Review follow-ups: coalesce gutter re-layout posts (avoid dispatcher flooding when
visual lines aren't ready), drop the zero-length deletable segment (undo hygiene),
and clear stale scroll-sync hooks on DataContext swap. Update Ui/CLAUDE.md to the
3-pane editor and log visual-verification items (incl. empty-side + alignment edges)
in docs/open.md.
Plumb a per-resource owner (Zitadel sub) through the sync contract without
enforcing isolation client-side — the server stays the authority.
- Dtos: add optional ownerId to RemoteList/RemoteTask/MirrorTask
- JwtClaims: decode the sub claim from the access token (never throws)
- OnlineSyncService: stamp ownerId on pushed lists + mirror; defensively skip
pulled tasks owned by a different user (unowned tasks still sync, so
single-user behavior is unchanged)
- docs: contract documents ownerId + multi-user readiness
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Online API now requires the "user" project role (claim
urn:zitadel:iam:org:project:roles) instead of an ALLOWED_USER_IDS allowlist.
- IOnlineAuthProvider: add GetAccessTokenAsync(forceRefresh) overload
- ZitadelAuthProvider: forceRefresh drops the cached token and re-runs the
refresh-token grant to mint a fresh, role-bearing token
- OnlineInboxApiClient: on 401, force-refresh and retry once; if still 401,
throw a clear "missing 'user' role" error
- OnlineSyncService: surface the 401 at Error level (no longer silent)
- UI: ZitadelTokenInspector decodes the access token after login and warns
early when the "user" role is absent (fail-open); shown in settings
- docs: online-inbox-api-contract reflects role-based access (no allowlist)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Five findings filed as ClaudeDo tasks (IWorkerClient parity, merge-API
naming, DetailsIslandViewModel split, test-fake hygiene, FailAsync guard)
plus the deferred WorkerHub split and the AgentMcpTools file move.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Design for simplifying single-task review/merge (Layer A), multi-worktree
batch merge cockpit (Layer B), and inline conflict resolver (Layer C),
with frozen shared contracts so B/C build in parallel worktrees.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Approved design for a Nuxt 3 site at claudedo.kuns.dev: "the page is the
app" concept (3-island layout), build-time release fetch, and a Nitro
release proxy that fronts the self-updater to hide the Gitea URL.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Children fan out from the parent's worktree HEAD and merge via a
generalized planning orchestrator (parent branch + children); child
roadblocks roll up to the parent review card.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Agent offloads out-of-scope work via SuggestImprovement; children run
automatically; new WaitingForChildren state; generalize planning's
parent/child machinery.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Externalize all prose prompts to editable files, collapse system+agent,
add an inline roadblock protocol detected by StreamAnalyzer.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Drop the changelog of completed/verified work — that lives in commits and
code. Keep only pending manual verification, the one open code item, and a
short "decided against" list to prevent re-proposing dropped ideas.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The generic Claude-Mailbox plugin already covers cross-session messaging,
so the ClaudeDo-internal integration is parked. architecture.md and ADRs
are deliberately skipped — per-project CLAUDE.md files are the living
architecture doc, and ADRs add little for a solo project.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
A test that spawns the actual claude binary shouldn't live in the suite —
dotnet test must never invoke Claude. §1.0 step 3 stays a manual check.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Spawns the actual claude binary and asserts exit code 0, a session id,
non-empty result, and output tokens > 0 (plan-verification §1.0 step 3).
Inert unless CLAUDE_AUTHENTICATED=1, since it needs an authenticated CLI.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- TaskRunner: extract worktree-vs-sandbox selection into
PrepareRunDirectoryAsync so RunAsync reads linearly (a small helper, not
a Strategy pattern — overkill for a two-way branch).
- App: drop the public static ServiceProvider locator; inject the provider
via constructor through AppBuilder.Configure(() => new App(services)).
Parameterless ctor + BuildAvaloniaApp() retained for the XAML designer.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add error-path + git-backed happy-path tests for the five previously
untested ExternalMcpService tools: GetTaskWorktree, GetTaskDiff,
MergeTask (dry-run + not-Done guard), ListWorktrees, CleanupTaskWorktree.
Git-backed cases skip when git is unavailable.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
If WorktreeAddAsync succeeds but the worktrees-row insert throws, the
worktree was left on disk and branch undeleted with nothing tracking it.
Wrap the insert in try/catch and best-effort remove the worktree+branch
(non-cancellable) before rethrowing.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Audit found the backlog stale: many open items shipped, several large
features (localization, weekly report, daily notes, daily-prep) were
missing, and the removed tag system was still treated as live.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
