@hybridaione/hybridclaw 0.19.2 → 0.21.0

package/AGENTS.md

@@ -202,6 +202,12 @@ npm run dev                          # tsx src/cli.ts gateway (hot reload)
 npm run tui                          # tsx src/cli.ts tui
 ```
 
+### Runtime Diagnostics
+
+```bash
+hybridclaw gateway status             # gateway liveness, PID, build/version diagnostics
+```
+
 ---
 
 ## 6) Working Rules
@@ -212,6 +218,9 @@ npm run tui                          # tsx src/cli.ts tui
   task requires wider movement.
 - Match the existing TypeScript + ESM patterns in the touched area.
 - Update tests and docs when behavior, commands, or repo workflows change.
+- When implementing a new feature, ask before keeping any compatibility shim,
+  migration fallback, legacy alias, or feature flag solely for backward
+  compatibility.
 - Do not rename or relocate files in `templates/` without updating
   `src/workspace.ts` and the workspace bootstrap tests.
 - Do not mix container and gateway changes in one commit unless they are
@@ -220,6 +229,16 @@ npm run tui                          # tsx src/cli.ts tui
   relative to a prior version. Avoid "now", "no longer", "deprecated … for
   now", "recently added". The changelog is the place for transition language.
 
+### Diagnostics
+
+- Before diagnosing gateway/runtime issues, inspect the actual checkout, the
+  running process, runtime state, logs, and `hybridclaw gateway status`.
+- Use `hybridclaw gateway status` to compare the PID file, API-reported PID,
+  entrypoint, package root, Node version, Git commit/branch, and
+  source-vs-build freshness before concluding that a gateway is stale.
+- Do not restart the gateway unless the user explicitly requests or approves a
+  restart. If a restart would help, report the exact reason and command instead.
+
 ### Coding Style
 
 - **Language:** TypeScript (strict mode, ES2022 target, NodeNext modules, ESM).

package/CHANGELOG.md

@@ -2,6 +2,189 @@
 
 ## Unreleased
 
+## [0.21.0](https://github.com/HybridAIOne/hybridclaw/tree/v0.21.0) - 2026-05-29
+
+### Added
+
+- **A2A cross-instance transport**: Outbound A2A delivery can resolve
+  canonical peer IDs through the local deployment URL or active tunnel URL, the
+  public-key trust ledger, and DNS-style discovery, then dispatch over the A2A
+  transport with route invalidation and coverage for remote handoff delivery.
+- **Harness evolution loop**: Added `hybridclaw harness-evolve` for
+  eval-driven coworker workspace evolution, including seed validation,
+  round/rollout summaries, F12 manifest reporting, allowed-surface write
+  enforcement, and admin inspection support.
+- **Second-opinion command**: Added `/second-opinion` for stronger-model
+  comparison, validation of the last answer, and optional fact-checking with
+  web-search evidence. The command refreshes the model catalog, estimates
+  context/cost, honors per-agent budgets, and redacts or blocks confidential
+  payloads before remote model calls.
+- **Web response ratings**: Added thumbs-up/thumbs-down controls for persisted
+  web chat assistant responses, backed by idempotent per-operator ratings,
+  `response.rating` observability events, and Adaptive Skills feedback when a
+  response maps to a skill observation.
+- **Turn-level audit traces**: Added focused `/audit turn` and `/audit run`
+  trace views plus session trace export support for inspecting the exact
+  request, response, tool, approval, and audit events around one turn.
+- **Token agent budgets**: Agent budget config now supports token caps in
+  addition to USD/EUR spend caps, and board/job budget chips report token
+  usage with neutral, warning, and over-budget states.
+- **Per-channel brand-voice profiles**: The `output-guard` plugin can apply
+  channel-specific brand-voice profiles, blocked terms, rewrite behavior, and
+  guard configuration.
+- **`homematic` skill**: Added Homematic IP Home Control Unit state reads,
+  Connect API auth setup payloads, WebSocket message planning, guarded switch,
+  thermostat, shutter, scene, and safety-alarm control plans, and offline HCU
+  state fixture summaries.
+- **`fronius` skill**: Added Fronius photovoltaic monitoring through local
+  Fronius Solar API V1 and Solar.web Query API reads, including local health,
+  live power flow, energy rollups, cloud system/device/status endpoints, and
+  SecretRef-backed Solar.web access-key headers.
+
+### Changed
+
+- **Security fallback deprecations**: Added migration warnings for legacy
+  BlueBubbles query-param webhook auth, unbound `bearerSecretName` and
+  `secretHeaders` injection, and legacy `container.additionalMounts` config.
+  Existing setups continue to work during the deprecation window while docs and
+  `hybridclaw doctor security` point operators to header auth, bound bearer
+  secrets, and `container.binds`.
+- **A2A handoff ownership**: Handoff envelopes now preserve recipient
+  ownership and org-chart context so inbox views, persisted threads, and audit
+  records can distinguish handoff recipient responsibility from ordinary chat
+  routing.
+- **Slash-command rendering**: Web chat treats slash-command output as a
+  distinct command-result block instead of rendering it as ordinary assistant
+  prose, with stream metadata carried through history reloads.
+- **Admin console dialog behavior**: Console sheets were consolidated into the
+  dialog component, exit animation handling moved to the Web Animations API,
+  and focus guards were tightened for modal navigation.
+- **Console linting**: Added a console lint script and moved Biome scoping into
+  the shared config so root and console checks use the same formatting source
+  of truth.
+- **Roadmap status**: Updated internal roadmap status for merged A2A,
+  brand-voice, budget-chip, second-opinion, response-rating, harness
+  evolution, Homematic, Fronius, and T Cloud Public work, and added follow-up
+  rows for AWS, Blink, BYD Battery, Alexa, Hue, skill identity assets/chat
+  rendering, and pluggable secret backends.
+
+### Fixed
+
+- **Unknown provider prefixes**: Provider factory validation now rejects
+  unknown provider-prefixed model ids instead of falling through to an
+  unintended provider.
+- **Recovered skill tool failures**: Skill evaluations that recover from tool
+  failures are classified as partial instead of successful, and the admin
+  Skills page surfaces those partial states more clearly.
+- **Idle heartbeat runs**: Heartbeat scheduling skips idle agent runs instead
+  of creating empty proactive work.
+- **Web chat newlines**: Assistant message rendering preserves newlines in web
+  chat responses.
+- **npm signature audit attestation 404s**: Treat missing npm registry
+  attestation endpoint artifacts as best-effort after retries while keeping
+  registry signature validation failures fatal.
+- **Release workflow reruns**: Skip `npm publish` when the exact package
+  version already exists on npm so release reruns can complete after partial
+  publishes.
+
+## [0.20.0](https://github.com/HybridAIOne/hybridclaw/tree/v0.20.0) - 2026-05-26
+
+### Added
+
+- **Codex app-server runtime**: Added an optional `openai-codex/*` runtime
+  path through `codex app-server`, including HybridClaw callback MCP tools,
+  approval translation, transcript projection, and runtime-selector tests.
+- **Managed and Mac browser providers**: Added managed-cloud browser launch,
+  tenant navigation policy, provider health checks, and a macOS CUA browser
+  provider with `hybridclaw doctor cua-mac` diagnostics.
+- **Browser 2FA handoff**: Browser providers can detect two-factor and
+  device-check waypoints, park the run for operator escalation, and resume
+  without exposing credentials to the model.
+- **Admin console surfaces**: Added Agents Overview, Output Guard, richer
+  config editing, per-agent budget chips, job and chat UI improvements, and
+  admin secret overwrite/unset APIs that never return cleartext values.
+- **`hubspot` skill**: Adds HubSpot CRM reads and guarded writes for contacts,
+  companies, deals, notes, and tasks through SecretRef-backed bearer auth.
+- **`lexware-office` skill**: Adds Lexware Office contacts, invoices,
+  vouchers, receipts, posting categories, and payment-state workflows through
+  the Lexware Public API.
+- **`hetzner-cloud` skill**: Adds Hetzner Cloud inventory, cost, provisioning,
+  volume, snapshot, restore, and guarded delete workflows.
+- **`hetzner-dns` skill**: Adds Hetzner DNS zone and record inspection plus
+  guarded A, AAAA, CNAME, TXT, add, update, and delete workflows.
+- **`hetzner-storage-box` skill**: Adds Hetzner Storage Box inventory,
+  snapshot, WebDAV file, archive, upload, download, and public URL workflows.
+- **`zabbix` skill**: Adds Zabbix monitoring reads for API health, host
+  inventory, current problems, trigger severity summaries, and incident
+  context.
+- **`t-cloud-public` skill**: Adds T Cloud Public and Open Telekom Cloud
+  infrastructure inventory, quotas, service status, and guarded operation
+  planning with gateway-managed API signing.
+- **`mittwald` skill**: Adds mittwald mStudio and Kundencenter reads for
+  projects, apps, runtimes, databases, domains, mail, backups, files,
+  containers, and access users.
+- **`shelly` skill**: Adds Shelly local and cloud device inspection plus
+  guarded relay, switch, light, and cover control workflows.
+- **`fax-send` skill**: Adds outbound fax preparation and explicitly approved
+  send workflows for configured fax providers.
+- **`distil-pii-redactor` skill**: Adds local PII redaction and anonymization
+  with Distil-PII and `llama.cpp` so sensitive text can be sanitized before it
+  reaches external tools.
+- **`warehouse-sql` skill**: Adds reviewed natural-language SQL workflows with
+  cached schema inspection, model-review enforcement, and guarded execution
+  for warehouse queries.
+- **Fax channel docs and accounting**: Added outbound fax skill support,
+  provider-facing fax accounting helpers, eval scenarios, and setup
+  documentation for fax workflows.
+- **Adaptive Skills SkillOpt-lite**: Added trajectory minibatch reflection,
+  bounded edit candidates, candidate artifacts, held-out evaluation gates, and
+  acceptance tests for the adaptive-skills amendment loop.
+- **Board dependency edges**: Board cards can carry typed `blocks`,
+  `blocked_by`, and `related` edges so work-board status and future
+  coordination surfaces can reason about dependencies.
+- **Supply-chain guardrails**: Added dependency-audit workflow coverage,
+  shrinkwrap synchronization, release-check updates, and dependency policy
+  baselines.
+- **Google OAuth recovery hint**: Authentication diagnostics include an
+  actionable recovery hint when Google OAuth state needs to be refreshed.
+
+### Changed
+
+- **Diagram validation and accounting**: Mermaid diagrams are validated with
+  the bundled Mermaid parser before render, diagram render artifacts retain
+  skill-scoped source/rendered metadata, and local diagram renders emit
+  zero-cost usage hooks so budget accounting only reflects LLM token use.
+- **Skill amendment safety**: Skill amendment generation and application now
+  enforce tighter best-practice constraints, clearer formatting, and rollback
+  evaluation behavior.
+- **SkillOpt roadmap status**: Roadmap docs reflect the full SkillOpt-lite
+  implementation status after the acceptance gates landed.
+- **Auxiliary routing and provider health**: Auxiliary model calls prefer
+  healthy local providers when configured and route through health-aware
+  fallback decisions.
+- **FastBill wrapper guidance**: FastBill API helper instructions and guard
+  rails are stricter to reduce model-side request reconstruction mistakes.
+- **Runtime and docs diagnostics**: Gateway status and operator docs describe
+  the current runtime, managed-browser, threat-model, and skill setup surfaces
+  more completely.
+- **Conversation preview logging**: Web chat diagnostics label conversation
+  preview roles more clearly.
+
+### Fixed
+
+- **Remote A2A routing bug**: Fixed `sendMessage` delivery for remote A2A
+  recipients that were incorrectly treated as local recipients.
+- **Skill CLI runtime bug**: Fixed skill CLI runtime initialization so skill
+  commands start with the expected runtime context.
+- **Targeted skill learning bug**: Fixed targeted skill learning so quiet
+  learning paths do not emit unnecessary operator-facing output.
+- **Admin SPA navigation bug**: Fixed admin job links that triggered full-page
+  reloads instead of staying inside the existing SPA route.
+- **Observability ingest token bug**: Fixed stale observability ingest tokens
+  that could cause ingest requests to fail after token rotation.
+- **Chat error banner bug**: Fixed web chat error banners that could remain
+  visible after the underlying error state cleared.
+
 ## [0.19.2](https://github.com/HybridAIOne/hybridclaw/tree/v0.19.2) - 2026-05-14
 
 ### Fixed

package/README.md

@@ -20,8 +20,8 @@ credentials, approvals, persistent memory, and admin surfaces behind a single
 gateway.
 
 Connect it to Discord, Discord Incoming Webhooks, Slack, Slack Incoming
-Webhooks, Signal, WhatsApp, Telegram, Microsoft Teams, email, Twilio voice, or
-the web. Run it locally, deploy it for business workflows, and keep your
+Webhooks, Signal, WhatsApp, Telegram, Microsoft Teams, email, fax, Twilio
+voice, or the web. Run it locally, deploy it for business workflows, and keep your
 agents, secrets, and data under your control.
 
 [Quick Start](https://hybridaione.github.io/hybridclaw/docs/getting-started/quickstart) ·
@@ -79,7 +79,8 @@ Open locally:
 
 - Chat UI: `http://127.0.0.1:9090/chat`
 - Admin UI: `http://127.0.0.1:9090/admin` for channels, versioned agent files,
-  scheduler, audit, statistics, config, and channel-specific instructions
+  scheduler, audit, statistics, config, secrets, output guard, and
+  channel-specific instructions
 - Agents UI: `http://127.0.0.1:9090/agents`
 - OpenAI-compatible API: `http://127.0.0.1:9090/v1/models` and `http://127.0.0.1:9090/v1/chat/completions`
 
@@ -116,11 +117,15 @@ Once the gateway is running, open HybridClaw locally:
 - Web Chat accepts `/btw <question>` side questions while a primary run is
   active, so you can ask an ephemeral follow-up without interrupting the
   current run
+- Web Chat renders slash-command output as command results and lets operators
+  rate persisted assistant responses with thumbs-up/down feedback that feeds
+  observability and skill-improvement signals
 - Admin Console: `http://127.0.0.1:9090/admin` for channels, versioned agent files,
-  scheduler, audit, statistics, config, and channel-specific instructions
+  scheduler, audit, statistics, config, secrets, output guard, A2A inbox threads, and
+  channel-specific instructions
 - Agent Dashboard: `http://127.0.0.1:9090/agents`
 - or connect Discord, Discord Incoming Webhooks, Slack, Slack Incoming
-  Webhooks, Signal, WhatsApp, Telegram, Microsoft Teams, Email
+  Webhooks, Signal, WhatsApp, Telegram, Microsoft Teams, Email, Fax
 
 ## Operator workflows
 
@@ -145,12 +150,19 @@ Once the gateway is running, open HybridClaw locally:
   spend summaries without scanning every stored session on page load.
 - `/admin/agent-scoreboard` ranks agents by observed skill scores, reliability,
   timing, best skills, and CV links.
+- `/audit turn <n>` and `/audit run <runId>` show focused turn traces for
+  debugging one request without reading the full session audit stream.
 - `hybridclaw agent config` accepts generated JSON payloads to upsert agent
   metadata, write bootstrap markdown, import profile images into the agent
   workspace, and optionally activate the agent.
 - `/admin/channels` edits transport config, encrypted channel credentials,
   Signal QR linking, Twilio voice settings, and per-channel instructions that
   are injected into prompts at runtime.
+- `/admin/secrets` lists stored and declared-but-empty secrets by metadata
+  only, supports overwrite and unset actions, and never returns cleartext
+  secret values to the browser.
+- `/admin/output-guard` configures response guardrails and plugin-backed
+  output classification without editing runtime config by hand.
 - `slack_webhook` targets provide outbound-only Slack Incoming Webhook delivery
   with encrypted webhook URLs, named destinations, Block Kit text chunking,
   reachability status, and POST-only network policy grants.
@@ -160,6 +172,8 @@ Once the gateway is running, open HybridClaw locally:
 - `/admin/approvals` manages approval policies from the browser.
 - Approval policy evaluation runs through a hook-fed rule pipeline, so
   workspace policy ordering and plugin tool-use hooks share one approval path.
+- `/admin/a2a-inbox` shows read-only A2A message threads across the instance,
+  with sender, recipient, timestamp, intent, and content for each message.
 - `/admin/a2a-trust` shows the local A2A public-key trust ledger for paired
   peer instances.
 - `/admin/gateway` reloads runtime config and refreshes secrets from the
@@ -171,6 +185,9 @@ Once the gateway is running, open HybridClaw locally:
 - `/goal` stores a standing completion condition for the current thread and
   queues supervised continuations until the goal is judged complete, paused,
   cleared, interrupted, or blocked by approval policy.
+- `/second-opinion` asks a stronger configured model to compare a question,
+  validate the last answer, or fact-check with web-search evidence while
+  honoring configured model context, confidentiality, and agent-budget limits.
 - `proactive.delegation.model` can pin delegated work to a different model
   from the parent turn; `/status` shows delegate token totals and local-token
   share when that split is configured.
@@ -180,11 +197,18 @@ Once the gateway is running, open HybridClaw locally:
   Cloudflare Tunnel providers read `NGROK_AUTHTOKEN`, `TS_AUTHKEY`,
   `CLOUDFLARE_TUNNEL_TOKEN`, and Cloudflare certificate credentials from the
   encrypted runtime secret store.
+- A2A cross-instance delivery resolves canonical peer IDs in order from the
+  local deployment URL or active tunnel URL, the A2A public-key trust ledger,
+  then DNS-style discovery when `HYBRIDCLAW_IDENTITY_DISCOVERY_ZONE` is
+  configured.
 - `container.warmPool` keeps a bounded adaptive pool of idle host/container
   runtimes for recently active agents when low cold-start latency matters.
 - `container.persistBashState` controls whether bash tool calls share shell
   state (`cd`, exported env vars, aliases) across turns in the same active
   runtime session; `/admin/config` exposes the same setting as `Persistent bash state`.
+- Agent budget config supports monthly USD/EUR caps and token caps; job and
+  board budget chips show neutral, warning, and over-budget states for
+  configured agents.
 - `security.confidentialRedactionEnabled` controls whether optional
   `.confidential.yml` rules redact prompts and block matching outbound text;
   `/admin/config` exposes the same setting as `Confidential leak guard`.
@@ -212,6 +236,10 @@ Once the gateway is running, open HybridClaw locally:
 - `hybridclaw skill list blocked` and `hybridclaw skill unblock <name>` let
   local operators review scanner-blocked skills and record a bypass marker for
   the installed copy when the finding has been accepted.
+- Bundled skills include CRM, finance, infrastructure, monitoring,
+  home-automation and solar monitoring, fax, local PII redaction, media,
+  search, and office workflows. Skill setup guides live in the
+  [Skills Catalog](https://hybridaione.github.io/hybridclaw/docs/guides/skills/).
 - The bundled tutorials cover owner, GTM, marketing, sales, DevRel, content,
   invoicing, webinar, and release-launch workflows that can run from the TUI,
   web chat, or connected channels.
@@ -264,8 +292,9 @@ Once the gateway is running, open HybridClaw locally:
 - Bundled skills include API-backed Google Workspace workflows (`gog`, `gws`),
   Salesforce inspection, GitHub issue queue processing (`gh-issues`),
   monthly SaaS invoice harvesting (`download-platform-invoices`), Airtable,
-  FastBill, managed or self-hosted Firecrawl, Google Ads, GA4 reporting,
-  HeyGen, Hermes3000 long-form writing, natural-language warehouse SQL
+  FastBill, Lexware Office, managed or self-hosted Firecrawl, Google Ads, GA4 reporting,
+  HeyGen, Hermes3000 long-form writing, Fronius solar monitoring, Homematic
+  HCU state/control planning, natural-language warehouse SQL
   (`warehouse-sql`), brand-voice drafting, speech transcription and language
   detection (`speech.transcribe`, `speech.detect-language`), validated
   diagram-as-code creation through `diagram`, and editable Excalidraw diagram

package/community-skills/meme-generation/SKILL.md

@@ -8,7 +8,7 @@ requires:
 metadata:
   hybridclaw:
     short_description: Generate memes.
-    category: creativity
+    category: media
     tags:
       - creative
       - memes

package/config.example.json

@@ -1,5 +1,5 @@
 {
-  "version": 28,
+  "version": 29,
   "security": {
     "trustModelAccepted": false,
     "trustModelAcceptedAt": "",
@@ -26,6 +26,11 @@
       "headed": false,
       "launchOptions": {}
     },
+    "managedCloud": {
+      "endpointUrl": "http://127.0.0.1:8787",
+      "defaultTenantId": "",
+      "pricing": {}
+    },
     "browserUseCloud": {
       "apiKeyRef": {
         "source": "store",
@@ -34,6 +39,12 @@
       "baseUrl": "",
       "browser": {},
       "pricing": {}
+    },
+    "macCua": {
+      "browser": "chrome",
+      "driverCommand": "",
+      "driverArgs": [],
+      "screenshotMode": "som"
     }
   },
   "skills": {
@@ -304,7 +315,8 @@
     "models": ["gpt-4.1-mini", "gpt-5-nano", "gpt-5"]
   },
   "codex": {
-    "baseUrl": "https://chatgpt.com/backend-api/codex"
+    "baseUrl": "https://chatgpt.com/backend-api/codex",
+    "turnRuntime": "hybridclaw"
   },
   "anthropic": {
     "enabled": false,
@@ -632,55 +644,5 @@
     "ralph": {
       "maxIterations": 0
     }
-  },
-  "scheduler": {
-    "jobs": [
-      {
-        "id": "resource-hygiene",
-        "name": "Resource Hygiene",
-        "description": "Runs conservative doctor-based resource hygiene twice daily and auto-applies only safe cleanup.",
-        "schedule": {
-          "kind": "every",
-          "at": null,
-          "everyMs": 43200000,
-          "expr": null,
-          "tz": "UTC"
-        },
-        "action": {
-          "kind": "system_event",
-          "message": "resource_hygiene_maintenance"
-        },
-        "delivery": {
-          "kind": "last-channel",
-          "channel": "",
-          "to": "",
-          "webhookUrl": ""
-        },
-        "enabled": true
-      },
-      {
-        "id": "morning-standup",
-        "name": "Daily Standup Report",
-        "description": "Runs standup summary every weekday at 9am.",
-        "schedule": {
-          "kind": "cron",
-          "at": null,
-          "everyMs": null,
-          "expr": "0 9 * * 1-5",
-          "tz": "America/New_York"
-        },
-        "action": {
-          "kind": "agent_turn",
-          "message": "Post a brief morning standup update for the team."
-        },
-        "delivery": {
-          "kind": "channel",
-          "channel": "discord",
-          "to": "123456789012345678",
-          "webhookUrl": ""
-        },
-        "enabled": false
-      }
-    ]
   }
 }

package/console/dist/assets/chat-BBTk0x5Q.css

@@ -0,0 +1 @@
+._wrap_jrif0_1{flex-shrink:0;justify-content:center;align-items:center;width:34px;height:34px;display:inline-flex;position:relative}._trigger_jrif0_11{appearance:none;width:34px;height:34px;color:inherit;cursor:pointer;background:0 0;border:none;border-radius:999px;justify-content:center;align-items:center;padding:0;transition:background .12s;display:flex}._trigger_jrif0_11:hover,._trigger_jrif0_11:focus-visible{background:var(--muted);outline:none}._ring_jrif0_33{transform:rotate(-90deg)}._ringTrack_jrif0_37{fill:none;stroke:var(--line);stroke-width:3.5px}._ringFill_jrif0_43{fill:none;stroke-width:3.5px;stroke-linecap:round;transition:stroke-dashoffset .4s,stroke .2s}._ringFillNominal_jrif0_52{stroke:var(--primary)}._ringFillWarn_jrif0_56{stroke:var(--accent,#d97706)}._ringFillDanger_jrif0_60{stroke:var(--danger,#dc2626)}._ringLabel_jrif0_64{color:var(--muted-foreground);pointer-events:none;letter-spacing:0;justify-content:center;align-items:center;font-size:.62rem;font-weight:700;display:flex;position:absolute;inset:0}._ringLabelUnknown_jrif0_77{font-size:.7rem}._popover_jrif0_81{background:var(--popover);border:1px solid var(--line);border-radius:var(--radius-md);min-width:240px;box-shadow:var(--shadow-popover);color:var(--text);z-index:30;opacity:0;pointer-events:none;flex-direction:column;gap:6px;padding:10px 12px;font-size:.8rem;transition:opacity .15s,transform .15s;display:flex;position:absolute;top:calc(100% + 6px);right:0;transform:translateY(-4px)}._wrap_jrif0_1:hover ._popover_jrif0_81,._wrap_jrif0_1:focus-within ._popover_jrif0_81{opacity:1;pointer-events:auto;transform:translateY(0)}._popoverTitle_jrif0_112{color:var(--text);justify-content:space-between;gap:8px;font-size:.82rem;font-weight:600;display:flex}._popoverTitleValue_jrif0_121{color:var(--muted-foreground);font-weight:500}._popoverRow_jrif0_126{color:var(--muted-foreground);justify-content:space-between;gap:12px;display:flex}._popoverRowValue_jrif0_133{color:var(--text);font-variant-numeric:tabular-nums}._popoverProgress_jrif0_138{background:var(--muted);border-radius:999px;width:100%;height:6px;margin-top:2px;position:relative;overflow:hidden}._popoverProgressFill_jrif0_148{background:var(--primary);transition:width .4s,background .2s;position:absolute;inset:0 auto 0 0}._popoverProgressFillWarn_jrif0_157{background:var(--accent,#d97706)}._popoverProgressFillDanger_jrif0_161{background:var(--danger,#dc2626)}._popoverFoot_jrif0_165{color:var(--muted-foreground);margin-top:2px;font-size:.72rem}