## Summary
- Add planning documentation for dangerous-action guardrails and
implementation approach.
- Document detection and mitigation strategies for potentially
destructive operations.
- Define acceptance criteria and rollout/testing recommendations.

## Test plan
- Manual review of the plan document for completeness and consistency.
- Validate markdown formatting and consistency with repository
conventions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2733"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add documentation guidance to AGENTS.md about testing changes before
committing or pushing
- Include guidance on running relevant unit tests and E2E tests
- Note scenarios where local testing may not be possible and alternative
verification steps

## Test plan
- Verify the documentation is clear and useful for developers
- Ensure the changes don't break the build

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2731"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Fixed ambiguous `getByLabel("Theme Name")` selectors in themes
management E2E tests
- Used specific element IDs (`#manual-name`, `#ai-name`) for create
dialogs where multiple matching inputs exist
- Scoped edit dialog selectors to the dialog context to avoid matching
create form inputs

## Test plan
- Run the themes_management E2E tests: `npx playwright test
e2e-tests/themes_management.spec.ts`
- Verify all theme CRUD operations, chat input creation, and AI
generator flows pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2728"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Add AI-powered permission request hook that analyzes Claude Code tool
requests and classifies them as safe (GREEN), uncertain (YELLOW), or
dangerous (RED)
- Add comprehensive multi-platform roadmap for expanding Dyad from
desktop-only to web + mobile (PWA) with freemium model

## Test plan
- Verify permission-request-hook.py is properly formatted and placed in
`.claude/hooks/`
- Review multi-platform roadmap documentation for completeness and
accuracy
- No behavior changes to existing functionality

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2734"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

…ary tests

- context_limit_banner: increase banner visibility timeout from MEDIUM
to LONG since token counting IPC fires asynchronously after streaming
ends
- attach_image: wait for file card button to render before taking aria
snapshot in the upload-to-codebase test
- prompt_library: replace flaky toMatchAriaSnapshot with explicit
assertions (toBeVisible, toContainText, getByRole) since Chrome's
accessibility tree non-deterministically merges heading and paragraph
text
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2725"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Allow users to queue multiple messages while a response is streaming.
Queued items are visible, editable, reorderable, and auto-send
one-by-one only after the current stream ends successfully.

- **New Features**
- Per-chat queue state via queuedMessagesByIdAtom and
streamCompletedSuccessfullyByIdAtom.
- QueuedMessagesList to view, edit, reorder, and delete items; shows
status and attachment indicator.
- ChatInput queues while streaming, supports editing queued items,
clears input/attachments only on successful queue/send, and clears all
queued on cancel.
- useStreamChat exposes queuedMessages and
queue/update/remove/reorder/clear APIs; processes the next item only
after a confirmed successful end.

- **Bug Fixes**
- Eliminated race conditions by gating processing on successful onEnd
(wasCancelled-aware), fixing a stale firstMessage closure, and clearing
the queue before cancel IPC to avoid rapid-response races.
- Preserved input and attachments when queueMessage fails; prevented
dropping newly queued messages; cleared editing state when the edited
queued item is deleted.

<sup>Written for commit fb431f55b3a24284058062a6ced97ac21f825952.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces queued message support so users can submit another prompt
while a response is streaming; the queued prompt auto-sends only after
the current stream ends successfully.
> 
> - Adds `QueuedMessage`, `queuedMessageByIdAtom`, and
`streamCompletedSuccessfullyByIdAtom` to track one queued message and
confirmed stream completion per chat
> - Extends `useStreamChat` with queue APIs (`queuedMessage`,
`queueMessage`, `clearQueuedMessage`) and processing gated by `onEnd`
success; resets/sets completion flags; warns on multiple queue attempts
> - Updates `ChatInput` to queue while streaming, clear on successful
queue, and clear queued message on cancel; uses `shouldProcessQueue`
> - Updates `MessagesList` to display queued prompt with status and a
Clear action
> - Expands IPC `ChatResponseEnd` schema with optional `wasCancelled`;
send this flag on cancel in `chat_stream_handlers`
> - Adds e2e test `queued_message.spec.ts` verifying queuing and
auto-send behavior
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
62ed2131f7f9ee253b2542d35307459af504d6d0. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2120">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

## Summary
- Update deflake E2E workflow permissions to use explicit PAT token
secrets instead of default GITHUB_TOKEN.
- Reduce workflow repository permissions to empty set and align token
usage for install and Claude action steps.
- Maintain existing deflake behavior while removing default
token-dependent permission requirements.

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2726"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Adds comprehensive feature plan for app icons/emoji system
(`plans/app-icons.md`)
- Every app gets a visual identity (emoji or GitHub-style generated
avatar) shown in chat tabs, sidebar, and app details
- Chat tabs become condensed single-line layouts (icon + chat title) for
better density
- Plan covers data model, UX flows, accessibility, backfill strategy,
and phased implementation

## Test plan
- [x] Markdown renders correctly
- [x] All lint/type checks pass
- [x] No code changes, plan document only

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2722"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Add right-click context menu to chat tabs with options: Close tab,
Close other tabs, Close tabs to the right, Close all tabs
- Track which chats were opened in the current session via
`sessionOpenedChatIdsAtom` - only tabs explicitly opened this session
are shown
- Add `context-menu.tsx` UI component from shadcn/ui with Radix UI
dependency
- Add translations for context menu items (en, pt-BR, zh-CN)

## Test plan
- [x] Unit tests added for `getOrderedRecentChatIds` with session
filtering
- [x] Unit tests added for `closeMultipleTabsAtom`
- [x] E2E tests added for context menu interactions (close other tabs,
close tabs to right, close all)
- [ ] Manual testing: right-click a chat tab and verify context menu
appears with all options
- [ ] Manual testing: verify "Close other tabs" closes all tabs except
the clicked one
- [ ] Manual testing: verify "Close tabs to the right" closes only tabs
to the right
- [ ] Manual testing: verify "Close all" closes all tabs

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2705"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Added a prominent callout in the E2E testing section making it clear
that `npm run build` must be run before E2E tests and re-run whenever
application (non-test) code changes
- Added a prominent callout in the Rules index section emphasizing that
relevant rule files must be read BEFORE writing any code or making
changes

## Test plan
- Documentation-only change, no functional impact

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2720"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Remove Python orchestrator scripts (`orchestrate_review.py`,
`aggregate_results.py`, `post_comment.py`) from the multi-pr-review
skill
- Rewrite SKILL.md to use Claude Code's Task tool for spawning
sub-agents directly
- Replace simple consensus voting (2+ agents agree) with reasoned
validation for more accurate issue detection
- Add merge verdict determination (YES / NOT SURE / NO) to guide
reviewers

## Test plan
- [ ] Run `/dyad:multi-pr-review` on a test PR to verify the new
Task-tool-based approach works
- [ ] Verify all three agents spawn correctly with different file
orderings
- [ ] Confirm issues are validated through reasoned analysis rather than
vote counting
- [ ] Check that merge verdict is correctly displayed in the summary
comment

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2719"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Skip actual Node.js downloads in E2E tests by returning a tiny test
URL instead of the real Node.js installer
- Skip opening external URLs in shell handler to avoid spawning browser
windows during E2E tests
- Both changes are conditional on `E2E_TEST_BUILD=true` environment
variable

## Test plan
- Run E2E tests with `E2E_TEST_BUILD=true` to verify external operations
are skipped
- Verify normal operation is unaffected when the environment variable is
not set

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2716"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Move the favorite toggle button from the app list sidebar to the app
details page header
- Update AppItem component to show a small filled star indicator for
favorited apps (instead of an interactive button)
- Simplify AppList by removing favorite-related props and hooks
- Update E2E tests to test favorite functionality from the app details
page

## Test plan
- Open an app's details page and verify the favorite button appears next
to the app name
- Click the favorite button and verify the star fills in (app is
favorited)
- Click again to unfavorite and verify the star becomes unfilled
- Return to the app list and verify favorited apps show a small filled
star indicator
- Run E2E tests: `npx playwright test favorite_app.spec.ts`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2704"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Updated the pr-push skill documentation with improved instructions for
handling uncommitted changes and pushing to remotes

## Test plan
- Review the updated SKILL.md file for clarity and accuracy
- Verify the instructions are correct for the pr-push workflow

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2714"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Update the release workflow dry-run publish step to invoke
`electron-forge` directly.
- Avoid `npm run publish` script indirection in CI release publishing.

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2711"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

This reverts commit a0693563.

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2710"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb

ci: add reboot and verification steps to nightly runner cleanup (drive-by clean up fast push) (#2708)

## Summary
- Add reboot step after cleanup script to ensure fresh runner state
- Add verification job that runs on all CI runners to check disk space
post-reboot
- Verification job runs even if cleanup fails (since reboot kills the
runner mid-job)

## Test plan
- Verify the workflow structure is valid by checking GitHub Actions UI
- Monitor next nightly run to ensure reboot completes successfully
- Confirm verification job runs and reports disk space

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2708"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Replaces static timeout-based wait with toPass() retry logic for
ArrowUp navigation wrap test
- Makes the test more resilient to timing variations with the
BeautifulMentionsPlugin
- Uses aria-selected attribute for more reliable selection detection

## Test plan
- Run `npm run e2e -- chat_history.spec.ts` to verify the test passes
- The test should be more stable and less prone to flakiness

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2699"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Fixed flaky SecurityReview E2E test by waiting for the "Running
Security Review..." button state to appear and disappear, rather than
just waiting for the original button to hide
- Added documentation to `rules/e2e-testing.md` with a pattern for
handling button state transitions in E2E tests

## Test plan
- Run the SecurityReview E2E test multiple times to verify it's no
longer flaky
- `npm run e2e -- e2e-tests/security-review.spec.ts --repeat-each=10`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2696"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Update Playwright summary artifact handling in CI workflow.
- Adjust Playwright summary generation script for deterministic artifact
links.

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2691"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add a comprehensive plan document for convex backend support in .
- Outline architecture and implementation strategy for switching backend
storage and API behavior.
- Define staged rollout and verification steps.

## Test plan
- Run 
> dyad@0.37.0 fmt
> npx oxfmt, 
> dyad@0.37.0 lint:fix
> npx oxlint --fix --fix-suggestions --fix-dangerously

Found 0 warnings and 0 errors.
Finished in 20ms on 795 files with 88 rules using 10 threads., and 
> dyad@0.37.0 ts
> npm run ts:main && npm run ts:workers


> dyad@0.37.0 ts:main
> npx tsgo -p tsconfig.app.json --noEmit --incremental


> dyad@0.37.0 ts:workers
> npx tsc -p workers/tsc/tsconfig.json --noEmit --incremental locally.
- Manually review the generated plan document for completeness.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2693"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add comprehensive test suite for `readSettings()` covering all setting
types including nested objects
- Refactor `UserSettings` schema using Zod with proper nested objects
(`chatMode.enabled`, `chatMode.mode`, `thinking.enabled`,
`thinking.budget`)
- Add migration path for legacy flat settings format to new nested
structure

## Test plan
- Run `npm test` to verify all 814 tests pass including new readSettings
tests
- Verify settings are properly loaded with both new nested format and
legacy flat format

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2676"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

- setup_flow.spec.ts: Wait for domcontentloaded after reload and
increase timeout for "Install Node.js Runtime" button visibility check
- chat_history.spec.ts: Add small delay between keyboard navigation
events and increase timeout on class assertion to prevent ArrowUp race
condition
- Navigation.ts: Wait for "Apps" link to be visible before clicking in
goToAppsTab() to prevent timeouts when sidebar loads slowly
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2681"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

## Summary
- Added `GH_TOKEN` env var from `secrets.GITHUB_TOKEN` to the `Deflake
E2E tests` action step in `.github/workflows/claude-deflake-e2e.yml`.
- Removed `direct: true` from the `anthropics/claude-code-action` input
list.

## Test plan
- `npm run fmt`
- `npm run lint:fix`
- `npm run ts`
- `npm test`

## Summary
- add local `.agents/skills` symlink for skill tool access in workspace

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts
- npm test

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2690"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Adds comprehensive planning document for cloud sandbox runtime mode
feature
- Generated from collaborative planning session using dyad:swarm-to-plan
skill
- Outlines complete feature design, UX flows, technical architecture,
and implementation phases

## Test plan
- Document is for planning purposes and doesn't require functional
testing
- Review content for completeness and accuracy of scope and technical
approach
- Validate that implementation phases are well-sequenced and address all
scope items

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2675"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

Fixes #1225 

## Summary
- Separates the release workflow into build and publish phases
- Build phase runs on all platforms in dry-run mode (no actual publish)
- Artifacts are uploaded and downloaded between phases
- Publish phase uses GitHub environment "release" for manual approval
gate
- Removes commented-out code for cleaner workflow

## Test plan
- [ ] Trigger the release workflow manually
- [ ] Verify build phase completes for all platforms (Windows, macOS,
Linux)
- [ ] Verify artifacts are uploaded successfully
- [ ] Verify publish phase waits for environment approval
- [ ] Approve and verify publish completes from dry-run artifacts
- [ ] Verify verify-assets step still validates the release

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2662"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Adds a manual approval gate to the release workflow by splitting it into
build (dry-run) and publish phases. Builds run on Windows, macOS, and
Linux; publish reuses artifacts after approval via the “release”
environment.

- **New Features**
- Build job runs npm run publish -- --dry-run on all OS and uploads out/
artifacts (1-day retention).
- Publish job waits on GitHub environment “release”, downloads
artifacts, and runs npm run publish -- --from-dry-run.
  - verify-assets now runs after publish to validate the release.
  - Cleaned up commented code and pins npm 11.8.0 in publish job.

- **Migration**
- Ensure the GitHub environment “release” exists and requires the
desired approvers.

<sup>Written for commit 04fcc4025e533a6d8fb0804df80c10b3215cff8a.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2678"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Updates pr-fix-comments skill to leverage product principles for
resolving ambiguous feedback
- Introduces 'Resolved by product principles' category to reduce human
review burden
- Adds guidance for citing principles in replies and flagging when
insufficient
- Enhances pr-fix meta-skill documentation on product principles usage

## Test plan
1. Verify that the updated skill documentation is accessible and clear
2. Review the new guidance on consulting rules/product-principles.md
3. Confirm the categorization options are correctly documented
4. Check that the reply examples include proper principle citations

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2674"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2672"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add `onConsoleLog` handler in vitest config to suppress all console
output from tests (retry logs, settings errors, processor warnings)
- Set `NODE_OPTIONS=--no-deprecation` to suppress punycode `DEP0040`
warnings from vitest worker processes
- Set `VITE_CJS_IGNORE_WARNING=true` to suppress Vite CJS API
deprecation warning

#skip-bugbot

## Test plan
- Run `npm test` and verify clean output with no stderr noise
- Verify all 810 tests still pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2665"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Implements a new swarm planning skill that enables Product Manager, UX
Designer, and Engineering Lead agents to collaboratively debate an idea
- Agents analyze from their expert perspectives, debate trade-offs, and
identify ambiguities
- Produces a comprehensive plan document with problem statement, scope,
user stories, UX design, technical design, and implementation roadmap

## Test plan
- The skill can be invoked using `/dyad:swarm-to-plan <idea>`
- It should spawn a planning team with three specialized agents
- Agents should analyze the idea, debate assumptions, and compile a
final plan to `plans/<plan-name>.md`
- Verify the planning team shuts down gracefully after completion
- Check that the generated plan includes all required sections from both
PM, UX, and Engineering perspectives

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2670"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add new Playwright debug skill to help developers debug E2E test
failures
- Provide instructions for using manual `page.screenshot()` calls to
capture test state
- Update AGENTS.md with guidance on when and how to use the skill

## Test plan
- Review the skill documentation to ensure it provides clear
instructions for:
  - Identifying which test to debug
  - Adding debug screenshots to test code
  - Viewing and analyzing captured screenshots
  - Cleaning up debug artifacts
- The skill can be invoked with `/dyad:debug-with-playwright` when
debugging E2E test failures

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2671"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2669"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Updates E2E test snapshot for security review to use
`[[SYSTEM_MESSAGE]]` placeholder instead of the full system message
content
- Makes the test more stable and easier to maintain as system messages
evolve

## Test plan
- [x] Lint passes
- [x] All unit tests pass (810 tests)
- Snapshot update verified by running the E2E test that produced it

🤖 Generated with [Claude Code](https://claude.com/claude-code)

#skip-bugbot
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2668"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary
- Update nightly-runner-cleanup.yml to add ci3 runner to the cleanup
matrix
- Enhance ci-cleanup-macos.sh with improved disk space management for
host-level caches
- Add support for nightly cleanup mode with better handling of Homebrew
and Xcode caches

## Test plan
- Manually trigger the nightly-runner-cleanup workflow to verify cleanup
steps complete successfully
- Verify that the ci3 runner is now included in the cleanup matrix
- Confirm that old browser installations and npm cache are properly
cleaned up

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2664"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Small CI-maintenance change limited to a scheduled workflow and
cleanup script; main risk is masking unexpected deletion failures via
non-fatal warnings.
> 
> **Overview**
> Extends the nightly self-hosted macOS runner cleanup workflow to also
run on `ci3` via the job matrix.
> 
> Hardens `scripts/ci-cleanup-macos.sh` by making npm cache
(`~/.npm/_cacache`) and log (`~/.npm/_logs`) removal tolerate failures
(e.g., files in use), emitting warnings instead of failing the cleanup
run.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
c49b18aa7df6e6da179507d678c67cc5680505c5. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Include the ci3 runner in the nightly macOS cleanup and make npm
cache/log removal more resilient to prevent flaky failures.

- **Bug Fixes**
- Added ci3 to the nightly-runner-cleanup matrix so all macOS hosts are
cleaned.
- Updated ci-cleanup-macos.sh to ignore permission/in-use errors when
removing npm cache/logs and emit warnings instead.

<sup>Written for commit c49b18aa7df6e6da179507d678c67cc5680505c5.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2667"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Migrates all 16 `.claude/commands/` to `.claude/skills/` with proper
SKILL.md frontmatter (name + description)
- Moves supporting scripts (sanitize_issue_markdown.py, tests, goldens)
into the fix-issue skill folder
- Updates path references in `.prettierignore`, `.oxfmtrc.json`, and
`.claude/README.md`
- Eliminates spurious golden file "commands" (e.g.,
`dyad:scripts:goldens:*`) that were being registered as slash commands

## Test plan
- Verify all skills are listed with `/` autocomplete
- Invoke a skill (e.g., `/dyad:lint`) and confirm it works

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2663"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Migrates all Claude Code commands to the new skills format with SKILL.md
frontmatter and updates docs/paths. This standardizes slash usage
(/dyad:<skill>), fixes autocomplete, and removes stray commands.

- **Refactors**
- Moved 16 items from .claude/commands to .claude/skills with
name/description frontmatter.
- Moved sanitize_issue_markdown.py, tests, and goldens under the
fix-issue skill; updated path in SKILL.md.
- Updated .claude/README.md to list skills and include fast-push,
pr-screencast, feedback-to-issues, deflake-e2e-recent-commits,
remember-learnings.
  - Updated .prettierignore and .oxfmtrc.json to new goldens path.
- Removed golden file “commands” that were being registered as slash
commands.

- **Migration**
  - Use /dyad:<skill> instead of /dyad:<command>.
  - Verify skills show in autocomplete and run one (e.g., /dyad:lint).
- Update any local scripts from .claude/commands/... to
.claude/skills/....

<sup>Written for commit 31ae67f994cb704c223428e66455665ffd2454ff.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Replace unreliable winget installation with NuGet installation for
Azure Trusted Signing tools
- Simplify DLL discovery logic to use direct NuGet installation path
- Makes Windows signing step more robust and reliable

## Test plan
- Verify that the release workflow still builds successfully on Windows
runners
- Confirm Azure Trusted Signing client is installed and used correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2661"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Switch the Windows release workflow to use NuGet for Azure Trusted
Signing and simplify DLL discovery to the NuGet install path. This
reduces CI flakiness and makes the signing step more reliable.

- **Refactors**
- Install Microsoft.Trusted.Signing.Client 1.0.95 to
$RUNNER_TEMP\TrustedSigning from nuget.org.
- Find Azure.CodeSigning.Dlib.dll (x64) by scanning the install
directory only.

<sup>Written for commit 0dd327769005b7890b31d782bf07f66a4912406b.
Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Workflow-only change that alters how Windows signing dependencies are
installed and discovered; risk is limited to potential release pipeline
breakage if the NuGet package layout/version changes.
> 
> **Overview**
> Improves the Windows portion of the release workflow by installing
Azure Trusted Signing tooling via `nuget` (pinned to
`Microsoft.Trusted.Signing.Client` `1.0.95`) instead of `winget`.
> 
> Simplifies DLL discovery by searching only within the NuGet install
directory for the x64 `Azure.CodeSigning.Dlib.dll`, then exporting
`AZURE_CODE_SIGNING_DLIB` for subsequent signing steps.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
0dd327769005b7890b31d782bf07f66a4912406b. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>