chore(lockfile): refresh pnpm-lock.yaml

.github/workflows/build-dev.yml

@@ -1,77 +0,0 @@
-name: "Build: Dev"
-
-on:
-  push:
-    branches: [dev]
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  packages: write
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    outputs:
-      image-tag: ${{ steps.tag.outputs.sha }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set image tag
-        id: tag
-        run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to Gitea Registry
-        uses: docker/login-action@v3
-        with:
-          registry: git.farh.net
-          username: admin
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: git.farh.net/farhoodlabs/paperclip-dev
-          tags: |
-            type=sha,prefix=
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ startsWith(gitea.ref, 'refs/tags/v') }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          no-cache: true
-
-  update-infra:
-    needs: build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Update dev image tag in infra repo
-        run: |
-          SHA="${{ needs.build.outputs.image-tag }}"
-          FILE="overlays/dev/kustomization.yaml"
-
-          response=$(curl -sS \
-            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
-            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE")
-
-          file_sha=$(echo "$response" | jq -r '.sha')
-          content=$(echo "$response" | jq -r '.content' | base64 -d)
-          new_content=$(echo "$content" | sed "s/newTag: \".*\"/newTag: \"$SHA\"/")
-          encoded=$(printf '%s' "$new_content" | base64 -w 0)
-
-          curl -sS -X PUT \
-            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
-            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
-            -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}"

.github/workflows/build-prod.yml

@@ -1,48 +0,0 @@
-name: "Build: Production"
-
-on:
-  push:
-    branches: [local]
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  packages: write
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to Gitea Registry
-        uses: docker/login-action@v3
-        with:
-          registry: git.farh.net
-          username: admin
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: git.farh.net/farhoodlabs/paperclip
-          tags: |
-            type=sha,prefix=
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ startsWith(gitea.ref, 'refs/tags/v') }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          no-cache: true

CLAUDE.md

@@ -1,43 +0,0 @@
-# Paperclip fork — farhoodlabs
-
-This is a thin fork of [paperclipai/paperclip](https://github.com/paperclipai/paperclip).
-Fork repo: https://git.farh.net/farhoodlabs/paperclip
-
-## Branch model
-
-| Branch | Purpose |
-|---|---|
-| `master` | Pure mirror of `upstream/master`. No fork files. Sync via `git push origin upstream/master:master --force-with-lease`. |
-| `dev` | `master` + one fork commit (Dockerfile prod stage + 2 build workflows). Builds `git.farh.net/farhoodlabs/paperclip-dev:*` on push. |
-| `local` | **Deployed branch.** Same content as `dev`. Builds `git.farh.net/farhoodlabs/paperclip:*` on push. |
-
-The fork tree differs from upstream by exactly **3 files**:
-
-```
-Dockerfile                                 (production stage adds kubectl, kubeseal, uv, forgejo CLIs, tea, mmx-cli, nano, vim)
-.github/workflows/build-prod.yml           (pushes to git.farh.net/farhoodlabs/paperclip)
-.github/workflows/build-dev.yml            (pushes to git.farh.net/farhoodlabs/paperclip-dev)
-```
-
-The base/deps/build stages of the Dockerfile match upstream verbatim so upstream changes apply cleanly.
-
-## Sync upstream
-
-```bash
-git fetch upstream
-git push origin upstream/master:master --force-with-lease
-git checkout dev && git merge master && git push origin dev
-git checkout local && git merge dev && git push origin local
-```
-
-Conflicts should only ever appear on `Dockerfile` itself (if upstream changes the production stage). Resolution rule: keep upstream's deps/base/build stages exactly; preserve the fork's `RUN` block in the production stage.
-
-## Deployment
-
-Production runs in Kubernetes (`paperclip` namespace, single replica). Image: `git.farh.net/farhoodlabs/paperclip:<tag>`. Flux does not watch moving tags — rolling a fix means either pushing a semver-tagged release or `kubectl rollout restart deploy/paperclip -n paperclip`.
-
-## Don't
-
-- **Don't add fork code changes.** This fork is intentionally minimal after the 2026-05-31 reset (event-loop starvation bug from accumulated drift). If a feature is missing relative to a prior fork iteration (Gitea-hosted skills, PAT support for private skill repos, secret export/import, k8s sandbox-provider plugin, agentId threading), surface the regression — don't pull it back from `git log` without explicit go-ahead.
-- **Don't commit to `local` without going through `dev` first** (and through `master` for upstream syncs). The promotion order is enforced.
-- **Don't recreate `.farhoodlabs/` overlay or `assemble-local.yml`.** That model was retired.

Dockerfile

@@ -57,29 +57,10 @@ ARG USER_UID=1000
 ARG USER_GID=1000
 WORKDIR /app
 COPY --chown=node:node --from=build /app /app
-# Fork additions: kubectl, kubeseal, uv, forgejo CLIs, gitea tea CLI, editor tools, mmx-cli
-# Upstream installs: claude-code, codex, opencode-ai, openssh-client, jq
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends openssh-client jq nano vim \
+RUN npm install --global --omit=dev @anthropic-ai/claude-code@latest @openai/codex@latest opencode-ai \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends openssh-client jq \
   && rm -rf /var/lib/apt/lists/* \
-  && curl -fsSL https://dl.k8s.io/release/v1.32.0/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl \
-  && chmod +x /usr/local/bin/kubectl \
-  && curl -fsSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.36.6/kubeseal-0.36.6-linux-amd64.tar.gz | tar -xzf - -C /tmp \
-  && mv /tmp/kubeseal /usr/local/bin/kubeseal \
-  && rm -rf /tmp/kubeseal /tmp/LICENSE /tmp/README.md \
-  && curl -LsSf https://astral.sh/uv/install.sh | sh \
-  && mv /root/.local/bin/uv /usr/local/bin/uv \
-  && mv /root/.local/bin/uvx /usr/local/bin/uvx \
-  && curl -fsSL https://codeberg.org/forgejo-contrib/forgejo-cli/releases/download/v0.4.1/forgejo-cli-linux.tar.gz | tar -xzf - -C /usr/local/bin \
-  && chmod +x /usr/local/bin/fj \
-  && curl -fsSL https://github.com/JKamsker/forgejo-cli-ex/releases/download/v0.1.7/fj-ex-linux-x86_64.tar.gz | tar -xzf - -C /usr/local/bin \
-  && chmod +x /usr/local/bin/fj-ex \
-  && curl -fsSL https://codeberg.org/romaintb/fgj/releases/download/v0.3.0/fgj_linux_amd64 -o /usr/local/bin/fgj \
-  && chmod +x /usr/local/bin/fgj \
-  && curl -fsSL https://dl.gitea.com/tea/0.14.0/tea-0.14.0-linux-amd64 -o /usr/local/bin/tea \
-  && chmod +x /usr/local/bin/tea \
-  && npm install --global --omit=dev @anthropic-ai/claude-code@latest @openai/codex@latest opencode-ai \
-  && npm install --global --omit=dev mmx-cli \
   && mkdir -p /paperclip \
   && chown node:node /paperclip
 

pnpm-lock.yaml

@@ -622,6 +622,8 @@ importers:
         specifier: ^5.7.3
         version: 5.9.3
 
+  packages/skills-catalog: {}
+
   server:
     dependencies:
       '@aws-sdk/client-s3':

server/src/__tests__/issues-list-include-blocked-by-routes.test.ts

@@ -1,167 +0,0 @@
-import express from "express";
-import request from "supertest";
-import { beforeEach, describe, expect, it, vi } from "vitest";
-
-const mockList = vi.hoisted(() => vi.fn());
-const mockIssueService = vi.hoisted(() => ({
-  list: mockList,
-  getById: vi.fn(),
-  getByIdentifier: vi.fn(async () => null),
-  getComment: vi.fn(),
-  getCommentCursor: vi.fn(async () => ({
-    totalComments: 0,
-    latestCommentId: null,
-    latestCommentAt: null,
-  })),
-  getRelationSummaries: vi.fn(),
-  update: vi.fn(),
-  getAncestors: vi.fn(async () => []),
-  listWakeableBlockedDependents: vi.fn(async () => []),
-  getWakeableParentAfterChildCompletion: vi.fn(async () => null),
-  findMentionedAgents: vi.fn(async () => []),
-}));
-
-vi.mock("../services/index.js", async () => {
-  const actual = await vi.importActual<typeof import("../services/index.js")>(
-    "../services/index.js",
-  );
-  return {
-    ...actual,
-    companyService: () => ({
-      getById: vi.fn(async () => ({ id: "company-1", attachmentMaxBytes: 10 * 1024 * 1024 })),
-    }),
-    accessService: () => ({
-      canUser: vi.fn(),
-      hasPermission: vi.fn(),
-    }),
-    agentService: () => ({
-      getById: vi.fn(),
-    }),
-    documentAnnotationService: () => ({ remapOpenThreadsForDocument: async () => [] }),
-    documentService: () => ({
-      getIssueDocumentPayload: vi.fn(async () => ({})),
-    }),
-    executionWorkspaceService: () => ({
-      getById: vi.fn(),
-    }),
-    feedbackService: () => ({}),
-    goalService: () => ({
-      getById: vi.fn(),
-      getDefaultCompanyGoal: vi.fn(),
-    }),
-    heartbeatService: () => ({
-      wakeup: vi.fn(async () => undefined),
-      reportRunActivity: vi.fn(async () => undefined),
-    }),
-    instanceSettingsService: () => ({
-      get: vi.fn(),
-      listCompanyIds: vi.fn(),
-    }),
-    issueApprovalService: () => ({}),
-    issueReferenceService: () => ({
-      deleteDocumentSource: async () => undefined,
-      diffIssueReferenceSummary: () => ({
-        addedReferencedIssues: [],
-        removedReferencedIssues: [],
-        currentReferencedIssues: [],
-      }),
-      emptySummary: () => ({ outbound: [], inbound: [] }),
-      listIssueReferenceSummary: async () => ({ outbound: [], inbound: [] }),
-      syncComment: async () => undefined,
-      syncDocument: async () => undefined,
-      syncIssue: async () => undefined,
-    }),
-    issueRecoveryActionService: () => ({
-      getActiveForIssue: vi.fn(async () => null),
-      listActiveForIssues: vi.fn(async () => new Map()),
-    }),
-    issueThreadInteractionService: () => ({
-      listForIssue: vi.fn(async () => []),
-      expireRequestConfirmationsSupersededByComment: vi.fn(async () => []),
-      expireStaleRequestConfirmationsForIssueDocument: vi.fn(async () => []),
-    }),
-    issueService: () => mockIssueService,
-    projectService: () => ({
-      getById: vi.fn(),
-      listByIds: vi.fn(async () => []),
-    }),
-    routineService: () => ({
-      syncRunStatusForIssue: vi.fn(async () => undefined),
-    }),
-    workProductService: () => ({
-      listForIssue: vi.fn(async () => []),
-    }),
-  };
-});
-
-async function createApp() {
-  const [{ issueRoutes }, { errorHandler }] = await Promise.all([
-    vi.importActual<typeof import("../routes/issues.js")>("../routes/issues.js"),
-    vi.importActual<typeof import("../middleware/index.js")>("../middleware/index.js"),
-  ]);
-  const app = express();
-  app.use(express.json());
-  app.use((req, _res, next) => {
-    (req as any).actor = {
-      type: "board",
-      userId: "local-board",
-      companyIds: ["company-1"],
-      memberships: [{ companyId: "company-1", membershipRole: "owner", status: "active" }],
-      source: "local_implicit",
-      isInstanceAdmin: false,
-    };
-    next();
-  });
-  app.use("/api", issueRoutes({} as any, {} as any));
-  app.use(errorHandler);
-  return app;
-}
-
-describe("GET /companies/:companyId/issues includeBlockedBy default", () => {
-  beforeEach(() => {
-    vi.resetModules();
-    vi.doUnmock("../routes/issues.js");
-    vi.doUnmock("../routes/authz.js");
-    vi.doUnmock("../middleware/index.js");
-    vi.clearAllMocks();
-    mockList.mockResolvedValue([]);
-  });
-
-  it("defaults includeBlockedBy to true so list responses are consistent with GET /api/issues/:id", async () => {
-    const res = await request(await createApp()).get("/api/companies/company-1/issues");
-    expect(res.status, JSON.stringify(res.body)).toBe(200);
-    expect(mockList).toHaveBeenCalledTimes(1);
-    const callArgs = mockList.mock.calls[0]?.[1] ?? {};
-    expect(callArgs).toMatchObject({ includeBlockedBy: true });
-  });
-
-  it("defaults includeBlockedBy to true when the status filter is blocked (GRO-2096 regression guard)", async () => {
-    const res = await request(await createApp())
-      .get("/api/companies/company-1/issues")
-      .query({ status: "blocked" });
-    expect(res.status, JSON.stringify(res.body)).toBe(200);
-    expect(mockList).toHaveBeenCalledTimes(1);
-    const callArgs = mockList.mock.calls[0]?.[1] ?? {};
-    expect(callArgs).toMatchObject({ status: "blocked", includeBlockedBy: true });
-  });
-
-  it("opts out of includeBlockedBy when the caller passes ?includeBlockedBy=false", async () => {
-    const res = await request(await createApp())
-      .get("/api/companies/company-1/issues")
-      .query({ includeBlockedBy: "false" });
-    expect(res.status, JSON.stringify(res.body)).toBe(200);
-    expect(mockList).toHaveBeenCalledTimes(1);
-    const callArgs = mockList.mock.calls[0]?.[1] ?? {};
-    expect(callArgs).toMatchObject({ includeBlockedBy: false });
-  });
-
-  it("opts out of includeBlockedBy when the caller passes ?includeBlockedBy=0", async () => {
-    const res = await request(await createApp())
-      .get("/api/companies/company-1/issues")
-      .query({ includeBlockedBy: "0" });
-    expect(res.status, JSON.stringify(res.body)).toBe(200);
-    expect(mockList).toHaveBeenCalledTimes(1);
-    const callArgs = mockList.mock.calls[0]?.[1] ?? {};
-    expect(callArgs).toMatchObject({ includeBlockedBy: false });
-  });
-});

server/src/routes/issues.ts

@@ -1944,9 +1944,7 @@ export function issueRoutes(
         req.query.excludeRoutineExecutions === "true" || req.query.excludeRoutineExecutions === "1",
       includePluginOperations:
         req.query.includePluginOperations === "true" || req.query.includePluginOperations === "1",
-      // Default to including blockedBy so list responses are consistent with GET /api/issues/:id.
-      // Opt out with ?includeBlockedBy=false (or 0) for perf-sensitive callers that don't need the graph.
-      includeBlockedBy: req.query.includeBlockedBy !== "false" && req.query.includeBlockedBy !== "0",
+      includeBlockedBy: req.query.includeBlockedBy === "true" || req.query.includeBlockedBy === "1",
       includeBlockedInboxAttention:
         req.query.includeBlockedInboxAttention === "true" || req.query.includeBlockedInboxAttention === "1",
       q: req.query.q as string | undefined,