patchwork-os 0.2.0-alpha.34 → 0.2.0-alpha.36

package/README.md

@@ -1,6 +1,89 @@
 # Patchwork OS
 
-**Proactive AI automation that runs on your machine. Oversight built in. No vendor lock-in.**
+### Your personal AI runtime, local-first.
+
+> Patchwork OS is a local-first personal AI runtime: pluggable model providers, hot-reloadable tools, YAML recipes, a delegation policy with approval queue, and a durable trace memory — all running on your machine, all under your policy.
+
+You decide which model. You decide which actions need a human nod. You own the credentials, the logs, and the deployment. Nothing phones home.
+
+**Five primitives, one runtime:**
+
+- **Tools** — 170+ built-in (LSP, git, terminal, debugger, files) plus any plugin you write. Plugins hot-reload — Claude can author a tool mid-session and call it on the next turn. See [Live Toolsmithing](documents/live-toolsmithing.md).
+- **Recipes** — YAML automations triggered by cron, file save, git commit, test run, or webhook. Anything that can POST a JSON payload can fire a recipe.
+- **Delegation Policy** — three risk tiers, four-source precedence (managed → project-local → project → user). Auto-approve safe, require approval for risky, block dangerous.
+- **Trace memory** — every approval, every recipe run, every enrichment is durable JSONL. Past decisions are surfaced into future sessions automatically. Bundle and back up with [`patchwork traces export`](src/commands/tracesExport.ts).
+- **OAuth** — turn your runtime into a private personal API. PKCE S256, dynamic client registration, deployable on a VPS in minutes.
+
+> **Why not [an MCP server / Zapier / a hosted assistant / a local agent framework]?** See [the comparison page](documents/comparison.md) for the honest tradeoff against each.
+>
+> **What does this look like in one diagram?** See the [architecture overview](documents/architecture.md).
+
+---
+
+The same codebase ships **two ways to use it.** Pick the layer you need.
+
+| | What you get | Install | Best for |
+|---|---|---|---|
+| **🔌 Claude IDE Bridge** | MCP bridge connecting Claude Code to your IDE. 170+ tools — diagnostics, LSP, debugger, terminal, git, GitHub, file ops. | `npm i -g patchwork-os` then run `claude-ide-bridge` | Anyone who wants Claude Code to see and act on their editor state |
+| **🤖 Patchwork OS** | Everything in the bridge **plus** YAML recipes, approval queue, oversight dashboard, mobile push approvals, multi-model providers, JetBrains companion. | Same package, run `patchwork patchwork-init` | Power users running automation, agent workflows, or background tasks |
+
+Same codebase. Bridge is the foundation; Patchwork OS is the optional layer on top. **No vendor lock-in. Runs on your machine.**
+
+---
+
+## 🔌 Claude IDE Bridge — Quick Start
+
+```bash
+# 1. Install the npm package
+npm install -g patchwork-os
+
+# 2. Install the VS Code / Cursor / Windsurf extension
+#    Search "Claude IDE Bridge" on OpenVSX, or:
+claude-ide-bridge install-extension
+
+# 3. Start the bridge for your workspace
+claude-ide-bridge --workspace .
+
+# 4. Connect Claude Code (in another terminal)
+CLAUDE_CODE_IDE_SKIP_VALID_CHECK=true claude --ide
+```
+
+Type `/ide` in Claude Code to confirm the connection. That's it — Claude now sees your diagnostics, open files, and editor state, and can call 170+ tools to act on them.
+
+**What the bridge gives Claude:**
+
+- Diagnostics, LSP navigation (goto / references / call hierarchy), refactoring with risk analysis
+- Terminal — run commands, read output, wait for async work
+- Git — status, diff, commit, push, blame, checkout, branch list
+- GitHub — open PRs, list issues, post reviews, fetch run logs
+- Debugger — set breakpoints, evaluate expressions, inspect runtime state
+- Files — read, edit by line range, search and replace, capture screenshots
+- Code quality — `auditDependencies`, `detectUnusedCode`, `getCodeCoverage`, `getGitHotspots`
+
+The bridge runs without any flags. No recipes, no automation, no dashboard — just the IDE-Claude connection.
+
+**Compatible IDEs:** VS Code, Cursor, Windsurf, Google Antigravity. JetBrains IDEs via [companion plugin](#jetbrains-plugin).
+
+**Transport layers:**
+
+| Client | Protocol |
+|---|---|
+| Claude Code CLI | WebSocket `ws://127.0.0.1:<port>` |
+| Claude Desktop | stdio shim → WebSocket |
+| Remote (claude.ai, Codex CLI) | Streamable HTTP + Bearer token |
+
+**Tool modes:**
+
+| Mode | Tools | When to use |
+|---|---|---|
+| Full _(default)_ | ~170 | All git, GitHub, terminal, file ops, orchestration |
+| Slim (`--slim`) | ~60 | LSP + debugger + editor state only |
+
+Bridge-only docs: [documents/platform-docs.md](documents/platform-docs.md)
+
+---
+
+## 🤖 Patchwork OS — Quick Start
 
 ```bash
 npx patchwork-os@alpha patchwork-init
@@ -8,9 +91,27 @@ npx patchwork-os@alpha patchwork-init
 
 Sets up 5 local recipes, detects Ollama, and opens a terminal dashboard — under 90 seconds.
 
+### ☀️ Morning Brief — the hero workflow
+
+Get an AI digest of your Gmail, calendar, and tasks every morning — or on demand:
+
+```bash
+# First-time setup (connect Gmail + Google Calendar)
+patchwork-os patchwork-init
+patchwork-os connections connect gmail
+patchwork-os connections connect google-calendar
+
+# Run it now
+patchwork-os recipe run morning-brief
+```
+
+The brief lands in `~/.patchwork/inbox/` as a Markdown file. Open the dashboard (`http://localhost:3100`) to read it, approve any drafted replies, or let it auto-send at 08:00 via the built-in cron trigger.
+
+No connectors yet? Run with `--local` using Ollama — it summarises your clipboard and last-touched files instead.
+
 ---
 
-## What it is
+### What it adds on top of the bridge
 
 Patchwork OS is a local automation platform that watches your workspace for events, runs AI-powered recipes in response, and routes anything risky through an approval queue before it goes anywhere.
 
@@ -20,94 +121,109 @@ Think of it as a background agent that acts on your behalf — but asks before s
 - Customer email arrives → draft reply in your voice, pending your approval
 - Field-trip permission form flagged → reply drafted to the teacher, waiting for your nod
 
----
-
-## How it works
-
 **Recipes** are plain YAML files. They declare a trigger (cron, file save, git commit, test run, webhook) and an action (run a prompt, write to inbox, call a connector). No code required. Share them like dotfiles.
 
 **Models** are yours. Claude, GPT, Gemini, Grok, or local Ollama. Swap at any time. Nothing phones home.
 
 **Oversight** is non-negotiable. Every write or external action lands in `~/.patchwork/inbox/` for approval. The web UI at `http://localhost:3100` shows pending approvals, live sessions, recipe run history, and analytics.
 
----
-
-## Quickstart
+### Patchwork commands
 
 ```bash
-# Install globally
-npm install -g patchwork-os
-
 # One-command setup: extension + CLAUDE.md + starter recipes
-patchwork-os patchwork-init
+patchwork patchwork-init
 
 # Explore
-patchwork-os recipe list                      # installed recipes
-patchwork-os recipe run daily-status         # run one now
-patchwork-os recipe run morning-brief --local # run with local Ollama
-patchwork-os tools list                      # browse 170+ tools
-patchwork-os                                 # open terminal dashboard
+patchwork recipe list                      # installed recipes
+patchwork recipe run daily-status         # run one now
+patchwork recipe run morning-brief --local # run with local Ollama
+patchwork tools list                      # browse 170+ tools
+patchwork                                 # open terminal dashboard
+
+# Web UI — bridge + extension watcher in tmux
+patchwork start-all                       # then http://localhost:3100
 ```
 
-**Web UI** — start the bridge, then open `http://localhost:3100`
+### Starter recipes
 
-```bash
-patchwork-os start-all    # bridge + extension watcher in tmux
-```
+The package ships these in `templates/recipes/`. Recipes that need API keys are noted; the rest are zero-config.
 
----
+| Recipe | Trigger | What it does | Needs |
+|---|---|---|---|
+| `ambient-journal` | git commit | Appends one line to `~/.patchwork/journal/` | — |
+| `daily-status` | cron 08:00 | Morning brief from yesterday's commits | — |
+| `lint-on-save` | file save | Surfaces new TS/JS diagnostics to inbox | — |
+| `stale-branches` | cron weekly | Lists branches older than 30 days | — |
+| `watch-failing-tests` | test run | Drops triage note to inbox on failure | — |
+| `project-health-check` | manual | Snapshot of repo health + flagged risks | — |
+| `ctx-loop-test` | manual | Smoke test for context-platform end-to-end | — |
+| `morning-brief` | cron 08:00 | Gmail + Linear + Slack + Calendar digest | Gmail, Linear, Slack, Google Calendar |
+| `morning-brief-slack` | cron 08:00 | Same brief but only posts to Slack | Linear, Slack |
+| `gmail-health-check` | manual | Verify Gmail connector + token state | Gmail |
+| `inbox-triage` | manual | Triage Gmail unread → suggest archive/reply | Gmail |
+| `sentry-to-linear` | manual | Sentry issue → Linear ticket (one-shot) | Sentry, Linear |
 
-## Starter recipes
+**Connectors available** (all writes governed by your delegation policy): Slack, GitHub, Linear, Gmail, Google Calendar, Google Drive, Sentry, Notion, Confluence, Datadog, HubSpot, Intercom, Stripe, Zendesk, Jira, PagerDuty, Discord, Asana, GitLab.
 
-No external API keys needed for these:
+**Delegation policy presets** ([`templates/policies/`](templates/policies/)): five persona starters — conservative, developer, headless-CI, regulated-industry, personal-assistant. Copy one into `~/.patchwork/config.json` and restart.
 
-| Recipe | Trigger | What it does |
-|---|---|---|
-| `ambient-journal` | git commit | Appends one line to `~/.patchwork/journal/` |
-| `daily-status` | cron 08:00 | Morning brief from yesterday's commits |
-| `watch-failing-tests` | test run | Drops triage note to inbox on failure |
-| `lint-on-save` | file save | Surfaces new TS/JS diagnostics to inbox |
-| `stale-branches` | cron weekly | Lists branches older than 30 days |
-| `morning-brief` | cron 08:00 | Commits + Linear issues + Calendar events |
-| `sentry-to-linear` | manual | Sentry issue → Linear ticket (one-shot) |
+**Webhook recipe starters** ([`templates/recipes/webhook/`](templates/recipes/webhook/)): five webhook-triggered recipes — capture-thought, morning-brief (on-demand), meeting-prep, incident-intake, customer-escalation. Anything that can POST HTTP can drive these — iPhone Shortcut, Stream Deck, Home Assistant, NFC tag, monitoring tool.
 
-Connectors (Linear, Sentry, Slack, Google Calendar) require API keys and approval-gated writes.
+### Automation hooks
+
+Event-driven hooks trigger Claude tasks automatically. Activate with `--automation --automation-policy <path.json> --claude-driver subprocess`.
+
+Key hooks:
+
+| Hook | Fires when |
+|---|---|
+| `onFileSave` | Matching files saved |
+| `onDiagnosticsStateChange` | Errors appear or clear |
+| `onRecipeSave` | Any `.yaml`/`.yml` saved — runs preflight |
+| `onGitCommit` / `onGitPush` / `onGitPull` | Git tools succeed |
+| `onTestRun` | Test run completes (filter: any/failure/pass-after-fail) |
+| `onBranchCheckout` | After branch switch |
+| `onPullRequest` | After `githubCreatePR` succeeds |
+| `onCompaction` | Before/after Claude context compaction |
+| `onTaskCreated` / `onTaskSuccess` | Orchestrator task lifecycle |
+
+All hooks support inline prompts, named prompt references, and a minimum 5s cooldown. Full reference: [documents/platform-docs.md → Automation Hooks](documents/platform-docs.md)
 
 ---
 
 ## Architecture
 
 ```
-patchwork-os CLI
-├── Recipe runner          YAML triggers → LLM prompt → action
-├── Claude IDE Bridge      MCP server — 170+ tools over WebSocket/HTTP
-│   ├── VS Code extension  LSP, debugger, editor state, live diagnostics
-│   ├── Git / GitHub       gitCommit, gitPush, githubCreatePR, …
-│   ├── Terminal           runInTerminal, getTerminalOutput, …
-│   ├── Connectors         Linear, Sentry, Slack, Google Calendar
-│   └── Orchestrator       Claude subprocess tasks, automation hooks
-├── Oversight inbox        ~/.patchwork/inbox/ — approval queue
-└── Web dashboard          http://localhost:3100 — approvals, sessions, analytics
+patchwork-os (npm package)
+│
+├── claude-ide-bridge          ← run alone for bridge-only mode
+│   ├── MCP server             170+ tools over WebSocket / HTTP / stdio
+│   ├── VS Code extension      LSP, debugger, editor state, live diagnostics
+│   ├── Git / GitHub           gitCommit, gitPush, githubCreatePR, …
+│   ├── Terminal               runInTerminal, getTerminalOutput, …
+│   └── Code quality           auditDependencies, detectUnusedCode, getCodeCoverage
+│
+└── patchwork                  ← run for full Patchwork OS layer
+    ├── Recipe runner          YAML triggers → LLM prompt → action
+    ├── Connectors             Linear, Sentry, Slack, Google Calendar, +
+    ├── Orchestrator           Claude subprocess tasks, automation hooks
+    ├── Oversight inbox        ~/.patchwork/inbox/ — approval queue
+    └── Web dashboard          http://localhost:3100 — approvals, sessions, analytics
 ```
 
-**Transport layers:**
+The npm package ships **three CLI binaries** that share the same code:
 
-| Client | Protocol |
+| Binary | Default behavior |
 |---|---|
-| Claude Code CLI | WebSocket `ws://127.0.0.1:<port>` |
-| Claude Desktop | stdio shim → WebSocket |
-| Remote (claude.ai, Codex) | Streamable HTTP + Bearer token |
+| `claude-ide-bridge` | Bridge only — no automation, no recipe runner, no dashboard |
+| `patchwork` | Full Patchwork OS — automation + recipes + dashboard |
+| `patchwork-os` | Alias for `patchwork` |
 
-**Tool modes:**
-
-| Mode | Tools | When to use |
-|---|---|---|
-| Full _(default)_ | ~170 | All git, GitHub, terminal, file ops, orchestration |
-| Slim (`--slim`) | ~60 | LSP + debugger + editor state only |
+Use whichever fits your mental model.
 
 ---
 
-## Tool surface (v0.2.0-alpha.33)
+## Tool surface (v0.2.0-alpha.35)
 
 170+ MCP tools across 15 categories. Highlights:
 
@@ -126,52 +242,42 @@ Full reference: [documents/platform-docs.md](documents/platform-docs.md)
 
 ---
 
-## Automation hooks
-
-Event-driven hooks trigger Claude tasks automatically. Activate with `--automation --automation-policy <path.json> --claude-driver subprocess`.
-
-Key hooks:
-
-| Hook | Fires when |
-|---|---|
-| `onFileSave` | Matching files saved |
-| `onDiagnosticsStateChange` | Errors appear or clear |
-| `onRecipeSave` | Any `.yaml`/`.yml` saved — runs preflight |
-| `onGitCommit` | After successful commit |
-| `onTestRun` | After test run completes |
-| `onBranchCheckout` | After branch switch |
-| `onCompaction` | Before/after Claude context compaction |
-
-All hooks support inline prompts, named prompt references, and a minimum 5s cooldown.
-
-Full reference: [documents/platform-docs.md → Automation Hooks](documents/platform-docs.md)
-
----
-
 ## Plugin system
 
 Extend the tool surface without forking the bridge.
 
 ```bash
 # Scaffold a new plugin
-patchwork-os gen-plugin-stub ./my-plugin --name "org/name" --prefix "myPrefix"
+patchwork gen-plugin-stub ./my-plugin --name "org/name" --prefix "myPrefix"
 
 # Load at runtime
-patchwork-os --plugin ./my-plugin
+claude-ide-bridge --plugin ./my-plugin
 ```
 
-Plugins register MCP tools in-process. Publish to npm with keyword `claude-ide-bridge-plugin`.
+Plugins register MCP tools in-process. With `--plugin-watch`, the bridge reloads them on save — Claude can write a tool *during* a session and use it on the next turn. See [documents/live-toolsmithing.md](documents/live-toolsmithing.md) for the worked walkthrough and [examples/plugins/sqlite-library/](examples/plugins/sqlite-library/) for a runnable example.
+
+Publish to npm with keyword `claude-ide-bridge-plugin` for distribution.
 
 Full reference: [documents/plugin-authoring.md](documents/plugin-authoring.md)
 
 ---
 
+## JetBrains plugin
+
+Companion IntelliJ plugin (v1.0.0) on the JetBrains Marketplace. Covers 49 handlers: core tools, PSI-based LSP (goto, references, hover, rename, symbols, format), XDebugger integration, and code style tools.
+
+Use the same bridge from VS Code and JetBrains IDEs simultaneously — IntelliJ IDEA, PyCharm, GoLand, WebStorm, and other IntelliJ-platform editors.
+
+Source: [intellij-plugin/](intellij-plugin/)
+
+---
+
 ## Remote deployment
 
-Patchwork runs headless on a VPS with full tool support via VS Code Remote-SSH.
+Run headless on a VPS with full tool support via VS Code Remote-SSH.
 
 ```bash
-patchwork-os --bind 0.0.0.0 \
+claude-ide-bridge --bind 0.0.0.0 \
   --issuer-url https://your-domain.com \
   --fixed-token <uuid> \
   --vps
@@ -185,20 +291,18 @@ Systemd service and deploy scripts in [`deploy/`](deploy/). Full guide: [docs/re
 
 | Feature | Status |
 |---|---|
+| 170+ MCP tools (LSP, git, tests, debugger, diagnostics) | **shipped** |
+| VS Code / Cursor / Windsurf / Antigravity extension | **shipped** |
+| JetBrains plugin (49 handlers) | **shipped** |
 | `patchwork-init` — one-command setup | **shipped** |
 | Terminal dashboard | **shipped** |
 | Web oversight UI (approvals, sessions, recipes) | **shipped** |
 | Recipe runner (YAML, cron, manual, webhook) | **shipped** |
 | Multi-provider LLM (Claude, Gemini, OpenAI, Grok, Ollama) | **shipped** |
-| 170+ MCP tools (LSP, git, tests, debugger, diagnostics) | **shipped** |
-| Linear connector (read + approval-gated write) | **shipped** |
-| Sentry connector | **shipped** |
-| Google Calendar connector (read-only) | **shipped** |
-| Slack connector | **shipped** |
+| Connectors: Linear, Sentry, Slack, Google Calendar, Intercom, HubSpot, Datadog, Stripe | **shipped** |
 | Cross-session memory (traces, handoff notes) | **shipped** |
-| JetBrains plugin | **shipped** (marketplace review) |
-| Mobile oversight PWA | in progress |
-| Community recipe marketplace | Q3 |
+| Mobile oversight PWA (push approvals) | **shipped (alpha)** |
+| Community recipe marketplace | Q3 2026 |
 
 ---
 
@@ -213,7 +317,7 @@ npm install && npm run build
 # Symlink installs break the macOS LaunchAgent (EPERM at startup)
 npm pack
 npm install -g patchwork-os-*.tgz
-patchwork-os patchwork-init
+patchwork patchwork-init
 ```
 
 ---
@@ -228,6 +332,11 @@ patchwork-os patchwork-init
 | [documents/roadmap.md](documents/roadmap.md) | Development direction |
 | [documents/data-reference.md](documents/data-reference.md) | Data flows, state management, protocol details |
 | [documents/plugin-authoring.md](documents/plugin-authoring.md) | Plugin manifest schema, entrypoint API, distribution |
+| [documents/live-toolsmithing.md](documents/live-toolsmithing.md) | Write tools while the AI is using them — hot-reload narrative + worked example |
+| [documents/triggers.md](documents/triggers.md) | Anything Can Trigger Your AI — iPhone Shortcuts, Stream Deck, Home Assistant, curl, GitHub Actions |
+| [documents/speculative-refactoring.md](documents/speculative-refactoring.md) | Stage multi-file edits, review the diff, commit or discard — honest about commit-phase semantics |
+| [documents/architecture.md](documents/architecture.md) | One-page architecture diagram + how to read it |
+| [documents/comparison.md](documents/comparison.md) | Patchwork vs MCP server / Zapier / hosted assistants / agent frameworks — honest tradeoffs |
 | [docs/adr/](docs/adr/) | Architecture Decision Records |
 | [docs/remote-access.md](docs/remote-access.md) | VPS deployment guide |
 

package/deploy/bootstrap-new-vps.sh

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 # deploy/bootstrap-new-vps.sh
-# Full fresh-server setup for claude-ide-bridge on a NEW VPS.
+# Full fresh-server setup for patchwork-os on a NEW VPS.
 # Handles everything from Node.js install to running HTTPS service.
 #
 # Usage (run as root on a fresh Ubuntu 22.04/24.04 VPS):
-#   curl -fsSL https://raw.githubusercontent.com/Oolab-labs/claude-ide-bridge/main/deploy/bootstrap-new-vps.sh | \
+#   curl -fsSL https://raw.githubusercontent.com/Oolab-labs/patchwork-os/main/deploy/bootstrap-new-vps.sh | \
 #     DOMAIN=bridge.example.com bash
 #
 #   Or after cloning:
@@ -14,9 +14,9 @@
 #   DOMAIN        Subdomain for the bridge  (e.g. bridge.example.com)
 #
 # Optional environment variables:
-#   REPO_URL      Git repo URL              (default: https://github.com/Oolab-labs/claude-ide-bridge)
-#   INSTALL_DIR   Where to clone the repo   (default: /opt/claude-ide-bridge)
-#   SERVICE_USER  System user to run bridge (default: claude-bridge)
+#   REPO_URL      Git repo URL              (default: https://github.com/Oolab-labs/patchwork-os)
+#   INSTALL_DIR   Where to clone the repo   (default: /opt/patchwork-os)
+#   SERVICE_USER  System user to run bridge (default: patchwork)
 #   PORT          Bridge port               (default: 9000)
 #   BRANCH        Git branch to clone       (default: main)
 #   SKIP_CERTBOT  Set to 1 to skip TLS cert (useful if DNS not yet set)
@@ -25,13 +25,13 @@ set -euo pipefail
 
 # ── Config ────────────────────────────────────────────────────────────────────
 DOMAIN="${DOMAIN:-}"
-REPO_URL="${REPO_URL:-https://github.com/Oolab-labs/claude-ide-bridge}"
-INSTALL_DIR="${INSTALL_DIR:-/opt/claude-ide-bridge}"
-SERVICE_USER="${SERVICE_USER:-claude-bridge}"
+REPO_URL="${REPO_URL:-https://github.com/Oolab-labs/patchwork-os}"
+INSTALL_DIR="${INSTALL_DIR:-/opt/patchwork-os}"
+SERVICE_USER="${SERVICE_USER:-patchwork}"
 PORT="${PORT:-9000}"
 BRANCH="${BRANCH:-main}"
 SKIP_CERTBOT="${SKIP_CERTBOT:-0}"
-SERVICE_NAME="claude-ide-bridge"
+SERVICE_NAME="patchwork-os"
 
 RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
 info()    { echo -e "${GREEN}✓${NC} $*"; }
@@ -163,8 +163,8 @@ section "Systemd service"
 # Generate service file from template (parameterised for this install)
 cat > "/etc/systemd/system/${SERVICE_NAME}.service" <<SERVICE
 [Unit]
-Description=Claude IDE Bridge MCP Server
-Documentation=https://github.com/Oolab-labs/claude-ide-bridge
+Description=Patchwork OS bridge
+Documentation=https://github.com/Oolab-labs/patchwork-os
 After=network.target
 StartLimitIntervalSec=120
 StartLimitBurst=5
@@ -193,7 +193,7 @@ RestartSec=5
 
 StandardOutput=journal
 StandardError=journal
-SyslogIdentifier=claude-ide-bridge
+SyslogIdentifier=patchwork-os
 
 NoNewPrivileges=true
 PrivateTmp=true

package/deploy/bootstrap-vps.sh

@@ -40,9 +40,12 @@ mkdir -p "${BRIDGE_HOME}"
 chown "${BRIDGE_USER}:${BRIDGE_USER}" "${BRIDGE_HOME}"
 
 # ── 4. Install bridge globally ────────────────────────────────────────────────
-info "Installing claude-ide-bridge from npm..."
-npm install -g claude-ide-bridge 2>&1 | tail -5
-BRIDGE_BIN="$(which claude-ide-bridge)"
+info "Installing patchwork-os from npm..."
+npm install -g patchwork-os@alpha 2>&1 | tail -5
+# `patchwork-os` ships three bin aliases: `patchwork` (preferred),
+# `patchwork-os`, and the legacy `claude-ide-bridge`. Use the canonical
+# `patchwork` name for the systemd unit + nginx config below.
+BRIDGE_BIN="$(which patchwork)"
 info "Bridge binary: ${BRIDGE_BIN}"
 
 # ── 5. Generate fixed token ───────────────────────────────────────────────────

package/deploy/deploy-landing.sh

@@ -9,9 +9,16 @@ NGINX_CONF="/etc/nginx/sites-available/patchworkos"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 
-echo "==> Copying landing page to VPS..."
+echo "==> Copying landing page + assets to VPS..."
 ssh "$VPS" "mkdir -p $LANDING_DIR"
-scp "$REPO_ROOT/landing/index.html" "$VPS:$LANDING_DIR/index.html"
+# index.html plus the favicon + manifest browsers probe at apex. Without
+# these the browser console fills with /favicon.svg and /manifest.json
+# 401s on every page load (nginx falls through to the dashboard middleware
+# for paths that don't have an explicit `location`).
+scp "$REPO_ROOT/landing/index.html"   "$VPS:$LANDING_DIR/index.html"
+scp "$REPO_ROOT/landing/favicon.ico"  "$VPS:$LANDING_DIR/favicon.ico"
+scp "$REPO_ROOT/landing/favicon.svg"  "$VPS:$LANDING_DIR/favicon.svg"
+scp "$REPO_ROOT/landing/manifest.json" "$VPS:$LANDING_DIR/manifest.json"
 
 echo "==> Updating nginx to serve landing page at root..."
 ssh "$VPS" bash <<'REMOTE'
@@ -70,6 +77,56 @@ else
   echo "nginx: landing location already present, skipping"
 fi
 
+# Independent idempotency block for the apex asset locations — these were
+# added after the original landing block, so existing installs miss them.
+if ! grep -q "location = /favicon.ico" "$NGINX_CONF"; then
+  python3 - "$NGINX_CONF" <<'PYEOF'
+import sys
+
+path = sys.argv[1]
+with open(path) as f:
+    content = f.read()
+
+asset_blocks = """
+    # Apex assets — favicon + PWA manifest browsers probe at root
+    location = /favicon.ico {
+        root /var/www/patchwork-landing;
+        try_files /favicon.ico =404;
+        access_log off;
+    }
+    location = /favicon.svg {
+        root /var/www/patchwork-landing;
+        try_files /favicon.svg =404;
+        access_log off;
+    }
+    location = /manifest.json {
+        root /var/www/patchwork-landing;
+        try_files /manifest.json =404;
+        access_log off;
+    }
+"""
+
+# Insert immediately after the existing `location = /` block
+marker = '    location = / {'
+idx = content.find(marker)
+if idx == -1:
+    print("WARN: could not find `location = /` to anchor; appending to end", flush=True)
+    idx = content.rfind('\n}')
+    new_content = content[:idx] + asset_blocks + content[idx:]
+else:
+    # find end of the location = / block
+    end = content.find('    }', idx)
+    end = content.find('\n', end) + 1 if end != -1 else idx
+    new_content = content[:end] + asset_blocks + content[end:]
+
+with open(path, 'w') as f:
+    f.write(new_content)
+print("nginx: apex asset location blocks inserted")
+PYEOF
+else
+  echo "nginx: apex asset locations already present, skipping"
+fi
+
 nginx -t && systemctl reload nginx
 echo "nginx reloaded"
 REMOTE

package/dist/activityLog.d.ts

@@ -58,6 +58,55 @@ export declare class ActivityLog {
      * need historical correlation should cross-reference by time bounds.
      */
     querySessionTools(sessionId: string, limit?: number): ActivityEntry[];
+    /**
+     * Cross-session query for approval-decision lifecycle rows. Used by the
+     * passive risk personalization signals (`src/approvalSignals.ts`) to
+     * answer questions like "how many times has the user approved this tool
+     * before?" without paying the cost of `queryTimeline`'s combined-sort.
+     *
+     * Filters honored:
+     *   - `toolName` — match `metadata.toolName` exactly
+     *   - `decision` — match `metadata.decision` ("allow" | "deny")
+     *   - `last`     — return at most this many most-recent matches (cap 1000)
+     *
+     * Returns rows ordered oldest → newest (the natural append order of the
+     * lifecycle log) so callers can compute counts or "last decision" cheaply.
+     */
+    queryApprovalDecisions(opts?: {
+        toolName?: string;
+        decision?: string;
+        last?: number;
+    }): LifecycleEntry[];
+    /**
+     * Return the most recent tool entry matching `toolName` exactly, or
+     * `null` if none. Used by personalization heuristic 5 ("last called T
+     * days ago") to compute the gap between now and the most recent prior
+     * call without scanning the whole buffer downstream.
+     *
+     * Walks the entries ring backwards (newest first) so the common case —
+     * a tool called recently — returns after one comparison.
+     */
+    queryLastToolCall(toolName: string): ActivityEntry | null;
+    /**
+     * Cross-session query for tool entries by namespace prefix (e.g. "gmail"
+     * matches "gmail.fetch_unread", "gmail.send"). Used by personalization
+     * heuristic 3 ("first use of this connector") to detect whether the
+     * connector has been used before. Cap at 1000 most-recent matches.
+     */
+    queryByNamespace(namespace: string, last?: number): ActivityEntry[];
+    /**
+     * Return all activity entries within a time window. Used by the
+     * automation-suggestions module (`src/automationSuggestions.ts`) to feed
+     * `computeCoOccurrence` and similar pattern-mining over a fresh slice of
+     * the activity ring without pulling the whole buffer.
+     *
+     * `sinceMs` is an absolute epoch ms — entries with `timestamp >= sinceMs`
+     * are returned. Set to `0` for "all".
+     */
+    queryAll(opts?: {
+        sinceMs?: number;
+        last?: number;
+    }): ActivityEntry[];
     queryTimeline(opts?: {
         last?: number;
     }): TimelineEntry[];