osborn 0.8.11 → 0.8.13

package/.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(ps:*)",
+      "Bash(osascript:*)",
+      "Bash(curl -s http://localhost:3000)"
+    ]
+  }
+}

package/.claude/skills/markdown-to-pdf/SKILL.md

@@ -0,0 +1,29 @@
+# Skill: Markdown to PDF
+
+Export Markdown documents as formatted PDF files.
+
+## When to use
+When the user wants to create a PDF from a Markdown file, spec, or research findings.
+
+## How to execute
+
+Option 1 — Using md-to-pdf (best quality):
+```bash
+npx --yes md-to-pdf "<MARKDOWN_PATH>"
+```
+This creates a PDF alongside the source file with the same name.
+
+Option 2 — Using pandoc (if available):
+```bash
+pandoc "<MARKDOWN_PATH>" -o "<OUTPUT_PATH>.pdf" --pdf-engine=wkhtmltopdf
+```
+
+Option 3 — Using markdown-pdf:
+```bash
+npx --yes markdown-pdf "<MARKDOWN_PATH>" -o "<OUTPUT_PATH>.pdf"
+```
+
+## Output
+- Save the PDF to the session workspace (e.g., `library/{name}.pdf`)
+- Confirm the output path and file size to the user
+- If the source is spec.md, name the output `spec-export.pdf`

package/.claude/skills/pdf-to-markdown/SKILL.md

@@ -0,0 +1,28 @@
+# Skill: PDF to Markdown
+
+Convert PDF documents to readable Markdown text.
+
+## When to use
+When the user provides a PDF file path and wants to read, search, or work with its contents.
+
+## How to execute
+
+Option 1 — Using the built-in Read tool:
+The Read tool can directly read PDF files. Use `pages` parameter for large PDFs (max 20 pages per request).
+
+Option 2 — Full extraction via CLI (for better formatting or batch processing):
+```bash
+npx --yes pdf-parse-cli "<PDF_PATH>"
+```
+
+Option 3 — Using pdftotext (if available):
+```bash
+pdftotext -layout "<PDF_PATH>" -
+```
+
+## Output
+Save the converted content to the session workspace as `library/{filename}.md` with:
+- Document title and source path at the top
+- Preserved heading structure where detectable
+- Tables converted to Markdown tables where possible
+- Page numbers as section markers

package/.claude/skills/playwright-browser/SKILL.md

@@ -0,0 +1,90 @@
+# Skill: Playwright Browser Automation
+
+Automate web browser interactions — navigate pages, click buttons, fill forms, take screenshots, and extract content.
+
+## When to use
+- Navigate to a URL and interact with it
+- Click buttons or links by their text or role
+- Fill form fields and submit data
+- Take screenshots of web pages
+- Extract text or structured data from pages
+- Automate multi-step web workflows (e.g. join a room, test a UI flow)
+
+## How to execute
+
+Uses `@playwright/cli` via npx — no global install needed. Token-efficient: uses element references (e.g. `e15`) instead of pixel coordinates.
+
+### First time only — install browser binaries
+```bash
+npx playwright install chromium
+```
+
+### Step 1 — Open a URL
+```bash
+npx @playwright/cli open https://localhost:3000
+```
+
+### Step 2 — Get page structure and element references
+```bash
+npx @playwright/cli snapshot
+```
+Returns an accessibility tree with element IDs like e1, e2, e15. Use these in subsequent commands.
+
+### Step 3 — Interact with elements
+```bash
+npx @playwright/cli click e15
+npx @playwright/cli fill e3 "some text"
+npx @playwright/cli press e3 Enter
+npx @playwright/cli select e7 "optionValue"
+npx @playwright/cli check e9
+npx @playwright/cli hover e12
+```
+
+### Take a screenshot
+```bash
+npx @playwright/cli screenshot --path=/tmp/page.png
+```
+
+### Take a screenshot at a specific viewport size (mobile check)
+```bash
+npx @playwright/cli screenshot --viewport-size=375,812 --path=/tmp/page-mobile.png
+```
+Common mobile sizes: `375,812` (iPhone 14), `390,844` (iPhone 14 Pro), `412,915` (Pixel 7), `768,1024` (iPad).
+
+### Close the browser
+```bash
+npx @playwright/cli close
+```
+
+### Named sessions (persistent state across commands)
+```bash
+npx @playwright/cli -s=myflow open https://localhost:3000
+npx @playwright/cli -s=myflow snapshot
+npx @playwright/cli -s=myflow fill e3 "abc123"
+npx @playwright/cli -s=myflow click e5
+npx @playwright/cli -s=myflow close
+```
+
+## Complete example — join Osborn voice room
+```bash
+npx @playwright/cli open http://localhost:3000
+npx @playwright/cli snapshot
+npx @playwright/cli fill e3 "abc123"
+npx @playwright/cli click e4
+npx @playwright/cli screenshot --path=/tmp/osborn-joined.png
+npx @playwright/cli close
+```
+
+## Complete example — check mobile layout
+```bash
+npx @playwright/cli open http://localhost:3000
+npx @playwright/cli screenshot --viewport-size=375,812 --path=/tmp/mobile-375.png
+npx @playwright/cli close
+```
+
+## Notes
+- Runs headless by default. Add --headed to see the browser window.
+- Install browsers first if needed: npx playwright install chromium
+- Element IDs are session-scoped — run snapshot again after page changes
+- Use `--viewport-size=WIDTH,HEIGHT` to simulate mobile screen sizes (e.g. `375,812` for iPhone 14)
+- Use `--storage-state=/tmp/state.json` to save and restore session state (cookies, localStorage) across runs

package/.claude/skills/shadcn/SKILL.md

@@ -0,0 +1,232 @@
+# Skill: shadcn/ui Components
+
+Add and configure shadcn/ui components in a Next.js or React project.
+
+## When to use
+When the user wants to add UI components (buttons, dialogs, cards, forms, tables, etc.) using shadcn/ui — the copy-paste component library built on Radix UI and Tailwind CSS.
+
+## Setup (first time only)
+
+Initialize shadcn in the project root (where package.json lives):
+```bash
+npx shadcn@latest init
+```
+
+This creates `components.json` and sets up `src/components/ui/`. Answer the prompts to match your project's style preferences.
+
+## Add a component
+
+```bash
+npx shadcn@latest add <component-name>
+```
+
+## Add multiple components at once
+```bash
+npx shadcn@latest add button card dialog input form
+```
+
+## Commonly used components
+
+| Component | Install name | Description |
+|-----------|-------------|-------------|
+| Button | `button` | Clickable button with variants |
+| Card | `card` | Container with header/content/footer |
+| Input | `input` | Text input field |
+| Label | `label` | Form label |
+| Textarea | `textarea` | Multi-line text input |
+| Select | `select` | Dropdown select |
+| Checkbox | `checkbox` | Checkbox with label |
+| Switch | `switch` | Toggle switch |
+| Dialog | `dialog` | Modal dialog |
+| Sheet | `sheet` | Slide-in panel (drawer) |
+| Popover | `popover` | Floating content panel |
+| Tooltip | `tooltip` | Hover tooltip |
+| Dropdown Menu | `dropdown-menu` | Contextual dropdown |
+| Command | `command` | Command palette / search |
+| Badge | `badge` | Small status indicator |
+| Avatar | `avatar` | User avatar with fallback |
+| Separator | `separator` | Visual divider |
+| Table | `table` | Data table |
+| Tabs | `tabs` | Tabbed interface |
+| Accordion | `accordion` | Collapsible sections |
+| Sonner | `sonner` | Toast notifications (preferred over toast) |
+| Alert | `alert` | Inline alert message |
+| Alert Dialog | `alert-dialog` | Confirmation dialog |
+| Progress | `progress` | Progress bar |
+| Skeleton | `skeleton` | Loading placeholder |
+| Scroll Area | `scroll-area` | Custom scrollbar container |
+| Calendar | `calendar` | Date picker calendar |
+| Form | `form` | React Hook Form integration |
+| Slider | `slider` | Range slider |
+| Toggle | `toggle` | Toggle button |
+| Navigation Menu | `navigation-menu` | Site navigation |
+| Breadcrumb | `breadcrumb` | Page navigation breadcrumbs |
+| Collapsible | `collapsible` | Expandable/collapsible section |
+| Context Menu | `context-menu` | Right-click context menu |
+| Menubar | `menubar` | Application menu bar |
+| Resizable | `resizable` | Resizable panel groups |
+
+## Import pattern
+
+```tsx
+import { Button } from "@/components/ui/button"
+import { Card, CardContent, CardHeader, CardTitle, CardDescription, CardFooter } from "@/components/ui/card"
+import { Input } from "@/components/ui/input"
+import { Label } from "@/components/ui/label"
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from "@/components/ui/dialog"
+```
+
+## Example — Button variants
+
+```tsx
+<Button>Default</Button>
+<Button variant="destructive">Delete</Button>
+<Button variant="outline">Cancel</Button>
+<Button variant="ghost">Ghost</Button>
+<Button variant="link">Link</Button>
+<Button size="sm">Small</Button>
+<Button size="lg">Large</Button>
+<Button disabled>Disabled</Button>
+```
+
+## Example — Card
+
+```tsx
+<Card>
+  <CardHeader>
+    <CardTitle>Card Title</CardTitle>
+    <CardDescription>Card description goes here</CardDescription>
+  </CardHeader>
+  <CardContent>
+    <p>Card content here</p>
+  </CardContent>
+  <CardFooter>
+    <Button>Action</Button>
+  </CardFooter>
+</Card>
+```
+
+## Example — Form with validation (React Hook Form + Zod)
+
+```bash
+npx shadcn@latest add form input
+npm install zod react-hook-form @hookform/resolvers
+```
+
+```tsx
+import { useForm } from "react-hook-form"
+import { zodResolver } from "@hookform/resolvers/zod"
+import * as z from "zod"
+import { Form, FormControl, FormField, FormItem, FormLabel, FormMessage } from "@/components/ui/form"
+import { Input } from "@/components/ui/input"
+import { Button } from "@/components/ui/button"
+
+const formSchema = z.object({
+  email: z.string().email("Invalid email address"),
+  password: z.string().min(8, "Password must be at least 8 characters"),
+})
+
+export function LoginForm() {
+  const form = useForm<z.infer<typeof formSchema>>({
+    resolver: zodResolver(formSchema),
+    defaultValues: { email: "", password: "" },
+  })
+
+  function onSubmit(values: z.infer<typeof formSchema>) {
+    console.log(values)
+  }
+
+  return (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+        <FormField
+          control={form.control}
+          name="email"
+          render={({ field }) => (
+            <FormItem>
+              <FormLabel>Email</FormLabel>
+              <FormControl>
+                <Input placeholder="you@example.com" {...field} />
+              </FormControl>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+        <FormField
+          control={form.control}
+          name="password"
+          render={({ field }) => (
+            <FormItem>
+              <FormLabel>Password</FormLabel>
+              <FormControl>
+                <Input type="password" {...field} />
+              </FormControl>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+        <Button type="submit" className="w-full">Sign in</Button>
+      </form>
+    </Form>
+  )
+}
+```
+
+## Example — Toast notifications (Sonner)
+
+```bash
+npx shadcn@latest add sonner
+```
+
+```tsx
+// In your root layout — add the Toaster once
+import { Toaster } from "@/components/ui/sonner"
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        {children}
+        <Toaster />
+      </body>
+    </html>
+  )
+}
+
+// Then anywhere in your app
+import { toast } from "sonner"
+
+toast("Event created")
+toast.success("Profile saved")
+toast.error("Something went wrong")
+toast.promise(saveData(), {
+  loading: "Saving...",
+  success: "Saved!",
+  error: "Failed to save",
+})
+```
+
+## The cn() utility
+
+shadcn uses `clsx` + `tailwind-merge` via a `cn()` helper for conditional classes:
+
+```tsx
+import { cn } from "@/lib/utils"
+
+<div className={cn("base-class", isActive && "active-class", className)} />
+```
+
+## Notes
+- Components are **copied into your project** (not a node_modules dependency) — edit them freely
+- Requires **Tailwind CSS** configured in the project
+- Uses **Radix UI** primitives for accessibility
+- Components land in `src/components/ui/` by default
+- Run `npx shadcn@latest diff` to see if upstream components have changed
+- Check `components.json` for path and style config
+- Use Sonner (`sonner`) instead of the legacy `toast` component for notifications

package/.claude/skills/youtube-transcript/SKILL.md

@@ -0,0 +1,24 @@
+# Skill: YouTube Transcript
+
+Fetch and save transcripts from YouTube videos.
+
+## When to use
+When the user asks to get a transcript, subtitles, captions, or summary from a YouTube video URL.
+
+## How to execute
+
+yt-dlp is installed on this system. Use this exact command:
+
+```bash
+yt-dlp --skip-download --write-auto-sub --sub-lang en --convert-subs srt -o "/tmp/yt-%(id)s" "<VIDEO_URL>"
+```
+
+This downloads auto-generated English subtitles as an SRT file to /tmp/yt-{video-id}.en.srt
+
+Then read the SRT file and strip the timing markers to get clean transcript text.
+
+## Output
+Save the cleaned transcript to the session workspace as `library/youtube-{video-id}-transcript.md` with:
+- Video title and URL at the top
+- Cleaned transcript text (strip SRT timing markers and duplicate lines)
+- Key timestamps preserved as section markers if meaningful breaks exist

package/Dockerfile.sandbox

@@ -0,0 +1,59 @@
+# Osborn Sandbox — Fly.io Machines (per-user)
+# Installs osborn as npm package (not from source) for lightweight per-user machines.
+# Build: docker build -f Dockerfile.sandbox -t registry.fly.io/osborn-sandbox/agent:latest .
+# Push:  fly auth docker && docker push registry.fly.io/osborn-sandbox/agent:latest
+
+FROM node:22-slim
+
+# Runtime deps for osborn + claude-code
+RUN apt-get update -qq && \
+    apt-get install --no-install-recommends -y \
+    ca-certificates \
+    curl \
+    git \
+    python-is-python3 && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install osborn + claude-code globally
+RUN npm install -g osborn@latest @anthropic-ai/claude-code
+
+# Persistent workspace + claude config dirs
+RUN mkdir -p /workspace /root/.claude
+
+ENV OSBORN_CWD=/workspace
+ENV OSBORN_API_PORT=8741
+ENV NODE_ENV=production
+
+WORKDIR /workspace
+
+EXPOSE 8741
+
+# Entrypoint: credential persistence + onboarding suppression + start
+COPY <<'ENTRYPOINT' /entrypoint.sh
+#!/bin/sh
+set -e
+
+# Claude credential persistence (volume at /workspace)
+mkdir -p /workspace/.claude
+rm -rf /root/.claude
+ln -sf /workspace/.claude /root/.claude
+
+# Suppress Claude Code interactive onboarding prompts
+ONBOARDING_JSON='{"numStartups":10,"installMethod":"npm","autoUpdates":false,"hasCompletedOnboarding":true,"hasTrustDialogAccepted":true,"hasTrustDialogHooksAccepted":true,"hasCompletedProjectOnboarding":true,"hasAcknowledgedCostThreshold":true,"effortCalloutV2Dismissed":true,"theme":"dark","projects":{"/workspace":{"hasTrustDialogAccepted":true,"hasTrustDialogHooksAccepted":true,"hasCompletedProjectOnboarding":true}}}'
+echo "$ONBOARDING_JSON" > /root/.claude.json
+mkdir -p /workspace/.claude
+echo "$ONBOARDING_JSON" > /workspace/.claude/.config.json
+echo "$ONBOARDING_JSON" > /workspace/.claude/claude.json
+
+# Restore OAuth token if persisted on volume
+if [ -f /workspace/.claude/.oauth-token ]; then
+  export CLAUDE_CODE_OAUTH_TOKEN="$(cat /workspace/.claude/.oauth-token)"
+  echo "[sandbox] Restored CLAUDE_CODE_OAUTH_TOKEN from volume"
+fi
+
+exec osborn
+ENTRYPOINT
+
+RUN chmod +x /entrypoint.sh
+
+CMD ["/entrypoint.sh"]

package/dist/claude-auth.js

@@ -74,6 +74,26 @@ function resolveClaudePath() {
 // Constants
 // ─────────────────────────────────────────
 const CREDENTIALS_PATH = join(homedir(), '.claude', '.credentials.json');
+/**
+ * Strip ALL ANSI escape sequences from a string — CSI (including private
+ * prefixes like `?`), OSC (both BEL and ST terminators), and lone ESC bytes.
+ *
+ * This is a superset of the common `/\x1B\[[0-9;]*[A-Za-z]/g` pattern, which
+ * misses private-prefix modes like `\x1B[?2026h` and string terminators like
+ * `\x1B\\`. Claude's Ink UI uses these extensively and they leak into error
+ * messages and URLs when we only strip the basic CSI form.
+ */
+function stripAnsi(text) {
+    return text
+        // Full CSI: ESC [ <intermediates 0x20–0x3F> <final 0x40–0x7E>
+        .replace(/\x1B\[[\x20-\x3F]*[\x40-\x7E]/g, '')
+        // OSC terminated by BEL (0x07) — ESC ] <content> BEL
+        .replace(/\x1B\][^\x07]*\x07/g, '')
+        // OSC terminated by ST (ESC \) — ESC ] <content> ESC \
+        .replace(/\x1B\][^\x1B]*\x1B\\/g, '')
+        // Any remaining lone ESC bytes (e.g. ESC \ string terminator used standalone)
+        .replace(/\x1B/g, '');
+}
 // URL matching: strip all whitespace first (like claudebox), then match
 // Handles Ink UI wrapping URLs across multiple lines
 const URL_REGEX = /https:\/\/claude\.(com|ai)\/cai\/oauth\/authorize[^\s]*/;
@@ -168,18 +188,20 @@ export async function checkClaudeAuthStatus() {
  * accepts.
  */
 function extractOAuthUrl(text) {
-    // Replace ANSI control sequences AND lone ESC bytes with a NUL sentinel.
-    // Why NUL and not a space: we need to strip all whitespace next (to
-    // unwrap URLs that Ink wrapped across terminal lines), and if we used
-    // a space it would be eaten by the whitespace strip — then text on
-    // either side of the control sequence would fuse into the URL. NUL
-    // survives the whitespace strip and acts as a hard boundary the
-    // tail-cut logic below can detect.
+    // Replace ALL ANSI control sequences with a NUL sentinel. NUL (not a
+    // space) because we strip all whitespace next to unwrap URLs that Ink
+    // split across terminal lines — a space would vanish and text on either
+    // side of a control sequence would fuse into the URL. NUL survives the
+    // strip and acts as a hard boundary the tail-cut below can detect.
+    //
+    // Uses the same patterns as stripAnsi() but replaces with SENTINEL
+    // instead of '' so boundaries are preserved.
     const SENTINEL = '\x00';
     const noAnsi = text
-        .replace(/\x1B\[[0-9;]*[A-Za-z]/g, SENTINEL)
-        .replace(/\x1B\][^\x07]*\x07/g, SENTINEL)
-        .replace(/\x1B/g, SENTINEL);
+        .replace(/\x1B\[[\x20-\x3F]*[\x40-\x7E]/g, SENTINEL) // Full CSI (incl. private-prefix ?/</>/=)
+        .replace(/\x1B\][^\x07]*\x07/g, SENTINEL) // OSC terminated by BEL
+        .replace(/\x1B\][^\x1B]*\x1B\\/g, SENTINEL) // OSC terminated by ST (ESC \)
+        .replace(/\x1B/g, SENTINEL); // Lone ESC bytes
     // Strip all whitespace (claudebox pattern: strings.Join(strings.Fields(pane), ""))
     // to unwrap URLs split across terminal lines. NUL sentinels survive.
     const stripped = noAnsi.replace(/\s+/g, '');
@@ -223,7 +245,23 @@ export function runClaudeAuthFlow(callbacks) {
     const handle = {
         submitCode: (code) => {
             if (procRef) {
-                const trimmed = code.trim();
+                let trimmed = code.trim();
+                // User may paste the full callback URL instead of just the code:
+                //   http://localhost:38719/callback?code=ZIgFd5nApQMR7...&state=TSLp6...
+                // Extract the bare `code` value so the CLI accepts it.
+                if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) {
+                    try {
+                        const u = new URL(trimmed);
+                        const extracted = u.searchParams.get('code');
+                        if (extracted) {
+                            console.log(`🔑 Extracted code from pasted callback URL (${extracted.length} chars)`);
+                            trimmed = extracted;
+                        }
+                    }
+                    catch {
+                        // Not a valid URL, use as-is
+                    }
+                }
                 console.log(`🔑 Submitting auth code to Claude CLI (${trimmed.length} chars)`);
                 // Ink reads raw keypresses. Write in chunks to simulate typing.
                 const CHUNK_SIZE = 10;
@@ -274,7 +312,7 @@ export function runClaudeAuthFlow(callbacks) {
             }
         }, AUTH_TIMEOUT_MS);
         proc.onData((data) => {
-            const clean = data.replace(/\x1B\[[0-9;]*[A-Za-z]/g, '')
+            const clean = stripAnsi(data)
                 .replace(/\x1B\][^\x07]*\x07/g, '');
             fullBuffer += clean;
             recentBuffer += clean;
@@ -332,7 +370,7 @@ export function runClaudeAuthFlow(callbacks) {
             }
             // Detect errors
             if (/OAuth error|Invalid code|expired/i.test(recentBuffer)) {
-                const errMsg = recentBuffer.replace(/\x1B\[[0-9;]*[A-Za-z]/g, '').trim().substring(0, 200);
+                const errMsg = stripAnsi(recentBuffer).trim().substring(0, 200);
                 console.log('⚠️ Claude auth error:', errMsg);
                 callbacks.onError(errMsg);
                 recentBuffer = '';