Skip to content

chore: Phase 0 INV resolutions + MS-001/002/004 quick-wins #2020

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
qvidal01 wants to merge 2 commits into from
Closed

chore: Phase 0 INV resolutions + MS-001/002/004 quick-wins #2020

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
423e1fc
docs: resolve Phase 0 investigations INV-004 to INV-007
qvidal01 May 12, 2026
a508447
chore: MS-001 + MS-002 + MS-004 deletions (quick-win cleanup batch)
qvidal01 May 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,10 @@ credentials/
.vscode/
*.swp
*.swo
*.bk
*.bak
*.orig
*~
Comment on lines +35 to +38

@coderabbitai coderabbitai Bot May 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Duplicate pattern: *.bak appears twice in the file.

The pattern *.bak is already present on line 128 in the "Misc" section. Having duplicate ignore patterns creates unnecessary maintenance burden and can confuse future contributors.

🧹 Proposed fix to remove the duplicate

Remove the duplicate *.bak from line 128 since it's already covered here in the IDE & Editors section where backup patterns logically belong:

 # ===========================
 # Misc
 # ===========================
 *.local
-*.bak
 *.tmp
 *.temp
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.gitignore around lines 35 - 38, Remove the duplicate ignore pattern '*.bak'
from the repository's .gitignore by keeping it only in the logical "IDE &
Editors" section and removing the second occurrence in the "Misc" section;
locate the two entries by searching for the literal pattern '*.bak' and delete
the redundant one so the pattern appears just once.

*.sublime-workspace
*.sublime-project
.project
Expand Down
4 changes: 2 additions & 2 deletions CLAUDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,11 @@ Auto Claude is a desktop application (+ CLI) where users describe a goal and AI

## Critical Rules

**Vercel AI SDK only** — All AI interactions use the Vercel AI SDK v6 (`ai` package) via the TypeScript agent layer in `apps/desktop/src/main/ai/`. NEVER use `@anthropic-ai/sdk` or `anthropic.Anthropic()` directly. Use `createProvider()` from `ai/providers/factory.ts` and `streamText()`/`generateText()` from the `ai` package. Provider-specific adapters (e.g., `@ai-sdk/anthropic`, `@ai-sdk/openai`) are managed through the provider registry.
**Vercel AI SDK only** — All AI interactions use the Vercel AI SDK v6 (`ai` package) via the TypeScript agent layer in `apps/desktop/src/main/ai/`. NEVER use `@anthropic-ai/sdk` or `anthropic.Anthropic()` directly. Use `createProvider()` from `ai/providers/factory.ts` and `streamText()`/`generateText()` from the `ai` package. Provider-specific adapters (e.g., `@ai-sdk/anthropic`, `@ai-sdk/openai`) are managed through the provider registry. **Exception (INV-005 / UNK-005):** `apps/desktop/src/main/services/profile/profile-service.ts` imports `@anthropic-ai/sdk` solely for API-key validation when a user adds a new profile — it consumes the SDK's typed exceptions (`AuthenticationError`, `NotFoundError`, `APIConnectionError`, `APIConnectionTimeoutError`) to produce precise user-facing error messages. New code outside this file MUST NOT add `@anthropic-ai/sdk` imports.

**i18n required** — All frontend user-facing text uses `react-i18next` translation keys. Hardcoded strings in JSX/TSX break localization for non-English users. Add keys to both `en/*.json` and `fr/*.json`.

**Platform abstraction** — Never use `process.platform` directly. Import from `apps/desktop/src/main/platform/`. CI tests all three platforms.
**Platform abstraction (INV-007 / UNK-008)** — Never use `process.platform` directly. Two complementary layers exist by design: `apps/desktop/src/main/platform/` for main-process path/executable abstractions (paths, executable lookup, OS-specific shell handling); `apps/desktop/src/shared/platform.ts` for the typed `Platform` detection (`getCurrentPlatform`, `isWindows`, `isMacOS`, `isLinux`, `isUnix`) usable cross-process; `apps/desktop/src/shared/platform.cjs` for the same detection from build scripts that cannot import TypeScript. CI tests all three platforms.

**No time estimates** — Provide priority-based ordering instead of duration predictions.

Expand Down
15 changes: 15 additions & 0 deletions RELEASE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,21 @@ The release workflow **validates** that `CHANGELOG.md` has an entry for the vers
| `release.yml` | Tag `v*` pushed | Builds binaries, extracts changelog, creates release |
| `update-readme` (in release.yml) | After release | Updates README with new version |

## Build-Time Embedded Keys (INV-006 / UNK-007)

`apps/desktop/electron.vite.config.ts` injects build-time constants into the bundled main process via Vite `define`:

| Constant | Source env var | CI workflows that supply it | Local-build behavior |
|---|---|---|---|
| `__SENTRY_DSN__` | `SENTRY_DSN` | `release.yml`, `beta-release.yml`, `build-prebuilds.yml` (GitHub secret) | Embeds `apps/desktop/.env` value if set; empty otherwise |
| `__SENTRY_TRACES_SAMPLE_RATE__` | `SENTRY_TRACES_SAMPLE_RATE` | same as above | Defaults to `'0.1'` |
| `__SENTRY_PROFILES_SAMPLE_RATE__` | `SENTRY_PROFILES_SAMPLE_RATE` | same as above | Defaults to `'0.1'` |
| `__SERPER_API_KEY__` | `SERPER_API_KEY` | **None** (no CI workflow currently passes this secret) | Embeds developer's `.env` value if present |

**Current state of Serper search in shipped builds.** Because no CI workflow supplies `SERPER_API_KEY`, the `WebSearch` tool's Serper provider effectively ships **disabled** in CI release builds: the build embeds an empty string and `serper-search.ts` returns the "missing key" error path. Local builds with a populated `apps/desktop/.env` will bundle the developer's key.

A guardrail that refuses to embed any `__*_API_KEY__` constant in non-CI builds (unless `ALLOW_LOCAL_KEY_EMBED=1` is explicitly set) is tracked by `IDEA-007` / `MS-005` in `.claude/pipeline/roadmap-2026-05-12.md`. Wiring `SERPER_API_KEY` into the release-workflow secrets is **not** currently planned; if you want Serper search to work in shipped builds, add `SERPER_API_KEY: ${{ secrets.SERPER_API_KEY }}` to the build steps in `release.yml`, `beta-release.yml`, and `build-prebuilds.yml`.

@coderabbitai coderabbitai Bot May 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace gitignored roadmap reference with a durable tracker link.

Pointing release docs to .claude/pipeline/roadmap-2026-05-12.md is not portable for most maintainers/readers. Please reference a committed doc or GitHub issue instead.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@RELEASE.md` at line 203, The RELEASE.md line points to a gitignored roadmap
`.claude/pipeline/roadmap-2026-05-12.md`; replace that reference with a durable,
committed tracker (e.g., a committed docs file or a GitHub issue/PR link) so
maintainers can find the guardrail tracking; update the phrase that currently
says "tracked by `IDEA-007` / `MS-005` in
`.claude/pipeline/roadmap-2026-05-12.md`" to instead reference the chosen
durable identifier (for example "tracked in ISSUE-123" or "tracked in
docs/roadmap.md#IDEA-007 / MS-005") and ensure the rest of the sentence about
wiring `SERPER_API_KEY` remains unchanged.


## Troubleshooting

### Release didn't trigger after merge
Expand Down
4 changes: 4 additions & 0 deletions apps/desktop/CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,10 @@ npm run test:coverage
npm run test:e2e
```

### Coverage Strategy (INV-004 / UNK-004)

The Vitest coverage thresholds in `vitest.config.ts` (`lines: 22, branches: 17, functions: 19, statements: 22`) are **regression floors**, not targets. They were set by commit `d958fa65` (*"harden CI/CD with coverage enforcement"*) as the post-Python-elimination baseline. PRs must not drop coverage below these floors. Raising the floors and adding per-module thresholds for high-risk paths (`ai/security`, `ai/tools`, `ai/agent`, `ipc-handlers`) is tracked by `IDEA-011` / `MS-008` in `.claude/pipeline/roadmap-2026-05-12.md`.
Comment on lines +110 to +112

@coderabbitai coderabbitai Bot May 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | 💤 Low value

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that commit d958fa65 exists in the repository

git cat-file -t d958fa65 2>/dev/null || echo "Commit not found"
git log --oneline -1 d958fa65 2>/dev/null

Repository: AndyMik90/Aperant

Length of output: 165

Consider clarifying internal tracking codes in the section header.

The section header includes internal audit codes (INV-004 / UNK-004) in public-facing contributor documentation. While harmless, external contributors won't understand these references. Consider adding a brief note like "(internal tracking)" or relocating them to a doc comment if they're only for team reference.

The reference to .claude/pipeline/roadmap-2026-05-12.md is also inaccessible to external contributors since this directory is gitignored. This is acceptable for now but worth noting when the roadmap is updated.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/desktop/CONTRIBUTING.md` around lines 110 - 112, Update the "###
Coverage Strategy (INV-004 / UNK-004)" header to make the internal codes
explicit to readers: either append " (internal tracking)" after the codes or
remove the codes from the visible header and move them into an inline doc
comment directly below the header mentioning they are internal references; also
add a short parenthetical note after the
`.claude/pipeline/roadmap-2026-05-12.md` reference stating that this roadmap is
an internal, gitignored file and may be inaccessible to external contributors so
they should file issues/PRs against the public docs instead.


### Writing Tests

```typescript
Expand Down
9 changes: 8 additions & 1 deletion apps/desktop/electron.vite.config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,14 @@ const sentryDefines = {
'__SENTRY_PROFILES_SAMPLE_RATE__': JSON.stringify(process.env.SENTRY_PROFILES_SAMPLE_RATE || '0.1'),
};

/** Embedded API keys — search works out of the box, no user config needed. */
/**
* Embedded API keys (see RELEASE.md § Build-Time Embedded Keys, INV-006 / UNK-007).
*
* NOTE: no CI workflow currently supplies SERPER_API_KEY, so CI release builds
* embed an empty string and the Serper search provider ships effectively disabled.
* Local builds embed whatever is in apps/desktop/.env at build time — a guardrail
* against accidental dev-key embedding is tracked by IDEA-007 / MS-005.
*/
const embeddedKeys = {
'__SERPER_API_KEY__': JSON.stringify(process.env.SERPER_API_KEY || ''),
};
Expand Down
34 changes: 17 additions & 17 deletions apps/desktop/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,22 +50,22 @@
"typecheck": "tsc --noEmit --incremental"
},
"dependencies": {
"@ai-sdk/amazon-bedrock": "^4.0.77",
"@ai-sdk/anthropic": "^3.0.58",
"@ai-sdk/azure": "^3.0.42",
"@ai-sdk/google": "^3.0.43",
"@ai-sdk/groq": "^3.0.29",
"@ai-sdk/mcp": "^1.0.25",
"@ai-sdk/mistral": "^3.0.24",
"@ai-sdk/openai": "^3.0.41",
"@ai-sdk/openai-compatible": "^2.0.35",
"@ai-sdk/xai": "^3.0.67",
"@anthropic-ai/sdk": "^0.78.0",
"@ai-sdk/amazon-bedrock": "~4.0.77",
"@ai-sdk/anthropic": "~3.0.58",
"@ai-sdk/azure": "~3.0.42",
"@ai-sdk/google": "~3.0.43",
"@ai-sdk/groq": "~3.0.29",
"@ai-sdk/mcp": "~1.0.25",
"@ai-sdk/mistral": "~3.0.24",
"@ai-sdk/openai": "~3.0.41",
"@ai-sdk/openai-compatible": "~2.0.35",
"@ai-sdk/xai": "~3.0.67",
"@anthropic-ai/sdk": "~0.78.0",
"@dnd-kit/core": "^6.3.1",
"@dnd-kit/sortable": "^10.0.0",
"@dnd-kit/utilities": "^3.2.2",
"@libsql/client": "^0.17.0",
"@lydell/node-pty": "^1.1.0",
"@libsql/client": "~0.17.0",
"@lydell/node-pty": "~1.1.0",
"@modelcontextprotocol/sdk": "^1.27.1",
"@openrouter/ai-sdk-provider": "^2.3.1",
Comment on lines 69 to 70

@gemini-code-assist gemini-code-assist Bot May 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

For consistency with the other AI-related and volatile dependencies pinned in this PR (MS-002), consider also pinning @modelcontextprotocol/sdk and @openrouter/ai-sdk-provider to tilde (~) versions. This helps prevent unexpected breaking changes in the AI stack during minor version updates, which is the stated goal of this batch of changes.

Suggested change
"@modelcontextprotocol/sdk": "^1.27.1",
"@openrouter/ai-sdk-provider": "^2.3.1",
"@modelcontextprotocol/sdk": "~1.27.1",
"@openrouter/ai-sdk-provider": "~2.3.1",

"@radix-ui/react-alert-dialog": "^1.1.15",
Expand All @@ -84,7 +84,7 @@
"@radix-ui/react-tabs": "^1.1.13",
"@radix-ui/react-toast": "^1.2.15",
"@radix-ui/react-tooltip": "^1.2.8",
"@sentry/electron": "^7.10.0",
"@sentry/electron": "~7.10.0",
"@tailwindcss/typography": "^0.5.19",
"@tanstack/react-virtual": "^3.13.22",
"@tavily/core": "^0.7.2",
Expand All @@ -93,13 +93,13 @@
"@xterm/addon-web-links": "^0.12.0",
"@xterm/addon-webgl": "^0.19.0",
"@xterm/xterm": "^6.0.0",
"ai": "^6.0.116",
"ai": "~6.0.116",
"chokidar": "^5.0.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dotenv": "^17.3.1",
"electron-log": "^5.4.3",
"electron-updater": "^6.8.3",
"electron-log": "~5.4.3",
"electron-updater": "~6.8.3",
"i18next": "^25.8.18",
"lucide-react": "^0.577.0",
"minimatch": "^10.2.4",
Expand Down
Loading
Loading