closes #3199 
## summary

This PR introduces a secure toggle mechanism to reveal or hide the keys,
preventing accidental exposure of sensitive credentials during screen
sharing or general use.


<img width="550" height="488" alt="image"
src="https://github.com/user-attachments/assets/638aef02-9036-4bdd-8a3a-10d33baba5cd"
/>


<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3274"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3293"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Move the author-vs-commenter check from the Claude prompt into
workflow-level `if:` conditions so Case 1 (original author follow-up)
and Case 2 (third-party comment) route deterministically.
- Case 2 no longer invokes Claude — it just posts the fixed redirect
comment with `gh issue comment`.
- Skip bot-authored comments to prevent loops.

Previously the single-prompt design conflated the two cases when a
maintainer's closing comment mentioned the original author and described
the symptom, causing the bot to re-open the issue under Case 1 even
though COMMENT_AUTHOR did not match ISSUE_AUTHOR (see
dyad-sh/dyad#3228).

## Test plan
- [ ] Trigger a closed-issue comment from a non-author account → expect
only the redirect comment, no re-open, no LLM usage.
- [ ] Trigger a closed-issue comment from the original author expressing
the issue still occurs → expect re-open + "we've re-opened the issue"
comment.
- [ ] Trigger a closed-issue comment from the original author that's
just a thank-you → expect no action.
- [ ] Bot comment on a closed issue → no workflow run.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3270"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary

Addresses the two "needs update" items from the weekly rules review in
#3238:

- **`rules/openai-reasoning-models.md`**: Replace reference to
non-existent `filterOrphanedReasoningParts()` with the actual function
`cleanMessage()` in `src/ipc/utils/ai_messages_utils.ts`.
- **`rules/chat-message-indicators.md`**: Replace `"in-progress"` with
`"pending"` to match the actual `CustomTagState` type (`"pending" |
"finished" | "aborted"`) defined in `src/components/chat/stateTypes.ts`.

Closes #3238.

## Test plan

- [x] Verified `cleanMessage()` exists at
`src/ipc/utils/ai_messages_utils.ts:67`
- [x] Verified `CustomTagState` type in
`src/components/chat/stateTypes.ts:1`
- [x] `npm run fmt && npm run lint:fix && npm run ts` passes
- [x] `npm test` passes (1139 tests)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3271"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3300"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3292"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add a project-scoped Supabase deploy queue with concurrency capped at
8.
- Run deploy-all through bounded concurrency instead of unbounded
parallel requests.
- Stream Supabase deploy progress as a dyad-status indicator, with an
E2E covering queue progress.

## Test plan
- npm run fmt && npm run lint:fix && npm run ts
- npm test -- src/__tests__/supabase_utils.test.ts
src/__tests__/local_agent_handler.test.ts
- npm test
- PYTHON=/usr/local/bin/python3.13 npm run build
- npm run e2e e2e-tests/local_agent_supabase_deploy_progress.spec.ts
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3289"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

## Summary
- Append shared Supabase deploy warnings and errors as inline
dyad-output cards in Local Agent mode.
- Keep post-turn commits non-fatal when shared edge function redeploys
fail, matching single function deploy behavior.
- Refresh formatting/lint for eval fixtures touched by pre-commit
checks.

## Test plan
- npm run fmt && npm run lint:fix && npm run ts
- npm test

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3288"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3280"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3286"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

See `src/__tests__/evals/README.md` for usage. 

Other notes:
- The test fixtures are 300+ lines each. Even so, I still think some of
them are a little too easy. I might swap some of them out for more
challenging ones, or edit them so that they're not so straightforward.
- This currently still only tests `search_replace`, so I don't yet have
a way to compare correctness/token usage/time taken of `search_replace`
vs `edit_file` vs `write_file`.
- Otherwise, though, I think I'm fairly thorough about collecting data.
One thing I'm missing is the cost (it would probably be a rough estimate
at best) but I'm at least able to store the number of input/output
tokens for each tool call.
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3205"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3134"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

## Summary

- Update the dyad:deflake-e2e-from-run workflow so artifact-based
diagnosis is still first, but post-fix verification now requires a local
rebuild and affected E2E rerun.
- Document the Python fallback build command and require PR bodies to
list the local build/E2E commands.

## Testing

- Not run; documentation-only skill workflow update.

#skip-bugbot

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3262"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

## Summary
- Stop treating set_chat_summary as a local-agent stream stop condition.
- Update local-agent prompt and tool guidance to call the chat summary
tool early and exactly once.
- Add coverage and update prompt/request snapshots for the new behavior.

## Test plan
- npm run fmt && npm run lint:fix && npm run ts
- npm test
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3260"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

Pin claude code action to v1.0.96 b/c of https://github.com/anthropics/claude-code-action/issues/1220 (#3261)

https://github.com/anthropics/claude-code-action/issues/1220

## Summary
- Add include_ignored to local-agent grep and list_files so ignored and
hidden paths can be inspected only when requested.
- Remove include_hidden from list_files, add a root recursive
ignored-listing guard, cap list output at 1000 paths, and sort
directories before files.
- Update local-agent tests and snapshots, including a less brittle
read_logs E2E assertion.

## Test plan
- PYTHON=/usr/bin/python3 npm run build
- PLAYWRIGHT_HTML_OPEN=never npm run e2e --
e2e-tests/local_agent_search_replace.spec.ts
e2e-tests/local_agent_step_limit.spec.ts
e2e-tests/local_agent_consent.spec.ts
e2e-tests/local_agent_code_search.spec.ts
e2e-tests/local_agent_advanced.spec.ts
e2e-tests/local_agent_file_upload.spec.ts
e2e-tests/local_agent_basic.spec.ts e2e-tests/local_agent_grep.spec.ts
e2e-tests/local_agent_auto.spec.ts
e2e-tests/local_agent_list_files.spec.ts
e2e-tests/local_agent_ask.spec.ts
e2e-tests/local_agent_todo_followup.spec.ts
e2e-tests/local_agent_summarize.spec.ts
e2e-tests/local_agent_read_logs.spec.ts
e2e-tests/local_agent_generate_image.spec.ts
e2e-tests/local_agent_connection_retry.spec.ts
e2e-tests/local_agent_persistent_todos.spec.ts
e2e-tests/local_agent_web_fetch.spec.ts
e2e-tests/local_agent_run_type_checks.spec.ts
- npm run fmt && npm run lint:fix && npm run ts
- npm test
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3256"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3257"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3259"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

This PR should fix CI build failure 
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3258"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

closes #1772 

When an AI request fails during build, the error popup would appear and
cover the retry button at the bottom of the chat, forcing users to
manually scroll down to access it. This fix adds an auto-scroll effect
that scrolls up ~150px when an error occurs, ensuring the retry button
remains visible and accessible above the error popup. This improves the
UX for error recovery scenarios.
before:
<img width="550" height="365" alt="Capture d&#39;écran 2026-04-18
031044"
src="https://github.com/user-attachments/assets/61b4108b-0732-469e-abae-bd6ba86ee7ab"
/>
after 
<img width="583" height="439" alt="Capture d&#39;écran 2026-04-18
030508"
src="https://github.com/user-attachments/assets/917ac306-a7eb-41ae-959c-aadf9d87b2c2"
/>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3231"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

This is related to #3240, but likely does not fix the crash.

#3240 mentions heavy rate-limits from Supabase. This happens because
currently:
- we are polling the Supabase endpoint every 5 seconds, and
- we do not stop making requests when we get rate limited.

This PR makes a few changes:
1. When we get rate-limited by Supabase, we'll check the `Retry-After`
property that Supabase sends back. This tells us when Supabase will
allow us to make our next request, and we'll honor that value.
2. Changes the polling rate from once every 5 seconds to once every 15
seconds. From what I can tell the requests are just fetching logs from
the Supabase API, so I don't think that it's critical enough to need to
happen once every 5 seconds. If I'm wrong about this though, please
correct me.
3. Refactors `loadEdgeLogsMutation` into a `useQuery` call, which is
probably what we want it to be given that we're periodically polling an
API endpoint. The side effects can be handled in a separate `useEffect`
call, so the behavior should stay essentially the same. This does also
prevent us from making extra requests to the endpoint when we already
have an active request.

Also closes #3244.

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3250"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3254"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Adds chat mode persistence to chats so Ask, Build, and Plan are
remembered per conversation.
- Resolves effective chat mode for chat creation and streaming paths,
including fallback metadata for the UI.
- Updates chat mode hooks, selectors, tab flows, and coverage for
persistence behavior.

## Test plan
- npm run fmt && npm run lint:fix && npm run ts
- npm test
- npm run build
- PLAYWRIGHT_HTML_OPEN=never npm run e2e -- e2e-tests/chat_mode.spec.ts

Generated with Codex

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3249"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

@azizmejri1 - I added an info banner with a link to
https://neon.com/docs/auth/production-checklist#email-provider under the
email verification toggle so users know to not rely on it for production

<img width="506" height="377" alt="image"
src="https://github.com/user-attachments/assets/7f403de7-de2f-462e-84c0-8eb0779af87a"
/>

## Summary
- Add a compact, clickable info banner below the Neon email verification
toggle that recommends configuring a custom email provider for
production.
- Link opens the Neon Auth production checklist (email provider
section).
- Add `integrations.neon.customEmailProviderHint` strings for English,
Portuguese (Brazil), and Chinese (Simplified).

## Test plan
- Open Neon integration for a connected Next.js app and confirm the
banner appears under email verification with correct copy.
- Click the banner and confirm the Neon docs open in the browser.

## Summary
- Escape the keppo-bot[bot] Bash case pattern so it matches the literal
bot login.
- Add RyanGroch to the privileged CI author allow-list for E2E test
routing.

## Test plan
- npm run fmt && npm run lint:fix && npm run ts
- npm test

#skip-bugbot
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3248"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary

Fixes the 6 `TimeoutError: locator.click: ... element is not enabled`
failures in `chat_tabs.spec.ts` and `per_chat_input.spec.ts` on CI run
[24692456779](https://github.com/dyad-sh/dyad/actions/runs/24692456779)
caused by a Lexical/jotai race during chat switches.

## Root cause

Trace + screenshot from the failing shards show chat 2 with an empty
input and a disabled Send button the moment the second `sendPrompt()`
runs. The race:

1. `clickNewChat()` navigates to chat 2 (`selectedChatIdAtom` flips, URL
updates, `ChatInput` re-renders with `chatId=2`).
2. Playwright's `fill()` into the Lexical editor fires
`OnChangePlugin.onChange` before React has flushed the atom update for
this render cycle.
3. `chatInputValueAtom`'s writer is keyed off `selectedChatIdAtom`, so
the typed text gets stored under the **previous** chat's slot.
4. On the next render `ExternalValueSyncPlugin` sees `value=""` for chat
2 and resets the editor to empty.
5. `inputValue.trim()` is empty → Send button stays `disabled` → 30s
click timeout.

Only the *second* `sendPrompt()` after a `clickNewChat()` fails, and
it's flaky because it depends on render/event ordering.

## Fix

Wrap `click → fill` in `expect.toPass()` and assert the editor actually
contains the prompt and the Send button is enabled before clicking. On a
dropped fill the loop re-runs once atoms settle, eliminating the race
deterministically. No product changes.

## Test plan

- [x] `npm run fmt && npm run lint && npm run ts`
- [ ] CI: chat_tabs.spec.ts and per_chat_input.spec.ts pass on shards
1/2

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3246"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

## Summary

Adds a new skill, `dyad:deflake-e2e-from-run`, for root-causing E2E
failures from a specific CI run by reading the Playwright HTML report
artifacts directly — traces, screenshots, error-context, and app
stdout/stderr — instead of rebuilding and rerunning locally.

This complements the existing `deflake-e2e` and
`deflake-e2e-recent-commits` skills, which drive *discovery* by
repeat-running tests. This new skill is for when you already have a
failing run and want to root-cause fast.

## What the skill covers

- Downloading the merged `html-report` artifact with `gh run download -R
dyad-sh/dyad -n html-report`.
- `jq` queries against `results.json` for `unexpected` vs `flaky` test
buckets.
- Matching trace `.zip` hashes (paths in `results.json` are CI-side;
files are local in `/tmp/pw-report/data/`).
- Reading `test.trace` as JSONL to extract the step timeline.
- Correlating with app IPC logs that show up as `stderr`/`stdout` trace
events (gold for race-condition root-causing — e.g. `(proposal_handlers)
› IPC: get-proposal returned: …` at failure time).
- A short playbook of common failure shapes (disabled-button-after-fill,
navigation races, cross-test state) and their usual fixes.

Derived from the workflow used to root-cause #3246.

## Test plan

- [x] Skill file follows the same frontmatter format as existing skills
in `.claude/skills/`.
- [x] Verified via the use case in #3246 (full investigation done
end-to-end using exactly these steps).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3247"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

closes #2416 
This PR addresses the following improvements and fixes in the chat
message UI for assistant messages:

Commit Hash Display: The commit hash is now shown as a sibling to the
commit message in the metadata row, following the commit message and
icon.
Minimal Tooltip: The tooltip for the commit hash now displays only the
commit hash itself (no commit message or extra text), providing a clean
and focused UX.
Copy-to-Clipboard: Users can copy the full commit hash by clicking the
hash or copy icon
<img width="769" height="199" alt="image"
src="https://github.com/user-attachments/assets/9b28db64-6521-4ee7-b46c-a3b9e8ee9389"
/>


<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3191"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3243"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

Closes #3185.

For context, a while back I had opened #2511 to close #1272. For some
reason the change got reverted, though, which I think is why #3185 was
opened.

This PR makes the essentially the same change as #2511, so it has the
"refactor" button tooltip show the full path of the file it's going to
refactor. #2511 also changed the width of the button, but I've changed
my mind on that.
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3237"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3241"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open in Devin Review">
  </picture>
</a>
<!-- devin-review-badge-end -->

### Context for review bots :

1.The agent can execute sql commands directly on production , this is
fine because they user may choose to start with a simple setup first and
use the production database directly (in a follow up PR we should give
the users the ability to sync dev branch to match production branch).The
user also has the possiblity to revert database changes .
2.Right now there’s no warning for destructive changes before migration
, this is fine for now as we're gonna add a follow up PR for this
3.When linking an existing neon project that doesnt have a developement
database , we're setting the default branch as the active branch . This
is fine because the user may prefer to start a simple setup at the
beginning and work directly on the production database , in addition
since the project was created outside dyad it may have a developement
branch named differently so it wouldnt be wise to auto create one here .
However, in a follow up PR we should allow the user to manually create
branches and sync dev branch to match production .
4.neon is only available for next.js now
5.We dont have enough tests for now, i am gonna add a follow-up PR to
cover this
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3178"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

This plan solves the React/Vite + Neon integration issue by adding a
server layer to the app using Nitro.

- Nitro deploys cleanly to Vercel

- API routes are automatically exposed as Vercel Functions

- it keeps the setup lightweight and requires minimal effort from both
the user and the AI agent
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3090"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

closes #3075 
Implements pause/resume functionality for the message queue processing
system, allowing users to pause automatic processing of queued messages
and selectively resume. Includes session-level persistence via
sessionStorage.


<img width="594" height="694" alt="Capture d&#39;écran 2026-03-26
045040"
src="https://github.com/user-attachments/assets/2cf9648f-7be1-466c-971c-e2e96faccd0d"
/>


9 comprehensive E2E test cases covering:
Pause/Resume button visibility
Pause functionality and message blocking
Resume processing
SessionStorage persistence (empty & non-empty cases)
Multiple pause/resume cycles
Per-chat isolation
Visual styling

When mid-turn compaction ran during a multi-step tool loop (e.g., after
web_crawl completed), injected user messages (like screenshots) were
registered at an array index based on the compacted message history. The
AI SDK's internal messages don't include the compaction summary, so in
subsequent steps the stale index caused the injected user message to
land between a tool_use and its tool_result, breaking the SDK's
validation.

Fix 1: Track the delta between compacted and SDK base message counts,
and adjust injection indices after prepareStepMessages runs so future
re-injections land at the correct position.

Fix 2: Add ensureToolResultOrdering() as a defensive safety net that
detects and fixes any user messages misplaced between tool_use/
tool_result pairs before returning from prepareStep.
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3213"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3194"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## What changed
- switch the cloud sandbox upload client to a multipart
manifest-plus-file request instead of JSON `Record<string, string>`
payloads
- read synced files as raw bytes for both full and incremental uploads
while preserving `replaceAll`, `deletedFiles`, and queued incremental
sync behavior
- update the fake cloud sandbox server and desktop-side tests to
validate multipart uploads and binary byte preservation

## Why
The previous upload path decoded files as UTF-8 strings before sending
them to the engine, which corrupted binary assets and broke cloud
previews for files like images, fonts, and wasm.

## Impact
Desktop cloud sandbox syncs now send byte-exact file contents to the
engine, including incremental syncs.

## Compatibility
- depends on the engine multipart upload support in
dyad-sh/dyad-llm-engine#146
- the engine PR keeps legacy JSON uploads available for older desktop
clients, but this desktop change is required for binary-safe uploads

## Validation
- `npm test -- src/ipc/utils/cloud_sandbox_provider.test.ts`
- `npm run ts`
- `npm run lint`
- `npm run fmt:check`

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3188"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

## Summary
- replace context_manage snapshot assertions with narrower UI and
dump-path checks
- wait for context rows to appear or disappear before continuing so the
picker interactions are deterministic
- remove the obsolete context_manage snapshot baselines

## Test plan
- npm run build
- PLAYWRIGHT_RETRIES=0 PLAYWRIGHT_HTML_OPEN=never npm run e2e --
e2e-tests/context_manage.spec.ts --repeat-each=10
- npm run fmt
- npm run lint:fix
- npm run ts
- npm test

#skip-bugbot
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3187"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3179"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->