bosun 0.32.0 → 0.33.0

package/.env.example

@@ -332,9 +332,9 @@ TELEGRAM_MINIAPP_ENABLED=false
 # by the next agent working on that branch. Default: true
 # TASK_UPSTREAM_SYNC_MAIN=true
 
-# ─── GitHub App (Bosun[botswain] Identity + Auth) ────────────────────────────
-# App: https://github.com/apps/bosun-botswain  (slug: bosun-botswain)
-# Bot identity: bosun-botswain[bot]  (appears as contributor on every agent commit)
+# ─── GitHub App (Bosun[VE] Identity + Auth) ────────────────────────────
+# App: https://github.com/apps/bosun-ve  (slug: bosun-ve)
+# Bot identity: bosun-ve[bot]  (appears as contributor on every agent commit)
 #
 # Numeric App ID (shown on the App settings page under "About"):
 # BOSUN_GITHUB_APP_ID=2911413
@@ -350,9 +350,9 @@ TELEGRAM_MINIAPP_ENABLED=false
 # BOSUN_GITHUB_WEBHOOK_SECRET=
 #
 # Path to the PEM private key downloaded from App settings → Generate a private key:
-# BOSUN_GITHUB_PRIVATE_KEY_PATH=/path/to/bosun-botswain.pem
+# BOSUN_GITHUB_PRIVATE_KEY_PATH=/path/to/bosun-ve.pem
 #
-# ─── GitHub App Settings (enable all three in https://github.com/settings/apps/bosun-botswain) ────
+# ─── GitHub App Settings (enable all three in https://github.com/settings/apps/bosun-ve) ────
 # ✅ Callback URL  →  http://127.0.0.1:54317/github/callback  (set this FIRST, then Save)
 # ✅ "Request user authorization (OAuth) during installation"  →  ON
 #      GitHub does OAuth at install time, redirecting to the Callback URL with

package/README.md

@@ -36,6 +36,7 @@ bosun --setup
 ```
 
 Requires:
+
 - Node.js 18+
 - Git
 - Bash (for `.sh` wrappers) or PowerShell 7+ (for `.ps1` wrappers)
@@ -60,6 +61,7 @@ Requires:
 **Source docs (markdown):** `_docs/` is the source of truth for long-form documentation. The website should be generated from the same markdown content so docs stay in sync.
 
 Key references:
+
 - [GitHub adapter enhancements](_docs/KANBAN_GITHUB_ENHANCEMENT.md)
 - [GitHub Projects v2 index](_docs/GITHUB_PROJECTS_V2_INDEX.md)
 - [GitHub Projects v2 quickstart](_docs/GITHUB_PROJECTS_V2_QUICKSTART.md)
@@ -79,6 +81,7 @@ Bosun enforces a strict quality pipeline in both local hooks and CI:
 
 - **Pre-commit hooks** auto-format and lint staged files.
 - **Pre-push hooks** run targeted checks based on changed files (Go, portal, docs).
+- **Demo load smoke test** runs in `npm test` and blocks push if `site/indexv2.html` or `site/ui/demo.html` fails to load required assets.
 - **Prepublish checks** validate package contents and release readiness.
 
 Local commands you can run any time:

package/agent-prompts.mjs

@@ -119,6 +119,12 @@ const PROMPT_DEFS = [
     description:
       "Task management agent prompt with full CRUD access via CLI and REST API.",
   },
+  {
+    key: "frontendAgent",
+    filename: "frontend-agent.md",
+    description:
+      "Front-end specialist agent with screenshot-based validation and visual verification.",
+  },
 ];
 
 export const AGENT_PROMPT_DEFINITIONS = Object.freeze(
@@ -604,6 +610,75 @@ Types: feat, fix, docs, refactor, test, chore
 Statuses: draft → todo → inprogress → inreview → done
 
 See .bosun/agents/task-manager.md for full documentation.
+`,
+  frontendAgent: `# Frontend Specialist Agent
+
+You are a **front-end development specialist** agent managed by Bosun.
+
+## Core Responsibilities
+
+1. Implement HTML, CSS, and JavaScript/TypeScript UI changes
+2. Build responsive, accessible UI components
+3. Ensure visual accuracy matching specifications
+4. Validate changes through automated testing AND visual verification
+
+## Special Skills
+
+- CSS Grid/Flexbox layout
+- Component architecture (React, Preact, Vue, Svelte, vanilla)
+- Responsive design (mobile-first)
+- Accessibility (WCAG 2.1 AA)
+- CSS animations and transitions
+- Design system adherence
+
+## CRITICAL: Evidence-Based Validation
+
+After completing implementation, you MUST collect visual evidence:
+
+### Screenshot Protocol
+1. Start the dev server if not already running
+2. Navigate to every page/component you modified
+3. Take screenshots at THREE viewport sizes:
+   - Desktop (1920×1080)
+   - Tablet (768×1024)
+   - Mobile (375×812)
+4. Save ALL screenshots to \`.bosun/evidence/\` directory
+5. Use descriptive filenames: \`<page>-<viewport>-<timestamp>.png\`
+6. Also screenshot any interactive states (modals, dropdowns, hover states)
+
+### Evidence Naming Convention
+\`\`\`
+.bosun/evidence/
+  homepage-desktop-1234567890.png
+  homepage-tablet-1234567890.png
+  homepage-mobile-1234567890.png
+  modal-open-desktop-1234567890.png
+  dark-mode-desktop-1234567890.png
+\`\`\`
+
+## Workflow
+1. Read task requirements and any linked designs/specs
+2. Load relevant skills from \`.bosun/skills/\`
+3. Implement frontend changes
+4. Run build: \`npm run build\` (zero errors AND zero warnings)
+5. Run lint: \`npm run lint\`
+6. Run tests: \`npm test\`
+7. Start dev server and collect screenshots (see protocol above)
+8. Commit with conventional format: \`feat(ui): ...\` or \`fix(ui): ...\`
+9. Push branch
+
+## IMPORTANT: Do NOT mark the task complete
+The Bosun workflow engine handles completion verification.
+An independent model will review your screenshots against the task
+requirements before the task is marked as done.
+
+## Task Context
+- Task: {{TASK_TITLE}}
+- Description: {{TASK_DESCRIPTION}}
+- Branch: {{BRANCH}}
+- Working Directory: {{WORKTREE_PATH}}
+
+{{COAUTHOR_INSTRUCTION}}
 `,
 };
 
@@ -670,19 +745,40 @@ export function getDefaultPromptTemplate(key) {
   return DEFAULT_PROMPTS[key] || "";
 }
 
-export function renderPromptTemplate(template, values = {}) {
+export function renderPromptTemplate(template, values = {}, rootDir) {
   if (typeof template !== "string") return "";
   const normalized = {};
   for (const [k, v] of Object.entries(values || {})) {
     normalized[String(k).trim().toUpperCase()] = normalizeTemplateValue(v);
   }
 
-  return template.replace(/\{\{\s*([A-Za-z0-9_]+)\s*\}\}/g, (full, key) => {
+  // Resolve namespaced library refs: {{prompt:name}}, {{agent:name}}, {{skill:name}}
+  let result = template;
+  if (rootDir && _libraryResolver) {
+    try {
+      result = _libraryResolver(result, rootDir, {});
+    } catch {
+      // library resolver failed — skip namespaced refs
+    }
+  }
+
+  return result.replace(/\{\{\s*([A-Za-z0-9_]+)\s*\}\}/g, (full, key) => {
     const hit = normalized[String(key).toUpperCase()];
     return hit == null ? "" : hit;
   });
 }
 
+/**
+ * Register the library reference resolver. Called by library-manager or at
+ * startup to enable {{prompt:name}}, {{agent:name}}, {{skill:name}} syntax.
+ *
+ * @param {(template: string, rootDir: string, vars: Object) => string} resolver
+ */
+let _libraryResolver = null;
+export function setLibraryResolver(resolver) {
+  _libraryResolver = typeof resolver === "function" ? resolver : null;
+}
+
 export function resolvePromptTemplate(template, values, fallback) {
   const base = typeof fallback === "string" ? fallback : "";
   if (typeof template !== "string" || !template.trim()) return base;

package/anomaly-detector.mjs

@@ -1211,3 +1211,57 @@ export function createAnomalyDetector(options = {}) {
  */
 
 export default AnomalyDetector;
+
+// ── Workflow Engine Integration ─────────────────────────────────────────────
+
+/**
+ * Registered workflow engine reference for anomaly → workflow triggers.
+ * @type {import("./workflow-engine.mjs").WorkflowEngine | null}
+ */
+let _workflowEngine = null;
+
+/**
+ * Register a workflow engine to receive anomaly trigger events.
+ * When set, every anomaly emitted will also call engine.evaluateTriggers("anomaly", anomalyData).
+ *
+ * @param {import("./workflow-engine.mjs").WorkflowEngine} engine
+ */
+export function setWorkflowEngine(engine) {
+  _workflowEngine = engine;
+}
+
+/** Get the currently registered workflow engine (or null) */
+export function getWorkflowEngine() {
+  return _workflowEngine;
+}
+
+/**
+ * Create an onAnomaly callback that also fires workflow triggers.
+ * Wraps the user's original callback and additionally invokes
+ * evaluateTriggers on the registered workflow engine.
+ *
+ * @param {(anomaly: Anomaly) => void} [originalCallback]
+ * @returns {(anomaly: Anomaly) => void}
+ */
+export function wrapAnomalyCallback(originalCallback) {
+  return (anomaly) => {
+    // Always call the original callback
+    if (originalCallback) originalCallback(anomaly);
+
+    // Fire workflow triggers if engine is registered
+    if (_workflowEngine?.evaluateTriggers) {
+      try {
+        _workflowEngine.evaluateTriggers("anomaly", {
+          anomalyType: anomaly.type,
+          severity: anomaly.severity,
+          agentId: anomaly.processId || anomaly.shortId,
+          message: anomaly.message,
+          action: anomaly.action,
+          taskTitle: anomaly.taskTitle,
+          data: anomaly.data,
+          timestamp: Date.now(),
+        });
+      } catch { /* workflow trigger errors should not break anomaly detection */ }
+    }
+  };
+}

package/codex-config.mjs

@@ -1618,6 +1618,110 @@ export function printConfigSummary(result, log = console.log) {
   log(`     Config: ${result.path}`);
 }
 
+// ── Trusted Projects ─────────────────────────────────────────────────────────
+
+/**
+ * Escape a string for use inside a double-quoted TOML basic string.
+ * Handles backslashes (Windows paths) and double-quote characters.
+ */
+function tomlEscapeStr(s) {
+  return String(s).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}
+
+/**
+ * Format an array of strings as a TOML array literal, correctly escaping
+ * backslashes so Windows paths are stored faithfully.
+ *
+ * Example output:  ["C:\\Users\\jon\\bosun", "/home/jon/bosun"]
+ */
+function formatTomlArrayEscaped(values) {
+  return `[${values.map((v) => `"${tomlEscapeStr(v)}"`).join(", ")}]`;
+}
+
+/**
+ * Parse a TOML basic-string array literal, unescaping backslash sequences.
+ */
+function parseTomlArrayLiteralEscaped(raw) {
+  if (!raw) return [];
+  const inner = raw.trim().replace(/^\[/, "").replace(/\]$/, "");
+  if (!inner.trim()) return [];
+  // Split on commas that are NOT inside quotes
+  const items = [];
+  let buf = "";
+  let inStr = false;
+  for (let i = 0; i < inner.length; i++) {
+    const ch = inner[i];
+    if (ch === "\\" && inStr) { buf += ch + (inner[++i] || ""); continue; }
+    if (ch === '"') { inStr = !inStr; buf += ch; continue; }
+    if (ch === "," && !inStr) { items.push(buf.trim()); buf = ""; continue; }
+    buf += ch;
+  }
+  if (buf.trim()) items.push(buf.trim());
+  return items
+    .map((item) => item.replace(/^"(.*)"$/s, "$1"))              // strip outer quotes
+    .map((item) => item.replace(/\\(["\\])/g, "$1"))             // unescape \" and \\
+    .filter(Boolean);
+}
+
+/**
+ * Ensure the given directory paths are listed in the `trusted_projects`
+ * top-level key in ~/.codex/config.toml.
+ *
+ * Codex refuses to load a per-project .codex/config.toml unless the project
+ * directory appears in this list — producing warnings like:
+ *   "⚠ Project config.toml files are disabled … add <dir> as a trusted project"
+ *
+ * Paths are stored as-is (forward or back slashes preserved) with proper TOML
+ * escaping so Windows paths survive round-trips through the file.
+ *
+ * @param {string[]} paths   Absolute directories to trust (e.g. [bosunHome])
+ * @param {{ dryRun?: boolean }} [opts]
+ * @returns {{ added: string[], already: string[], path: string }}
+ */
+export function ensureTrustedProjects(paths, { dryRun = false } = {}) {
+  const result = { added: [], already: [], path: CONFIG_PATH };
+  const desired = (paths || []).map((p) => resolve(p)).filter(Boolean);
+  if (desired.length === 0) return result;
+
+  let toml = readCodexConfig() || "";
+
+  // Parse existing trusted_projects (multi-line arrays may span lines)
+  const existingMatch = toml.match(/^trusted_projects\s*=\s*(\[[^\]]*\])/m);
+  const existing = existingMatch ? parseTomlArrayLiteralEscaped(existingMatch[1]) : [];
+
+  let changed = false;
+  for (const p of desired) {
+    if (existing.includes(p)) {
+      result.already.push(p);
+    } else {
+      existing.push(p);
+      result.added.push(p);
+      changed = true;
+    }
+  }
+
+  if (!changed) return result;
+  if (dryRun) return result;
+
+  const newLine = `trusted_projects = ${formatTomlArrayEscaped(existing)}`;
+
+  if (existingMatch) {
+    toml = toml.replace(/^trusted_projects\s*=\s*\[[^\]]*\]/m, newLine);
+  } else {
+    // Insert before the first section header (or at top if no sections)
+    const firstSection = toml.search(/^\[/m);
+    if (firstSection === -1) {
+      toml = `${newLine}\n${toml}`;
+    } else {
+      toml = `${toml.slice(0, firstSection)}${newLine}\n\n${toml.slice(firstSection)}`;
+    }
+  }
+
+  mkdirSync(CODEX_DIR, { recursive: true });
+  writeFileSync(CONFIG_PATH, toml, "utf8");
+  return result;
+}
+
 // ── Internal Helpers ─────────────────────────────────────────────────────────
 
 function escapeRegex(str) {

package/github-app-auth.mjs

@@ -2,7 +2,7 @@
 /**
  * github-app-auth.mjs — GitHub App JWT + Installation Token helpers
  *
- * Provides credential helpers for the Bosun[botswain] GitHub App:
+ * Provides credential helpers for the Bosun[VE] GitHub App:
  *   - signAppJWT()                        — RS256 JWT proving Bosun IS the app
  *   - getInstallationToken(installationId) — short-lived install access token
  *   - getInstallationTokenForRepo(owner,repo) — auto-resolves install from repo
@@ -90,7 +90,7 @@ export async function getInstallationToken(installationId) {
         Authorization: `Bearer ${jwt}`,
         Accept: "application/vnd.github+json",
         "X-GitHub-Api-Version": "2022-11-28",
-        "User-Agent": "bosun-botswain",
+        "User-Agent": "bosun-ve",
       },
     },
   );
@@ -123,7 +123,7 @@ export async function getInstallationTokenForRepo(owner, repo) {
         Authorization: `Bearer ${jwt}`,
         Accept: "application/vnd.github+json",
         "X-GitHub-Api-Version": "2022-11-28",
-        "User-Agent": "bosun-botswain",
+        "User-Agent": "bosun-ve",
       },
     },
   );
@@ -163,7 +163,7 @@ export async function startDeviceFlow(scope = "repo") {
     headers: {
       Accept: "application/json",
       "Content-Type": "application/x-www-form-urlencoded",
-      "User-Agent": "bosun-botswain",
+      "User-Agent": "bosun-ve",
     },
     body: body.toString(),
   });
@@ -217,7 +217,7 @@ export async function pollDeviceToken(deviceCode) {
     headers: {
       Accept: "application/json",
       "Content-Type": "application/x-www-form-urlencoded",
-      "User-Agent": "bosun-botswain",
+      "User-Agent": "bosun-ve",
     },
     body: body.toString(),
   });
@@ -281,7 +281,7 @@ export async function exchangeOAuthCode(code) {
     headers: {
       Accept: "application/json",
       "Content-Type": "application/x-www-form-urlencoded",
-      "User-Agent": "bosun-botswain",
+      "User-Agent": "bosun-ve",
     },
     body: body.toString(),
   });
@@ -318,7 +318,7 @@ export async function getOAuthUser(accessToken) {
       Authorization: `Bearer ${accessToken}`,
       Accept: "application/vnd.github+json",
       "X-GitHub-Api-Version": "2022-11-28",
-      "User-Agent": "bosun-botswain",
+      "User-Agent": "bosun-ve",
     },
   });
   if (!res.ok) {

package/github-auth-manager.mjs

@@ -82,7 +82,7 @@ async function verifyToken(token) {
         Authorization: `Bearer ${token}`,
         Accept: "application/vnd.github+json",
         "X-GitHub-Api-Version": "2022-11-28",
-        "User-Agent": "bosun-botswain",
+        "User-Agent": "bosun-ve",
       },
     });
     if (!res.ok) return null;
@@ -162,7 +162,7 @@ export async function getAuthHeaders(options = {}) {
     Authorization: `Bearer ${token}`,
     Accept: "application/vnd.github+json",
     "X-GitHub-Api-Version": "2022-11-28",
-    "User-Agent": "bosun-botswain",
+    "User-Agent": "bosun-ve",
   };
 }
 

package/github-oauth-portal.mjs

@@ -1,5 +1,5 @@
 /**
- * github-oauth-portal.mjs — Self-contained OAuth setup portal for Bosun[botswain]
+ * github-oauth-portal.mjs — Self-contained OAuth setup portal for Bosun[VE]
  *
  * Serves a local HTTP portal on port 54317 (bound to 127.0.0.1) that guides
  * users through GitHub App installation and OAuth authorisation.
@@ -13,7 +13,7 @@
  *   GET  /api/status          — JSON status endpoint
  *   GET  /api/installations   — list App installations (requires App JWT)
  *
- * GitHub App settings (https://github.com/settings/apps/bosun-botswain):
+ * GitHub App settings (https://github.com/settings/apps/bosun-ve):
  *   Callback URL:  http://127.0.0.1:54317/github/callback  ← ONLY URL needed
  *
  * Notes:
@@ -54,7 +54,7 @@ import {
 
 const DEFAULT_PORT = 54317;
 const DEFAULT_HOST = "127.0.0.1";
-const GITHUB_APP_NAME = "bosun-botswain";
+const GITHUB_APP_NAME = "bosun-ve";
 const GITHUB_APP_URL = `https://github.com/apps/${GITHUB_APP_NAME}`;
 const GITHUB_APP_INSTALL_URL = `${GITHUB_APP_URL}/installations/new`;
 const STATE_FILE = join(homedir(), ".bosun", "github-auth-state.json");
@@ -271,7 +271,7 @@ function htmlPage(title, bodyHtml) {
 <body>
   <div class="logo">⚓</div>
   <h1>Bosun</h1>
-  <div class="subtitle">GitHub App OAuth Setup Portal · <code>bosun-botswain</code></div>
+  <div class="subtitle">GitHub App OAuth Setup Portal · <code>bosun-ve</code></div>
   ${bodyHtml}
   <script>
     function copyToClipboard(text, btn) {
@@ -569,7 +569,7 @@ async function handleSetup(req, res) {
             Authorization: `Bearer ${jwt}`,
             Accept: "application/vnd.github+json",
             "X-GitHub-Api-Version": "2022-11-28",
-            "User-Agent": "bosun-botswain",
+            "User-Agent": "bosun-ve",
           },
         },
       );
@@ -703,7 +703,7 @@ function handleWebhookEvent(eventType, payload) {
 }
 
 const CMD_RE = /\/bosun[ \t]+(\w+)(?:[ \t]+(\S+))?/g;
-const MENTION_RE = /@bosun-botswain/i;
+const MENTION_RE = /@bosun-ve/i;
 
 function processBosunCommand(body, payload) {
   if (MENTION_RE.test(body)) {
@@ -766,7 +766,7 @@ async function handleApiInstallations(req, res) {
         Authorization: `Bearer ${jwt}`,
         Accept: "application/vnd.github+json",
         "X-GitHub-Api-Version": "2022-11-28",
-        "User-Agent": "bosun-botswain",
+        "User-Agent": "bosun-ve",
       },
     });
 

package/monitor.mjs

@@ -3339,9 +3339,9 @@ async function createPRViaVK(attemptId, prOpts = {}) {
     return { success: false, error: "repo_id_missing", _elapsedMs: 0 };
   }
 
-  const bosunCredit = "\n\n---\n*Created by [Bosun Bot](https://github.com/apps/bosun-botswain)*";
+  const bosunCredit = "\n\n---\n*Created by [Bosun Bot](https://github.com/apps/bosun-ve)*";
   const rawDescription = prOpts.description || "";
-  const description = rawDescription.includes("bosun-botswain")
+  const description = rawDescription.includes("bosun-ve")
     ? rawDescription
     : rawDescription.trimEnd() + bosunCredit;
 
@@ -5386,7 +5386,7 @@ function buildEpicMergeBody(tasks, headName, baseName) {
   }
   lines.push("");
   lines.push("---");
-  lines.push("*Created by [Bosun Bot](https://github.com/apps/bosun-botswain)*");
+  lines.push("*Created by [Bosun Bot](https://github.com/apps/bosun-ve)*");
   return lines.join("\n");
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bosun",
-  "version": "0.32.0",
+  "version": "0.33.0",
   "description": "AI-powered orchestrator supervisor — manages AI agent executors with failover, auto-restarts on failure, analyzes crashes with Codex SDK, creates PRs via Vibe-Kanban API, and sends Telegram notifications. Supports N executors with weighted distribution, multi-repo projects, and auto-setup.",
   "type": "module",
   "license": "Apache 2.0",
@@ -67,7 +67,6 @@
     "./container-runner": "./container-runner.mjs",
     "./compat": "./compat.mjs",
     "./task-cli": "./task-cli.mjs",
-    "./github-oauth-portal": "./github-oauth-portal.mjs",
     "./github-auth-manager": "./github-auth-manager.mjs",
     "./git-commit-helpers": "./git-commit-helpers.mjs"
   },
@@ -91,6 +90,7 @@
     "desktop": "node cli.mjs --desktop",
     "desktop:install": "npm -C desktop install",
     "desktop:dist": "npm -C desktop run dist",
+    "build": "node vendor-sync.mjs",
     "shared-workspaces": "node shared-workspace-cli.mjs",
     "syntax:check": "node -e \"const fs=require('fs'),path=require('path');const files=fs.readdirSync('.').filter(f=>f.endsWith('.mjs'));let fail=0;for(const f of files){try{require('child_process').execSync('node --check '+f,{stdio:'pipe'});}catch(e){console.error('Syntax error: '+f);console.error(e.stderr.toString());fail=1;}}if(fail)process.exit(1);console.log('Syntax OK: '+files.length+' files checked');\"",
     "pretest": "npm run syntax:check",
@@ -98,6 +98,7 @@
     "test:watch": "vitest",
     "preinstall": "node -e \"try{var r=require('child_process').execSync('npm ls -g codex-monitor --json --depth=0',{encoding:'utf8',stdio:['pipe','pipe','pipe']});var d=JSON.parse(r).dependencies;if(d&&d['codex-monitor']){console.log('\\n  Removing old codex-monitor package...');require('child_process').execSync('npm uninstall -g codex-monitor',{stdio:'inherit',timeout:30000});console.log('  \\u2705 Migrated to bosun. codex-monitor aliases still work.\\n')}}catch(e){}\"",
     "postinstall": "node postinstall.mjs",
+    "prepare": "node vendor-sync.mjs",
     "sentinel": "node telegram-sentinel.mjs",
     "sentinel:stop": "node -e \"import('./telegram-sentinel.mjs').then(m => m.stopSentinel())\"",
     "sentinel:status": "node -e \"import('./telegram-sentinel.mjs').then(m => console.log(JSON.stringify(m.getSentinelStatus(), null, 2)))\"",
@@ -108,7 +109,9 @@
     "publish:minor": "node publish.mjs --bump minor",
     "publish:major": "node publish.mjs --bump major",
     "publish:minor:dry": "node publish.mjs --bump minor --dry-run",
-    "publish:major:dry": "node publish.mjs --bump major --dry-run"
+    "publish:major:dry": "node publish.mjs --bump major --dry-run",
+    "vendorsync": "node vendor-sync.mjs",
+    "vendor:sync": "node vendor-sync.mjs"
   },
   "files": [
     ".env.example",
@@ -212,14 +215,20 @@
     "whatsapp-channel.mjs",
     "container-runner.mjs",
     "daemon-restart-policy.mjs",
-    "publish.mjs"
+    "publish.mjs",
+    "vendor-sync.mjs",
+    "ui/vendor/"
   ],
   "dependencies": {
     "@anthropic-ai/claude-agent-sdk": "latest",
     "@github/copilot-sdk": "latest",
     "@openai/codex-sdk": "latest",
+    "@preact/signals": "1.3.1",
     "@whiskeysockets/baileys": "^7.0.0-rc.9",
     "ajv": "^8.18.0",
+    "es-module-shims": "1.10.0",
+    "htm": "3.1.1",
+    "preact": "10.25.4",
     "qrcode-terminal": "^0.12.0",
     "vibe-kanban": "latest",
     "ws": "^8.19.0"

package/postinstall.mjs

@@ -396,6 +396,23 @@ async function main() {
   } catch {
     // Non-blocking; hooks can be installed via `npm run hooks:install`
   }
+
+  // Sync vendor files into ui/vendor/ so the UI works fully offline.
+  // Non-blocking — a missing vendor file just falls back to node_modules or CDN.
+  try {
+    const { syncVendorFiles } = await import("./vendor-sync.mjs");
+    const { ok, results } = await syncVendorFiles({ silent: true });
+    const synced = results.filter((r) => r.source).length;
+    if (ok) {
+      console.log(`  ✅ Vendor files bundled into ui/vendor/ (${synced}/${results.length} files)`);
+    } else {
+      const missing = results.filter((r) => !r.source).map((r) => r.name);
+      console.warn(`  ⚠️  Some vendor files could not be bundled: ${missing.join(", ")}`);
+      console.warn("     The UI server will fall back to CDN for those files.");
+    }
+  } catch (err) {
+    console.warn(`  ⚠️  vendor-sync skipped: ${err.message}`);
+  }
 }
 
 main().catch((err) => {