Merged
21 commits
bc7912e
docs(git-client): freeze GitHub Desktop adaptation and Keiko reuse co…
oscharko Jun 27, 2026
49f1759
ci: run CI on the Git client epic integration branch (#1572) (#1602)
oscharko Jun 27, 2026
ca26b3d
feat(git): add repository state, history, remotes, and sync API found…
oscharko Jun 27, 2026
d207114
fix(security): redact colon-less token-as-username URLs in shared red…
oscharko Jun 27, 2026
b0bfeaa
fix(git): harden sync execute preflight and SSH trust (#1573)
oscharko Jun 27, 2026
24c8b60
feat(git): replace Git window shell with desktop-style repository lay…
oscharko Jun 27, 2026
57e9e9c
fix(git-ui): repair Git window shell audit gaps (#1574)
oscharko Jun 27, 2026
4731586
feat(git): add Changes, diff, staging, and commit composer (#1575)
oscharko Jun 27, 2026
791ffdf
fix(git-ui): harden changes workflow audit gaps (#1575)
oscharko Jun 27, 2026
28eeab9
feat(git-ui): implement branch history and sync workflows (#1576)
oscharko Jun 27, 2026
ce79417
feat(git-ui): integrate PR merge and agent repository operations (#1577)
oscharko Jun 27, 2026
f2ff334
fix(git-ui): harden PR merge agent operations (#1577)
oscharko Jun 27, 2026
b547586
fix(git-ui): harden branch sync audit gaps (#1576)
oscharko Jun 27, 2026
db33a48
test(git-ui): add Git client closeout verification (#1578)
oscharko Jun 28, 2026
a89e609
test(git-ui): cover empty repository and empty history states (#1576)…
oscharko Jun 28, 2026
6da04a2
merge: integrate repository-centered desktop workflow into dev
oscharko Jun 28, 2026
e619143
fix(git-ui): harden agent repository-operation facade (defense-in-dep…
oscharko Jun 28, 2026
3a5f64e
fix(git-ui): remove dead tab index assignment
oscharko Jun 28, 2026
315a915
Merge branch 'dev' into codex/merge-repository-centered-desktop-workf…
oscharko Jun 28, 2026
17d7fa8
merge: include latest repository workflow hardening
oscharko Jun 28, 2026
b012a5c
Merge branch 'dev' into codex/merge-repository-centered-desktop-workf…
oscharko Jun 28, 2026
5 changes: 4 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -11,6 +11,7 @@ on:
- feat/keiko-voice-digital-twin
- feat/keiko-isolated-task-workspaces
- feat/keiko-colleague-like-voice-dialogue-mode
- feat/keiko-repository-centered-desktop-workflow
- "release/**"
pull_request:
branches:
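Review bot: the branch added to the `push` list in this hunk has to be repeated by hand in the `pull_request` list and twice more in the `case` pattern of the "Confirm dev branch gate" step, and nothing in the workflow checks that the copies agree. A branch present in a trigger list but missing from the gate pattern would start the run and then land in the default `*)` arm. Add a comment above this list naming the other places that must change with it, or derive the gate pattern from a single list.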
Expand All @@ -22,6 +23,7 @@ on:
- feat/keiko-voice-digital-twin
- feat/keiko-isolated-task-workspaces
- feat/keiko-colleague-like-voice-dialogue-mode
- feat/keiko-repository-centered-desktop-workflow
- "release/**"
workflow_dispatch:

Expand All @@ -36,7 +38,7 @@ jobs:
- name: Confirm dev branch gate
run: |
case "${{ github.ref }}:${{ github.base_ref }}" in
refs/heads/dev: | refs/heads/feat/keiko-editor: | refs/heads/feat/keiko-agent-native-editor-foundation-and-runtime: | refs/heads/feat/prompt-enhancer-1307: | refs/heads/feat/keiko-establish-governed-end-to-end-git-delivery: | refs/heads/feat/keiko-voice-digital-twin: | refs/heads/feat/keiko-isolated-task-workspaces: | refs/heads/feat/keiko-colleague-like-voice-dialogue-mode: | refs/heads/release/*: | *:dev | *:feat/keiko-editor | *:feat/keiko-agent-native-editor-foundation-and-runtime | *:feat/prompt-enhancer-1307 | *:feat/keiko-establish-governed-end-to-end-git-delivery | *:feat/keiko-voice-digital-twin | *:feat/keiko-isolated-task-workspaces | *:feat/keiko-colleague-like-voice-dialogue-mode | *:release/*)
refs/heads/dev: | refs/heads/feat/keiko-editor: | refs/heads/feat/keiko-agent-native-editor-foundation-and-runtime: | refs/heads/feat/prompt-enhancer-1307: | refs/heads/feat/keiko-establish-governed-end-to-end-git-delivery: | refs/heads/feat/keiko-voice-digital-twin: | refs/heads/feat/keiko-isolated-task-workspaces: | refs/heads/feat/keiko-colleague-like-voice-dialogue-mode: | refs/heads/feat/keiko-repository-centered-desktop-workflow: | refs/heads/release/*: | *:dev | *:feat/keiko-editor | *:feat/keiko-agent-native-editor-foundation-and-runtime | *:feat/prompt-enhancer-1307 | *:feat/keiko-establish-governed-end-to-end-git-delivery | *:feat/keiko-voice-digital-twin | *:feat/keiko-isolated-task-workspaces | *:feat/keiko-colleague-like-voice-dialogue-mode | *:feat/keiko-repository-centered-desktop-workflow | *:release/*)
echo "Protected or integration branch gate satisfied."
;;
*)
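Review bot: the `case` line these patterns belong to expands `${{ github.ref }}` and `${{ github.base_ref }}` directly into the script text, so the ref name is parsed by the shell before the allowlist comparison runs, and with `workflow_dispatch` enabled the ref is not limited to the branches listed under `push`. Since this step is being edited anyway, switch the comparison to the runner's default environment variables, `case "$GITHUB_REF:$GITHUB_BASE_REF" in`, so the gate treats both values as data. The patterns themselves can stay as they are, because `GITHUB_BASE_REF` is empty outside pull request events just as `github.base_ref` is.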
Expand Down Expand Up @@ -76,6 +78,7 @@ jobs:
npm --workspace @oscharko-dev/keiko-editor test
- run: npm run typecheck
- run: npm run check:version-consistency
- run: npm run check:git-client-evidence
- run: npm run lint
- run: npm run arch:check
- run: npm run arch:check:negative
375 changes: 375 additions & 0 deletions docs/adr/ADR-0098-git-client-repository-state-and-sync-api.md

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions docs/adr/README.md
Expand Up @@ -72,6 +72,7 @@ This page keeps only the product decisions needed by reviewers. It is not an imp
| Voice assistant speech synthesis — Model Gateway TTS adapter, BFF synthesis route, audio playback engine | [ADR-0095](ADR-0095-voice-assistant-speech-synthesis.md) implements Issue #1558 by reusing the existing Model Gateway `gatewayFetch` egress seam for OpenAI-compatible text-to-speech, adding bounded binary response handling, a capability-gated `/api/voice/speak` BFF route, server-side persona-to-voice-id resolution, base64 audio responses with canonical MIME types, and a UI playback hook bound to the exact visible assistant message. No new egress path, raw generated-audio persistence, SDK dependency, or independent answer generation. |
| Voice dialogue session orchestration — deterministic turn controller, STT+TTS fallback, barge-in, master cleanup | [ADR-0096](ADR-0096-voice-dialogue-session-orchestration.md) implements Issue #1560 as a pure `keiko-ui` orchestration layer over the existing dictation, assistant speech, and Voice Turn Manager surfaces: dialogue is offered only for the fail-closed STT plus speech-output plus persona matrix, the regulated STT+TTS fallback is active even without browser WebRTC media, barge-in routes through existing playback and turn-manager effects, and cleanup is idempotent across stop, unmount, leave, and capability loss. No server route, provider authority, contract, egress path, or parallel state machine is added. |
| Editor file-tree mutations (create / rename / delete) and open-tab re-homing | [ADR-0097](ADR-0097-files-tree-mutations-and-tab-rehoming.md) adds `POST /api/files/{create,rename,delete}` that reuse the read-surface containment model (realpath root, both-ends deny-list, metadata redaction) and are non-destructive by default (atomic `O_EXCL` create, no-clobber rename with a realpath-gated case-only exception, symlink- and root-rejecting delete), with a single non-probeable errno mapper and the server CSRF + JSON gate; two prefix-aware layout reducer actions (`rename-file` / `remove-file`) re-home or close open tabs across every pane; and a Files-widget UX (toolbar, right-click menu, inline rename, confirm-gated delete, `F2`/`Delete`) that reuses existing CSS classes so the #1300 `globals.css` proof gate is untouched. Wire types in `keiko-contracts`; no new trust, no server-side parallel subsystem. |
| Git client repository state, history, remotes, and fetch/pull sync API | [ADR-0098](ADR-0098-git-client-repository-state-and-sync-api.md) implements the Issue #1573 (Epic #1572) API foundation: three additive read contracts and routes close the reuse-contract §3 gaps (`GET /api/git/summary` ahead/behind + remotes + last-sync, `GET /api/git/history` paginated `git log`, `GET /api/git/remotes`) reusing `resolveRepository` / `defaultGitProcessRunner` / `classifyFailure` / `redacted()` from `gitRoutes.ts` (only behavior-preservingly `export`ed) plus a shared `parsePorcelainV2Branch`; fetch/pull deliberately do NOT enter the frozen `GitDeliveryActionKind` / `runGitMutation` taxonomy but run through a dedicated bounded executor that uses the hardened runner for reads and a preflight-gated credential-capable runner for network sync (`fetch --no-tags`, `pull --ff-only`), exposed as read-only `POST .../{fetch,pull}/preview` plus audited `POST .../{fetch,pull}/execute` with a 13-member `GitSyncOutcome` taxonomy; sync stays evidence-compatible through a sibling `syncEvidence.ts` ledger mirroring the ADR-0083 bounded/redacted/fail-closed pattern with a content-free `repoIdHash`. Every response and record is content-free and redacted; no existing route or contract changed and no version bumped. |
| Capability-gated Voice Digital Twin architecture | [ADR-0058](ADR-0058-voice-digital-twin-capability-architecture.md) defines the design-only baseline for Epic #491's optional Voice Digital Twin (Issue #492; child issues #493–#506): voice is optional and capability-gated so Keiko starts and stays fully usable with no voice model (D1); four provider profiles (`none` / STT-only dictation / speech output only / full realtime) with STT-only kept distinct from full conversation (D2); WebSocket as the authoritative control/signaling plane realized today on the existing loopback HTTP + SSE seam (the BFF hard-rejects WS upgrades, so a bidirectional channel is a deferred #496/#497 decision) and native-browser WebRTC as the preferred media plane (D3); a local-first data boundary with no external destinations except explicitly configured model endpoints selected by runtime capability metadata, reusing `gatewayFetch` (ADR-0038) + `model-selection` and honestly recording that no outbound host allowlist exists yet (D4); zero-dependency voice capability advertisement through the existing `ModelCapability` metadata (additive flags or a new `ModelKind`, D5); a security-review contract for ephemeral tokens, provider credentials, ICE candidate privacy, allowlisted endpoints, and audit redaction reusing the AES-256-GCM / redaction / hashing stack (D6); Azure Foundry development-or-academic and customer-hosted controlled-network deployment profiles plus no-voice (D7); a "no new runtime media packages by default" supply-chain policy beyond the existing `ws` 8.21.0 and browser-native WebRTC (D8); and child-issue sequencing / write-ownership (D9). Detailed contracts in `docs/voice/`. No runtime code, no model deployment, no new dependency (Status: Proposed). |
| Voice control, WebRTC media, capability-gating, and replay protocol | [ADR-0059](ADR-0059-voice-control-media-capability-replay-protocol.md) defines the versioned voice protocol contract for Epic #491 (Issue #496; transport is #497): a dedicated `VOICE_PROTOCOL_VERSION` independent of `CONVERSATION_CAPABILITY_CONTRACT_VERSION` (D1); two planes — the WebSocket control/signaling plane (every message kind) separated from the WebRTC media plane (raw audio only, never a control message) (D2); v1 control transport on loopback HTTP + SSE with the WebSocket upgrade reopening deferred to #497 (D3); a deterministic capability-gating fallback table where `none` permits nothing and STT-only excludes all WebRTC signaling/media (D4); replay/reconnect/idempotency where committed transcripts and control are replayable but raw audio and ephemeral SDP/ICE are excluded (D5); redaction classes reusing the existing redaction/hashing stack (D6); browser↔provider negotiation modes (`proxied-sdp` preferred / `direct-ephemeral` / `disabled`) and a content-free security surface (D7); and no new runtime media packages beyond `ws` + native WebRTC (D8). Typed contract in `packages/keiko-contracts/src/voice-protocol.ts`, specification in `docs/voice/protocol.md`. No transport code, no new dependency (Status: Accepted — realized by the transport in Issue #497 / [ADR-0060](ADR-0060-realtime-voice-transport.md)). |
| Realtime voice transport — re-opened loopback WebSocket control + browser WebRTC media | [ADR-0060](ADR-0060-realtime-voice-transport.md) records the transport decision deferred by ADR-0058 D3 / ADR-0059 D3 for Epic #491 (Issue #497): re-open the deliberately hard-rejected BFF WebSocket upgrade for the single loopback path `/api/voice/control`, and **only** when the deployment is full-realtime capable and policy permits — every other upgrade keeps the unchanged `404` + `socket.destroy()` default (D1); proxied-SDP media negotiation through the Model Gateway egress (`requestRealtimeNegotiation` via `gatewayFetch`) so no long-lived provider credential reaches the browser, with native-browser WebRTC media and the contract's `direct-ephemeral` mode left opt-in/out-of-scope (D2); a security posture reusing the loopback `Host`/`Origin` check (no CSRF on a WS handshake), redaction on every outbound frame, opaque `secret-bearing` SDP/ICE never logged, raw audio rejected on the control plane, a bounded replay buffer, and deterministic teardown (D3); existing strict controls re-justified not relaxed — `Permissions-Policy microphone=(self)` scoped to STT-or-realtime (never widened), CSP unchanged (same-origin WS covered by `connect-src 'self'`), and no new runtime media package (D4); and no new persisted local-runtime state, with transcript/recap persistence deferred to #504 (D5). Transport in `packages/keiko-server/src/voice-realtime.ts` + `packages/keiko-model-gateway/src/realtime-voice-adapter.ts` + the keiko-ui realtime client; notes in `docs/voice/realtime-transport.md` (Status: Accepted). |
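Review bot: the added ADR-0098 row says fetch and pull run through a "preflight-gated credential-capable runner" but does not say what the preflight checks, and that is the control a reviewer most needs to assess because it is where credentials enter the path. Name the preflight conditions in a few words or link the ADR section that defines them; the row could drop some of the reused helper names to make room.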