## Summary
- Expanded the safe pipe destinations whitelist in the GitHub CLI
permission hook to include common text-processing commands like
`base64`, `cat`, `column`, `fmt`, `fold`, `paste`, `strings`, checksum
utilities, and more
- Previously, commands like `gh api ... | base64 -d` were blocked
because `base64` wasn't in the narrow allowlist

## Test plan
- [x] Verified `gh api
repos/dyad-sh/dyad/contents/.github/workflows/closed-issue-comment.yml
--jq '.content' 2>&1 | base64 -d` no longer blocked
- [x] All 784 unit tests pass
- [x] Lint and type checks pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2581"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Expands the set of commands permitted in piped shell invocations,
which could widen the attack surface if the whitelist includes tools
with unexpected side effects; changes are contained to the permission
hook and docs.
> 
> **Overview**
> Broadens the `gh` permission hook’s allowed pipe destinations from a
small set of utilities to a larger whitelist of common text-processing
commands (e.g., `base64`, `cat`, `column`, `strings`, and checksum
tools), so more `gh ... | <tool>` pipelines are auto-approved.
> 
> Updates `rules/git-workflow.md` to document using `gh api
.../issues/{PR_NUMBER}/labels` as a workaround for `gh pr edit
--add-label` failing due to the GraphQL Projects (classic) deprecation
error.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
775a7623ae7bd4b484cf09626f425aaa2912b8f1. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Broadened the GitHub CLI permission hook’s safe pipe whitelist to
include more text-processing commands (e.g., base64, column, strings,
checksum tools), allowing gh ... | base64 -d. Clarified allowed-pipe
wording in the hook and updated git-workflow docs to use the REST API
for adding labels due to GraphQL “Projects (classic)” errors.

<sup>Written for commit 08eb796e50730e1e0ed78f2a55b2c9addb8c38cd.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Split the monolithic `test_helper.ts` (~1700 lines) into focused
modules for better maintainability
- Created `constants.ts` for timeout constants
- Created `fixtures.ts` for Playwright fixtures and test setup
- Created `utils/` directory for utility functions (normalization,
dump-prettifier)
- Created `page-objects/` directory with component and dialog page
objects

## Test plan
- [x] All existing unit tests pass (784 tests)
- [x] Lint and type checks pass
- [ ] E2E tests should work with the refactored helpers (imports are
re-exported from test_helper.ts for backward compatibility)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2556"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Refactored e2e test helpers into modular page objects, fixtures, and
utilities for easier maintenance and more deterministic snapshots. Added
loop guards to prevent hangs in toast dismissal and the Context Files
Picker; existing tests keep working via re-exports.

- **Refactors**
- Split test_helper.ts into constants.ts, fixtures.ts, utils/, and
page-objects/ (components + dialogs); added a main PageObject that
composes component page objects.
- Introduced normalization and dump-prettifier utilities for stable
snapshots.
- Centralized CI-aware timeouts in constants.ts; added optional debug
logging flag.
  - Kept test_helper.ts as a thin re-export for backward compatibility.
- Updated TypeScript strict-mode docs with ES2020 target limitations on
replaceAll.

- **Bug Fixes**
  - Fixed importApp path resolution to use __dirname three levels up.
- Switched git config calls to execFileSync to avoid command injection.
- Corrected toast dismissal loop to click the first toast repeatedly
until none remain; added maxAttempts=20 guard (and in Context Files
Picker) to prevent hangs.
- Derived the app executable name from appInfo instead of hardcoding
dyad.exe.

<sup>Written for commit 26329e6b1866fd31e1cba91e0b641fc04df30e8a.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- The `claude-code-action` requires write permissions on the triggering
actor by default, but the closed issue comment workflow is designed to
respond to **any** user commenting on a closed issue
- Added `allowed_non_write_users: '*'` to bypass this check — safe
because the workflow's permissions are tightly scoped (`issues: write`,
`contents: read`) and Claude is restricted to only `gh issue reopen` and
`gh issue comment`

## Test plan
- Comment on a closed issue from a non-collaborator account and verify
the workflow runs successfully instead of failing with "Actor does not
have write permissions"

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2578"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Allow non-write users to trigger the closed-issue comment workflow by
setting allowed_non_write_users: "*". This removes the write-permission
block so any comment on a closed issue runs the workflow, while staying
safe via scoped permissions and restricted tools (only gh issue
reopen/comment).

<sup>Written for commit 211887fea46b0e48c3f4bf7eeacba6b3a3b74b53.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Add PLAYWRIGHT_RETRIES env var support to allow different retry counts
for different CI environments
- Self-hosted macOS runners now use 1 retry (more reliable hardware)
while GitHub-hosted runners use 2 retries
- Refactors playwright.config.ts to read retries from environment
variable with sensible defaults

## Test plan
- Verify CI workflow sets PLAYWRIGHT_RETRIES appropriately for
self-hosted vs GitHub-hosted runners
- Run `npm test` to ensure all unit tests pass
- E2E tests should respect the new retry configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2558"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Make Playwright retries configurable via the PLAYWRIGHT_RETRIES env var
to tune test stability across environments. Self-hosted macOS runners
use 1 retry; GitHub-hosted runners use 2 (local stays 0 unless set).

- **New Features**
  - Added PLAYWRIGHT_RETRIES with sensible defaults (CI 2, local 0).
- CI sets retries per runner type: 1 for self-hosted macOS, 2 for
GitHub-hosted.

<sup>Written for commit 896a3dbcbb8278d5cedfbd27088466d780d05fd2.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2575"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add `repository` and `ref` parameters to the checkout step in CI
workflow so it correctly checks out the fork's branch when running on
pull requests from external contributors
- Update package-lock.json with dependency resolution changes

## Test plan
- Verify CI passes on this PR
- Test by opening a PR from a fork and confirming CI checks out the
correct branch

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2560"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fix CI checkout for forked pull requests. The workflow now checks out
the PR’s head repo and branch so jobs run against the contributor’s
code.

- **Bug Fixes**
- Pass repository and ref to actions/checkout, using PR head repo/ref
when available with safe fallbacks.

- **Dependencies**
- Regenerated package-lock.json to reflect updated resolutions; no
version changes.

<sup>Written for commit 37839729e6e42b41dbc2c71a84dddcd50f3103da.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

#skip-bb

## Summary
- Skip the Electron singleton lock for E2E test builds to allow multiple
app instances to run concurrently
- Update Playwright config to use 2 workers for parallel test execution

## Performance Impact
With parallelism of 2, tests should complete approximately **~1.6-1.8x
faster** (not a perfect 2x due to overhead and some sequential test
dependencies). The speedup comes from:
- Two Electron app instances can now run simultaneously during E2E tests
- Previously, the singleton lock (`app.requestSingleInstanceLock()`)
would cause second instances to quit immediately

## Implementation Details
- Modified `src/main.ts` to check `IS_TEST_BUILD` and skip the singleton
lock for e2e test builds
- Changed `playwright.config.ts` from `workers: 1` to `workers: 2`

## Test plan
- [ ] Run `npm run build` to ensure the e2e build compiles correctly
- [ ] Run `npx playwright test` to verify tests pass with parallel
execution
- [ ] Verify no race conditions occur when multiple app instances run
simultaneously

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2547"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Enable parallel Playwright E2E tests by skipping Electron’s
single-instance lock in test builds and reading worker count from
PLAYWRIGHT_PARALLELISM. CI sets 3 workers on self-hosted macOS (1
elsewhere), keeping single-instance behavior in production.

- **Bug Fixes**
- Prevent crash in second-instance handler when no deep link URL;
clarify deep link handling for test builds.

<sup>Written for commit 0f542e189f5b17cc857acc9ad07955c47a0049f1.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Set toast duration to 500ms when in test mode to speed up E2E tests
- This reduces test flakiness and speeds up tests that wait for toasts
to disappear

## Test plan
- Run E2E tests to verify toasts now disappear faster in test mode
- Verify regular app behavior is unchanged (toasts use default duration)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2551"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Shorten toast duration to 500ms when test mode is enabled to speed up
E2E runs and reduce flakiness. Production behavior is unchanged; toasts
use the default duration outside test mode.

<sup>Written for commit 5d38cc2b792a215b89c2c4c3a5f970c44a3fa120.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2546"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Route PRs from wwwillchen* to a self-hosted macOS ARM64 runner (Mac
mini) and dynamically set the CI matrix; all other authors keep
GitHub-hosted macOS/Windows with sharded e2e. Also simplifies formatting
in lint-staged and bumps the package-lock version.

- **New Features**
- Detect privileged authors (wwwillchen, wwwillchen-bot) and run
build/e2e on self-hosted macOS ARM64 with no sharding.
  - For others, run on GitHub-hosted macOS + Windows with 4 e2e shards.
- Expose dynamic matrix outputs (build_os, e2e_os, e2e_shard,
e2e_shard_total) and use fromJSON for runner labels.

- **Refactors**
- e2e now also depends on check-changes; E2E step name reflects dynamic
shard total.
- lint-staged: run oxfmt on all files with
--no-error-on-unmatched-pattern.
  - package-lock updated to 0.36.0-beta.2.

<sup>Written for commit 5d99b98267104283d9dce0dda983c6305ab37599.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

## Summary
- Replaced manual `useState`/`useEffect` data fetching patterns with
React Query's `useQuery` and `useMutation` in `useSettings`,
`useLoadAppFile`, `useLoadApps`, `useAppVersion`, and related hooks
- Added centralized query keys for `system`, `settings`, `appFiles`, and
`github` domains in `queryKeys.ts`
- Added new `useGithubRepos` and `useSystemPlatform` hooks using React
Query
- Simplified `TitleBar` and `ImportAppDialog` to use the updated hook
interfaces

## Test plan
- All 784 unit tests pass
- Verify settings load correctly on app startup
- Verify file loading works in the code viewer
- Verify app list loads and refreshes properly
- Verify title bar shows correct app version

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2536"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches core loading paths (settings, app list, file reads) and
caching/invalidations, so regressions could show up as stale data or
missing refreshes; changes are mostly refactors with minimal behavioral
intent.
> 
> **Overview**
> **Migrates several app/system/settings data flows from local
state/Jotai-driven fetching to React Query.** `useLoadApps`,
`useLoadAppFile`, `useAppVersion`, and `useSettings` now use
`useQuery`/`useMutation` with cache updates and refresh via query
invalidation, and app favorites (`useAddAppToFavorite`) update the React
Query apps cache instead of an `appsListAtom` (which is removed).
> 
> Adds new React Query-powered hooks (`useSystemPlatform`,
`useGithubRepos`) and extends `queryKeys` with `system`, `settings`,
`appFiles`, and `github` domains; UI callers (`TitleBar`,
`ImportAppDialog`, `app-details`) are adjusted to consume the new hooks.
E2E favorite-app tests are hardened by hovering before clicks and using
a longer assertion timeout.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
c82dfca589d0186d25cec33a2453fc5b3f28520b. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Migrated core data fetching to React Query to standardize caching,
loading, and error handling. Cleaned up UI and tests, removed the apps
Jotai atom, and made refresh flows consistent via query invalidation.

- **Refactors**
- Replaced manual state/effect with useQuery/useMutation in useSettings,
useLoadApps, useLoadAppFile, and useAppVersion.
- Centralized query keys for system, settings, appFiles, and github in
queryKeys.ts.
- Removed appsListAtom; apps now read/write via React Query. Kept Jotai
sync for settings and env vars.
- Simplified TitleBar (uses useSystemPlatform), ImportAppDialog (uses
useGithubRepos), and app-details (reads apps from useLoadApps).
  - Updated useAddAppToFavorite to update the React Query cache.
- Reduced flakiness in favorite app e2e tests by hovering before clicks
and using a medium timeout.

- **New Features**
- Added useGithubRepos and useSystemPlatform hooks with session-level
caching.

<sup>Written for commit c82dfca589d0186d25cec33a2453fc5b3f28520b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2543"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb

The migration from Radix to Base UI broke file attachments because
calling e.preventDefault() in the onClick handler does not stop Base UI
menus from closing. Base UI relies on an internal closeOnClick mechanism
instead. As a result, when the menu closed, the portaled hidden <input
type="file"> elements were unmounted from the DOM before the user could
select a file.
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2541"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
## Summary by cubic
Fixes the file attachment menu so selecting “Attach chat context” or
“Upload to codebase” no longer closes the dropdown too early. Uses
closeOnClick={false} with direct onClick handlers to keep hidden inputs
mounted and make file selection reliable.

<sup>Written for commit afe8de3b5de300b8c2254418aa9bbd87d818c0bf.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

## Summary
- Extracted topic-specific learnings and guidelines from AGENTS.md into
9 separate files under `rules/` for better discoverability and
maintainability
- AGENTS.md now has a concise rules index table with "read when..."
descriptions so agents know which file to consult
- No content was lost — all learnings are preserved in their respective
rule files

## Test plan
- [x] Verify all rule files exist and contain the expected content
- [x] Verify AGENTS.md rules index links are correct
- [x] Lint, type checks, and tests all pass

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2540"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Modularized guidance from AGENTS.md into nine focused docs under rules/,
and added a concise rules index in AGENTS.md for quick navigation. No
content was removed; it’s now easier to find and maintain.

- **Refactors**
- Extracted topic docs into rules/: electron-ipc, e2e-testing,
git-workflow, base-ui-components, database-drizzle,
typescript-strict-mode, openai-reasoning-models, adding-settings,
chat-message-indicators.
- Updated .claude/commands/remember-learnings.md to write learnings to
rules/ (use AGENTS.md only when needed) and maintain the index when new
files are added.

<sup>Written for commit 7d217b84ce3d1e434f28a31bb6a2329c672d2bcf.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Fixed UI element occlusion bug where the "Copy" utility button was
unusable due to layout overlap with the language identifier label in
code blocks
- Added flexbox properties (gap, items-center, truncate, min-w-0,
flex-shrink-0) to ensure proper spacing and prevent overflow

## Test plan
- Open a chat with code blocks containing language labels (e.g.,
typescript, javascript)
- Verify the language label and copy button no longer overlap
- Test with narrow window widths to ensure the layout remains correct
- Click the copy button to confirm it's clickable and functional

Fixes #2466

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2533"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes an overlap in code blocks where the Copy button covered the
language label, so the button stays visible and clickable at all widths.
Fixes #2466.

- **Bug Fixes**
- Aligned header padding with pre (left/right 0, px-6) and added
gap-2/items-center for spacing.
- Applied truncate and min-w-0 to the language label to prevent
overflow.
  - Set the Copy button to flex-shrink-0 to avoid shrinking.

<sup>Written for commit 246b0df6569b41f813f0843b048125da8efe9830.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

Closes #1272.

Currently, the refactor suggestion button doesn't show the full path of
the file that it's going to refactor. This PR adds the file path in the
tooltip so that the user can see the path if they hover over the button.

I also took the liberty to make the button slightly wider by 20px. This
means that the button will typically show ~2-4 more characters than it
does currently, which I think makes it a bit easier at a glance to infer
which file the AI will refactor without needing to hover. For example,
if the suggestion is to refactor `src/components/big-file.tsx`, this
might make the difference of having the button show "Refactor
components/big-fil..." instead of "Refactor components/big...".
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2511"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Added the full file path to the refactor button tooltip for clarity.
Widened the button from 180px to 200px to show a few more characters in
the label.

<sup>Written for commit c8824c43fa66506ba6ced69b0c6675c4978ecaf9.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

Currently, after confirming the reset, there is no feedback in the
dialog to indicate that the operation has started, which makes it appear
as if the button is not working.
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2537"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Disable the reset confirmation button after confirmation and show
“Resetting…” to give clear feedback and prevent duplicate resets.

- **Bug Fixes**
- ConfirmationDialog: added confirmDisabled prop to control disabled
state and styling.
- Settings: when isResetting is true, disable confirm button and set
text to “Resetting…”.

<sup>Written for commit 02397273dcf8e04ae7b8b39fea2f58b767edc6b6.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

## Summary
This PR introduces a new `DyadCardPrimitives` component library and
refactors all Dyad markdown action cards to use these reusable
primitives. This improves consistency, reduces code duplication, and
makes styling changes easier to maintain across the codebase.

## Key Changes

- **New `DyadCardPrimitives.tsx`**: Created a comprehensive library of
reusable card components including:
- `DyadCard`: Main container with accent color support and state
indicators
  - `DyadCardHeader`: Header row with icon and flexible content area
  - `DyadBadge`: Small pill badges for card type labels
  - `DyadExpandIcon`: Animated chevron for expand/collapse
- `DyadStateIndicator`: Spinner/X/checkmark for pending/aborted/finished
states
  - `DyadCardContent`: Expandable content area with smooth animations
- `DyadFilePath`, `DyadDescription`, `DyadFinishedIcon`: Additional
utility components
- Support for 11 accent colors (blue, purple, violet, red, amber, green,
emerald, teal, sky, indigo, slate)

- **Refactored components** to use new primitives:
- `DyadAddDependency`: Simplified layout, improved package display
styling
- `DyadAddIntegration`: Consistent card styling for both pending and
completed states
  - `DyadCodeSearch`: Cleaner header with state indicator
  - `DyadCodeSearchResult`: Standardized file list display
  - `DyadCodebaseContext`: Unified expand/collapse behavior
  - `DyadDatabaseSchema`: Simplified header structure
  - `DyadDelete`: Consistent red accent styling
  - `DyadEdit`: Improved state indicators and layout
  - `DyadExecuteSql`: Cleaner SQL badge and state handling
  - And 19+ additional components

## Implementation Details

- All components now use semantic color tokens (`foreground`,
`muted-foreground`, `background-lightest`, etc.) for better dark mode
support
- Consistent spacing and sizing across all cards (px-3, py-2 for
headers, px-3 pb-3 for content)
- Smooth transitions for expand/collapse animations using `max-h` and
`opacity`
- Left border accent (3px) appears only when card is in pending or
aborted state
- Removed inline icon imports from individual components; now
centralized in primitives
- Improved accessibility with proper semantic HTML and ARIA attributes

https://claude.ai/code/session_01AAvVLShqeRjs42LhUdeK3e
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2482">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Large UI refactor across many chat card components and accessibility
attributes; primary risk is visual/interaction regressions and
snapshot/test churn rather than data/security impact.
> 
> **Overview**
> **Refactors Dyad chat “action cards” to a shared component library.**
Introduces `DyadCardPrimitives` (e.g., `DyadCard`, `DyadCardHeader`,
`DyadBadge`, `DyadStateIndicator`, `DyadCardContent`) and migrates many
markdown-rendered cards
(edit/write/delete/grep/logs/list-files/code-search, integrations, etc.)
to use these primitives for consistent styling, expand/collapse
behavior, and keyboard/ARIA interaction.
> 
> Updates E2E ARIA snapshots to match the new card structure and
accessibility tree, slightly tweaks chat message typography, bumps
`@playwright/test` to `^1.58.2`, and expands `lint-staged` formatting
(`oxfmt`) to include `*.json`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
e020627fdb8955d948d982cb525c929b0610ee77. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Refactored all Dyad markdown action cards to use new DyadCardPrimitives
for a consistent, accessible card UI with smoother interactions and
easier styling. Adds lazy-mounted content and keyboard-accessible
expand/collapse, reduces duplication, and improves dark mode across 28+
components.

- **New Features**
- Added DyadCardPrimitives: DyadCard, DyadCardHeader, DyadBadge,
DyadExpandIcon, DyadStateIndicator (with finished state),
DyadCardContent, plus helpers (DyadFilePath, DyadDescription,
DyadFinishedIcon).
- 11 accent colors with tinted icon circles and a left accent border
shown for pending/aborted states; showAccent prop for explicit control.
- Smooth expand/collapse using CSS grid with a rotating chevron;
DyadCardContent lazy-mounts heavy children.
  - Semantic color tokens for reliable light/dark theming.
- Improved accessibility: role="button", tabIndex, Enter/Space handlers,
and aria-expanded on interactive cards.

- **Refactors**
- Migrated 28+ markdown action cards (e.g., AddDependency, CodeSearch,
Edit, ExecuteSql, Status, WebSearch, Write) to the primitives; unified
headers, badges, spacing, state indicators, and expand/collapse
behavior.
- Fixed regressions: correct state extraction (Delete/Rename/Output),
restored children rendering (Delete/Read/Rename), passed isExpanded to
all interactive cards, click propagation fix in Grep.
- Removed per-component icon imports and ad‑hoc styles; net reduction of
~480 LOC.

<sup>Written for commit e020627fdb8955d948d982cb525c929b0610ee77.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2539"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Resolve stash merge conflicts in `app_handlers.ts` — use
`updateAppCommands` handler without `withLock`
- Resolve stash merge conflicts in `app_commands.spec.ts` — consolidate
into a single E2E test covering validation, cancel, configure/edit/clear
flows
- Include updated `test_helper.ts` and `package-lock.json`

## Test plan
- [ ] Verify `npm run ts` passes (type checks)
- [ ] Verify `npm test` passes (unit tests)
- [ ] Run app commands E2E test: `PLAYWRIGHT_HTML_OPEN=never npm run e2e
-- --grep "configure app commands"`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2538"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Removes per-app locking from `updateAppCommands`, which could allow
concurrent updates to race and overwrite command values. Other changes
are test and dependency/lockfile adjustments with limited production
impact.
> 
> **Overview**
> Improves the app-commands E2E coverage by consolidating previously
separate tests into a single `configure app commands` flow that now
exercises **required-field validation**, **cancel**, **save/edit**, and
**clear-to-default** behavior end-to-end.
> 
> Updates the Playwright helper `waitForToastWithText` to use the shared
`Timeout.MEDIUM` default (instead of a fixed 5s) to reduce CI flakiness.
> 
> In `app_handlers.ts`, removes `withLock` usage from the
`updateAppCommands` IPC handler while keeping the same trimming +
“both-or-neither” validation before persisting commands. Also bumps the
app version to `0.36.0` and refreshes `package-lock.json` accordingly.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
4dfd2931629fee1d89af85a227c97981788fa0a9. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Resolved merge conflicts and finalized the app commands flow. Simplified
the updateAppCommands handler and consolidated E2E coverage to reduce
flakiness.

- **Refactors**
- updateAppCommands no longer uses withLock; validates paired commands
and updates the DB directly.
- Merged app commands E2E into a single test covering validation,
cancel, and configure/edit/clear flows.
- Standardized toast waiting to Timeout.MEDIUM in test_helper to reduce
flakes.
  - Updated package-lock.json to 0.36.0.

<sup>Written for commit 4dfd2931629fee1d89af85a227c97981788fa0a9.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Add the ability to configure install and start commands in the Configure
panel after an app has been created. Previously these were only
configurable when first importing an app.

Changes:
- Add updateAppCommands IPC contract and handler
- Add AppCommandsSection component in ConfigurePanel
- Allow users to view, edit, and clear custom commands
- Include validation requiring both commands when customizing
- Add E2E tests for the new feature

https://claude.ai/code/session_01RHmPUNG7Bdw9MC1DKQJX8g
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2433">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Moderate risk because it introduces a new IPC write path that persists
user-provided command strings and affects how apps will run, though
guarded by client/server validation and locking.
> 
> **Overview**
> Adds an **App Commands** card to `ConfigurePanel` that lets users view
default vs custom install/start commands, edit them with client-side
validation (both required), cancel edits, and clear back to defaults.
> 
> Introduces a new IPC contract `updateAppCommands` plus a main-process
handler that trims inputs, enforces *both-or-neither* semantics, updates
the `apps` record under `withLock`, and triggers UI refresh/toasts.
> 
> Adds Playwright E2E coverage for configure/edit/clear flows,
validation behavior, and canceling edits.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
3f0abe3b8f9ed2483ed27d537dd874e4caa66fcf. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Let users configure custom install and start commands from the Configure
panel after an app is created. Defaults to “pnpm install && pnpm dev”
when unset, and both fields are required when customizing.

- **New Features**
- Configure, edit, or clear custom install/start commands in
ConfigurePanel.
- Added updateAppCommands IPC contract and handler to persist commands.
- E2E tests cover happy path, validation (both required), cancel, and
clear flows.

- **Bug Fixes**
- Prevent overwriting edits on refetch; fix custom commands check (AND),
and update default-state message.
- Enforce server-side validation (both commands set together or both
cleared) and remove sensitive command content from logs.

<sup>Written for commit 3f0abe3b8f9ed2483ed27d537dd874e4caa66fcf.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- Update pr-push skill to default to staging files when in doubt, rather
than being overly cautious
- Narrow the exclusion list to only true secrets/artifacts (`.env`,
keys, `node_modules`, etc.)
- Remove vague exclusion language about "temporary files" and "personal
configuration"

#skip-bugbot

## Test plan
- Run `/dyad:pr-push` and verify the updated behavior stages files more
aggressively

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2530"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Make /dyad:pr-push stage and commit files more aggressively with a tight
exclude list, while improving safety and reliability of the push flow.
Blocks pushes to main, runs checks/tests, tracks tasks, and detects the
right remote.

- **New Features**
- Stage most changes by default; only exclude true secrets/artifacts
(.env, keys, .DS_Store, node_modules, *.log).
  - Remove vague exclusions for “temporary files” or personal configs.
- Prevent pushing on main/master; auto-create and switch to a feature
branch when needed.
- Inline checks: run fmt, lint --fix, type-check, and npm test; amend if
tools change files.
- Use TaskCreate/TaskUpdate to track progress and provide a clear
summary.
- Capture session learnings before lint; commit AGENTS.md updates when
present.
- Auto-detect the correct remote (handles forks), set upstream; push
with --force-with-lease; never pull/rebase from a fork—only from
upstream.
- If no PR exists, create one and add cc:request for non-trivial
changes.

<sup>Written for commit fc6933aeb2e26e743805e65b4e0e92462d8eb7c2.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Add `include_hidden` parameter to the `list_files` tool schema that
allows including .dyad files (normally git-ignored) in results
- Update UI components (`DyadListFiles`, `DyadMarkdownParser`) to
display "(include hidden)" indicator when the option is used
- Add E2E test to verify the new functionality works correctly

## Test plan
- [x] E2E test for `list_files` with `include_hidden=true` added
- [x] All existing tests pass
- [x] Lint and type checks pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2526"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds an include_hidden option to the list_files tool so the agent can
include .dyad files in results when needed. Updates the UI label and
consent preview, and adds an e2e test to cover the behavior.

- **New Features**
- Tool: include_hidden boolean (default false). When true, includes
.dyad files from the app root (regardless of directory filter), expands
the ignore list, dedupes/sorts results, and updates consent preview and
counts.
- UI: DyadListFiles shows “(include hidden)” when used; Markdown parser
passes the attribute through.
- Tests: Adds minimal-with-dyad fixture and e2e to verify .dyad files
appear in the list and snapshot.

<sup>Written for commit a60579274594888e75fd9cb9d4d6ce5437255b16.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

#skip-bb

## Summary
- Handle 403 Forbidden errors gracefully when listing Supabase branches
- Return empty array instead of throwing error for free tier users
without branch access
- Allows free tier users to continue using other Supabase features
without error toasts

Fixes #2525

## Test plan
- Verified all 784 unit tests pass
- Existing E2E test (`supabase_branch.spec.ts`) continues to work for
paid tier (test mode returns mock data)
- Free tier users should now see no branches available instead of an
error toast

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2527"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Show a clear inline message when Supabase branch listing returns 403 for
free‑tier projects, and suppress error toasts so users can keep using
other Supabase features (addresses #2525).

- **Bug Fixes**
- Detect 403 from branches API and show “Branches are only supported for
Supabase paid customers” in the UI; no toast.
- Removed toast meta from the branches query and added getErrorMessage
to clean up IPC-wrapped errors.
  - Other statuses keep existing handling; paid tier behavior unchanged.

<sup>Written for commit eb414f84c5c4ff44a4f6f152aae5c395903430b3.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add `claude_args: --model claude-opus-4-6` to the pr-review-responder
workflow so it uses Opus 4.6

#skip-bugbot

## Test plan
- Verify the workflow YAML is valid
- Confirm both CI workflows specify `claude-opus-4-6` via `claude_args`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2531"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Set the pr-review-responder GitHub Actions workflow to use Claude Opus
4.6 by adding claude_args: --model claude-opus-4-6, so PR review runs on
the intended model.

<sup>Written for commit f7bb9047549c88d41888e49dd98cf6ae865966ea.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Updated the code health reviewer role to explicitly check for **dead
infrastructure**: DB migrations creating unused tables, API endpoints
with no callers, config entries nothing references
- Added cross-referencing guidance to the teammate prompt template so
all reviewers verify schema/infra changes against actual code usage

## Context
During review of PR #2370, the swarm review missed that a `plans` DB
table migration was created but the implementation used file-based
storage instead. This update ensures future reviews catch such
mismatches.

## Test plan
- [x] No code changes, only `.claude/skills/` markdown files updated
- [x] Lint, type checks, and all 784 tests pass

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2529"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Improves the swarm PR review to catch dead infrastructure by adding
explicit checks and cross-referencing of schema/API/config changes
against actual usage. Prevents misses like unused DB tables by updating
reviewer roles, prompts, and enabling agent teams.

- **New Features**
- Added dead infrastructure checks to the code health reviewer (DB
migrations, endpoints, configs) with severity guidance.
- Added a standardized swarm review skill (SKILL.md + role refs) and
updated prompts to enforce cross-referencing against code usage.
- Enabled agent teams via settings
(CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1); no runtime code changes.

<sup>Written for commit 78e829037cc0bc66382502b25092184f5d8f05ae.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2528"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Fixes the PR review responder so pushes go to the PR’s fork instead of
the base repo on forked PRs. Exposes the head repository and sets
origin’s pushurl to ensure correct push behavior.

- **Bug Fixes**
- Exposes head_repo from workflow_run (run.head_repository.full_name)
for later steps.
- Adds a step to set origin’s pushurl to the PR’s head repo using
GITHUB_TOKEN, preventing accidental pushes to the base repo after
claude-code-action rewrites origin.

<sup>Written for commit 9ca429753073a667b554987f3ab3e6f03a14355b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Will Chen <willchen90@gmail.com>

…builds

https://github.com/dyad-sh/dyad/actions/runs/21731969067/job/62688473027

#skip-bb

logs:

```
   > Name: Developer ID Application: William Chen (***) 
   > Hash: 90560E040ED522CFE1B4FA8068B4FFDECD6E193F
  2026-02-05T23:16:18.906Z electron-osx-sign Found 1 identity.
  2026-02-05T23:16:18.906Z electron-osx-sign Pre-sign operation enabled for provisioning profile: 
   * Disable by setting `pre-embed-provisioning-profile` to `false`.
  2026-02-05T23:16:18.907Z electron-osx-sign No `provisioning-profile` passed in arguments, will find in current working directory and in user library...
  ✖ Finalizing package [FAILED: ENOENT: no such file or directory, stat '/Users/runner/work/dyad/dyad/CLAUDE.md']
  ✖ Packaging for x64 on darwin [FAILED: ENOENT: no such file or directory, stat '/Users/runner/work/dyad/dyad/CLAUDE.md']
  ✖ Packaging application [FAILED: ENOENT: no such file or directory, stat '/Users/runner/work/dyad/dyad/CLAUDE.md']
  ✖ Running package command [FAILED: ENOENT: no such file or directory, stat '/Users/runner/work/dyad/dyad/CLAUDE.md']
  ✖ Running make command [FAILED: ENOENT: no such file or directory, stat '/Users/runner/work/dyad/dyad/CLAUDE.md']
  25h
  An unhandled rejection has occurred inside Forge:
  Error: ENOENT: no such file or directory, stat '/Users/runner/work/dyad/dyad/CLAUDE.md'
  2026-02-05T23:16:18.910Z electron-forge:plugin:vite handling process exit with: { cleanup: true }
  2026-02-05T23:16:18.910Z electron-forge:plugin:vite handling process exit with: { cleanup: true }
  2026-02-05T23:16:18.910Z electron-forge:plugin:vite handling process exit with: { cleanup: true }
```
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2522"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2521"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2520"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Increase chat list panel width from 240px to 272px and app item width
from 190px to 206px for better readability
- Adjust overall sidebar width from 18rem to 19rem and icon column from
5rem to 4.5rem

## Test plan
- Open the app and verify sidebar renders at the new width
- Verify chat list items and app items display correctly without
truncation
- Verify icon column alignment looks correct

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2519"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Widened the chat list panel (240px→272px) and app item width
(190px→206px), and adjusted the sidebar (18rem→19rem) and icon column
(5rem→4.5rem) to improve readability and alignment.

<sup>Written for commit 5b43043809979d2b09e7b86cfdae9c2b2f757241.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Purely presentational layout tweaks (Tailwind widths/CSS vars) with no
changes to data flow, auth, or persistence logic.
> 
> **Overview**
> Increases the right-hand panel width in `app-sidebar.tsx`
(chat/apps/settings/library lists) and the per-row width in `AppItem` to
reduce truncation.
> 
> Updates global sidebar sizing constants in `ui/sidebar.tsx`, widening
the expanded sidebar while slightly narrowing the collapsed icon rail to
rebalance spacing.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5b43043809979d2b09e7b86cfdae9c2b2f757241. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Trims whitespace from API keys and secrets during both encryption and
decryption in `src/main/settings.ts`
- Prevents issues caused by accidental leading/trailing whitespace or
newlines in API keys (e.g., from copy-paste)
- Adds comprehensive tests for the `encrypt`, `decrypt`, and
`readSettings` whitespace trimming behavior

## Test plan
- [x] Unit tests added for `encrypt()` trimming whitespace before
encrypting
- [x] Unit tests added for `decrypt()` trimming whitespace from both
plaintext and electron-safe-storage secrets
- [x] Unit tests added for `readSettings()` trimming whitespace from
decrypted API keys
- [x] All 784 existing tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2518"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> <sup>[Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) is
generating a summary for commit
d24002f59f18428d78ce55d11e82d4800425d3eb. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Trim whitespace from API keys and secrets during encryption, decryption,
and settings reads to prevent auth failures from copy‑pasted spaces or
newlines. Ensures consistent storage and use of secrets across
providers.

- **Bug Fixes**
  - encrypt(): trims input before encrypting or storing plaintext
- decrypt(): trims decrypted strings for both electron-safe-storage and
plaintext
- readSettings(): trims whitespace from decrypted and plaintext secrets
- Added unit tests for encrypt, decrypt, and readSettings trimming
behavior

<sup>Written for commit d24002f59f18428d78ce55d11e82d4800425d3eb.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Automatically compact long conversations when approaching context window
limits (80% of model context or 180k tokens, whichever is first).

Changes:
- Add enableContextCompaction setting (default: enabled) in Settings >
AI
- Add database fields to track compaction state and backup paths
- Create compaction handler that generates structured summaries via LLM
- Store original messages in app data directory before compaction
- Show visual indicator using dyad-status tag when compaction occurs
- Integrate compaction checks into local_agent_handler
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2515"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches core `local-agent` chat streaming and adds new
persistence/migration paths plus LLM-driven summarization, so
regressions could affect message ordering/history sent to models. Scoped
behind a setting (default on) with added unit/E2E tests, reducing risk.
> 
> **Overview**
> Adds **automatic context compaction** for `local-agent` chats: when
token usage crosses a threshold, the chat is marked for compaction and
the next turn generates an LLM summary, stores an XML transcript backup
under `.dyad/chats/<id>/compaction-*.md`, and inserts a
`is_compaction_summary` assistant message with a new `<dyad-compaction>`
indicator.
> 
> Introduces a user-facing toggle `enableContextCompaction` (default on)
wired into settings schema/defaults/search and Settings UI, plus new DB
fields on `chats` (`pending_compaction`, `compacted_at`,
`compaction_backup_path`) and `messages` (`is_compaction_summary`).
Updates local-agent streaming to (a) run pending compaction before
processing, (b) send only post-compaction history to the LLM, and (c)
update the correct placeholder message by ID to avoid overwriting the
compaction summary; includes new unit/E2E coverage and test-fixture
support for streaming usage data/snapshot scrubbing.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
df1cdaacbe3e9f3fb47473a3e6965e302a75fe7a. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds automatic context compaction for local-agent mode to summarize long
conversations when token usage reaches 80% of the model’s context window
or 180k tokens. Original messages are preserved and backed up, a
structured summary is inserted, and a dyad-compaction indicator is
shown.

- **New Features**
- New toggle in Settings > AI: enableContextCompaction (default on) with
UI switch and searchable setting.
- DB fields to track compaction and backups (chats: compacted_at,
compaction_backup_path, pending_compaction; messages:
is_compaction_summary).
- Compaction handler backs up LLM-visible messages to
.dyad/chats/<chatId>/compaction-*.md, generates structured summaries
with a system prompt, inserts a summary message, and emits
chat:compaction:complete.
- Local-agent flow: pending compaction runs at the start of the next
turn; LLM history includes only post-compaction messages; streaming
updates target the placeholder message by ID to avoid overwriting the
summary.
- Token threshold checks integrated into local_agent_handler (min(80% of
context window, 180k)).

<sup>Written for commit df1cdaacbe3e9f3fb47473a3e6965e302a75fe7a.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add `start_line_one_indexed` and `end_line_one_indexed_inclusive`
optional parameters to the `read_file` agent tool, allowing the agent to
read specific line ranges from files
- Update consent preview to display line range (e.g., "Read src/App.tsx
(lines 10-50)") and XML builder to include `start_line`/`end_line`
attributes
- Add comprehensive unit tests (36 tests) with minimal mocking, using
real temp files on disk

## Test plan
- [x] All 36 new unit tests pass covering: schema validation, full file
reads, start-only, end-only, both params, edge cases (out-of-bounds
clamping, start > end, empty files, single-line files), consent preview,
and XML builder
- [x] All 747 existing tests pass (no regressions)
- [x] Lint, formatting, and type checks pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2516"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds optional line range parameters to the read_file tool so the agent
can read specific lines and reflect the range in consent preview and
XML. Improves safety with clamping, schema validation, and clear errors,
backed by comprehensive tests.

- **New Features**
- Support start_line_one_indexed and end_line_one_indexed_inclusive to
read a specific line range.
- Consent preview shows ranges; XML builder adds start_line/end_line
attributes.

- **Bug Fixes**
- Escape start_line/end_line in XML and update parser to accept
dyad-read tags with attributes.
- Validate start <= end and fix trailing newline handling to match
full-file reads.

<sup>Written for commit 4c96f70ff20ba37bee46955b739a693acd0afc0c.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Expands an agent file-access primitive and changes how `<dyad-read>`
tags are parsed, which could affect context gathering and partial reads;
behavior is well-covered by new unit tests but still touches
security-adjacent tooling.
> 
> **Overview**
> Adds optional `start_line_one_indexed` /
`end_line_one_indexed_inclusive` parameters to the local agent
`read_file` tool so it can return a specific line range (with bounds
clamping and trailing-newline preservation).
> 
> Updates consent previews and `<dyad-read>` XML generation to
surface/encode the requested range, and loosens
`parseFilesFromMessage`’s `<dyad-read>` regex to tolerate extra
attributes. Includes a comprehensive new `read_file` unit test suite
covering schema validation, range behavior, and XML/preview formatting.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
4c96f70ff20ba37bee46955b739a693acd0afc0c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2512"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Only updates the configured Claude model IDs for PR review and issue
triage automation; behavior changes are limited to upstream model
differences.
> 
> **Overview**
> Updates the automated PR review orchestrator and GitHub Actions
workflows to use `claude-opus-4-6` instead of the prior Opus 4.5 model
identifiers.
> 
> This aligns model selection across the multi-agent review script
(`REVIEW_MODEL`) and the `claude-pr-review`/`claude-triage` workflows
(`--model`/`model`).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5a870393caea2f5a942dbed21c67f1f302694e98. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Switch PR review and triage to use claude-opus-4-6 for improved results
and consistent model usage across jobs.
Updated orchestrate_review.py, claude-pr-review.yml, and
claude-triage.yml to replace 4-5/4-5-20251101 with 4-6.

<sup>Written for commit 5a870393caea2f5a942dbed21c67f1f302694e98.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2514"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Removed the unused plans table migration (0025_romantic_mantis) and its
Drizzle snapshot/journal to clean up the schema history. Updated
lint-staged to exclude JSON files from oxfmt formatting.

<sup>Written for commit 2e57ccf8f43df3dd03b5a0fadd18db6bddf5c097.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

## Summary
- Add a configurable `limit` parameter to the grep tool (default: 100,
max: 500) to prevent context window overflow
- Truncate individual line text to 500 characters to handle very long
lines
- Add clear truncation notice telling the AI to narrow its search when
results are truncated
- Add `total` and `truncated` attributes to XML output for visibility

## Test plan
- [x] Build passes (`npm run build`)
- [x] Lint passes (`npm run lint`)
- [x] All 669 unit tests pass (`npm test`)
- Manual testing: grep with a broad query like "import" should now
return limited results with a truncation notice instead of overflowing
the context window

Fixes #2509

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2510"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Limits grep results and line lengths to prevent context window overflows
and context_length_exceeded errors. Addresses Linear #2509 with a
configurable cap, consistent sorting, clearer UI output, and ignoring
include_pattern "*" when it matches all files.

- **Bug Fixes**
  - Added limit parameter (default 100, max 250) to cap matches.
  - Truncated each matched line to 500 chars.
- Sorted results by path and line number, and ignored include_pattern
"*" with a note to avoid broad searches.
  - Added truncation notice and "X of Y matches" in UI.
  - Exposed total and truncated flags in XML output for visibility.

<sup>Written for commit ad5979b9352ffc754019e13ead9c6be2e7b24ce9.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

fixes https://github.com/dyad-sh/dyad/issues/2500

## Summary
- Adds `filterOrphanedReasoningParts()` function to filter out OpenAI
reasoning items that aren't followed by output items
- Fixes error: "Item of type 'reasoning' was provided without its
required following item"
- This error occurs with OpenAI reasoning models (o1, o3, o4-mini) when
conversation history contains orphaned reasoning items

## Test plan
- Added 4 unit tests covering:
  - Reasoning with following output is preserved
  - Orphaned reasoning (alone in message) is filtered out
  - Reasoning followed by tool-call is preserved
  - Trailing reasoning after text output is filtered
- All 672 tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2508"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches message-history shaping sent to OpenAI (including multi-step
local-agent flows); incorrect filtering could drop reasoning parts or
change message arrays, potentially impacting model behavior, but changes
are scoped and covered by new unit tests.
> 
> **Overview**
> Prevents OpenAI Responses API errors by **cleaning conversation
history** before reuse: message parts now have stale
`providerOptions/providerMetadata.{openai,azure}.itemId` removed and
**orphaned `reasoning` parts (not followed by any non-reasoning
output)** filtered out via `cleanMessageForOpenAI()`.
> 
> This cleaning is applied both when parsing persisted `aiMessagesJson`
(`parseAiMessagesJson`) and during local-agent multi-step
`prepareStepMessages`, with expanded unit tests covering preservation vs
filtering cases; `thinking_utils` also disables OpenAI `store` for
`local-agent` mode and `AGENTS.md` documents the failure mode and fix.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5b0c70c2817345598e2eb88dcefbb0f859d6bb88. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Filters orphaned reasoning parts in conversation history to prevent
OpenAI Responses API errors when a reasoning item isn’t followed by
output. Applies filtering when parsing stored messages and during
multi-step prepare step.

- **Bug Fixes**
- Replaced stripItemIds with cleanMessageForOpenAI in
parseAiMessagesJson and prepareStepMessages to strip provider itemId and
filter orphaned reasoning parts.
- Preserves reasoning when followed by text or tool-call, preventing
“reasoning without required following item” errors on o1/o3/o4-mini;
sets store: false to avoid expired item references.
- Expanded tests for parsing and multi-step flows; documented behavior
and fix in AGENTS.md.

<sup>Written for commit 5b0c70c2817345598e2eb88dcefbb0f859d6bb88.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>