The "View Plan" button in the plan card was non-functional when:

The preview panel was manually collapsed by the user
Starting a new app session (preview panel is closed initially)
The button only changed the preview mode to "plan" but didn't open the
panel, making it invisible to users.

Root Cause
[isPreviewOpenAtom]was set to false when starting the app and only set
back to true after streaming completes. The "View Plan" button only
called [setPreviewMode("plan")] but didn't call
[setIsPreviewOpen(true)], leaving the panel closed.

Solution
Added [setIsPreviewOpen(true)] to the "View Plan" button's onClick
handler to ensure the preview panel opens when users click the button.


Testing
The fix can be verified by:

Generating a plan in the chat
Collapsing the preview panel (or having it closed on new app start)
Clicking the "View Plan" button
Confirm the panel opens and shows the plan view
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3073"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Mohamed Aziz Mejri <mjrmohamedaziz@gmail.com>

## Summary
- Adds a nightly GitHub Actions workflow that checks for open security
advisories in triage/draft state
- Sends email alerts via Mailgun when open advisories are found
- Includes the supporting Node.js script at
`scripts/github-security-advisory-alert.mjs`

## Test plan
- [ ] Verify the workflow YAML is valid by triggering a manual
`workflow_dispatch` run
- [ ] Confirm required secrets/vars (`KEPPO_GITHUB_APP_ID`,
`KEPPO_GITHUB_APP_PRIVATE_KEY`, `MAILGUN_API_KEY`, `MAILGUN_DOMAIN`,
`MAILGUN_FROM_EMAIL`, `SECURITY_ADVISORY_ALERT_EMAILS`) are configured
in the `ai-bots` environment

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3087"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3081"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

I've updated neon integration plan to include using neon auth and neon
data api for react/vite apps .
The data api will make it possible to integrate neon with react/vite
apps without requiring the users to add a backend on their own .

Closes #399. Adds a setting (under "General Settings") to select a
custom directory to store new apps in, replacing the default `dyad-apps`
folder.

In order to make sure that users don't lose access to older apps, I
opted for creating symlinks inside the new folder to the old app
locations. I went with symlinking because moving every single app could
be an expensive operation depending on how many apps there are, and the
user might not want that. However, this is inconsistent with the import
apps and move folder features (i.e. #2000), which copy the apps instead
of symlinking.

I'm happy to change the approach on request. Some options I've been
thinking about:
- Add a button in the settings which moves all the apps (replacing the
symlinks) after the user chooses a new custom directory. This way, the
user would get to choose.
- Convert all of previously-created apps to absolute paths, which avoids
all of the symlinking. The only potential issue with this is that if the
user wants to move the apps to their new directory after all, they'd
have to use the "move app" feature for every single app, otherwise the
database wouldn't get updated. As is, they at least could just delete
all the symlinks and mass-move all of their apps into the new directory
(though they'd currently have to do this outside of Dyad).

Also, since I'm tentatively adding in the use of symlinks, I modified
the move/copy/delete app features so that they always target the true
location of the app, not the symlink.

I can also write tests if desired.
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2875"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

close #2989 
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3043"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

#skip-bb
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3064"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Wraps the app name button in the title bar with a `Tooltip` component
to show the full app name on hover
- Improves usability when the app name is truncated due to the
`max-w-38` constraint
- Uses the `render` prop pattern consistent with the project's
`@base-ui/react` tooltip usage

## Test plan
- [ ] Verify the app name button in the title bar shows a tooltip on
hover displaying the full app name
- [ ] Verify the tooltip shows "No app selected" when no app is selected
- [ ] Verify the button click behavior (navigating to app details) still
works correctly
- [ ] Verify the tooltip styling matches other tooltips in the app

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3005"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

## Summary
- Non-Anthropic providers (OpenAI, Google, Ollama, etc.) error with "The
model does not support assistant message prefill" when the unclosed
`dyad-write` continuation retry triggers
- The continuation logic was using an assistant message as the last
message (prefill pattern), which only Anthropic supports
- Replaced with a user message that includes the partial response and
asks the model to continue where it left off

## Test plan
- Use a non-Anthropic provider (e.g. OpenAI, Gemini) in build mode
- Trigger a response that produces an unclosed `<dyad-write>` tag (e.g.
a large file write that gets cut off)
- Verify the continuation retry no longer errors and the model completes
the response

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3027"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

## Summary
- Buffer stdout/stderr messages from child processes and flush them
every 100ms as a single batched IPC event (`app:output-batch`), reducing
IPC traffic, array allocations, and React re-renders when apps emit
high-volume logs
- Keep `input-requested` messages on the immediate `app:output` channel
for responsive UX
- Renderer processes batched events with a single `setConsoleEntries`
state update instead of one per message

## Test plan
- [ ] Run an app that emits high-volume logs (e.g., `console.log` in a
loop) and verify the UI remains responsive
- [ ] Verify app console still shows all log output correctly
- [ ] Verify interactive prompts (y/n) still appear immediately
- [ ] Verify proxy URL detection and preview panel still work
- [ ] Verify HMR updates still trigger iframe refresh

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3035"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

## Summary
- Add `DyadError` / `DyadErrorKind` in `src/errors/dyad_error.ts` for
classified failures (validation, not found, auth, precondition,
conflict, user cancel, rate limit, etc.).
- Extend `shouldFilterTelemetryException` so filtered kinds are not sent
as PostHog `$exception` events; preserve legacy filters (RateLimitError
429, exact Supabase message set).
- `safe_handle` rethrows `DyadError` unchanged; typed handler invalid
input uses `Validation`.
- Migrate many IPC/main/git/supabase/local-agent call sites from `throw
new Error` to `DyadError` with appropriate kinds.
- Document in `AGENTS.md`, `rules/dyad-errors.md`, and
`.cursor/rules/ipc.mdc`.

## Test plan
- `npm run ts`, `npm run lint`, `npm test` (946 tests) passed locally.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Made with [Cursor](https://cursor.com)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3063"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Increased `DEFAULT_MAX_TOOL_CALL_STEPS` from 50 to 100 to better
support complex multi-step tasks
- Reorganized option tiers: Low (25), Medium (50), Default (100), High
(200) — removed the old "Very High" tier
- Updated E2E tests and snapshots to reflect the new defaults

## Test plan
- [x] Unit tests pass (`npm test` — 44 test files)
- [x] Lint, format, and type checks pass
- [ ] Verify max tool call steps selector UI shows correct options
- [ ] Run E2E test `max_tool_call_steps.spec.ts` to confirm snapshot
alignment

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3053"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>

## Summary
- retry local-agent stream passes when providers emit transient server
errors like Azure `server_error`
- keep the existing terminated-stream continuation path and apply it to
retryable provider-side failures
- add a regression test covering the structured provider error event
shape

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts
- npm test

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3044"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

closes #3010 
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3029"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude <noreply@anthropic.com>

closes #2808

---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2950"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- remove the automatic `cc:request` labeling step from the
`dyad:pr-push` skill
- keep the rest of the push and PR workflow unchanged

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts
- npm test

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3025"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- filter PostHog telemetry exceptions for  instances emitted by 
- keep existing telemetry filtering behavior for other exception types
unchanged
- add unit coverage for filtered 429 and non-filtered non-429 rate limit
errors

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts
- npm test

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3024"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- route main-process `$exception` telemetry through
`posthog.captureException()` in the renderer
- normalize exception fields in IPC telemetry payloads and strip them
from extra context before capture
- add focused unit coverage for exception reconstruction and context
extraction

## Test plan
- npm run fmt && npm run lint:fix && npm run ts
- npm test

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3022"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

#skip-bb

## Summary
- Use `dispatchEvent("click")` instead of `force: true` click to bypass
telemetry consent overlay issues in the setup flow e2e test
- Add `toPass` retry logic to handle accordion auto-collapse state
transitions after Node.js is detected as installed
- Dismiss telemetry consent "Later" button if visible before proceeding
with test steps

## Test plan
- Run the setup flow e2e test (`setup_flow.spec.ts`) and verify it
passes reliably without flaking on the Node.js installation detection
step
- Verify the test correctly handles the accordion collapsing after
Node.js is detected

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2996"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

#skip-bb

## Summary
- During AI streaming, the full messages array (potentially 500KB+ with
many messages) was serialized and sent through IPC on every text-delta
chunk, causing UI sluggishness
- Changed to send only the streaming message ID and updated content for
high-frequency streaming updates
- Full messages are still sent for initial loads and state changes
(compaction, lazy edits) to maintain correctness
- Updated all consumers (`useStreamChat`, `usePlanImplementation`,
`useResolveMergeConflictsWithAI`) to handle both full and incremental
chunk modes

## Test plan
- [x] TypeScript compilation passes
- [x] All 897 unit tests pass (39 files)
- [x] E2E tests pass (234 passed — 20 pre-existing failures unrelated to
this change, confirmed by running on clean main)
- [x] Specifically tested: `new_chat`, `chat_input`,
`local_agent_advanced`, `local_agent_code_search`, `local_agent_grep`,
`local_agent_search_replace`, `local_agent_list_files`,
`local_agent_summarize`, `local_agent_connection_retry`,
`local_agent_read_logs`, `local_agent_consent`,
`local_agent_persistent_todos`, `local_agent_todo_followup`,
`concurrent_chat`, `chat_history`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2988"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

### Motivation
- Prevent the UI from becoming sluggish while the assistant streams
large or rapidly-updated messages by deferring expensive
markdown/custom-tag parsing during active streaming.

### Description
- Use React's `useDeferredValue` in `DyadMarkdownParser` and switch the
parser to consume a `contentToParse` value that is the deferred
`content` only while `isStreaming` is true, and update the `useMemo`
dependency to `contentToParse` so final rendering uses the full, current
content.

### Testing
- Ran `npm run fmt`, `npm run lint`, and `npm run ts` in this
environment, and all three failed due to the npm registry returning `403
Forbidden` for required tooling (formatter/linter/typechecker) rather
than code errors in the change.

------
[Codex
Task](https://chatgpt.com/codex/tasks/task_e_69b10fad1e74832782eea5db1ccb0196)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2987"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add `image_utils.ts` for extracting MIME type and extension from image
data (base64 or binary)
- Add `image_dimension_utils.ts` for reading dimensions from
PNG/JPEG/GIF/WebP images
- Update `web_crawl` to use `maxTokens` (9000) from
`GEMINI_CRAWL_LONG_CONTEXT` config
- Update `prepare_step_utils` to handle `GEMINI_CRAWL_LONG_CONTEXT`
model config
- Add comprehensive tests for all new utilities

## Test plan
- [x] All existing tests pass
- [x] New tests added for image utilities covering:
- Image type detection from various formats (PNG, JPEG, GIF, WebP, BMP,
TIFF)
  - Base64 and binary data handling
  - Invalid/corrupted data handling
  - Dimension extraction from PNG, JPEG, GIF, WebP

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2892"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- fetch the builtin language model catalog from api.dyad.sh with local
fallback data and alias resolution
- migrate theme generation, auto mode, and help bot to use dynamic
catalog aliases
- add E2E coverage for both remote-catalog and fallback behavior

## Test plan
- npm run fmt
- npm run lint:fix
- npm run ts
- npm test
- PLAYWRIGHT_HTML_OPEN=never npm run e2e --
e2e-tests/dynamic_models.spec.ts (run outside sandbox)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2914"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Fixes a bug where the response processor would attempt `git commit`
even when there were no staged changes, causing "nothing to commit"
errors
- Adds a `hasStagedChanges` utility function to `git_utils.ts` that
checks whether there are actually staged files before committing
- Updates the commit flow in `response_processor.ts` to check for staged
changes first, skipping the commit when unnecessary

## Test plan
- [x] All 897 existing tests pass
- [x] Lint, formatting, and type checks pass
- Verify that file write/rename/delete operations still commit correctly
when changes are staged
- Verify that no error is thrown when git operations result in no staged
changes

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2991"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Will Chen <willchen90@gmail.com>

## Summary
- Improve error message handling in local agent error responses by using
`getErrorMessage()` helper
- This ensures consistent error message formatting across the
application

## Test plan
- Verify local agent error responses display proper error messages
- Check that the error handling works for various error types

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2983"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

closes #2905 
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2931"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Add `enableSelectAppFromHomeChatInput` experiment setting with toggle
in Settings UI
- Conditionally render the app selector ("No app selected") in
HomeChatInput based on the setting
- Update e2e tests to enable the flag via `setUp()` UI toggle instead of
writing `user-settings.json` directly

## Test plan
- [ ] Verify the app selector is hidden by default on the home chat
input
- [ ] Enable the toggle in Settings > Experiments and verify the app
selector appears
- [ ] Run e2e tests: `npx playwright test home_chat_existing_app`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2964"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

## Summary
- Add `dyad-assistant` to all trusted author/actor lists across the
codebase
- This includes GitHub Actions workflows (CI, PR review, rebase, triage,
bugbot, label-rebase) and Claude skill definitions (pr-fix-comments,
deflake-e2e-recent-commits)
- Ensures `dyad-assistant` can trigger CI on self-hosted runners, use
the PR review responder, trigger rebases, and be recognized as a trusted
bot for comment processing

## Files changed (9 files)
- `.github/workflows/ci.yml` - privileged author check
- `.github/workflows/pr-review-responder.yml` - allowedActors list and
prAuthor check
- `.github/workflows/claude-pr-review.yml` - author filter and
allowed_non_write_users
- `.github/workflows/claude-rebase.yml` - allowedUsers list
- `.github/workflows/bugbot-trigger.yml` - author filter
- `.github/workflows/label-rebase-prs.yml` - allowedAuthors list
- `.github/workflows/claude-triage.yml` - trusted comment authors for
duplicate surfacing
- `.claude/skills/pr-fix-comments/SKILL.md` - trusted bots list
- `.claude/skills/deflake-e2e-recent-commits/SKILL.md` - PR author scan
list

## Test plan
- [ ] Verify `dyad-assistant` PRs trigger CI on self-hosted runners
- [ ] Verify `dyad-assistant` PRs get automated code review
- [ ] Verify `dyad-assistant` can use the PR review responder workflow

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2963"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Enable `display_report: true` on trusted `claude-code-action`
workflows so Claude's work summary appears in GitHub Actions step
summaries
- Leave `display_report` as default (false) for `closed-issue-comment`
which processes untrusted input
- Replace the "Push any unpushed changes" step in `pr-review-responder`
with a deterministic `git push` instead of spawning a full
`claude-code-action` invocation

## Test plan
- Verify workflow YAML syntax is valid
- Trigger a workflow run and confirm the step summary now appears
- Confirm the deterministic push step works when there are/aren't
unpushed commits

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2959"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- Set top-level `permissions: {}` on 7 workflows to restrict default
token permissions, moving grants to job level with least-privilege
scoping
- Pinned CLA Assistant action to commit SHA (`ca4a40a7d...`) instead of
mutable tag for supply-chain safety
- Mitigated prompt injection in the issue triage workflow by passing
issue data via environment variables instead of direct template
interpolation, with an explicit security notice

## Test plan
- [ ] Verify CLA workflow still posts status comments on PRs
(permissions moved to job level)
- [ ] Verify issue triage workflow still labels and comments on new
issues (env var approach)
- [ ] Verify PR review, rebase, bugbot, and closed-issue-comment
workflows still trigger correctly with restricted top-level permissions
- [ ] Confirm no permission errors in workflow runs

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2928"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

closes #2809 
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2920"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
- When a user enters a pro key via deep link, the budget query was not
invalidated, leaving stale budget data until the 5-minute cache expired
- Added `queryClient.invalidateQueries` for the user budget query in the
deep link handler in `TitleBar.tsx`, matching the behavior already
present in the manual key entry path

## Test plan
- [ ] Enter a Dyad Pro key via deep link
(`dyad://dyad-pro-return?key=...`) and verify the budget display updates
immediately
- [ ] Enter a Dyad Pro key manually in settings and verify budget still
refreshes (regression check)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2956"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

closes #2916 
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2918"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2901"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

## Summary
- Bump version to v0.39.0
- Add promote-beta-to-stable skill for automating future releases

## Test plan
- CI passes
- Version number is correct in package.json

🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2955"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

<!-- devin-review-badge-begin -->

---

<a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2954"
target="_blank">
  <picture>
<source media="(prefers-color-scheme: dark)"
srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1">
<img
src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1"
alt="Open with Devin">
  </picture>
</a>
<!-- devin-review-badge-end -->