merge: integrate repository-centered desktop workflow into dev #1652

Merged
oscharko merged 21 commits into dev from codex/merge-repository-centered-desktop-workflow-to-dev
Jun 28, 2026
@oscharko oscharko commented Jun 28, 2026

Summary

  • Integrates origin/feat/keiko-repository-centered-desktop-workflow into origin/dev through a dedicated integration PR.
  • Current inputs: origin/dev at 7b0fad52 and origin/feat/keiko-repository-centered-desktop-workflow at e6191434.
  • Preserves dev branch layout decisions while carrying forward the repository-centered desktop workflow implementation and latest hardening.

Conflict / integration handling

  • Resolved the ADR number collision by preserving dev's existing ADR-0097 and renumbering the Git client repository state/sync ADR to ADR-0098, updating references.
  • Preserved dev's Playwright config layout under tests/e2e/config/ and moved the Git delivery e2e configs there, updating scripts and evidence manifests.
  • Resolved the automated code-quality review finding in ChangesPane.tsx without changing behavior.
  • Replayed the latest feature hardening commit after the branch advanced; no additional conflicts were introduced.

Verification

  • npm ci
  • npm run typecheck
  • npm run lint
  • npm run arch:check
  • npm run arch:check:negative
  • npm run check:version-consistency
  • npm run check:git-client-evidence
  • npm run check:git-delivery-evidence
  • npm run test
  • npm run test:coverage:quality
  • After latest feature-tip update: npm run typecheck, npm run lint, and npm run test -- packages/keiko-server/src/gitDelivery/agentOperationsRoutes.test.ts packages/keiko-server/src/gitDelivery/requestGuards.test.ts

Merge note

Repository policy disables merge commits and requires linear history on dev; this PR is configured for squash auto-merge after required checks and conversations are resolved.

oscharko and others added 16 commits June 27, 2026 13:47
…ntract (#1572) (#1601)

Add the decision-ready UI architecture note for Epic #1571's Git client:
- map the GitHub Desktop flows to adapt (repo/branch selection, Changes,
  History, diff, commit composer, sync, PR/merge entry points) as UX reference
- classify every Keiko reuse point (GovernedGitFlowCard, gitRoutes,
  gitRepositoryRoutes, gitDelivery/*, keiko-tools gateways, FilesWidget,
  ReviewWidget/diffParser, window registry, left rail) as
  reuse/extend/generalize/replace/untouched with verified file:line evidence
- record the selective-code policy (no wholesale fork; MIT attribution and no
  GitHub branding for any later copy)
- freeze the GitHub-Desktop-inspired Keiko layout spec with an ASCII wireframe
- plan removal of the current form/workflow layout from the product surface
- record the visible-naming policy (product text says "Git")

Audit/contract only: no production UI, BFF route, or Git mutation change.

Refs #1572

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The feat/keiko-repository-centered-desktop-workflow integration branch for
Epic #1571 was created without being registered in the CI workflow triggers,
so the required `ci` check never runs for the epic's child pull requests
(#1572-#1578) or for pushes to the branch. Every other active integration
branch is already listed.

Add the branch to on.push.branches, on.pull_request.branches, and the
protected-branch gate case (both ref and base_ref sides), mirroring the
existing integration branches. This strictly strengthens coverage: it enables
the `ci` gate where it currently does not run and weakens no existing gate.
Validated locally: YAML parse, prettier --check, and actionlint v1.7.12 all clean.

Refs #1572

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…ation (#1573) (#1606)

Close the #1572 reuse-contract section 3 capability gaps for the Git client
(Epic #1571) with additive, content-free, redacted read and sync APIs. No
existing route or contract changes; the governed mutation kernel and evidence
taxonomy are untouched.

Reads (GET, gitRoutes family; reuse resolveRepository / hardened runner /
classifyFailure / redacted plus a shared parsePorcelainV2Branch):
- /api/git/summary  - branch, upstream, ahead/behind, dirty/conflict counts,
  remotes, last-sync (FETCH_HEAD mtime, containment-checked).
- /api/git/history  - paginated git log (sha, shortSha, subject, author, date,
  refs, parentCount, changedFileCount); empty-repo safe.
- /api/git/remotes  - configured remotes (fetch/push URLs, redacted).

Sync (POST under /api/git-delivery, mirrors the push route structure; fetch and
pull deliberately do NOT enter GitDeliveryActionKind / runGitMutation - that
taxonomy is frozen):
- {fetch,pull}/preview - read-only readiness (executable + typed blockReason).
- {fetch,pull}/execute - bounded "fetch --no-tags" / "pull --ff-only" through a
  dedicated network-capable runner (user credential configuration available, but
  GIT_TERMINAL_PROMPT=0 + SSH BatchMode keep it fail-closed and never prompting),
  a 12-member GitSyncOutcome taxonomy, and a content-free sibling evidence ledger
  (syncEvidence.ts; repoIdHash only).

Contracts: GitRepositorySummary, GitHistoryEntry, GitSyncPreview/Execute plus
validators. Docs: ADR-0097 and an endpoint reference. CSRF stays central; reads
keep the hardened config-isolated env while network sync uses a credential-capable
env. Server unit tests cover clean/dirty/no-remote/missing-upstream/detached-HEAD/
unsafe/Git-missing/timeout/auth-failure and fetch/pull outcomes.

Refs #1573

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…actor (#1608)

The shared redactor's URL_CREDENTIALS_PATTERN only stripped userinfo from the
`scheme://user:password@host` form. A token-as-username remote URL with no colon
(e.g. `https://<opaque-pat>@host/repo.git`, common for GitHub/GitLab PATs) was
not redacted unless the token matched a known shape (ghp_, sk-, …). `git remote
-v` output surfaced by /api/git/summary and /api/git/remotes (#1573, #1606) can
carry such tokens to the browser.

Add a sibling URL_USERINFO_PATTERN that masks colon-less userinfo for
credential-carrying schemes while preserving bare SSH usernames (git@… is a
login name, not a credential), matching the redactor's existing intent of
stripping credentials rather than usernames. The colon-bearing pattern is
unchanged and still strips SSH passwords. Scoped to the URL authority (a real
scheme:// must precede the userinfo) so general '@' text is not over-matched.
ReDoS-safe: one linear userinfo class bounded by '@' (ADR-0002 CodeQL gate).

Verified end-to-end: both new endpoints route `git remote -v` URLs through
redacted(deps, …) → deepRedactStrings → createAuditRedactor → redact(); the
keiko-evidence redaction module is a re-export shim onto this file.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
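
The colon-less userinfo masking described in the commit message above, sketched in TypeScript as an added example; it is not code from this PR or from Keiko's redactor. The pattern names, mask text, scheme list and sample remotes are assumptions.

```typescript
// Added illustration, not Keiko's redactor: pattern names, mask text and the
// scheme list are assumptions. Sample remotes below are constructed.
const MASK = "[REDACTED]";

// scheme://user:password@ for any scheme. Each class excludes '/', '@' and
// whitespace and sits behind a real "scheme://", so matching stays linear.
const WITH_PASSWORD = /\b([a-z][a-z0-9+.-]*:\/\/)[^\s\/@:]*:[^\s\/@]*@/gi;

// Colon-less userinfo, only for schemes where the user slot carries a token.
// ssh:// is excluded on purpose: "git@" there is a login name.
const TOKEN_AS_USER = /\b((?:https?|ftps?):\/\/)[^\s\/@:]+@/gi;

function redactRemoteText(text: string): string {
  return text
    .replace(WITH_PASSWORD, `$1${MASK}@`)
    .replace(TOKEN_AS_USER, `$1${MASK}@`);
}

// Constructed `git remote -v` style output.
const SAMPLE_REMOTES = [
  "origin\thttps://opaque-token-value@example.test/org/repo.git (fetch)",
  "mirror\tssh://git@example.test/org/repo.git (push)",
  "legacy\tssh://deploy:hunter2@example.test/org/repo.git (fetch)",
  "scp\tgit@example.test:org/repo.git (fetch)",
].join("\n");

function redactedSample(): string[] {
  return redactRemoteText(SAMPLE_REMOTES).split("\n");
}
```
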
…out (#1574) (#1614)

Replace the form-heavy GovernedGitFlowCard "Repository Manager" surface with a
compact, GitHub-Desktop-inspired Git client shell (GitClientWindow) rendered by
the existing governedGit window key. The shell has a header toolbar (repository
selector, current-branch display, sync status, Open in Editor / Open Files), a
left sidebar (repository list/search + Changes/History tabs), and a right diff
pane with reserved Pull Request / Merge entry points that reuse the existing
governed PR/Merge windows. Clone/open-local moves into a compact modal.

Visible product text uses plain Git wording only (Git, Repository, Changes,
History, Branch, Commit, Sync, Pull Request, Merge); "Governance", "Governed
Git", and "Delivery path" are absent. Internal governedGit/symbol IDs unchanged.

Scope is the shell: read surfaces (repositories, branches, status, diff) are
wired through existing BFF reads; mutation flows (staging, commit, branch
switch/create, sync execution) and full PR/merge logic are reserved for siblings
#1575/#1576/#1577. The carry-forward internals (DI seam, label maps, error
formatter, useGitActions hook with seqRef stale-guard) are re-homed verbatim in
git-client/git-client-seam.ts.

Reuse: KeikoSelect for selectors; the ReviewWidget parsed-diff components are
generalized into cards/shared/diffView.tsx (consumed by both); existing
fetchProjects/createProject/cloneRepository/fetchGitBranches/fetchGitStatus/
fetchGitDiff reads; governedPullRequest/governedMerge windows as entry points;
ed-*/rv-*/arun-*/ksel- globals.css classes via ADR-0051 inline tokens (zero new
CSS, globals.css byte-unchanged, #1300 SHA pins intact).

Studio visual regression: add git-window-desktop + git-window-constrained
scenarios (desktop/tablet/mobile x 6 themes) to the #1300 browser evidence
harness; regenerate manifest.json + PNGs; the manifest gate dimensions are
updated in lockstep (strengthening/neutral, not weakening). Also fixes a
pre-existing TaskWorkspaceSwitcher mock gap in capture.mjs that crashed the
harness, restoring all baseline captures.

Tests: component (GitClientWindow.test.tsx), a11y (GitClientWindow.a11y.test.tsx,
jest-axe + name/role/value + keyboard), and seam (git-client-seam.test.ts).
Local gates green: build:packages, keiko-ui lint/typecheck/test (3621),
root lint/typecheck, globals.css manifest gate (250, 3 SHA pins).

Refs #1574

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Implements Issue #1575 (Epic #1571): per-file staging with checkboxes, staged/worktree diff scope, and a pinned commit composer with secondary policy preview, all through the existing governed seam (no new BFF route). Integrates the #1574 audit-gap a11y repairs. Refs #1575
Squash merge PR #1640 for Issue #1577. Includes the signed implementation commit and the CI typecheck repair commit. Local verification and GitHub required ci are green.
Audit repair for #1577 after PR #1640. Hardens agent execute idempotency, avoids raw request retention, exposes embedded PR update, repairs Back to diff focus/live status, and demand-loads History. Local and GitHub gates passed.
* fix(git-ui): harden branch sync audit gaps (#1576)

* fix(git-ui): route PR metadata through remotes seam (#1576)
Refs #1578

Signed-off-by: Codex coordinator implementation team.
…#1651)

The #1576 acceptance criterion "Empty repository and no-repository states
guide users to clone or open a local repository" and its "empty states"
verification gate were satisfied in production code (RepositoryListSearch
and HistoryPane) but lacked dedicated regression tests. An acceptance audit
of Epic #1571 confirmed the behaviour is correct yet untested.

Add two GitClientWindow regression tests:
- no-repository state renders the add-repository guidance and affordance
- an initialized repository with zero commits renders the no-commits history
  guidance and omits the commit listbox

No production behaviour changes; this closes the one evidence gap found
during the Epic #1571 acceptance-criteria audit.

Refs #1571
Refs #1576

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@oscharko oscharko enabled auto-merge (squash) June 28, 2026 07:02
oscharko and others added 4 commits June 28, 2026 09:04
…th) (#1653)

Two LOW-severity, non-exploitable defense-in-depth hardenings on the agent
repository-operation facade surfaced by the Epic #1571 security-boundary review.
The trust boundary was already intact; these tighten it symmetrically.

1. Bound the agent-facade idempotency cache. POST /api/git/agent/operations kept
   its idempotency replay map as an unbounded process-memory Map removed only on
   completion, so a client streaming many distinct idempotency keys could grow it
   without limit. Replace it with an IdempotencyCache (bounded LRU + TTL): settled
   replay entries self-evict past a size cap or after a TTL, while in-flight
   reservations are exempt from eviction so existing idempotency semantics
   (replay-on-same-key, conflict-on-key-reuse, reserve-before-settle) are
   preserved exactly. The handler takes an optional injectable cache for testing.

2. Reject C0 control chars in pathspecs at the requestGuards layer. isContainedPathspec
   now rejects TAB/LF/CR/NUL and all other C0 control / DEL chars, matching the
   network-ref REF_CONTROL_CHAR guard. Not exploitable today (pathspecs are
   literalized as :(literal)<value> after a "--" sentinel at the adapter) — this is
   symmetric defense-in-depth.

Adds unit tests for LRU + TTL eviction, in-flight-reservation exemption, replay
preservation, and TAB/LF/CR rejection. keiko-server gitDelivery suite 196 pass;
keiko-tools git suite 287 pass.

Refs #1577 #1571

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
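
A bounded LRU + TTL idempotency cache with in-flight reservations exempt from eviction, as described in item 1 of the commit message above. This is an added TypeScript sketch, not the PR's IdempotencyCache; the class name, method names, the request fingerprint and the limits are assumptions.

```typescript
// Added illustration, not Keiko's IdempotencyCache: the API, names and limits
// here are assumptions made for the sketch.
type Entry<T> =
  | { state: "inflight"; fp: string }
  | { state: "settled"; fp: string; result: T; expiresAt: number };
type Outcome<T> =
  | { kind: "reserved" } | { kind: "inflight" }
  | { kind: "conflict" } | { kind: "replay"; result: T };

class BoundedIdempotencyCache<T> {
  // Map iterates in insertion order, so the first settled entry is the LRU one.
  private entries = new Map<string, Entry<T>>();
  private maxSettled: number;
  private ttlMs: number;
  private now: () => number;
  constructor(maxSettled: number, ttlMs: number, now: () => number = Date.now) {
    this.maxSettled = maxSettled; this.ttlMs = ttlMs; this.now = now;
  }

  // fp is a fingerprint of the request bound to the key (hypothetical).
  reserve(key: string, fp: string): Outcome<T> {
    const e = this.entries.get(key);
    if (e && e.state === "settled" && e.expiresAt <= this.now()) {
      this.entries.delete(key); // TTL passed: treat as a fresh key
    } else if (e) {
      if (e.fp !== fp) return { kind: "conflict" }; // key reused for another request
      if (e.state === "inflight") return { kind: "inflight" };
      this.entries.delete(key); this.entries.set(key, e); // mark recently used
      return { kind: "replay", result: e.result };
    }
    this.entries.set(key, { state: "inflight", fp }); // reserve before settle
    return { kind: "reserved" };
  }

  settle(key: string, result: T): void {
    const e = this.entries.get(key);
    if (!e || e.state !== "inflight") return;
    this.entries.delete(key);
    this.entries.set(key, { state: "settled", fp: e.fp, result, expiresAt: this.now() + this.ttlMs });
    let settled = 0;
    for (const v of this.entries.values()) if (v.state === "settled") settled++;
    for (const [k, v] of this.entries) { // evict oldest settled; skip in-flight
      if (settled <= this.maxSettled) break;
      if (v.state === "settled") { this.entries.delete(k); settled--; }
    }
  }
}
```
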
@oscharko oscharko disabled auto-merge June 28, 2026 07:23
@oscharko oscharko enabled auto-merge (squash) June 28, 2026 07:23
@oscharko oscharko merged commit d0e7df5 into dev Jun 28, 2026
13 checks passed
@oscharko oscharko deleted the codex/merge-repository-centered-desktop-workflow-to-dev branch June 28, 2026 07:48