- Add ready_for_review and closed event types to pull_request trigger
- Update concurrency group to use PR number for proper cancellation
- Add condition to skip draft PRs and closed events
- When a PR is merged, the closed event triggers cancellation of
in-progress runs

https://claude.ai/code/session_0131m7Y5ac6ztV6iPCiW6zMU

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2383">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Update CI to cancel in-progress runs when a PR is merged and use per-PR
concurrency for accurate cancellation. Draft PRs now run; only closed
events are skipped.

- **Refactors**
  - Listen to closed in the pull_request trigger.
  - Use PR number in the concurrency group for proper cancellation.
  - Add a job condition to skip closed events only.

<sup>Written for commit fe1d8903f8730bbf6ed93dbdfc8a9f0b804b9912.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

## Summary
- Removed ANTHROPIC_API_KEY from the required environment variables list
- Added clarification that sub-agents spawned via the Task tool
automatically have access to Anthropic

#skip-bugbot

## Test plan
- Verify the documentation accurately reflects the current behavior of
the multi-pr-review skill

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2386">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Clarified that ANTHROPIC_API_KEY is not required for the multi-pr-review
skill. Updated SKILL.md to note that sub-agents launched via the Task
tool already have Anthropic access, so only GITHUB_TOKEN is needed.

<sup>Written for commit f5735d135face9923420ecfa08ebcbfab60796dd.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Updates the E2E test snapshot for the turbo edits search-replace
fallback test
- The error message format changed to remove the fuzzy match similarity
percentage, simplifying the error output

## Test plan
- [x] E2E snapshot updated to reflect new error message format
- All existing tests pass (654/654)

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2384">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Update the turbo edits E2E snapshot to match the new simplified
search-replace error message. Removes the fuzzy match similarity
percentage from the expected output so tests align with current
behavior.

<sup>Written for commit c256a7205139069cccc23cea31e16b30f50b649f.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Bumps version from 0.34.0-beta.1 to 0.35.0-beta.1

## Test plan
- Verify package.json shows correct version

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2378">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Bumps package.json version from 0.34.0-beta.1 to 0.35.0-beta.1 to
prepare the next beta release. No functional changes.

<sup>Written for commit a9ff86fa30e2d1811fa0e305aaee6668fe9a7861.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Version bump**
> 
> - Updates `package.json` version from `0.34.0-beta.1` to
`0.35.0-beta.1`. No code or dependency changes.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
a9ff86fa30e2d1811fa0e305aaee6668fe9a7861. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add E2E test for preview navigation forward/back buttons
- Fix back/forward navigation by sending target URL instead of using
`history.back()`/`history.forward()` which don't work reliably in
Electron iframes
- Update dyad-shim.js to handle URL-based navigation with
`location.replace`
- Add popstate event handler to notify parent of navigation changes

## Test plan
- Run `npm run e2e -- --grep "forward and back"` to verify the new test
passes
- Run `npm run e2e -- --grep "refresh"` to verify all refresh-related
tests pass
- Manually test back/forward navigation buttons in the preview panel

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2372">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Ensures preview back/forward navigation works reliably in Electron
iframes and preserves routes across refresh/HMR. Adds targeted E2E
coverage.
> 
> - In `PreviewIframe.tsx`, switch back/forward handling to send the
target URL via `postMessage` and update local `navigationHistory`,
`currentHistoryPosition`, and `preservedUrls`; keep
`currentIframeUrlRef` in sync.
> - In `worker/dyad-shim.js`, add `popstate` handler to notify parent
(`replaceState` message) and handle `navigate` messages by validating
http/https URLs and using `location.replace`, with fallback to
`history.go(±1)`.
> - Add E2E test `refresh.spec.ts` for preview forward/back buttons,
verifying initial disabled state, navigation to About, back to Home,
then forward to About again.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
7f9f790158262b9e3100ead96bf25f8e3ee8cac7. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes preview forward/back navigation and preserves the current route on
refresh and HMR so the preview behaves like a real browser. Adds E2E
tests for both flows.

- **Bug Fixes**
- Make back/forward work in Electron by posting the target URL to the
iframe and navigating with location.replace; notify parent on popstate;
validate http/https URLs to block unsafe protocols.
- Track and restore the current route across refresh and HMR via
previewCurrentUrlAtom and a URL ref; clear preserved URL on root path;
reset on app switch and validate same-origin URLs.

- **E2E Tests**
  - Add a multi-page react-router fixture (Home/About).
- Add tests for route preservation on refresh and for forward/back
buttons, including enabled/disabled states.

<sup>Written for commit 7f9f790158262b9e3100ead96bf25f8e3ee8cac7.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add `local_agent:search_replace:success` and
`local_agent:search_replace:failure` telemetry events to track
search-replace outcomes in local-agent mode
- Add `local_agent:file_edit_retry` telemetry to detect when multiple
edit tool types (write_file, edit_file, search_replace) are used on the
same file, indicating retry/fallback behavior
- Add `FileEditTracker` to `AgentContext` to track tool usage per file
during an agent session

## Test plan
- [x] TypeScript type checks pass
- [x] Linter passes
- [x] All 654 unit tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

#skip-bugbot
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2371">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds telemetry to local-agent to track search-replace success/failure
and when multiple edit tools touch the same file. Introduces a
FileEditTracker in AgentContext to record write_file, edit_file, and
search_replace usage per file.

- **New Features**
- Emit local_agent:search_replace:success and
local_agent:search_replace:failure (includes filePath and error on
failure).
- Emit local_agent:file_edit_retry when a file uses 2+ different edit
tools; includes per-tool counts.
- Track usage via FileEditTracker on AgentContext with a helper that
records tool calls.

- **Migration**
- Update any AgentContext mocks/constructors to include fileEditTracker:
{}.

<sup>Written for commit f8345128b1d29b555c4c787df7103a6cae98373b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add new `search_replace` tool with strict matching requirements:
  - Requires minimum 3 lines of context for unambiguous matching
  - Enforces exact-only matching (no fuzzy/lenient fallback)
  - Rejects ambiguous matches and identical old/new strings
- Extend `applySearchReplace` processor with `SearchReplaceOptions`
interface
- Update system prompt with file editing tool selection guidelines
- Add comprehensive unit tests (43 tests) and E2E test

## Test plan
- Unit tests: `npm run test -- search_replace` (43 tests passing)
- E2E tests: `npm run e2e -- --grep "local-agent"` (19 tests passing)
- Verify lint passes: `npm run fmt && npm run lint && npm run ts`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2367">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a precise, single-instance `search_replace` tool for local
agent edits and wires it across stack.
> 
> - New `search_replace` tool: strict schema (`file_path`, `old_string`,
`new_string`), rejects identical/ambiguous matches, streams XML, deploys
Supabase functions when applicable; registered in `tool_definitions`
> - Processor overhaul: replace Levenshtein with cascading matching
(exact → whitespace-tolerant → unicode-normalized), detailed failure
diagnostics, marker escaping helper, async fs usage
> - Update `edit_file` schema/usage from `description` → `instructions`
(tool schema, XML builder, examples)
> - Prompt: add file-editing tool selection guidance and post-edit
verification
> - UI: `DyadSearchReplace` gains `data-testid="dyad-search-replace"`
for E2E visibility
> - Tests: comprehensive unit tests for processor and tool, DSL runner
with pass/fail suites, plus new Playwright E2E and fixtures; snapshots
updated
> - Chore: remove `fastest-levenshtein` dependency from
`package.json`/lockfile
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
dfa9b9e172e89f135fc71cd1f35f7f3c614b9af4. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a strict search_replace tool for precise, single-instance file
edits by the local agent. Enforces exact matches with ≥3 non-empty lines
of context and auto-deploys Supabase functions when server functions are
edited.

- New search_replace tool: exact-only matching, requires ≥3 non-empty
lines of context, rejects ambiguous matches, and disallows identical
old/new strings
- Processor: implement cascading matching passes; add
SearchReplaceOptions (exactMatchOnly, rejectIdentical) and wire into
applySearchReplace
- Prompt: add clear edit-tool selection guidance, post-edit
verification, and write_file fallback
- Tests: comprehensive unit tests plus an E2E covering the new tool;
snapshots updated
- UI: add data-testid to surface search-replace actions and register the
tool in definitions
- Dependencies: remove fastest-levenshtein
- Edit tool: rename description → instructions in the schema and XML;
examples and prompt updated

<sup>Written for commit dfa9b9e172e89f135fc71cd1f35f7f3c614b9af4.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Original PR: https://github.com/dyad-sh/dyad/pull/2328
Authored by @gkrdy - thank you!

---------
Co-authored-by: gkrdy <girishkathirdy@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Add a new setting "Keep extra Supabase edge functions" that controls
whether dangling edge functions (deployed to Supabase but not in
codebase) are automatically deleted during sync operations.

When disabled (default), edge functions are pruned during batch
deployments triggered by:
- Shared module changes
- Version reverts
- Local agent file operations

Changes:
- Add skipPruneEdgeFunctions to UserSettings schema
- Add listSupabaseFunctions API method to management client
- Modify deployAllSupabaseFunctions to prune dangling functions
- Add UI toggle in SupabaseIntegration component
- Update all call sites to pass the setting

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a user setting to control pruning of Supabase edge
functions and integrates pruning into batch deployments.
> 
> - Adds `skipPruneEdgeFunctions` to `UserSettings` and a toggle in
`SupabaseIntegration`
> - Extends management client with `listSupabaseFunctions`
> - Updates `deployAllSupabaseFunctions` to optionally prune deployed
functions not in the codebase, using `deleteSupabaseFunction`;
controlled by `skipPruneEdgeFunctions`
> - Threads the setting through all batch deploy call sites: shared
module edits (`app_handlers`), version reverts (`version_handlers`),
chat/agent file ops (`response_processor`, local agent
`file_operations`)
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
6af28fb682e7a6352426e0033d67ee1e750201fc. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a setting to control pruning of extra Supabase edge functions
during batch deployments. By default, dangling functions (deployed but
not in code) are pruned; enable “Keep extra Supabase edge functions” to
skip pruning.

- **New Features**
- Added skipPruneEdgeFunctions to UserSettings and a toggle in
SupabaseIntegration.
- Implemented listSupabaseFunctions API and pruning in
deployAllSupabaseFunctions.
- Passed the setting through all batch deploy paths (shared module
changes, version reverts, local agent file operations).

<sup>Written for commit 6af28fb682e7a6352426e0033d67ee1e750201fc.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2228">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

## Summary
- Adds a new step to run `npm test` in the `/dyad:pr-push` skill after
lint checks
- Ensures tests pass before pushing changes to prevent broken code from
being pushed
- Updates step numbering and summary section accordingly

## Test plan
- Run `/dyad:pr-push` and verify it now runs `npm test` as step 4
- Confirm the skill fails if tests don't pass

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2364">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds an npm test step to the /dyad:pr-push skill after linting, blocking
pushes when tests fail. Also updates step ordering and the final summary
to confirm tests passed.

- New Features
  - Run npm test after lint and before push (required).
  - Fail the skill if tests fail.
  - Renumber follow-up steps and update instructions.
  - Add “tests passed” to the result summary.

<sup>Written for commit ba2ef4fb11989841170a9f1e56732d60ae205c29.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2363">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Adds a `check-changes` job to CI that detects if a PR only modifies
files in `.claude/`
- Skips the expensive `test` and `merge-reports` jobs when only Claude
config files are changed
- Always runs tests on pushes to main branch for safety

## Test plan
- Create a PR that only changes files in `.claude/` → CI should skip E2E
tests
- Create a PR that changes files outside `.claude/` → CI should run E2E
tests normally
- Push to main → CI should always run E2E tests

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2362">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Skip E2E tests in CI when a PR only changes files in .claude/, cutting
build time and saving resources. Tests always run on pushes to main;
aligns with Linear issue 1769548046265.

- **New Features**
- Added a check-changes job that outputs should_run_tests based on the
diff (PR vs push).
- Gated test and merge-reports jobs on should_run_tests; skip when only
.claude/ files changed.
  - Falls back to running tests if changed files can’t be determined.

<sup>Written for commit a75bfed9498b31634a8944d63a435688e0bac8ac.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Multiple components calling `useRunApp()` each registered their own
event listener for `onAppOutput`, causing duplicate log entries in the
console
- Extracted the event subscription into a new
`useAppOutputSubscription()` hook
- The new hook is called only once in `layout.tsx` at the root level,
eliminating duplicates

## Test plan
- Run an app and observe the System Messages console
- Verify that server log messages (stdout/stderr) appear only once
instead of multiple times
- Verify HMR updates still trigger iframe refreshes correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

#skip-bugbot
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2359">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fix duplicate server log messages by subscribing to app output events
only once at the app root. Prevents repeated stdout/stderr entries while
keeping HMR iframe refreshes working.

- **Bug Fixes**
- Extracted event subscription from useRunApp into a new
useAppOutputSubscription hook.
- Call useAppOutputSubscription once in layout.tsx to avoid duplicate
listeners.
  - Preserved proxy URL processing and hot module reload behavior.

<sup>Written for commit 0f4df3f539c818e2100228e23602f31fe1d07742.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Eliminates duplicate server logs by centralizing app output
subscription.
> 
> - Extracts event listener logic from `useRunApp` into new
`useAppOutputSubscription()` and subscribes once in `src/app/layout.tsx`
> - Preserves HMR handling (refresh via preview panel key) and proxy URL
parsing in `processProxyServerOutput`
> - Refactors internals with `useCallback` dependencies to avoid
duplicate processing while keeping existing `useRunApp` API intact
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
0f4df3f539c818e2100228e23602f31fe1d07742. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2361">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Upgrades the Claude PR review to include a dedicated code-health agent,
smart deduplication, and an always-posted summary, while enforcing app
builds before E2E tests to avoid stale binaries. Also improves stop
behavior by analyzing Task* tool calls and updates the workflow to use
the new multi-agent review command.

- **New Features**
  - Adds a Code Health reviewer alongside correctness-focused agents.
  - Deduplicates issues with Sonnet and skips already-commented items.
  - Posts a summary every run; inline comments only for HIGH/MEDIUM.
- Improves stop-hook by sending Task* calls to the model and recognizing
plan-mode waits.
- Switches GitHub Action to `/dyad:multi-pr-review`; adds “Plan to
Issue” command; updates trusted commenters and E2E run permissions.

- **Migration**
  - Before any E2E run, build the app: `npm run build`.
- Adds a `build` script; updates docs and commands to require building
before tests.

<sup>Written for commit ceddd301964cf0f74d1d1cd016dec951433dce98.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2342">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds a pull workflow and consolidates branch operations into a single
actions menu.
> 
> - UI: Replace standalone buttons with `Branch actions` dropdown
(`GithubBranchManager.tsx`) containing `Create new branch`, `Refresh
branches`, and new `Git pull`; disables controls while pulling
> - IPC: New `github:pull` contract and handler that pulls from `origin`
on current branch, uses auth token, tolerates missing remote branch, and
reloads branches (`src/ipc/types/github.ts`,
`src/ipc/handlers/git_branch_handlers.ts`)
> - E2E: Update flows to use `branch-actions-menu-trigger`; add pull
test and snapshots; factor `configureGitUser()` helper (`e2e-tests/...`)
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
40bb9e7cd72308acf34563e9758884d2b0c2cd4e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds Git pull support and consolidates branch actions into a single
“Branch actions” menu, making it easy to pull remote changes from the
UI. Includes IPC wiring and an end-to-end test.

- **New Features**
- Added “Branch actions” dropdown with Create branch, Refresh branches,
and Git pull.
  - Git pull action with loading state and success/error toasts.
- New IPC contract and handler (github:pull) that pulls from origin and
tolerates missing remote branch.

- **Refactors**
- Replaced separate buttons with a dropdown in GithubBranchManager and
updated test IDs.
- Added configureGitUser helper and new e2e test for pulling from
remote.
  - Updated snapshots to reflect the new menu.

<sup>Written for commit 40bb9e7cd72308acf34563e9758884d2b0c2cd4e.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

## Summary
- When clicking the refresh button in the preview panel, the app now
preserves the current route instead of defaulting to the root path (/)
- Store the current URL in a ref when refresh is clicked, then use it as
the iframe src during reload
- Added E2E test to verify route preservation on refresh

Fixes #253

## Test plan
- E2E test `refresh preserves current route` verifies the fix:
  1. Create an app
2. Navigate to a different route using JavaScript (simulating
client-side navigation)
  3. Click refresh
  4. Verify the address bar still shows the navigated route (not /)
- Existing `refresh app` test continues to pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2336">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Ensures the preview iframe keeps the current client-side route on
refresh and after HMR remounts.
> 
> - Track route changes (`pushState`/`replaceState`) and persist per-app
URL via `previewCurrentUrlAtom`; initialize navigation from preserved
URL
> - Use `currentIframeUrlRef` and validated same-origin URL as iframe
`src` on reload; reset history on app change
> - Update `PreviewIframe` navigation history, address bar
(`data-testid="preview-address-bar-path"`), and reload logic; avoid
unintended src resets on re-render
> - Add E2E test `refresh preserves current route` with a multi-page
React Router fixture to verify behavior
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d715ec38b8fb94383eafe3a31b901d407468ab4e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Refresh in the preview panel now preserves the current route instead of
resetting to /. Routes are also restored after HMR remounts; adds an E2E
test to confirm this; fixes #253.

- **Bug Fixes**
- Track route changes (pushState/replaceState) and persist the current
URL per app via previewCurrentUrlAtom; on reload, validate same-origin
and use it as the iframe src; reset on app change.
- Add a data-testid to the address bar and a Playwright test that
navigates via a react-router link in a multi-page app, refreshes, waits,
and asserts the route remains.

<sup>Written for commit d715ec38b8fb94383eafe3a31b901d407468ab4e.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- Add `remarkGfm` plugin to `VanillaMarkdownParser` and
`DyadMarkdownParser` components
- Enables proper rendering of GitHub Flavored Markdown features
including tables, strikethrough, autolinks, and task lists

## Test plan
- Verify tables render correctly in chat messages
- Verify strikethrough text (~~text~~) renders with strikethrough
styling
- Verify task lists (- [ ] and - [x]) render as checkboxes
- Verify autolinks are properly converted to clickable links

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2353">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Enabled GitHub Flavored Markdown in chat markdown parsing to correctly
render tables, strikethrough, autolinks, and task lists. Adds remarkGfm
to VanillaMarkdownParser and DyadMarkdownParser; addresses Linear issue
2297.

<sup>Written for commit f3eb069a860e6bf95f76a9bcc97b44d89fe07da7.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds GitHub Flavored Markdown support to chat markdown rendering.
> 
> - Import `remark-gfm` and pass via `remarkPlugins` to `ReactMarkdown`
in `VanillaMarkdownParser` and within `DyadMarkdownParser` for markdown
pieces
> - Ensures proper rendering of GFM features (tables, strikethrough,
autolinks, task lists) in chat content
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f3eb069a860e6bf95f76a9bcc97b44d89fe07da7. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary

- Re-triggers CI after Claude Code pushes commits by closing and
reopening the PR (workaround for GITHUB_TOKEN commits not triggering
workflows)
- Updates pr-fix command to post a summary comment on the PR when done,
with collapsible details

## Background

When Claude Code pushes commits using `GITHUB_TOKEN`, GitHub's
anti-recursion protection prevents other workflows from triggering. This
PR adds a step to close and reopen the PR after Claude pushes, which
triggers the `reopened` event that CI listens for.

Also adds instructions to the pr-fix command to have Claude post a
summary comment on the PR summarizing what was done.

## Test plan

- [ ] Verify CI re-triggers after Claude Code pushes commits
- [ ] Verify summary comment is posted on the PR

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2339">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Automatically re-triggers CI after Claude Code pushes and adds a clear
PR summary comment when pr-fix completes. This avoids missed builds from
GITHUB_TOKEN commits and helps reviewers see what changed.

- **New Features**
- Detects new commits from Claude and re-triggers CI by
closing/reopening the PR (uses HEAD tracking, GitHub API, and a reopen
retry for reliability).
- pr-fix posts a success/failure summary comment with addressed review
items, CI fixes, remaining issues, collapsible details, plus a workflow
run link; handles comment failures and missing env vars gracefully.

<sup>Written for commit 77be40a076e264333efb046a81fbc6920b5adc64.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add Python script to sanitize GitHub issue markdown (removes HTML
comments, zero-width characters, excessive whitespace, details/summary
tags)
- Add unit tests with 5 golden input/output pairs plus additional inline
tests
- Update fix-issue.md to use sanitizer and proceed directly with
implementation for straightforward plans (no remote session question)
- Add goldens directory to format ignore to preserve test data

## Test plan
- Run `python3
.claude/commands/dyad/scripts/test_sanitize_issue_markdown.py` to verify
all 13 unit tests pass
- Test the sanitizer directly: `echo "<!-- comment -->" | python3
.claude/commands/dyad/scripts/sanitize_issue_markdown.py`

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2337">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a Python markdown sanitizer and integrates it into the fix-issue
flow to clean GitHub issue content and enable direct local
implementation for straightforward plans.

- **New Features**
- Added sanitizer script that removes HTML comments, invisible
characters, excessive blank lines, and strips details/summary tags while
keeping content; normalizes line endings and whitespace.
- Updated fix-issue.md to run the sanitizer and let simple plans proceed
directly to local implementation without the remote session prompt.
- Included golden files and unit tests (13) to validate sanitizer
behavior.
- Added the goldens directory to formatter and Prettier ignore lists to
preserve test fixtures.

- **Bug Fixes**
- Fixed shell injection risk in fix-issue.md by using printf in the
sanitizer step.

<sup>Written for commit 226f9436ba6f338efd6fb798aa327334459647aa.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary

- Adds an application menu with Edit, View, and Window submenus to
enable standard keyboard shortcuts
- Fixes #1952: Users can now use Cmd/Ctrl+C, Cmd/Ctrl+V, Cmd/Ctrl+Z,
Cmd/Ctrl+X, Cmd/Ctrl+A instead of right-clicking
- The Edit menu provides: Undo, Redo, Cut, Copy, Paste, Delete, Select
All

## Test plan

1. Start the app
2. Click in the chat input field and type some text
3. Test Ctrl/Cmd+A (Select All) - should select all text
4. Test Ctrl/Cmd+C (Copy) - should copy selected text
5. Test Ctrl/Cmd+V (Paste) - should paste clipboard content
6. Test Ctrl/Cmd+Z (Undo) - should undo last action
7. Test Ctrl/Cmd+Shift+Z or Ctrl+Y (Redo) - should redo undone action
8. Test Ctrl/Cmd+X (Cut) - should cut selected text
9. Verify right-click context menu still works as before

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2335">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a global application menu to enable OS-standard keyboard
shortcuts and window/view controls.
> 
> - Adds `createApplicationMenu` in `src/main.ts` with `Edit`, `View`,
and `Window` menus (plus macOS `App` menu) providing `undo/redo`,
`cut/copy/paste/delete/selectAll`, zoom controls, reload, devtools, and
fullscreen
> - Calls `createApplicationMenu()` during startup after
`createWindow()` to activate shortcuts across the app
> - Leaves existing right-click context menu behavior intact
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fbd07b8dc49d8ee97f98526ac1d654701734c038. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds an application menu to enable standard keyboard shortcuts (Undo,
Redo, Cut, Copy, Paste, Select All) across the app. Fixes #1952 so users
can use Cmd/Ctrl shortcuts instead of relying on the context menu.

- **New Features**
- Create and set application menu on startup with Edit, View, and Window
menus.
- Edit menu wires Undo, Redo, Cut, Copy, Paste, Delete, Select All via
Electron roles.
- Includes macOS app menu (About, Services, Hide, Quit); Windows/Linux
use Window -> Close.

<sup>Written for commit f2499679fb571476cec5f74a2e5a23c3447512c3.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- Fixed `gh pr edit` commands failing with "Could not resolve to a
PullRequest" error
- When the workflow checks out a fork repository, the `gh` CLI operates
in that context and tries to find the PR in the fork instead of the
upstream repo
- Added `--repo ${{ github.repository }}` flag to all `gh pr edit`
commands to ensure they target the correct repository

## Test plan
- Create a PR from a fork with the `cc:request` label
- Verify the PR Review Responder workflow can successfully update labels

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2338">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes gh pr edit failures on fork-based PRs by forcing the repo context
with --repo ${{ github.repository }}. The PR Review Responder now
reliably updates cc:request/pending/done/failed labels in the upstream
repo even when the workflow runs in a fork.

<sup>Written for commit b2d37c8852965f102932662d309da8c45bf9f2f1.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Adds `getWindowsSanitizedEnv()` function that filters WSL-related PATH
entries on Windows
- Creates `execGit()` wrapper that applies sanitized environment to all
dugite exec calls
- Prevents WSL relay from intercepting git commands when WSL is
installed but misconfigured

Fixes #2194

## Test plan
- [ ] Test on Windows machine with WSL installed
- [ ] Verify git commit operations work with native Git enabled
- [ ] Verify no regression on macOS/Linux (sanitization only activates
on Windows)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Sanitize PATH on Windows to stop WSL from hijacking git commands,
ensuring native Git runs reliably. Fixes #2194.

- **Bug Fixes**
- Added getWindowsSanitizedEnv to filter WSL PATH entries (\\wsl$,
\\wsl.localhost, windowsapps, /mnt, /usr, /bin, /home) and handle PATH
key casing.
- Wrapped all dugite exec calls with execGit on Windows; added '--'
separators and remote URL validation.
- Prevents WSL hijacking and errors like "execvpe(/bin/bash) failed: No
such file or directory".

<sup>Written for commit ad0a93ceb660831d8c4abf3e05dd91b8523dd9f1.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Fixes Windows WSL PATH contamination by introducing a sanitized env
and routing all native Git calls through a wrapper.
> 
> - **Add** `getWindowsSanitizedEnv()` to filter WSL-related PATH
entries on Windows and handle PATH key casing
> - **Introduce** `execGit()` wrapper and replace all `dugite.exec`
usages to apply sanitized env on Windows
> - **Harden** native Git calls: add `--` separators for path/URL args
(e.g., `clone`, `check-ignore`), and validate `remoteUrl` to prevent
option injection
> - Touches most native Git flows: status, commit, checkout, branch ops,
clone, push/pull/fetch/merge/rebase, file retrieval, and conflict
detection
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
ad0a93ceb660831d8c4abf3e05dd91b8523dd9f1. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2282">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Replace broken prompt-based Stop hook with command-based hook using
Claude Sonnet
- Add .claude/hooks/stop-hook.py that reads conversation transcript and
uses Sonnet to analyze task completion
- Includes infinite loop prevention via stop_hook_active check
- Add unit tests for the stop hook

## Test plan
- [x] Run pytest .claude/hooks/tests/test_stop_hook.py -v - all 9 tests
pass
- [ ] Manual testing: verify stop hook fires and correctly analyzes task
completion

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Replaced the broken prompt-based stop hook with a command-based hook
that blocks when tasks remain and uses Sonnet analysis as a fallback.
Adds loop protection and tests.

- **New Features**
- Added .claude/hooks/stop-hook.py that blocks when
TaskCreate/TaskUpdate show remaining tasks, returning
{"decision":"block","reason":...}. If none remain, it analyzes a 32k
transcript (middle truncation) with Sonnet.
- Added unit tests and a stop_hook_active guard to prevent infinite
loops.

- **Refactors**
- Updated .claude/settings.json to use the command-based hook (30000 ms
timeout) instead of the prompt hook.
- Added --no-session-persistence to Claude CLI calls in stop-hook.py and
permission-request-hook.py.

<sup>Written for commit 575426cee9efb0fa7e1f4be64a8405ae2e717a3b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2331">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- **gh-permission-hook:** Allow `gh pr` commands without shell injection
check (common workflow patterns need pipes, backticks in markdown
bodies, etc.)
- **gh-permission-hook:** Keep shell injection as deny for all other
`gh` commands
- **gh-permission-hook:** Allow PATCH to `/pulls/{id}` for updating PR
title/body via API
- **python-permission-hook:** Allow `pytest` as an exception to the `-m`
module restriction for running tests
- Update test data to reflect new behavior

## Test plan
- Run `pytest tests/test_gh_permission_hook.py
tests/test_python_permission_hook.py -v` in `.claude/hooks/` to verify
all hook tests pass
- Verify `gh pr create` with backticks in body works without shell
injection error
- Verify `gh api -X PATCH repos/owner/repo/pulls/123` is allowed
- Verify `python -m pytest` is allowed

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Modernizes IPC usage app-wide to new typed, namespaced contracts.
> 
> - Refactors calls from `IpcClient` to `ipc.*` namespaces (system, app,
chat, github, git, version, languageModel, neon, visualEditing, context,
misc, capacitor, template, events, upgrade, agent, proposal)
> - Updates type imports from `"@/ipc/ipc_types"` to `"@/ipc/types"`
(e.g., `ListedApp`, security types) and adapts optional fields
> - Aligns method signatures to object params and new return shapes
(e.g., `getAppVersion` → `{ version }`); replaces various URL
opens/restarts/screenshots with `ipc.system.*`
> - Moves custom theme and theme generation ops to `ipc.template.*`;
adds maxOutputTokens in custom model dialogs; adjusts provider/model
management APIs
> - Switches GitHub/Vercel/Neon/Supabase/Capacitor connectors and
branching flows to new IPC endpoints; updates event subscriptions for
GitHub device flow
> - Normalizes logging/preview interactions and visual editing
apply/analyze via `ipc.misc`/`ipc.visualEditing`
> 
> Potential follow-ups: verify all parameter objects and event handlers,
and update any remaining legacy imports.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
7c574fe53296ba5c9a16d6b69d1008d06490534e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adopted the new typed IPC contracts across the app, replacing IpcClient
with namespaced ipc methods. Restored app output streaming via events,
added maxOutputTokens for custom model flows, migrated custom theme
operations to ipc.template, and fixed chat stream cancellation
lifecycle.

- **Refactors**
- Replaced IpcClient usage with ipc.* namespaces (system, app, chat,
github, git, version, languageModel, neon, visualEditing, context,
prompt, mcp, misc, capacitor, template, events, upgrade, agent,
proposal).
- Moved type imports from "@/ipc/ipc_types" to "@/ipc/types"; adjusted
renamed types and paths (e.g., ListedApp under "@/ipc/types/app",
security types under "@/ipc/types/security").
- Updated method signatures to use object params and new return shapes
(e.g., getAppVersion returns { version }).
- Subscribed to ipc.events.misc.onAppOutput in useRunApp to process app
output, restore preview URL updates, and handle HMR after API changes.
- Added missing maxOutputTokens in create/edit custom model dialogs;
small UI and hooks changes to align with new contracts.
- Fixed DeepLinkData typing by re-exporting a discriminated union for
correct type narrowing.
- Migrated custom themes and theme generation to ipc.template.*; added
CustomTheme and theme generation types.
- Moved methods to correct namespaces (e.g., takeScreenshot/restartDyad
→ system; checkProblems → misc).
- Emit chat:stream:end on stream cancellation for consistent renderer
cleanup.

- **Migration**
  - Replace any remaining IpcClient references with ipc.*.
- Update type imports to "@/ipc/types" and adjust for changed/optional
fields (e.g., App lists use ListedApp; Collaborator.permissions and
VercelProject.framework may be optional).
- Verify callers for new parameter objects and result shapes; replace
runApp/restartApp callbacks with ipc.events.misc.onAppOutput
subscriptions.

<sup>Written for commit 7c574fe53296ba5c9a16d6b69d1008d06490534e.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2276">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb

fixes https://github.com/dyad-sh/dyad/issues/2318

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Persist the selected device mode (desktop, tablet, mobile) in user
settings so it stays after app rebuilds. Adds an end-to-end test to
verify the mode persists through a rebuild.

- **New Features**
- PreviewIframe reads and writes previewDeviceMode via useSettings,
replacing local state.
  - Added DeviceModeSchema and previewDeviceMode to UserSettingsSchema.

- **Bug Fixes**
- Stabilized e2e: added a persistence test, use po.clickRebuild(), and
wait for preview loading to appear/disappear with a final assertion
timeout.

<sup>Written for commit c801c37c314413ba23c0174dc7bb401193826389.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add gitAddSafeDirectory call after moving app directory during rename
and change-app-location operations
- This ensures the new path is added to Git's safe.directory config on
Windows
- Prevents dubious ownership error that occurs when Git operations are
performed on directories owned by different users

Fixes #2303

## Test plan
- Existing rename_app.spec.ts E2E tests pass
- On Windows: rename an app that has git history, verify git operations
(like listing branches) work without errors

Generated with Claude Code

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Ensures Git trusts all repositories under the Dyad apps base directory
on Windows when native Git is enabled.
> 
> - Change `gitAddSafeDirectory(getDyadAppsBaseDirectory())` to
`gitAddSafeDirectory(`${getDyadAppsBaseDirectory()}/*`)` during app
startup
> - Update comments to document rationale and Git config reference
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
b49181edd3612228952e9475c64424b9370f79d9. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Add dyad-apps/* to Git safe.directory at startup so Git works after app
renames or moves on Windows when native Git is enabled. Replaces per-app
updates with a single wildcard entry. Fixes #2303.

<sup>Written for commit b49181edd3612228952e9475c64424b9370f79d9.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fixed the pr-review-responder workflow failing to find PRs from forks
- Added a fallback that searches for open PRs using `pulls.list` API
with the head repository owner and branch name when
`workflow_run.pull_requests` array is empty

## Test plan
- Create a PR from a fork with the `cc:request` label
- Verify the workflow can now correctly find and process the PR

#skip-bugbot

Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes PR lookup in the pr-review-responder workflow for forked PRs. Adds
a fallback search by head owner and branch when
workflow_run.pull_requests is empty, so fork PRs are processed
correctly.

- **Bug Fixes**
  - Handle empty workflow_run.pull_requests for cross-repo PRs.
  - Use pulls.list with head "<owner>:<branch>" to find the PR number.
  - Exit early (should_continue=false) if no matching open PR is found.

<sup>Written for commit 70e3c1399b438d5fe768aa9171ec2bf683bc38ff.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add a Stop hook that checks for incomplete tasks before allowing
Claude to stop
- The hook blocks stopping if any tasks are in pending or in_progress
status
- Includes comprehensive tests for the hook behavior

## Test plan
- Run the test suite: python3 .claude/hooks/tests/test_stop_hook.py
- Verify all tests pass (no tasks allows stop, completed tasks allow
stop, pending/in_progress tasks block stop)

#skip-bugbot

Generated with Claude Code

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a Stop hook to prevent early stopping when work isn’t done. Uses a
stricter, prompt-based check of the conversation context with a default
bias to continue.

- **New Features**
- Stop hook returns {"ok": true} to allow stop or {"ok": false,
"reason": "..."} to continue.
- Evaluates task completion, unresolved errors, follow-ups, and work
quality.
- Biases to continue unless everything is truly complete; registered
under Stop in .claude/settings.json with a 30s timeout.

<sup>Written for commit 059862cf76e0df9dd9149df2c8acd840c06dbc15.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Update E2E snapshots to match the new formatter output after the oxfmt
migration

The snapshot changes reflect formatting differences from the transition
from prettier to oxfmt for code formatting.

## Test plan
- E2E tests pass locally with updated snapshots

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Updated E2E snapshots to match oxfmt formatter output after migrating
from Prettier. This resolves snapshot diffs (like JSON key order and
TypeScript line breaks) so tests pass without changing behavior.

<sup>Written for commit 32d4195cde1d0c829b6475212ea10ea7d628471c.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add `PLAYWRIGHT_HTML_OPEN=never` environment variable to all e2e test
commands in AGENTS.md and Claude command files
- Prevents the Playwright HTML reporter from opening a browser and
blocking the terminal after tests complete

## Test plan
- Run `npm run e2e` with and without the env var to verify behavior
- Agents running e2e tests should no longer hang waiting for user input

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Stop the Playwright HTML reporter from auto-opening and blocking the
terminal by setting PLAYWRIGHT_HTML_OPEN=never on all e2e commands.
Updated AGENTS.md and Claude command files so local runs and agent
workflows no longer hang after tests.

<sup>Written for commit 2ee4139f8a43a5bc20ae1933b6c629d19c96937b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fix PermissionRequest hook to use correct hookSpecificOutput JSON
wrapper format
- Previously the hook output {behavior: allow} but Claude Code expects
{hookSpecificOutput: {hookEventName: PermissionRequest, decision:
{behavior: allow}}}
- Clean up code: remove debug logging, organize imports

## Test plan
- Run a command that triggers permission request (e.g., rm -rf somedir)
- Verify the hook auto-approves GREEN operations without showing the
permission dialog
- Test with DEBUG_PERMISSION_HOOK=1 to see hook execution logs

Generated with Claude Code


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Uses Claude Sonnet to analyze permission requests and fixes the
PermissionRequest hook output format so decisions are applied correctly.
GREEN auto-approves, YELLOW passes through, RED auto-denies without
showing the dialog.

- **Bug Fixes**
- Use the correct wrapper: {hookSpecificOutput: {hookEventName:
"PermissionRequest", decision: {behavior: "allow"|"deny"}}}.
  - Improve JSON extraction; remove debug logs and tidy imports.

- **New Features**
- Add permission-request-hook.py to analyze requests with Claude CLI
(sonnet) and auto-approve/deny using permission-policy.md.
  - Add tests for hook behavior, response schema, and policy coverage.
  - Enable the hook in .claude/settings.json for all tools.

<sup>Written for commit bcdcd4eeda5e28d4cde37247fae8c150c1e9ba1b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->




<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces an AI-driven PermissionRequest hook that evaluates tool
actions against a new security policy and auto-approves/denies
accordingly, plus tests and settings wiring.
> 
> - **Add** `permission-request-hook.py` to call Claude (model `sonnet`)
with `permission-policy.md`, parse JSON robustly, and emit
`hookSpecificOutput` for `allow`/`deny` (GREEN auto-approve, RED
auto-deny, YELLOW passthrough)
> - **Add** comprehensive `permission-policy.md` covering Bash, GitHub,
and file operations with GREEN/YELLOW/RED criteria
> - **Add** tests in `tests/test_permission_request_hook.py` for hook
passthrough behavior, response format, CLI absence, and policy coverage
> - **Configure** `.claude/settings.json` to register the new
PermissionRequest hook for all tools with a 30s timeout
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
bcdcd4eeda5e28d4cde37247fae8c150c1e9ba1b. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

- Add step to check current branch and create feature branch if on
main/master
- Add task tracking requirement using TaskCreate/TaskUpdate tools
- Renumber steps and update summary to report new branch creation

#skip-bb

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Updates the pr-push skill to block pushes to main/master and auto-create
a PR, and adds required task tracking across pr-push and pr-fix so work
happens on feature branches with clear progress and a ready review link.

- **New Features**
- Check current branch; if on main/master, create and switch to a
descriptive feature branch and report its name.
- Require TaskCreate/TaskUpdate across pr-push and pr-fix to track each
step (create tasks, mark in_progress/completed).
- Auto-create a PR if none exists (no manual URL prompts), avoid
duplicates, and include the PR URL in the final summary; steps
renumbered to reflect the new flow.

<sup>Written for commit 81f38c98e48bf915a553dac23d1ec41474c27d0b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Add a Python permission hook that restricts python/python3 to scripts
inside the .claude directory. Blocks unsafe modes and command injection
to reduce risk.

- **New Features**
- Enforces: allow scripts under .claude; deny scripts outside; deny -m,
-c, and interactive; passthrough for non-python and --version/--help.
- Robust parsing of env-var prefixes, flags, quoted/unquoted paths,
relative/absolute paths, and symlinks; supports CLAUDE_PROJECT_DIR.
- Registered the hook in PreToolUse and expanded allowed tools in
settings (Bash(chmod:*), Bash(python3:*)). Added tests for allowed,
blocked, passthrough, and security-bypass commands.

<sup>Written for commit 798d1abf04cdedc5395603ce4e32b2b943be8941.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

- Add hardcoded list of trusted humans (wwwillchen, princeaden1,
azizmejri1)
- Add trusted bots (gemini-code-assist, greptile-apps, cubic-dev-ai,
cursor, github-actions)
- Skip reading contents of comments from untrusted authors for security
- Report untrusted commenters in summary without exposing their comment
contents

#skip-bb

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Only process unresolved PR review threads from trusted authors. Skip
reading comment bodies from untrusted users and report their usernames
safely.

- **New Features**
  - Added trusted humans: wwwillchen, princeaden1, azizmejri1
- Added trusted bots: gemini-code-assist, greptile-apps, cubic-dev-ai,
cursor, github-actions, chatgpt-codex-connector
  - Filter threads where the first comment’s author is trusted
- Report untrusted commenters by username only; do not read their
comment contents

<sup>Written for commit a696d73c3b32d8fecd63e9dd0e67815a08e99033.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Swap prettier for oxfmt in devDependencies for faster formatting
- Rename scripts: prettier -> fmt, prettier:check -> fmt:check
- Update lint-staged to use oxfmt
- Update CLAUDE.md and skill docs to reference npm run fmt

## Test plan
- [x] Run npm run fmt to verify formatting works
- [x] Run npm run fmt:check to verify check mode works
- [x] Verify lint-staged runs oxfmt on commit

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Replaced Prettier with oxfmt for faster formatting. Updated to oxfmt
0.26.0, added a project config, renamed scripts to fmt and fmt:check,
and refreshed docs; oxfmt’s new rules applied compact formatting across
many files.

- **Migration**
  - Use npm run fmt and npm run fmt:check in local workflows and CI.
  - lint-staged now formats with oxfmt on commit.
  - Requires Node 20.19+ or 22.12+.

<sup>Written for commit a9e3812b02849f8d6357913113fca68ca8b4fcbc.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb

## Summary
This PR adds a new GitHub Actions workflow that automatically cancels
in-progress and queued CI workflow runs when a pull request is merged.
This helps reduce unnecessary CI resource consumption and prevents stale
workflow runs from completing after their changes have already been
integrated.

## Changes
- Added `.github/workflows/cancel-ci-after-merge.yml` workflow that:
  - Triggers when a pull request is closed (merged)
  - Finds the CI workflow in the repository
- Queries for all in-progress and queued CI runs on the merged PR's
branch
  - Cancels each identified workflow run with error handling and logging
  - Includes comprehensive console logging for debugging and monitoring

## Implementation Details
- The workflow uses `actions/github-script@v7` to interact with the
GitHub Actions API
- It specifically targets the "CI" workflow by name
- Handles both "in_progress" and "queued" statuses to catch all active
runs
- Includes try-catch error handling to gracefully handle cancellation
failures
- Requires `actions: write` permission to cancel workflow runs
- Only executes when `github.event.pull_request.merged == true` to avoid
running on rejected PRs


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Automatically cancel active CI runs for the merged PR’s head commit.
Frees up runners and prevents stale builds from finishing.

- **New Features**
- Adds .github/workflows/cancel-ci-after-merge.yml triggered on PR
closed, gated to merged PRs.
- Targets the CI workflow via file path ci.yml and lists runs for the PR
head SHA.
- Cancels active runs (in_progress, queued, pending, waiting) with
try/catch error handling and de-duplicates by run ID.
- Supports fork and non-fork PRs; uses actions/github-script@v7 with
actions: write permissions and clear console logs.

<sup>Written for commit 4d631b3ccb9d127c4781b185b9d6eac90d2fd710.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

Creates a GitHub Action that triggers when CI completes for PRs with the
cc:request label. It runs /dyad:pr-fix to address failing checks and
review comments, then updates labels (removes cc:help, adds
cc:responded)

#skip-bugbot

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a GitHub Action that auto-responds to PRs after CI completes. It
runs /dyad:pr-fix on PRs labeled cc:request from wwwillchen and updates
labels based on status.

- **New Features**
  - Triggers on CI workflow_run completion.
  - Checks out the PR’s head repo/branch and runs /dyad:pr-fix.
  - Restricts usage to PRs authored by wwwillchen.
- Updates labels: cc:request → cc:pending; then cc:done on success or
cc:failed on failure.
  - Uses write permissions for contents and pull-requests.

<sup>Written for commit 21cef82a88b2e3d591f4c3955b679dd28aad0477.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Introduce a type-safe, centralized query key system following TanStack
Query best practices:

- Add src/lib/queryKeys.ts with hierarchical factory functions
- Use `as const` assertions for full type inference
- Group keys by feature (apps, chats, versions, etc.)
- Support prefix-based invalidation via parent keys

Update all 30+ hooks and components to use the new queryKeys:
- Replace inline string arrays with factory calls
- Replace scattered exports (CHATS_QUERY_KEY, TOKEN_COUNT_QUERY_KEY,
etc.)
- Consistent pattern: queryKeys.<feature>.<operation>(params)

Benefits:
- Single source of truth for all query keys
- Full autocomplete/IntelliSense support
- Type-safe invalidation (catches typos at compile time)
- Easier refactoring and key discovery

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Centralized React Query keys behind a typed queryKeys factory and
updated 30+ hooks/components to use it. This improves type-safety,
enables autocomplete, and makes invalidation and refactors simpler.

- **Refactors**
- Added src/lib/queryKeys.ts with hierarchical factory functions (as
const) grouped by feature.
- Replaced inline arrays and scattered constants (e.g., CHATS_QUERY_KEY,
TOKEN_COUNT_QUERY_KEY, APP_THEME_QUERY_KEY, SUPABASE_QUERY_KEYS).
- Standardized invalidate/remove calls to use parent keys (e.g.,
queryKeys.chats.all, queryKeys.versions.list({ appId })).
- Structured MCP keys (mcp.toolsByServer.all and
mcp.toolsByServer.list({ serverIds })) and updated Supabase branches to
include organizationSlug.
- No behavior changes; safer invalidation and consistent keys across the
app.

- **Migration**
- Use queryKeys.<feature>.<operation>(params object) for all queryKey
definitions.
- Invalidate broadly via parent keys when needed (e.g.,
queryKeys.chats.all).
- Update Supabase branches calls to pass organizationSlug:
queryKeys.supabase.branches({ projectId, organizationSlug }).
  - Do not add or export per-hook key constants; rely on queryKeys.

<sup>Written for commit 2b80e408f077b8ea3141369ca21f62e514852cfd.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a centralized, typed React Query key factory and applies it
across the app for consistency and safer invalidation.
> 
> - Adds `src/lib/queryKeys.ts` with hierarchical, `as const` key
factories (e.g., `queryKeys.apps.detail`, `queryKeys.versions.list`)
> - Refactors 30+ hooks/components to use factory keys in
`useQuery`/`useMutation` and `invalidateQueries`/`removeQueries`
> - Replaces scattered constants (e.g., `CHATS_QUERY_KEY`,
`TOKEN_COUNT_QUERY_KEY`, `APP_THEME_QUERY_KEY`, Supabase/MCP keys) with
`queryKeys`
> - Updates IPC-driven UI pieces (`AppUpgrades`, `CapacitorControls`,
`ModelPicker`, `ChatInput`, preview panels, Neon, MCP, Supabase, Vercel,
etc.) to the new keys
> - Documentation: `AGENTS.md` adds an Architecture section with usage
guidelines and changes format script to `npm run fmt`
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2b80e408f077b8ea3141369ca21f62e514852cfd. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

## Summary
- Fixes false positive in gh permission hook when PR bodies contain
markdown code spans like `concurrency`
- Adds `MARKDOWN_CODE_SPAN_PATTERN` to neutralize backtick pairs with
identifier-like content before checking for shell injection
- Security preserved: actual command substitution patterns with
spaces/special chars still blocked

## Test plan
- [x] Tested commands with markdown code spans now pass
- [x] Tested commands with actual command substitution patterns are
still blocked
- [x] Tested command chaining attempts are still blocked

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Allows safe markdown code spans inside double-quoted PR/issue bodies by
neutralizing backtick-wrapped identifiers; command substitution and
unsafe chaining remain blocked.

- **Bug Fixes**
- Neutralize identifier-like code spans only inside double quotes using
MARKDOWN_CODE_SPAN_PATTERN; requires a dot, hyphen, or underscore and
excludes plain words; still blocks backticks with spaces, args, or
pipes.

<sup>Written for commit 9d81ffe0bf0c58dd7862ffc16b49318698c8fb5d.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>