Followup audit of the single-source-of-truth agent-docs rollout. Several
AI.dev prompts and skills still taught agents the old 8-file pattern (which
would re-introduce drift) and the generator script emitted a misleading
summary in --no-commit mode.
AI.dev guides:
- Delete AI.dev/SKILLS/update-agent-docs.md — entire doc taught the old
8-file pattern. Canonical reference is now
.windsurf/workflows/repo_update-agent-docs.md.
- AI.dev/SKILLS/index.md + README.md: replace dangling 'Update Agent
Documentation' link with pointers to agent-behavior-guidelines.md,
agent-onboarding.md, and the workflow doc.
- AI.dev/SKILLS/scan-repo-context.md: remove instructions to read
.windsurfrules / write .cursorrules. Point at the canonical behavior file.
- AI.dev/PROMPTS/new-product-scaffold.md: remove .windsurfrules and CLAUDE.md
from the scaffold tree. Add deprecated-files callout + regeneration hint.
- AI.dev/PROMPTS/agents-md-sync.md: drop 'Step 4 update CLAUDE.md', point at
the generator instead. Remove CLAUDE.md from `git add`.
- AI.dev/PROMPTS/ecosystem-audit.md: replace 'CLAUDE.md exists?' with
'canonical-behavior-pointer block present? legacy files absent?'.
Script UX:
- scripts/update-agent-docs.sh: stop printing 'All repos already in sync'
when --no-commit suppressed commits or --dry-run was used. Emit accurate
per-mode summaries instead.
The client was calling GET ${baseUrl}/flags/kill-switch which does
not exist on platform-service. The actual kill-switch endpoint lives
under /settings/kill-switch in the settings module (public, no auth
required). The bug was silently masked by the client's fail-open
behavior on non-OK responses, but it produced a 404 on every page
load for every consumer (NoteLett, MindLyst, ChronoMind, FlowMonk,
NomGap, PeakPulse, JarvisJr, LysnrAI, ActionTrail, EffoRise, Local
Memory GPT).
Discovery: running the deployed NoteLett docker stack against the
sibling platform-service, every page load triggered:
GET http://localhost:4003/api/flags/kill-switch?platform=web → 404
Confirmed by curl-ing both endpoints directly:
/api/flags/kill-switch → {"message":"Route GET:/api/flags/kill-switch not found"}
/api/settings/kill-switch → {"enabled":true,"disabled":false,"message":""}
Also adds the productId as a query param. The server route accepts
productId from the query string OR an x-product-id header — sending
both is harmless and improves debuggability when grepping logs.
Updated JSDoc and the corresponding test assertion. Test count
unchanged (6 passed).
Verified:
pnpm --filter @bytelyst/kill-switch-client test → 6/6 passed
pnpm --filter @bytelyst/kill-switch-client build → ok
curl /api/settings/kill-switch?productId=notelett → 200 with payload
Root cause: @bytelyst/ui components reference --bl-* tokens but chronomind.css
only defined --cm-* tokens. This caused all shared UI components to fall back
to hardcoded defaults, breaking the visual appearance.
Adds 31 --bl-* → --cm-* CSS custom property aliases matching the pattern
already used in tokens.css (--bl-* → --ml-*).
- Add card-button export to package.json exports field
- Bump version to 0.1.8
- Publish to Gitea registry
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Add new reusable MCP client package with connection management, tool execution, caching, rate limiting, audit logging, and error handling. This provides a standardized way to integrate with MCP servers across all ByteLyst products.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Add @bytelyst/devops backend endpoints to platform-service
- Add /api/devops/version (public) and /api/devops/info (admin) endpoints
- Add /devops page to admin-web using @bytelyst/devops/ui DevopsPanel
- Add devops link to admin web sidebar navigation
- Add build metadata and runtime information display
- Follow trading web devops pattern
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Updated Badge component to use design token CSS variables (bl-*)
- Updated Button component to use design token CSS variables (bl-*)
- Improved focus states with proper design token colors
- Added aria-label to logout button in sidebar for better accessibility
- Maintains backward compatibility while improving consistency
This moves admin web toward design system compliance while ensuring
no breaking changes to existing functionality.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Phase 1 of UX compliance implementation:
- Add .pnpmfile.cjs for local package resolution from common platform
- Install @bytelyst/ui for shared UI components
- Create Primitives.tsx product adapter for type-safe component extensions
- Integrate @bytelyst/design-tokens CSS variables
- Enable design token usage via CSS custom properties
This establishes the foundation for component normalization and
consistent styling across ByteLyst products, following the UX
implementation guide patterns.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
The Button primitive applies `whitespace-nowrap` + a fixed `h-{size}`
because it's tuned for single-line CTAs. Consumers using Button as a
card-shaped picker — title above description, icon next to multi-line
label — hit collapsed/clipped content because of those constraints.
CardButton is the right primitive for that use case:
- block layout, full-width, left-aligned by default
- whitespace: normal so multi-line content wraps
- height: auto so any number of stacked rows works
- focus-visible ring tied to --bl-focus-ring/--bl-accent (matches Button)
- disabled opacity + pointer-events
- selected? prop with subtle inset accent ring (override-able)
- asChild support via Radix Slot for <Link>/<a> handoff
Bumps @bytelyst/ui to 0.1.6 and re-exports CardButton + CardButtonProps
from the package entry point.
Initial consumers: 5 sites in learning_ai_invt_trdg (StrategyWizard
risk + hours pickers, SimpleView buy + sell plan cards, MyStrategiesTab
diagnostic toggle). See docs/ui/UI_AUDIT.md Pattern A in that repo.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@bytelyst/devops 0.1.3:
- Wrap tables in scrollable container (overflow-x: auto) so long values
never push the panel wider than its parent.
- table-layout: fixed + min-width on key column prevents column blow-out.
- Code/value cells use overflow-wrap: anywhere + word-break: break-word
so long commit SHAs and Docker image strings wrap.
- pre block uses pre-wrap + break-word for raw JSON.
- Header actions wrap on narrow viewports.
- Tabs row scrolls horizontally rather than wrapping awkwardly.
- root container: maxWidth 100% + minWidth 0 to play nicely with flex parents.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Bumps @bytelyst/devops to 0.1.2.
Adds:
- getBuildInfo() — public-safe build info (commit + branch + image),
no env vars or runtime introspection. Suitable for unauthenticated
/api/devops/version endpoints used by ops/CI.
- getRuntimeInfo() / getConfigInfo() — exposed individually for callers
who want to compose their own payload.
- readServiceVersion(import.meta.url) — walks up to package.json so
consumers don't need to hardcode the version string.
- dependencyCheck(name, fn, timeoutMs) — timed health check wrapper
with consistent ok/latency/detail shape. Enforces a hard timeout.
- httpDependencyCheck(name, url, timeoutMs) — convenience for HTTP probes.
Other improvements:
- SECRET_PATTERN extracted as a module constant.
- 17 unit tests covering build/runtime/config collectors, secret-leak
guards, version walker fallbacks, dep timeouts, full collect payload.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Server collector via @bytelyst/devops/server: build, runtime, config, deps
- React UI via @bytelyst/devops/ui: tabbed view (Build/Runtime/Config/Deps/Raw)
- Build metadata baked from BYTELYST_COMMIT_SHA / BYTELYST_BUILT_AT / etc env vars
- No secret leakage: only env var keys are exposed, never values
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
What changed:
- Update handoff docs to point at the latest audit reliability commit.
- Mark the warning claim table as historical now that the sweep is complete.
- Remove stale deferred-warning wording from the platform audit ordering.
Verification:
- git diff --check
- pnpm lint
What changed:
- Recorded d3fbeba in the audit checklist, platform audit, handoff, and resume prompt.
- Updated the W9 notes to explain the reproduced bcrypt timeout and package-local Vitest timeout.
Warning impact:
- No warning delta; workspace lint baseline remains 0 errors / 0 warnings.
Verification:
- git diff --check
What changed:
- Added an auth package Vitest config with the existing forks pool and a 15s test timeout.
- Kept production bcryptjs salt rounds and test assertions unchanged.
Why:
- On this machine one 12-round bcryptjs hash can exceed Vitest's default 5s timeout, making the auth suite fail even though the implementation succeeds.
Verification:
- pnpm --filter @bytelyst/auth build
- pnpm --filter @bytelyst/auth test
- pnpm --filter @bytelyst/auth exec eslint . --ext .ts,.tsx
