Introduce a singleton instance_settings store and experimental settings API, add the Experimental instance settings page, and gate execution workspace behavior behind the new enableIsolatedWorkspaces flag.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* public-gh/master: (51 commits)
Use attachment-size limit for company logos
Address Greptile company logo feedback
Drop lockfile from PR branch
Use asset-backed company logos
fix: use appType "custom" for Vite dev server so worktree branding is applied
docs: fix documentation drift — adapters, plugins, tech stack
docs: update documentation for accuracy after plugin system launch
chore: ignore superset artifacts
Dark theme for CodeMirror code blocks in MDXEditor
Remove duplicate @paperclipai/adapter-openclaw-gateway in server/package.json
Fix code block styles with robust prose overrides
Add Docker setup for untrusted PR review in isolated containers
Fix org chart canvas height to fit viewport without scrolling
Add doc-maintenance skill for periodic documentation accuracy audits
Fix sidebar scrollbar: hide track background when not hovering
Restyle markdown code blocks: dark background, smaller font, compact padding
Add archive project button and filter archived projects from selectors
fix: address review feedback — subscription cleanup, filter nullability, stale diagram
fix: wire plugin event subscriptions from worker to host
fix(ui): hide scrollbar track background when sidebar is not hovered
...
# Conflicts:
# packages/db/src/migrations/meta/0030_snapshot.json
# packages/db/src/migrations/meta/_journal.json
Vite's "spa" appType adds its own SPA fallback middleware that serves
index.html directly, bypassing the custom catch-all route that calls
applyUiBranding(). Changing to "custom" lets our route handle HTML
serving, which injects the worktree-colored favicon and banner meta tags.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The plugin event bus accepts subscriptions for core events like
issue.created but nothing emits them. This adds a bridge in
logActivity() so every domain action that's already logged also
fires a PluginEvent to subscribing plugins.
Uses a module-level setter (same pattern as publishLiveEvent)
to avoid threading the bus through all route handlers. Only
actions matching PLUGIN_EVENT_TYPES are forwarded.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* public-gh/master:
Drop lockfile from watcher change
Tighten plugin dev file watching
Fix plugin smoke example typecheck
Fix plugin dev watcher and migration snapshot
Clarify plugin authoring and external dev workflow
Expand kitchen sink plugin demos
fix: set AGENT_HOME env var for agent processes
Add kitchen sink plugin example
Simplify plugin runtime and cleanup lifecycle
Add plugin framework and settings UI
# Conflicts:
# packages/db/src/migrations/meta/0029_snapshot.json
# packages/db/src/migrations/meta/_journal.json
res.sendFile can emit NotFoundError from the send module in certain
path resolution scenarios, causing 500s on company-scoped SPA routes.
Cache index.html at startup and serve it directly, which is both
more reliable and faster.
Fixes#233
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add catch-all handler after API router to return a proper 404 JSON
response instead of falling through to the SPA handler.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When served via npx, the absolute path to index.html traverses .npm,
triggering Express 5 / send's dotfile guard. Using the root option
makes send only check the relative filename for dotfiles.
Fixes#48
The server's static-ui mode resolves the UI dist path relative to its
own directory. In the monorepo it finds ../../ui/dist, but when published
to npm the UI package isn't available.
- server/src/app.ts: try ../ui-dist (published) then ../../ui/dist (dev),
gracefully degrade to API-only if neither exists
- server/package.json: include ui-dist/ in published files
- scripts/release.sh: build UI and copy dist to server/ui-dist before
publishing, clean up in restore step
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rename all workspace packages from @paperclip/* to @paperclipai/* and
the CLI binary from `paperclip` to `paperclipai` in preparation for
npm publishing. Bump CLI version to 0.1.0 and add package metadata
(description, keywords, license, repository, files). Update all
imports, documentation, user-facing messages, and tests accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add /api/auth/get-session for board actors to retrieve their session
info. Wrap resolveSession in try/catch to prevent unhandled errors from
crashing requests when auth headers are missing or malformed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reject requests from unrecognised Host headers when running
authenticated/private. Adds server middleware, CLI `allowed-hostname`
command, config-schema field, and prompt support for configuring
allowed hostnames during onboard/configure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wire up Better Auth for session-based authentication. Add actor middleware
that resolves local_trusted mode to an implicit board actor and authenticated
mode to Better Auth sessions. Add access service with membership, permission,
invite, and join-request management. Register access routes for member/invite/
join-request CRUD. Update health endpoint to report deployment mode and
bootstrap status. Enforce tasks:assign and agents:create permissions in issue
and agent routes. Add deployment mode validation at startup with guardrails
(loopback-only for local_trusted, auth config required for authenticated).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Require trusted browser origin (Origin or Referer header) for
mutating requests from board actors, preventing cross-origin
mutation attempts against the local-trusted API.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduce MarkdownEditor built on @mdxeditor/editor with headings,
lists, links, quotes, image upload with drag-and-drop, and themed CSS
integration. Add asset image upload API (routes, service, storage) and
wire image upload into InlineEditor multiline mode, NewIssueDialog,
NewProjectDialog, GoalDetail, IssueDetail, and ProjectDetail
description fields. Tighten prompt template editor styling.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduces a provider-agnostic storage subsystem for file attachments.
Includes local disk and S3 backends, asset/attachment DB schemas, issue
attachment CRUD routes with multer upload, CLI configure/doctor/env
integration, and enriched issue ancestors with project/goal resolution.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add AES-256-GCM local encrypted secrets provider with auto-generated
master key, stub providers for AWS/GCP/Vault, and a secrets service
that normalizes adapter configs (converting sensitive inline values to
secret refs in strict mode) and resolves secret refs back to plain
values at runtime. Extract redaction utilities from agent routes into
shared module. Redact sensitive values in activity logs, config
revisions, and approval payloads. Block rollback of revisions
containing redacted secrets. Filter hidden issues from list queries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Agent management: hire endpoint with permission gates and pending_approval status,
config revision tracking with rollback, agent duplicate route, permission CRUD.
Block pending_approval agents from auth, heartbeat, and assignments.
Approvals: revision request/resubmit flow, approval comments CRUD, issue-approval
linking, auto-wake agents on approval decisions with context snapshot.
Costs: per-agent breakdown, period filtering (month/week/day/all), cost by agent
list endpoint.
Adapters: agentConfigurationDoc on all adapters, /llms/agent-configuration.txt
reflection routes. Inject PAPERCLIP_APPROVAL_ID, PAPERCLIP_APPROVAL_STATUS,
PAPERCLIP_LINKED_ISSUE_IDS into adapter environments.
Sidebar badges endpoint for pending approval/inbox counts. Dashboard and company
settings extensions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch from PGlite (WebAssembly) to embedded-postgres for zero-config
local development — provides a real PostgreSQL server with full
compatibility. Add startup banner with config summary on server boot.
Improve server bootstrap with auto port detection, database creation,
and migration on startup. Update DATABASE.md, DEVELOPING.md, and
SPEC-implementation.md to reflect the change. Update CLI database
check and prompts. Simplify OnboardingWizard database options.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New routes: companies, approvals, costs, dashboard, authz. New
services: companies, approvals, costs, dashboard, heartbeat,
activity-log. Add auth middleware and structured error handling.
Expand existing agent and issue routes with richer CRUD operations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Express server with CRUD routes for agents, goals, issues, projects,
and activity log. Includes validation middleware, structured error
handling, request logging, and health check endpoint with tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
