Merge remote-tracking branch 'upstream/dev' into dev

# Conflicts:
#	packages/app/src/app/components/session/composer.tsx
#	packages/app/src/app/components/session/message-list.tsx
#	packages/app/src/app/pages/config.tsx
#	packages/app/src/app/pages/dashboard.tsx
#	packages/app/src/app/pages/scheduled.tsx
#	packages/app/src/app/pages/session.tsx
#	packages/app/src/app/pages/settings.tsx

Author: hello-lizhihua

.github/workflows/ci.yml

@@ -34,7 +34,31 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       - name: Build web
-        run: pnpm --filter @different-ai/openwork build:web
+        run: pnpm --filter @different-ai/openwork-web build
+
+  build-den:
+    name: Build Den service
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.27.0
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build den service
+        run: pnpm --filter @openwork/den build
 
   build-orchestrator-binary:
     name: Build openwork orchestrator binary

.github/workflows/deploy-den.yml

@@ -0,0 +1,182 @@
+name: Deploy Den
+
+on:
+  push:
+    branches:
+      - dev
+    paths:
+      - "services/den/**"
+      - "services/den-worker-runtime/**"
+      - ".github/workflows/deploy-den.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-den-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: github.repository == 'different-ai/openwork'
+    steps:
+      - name: Validate required secrets
+        env:
+          RENDER_API_KEY: ${{ secrets.RENDER_API_KEY }}
+          RENDER_DEN_CONTROL_PLANE_SERVICE_ID: ${{ secrets.RENDER_DEN_CONTROL_PLANE_SERVICE_ID }}
+          RENDER_OWNER_ID: ${{ secrets.RENDER_OWNER_ID }}
+          DEN_DATABASE_URL: ${{ secrets.DEN_DATABASE_URL }}
+          DEN_BETTER_AUTH_SECRET: ${{ secrets.DEN_BETTER_AUTH_SECRET }}
+          POLAR_ACCESS_TOKEN: ${{ secrets.POLAR_ACCESS_TOKEN }}
+          POLAR_PRODUCT_ID: ${{ secrets.POLAR_PRODUCT_ID }}
+          POLAR_BENEFIT_ID: ${{ secrets.POLAR_BENEFIT_ID }}
+          DEN_POLAR_FEATURE_GATE_ENABLED: ${{ vars.DEN_POLAR_FEATURE_GATE_ENABLED }}
+        run: |
+          missing=0
+          for key in RENDER_API_KEY RENDER_DEN_CONTROL_PLANE_SERVICE_ID RENDER_OWNER_ID DEN_DATABASE_URL DEN_BETTER_AUTH_SECRET; do
+            if [ -z "${!key}" ]; then
+              echo "::error::Missing required secret: $key"
+              missing=1
+            fi
+          done
+
+          feature_enabled="${DEN_POLAR_FEATURE_GATE_ENABLED:-false}"
+          feature_enabled="$(echo "$feature_enabled" | tr '[:upper:]' '[:lower:]')"
+          if [ "$feature_enabled" = "true" ]; then
+            for key in POLAR_ACCESS_TOKEN POLAR_PRODUCT_ID POLAR_BENEFIT_ID; do
+              if [ -z "${!key}" ]; then
+                echo "::error::Missing required paywall secret: $key"
+                missing=1
+              fi
+            done
+          fi
+
+          if [ "$missing" -ne 0 ]; then
+            exit 1
+          fi
+
+      - name: Sync Render env vars and deploy latest commit
+        env:
+          RENDER_API_KEY: ${{ secrets.RENDER_API_KEY }}
+          RENDER_DEN_CONTROL_PLANE_SERVICE_ID: ${{ secrets.RENDER_DEN_CONTROL_PLANE_SERVICE_ID }}
+          RENDER_OWNER_ID: ${{ secrets.RENDER_OWNER_ID }}
+          DEN_DATABASE_URL: ${{ secrets.DEN_DATABASE_URL }}
+          DEN_BETTER_AUTH_SECRET: ${{ secrets.DEN_BETTER_AUTH_SECRET }}
+          DEN_RENDER_WORKER_OPENWORK_VERSION: ${{ vars.DEN_RENDER_WORKER_OPENWORK_VERSION }}
+          DEN_POLAR_FEATURE_GATE_ENABLED: ${{ vars.DEN_POLAR_FEATURE_GATE_ENABLED }}
+          DEN_POLAR_API_BASE: ${{ vars.DEN_POLAR_API_BASE }}
+          DEN_POLAR_SUCCESS_URL: ${{ vars.DEN_POLAR_SUCCESS_URL }}
+          DEN_POLAR_RETURN_URL: ${{ vars.DEN_POLAR_RETURN_URL }}
+          POLAR_ACCESS_TOKEN: ${{ secrets.POLAR_ACCESS_TOKEN }}
+          POLAR_PRODUCT_ID: ${{ secrets.POLAR_PRODUCT_ID }}
+          POLAR_BENEFIT_ID: ${{ secrets.POLAR_BENEFIT_ID }}
+        run: |
+          python3 <<'PY'
+          import json
+          import os
+          import time
+          import urllib.error
+          import urllib.parse
+          import urllib.request
+
+          api_key = os.environ["RENDER_API_KEY"]
+          service_id = os.environ["RENDER_DEN_CONTROL_PLANE_SERVICE_ID"]
+          owner_id = os.environ["RENDER_OWNER_ID"]
+          openwork_version = os.environ.get("DEN_RENDER_WORKER_OPENWORK_VERSION") or "0.11.113"
+          paywall_enabled = (os.environ.get("DEN_POLAR_FEATURE_GATE_ENABLED") or "false").lower() == "true"
+          polar_api_base = os.environ.get("DEN_POLAR_API_BASE") or "https://api.polar.sh"
+          polar_success_url = os.environ.get("DEN_POLAR_SUCCESS_URL") or "https://app.openwork.software"
+          polar_return_url = os.environ.get("DEN_POLAR_RETURN_URL") or polar_success_url
+          polar_access_token = os.environ.get("POLAR_ACCESS_TOKEN") or ""
+          polar_product_id = os.environ.get("POLAR_PRODUCT_ID") or ""
+          polar_benefit_id = os.environ.get("POLAR_BENEFIT_ID") or ""
+
+          def validate_redirect_url(name: str, value: str):
+              parsed = urllib.parse.urlparse(value)
+              if parsed.scheme not in {"http", "https"} or not parsed.netloc:
+                  raise RuntimeError(f"{name} must be an absolute http(s) URL, got: {value}")
+
+          validate_redirect_url("DEN_POLAR_SUCCESS_URL", polar_success_url)
+          validate_redirect_url("DEN_POLAR_RETURN_URL", polar_return_url)
+
+          if paywall_enabled and (not polar_access_token or not polar_product_id or not polar_benefit_id):
+              raise RuntimeError(
+                  "DEN_POLAR_FEATURE_GATE_ENABLED=true requires POLAR_ACCESS_TOKEN, POLAR_PRODUCT_ID, and POLAR_BENEFIT_ID"
+              )
+
+          headers = {
+              "Authorization": f"Bearer {api_key}",
+              "Accept": "application/json",
+              "Content-Type": "application/json",
+          }
+
+          def request(method: str, path: str, body=None):
+              url = f"https://api.render.com/v1{path}"
+              data = None
+              if body is not None:
+                  data = json.dumps(body).encode("utf-8")
+              req = urllib.request.Request(url, data=data, method=method, headers=headers)
+              try:
+                  with urllib.request.urlopen(req, timeout=60) as resp:
+                      text = resp.read().decode("utf-8")
+                      return resp.status, json.loads(text) if text else None
+              except urllib.error.HTTPError as err:
+                  text = err.read().decode("utf-8", "replace")
+                  raise RuntimeError(f"{method} {path} failed ({err.code}): {text[:600]}")
+
+          _, service = request("GET", f"/services/{service_id}")
+          service_url = (service.get("serviceDetails") or {}).get("url")
+          if not service_url:
+              raise RuntimeError(f"Render service {service_id} has no public URL")
+
+          env_vars = [
+              {"key": "DATABASE_URL", "value": os.environ["DEN_DATABASE_URL"]},
+              {"key": "BETTER_AUTH_SECRET", "value": os.environ["DEN_BETTER_AUTH_SECRET"]},
+              {"key": "BETTER_AUTH_URL", "value": service_url},
+              {"key": "PROVISIONER_MODE", "value": "render"},
+              {"key": "RENDER_API_BASE", "value": "https://api.render.com/v1"},
+              {"key": "RENDER_API_KEY", "value": api_key},
+              {"key": "RENDER_OWNER_ID", "value": owner_id},
+              {"key": "RENDER_WORKER_REPO", "value": "https://github.com/different-ai/openwork"},
+              {"key": "RENDER_WORKER_BRANCH", "value": "dev"},
+              {"key": "RENDER_WORKER_ROOT_DIR", "value": "services/den-worker-runtime"},
+              {"key": "RENDER_WORKER_PLAN", "value": "starter"},
+              {"key": "RENDER_WORKER_REGION", "value": "oregon"},
+              {"key": "RENDER_WORKER_OPENWORK_VERSION", "value": openwork_version},
+              {"key": "RENDER_WORKER_NAME_PREFIX", "value": "den-worker-openwork"},
+              {"key": "RENDER_PROVISION_TIMEOUT_MS", "value": "900000"},
+              {"key": "RENDER_HEALTHCHECK_TIMEOUT_MS", "value": "180000"},
+              {"key": "RENDER_POLL_INTERVAL_MS", "value": "5000"},
+              {"key": "POLAR_FEATURE_GATE_ENABLED", "value": "true" if paywall_enabled else "false"},
+              {"key": "POLAR_API_BASE", "value": polar_api_base},
+              {"key": "POLAR_ACCESS_TOKEN", "value": polar_access_token},
+              {"key": "POLAR_PRODUCT_ID", "value": polar_product_id},
+              {"key": "POLAR_BENEFIT_ID", "value": polar_benefit_id},
+              {"key": "POLAR_SUCCESS_URL", "value": polar_success_url},
+              {"key": "POLAR_RETURN_URL", "value": polar_return_url},
+          ]
+
+          request("PUT", f"/services/{service_id}/env-vars", env_vars)
+          _, deploy = request("POST", f"/services/{service_id}/deploys", {})
+          deploy_id = deploy.get("id") or (deploy.get("deploy") or {}).get("id")
+          if not deploy_id:
+              raise RuntimeError(f"Unexpected deploy response: {deploy}")
+
+          terminal = {"live", "update_failed", "build_failed", "canceled"}
+          started = time.time()
+
+          while time.time() - started < 1800:
+              _, deploys = request("GET", f"/services/{service_id}/deploys?limit=1")
+              latest = deploys[0]["deploy"] if deploys else None
+              if latest and latest.get("id") == deploy_id and latest.get("status") in terminal:
+                  status = latest.get("status")
+                  if status != "live":
+                      raise RuntimeError(f"Render deploy {deploy_id} ended with {status}")
+                  print(f"Render deploy {deploy_id} is live at {service_url}")
+                  break
+              time.sleep(10)
+          else:
+              raise RuntimeError(f"Timed out waiting for deploy {deploy_id}")
+          PY

.github/workflows/release-macos-aarch64.yml

@@ -122,7 +122,15 @@ jobs:
             RELEASE_BODY="See the assets to download this version and install."
           fi
 
-          draft="${INPUT_DRAFT:-false}"
+          draft="${INPUT_DRAFT:-}"
+          if [ -z "$draft" ]; then
+            if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
+              # Keep tag-triggered releases out of /releases/latest until assets + latest.json are ready.
+              draft="true"
+            else
+              draft="false"
+            fi
+          fi
           prerelease="${INPUT_PRERELEASE:-false}"
           notarize="${INPUT_NOTARIZE:-}"
           if [ -z "$notarize" ]; then
@@ -524,7 +532,7 @@ jobs:
           tauriScript: pnpm exec tauri -vvv
           args: ${{ matrix.args }}
           retryAttempts: 3
-          uploadUpdaterJson: true
+          uploadUpdaterJson: false
           updaterJsonPreferNsis: true
           releaseAssetNamePattern: openwork-desktop-[platform]-[arch][ext]
 
@@ -553,7 +561,7 @@ jobs:
           tauriScript: pnpm exec tauri -vvv
           args: ${{ matrix.args }}
           retryAttempts: 3
-          uploadUpdaterJson: true
+          uploadUpdaterJson: false
           updaterJsonPreferNsis: true
           releaseAssetNamePattern: openwork-desktop-[platform]-[arch][ext]
 
@@ -600,6 +608,39 @@ jobs:
 
           echo "Found bundled versions.json at $manifest_path"
 
+  publish-updater-json:
+    name: Publish consolidated latest.json
+    needs: [resolve-release, verify-release, publish-tauri]
+    if: needs.resolve-release.outputs.build_tauri == 'true'
+    runs-on: ubuntu-latest
+    env:
+      RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RELEASE_TAG }}
+          fetch-depth: 0
+
+      - name: Generate latest.json from release assets
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          node scripts/release/generate-latest-json.mjs \
+            --tag "$RELEASE_TAG" \
+            --repo "$GITHUB_REPOSITORY" \
+            --output "$RUNNER_TEMP/latest.json"
+
+      - name: Upload latest.json
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          gh release upload "$RELEASE_TAG" "$RUNNER_TEMP/latest.json#latest.json" \
+            --repo "$GITHUB_REPOSITORY" \
+            --clobber
+
   release-orchestrator-sidecars:
     name: Build + Upload openwork-orchestrator Sidecars
     needs: [resolve-release, verify-release]
@@ -848,7 +889,12 @@ jobs:
 
   aur-publish:
     name: Publish AUR
-    needs: [resolve-release, publish-tauri]
+    needs: [resolve-release, publish-tauri, publish-release]
+    if: |
+      always() &&
+      needs.resolve-release.result == 'success' &&
+      (needs.publish-tauri.result == 'success' || needs.publish-tauri.result == 'skipped') &&
+      (needs.publish-release.result == 'success' || needs.publish-release.result == 'skipped')
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -893,3 +939,38 @@ jobs:
             exit 0
           fi
           scripts/aur/publish-aur.sh "$RELEASE_TAG"
+
+  publish-release:
+    name: Publish GitHub Release
+    needs:
+      - resolve-release
+      - verify-release
+      - publish-tauri
+      - publish-updater-json
+      - release-orchestrator-sidecars
+      - publish-npm
+    if: |
+      always() &&
+      needs.resolve-release.outputs.draft == 'true' &&
+      needs.resolve-release.result == 'success' &&
+      needs.verify-release.result == 'success' &&
+      (needs.publish-tauri.result == 'success' || needs.publish-tauri.result == 'skipped') &&
+      (needs.publish-updater-json.result == 'success' || needs.publish-updater-json.result == 'skipped') &&
+      (needs.release-orchestrator-sidecars.result == 'success' || needs.release-orchestrator-sidecars.result == 'skipped') &&
+      (needs.publish-npm.result == 'success' || needs.publish-npm.result == 'skipped')
+    runs-on: ubuntu-latest
+    env:
+      RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
+      RELEASE_PRERELEASE: ${{ needs.resolve-release.outputs.prerelease }}
+    steps:
+      - name: Publish release after assets are ready
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+
+          if [ "${RELEASE_PRERELEASE}" = "true" ]; then
+            gh release edit "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" --draft=false --prerelease
+          else
+            gh release edit "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" --draft=false --latest
+          fi

.gitignore

@@ -39,3 +39,4 @@ vendor/opencode/
 
 # OpenWork workspace-local artifacts
 .opencode/openwork/
+.vercel

.opencode/skills/openwork-docker-chrome-mcp/SKILL.md

@@ -47,6 +47,21 @@ Evidence:
 - Take a Chrome MCP screenshot after the response appears.
 - If something fails, capture console logs and (optionally) Docker logs.
 
+### Verification checklist (copy into PR)
+
+- [ ] Started stack with `packaging/docker/dev-up.sh` from repo root.
+- [ ] Used the printed Web UI URL (not a guessed port).
+- [ ] Completed one full user flow in the UI (input -> action -> visible result).
+- [ ] Captured at least one screenshot for the success state.
+- [ ] Captured failure evidence when relevant (console and/or Docker logs).
+- [ ] Stopped stack with the exact printed `docker compose -p ... down` command.
+
+Suggested screenshot set for user-facing changes:
+- Before action state.
+- During action/progress state.
+- Success state.
+- Failure or recovery state (if applicable).
+
 ### 3) Stop the stack
 
 Use the exact `docker compose -p ... down` command printed by `dev-up.sh`.

AGENTS.md

@@ -37,6 +37,18 @@ Read INFRASTRUCTURE.md
 * **Slick and fluid**: 60fps animations, micro-interactions, premium feel.
 * **Mobile-native**: touch targets, gestures, and layouts optimized for small screens.
 
+## Task Intake (Required)
+
+Before making changes, explicitly confirm the target repository in your first task update.
+
+Required format:
+
+1. `Target repo: <path>` (for example: `_repos/openwork`)
+2. `Out of scope repos: <list>` (for example: `_repos/opencode`)
+3. `Planned output: <what will be changed/tested>`
+
+If the user request references multiple repos and the intended edit location is ambiguous, stop after discovery and ask for a single repo target before editing files.
+
 ## New Feature Workflow (Required)
 
 When the user asks to create a new feature, follow this exact procedure:

STATS.md

@@ -27,3 +27,8 @@
 | 2026-02-14 | 72,204 (+2,676) | 72,204 (+2,676) |
 | 2026-02-15 | 74,561 (+2,357) | 74,561 (+2,357) |
 | 2026-02-16 | 77,144 (+2,583) | 77,144 (+2,583) |
+| 2026-02-17 | 79,817 (+2,673) | 79,817 (+2,673) |
+| 2026-02-18 | 83,020 (+3,203) | 83,020 (+3,203) |
+| 2026-02-19 | 86,687 (+3,667) | 86,687 (+3,667) |
+| 2026-02-20 | 90,491 (+3,804) | 90,491 (+3,804) |
+| 2026-02-21 | 94,409 (+3,918) | 94,409 (+3,918) |