@chanlerdev/scorel 0.0.3 → 0.0.5

package/docs/spec/ship/S0100-gui-provider-danger-zone.md

@@ -0,0 +1,57 @@
+# S0100: GUI Provider Danger Zone Placement
+
+## Goal
+
+Move destructive Provider management actions out of the primary Provider edit form, so normal configuration fields remain the first visual focus and deletion is clearly presented as a secondary dangerous action.
+
+S0101 supersedes the final placement: `删除提供商` now lives in the Provider configuration block's lower-right action area instead of a bottom danger row.
+
+## Scope
+
+- In GUI Settings -> Provider:
+  - this spec recorded the first placement pass;
+  - S0101 defines the current placement in the Provider configuration block;
+  - keep the existing `removeModelProvider` behavior unchanged.
+- Add rendering coverage that verifies the destructive action is below normal model-management controls.
+
+## Not In Scope
+
+- Changing Provider deletion semantics, confirmation behavior, or daemon/client APIs.
+- Redesigning the Provider page layout beyond the destructive-action placement.
+- Changing model catalog, model selection, or provider form fields.
+
+## Acceptance Criteria
+
+- Current acceptance is governed by S0101: `删除提供商` appears in the Provider configuration block.
+- Existing Provider add/edit/model actions remain unchanged.
+- GUI rendering tests cover the current placement.
+
+## Test Requirements
+
+```bash
+pnpm --filter @scorel/app-gui test -- src/renderer/gui-shell.test.tsx
+pnpm --filter @scorel/app-gui typecheck
+```
+
+Manual:
+
+- Start the GUI with a Project that has a configured Provider.
+- Open Settings -> Provider.
+- Confirm S0101 current behavior: the delete button appears in the Provider configuration block's lower-right action area.
+
+## Impacted Files
+
+- `apps/gui/src/renderer/settings/sections/ProviderSection.tsx`
+- `apps/gui/src/renderer/styles.css`
+- `apps/gui/src/renderer/gui-shell.test.tsx`
+- `docs/CHANGELOG.md`
+- `docs/ROADMAP.md`
+
+## Risks And Boundaries
+
+- The delete action remains destructive and immediate, matching existing behavior. This spec only changes placement.
+- The danger row should not introduce another card nested inside the Provider card; it stays as an inline separated row.
+
+## Status
+
+Done.

package/docs/spec/ship/S0101-gui-device-settings-polish.md

@@ -0,0 +1,66 @@
+# S0101 GUI Device Settings Polish
+
+## Goal
+
+Fix GUI settings so configuration is device-scoped, not Project-scoped, and polish the settings interactions surfaced by the latest Provider / Token / Connection review.
+
+One device has one configuration. The Settings scope selector chooses a device:
+
+- `此电脑` configures the local device.
+- A Relay device configures that remote device.
+- Projects remain workspace/session objects and must not appear as the settings configuration scope.
+
+## Scope
+
+- Settings left scope selector becomes device-based.
+- GUI settings IPC for model profile, Provider catalog/deletion, memory settings, and runtime settings targets only a device.
+- Daemon/client config requests used by GUI are device-level and write the device user config at `~/.scorel/config.toml` for that daemon.
+- Provider deletion moves into the top Provider configuration form area, aligned to the lower-right of the Provider parameter block.
+- Runtime token statistics use understandable Chinese labels and expose both output token total and saved token estimate.
+- Relay device rows have an explicit expand affordance.
+- Relay device rename is inline: a small edit icon next to the device name turns the name into an input.
+
+## Not In Scope
+
+- Changing session/project ownership: sessions still belong to Projects.
+- Redesigning Project registry or remote Project selection.
+- Creating per-Project settings overrides.
+- Reworking IM extension settings beyond existing user-config behavior.
+- Changing RTK savings math.
+
+## Acceptance Criteria
+
+- Settings selector labels are device names only, for example `此电脑` and `Remote Device`; it does not render `此电脑 / ProjectName` or `Device / ProjectName`.
+- Settings Provider/Model/Memory/Runtime mutations do not accept a Project in GUI IPC.
+- Daemon writes GUI settings requests to device-level user config.
+- Provider delete is visually close to Provider credentials/configuration, not in a separate bottom danger row.
+- Runtime token stats are Chinese and self-explanatory.
+- Relay device rows visibly indicate expand/collapse and rename through a name-adjacent edit icon.
+
+## Test Requirements
+
+- Update renderer tests for device settings scope, Provider delete placement, Runtime labels, and inline Relay device rename affordance.
+- Add or update daemon/local-host tests proving projectless settings write `config.toml` under device user config.
+- Run targeted GUI/protocol/daemon tests covering changed paths.
+- Run `pnpm typecheck && pnpm test` before shipping.
+
+## Impacted Files
+
+- `packages/protocol/src/events.ts`
+- `packages/protocol/src/wire.ts`
+- `packages/client/src/index.ts`
+- `packages/daemon/src/index.ts`
+- `apps/gui/src/main.ts`
+- `apps/gui/src/main/local-host.ts`
+- `apps/gui/src/main/relay-service.ts`
+- `apps/gui/src/preload.ts`
+- `apps/gui/src/shared/ipc.ts`
+- `apps/gui/src/renderer/App.tsx`
+- `apps/gui/src/renderer/settings/*`
+- `apps/gui/src/renderer/styles.css`
+- `docs/ROADMAP.md`
+- `docs/CHANGELOG.md`
+
+## Risks And Boundaries
+
+- Memory status is a Project activity/status concept; this spec keeps Settings focused on Memory configuration, not Project activity status.

package/docs/spec/ship/S0102-device-only-config.md

@@ -0,0 +1,58 @@
+# S0102 Device Only Config
+
+## Goal
+
+Remove project-level config as a product concept. A Scorel device has exactly one editable config, stored at that device's Scorel home `config.toml`.
+
+Projects are workspace/session objects. They do not own Provider, Model, Memory, Runtime, or Extension settings.
+
+## Scope
+
+- Core config loading reads only the device/user config file.
+- Remove `.scorel/config.toml` from the public config schema and runtime loading contract.
+- Settings writes always target the device config, even if an older request still includes a `projectId`.
+- CLI daemon, CLI chat, GUI local host, and daemon fallback config reads pass the device `scorelHomeDir` explicitly so custom device roots do not read the process user's real `~/.scorel/config.toml`.
+- Update current config docs/specs that describe project-scoped config.
+
+## Not In Scope
+
+- Changing Project/session ownership.
+- Removing Project registry or remote Project selection.
+- Adding migration for old project `.scorel/config.toml` files.
+- Changing project-scoped Memory status or runtime stats, which are activity/status data, not config ownership.
+
+## Acceptance Criteria
+
+- `loadScorelConfig` and `loadScorelConfigProfile` ignore project `.scorel/config.toml`.
+- If device config is missing, config loading reports the missing device config path.
+- Provider/model/memory/runtime/extension Settings writes go to device `config.toml`.
+- Requests with `projectId` do not create or mutate project `.scorel/config.toml`.
+- Runtime creation for a Project still uses that device's single config.
+- Docs describe config as device-only.
+
+## Test Requirements
+
+- Core config tests load from device/user config and prove project `.scorel/config.toml` is ignored.
+- Daemon embedded tests prove Settings writes with `projectId` still write device config only.
+- CLI daemon idle test continues to prove custom device state roots do not inherit active IM from the real user config.
+- Run `pnpm typecheck && pnpm test`.
+
+## Impacted Files
+
+- `packages/core/src/config/index.ts`
+- `packages/core/src/config/config.test.ts`
+- `packages/daemon/src/index.ts`
+- `packages/daemon/src/embedded/embedded.test.ts`
+- `apps/cli/src/index.ts`
+- `apps/cli/src/daemon-cli.ts`
+- `apps/gui/src/main/local-host.ts`
+- `docs/spec/extensions.md`
+- `docs/spec/ship/S0097-rtk-token-saving-settings.md`
+- `docs/spec/ship/S0086-auto-compact-and-session-memory.md`
+- `docs/ROADMAP.md`
+- `docs/CHANGELOG.md`
+
+## Risks And Boundaries
+
+- Pre-1.0 development rules allow removing this stale config surface rather than preserving compatibility.
+- Old project `.scorel/config.toml` files may remain on disk, but runtime no longer treats them as config.

package/docs/spec/ship/S0103-daemon-lifecycle-and-settings-resilience.md

@@ -0,0 +1,61 @@
+# S0103: Daemon Lifecycle And Settings Resilience
+
+## Goal
+
+Clarify daemon lifetime by entrypoint and make GUI Settings resilient when switching devices and sections, especially after selecting a Relay device.
+
+Business value: a VPS demo host should stay online when the user explicitly starts it, while GUI/CUI convenience daemons still clean themselves up after local use. Settings failures must surface as recoverable errors, not a black renderer.
+
+## Scope
+
+- `scorel host start` launches a background host that stays alive until explicit stop, process signal, crash, or machine shutdown.
+- `scorel host serve` is foreground: it stays alive until Ctrl+C / SIGTERM unless the user explicitly provides `--idle-timeout-ms`.
+- GUI auto-start and `scorel up` auto-start keep the existing 15 minute idle shutdown policy.
+- GUI auto-start binds an ephemeral local port so a user-owned daemon on the default port cannot make GUI startup fail.
+- `--idle-timeout-ms 0` remains the explicit "no idle shutdown" value.
+- GUI Settings must ignore stale settings responses from a previously selected device.
+- GUI Settings must render a local error fallback instead of blacking out the whole app when a Settings section throws.
+- CDP verification covers Settings remote-device switching without renderer errors.
+
+## Not In Scope
+
+- Changing active IM keepalive semantics. Active IM still prevents idle shutdown.
+- Adding a new public `--keep-alive` flag; this spec keeps the existing `--idle-timeout-ms 0` primitive and fixes defaults.
+- Remote SSH device installation or management.
+
+## Acceptance Criteria
+
+- Direct `scorel host start` spawns `host serve` with idle shutdown disabled by default.
+- Direct `scorel host serve` does not idle-exit by default; Ctrl+C/SIGTERM still stops it.
+- `scorel up` spawns the daemon with a 15 minute idle timeout.
+- GUI auto-start spawns the daemon with a 15 minute idle timeout.
+- GUI auto-start uses the persisted `daemon.json` actual port instead of assuming the default daemon port is free.
+- Settings device changes reset device-scoped settings state and ignore stale async responses.
+- Settings section render errors show an in-app fallback and do not remove the app shell.
+- CDP GUI verification seeds a device config, switches to a remote device in Settings, flips across Settings sections, and fails on renderer errors.
+
+## Tests
+
+- CLI daemon tests cover background start idle disable, foreground serve default no-idle, explicit idle timeout, and active IM keepalive.
+- `scorel up` tests assert the internal daemon spawn passes the 15 minute idle timeout.
+- GUI renderer tests cover stale local settings data not overwriting remote settings data.
+- CDP GUI verification covers remote Settings section switching and device-level config persistence.
+
+## Files
+
+- `apps/cli/src/daemon-cli.ts`
+- `apps/cli/src/up-cli.ts`
+- `apps/gui/src/main.ts`
+- `apps/gui/src/renderer/App.tsx`
+- `apps/gui/src/renderer/settings/SettingsShell.tsx`
+- `apps/gui/src/renderer/settings/sections/ModelSection.tsx`
+- `apps/gui/src/renderer/settings/sections/ProviderSection.tsx`
+- `scripts/verify-m9-gui-cdp-e2e.ts`
+- `docs/SHIP.md`
+- `docs/ROADMAP.md`
+- `docs/CHANGELOG.md`
+
+## Risks
+
+- A foreground host without idle shutdown can run forever. That is intended because terminal ownership and Ctrl+C are visible to the user.
+- GUI/CUI auto-start must remain explicit about its 15 minute idle timeout; otherwise changing host defaults would make local helper daemons permanent.

package/docs/spec/ship/S0104-tool-result-artifacts.md

@@ -0,0 +1,64 @@
+# S0104: Tool Result Artifacts
+
+## Goal
+
+Keep long tool results useful without letting them dominate model context.
+
+When a tool result is too large, Scorel should preserve the full result as a session-owned artifact and put only a compact, actionable projection in the model-facing tool result.
+
+## Scope
+
+- Add a session-owned artifact path for oversized tool results:
+
+```text
+~/.scorel/sessions/{sessionId}.artifacts/{toolCallId}/result.txt
+```
+
+- Start with `Bash` stdout/stderr because it is the highest-risk long-output source.
+- Preserve the full command result in `result.txt`, including exit code, cwd, stdout, and stderr.
+- Return a compact tool result containing:
+  - exit code;
+  - cwd;
+  - full artifact path;
+  - complete result byte count;
+  - stdout/stderr byte counts;
+  - a budgeted head/tail projection of the oversized streams.
+- Treat `maxOutputBytes` as the total projection snippet budget across stdout/stderr, not as a per-stream head/tail allowance. For example, a 16,000-byte projection budget should not turn into 16,000 bytes of stdout head plus 16,000 bytes of stdout tail plus the same again for stderr.
+- Keep session JSONL append-only. Do not rewrite or delete old tool result events.
+- Keep diagnostics free of full prompt text and full tool results.
+- Keep Relay and attach-cache out of this storage path.
+
+## Not In Scope
+
+- Background Bash, task id, poll, stop, or monitor semantics.
+- Artifact retention policy, compression, upload, or remote retrieval.
+- Rewriting existing session JSONL files.
+- Applying artifact projection to `Read`, `Grep`, `Glob`, or MCP tools.
+- Provider-specific token accounting.
+
+## Acceptance Criteria
+
+- `Bash` output at or below the existing output limit behaves as before.
+- `Bash` output above the limit writes the complete result to `result.txt`.
+- Oversized `Bash` model-facing content includes the artifact path, `resultBytes`, and budgeted head/tail snippets instead of only the leading bytes.
+- The artifact file contains the complete stdout/stderr text, not only the projected snippets.
+- The tool result details expose artifact metadata for UI/diagnostics without requiring it to enter rebuilt model context.
+- Existing `buildContext()` behavior still strips tool execution details from replayed model context.
+- `pnpm --filter @scorel/core test -- src/tools/coding-tools.test.ts`
+- `pnpm --filter @scorel/daemon test -- src/embedded/embedded.test.ts`
+- `pnpm typecheck && pnpm test`
+
+## Impacted Files
+
+- `packages/core/src/tools/coding-tools.ts`
+- `packages/core/src/tools/coding-tools.test.ts`
+- `packages/core/src/session/index.ts`
+- `packages/daemon/src/index.ts`
+- CLI / GUI runtime creation paths that call `createRealRuntime`
+- `docs/ROADMAP.md`
+
+## Risks And Boundaries
+
+- Full command output can contain secrets. The artifact path is local session data and must not be copied into diagnostics, attach-cache, or Relay.
+- Head/tail snippets can still expose sensitive text. This is no worse than the current truncated result, but future permission policy should handle sensitive commands explicitly.
+- Artifact paths are local to the daemon-owning machine. Remote clients can see the path as evidence, but remote file retrieval is a separate future protocol.

package/docs/spec/ship/S0105-cli-update-and-gui-release.md

@@ -0,0 +1,128 @@
+# S0105: CLI Update And GUI Release
+
+## Goal
+
+Make Scorel's user-facing command surface complete enough for release users, and make CLI / GUI updates part of the same release story.
+
+## Scope
+
+- Add top-level `scorel version` / `scorel --version`.
+- Add manual `scorel update` and `scorel upgrade` commands for the public npm package.
+- Add Host-side automatic npm update checks:
+  - check npm latest once per hour
+  - install only when no active work is running, or active work has been stale for at least three hours
+  - after a successful background update, stop the Host with an `auto-update` reason so the next entry start uses the new binary
+- Keep `scorel` as the default interactive project command, and keep lifecycle/diagnostic commands grouped under product nouns: `host`, `pair`, `relay`, `webui`, `up`, `project`, `logs`.
+- Add GUI release packaging to the same GitHub Release:
+  - Electron macOS dmg + zip targets
+  - `latest-mac.yml`
+  - `.blockmap` metadata for incremental updates
+  - `electron-updater` bootstrap in packaged GUI builds
+- Add normal desktop update affordances:
+  - application menu `Check for Updates...`
+  - macOS status bar menu with show, settings, check updates, Host status, and quit
+- Document unsigned macOS build handling for users without an Apple Developer account.
+
+## Non-Goals
+
+- Do not add auth/account commands before Scorel has a real account system.
+- Do not add deprecated aliases for old command shapes.
+- Do not publish GUI through npm.
+- Do not claim notarization or Gatekeeper trust without Apple Developer signing credentials.
+- Do not make Relay or hosted WebUI own update state.
+
+## Contract
+
+### CLI Surface
+
+The stable user command groups are:
+
+```text
+scorel [--session <id>] [--cwd <dir>]
+scorel chat [--session <id>] [--cwd <dir>]
+scorel attach --session <id> --remote <ws-url> --token <token>
+scorel host start|serve|status|stop|reset
+scorel pair <pair-code>
+scorel relay serve
+scorel webui
+scorel up
+scorel project list|add|remove
+scorel logs
+scorel version
+scorel update
+scorel upgrade
+```
+
+This mirrors the broad shape used by mature agent CLIs: one default interactive command, explicit session/control commands, and a direct update command.
+
+### CLI Update
+
+`scorel update` and `scorel upgrade` both:
+
+- query `npm view @chanlerdev/scorel version`
+- compare against the installed package version with semver ordering
+- run `npm install -g @chanlerdev/scorel@<latest>` only when latest is newer
+- print a clear no-op message when already current
+
+Host auto-update uses the same updater helper. The active-work gate is generic: it reads Host runtime/queue activity, not filenames, paths, screenshots, or one failure sample.
+
+### GUI Release
+
+`apps/gui` remains private and separate from the npm CLI package. Release packaging uses Electron Builder with GitHub provider metadata so `electron-updater` can check the same GitHub Release.
+
+The release asset set is:
+
+```text
+<npm pack tarball>
+apps/gui/release/latest-mac.yml
+apps/gui/release/*.dmg
+apps/gui/release/*.dmg.blockmap
+apps/gui/release/*.zip
+apps/gui/release/*.zip.blockmap
+```
+
+The macOS Action runs with `CSC_IDENTITY_AUTO_DISCOVERY=false` until signing/notarization credentials exist.
+
+## Acceptance Criteria
+
+- `scorel --help` lists update/version commands.
+- `scorel --version` and `scorel version` print the installed version.
+- `scorel update` / `scorel upgrade` have tested npm check/install behavior.
+- Host auto-update gate is covered by tests.
+- GUI packaged app initializes `electron-updater` only when packaged.
+- GUI exposes manual update checks from both the application menu and the macOS status bar menu.
+- GUI registers a macOS status bar menu with Host status and common app actions.
+- Release script version lockstep includes `apps/gui/package.json`.
+- Release script uploads GUI installer/update metadata assets to GitHub Release.
+- README documents manual update, automatic update, GUI packaging, and unsigned macOS `xattr` workaround.
+
+## Test Requirements
+
+```bash
+pnpm --filter @scorel/app-cli test -- update-cli.test.ts
+pnpm --filter @scorel/app-gui test -- main-menu.test.ts
+node --test scripts/release-gui.test.mjs
+pnpm typecheck
+pnpm test
+git diff --check
+```
+
+## Affected Paths
+
+- `apps/cli/src/index.ts`
+- `apps/cli/src/update-cli.ts`
+- `apps/cli/src/daemon-cli.ts`
+- `packages/daemon/src/index.ts`
+- `apps/gui/package.json`
+- `apps/gui/src/main.ts`
+- `scripts/release.mjs`
+- `.github/workflows/release.yml`
+- `README.md`
+- `docs/SHIP.md`
+- `docs/ROADMAP.md`
+
+## Risks
+
+- `npm install -g` can fail on machines where the user lacks permission for the global prefix. The command reports the npm error instead of silently mutating local state.
+- Auto-updating a running Host cannot replace the current Node process in-place. The short-stop mechanism exits after successful installation; GUI/WebUI/CLI entrypoints can then start the new binary.
+- Unsigned macOS apps are viable for local distribution but not trustworthy public distribution. Notarization should be added once an Apple Developer account is available.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chanlerdev/scorel",
-  "version": "0.0.3",
+  "version": "0.0.5",
   "description": "Replayable, recoverable, remotely controllable AI Agent workspace.",
   "type": "module",
   "packageManager": "pnpm@11.1.2",
@@ -36,7 +36,9 @@
     "typecheck": "pnpm -r typecheck",
     "test": "pnpm -r test",
     "verify:m8-relay": "node --import tsx scripts/verify-m8-relay-e2e.ts",
-    "verify:m9-gui": "node --import tsx scripts/verify-m9-gui-e2e.ts",
+    "verify:m9-gui": "pnpm verify:m9-gui:service && pnpm verify:m9-gui:cdp",
+    "verify:m9-gui:service": "node --import tsx scripts/verify-m9-gui-e2e.ts",
+    "verify:m9-gui:cdp": "node --import tsx scripts/verify-m9-gui-cdp-e2e.ts",
     "scorel": "node --import tsx apps/cli/src/index.ts",
     "dev": "node --import tsx apps/cli/src/index.ts up",
     "gui": "pnpm --filter @scorel/app-gui dev"