openmates 0.12.0-alpha.6 → 0.12.0-alpha.8

package/dist/{chunk-MCVRDNDO.js → chunk-M5PZQEY2.js}

@@ -730,6 +730,18 @@ function writeJsonFile(filePath, data) {
   });
   chmodSync(filePath, 384);
 }
+function loadAnonymousId() {
+  const filePath = join(getStateDir(), "anonymous.json");
+  const data = readJsonFile(filePath);
+  return typeof data?.anonymousId === "string" && data.anonymousId.length > 0 ? data.anonymousId : null;
+}
+function saveAnonymousId(anonymousId) {
+  const filePath = join(ensureStateDir(), "anonymous.json");
+  writeJsonFile(filePath, {
+    anonymousId,
+    createdAt: Math.floor(Date.now() / 1e3)
+  });
+}
 function saveSession(session) {
   const filePath = join(ensureStateDir(), "session.json");
   const result = storeMasterKey(session.masterKeyExportedB64, session.hashedEmail);
@@ -2759,6 +2771,65 @@ var OpenMatesClient = class _OpenMatesClient {
   hasSession() {
     return this.session !== null;
   }
+  async getAnonymousFreeUsageStatus() {
+    const response = await this.http.get("/v1/anonymous/free-usage/status");
+    if (response.status === 404) {
+      return {
+        active: false,
+        reason: "self_hosted",
+        resetAt: null,
+        cta: "Anonymous free chat is not available on this server."
+      };
+    }
+    if (!response.ok) {
+      const detail = response.data.detail;
+      const message = typeof detail === "object" && detail?.message ? detail.message : typeof detail === "string" ? detail : `Anonymous free usage status failed with HTTP ${response.status}`;
+      throw new Error(message);
+    }
+    return {
+      active: response.data.active === true,
+      reason: response.data.reason ?? null,
+      resetAt: response.data.reset_at ?? null,
+      cta: response.data.cta ?? null
+    };
+  }
+  async sendAnonymousMessage(params) {
+    const availability = await this.getAnonymousFreeUsageStatus();
+    if (!availability.active) {
+      throw new Error(availability.cta ?? "Create an account to keep using OpenMates.");
+    }
+    let anonymousId = loadAnonymousId();
+    if (!anonymousId) {
+      anonymousId = randomUUID2();
+      saveAnonymousId(anonymousId);
+    }
+    const chatId = `anonymous-${randomUUID2()}`;
+    const messageId = `anonymous-message-${randomUUID2()}`;
+    const response = await this.http.post("/v1/anonymous/chat/stream", {
+      anonymous_id: anonymousId,
+      client_chat_id: chatId,
+      client_message_id: messageId,
+      plaintext_message: params.message,
+      message_history: []
+    });
+    if (!response.ok) {
+      const detail = response.data.detail;
+      const message = typeof detail === "object" && detail?.message ? detail.message : typeof detail === "string" ? detail : `Anonymous chat failed with HTTP ${response.status}`;
+      throw new Error(message);
+    }
+    return {
+      status: "completed",
+      chatId: response.data.chatId ?? chatId,
+      messageId: response.data.messageId ?? messageId,
+      assistant: response.data.assistant ?? "",
+      category: response.data.category ?? null,
+      modelName: response.data.modelName ?? null,
+      mateName: null,
+      followUpSuggestions: response.data.followUpSuggestions ?? [],
+      subChatEvents: [],
+      appSettingsMemoryRequests: []
+    };
+  }
   async createTurnTokenRefs(params) {
     if (params.refs.length === 0) return [];
     const response = await this.http.post(
@@ -2783,6 +2854,35 @@ var OpenMatesClient = class _OpenMatesClient {
       };
     });
   }
+  async cancelConnectedAccountAction(params) {
+    const response = await this.http.post(
+      `/v1/connected-accounts/actions/${encodeURIComponent(params.actionId)}/cancel`,
+      {
+        chat_id: params.chatId,
+        message_id: params.messageId
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to cancel connected-account action (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async undoConnectedAccountAction(params) {
+    const response = await this.http.post(
+      `/v1/connected-accounts/actions/${encodeURIComponent(params.actionId)}/undo`,
+      {
+        chat_id: params.chatId,
+        message_id: params.messageId,
+        turn_token_ref: params.turnTokenRef
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to undo connected-account action (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
   // -------------------------------------------------------------------------
   // Auth
   // -------------------------------------------------------------------------
@@ -3553,6 +3653,7 @@ var OpenMatesClient = class _OpenMatesClient {
       refs: params.connectedAccountTokenRefInputs
     }) : [];
     assertNoConnectedAccountSecretLeak(connectedAccountTokenRefs);
+    const piiMappings = params.piiMappings ?? [];
     const messagePayload = {
       chat_id: chatId,
       is_incognito: Boolean(params.incognito),
@@ -3666,6 +3767,12 @@ var OpenMatesClient = class _OpenMatesClient {
           last_edited_overall_timestamp: createdAt
         }
       };
+      if (piiMappings.length > 0) {
+        metadataPayload.encrypted_pii_mappings = await encryptWithAesGcmCombined(
+          JSON.stringify(piiMappings),
+          chatKeyBytes
+        );
+      }
       ws.send("encrypted_chat_metadata", metadataPayload);
     }
     let assistant = "";
@@ -5574,6 +5681,7 @@ Required: ${schema.required.join(", ")}`
     const embedKeys = [];
     let newChatSuggestions = [];
     let totalChatCount = 0;
+    const pendingAIResponses = [];
     try {
       ws.send("phased_sync_request", {
         phase: "all",
@@ -5613,6 +5721,8 @@ Required: ${schema.required.join(", ")}`
           }
           if (p.embeds) embeds.push(...p.embeds);
           if (p.embed_keys) embedKeys.push(...p.embed_keys);
+        } else if (frame.type === "pending_ai_response") {
+          pendingAIResponses.push(frame.payload);
         }
       }
       for (const chat of chats) {
@@ -5623,8 +5733,9 @@ Required: ${schema.required.join(", ")}`
         }
       }
       if (totalChatCount === 0) totalChatCount = chats.length;
-    } finally {
+    } catch (error) {
       ws.close();
+      throw error;
     }
     if (existingCache) {
       const cachedById = new Map(
@@ -5681,6 +5792,11 @@ Required: ${schema.required.join(", ")}`
     if (totalChatCount > 0 && chats.length > totalChatCount) {
       chats.length = totalChatCount;
     }
+    try {
+      await this.persistPendingAIResponsesFromSync(ws, chats, pendingAIResponses);
+    } finally {
+      ws.close();
+    }
     const cache = {
       syncedAt: Date.now(),
       totalChatCount,
@@ -5693,6 +5809,76 @@ Required: ${schema.required.join(", ")}`
     saveSyncCache(cache);
     return cache;
   }
+  async persistPendingAIResponsesFromSync(ws, chats, pendingResponses) {
+    if (pendingResponses.length === 0) return;
+    const masterKey = this.getMasterKeyBytes();
+    for (const pending of pendingResponses) {
+      const chatId = pending.chat_id;
+      const messageId = pending.message_id;
+      const content = pending.content;
+      if (!chatId || !messageId || !content) continue;
+      const chat = chats.find((candidate) => String(candidate.details.id ?? "") === chatId);
+      if (!chat) continue;
+      const existingIndex = chat.messages.findIndex((raw) => {
+        try {
+          const message = typeof raw === "string" ? JSON.parse(raw) : raw;
+          return message?.message_id === messageId || message?.id === messageId;
+        } catch {
+          return false;
+        }
+      });
+      if (existingIndex >= 0) {
+        const existingRaw = chat.messages[existingIndex];
+        try {
+          const existing = typeof existingRaw === "string" ? JSON.parse(existingRaw) : existingRaw;
+          if (existing?.role === "assistant" && existing?.encrypted_content) continue;
+        } catch {
+        }
+      }
+      const encryptedChatKey = typeof chat.details.encrypted_chat_key === "string" ? chat.details.encrypted_chat_key : null;
+      if (!encryptedChatKey) continue;
+      const chatKeyBytes = await this.decryptChatKey(encryptedChatKey, masterKey);
+      if (!chatKeyBytes) continue;
+      const completedAt = normalizeUnixSeconds(
+        pending.fired_at,
+        Math.floor(Date.now() / 1e3)
+      );
+      const currentMessagesV = typeof chat.details.messages_v === "number" ? chat.details.messages_v : 0;
+      const nextMessagesV = currentMessagesV + 1;
+      const encryptedMessage = {
+        message_id: messageId,
+        chat_id: chatId,
+        role: "assistant",
+        created_at: completedAt,
+        status: "synced",
+        encrypted_content: await encryptWithAesGcmCombined(content, chatKeyBytes),
+        encrypted_category: pending.category ? await encryptWithAesGcmCombined(pending.category, chatKeyBytes) : void 0,
+        encrypted_model_name: pending.model_name ? await encryptWithAesGcmCombined(pending.model_name, chatKeyBytes) : void 0
+      };
+      const confirmed = ws.waitForMessage(
+        "ai_response_storage_confirmed",
+        (payload) => {
+          const p = payload;
+          return p.message_id === messageId;
+        },
+        2e4
+      );
+      await ws.sendAsync("ai_response_completed", {
+        chat_id: chatId,
+        message: encryptedMessage,
+        versions: {
+          messages_v: nextMessagesV,
+          last_edited_overall_timestamp: completedAt
+        }
+      });
+      await confirmed;
+      const serializedMessage = JSON.stringify(encryptedMessage);
+      if (existingIndex >= 0) chat.messages[existingIndex] = serializedMessage;
+      else chat.messages.push(serializedMessage);
+      chat.details.messages_v = nextMessagesV;
+      chat.details.last_edited_overall_timestamp = completedAt;
+    }
+  }
   async prompt(question) {
     const rl = createInterface({ input: stdin, output: stdout });
     try {
@@ -5991,6 +6177,31 @@ var SECRET_PATTERNS = [
     placeholderPrefix: "JWT_TOKEN"
   }
 ];
+var GENERAL_PII_PATTERNS = [
+  {
+    type: "EMAIL",
+    regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    label: "Email Address",
+    placeholderPrefix: "EMAIL"
+  },
+  {
+    type: "PHONE",
+    regex: /(?:(?:\+|00)[1-9]\d{0,2}[-.\s/]?(?:\(?\d{1,5}\)?[-.\s/]?){1,4}\d{2,4})|(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}|(?:0\d[-.\s/]?(?:\(?\d{1,5}\)?[-.\s/]?){1,4}\d{2,4})/g,
+    label: "Phone Number",
+    placeholderPrefix: "PHONE",
+    validate: (match) => {
+      const trimmed = match.trim();
+      const digits = trimmed.replace(/\D/g, "");
+      if (digits.length < 7 || digits.length > 15) return false;
+      if (/^\d{4}$/.test(trimmed)) return false;
+      if (/^\d{4}[-/.]\d{1,2}[-/.]\d{1,2}$/.test(trimmed)) return false;
+      if (/^\d{1,2}[-/.]\d{1,2}[-/.]\d{4}$/.test(trimmed)) return false;
+      if (/^(?:19|20)\d{6}$/.test(trimmed)) return false;
+      if (/^0\d{1,2}[-/.]\d{1,2}[-/.]\d{1,2}$/.test(trimmed)) return false;
+      return true;
+    }
+  }
+];
 
 // ../secret-scanner/src/registry.ts
 var require3 = createRequire2(import.meta.url);
@@ -6328,6 +6539,7 @@ var SecretScanner = class {
     if (!text) return { redacted: text, mappings: [] };
     const allMappings = [];
     const coveredRanges = [];
+    const urlExclusionZones = getUrlExclusionZones(text);
     if (this.options.enableRegistryDetection && this.registry.size > 0) {
       const registryMappings = this.registry.findAll(text);
       for (const mapping of registryMappings) {
@@ -6345,13 +6557,14 @@ var SecretScanner = class {
     }
     const typeCounts = {};
     if (this.options.enablePatternDetection) {
-      for (const pattern of SECRET_PATTERNS) {
+      for (const pattern of [...SECRET_PATTERNS, ...GENERAL_PII_PATTERNS]) {
         pattern.regex.lastIndex = 0;
         let match;
         while ((match = pattern.regex.exec(text)) !== null) {
           const matchText = match[0];
           const startIndex = match.index;
           const endIndex = startIndex + matchText.length;
+          if (isInsideAnyRange(startIndex, endIndex, urlExclusionZones)) continue;
           const overlaps = coveredRanges.some(
             (range) => startIndex >= range.start && startIndex < range.end || endIndex > range.start && endIndex <= range.end || startIndex <= range.start && endIndex >= range.end
           );
@@ -6427,6 +6640,18 @@ var SecretScanner = class {
 function escapeRegExp2(string) {
   return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
+function getUrlExclusionZones(text) {
+  const urlExclusionRegex = /https?:\/\/[^\s]+/g;
+  const zones = [];
+  let match;
+  while ((match = urlExclusionRegex.exec(text)) !== null) {
+    zones.push({ start: match.index, end: match.index + match[0].length });
+  }
+  return zones;
+}
+function isInsideAnyRange(startIndex, endIndex, ranges) {
+  return ranges.some((range) => startIndex >= range.start && endIndex <= range.end);
+}
 
 // src/outputRedactor.ts
 var PRIVACY_APP_ID = "privacy";
@@ -7080,6 +7305,8 @@ var DIRECT_TYPES = /* @__PURE__ */ new Set([
   "recording",
   "mail-email",
   "math-plot",
+  "mermaid",
+  "diagrams-mermaid",
   "events-event",
   "health-appointment",
   "shopping-product",
@@ -7107,6 +7334,8 @@ var DIRECT_TYPE_LABELS = {
   "recording": "recording",
   "mail-email": "email",
   "math-plot": "plot",
+  "mermaid": "Mermaid diagram",
+  "diagrams-mermaid": "Mermaid diagram",
   "events-event": "event",
   "health-appointment": "appointment",
   "shopping-product": "product",
@@ -8063,6 +8292,11 @@ function renderByDirectType(embed, c, ln) {
       ln("\x1B[2m[mathematical plot]\x1B[0m");
       break;
     }
+    case "mermaid":
+    case "diagrams-mermaid": {
+      renderMermaidPreview(c, ln);
+      break;
+    }
     case "images-image-result": {
       const title = str(c.title) ?? "";
       const source = str(c.source) ?? str(c.url) ?? "";
@@ -8228,6 +8462,11 @@ function renderDirectTypeFullscreen(embed, c) {
       }
       break;
     }
+    case "mermaid":
+    case "diagrams-mermaid": {
+      renderMermaidFullscreen(c);
+      break;
+    }
     default: {
       for (const [k, v] of Object.entries(c)) {
         if (v === null || v === void 0 || k.startsWith("_")) continue;
@@ -8246,6 +8485,38 @@ function renderDirectTypeFullscreen(embed, c) {
     }
   }
 }
+function renderMermaidPreview(c, ln) {
+  const title = str(c.title) ?? "Mermaid diagram";
+  const kind = str(c.diagram_kind) ?? "mermaid";
+  const source = str(c.diagram_code) ?? str(c.code) ?? str(c.source) ?? "";
+  ln(`\x1B[1m${title}\x1B[0m`);
+  ln(`\x1B[2mMermaid diagram \xB7 ${kind}\x1B[0m`);
+  if (source) {
+    for (const line of source.split("\n").slice(0, 4)) {
+      if (line.trim()) ln(`  ${trunc(line, 80)}`);
+    }
+    if (source.split("\n").length > 4) ln("  ...");
+  }
+}
+function renderMermaidFullscreen(c) {
+  const title = str(c.title) ?? "Mermaid diagram";
+  const kind = str(c.diagram_kind) ?? "mermaid";
+  const status = str(c.status);
+  const source = str(c.diagram_code) ?? str(c.code) ?? str(c.source) ?? "";
+  process.stdout.write(`\x1B[1m${title}\x1B[0m
+`);
+  process.stdout.write(`\x1B[2mMermaid diagram \xB7 ${kind}${status ? ` \xB7 ${status}` : ""}\x1B[0m
+
+`);
+  if (source) {
+    process.stdout.write("```mermaid\n");
+    process.stdout.write(`${source.trim()}
+`);
+    process.stdout.write("```\n");
+  } else {
+    process.stdout.write("No Mermaid source available.\n");
+  }
+}
 function resolveResultCount(c) {
   if (typeof c.result_count === "number") return c.result_count;
   const results = c.results;
@@ -8293,7 +8564,16 @@ var COMPOSE_OVERRIDE = join3("backend", "core", "docker-compose.override.yml");
 var DEFAULT_INSTALL_PATH = join3(homedir5(), "openmates");
 var REPO_URL = "https://github.com/glowingkitty/OpenMates.git";
 var DEV_BRANCH = "dev";
+var MAIN_BRANCH = "main";
 var DEFAULT_IMAGE_REGISTRY = "ghcr.io/glowingkitty";
+var UPDATE_HEALTH_TIMEOUT_MS = 12e4;
+var UPDATE_HEALTH_INTERVAL_MS = 5e3;
+var HEALTH_REQUEST_TIMEOUT_MS = 5e3;
+var IMAGE_CHANNEL_TAGS = {
+  stable: MAIN_BRANCH,
+  main: MAIN_BRANCH,
+  dev: DEV_BRANCH
+};
 var MINIMAL_ENV_TEMPLATE = `# OpenMates self-host image-mode environment
 SECRET__MISTRAL_AI__API_KEY=
 SECRET__CEREBRAS__API_KEY=
@@ -8428,13 +8708,52 @@ function getPackageVersion() {
     return "";
   }
 }
+function getDefaultImageTagForVersion(version) {
+  return version ? `v${version}` : DEV_BRANCH;
+}
 function getDefaultImageTag() {
   const version = getPackageVersion();
-  return version ? `v${version}` : "dev";
+  return getDefaultImageTagForVersion(version);
 }
 function defaultTemplateRefForVersion(version) {
   return /-(alpha|beta|rc)(\.|\d|$)/.test(version) ? DEV_BRANCH : `v${version}`;
 }
+function templateRefForImageTag(imageTag, packageVersion = "") {
+  const channelTag = IMAGE_CHANNEL_TAGS[imageTag];
+  if (channelTag) return channelTag;
+  if (imageTag.startsWith("v")) return defaultTemplateRefForVersion(imageTag.slice(1));
+  if (!imageTag && packageVersion) return defaultTemplateRefForVersion(packageVersion);
+  return DEV_BRANCH;
+}
+function resolveTargetImageTag(flags, currentTag, packageVersion) {
+  const imageTag = flags["image-tag"];
+  const channel = flags.channel;
+  if (imageTag === true) {
+    throw new Error("Provide an image tag value: --image-tag <tag>.");
+  }
+  if (channel === true) {
+    throw new Error("Provide an update channel value: --channel stable, --channel main, or --channel dev.");
+  }
+  if (typeof imageTag === "string" && typeof channel === "string") {
+    throw new Error("Use either --image-tag or --channel, not both.");
+  }
+  if (typeof imageTag === "string") {
+    const trimmed = imageTag.trim();
+    if (!trimmed) throw new Error("--image-tag cannot be empty.");
+    return { tag: trimmed };
+  }
+  if (typeof channel === "string") {
+    const normalized = channel.trim().toLowerCase();
+    const tag = IMAGE_CHANNEL_TAGS[normalized];
+    if (!tag) {
+      throw new Error("Unsupported update channel. Use --channel stable, --channel main, or --channel dev.");
+    }
+    return { tag, channel: tag };
+  }
+  const installedChannel = IMAGE_CHANNEL_TAGS[currentTag];
+  if (installedChannel) return { tag: installedChannel, channel: installedChannel };
+  return { tag: getDefaultImageTagForVersion(packageVersion) };
+}
 function randomHex(bytes) {
   return randomBytes2(bytes).toString("hex");
 }
@@ -8475,7 +8794,7 @@ async function fetchText(url) {
   }
   return response.text();
 }
-async function loadSelfHostComposeTemplate(version) {
+async function loadSelfHostComposeTemplate(templateRef) {
   const templateDir = process.env.OPENMATES_SELFHOST_TEMPLATE_DIR;
   if (templateDir) {
     return readFileSync5(join3(resolve3(templateDir), IMAGE_COMPOSE_FILE), "utf-8");
@@ -8484,16 +8803,15 @@ async function loadSelfHostComposeTemplate(version) {
   if (overrideUrl) {
     return fetchText(overrideUrl);
   }
-  const ref = defaultTemplateRefForVersion(version);
   return fetchText(
-    `https://raw.githubusercontent.com/glowingkitty/OpenMates/${ref}/backend/core/docker-compose.selfhost.yml`
+    `https://raw.githubusercontent.com/glowingkitty/OpenMates/${templateRef}/backend/core/docker-compose.selfhost.yml`
   );
 }
 async function writeImageModeRuntimeFiles(installPath, imageTag) {
   const coreDir = join3(installPath, "backend", "core");
   const vaultConfigDir = join3(coreDir, "vault", "config");
   mkdirSync3(vaultConfigDir, { recursive: true });
-  writeFileSync3(join3(coreDir, "docker-compose.selfhost.yml"), await loadSelfHostComposeTemplate(getPackageVersion()));
+  writeFileSync3(join3(coreDir, "docker-compose.selfhost.yml"), await loadSelfHostComposeTemplate(templateRefForImageTag(imageTag, getPackageVersion())));
   writeFileSync3(join3(vaultConfigDir, "vault.hcl"), VAULT_CONFIG_TEMPLATE);
   const envPath = join3(installPath, ".env");
   let envContent = existsSync5(envPath) ? readFileSync5(envPath, "utf-8") : MINIMAL_ENV_TEMPLATE;
@@ -8511,6 +8829,48 @@ async function writeImageModeRuntimeFiles(installPath, imageTag) {
   writeFileSync3(envPath, envContent.endsWith("\n") ? envContent : `${envContent}
 `);
 }
+function getImageTagFromEnv(installPath, config) {
+  const envPath = join3(installPath, ".env");
+  if (existsSync5(envPath)) {
+    const envTag = getEnvVar(readFileSync5(envPath, "utf-8"), "OPENMATES_IMAGE_TAG");
+    if (envTag) return envTag;
+  }
+  return config?.imageTag ?? "";
+}
+function trailingSlashTrimmed(value) {
+  return value.replace(/\/+$/, "");
+}
+function sleep2(ms) {
+  return new Promise((resolveSleep) => setTimeout(resolveSleep, ms));
+}
+async function checkUrl(url) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), HEALTH_REQUEST_TIMEOUT_MS);
+  try {
+    const response = await fetch(url, { signal: controller.signal });
+    return response.ok;
+  } catch {
+    return false;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function waitForServerHealth(installPath) {
+  const envPath = join3(installPath, ".env");
+  const envContent = existsSync5(envPath) ? readFileSync5(envPath, "utf-8") : "";
+  const urls = deriveSelfHostCliUrls(envContent);
+  const apiHealthUrl = `${trailingSlashTrimmed(urls.apiUrl)}/health`;
+  const appUrl = trailingSlashTrimmed(urls.appUrl);
+  const deadline = Date.now() + UPDATE_HEALTH_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    const [apiOk, appOk] = await Promise.all([checkUrl(apiHealthUrl), checkUrl(appUrl)]);
+    if (apiOk && appOk) return;
+    await sleep2(UPDATE_HEALTH_INTERVAL_MS);
+  }
+  throw new Error(
+    `Updated containers started, but health checks did not pass in time. Check 'openmates server status' and 'openmates server logs --tail 200'. Tried ${apiHealthUrl} and ${appUrl}.`
+  );
+}
 function defaultCloneBranchForVersion(version) {
   return /-(alpha|beta|rc)(\.|\d|$)/.test(version) ? DEV_BRANCH : null;
 }
@@ -8796,25 +9156,85 @@ CLI default API: ${cliUrls.apiUrl}`);
   }
 }
 async function serverUpdate(flags) {
-  requireDocker();
   const installPath = resolveServerPath(flags);
-  ensureGitWorkDirEnv(installPath);
-  console.error("Updating OpenMates...");
+  const dryRun = flags["dry-run"] === true;
+  if (!dryRun) ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
   const withOverrides = config?.composeProfile === "full";
   const installMode = getInstallMode(installPath, config);
+  if (installMode === "source" && (flags["image-tag"] !== void 0 || flags.channel !== void 0)) {
+    throw new Error("--image-tag and --channel only apply to image-mode installs. Source-mode installs update from Git.");
+  }
+  if (!dryRun) requireDocker();
+  console.error("Updating OpenMates...");
   if (installMode === "image") {
+    const currentTag = getImageTagFromEnv(installPath, config);
+    const target = resolveTargetImageTag(flags, currentTag, getPackageVersion());
+    const templateRef = templateRefForImageTag(target.tag, getPackageVersion());
+    const plan = {
+      command: "update",
+      path: installPath,
+      mode: "image",
+      currentImageTag: currentTag || null,
+      targetImageTag: target.tag,
+      channel: target.channel ?? null,
+      templateRef,
+      dryRun
+    };
+    if (dryRun) {
+      if (flags.json === true) {
+        printJson({ ...plan, status: "planned" });
+      } else {
+        console.log("Update plan:");
+        console.log(`  Mode:          image`);
+        console.log(`  Current tag:   ${currentTag || "unknown"}`);
+        console.log(`  Target tag:    ${target.tag}`);
+        console.log(`  Template ref:  ${templateRef}`);
+        console.log("  Commands:      refresh compose, docker compose pull, docker compose up -d, health checks");
+      }
+      return;
+    }
+    console.error(`Mode: image`);
+    console.error(`Current image tag: ${currentTag || "unknown"}`);
+    console.error(`Target image tag: ${target.tag}`);
+    console.error(`Refreshing self-host runtime files from ${templateRef}...`);
+    await writeImageModeRuntimeFiles(installPath, target.tag);
     const pullArgs = [...composeArgs(installPath, withOverrides, installMode), "pull"];
-    console.error("Pulling prebuilt images...");
-    let code2 = await runInteractive("docker", pullArgs, installPath);
-    if (code2 !== 0) process.exit(code2);
+    let code2 = 0;
+    if (shouldPullImages()) {
+      console.error("Pulling prebuilt images...");
+      code2 = await runInteractive("docker", pullArgs, installPath);
+      if (code2 !== 0) process.exit(code2);
+    } else {
+      console.error("Skipping image pull because OPENMATES_SKIP_IMAGE_PULL=1.");
+    }
     const upArgs2 = [...composeArgs(installPath, withOverrides, installMode), "up", "-d"];
     code2 = await runInteractive("docker", upArgs2, installPath);
     if (code2 !== 0) process.exit(code2);
+    console.error("Waiting for API and web health checks...");
+    try {
+      await waitForServerHealth(installPath);
+    } catch (error) {
+      await runInteractive("docker", [...composeArgs(installPath, withOverrides, installMode), "ps"], installPath);
+      throw error;
+    }
+    if (config) {
+      saveServerConfig({ ...config, imageTag: target.tag, imageChannel: target.channel });
+    }
     if (flags.json === true) {
-      printJson({ command: "update", status: "success", path: installPath, mode: "image" });
+      printJson({ ...plan, status: "success", dryRun: false });
     } else {
-      console.log("Server images pulled and containers restarted.");
+      console.log("Server images updated, containers restarted, and health checks passed.");
+    }
+    return;
+  }
+  if (dryRun) {
+    if (flags.json === true) {
+      printJson({ command: "update", status: "planned", path: installPath, mode: "source", dryRun: true });
+    } else {
+      console.log("Update plan:");
+      console.log("  Mode:     source");
+      console.log("  Commands: git pull --ff-only, docker compose build, docker compose up -d, health checks");
     }
     return;
   }
@@ -8829,7 +9249,7 @@ async function serverUpdate(flags) {
   try {
     const pullOutput = exec("git pull --ff-only", installPath);
     console.error(pullOutput || "Already up to date.");
-  } catch (e) {
+  } catch {
     if (flags.force === true) {
       try {
         exec("git stash pop", installPath);
@@ -8853,10 +9273,17 @@ async function serverUpdate(flags) {
   const upArgs = [...composeArgs(installPath, withOverrides, installMode), "up", "-d"];
   code = await runInteractive("docker", upArgs, installPath);
   if (code !== 0) process.exit(code);
+  console.error("Waiting for API and web health checks...");
+  try {
+    await waitForServerHealth(installPath);
+  } catch (error) {
+    await runInteractive("docker", [...composeArgs(installPath, withOverrides, installMode), "ps"], installPath);
+    throw error;
+  }
   if (flags.json === true) {
-    printJson({ command: "update", status: "success", path: installPath });
+    printJson({ command: "update", status: "success", path: installPath, mode: "source" });
   } else {
-    console.log("Server updated and restarted.");
+    console.log("Server updated, restarted, and health checks passed.");
   }
 }
 async function serverReset(flags) {
@@ -9038,7 +9465,10 @@ Command Options:
     --tail <n>          Number of lines to show (default: 100)
 
   update:
-    --force             Stash local changes before pulling
+    --dry-run           Show update plan without changing files or containers
+    --image-tag <tag>   Image mode: update to a specific prebuilt image tag
+    --channel <name>    Image mode: update using stable/main or dev channel tags
+    --force             Source mode: stash local changes before pulling
 
   reset:
     --delete-user-data-only   Only delete database and cache (preserve config)
@@ -9057,6 +9487,9 @@ Examples:
   openmates server logs --container api --follow
   openmates server make-admin user@example.com
   openmates server update
+  openmates server update --dry-run
+  openmates server update --image-tag v0.12.0-alpha.1
+  openmates server update --channel dev
   openmates server restart --rebuild
 `.trim());
 }
@@ -22151,6 +22584,18 @@ var memoryTravelPreferredTransportChat = {
       "content": "example_chats.memory_travel_preferred_transport.message_1",
       "created_at": 1781280405
     },
+    {
+      "id": "32b6170b-a0f8-4e21-b48f-581782e5957e-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"32b6170b-a0f8-4e21-b48f-581782e5957e","action":"included","categories":[{"appId":"travel","itemType":"preferred_transport_methods","entryCount":2}]}',
+      "created_at": 1781280406
+    },
+    {
+      "id": "32b6170b-a0f8-4e21-b48f-581782e5957e-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"32b6170b-a0f8-4e21-b48f-581782e5957e","request_id":"32b6170b-a0f8-4e21-b48f-581782e5957e-memory-request","requested_keys":["travel-preferred_transport_methods"],"categories":[{"appId":"travel","itemType":"preferred_transport_methods","entryCount":0}]}',
+      "created_at": 1781280406
+    },
     {
       "id": "6fad1476-1f2f-4977-97ca-b9f5ba773f3d",
       "role": "assistant",
@@ -22185,6 +22630,18 @@ var memoryTravelPreferredActivitiesChat = {
       "content": "example_chats.memory_travel_preferred_activities.message_1",
       "created_at": 1781280434
     },
+    {
+      "id": "b59b7592-a869-4bda-ab68-e87a1663ed11-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"b59b7592-a869-4bda-ab68-e87a1663ed11","action":"included","categories":[{"appId":"travel","itemType":"preferred_activities","entryCount":2}]}',
+      "created_at": 1781280435
+    },
+    {
+      "id": "b59b7592-a869-4bda-ab68-e87a1663ed11-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"b59b7592-a869-4bda-ab68-e87a1663ed11","request_id":"b59b7592-a869-4bda-ab68-e87a1663ed11-memory-request","requested_keys":["travel-preferred_activities"],"categories":[{"appId":"travel","itemType":"preferred_activities","entryCount":0}]}',
+      "created_at": 1781280435
+    },
     {
       "id": "5dfa7876-6b55-47f8-a472-fd542e19589d",
       "role": "assistant",
@@ -22219,6 +22676,18 @@ var memoryTvWatchedMoviesChat = {
       "content": "example_chats.memory_tv_watched_movies.message_1",
       "created_at": 1781280521
     },
+    {
+      "id": "7909540d-9830-48b0-a7ea-ec3438cb7ff6-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"7909540d-9830-48b0-a7ea-ec3438cb7ff6","action":"included","categories":[{"appId":"tv","itemType":"watched_movies","entryCount":2}]}',
+      "created_at": 1781280522
+    },
+    {
+      "id": "7909540d-9830-48b0-a7ea-ec3438cb7ff6-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"7909540d-9830-48b0-a7ea-ec3438cb7ff6","request_id":"7909540d-9830-48b0-a7ea-ec3438cb7ff6-memory-request","requested_keys":["tv-watched_movies"],"categories":[{"appId":"tv","itemType":"watched_movies","entryCount":0}]}',
+      "created_at": 1781280522
+    },
     {
       "id": "0bc111c3-32e3-4451-aa54-cae5dfcd1d8a",
       "role": "assistant",
@@ -22253,6 +22722,18 @@ var memoryTvWatchedShowsChat = {
       "content": "example_chats.memory_tv_watched_shows.message_1",
       "created_at": 1781280553
     },
+    {
+      "id": "e54287c0-54dc-4961-93f1-0caed8596ba7-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"e54287c0-54dc-4961-93f1-0caed8596ba7","action":"included","categories":[{"appId":"tv","itemType":"watched_tv_shows","entryCount":2}]}',
+      "created_at": 1781280554
+    },
+    {
+      "id": "e54287c0-54dc-4961-93f1-0caed8596ba7-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"e54287c0-54dc-4961-93f1-0caed8596ba7","request_id":"e54287c0-54dc-4961-93f1-0caed8596ba7-memory-request","requested_keys":["tv-watched_tv_shows"],"categories":[{"appId":"tv","itemType":"watched_tv_shows","entryCount":0}]}',
+      "created_at": 1781280554
+    },
     {
       "id": "7cf4ba64-2134-4341-9a65-ac3ef207349e",
       "role": "assistant",
@@ -22287,6 +22768,18 @@ var memoryTvToWatchListChat = {
       "content": "example_chats.memory_tv_to_watch_list.message_1",
       "created_at": 1781280581
     },
+    {
+      "id": "794b4c25-ad08-4088-adb4-5729b5fc89d2-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"794b4c25-ad08-4088-adb4-5729b5fc89d2","action":"included","categories":[{"appId":"tv","itemType":"to_watch_list","entryCount":2}]}',
+      "created_at": 1781280582
+    },
+    {
+      "id": "794b4c25-ad08-4088-adb4-5729b5fc89d2-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"794b4c25-ad08-4088-adb4-5729b5fc89d2","request_id":"794b4c25-ad08-4088-adb4-5729b5fc89d2-memory-request","requested_keys":["tv-to_watch_list"],"categories":[{"appId":"tv","itemType":"to_watch_list","entryCount":0}]}',
+      "created_at": 1781280582
+    },
     {
       "id": "4c8d7bb0-2b55-4428-aa22-c9ab6aa8f01e",
       "role": "assistant",
@@ -22321,6 +22814,18 @@ var memoryVideosToWatchListChat = {
       "content": "example_chats.memory_videos_to_watch_list.message_1",
       "created_at": 1781280606
     },
+    {
+      "id": "9df4f00f-8468-482f-886c-4c323fdc7ef8-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"9df4f00f-8468-482f-886c-4c323fdc7ef8","action":"included","categories":[{"appId":"videos","itemType":"to_watch_list","entryCount":2}]}',
+      "created_at": 1781280607
+    },
+    {
+      "id": "9df4f00f-8468-482f-886c-4c323fdc7ef8-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"9df4f00f-8468-482f-886c-4c323fdc7ef8","request_id":"9df4f00f-8468-482f-886c-4c323fdc7ef8-memory-request","requested_keys":["videos-to_watch_list"],"categories":[{"appId":"videos","itemType":"to_watch_list","entryCount":0}]}',
+      "created_at": 1781280607
+    },
     {
       "id": "16c2890e-358f-419f-a607-98d8ecb447b2",
       "role": "assistant",
@@ -22355,6 +22860,18 @@ var memoryWebBookmarksChat = {
       "content": "example_chats.memory_web_bookmarks.message_1",
       "created_at": 1781280634
     },
+    {
+      "id": "9a448c41-309c-49ef-a90d-ae00b16b1e10-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"9a448c41-309c-49ef-a90d-ae00b16b1e10","action":"included","categories":[{"appId":"web","itemType":"bookmarks","entryCount":2}]}',
+      "created_at": 1781280635
+    },
+    {
+      "id": "9a448c41-309c-49ef-a90d-ae00b16b1e10-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"9a448c41-309c-49ef-a90d-ae00b16b1e10","request_id":"9a448c41-309c-49ef-a90d-ae00b16b1e10-memory-request","requested_keys":["web-bookmarks"],"categories":[{"appId":"web","itemType":"bookmarks","entryCount":0}]}',
+      "created_at": 1781280635
+    },
     {
       "id": "f3be11d8-e466-4649-8078-ee5f6ad7920e",
       "role": "assistant",
@@ -22389,6 +22906,18 @@ var memoryWebReadLaterChat = {
       "content": "example_chats.memory_web_read_later.message_1",
       "created_at": 1781280720
     },
+    {
+      "id": "7365e817-390f-4e70-a020-fa4eef5f637c-memory-response",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_response","user_message_id":"7365e817-390f-4e70-a020-fa4eef5f637c","action":"included","categories":[{"appId":"web","itemType":"read_later","entryCount":2}]}',
+      "created_at": 1781280721
+    },
+    {
+      "id": "7365e817-390f-4e70-a020-fa4eef5f637c-memory-request",
+      "role": "system",
+      "content": '{"type":"app_settings_memories_request","user_message_id":"7365e817-390f-4e70-a020-fa4eef5f637c","request_id":"7365e817-390f-4e70-a020-fa4eef5f637c-memory-request","requested_keys":["web-read_later"],"categories":[{"appId":"web","itemType":"read_later","entryCount":0}]}',
+      "created_at": 1781280721
+    },
     {
       "id": "b1bdbb77-38e4-4974-ac51-4fff6ea5c6fd",
       "role": "assistant",
@@ -22892,6 +23421,108 @@ var classicCarReverseImageSearchChat = {
   }
 };
 
+// ../ui/src/demo_chats/data/example_chats/usb-c-3v3-ldo-pcb-schematic.ts
+var usbC3v3LdoPcbSchematicChat = {
+  chat_id: "example-usb-c-3v3-ldo",
+  slug: "usb-c-3v3-ldo-pcb-schematic",
+  title: "example_chats.usb_c_3v3_ldo_pcb_schematic.title",
+  summary: "example_chats.usb_c_3v3_ldo_pcb_schematic.summary",
+  icon: "circuit-board",
+  category: "software_development",
+  keywords: ["PCB schematic", "Atopile", "USB-C", "LDO", "3.3V regulator", "electronics design"],
+  follow_up_suggestions: ["example_chats.usb_c_3v3_ldo_pcb_schematic.follow_up_1", "example_chats.usb_c_3v3_ldo_pcb_schematic.follow_up_2", "example_chats.usb_c_3v3_ldo_pcb_schematic.follow_up_3", "example_chats.usb_c_3v3_ldo_pcb_schematic.follow_up_4", "example_chats.usb_c_3v3_ldo_pcb_schematic.follow_up_5", "example_chats.usb_c_3v3_ldo_pcb_schematic.follow_up_6"],
+  messages: [
+    {
+      "id": "verified-pcb-user-1",
+      "role": "user",
+      "content": "example_chats.usb_c_3v3_ldo_pcb_schematic.message_1",
+      "created_at": 1781772935
+    },
+    {
+      "id": "verified-pcb-assistant-1",
+      "role": "assistant",
+      "content": "example_chats.usb_c_3v3_ldo_pcb_schematic.message_2",
+      "created_at": 1781772936,
+      "category": "software_development",
+      "model_name": "Gemini 3.1 Pro"
+    }
+  ],
+  embeds: [
+    {
+      "embed_id": "46d63593-516e-49b5-8e7d-600c4fe18836",
+      "type": "pcb_schematic",
+      "content": 'type: pcb_schematic\napp_id: electronics\nskill_id: schematic\nlanguage: atopile\ncode: "import Resistor\\nimport Capacitor\\nimport Diode\\nimport ElectricPower\\n\\n# Modeling the USB-C input behavior\\nmodule USBCInput:\\n    power = new ElectricPower\\n    signal vbus\\n    signal gnd\\n    \\n    # Associate the interface pins with local power signals\\n    power.vcc ~ vbus\\n    power.gnd ~ gnd\\n\\n# Modeling the LDO regulator behavior\\nmodule LDO:\\n    power_in = new ElectricPower\\n    power_out = new ElectricPower\\n    \\n    # Regulators typically share a common ground reference\\n    power_in.gnd ~ power_out.gnd\\n\\n# Top-level application module\\nmodule App:\\n    # 1. Instantiate functional blocks\\n    usb_input = new USBCInput\\n    regulator = new LDO\\n\\n    # 2. Establish main power path (5V Input to LDO)\\n    usb_input.power ~ regulator.power_in\\n\\n    # 3. Input Decoupling Capacitor (5V rail)\\n    c_in = new Capacitor\\n    c_in.capacitance = 10uF +/- 20%\\n    regulator.power_in.vcc ~ c_in.unnamed[0]\\n    regulator.power_in.gnd ~ c_in.unnamed[1]\\n\\n    # 4. Output Decoupling Capacitor (3.3V rail)\\n    c_out = new Capacitor\\n    c_out.capacitance = 1uF +/- 20%\\n    regulator.power_out.vcc ~ c_out.unnamed[0]\\n    regulator.power_out.gnd ~ c_out.unnamed[1]\\n\\n    # 5. Power Status Indicator (Modeled as Diode) on the 3.3V Rail\\n    status_led = new Diode\\n    limit_res = new Resistor\\n    limit_res.resistance = 1kohm +/- 5%\\n\\n    # Connections: VCC -> Diode Anode -> Diode Cathode -> Resistor -> GND\\n    regulator.power_out.vcc ~ status_led.anode\\n    status_led.cathode ~ limit_res.unnamed[0]\\n    limit_res.unnamed[1] ~ regulator.power_out.gnd\\n"\nfilename: main.ato\ntitle: USB-C 3.3V LDO PCB Schematic\nmodule_name: App\nembed_ref: main.ato-46d635\nstatus: finished\nline_count: 54\ncompile_id: null\ncompile_status: null\nartifact_manifest: null\natopile_version: 0.15.7\natopile_docs_version: 0.15.7\ncompile_logs: null',
+      "parent_embed_id": null,
+      "embed_ids": null
+    }
+  ],
+  metadata: {
+    featured: true,
+    order: 103
+  }
+};
+
+// ../ui/src/demo_chats/data/example_chats/berlin-morning-bike-forecast.ts
+var berlinMorningBikeForecastChat = {
+  chat_id: "example-berlin-morning-bike-forecast",
+  slug: "berlin-morning-bike-forecast",
+  title: "example_chats.berlin_morning_bike_forecast.title",
+  summary: "example_chats.berlin_morning_bike_forecast.summary",
+  icon: "bike",
+  category: "general_knowledge",
+  keywords: ["Berlin weather", "Tempelhofer Feld", "bike commute", "weather forecast"],
+  follow_up_suggestions: ["example_chats.berlin_morning_bike_forecast.follow_up_1", "example_chats.berlin_morning_bike_forecast.follow_up_2", "example_chats.berlin_morning_bike_forecast.follow_up_3", "example_chats.berlin_morning_bike_forecast.follow_up_4", "example_chats.berlin_morning_bike_forecast.follow_up_5", "example_chats.berlin_morning_bike_forecast.follow_up_6"],
+  messages: [
+    {
+      "id": "40fe35ff-396a-40aa-ae7e-463067a91833",
+      "role": "user",
+      "content": "example_chats.berlin_morning_bike_forecast.message_1",
+      "created_at": 1781772332
+    },
+    {
+      "id": "560ef618-e8df-4bd2-99fb-68a737cee232",
+      "role": "assistant",
+      "content": "example_chats.berlin_morning_bike_forecast.message_2",
+      "created_at": 1781772346,
+      "user_message_id": "40fe35ff-396a-40aa-ae7e-463067a91833",
+      "response_credits": 25,
+      "category": "general_knowledge",
+      "model_name": "Gemini 3 Flash"
+    }
+  ],
+  embeds: [
+    {
+      "embed_id": "324eba33-3622-409c-b401-183f95d6183e",
+      "type": "app_skill_use",
+      "content": 'app_id: weather\nskill_id: forecast\nresult_count: 2\nembed_ids: c72c110f-9513-4ce8-a943-d66888c6bad0|4d855526-af41-47cf-a354-c769f3098c94\nstatus: finished\nembed_id: 324eba33-3622-409c-b401-183f95d6183e\ndays: 2\nlocation: Berlin\nquery: Berlin weather forecast\ndays_requested: 2\nprovider: Deutscher Wetterdienst (DWD) + Open-Meteo\npreview_results[2]{title,source_provider,source_station_name,source_dwd_station_id,source_wmo_station_id,source_observation_type,source_distance_m,source_lat,source_lon,source_height_m,source_first_record,source_last_record,date,provider}:\n  Berlin weather 2026-06-18,Deutscher Wetterdienst (DWD),BERLIN-ALEX.,"00399","10389",forecast,805.0,52.52,13.42,37.0,"2026-06-18T08:00:00+02:00","2026-06-28T12:00:00+02:00",2026-06-18,Deutscher Wetterdienst (DWD)\n  Berlin weather 2026-06-19,Deutscher Wetterdienst (DWD),BERLIN-ALEX.,"00399","10389",forecast,805.0,52.52,13.42,37.0,"2026-06-18T08:00:00+02:00","2026-06-28T12:00:00+02:00",2026-06-19,Deutscher Wetterdienst (DWD)',
+      "parent_embed_id": null,
+      "embed_ids": [
+        "c72c110f-9513-4ce8-a943-d66888c6bad0",
+        "4d855526-af41-47cf-a354-c769f3098c94"
+      ]
+    },
+    {
+      "embed_id": "c72c110f-9513-4ce8-a943-d66888c6bad0",
+      "type": "weather_day",
+      "content": 'type: weather_day\ntitle: Berlin weather 2026-06-18\ndate: 2026-06-18\nlabel: today\nlocation_name: Berlin\ncountry_code: DE\ntimezone: Europe/Berlin\nprovider: Deutscher Wetterdienst (DWD)\ncondition: dry\nicon: partly-cloudy-day\ntemperature_min_c: 20.1\ntemperature_max_c: 28.3\nprecipitation_total_mm: 0\nprecipitation_probability_max_pct: 7\nrain_hours: 0\nwind_speed_max_kmh: 15.8\nwind_gust_speed_max_kmh: 31.5\ncloud_cover_avg_pct: 79\nrelative_humidity_avg_pct: 69.2\nhourly[24]:\n  - time: "00:00"\n    timestamp: "2026-06-18T00:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 21.0\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 65\n    dew_point_c: 14.1\n    pressure_msl_hpa: 1018.9\n    visibility_m: 39690\n    wind_direction_deg: 290\n    wind_speed_kmh: 6.8\n    wind_gust_direction_deg: 280\n    wind_gust_speed_kmh: 10.4\n    sunshine_minutes: 0.0\n    solar: 0.0\n    source_id: 303712\n    fallback_source_ids_sunshine: 6885\n    fallback_source_ids_solar: 255262\n    fallback_source_ids_dew_point: 6150\n    fallback_source_ids_relative_humidity: 6150\n    fallback_source_ids_wind_direction: 6150\n    fallback_source_ids_precipitation: 6150\n    fallback_source_ids_condition: 6150\n    fallback_source_ids_temperature: 6150\n    fallback_source_ids_wind_speed: 6150\n  - time: "01:00"\n    timestamp: "2026-06-18T01:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 21.0\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 65\n    dew_point_c: 14.2\n    pressure_msl_hpa: 1018.9\n    visibility_m: 41770\n    wind_direction_deg: 240\n    wind_speed_kmh: 6.1\n    wind_gust_direction_deg: 230\n    wind_gust_speed_kmh: 8.6\n    sunshine_minutes: 0.0\n    solar: 0.0\n    source_id: 303712\n    fallback_source_ids_sunshine: 6885\n    fallback_source_ids_solar: 255262\n    fallback_source_ids_dew_point: 6150\n    fallback_source_ids_relative_humidity: 6150\n    fallback_source_ids_wind_direction: 6150\n    fallback_source_ids_precipitation: 6150\n    fallback_source_ids_condition: 6150\n    fallback_source_ids_temperature: 6150\n    fallback_source_ids_wind_speed: 6150\n  - time: "02:00"\n    timestamp: "2026-06-18T02:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 20.5\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 68\n    dew_point_c: 14.4\n    pressure_msl_hpa: 1019.1\n    visibility_m: 42400\n    wind_direction_deg: 240\n    wind_speed_kmh: 6.1\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 9.0\n    sunshine_minutes: 0.0\n    solar: 0.0\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n  - time: "03:00"\n    timestamp: "2026-06-18T03:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 20.5\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 68\n    dew_point_c: 14.5\n    pressure_msl_hpa: 1019.1\n    visibility_m: 43300\n    wind_direction_deg: 240\n    wind_speed_kmh: 6.1\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 7.9\n    sunshine_minutes: 0.0\n    solar: 0.0\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n  - time: "04:00"\n    timestamp: "2026-06-18T04:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 20.4\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 70\n    dew_point_c: 14.7\n    pressure_msl_hpa: 1018.9\n    visibility_m: 39100\n    wind_direction_deg: 230\n    wind_speed_kmh: 6.8\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 11.9\n    sunshine_minutes: 0.0\n    solar: 0.0\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n  - time: "05:00"\n    timestamp: "2026-06-18T05:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 20.1\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 72\n    dew_point_c: 15.0\n    pressure_msl_hpa: 1018.8\n    visibility_m: 14400\n    wind_direction_deg: 230\n    wind_speed_kmh: 5.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 11.2\n    sunshine_minutes: 0.0\n    solar: 0.001\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n  - time: "06:00"\n    timestamp: "2026-06-18T06:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 20.2\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 73\n    dew_point_c: 15.3\n    pressure_msl_hpa: 1019.0\n    visibility_m: 32500\n    wind_direction_deg: 240\n    wind_speed_kmh: 9.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 15.1\n    sunshine_minutes: 0.0\n    solar: 0.014\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n  - time: "07:00"\n    timestamp: "2026-06-18T07:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 20.7\n    precipitation_mm: 0.0\n    precipitation_probability_pct: null\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 75\n    relative_humidity_pct: 74\n    dew_point_c: 15.8\n    pressure_msl_hpa: 1018.9\n    visibility_m: 37200\n    wind_direction_deg: 230\n    wind_speed_kmh: 7.9\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 15.8\n    sunshine_minutes: 6.0\n    solar: 0.069\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n  - time: "08:00"\n    timestamp: "2026-06-18T08:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 22.2\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 7\n    precipitation_probability_6h_pct: 10\n    cloud_cover_pct: 75\n    relative_humidity_pct: 68\n    dew_point_c: 16.1\n    pressure_msl_hpa: 1019.1\n    visibility_m: 54700\n    wind_direction_deg: 280\n    wind_speed_kmh: 14.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 22.0\n    sunshine_minutes: 36.0\n    solar: 0.218\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n    fallback_source_ids_precipitation_probability_6h: 2382\n    fallback_source_ids_precipitation_probability: 2382\n  - time: "09:00"\n    timestamp: "2026-06-18T09:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 22.4\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 6\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 70\n    dew_point_c: 16.6\n    pressure_msl_hpa: 1019.6\n    visibility_m: 59800\n    wind_direction_deg: 280\n    wind_speed_kmh: 15.8\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 27.0\n    sunshine_minutes: 12.0\n    solar: 0.248\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n    fallback_source_ids_precipitation_probability: 2382\n  - time: "10:00"\n    timestamp: "2026-06-18T10:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 23.2\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 5\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 100\n    relative_humidity_pct: 68\n    dew_point_c: 17.0\n    pressure_msl_hpa: 1019.7\n    visibility_m: 45500\n    wind_direction_deg: 280\n    wind_speed_kmh: 15.8\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 27.0\n    sunshine_minutes: 42.0\n    solar: 0.517\n    source_id: 6150\n    fallback_source_ids_sunshine: 6148\n    fallback_source_ids_solar: 6147\n    fallback_source_ids_precipitation_probability: 2382\n  - time: "11:00"\n    timestamp: "2026-06-18T11:00:00+02:00"\n    condition: dry\n    icon: cloudy\n    temperature_c: 23.7\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 5\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 82\n    relative_humidity_pct: null\n    dew_point_c: 16.3\n    pressure_msl_hpa: 1019.4\n    visibility_m: 33400\n    wind_direction_deg: 269\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 27.8\n    sunshine_minutes: 32.0\n    solar: 0.514\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "12:00"\n    timestamp: "2026-06-18T12:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 24.6\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 3\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 78\n    relative_humidity_pct: null\n    dew_point_c: 16.4\n    pressure_msl_hpa: 1019.0\n    visibility_m: 32800\n    wind_direction_deg: 274\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 29.6\n    sunshine_minutes: 32.0\n    solar: 0.6\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "13:00"\n    timestamp: "2026-06-18T13:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 25.4\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 4\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 74\n    relative_humidity_pct: null\n    dew_point_c: 16.4\n    pressure_msl_hpa: 1018.7\n    visibility_m: 31600\n    wind_direction_deg: 282\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 31.5\n    sunshine_minutes: 33.0\n    solar: 0.653\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "14:00"\n    timestamp: "2026-06-18T14:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 26.4\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 3\n    precipitation_probability_6h_pct: 8\n    cloud_cover_pct: 72\n    relative_humidity_pct: null\n    dew_point_c: 16.0\n    pressure_msl_hpa: 1018.4\n    visibility_m: 32600\n    wind_direction_deg: 283\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 31.5\n    sunshine_minutes: 34.0\n    solar: 0.656\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "15:00"\n    timestamp: "2026-06-18T15:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 27.1\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 4\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 71\n    relative_humidity_pct: null\n    dew_point_c: 15.9\n    pressure_msl_hpa: 1018.1\n    visibility_m: 35000\n    wind_direction_deg: 288\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 31.5\n    sunshine_minutes: 34.0\n    solar: 0.614\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "16:00"\n    timestamp: "2026-06-18T16:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 27.5\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 3\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 70\n    relative_humidity_pct: null\n    dew_point_c: 15.9\n    pressure_msl_hpa: 1017.8\n    visibility_m: 34900\n    wind_direction_deg: 291\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 31.5\n    sunshine_minutes: 37.0\n    solar: 0.564\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "17:00"\n    timestamp: "2026-06-18T17:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 28.1\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 1\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 67\n    relative_humidity_pct: null\n    dew_point_c: 15.7\n    pressure_msl_hpa: 1017.6\n    visibility_m: 35200\n    wind_direction_deg: 294\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 31.5\n    sunshine_minutes: 42.0\n    solar: 0.517\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "18:00"\n    timestamp: "2026-06-18T18:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 28.3\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 1\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 63\n    relative_humidity_pct: null\n    dew_point_c: 15.6\n    pressure_msl_hpa: 1017.3\n    visibility_m: 36200\n    wind_direction_deg: 299\n    wind_speed_kmh: 13.0\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 29.6\n    sunshine_minutes: 43.0\n    solar: 0.422\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "19:00"\n    timestamp: "2026-06-18T19:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 28.1\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 1\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 62\n    relative_humidity_pct: null\n    dew_point_c: 15.7\n    pressure_msl_hpa: 1017.3\n    visibility_m: 36600\n    wind_direction_deg: 304\n    wind_speed_kmh: 11.1\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 25.9\n    sunshine_minutes: 37.0\n    solar: 0.297\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "20:00"\n    timestamp: "2026-06-18T20:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 27.2\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 1\n    precipitation_probability_6h_pct: 2\n    cloud_cover_pct: 56\n    relative_humidity_pct: null\n    dew_point_c: 15.8\n    pressure_msl_hpa: 1017.3\n    visibility_m: 37300\n    wind_direction_deg: 311\n    wind_speed_kmh: 11.1\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 24.1\n    sunshine_minutes: 33.0\n    solar: 0.172\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "21:00"\n    timestamp: "2026-06-18T21:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-day\n    temperature_c: 25.8\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 2\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 55\n    relative_humidity_pct: null\n    dew_point_c: 15.9\n    pressure_msl_hpa: 1017.4\n    visibility_m: 37100\n    wind_direction_deg: 337\n    wind_speed_kmh: 9.3\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 20.4\n    sunshine_minutes: 22.0\n    solar: 0.058\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "22:00"\n    timestamp: "2026-06-18T22:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-night\n    temperature_c: 24.0\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 2\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 50\n    relative_humidity_pct: null\n    dew_point_c: 16.1\n    pressure_msl_hpa: 1017.7\n    visibility_m: 36100\n    wind_direction_deg: 17\n    wind_speed_kmh: 9.3\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 16.7\n    sunshine_minutes: 11.0\n    solar: 0.006\n    source_id: 2382\n    fallback_source_ids: null\n  - time: "23:00"\n    timestamp: "2026-06-18T23:00:00+02:00"\n    condition: dry\n    icon: partly-cloudy-night\n    temperature_c: 22.6\n    precipitation_mm: 0.0\n    precipitation_probability_pct: 1\n    precipitation_probability_6h_pct: null\n    cloud_cover_pct: 46\n    relative_humidity_pct: null\n    dew_point_c: 16.4\n    pressure_msl_hpa: 1018.0\n    visibility_m: 35700\n    wind_direction_deg: 61\n    wind_speed_kmh: 9.3\n    wind_gust_direction_deg: null\n    wind_gust_speed_kmh: 16.7\n    sunshine_minutes: 0.0\n    solar: 0.0\n    source_id: 2382\n    fallback_source_ids: null\nsource_provider: Deutscher Wetterdienst (DWD)\nsource_station_name: BERLIN-ALEX.\nsource_dwd_station_id: "00399"\nsource_wmo_station_id: "10389"\nsource_observation_type: forecast\nsource_distance_m: 805.0\nsource_lat: 52.52\nsource_lon: 13.42\nsource_height_m: 37.0\nsource_first_record: "2026-06-18T08:00:00+02:00"\nsource_last_record: "2026-06-28T12:00:00+02:00"\ndata_quality_hourly_rows: 24\ndata_quality_raw_source_count: 7\nembed_ref: berlin-weather-2026-mF7\napp_id: weather\nskill_id: forecast',
+      "parent_embed_id": "324eba33-3622-409c-b401-183f95d6183e",
+      "embed_ids": null
+    },
+    {
+      "embed_id": "4d855526-af41-47cf-a354-c769f3098c94",
+      "type": "weather_day",
+      "content": 'type: weather_day\ntitle: Berlin weather 2026-06-19\ndate: 2026-06-19\nlabel: tomorrow\nlocation_name: Berlin\ncountry_code: DE\ntimezone: Europe/Berlin\nprovider: Deutscher Wetterdienst (DWD)\ncondition: dry\nicon: partly-cloudy-day\ntemperature_min_c: 18.4\ntemperature_max_c: 32.0\nprecipitation_total_mm: 0\nprecipitation_probability_max_pct: 4\nrain_hours: 0\nwind_speed_max_kmh: 11.1\nwind_gust_speed_max_kmh: 25.9\ncloud_cover_avg_pct: 58.7\nrelative_humidity_avg_pct: null\nhourly[24]{time,timestamp,condition,icon,temperature_c,precipitation_mm,precipitation_probability_pct,precipitation_probability_6h_pct,cloud_cover_pct,relative_humidity_pct,dew_point_c,pressure_msl_hpa,visibility_m,wind_direction_deg,wind_speed_kmh,wind_gust_direction_deg,wind_gust_speed_kmh,sunshine_minutes,solar,source_id,fallback_source_ids}:\n  "00:00","2026-06-19T00:00:00+02:00",dry,partly-cloudy-night,21.3,0.0,1,null,43,null,16.7,1018.2,37100,91,9.3,null,16.7,0.0,0.0,2382,null\n  "01:00","2026-06-19T01:00:00+02:00",dry,partly-cloudy-night,20.6,0.0,1,null,39,null,16.7,1018.4,38100,96,9.3,null,16.7,0.0,0.0,2382,null\n  "02:00","2026-06-19T02:00:00+02:00",dry,partly-cloudy-night,19.7,0.0,1,1,42,null,16.8,1018.2,39100,110,9.3,null,16.7,0.0,0.0,2382,null\n  "03:00","2026-06-19T03:00:00+02:00",dry,partly-cloudy-night,19.2,0.0,1,null,49,null,16.7,1018.2,37900,113,9.3,null,16.7,0.0,0.0,2382,null\n  "04:00","2026-06-19T04:00:00+02:00",dry,partly-cloudy-night,18.9,0.0,1,null,53,null,16.8,1018.1,36200,113,9.3,null,16.7,0.0,0.0,2382,null\n  "05:00","2026-06-19T05:00:00+02:00",dry,partly-cloudy-day,18.4,0.0,2,null,58,null,16.9,1018.1,34900,121,9.3,null,16.7,6.0,0.0,2382,null\n  "06:00","2026-06-19T06:00:00+02:00",dry,partly-cloudy-day,18.7,0.0,1,null,64,null,17.2,1018.2,31700,127,7.4,null,14.8,15.0,0.022,2382,null\n  "07:00","2026-06-19T07:00:00+02:00",dry,partly-cloudy-day,20.0,0.0,1,null,66,null,17.6,1018.3,29900,131,7.4,null,14.8,24.0,0.097,2382,null\n  "08:00","2026-06-19T08:00:00+02:00",dry,partly-cloudy-day,21.9,0.0,2,3,68,null,17.8,1018.3,31100,137,7.4,null,13.0,30.0,0.192,2382,null\n  "09:00","2026-06-19T09:00:00+02:00",dry,partly-cloudy-day,23.9,0.0,2,null,69,null,17.7,1018.4,30400,145,7.4,null,14.8,36.0,0.311,2382,null\n  "10:00","2026-06-19T10:00:00+02:00",dry,partly-cloudy-day,25.7,0.0,3,null,69,null,17.6,1018.3,31600,151,7.4,null,16.7,40.0,0.442,2382,null\n  "11:00","2026-06-19T11:00:00+02:00",dry,partly-cloudy-day,28.2,0.0,2,null,68,null,17.3,1018.2,32900,141,7.4,null,18.5,42.0,0.533,2382,null\n  "12:00","2026-06-19T12:00:00+02:00",dry,partly-cloudy-day,29.2,0.0,4,null,70,null,17.4,1018.2,32500,155,9.3,null,20.4,40.0,0.608,2382,null\n  "13:00","2026-06-19T13:00:00+02:00",dry,partly-cloudy-day,30.2,0.0,3,null,67,null,17.2,1017.9,31600,156,9.3,null,24.1,41.0,0.65,2382,null\n  "14:00","2026-06-19T14:00:00+02:00",dry,partly-cloudy-day,31.2,0.0,2,3,65,null,16.9,1017.5,29900,151,9.3,null,24.1,43.0,0.683,2382,null\n  "15:00","2026-06-19T15:00:00+02:00",dry,partly-cloudy-day,31.6,0.0,2,null,66,null,17.0,1017.3,29200,153,9.3,null,25.9,44.0,0.658,2382,null\n  "16:00","2026-06-19T16:00:00+02:00",dry,partly-cloudy-day,31.8,0.0,3,null,66,null,16.9,1016.8,28800,157,9.3,null,24.1,47.0,0.603,2382,null\n  "17:00","2026-06-19T17:00:00+02:00",dry,partly-cloudy-day,32.0,0.0,2,null,64,null,17.1,1016.4,29200,140,9.3,null,24.1,49.0,0.536,2382,null\n  "18:00","2026-06-19T18:00:00+02:00",dry,partly-cloudy-day,31.7,0.0,2,null,61,null,17.1,1016.2,31800,142,9.3,null,22.2,47.0,0.431,2382,null\n  "19:00","2026-06-19T19:00:00+02:00",dry,partly-cloudy-day,30.8,0.0,2,null,62,null,17.1,1016.2,30700,122,9.3,null,22.2,41.0,0.294,2382,null\n  "20:00","2026-06-19T20:00:00+02:00",dry,partly-cloudy-day,29.4,0.0,2,7,57,null,17.3,1016.1,31700,112,9.3,null,22.2,34.0,0.167,2382,null\n  "21:00","2026-06-19T21:00:00+02:00",dry,partly-cloudy-day,27.6,0.0,1,null,54,null,17.3,1016.4,31900,108,9.3,null,22.2,23.0,0.058,2382,null\n  "22:00","2026-06-19T22:00:00+02:00",dry,partly-cloudy-night,26.1,0.0,4,null,49,null,17.8,1016.9,31700,114,11.1,null,22.2,12.0,0.008,2382,null\n  "23:00","2026-06-19T23:00:00+02:00",dry,partly-cloudy-night,24.6,0.0,1,null,40,null,17.9,1017.1,32400,115,11.1,null,22.2,0.0,0.0,2382,null\nsource_provider: Deutscher Wetterdienst (DWD)\nsource_station_name: BERLIN-ALEX.\nsource_dwd_station_id: "00399"\nsource_wmo_station_id: "10389"\nsource_observation_type: forecast\nsource_distance_m: 805.0\nsource_lat: 52.52\nsource_lon: 13.42\nsource_height_m: 37.0\nsource_first_record: "2026-06-18T08:00:00+02:00"\nsource_last_record: "2026-06-28T12:00:00+02:00"\ndata_quality_hourly_rows: 24\ndata_quality_raw_source_count: 7\nembed_ref: berlin-weather-2026-Pa5\napp_id: weather\nskill_id: forecast',
+      "parent_embed_id": "324eba33-3622-409c-b401-183f95d6183e",
+      "embed_ids": null
+    }
+  ],
+  metadata: {
+    featured: true,
+    order: 104,
+    app_skill_examples: ["weather.forecast"]
+  }
+};
+
 // ../ui/src/demo_chats/exampleChatData.ts
 var ALL_EXAMPLE_CHATS = [
   giganticAirplanesChat,
@@ -22977,7 +23608,9 @@ var ALL_EXAMPLE_CHATS = [
   berlinCentralStationMapLocationChat,
   launchReadinessChecklistDocChat,
   rostockHeavyRainRadarChat,
-  classicCarReverseImageSearchChat
+  classicCarReverseImageSearchChat,
+  usbC3v3LdoPcbSchematicChat,
+  berlinMorningBikeForecastChat
 ].sort((a, b) => a.metadata.order - b.metadata.order);
 
 // ../ui/src/i18n/locales/en.json
@@ -24607,6 +25240,30 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
         ai_generated: {
           text: "AI generated"
         },
+        authentic: {
+          text: "Authentic"
+        },
+        ai_generated_chance: {
+          text: "{percentage} chance it's AI generated"
+        },
+        via_provider_prefix: {
+          text: "via"
+        },
+        via_provider: {
+          text: "via {provider}"
+        },
+        detection_limitations: {
+          text: "Pixel-based detection is useful for photos and art, including many compressed or re-shared images. It is not definitive; heavy degradation, UI-heavy screenshots, screen or print recaptures, and new generators may need human judgment."
+        },
+        detection_failed_title: {
+          text: "AI detection unavailable"
+        },
+        detection_failed_retry: {
+          text: "AI detection failed temporarily. Try again later."
+        },
+        detection_failed_description: {
+          text: "The image upload succeeded, but Sightengine did not return a usable AI-detection score for this attempt."
+        },
         signup_to_upload: {
           text: "Signup to upload\u2026"
         }
@@ -25398,6 +26055,12 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
         text: "Get coding help, docs & project advice."
       }
     },
+    diagrams: {
+      text: "Diagrams",
+      description: {
+        text: "Create flowcharts, sequences, timelines & more."
+      }
+    },
     docs: {
       text: "Docs",
       description: {
@@ -25582,9 +26245,40 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
     }
   },
   chat: {
+    generated_by_cost: {
+      text: "Cost: {credits} credits"
+    },
     new_chat: {
       text: "New chat"
     },
+    request_feature: {
+      text: "Request feature"
+    },
+    request_feature_prefill: {
+      text: "Requested feature:"
+    },
+    assistant_feedback: {
+      rate_label: {
+        text: "Rate assistant response:"
+      },
+      star_label: {
+        text: "Rate {count} out of 5"
+      },
+      submit: {
+        text: "Submit"
+      },
+      thanks: {
+        text: "Thanks for the feedback!"
+      },
+      report_title: {
+        text: "Assistant response quality bad:"
+      }
+    },
+    anonymous_free_usage: {
+      feature_notice: {
+        text: "You are using free anonymous credits. File uploads, memories, chat sync, and some other features require creating an account."
+      }
+    },
     interactive_question_failed: {
       text: "Failed to display question."
     },
@@ -25651,8 +26345,38 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       approve: {
         text: "Approve once"
       },
+      approve_selected: {
+        text: "Approve selected"
+      },
       loading: {
         text: "Approving..."
+      },
+      account: {
+        text: "Account"
+      },
+      request_title: {
+        text: "Requested {action} action"
+      },
+      calendar: {
+        text: "Calendar"
+      },
+      event_title: {
+        text: "Event"
+      },
+      event_id: {
+        text: "Event ID"
+      },
+      start: {
+        text: "Start"
+      },
+      end: {
+        text: "End"
+      },
+      from: {
+        text: "From"
+      },
+      to: {
+        text: "To"
       }
     },
     connected_account_receipts: {
@@ -25668,6 +26392,9 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       cancelled: {
         text: "{action} cancelled."
       },
+      pending_cancel: {
+        text: "{action} auto-approved. Press to cancel before it starts."
+      },
       failed: {
         text: "{action} could not be completed."
       },
@@ -25683,6 +26410,18 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       undo_failed: {
         text: "Could not undo this action."
       },
+      press_to_cancel: {
+        text: "Press to cancel"
+      },
+      cancelling: {
+        text: "Cancelling..."
+      },
+      cancel_started: {
+        text: "Action cancelled"
+      },
+      cancel_failed: {
+        text: "Could not cancel this action."
+      },
       undo_available: {
         text: "Undo is available."
       },
@@ -28989,6 +29728,50 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       },
       electrical: {
         text: "Electrical"
+      },
+      pcb_schematic: {
+        title: {
+          text: "PCB schematic"
+        },
+        prepare_files: {
+          text: "Prepare PCB files"
+        },
+        preparing: {
+          text: "Preparing PCB files"
+        },
+        prepared: {
+          text: "PCB files prepared"
+        },
+        prepare_failed: {
+          text: "PCB file preparation failed"
+        },
+        show_logs: {
+          text: "Show logs"
+        },
+        hide_logs: {
+          text: "Hide logs"
+        },
+        logs: {
+          text: "Compile logs"
+        },
+        no_logs: {
+          text: "No logs available."
+        },
+        artifacts: {
+          text: "Prepared files"
+        },
+        safety_note: {
+          text: "Atopile source is compiled in a sandbox before KiCad and project files are prepared."
+        },
+        copied: {
+          text: "PCB schematic copied"
+        },
+        copy_failed: {
+          text: "Could not copy PCB schematic"
+        },
+        download_failed: {
+          text: "Could not download PCB schematic"
+        }
       }
     },
     math: {
@@ -28999,6 +29782,11 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
         text: "Plot"
       }
     },
+    diagrams: {
+      mermaid: {
+        text: "Mermaid Diagram"
+      }
+    },
     mail: {
       email: {
         text: "Email Draft"
@@ -29178,6 +29966,15 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       },
       drop_files: {
         text: "Drop files to upload"
+      },
+      signup_required_title: {
+        text: "Create an account to upload files"
+      },
+      signup_required_body: {
+        text: "Your message draft will be kept, but files are only uploaded after signup. Remove the file to keep chatting without an account."
+      },
+      remove_pending_file: {
+        text: "Remove file"
       }
     },
     file_size_limits: {
@@ -29249,6 +30046,9 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
     click_to_add_text: {
       text: "Click here to add text"
     },
+    anonymous_terms_reminder: {
+      text: "By sending a message you accept the terms & privacy policy of OpenMates."
+    },
     send: {
       text: "Send"
     },
@@ -29620,6 +30420,38 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
         text: '```json\n{"type": "app_skill_use", "embed_id": "7fbf38fc-1126-46b3-bdf4-60bfb1e3197f", "app_id": "health", "skill_id": "search_appointments"}\n```\n\nI found several excellent options for an English-speaking [dermatology](wiki:Dermatology) routine skin check (Hautkrebsvorsorge) in [Berlin Mitte](wiki:Mitte_(locality)) with immediate availability.\n\nBased on your request for English-speaking doctors in Mitte, here are the best options for a routine skin cancer screening:\n\n### **Top Recommendations in Berlin Mitte**\n\n```json\n{"type": "sheet", "embed_id": "08e6061c-e224-46d4-8ac7-7318d0279b57"}\n```\n\n\n### **Additional Options (Nearby)**\nIf those do not suit your schedule, there are also appointments available slightly outside of Mitte:\n*   **HLCP Haut- und Lasercentrum**: Located at Kurf\xFCrstendamm 96 (Charlottenburg). They speak several languages including English and have slots starting tomorrow, June 9th.\n*   **Meike Schr\xF6der**: Located at Clayallee 343 (Zehlendorf). They have slots available on June 9th and June 11th.\n\n**Important Note on Insurance:**\nMost of the immediate appointments found are in private practices or for "self-paying" patients. If you have public health insurance (GKV), please confirm during booking if the screening is covered or if it is a private service (IGeL).\n\nWould you like me to help you [set a reminder](/#settings/apps/reminder) to follow up on this appointment, or should I search for more options further into next week?\n---\n*\u26A0\uFE0F This is educational information only and not medical advice. Consult your doctor for medical decisions.*'
       }
     },
+    berlin_morning_bike_forecast: {
+      title: {
+        text: "Berlin Morning Bike Forecast"
+      },
+      summary: {
+        text: "A concise Berlin weather forecast that helps decide whether to bike to Tempelhofer Feld."
+      },
+      message_1: {
+        text: "@skill:weather:forecast What's the weather forecast for Berlin tomorrow morning, and should I bike to Tempelhofer Feld? Keep the answer concise."
+      },
+      message_2: {
+        text: '```json\n{"type": "app_skill_use", "embed_id": "324eba33-3622-409c-b401-183f95d6183e", "app_id": "weather", "skill_id": "forecast", "query": "Berlin weather forecast", "provider": "Deutscher Wetterdienst (DWD) + Open-Meteo", "location": "Berlin"}\n```\n\nTomorrow morning in [Berlin](wiki:Berlin) (Friday, June 19, 2026), the weather will be dry and partly cloudy, with temperatures starting around 18\u201320\xB0C and rising quickly toward a high of 32\xB0C.\n\n**Should you bike to [Tempelhofer Feld](wiki:Tempelhofer_Feld)?**\nYes, it\'s a great idea! Conditions are ideal for biking:\n*   **Dry:** No rain expected (4% probability).\n*   **Calm:** Wind speeds are light (approx. 11 km/h).\n*   **Morning Window:** Biking in the morning is highly recommended to avoid the afternoon heat peak of 32\xB0C, especially since the airfield offers very little shade.\n\n**What\'s your plan for the rest of the day?**\n*   Would you like to find a [beer garden](wiki:Beer_garden) or cafe near Tempelhof to cool off afterward?\n*   Do you need a more detailed [hourly forecast](/#settings/apps/weather) to time your ride perfectly?'
+      },
+      follow_up_1: {
+        text: "Search for bike-friendly cafes near Tempelhofer Feld"
+      },
+      follow_up_2: {
+        text: "What are some must-see spots at Tempelhofer Feld?"
+      },
+      follow_up_3: {
+        text: "Find the hourly weather forecast for Berlin tomorrow"
+      },
+      follow_up_4: {
+        text: "How should I prepare for biking in Berlin's summer heat?"
+      },
+      follow_up_5: {
+        text: "Show me the best cycling routes to Tempelhofer Feld"
+      },
+      follow_up_6: {
+        text: "Are there any events happening at Tempelhofer Feld tomorrow?"
+      }
+    },
     berlin_weather_bike_commute: {
       title: {
         text: "Berlin Weather and Bike Commute Advice"
@@ -31021,6 +31853,38 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
       sub_chat_3_message_1: {
         text: "Research market concentration in the US egg producer industry (e.g., Cal-Maine Foods' profit margins, price-fixing lawsuits) and the role of retailer/grocery store markup margins in keeping egg prices high post-avian flu. Distinguish confirmed data from inferred conclusions."
       }
+    },
+    usb_c_3v3_ldo_pcb_schematic: {
+      title: {
+        text: "USB-C 3.3V LDO PCB Schematic"
+      },
+      summary: {
+        text: "Design and prepare a compilable Atopile PCB schematic for a USB-C powered 3.3V regulator circuit."
+      },
+      message_1: {
+        text: "Create a simple compilable Atopile 0.15.7 PCB schematic for a 5V USB-C input feeding a 3.3V LDO rail with a power indicator diode and input/output decoupling capacitors."
+      },
+      message_2: {
+        text: 'Here is a compact Atopile 0.15.7 starting point for a USB-C powered 3.3V regulator stage. It keeps the schematic self-contained, uses `module App` as the build entry, models the USB-C input and LDO as simple power-interface modules, and adds 10uF/1uF decoupling plus a diode indicator on the regulated rail.\n\n```json\n{"type": "pcb_schematic", "embed_id": "46d63593-516e-49b5-8e7d-600c4fe18836"}\n```\n\nThe source is ready for the PCB preparation flow: OpenMates can send it to the sandboxed Atopile compiler, show the build status, and expose the generated source bundle when the build succeeds.'
+      },
+      follow_up_1: {
+        text: "Add voltage constraints to the 5V and 3.3V rails"
+      },
+      follow_up_2: {
+        text: "Choose manufacturer parts for the LDO and diode"
+      },
+      follow_up_3: {
+        text: "Add USB-C connector details and CC resistors"
+      },
+      follow_up_4: {
+        text: "Add an enable pin to the regulator"
+      },
+      follow_up_5: {
+        text: "Prepare PCB files from this schematic"
+      },
+      follow_up_6: {
+        text: "Explain the decoupling capacitor choices"
+      }
     }
   },
   focus_modes: {
@@ -32176,1014 +33040,1014 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
           text: "Groq Privacy Policy"
         }
       },
-      revolut_business: {
-        heading: {
-          text: "3.15 Revolut Business (SEPA Bank Transfer)"
-        },
-        description: {
-          text: "We use Revolut Bank UAB (Lithuania, EU) as our receiving bank for SEPA bank transfers. When you choose to pay via bank transfer, we display our Revolut IBAN to you. Revolut notifies us via a cryptographically signed webhook when a transfer arrives. We do not send your personal data to Revolut \u2014 only the transaction reference, amount, and Revolut's own transaction ID are processed."
-        },
-        privacy_policy_link: {
-          text: "Revolut Privacy Policy"
-        }
-      },
-      flightradar24: {
-        heading: {
-          text: "3.16 Flightradar24"
-        },
-        description: {
-          text: 'When you request real flight track data using the "Get flight track" skill, we query Flightradar24 to retrieve historical GPS track data for completed flights. Flightradar24 receives the flight number and departure date. No personal data is shared.'
+      providers: {
+        payments: {
+          revolut_business: {
+            heading: {
+              text: "3.15 Revolut Business (SEPA Bank Transfer)"
+            },
+            description: {
+              text: "We use Revolut Bank UAB (Lithuania, EU) as our receiving bank for SEPA bank transfers. When you choose to pay via bank transfer, we display our Revolut IBAN to you. Revolut notifies us via a cryptographically signed webhook when a transfer arrives. We do not send your personal data to Revolut \u2014 only the transaction reference, amount, and Revolut's own transaction ID are processed."
+            },
+            privacy_policy_link: {
+              text: "Revolut Privacy Policy"
+            }
+          },
+          heading: {
+            text: "Payment providers (only when you purchase credits)"
+          },
+          description: {
+            text: "These providers are only used when you purchase credits, subscribe to monthly auto top-up, or receive a refund. If you never make a purchase, none of your data is shared with them."
+          },
+          stripe: {
+            heading: {
+              text: "Stripe (primary payment processor)"
+            },
+            description: {
+              text: "Stripe processes one-time credit purchases and monthly auto top-up subscriptions. We send Stripe your email address, a tokenized payment method (we never see your card number), billing address and VAT information when required for invoicing, and transaction metadata."
+            }
+          }
         },
-        privacy_policy_link: {
-          text: "Flightradar24 Privacy Policy"
-        }
-      },
-      security_measures: {
         heading: {
-          text: "4. Security Measures"
+          text: "When each provider is used"
         },
         intro: {
-          text: "We implement various security measures to protect your account and data in the web application:"
+          text: "Most of the providers below are only reached when you use a specific feature \u2014 for example, image generation providers are only used when you invoke an image skill. The groups below tell you exactly which providers are involved for each feature, so you can opt in or out of data sharing by choosing which features to use."
         },
-        device_fingerprinting: {
-          subheading: {
-            text: "Device Fingerprinting"
+        always_active: {
+          heading: {
+            text: "Always active (used for every user)"
           },
-          purpose: {
-            text: "To enhance account security, prevent fraudulent access, and distinguish between new and recognized devices during login and session validation, we collect User-Agent strings (browser, OS, device type information) and IP addresses (used temporarily to derive approximate geo-location like country/city, then discarded from the device record)."
+          description: {
+            text: "These providers are used for every user, regardless of which features you use. Using OpenMates at all means your data passes through them."
           },
-          storage: {
-            text: "A unique, stable hash is generated based on a combination of the collected signals. This hash is the only value stored in the device record. Browser/OS type and derived country code may be used transiently for risk assessment and notifications but are not stored with the device record. Raw IP addresses are NOT stored as part of the device record itself."
+          vercel: {
+            heading: {
+              text: "Vercel (frontend hosting)"
+            },
+            description: {
+              text: "We use Vercel to host the static frontend of our website and web app. Vercel receives page requests and serves static assets."
+            }
           },
-          ip_logging: {
-            text: "For security monitoring and abuse prevention, IP addresses associated with failed login attempts (invalid password or 2FA code) may be logged with limited retention. In addition, certain security/compliance events (e.g., successful backup-code logins) may be logged with IP for audit purposes. IP addresses are also used for rate limiting login attempts."
+          hetzner: {
+            heading: {
+              text: "Hetzner (backend, database, storage, observability)"
+            },
+            description: {
+              text: "We host all of our backend services \u2014 API servers, Directus CMS, Postgres database, Redis caches, S3-compatible object storage, and our self-hosted OpenObserve observability platform \u2014 on Hetzner infrastructure in the EU. OpenObserve runs on our own Hetzner servers and is not a third-party service; traces never leave the EU."
+            }
+          },
+          brevo: {
+            heading: {
+              text: "Brevo (transactional email)"
+            },
+            description: {
+              text: "We use Brevo to send transactional email \u2014 account verification, password reset links, payment receipts, and credit notes \u2014 and, if you opt in, the OpenMates newsletter. If you are an existing OpenMates customer (i.e. you have completed a purchase), we may also send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)); you can object in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email. Brevo sees recipient email addresses and the content of the emails we send you."
+            }
+          },
+          ip_api: {
+            heading: {
+              text: "IP-API (IP geolocation)"
+            },
+            description: {
+              text: "We use IP-API to resolve IP addresses to approximate geolocation for abuse prevention, rate limiting, and regional compliance. The resolved country and city are used transiently and are not stored against your account."
+            }
+          },
+          sightengine: {
+            heading: {
+              text: "Sightengine (image and video moderation)"
+            },
+            description: {
+              text: "Every image and video you upload is scanned by Sightengine for safety moderation before it is stored. Sightengine sees the image or video content."
+            }
+          },
+          api_video: {
+            heading: {
+              text: "api.video (product video hosting)"
+            },
+            description: {
+              text: "We use api.video (EU company, France) to host and stream product demo and feature walkthrough videos shown on our website and web app. When you watch a video, your IP address and basic viewing data are processed by api.video. No user account identifiers are shared."
+            }
           }
-        }
-      },
-      data_categories: {
-        heading: {
-          text: "5. Data Categories We Collect and Process"
-        },
-        intro: {
-          text: "We collect and process the following categories of data to operate and secure our services:"
-        },
-        account: {
-          text: "Account: Email address, username/display name, profile image, locale, and security settings (e.g., 2FA enabled). Email and username are encrypted with your key before storage. We also keep a separate server-side Vault-encrypted copy of your verified email address for mandatory account lifecycle notices, such as account verification, security alerts, and deletion reminders. Passwords are stored as salted hashes."
-        },
-        usage: {
-          text: "Usage: Server logs, event timestamps, feature usage, error logs, and device recognition identifiers (hashed). IP addresses may be temporarily processed for security and rate limiting."
-        },
-        content: {
-          text: "Content: Chat messages, prompts, attachments, and uploaded images/videos necessary to deliver the service (subject to moderation where applicable)."
-        },
-        payments: {
-          text: "Payments: Payment method tokens, transaction IDs, billing address and VAT information as required for invoicing (processed primarily by Stripe). We do not store full card numbers."
-        },
-        newsletter: {
-          text: "Newsletter: If you choose to subscribe to our newsletter, we store your email address in encrypted form. Newsletter subscription is optional and separate from account creation \u2014 creating an account does not automatically subscribe you to the newsletter. If you are an OpenMates customer (i.e. you have completed a purchase), we may additionally send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)). You can object to this at any time in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email, without affecting your account."
-        },
-        stability_logs: {
-          text: "Stability Logs: To diagnose technical errors, anonymized browser console logs (error messages, component status, connection events) are collected from authenticated users and stored for up to 48 hours. If an error occurs, surrounding context is retained for up to 14 days. No message content, chat titles, names, email addresses, or other personally identifiable information is included. A random session identifier (generated per browser tab, not linked to your account) is used for log correlation. You can disable this at any time in Settings > Privacy > Stability Logs."
-        }
-      },
-      data_retention: {
-        heading: {
-          text: "6. Data Retention"
-        },
-        account: {
-          text: "Account data: Retained until account deletion and completion of related legal obligations."
-        },
-        usage_and_logs: {
-          text: "Usage and logs: Operational logs retained up to 12 months; IPs tied to failed logins up to 30 days for security."
-        },
-        device_fingerprints: {
-          text: "Device fingerprints: Retained until account deletion or manual removal from account settings (when available)."
-        },
-        content: {
-          text: "Content: Retained until the user deletes the content or closes the account, subject to backup cycles."
-        },
-        payments_and_invoices: {
-          text: "Payments and invoices: Retained up to 10 years where required by tax/commercial law."
-        },
-        compliance_logs: {
-          text: "**Compliance logs:** audit logs retained 2 years (BSI \xA734 BDSG); financial compliance logs retained 10 years (AO \xA7147 and HGB \xA7257)"
-        },
-        observability_traces: {
-          text: "**Observability traces:** up to 30 days; user IDs in traces use a hash that rotates every 24 hours, so older traces cannot be joined to a specific user"
-        },
-        user_data_backups: {
-          text: "**User data backups:** 60 days via S3 lifecycle; backups contain only ciphertext encrypted with your own key"
-        }
-      },
-      legal_basis: {
-        heading: {
-          text: "7. Legal Basis for Processing (GDPR)"
-        },
-        contract: {
-          text: "Contract: Processing necessary to perform our contract with you or to take steps at your request prior to entering into a contract (e.g., account creation, delivering web app features)."
-        },
-        consent: {
-          text: "Consent: Processing based on your consent, where applicable (e.g., optional communications, certain analytics or marketing where used). You can withdraw consent at any time."
-        },
-        legitimate_interests: {
-          text: "Legitimate interests: Processing necessary for our legitimate interests, such as service security, fraud prevention, abuse detection, and improving the service, provided these interests are not overridden by your rights and interests."
         },
-        direct_marketing: {
-          text: "Direct marketing to existing customers: For existing OpenMates customers (users who have completed a purchase), we may rely on Art. 6(1)(f) GDPR (legitimate interests) in combination with \xA77 Abs. 3 UWG and ePrivacy Directive Art. 13(2) to send occasional product announcements, service updates, and marketing about OpenMates' own similar services. Each such email includes a clearly visible one-click unsubscribe link, and you can also manage these preferences at any time in Settings \u2192 Newsletter. You can object to this processing at any time without giving reasons (Art. 21 GDPR)."
-        },
-        legal_obligation: {
-          text: "Legal obligation: Processing necessary to comply with legal obligations (e.g., tax and accounting requirements for invoices and transaction records)."
-        }
-      },
-      legal_rights: {
-        heading: {
-          text: "8. Your Privacy Rights"
-        },
-        intro: {
-          text: "Depending on your jurisdiction, you may have certain rights over your personal data. The following summarizes key rights under GDPR and CCPA/CPRA and how to exercise them:"
-        },
-        gdpr: {
-          subheading: {
-            text: "GDPR (EU/EEA)"
+        ai_models: {
+          heading: {
+            text: "AI model providers (only when you use a model that routes through them)"
           },
-          access: {
-            text: "Right of access"
+          description: {
+            text: 'OpenMates routes AI requests to different providers depending on which model you select. Before any message is sent to a provider in this group, your browser replaces real names, emails, and physical addresses with placeholders (see the "PII placeholder substitution" measure above). You can always see which provider a model uses in the model details panel in AI settings.'
           },
-          rectification: {
-            text: "Right to rectification"
+          mistral: {
+            heading: {
+              text: "Mistral (EU direct)"
+            },
+            description: {
+              text: "Mistral hosts its own family of models in the EU. Only used when you select a Mistral model. Mistral receives your chat messages with PII placeholders already substituted client-side."
+            }
           },
-          erasure: {
-            text: "Right to erasure ('right to be forgotten')"
+          aws_bedrock: {
+            heading: {
+              text: "AWS Bedrock (EU region, primary Claude path)"
+            },
+            description: {
+              text: "AWS Bedrock hosts Anthropic Claude models in its Frankfurt EU region. This is the primary path for Claude requests. AWS receives your chat messages with PII placeholders already substituted client-side."
+            }
           },
-          restriction: {
-            text: "Right to restriction of processing"
+          anthropic: {
+            heading: {
+              text: "Anthropic (US, fallback Claude path)"
+            },
+            description: {
+              text: "Anthropic's direct API is used as a fallback path for Claude models when AWS Bedrock is unreachable. Anthropic is based in the US and receives your chat messages with PII placeholders already substituted client-side."
+            }
           },
-          portability: {
-            text: "Right to data portability"
+          openai: {
+            heading: {
+              text: "OpenAI (US)"
+            },
+            description: {
+              text: "OpenAI processes requests for GPT-family models when you select one. OpenAI receives your chat messages with PII placeholders already substituted client-side."
+            }
           },
-          objection: {
-            text: "Right to object"
+          openrouter: {
+            heading: {
+              text: "OpenRouter (US, routing aggregator)"
+            },
+            description: {
+              text: "OpenRouter is used as a routing aggregator for several third-party models, including Cerebras-hosted models. OpenRouter sees your chat messages with PII placeholders substituted client-side and forwards them to the underlying model host."
+            }
           },
-          withdraw_consent: {
-            text: "Right to withdraw consent"
+          cerebras: {
+            heading: {
+              text: "Cerebras (US, via OpenRouter)"
+            },
+            description: {
+              text: "Cerebras hosts some of the high-speed models routed through OpenRouter. Only used when you select a Cerebras-hosted model."
+            }
           },
-          exercise: {
-            text: "To exercise your GDPR rights, contact us at contact@openmates.org or via the Imprint. We may need to verify your identity before fulfilling your request."
+          google_gemini: {
+            heading: {
+              text: "Google Gemini (US)"
+            },
+            description: {
+              text: "Google Gemini processes requests for Gemini-family models when you select one. Google receives your chat messages with PII placeholders already substituted client-side."
+            }
           },
-          manual_note: {
-            text: "The following rights are available on request (please contact us by email at contact@openmates.org and we will handle them manually):"
+          google_vertex_maas: {
+            heading: {
+              text: "Google Vertex AI Model-as-a-Service (US)"
+            },
+            description: {
+              text: "Google Vertex AI Model-as-a-Service hosts third-party open models (such as DeepSeek) on Google infrastructure via an OpenAI-compatible endpoint. This is a separate service from Google Gemini: the model weights are third-party, but the inference runs on Google's servers. Only used when you select a MaaS-hosted model."
+            }
+          },
+          together: {
+            heading: {
+              text: "Together AI (US)"
+            },
+            description: {
+              text: "Together AI hosts third-party models such as Kimi K2.6 on an OpenAI-compatible endpoint. Only used when you select a Together-hosted model. Together receives your chat messages with PII placeholders already substituted client-side."
+            }
+          },
+          groq: {
+            heading: {
+              text: "Groq (US, content sanitization)"
+            },
+            description: {
+              text: "Groq is used server-side to sanitize external content (search results and scraped web pages) before it is included in AI responses. Groq sees the external content we fetched on your behalf, not your chat messages, and never learns which user requested each piece of content."
+            }
+          },
+          alibaba: {
+            heading: {
+              text: "Alibaba Cloud (Qwen models)"
+            },
+            description: {
+              text: "Alibaba Cloud hosts Qwen-family models. Alibaba receives your chat messages with PII placeholders already substituted client-side only when you select an Alibaba-hosted model."
+            }
+          },
+          deepseek: {
+            heading: {
+              text: "DeepSeek (reasoning models)"
+            },
+            description: {
+              text: "DeepSeek provides DeepSeek-family reasoning models. DeepSeek receives your chat messages with PII placeholders already substituted client-side only when you select a DeepSeek model."
+            }
+          },
+          moonshot: {
+            heading: {
+              text: "Moonshot AI / Kimi (language models)"
+            },
+            description: {
+              text: "Moonshot AI provides Kimi-family models. Moonshot receives your chat messages with PII placeholders already substituted client-side only when you select a Moonshot-hosted Kimi model."
+            }
+          },
+          zai: {
+            heading: {
+              text: "Z.ai (GLM models)"
+            },
+            description: {
+              text: "Z.ai provides GLM-family models. Z.ai receives your chat messages with PII placeholders already substituted client-side only when you select a Z.ai model."
+            }
           }
         },
-        ccpa_cpra: {
-          subheading: {
-            text: "CCPA/CPRA (California)"
+        image_generation: {
+          heading: {
+            text: "Image generation and editing (only when you use an image skill)"
           },
-          right_to_know: {
-            text: "Right to know/access"
+          description: {
+            text: "These providers are only used when you invoke an image generation or editing skill. If you never use the images app, none of your data is shared with them."
           },
-          right_to_delete: {
-            text: "Right to delete"
+          fal: {
+            heading: {
+              text: "FAL (Flux models)"
+            },
+            description: {
+              text: "FAL hosts Flux image generation models used by the images.generate_draft skill. FAL receives your image generation prompts and, when editing, the source images you supply."
+            }
           },
-          right_to_correct: {
-            text: "Right to correct"
+          recraft: {
+            heading: {
+              text: "Recraft (vector and raster image generation)"
+            },
+            description: {
+              text: "Recraft powers the images.generate and images.vectorize skills, producing vector and raster images and converting bitmaps to SVG. Recraft receives your prompts, style preferences, and \u2014 when vectorizing \u2014 your source images."
+            }
           },
-          right_to_opt_out_of_sale_or_sharing: {
-            text: "Right to opt-out of sale or sharing"
+          bfl: {
+            heading: {
+              text: "Black Forest Labs (FLUX image models)"
+            },
+            description: {
+              text: "Black Forest Labs powers draft image generation via FLUX models. BFL receives your image generation prompts and, when editing, the source images you provide."
+            }
+          }
+        },
+        music_generation: {
+          heading: {
+            text: "Music generation (only when you use a music skill)"
           },
-          right_to_non_discrimination: {
-            text: "Right to non-discrimination"
+          description: {
+            text: "These providers are only used when you invoke a music generation skill. If you never use the music app, none of your data is shared with them."
           },
-          exercise: {
-            text: "California residents can exercise CCPA/CPRA rights by contacting us at contact@openmates.org. We do not sell personal information."
+          google_vertex_ai: {
+            heading: {
+              text: "Google Vertex AI (Lyria music generation)"
+            },
+            description: {
+              text: "Google Vertex AI hosts the Lyria models used by the music.generate skill. Google receives your music generation prompts, optional lyrics, style preferences, and generation settings only when you ask OpenMates to generate music or background music."
+            }
           }
-        }
-      },
-      discord_integration: {
-        heading: {
-          text: "9. Discord Integration"
         },
-        description: {
-          text: "If you choose to join our Discord community through links provided on this website, please note that Discord will collect and process your data according to their privacy policy. This includes account information, usage data, communication content, and other information as outlined in Discord's privacy policy."
-        },
-        admin_access: {
-          text: "As Discord server administrators, we have access to all public communications, member lists, and other information shared within our Discord community. However, this information is hosted and primarily processed by Discord. We do not extract, store, or process this data outside of Discord's platform. For more information about how Discord handles your data, please review Discord's Privacy Policy."
+        code_execution: {
+          heading: {
+            text: "Code and developer tools (only when you use code skills)"
+          },
+          description: {
+            text: "These providers are only used when you invoke a code app skill, such as searching public repositories, running code in an isolated sandbox, creating a generated application that auto-starts a short screenshot preview, or explicitly starting a generated application live preview. If you never use the code app, none of your data is shared with them."
+          },
+          github: {
+            heading: {
+              text: "GitHub (public repository search)"
+            },
+            description: {
+              text: "GitHub powers the code app's repository search skill. GitHub receives public repository search queries without an OpenMates user identifier."
+            }
+          },
+          context7: {
+            heading: {
+              text: "Context7 (programming documentation lookup)"
+            },
+            description: {
+              text: "Context7 powers the code app's documentation lookup skill. Context7 receives library names and documentation questions without an OpenMates user identifier."
+            }
+          },
+          e2b: {
+            heading: {
+              text: "E2B (isolated code sandbox)"
+            },
+            description: {
+              text: "E2B runs selected code embeds, generated application previews, and Remotion video renders inside isolated sandboxes. E2B receives the code or generated application/Remotion files and assets needed to run or render the result, runtime inputs, preview/render logs, and execution output needed to display the sandbox result. This sharing happens when you explicitly run code, create a generated application that auto-starts a short screenshot preview, start/resume an application live preview, or when a Remotion video render auto-starts after the assistant closes an explicit remotion code fence."
+            }
+          }
         },
-        privacy_policy_link: {
-          text: "Discord Privacy Policy"
-        }
-      },
-      contact: {
-        heading: {
-          text: "10. Contact Information"
-        },
-        questions: {
-          text: "For questions about data protection:"
-        },
-        email: {
-          text: "Email"
-        },
-        postal: {
-          text: "Postal address: See Legal Notice (Imprint) for the current registered address."
-        },
-        controller: {
-          text: "Controller: OpenMates (see Imprint for legal representative details)."
-        }
-      },
-      aggregate_analytics: {
-        heading: {
-          text: "11. Anonymous Aggregate Analytics"
-        },
-        overview: {
-          text: "We collect anonymous, aggregate statistics about how our website and web application are used. This data is genuinely anonymous \u2014 it cannot be linked to any individual user, and no cookies or tracking identifiers are set. No consent banner is required because no personal data is collected."
-        },
-        what_we_collect: {
-          text: "What we collect (all aggregate, never individual):"
-        },
-        items: {
-          text: "Daily page load counts; approximate unique visit counts (probabilistic HyperLogLog, ~0.81% error); country distribution (GeoIP lookup \u2014 IP discarded immediately, never stored); device class (mobile/tablet/desktop); browser family and major version; OS family; referrer domain (domain only, never full URL); screen size class; session duration distribution (bucketed)"
-        },
-        no_pii: {
-          text: "IP addresses are used transiently for GeoIP lookup only and are never written to disk or any database. User-Agent strings are parsed to metadata only (browser name, OS) \u2014 the raw string is never stored. All data is stored as daily aggregate counters, not as individual records."
-        }
-      },
-      follow_up_1: {
-        text: "How is my chat content encrypted?"
-      },
-      follow_up_2: {
-        text: "How does client-side encryption work?"
-      },
-      follow_up_3: {
-        text: "What if I lose my encryption key?"
-      },
-      follow_up_4: {
-        text: "Do AI providers see my messages?"
-      },
-      follow_up_5: {
-        text: "How do I delete my account?"
-      },
-      follow_up_6: {
-        text: "What data do you share with third parties?"
-      },
-      provider_link_label: {
-        text: "Privacy policy"
-      },
-      overview: {
-        heading: {
-          text: "Overview"
-        },
-        summary: {
-          text: "OpenMates is designed so that most of your data is encrypted on your device before it reaches our servers. This is **not** end-to-end encryption: our servers briefly decrypt your content in memory to run AI responses, render invoices, and deliver reminders. But we never write decrypted content to disk, logs, or traces, and when you delete your account we destroy the encryption key that protects your data \u2014 cryptographically shredding every encrypted field we still hold."
-        }
-      },
-      protection: {
-        heading: {
-          text: "How we protect your data"
-        },
-        intro: {
-          text: "We rely on six technical measures to protect your data. Each is verifiable in our open-source code and maps to a specific GDPR obligation."
-        },
-        client_side_encryption: {
-          heading: {
-            text: "Client-side encryption of your content"
-          },
-          description: {
-            text: "Your chat content, titles, summaries, tags, per-chat keys, app settings and memories, reminders, and sensitive profile fields (encrypted username, auto-top-up email, 2FA secrets) are encrypted in your browser before being sent to our servers. The browser uses a key derived from your login credential; our servers reject writes that contain anything but ciphertext. This is *not* end-to-end encryption \u2014 our servers can decrypt your content in memory when they need to (for AI responses, invoice rendering, reminder delivery). The difference from end-to-end encryption is that decryption happens transiently in process memory and the plaintext is never persisted to disk, logs, or traces."
-          }
-        },
-        pii_placeholder_substitution: {
-          heading: {
-            text: "PII placeholder substitution before AI calls"
-          },
-          description: {
-            text: "Before any message is sent to a third-party AI model, your browser scans your message for real names, email addresses, and physical addresses that you have saved in your privacy settings (or that match common patterns) and replaces any matches with neutral placeholders (for example [USER_0]). The mapping back to your real values is stored encrypted with your key and is never decrypted on our servers. **Important limitation:** this substitution only protects personal data that our client-side detector actually recognizes \u2014 typically the values you have explicitly saved in your privacy settings and values highlighted in the message field before you send. Anything the detector does not recognize (typos of your own name, uncommon address formats, other people's personal data, sensitive topics that are not formally PII) will be transmitted as you typed it. Please treat every message as you would treat a note passed to a third-party AI provider and be cautious with personal data."
-          }
-        },
-        encrypted_at_rest: {
-          heading: {
-            text: "Encrypted at rest, decrypted only in memory"
-          },
-          description: {
-            text: "Our PostgreSQL database, Redis caches, S3 object storage, and backup snapshots hold only ciphertext for any field containing user content. When our servers need to read your content to run an AI response, render an invoice, or deliver a reminder, decryption happens transiently in process memory and is discarded immediately after. Key material is released on demand by HashiCorp Vault and never stored in raw form outside it."
-          }
-        },
-        hashed_identifiers: {
-          heading: {
-            text: "Hashed identifiers throughout"
-          },
-          description: {
-            text: "Your user ID is stored in most database tables as a SHA-256 hash rather than as a direct reference. Login uses a zero-knowledge password verification flow: we verify that you know your password without ever learning it. API-key device records anonymize the IP address to its first two octets before encryption, so we can recognize a device without storing a precise location."
-          }
-        },
-        cryptographic_erasure: {
-          heading: {
-            text: "Cryptographically shredded on deletion"
-          },
-          description: {
-            text: "When you delete your account we destroy your HashiCorp Vault Transit key in addition to removing your rows from our database. Any encrypted field still sitting in a backup, cache, or running process becomes mathematically unrecoverable ciphertext at that moment \u2014 cryptographic erasure on top of row-level deletion."
-          }
-        },
-        observability_without_tracking: {
-          heading: {
-            text: "Observability without tracking"
-          },
-          description: {
-            text: "Our internal tracing pipeline (OpenTelemetry) replaces your user ID with a hash that rotates every 24 hours, strips authentication headers and cookies from every span, and redacts chat content before any trace leaves the backend. Our web analytics use a server-side beacon with no cookies and no stored individual identifiers. We do not use Google Analytics, Plausible, PostHog, or any third-party analytics platform."
-          }
-        }
-      },
-      promises: {
-        intro: {
-          text: "Below are the privacy promises we make to every user. Each one is backed by code in our open-source repository and verified by automated tests. When the enforcing code changes, a registry-linked check reminds us to rerun those tests before release."
-        },
-        client_side_chat_encryption: {
-          heading: {
-            text: "Client-side chat encryption"
-          },
-          description: {
-            text: "Your chats, settings, and memories are encrypted on your device with AES-256-GCM before they leave your browser. The server stores only ciphertext on disk, in caches, and in backups. This is not end-to-end encryption: when a server-side task needs to read content (to run an AI response, render an invoice, or deliver a reminder), it decrypts in memory via HashiCorp Vault and discards the plaintext immediately after use."
-          }
-        },
-        email_encryption_at_rest: {
-          heading: {
-            text: "Email addresses encrypted at rest"
-          },
-          description: {
-            text: "Your email address is stored only as ciphertext. The server decrypts it transiently in memory during login, billing, and notification delivery, and never writes plaintext to disk or logs."
-          }
-        },
-        no_third_party_tracking: {
-          heading: {
-            text: "No third-party tracking cookies or analytics"
-          },
-          description: {
-            text: "We do not use Google Analytics, Plausible, PostHog, Mixpanel, Amplitude, Segment, or any other third-party analytics platform. Our telemetry is server-side, cookie-free, and contains no individually stored identifiers. A pre-edit check in our repository blocks the introduction of analytics SDKs."
-          }
-        },
-        pii_placeholder_substitution: {
-          heading: {
-            text: "Personal information never reaches AI providers"
-          },
-          description: {
-            text: "Before any message is sent to an AI provider, your browser detects 32 categories of personal data \u2014 emails, phone numbers, credit card numbers, API keys, and more \u2014 and replaces them with placeholders like `[EMAIL_com]`. The substitution map is encrypted with your chat key so only your devices can restore the original values."
-          }
-        },
-        telemetry_privacy_filter: {
-          heading: {
-            text: "Telemetry stripped of sensitive data"
-          },
-          description: {
-            text: "Our internal tracing pipeline (OpenTelemetry) strips authentication headers, cookies, and database statements from every span, and pseudonymises your user ID with a salt that rotates every 24 hours. Regular users never have their raw identifiers in telemetry."
-          }
-        },
-        cryptographic_erasure: {
-          heading: {
-            text: "Deleted accounts are cryptographically erased"
-          },
-          description: {
-            text: "When you delete your account, the first step destroys your encryption keys. Any residual ciphertext in backups, caches, or audit logs is rendered permanently unreadable \u2014 no key, no content."
-          }
-        },
-        argon2_password_hashing: {
-          heading: {
-            text: "Passwords stored as Argon2 hashes"
-          },
-          description: {
-            text: "We store password and backup-code verifiers as Argon2 hashes. Plaintext passwords are never persisted to disk, never written to logs, and never recoverable \u2014 even by us."
-          }
-        },
-        payment_data_minimization: {
-          heading: {
-            text: "No card numbers ever touch our servers"
-          },
-          description: {
-            text: "Payments flow directly from your browser to Stripe. We store only provider tokens and customer identifiers. We never see, receive, or persist full card numbers, security codes, or bank account details."
-          }
-        },
-        logging_redaction: {
-          heading: {
-            text: "Logs are scrubbed of sensitive data"
-          },
-          description: {
-            text: "Every log line passes through a redaction filter that strips email addresses, IP addresses, bearer tokens, and password values. Compliance logs preserve pseudonymous user IDs but remove all other personal data."
-          }
-        },
-        prompt_injection_defense: {
-          heading: {
-            text: "Defense against prompt injection"
-          },
-          description: {
-            text: "Two layers protect your conversations from malicious content in web pages, files, and URLs you reference. Invisible Unicode characters are stripped first, then a dedicated safety model detects semantic injection attempts and blocks or replaces high-risk content before it reaches your assistant."
-          }
-        },
-        no_training_on_user_data: {
-          heading: {
-            text: "Your conversations are not used to train AI models"
-          },
-          description: {
-            text: "All AI chat providers we use (Anthropic, OpenAI, Mistral, Google Gemini, Google Vertex AI, Together AI, Groq, Cerebras, and OpenRouter) have explicit no-training clauses in their terms \u2014 your conversations are never used to fine-tune, evaluate, or otherwise train AI models. For image generation, Recraft has a training opt-out which we have activated. fal.ai (used for draft image generation) may use anonymized, aggregated derivatives of prompts for model improvement under their standard API terms; no full opt-out is available outside an enterprise contract. A per-provider audit with verbatim policy quotes and verification dates is published in our open-source repository."
-          }
-        },
-        no_external_resources: {
-          heading: {
-            text: "The web app never loads external images or scripts"
-          },
-          description: {
-            text: "Every external image, favicon, or preview shown in the app is fetched through our own preview.openmates.org proxy \u2014 the originating website never sees your IP address. The only third-party script the web app loads is the Stripe payment SDK needed to process a purchase, and only when you explicitly open the payment flow. There is no ad network, tag manager, CDN font loader, or third-party analytics library."
-          }
-        },
-        cli_no_credential_prompts: {
-          heading: {
-            text: "The command-line tool never asks for your password"
-          },
-          description: {
-            text: "The OpenMates CLI never prompts you for your email, password, 2FA code, or any other login credential. Authentication uses a browser-based pair-auth handshake: the CLI shows a QR code and URL, you approve the session in your logged-in web browser, and you type a short 6-character binding PIN back into the CLI to confirm. Your credentials never pass through the terminal."
-          }
-        },
-        open_source_transparency: {
+        web_and_search: {
           heading: {
-            text: "Every claim on this page is independently auditable"
+            text: "Web, search, and content retrieval (only when you use a web or search skill)"
           },
           description: {
-            text: "OpenMates is open source. Every promise above is backed by code you can read, tests you can run, and architecture documents you can audit in our public repository. Our privacy-promises registry links each claim to the exact files that enforce it."
-          }
-        }
-      },
-      providers: {
-        heading: {
-          text: "When each provider is used"
-        },
-        intro: {
-          text: "Most of the providers below are only reached when you use a specific feature \u2014 for example, image generation providers are only used when you invoke an image skill. The groups below tell you exactly which providers are involved for each feature, so you can opt in or out of data sharing by choosing which features to use."
-        },
-        always_active: {
-          heading: {
-            text: "Always active (used for every user)"
+            text: "These providers are only used when you invoke a web, videos, news, or web-read skill. They see the content of what you search for or the URLs you ask to read, but no user identifier \u2014 they do not know which OpenMates user made each request."
           },
-          description: {
-            text: "These providers are used for every user, regardless of which features you use. Using OpenMates at all means your data passes through them."
+          brave: {
+            heading: {
+              text: "Brave Search (web, videos, news)"
+            },
+            description: {
+              text: "Brave Search powers the web, videos, and news search skills. Brave sees the text of your search queries and your country and language preferences for localized results, but no user identifier."
+            }
           },
-          vercel: {
+          firecrawl: {
             heading: {
-              text: "Vercel (frontend hosting)"
+              text: "Firecrawl (web page scraping)"
             },
             description: {
-              text: "We use Vercel to host the static frontend of our website and web app. Vercel receives page requests and serves static assets."
+              text: "Firecrawl powers the web read skill, scraping and extracting content from web pages you ask about. Firecrawl sees the URL you requested and the full content of the scraped page."
             }
           },
-          hetzner: {
+          webshare: {
             heading: {
-              text: "Hetzner (backend, database, storage, observability)"
+              text: "Webshare (rotating proxy)"
             },
             description: {
-              text: "We host all of our backend services \u2014 API servers, Directus CMS, Postgres database, Redis caches, S3-compatible object storage, and our self-hosted OpenObserve observability platform \u2014 on Hetzner infrastructure in the EU. OpenObserve runs on our own Hetzner servers and is not a third-party service; traces never leave the EU."
+              text: "Webshare provides a rotating proxy for requests to services that would otherwise block us. We route YouTube transcript requests (for the videos get-transcript skill) and doctor appointment searches (for the health search-appointments skill \u2014 see Group H) through Webshare. Webshare sees the URLs we route through it."
             }
           },
-          brevo: {
+          google_maps: {
             heading: {
-              text: "Brevo (transactional email)"
+              text: "Google Maps Platform (places search)"
             },
             description: {
-              text: "We use Brevo to send transactional email \u2014 account verification, password reset links, payment receipts, and credit notes \u2014 and, if you opt in, the OpenMates newsletter. If you are an existing OpenMates customer (i.e. you have completed a purchase), we may also send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)); you can object in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email. Brevo sees recipient email addresses and the content of the emails we send you."
+              text: "Google Maps powers the places search skill. Google sees the text of your place queries and an approximate location for localized results, but no user identifier."
             }
           },
-          ip_api: {
+          youtube: {
             heading: {
-              text: "IP-API (IP geolocation)"
+              text: "YouTube (video transcripts)"
             },
             description: {
-              text: "We use IP-API to resolve IP addresses to approximate geolocation for abuse prevention, rate limiting, and regional compliance. The resolved country and city are used transiently and are not stored against your account."
+              text: "YouTube is queried when you ask OpenMates to retrieve a transcript for a YouTube video. YouTube receives video URLs and requested transcript language preferences without an OpenMates user identifier."
             }
+          }
+        },
+        travel: {
+          heading: {
+            text: "Travel (only when you use a travel skill)"
           },
-          sightengine: {
+          description: {
+            text: "These providers are only used when you invoke a travel skill \u2014 flight search, hotel search, or flight tracking. If you never use the travel app, none of your data is shared with them."
+          },
+          serpapi: {
             heading: {
-              text: "Sightengine (image and video moderation)"
+              text: "SerpAPI (flight and hotel search)"
             },
             description: {
-              text: "Every image and video you upload is scanned by Sightengine for safety moderation before it is stored. Sightengine sees the image or video content."
+              text: "SerpAPI powers flight and hotel search via its Google Flights and Google Hotels endpoints. SerpAPI receives your search queries \u2014 origin, destination, dates, and preferences \u2014 without a user identifier."
             }
           },
-          api_video: {
+          flightradar24: {
             heading: {
-              text: "api.video (product video hosting)"
+              text: "Flightradar24 (flight tracking)"
             },
             description: {
-              text: "We use api.video (EU company, France) to host and stream product demo and feature walkthrough videos shown on our website and web app. When you watch a video, your IP address and basic viewing data are processed by api.video. No user account identifiers are shared."
+              text: "Flightradar24 provides real flight track data when you ask about a specific flight number. It receives IATA flight numbers and departure dates without a user identifier."
             }
-          }
-        },
-        payments: {
-          heading: {
-            text: "Payment providers (only when you purchase credits)"
           },
-          description: {
-            text: "These providers are only used when you purchase credits, subscribe to monthly auto top-up, or receive a refund. If you never make a purchase, none of your data is shared with them."
+          deutsche_bahn: {
+            heading: {
+              text: "Deutsche Bahn (train connections)"
+            },
+            description: {
+              text: "Deutsche Bahn provides train connection results when you search for rail routes. Deutsche Bahn receives origin, destination, and date search details without an OpenMates user identifier."
+            }
           },
-          stripe: {
+          flix: {
             heading: {
-              text: "Stripe (primary payment processor)"
+              text: "FlixBus / FlixTrain (bus and train connections)"
             },
             description: {
-              text: "Stripe processes one-time credit purchases and monthly auto top-up subscriptions. We send Stripe your email address, a tokenized payment method (we never see your card number), billing address and VAT information when required for invoicing, and transaction metadata."
+              text: "Flix provides intercity bus and rail connection results when you search for FlixBus or FlixTrain routes. Flix receives origin, destination, and date search details without an OpenMates user identifier."
             }
           }
         },
-        ai_models: {
+        events: {
           heading: {
-            text: "AI model providers (only when you use a model that routes through them)"
+            text: "Events (only when you use the events skill)"
           },
           description: {
-            text: 'OpenMates routes AI requests to different providers depending on which model you select. Before any message is sent to a provider in this group, your browser replaces real names, emails, and physical addresses with placeholders (see the "PII placeholder substitution" measure above). You can always see which provider a model uses in the model details panel in AI settings.'
+            text: "These providers are only used when you invoke the events search skill. The specific set of providers called depends on the city and event type you search for."
           },
-          mistral: {
+          meetup: {
             heading: {
-              text: "Mistral (EU direct)"
+              text: "Meetup"
             },
             description: {
-              text: "Mistral hosts its own family of models in the EU. Only used when you select a Mistral model. Mistral receives your chat messages with PII placeholders already substituted client-side."
+              text: "Meetup powers event search for community events. Meetup receives your search queries \u2014 city, category, dates \u2014 without a user identifier."
             }
           },
-          aws_bedrock: {
+          luma: {
             heading: {
-              text: "AWS Bedrock (EU region, primary Claude path)"
+              text: "Luma"
             },
             description: {
-              text: "AWS Bedrock hosts Anthropic Claude models in its Frankfurt EU region. This is the primary path for Claude requests. AWS receives your chat messages with PII placeholders already substituted client-side."
+              text: "Luma powers event search for tech, creative, and community events. Luma receives your search queries without a user identifier."
             }
           },
-          anthropic: {
+          resident_advisor: {
             heading: {
-              text: "Anthropic (US, fallback Claude path)"
+              text: "Resident Advisor"
             },
             description: {
-              text: "Anthropic's direct API is used as a fallback path for Claude models when AWS Bedrock is unreachable. Anthropic is based in the US and receives your chat messages with PII placeholders already substituted client-side."
+              text: "Resident Advisor powers event search for electronic music events. RA receives your search queries without a user identifier."
             }
+          }
+        },
+        health: {
+          heading: {
+            text: "Health appointment search (only when you use the health skill)"
           },
-          openai: {
+          description: {
+            text: `These upstream services are reached through the Webshare rotating proxy (see Group E) only when you invoke the health app's appointment search skill. The queries you send \u2014 for example "dermatologist in Berlin next Tuesday" \u2014 are transmitted without user identifiers, but the content of the query itself can imply a health concern. By invoking the skill you consent to this processing under GDPR Art. 9(2)(a) (explicit consent for special-category data).`
+          },
+          doctolib: {
             heading: {
-              text: "OpenAI (US)"
+              text: "Doctolib (EU)"
             },
             description: {
-              text: "OpenAI processes requests for GPT-family models when you select one. OpenAI receives your chat messages with PII placeholders already substituted client-side."
+              text: "Doctolib lists doctors and specialists across supported EU regions. We query Doctolib for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
             }
           },
-          openrouter: {
+          jameda: {
             heading: {
-              text: "OpenRouter (US, routing aggregator)"
+              text: "Jameda (Germany)"
             },
             description: {
-              text: "OpenRouter is used as a routing aggregator for several third-party models, including Cerebras-hosted models. OpenRouter sees your chat messages with PII placeholders substituted client-side and forwards them to the underlying model host."
+              text: "Jameda lists doctors and specialists across Germany. We query Jameda for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
             }
+          }
+        },
+        shopping: {
+          heading: {
+            text: "Shopping (only when you use the shopping skill)"
           },
-          cerebras: {
+          description: {
+            text: "These providers are only used when you invoke the shopping search skill for live product and price lookups."
+          },
+          rewe: {
             heading: {
-              text: "Cerebras (US, via OpenRouter)"
+              text: "REWE (German grocery)"
             },
             description: {
-              text: "Cerebras hosts some of the high-speed models routed through OpenRouter. Only used when you select a Cerebras-hosted model."
+              text: "REWE's product catalogue is queried for live product and price data when you search German grocery items. REWE receives your search queries without a user identifier."
             }
           },
-          google_gemini: {
+          amazon: {
             heading: {
-              text: "Google Gemini (US)"
+              text: "Amazon"
             },
             description: {
-              text: "Google Gemini processes requests for Gemini-family models when you select one. Google receives your chat messages with PII placeholders already substituted client-side."
+              text: "Amazon's product catalogue is queried for live product and price data. Amazon receives your search queries without a user identifier."
             }
+          }
+        },
+        nutrition: {
+          heading: {
+            text: "Nutrition (only when you use the recipe search skill)"
           },
-          google_vertex_maas: {
+          description: {
+            text: "These providers are only used when you invoke the nutrition recipe search skill. They receive recipe search queries and selected dietary filters without a user identifier."
+          },
+          edamam: {
             heading: {
-              text: "Google Vertex AI Model-as-a-Service (US)"
+              text: "Edamam"
             },
             description: {
-              text: "Google Vertex AI Model-as-a-Service hosts third-party open models (such as DeepSeek) on Google infrastructure via an OpenAI-compatible endpoint. This is a separate service from Google Gemini: the model weights are third-party, but the inference runs on Google's servers. Only used when you select a MaaS-hosted model."
+              text: "Edamam's Recipe Search API is queried when you search for recipes. Edamam receives the recipe query and selected dietary or nutrition filters without a user identifier."
             }
+          }
+        },
+        electronics: {
+          heading: {
+            text: "Electronics (only when you use the electronics skill)"
           },
-          together: {
+          description: {
+            text: "These providers are only used when you invoke the electronics component search skill for live component and reference-design lookups."
+          },
+          ti_webench: {
             heading: {
-              text: "Together AI (US)"
+              text: "Texas Instruments WEBENCH (US)"
             },
             description: {
-              text: "Together AI hosts third-party models such as Kimi K2.6 on an OpenAI-compatible endpoint. Only used when you select a Together-hosted model. Together receives your chat messages with PII placeholders already substituted client-side."
+              text: "TI WEBENCH is queried for power converter component candidates and reference design summaries. Texas Instruments receives the electrical requirements you search for, such as input voltage, output voltage, output current, temperature, isolation, and optimization goal, without a user identifier."
             }
+          }
+        },
+        mail: {
+          heading: {
+            text: "Mail (only when you use mail skills)"
           },
-          groq: {
+          description: {
+            text: "This provider is only used when you invoke mail skills against a connected mailbox. If you never use the mail app, none of your data is shared with it."
+          },
+          protonmail: {
             heading: {
-              text: "Groq (US, content sanitization)"
+              text: "Proton Mail (mail search)"
             },
             description: {
-              text: "Groq is used server-side to sanitize external content (search results and scraped web pages) before it is included in AI responses. Groq sees the external content we fetched on your behalf, not your chat messages, and never learns which user requested each piece of content."
+              text: "Proton Mail is queried when you search a connected Proton Mail mailbox. Proton receives the mail search query and mailbox data needed to return matching results."
             }
+          }
+        },
+        home: {
+          heading: {
+            text: "Home and housing (only when you use housing search)"
           },
-          alibaba: {
+          description: {
+            text: "These providers are only used when you invoke the home app's housing search skill. If you never search for housing, none of your data is shared with them."
+          },
+          immoscout24: {
             heading: {
-              text: "Alibaba Cloud (Qwen models)"
+              text: "ImmoScout24 (German housing search)"
             },
             description: {
-              text: "Alibaba Cloud hosts Qwen-family models. Alibaba receives your chat messages with PII placeholders already substituted client-side only when you select an Alibaba-hosted model."
+              text: "ImmoScout24 is queried when you search German housing listings. ImmoScout24 receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
             }
           },
-          deepseek: {
+          kleinanzeigen: {
             heading: {
-              text: "DeepSeek (reasoning models)"
+              text: "Kleinanzeigen (German classified housing search)"
             },
             description: {
-              text: "DeepSeek provides DeepSeek-family reasoning models. DeepSeek receives your chat messages with PII placeholders already substituted client-side only when you select a DeepSeek model."
+              text: "Kleinanzeigen is queried when you search German classified housing listings. Kleinanzeigen receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
             }
           },
-          moonshot: {
+          wg_gesucht: {
             heading: {
-              text: "Moonshot AI / Kimi (language models)"
+              text: "WG-Gesucht (German shared-apartment search)"
             },
             description: {
-              text: "Moonshot AI provides Kimi-family models. Moonshot receives your chat messages with PII placeholders already substituted client-side only when you select a Moonshot-hosted Kimi model."
+              text: "WG-Gesucht is queried when you search German shared-apartment or rental listings. WG-Gesucht receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
             }
+          }
+        },
+        community: {
+          heading: {
+            text: "Community and developer channels (only if you choose to use them)"
           },
-          zai: {
+          description: {
+            text: "These providers are only involved if you choose to join our community or developer channels. You can use OpenMates without ever touching them."
+          },
+          discord: {
             heading: {
-              text: "Z.ai (GLM models)"
+              text: "Discord (community server)"
             },
             description: {
-              text: "Z.ai provides GLM-family models. Z.ai receives your chat messages with PII placeholders already substituted client-side only when you select a Z.ai model."
+              text: "If you join the OpenMates community Discord server, Discord will see anything you post on its platform, plus your Discord username and whatever data Discord itself collects per its own privacy policy. We have no control over what Discord does with that data."
+            },
+            admin_access: {
+              text: "OpenMates administrators with Discord server admin rights can read all messages posted in the OpenMates Discord server. Do not share sensitive information on Discord."
             }
           }
         },
-        image_generation: {
+        social_media: {
           heading: {
-            text: "Image generation and editing (only when you use an image skill)"
+            text: "Social media (only when you use social media skills)"
           },
           description: {
-            text: "These providers are only used when you invoke an image generation or editing skill. If you never use the images app, none of your data is shared with them."
+            text: "These providers are only used when you invoke the social media app's get-posts or search skills. They receive public profile, page, or search queries without an OpenMates user identifier."
           },
-          fal: {
+          reddit: {
             heading: {
-              text: "FAL (Flux models)"
+              text: "Reddit (public posts and discussions)"
             },
             description: {
-              text: "FAL hosts Flux image generation models used by the images.generate_draft skill. FAL receives your image generation prompts and, when editing, the source images you supply."
+              text: "Reddit is queried when you fetch or search public Reddit posts. Reddit receives subreddit names, public post URLs, and search queries without an OpenMates user identifier."
             }
           },
-          recraft: {
+          bluesky: {
             heading: {
-              text: "Recraft (vector and raster image generation)"
+              text: "Bluesky (public posts and profile feeds)"
             },
             description: {
-              text: "Recraft powers the images.generate and images.vectorize skills, producing vector and raster images and converting bitmaps to SVG. Recraft receives your prompts, style preferences, and \u2014 when vectorizing \u2014 your source images."
+              text: "Bluesky is queried when you fetch or search public Bluesky posts. Bluesky receives handles and search queries without an OpenMates user identifier."
+            }
+          },
+          mastodon: {
+            heading: {
+              text: "Mastodon (public profile posts)"
+            },
+            description: {
+              text: "Mastodon is queried when you fetch public Mastodon profile posts. The relevant Mastodon server receives profile identifiers or public profile URLs without an OpenMates user identifier."
             }
+          }
+        }
+      },
+      flightradar24: {
+        heading: {
+          text: "3.16 Flightradar24"
+        },
+        description: {
+          text: 'When you request real flight track data using the "Get flight track" skill, we query Flightradar24 to retrieve historical GPS track data for completed flights. Flightradar24 receives the flight number and departure date. No personal data is shared.'
+        },
+        privacy_policy_link: {
+          text: "Flightradar24 Privacy Policy"
+        }
+      },
+      security_measures: {
+        heading: {
+          text: "4. Security Measures"
+        },
+        intro: {
+          text: "We implement various security measures to protect your account and data in the web application:"
+        },
+        device_fingerprinting: {
+          subheading: {
+            text: "Device Fingerprinting"
+          },
+          purpose: {
+            text: "To enhance account security, prevent fraudulent access, and distinguish between new and recognized devices during login and session validation, we collect User-Agent strings (browser, OS, device type information) and IP addresses (used temporarily to derive approximate geo-location like country/city, then discarded from the device record)."
+          },
+          storage: {
+            text: "A unique, stable hash is generated based on a combination of the collected signals. This hash is the only value stored in the device record. Browser/OS type and derived country code may be used transiently for risk assessment and notifications but are not stored with the device record. Raw IP addresses are NOT stored as part of the device record itself."
+          },
+          ip_logging: {
+            text: "For security monitoring and abuse prevention, IP addresses associated with failed login attempts (invalid password or 2FA code) may be logged with limited retention. In addition, certain security/compliance events (e.g., successful backup-code logins) may be logged with IP for audit purposes. IP addresses are also used for rate limiting login attempts."
+          }
+        }
+      },
+      data_categories: {
+        heading: {
+          text: "5. Data Categories We Collect and Process"
+        },
+        intro: {
+          text: "We collect and process the following categories of data to operate and secure our services:"
+        },
+        account: {
+          text: "Account: Email address, username/display name, profile image, locale, and security settings (e.g., 2FA enabled). Email and username are encrypted with your key before storage. We also keep a separate server-side Vault-encrypted copy of your verified email address for mandatory account lifecycle notices, such as account verification, security alerts, and deletion reminders. Passwords are stored as salted hashes."
+        },
+        usage: {
+          text: "Usage: Server logs, event timestamps, feature usage, error logs, and device recognition identifiers (hashed). IP addresses may be temporarily processed for security and rate limiting."
+        },
+        content: {
+          text: "Content: Chat messages, prompts, attachments, and uploaded images/videos necessary to deliver the service (subject to moderation where applicable)."
+        },
+        payments: {
+          text: "Payments: Payment method tokens, transaction IDs, billing address and VAT information as required for invoicing (processed primarily by Stripe). We do not store full card numbers."
+        },
+        newsletter: {
+          text: "Newsletter: If you choose to subscribe to our newsletter, we store your email address in encrypted form. Newsletter subscription is optional and separate from account creation \u2014 creating an account does not automatically subscribe you to the newsletter. If you are an OpenMates customer (i.e. you have completed a purchase), we may additionally send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)). You can object to this at any time in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email, without affecting your account."
+        },
+        stability_logs: {
+          text: "Stability Logs: To diagnose technical errors, anonymized browser console logs (error messages, component status, connection events) are collected from authenticated users and stored for up to 48 hours. If an error occurs, surrounding context is retained for up to 14 days. No message content, chat titles, names, email addresses, or other personally identifiable information is included. A random session identifier (generated per browser tab, not linked to your account) is used for log correlation. You can disable this at any time in Settings > Privacy > Stability Logs."
+        }
+      },
+      data_retention: {
+        heading: {
+          text: "6. Data Retention"
+        },
+        account: {
+          text: "Account data: Retained until account deletion and completion of related legal obligations."
+        },
+        usage_and_logs: {
+          text: "Usage and logs: Operational logs retained up to 12 months; IPs tied to failed logins up to 30 days for security."
+        },
+        device_fingerprints: {
+          text: "Device fingerprints: Retained until account deletion or manual removal from account settings (when available)."
+        },
+        content: {
+          text: "Content: Retained until the user deletes the content or closes the account, subject to backup cycles."
+        },
+        payments_and_invoices: {
+          text: "Payments and invoices: Retained up to 10 years where required by tax/commercial law."
+        },
+        compliance_logs: {
+          text: "**Compliance logs:** audit logs retained 2 years (BSI \xA734 BDSG); financial compliance logs retained 10 years (AO \xA7147 and HGB \xA7257)"
+        },
+        observability_traces: {
+          text: "**Observability traces:** up to 30 days; user IDs in traces use a hash that rotates every 24 hours, so older traces cannot be joined to a specific user"
+        },
+        user_data_backups: {
+          text: "**User data backups:** 60 days via S3 lifecycle; backups contain only ciphertext encrypted with your own key"
+        }
+      },
+      legal_basis: {
+        heading: {
+          text: "7. Legal Basis for Processing (GDPR)"
+        },
+        contract: {
+          text: "Contract: Processing necessary to perform our contract with you or to take steps at your request prior to entering into a contract (e.g., account creation, delivering web app features)."
+        },
+        consent: {
+          text: "Consent: Processing based on your consent, where applicable (e.g., optional communications, certain analytics or marketing where used). You can withdraw consent at any time."
+        },
+        legitimate_interests: {
+          text: "Legitimate interests: Processing necessary for our legitimate interests, such as service security, fraud prevention, abuse detection, and improving the service, provided these interests are not overridden by your rights and interests."
+        },
+        direct_marketing: {
+          text: "Direct marketing to existing customers: For existing OpenMates customers (users who have completed a purchase), we may rely on Art. 6(1)(f) GDPR (legitimate interests) in combination with \xA77 Abs. 3 UWG and ePrivacy Directive Art. 13(2) to send occasional product announcements, service updates, and marketing about OpenMates' own similar services. Each such email includes a clearly visible one-click unsubscribe link, and you can also manage these preferences at any time in Settings \u2192 Newsletter. You can object to this processing at any time without giving reasons (Art. 21 GDPR)."
+        },
+        legal_obligation: {
+          text: "Legal obligation: Processing necessary to comply with legal obligations (e.g., tax and accounting requirements for invoices and transaction records)."
+        }
+      },
+      legal_rights: {
+        heading: {
+          text: "8. Your Privacy Rights"
+        },
+        intro: {
+          text: "Depending on your jurisdiction, you may have certain rights over your personal data. The following summarizes key rights under GDPR and CCPA/CPRA and how to exercise them:"
+        },
+        gdpr: {
+          subheading: {
+            text: "GDPR (EU/EEA)"
+          },
+          access: {
+            text: "Right of access"
+          },
+          rectification: {
+            text: "Right to rectification"
+          },
+          erasure: {
+            text: "Right to erasure ('right to be forgotten')"
+          },
+          restriction: {
+            text: "Right to restriction of processing"
+          },
+          portability: {
+            text: "Right to data portability"
+          },
+          objection: {
+            text: "Right to object"
+          },
+          withdraw_consent: {
+            text: "Right to withdraw consent"
+          },
+          exercise: {
+            text: "To exercise your GDPR rights, contact us at contact@openmates.org or via the Imprint. We may need to verify your identity before fulfilling your request."
+          },
+          manual_note: {
+            text: "The following rights are available on request (please contact us by email at contact@openmates.org and we will handle them manually):"
+          }
+        },
+        ccpa_cpra: {
+          subheading: {
+            text: "CCPA/CPRA (California)"
+          },
+          right_to_know: {
+            text: "Right to know/access"
+          },
+          right_to_delete: {
+            text: "Right to delete"
+          },
+          right_to_correct: {
+            text: "Right to correct"
+          },
+          right_to_opt_out_of_sale_or_sharing: {
+            text: "Right to opt-out of sale or sharing"
+          },
+          right_to_non_discrimination: {
+            text: "Right to non-discrimination"
+          },
+          exercise: {
+            text: "California residents can exercise CCPA/CPRA rights by contacting us at contact@openmates.org. We do not sell personal information."
+          }
+        }
+      },
+      discord_integration: {
+        heading: {
+          text: "9. Discord Integration"
+        },
+        description: {
+          text: "If you choose to join our Discord community through links provided on this website, please note that Discord will collect and process your data according to their privacy policy. This includes account information, usage data, communication content, and other information as outlined in Discord's privacy policy."
+        },
+        admin_access: {
+          text: "As Discord server administrators, we have access to all public communications, member lists, and other information shared within our Discord community. However, this information is hosted and primarily processed by Discord. We do not extract, store, or process this data outside of Discord's platform. For more information about how Discord handles your data, please review Discord's Privacy Policy."
+        },
+        privacy_policy_link: {
+          text: "Discord Privacy Policy"
+        }
+      },
+      contact: {
+        heading: {
+          text: "10. Contact Information"
+        },
+        questions: {
+          text: "For questions about data protection:"
+        },
+        email: {
+          text: "Email"
+        },
+        postal: {
+          text: "Postal address: See Legal Notice (Imprint) for the current registered address."
+        },
+        controller: {
+          text: "Controller: OpenMates (see Imprint for legal representative details)."
+        }
+      },
+      aggregate_analytics: {
+        heading: {
+          text: "11. Anonymous Aggregate Analytics"
+        },
+        overview: {
+          text: "We collect anonymous, aggregate statistics about how our website and web application are used. This data is genuinely anonymous \u2014 it cannot be linked to any individual user, and no cookies or tracking identifiers are set. No consent banner is required because no personal data is collected."
+        },
+        what_we_collect: {
+          text: "What we collect (all aggregate, never individual):"
+        },
+        items: {
+          text: "Daily page load counts; approximate unique visit counts (probabilistic HyperLogLog, ~0.81% error); country distribution (GeoIP lookup \u2014 IP discarded immediately, never stored); device class (mobile/tablet/desktop); browser family and major version; OS family; referrer domain (domain only, never full URL); screen size class; session duration distribution (bucketed)"
+        },
+        no_pii: {
+          text: "IP addresses are used transiently for GeoIP lookup only and are never written to disk or any database. User-Agent strings are parsed to metadata only (browser name, OS) \u2014 the raw string is never stored. All data is stored as daily aggregate counters, not as individual records."
+        }
+      },
+      follow_up_1: {
+        text: "How is my chat content encrypted?"
+      },
+      follow_up_2: {
+        text: "How does client-side encryption work?"
+      },
+      follow_up_3: {
+        text: "What if I lose my encryption key?"
+      },
+      follow_up_4: {
+        text: "Do AI providers see my messages?"
+      },
+      follow_up_5: {
+        text: "How do I delete my account?"
+      },
+      follow_up_6: {
+        text: "What data do you share with third parties?"
+      },
+      provider_link_label: {
+        text: "Privacy policy"
+      },
+      overview: {
+        heading: {
+          text: "Overview"
+        },
+        summary: {
+          text: "OpenMates is designed so that most of your data is encrypted on your device before it reaches our servers. This is **not** end-to-end encryption: our servers briefly decrypt your content in memory to run AI responses, render invoices, and deliver reminders. But we never write decrypted content to disk, logs, or traces, and when you delete your account we destroy the encryption key that protects your data \u2014 cryptographically shredding every encrypted field we still hold."
+        }
+      },
+      protection: {
+        heading: {
+          text: "How we protect your data"
+        },
+        intro: {
+          text: "We rely on six technical measures to protect your data. Each is verifiable in our open-source code and maps to a specific GDPR obligation."
+        },
+        client_side_encryption: {
+          heading: {
+            text: "Client-side encryption of your content"
           },
-          bfl: {
-            heading: {
-              text: "Black Forest Labs (FLUX image models)"
-            },
-            description: {
-              text: "Black Forest Labs powers draft image generation via FLUX models. BFL receives your image generation prompts and, when editing, the source images you provide."
-            }
+          description: {
+            text: "Your chat content, titles, summaries, tags, per-chat keys, app settings and memories, reminders, and sensitive profile fields (encrypted username, auto-top-up email, 2FA secrets) are encrypted in your browser before being sent to our servers. The browser uses a key derived from your login credential; our servers reject writes that contain anything but ciphertext. This is *not* end-to-end encryption \u2014 our servers can decrypt your content in memory when they need to (for AI responses, invoice rendering, reminder delivery). The difference from end-to-end encryption is that decryption happens transiently in process memory and the plaintext is never persisted to disk, logs, or traces."
           }
         },
-        music_generation: {
+        pii_placeholder_substitution: {
           heading: {
-            text: "Music generation (only when you use a music skill)"
+            text: "PII placeholder substitution before AI calls"
           },
           description: {
-            text: "These providers are only used when you invoke a music generation skill. If you never use the music app, none of your data is shared with them."
-          },
-          google_vertex_ai: {
-            heading: {
-              text: "Google Vertex AI (Lyria music generation)"
-            },
-            description: {
-              text: "Google Vertex AI hosts the Lyria models used by the music.generate skill. Google receives your music generation prompts, optional lyrics, style preferences, and generation settings only when you ask OpenMates to generate music or background music."
-            }
+            text: "Before any message is sent to a third-party AI model, your browser scans your message for real names, email addresses, and physical addresses that you have saved in your privacy settings (or that match common patterns) and replaces any matches with neutral placeholders (for example [USER_0]). The mapping back to your real values is stored encrypted with your key and is never decrypted on our servers. **Important limitation:** this substitution only protects personal data that our client-side detector actually recognizes \u2014 typically the values you have explicitly saved in your privacy settings and values highlighted in the message field before you send. Anything the detector does not recognize (typos of your own name, uncommon address formats, other people's personal data, sensitive topics that are not formally PII) will be transmitted as you typed it. Please treat every message as you would treat a note passed to a third-party AI provider and be cautious with personal data."
           }
         },
-        code_execution: {
+        encrypted_at_rest: {
           heading: {
-            text: "Code and developer tools (only when you use code skills)"
+            text: "Encrypted at rest, decrypted only in memory"
           },
           description: {
-            text: "These providers are only used when you invoke a code app skill, such as searching public repositories, running code in an isolated sandbox, creating a generated application that auto-starts a short screenshot preview, or explicitly starting a generated application live preview. If you never use the code app, none of your data is shared with them."
-          },
-          github: {
-            heading: {
-              text: "GitHub (public repository search)"
-            },
-            description: {
-              text: "GitHub powers the code app's repository search skill. GitHub receives public repository search queries without an OpenMates user identifier."
-            }
-          },
-          context7: {
-            heading: {
-              text: "Context7 (programming documentation lookup)"
-            },
-            description: {
-              text: "Context7 powers the code app's documentation lookup skill. Context7 receives library names and documentation questions without an OpenMates user identifier."
-            }
-          },
-          e2b: {
-            heading: {
-              text: "E2B (isolated code sandbox)"
-            },
-            description: {
-              text: "E2B runs selected code embeds, generated application previews, and Remotion video renders inside isolated sandboxes. E2B receives the code or generated application/Remotion files and assets needed to run or render the result, runtime inputs, preview/render logs, and execution output needed to display the sandbox result. This sharing happens when you explicitly run code, create a generated application that auto-starts a short screenshot preview, start/resume an application live preview, or when a Remotion video render auto-starts after the assistant closes an explicit remotion code fence."
-            }
+            text: "Our PostgreSQL database, Redis caches, S3 object storage, and backup snapshots hold only ciphertext for any field containing user content. When our servers need to read your content to run an AI response, render an invoice, or deliver a reminder, decryption happens transiently in process memory and is discarded immediately after. Key material is released on demand by HashiCorp Vault and never stored in raw form outside it."
           }
         },
-        web_and_search: {
+        hashed_identifiers: {
           heading: {
-            text: "Web, search, and content retrieval (only when you use a web or search skill)"
+            text: "Hashed identifiers throughout"
           },
           description: {
-            text: "These providers are only used when you invoke a web, videos, news, or web-read skill. They see the content of what you search for or the URLs you ask to read, but no user identifier \u2014 they do not know which OpenMates user made each request."
-          },
-          brave: {
-            heading: {
-              text: "Brave Search (web, videos, news)"
-            },
-            description: {
-              text: "Brave Search powers the web, videos, and news search skills. Brave sees the text of your search queries and your country and language preferences for localized results, but no user identifier."
-            }
-          },
-          firecrawl: {
-            heading: {
-              text: "Firecrawl (web page scraping)"
-            },
-            description: {
-              text: "Firecrawl powers the web read skill, scraping and extracting content from web pages you ask about. Firecrawl sees the URL you requested and the full content of the scraped page."
-            }
-          },
-          webshare: {
-            heading: {
-              text: "Webshare (rotating proxy)"
-            },
-            description: {
-              text: "Webshare provides a rotating proxy for requests to services that would otherwise block us. We route YouTube transcript requests (for the videos get-transcript skill) and doctor appointment searches (for the health search-appointments skill \u2014 see Group H) through Webshare. Webshare sees the URLs we route through it."
-            }
-          },
-          google_maps: {
-            heading: {
-              text: "Google Maps Platform (places search)"
-            },
-            description: {
-              text: "Google Maps powers the places search skill. Google sees the text of your place queries and an approximate location for localized results, but no user identifier."
-            }
-          },
-          youtube: {
-            heading: {
-              text: "YouTube (video transcripts)"
-            },
-            description: {
-              text: "YouTube is queried when you ask OpenMates to retrieve a transcript for a YouTube video. YouTube receives video URLs and requested transcript language preferences without an OpenMates user identifier."
-            }
+            text: "Your user ID is stored in most database tables as a SHA-256 hash rather than as a direct reference. Login uses a zero-knowledge password verification flow: we verify that you know your password without ever learning it. API-key device records anonymize the IP address to its first two octets before encryption, so we can recognize a device without storing a precise location."
           }
         },
-        travel: {
+        cryptographic_erasure: {
           heading: {
-            text: "Travel (only when you use a travel skill)"
+            text: "Cryptographically shredded on deletion"
           },
           description: {
-            text: "These providers are only used when you invoke a travel skill \u2014 flight search, hotel search, or flight tracking. If you never use the travel app, none of your data is shared with them."
-          },
-          serpapi: {
-            heading: {
-              text: "SerpAPI (flight and hotel search)"
-            },
-            description: {
-              text: "SerpAPI powers flight and hotel search via its Google Flights and Google Hotels endpoints. SerpAPI receives your search queries \u2014 origin, destination, dates, and preferences \u2014 without a user identifier."
-            }
-          },
-          flightradar24: {
-            heading: {
-              text: "Flightradar24 (flight tracking)"
-            },
-            description: {
-              text: "Flightradar24 provides real flight track data when you ask about a specific flight number. It receives IATA flight numbers and departure dates without a user identifier."
-            }
-          },
-          deutsche_bahn: {
-            heading: {
-              text: "Deutsche Bahn (train connections)"
-            },
-            description: {
-              text: "Deutsche Bahn provides train connection results when you search for rail routes. Deutsche Bahn receives origin, destination, and date search details without an OpenMates user identifier."
-            }
-          },
-          flix: {
-            heading: {
-              text: "FlixBus / FlixTrain (bus and train connections)"
-            },
-            description: {
-              text: "Flix provides intercity bus and rail connection results when you search for FlixBus or FlixTrain routes. Flix receives origin, destination, and date search details without an OpenMates user identifier."
-            }
+            text: "When you delete your account we destroy your HashiCorp Vault Transit key in addition to removing your rows from our database. Any encrypted field still sitting in a backup, cache, or running process becomes mathematically unrecoverable ciphertext at that moment \u2014 cryptographic erasure on top of row-level deletion."
           }
         },
-        events: {
+        observability_without_tracking: {
           heading: {
-            text: "Events (only when you use the events skill)"
+            text: "Observability without tracking"
           },
           description: {
-            text: "These providers are only used when you invoke the events search skill. The specific set of providers called depends on the city and event type you search for."
-          },
-          meetup: {
-            heading: {
-              text: "Meetup"
-            },
-            description: {
-              text: "Meetup powers event search for community events. Meetup receives your search queries \u2014 city, category, dates \u2014 without a user identifier."
-            }
-          },
-          luma: {
-            heading: {
-              text: "Luma"
-            },
-            description: {
-              text: "Luma powers event search for tech, creative, and community events. Luma receives your search queries without a user identifier."
-            }
-          },
-          resident_advisor: {
-            heading: {
-              text: "Resident Advisor"
-            },
-            description: {
-              text: "Resident Advisor powers event search for electronic music events. RA receives your search queries without a user identifier."
-            }
+            text: "Our internal tracing pipeline (OpenTelemetry) replaces your user ID with a hash that rotates every 24 hours, strips authentication headers and cookies from every span, and redacts chat content before any trace leaves the backend. Our web analytics use a server-side beacon with no cookies and no stored individual identifiers. We do not use Google Analytics, Plausible, PostHog, or any third-party analytics platform."
           }
+        }
+      },
+      promises: {
+        intro: {
+          text: "Below are the privacy promises we make to every user. Each one is backed by code in our open-source repository and verified by automated tests. When the enforcing code changes, a registry-linked check reminds us to rerun those tests before release."
         },
-        health: {
+        client_side_chat_encryption: {
           heading: {
-            text: "Health appointment search (only when you use the health skill)"
+            text: "Client-side chat encryption"
           },
           description: {
-            text: `These upstream services are reached through the Webshare rotating proxy (see Group E) only when you invoke the health app's appointment search skill. The queries you send \u2014 for example "dermatologist in Berlin next Tuesday" \u2014 are transmitted without user identifiers, but the content of the query itself can imply a health concern. By invoking the skill you consent to this processing under GDPR Art. 9(2)(a) (explicit consent for special-category data).`
-          },
-          doctolib: {
-            heading: {
-              text: "Doctolib (EU)"
-            },
-            description: {
-              text: "Doctolib lists doctors and specialists across supported EU regions. We query Doctolib for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
-            }
-          },
-          jameda: {
-            heading: {
-              text: "Jameda (Germany)"
-            },
-            description: {
-              text: "Jameda lists doctors and specialists across Germany. We query Jameda for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
-            }
+            text: "Your chats, settings, and memories are encrypted on your device with AES-256-GCM before they leave your browser. The server stores only ciphertext on disk, in caches, and in backups. This is not end-to-end encryption: when a server-side task needs to read content (to run an AI response, render an invoice, or deliver a reminder), it decrypts in memory via HashiCorp Vault and discards the plaintext immediately after use."
           }
         },
-        shopping: {
+        email_encryption_at_rest: {
           heading: {
-            text: "Shopping (only when you use the shopping skill)"
+            text: "Email addresses encrypted at rest"
           },
           description: {
-            text: "These providers are only used when you invoke the shopping search skill for live product and price lookups."
-          },
-          rewe: {
-            heading: {
-              text: "REWE (German grocery)"
-            },
-            description: {
-              text: "REWE's product catalogue is queried for live product and price data when you search German grocery items. REWE receives your search queries without a user identifier."
-            }
-          },
-          amazon: {
-            heading: {
-              text: "Amazon"
-            },
-            description: {
-              text: "Amazon's product catalogue is queried for live product and price data. Amazon receives your search queries without a user identifier."
-            }
+            text: "Your email address is stored only as ciphertext. The server decrypts it transiently in memory during login, billing, and notification delivery, and never writes plaintext to disk or logs."
           }
         },
-        nutrition: {
+        no_third_party_tracking: {
           heading: {
-            text: "Nutrition (only when you use the recipe search skill)"
+            text: "No third-party tracking cookies or analytics"
           },
           description: {
-            text: "These providers are only used when you invoke the nutrition recipe search skill. They receive recipe search queries and selected dietary filters without a user identifier."
-          },
-          edamam: {
-            heading: {
-              text: "Edamam"
-            },
-            description: {
-              text: "Edamam's Recipe Search API is queried when you search for recipes. Edamam receives the recipe query and selected dietary or nutrition filters without a user identifier."
-            }
+            text: "We do not use Google Analytics, Plausible, PostHog, Mixpanel, Amplitude, Segment, or any other third-party analytics platform. Our telemetry is server-side, cookie-free, and contains no individually stored identifiers. A pre-edit check in our repository blocks the introduction of analytics SDKs."
           }
         },
-        electronics: {
+        pii_placeholder_substitution: {
           heading: {
-            text: "Electronics (only when you use the electronics skill)"
+            text: "Personal information never reaches AI providers"
           },
           description: {
-            text: "These providers are only used when you invoke the electronics component search skill for live component and reference-design lookups."
-          },
-          ti_webench: {
-            heading: {
-              text: "Texas Instruments WEBENCH (US)"
-            },
-            description: {
-              text: "TI WEBENCH is queried for power converter component candidates and reference design summaries. Texas Instruments receives the electrical requirements you search for, such as input voltage, output voltage, output current, temperature, isolation, and optimization goal, without a user identifier."
-            }
+            text: "Before any message is sent to an AI provider, your browser detects 32 categories of personal data \u2014 emails, phone numbers, credit card numbers, API keys, and more \u2014 and replaces them with placeholders like `[EMAIL_com]`. The substitution map is encrypted with your chat key so only your devices can restore the original values."
           }
         },
-        mail: {
+        telemetry_privacy_filter: {
           heading: {
-            text: "Mail (only when you use mail skills)"
+            text: "Telemetry stripped of sensitive data"
           },
           description: {
-            text: "This provider is only used when you invoke mail skills against a connected mailbox. If you never use the mail app, none of your data is shared with it."
-          },
-          protonmail: {
-            heading: {
-              text: "Proton Mail (mail search)"
-            },
-            description: {
-              text: "Proton Mail is queried when you search a connected Proton Mail mailbox. Proton receives the mail search query and mailbox data needed to return matching results."
-            }
+            text: "Our internal tracing pipeline (OpenTelemetry) strips authentication headers, cookies, and database statements from every span, and pseudonymises your user ID with a salt that rotates every 24 hours. Regular users never have their raw identifiers in telemetry."
           }
         },
-        home: {
+        cryptographic_erasure: {
           heading: {
-            text: "Home and housing (only when you use housing search)"
+            text: "Deleted accounts are cryptographically erased"
           },
           description: {
-            text: "These providers are only used when you invoke the home app's housing search skill. If you never search for housing, none of your data is shared with them."
-          },
-          immoscout24: {
-            heading: {
-              text: "ImmoScout24 (German housing search)"
-            },
-            description: {
-              text: "ImmoScout24 is queried when you search German housing listings. ImmoScout24 receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
-            }
+            text: "When you delete your account, the first step destroys your encryption keys. Any residual ciphertext in backups, caches, or audit logs is rendered permanently unreadable \u2014 no key, no content."
+          }
+        },
+        argon2_password_hashing: {
+          heading: {
+            text: "Passwords stored as Argon2 hashes"
           },
-          kleinanzeigen: {
-            heading: {
-              text: "Kleinanzeigen (German classified housing search)"
-            },
-            description: {
-              text: "Kleinanzeigen is queried when you search German classified housing listings. Kleinanzeigen receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
-            }
+          description: {
+            text: "We store password and backup-code verifiers as Argon2 hashes. Plaintext passwords are never persisted to disk, never written to logs, and never recoverable \u2014 even by us."
+          }
+        },
+        payment_data_minimization: {
+          heading: {
+            text: "No card numbers ever touch our servers"
           },
-          wg_gesucht: {
-            heading: {
-              text: "WG-Gesucht (German shared-apartment search)"
-            },
-            description: {
-              text: "WG-Gesucht is queried when you search German shared-apartment or rental listings. WG-Gesucht receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
-            }
+          description: {
+            text: "Payments flow directly from your browser to Stripe. We store only provider tokens and customer identifiers. We never see, receive, or persist full card numbers, security codes, or bank account details."
           }
         },
-        community: {
+        logging_redaction: {
           heading: {
-            text: "Community and developer channels (only if you choose to use them)"
+            text: "Logs are scrubbed of sensitive data"
           },
           description: {
-            text: "These providers are only involved if you choose to join our community or developer channels. You can use OpenMates without ever touching them."
+            text: "Every log line passes through a redaction filter that strips email addresses, IP addresses, bearer tokens, and password values. Compliance logs preserve pseudonymous user IDs but remove all other personal data."
+          }
+        },
+        prompt_injection_defense: {
+          heading: {
+            text: "Defense against prompt injection"
           },
-          discord: {
-            heading: {
-              text: "Discord (community server)"
-            },
-            description: {
-              text: "If you join the OpenMates community Discord server, Discord will see anything you post on its platform, plus your Discord username and whatever data Discord itself collects per its own privacy policy. We have no control over what Discord does with that data."
-            },
-            admin_access: {
-              text: "OpenMates administrators with Discord server admin rights can read all messages posted in the OpenMates Discord server. Do not share sensitive information on Discord."
-            }
+          description: {
+            text: "Two layers protect your conversations from malicious content in web pages, files, and URLs you reference. Invisible Unicode characters are stripped first, then a dedicated safety model detects semantic injection attempts and blocks or replaces high-risk content before it reaches your assistant."
           }
         },
-        social_media: {
+        no_training_on_user_data: {
           heading: {
-            text: "Social media (only when you use social media skills)"
+            text: "Your conversations are not used to train AI models"
           },
           description: {
-            text: "These providers are only used when you invoke the social media app's get-posts or search skills. They receive public profile, page, or search queries without an OpenMates user identifier."
+            text: "All AI chat providers we use (Anthropic, OpenAI, Mistral, Google Gemini, Google Vertex AI, Together AI, Groq, Cerebras, and OpenRouter) have explicit no-training clauses in their terms \u2014 your conversations are never used to fine-tune, evaluate, or otherwise train AI models. For image generation, Recraft has a training opt-out which we have activated. fal.ai (used for draft image generation) may use anonymized, aggregated derivatives of prompts for model improvement under their standard API terms; no full opt-out is available outside an enterprise contract. A per-provider audit with verbatim policy quotes and verification dates is published in our open-source repository."
+          }
+        },
+        no_external_resources: {
+          heading: {
+            text: "The web app never loads external images or scripts"
           },
-          reddit: {
-            heading: {
-              text: "Reddit (public posts and discussions)"
-            },
-            description: {
-              text: "Reddit is queried when you fetch or search public Reddit posts. Reddit receives subreddit names, public post URLs, and search queries without an OpenMates user identifier."
-            }
+          description: {
+            text: "Every external image, favicon, or preview shown in the app is fetched through our own preview.openmates.org proxy \u2014 the originating website never sees your IP address. The only third-party script the web app loads is the Stripe payment SDK needed to process a purchase, and only when you explicitly open the payment flow. There is no ad network, tag manager, CDN font loader, or third-party analytics library."
+          }
+        },
+        cli_no_credential_prompts: {
+          heading: {
+            text: "The command-line tool never asks for your password"
           },
-          bluesky: {
-            heading: {
-              text: "Bluesky (public posts and profile feeds)"
-            },
-            description: {
-              text: "Bluesky is queried when you fetch or search public Bluesky posts. Bluesky receives handles and search queries without an OpenMates user identifier."
-            }
+          description: {
+            text: "The OpenMates CLI never prompts you for your email, password, 2FA code, or any other login credential. Authentication uses a browser-based pair-auth handshake: the CLI shows a QR code and URL, you approve the session in your logged-in web browser, and you type a short 6-character binding PIN back into the CLI to confirm. Your credentials never pass through the terminal."
+          }
+        },
+        open_source_transparency: {
+          heading: {
+            text: "Every claim on this page is independently auditable"
           },
-          mastodon: {
-            heading: {
-              text: "Mastodon (public profile posts)"
-            },
-            description: {
-              text: "Mastodon is queried when you fetch public Mastodon profile posts. The relevant Mastodon server receives profile identifiers or public profile URLs without an OpenMates user identifier."
-            }
+          description: {
+            text: "OpenMates is open source. Every promise above is backed by code you can read, tests you can run, and architecture documents you can audit in our public repository. Our privacy-promises registry links each claim to the exact files that enforce it."
           }
         }
       },
@@ -35439,6 +36303,33 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
         connect_button: {
           text: "Connect Google Calendar"
         },
+        manage_account: {
+          text: "Manage {label}"
+        },
+        capability_read: {
+          text: "Read events"
+        },
+        capability_read_description: {
+          text: "Let OpenMates request permission before reading calendar events."
+        },
+        capability_write: {
+          text: "Write events"
+        },
+        capability_write_description: {
+          text: "Let OpenMates request permission before creating or updating events."
+        },
+        capability_delete: {
+          text: "Delete events"
+        },
+        capability_delete_description: {
+          text: "Let OpenMates request permission before deleting events."
+        },
+        oauth_summary: {
+          text: "OAuth request: {capabilities}"
+        },
+        no_capabilities_selected: {
+          text: "No access selected"
+        },
         finalizing: {
           text: "Encrypting and saving your connected account..."
         },
@@ -36966,7 +37857,10 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
       }
     },
     apps: {
-      text: "Apps"
+      text: "Apps",
+      all: {
+        text: "Apps"
+      }
     },
     mates: {
       description: {
@@ -37444,6 +38338,71 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
           text: "OpenMates will auto replace sensitive data with placeholders, before sending them to the OpenMates server and any external provider, to protect your privacy. Replaced data are visually highlighted. You can always click on a replaced data entry to overwrite the replacement, or turn off the functionality completely here."
         }
       },
+      connected_accounts: {
+        title: {
+          text: "Connected accounts"
+        },
+        subtitle: {
+          text: "Apps | Providers"
+        },
+        description: {
+          text: "Connected accounts are stored as encrypted browser-managed records. OpenMates only receives encrypted account data and opaque hashes."
+        },
+        loading: {
+          text: "Loading connected accounts..."
+        },
+        empty: {
+          text: "No connected accounts yet."
+        },
+        accounts: {
+          text: "Accounts"
+        },
+        details: {
+          text: "Account details"
+        },
+        account_label: {
+          text: "Account label"
+        },
+        provider: {
+          text: "Provider"
+        },
+        provider_google_calendar: {
+          text: "Google Calendar"
+        },
+        app: {
+          text: "App"
+        },
+        capabilities: {
+          text: "Capabilities"
+        },
+        runtime_modes: {
+          text: "Runtime modes"
+        },
+        none: {
+          text: "None"
+        },
+        add_calendar_write: {
+          text: "Add Calendar write access"
+        },
+        finalizing: {
+          text: "Encrypting and saving connected account update..."
+        },
+        updated_success: {
+          text: "Connected account updated. New access was encrypted before saving."
+        },
+        sign_in_required: {
+          text: "Sign in to manage connected accounts."
+        },
+        load_error: {
+          text: "Could not load connected accounts."
+        },
+        update_error: {
+          text: "Could not start connected account update."
+        },
+        finalize_error: {
+          text: "Could not finish updating connected account."
+        }
+      },
       nearby_by_default: {
         text: "Nearby by default"
       },
@@ -37787,7 +38746,10 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
         text: "Community Suggestions"
       },
       stats: {
-        text: "Stats"
+        text: "Stats",
+        subtitle: {
+          text: "View global server usage and growth metrics"
+        }
       },
       gift_cards: {
         text: "Gift Cards",
@@ -37938,6 +38900,89 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
       free_testing_credits: {
         text: "Free testing credits"
       },
+      anonymous_free_usage_budget: {
+        title: {
+          text: "Anonymous free usage"
+        },
+        subtitle: {
+          text: "Configure logged-out free chat budget caps"
+        },
+        loading: {
+          text: "Loading anonymous free usage budget..."
+        },
+        load_error: {
+          text: "Failed to load anonymous free usage budget."
+        },
+        save_success: {
+          text: "Anonymous free usage budget saved."
+        },
+        save_error: {
+          text: "Failed to save anonymous free usage budget."
+        },
+        status_active: {
+          text: "Anonymous free usage is active for new logged-out users."
+        },
+        status_daily_exhausted: {
+          text: "The anonymous free usage daily cap is exhausted until the next reset."
+        },
+        status_weekly_exhausted: {
+          text: "The anonymous free usage weekly cap is exhausted."
+        },
+        status_disabled: {
+          text: "Anonymous free usage is currently inactive."
+        },
+        daily_cap: {
+          text: "Daily cap"
+        },
+        weekly_cap: {
+          text: "Weekly cap"
+        },
+        daily_used: {
+          text: "Daily used"
+        },
+        weekly_used: {
+          text: "Weekly used"
+        },
+        daily_remaining: {
+          text: "Daily remaining"
+        },
+        weekly_remaining: {
+          text: "Weekly remaining"
+        },
+        reset_at: {
+          text: "Daily reset"
+        },
+        updated_at: {
+          text: "Updated"
+        },
+        never: {
+          text: "Never"
+        },
+        enabled: {
+          text: "Enable anonymous free usage for logged-out users"
+        },
+        monthly_budget: {
+          text: "Monthly budget credits"
+        },
+        daily_percent: {
+          text: "Daily hard cap percent"
+        },
+        weekly_percent: {
+          text: "Weekly cap percent"
+        },
+        per_identity_cap: {
+          text: "Per-identity daily cap credits"
+        },
+        derived_daily_cap: {
+          text: "Derived daily cap"
+        },
+        derived_weekly_cap: {
+          text: "Derived weekly cap"
+        },
+        validation_percent: {
+          text: "Percent values must be between 0 and 100."
+        }
+      },
       tests: {
         text: "Tests",
         subtitle: {
@@ -40433,6 +41478,28 @@ function toWaitingForUserResult(params) {
   };
 }
 
+// src/feedback.ts
+var ASSISTANT_FEEDBACK_THANKS = "Thanks for the feedback!";
+var ASSISTANT_FEEDBACK_REPORT_TITLE = "Assistant response quality bad:";
+function buildAssistantFeedbackDecision(rating) {
+  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
+    throw new Error("Rating must be an integer from 1 to 5.");
+  }
+  if (rating <= 3) {
+    return {
+      rating,
+      action: "report_issue",
+      message: ASSISTANT_FEEDBACK_THANKS,
+      reportTitle: ASSISTANT_FEEDBACK_REPORT_TITLE
+    };
+  }
+  return {
+    rating,
+    action: "thanks",
+    message: ASSISTANT_FEEDBACK_THANKS
+  };
+}
+
 // src/cli.ts
 async function main() {
   const parsed = parseArgs(process.argv.slice(2));
@@ -40441,11 +41508,13 @@ async function main() {
     apiUrl: typeof parsed.flags["api-url"] === "string" ? parsed.flags["api-url"] : void 0
   });
   const redactor = new OutputRedactor();
-  if (client.hasSession() && shouldInitializeRedactor(command, subcommand)) {
+  const piiDetectionEnabled = parsed.flags["no-pii-detection"] !== true;
+  if (piiDetectionEnabled && shouldInitializeRedactor(command, subcommand)) {
     try {
-      const memories = await client.listMemories();
+      const memories = client.hasSession() ? await client.listMemories() : [];
       redactor.initializeFromMemories(memories);
     } catch {
+      redactor.initializeFromMemories([]);
     }
   }
   if (!command || command === "help") {
@@ -40493,6 +41562,10 @@ async function main() {
       printServerHelp();
       return;
     }
+    if (command === "feedback") {
+      printFeedbackHelp();
+      return;
+    }
     if (command === "docs") {
       printDocsHelp();
       return;
@@ -40563,6 +41636,10 @@ async function main() {
     await handleNewChatSuggestions(client, parsed.flags);
     return;
   }
+  if (command === "feedback") {
+    handleFeedback(subcommand, rest, parsed.flags);
+    return;
+  }
   throw new Error(`Unknown command '${command}'. Run 'openmates help'.`);
 }
 function shouldInitializeRedactor(command, subcommand) {
@@ -40618,7 +41695,8 @@ async function handleChats(client, subcommand, rest, flags, redactor) {
         incognito: false,
         json: flags.json === true,
         autoApproveSubChats: flags["auto-approve"] === true,
-        autoApproveMemories: flags["auto-approve-memories"] === true
+        autoApproveMemories: flags["auto-approve-memories"] === true,
+        piiDetection: flags["no-pii-detection"] !== true
       },
       redactor
     );
@@ -40691,7 +41769,8 @@ Run 'openmates chats show ` + chatId + "' to check if suggestions have been save
         incognito: flags.incognito === true,
         json: flags.json === true,
         autoApproveSubChats: flags["auto-approve"] === true,
-        autoApproveMemories: flags["auto-approve-memories"] === true
+        autoApproveMemories: flags["auto-approve-memories"] === true,
+        piiDetection: flags["no-pii-detection"] !== true
       },
       redactor
     );
@@ -40711,7 +41790,8 @@ Run 'openmates chats show ` + chatId + "' to check if suggestions have been save
         incognito: true,
         json: flags.json === true,
         autoApproveSubChats: flags["auto-approve"] === true,
-        autoApproveMemories: flags["auto-approve-memories"] === true
+        autoApproveMemories: flags["auto-approve-memories"] === true,
+        piiDetection: flags["no-pii-detection"] !== true
       },
       redactor
     );
@@ -43013,6 +44093,29 @@ Usage: openmates settings memories <list|types|create|update|delete>`
   );
   process.exit(1);
 }
+function handleFeedback(subcommand, _rest, flags) {
+  if (!subcommand || subcommand === "help" || flags.help === true) {
+    printFeedbackHelp();
+    return;
+  }
+  if (subcommand !== "assistant-response") {
+    throw new Error(`Unknown feedback command '${subcommand}'. Run 'openmates feedback --help'.`);
+  }
+  const rawRating = flags.rating;
+  if (typeof rawRating !== "string") {
+    throw new Error("Missing --rating <1-5>.");
+  }
+  const decision = buildAssistantFeedbackDecision(Number(rawRating));
+  if (flags.json === true) {
+    printJson2(decision);
+    return;
+  }
+  console.log(decision.message);
+  if (decision.action === "report_issue") {
+    console.log(`Report issue title: ${decision.reportTitle}`);
+    console.log("Open the report issue form and include the affected assistant response.");
+  }
+}
 function parseArgs(argv) {
   const positionals = [];
   const flags = {};
@@ -43301,6 +44404,20 @@ async function sendMessageStreaming(client, params, redactor) {
         process.exit(1);
       }
       if (parsed.filePaths.length > 0) {
+        if (!client.hasSession()) {
+          clearTyping();
+          const result2 = {
+            status: "signup_required",
+            reason: "file_upload_requires_signup",
+            signup_required: true,
+            message: "File uploads require signup. Your message text can be kept as a draft, but files must be attached after creating an account."
+          };
+          if (!params.json) {
+            process.stderr.write(`${result2.message}
+`);
+          }
+          return result2;
+        }
         const fileResult = processFiles(parsed.filePaths, redactor ?? null);
         for (const b of fileResult.blocked) {
           clearTyping();
@@ -43439,6 +44556,29 @@ async function sendMessageStreaming(client, params, redactor) {
     } catch {
     }
   }
+  const piiResult = params.piiDetection !== false && redactor?.isInitialized ? redactor.redactWithMappings(finalMessage) : { redacted: finalMessage, mappings: [] };
+  finalMessage = piiResult.redacted;
+  if (!client.hasSession()) {
+    let result2;
+    try {
+      result2 = await client.sendAnonymousMessage({ message: finalMessage });
+    } finally {
+      clearTyping();
+    }
+    if (!params.json) {
+      const mateBlock = ansiMateBlock(result2.category, result2.mateName);
+      const modelSuffix = result2.modelName ? `  \x1B[2m${result2.modelName}\x1B[0m` : "";
+      process.stdout.write(`${SEP}
+`);
+      process.stdout.write(`${mateBlock}${modelSuffix}
+`);
+      process.stdout.write(`${SEP}
+`);
+      process.stdout.write(`${result2.assistant}
+`);
+    }
+    return result2;
+  }
   const urlResult = prepareUrlEmbeds(finalMessage);
   finalMessage = urlResult.message;
   preparedEmbeds.push(...urlResult.embeds);
@@ -43451,7 +44591,12 @@ async function sendMessageStreaming(client, params, redactor) {
     onSubChatApprovalRequest,
     autoApproveSubChats: params.autoApproveSubChats,
     autoApproveMemories: params.autoApproveMemories,
-    preparedEmbeds: preparedEmbeds.length > 0 ? preparedEmbeds : void 0
+    preparedEmbeds: preparedEmbeds.length > 0 ? preparedEmbeds : void 0,
+    piiMappings: piiResult.mappings.map((mapping) => ({
+      placeholder: mapping.placeholder,
+      original: mapping.original,
+      type: mapping.type
+    }))
   });
   clearTyping();
   if (result.status === "waiting_for_user") {
@@ -44754,6 +45899,7 @@ Commands:
   openmates settings [--help]                Predefined settings commands
   openmates inspirations [--lang <code>] [--json]   Daily inspirations
   openmates newchatsuggestions [--limit <n>] [--json]   Personalized new chat suggestions
+  openmates feedback [--help]                Assistant response feedback helpers
   openmates server [--help]                   Server management (install, start, stop, ...)
   openmates docs [--help]                     Browse, search, and download documentation
   openmates e2e provision-auth-accounts       Provision local E2E auth-account artifacts
@@ -44764,6 +45910,18 @@ Flags:
   --api-key <key> Optional API key override (or set OPENMATES_API_KEY)
   --help          Show contextual help for any command`);
 }
+function printFeedbackHelp() {
+  console.log(`Feedback commands:
+  openmates feedback assistant-response --rating <1-5> [--json]
+
+Mirrors the web chat assistant-response feedback decision:
+  4-5 stars  Thank the user only
+  1-3 stars  Thank the user and prompt a report issue with the standard prefill
+
+Options:
+  --rating <1-5>  Required star rating
+  --json          Output the decision contract as JSON`);
+}
 function printSignupHelp() {
   console.log(`Signup command:
   openmates signup --email <email> --username <name> --invite-code <code>
@@ -44804,13 +45962,13 @@ function printChatsHelp() {
   openmates chats show <chat-id> [--raw] [--json]
   openmates chats open [<n|example-id|slug>] [--json]
   openmates chats search <query> [--json]
-  openmates chats new <message> [--json] [--auto-approve] [--auto-approve-memories]
-  openmates chats send [--chat <id>] [--incognito] <message> [--json] [--auto-approve] [--auto-approve-memories]
+  openmates chats new <message> [--json] [--auto-approve] [--auto-approve-memories] [--no-pii-detection]
+  openmates chats send [--chat <id>] [--incognito] <message> [--json] [--auto-approve] [--auto-approve-memories] [--no-pii-detection]
   openmates chats send --chat <id> --followup <n> [--json] [--auto-approve] [--auto-approve-memories]
   openmates chats download <chat-id> [--output <path>] [--zip] [--json]
   openmates chats delete <id1> [id2] [id3] ... [--yes]
   openmates chats share [<chat-id>] [--expires <seconds>] [--password <pwd>] [--json]
-  openmates chats incognito <message> [--json]
+  openmates chats incognito <message> [--json] [--no-pii-detection]
   openmates chats incognito-history [--json]      Deprecated: incognito stores no history
   openmates chats incognito-clear                 Deprecated: incognito stores no history
 
@@ -44839,8 +45997,10 @@ Options for 'new', 'send', and 'incognito':
   --auto-approve           Automatically approve server-requested sub-chat batches.
                            Without this, the CLI prompts in the terminal like the web app.
   --auto-approve-memories  Explicitly approve server-requested memory categories.
-                           Memories are never approved by default.
-                           Use only for trusted non-interactive runs.
+                            Memories are never approved by default.
+                            Use only for trusted non-interactive runs.
+  --no-pii-detection       Send the message exactly as typed. By default, the CLI
+                            replaces detected PII with placeholders before send.
 
 Options for 'download':
   --output <path>  Target directory (default: current directory)
@@ -45172,6 +46332,9 @@ export {
   deriveAppUrl,
   OpenMatesClient,
   defaultCloneBranchForVersion,
+  ASSISTANT_FEEDBACK_THANKS,
+  ASSISTANT_FEEDBACK_REPORT_TITLE,
+  buildAssistantFeedbackDecision,
   serializeToYaml,
   getExtForLang
 };