fix(autopilot): subscribe creator to autopilot-created issues

The issue:created subscriber listener type-asserted payload["issue"] to handler.IssueResponse, but autopilot publishes the issue as map[string]any (via service.issueToMap). The assertion failed silently, so no subscribers (including the creator) were ever added to autopilot issues — meaning creators received no notifications when their autopilot run produced comments or status changes. Add an extractIssueFields helper that accepts either format and use it in both the issue:created and issue:updated listeners. Mirrors the dual-format pattern already used by the comment:created listener.
2026-06-17 19:59:20 +02:00 · 2026-04-17 09:58:37 +08:00
446 changed files with 12985 additions and 37868 deletions
--- a/.env.example
+++ b/.env.example
@@ -4,23 +4,8 @@ POSTGRES_USER=multica
 POSTGRES_PASSWORD=multica
 POSTGRES_PORT=5432
 DATABASE_URL=postgres://multica:multica@localhost:5432/multica?sslmode=disable
-# Optional pgxpool tuning. Defaults are 25 / 5 per pod and are usually fine.
-# You can also set pool_max_conns / pool_min_conns as query params on
-# DATABASE_URL; env vars below take precedence over URL params.
-# DATABASE_MAX_CONNS=25
-# DATABASE_MIN_CONNS=5

 # Server
-# APP_ENV gates dev-only auth shortcuts (primarily the 888888 master code).
-#   - Docker self-host: docker-compose.selfhost.yml already pins APP_ENV to
-#     "production" by default, so 888888 is DISABLED — a public instance can't
-#     be logged into with any email + 888888.
-#   - Local dev (make dev): leave APP_ENV unset so 888888 works out of the box.
-#   - Docker self-host on a private network you fully control, or evaluation
-#     without Resend: set APP_ENV=development to re-enable 888888. Do NOT
-#     enable on a publicly reachable instance.
-# See SELF_HOSTING.md for the full login setup.
-APP_ENV=
 PORT=8080
 JWT_SECRET=change-me-in-production
 MULTICA_SERVER_URL=ws://localhost:8080/ws
@@ -36,28 +21,17 @@ MULTICA_CODEX_MODEL=
 MULTICA_CODEX_WORKDIR=
 MULTICA_CODEX_TIMEOUT=20m

-# Self-host image channel
-# Default stable release channel. Pin to an exact release like v0.2.4 if you
-# want to stay on a specific version. If the selected tag has not been
-# published to GHCR yet, use make selfhost-build / the build override instead.
-MULTICA_IMAGE_TAG=latest
-MULTICA_BACKEND_IMAGE=ghcr.io/multica-ai/multica-backend
-MULTICA_WEB_IMAGE=ghcr.io/multica-ai/multica-web
-
 # Email (Resend)
-# For local/dev use, leave RESEND_API_KEY empty — codes print to stdout, and
-# master code 888888 works (only when APP_ENV != "production"; see above).
+# For local/dev use, leave RESEND_API_KEY empty — codes print to stdout, and master code 888888 works.
 # For production, set your Resend API key and change RESEND_FROM_EMAIL to a domain verified in your Resend account.
 RESEND_API_KEY=
 RESEND_FROM_EMAIL=noreply@multica.ai

 # Google OAuth
-# The web login page reads GOOGLE_CLIENT_ID from /api/config at runtime, so
-# changing it only requires restarting the backend / compose stack. No web
-# rebuild is needed.
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_REDIRECT_URI=http://localhost:3000/auth/callback
+NEXT_PUBLIC_GOOGLE_CLIENT_ID=

 # S3 / CloudFront
 S3_BUCKET=
@@ -66,13 +40,6 @@ CLOUDFRONT_KEY_PAIR_ID=
 CLOUDFRONT_PRIVATE_KEY_SECRET=multica/cloudfront-signing-key
 CLOUDFRONT_PRIVATE_KEY=
 CLOUDFRONT_DOMAIN=
-# COOKIE_DOMAIN — optional Domain attribute on session + CloudFront cookies.
-# Leave empty for single-host deployments (localhost, LAN IP, or a single
-# hostname) — session cookies become host-only, which is what the browser
-# wants. Only set it when the frontend and backend sit on different
-# subdomains of one registered domain (e.g. ".example.com"). Do NOT set it
-# to an IP address: RFC 6265 forbids IP literals in the cookie Domain
-# attribute and browsers silently drop such cookies.
 COOKIE_DOMAIN=

 # Local file storage (fallback when S3_BUCKET is not set)
@@ -96,25 +63,3 @@ NEXT_PUBLIC_WS_URL=
 # Remote API (optional) — set to proxy local frontend to a remote backend
 # Leave empty to use local backend (localhost:8080)
 # REMOTE_API_URL=https://multica-api.copilothub.ai
-
-# ==================== Self-hosting: Control Signups (fixes #930) ====================
-# Set to "false" to completely disable new user signups (recommended for private instances)
-ALLOW_SIGNUP=true
-# The web UI reads ALLOW_SIGNUP from /api/config at runtime, so toggling this
-# only requires restarting the backend / compose stack — not rebuilding web.
-# It is not hot-reloaded.
-
-# Optional: Only allow emails from these domains (comma-separated)
-ALLOWED_EMAIL_DOMAINS=
-
-# Optional: Only allow these exact email addresses (comma-separated)
-ALLOWED_EMAILS=
-
-# ==================== Analytics (PostHog) ====================
-# Product analytics events feed the acquisition → activation → expansion funnel.
-# Leave POSTHOG_API_KEY empty for local dev / self-hosted instances; the server
-# will run a no-op analytics client and ship nothing. See docs/analytics.md.
-POSTHOG_API_KEY=
-POSTHOG_HOST=https://us.i.posthog.com
-# Force the no-op client even when POSTHOG_API_KEY is set (CI / opt-out).
-ANALYTICS_DISABLED=
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ jobs:
        run: pnpm install

      - name: Build, type check, and test
-        run: pnpm exec turbo build typecheck test --filter='!@multica/docs'
+        run: pnpm build && pnpm typecheck && pnpm test

  backend:
    runs-on: ubuntu-latest
--- a/.github/workflows/desktop-smoke.yml
+++ b/.github/workflows/desktop-smoke.yml
@@ -1,59 +0,0 @@
-name: Desktop Smoke Build
-
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  desktop:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            target: linux
-          - os: windows-latest
-            target: win
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install rpmbuild (Linux)
-        if: matrix.target == 'linux'
-        run: sudo apt-get update && sudo apt-get install -y rpm
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: server/go.mod
-          cache-dependency-path: server/go.sum
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Package Desktop installers (${{ matrix.target }})
-        working-directory: apps/desktop
-        env:
-          CSC_IDENTITY_AUTO_DISCOVERY: "false"
-        run: node scripts/package.mjs --${{ matrix.target }} --x64 --arm64 --publish never
-
-      - name: Upload Desktop artifacts (${{ matrix.target }})
-        uses: actions/upload-artifact@v4
-        with:
-          name: desktop-${{ matrix.target }}
-          path: apps/desktop/dist
-          if-no-files-found: error
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,48 +3,20 @@ name: Release
 on:
  push:
    tags:
-      # GitHub Actions uses glob patterns here, not regex. Match versioned
-      # tags broadly at the trigger layer, then enforce strict semver below.
-      - "v*.*.*"
-      - "!v*-dirty*"
+      - "v*"

 permissions:
  contents: write
-  packages: write

 jobs:
-  verify:
+  release:
    runs-on: ubuntu-latest
-    outputs:
-      tag_name: ${{ steps.release_meta.outputs.tag_name }}
-      is_stable: ${{ steps.release_meta.outputs.is_stable }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

-      - name: Validate tag name
-        id: release_meta
-        shell: bash
-        run: |
-          tag="${GITHUB_REF_NAME}"
-          echo "Triggered by tag: $tag"
-          if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
-            echo "::error::Release tags must look like vX.Y.Z or vX.Y.Z-suffix; got '$tag'."
-            exit 1
-          fi
-          if [[ "$tag" == *-dirty* ]]; then
-            echo "::error::Refusing to release from dirty tag '$tag'."
-            exit 1
-          fi
-          echo "tag_name=$tag" >> "$GITHUB_OUTPUT"
-          if [[ "$tag" == *-* ]]; then
-            echo "is_stable=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "is_stable=true" >> "$GITHUB_OUTPUT"
-          fi
-
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
@@ -54,21 +26,6 @@ jobs:
      - name: Run tests
        run: cd server && go test ./...

-  release:
-    needs: verify
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: server/go.mod
-          cache-dependency-path: server/go.sum
-
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
@@ -77,298 +34,3 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
-
-  # Multi-arch images are built natively per platform on dedicated runners
-  # (amd64 on ubuntu-latest, arm64 on ubuntu-24.04-arm) and merged into a
-  # manifest list. This avoids QEMU emulation, which was making the Next.js
-  # arm64 build run for 30+ minutes per release.
-  docker-backend-build:
-    needs: verify
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runs-on: ubuntu-latest
-          - platform: linux/arm64
-            runs-on: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runs-on }}
-    steps:
-      - name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> "$GITHUB_ENV"
-
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Compute backend image labels
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/multica-backend
-          labels: |
-            org.opencontainers.image.title=Multica Backend
-            org.opencontainers.image.description=Multica self-hosted backend
-
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile
-          pull: true
-          platforms: ${{ matrix.platform }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha,scope=release-backend-${{ env.PLATFORM_PAIR }}
-          cache-to: type=gha,mode=max,scope=release-backend-${{ env.PLATFORM_PAIR }}
-          build-args: |
-            VERSION=${{ needs.verify.outputs.tag_name }}
-            COMMIT=${{ github.sha }}
-          outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/multica-backend,push-by-digest=true,name-canonical=true,push=true
-
-      - name: Export digest
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-backend-${{ env.PLATFORM_PAIR }}
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  docker-backend-merge:
-    needs: [verify, docker-backend-build]
-    runs-on: ubuntu-latest
-    concurrency:
-      group: release-docker-backend-${{ github.ref }}
-      cancel-in-progress: true
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@v4
-        with:
-          path: /tmp/digests
-          pattern: digests-backend-*
-          merge-multiple: true
-
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Compute backend image tags
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/multica-backend
-          flavor: |
-            latest=false
-          tags: |
-            type=raw,value=latest,enable=${{ needs.verify.outputs.is_stable == 'true' }}
-            type=raw,value=${{ needs.verify.outputs.tag_name }}
-            type=sha,prefix=sha-
-
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create manifest list and push
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create \
-            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf 'ghcr.io/${{ github.repository_owner }}/multica-backend@sha256:%s ' *)
-
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect \
-            ghcr.io/${{ github.repository_owner }}/multica-backend:${{ steps.meta.outputs.version }}
-
-  docker-web-build:
-    needs: verify
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runs-on: ubuntu-latest
-          - platform: linux/arm64
-            runs-on: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runs-on }}
-    steps:
-      - name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> "$GITHUB_ENV"
-
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Compute web image labels
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/multica-web
-          labels: |
-            org.opencontainers.image.title=Multica Web
-            org.opencontainers.image.description=Multica self-hosted web frontend
-
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile.web
-          pull: true
-          platforms: ${{ matrix.platform }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha,scope=release-web-${{ env.PLATFORM_PAIR }}
-          cache-to: type=gha,mode=max,scope=release-web-${{ env.PLATFORM_PAIR }}
-          build-args: |
-            REMOTE_API_URL=http://backend:8080
-            NEXT_PUBLIC_APP_VERSION=${{ needs.verify.outputs.tag_name }}
-          outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/multica-web,push-by-digest=true,name-canonical=true,push=true
-
-      - name: Export digest
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-web-${{ env.PLATFORM_PAIR }}
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  docker-web-merge:
-    needs: [verify, docker-web-build]
-    runs-on: ubuntu-latest
-    concurrency:
-      group: release-docker-web-${{ github.ref }}
-      cancel-in-progress: true
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@v4
-        with:
-          path: /tmp/digests
-          pattern: digests-web-*
-          merge-multiple: true
-
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Compute web image tags
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/multica-web
-          flavor: |
-            latest=false
-          tags: |
-            type=raw,value=latest,enable=${{ needs.verify.outputs.is_stable == 'true' }}
-            type=raw,value=${{ needs.verify.outputs.tag_name }}
-            type=sha,prefix=sha-
-
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create manifest list and push
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create \
-            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf 'ghcr.io/${{ github.repository_owner }}/multica-web@sha256:%s ' *)
-
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect \
-            ghcr.io/${{ github.repository_owner }}/multica-web:${{ steps.meta.outputs.version }}
-
-  # Build the Desktop installers for Linux and Windows and upload them to
-  # the GitHub Release that the `release` job above just published. macOS
-  # Desktop continues to ship via the manual `release-desktop` skill so it
-  # can be signed + notarized with Apple Developer credentials that are
-  # not (yet) wired into CI.
-  desktop:
-    needs: release
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            target: linux
-          - os: windows-latest
-            target: win
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install rpmbuild (Linux)
-        if: matrix.target == 'linux'
-        run: sudo apt-get update && sudo apt-get install -y rpm
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: server/go.mod
-          cache-dependency-path: server/go.sum
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Package Desktop installers (${{ matrix.target }})
-        working-directory: apps/desktop
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # electron-builder's GitHub publisher reads this:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Disable code signing on Linux/Windows for now — the public
-          # release is unsigned for these platforms, the CLI carries the
-          # trust boundary. Set CSC_LINK in repo secrets to enable
-          # Windows signing later.
-          CSC_IDENTITY_AUTO_DISCOVERY: "false"
-        run: node scripts/package.mjs --${{ matrix.target }} --x64 --arm64 --publish always
--- a/.gitignore
+++ b/.gitignore
@@ -57,4 +57,3 @@ _features/
 server/server
 data/
 .kilo
-.idea
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -21,12 +21,12 @@ builds:
    goarch:
      - amd64
      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64

 archives:
-  # Legacy archive name kept so already-released CLIs (whose `multica update`
-  # looks for `multica_{os}_{arch}.{ext}`) can keep self-updating. Remove
-  # once those versions are no longer in use.
-  - id: legacy
+  - id: default
    formats:
      - tar.gz
    format_overrides:
@@ -34,16 +34,6 @@ archives:
        formats:
          - zip
    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
-  # Versioned archive name used by current CLI / install scripts /
-  # desktop bootstrap going forward.
-  - id: versioned
-    formats:
-      - tar.gz
-    format_overrides:
-      - goos: windows
-        formats:
-          - zip
-    name_template: "{{ .ProjectName }}-cli-{{ .Version }}-{{ .Os }}-{{ .Arch }}"

 checksum:
  name_template: "checksums.txt"
@@ -58,8 +48,6 @@ changelog:

 brews:
  - name: multica
-    ids:
-      - versioned
    repository:
      owner: multica-ai
      name: homebrew-tap
--- a/.vercelignore
+++ b/.vercelignore
@@ -1,85 +0,0 @@
-# Deploy the frontend apps from the monorepo root.
-# Keep apps/web, apps/docs, shared packages, and root workspace metadata.
-# Exclude unrelated workspaces and local artifacts that can make
-# `vercel deploy` upload far more than the app needs.
-
-.agent_context
-.claude
-.context
-.env*
-.envrc
-.tool-versions
-_features
-.kilo
-.idea
-.DS_Store
-.husky
-.vscode
-
-/.dockerignore
-/.goreleaser.yml
-/AGENTS.md
-/CLAUDE.md
-/CLI_AND_DAEMON.md
-/CLI_INSTALL.md
-/CONTRIBUTING.md
-/Dockerfile
-/Dockerfile.web
-/HANDOFF_ARCHITECTURE_AUDIT.md
-/Makefile
-/README.md
-/README.zh-CN.md
-/SELF_HOSTING.md
-/SELF_HOSTING_ADVANCED.md
-/SELF_HOSTING_AI.md
-/docker-compose*.yml
-/playwright.config.ts
-/skills-lock.json
-
-/.github/
-/docker/
-/docs/
-/e2e/
-/server/
-/apps/desktop/
-/scripts/
-
-*.log
-*.pid
-*.tsbuildinfo
-
-.cache
-.next
-.pnpm-store
-.turbo
-.vercel
-coverage
-test-results
-playwright-report
-data
-
-node_modules
-bin
-dist
-out
-build
-dist-electron
-
-# Deployment-only trims: tests and lint configs are not used by `next build`.
-**/__tests__/**
-**/test/**
-**/*.test.*
-**/*.spec.*
-/packages/eslint-config/
-/apps/web/components.json
-/apps/web/eslint.config.mjs
-/apps/web/vitest.config.ts
-
-# Root repo metadata not needed in the deployment source.
-/.env.example
-/.gitattributes
-/.gitignore
-/LICENSE
-
-*.app
-*.dmg
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -106,7 +106,6 @@ pnpm ui:add badge                # Adds component to packages/ui/components/ui/
 # Infrastructure
 make db-up            # Start shared PostgreSQL (pgvector/pg17 image)
 make db-down          # Stop shared PostgreSQL
-make db-reset         # Drop + recreate current env's DB, then re-run migrations (local only; stop backend first)
 ```

 ### CI Requirements
@@ -163,7 +162,7 @@ When the two apps need different behavior for the same concept (e.g., different
 When adding a new page or feature:

 1. **New page component** → add to `packages/views/<domain>/`. Never import from `next/*` or `react-router-dom`.
-2. **Wire it in both apps** → add a route in `apps/web/app/` (Next.js page file) AND in the desktop router. **Exception**: pre-workspace transition flows (create workspace, accept invite) are NOT routes on desktop — they're `WindowOverlay` state. See *Desktop-specific Rules → Route categories*.
+2. **Wire it in both apps** → add a route in `apps/web/app/` (Next.js page file) AND in the desktop router.
 3. **Navigation** → use `useNavigation().push()` or `<AppLink>`. Never use framework-specific link/router APIs in shared code.
 4. **Shared guards/providers** → use `DashboardGuard` from `packages/views/layout/`. Don't create separate guard logic per app.
 5. **Platform-specific UI** → if a feature is web-only or desktop-only, keep it in the respective app. Use props slots (`extra`, `topSlot`) on shared layout components to inject platform-specific UI.
@@ -177,79 +176,6 @@ Both apps share the same CSS foundation from `packages/ui/styles/`.
 - **Shared styles** → `packages/ui/styles/`. Never duplicate scrollbar styling, keyframes, or base layer rules in app CSS.
 - **`@source` directives** → both apps scan shared packages so Tailwind sees all class names.

-## Desktop-specific Rules
-
-These rules apply to `apps/desktop/` only. Web has different constraints (URL bar, SSR, no tabs) and doesn't share these concerns. Every rule in this section was added after a concrete bug — treat them as enforced, not suggestions.
-
-### Route categories
-
-Every path in the desktop app falls into exactly one category. Choosing the wrong one reproduces bugs we've already fixed.
-
- **Session routes** — workspace-scoped pages (`/:slug/issues`, `/:slug/settings`). Rendered by the per-tab memory router under `WorkspaceRouteLayout`. These are legitimate tab destinations.
- **Transition flows** — pre-workspace / one-shot actions (create workspace, accept invite). **NOT routes.** They live as `WindowOverlay` state, dispatched when the navigation adapter sees `push('/workspaces/new')` or `push('/invite/<id>')`. The shared view (`NewWorkspacePage`, `InvitePage`) is the content; the overlay wrapper supplies platform chrome.
- **Error / stale states** — "workspace not available", tabs pointing at a revoked workspace. **NOT pages.** `WorkspaceRouteLayout` auto-heals by dropping the stale tab group from the store; the user never lands on an explicit error screen. Web keeps `NoAccessPage` (shareable URL makes the error state meaningful); desktop has no URL bar so stale = heal silently.
-
-**Adding a new pre-workspace flow on desktop**: register a new `WindowOverlay` type in `stores/window-overlay-store.ts`. Do NOT add it to `routes.tsx`. If a shared view needs the flow on both platforms, add the route on web (`apps/web/app/(auth)/...`) AND the overlay type on desktop — the shared view component is identical.
-
-### Workspace identity singleton
-
-`setCurrentWorkspace(slug, uuid)` in `@multica/core/platform` is the single source of truth for "which workspace is active right now". Three consumers depend on it:
-
-1. API client's `X-Workspace-Slug` header.
-2. Zustand per-workspace storage namespace.
-3. Chrome gating (`{slug && <AppSidebar />}` on desktop, similar on web).
-
-Normally set by `WorkspaceRouteLayout` when its route mounts. Critically: **unmount does NOT clear it.** Any code that leaves workspace context (leave workspace, delete workspace, force navigation to overlay) must call `setCurrentWorkspace(null, null)` explicitly — otherwise the realtime `workspace:deleted` handler races the mutation, chrome gating stays truthy while the workspace is gone from cache, and `useWorkspaceId` throws.
-
-### Workspace destructive operations
-
-Leave / Delete workspace flows must follow this order:
-
-1. Read destination from cached workspace list (no extra fetch).
-2. `setCurrentWorkspace(null, null)`.
-3. `navigation.push(destination)` — switch to next workspace or open new-workspace overlay.
-4. THEN `await mutation.mutateAsync(workspaceId)`.
-
-Reversing step 4 with steps 1–3 (mutate first, navigate after) causes a three-way race between the mutation's `onSettled` invalidate, the explicit `navigateAway`, and the realtime handler's `relocateAfterWorkspaceLoss` — all refetching the same `workspaces` query concurrently. One gets cancelled, bubbles as `CancelledError`, and triggers `window.location.assign` → full renderer reload / white screen.
-
-### Tab isolation
-
-Tabs are grouped per workspace in `stores/tab-store.ts`. The TabBar shows only the active workspace's tabs; cross-workspace tab leakage is impossible by construction (no flat global tabs array).
-
-Cross-workspace `push(path)` is detected by the navigation adapter (`platform/navigation.tsx`) and translated into `switchWorkspace(slug, targetPath)` — NOT a navigation within the current tab's router. Don't bypass the adapter; always go through `useNavigation()` from shared code.
-
-### Drag region (macOS window-move)
-
-Every full-window desktop view (login, onboarding, new-workspace, invite, no-access, create-workspace modal) — i.e. anything that isn't inside the dashboard shell — needs a top drag strip so users can move the window. The native macOS traffic lights are **kept visible** for every such surface (Linear/Notion/Arc pattern); no `useImmersiveMode` by default.
-
-**Pattern**: use the shared `<DragStrip />` from `@multica/views/platform` as the first flex child of the page root. It's a 48px transparent row with `-webkit-app-region: drag` — the parent's bg fills through it so the page reads edge-to-edge while the top 48px stays draggable under the traffic lights.
-
-```tsx
-import { DragStrip } from "@multica/views/platform";
-
-return (
-  <div className="flex min-h-svh flex-col bg-background">
-    <DragStrip />
-    <div className="flex flex-1 flex-col px-6 pb-12">
-      {/* page content — interactive elements placed at y ≥ 48 clear the strip;
-          any element at y < 48 needs WebkitAppRegion: "no-drag" */}
-    </div>
-  </div>
-);
-```
-
-Why flex, not absolute: the absolute-strip + `z-index` approach relies on stacking-context hit-testing, which isn't reliable for `-webkit-app-region`. A real flex row with no siblings at that pixel is unambiguous. Web browsers silently ignore `-webkit-app-region`, so shared views render the strip as a plain 48px spacer on web — safe cross-platform.
-
-**Horizontal clearance**: traffic lights occupy roughly x ∈ [16, 76] on macOS. Interactive UI (Back buttons, menus) should start at x ≥ 80 on desktop-sized viewports. The shared views default to sufficient `lg:px-20` padding; re-examine when laying out anything in the top-left corner.
-
-Canonical example: `packages/views/platform/drag-strip.tsx`. Used by `onboarding/steps/step-welcome.tsx` (per-column), `onboarding/onboarding-flow.tsx`, `workspace/new-workspace-page.tsx`, `invite/invite-page.tsx`, `workspace/no-access-page.tsx`, `modals/create-workspace.tsx`, and desktop's `pages/login.tsx`.
-
-**When to use `useImmersiveMode`**: only when a view must place interactive UI in the traffic-light hit-zone (y < 28 AND x < 80). For every current non-dashboard surface, buttons sit at y ≥ 48, so immersive mode is unnecessary. Hook is preserved as an escape hatch but has no callers.
-
-### UX vs platform chrome
-
-UX affordances (Back button, Log out button, welcome copy, invite card) belong in `packages/views/` so web and desktop render identical content. Platform chrome (tab system interaction, native-window IPC, `useImmersiveMode`) lives in desktop-only code. The `DragStrip` + `useImmersiveMode` primitives live in `packages/views/platform/` because they're cross-platform safe (web no-op) and need to be callable from shared views that own the page layout — keeping them in desktop-only would force every shared page to leave top-padding decisions to the platform shell, fragmenting the design.
-
 ## UI/UX Rules

 - Prefer shadcn components over custom implementations. Install via `pnpm ui:add <component>` from project root — adds to `packages/ui/components/ui/`. All components use Base UI primitives (`@base-ui/react`), not Radix.
--- a/CLI_AND_DAEMON.md
+++ b/CLI_AND_DAEMON.md
@@ -278,7 +278,7 @@ multica issue list --priority urgent --assignee "Agent Name"
 multica issue list --limit 20 --output json
 ```

-Available filters: `--status`, `--priority`, `--assignee`, `--project`, `--limit`.
+Available filters: `--status`, `--priority`, `--assignee`, `--limit`.

 ### Get Issue

@@ -293,7 +293,7 @@ multica issue get <id> --output json
 multica issue create --title "Fix login bug" --description "..." --priority high --assignee "Lambda"
 ```

-Flags: `--title` (required), `--description`, `--status`, `--priority`, `--assignee`, `--parent`, `--project`, `--due-date`.
+Flags: `--title` (required), `--description`, `--status`, `--priority`, `--assignee`, `--parent`, `--due-date`.

 ### Update Issue

@@ -332,27 +332,6 @@ multica issue comment add <issue-id> --parent <comment-id> --content "Thanks!"
 multica issue comment delete <comment-id>
 ```

-### Subscribers
-
-```bash
-# List subscribers of an issue
-multica issue subscriber list <issue-id>
-
-# Subscribe yourself to an issue
-multica issue subscriber add <issue-id>
-
-# Subscribe another member or agent by name
-multica issue subscriber add <issue-id> --user "Lambda"
-
-# Unsubscribe yourself
-multica issue subscriber remove <issue-id>
-
-# Unsubscribe another member or agent
-multica issue subscriber remove <issue-id> --user "Lambda"
-```
-
-Subscribers receive notifications about issue activity (new comments, status changes, etc.). Without `--user`, the command acts on the caller.
-
 ### Execution History

 ```bash
@@ -370,70 +349,6 @@ multica issue run-messages <task-id> --since 42 --output json

 The `runs` command shows all past and current executions for an issue, including running tasks. The `run-messages` command shows the detailed message log (tool calls, thinking, text, errors) for a single run. Use `--since` for efficient polling of in-progress runs.

-## Projects
-
-Projects group related issues (e.g. a sprint, an epic, a workstream). Every project
-belongs to a workspace and can optionally have a lead (member or agent).
-
-### List Projects
-
-```bash
-multica project list
-multica project list --status in_progress
-multica project list --output json
-```
-
-Available filters: `--status`.
-
-### Get Project
-
-```bash
-multica project get <id>
-multica project get <id> --output json
-```
-
-### Create Project
-
-```bash
-multica project create --title "2026 Week 16 Sprint" --icon "🏃" --lead "Lambda"
-```
-
-Flags: `--title` (required), `--description`, `--status`, `--icon`, `--lead`.
-
-### Update Project
-
-```bash
-multica project update <id> --title "New title" --status in_progress
-multica project update <id> --lead "Lambda"
-```
-
-Flags: `--title`, `--description`, `--status`, `--icon`, `--lead`.
-
-### Change Status
-
-```bash
-multica project status <id> in_progress
-```
-
-Valid statuses: `planned`, `in_progress`, `paused`, `completed`, `cancelled`.
-
-### Delete Project
-
-```bash
-multica project delete <id>
-```
-
-### Associating Issues with Projects
-
-Use the `--project` flag on `issue create` / `issue update` to attach an issue to a
-project, or on `issue list` to filter issues by project:
-
-```bash
-multica issue create --title "Login bug" --project <project-id>
-multica issue update <issue-id> --project <project-id>
-multica issue list --project <project-id>
-```
-
 ## Setup

 ```bash
@@ -470,63 +385,6 @@ multica config set app_url https://app.example.com
 multica config set workspace_id <workspace-id>
 ```

-## Autopilot Commands
-
-Autopilots are scheduled/triggered automations that dispatch agent tasks (either by creating an issue or by running an agent directly).
-
-### List Autopilots
-
-```bash
-multica autopilot list
-multica autopilot list --status active --output json
-```
-
-### Get Autopilot Details
-
-```bash
-multica autopilot get <id>
-multica autopilot get <id> --output json   # includes triggers
-```
-
-### Create / Update / Delete
-
-```bash
-multica autopilot create \
-  --title "Nightly bug triage" \
-  --description "Scan todo issues and prioritize." \
-  --agent "Lambda" \
-  --mode create_issue
-
-multica autopilot update <id> --status paused
-multica autopilot update <id> --description "New prompt"
-multica autopilot delete <id>
-```
-
-`--mode` currently only accepts `create_issue` (creates a new issue on each run and assigns it to the agent). The server data model also defines `run_only`, but the daemon task path doesn't yet resolve a workspace for runs without an issue, so it's not exposed by the CLI. `--agent` accepts either a name or UUID.
-
-### Manual Trigger
-
-```bash
-multica autopilot trigger <id>            # Fires the autopilot once, returns the run
-```
-
-### Run History
-
-```bash
-multica autopilot runs <id>
-multica autopilot runs <id> --limit 50 --output json
-```
-
-### Schedule Triggers
-
-```bash
-multica autopilot trigger-add <autopilot-id> --cron "0 9 * * 1-5" --timezone "America/New_York"
-multica autopilot trigger-update <autopilot-id> <trigger-id> --enabled=false
-multica autopilot trigger-delete <autopilot-id> <trigger-id>
-```
-
-Only cron-based `schedule` triggers are currently exposed via the CLI. The data model also defines `webhook` and `api` kinds, but there is no server endpoint that fires them yet, so they're not surfaced here.
-
 ## Other Commands

 ```bash
--- a/CLI_INSTALL.md
+++ b/CLI_INSTALL.md
@@ -76,8 +76,7 @@ fi
 LATEST=$(curl -sI https://github.com/multica-ai/multica/releases/latest | grep -i '^location:' | sed 's/.*tag\///' | tr -d '\r\n')

 # Download and extract
-VERSION="${LATEST#v}"
-curl -sL "https://github.com/multica-ai/multica/releases/download/${LATEST}/multica-cli-${VERSION}-${OS}-${ARCH}.tar.gz" -o /tmp/multica.tar.gz
+curl -sL "https://github.com/multica-ai/multica/releases/download/${LATEST}/multica_${OS}_${ARCH}.tar.gz" -o /tmp/multica.tar.gz
 tar -xzf /tmp/multica.tar.gz -C /tmp multica
 sudo mv /tmp/multica /usr/local/bin/multica
 rm /tmp/multica.tar.gz
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -592,19 +592,6 @@ If you want to stop PostgreSQL and keep your local databases:
 make db-down
 ```

-If you want a fresh database for the current checkout only (drops the
-database named in `POSTGRES_DB`, recreates it, and runs all migrations):
-
-```bash
-make stop        # stop backend/frontend first
-make db-reset
-make start
-```
-
- only affects the current env's database; other worktree databases are untouched
- refuses to run if `DATABASE_URL` points at a remote host
- pass `ENV_FILE=.env.worktree` to target a specific worktree
-
 If you want to wipe all local PostgreSQL data for this repo:

 ```bash
--- a/Dockerfile.web
+++ b/Dockerfile.web
@@ -36,11 +36,11 @@ RUN pnpm install --frozen-lockfile --offline

 # Set build-time env: tells Next.js rewrites to proxy API calls to the backend service
 ARG REMOTE_API_URL=http://backend:8080
+ARG NEXT_PUBLIC_GOOGLE_CLIENT_ID
 ARG NEXT_PUBLIC_WS_URL
-ARG NEXT_PUBLIC_APP_VERSION=dev
 ENV REMOTE_API_URL=$REMOTE_API_URL
+ENV NEXT_PUBLIC_GOOGLE_CLIENT_ID=$NEXT_PUBLIC_GOOGLE_CLIENT_ID
 ENV NEXT_PUBLIC_WS_URL=$NEXT_PUBLIC_WS_URL
-ENV NEXT_PUBLIC_APP_VERSION=$NEXT_PUBLIC_APP_VERSION
 ENV STANDALONE=true

 # Build the web app (standalone output for minimal runtime)
--- a/164
+++ b/164
@@ -1,4 +1,4 @@
-.PHONY: help makehelp dev server daemon cli multica build test migrate-up migrate-down sqlc seed clean setup start stop check worktree-env setup-main start-main stop-main check-main setup-worktree start-worktree stop-worktree check-worktree db-up db-down db-reset selfhost selfhost-build selfhost-stop
+.PHONY: dev server daemon cli multica build test migrate-up migrate-down sqlc seed clean setup start stop check worktree-env setup-main start-main stop-main check-main setup-worktree start-worktree stop-worktree check-worktree db-up db-down selfhost selfhost-stop

 MAIN_ENV_FILE ?= .env
 WORKTREE_ENV_FILE ?= .env.worktree
@@ -36,23 +36,10 @@ define REQUIRE_ENV
 	fi
 endef

-# Default target changed from selfhost to help: bare `make` now prints this help
-# instead of launching a full Docker Compose build, which is safer for onboarding.
-.DEFAULT_GOAL := help
-
-##@ Help
-
-help: ## Show available make targets and common local workflows
-	@awk 'BEGIN {FS = ":.*## "; printf "\nUsage:\n  make \033[36m<target>\033[0m\n\nQuick start:\n  \033[36mmake dev\033[0m          Bootstrap the current checkout and start everything\n  \033[36mmake check\033[0m        Run the full local verification pipeline\n\nCheckout modes:\n  Main checkout uses \033[36m.env\033[0m\n  Worktrees use \033[36m.env.worktree\033[0m (generate with \033[36mmake worktree-env\033[0m)\n\n"} \
-		/^##@/ {printf "\n\033[1m%s\033[0m\n", substr($$0, 5); next} \
-		/^[a-zA-Z0-9_.-]+:.*## / {printf "  \033[36m%-18s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
-
-makehelp: help ## Alias for `make help`
-
 # ---------- Self-hosting (Docker Compose) ----------
-##@ Self-hosting

-selfhost: ## Create .env if needed, then pull and start the official self-hosted images
+# One-command self-host: create env, start Docker Compose, wait for health
+selfhost:
 	@if [ ! -f .env ]; then \
 		echo "==> Creating .env from .env.example..."; \
 		cp .env.example .env; \
@@ -64,16 +51,8 @@ selfhost: ## Create .env if needed, then pull and start the official self-hosted
 		fi; \
 		echo "==> Generated random JWT_SECRET"; \
 	fi
-	@echo "==> Pulling official Multica images..."
-	@if ! docker compose -f docker-compose.selfhost.yml pull; then \
-		echo ""; \
-		echo "Official images for tag '$${MULTICA_IMAGE_TAG:-latest}' are not published yet."; \
-		echo "If this is before the first GHCR release, build from the current checkout:"; \
-		echo "  make selfhost-build"; \
-		exit 1; \
-	fi
 	@echo "==> Starting Multica via Docker Compose..."
-	docker compose -f docker-compose.selfhost.yml up -d
+	docker compose -f docker-compose.selfhost.yml up -d --build
 	@echo "==> Waiting for backend to be ready..."
 	@for i in $$(seq 1 30); do \
 		if curl -sf http://localhost:$${PORT:-8080}/health > /dev/null 2>&1; then \
@@ -87,11 +66,7 @@ selfhost: ## Create .env if needed, then pull and start the official self-hosted
 		echo "  Frontend: http://localhost:$${FRONTEND_PORT:-3000}"; \
 		echo "  Backend:  http://localhost:$${PORT:-8080}"; \
 		echo ""; \
-		echo "Images: $${MULTICA_BACKEND_IMAGE:-ghcr.io/multica-ai/multica-backend}:$${MULTICA_IMAGE_TAG:-latest}"; \
-		echo "        $${MULTICA_WEB_IMAGE:-ghcr.io/multica-ai/multica-web}:$${MULTICA_IMAGE_TAG:-latest}"; \
-		echo ""; \
-		echo "Log in: configure RESEND_API_KEY in .env for email codes,"; \
-		echo "        or set APP_ENV=development in .env (private networks only) to enable code 888888."; \
+		echo "Log in with any email + verification code: 888888"; \
 		echo ""; \
 		echo "Next — install the CLI and connect your machine:"; \
 		echo "  brew install multica-ai/tap/multica"; \
@@ -102,57 +77,16 @@ selfhost: ## Create .env if needed, then pull and start the official self-hosted
 		echo "  docker compose -f docker-compose.selfhost.yml logs"; \
 	fi

-selfhost-build: ## Build backend/web from the current checkout and start the self-hosted stack
-	@if [ ! -f .env ]; then \
-		echo "==> Creating .env from .env.example..."; \
-		cp .env.example .env; \
-		JWT=$$(openssl rand -hex 32); \
-		if [ "$$(uname)" = "Darwin" ]; then \
-			sed -i '' "s/^JWT_SECRET=.*/JWT_SECRET=$$JWT/" .env; \
-		else \
-			sed -i "s/^JWT_SECRET=.*/JWT_SECRET=$$JWT/" .env; \
-		fi; \
-		echo "==> Generated random JWT_SECRET"; \
-	fi
-	@echo "==> Building Multica from the current checkout..."
-	docker compose -f docker-compose.selfhost.yml -f docker-compose.selfhost.build.yml up -d --build
-	@echo "==> Waiting for backend to be ready..."
-	@for i in $$(seq 1 30); do \
-		if curl -sf http://localhost:$${PORT:-8080}/health > /dev/null 2>&1; then \
-			break; \
-		fi; \
-		sleep 2; \
-	done
-	@if curl -sf http://localhost:$${PORT:-8080}/health > /dev/null 2>&1; then \
-		echo ""; \
-		echo "✓ Multica is running!"; \
-		echo "  Frontend: http://localhost:$${FRONTEND_PORT:-3000}"; \
-		echo "  Backend:  http://localhost:$${PORT:-8080}"; \
-		echo ""; \
-		echo "Log in: configure RESEND_API_KEY in .env for email codes,"; \
-		echo "        or set APP_ENV=development in .env (private networks only) to enable code 888888."; \
-		echo ""; \
-		echo "Built images locally via docker-compose.selfhost.build.yml."; \
-		echo "Local tags: multica-backend:dev and multica-web:dev."; \
-		echo ""; \
-		echo "Next — install the CLI and connect your machine:"; \
-		echo "  brew install multica-ai/tap/multica"; \
-		echo "  multica setup self-host"; \
-	else \
-		echo ""; \
-		echo "Services are still starting. Check logs:"; \
-		echo "  docker compose -f docker-compose.selfhost.yml logs"; \
-	fi
-
-selfhost-stop: ## Stop the self-hosted Docker Compose stack
+# Stop all Docker Compose self-host services
+selfhost-stop:
 	@echo "==> Stopping Multica services..."
 	docker compose -f docker-compose.selfhost.yml down
 	@echo "✓ All services stopped."

 # ---------- One-click commands ----------
-##@ One-click

-setup: ## Prepare the current checkout from its env file: install deps, ensure DB, run migrations
+# First-time setup: install deps, start DB, run migrations
+setup:
 	$(REQUIRE_ENV)
 	@echo "==> Using env file: $(ENV_FILE)"
 	@echo "==> Installing dependencies..."
@@ -163,7 +97,8 @@ setup: ## Prepare the current checkout from its env file: install deps, ensure D
 	@echo ""
 	@echo "✓ Setup complete! Run 'make start' to launch the app."

-start: ## Start backend and frontend for the current checkout and run migrations first
+# Start all services (backend + frontend)
+start:
 	$(REQUIRE_ENV)
 	@echo "Using env file: $(ENV_FILE)"
 	@echo "Backend: http://localhost:$(PORT)"
@@ -177,7 +112,8 @@ start: ## Start backend and frontend for the current checkout and run migrations
 		pnpm dev:web & \
 		wait

-stop: ## Stop backend and frontend processes for the current checkout
+# Stop all services
+stop:
 	$(REQUIRE_ENV)
 	@echo "Stopping services..."
 	@-lsof -ti:$(PORT) | xargs kill -9 2>/dev/null
@@ -189,52 +125,33 @@ stop: ## Stop backend and frontend processes for the current checkout
 			echo "✓ App processes stopped. Remote PostgreSQL was not affected." ;; \
 	esac

-check: ## Run typecheck, TS tests, Go tests, and Playwright E2E for the current checkout
+# Full verification: typecheck + unit tests + Go tests + E2E
+check:
 	$(REQUIRE_ENV)
 	@ENV_FILE="$(ENV_FILE)" bash scripts/check.sh

-db-up: ## Start the shared PostgreSQL container used by main and worktrees
+db-up:
 	@$(COMPOSE) up -d postgres

-db-down: ## Stop the shared PostgreSQL container without removing its Docker volume
+db-down:
 	@$(COMPOSE) down

-# Drop + recreate the current env's database, then run all migrations.
-# Use for a clean slate in local dev. Only affects the DB named in
-# ENV_FILE (POSTGRES_DB); the shared postgres container and other
-# worktree DBs are untouched. Refuses to run against a remote host.
-db-reset: ## Drop and recreate the current env's database, then re-run all migrations
-	$(REQUIRE_ENV)
-	@case "$(DATABASE_URL)" in \
-		""|*@localhost:*|*@localhost/*|*@127.0.0.1:*|*@127.0.0.1/*|*@\[::1\]:*|*@\[::1\]/*) ;; \
-		*) echo "Refusing to reset: DATABASE_URL points at a remote host."; exit 1 ;; \
-	esac
-	@bash scripts/ensure-postgres.sh "$(ENV_FILE)"
-	@echo "==> Dropping and recreating database '$(POSTGRES_DB)'..."
-	@$(COMPOSE) exec -T postgres psql -U $(POSTGRES_USER) -d postgres -v ON_ERROR_STOP=1 \
-		-c "DROP DATABASE IF EXISTS \"$(POSTGRES_DB)\" WITH (FORCE);" \
-		-c "CREATE DATABASE \"$(POSTGRES_DB)\";"
-	@echo "==> Running migrations..."
-	cd server && go run ./cmd/migrate up
-	@echo ""
-	@echo "✓ Database '$(POSTGRES_DB)' reset. Run 'make start' to launch the app."
-
-worktree-env: ## Generate .env.worktree with a unique DB name and app ports for this worktree
+worktree-env:
 	@bash scripts/init-worktree-env.sh .env.worktree

-setup-main: ## Prepare the main checkout using .env
+setup-main:
 	@$(MAKE) setup ENV_FILE=$(MAIN_ENV_FILE)

-start-main: ## Start the main checkout using .env
+start-main:
 	@$(MAKE) start ENV_FILE=$(MAIN_ENV_FILE)

-stop-main: ## Stop the main checkout processes defined by .env
+stop-main:
 	@$(MAKE) stop ENV_FILE=$(MAIN_ENV_FILE)

-check-main: ## Run the full verification pipeline for the main checkout
+check-main:
 	@ENV_FILE=$(MAIN_ENV_FILE) bash scripts/check.sh

-setup-worktree: ## Ensure .env.worktree exists, then prepare this worktree
+setup-worktree:
 	@if [ ! -f "$(WORKTREE_ENV_FILE)" ]; then \
 		echo "==> Generating $(WORKTREE_ENV_FILE) with unique ports..."; \
 		bash scripts/init-worktree-env.sh $(WORKTREE_ENV_FILE); \
@@ -243,68 +160,65 @@ setup-worktree: ## Ensure .env.worktree exists, then prepare this worktree
 	fi
 	@$(MAKE) setup ENV_FILE=$(WORKTREE_ENV_FILE)

-start-worktree: ## Start this worktree using .env.worktree
+start-worktree:
 	@$(MAKE) start ENV_FILE=$(WORKTREE_ENV_FILE)

-stop-worktree: ## Stop this worktree's backend and frontend processes
+stop-worktree:
 	@$(MAKE) stop ENV_FILE=$(WORKTREE_ENV_FILE)

-check-worktree: ## Run the full verification pipeline for this worktree
+check-worktree:
 	@ENV_FILE=$(WORKTREE_ENV_FILE) bash scripts/check.sh

 # ---------- Individual commands ----------
-##@ Individual commands

-dev: ## Bootstrap this checkout end-to-end: create env if needed, ensure DB, migrate, start services
+# One-command dev: auto-setup env/deps/db/migrations, then start all services
+dev:
 	@bash scripts/dev.sh

-server: ## Run only the Go server for the current checkout
+# Go server only
+server:
 	$(REQUIRE_ENV)
 	@bash scripts/ensure-postgres.sh "$(ENV_FILE)"
 	cd server && go run ./cmd/server

-daemon: ## Restart the local agent daemon using the CLI's stored auth/session
+daemon:
 	@$(MAKE) multica MULTICA_ARGS="daemon restart --profile local"

-cli: ## Run the multica CLI with ARGS or MULTICA_ARGS from source
+cli:
 	@$(MAKE) multica MULTICA_ARGS="$(MULTICA_ARGS)"

-multica: ## Run the multica CLI entrypoint directly from the Go source tree
+multica:
 	cd server && go run ./cmd/multica $(MULTICA_ARGS)

 VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
 COMMIT  ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo unknown)
 DATE    ?= $(shell date -u '+%Y-%m-%dT%H:%M:%SZ')

-build: ## Build the server, CLI, and migrate binaries into server/bin
+build:
 	cd server && go build -o bin/server ./cmd/server
 	cd server && go build -ldflags "-X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(DATE)" -o bin/multica ./cmd/multica
 	cd server && go build -o bin/migrate ./cmd/migrate

-test: ## Run Go tests after ensuring the target DB exists and migrations are applied
+test:
 	$(REQUIRE_ENV)
 	@bash scripts/ensure-postgres.sh "$(ENV_FILE)"
 	cd server && go run ./cmd/migrate up
 	cd server && go test ./...

 # Database
-##@ Database
-
-migrate-up: ## Create the target DB if needed, then apply database migrations
+migrate-up:
 	$(REQUIRE_ENV)
 	@bash scripts/ensure-postgres.sh "$(ENV_FILE)"
 	cd server && go run ./cmd/migrate up

-migrate-down: ## Create the target DB if needed, then roll back database migrations
+migrate-down:
 	$(REQUIRE_ENV)
 	@bash scripts/ensure-postgres.sh "$(ENV_FILE)"
 	cd server && go run ./cmd/migrate down

-sqlc: ## Regenerate sqlc code
+sqlc:
 	cd server && sqlc generate

 # Cleanup
-##@ Cleanup
-
-clean: ## Remove generated server binaries and temp files
+clean:
 	rm -rf server/bin server/tmp
--- a/README.md
+++ b/README.md
@@ -85,8 +85,7 @@ multica setup          # Connect to Multica Cloud, log in, start daemon
 > multica setup self-host
 > ```
 >
-> This pulls the official Multica images from GHCR (latest stable by default). Requires Docker. See the [Self-Hosting Guide](SELF_HOSTING.md) for details.
-> If the selected GHCR tag has not been published yet, fall back to `make selfhost-build` from a checkout.
+> Requires Docker. See the [Self-Hosting Guide](SELF_HOSTING.md) for details.

 ---

--- a/SELF_HOSTING.md
+++ b/SELF_HOSTING.md
@@ -24,9 +24,9 @@ curl -fsSL https://raw.githubusercontent.com/multica-ai/multica/main/scripts/ins
 multica setup self-host
 ```

-This installs the `multica` CLI, checks out the latest self-host assets, pulls the official Multica images from GHCR, and configures everything for localhost.
+This clones the repository, starts all services via Docker Compose, installs the `multica` CLI, then configures it for localhost.

-Open http://localhost:3000. To log in, configure `RESEND_API_KEY` in `.env` for email-based codes (recommended), or set `APP_ENV=development` in `.env` to enable the dev master code **`888888`**. See [Step 2 — Log In](#step-2--log-in) for details.
+Open http://localhost:3000, log in with any email + verification code **`888888`**.

 > **Prerequisites:** Docker and Docker Compose must be installed. The script checks for this and provides install links if missing.
 >
@@ -54,10 +54,6 @@ make selfhost

 `make selfhost` automatically creates `.env` from the example, generates a random `JWT_SECRET`, and starts all services via Docker Compose.

-By default it pulls the latest stable release images from GHCR. To build the backend/web from your current checkout instead, run `make selfhost-build`.
-If the selected GHCR tag has not been published yet, `make selfhost` now tells you to fall back to `make selfhost-build`.
-`make selfhost-build` uses local `multica-backend:dev` / `multica-web:dev` tags, so it does not overwrite the pulled `:latest` images.
-
 Once ready:

 - **Frontend:** http://localhost:3000
@@ -67,15 +63,9 @@ Once ready:

 ### Step 2 — Log In

-Open http://localhost:3000 in your browser. The Docker self-host stack defaults to `APP_ENV=production` (set in `docker-compose.selfhost.yml`), so the dev master code is **disabled by default** for safety on public deployments. Pick one of the following to log in:
+Open http://localhost:3000 in your browser. Enter any email address and use verification code **`888888`** to log in.

- **Recommended (production):** configure `RESEND_API_KEY` in `.env`, then restart the backend. Real verification codes will be sent to the email address you enter. See [Advanced Configuration → Email](SELF_HOSTING_ADVANCED.md#email-required-for-authentication).
- **Evaluation / private network:** set `APP_ENV=development` in `.env` and restart the backend. Verification code **`888888`** will then work for any email address.
- **Without configuring either:** the verification code is generated server-side and printed to the backend container logs (look for `[DEV] Verification code for ...:`). Useful for one-off testing on a single machine.
-
-Changes to `ALLOW_SIGNUP` and `GOOGLE_CLIENT_ID` also take effect after restarting the backend / compose stack. The web UI reads both from `/api/config` at runtime, so no web rebuild is needed.
-
-> **Warning:** do **not** set `APP_ENV=development` on a publicly reachable instance — anyone who knows an email address can then log in with `888888`.
+> This master code works in all non-production environments (i.e. when `APP_ENV` is not set to `production`). For production, configure an email provider — see [Advanced Configuration](SELF_HOSTING_ADVANCED.md#email-required-for-authentication).

 ### Step 3 — Install CLI & Start Daemon

@@ -162,15 +152,14 @@ This reconfigures the CLI for multica.ai, re-authenticates, and restarts the dae

 > Your local Docker services are unaffected. Stop them separately if you no longer need them.

-## Upgrading
+## Rebuilding After Updates

 ```bash
-docker compose -f docker-compose.selfhost.yml pull
-docker compose -f docker-compose.selfhost.yml up -d
+git pull
+make selfhost
 ```

-Pin `MULTICA_IMAGE_TAG` in `.env` to an exact version like `v0.2.4` if you want to stay on a specific release. Migrations run automatically on backend startup.
-If the selected GHCR tag has not been published yet, fall back to `make selfhost-build` or `docker compose -f docker-compose.selfhost.yml -f docker-compose.selfhost.build.yml up -d --build`.
+Migrations run automatically on backend startup.

 ---

@@ -193,7 +182,6 @@ JWT_SECRET=$(openssl rand -hex 32)
 Then start everything:

 ```bash
-docker compose -f docker-compose.selfhost.yml pull
 docker compose -f docker-compose.selfhost.yml up -d
 ```

--- a/SELF_HOSTING_ADVANCED.md
+++ b/SELF_HOSTING_ADVANCED.md
@@ -14,15 +14,6 @@ All configuration is done via environment variables. Copy `.env.example` as a st
 | `JWT_SECRET` | **Must change from default.** Secret key for signing JWT tokens. Use a long random string. | `openssl rand -hex 32` |
 | `FRONTEND_ORIGIN` | URL where the frontend is served (used for CORS) | `https://app.example.com` |

-### Database Pool Tuning (Optional)
-
-These have sensible defaults and only need to be set when tuning a large or constrained deployment. Precedence (highest first): env var → `pool_*` query params on `DATABASE_URL` → built-in default.
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `DATABASE_MAX_CONNS` | pgxpool max connections per pod. `pod_count × DATABASE_MAX_CONNS` should stay well below the Postgres `max_connections` ceiling. With a connection pooler (PgBouncer / RDS Proxy / Supavisor) in front, this can be raised significantly. | `25` |
-| `DATABASE_MIN_CONNS` | pgxpool warm baseline connections per pod. Auto-clamped to `DATABASE_MAX_CONNS`. | `5` |
-
 ### Email (Required for Authentication)

 Multica uses email-based magic link authentication via [Resend](https://resend.com).
@@ -32,7 +23,7 @@ Multica uses email-based magic link authentication via [Resend](https://resend.c
 | `RESEND_API_KEY` | Your Resend API key |
 | `RESEND_FROM_EMAIL` | Sender email address (default: `noreply@multica.ai`) |

-> **Note:** The dev master verification code `888888` is gated by `APP_ENV != "production"`. The Docker self-host stack defaults to `APP_ENV=production` (so `888888` is disabled), which protects publicly reachable instances. For local development without email configured, set `APP_ENV=development` in your `.env` to enable `888888` — never do this on a public instance.
+> **Note:** For local/development deployments without email configured, you can use the master verification code `888888` to log in.

 ### Google OAuth (Optional)

@@ -42,18 +33,6 @@ Multica uses email-based magic link authentication via [Resend](https://resend.c
 | `GOOGLE_CLIENT_SECRET` | Google OAuth client secret |
 | `GOOGLE_REDIRECT_URI` | OAuth callback URL (e.g. `https://app.example.com/auth/callback`) |

-Changes take effect after restarting the backend / compose stack. The web UI reads `GOOGLE_CLIENT_ID` from `/api/config` at runtime, so no web rebuild is needed.
-
-### Signup Controls (Optional)
-
-| Variable | Description |
-|----------|-------------|
-| `ALLOW_SIGNUP` | Set to `false` to disable new user signups on a private instance |
-| `ALLOWED_EMAIL_DOMAINS` | Optional comma-separated allowlist of email domains |
-| `ALLOWED_EMAILS` | Optional comma-separated allowlist of exact email addresses |
-
-Changes take effect after restarting the backend / compose stack. The web UI reads `ALLOW_SIGNUP` from `/api/config` at runtime, so no web rebuild is needed.
-
 ### File Storage (Optional)

 For file uploads and attachments, configure S3 and CloudFront:
@@ -65,14 +44,7 @@ For file uploads and attachments, configure S3 and CloudFront:
 | `CLOUDFRONT_DOMAIN` | CloudFront distribution domain |
 | `CLOUDFRONT_KEY_PAIR_ID` | CloudFront key pair ID for signed URLs |
 | `CLOUDFRONT_PRIVATE_KEY` | CloudFront private key (PEM format) |
-
-### Cookies
-
-| Variable | Description |
-|----------|-------------|
-| `COOKIE_DOMAIN` | Optional `Domain` attribute for session + CloudFront cookies. **Leave empty** for single-host deployments (localhost, LAN IP, or a single hostname). Only set it when the frontend and backend sit on different subdomains of one registered domain (e.g. `.example.com`). **Do not use an IP literal** — RFC 6265 forbids IP addresses in the cookie `Domain` attribute and browsers will drop such `Set-Cookie` headers. |
-
-The `Secure` flag on session cookies is derived automatically from the scheme of `FRONTEND_ORIGIN`: HTTPS origins get `Secure` cookies; plain-HTTP origins (LAN / private-network self-host) get non-secure cookies so the browser can actually store them.
+| `COOKIE_DOMAIN` | Domain for CloudFront auth cookies |

 ### Server

@@ -246,7 +218,7 @@ When using separate domains for frontend and backend, set these environment vari
 FRONTEND_ORIGIN=https://app.example.com
 CORS_ALLOWED_ORIGINS=https://app.example.com

-# Frontend (only if you are building the web image from source via docker-compose.selfhost.build.yml)
+# Frontend (set before building the frontend image)
 REMOTE_API_URL=https://api.example.com
 NEXT_PUBLIC_API_URL=https://api.example.com
 NEXT_PUBLIC_WS_URL=wss://api.example.com/ws
@@ -262,15 +234,15 @@ FRONTEND_ORIGIN=http://192.168.1.100:3000
 CORS_ALLOWED_ORIGINS=http://192.168.1.100:3000
 ```

-Then restart the stack:
+Then rebuild:

 ```bash
-docker compose -f docker-compose.selfhost.yml up -d
+docker compose -f docker-compose.selfhost.yml up -d --build
 ```

 The frontend automatically derives the WebSocket URL from the page address, so real-time features (chat streaming, live issue updates, notifications) work over LAN without extra configuration.

-> **Note:** If you need to hard-code a different public API / WebSocket endpoint into the web image, use the source-build override: `docker compose -f docker-compose.selfhost.yml -f docker-compose.selfhost.build.yml up -d --build`.
+> **Note:** If you need to override the WebSocket URL explicitly (e.g. when using a separate backend domain), set `NEXT_PUBLIC_WS_URL` in `.env` and rebuild the frontend image.

 ## Health Check

@@ -286,9 +258,8 @@ Use this for load balancer health checks or monitoring.
 ## Upgrading

 ```bash
-docker compose -f docker-compose.selfhost.yml pull
-docker compose -f docker-compose.selfhost.yml up -d
+git pull
+docker compose -f docker-compose.selfhost.yml up -d --build
 ```

-Pin `MULTICA_IMAGE_TAG` in `.env` to an exact release like `v0.2.4` if you want to stay on a specific version. Migrations run automatically on backend startup. They are idempotent — running them multiple times has no effect.
-If the selected GHCR tag has not been published yet, fall back to `docker compose -f docker-compose.selfhost.yml -f docker-compose.selfhost.build.yml up -d --build`.
+Migrations run automatically on backend startup. They are idempotent — running them multiple times has no effect.
--- a/apps/desktop/electron-builder.yml
+++ b/apps/desktop/electron-builder.yml
@@ -21,34 +21,25 @@ mac:
    - zip
  # Hardcoded name avoids the `@multica/desktop-*` subdirectory that
  # `${name}` produces for scoped package names.
-  # Naming scheme: multica-desktop-<version>-<platform>-<arch>.<ext>
-  # so the filename alone surfaces kind, version, platform, and CPU arch.
-  artifactName: multica-desktop-${version}-mac-${arch}.${ext}
+  artifactName: multica-desktop-${version}-${arch}.${ext}
  # Notarize via notarytool. Requires APPLE_ID + APPLE_APP_SPECIFIC_PASSWORD
  # + APPLE_TEAM_ID env vars at package time. Non-mac contributors are
  # unaffected because `pnpm package` already requires the Developer ID
  # signing cert — notarization is a strict superset.
  notarize: true
 dmg:
-  artifactName: multica-desktop-${version}-mac-${arch}.${ext}
+  artifactName: multica-desktop-${version}-${arch}.${ext}
 linux:
  target:
    - AppImage
    - deb
-    - rpm
-  artifactName: multica-desktop-${version}-linux-${arch}.${ext}
+  artifactName: ${name}-${version}-${arch}.${ext}
 win:
  target:
    - nsis
-  artifactName: multica-desktop-${version}-windows-${arch}.${ext}
+  artifactName: ${name}-${version}-setup.${ext}
 publish:
  provider: github
  owner: multica-ai
  repo: multica
-  # Align with our CLI release flow which pre-creates a *published* GitHub
-  # Release via `gh release create`. The electron-builder default of
-  # `releaseType: draft` conflicts with `existingType=release` and causes
-  # uploads of the DMG/ZIP/blockmaps/latest-mac.yml to be silently skipped,
-  # which breaks electron-updater auto-update on installed clients.
-  releaseType: release
 npmRebuild: false
--- a/apps/desktop/eslint.config.mjs
+++ b/apps/desktop/eslint.config.mjs
@@ -10,28 +10,4 @@ export default [
      globals: { ...globals.node },
    },
  },
-  // Security: every renderer-controlled URL that reaches the OS shell must
-  // flow through openExternalSafely in src/main/external-url.ts (scheme
-  // allowlist). Enforce it statically so a direct shell.openExternal call
-  // cannot silently regress the protection.
-  {
-    files: ["src/main/**/*.ts"],
-    rules: {
-      "no-restricted-syntax": [
-        "error",
-        {
-          selector:
-            "CallExpression[callee.object.name='shell'][callee.property.name='openExternal']",
-          message:
-            "Do not call shell.openExternal directly. Use openExternalSafely from './external-url' so the http/https allowlist stays enforced.",
-        },
-      ],
-    },
-  },
-  {
-    files: ["src/main/external-url.ts"],
-    rules: {
-      "no-restricted-syntax": "off",
-    },
-  },
 ];
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -2,31 +2,17 @@
  "name": "@multica/desktop",
  "version": "0.1.0",
  "private": true,
-  "description": "Multica Desktop — native desktop client for the Multica platform.",
-  "homepage": "https://multica.ai",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/multica-ai/multica.git",
-    "directory": "apps/desktop"
-  },
-  "author": {
-    "name": "Multica",
-    "email": "support@multica.ai"
-  },
-  "license": "UNLICENSED",
  "main": "./out/main/index.js",
  "scripts": {
    "bundle-cli": "node scripts/bundle-cli.mjs",
    "brand-dev-electron": "node scripts/brand-dev-electron.mjs",
    "dev": "pnpm run bundle-cli && pnpm run brand-dev-electron && electron-vite dev",
-    "dev:staging": "pnpm run bundle-cli && pnpm run brand-dev-electron && electron-vite dev --mode staging",
    "build": "pnpm run bundle-cli && electron-vite build",
    "typecheck:node": "tsc --noEmit -p tsconfig.node.json --composite false",
    "typecheck:web": "tsc --noEmit -p tsconfig.web.json --composite false",
    "typecheck": "pnpm run typecheck:node && pnpm run typecheck:web",
    "preview": "electron-vite preview",
    "package": "node scripts/package.mjs",
-    "package:all": "node scripts/package.mjs --all-platforms --publish never",
    "lint": "eslint .",
    "test": "vitest run",
    "postinstall": "electron-builder install-app-deps"
@@ -39,7 +25,6 @@
    "@electron-toolkit/preload": "^3.0.2",
    "@electron-toolkit/utils": "^4.0.0",
    "@fontsource-variable/inter": "^5.2.5",
-    "@fontsource-variable/source-serif-4": "^5.2.9",
    "@fontsource/geist-mono": "^5.2.7",
    "@multica/core": "workspace:*",
    "@multica/ui": "workspace:*",
--- a/apps/desktop/scripts/bundle-cli.mjs
+++ b/apps/desktop/scripts/bundle-cli.mjs
@@ -13,7 +13,7 @@
 // skip the build and fall through to auto-install at runtime. A genuine
 // Go compile error is fatal — you want that to block dev, not hide.

-import { access, chmod, copyFile, mkdir, rm } from "node:fs/promises";
+import { access, chmod, copyFile, mkdir } from "node:fs/promises";
 import { constants } from "node:fs";
 import { execFileSync, execSync } from "node:child_process";
 import { dirname, join, resolve } from "node:path";
@@ -23,54 +23,8 @@ const here = dirname(fileURLToPath(import.meta.url));
 const repoRoot = resolve(here, "..", "..", "..");
 const serverDir = join(repoRoot, "server");

-const PLATFORM_TO_GOOS = {
-  darwin: "darwin",
-  linux: "linux",
-  win32: "windows",
-};
-
-const SUPPORTED_ARCHS = new Set(["x64", "arm64"]);
-
-function runtimePlatformFromArgs(argv) {
-  const flagIndex = argv.indexOf("--target-platform");
-  if (flagIndex === -1) return process.platform;
-  return argv[flagIndex + 1] ?? "";
-}
-
-function runtimeArchFromArgs(argv) {
-  const flagIndex = argv.indexOf("--target-arch");
-  if (flagIndex === -1) return process.arch;
-  return argv[flagIndex + 1] ?? "";
-}
-
-function normalizeRuntimePlatform(platform) {
-  if (platform in PLATFORM_TO_GOOS) return platform;
-  throw new Error(
-    `[bundle-cli] unsupported target platform: ${platform}. ` +
-      "Use darwin, linux, or win32.",
-  );
-}
-
-function normalizeRuntimeArch(arch) {
-  if (SUPPORTED_ARCHS.has(arch)) return arch;
-  throw new Error(
-    `[bundle-cli] unsupported target architecture: ${arch}. ` +
-      "Use x64 or arm64.",
-  );
-}
-
-function binaryNameForPlatform(platform) {
-  return platform === "win32" ? "multica.exe" : "multica";
-}
-
-const targetPlatform = normalizeRuntimePlatform(
-  runtimePlatformFromArgs(process.argv.slice(2)),
-);
-const targetArch = normalizeRuntimeArch(runtimeArchFromArgs(process.argv.slice(2)));
-const goos = PLATFORM_TO_GOOS[targetPlatform];
-const goarch = targetArch === "x64" ? "amd64" : targetArch;
-const binName = binaryNameForPlatform(targetPlatform);
-const srcBinary = join(serverDir, "bin", `${goos}-${goarch}`, binName);
+const binName = process.platform === "win32" ? "multica.exe" : "multica";
+const srcBinary = join(serverDir, "bin", binName);
 const destDir = join(repoRoot, "apps", "desktop", "resources", "bin");
 const destBinary = join(destDir, binName);

@@ -107,9 +61,8 @@ if (hasGo()) {
  const ldflags = `-X main.version=${version} -X main.commit=${commit} -X main.date=${date}`;

  console.log(
-    `[bundle-cli] go build → ${srcBinary} (${goos}/${goarch}, version=${version} commit=${commit})`,
+    `[bundle-cli] go build → ${srcBinary} (version=${version} commit=${commit})`,
  );
-  await mkdir(join(serverDir, "bin", `${goos}-${goarch}`), { recursive: true });
  execFileSync(
    "go",
    [
@@ -117,19 +70,10 @@ if (hasGo()) {
      "-ldflags",
      ldflags,
      "-o",
-      srcBinary,
+      join("bin", binName),
      "./cmd/multica",
    ],
-    {
-      cwd: serverDir,
-      stdio: "inherit",
-      env: {
-        ...process.env,
-        CGO_ENABLED: "0",
-        GOOS: goos,
-        GOARCH: goarch,
-      },
-    },
+    { cwd: serverDir, stdio: "inherit" },
  );
 } else {
  console.warn(
@@ -144,11 +88,9 @@ if (!(await exists(srcBinary))) {
    `[bundle-cli] ${srcBinary} not present — Desktop will fall back to ` +
      `auto-installing the latest release at runtime.`,
  );
-  await rm(destDir, { recursive: true, force: true });
  process.exit(0);
 }

-await rm(destDir, { recursive: true, force: true });
 await mkdir(destDir, { recursive: true });
 await copyFile(srcBinary, destBinary);
 await chmod(destBinary, 0o755);
--- a/apps/desktop/scripts/package.mjs
+++ b/apps/desktop/scripts/package.mjs
@@ -5,11 +5,11 @@
 // binary via the `main.version` ldflag — so a single `vX.Y.Z` tag push
 // produces matching CLI and Desktop versions.
 //
-// Builds the Electron bundles once, then for each requested target
-// (platform + arch) compiles the matching Go CLI into resources/bin/ and
-// invokes electron-builder with `-c.extraMetadata.version=<derived>` so
-// the override applies at build time without mutating the tracked
-// package.json.
+// Runs bundle-cli.mjs first (so the Go binary is compiled and copied
+// into resources/bin/), then `electron-vite build` to produce the
+// main/preload/renderer bundles under out/, then invokes electron-builder
+// with `-c.extraMetadata.version=<derived>` so the override applies at
+// build time without mutating the tracked package.json.
 //
 // The electron-vite step is important: electron-builder only packages
 // whatever is already in out/, so skipping it (or relying on stale
@@ -25,50 +25,11 @@
 // version-derivation logic without shelling out.

 import { execFileSync, spawnSync, execSync } from "node:child_process";
-import { delimiter, dirname, resolve } from "node:path";
+import { dirname, resolve } from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";

 const here = dirname(fileURLToPath(import.meta.url));
 const desktopRoot = resolve(here, "..");
-const bundleCliScript = resolve(here, "bundle-cli.mjs");
-
-const PLATFORM_CONFIG = {
-  mac: {
-    aliases: new Set(["--mac", "--macos", "-m"]),
-    builderFlag: "--mac",
-    runtimePlatform: "darwin",
-    label: "macOS",
-  },
-  win: {
-    aliases: new Set(["--win", "--windows", "-w"]),
-    builderFlag: "--win",
-    runtimePlatform: "win32",
-    label: "Windows",
-  },
-  linux: {
-    aliases: new Set(["--linux", "-l"]),
-    builderFlag: "--linux",
-    runtimePlatform: "linux",
-    label: "Linux",
-  },
-};
-
-const ARCH_FLAGS = new Map([
-  ["--x64", "x64"],
-  ["--arm64", "arm64"],
-  ["--ia32", "ia32"],
-  ["--armv7l", "armv7l"],
-  ["--universal", "universal"],
-]);
-
-const SUPPORTED_CLI_ARCHS = new Set(["x64", "arm64"]);
-const MAC_ALL_PLATFORM_TARGETS = [
-  { platform: "mac", arch: "arm64" },
-  { platform: "win", arch: "x64" },
-  { platform: "win", arch: "arm64" },
-  { platform: "linux", arch: "x64" },
-  { platform: "linux", arch: "arm64" },
-];

 function sh(cmd) {
  try {
@@ -116,231 +77,20 @@ function deriveVersion() {
  return normalizeGitVersion(sh("git describe --tags --always --dirty"));
 }

-function uniqueOrdered(values) {
-  return [...new Set(values)];
-}
-
-export function envWithLocalBins(env = process.env, root = desktopRoot) {
-  const pathKey =
-    Object.keys(env).find((key) => key.toUpperCase() === "PATH") ?? "PATH";
-  const existingPath = env[pathKey] ?? "";
-  const localBins = uniqueOrdered([
-    resolve(root, "node_modules", ".bin"),
-    resolve(root, "..", "..", "node_modules", ".bin"),
-  ]);
-  const mergedPath = uniqueOrdered([
-    ...localBins,
-    ...String(existingPath)
-      .split(delimiter)
-      .filter(Boolean),
-  ]).join(delimiter);
-  return { ...env, [pathKey]: mergedPath };
-}
-
-function hostPlatformKey(platform = process.platform) {
-  if (platform === "darwin") return "mac";
-  if (platform === "win32") return "win";
-  if (platform === "linux") return "linux";
-  throw new Error(`[package] unsupported host platform: ${platform}`);
-}
-
-function hostArchKey(arch = process.arch) {
-  if (SUPPORTED_CLI_ARCHS.has(arch)) return arch;
-  throw new Error(
-    `[package] unsupported host architecture for Desktop CLI bundling: ${arch}`,
-  );
-}
-
-function expandPlatformShorthand(token) {
-  if (!/^-[mwl]{2,}$/.test(token)) return null;
-  const expanded = [];
-  for (const char of token.slice(1)) {
-    if (char === "m") expanded.push("mac");
-    if (char === "w") expanded.push("win");
-    if (char === "l") expanded.push("linux");
-  }
-  return uniqueOrdered(expanded);
-}
-
-function platformKeyForToken(token) {
-  for (const [platform, config] of Object.entries(PLATFORM_CONFIG)) {
-    if (config.aliases.has(token)) return platform;
-  }
-  return null;
-}
-
-function platformTargetsTemplate() {
-  return { mac: [], win: [], linux: [] };
-}
-
-export function parsePackageArgs(argv) {
-  const sharedArgs = [];
-  const platformTargets = platformTargetsTemplate();
-  const requestedPlatforms = [];
-  const requestedArchs = [];
-  let allPlatforms = false;
-
-  for (let i = 0; i < argv.length; i += 1) {
-    const token = argv[i];
-    if (token === "--all-platforms") {
-      allPlatforms = true;
-      continue;
-    }
-
-    const expandedPlatforms = expandPlatformShorthand(token);
-    if (expandedPlatforms) {
-      requestedPlatforms.push(...expandedPlatforms);
-      continue;
-    }
-
-    const platform = platformKeyForToken(token);
-    if (platform) {
-      requestedPlatforms.push(platform);
-      while (i + 1 < argv.length && !argv[i + 1].startsWith("-")) {
-        platformTargets[platform].push(argv[i + 1]);
-        i += 1;
-      }
-      continue;
-    }
-
-    const arch = ARCH_FLAGS.get(token);
-    if (arch) {
-      requestedArchs.push(arch);
-      continue;
-    }
-
-    sharedArgs.push(token);
-  }
-
-  return {
-    allPlatforms,
-    sharedArgs,
-    platformTargets,
-    requestedPlatforms: uniqueOrdered(requestedPlatforms),
-    requestedArchs: uniqueOrdered(requestedArchs),
-  };
-}
-
-export function resolveBuildMatrix(parsed, platform = process.platform, arch = process.arch) {
-  if (parsed.allPlatforms) {
-    if (parsed.requestedPlatforms.length > 0 || parsed.requestedArchs.length > 0) {
-      throw new Error(
-        "[package] --all-platforms cannot be combined with explicit platform or arch flags",
-      );
-    }
-    if (platform !== "darwin") {
-      throw new Error(
-        `[package] --all-platforms is only supported on macOS hosts (current: ${platform})`,
-      );
-    }
-    return MAC_ALL_PLATFORM_TARGETS.map((target) => ({ ...target }));
-  }
-
-  const platforms =
-    parsed.requestedPlatforms.length > 0
-      ? parsed.requestedPlatforms
-      : [hostPlatformKey(platform)];
-  const archs =
-    parsed.requestedArchs.length > 0
-      ? parsed.requestedArchs
-      : [hostArchKey(arch)];
-
-  const unsupported = archs.filter((value) => !SUPPORTED_CLI_ARCHS.has(value));
-  if (unsupported.length > 0) {
-    throw new Error(
-      `[package] unsupported Desktop CLI architecture(s): ${unsupported.join(", ")}. ` +
-        "Use --x64 or --arm64.",
-    );
-  }
-
-  return platforms.flatMap((targetPlatform) =>
-    archs.map((targetArch) => ({
-      platform: targetPlatform,
-      arch: targetArch,
-    })),
-  );
-}
-
-function formatTarget(target) {
-  return `${PLATFORM_CONFIG[target.platform].label} ${target.arch}`;
-}
-
-export function builderArgsForTarget(
-  target,
-  parsed,
-  version,
-  {
-    disableMacNotarize = false,
-    hostPlatform = process.platform,
-    useScopedOutputDir = false,
-  } = {},
-) {
-  const builderArgs = [];
-  if (version) builderArgs.push(`-c.extraMetadata.version=${version}`);
-  if (disableMacNotarize) builderArgs.push("-c.mac.notarize=false");
-  builderArgs.push(PLATFORM_CONFIG[target.platform].builderFlag);
-  const requestedTargets = parsed.platformTargets[target.platform];
-  if (
-    target.platform === "linux" &&
-    hostPlatform !== "linux" &&
-    requestedTargets.length === 0
-  ) {
-    // electron-builder only guarantees AppImage/Snap when cross-building
-    // Linux from macOS/Windows. Keep `package:all` portable by defaulting
-    // to AppImage unless the caller explicitly requests Linux targets.
-    builderArgs.push("AppImage");
-  } else {
-    builderArgs.push(...requestedTargets);
-  }
-  builderArgs.push(`--${target.arch}`);
-  builderArgs.push(...parsed.sharedArgs);
-  if (useScopedOutputDir) {
-    builderArgs.push(
-      `-c.directories.output=dist/${target.platform}-${target.arch}`,
-    );
-  }
-  // electron-builder's update metadata file is `latest.yml` for Windows
-  // regardless of arch (only Linux gets an arch suffix automatically — see
-  // app-builder-lib's getArchPrefixForUpdateFile). Without an explicit
-  // channel override, building Windows x64 and arm64 in two invocations
-  // makes both publish `latest.yml` to the same GitHub Release, so the
-  // second upload overwrites the first and one of the two architectures
-  // ends up with no auto-update metadata. Route Windows arm64 to its own
-  // channel so x64 keeps `latest.yml` and arm64 ships `latest-arm64.yml`;
-  // the renderer-side updater pins the matching channel per arch.
-  if (target.platform === "win" && target.arch === "arm64") {
-    builderArgs.push("-c.publish.channel=latest-arm64");
-  }
-  return builderArgs;
-}
-
 function main() {
-  const passthrough = stripLeadingSeparator(process.argv.slice(2));
-  const parsed = parsePackageArgs(passthrough);
-  const buildMatrix = resolveBuildMatrix(parsed);
-  console.log(
-    `[package] build matrix → ${buildMatrix.map(formatTarget).join(", ")}`,
-  );
+  // Step 1: build + bundle the Go CLI via the existing script.
+  execFileSync("node", [resolve(here, "bundle-cli.mjs")], {
+    stdio: "inherit",
+    cwd: desktopRoot,
+  });

-  // Step 1: build the Electron main/preload/renderer bundles. Without
+  // Step 2: build the Electron main/preload/renderer bundles. Without
  // this step electron-builder silently packages whatever is already in
  // out/, which on a fresh checkout (or after a partial build) ships an
  // app that white-screens because the renderer bundle is missing.
-  //
-  // CI invokes this script via `node scripts/package.mjs`, so we cannot
-  // rely on pnpm/npm to inject package-local binaries into PATH.
-  //
-  // `shell: true` is required on Windows: `node_modules/.bin/electron-vite`
-  // ships as a `.cmd` shim there, and Node's `spawnSync` does not honour
-  // PATHEXT when spawning a bare command without a shell — it would fail
-  // with `ENOENT`. On POSIX hosts the shim is a real executable so going
-  // through the shell is harmless. See
-  // https://nodejs.org/api/child_process.html#spawning-bat-and-cmd-files-on-windows
  const viteResult = spawnSync("electron-vite", ["build"], {
    stdio: "inherit",
    cwd: desktopRoot,
-    env: envWithLocalBins(),
-    shell: true,
  });
  if (viteResult.error) {
    console.error(
@@ -353,7 +103,7 @@ function main() {
    process.exit(viteResult.status ?? 1);
  }

-  // Step 2: derive the version that should be written into the app.
+  // Step 3: derive the version that should be written into the app.
  const version = deriveVersion();
  if (version) {
    console.log(`[package] Desktop version → ${version} (from git describe)`);
@@ -363,62 +113,43 @@ function main() {
    );
  }

-  const disableMacNotarize = !process.env.APPLE_TEAM_ID;
-  if (disableMacNotarize) {
+  // Step 4: assemble electron-builder args.
+  const passthrough = stripLeadingSeparator(process.argv.slice(2));
+  const builderArgs = [];
+  if (version) builderArgs.push(`-c.extraMetadata.version=${version}`);
+
+  // Step 5: gracefully degrade for local dev builds. electron-builder.yml
+  // sets `notarize: true` so real releases notarize in-build (keeping the
+  // stapled .app consistent with latest-mac.yml's SHA512). But a mac dev
+  // who just wants to smoke-test a local package doesn't have Apple
+  // credentials, and would otherwise hit a hard failure at the notarize
+  // step. Detect the missing env and flip notarize off for this run only.
+  if (!process.env.APPLE_TEAM_ID) {
    console.warn(
      "[package] APPLE_TEAM_ID not set — skipping notarization (local dev build). " +
        "Set APPLE_ID + APPLE_APP_SPECIFIC_PASSWORD + APPLE_TEAM_ID for a release build.",
    );
+    builderArgs.push("-c.mac.notarize=false");
  }

-  const useScopedOutputDir = buildMatrix.length > 1;
+  builderArgs.push(...passthrough);

-  // Step 3: for each requested target, build the matching CLI into
-  // resources/bin/ and package that target in isolation.
-  for (const target of buildMatrix) {
-    console.log(`[package] bundling CLI → ${formatTarget(target)}`);
-    execFileSync(
-      "node",
-      [
-        bundleCliScript,
-        "--target-platform",
-        PLATFORM_CONFIG[target.platform].runtimePlatform,
-        "--target-arch",
-        target.arch,
-      ],
-      {
-        stdio: "inherit",
-        cwd: desktopRoot,
-      },
+  // Step 6: invoke electron-builder. pnpm puts node_modules/.bin on PATH
+  // for the script run, so spawnSync finds the binary without needing a
+  // shell wrapper (avoids any risk of argv interpolation).
+  const result = spawnSync("electron-builder", builderArgs, {
+    stdio: "inherit",
+    cwd: desktopRoot,
+  });
+
+  if (result.error) {
+    console.error(
+      "[package] failed to spawn electron-builder:",
+      result.error.message,
    );
-
-    const builderArgs = builderArgsForTarget(target, parsed, version, {
-      disableMacNotarize,
-      hostPlatform: process.platform,
-      useScopedOutputDir,
-    });
-
-    // Step 4: invoke electron-builder for the current target only.
-    // `shell: true` for the same Windows `.cmd` shim reason as the
-    // electron-vite invocation above.
-    const result = spawnSync("electron-builder", builderArgs, {
-      stdio: "inherit",
-      cwd: desktopRoot,
-      env: envWithLocalBins(),
-      shell: true,
-    });
-
-    if (result.error) {
-      console.error(
-        "[package] failed to spawn electron-builder:",
-        result.error.message,
-      );
-      process.exit(1);
-    }
-    if (result.status !== 0) {
-      process.exit(result.status ?? 1);
-    }
+    process.exit(1);
  }
+  process.exit(result.status ?? 1);
 }

 // Only run when invoked as a CLI, not when imported by a test file.
--- a/apps/desktop/scripts/package.test.mjs
+++ b/apps/desktop/scripts/package.test.mjs
@@ -1,13 +1,5 @@
-import { delimiter, resolve } from "node:path";
 import { describe, it, expect } from "vitest";
-import {
-  builderArgsForTarget,
-  envWithLocalBins,
-  normalizeGitVersion,
-  parsePackageArgs,
-  resolveBuildMatrix,
-  stripLeadingSeparator,
-} from "./package.mjs";
+import { normalizeGitVersion, stripLeadingSeparator } from "./package.mjs";

 describe("normalizeGitVersion", () => {
  it("returns null for empty / nullish input", () => {
@@ -67,207 +59,3 @@ describe("stripLeadingSeparator", () => {
    expect(stripLeadingSeparator([])).toEqual([]);
  });
 });
-
-describe("parsePackageArgs", () => {
-  it("collects per-platform targets and shared args", () => {
-    expect(
-      parsePackageArgs([
-        "--win", "nsis",
-        "--mac", "dmg", "zip",
-        "--arm64",
-        "--publish", "never",
-      ]),
-    ).toEqual({
-      allPlatforms: false,
-      sharedArgs: ["--publish", "never"],
-      platformTargets: {
-        mac: ["dmg", "zip"],
-        win: ["nsis"],
-        linux: [],
-      },
-      requestedPlatforms: ["win", "mac"],
-      requestedArchs: ["arm64"],
-    });
-  });
-
-  it("expands combined short flags", () => {
-    expect(parsePackageArgs(["-mw", "--x64"]).requestedPlatforms).toEqual([
-      "mac",
-      "win",
-    ]);
-  });
-
-  it("tracks the all-platforms shortcut", () => {
-    expect(parsePackageArgs(["--all-platforms", "--publish", "never"]).allPlatforms).toBe(true);
-  });
-});
-
-describe("resolveBuildMatrix", () => {
-  it("defaults to the current host platform and arch", () => {
-    expect(
-      resolveBuildMatrix(
-        {
-          allPlatforms: false,
-          sharedArgs: [],
-          platformTargets: { mac: [], win: [], linux: [] },
-          requestedPlatforms: [],
-          requestedArchs: [],
-        },
-        "darwin",
-        "arm64",
-      ),
-    ).toEqual([{ platform: "mac", arch: "arm64" }]);
-  });
-
-  it("expands all-platforms on macOS", () => {
-    expect(
-      resolveBuildMatrix(
-        {
-          allPlatforms: true,
-          sharedArgs: [],
-          platformTargets: { mac: [], win: [], linux: [] },
-          requestedPlatforms: [],
-          requestedArchs: [],
-        },
-        "darwin",
-        "arm64",
-      ),
-    ).toEqual([
-      { platform: "mac", arch: "arm64" },
-      { platform: "win", arch: "x64" },
-      { platform: "win", arch: "arm64" },
-      { platform: "linux", arch: "x64" },
-      { platform: "linux", arch: "arm64" },
-    ]);
-  });
-
-  it("rejects unsupported architectures", () => {
-    expect(() =>
-      resolveBuildMatrix(
-        {
-          allPlatforms: false,
-          sharedArgs: [],
-          platformTargets: { mac: [], win: [], linux: [] },
-          requestedPlatforms: ["win"],
-          requestedArchs: ["universal"],
-        },
-        "darwin",
-        "arm64",
-      ),
-    ).toThrow(/unsupported Desktop CLI architecture/);
-  });
-});
-
-describe("builderArgsForTarget", () => {
-  it("adds scoped output directories for multi-target builds", () => {
-    expect(
-      builderArgsForTarget(
-        { platform: "win", arch: "arm64" },
-        {
-          allPlatforms: false,
-          sharedArgs: ["--publish", "never"],
-          platformTargets: { mac: [], win: ["nsis"], linux: [] },
-          requestedPlatforms: ["win"],
-          requestedArchs: ["arm64"],
-        },
-        "1.2.3",
-        {
-          disableMacNotarize: true,
-          hostPlatform: "darwin",
-          useScopedOutputDir: true,
-        },
-      ),
-    ).toEqual([
-      "-c.extraMetadata.version=1.2.3",
-      "-c.mac.notarize=false",
-      "--win",
-      "nsis",
-      "--arm64",
-      "--publish",
-      "never",
-      "-c.directories.output=dist/win-arm64",
-      "-c.publish.channel=latest-arm64",
-    ]);
-  });
-
-  it("does not override the publish channel for Windows x64 (default latest.yml)", () => {
-    expect(
-      builderArgsForTarget(
-        { platform: "win", arch: "x64" },
-        {
-          allPlatforms: false,
-          sharedArgs: ["--publish", "always"],
-          platformTargets: { mac: [], win: ["nsis"], linux: [] },
-          requestedPlatforms: ["win"],
-          requestedArchs: ["x64"],
-        },
-        "1.2.3",
-        { hostPlatform: "win32", useScopedOutputDir: true },
-      ),
-    ).toEqual([
-      "-c.extraMetadata.version=1.2.3",
-      "--win",
-      "nsis",
-      "--x64",
-      "--publish",
-      "always",
-      "-c.directories.output=dist/win-x64",
-    ]);
-  });
-
-  it("defaults linux cross-builds to AppImage on non-Linux hosts", () => {
-    expect(
-      builderArgsForTarget(
-        { platform: "linux", arch: "x64" },
-        {
-          allPlatforms: false,
-          sharedArgs: ["--publish", "never"],
-          platformTargets: { mac: [], win: [], linux: [] },
-          requestedPlatforms: ["linux"],
-          requestedArchs: ["x64"],
-        },
-        "1.2.3",
-        { hostPlatform: "darwin" },
-      ),
-    ).toEqual([
-      "-c.extraMetadata.version=1.2.3",
-      "--linux",
-      "AppImage",
-      "--x64",
-      "--publish",
-      "never",
-    ]);
-  });
-});
-
-describe("envWithLocalBins", () => {
-  it("prepends desktop-local binary directories to PATH", () => {
-    const desktopRoot = "/repo/apps/desktop";
-    const result = envWithLocalBins(
-      { PATH: ["/usr/local/bin", "/usr/bin"].join(delimiter) },
-      desktopRoot,
-    );
-    expect(result.PATH.split(delimiter)).toEqual([
-      resolve(desktopRoot, "node_modules", ".bin"),
-      resolve(desktopRoot, "..", "..", "node_modules", ".bin"),
-      "/usr/local/bin",
-      "/usr/bin",
-    ]);
-  });
-
-  it("preserves an existing Path key and avoids duplicate entries", () => {
-    const desktopRoot = "/repo/apps/desktop";
-    const desktopBin = resolve(desktopRoot, "node_modules", ".bin");
-    const workspaceBin = resolve(desktopRoot, "..", "..", "node_modules", ".bin");
-    const result = envWithLocalBins(
-      { Path: [desktopBin, "runner-bin", workspaceBin].join(delimiter) },
-      desktopRoot,
-    );
-    expect(result).not.toHaveProperty("PATH");
-    expect(result.Path.split(delimiter)).toEqual([
-      desktopBin,
-      workspaceBin,
-      "runner-bin",
-    ]);
-  });
-});
--- a/apps/desktop/src/main/cli-bootstrap.ts
+++ b/apps/desktop/src/main/cli-bootstrap.ts
@@ -8,15 +8,35 @@ import { pipeline } from "stream/promises";
 import { tmpdir } from "os";
 import { Readable } from "stream";

-import { selectPlatformReleaseAssetName } from "./cli-release-asset";
-
-// Desktop prefers the bundled `multica` CLI shipped inside the app for
-// same-repo builds, but it can also repair or bootstrap a managed copy in
-// userData on first launch when the bundled binary is missing or unusable.
+// Desktop bootstraps its own copy of the `multica` CLI into userData on first
+// launch, so users never have to brew-install anything. Build-time decoupled:
+// we don't bundle the binary into the .app, we download whatever the upstream
+// release is at first run.

 const GITHUB_LATEST_BASE =
  "https://github.com/multica-ai/multica/releases/latest/download";

+function platformAssetName(): string {
+  const osMap: Record<string, string> = {
+    darwin: "darwin",
+    linux: "linux",
+    win32: "windows",
+  };
+  const archMap: Record<string, string> = {
+    x64: "amd64",
+    arm64: "arm64",
+  };
+  const os = osMap[process.platform];
+  const arch = archMap[process.arch];
+  if (!os || !arch) {
+    throw new Error(
+      `unsupported platform for CLI auto-install: ${process.platform}/${process.arch}`,
+    );
+  }
+  const ext = process.platform === "win32" ? "zip" : "tar.gz";
+  return `multica_${os}_${arch}.${ext}`;
+}
+
 function binaryName(): string {
  return process.platform === "win32" ? "multica.exe" : "multica";
 }
@@ -72,8 +92,14 @@ async function sha256OfFile(path: string): Promise<string> {
 async function verifyChecksum(
  archivePath: string,
  assetName: string,
-  expected: string,
 ): Promise<void> {
+  const checksums = await fetchChecksums();
+  const expected = checksums.get(assetName);
+  if (!expected) {
+    throw new Error(
+      `no checksum for ${assetName} in checksums.txt — refusing to install unverified binary`,
+    );
+  }
  const actual = await sha256OfFile(archivePath);
  if (actual.toLowerCase() !== expected) {
    throw new Error(
@@ -92,14 +118,7 @@ async function extractArchive(archive: string, dest: string): Promise<void> {

 async function installFresh(): Promise<string> {
  const target = managedCliPath();
-  const checksums = await fetchChecksums();
-  const assetName = selectPlatformReleaseAssetName(checksums.keys());
-  const expectedChecksum = checksums.get(assetName);
-  if (!expectedChecksum) {
-    throw new Error(
-      `no checksum for ${assetName} in checksums.txt — refusing to install unverified binary`,
-    );
-  }
+  const assetName = platformAssetName();
  const url = `${GITHUB_LATEST_BASE}/${assetName}`;

  const workDir = join(tmpdir(), `multica-cli-${Date.now()}`);
@@ -111,7 +130,7 @@ async function installFresh(): Promise<string> {
    await downloadToFile(url, archivePath);

    console.log(`[cli-bootstrap] verifying ${assetName} against checksums.txt`);
-    await verifyChecksum(archivePath, assetName, expectedChecksum);
+    await verifyChecksum(archivePath, assetName);

    console.log(`[cli-bootstrap] extracting ${assetName}`);
    await extractArchive(archivePath, workDir);
@@ -124,7 +143,6 @@ async function installFresh(): Promise<string> {
    }

    await mkdir(dirname(target), { recursive: true });
-    await rm(target, { force: true }).catch(() => {});
    await rename(extractedBin, target);
    await chmod(target, 0o755);

@@ -148,10 +166,8 @@ async function installFresh(): Promise<string> {
 * the managed userData location, returns it immediately. Otherwise downloads
 * the latest release asset for the current platform and installs it.
 */
-export async function ensureManagedCli(
-  options: { forceInstall?: boolean } = {},
-): Promise<string> {
+export async function ensureManagedCli(): Promise<string> {
  const target = managedCliPath();
-  if (existsSync(target) && !options.forceInstall) return target;
+  if (existsSync(target)) return target;
  return installFresh();
 }
--- a/apps/desktop/src/main/cli-release-asset.test.ts
+++ b/apps/desktop/src/main/cli-release-asset.test.ts
@@ -1,59 +0,0 @@
-import { describe, expect, it } from "vitest";
-
-import { selectPlatformReleaseAssetName } from "./cli-release-asset";
-
-describe("selectPlatformReleaseAssetName", () => {
-  it("prefers the versioned archive name when both exist", () => {
-    const assetNames = [
-      "checksums.txt",
-      "multica_darwin_amd64.tar.gz",
-      "multica-cli-1.2.3-darwin-amd64.tar.gz",
-    ];
-
-    expect(selectPlatformReleaseAssetName(assetNames, "darwin", "x64")).toBe(
-      "multica-cli-1.2.3-darwin-amd64.tar.gz",
-    );
-  });
-
-  it("falls back to the legacy archive name when only legacy is present", () => {
-    const assetNames = ["checksums.txt", "multica_darwin_amd64.tar.gz"];
-
-    expect(selectPlatformReleaseAssetName(assetNames, "darwin", "x64")).toBe(
-      "multica_darwin_amd64.tar.gz",
-    );
-  });
-
-  it("matches the renamed darwin archive from release assets", () => {
-    const assetNames = [
-      "checksums.txt",
-      "multica-cli-1.2.3-darwin-amd64.tar.gz",
-      "multica-cli-1.2.3-darwin-arm64.tar.gz",
-      "multica-cli-1.2.3-linux-amd64.tar.gz",
-    ];
-
-    expect(selectPlatformReleaseAssetName(assetNames, "darwin", "x64")).toBe(
-      "multica-cli-1.2.3-darwin-amd64.tar.gz",
-    );
-  });
-
-  it("matches the renamed windows zip archive", () => {
-    const assetNames = [
-      "multica-cli-1.2.3-windows-amd64.zip",
-      "multica-cli-1.2.3-linux-amd64.tar.gz",
-    ];
-
-    expect(selectPlatformReleaseAssetName(assetNames, "win32", "x64")).toBe(
-      "multica-cli-1.2.3-windows-amd64.zip",
-    );
-  });
-
-  it("fails when the current platform asset is missing", () => {
-    expect(() =>
-      selectPlatformReleaseAssetName(
-        ["multica-cli-1.2.3-linux-amd64.tar.gz", "multica_linux_amd64.tar.gz"],
-        "darwin",
-        "arm64",
-      ),
-    ).toThrow(/no release asset found/);
-  });
-});
--- a/apps/desktop/src/main/cli-release-asset.ts
+++ b/apps/desktop/src/main/cli-release-asset.ts
@@ -1,62 +0,0 @@
-const RELEASE_ARCHIVE_PREFIX = "multica-cli-";
-
-function platformArchiveDescriptor(
-  platform: NodeJS.Platform = process.platform,
-  arch: string = process.arch,
-): { os: string; arch: string; ext: string } {
-  const osMap: Record<string, string> = {
-    darwin: "darwin",
-    linux: "linux",
-    win32: "windows",
-  };
-  const archMap: Record<string, string> = {
-    x64: "amd64",
-    arm64: "arm64",
-  };
-  const os = osMap[platform];
-  const mappedArch = archMap[arch];
-  if (!os || !mappedArch) {
-    throw new Error(
-      `unsupported platform for CLI auto-install: ${platform}/${arch}`,
-    );
-  }
-  const ext = platform === "win32" ? "zip" : "tar.gz";
-  return { os, arch: mappedArch, ext };
-}
-
-export function selectPlatformReleaseAssetName(
-  assetNames: Iterable<string>,
-  platform: NodeJS.Platform = process.platform,
-  arch: string = process.arch,
-): string {
-  const { os, arch: mappedArch, ext } = platformArchiveDescriptor(
-    platform,
-    arch,
-  );
-  const names = [...assetNames];
-
-  // Prefer the versioned `multica-cli-<v>-<os>-<arch>.<ext>` name; fall
-  // back to the legacy `multica_<os>_<arch>.<ext>` so older releases that
-  // only ship the legacy archive keep working.
-  const suffix = `-${os}-${mappedArch}.${ext}`;
-  const matches = names.filter(
-    (name) =>
-      name.startsWith(RELEASE_ARCHIVE_PREFIX) && name.endsWith(suffix),
-  );
-
-  if (matches.length === 1) {
-    return matches[0];
-  }
-  if (matches.length > 1) {
-    throw new Error(
-      `multiple release assets matched current platform ${suffix}: ${matches.join(", ")}`,
-    );
-  }
-
-  const legacyName = `multica_${os}_${mappedArch}.${ext}`;
-  if (names.includes(legacyName)) {
-    return legacyName;
-  }
-
-  throw new Error(`no release asset found for current platform: ${suffix}`);
-}
--- a/apps/desktop/src/main/daemon-manager.ts
+++ b/apps/desktop/src/main/daemon-manager.ts
@@ -316,36 +316,6 @@ function bundledCliPath(): string {
  );
 }

-async function probeCliBinary(
-  bin: string,
-  source: "bundled" | "managed" | "path",
-): Promise<string | null> {
-  try {
-    const stdout = await new Promise<string>((resolve, reject) => {
-      execFile(
-        bin,
-        ["version", "--output", "json"],
-        { timeout: 5_000 },
-        (err, out) => {
-          if (err) reject(err);
-          else resolve(out);
-        },
-      );
-    });
-    const parsed = JSON.parse(stdout) as { version?: string };
-    if (typeof parsed.version === "string" && parsed.version.length > 0) {
-      return parsed.version;
-    }
-    console.warn(
-      `[daemon] ignoring ${source} CLI at ${bin}: version output was missing or invalid`,
-    );
-    return null;
-  } catch (err) {
-    console.warn(`[daemon] ignoring ${source} CLI at ${bin}:`, err);
-    return null;
-  }
-}
-
 /**
 * Returns a usable `multica` binary path. Priority:
 *   1. Cached result from a previous successful resolve.
@@ -369,55 +339,27 @@ async function resolveCliBinary(): Promise<string | null> {
  cliResolvePromise = (async () => {
    const bundled = bundledCliPath();
    if (existsSync(bundled)) {
-      const version = await probeCliBinary(bundled, "bundled");
-      if (version) {
-        console.log(`[daemon] using bundled CLI at ${bundled}`);
-        cachedCliBinary = bundled;
-        cachedCliBinaryVersion = version;
-        return bundled;
-      }
+      console.log(`[daemon] using bundled CLI at ${bundled}`);
+      cachedCliBinary = bundled;
+      return bundled;
    }

    const managed = managedCliPath();
    if (existsSync(managed)) {
-      const version = await probeCliBinary(managed, "managed");
-      if (version) {
-        cachedCliBinary = managed;
-        cachedCliBinaryVersion = version;
-        return managed;
-      }
+      cachedCliBinary = managed;
+      return managed;
    }

    try {
-      const installed = await ensureManagedCli({
-        forceInstall: existsSync(managed),
-      });
-      const version = await probeCliBinary(installed, "managed");
-      if (version) {
-        cachedCliBinary = installed;
-        cachedCliBinaryVersion = version;
-        return installed;
-      }
-      console.warn(
-        `[daemon] managed CLI at ${installed} failed validation after install`,
-      );
+      const installed = await ensureManagedCli();
+      cachedCliBinary = installed;
+      return installed;
    } catch (err) {
      console.warn("[daemon] CLI auto-install failed, falling back to PATH:", err);
+      const onPath = findCliOnPath();
+      cachedCliBinary = onPath;
+      return onPath;
    }
-
-    const onPath = findCliOnPath();
-    if (onPath) {
-      const version = await probeCliBinary(onPath, "path");
-      if (version) {
-        cachedCliBinary = onPath;
-        cachedCliBinaryVersion = version;
-        return onPath;
-      }
-    }
-
-    cachedCliBinary = null;
-    cachedCliBinaryVersion = null;
-    return null;
  })();

  try {
@@ -428,10 +370,11 @@ async function resolveCliBinary(): Promise<string | null> {
 }

 /**
- * Reads the version of the currently resolved CLI binary. Cached for the
- * process lifetime — the bundled binary doesn't change after bundle time.
+ * Reads the version of the currently resolved CLI binary by invoking
+ * `multica version --output json`. Cached for the process lifetime — the
+ * bundled binary doesn't change after `bundle-cli.mjs` runs at dev/build time.
 * Returns null on any failure (unknown `go` at bundle time, broken binary,
- * wrong-arch bundled binary, etc.) so callers can fail open.
+ * etc.) so callers can fail open.
 */
 async function getCliBinaryVersion(): Promise<string | null> {
  if (cachedCliBinaryVersion !== undefined) return cachedCliBinaryVersion;
@@ -440,7 +383,24 @@ async function getCliBinaryVersion(): Promise<string | null> {
    cachedCliBinaryVersion = null;
    return null;
  }
-  cachedCliBinaryVersion = await probeCliBinary(bin, "path");
+  try {
+    const stdout = await new Promise<string>((resolve, reject) => {
+      execFile(
+        bin,
+        ["version", "--output", "json"],
+        { timeout: 5_000 },
+        (err, out) => {
+          if (err) reject(err);
+          else resolve(out);
+        },
+      );
+    });
+    const parsed = JSON.parse(stdout) as { version?: string };
+    cachedCliBinaryVersion = parsed.version ?? null;
+  } catch (err) {
+    console.warn("[daemon] failed to read CLI binary version:", err);
+    cachedCliBinaryVersion = null;
+  }
  return cachedCliBinaryVersion;
 }

--- a/apps/desktop/src/main/external-url.test.ts
+++ b/apps/desktop/src/main/external-url.test.ts
@@ -1,73 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-
-vi.mock("electron", () => ({
-  shell: { openExternal: vi.fn().mockResolvedValue(undefined) },
-}));
-
-import { shell } from "electron";
-import { isSafeExternalHttpUrl, openExternalSafely } from "./external-url";
-
-describe("isSafeExternalHttpUrl", () => {
-  it("allows http and https URLs", () => {
-    expect(isSafeExternalHttpUrl("https://multica.ai")).toBe(true);
-    expect(isSafeExternalHttpUrl("http://localhost:3000/auth")).toBe(true);
-  });
-
-  it("allows https URLs with embedded credentials", () => {
-    // WHATWG URL parses these as https; OS-level handling is the shell's concern.
-    expect(isSafeExternalHttpUrl("https://user:pass@example.com")).toBe(true);
-  });
-
-  it("normalizes scheme casing so uppercase variants can't bypass", () => {
-    expect(isSafeExternalHttpUrl("HTTPS://example.com")).toBe(true);
-    expect(isSafeExternalHttpUrl("FILE:///etc/passwd")).toBe(false);
-  });
-
-  it("rejects dangerous pseudo-schemes", () => {
-    expect(isSafeExternalHttpUrl("javascript:alert(1)")).toBe(false);
-    expect(
-      isSafeExternalHttpUrl("data:text/html,<script>alert(1)</script>"),
-    ).toBe(false);
-  });
-
-  it("rejects filesystem and network transport schemes", () => {
-    expect(isSafeExternalHttpUrl("file:///etc/passwd")).toBe(false);
-    expect(isSafeExternalHttpUrl("ftp://example.com/x")).toBe(false);
-    expect(isSafeExternalHttpUrl("smb://share/x")).toBe(false);
-  });
-
-  it("rejects local-handler schemes used in past RCE chains", () => {
-    expect(isSafeExternalHttpUrl("vscode://file/test")).toBe(false);
-    expect(isSafeExternalHttpUrl("ms-msdt:/id%20PCWDiagnostic")).toBe(false);
-  });
-
-  it("rejects mailto and other non-web schemes", () => {
-    expect(isSafeExternalHttpUrl("mailto:test@example.com")).toBe(false);
-    expect(isSafeExternalHttpUrl("tel:+15551234567")).toBe(false);
-  });
-
-  it("rejects empty, whitespace, and malformed input", () => {
-    expect(isSafeExternalHttpUrl("")).toBe(false);
-    expect(isSafeExternalHttpUrl(" ")).toBe(false);
-    expect(isSafeExternalHttpUrl("not a url")).toBe(false);
-    expect(isSafeExternalHttpUrl("http://")).toBe(false);
-  });
-});
-
-describe("openExternalSafely", () => {
-  beforeEach(() => {
-    vi.mocked(shell.openExternal).mockClear();
-  });
-
-  it("forwards http/https URLs to shell.openExternal", () => {
-    openExternalSafely("https://multica.ai");
-    expect(shell.openExternal).toHaveBeenCalledWith("https://multica.ai");
-  });
-
-  it("does not call shell.openExternal for rejected schemes", () => {
-    openExternalSafely("file:///etc/passwd");
-    openExternalSafely("javascript:alert(1)");
-    openExternalSafely("not a url");
-    expect(shell.openExternal).not.toHaveBeenCalled();
-  });
-});
--- a/apps/desktop/src/main/external-url.ts
+++ b/apps/desktop/src/main/external-url.ts
@@ -1,38 +0,0 @@
-import { shell } from "electron";
-
-// True when the URL parses and uses http/https — the only schemes we let
-// reach `shell.openExternal`. Scheme comparison is safe because the WHATWG
-// URL parser lowercases the protocol field.
-export function isSafeExternalHttpUrl(url: string): boolean {
-  return getHttpProtocol(url) !== null;
-}
-
-// Canonical wrapper around shell.openExternal. All renderer-controlled URLs
-// that eventually reach the OS shell MUST flow through here; direct calls
-// to `shell.openExternal` elsewhere in the main process are banned by the
-// no-restricted-syntax rule in apps/desktop/eslint.config.mjs.
-export function openExternalSafely(url: string): Promise<void> | void {
-  if (getHttpProtocol(url) === null) {
-    console.warn(`[security] blocked openExternal: ${describeScheme(url)}`);
-    return;
-  }
-  return shell.openExternal(url);
-}
-
-function getHttpProtocol(url: string): "http:" | "https:" | null {
-  try {
-    const { protocol } = new URL(url);
-    if (protocol === "http:" || protocol === "https:") return protocol;
-    return null;
-  } catch {
-    return null;
-  }
-}
-
-function describeScheme(url: string): string {
-  try {
-    return `scheme=${new URL(url).protocol}`;
-  } catch {
-    return "invalid URL";
-  }
-}
--- a/apps/desktop/src/main/index.ts
+++ b/apps/desktop/src/main/index.ts
@@ -1,11 +1,10 @@
-import { app, BrowserWindow, ipcMain, nativeImage } from "electron";
+import { app, shell, BrowserWindow, ipcMain, nativeImage } from "electron";
 import { homedir } from "os";
 import { join } from "path";
 import { electronApp, optimizer, is } from "@electron-toolkit/utils";
 import fixPath from "fix-path";
 import { setupAutoUpdater } from "./updater";
 import { setupDaemonManager } from "./daemon-manager";
-import { openExternalSafely } from "./external-url";

 // Bundled icon used for dev-mode dock/taskbar branding. In production the
 // app bundle icon (from electron-builder) wins; this path is only consumed
@@ -49,19 +48,6 @@ function handleDeepLink(url: string): void {
      if (token && mainWindow) {
        mainWindow.webContents.send("auth:token", token);
      }
-      return;
-    }
-
-    // multica://invite/<invitationId>
-    // Dispatched from the web invite page when the user chooses "Open in
-    // desktop app". The renderer opens the invite overlay — no tab, no
-    // route persistence, so deep-linking the same invite twice stays safe.
-    if (parsed.hostname === "invite") {
-      const id = parsed.pathname.replace(/^\//, "");
-      if (id && mainWindow) {
-        mainWindow.webContents.send("invite:open", decodeURIComponent(id));
-      }
-      return;
    }
  } catch {
    // Ignore malformed URLs
@@ -105,7 +91,7 @@ function createWindow(): void {
  });

  mainWindow.webContents.setWindowOpenHandler((details) => {
-    openExternalSafely(details.url);
+    shell.openExternal(details.url);
    return { action: "deny" };
  });

@@ -184,23 +170,9 @@ if (!gotTheLock) {
      optimizer.watchWindowShortcuts(window);
    });

-    // IPC: open URL in default browser (used by renderer for Google login).
-    // All scheme-allowlist enforcement lives in openExternalSafely — this
-    // is the single audit point for renderer-controlled URLs reaching the
-    // OS shell under the app's intentional webSecurity: false + sandbox:
-    // false configuration.
+    // IPC: open URL in default browser (used by renderer for Google login)
    ipcMain.handle("shell:openExternal", (_event, url: string) => {
-      return openExternalSafely(url);
-    });
-
-    // Sync IPC: app version + normalized OS for preload. Sync (not invoke) so
-    // preload can attach the values to `desktopAPI.appInfo` before any renderer
-    // code reads them, ensuring the very first HTTP request from the renderer
-    // already carries X-Client-Version and X-Client-OS.
-    ipcMain.on("app:get-info", (event) => {
-      const p = process.platform;
-      const os = p === "darwin" ? "macos" : p === "win32" ? "windows" : p === "linux" ? "linux" : "unknown";
-      event.returnValue = { version: app.getVersion(), os };
+      return shell.openExternal(url);
    });

    // IPC: toggle immersive mode — hides the macOS traffic lights so full-screen
--- a/apps/desktop/src/main/updater.ts
+++ b/apps/desktop/src/main/updater.ts
@@ -1,31 +1,9 @@
 import { autoUpdater } from "electron-updater";
-import { app, BrowserWindow, ipcMain } from "electron";
+import { BrowserWindow, ipcMain } from "electron";

 autoUpdater.autoDownload = false;
 autoUpdater.autoInstallOnAppQuit = true;

-// Windows arm64 ships its own update metadata channel because
-// electron-builder's `latest.yml` is not arch-suffixed on Windows — both
-// arches would otherwise collide on the same file in the GitHub Release.
-// See scripts/package.mjs (builderArgsForTarget) for the publish-side half
-// of this pact. Pin the channel here so arm64 clients fetch
-// `latest-arm64.yml` instead of the x64 metadata.
-if (process.platform === "win32" && process.arch === "arm64") {
-  autoUpdater.channel = "latest-arm64";
-}
-
-const STARTUP_CHECK_DELAY_MS = 5_000;
-const PERIODIC_CHECK_INTERVAL_MS = 60 * 60 * 1000; // 1 hour
-
-export type ManualUpdateCheckResult =
-  | {
-      ok: true;
-      currentVersion: string;
-      latestVersion: string;
-      available: boolean;
-    }
-  | { ok: false; error: string };
-
 export function setupAutoUpdater(getMainWindow: () => BrowserWindow | null): void {
  autoUpdater.on("update-available", (info) => {
    const win = getMainWindow();
@@ -59,42 +37,10 @@ export function setupAutoUpdater(getMainWindow: () => BrowserWindow | null): voi
    autoUpdater.quitAndInstall(false, true);
  });

-  ipcMain.handle("updater:check", async (): Promise<ManualUpdateCheckResult> => {
-    try {
-      const result = await autoUpdater.checkForUpdates();
-      const currentVersion = app.getVersion();
-      // Trust electron-updater's own decision rather than re-deriving it from
-      // a version-string compare. The two diverge for pre-release channels,
-      // staged rollouts, downgrades, and minimum-system-version gates — in
-      // those cases updateInfo.version differs from app.getVersion() but no
-      // `update-available` event fires, so showing "available" here would
-      // promise a download prompt that never appears.
-      return {
-        ok: true,
-        currentVersion,
-        latestVersion: result?.updateInfo.version ?? currentVersion,
-        available: result?.isUpdateAvailable ?? false,
-      };
-    } catch (err) {
-      return {
-        ok: false,
-        error: err instanceof Error ? err.message : String(err),
-      };
-    }
-  });
-
-  // Initial check shortly after startup so we don't block boot.
+  // Check for updates after a short delay to avoid blocking startup
  setTimeout(() => {
    autoUpdater.checkForUpdates().catch((err) => {
      console.error("Failed to check for updates:", err);
    });
-  }, STARTUP_CHECK_DELAY_MS);
-
-  // Background poll so long-running sessions still pick up new releases
-  // without requiring the user to restart the app.
-  setInterval(() => {
-    autoUpdater.checkForUpdates().catch((err) => {
-      console.error("Periodic update check failed:", err);
-    });
-  }, PERIODIC_CHECK_INTERVAL_MS);
+  }, 5000);
 }
--- a/apps/desktop/src/preload/index.d.ts
+++ b/apps/desktop/src/preload/index.d.ts
@@ -1,15 +1,8 @@
 import { ElectronAPI } from "@electron-toolkit/preload";

 interface DesktopAPI {
-  /** App version + normalized OS, captured synchronously at preload time. */
-  appInfo: {
-    version: string;
-    os: "macos" | "windows" | "linux" | "unknown";
-  };
  /** Listen for auth token delivered via deep link. Returns an unsubscribe function. */
  onAuthToken: (callback: (token: string) => void) => () => void;
-  /** Listen for invitation IDs delivered via deep link. Returns an unsubscribe function. */
-  onInviteOpen: (callback: (invitationId: string) => void) => () => void;
  /** Open a URL in the default browser. */
  openExternal: (url: string) => Promise<void>;
  /** Hide macOS traffic lights for full-screen modals; restore when false. */
@@ -58,10 +51,6 @@ interface UpdaterAPI {
  onUpdateDownloaded: (callback: () => void) => () => void;
  downloadUpdate: () => Promise<void>;
  installUpdate: () => Promise<void>;
-  checkForUpdates: () => Promise<
-    | { ok: true; currentVersion: string; latestVersion: string; available: boolean }
-    | { ok: false; error: string }
-  >;
 }

 declare global {
--- a/apps/desktop/src/preload/index.ts
+++ b/apps/desktop/src/preload/index.ts
@@ -1,32 +1,7 @@
 import { contextBridge, ipcRenderer } from "electron";
 import { electronAPI } from "@electron-toolkit/preload";

-// Synchronously fetch app metadata from main at preload time so the renderer
-// can pass it into CoreProvider during the initial render — the alternative
-// (async ipc.invoke) would race the ApiClient construction in initCore and
-// the first few HTTP requests would go out without X-Client-Version/OS.
-function fetchAppInfo(): { version: string; os: "macos" | "windows" | "linux" | "unknown" } {
-  try {
-    const info = ipcRenderer.sendSync("app:get-info") as
-      | { version: string; os: "macos" | "windows" | "linux" | "unknown" }
-      | undefined;
-    if (info && typeof info.version === "string" && typeof info.os === "string") return info;
-  } catch {
-    // fall through
-  }
-  // Fallback: derive OS from process.platform; version unknown.
-  const p = process.platform;
-  const os: "macos" | "windows" | "linux" | "unknown" =
-    p === "darwin" ? "macos" : p === "win32" ? "windows" : p === "linux" ? "linux" : "unknown";
-  return { version: "unknown", os };
-}
-
-const appInfo = fetchAppInfo();
-
 const desktopAPI = {
-  /** App version + normalized OS. Read once at preload time so the renderer
-   *  can use it synchronously when initializing the API client. */
-  appInfo,
  /** Listen for auth token delivered via deep link */
  onAuthToken: (callback: (token: string) => void) => {
    const handler = (_event: Electron.IpcRendererEvent, token: string) =>
@@ -36,15 +11,6 @@ const desktopAPI = {
      ipcRenderer.removeListener("auth:token", handler);
    };
  },
-  /** Listen for invitation IDs delivered via deep link */
-  onInviteOpen: (callback: (invitationId: string) => void) => {
-    const handler = (_event: Electron.IpcRendererEvent, invitationId: string) =>
-      callback(invitationId);
-    ipcRenderer.on("invite:open", handler);
-    return () => {
-      ipcRenderer.removeListener("invite:open", handler);
-    };
-  },
  /** Open a URL in the default browser */
  openExternal: (url: string) => ipcRenderer.invoke("shell:openExternal", url),
  /** Toggle immersive mode — hide macOS traffic lights for full-screen modals */
@@ -121,10 +87,6 @@ const updaterAPI = {
  },
  downloadUpdate: () => ipcRenderer.invoke("updater:download"),
  installUpdate: () => ipcRenderer.invoke("updater:install"),
-  checkForUpdates: (): Promise<
-    | { ok: true; currentVersion: string; latestVersion: string; available: boolean }
-    | { ok: false; error: string }
-  > => ipcRenderer.invoke("updater:check"),
 };

 if (process.contextIsolated) {
--- a/apps/desktop/src/renderer/src/App.tsx
+++ b/apps/desktop/src/renderer/src/App.tsx
@@ -1,20 +1,16 @@
-import { useEffect, useLayoutEffect, useMemo, useRef, useState } from "react";
+import { useEffect, useRef, useState } from "react";
 import { useQuery, useQueryClient } from "@tanstack/react-query";
 import { CoreProvider } from "@multica/core/platform";
 import { useAuthStore } from "@multica/core/auth";
 import { workspaceKeys, workspaceListOptions } from "@multica/core/workspace/queries";
 import { api } from "@multica/core/api";
-import { useHasOnboarded } from "@multica/core/paths";
 import { ThemeProvider } from "@multica/ui/components/common/theme-provider";
 import { MulticaIcon } from "@multica/ui/components/common/multica-icon";
 import { Toaster } from "sonner";
 import { DesktopLoginPage } from "./pages/login";
 import { DesktopShell } from "./components/desktop-layout";
-import { PageviewTracker } from "./components/pageview-tracker";
 import { UpdateNotification } from "./components/update-notification";
 import { useTabStore } from "./stores/tab-store";
-import { useWindowOverlayStore } from "./stores/window-overlay-store";
-

 function AppContent() {
  const user = useAuthStore((s) => s.user);
@@ -35,17 +31,6 @@ function AppContent() {
    window.daemonAPI.setTargetApiUrl(DAEMON_TARGET_API_URL);
  }, []);

-  // Listen for invite IDs delivered via deep link (multica://invite/<id>).
-  // We open the overlay regardless of login state — if the user isn't logged
-  // in, InvitePage's queries will fail and render the "not found" state,
-  // which is acceptable; the expected pre-flight happens in the web app
-  // (login + next=/invite/... dance) before the deep link is ever dispatched.
-  useEffect(() => {
-    return window.desktopAPI.onInviteOpen((invitationId) => {
-      useWindowOverlayStore.getState().open({ type: "invite", invitationId });
-    });
-  }, []);
-
  // Listen for auth token delivered via deep link (multica://auth/callback?token=...).
  // daemonAPI.syncToken is handled separately by the [user] effect below, which
  // fires whenever a user logs in (deep link, session restore, account switch).
@@ -92,53 +77,28 @@ function AppContent() {
  // account switches (user A logout → user B login) should not trigger a
  // daemon restart here — daemon-manager already restarts on user change
  // via syncToken.
-  const { data: workspaces = [], isFetched: workspaceListFetched } = useQuery({
+  const { data: workspaces, isFetched: workspaceListFetched } = useQuery({
    ...workspaceListOptions(),
    enabled: !!user,
  });
-  const wsCount = workspaces.length;
-  const hasOnboarded = useHasOnboarded();
+  const wsCount = workspaces?.length ?? 0;

-  // Onboarding and zero-workspace both resolve to an overlay, but
-  // onboarding wins: a user who hasn't completed it gets the onboarding
-  // overlay regardless of how many workspaces already exist.
-  useEffect(() => {
-    if (!user || !workspaceListFetched) return;
-    const { overlay, open } = useWindowOverlayStore.getState();
-    if (overlay) return;
-    if (!hasOnboarded) {
-      open({ type: "onboarding" });
-      return;
-    }
-    if (wsCount === 0) {
-      open({ type: "new-workspace" });
-    }
-  }, [user, workspaceListFetched, wsCount, workspaces, hasOnboarded]);
-
-  // Validate persisted tab state against the current user's workspace list,
-  // and pick an active workspace if none is set. Runs in useLayoutEffect
-  // (synchronously after render, before paint) rather than the render
-  // phase — the original render-phase pattern triggered React's
-  // "Cannot update a component while rendering a different component"
-  // warning because `switchWorkspace` is a Zustand setState that the
-  // TabBar is subscribed to. useLayoutEffect flushes both renders before
-  // the user sees anything, so there's no visible flicker.
+  // Validate persisted tab paths against the current user's workspace list.
+  // Tabs survive across app restarts and account switches (persisted to
+  // localStorage `multica_tabs`), so a tab path like `/naiyuan/issues` may
+  // reference a workspace the current user can't access — showing
+  // NoAccessPage every time they open the app.
  //
-  // Gate on `workspaceListFetched`: useQuery defaults `data` to `[]` before
-  // the first fetch, so without this guard we'd run validation against an
-  // empty slug set, wipe the persisted `activeWorkspaceSlug`, then fall
-  // back to `workspaces[0]` once the real list arrives — losing the user's
-  // last-opened workspace on every app start.
-  useLayoutEffect(() => {
-    if (!workspaceListFetched) return;
+  // Run synchronously in render phase rather than in useEffect so the first
+  // render already sees validated tabs. useEffect runs AFTER commit, which
+  // means the initial render would briefly show NoAccessPage before the
+  // effect resets the tab. Zustand supports render-phase setState; the
+  // validator is idempotent (exits early if nothing changed) so this
+  // doesn't loop.
+  if (workspaces) {
    const validSlugs = new Set(workspaces.map((w) => w.slug));
    useTabStore.getState().validateWorkspaceSlugs(validSlugs);
-    const { activeWorkspaceSlug, switchWorkspace } = useTabStore.getState();
-    if (!activeWorkspaceSlug && workspaces.length > 0) {
-      switchWorkspace(workspaces[0].slug);
-    }
-  }, [workspaces, workspaceListFetched]);
-
+  }
  // null = undecided (pre-login or list hasn't settled yet)
  // true  = session started with zero workspaces; next transition to >=1 triggers restart
  // false = session started with >=1 workspace, OR we've already restarted; skip
@@ -167,29 +127,17 @@ function AppContent() {
    );
  }

-  // Pageview tracker sits at the app root so it covers every visible
-  // surface (login, overlays, tab paths) — mounting it inside DesktopShell
-  // would miss the logged-out and overlay states.
-  return (
-    <>
-      <PageviewTracker />
-      {user ? <DesktopShell /> : <DesktopLoginPage />}
-    </>
-  );
+  if (!user) return <DesktopLoginPage />;
+  return <DesktopShell />;
 }

 // Backend the daemon should connect to — same URL the renderer talks to.
 const DAEMON_TARGET_API_URL =
  import.meta.env.VITE_API_URL || "http://localhost:8080";

-// On logout, wipe desktop-only in-memory state and stop the daemon so that
-// a subsequent login as a different user never inherits the previous user's
-// tabs, overlay, or credentials. Zustand persist only writes to localStorage;
-// useLogout clears the storage key, but the live stores stay populated until
-// we explicitly reset them here.
+// On logout, clear any cached PAT and stop the daemon so that a subsequent
+// login as a different user never inherits the previous user's credentials.
 async function handleDaemonLogout() {
-  useTabStore.getState().reset();
-  useWindowOverlayStore.getState().close();
  try {
    await window.daemonAPI.clearToken();
  } catch {
@@ -203,20 +151,12 @@ async function handleDaemonLogout() {
 }

 export default function App() {
-  const { version, os } = window.desktopAPI.appInfo;
-  // Stable identity reference so downstream effects (WS reconnect) don't
-  // tear down on every parent render.
-  const identity = useMemo(
-    () => ({ platform: "desktop", version, os }),
-    [version, os],
-  );
  return (
    <ThemeProvider>
      <CoreProvider
        apiBaseUrl={import.meta.env.VITE_API_URL || "http://localhost:8080"}
        wsUrl={import.meta.env.VITE_WS_URL || "ws://localhost:8080/ws"}
        onLogout={handleDaemonLogout}
-        identity={identity}
      >
        <AppContent />
      </CoreProvider>
--- a/apps/desktop/src/renderer/src/components/desktop-layout.tsx
+++ b/apps/desktop/src/renderer/src/components/desktop-layout.tsx
@@ -13,13 +13,11 @@ import { ModalRegistry } from "@multica/views/modals/registry";
 import { AppSidebar } from "@multica/views/layout";
 import { SearchCommand, SearchTrigger } from "@multica/views/search";
 import { ChatFab, ChatWindow } from "@multica/views/chat";
-import { StarterContentPrompt } from "@multica/views/onboarding";
 import { WorkspaceSlugProvider } from "@multica/core/paths";
 import { getCurrentSlug, subscribeToCurrentSlug } from "@multica/core/platform";
 import { DesktopNavigationProvider } from "@/platform/navigation";
 import { TabBar } from "./tab-bar";
 import { TabContent } from "./tab-content";
-import { WindowOverlay } from "./window-overlay";

 function SidebarTopBar() {
  const { canGoBack, canGoForward, goBack, goForward } = useTabHistory();
@@ -115,8 +113,7 @@ export function DesktopShell() {
          mount WorkspaceRouteLayout, which calls setCurrentWorkspace()
          to populate the slug. The sidebar gates on slug being present
          to avoid the useRequiredWorkspaceSlug throw. Zero-workspace
-          users see the window-level overlay (new-workspace flow)
-          triggered by IndexRedirect, not a route. */}
+          users are routed to /workspaces/new by IndexRedirect. */}
      <WorkspaceSlugProvider slug={slug}>
        <div className="flex h-screen">
          <SidebarProvider className="flex-1">
@@ -135,8 +132,6 @@ export function DesktopShell() {
        </div>
        {slug && <ModalRegistry />}
        {slug && <SearchCommand />}
-        {slug && <StarterContentPrompt />}
-        <WindowOverlay />
      </WorkspaceSlugProvider>
    </DesktopNavigationProvider>
  );
--- a/apps/desktop/src/renderer/src/components/desktop-runtimes-page.tsx
+++ b/apps/desktop/src/renderer/src/components/desktop-runtimes-page.tsx
@@ -1,39 +0,0 @@
-import { useEffect, useState } from "react";
-import { RuntimesPage } from "@multica/views/runtimes";
-import { DaemonRuntimeCard } from "./daemon-runtime-card";
-import type { DaemonStatus } from "../../../shared/daemon-types";
-
-/**
- * Desktop wrapper around the shared `RuntimesPage`. Bridges the Electron
- * `daemonAPI` (main-process daemon state) into the page so its empty
- * state can distinguish "no runtime registered" from "runtime is on its
- * way" — without the bundled daemon's status, the page shows a
- * misleading "Run multica daemon start" hint during the few seconds
- * between page load and the daemon's first registration.
- *
- * `bootstrapping` is true while the daemon is installing, starting, or
- * already running but hasn't surfaced as a server-side runtime yet.
- * RuntimeList only shows the spinner when the runtime list is also
- * empty, so once the daemon registers (and the list fills) the flag
- * has no visible effect.
- */
-export function DesktopRuntimesPage() {
-  const [status, setStatus] = useState<DaemonStatus>({ state: "stopped" });
-
-  useEffect(() => {
-    window.daemonAPI.getStatus().then(setStatus);
-    return window.daemonAPI.onStatusChange(setStatus);
-  }, []);
-
-  const bootstrapping =
-    status.state === "installing_cli" ||
-    status.state === "starting" ||
-    status.state === "running";
-
-  return (
-    <RuntimesPage
-      topSlot={<DaemonRuntimeCard />}
-      bootstrapping={bootstrapping}
-    />
-  );
-}
--- a/apps/desktop/src/renderer/src/components/pageview-tracker.tsx
+++ b/apps/desktop/src/renderer/src/components/pageview-tracker.tsx
@@ -1,69 +0,0 @@
-import { useEffect } from "react";
-import { capturePageview } from "@multica/core/analytics";
-import { useAuthStore } from "@multica/core/auth";
-import { useTabStore } from "@/stores/tab-store";
-import { useWindowOverlayStore, type WindowOverlay } from "@/stores/window-overlay-store";
-
-/**
- * Fires a PostHog $pageview whenever the user's visible surface changes.
- *
- * Desktop has three layers that can own the visible page:
- *
- *   1. Logged-out state → `/login`. No workspace context, no tabs.
- *   2. Window overlays (onboarding, new-workspace, invite) → synthetic paths
- *      that match the equivalent web routes. Overlays are NOT tab routes on
- *      desktop (see `stores/window-overlay-store.ts` + `routes.tsx`), so the
- *      tab path alone would either miss them or mislabel them as "/".
- *   3. Otherwise → the active tab's path (workspace-scoped, e.g.
- *      `/acme/issues/123`). Kept in sync by `useTabRouterSync`.
- *
- * The overlay takes precedence over the tab path because it is visually in
- * front of the tab system; the logged-out state shadows both because the
- * shell doesn't render at all yet. This keeps the `$pageview` stream aligned
- * with what the user actually sees.
- *
- * PostHog's `capture_pageview: true` auto-capture is intentionally off (see
- * `initAnalytics`) so this component owns the event shape, matching the web
- * implementation in `apps/web/components/pageview-tracker.tsx`.
- */
-export function PageviewTracker() {
-  const user = useAuthStore((s) => s.user);
-  const overlay = useWindowOverlayStore((s) => s.overlay);
-  const activeTabPath = useTabStore((s) => {
-    const slug = s.activeWorkspaceSlug;
-    if (!slug) return null;
-    const group = s.byWorkspace[slug];
-    if (!group) return null;
-    return group.tabs.find((t) => t.id === group.activeTabId)?.path ?? null;
-  });
-
-  const path = resolvePath(user, overlay, activeTabPath);
-
-  useEffect(() => {
-    if (!path) return;
-    capturePageview(path);
-  }, [path]);
-
-  return null;
-}
-
-function resolvePath(
-  user: unknown,
-  overlay: WindowOverlay | null,
-  activeTabPath: string | null,
-): string | null {
-  if (!user) return "/login";
-  if (overlay) return overlayPath(overlay);
-  return activeTabPath;
-}
-
-function overlayPath(overlay: WindowOverlay): string {
-  switch (overlay.type) {
-    case "new-workspace":
-      return "/workspaces/new";
-    case "onboarding":
-      return "/onboarding";
-    case "invite":
-      return `/invite/${overlay.invitationId}`;
-  }
-}
--- a/apps/desktop/src/renderer/src/components/tab-bar.tsx
+++ b/apps/desktop/src/renderer/src/components/tab-bar.tsx
@@ -29,8 +29,8 @@ import {
 } from "@dnd-kit/modifiers";
 import { CSS } from "@dnd-kit/utilities";
 import { cn } from "@multica/ui/lib/utils";
-import { useTabStore, useActiveGroup, resolveRouteIcon, type Tab } from "@/stores/tab-store";
-import { paths } from "@multica/core/paths";
+import { useTabStore, resolveRouteIcon, type Tab } from "@/stores/tab-store";
+import { isGlobalPath, paths } from "@multica/core/paths";

 const TAB_ICONS: Record<string, LucideIcon> = {
  Inbox,
@@ -67,13 +67,16 @@ function SortableTabItem({ tab, isActive, isOnly }: { tab: Tab; isActive: boolea
  const handleClick = () => {
    if (isActive) return;
    setActiveTab(tab.id);
+    // No navigate() — Activity handles visibility
  };

  const handleClose = (e: React.MouseEvent) => {
    e.stopPropagation();
    closeTab(tab.id);
+    // No navigate() — store handles activeTabId switch
  };

+  // Stop pointer down on close so it doesn't start a drag on the parent button.
  const stopDragOnClose = (e: React.PointerEvent) => {
    e.stopPropagation();
  };
@@ -122,13 +125,22 @@ function NewTabButton() {
  const setActiveTab = useTabStore((s) => s.setActiveTab);

  const handleClick = () => {
-    // New tab opens in the currently active workspace — tabs are scoped
-    // per workspace, so there is no cross-workspace ambiguity to resolve.
-    const activeSlug = useTabStore.getState().activeWorkspaceSlug;
-    if (!activeSlug) return;
-    const path = paths.workspace(activeSlug).issues();
+    // Inherit the active tab's workspace. Terminal/IDE convention: new tab
+    // opens in the same context as the active one. Read the slug from the
+    // active tab's path directly rather than from getCurrentSlug(), because
+    // that singleton is "last tab to render" (non-deterministic with N tabs
+    // mounted under <Activity>), while activeTabId is the unambiguous truth.
+    // Falls back to "/" (→ IndexRedirect → first workspace) when the active
+    // tab is on a global route (e.g. /workspaces/new, /login).
+    const { tabs, activeTabId } = useTabStore.getState();
+    const activePath = tabs.find((t) => t.id === activeTabId)?.path ?? "/";
+    let slug: string | null = null;
+    if (activePath !== "/" && !isGlobalPath(activePath)) {
+      slug = activePath.split("/").filter(Boolean)[0] ?? null;
+    }
+    const path = slug ? paths.workspace(slug).issues() : "/";
    const tabId = addTab(path, "Issues", resolveRouteIcon(path));
-    if (tabId) setActiveTab(tabId);
+    setActiveTab(tabId);
  };

  return (
@@ -143,17 +155,17 @@ function NewTabButton() {
 }

 export function TabBar() {
-  const group = useActiveGroup();
+  const tabs = useTabStore((s) => s.tabs);
+  const activeTabId = useTabStore((s) => s.activeTabId);
  const moveTab = useTabStore((s) => s.moveTab);

+  // distance: 5 — pointer must move 5px to start a drag, otherwise it's a click.
  const sensors = useSensors(
    useSensor(PointerSensor, {
      activationConstraint: { distance: 5 },
    }),
  );

-  const tabs = group?.tabs ?? [];
-  const activeTabId = group?.activeTabId ?? "";
  const tabIds = tabs.map((t) => t.id);

  const handleDragEnd = (event: DragEndEvent) => {
@@ -183,7 +195,7 @@ export function TabBar() {
          ))}
        </SortableContext>
      </DndContext>
-      {group && <NewTabButton />}
+      <NewTabButton />
    </div>
  );
 }
--- a/apps/desktop/src/renderer/src/components/tab-content.tsx
+++ b/apps/desktop/src/renderer/src/components/tab-content.tsx
@@ -1,52 +1,40 @@
 import { Activity, useEffect } from "react";
 import { RouterProvider } from "react-router-dom";
-import { useActiveGroup } from "@/stores/tab-store";
+import { useTabStore } from "@/stores/tab-store";
 import { TabNavigationProvider } from "@/platform/navigation";
 import { useTabRouterSync } from "@/hooks/use-tab-router-sync";
-import type { Tab } from "@/stores/tab-store";

-/**
- * Inner wrapper rendered inside each tab's RouterProvider. The router
- * reference is stable for a tab's lifetime, so passing it in directly
- * (instead of re-deriving from the store) avoids needless re-renders.
- */
-function TabRouterInner({ tab }: { tab: Tab }) {
-  useTabRouterSync(tab.id, tab.router);
+/** Inner wrapper rendered inside each tab's RouterProvider. */
+function TabRouterInner({ tabId }: { tabId: string }) {
+  const tab = useTabStore((s) => s.tabs.find((t) => t.id === tabId));
+  useTabRouterSync(tabId, tab!.router);
  return null;
 }

 /**
- * Renders the active workspace's tabs using Activity for state preservation.
+ * Renders all tabs using Activity for state preservation.
 * Only the active tab is visible; hidden tabs keep their DOM and React state.
- *
- * When switching workspaces, the previous workspace's tabs unmount entirely
- * and the new workspace's tabs mount fresh — cross-workspace state
- * preservation is an explicit non-goal (keeping all workspaces' tabs warm
- * simultaneously would bloat memory and make workspace switching feel
- * anything but "switching").
 */
 export function TabContent() {
-  const group = useActiveGroup();
+  const tabs = useTabStore((s) => s.tabs);
+  const activeTabId = useTabStore((s) => s.activeTabId);

-  // Sync document.title when switching tabs within the active workspace.
+  // Sync document.title when switching tabs
  useEffect(() => {
-    if (!group) return;
-    const tab = group.tabs.find((t) => t.id === group.activeTabId);
+    const tab = tabs.find((t) => t.id === activeTabId);
    if (tab) document.title = tab.title;
-  }, [group?.activeTabId, group?.tabs]);
-
-  if (!group) return null;
+  }, [activeTabId, tabs]);

  return (
    <>
-      {group.tabs.map((tab) => (
+      {tabs.map((tab) => (
        <Activity
          key={tab.id}
-          mode={tab.id === group.activeTabId ? "visible" : "hidden"}
+          mode={tab.id === activeTabId ? "visible" : "hidden"}
        >
          <TabNavigationProvider router={tab.router}>
            <RouterProvider router={tab.router} />
-            <TabRouterInner tab={tab} />
+            <TabRouterInner tabId={tab.id} />
          </TabNavigationProvider>
        </Activity>
      ))}
--- a/apps/desktop/src/renderer/src/components/update-notification.tsx
+++ b/apps/desktop/src/renderer/src/components/update-notification.tsx
@@ -110,25 +110,12 @@ export function UpdateNotification() {
            <p className="text-xs text-muted-foreground mt-0.5">
              Restart to apply the update
            </p>
-            <div className="mt-2 flex items-center gap-1.5">
-              {/* Secondary "See changes" — gives the user a reason to
-                  restart by surfacing what they're about to get. Opens
-                  in the default browser via the shared openExternal
-                  bridge so the URL hits the same allow-list as every
-                  other outbound link. */}
-              <button
-                onClick={() => window.desktopAPI.openExternal("https://multica.ai/changelog")}
-                className="inline-flex items-center rounded-md border border-border bg-background px-3 py-1.5 text-xs font-medium text-foreground hover:bg-accent transition-colors"
-              >
-                See changes
-              </button>
-              <button
-                onClick={handleInstall}
-                className="inline-flex items-center rounded-md bg-primary px-3 py-1.5 text-xs font-medium text-primary-foreground hover:bg-primary/90 transition-colors"
-              >
-                Restart now
-              </button>
-            </div>
+            <button
+              onClick={handleInstall}
+              className="mt-2 inline-flex items-center rounded-md bg-primary px-3 py-1.5 text-xs font-medium text-primary-foreground hover:bg-primary/90 transition-colors"
+            >
+              Restart now
+            </button>
          </div>
        </div>
      )}
--- a/apps/desktop/src/renderer/src/components/updates-settings-tab.tsx
+++ b/apps/desktop/src/renderer/src/components/updates-settings-tab.tsx
@@ -1,86 +0,0 @@
-import { useCallback, useState } from "react";
-import { AlertCircle, ArrowDownToLine, Check, Loader2 } from "lucide-react";
-import { Button } from "@multica/ui/components/ui/button";
-
-type CheckState =
-  | { status: "idle" }
-  | { status: "checking" }
-  | { status: "up-to-date"; currentVersion: string }
-  | { status: "available"; latestVersion: string }
-  | { status: "error"; message: string };
-
-export function UpdatesSettingsTab() {
-  const [state, setState] = useState<CheckState>({ status: "idle" });
-
-  const handleCheck = useCallback(async () => {
-    setState({ status: "checking" });
-    const result = await window.updater.checkForUpdates();
-    if (!result.ok) {
-      setState({ status: "error", message: result.error });
-      return;
-    }
-    setState(
-      result.available
-        ? { status: "available", latestVersion: result.latestVersion }
-        : { status: "up-to-date", currentVersion: result.currentVersion },
-    );
-  }, []);
-
-  return (
-    <div>
-      <h2 className="text-lg font-semibold">Updates</h2>
-      <p className="text-sm text-muted-foreground mt-1">
-        The desktop app checks for new versions automatically once an hour and
-        shortly after launch.
-      </p>
-
-      <div className="mt-6 divide-y">
-        <div className="flex items-start justify-between gap-6 py-4">
-          <div className="min-w-0">
-            <p className="text-sm font-medium">Check for updates</p>
-            <p className="text-sm text-muted-foreground mt-0.5">
-              Trigger a check now instead of waiting for the next automatic
-              poll. Available updates appear as a notification in the corner.
-            </p>
-            {state.status === "up-to-date" && (
-              <p className="text-sm text-muted-foreground mt-2 inline-flex items-center gap-1.5">
-                <Check className="size-3.5 text-success" />
-                You&apos;re on the latest version (v{state.currentVersion}).
-              </p>
-            )}
-            {state.status === "available" && (
-              <p className="text-sm text-muted-foreground mt-2 inline-flex items-center gap-1.5">
-                <ArrowDownToLine className="size-3.5 text-primary" />
-                v{state.latestVersion} is available — see the download prompt
-                in the corner.
-              </p>
-            )}
-            {state.status === "error" && (
-              <p className="text-sm text-destructive mt-2 inline-flex items-center gap-1.5">
-                <AlertCircle className="size-3.5" />
-                {state.message}
-              </p>
-            )}
-          </div>
-          <div className="shrink-0">
-            <Button
-              variant="outline"
-              size="sm"
-              onClick={handleCheck}
-              disabled={state.status === "checking"}
-            >
-              {state.status === "checking" ? (
-                <>
-                  <Loader2 className="size-3.5 animate-spin" />
-                  Checking…
-                </>
-              ) : (
-                "Check now"
-              )}
-            </Button>
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
--- a/apps/desktop/src/renderer/src/components/window-overlay.tsx
+++ b/apps/desktop/src/renderer/src/components/window-overlay.tsx
@@ -1,79 +0,0 @@
-import { useQuery } from "@tanstack/react-query";
-import { NewWorkspacePage } from "@multica/views/workspace/new-workspace-page";
-import { InvitePage } from "@multica/views/invite";
-import { OnboardingFlow } from "@multica/views/onboarding";
-import { useNavigation } from "@multica/views/navigation";
-import { paths } from "@multica/core/paths";
-import { workspaceListOptions } from "@multica/core/workspace/queries";
-import { useWindowOverlayStore } from "@/stores/window-overlay-store";
-
-/**
- * Window-level transition overlay: renders above the tab system when the
- * user is in a pre-workspace flow (onboarding, create workspace, accept
- * invite).
- *
- * This component is intentionally thin — just a fixed positioning shell
- * that covers the tab system. It does NOT hide traffic lights or provide
- * a drag strip: each contained view (OnboardingFlow, NewWorkspacePage,
- * InvitePage) renders its own `<DragStrip />` as a flex-child at top so
- * native macOS traffic lights stay visible and the page content can fill
- * the window edge-to-edge. This matches the Linear/Notion/Arc pattern for
- * pre-dashboard flows and keeps platform chrome consistent across every
- * "not-in-dashboard" surface.
- *
- * All UX affordances (Back button, Log out button, welcome copy, invite
- * card) live inside the shared view components under `packages/views/`,
- * so web and desktop render identical content.
- */
-export function WindowOverlay() {
-  const overlay = useWindowOverlayStore((s) => s.overlay);
-  if (!overlay) return null;
-  return <WindowOverlayInner />;
-}
-
-function WindowOverlayInner() {
-  const overlay = useWindowOverlayStore((s) => s.overlay);
-  const close = useWindowOverlayStore((s) => s.close);
-  const { push } = useNavigation();
-  const { data: wsList = [] } = useQuery(workspaceListOptions());
-
-  if (!overlay) return null;
-
-  // Back is only meaningful when there's somewhere to go — i.e. the user
-  // has at least one workspace. Zero-workspace users can only Log out or
-  // complete the flow.
-  const onBack = wsList.length > 0 ? close : undefined;
-
-  return (
-    <div className="fixed inset-0 z-50 flex flex-col overflow-auto bg-background">
-      {overlay.type === "new-workspace" && (
-        <NewWorkspacePage
-          onSuccess={(ws) => push(paths.workspace(ws.slug).issues())}
-          onBack={onBack}
-        />
-      )}
-      {overlay.type === "invite" && (
-        <InvitePage
-          invitationId={overlay.invitationId}
-          onBack={onBack}
-        />
-      )}
-      {overlay.type === "onboarding" && (
-        <OnboardingFlow
-          onComplete={(ws) => {
-            close();
-            // Post-onboarding landing is always the workspace issues
-            // list. The welcome-issue flow moved into a dialog that
-            // renders on that page (StarterContentPrompt), so the
-            // flow doesn't need to thread a target issue id back here.
-            if (ws) {
-              push(paths.workspace(ws.slug).issues());
-            } else {
-              push(paths.root());
-            }
-          }}
-        />
-      )}
-    </div>
-  );
-}
--- a/apps/desktop/src/renderer/src/components/workspace-route-layout.tsx
+++ b/apps/desktop/src/renderer/src/components/workspace-route-layout.tsx
@@ -2,14 +2,11 @@ import { useEffect } from "react";
 import { Outlet, useNavigate, useParams } from "react-router-dom";
 import { useQuery } from "@tanstack/react-query";
 import { WorkspaceSlugProvider, paths } from "@multica/core/paths";
-import {
-  workspaceBySlugOptions,
-  workspaceListOptions,
-} from "@multica/core/workspace";
+import { workspaceBySlugOptions } from "@multica/core/workspace";
 import { setCurrentWorkspace } from "@multica/core/platform";
 import { useAuthStore } from "@multica/core/auth";
+import { NoAccessPage } from "@multica/views/workspace/no-access-page";
 import { useWorkspaceSeen } from "@multica/views/workspace/use-workspace-seen";
-import { useTabStore } from "@/stores/tab-store";

 /**
 * Desktop equivalent of apps/web/app/[workspaceSlug]/layout.tsx.
@@ -20,13 +17,9 @@ import { useTabStore } from "@/stores/tab-store";
 * guaranteed non-null when called. Two industry-standard identities are
 * kept distinct: slug (URL / browser) and UUID (API / cache keys).
 *
- * Unlike web, desktop never renders a "workspace not available" page: the
- * app has no URL bar and no clickable links from outside the session, so
- * landing on an inaccessible slug can only mean stale state (a persisted
- * tab group for a workspace the current user no longer has access to, or
- * active eviction). Both cases resolve by dropping the stale tab group
- * from the tab store — the TabBar then renders a different workspace or
- * the WindowOverlay takes over (zero valid workspaces).
+ * If the slug doesn't resolve to any workspace the user has access to,
+ * we render NoAccessPage instead of silently redirecting — users get
+ * explicit feedback for stale bookmarks or revoked access.
 */
 export function WorkspaceRouteLayout() {
  const { workspaceSlug } = useParams<{ workspaceSlug: string }>();
@@ -34,7 +27,10 @@ export function WorkspaceRouteLayout() {
  const user = useAuthStore((s) => s.user);
  const isAuthLoading = useAuthStore((s) => s.isLoading);

-  // Workspace routes require auth. If user is unauthenticated, bounce to /login.
+  // Workspace routes require auth. If user is unauthenticated (token
+  // expired, logged out from another tab, etc.), bounce to /login.
+  // Without this, the layout renders null and the user sees a blank page
+  // stuck on /{slug}/...
  useEffect(() => {
    if (!isAuthLoading && !user) navigate(paths.login(), { replace: true });
  }, [isAuthLoading, user, navigate]);
@@ -44,41 +40,36 @@ export function WorkspaceRouteLayout() {
    enabled: !!user && !!workspaceSlug,
  });

-  const { data: wsList } = useQuery({
-    ...workspaceListOptions(),
-    enabled: !!user,
-  });
-
  // Feed the URL slug into the platform singleton so the API client's
  // X-Workspace-Slug header and persist namespace follow the active tab.
-  // setCurrentWorkspace self-dedupes on slug equality.
+  // setCurrentWorkspace self-dedupes on slug equality — safe to call on
+  // every render (matters on desktop, where N tabs each mount their own
+  // layout). Rehydrate is the singleton's internal side effect.
  if (workspace && workspaceSlug) {
    setCurrentWorkspace(workspaceSlug, workspace.id);
  }

+  // Remember whether this slug has resolved before (see hook docs). Gates
+  // the NoAccessPage render below so active workspace removal doesn't
+  // flash "Workspace not available" before the navigate lands.
  const hasBeenSeen = useWorkspaceSeen(workspaceSlug, !!workspace);

-  // Stale-slug auto-heal: when this tab's slug fails to resolve, drop the
-  // whole workspace group from the tab store. Per-workspace tab grouping
-  // means the cleanup is a single validator call — the TabContent will
-  // unmount this tab (and all siblings in the stale group) once the store
-  // updates. We don't navigate this tab's router because the tab's path
-  // is scoped to the stale slug; navigating to "/" would create an
-  // inconsistent "tab in group X with path /" state.
-  useEffect(() => {
-    if (!user) return;
-    if (!listFetched) return;
-    if (workspace) return;
-    if (hasBeenSeen) return; // active eviction in flight — let the other path win
-    if (!wsList) return;
-    const validSlugs = new Set(wsList.map((w) => w.slug));
-    useTabStore.getState().validateWorkspaceSlugs(validSlugs);
-  }, [user, listFetched, workspace, hasBeenSeen, wsList]);
-
  if (isAuthLoading) return null;
  if (!workspaceSlug) return null;
+  // Don't render children until workspace is resolved. useWorkspaceId()
+  // throws when the workspace list hasn't populated or the slug is
+  // unknown — gating here is the single point where that invariant is
+  // enforced, so every descendant can call useWorkspaceId() safely.
  if (!listFetched) return null;
-  if (!workspace) return null; // auto-heal effect above handles the cleanup
+  if (!workspace) {
+    // Active workspace just removed (delete/leave/realtime eviction) —
+    // navigate is in flight; hold null briefly instead of flashing
+    // NoAccessPage.
+    if (hasBeenSeen) return null;
+    // Genuinely inaccessible slug (stale bookmark, revoked access, or a
+    // link from a former teammate's workspace) → explicit feedback.
+    return <NoAccessPage />;
+  }

  return (
    <WorkspaceSlugProvider slug={workspaceSlug}>
--- a/apps/desktop/src/renderer/src/globals.css
+++ b/apps/desktop/src/renderer/src/globals.css
@@ -25,8 +25,6 @@
  --font-sans: "Inter Variable", "Inter", -apple-system, BlinkMacSystemFont,
               "Segoe UI", "PingFang SC", "Microsoft YaHei", "Noto Sans CJK SC",
               sans-serif;
-  --font-serif: "Source Serif 4 Variable", "Source Serif 4", "Iowan Old Style",
-                "Apple Garamond", Baskerville, "Times New Roman", serif;
  --font-mono: "Geist Mono", ui-monospace, SFMono-Regular, Menlo, Consolas,
               monospace;
 }
--- a/apps/desktop/src/renderer/src/hooks/use-tab-history.ts
+++ b/apps/desktop/src/renderer/src/hooks/use-tab-history.ts
@@ -1,6 +1,6 @@
 import { useCallback } from "react";
 import type { DataRouter } from "react-router-dom";
-import { useActiveTabRouter, useActiveTabHistory } from "@/stores/tab-store";
+import { useTabStore } from "@/stores/tab-store";

 /**
 * Shared hint map so useTabRouterSync can distinguish back vs forward POP.
@@ -9,32 +9,32 @@ import { useActiveTabRouter, useActiveTabHistory } from "@/stores/tab-store";
 export const popDirectionHints = new Map<DataRouter, "back" | "forward">();

 /**
- * Per-tab back/forward navigation derived from the active workspace's
- * active tab.
- *
- * Subscribed via primitive selectors so this hook only re-renders when
- * the numeric history state actually changes — path ticks on the active
- * tab (which don't shift historyIndex) don't churn the back/forward
- * buttons.
+ * Per-tab back/forward navigation derived from the active tab's history state.
+ * Replaces the old global useNavigationHistory() hook.
 */
 export function useTabHistory() {
-  const router = useActiveTabRouter();
-  const { historyIndex, historyLength } = useActiveTabHistory();
+  // Return the actual tab object from the store — stable reference.
+  // Do NOT create a new object in the selector (causes infinite re-renders).
+  const activeTab = useTabStore((s) =>
+    s.tabs.find((t) => t.id === s.activeTabId),
+  );

-  const canGoBack = historyIndex > 0;
-  const canGoForward = historyIndex < historyLength - 1;
+  const canGoBack = (activeTab?.historyIndex ?? 0) > 0;
+  const canGoForward =
+    (activeTab?.historyIndex ?? 0) < (activeTab?.historyLength ?? 1) - 1;

  const goBack = useCallback(() => {
-    if (!router || historyIndex <= 0) return;
-    popDirectionHints.set(router, "back");
-    router.navigate(-1);
-  }, [router, historyIndex]);
+    if (!activeTab || activeTab.historyIndex <= 0) return;
+    popDirectionHints.set(activeTab.router, "back");
+    activeTab.router.navigate(-1);
+  }, [activeTab]);

  const goForward = useCallback(() => {
-    if (!router || historyIndex >= historyLength - 1) return;
-    popDirectionHints.set(router, "forward");
-    router.navigate(1);
-  }, [router, historyIndex, historyLength]);
+    if (!activeTab || activeTab.historyIndex >= activeTab.historyLength - 1)
+      return;
+    popDirectionHints.set(activeTab.router, "forward");
+    activeTab.router.navigate(1);
+  }, [activeTab]);

  return { canGoBack, canGoForward, goBack, goForward };
 }
--- a/apps/desktop/src/renderer/src/hooks/use-tab-sync.ts
+++ b/apps/desktop/src/renderer/src/hooks/use-tab-sync.ts
@@ -2,23 +2,20 @@ import { useEffect } from "react";
 import { useTabStore } from "@/stores/tab-store";

 /**
- * Watches document.title via MutationObserver and updates the active tab's
- * title. Pages set document.title via TitleSync (route handle.title) or
- * useDocumentTitle(). This observer picks up the change and syncs it to
- * the tab store.
+ * Watches document.title via MutationObserver and updates the active tab's title.
+ *
+ * Pages set document.title via TitleSync (route handle.title) or useDocumentTitle().
+ * This observer picks up the change and syncs it to the tab store.
 */
 export function useActiveTitleSync() {
  useEffect(() => {
    const observer = new MutationObserver(() => {
      const title = document.title;
      if (!title) return;
-      const state = useTabStore.getState();
-      if (!state.activeWorkspaceSlug) return;
-      const group = state.byWorkspace[state.activeWorkspaceSlug];
-      if (!group) return;
-      const activeTab = group.tabs.find((t) => t.id === group.activeTabId);
+      const { tabs, activeTabId } = useTabStore.getState();
+      const activeTab = tabs.find((t) => t.id === activeTabId);
      if (activeTab && activeTab.title !== title) {
-        state.updateTab(activeTab.id, { title });
+        useTabStore.getState().updateTab(activeTabId, { title });
      }
    });

--- a/apps/desktop/src/renderer/src/main.tsx
+++ b/apps/desktop/src/renderer/src/main.tsx
@@ -4,11 +4,6 @@ import App from "./App";
 // Geist Mono kept as-is for code blocks; CJK is handled by system font fallback
 // (see globals.css --font-sans chain). Keep font stack in sync with apps/web/app/layout.tsx.
 import "@fontsource-variable/inter";
-// Editorial serif — matches web's next/font Source_Serif_4. Loaded app-wide so
-// onboarding headings and any future editorial surface can use `font-serif`
-// (see tokens.css @theme inline). Variable font = one file covers all weights.
-import "@fontsource-variable/source-serif-4";
-import "@fontsource-variable/source-serif-4/wght-italic.css";
 import "@fontsource/geist-mono/400.css";
 import "@fontsource/geist-mono/700.css";
 import "./globals.css";
--- a/apps/desktop/src/renderer/src/pages/login.tsx
+++ b/apps/desktop/src/renderer/src/pages/login.tsx
@@ -1,5 +1,4 @@
 import { LoginPage } from "@multica/views/auth";
-import { DragStrip } from "@multica/views/platform";
 import { MulticaIcon } from "@multica/ui/components/common/multica-icon";

 const WEB_URL = import.meta.env.VITE_APP_URL || "http://localhost:3000";
@@ -15,7 +14,11 @@ export function DesktopLoginPage() {

  return (
    <div className="flex h-screen flex-col">
-      <DragStrip />
+      {/* Traffic light inset */}
+      <div
+        className="h-[38px] shrink-0"
+        style={{ WebkitAppRegion: "drag" } as React.CSSProperties}
+      />
      <LoginPage
        logo={<MulticaIcon bordered size="lg" />}
        onSuccess={() => {
--- a/apps/desktop/src/renderer/src/platform/navigation.tsx
+++ b/apps/desktop/src/renderer/src/platform/navigation.tsx
@@ -5,101 +5,16 @@ import {
  type NavigationAdapter,
 } from "@multica/views/navigation";
 import { useAuthStore } from "@multica/core/auth";
-import { isReservedSlug } from "@multica/core/paths";
-import {
-  useTabStore,
-  resolveRouteIcon,
-  useActiveTabIdentity,
-  useActiveTabRouter,
-  getActiveTab,
-} from "@/stores/tab-store";
-import { useWindowOverlayStore } from "@/stores/window-overlay-store";
+import { useTabStore, resolveRouteIcon } from "@/stores/tab-store";

-// Public web app URL — injected at build time via .env.production. In dev
-// (no VITE_APP_URL set) falls back to the local web dev server so "Copy
-// link" in a dev build yields a URL that points at the running dev
-// frontend, not the prod host. Matches the fallback used in pages/login.tsx.
-const APP_URL = import.meta.env.VITE_APP_URL || "http://localhost:3000";
+// Public web app URL — injected at build time via .env.production. Falls
+// back to the production host for dev builds so "Copy link" yields a URL
+// that actually points somewhere a teammate can open.
+const APP_URL = import.meta.env.VITE_APP_URL || "https://multica.ai";

 /**
- * Extract the leading workspace slug from a path, or null if the path isn't
- * workspace-scoped (root, login, any reserved prefix).
- */
-function extractWorkspaceSlug(path: string): string | null {
-  const first = path.split("/").filter(Boolean)[0] ?? "";
-  if (!first) return null;
-  if (isReservedSlug(first)) return null;
-  return first;
-}
-
-/**
- * Intercept navigation to "transition" paths — pre-workspace flows that on
- * desktop are rendered as a window-level overlay instead of a tab route.
- * Returns `true` if the navigation was handled (caller should NOT proceed).
- *
- * Side effect: when opening the new-workspace overlay, the tab router is
- * ALSO reset to "/". Rationale — the only way a push lands on
- * /workspaces/new is that the workspace context is gone (fresh install,
- * delete-last, leave-last). Leaving the tab parked on a workspace-scoped
- * path would keep those components mounted under the overlay; the next
- * render after the list cache updates would then throw (useWorkspaceId
- * etc) because the slug no longer resolves.
- */
-function tryRouteToOverlay(path: string, router?: DataRouter): boolean {
-  const overlay = useWindowOverlayStore.getState();
-  if (path === "/workspaces/new") {
-    overlay.open({ type: "new-workspace" });
-    if (router && router.state.location.pathname !== "/") {
-      router.navigate("/", { replace: true });
-    }
-    return true;
-  }
-  if (path === "/onboarding") {
-    overlay.open({ type: "onboarding" });
-    if (router && router.state.location.pathname !== "/") {
-      router.navigate("/", { replace: true });
-    }
-    return true;
-  }
-  if (path.startsWith("/invite/")) {
-    let id = "";
-    try {
-      id = decodeURIComponent(path.slice("/invite/".length));
-    } catch {
-      return true;
-    }
-    if (id) {
-      overlay.open({ type: "invite", invitationId: id });
-      return true;
-    }
-  }
-  // Any other navigation cancels a live overlay.
-  if (overlay.overlay) overlay.close();
-  return false;
-}
-
-/**
- * Intercept pushes that change workspace. Returns `true` if the navigation
- * was delegated to the tab store (caller should NOT proceed).
- *
- * This is the entry point that makes shared code platform-agnostic:
- * sidebar dropdown, cmd+k "switch workspace", post-delete redirects,
- * invite-accept flow — they all call `useNavigation().push(path)` with a
- * full workspace URL, and on desktop we translate "target slug differs
- * from active" into "switch the tab-group that's visible in the TabBar".
- */
-function tryRouteToOtherWorkspace(path: string): boolean {
-  const targetSlug = extractWorkspaceSlug(path);
-  if (!targetSlug) return false;
-  const { activeWorkspaceSlug, switchWorkspace } = useTabStore.getState();
-  if (targetSlug === activeWorkspaceSlug) return false;
-  switchWorkspace(targetSlug, path);
-  return true;
-}
-
-/**
- * Root-level navigation provider for components outside the per-tab
- * RouterProviders (sidebar, search dialog, modals, WindowOverlay contents).
+ * Root-level navigation provider for components outside the per-tab RouterProviders
+ * (sidebar, search dialog, modals, etc.).
 *
 * Reads from the active tab's memory router via router.subscribe().
 * Does NOT use any react-router hooks — it's above all RouterProviders.
@@ -109,61 +24,50 @@ export function DesktopNavigationProvider({
 }: {
  children: React.ReactNode;
 }) {
-  // Primitive-only subscriptions so this component doesn't re-render on
-  // unrelated store updates (e.g. an inactive tab's router tick). We
-  // resolve the active router here only to subscribe once per tab switch.
-  const { tabId: activeTabId } = useActiveTabIdentity();
-  const router = useActiveTabRouter();
-  const [pathname, setPathname] = useState(
-    router?.state.location.pathname ?? "/",
-  );
+  const activeTab = useTabStore((s) => s.tabs.find((t) => t.id === s.activeTabId));
+  const [pathname, setPathname] = useState(activeTab?.path ?? "/issues");

+  // Subscribe to the active tab's router for pathname updates
  useEffect(() => {
-    if (!router) {
-      setPathname("/");
-      return;
-    }
-    setPathname(router.state.location.pathname);
-    return router.subscribe((state) => {
+    if (!activeTab) return;
+    setPathname(activeTab.router.state.location.pathname);
+    return activeTab.router.subscribe((state) => {
      setPathname(state.location.pathname);
    });
-  }, [activeTabId, router]);
+  }, [activeTab?.id]); // eslint-disable-line react-hooks/exhaustive-deps

  const adapter: NavigationAdapter = useMemo(
    () => ({
      push: (path: string) => {
        if (path === "/login") {
+          // DashboardGuard token expired — force back to login screen
          useAuthStore.getState().logout();
          return;
        }
-        const active = currentActiveTab();
-        if (tryRouteToOverlay(path, active?.router)) return;
-        if (tryRouteToOtherWorkspace(path)) return;
-        active?.router.navigate(path);
+        const tab = useTabStore.getState().tabs.find(
+          (t) => t.id === useTabStore.getState().activeTabId,
+        );
+        tab?.router.navigate(path);
      },
      replace: (path: string) => {
-        const active = currentActiveTab();
-        if (tryRouteToOverlay(path, active?.router)) return;
-        if (tryRouteToOtherWorkspace(path)) return;
-        active?.router.navigate(path, { replace: true });
+        const tab = useTabStore.getState().tabs.find(
+          (t) => t.id === useTabStore.getState().activeTabId,
+        );
+        tab?.router.navigate(path, { replace: true });
      },
      back: () => {
-        currentActiveTab()?.router.navigate(-1);
+        const tab = useTabStore.getState().tabs.find(
+          (t) => t.id === useTabStore.getState().activeTabId,
+        );
+        tab?.router.navigate(-1);
      },
      pathname,
      searchParams: new URLSearchParams(),
      openInNewTab: (path: string, title?: string) => {
-        // Cross-workspace "open in new tab" switches workspace and opens
-        // the path there; same-workspace just adds a tab in the current group.
-        const slug = extractWorkspaceSlug(path);
-        const store = useTabStore.getState();
-        if (slug && slug !== store.activeWorkspaceSlug) {
-          store.switchWorkspace(slug, path);
-          return;
-        }
        const icon = resolveRouteIcon(path);
+        const store = useTabStore.getState();
        const tabId = store.openTab(path, title ?? path, icon);
-        if (tabId) store.setActiveTab(tabId);
+        store.setActiveTab(tabId);
      },
      getShareableUrl: (path: string) => `${APP_URL}${path}`,
    }),
@@ -173,10 +77,6 @@ export function DesktopNavigationProvider({
  return <NavigationProvider value={adapter}>{children}</NavigationProvider>;
 }

-function currentActiveTab() {
-  return getActiveTab(useTabStore.getState());
-}
-
 /**
 * Per-tab navigation provider rendered inside each tab's Activity wrapper.
 * Subscribes to the tab's own router for up-to-date pathname.
@@ -201,29 +101,16 @@ export function TabNavigationProvider({

  const adapter: NavigationAdapter = useMemo(
    () => ({
-      push: (path: string) => {
-        if (tryRouteToOverlay(path, router)) return;
-        if (tryRouteToOtherWorkspace(path)) return;
-        router.navigate(path);
-      },
-      replace: (path: string) => {
-        if (tryRouteToOverlay(path, router)) return;
-        if (tryRouteToOtherWorkspace(path)) return;
-        router.navigate(path, { replace: true });
-      },
+      push: (path: string) => router.navigate(path),
+      replace: (path: string) => router.navigate(path, { replace: true }),
      back: () => router.navigate(-1),
      pathname: location.pathname,
      searchParams: new URLSearchParams(location.search),
      openInNewTab: (path: string, title?: string) => {
-        const slug = extractWorkspaceSlug(path);
-        const store = useTabStore.getState();
-        if (slug && slug !== store.activeWorkspaceSlug) {
-          store.switchWorkspace(slug, path);
-          return;
-        }
        const icon = resolveRouteIcon(path);
-        const tabId = store.openTab(path, title ?? path, icon);
-        if (tabId) store.setActiveTab(tabId);
+        const store = useTabStore.getState();
+        const newTabId = store.openTab(path, title ?? path, icon);
+        store.setActiveTab(newTabId);
      },
      getShareableUrl: (path: string) => `${APP_URL}${path}`,
    }),
--- a/apps/desktop/src/renderer/src/routes.tsx
+++ b/apps/desktop/src/renderer/src/routes.tsx
@@ -6,6 +6,7 @@ import {
  useMatches,
 } from "react-router-dom";
 import type { RouteObject } from "react-router-dom";
+import { useQuery } from "@tanstack/react-query";
 import { IssueDetailPage } from "./pages/issue-detail-page";
 import { ProjectDetailPage } from "./pages/project-detail-page";
 import { AutopilotDetailPage } from "./pages/autopilot-detail-page";
@@ -13,14 +14,19 @@ import { IssuesPage } from "@multica/views/issues/components";
 import { ProjectsPage } from "@multica/views/projects/components";
 import { AutopilotsPage } from "@multica/views/autopilots/components";
 import { MyIssuesPage } from "@multica/views/my-issues";
+import { RuntimesPage } from "@multica/views/runtimes";
 import { SkillsPage } from "@multica/views/skills";
-import { DesktopRuntimesPage } from "./components/desktop-runtimes-page";
+import { DaemonRuntimeCard } from "./components/daemon-runtime-card";
 import { AgentsPage } from "@multica/views/agents";
 import { InboxPage } from "@multica/views/inbox";
 import { SettingsPage } from "@multica/views/settings";
-import { Download, Server } from "lucide-react";
+import { NewWorkspacePage } from "@multica/views/workspace/new-workspace-page";
+import { InvitePage } from "@multica/views/invite";
+import { useNavigation } from "@multica/views/navigation";
+import { paths } from "@multica/core/paths";
+import { workspaceListOptions } from "@multica/core/workspace/queries";
+import { Server } from "lucide-react";
 import { DaemonSettingsTab } from "./components/daemon-settings-tab";
-import { UpdatesSettingsTab } from "./components/updates-settings-tab";
 import { WorkspaceRouteLayout } from "./components/workspace-route-layout";

 /**
@@ -53,28 +59,77 @@ function PageShell() {
  );
 }

+function NewWorkspaceRoute() {
+  const nav = useNavigation();
+  return (
+    <NewWorkspacePage
+      onSuccess={(ws) => nav.push(paths.workspace(ws.slug).issues())}
+    />
+  );
+}
+
+/**
+ * Root index route: resolves the URL-less `/` path to a concrete destination.
+ *
+ * Runs both on first login (App.tsx seeded the cache) and on app reopen
+ * (AuthInitializer seeded the cache). Reading from React Query avoids
+ * duplicate fetches across tabs — each tab's memory router hits this
+ * component independently but the query is deduped.
+ *
+ * Sends first-time users without any workspace to /workspaces/new,
+ * everyone else to their first workspace's issues page. Persisted tab
+ * paths that already carry a workspace slug bypass this component
+ * entirely.
+ */
+function IndexRedirect() {
+  const { data: wsList, isFetched } = useQuery(workspaceListOptions());
+
+  // Wait for the query to settle so we don't redirect to /workspaces/new
+  // on the initial render before the seeded/fetched data arrives.
+  if (!isFetched) return null;
+
+  const firstWorkspace = wsList?.[0];
+  if (firstWorkspace) {
+    return <Navigate to={paths.workspace(firstWorkspace.slug).issues()} replace />;
+  }
+  return <Navigate to={paths.newWorkspace()} replace />;
+}
+
+function InviteRoute() {
+  const matches = useMatches();
+  const match = matches.find((m) => (m.params as { id?: string }).id);
+  const id = (match?.params as { id?: string })?.id ?? "";
+  return <InvitePage invitationId={id} />;
+}
+
 /**
 * Route definitions shared by all tabs.
 *
- * Every tab path is workspace-scoped: `/{slug}/{route}/...`. Pre-workspace
- * flows (create workspace, accept invite) are NOT routes — they render as a
- * window-level overlay via `WindowOverlay`, dispatched by the navigation
- * adapter's transition-path interception. The `activeWorkspaceSlug` in the
- * tab store decides which workspace's tabs are visible in the TabBar;
- * workspace-less state (zero-workspace user) shows the overlay instead.
- *
- * The root index route stays as a harmless safety net. With per-workspace
- * tabs, nothing should construct a tab at `/` — but if one ever slips
- * through (malformed persisted state that dodges the migration, direct
- * router.navigate from unforeseen code), the index falls back to null
- * rather than 404; App.tsx's bootstrap repoints activeWorkspaceSlug on the
- * next render pass.
+ * Structure mirrors the web app's [workspaceSlug]/... layout: all dashboard
+ * pages live under /:workspaceSlug, with WorkspaceRouteLayout resolving the
+ * slug to a workspace and syncing side-effects (api client, persist namespace,
+ * Zustand mirror). Global (pre-workspace) routes — workspaces/new and invite —
+ * sit at the top level alongside the workspace wrapper.
 */
 export const appRoutes: RouteObject[] = [
  {
    element: <PageShell />,
    children: [
-      { index: true, element: null },
+      // Top-level index: no slug yet. `IndexRedirect` reads the workspace
+      // list from React Query cache (seeded by AuthInitializer on reopen
+      // or App.tsx on deep-link login) and bounces to the first
+      // workspace's issues page — or /workspaces/new if the user has none.
+      { index: true, element: <IndexRedirect /> },
+      {
+        path: "workspaces/new",
+        element: <NewWorkspaceRoute />,
+        handle: { title: "Create Workspace" },
+      },
+      {
+        path: "invite/:id",
+        element: <InviteRoute />,
+        handle: { title: "Accept Invite" },
+      },
      {
        path: ":workspaceSlug",
        element: <WorkspaceRouteLayout />,
@@ -113,7 +168,7 @@ export const appRoutes: RouteObject[] = [
          },
          {
            path: "runtimes",
-            element: <DesktopRuntimesPage />,
+            element: <RuntimesPage topSlot={<DaemonRuntimeCard />} />,
            handle: { title: "Runtimes" },
          },
          { path: "skills", element: <SkillsPage />, handle: { title: "Skills" } },
@@ -130,12 +185,6 @@ export const appRoutes: RouteObject[] = [
                    icon: Server,
                    content: <DaemonSettingsTab />,
                  },
-                  {
-                    value: "updates",
-                    label: "Updates",
-                    icon: Download,
-                    content: <UpdatesSettingsTab />,
-                  },
                ]}
              />
            ),
--- a/apps/desktop/src/renderer/src/stores/tab-store.test.ts
+++ b/apps/desktop/src/renderer/src/stores/tab-store.test.ts
@@ -1,42 +1,23 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
+import { describe, expect, it, vi } from "vitest";

 // createTabRouter transitively pulls in route modules that expect a browser
-// router context. For pure store tests we stub it to a minimal disposable.
-const createTabRouterMock = vi.hoisted(() =>
-  vi.fn(() => ({
-    dispose: vi.fn(),
-    state: { location: { pathname: "/" } },
-    navigate: vi.fn(),
-    subscribe: vi.fn(() => () => {}),
-  })),
-);
+// router context. For pure-function tests we stub it out.
 vi.mock("../routes", () => ({
-  createTabRouter: createTabRouterMock,
+  createTabRouter: vi.fn(() => ({ dispose: vi.fn() })),
 }));

-import {
-  sanitizeTabPath,
-  migrateV1ToV2,
-  useTabStore,
-} from "./tab-store";
-
-beforeEach(() => {
-  createTabRouterMock.mockClear();
-  useTabStore.getState().reset();
-});
+import { sanitizeTabPath } from "./tab-store";

 describe("sanitizeTabPath", () => {
-  it("rejects the root sentinel — tabs must be workspace-scoped", () => {
-    expect(sanitizeTabPath("/")).toBeNull();
-    expect(sanitizeTabPath("")).toBeNull();
+  it("passes through root sentinel", () => {
+    expect(sanitizeTabPath("/")).toBe("/");
  });

-  it("silently rejects transition paths (no warn — navigation adapter intercepts them)", () => {
-    const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
-    expect(sanitizeTabPath("/workspaces/new")).toBeNull();
-    expect(sanitizeTabPath("/invite/abc")).toBeNull();
-    expect(warn).not.toHaveBeenCalled();
-    warn.mockRestore();
+  it("passes through global paths", () => {
+    expect(sanitizeTabPath("/login")).toBe("/login");
+    expect(sanitizeTabPath("/workspaces/new")).toBe("/workspaces/new");
+    expect(sanitizeTabPath("/invite/abc")).toBe("/invite/abc");
+    expect(sanitizeTabPath("/auth/callback")).toBe("/auth/callback");
  });

  it("passes through valid workspace-scoped paths", () => {
@@ -44,181 +25,21 @@ describe("sanitizeTabPath", () => {
    expect(sanitizeTabPath("/my-team/projects/abc")).toBe("/my-team/projects/abc");
  });

-  it("rejects paths whose first segment is a reserved slug (missing workspace prefix)", () => {
+  it("rejects paths whose first segment is a reserved slug", () => {
+    // A stray "/issues" (pre-refactor leftover, missing workspace prefix)
+    // would be interpreted as workspaceSlug="issues" → NoAccessPage.
    const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
-    expect(sanitizeTabPath("/issues")).toBeNull();
-    expect(sanitizeTabPath("/settings")).toBeNull();
+    expect(sanitizeTabPath("/issues")).toBe("/");
+    expect(sanitizeTabPath("/issues/abc-123")).toBe("/");
+    expect(sanitizeTabPath("/settings")).toBe("/");
    expect(warn).toHaveBeenCalled();
    warn.mockRestore();
  });

  it("passes through user slugs that happen to look path-like but aren't reserved", () => {
+    // A workspace owner could legitimately pick "acme-issues" or
+    // "project-x" as their slug — sanitize must not touch these.
    expect(sanitizeTabPath("/acme-issues/issues")).toBe("/acme-issues/issues");
    expect(sanitizeTabPath("/project-x/inbox")).toBe("/project-x/inbox");
  });
 });
-
-describe("migrateV1ToV2", () => {
-  it("groups v1 flat tabs by workspace slug", () => {
-    const v1 = {
-      tabs: [
-        { id: "t1", path: "/acme/issues", title: "Issues", icon: "ListTodo" },
-        { id: "t2", path: "/acme/projects", title: "Projects", icon: "FolderKanban" },
-        { id: "t3", path: "/butter/issues", title: "Issues", icon: "ListTodo" },
-      ],
-      activeTabId: "t2",
-    };
-    const v2 = migrateV1ToV2(v1);
-    expect(Object.keys(v2.byWorkspace).sort()).toEqual(["acme", "butter"]);
-    expect(v2.byWorkspace.acme.tabs).toHaveLength(2);
-    expect(v2.byWorkspace.butter.tabs).toHaveLength(1);
-    expect(v2.byWorkspace.acme.activeTabId).toBe("t2");
-    expect(v2.byWorkspace.butter.activeTabId).toBe("t3"); // first tab in group
-    expect(v2.activeWorkspaceSlug).toBe("acme"); // contained v1.activeTabId
-  });
-
-  it("drops tabs at root / transition / reserved-slug paths", () => {
-    const v1 = {
-      tabs: [
-        { id: "t1", path: "/", title: "Issues", icon: "ListTodo" },
-        { id: "t2", path: "/workspaces/new", title: "New", icon: "Plus" },
-        { id: "t3", path: "/invite/abc", title: "Invite", icon: "Mail" },
-        { id: "t4", path: "/acme/issues", title: "Issues", icon: "ListTodo" },
-      ],
-      activeTabId: "t1",
-    };
-    const v2 = migrateV1ToV2(v1);
-    expect(Object.keys(v2.byWorkspace)).toEqual(["acme"]);
-    expect(v2.byWorkspace.acme.tabs).toHaveLength(1);
-    // v1.activeTabId was dropped; active falls back to first group's first tab.
-    expect(v2.activeWorkspaceSlug).toBe("acme");
-    expect(v2.byWorkspace.acme.activeTabId).toBe("t4");
-  });
-
-  it("handles empty v1 state gracefully", () => {
-    const v2 = migrateV1ToV2({ tabs: [], activeTabId: "" });
-    expect(v2.byWorkspace).toEqual({});
-    expect(v2.activeWorkspaceSlug).toBeNull();
-  });
-
-  it("handles v1 with no tabs field (corrupted state)", () => {
-    const v2 = migrateV1ToV2({});
-    expect(v2.byWorkspace).toEqual({});
-    expect(v2.activeWorkspaceSlug).toBeNull();
-  });
-});
-
-describe("useTabStore actions", () => {
-  it("switchWorkspace creates a new group with a default tab on first entry", () => {
-    useTabStore.getState().switchWorkspace("acme");
-    const s = useTabStore.getState();
-    expect(s.activeWorkspaceSlug).toBe("acme");
-    expect(s.byWorkspace.acme.tabs).toHaveLength(1);
-    expect(s.byWorkspace.acme.tabs[0].path).toBe("/acme/issues");
-  });
-
-  it("switchWorkspace without openPath restores the group's last active tab", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-    const acmeProjectsId = useTabStore.getState().byWorkspace.acme.tabs[1].id;
-    store.setActiveTab(acmeProjectsId);
-
-    // Enter a different workspace then come back
-    store.switchWorkspace("butter");
-    expect(useTabStore.getState().activeWorkspaceSlug).toBe("butter");
-
-    store.switchWorkspace("acme");
-    const s = useTabStore.getState();
-    expect(s.activeWorkspaceSlug).toBe("acme");
-    expect(s.byWorkspace.acme.activeTabId).toBe(acmeProjectsId);
-  });
-
-  it("switchWorkspace with openPath dedupes into an existing tab with same path", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme"); // creates default /acme/issues
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-
-    store.switchWorkspace("acme", "/acme/issues");
-    const s = useTabStore.getState();
-    expect(s.byWorkspace.acme.tabs).toHaveLength(2); // no duplicate created
-    const activeTab = s.byWorkspace.acme.tabs.find(
-      (t) => t.id === s.byWorkspace.acme.activeTabId,
-    );
-    expect(activeTab?.path).toBe("/acme/issues");
-  });
-
-  it("switchWorkspace with openPath not matching any tab adds a new tab", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.switchWorkspace("acme", "/acme/issues/bug-42");
-    const s = useTabStore.getState();
-    expect(s.byWorkspace.acme.tabs).toHaveLength(2);
-    const activeTab = s.byWorkspace.acme.tabs.find(
-      (t) => t.id === s.byWorkspace.acme.activeTabId,
-    );
-    expect(activeTab?.path).toBe("/acme/issues/bug-42");
-  });
-
-  it("openTab dedupes by path within the active workspace", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    const id1 = store.openTab("/acme/projects", "Projects", "FolderKanban");
-    const id2 = store.openTab("/acme/projects", "Projects", "FolderKanban");
-    expect(id1).toBe(id2);
-    expect(useTabStore.getState().byWorkspace.acme.tabs).toHaveLength(2); // default + projects
-  });
-
-  it("closeTab on the last tab in a workspace reseeds the default tab", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    const onlyTabId = useTabStore.getState().byWorkspace.acme.tabs[0].id;
-    store.closeTab(onlyTabId);
-    const s = useTabStore.getState();
-    expect(s.byWorkspace.acme.tabs).toHaveLength(1);
-    expect(s.byWorkspace.acme.tabs[0].path).toBe("/acme/issues");
-    expect(s.byWorkspace.acme.tabs[0].id).not.toBe(onlyTabId); // fresh tab
-  });
-
-  it("validateWorkspaceSlugs drops groups for slugs not in the valid set and repoints active", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.switchWorkspace("butter");
-    store.switchWorkspace("acme");
-    expect(useTabStore.getState().activeWorkspaceSlug).toBe("acme");
-
-    // Admin removed the user from acme
-    store.validateWorkspaceSlugs(new Set(["butter"]));
-    const s = useTabStore.getState();
-    expect(Object.keys(s.byWorkspace)).toEqual(["butter"]);
-    expect(s.activeWorkspaceSlug).toBe("butter");
-  });
-
-  it("validateWorkspaceSlugs sets activeWorkspaceSlug to null when all groups are dropped", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.validateWorkspaceSlugs(new Set());
-    const s = useTabStore.getState();
-    expect(s.byWorkspace).toEqual({});
-    expect(s.activeWorkspaceSlug).toBeNull();
-  });
-
-  it("reset wipes the whole store", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.switchWorkspace("butter");
-    store.reset();
-    const s = useTabStore.getState();
-    expect(s.activeWorkspaceSlug).toBeNull();
-    expect(s.byWorkspace).toEqual({});
-  });
-
-  it("setActiveTab across workspaces also flips the active workspace", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.switchWorkspace("butter");
-    const acmeTabId = useTabStore.getState().byWorkspace.acme.tabs[0].id;
-    store.setActiveTab(acmeTabId);
-    expect(useTabStore.getState().activeWorkspaceSlug).toBe("acme");
-  });
-});
--- a/apps/desktop/src/renderer/src/stores/tab-store.ts
+++ b/apps/desktop/src/renderer/src/stores/tab-store.ts
@@ -3,7 +3,7 @@ import { createJSONStorage, persist } from "zustand/middleware";
 import { arrayMove } from "@dnd-kit/sortable";
 import { createPersistStorage, defaultStorage } from "@multica/core/platform";
 import { createSafeId } from "@multica/core/utils";
-import { isReservedSlug } from "@multica/core/paths";
+import { isGlobalPath, isReservedSlug } from "@multica/core/paths";
 import type { DataRouter } from "react-router-dom";
 import { createTabRouter } from "../routes";

@@ -13,7 +13,6 @@ import { createTabRouter } from "../routes";

 export interface Tab {
  id: string;
-  /** Every tab path is workspace-scoped: `/{workspaceSlug}/{route}/...`. */
  path: string;
  title: string;
  icon: string;
@@ -22,77 +21,33 @@ export interface Tab {
  historyLength: number;
 }

-export interface WorkspaceTabGroup {
-  tabs: Tab[];
-  /** Must be a valid tab.id in `tabs`; the empty-tabs state is transient only. */
-  activeTabId: string;
-}
-
 interface TabStore {
-  /**
-   * The workspace currently visible in the TabBar / TabContent. Null in three
-   * cases:
-   *   - Fresh install, before any workspace exists or is selected.
-   *   - Logged-out state (reset() wipes it).
-   *   - Every workspace the user had access to got deleted / revoked.
-   * When null, TabContent renders nothing and the WindowOverlay takes over.
-   */
-  activeWorkspaceSlug: string | null;
+  tabs: Tab[];
+  activeTabId: string;

-  /**
-   * Tab groups keyed by workspace slug. Each slug maps to an independent
-   * (tabs, activeTabId) pair; switching workspaces swaps the visible set
-   * without affecting any other group. Cross-workspace tab leakage — the
-   * bug that drove this refactor — is impossible by construction because
-   * there is no global tab array anymore.
-   */
-  byWorkspace: Record<string, WorkspaceTabGroup>;
-
-  /**
-   * Switch to a workspace.
-   *   - If the group doesn't exist yet, create it with a single default tab.
-   *   - If `openPath` is given, find a tab with that exact path and activate
-   *     it; otherwise add a new tab and activate it.
-   *   - If `openPath` is omitted, restore the group's last active tab
-   *     (VSCode / Slack behavior — workspaces resume where you left off).
-   */
-  switchWorkspace: (slug: string, openPath?: string) => void;
-  /** Open-or-activate (dedupes by path) a tab in the active workspace. */
+  /** Open a background tab. Deduplicates by path. Returns the tab id. */
  openTab: (path: string, title: string, icon: string) => string;
-  /** Always creates a new tab (no dedupe) in the active workspace. */
+  /** Always create a new tab (no dedup). Returns the tab id. */
  addTab: (path: string, title: string, icon: string) => string;
-  /**
-   * Close a tab. Finds it across all workspaces (callers like the X button
-   * only know the tab id, not the owning workspace). If this is the last
-   * tab in its workspace, reseed a default tab so the invariant
-   * "every live workspace has at least one tab" holds.
-   */
+  /** Close a tab. Disposes router. */
  closeTab: (tabId: string) => void;
-  /**
-   * Activate a tab. Finds it across all workspaces. Sets both the owning
-   * workspace as active and that group's activeTabId; needed for any code
-   * path that "jumps" to a tab belonging to a non-active workspace.
-   */
+  /** Switch to a tab by id. */
  setActiveTab: (tabId: string) => void;
-  /** Patch metadata of a tab (router-sync, title-sync). Finds across groups. */
+  /** Update a tab's metadata (path, title, icon — partial). */
  updateTab: (tabId: string, patch: Partial<Pick<Tab, "path" | "title" | "icon">>) => void;
-  /** Patch history tracking of a tab. Finds across groups. */
+  /** Update a tab's history tracking. */
  updateTabHistory: (tabId: string, historyIndex: number, historyLength: number) => void;
-  /** Reorder within the active workspace's group only. */
+  /** Reorder tabs by moving one from fromIndex to toIndex. Preserves router/history. */
  moveTab: (fromIndex: number, toIndex: number) => void;
  /**
-   * After the workspace list arrives/changes (login, realtime delete), drop
-   * any tab group whose slug is no longer in `validSlugs`, and repoint
-   * `activeWorkspaceSlug` if it pointed at one of the dropped groups.
+   * Reset any tab whose first path segment references a workspace slug the
+   * current user doesn't have access to. Called after login + workspace list
+   * is populated (and on every subsequent list change, e.g. realtime
+   * workspace:deleted). Stale tabs get reset to `/` so IndexRedirect picks
+   * a valid workspace; tabs on global paths (/login, /workspaces/new, etc.)
+   * are untouched.
   */
  validateWorkspaceSlugs: (validSlugs: Set<string>) => void;
-  /**
-   * Wipe everything. Called from logout so the next user doesn't inherit
-   * the prior user's tabs. Zustand persist only writes to localStorage;
-   * clearing the storage key alone would leave this live store intact
-   * until app restart.
-   */
-  reset: () => void;
 }

 // ---------------------------------------------------------------------------
@@ -112,594 +67,232 @@ const ROUTE_ICONS: Record<string, string> = {
 };

 /**
- * Resolve a route icon from a pathname.
+ * Resolve a route icon from a pathname. Title is NOT determined here — it
+ * comes from document.title.
 *
- * Tab paths are always workspace-scoped: `/{slug}/{route}/...`, so the route
- * segment lives at index 1. Pre-workspace flows (create, invite) are rendered
- * by the window overlay, never as tabs.
+ * Path shape after the workspace URL refactor:
+ *  - workspace-scoped: `/{workspaceSlug}/{route}/...` → use segment index 1
+ *  - global (workspaces/new, invite, auth, login): `/{route}/...` → use segment index 0
 *
- * Title is NOT determined here — it comes from document.title.
+ * `isGlobalPath` is the single source of truth for which prefixes are global.
 */
 export function resolveRouteIcon(pathname: string): string {
  const segments = pathname.split("/").filter(Boolean);
-  return ROUTE_ICONS[segments[1] ?? ""] ?? "ListTodo";
-}
-
-/** Extract the leading workspace slug from a path, or null if the path
- *  isn't workspace-scoped (global path, root, or empty). */
-function extractWorkspaceSlug(path: string): string | null {
-  const first = path.split("/").filter(Boolean)[0] ?? "";
-  if (!first) return null;
-  if (isReservedSlug(first)) return null;
-  return first;
-}
-
-// ---------------------------------------------------------------------------
-// Path sanitization (defensive)
-// ---------------------------------------------------------------------------
-
-/**
- * Defensive: catch paths that don't belong in the tab store.
- *
- * Two kinds of rejects:
- *  1. **Transition paths** (`/workspaces/new`, `/invite/...`). These are
- *     pre-workspace flows rendered by the window overlay on desktop, not
- *     tab routes. The navigation adapter normally intercepts these before
- *     they reach the store; this guard catches older persisted state.
- *  2. **Malformed workspace-scoped paths** like a stray `/issues/abc` that
- *     was constructed without the workspace prefix. The router would
- *     interpret `issues` as a workspace slug → NoAccessPage.
- *
- * Returns null for rejects (caller decides how to recover — usually by
- * dropping the tab or substituting a default). Unlike the prior design,
- * there is no root "/" sentinel — tabs are always scoped.
- */
-export function sanitizeTabPath(path: string): string | null {
-  const firstSegment = path.split("/").filter(Boolean)[0] ?? "";
-  if (!firstSegment) return null;
-  if (isReservedSlug(firstSegment)) {
-    // Don't log for known transition paths — these are legitimate inputs
-    // at the interception boundary (older persisted state or stale callers).
-    const isTransition = path === "/workspaces/new" || path.startsWith("/invite/");
-    if (!isTransition) {
-      // eslint-disable-next-line no-console
-      console.warn(
-        `[tab-store] tab path "${path}" starts with reserved slug "${firstSegment}" — ` +
-          `caller likely forgot the workspace prefix. Dropping.`,
-      );
-    }
-    return null;
-  }
-  return path;
-}
-
-// ---------------------------------------------------------------------------
-// Tab factory
-// ---------------------------------------------------------------------------
-
-function createId(): string {
-  return createSafeId();
-}
-
-function makeTab(path: string, title: string, icon: string): Tab {
-  return {
-    id: createId(),
-    path,
-    title,
-    icon,
-    router: createTabRouter(path),
-    historyIndex: 0,
-    historyLength: 1,
-  };
-}
-
-/** Default entry point for a workspace — its issues list. */
-function defaultPathFor(slug: string): string {
-  return `/${slug}/issues`;
-}
-
-function defaultTabFor(slug: string): Tab {
-  const path = defaultPathFor(slug);
-  return makeTab(path, "Issues", resolveRouteIcon(path));
-}
-
-// ---------------------------------------------------------------------------
-// Group helpers
-// ---------------------------------------------------------------------------
-
-function findTabLocation(
-  byWorkspace: Record<string, WorkspaceTabGroup>,
-  tabId: string,
-): { slug: string; group: WorkspaceTabGroup; index: number } | null {
-  for (const slug of Object.keys(byWorkspace)) {
-    const group = byWorkspace[slug];
-    const index = group.tabs.findIndex((t) => t.id === tabId);
-    if (index >= 0) return { slug, group, index };
-  }
-  return null;
+  const routeSegment = isGlobalPath(pathname)
+    ? (segments[0] ?? "")
+    : (segments[1] ?? "");
+  return ROUTE_ICONS[routeSegment] ?? "ListTodo";
 }

 // ---------------------------------------------------------------------------
 // Store
 // ---------------------------------------------------------------------------

+/**
+ * Sentinel path for new tabs with no explicit destination. The tab store is
+ * workspace-implicit — it doesn't know which workspace is active, so it can't
+ * build a `/:slug/issues` path itself. Instead we hand off to the router: `/`
+ * matches the top-level index route, which redirects to the workspace default
+ * (slug-aware redirect lives in routes.tsx / App.tsx).
+ *
+ * `title` and `icon` on the placeholder tab get overwritten by
+ * useTabRouterSync + useActiveTitleSync once the redirect resolves.
+ */
+const DEFAULT_PATH = "/";
+
+function createId(): string {
+  return createSafeId();
+}
+
+/**
+ * Defensive: catch tab paths that were constructed without a workspace slug
+ * (e.g. a hardcoded "/issues" leftover from before the URL refactor). Such
+ * paths would get matched as `workspaceSlug="issues"` by the router and
+ * render NoAccessPage. Sanitize by falling back to "/" (IndexRedirect picks
+ * a valid workspace).
+ *
+ * Passes through:
+ *  - "/" and global paths (/login, /workspaces/new, /invite/..., /auth/...)
+ *  - workspace-scoped paths whose first segment is not a reserved word
+ *
+ * Rejects (and rewrites to "/"):
+ *  - Paths whose first segment is a reserved slug (=/=workspace slug), which
+ *    means the caller forgot to prefix the workspace. Logs a warning so the
+ *    buggy call site is easy to find.
+ */
+export function sanitizeTabPath(path: string): string {
+  if (path === DEFAULT_PATH || isGlobalPath(path)) return path;
+  const firstSegment = path.split("/").filter(Boolean)[0] ?? "";
+  if (isReservedSlug(firstSegment)) {
+    // eslint-disable-next-line no-console
+    console.warn(
+      `[tab-store] tab path "${path}" starts with reserved slug "${firstSegment}" — ` +
+        `caller likely forgot the workspace prefix. Falling back to "/".`,
+    );
+    return DEFAULT_PATH;
+  }
+  return path;
+}
+
+function makeTab(path: string, title: string, icon: string): Tab {
+  const safePath = sanitizeTabPath(path);
+  return {
+    id: createId(),
+    path: safePath,
+    title,
+    icon,
+    router: createTabRouter(safePath),
+    historyIndex: 0,
+    historyLength: 1,
+  };
+}
+
+const initialTab = makeTab(DEFAULT_PATH, "Issues", resolveRouteIcon(DEFAULT_PATH));
+
 export const useTabStore = create<TabStore>()(
  persist(
    (set, get) => ({
-      activeWorkspaceSlug: null,
-      byWorkspace: {},
+  tabs: [initialTab],
+  activeTabId: initialTab.id,

-      switchWorkspace(slug, openPath) {
-        // Defensive no-op if slug is empty/invalid — callers like the
-        // NavigationAdapter's path-parser should already have filtered
-        // these, but belt-and-braces keeps garbage out of the store.
-        if (!slug) return;
-        const { byWorkspace } = get();
-        const existing = byWorkspace[slug];
+  openTab(path, title, icon) {
+    const { tabs } = get();
+    const existing = tabs.find((t) => t.path === path);
+    if (existing) return existing.id;

-        // Decide the desired active path for this workspace.
-        const desiredPath = openPath ?? (existing ? null : defaultPathFor(slug));
+    const tab = makeTab(path, title, icon);
+    set({ tabs: [...tabs, tab] });
+    return tab.id;
+  },

-        if (!existing) {
-          // First time entering this workspace — create the group.
-          const seedPath =
-            desiredPath && sanitizeTabPath(desiredPath) === desiredPath
-              ? desiredPath
-              : defaultPathFor(slug);
-          const tab = makeTab(seedPath, "Issues", resolveRouteIcon(seedPath));
-          set({
-            activeWorkspaceSlug: slug,
-            byWorkspace: {
-              ...byWorkspace,
-              [slug]: { tabs: [tab], activeTabId: tab.id },
-            },
-          });
-          return;
-        }
+  addTab(path, title, icon) {
+    const tab = makeTab(path, title, icon);
+    set((s) => ({ tabs: [...s.tabs, tab] }));
+    return tab.id;
+  },

-        // Workspace already has tabs. Either dedupe into an existing tab or
-        // add a new one (when openPath was supplied and no tab matches it).
-        if (desiredPath) {
-          const clean = sanitizeTabPath(desiredPath);
-          if (clean) {
-            const match = existing.tabs.find((t) => t.path === clean);
-            if (match) {
-              set({
-                activeWorkspaceSlug: slug,
-                byWorkspace: {
-                  ...byWorkspace,
-                  [slug]: { ...existing, activeTabId: match.id },
-                },
-              });
-              return;
-            }
-            const tab = makeTab(clean, "Issues", resolveRouteIcon(clean));
-            set({
-              activeWorkspaceSlug: slug,
-              byWorkspace: {
-                ...byWorkspace,
-                [slug]: {
-                  tabs: [...existing.tabs, tab],
-                  activeTabId: tab.id,
-                },
-              },
-            });
-            return;
-          }
-        }
+  closeTab(tabId) {
+    const { tabs, activeTabId } = get();

-        // No openPath (or openPath was rejected) — just restore the group.
-        set({ activeWorkspaceSlug: slug });
-      },
+    const closingTab = tabs.find((t) => t.id === tabId);

-      openTab(path, title, icon) {
-        const { activeWorkspaceSlug, byWorkspace } = get();
-        const clean = sanitizeTabPath(path);
-        if (!activeWorkspaceSlug || !clean) return "";
-        const group = byWorkspace[activeWorkspaceSlug];
-        if (!group) return "";
+    // Never close the last tab — replace with default
+    if (tabs.length === 1) {
+      closingTab?.router.dispose();
+      const fresh = makeTab(DEFAULT_PATH, "Issues", resolveRouteIcon(DEFAULT_PATH));
+      set({ tabs: [fresh], activeTabId: fresh.id });
+      return;
+    }

-        const existing = group.tabs.find((t) => t.path === clean);
-        if (existing) {
-          set({
-            byWorkspace: {
-              ...byWorkspace,
-              [activeWorkspaceSlug]: { ...group, activeTabId: existing.id },
-            },
-          });
-          return existing.id;
-        }
+    const idx = tabs.findIndex((t) => t.id === tabId);
+    if (idx === -1) return;

-        const tab = makeTab(clean, title, icon);
-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [activeWorkspaceSlug]: {
-              tabs: [...group.tabs, tab],
-              activeTabId: group.activeTabId,
-            },
-          },
-        });
-        return tab.id;
-      },
+    closingTab?.router.dispose();
+    const next = tabs.filter((t) => t.id !== tabId);

-      addTab(path, title, icon) {
-        const { activeWorkspaceSlug, byWorkspace } = get();
-        const clean = sanitizeTabPath(path);
-        if (!activeWorkspaceSlug || !clean) return "";
-        const group = byWorkspace[activeWorkspaceSlug];
-        if (!group) return "";
+    if (tabId === activeTabId) {
+      const newActive = next[Math.min(idx, next.length - 1)];
+      set({ tabs: next, activeTabId: newActive.id });
+    } else {
+      set({ tabs: next });
+    }
+  },

-        const tab = makeTab(clean, title, icon);
-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [activeWorkspaceSlug]: {
-              tabs: [...group.tabs, tab],
-              activeTabId: group.activeTabId,
-            },
-          },
-        });
-        return tab.id;
-      },
+  setActiveTab(tabId) {
+    set({ activeTabId: tabId });
+  },

-      closeTab(tabId) {
-        const { byWorkspace } = get();
-        const hit = findTabLocation(byWorkspace, tabId);
-        if (!hit) return;
-        const { slug, group, index } = hit;
+  updateTab(tabId, patch) {
+    set((s) => ({
+      tabs: s.tabs.map((t) =>
+        t.id === tabId ? { ...t, ...patch } : t,
+      ),
+    }));
+  },

-        const closing = group.tabs[index];
-        closing.router.dispose();
+  updateTabHistory(tabId, historyIndex, historyLength) {
+    set((s) => ({
+      tabs: s.tabs.map((t) =>
+        t.id === tabId ? { ...t, historyIndex, historyLength } : t,
+      ),
+    }));
+  },

-        if (group.tabs.length === 1) {
-          // Last tab in this workspace — reseed a default so the workspace
-          // always has at least one tab. Closing a workspace as an explicit
-          // action is a separate concern (Leave/Delete in Settings).
-          const fresh = defaultTabFor(slug);
-          set({
-            byWorkspace: {
-              ...byWorkspace,
-              [slug]: { tabs: [fresh], activeTabId: fresh.id },
-            },
-          });
-          return;
-        }
+  moveTab(fromIndex, toIndex) {
+    if (fromIndex === toIndex) return;
+    set((s) => ({ tabs: arrayMove(s.tabs, fromIndex, toIndex) }));
+  },

-        const nextTabs = group.tabs.filter((t) => t.id !== tabId);
-        const nextActiveTabId =
-          group.activeTabId === tabId
-            ? nextTabs[Math.min(index, nextTabs.length - 1)].id
-            : group.activeTabId;
+  validateWorkspaceSlugs(validSlugs) {
+    const { tabs } = get();
+    let changed = false;
+    const nextTabs = tabs.map((t) => {
+      // Skip tabs on non-workspace-scoped paths — nothing to validate.
+      if (t.path === "/" || isGlobalPath(t.path)) return t;

-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [slug]: { tabs: nextTabs, activeTabId: nextActiveTabId },
-          },
-        });
-      },
+      const firstSegment = t.path.split("/").filter(Boolean)[0] ?? "";
+      if (validSlugs.has(firstSegment)) return t;

-      setActiveTab(tabId) {
-        const { byWorkspace, activeWorkspaceSlug } = get();
-        const hit = findTabLocation(byWorkspace, tabId);
-        if (!hit) return;
-        const { slug, group } = hit;
-        if (slug === activeWorkspaceSlug && group.activeTabId === tabId) return;
-        set({
-          activeWorkspaceSlug: slug,
-          byWorkspace: {
-            ...byWorkspace,
-            [slug]: { ...group, activeTabId: tabId },
-          },
-        });
-      },
+      // Stale slug: dispose the old router and replace with a fresh one
+      // pointing at `/`. IndexRedirect will send the tab to a valid
+      // workspace (or /workspaces/new if the user now has none).
+      changed = true;
+      t.router.dispose();
+      return {
+        ...t,
+        path: DEFAULT_PATH,
+        title: "Issues",
+        icon: resolveRouteIcon(DEFAULT_PATH),
+        router: createTabRouter(DEFAULT_PATH),
+        historyIndex: 0,
+        historyLength: 1,
+      };
+    });

-      updateTab(tabId, patch) {
-        const { byWorkspace } = get();
-        const hit = findTabLocation(byWorkspace, tabId);
-        if (!hit) return;
-        const { slug, group, index } = hit;
-        const current = group.tabs[index];
-        const next: Tab = { ...current, ...patch };
-        const nextTabs = [...group.tabs];
-        nextTabs[index] = next;
-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [slug]: { ...group, tabs: nextTabs },
-          },
-        });
-      },
-
-      updateTabHistory(tabId, historyIndex, historyLength) {
-        const { byWorkspace } = get();
-        const hit = findTabLocation(byWorkspace, tabId);
-        if (!hit) return;
-        const { slug, group, index } = hit;
-        const current = group.tabs[index];
-        const next: Tab = { ...current, historyIndex, historyLength };
-        const nextTabs = [...group.tabs];
-        nextTabs[index] = next;
-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [slug]: { ...group, tabs: nextTabs },
-          },
-        });
-      },
-
-      moveTab(fromIndex, toIndex) {
-        if (fromIndex === toIndex) return;
-        const { activeWorkspaceSlug, byWorkspace } = get();
-        if (!activeWorkspaceSlug) return;
-        const group = byWorkspace[activeWorkspaceSlug];
-        if (!group) return;
-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [activeWorkspaceSlug]: {
-              ...group,
-              tabs: arrayMove(group.tabs, fromIndex, toIndex),
-            },
-          },
-        });
-      },
-
-      validateWorkspaceSlugs(validSlugs) {
-        const { activeWorkspaceSlug, byWorkspace } = get();
-        let changed = false;
-        const nextByWorkspace: Record<string, WorkspaceTabGroup> = {};
-        for (const slug of Object.keys(byWorkspace)) {
-          if (validSlugs.has(slug)) {
-            nextByWorkspace[slug] = byWorkspace[slug];
-          } else {
-            changed = true;
-            for (const t of byWorkspace[slug].tabs) t.router.dispose();
-          }
-        }
-
-        let nextActive = activeWorkspaceSlug;
-        if (nextActive && !validSlugs.has(nextActive)) {
-          nextActive = Object.keys(nextByWorkspace)[0] ?? null;
-          changed = true;
-        }
-
-        if (!changed) return;
-        set({ byWorkspace: nextByWorkspace, activeWorkspaceSlug: nextActive });
-      },
-
-      reset() {
-        const { byWorkspace } = get();
-        for (const slug of Object.keys(byWorkspace)) {
-          for (const t of byWorkspace[slug].tabs) t.router.dispose();
-        }
-        set({ activeWorkspaceSlug: null, byWorkspace: {} });
-      },
+    if (!changed) return;
+    set({ tabs: nextTabs });
+  },
    }),
    {
      name: "multica_tabs",
-      version: 2,
+      version: 1,
      storage: createJSONStorage(() => createPersistStorage(defaultStorage)),
-      migrate: (persistedState, version) => {
-        // v1 → v2: flat `tabs` array → per-workspace grouping.
-        // Tabs whose path isn't workspace-scoped (root `/`, login, etc.)
-        // are dropped — they have no workspace to belong to, and the new
-        // model's invariant is "every tab lives in a workspace group".
-        if (version < 2 && persistedState && typeof persistedState === "object") {
-          return migrateV1ToV2(persistedState as Partial<V1Persisted>);
-        }
-        return persistedState as V2Persisted;
-      },
      partialize: (state) => ({
-        activeWorkspaceSlug: state.activeWorkspaceSlug,
-        byWorkspace: Object.fromEntries(
-          Object.entries(state.byWorkspace).map(([slug, group]) => [
-            slug,
-            {
-              activeTabId: group.activeTabId,
-              tabs: group.tabs.map(
-                ({ router: _router, historyIndex: _hi, historyLength: _hl, ...rest }) =>
-                  rest,
-              ),
-            },
-          ]),
+        tabs: state.tabs.map(
+          ({ router, historyIndex, historyLength, ...rest }) => rest,
        ),
+        activeTabId: state.activeTabId,
      }),
      merge: (persistedState, currentState) => {
-        const persisted = persistedState as Partial<V2Persisted> | undefined;
-        if (!persisted?.byWorkspace) return currentState;
+        const persisted = persistedState as
+          | Pick<TabStore, "tabs" | "activeTabId">
+          | undefined;
+        if (!persisted?.tabs?.length) return currentState;

-        const byWorkspace: Record<string, WorkspaceTabGroup> = {};
-        for (const [slug, pGroup] of Object.entries(persisted.byWorkspace)) {
-          const tabs: Tab[] = [];
-          for (const pTab of pGroup.tabs) {
-            const clean = sanitizeTabPath(pTab.path);
-            // Persisted path may have come from a stale version or a
-            // manual edit. Drop rather than rewrite so we never silently
-            // put users on a path that doesn't match the group's slug.
-            if (!clean || extractWorkspaceSlug(clean) !== slug) {
-              // eslint-disable-next-line no-console
-              console.warn(
-                `[tab-store] dropping persisted tab "${pTab.path}" from ` +
-                  `group "${slug}" — path/slug mismatch`,
-              );
-              continue;
-            }
-            tabs.push({
-              id: pTab.id,
-              path: clean,
-              title: pTab.title,
-              icon: pTab.icon,
-              router: createTabRouter(clean),
-              historyIndex: 0,
-              historyLength: 1,
-            });
-          }
-          if (tabs.length === 0) continue;
-          const activeTabId = tabs.some((t) => t.id === pGroup.activeTabId)
-            ? pGroup.activeTabId
-            : tabs[0].id;
-          byWorkspace[slug] = { tabs, activeTabId };
-        }
+        const tabs: Tab[] = persisted.tabs.map((tab) => {
+          // Sanitize persisted paths against reserved-slug rules. Catches
+          // both pre-refactor paths like "/issues/abc" (missing workspace
+          // slug) and any other malformed paths that slipped past the
+          // write-time guard. The defense across makeTab + merge + runtime
+          // validate ensures stale or malformed paths never reach the
+          // router.
+          const path = sanitizeTabPath(tab.path);
+          return {
+            ...tab,
+            path,
+            router: createTabRouter(path),
+            historyIndex: 0,
+            historyLength: 1,
+          };
+        });

-        const activeWorkspaceSlug =
-          persisted.activeWorkspaceSlug && byWorkspace[persisted.activeWorkspaceSlug]
-            ? persisted.activeWorkspaceSlug
-            : (Object.keys(byWorkspace)[0] ?? null);
+        // Validate activeTabId — fall back to first tab if stale
+        const activeTabId = tabs.some((t) => t.id === persisted.activeTabId)
+          ? persisted.activeTabId
+          : tabs[0].id;

-        return { ...currentState, byWorkspace, activeWorkspaceSlug };
+        return { ...currentState, tabs, activeTabId };
      },
    },
  ),
 );
-
-// ---------------------------------------------------------------------------
-// Persisted shapes (for migration)
-// ---------------------------------------------------------------------------
-
-interface V1Tab {
-  id: string;
-  path: string;
-  title: string;
-  icon: string;
-}
-
-interface V1Persisted {
-  tabs: V1Tab[];
-  activeTabId: string;
-}
-
-interface V2PersistedTab {
-  id: string;
-  path: string;
-  title: string;
-  icon: string;
-}
-
-interface V2PersistedGroup {
-  tabs: V2PersistedTab[];
-  activeTabId: string;
-}
-
-interface V2Persisted {
-  activeWorkspaceSlug: string | null;
-  byWorkspace: Record<string, V2PersistedGroup>;
-}
-
-export function migrateV1ToV2(v1: Partial<V1Persisted>): V2Persisted {
-  const byWorkspace: Record<string, V2PersistedGroup> = {};
-  const oldTabs = v1.tabs ?? [];
-  for (const tab of oldTabs) {
-    const slug = extractWorkspaceSlug(tab.path);
-    if (!slug) continue; // drop root / global-path tabs
-    if (!byWorkspace[slug]) byWorkspace[slug] = { tabs: [], activeTabId: "" };
-    byWorkspace[slug].tabs.push({
-      id: tab.id,
-      path: tab.path,
-      title: tab.title,
-      icon: tab.icon,
-    });
-  }
-
-  // Each group needs a valid activeTabId. Prefer the one from v1 if it
-  // landed in this group; otherwise fall back to the first tab.
-  for (const slug of Object.keys(byWorkspace)) {
-    const group = byWorkspace[slug];
-    const hasOldActive = group.tabs.some((t) => t.id === v1.activeTabId);
-    group.activeTabId = hasOldActive
-      ? (v1.activeTabId as string)
-      : group.tabs[0].id;
-  }
-
-  // Active workspace: whichever group inherited the v1 activeTab, falling
-  // back to the first group we created (arbitrary but deterministic given
-  // Object.keys iteration order on string keys).
-  let activeWorkspaceSlug: string | null = null;
-  for (const slug of Object.keys(byWorkspace)) {
-    if (byWorkspace[slug].activeTabId === v1.activeTabId) {
-      activeWorkspaceSlug = slug;
-      break;
-    }
-  }
-  if (!activeWorkspaceSlug) {
-    activeWorkspaceSlug = Object.keys(byWorkspace)[0] ?? null;
-  }
-
-  return { activeWorkspaceSlug, byWorkspace };
-}
-
-// ---------------------------------------------------------------------------
-// Selectors (convenience hooks)
-// ---------------------------------------------------------------------------
-
-/**
- * Pure non-hook helper — useful from event handlers / effects that already
- * need `.getState()`. For React subscriptions prefer the stable selectors
- * below.
- */
-export function getActiveTab(s: TabStore): Tab | null {
-  if (!s.activeWorkspaceSlug) return null;
-  const group = s.byWorkspace[s.activeWorkspaceSlug];
-  if (!group) return null;
-  return group.tabs.find((t) => t.id === group.activeTabId) ?? null;
-}
-
-/**
- * The active workspace's tab group, or null when no workspace is active.
- *
- * Zustand compares selector returns with `Object.is`. Because `updateTab`
- * /  `updateTabHistory` replace the group object on every router tick
- * (immutable update), this selector returns a new reference on every
- * router event — that's fine for TabBar which needs to observe tab-list
- * changes, but don't use this selector from components that only care
- * about one primitive (use `useActiveTabHistory` / `useActiveTabRouter`
- * instead).
- */
-export function useActiveGroup(): WorkspaceTabGroup | null {
-  return useTabStore((s) =>
-    s.activeWorkspaceSlug ? (s.byWorkspace[s.activeWorkspaceSlug] ?? null) : null,
-  );
-}
-
-/**
- * Active tab id + active workspace slug as a compact pair. Both primitives
- * are stable across unrelated store updates — e.g. an inactive tab's
- * router tick doesn't churn these, so consumers don't re-render.
- *
- * Useful anywhere you'd previously have reached for `useActiveTab()` and
- * only needed the identity (for memoization, effect deps, ipc).
- */
-export function useActiveTabIdentity(): { slug: string | null; tabId: string | null } {
-  const slug = useTabStore((s) => s.activeWorkspaceSlug);
-  const tabId = useTabStore((s) =>
-    s.activeWorkspaceSlug
-      ? (s.byWorkspace[s.activeWorkspaceSlug]?.activeTabId ?? null)
-      : null,
-  );
-  return { slug, tabId };
-}
-
-/**
- * Active tab's router — a stable reference across tab updates, because
- * routers are created once per tab and never replaced by `updateTab`.
- * Subscribers only re-render when the active tab *changes*, not on
- * router events within the current tab.
- */
-export function useActiveTabRouter(): DataRouter | null {
-  return useTabStore((s) => getActiveTab(s)?.router ?? null);
-}
-
-/**
- * History tracking for the active tab as primitives. Subscribers re-render
- * only when the numeric index / length change (i.e. on actual navigations),
- * not on unrelated store updates.
- */
-export function useActiveTabHistory(): {
-  historyIndex: number;
-  historyLength: number;
-} {
-  const historyIndex = useTabStore((s) => getActiveTab(s)?.historyIndex ?? 0);
-  const historyLength = useTabStore((s) => getActiveTab(s)?.historyLength ?? 1);
-  return { historyIndex, historyLength };
-}
--- a/apps/desktop/src/renderer/src/stores/window-overlay-store.ts
+++ b/apps/desktop/src/renderer/src/stores/window-overlay-store.ts
@@ -1,30 +0,0 @@
-import { create } from "zustand";
-
-/**
- * Window-level transition overlay: pre-workspace flows that are NOT pages
- * inside a tab. Triggered by navigation-adapter interception, zero-workspace
- * auto-redirect, or deep link; rendered above the tab system as a full-window
- * takeover.
- *
- * These flows used to be routes (`/workspaces/new`, `/invite/:id`) but on
- * desktop the URL is invisible to users — routes are an implementation detail
- * of the tab system. Representing transitions as routes meant tabs tried to
- * persist them, TabBar rendered on top, and invite deep-linking had no clean
- * dispatch target. Modeling them as application state removes all three.
- */
-export type WindowOverlay =
-  | { type: "new-workspace" }
-  | { type: "invite"; invitationId: string }
-  | { type: "onboarding" };
-
-interface WindowOverlayStore {
-  overlay: WindowOverlay | null;
-  open: (overlay: WindowOverlay) => void;
-  close: () => void;
-}
-
-export const useWindowOverlayStore = create<WindowOverlayStore>((set) => ({
-  overlay: null,
-  open: (overlay) => set({ overlay }),
-  close: () => set({ overlay: null }),
-}));
--- a/apps/docs/app/(home)/layout.tsx
+++ b/apps/docs/app/(home)/layout.tsx
@@ -0,0 +1,7 @@
+import type { ReactNode } from "react";
+import { HomeLayout } from "fumadocs-ui/layouts/home";
+import { baseOptions } from "@/app/layout.config";
+
+export default function Layout({ children }: { children: ReactNode }) {
+  return <HomeLayout {...baseOptions}>{children}</HomeLayout>;
+}
--- a/apps/docs/app/(home)/page.tsx
+++ b/apps/docs/app/(home)/page.tsx
@@ -0,0 +1,29 @@
+import Link from "next/link";
+
+export default function HomePage() {
+  return (
+    <main className="flex min-h-screen flex-col items-center justify-center gap-6 text-center px-4">
+      <h1 className="text-4xl font-bold tracking-tight sm:text-5xl">
+        Multica Documentation
+      </h1>
+      <p className="max-w-2xl text-lg text-fd-muted-foreground">
+        The open-source managed agents platform. Turn coding agents into real
+        teammates — assign tasks, track progress, compound skills.
+      </p>
+      <div className="flex gap-4">
+        <Link
+          href="/docs"
+          className="inline-flex items-center rounded-md bg-fd-primary px-6 py-3 text-sm font-medium text-fd-primary-foreground transition-colors hover:bg-fd-primary/90"
+        >
+          Get Started
+        </Link>
+        <Link
+          href="https://github.com/multica-ai/multica"
+          className="inline-flex items-center rounded-md border border-fd-border px-6 py-3 text-sm font-medium transition-colors hover:bg-fd-accent"
+        >
+          GitHub
+        </Link>
+      </div>
+    </main>
+  );
+}
--- a/apps/docs/app/docs/[[...slug]]/page.tsx
+++ b/apps/docs/app/docs/[[...slug]]/page.tsx
@@ -10,7 +10,7 @@ import defaultMdxComponents from "fumadocs-ui/mdx";
 import type { Metadata } from "next";

 export default async function Page(props: {
-  params: Promise<{ slug: string[] }>;
+  params: Promise<{ slug?: string[] }>;
 }) {
  const params = await props.params;
  const page = source.getPage(params.slug);
@@ -29,12 +29,12 @@ export default async function Page(props: {
  );
 }

-export function generateStaticParams() {
-  return source.generateParams().filter((p) => p.slug.length > 0);
+export async function generateStaticParams() {
+  return source.generateParams();
 }

 export async function generateMetadata(props: {
-  params: Promise<{ slug: string[] }>;
+  params: Promise<{ slug?: string[] }>;
 }): Promise<Metadata> {
  const params = await props.params;
  const page = source.getPage(params.slug);
--- a/apps/docs/app/docs/layout.tsx
+++ b/apps/docs/app/docs/layout.tsx
@@ -0,0 +1,12 @@
+import { DocsLayout } from "fumadocs-ui/layouts/docs";
+import type { ReactNode } from "react";
+import { baseOptions } from "@/app/layout.config";
+import { source } from "@/lib/source";
+
+export default function Layout({ children }: { children: ReactNode }) {
+  return (
+    <DocsLayout tree={source.pageTree} {...baseOptions}>
+      {children}
+    </DocsLayout>
+  );
+}
--- a/apps/docs/app/layout.config.tsx
+++ b/apps/docs/app/layout.config.tsx
@@ -1,4 +1,5 @@
 import type { BaseLayoutProps } from "fumadocs-ui/layouts/shared";
+import { BookOpen, Terminal, Rocket, Code } from "lucide-react";

 export const baseOptions: BaseLayoutProps = {
  nav: {
@@ -7,6 +8,11 @@ export const baseOptions: BaseLayoutProps = {
    ),
  },
  links: [
+    {
+      text: "Documentation",
+      url: "/docs",
+      active: "nested-url",
+    },
    {
      text: "GitHub",
      url: "https://github.com/multica-ai/multica",
--- a/apps/docs/app/layout.tsx
+++ b/apps/docs/app/layout.tsx
@@ -1,10 +1,7 @@
 import "./global.css";
 import { RootProvider } from "fumadocs-ui/provider";
-import { DocsLayout } from "fumadocs-ui/layouts/docs";
 import type { ReactNode } from "react";
 import type { Metadata } from "next";
-import { baseOptions } from "@/app/layout.config";
-import { source } from "@/lib/source";

 export const metadata: Metadata = {
  title: {
@@ -19,11 +16,7 @@ export default function Layout({ children }: { children: ReactNode }) {
  return (
    <html lang="en" suppressHydrationWarning>
      <body>
-        <RootProvider>
-          <DocsLayout tree={source.pageTree} {...baseOptions}>
-            {children}
-          </DocsLayout>
-        </RootProvider>
+        <RootProvider>{children}</RootProvider>
      </body>
    </html>
  );
--- a/apps/docs/app/not-found.tsx
+++ b/apps/docs/app/not-found.tsx
@@ -1,18 +0,0 @@
-import Link from "next/link";
-
-export default function NotFound() {
-  return (
-    <main className="flex flex-1 flex-col items-center justify-center gap-4 px-4 py-24 text-center">
-      <h1 className="text-3xl font-semibold">Page not found</h1>
-      <p className="text-fd-muted-foreground">
-        The page you are looking for doesn&apos;t exist.
-      </p>
-      <Link
-        href="/"
-        className="inline-flex items-center rounded-md bg-fd-primary px-4 py-2 text-sm font-medium text-fd-primary-foreground transition-colors hover:bg-fd-primary/90"
-      >
-        Back to docs
-      </Link>
-    </main>
-  );
-}
--- a/apps/docs/app/page.tsx
+++ b/apps/docs/app/page.tsx
@@ -1,37 +0,0 @@
-import { source } from "@/lib/source";
-import {
-  DocsPage,
-  DocsBody,
-  DocsDescription,
-  DocsTitle,
-} from "fumadocs-ui/page";
-import { notFound } from "next/navigation";
-import defaultMdxComponents from "fumadocs-ui/mdx";
-import type { Metadata } from "next";
-
-export default function Page() {
-  const page = source.getPage([]);
-  if (!page) notFound();
-
-  const MDX = page.data.body;
-
-  return (
-    <DocsPage toc={page.data.toc}>
-      <DocsTitle>{page.data.title}</DocsTitle>
-      <DocsDescription>{page.data.description}</DocsDescription>
-      <DocsBody>
-        <MDX components={{ ...defaultMdxComponents }} />
-      </DocsBody>
-    </DocsPage>
-  );
-}
-
-export function generateMetadata(): Metadata {
-  const page = source.getPage([]);
-  if (!page) notFound();
-
-  return {
-    title: page.data.title,
-    description: page.data.description,
-  };
-}
--- a/apps/docs/content/docs/cli/installation.mdx
+++ b/apps/docs/content/docs/cli/installation.mdx
@@ -68,7 +68,7 @@ multica setup

 This configures the CLI for Multica Cloud, opens your browser for login, discovers your workspaces, and starts the agent daemon.

-For self-hosted servers, use `multica setup self-host` instead. See [Self-Hosting](/getting-started/self-hosting) for details.
+For self-hosted servers, use `multica setup self-host` instead. See [Self-Hosting](/docs/getting-started/self-hosting) for details.

 ## Verify

--- a/apps/docs/content/docs/cli/reference.mdx
+++ b/apps/docs/content/docs/cli/reference.mdx
@@ -212,7 +212,7 @@ multica issue list --priority urgent --assignee "Agent Name"
 multica issue list --limit 20 --output json
 ```

-Available filters: `--status`, `--priority`, `--assignee`, `--project`, `--limit`.
+Available filters: `--status`, `--priority`, `--assignee`, `--limit`.

 ### Get Issue

@@ -227,7 +227,7 @@ multica issue get <id> --output json
 multica issue create --title "Fix login bug" --description "..." --priority high --assignee "Lambda"
 ```

-Flags: `--title` (required), `--description`, `--status`, `--priority`, `--assignee`, `--parent`, `--project`, `--due-date`.
+Flags: `--title` (required), `--description`, `--status`, `--priority`, `--assignee`, `--parent`, `--due-date`.

 ### Update Issue

@@ -281,70 +281,6 @@ multica issue run-messages <task-id> --output json
 multica issue run-messages <task-id> --since 42 --output json
 ```

-## Projects
-
-Projects group related issues (e.g. a sprint, an epic, a workstream). Every project
-belongs to a workspace and can optionally have a lead (member or agent).
-
-### List Projects
-
-```bash
-multica project list
-multica project list --status in_progress
-multica project list --output json
-```
-
-Available filters: `--status`.
-
-### Get Project
-
-```bash
-multica project get <id>
-multica project get <id> --output json
-```
-
-### Create Project
-
-```bash
-multica project create --title "2026 Week 16 Sprint" --icon "🏃" --lead "Lambda"
-```
-
-Flags: `--title` (required), `--description`, `--status`, `--icon`, `--lead`.
-
-### Update Project
-
-```bash
-multica project update <id> --title "New title" --status in_progress
-multica project update <id> --lead "Lambda"
-```
-
-Flags: `--title`, `--description`, `--status`, `--icon`, `--lead`.
-
-### Change Status
-
-```bash
-multica project status <id> in_progress
-```
-
-Valid statuses: `planned`, `in_progress`, `paused`, `completed`, `cancelled`.
-
-### Delete Project
-
-```bash
-multica project delete <id>
-```
-
-### Associating Issues with Projects
-
-Use the `--project` flag on `issue create` / `issue update` to attach an issue to a
-project, or on `issue list` to filter issues by project:
-
-```bash
-multica issue create --title "Login bug" --project <project-id>
-multica issue update <issue-id> --project <project-id>
-multica issue list --project <project-id>
-```
-
 ## Configuration

 ### View Config
--- a/apps/docs/content/docs/developers/contributing.mdx
+++ b/apps/docs/content/docs/developers/contributing.mdx
@@ -169,16 +169,6 @@ Stop PostgreSQL and keep local databases:
 make db-down
 ```

-Reset only the current checkout's database (drops `POSTGRES_DB`, recreates it, re-runs all migrations). Other worktree databases are untouched.
-
-```bash
-make stop
-make db-reset
-make start
-```
-
-> `make db-reset` refuses to run if `DATABASE_URL` points at a remote host.
-
 Wipe all local PostgreSQL data:

 ```bash
--- a/apps/docs/content/docs/getting-started/self-hosting.mdx
+++ b/apps/docs/content/docs/getting-started/self-hosting.mdx
@@ -31,7 +31,7 @@ curl -fsSL https://raw.githubusercontent.com/multica-ai/multica/main/scripts/ins
 multica setup self-host
 ```

-This installs the CLI, checks out the latest self-host assets, pulls the official Multica images from GHCR, and configures everything for localhost. Then open http://localhost:3000 and pick a login method: configure `RESEND_API_KEY` in `.env` for email-based codes (recommended), or set `APP_ENV=development` in `.env` to enable the dev master code **`888888`**. See [Step 2 — Log In](#step-2--log-in) for details.
+This clones the repo, starts all services, installs the CLI, and configures it for localhost. Then open http://localhost:3000 — log in with any email + code **`888888`**.

 <Callout>
 If the self-host server is already running and you only need the CLI on a macOS/Linux machine, install it with Homebrew: `brew install multica-ai/tap/multica`.
@@ -53,31 +53,21 @@ make selfhost

 `make selfhost` automatically creates `.env`, generates a random `JWT_SECRET`, and starts all services via Docker Compose.

-By default it pulls the latest stable release images from GHCR. To build the backend/web from your current checkout instead, run `make selfhost-build`.
-If the selected GHCR tag has not been published yet, `make selfhost` now tells you to fall back to `make selfhost-build`.
-`make selfhost-build` uses local `multica-backend:dev` / `multica-web:dev` tags, so it does not overwrite the pulled `:latest` images.
-
 Once ready:

 - **Frontend:** http://localhost:3000
 - **Backend API:** http://localhost:8080

 <Callout>
-If you prefer running the Docker Compose steps manually: `cp .env.example .env`, edit `JWT_SECRET`, then `docker compose -f docker-compose.selfhost.yml pull && docker compose -f docker-compose.selfhost.yml up -d`.
+If you prefer running the Docker Compose steps manually: `cp .env.example .env`, edit `JWT_SECRET`, then `docker compose -f docker-compose.selfhost.yml up -d`.
 </Callout>

 ### Step 2 — Log In

-Open http://localhost:3000. The Docker self-host stack defaults to `APP_ENV=production` (set in `docker-compose.selfhost.yml`), so the dev master code is **disabled by default** for safety on public deployments. Pick one of the following to log in:
-
- **Recommended (production):** configure `RESEND_API_KEY` in `.env`, then restart the backend. Real verification codes will be sent to the email address you enter. See [Configuration](#configuration) below.
- **Evaluation / private network:** set `APP_ENV=development` in `.env` and restart the backend. Verification code **`888888`** will then work for any email address.
- **Without configuring either:** the verification code is generated server-side and printed to the backend container logs (look for `[DEV] Verification code for ...:`). Useful for one-off testing on a single machine.
-
-Changes to `ALLOW_SIGNUP` and `GOOGLE_CLIENT_ID` also take effect after restarting the backend / compose stack. The web UI reads both from `/api/config` at runtime, so no web rebuild is needed.
+Open http://localhost:3000. Enter any email address and use verification code **`888888`** to log in.

 <Callout>
-**Warning:** do **not** set `APP_ENV=development` on a publicly reachable instance — anyone who knows an email address can then log in with `888888`.
+This master code works in all non-production environments (when `APP_ENV` is not set to `production`). For production, configure an email provider — see [Configuration](#configuration) below.
 </Callout>

 ### Step 3 — Install CLI & Start Daemon
@@ -157,15 +147,14 @@ This reconfigures the CLI for multica.ai, re-authenticates, and restarts the dae
 Your local Docker services are unaffected. Stop them separately if you no longer need them.
 </Callout>

-## Upgrading
+## Rebuilding After Updates

 ```bash
-docker compose -f docker-compose.selfhost.yml pull
-docker compose -f docker-compose.selfhost.yml up -d
+git pull
+make selfhost
 ```

-Pin `MULTICA_IMAGE_TAG` in `.env` to an exact version like `v0.2.4` if you want to stay on a specific release. Migrations run automatically on backend startup.
-If the selected GHCR tag has not been published yet, fall back to `make selfhost-build` or `docker compose -f docker-compose.selfhost.yml -f docker-compose.selfhost.build.yml up -d --build`.
+Migrations run automatically on backend startup.

 ---

@@ -198,18 +187,6 @@ Multica uses email-based magic link authentication via [Resend](https://resend.c
 | `GOOGLE_CLIENT_SECRET` | Google OAuth client secret |
 | `GOOGLE_REDIRECT_URI` | OAuth callback URL (e.g. `https://app.example.com/auth/callback`) |

-Changes take effect after restarting the backend / compose stack. The web UI reads `GOOGLE_CLIENT_ID` from `/api/config` at runtime, so no web rebuild is needed.
-
-### Signup Controls (Optional)
-
-| Variable | Description |
-|----------|-------------|
-| `ALLOW_SIGNUP` | Set to `false` to disable new user signups on a private instance |
-| `ALLOWED_EMAIL_DOMAINS` | Optional comma-separated allowlist of email domains |
-| `ALLOWED_EMAILS` | Optional comma-separated allowlist of exact email addresses |
-
-Changes take effect after restarting the backend / compose stack. The web UI reads `ALLOW_SIGNUP` from `/api/config` at runtime, so no web rebuild is needed.
-
 ### File Storage (Optional)

 For file uploads and attachments, configure S3 and CloudFront:
@@ -221,14 +198,7 @@ For file uploads and attachments, configure S3 and CloudFront:
 | `CLOUDFRONT_DOMAIN` | CloudFront distribution domain |
 | `CLOUDFRONT_KEY_PAIR_ID` | CloudFront key pair ID for signed URLs |
 | `CLOUDFRONT_PRIVATE_KEY` | CloudFront private key (PEM format) |
-
-### Cookies
-
-| Variable | Description |
-|----------|-------------|
-| `COOKIE_DOMAIN` | Optional `Domain` attribute for session + CloudFront cookies. **Leave empty** for single-host deployments (localhost, LAN IP, or a single hostname). Only set it when the frontend and backend sit on different subdomains of one registered domain (e.g. `.example.com`). **Do not use an IP literal** — RFC 6265 forbids IP addresses in the cookie `Domain` attribute and browsers will drop such `Set-Cookie` headers. |
-
-The `Secure` flag on session cookies is derived automatically from the scheme of `FRONTEND_ORIGIN`: HTTPS origins get `Secure` cookies; plain-HTTP origins (LAN / private-network self-host) get non-secure cookies so the browser can actually store them.
+| `COOKIE_DOMAIN` | Domain for CloudFront auth cookies |

 ### Server

--- a/apps/docs/content/docs/index.mdx
+++ b/apps/docs/content/docs/index.mdx
@@ -41,7 +41,7 @@ No more copy-pasting prompts. No more babysitting runs. Your agents show up on t

 ## Next Steps

- [Cloud Quickstart](/getting-started/cloud-quickstart)
- [Self-Hosting](/getting-started/self-hosting)
- [CLI Installation](/cli/installation)
- [Contributing](/developers/contributing)
+- [Cloud Quickstart](/docs/getting-started/cloud-quickstart)
+- [Self-Hosting](/docs/getting-started/self-hosting)
+- [CLI Installation](/docs/cli/installation)
+- [Contributing](/docs/developers/contributing)
--- a/apps/docs/lib/source.ts
+++ b/apps/docs/lib/source.ts
@@ -2,6 +2,6 @@ import { docs } from "@/.source";
 import { loader } from "fumadocs-core/source";

 export const source = loader({
-  baseUrl: "/",
+  baseUrl: "/docs",
  source: docs.toFumadocsSource(),
 });
--- a/apps/docs/next.config.mjs
+++ b/apps/docs/next.config.mjs
@@ -5,7 +5,6 @@ const withMDX = createMDX();
 /** @type {import('next').NextConfig} */
 const config = {
  reactStrictMode: true,
-  basePath: "/docs",
 };

 export default withMDX(config);
--- a/apps/web/app/(auth)/invite/[id]/page.tsx
+++ b/apps/web/app/(auth)/invite/[id]/page.tsx
@@ -2,10 +2,8 @@

 import { useEffect } from "react";
 import { useRouter, useParams } from "next/navigation";
-import { useQuery } from "@tanstack/react-query";
 import { useAuthStore } from "@multica/core/auth";
 import { paths } from "@multica/core/paths";
-import { workspaceListOptions } from "@multica/core/workspace/queries";
 import { InvitePage } from "@multica/views/invite";

 export default function InviteAcceptPage() {
@@ -13,10 +11,6 @@ export default function InviteAcceptPage() {
  const params = useParams<{ id: string }>();
  const user = useAuthStore((s) => s.user);
  const isLoading = useAuthStore((s) => s.isLoading);
-  const { data: wsList = [] } = useQuery({
-    ...workspaceListOptions(),
-    enabled: !!user,
-  });

  // Redirect to login if not authenticated, with a redirect back to this page.
  useEffect(() => {
@@ -29,8 +23,5 @@ export default function InviteAcceptPage() {

  if (isLoading || !user) return null;

-  const onBack =
-    wsList.length > 0 ? () => router.push(paths.root()) : undefined;
-
-  return <InvitePage invitationId={params.id} onBack={onBack} />;
+  return <InvitePage invitationId={params.id} />;
 }
--- a/apps/web/app/(auth)/login/page.test.tsx
+++ b/apps/web/app/(auth)/login/page.test.tsx
@@ -11,51 +11,32 @@ function createWrapper() {
  );
 }

-const {
-  mockSendCode,
-  mockVerifyCode,
-  mockIssueCliToken,
-  searchParamsState,
-  authStateRef,
-} = vi.hoisted(() => ({
+const { mockSendCode, mockVerifyCode } = vi.hoisted(() => ({
  mockSendCode: vi.fn(),
  mockVerifyCode: vi.fn(),
-  mockIssueCliToken: vi.fn(),
-  searchParamsState: { params: new URLSearchParams() },
-  authStateRef: {
-    state: {
-      sendCode: vi.fn(),
-      verifyCode: vi.fn(),
-      user: null as null | { id: string; email: string },
-      isLoading: false,
-    },
-  },
 }));

 // Mock next/navigation
 vi.mock("next/navigation", () => ({
  useRouter: () => ({ push: vi.fn(), replace: vi.fn() }),
  usePathname: () => "/login",
-  useSearchParams: () => searchParamsState.params,
+  useSearchParams: () => new URLSearchParams(),
 }));

 // Mock auth store — shared LoginPage uses getState().sendCode/verifyCode,
-// web wrapper uses useAuthStore((s) => s.user/isLoading). Keep the real
-// sanitizeNextUrl so the redirect-sanitization rules are exercised rather
-// than silently drifting behind a mock reimplementation.
-vi.mock("@multica/core/auth", async () => {
-  const actual =
-    await vi.importActual<typeof import("@multica/core/auth")>(
-      "@multica/core/auth",
-    );
-  authStateRef.state.sendCode = mockSendCode;
-  authStateRef.state.verifyCode = mockVerifyCode;
+// web wrapper uses useAuthStore((s) => s.user/isLoading)
+vi.mock("@multica/core/auth", () => {
+  const authState = {
+    sendCode: mockSendCode,
+    verifyCode: mockVerifyCode,
+    user: null,
+    isLoading: false,
+  };
  const useAuthStore = Object.assign(
-    (selector: (s: typeof authStateRef.state) => unknown) =>
-      selector(authStateRef.state),
-    { getState: () => authStateRef.state },
+    (selector: (s: typeof authState) => unknown) => selector(authState),
+    { getState: () => authState },
  );
-  return { ...actual, useAuthStore };
+  return { useAuthStore };
 });

 // Mock auth-cookie
@@ -70,7 +51,6 @@ vi.mock("@multica/core/api", () => ({
    verifyCode: vi.fn(),
    setToken: vi.fn(),
    getMe: vi.fn(),
-    issueCliToken: mockIssueCliToken,
  },
 }));

@@ -79,9 +59,6 @@ import LoginPage from "./page";
 describe("LoginPage", () => {
  beforeEach(() => {
    vi.clearAllMocks();
-    searchParamsState.params = new URLSearchParams();
-    authStateRef.state.user = null;
-    authStateRef.state.isLoading = false;
  });

  it("renders login form with email input and continue button", () => {
@@ -154,44 +131,4 @@ describe("LoginPage", () => {
      expect(screen.getByText("Network error")).toBeInTheDocument();
    });
  });
-
-  // Regression: MUL-1080 — if the user is already authenticated on the web
-  // and the Desktop app redirects them to /login?platform=desktop, the web
-  // must exchange the cookie session for a bearer token and hand it off via
-  // the multica:// deep link, not silently redirect to the workspace page.
-  it("mints a token and deep-links to Desktop when already logged in with platform=desktop", async () => {
-    searchParamsState.params = new URLSearchParams({ platform: "desktop" });
-    authStateRef.state.user = { id: "u1", email: "test@multica.ai" };
-    mockIssueCliToken.mockImplementation(() =>
-      Promise.resolve({ token: "handoff-jwt" }),
-    );
-
-    const hrefSetter = vi.fn();
-    const originalLocation = window.location;
-    Object.defineProperty(window, "location", {
-      configurable: true,
-      value: { ...originalLocation, set href(value: string) { hrefSetter(value); } },
-    });
-
-    try {
-      render(<LoginPage />, { wrapper: createWrapper() });
-
-      await waitFor(() => {
-        expect(mockIssueCliToken).toHaveBeenCalledTimes(1);
-      });
-      await waitFor(() => {
-        expect(hrefSetter).toHaveBeenCalledWith(
-          "multica://auth/callback?token=handoff-jwt",
-        );
-      });
-      expect(
-        await screen.findByRole("button", { name: "Open Multica Desktop" }),
-      ).toBeInTheDocument();
-    } finally {
-      Object.defineProperty(window, "location", {
-        configurable: true,
-        value: originalLocation,
-      });
-    }
-  });
 });
--- a/apps/web/app/(auth)/login/page.tsx
+++ b/apps/web/app/(auth)/login/page.tsx
@@ -1,36 +1,20 @@
 "use client";

-import { Suspense, useEffect, useState } from "react";
+import { Suspense, useEffect } from "react";
 import { useSearchParams, useRouter } from "next/navigation";
 import { useQueryClient } from "@tanstack/react-query";
-import { sanitizeNextUrl, useAuthStore } from "@multica/core/auth";
-import { useConfigStore } from "@multica/core/config";
+import { useAuthStore } from "@multica/core/auth";
 import { workspaceKeys } from "@multica/core/workspace/queries";
-import {
-  paths,
-  resolvePostAuthDestination,
-  useHasOnboarded,
-} from "@multica/core/paths";
-import { api } from "@multica/core/api";
+import { paths } from "@multica/core/paths";
 import type { Workspace } from "@multica/core/types";
-import {
-  Card,
-  CardHeader,
-  CardTitle,
-  CardDescription,
-  CardContent,
-} from "@multica/ui/components/ui/card";
-import { Button } from "@multica/ui/components/ui/button";
-import { Loader2 } from "lucide-react";
-import { captureDownloadIntent } from "@multica/core/analytics";
 import { setLoggedInCookie } from "@/features/auth/auth-cookie";
-import Link from "next/link";
 import { LoginPage, validateCliCallback } from "@multica/views/auth";

+const googleClientId = process.env.NEXT_PUBLIC_GOOGLE_CLIENT_ID;
+
 function LoginPageContent() {
  const router = useRouter();
  const qc = useQueryClient();
-  const googleClientId = useConfigStore((state) => state.googleClientId);
  const user = useAuthStore((s) => s.user);
  const isLoading = useAuthStore((s) => s.isLoading);
  const searchParams = useSearchParams();
@@ -38,67 +22,40 @@ function LoginPageContent() {
  const cliCallbackRaw = searchParams.get("cli_callback");
  const cliState = searchParams.get("cli_state") || "";
  const platform = searchParams.get("platform");
-  const isDesktopHandoff = platform === "desktop" && !cliCallbackRaw;
  // `next` carries a protected URL the user was originally headed to
  // (e.g. /invite/{id}). With URL-driven workspaces there is no legacy
  // "/issues" default — if `next` is absent we decide after login based on
-  // the user's workspace list. Sanitize first so a crafted `?next=https://evil`
-  // cannot bounce the user off-origin after a successful login.
-  const nextUrl = sanitizeNextUrl(searchParams.get("next"));
-
-  const [desktopToken, setDesktopToken] = useState<string | null>(null);
-  const [desktopError, setDesktopError] = useState("");
-  const hasOnboarded = useHasOnboarded();
+  // the user's workspace list.
+  const nextUrl = searchParams.get("next");

  // Already authenticated — honor ?next= or fall back to first workspace
-  // (or /onboarding if the user has none). Skip this entire path when
+  // (or /workspaces/new if the user has none). Skip this entire path when
  // the user arrived to authorize the CLI.
  useEffect(() => {
    if (isLoading || !user || cliCallbackRaw) return;
-    if (isDesktopHandoff) {
-      // Desktop opened the browser for login but the web session is already
-      // authenticated — mint a bearer token from the cookie session and hand
-      // it off via deep link instead of silently redirecting to the workspace.
-      api
-        .issueCliToken()
-        .then(({ token }) => {
-          setDesktopToken(token);
-          window.location.href = `multica://auth/callback?token=${encodeURIComponent(token)}`;
-        })
-        .catch((err) => {
-          setDesktopError(
-            err instanceof Error ? err.message : "Failed to prepare Desktop sign-in",
-          );
-        });
-      return;
-    }
-    if (!hasOnboarded) {
-      router.replace(paths.onboarding());
-      return;
-    }
    if (nextUrl) {
      router.replace(nextUrl);
      return;
    }
    const list = qc.getQueryData<Workspace[]>(workspaceKeys.list()) ?? [];
-    router.replace(resolvePostAuthDestination(list, hasOnboarded));
-  }, [isLoading, user, router, nextUrl, cliCallbackRaw, isDesktopHandoff, hasOnboarded, qc]);
+    const [first] = list;
+    router.replace(
+      first ? paths.workspace(first.slug).issues() : paths.newWorkspace(),
+    );
+  }, [isLoading, user, router, nextUrl, cliCallbackRaw, qc]);

  const handleSuccess = () => {
-    // Read the latest user snapshot directly — the closure's `hasOnboarded`
-    // was captured before login completed and would be stale here.
-    const currentUser = useAuthStore.getState().user;
-    const onboarded = currentUser?.onboarded_at != null;
-    if (!onboarded) {
-      router.push(paths.onboarding());
-      return;
-    }
    if (nextUrl) {
      router.push(nextUrl);
      return;
    }
+    // The LoginPage view populates the workspace list cache before calling
+    // onSuccess, so it's safe to read here.
    const list = qc.getQueryData<Workspace[]>(workspaceKeys.list()) ?? [];
-    router.push(resolvePostAuthDestination(list, onboarded));
+    const [first] = list;
+    router.push(
+      first ? paths.workspace(first.slug).issues() : paths.newWorkspace(),
+    );
  };

  // Build Google OAuth state: encode platform + next URL so the callback
@@ -110,52 +67,6 @@ function LoginPageContent() {
    .filter(Boolean)
    .join(",") || undefined;

-  // While the desktop handoff is in progress (or has produced a token/error),
-  // render a dedicated screen instead of flashing the login form or redirecting
-  // away to a workspace page.
-  if (isDesktopHandoff && user) {
-    if (desktopError) {
-      return (
-        <div className="flex min-h-screen items-center justify-center">
-          <Card className="w-full max-w-sm">
-            <CardHeader className="text-center">
-              <CardTitle className="text-2xl">Sign-in Failed</CardTitle>
-              <CardDescription>{desktopError}</CardDescription>
-            </CardHeader>
-          </Card>
-        </div>
-      );
-    }
-    return (
-      <div className="flex min-h-screen items-center justify-center">
-        <Card className="w-full max-w-sm">
-          <CardHeader className="text-center">
-            <CardTitle className="text-2xl">Opening Multica</CardTitle>
-            <CardDescription>
-              {desktopToken
-                ? "You should see a prompt to open the Multica desktop app. If nothing happens, click the button below."
-                : "Preparing Desktop sign-in..."}
-            </CardDescription>
-          </CardHeader>
-          <CardContent className="flex justify-center">
-            {desktopToken ? (
-              <Button
-                variant="outline"
-                onClick={() => {
-                  window.location.href = `multica://auth/callback?token=${encodeURIComponent(desktopToken)}`;
-                }}
-              >
-                Open Multica Desktop
-              </Button>
-            ) : (
-              <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
-            )}
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
  return (
    <LoginPage
      onSuccess={handleSuccess}
@@ -174,22 +85,6 @@ function LoginPageContent() {
          : undefined
      }
      onTokenObtained={setLoggedInCookie}
-      extra={
-        // Web-only nudge toward the desktop app. Copy is hardcoded EN
-        // for now because the login route sits outside the landing
-        // group's LocaleProvider — if this page ever becomes
-        // locale-aware, the strings live in positioning doc §3.3.
-        <span className="text-xs text-muted-foreground">
-          Prefer the desktop app?{" "}
-          <Link
-            href="/download"
-            onClick={() => captureDownloadIntent("login")}
-            className="font-medium text-foreground underline decoration-foreground/30 underline-offset-4 hover:decoration-foreground/70"
-          >
-            Download
-          </Link>
-        </span>
-      }
    />
  );
 }
--- a/apps/web/app/(auth)/onboarding/page.tsx
+++ b/apps/web/app/(auth)/onboarding/page.tsx
@@ -1,72 +0,0 @@
-"use client";
-
-import { useEffect } from "react";
-import { useRouter } from "next/navigation";
-import { useQuery } from "@tanstack/react-query";
-import { useAuthStore } from "@multica/core/auth";
-import {
-  paths,
-  resolvePostAuthDestination,
-  useHasOnboarded,
-} from "@multica/core/paths";
-import { workspaceListOptions } from "@multica/core/workspace/queries";
-import { CliInstallInstructions, OnboardingFlow } from "@multica/views/onboarding";
-
-/**
- * Web shell for the onboarding flow. The route is the platform chrome on
- * web (matching `WindowOverlay` on desktop); content is the shared
- * `<OnboardingFlow />`. Kept minimal — guard on auth, render, exit.
- *
- * On complete: if a workspace was just created, navigate into it;
- * otherwise fall back to root (proxy / landing picks the user's first ws
- * or bounces to onboarding if still zero).
- *
- * `CliInstallInstructions` is passed in as the `runtimeInstructions`
- * slot so the flow can render it inside the CLI dialog. The commands it
- * shows are hardcoded — nothing environmental to thread through.
- */
-export default function OnboardingPage() {
-  const router = useRouter();
-  const user = useAuthStore((s) => s.user);
-  const isLoading = useAuthStore((s) => s.isLoading);
-  const hasOnboarded = useHasOnboarded();
-  const { data: workspaces = [], isFetched: workspacesFetched } = useQuery({
-    ...workspaceListOptions(),
-    enabled: !!user && hasOnboarded,
-  });
-
-  useEffect(() => {
-    if (isLoading || !user) {
-      if (!isLoading && !user) router.replace(paths.login());
-      return;
-    }
-    if (hasOnboarded && workspacesFetched) {
-      router.replace(resolvePostAuthDestination(workspaces, hasOnboarded));
-    }
-  }, [isLoading, user, hasOnboarded, workspacesFetched, workspaces, router]);
-
-  if (isLoading || !user || hasOnboarded) return null;
-
-  // Layout: page owns its own scroll (root layout sets `body {
-  // overflow: hidden }` for the app-shell convention). OnboardingFlow
-  // owns the per-step width constraint internally — Welcome renders a
-  // wide two-column hero, all other steps wrap themselves at max-w-xl.
-  return (
-    <div className="h-full overflow-y-auto bg-background">
-      <OnboardingFlow
-        onComplete={(ws) => {
-          // No more firstIssueId handoff — the welcome issue is created
-          // inside the workspace via StarterContentPrompt, not during
-          // onboarding. Always land on the workspace issues list (or
-          // root if the flow never produced a workspace).
-          if (ws) {
-            router.push(paths.workspace(ws.slug).issues());
-          } else {
-            router.push(paths.root());
-          }
-        }}
-        runtimeInstructions={<CliInstallInstructions />}
-      />
-    </div>
-  );
-}
--- a/apps/web/app/(auth)/workspaces/new/page.tsx
+++ b/apps/web/app/(auth)/workspaces/new/page.tsx
@@ -2,20 +2,14 @@

 import { useRouter } from "next/navigation";
 import { useEffect } from "react";
-import { useQuery } from "@tanstack/react-query";
 import { useAuthStore } from "@multica/core/auth";
 import { paths } from "@multica/core/paths";
-import { workspaceListOptions } from "@multica/core/workspace/queries";
 import { NewWorkspacePage } from "@multica/views/workspace/new-workspace-page";

 export default function Page() {
  const router = useRouter();
  const user = useAuthStore((s) => s.user);
  const isLoading = useAuthStore((s) => s.isLoading);
-  const { data: wsList = [] } = useQuery({
-    ...workspaceListOptions(),
-    enabled: !!user,
-  });

  useEffect(() => {
    if (!isLoading && !user) router.replace(paths.login());
@@ -23,16 +17,9 @@ export default function Page() {

  if (isLoading || !user) return null;

-  // Back goes to the root path — the workspace layout redirects from
-  // there to the user's default workspace. Only show Back when there's
-  // somewhere to go back to (user already has at least one workspace).
-  const onBack =
-    wsList.length > 0 ? () => router.push(paths.root()) : undefined;
-
  return (
    <NewWorkspacePage
      onSuccess={(ws) => router.push(paths.workspace(ws.slug).issues())}
-      onBack={onBack}
    />
  );
 }
--- a/apps/web/app/(landing)/download/download-client.tsx
+++ b/apps/web/app/(landing)/download/download-client.tsx
@@ -1,140 +0,0 @@
-"use client";
-
-import { useEffect, useState } from "react";
-import Link from "next/link";
-import { LandingHeader } from "@/features/landing/components/landing-header";
-import { LandingFooter } from "@/features/landing/components/landing-footer";
-import { DownloadHero } from "@/features/landing/components/download/hero";
-import { AllPlatforms } from "@/features/landing/components/download/all-platforms";
-import { CliSection } from "@/features/landing/components/download/cli-section";
-import { CloudSection } from "@/features/landing/components/download/cloud-section";
-import { useLocale } from "@/features/landing/i18n";
-import {
-  detectOS,
-  type DetectResult,
-} from "@/features/landing/utils/os-detect";
-import type { LatestRelease } from "@/features/landing/utils/github-release";
-import { captureDownloadPageViewed } from "@multica/core/analytics";
-
-const ALL_RELEASES_URL =
-  "https://github.com/multica-ai/multica/releases";
-
-export function DownloadClient({ release }: { release: LatestRelease }) {
-  const [detected, setDetected] = useState<DetectResult | null>(null);
-  const versionUnavailable = release.version === null;
-
-  useEffect(() => {
-    let cancelled = false;
-    detectOS().then((result) => {
-      if (cancelled) return;
-      setDetected(result);
-      // Fires once per page mount after detect resolves. Carries the
-      // detect outcome + version-unavailable flag so PostHog can split
-      // Safari-mac-arm64 fallback rate, Intel-Mac dead-end rate, and
-      // rate-limit degraded sessions. `first_detected_os/arch` is
-      // $set_once'd on the person so every downstream event gains a
-      // platform dimension (useful for "Android visitors who later
-      // downloaded Windows" style cross-device queries once we land
-      // the desktop install closure).
-      captureDownloadPageViewed({
-        detected_os: result.os,
-        detected_arch: result.arch,
-        detect_confident: result.archConfident,
-        version_available: !versionUnavailable,
-      });
-    });
-    return () => {
-      cancelled = true;
-    };
-  }, [versionUnavailable]);
-
-  const releaseHtmlUrl = release.htmlUrl ?? ALL_RELEASES_URL;
-
-  return (
-    <>
-      {/* Positioning context for the dark-variant LandingHeader —
-          mirrors multica-landing.tsx. The header is `absolute top-0
-          inset-x-0`, so it anchors to this `relative` wrapper and
-          scrolls off together with the dark hero below. Without the
-          wrapper, `absolute` would escape to the initial containing
-          block and read as fixed. */}
-      <div className="relative">
-        <LandingHeader variant="dark" />
-        <DownloadHero
-          detected={detected}
-          assets={release.assets}
-          versionUnavailable={versionUnavailable}
-          version={release.version}
-        />
-      </div>
-
-      <AllPlatforms
-        assets={release.assets}
-        fallbackHref={ALL_RELEASES_URL}
-        version={release.version}
-        detected={detected}
-      />
-      <CliSection />
-      <CloudSection />
-      <VersionInfoFooter
-        version={release.version}
-        releaseHtmlUrl={releaseHtmlUrl}
-      />
-      <LandingFooter />
-    </>
-  );
-}
-
-function VersionInfoFooter({
-  version,
-  releaseHtmlUrl,
-}: {
-  version: string | null;
-  releaseHtmlUrl: string;
-}) {
-  const { t } = useLocale();
-  const d = t.download.footer;
-
-  return (
-    <section className="bg-white pb-16 text-[#0a0d12] sm:pb-20">
-      <div className="mx-auto flex max-w-[920px] flex-wrap items-center gap-x-6 gap-y-2 border-t border-[#0a0d12]/8 px-4 pt-8 text-[13px] text-[#0a0d12]/60 sm:px-6 lg:px-8">
-        {version ? (
-          <>
-            <span>
-              {d.currentVersion.replace("{version}", version)}
-            </span>
-            <span aria-hidden className="text-[#0a0d12]/25">
-              ·
-            </span>
-            <Link
-              href={releaseHtmlUrl}
-              className="underline decoration-[#0a0d12]/30 underline-offset-4 hover:text-[#0a0d12] hover:decoration-[#0a0d12]/70"
-              target="_blank"
-              rel="noreferrer"
-            >
-              {d.releaseNotes.replace("{version}", version)}
-            </Link>
-            <span aria-hidden className="text-[#0a0d12]/25">
-              ·
-            </span>
-          </>
-        ) : (
-          <>
-            <span>{d.versionUnavailable}</span>
-            <span aria-hidden className="text-[#0a0d12]/25">
-              ·
-            </span>
-          </>
-        )}
-        <Link
-          href={ALL_RELEASES_URL}
-          className="underline decoration-[#0a0d12]/30 underline-offset-4 hover:text-[#0a0d12] hover:decoration-[#0a0d12]/70"
-          target="_blank"
-          rel="noreferrer"
-        >
-          {d.allReleases}
-        </Link>
-      </div>
-    </section>
-  );
-}
--- a/apps/web/app/(landing)/download/page.tsx
+++ b/apps/web/app/(landing)/download/page.tsx
@@ -1,29 +0,0 @@
-import type { Metadata } from "next";
-import { fetchLatestRelease } from "@/features/landing/utils/github-release";
-import { DownloadClient } from "./download-client";
-
-// Vercel ISR: the server fetch inside fetchLatestRelease carries
-// `next: { revalidate: 300 }`, which makes GitHub API cost at most
-// one request per region per 5 minutes. Page-level revalidate mirrors
-// that window so the first paint also refreshes every 5 minutes.
-export const revalidate = 300;
-
-export const metadata: Metadata = {
-  title: "Download Multica",
-  description:
-    "Download Multica for macOS, Windows, or Linux — or install the CLI for servers and remote dev boxes.",
-  openGraph: {
-    title: "Download Multica",
-    description:
-      "Get the Multica desktop app with a bundled daemon, or install the CLI for servers and remote dev boxes.",
-    url: "/download",
-  },
-  alternates: {
-    canonical: "/download",
-  },
-};
-
-export default async function DownloadPage() {
-  const release = await fetchLatestRelease();
-  return <DownloadClient release={release} />;
-}
--- a/apps/web/app/[workspaceSlug]/(dashboard)/layout.tsx
+++ b/apps/web/app/[workspaceSlug]/(dashboard)/layout.tsx
@@ -4,21 +4,13 @@ import { DashboardLayout } from "@multica/views/layout";
 import { MulticaIcon } from "@multica/ui/components/common/multica-icon";
 import { SearchCommand, SearchTrigger } from "@multica/views/search";
 import { ChatFab, ChatWindow } from "@multica/views/chat";
-import { StarterContentPrompt } from "@multica/views/onboarding";

 export default function Layout({ children }: { children: React.ReactNode }) {
  return (
    <DashboardLayout
      loadingIndicator={<MulticaIcon className="size-6" />}
      searchSlot={<SearchTrigger />}
-      extra={
-        <>
-          <SearchCommand />
-          <ChatWindow />
-          <ChatFab />
-          <StarterContentPrompt />
-        </>
-      }
+      extra={<><SearchCommand /><ChatWindow /><ChatFab /></>}
    >
      {children}
    </DashboardLayout>
--- a/apps/web/app/[workspaceSlug]/(dashboard)/loading.tsx
+++ b/apps/web/app/[workspaceSlug]/(dashboard)/loading.tsx
@@ -0,0 +1,28 @@
+import { Skeleton } from "@multica/ui/components/ui/skeleton";
+
+export default function DashboardLoading() {
+  return (
+    <div className="flex flex-1 min-h-0 flex-col">
+      {/* Header skeleton */}
+      <div className="flex h-12 shrink-0 items-center gap-2 border-b px-4">
+        <Skeleton className="h-5 w-5 rounded" />
+        <Skeleton className="h-4 w-32" />
+      </div>
+      {/* Toolbar skeleton */}
+      <div className="flex h-12 shrink-0 items-center justify-between border-b px-4">
+        <Skeleton className="h-5 w-24" />
+        <Skeleton className="h-8 w-24" />
+      </div>
+      {/* Content skeleton */}
+      <div className="flex-1 p-4 space-y-3">
+        {Array.from({ length: 6 }).map((_, i) => (
+          <div key={i} className="flex items-center gap-3">
+            <Skeleton className="h-4 w-4 rounded" />
+            <Skeleton className="h-4 flex-1 max-w-md" />
+            <Skeleton className="h-4 w-16" />
+          </div>
+        ))}
+      </div>
+    </div>
+  );
+}
--- a/apps/web/app/[workspaceSlug]/layout.tsx
+++ b/apps/web/app/[workspaceSlug]/layout.tsx
@@ -8,7 +8,6 @@ import { workspaceBySlugOptions } from "@multica/core/workspace";
 import { setCurrentWorkspace } from "@multica/core/platform";
 import { useAuthStore } from "@multica/core/auth";
 import { NoAccessPage } from "@multica/views/workspace/no-access-page";
-import { MulticaIcon } from "@multica/ui/components/common/multica-icon";
 import { useWorkspaceSeen } from "@multica/views/workspace/use-workspace-seen";

 export default function WorkspaceLayout({
@@ -61,17 +60,11 @@ export default function WorkspaceLayout({
  // and we just need to hold null briefly.
  const hasBeenSeen = useWorkspaceSeen(workspaceSlug, !!workspace);

-  const loadingIndicator = (
-    <div className="flex h-svh items-center justify-center">
-      <MulticaIcon className="size-6 animate-pulse" />
-    </div>
-  );
-
-  if (isAuthLoading) return loadingIndicator;
+  if (isAuthLoading) return null;
  // Don't render children until workspace is resolved. useWorkspaceId()
  // throws when the list hasn't populated or the slug is unknown — gating
  // here makes that invariant hold for every descendant.
-  if (!listFetched) return loadingIndicator;
+  if (!listFetched) return null;
  if (!workspace) {
    // If we've resolved this slug before in this session, it was just
    // removed from our list (deleted/left/evicted). A navigate is almost
--- a/apps/web/app/auth/callback/page.test.tsx
+++ b/apps/web/app/auth/callback/page.test.tsx
@@ -1,112 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { render, waitFor } from "@testing-library/react";
-import { paths } from "@multica/core/paths";
-
-const { mockPush, mockSearchParams, mockLoginWithGoogle, mockListWorkspaces } =
-  vi.hoisted(() => ({
-    mockPush: vi.fn(),
-    mockSearchParams: new URLSearchParams(),
-    mockLoginWithGoogle: vi.fn(),
-    mockListWorkspaces: vi.fn(),
-  }));
-
-const makeUser = (overrides: Partial<{ onboarded_at: string | null }> = {}) => ({
-  id: "user-1",
-  name: "Test",
-  email: "test@multica.ai",
-  avatar_url: null,
-  onboarded_at: null,
-  onboarding_questionnaire: {},
-  created_at: "2026-01-01T00:00:00Z",
-  updated_at: "2026-01-01T00:00:00Z",
-  ...overrides,
-});
-
-vi.mock("next/navigation", () => ({
-  useRouter: () => ({ push: mockPush }),
-  useSearchParams: () => mockSearchParams,
-}));
-
-vi.mock("@tanstack/react-query", () => ({
-  useQueryClient: () => ({ setQueryData: vi.fn() }),
-}));
-
-// Preserve the real sanitizeNextUrl so the "drop unsafe ?next=" behavior is
-// exercised rather than silently diverging from the source of truth.
-vi.mock("@multica/core/auth", async () => {
-  const actual =
-    await vi.importActual<typeof import("@multica/core/auth")>(
-      "@multica/core/auth",
-    );
-  return {
-    ...actual,
-    useAuthStore: (selector: (s: unknown) => unknown) =>
-      selector({ loginWithGoogle: mockLoginWithGoogle }),
-  };
-});
-
-vi.mock("@multica/core/workspace/queries", () => ({
-  workspaceKeys: { list: () => ["workspaces"] },
-}));
-
-vi.mock("@multica/core/api", () => ({
-  api: {
-    listWorkspaces: mockListWorkspaces,
-    googleLogin: vi.fn(),
-  },
-}));
-
-import CallbackPage from "./page";
-
-describe("CallbackPage", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockSearchParams.forEach((_v, k) => mockSearchParams.delete(k));
-    mockSearchParams.set("code", "test-code");
-    mockLoginWithGoogle.mockResolvedValue(makeUser());
-    mockListWorkspaces.mockResolvedValue([]);
-  });
-
-  it("unonboarded user lands on /onboarding regardless of next=", async () => {
-    mockSearchParams.set("state", "next:/invite/abc123");
-    render(<CallbackPage />);
-    await waitFor(() => {
-      expect(mockPush).toHaveBeenCalledWith(paths.onboarding());
-    });
-    expect(mockPush).not.toHaveBeenCalledWith("/invite/abc123");
-  });
-
-  it("unonboarded user with no next= also lands on /onboarding", async () => {
-    render(<CallbackPage />);
-    await waitFor(() => {
-      expect(mockPush).toHaveBeenCalledWith(paths.onboarding());
-    });
-  });
-
-  it("onboarded user ignores unsafe next= targets and lands on the default destination", async () => {
-    mockLoginWithGoogle.mockResolvedValue(
-      makeUser({ onboarded_at: "2026-01-01T00:00:00Z" }),
-    );
-    mockSearchParams.set("state", "next:https://evil.example");
-
-    render(<CallbackPage />);
-
-    await waitFor(() => {
-      expect(mockPush).toHaveBeenCalled();
-    });
-    expect(mockPush).not.toHaveBeenCalledWith("https://evil.example");
-  });
-
-  it("onboarded user honors a safe next= target (e.g. /invite/{id})", async () => {
-    mockLoginWithGoogle.mockResolvedValue(
-      makeUser({ onboarded_at: "2026-01-01T00:00:00Z" }),
-    );
-    mockSearchParams.set("state", "next:/invite/abc123");
-
-    render(<CallbackPage />);
-
-    await waitFor(() => {
-      expect(mockPush).toHaveBeenCalledWith("/invite/abc123");
-    });
-  });
-});
--- a/apps/web/app/auth/callback/page.tsx
+++ b/apps/web/app/auth/callback/page.tsx
@@ -3,9 +3,9 @@
 import { Suspense, useEffect, useState } from "react";
 import { useSearchParams, useRouter } from "next/navigation";
 import { useQueryClient } from "@tanstack/react-query";
-import { sanitizeNextUrl, useAuthStore } from "@multica/core/auth";
+import { useAuthStore } from "@multica/core/auth";
 import { workspaceKeys } from "@multica/core/workspace/queries";
-import { paths, resolvePostAuthDestination } from "@multica/core/paths";
+import { paths } from "@multica/core/paths";
 import { api } from "@multica/core/api";
 import {
  Card,
@@ -42,9 +42,7 @@ function CallbackContent() {
    const stateParts = state.split(",");
    const isDesktop = stateParts.includes("platform:desktop");
    const nextPart = stateParts.find((p) => p.startsWith("next:"));
-    // Strip "next:" prefix, then drop anything that isn't a safe relative path
-    // so an attacker-controlled `state=next:https://evil` cannot redirect here.
-    const nextUrl = sanitizeNextUrl(nextPart ? nextPart.slice(5) : null);
+    const nextUrl = nextPart ? nextPart.slice(5) : null; // strip "next:" prefix

    const redirectUri = `${window.location.origin}/auth/callback`;

@@ -62,17 +60,18 @@ function CallbackContent() {
    } else {
      // Normal web flow
      loginWithGoogle(code, redirectUri)
-        .then(async (loggedInUser) => {
+        .then(async () => {
          const wsList = await api.listWorkspaces();
          qc.setQueryData(workspaceKeys.list(), wsList);
-          const onboarded = loggedInUser.onboarded_at != null;
-          if (!onboarded) {
-            router.push(paths.onboarding());
-            return;
-          }
-          router.push(
-            nextUrl || resolvePostAuthDestination(wsList, onboarded),
-          );
+          // URL is now the source of truth for the current workspace — the
+          // [workspaceSlug]/layout syncs stores + cookie once we navigate.
+          // Honor ?next= first (e.g. came from /invite/{id}), otherwise land
+          // in the first workspace's issues, or /workspaces/new for zero-workspace users.
+          const [first] = wsList;
+          const defaultDest = first
+            ? paths.workspace(first.slug).issues()
+            : paths.newWorkspace();
+          router.push(nextUrl || defaultDest);
        })
        .catch((err) => {
          setError(err instanceof Error ? err.message : "Login failed");
--- a/apps/web/app/layout.tsx
+++ b/apps/web/app/layout.tsx
@@ -1,5 +1,5 @@
 import type { Metadata, Viewport } from "next";
-import { Inter, Geist_Mono, Source_Serif_4 } from "next/font/google";
+import { Inter, Geist_Mono } from "next/font/google";
 import { ThemeProvider } from "@/components/theme-provider";
 import { Toaster } from "@multica/ui/components/ui/sonner";
 import { cn } from "@multica/ui/lib/utils";
@@ -39,23 +39,6 @@ const geistMono = Geist_Mono({
  variable: "--font-mono",
  fallback: ["ui-monospace", "SFMono-Regular", "Menlo", "Consolas", "monospace"],
 });
-// Editorial serif used for onboarding headlines. Italic support for h1 em
-// accents (e.g. "...on one shared board."). Only loaded on routes that
-// render the font; layout-shift-prevention handled by next/font's synthetic
-// fallback metrics, same as Inter.
-const sourceSerif = Source_Serif_4({
-  subsets: ["latin"],
-  style: ["normal", "italic"],
-  variable: "--font-serif",
-  fallback: [
-    "ui-serif",
-    "Iowan Old Style",
-    "Apple Garamond",
-    "Baskerville",
-    "Times New Roman",
-    "serif",
-  ],
-});

 export const viewport: Viewport = {
  width: "device-width",
@@ -106,7 +89,7 @@ export default function RootLayout({
    <html
      lang="en"
      suppressHydrationWarning
-      className={cn("antialiased font-sans h-full", inter.variable, geistMono.variable, sourceSerif.variable)}
+      className={cn("antialiased font-sans h-full", inter.variable, geistMono.variable)}
    >
      <body className="h-full overflow-hidden">
        <LocaleSync />
--- a/apps/web/components/pageview-tracker.tsx
+++ b/apps/web/components/pageview-tracker.tsx
@@ -1,29 +0,0 @@
-"use client";
-
-import { useEffect } from "react";
-import { usePathname, useSearchParams } from "next/navigation";
-import { capturePageview } from "@multica/core/analytics";
-
-/**
- * Fires a PostHog $pageview whenever the Next.js App Router path or query
- * string changes. Mounted once at the root so every route transition is
- * covered, including transitions into workspace-scoped subtrees.
- *
- * PostHog's own `capture_pageview: true` auto-capture is deliberately
- * disabled in `initAnalytics` so we own the event shape — this component
- * is what actually fires the event. Before this existed the acquisition
- * funnel's `/ → signup` step was empty.
- */
-export function PageviewTracker() {
-  const pathname = usePathname();
-  const searchParams = useSearchParams();
-
-  useEffect(() => {
-    if (!pathname) return;
-    const qs = searchParams?.toString();
-    const url = qs ? `${pathname}?${qs}` : pathname;
-    capturePageview(url);
-  }, [pathname, searchParams]);
-
-  return null;
-}
--- a/apps/web/components/web-providers.tsx
+++ b/apps/web/components/web-providers.tsx
@@ -1,14 +1,11 @@
 "use client";

-import { Suspense, useMemo } from "react";
 import { CoreProvider } from "@multica/core/platform";
-import packageJson from "../package.json";
 import { WebNavigationProvider } from "@/platform/navigation";
 import {
  setLoggedInCookie,
  clearLoggedInCookie,
 } from "@/features/auth/auth-cookie";
-import { PageviewTracker } from "./pageview-tracker";

 // Legacy token in localStorage → keep this session in token mode so users who
 // logged in before the cookie-auth migration stay authed. They migrate to
@@ -35,20 +32,8 @@ function deriveWsUrl(): string | undefined {
  return `${proto}//${window.location.host}/ws`;
 }

-// Build-time version preferred (CI sets NEXT_PUBLIC_APP_VERSION to a git tag
-// or sha so different deploys are distinguishable in server logs); fall back
-// to the package.json version so local dev still reports something useful.
-const WEB_VERSION =
-  process.env.NEXT_PUBLIC_APP_VERSION || packageJson.version || "dev";
-
 export function WebProviders({ children }: { children: React.ReactNode }) {
  const cookieAuth = !hasLegacyToken();
-  // Stable identity reference so downstream effects keyed on it don't see a
-  // new object on every parent render.
-  const identity = useMemo(
-    () => ({ platform: "web", version: WEB_VERSION }),
-    [],
-  );
  return (
    <CoreProvider
      apiBaseUrl={process.env.NEXT_PUBLIC_API_URL}
@@ -56,13 +41,7 @@ export function WebProviders({ children }: { children: React.ReactNode }) {
      cookieAuth={cookieAuth}
      onLogin={setLoggedInCookie}
      onLogout={clearLoggedInCookie}
-      identity={identity}
    >
-      {/* Suspense boundary is required by Next.js for useSearchParams in
-          a client component mounted this high in the tree. */}
-      <Suspense fallback={null}>
-        <PageviewTracker />
-      </Suspense>
      <WebNavigationProvider>{children}</WebNavigationProvider>
    </CoreProvider>
  );
--- a/apps/web/features/landing/components/download/all-platforms.tsx
+++ b/apps/web/features/landing/components/download/all-platforms.tsx
@@ -1,239 +0,0 @@
-import Link from "next/link";
-import {
-  captureDownloadInitiated,
-  type DownloadInitiatedPayload,
-} from "@multica/core/analytics";
-import { useLocale } from "../../i18n";
-import type { DetectResult } from "../../utils/os-detect";
-import type { DownloadAssets } from "../../utils/parse-release-assets";
-import { AppleIcon, LinuxIcon, WindowsIcon } from "./os-icons";
-
-type Platform = DownloadInitiatedPayload["platform"];
-type Arch = DownloadInitiatedPayload["arch"];
-type Format = DownloadInitiatedPayload["format"];
-
-interface Props {
-  assets: DownloadAssets;
-  /** Link to GitHub releases page, used when individual asset URLs
-   *  couldn't be resolved (API down / parse failure). */
-  fallbackHref: string;
-  /** Release tag (e.g. "v0.2.13"); null on fetch failure. */
-  version: string | null;
-  /** Current OS/arch guess. Used only to compute `matched_detect` on
-   *  the download_initiated event — the row UI itself is static. */
-  detected: DetectResult | null;
-}
-
-/**
- * Full matrix of platform + arch + format links. Always visible
- * regardless of which platform the Hero resolved to — lets power
- * users grab any build directly.
- */
-export function AllPlatforms({
-  assets,
-  fallbackHref,
-  version,
-  detected,
-}: Props) {
-  const { t } = useLocale();
-  const d = t.download.allPlatforms;
-
-  const trackClick = (platform: Platform, arch: Arch, format: Format) => {
-    if (!version) return;
-    captureDownloadInitiated({
-      platform,
-      arch,
-      format,
-      version,
-      // Manual pick from the matrix — Hero is the primary CTA.
-      primary_cta: false,
-      // True only when the row matches what we guessed client-side.
-      // Lets us measure detect accuracy from the miss rate on this
-      // event alone (no need to cross-join to download_page_viewed).
-      matched_detect:
-        !!detected &&
-        detected.os === platform &&
-        detected.arch === arch,
-    });
-  };
-
-  return (
-    <section
-      id="all-platforms"
-      className="bg-white py-20 text-[#0a0d12] sm:py-24"
-    >
-      <div className="mx-auto max-w-[920px] px-4 sm:px-6 lg:px-8">
-        <h2 className="font-[family-name:var(--font-serif)] text-[2.2rem] leading-[1.1] tracking-[-0.03em] sm:text-[2.6rem]">
-          {d.title}
-        </h2>
-
-        <div className="mt-10 overflow-hidden rounded-2xl border border-[#0a0d12]/10">
-          <Row
-            icon={<AppleIcon className="text-[#0a0d12]" />}
-            label={d.macLabel}
-            formats={[
-              {
-                label: d.formatDmg,
-                href: assets.macArm64Dmg,
-                onClick: () => trackClick("mac", "arm64", "dmg"),
-              },
-              {
-                label: d.formatZip,
-                href: assets.macArm64Zip,
-                onClick: () => trackClick("mac", "arm64", "zip"),
-              },
-            ]}
-            unavailable={d.unavailable}
-          />
-          <Row
-            icon={<WindowsIcon className="text-[#0a0d12]" />}
-            label={d.winX64Label}
-            formats={[
-              {
-                label: d.formatExe,
-                href: assets.winX64Exe,
-                onClick: () => trackClick("windows", "x64", "exe"),
-              },
-            ]}
-            unavailable={d.unavailable}
-          />
-          <Row
-            icon={<WindowsIcon className="text-[#0a0d12]" />}
-            label={d.winArm64Label}
-            formats={[
-              {
-                label: d.formatExe,
-                href: assets.winArm64Exe,
-                onClick: () => trackClick("windows", "arm64", "exe"),
-              },
-            ]}
-            unavailable={d.unavailable}
-          />
-          <Row
-            icon={<LinuxIcon className="text-[#0a0d12]" />}
-            label={d.linuxX64Label}
-            formats={[
-              {
-                label: d.formatAppImage,
-                href: assets.linuxAmd64AppImage,
-                onClick: () => trackClick("linux", "x64", "appimage"),
-              },
-              {
-                label: d.formatDeb,
-                href: assets.linuxAmd64Deb,
-                onClick: () => trackClick("linux", "x64", "deb"),
-              },
-              {
-                label: d.formatRpm,
-                href: assets.linuxAmd64Rpm,
-                onClick: () => trackClick("linux", "x64", "rpm"),
-              },
-            ]}
-            unavailable={d.unavailable}
-          />
-          <Row
-            icon={<LinuxIcon className="text-[#0a0d12]" />}
-            label={d.linuxArm64Label}
-            formats={[
-              {
-                label: d.formatAppImage,
-                href: assets.linuxArm64AppImage,
-                onClick: () => trackClick("linux", "arm64", "appimage"),
-              },
-              {
-                label: d.formatDeb,
-                href: assets.linuxArm64Deb,
-                onClick: () => trackClick("linux", "arm64", "deb"),
-              },
-              {
-                label: d.formatRpm,
-                href: assets.linuxArm64Rpm,
-                onClick: () => trackClick("linux", "arm64", "rpm"),
-              },
-            ]}
-            unavailable={d.unavailable}
-            isLast
-          />
-        </div>
-
-        <p className="mt-6 text-[13px] text-[#0a0d12]/60">{d.intelNote}</p>
-
-        {isFallbackNeeded(assets) ? (
-          <p className="mt-2 text-[13px] text-[#0a0d12]/60">
-            <Link
-              href={fallbackHref}
-              className="underline decoration-[#0a0d12]/30 underline-offset-4 hover:text-[#0a0d12] hover:decoration-[#0a0d12]/70"
-              target="_blank"
-              rel="noreferrer"
-            >
-              {t.download.footer.allReleases}
-            </Link>
-          </p>
-        ) : null}
-      </div>
-    </section>
-  );
-}
-
-// ------------------------------------------------------------
-// Row
-// ------------------------------------------------------------
-
-interface RowProps {
-  icon: React.ReactNode;
-  label: string;
-  formats: {
-    label: string;
-    href: string | undefined;
-    onClick: () => void;
-  }[];
-  unavailable: string;
-  isLast?: boolean;
-}
-
-function Row({ icon, label, formats, unavailable, isLast }: RowProps) {
-  return (
-    <div
-      className={`flex flex-wrap items-center gap-x-6 gap-y-3 px-6 py-5 ${isLast ? "" : "border-b border-[#0a0d12]/8"}`}
-    >
-      <div className="flex min-w-[220px] items-center gap-3">
-        <span className="flex h-8 w-8 items-center justify-center rounded-lg bg-[#0a0d12]/5">
-          {icon}
-        </span>
-        <span className="text-[14.5px] font-medium">{label}</span>
-      </div>
-      <div className="flex flex-wrap items-center gap-2">
-        {formats.map((f) =>
-          f.href ? (
-            <a
-              key={f.label}
-              href={f.href}
-              onClick={f.onClick}
-              className="inline-flex items-center gap-1.5 rounded-lg border border-[#0a0d12]/12 bg-white px-3 py-1.5 text-[13px] font-medium transition-colors hover:border-[#0a0d12]/30 hover:bg-[#0a0d12]/5"
-            >
-              {f.label}
-            </a>
-          ) : (
-            <span
-              key={f.label}
-              aria-disabled="true"
-              className="inline-flex cursor-not-allowed items-center gap-1.5 rounded-lg border border-[#0a0d12]/8 bg-[#0a0d12]/5 px-3 py-1.5 text-[13px] text-[#0a0d12]/40"
-              title={unavailable}
-            >
-              {f.label}
-            </span>
-          ),
-        )}
-      </div>
-    </div>
-  );
-}
-
-// Ten desktop artifacts are expected per release (two Mac,
-// two Windows, six Linux). If any are missing, surface the GitHub
-// fallback link so users on an orphaned row have a way out.
-const EXPECTED_ASSET_COUNT = 10;
-
-function isFallbackNeeded(assets: DownloadAssets): boolean {
-  return Object.values(assets).filter(Boolean).length < EXPECTED_ASSET_COUNT;
-}
--- a/apps/web/features/landing/components/download/cli-section.tsx
+++ b/apps/web/features/landing/components/download/cli-section.tsx
@@ -1,108 +0,0 @@
-"use client";
-
-import { useState } from "react";
-import { Check, Copy, Terminal } from "lucide-react";
-import { useLocale } from "../../i18n";
-
-const INSTALL_CMD =
-  "curl -fsSL https://raw.githubusercontent.com/multica-ai/multica/main/scripts/install.sh | bash";
-const SETUP_CMD = "multica setup";
-
-/**
- * Scenario-first CLI section. Copy leans into servers / remote dev
- * boxes / headless setups rather than positioning CLI as a
- * lightweight Desktop. Two copy-and-paste command blocks.
- */
-export function CliSection() {
-  const { t } = useLocale();
-  const d = t.download.cli;
-
-  return (
-    <section id="cli" className="bg-[#f7f7f5] py-20 text-[#0a0d12] sm:py-24">
-      <div className="mx-auto max-w-[820px] px-4 sm:px-6 lg:px-8">
-        <h2 className="font-[family-name:var(--font-serif)] text-[2.2rem] leading-[1.1] tracking-[-0.03em] sm:text-[2.6rem]">
-          {d.title}
-        </h2>
-        <p className="mt-4 max-w-[620px] text-[15px] leading-7 text-[#0a0d12]/72">
-          {d.sub}
-        </p>
-
-        <div className="mt-10 flex flex-col gap-5">
-          <CommandBlock
-            label={d.installLabel}
-            cmd={INSTALL_CMD}
-            copyLabel={d.copyLabel}
-            copiedLabel={d.copiedLabel}
-          />
-          <CommandBlock
-            label={d.startLabel}
-            cmd={SETUP_CMD}
-            copyLabel={d.copyLabel}
-            copiedLabel={d.copiedLabel}
-          />
-        </div>
-
-        <p className="mt-6 text-[13px] text-[#0a0d12]/60">{d.sshNote}</p>
-      </div>
-    </section>
-  );
-}
-
-function CommandBlock({
-  label,
-  cmd,
-  copyLabel,
-  copiedLabel,
-}: {
-  label: string;
-  cmd: string;
-  copyLabel: string;
-  copiedLabel: string;
-}) {
-  const [copied, setCopied] = useState(false);
-
-  const onCopy = async () => {
-    try {
-      await navigator.clipboard.writeText(cmd);
-      setCopied(true);
-      setTimeout(() => setCopied(false), 1800);
-    } catch {
-      // clipboard may be unavailable (insecure context) — silent no-op
-    }
-  };
-
-  return (
-    <div>
-      <p className="mb-2 text-[12px] font-medium uppercase tracking-[0.08em] text-[#0a0d12]/55">
-        {label}
-      </p>
-      <div className="flex items-start gap-3 rounded-xl border border-[#0a0d12]/10 bg-white px-4 py-3 font-mono text-[13.5px]">
-        <Terminal
-          className="mt-0.5 size-4 shrink-0 text-[#0a0d12]/55"
-          aria-hidden
-        />
-        <code className="min-w-0 flex-1 whitespace-pre-wrap break-all">
-          {cmd}
-        </code>
-        <button
-          type="button"
-          onClick={onCopy}
-          aria-label={copied ? copiedLabel : copyLabel}
-          className="inline-flex shrink-0 items-center gap-1.5 rounded-md px-2 py-1 text-[12px] font-medium text-[#0a0d12]/70 transition-colors hover:bg-[#0a0d12]/5 hover:text-[#0a0d12]"
-        >
-          {copied ? (
-            <>
-              <Check className="size-3.5" />
-              {copiedLabel}
-            </>
-          ) : (
-            <>
-              <Copy className="size-3.5" />
-              {copyLabel}
-            </>
-          )}
-        </button>
-      </div>
-    </div>
-  );
-}
--- a/apps/web/features/landing/components/download/cloud-section.tsx
+++ b/apps/web/features/landing/components/download/cloud-section.tsx
@@ -1,38 +0,0 @@
-"use client";
-
-import { useState } from "react";
-import { CloudWaitlistExpand } from "@multica/views/onboarding";
-import { useLocale } from "../../i18n";
-
-/**
- * Cloud runtime waitlist — thin wrapper around the shared
- * CloudWaitlistExpand form with a download-page-appropriate title
- * and subtitle. Submission persists via `joinCloudWaitlist` inside
- * the child; the submitted flag here only prevents double-submits
- * for the lifetime of the page.
- */
-export function CloudSection() {
-  const { t } = useLocale();
-  const d = t.download.cloud;
-  const [submitted, setSubmitted] = useState(false);
-
-  return (
-    <section className="bg-white py-20 text-[#0a0d12] sm:py-24">
-      <div className="mx-auto max-w-[720px] px-4 sm:px-6 lg:px-8">
-        <h2 className="font-[family-name:var(--font-serif)] text-[2.2rem] leading-[1.1] tracking-[-0.03em] sm:text-[2.6rem]">
-          {d.title}
-        </h2>
-        <p className="mt-4 max-w-[560px] text-[15px] leading-7 text-[#0a0d12]/72">
-          {d.sub}
-        </p>
-
-        <div className="mt-10">
-          <CloudWaitlistExpand
-            submitted={submitted}
-            onSubmitted={() => setSubmitted(true)}
-          />
-        </div>
-      </div>
-    </section>
-  );
-}
--- a/apps/web/features/landing/components/download/hero.tsx
+++ b/apps/web/features/landing/components/download/hero.tsx
@@ -1,285 +0,0 @@
-import Link from "next/link";
-import { ArrowRight, Download } from "lucide-react";
-import {
-  captureDownloadInitiated,
-  type DownloadInitiatedPayload,
-} from "@multica/core/analytics";
-import { useLocale } from "../../i18n";
-import type { DetectResult } from "../../utils/os-detect";
-import type { DownloadAssets } from "../../utils/parse-release-assets";
-import { heroButtonClassName } from "../shared";
-
-interface Props {
-  detected: DetectResult | null;
-  assets: DownloadAssets;
-  /** True when the GitHub API fetch failed; disables all CTAs and
-   *  surfaces a "version unavailable" line. */
-  versionUnavailable: boolean;
-  /** Release tag (e.g. "v0.2.13"). Null when version lookup failed —
-   *  in that case CTAs are already disabled, no tracking fires. */
-  version: string | null;
-}
-
-/**
- * Top CTA section. Server-renders a generic "Choose your platform"
- * placeholder (SEO + flash-before-hydration), then swaps to a
- * platform-specific CTA once the client detection resolves.
- */
-export function DownloadHero({
-  detected,
-  assets,
-  versionUnavailable,
-  version,
-}: Props) {
-  const { t } = useLocale();
-  const d = t.download.hero;
-
-  const content = resolveContent(detected, assets, versionUnavailable, d);
-
-  // Fires download_initiated on primary CTA click. `primary_cta: true`
-  // identifies the hero-recommended path; `matched_detect: true` is
-  // always true here by construction (the primary is computed from
-  // the detect result). All Platforms rows below emit with
-  // matched_detect=false when the user overrides.
-  const onPrimaryClick = (tracking: HeroTracking | undefined) => {
-    if (!tracking || !version) return;
-    captureDownloadInitiated({
-      ...tracking,
-      version,
-      primary_cta: true,
-      matched_detect: true,
-    });
-  };
-
-  return (
-    <section className="relative overflow-hidden bg-[#05070b] text-white">
-      <BackdropGradient />
-      <div className="relative z-10 mx-auto max-w-[1120px] px-4 pb-24 pt-32 text-center sm:px-6 sm:pt-40 lg:px-8 lg:pb-28">
-        <h1 className="mx-auto max-w-[880px] font-[family-name:var(--font-serif)] text-[3rem] leading-[1.02] tracking-[-0.035em] drop-shadow-[0_10px_34px_rgba(0,0,0,0.32)] sm:text-[4rem] lg:text-[5rem]">
-          {content.title}
-        </h1>
-        <p className="mx-auto mt-6 max-w-[620px] text-[15px] leading-7 text-white/84 sm:text-[17px]">
-          {content.sub}
-        </p>
-
-        <div className="mt-10 flex flex-wrap items-center justify-center gap-3">
-          {content.primary ? (
-            <PrimaryCta
-              href={content.primary.href}
-              disabled={content.primary.disabled}
-              onClick={() => onPrimaryClick(content.primary?.tracking)}
-            >
-              <Download className="size-4" aria-hidden />
-              {content.primary.label}
-              {!content.primary.disabled && (
-                <ArrowRight className="size-4" aria-hidden />
-              )}
-            </PrimaryCta>
-          ) : null}
-          {content.alt ? (
-            <Link
-              href={content.alt.href}
-              className={heroButtonClassName("ghost")}
-              onClick={() => onPrimaryClick(content.alt?.tracking)}
-            >
-              {content.alt.label}
-            </Link>
-          ) : null}
-        </div>
-
-        {content.hint ? (
-          <p className="mx-auto mt-5 max-w-[520px] text-[13px] text-white/64">
-            {content.hint}
-          </p>
-        ) : null}
-
-        {versionUnavailable ? (
-          <p className="mx-auto mt-6 max-w-[520px] text-[12px] uppercase tracking-[0.14em] text-white/50">
-            {t.download.footer.versionUnavailable}
-          </p>
-        ) : null}
-      </div>
-    </section>
-  );
-}
-
-// ------------------------------------------------------------
-// Content resolver — maps (detect, assets) → CTA props
-// ------------------------------------------------------------
-
-type HeroTracking = Pick<
-  DownloadInitiatedPayload,
-  "platform" | "arch" | "format"
->;
-
-interface HeroContent {
-  title: string;
-  sub: string;
-  primary?: {
-    href: string;
-    label: string;
-    disabled: boolean;
-    tracking?: HeroTracking;
-  };
-  alt?: { href: string; label: string; tracking?: HeroTracking };
-  hint?: string;
-}
-
-type HeroDict = ReturnType<typeof useLocale>["t"]["download"]["hero"];
-
-function resolveContent(
-  detected: DetectResult | null,
-  assets: DownloadAssets,
-  versionUnavailable: boolean,
-  d: HeroDict,
-): HeroContent {
-  // Before hydration resolves, render a neutral prompt. Same copy
-  // also catches `os === "unknown"`.
-  if (!detected || detected.os === "unknown") {
-    return { title: d.unknown.title, sub: d.unknown.sub };
-  }
-
-  if (detected.os === "mac") {
-    // Only Chromium high-entropy returns arch confidently. Safari
-    // always reports Intel even on Apple Silicon, so we treat
-    // "non-confident" as arm64 + add a small Intel disclaimer.
-    if (detected.arch === "x64" && detected.archConfident) {
-      return {
-        title: d.macIntel.title,
-        sub: d.macIntel.sub,
-        primary: {
-          href: "#cli",
-          label: d.macIntel.disabledCta,
-          disabled: true,
-        },
-        hint: d.macIntel.intelHint,
-      };
-    }
-    const dmg = assets.macArm64Dmg;
-    const zip = assets.macArm64Zip;
-    return {
-      title: d.macArm64.title,
-      sub: d.macArm64.sub,
-      primary: dmg
-        ? {
-            href: dmg,
-            label: d.macArm64.primary,
-            disabled: false,
-            tracking: { platform: "mac", arch: "arm64", format: "dmg" },
-          }
-        : versionUnavailable
-          ? { href: "#", label: d.macArm64.primary, disabled: true }
-          : undefined,
-      alt: zip
-        ? {
-            href: zip,
-            label: d.macArm64.altZip,
-            tracking: { platform: "mac", arch: "arm64", format: "zip" },
-          }
-        : undefined,
-      hint: detected.archConfident ? undefined : d.safariMacHint,
-    };
-  }
-
-  if (detected.os === "windows") {
-    // Trust arch whenever the UA hints at it (even non-confident);
-    // Windows-on-ARM can still run x64 via emulation so this is low
-    // risk either way. Surface the arch-fallback hint when we're
-    // guessing so users on uncommon setups know to scroll down.
-    const isArm = detected.arch === "arm64";
-    const copy = isArm ? d.winArm64 : d.winX64;
-    const url = isArm ? assets.winArm64Exe : assets.winX64Exe;
-    return {
-      title: copy.title,
-      sub: copy.sub,
-      primary: url
-        ? {
-            href: url,
-            label: copy.primary,
-            disabled: false,
-            tracking: {
-              platform: "windows",
-              arch: isArm ? "arm64" : "x64",
-              format: "exe",
-            },
-          }
-        : versionUnavailable
-          ? { href: "#", label: copy.primary, disabled: true }
-          : undefined,
-      hint: detected.archConfident ? undefined : d.archFallbackHint,
-    };
-  }
-
-  // Linux — same principle: trust the arm64 signal, surface a hint
-  // when we're not confident. Linux ARM has no binary emulation so
-  // the hint matters more here than on Windows.
-  const isArmLinux = detected.arch === "arm64";
-  const primaryUrl = isArmLinux
-    ? assets.linuxArm64AppImage
-    : assets.linuxAmd64AppImage;
-  return {
-    title: d.linux.title,
-    sub: d.linux.sub,
-    primary: primaryUrl
-      ? {
-          href: primaryUrl,
-          label: d.linux.primary,
-          disabled: false,
-          tracking: {
-            platform: "linux",
-            arch: isArmLinux ? "arm64" : "x64",
-            format: "appimage",
-          },
-        }
-      : versionUnavailable
-        ? { href: "#", label: d.linux.primary, disabled: true }
-        : undefined,
-    alt: { href: "#all-platforms", label: d.linux.altFormats },
-    hint: detected.archConfident ? undefined : d.archFallbackHint,
-  };
-}
-
-// ------------------------------------------------------------
-// Pieces
-// ------------------------------------------------------------
-
-function PrimaryCta({
-  href,
-  disabled,
-  onClick,
-  children,
-}: {
-  href: string;
-  disabled: boolean;
-  onClick?: () => void;
-  children: React.ReactNode;
-}) {
-  if (disabled) {
-    return (
-      <span
-        aria-disabled="true"
-        className="inline-flex cursor-not-allowed items-center justify-center gap-2 rounded-[12px] border border-white/15 bg-white/8 px-5 py-3 text-[14px] font-semibold text-white/60"
-      >
-        {children}
-      </span>
-    );
-  }
-  return (
-    <a href={href} onClick={onClick} className={heroButtonClassName("solid")}>
-      {children}
-    </a>
-  );
-}
-
-function BackdropGradient() {
-  return (
-    <div
-      aria-hidden
-      className="pointer-events-none absolute inset-0"
-      style={{
-        background:
-          "radial-gradient(ellipse 70% 50% at 50% 0%, rgba(80,120,255,0.18), transparent 60%), radial-gradient(ellipse 50% 40% at 50% 80%, rgba(255,90,90,0.08), transparent 60%)",
-      }}
-    />
-  );
-}
--- a/apps/web/features/landing/components/download/os-icons.tsx
+++ b/apps/web/features/landing/components/download/os-icons.tsx
@@ -1,54 +0,0 @@
-/**
- * Inline SVG marks for macOS / Windows / Linux.
- * Lucide lacks real Apple / Tux marks, and the download page needs
- * the recognizable brand glyphs next to platform rows. Kept as
- * minimal monochrome outlines so they inherit currentColor.
- */
-
-type IconProps = React.SVGProps<SVGSVGElement> & { size?: number };
-
-export function AppleIcon({ size = 18, ...props }: IconProps) {
-  return (
-    <svg
-      viewBox="0 0 24 24"
-      width={size}
-      height={size}
-      fill="currentColor"
-      aria-hidden
-      {...props}
-    >
-      <path d="M16.37 12.8c.02-1.9 1.56-2.83 1.63-2.87-.89-1.3-2.28-1.48-2.77-1.5-1.18-.12-2.3.69-2.9.69-.6 0-1.52-.68-2.5-.66-1.28.02-2.47.74-3.13 1.88-1.33 2.3-.34 5.7.96 7.57.63.92 1.38 1.94 2.36 1.9.95-.04 1.31-.61 2.45-.61 1.14 0 1.47.61 2.47.59 1.02-.02 1.66-.93 2.29-1.84.72-1.06 1.02-2.1 1.04-2.15-.02-.01-2-.77-2.02-3.05-.02-1.9 1.55-2.81 1.63-2.87zm-2.05-5.24c.52-.63.88-1.52.78-2.4-.75.03-1.66.5-2.2 1.12-.48.55-.9 1.44-.79 2.32.84.06 1.69-.42 2.21-1.04z" />
-    </svg>
-  );
-}
-
-export function WindowsIcon({ size = 18, ...props }: IconProps) {
-  return (
-    <svg
-      viewBox="0 0 24 24"
-      width={size}
-      height={size}
-      fill="currentColor"
-      aria-hidden
-      {...props}
-    >
-      <path d="M3 5.5 10.5 4.5v6.75H3V5.5Zm0 7.25h7.5v6.75L3 18.5v-5.75Zm8.75-8.4L21 3v9H11.75V4.35ZM11.75 12h9.25v9L11.75 19.65V12Z" />
-    </svg>
-  );
-}
-
-export function LinuxIcon({ size = 18, ...props }: IconProps) {
-  // Simplified Tux silhouette — round head + body.
-  return (
-    <svg
-      viewBox="0 0 24 24"
-      width={size}
-      height={size}
-      fill="currentColor"
-      aria-hidden
-      {...props}
-    >
-      <path d="M12 2c-2.4 0-4 1.9-4 4.6 0 1.2.3 2.3.8 3.2-.7.7-1.3 1.8-1.6 3-.4 1.4-.7 3.3-1.8 4.4-.6.6-1 .9-1 1.6 0 .9.8 1.3 2 1.6 1.5.3 2.6.1 3.6-.3.6-.2 1.3-.4 2-.4s1.4.2 2 .4c1 .4 2.1.6 3.6.3 1.2-.3 2-.7 2-1.6 0-.7-.4-1-1-1.6-1.1-1.1-1.4-3-1.8-4.4-.3-1.2-.9-2.3-1.6-3 .5-.9.8-2 .8-3.2 0-2.7-1.6-4.6-4-4.6Zm-1.5 5.2c.3 0 .5.3.5.8s-.2.8-.5.8-.5-.3-.5-.8.2-.8.5-.8Zm3 0c.3 0 .5.3.5.8s-.2.8-.5.8-.5-.3-.5-.8.2-.8.5-.8Zm-3 2.6c.7.5 1.5.8 1.5.8s.8-.3 1.5-.8c0 .6-.7 1-1.5 1s-1.5-.4-1.5-1Z" />
-    </svg>
-  );
-}
--- a/apps/web/features/landing/components/landing-footer.tsx
+++ b/apps/web/features/landing/components/landing-footer.tsx
@@ -4,7 +4,6 @@ import Link from "next/link";
 import { MulticaIcon } from "@multica/ui/components/common/multica-icon";
 import { cn } from "@multica/ui/lib/utils";
 import { useAuthStore } from "@multica/core/auth";
-import { captureDownloadIntent } from "@multica/core/analytics";
 import { XMark, GitHubMark, githubUrl, twitterUrl } from "./shared";
 import { useLocale, locales, localeLabels } from "../i18n";

@@ -72,11 +71,6 @@ export function LandingFooter() {
                        {...(link.href.startsWith("http")
                          ? { target: "_blank", rel: "noreferrer" }
                          : {})}
-                        onClick={
-                          link.href === "/download"
-                            ? () => captureDownloadIntent("landing_footer")
-                            : undefined
-                        }
                        className="text-[14px] text-white/50 transition-colors hover:text-white"
                      >
                        {link.label}
--- a/apps/web/features/landing/components/landing-hero.tsx
+++ b/apps/web/features/landing/components/landing-hero.tsx
@@ -2,9 +2,7 @@

 import Image from "next/image";
 import Link from "next/link";
-import { Download } from "lucide-react";
 import { useAuthStore } from "@multica/core/auth";
-import { captureDownloadIntent } from "@multica/core/analytics";
 import { useLocale } from "../i18n";
 import {
  ClaudeCodeLogo,
@@ -44,11 +42,25 @@ export function LandingHero() {
                {user ? t.header.dashboard : t.hero.cta}
              </Link>
              <Link
-                href="/download"
+                href="https://github.com/multica-ai/multica/releases/latest"
+                target="_blank"
+                rel="noreferrer"
                className={heroButtonClassName("ghost")}
-                onClick={() => captureDownloadIntent("landing_hero")}
              >
-                <Download className="size-4" aria-hidden />
+                <svg
+                  viewBox="0 0 24 24"
+                  fill="none"
+                  stroke="currentColor"
+                  strokeWidth="2"
+                  strokeLinecap="round"
+                  strokeLinejoin="round"
+                  className="size-4"
+                  aria-hidden="true"
+                >
+                  <rect x="2" y="3" width="20" height="14" rx="2" ry="2" />
+                  <line x1="8" y1="21" x2="16" y2="21" />
+                  <line x1="12" y1="17" x2="12" y2="21" />
+                </svg>
                {t.hero.downloadDesktop}
              </Link>
            </div>
--- a/apps/web/features/landing/components/redirect-if-authenticated.tsx
+++ b/apps/web/features/landing/components/redirect-if-authenticated.tsx
@@ -5,7 +5,7 @@ import { useRouter } from "next/navigation";
 import { useQuery } from "@tanstack/react-query";
 import { useAuthStore } from "@multica/core/auth";
 import { workspaceListOptions } from "@multica/core/workspace";
-import { resolvePostAuthDestination, useHasOnboarded } from "@multica/core/paths";
+import { paths } from "@multica/core/paths";

 /**
 * Client-side fallback redirect for authenticated visitors on the landing page.
@@ -16,7 +16,7 @@ import { resolvePostAuthDestination, useHasOnboarded } from "@multica/core/paths
 * login* — before the user has ever visited a workspace — the cookie is
 * absent, so the proxy falls through to the landing page. This component
 * covers that gap: once auth is resolved and the workspace list has loaded,
- * push the user into their workspace (or /onboarding if they have none).
+ * push the user into their workspace (or /workspaces/new if they have none).
 *
 * Renders nothing. Uses `router.replace` so the landing page never enters
 * browser history for authenticated users.
@@ -25,17 +25,21 @@ export function RedirectIfAuthenticated() {
  const router = useRouter();
  const user = useAuthStore((s) => s.user);
  const isLoading = useAuthStore((s) => s.isLoading);
-  const hasOnboarded = useHasOnboarded();

-  const { data: list = [], isFetched } = useQuery({
+  const { data: list } = useQuery({
    ...workspaceListOptions(),
    enabled: !!user,
  });

  useEffect(() => {
-    if (isLoading || !user || !isFetched) return;
-    router.replace(resolvePostAuthDestination(list, hasOnboarded));
-  }, [isLoading, user, isFetched, list, hasOnboarded, router]);
+    if (isLoading || !user || !list) return;
+    const [first] = list;
+    if (!first) {
+      router.replace(paths.newWorkspace());
+      return;
+    }
+    router.replace(paths.workspace(first.slug).issues());
+  }, [isLoading, user, list, router]);

  return null;
 }
--- a/apps/web/features/landing/i18n/context.tsx
+++ b/apps/web/features/landing/i18n/context.tsx
@@ -1,15 +1,11 @@
 "use client";

-import { createContext, useContext, useState, useCallback, useMemo } from "react";
-import { useConfigStore } from "@multica/core/config";
-import { createEnDict } from "./en";
-import { createZhDict } from "./zh";
+import { createContext, useContext, useState, useCallback } from "react";
+import { en } from "./en";
+import { zh } from "./zh";
 import type { LandingDict, Locale } from "./types";

-const dictionaryFactories: Record<Locale, (allowSignup: boolean) => LandingDict> = {
-  en: createEnDict,
-  zh: createZhDict,
-};
+const dictionaries: Record<Locale, LandingDict> = { en, zh };

 const COOKIE_NAME = "multica-locale";
 const COOKIE_MAX_AGE = 60 * 60 * 24 * 365; // 1 year
@@ -30,11 +26,6 @@ export function LocaleProvider({
  initialLocale?: Locale;
 }) {
  const [locale, setLocaleState] = useState<Locale>(initialLocale);
-  const allowSignup = useConfigStore((state) => state.allowSignup);
-  const t = useMemo(
-    () => dictionaryFactories[locale](allowSignup),
-    [allowSignup, locale],
-  );

  const setLocale = useCallback((l: Locale) => {
    setLocaleState(l);
@@ -43,7 +34,7 @@ export function LocaleProvider({

  return (
    <LocaleContext.Provider
-      value={{ locale, t, setLocale }}
+      value={{ locale, t: dictionaries[locale], setLocale }}
    >
      {children}
    </LocaleContext.Provider>
--- a/apps/web/features/landing/i18n/en.ts
+++ b/apps/web/features/landing/i18n/en.ts
@@ -1,8 +1,7 @@
 import { githubUrl } from "../components/shared";
 import type { LandingDict } from "./types";

-export function createEnDict(allowSignup: boolean): LandingDict {
-  return {
+export const en: LandingDict = {
  header: {
    github: "GitHub",
    login: "Log in",
@@ -121,10 +120,9 @@ export function createEnDict(allowSignup: boolean): LandingDict {
    headlineFaded: "in the next hour.",
    steps: [
      {
-        title: allowSignup ? "Sign up & create your workspace" : "Login to your workspace",
-        description: allowSignup
-          ? "Enter your email, verify with a code, and you\u2019re in. Your workspace is created automatically \u2014 no setup wizard, no configuration forms."
-          : "Enter your email, verify with a code, and you\u2019re logged into your workspace \u2014 no setup wizard, no configuration forms.",
+        title: "Sign up & create your workspace",
+        description:
+          "Enter your email, verify with a code, and you\u2019re in. Your workspace is created automatically \u2014 no setup wizard, no configuration forms.",
      },
      {
        title: "Install the CLI & connect your machine",
@@ -226,7 +224,7 @@ export function createEnDict(allowSignup: boolean): LandingDict {
          { label: "Features", href: "#features" },
          { label: "How it Works", href: "#how-it-works" },
          { label: "Changelog", href: "/changelog" },
-          { label: "Download", href: "/download" },
+          { label: "Desktop", href: "https://github.com/multica-ai/multica/releases/latest" },
        ],
      },
      resources: {
@@ -281,107 +279,6 @@ export function createEnDict(allowSignup: boolean): LandingDict {
      fixes: "Bug Fixes",
    },
    entries: [
-      {
-        version: "0.2.15",
-        date: "2026-04-22",
-        title: "Local Skills, LaTeX, Focus Mode & Orphan-Task Recovery",
-        changes: [],
-        features: [
-          "Import runtime local Skills into the workspace as first-class artifacts",
-          "Orphan-task recovery — abandoned agent runs auto-retry, with manual rerun as fallback",
-          "LaTeX rendering in issues, comments and chat",
-          "Chat Focus mode — share the page you're on as conversation context",
-        ],
-        improvements: [
-          "Sub-issue `status_changed` events no longer spam parent-issue subscribers",
-          "Multi-arch Docker release images built natively per-arch (no QEMU)",
-          "Pin sidebar derives fields client-side for snappier reorders",
-          "Expanded reserved-slug list so new slugs can't collide with product routes",
-        ],
-        fixes: [
-          "Gemini runtime model list now includes Gemini 3 and CLI aliases",
-          "Chat focus button disabled on pages without an anchor",
-          "Onboarding pin sync, welcome layout and runtime bootstrap state",
-          "`install.ps1` OS architecture detection hardened for more Windows setups",
-          "`/download` falls back to the previous release within a 1h freshness window",
-        ],
-      },
-      {
-        version: "0.2.11",
-        date: "2026-04-21",
-        title: "Desktop Cross-Platform Packaging, CLI Self-Update & Board Pagination",
-        changes: [],
-        features: [
-          "Desktop app cross-platform packaging — macOS, Windows, and Linux artifacts from a single release pipeline",
-          "`multica update` self-update command — upgrade the CLI and local daemon without reinstalling",
-          "Issue board paginates every status column, not only Done — large backlogs stay responsive",
-        ],
-        fixes: [
-          "Workspace isolation enforced end-to-end for agent execution on the local daemon (security)",
-          "Windows daemon stays alive after the terminal closes, so background agents keep running",
-          "Board cards render their description preview again — list queries no longer strip the description field",
-          "OpenClaw agent runtime now reads the real model from agent metadata instead of falling back to a default",
-          "Comment Markdown preserved end-to-end — the HTML sanitizer that was stripping formatting has been removed",
-        ],
-      },
-      {
-        version: "0.2.8",
-        date: "2026-04-20",
-        title: "Per-Agent Models, Kimi Runtime & Self-Host Auth",
-        changes: [],
-        features: [
-          "Per-agent `model` field with a provider-aware dropdown — pick the LLM model for each agent from the UI or via `multica agent create/update --model`, with live discovery from each runtime's CLI",
-          "Kimi CLI as a new agent runtime (Moonshot AI's `kimi-cli` over ACP), with model selection, auto-approved tool permissions, and streaming tool-call rendering",
-          "Expand toggle on inline comment and reply editors for composing long text",
-        ],
-        fixes: [
-          "Posting the result comment is now an explicit, numbered step in agent workflows so final replies reach the issue instead of terminal output",
-          "Agent live status card no longer leaks across issues when switching via Cmd+K",
-          "Self-hosted session cookies honor the `FRONTEND_ORIGIN` scheme — plain-HTTP deployments stop silently dropping cookies, and `COOKIE_DOMAIN=<ip>` now falls back to host-only with a warning instead of breaking login",
-        ],
-      },
-      {
-        version: "0.2.7",
-        date: "2026-04-18",
-        title: "Sub-Issues from Editor, Self-Host Gating & MCP",
-        changes: [],
-        features: [
-          "Create sub-issue directly from selected text in the editor bubble menu",
-          "Self-hosted instance gating — `ALLOW_SIGNUP` and `ALLOWED_EMAIL_*` env vars to restrict account creation",
-          "Per-agent `mcp_config` field to restore MCP access",
-          "Desktop app hourly update poll with manual check button in settings",
-        ],
-        fixes: [
-          "Session hand-off to desktop when already logged in on web",
-          "Open redirect vulnerability on `?next=` validated",
-          "OpenClaw stops passing unsupported flags and properly delivers AgentInstructions",
-        ],
-      },
-      {
-        version: "0.2.5",
-        date: "2026-04-17",
-        title: "CLI Autopilot, Cmd+K & Daemon Identity",
-        changes: [],
-        features: [
-          "CLI `autopilot` commands for managing scheduled and triggered automations",
-          "CLI `issue subscriber` commands for subscription management",
-          "Cmd+K palette extended — theme toggle, quick new issue/project, copy link, switch workspace",
-          "Project and sub-issue progress as optional card properties on the issue list",
-          "Persistent daemon UUID identity — CLI and desktop share one daemon across restarts and machine moves",
-          "Sole-owner workspace leave preflight check",
-          "Persist comment collapse state across sessions",
-        ],
-        fixes: [
-          "Agents now triggered on comments regardless of issue status",
-          "Codex sandbox config fixed for macOS network access",
-          "Editor bubble menu rewritten with @floating-ui/dom for reliable scroll hiding",
-          "Autopilot creator automatically subscribed to autopilot-created issues",
-          "Autopilot workspace ID correctly resolved for run-only tasks",
-          "Desktop restricts `shell.openExternal` to http/https schemes (security)",
-          "Duplicate agent names return 409 instead of silently failing",
-          "New tabs in desktop inherit current workspace",
-        ],
-      },
      {
        version: "0.2.1",
        date: "2026-04-16",
@@ -750,80 +647,4 @@ export function createEnDict(allowSignup: boolean): LandingDict {
      },
    ],
  },
-  download: {
-    hero: {
-      macArm64: {
-        title: "Multica for macOS",
-        sub: "Apple Silicon · bundled daemon, zero setup",
-        primary: "Download (.dmg)",
-        altZip: "or download .zip",
-      },
-      macIntel: {
-        title: "Multica for macOS",
-        sub: "Apple Silicon required — Intel Macs not yet supported.",
-        disabledCta: "Apple Silicon required",
-        intelHint:
-          "On an Intel Mac? Use the CLI below — it runs the same daemon.",
-      },
-      winX64: {
-        title: "Multica for Windows",
-        sub: "Bundled daemon, zero setup",
-        primary: "Download (.exe)",
-      },
-      winArm64: {
-        title: "Multica for Windows",
-        sub: "ARM · bundled daemon, zero setup",
-        primary: "Download (.exe)",
-      },
-      linux: {
-        title: "Multica for Linux",
-        sub: "Bundled daemon, zero setup",
-        primary: "Download AppImage",
-        altFormats: "or .deb / .rpm",
-      },
-      unknown: {
-        title: "Choose your platform",
-        sub: "All installers are listed below.",
-      },
-      safariMacHint: "On an Intel Mac? Use the CLI below.",
-      archFallbackHint: "Wrong architecture? See all formats below.",
-    },
-    allPlatforms: {
-      title: "All platforms",
-      macLabel: "macOS · Apple Silicon",
-      winX64Label: "Windows · x64",
-      winArm64Label: "Windows · ARM64",
-      linuxX64Label: "Linux · x64",
-      linuxArm64Label: "Linux · ARM64",
-      formatDmg: ".dmg",
-      formatZip: ".zip",
-      formatExe: ".exe",
-      formatAppImage: ".AppImage",
-      formatDeb: ".deb",
-      formatRpm: ".rpm",
-      intelNote:
-        "Apple Silicon only — Intel Macs not supported in this release.",
-      unavailable: "Not available",
-    },
-    cli: {
-      title: "Prefer the CLI?",
-      sub: "For servers, remote dev boxes, and headless setups. Same daemon as Desktop, installed via terminal.",
-      installLabel: "Install",
-      startLabel: "Start daemon",
-      sshNote: "Already on a server? Same commands work over SSH.",
-      copyLabel: "Copy",
-      copiedLabel: "Copied",
-    },
-    cloud: {
-      title: "Cloud runtime (waitlist)",
-      sub: "We’ll host the runtime for you. Not live yet — leave your email to be notified.",
-    },
-    footer: {
-      releaseNotes: "What’s new in {version}",
-      allReleases: "View all releases",
-      currentVersion: "Current version: {version}",
-      versionUnavailable: "Version unavailable — check GitHub",
-    },
-  },
-  };
-}
+};
--- a/apps/web/features/landing/i18n/types.ts
+++ b/apps/web/features/landing/i18n/types.ts
@@ -101,63 +101,4 @@ export type LandingDict = {
      fixes?: string[];
    }[];
  };
-  download: {
-    hero: {
-      macArm64: {
-        title: string;
-        sub: string;
-        primary: string;
-        altZip: string;
-      };
-      macIntel: {
-        title: string;
-        sub: string;
-        disabledCta: string;
-        intelHint: string;
-      };
-      winX64: { title: string; sub: string; primary: string };
-      winArm64: { title: string; sub: string; primary: string };
-      linux: {
-        title: string;
-        sub: string;
-        primary: string;
-        altFormats: string;
-      };
-      unknown: { title: string; sub: string };
-      safariMacHint: string;
-      archFallbackHint: string;
-    };
-    allPlatforms: {
-      title: string;
-      macLabel: string;
-      winX64Label: string;
-      winArm64Label: string;
-      linuxX64Label: string;
-      linuxArm64Label: string;
-      formatDmg: string;
-      formatZip: string;
-      formatExe: string;
-      formatAppImage: string;
-      formatDeb: string;
-      formatRpm: string;
-      intelNote: string;
-      unavailable: string;
-    };
-    cli: {
-      title: string;
-      sub: string;
-      installLabel: string;
-      startLabel: string;
-      sshNote: string;
-      copyLabel: string;
-      copiedLabel: string;
-    };
-    cloud: { title: string; sub: string };
-    footer: {
-      releaseNotes: string;
-      allReleases: string;
-      currentVersion: string;
-      versionUnavailable: string;
-    };
-  };
 };
--- a/apps/web/features/landing/i18n/zh.ts
+++ b/apps/web/features/landing/i18n/zh.ts
@@ -1,8 +1,7 @@
 import { githubUrl } from "../components/shared";
 import type { LandingDict } from "./types";

-export function createZhDict(allowSignup: boolean): LandingDict {
-  return {
+export const zh: LandingDict = {
  header: {
    github: "GitHub",
    login: "\u767b\u5f55",
@@ -121,10 +120,9 @@ export function createZhDict(allowSignup: boolean): LandingDict {
    headlineFaded: "\u53ea\u9700\u4e00\u5c0f\u65f6\u3002",
    steps: [
      {
-        title: allowSignup ? "注册并创建您的工作空间" : "登录到您的工作空间",
-        description: allowSignup
-          ? "输入您的邮箱，验证代码后即可使用。工作空间会自动创建——无需设置向导或配置表单。"
-          : "输入您的邮箱，验证代码后即可登录到您的工作空间——无需设置向导或配置表单。",
+        title: "\u6ce8\u518c\u5e76\u521b\u5efa\u5de5\u4f5c\u533a",
+        description:
+          "\u8f93\u5165\u90ae\u7bb1\uff0c\u9a8c\u8bc1\u7801\u786e\u8ba4\uff0c\u5373\u53ef\u8fdb\u5165\u3002\u5de5\u4f5c\u533a\u81ea\u52a8\u521b\u5efa\u2014\u2014\u65e0\u9700\u8bbe\u7f6e\u5411\u5bfc\uff0c\u65e0\u9700\u914d\u7f6e\u8868\u5355\u3002",
      },
      {
        title: "\u5b89\u88c5 CLI \u5e76\u8fde\u63a5\u4f60\u7684\u673a\u5668",
@@ -226,7 +224,7 @@ export function createZhDict(allowSignup: boolean): LandingDict {
          { label: "\u529f\u80fd\u7279\u6027", href: "#features" },
          { label: "\u5982\u4f55\u5de5\u4f5c", href: "#how-it-works" },
          { label: "更新日志", href: "/changelog" },
-          { label: "下载", href: "/download" },
+          { label: "桌面端", href: "https://github.com/multica-ai/multica/releases/latest" },
        ],
      },
      resources: {
@@ -281,107 +279,6 @@ export function createZhDict(allowSignup: boolean): LandingDict {
      fixes: "问题修复",
    },
    entries: [
-      {
-        version: "0.2.15",
-        date: "2026-04-22",
-        title: "本地 Skills、LaTeX、Focus 模式与孤儿任务自恢复",
-        changes: [],
-        features: [
-          "支持将 Runtime 本地 Skills 导入工作区,成为一等工作区资产",
-          "孤儿任务自动恢复——意外中断的 Agent 执行会自动重试,必要时可手动重跑",
-          "Issue、评论与 Chat 支持 LaTeX 渲染",
-          "Chat Focus 模式——将当前页面作为上下文分享给对话",
-        ],
-        improvements: [
-          "子 Issue 的 `status_changed` 事件不再向父 Issue 订阅者刷屏",
-          "Docker 发布镜像改为按架构原生构建,免 QEMU",
-          "侧边栏 Pin 字段在客户端派生,排序更跟手",
-          "扩充保留 slug 列表,新工作区 slug 不会再和产品路由冲突",
-        ],
-        fixes: [
-          "Gemini Runtime 模型列表补上 Gemini 3 及若干 CLI 别名",
-          "没有锚点的页面上 Chat focus 按钮改为禁用",
-          "修复 Onboarding 中 Pin 同步、欢迎页布局与 Runtime bootstrap 状态",
-          "`install.ps1` 的系统架构探测更稳健,覆盖更多 Windows 环境",
-          "`/download` 在 1 小时新鲜度窗口内可回退到上一版本,避免撞上半发布状态",
-        ],
-      },
-      {
-        version: "0.2.11",
-        date: "2026-04-21",
-        title: "桌面应用跨平台打包、CLI 自更新与看板分页",
-        changes: [],
-        features: [
-          "桌面应用跨平台打包——同一条发布流水线产出 macOS、Windows 和 Linux 安装包",
-          "新增 `multica update` 自更新命令——无需重装即可升级 CLI 和本地 Daemon",
-          "Issue 看板所有状态列都支持分页（不再只是 Done 列），大积压下依然流畅",
-        ],
-        fixes: [
-          "本地 Daemon 对 Agent 执行强制端到端工作区隔离（安全）",
-          "Windows 下 Daemon 终端关闭后继续常驻，后台 Agent 不再被意外终止",
-          "看板卡片重新显示描述预览——列表查询不再丢掉 description 字段",
-          "OpenClaw Agent 改为从 Agent 元数据读取真实模型，不再回退到默认值",
-          "评论 Markdown 全链路保留——移除会误伤格式的 HTML sanitizer",
-        ],
-      },
-      {
-        version: "0.2.8",
-        date: "2026-04-20",
-        title: "Agent 模型选择、Kimi Runtime 与自部署登录",
-        changes: [],
-        features: [
-          "Agent 新增 `model` 字段及按 Provider 聚合的模型下拉框——可在界面或通过 `multica agent create/update --model` 为每个 Agent 选择 LLM 模型，并从各 Runtime CLI 实时发现可用模型",
-          "新增 Kimi CLI Agent Runtime（Moonshot AI 的 `kimi-cli`，基于 ACP），支持模型选择、自动授权工具权限以及流式工具调用渲染",
-          "评论和回复编辑器新增放大按钮，便于撰写长文本",
-        ],
-        fixes: [
-          "Agent 工作流将“发布结果评论”提升为独立的显式步骤，确保最终回复送达 Issue 而不是只留在终端输出",
-          "通过 Cmd+K 切换 Issue 时不再出现其他 Issue 的 Agent 实时状态残留",
-          "自部署会话 Cookie 的 Secure 标志改由 `FRONTEND_ORIGIN` 协议决定——HTTP 部署不再因浏览器丢弃 Cookie 导致登录失败；`COOKIE_DOMAIN=<ip>` 会自动回退到 host-only 并输出警告",
-        ],
-      },
-      {
-        version: "0.2.7",
-        date: "2026-04-18",
-        title: "编辑器创建子 Issue、自部署门禁与 MCP",
-        changes: [],
-        features: [
-          "直接从编辑器气泡菜单将选中文本创建为子 Issue",
-          "自部署实例账户门禁——`ALLOW_SIGNUP` 和 `ALLOWED_EMAIL_*` 环境变量限制注册",
-          "Agent 新增 `mcp_config` 字段恢复 MCP 支持",
-          "桌面应用每小时检查更新，设置中新增手动检查按钮",
-        ],
-        fixes: [
-          "网页已登录时将会话交接给桌面应用",
-          "修复 `?next=` 开放重定向漏洞",
-          "OpenClaw 停止传递不支持的参数，正确传递 AgentInstructions",
-        ],
-      },
-      {
-        version: "0.2.5",
-        date: "2026-04-17",
-        title: "CLI Autopilot、Cmd+K 与 Daemon 身份",
-        changes: [],
-        features: [
-          "CLI `autopilot` 命令，管理定时和触发式自动化",
-          "CLI `issue subscriber` 订阅管理命令",
-          "Cmd+K 命令面板扩展——主题切换、快速创建 Issue/项目、复制链接、切换工作区",
-          "Issue 列表卡片可选显示项目和子 Issue 进度",
-          "Daemon 持久化 UUID 身份——CLI 和桌面应用共用同一个 daemon，跨重启和机器迁移保持一致",
-          "唯一所有者退出工作区的前置检查",
-          "评论折叠状态跨会话持久化",
-        ],
-        fixes: [
-          "Agent 现在在任意 Issue 状态下都会响应评论触发",
-          "修复 Codex 沙箱在 macOS 上的网络访问配置",
-          "编辑器气泡菜单改用 @floating-ui/dom 重写，滚动时正确隐藏",
-          "Autopilot 创建者自动订阅其生成的 Issue",
-          "Autopilot run-only 任务正确解析工作区 ID",
-          "桌面应用 `shell.openExternal` 限制仅允许 http/https 协议（安全）",
-          "重名 Agent 创建返回 409 而非静默失败",
-          "桌面应用新建标签页继承当前工作区",
-        ],
-      },
      {
        version: "0.2.1",
        date: "2026-04-16",
@@ -750,78 +647,4 @@ export function createZhDict(allowSignup: boolean): LandingDict {
      },
    ],
  },
-  download: {
-    hero: {
-      macArm64: {
-        title: "Multica for macOS",
-        sub: "Apple Silicon · 内置 daemon，无需配置",
-        primary: "下载 (.dmg)",
-        altZip: "或下载 .zip",
-      },
-      macIntel: {
-        title: "Multica for macOS",
-        sub: "需要 Apple Silicon——暂不支持 Intel Mac。",
-        disabledCta: "需要 Apple Silicon",
-        intelHint: "在 Intel Mac 上？请使用下方 CLI——底层跑的是同一个 daemon。",
-      },
-      winX64: {
-        title: "Multica for Windows",
-        sub: "内置 daemon，无需配置",
-        primary: "下载 (.exe)",
-      },
-      winArm64: {
-        title: "Multica for Windows",
-        sub: "ARM · 内置 daemon，无需配置",
-        primary: "下载 (.exe)",
-      },
-      linux: {
-        title: "Multica for Linux",
-        sub: "内置 daemon，无需配置",
-        primary: "下载 AppImage",
-        altFormats: "或 .deb / .rpm",
-      },
-      unknown: {
-        title: "选择你的平台",
-        sub: "下方是所有支持的安装包。",
-      },
-      safariMacHint: "在 Intel Mac 上？请使用下方 CLI。",
-      archFallbackHint: "架构不对？下方是所有可选格式。",
-    },
-    allPlatforms: {
-      title: "所有平台",
-      macLabel: "macOS · Apple Silicon",
-      winX64Label: "Windows · x64",
-      winArm64Label: "Windows · ARM64",
-      linuxX64Label: "Linux · x64",
-      linuxArm64Label: "Linux · ARM64",
-      formatDmg: ".dmg",
-      formatZip: ".zip",
-      formatExe: ".exe",
-      formatAppImage: ".AppImage",
-      formatDeb: ".deb",
-      formatRpm: ".rpm",
-      intelNote: "仅支持 Apple Silicon——Intel Mac 目前暂不支持。",
-      unavailable: "暂不可用",
-    },
-    cli: {
-      title: "想用 CLI？",
-      sub: "适合服务器、远程开发机、无图形界面环境。底层 daemon 与 Desktop 相同，通过终端安装。",
-      installLabel: "安装",
-      startLabel: "启动 daemon",
-      sshNote: "已经在服务器上？通过 SSH 执行同样的命令即可。",
-      copyLabel: "复制",
-      copiedLabel: "已复制",
-    },
-    cloud: {
-      title: "Cloud runtime（等待名单）",
-      sub: "我们将为你托管 runtime，目前尚未上线——留下邮箱，上线后通知你。",
-    },
-    footer: {
-      releaseNotes: "v{version} 更新内容",
-      allReleases: "查看所有版本",
-      currentVersion: "当前版本：{version}",
-      versionUnavailable: "版本获取失败——请前往 GitHub 查看",
-    },
-  },
-  };
-}
+};
--- a/apps/web/features/landing/utils/github-release.test.ts
+++ b/apps/web/features/landing/utils/github-release.test.ts
@@ -1,149 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { fetchLatestRelease } from "./github-release";
-
-const SAMPLE_LATEST_ASSET = {
-  name: "multica-desktop-0.2.14-mac-arm64.dmg",
-  browser_download_url:
-    "https://github.com/multica-ai/multica/releases/download/v0.2.14/multica-desktop-0.2.14-mac-arm64.dmg",
-};
-
-const SAMPLE_PREV_ASSET = {
-  name: "multica-desktop-0.2.13-mac-arm64.dmg",
-  browser_download_url:
-    "https://github.com/multica-ai/multica/releases/download/v0.2.13/multica-desktop-0.2.13-mac-arm64.dmg",
-};
-
-function releasePayload(overrides: {
-  tag: string;
-  publishedMinutesAgo?: number;
-  asset?: { name: string; browser_download_url: string };
-  prerelease?: boolean;
-  draft?: boolean;
-}) {
-  const published = new Date(
-    Date.now() - (overrides.publishedMinutesAgo ?? 0) * 60_000,
-  ).toISOString();
-  return {
-    tag_name: overrides.tag,
-    published_at: published,
-    html_url: `https://github.com/multica-ai/multica/releases/tag/${overrides.tag}`,
-    prerelease: overrides.prerelease ?? false,
-    draft: overrides.draft ?? false,
-    assets: overrides.asset ? [overrides.asset] : [],
-  };
-}
-
-function mockFetchWithReleases(releases: unknown[]) {
-  const fetchMock = vi.fn().mockResolvedValue(
-    new Response(JSON.stringify(releases), {
-      status: 200,
-      headers: { "Content-Type": "application/json" },
-    }),
-  );
-  vi.stubGlobal("fetch", fetchMock);
-  return fetchMock;
-}
-
-afterEach(() => {
-  vi.unstubAllGlobals();
-});
-
-describe("fetchLatestRelease", () => {
-  it("uses previous release when latest was published within the fresh window", async () => {
-    mockFetchWithReleases([
-      releasePayload({
-        tag: "v0.2.14",
-        publishedMinutesAgo: 10,
-        asset: SAMPLE_LATEST_ASSET,
-      }),
-      releasePayload({
-        tag: "v0.2.13",
-        publishedMinutesAgo: 60 * 24,
-        asset: SAMPLE_PREV_ASSET,
-      }),
-    ]);
-
-    const result = await fetchLatestRelease();
-    expect(result.version).toBe("v0.2.13");
-    expect(result.assets.macArm64Dmg).toBe(SAMPLE_PREV_ASSET.browser_download_url);
-  });
-
-  it("uses latest release once it is older than the fresh window", async () => {
-    mockFetchWithReleases([
-      releasePayload({
-        tag: "v0.2.14",
-        publishedMinutesAgo: 120,
-        asset: SAMPLE_LATEST_ASSET,
-      }),
-      releasePayload({
-        tag: "v0.2.13",
-        publishedMinutesAgo: 60 * 24,
-        asset: SAMPLE_PREV_ASSET,
-      }),
-    ]);
-
-    const result = await fetchLatestRelease();
-    expect(result.version).toBe("v0.2.14");
-    expect(result.assets.macArm64Dmg).toBe(SAMPLE_LATEST_ASSET.browser_download_url);
-  });
-
-  it("falls back to latest when there is no previous release", async () => {
-    mockFetchWithReleases([
-      releasePayload({
-        tag: "v0.0.1",
-        publishedMinutesAgo: 5,
-        asset: SAMPLE_LATEST_ASSET,
-      }),
-    ]);
-
-    const result = await fetchLatestRelease();
-    expect(result.version).toBe("v0.0.1");
-  });
-
-  it("skips prereleases and drafts in the candidate list", async () => {
-    mockFetchWithReleases([
-      releasePayload({
-        tag: "v0.2.15-rc.1",
-        publishedMinutesAgo: 30,
-        prerelease: true,
-      }),
-      releasePayload({
-        tag: "v0.2.14",
-        publishedMinutesAgo: 120,
-        asset: SAMPLE_LATEST_ASSET,
-      }),
-    ]);
-
-    const result = await fetchLatestRelease();
-    expect(result.version).toBe("v0.2.14");
-  });
-
-  it("returns an empty release shape when the API errors", async () => {
-    const fetchMock = vi.fn().mockResolvedValue(
-      new Response("rate limited", { status: 403 }),
-    );
-    vi.stubGlobal("fetch", fetchMock);
-    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
-
-    const result = await fetchLatestRelease();
-    expect(result).toEqual({
-      version: null,
-      publishedAt: null,
-      htmlUrl: null,
-      assets: {},
-    });
-    expect(warnSpy).toHaveBeenCalled();
-    warnSpy.mockRestore();
-  });
-
-  it("returns an empty release shape when all candidates are filtered out", async () => {
-    mockFetchWithReleases([
-      releasePayload({ tag: "v0.2.15-rc.1", prerelease: true }),
-      releasePayload({ tag: "v0.2.14-draft", draft: true }),
-    ]);
-
-    const result = await fetchLatestRelease();
-    expect(result.version).toBeNull();
-    expect(result.assets).toEqual({});
-  });
-});
--- a/apps/web/features/landing/utils/github-release.ts
+++ b/apps/web/features/landing/utils/github-release.ts
@@ -1,114 +0,0 @@
-import {
-  parseReleaseAssets,
-  type DownloadAssets,
-} from "./parse-release-assets";
-
-/**
- * Server-side fetcher for the latest Multica release, designed to
- * run inside a Next.js server component. Response is cached by the
- * Next.js fetch cache for 5 minutes (Vercel ISR) so hitting /download
- * costs at most one GitHub API call per region per 5 minutes.
- *
- * Desktop assets don't all land at the same time: CI uploads Linux
- * and Windows within a minute of each other, but macOS is packaged
- * manually (notarization credentials aren't wired into CI yet) and
- * lands tens of minutes later. To avoid showing the half-filled
- * mid-flight state on /download, the fetcher pulls the two most
- * recent releases and falls back to the previous one for the first
- * hour after publish. Empirically full desktop uploads complete in
- * ~20 min; 1 h gives 3x buffer for commonly-variable manual steps.
- *
- * On any failure (network, rate limit, malformed payload) returns a
- * `null`-shaped result and logs — the page degrades to a "version
- * unavailable" view rather than 500ing.
- */
-
-export interface LatestRelease {
-  version: string | null;
-  publishedAt: string | null;
-  htmlUrl: string | null;
-  assets: DownloadAssets;
-}
-
-const GITHUB_RELEASES_URL =
-  "https://api.github.com/repos/multica-ai/multica/releases?per_page=2";
-
-const REVALIDATE_SECONDS = 300;
-
-const FRESH_RELEASE_WINDOW_MS = 60 * 60 * 1000;
-
-interface GitHubReleasePayload {
-  tag_name?: string;
-  published_at?: string;
-  html_url?: string;
-  prerelease?: boolean;
-  draft?: boolean;
-  assets?: Array<{ name: string; browser_download_url: string }>;
-}
-
-export async function fetchLatestRelease(): Promise<LatestRelease> {
-  const headers: Record<string, string> = {
-    Accept: "application/vnd.github+json",
-    "X-GitHub-Api-Version": "2022-11-28",
-  };
-  // Optional PAT for local development and self-hosted deploys where
-  // the shared outbound IP keeps hitting the 60-requests/hour
-  // unauthenticated limit. Vercel's fetch cache is shared across all
-  // regions so production rarely needs this — but the env var lets
-  // anyone running the site locally avoid the rate-limit dance. Never
-  // prefix this with `NEXT_PUBLIC_`; the token must stay server-side.
-  const token = process.env.GITHUB_TOKEN;
-  if (token) {
-    headers.Authorization = `Bearer ${token}`;
-  }
-
-  try {
-    const res = await fetch(GITHUB_RELEASES_URL, {
-      next: { revalidate: REVALIDATE_SECONDS },
-      headers,
-    });
-    if (!res.ok) {
-      throw new Error(`GitHub API responded ${res.status}`);
-    }
-    const data = (await res.json()) as GitHubReleasePayload[];
-
-    // Defensive filter — Multica doesn't publish prereleases or drafts
-    // today, but the endpoint returns them if that ever changes. A
-    // prerelease shadowing a stable version on /download would be a
-    // regression.
-    const stable = data.filter((r) => !r.prerelease && !r.draft);
-    const latest = stable[0];
-    if (!latest) {
-      return emptyRelease();
-    }
-    const previous = stable[1];
-    const chosen =
-      previous && isWithinFreshWindow(latest) ? previous : latest;
-
-    return {
-      version: chosen.tag_name ?? null,
-      publishedAt: chosen.published_at ?? null,
-      htmlUrl: chosen.html_url ?? null,
-      assets: parseReleaseAssets(chosen.assets ?? []),
-    };
-  } catch (err) {
-    console.warn("[download] fetchLatestRelease failed:", err);
-    return emptyRelease();
-  }
-}
-
-function isWithinFreshWindow(release: GitHubReleasePayload): boolean {
-  if (!release.published_at) return false;
-  const publishedAt = Date.parse(release.published_at);
-  if (Number.isNaN(publishedAt)) return false;
-  return Date.now() - publishedAt < FRESH_RELEASE_WINDOW_MS;
-}
-
-function emptyRelease(): LatestRelease {
-  return {
-    version: null,
-    publishedAt: null,
-    htmlUrl: null,
-    assets: {},
-  };
-}
--- a/apps/web/features/landing/utils/os-detect.ts
+++ b/apps/web/features/landing/utils/os-detect.ts
@@ -1,97 +0,0 @@
-/**
- * Client-side OS + architecture detection for the /download page.
- *
- * Prefers the modern `navigator.userAgentData.getHighEntropyValues`
- * API (Chromium), falling back to the UA string.
- *
- * Known limitation: Safari on macOS always reports `Intel Mac OS X`
- * in the UA string even on Apple Silicon, and Safari does not
- * implement userAgentData. This function therefore returns `arm64`
- * as the best default for any Mac — UI surfaces a small "On Intel
- * Mac? Use CLI." hint to cover the Intel minority.
- */
-
-export type OSName = "mac" | "windows" | "linux" | "unknown";
-export type Arch = "arm64" | "x64" | "unknown";
-
-export interface DetectResult {
-  os: OSName;
-  arch: Arch;
-  /** True when arch came from userAgentData high-entropy values
-   *  (i.e. we can trust the Intel vs arm distinction). False when
-   *  we defaulted — UI should show the Intel Mac disclaimer. */
-  archConfident: boolean;
-}
-
-interface UADataRecord {
-  platform: string;
-  architecture: string;
-}
-
-interface UserAgentDataLike {
-  getHighEntropyValues?: (hints: string[]) => Promise<UADataRecord>;
-}
-
-function normalizePlatform(raw: string): OSName {
-  const p = raw.toLowerCase();
-  if (p.includes("mac") || p === "darwin") return "mac";
-  if (p.includes("win")) return "windows";
-  if (p.includes("linux")) return "linux";
-  return "unknown";
-}
-
-function normalizeArch(raw: string): Arch {
-  const a = raw.toLowerCase();
-  if (a === "arm" || a === "arm64" || a === "aarch64") return "arm64";
-  if (a === "x86" || a === "x86_64" || a === "amd64" || a === "x64") return "x64";
-  return "unknown";
-}
-
-export async function detectOS(): Promise<DetectResult> {
-  if (typeof navigator === "undefined") {
-    return { os: "unknown", arch: "unknown", archConfident: false };
-  }
-
-  // Modern Chromium: userAgentData with high-entropy values gives
-  // both the platform name and CPU architecture unambiguously.
-  const uaData = (navigator as unknown as { userAgentData?: UserAgentDataLike })
-    .userAgentData;
-  if (uaData?.getHighEntropyValues) {
-    try {
-      const data = await uaData.getHighEntropyValues([
-        "platform",
-        "architecture",
-      ]);
-      const os = normalizePlatform(data.platform);
-      const arch = normalizeArch(data.architecture);
-      return { os, arch, archConfident: arch !== "unknown" };
-    } catch {
-      // Some browsers expose the API but reject high-entropy requests.
-    }
-  }
-
-  // Fallback: UA + navigator.platform. Safari on Mac lands here and
-  // cannot distinguish Apple Silicon from Intel.
-  const ua = navigator.userAgent;
-  const platform = navigator.platform || "";
-
-  const os: OSName = /Mac|iPhone|iPad|iPod/i.test(platform) || /Mac OS X/i.test(ua)
-    ? "mac"
-    : /Win/i.test(platform) || /Windows/i.test(ua)
-      ? "windows"
-      : /Linux/i.test(platform) || /Linux/i.test(ua)
-        ? "linux"
-        : "unknown";
-
-  let arch: Arch = "unknown";
-  if (os === "mac") {
-    // Best default. Real Intel Mac users will see the disclaimer.
-    arch = "arm64";
-  } else if (/arm|aarch/i.test(ua)) {
-    arch = "arm64";
-  } else if (os !== "unknown") {
-    arch = "x64";
-  }
-
-  return { os, arch, archConfident: false };
-}
--- a/apps/web/features/landing/utils/parse-release-assets.ts
+++ b/apps/web/features/landing/utils/parse-release-assets.ts
@@ -1,94 +0,0 @@
-/**
- * Parses the GitHub Releases API asset array into a structured
- * download asset map. Skips auxiliary files (blockmaps, update
- * manifests, checksums) and the CLI tarballs — only desktop
- * installer artifacts are relevant on the /download page.
- *
- * Desktop artifact naming (see apps/desktop/electron-builder.yml):
- *   multica-desktop-{version}-mac-{arch}.{dmg|zip}
- *   multica-desktop-{version}-windows-{arch}.exe
- *   multica-desktop-{version}-linux-{arch}.{AppImage|deb|rpm}
- *
- * Linux arch appears as amd64 / x86_64 / arm64 / aarch64 depending
- * on the format; we normalize to amd64 and arm64.
- */
-
-export interface GitHubAsset {
-  name: string;
-  browser_download_url: string;
-}
-
-export interface DownloadAssets {
-  macArm64Dmg?: string;
-  macArm64Zip?: string;
-  winX64Exe?: string;
-  winArm64Exe?: string;
-  linuxAmd64AppImage?: string;
-  linuxAmd64Deb?: string;
-  linuxAmd64Rpm?: string;
-  linuxArm64AppImage?: string;
-  linuxArm64Deb?: string;
-  linuxArm64Rpm?: string;
-}
-
-const DESKTOP_ARTIFACT_RE =
-  /^multica-desktop-[^-]+-(mac|windows|linux)-([a-z0-9_]+)\.(dmg|zip|exe|AppImage|deb|rpm)$/i;
-
-function normalizeLinuxArch(arch: string): "amd64" | "arm64" | null {
-  const a = arch.toLowerCase();
-  if (a === "amd64" || a === "x86_64") return "amd64";
-  if (a === "arm64" || a === "aarch64") return "arm64";
-  return null;
-}
-
-export function parseReleaseAssets(raw: GitHubAsset[]): DownloadAssets {
-  const out: DownloadAssets = {};
-  for (const asset of raw) {
-    const name = asset.name;
-    // Skip auxiliary files that share the release (update manifests,
-    // blockmaps, checksums). CLI tarballs and other non-desktop
-    // artifacts are excluded automatically because they don't match
-    // DESKTOP_ARTIFACT_RE below.
-    if (name.endsWith(".blockmap") || name.endsWith(".yml")) continue;
-    if (name.startsWith("checksums")) continue;
-
-    const match = DESKTOP_ARTIFACT_RE.exec(name);
-    if (!match) continue;
-    const platform = match[1];
-    const arch = match[2];
-    const ext = match[3];
-    if (!platform || !arch || !ext) continue;
-    const archLower = arch.toLowerCase();
-    const extLower = ext.toLowerCase();
-    const url = asset.browser_download_url;
-
-    if (platform === "mac") {
-      if (archLower !== "arm64") continue; // we only ship arm64 today
-      if (extLower === "dmg") out.macArm64Dmg = url;
-      else if (extLower === "zip") out.macArm64Zip = url;
-    } else if (platform === "windows") {
-      if (extLower !== "exe") continue;
-      if (archLower === "x64") out.winX64Exe = url;
-      else if (archLower === "arm64") out.winArm64Exe = url;
-    } else if (platform === "linux") {
-      const normalized = normalizeLinuxArch(arch);
-      if (!normalized) continue;
-      const e = extLower;
-      if (normalized === "amd64") {
-        if (e === "appimage") out.linuxAmd64AppImage = url;
-        else if (e === "deb") out.linuxAmd64Deb = url;
-        else if (e === "rpm") out.linuxAmd64Rpm = url;
-      } else {
-        if (e === "appimage") out.linuxArm64AppImage = url;
-        else if (e === "deb") out.linuxArm64Deb = url;
-        else if (e === "rpm") out.linuxArm64Rpm = url;
-      }
-    }
-  }
-  return out;
-}
-
-/** Whether any desktop asset was parsed out. Used for UI degradation. */
-export function hasAnyAsset(assets: DownloadAssets): boolean {
-  return Object.values(assets).some((v) => typeof v === "string");
-}
--- a/apps/web/next-env.d.ts
+++ b/apps/web/next-env.d.ts
@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import "./.next/types/routes.d.ts";
+import "./.next/dev/types/routes.d.ts";

 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -6,7 +6,6 @@ import { resolve } from "path";
 config({ path: resolve(__dirname, "../../.env") });

 const remoteApiUrl = process.env.REMOTE_API_URL || "http://localhost:8080";
-const docsUrl = process.env.DOCS_URL || "http://localhost:4000";

 // Parse hostnames from CORS_ALLOWED_ORIGINS so that Next.js dev server
 // allows cross-origin HMR / webpack requests (e.g. from Tailscale IPs).
@@ -33,39 +32,24 @@ const nextConfig: NextConfig = {
    qualities: [75, 80, 85],
  },
  async rewrites() {
-    return {
-      // Run before file-system routes so /docs isn't shadowed by the
-      // [workspaceSlug] dynamic segment.
-      beforeFiles: [
-        {
-          source: "/docs",
-          destination: `${docsUrl}/docs`,
-        },
-        {
-          source: "/docs/:path*",
-          destination: `${docsUrl}/docs/:path*`,
-        },
-      ],
-      afterFiles: [
-        {
-          source: "/api/:path*",
-          destination: `${remoteApiUrl}/api/:path*`,
-        },
-        {
-          source: "/ws",
-          destination: `${remoteApiUrl}/ws`,
-        },
-        {
-          source: "/auth/:path*",
-          destination: `${remoteApiUrl}/auth/:path*`,
-        },
-        {
-          source: "/uploads/:path*",
-          destination: `${remoteApiUrl}/uploads/:path*`,
-        },
-      ],
-      fallback: [],
-    };
+    return [
+      {
+        source: "/api/:path*",
+        destination: `${remoteApiUrl}/api/:path*`,
+      },
+      {
+        source: "/ws",
+        destination: `${remoteApiUrl}/ws`,
+      },
+      {
+        source: "/auth/:path*",
+        destination: `${remoteApiUrl}/auth/:path*`,
+      },
+      {
+        source: "/uploads/:path*",
+        destination: `${remoteApiUrl}/uploads/:path*`,
+      },
+    ];
  },
 };

--- a/Show More
+++ b/Show More