agentgui 1.0.1019 → 1.0.1021

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (30) hide show
  1. package/.gm/disciplines/agentgui/mem-1779277005143-0-1352.json +1 -0
  2. package/.gm/disciplines/agentgui/memories/mem-c07fa3b0836edbe2-1352.md +8 -0
  3. package/.gm/memories/.flat-export-done +1 -0
  4. package/.gm/memories/mem-069ff10372ed1770-1375.md +8 -0
  5. package/.gm/memories/mem-0b681bf2340c8df1-3170.md +8 -0
  6. package/.gm/memories/mem-10a776effb7ce3a6-935.md +8 -0
  7. package/.gm/memories/mem-10d264b4f8e66fb4-1492.md +8 -0
  8. package/.gm/memories/mem-119cf70dd19aa0a5-2225.md +8 -0
  9. package/.gm/memories/mem-1fd31d6873e9c164-794.md +8 -0
  10. package/.gm/memories/mem-4dfac801d0378448-3676.md +8 -0
  11. package/.gm/memories/mem-59dd73a463e54948-871.md +8 -0
  12. package/.gm/memories/mem-70de7d5e71fcd439-2680.md +8 -0
  13. package/.gm/memories/mem-720d76c88e64f6ee-1967.md +8 -0
  14. package/.gm/memories/mem-8b438ef4c609b7af-401.md +8 -0
  15. package/.gm/memories/mem-92b199c2024ee1aa-2513.md +8 -0
  16. package/.gm/memories/mem-c0482039e6ab4c50-2047.md +8 -0
  17. package/.gm/memories/mem-d9f26358a7cd3bb8-866.md +8 -0
  18. package/.gm/memories/mem-dfe3b466fd5d1199-802.md +8 -0
  19. package/.gm/memories/mem-e0f9286aed2d5a06-1116.md +8 -0
  20. package/.gm/memories/mem-e1950b064099b7be-1895.md +8 -0
  21. package/.gm/memories/mem-e943b58115a02b4c-593.md +8 -0
  22. package/.gm/memories/mem-ee0596fa17c7102e-362.md +10 -0
  23. package/.gm/memories/mem-ee4450fbc311b583-1361.md +8 -0
  24. package/.gm/memories/mem-f3297e82df622649-1166.md +8 -0
  25. package/.gm/memories/mem-fb3b2a7395800041-525.md +8 -0
  26. package/.gm/memories/mem-fc5753f92ee7d654-966.md +8 -0
  27. package/.gm/mutables.yml +40 -0
  28. package/.gm/prd.yml +2456 -0
  29. package/AGENTS.md +6 -6
  30. package/package.json +1 -1
package/AGENTS.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # AgentGUI — Agent Notes
2
2
 
3
+ ## Sessions-rail selection dead-click fix (2026-07-03) — thirtieth run
4
+
5
+ User feedback: "layout and design choices look weird... make maximum sense." Live-browser audit of history/live tabs (screenshots + `window.__agentgui` state probing, not a full agent fan-out) found a real logic gap the prior 29 runs' visual sweeps never caught: the conversation rail (`ConversationList`) stays mounted on files/live/settings tabs (`keepSessionsTrack`) and is captioned "Browse a conversation's events" there — but `onSelect` (`site/app/js/app.js` sessions-column builder) only special-cased the chat tab (`resumeInChat`); every other tab fell through to `loadSession(sid)`, which sets `state.selectedSid`/fetches events but never switches tabs. Since only the History tab's `historyMain()` renders `state.events`, clicking a row while on Live/Files/Settings was a dead click — data loaded into state that nothing on screen displayed, with a caption promising an outcome the click didn't deliver. Fixed: selecting from any non-chat tab now navigates to history first. Verified live: `state.tab` was `'live'`, clicked `.ds-session-row`, `state.tab` became `'history'` with `selectedSid` set and the events endpoint fetched. **Standing rule: whenever a persistent-across-tabs component (kept mounted via a `keepXTrack` pattern) has an interaction whose effect is rendered by only ONE of the tabs it appears on, every OTHER tab's handler must produce the same visible effect (usually by navigating to the tab that renders it) — a component kept visually consistent across tabs but behaviorally inert on most of them is worse than not showing it at all.** No kit changes this run (app-only wiring fix). agentgui pushed `c1e4915`.
6
+
3
7
  ## Mobile sessions-drawer sliver fix (2026-07-03) — twenty-ninth run
4
8
 
5
9
  Scoped negative-space/attention follow-up (not a full agent fan-out) to the explicit "looks very diy" feedback. Live-browser screenshot + DOM measurement at 420px found a real regression the prior two runs' screenshot audits missed: the closed `.ws-sessions` drawer left a ~35px sliver visibly overlapping the chat content on mobile. Root cause in `../design` `app-shell.css`: the `<=1100px` breakpoint's closed-state `transform: translateX(-110%)` assumes the drawer's `left` is `0`; the `<=900px` breakpoint then shifts the drawer's `left` to `var(--ws-rail-w-collapsed)` (60px) so it sits right of the icon-only rail, but never adjusted the closed-state translate to match — `-110%` of a 248px-wide drawer is only -272.8px, undershooting the needed -308px (left + width) by ~35px. Fixed by overriding the closed-state transform inside the 900px block: `translateX(calc(-100% - var(--ws-rail-w-collapsed)))`, which scales correctly with both the drawer width and the rail offset. Verified via `getBoundingClientRect` before (x:-212.8, rightEdge:35.2 — visible) and after (x:-248, rightEdge:0 — fully clear) plus before/after screenshots. **Standing rule: any drawer/overlay whose `left`/`inset` changes across breakpoints must re-derive its closed-state transform from that breakpoint's own offset — a transform tuned for one breakpoint's geometry silently breaks at the next if the offset shifts underneath it.** Kit pushed `76b2bac`, agentgui pushed `4bb9f3f`.
@@ -24,7 +28,7 @@ Landed the highest-severity finding deferred from the 24th run (gui-completion #
24
28
 
25
29
  ## GUI completion sweep (2026-07-02) — twenty-fourth run
26
30
 
27
- `gui-completion` workflow wf_4a731841-832 (33 agents, 17 confirmed). Landed 5 of the smaller-scope findings: Live-tab dashboard state (sort/filter/errors-only) now round-trips through the URL hash (`lsort=`/`lfilter=`/`lerr=1`) and localStorage — previously `lv.filter` wasn't persisted anywhere and the whole dashboard view reverted to defaults on reload. Shortcuts overlay (`?`) now wraps its content in the kit's existing `FocusTrap` component instead of a bare `role=dialog` div — Tab could previously escape into the page behind the overlay. History event rows expose copy even when collapsed (was expanded-only). Settings agents panel gives a not-installed direct-runner agent (claude-code/agy) a "re-check" button, matching the ACP rows' "restart" affordance. **Caught and fixed a real CSRF-guard test gap**: adding the regression test for the upload-PUT route (`scripts/validate-mutations.mjs`), the first draft accidentally included the `Authorization` header — matching every other case in the file but testing the wrong scenario (a stolen-token request, not real cross-site CSRF) — and passed trivially at 200. Corrected to omit auth (the path a real cross-site attacker is actually limited to); the server's existing guard correctly rejects it. **Rule for any CSRF/auth regression test: match the real attacker's capability set exactly — copying a nearby test's header pattern can silently test the wrong threat model.** 12 findings deferred to their own re-scoped PRD row (mid-thread retry/fork, file-management move UX with folder-tree picker, event-level permalinks, rolling context-size indicator — each needs a larger architecture change than a targeted fix). No kit changes this run. Pushed `d3e2d1e`. 28/28 tests, 17/17 validate-mutations, 0 console errors.
31
+ `gui-completion` workflow wf_4a731841-832 (33 agents, 17 confirmed). Landed 5 smaller-scope findings (live-tab dashboard state persistence, shortcuts overlay FocusTrap, history copy-when-collapsed, settings re-check affordance) plus a CSRF-regression-test gap (a test's `Authorization` header accidentally matched the wrong threat model). Full detail in rs-learn (recall "agentgui 24th run GUI completion sweep"). Pushed `d3e2d1e`.
28
32
 
29
33
  ## GUI perceived-performance sweep (2026-07-02) — twenty-third run
30
34
 
@@ -103,11 +107,7 @@ One-product feel sweep (61 agents -> 40 gaps, `PUNCHLIST-COHESION.md`, workflow
103
107
 
104
108
  ## GUI predictability + polish sweep (2026-06-05) — fifth maximum-effort run
105
109
 
106
- Polish sweep on the shipped Claude-Desktop redesign (`wf_980345e1-201`, 65 agents -> 44 gaps, `PUNCHLIST-POLISH.md`); new workflow `.claude/workflows/gui-predictability-polish.js`. Landed `FileGrid` sort/filter/skeleton/keyboard, `SessionCard` words+disc status + last-activity/current-tool + `onStopAll`, `ChatMessage` streaming caret + `.chat-msg-actions`, `AgentChat` jump-to-latest, `ContextPane` last-turn usage, the load-bearing `<900px` drawer fix (`.ws-scrim` + `toggleWsDrawer`), and `confineToRoots()` realpath symlink-confinement on `/api/list,file,image`. The 7th run (above) supersedes/extends most of these. Full detail in rs-learn (recall "agentgui GUI predictability+polish sweep").
107
-
108
- **Security (`lib/http-handler.js`).** New `confineToRoots()` shared helper adds `fs.realpathSync` re-confinement to `/api/list`, `/api/file`, `/api/image` — a symlink living inside an allowed root but pointing OUTSIDE it passed the lexical prefix check but the resolved target now fails closed (symlink-escape / link-traversal, the workflow's one high-severity server gap).
109
-
110
- **Witness.** Live at `localhost:3000/gm/`, 0 console/page errors: shell+5 rail items, session groups [Today,Earlier], files sort(`size asc`)/filter-narrows/keyboard-focus-moves, grid `role=listbox`, live dashboard empty-state, ContextPane, jump button + scrim present; pane reflow chat=4cols files/live/settings=2cols(`ws-no-pane`) history=3cols with NO h-scroll on any tab; 420px mobile sessions-drawer opens + scrim visible + no h-scroll; whole-DOM glyph sweep count:0 (kept middot/ellipsis/dash). Kit `lint-tokens`+`lint-glyphs` pass on build. Deliberately scoped-out (noted in punch-list, not gaps): inline split-pane file preview (modal retained — predictable, focus-trapped) and persistent mid-conversation suggestions (empty-only starter pattern kept). Update flow unchanged: edit kit -> `node scripts/build.mjs` -> copy `dist/247420.{js,css}` into `site/app/vendor/anentrypoint-design/` -> witness -> push kit.
110
+ Superseded/extended by the 7th run. Load-bearing survivor: `confineToRoots()` in `lib/http-handler.js` applies `fs.realpathSync` re-confinement on `/api/list`, `/api/file`, `/api/image` symlink-escape fails closed. Full detail in rs-learn (recall "agentgui-fifth-run-polish-detail").
111
111
 
112
112
  ## Claude-Desktop redesign + embedding fix (2026-06-05) — fourth maximum-effort run
113
113
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agentgui",
3
- "version": "1.0.1019",
3
+ "version": "1.0.1021",
4
4
  "description": "Multi-agent ACP client with real-time communication",
5
5
  "type": "module",
6
6
  "main": "electron/main.js",