide the uncommitted files banner while chat is streaming to reduce
distraction. Adds an isStreaming check in ChatHeader so the banner only
appears when not streaming.

<sup>Written for commit 4bd7b9fe48f94414e83ae9e4600b4cf898535c1b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude <noreply@anthropic.com>