fix(views): only show "Mark as Done" button on Inbox page

The toolbar button was previously visible on all issue detail views.
Gate it on the `onDone` prop, which is only passed from InboxPage.

Co-authored-by: multica-agent <github@multica.ai>

.agents/skills/web-design-guidelines/SKILL.md

@@ -1,39 +0,0 @@
----
-name: web-design-guidelines
-description: Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
-metadata:
-  author: vercel
-  version: "1.0.0"
-  argument-hint: <file-or-pattern>
----
-
-# Web Interface Guidelines
-
-Review files for compliance with Web Interface Guidelines.
-
-## How It Works
-
-1. Fetch the latest guidelines from the source URL below
-2. Read the specified files (or prompt user for files/pattern)
-3. Check against all rules in the fetched guidelines
-4. Output findings in the terse `file:line` format
-
-## Guidelines Source
-
-Fetch fresh guidelines before each review:
-
-```
-https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md
-```
-
-Use WebFetch to retrieve the latest rules. The fetched content contains all the rules and output format instructions.
-
-## Usage
-
-When a user provides a file or pattern argument:
-1. Fetch guidelines from the source URL above
-2. Read the specified files
-3. Apply all rules from the fetched guidelines
-4. Output findings using the format specified in the guidelines
-
-If no files specified, ask the user which files to review.

.env.example

@@ -21,40 +21,14 @@ APP_ENV=
 # 888888 and keep APP_ENV non-production. This is ignored when APP_ENV=production.
 MULTICA_DEV_VERIFICATION_CODE=
 PORT=8080
-# Optional aliases for the local/self-host backend port. If one is set, it
-# takes precedence over PORT in compose, Makefile, and installer helpers.
-# BACKEND_PORT=8080
-# API_PORT=8080
-# SERVER_PORT=8080
 # Prometheus metrics are disabled by default. When enabled, bind to loopback
 # unless you protect the listener with private networking, allowlists, or
 # proxy auth. Do not expose this endpoint through the public app/API ingress.
 # HTTP request metrics start accumulating only when this listener is enabled.
 # METRICS_ADDR=127.0.0.1:9090
 JWT_SECRET=change-me-in-production
-# Derived by Makefile / local scripts from the backend port.
-# Set explicitly only when the daemon reaches the API through a different URL.
-# MULTICA_SERVER_URL=ws://localhost:8080/ws
-# Derived by docker-compose.selfhost.yml / local scripts from FRONTEND_PORT.
-# Set explicitly only when the app's public URL differs from local frontend.
-# MULTICA_APP_URL=http://localhost:3000
-# Public URL the API is reachable at from the open internet (no trailing
-# slash). Used to mint absolute webhook URLs for autopilot webhook
-# triggers and to show correct daemon setup commands in the web UI. Leave
-# unset behind a same-origin reverse proxy or for plain localhost dev —
-# the frontend will compose the URL from window.origin + webhook_path in
-# that case. Headers are intentionally not used to derive this value, to
-# avoid Host / X-Forwarded-Host spoofing when a self-hosted reverse proxy
-# is not hardened.
-MULTICA_PUBLIC_URL=
-# Comma-separated CIDR list of reverse proxies whose X-Forwarded-For /
-# X-Real-IP headers the per-IP webhook rate limiter is allowed to trust.
-# Empty (the default) means "trust no headers" — the limiter uses
-# r.RemoteAddr only, which is the safe shape when the backend is
-# exposed directly. Set this when running behind nginx/Caddy/Cloudflare:
-# e.g. "127.0.0.1/32" for a same-host reverse proxy, or the CDN's
-# announced ranges for cloud deployments.
-MULTICA_TRUSTED_PROXIES=
+MULTICA_SERVER_URL=ws://localhost:8080/ws
+MULTICA_APP_URL=http://localhost:3000
 MULTICA_DAEMON_CONFIG=
 MULTICA_WORKSPACE_ID=
 MULTICA_DAEMON_ID=
@@ -74,33 +48,11 @@ MULTICA_IMAGE_TAG=latest
 MULTICA_BACKEND_IMAGE=ghcr.io/multica-ai/multica-backend
 MULTICA_WEB_IMAGE=ghcr.io/multica-ai/multica-web
 
-# Email
-# Two delivery options - only one needs to be configured:
-#
-# Option A: Resend (SaaS, recommended for cloud deployments)
-#   Set RESEND_API_KEY to a key from resend.com and verify your sending domain there.
-#   For local/dev use, leave RESEND_API_KEY empty - codes print to stdout. To
-#   accept a fixed local code, also set MULTICA_DEV_VERIFICATION_CODE above
-#   (ignored when APP_ENV=production).
+# Email (Resend)
+# For local/dev use, leave RESEND_API_KEY empty — generated codes print to stdout.
+# For production, set your Resend API key and change RESEND_FROM_EMAIL to a domain verified in your Resend account.
 RESEND_API_KEY=
 RESEND_FROM_EMAIL=noreply@multica.ai
-#
-# Option B: SMTP relay (for self-hosted / on-premise deployments)
-#   Takes priority over Resend when SMTP_HOST is set.
-#   Supports unauthenticated relay (leave SMTP_USERNAME empty) and authenticated SMTP.
-#   Set SMTP_TLS_INSECURE=true only for private CA or self-signed certificates.
-#   SMTP_TLS controls the TLS mode:
-#     - unset / "starttls" (default): plaintext connect, upgrade via STARTTLS.
-#     - "implicit" (aliases: "smtps", "ssl"): TLS handshake on connect (SMTPS).
-#       Required by providers that only offer port 465 and do not advertise
-#       STARTTLS (e.g. Aliyun enterprise mail). Auto-enabled when SMTP_PORT=465
-#       and SMTP_TLS is unset.
-SMTP_HOST=
-SMTP_PORT=25
-SMTP_USERNAME=
-SMTP_PASSWORD=
-SMTP_TLS_INSECURE=false
-SMTP_TLS=
 
 # Google OAuth
 # The web login page reads GOOGLE_CLIENT_ID from /api/config at runtime, so
@@ -108,14 +60,9 @@ SMTP_TLS=
 # rebuild is needed.
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
-# Derived by docker-compose.selfhost.yml / local scripts from FRONTEND_PORT.
-# Set explicitly only when your OAuth callback URL differs from local frontend.
-# GOOGLE_REDIRECT_URI=http://localhost:3000/auth/callback
+GOOGLE_REDIRECT_URI=http://localhost:3000/auth/callback
 
 # S3 / CloudFront
-# S3_BUCKET — bucket NAME only (e.g. "my-bucket"). Do NOT include the
-# ".s3.<region>.amazonaws.com" suffix; the server builds the public URL
-# from S3_BUCKET + S3_REGION. S3_REGION must match the bucket's real region.
 S3_BUCKET=
 S3_REGION=us-west-2
 CLOUDFRONT_KEY_PAIR_ID=
@@ -131,46 +78,15 @@ CLOUDFRONT_DOMAIN=
 # attribute and browsers silently drop such cookies.
 COOKIE_DOMAIN=
 
-# AUTH_TOKEN_TTL — auth token lifetime. Accepts Go duration strings (e.g.
-# "8760h", "720h30m") or plain integer seconds.
-# Default: 2592000 (30 days). Self-hosted deployments on trusted networks can
-# set a longer value to reduce re-authentication frequency.
-# Note: longer TTL = longer exposure window if a cookie is leaked.
-# AUTH_TOKEN_TTL=2592000
-
 # Local file storage (fallback when S3_BUCKET is not set)
 LOCAL_UPLOAD_DIR=./data/uploads
-# Derived by Makefile / local scripts from the backend port.
-# Set explicitly only when uploads are served through a different public URL.
-# LOCAL_UPLOAD_BASE_URL=http://localhost:8080
+LOCAL_UPLOAD_BASE_URL=http://localhost:8080
 
 # Security
 # Comma-separated list of allowed origins for CORS and WebSocket connections.
 # Defaults to localhost dev origins when unset.
-# Example: CORS_ALLOWED_ORIGINS=https://app.multica.ai,https://staging.multica.ai
-CORS_ALLOWED_ORIGINS=
-
-# ==================== Rate limiting (optional Redis) ====================
-# Per-IP fixed-window rate limiter on the public auth endpoints
-# (/auth/send-code, /auth/verify-code, /auth/google). Backed by Redis.
-# When REDIS_URL is unset the limiter is a no-op (fail-open) and the
-# backend logs "rate limiting disabled: REDIS_URL not configured" at
-# startup. The same REDIS_URL is reused by the realtime fan-out hub,
-# the PAT cache, and the daemon-token cache.
-# REDIS_URL=redis://localhost:6379/0
-# Max requests per IP per minute. Defaults are 5 for send-code/google
-# and 20 for verify-code.
-# RATE_LIMIT_AUTH=5
-# RATE_LIMIT_AUTH_VERIFY=20
-# Comma-separated CIDRs whose X-Forwarded-For the auth limiter is
-# allowed to trust. Empty (default) = never trust XFF, only RemoteAddr.
-# REQUIRED behind a reverse proxy — otherwise every real user shares
-# the proxy IP and the whole deployment lands in one bucket, turning
-# /auth/send-code into 5 req/min site-wide. Use e.g. "127.0.0.1/32,::1/128"
-# for same-host Caddy/Nginx, or the CDN's published ranges for ALB/CF.
-# This is a separate list from MULTICA_TRUSTED_PROXIES above (which
-# governs the autopilot webhook limiter).
-# RATE_LIMIT_TRUSTED_PROXIES=
+# Example: ALLOWED_ORIGINS=https://app.multica.ai,https://staging.multica.ai
+ALLOWED_ORIGINS=
 
 # Realtime metrics endpoint (/health/realtime) access control. See MUL-1342.
 # When unset, the endpoint only serves direct loopback (127.0.0.1 / ::1)
@@ -182,20 +98,11 @@ CORS_ALLOWED_ORIGINS=
 # `Authorization: Bearer <token>`.
 # REALTIME_METRICS_TOKEN=
 
-# GitHub App integration (Settings → GitHub "Connect GitHub")
-# Both must be set for the Connect button to enable and for webhooks to be
-# accepted; leave empty to disable the integration. See docs/github-integration.
-# GITHUB_APP_SLUG is the tail of https://github.com/apps/<slug>.
-GITHUB_APP_SLUG=
-GITHUB_WEBHOOK_SECRET=
-
 # Frontend
 FRONTEND_PORT=3000
-# Derived by docker-compose.selfhost.yml / local scripts from FRONTEND_PORT.
-# Set explicitly only when serving frontend on a different origin/domain.
-# FRONTEND_ORIGIN=http://localhost:3000
+FRONTEND_ORIGIN=http://localhost:3000
 # Leave empty — auto-derived from page origin in browser, set by Makefile for local dev.
-# NEXT_PUBLIC_API_URL also feeds the Next.js SSR proxy when explicitly set.
+# Only set explicitly if frontend and backend are on different domains.
 NEXT_PUBLIC_API_URL=
 NEXT_PUBLIC_WS_URL=
 
@@ -216,22 +123,11 @@ ALLOWED_EMAIL_DOMAINS=
 # Optional: Only allow these exact email addresses (comma-separated)
 ALLOWED_EMAILS=
 
-# Set to "true" to disable workspace creation for every caller on this
-# instance (#3433). Operators usually leave this unset, bootstrap the
-# shared workspace, then flip this to "true" and restart so subsequent
-# users join only via invitations and the entire deployment is visible to
-# the platform admin. The web UI reads this from /api/config at runtime,
-# so toggling requires a backend restart but not a frontend rebuild.
-DISABLE_WORKSPACE_CREATION=
-
 # ==================== Analytics (PostHog) ====================
 # Product analytics events feed the acquisition → activation → expansion funnel.
 # Leave POSTHOG_API_KEY empty for local dev / self-hosted instances; the server
 # will run a no-op analytics client and ship nothing. See docs/analytics.md.
 POSTHOG_API_KEY=
 POSTHOG_HOST=https://us.i.posthog.com
-# Optional override for the `environment` PostHog event property.
-# Defaults from APP_ENV and normalizes to production / staging / dev.
-ANALYTICS_ENVIRONMENT=
 # Force the no-op client even when POSTHOG_API_KEY is set (CI / opt-out).
 ANALYTICS_DISABLED=

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -7,10 +7,10 @@ body:
     id: deployment
     attributes:
       label: Deployment type
-      description: Are you using the Official App (multica.ai) or a self-hosted instance?
+      description: Are you using the hosted version or a self-hosted instance?
       options:
-        - Official App
-        - self-host
+        - multica.ai (hosted)
+        - Self-hosted
     validations:
       required: true
 

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -7,10 +7,10 @@ body:
     id: deployment
     attributes:
       label: Deployment type
-      description: Are you using the Official App (multica.ai) or a self-hosted instance?
+      description: Are you using the hosted version or a self-hosted instance?
       options:
-        - Official App
-        - self-host
+        - multica.ai (hosted)
+        - Self-hosted
     validations:
       required: true
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -40,8 +40,6 @@ Closes #
 - [ ] I have added or updated tests where applicable
 - [ ] If this change affects the UI, I have included before/after screenshots
 - [ ] I have updated relevant documentation to reflect my changes
-- [ ] If I added a new runtime / coding tool / UI tab, I synced the change to **landing copy** (`apps/web/features/landing/i18n/`) and **relevant docs** (`apps/docs/content/docs/`)
-- [ ] If this PR touches Chinese product copy, I checked it against `apps/docs/content/docs/developers/conventions.zh.mdx` (terminology, mixed-rule for `task` / `issue` / `skill`)
 - [ ] I have considered and documented any risks above
 - [ ] I will address all reviewer comments before requesting merge
 

.github/workflows/ci.yml

@@ -29,25 +29,8 @@ jobs:
       - name: Install dependencies
         run: pnpm install
 
-      - name: Test self-host env derivation
-        run: bash scripts/selfhost-config.test.sh
-
-      - name: Verify reserved-slugs.ts is up to date
-        # Re-runs the generator and fails on any drift from the
-        # checked-in TypeScript output. The Go side embeds the JSON
-        # source directly, so a passing diff here proves both sides
-        # share one source of truth.
-        run: |
-          pnpm generate:reserved-slugs
-          git diff --exit-code -- packages/core/paths/reserved-slugs.ts
-
-      - name: Build, type check, lint, and test
-        # Mobile lives in a parallel mobile-verify workflow (path-filtered
-        # to apps/mobile/** + packages/core/types/**) so it doesn't add
-        # ~50s of expo-lint + tsc to every web/desktop PR. Keep this
-        # filter in sync with the root package.json scripts, which also
-        # exclude @multica/mobile.
-        run: pnpm exec turbo build typecheck lint test --filter='!@multica/docs' --filter='!@multica/mobile'
+      - name: Build, type check, and test
+        run: pnpm exec turbo build typecheck test --filter='!@multica/docs'
 
   backend:
     runs-on: ubuntu-latest
@@ -99,20 +82,3 @@ jobs:
 
       - name: Test
         run: cd server && go test ./...
-
-  installer:
-    # Stub-driven shell tests for scripts/install.sh. Kept off the heavy
-    # backend job so installer regressions surface independently, and
-    # exercised on macOS too because the installer targets macOS/Homebrew
-    # and `tar` / `sed` / `mktemp` differ between BSD and GNU userlands.
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Test shell installers
-        run: bash scripts/install.test.sh

.github/workflows/mobile-verify.yml

@@ -1,65 +0,0 @@
-name: Mobile Verify
-
-# Runs lint + typecheck for apps/mobile only, parallel to the main CI
-# workflow. Path-filtered so PRs that don't touch mobile (or anything
-# mobile transitively depends on) pay zero cost.
-#
-# Path scope rationale — mobile transitively depends on:
-# - apps/mobile/**                — the app itself
-# - packages/core/**              — mobile imports types AND pure functions
-#                                   (agents, markdown, permissions, api/schemas, …),
-#                                   not only @multica/core/types
-# - package.json / pnpm-lock.yaml — install graph
-# - pnpm-workspace.yaml           — catalog versions
-# - turbo.json                    — turbo task pipeline
-#
-# Mobile has no vitest suite today; if one lands, add `test` to the turbo
-# task list below.
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "apps/mobile/**"
-      - "packages/core/**"
-      - "package.json"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-      - "turbo.json"
-      - ".github/workflows/mobile-verify.yml"
-  pull_request:
-    branches: [main]
-    paths:
-      - "apps/mobile/**"
-      - "packages/core/**"
-      - "package.json"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-      - "turbo.json"
-      - ".github/workflows/mobile-verify.yml"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  mobile:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 22
-          cache: pnpm
-
-      - name: Install dependencies
-        run: pnpm install
-
-      - name: Type check and lint
-        run: pnpm exec turbo typecheck lint --filter=@multica/mobile

.github/workflows/release.yml

@@ -322,47 +322,6 @@ jobs:
           docker buildx imagetools inspect \
             ghcr.io/${{ github.repository_owner }}/multica-web:${{ steps.meta.outputs.version }}
 
-  helm-chart:
-    needs: [verify, docker-backend-merge, docker-web-merge]
-    if: github.repository_owner == 'multica-ai'
-    runs-on: ubuntu-latest
-    concurrency:
-      group: release-helm-chart-${{ github.ref }}
-      cancel-in-progress: true
-    env:
-      CHART_DIR: deploy/helm/multica
-      OCI_REGISTRY: oci://ghcr.io/${{ github.repository_owner }}/charts
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Helm
-        uses: azure/setup-helm@v4
-
-      - name: Sync chart metadata with release tag
-        env:
-          TAG_NAME: ${{ needs.verify.outputs.tag_name }}
-        run: |
-          chart_version="${TAG_NAME#v}"
-          sed -i -E "s/^version:.*/version: ${chart_version}/" "$CHART_DIR/Chart.yaml"
-          sed -i -E "s/^appVersion:.*/appVersion: \"${TAG_NAME}\"/" "$CHART_DIR/Chart.yaml"
-          echo "CHART_VERSION=${chart_version}" >> "$GITHUB_ENV"
-
-      - name: Lint chart
-        run: helm lint "$CHART_DIR"
-
-      - name: Package chart
-        run: helm package "$CHART_DIR" --destination .chart-packages
-
-      - name: Login to GHCR
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin
-
-      - name: Push chart to GHCR
-        run: helm push ".chart-packages/multica-${CHART_VERSION}.tgz" "$OCI_REGISTRY"
-
-      - name: Verify published chart
-        run: helm show chart "$OCI_REGISTRY/multica" --version "$CHART_VERSION"
-
   # Build the Desktop installers for Linux and Windows and upload them to
   # the GitHub Release that the `release` job above just published. macOS
   # Desktop continues to ship via the manual `release-desktop` skill so it

.gitignore

@@ -23,14 +23,6 @@ dist-electron
 # Desktop production config is public (backend URL, etc.) — track it so
 # `pnpm package` produces a release-ready build without extra setup.
 !apps/desktop/.env.production
-# Mobile staging config is public (staging API URL) — track it so a fresh
-# checkout can run `pnpm dev:mobile:staging` / `ios:mobile*:staging` without
-# the user having to copy `.env.example` first.
-!apps/mobile/.env.staging
-# Mobile production config is public (production API URL) — track it so
-# external users can run `pnpm ios:mobile:device:prod:release` against
-# multica.ai's production backend without copying templates first.
-!apps/mobile/.env.production
 
 # test coverage
 coverage
@@ -48,8 +40,6 @@ apps/web/test-results/
 
 # context (agent workspace)
 .context
-.agent_context/
-.multica/
 
 # local settings
 .claude/

CLAUDE.md

@@ -2,21 +2,6 @@
 
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
-## Conventions reference
-
-The single source of truth for **code naming, the i18n translation glossary, and the Chinese voice guide** is the docs site:
-
-- **`apps/docs/content/docs/developers/conventions.mdx`** (English)
-- **`apps/docs/content/docs/developers/conventions.zh.mdx`** (Chinese)
-
-Read that page before:
-
-- Writing or editing translations (`packages/views/locales/`)
-- Naming a new route, package, file, DB column, or TS type
-- Writing Chinese product copy (UI strings, error messages, docs)
-
-The legacy `packages/views/locales/glossary.md` is now a stub redirecting to the docs page; do not rely on it.
-
 ## Project Context
 
 Multica is an AI-native task management platform — like Linear, but with AI agents as first-class citizens.
@@ -32,14 +17,11 @@ Multica is an AI-native task management platform — like Linear, but with AI ag
 - `server/` — Go backend (Chi router, sqlc for DB, gorilla/websocket for real-time)
 - `apps/web/` — Next.js frontend (App Router)
 - `apps/desktop/` — Electron desktop app (electron-vite)
-- `apps/mobile/` — Expo / React Native iOS app. See `apps/mobile/CLAUDE.md`.
-- `packages/core/` — Headless business logic (zero react-dom)
+- `packages/core/` — Headless business logic (zero react-dom, all-platform reuse)
 - `packages/ui/` — Atomic UI components (zero business logic)
 - `packages/views/` — Shared business pages/components (zero next/* imports, zero react-router imports)
 - `packages/tsconfig/` — Shared TypeScript configuration
 
-What lives where for sharing purposes is documented in *Sharing Principles* below — read it once.
-
 ### Key Architectural Decisions
 
 **Internal Packages pattern** — all shared packages export raw `.ts`/`.tsx` files (no pre-compilation). The consuming app's bundler compiles them directly. This gives zero-config HMR and instant go-to-definition.
@@ -55,7 +37,7 @@ What lives where for sharing purposes is documented in *Sharing Principles* belo
 The architecture relies on a strict split between server state and client state. Mixing them is the most common way to break it.
 
 - **TanStack Query owns all server state.** Issues, users, workspaces, inbox — anything fetched from the API lives in the Query cache. WS events keep it fresh via invalidation; no polling, no `staleTime` workarounds.
-- **Zustand owns all client state.** UI selections, filters, drafts, modal state, navigation history. Stores live in `packages/core/` (never in `packages/views/`) so they're shared.
+- **Zustand owns all client state.** UI selections, filters, drafts, modal state, navigation history. Stores live in `packages/core/` (never in `packages/views/`) so both apps share them.
 - **React Context** is reserved for cross-cutting platform plumbing — `WorkspaceIdProvider`, `NavigationProvider`. Don't reach for it for general state.
 - **Auth and workspace stores are the only stores allowed to call `api.*` directly**, because they manage critical state that must exist before queries can run. They're created via factory + injected dependencies, registered by the platform layer.
 
@@ -72,17 +54,6 @@ The architecture relies on a strict split between server state and client state.
 - Selectors must return stable references. Returning a freshly built object or array on every call (e.g. `s => ({ a: s.a, b: s.b })` or `s => s.items.map(...)`) triggers infinite re-renders. Either select primitives separately or use shallow comparison.
 - Hooks that need workspace context should accept `wsId` as a parameter, not call `useWorkspaceId()` internally — this lets them work outside the `WorkspaceIdProvider` (e.g. in a sidebar that renders before workspace is loaded).
 
-## Sharing Principles
-
-The monorepo splits into two share zones:
-
-- **Web and desktop** share business logic, components, hooks, stores, and views through `packages/core/`, `packages/ui/`, and `packages/views/`. Existing model — keep using it.
-- **Mobile (`apps/mobile/`) is independent.** It shares only **types and pure functions** from `@multica/core/`, with `import type` for types (zero runtime coupling). UI, state, hooks, providers, i18n, React version, build pipeline, release cadence — all mobile-owned.
-
-Mobile is locked to the React version that Expo SDK / React Native ships (which lags React main by 6-12 months). Coupling mobile to the root `catalog:` React would block mobile from upgrading on its own schedule.
-
-See `apps/mobile/CLAUDE.md` for the mobile rules and tech-stack baseline.
-
 ## Commands
 
 ```bash
@@ -125,16 +96,6 @@ cd server && go test ./internal/handler/ -run TestName
 # Run a single E2E test (requires backend + frontend running)
 pnpm exec playwright test e2e/tests/specific-test.spec.ts
 
-# Mobile (Expo) — two environments only: dev and staging
-pnpm dev:mobile                  # Metro, dev env       (reads apps/mobile/.env.development.local)
-pnpm dev:mobile:staging          # Metro, staging env   (reads apps/mobile/.env.staging)
-pnpm ios:mobile                  # Native build + install dev-client to iOS Simulator, dev env
-pnpm ios:mobile:staging          # Native build + install dev-client to iOS Simulator, staging env
-pnpm ios:mobile:device           # Native build + install dev-client to USB iPhone, dev env
-pnpm ios:mobile:device:staging   # Native build + install dev-client to USB iPhone, staging env
-# Daily flow: run `pnpm dev:mobile:staging` (or :dev). Only re-run `ios:mobile*` when
-# native code or any expo-*/react-native-* dependency changes (lockfile drift counts).
-
 # Desktop build & package
 pnpm --filter @multica/desktop build      # Compile TS → JS (reads .env.production)
 pnpm --filter @multica/desktop package    # Package into .app/.dmg/.exe (current platform only)
@@ -170,28 +131,10 @@ make start-worktree     # Start using .env.worktree
 - Go code follows standard Go conventions (gofmt, go vet).
 - Keep comments in code **English only**.
 - Prefer existing patterns/components over introducing parallel abstractions.
-- Unless the user explicitly asks for backwards compatibility, do **not** add compatibility layers, fallback paths, dual-write logic, legacy adapters, or temporary shims **for internal, non-boundary code** (a function calling another function in the same package, a component reading its own state, a store helper, etc.).
-- This rule does **not** apply at API boundaries: the desktop app cannot assume the backend it talks to has the same shape as the one it was built against (older desktop installs will outlive any given server build). API response handling must follow the rules in **API Response Compatibility** below — that is a defensive boundary, not a legacy shim.
+- Unless the user explicitly asks for backwards compatibility, do **not** add compatibility layers, fallback paths, dual-write logic, legacy adapters, or temporary shims.
 - If a flow or API is being replaced and the product is not yet live, prefer removing the old path instead of preserving both old and new behavior.
 - Avoid broad refactors unless required by the task.
 - New global (pre-workspace) routes MUST use a single word (`/login`, `/inbox`) or a `/{noun}/{verb}` pair (`/workspaces/new`). NEVER add hyphenated word-group root routes (`/new-workspace`, `/create-team`) — they collide with common user workspace names and force endless reserved-slug audits. Reserving the noun (`workspaces`) automatically protects the entire `/workspaces/*` subtree.
-- The reserved-slug list lives in **one** place: `server/internal/handler/reserved_slugs.json`. The Go side embeds the JSON; `packages/core/paths/reserved-slugs.ts` is generated from it by `pnpm generate:reserved-slugs`. Edit the JSON, run the generator, commit both. CI re-runs the generator and fails on any drift, so a stale TS file cannot land.
-- When you change a CLI command or flag, an API request/response field, or product behavior that a built-in skill documents (`server/internal/service/builtin_skills/*`), update that skill's `SKILL.md` **and** its `references/*-source-map.md` in the same PR. The built-in skills are source-traced contracts shipped to agents — if the code moves and the skill doesn't, it silently teaches stale behavior.
-
-### API Response Compatibility
-
-The desktop app installed on a user's machine is older than any backend it talks to: a user on 0.2.26 will hit a server running 0.3.x, then 0.4.x, then beyond. Every response shape is a contract that **will** drift, and the frontend must survive drift without white-screening. Three concrete incidents already happened from violating this — #2143, #2147, #2192.
-
-When writing code that consumes an API response, follow these rules:
-
-- **Parse, don't cast.** Untyped JSON crossing the network is not `T`. Use `parseWithFallback` in `packages/core/api/schema.ts` with a `zod` schema and an explicit fallback. On validation failure it logs a warning and returns the fallback; it never throws into the UI.
-- **No bare `as` casts on response bodies.** Every endpoint method whose response is consumed by UI logic must run through a schema before returning.
-- **Optional-chain and default everywhere downstream.** Treat every field as possibly missing. Use explicit boolean checks (`=== true`) over truthy/falsy negation, which silently treats `undefined` and `null` as `false`.
-- **Don't pin a UI affordance to a single backend field.** If a button or indicator depends on exactly one boolean from the server, a backend bug deletes it. Combine signals (cursor presence, page length, etc.) so the affordance stays available in the worst case.
-- **Enum drift downgrades, not crashes.** A new server-side enum value should render a generic fallback. `switch` statements on server-driven strings must have a `default` branch.
-- **When you add or change an endpoint:** add the schema in the same PR, and write at least one test that feeds a malformed response through it (missing field, wrong type, `null` array). The test fails closed if a future change breaks the contract.
-
-This is not premature defense — it is the *only* defense for an installed-app architecture. CSR-only browser apps can ship a fix in minutes; an Electron build sitting on a developer's laptop cannot.
 
 ### Backend Handler UUID Parsing Convention
 
@@ -204,29 +147,21 @@ Every Go handler in `server/internal/handler/` follows these rules. The conventi
 
 When adding a `Queries.Delete*` or `Queries.Update*` call, ask: "Where did this UUID come from?" If the answer is "raw user input that hasn't been validated," route it through `parseUUIDOrBadRequest` or a loader first.
 
-### Dependency Declaration Rule
-
-Every workspace (`apps/` and `packages/` directories) must explicitly declare all directly imported external packages in its own `package.json`. Relying on pnpm hoist to resolve undeclared imports (phantom deps) is prohibited — it causes production build failures when pnpm creates peer-dep variants.
-
-- Use `"pkg": "catalog:"` to reference the shared version from `pnpm-workspace.yaml`.
-- CI enforces this via `eslint-plugin-import-x/no-extraneous-dependencies`.
-- Exception: `apps/mobile/` uses pinned versions (not `catalog:`) for packages tied to its own React/Expo version.
-
 ### Package Boundary Rules
 
 These are hard constraints. Violating them breaks the cross-platform architecture:
 
-- `packages/core/` — zero react-dom, zero localStorage (use StorageAdapter), zero process.env, zero UI libraries. **Shared Zustand stores live here**, even view-related ones (filters, view modes) — stores are pure state, not UI.
+- `packages/core/` — zero react-dom, zero localStorage (use StorageAdapter), zero process.env, zero UI libraries. **All shared Zustand stores live here**, even view-related ones (filters, view modes) — stores are pure state, not UI.
 - `packages/ui/` — zero `@multica/core` imports (pure UI, no business logic).
 - `packages/views/` — zero `next/*` imports, zero `react-router-dom` imports, zero stores. Use `NavigationAdapter` for all routing.
 - `apps/web/platform/` — the only place for Next.js APIs (`next/navigation`).
 - `apps/desktop/src/renderer/src/platform/` — the only place for react-router-dom navigation wiring.
 
-### The No-Duplication Rule (web + desktop)
+### The No-Duplication Rule
 
-**If the same logic exists in both web and desktop, it must be extracted to a shared package.**
+**If the same logic exists in both apps, it must be extracted to a shared package.**
 
-This applies to everything between web and desktop: components, hooks, guards, providers, utility functions. The decision process:
+This applies to everything: components, hooks, guards, providers, utility functions. The decision process:
 
 1. Does this code depend on Next.js or Electron APIs? → Keep in the respective app.
 2. Does it depend on `react-router-dom` or `next/navigation`? → Keep in app's `platform/` layer.
@@ -234,9 +169,9 @@ This applies to everything between web and desktop: components, hooks, guards, p
 
 When the two apps need different behavior for the same concept (e.g., different loading UI), extract the shared logic into a component with props/slots for the differences. Don't duplicate the logic.
 
-### Cross-Platform Development Rules (web + desktop)
+### Cross-Platform Development Rules
 
-When adding a new page or feature for web/desktop:
+When adding a new page or feature:
 
 1. **New page component** → add to `packages/views/<domain>/`. Never import from `next/*` or `react-router-dom`.
 2. **Wire it in both apps** → add a route in `apps/web/app/` (Next.js page file) AND in the desktop router. **Exception**: pre-workspace transition flows (create workspace, accept invite) are NOT routes on desktop — they're `WindowOverlay` state. See *Desktop-specific Rules → Route categories*.
@@ -245,18 +180,14 @@ When adding a new page or feature for web/desktop:
 5. **Platform-specific UI** → if a feature is web-only or desktop-only, keep it in the respective app. Use props slots (`extra`, `topSlot`) on shared layout components to inject platform-specific UI.
 6. **New hooks that need workspace context** → accept `wsId` as parameter instead of reading from `useWorkspaceId()` Context, so they work both inside and outside `WorkspaceIdProvider`.
 
-### CSS Architecture (web + desktop)
+### CSS Architecture
 
-Web and desktop share the same CSS foundation from `packages/ui/styles/`.
+Both apps share the same CSS foundation from `packages/ui/styles/`.
 
 - **Design tokens** → use semantic tokens (`bg-background`, `text-muted-foreground`). Never use hardcoded Tailwind colors (`text-red-500`, `bg-gray-100`).
 - **Shared styles** → `packages/ui/styles/`. Never duplicate scrollbar styling, keyframes, or base layer rules in app CSS.
 - **`@source` directives** → both apps scan shared packages so Tailwind sees all class names.
 
-## Mobile-specific Rules
-
-Rules for `apps/mobile/` live in `apps/mobile/CLAUDE.md`. Read it before touching anything in `apps/mobile/` — it covers what may be imported from `@multica/core/`, the React version policy, the build/release pipeline, and the locked tech-stack baseline.
-
 ## Desktop-specific Rules
 
 These rules apply to `apps/desktop/` only. Web has different constraints (URL bar, SSR, no tabs) and doesn't share these concerns. Every rule in this section was added after a concrete bug — treat them as enforced, not suggestions.

CLI_AND_DAEMON.md

@@ -70,10 +70,10 @@ Opens your browser for OAuth authentication, creates a 90-day personal access to
 ### Token Login
 
 ```bash
-multica login --token <mul_...>
+multica login --token
 ```
 
-Authenticate using a personal access token directly. Useful for headless environments. Pass `--token=` with an empty value to be prompted interactively (so the token never lands in shell history).
+Authenticate by pasting a personal access token directly. Useful for headless environments.
 
 ### Check Status
 
@@ -140,7 +140,6 @@ The daemon auto-detects these AI CLIs on your PATH:
 |-----|---------|-------------|
 | [Claude Code](https://docs.anthropic.com/en/docs/claude-code) | `claude` | Anthropic's coding agent |
 | [Codex](https://github.com/openai/codex) | `codex` | OpenAI's coding agent |
-| [GitHub Copilot CLI](https://docs.github.com/en/copilot) | `copilot` | GitHub's coding agent (model routed by your GitHub entitlement) |
 | OpenCode | `opencode` | Open-source coding agent |
 | OpenClaw | `openclaw` | Open-source coding agent |
 | Hermes | `hermes` | Nous Research coding agent |
@@ -175,22 +174,6 @@ Daemon behavior is configured via flags or environment variables:
 | Device name | `--device-name` | `MULTICA_DAEMON_DEVICE_NAME` | hostname |
 | Runtime name | `--runtime-name` | `MULTICA_AGENT_RUNTIME_NAME` | `Local Agent` |
 | Workspaces root | — | `MULTICA_WORKSPACES_ROOT` | `~/multica_workspaces` |
-| GC enabled | — | `MULTICA_GC_ENABLED` | `true` (set `false`/`0` to disable) |
-| GC scan interval | — | `MULTICA_GC_INTERVAL` | `1h` |
-| GC TTL (done/cancelled issues) | — | `MULTICA_GC_TTL` | `24h` |
-| GC orphan TTL (no `.gc_meta.json`) | — | `MULTICA_GC_ORPHAN_TTL` | `72h` |
-| GC artifact TTL (open issues) | — | `MULTICA_GC_ARTIFACT_TTL` | `12h` (set `0` to disable) |
-| GC artifact patterns | — | `MULTICA_GC_ARTIFACT_PATTERNS` | `node_modules,.next,.turbo` |
-
-#### Workspace garbage collection
-
-The daemon periodically scans `MULTICA_WORKSPACES_ROOT` and reclaims disk space in three modes:
-
-- **Full task cleanup** — when an issue's status is `done` or `cancelled` and has been idle for `MULTICA_GC_TTL`, the entire task directory is removed.
-- **Orphan cleanup** — task directories with no `.gc_meta.json` (e.g. left over from a daemon crash) are removed once they exceed `MULTICA_GC_ORPHAN_TTL`.
-- **Artifact-only cleanup** — when a task has been completed for at least `MULTICA_GC_ARTIFACT_TTL` but the issue is still open, regenerable build outputs whose directory basename matches `MULTICA_GC_ARTIFACT_PATTERNS` are removed; the rest of the workdir (source, `.git`, `output/`, `logs/`, `.gc_meta.json`) is preserved so the agent can resume the same workdir on the next task.
-
-Patterns are basename-only — entries containing `/` or `\` are silently dropped — and `.git` subtrees are never descended into. The default list (`node_modules`, `.next`, `.turbo`) is intentionally narrow; extend it per deployment if your repos consistently produce other regenerable directories (for example, `MULTICA_GC_ARTIFACT_PATTERNS=node_modules,.next,.turbo,target,__pycache__`). To disable artifact cleanup entirely, set `MULTICA_GC_ARTIFACT_TTL=0`.
 
 Agent-specific overrides:
 
@@ -202,8 +185,6 @@ Agent-specific overrides:
 | `MULTICA_CODEX_PATH` | Custom path to the `codex` binary |
 | `MULTICA_CODEX_MODEL` | Override the Codex model used |
 | `MULTICA_CODEX_ARGS` | Default extra arguments for Codex runs |
-| `MULTICA_COPILOT_PATH` | Custom path to the `copilot` binary |
-| `MULTICA_COPILOT_MODEL` | Override the Copilot model used (note: GitHub Copilot routes models through your account entitlement, so this may not be honoured) |
 | `MULTICA_OPENCODE_PATH` | Custom path to the `opencode` binary |
 | `MULTICA_OPENCODE_MODEL` | Override the OpenCode model used |
 | `MULTICA_OPENCLAW_PATH` | Custom path to the `openclaw` binary |
@@ -269,37 +250,21 @@ Each profile gets its own config directory (`~/.multica/profiles/<name>/`), daem
 
 ## Workspaces
 
-### Working with multiple workspaces
-
-Every command runs against a single workspace. The CLI resolves which one in this order (highest priority first):
-
-1. `--workspace-id <id>` flag on the command
-2. `MULTICA_WORKSPACE_ID` environment variable
-3. The default workspace stored in your current profile (set by `multica workspace switch` or `multica login`)
-
-`multica workspace switch <id|slug>` is the day-to-day way to change the default workspace. For scripting and headless setups where you don't want any stored state, prefer the `--workspace-id` flag or the env variable. `multica config set workspace_id <id>` is the low-level equivalent of `switch` (it writes the same setting but skips the access check).
-
-If you need full isolation between organizations or accounts — separate tokens, separate daemons, separate config dirs — use `--profile <name>` instead. Each profile keeps its own default workspace.
-
 ### List Workspaces
 
 ```bash
 multica workspace list
-multica workspace list --full-id
-multica workspace list --output json
 ```
 
-The current default workspace is marked with `*`. Table output shows short UUID prefixes — pass `--full-id` when you need the canonical UUIDs.
+Watched workspaces are marked with `*`. The daemon only processes tasks for watched workspaces.
 
-### Switch Default Workspace
+### Watch / Unwatch
 
 ```bash
-multica workspace switch <workspace-id>
-multica workspace switch <slug>
+multica workspace watch <workspace-id>
+multica workspace unwatch <workspace-id>
 ```
 
-Verifies you have access to the workspace, then sets it as the default for the current profile. Subsequent commands without `--workspace-id` and `MULTICA_WORKSPACE_ID` target this workspace. Pair `--profile` if you want to change a non-default profile's workspace.
-
 ### Get Details
 
 ```bash
@@ -307,12 +272,10 @@ multica workspace get <workspace-id>
 multica workspace get <workspace-id> --output json
 ```
 
-Passing no `<workspace-id>` resolves to the current default workspace, so `multica workspace get` doubles as "what workspace am I on?".
-
 ### List Members
 
 ```bash
-multica workspace member list <workspace-id>
+multica workspace members <workspace-id>
 ```
 
 ## Issues
@@ -323,19 +286,10 @@ multica workspace member list <workspace-id>
 multica issue list
 multica issue list --status in_progress
 multica issue list --priority urgent --assignee "Agent Name"
-multica issue list --assignee-id 5fb87ac7-23b5-4a7a-81fa-ed295a54545d
-multica issue list --full-id
 multica issue list --limit 20 --output json
 ```
 
-Table output shows a routable issue `KEY` such as `MUL-123`; copy that key into follow-up commands like `issue get`, `issue comment list`, `issue status`, or `--parent`. Add `--full-id` when you need canonical UUIDs. Available filters: `--status`, `--priority`, `--assignee` / `--assignee-id`, `--project`, `--metadata`, `--limit`. Use `--assignee-id <uuid>` for unambiguous filtering when names overlap.
-
-Use `--metadata key=value` (repeatable; combined with AND) to filter by per-issue metadata. The value is JSON-parsed: `true`/`false` become bool, numbers become numbers, anything else is a string. Wrap as `'"42"'` to force a string when the value would otherwise sniff as a number:
-
-```bash
-multica issue list --metadata pipeline_status=waiting_review
-multica issue list --metadata pr_number=482 --metadata is_blocked=true
-```
+Available filters: `--status`, `--priority`, `--assignee`, `--project`, `--limit`.
 
 ### Get Issue
 
@@ -348,10 +302,9 @@ multica issue get <id> --output json
 
 ```bash
 multica issue create --title "Fix login bug" --description "..." --priority high --assignee "Lambda"
-multica issue create --title "Fix login bug" --assignee-id 5fb87ac7-23b5-4a7a-81fa-ed295a54545d
 ```
 
-Flags: `--title` (required), `--description`, `--status`, `--priority`, `--assignee` / `--assignee-id`, `--parent`, `--project`, `--due-date`. Pass `--assignee-id <uuid>` (mutually exclusive with `--assignee`) when scripting against the IDs returned by `multica workspace member list --output json` / `multica agent list --output json`.
+Flags: `--title` (required), `--description`, `--status`, `--priority`, `--assignee`, `--parent`, `--project`, `--due-date`.
 
 ### Update Issue
 
@@ -363,12 +316,9 @@ multica issue update <id> --title "New title" --priority urgent
 
 ```bash
 multica issue assign <id> --to "Lambda"
-multica issue assign <id> --to-id 5fb87ac7-23b5-4a7a-81fa-ed295a54545d
 multica issue assign <id> --unassign
 ```
 
-Pass `--to-id <uuid>` to assign by canonical UUID (mutually exclusive with `--to`); useful when names overlap across members and agents.
-
 ### Change Status
 
 ```bash
@@ -380,44 +330,9 @@ Valid statuses: `backlog`, `todo`, `in_progress`, `in_review`, `done`, `blocked`
 ### Comments
 
 ```bash
-# List comments — flat timeline, chronological. Hard cap of 2000 rows; on
-# long-running issues prefer one of the thread-aware reads below to keep
-# context windows tight.
+# List comments
 multica issue comment list <issue-id>
 
-# Single thread (root + every descendant). Anchor may be the root itself
-# or any reply inside the thread — the server walks up to the root.
-multica issue comment list <issue-id> --thread <comment-id>
-
-# Single thread, capped to the N most recent replies. The thread root is
-# always included (even with --tail 0), so an agent landing on a long
-# thread keeps the "what is this about" context without dragging hundreds
-# of replies into its prompt.
-multica issue comment list <issue-id> --thread <comment-id> --tail 30
-
-# Scroll older replies inside the same thread. --before / --before-id are
-# the reply cursor that the previous response emitted on stderr as
-# `Next reply cursor: --before <ts> --before-id <reply-id>`.
-multica issue comment list <issue-id> --thread <comment-id> --tail 30 \
-    --before <ts> --before-id <reply-id>
-
-# Most recently active threads (root + every descendant), grouped by
-# thread. Returns N complete conversational arcs, oldest-active first so
-# the freshest thread sits closest to "now" in an agent prompt.
-multica issue comment list <issue-id> --recent 20
-
-# Scroll older threads. Under --recent, --before / --before-id are a
-# THREAD cursor (thread last_activity_at + root id), emitted on stderr as
-# `Next thread cursor: --before <ts> --before-id <root-id>`.
-multica issue comment list <issue-id> --recent 20 \
-    --before <ts> --before-id <root-id>
-
-# Incremental polling. Combines with --thread or --recent; filters out
-# replies created on or before <ts> from the page (the thread root is
-# exempt so the agent always gets context).
-multica issue comment list <issue-id> --thread <comment-id> --tail 30 \
-    --since <RFC3339-timestamp>
-
 # Add a comment
 multica issue comment add <issue-id> --content "Looks good, merging now"
 
@@ -428,56 +343,6 @@ multica issue comment add <issue-id> --parent <comment-id> --content "Thanks!"
 multica issue comment delete <comment-id>
 ```
 
-**`--before` / `--before-id` semantics depend on the paging mode**, by
-design — same flag, different scope:
-
-| Mode | What the cursor walks | stderr label |
-| --- | --- | --- |
-| `--recent N` | Older *threads* (last_activity_at, root_id) | `Next thread cursor` |
-| `--thread <id> --tail N` | Older *replies* inside that thread (created_at, id) | `Next reply cursor` |
-
-Outside those two modes (`--thread` without `--tail`, or no `--thread`
-and no `--recent`) the cursor flags are rejected so they cannot silently
-no-op. The server emits the cursor headers (`X-Multica-Next-Before` /
-`X-Multica-Next-Before-Id`) only when an older page actually exists —
-exact-boundary pages (e.g. `--tail 3` on a thread with exactly 3
-replies) intentionally return no cursor so callers stop paginating.
-
-When `--since` is combined with `--recent` or `--thread --tail`, the
-server additionally suppresses the cursor once the cursor target itself
-is older than `since`. Older pages walk strictly older rows, so they
-cannot satisfy `> since` either — emitting a cursor there would just
-hand back root-only pages until the caller reaches the start of the
-thread / issue. Incremental polling stops at the first page whose
-cursor target falls before the watermark.
-
-### Metadata
-
-Per-issue metadata is a small KV map agents use to track pipeline state (PR number, pipeline status, waiting_on, ...). Keys match `^[a-zA-Z_][a-zA-Z0-9_.-]{0,63}$`, values are primitives (string / number / bool), max 50 keys per issue, blob capped at 8KB.
-
-The bar for writing is high: pin a value only when it is materially important to the issue AND likely to be re-read by future runs on this same issue (the PR URL, the deploy URL, what we're blocked on). Most runs write zero new keys — that's the expected case. Don't pin runtime bookkeeping like `attempts`, single-run investigation notes, large logs, secrets/tokens, or description/comment copies — see the agent runtime prompt for the full anti-pattern list.
-
-```bash
-# List every key on an issue
-multica issue metadata list <issue-id>
-
-# Read a single key
-multica issue metadata get <issue-id> --key pipeline_status
-
-# Write a single key — value auto-typed (true/false → bool, numbers → number, else string)
-multica issue metadata set <issue-id> --key pipeline_status --value waiting_review
-multica issue metadata set <issue-id> --key pr_number --value 482
-multica issue metadata set <issue-id> --key is_blocked --value true
-
-# Force a specific type when sniffing would pick the wrong one
-multica issue metadata set <issue-id> --key code --value 42 --type string
-
-# Remove a key
-multica issue metadata delete <issue-id> --key pipeline_status
-```
-
-All writes are single-key atomic — concurrent agents writing different keys do not lose each other's updates. To query, use `multica issue list --metadata key=value` (see *List Issues* above).
-
 ### Subscribers
 
 ```bash
@@ -504,19 +369,17 @@ Subscribers receive notifications about issue activity (new comments, status cha
 ```bash
 # List all execution runs for an issue
 multica issue runs <issue-id>
-multica issue runs <issue-id> --full-id
 multica issue runs <issue-id> --output json
 
 # View messages for a specific execution run
 multica issue run-messages <task-id>
-multica issue run-messages <short-task-id> --issue <issue-id>
 multica issue run-messages <task-id> --output json
 
 # Incremental fetch (only messages after a given sequence number)
 multica issue run-messages <task-id> --since 42 --output json
 ```
 
-The `runs` command shows all past and current executions for an issue, including running tasks. Table output uses short task UUID prefixes by default; pass `--full-id` to print canonical task UUIDs. The `run-messages` command accepts full task UUIDs directly; copied short task prefixes must be scoped with `--issue <issue-id>` so the CLI only checks that issue's runs. It shows the detailed message log (tool calls, thinking, text, errors) for a single run. Use `--since` for efficient polling of in-progress runs.
+The `runs` command shows all past and current executions for an issue, including running tasks. The `run-messages` command shows the detailed message log (tool calls, thinking, text, errors) for a single run. Use `--since` for efficient polling of in-progress runs.
 
 ## Projects
 
@@ -618,8 +481,6 @@ multica config set app_url https://app.example.com
 multica config set workspace_id <workspace-id>
 ```
 
-`config set workspace_id <id>` is the low-level interface — it writes the value verbatim without checking that the workspace exists or that you have access. Prefer `multica workspace switch <id|slug>` for day-to-day workspace changes; it does both checks before saving.
-
 ## Autopilot Commands
 
 Autopilots are scheduled/triggered automations that dispatch agent tasks (either by creating an issue or by running an agent directly).
@@ -628,12 +489,9 @@ Autopilots are scheduled/triggered automations that dispatch agent tasks (either
 
 ```bash
 multica autopilot list
-multica autopilot list --full-id
 multica autopilot list --status active --output json
 ```
 
-Autopilot table IDs are short UUID prefixes; follow-up autopilot commands accept copied prefixes when they are unique in the current workspace. Use `--full-id` to print canonical UUIDs.
-
 ### Get Autopilot Details
 
 ```bash
@@ -655,7 +513,7 @@ multica autopilot update <id> --description "New prompt"
 multica autopilot delete <id>
 ```
 
-`--mode` accepts `create_issue` (creates a new issue on each run and assigns it to the agent) or `run_only` (enqueues a direct agent task without creating an issue). `--agent` accepts either a name or UUID.
+`--mode` currently only accepts `create_issue` (creates a new issue on each run and assigns it to the agent). The server data model also defines `run_only`, but the daemon task path doesn't yet resolve a workspace for runs without an issue, so it's not exposed by the CLI. `--agent` accepts either a name or UUID.
 
 ### Manual Trigger
 

CLI_INSTALL.md

@@ -140,7 +140,7 @@ multica auth status
 Expected output should show the authenticated user and server URL.
 
 **If login fails:**
-- If no browser is available (headless environment), the user can generate a Personal Access Token at `https://app.multica.ai/settings` and run: `multica login --token <mul_...>` (use `--token=` with an empty value to be prompted interactively).
+- If no browser is available (headless environment), the user can generate a Personal Access Token at `https://app.multica.ai/settings` and run: `multica login --token`
 - If the server URL needs to be customized: `multica config set server_url <url>` before logging in.
 
 ---
@@ -166,12 +166,12 @@ Wait 3 seconds, then verify:
 multica daemon status
 ```
 
-Expected output should show `running` status with detected agents (e.g. `claude`, `codex`, `copilot`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, `cursor-agent`).
+Expected output should show `running` status with detected agents (e.g. `claude`, `codex`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, `cursor-agent`).
 
 **If daemon fails to start:**
 - Check logs: `multica daemon logs`
 - If a port conflict occurs, the daemon may already be running under a different profile.
-- If no agents are detected, ensure at least one AI CLI (`claude`, `codex`, `copilot`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, or `cursor-agent`) is installed and on the `$PATH`.
+- If no agents are detected, ensure at least one AI CLI (`claude`, `codex`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, or `cursor-agent`) is installed and on the `$PATH`.
 
 ---
 
@@ -185,12 +185,12 @@ multica daemon status
 
 Confirm:
 1. Status is `running`
-2. At least one agent is listed (e.g. `claude`, `codex`, `copilot`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, or `cursor-agent`)
+2. At least one agent is listed (e.g. `claude`, `codex`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, or `cursor-agent`)
 3. At least one workspace is being watched
 
 If the agents list is empty, tell the user:
 
-> "The Multica daemon is running but no AI agent CLIs were detected. Please install at least one supported CLI (`claude`, `codex`, `copilot`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, or `cursor-agent`), then restart the daemon with `multica daemon stop && multica daemon start`."
+> "The Multica daemon is running but no AI agent CLIs were detected. Please install at least one supported CLI (`claude`, `codex`, `opencode`, `openclaw`, `hermes`, `gemini`, `pi`, or `cursor-agent`), then restart the daemon with `multica daemon stop && multica daemon start`."
 
 ---
 

Dockerfile

@@ -18,7 +18,6 @@ ARG COMMIT=unknown
 RUN cd server && CGO_ENABLED=0 go build -ldflags "-s -w -X main.version=${VERSION} -X main.commit=${COMMIT}" -o bin/server ./cmd/server
 RUN cd server && CGO_ENABLED=0 go build -ldflags "-s -w -X main.version=${VERSION} -X main.commit=${COMMIT}" -o bin/multica ./cmd/multica
 RUN cd server && CGO_ENABLED=0 go build -ldflags "-s -w" -o bin/migrate ./cmd/migrate
-RUN cd server && CGO_ENABLED=0 go build -ldflags "-s -w" -o bin/backfill_task_usage_hourly ./cmd/backfill_task_usage_hourly
 
 # --- Runtime stage ---
 FROM alpine:3.21
@@ -30,7 +29,6 @@ WORKDIR /app
 COPY --from=builder /src/server/bin/server .
 COPY --from=builder /src/server/bin/multica .
 COPY --from=builder /src/server/bin/migrate .
-COPY --from=builder /src/server/bin/backfill_task_usage_hourly .
 COPY server/migrations/ ./migrations/
 COPY docker/entrypoint.sh .
 RUN sed -i 's/\r$//' entrypoint.sh && chmod +x entrypoint.sh

Dockerfile.web

@@ -8,8 +8,6 @@ WORKDIR /app
 # Copy workspace config and all package.json files for dependency resolution
 COPY pnpm-lock.yaml pnpm-workspace.yaml package.json turbo.json .npmrc ./
 COPY apps/web/package.json apps/web/
-# postinstall runs fumadocs-mdx which reads apps/web/source.config.ts
-COPY apps/web/source.config.ts apps/web/source.config.ts
 COPY packages/core/package.json packages/core/
 COPY packages/ui/package.json packages/ui/
 COPY packages/views/package.json packages/views/

Makefile

@@ -12,7 +12,7 @@ POSTGRES_DB ?= multica
 POSTGRES_USER ?= multica
 POSTGRES_PASSWORD ?= multica
 POSTGRES_PORT ?= 5432
-PORT := $(or $(BACKEND_PORT),$(API_PORT),$(SERVER_PORT),$(PORT),8080)
+PORT ?= 8080
 FRONTEND_PORT ?= 3000
 FRONTEND_ORIGIN ?= http://localhost:$(FRONTEND_PORT)
 MULTICA_APP_URL ?= $(FRONTEND_ORIGIN)
@@ -21,7 +21,6 @@ NEXT_PUBLIC_API_URL ?= http://localhost:$(PORT)
 NEXT_PUBLIC_WS_URL ?= ws://localhost:$(PORT)/ws
 GOOGLE_REDIRECT_URI ?= $(FRONTEND_ORIGIN)/auth/callback
 MULTICA_SERVER_URL ?= ws://localhost:$(PORT)/ws
-LOCAL_UPLOAD_BASE_URL ?= http://localhost:$(PORT)
 
 export
 

README.md

@@ -20,7 +20,7 @@ Turn coding agents into real teammates — assign tasks, track progress, compoun
 [![CI](https://github.com/multica-ai/multica/actions/workflows/ci.yml/badge.svg)](https://github.com/multica-ai/multica/actions/workflows/ci.yml)
 [![GitHub stars](https://img.shields.io/github/stars/multica-ai/multica?style=flat)](https://github.com/multica-ai/multica/stargazers)
 
-[Website](https://multica.ai) · [Cloud](https://multica.ai) · [X](https://x.com/MulticaAI) · [Self-Hosting](SELF_HOSTING.md) · [Contributing](CONTRIBUTING.md)
+[Website](https://multica.ai) · [Cloud](https://multica.ai/app) · [X](https://x.com/MulticaAI) · [Self-Hosting](SELF_HOSTING.md) · [Contributing](CONTRIBUTING.md)
 
 **English | [简体中文](README.zh-CN.md)**
 
@@ -30,34 +30,18 @@ Turn coding agents into real teammates — assign tasks, track progress, compoun
 
 Multica turns coding agents into real teammates. Assign issues to an agent like you'd assign to a colleague — they'll pick up the work, write code, report blockers, and update statuses autonomously.
 
-No more copy-pasting prompts. No more babysitting runs. Your agents show up on the board, participate in conversations, and compound reusable skills over time. Think of it as open-source infrastructure for managed agents — vendor-neutral, self-hosted, and designed for human + AI teams. Works with **Claude Code**, **Codex**, **GitHub Copilot CLI**, **OpenClaw**, **OpenCode**, **Hermes**, **Gemini**, **Pi**, **Cursor Agent**, **Kimi**, and **Kiro CLI**.
-
-For larger teams, Squads add a stable routing layer: assign work to a group led by an agent, and the leader delegates to the right member.
+No more copy-pasting prompts. No more babysitting runs. Your agents show up on the board, participate in conversations, and compound reusable skills over time. Think of it as open-source infrastructure for managed agents — vendor-neutral, self-hosted, and designed for human + AI teams. Works with **Claude Code**, **Codex**, **OpenClaw**, **OpenCode**, **Hermes**, **Gemini**, **Pi**, **Cursor Agent**, **Kimi**, and **Kiro CLI**.
 
 <p align="center">
   <img src="docs/assets/hero-screenshot.png" alt="Multica board view" width="800">
 </p>
 
-## Why "Multica"?
-
-Multica — **Mul**tiplexed **I**nformation and **C**omputing **A**gent.
-
-The name is a nod to Multics, the pioneering operating system of the 1960s that introduced time-sharing — letting multiple users share a single machine as if each had it to themselves. Unix was born as a deliberate simplification of Multics: one user, one task, one elegant philosophy.
-
-We think the same inflection is happening again. For decades, software teams have been single-threaded — one engineer, one task, one context switch at a time. AI agents change that equation. Multica brings time-sharing back, but for an era where the "users" multiplexing the system are both humans and autonomous agents.
-
-In Multica, agents are first-class teammates. They get assigned issues, report progress, raise blockers, and ship code — just like their human colleagues. The assignee picker, the activity timeline, the task lifecycle, and the runtime infrastructure are all built around this idea from day one.
-
-Like Multics before it, the bet is on multiplexing: a small team shouldn't feel small. With the right system, two engineers and a fleet of agents can move like twenty.
-
 ## Features
 
 Multica manages the full agent lifecycle: from task assignment to execution monitoring to skill reuse.
 
 - **Agents as Teammates** — assign to an agent like you'd assign to a colleague. They have profiles, show up on the board, post comments, create issues, and report blockers proactively.
-- **Squads** — group agents (and humans) under a leader agent and assign work to the *squad*. The leader decides who should pick it up, so routing stays stable as the team grows. `@FrontendTeam` instead of `@alice-or-bob-or-carol`.
 - **Autonomous Execution** — set it and forget it. Full task lifecycle management (enqueue, claim, start, complete/fail) with real-time progress streaming via WebSocket.
-- **Autopilots** — schedule recurring work for agents. Cron triggers, webhooks, or manual runs — each autopilot creates the issue and routes it to an agent automatically, so daily standups, weekly reports, and periodic audits run themselves.
 - **Reusable Skills** — every solution becomes a reusable skill for the whole team. Deployments, migrations, code reviews — skills compound your team's capabilities over time.
 - **Unified Runtimes** — one dashboard for all your compute. Local daemons and cloud runtimes, auto-detection of available CLIs, real-time monitoring.
 - **Multi-Workspace** — organize work across teams with workspace-level isolation. Each workspace has its own agents, issues, and settings.
@@ -114,7 +98,7 @@ multica setup          # Connect to Multica Cloud, log in, start daemon
 multica setup           # Configure, authenticate, and start the daemon
 ```
 
-The daemon runs in the background and auto-detects agent CLIs (`claude`, `codex`, `copilot`, `openclaw`, `opencode`, `hermes`, `gemini`, `pi`, `cursor-agent`, `kimi`, `kiro-cli`, `agy`) on your PATH.
+The daemon runs in the background and auto-detects agent CLIs (`claude`, `codex`, `openclaw`, `opencode`, `hermes`, `gemini`, `pi`, `cursor-agent`, `kimi`, `kiro-cli`) on your PATH.
 
 ### 2. Verify your runtime
 
@@ -124,7 +108,7 @@ Open your workspace in the Multica web app. Navigate to **Settings → Runtimes*
 
 ### 3. Create an agent
 
-Go to **Settings → Agents** and click **New Agent**. Pick the runtime you just connected and choose a provider (Claude Code, Codex, GitHub Copilot CLI, OpenClaw, OpenCode, Hermes, Gemini, Pi, Cursor Agent, Kimi, Kiro CLI, or Antigravity). Give your agent a name — this is how it will appear on the board, in comments, and in assignments.
+Go to **Settings → Agents** and click **New Agent**. Pick the runtime you just connected and choose a provider (Claude Code, Codex, OpenClaw, OpenCode, Hermes, Gemini, Pi, Cursor Agent, Kimi, or Kiro CLI). Give your agent a name — this is how it will appear on the board, in comments, and in assignments.
 
 ### 4. Assign your first task
 
@@ -132,6 +116,21 @@ Create an issue from the board (or via `multica issue create`), then assign it t
 
 ---
 
+## Multica vs Paperclip
+
+| | Multica | Paperclip |
+|---|---------|-----------|
+| **Focus** | Team AI agent collaboration platform | Solo AI agent company simulator |
+| **User model** | Multi-user teams with roles & permissions | Single board operator |
+| **Agent interaction** | Issues + Chat conversations | Issues + Heartbeat |
+| **Deployment** | Cloud-first | Local-first |
+| **Management depth** | Lightweight (Issues / Projects / Labels) | Heavy governance (Org chart / Approvals / Budgets) |
+| **Extensibility** | Skills system | Skills + Plugin system |
+
+**TL;DR — Multica is built for teams that want to collaborate with AI agents on real projects together.**
+
+---
+
 ## CLI
 
 The `multica` CLI connects your local machine to Multica — authenticate, manage workspaces, and run the agent daemon.
@@ -143,8 +142,6 @@ The `multica` CLI connects your local machine to Multica — authenticate, manag
 | `multica daemon status` | Check daemon status |
 | `multica setup` | One-command setup for Multica Cloud (configure + login + start daemon) |
 | `multica setup self-host` | Same, but for self-hosted deployments |
-| `multica workspace list` | List your workspaces (current is marked with `*`) |
-| `multica workspace switch <id\|slug>` | Switch the default workspace for this profile |
 | `multica issue list` | List issues in your workspace |
 | `multica issue create` | Create a new issue |
 | `multica update` | Update to the latest version |
@@ -163,9 +160,10 @@ See the [CLI and Daemon Guide](CLI_AND_DAEMON.md) for the full command reference
                             │
                      ┌──────┴───────┐
                      │ Agent Daemon │  runs on your machine
-                     └──────────────┘  (Claude Code, Codex, GitHub Copilot CLI,
-                                        OpenCode, OpenClaw, Hermes, Gemini,
-                                        Pi, Cursor Agent, Kimi, Kiro CLI)
+                     └──────────────┘  (Claude Code, Codex, OpenCode,
+                                        OpenClaw, Hermes, Gemini,
+                                        Pi, Cursor Agent, Kimi,
+                                        Kiro CLI)
 ```
 
 | Layer | Stack |
@@ -173,7 +171,7 @@ See the [CLI and Daemon Guide](CLI_AND_DAEMON.md) for the full command reference
 | Frontend | Next.js 16 (App Router) |
 | Backend | Go (Chi router, sqlc, gorilla/websocket) |
 | Database | PostgreSQL 17 with pgvector |
-| Agent Runtime | Local daemon executing Claude Code, Codex, GitHub Copilot CLI, OpenClaw, OpenCode, Hermes, Gemini, Pi, Cursor Agent, Kimi, or Kiro CLI |
+| Agent Runtime | Local daemon executing Claude Code, Codex, OpenClaw, OpenCode, Hermes, Gemini, Pi, Cursor Agent, Kimi, or Kiro CLI |
 
 ## Development
 
@@ -188,5 +186,3 @@ make dev
 `make dev` auto-detects your environment (main checkout or worktree), creates the env file, installs dependencies, sets up the database, runs migrations, and starts all services.
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for the full development workflow, worktree support, testing, and troubleshooting.
-
-An iOS mobile client lives in [`apps/mobile/`](apps/mobile/) — see its [README](apps/mobile/README.md) for how to build it onto your own iPhone.

README.zh-CN.md

@@ -20,7 +20,7 @@
 [![CI](https://github.com/multica-ai/multica/actions/workflows/ci.yml/badge.svg)](https://github.com/multica-ai/multica/actions/workflows/ci.yml)
 [![GitHub stars](https://img.shields.io/github/stars/multica-ai/multica?style=flat)](https://github.com/multica-ai/multica/stargazers)
 
-[官网](https://multica.ai) · [云服务](https://multica.ai) · [X](https://x.com/MulticaAI) · [自部署指南](SELF_HOSTING.md) · [参与贡献](CONTRIBUTING.md)
+[官网](https://multica.ai) · [云服务](https://multica.ai/app) · [X](https://x.com/MulticaAI) · [自部署指南](SELF_HOSTING.md) · [参与贡献](CONTRIBUTING.md)
 
 **[English](README.md) | 简体中文**
 
@@ -30,34 +30,18 @@
 
 Multica 将编码 Agent 变成真正的队友。像分配给同事一样分配给 Agent——它们会自主接手工作、编写代码、报告阻塞问题、更新状态。
 
-不再需要复制粘贴 prompt，不再需要盯着运行过程。你的 Agent 出现在看板上、参与对话、随着时间积累可复用的技能。可以理解为开源的 Managed Agents 基础设施——厂商中立、可自部署、专为人类 + AI 团队设计。支持 **Claude Code**、**Codex**、**GitHub Copilot CLI**、**OpenClaw**、**OpenCode**、**Hermes**、**Gemini**、**Pi**、**Cursor Agent**、**Kimi** 和 **Kiro CLI**。
-
-面向更大的团队，Squads（小队）提供稳定的路由层：把任务分给由 Agent 带队的小队，由队长判断谁最适合接手。
+不再需要复制粘贴 prompt，不再需要盯着运行过程。你的 Agent 出现在看板上、参与对话、随着时间积累可复用的技能。可以理解为开源的 Managed Agents 基础设施——厂商中立、可自部署、专为人类 + AI 团队设计。支持 **Claude Code**、**Codex**、**OpenClaw**、**OpenCode**、**Hermes**、**Gemini**、**Pi** 和 **Cursor Agent**。
 
 <p align="center">
   <img src="docs/assets/hero-screenshot.png" alt="Multica 看板视图" width="800">
 </p>
 
-## 为什么叫 "Multica"？
-
-Multica——**Mul**tiplexed **I**nformation and **C**omputing **A**gent。
-
-这个名字是在向 20 世纪 60 年代具有开创意义的操作系统 Multics 致意。Multics 首创了分时系统，让多个用户能够共享同一台机器，同时又像各自独占它一样使用。Unix 则是在有意简化 Multics 的基础上诞生的，强调一个用户、一个任务、一种优雅的哲学。
-
-我们认为，类似的转折点正在再次出现。几十年来，软件团队一直处于一种单线程的工作模式，一个工程师处理一个任务，一次只专注于一个上下文。AI agents 改变了这个等式。Multica 将"分时"重新带回这个时代，只不过今天在系统中进行多路复用的"用户"，既包括人类，也包括自主代理。
-
-在 Multica 中，agents 是一级团队成员。它们会被分配 issue，汇报进展，提出阻塞，并交付代码，就像人类同事一样。任务分配、活动时间线、任务生命周期，以及运行时基础设施，Multica 从第一天起就是围绕这一理念构建的。
-
-和当年的 Multics 一样，这一判断建立在"多路复用"之上。一个小团队不该因为人数少就显得能力有限。有了合适的系统，两名工程师加上一组 agents，就能发挥出二十人团队的推进速度。
-
 ## 功能特性
 
 Multica 管理完整的 Agent 生命周期：从任务分配到执行监控再到技能复用。
 
 - **Agent 即队友** — 像分配给同事一样分配给 Agent。它们有个人档案、出现在看板上、发表评论、创建 Issue、主动报告阻塞问题。
-- **Squads（小队）** — 把多个 Agent（以及人类成员）组合成由 leader agent 带队的小队，直接把任务分配给小队本身。Leader 会判断谁最适合接手，团队扩容时路由方式保持不变。用 `@前端组` 代替 `@小张或小李或小王`。
 - **自主执行** — 设置后无需管理。完整的任务生命周期管理（排队、认领、执行、完成/失败），通过 WebSocket 实时推送进度。
-- **自动化（Autopilots）** — 为 Agent 安排周期性工作。定时（Cron）、Webhook 或手动触发，自动化会自动创建 Issue 并分配给 Agent——日报、周报、定期巡检都能让它自己跑起来。
 - **可复用技能** — 每个解决方案都成为全团队可复用的技能。部署、数据库迁移、代码审查——技能让团队能力随时间持续增长。
 - **统一运行时** — 一个控制台管理所有算力。本地 daemon 和云端运行时，自动检测可用 CLI，实时监控。
 - **多工作区** — 按团队组织工作，工作区级别隔离。每个工作区有独立的 Agent、Issue 和设置。
@@ -115,7 +99,7 @@ multica setup          # 连接 Multica Cloud，登录，启动 daemon
 multica setup           # 配置、认证、启动 daemon（一条命令搞定）
 ```
 
-daemon 在后台运行，保持你的机器与 Multica 的连接。它会自动检测 PATH 中可用的 Agent CLI（`claude`、`codex`、`copilot`、`openclaw`、`opencode`、`hermes`、`gemini`、`pi`、`cursor-agent`、`kimi`、`kiro-cli`）。
+daemon 在后台运行，保持你的机器与 Multica 的连接。它会自动检测 PATH 中可用的 Agent CLI（`claude`、`codex`、`openclaw`、`opencode`、`hermes`、`gemini`、`pi`、`cursor-agent`）。
 
 ### 2. 确认运行时已连接
 
@@ -125,7 +109,7 @@ daemon 在后台运行，保持你的机器与 Multica 的连接。它会自动
 
 ### 3. 创建 Agent
 
-进入 **设置 → Agents**，点击 **新建 Agent**。选择你刚连接的 Runtime，选择 Provider（Claude Code、Codex、GitHub Copilot CLI、OpenClaw、OpenCode、Hermes、Gemini、Pi、Cursor Agent、Kimi 或 Kiro CLI），并为 Agent 起个名字——它将以这个名字出现在看板、评论和任务分配中。
+进入 **设置 → Agents**，点击 **新建 Agent**。选择你刚连接的 Runtime，选择 Provider（Claude Code、Codex、OpenClaw、OpenCode、Hermes、Gemini、Pi 或 Cursor Agent），并为 Agent 起个名字——它将以这个名字出现在看板、评论和任务分配中。
 
 ### 4. 分配你的第一个任务
 
@@ -135,6 +119,19 @@ daemon 在后台运行，保持你的机器与 Multica 的连接。它会自动
 
 ---
 
+## Multica vs Paperclip
+
+| | Multica | Paperclip |
+|---|---------|-----------|
+| **定位** | 团队 AI Agent 协作平台 | 个人 AI Agent 公司模拟器 |
+| **用户模型** | 多人团队，角色权限 | 单人 Board Operator |
+| **Agent 交互** | Issue + Chat 对话 | Issue + Heartbeat |
+| **部署** | 云端优先 | 本地优先 |
+| **管理深度** | 轻量（Issue / Project / Labels） | 重度（组织架构 / 审批 / 预算） |
+| **扩展** | Skills 系统 | Skills + 插件系统 |
+
+**简单来说：Multica 专为团队协作打造，让团队和 AI Agent 一起高效完成项目。**
+
 ## 架构
 
 ```
@@ -145,9 +142,9 @@ daemon 在后台运行，保持你的机器与 Multica 的连接。它会自动
                             │
                      ┌──────┴───────┐
                      │ Agent Daemon │  运行在你的机器上
-                     └──────────────┘  （Claude Code、Codex、GitHub Copilot CLI、
-                                        OpenCode、OpenClaw、Hermes、Gemini、
-                                        Pi、Cursor Agent、Kimi、Kiro CLI）
+                     └──────────────┘  （Claude Code、Codex、OpenCode、
+                                        OpenClaw、Hermes、Gemini、
+                                        Pi、Cursor Agent）
 ```
 
 | 层级 | 技术栈 |
@@ -155,7 +152,7 @@ daemon 在后台运行，保持你的机器与 Multica 的连接。它会自动
 | 前端 | Next.js 16 (App Router) |
 | 后端 | Go (Chi router, sqlc, gorilla/websocket) |
 | 数据库 | PostgreSQL 17 with pgvector |
-| Agent 运行时 | 本地 daemon 执行 Claude Code、Codex、GitHub Copilot CLI、OpenClaw、OpenCode、Hermes、Gemini、Pi、Cursor Agent、Kimi 或 Kiro CLI |
+| Agent 运行时 | 本地 daemon 执行 Claude Code、Codex、OpenClaw、OpenCode、Hermes、Gemini、Pi 或 Cursor Agent |
 
 ## 开发
 
@@ -172,8 +169,6 @@ make start
 
 完整的开发流程、worktree 支持、测试和问题排查请参阅 [CONTRIBUTING.md](CONTRIBUTING.md)。
 
-iOS 移动端代码位于 [`apps/mobile/`](apps/mobile/)，自己编译装到手机的方法见 [README](apps/mobile/README.md)。
-
 ## 开源协议
 
-[Modified Apache 2.0 (with commercial restrictions)](LICENSE)
+[Apache 2.0](LICENSE)

SELF_HOSTING.md

@@ -73,7 +73,7 @@ Open http://localhost:3000 in your browser. The Docker self-host stack defaults
 - **Without email configured:** the verification code is generated server-side and printed to the backend container logs (look for `[DEV] Verification code for ...:`). Useful for one-off testing on a single machine.
 - **Deterministic local/private testing:** set `APP_ENV=development` and `MULTICA_DEV_VERIFICATION_CODE=888888` in `.env`, then restart the backend. This fixed code is ignored when `APP_ENV=production`.
 
-Changes to `ALLOW_SIGNUP`, `DISABLE_WORKSPACE_CREATION`, and `GOOGLE_CLIENT_ID` also take effect after restarting the backend / compose stack. The web UI reads all three from `/api/config` at runtime, so no web rebuild is needed. See [Advanced Configuration → Signup Controls](SELF_HOSTING_ADVANCED.md#signup-controls-optional) for the recommended sequence to lock down workspace creation.
+Changes to `ALLOW_SIGNUP` and `GOOGLE_CLIENT_ID` also take effect after restarting the backend / compose stack. The web UI reads both from `/api/config` at runtime, so no web rebuild is needed.
 
 > **Warning:** do **not** set `MULTICA_DEV_VERIFICATION_CODE` on a publicly reachable instance — anyone who knows an email address can then log in with that fixed code.
 
@@ -92,7 +92,6 @@ brew install multica-ai/tap/multica
 You also need at least one AI agent CLI installed:
 - [Claude Code](https://docs.anthropic.com/en/docs/claude-code) (`claude` on PATH)
 - [Codex](https://github.com/openai/codex) (`codex` on PATH)
-- [GitHub Copilot CLI](https://docs.github.com/en/copilot) (`copilot` on PATH)
 - [OpenClaw](https://github.com/openclaw/openclaw) (`openclaw` on PATH)
 - [OpenCode](https://github.com/anomalyco/opencode) (`opencode` on PATH)
 - [Hermes](https://github.com/NousResearch/hermes) (`hermes` on PATH)
@@ -135,262 +134,6 @@ multica daemon status
 3. Go to **Settings → Agents** and create a new agent
 4. Create an issue and assign it to your agent — it will pick up the task automatically
 
----
-
-## Kubernetes Deployment (Alternative)
-
-If you already run a Kubernetes cluster, you can deploy Multica there instead of Docker Compose using the released OCI Helm chart at `oci://ghcr.io/multica-ai/charts/multica` or the source chart at [`deploy/helm/multica/`](deploy/helm/multica/). It targets a typical k3s / k8s setup with an Ingress controller and a default `ReadWriteOnce` StorageClass — authored against k3s + Traefik + `local-path`, and should work on any cluster with minor tweaks.
-
-The chart creates the following resources in the target namespace:
-
-- `multica-postgres` — `pgvector/pgvector:pg17` backed by a 10Gi PVC
-- `multica-backend` — Go API/WS server. Backed by a 5Gi `ReadWriteOnce` uploads PVC by default; set `backend.uploads.persistence.enabled=false` when you have configured S3 (`backend.config.s3Bucket`) and don't want the chart to declare the PVC at all.
-- `multica-frontend` — Next.js standalone server
-- Two `Ingress` resources: one for the web host, one for the backend host
-- `multica-config` ConfigMap (rendered from `values.yaml`)
-
-The `multica-secrets` Secret is **not** managed by the chart — you create it once with `kubectl` so real values never need to land in git.
-
-> **One release per namespace:** the prebuilt `multica-web` image bakes `REMOTE_API_URL=http://backend:8080` at build time, so the chart ships an ExternalName Service literally named `backend`. Because that name is unprefixed, you can run only one Multica release per namespace, and `helm install` will fail if a `Service/backend` already exists there (pass `--take-ownership`, or use a dedicated namespace). If you build a web image with a patched `REMOTE_API_URL`, set `frontend.compatibility.backendAlias: false` to drop the alias.
-
-> **Prerequisites:** `kubectl` and `helm` (v3.13+ for `--take-ownership`, or v4+) configured for the target cluster, an Ingress controller (Traefik / NGINX), and a default StorageClass.
-
-### Step 1 — Point hostnames at the cluster
-
-The chart defaults to `multica.dev.lan` (web) and `api.multica.dev.lan` (backend). Pick one of:
-
-- **`/etc/hosts`** on every machine that needs access (developer laptops + the machine running the daemon):
-
-  ```text
-  192.168.1.206  multica.dev.lan api.multica.dev.lan
-  ```
-
-  Replace `192.168.1.206` with any node IP where your Ingress controller's Service is reachable.
-
-- **Local DNS** (Pi-hole, Unbound, etc.): add A records for both hostnames pointing at the cluster Ingress IP.
-
-To use different hostnames, override the matching values at install time (see [Step 4](#step-4--install-the-chart)) — `ingress.frontend.host`, `ingress.backend.host`, plus `backend.config.appUrl`, `backend.config.frontendOrigin`, `backend.config.localUploadBaseUrl`, and `backend.config.googleRedirectUri`.
-
-### Step 2 — Create the namespace
-
-```bash
-kubectl create namespace multica
-```
-
-### Step 3 — Create the `multica-secrets` Secret
-
-The chart references this Secret by name. Create it once with random values:
-
-```bash
-kubectl -n multica create secret generic multica-secrets \
-  --from-literal=JWT_SECRET="$(openssl rand -hex 32)" \
-  --from-literal=POSTGRES_PASSWORD="$(openssl rand -hex 16)" \
-  --from-literal=RESEND_API_KEY="" \
-  --from-literal=GOOGLE_CLIENT_SECRET="" \
-  --from-literal=CLOUDFRONT_PRIVATE_KEY="" \
-  --from-literal=MULTICA_DEV_VERIFICATION_CODE=""
-```
-
-Leave optional values empty for now — you can fill them in later (see [Step 5 — Log In](#step-5--log-in)).
-
-### Step 4 — Install the chart
-
-```bash
-helm install multica oci://ghcr.io/multica-ai/charts/multica \
-  --version <chart-version> \
-  -n multica
-```
-
-Released chart versions strip the leading `v` from the Git tag. For example, release tag `v0.3.5` publishes chart version `0.3.5`; the chart defaults the backend and frontend image tags to `v0.3.5`.
-
-To override defaults, export the chart values, edit them, and pass them with `-f`:
-
-```bash
-helm show values oci://ghcr.io/multica-ai/charts/multica \
-  --version <chart-version> > my-values.yaml
-# edit my-values.yaml — e.g. change ingress hosts, image tags, resource limits
-helm install multica oci://ghcr.io/multica-ai/charts/multica \
-  --version <chart-version> \
-  -n multica \
-  -f my-values.yaml
-```
-
-When developing from a checkout, use the local chart path instead:
-
-```bash
-helm install multica deploy/helm/multica -n multica
-```
-
-Watch the pods come up:
-
-```bash
-kubectl -n multica get pods -w
-```
-
-On a cold cluster the backend can sit `Running` but not `Ready` for a few minutes while it waits on PostgreSQL and runs migrations — a startupProbe absorbs this, so the pod should not restart. Once the backend reports `Ready`, migrations have completed and `/healthz` returns OK:
-
-```bash
-curl -H "Host: api.multica.dev.lan" http://<ingress-ip>/healthz
-# {"status":"ok","checks":{"db":"ok","migrations":"ok"}}
-```
-
-Then open http://multica.dev.lan in your browser.
-
-### Step 5 — Log In
-
-The chart defaults to `APP_ENV=production` (set in `values.yaml` under `backend.config.appEnv`), and there is no fixed verification code by default. Pick one of the following to log in — the same three options as the Docker setup:
-
-- **Recommended (production):** patch the Secret with a real Resend key, then restart the backend:
-
-  ```bash
-  kubectl -n multica patch secret multica-secrets --type=merge \
-    -p '{"stringData":{"RESEND_API_KEY":"re_xxx"}}'
-  kubectl -n multica rollout restart deploy/multica-backend
-  ```
-
-  Real verification codes will be sent to the email address you enter. See [Advanced Configuration → Email](SELF_HOSTING_ADVANCED.md#email-required-for-authentication).
-
-- **Without email configured:** the verification code is generated server-side and printed to the backend pod logs (look for `[DEV] Verification code for ...:`). Useful for one-off testing.
-
-  ```bash
-  kubectl -n multica logs -f deploy/multica-backend | grep "Verification code"
-  ```
-
-- **Deterministic local/private testing:** set `backend.config.appEnv: development` in your values file and `MULTICA_DEV_VERIFICATION_CODE=888888` in the Secret, then `helm upgrade` and restart. This fixed code is ignored when `APP_ENV=production`.
-
-  ```bash
-  helm upgrade multica oci://ghcr.io/multica-ai/charts/multica \
-    --version <chart-version> \
-    -n multica \
-    -f my-values.yaml --set backend.config.appEnv=development
-  kubectl -n multica patch secret multica-secrets --type=merge \
-    -p '{"stringData":{"MULTICA_DEV_VERIFICATION_CODE":"888888"}}'
-  kubectl -n multica rollout restart deploy/multica-backend
-  ```
-
-`ALLOW_SIGNUP`, `DISABLE_WORKSPACE_CREATION`, and `GOOGLE_CLIENT_ID` likewise live under `backend.config.*` in `values.yaml` (as `allowSignup`, `disableWorkspaceCreation`, and `googleClientId`). After `helm upgrade`, the backend pod will roll automatically because the ConfigMap hash changes; the web UI reads all three from `/api/config` at runtime, so no web rebuild is needed.
-
-> **Warning:** do **not** set `MULTICA_DEV_VERIFICATION_CODE` on a publicly reachable instance — anyone who knows an email address can then log in with that fixed code.
-
-### Step 6 — Install CLI & Start Daemon
-
-The daemon runs on your local machine, not in the cluster. Install the CLI and an AI agent as in [Step 3](#step-3--install-cli--start-daemon) above, then point the CLI at your Ingress hostnames:
-
-```bash
-multica setup self-host \
-  --server-url http://api.multica.dev.lan \
-  --app-url http://multica.dev.lan
-```
-
-Make sure the machine running the daemon has the same `/etc/hosts` (or DNS) entries from [Step 1](#step-1--point-hostnames-at-the-cluster).
-
-### Updating
-
-To pull the latest images without changing the chart version when your values still use the mutable `latest` image tag:
-
-```bash
-kubectl -n multica rollout restart deploy/multica-backend deploy/multica-frontend
-```
-
-To upgrade to a specific Multica release, upgrade to the matching chart version. The released chart defaults its app images to the matching Git tag:
-
-```bash
-helm upgrade multica oci://ghcr.io/multica-ai/charts/multica \
-  --version <chart-version> \
-  -n multica \
-  -f my-values.yaml
-```
-
-If you need to override the app images independently from the chart version, set the image tags in your values file:
-
-```yaml
-images:
-  backend:
-    tag: v0.2.4
-  frontend:
-    tag: v0.2.4
-```
-
-Then run the same upgrade command with `-f my-values.yaml`:
-
-```bash
-helm upgrade multica oci://ghcr.io/multica-ai/charts/multica \
-  --version <chart-version> \
-  -n multica \
-  -f my-values.yaml
-```
-
-To roll back if an upgrade goes sideways:
-
-```bash
-helm -n multica rollback multica
-```
-
-> **Upgrading from `v0.3.4` to `v0.3.5+` fails with `refusing to drop legacy daily rollups: ...`?** Same migration guard as the Docker path — see [Usage Dashboard Rollup → Option C](#option-c--backfill-history-first-then-schedule). Run the backfill against the same database the chart is using (`kubectl -n multica exec deploy/multica-backend -- ./backfill_task_usage_hourly --sleep-between-slices=2s`), then restart the backend deployment to re-apply migrations.
-
-### Tearing down
-
-```bash
-# Remove the workloads but keep the PVCs and the Secret
-helm -n multica uninstall multica
-
-# Wipe everything, including PostgreSQL data and uploads
-kubectl delete namespace multica
-```
-
----
-
-## Usage Dashboard Rollup (Required)
-
-Starting with `v0.3.5`, the Usage / Runtime dashboards read from a derived `task_usage_hourly` table rather than directly from `task_usage`. Raw `task_usage` rows are written by the backend on every task, but the dashboard only sees data after `rollup_task_usage_hourly()` runs and aggregates them into `task_usage_hourly`.
-
-**The bundled `pgvector/pgvector:pg17` image does NOT include `pg_cron`.** If nothing schedules the rollup, the dashboard will stay at zero forever even though `task_usage` is populated. You have three supported options — pick one before relying on the dashboard.
-
-> **Upgrading from `v0.3.4` to `v0.3.5+`** with existing `task_usage` history: migration `103` is fail-closed and will abort `migrate up` with `refusing to drop legacy daily rollups: …`. Run `backfill_task_usage_hourly` first (Option C below), then re-run the upgrade. **Fresh installs** are exempted by that guard and migrate cleanly — but the dashboard will still stay at zero until you pick Option A or Option B.
-
-### Option A — External cron / systemd-timer (simplest)
-
-Schedule a 5-minute job that calls `rollup_task_usage_hourly()`. It is idempotent and watermark-driven, so a missed tick catches up on the next run.
-
-```bash
-# /etc/cron.d/multica-rollup — every 5 minutes
-*/5 * * * * root docker compose -f /path/to/multica/docker-compose.selfhost.yml \
-  exec -T postgres psql -U multica -d multica \
-  -c "SELECT rollup_task_usage_hourly();" >/dev/null
-```
-
-Or as a systemd timer + service if you prefer that surface. The function returns the number of (upserted + deleted-empty) rows; it's safe to call concurrently with itself (an advisory lock makes overlapping runs no-op) and safe to call alongside `backfill_task_usage_hourly`.
-
-### Option B — Swap Postgres for an image that ships `pg_cron`
-
-If you'd rather have Postgres schedule itself, replace `pgvector/pgvector:pg17` in `docker-compose.selfhost.yml` with an image that bundles both `pgvector` and `pg_cron` (e.g. `supabase/postgres`, or your own build of `pgvector/pgvector` with `pg_cron` added and `shared_preload_libraries=pg_cron` set on the server). Then, once:
-
-```sql
-CREATE EXTENSION IF NOT EXISTS pg_cron;
-SELECT cron.schedule(
-  'rollup_task_usage_hourly',
-  '*/5 * * * *',
-  $$SELECT rollup_task_usage_hourly()$$
-);
-```
-
-`shared_preload_libraries` requires a Postgres restart to take effect — set it in `postgresql.conf` (or via the image's documented mechanism) before bringing the container up.
-
-### Option C — Backfill history first, then schedule
-
-If you're upgrading from `v0.3.4 → v0.3.5+` and already have `task_usage` rows (or you just want the dashboard to show historical data on a fresh install that you've been running for a while), run the bundled backfill command once before scheduling the rollup:
-
-```bash
-# Backfills task_usage_hourly from all historical task_usage rows and stamps
-# the rollup watermark. Idempotent — safe to re-run.
-docker compose -f docker-compose.selfhost.yml exec backend \
-  ./backfill_task_usage_hourly --sleep-between-slices=2s
-```
-
-On a database with years of data this can scan tens of millions of rows; `--sleep-between-slices=2s` throttles the read pressure. Use `--months-back N` (plus `--force-partial`) if you only want the last N months. Once it finishes, set up Option A or Option B so new buckets keep flowing.
-
-After upgrading, re-run `migrate up` (or restart the backend container — migrations run automatically on startup) to apply migration `103` cleanly.
-
 ## Stopping Services
 
 If you installed via the install script:
@@ -431,8 +174,6 @@ docker compose -f docker-compose.selfhost.yml up -d
 Pin `MULTICA_IMAGE_TAG` in `.env` to an exact version like `v0.2.4` if you want to stay on a specific release. Migrations run automatically on backend startup.
 If the selected GHCR tag has not been published yet, fall back to `make selfhost-build` or `docker compose -f docker-compose.selfhost.yml -f docker-compose.selfhost.build.yml up -d --build`.
 
-> **Upgrading from `v0.3.4` to `v0.3.5+` fails with `refusing to drop legacy daily rollups: ...`?** That's migration `103`'s fail-closed guard: it requires `task_usage_hourly` to be seeded before the legacy daily rollups are dropped. Run `backfill_task_usage_hourly` first, then re-run the upgrade. Full instructions in [Usage Dashboard Rollup → Option C](#option-c--backfill-history-first-then-schedule).
-
 ---
 
 ## Manual Docker Compose Setup

SELF_HOSTING_ADVANCED.md

@@ -25,31 +25,14 @@ These have sensible defaults and only need to be set when tuning a large or cons
 
 ### Email (Required for Authentication)
 
-Multica supports two email backends. `SMTP_HOST` takes priority when set; otherwise `RESEND_API_KEY` is used. With neither configured, verification codes are printed to the server log — copy them from there to log in.
-
-#### Option A: Resend (recommended for cloud deployments)
+Multica uses email-based magic link authentication via [Resend](https://resend.com).
 
 | Variable | Description |
 |----------|-------------|
 | `RESEND_API_KEY` | Your Resend API key |
 | `RESEND_FROM_EMAIL` | Sender email address (default: `noreply@multica.ai`) |
 
-#### Option B: SMTP relay (for self-hosted / on-premise deployments)
-
-Use this option when your deployment cannot reach the public internet or you already have an internal mail relay (e.g. Exchange, Postfix, SendGrid on-prem).
-
-| Variable | Description | Default |
-|----------|-------------|----------|
-| `SMTP_HOST` | SMTP relay hostname (setting this activates SMTP mode) | - |
-| `SMTP_PORT` | SMTP port | `25` |
-| `SMTP_USERNAME` | SMTP username (leave empty for unauthenticated relay) | - |
-| `SMTP_PASSWORD` | SMTP password | - |
-| `SMTP_TLS` | TLS mode. `implicit` (aliases `smtps`, `ssl`) forces SMTPS on connect; port `465` auto-enables it. Unset / `starttls` upgrades via STARTTLS | `starttls` |
-| `SMTP_TLS_INSECURE` | Set `true` to skip TLS certificate verification (self-signed / private CA certs) | `false` |
-
-STARTTLS is used automatically when advertised by the server. Port 465 (SMTPS / implicit TLS) is supported and auto-enables implicit TLS; set `SMTP_TLS=implicit` (aliases `smtps`, `ssl`) to force it on a non-standard port.
-
-> **Note:** If neither Resend nor SMTP is configured, generated verification codes are printed to backend logs — copy them from there to log in. A fixed local testing code (e.g. `888888`) is **opt-in only**: set `MULTICA_DEV_VERIFICATION_CODE=888888` in `.env` and keep `APP_ENV` non-production. The Docker self-host stack pins `APP_ENV=production`, so the shortcut is ignored there. **Never enable a fixed code on a publicly reachable instance.**
+> **Note:** If Resend is not configured, generated verification codes are printed to backend logs. A fixed local testing code is disabled by default; to opt in on a private test instance, set `APP_ENV=development` and `MULTICA_DEV_VERIFICATION_CODE` to a 6-digit value. It is ignored when `APP_ENV=production`.
 
 ### Google OAuth (Optional)
 
@@ -68,32 +51,18 @@ Changes take effect after restarting the backend / compose stack. The web UI rea
 | `ALLOW_SIGNUP` | Set to `false` to disable new user signups on a private instance |
 | `ALLOWED_EMAIL_DOMAINS` | Optional comma-separated allowlist of email domains |
 | `ALLOWED_EMAILS` | Optional comma-separated allowlist of exact email addresses |
-| `DISABLE_WORKSPACE_CREATION` | Set to `true` to make `POST /api/workspaces` return 403 for every caller — users can only join workspaces they were invited to |
 
-Changes take effect after restarting the backend / compose stack. The web UI reads `ALLOW_SIGNUP` and `DISABLE_WORKSPACE_CREATION` from `/api/config` at runtime, so no web rebuild is needed.
-
-#### Locking down workspace creation
-
-`ALLOW_SIGNUP=false` blocks new accounts from being created, but it does **not** block an already-signed-in user from creating another workspace via `POST /api/workspaces`. On a self-hosted instance where every issue/repo/agent must be visible to the platform admin, set `DISABLE_WORKSPACE_CREATION=true` to close that gap. The recommended bootstrap sequence is:
-
-1. Start the instance with `DISABLE_WORKSPACE_CREATION=false` (the default).
-2. Sign in as the admin and create the shared workspace.
-3. Set `DISABLE_WORKSPACE_CREATION=true` and restart the backend. Optionally set `ALLOW_SIGNUP=false` at the same time if you also want to block new account creation.
-4. Going forward, additional users join via invitation only — the "Create workspace" affordance is hidden in the UI and any direct API call returns 403.
-
-> Note: setting `ALLOW_SIGNUP=false` blocks **all** new account creation, including users who already have a pending invitation. If you need invited users to be able to sign up but not create their own workspaces, keep `ALLOW_SIGNUP=true` (optionally combined with `ALLOWED_EMAIL_DOMAINS` / `ALLOWED_EMAILS`) and only flip `DISABLE_WORKSPACE_CREATION=true`.
+Changes take effect after restarting the backend / compose stack. The web UI reads `ALLOW_SIGNUP` from `/api/config` at runtime, so no web rebuild is needed.
 
 ### File Storage (Optional)
 
-For file uploads and attachments, configure S3 and (optionally) CloudFront:
+For file uploads and attachments, configure S3 and CloudFront:
 
 | Variable | Description |
 |----------|-------------|
-| `S3_BUCKET` | Bucket name only (e.g. `my-bucket`). Do **not** include the `.s3.<region>.amazonaws.com` suffix — the server constructs the public URL from `S3_BUCKET` + `S3_REGION` |
-| `S3_REGION` | AWS region (default: `us-west-2`). Must match the bucket's actual region — used for both SDK signing and public URLs |
-| `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` | Static credentials. When both are unset, the AWS SDK default credential chain is used |
-| `AWS_ENDPOINT_URL` | Custom S3-compatible endpoint (e.g. MinIO, R2, B2). Setting this switches to path-style URLs |
-| `CLOUDFRONT_DOMAIN` | CloudFront distribution domain — when set, public URLs use this host instead of the S3 host |
+| `S3_BUCKET` | S3 bucket name |
+| `S3_REGION` | AWS region (default: `us-west-2`) |
+| `CLOUDFRONT_DOMAIN` | CloudFront distribution domain |
 | `CLOUDFRONT_KEY_PAIR_ID` | CloudFront key pair ID for signed URLs |
 | `CLOUDFRONT_PRIVATE_KEY` | CloudFront private key (PEM format) |
 
@@ -112,7 +81,7 @@ The `Secure` flag on session cookies is derived automatically from the scheme of
 | `PORT` | `8080` | Backend server port |
 | `METRICS_ADDR` | empty | Optional Prometheus metrics listener, for example `127.0.0.1:9090` |
 | `FRONTEND_PORT` | `3000` | Frontend port |
-| `CORS_ALLOWED_ORIGINS` | Value of `FRONTEND_ORIGIN` | Comma-separated list of allowed origins. Governs **both** the HTTP CORS allowlist **and** the WebSocket `Origin` check. A browser origin that isn't listed here (and isn't `localhost`) has its real-time WebSocket upgrade rejected with `403`, so live updates stop working until a manual refresh. |
+| `CORS_ALLOWED_ORIGINS` | Value of `FRONTEND_ORIGIN` | Comma-separated list of allowed origins |
 | `LOG_LEVEL` | `info` | Log level: `debug`, `info`, `warn`, `error` |
 
 ### CLI / Daemon
@@ -134,8 +103,6 @@ Agent-specific overrides:
 | `MULTICA_CLAUDE_MODEL` | Override the Claude model used |
 | `MULTICA_CODEX_PATH` | Custom path to the `codex` binary |
 | `MULTICA_CODEX_MODEL` | Override the Codex model used |
-| `MULTICA_COPILOT_PATH` | Custom path to the `copilot` (GitHub Copilot CLI) binary |
-| `MULTICA_COPILOT_MODEL` | Override the Copilot model used (note: GitHub Copilot routes models through your account entitlement, so this may not be honoured) |
 | `MULTICA_OPENCODE_PATH` | Custom path to the `opencode` binary |
 | `MULTICA_OPENCODE_MODEL` | Override the OpenCode model used |
 | `MULTICA_OPENCLAW_PATH` | Custom path to the `openclaw` binary |
@@ -179,111 +146,6 @@ The Docker Compose setup runs migrations automatically. If you need to run them
 cd server && go run ./cmd/migrate up
 ```
 
-## Usage Dashboard Rollup
-
-The Usage and Runtime dashboards read from `task_usage_hourly`, a derived table populated by `rollup_task_usage_hourly()`. The function is **not** scheduled out of the box on the default self-host stack: the bundled `pgvector/pgvector:pg17` image ships without `pg_cron`, and the backend does not run the rollup in-process either. Until something calls it on a schedule, raw `task_usage` rows will keep arriving while the dashboard stays at zero.
-
-Pick one of the supported paths:
-
-### Option A — External cron / systemd-timer
-
-The simplest path. Schedule `SELECT rollup_task_usage_hourly()` every five minutes from any out-of-band timer (host crontab, systemd timer, sidecar container, Kubernetes CronJob). It is idempotent and watermark-driven — overlapping runs are no-ops on an internal advisory lock, and a missed tick catches up on the next run.
-
-Docker Compose:
-
-```bash
-# /etc/cron.d/multica-rollup
-*/5 * * * * root docker compose -f /path/to/multica/docker-compose.selfhost.yml \
-  exec -T postgres psql -U multica -d multica \
-  -c "SELECT rollup_task_usage_hourly();" >/dev/null
-```
-
-Kubernetes (one-off `CronJob`):
-
-```yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: multica-usage-rollup
-spec:
-  schedule: "*/5 * * * *"
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          restartPolicy: OnFailure
-          containers:
-            - name: psql
-              image: postgres:17-alpine
-              command:
-                - psql
-                - "$(DATABASE_URL)"
-                - -c
-                - "SELECT rollup_task_usage_hourly();"
-              env:
-                - name: DATABASE_URL
-                  valueFrom:
-                    secretKeyRef:
-                      name: multica-secrets
-                      key: DATABASE_URL
-```
-
-### Option B — Postgres with `pg_cron`
-
-If you'd rather have Postgres schedule itself, swap the bundled image for one that ships both `pgvector` and `pg_cron` (e.g. `supabase/postgres`, or a custom build of `pgvector/pgvector` with `pg_cron` added). `pg_cron` requires `shared_preload_libraries=pg_cron` in `postgresql.conf`, which only takes effect on Postgres restart — set it before bringing the container up.
-
-Then register the job once:
-
-```sql
-CREATE EXTENSION IF NOT EXISTS pg_cron;
-SELECT cron.schedule(
-  'rollup_task_usage_hourly',
-  '*/5 * * * *',
-  $$SELECT rollup_task_usage_hourly()$$
-);
-```
-
-`pg_cron.database_name` defaults to `postgres`; if your Multica database has a different name, point `pg_cron` at it via that GUC or run `cron.schedule_in_database(...)` instead.
-
-### Option C — Backfill historical data first
-
-`rollup_task_usage_hourly()` only processes new buckets after it starts running. If you already have `task_usage` rows from before the rollup was scheduled — most commonly when upgrading from `v0.3.4` to `v0.3.5+`, or on a fresh install that has been collecting usage for a while — run `backfill_task_usage_hourly` once to seed historical buckets, then set up Option A or Option B for ongoing rollups.
-
-```bash
-# Docker Compose
-docker compose -f docker-compose.selfhost.yml exec backend \
-  ./backfill_task_usage_hourly --sleep-between-slices=2s
-
-# Kubernetes
-kubectl -n multica exec deploy/multica-backend -- \
-  ./backfill_task_usage_hourly --sleep-between-slices=2s
-```
-
-The command walks `task_usage`'s full time range in monthly slices and calls the same idempotent primitive the cron path uses, so it's safe to re-run, to interrupt with Ctrl-C, and to run concurrently with an already-scheduled rollup. Flags:
-
-| Flag | Description |
-|---|---|
-| `--sleep-between-slices` | Pause between monthly slices to throttle read pressure on busy databases (e.g. `2s`). Recommended on production DBs with years of history. |
-| `--months-back N` | Only backfill the last N months. **Requires `--force-partial`** because the watermark still advances past the skipped older buckets — those are permanently abandoned. |
-| `--dry-run` | Log slices that would be processed without writing anything. |
-
-After backfill completes, the rollup-state watermark is stamped to `now() - 5 minutes`, so the first scheduled tick after backfill does not redo history.
-
-### `v0.3.4 → v0.3.5+` upgrade order
-
-Migration `103` adds a fail-closed guard that refuses to drop the legacy daily rollups until `task_usage_hourly` has caught up. If you run `migrate up` straight through on a database with existing `task_usage` rows, it aborts with:
-
-```text
-ERROR: refusing to drop legacy daily rollups:
-  task_usage_hourly_rollup_state.watermark_at (1970-01-01 ...) trails
-  task_usage latest event (...) by more than 01:00:00 — backfill is
-  incomplete or pg_cron is not running. Run cmd/backfill_task_usage_hourly
-  (and let pg_cron catch up) before re-running migrate
-```
-
-Recovery is straightforward: run `backfill_task_usage_hourly` (Option C above), then re-run `migrate up` (or restart the backend container — migrations run automatically on startup). **Fresh installs are exempt** — the guard short-circuits when `task_usage` is empty, and migrations succeed, but the dashboard will still stay at zero until you set up Option A or Option B.
-
 ## Manual Setup (Without Docker Compose)
 
 If you prefer to build and run services manually:
@@ -320,49 +182,16 @@ In production, put a reverse proxy in front of both the backend and frontend to
 
 ### Caddy (Recommended)
 
-**Single-domain layout** — frontend and backend served on the same hostname (this is what `docker-compose.selfhost.yml` defaults to):
-
-```
-multica.example.com {
-    # WebSocket route — must come before the catch-all
-    @multica_ws path /ws /ws/*
-    handle @multica_ws {
-        reverse_proxy localhost:8080 {
-            flush_interval -1
-        }
-    }
-
-    # Everything else → frontend
-    reverse_proxy localhost:3000
-}
-```
-
-> Even on a single domain, set `FRONTEND_ORIGIN` / `CORS_ALLOWED_ORIGINS` to that public origin (e.g. `https://multica.example.com`) on the backend. The backend's default origin allowlist is `localhost` only, so without this it rejects the WebSocket upgrade from the public URL with `403` and real-time updates silently stop working. See [LAN / Non-localhost Access](#lan--non-localhost-access).
-
-**Separate-domain layout** — frontend and backend on different hostnames:
-
 ```
 app.example.com {
     reverse_proxy localhost:3000
 }
 
 api.example.com {
-    @multica_ws path /ws /ws/*
-    handle @multica_ws {
-        reverse_proxy localhost:8080 {
-            flush_interval -1
-        }
-    }
-
     reverse_proxy localhost:8080
 }
 ```
 
-Two non-obvious bits inside the `/ws` block are worth calling out — both are common reasons real-time updates "stop working" on a Caddy-fronted self-host:
-
-- **`path /ws /ws/*` (not `/ws*`)** — bare `handle /ws` is an exact match, so future path variants under `/ws/` fall through to the frontend block. The obvious shortcut `handle /ws*` overcorrects in the other direction: Caddy's `*` is a glob without a path-segment boundary, so it would also catch unrelated paths like `/ws-foo`, which is a legitimate workspace URL (only the exact slug `ws` is reserved). Listing `/ws` and `/ws/*` explicitly covers both real cases without overreach.
-- **`flush_interval -1`** — disables response buffering so WebSocket frames are forwarded as soon as they arrive. Without it, frames can sit behind Caddy's default flush window, which looks like delayed comments, missing typing indicators, or "comments only appear after a page refresh."
-
 ### Nginx
 
 ```nginx
@@ -458,8 +287,6 @@ HTTP requests (issues, comments, uploads) work on LAN out of the box — Next.js
 
    `NEXT_PUBLIC_WS_URL` is a build-time variable (see `Dockerfile.web`), so setting it only in `environment:` on the pre-built image has no effect — you must use the `selfhost.build.yml` override that rebuilds the image.
 
-**Also required: allowlist the browser origin.** The two options above fix the WebSocket *upgrade proxying*, but a second, independent setting gates the connection: the backend validates the WebSocket `Origin` header against an allowlist that defaults to `localhost` only. When you open Multica from any other origin — a LAN IP **or a public domain behind a reverse proxy** — set `CORS_ALLOWED_ORIGINS` (or `FRONTEND_ORIGIN`) on the backend to that exact origin and restart, exactly as shown under [LAN / Non-localhost Access](#lan--non-localhost-access) above. Otherwise the upgrade is refused with `403`: the backend logs `websocket: request origin not allowed by Upgrader.CheckOrigin` and the browser console loops `disconnected, reconnecting in 3s`, while HTTP requests (and manual page refreshes) keep working because they are same-origin to the page. The single value covers both HTTP CORS and the WebSocket origin check.
-
 > **Note:** If you need to hard-code a different public API / WebSocket endpoint into the web image for any other reason, use the same source-build override: `docker compose -f docker-compose.selfhost.yml -f docker-compose.selfhost.build.yml up -d --build`.
 
 ## Health Check

apps/desktop/.env.production

@@ -0,0 +1,12 @@
+# Production environment for `pnpm package` / `pnpm build`.
+# electron-vite (Vite under the hood) reads this automatically in
+# production mode and inlines the values into the renderer bundle via
+# import.meta.env.VITE_*. These are public URLs, not secrets.
+
+# Backend API + websocket the desktop app talks to.
+VITE_API_URL=https://api.multica.ai
+VITE_WS_URL=wss://api.multica.ai/ws
+
+# Public web app URL — used to build shareable links like "Copy link to
+# issue" that users paste into Slack / messages. See platform/navigation.tsx.
+VITE_APP_URL=https://multica.ai

apps/desktop/electron-builder.yml

@@ -32,45 +32,6 @@ mac:
 dmg:
   artifactName: multica-desktop-${version}-mac-${arch}.${ext}
 linux:
-  # Override the Linux executable name to avoid leaking the scoped npm
-  # package name (`@multica/desktop`) into the installed binary, the
-  # `.desktop` file, and the hicolor icon filename. Without this override
-  # electron-builder defaults `executableName` to the package `name`,
-  # which after slash-stripping becomes `@multicadesktop` — producing
-  # `/usr/share/applications/@multicadesktop.desktop`,
-  # `Icon=@multicadesktop`, and
-  # `/usr/share/icons/hicolor/*/apps/@multicadesktop.png`. The leading `@`
-  # violates the freedesktop desktop-entry naming guidance, so GNOME /
-  # Ubuntu fail to associate the running window with the `.desktop` entry
-  # and fall back to the theme's default app icon (the Settings gear on
-  # Yaru). Forcing `multica` makes every Linux identity slot agree and
-  # matches `StartupWMClass=Multica` (productName-derived).
-  executableName: multica
-  # Pin StartupWMClass to the WM_CLASS Electron emits on X11. Electron
-  # derives WM_CLASS from `app.getName()`, which reads the *packaged*
-  # ASAR's `package.json` — `productName` if present, otherwise `name`.
-  # PR #2437 assumed electron-builder.yml's productName fed app.getName()
-  # directly; it does not. With our source package.json carrying only
-  # `name: "@multica/desktop"`, packaged Electron emitted
-  # `WM_CLASS=@multica/desktop`, which broke association with this entry
-  # and reproduced #2515 on Ubuntu 0.2.31. The fix lives in two places
-  # outside this file — `productName: "Multica"` on the source
-  # package.json (so the ASAR carries it) and `app.setName("Multica")`
-  # in the production branch of `src/main/index.ts` (belt-and-braces).
-  # Keep `StartupWMClass: Multica` pinned here so any future drift in
-  # those two anchors shows up as a diff against this declaration.
-  # Verification on a real Ubuntu install: `xprop WM_CLASS` on a running
-  # window prints `Multica` for both fields.
-  desktop:
-    entry:
-      StartupWMClass: Multica
-  # Point at pre-rendered hicolor sizes. electron-builder *can* generate
-  # 16/24/32/48/64/128/256/512 from a single build/icon.png, but the
-  # auto-generation silently shipped only the 1024×1024 source in our
-  # v0.2.31 .deb (#2515 reproduces this) — leaving GNOME's hicolor lookup
-  # with no usable size and falling back to the theme default. Shipping
-  # the sizes from source removes the toolchain dependency entirely.
-  icon: build/icons
   target:
     - AppImage
     - deb

apps/desktop/electron.vite.config.ts

@@ -23,7 +23,7 @@ export default defineConfig({
       alias: {
         "@": resolve("src/renderer/src"),
       },
-      dedupe: ["react", "react-dom", "@tanstack/react-query"],
+      dedupe: ["react", "react-dom"],
     },
   },
 });

apps/desktop/eslint.config.mjs

@@ -10,11 +10,10 @@ export default [
       globals: { ...globals.node },
     },
   },
-  // Security: every renderer-controlled URL that reaches the OS shell or the
-  // native download system must flow through the safe wrappers in
-  // src/main/external-url.ts (scheme allowlist). Enforce it statically so
-  // direct shell.openExternal / webContents.downloadURL calls cannot silently
-  // regress the protection.
+  // Security: every renderer-controlled URL that reaches the OS shell must
+  // flow through openExternalSafely in src/main/external-url.ts (scheme
+  // allowlist). Enforce it statically so a direct shell.openExternal call
+  // cannot silently regress the protection.
   {
     files: ["src/main/**/*.ts"],
     rules: {
@@ -26,12 +25,6 @@ export default [
           message:
             "Do not call shell.openExternal directly. Use openExternalSafely from './external-url' so the http/https allowlist stays enforced.",
         },
-        {
-          selector:
-            "CallExpression[callee.object.property.name='webContents'][callee.property.name='downloadURL']",
-          message:
-            "Do not call webContents.downloadURL directly. Use downloadURLSafely from './external-url' so the http/https allowlist stays enforced.",
-        },
       ],
     },
   },

apps/desktop/package.json

@@ -1,6 +1,5 @@
 {
   "name": "@multica/desktop",
-  "productName": "Multica",
   "version": "0.1.0",
   "private": true,
   "description": "Multica Desktop — native desktop client for the Multica platform.",
@@ -45,21 +44,15 @@
     "@multica/core": "workspace:*",
     "@multica/ui": "workspace:*",
     "@multica/views": "workspace:*",
-    "@tanstack/react-query": "catalog:",
     "electron-updater": "^6.8.3",
     "fix-path": "^5.0.0",
-    "lucide-react": "catalog:",
-    "react": "catalog:",
-    "react-dom": "catalog:",
     "react-router-dom": "^7.6.0",
     "shadcn": "^4.1.0",
     "sonner": "^2.0.7",
-    "tw-animate-css": "^1.4.0",
-    "zustand": "catalog:"
+    "tw-animate-css": "^1.4.0"
   },
   "devDependencies": {
     "@electron-toolkit/tsconfig": "^2.0.0",
-    "@multica/eslint-config": "workspace:*",
     "@multica/tsconfig": "workspace:*",
     "@tailwindcss/vite": "^4",
     "@testing-library/jest-dom": "catalog:",
@@ -71,8 +64,9 @@
     "electron": "^39.2.6",
     "electron-builder": "^26.0.12",
     "electron-vite": "^5.0.0",
-    "globals": "^16.0.0",
     "jsdom": "catalog:",
+    "react": "catalog:",
+    "react-dom": "catalog:",
     "tailwindcss": "^4",
     "typescript": "catalog:",
     "vitest": "catalog:"

apps/desktop/src/main/daemon-manager.ts

@@ -15,7 +15,7 @@ import {
   type StatsListener,
 } from "fs";
 import { join } from "path";
-import { homedir, hostname } from "os";
+import { homedir } from "os";
 import type { DaemonStatus, DaemonPrefs } from "../shared/daemon-types";
 import { ensureManagedCli, managedCliPath } from "./cli-bootstrap";
 import { decideVersionAction } from "./version-decision";
@@ -864,11 +864,6 @@ export function setupDaemonManager(
   ipcMain.handle("daemon:stop", () => withGuard(() => stopDaemon()));
   ipcMain.handle("daemon:restart", () => withGuard(() => restartDaemon()));
   ipcMain.handle("daemon:get-status", () => fetchHealth());
-  // The host's OS name, available regardless of daemon state. The Runtimes
-  // page uses it as a fallback identity for "this machine" when no
-  // app-managed daemon is reporting a device name (e.g. the daemon runs
-  // out-of-band in WSL2). See desktop-runtimes-page.tsx.
-  ipcMain.handle("daemon:get-host-name", () => hostname());
   ipcMain.handle(
     "daemon:sync-token",
     (_event, token: string, userId: string) => syncToken(token, userId),

apps/desktop/src/main/external-url.ts

@@ -1,4 +1,4 @@
-import { shell, type BrowserWindow } from "electron";
+import { shell } from "electron";
 
 // True when the URL parses and uses http/https — the only schemes we let
 // reach `shell.openExternal`. Scheme comparison is safe because the WHATWG
@@ -19,19 +19,6 @@ export function openExternalSafely(url: string): Promise<void> | void {
   return shell.openExternal(url);
 }
 
-// Canonical wrapper around webContents.downloadURL. All renderer-controlled
-// URLs that trigger a native download MUST flow through here; direct calls
-// to `webContents.downloadURL` elsewhere in the main process are banned by
-// the no-restricted-syntax rule in apps/desktop/eslint.config.mjs.
-// Reuses the same http/https allowlist as openExternalSafely.
-export function downloadURLSafely(win: BrowserWindow, url: string): void {
-  if (getHttpProtocol(url) === null) {
-    console.warn(`[security] blocked downloadURL: ${describeScheme(url)}`);
-    return;
-  }
-  win.webContents.downloadURL(url);
-}
-
 function getHttpProtocol(url: string): "http:" | "https:" | null {
   try {
     const { protocol } = new URL(url);

apps/desktop/src/main/index.ts

@@ -1,43 +1,18 @@
-import { app, BrowserWindow, dialog, ipcMain, nativeImage, Notification } from "electron";
+import { app, BrowserWindow, ipcMain, nativeImage, Notification } from "electron";
 import { homedir } from "os";
 import { join } from "path";
 import { electronApp, optimizer, is } from "@electron-toolkit/utils";
 import fixPath from "fix-path";
 import { setupAutoUpdater } from "./updater";
 import { setupDaemonManager } from "./daemon-manager";
-import { setupLocalDirectory } from "./local-directory";
-import { openExternalSafely, downloadURLSafely } from "./external-url";
+import { openExternalSafely } from "./external-url";
 import { installContextMenu } from "./context-menu";
-import { handleAppShortcut } from "./keyboard-shortcuts";
-import { installNavigationGestures } from "./navigation-gestures";
 import { getAppVersion } from "./app-version";
-import { loadRuntimeConfig } from "./runtime-config-loader";
-import type { RuntimeConfigResult } from "../shared/runtime-config";
-import {
-  createElectronReloadPrompt,
-  installRendererRecoveryHandlers,
-  type RendererRecoveryWindow,
-} from "./renderer-recovery";
 
-// Bundled icon used for dock/taskbar branding. macOS/Windows production
-// builds let the OS pick up the icon from the .app bundle / .exe resources,
-// but Linux production needs an explicit BrowserWindow `icon` — AppImage
-// direct-launch doesn't register the .desktop entry, so GNOME has no path
-// from the running window to the hicolor icon and falls back to the
-// theme default. Consumed in createWindow() (all platforms in dev, Linux
-// in prod) and the macOS dev dock branch.
-//
-// `asarUnpack: resources/**` in electron-builder.yml extracts the icon to
-// `app.asar.unpacked/`, but `__dirname` resolves into `app.asar/`. The
-// Linux native window-icon code path expects a real filesystem path
-// (unlike Electron's nativeImage loader which transparently reads from
-// asar), so swap the segment — same pattern as bundledCliPath() in
-// daemon-manager.ts. In dev `__dirname` has no `app.asar`, so the replace
-// is a no-op.
-const BUNDLED_ICON_PATH = join(__dirname, "../../resources/icon.png").replace(
-  "app.asar",
-  "app.asar.unpacked",
-);
+// Bundled icon used for dev-mode dock/taskbar branding. In production the
+// app bundle icon (from electron-builder) wins; this path is only consumed
+// by the `is.dev` branch below.
+const DEV_ICON_PATH = join(__dirname, "../../resources/icon.png");
 
 // macOS/Linux GUI launches inherit a minimal PATH from launchd that omits
 // the user's shell config (~/.zshrc, Homebrew, nvm, ~/.local/bin, etc.).
@@ -62,10 +37,6 @@ if (process.platform !== "win32") {
 const PROTOCOL = "multica";
 
 let mainWindow: BrowserWindow | null = null;
-let runtimeConfigResult: RuntimeConfigResult = {
-  ok: false,
-  error: { message: "Runtime config has not loaded yet" },
-};
 
 // --- Deep link helpers ---------------------------------------------------
 
@@ -101,25 +72,7 @@ function handleDeepLink(url: string): void {
 
 // --- Window creation -----------------------------------------------------
 
-// Tracks the OS-preferred language as last seen by the running process.
-// Updated on each window-focus check so we can emit a `locale:system-changed`
-// event to the renderer when the user changes their OS language without
-// quitting the app — without restart, app.getPreferredSystemLanguages()
-// would still report the boot value forever.
-let lastKnownSystemLocale = "en";
-
-function getSystemLocale(): string {
-  return app.getPreferredSystemLanguages()[0] ?? "en";
-}
-
 function createWindow(): void {
-  // Pass the OS-preferred language to the renderer via additionalArguments
-  // instead of a sync IPC call. process.argv is available to the preload
-  // script before the first network request, so the renderer's i18next
-  // instance can initialize with the right locale on the very first paint.
-  const systemLocale = getSystemLocale();
-  lastKnownSystemLocale = systemLocale;
-
   mainWindow = new BrowserWindow({
     width: 1280,
     height: 800,
@@ -129,40 +82,13 @@ function createWindow(): void {
     trafficLightPosition: { x: 16, y: 13 },
     show: false,
     autoHideMenuBar: true,
-    // Windows/Linux pick up the window/taskbar icon from this option.
-    // On macOS it's ignored (dock comes from app.dock.setIcon below).
-    // Linux production needs this explicitly because AppImage direct-launch
-    // does not install a .desktop entry, so the WM has no other path to
-    // the bundled icon; without it Ubuntu falls back to the theme default.
-    ...(is.dev || process.platform === "linux"
-      ? { icon: BUNDLED_ICON_PATH }
-      : {}),
+    // Windows/Linux pick up the window/taskbar icon from this option in
+    // dev — on macOS it's ignored (dock comes from app.dock.setIcon below).
+    ...(is.dev ? { icon: DEV_ICON_PATH } : {}),
     webPreferences: {
       preload: join(__dirname, "../preload/index.js"),
       sandbox: false,
       webSecurity: false,
-      // Required for the Chromium PDF viewer (PDFium) to activate inside
-      // iframes — used by the attachment preview modal for application/pdf
-      // files. Default is false in Electron; without it <iframe src=*.pdf>
-      // renders blank.
-      //
-      // Security trade-off, accepted intentionally:
-      //   1. This window already runs with `webSecurity: false` + `sandbox: false`,
-      //      so `plugins: true` does NOT meaningfully widen the renderer's
-      //      attack surface beyond what is already accepted.
-      //   2. The only PDFs that reach an iframe here are signed CloudFront URLs
-      //      we ourselves issued (see useDownloadAttachment); user-supplied URLs
-      //      are routed through `setWindowOpenHandler` → `openExternalSafely` and
-      //      cannot land in this renderer.
-      //   3. Chromium's PDFium plugin is itself sandboxed inside its own process
-      //      and only handles the `application/pdf` MIME — it does not expose
-      //      Flash, Java, or other historical plugin surfaces.
-      //
-      // If we ever tighten `webSecurity` / `sandbox`, revisit this by hosting
-      // the PDF viewer in a dedicated BrowserView with `plugins: true` scoped
-      // to that view, keeping the main renderer plugin-free.
-      plugins: true,
-      additionalArguments: [`--multica-locale=${systemLocale}`],
     },
   });
 
@@ -180,80 +106,28 @@ function createWindow(): void {
     mainWindow?.show();
   });
 
-  // Detect OS language changes while the app is running. Electron has no
-  // dedicated event for this on any platform, so we poll on focus regain —
-  // catches the common case where users switch System Settings → Language
-  // and bring the app back. The renderer decides whether to act (it ignores
-  // the signal when the user has an explicit Settings choice).
-  mainWindow.on("focus", () => {
-    const current = getSystemLocale();
-    if (current === lastKnownSystemLocale) return;
-    lastKnownSystemLocale = current;
-    mainWindow?.webContents.send("locale:system-changed", current);
-  });
-
   mainWindow.webContents.setWindowOpenHandler((details) => {
     openExternalSafely(details.url);
     return { action: "deny" };
   });
 
-  // Window-level keyboard shortcuts. Calling preventDefault here prevents
-  // both the renderer keydown AND the application menu accelerator, so
-  // anything we own here (reload-block, zoom) is the sole handler for
-  // that combination — no double-fire with the macOS default View menu.
-  mainWindow.webContents.on("before-input-event", (event, input) => {
-    if (handleAppShortcut(input, mainWindow!.webContents)) {
-      event.preventDefault();
+  // Prevent Cmd+R / Ctrl+R / Shift+Cmd+R / Shift+Ctrl+R / F5 from
+  // reloading the page. In a desktop app an accidental reload destroys
+  // in-memory state (tabs, drafts, WS connections) with no URL bar to
+  // navigate back. DevTools refresh (via the DevTools UI) still works.
+  mainWindow.webContents.on("before-input-event", (_event, input) => {
+    if (input.type !== "keyDown") return;
+    const cmdOrCtrl =
+      process.platform === "darwin" ? input.meta : input.control;
+    if (
+      (cmdOrCtrl && input.key.toLowerCase() === "r") ||
+      input.key === "F5"
+    ) {
+      _event.preventDefault();
     }
   });
 
-  // Dev-mode renderer diagnostics. When the renderer crashes hard enough
-  // that DevTools can't be opened (white screen with no clickable surface),
-  // the only way to recover the actual JS error is to forward it from the
-  // main process to the terminal running `make dev`. Without these, the
-  // user sees only the daemon-manager polling noise (`Render frame was
-  // disposed before WebFrameMain could be accessed`) which is a downstream
-  // symptom, not the cause.
-  //
-  // Gated by `is.dev` to keep production stderr clean — packaged builds
-  // don't have a terminal anyway, and we ship to crash-reporting separately.
-  if (is.dev) {
-    const log = (tag: string, ...args: unknown[]) =>
-      process.stderr.write(`[renderer ${tag}] ${args.map(String).join(" ")}\n`);
-
-    // Forward every renderer-side console.* call. The detail object also
-    // carries source URL + line — included so a thrown stack trace from
-    // window.onerror is traceable back to a file.
-    mainWindow.webContents.on("console-message", (details) => {
-      const { level, message, sourceId, lineNumber } = details;
-      log(level, `${message} (${sourceId}:${lineNumber})`);
-    });
-
-    // Fires when loadURL / loadFile can't reach its target (dev server
-    // not up yet, network blip, file missing). errorCode is a Chromium
-    // net error number; -3 = ABORTED is normal during HMR and skipped.
-    mainWindow.webContents.on(
-      "did-fail-load",
-      (_event, errorCode, errorDescription, validatedURL, isMainFrame) => {
-        if (errorCode === -3) return;
-        log(
-          "did-fail-load",
-          `code=${errorCode} desc=${errorDescription} url=${validatedURL} mainFrame=${isMainFrame}`,
-        );
-      },
-    );
-
-  }
-
-  installRendererRecoveryHandlers(mainWindow as unknown as RendererRecoveryWindow, {
-    isDev: is.dev,
-    showReloadPrompt: createElectronReloadPrompt((options) =>
-      dialog.showMessageBox(mainWindow!, options),
-    ),
-  });
-
   installContextMenu(mainWindow.webContents);
-  installNavigationGestures(mainWindow);
 
   if (is.dev && process.env["ELECTRON_RENDERER_URL"]) {
     mainWindow.loadURL(process.env["ELECTRON_RENDERER_URL"]);
@@ -281,14 +155,6 @@ const DEV_APP_NAME = process.env.DESKTOP_APP_SUFFIX
 if (is.dev) {
   app.setName(DEV_APP_NAME);
   app.setPath("userData", join(app.getPath("appData"), DEV_APP_NAME));
-} else {
-  // Pin the production app name in code. Electron's Linux WM_CLASS is set
-  // from app.getName() when the first BrowserWindow is realized; the
-  // packaged ASAR's package.json `productName` already steers app.getName()
-  // to "Multica", but anchoring it here makes WM_CLASS ↔ StartupWMClass
-  // (declared in electron-builder.yml) survive a regression in
-  // productName / the build pipeline. Must run before requestSingleInstanceLock().
-  app.setName("Multica");
 }
 
 // --- Protocol registration -----------------------------------------------
@@ -321,25 +187,7 @@ if (!gotTheLock) {
     if (deepLinkUrl) handleDeepLink(deepLinkUrl);
   });
 
-  app.whenReady().then(async () => {
-    const viteEnv = import.meta.env as ImportMetaEnv & {
-      readonly VITE_API_URL?: string;
-      readonly VITE_WS_URL?: string;
-      readonly VITE_APP_URL?: string;
-    };
-
-    runtimeConfigResult = await loadRuntimeConfig({
-      isDev: is.dev,
-      // electron-vite exposes VITE_* on import.meta.env for the main process;
-      // keep dev URL overrides on the same source the renderer used before
-      // runtime config moved endpoint resolution into main/preload.
-      env: {
-        apiUrl: viteEnv.VITE_API_URL,
-        wsUrl: viteEnv.VITE_WS_URL,
-        appUrl: viteEnv.VITE_APP_URL,
-      },
-    });
-
+  app.whenReady().then(() => {
     electronApp.setAppUserModelId(
       is.dev ? "ai.multica.desktop.dev" : "ai.multica.desktop",
     );
@@ -348,7 +196,7 @@ if (!gotTheLock) {
     // so the Canary dev build is visually distinct from a stock Electron
     // run. `app.dock` is macOS-only — guard the call.
     if (is.dev && process.platform === "darwin" && app.dock) {
-      const icon = nativeImage.createFromPath(BUNDLED_ICON_PATH);
+      const icon = nativeImage.createFromPath(DEV_ICON_PATH);
       if (!icon.isEmpty()) app.dock.setIcon(icon);
     }
 
@@ -365,14 +213,6 @@ if (!gotTheLock) {
       return openExternalSafely(url);
     });
 
-    ipcMain.handle("file:download-url", (_event, url: string) => {
-      if (!mainWindow) {
-        console.warn("[download] ignored file:download-url — mainWindow torn down");
-        return;
-      }
-      downloadURLSafely(mainWindow, url);
-    });
-
     // Sync IPC: app version + normalized OS for preload. Sync (not invoke) so
     // preload can attach the values to `desktopAPI.appInfo` before any renderer
     // code reads them, ensuring the very first HTTP request from the renderer
@@ -383,13 +223,6 @@ if (!gotTheLock) {
       event.returnValue = { version: getAppVersion(), os };
     });
 
-    // Sync IPC: preload exposes the validated runtime config before renderer
-    // boot. If desktop.json exists but is invalid, renderer receives the
-    // blocking error and must not silently fall back to the cloud defaults.
-    ipcMain.on("runtime-config:get", (event) => {
-      event.returnValue = runtimeConfigResult;
-    });
-
     // IPC: toggle immersive mode — hides the macOS traffic lights so full-screen
     // modals (e.g. create-workspace) can place UI in the top-left corner
     // without fighting the native window controls' hit-test.
@@ -460,7 +293,6 @@ if (!gotTheLock) {
 
     setupAutoUpdater(() => mainWindow);
     setupDaemonManager(() => mainWindow);
-    setupLocalDirectory(() => mainWindow);
 
     // macOS: deep link arrives via open-url event
     app.on("open-url", (_event, url) => {

apps/desktop/src/main/keyboard-shortcuts.test.ts

@@ -1,152 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import { handleAppShortcut, type ShortcutInput } from "./keyboard-shortcuts";
-
-function makeWc(initialLevel = 0) {
-  let level = initialLevel;
-  return {
-    getZoomLevel: vi.fn(() => level),
-    setZoomLevel: vi.fn((next: number) => {
-      level = next;
-    }),
-    currentLevel: () => level,
-  };
-}
-
-function key(
-  k: string,
-  mods: Partial<Pick<ShortcutInput, "control" | "meta">> = {},
-): ShortcutInput {
-  return {
-    type: "keyDown",
-    key: k,
-    control: false,
-    meta: false,
-    ...mods,
-  };
-}
-
-describe("handleAppShortcut — reload blocking", () => {
-  it("swallows Cmd+R on macOS", () => {
-    const wc = makeWc();
-    expect(handleAppShortcut(key("r", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.setZoomLevel).not.toHaveBeenCalled();
-  });
-
-  it("swallows Ctrl+R on Linux/Windows", () => {
-    const wc = makeWc();
-    expect(handleAppShortcut(key("r", { control: true }), wc, "linux")).toBe(true);
-    expect(handleAppShortcut(key("R", { control: true }), wc, "win32")).toBe(true);
-  });
-
-  it("swallows F5 regardless of modifier", () => {
-    const wc = makeWc();
-    expect(handleAppShortcut(key("F5"), wc, "darwin")).toBe(true);
-  });
-
-  it("ignores non-keyDown events", () => {
-    const wc = makeWc();
-    expect(
-      handleAppShortcut({ ...key("r", { meta: true }), type: "keyUp" }, wc, "darwin"),
-    ).toBe(false);
-  });
-});
-
-describe("handleAppShortcut — zoom in", () => {
-  it("zooms in on Cmd+= (unshifted)", () => {
-    const wc = makeWc(0);
-    expect(handleAppShortcut(key("=", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.currentLevel()).toBe(0.5);
-  });
-
-  it("zooms in on Cmd++ (Shift+=)", () => {
-    const wc = makeWc(0);
-    expect(handleAppShortcut(key("+", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.currentLevel()).toBe(0.5);
-  });
-
-  it("zooms in on Ctrl+= on non-mac", () => {
-    const wc = makeWc(0);
-    expect(handleAppShortcut(key("=", { control: true }), wc, "linux")).toBe(true);
-    expect(wc.currentLevel()).toBe(0.5);
-  });
-
-  it("does nothing without Cmd/Ctrl", () => {
-    const wc = makeWc(0);
-    expect(handleAppShortcut(key("="), wc, "darwin")).toBe(false);
-    expect(wc.setZoomLevel).not.toHaveBeenCalled();
-  });
-
-  it("clamps zoom-in at the upper bound", () => {
-    const wc = makeWc(4.5);
-    expect(handleAppShortcut(key("=", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.currentLevel()).toBe(4.5);
-  });
-});
-
-describe("handleAppShortcut — zoom out (regression: MUL-2354)", () => {
-  it("zooms out on Cmd+- (unshifted)", () => {
-    const wc = makeWc(1);
-    expect(handleAppShortcut(key("-", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.currentLevel()).toBe(0.5);
-  });
-
-  it("zooms out on Cmd+_ (Shift+-)", () => {
-    const wc = makeWc(1);
-    expect(handleAppShortcut(key("_", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.currentLevel()).toBe(0.5);
-  });
-
-  it("zooms out on Ctrl+- on non-mac", () => {
-    const wc = makeWc(1);
-    expect(handleAppShortcut(key("-", { control: true }), wc, "win32")).toBe(true);
-    expect(wc.currentLevel()).toBe(0.5);
-  });
-
-  it("undoes a prior Cmd+= so the user can return to 100%", () => {
-    const wc = makeWc(0);
-    handleAppShortcut(key("=", { meta: true }), wc, "darwin");
-    expect(wc.currentLevel()).toBe(0.5);
-    handleAppShortcut(key("-", { meta: true }), wc, "darwin");
-    expect(wc.currentLevel()).toBe(0);
-  });
-
-  it("clamps zoom-out at the lower bound", () => {
-    const wc = makeWc(-3);
-    expect(handleAppShortcut(key("-", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.currentLevel()).toBe(-3);
-  });
-
-  it("does nothing without Cmd/Ctrl", () => {
-    const wc = makeWc(1);
-    expect(handleAppShortcut(key("-"), wc, "darwin")).toBe(false);
-    expect(wc.setZoomLevel).not.toHaveBeenCalled();
-  });
-});
-
-describe("handleAppShortcut — reset zoom", () => {
-  it("resets to 0 on Cmd+0", () => {
-    const wc = makeWc(2);
-    expect(handleAppShortcut(key("0", { meta: true }), wc, "darwin")).toBe(true);
-    expect(wc.currentLevel()).toBe(0);
-  });
-
-  it("resets to 0 on Ctrl+0", () => {
-    const wc = makeWc(-1.5);
-    expect(handleAppShortcut(key("0", { control: true }), wc, "linux")).toBe(true);
-    expect(wc.currentLevel()).toBe(0);
-  });
-
-  it("ignores plain 0 without modifier", () => {
-    const wc = makeWc(2);
-    expect(handleAppShortcut(key("0"), wc, "darwin")).toBe(false);
-    expect(wc.setZoomLevel).not.toHaveBeenCalled();
-  });
-});
-
-describe("handleAppShortcut — unrelated keys pass through", () => {
-  it("does not capture plain letters", () => {
-    const wc = makeWc();
-    expect(handleAppShortcut(key("a", { meta: true }), wc, "darwin")).toBe(false);
-    expect(handleAppShortcut(key("k", { meta: true }), wc, "darwin")).toBe(false);
-  });
-});

apps/desktop/src/main/keyboard-shortcuts.ts

@@ -1,74 +0,0 @@
-import type { WebContents } from "electron";
-
-// Shape of the input subset we read from Electron's `before-input-event`.
-// Modeled as a structural type so the handler is unit-testable without a
-// real Electron Input instance.
-export type ShortcutInput = {
-  type: string;
-  key: string;
-  control: boolean;
-  meta: boolean;
-};
-
-// Subset of WebContents the zoom handler needs. Keeps the test mock tiny.
-export type ZoomTarget = Pick<WebContents, "getZoomLevel" | "setZoomLevel">;
-
-// Match Electron's built-in zoomIn/zoomOut roles (Chromium default of 0.5
-// per step). Clamp to a range that keeps the UI legible — values outside
-// this band turn the workspace into either confetti or a microfiche.
-const ZOOM_STEP = 0.5;
-const ZOOM_MIN = -3;
-const ZOOM_MAX = 4.5;
-
-/**
- * Inspect a `before-input-event` key and apply (or block) the matching
- * window-level shortcut. Returns `true` when the caller should call
- * `event.preventDefault()` — that both swallows the renderer keydown and
- * prevents the application menu accelerator from firing, so we don't
- * double-trigger zoom on macOS where the default menu also binds these
- * keys.
- *
- * Why we don't rely on the menu's `zoomIn` / `zoomOut` roles: on macOS the
- * default `Cmd+-` accelerator does not fire reliably across keyboard
- * layouts (issue MUL-2354 — Cmd+= zooms in but Cmd+- doesn't undo it).
- * Handling the shortcuts here gives identical behavior on every platform
- * and every layout.
- */
-export function handleAppShortcut(
-  input: ShortcutInput,
-  webContents: ZoomTarget,
-  platform: NodeJS.Platform = process.platform,
-): boolean {
-  if (input.type !== "keyDown") return false;
-  const cmdOrCtrl = platform === "darwin" ? input.meta : input.control;
-
-  // Block reload — accidental Cmd+R / Ctrl+R / F5 destroys in-memory state
-  // (tabs, drafts, WS connections) with no URL bar to recover from.
-  if ((cmdOrCtrl && input.key.toLowerCase() === "r") || input.key === "F5") {
-    return true;
-  }
-
-  if (!cmdOrCtrl) return false;
-
-  // Cmd/Ctrl + "=" (unshifted) or "+" (Shift+=) → zoom in.
-  if (input.key === "=" || input.key === "+") {
-    const next = Math.min(webContents.getZoomLevel() + ZOOM_STEP, ZOOM_MAX);
-    webContents.setZoomLevel(next);
-    return true;
-  }
-
-  // Cmd/Ctrl + "-" (unshifted) or "_" (Shift+-) → zoom out.
-  if (input.key === "-" || input.key === "_") {
-    const next = Math.max(webContents.getZoomLevel() - ZOOM_STEP, ZOOM_MIN);
-    webContents.setZoomLevel(next);
-    return true;
-  }
-
-  // Cmd/Ctrl + 0 → reset zoom to 100%.
-  if (input.key === "0") {
-    webContents.setZoomLevel(0);
-    return true;
-  }
-
-  return false;
-}

apps/desktop/src/main/local-directory.ts

@@ -1,93 +0,0 @@
-import { ipcMain, dialog, BrowserWindow } from "electron";
-import { access, stat } from "fs/promises";
-import { constants as fsConstants } from "fs";
-import { basename, isAbsolute } from "path";
-
-export interface PickDirectoryResult {
-  ok: boolean;
-  path?: string;
-  basename?: string;
-  /** Set when ok=false. "cancelled" = user dismissed; otherwise an error blurb. */
-  reason?: "cancelled" | "no_window" | "error";
-  error?: string;
-}
-
-export interface ValidateLocalDirectoryResult {
-  ok: boolean;
-  /** When ok=false, identifies which check failed so the renderer can render a
-   *  specific message without parsing free-form text. */
-  reason?:
-    | "not_absolute"
-    | "not_found"
-    | "not_a_directory"
-    | "not_readable"
-    | "not_writable"
-    | "error";
-  error?: string;
-}
-
-async function validateLocalDirectory(
-  path: string,
-): Promise<ValidateLocalDirectoryResult> {
-  if (!path || !isAbsolute(path)) {
-    return { ok: false, reason: "not_absolute" };
-  }
-  try {
-    const st = await stat(path);
-    if (!st.isDirectory()) return { ok: false, reason: "not_a_directory" };
-  } catch (err) {
-    const code = (err as NodeJS.ErrnoException).code;
-    if (code === "ENOENT") return { ok: false, reason: "not_found" };
-    return { ok: false, reason: "error", error: errorMessage(err) };
-  }
-  try {
-    await access(path, fsConstants.R_OK);
-  } catch {
-    return { ok: false, reason: "not_readable" };
-  }
-  try {
-    await access(path, fsConstants.W_OK);
-  } catch {
-    return { ok: false, reason: "not_writable" };
-  }
-  return { ok: true };
-}
-
-function errorMessage(err: unknown): string {
-  return err instanceof Error ? err.message : String(err);
-}
-
-export function setupLocalDirectory(
-  windowGetter: () => BrowserWindow | null,
-): void {
-  ipcMain.handle(
-    "local-directory:pick",
-    async (_event, defaultPath?: string): Promise<PickDirectoryResult> => {
-      const win = windowGetter();
-      if (!win) return { ok: false, reason: "no_window" };
-      try {
-        const result = await dialog.showOpenDialog(win, {
-          // Multiple-selection is intentionally disabled — a project_resource
-          // points at a single directory, and the create flow expects one
-          // path per click. Multi-add would have to be a separate UX.
-          properties: ["openDirectory", "createDirectory"],
-          ...(defaultPath ? { defaultPath } : {}),
-        });
-        if (result.canceled || result.filePaths.length === 0) {
-          return { ok: false, reason: "cancelled" };
-        }
-        const picked = result.filePaths[0];
-        if (!picked) return { ok: false, reason: "cancelled" };
-        return { ok: true, path: picked, basename: basename(picked) };
-      } catch (err) {
-        return { ok: false, reason: "error", error: errorMessage(err) };
-      }
-    },
-  );
-
-  ipcMain.handle(
-    "local-directory:validate",
-    (_event, path: string): Promise<ValidateLocalDirectoryResult> =>
-      validateLocalDirectory(path),
-  );
-}

apps/desktop/src/main/navigation-gestures.test.ts

@@ -1,60 +0,0 @@
-import type { BrowserWindow } from "electron";
-import { describe, expect, it, vi } from "vitest";
-import { NAVIGATION_GESTURE_CHANNEL } from "../shared/navigation-gestures";
-import { installNavigationGestures } from "./navigation-gestures";
-
-function makeWindow() {
-  let swipeHandler:
-    | ((event: unknown, direction: string) => void)
-    | undefined;
-
-  const win = {
-    on: vi.fn(
-      (event: string, handler: (event: unknown, direction: string) => void) => {
-        if (event === "swipe") swipeHandler = handler;
-        return win;
-      },
-    ),
-    webContents: {
-      send: vi.fn(),
-    },
-  };
-
-  return {
-    win: win as unknown as BrowserWindow,
-    send: win.webContents.send,
-    emitSwipe: (direction: string) => swipeHandler?.({}, direction),
-  };
-}
-
-describe("installNavigationGestures", () => {
-  it("registers macOS swipe navigation", () => {
-    const { win, send, emitSwipe } = makeWindow();
-
-    installNavigationGestures(win, "darwin");
-
-    emitSwipe("right");
-    expect(send).toHaveBeenCalledWith(NAVIGATION_GESTURE_CHANNEL, "back");
-
-    emitSwipe("left");
-    expect(send).toHaveBeenCalledWith(NAVIGATION_GESTURE_CHANNEL, "forward");
-  });
-
-  it("ignores non-horizontal swipe directions", () => {
-    const { win, send, emitSwipe } = makeWindow();
-
-    installNavigationGestures(win, "darwin");
-    emitSwipe("up");
-
-    expect(send).not.toHaveBeenCalled();
-  });
-
-  it("does not register on non-mac platforms", () => {
-    const { win, send, emitSwipe } = makeWindow();
-
-    installNavigationGestures(win, "linux");
-    emitSwipe("right");
-
-    expect(send).not.toHaveBeenCalled();
-  });
-});

apps/desktop/src/main/navigation-gestures.ts

@@ -1,18 +0,0 @@
-import type { BrowserWindow } from "electron";
-import {
-  NAVIGATION_GESTURE_CHANNEL,
-  navigationGestureFromSwipe,
-} from "../shared/navigation-gestures";
-
-export function installNavigationGestures(
-  win: BrowserWindow,
-  platform: NodeJS.Platform = process.platform,
-): void {
-  if (platform !== "darwin") return;
-
-  win.on("swipe", (_event, direction) => {
-    const gesture = navigationGestureFromSwipe(direction);
-    if (!gesture) return;
-    win.webContents.send(NAVIGATION_GESTURE_CHANNEL, gesture);
-  });
-}

apps/desktop/src/main/renderer-recovery.test.ts

@@ -1,112 +0,0 @@
-import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
-import { installRendererRecoveryHandlers } from "./renderer-recovery";
-
-type Handler = (...args: unknown[]) => void;
-
-function makeWindow() {
-  const windowHandlers = new Map<string, Handler>();
-  const webContentsHandlers = new Map<string, Handler>();
-  const reload = vi.fn();
-  return {
-    window: {
-      on: vi.fn((event: string, handler: Handler) => windowHandlers.set(event, handler)),
-      isDestroyed: vi.fn(() => false),
-      webContents: {
-        on: vi.fn((event: string, handler: Handler) => webContentsHandlers.set(event, handler)),
-        reload,
-      },
-    },
-    windowHandlers,
-    webContentsHandlers,
-    reload,
-  };
-}
-
-describe("installRendererRecoveryHandlers", () => {
-  beforeEach(() => vi.clearAllMocks());
-  afterEach(() => vi.useRealTimers());
-
-  it("registers production reload prompts for renderer death and preload failure without auto reloading", async () => {
-    const fixture = makeWindow();
-    const showReloadPrompt = vi.fn(async () => "reload" as const);
-
-    installRendererRecoveryHandlers(fixture.window, { isDev: false, showReloadPrompt });
-
-    expect(fixture.webContentsHandlers.has("render-process-gone")).toBe(true);
-    expect(fixture.webContentsHandlers.has("preload-error")).toBe(true);
-    expect(fixture.windowHandlers.has("unresponsive")).toBe(true);
-    expect(fixture.windowHandlers.has("responsive")).toBe(true);
-
-    fixture.webContentsHandlers.get("render-process-gone")?.({}, { reason: "crashed" });
-    fixture.webContentsHandlers.get("preload-error")?.({}, "/preload.js", new Error("boom"));
-
-    expect(fixture.reload).not.toHaveBeenCalled();
-    await Promise.resolve();
-
-    expect(showReloadPrompt).toHaveBeenCalledTimes(2);
-    expect(fixture.reload).toHaveBeenCalledTimes(2);
-  });
-
-  it("does not prompt when the renderer exits cleanly", async () => {
-    const fixture = makeWindow();
-    const showReloadPrompt = vi.fn(async () => "reload" as const);
-
-    installRendererRecoveryHandlers(fixture.window, { isDev: false, showReloadPrompt });
-
-    fixture.webContentsHandlers.get("render-process-gone")?.({}, { reason: "clean-exit" });
-    await Promise.resolve();
-
-    expect(showReloadPrompt).not.toHaveBeenCalled();
-    expect(fixture.reload).not.toHaveBeenCalled();
-  });
-
-  it("cancels an unresponsive prompt when the window becomes responsive again", async () => {
-    vi.useFakeTimers();
-    const fixture = makeWindow();
-    const showReloadPrompt = vi.fn(async () => "reload" as const);
-
-    installRendererRecoveryHandlers(fixture.window, {
-      isDev: false,
-      showReloadPrompt,
-      unresponsivePromptDelayMs: 100,
-    });
-
-    fixture.windowHandlers.get("unresponsive")?.();
-    fixture.windowHandlers.get("responsive")?.();
-    await vi.advanceTimersByTimeAsync(100);
-
-    expect(showReloadPrompt).not.toHaveBeenCalled();
-    expect(fixture.reload).not.toHaveBeenCalled();
-  });
-
-  it("prompts for sustained unresponsive windows and only reloads after user confirmation", async () => {
-    vi.useFakeTimers();
-    const fixture = makeWindow();
-    const showReloadPrompt = vi.fn(async () => "dismiss" as const);
-
-    installRendererRecoveryHandlers(fixture.window, {
-      isDev: false,
-      showReloadPrompt,
-      unresponsivePromptDelayMs: 100,
-    });
-
-    fixture.windowHandlers.get("unresponsive")?.();
-    await vi.advanceTimersByTimeAsync(100);
-
-    expect(showReloadPrompt).toHaveBeenCalledWith({ kind: "unresponsive", context: {} });
-    expect(fixture.reload).not.toHaveBeenCalled();
-  });
-
-  it("keeps dev diagnostics non-prompting", async () => {
-    const fixture = makeWindow();
-    const showReloadPrompt = vi.fn(async () => "reload" as const);
-
-    installRendererRecoveryHandlers(fixture.window, { isDev: true, showReloadPrompt, log: vi.fn() });
-
-    fixture.webContentsHandlers.get("render-process-gone")?.({}, { reason: "crashed" });
-    await Promise.resolve();
-
-    expect(showReloadPrompt).not.toHaveBeenCalled();
-    expect(fixture.reload).not.toHaveBeenCalled();
-  });
-});

apps/desktop/src/main/renderer-recovery.ts

@@ -1,135 +0,0 @@
-export type RendererRecoveryWindow = {
-  isDestroyed: () => boolean;
-  on: (event: "unresponsive" | "responsive", handler: () => void) => unknown;
-  webContents: {
-    on: (event: string, handler: (...args: any[]) => void) => unknown;
-    reload: () => void;
-  };
-};
-
-type ReloadPromptPayload = {
-  kind: "render-process-gone" | "preload-error" | "unresponsive";
-  context: Record<string, unknown>;
-};
-
-type ReloadPromptResult = "reload" | "dismiss";
-
-type RendererRecoveryOptions = {
-  isDev: boolean;
-  showReloadPrompt: (payload: ReloadPromptPayload) => Promise<ReloadPromptResult>;
-  log?: (tag: string, ...args: unknown[]) => void;
-  unresponsivePromptDelayMs?: number;
-};
-
-export function installRendererRecoveryHandlers(
-  window: RendererRecoveryWindow,
-  {
-    isDev,
-    showReloadPrompt,
-    log = defaultDevLog,
-    unresponsivePromptDelayMs = 1500,
-  }: RendererRecoveryOptions,
-) {
-  let unresponsivePromptTimer: ReturnType<typeof setTimeout> | null = null;
-  const maybePromptReload = (payload: ReloadPromptPayload) => {
-    if (isDev) return;
-    void showReloadPrompt(payload).then((result) => {
-      if (result === "reload" && !window.isDestroyed()) {
-        window.webContents.reload();
-      }
-    });
-  };
-
-  window.webContents.on("render-process-gone", (_event, details) => {
-    if (isDev) log("process-gone", JSON.stringify(details));
-    if (!isRecoverableRendererExit(details)) return;
-    maybePromptReload({ kind: "render-process-gone", context: { details } });
-  });
-
-  window.webContents.on("preload-error", (_event, preloadPath, error) => {
-    if (isDev) log("preload-error", `path=${preloadPath} err=${formatError(error)}`);
-    maybePromptReload({
-      kind: "preload-error",
-      context: { preloadPath, error: formatError(error) },
-    });
-  });
-
-  window.on("unresponsive", () => {
-    if (isDev || unresponsivePromptTimer) return;
-    unresponsivePromptTimer = setTimeout(() => {
-      unresponsivePromptTimer = null;
-      maybePromptReload({ kind: "unresponsive", context: {} });
-    }, unresponsivePromptDelayMs);
-  });
-
-  window.on("responsive", () => {
-    if (!unresponsivePromptTimer) return;
-    clearTimeout(unresponsivePromptTimer);
-    unresponsivePromptTimer = null;
-  });
-}
-
-export function createElectronReloadPrompt(
-  showMessageBox: (options: {
-    type: "warning";
-    buttons: string[];
-    defaultId: number;
-    cancelId: number;
-    title: string;
-    message: string;
-    detail: string;
-  }) => Promise<{ response: number }>,
-) {
-  return async (payload: ReloadPromptPayload): Promise<ReloadPromptResult> => {
-    const result = await showMessageBox({
-      type: "warning",
-      buttons: ["Reload", "Dismiss"],
-      defaultId: 0,
-      cancelId: 1,
-      title: "Multica needs to reload",
-      message: rendererRecoveryMessage(payload.kind),
-      detail: rendererRecoveryDetail(payload),
-    });
-    return result.response === 0 ? "reload" : "dismiss";
-  };
-}
-
-function isRecoverableRendererExit(details: unknown) {
-  if (!details || typeof details !== "object") return false;
-  const reason = (details as { reason?: unknown }).reason;
-  return (
-    reason === "crashed" ||
-    reason === "oom" ||
-    reason === "abnormal-exit" ||
-    reason === "launch-failed" ||
-    reason === "integrity-failure"
-  );
-}
-
-function rendererRecoveryMessage(kind: ReloadPromptPayload["kind"]) {
-  switch (kind) {
-    case "render-process-gone":
-      return "The desktop renderer process stopped responding or crashed.";
-    case "preload-error":
-      return "The desktop preload script failed before the app could start.";
-    case "unresponsive":
-      return "The desktop window is not responding.";
-  }
-}
-
-function rendererRecoveryDetail(payload: ReloadPromptPayload) {
-  return [
-    "Reloading is the safest recovery path for this window.",
-    "",
-    `kind: ${payload.kind}`,
-    `context: ${JSON.stringify(payload.context)}`,
-  ].join("\n");
-}
-
-function defaultDevLog(tag: string, ...args: unknown[]) {
-  process.stderr.write(`[renderer ${tag}] ${args.map(String).join(" ")}\n`);
-}
-
-function formatError(error: unknown) {
-  return error instanceof Error ? (error.stack ?? error.message) : String(error);
-}

apps/desktop/src/main/runtime-config-loader.test.ts

@@ -1,90 +0,0 @@
-import { mkdtemp, writeFile } from "fs/promises";
-import { join } from "path";
-import { tmpdir } from "os";
-import { describe, expect, it } from "vitest";
-import { loadRuntimeConfig } from "./runtime-config-loader";
-
-describe("loadRuntimeConfig", () => {
-  it("uses dev env and ignores desktop.json during electron-vite dev", async () => {
-    const dir = await mkdtemp(join(tmpdir(), "multica-desktop-config-"));
-    const configPath = join(dir, "desktop.json");
-    await writeFile(
-      configPath,
-      JSON.stringify({ schemaVersion: 1, apiUrl: "https://prod.example.com" }),
-    );
-
-    await expect(
-      loadRuntimeConfig({
-        isDev: true,
-        configPath,
-        env: {
-          apiUrl: "http://localhost:8080",
-          wsUrl: "ws://localhost:8080/ws",
-          appUrl: "http://localhost:3000",
-        },
-      }),
-    ).resolves.toEqual({
-      ok: true,
-      config: {
-        schemaVersion: 1,
-        apiUrl: "http://localhost:8080",
-        wsUrl: "ws://localhost:8080/ws",
-        appUrl: "http://localhost:3000",
-      },
-    });
-  });
-
-  it("uses cloud defaults when packaged config is absent", async () => {
-    const dir = await mkdtemp(join(tmpdir(), "multica-desktop-config-"));
-    await expect(
-      loadRuntimeConfig({
-        isDev: false,
-        configPath: join(dir, "missing.json"),
-        env: {},
-      }),
-    ).resolves.toEqual({
-      ok: true,
-      config: {
-        schemaVersion: 1,
-        apiUrl: "https://api.multica.ai",
-        wsUrl: "wss://api.multica.ai/ws",
-        appUrl: "https://multica.ai",
-      },
-    });
-  });
-
-  it("parses a valid packaged desktop.json", async () => {
-    const dir = await mkdtemp(join(tmpdir(), "multica-desktop-config-"));
-    const configPath = join(dir, "desktop.json");
-    await writeFile(
-      configPath,
-      JSON.stringify({ schemaVersion: 1, apiUrl: "https://api.example.com" }),
-    );
-
-    await expect(
-      loadRuntimeConfig({ isDev: false, configPath, env: {} }),
-    ).resolves.toEqual({
-      ok: true,
-      config: {
-        schemaVersion: 1,
-        apiUrl: "https://api.example.com",
-        wsUrl: "wss://api.example.com/ws",
-        appUrl: "https://example.com",
-      },
-    });
-  });
-
-  it("fails closed when packaged desktop.json is invalid", async () => {
-    const dir = await mkdtemp(join(tmpdir(), "multica-desktop-config-"));
-    const configPath = join(dir, "desktop.json");
-    await writeFile(configPath, "{");
-
-    const result = await loadRuntimeConfig({ isDev: false, configPath, env: {} });
-
-    expect(result.ok).toBe(false);
-    if (!result.ok) {
-      expect(result.error.message).toContain(configPath);
-      expect(result.error.message).toContain("Invalid desktop runtime config JSON");
-    }
-  });
-});

apps/desktop/src/main/runtime-config-loader.ts

@@ -1,60 +0,0 @@
-import { app } from "electron";
-import { readFile } from "fs/promises";
-import { join } from "path";
-import {
-  DEFAULT_RUNTIME_CONFIG,
-  parseRuntimeConfig,
-  runtimeConfigFromDevEnv,
-  type RuntimeConfig,
-  type RuntimeConfigEnv,
-  type RuntimeConfigResult,
-} from "../shared/runtime-config";
-
-export async function loadRuntimeConfig(options: {
-  isDev: boolean;
-  env: RuntimeConfigEnv;
-  configPath?: string;
-}): Promise<RuntimeConfigResult> {
-  if (options.isDev) {
-    try {
-      return { ok: true, config: runtimeConfigFromDevEnv(options.env) };
-    } catch (err) {
-      return { ok: false, error: { message: errorMessage(err) } };
-    }
-  }
-
-  const configPath = options.configPath ?? desktopConfigPath();
-  try {
-    const raw = await readFile(configPath, "utf-8");
-    return { ok: true, config: parseRuntimeConfig(raw) };
-  } catch (err) {
-    if (isMissingFileError(err)) {
-      return { ok: true, config: { ...DEFAULT_RUNTIME_CONFIG } };
-    }
-    return {
-      ok: false,
-      error: {
-        message: `Invalid ${configPath}: ${errorMessage(err)}`,
-      },
-    };
-  }
-}
-
-export function desktopConfigPath(): string {
-  return join(app.getPath("home"), ".multica", "desktop.json");
-}
-
-function isMissingFileError(err: unknown): boolean {
-  return Boolean(
-    err &&
-      typeof err === "object" &&
-      "code" in err &&
-      (err as NodeJS.ErrnoException).code === "ENOENT",
-  );
-}
-
-function errorMessage(err: unknown): string {
-  return err instanceof Error ? err.message : String(err);
-}
-
-export type { RuntimeConfig, RuntimeConfigResult };

apps/desktop/src/main/updater.ts

@@ -1,10 +1,7 @@
-import { autoUpdater, UpdateDownloadedEvent } from "electron-updater";
+import { autoUpdater } from "electron-updater";
 import { app, BrowserWindow, ipcMain } from "electron";
 
-// Silent background updates: electron-updater downloads on its own as soon
-// as `update-available` fires; we only surface UI when the package is fully
-// downloaded and ready to install on next quit.
-autoUpdater.autoDownload = true;
+autoUpdater.autoDownload = false;
 autoUpdater.autoInstallOnAppQuit = true;
 
 // Windows arm64 ships its own update metadata channel because
@@ -29,39 +26,8 @@ export type ManualUpdateCheckResult =
     }
   | { ok: false; error: string };
 
-// Single-flight guard around checkForUpdates(). With autoDownload=true the
-// startup, periodic, and manual triggers can all kick off downloads, and
-// overlapping calls have caused duplicate download warnings in the past
-// (see electronjs.org/docs/latest/api/auto-updater). Coalesce concurrent
-// callers onto the same in-flight promise.
-let inFlightCheck: Promise<unknown> | null = null;
-function checkForUpdatesOnce(): Promise<unknown> {
-  if (inFlightCheck) return inFlightCheck;
-  const p = autoUpdater
-    .checkForUpdates()
-    .then((result) => {
-      // checkForUpdates resolves as soon as metadata is fetched; the actual
-      // download (when autoDownload=true) is exposed on result.downloadPromise.
-      // Without a handler a download failure becomes an unhandled rejection
-      // in the main process — Node may terminate it on future versions.
-      void (result as { downloadPromise?: Promise<unknown> } | null)?.downloadPromise?.catch(
-        (err) => {
-          console.error("Failed to download update:", err);
-        },
-      );
-      return result;
-    })
-    .finally(() => {
-      if (inFlightCheck === p) inFlightCheck = null;
-    });
-  inFlightCheck = p;
-  return p;
-}
-
 export function setupAutoUpdater(getMainWindow: () => BrowserWindow | null): void {
   autoUpdater.on("update-available", (info) => {
-    // Forwarded for renderer-side state tracking only; the notification UI
-    // does not render an "available" affordance with autoDownload=true.
     const win = getMainWindow();
     win?.webContents.send("updater:update-available", {
       version: info.version,
@@ -76,20 +42,15 @@ export function setupAutoUpdater(getMainWindow: () => BrowserWindow | null): voi
     });
   });
 
-  autoUpdater.on("update-downloaded", (info: UpdateDownloadedEvent) => {
+  autoUpdater.on("update-downloaded", () => {
     const win = getMainWindow();
-    win?.webContents.send("updater:update-downloaded", {
-      version: info.version,
-      releaseNotes: info.releaseNotes,
-    });
+    win?.webContents.send("updater:update-downloaded");
   });
 
   autoUpdater.on("error", (err) => {
     console.error("Auto-updater error:", err);
   });
 
-  // Retained for IPC back-compat with older renderer bundles. With
-  // autoDownload=true the renderer no longer triggers this path.
   ipcMain.handle("updater:download", () => {
     return autoUpdater.downloadUpdate();
   });
@@ -100,9 +61,7 @@ export function setupAutoUpdater(getMainWindow: () => BrowserWindow | null): voi
 
   ipcMain.handle("updater:check", async (): Promise<ManualUpdateCheckResult> => {
     try {
-      const result = (await checkForUpdatesOnce()) as
-        | { updateInfo: { version: string }; isUpdateAvailable?: boolean }
-        | null;
+      const result = await autoUpdater.checkForUpdates();
       const currentVersion = app.getVersion();
       // Trust electron-updater's own decision rather than re-deriving it from
       // a version-string compare. The two diverge for pre-release channels,
@@ -126,7 +85,7 @@ export function setupAutoUpdater(getMainWindow: () => BrowserWindow | null): voi
 
   // Initial check shortly after startup so we don't block boot.
   setTimeout(() => {
-    checkForUpdatesOnce().catch((err) => {
+    autoUpdater.checkForUpdates().catch((err) => {
       console.error("Failed to check for updates:", err);
     });
   }, STARTUP_CHECK_DELAY_MS);
@@ -134,7 +93,7 @@ export function setupAutoUpdater(getMainWindow: () => BrowserWindow | null): voi
   // Background poll so long-running sessions still pick up new releases
   // without requiring the user to restart the app.
   setInterval(() => {
-    checkForUpdatesOnce().catch((err) => {
+    autoUpdater.checkForUpdates().catch((err) => {
       console.error("Periodic update check failed:", err);
     });
   }, PERIODIC_CHECK_INTERVAL_MS);

apps/desktop/src/preload/index.d.ts

@@ -1,6 +1,4 @@
 import { ElectronAPI } from "@electron-toolkit/preload";
-import type { RuntimeConfigResult } from "../shared/runtime-config";
-import type { NavigationGesture } from "../shared/navigation-gestures";
 
 interface DesktopAPI {
   /** App version + normalized OS, captured synchronously at preload time. */
@@ -8,21 +6,12 @@ interface DesktopAPI {
     version: string;
     os: "macos" | "windows" | "linux" | "unknown";
   };
-  /** OS-preferred locale (BCP 47) injected by main via additionalArguments. */
-  systemLocale: string;
-  /** Subscribe to OS language changes detected after boot. Returns an unsubscribe function. */
-  onSystemLocaleChanged: (callback: (locale: string) => void) => () => void;
-  /** Validated runtime endpoint config, or a blocking config error. */
-  runtimeConfig: RuntimeConfigResult;
   /** Listen for auth token delivered via deep link. Returns an unsubscribe function. */
   onAuthToken: (callback: (token: string) => void) => () => void;
   /** Listen for invitation IDs delivered via deep link. Returns an unsubscribe function. */
   onInviteOpen: (callback: (invitationId: string) => void) => () => void;
   /** Open a URL in the default browser. */
   openExternal: (url: string) => Promise<void>;
-  /** Download a file by URL through Electron's native download system.
-   *  Shows a native save dialog. On non-desktop platforms this is undefined. */
-  downloadURL: (url: string) => Promise<void>;
   /** Hide macOS traffic lights for full-screen modals; restore when false. */
   setImmersiveMode: (immersive: boolean) => Promise<void>;
   /** Show a native OS notification for a new inbox item. */
@@ -43,34 +32,6 @@ interface DesktopAPI {
       issueKey: string;
     }) => void,
   ) => () => void;
-  /** Listen for native macOS back/forward swipe gestures. Returns an unsubscribe function. */
-  onNavigationGesture: (callback: (gesture: NavigationGesture) => void) => () => void;
-  /** Open the OS folder picker and return the chosen absolute path.
-   *  Used by the Project settings "Add local directory" flow. */
-  pickDirectory: (
-    defaultPath?: string,
-  ) => Promise<{
-    ok: boolean;
-    path?: string;
-    basename?: string;
-    reason?: "cancelled" | "no_window" | "error";
-    error?: string;
-  }>;
-  /** Validate that a path is an existing readable+writable directory.
-   *  Mirrors the daemon's runtime check so the user sees errors before submit. */
-  validateLocalDirectory: (
-    path: string,
-  ) => Promise<{
-    ok: boolean;
-    reason?:
-      | "not_absolute"
-      | "not_found"
-      | "not_a_directory"
-      | "not_readable"
-      | "not_writable"
-      | "error";
-    error?: string;
-  }>;
 }
 
 interface DaemonStatus {
@@ -95,7 +56,6 @@ interface DaemonAPI {
   stop: () => Promise<{ success: boolean; error?: string }>;
   restart: () => Promise<{ success: boolean; error?: string }>;
   getStatus: () => Promise<DaemonStatus>;
-  getHostName: () => Promise<string>;
   onStatusChange: (callback: (status: DaemonStatus) => void) => () => void;
   setTargetApiUrl: (url: string) => Promise<void>;
   syncToken: (token: string, userId: string) => Promise<void>;
@@ -114,9 +74,7 @@ interface DaemonAPI {
 interface UpdaterAPI {
   onUpdateAvailable: (callback: (info: { version: string; releaseNotes?: string }) => void) => () => void;
   onDownloadProgress: (callback: (progress: { percent: number }) => void) => () => void;
-  onUpdateDownloaded: (
-    callback: (info: { version: string; releaseNotes?: string }) => void,
-  ) => () => void;
+  onUpdateDownloaded: (callback: () => void) => () => void;
   downloadUpdate: () => Promise<void>;
   installUpdate: () => Promise<void>;
   checkForUpdates: () => Promise<

apps/desktop/src/preload/index.ts

@@ -1,11 +1,5 @@
 import { contextBridge, ipcRenderer } from "electron";
 import { electronAPI } from "@electron-toolkit/preload";
-import type { RuntimeConfigResult } from "../shared/runtime-config";
-import {
-  isNavigationGesture,
-  NAVIGATION_GESTURE_CHANNEL,
-  type NavigationGesture,
-} from "../shared/navigation-gestures";
 
 // Synchronously fetch app metadata from main at preload time so the renderer
 // can pass it into CoreProvider during the initial render — the alternative
@@ -27,53 +21,12 @@ function fetchAppInfo(): { version: string; os: "macos" | "windows" | "linux" |
   return { version: "unknown", os };
 }
 
-function fetchRuntimeConfig(): RuntimeConfigResult {
-  try {
-    const result = ipcRenderer.sendSync("runtime-config:get") as RuntimeConfigResult | undefined;
-    if (result && typeof result === "object" && "ok" in result) return result;
-  } catch (err) {
-    return {
-      ok: false,
-      error: {
-        message: err instanceof Error ? err.message : String(err),
-      },
-    };
-  }
-  return { ok: false, error: { message: "Runtime config unavailable" } };
-}
-
 const appInfo = fetchAppInfo();
-const runtimeConfig = fetchRuntimeConfig();
-
-// Read the OS-preferred locale that main injected via additionalArguments.
-// Zero IPC, zero blocking — process.argv is populated before preload runs.
-function fetchSystemLocale(): string {
-  const arg = process.argv.find((a) => a.startsWith("--multica-locale="));
-  return arg?.split("=")[1] ?? "en";
-}
-
-const systemLocale = fetchSystemLocale();
 
 const desktopAPI = {
   /** App version + normalized OS. Read once at preload time so the renderer
    *  can use it synchronously when initializing the API client. */
   appInfo,
-  /** OS-preferred locale (BCP 47), passed from main via additionalArguments.
-   *  Used by the renderer's LocaleAdapter as the system-preference signal. */
-  systemLocale,
-  /** Subscribe to OS language changes detected after boot. The renderer
-   *  decides whether to act (no-op when the user has an explicit Settings
-   *  choice). Returns an unsubscribe function. */
-  onSystemLocaleChanged: (callback: (locale: string) => void) => {
-    const handler = (_event: Electron.IpcRendererEvent, locale: string) =>
-      callback(locale);
-    ipcRenderer.on("locale:system-changed", handler);
-    return () => {
-      ipcRenderer.removeListener("locale:system-changed", handler);
-    };
-  },
-  /** Validated runtime endpoint config, or a blocking config error. */
-  runtimeConfig,
   /** Listen for auth token delivered via deep link */
   onAuthToken: (callback: (token: string) => void) => {
     const handler = (_event: Electron.IpcRendererEvent, token: string) =>
@@ -94,11 +47,6 @@ const desktopAPI = {
   },
   /** Open a URL in the default browser */
   openExternal: (url: string) => ipcRenderer.invoke("shell:openExternal", url),
-  /** Download a file by URL through Electron's native download system.
-   *  Shows a save dialog and saves to disk. Unlike openExternal, this
-   *  avoids browser rendering of HTML files on Linux.
-   *  On non-desktop platforms this property is undefined. */
-  downloadURL: (url: string) => ipcRenderer.invoke("file:download-url", url),
   /** Toggle immersive mode — hide macOS traffic lights for full-screen modals */
   setImmersiveMode: (immersive: boolean) =>
     ipcRenderer.invoke("window:setImmersive", immersive),
@@ -146,22 +94,6 @@ const desktopAPI = {
       ipcRenderer.removeListener("inbox:open", handler);
     };
   },
-  /** Listen for native macOS back/forward swipe gestures. */
-  onNavigationGesture: (callback: (gesture: NavigationGesture) => void) => {
-    const handler = (_event: Electron.IpcRendererEvent, gesture: unknown) => {
-      if (isNavigationGesture(gesture)) callback(gesture);
-    };
-    ipcRenderer.on(NAVIGATION_GESTURE_CHANNEL, handler);
-    return () => {
-      ipcRenderer.removeListener(NAVIGATION_GESTURE_CHANNEL, handler);
-    };
-  },
-  /** Open the OS folder picker and return the chosen absolute path. */
-  pickDirectory: (defaultPath?: string) =>
-    ipcRenderer.invoke("local-directory:pick", defaultPath),
-  /** Validate that a path is an existing readable+writable directory. */
-  validateLocalDirectory: (path: string) =>
-    ipcRenderer.invoke("local-directory:validate", path),
 };
 
 interface DaemonStatus {
@@ -185,8 +117,6 @@ const daemonAPI = {
     ipcRenderer.invoke("daemon:restart"),
   getStatus: (): Promise<DaemonStatus> =>
     ipcRenderer.invoke("daemon:get-status"),
-  getHostName: (): Promise<string> =>
-    ipcRenderer.invoke("daemon:get-host-name"),
   onStatusChange: (callback: (status: DaemonStatus) => void) => {
     const handler = (_: unknown, status: DaemonStatus) => callback(status);
     ipcRenderer.on("daemon:status", handler);
@@ -230,11 +160,8 @@ const updaterAPI = {
     ipcRenderer.on("updater:download-progress", handler);
     return () => ipcRenderer.removeListener("updater:download-progress", handler);
   },
-  onUpdateDownloaded: (
-    callback: (info: { version: string; releaseNotes?: string }) => void,
-  ) => {
-    const handler = (_: unknown, info: { version: string; releaseNotes?: string }) =>
-      callback(info);
+  onUpdateDownloaded: (callback: () => void) => {
+    const handler = () => callback();
     ipcRenderer.on("updater:update-downloaded", handler);
     return () => ipcRenderer.removeListener("updater:update-downloaded", handler);
   },

apps/desktop/src/renderer/src/App.tsx

@@ -1,13 +1,10 @@
 import { useEffect, useLayoutEffect, useMemo, useRef, useState } from "react";
 import { useQuery, useQueryClient } from "@tanstack/react-query";
 import { CoreProvider } from "@multica/core/platform";
-import { pickLocale, type SupportedLocale } from "@multica/core/i18n";
 import { useAuthStore } from "@multica/core/auth";
-import { useWelcomeStore } from "@multica/core/onboarding";
 import { workspaceKeys, workspaceListOptions } from "@multica/core/workspace/queries";
 import { api } from "@multica/core/api";
 import { useHasOnboarded } from "@multica/core/paths";
-import { setCurrentWorkspace } from "@multica/core/platform";
 import { ThemeProvider } from "@multica/ui/components/common/theme-provider";
 import { MulticaIcon } from "@multica/ui/components/common/multica-icon";
 import { Toaster } from "@multica/ui/components/ui/sonner";
@@ -18,20 +15,6 @@ import { UpdateNotification } from "./components/update-notification";
 import { useTabStore } from "./stores/tab-store";
 import { useWindowOverlayStore } from "./stores/window-overlay-store";
 import { useDaemonIPCBridge } from "./platform/daemon-ipc-bridge";
-import { createDesktopLocaleAdapter } from "./platform/i18n-adapter";
-import { RESOURCES } from "@multica/views/locales";
-
-// BCP-47 region tags for the <html lang> attribute, mirroring
-// apps/web/app/layout.tsx HTML_LANG. index.html ships a static lang="en";
-// we sync it to the resolved locale at boot so screen readers announce the
-// right language AND the Japanese-scoped CJK font override in globals.css
-// (`html[lang|="ja"]`) can take effect.
-const HTML_LANG: Record<SupportedLocale, string> = {
-  en: "en",
-  "zh-Hans": "zh-CN",
-  ko: "ko-KR",
-  ja: "ja-JP",
-};
 
 
 function AppContent() {
@@ -47,16 +30,11 @@ function AppContent() {
   // first render.
   const [bootstrapping, setBootstrapping] = useState(false);
 
-  const runtimeConfig = window.desktopAPI.runtimeConfig.ok
-    ? window.desktopAPI.runtimeConfig.config
-    : null;
-
   // Tell the main process which backend URL we talk to, so daemon-manager
   // can pick the matching CLI profile (server_url from ~/.multica config).
   useEffect(() => {
-    if (!runtimeConfig) return;
-    window.daemonAPI.setTargetApiUrl(runtimeConfig.apiUrl);
-  }, [runtimeConfig]);
+    window.daemonAPI.setTargetApiUrl(DAEMON_TARGET_API_URL);
+  }, []);
 
   // Listen for invite IDs delivered via deep link (multica://invite/<id>).
   // We open the overlay regardless of login state — if the user isn't logged
@@ -132,65 +110,22 @@ function AppContent() {
     : undefined;
   useDaemonIPCBridge(activeWsId);
 
-  // Pre-workspace overlay routing for desktop. Mirrors the web layout
-  // hard gate via overlays (desktop has no URL bar, so we open the
-  // onboarding overlay instead of router.replace):
-  //   onboarded + has workspace      → no overlay, dashboard
-  //   un-onboarded (any wsCount):
-  //     pending invites on email     → /invitations overlay
-  //     no invites                   → /onboarding overlay
-  //   onboarded + no workspace       → /workspaces/new overlay
-  //
-  // V3 invariant: `onboarded_at != null` is the only path into the
-  // dashboard. CreateWorkspace does not mark onboarded; only Step 3's
-  // CompleteOnboarding (and AcceptInvitation) flip the flag. A user who
-  // somehow has a workspace but no onboarded mark must be sent back to
-  // /onboarding — we also clear the active workspace so the dashboard
-  // doesn't render under the overlay with stale workspace context.
+  // Workspace presence wins over onboarding state: a user invited into an
+  // existing workspace must enter that workspace, not be trapped in the
+  // onboarding overlay just because their personal `onboarded_at` is null.
+  // Onboarding is only the right destination when the account has zero
+  // workspaces AND has never onboarded.
   useEffect(() => {
-    if (!user || !workspaceListFetched) return undefined;
+    if (!user || !workspaceListFetched) return;
     const { overlay, open } = useWindowOverlayStore.getState();
-    if (overlay) return undefined;
-    if (hasOnboarded && wsCount > 0) return undefined;
+    if (overlay) return;
+    if (wsCount > 0) return;
     if (!hasOnboarded) {
-      // Stale workspace context (if any) would leak X-Workspace-Slug
-      // headers into onboarding-time API calls. Clear it before opening
-      // the overlay.
-      setCurrentWorkspace(null, null);
-      // Look up pending invitations by email. Network blip is non-fatal —
-      // fall through to onboarding so the user isn't stuck on a blank
-      // window. The sidebar's pending-invitations dropdown will surface
-      // missed invites later once they're onboarded.
-      let cancelled = false;
-      void api
-        .listMyInvitations()
-        .then((invites) => {
-          if (cancelled) return;
-          const { overlay: latestOverlay, open: latestOpen } =
-            useWindowOverlayStore.getState();
-          if (latestOverlay) return;
-          if (invites.length > 0) {
-            qc.setQueryData(workspaceKeys.myInvitations(), invites);
-            latestOpen({ type: "invitations" });
-          } else {
-            latestOpen({ type: "onboarding" });
-          }
-        })
-        .catch(() => {
-          if (cancelled) return;
-          const { overlay: latestOverlay, open: latestOpen } =
-            useWindowOverlayStore.getState();
-          if (latestOverlay) return;
-          latestOpen({ type: "onboarding" });
-        });
-      return () => {
-        cancelled = true;
-      };
+      open({ type: "onboarding" });
+    } else {
+      open({ type: "new-workspace" });
     }
-    open({ type: "new-workspace" });
-    return undefined;
-  }, [user, workspaceListFetched, wsCount, workspaces, hasOnboarded, qc]);
-
+  }, [user, workspaceListFetched, wsCount, workspaces, hasOnboarded]);
 
   // Validate persisted tab state against the current user's workspace list,
   // and pick an active workspace if none is set. Runs in useLayoutEffect
@@ -255,21 +190,9 @@ function AppContent() {
   );
 }
 
-function BlockingRuntimeConfigError({ message }: { message: string }) {
-  return (
-    <div className="flex h-screen items-center justify-center bg-background p-8 text-foreground">
-      <div className="max-w-xl rounded-lg border bg-card p-6 shadow-sm">
-        <h1 className="text-lg font-semibold">Desktop configuration error</h1>
-        <p className="mt-3 text-sm text-muted-foreground">
-          Multica Desktop could not load <code>~/.multica/desktop.json</code>. Fix or remove the file and restart the app.
-        </p>
-        <pre className="mt-4 whitespace-pre-wrap rounded-md bg-muted p-3 text-xs text-muted-foreground">
-          {message}
-        </pre>
-      </div>
-    </div>
-  );
-}
+// Backend the daemon should connect to — same URL the renderer talks to.
+const DAEMON_TARGET_API_URL =
+  import.meta.env.VITE_API_URL || "http://localhost:8080";
 
 // On logout, wipe desktop-only in-memory state and stop the daemon so that
 // a subsequent login as a different user never inherits the previous user's
@@ -279,9 +202,6 @@ function BlockingRuntimeConfigError({ message }: { message: string }) {
 async function handleDaemonLogout() {
   useTabStore.getState().reset();
   useWindowOverlayStore.getState().close();
-  // Drop any post-onboarding welcome signal so user B logging in next
-  // doesn't inherit user A's pending modal state.
-  useWelcomeStore.getState().reset();
   try {
     await window.daemonAPI.clearToken();
   } catch {
@@ -296,70 +216,22 @@ async function handleDaemonLogout() {
 
 export default function App() {
   const { version, os } = window.desktopAPI.appInfo;
-  const systemLocale = window.desktopAPI.systemLocale;
-  const runtimeConfigResult = window.desktopAPI.runtimeConfig;
   // Stable identity reference so downstream effects (WS reconnect) don't
   // tear down on every parent render.
   const identity = useMemo(
     () => ({ platform: "desktop", version, os }),
     [version, os],
   );
-  // Locale resolution happens once at app boot. Switching language goes
-  // through window.location.reload() to avoid hydration mismatch.
-  const localeAdapter = useMemo(
-    () => createDesktopLocaleAdapter(systemLocale),
-    [systemLocale],
-  );
-  const locale = useMemo(() => pickLocale(localeAdapter), [localeAdapter]);
-  const resources = useMemo(
-    () => ({ [locale]: RESOURCES[locale] }),
-    [locale],
-  );
-
-  // Keep <html lang> in sync with the resolved locale (index.html hardcodes
-  // "en"). Drives the lang-scoped Japanese CJK font override and a11y.
-  // useLayoutEffect (not useEffect) so lang is committed before the first
-  // paint — otherwise Japanese users would see one frame of Kanji rendered
-  // with the Chinese-first fallback stack before the override kicks in.
-  useLayoutEffect(() => {
-    document.documentElement.lang = HTML_LANG[locale];
-  }, [locale]);
-
-  // React to OS-level language changes detected by main on focus regain.
-  // Only act when the user is following the system signal (no explicit
-  // Settings choice) — otherwise their preference wins. Cross-device sync
-  // for the explicit-choice case is handled inside CoreProvider.
-  useEffect(() => {
-    return window.desktopAPI.onSystemLocaleChanged((nextSystemLocale) => {
-      if (localeAdapter.getUserChoice()) return;
-      const next = pickLocale({
-        ...localeAdapter,
-        getSystemPreferences: () =>
-          nextSystemLocale ? [nextSystemLocale] : [],
-      });
-      if (next === locale) return;
-      localeAdapter.persist(next);
-      window.location.reload();
-    });
-  }, [localeAdapter, locale]);
-
   return (
     <ThemeProvider>
-      {runtimeConfigResult.ok ? (
-        <CoreProvider
-          apiBaseUrl={runtimeConfigResult.config.apiUrl}
-          wsUrl={runtimeConfigResult.config.wsUrl}
-          onLogout={handleDaemonLogout}
-          identity={identity}
-          locale={locale}
-          resources={resources}
-          localeAdapter={localeAdapter}
-        >
-          <AppContent />
-        </CoreProvider>
-      ) : (
-        <BlockingRuntimeConfigError message={runtimeConfigResult.error.message} />
-      )}
+      <CoreProvider
+        apiBaseUrl={import.meta.env.VITE_API_URL || "http://localhost:8080"}
+        wsUrl={import.meta.env.VITE_WS_URL || "ws://localhost:8080/ws"}
+        onLogout={handleDaemonLogout}
+        identity={identity}
+      >
+        <AppContent />
+      </CoreProvider>
       <Toaster />
       <UpdateNotification />
     </ThemeProvider>

apps/desktop/src/renderer/src/components/daemon-runtime-card.tsx

@@ -4,6 +4,7 @@ import {
   Play,
   Square,
   RotateCw,
+  Server,
   Activity,
   ScrollText,
 } from "lucide-react";
@@ -11,7 +12,15 @@ import { useQuery } from "@tanstack/react-query";
 import { useWorkspaceId } from "@multica/core/hooks";
 import { runtimeListOptions } from "@multica/core/runtimes";
 import { agentTaskSnapshotOptions } from "@multica/core/agents";
+import { cn } from "@multica/ui/lib/utils";
 import { Button } from "@multica/ui/components/ui/button";
+import {
+  Card,
+  CardAction,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "@multica/ui/components/ui/card";
 import {
   Dialog,
   DialogContent,
@@ -23,13 +32,24 @@ import {
 import { toast } from "sonner";
 import { DaemonPanel } from "./daemon-panel";
 import type { DaemonStatus } from "../../../shared/daemon-types";
-import { DAEMON_STATE_LABELS } from "../../../shared/daemon-types";
+import {
+  DAEMON_STATE_COLORS,
+  DAEMON_STATE_LABELS,
+  daemonStateDescription,
+  formatUptime,
+} from "../../../shared/daemon-types";
 
 /**
- * Desktop-only controls for the daemon embedded in this Electron app. The
- * shared runtimes page renders this inside the selected local machine header.
+ * Header card on the desktop Runtimes page that surfaces the daemon embedded
+ * in this Electron app. The same daemon process registers N runtimes with the
+ * server (one per detected CLI), which appear in the runtime list below — so
+ * this card is the parent control surface for "what's running on this Mac".
+ *
+ * Why this lives only on desktop: web users don't have an embedded daemon;
+ * they bring their own (CLI-launched or remote VM) and just see runtimes in
+ * the list. The `desktop-runtimes-page` wrapper is the only mount point.
  */
-export function DaemonRuntimeActions() {
+export function DaemonRuntimeCard() {
   const [status, setStatus] = useState<DaemonStatus>({ state: "stopped" });
   const [panelOpen, setPanelOpen] = useState(false);
   const [actionLoading, setActionLoading] = useState(false);
@@ -37,8 +57,14 @@ export function DaemonRuntimeActions() {
 
   const wsId = useWorkspaceId();
   const { data: runtimes = [] } = useQuery(runtimeListOptions(wsId));
+  // Snapshot also includes each agent's latest terminal; the filter below
+  // drops anything that isn't running/dispatched, so terminal rows pass
+  // through harmlessly.
   const { data: snapshot = [] } = useQuery(agentTaskSnapshotOptions(wsId));
 
+  // Set of runtime IDs registered by THIS daemon (one per detected CLI).
+  // Used both to count "how many CLIs am I contributing" and to figure
+  // out which active tasks would be impacted by a Stop.
   const localRuntimeIds = useMemo(() => {
     if (!status.daemonId) return new Set<string>();
     return new Set(
@@ -50,6 +76,10 @@ export function DaemonRuntimeActions() {
 
   const runtimeCount = localRuntimeIds.size;
 
+  // Tasks that are actually doing work on this daemon right now —
+  // running or dispatched. Queued tasks haven't claimed a runtime yet,
+  // so stopping the daemon won't break them (they'll wait for any
+  // available daemon). The number drives the Stop-confirmation dialog.
   const affectedTasks = useMemo(
     () =>
       snapshot.filter(
@@ -78,6 +108,9 @@ export function DaemonRuntimeActions() {
     }
   }, []);
 
+  // The actual stop call, separated from the click handler so we can call
+  // it both from the direct path (no active tasks) and from the confirm
+  // dialog's confirm button.
   const performStop = useCallback(async () => {
     setActionLoading(true);
     const result = await window.daemonAPI.stop();
@@ -86,6 +119,8 @@ export function DaemonRuntimeActions() {
     }
   }, []);
 
+  // Click on the Stop button. If there's nothing running, just stop;
+  // otherwise pop a confirm dialog explaining the blast radius.
   const handleStopClick = useCallback(() => {
     if (affectedTasks.length === 0) {
       void performStop();
@@ -101,6 +136,9 @@ export function DaemonRuntimeActions() {
       toast.error("Failed to restart daemon", { description: result.error });
       return;
     }
+    // Success feedback — the daemon takes a few seconds to come back online,
+    // and the only other UI signal is the state badge flipping briefly. A
+    // toast confirms the click was received and tells the user what to expect.
     toast.success("Restarting daemon", {
       description: "Runtimes will be back online in a few seconds.",
     });
@@ -124,64 +162,106 @@ export function DaemonRuntimeActions() {
 
   return (
     <>
-      <div className="flex flex-wrap items-center justify-end gap-1.5">
-        {isRunning && (
-          <>
-            <Button size="sm" variant="ghost" onClick={() => setPanelOpen(true)}>
-              <ScrollText className="size-3.5 mr-1.5" />
-              View logs
-            </Button>
-            <Button
-              size="sm"
-              variant="outline"
-              onClick={handleRestart}
-              disabled={actionLoading}
-            >
-              <RotateCw className="size-3.5 mr-1.5" />
-              Restart
-            </Button>
-            <Button
-              size="sm"
-              variant="destructive"
-              onClick={handleStopClick}
-              disabled={actionLoading}
-            >
-              <Square className="size-3.5 mr-1.5" />
-              Stop
-            </Button>
-          </>
-        )}
+      <Card size="sm">
+        <CardHeader>
+          <CardTitle className="flex items-center gap-2">
+            <Server className="size-4 text-muted-foreground" />
+            Local daemon
+            <span className="inline-flex items-center gap-1.5 rounded-md border bg-background px-1.5 py-0.5 text-xs font-normal">
+              <span
+                className={cn(
+                  "size-1.5 rounded-full",
+                  DAEMON_STATE_COLORS[status.state],
+                )}
+              />
+              <span
+                className={cn(
+                  "tabular-nums",
+                  isRunning ? "text-foreground" : "text-muted-foreground",
+                )}
+              >
+                {DAEMON_STATE_LABELS[status.state]}
+              </span>
+              {isRunning && status.uptime && (
+                <span className="text-muted-foreground">
+                  · {formatUptime(status.uptime)}
+                </span>
+              )}
+            </span>
+          </CardTitle>
+          <CardDescription>
+            {daemonStateDescription(status.state, runtimeCount)}
+          </CardDescription>
+          <CardAction className="self-center">
+            <div className="flex items-center gap-1.5">
+              {isRunning && (
+                <>
+                  <Button
+                    size="sm"
+                    variant="ghost"
+                    onClick={() => setPanelOpen(true)}
+                  >
+                    <ScrollText className="size-3.5 mr-1.5" />
+                    View logs
+                  </Button>
+                  <Button
+                    size="sm"
+                    variant="outline"
+                    onClick={handleRestart}
+                    disabled={actionLoading}
+                  >
+                    <RotateCw className="size-3.5 mr-1.5" />
+                    Restart
+                  </Button>
+                  <Button
+                    size="sm"
+                    variant="destructive"
+                    onClick={handleStopClick}
+                    disabled={actionLoading}
+                  >
+                    <Square className="size-3.5 mr-1.5" />
+                    Stop
+                  </Button>
+                </>
+              )}
 
-        {isStopped && (
-          <Button size="sm" onClick={handleStart} disabled={actionLoading}>
-            {actionLoading ? (
-              <Activity className="size-3.5 mr-1.5 animate-pulse" />
-            ) : (
-              <Play className="size-3.5 mr-1.5" />
-            )}
-            Start
-          </Button>
-        )}
+              {isStopped && (
+                <Button
+                  size="sm"
+                  onClick={handleStart}
+                  disabled={actionLoading}
+                >
+                  {actionLoading ? (
+                    <Activity className="size-3.5 mr-1.5 animate-pulse" />
+                  ) : (
+                    <Play className="size-3.5 mr-1.5" />
+                  )}
+                  Start
+                </Button>
+              )}
 
-        {isCliMissing && (
-          <Button
-            size="sm"
-            variant="outline"
-            onClick={handleRetryInstall}
-            disabled={actionLoading}
-          >
-            <RotateCw className="size-3.5 mr-1.5" />
-            Retry setup
-          </Button>
-        )}
+              {isCliMissing && (
+                <Button
+                  size="sm"
+                  variant="outline"
+                  onClick={handleRetryInstall}
+                  disabled={actionLoading}
+                >
+                  <RotateCw className="size-3.5 mr-1.5" />
+                  Retry setup
+                </Button>
+              )}
 
-        {(isTransitioning || isInstalling) && (
-          <Button size="sm" variant="outline" disabled>
-            <Activity className="size-3.5 mr-1.5 animate-pulse" />
-            {DAEMON_STATE_LABELS[status.state]}
-          </Button>
-        )}
-      </div>
+              {(isTransitioning || isInstalling) && (
+                <Button size="sm" variant="outline" disabled>
+                  <Activity className="size-3.5 mr-1.5 animate-pulse" />
+                  {DAEMON_STATE_LABELS[status.state]}
+                </Button>
+              )}
+            </div>
+          </CardAction>
+        </CardHeader>
+      </Card>
 
       <DaemonPanel
         open={panelOpen}

apps/desktop/src/renderer/src/components/desktop-agents-page.tsx

@@ -1,54 +0,0 @@
-import { useEffect, useState } from "react";
-import { AgentsPage } from "@multica/views/agents";
-import type { DaemonStatus } from "../../../shared/daemon-types";
-
-/**
- * Desktop wrapper around the shared `AgentsPage`. Bridges the Electron
- * `daemonAPI` (main-process daemon state) into the page so the runtime
- * machine filter can render the Local section the same way the Runtimes
- * page does — without these props the page falls back to grouping
- * every local-mode runtime under "Remote" with a generic title, which
- * breaks the "drill from a machine into its agents" promise of the
- * filter.
- *
- * Mirrors `DesktopRuntimesPage`: we cache the last seen daemon
- * identity so the Local row doesn't get reclassified as Remote when
- * the daemon is stopped (which would null out `status.daemonId`), and
- * we fall back to the OS hostname so the section label stays useful
- * even when the app doesn't manage the running daemon (WSL2 etc.).
- */
-export function DesktopAgentsPage() {
-  const [status, setStatus] = useState<DaemonStatus>({ state: "stopped" });
-  const [lastIdentity, setLastIdentity] = useState<{
-    daemonId: string | null;
-    deviceName: string | null;
-  }>({ daemonId: null, deviceName: null });
-  const [hostName, setHostName] = useState<string | null>(null);
-
-  useEffect(() => {
-    const apply = (s: DaemonStatus) => {
-      setStatus(s);
-      if (s.daemonId) {
-        setLastIdentity({
-          daemonId: s.daemonId,
-          deviceName: s.deviceName ?? null,
-        });
-      }
-    };
-    window.daemonAPI.getStatus().then(apply);
-    window.daemonAPI.getHostName().then((name) => setHostName(name || null));
-    return window.daemonAPI.onStatusChange(apply);
-  }, []);
-
-  return (
-    <AgentsPage
-      localDaemonId={status.daemonId ?? lastIdentity.daemonId}
-      localMachineName={status.deviceName ?? lastIdentity.deviceName ?? hostName}
-      // Desktop owns a local machine for the lifetime of the app, even
-      // while the daemon is stopped or hasn't registered yet. The shared
-      // page synthesizes a placeholder local row so the filter dropdown
-      // still has a Local option to pick in the empty window.
-      hasLocalMachine
-    />
-  );
-}

apps/desktop/src/renderer/src/components/desktop-layout.tsx

@@ -13,6 +13,7 @@ import { ModalRegistry } from "@multica/views/modals/registry";
 import { AppSidebar } from "@multica/views/layout";
 import { SearchCommand, SearchTrigger } from "@multica/views/search";
 import { ChatFab, ChatWindow } from "@multica/views/chat";
+import { StarterContentPrompt } from "@multica/views/onboarding";
 import { WorkspaceSlugProvider, paths, useCurrentWorkspace } from "@multica/core/paths";
 import { getCurrentSlug, subscribeToCurrentSlug } from "@multica/core/platform";
 import { useDesktopUnreadBadge } from "@multica/views/platform";
@@ -34,7 +35,6 @@ function SidebarTopBar() {
         style={{ WebkitAppRegion: "no-drag" } as React.CSSProperties}
       >
         <button
-          type="button"
           onClick={goBack}
           disabled={!canGoBack}
           aria-label="Go back"
@@ -43,7 +43,6 @@ function SidebarTopBar() {
           <ChevronLeft className="size-4" />
         </button>
         <button
-          type="button"
           onClick={goForward}
           disabled={!canGoForward}
           aria-label="Go forward"
@@ -56,20 +55,6 @@ function SidebarTopBar() {
   );
 }
 
-function useNativeNavigationGestures() {
-  const { goBack, goForward } = useTabHistory();
-
-  useEffect(() => {
-    return window.desktopAPI.onNavigationGesture((gesture) => {
-      if (gesture === "back") {
-        goBack();
-      } else {
-        goForward();
-      }
-    });
-  }, [goBack, goForward]);
-}
-
 // The main area's top bar doubles as a window drag region. When the sidebar
 // is not occupying main-flow width — either user-collapsed (offcanvas) or
 // auto-hidden in mobile mode (<768px, becomes a sheet drawer) — we pad the
@@ -148,7 +133,6 @@ function DesktopInboxBridge() {
 export function DesktopShell() {
   useInternalLinkHandler();
   useActiveTitleSync();
-  useNativeNavigationGestures();
 
   // Reactive read of current workspace slug from the platform singleton.
   // On first mount, slug is null until WorkspaceRouteLayout (inside the tab
@@ -185,6 +169,7 @@ export function DesktopShell() {
         </div>
         {slug && <ModalRegistry />}
         {slug && <SearchCommand />}
+        {slug && <StarterContentPrompt />}
         <WindowOverlay />
       </WorkspaceSlugProvider>
     </DesktopNavigationProvider>

apps/desktop/src/renderer/src/components/desktop-runtimes-page.tsx

@@ -1,6 +1,6 @@
 import { useEffect, useState } from "react";
 import { RuntimesPage } from "@multica/views/runtimes";
-import { DaemonRuntimeActions } from "./daemon-runtime-card";
+import { DaemonRuntimeCard } from "./daemon-runtime-card";
 import type { DaemonStatus } from "../../../shared/daemon-types";
 
 /**
@@ -19,34 +19,10 @@ import type { DaemonStatus } from "../../../shared/daemon-types";
  */
 export function DesktopRuntimesPage() {
   const [status, setStatus] = useState<DaemonStatus>({ state: "stopped" });
-  // Remember the last known daemonId/deviceName. After the daemon is
-  // stopped, `status.daemonId` goes back to undefined — without this
-  // sticky cache the local row would either disappear or get reclassified
-  // as a remote machine (since `isCurrent` requires a daemonId match),
-  // taking the Start button with it.
-  const [lastIdentity, setLastIdentity] = useState<{
-    daemonId: string | null;
-    deviceName: string | null;
-  }>({ daemonId: null, deviceName: null });
-  // The host's OS hostname, independent of any daemon. Used as the last
-  // fallback for the local machine name so consolidation still works when
-  // the app doesn't manage the running daemon (e.g. it lives in WSL2) and
-  // thus never reports a device name.
-  const [hostName, setHostName] = useState<string | null>(null);
 
   useEffect(() => {
-    const apply = (s: DaemonStatus) => {
-      setStatus(s);
-      if (s.daemonId) {
-        setLastIdentity({
-          daemonId: s.daemonId,
-          deviceName: s.deviceName ?? null,
-        });
-      }
-    };
-    window.daemonAPI.getStatus().then(apply);
-    window.daemonAPI.getHostName().then((name) => setHostName(name || null));
-    return window.daemonAPI.onStatusChange(apply);
+    window.daemonAPI.getStatus().then(setStatus);
+    return window.daemonAPI.onStatusChange(setStatus);
   }, []);
 
   const bootstrapping =
@@ -56,14 +32,7 @@ export function DesktopRuntimesPage() {
 
   return (
     <RuntimesPage
-      localDaemonId={status.daemonId ?? lastIdentity.daemonId}
-      localMachineName={status.deviceName ?? lastIdentity.deviceName ?? hostName}
-      localMachineActions={<DaemonRuntimeActions />}
-      // Desktop owns a local machine for the lifetime of the app, even
-      // while the daemon is stopped or hasn't registered yet. The shared
-      // page synthesizes a placeholder local row when no real runtime
-      // matches, so the Start button is always reachable.
-      hasLocalMachine
+      topSlot={<DaemonRuntimeCard />}
       bootstrapping={bootstrapping}
     />
   );

apps/desktop/src/renderer/src/components/pageview-tracker.test.tsx

@@ -1,247 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-import { render } from "@testing-library/react";
-
-// vi.hoisted shared state — every store mock reads the same object so each
-// test can mutate it then re-render to drive the tracker.
-const state = vi.hoisted(() => ({
-  user: null as { id: string } | null,
-  overlay: null as { type: string; invitationId?: string } | null,
-  activeWorkspaceSlug: null as string | null,
-  byWorkspace: {} as Record<
-    string,
-    { activeTabId: string; tabs: { id: string; path: string }[] }
-  >,
-  capturePageview: vi.fn<(path?: string) => void>(),
-}));
-
-vi.mock("@multica/core/analytics", () => ({
-  capturePageview: state.capturePageview,
-}));
-
-// Auth store — single selector pattern (`s => s.user`).
-vi.mock("@multica/core/auth", () => {
-  const useAuthStore = (selector: (s: typeof state) => unknown) =>
-    selector(state);
-  return { useAuthStore };
-});
-
-// Window overlay store — same shape.
-vi.mock("@/stores/window-overlay-store", () => {
-  const useWindowOverlayStore = (selector: (s: typeof state) => unknown) =>
-    selector(state);
-  return { useWindowOverlayStore };
-});
-
-// Tab store — selectors read activeWorkspaceSlug + byWorkspace. Also expose
-// getState() for the seed pass and the helpers the tracker imports
-// (useActiveTabIdentity, getActiveTab) so we don't have to re-import them
-// from the real store inside a mocked module.
-vi.mock("@/stores/tab-store", () => {
-  const useTabStore = Object.assign(
-    (selector: (s: typeof state) => unknown) => selector(state),
-    { getState: () => state },
-  );
-  const getActiveTab = (s: typeof state) => {
-    const slug = s.activeWorkspaceSlug;
-    if (!slug) return null;
-    const group = s.byWorkspace[slug];
-    if (!group) return null;
-    return group.tabs.find((t) => t.id === group.activeTabId) ?? null;
-  };
-  const useActiveTabIdentity = () => ({
-    slug: state.activeWorkspaceSlug,
-    tabId: state.activeWorkspaceSlug
-      ? (state.byWorkspace[state.activeWorkspaceSlug]?.activeTabId ?? null)
-      : null,
-  });
-  return { useTabStore, getActiveTab, useActiveTabIdentity };
-});
-
-import { PageviewTracker } from "./pageview-tracker";
-
-function reset() {
-  state.user = { id: "u1" };
-  state.overlay = null;
-  state.activeWorkspaceSlug = null;
-  state.byWorkspace = {};
-  state.capturePageview.mockClear();
-}
-
-beforeEach(() => {
-  reset();
-});
-
-describe("PageviewTracker", () => {
-  it("suppresses pageview when switching to a previously-visible tab on its existing path", () => {
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [
-          { id: "tA", path: "/acme/issues" },
-          { id: "tB", path: "/acme/inbox" },
-        ],
-      },
-    };
-    state.activeWorkspaceSlug = "acme";
-
-    const { rerender } = render(<PageviewTracker />);
-    // Initial mount on tA — seeded as observed, no pageview because both
-    // tabs were already in the persisted store before the tracker mounted.
-    expect(state.capturePageview).not.toHaveBeenCalled();
-
-    // Switch to tB (already-known tab on its already-known path).
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tB",
-        tabs: [
-          { id: "tA", path: "/acme/issues" },
-          { id: "tB", path: "/acme/inbox" },
-        ],
-      },
-    };
-    rerender(<PageviewTracker />);
-    expect(state.capturePageview).not.toHaveBeenCalled();
-
-    // Switch back to tA — still no pageview.
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [
-          { id: "tA", path: "/acme/issues" },
-          { id: "tB", path: "/acme/inbox" },
-        ],
-      },
-    };
-    rerender(<PageviewTracker />);
-    expect(state.capturePageview).not.toHaveBeenCalled();
-  });
-
-  it("fires pageview when a foreground tab is added (addTab path)", () => {
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [{ id: "tA", path: "/acme/issues" }],
-      },
-    };
-    state.activeWorkspaceSlug = "acme";
-
-    const { rerender } = render(<PageviewTracker />);
-    state.capturePageview.mockClear();
-
-    // Simulate a foreground new-tab action (e.g. an explicit "Open in new
-    // tab" toolbar button that passes `{ activate: true }`) — tC is
-    // appended AND becomes active. `openInNewTab` defaults to background
-    // (no `setActiveTab`); only the `activate: true` branch produces the
-    // state change this test exercises.
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tC",
-        tabs: [
-          { id: "tA", path: "/acme/issues" },
-          { id: "tC", path: "/acme/agents" },
-        ],
-      },
-    };
-    rerender(<PageviewTracker />);
-
-    expect(state.capturePageview).toHaveBeenCalledTimes(1);
-    expect(state.capturePageview).toHaveBeenCalledWith("/acme/agents");
-  });
-
-  it("fires pageview when switchWorkspace opens a new path in another workspace", () => {
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [{ id: "tA", path: "/acme/issues" }],
-      },
-    };
-    state.activeWorkspaceSlug = "acme";
-
-    const { rerender } = render(<PageviewTracker />);
-    state.capturePageview.mockClear();
-
-    // Cross-workspace navigation: switchWorkspace("butter", "/butter/inbox")
-    // creates a fresh tab in the destination workspace and makes it active.
-    state.byWorkspace = {
-      acme: { activeTabId: "tA", tabs: [{ id: "tA", path: "/acme/issues" }] },
-      butter: {
-        activeTabId: "tD",
-        tabs: [{ id: "tD", path: "/butter/inbox" }],
-      },
-    };
-    state.activeWorkspaceSlug = "butter";
-    rerender(<PageviewTracker />);
-
-    expect(state.capturePageview).toHaveBeenCalledTimes(1);
-    expect(state.capturePageview).toHaveBeenCalledWith("/butter/inbox");
-  });
-
-  it("fires pageview on intra-tab navigation (path changes for the same tabId)", () => {
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [{ id: "tA", path: "/acme/issues" }],
-      },
-    };
-    state.activeWorkspaceSlug = "acme";
-
-    const { rerender } = render(<PageviewTracker />);
-    state.capturePageview.mockClear();
-
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [{ id: "tA", path: "/acme/issues/123" }],
-      },
-    };
-    rerender(<PageviewTracker />);
-
-    expect(state.capturePageview).toHaveBeenCalledTimes(1);
-    expect(state.capturePageview).toHaveBeenCalledWith("/acme/issues/123");
-  });
-
-  it("fires overlay and login pageviews and suppresses re-entry into the same tab afterward", () => {
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [{ id: "tA", path: "/acme/issues" }],
-      },
-    };
-    state.activeWorkspaceSlug = "acme";
-
-    const { rerender } = render(<PageviewTracker />);
-    state.capturePageview.mockClear();
-
-    // Open onboarding overlay.
-    state.overlay = { type: "onboarding" };
-    rerender(<PageviewTracker />);
-    expect(state.capturePageview).toHaveBeenLastCalledWith("/onboarding");
-
-    // Close overlay back to the tab — the tab is already observed on
-    // /acme/issues so this is a re-activation, no pageview.
-    state.capturePageview.mockClear();
-    state.overlay = null;
-    rerender(<PageviewTracker />);
-    expect(state.capturePageview).not.toHaveBeenCalled();
-
-    // Logout fires /login.
-    state.user = null;
-    rerender(<PageviewTracker />);
-    expect(state.capturePageview).toHaveBeenLastCalledWith("/login");
-  });
-
-  it("suppresses on initial mount when the active tab was restored from persistence", () => {
-    state.byWorkspace = {
-      acme: {
-        activeTabId: "tA",
-        tabs: [{ id: "tA", path: "/acme/issues" }],
-      },
-    };
-    state.activeWorkspaceSlug = "acme";
-
-    render(<PageviewTracker />);
-    // Restored tab — seeded, treated as a re-activation.
-    expect(state.capturePageview).not.toHaveBeenCalled();
-  });
-});
-

apps/desktop/src/renderer/src/components/pageview-tracker.tsx

@@ -1,17 +1,11 @@
-import { useEffect, useRef } from "react";
+import { useEffect } from "react";
 import { capturePageview } from "@multica/core/analytics";
 import { useAuthStore } from "@multica/core/auth";
-import {
-  getActiveTab,
-  useActiveTabIdentity,
-  useTabStore,
-} from "@/stores/tab-store";
+import { useTabStore } from "@/stores/tab-store";
 import { useWindowOverlayStore, type WindowOverlay } from "@/stores/window-overlay-store";
 
 /**
- * Fires a PostHog $pageview whenever the user's visible surface changes,
- * EXCEPT for re-activations of an already-known tab on its already-known
- * path.
+ * Fires a PostHog $pageview whenever the user's visible surface changes.
  *
  * Desktop has three layers that can own the visible page:
  *
@@ -23,18 +17,10 @@ import { useWindowOverlayStore, type WindowOverlay } from "@/stores/window-overl
  *   3. Otherwise → the active tab's path (workspace-scoped, e.g.
  *      `/acme/issues/123`). Kept in sync by `useTabRouterSync`.
  *
- * Tab-switch suppression: re-activating an already-open tab surfaces a
- * previously-visited path under a `(workspace, tabId)` we have already
- * seen — the pageview was emitted when the user originally navigated
- * there, so re-emitting on every switch just inflates PostHog billing
- * without adding signal (real-data audit: desktop tab switches were
- * ~50% of all `$pageview` events).
- *
- * Newly opened tabs (`openInNewTab`, `addTab`) and cross-workspace
- * `switchWorkspace(slug, path)` to a previously-unseen tab still fire,
- * because their key is not in the observed map yet. The map is seeded
- * from the persisted tab store on first render so tabs restored from a
- * previous session don't all re-emit on first activation.
+ * The overlay takes precedence over the tab path because it is visually in
+ * front of the tab system; the logged-out state shadows both because the
+ * shell doesn't render at all yet. This keeps the `$pageview` stream aligned
+ * with what the user actually sees.
  *
  * PostHog's `capture_pageview: true` auto-capture is intentionally off (see
  * `initAnalytics`) so this component owns the event shape, matching the web
@@ -43,75 +29,34 @@ import { useWindowOverlayStore, type WindowOverlay } from "@/stores/window-overl
 export function PageviewTracker() {
   const user = useAuthStore((s) => s.user);
   const overlay = useWindowOverlayStore((s) => s.overlay);
-  const { slug: activeWorkspaceSlug, tabId: activeTabId } = useActiveTabIdentity();
-  const activeTabPath = useTabStore((s) => getActiveTab(s)?.path ?? null);
+  const activeTabPath = useTabStore((s) => {
+    const slug = s.activeWorkspaceSlug;
+    if (!slug) return null;
+    const group = s.byWorkspace[slug];
+    if (!group) return null;
+    return group.tabs.find((t) => t.id === group.activeTabId)?.path ?? null;
+  });
 
-  // (slug:tabId) → last path observed while that tab was visible. Lets us
-  // tell "re-activating a tab on a path we already saw" (suppress) apart
-  // from "newly opened tab" or "intra-tab navigation" (fire). Seeded
-  // synchronously on first render from the persisted tab store so
-  // session-restored tabs don't re-emit on first click.
-  const observedTabsRef = useRef<Map<string, string> | null>(null);
-  if (observedTabsRef.current === null) {
-    const seed = new Map<string, string>();
-    for (const [slug, group] of Object.entries(useTabStore.getState().byWorkspace)) {
-      for (const tab of group.tabs) {
-        seed.set(`${slug}:${tab.id}`, tab.path);
-      }
-    }
-    observedTabsRef.current = seed;
-  }
-  const lastSurfaceRef = useRef<{
-    kind: "login" | "overlay" | "tab" | null;
-    key: string | null;
-    path: string | null;
-  }>({ kind: null, key: null, path: null });
+  const path = resolvePath(user, overlay, activeTabPath);
 
   useEffect(() => {
-    let kind: "login" | "overlay" | "tab";
-    let path: string;
-    let key: string | null = null;
-
-    if (!user) {
-      kind = "login";
-      path = "/login";
-    } else if (overlay) {
-      kind = "overlay";
-      path = overlayPath(overlay);
-    } else if (activeTabPath && activeTabId && activeWorkspaceSlug) {
-      kind = "tab";
-      key = `${activeWorkspaceSlug}:${activeTabId}`;
-      path = activeTabPath;
-    } else {
-      return;
-    }
-
-    const observed = observedTabsRef.current!;
-    const last = lastSurfaceRef.current;
-    const next = { kind, key, path };
-
-    if (kind === "tab" && key !== null) {
-      const knownPath = observed.get(key);
-      const isReactivation =
-        last.key !== key && knownPath !== undefined && knownPath === path;
-      observed.set(key, path);
-      if (isReactivation) {
-        lastSurfaceRef.current = next;
-        return;
-      }
-    }
-
-    const unchanged =
-      last.kind === kind && last.key === key && last.path === path;
-    if (unchanged) return;
-
+    if (!path) return;
     capturePageview(path);
-    lastSurfaceRef.current = next;
-  }, [user, overlay, activeWorkspaceSlug, activeTabId, activeTabPath]);
+  }, [path]);
 
   return null;
 }
 
+function resolvePath(
+  user: unknown,
+  overlay: WindowOverlay | null,
+  activeTabPath: string | null,
+): string | null {
+  if (!user) return "/login";
+  if (overlay) return overlayPath(overlay);
+  return activeTabPath;
+}
+
 function overlayPath(overlay: WindowOverlay): string {
   switch (overlay.type) {
     case "new-workspace":
@@ -120,7 +65,5 @@ function overlayPath(overlay: WindowOverlay): string {
       return "/onboarding";
     case "invite":
       return `/invite/${overlay.invitationId}`;
-    case "invitations":
-      return "/invitations";
   }
 }

apps/desktop/src/renderer/src/components/route-error-page.test.tsx

@@ -1,98 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { fireEvent, render, screen } from "@testing-library/react";
-import { createMemoryRouter, RouterProvider } from "react-router-dom";
-
-const openModal = vi.fn();
-const reloadActiveTab = vi.fn();
-const closeActiveTab = vi.fn();
-
-vi.mock("@multica/core/modals", () => ({
-  useModalStore: {
-    getState: () => ({ open: openModal }),
-  },
-}));
-
-vi.mock("@/stores/tab-store", () => ({
-  useTabStore: {
-    getState: () => ({ reloadActiveTab, closeActiveTab }),
-  },
-}));
-
-import { DesktopRouteErrorPage, formatRouteErrorReport } from "./route-error-page";
-
-function Boom(): null {
-  throw new Error("route render exploded");
-  return null;
-}
-
-describe("DesktopRouteErrorPage", () => {
-  beforeEach(() => {
-    openModal.mockReset();
-    reloadActiveTab.mockReset();
-    closeActiveTab.mockReset();
-    vi.spyOn(console, "error").mockImplementation(() => {});
-  });
-
-  afterEach(() => {
-    vi.restoreAllMocks();
-  });
-
-  it("brands React Router route errors and offers tab reload", async () => {
-    const router = createMemoryRouter(
-      [{ path: "/", element: <Boom />, errorElement: <DesktopRouteErrorPage /> }],
-      { initialEntries: ["/"] },
-    );
-
-    render(<RouterProvider router={router} />);
-
-    expect(await screen.findByRole("alert")).toHaveTextContent(
-      "Something went wrong in this tab",
-    );
-    fireEvent.click(screen.getByRole("button", { name: /reload tab/i }));
-    expect(reloadActiveTab).toHaveBeenCalledTimes(1);
-  });
-
-  it("offers Close tab as the always-safe escape from a crashing route", async () => {
-    const router = createMemoryRouter(
-      [{ path: "/acme/issues/1", element: <Boom />, errorElement: <DesktopRouteErrorPage /> }],
-      { initialEntries: ["/acme/issues/1"] },
-    );
-
-    render(<RouterProvider router={router} />);
-
-    fireEvent.click(await screen.findByRole("button", { name: /close tab/i }));
-    expect(closeActiveTab).toHaveBeenCalledTimes(1);
-  });
-
-  it("opens the existing feedback modal with a structured markdown report only after click", async () => {
-    const router = createMemoryRouter(
-      [{ path: "/acme/issues", element: <Boom />, errorElement: <DesktopRouteErrorPage /> }],
-      { initialEntries: ["/acme/issues"] },
-    );
-
-    render(<RouterProvider router={router} />);
-
-    expect(openModal).not.toHaveBeenCalled();
-    fireEvent.click(await screen.findByRole("button", { name: /report error/i }));
-
-    expect(openModal).toHaveBeenCalledWith(
-      "feedback",
-      expect.objectContaining({
-        initialMessage: expect.stringContaining("kind: desktop_route_error"),
-      }),
-    );
-  });
-
-  it("documents the structured kind/context follow-up debt in the report template", () => {
-    const report = formatRouteErrorReport({
-      error: new Error("bad route"),
-      url: "app://desktop/acme/issues",
-      appInfo: { version: "1.2.3", os: "macos" },
-      trigger: "route-errorElement",
-    });
-
-    expect(report).toContain("kind: desktop_route_error");
-    expect(report).toContain("trigger: route-errorElement");
-    expect(report).toContain("TODO: promote kind/context to structured feedback fields");
-  });
-});

apps/desktop/src/renderer/src/components/route-error-page.tsx

@@ -1,140 +0,0 @@
-import { useMemo } from "react";
-import { useLocation, useNavigate, useRouteError } from "react-router-dom";
-import { AlertTriangle, RotateCw, Send, X } from "lucide-react";
-import { Button } from "@multica/ui/components/ui/button";
-import { useModalStore } from "@multica/core/modals";
-import { useTabStore } from "@/stores/tab-store";
-
-type DesktopAppInfo = {
-  version?: string;
-  os?: string;
-};
-
-export function formatRouteErrorReport({
-  error,
-  url,
-  appInfo,
-  trigger,
-}: {
-  error: unknown;
-  url: string;
-  appInfo?: DesktopAppInfo;
-  trigger: string;
-}) {
-  const normalized = normalizeError(error);
-  return [
-    "kind: desktop_route_error",
-    `trigger: ${trigger}`,
-    `url: ${url}`,
-    `app_version: ${appInfo?.version ?? "unknown"}`,
-    `runtime_os: ${appInfo?.os ?? "unknown"}`,
-    "",
-    "context:",
-    `- name: ${normalized.name}`,
-    `- message: ${normalized.message}`,
-    "",
-    "stack:",
-    "```",
-    normalized.stack ?? "<no stack>",
-    "```",
-    "",
-    "TODO: promote kind/context to structured feedback fields once the feedback API supports them.",
-  ].join("\n");
-}
-
-export function DesktopRouteErrorPage() {
-  const error = useRouteError();
-  const location = useLocation();
-  const navigate = useNavigate();
-  const workspaceSlug = location.pathname.split("/").filter(Boolean)[0];
-  const safeRoute = workspaceSlug ? `/${workspaceSlug}/issues` : null;
-  const report = useMemo(
-    () =>
-      formatRouteErrorReport({
-        error,
-        url:
-          typeof window !== "undefined"
-            ? `${window.location.origin}${location.pathname}${location.search}${location.hash}`
-            : location.pathname,
-        appInfo: typeof window !== "undefined" ? window.desktopAPI?.appInfo : undefined,
-        trigger: "route-errorElement",
-      }),
-    [error, location.hash, location.pathname, location.search],
-  );
-  const message = normalizeError(error).message;
-
-  return (
-    <div
-      role="alert"
-      className="flex h-full min-h-[20rem] flex-col items-center justify-center gap-4 p-8 text-center"
-    >
-      <div className="rounded-full bg-destructive/10 p-3 text-destructive">
-        <AlertTriangle className="h-6 w-6" aria-hidden="true" />
-      </div>
-      <div className="space-y-2">
-        <h2 className="text-lg font-semibold">Something went wrong in this tab</h2>
-        <p className="max-w-lg text-sm text-muted-foreground">
-          A route-level renderer error was contained before it could take down the
-          desktop shell. Reload this tab, or send the report if it keeps happening.
-        </p>
-        <p className="max-w-lg truncate text-xs text-muted-foreground">{message}</p>
-      </div>
-      <div className="flex gap-2">
-        <Button
-          type="button"
-          variant="outline"
-          onClick={() => useTabStore.getState().reloadActiveTab()}
-        >
-          <RotateCw className="mr-2 h-4 w-4" aria-hidden="true" />
-          Reload tab
-        </Button>
-        {safeRoute ? (
-          <Button type="button" variant="outline" onClick={() => navigate(safeRoute, { replace: true })}>
-            Go to issues
-          </Button>
-        ) : null}
-        <Button
-          type="button"
-          variant="outline"
-          onClick={() => useTabStore.getState().closeActiveTab()}
-        >
-          <X className="mr-2 h-4 w-4" aria-hidden="true" />
-          Close tab
-        </Button>
-        <Button
-          type="button"
-          onClick={() =>
-            useModalStore.getState().open("feedback", {
-              initialMessage: report,
-            })
-          }
-        >
-          <Send className="mr-2 h-4 w-4" aria-hidden="true" />
-          Report error
-        </Button>
-      </div>
-    </div>
-  );
-}
-
-function normalizeError(error: unknown): { name: string; message: string; stack?: string } {
-  if (error instanceof Error) {
-    return {
-      name: error.name || "Error",
-      message: error.message || "Unknown route error",
-      stack: error.stack,
-    };
-  }
-  if (typeof error === "string") {
-    return { name: "Error", message: error };
-  }
-  return { name: "Error", message: "Unknown route error", stack: safeJson(error) };
-}
-
-function safeJson(value: unknown) {
-  try {
-    return JSON.stringify(value, null, 2);
-  } catch {
-    return String(value);
-  }
-}

apps/desktop/src/renderer/src/components/tab-bar.test.tsx

@@ -1,151 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-import { render, fireEvent, within } from "@testing-library/react";
-
-type MockTab = {
-  id: string;
-  path: string;
-  title: string;
-  icon: string;
-  pinned: boolean;
-};
-
-const state = vi.hoisted(() => ({
-  activeWorkspaceSlug: "acme" as string | null,
-  byWorkspace: {
-    acme: {
-      activeTabId: "tA",
-      tabs: [
-        { id: "tA", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: false },
-        { id: "tB", path: "/acme/projects", title: "Projects", icon: "ListTodo", pinned: false },
-      ] as MockTab[],
-    },
-  } as Record<string, { activeTabId: string; tabs: MockTab[] }>,
-  togglePin: vi.fn<(tabId: string) => void>(),
-  closeTab: vi.fn<(tabId: string) => void>(),
-  setActiveTab: vi.fn<(tabId: string) => void>(),
-  moveTab: vi.fn<(from: number, to: number) => void>(),
-  addTab: vi.fn<(path: string, title: string, icon: string) => string>(),
-}));
-
-vi.mock("@/stores/tab-store", () => {
-  const store = {
-    get activeWorkspaceSlug() {
-      return state.activeWorkspaceSlug;
-    },
-    get byWorkspace() {
-      return state.byWorkspace;
-    },
-    togglePin: state.togglePin,
-    closeTab: state.closeTab,
-    setActiveTab: state.setActiveTab,
-    moveTab: state.moveTab,
-    addTab: state.addTab,
-  };
-  const useTabStore = Object.assign(
-    (selector?: (s: typeof store) => unknown) =>
-      selector ? selector(store) : store,
-    { getState: () => store },
-  );
-  const useActiveGroup = () =>
-    state.activeWorkspaceSlug
-      ? (state.byWorkspace[state.activeWorkspaceSlug] ?? null)
-      : null;
-  const resolveRouteIcon = () => "ListTodo";
-  return { useTabStore, useActiveGroup, resolveRouteIcon };
-});
-
-vi.mock("@multica/core/paths", () => ({
-  paths: {
-    workspace: (slug: string) => ({
-      issues: () => `/${slug}/issues`,
-    }),
-  },
-}));
-
-import { TabBar } from "./tab-bar";
-
-function reset() {
-  state.activeWorkspaceSlug = "acme";
-  state.byWorkspace = {
-    acme: {
-      activeTabId: "tA",
-      tabs: [
-        { id: "tA", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: false },
-        { id: "tB", path: "/acme/projects", title: "Projects", icon: "ListTodo", pinned: false },
-      ],
-    },
-  };
-  state.togglePin.mockReset();
-  state.closeTab.mockReset();
-  state.setActiveTab.mockReset();
-  state.moveTab.mockReset();
-  state.addTab.mockReset();
-}
-
-beforeEach(reset);
-
-describe("TabBar hover action buttons", () => {
-  it("renders a Pin button on every unpinned tab and an Unpin button on every pinned tab", () => {
-    state.byWorkspace.acme.tabs = [
-      { id: "tA", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: true },
-      { id: "tB", path: "/acme/projects", title: "Projects", icon: "ListTodo", pinned: false },
-    ];
-    const { getAllByLabelText } = render(<TabBar />);
-    expect(getAllByLabelText("Unpin tab")).toHaveLength(1);
-    expect(getAllByLabelText("Pin tab")).toHaveLength(1);
-  });
-
-  it("clicking the Pin button calls togglePin for the tab", () => {
-    const { getAllByLabelText } = render(<TabBar />);
-    const pinButtons = getAllByLabelText("Pin tab");
-    fireEvent.click(pinButtons[1]); // click Pin on tB (Projects)
-    expect(state.togglePin).toHaveBeenCalledWith("tB");
-  });
-
-  it("clicking the Unpin button on a pinned tab calls togglePin", () => {
-    state.byWorkspace.acme.tabs = [
-      { id: "tA", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: true },
-      { id: "tB", path: "/acme/projects", title: "Projects", icon: "ListTodo", pinned: false },
-    ];
-    const { getByLabelText } = render(<TabBar />);
-    fireEvent.click(getByLabelText("Unpin tab"));
-    expect(state.togglePin).toHaveBeenCalledWith("tA");
-  });
-
-  it("hides the X close button on a pinned tab but keeps it on an unpinned tab", () => {
-    state.byWorkspace.acme.tabs = [
-      { id: "tA", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: true },
-      { id: "tB", path: "/acme/projects", title: "Projects", icon: "ListTodo", pinned: false },
-    ];
-    const { queryAllByLabelText } = render(<TabBar />);
-    // Only the unpinned tab exposes a Close affordance — pinned tab requires
-    // explicit Unpin first (RFC §3 D3c FINAL).
-    expect(queryAllByLabelText("Close tab")).toHaveLength(1);
-  });
-
-  it("keeps the full title visible on a pinned tab (no icon-only collapse)", () => {
-    state.byWorkspace.acme.tabs = [
-      { id: "tA", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: true },
-    ];
-    const { getByLabelText } = render(<TabBar />);
-    const pinnedTab = getByLabelText("Issues (pinned)");
-    expect(within(pinnedTab).getByText("Issues")).toBeTruthy();
-  });
-
-  it("renders the Pin glyph as the leading icon on a pinned tab and the route icon on an unpinned tab", () => {
-    state.byWorkspace.acme.tabs = [
-      { id: "tA", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: true },
-      { id: "tB", path: "/acme/projects", title: "Projects", icon: "ListTodo", pinned: false },
-    ];
-    const { getByLabelText } = render(<TabBar />);
-    const pinnedTab = getByLabelText("Issues (pinned)");
-    const unpinnedTab = getByLabelText("Projects");
-    // lucide-react renders the icon name into the class list. The leading
-    // slot icon is size-3.5; the hover Pin/Unpin action button is size-2.5,
-    // so we qualify on size to avoid matching the action glyph.
-    expect(pinnedTab.querySelector(".lucide-pin.size-3\\.5")).toBeTruthy();
-    expect(pinnedTab.querySelector(".lucide-list-todo")).toBeNull();
-    expect(unpinnedTab.querySelector(".lucide-list-todo.size-3\\.5")).toBeTruthy();
-    expect(unpinnedTab.querySelector(".lucide-pin.size-3\\.5")).toBeNull();
-  });
-});

apps/desktop/src/renderer/src/components/tab-bar.tsx

@@ -1,4 +1,3 @@
-import { Fragment } from "react";
 import {
   Inbox,
   CircleUser,
@@ -9,8 +8,6 @@ import {
   Settings,
   X,
   Plus,
-  Pin,
-  PinOff,
   type LucideIcon,
 } from "lucide-react";
 import {
@@ -31,20 +28,8 @@ import {
   restrictToParentElement,
 } from "@dnd-kit/modifiers";
 import { CSS } from "@dnd-kit/utilities";
-import {
-  ContextMenu,
-  ContextMenuContent,
-  ContextMenuItem,
-  ContextMenuSeparator,
-  ContextMenuTrigger,
-} from "@multica/ui/components/ui/context-menu";
 import { cn } from "@multica/ui/lib/utils";
-import {
-  useTabStore,
-  useActiveGroup,
-  resolveRouteIcon,
-  type Tab,
-} from "@/stores/tab-store";
+import { useTabStore, useActiveGroup, resolveRouteIcon, type Tab } from "@/stores/tab-store";
 import { paths } from "@multica/core/paths";
 
 const TAB_ICONS: Record<string, LucideIcon> = {
@@ -57,23 +42,9 @@ const TAB_ICONS: Record<string, LucideIcon> = {
   Settings,
 };
 
-function SortableTabItem({
-  tab,
-  isActive,
-  isOnly,
-}: {
-  tab: Tab;
-  isActive: boolean;
-  /**
-   * True iff this is the only tab in the workspace. Hiding X on the last
-   * tab matches existing behavior and avoids the surprise of the store's
-   * last-tab reseed kicking in. Pinned tabs always hide X (RFC §3 D3c).
-   */
-  isOnly: boolean;
-}) {
+function SortableTabItem({ tab, isActive, isOnly }: { tab: Tab; isActive: boolean; isOnly: boolean }) {
   const setActiveTab = useTabStore((s) => s.setActiveTab);
   const closeTab = useTabStore((s) => s.closeTab);
-  const togglePin = useTabStore((s) => s.togglePin);
 
   const {
     attributes,
@@ -84,11 +55,7 @@ function SortableTabItem({
     isDragging,
   } = useSortable({ id: tab.id });
 
-  // Pinned tabs swap the route icon for a Pin glyph as the static "I am
-  // pinned" indicator (RFC §3 D1v-iv FINAL). The route information is still
-  // present in the title, and this avoids a hard left accent border that read
-  // as visually heavy in light mode.
-  const LeadingIcon = tab.pinned ? Pin : TAB_ICONS[tab.icon];
+  const Icon = TAB_ICONS[tab.icon];
 
   const style = {
     transform: CSS.Transform.toString(transform),
@@ -107,31 +74,17 @@ function SortableTabItem({
     closeTab(tab.id);
   };
 
-  const handleTogglePin = (e: React.MouseEvent) => {
-    e.stopPropagation();
-    togglePin(tab.id);
-  };
-
-  const stopDragOnAction = (e: React.PointerEvent) => {
+  const stopDragOnClose = (e: React.PointerEvent) => {
     e.stopPropagation();
   };
 
-  // Pinned tabs keep their full title (RFC §3 D1v-ii FINAL). The only visual
-  // differences vs. unpinned tabs are the leading Pin icon (swapped in above)
-  // and the suppressed X (closing requires explicit Unpin). Pin/Unpin is
-  // reachable via the hover action button below and the right-click menu.
-  const showCloseButton = !tab.pinned && !isOnly;
-
-  const tabButton = (
+  return (
     <button
-      type="button"
       ref={setNodeRef}
       style={style}
       {...attributes}
       {...listeners}
       onClick={handleClick}
-      aria-label={tab.pinned ? `${tab.title} (pinned)` : tab.title}
-      title={tab.pinned ? `${tab.title} (pinned)` : undefined}
       className={cn(
         "group flex h-7 w-40 items-center gap-1.5 rounded-md px-2 text-xs transition-colors",
         "select-none cursor-default",
@@ -141,7 +94,7 @@ function SortableTabItem({
         isDragging && "opacity-60",
       )}
     >
-      {LeadingIcon && <LeadingIcon className="size-3.5 shrink-0" />}
+      {Icon && <Icon className="size-3.5 shrink-0" />}
       <span
         className="min-w-0 flex-1 overflow-hidden whitespace-nowrap text-left"
         style={{
@@ -151,22 +104,10 @@ function SortableTabItem({
       >
         {tab.title}
       </span>
-      <span
-        onClick={handleTogglePin}
-        onPointerDown={stopDragOnAction}
-        role="button"
-        aria-label={tab.pinned ? "Unpin tab" : "Pin tab"}
-        title={tab.pinned ? "Unpin tab" : "Pin tab"}
-        className="hidden size-3.5 shrink-0 items-center justify-center rounded-sm text-muted-foreground transition-colors group-hover:flex hover:bg-muted-foreground/20 hover:text-foreground"
-      >
-        {tab.pinned ? <PinOff className="size-2.5" /> : <Pin className="size-2.5" />}
-      </span>
-      {showCloseButton && (
+      {!isOnly && (
         <span
           onClick={handleClose}
-          onPointerDown={stopDragOnAction}
-          role="button"
-          aria-label="Close tab"
+          onPointerDown={stopDragOnClose}
           className="hidden size-3.5 shrink-0 items-center justify-center rounded-sm text-muted-foreground transition-colors group-hover:flex hover:bg-muted-foreground/20 hover:text-foreground"
         >
           <X className="size-2.5" />
@@ -174,36 +115,6 @@ function SortableTabItem({
       )}
     </button>
   );
-
-  return (
-    <ContextMenu>
-      <ContextMenuTrigger render={tabButton} />
-      <ContextMenuContent>
-        <ContextMenuItem onClick={() => togglePin(tab.id)}>
-          {tab.pinned ? (
-            <>
-              <PinOff />
-              Unpin tab
-            </>
-          ) : (
-            <>
-              <Pin />
-              Pin tab
-            </>
-          )}
-        </ContextMenuItem>
-        <ContextMenuSeparator />
-        <ContextMenuItem
-          variant="destructive"
-          disabled={tab.pinned || isOnly}
-          onClick={() => closeTab(tab.id)}
-        >
-          <X />
-          Close tab
-        </ContextMenuItem>
-      </ContextMenuContent>
-    </ContextMenu>
-  );
 }
 
 function NewTabButton() {
@@ -222,7 +133,6 @@ function NewTabButton() {
 
   return (
     <button
-      type="button"
       onClick={handleClick}
       style={{ WebkitAppRegion: "no-drag" } as React.CSSProperties}
       className="flex size-7 shrink-0 items-center justify-center rounded-md text-muted-foreground/70 transition-colors hover:bg-muted/50 hover:text-muted-foreground"
@@ -245,17 +155,12 @@ export function TabBar() {
   const tabs = group?.tabs ?? [];
   const activeTabId = group?.activeTabId ?? "";
   const tabIds = tabs.map((t) => t.id);
-  const pinnedCount = tabs.filter((t) => t.pinned).length;
-  const unpinnedCount = tabs.length - pinnedCount;
 
   const handleDragEnd = (event: DragEndEvent) => {
     const { active, over } = event;
     if (!over || active.id === over.id) return;
     const from = tabs.findIndex((t) => t.id === active.id);
     const to = tabs.findIndex((t) => t.id === over.id);
-    // The store clamps the destination to within the source tab's zone
-    // (pinned vs unpinned), so this call is safe even when the user tries
-    // to drag across the boundary — the tab will land at the boundary.
     if (from !== -1 && to !== -1) moveTab(from, to);
   };
 
@@ -268,22 +173,13 @@ export function TabBar() {
         onDragEnd={handleDragEnd}
       >
         <SortableContext items={tabIds} strategy={horizontalListSortingStrategy}>
-          {tabs.map((tab, index) => (
-            <Fragment key={tab.id}>
-              <SortableTabItem
-                tab={tab}
-                isActive={tab.id === activeTabId}
-                isOnly={tabs.length === 1}
-              />
-              {tab.pinned &&
-                index === pinnedCount - 1 &&
-                unpinnedCount > 0 && (
-                  <div
-                    aria-hidden
-                    className="mx-1 h-4 w-px bg-border"
-                  />
-                )}
-            </Fragment>
+          {tabs.map((tab) => (
+            <SortableTabItem
+              key={tab.id}
+              tab={tab}
+              isActive={tab.id === activeTabId}
+              isOnly={tabs.length === 1}
+            />
           ))}
         </SortableContext>
       </DndContext>

apps/desktop/src/renderer/src/components/tab-content.tsx

@@ -3,7 +3,6 @@ import { RouterProvider } from "react-router-dom";
 import { useActiveGroup } from "@/stores/tab-store";
 import { TabNavigationProvider } from "@/platform/navigation";
 import { useTabRouterSync } from "@/hooks/use-tab-router-sync";
-import { useTabScrollRestore } from "@/hooks/use-tab-scroll-restore";
 import type { Tab } from "@/stores/tab-store";
 
 /**
@@ -16,28 +15,6 @@ function TabRouterInner({ tab }: { tab: Tab }) {
   return null;
 }
 
-/**
- * Wraps a tab's subtree so its scroll position survives the round trip
- * through `<Activity mode="hidden">`. Lives inside Activity so the hook's
- * effects cycle with the tab's visibility — see `useTabScrollRestore` for
- * the mechanism. `display: contents` keeps the wrapper transparent to
- * the surrounding flex layout.
- */
-function TabScrollRestoreWrapper({
-  tabPath,
-  children,
-}: {
-  tabPath: string;
-  children: React.ReactNode;
-}) {
-  const ref = useTabScrollRestore(tabPath);
-  return (
-    <div ref={ref} style={{ display: "contents" }}>
-      {children}
-    </div>
-  );
-}
-
 /**
  * Renders the active workspace's tabs using Activity for state preservation.
  * Only the active tab is visible; hidden tabs keep their DOM and React state.
@@ -67,12 +44,10 @@ export function TabContent() {
           key={tab.id}
           mode={tab.id === group.activeTabId ? "visible" : "hidden"}
         >
-          <TabScrollRestoreWrapper tabPath={tab.path}>
-            <TabNavigationProvider router={tab.router}>
-              <RouterProvider router={tab.router} />
-              <TabRouterInner tab={tab} />
-            </TabNavigationProvider>
-          </TabScrollRestoreWrapper>
+          <TabNavigationProvider router={tab.router}>
+            <RouterProvider router={tab.router} />
+            <TabRouterInner tab={tab} />
+          </TabNavigationProvider>
         </Activity>
       ))}
     </>

apps/desktop/src/renderer/src/components/update-notification.tsx

@@ -1,65 +1,137 @@
-import { useEffect, useState } from "react";
-import { RefreshCw, X } from "lucide-react";
+import { useCallback, useEffect, useState } from "react";
+import { ArrowDownToLine, RefreshCw, X } from "lucide-react";
 
-// Downloads run silently in the background (main process has
-// autoDownload=true). The renderer only renders UI once the package is fully
-// downloaded and waiting for a restart.
 type UpdateState =
   | { status: "idle" }
-  | { status: "ready"; version: string };
+  | { status: "available"; version: string }
+  | { status: "downloading"; percent: number }
+  | { status: "ready" };
 
 export function UpdateNotification() {
   const [state, setState] = useState<UpdateState>({ status: "idle" });
   const [dismissed, setDismissed] = useState(false);
 
   useEffect(() => {
-    const cleanup = window.updater.onUpdateDownloaded((info) => {
-      setState({ status: "ready", version: info.version });
-      setDismissed(false);
-    });
-    return cleanup;
+    const cleanups: (() => void)[] = [];
+
+    cleanups.push(
+      window.updater.onUpdateAvailable((info) => {
+        setState({ status: "available", version: info.version });
+        setDismissed(false);
+      }),
+    );
+
+    cleanups.push(
+      window.updater.onDownloadProgress((progress) => {
+        setState({ status: "downloading", percent: progress.percent });
+      }),
+    );
+
+    cleanups.push(
+      window.updater.onUpdateDownloaded(() => {
+        setState({ status: "ready" });
+      }),
+    );
+
+    return () => cleanups.forEach((fn) => fn());
   }, []);
 
+  const handleDownload = useCallback(() => {
+    // Prevent double-click: immediately transition to downloading state
+    if (state.status !== "available") return;
+    setState({ status: "downloading", percent: 0 });
+    window.updater.downloadUpdate();
+  }, [state.status]);
+
+  const handleInstall = useCallback(() => {
+    window.updater.installUpdate();
+  }, []);
+
+  // Only allow dismiss when update is available (not during download or ready)
   if (state.status === "idle") return null;
-  if (dismissed) return null;
+  if (dismissed && state.status === "available") return null;
 
   return (
     <div className="fixed bottom-4 right-4 z-50 w-80 rounded-lg border border-border bg-background p-4 shadow-lg animate-in slide-in-from-bottom-2 fade-in duration-300">
       <button
-        type="button"
         onClick={() => setDismissed(true)}
         className="absolute top-2 right-2 rounded-md p-1 text-muted-foreground hover:text-foreground transition-colors"
       >
         <X className="size-3.5" />
       </button>
 
-      <div className="flex items-start gap-3">
-        <div className="mt-0.5 rounded-md bg-success/10 p-1.5">
-          <RefreshCw className="size-4 text-success" />
-        </div>
-        <div className="flex-1 min-w-0">
-          <p className="text-sm font-medium">Update ready</p>
-          <p className="text-xs text-muted-foreground mt-0.5">
-            v{state.version} will be applied on next launch.
-          </p>
-          <div className="mt-2 flex items-center gap-1.5">
+      {state.status === "available" && (
+        <div className="flex items-start gap-3">
+          <div className="mt-0.5 rounded-md bg-primary/10 p-1.5">
+            <ArrowDownToLine className="size-4 text-primary" />
+          </div>
+          <div className="flex-1 min-w-0">
+            <p className="text-sm font-medium">New version available</p>
+            <p className="text-xs text-muted-foreground mt-0.5">
+              v{state.version} is ready to download
+            </p>
             <button
-              type="button"
-              onClick={() => setDismissed(true)}
-              className="inline-flex items-center rounded-md border border-border bg-background px-3 py-1.5 text-xs font-medium text-foreground hover:bg-accent transition-colors"
+              onClick={handleDownload}
+              className="mt-2 inline-flex items-center rounded-md bg-primary px-3 py-1.5 text-xs font-medium text-primary-foreground hover:bg-primary/90 transition-colors"
             >
-              Later
-            </button>
-            <button
-              type="button"
-              onClick={() => window.updater.installUpdate()}
-              className="inline-flex items-center rounded-md bg-primary px-3 py-1.5 text-xs font-medium text-primary-foreground hover:bg-primary/90 transition-colors"
-            >
-              Restart now
+              Download update
             </button>
           </div>
         </div>
-      </div>
+      )}
+
+      {state.status === "downloading" && (
+        <div className="flex items-start gap-3">
+          <div className="mt-0.5 rounded-md bg-primary/10 p-1.5">
+            <ArrowDownToLine className="size-4 text-primary animate-pulse" />
+          </div>
+          <div className="flex-1 min-w-0">
+            <p className="text-sm font-medium">Downloading update...</p>
+            <div className="mt-2 h-1.5 w-full rounded-full bg-muted overflow-hidden">
+              <div
+                className="h-full rounded-full bg-primary transition-all duration-300"
+                style={{ width: `${Math.round(state.percent)}%` }}
+              />
+            </div>
+            <p className="text-xs text-muted-foreground mt-1">
+              {Math.round(state.percent)}%
+            </p>
+          </div>
+        </div>
+      )}
+
+      {state.status === "ready" && (
+        <div className="flex items-start gap-3">
+          <div className="mt-0.5 rounded-md bg-success/10 p-1.5">
+            <RefreshCw className="size-4 text-success" />
+          </div>
+          <div className="flex-1 min-w-0">
+            <p className="text-sm font-medium">Update ready</p>
+            <p className="text-xs text-muted-foreground mt-0.5">
+              Restart to apply the update
+            </p>
+            <div className="mt-2 flex items-center gap-1.5">
+              {/* Secondary "See changes" — gives the user a reason to
+                  restart by surfacing what they're about to get. Opens
+                  in the default browser via the shared openExternal
+                  bridge so the URL hits the same allow-list as every
+                  other outbound link. */}
+              <button
+                onClick={() => window.desktopAPI.openExternal("https://multica.ai/changelog")}
+                className="inline-flex items-center rounded-md border border-border bg-background px-3 py-1.5 text-xs font-medium text-foreground hover:bg-accent transition-colors"
+              >
+                See changes
+              </button>
+              <button
+                onClick={handleInstall}
+                className="inline-flex items-center rounded-md bg-primary px-3 py-1.5 text-xs font-medium text-primary-foreground hover:bg-primary/90 transition-colors"
+              >
+                Restart now
+              </button>
+            </div>
+          </div>
+        </div>
+      )}
     </div>
   );
 }

apps/desktop/src/renderer/src/components/updates-settings-tab.tsx

@@ -1,7 +1,6 @@
 import { useCallback, useState } from "react";
 import { AlertCircle, ArrowDownToLine, Check, Loader2 } from "lucide-react";
 import { Button } from "@multica/ui/components/ui/button";
-import { useT } from "@multica/views/i18n";
 
 type CheckState =
   | { status: "idle" }
@@ -11,7 +10,6 @@ type CheckState =
   | { status: "error"; message: string };
 
 export function UpdatesSettingsTab() {
-  const { t } = useT("settings");
   const [state, setState] = useState<CheckState>({ status: "idle" });
   const currentVersion = window.desktopAPI.appInfo.version;
 
@@ -31,15 +29,16 @@ export function UpdatesSettingsTab() {
 
   return (
     <div>
-      <h2 className="text-lg font-semibold">{t(($) => $.desktop.updates.title)}</h2>
+      <h2 className="text-lg font-semibold">Updates</h2>
       <p className="text-sm text-muted-foreground mt-1">
-        {t(($) => $.desktop.updates.description)}
+        The desktop app checks for new versions automatically once an hour and
+        shortly after launch.
       </p>
 
       <div className="mt-6 divide-y">
         <div className="flex items-center justify-between gap-6 py-4">
           <div className="min-w-0">
-            <p className="text-sm font-medium">{t(($) => $.desktop.updates.current_version)}</p>
+            <p className="text-sm font-medium">Current version</p>
             <p className="text-sm text-muted-foreground mt-0.5 font-mono">
               v{currentVersion}
             </p>
@@ -48,20 +47,22 @@ export function UpdatesSettingsTab() {
 
         <div className="flex items-start justify-between gap-6 py-4">
           <div className="min-w-0">
-            <p className="text-sm font-medium">{t(($) => $.desktop.updates.check_section_title)}</p>
+            <p className="text-sm font-medium">Check for updates</p>
             <p className="text-sm text-muted-foreground mt-0.5">
-              {t(($) => $.desktop.updates.check_section_description)}
+              Trigger a check now instead of waiting for the next automatic
+              poll. Available updates appear as a notification in the corner.
             </p>
             {state.status === "up-to-date" && (
               <p className="text-sm text-muted-foreground mt-2 inline-flex items-center gap-1.5">
                 <Check className="size-3.5 text-success" />
-                {t(($) => $.desktop.updates.up_to_date)}
+                You&apos;re on the latest version.
               </p>
             )}
             {state.status === "available" && (
               <p className="text-sm text-muted-foreground mt-2 inline-flex items-center gap-1.5">
                 <ArrowDownToLine className="size-3.5 text-primary" />
-                {t(($) => $.desktop.updates.downloading, { version: state.latestVersion })}
+                v{state.latestVersion} is available — see the download prompt
+                in the corner.
               </p>
             )}
             {state.status === "error" && (
@@ -81,10 +82,10 @@ export function UpdatesSettingsTab() {
               {state.status === "checking" ? (
                 <>
                   <Loader2 className="size-3.5 animate-spin" />
-                  {t(($) => $.desktop.updates.checking)}
+                  Checking…
                 </>
               ) : (
-                t(($) => $.desktop.updates.check_now)
+                "Check now"
               )}
             </Button>
           </div>

apps/desktop/src/renderer/src/components/window-overlay.tsx

@@ -1,7 +1,6 @@
 import { useQuery } from "@tanstack/react-query";
 import { NewWorkspacePage } from "@multica/views/workspace/new-workspace-page";
 import { InvitePage } from "@multica/views/invite";
-import { InvitationsPage } from "@multica/views/invitations";
 import { OnboardingFlow } from "@multica/views/onboarding";
 import { useNavigation } from "@multica/views/navigation";
 import { paths } from "@multica/core/paths";
@@ -59,28 +58,20 @@ function WindowOverlayInner() {
           onBack={onBack}
         />
       )}
-      {overlay.type === "invitations" && <InvitationsPage />}
       {overlay.type === "onboarding" && (
         <OnboardingFlow
-          onComplete={(ws, issueId) => {
+          onComplete={(ws) => {
             close();
-            // Runtime-connected onboarding lands on its single guide
-            // issue. Runtime-less exits still land on the issues list.
-            if (ws && issueId) {
-              push(paths.workspace(ws.slug).issueDetail(issueId));
-            } else if (ws) {
+            // Post-onboarding landing is always the workspace issues
+            // list. The welcome-issue flow moved into a dialog that
+            // renders on that page (StarterContentPrompt), so the
+            // flow doesn't need to thread a target issue id back here.
+            if (ws) {
               push(paths.workspace(ws.slug).issues());
             } else {
               push(paths.root());
             }
           }}
-          // Restart the bundled daemon when the user hits Refresh on
-          // Step 3. The daemon's PATH probe runs once at boot, so a
-          // newly-installed CLI (Claude / Codex / Cursor) doesn't show
-          // up until the daemon is bounced.
-          onRuntimeRefresh={async () => {
-            await window.daemonAPI?.restart?.();
-          }}
         />
       )}
     </div>

apps/desktop/src/renderer/src/components/workspace-route-layout.test.tsx

@@ -1,147 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-import { render } from "@testing-library/react";
-import { MemoryRouter, Route, Routes } from "react-router-dom";
-
-// vi.hoisted shared state for all the stores / hooks the layout consumes.
-const state = vi.hoisted(() => ({
-  user: null as { id: string } | null,
-  isAuthLoading: false,
-  overlay: null as { type: string } | null,
-  workspace: null as { id: string; slug: string } | null,
-  listFetched: true,
-  wsList: [] as { id: string; slug: string }[],
-  workspaceSeen: true,
-  modalRenders: 0,
-  modalAriaLabel: "source-backfill-modal-marker",
-}));
-
-vi.mock("@multica/core/auth", () => {
-  const useAuthStore = (selector: (s: typeof state) => unknown) => {
-    if (selector.toString().includes("isLoading"))
-      return state.isAuthLoading;
-    return state.user;
-  };
-  return { useAuthStore };
-});
-
-vi.mock("@multica/core/platform", () => ({
-  setCurrentWorkspace: vi.fn(),
-}));
-
-vi.mock("@multica/core/workspace", async () => {
-  const actual = await vi.importActual<typeof import("@multica/core/workspace")>(
-    "@multica/core/workspace",
-  );
-  return {
-    ...actual,
-    workspaceBySlugOptions: () => ({
-      queryKey: ["workspace-by-slug"],
-      queryFn: async () => state.workspace,
-    }),
-    workspaceListOptions: () => ({
-      queryKey: ["workspace-list"],
-      queryFn: async () => state.wsList,
-    }),
-  };
-});
-
-vi.mock("@multica/core/paths", async () => {
-  const actual = await vi.importActual<typeof import("@multica/core/paths")>(
-    "@multica/core/paths",
-  );
-  return {
-    ...actual,
-    WorkspaceSlugProvider: ({ children }: { children: React.ReactNode }) => (
-      <>{children}</>
-    ),
-    paths: {
-      ...actual.paths,
-      login: () => "/login",
-    },
-  };
-});
-
-vi.mock("@multica/views/workspace/use-workspace-seen", () => ({
-  useWorkspaceSeen: () => state.workspaceSeen,
-}));
-
-vi.mock("@multica/views/workspace/welcome-after-onboarding", () => ({
-  WelcomeAfterOnboarding: () => null,
-}));
-
-vi.mock("@multica/views/layout", () => ({
-  WorkspacePresencePrefetch: () => null,
-}));
-
-// The point of this whole test: assert the desktop layout mounts the
-// SourceBackfillModal. We stub the real component with a marker that
-// renders only when the layout actually rendered it (and not e.g.
-// suppressed by overlayActive).
-vi.mock("@multica/views/onboarding", () => ({
-  SourceBackfillModal: () => {
-    state.modalRenders += 1;
-    return <div data-testid={state.modalAriaLabel} />;
-  },
-}));
-
-vi.mock("@/stores/tab-store", () => ({
-  useTabStore: Object.assign(() => null, {
-    getState: () => ({ validateWorkspaceSlugs: vi.fn() }),
-  }),
-}));
-
-vi.mock("@/stores/window-overlay-store", () => {
-  const useWindowOverlayStore = (selector: (s: typeof state) => unknown) =>
-    selector(state);
-  return { useWindowOverlayStore };
-});
-
-import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
-import { WorkspaceRouteLayout } from "./workspace-route-layout";
-
-function renderLayout() {
-  const qc = new QueryClient({
-    defaultOptions: { queries: { retry: false, gcTime: 0 } },
-  });
-  // Seed the workspace queries so the gate inside the layout passes
-  // synchronously — the real hook reads from cache.
-  qc.setQueryData(["workspace-by-slug"], state.workspace);
-  qc.setQueryData(["workspace-list"], state.wsList);
-  return render(
-    <QueryClientProvider client={qc}>
-      <MemoryRouter initialEntries={["/acme/issues"]}>
-        <Routes>
-          <Route path=":workspaceSlug/*" element={<WorkspaceRouteLayout />}>
-            <Route path="*" element={<div data-testid="outlet" />} />
-          </Route>
-        </Routes>
-      </MemoryRouter>
-    </QueryClientProvider>,
-  );
-}
-
-beforeEach(() => {
-  state.user = { id: "u1" };
-  state.isAuthLoading = false;
-  state.overlay = null;
-  state.workspace = { id: "ws-1", slug: "acme" };
-  state.listFetched = true;
-  state.wsList = [{ id: "ws-1", slug: "acme" }];
-  state.workspaceSeen = true;
-  state.modalRenders = 0;
-});
-
-describe("WorkspaceRouteLayout", () => {
-  it("mounts SourceBackfillModal when no WindowOverlay is active", () => {
-    const { queryByTestId } = renderLayout();
-    expect(queryByTestId(state.modalAriaLabel)).not.toBeNull();
-    expect(state.modalRenders).toBeGreaterThan(0);
-  });
-
-  it("suppresses SourceBackfillModal while a WindowOverlay is active", () => {
-    state.overlay = { type: "new-workspace" };
-    const { queryByTestId } = renderLayout();
-    expect(queryByTestId(state.modalAriaLabel)).toBeNull();
-    expect(state.modalRenders).toBe(0);
-  });
-});

apps/desktop/src/renderer/src/components/workspace-route-layout.tsx

@@ -9,11 +9,8 @@ import {
 import { setCurrentWorkspace } from "@multica/core/platform";
 import { useAuthStore } from "@multica/core/auth";
 import { useWorkspaceSeen } from "@multica/views/workspace/use-workspace-seen";
-import { WelcomeAfterOnboarding } from "@multica/views/workspace/welcome-after-onboarding";
 import { WorkspacePresencePrefetch } from "@multica/views/layout";
-import { SourceBackfillModal } from "@multica/views/onboarding";
 import { useTabStore } from "@/stores/tab-store";
-import { useWindowOverlayStore } from "@/stores/window-overlay-store";
 
 /**
  * Desktop equivalent of apps/web/app/[workspaceSlug]/layout.tsx.
@@ -37,15 +34,6 @@ export function WorkspaceRouteLayout() {
   const navigate = useNavigate();
   const user = useAuthStore((s) => s.user);
   const isAuthLoading = useAuthStore((s) => s.isLoading);
-  // While a WindowOverlay is open (onboarding, accept-invite, new-workspace),
-  // the underlying tab is still mounted in the React tree — so this layout
-  // and its WelcomeAfterOnboarding Modal would render UNDER the overlay.
-  // Because the modal uses a Portal that targets document.body, it ends up
-  // rendered LATER in the DOM and visually outranks the overlay's z-50.
-  // Suppress the modal whenever any overlay is active; the moment the
-  // overlay closes the welcome hook re-evaluates and pops if its store
-  // signal is still set.
-  const overlayActive = useWindowOverlayStore((s) => s.overlay !== null);
 
   // Workspace routes require auth. If user is unauthenticated, bounce to /login.
   useEffect(() => {
@@ -97,21 +85,6 @@ export function WorkspaceRouteLayout() {
     <WorkspaceSlugProvider slug={workspaceSlug}>
       <WorkspacePresencePrefetch />
       <Outlet />
-      {/* Reads the welcome-store transient signal parked by
-       *  OnboardingFlow.handleRuntimeNext. Suppressed while a WindowOverlay
-       *  (onboarding / accept-invite / new-workspace) is open so the modal
-       *  doesn't portal-jump in front of an active pre-workspace flow.
-       *  Once the overlay closes the hook re-evaluates and pops the
-       *  Modal — unless the store signal has already been consumed, in
-       *  which case the hook renders null. */}
-      {!overlayActive && <WelcomeAfterOnboarding />}
-      {/* Source-attribution backfill: same Dialog the web shell mounts
-       *  inside DashboardLayout. Desktop's WorkspaceRouteLayout doesn't
-       *  wrap DashboardLayout, so the modal has to be wired in directly
-       *  here. Same overlay-suppression rule as WelcomeAfterOnboarding —
-       *  a portal-rendered Dialog at z-50 would otherwise sit above an
-       *  active pre-workspace overlay. */}
-      {!overlayActive && <SourceBackfillModal />}
     </WorkspaceSlugProvider>
   );
 }

apps/desktop/src/renderer/src/font-fallback-order.test.ts

@@ -1,58 +0,0 @@
-import { readFileSync } from "node:fs";
-import { resolve } from "node:path";
-import { describe, expect, it } from "vitest";
-
-const chineseFonts = ["PingFang SC", "Microsoft YaHei", "Noto Sans CJK SC"];
-const koreanFonts = ["Apple SD Gothic Neo", "Malgun Gothic", "Noto Sans CJK KR"];
-const japaneseFonts = ["Hiragino Sans", "Yu Gothic", "Noto Sans CJK JP"];
-
-function expectChineseFontsBeforeKoreanFonts(source: string) {
-  const chineseIndexes = chineseFonts.map((font) => source.indexOf(font));
-  const koreanIndexes = koreanFonts.map((font) => source.indexOf(font));
-
-  expect(chineseIndexes).not.toContain(-1);
-  expect(koreanIndexes).not.toContain(-1);
-
-  for (const chineseIndex of chineseIndexes) {
-    for (const koreanIndex of koreanIndexes) {
-      expect(chineseIndex).toBeLessThan(koreanIndex);
-    }
-  }
-}
-
-// Japanese Kanji share the Han Unicode block with Chinese, so the global
-// Chinese-first stack must stay Chinese-first (no zh regression) while a
-// Japanese-first CJK stack is scoped to html[lang|="ja"]. App.tsx syncs
-// document.documentElement.lang so the selector matches at runtime.
-function expectJapaneseScopedOverride(source: string) {
-  expect(source).toContain('html[lang|="ja"]');
-
-  const japaneseIndexes = japaneseFonts.map((font) => source.indexOf(font));
-  expect(japaneseIndexes).not.toContain(-1);
-
-  const firstJapanese = Math.min(...japaneseIndexes);
-  const lastChinese = Math.max(
-    ...chineseFonts.map((font) => source.lastIndexOf(font)),
-  );
-  expect(firstJapanese).toBeLessThan(lastChinese);
-}
-
-describe("CJK font fallback order", () => {
-  it("keeps desktop Chinese font fallbacks before Korean font fallbacks", () => {
-    const desktopCss = readFileSync(
-      resolve(process.cwd(), "src/renderer/src/globals.css"),
-      "utf8",
-    );
-
-    expectChineseFontsBeforeKoreanFonts(desktopCss);
-  });
-
-  it("scopes the Japanese-first CJK stack to html[lang|='ja']", () => {
-    const desktopCss = readFileSync(
-      resolve(process.cwd(), "src/renderer/src/globals.css"),
-      "utf8",
-    );
-
-    expectJapaneseScopedOverride(desktopCss);
-  });
-});

apps/desktop/src/renderer/src/globals.css

@@ -6,15 +6,16 @@
 
 @custom-variant dark (&:is(.dark *));
 
-/* Font stack: Inter for Latin UI text + system CJK fonts for localized content.
+/* Font stack: Inter for Latin UI text + system Chinese fonts for zh content.
    Web app uses the same stack via next/font/google in apps/web/app/layout.tsx —
    keep the CJK fallback tail in sync across both files. The Inter primary family
    differs by design: next/font produces `__Inter_xxx` (with a synthetic size-adjusted
    fallback face to prevent FOUT layout shift); desktop uses fontsource's "Inter Variable".
    Both resolve to Inter glyphs, so rendering is identical in practice.
-   Per-character fallback: Latin chars render with Inter, CJK chars render with
-   the platform-native Chinese/Korean fallback when needed. Chinese fonts must stay
-   before Korean fonts so zh users do not receive Korean Hanja glyph shapes.
+   Currently covers English + Simplified Chinese. When ja/ko i18n lands, extend
+   the tail with Hiragino Kaku Gothic ProN / Yu Gothic / Apple SD Gothic Neo / Malgun Gothic.
+   Per-character fallback: Latin chars render with Inter, Chinese chars with
+   PingFang SC (macOS) / Microsoft YaHei (Windows) / Noto Sans CJK SC (Linux).
 
    Mono font has no explicit CJK fallback: CJK chars in code blocks are inherently
    non-aligned with a mono grid (Chinese is proportional), so listing CJK fonts
@@ -22,35 +23,14 @@
    the rare mixed case correctly. */
 :root {
   --font-sans: "Inter Variable", "Inter", -apple-system, BlinkMacSystemFont,
-               "Segoe UI", "PingFang SC", "Microsoft YaHei",
-               "Noto Sans CJK SC", "Apple SD Gothic Neo", "Malgun Gothic",
-               "Noto Sans CJK KR", sans-serif;
+               "Segoe UI", "PingFang SC", "Microsoft YaHei", "Noto Sans CJK SC",
+               sans-serif;
   --font-serif: "Source Serif 4 Variable", "Source Serif 4", "Iowan Old Style",
                 "Apple Garamond", Baskerville, "Times New Roman", serif;
   --font-mono: "Geist Mono", ui-monospace, SFMono-Regular, Menlo, Consolas,
                monospace;
 }
 
-/* Japanese-scoped CJK override. Japanese Kanji share the Han Unicode block
-   with Chinese, and CSS font-fallback order is not changed by <html lang> —
-   so the global Chinese-first stack above would give Japanese users Chinese
-   glyph shapes for shared ideographs. We keep the global stack Chinese-first
-   (no regression for zh users) and promote Japanese fonts ahead of the
-   Chinese/Korean families only when the locale is Japanese. App.tsx syncs
-   document.documentElement.lang to the active locale so this selector
-   matches. Mirrors the lang-scoped override in apps/web/app/layout.tsx.
-   `[lang|="ja"]` is the BCP-47 language-range selector: it matches exactly
-   `ja` or `ja-<region>` (App.tsx sets `ja-JP`), never unrelated subtags
-   such as `jam`. */
-html[lang|="ja"] {
-  --font-sans: "Inter Variable", "Inter", "Hiragino Sans",
-               "Hiragino Kaku Gothic ProN", "Yu Gothic", "YuGothic", "Meiryo",
-               "Noto Sans CJK JP", "Noto Sans JP", -apple-system,
-               BlinkMacSystemFont, "Segoe UI", "PingFang SC", "Microsoft YaHei",
-               "Noto Sans CJK SC", "Apple SD Gothic Neo", "Malgun Gothic",
-               "Noto Sans CJK KR", sans-serif;
-}
-
 @source "../../../../../packages/ui/**/*.tsx";
 @source "../../../../../packages/core/**/*.{ts,tsx}";
 @source "../../../../../packages/views/**/*.{ts,tsx}";

apps/desktop/src/renderer/src/hooks/use-tab-scroll-restore.test.tsx

@@ -1,116 +0,0 @@
-import { Activity } from "react";
-import { describe, expect, it } from "vitest";
-import { fireEvent, render } from "@testing-library/react";
-import { useTabScrollRestore } from "./use-tab-scroll-restore";
-
-function Harness({ path }: { path: string }) {
-  const ref = useTabScrollRestore(path);
-  return (
-    <div ref={ref} style={{ display: "contents" }}>
-      <div
-        data-tab-scroll-root
-        data-testid="scroller"
-        style={{ height: 100, overflow: "auto" }}
-      >
-        <div style={{ height: 1000 }} />
-      </div>
-      <div
-        data-tab-scroll-root="aside"
-        data-testid="aside"
-        style={{ height: 100, overflow: "auto" }}
-      >
-        <div style={{ height: 1000 }} />
-      </div>
-      <div
-        data-testid="unmarked"
-        style={{ height: 100, overflow: "auto" }}
-      >
-        <div style={{ height: 1000 }} />
-      </div>
-    </div>
-  );
-}
-
-function App({ visible, path }: { visible: boolean; path: string }) {
-  return (
-    <Activity mode={visible ? "visible" : "hidden"}>
-      <Harness path={path} />
-    </Activity>
-  );
-}
-
-function setScroll(el: HTMLElement, top: number) {
-  el.scrollTop = top;
-  fireEvent.scroll(el);
-}
-
-describe("useTabScrollRestore", () => {
-  it("restores scroll position when a tab cycles through hidden -> visible", () => {
-    const { rerender, getByTestId } = render(
-      <App visible={true} path="/acme/issues/1" />,
-    );
-    const scroller = getByTestId("scroller") as HTMLElement;
-
-    setScroll(scroller, 500);
-    expect(scroller.scrollTop).toBe(500);
-
-    // Simulate Activity hiding the subtree: layout would drop the offset.
-    rerender(<App visible={false} path="/acme/issues/1" />);
-    scroller.scrollTop = 0;
-
-    rerender(<App visible={true} path="/acme/issues/1" />);
-    expect(scroller.scrollTop).toBe(500);
-  });
-
-  it("restores multiple named scroll roots independently", () => {
-    const { rerender, getByTestId } = render(
-      <App visible={true} path="/acme/issues/1" />,
-    );
-    const main = getByTestId("scroller") as HTMLElement;
-    const aside = getByTestId("aside") as HTMLElement;
-
-    setScroll(main, 300);
-    setScroll(aside, 150);
-
-    rerender(<App visible={false} path="/acme/issues/1" />);
-    main.scrollTop = 0;
-    aside.scrollTop = 0;
-
-    rerender(<App visible={true} path="/acme/issues/1" />);
-    expect(main.scrollTop).toBe(300);
-    expect(aside.scrollTop).toBe(150);
-  });
-
-  it("ignores scroll on elements without the data-tab-scroll-root marker", () => {
-    const { rerender, getByTestId } = render(
-      <App visible={true} path="/acme/issues/1" />,
-    );
-    const unmarked = getByTestId("unmarked") as HTMLElement;
-
-    setScroll(unmarked, 250);
-
-    rerender(<App visible={false} path="/acme/issues/1" />);
-    unmarked.scrollTop = 0;
-
-    rerender(<App visible={true} path="/acme/issues/1" />);
-    expect(unmarked.scrollTop).toBe(0);
-  });
-
-  it("drops saved offsets when the tab path changes (intra-tab navigation)", () => {
-    const { rerender, getByTestId } = render(
-      <App visible={true} path="/acme/issues/1" />,
-    );
-    const scroller = getByTestId("scroller") as HTMLElement;
-
-    setScroll(scroller, 500);
-
-    // Navigating within the tab swaps the active route — same marker key,
-    // different page. We should NOT restore the prior page's offset.
-    rerender(<App visible={true} path="/acme/issues/2" />);
-    scroller.scrollTop = 0;
-
-    rerender(<App visible={false} path="/acme/issues/2" />);
-    rerender(<App visible={true} path="/acme/issues/2" />);
-    expect(scroller.scrollTop).toBe(0);
-  });
-});

apps/desktop/src/renderer/src/hooks/use-tab-scroll-restore.ts

@@ -1,106 +0,0 @@
-import { useEffect, useLayoutEffect, useRef } from "react";
-
-/**
- * Persist a tab's scroll positions across <Activity> visibility transitions.
- *
- * Tabs render under `<Activity mode="visible|hidden">`, which keeps React
- * state but loses DOM scrollTop — the subtree is taken out of layout while
- * hidden and rejoins with scrollTop=0. This hook records every marked
- * container's `scrollTop` while the tab is visible (continuously, via a
- * capture-phase scroll listener) and restores them in a `useLayoutEffect`
- * the next time the tab becomes visible, before the browser paints.
- *
- * Mark scroll containers in views with `data-tab-scroll-root`. The
- * attribute value is the cache key — defaults to `"main"` for unnamed
- * roots. Most pages have a single scroll container, so a bare attribute
- * is enough; named keys are only needed when a page has multiple
- * independently scrollable regions whose positions must all be restored.
- *
- * When the tab's path changes (intra-tab navigation), the saved offsets
- * are dropped — the new route's container shares the same marker key but
- * is a different page, and restoring the old offset would land the user
- * somewhere arbitrary on the new page.
- *
- * For virtualized children (Virtuoso, react-virtual, etc.) the single
- * synchronous `scrollTop = saved` inside useLayoutEffect isn't enough:
- * the child registers its observers in a passive useEffect that fires
- * later, so at restore time the container's scrollHeight has collapsed
- * to clientHeight and the browser clamps our assignment to 0. The
- * restore loops across rAF frames until the assignment sticks, which
- * lets virtualization rehydrate before we give up.
- */
-export function useTabScrollRestore(tabPath: string) {
-  const containerRef = useRef<HTMLDivElement>(null);
-  const savedRef = useRef<Map<string, number>>(new Map());
-  const prevPathRef = useRef(tabPath);
-
-  if (prevPathRef.current !== tabPath) {
-    savedRef.current.clear();
-    prevPathRef.current = tabPath;
-  }
-
-  // <Activity> cleans up effects on hidden and re-mounts them on visible,
-  // so an empty-deps useLayoutEffect runs exactly on every hidden → visible
-  // transition. Restoring here (before the browser paints) handles the
-  // common case without a flash.
-  //
-  // The synchronous set isn't enough for virtualized lists though
-  // (issue-detail uses Virtuoso with customScrollParent). Virtuoso wires
-  // its scroll/resize observers in a passive useEffect, which fires AFTER
-  // useLayoutEffect — so at the moment we try to restore, the spacer that
-  // gives the container its tall scrollHeight hasn't been re-established
-  // yet. The browser silently clamps `scrollTop = saved` down to 0 because
-  // `scrollHeight === clientHeight` in that window. Retry across rAF
-  // frames until the set sticks (or we time out around the time any sane
-  // child should have laid out, ~500ms).
-  useLayoutEffect(() => {
-    const root = containerRef.current;
-    if (!root) return;
-    const els = root.querySelectorAll<HTMLElement>("[data-tab-scroll-root]");
-    const cancellers: Array<() => void> = [];
-    els.forEach((el) => {
-      const key = scrollKey(el);
-      const saved = savedRef.current.get(key);
-      if (saved === undefined) return;
-      el.scrollTop = saved;
-      if (el.scrollTop === saved) return;
-
-      let cancelled = false;
-      let attempts = 0;
-      const maxAttempts = 30; // ~500ms at 60fps
-      const tick = () => {
-        if (cancelled) return;
-        el.scrollTop = saved;
-        attempts++;
-        if (el.scrollTop === saved) return;
-        if (attempts >= maxAttempts) return;
-        requestAnimationFrame(tick);
-      };
-      requestAnimationFrame(tick);
-      cancellers.push(() => {
-        cancelled = true;
-      });
-    });
-    return () => cancellers.forEach((c) => c());
-  }, []);
-
-  useEffect(() => {
-    const root = containerRef.current;
-    if (!root) return;
-    const onScroll = (e: Event) => {
-      const target = e.target;
-      if (!(target instanceof HTMLElement)) return;
-      if (!target.hasAttribute("data-tab-scroll-root")) return;
-      savedRef.current.set(scrollKey(target), target.scrollTop);
-    };
-    // Scroll events don't bubble, but capture catches them anyway.
-    root.addEventListener("scroll", onScroll, { capture: true, passive: true });
-    return () => root.removeEventListener("scroll", onScroll, true);
-  }, []);
-
-  return containerRef;
-}
-
-function scrollKey(el: HTMLElement): string {
-  return el.getAttribute("data-tab-scroll-root") || "main";
-}

apps/desktop/src/renderer/src/pages/attachment-preview-page.tsx

@@ -1,16 +0,0 @@
-import { useParams, useSearchParams } from "react-router-dom";
-import { AttachmentPreviewPage } from "@multica/views/attachments";
-import { ErrorBoundary } from "@multica/ui/components/common/error-boundary";
-
-export function AttachmentPreviewRoute() {
-  const { id } = useParams<{ id: string }>();
-  const [searchParams] = useSearchParams();
-  const filename = searchParams.get("name") ?? undefined;
-
-  if (!id) return null;
-  return (
-    <ErrorBoundary resetKeys={[id]}>
-      <AttachmentPreviewPage attachmentId={id} filename={filename} />
-    </ErrorBoundary>
-  );
-}

apps/desktop/src/renderer/src/pages/issue-detail-page.tsx

@@ -13,8 +13,5 @@ export function IssueDetailPage() {
   useDocumentTitle(issue ? `${issue.identifier}: ${issue.title}` : "Issue");
 
   if (!id) return null;
-  // Render errors bubble to the root route errorElement (DesktopRouteErrorPage),
-  // which contains the crash inside the tab content pane. No page-level boundary
-  // here — a whole-page wrapper duplicates the route-level error UI.
   return <IssueDetail issueId={id} />;
 }

apps/desktop/src/renderer/src/pages/login.tsx

@@ -2,23 +2,14 @@ import { LoginPage } from "@multica/views/auth";
 import { DragStrip } from "@multica/views/platform";
 import { MulticaIcon } from "@multica/ui/components/common/multica-icon";
 
-function requireRuntimeAppUrl(): string {
-  const runtimeConfig = window.desktopAPI.runtimeConfig;
-  if (!runtimeConfig.ok) {
-    throw new Error(
-      "Invariant violated: DesktopLoginPage rendered before App accepted runtime config",
-    );
-  }
-  return runtimeConfig.config.appUrl;
-}
+const WEB_URL = import.meta.env.VITE_APP_URL || "http://localhost:3000";
 
 export function DesktopLoginPage() {
-  const webUrl = requireRuntimeAppUrl();
   const handleGoogleLogin = () => {
     // Open web login page in the default browser with platform=desktop flag.
     // The web callback will redirect back via multica:// deep link with the token.
     window.desktopAPI.openExternal(
-      `${webUrl}/login?platform=desktop`,
+      `${WEB_URL}/login?platform=desktop`,
     );
   };
 

apps/desktop/src/renderer/src/pages/member-detail-page.tsx

@@ -1,18 +0,0 @@
-import { useParams } from "react-router-dom";
-import { useQuery } from "@tanstack/react-query";
-import { MemberDetailPage as SharedMemberDetailPage } from "@multica/views/members";
-import { useWorkspaceId } from "@multica/core/hooks";
-import { memberListOptions } from "@multica/core/workspace/queries";
-import { useDocumentTitle } from "@/hooks/use-document-title";
-
-export function MemberDetailPage() {
-  const { id } = useParams<{ id: string }>();
-  const wsId = useWorkspaceId();
-  const { data: members = [] } = useQuery(memberListOptions(wsId));
-  const member = members.find((m) => m.user_id === id) ?? null;
-
-  useDocumentTitle(member?.name ?? "Member");
-
-  if (!id) return null;
-  return <SharedMemberDetailPage userId={id} />;
-}

apps/desktop/src/renderer/src/platform/i18n-adapter.ts

@@ -1,31 +0,0 @@
-import type { LocaleAdapter, SupportedLocale } from "@multica/core/i18n";
-
-const STORAGE_KEY = "multica-locale";
-
-// Desktop adapter:
-//   - User choice: localStorage (set by Settings switcher).
-//   - System preference: locale main injected via additionalArguments
-//     (read from preload, exposed on window.desktopAPI.systemLocale).
-//   - Persist: localStorage. The Settings switcher additionally PATCHes
-//     /api/me when logged in so user.language follows the user across devices.
-export function createDesktopLocaleAdapter(systemLocale: string): LocaleAdapter {
-  return {
-    getUserChoice() {
-      try {
-        return window.localStorage.getItem(STORAGE_KEY);
-      } catch {
-        return null;
-      }
-    },
-    getSystemPreferences() {
-      return systemLocale ? [systemLocale] : [];
-    },
-    persist(locale: SupportedLocale) {
-      try {
-        window.localStorage.setItem(STORAGE_KEY, locale);
-      } catch {
-        // Best-effort
-      }
-    },
-  };
-}

apps/desktop/src/renderer/src/platform/navigation.test.tsx

@@ -1,421 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-import { render } from "@testing-library/react";
-import { useEffect } from "react";
-
-// Shared in-memory state that the mocked tab store reads / mutates. The test
-// records every method call so we can assert openInNewTab does NOT activate
-// the new tab (i.e. setActiveTab is never invoked on the same-workspace path).
-type MockRouter = {
-  state: { location: { pathname: string; search: string; hash: string } };
-  navigate: ReturnType<typeof vi.fn>;
-};
-
-type MockTab = {
-  id: string;
-  path: string;
-  pinned: boolean;
-  router: MockRouter;
-};
-
-function makeMockRouter(pathname: string, search = "", hash = ""): MockRouter {
-  return {
-    state: { location: { pathname, search, hash } },
-    navigate: vi.fn(),
-  };
-}
-
-const state = vi.hoisted(() => ({
-  activeWorkspaceSlug: "acme" as string | null,
-  byWorkspace: {
-    acme: {
-      activeTabId: "tA",
-      tabs: [
-        {
-          id: "tA",
-          path: "/acme/issues",
-          pinned: false,
-          router: makeMockRouter("/acme/issues"),
-        },
-      ] as MockTab[],
-    },
-  } as Record<string, { activeTabId: string; tabs: MockTab[] }>,
-  openTab: vi.fn<(path: string, title?: string, icon?: string) => string>(),
-  setActiveTab: vi.fn<(tabId: string) => void>(),
-  switchWorkspace: vi.fn<(slug: string, openPath?: string) => void>(),
-}));
-
-vi.mock("@/stores/tab-store", () => {
-  const store = {
-    get activeWorkspaceSlug() {
-      return state.activeWorkspaceSlug;
-    },
-    get byWorkspace() {
-      return state.byWorkspace;
-    },
-    openTab: state.openTab,
-    setActiveTab: state.setActiveTab,
-    switchWorkspace: state.switchWorkspace,
-  };
-  const useTabStore = Object.assign(
-    (selector?: (s: typeof store) => unknown) =>
-      selector ? selector(store) : store,
-    { getState: () => store },
-  );
-  const getActiveTab = () => {
-    const slug = state.activeWorkspaceSlug;
-    if (!slug) return null;
-    const group = state.byWorkspace[slug];
-    if (!group) return null;
-    return group.tabs.find((t) => t.id === group.activeTabId) ?? null;
-  };
-  const useActiveTabIdentity = () => ({
-    slug: state.activeWorkspaceSlug,
-    tabId: state.activeWorkspaceSlug
-      ? (state.byWorkspace[state.activeWorkspaceSlug]?.activeTabId ?? null)
-      : null,
-  });
-  const useActiveTabRouter = () => null;
-  const resolveRouteIcon = () => "File";
-  return {
-    useTabStore,
-    getActiveTab,
-    useActiveTabIdentity,
-    useActiveTabRouter,
-    resolveRouteIcon,
-  };
-});
-
-vi.mock("@/stores/window-overlay-store", () => ({
-  useWindowOverlayStore: Object.assign(
-    () => null,
-    { getState: () => ({ overlay: null, open: vi.fn(), close: vi.fn() }) },
-  ),
-}));
-
-vi.mock("@multica/core/auth", () => ({
-  useAuthStore: Object.assign(
-    () => null,
-    { getState: () => ({ logout: vi.fn() }) },
-  ),
-}));
-
-vi.mock("@multica/core/paths", () => ({
-  isReservedSlug: (s: string) =>
-    ["login", "workspaces", "invite", "onboarding", "invitations"].includes(s),
-}));
-
-// DesktopNavigationProvider reads window.desktopAPI.runtimeConfig synchronously.
-beforeEach(() => {
-  state.openTab.mockReset();
-  state.setActiveTab.mockReset();
-  state.switchWorkspace.mockReset();
-  state.openTab.mockImplementation(() => "tNew");
-  state.activeWorkspaceSlug = "acme";
-  state.byWorkspace = {
-    acme: {
-      activeTabId: "tA",
-      tabs: [
-        {
-          id: "tA",
-          path: "/acme/issues",
-          pinned: false,
-          router: makeMockRouter("/acme/issues"),
-        },
-      ],
-    },
-  };
-  Object.defineProperty(window, "desktopAPI", {
-    configurable: true,
-    value: {
-      runtimeConfig: { ok: true, config: { appUrl: "https://app.example" } },
-    },
-  });
-});
-
-import {
-  DesktopNavigationProvider,
-  TabNavigationProvider,
-} from "./navigation";
-import { useNavigation } from "@multica/views/navigation";
-
-function captureAdapter(onAdapter: (adapter: ReturnType<typeof useNavigation>) => void) {
-  function Probe() {
-    const nav = useNavigation();
-    useEffect(() => {
-      onAdapter(nav);
-    }, [nav]);
-    return null;
-  }
-  return Probe;
-}
-
-describe("DesktopNavigationProvider.openInNewTab", () => {
-  it("opens a background tab (no setActiveTab) for a same-workspace path", () => {
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <DesktopNavigationProvider>
-        <Probe />
-      </DesktopNavigationProvider>,
-    );
-    expect(adapter).not.toBeNull();
-    adapter!.openInNewTab!("/acme/agents", "Agents");
-    expect(state.openTab).toHaveBeenCalledWith("/acme/agents", "Agents", "File");
-    expect(state.setActiveTab).not.toHaveBeenCalled();
-    expect(state.switchWorkspace).not.toHaveBeenCalled();
-  });
-
-  it("activates the new tab when opts.activate is true (foreground)", () => {
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <DesktopNavigationProvider>
-        <Probe />
-      </DesktopNavigationProvider>,
-    );
-    adapter!.openInNewTab!("/acme/agents", "Agents", { activate: true });
-    expect(state.openTab).toHaveBeenCalledWith("/acme/agents", "Agents", "File");
-    expect(state.setActiveTab).toHaveBeenCalledWith("tNew");
-    expect(state.switchWorkspace).not.toHaveBeenCalled();
-  });
-
-  it("delegates to switchWorkspace for a cross-workspace path", () => {
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <DesktopNavigationProvider>
-        <Probe />
-      </DesktopNavigationProvider>,
-    );
-    adapter!.openInNewTab!("/butter/inbox");
-    expect(state.switchWorkspace).toHaveBeenCalledWith("butter", "/butter/inbox");
-    expect(state.openTab).not.toHaveBeenCalled();
-    expect(state.setActiveTab).not.toHaveBeenCalled();
-  });
-});
-
-describe("DesktopNavigationProvider.push with pinned active tab", () => {
-  function pinActive(pathname: string) {
-    state.byWorkspace.acme.tabs[0] = {
-      id: "tA",
-      path: pathname,
-      pinned: true,
-      router: makeMockRouter(pathname),
-    };
-  }
-
-  it("redirects push to a new foreground tab when pathname differs", () => {
-    pinActive("/acme/issues");
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <DesktopNavigationProvider>
-        <Probe />
-      </DesktopNavigationProvider>,
-    );
-    adapter!.push("/acme/projects");
-    expect(state.openTab).toHaveBeenCalledWith("/acme/projects", "/acme/projects", "File");
-    expect(state.setActiveTab).toHaveBeenCalledWith("tNew");
-  });
-
-  it("allows in-tab navigation when only search/hash changes", () => {
-    pinActive("/acme/issues");
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <DesktopNavigationProvider>
-        <Probe />
-      </DesktopNavigationProvider>,
-    );
-    adapter!.push("/acme/issues?filter=open");
-    // Pathname unchanged → pinned interception declines and falls through to
-    // the router's own navigate — openTab / setActiveTab must not fire.
-    expect(state.openTab).not.toHaveBeenCalled();
-    expect(state.setActiveTab).not.toHaveBeenCalled();
-  });
-
-  it("leaves cross-workspace push to the workspace switcher (not pin)", () => {
-    pinActive("/acme/issues");
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <DesktopNavigationProvider>
-        <Probe />
-      </DesktopNavigationProvider>,
-    );
-    adapter!.push("/butter/inbox");
-    // Cross-workspace push runs through tryRouteToOtherWorkspace before
-    // tryRouteToPinnedNewTab, so switchWorkspace wins.
-    expect(state.switchWorkspace).toHaveBeenCalledWith("butter", "/butter/inbox");
-    expect(state.openTab).not.toHaveBeenCalled();
-  });
-});
-
-describe("DesktopNavigationProvider.push duplicate path guard", () => {
-  it("does not navigate when the target exactly matches the active tab location", () => {
-    const activeRouter = makeMockRouter("/acme/issues/child");
-    state.byWorkspace.acme.tabs[0] = {
-      id: "tA",
-      path: "/acme/issues/child",
-      pinned: false,
-      router: activeRouter,
-    };
-
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <DesktopNavigationProvider>
-        <Probe />
-      </DesktopNavigationProvider>,
-    );
-
-    adapter!.push("/acme/issues/child");
-
-    expect(activeRouter.navigate).not.toHaveBeenCalled();
-  });
-});
-
-describe("TabNavigationProvider.openInNewTab", () => {
-  function renderTabProvider() {
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    const fakeRouter = {
-      state: { location: { pathname: "/acme/issues", search: "" } },
-      subscribe: () => () => {},
-      navigate: vi.fn(),
-    } as unknown as Parameters<typeof TabNavigationProvider>[0]["router"];
-    render(
-      <TabNavigationProvider router={fakeRouter}>
-        <Probe />
-      </TabNavigationProvider>,
-    );
-    return () => adapter!;
-  }
-
-  it("opens a background tab (no setActiveTab) for a same-workspace path", () => {
-    const getAdapter = renderTabProvider();
-    getAdapter().openInNewTab!("/acme/agents", "Agents");
-    expect(state.openTab).toHaveBeenCalledWith("/acme/agents", "Agents", "File");
-    expect(state.setActiveTab).not.toHaveBeenCalled();
-    expect(state.switchWorkspace).not.toHaveBeenCalled();
-  });
-
-  it("activates the new tab when opts.activate is true (foreground)", () => {
-    const getAdapter = renderTabProvider();
-    getAdapter().openInNewTab!("/acme/agents", "Agents", { activate: true });
-    expect(state.openTab).toHaveBeenCalledWith("/acme/agents", "Agents", "File");
-    expect(state.setActiveTab).toHaveBeenCalledWith("tNew");
-    expect(state.switchWorkspace).not.toHaveBeenCalled();
-  });
-});
-
-describe("TabNavigationProvider.push duplicate path guard", () => {
-  function renderTabProviderAt(
-    pathname: string,
-    search = "",
-    hash = "",
-  ) {
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    const fakeRouter = {
-      state: { location: { pathname, search, hash } },
-      subscribe: () => () => {},
-      navigate: vi.fn(),
-    } as unknown as Parameters<typeof TabNavigationProvider>[0]["router"];
-    render(
-      <TabNavigationProvider router={fakeRouter}>
-        <Probe />
-      </TabNavigationProvider>,
-    );
-    return { getAdapter: () => adapter!, fakeRouter };
-  }
-
-  it("does not navigate when the target exactly matches the current full location", () => {
-    const { getAdapter, fakeRouter } = renderTabProviderAt("/acme/issues/child");
-
-    getAdapter().push("/acme/issues/child");
-
-    expect(fakeRouter.navigate).not.toHaveBeenCalled();
-  });
-
-  it("still navigates when only search or hash differs", () => {
-    const { getAdapter, fakeRouter } = renderTabProviderAt("/acme/issues");
-
-    getAdapter().push("/acme/issues?filter=open#top");
-
-    expect(fakeRouter.navigate).toHaveBeenCalledWith("/acme/issues?filter=open#top");
-  });
-});
-
-describe("TabNavigationProvider.push with pinned active tab", () => {
-  type ProviderRouter = Parameters<typeof TabNavigationProvider>[0]["router"];
-
-  function renderPinnedTabProvider(pathname: string) {
-    // The active tab and the per-tab router must share the same pathname:
-    // tryRouteToPinnedNewTab reads the *active tab's* router for the current
-    // pathname (so query-only pushes routed via React Router still compare
-    // correctly), while the TabNavigationProvider falls back to *its own*
-    // router.navigate when no interception fires. In real desktop usage they
-    // are the same router instance; this helper mirrors that invariant.
-    const fakeRouter = {
-      state: { location: { pathname, search: "", hash: "" } },
-      subscribe: () => () => {},
-      navigate: vi.fn(),
-    } as unknown as ProviderRouter;
-    state.byWorkspace.acme.tabs[0] = {
-      id: "tA",
-      path: pathname,
-      pinned: true,
-      router: fakeRouter as unknown as MockRouter,
-    };
-
-    let adapter: ReturnType<typeof useNavigation> | null = null;
-    const Probe = captureAdapter((a) => {
-      adapter = a;
-    });
-    render(
-      <TabNavigationProvider router={fakeRouter}>
-        <Probe />
-      </TabNavigationProvider>,
-    );
-    return { getAdapter: () => adapter!, fakeRouter };
-  }
-
-  it("redirects push to a new foreground tab when pathname differs", () => {
-    const { getAdapter, fakeRouter } = renderPinnedTabProvider("/acme/issues");
-    getAdapter().push("/acme/projects");
-    expect(state.openTab).toHaveBeenCalledWith("/acme/projects", "/acme/projects", "File");
-    expect(state.setActiveTab).toHaveBeenCalledWith("tNew");
-    // Pinned interception short-circuits — the per-tab router must NOT
-    // navigate, otherwise the pinned tab itself would move off its path.
-    expect(fakeRouter.navigate).not.toHaveBeenCalled();
-  });
-
-  it("allows in-tab navigation when only search/hash changes", () => {
-    const { getAdapter, fakeRouter } = renderPinnedTabProvider("/acme/issues");
-    getAdapter().push("/acme/issues?filter=open");
-    // Same pathname → pinned interception declines, push falls through to
-    // the tab's own router.navigate, and no new tab is opened.
-    expect(state.openTab).not.toHaveBeenCalled();
-    expect(state.setActiveTab).not.toHaveBeenCalled();
-    expect(fakeRouter.navigate).toHaveBeenCalledWith("/acme/issues?filter=open");
-  });
-});

apps/desktop/src/renderer/src/platform/navigation.tsx

@@ -15,15 +15,11 @@ import {
 } from "@/stores/tab-store";
 import { useWindowOverlayStore } from "@/stores/window-overlay-store";
 
-function requireRuntimeAppUrl(scope: string): string {
-  const runtimeConfig = window.desktopAPI.runtimeConfig;
-  if (!runtimeConfig.ok) {
-    throw new Error(
-      `Invariant violated: ${scope} rendered before App accepted runtime config`,
-    );
-  }
-  return runtimeConfig.config.appUrl;
-}
+// Public web app URL — injected at build time via .env.production. In dev
+// (no VITE_APP_URL set) falls back to the local web dev server so "Copy
+// link" in a dev build yields a URL that points at the running dev
+// frontend, not the prod host. Matches the fallback used in pages/login.tsx.
+const APP_URL = import.meta.env.VITE_APP_URL || "http://localhost:3000";
 
 /**
  * Extract the leading workspace slug from a path, or null if the path isn't
@@ -65,13 +61,6 @@ function tryRouteToOverlay(path: string, router?: DataRouter): boolean {
     }
     return true;
   }
-  if (path === "/invitations") {
-    overlay.open({ type: "invitations" });
-    if (router && router.state.location.pathname !== "/") {
-      router.navigate("/", { replace: true });
-    }
-    return true;
-  }
   if (path.startsWith("/invite/")) {
     let id = "";
     try {
@@ -89,11 +78,6 @@ function tryRouteToOverlay(path: string, router?: DataRouter): boolean {
   return false;
 }
 
-function routerLocationPath(router: DataRouter): string {
-  const { pathname, search, hash } = router.state.location;
-  return `${pathname}${search ?? ""}${hash ?? ""}`;
-}
-
 /**
  * Intercept pushes that change workspace. Returns `true` if the navigation
  * was delegated to the tab store (caller should NOT proceed).
@@ -113,37 +97,6 @@ function tryRouteToOtherWorkspace(path: string): boolean {
   return true;
 }
 
-/**
- * Intercept pushes originating in a pinned tab and force them into a new
- * tab. Returns `true` if the navigation was redirected (caller should NOT
- * proceed). Pathname-only changes (search / hash / same-page state) are
- * allowed through so pinned filter / drawer / form-state interactions
- * still work — see RFC §3 D2a (FINAL: any pathname change → new tab) and
- * D2b (FINAL: same pathname → allowed in pinned tab).
- *
- * Dedupe is preserved (D4a): `openTab` activates an existing same-path tab
- * if one exists, otherwise creates a new one. The newly-focused tab is
- * activated foreground — a pinned-tab push is an explicit user action, not
- * a background cmd+click, so the focus follows.
- */
-function tryRouteToPinnedNewTab(path: string): boolean {
-  const store = useTabStore.getState();
-  const active = getActiveTab(store);
-  if (!active?.pinned) return false;
-
-  // Use the live router pathname rather than `active.path` so query-only
-  // navigations performed via React Router (which only sync pathname back
-  // to the store) still compare correctly.
-  const currentPathname = active.router.state.location.pathname;
-  const newPathname = path.split("?")[0].split("#")[0];
-  if (currentPathname === newPathname) return false;
-
-  const icon = resolveRouteIcon(path);
-  const newId = store.openTab(path, path, icon);
-  if (newId) store.setActiveTab(newId);
-  return true;
-}
-
 /**
  * Root-level navigation provider for components outside the per-tab
  * RouterProviders (sidebar, search dialog, modals, WindowOverlay contents).
@@ -156,7 +109,6 @@ export function DesktopNavigationProvider({
 }: {
   children: React.ReactNode;
 }) {
-  const appUrl = requireRuntimeAppUrl("DesktopNavigationProvider");
   // Primitive-only subscriptions so this component doesn't re-render on
   // unrelated store updates (e.g. an inactive tab's router tick). We
   // resolve the active router here only to subscribe once per tab switch.
@@ -200,9 +152,7 @@ export function DesktopNavigationProvider({
         }
         const active = currentActiveTab();
         if (tryRouteToOverlay(path, active?.router)) return;
-        if (active && routerLocationPath(active.router) === path) return;
         if (tryRouteToOtherWorkspace(path)) return;
-        if (tryRouteToPinnedNewTab(path)) return;
         active?.router.navigate(path);
       },
       replace: (path: string) => {
@@ -216,16 +166,9 @@ export function DesktopNavigationProvider({
       },
       pathname: location.pathname,
       searchParams: new URLSearchParams(location.search),
-      openInNewTab: (
-        path: string,
-        title?: string,
-        opts?: { activate?: boolean },
-      ) => {
+      openInNewTab: (path: string, title?: string) => {
         // Cross-workspace "open in new tab" switches workspace and opens
-        // the path there (focus follows the user); same-workspace defaults
-        // to background tab (browser cmd+click semantics). Callers that
-        // represent an explicit "Open in new tab" CTA pass `activate: true`
-        // to bring the new tab to the foreground.
+        // the path there; same-workspace just adds a tab in the current group.
         const slug = extractWorkspaceSlug(path);
         const store = useTabStore.getState();
         if (slug && slug !== store.activeWorkspaceSlug) {
@@ -233,14 +176,12 @@ export function DesktopNavigationProvider({
           return;
         }
         const icon = resolveRouteIcon(path);
-        const newId = store.openTab(path, title ?? path, icon);
-        if (opts?.activate && newId) {
-          store.setActiveTab(newId);
-        }
+        const tabId = store.openTab(path, title ?? path, icon);
+        if (tabId) store.setActiveTab(tabId);
       },
-      getShareableUrl: (path: string) => `${appUrl}${path}`,
+      getShareableUrl: (path: string) => `${APP_URL}${path}`,
     }),
-    [appUrl, location],
+    [location],
   );
 
   return <NavigationProvider value={adapter}>{children}</NavigationProvider>;
@@ -263,7 +204,6 @@ export function TabNavigationProvider({
   router: DataRouter;
   children: React.ReactNode;
 }) {
-  const appUrl = requireRuntimeAppUrl("TabNavigationProvider");
   const [location, setLocation] = useState(router.state.location);
 
   useEffect(() => {
@@ -277,9 +217,7 @@ export function TabNavigationProvider({
     () => ({
       push: (path: string) => {
         if (tryRouteToOverlay(path, router)) return;
-        if (routerLocationPath(router) === path) return;
         if (tryRouteToOtherWorkspace(path)) return;
-        if (tryRouteToPinnedNewTab(path)) return;
         router.navigate(path);
       },
       replace: (path: string) => {
@@ -290,11 +228,7 @@ export function TabNavigationProvider({
       back: () => router.navigate(-1),
       pathname: location.pathname,
       searchParams: new URLSearchParams(location.search),
-      openInNewTab: (
-        path: string,
-        title?: string,
-        opts?: { activate?: boolean },
-      ) => {
+      openInNewTab: (path: string, title?: string) => {
         const slug = extractWorkspaceSlug(path);
         const store = useTabStore.getState();
         if (slug && slug !== store.activeWorkspaceSlug) {
@@ -302,14 +236,12 @@ export function TabNavigationProvider({
           return;
         }
         const icon = resolveRouteIcon(path);
-        const newId = store.openTab(path, title ?? path, icon);
-        if (opts?.activate && newId) {
-          store.setActiveTab(newId);
-        }
+        const tabId = store.openTab(path, title ?? path, icon);
+        if (tabId) store.setActiveTab(tabId);
       },
-      getShareableUrl: (path: string) => `${appUrl}${path}`,
+      getShareableUrl: (path: string) => `${APP_URL}${path}`,
     }),
-    [appUrl, router, location],
+    [router, location],
   );
 
   return <NavigationProvider value={adapter}>{children}</NavigationProvider>;

apps/desktop/src/renderer/src/routes.tsx

@@ -11,53 +11,20 @@ import { ProjectDetailPage } from "./pages/project-detail-page";
 import { AutopilotDetailPage } from "./pages/autopilot-detail-page";
 import { SkillDetailPage } from "./pages/skill-detail-page";
 import { AgentDetailPage } from "./pages/agent-detail-page";
-import { MemberDetailPage } from "./pages/member-detail-page";
 import { RuntimeDetailPage } from "./pages/runtime-detail-page";
-import { AttachmentPreviewRoute } from "./pages/attachment-preview-page";
 import { IssuesPage } from "@multica/views/issues/components";
 import { ProjectsPage } from "@multica/views/projects/components";
-import { DashboardPage } from "@multica/views/dashboard";
 import { AutopilotsPage } from "@multica/views/autopilots/components";
 import { MyIssuesPage } from "@multica/views/my-issues";
 import { SkillsPage } from "@multica/views/skills";
 import { DesktopRuntimesPage } from "./components/desktop-runtimes-page";
-import { DesktopAgentsPage } from "./components/desktop-agents-page";
-import { SquadsPage, SquadDetailPage as SquadDetailPageView } from "@multica/views/squads/components";
+import { AgentsPage } from "@multica/views/agents";
 import { InboxPage } from "@multica/views/inbox";
 import { SettingsPage } from "@multica/views/settings";
-import { useT } from "@multica/views/i18n";
 import { Download, Server } from "lucide-react";
 import { DaemonSettingsTab } from "./components/daemon-settings-tab";
 import { UpdatesSettingsTab } from "./components/updates-settings-tab";
 import { WorkspaceRouteLayout } from "./components/workspace-route-layout";
-import { DesktopRouteErrorPage } from "./components/route-error-page";
-
-/**
- * Wraps `SettingsPage` so the desktop-only extra tabs can pull their labels
- * from i18n. The route element has to be a component (not a literal JSX
- * value) for `useT` to run.
- */
-function DesktopSettingsRoute() {
-  const { t } = useT("settings");
-  return (
-    <SettingsPage
-      extraAccountTabs={[
-        {
-          value: "daemon",
-          label: "Daemon",
-          icon: Server,
-          content: <DaemonSettingsTab />,
-        },
-        {
-          value: "updates",
-          label: t(($) => $.desktop.tabs.updates),
-          icon: Download,
-          content: <UpdatesSettingsTab />,
-        },
-      ]}
-    />
-  );
-}
 
 /**
  * Sets document.title from the deepest matched route's handle.title.
@@ -109,7 +76,6 @@ function PageShell() {
 export const appRoutes: RouteObject[] = [
   {
     element: <PageShell />,
-    errorElement: <DesktopRouteErrorPage />,
     children: [
       { index: true, element: null },
       {
@@ -117,11 +83,7 @@ export const appRoutes: RouteObject[] = [
         element: <WorkspaceRouteLayout />,
         children: [
           { index: true, element: <Navigate to="issues" replace /> },
-          {
-            path: "issues",
-            element: <IssuesPage />,
-            handle: { title: "Issues" },
-          },
+          { path: "issues", element: <IssuesPage />, handle: { title: "Issues" } },
           {
             path: "issues/:id",
             element: <IssueDetailPage />,
@@ -168,37 +130,33 @@ export const appRoutes: RouteObject[] = [
             element: <SkillDetailPage />,
             handle: { title: "Skill" },
           },
-          { path: "agents", element: <DesktopAgentsPage />, handle: { title: "Agents" } },
+          { path: "agents", element: <AgentsPage />, handle: { title: "Agents" } },
           {
             path: "agents/:id",
             element: <AgentDetailPage />,
             handle: { title: "Agent" },
           },
-          {
-            path: "members/:id",
-            element: <MemberDetailPage />,
-            handle: { title: "Member" },
-          },
-          { path: "squads", element: <SquadsPage />, handle: { title: "Squads" } },
-          {
-            path: "squads/:id",
-            element: <SquadDetailPageView />,
-            handle: { title: "Squad" },
-          },
           { path: "inbox", element: <InboxPage />, handle: { title: "Inbox" } },
-          {
-            path: "attachments/:id/preview",
-            element: <AttachmentPreviewRoute />,
-            handle: { title: "Attachment" },
-          },
-          {
-            path: "usage",
-            element: <DashboardPage />,
-            handle: { title: "Usage" },
-          },
           {
             path: "settings",
-            element: <DesktopSettingsRoute />,
+            element: (
+              <SettingsPage
+                extraAccountTabs={[
+                  {
+                    value: "daemon",
+                    label: "Daemon",
+                    icon: Server,
+                    content: <DaemonSettingsTab />,
+                  },
+                  {
+                    value: "updates",
+                    label: "Updates",
+                    icon: Download,
+                    content: <UpdatesSettingsTab />,
+                  },
+                ]}
+              />
+            ),
             handle: { title: "Settings" },
           },
         ],

apps/desktop/src/renderer/src/stores/tab-store.test.ts

@@ -17,7 +17,6 @@ vi.mock("../routes", () => ({
 import {
   sanitizeTabPath,
   migrateV1ToV2,
-  migrateV2ToV3,
   useTabStore,
 } from "./tab-store";
 
@@ -181,61 +180,6 @@ describe("useTabStore actions", () => {
     expect(s.byWorkspace.acme.tabs[0].id).not.toBe(onlyTabId); // fresh tab
   });
 
-  it("defers disposing the closed tab router until after the store update", () => {
-    vi.useFakeTimers();
-    try {
-      const store = useTabStore.getState();
-      store.switchWorkspace("acme");
-      const closedTabId = store.addTab("/acme/settings", "Settings", "Settings");
-      const closingTab = useTabStore
-        .getState()
-        .byWorkspace.acme.tabs.find((t) => t.id === closedTabId);
-      const dispose = vi.mocked(closingTab!.router.dispose);
-
-      store.closeTab(closedTabId);
-
-      expect(dispose).not.toHaveBeenCalled();
-      expect(
-        useTabStore.getState().byWorkspace.acme.tabs.some((t) => t.id === closedTabId),
-      ).toBe(false);
-
-      vi.runAllTimers();
-
-      expect(dispose).toHaveBeenCalledOnce();
-    } finally {
-      vi.useRealTimers();
-    }
-  });
-
-  it("ignores router-sync updates from a tab after it has been closed", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    const closedTabId = store.addTab("/acme/settings", "Settings", "Settings");
-
-    store.closeTab(closedTabId);
-    const before = useTabStore.getState().byWorkspace.acme;
-
-    store.updateTab(closedTabId, { path: "/acme/runtimes", icon: "Monitor" });
-    store.updateTabHistory(closedTabId, 1, 2);
-
-    expect(useTabStore.getState().byWorkspace.acme).toBe(before);
-    expect(
-      useTabStore.getState().byWorkspace.acme.tabs.some((t) => t.id === closedTabId),
-    ).toBe(false);
-  });
-
-  it("does not replace the tab group for no-op router-sync updates", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    const tab = useTabStore.getState().byWorkspace.acme.tabs[0];
-    const before = useTabStore.getState().byWorkspace.acme;
-
-    store.updateTab(tab.id, { path: tab.path, icon: tab.icon, title: tab.title });
-    store.updateTabHistory(tab.id, tab.historyIndex, tab.historyLength);
-
-    expect(useTabStore.getState().byWorkspace.acme).toBe(before);
-  });
-
   it("validateWorkspaceSlugs drops groups for slugs not in the valid set and repoints active", () => {
     const store = useTabStore.getState();
     store.switchWorkspace("acme");
@@ -259,47 +203,6 @@ describe("useTabStore actions", () => {
     expect(s.activeWorkspaceSlug).toBeNull();
   });
 
-  it("validateWorkspaceSlugs seeds the first valid workspace when no group exists", () => {
-    const store = useTabStore.getState();
-    store.validateWorkspaceSlugs(new Set(["acme", "butter"]));
-    const s = useTabStore.getState();
-    expect(s.activeWorkspaceSlug).toBe("acme");
-    expect(s.byWorkspace.acme.tabs).toHaveLength(1);
-    expect(s.byWorkspace.acme.tabs[0].path).toBe("/acme/issues");
-  });
-
-  it("validateWorkspaceSlugs reactivates an existing valid group before seeding", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    const existingTabId = useTabStore.getState().byWorkspace.acme.tabs[0].id;
-
-    useTabStore.setState({ activeWorkspaceSlug: null });
-    store.validateWorkspaceSlugs(new Set(["acme"]));
-
-    const s = useTabStore.getState();
-    expect(s.activeWorkspaceSlug).toBe("acme");
-    expect(s.byWorkspace.acme.tabs).toHaveLength(1);
-    expect(s.byWorkspace.acme.tabs[0].id).toBe(existingTabId);
-  });
-
-  it("validateWorkspaceSlugs seeds a fresh tab for a valid slug after dropping all stale groups", () => {
-    const store = useTabStore.getState();
-    // The only persisted group points at a workspace the user has lost access
-    // to — the stale-tab heal path WorkspaceRouteLayout drives.
-    store.switchWorkspace("stale");
-    const staleRouter = useTabStore.getState().byWorkspace.stale.tabs[0].router;
-
-    store.validateWorkspaceSlugs(new Set(["acme"]));
-
-    const s = useTabStore.getState();
-    expect(Object.keys(s.byWorkspace)).toEqual(["acme"]);
-    expect(s.activeWorkspaceSlug).toBe("acme");
-    expect(s.byWorkspace.acme.tabs).toHaveLength(1);
-    expect(s.byWorkspace.acme.tabs[0].path).toBe("/acme/issues");
-    // The dropped stale group's router must be disposed, not leaked.
-    expect(staleRouter.dispose).toHaveBeenCalled();
-  });
-
   it("reset wipes the whole store", () => {
     const store = useTabStore.getState();
     store.switchWorkspace("acme");
@@ -319,155 +222,3 @@ describe("useTabStore actions", () => {
     expect(useTabStore.getState().activeWorkspaceSlug).toBe("acme");
   });
 });
-
-describe("togglePin", () => {
-  it("flips a tab's pinned state", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    const tabId = useTabStore.getState().byWorkspace.acme.tabs[0].id;
-    expect(useTabStore.getState().byWorkspace.acme.tabs[0].pinned).toBe(false);
-
-    store.togglePin(tabId);
-    expect(useTabStore.getState().byWorkspace.acme.tabs[0].pinned).toBe(true);
-
-    store.togglePin(tabId);
-    expect(useTabStore.getState().byWorkspace.acme.tabs[0].pinned).toBe(false);
-  });
-
-  it("moves a newly-pinned tab to the start of the pinned zone", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme"); // creates default unpinned tab at index 0
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-    store.addTab("/acme/agents", "Agents", "Bot");
-    const agentsId = useTabStore.getState().byWorkspace.acme.tabs[2].id;
-
-    store.togglePin(agentsId);
-    const tabs = useTabStore.getState().byWorkspace.acme.tabs;
-    expect(tabs[0].id).toBe(agentsId);
-    expect(tabs[0].pinned).toBe(true);
-    expect(tabs[1].pinned).toBe(false);
-    expect(tabs[2].pinned).toBe(false);
-  });
-
-  it("appends a second pinned tab after the first pinned tab", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-    store.addTab("/acme/agents", "Agents", "Bot");
-    const projectsId = useTabStore.getState().byWorkspace.acme.tabs[1].id;
-    const agentsId = useTabStore.getState().byWorkspace.acme.tabs[2].id;
-
-    store.togglePin(agentsId);
-    store.togglePin(projectsId);
-
-    // Both pinned, in the order they were pinned (agents first, projects
-    // second), then the unpinned default tab.
-    const tabs = useTabStore.getState().byWorkspace.acme.tabs;
-    expect(tabs.map((t) => t.id)).toEqual([
-      agentsId,
-      projectsId,
-      tabs[2].id,
-    ]);
-    expect(tabs.map((t) => t.pinned)).toEqual([true, true, false]);
-  });
-
-  it("returns an unpinned tab to the start of the unpinned zone", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-    const issuesId = useTabStore.getState().byWorkspace.acme.tabs[0].id;
-    const projectsId = useTabStore.getState().byWorkspace.acme.tabs[1].id;
-
-    // Pin both, then unpin one.
-    store.togglePin(issuesId);
-    store.togglePin(projectsId);
-    store.togglePin(issuesId);
-
-    const tabs = useTabStore.getState().byWorkspace.acme.tabs;
-    expect(tabs.map((t) => t.id)).toEqual([projectsId, issuesId]);
-    expect(tabs.map((t) => t.pinned)).toEqual([true, false]);
-  });
-});
-
-describe("moveTab boundary clamp", () => {
-  it("clamps a pinned-tab move so it never crosses into the unpinned zone", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-    store.addTab("/acme/agents", "Agents", "Bot");
-    const issuesId = useTabStore.getState().byWorkspace.acme.tabs[0].id;
-
-    store.togglePin(issuesId); // [issues(pinned), projects, agents]
-
-    // User tries to drag the pinned tab to index 2 (unpinned zone end).
-    store.moveTab(0, 2);
-    const tabs = useTabStore.getState().byWorkspace.acme.tabs;
-    // It should be clamped to index 0 — the only pinned slot — i.e. unchanged.
-    expect(tabs[0].id).toBe(issuesId);
-    expect(tabs.map((t) => t.pinned)).toEqual([true, false, false]);
-  });
-
-  it("clamps an unpinned-tab move so it never crosses into the pinned zone", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-    store.addTab("/acme/agents", "Agents", "Bot");
-    const issuesId = useTabStore.getState().byWorkspace.acme.tabs[0].id;
-    const agentsId = useTabStore.getState().byWorkspace.acme.tabs[2].id;
-
-    store.togglePin(issuesId); // [issues(pinned), projects, agents]
-
-    // User tries to drag agents (index 2) to index 0 (pinned zone).
-    store.moveTab(2, 0);
-    const tabs = useTabStore.getState().byWorkspace.acme.tabs;
-    // Clamped to index 1 — start of the unpinned zone.
-    expect(tabs[0].id).toBe(issuesId);
-    expect(tabs[1].id).toBe(agentsId);
-    expect(tabs.map((t) => t.pinned)).toEqual([true, false, false]);
-  });
-
-  it("reorders freely within the same zone", () => {
-    const store = useTabStore.getState();
-    store.switchWorkspace("acme");
-    store.addTab("/acme/projects", "Projects", "FolderKanban");
-    store.addTab("/acme/agents", "Agents", "Bot");
-
-    // All unpinned; move agents (2) to position 0.
-    store.moveTab(2, 0);
-    const tabs = useTabStore.getState().byWorkspace.acme.tabs;
-    expect(tabs.map((t) => t.path)).toEqual([
-      "/acme/agents",
-      "/acme/issues",
-      "/acme/projects",
-    ]);
-  });
-});
-
-describe("migrateV2ToV3", () => {
-  it("adds pinned=false to every persisted tab", () => {
-    const v2 = {
-      activeWorkspaceSlug: "acme",
-      byWorkspace: {
-        acme: {
-          activeTabId: "t1",
-          tabs: [
-            { id: "t1", path: "/acme/issues", title: "Issues", icon: "ListTodo" },
-            { id: "t2", path: "/acme/projects", title: "Projects", icon: "FolderKanban" },
-          ],
-        },
-      },
-    };
-    const v3 = migrateV2ToV3(v2);
-    expect(v3.activeWorkspaceSlug).toBe("acme");
-    expect(v3.byWorkspace.acme.tabs).toEqual([
-      { id: "t1", path: "/acme/issues", title: "Issues", icon: "ListTodo", pinned: false },
-      { id: "t2", path: "/acme/projects", title: "Projects", icon: "FolderKanban", pinned: false },
-    ]);
-  });
-
-  it("handles missing byWorkspace gracefully", () => {
-    const v3 = migrateV2ToV3({ activeWorkspaceSlug: null } as Parameters<typeof migrateV2ToV3>[0]);
-    expect(v3.byWorkspace).toEqual({});
-    expect(v3.activeWorkspaceSlug).toBeNull();
-  });
-});

apps/desktop/src/renderer/src/stores/tab-store.ts

@@ -20,14 +20,6 @@ export interface Tab {
   router: DataRouter;
   historyIndex: number;
   historyLength: number;
-  /**
-   * Pinned tabs render at the left of the tab bar as icon-only, suppress the
-   * X close button, and turn any `navigation.push()` originating in them into
-   * an `openInNewTab()` so they stay parked on their original path. Pinning
-   * is invariant-preserving: pinned tabs always come before unpinned tabs in
-   * a workspace's `tabs` array; `togglePin` / `moveTab` enforce this.
-   */
-  pinned: boolean;
 }
 
 export interface WorkspaceTabGroup {
@@ -86,30 +78,8 @@ interface TabStore {
   updateTab: (tabId: string, patch: Partial<Pick<Tab, "path" | "title" | "icon">>) => void;
   /** Patch history tracking of a tab. Finds across groups. */
   updateTabHistory: (tabId: string, historyIndex: number, historyLength: number) => void;
-  /** Recreate the active tab's router at the same path after a route-level crash. */
-  reloadActiveTab: () => void;
-  /**
-   * Close the active tab. The always-safe escape from a route-level crash:
-   * unlike reloadActiveTab (recreates the same crashing path) or navigating
-   * to a "safe" route (which may itself be the route that crashed), closing
-   * destroys the crashing router entirely and falls back to a sibling tab
-   * (or a reseeded default if it was the last tab).
-   */
-  closeActiveTab: () => void;
-  /**
-   * Reorder within the active workspace's group only. Clamped so a tab can
-   * never cross the pinned / unpinned boundary — a drag that would move a
-   * pinned tab into the unpinned zone (or vice versa) is dropped at the
-   * boundary instead. This keeps the "pinned tabs first" invariant without
-   * requiring callers to know about it.
-   */
+  /** Reorder within the active workspace's group only. */
   moveTab: (fromIndex: number, toIndex: number) => void;
-  /**
-   * Flip a tab's pinned state. Pinning moves it to the end of the pinned
-   * zone; unpinning moves it to the start of the unpinned zone. Both
-   * preserve the "pinned tabs before unpinned tabs" invariant.
-   */
-  togglePin: (tabId: string) => void;
   /**
    * After the workspace list arrives/changes (login, realtime delete), drop
    * any tab group whose slug is no longer in `validSlugs`, and repoint
@@ -220,17 +190,9 @@ function makeTab(path: string, title: string, icon: string): Tab {
     router: createTabRouter(path),
     historyIndex: 0,
     historyLength: 1,
-    pinned: false,
   };
 }
 
-/** Index of the first unpinned tab in a group (== pinned count). */
-function pinnedBoundary(tabs: Tab[]): number {
-  let i = 0;
-  while (i < tabs.length && tabs[i].pinned) i++;
-  return i;
-}
-
 /** Default entry point for a workspace — its issues list. */
 function defaultPathFor(slug: string): string {
   return `/${slug}/issues`;
@@ -388,10 +350,7 @@ export const useTabStore = create<TabStore>()(
         const { slug, group, index } = hit;
 
         const closing = group.tabs[index];
-        const disposeClosingRouter = () => {
-          // Let React unmount the tab's RouterProvider before disposing it.
-          window.setTimeout(() => closing.router.dispose(), 0);
-        };
+        closing.router.dispose();
 
         if (group.tabs.length === 1) {
           // Last tab in this workspace — reseed a default so the workspace
@@ -404,7 +363,6 @@ export const useTabStore = create<TabStore>()(
               [slug]: { tabs: [fresh], activeTabId: fresh.id },
             },
           });
-          disposeClosingRouter();
           return;
         }
 
@@ -420,7 +378,6 @@ export const useTabStore = create<TabStore>()(
             [slug]: { tabs: nextTabs, activeTabId: nextActiveTabId },
           },
         });
-        disposeClosingRouter();
       },
 
       setActiveTab(tabId) {
@@ -445,13 +402,6 @@ export const useTabStore = create<TabStore>()(
         const { slug, group, index } = hit;
         const current = group.tabs[index];
         const next: Tab = { ...current, ...patch };
-        if (
-          next.path === current.path &&
-          next.title === current.title &&
-          next.icon === current.icon
-        ) {
-          return;
-        }
         const nextTabs = [...group.tabs];
         nextTabs[index] = next;
         set({
@@ -468,12 +418,6 @@ export const useTabStore = create<TabStore>()(
         if (!hit) return;
         const { slug, group, index } = hit;
         const current = group.tabs[index];
-        if (
-          current.historyIndex === historyIndex &&
-          current.historyLength === historyLength
-        ) {
-          return;
-        }
         const next: Tab = { ...current, historyIndex, historyLength };
         const nextTabs = [...group.tabs];
         nextTabs[index] = next;
@@ -485,101 +429,23 @@ export const useTabStore = create<TabStore>()(
         });
       },
 
-      reloadActiveTab() {
-        const { activeWorkspaceSlug, byWorkspace } = get();
-        if (!activeWorkspaceSlug) return;
-        const group = byWorkspace[activeWorkspaceSlug];
-        if (!group) return;
-        const index = group.tabs.findIndex((t) => t.id === group.activeTabId);
-        if (index < 0) return;
-        const current = group.tabs[index];
-        const nextTabs = [...group.tabs];
-        nextTabs[index] = {
-          ...current,
-          router: createTabRouter(current.path),
-          historyIndex: 0,
-          historyLength: 1,
-        };
-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [activeWorkspaceSlug]: { ...group, tabs: nextTabs },
-          },
-        });
-        window.setTimeout(() => current.router.dispose(), 0);
-      },
-
-      closeActiveTab() {
-        const { activeWorkspaceSlug, byWorkspace, closeTab } = get();
-        if (!activeWorkspaceSlug) return;
-        const group = byWorkspace[activeWorkspaceSlug];
-        if (!group) return;
-        closeTab(group.activeTabId);
-      },
-
       moveTab(fromIndex, toIndex) {
         if (fromIndex === toIndex) return;
         const { activeWorkspaceSlug, byWorkspace } = get();
         if (!activeWorkspaceSlug) return;
         const group = byWorkspace[activeWorkspaceSlug];
         if (!group) return;
-        if (fromIndex < 0 || fromIndex >= group.tabs.length) return;
-
-        // Clamp the drop position to within the source tab's group (pinned vs
-        // unpinned) so the "pinned tabs first" invariant survives drag-reorder.
-        // Pinned zone is [0, boundary); unpinned zone is [boundary, length).
-        const boundary = pinnedBoundary(group.tabs);
-        const source = group.tabs[fromIndex];
-        let clampedTo: number;
-        if (source.pinned) {
-          // boundary is exclusive upper bound for pinned-zone indices.
-          clampedTo = Math.max(0, Math.min(toIndex, boundary - 1));
-        } else {
-          clampedTo = Math.max(boundary, Math.min(toIndex, group.tabs.length - 1));
-        }
-        if (clampedTo === fromIndex) return;
         set({
           byWorkspace: {
             ...byWorkspace,
             [activeWorkspaceSlug]: {
               ...group,
-              tabs: arrayMove(group.tabs, fromIndex, clampedTo),
+              tabs: arrayMove(group.tabs, fromIndex, toIndex),
             },
           },
         });
       },
 
-      togglePin(tabId) {
-        const { byWorkspace } = get();
-        const hit = findTabLocation(byWorkspace, tabId);
-        if (!hit) return;
-        const { slug, group, index } = hit;
-        const current = group.tabs[index];
-        const nextTab: Tab = { ...current, pinned: !current.pinned };
-
-        // Remove from current position, then insert at the new zone boundary:
-        //   pinning   → end of pinned zone (just before first unpinned tab)
-        //   unpinning → start of unpinned zone (right after last pinned tab)
-        const withoutCurrent = [
-          ...group.tabs.slice(0, index),
-          ...group.tabs.slice(index + 1),
-        ];
-        const newBoundary = pinnedBoundary(withoutCurrent);
-        const insertAt = newBoundary;
-        const nextTabs = [
-          ...withoutCurrent.slice(0, insertAt),
-          nextTab,
-          ...withoutCurrent.slice(insertAt),
-        ];
-
-        set({
-          byWorkspace: {
-            ...byWorkspace,
-            [slug]: { ...group, tabs: nextTabs },
-          },
-        });
-      },
-
       validateWorkspaceSlugs(validSlugs) {
         const { activeWorkspaceSlug, byWorkspace } = get();
         let changed = false;
@@ -599,24 +465,6 @@ export const useTabStore = create<TabStore>()(
           changed = true;
         }
 
-        if (!nextActive) {
-          nextActive = Object.keys(nextByWorkspace)[0] ?? null;
-          if (nextActive) changed = true;
-        }
-
-        if (!nextActive) {
-          const fallbackSlug = validSlugs.values().next().value;
-          if (fallbackSlug) {
-            const fresh = defaultTabFor(fallbackSlug);
-            nextByWorkspace[fallbackSlug] = {
-              tabs: [fresh],
-              activeTabId: fresh.id,
-            };
-            nextActive = fallbackSlug;
-            changed = true;
-          }
-        }
-
         if (!changed) return;
         set({ byWorkspace: nextByWorkspace, activeWorkspaceSlug: nextActive });
       },
@@ -631,23 +479,17 @@ export const useTabStore = create<TabStore>()(
     }),
     {
       name: "multica_tabs",
-      version: 3,
+      version: 2,
       storage: createJSONStorage(() => createPersistStorage(defaultStorage)),
       migrate: (persistedState, version) => {
         // v1 → v2: flat `tabs` array → per-workspace grouping.
         // Tabs whose path isn't workspace-scoped (root `/`, login, etc.)
         // are dropped — they have no workspace to belong to, and the new
         // model's invariant is "every tab lives in a workspace group".
-        let state = persistedState;
-        if (version < 2 && state && typeof state === "object") {
-          state = migrateV1ToV2(state as Partial<V1Persisted>);
+        if (version < 2 && persistedState && typeof persistedState === "object") {
+          return migrateV1ToV2(persistedState as Partial<V1Persisted>);
         }
-        // v2 → v3: introduce `Tab.pinned`. Existing tabs default to
-        // unpinned; pin ordering invariant trivially holds (no pinned tabs).
-        if (version < 3 && state && typeof state === "object") {
-          state = migrateV2ToV3(state as V2Persisted);
-        }
-        return state as V3Persisted;
+        return persistedState as V2Persisted;
       },
       partialize: (state) => ({
         activeWorkspaceSlug: state.activeWorkspaceSlug,
@@ -657,19 +499,15 @@ export const useTabStore = create<TabStore>()(
             {
               activeTabId: group.activeTabId,
               tabs: group.tabs.map(
-                ({
-                  router: _router,
-                  historyIndex: _hi,
-                  historyLength: _hl,
-                  ...rest
-                }) => rest,
+                ({ router: _router, historyIndex: _hi, historyLength: _hl, ...rest }) =>
+                  rest,
               ),
             },
           ]),
         ),
       }),
       merge: (persistedState, currentState) => {
-        const persisted = persistedState as Partial<V3Persisted> | undefined;
+        const persisted = persistedState as Partial<V2Persisted> | undefined;
         if (!persisted?.byWorkspace) return currentState;
 
         const byWorkspace: Record<string, WorkspaceTabGroup> = {};
@@ -696,14 +534,9 @@ export const useTabStore = create<TabStore>()(
               router: createTabRouter(clean),
               historyIndex: 0,
               historyLength: 1,
-              pinned: pTab.pinned === true,
             });
           }
           if (tabs.length === 0) continue;
-          // Enforce the "pinned first" invariant on rehydration in case a
-          // user (or a buggy older write) persisted the pinned tabs out of
-          // order. Stable sort preserves intra-group order.
-          tabs.sort((a, b) => (a.pinned === b.pinned ? 0 : a.pinned ? -1 : 1));
           const activeTabId = tabs.some((t) => t.id === pGroup.activeTabId)
             ? pGroup.activeTabId
             : tabs[0].id;
@@ -754,38 +587,6 @@ interface V2Persisted {
   byWorkspace: Record<string, V2PersistedGroup>;
 }
 
-interface V3PersistedTab {
-  id: string;
-  path: string;
-  title: string;
-  icon: string;
-  pinned: boolean;
-}
-
-interface V3PersistedGroup {
-  tabs: V3PersistedTab[];
-  activeTabId: string;
-}
-
-interface V3Persisted {
-  activeWorkspaceSlug: string | null;
-  byWorkspace: Record<string, V3PersistedGroup>;
-}
-
-export function migrateV2ToV3(v2: V2Persisted): V3Persisted {
-  const byWorkspace: Record<string, V3PersistedGroup> = {};
-  for (const [slug, group] of Object.entries(v2.byWorkspace ?? {})) {
-    byWorkspace[slug] = {
-      activeTabId: group.activeTabId,
-      tabs: group.tabs.map((t) => ({ ...t, pinned: false })),
-    };
-  }
-  return {
-    activeWorkspaceSlug: v2.activeWorkspaceSlug ?? null,
-    byWorkspace,
-  };
-}
-
 export function migrateV1ToV2(v1: Partial<V1Persisted>): V2Persisted {
   const byWorkspace: Record<string, V2PersistedGroup> = {};
   const oldTabs = v1.tabs ?? [];

apps/desktop/src/renderer/src/stores/window-overlay-store.ts

@@ -15,7 +15,6 @@ import { create } from "zustand";
 export type WindowOverlay =
   | { type: "new-workspace" }
   | { type: "invite"; invitationId: string }
-  | { type: "invitations" }
   | { type: "onboarding" };
 
 interface WindowOverlayStore {

apps/desktop/src/shared/navigation-gestures.test.ts

@@ -1,27 +0,0 @@
-import { describe, expect, it } from "vitest";
-import {
-  isNavigationGesture,
-  navigationGestureFromSwipe,
-} from "./navigation-gestures";
-
-describe("navigationGestureFromSwipe", () => {
-  it("maps horizontal macOS swipe directions to browser-style history", () => {
-    expect(navigationGestureFromSwipe("right")).toBe("back");
-    expect(navigationGestureFromSwipe("left")).toBe("forward");
-  });
-
-  it("ignores vertical and unknown directions", () => {
-    expect(navigationGestureFromSwipe("up")).toBeNull();
-    expect(navigationGestureFromSwipe("down")).toBeNull();
-    expect(navigationGestureFromSwipe("sideways")).toBeNull();
-  });
-});
-
-describe("isNavigationGesture", () => {
-  it("accepts only the renderer navigation gestures", () => {
-    expect(isNavigationGesture("back")).toBe(true);
-    expect(isNavigationGesture("forward")).toBe(true);
-    expect(isNavigationGesture("right")).toBe(false);
-    expect(isNavigationGesture(null)).toBe(false);
-  });
-});

apps/desktop/src/shared/navigation-gestures.ts

@@ -1,15 +0,0 @@
-export const NAVIGATION_GESTURE_CHANNEL = "navigation:gesture";
-
-export type NavigationGesture = "back" | "forward";
-
-export function isNavigationGesture(value: unknown): value is NavigationGesture {
-  return value === "back" || value === "forward";
-}
-
-export function navigationGestureFromSwipe(
-  direction: string,
-): NavigationGesture | null {
-  if (direction === "right") return "back";
-  if (direction === "left") return "forward";
-  return null;
-}

apps/desktop/src/shared/runtime-config.test.ts

@@ -1,151 +0,0 @@
-import { describe, expect, it } from "vitest";
-import {
-  DEFAULT_RUNTIME_CONFIG,
-  deriveWsUrl,
-  parseRuntimeConfig,
-  runtimeConfigFromDevEnv,
-} from "./runtime-config";
-
-describe("runtime config", () => {
-  it("uses cloud defaults without a desktop.json file", () => {
-    expect(DEFAULT_RUNTIME_CONFIG).toEqual({
-      schemaVersion: 1,
-      apiUrl: "https://api.multica.ai",
-      wsUrl: "wss://api.multica.ai/ws",
-      appUrl: "https://multica.ai",
-    });
-  });
-
-  it("derives https/wss compatible URLs from apiUrl", () => {
-    expect(
-      parseRuntimeConfig(
-        JSON.stringify({
-          schemaVersion: 1,
-          apiUrl: "https://congvc-x99.taila6fa8a.ts.net:18443",
-        }),
-      ),
-    ).toEqual({
-      schemaVersion: 1,
-      apiUrl: "https://congvc-x99.taila6fa8a.ts.net:18443",
-      wsUrl: "wss://congvc-x99.taila6fa8a.ts.net:18443/ws",
-      appUrl: "https://congvc-x99.taila6fa8a.ts.net:18443",
-    });
-  });
-
-  it("strips the leading api. label when deriving appUrl", () => {
-    expect(
-      parseRuntimeConfig(
-        JSON.stringify({ schemaVersion: 1, apiUrl: "https://api.multica.ai" }),
-      ),
-    ).toEqual({
-      schemaVersion: 1,
-      apiUrl: "https://api.multica.ai",
-      wsUrl: "wss://api.multica.ai/ws",
-      appUrl: "https://multica.ai",
-    });
-  });
-
-  it("derives ws for http api URLs", () => {
-    expect(deriveWsUrl("http://localhost:8080")).toBe("ws://localhost:8080/ws");
-  });
-
-  it("accepts explicit appUrl and wsUrl", () => {
-    expect(
-      parseRuntimeConfig(
-        JSON.stringify({
-          schemaVersion: 1,
-          apiUrl: "https://api.example.com/",
-          wsUrl: "wss://ws.example.com/socket/",
-          appUrl: "https://app.example.com/",
-        }),
-      ),
-    ).toEqual({
-      schemaVersion: 1,
-      apiUrl: "https://api.example.com",
-      wsUrl: "wss://ws.example.com/socket",
-      appUrl: "https://app.example.com",
-    });
-  });
-
-  it("rejects invalid JSON", () => {
-    expect(() => parseRuntimeConfig("{")).toThrow(/Invalid desktop runtime config JSON/);
-  });
-
-  it("rejects unsupported schema versions", () => {
-    expect(() =>
-      parseRuntimeConfig(JSON.stringify({ schemaVersion: 2, apiUrl: "https://api.example.com" })),
-    ).toThrow(/schemaVersion/);
-  });
-
-  it("rejects non-http api schemes", () => {
-    expect(() =>
-      parseRuntimeConfig(JSON.stringify({ schemaVersion: 1, apiUrl: "file:///tmp/multica" })),
-    ).toThrow(/apiUrl must use http or https/);
-  });
-
-  it("rejects non-ws websocket schemes", () => {
-    expect(() =>
-      parseRuntimeConfig(
-        JSON.stringify({
-          schemaVersion: 1,
-          apiUrl: "https://api.example.com",
-          wsUrl: "https://api.example.com/ws",
-        }),
-      ),
-    ).toThrow(/wsUrl must use ws or wss/);
-  });
-
-  it("preserves electron-vite dev env precedence", () => {
-    expect(
-      runtimeConfigFromDevEnv({
-        apiUrl: "http://dev-api.example.test:8080/",
-        wsUrl: "ws://dev-api.example.test:8080/ws/",
-        appUrl: "http://dev-app.example.test:3000/",
-      }),
-    ).toEqual({
-      schemaVersion: 1,
-      apiUrl: "http://dev-api.example.test:8080",
-      wsUrl: "ws://dev-api.example.test:8080/ws",
-      appUrl: "http://dev-app.example.test:3000",
-    });
-  });
-
-  it("falls back to local web URL when dev apiUrl is localhost", () => {
-    expect(runtimeConfigFromDevEnv({ apiUrl: "http://localhost:8080" })).toEqual({
-      schemaVersion: 1,
-      apiUrl: "http://localhost:8080",
-      wsUrl: "ws://localhost:8080/ws",
-      appUrl: "http://localhost:3000",
-    });
-  });
-
-  it("derives dev appUrl by stripping the leading api. label", () => {
-    // When the dev renderer is pointed at a remote backend (e.g. a test
-    // environment), copy-link / share URLs must reflect that environment's
-    // public web host, not the api host. Multica's convention exposes the
-    // api at `api.<web-host>`, so stripping the leading label gives the
-    // right web origin without a separate VITE_APP_URL.
-    expect(
-      runtimeConfigFromDevEnv({ apiUrl: "https://api.test.multica.ai" }),
-    ).toEqual({
-      schemaVersion: 1,
-      apiUrl: "https://api.test.multica.ai",
-      wsUrl: "wss://api.test.multica.ai/ws",
-      appUrl: "https://test.multica.ai",
-    });
-  });
-
-  it("dev VITE_APP_URL still wins over apiUrl-derived value", () => {
-    expect(
-      runtimeConfigFromDevEnv({
-        apiUrl: "https://api.test.multica.ai",
-        appUrl: "https://staging.multica.ai",
-      }),
-    ).toEqual({
-      schemaVersion: 1,
-      apiUrl: "https://api.test.multica.ai",
-      wsUrl: "wss://api.test.multica.ai/ws",
-      appUrl: "https://staging.multica.ai",
-    });
-  });
-});

apps/desktop/src/shared/runtime-config.ts

@@ -1,179 +0,0 @@
-export interface RuntimeConfig {
-  schemaVersion: 1;
-  apiUrl: string;
-  wsUrl: string;
-  appUrl: string;
-}
-
-export interface RuntimeConfigError {
-  message: string;
-}
-
-export type RuntimeConfigResult =
-  | { ok: true; config: RuntimeConfig }
-  | { ok: false; error: RuntimeConfigError };
-
-export const DEFAULT_RUNTIME_CONFIG: RuntimeConfig = Object.freeze({
-  schemaVersion: 1,
-  apiUrl: "https://api.multica.ai",
-  wsUrl: "wss://api.multica.ai/ws",
-  appUrl: "https://multica.ai",
-});
-
-const LOCAL_DEV_RUNTIME_CONFIG: RuntimeConfig = Object.freeze({
-  schemaVersion: 1,
-  apiUrl: "http://localhost:8080",
-  wsUrl: "ws://localhost:8080/ws",
-  appUrl: "http://localhost:3000",
-});
-
-export interface RuntimeConfigEnv {
-  apiUrl?: string;
-  wsUrl?: string;
-  appUrl?: string;
-}
-
-export function runtimeConfigFromDevEnv(env: RuntimeConfigEnv): RuntimeConfig {
-  const apiUrl = normalizeHttpUrl(
-    env.apiUrl || LOCAL_DEV_RUNTIME_CONFIG.apiUrl,
-    "VITE_API_URL",
-  );
-  return {
-    schemaVersion: 1,
-    apiUrl,
-    wsUrl: env.wsUrl
-      ? normalizeWsUrl(env.wsUrl, "VITE_WS_URL")
-      : deriveWsUrl(apiUrl),
-    appUrl: env.appUrl
-      ? normalizeHttpUrl(env.appUrl, "VITE_APP_URL")
-      : deriveDevAppUrl(apiUrl),
-  };
-}
-
-export function parseRuntimeConfig(raw: string): RuntimeConfig {
-  let parsed: unknown;
-  try {
-    parsed = JSON.parse(raw);
-  } catch (err) {
-    throw new Error(
-      `Invalid desktop runtime config JSON: ${err instanceof Error ? err.message : "parse failed"}`,
-    );
-  }
-
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new Error("Invalid desktop runtime config: expected a JSON object");
-  }
-
-  const obj = parsed as Record<string, unknown>;
-  if (obj.schemaVersion !== 1) {
-    throw new Error("Unsupported desktop runtime config schemaVersion: expected 1");
-  }
-
-  const apiUrl = requiredString(obj.apiUrl, "apiUrl");
-  const appUrl = optionalString(obj.appUrl, "appUrl");
-  const wsUrl = optionalString(obj.wsUrl, "wsUrl");
-
-  const normalizedApiUrl = normalizeHttpUrl(apiUrl, "apiUrl");
-  return {
-    schemaVersion: 1,
-    apiUrl: normalizedApiUrl,
-    wsUrl: wsUrl ? normalizeWsUrl(wsUrl, "wsUrl") : deriveWsUrl(normalizedApiUrl),
-    appUrl: appUrl ? normalizeHttpUrl(appUrl, "appUrl") : deriveAppUrl(normalizedApiUrl),
-  };
-}
-
-export function deriveWsUrl(apiUrl: string): string {
-  const url = new URL(apiUrl);
-  if (url.protocol === "https:") url.protocol = "wss:";
-  else if (url.protocol === "http:") url.protocol = "ws:";
-  else throw new Error("apiUrl must use http or https");
-  url.pathname = joinPath(url.pathname, "/ws");
-  url.search = "";
-  url.hash = "";
-  return trimTrailingSlash(url.toString());
-}
-
-// Convention: api hosts are exposed at `api.<web-host>` (api.multica.ai →
-// multica.ai, api.test.multica.ai → test.multica.ai). Strip the leading
-// `api.` label so a single `apiUrl` configuration produces the right
-// shareable web URL. Hosts that don't match the convention (no leading
-// `api.` label, or short two-label hosts like `api.local`) fall through
-// untouched — those deployments must set `appUrl` explicitly.
-export function deriveAppUrl(apiUrl: string): string {
-  const url = new URL(apiUrl);
-  url.pathname = "";
-  url.search = "";
-  url.hash = "";
-  if (url.hostname.startsWith("api.") && url.hostname.split(".").length >= 3) {
-    url.hostname = url.hostname.slice("api.".length);
-  }
-  return trimTrailingSlash(url.toString());
-}
-
-// Dev variant: when the api host is the local backend (`localhost:8080` /
-// `127.0.0.1:8080`), the renderer is served from a different port (3000),
-// so deriving by host alone is wrong. Fall back to the local dev web URL
-// in that case; for any non-local host (e.g. a remote test environment),
-// trust the production-style derivation so `apiUrl=https://api.test.x`
-// yields `appUrl=https://test.x` without a separate VITE_APP_URL.
-export function deriveDevAppUrl(apiUrl: string): string {
-  const url = new URL(apiUrl);
-  if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
-    return LOCAL_DEV_RUNTIME_CONFIG.appUrl;
-  }
-  return deriveAppUrl(apiUrl);
-}
-
-function requiredString(value: unknown, field: string): string {
-  if (typeof value !== "string" || value.trim().length === 0) {
-    throw new Error(`Invalid desktop runtime config: ${field} must be a non-empty string`);
-  }
-  return value;
-}
-
-function optionalString(value: unknown, field: string): string | undefined {
-  if (value === undefined) return undefined;
-  if (typeof value !== "string" || value.trim().length === 0) {
-    throw new Error(`Invalid desktop runtime config: ${field} must be a non-empty string when set`);
-  }
-  return value;
-}
-
-function normalizeHttpUrl(value: string, field: string): string {
-  let url: URL;
-  try {
-    url = new URL(value.trim());
-  } catch {
-    throw new Error(`Invalid desktop runtime config: ${field} must be a valid URL`);
-  }
-  if (url.protocol !== "http:" && url.protocol !== "https:") {
-    throw new Error(`Invalid desktop runtime config: ${field} must use http or https`);
-  }
-  url.search = "";
-  url.hash = "";
-  return trimTrailingSlash(url.toString());
-}
-
-function normalizeWsUrl(value: string, field: string): string {
-  let url: URL;
-  try {
-    url = new URL(value.trim());
-  } catch {
-    throw new Error(`Invalid desktop runtime config: ${field} must be a valid URL`);
-  }
-  if (url.protocol !== "ws:" && url.protocol !== "wss:") {
-    throw new Error(`Invalid desktop runtime config: ${field} must use ws or wss`);
-  }
-  url.search = "";
-  url.hash = "";
-  return trimTrailingSlash(url.toString());
-}
-
-function joinPath(base: string, suffix: string): string {
-  const normalizedBase = base.endsWith("/") ? base.slice(0, -1) : base;
-  return `${normalizedBase}${suffix}`;
-}
-
-function trimTrailingSlash(value: string): string {
-  return value.replace(/\/+$/, "");
-}

apps/desktop/vitest.config.ts

@@ -1,14 +1,8 @@
-import { resolve } from "path";
 import { defineConfig } from "vitest/config";
 import react from "@vitejs/plugin-react";
 
 export default defineConfig({
   plugins: [react()],
-  resolve: {
-    alias: {
-      "@": resolve(__dirname, "src/renderer/src"),
-    },
-  },
   test: {
     globals: true,
     include: ["src/**/*.test.{ts,tsx}", "scripts/**/*.test.mjs"],

apps/docs/app/[lang]/[...slug]/page.tsx

@@ -9,22 +9,12 @@ import { notFound } from "next/navigation";
 import defaultMdxComponents from "fumadocs-ui/mdx";
 import type { Metadata } from "next";
 import { docsAlternates } from "@/lib/site";
-import { i18n, type Lang } from "@/lib/i18n";
-import { DocsLocaleProvider, LocaleLink } from "@/components/locale-link";
-import { docsSlugStaticParams } from "@/lib/static-params";
-
-function asLang(lang: string): Lang {
-  return (i18n.languages as readonly string[]).includes(lang)
-    ? (lang as Lang)
-    : (i18n.defaultLanguage as Lang);
-}
 
 export default async function Page(props: {
   params: Promise<{ lang: string; slug: string[] }>;
 }) {
   const params = await props.params;
-  const lang = asLang(params.lang);
-  const page = source.getPage(params.slug, lang);
+  const page = source.getPage(params.slug, params.lang);
   if (!page) notFound();
 
   const MDX = page.data.body;
@@ -34,24 +24,21 @@ export default async function Page(props: {
       <DocsTitle>{page.data.title}</DocsTitle>
       <DocsDescription>{page.data.description}</DocsDescription>
       <DocsBody>
-        <DocsLocaleProvider lang={lang}>
-          <MDX components={{ ...defaultMdxComponents, a: LocaleLink }} />
-        </DocsLocaleProvider>
+        <MDX components={{ ...defaultMdxComponents }} />
       </DocsBody>
     </DocsPage>
   );
 }
 
 export function generateStaticParams() {
-  return docsSlugStaticParams(source.generateParams());
+  return source.generateParams().filter((p) => p.slug.length > 0);
 }
 
 export async function generateMetadata(props: {
   params: Promise<{ lang: string; slug: string[] }>;
 }): Promise<Metadata> {
   const params = await props.params;
-  const lang = asLang(params.lang);
-  const page = source.getPage(params.slug, lang);
+  const page = source.getPage(params.slug, params.lang);
   if (!page) notFound();
 
   return {

apps/docs/app/[lang]/layout.tsx

@@ -11,13 +11,18 @@ import { i18n, type Lang } from "@/lib/i18n";
 import { uiTranslations, localeLabels } from "@/lib/translations";
 import { DocsSettings } from "@/components/docs-settings";
 
-// Inter (Latin UI face) is exposed under `--font-inter`. The full `--font-sans`
-// stack — Inter + the per-locale CJK fallback chain, including the Japanese-first
-// override scoped to `<html lang="ja">` — is composed in static CSS in
-// ./global.css (CSP-safe, no inline <style>). Mirrors apps/web/app/layout.tsx.
 const inter = Inter({
   subsets: ["latin"],
-  variable: "--font-inter",
+  variable: "--font-sans",
+  fallback: [
+    "-apple-system",
+    "BlinkMacSystemFont",
+    "Segoe UI",
+    "PingFang SC",
+    "Microsoft YaHei",
+    "Noto Sans CJK SC",
+    "sans-serif",
+  ],
 });
 
 const geistMono = Geist_Mono({

apps/docs/app/[lang]/page.tsx

@@ -8,7 +8,6 @@ import { Byline, NumberedCards, NumberedCard, NumberedSteps, Step } from "@/comp
 import { i18n, type Lang } from "@/lib/i18n";
 import { homeCopy } from "@/lib/translations";
 import { docsAlternates } from "@/lib/site";
-import { DocsLocaleProvider, LocaleLink } from "@/components/locale-link";
 
 function asLang(lang: string): Lang {
   return (i18n.languages as readonly string[]).includes(lang)
@@ -53,18 +52,15 @@ export default async function Page({
       />
       <Byline items={[...copy.byline]} />
       <DocsBody>
-        <DocsLocaleProvider lang={lang}>
-          <MDX
-            components={{
-              ...defaultMdxComponents,
-              a: LocaleLink,
-              NumberedCards,
-              NumberedCard,
-              NumberedSteps,
-              Step,
-            }}
-          />
-        </DocsLocaleProvider>
+        <MDX
+          components={{
+            ...defaultMdxComponents,
+            NumberedCards,
+            NumberedCard,
+            NumberedSteps,
+            Step,
+          }}
+        />
       </DocsBody>
     </DocsPage>
   );

apps/docs/app/api/search/route.ts

@@ -17,42 +17,8 @@ function tokenizeCJK(raw: string): string[] {
   return tokens;
 }
 
-// Japanese mixes Hiragana, Katakana and Kanji; the English regex strips them
-// all, and the zh tokenizer only keeps Han (Kanji), dropping kana entirely.
-// Tokenize each kana/Kanji codepoint on its own and keep Latin/digit runs
-// whole — same character-level recall strategy as tokenizeCJK, extended to
-// the Hiragana (\u3040-\u309f) and Katakana (\u30a0-\u30ff) blocks, plus the
-// ideographic iteration mark \u3005 which sits just below the kana blocks and
-// recurs in common words (e.g. the JP for "various", "daily", "individual").
-function tokenizeJapanese(raw: string): string[] {
-  const tokens: string[] = [];
-  const regex = /[\u3005\u3040-\u30ff\u3400-\u4dbf\u4e00-\u9fff]|[A-Za-z0-9]+/g;
-  const lower = raw.toLowerCase();
-  let match: RegExpExecArray | null;
-  while ((match = regex.exec(lower)) !== null) {
-    tokens.push(match[0]);
-  }
-  return tokens;
-}
-
 export const { GET } = createFromSource(source, {
   localeMap: {
-    ko: {
-      components: {
-        tokenizer: {
-          language: "english",
-        },
-      },
-    },
-    ja: {
-      components: {
-        tokenizer: {
-          language: "english",
-          normalizationCache: new Map(),
-          tokenize: tokenizeJapanese,
-        },
-      },
-    },
     zh: {
       components: {
         tokenizer: {

apps/docs/app/font-fallback-order.test.ts

@@ -1,57 +0,0 @@
-import { readFileSync } from "node:fs";
-import { resolve } from "node:path";
-import { describe, expect, it } from "vitest";
-
-const chineseFonts = ["PingFang SC", "Microsoft YaHei", "Noto Sans CJK SC"];
-const koreanFonts = ["Apple SD Gothic Neo", "Malgun Gothic", "Noto Sans CJK KR"];
-const japaneseFonts = ["Hiragino Sans", "Yu Gothic", "Noto Sans CJK JP"];
-
-function expectChineseFontsBeforeKoreanFonts(source: string) {
-  const chineseIndexes = chineseFonts.map((font) => source.indexOf(font));
-  const koreanIndexes = koreanFonts.map((font) => source.indexOf(font));
-
-  expect(chineseIndexes).not.toContain(-1);
-  expect(koreanIndexes).not.toContain(-1);
-
-  for (const chineseIndex of chineseIndexes) {
-    for (const koreanIndex of koreanIndexes) {
-      expect(chineseIndex).toBeLessThan(koreanIndex);
-    }
-  }
-}
-
-// Japanese Kanji share the Han Unicode block with Chinese, so the docs
-// Japanese-first CJK stack must be scoped to html[lang|="ja"] (zh/en keep
-// Chinese-first) and order Japanese fonts before the Chinese families.
-function expectJapaneseScopedOverride(source: string) {
-  expect(source).toContain('html[lang|="ja"]');
-
-  const japaneseIndexes = japaneseFonts.map((font) => source.indexOf(font));
-  expect(japaneseIndexes).not.toContain(-1);
-
-  const firstJapanese = Math.min(...japaneseIndexes);
-  const lastChinese = Math.max(
-    ...chineseFonts.map((font) => source.lastIndexOf(font)),
-  );
-  expect(firstJapanese).toBeLessThan(lastChinese);
-}
-
-describe("CJK font fallback order", () => {
-  it("keeps docs Chinese font fallbacks before Korean font fallbacks", () => {
-    const cssSource = readFileSync(
-      resolve(process.cwd(), "app/global.css"),
-      "utf8",
-    );
-
-    expectChineseFontsBeforeKoreanFonts(cssSource);
-  });
-
-  it("scopes the Japanese-first CJK stack to html[lang|='ja']", () => {
-    const cssSource = readFileSync(
-      resolve(process.cwd(), "app/global.css"),
-      "utf8",
-    );
-
-    expectJapaneseScopedOverride(cssSource);
-  });
-});

apps/docs/app/global.css

@@ -6,36 +6,6 @@
 
 @source "../../../packages/ui/**/*.{ts,tsx}";
 
-/* ---------------------------------------------------------------------------
- * Font stack. `--font-inter` is the next/font Inter family (+ synthetic
- * size-adjusted fallback), set on <html> by inter.variable in app/[lang]/layout.tsx.
- * `--font-sans` is composed here in static CSS so it can be overridden per
- * `<html lang>` and stays CSP-safe (no inline <style>). Tailwind's `font-sans`
- * utility resolves `var(--font-sans)`. Mirrors apps/web/app/globals.css.
- *
- * Default (en / zh / ko): Latin → Inter, CJK → Chinese then Korean. Chinese MUST
- * stay before Korean so zh users don't get Korean Hanja glyph shapes.
- * ------------------------------------------------------------------------- */
-
-:root {
-  --font-sans: var(--font-inter), -apple-system, BlinkMacSystemFont, "Segoe UI",
-    "PingFang SC", "Microsoft YaHei", "Noto Sans CJK SC", "Apple SD Gothic Neo",
-    "Malgun Gothic", "Noto Sans CJK KR", sans-serif;
-}
-
-/* Japanese: Kanji share the Han Unicode block with Chinese and CSS fallback
-   order is not affected by `<html lang>`, so promote a Japanese-first CJK chain
-   only for Japanese docs (`<html lang="ja">`). `[lang|="ja"]` is the BCP-47
-   language-range selector — matches exactly `ja` or `ja-<region>`, never
-   unrelated subtags like `jam`. Inter still leads for Latin. */
-html[lang|="ja"] {
-  --font-sans: var(--font-inter), "Hiragino Sans", "Hiragino Kaku Gothic ProN",
-    "Yu Gothic", "YuGothic", "Meiryo", "Noto Sans CJK JP", "Noto Sans JP",
-    -apple-system, BlinkMacSystemFont, "Segoe UI", "PingFang SC",
-    "Microsoft YaHei", "Noto Sans CJK SC", "Apple SD Gothic Neo", "Malgun Gothic",
-    "Noto Sans CJK KR", sans-serif;
-}
-
 /* ---------------------------------------------------------------------------
  * Multica Docs — editorial visual identity (v2)
  *

apps/docs/components/editorial.tsx

@@ -1,9 +1,5 @@
-"use client";
-
 import Link from "next/link";
 import type { ReactNode } from "react";
-import { useDocsLocale } from "@/components/locale-link";
-import { prefixLocale } from "@/lib/locale-link";
 
 /**
  * Byline — editorial metadata strip with ruled top + bottom borders.
@@ -59,10 +55,9 @@ export function NumberedCard({
   tag?: string;
   children: ReactNode;
 }) {
-  const lang = useDocsLocale();
   return (
     <Link
-      href={prefixLocale(href, lang)}
+      href={href}
       className="group flex flex-col gap-2.5 border-r border-border px-0 py-5 pr-4 no-underline last:border-r-0 md:px-4 md:first:pl-0 md:last:pr-0"
     >
       <div className="font-mono text-[0.6875rem] uppercase tracking-[0.08em] text-muted-foreground">

apps/docs/components/locale-link.tsx

@@ -1,48 +0,0 @@
-"use client";
-
-import Link from "next/link";
-import {
-  createContext,
-  use,
-  type AnchorHTMLAttributes,
-  type ReactNode,
-} from "react";
-import { i18n, type Lang } from "@/lib/i18n";
-import { prefixLocale } from "@/lib/locale-link";
-
-const DocsLocaleContext = createContext<Lang>(i18n.defaultLanguage as Lang);
-
-// Wraps the rendered MDX subtree so descendant <LocaleLink>s and any
-// editorial component using `useDocsLocale()` know which language the page
-// was rendered in. Mounted at each docs page entry; never elsewhere.
-export function DocsLocaleProvider({
-  lang,
-  children,
-}: {
-  lang: Lang;
-  children: ReactNode;
-}) {
-  return (
-    <DocsLocaleContext.Provider value={lang}>
-      {children}
-    </DocsLocaleContext.Provider>
-  );
-}
-
-export function useDocsLocale(): Lang {
-  return use(DocsLocaleContext);
-}
-
-// Drop-in replacement for the MDX-rendered `<a>` element. Keeps the same
-// surface shape as the default `a` from `defaultMdxComponents` but routes
-// internal links through the locale prefixer + next/link so client-side
-// navigation stays inside the active locale.
-export function LocaleLink({
-  href,
-  ...rest
-}: AnchorHTMLAttributes<HTMLAnchorElement> & { href?: string }) {
-  const lang = useDocsLocale();
-  if (!href) return <a {...rest} />;
-  const final = prefixLocale(href, lang);
-  return <Link href={final} {...rest} />;
-}

apps/docs/content/docs/agents-create.ja.mdx

@@ -1,127 +0,0 @@
----
-title: エージェントの作成と構成
-description: エージェントを作成するために必要な最小限のフィールドと、すべての任意設定 — システム指示、環境変数、公開範囲、同時実行制限、アーカイブ。
----
-
-import { Callout } from "fumadocs-ui/components/callout";
-
-[エージェント](/agents)を作成するのに必要なのは 2 つだけです。**名前**と **[AI コーディングツール](/providers)の選択**です。それ以外はすべて任意です — システム指示、モデル、環境変数、CLI 引数、公開範囲、同時実行制限 — デフォルト値でも問題なく動作します。まず動かしてから後で調整しましょう。すべてのフィールドはいつでも変更できます。
-
-## エージェントを作成する
-
-前提条件: 使用中のマシンにサポートされている [AI コーディングツール](/providers)が少なくとも 1 つインストールされており（Claude Code、Codex など）、[デーモン](/daemon-runtimes)が実行中であること。まだそこまで準備できていない場合は、[Cloud クイックスタート](/cloud-quickstart)または[セルフホストクイックスタート](/self-host-quickstart)から始めてください。
-
-準備が整ったら、ワークスペースの **Agents** ページに移動して **+ New** をクリックするか、CLI を使用します。
-
-```bash
-multica agent create
-```
-
-このフォームには必須フィールドが 2 つだけあります。**name**（ワークスペース内で一意であること）と **runtime**（= AI コーディングツールの選択）です。それ以外のすべてのフィールドは、以下でセクションごとに扱います。
-
-## AI コーディングツールを選ぶ
-
-各ランタイムは特定の AI コーディングツールを基盤としています。Multica はそのうち 12 個をサポートします。最も一般的な選択肢は次のとおりです。
-
-| ツール | 適している場合 |
-|---|---|
-| **Claude Code** | Anthropic の公式ツールで、最も完成度の高い機能セットを提供します。**最初の選択として最適です** |
-| **Codex** | OpenAI 製で、主流の代替手段です |
-| **Cursor** | Cursor エディターのエコシステムを使うユーザー |
-| **Copilot** | GitHub アカウントの権限を活用するチーム |
-| **Gemini** | Google エコシステムのユーザー |
-
-残りの 7 個（Antigravity、Hermes、Kimi、Kiro CLI、OpenCode、Pi、OpenClaw）と、各ツールの完全な機能比較表（セッション再開、MCP、スキル注入パス、モデル選択）は、[AI コーディングツール比較](/providers)で扱います。
-
-## システム指示を書く
-
-**システム指示**（`instructions`）はすべてのタスクの先頭に追加され、エージェントがどんな役割を担い、どんなルールに従うべきかを伝えます。
-
-```text
-You're a frontend code-review agent. When an issue comes in, read the diff first. Focus only on:
-- Styling issues (tailwind class names, box model)
-- Accessibility (a11y)
-Don't change code — leave suggestions in a comment.
-```
-
-空のままにすると（デフォルト）、エージェントは追加の制約なしに、基盤となる AI コーディングツールのネイティブな動作を使用します。
-
-## モデルを選ぶ
-
-ほとんどの AI コーディングツールはモデル選択をサポートしています（例えば Claude Code では Sonnet と Opus のどちらかを選べます）。空のままにするとツール自体のデフォルト値が使われ、明示的に 1 つを選ぶとそのモデルが実行されます。各ツールがサポートするモデルは、[AI コーディングツール比較](/providers)にまとめられています。
-
-モデルの変更は**新しいタスクにのみ適用されます**。すでにディスパッチされたタスクは、ディスパッチ時点で固定されたモデルで実行を続けます。
-
-## カスタム環境変数 (custom_env)
-
-**カスタム環境変数**（`custom_env`）を使うと、タスク実行時に追加の環境変数を注入できます。代表的な用途は API キーの設定やアップストリームエンドポイントの切り替えです。
-
-```
-ANTHROPIC_API_KEY = sk-...
-ANTHROPIC_BASE_URL = https://my-proxy.example.com
-```
-
-システムにとって重要な変数は上書きできません。`PATH`、`HOME`、`USER`、`SHELL`、`TERM`、`CODEX_HOME`、そして `MULTICA_*` で始まるすべてのキーは、デーモンが静かに無視します（警告ログは残しますが、エラーは発生しません）。
-
-<Callout type="warning">
-**`custom_env` の値は Multica サーバーのデータベースに平文で保存されます。** エージェントの list/get レスポンスには環境変数の値がまったく含まれなくなり、不透明な個数だけが返されます。実際の値を読み取るには、ワークスペースの owner または admin が、専用で監査される `GET /api/agents/{id}/env` エンドポイント（CLI: `multica agent env get <id>`）を呼び出す必要があります。タスクを実行中のエージェントは、ホストの owner 資格情報を使って他のエージェントの環境変数を明らかにすることはできません。このエンドポイントはエージェントアクターのセッションを拒否します。
-
-**価値の高いシークレットは `custom_env` に入れないでください**（本番データベースのパスワード、root レベルのトークンなど）。エージェントには**権限範囲が限定された専用の資格情報**（読み取り専用 API キー、単一スコープの PAT）を使用し、定期的にローテーションしてください。データベースのバックアップと DB 監査は、依然として意味のある露出面として残ります。
-</Callout>
-
-## カスタム CLI 引数 (custom_args)
-
-**カスタム CLI 引数**（`custom_args`）は、AI コーディングツールのコマンドラインに 1 つずつ順に付け足される文字列配列です。
-
-```json
-["--max-turns", "100", "--append-system-prompt", "always respond in Chinese"]
-```
-
-最終的なコマンドは次のように生成されます。
-
-```bash
-claude --model <model> --max-turns 100 --append-system-prompt "always respond in Chinese" [...]
-```
-
-引数はシェルを介さずそのまま渡されるため（注入リスクなし）、特定のフラグが認識されるかどうかは AI コーディングツール自体に依存します。この部分はツールによって大きな差があります。
-
-<Callout type="tip">
-`custom_env` と `custom_args` には厳格な上限はありませんが、実際には**それぞれ 10 個以内に抑えてください**。多すぎるとコマンドラインが長くなり、起動が遅くなり、メンテナンスも難しくなります。
-</Callout>
-
-## 公開範囲
-
-- **ワークスペース**（`workspace`） — ワークスペースのすべてのメンバーが割り当てできます
-- **非公開**（`private`） — ワークスペースの owner、admin、またはエージェントの作成者だけが割り当てできます
-
-新しいエージェントはデフォルトで `private` です。
-
-**非公開だからといって隠されるわけではありません** — すべてのメンバーが一覧で非公開エージェントの名前と説明を見ることができ、ただし機微な構成は読み取れません（環境変数の値はエージェントの list/get レスポンスに決して現れず、MCP 構成は owner 以外のユーザーにはマスキングされます）。詳しい意味は[エージェント → 誰がエージェントを割り当てられるか](/agents#who-can-assign-an-agent)を参照してください。
-
-## 同時実行制限
-
-**同時実行制限**（`max_concurrent_tasks`）は、このエージェントが一度に並列で実行できるタスク数を制御します。デフォルト値は **6** です。上限に達した新しいタスクは拒否されず、キューで待機します。
-
-これは 2 段階の制限のうち「エージェント層」にすぎません。デーモン自体がより広い上限（デフォルト値 20）を適用し、2 つのうちより厳しい方が優先されます。詳しくは[デーモンとランタイム → 並列で何個のタスクを実行できるか](/daemon-runtimes#how-many-tasks-can-run-in-parallel)にあります。
-
-この値を変更しても**すでに実行中のタスクはキャンセルされず**、次に処理されるタスクからのみ適用されます。
-
-## ドメインの専門性をつなぐ: スキル
-
-作成したエージェントには**スキル**をアタッチできます — タスク実行時に AI コーディングツールへ自動的に届けられる**ナレッジパック**（`SKILL.md` + 補助ファイル）です。新しいスキルを作成したり、GitHub または ClawHub からインポートしたり、マシン上の既存のスキルディレクトリからスキャンしたりできます。[スキル](/skills)を参照してください。
-
-## アーカイブと復元
-
-もう使わないエージェントは**アーカイブ**できます — 日常的な画面からは消えますが、履歴データ（実行したタスク、投稿したコメント）はすべてそのまま保持されます。いつでも**復元**して再び作業に投入できます。
-
-<Callout type="warning">
-**アーカイブは、そのエージェントに属する未完了のすべてのタスクを即座にキャンセルします** — 実行中、ディスパッチ済み、キュー待ちのタスクがすべて `cancelled` としてマークされ、続行されません。進行中の重要なタスクがある場合は、アーカイブする前に最後まで完了させてください。
-</Callout>
-
-アーカイブ済みのエージェントには新しいタスクを割り当てられません。
-
-## 次のステップ
-
-- [スキル](/skills) — エージェントにナレッジパックをアタッチする
-- [AI コーディングツール比較](/providers) — 12 個のツール全体の機能比較表
-- [エージェントへのイシューの割り当て](/assigning-issues) — 新しく作ったエージェントを作業に投入する

apps/docs/content/docs/agents-create.ko.mdx

@@ -1,127 +0,0 @@
----
-title: 에이전트 생성 및 구성
-description: 에이전트를 생성하는 데 필요한 최소 필드와 모든 선택적 설정 — 시스템 지침, 환경 변수, 공개 범위, 동시 실행 제한, 보관.
----
-
-import { Callout } from "fumadocs-ui/components/callout";
-
-[에이전트](/agents)를 생성하는 데는 단 두 가지만 필요합니다. **이름** 하나와 **[AI 코딩 도구](/providers) 선택** 하나입니다. 나머지는 모두 선택 사항입니다 — 시스템 지침, 모델, 환경 변수, CLI 인자, 공개 범위, 동시 실행 제한 — 기본값으로도 문제없이 작동합니다. 먼저 실행해 보고 나중에 조정하세요. 모든 필드는 언제든지 변경할 수 있습니다.
-
-## 에이전트 생성
-
-전제 조건: 사용 중인 기기에 지원되는 [AI 코딩 도구](/providers)가 최소 하나는 설치되어 있고(Claude Code, Codex 등) [데몬](/daemon-runtimes)이 실행 중이어야 합니다. 아직 여기까지 준비되지 않았다면 [Cloud 빠른 시작](/cloud-quickstart)이나 [자체 호스팅 빠른 시작](/self-host-quickstart)부터 시작하세요.
-
-준비가 끝나면 워크스페이스의 **에이전트** 페이지로 이동해 **+ New**를 클릭하거나 CLI를 사용하세요.
-
-```bash
-multica agent create
-```
-
-이 폼에는 필수 필드가 두 개뿐입니다. **이름**(워크스페이스 내에서 고유해야 함)과 **런타임**(= AI 코딩 도구 선택)입니다. 나머지 모든 필드는 아래에서 섹션별로 다룹니다.
-
-## AI 코딩 도구 선택
-
-각 런타임은 특정 AI 코딩 도구를 기반으로 합니다. Multica는 그중 12개를 지원합니다. 가장 일반적인 선택지는 다음과 같습니다.
-
-| 도구 | 적합한 경우 |
-|---|---|
-| **Claude Code** | Anthropic의 공식 도구로, 가장 완성도 높은 기능 집합을 제공합니다. **첫 선택으로 가장 좋습니다** |
-| **Codex** | OpenAI 제품으로, 주류 대안입니다 |
-| **Cursor** | Cursor 에디터 생태계 사용자 |
-| **Copilot** | GitHub 계정 권한을 활용하는 팀 |
-| **Gemini** | Google 생태계 사용자 |
-
-나머지 7개(Antigravity, Hermes, Kimi, Kiro CLI, OpenCode, Pi, OpenClaw)와 각 도구의 전체 기능 비교표(세션 재개, MCP, 스킬 주입 경로, 모델 선택)는 [AI 코딩 도구 비교](/providers)에서 다룹니다.
-
-## 시스템 지침 작성
-
-**시스템 지침**(`instructions`)은 모든 작업 앞에 추가되어, 에이전트가 어떤 역할을 맡고 어떤 규칙을 따라야 하는지 알려줍니다.
-
-```text
-You're a frontend code-review agent. When an issue comes in, read the diff first. Focus only on:
-- Styling issues (tailwind class names, box model)
-- Accessibility (a11y)
-Don't change code — leave suggestions in a comment.
-```
-
-비워 두면(기본값) 에이전트는 추가 제약 없이 기반이 되는 AI 코딩 도구의 기본 동작을 사용합니다.
-
-## 모델 선택
-
-대부분의 AI 코딩 도구는 모델 선택을 지원합니다(예를 들어 Claude Code는 Sonnet과 Opus 중에서 고를 수 있습니다). 비워 두면 도구 자체의 기본값이 사용되고, 명시적으로 하나를 선택하면 그 모델이 실행됩니다. 각 도구가 지원하는 모델은 [AI 코딩 도구 비교](/providers)에 정리되어 있습니다.
-
-모델 변경은 **새 작업에만 적용됩니다**. 이미 디스패치된 작업은 디스패치 시점에 고정된 모델로 계속 실행됩니다.
-
-## 사용자 지정 환경 변수 (custom_env)
-
-**사용자 지정 환경 변수**(`custom_env`)를 사용하면 작업 실행 시점에 추가 환경 변수를 주입할 수 있습니다. 대표적인 용도는 API 키 설정이나 업스트림 엔드포인트 전환입니다.
-
-```
-ANTHROPIC_API_KEY = sk-...
-ANTHROPIC_BASE_URL = https://my-proxy.example.com
-```
-
-시스템에 핵심적인 변수는 재정의할 수 없습니다. `PATH`, `HOME`, `USER`, `SHELL`, `TERM`, `CODEX_HOME`, 그리고 `MULTICA_*`로 시작하는 모든 키는 데몬이 조용히 무시합니다(경고 로그는 남기지만 오류는 발생하지 않습니다).
-
-<Callout type="warning">
-**`custom_env`의 값은 Multica 서버 데이터베이스에 평문으로 저장됩니다.** 에이전트 list/get 응답은 더 이상 환경 변수 값을 전혀 포함하지 않으며, 불투명한 개수만 반환합니다. 실제 값을 읽으려면 워크스페이스 owner 또는 admin이 전용으로 감사되는 `GET /api/agents/{id}/env` 엔드포인트(CLI: `multica agent env get <id>`)를 호출해야 합니다. 작업을 실행 중인 에이전트는 호스트의 owner 자격 증명을 이용해 다른 에이전트의 환경 변수를 드러낼 수 없습니다. 이 엔드포인트는 에이전트 액터 세션을 거부합니다.
-
-**가치가 높은 secret은 `custom_env`에 넣지 마세요**(운영 데이터베이스 비밀번호, root 수준 토큰 등). 에이전트에는 **권한 범위가 제한된 전용 자격 증명**(읽기 전용 API 키, 단일 스코프 PAT)을 사용하고 정기적으로 교체하세요. 데이터베이스 백업과 DB 감사는 여전히 의미 있는 노출 표면으로 남아 있습니다.
-</Callout>
-
-## 사용자 지정 CLI 인자 (custom_args)
-
-**사용자 지정 CLI 인자**(`custom_args`)는 AI 코딩 도구의 명령줄에 하나씩 차례로 덧붙는 문자열 배열입니다.
-
-```json
-["--max-turns", "100", "--append-system-prompt", "always respond in Chinese"]
-```
-
-최종 명령은 다음과 같이 만들어집니다.
-
-```bash
-claude --model <model> --max-turns 100 --append-system-prompt "always respond in Chinese" [...]
-```
-
-인자는 셸을 거치지 않고 있는 그대로 전달되므로(주입 위험 없음), 특정 플래그가 인식되는지 여부는 AI 코딩 도구 자체에 달려 있습니다. 이 부분은 도구마다 상당한 차이가 있습니다.
-
-<Callout type="tip">
-`custom_env`와 `custom_args`에는 엄격한 상한이 없지만, 실제로는 **각각 10개 이내로 유지하세요**. 너무 많으면 명령줄이 길어지고 시작이 느려지며 유지 관리도 어려워집니다.
-</Callout>
-
-## 공개 범위
-
-- **워크스페이스**(`workspace`) — 워크스페이스의 모든 멤버가 할당할 수 있습니다
-- **비공개**(`private`) — 워크스페이스 owner, admin, 또는 에이전트 생성자만 할당할 수 있습니다
-
-새 에이전트는 기본적으로 `private`입니다.
-
-**비공개라고 해서 숨겨지는 것은 아닙니다** — 모든 멤버가 목록에서 비공개 에이전트의 이름과 설명을 볼 수 있으며, 다만 민감한 구성은 읽을 수 없습니다(환경 변수 값은 에이전트 list/get 응답에 절대 나타나지 않으며, MCP 구성은 owner가 아닌 사용자에게는 마스킹됩니다). 자세한 의미는 [에이전트 → 누가 에이전트를 할당할 수 있나요](/agents#who-can-assign-an-agent)를 참고하세요.
-
-## 동시 실행 제한
-
-**동시 실행 제한**(`max_concurrent_tasks`)은 이 에이전트가 한 번에 병렬로 실행할 수 있는 작업 수를 제어합니다. 기본값은 **6**입니다. 상한에 도달한 새 작업은 거부되지 않고 대기열에서 대기합니다.
-
-이것은 두 단계 제한 중 "에이전트 계층"에 불과합니다. 데몬 자체가 더 넓은 상한(기본값 20)을 적용하며, 둘 중 더 빡빡한 쪽이 우선합니다. 자세한 내용은 [데몬과 런타임 → 병렬로 몇 개의 작업을 실행할 수 있나요](/daemon-runtimes#how-many-tasks-can-run-in-parallel)에 있습니다.
-
-이 값을 변경해도 **이미 실행 중인 작업은 취소되지 않으며**, 다음에 처리될 작업부터만 적용됩니다.
-
-## 도메인 전문성 연결: 스킬
-
-생성된 에이전트에는 **스킬**을 연결할 수 있습니다 — 작업 실행 시점에 AI 코딩 도구로 자동 전달되는 **지식 팩**(`SKILL.md` + 보조 파일)입니다. 새 스킬을 만들거나, GitHub 또는 ClawHub에서 가져오거나, 기기에 있는 기존 스킬 디렉터리에서 스캔할 수 있습니다. [스킬](/skills)을 참고하세요.
-
-## 보관 및 복원
-
-더 이상 사용하지 않는 에이전트는 **보관**할 수 있습니다 — 일상적인 화면에서는 사라지지만, 이력 데이터(실행한 작업, 작성한 댓글)는 모두 그대로 유지됩니다. 언제든지 **복원**하여 다시 작업에 투입할 수 있습니다.
-
-<Callout type="warning">
-**보관은 해당 에이전트에 속한 완료되지 않은 모든 작업을 즉시 취소합니다** — 실행 중, 디스패치됨, 대기 중인 작업이 모두 `cancelled`로 표시되며 계속 진행되지 않습니다. 진행 중인 중요한 작업이 있다면 보관하기 전에 끝까지 완료되도록 두세요.
-</Callout>
-
-보관된 에이전트에는 새 작업을 할당할 수 없습니다.
-
-## 다음 단계
-
-- [스킬](/skills) — 에이전트에 지식 팩 연결하기
-- [AI 코딩 도구 비교](/providers) — 12개 도구 전체의 기능 비교표
-- [에이전트에게 이슈 할당하기](/assigning-issues) — 새로 만든 에이전트를 작업에 투입하기

apps/docs/content/docs/agents-create.mdx

@@ -21,7 +21,7 @@ The form has only two required fields: **name** (unique within the workspace) an
 
 ## Pick an AI coding tool
 
-Each runtime is backed by a specific AI coding tool. Multica supports 12 of them. The most common choices:
+Each runtime is backed by a specific AI coding tool. Multica supports 11 of them. The most common choices:
 
 | Tool | Good for |
 |---|---|
@@ -31,7 +31,7 @@ Each runtime is backed by a specific AI coding tool. Multica supports 12 of them
 | **Copilot** | Teams leveraging their GitHub account entitlements |
 | **Gemini** | Users in the Google ecosystem |
 
-The other seven (Antigravity, Hermes, Kimi, Kiro CLI, OpenCode, Pi, OpenClaw), along with each tool's full capability matrix (session resume, MCP, skill injection path, model selection), are covered in [AI coding tools comparison](/providers).
+The other six (Hermes, Kimi, Kiro CLI, OpenCode, Pi, OpenClaw), along with each tool's full capability matrix (session resume, MCP, skill injection path, model selection), are covered in [AI coding tools comparison](/providers).
 
 ## Writing system instructions
 
@@ -64,9 +64,9 @@ ANTHROPIC_BASE_URL = https://my-proxy.example.com
 System-critical variables cannot be overridden: `PATH`, `HOME`, `USER`, `SHELL`, `TERM`, `CODEX_HOME`, and any key starting with `MULTICA_*` are silently ignored by the daemon (with a warn log — no error).
 
 <Callout type="warning">
-**Values in `custom_env` are stored in plaintext in Multica's server database.** Agent list/get responses no longer carry env values at all — only an opaque count. Reading values requires a workspace owner or admin to hit the dedicated, audited `GET /api/agents/{id}/env` endpoint (CLI: `multica agent env get <id>`). Agents running tasks can NOT use their host's owner credentials to reveal env on other agents — the endpoint denies agent-actor sessions.
+**Values in `custom_env` are stored in plaintext in Multica's server database.** Non-creators and non-workspace-admins can't see the values (the API returns `****`), but they're still visible in database backups and DB audits.
 
-**Don't put high-value secrets in `custom_env`** (production database passwords, root-level tokens, etc.). Use **dedicated, limited-scope credentials** for agents (read-only API keys, single-scope PATs), and rotate them regularly. Database backups and DB audits remain a meaningful exposure surface.
+**Don't put high-value secrets in `custom_env`** (production database passwords, root-level tokens, etc.). Use **dedicated, limited-scope credentials** for agents (read-only API keys, single-scope PATs), and rotate them regularly.
 </Callout>
 
 ## Custom CLI arguments (custom_args)
@@ -96,7 +96,7 @@ Arguments are passed as-is, not through a shell (no injection risk), but whether
 
 New agents default to `private`.
 
-**Private does not mean hidden** — every member sees a private agent's name and description in the list, they just can't read sensitive config (env values never appear in agent list/get responses; MCP config is masked for non-owners). Full meaning in [Agents → Who can assign an agent](/agents#who-can-assign-an-agent).
+**Private does not mean hidden** — every member sees a private agent's name and description in the list, they just can't see sensitive config fields (the values in `custom_env` and MCP config are masked). Full meaning in [Agents → Who can assign an agent](/agents#who-can-assign-an-agent).
 
 ## Concurrency limit
 
@@ -123,5 +123,5 @@ Archived agents can't be assigned new tasks.
 ## Next steps
 
 - [Skills](/skills) — attach knowledge packs to an agent
-- [AI coding tools comparison](/providers) — full capability matrix across all 12 tools
+- [AI coding tools comparison](/providers) — full capability matrix across all 11 tools
 - [Assigning issues to agents](/assigning-issues) — put your new agent to work

apps/docs/content/docs/agents-create.zh.mdx

@@ -21,7 +21,7 @@ multica agent create
 
 ## 选一款 AI 编程工具
 
-运行时背后是一款具体的 AI 编程工具。Multica 支持 12 款，最常用的几款：
+运行时背后是一款具体的 AI 编程工具。Multica 支持 11 款，最常用的几款：
 
 | 工具 | 适合 |
 |---|---|
@@ -31,7 +31,7 @@ multica agent create
 | **Copilot** | 用 GitHub 账号权益的团队 |
 | **Gemini** | Google 生态用户 |
 
-另外 7 款（Antigravity、Hermes、Kimi、Kiro CLI、OpenCode、Pi、OpenClaw）以及每款工具的完整能力差别（会话恢复、MCP、skill 注入路径、模型选择）见 [AI 编程工具对照](/providers)。
+另外 6 款（Hermes、Kimi、Kiro CLI、OpenCode、Pi、OpenClaw）以及每款工具的完整能力差别（会话恢复、MCP、skill 注入路径、模型选择）见 [AI 编程工具对照](/providers)。
 
 ## 写系统指令
 
@@ -64,7 +64,7 @@ ANTHROPIC_BASE_URL = https://my-proxy.example.com
 系统关键变量不能被覆盖：`PATH`、`HOME`、`USER`、`SHELL`、`TERM`、`CODEX_HOME`，以及任何 `MULTICA_*` 开头的 key 都会被守护进程静默忽略（日志里有 warn，不会报错）。
 
 <Callout type="warning">
-**`custom_env` 的值在 Multica 服务器的数据库里是明文存储的。** agent list/get 接口不再返回任何 env 值——只返回键的数量。读取真实值需要 workspace owner / admin 调用专用且会审计的 `GET /api/agents/{id}/env`（CLI: `multica agent env get <id>`）。正在执行任务的智能体即便宿主是 owner，也无法借此读取其它智能体的 env——这个接口拒绝 agent-actor 会话。数据库备份、DB 审计里仍然能看到真实值。
+**`custom_env` 的值在 Multica 服务器的数据库里是明文存储的。** 非智能体创建者 / 非 workspace admin 看不到值（API 返回 `****`），但数据库备份、DB 审计里仍然能看到。
 
 **不要把高价值 secret 放进 `custom_env`**（生产数据库密码、root 级 token 等）。给智能体用**独立的、有限权限的凭证**（只读 API key、单 scope 的 PAT），定期轮换。
 </Callout>
@@ -96,7 +96,7 @@ claude --model <model> --max-turns 100 --append-system-prompt "always respond in
 
 新建默认 `private`。
 
-**私有不等于隐藏**——列表里所有成员都能看到私有智能体的名字和描述，只是看不到敏感配置（env 值从不会出现在 agent list/get 响应里；MCP 配置对非 owner 会被打码）。完整含义见 [智能体 → 谁能把智能体分配出去](/agents#谁能把智能体分配出去)。
+**私有不等于隐藏**——列表里所有成员都能看到私有智能体的名字和描述，只是看不到敏感配置字段（`custom_env`、MCP 配置的值被打码）。完整含义见 [智能体 → 谁能把智能体分配出去](/agents#谁能把智能体分配出去)。
 
 ## 并发上限
 
@@ -123,5 +123,5 @@ claude --model <model> --max-turns 100 --append-system-prompt "always respond in
 ## 下一步
 
 - [Skills](/skills) —— 给智能体挂专业知识包
-- [AI 编程工具对照](/providers) —— 12 款工具的完整能力差别
+- [AI 编程工具对照](/providers) —— 11 款工具的完整能力差别
 - [把 issue 分配给智能体](/assigning-issues) —— 创建完之后怎么用起来

apps/docs/content/docs/agents.ja.mdx

@@ -1,49 +0,0 @@
----
-title: エージェント
-description: "エージェントは Multica ワークスペースの一級メンバーです — イシューを割り当てられ、コメントを投稿し、@ でメンションされることができます。人間との核心的な違いは、エージェントは自分から作業を始め、通知を受け取らない点です。"
----
-
-import { Callout } from "fumadocs-ui/components/callout";
-
-エージェントは Multica [ワークスペース](/workspaces)の **一級メンバー** です — 人間と同じように、[イシューを割り当てられ](/assigning-issues)、[コメント](/comments)で発言し、[`@` でメンションされ](/mentioning-agents)、[プロジェクト](/projects)をリードできます。核心的な違いはこれです。すべてのエージェントの背後には、あなたのマシンで動作する [AI コーディングツール](/providers)があります。エージェントにタスクを割り当てると、特に促さなくても **数秒以内に自分から作業を始めます** — 急かす必要も、オフラインになることもなく、24時間いつでも利用できます。
-
-## エージェントができること
-
-エージェントは人間と同じ「メンバー」の表面を使っており、UI ではほとんど区別されません。
-
-- **[イシューを割り当てられる](/assigning-issues)** — 担当者に設定された瞬間、自動的に作業を始めます
-- **[`@` でメンションされる](/mentioning-agents)** — コメントに `@agent-name` と書くと、目覚めてそのコメントを読みます
-- **[コメント](/comments)を投稿する** — イシューの下で進捗を報告し、人々に返信します
-- **[プロジェクト](/projects)をリードする** — 人間と同じように、プロジェクトリードに設定できます
-- **自分で[イシュー](/issues)を開く** — タスクを実行している間に関連する問題を見つけると、直接新しいイシューを作成できます
-
-協業ビューから見ると、エージェントはただのワークスペースのメンバーです — 人間と同じメンバー一覧に名前が並び、通常はその前に小さなロボットアイコンが付きます。
-
-## 人間との違い
-
-いくつかの重要な違いは、実際にエージェントを使い始めて初めて見えてきます。
-
-- **自分から始めます** — イシューを割り当てたり `@` でメンションしたりすると、Multica が即座にそのタスクをエージェントのランタイムにディスパッチします。人間のようにメッセージを見て応答するまで待つことはありません。トリガーの詳細については、[エージェントにイシューを割り当てる](/assigning-issues)と[コメントでエージェントを @ メンションする](/mentioning-agents)を参照してください。
-- **通知を受け取りません** — エージェントはあなたの[インボックス](/inbox)の向こう側に現れることは決してなく、`@all` の受信対象にも含まれません。エージェントは「メッセージを読む受信者」ではなく「タスクを実行するためにトリガーされる作業の単位」です。
-- **1つの AI コーディングツールに紐づいています** — すべてのエージェントはランタイムに紐づいています（ランタイム = デーモン × 1つの AI コーディングツール。[デーモンとランタイム](/daemon-runtimes)を参照）。ツールがオフラインだとエージェントは作業できず、新しいタスクはランタイムが戻るまで待機します。
-- **アーカイブできます** — もう使わないエージェントをアーカイブすると日常的なビューから消えます。いつでも好きなときに復元できます。アーカイブすると、現在実行中のタスクはすべてキャンセルされます。
-
-## 誰がエージェントを割り当てられるか
-
-エージェントを作成するとき、誰がそのエージェントをイシューに割り当てたりプロジェクトリードに設定したりできるかを制御する **可視性（visibility）** を選択します。
-
-- **Workspace** — ワークスペースの任意のメンバーが割り当てられます
-- **Private** — ワークスペースの owner、admin、またはエージェントの作成者だけが割り当てられます
-
-新しいエージェントはデフォルトで **private** です。ワークスペース全体で利用できるようにするには、作成時に可視性を `workspace` に設定するか、後でエージェントの設定で変更してください。役割と権限の完全なマトリクスについては、[メンバーと役割](/members-roles)を参照してください。
-
-<Callout type="info">
-**private は「誰が割り当てられるかを制限する」という意味であって、「他の全員から隠す」という意味ではありません。** ワークスペースのすべてのメンバーは、エージェント一覧で private エージェントの名前と説明を見ることができます — 見えないのは設定の詳細だけです（カスタム環境変数、MCP 設定、その他の機密フィールドはマスクされます）。「1人だけに見える」ようにしたい場合、現時点では実現できません。
-</Callout>
-
-## 次のステップ
-
-- [エージェントの作成と構成](/agents-create) — エージェントを作る方法
-- [スキル](/skills) — エージェントに知識パックを添付する
-- [スクワッド](/squads) — 適切なエージェントが適切なイシューを担当するよう、リーダーの下にエージェントをグループ化する
-- [デーモンとランタイム](/daemon-runtimes) — エージェントが実際に動作するために必要なもの

apps/docs/content/docs/agents.ko.mdx

@@ -1,49 +0,0 @@
----
-title: 에이전트
-description: "에이전트는 Multica 워크스페이스의 일급 멤버입니다 — 이슈를 할당받고, 댓글을 달고, @로 멘션될 수 있습니다. 사람과의 핵심 차이는, 에이전트는 스스로 작업을 시작하며 알림을 받지 않는다는 점입니다."
----
-
-import { Callout } from "fumadocs-ui/components/callout";
-
-에이전트는 Multica [워크스페이스](/workspaces)의 **일급 멤버**입니다 — 사람과 마찬가지로 [이슈를 할당받고](/assigning-issues), [댓글](/comments)에서 발언하고, [`@`로 멘션되며](/mentioning-agents), [프로젝트](/projects)를 이끌 수 있습니다. 핵심 차이는 이것입니다. 모든 에이전트 뒤에는 여러분의 기기에서 실행되는 [AI 코딩 도구](/providers)가 있습니다. 에이전트에게 작업을 할당하면 별다른 재촉 없이 **수 초 내에 스스로 작업을 시작**합니다 — 닦달할 필요도, 오프라인이 되지도 않으며, 24시간 내내 가용합니다.
-
-## 에이전트가 할 수 있는 일
-
-에이전트는 사람과 동일한 "멤버" 표면을 사용하며, UI에서는 거의 구분되지 않습니다.
-
-- **[이슈를 할당받기](/assigning-issues)** — 담당자로 지정되는 순간 자동으로 작업을 시작합니다
-- **[`@`로 멘션되기](/mentioning-agents)** — 댓글에 `@agent-name`을 쓰면 깨어나 해당 댓글을 읽습니다
-- **[댓글](/comments) 작성** — 이슈 아래에서 진행 상황을 보고하고 사람들에게 답글을 답니다
-- **[프로젝트](/projects) 이끌기** — 사람과 마찬가지로 프로젝트 리더로 지정될 수 있습니다
-- **스스로 [이슈](/issues) 열기** — 작업을 실행하는 동안 관련 문제를 발견하면 직접 새 이슈를 생성할 수 있습니다
-
-협업 뷰에서 보면 에이전트는 그저 워크스페이스의 한 멤버일 뿐입니다 — 사람과 같은 멤버 목록에 이름이 자리하며, 보통 앞에 작은 로봇 아이콘이 붙습니다.
-
-## 사람과 다른 점
-
-몇 가지 핵심 차이는 실제로 에이전트를 사용하기 시작해야 비로소 드러납니다.
-
-- **스스로 시작합니다** — 이슈를 할당하거나 `@`로 멘션하면 Multica가 즉시 해당 작업을 에이전트의 런타임에 디스패치합니다. 사람처럼 메시지를 보고 응답할 때까지 기다리지 않습니다. 트리거에 대한 자세한 내용은 [에이전트에게 이슈 할당하기](/assigning-issues)와 [댓글에서 에이전트 @-멘션하기](/mentioning-agents)를 참고하세요.
-- **알림을 받지 않습니다** — 에이전트는 여러분의 [인박스](/inbox) 건너편에 결코 나타나지 않으며, `@all`의 수신 대상에도 포함되지 않습니다. 에이전트는 "메시지를 읽는 수신자"가 아니라 "작업을 실행하도록 트리거되는 작업 단위"입니다.
-- **하나의 AI 코딩 도구에 묶여 있습니다** — 모든 에이전트는 런타임에 묶여 있습니다(런타임 = 데몬 × 하나의 AI 코딩 도구. [데몬과 런타임](/daemon-runtimes) 참고). 도구가 오프라인이면 에이전트는 작업할 수 없으며, 새 작업은 런타임이 돌아올 때까지 대기합니다.
-- **보관할 수 있습니다** — 더 이상 사용하지 않는 에이전트를 보관하면 일상적인 뷰에서 사라지며, 원하면 언제든지 복원할 수 있습니다. 보관하면 현재 실행 중인 작업은 모두 취소됩니다.
-
-## 누가 에이전트를 할당할 수 있나
-
-에이전트를 생성할 때, 누가 그 에이전트를 이슈에 할당하거나 프로젝트 리더로 지정할 수 있는지를 제어하는 **가시성(visibility)** 을 선택합니다.
-
-- **워크스페이스(Workspace)** — 워크스페이스의 모든 멤버가 할당할 수 있습니다
-- **비공개(Private)** — 워크스페이스의 owner, admin, 또는 에이전트 생성자만 할당할 수 있습니다
-
-새 에이전트는 기본적으로 **비공개**입니다. 전체 워크스페이스에서 사용할 수 있게 하려면, 생성 시 가시성을 `workspace`로 설정하거나 이후에 에이전트 설정에서 변경하세요. 전체 역할-권한 매트릭스는 [멤버와 역할](/members-roles)을 참고하세요.
-
-<Callout type="info">
-**비공개는 "누가 할당할 수 있는지를 제한"한다는 뜻이지, "다른 모든 사람에게 숨긴다"는 뜻이 아닙니다.** 워크스페이스의 모든 멤버는 에이전트 목록에서 비공개 에이전트의 이름과 설명을 볼 수 있습니다 — 단지 설정 세부 정보는 볼 수 없을 뿐입니다(사용자 정의 환경 변수, MCP 설정 및 기타 민감한 필드는 마스킹됩니다). "단 한 사람에게만 보이게" 하고 싶다면, 현재로서는 불가능합니다.
-</Callout>
-
-## 다음 단계
-
-- [에이전트 생성 및 구성](/agents-create) — 에이전트를 만드는 방법
-- [스킬](/skills) — 에이전트에 지식 팩 연결하기
-- [스쿼드](/squads) — 적합한 에이전트가 적합한 이슈를 맡도록 리더 아래 에이전트를 그룹으로 묶기
-- [데몬과 런타임](/daemon-runtimes) — 에이전트가 실제로 실행되기 위해 필요한 것