shipwright-cli 3.2.0 → 3.3.0

package/.claude/agents/code-reviewer.md

@@ -2,6 +2,8 @@
 
 You are a code review specialist for the Shipwright project. Your job is to review shell scripts, GitHub Actions workflows, and configuration files for correctness, security, and adherence to project conventions.
 
+**Model Guidance**: Use Opus 4.6 for thorough architectural reviews. Set `maxTurns: 2` to prevent context bloat during iterative reviews. Use `worktree: true` for parallel code review runs.
+
 ## Review Checklist
 
 ### Bash 3.2 Compatibility (Blockers)

package/.claude/agents/devops-engineer.md

@@ -2,6 +2,8 @@
 
 You are a DevOps and CI/CD specialist for the Shipwright project. You work on GitHub Actions workflows, deployment pipelines, infrastructure automation, and operational tooling.
 
+**Model Guidance**: Use Opus 4.6 for complex infrastructure changes. Use `worktree: true` to isolate concurrent infrastructure updates. Set `maxTurns: 2` for exploratory work.
+
 ## GitHub Actions Workflows
 
 Workflows live in `.github/workflows/` with the `shipwright-*.yml` naming prefix:

package/.claude/agents/doc-fleet-agent.md

@@ -2,6 +2,8 @@
 
 You are a specialized agent in the Shipwright documentation fleet. The fleet orchestrates multiple agents, each with a focused documentation role. Your specific role is assigned at spawn time.
 
+**Model Guidance**: Use Sonnet 4.6 for documentation work. Use `background: true` for parallel doc fleet agents (audit, refactor, enhance). Set `maxTurns: 2` per role to focus on specialized tasks.
+
 ## Fleet Roles
 
 ### 1. Doc Architect (leader)

package/.claude/agents/pipeline-agent.md

@@ -2,6 +2,8 @@
 
 You are an autonomous agent running inside the Shipwright delivery pipeline's build stage. You were spawned by `shipwright loop`, which was called by `shipwright pipeline` during the build stage.
 
+**Model Guidance**: Use Opus 4.6 for complex builds, Sonnet 4.6 for standard features, and Haiku for simple bug fixes. For background tasks (long-running test suites), set `background: true` and allow pre-approved tool permissions.
+
 ## Your Context
 
 Your goal comes from the **enriched goal** assembled by the pipeline, which includes:

package/.claude/agents/shell-script-specialist.md

@@ -2,6 +2,8 @@
 
 You are a shell script development specialist for the Shipwright project — an autonomous delivery platform built entirely in Bash (37+ scripts, 25,000+ lines).
 
+**Model Guidance**: Use Sonnet 4.6 for script development. For long-running test harnesses, use `background: true` with pre-approved permissions.
+
 ## Bash 3.2 Compatibility (CRITICAL)
 
 Shipwright must run on macOS default Bash 3.2. The following are **forbidden**:

package/.claude/agents/test-specialist.md

@@ -2,6 +2,8 @@
 
 You are a test development specialist for the Shipwright project. The project has 90+ test suites (see `package.json` scripts.test and the AUTO:test-suites table in `.claude/CLAUDE.md`), all written in Bash following a consistent harness pattern.
 
+**Model Guidance**: Use Sonnet 4.6 for test development. Use `background: true` and `maxTurns: 3` for long test runs to prevent context bloat.
+
 ## Test Harness Conventions
 
 ### File Structure

package/.claude/hooks/agent-crash-capture.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# Hook: Capture diagnostics when a Skipper agent crashes
+# Trigger: Post-tool-use on Bash failures that look like agent crashes
+
+set -euo pipefail
+
+# Read stdin for tool result context
+INPUT="$(cat)"
+
+# Check if this looks like an agent crash
+if echo "$INPUT" | grep -qi "panic\|segfault\|killed\|oom\|fatal\|crash"; then
+    TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
+    CRASH_DIR="${HOME}/.shipwright/crash-reports"
+    mkdir -p "$CRASH_DIR"
+
+    REPORT_FILE="${CRASH_DIR}/crash_${TIMESTAMP}.json"
+
+    # Capture diagnostics
+    cat > "$REPORT_FILE" << EOF
+{
+    "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+    "working_directory": "$(pwd)",
+    "git_branch": "$(git branch --show-current 2>/dev/null || echo 'unknown')",
+    "git_commit": "$(git rev-parse HEAD 2>/dev/null || echo 'unknown')",
+    "error_context": $(echo "$INPUT" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()[:2000]))" 2>/dev/null || echo '"capture_failed"'),
+    "pipeline_state": "$(cat .claude/pipeline-state.md 2>/dev/null | head -20 | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))" 2>/dev/null || echo '"none"')",
+    "recent_commits": "$(git log --oneline -5 2>/dev/null | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))" 2>/dev/null || echo '"none"')"
+}
+EOF
+
+    echo "Crash report saved to $REPORT_FILE" >&2
+fi

package/.claude/hooks/post-tool-use.sh

@@ -19,8 +19,9 @@ if [[ "$tool_name" == "Bash" ]] && [[ "${exit_code:-0}" != "0" ]]; then
     # Classify error type
     error_type="unknown"
     case "$error_snippet" in
-        *"test"*|*"FAIL"*|*"assert"*|*"expect"*)        error_type="test" ;;
-        *"syntax"*|*"unexpected"*|*"parse error"*)       error_type="syntax" ;;
+        *"syntax"*|*"parse error"*)                       error_type="syntax" ;;
+        *"unexpected token"*|*"unexpected end"*)          error_type="syntax" ;;
+        *"test"*|*"FAIL"*|*"assert"*|*"expect"*)         error_type="test" ;;
         *"not found"*|*"No such"*|*"ENOENT"*)            error_type="missing" ;;
         *"permission"*|*"denied"*|*"EACCES"*)            error_type="permission" ;;
         *"timeout"*|*"timed out"*|*"ETIMEDOUT"*)         error_type="timeout" ;;

package/.claude/hooks/pre-tool-use.sh

@@ -1,14 +1,46 @@
 #!/usr/bin/env bash
-# Hook: PreToolUse — Context injection for .sh file editing
+# Hook: PreToolUse — Security checks and context injection
 # Triggered before Write/Edit tools
 
 # Read tool input from stdin (JSON)
 input=$(cat)
 
-# Extract file path from tool input
+# Extract tool name and file path
+tool_name=$(echo "$input" | jq -r '.tool_name // empty' 2>/dev/null)
 file_path=$(echo "$input" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+new_string=$(echo "$input" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+tool_input=$(echo "$input" | jq -r '.tool_input // empty' 2>/dev/null)
 
-# Only trigger for shell script files
+# Security check: Block git push --no-verify (bypasses pre-commit hooks)
+if echo "$tool_input" | grep -qE 'git\s+push.*--no-verify'; then
+    echo '{"message":"Blocked: git push --no-verify bypasses safety checks. Remove --no-verify flag."}'
+    exit 2
+fi
+
+# Security check: Detect secrets being written to non-secret files
+if [[ "$tool_name" == "Edit" || "$tool_name" == "Write" ]]; then
+    # Sensitive files that should not be added to version control
+    if [[ ! "$file_path" =~ (\.env|\.secret|secret|credential|key|token|private) ]]; then
+        # Check for common secret patterns
+        secret_patterns="sk-ant-|ANTHROPIC_API_KEY|GITHUB_TOKEN|OPENAI_API_KEY|AWS_SECRET|DATABASE_URL|PRIVATE_KEY|api_key|BEGIN RSA PRIVATE KEY|BEGIN PRIVATE KEY"
+
+        if echo "$new_string" | grep -qE "$secret_patterns"; then
+            cat << "SECURITY_WARNING"
+⚠️  SECURITY WARNING: Secret pattern detected in non-secret file
+
+The content being written to this file contains a potential secret.
+File: $file_path
+
+Sensitive data should NEVER be committed to version control.
+
+If this is intentional (e.g., example code), please review carefully.
+SECURITY_WARNING
+            exit 2
+        fi
+    fi
+fi
+
+# Shell script context injection
 if [[ "$file_path" == *.sh ]]; then
     cat << 'REMINDER'
 SHIPWRIGHT SHELL RULES:

package/README.md

@@ -13,9 +13,9 @@
   <a href="https://github.com/sethdford/shipwright/actions/workflows/test.yml"><img src="https://github.com/sethdford/shipwright/actions/workflows/test.yml/badge.svg" alt="Tests"></a>
   <a href="https://github.com/sethdford/shipwright/actions/workflows/shipwright-pipeline.yml"><img src="https://github.com/sethdford/shipwright/actions/workflows/shipwright-pipeline.yml/badge.svg" alt="Pipeline"></a>
   <img src="https://img.shields.io/badge/tests-141_suites_passing-4ade80?style=flat-square" alt="141 suites">
-  <img src="https://img.shields.io/badge/version-3.2.0-00d4ff?style=flat-square" alt="v3.2.0">
+  <img src="https://img.shields.io/badge/version-3.3.0-00d4ff?style=flat-square" alt="v3.3.0">
   <img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="MIT License">
-  <img src="https://img.shields.io/badge/bash-3.2%2B-7c3aed?style=flat-square" alt="Bash 3.2+">
+  <img src="https://img.shields.io/badge/bash-3.2%2B-555a66?style=flat-square" alt="Bash 3.2+">
 </p>
 
 ---
@@ -24,7 +24,7 @@
 
 - [Shipwright Builds Itself](#shipwright-builds-itself)
 - [Code Factory Pattern](#code-factory-pattern)
-- [What's New in v3.2.0](#whats-new-in-v320)
+- [What's New in v3.3.0](#whats-new-in-v330)
 - [How It Works](#how-it-works)
 - [Install](#install)
 - [Quick Start](#quick-start)
@@ -109,7 +109,7 @@ shipwright incident gap sla
 
 ---
 
-## What's New in v3.2.0
+## What's New in v3.3.0
 
 **Code Factory pattern** — deterministic, risk-aware agent delivery with machine-verifiable evidence:
 

package/claude-code/hooks/config-change.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Hook: ConfigChange — notify daemon of config updates
+set -euo pipefail
+
+input=$(cat)
+
+# Log config change event
+mkdir -p "$HOME/.shipwright" 2>/dev/null || true
+echo "{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"config.changed\",\"detail\":$(echo "$input" | jq -c '.' 2>/dev/null || echo '{}')}" >> "$HOME/.shipwright/events.jsonl" 2>/dev/null || true
+
+# Signal running daemon to reload config (if PID file exists)
+pid_file="$HOME/.shipwright/daemon.pid"
+if [[ -f "$pid_file" ]]; then
+    daemon_pid=$(cat "$pid_file" 2>/dev/null || true)
+    if [[ -n "$daemon_pid" ]] && kill -0 "$daemon_pid" 2>/dev/null; then
+        kill -USR1 "$daemon_pid" 2>/dev/null || true
+    fi
+fi

package/claude-code/hooks/instructions-reloaded.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# Hook: InstructionsLoaded (matcher: "compact")
+# After auto-compaction, log reload event for observability
+set -euo pipefail
+
+mkdir -p "$HOME/.shipwright" 2>/dev/null || true
+echo "{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"instructions.reloaded\",\"trigger\":\"compaction\"}" >> "$HOME/.shipwright/events.jsonl" 2>/dev/null || true

package/claude-code/hooks/worktree-create.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Hook: WorktreeCreate — auto-setup worktree for pipeline agents
+# Copies essential config into new worktrees so agents inherit settings
+set -euo pipefail
+
+# Read hook input from stdin (JSON with worktree details)
+input=$(cat)
+worktree_path=$(echo "$input" | jq -r '.worktree_path // empty' 2>/dev/null || true)
+
+[[ -z "$worktree_path" ]] && exit 0
+
+# Copy daemon config if it exists
+src_root=$(git rev-parse --show-toplevel 2>/dev/null || true)
+if [[ -n "$src_root" ]]; then
+    src_config="$src_root/.claude/daemon-config.json"
+    if [[ -f "$src_config" ]]; then
+        mkdir -p "$worktree_path/.claude" 2>/dev/null || true
+        cp "$src_config" "$worktree_path/.claude/daemon-config.json" 2>/dev/null || true
+    fi
+
+    # Copy pipeline artifacts directory structure
+    if [[ -d "$src_root/.claude/pipeline-artifacts" ]]; then
+        mkdir -p "$worktree_path/.claude/pipeline-artifacts" 2>/dev/null || true
+    fi
+fi

package/claude-code/hooks/worktree-remove.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Hook: WorktreeRemove — clean up state for removed worktree agents
+set -euo pipefail
+
+input=$(cat)
+worktree_path=$(echo "$input" | jq -r '.worktree_path // empty' 2>/dev/null || true)
+
+[[ -z "$worktree_path" ]] && exit 0
+
+# Clean up heartbeat files associated with this worktree
+heartbeat_dir="$HOME/.shipwright/heartbeats"
+if [[ -d "$heartbeat_dir" ]]; then
+    for hb in "$heartbeat_dir"/*.json; do
+        [[ -f "$hb" ]] || continue
+        hb_path=$(jq -r '.worktree // empty' "$hb" 2>/dev/null || true)
+        if [[ "$hb_path" == "$worktree_path" ]]; then
+            rm -f "$hb"
+        fi
+    done
+fi

package/config/code-constitution.json

@@ -0,0 +1,130 @@
+{
+  "version": "1.0",
+  "description": "Constitutional principles for autonomous code self-critique",
+  "principles": {
+    "security": [
+      {
+        "id": "SEC-001",
+        "rule": "No hardcoded secrets, API keys, or passwords",
+        "severity": "critical",
+        "check": "grep -nE '(password|api_key|secret_key|api_secret|auth_token)\\s*=\\s*[\"'\"'\"']' {file}"
+      },
+      {
+        "id": "SEC-002",
+        "rule": "All user inputs must be validated before use",
+        "severity": "critical"
+      },
+      {
+        "id": "SEC-003",
+        "rule": "No eval() or exec() with dynamic content",
+        "severity": "critical",
+        "check": "grep -nE '\\beval\\b.*\\$|\\bexec\\b.*\\$' {file}"
+      },
+      {
+        "id": "SEC-004",
+        "rule": "No SQL string concatenation — use parameterized queries",
+        "severity": "high"
+      },
+      {
+        "id": "SEC-005",
+        "rule": "No shell injection via unquoted variables in commands",
+        "severity": "critical",
+        "check": "grep -nE '\\$\\{?[A-Za-z_]+\\}?[^\"'\"'\"']' {file}"
+      }
+    ],
+    "error_handling": [
+      {
+        "id": "ERR-001",
+        "rule": "No empty catch blocks — all errors must be handled or re-thrown",
+        "severity": "high",
+        "check": "grep -nE 'catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}' {file}"
+      },
+      {
+        "id": "ERR-002",
+        "rule": "Error messages must be descriptive — no generic 'Error occurred'",
+        "severity": "medium",
+        "check": "grep -niE '(error occurred|something went wrong|an error happened)' {file}"
+      },
+      {
+        "id": "ERR-003",
+        "rule": "Return values from commands must be checked",
+        "severity": "high"
+      },
+      {
+        "id": "ERR-004",
+        "rule": "No silent failures — failed operations must log or propagate errors",
+        "severity": "medium"
+      }
+    ],
+    "quality": [
+      {
+        "id": "QUA-001",
+        "rule": "Functions should be under 100 lines",
+        "severity": "medium"
+      },
+      {
+        "id": "QUA-002",
+        "rule": "No TODO/FIXME/HACK comments in production code",
+        "severity": "low",
+        "check": "grep -nE '(TODO|FIXME|HACK|XXX)' {file}"
+      },
+      {
+        "id": "QUA-003",
+        "rule": "No magic numbers — use named constants",
+        "severity": "low"
+      },
+      {
+        "id": "QUA-004",
+        "rule": "No duplicate code blocks over 10 lines",
+        "severity": "medium"
+      },
+      {
+        "id": "QUA-005",
+        "rule": "No console.log or print statements left in production code",
+        "severity": "low",
+        "check": "grep -nE '\\bconsole\\.log\\b|\\bprint\\(' {file}"
+      }
+    ],
+    "testing": [
+      {
+        "id": "TST-001",
+        "rule": "New functions must have corresponding tests",
+        "severity": "high"
+      },
+      {
+        "id": "TST-002",
+        "rule": "Tests must cover error and edge cases, not just happy path",
+        "severity": "medium"
+      },
+      {
+        "id": "TST-003",
+        "rule": "No test-only code in production files",
+        "severity": "medium",
+        "check": "grep -nE '(if.*TEST|ifdef.*TEST|IS_TEST)' {file}"
+      },
+      {
+        "id": "TST-004",
+        "rule": "Test assertions must be specific — no assertTrue(result) without message",
+        "severity": "low"
+      }
+    ],
+    "performance": [
+      {
+        "id": "PRF-001",
+        "rule": "All database queries must have .limit() or LIMIT clause",
+        "severity": "high"
+      },
+      {
+        "id": "PRF-002",
+        "rule": "No unbounded loops over external data",
+        "severity": "medium"
+      },
+      {
+        "id": "PRF-003",
+        "rule": "Avoid synchronous file I/O in hot paths",
+        "severity": "medium",
+        "check": "grep -nE 'readFileSync|writeFileSync' {file}"
+      }
+    ]
+  }
+}

package/dashboard/middleware/auth.ts

@@ -0,0 +1,134 @@
+import { join, extname } from "path";
+import { readFileSync, existsSync, writeFileSync, mkdirSync, renameSync } from "fs";
+import type { Session, AuthMode } from "../types/index.js";
+import { SESSION_TTL_MS } from "./constants.js";
+
+// Auth Config
+const GITHUB_CLIENT_ID = process.env.GITHUB_CLIENT_ID || "";
+const GITHUB_CLIENT_SECRET = process.env.GITHUB_CLIENT_SECRET || "";
+const GITHUB_PAT = process.env.GITHUB_PAT || "";
+const DASHBOARD_REPO = process.env.DASHBOARD_REPO || "";
+const SESSION_SECRET = process.env.SESSION_SECRET || crypto.randomUUID();
+
+const HOME = process.env.HOME || "";
+const SESSIONS_FILE = join(HOME, ".shipwright", "sessions.json");
+
+export const sessions = new Map<string, Session>();
+
+export function createSession(data: Omit<Session, "expiresAt">): string {
+  const sessionId = crypto.randomUUID();
+  sessions.set(sessionId, {
+    ...data,
+    expiresAt: Date.now() + SESSION_TTL_MS,
+  });
+  saveSessions();
+  return sessionId;
+}
+
+export function getSession(req: Request): Session | null {
+  const cookie = req.headers.get("cookie");
+  if (!cookie) return null;
+
+  const match = cookie.match(/fleet_session=([^;]+)/);
+  if (!match) return null;
+
+  const sessionId = match[1];
+  const session = sessions.get(sessionId);
+  if (!session) return null;
+
+  if (Date.now() > session.expiresAt) {
+    sessions.delete(sessionId);
+    saveSessions();
+    return null;
+  }
+
+  return session;
+}
+
+export function getSessionFromCookie(cookie: string | null): Session | null {
+  if (!cookie) return null;
+  const match = cookie.match(/fleet_session=([^;]+)/);
+  if (!match) return null;
+  const session = sessions.get(match[1]);
+  if (!session || Date.now() > session.expiresAt) return null;
+  return session;
+}
+
+export function sessionCookie(sessionId: string): string {
+  return `fleet_session=${sessionId}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${Math.floor(SESSION_TTL_MS / 1000)}`;
+}
+
+export function isLocalConnection(req: Request): boolean {
+  const host = req.headers.get("host") || "";
+  return (
+    host.startsWith("localhost:") ||
+    host.startsWith("127.0.0.1:") ||
+    host.startsWith("[::1]:")
+  );
+}
+
+export function clearSessionCookie(): string {
+  return "fleet_session=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0";
+}
+
+export function loadSessions(): void {
+  try {
+    if (existsSync(SESSIONS_FILE)) {
+      const data = JSON.parse(readFileSync(SESSIONS_FILE, "utf-8"));
+      const now = Date.now();
+      if (data && typeof data === "object") {
+        for (const [id, sess] of Object.entries(data)) {
+          const s = sess as Session;
+          if (s.expiresAt > now) {
+            sessions.set(id, s);
+          }
+        }
+      }
+    }
+  } catch {
+    /* start fresh */
+  }
+}
+
+export function saveSessions(): void {
+  const dir = join(HOME, ".shipwright");
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  const obj: Record<string, Session> = {};
+  for (const [id, sess] of sessions) {
+    obj[id] = sess;
+  }
+  const tmp = SESSIONS_FILE + ".tmp";
+  writeFileSync(tmp, JSON.stringify(obj, null, 2));
+  renameSync(tmp, SESSIONS_FILE);
+}
+
+export function getAuthMode(): AuthMode {
+  if (GITHUB_CLIENT_ID && GITHUB_CLIENT_SECRET && DASHBOARD_REPO)
+    return "oauth";
+  if (GITHUB_PAT && DASHBOARD_REPO) return "pat";
+  return "none";
+}
+
+export function isAuthEnabled(): boolean {
+  return getAuthMode() !== "none";
+}
+
+export function isPublicRoute(pathname: string): boolean {
+  return (
+    pathname === "/login" ||
+    pathname.startsWith("/auth/") ||
+    pathname === "/api/health" ||
+    pathname === "/api/ws-status" ||
+    pathname.startsWith("/api/join/") ||
+    pathname.startsWith("/api/connect/") ||
+    pathname === "/api/team" ||
+    pathname === "/api/team/activity" ||
+    pathname === "/api/team/invite" ||
+    pathname.startsWith("/api/team/invite/") ||
+    pathname === "/api/claim" ||
+    pathname === "/api/claim/release" ||
+    pathname === "/api/webhook/ci"
+  );
+}
+
+export { SESSION_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GITHUB_PAT, DASHBOARD_REPO };

package/dashboard/middleware/constants.ts

@@ -0,0 +1,21 @@
+// Shared constants and configuration
+export const CORS_HEADERS = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE, OPTIONS",
+  "Access-Control-Allow-Headers": "Content-Type",
+};
+
+export const WS_PUSH_INTERVAL_MS = 2000;
+export const MAX_WS_CLIENTS = 50;
+export const WS_CONNECTION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
+
+export const SESSION_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+export const ALLOWED_PERMISSIONS = ["admin", "write"];
+
+// ANSI color codes
+export const CYAN = "\x1b[38;2;0;212;255m";
+export const GREEN = "\x1b[38;2;74;222;128m";
+export const BOLD = "\x1b[1m";
+export const DIM = "\x1b[2m";
+export const ULINE = "\x1b[4m";
+export const RESET = "\x1b[0m";

package/dashboard/public/index.html

@@ -4,12 +4,6 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Fleet Command — Shipwright</title>
-    <link rel="preconnect" href="https://fonts.googleapis.com" />
-    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
-    <link
-      href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=JetBrains+Mono:wght@400;500;700&family=Plus+Jakarta+Sans:wght@300;400;500;600;700&display=swap"
-      rel="stylesheet"
-    />
     <link rel="stylesheet" href="styles.css" />
     <link
       rel="icon"
@@ -113,6 +107,7 @@
         <button class="tab-btn" data-tab="fleet-map">Map</button>
         <button class="tab-btn" data-tab="pipeline-theater">Theater</button>
         <button class="tab-btn" data-tab="agent-cockpit">Cockpit</button>
+        <button class="tab-btn" data-tab="shipyard">Shipyard</button>
         <div class="tab-indicator" id="tab-indicator"></div>
       </div>
     </nav>
@@ -1032,6 +1027,7 @@
     <div class="tab-panel" id="panel-fleet-map"></div>
     <div class="tab-panel" id="panel-pipeline-theater"></div>
     <div class="tab-panel" id="panel-agent-cockpit"></div>
+    <div class="tab-panel" id="panel-shipyard"></div>
 
     <script src="dist/main.js"></script>
   </body>