♻️ Refactor CI workflows

Update SECURITY.md file to request that vulnerabilities be reported through the GitHub Security Advisories feature in the Penpot repository

Signed-off-by: Madalena Melo <madalena.melo@kaleidos.net>

.circleci/config.yml

@@ -1,342 +0,0 @@
-version: 2.1
-
-jobs:
-  lint:
-    docker:
-      - image: penpotapp/devenv:latest
-
-    working_directory: ~/repo
-    resource_class: medium+
-
-    steps:
-      - checkout
-
-      - run:
-          name: "fmt check"
-          working_directory: "."
-          command: |
-            yarn install
-            yarn run fmt:clj:check
-
-      - run:
-          name: "lint clj common"
-          working_directory: "."
-          command: |
-            yarn run lint:clj:common
-
-      - run:
-          name: "lint clj frontend"
-          working_directory: "."
-          command: |
-            yarn run lint:clj:frontend
-
-      - run:
-          name: "lint clj backend"
-          working_directory: "."
-          command: |
-            yarn run lint:clj:backend
-
-      - run:
-          name: "lint clj exporter"
-          working_directory: "."
-          command: |
-            yarn run lint:clj:exporter
-
-      - run:
-          name: "lint clj library"
-          working_directory: "."
-          command: |
-            yarn run lint:clj:library
-
-  test-common:
-    docker:
-      - image: penpotapp/devenv:latest
-
-    working_directory: ~/repo
-    resource_class: medium+
-
-    environment:
-      JAVA_OPTS: -Xmx4g -Xms100m -XX:+UseSerialGC
-      NODE_OPTIONS: --max-old-space-size=4096
-
-    steps:
-      - checkout
-
-      # Download and cache dependencies
-      - restore_cache:
-          keys:
-            - v1-dependencies-{{ checksum "common/deps.edn"}}-{{ checksum "common/yarn.lock" }}
-
-      - run:
-          name: "JVM tests"
-          working_directory: "./common"
-          command: |
-            clojure -M:dev:test
-
-      - run:
-          name: "NODE tests"
-          working_directory: "./common"
-          command: |
-            yarn install
-            yarn run test
-
-      - save_cache:
-          paths:
-            - ~/.m2
-            - ~/.yarn
-            - ~/.gitlibs
-            - ~/.cache/ms-playwright
-          key: v1-dependencies-{{ checksum "common/deps.edn"}}-{{ checksum "common/yarn.lock" }}
-
-  test-frontend:
-    docker:
-      - image: penpotapp/devenv:latest
-
-    working_directory: ~/repo
-    resource_class: medium+
-
-    environment:
-      JAVA_OPTS: -Xmx4g -Xms100m -XX:+UseSerialGC
-      NODE_OPTIONS: --max-old-space-size=4096
-
-    steps:
-      - checkout
-
-      # Download and cache dependencies
-      - restore_cache:
-          keys:
-            - v1-dependencies-{{ checksum "frontend/deps.edn"}}-{{ checksum "frontend/yarn.lock" }}
-
-      - run:
-          name: "install dependencies"
-          working_directory: "./frontend"
-          # We install playwright here because the dependent tasks
-          # uses the same cache as this task so we prepopulate it
-          command: |
-            yarn install
-            yarn run playwright install chromium
-
-      - run:
-          name: "lint scss on frontend"
-          working_directory: "./frontend"
-          command: |
-            yarn run lint:scss
-
-      - run:
-          name: "unit tests"
-          working_directory: "./frontend"
-          command: |
-            yarn run test
-
-      - save_cache:
-          paths:
-            - ~/.m2
-            - ~/.yarn
-            - ~/.gitlibs
-            - ~/.cache/ms-playwright
-          key: v1-dependencies-{{ checksum "frontend/deps.edn"}}-{{ checksum "frontend/yarn.lock" }}
-
-  test-library:
-    docker:
-      - image: penpotapp/devenv:latest
-
-    working_directory: ~/repo
-    resource_class: medium+
-
-    environment:
-      JAVA_OPTS: -Xmx6g
-      NODE_OPTIONS: --max-old-space-size=4096
-
-    steps:
-      - checkout
-
-      # Download and cache dependencies
-      - restore_cache:
-          keys:
-            - v1-dependencies-{{ checksum "frontend/deps.edn"}}-{{ checksum "frontend/yarn.lock" }}
-
-      - run:
-          name: Install dependencies and build
-          working_directory: "./library"
-          command: |
-            yarn install
-
-      - run:
-          name: Build and Test
-          working_directory: "./library"
-          command: |
-            ./scripts/build
-            yarn run test
-
-  test-components:
-    docker:
-      - image: penpotapp/devenv:latest
-
-    working_directory: ~/repo
-    resource_class: medium+
-
-    environment:
-      JAVA_OPTS: -Xmx6g -Xms2g
-      NODE_OPTIONS: --max-old-space-size=4096
-
-    steps:
-      - checkout
-
-      # Download and cache dependencies
-      - restore_cache:
-          keys:
-            - v1-dependencies-{{ checksum "frontend/deps.edn"}}-{{ checksum "frontend/yarn.lock" }}
-
-      - run:
-          name: Install dependencies
-          working_directory: "./frontend"
-          command: |
-            yarn install
-            yarn run playwright install chromium
-
-      - run:
-          name: Build Storybook
-          working_directory: "./frontend"
-          command: yarn run build:storybook
-
-      - run:
-          name: Serve Storybook and run tests
-          working_directory: "./frontend"
-          command: |
-            npx concurrently -k -s first -n "SB,TEST" -c "magenta,blue" \
-              "npx http-server storybook-static --port 6006 --silent" \
-              "npx wait-on tcp:6006 && yarn test:storybook"
-
-  test-integration:
-    docker:
-      - image: penpotapp/devenv:latest
-
-    working_directory: ~/repo
-    resource_class: large
-
-    environment:
-      JAVA_OPTS: -Xmx6g -Xms2g
-      NODE_OPTIONS: --max-old-space-size=4096
-
-    steps:
-      - checkout
-
-      # Download and cache dependencies
-      - restore_cache:
-          keys:
-            - v1-dependencies-{{ checksum "frontend/deps.edn"}}-{{ checksum "frontend/yarn.lock" }}
-
-      - run:
-          name: "integration tests"
-          working_directory: "./frontend"
-          command: |
-            yarn install
-            yarn run build:app:assets
-            yarn run build:app
-            yarn run build:app:libs
-            yarn run playwright install chromium
-            yarn run test:e2e -x --workers=4
-
-  test-backend:
-    docker:
-      - image: penpotapp/devenv:latest
-      - image: cimg/postgres:14.5
-        environment:
-          POSTGRES_USER: penpot_test
-          POSTGRES_PASSWORD: penpot_test
-          POSTGRES_DB: penpot_test
-      - image: cimg/redis:7.0.5
-
-    working_directory: ~/repo
-    resource_class: medium+
-
-    environment:
-      JAVA_OPTS: -Xmx4g -Xms100m -XX:+UseSerialGC
-      NODE_OPTIONS: --max-old-space-size=4096
-
-    steps:
-      - checkout
-
-      - restore_cache:
-          keys:
-            - v1-dependencies-{{ checksum "backend/deps.edn" }}
-
-      - run:
-          name: "tests"
-          working_directory: "./backend"
-          command: |
-            clojure -M:dev:test --reporter kaocha.report/documentation
-
-          environment:
-            PENPOT_TEST_DATABASE_URI: "postgresql://localhost/penpot_test"
-            PENPOT_TEST_DATABASE_USERNAME: penpot_test
-            PENPOT_TEST_DATABASE_PASSWORD: penpot_test
-            PENPOT_TEST_REDIS_URI: "redis://localhost/1"
-
-      - save_cache:
-          paths:
-            - ~/.m2
-            - ~/.gitlibs
-          key: v1-dependencies-{{ checksum "backend/deps.edn" }}
-
-  test-render-wasm:
-    docker:
-      - image: penpotapp/devenv:latest
-
-    working_directory: ~/repo
-    resource_class: medium+
-    environment:
-
-    steps:
-      - checkout
-
-      - run:
-          name: "fmt check"
-          working_directory: "./render-wasm"
-          command: |
-            cargo fmt --check
-
-      - run:
-          name: "lint"
-          working_directory: "./render-wasm"
-          command: |
-            ./lint
-
-      - run:
-          name: "cargo tests"
-          working_directory: "./render-wasm"
-          command: |
-            ./test
-
-workflows:
-  penpot:
-    jobs:
-      - lint
-      - test-frontend:
-          requires:
-            - lint: success
-
-      - test-library:
-          requires:
-            - test-frontend: success
-            - lint: success
-
-      - test-components:
-          requires:
-            - test-frontend: success
-            - lint: success
-
-      - test-integration:
-          requires:
-            - test-frontend: success
-            - lint: success
-
-      - test-backend:
-          requires:
-            - lint: success
-
-      - test-common:
-          requires:
-            - lint: success
-
-      - test-render-wasm

.clj-kondo/config.edn

@@ -45,6 +45,15 @@
   :potok/reify-type
   {:level :error}
 
+  :redundant-primitive-coercion
+  {:level :off}
+
+  :unused-excluded-var
+  {:level :off}
+
+  :unresolved-excluded-var
+  {:level :off}
+
   :missing-protocol-method
   {:level :off}
 

.cljfmt.edn

@@ -2,6 +2,11 @@
  :remove-multiple-non-indenting-spaces? false
  :remove-surrounding-whitespace? true
  :remove-consecutive-blank-lines? false
+ :indent-line-comments? true
+ :parallel? true
+ :align-form-columns? false
+ ;; :align-map-columns? false
+ ;; :align-single-column-lines? false
  :extra-indents {rumext.v2/fnc [[:inner 0]]
                  cljs.test/async [[:inner 0]]
                  promesa.exec/thread [[:inner 0]]

.devenv/README.md

@@ -0,0 +1,133 @@
+# `.devenv/` — Per-Workspace AI-Client MCP Configs
+
+This directory carries the pieces needed to point an AI coding agent
+(currently Claude Code, opencode, VS Code Copilot, and the OpenAI Codex CLI)
+at the MCP servers running inside the parallel devenv instance the developer
+is currently working in. Every parallel workspace (`ws0`, `ws1`, …) has its
+own copy because the Penpot MCP and Serena MCP host ports are
+workspace-specific.
+
+## Layout
+
+```
+.devenv/
+  README.md
+  scripts/
+    merge-mcp-config.py    # generator helper invoked by manage.sh
+  shared/                  # committed; workspace-independent entries
+    claude-code.json       # Playwright — same for every workspace
+    opencode.json
+    vscode.json
+    codex.toml
+  templates/               # committed; entries with ${...} port placeholders
+    claude-code.json       # Penpot MCP, Serena MCP — port is the only diff
+    opencode.json
+    vscode.json
+    codex.toml
+  mcp/                     # gitignored; written by manage.sh per workspace
+    claude-code.json       # loaded via Claude Code's --mcp-config flag
+    opencode.json          # loaded via OPENCODE_CONFIG env var
+```
+
+One more file is generated outside `.devenv/`, in the directory VS Code itself
+auto-discovers (gitignored):
+
+```
+.vscode/mcp.json           # auto-loaded by GitHub Copilot in VS Code
+```
+
+Codex is the exception: it has no way to load an MCP config from an arbitrary
+path, and its only project-level config file (`.codex/config.toml`) is one a
+developer may already own. So we do **not** write a file for Codex at all —
+`start-coding-agent codex` injects our servers as `-c` command-line overrides
+built fresh from `shared/codex.toml` + `templates/codex.toml` at launch.
+
+* **`shared/`** holds MCP entries that don't depend on the workspace — the
+  browser-driving Playwright server today, plus any other workspace-independent
+  servers we add later. Same content in every workspace, so it's a static
+  checked-in file.
+* **`templates/`** holds the workspace-specific entries (Penpot MCP, Serena
+  MCP) with `${PENPOT_MCP_PORT}` and `${SERENA_MCP_PORT}` placeholders. The
+  placeholders are resolved per-workspace from the port-base constants in
+  `manage.sh`.
+* **`mcp/`** (Claude Code, opencode) is the result of merging `shared/` with
+  the port-substituted `templates/`. `manage.sh` writes these on every
+  `run-devenv-agentic` pass. Gitignored, dedicated paths with no developer
+  content — never edit by hand, your edits will be overwritten on the next
+  reconcile.
+* **`.vscode/mcp.json`** is the same merge, but written to the path VS Code
+  auto-discovers. Because on `ws0` that path *is* the live repo's own file, the
+  reconcile **deep-merges** into it: any servers you added yourself are kept,
+  and only the entries we manage (`penpot`, `serena-devenv`, `playwright`) are
+  (re)written to the current ports. On `ws1+` the file doesn't exist yet, so it
+  is created from scratch.
+* **`scripts/merge-mcp-config.py`** is the generator. Its `json` mode does the
+  JSON deep-merge (with `--merge-into-existing` for the VS Code path); its
+  `codex-args` mode prints the `-c` assignments for Codex. `manage.sh`'s
+  `_merge-mcp-config-json` helper is a thin shim over the former, and
+  `start-coding-agent` calls the latter directly. Run
+  `python3 .devenv/scripts/merge-mcp-config.py --help` for the CLI.
+
+## Launching a coding agent
+
+The easiest path is the wrapper command, which knows the right flags per
+client, `cd`'s into the target workspace, and refuses to launch unless the
+target instance is running and its MCP config has been generated:
+
+```bash
+# Default target is ws0 (the live repo).
+./manage.sh start-coding-agent claude               [...args to forward]
+./manage.sh start-coding-agent opencode             [...args to forward]
+./manage.sh start-coding-agent vscode               [...args to forward to 'code']
+./manage.sh start-coding-agent codex                [...args to forward]
+
+# Target a parallel workspace with --ws N. N is an integer (non-negative);
+# 'main', 'ws1' and similar spellings are rejected.
+./manage.sh start-coding-agent claude --ws 1
+./manage.sh start-coding-agent opencode --ws 2
+```
+
+Equivalents by hand (run from inside the workspace directory):
+
+```bash
+claude --mcp-config .devenv/mcp/claude-code.json
+OPENCODE_CONFIG=.devenv/mcp/opencode.json opencode
+code "$PWD"                  # VS Code auto-discovers .vscode/mcp.json
+# Codex: pass our servers as -c overrides (no config file is written).
+codex $(python3 .devenv/scripts/merge-mcp-config.py --format codex-args \
+          .devenv/shared/codex.toml .devenv/templates/codex.toml \
+          | sed 's/^/-c /')
+```
+
+`start-coding-agent codex` does the `-c` wiring for you (and resolves the
+workspace's ports first). Because our servers arrive as command-line
+overrides, no "trusted project" prompt is involved for them — that prompt only
+gates Codex's own `.codex/config.toml`, which we never write.
+
+## Overriding our entries
+
+Both the auto-discovered configs and the launcher-loaded configs sit *on top
+of* the developer's global config (with varying precedence rules). All four
+clients offer escape hatches for shadowing entries we ship:
+
+* **Claude Code** — `claude mcp add --scope local …` installs a private entry
+  that overrides the one in `mcp/claude-code.json`. Local scope wins.
+* **opencode** — drop an `opencode.json` at the repo root with the override
+  entries you need. opencode's precedence chain is *global → `OPENCODE_CONFIG`
+  → project*, so the project file always wins. The root `opencode.json` is
+  gitignored on purpose, since these overrides are personal.
+* **VS Code Copilot** — the reconcile deep-merges into `.vscode/mcp.json`, so
+  any servers you add there yourself are preserved (only `penpot`,
+  `serena-devenv` and `playwright` are rewritten). To shadow one of *ours*,
+  put an entry under the same name in your VS Code user-profile MCP config —
+  it is loaded alongside the workspace file and wins.
+* **Codex CLI** — our servers arrive as `-c` overrides, which are Codex's
+  highest-precedence layer, so they win over a same-named `[mcp_servers.<name>]`
+  in your `~/.codex/config.toml` or a project `.codex/config.toml`. To override
+  one of ours, append your own `-c` after the client name — extra args are
+  forwarded after ours and the later `-c` wins, e.g.
+  `./manage.sh start-coding-agent codex -- -c 'mcp_servers.penpot.url="…"'`.
+
+See `docs/technical-guide/developer/agentic-devenv.md` for the broader
+client-configuration story (browser remote debugging, AI-client config
+schemas, manual setup for unsupported clients).

.devenv/scripts/merge-mcp-config.py

@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+"""Combine a shared MCP-server config with a port-substituted template for one
+AI coding-agent client.
+
+Invoked per workspace by manage.sh's `write-instance-mcp-configs` (JSON
+clients) and by `start-coding-agent` (Codex). Each supported client ships a
+`.devenv/shared/<tool>.{json,toml}` (workspace-independent entries, e.g.
+Playwright) and a `.devenv/templates/<tool>.{json,toml}` (per-workspace entries
+with `${PENPOT_MCP_PORT}` / `${SERENA_MCP_PORT}` placeholders). This script
+combines the two for the target client.
+
+Two output modes are supported:
+
+  json         Deep-merge two JSON documents under a configurable top-level key
+               (`mcpServers` for Claude Code, `mcp` for opencode, `servers` for
+               VS Code Copilot) and write the result to <out>. Same-name
+               entries in the template override entries in shared. With
+               --merge-into-existing, any pre-existing <out> file is loaded as
+               the lowest-precedence layer first, so entries the developer
+               already had are preserved (ours win on name collision). This is
+               used for VS Code's auto-discovered `.vscode/mcp.json`, which on
+               ws0 IS the live repo's file and may hold the developer's own
+               servers; the Claude/opencode outputs live in a dedicated,
+               gitignored `.devenv/mcp/` path and are written without the flag
+               (a clean overwrite).
+
+  codex-args   Deep-merge the two TOML chunks and print one
+               `dotted.key=<toml-value>` assignment per line to stdout (no
+               <out> file). The caller wraps each line in a `codex -c` flag.
+               Codex has no way to load an MCP config from an arbitrary file
+               path (CODEX_HOME would relocate auth/history too), so rather than
+               writing the auto-discovered `.codex/config.toml` we inject our
+               servers as ephemeral per-invocation overrides. This never
+               touches the developer's project- or user-level Codex config.
+
+In both modes, `${VAR}` placeholders inside *either* chunk are resolved from
+the current environment (only template chunks carry placeholders in practice,
+but the substitution is uniform either way) using Python's
+`os.path.expandvars`. Undefined placeholders are left as `${VAR}` literal text
+-- callers (i.e. manage.sh) are responsible for exporting the variables before
+invoking the script.
+
+Usage:
+  merge-mcp-config.py --format json --key <key> [--merge-into-existing] \
+      <shared> <template> <out>
+  merge-mcp-config.py --format codex-args <shared> <template>
+
+Exit codes:
+  0  success
+  2  argparse error (missing required option, bad value, unreadable input)
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import re
+import sys
+import tomllib
+from pathlib import Path
+
+
+def merge_json(
+    shared_path: Path,
+    tpl_path: Path,
+    out_path: Path,
+    key: str,
+    merge_into_existing: bool,
+) -> None:
+    """Deep-merge JSON documents under a single top-level dict key into out.
+
+    Precedence (lowest to highest): an existing <out> file (only when
+    merge_into_existing is set), then shared, then the template. Entries under
+    `key` are merged by name, so the template wins on a name collision while
+    every other entry the lower layers contributed is kept. Top-level keys
+    other than `key` come from the existing file and shared (shared wins).
+    """
+    shared = json.loads(shared_path.read_text())
+    tpl = json.loads(os.path.expandvars(tpl_path.read_text()))
+
+    base: dict = {}
+    if merge_into_existing and out_path.exists():
+        base = json.loads(out_path.read_text())
+
+    merged: dict = {**base, **shared}
+    merged[key] = {**base.get(key, {}), **shared.get(key, {}), **tpl.get(key, {})}
+
+    out_path.write_text(json.dumps(merged, indent=2) + "\n")
+
+
+def _deep_merge(base: dict, overlay: dict) -> dict:
+    """Recursively merge overlay into base; overlay wins on scalar/list keys."""
+    out = dict(base)
+    for k, v in overlay.items():
+        if isinstance(out.get(k), dict) and isinstance(v, dict):
+            out[k] = _deep_merge(out[k], v)
+        else:
+            out[k] = v
+    return out
+
+
+def _toml_value(value: object) -> str:
+    """Serialize a scalar/list as a TOML literal for a `codex -c` value.
+
+    bool is checked before int because `isinstance(True, int)` is True. Strings
+    are emitted as JSON strings, which are valid TOML basic strings for the
+    ASCII values our configs carry (commands, args, URLs). Tables never reach
+    here -- they are flattened into dotted keys by _flatten.
+    """
+    if isinstance(value, bool):
+        return "true" if value else "false"
+    if isinstance(value, (int, float)):
+        return repr(value)
+    if isinstance(value, str):
+        return json.dumps(value)
+    if isinstance(value, list):
+        return "[" + ", ".join(_toml_value(v) for v in value) + "]"
+    raise TypeError(f"unsupported TOML value type: {type(value).__name__}")
+
+
+_BARE_KEY = re.compile(r"^[A-Za-z0-9_-]+$")
+
+
+def _key_segment(seg: str) -> str:
+    """A dotted-key segment: bare if TOML-safe, else a quoted key."""
+    return seg if _BARE_KEY.match(seg) else json.dumps(seg)
+
+
+def _flatten(obj: dict, prefix: list[str]):
+    """Yield (dotted-path-segments, leaf-value) for every non-table leaf.
+
+    Lists are leaves (TOML arrays), so we do not recurse into them; nested
+    tables (e.g. an `env` table) are flattened into further dotted keys.
+    """
+    for k, v in obj.items():
+        path = prefix + [k]
+        if isinstance(v, dict):
+            yield from _flatten(v, path)
+        else:
+            yield path, v
+
+
+def emit_codex_args(shared_path: Path, tpl_path: Path) -> None:
+    """Print `dotted.key=<toml-value>` lines from the merged TOML chunks."""
+    shared = tomllib.loads(os.path.expandvars(shared_path.read_text()))
+    tpl = tomllib.loads(os.path.expandvars(tpl_path.read_text()))
+    merged = _deep_merge(shared, tpl)
+    for path, value in _flatten(merged, []):
+        dotted = ".".join(_key_segment(s) for s in path)
+        sys.stdout.write(f"{dotted}={_toml_value(value)}\n")
+
+
+def main(argv: list[str]) -> int:
+    parser = argparse.ArgumentParser(
+        description=__doc__.split("\n\n", 1)[0],
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    parser.add_argument(
+        "--format",
+        choices=("json", "codex-args"),
+        required=True,
+        help="Output mode: 'json' writes a merged file; 'codex-args' prints -c assignments.",
+    )
+    parser.add_argument(
+        "--key",
+        help="Top-level JSON key under which MCP entries live (required for --format json).",
+    )
+    parser.add_argument(
+        "--merge-into-existing",
+        action="store_true",
+        help="json only: layer the merge on top of an existing <out> file, "
+        "preserving entries already there (ours still win on name collision).",
+    )
+    parser.add_argument("shared", type=Path, help="Path to the shared chunk.")
+    parser.add_argument("template", type=Path, help="Path to the port-placeholder template chunk.")
+    parser.add_argument(
+        "out",
+        type=Path,
+        nargs="?",
+        help="Path the merged result is written to (json only; codex-args writes stdout).",
+    )
+    args = parser.parse_args(argv)
+
+    if args.format == "json":
+        if not args.key:
+            parser.error("--key is required when --format json")
+        if args.out is None:
+            parser.error("out is required when --format json")
+        merge_json(args.shared, args.template, args.out, args.key, args.merge_into_existing)
+    else:  # codex-args
+        if args.key:
+            parser.error("--key is not accepted when --format codex-args")
+        if args.merge_into_existing:
+            parser.error("--merge-into-existing is not accepted when --format codex-args")
+        if args.out is not None:
+            parser.error("out path is not accepted when --format codex-args (result goes to stdout)")
+        emit_codex_args(args.shared, args.template)
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))

.devenv/shared/claude-code.json

@@ -0,0 +1,8 @@
+{
+  "mcpServers": {
+    "playwright": {
+      "command": "npx",
+      "args": ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]
+    }
+  }
+}

.devenv/shared/codex.toml

@@ -0,0 +1,8 @@
+# Workspace-independent MCP servers for the OpenAI Codex CLI.
+# This block is concatenated with the port-substituted templates/codex.toml
+# by manage.sh's write-instance-mcp-configs to produce .codex/config.toml at
+# the workspace root.
+
+[mcp_servers.playwright]
+command = "npx"
+args = ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]

.devenv/shared/opencode.json

@@ -0,0 +1,9 @@
+{
+  "mcp": {
+    "playwright": {
+      "type": "local",
+      "command": ["npx", "@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"],
+      "enabled": true
+    }
+  }
+}

.devenv/shared/vscode.json

@@ -0,0 +1,9 @@
+{
+  "servers": {
+    "playwright": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]
+    }
+  }
+}

.devenv/templates/claude-code.json

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "penpot": {
+      "command": "npx",
+      "args": ["-y", "mcp-remote", "http://localhost:${PENPOT_MCP_PORT}/mcp", "--allow-http"]
+    },
+    "serena-devenv": {
+      "command": "npx",
+      "args": ["-y", "mcp-remote", "http://localhost:${SERENA_MCP_PORT}/mcp", "--allow-http"]
+    }
+  }
+}

.devenv/templates/codex.toml

@@ -0,0 +1,10 @@
+# Workspace-specific MCP servers for the OpenAI Codex CLI. The PENPOT_MCP_PORT
+# and SERENA_MCP_PORT placeholders below are filled in per workspace by
+# manage.sh's write-instance-mcp-configs, then the result is concatenated
+# with shared/codex.toml to produce .codex/config.toml.
+
+[mcp_servers.penpot]
+url = "http://localhost:${PENPOT_MCP_PORT}/mcp"
+
+[mcp_servers.serena-devenv]
+url = "http://localhost:${SERENA_MCP_PORT}/mcp"

.devenv/templates/opencode.json

@@ -0,0 +1,14 @@
+{
+  "mcp": {
+    "penpot": {
+      "type": "remote",
+      "url": "http://localhost:${PENPOT_MCP_PORT}/mcp",
+      "enabled": true
+    },
+    "serena-devenv": {
+      "type": "remote",
+      "url": "http://localhost:${SERENA_MCP_PORT}/mcp",
+      "enabled": true
+    }
+  }
+}

.devenv/templates/vscode.json

@@ -0,0 +1,12 @@
+{
+  "servers": {
+    "penpot": {
+      "type": "http",
+      "url": "http://localhost:${PENPOT_MCP_PORT}/mcp"
+    },
+    "serena-devenv": {
+      "type": "http",
+      "url": "http://localhost:${SERENA_MCP_PORT}/mcp"
+    }
+  }
+}

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -1,7 +1,9 @@
 description: Create a report to help us improve
-labels: ["bug"]
 name: Bug report
-title: "bug: "
+title: ""
+type: Bug
+labels: ["needs triage"]
+
 body:
   - type: markdown
     attributes:

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: true

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -1,7 +1,9 @@
 description: Suggest an idea for this project.
-labels: ["needs triage", "enhancement"]
+labels: ["needs triage"]
 name: "Feature request"
-title: "feature: "
+title: ""
+type: Enhancement
+
 body:
   - type: markdown
     attributes:

.github/PULL_REQUEST_TEMPLATE.md

@@ -13,7 +13,7 @@
 - [ ] Add a detailed explanation of how to reproduce the issue and/or verify the fix, if applicable.
 - [ ] Include screenshots or videos, if applicable.
 - [ ] Add or modify existing integration tests in case of bugs or new features, if applicable.
+- [ ] Refactor any modified SCSS files following the refactor guide.
 - [ ] Check CI passes successfully.
-- [ ] Update the `CHANGES.md` file, referencing the related GitHub issue, if applicable.
 
 <!-- For more details, check the contribution guidelines: https://github.com/penpot/penpot/blob/develop/CONTRIBUTING.md -->

.github/workflows/build-bundle.yml

@@ -1,11 +1,11 @@
-name: Build and Upload Penpot Bundle
+name: Bundles Builder
 
 on:
   # Create bundle from manual action
   workflow_dispatch:
     inputs:
       gh_ref:
-        description: 'Name of the branch'
+        description: 'Name of the branch or ref'
         type: string
         required: true
         default: 'develop'
@@ -22,7 +22,7 @@ on:
   workflow_call:
     inputs:
       gh_ref:
-        description: 'Name of the branch'
+        description: 'Name of the branch or ref'
         type: string
         required: true
         default: 'develop'
@@ -40,7 +40,7 @@ on:
 jobs:
   build-bundle:
     name: Build and Upload Penpot Bundle
-    runs-on: ubuntu-24.04
+    runs-on: penpot-runner-01
     env:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -48,7 +48,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ inputs.gh_ref }}
@@ -56,10 +56,10 @@ jobs:
       - name: Extract some useful variables
         id: vars
         run: |
-          echo "commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
           echo "gh_ref=${{ inputs.gh_ref || github.ref_name }}" >> $GITHUB_OUTPUT
+          echo "bundle_version=$(git describe --tags --always)" >> $GITHUB_OUTPUT
 
-      - name: Run manage.sh build-bundle from host
+      - name: Build bundle
         env:
           BUILD_WASM: ${{ inputs.build_wasm }}
           BUILD_STORYBOOK: ${{ inputs.build_storybook }}
@@ -76,22 +76,18 @@ jobs:
           zip -r zips/penpot.zip penpot
 
       - name: Upload Penpot bundle to S3
-        if: github.ref_type == 'branch'
         run: |
-          aws s3 cp zips/penpot.zip s3://${{ secrets.S3_BUCKET }}/penpot-${{ steps.vars.outputs.gh_ref }}-latest.zip
-          aws s3 cp zips/penpot.zip s3://${{ secrets.S3_BUCKET }}/penpot-${{ steps.vars.outputs.commit_hash }}.zip
-
-      - name: Upload Penpot bundle to S3
-        if: github.ref_type == 'tag'
-        run: |
-          aws s3 cp zips/penpot.zip s3://${{ secrets.S3_BUCKET }}/penpot-${{ steps.vars.outputs.gh_ref }}.zip
+          aws s3 cp zips/penpot.zip s3://${{ secrets.S3_BUCKET }}/penpot-${{ steps.vars.outputs.gh_ref }}.zip --metadata bundle-version=${{ steps.vars.outputs.bundle_version }}
 
       - name: Notify Mattermost
         if: failure()
         uses: mattermost/action-mattermost-notify@master
         with:
           MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
           TEXT: |
-            ❌ *[PENPOT] Error during the execution of the job*
+            ❌ 📦 *[PENPOT] Error building penpot bundles.*
             📄 Triggered from ref: `${{ steps.vars.outputs.gh_ref }}`
+               Bundle version: `${{ steps.vars.outputs.bundle_version }}`
             🔗 Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            @infra

.github/workflows/build-develop.yml

@@ -1,14 +1,22 @@
-name: DEVELOP - Build and Upload Penpot Bundle
+name: _DEVELOP
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '16 5-20 * * 1-5'
 
 jobs:
-  build-develop-bundle:
+  build-bundle:
     uses: ./.github/workflows/build-bundle.yml
     secrets: inherit
     with:
       gh_ref: "develop"
       build_wasm: "yes"
       build_storybook: "yes"
+
+  build-docker:
+    needs: build-bundle
+    uses: ./.github/workflows/build-docker.yml
+    secrets: inherit
+    with:
+      gh_ref: "develop"

.github/workflows/build-docker-devenv.yml

@@ -0,0 +1,50 @@
+name: DevEnv Docker Image Builder
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    name: Build and push DevEnv Docker image
+    runs-on: penpot-runner-02
+
+    steps:
+      - name: Set common environment variables
+        run: |
+          # Each job execution will use its own docker configuration.
+          echo "DOCKER_CONFIG=${{ runner.temp }}/.docker-${{ github.run_id }}-${{ github.job }}" >> $GITHUB_ENV
+
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.PUB_DOCKER_USERNAME }}
+          password: ${{ secrets.PUB_DOCKER_PASSWORD }}
+
+      - name: Build and push DevEnv Docker image
+        uses: docker/build-push-action@v7
+        env:
+          DOCKER_IMAGE: 'penpotapp/devenv'
+        with:
+          context: ./docker/devenv/
+          file: ./docker/devenv/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.DOCKER_IMAGE }}:latest
+          cache-from: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Notify Mattermost
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            🚀 *[PENPOT] New devenv available*
+            📄 You may want to update your devenv.
+            @alvaro

.github/workflows/build-docker.yml

@@ -0,0 +1,183 @@
+name: Docker Images Builder
+
+on:
+  workflow_dispatch:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch or ref'
+        type: string
+        required: true
+        default: 'develop'
+  workflow_call:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch or ref'
+        type: string
+        required: true
+        default: 'develop'
+
+jobs:
+  build-and-push:
+    name: Build and Push Penpot Docker Images
+    runs-on: penpot-runner-02
+
+    steps:
+      - name: Set common environment variables
+        run: |
+          # Each job execution will use its own docker configuration.
+          echo "DOCKER_CONFIG=${{ runner.temp }}/.docker-${{ github.run_id }}-${{ github.job }}" >> $GITHUB_ENV
+
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.gh_ref }}
+
+      - name: Extract some useful variables
+        id: vars
+        run: |
+          echo "gh_ref=${{ inputs.gh_ref || github.ref_name }}" >> $GITHUB_OUTPUT
+
+      - name: Download Penpot Bundles
+        id: bundles
+        env:
+          FILE_NAME: penpot-${{ steps.vars.outputs.gh_ref }}.zip
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
+        run: |
+          tmp=$(aws s3api head-object \
+            --bucket ${{ secrets.S3_BUCKET }} \
+            --key "$FILE_NAME" \
+            --query 'Metadata."bundle-version"' \
+            --output text)
+          echo "bundle_version=$tmp" >> $GITHUB_OUTPUT
+          pushd docker/images
+          aws s3 cp s3://${{ secrets.S3_BUCKET }}/$FILE_NAME .
+          unzip $FILE_NAME > /dev/null
+          mv penpot/backend bundle-backend
+          mv penpot/frontend bundle-frontend
+          mv penpot/exporter bundle-exporter
+          mv penpot/storybook bundle-storybook
+          mv penpot/mcp bundle-mcp
+          popd
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v4
+        with:
+          registry: ${{ secrets.DOCKER_REGISTRY }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      # To avoid the “429 Too Many Requests” error when downloading
+      # images from DockerHub for unregistered users.
+      # https://docs.docker.com/docker-hub/usage/
+      - name: Login to DockerHub Registry
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.PUB_DOCKER_USERNAME }}
+          password: ${{ secrets.PUB_DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images:
+            frontend
+            backend
+            exporter
+            storybook
+            mcp
+          labels: |
+            bundle_version=${{ steps.bundles.outputs.bundle_version }}
+
+      - name: Build and push Backend Docker image
+        uses: docker/build-push-action@v7
+        env:
+          DOCKER_IMAGE: 'backend'
+          BUNDLE_PATH: './bundle-backend'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.backend
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Build and push Frontend Docker image
+        uses: docker/build-push-action@v7
+        env:
+          DOCKER_IMAGE: 'frontend'
+          BUNDLE_PATH: './bundle-frontend'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.frontend
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Build and push Exporter Docker image
+        uses: docker/build-push-action@v7
+        env:
+          DOCKER_IMAGE: 'exporter'
+          BUNDLE_PATH: './bundle-exporter'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.exporter
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Build and push Storybook Docker image
+        uses: docker/build-push-action@v7
+        env:
+          DOCKER_IMAGE: 'storybook'
+          BUNDLE_PATH: './bundle-storybook'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.storybook
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Build and push MCP Docker image
+        uses: docker/build-push-action@v7
+        env:
+          DOCKER_IMAGE: 'mcp'
+          BUNDLE_PATH: './bundle-mcp'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.mcp
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Notify Mattermost
+        if: failure()
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            ❌ 🐳 *[PENPOT] Error building penpot docker images.*
+            📄 Triggered from ref: `${{ steps.vars.outputs.gh_ref }}`
+            📦 Bundle: `${{ steps.bundles.outputs.bundle_version }}`
+            🔗 Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            @infra

.github/workflows/build-staging.yml

@@ -1,14 +1,22 @@
-name: STAGING - Build and Upload Penpot Bundle
+name: _STAGING
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '36 5-20 * * 1-5'
 
 jobs:
-  build-staging-bundle:
+  build-bundle:
     uses: ./.github/workflows/build-bundle.yml
     secrets: inherit
     with:
       gh_ref: "staging"
       build_wasm: "yes"
       build_storybook: "yes"
+
+  build-docker:
+    needs: build-bundle
+    uses: ./.github/workflows/build-docker.yml
+    secrets: inherit
+    with:
+      gh_ref: "staging"

.github/workflows/build-tag.yml

@@ -1,15 +1,47 @@
-name: TAG - Build and Upload Penpot Bundle
+name: _TAG
 
 on:
+  workflow_dispatch:
   push:
     tags:
       - '*'
 
 jobs:
-  build-tag-bundle:
+  build-bundle:
     uses: ./.github/workflows/build-bundle.yml
     secrets: inherit
     with:
       gh_ref: ${{ github.ref_name }}
-      build_wasm: "no"
+      build_wasm: "yes"
       build_storybook: "yes"
+
+  build-docker:
+    needs: build-bundle
+    uses: ./.github/workflows/build-docker.yml
+    secrets: inherit
+    with:
+      gh_ref: ${{ github.ref_name }}
+
+  notify:
+    name: Notifications
+    runs-on: ubuntu-24.04
+    needs: build-docker
+
+    steps:
+      - name: Notify Mattermost
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            🐳 *[PENPOT] Docker image available: ${{ github.ref_name }}*
+            🔗 Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            @infra
+
+  publish-final-tag:
+    if: ${{ !contains(github.ref_name, '-RC') && !contains(github.ref_name, '-alpha') && !contains(github.ref_name, '-beta')  && contains(github.ref_name, '.') }}
+    needs: build-docker
+    uses: ./.github/workflows/release.yml
+    secrets: inherit
+    with:
+      gh_ref: ${{ github.ref_name }}

.github/workflows/commit-checker.yml

@@ -6,12 +6,14 @@ on:
       - edited
       - reopened
       - synchronize
+      - ready_for_review
   pull_request_target:
     types:
       - opened
       - edited
       - reopened
       - synchronize
+      - ready_for_review
   push:
     branches:
       - main
@@ -20,13 +22,14 @@ on:
 
 jobs:
   check-commit-message:
+    if: ${{ !github.event.pull_request.draft }}
     name: Check Commit Message
     runs-on: ubuntu-latest
     steps:
       - name: Check Commit Type
         uses: gsactions/commit-message-checker@v2
         with:
-          pattern: '^(Merge|Revert|:(lipstick|globe_with_meridians|wrench|books|arrow_up|arrow_down|zap|ambulance|construction|boom|fire|whale|bug|sparkles|paperclip|tada|recycle|rewind):)\s[A-Z].*[^.]$'
+          pattern: '^(((:(lipstick|globe_with_meridians|wrench|books|arrow_up|arrow_down|zap|ambulance|construction|boom|fire|whale|bug|sparkles|paperclip|tada|recycle|rewind|construction_worker):)\s[A-Z].*[^.])|(Merge|Revert|Reapply).+[^.])$'
           flags: 'gm'
           error: 'Commit should match CONTRIBUTING.md guideline'
           checkAllCommitMessages: 'true' # optional: this checks all commits associated with a pull request

.github/workflows/plugins-deploy-api-doc.yml

@@ -0,0 +1,142 @@
+name: Plugins/api-doc deployer
+
+on:
+  push:
+    branches:
+      - develop
+      - staging
+      - main
+    paths:
+      - 'plugins/libs/plugin-types/index.d.ts'
+      - 'plugins/libs/plugin-types/REAME.md'
+      - 'plugins/tools/typedoc.css'
+      - 'plugins/CHANGELOG.md'
+      - 'plugins/wrangler-penpot-plugins-api-doc.toml'
+  workflow_dispatch:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch'
+        type: choice
+        required: true
+        default: 'develop'
+        options:
+          - develop
+          - staging
+          - main
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract some useful variables
+        id: vars
+        run: |
+          echo "gh_ref=${{ inputs.gh_ref || github.ref_name }}" >> $GITHUB_OUTPUT
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ steps.vars.outputs.gh_ref }}
+
+      # START: Setup Node and PNPM enabling cache
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
+      - name: Enable PNPM
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          corepack enable;
+          corepack install;
+
+      - name: Get pnpm store path
+        id: pnpm-store
+        working-directory: ./plugins
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+
+      - name: Cache pnpm store
+        uses: actions/cache@v5
+        with:
+          path: ${{ steps.pnpm-store.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-${{ hashFiles('plugins/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-
+      # END: Setup Node and PNPM enabling cache
+
+      - name: Install deps
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          pnpm install --no-frozen-lockfile;
+          pnpm add -D -w wrangler@latest;
+
+      - name: Build docs
+        working-directory: plugins
+        shell: bash
+        run: pnpm run build:doc
+
+      - name: Select Worker name
+        run: |
+          REF="${{ steps.vars.outputs.gh_ref }}"
+          case "$REF" in
+            main)
+              echo "WORKER_NAME=penpot-plugins-api-doc-pro" >> $GITHUB_ENV
+              echo "WORKER_URI=doc.plugins.penpot.app" >> $GITHUB_ENV ;;
+            staging)
+              echo "WORKER_NAME=penpot-plugins-api-doc-pre" >> $GITHUB_ENV
+              echo "WORKER_URI=doc.plugins.penpot.dev" >> $GITHUB_ENV ;;
+            develop)
+              echo "WORKER_NAME=penpot-plugins-api-doc-hourly" >> $GITHUB_ENV
+              echo "WORKER_URI=doc.plugins.hourly.penpot.dev" >> $GITHUB_ENV ;;
+            *) echo "Unsupported branch ${REF}" && exit 1 ;;
+          esac
+
+      - name: Set the custom url
+        working-directory: plugins
+        shell: bash
+        run: |
+          sed -i "s/WORKER_URI/${{ env.WORKER_URI }}/g" wrangler-penpot-plugins-api-doc.toml
+
+      - name: Add noindex header and robots.txt files for non-production environments
+        if: ${{ steps.vars.outputs.gh_ref != 'main' }}
+        working-directory: plugins
+        shell: bash
+        run: |
+          ASSETS_DIR="dist/doc"
+
+          cat > "${ASSETS_DIR}/_headers" << 'EOF'
+          /*
+            X-Robots-Tag: noindex, nofollow
+          EOF
+
+          cat > "${ASSETS_DIR}/robots.txt" << 'EOF'
+          User-agent: *
+          Disallow: /
+          EOF
+
+      - name: Deploy to Cloudflare Workers
+        uses: cloudflare/wrangler-action@v3
+        with:
+          workingDirectory: plugins
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: deploy --config wrangler-penpot-plugins-api-doc.toml --name ${{ env.WORKER_NAME }}
+
+      - name: Notify Mattermost
+        if: failure()
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            ❌ 🧩📚 *[PENPOT PLUGINS] Error deploying API documentation.*
+            📄 Triggered from ref: `${{ inputs.gh_ref }}`
+            🔗 Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            @infra

.github/workflows/plugins-deploy-package.yml

@@ -0,0 +1,127 @@
+name: Plugins/package deployer
+
+on:
+  # Deploy package from manual action
+  workflow_dispatch:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch'
+        type: choice
+        required: true
+        default: 'develop'
+        options:
+          - develop
+          - staging
+          - main
+      plugin_name:
+        description: 'Pluging name (like plugins/apps/<plugin_name>-plugin)'
+        type: string
+        required: true
+  workflow_call:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch'
+        type: string
+        required: true
+        default: 'develop'
+      plugin_name:
+        description: 'Publig name (from plugins/apps/<plugin_name>-plugin)'
+        type: string
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: penpot-runner-01
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.gh_ref }}
+
+      # START: Setup Node and PNPM enabling cache
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
+      - name: Enable PNPM
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          corepack enable;
+          corepack install;
+
+      - name: Get pnpm store path
+        id: pnpm-store
+        working-directory: ./plugins
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+
+      - name: Cache pnpm store
+        uses: actions/cache@v5
+        with:
+          path: ${{ steps.pnpm-store.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-${{ hashFiles('plugins/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-
+      # END: Setup Node and PNPM enabling cache
+
+      - name: Install deps
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          pnpm install --no-frozen-lockfile;
+          pnpm add -D -w wrangler@latest;
+
+      - name: "Build package for ${{ inputs.plugin_name }}-plugin"
+        working-directory: plugins
+        shell: bash
+        run: pnpm --filter ${{ inputs.plugin_name }}-plugin build
+
+      - name: Select Worker name
+        run: |
+          REF="${{ inputs.gh_ref }}"
+          case "$REF" in
+            main)
+              echo "WORKER_NAME=${{ inputs.plugin_name }}-plugin-pro" >> $GITHUB_ENV
+              echo "WORKER_URI=${{ inputs.plugin_name }}.plugins.penpot.app" >> $GITHUB_ENV ;;
+            staging)
+              echo "WORKER_NAME=${{ inputs.plugin_name }}-plugin-pre" >> $GITHUB_ENV
+              echo "WORKER_URI=${{ inputs.plugin_name }}.plugins.penpot.dev" >> $GITHUB_ENV ;;
+            develop)
+              echo "WORKER_NAME=${{ inputs.plugin_name }}-plugin-hourly" >> $GITHUB_ENV
+              echo "WORKER_URI=${{ inputs.plugin_name }}.plugins.hourly.penpot.dev" >> $GITHUB_ENV ;;
+            *) echo "Unsupported branch ${REF}" && exit 1 ;;
+          esac
+
+      - name: Set the custom url
+        working-directory: plugins
+        shell: bash
+        run: |
+          sed -i "s/WORKER_URI/${{ env.WORKER_URI }}/g" apps/${{ inputs.plugin_name }}-plugin/wrangler.toml
+
+      - name: Deploy to Cloudflare Workers
+        uses: cloudflare/wrangler-action@v3
+        with:
+          workingDirectory: plugins
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: deploy --config apps/${{ inputs.plugin_name }}-plugin/wrangler.toml --name ${{ env.WORKER_NAME }}
+
+      - name: Notify Mattermost
+        if: failure()
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            ❌ 🧩📦 *[PENPOT PLUGINS] Error deploying ${{ env.WORKER_NAME }}.*
+            📄 Triggered from ref: `${{ inputs.gh_ref }}`
+               Plugin name: `${{ inputs.plugin_name }}-plugin`
+               Cloudflare worker name: `${{ env.WORKER_NAME }}`
+            🔗 Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            @infra

.github/workflows/plugins-deploy-packages.yml

@@ -0,0 +1,143 @@
+name: Plugins/packages deployer
+
+on:
+  push:
+    branches:
+      - develop
+      - staging
+      - main
+    paths:
+      - 'plugins/apps/*-plugin/**'
+      - 'libs/plugins-styles/**'
+  workflow_dispatch:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch'
+        type: choice
+        required: true
+        default: 'develop'
+        options:
+          - develop
+          - staging
+          - main
+
+jobs:
+  detect-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      colors_to_tokens: ${{ steps.filter.outputs.colors_to_tokens }}
+      create_palette: ${{ steps.filter.outputs.create_palette }}
+      lorem_ipsum: ${{ steps.filter.outputs.lorem_ipsum }}
+      rename_layers: ${{ steps.filter.outputs.rename_layers }}
+      contrast: ${{ steps.filter.outputs.contrast }}
+      icons: ${{ steps.filter.outputs.icons }}
+      poc_state: ${{ steps.filter.outputs.poc_state }}
+      table: ${{ steps.filter.outputs.table }}
+      # [For new plugins]
+      #   Add more outputs here
+    steps:
+      - uses: actions/checkout@v6
+      - id: filter
+        uses: dorny/paths-filter@v4
+        with:
+          filters: |
+            colors_to_tokens:
+              - 'plugins/apps/colors-to-tokens-plugin/**'
+              - 'libs/plugins-styles/**'
+            contrast:
+              - 'plugins/apps/contrast-plugin/**'
+              - 'libs/plugins-styles/**'
+            create_palette:
+              - 'plugins/apps/create-palette-plugin/**'
+              - 'libs/plugins-styles/**'
+            icons:
+              - 'plugins/apps/icons-plugin/**'
+              - 'libs/plugins-styles/**'
+            lorem_ipsum:
+              - 'plugins/apps/lorem-ipsum-plugin/**'
+              - 'libs/plugins-styles/**'
+            rename_layers:
+              - 'plugins/apps/rename-layers-plugin/**'
+              - 'libs/plugins-styles/**'
+            table:
+              - 'plugins/apps/table-plugin/**'
+              - 'libs/plugins-styles/**'
+           # [For new plugins]
+           #   Add more plugin filters here
+           #     another_plugin:
+           #       - 'plugins/apps/another-plugin/**'
+           #       - 'libs/plugins-styles/**'
+
+  colors-to-tokens-plugin:
+    needs: detect-changes
+    if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.colors_to_tokens == 'true'
+    uses: ./.github/workflows/plugins-deploy-package.yml
+    secrets: inherit
+    with:
+      gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+      plugin_name: colors-to-tokens
+
+  contrast-plugin:
+    needs: detect-changes
+    if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.contrast == 'true'
+    uses: ./.github/workflows/plugins-deploy-package.yml
+    secrets: inherit
+    with:
+      gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+      plugin_name: contrast
+
+  create-palette-plugin:
+    needs: detect-changes
+    if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.create_palette == 'true'
+    uses: ./.github/workflows/plugins-deploy-package.yml
+    secrets: inherit
+    with:
+      gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+      plugin_name: create-palette
+
+  icons-plugin:
+    needs: detect-changes
+    if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.icons == 'true'
+    uses: ./.github/workflows/plugins-deploy-package.yml
+    secrets: inherit
+    with:
+      gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+      plugin_name: icons
+
+  lorem-ipsum-plugin:
+    needs: detect-changes
+    if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.lorem_ipsum == 'true'
+    uses: ./.github/workflows/plugins-deploy-package.yml
+    secrets: inherit
+    with:
+      gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+      plugin_name: lorem-ipsum
+
+  rename-layers-plugin:
+    needs: detect-changes
+    if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.rename_layers == 'true'
+    uses: ./.github/workflows/plugins-deploy-package.yml
+    secrets: inherit
+    with:
+      gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+      plugin_name: rename-layers
+
+  table-plugin:
+    needs: detect-changes
+    if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.table == 'true'
+    uses: ./.github/workflows/plugins-deploy-package.yml
+    secrets: inherit
+    with:
+      gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+      plugin_name: table
+
+  # [For new plugins]
+  #   Add more jobs for other plugins below, following the same pattern
+  #     another-plugin:
+  #       needs: detect-changes
+  #       if: github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.another_plugin == 'true'
+  #       uses: ./.github/workflows/plugins-deploy-package.yml
+  #       secrets: inherit
+  #       with:
+  #         gh_ref: "${{ inputs.gh_ref || github.ref_name }}"
+  #         plugin_name: another

.github/workflows/plugins-deploy-styles-doc.yml

@@ -0,0 +1,140 @@
+name: Plugins/styles-doc deployer
+
+on:
+  push:
+    branches:
+      - develop
+      - staging
+      - main
+    paths:
+      - 'plugins/apps/example-styles/**'
+      - 'plugins/libs/plugins-styles/**'
+      - 'plugins/wrangler-penpot-plugins-styles-doc.toml'
+  workflow_dispatch:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch'
+        type: choice
+        required: true
+        default: 'develop'
+        options:
+          - develop
+          - staging
+          - main
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract some useful variables
+        id: vars
+        run: |
+          echo "gh_ref=${{ inputs.gh_ref || github.ref_name }}" >> $GITHUB_OUTPUT
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ steps.vars.outputs.gh_ref }}
+
+      # START: Setup Node and PNPM enabling cache
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
+      - name: Enable PNPM
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          corepack enable;
+          corepack install;
+
+      - name: Get pnpm store path
+        id: pnpm-store
+        working-directory: ./plugins
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+
+      - name: Cache pnpm store
+        uses: actions/cache@v5
+        with:
+          path: ${{ steps.pnpm-store.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-${{ hashFiles('plugins/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-
+      # END: Setup Node and PNPM enabling cache
+
+      - name: Install deps
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          pnpm install --no-frozen-lockfile;
+          pnpm add -D -w wrangler@latest;
+
+      - name: Build styles
+        working-directory: plugins
+        shell: bash
+        run: pnpm run build:styles-example
+
+      - name: Select Worker name
+        run: |
+          REF="${{ steps.vars.outputs.gh_ref }}"
+          case "$REF" in
+            main)
+              echo "WORKER_NAME=penpot-plugins-styles-doc-pro" >> $GITHUB_ENV
+              echo "WORKER_URI=styles-doc.plugins.penpot.app" >> $GITHUB_ENV ;;
+            staging)
+              echo "WORKER_NAME=penpot-plugins-styles-doc-pre" >> $GITHUB_ENV
+              echo "WORKER_URI=styles-doc.plugins.penpot.dev" >> $GITHUB_ENV ;;
+            develop)
+              echo "WORKER_NAME=penpot-plugins-styles-doc-hourly" >> $GITHUB_ENV
+              echo "WORKER_URI=styles-doc.plugins.hourly.penpot.dev" >> $GITHUB_ENV ;;
+            *) echo "Unsupported branch ${REF}" && exit 1 ;;
+          esac
+
+      - name: Set the custom url
+        working-directory: plugins
+        shell: bash
+        run: |
+          sed -i "s/WORKER_URI/${{ env.WORKER_URI }}/g" wrangler-penpot-plugins-styles-doc.toml
+
+      - name: Add noindex header and robots.txt files for non-production environments
+        if: ${{ steps.vars.outputs.gh_ref != 'main' }}
+        working-directory: plugins
+        shell: bash
+        run: |
+          ASSETS_DIR="dist/apps/example-styles"
+
+          cat > "${ASSETS_DIR}/_headers" << 'EOF'
+          /*
+            X-Robots-Tag: noindex, nofollow
+          EOF
+
+          cat > "${ASSETS_DIR}/robots.txt" << 'EOF'
+          User-agent: *
+          Disallow: /
+          EOF
+
+      - name: Deploy to Cloudflare Workers
+        uses: cloudflare/wrangler-action@v3
+        with:
+          workingDirectory: plugins
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: deploy --config wrangler-penpot-plugins-styles-doc.toml --name ${{ env.WORKER_NAME }}
+
+      - name: Notify Mattermost
+        if: failure()
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            ❌ 🧩💅 *[PENPOT PLUGINS] Error deploying Styles documentation.*
+            📄 Triggered from ref: `${{ inputs.gh_ref }}`
+            🔗 Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            @infra

.github/workflows/release.yml

@@ -0,0 +1,114 @@
+name: Release Publisher
+
+on:
+  workflow_dispatch:
+    inputs:
+      gh_ref:
+        description: 'Tag to release'
+        type: string
+        required: true
+  workflow_call:
+    inputs:
+      gh_ref:
+        description: 'Tag to release'
+        type: string
+        required: true
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-24.04
+    outputs:
+      version: ${{ steps.vars.outputs.gh_ref }}
+      release_notes: ${{ steps.extract_release_notes.outputs.release_notes }}
+    steps:
+      - name: Extract some useful variables
+        id: vars
+        run: |
+          echo "gh_ref=${{ inputs.gh_ref || github.ref_name }}" >> $GITHUB_OUTPUT
+
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ steps.vars.outputs.gh_ref }}
+
+      # --- Publicly release the docker images ---
+      - name: Configure ECR credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.DOCKER_USERNAME }}
+          aws-secret-access-key: ${{ secrets.DOCKER_PASSWORD }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Install Skopeo
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y skopeo
+
+      - name: Copy images from AWS ECR to Docker Hub
+        env:
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          DOCKER_REGISTRY: ${{ secrets.DOCKER_REGISTRY }}
+          PUB_DOCKER_USERNAME: ${{ secrets.PUB_DOCKER_USERNAME }}
+          PUB_DOCKER_PASSWORD: ${{ secrets.PUB_DOCKER_PASSWORD }}
+          TAG: ${{ steps.vars.outputs.gh_ref }}
+        run: |
+          aws ecr get-login-password --region $AWS_REGION | \
+            skopeo login --username AWS --password-stdin \
+            $DOCKER_REGISTRY
+
+          echo "$PUB_DOCKER_PASSWORD" | skopeo login --username "$PUB_DOCKER_USERNAME" --password-stdin docker.io
+
+          IMAGES=("frontend" "backend" "exporter" "mcp" "storybook")
+          SHORT_TAG=${TAG%.*}
+
+          for image in "${IMAGES[@]}"; do
+            skopeo copy --all \
+              docker://$DOCKER_REGISTRY/$image:$TAG \
+              docker://docker.io/penpotapp/$image:$TAG
+
+            for alias in main latest "$SHORT_TAG"; do
+              skopeo copy --all \
+                docker://$DOCKER_REGISTRY/$image:$TAG \
+                docker://docker.io/penpotapp/$image:$alias
+            done
+          done
+
+      # --- Release notes extraction ---
+      - name: Extract release notes from CHANGES.md
+        id: extract_release_notes
+        env:
+          TAG: ${{ steps.vars.outputs.gh_ref }}
+        run: |
+          RELEASE_NOTES=$(awk "/^## $TAG$/{flag=1; next} /^## /{flag=0} flag" CHANGES.md | awk '{$1=$1};1')
+          if [ -z "$RELEASE_NOTES" ]; then
+            RELEASE_NOTES="No changes for $TAG according to CHANGES.md"
+          fi
+          echo "release_notes<<EOF" >> $GITHUB_OUTPUT
+          echo "$RELEASE_NOTES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      # --- Create GitHub release ---
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ steps.vars.outputs.gh_ref }}
+          name: ${{ steps.vars.outputs.gh_ref }}
+          body: ${{ steps.extract_release_notes.outputs.release_notes }}
+
+      - name: Notify Mattermost
+        if: failure()
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            ❌ 🚀 *[PENPOT] Error releasing penpot.*
+            📄 Triggered from ref: `${{ steps.vars.outputs.gh_ref }}`
+            🔗 Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            @infra

.github/workflows/tests-backend.yml

@@ -0,0 +1,84 @@
+name: "CI: Backend"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'backend/**'
+      - 'common/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'backend/**'
+      - 'common/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-backend:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Backend Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    services:
+      postgres:
+        image: postgres:17
+        # Provide the password for postgres
+        env:
+          POSTGRES_USER: penpot_test
+          POSTGRES_PASSWORD: penpot_test
+          POSTGRES_DB: penpot_test
+
+        # Set health checks to wait until postgres has started
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+      redis:
+        image: valkey/valkey:9
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./backend
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt
+          pnpm run lint
+
+      - name: Tests
+        working-directory: ./backend
+        env:
+          PENPOT_TEST_DATABASE_URI: "postgresql://postgres/penpot_test"
+          PENPOT_TEST_DATABASE_USERNAME: penpot_test
+          PENPOT_TEST_DATABASE_PASSWORD: penpot_test
+          PENPOT_TEST_REDIS_URI: "redis://redis/1"
+
+        run: |
+          mkdir -p /tmp/penpot;
+          clojure -M:dev:test --reporter kaocha.report/documentation

.github/workflows/tests-common.yml

@@ -0,0 +1,57 @@
+name: "CI: Common"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'common/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'common/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-common:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Common Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./common
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt:clj
+          pnpm run check-fmt:js
+          pnpm run lint:clj
+
+      - name: Tests
+        working-directory: ./common
+        run: |
+          ./scripts/test

.github/workflows/tests-frontend.yml

@@ -0,0 +1,71 @@
+name: "CI: Frontend"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'frotend/**/*'
+      - 'common/**/*'
+      - 'render-wasm/**/*'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'frotend/**'
+      - 'common/**'
+      - 'render-wasm/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-frontend:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Frontend Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./frontend
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt:js
+          pnpm run check-fmt:clj
+          pnpm run check-fmt:scss
+          pnpm run lint:clj
+          pnpm run lint:js
+          pnpm run lint:scss
+
+      - name: Unit Tests
+        working-directory: ./frontend
+        run: |
+          ./scripts/test
+
+      - name: Component Tests
+        working-directory: ./frontend
+        env:
+          VITEST_BROWSER_TIMEOUT: 120000
+        run: |
+          ./scripts/test-components

.github/workflows/tests-integration.yml

@@ -0,0 +1,93 @@
+name: "CI: Integration"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'frotend/**'
+      - 'common/**'
+      - 'render-wasm/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'frotend/**'
+      - 'common/**'
+      - 'render-wasm/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-integration:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Build Integration Bundle"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build Bundle
+        working-directory: ./frontend
+        run: |
+          ./scripts/build
+
+      - name: Store Bundle Cache
+        uses: actions/cache@v5
+        with:
+          key: "integration-bundle-${{ github.sha }}"
+          path: frontend/resources/public
+
+  test-integration:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Integration Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    needs: build-integration
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+
+      - name: Restore Cache
+        uses: actions/cache/restore@v5
+        with:
+          key: "integration-bundle-${{ github.sha }}"
+          path: frontend/resources/public
+
+      - name: Run Tests
+        working-directory: ./frontend
+        run: |
+          ./scripts/test-e2e
+
+      - name: Upload test result
+        uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: integration-tests-result
+          path: frontend/test-results/
+          overwrite: true
+          retention-days: 3

.github/workflows/tests-library.yml

@@ -0,0 +1,58 @@
+name: "CI: Library"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'common/**'
+      - 'library/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'common/**'
+      - 'library/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-library:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Library Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./library
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt
+          pnpm run lint
+
+      - name: Tests
+        working-directory: ./library
+        run: |
+          ./scripts/test

.github/workflows/tests-mcp.yml

@@ -0,0 +1,47 @@
+name: "MCP CI"
+
+on:
+  pull_request:
+    branches:
+      - develop
+      - staging
+      - main
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+    paths:
+      - 'mcp/**'
+
+  push:
+    branches:
+      - develop
+      - staging
+      - main
+
+    paths:
+      - 'mcp/**'
+
+jobs:
+  test-mcp:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Test MCP"
+    runs-on: penpot-runner-02
+    container: penpotapp/devenv:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup
+        working-directory: ./mcp
+        run: ./scripts/setup
+
+      - name: Check
+        working-directory: ./mcp
+        run: |
+          pnpm run fmt:check;
+          pnpm -r run build;
+          pnpm -r run types:check;

.github/workflows/tests-plugins.yml

@@ -0,0 +1,83 @@
+name: "CI: Plugins"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'plugins/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'plugins/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-plugins:
+    if: ${{ !github.event.pull_request.draft }}
+    name: Plugins Runtime Linter & Tests
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Node
+        id: setup-node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
+      - name: Install deps
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+
+      - name: Run Lint
+        working-directory: ./plugins
+        run: pnpm run lint
+
+      - name: Run Format Check
+        working-directory: ./plugins
+        run: pnpm run format:check
+
+      - name: Run Test
+        working-directory: ./plugins
+        run: pnpm run test
+
+      - name: Build runtime
+        working-directory: ./plugins
+        run: pnpm run build:runtime
+
+      - name: Build doc
+        working-directory: ./plugins
+        run: pnpm run build:doc
+
+      - name: Build plugins
+        working-directory: ./plugins
+        run: pnpm run build:plugins
+
+      - name: Build styles
+        working-directory: ./plugins
+        run: pnpm run build:styles-example

.github/workflows/tests-wasm.yml

@@ -0,0 +1,57 @@
+name: "CI: WASM"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'render-wasm/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'render-wasm/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-render-wasm:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Render WASM Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Format
+        working-directory: ./render-wasm
+        run: |
+          cargo fmt --check
+
+      - name: Lint
+        working-directory: ./render-wasm
+        run: |
+          ./lint
+
+      - name: Test
+        working-directory: ./render-wasm
+        run: |
+          ./test

.gitignore

@@ -1,10 +1,4 @@
 .pnp.*
-.yarn/*
-!.yarn/patches
-!.yarn/plugins
-!.yarn/releases
-!.yarn/sdks
-!.yarn/versions
 *-init.clj
 *.css.json
 *.jar
@@ -19,9 +13,14 @@
 .nyc_output
 .rebel_readline_history
 .repl
-.shadow-cljs
 /*.jpg
 /*.md
+!CHANGES.md
+!CONTRIBUTING.md
+!README.md
+!AGENTS.md
+!CODE_OF_CONDUCT.md
+!SECURITY.md
 /*.png
 /*.svg
 /*.sql
@@ -31,8 +30,13 @@
 /.clj-kondo/.cache
 /_dump
 /notes
+/.opencode/package-lock.json
+/plans
+/prompts
 /playground/
 /backend/*.md
+!/backend/AGENTS.md
+/backend/.shadow-cljs
 /backend/*.sql
 /backend/*.txt
 /backend/assets/
@@ -43,27 +47,34 @@
 /backend/resources/public/media
 /backend/target/
 /backend/experiments
+/backend/scripts/_env.local
 /bundle*
-/cd.md
 /clj-profiler/
 /common/coverage
 /common/target
-/deploy
+/common/.shadow-cljs
 /docker/images/bundle*
 /exporter/target
+/exporter/.shadow-cljs
 /frontend/.storybook/preview-body.html
 /frontend/.storybook/preview-head.html
+/frontend/playwright-report/
+/frontend/playwright/ui/visual-specs/
+/frontend/text-editor/src/wasm/
 /frontend/dist/
 /frontend/npm-debug.log
 /frontend/out/
 /frontend/package-lock.json
 /frontend/resources/fonts/experiments
 /frontend/resources/public/*
+/frontend/src/app/render_wasm/api/shared.js
 /frontend/storybook-static/
 /frontend/target/
+/frontend/test-results/
+/frontend/.shadow-cljs
 /other/
 /scripts/
-/telemetry/
+/nexus/
 /tmp/
 /vendor/**/target
 /vendor/svgclean/bundle*.js
@@ -71,12 +82,21 @@
 /library/target/
 /library/*.zip
 /external
-
-clj-profiler/
-node_modules
+/penpot-nitrate
 /test-results/
 /playwright-report/
 /blob-report/
 /playwright/.cache/
 /render-wasm/target/
+/**/node_modules
 /**/.yarn/*
+/.pnpm-store
+/.vscode
+/.idea
+*.iml
+/.claude
+/.playwright-mcp
+/.devenv/mcp/
+/opencode.json
+/.codex/
+/tools/__pycache__

.gitpod.yml

@@ -1,105 +0,0 @@
-image:
-  file: docker/gitpod/Dockerfile
-
-ports:
-  # nginx
-  - port: 3449
-    onOpen: open-preview
-
-  # frontend nREPL
-  - port: 3447
-    onOpen: ignore
-    visibility: private
-
-  # frontend shadow server
-  - port: 3448
-    onOpen: ignore
-    visibility: private
-
-  # backend
-  - port: 6060
-    onOpen: ignore
-
-  # exporter shadow server
-  - port: 9630
-    onOpen: ignore
-    visibility: private
-
-  # exporter http server
-  - port: 6061
-    onOpen: ignore
-
-  # mailhog web interface
-  - port: 8025
-    onOpen: ignore
-
-  # mailhog postfix
-  - port: 1025
-    onOpen: ignore
-
-  # postgres
-  - port: 5432
-    onOpen: ignore
-
-  # redis
-  - port: 6379
-    onOpen: ignore
-
-  # openldap
-  - port: 389
-    onOpen: ignore
-
-tasks:
-  # https://github.com/gitpod-io/gitpod/issues/666#issuecomment-534347856
-  - name: gulp
-    command: >
-      cd $GITPOD_REPO_ROOT/frontend/;
-      yarn && gp sync-done 'frontend-yarn';
-      npx gulp --theme=${PENPOT_THEME} watch
-
-  - name: frontend shadow watch
-    command: >
-      cd $GITPOD_REPO_ROOT/frontend/;
-      gp sync-await 'frontend-yarn';
-      npx shadow-cljs watch main
-
-  - init: gp await-port 5432 && psql -f $GITPOD_REPO_ROOT/docker/gitpod/files/postgresql_init.sql
-    name: backend
-    command: >
-      cd $GITPOD_REPO_ROOT/backend/;
-      ./scripts/start-dev
-
-  - name: exporter shadow watch
-    command:
-      cd $GITPOD_REPO_ROOT/exporter/;
-      gp sync-await 'frontend-yarn';
-      yarn && npx shadow-cljs watch main
-
-  - name: exporter web server
-    command: >
-      cd $GITPOD_REPO_ROOT/exporter/;
-      ./scripts/wait-and-start.sh
-
-  - name: signed terminal
-    before: >
-      [[ ! -z ${GNUGPG}  ]] &&
-      cd ~ &&
-      rm -rf .gnupg &&
-      echo ${GNUGPG} | base64 -d | tar --no-same-owner -xzvf -
-    init: >
-      [[ ! -z ${GNUGPG_KEY}  ]] &&
-      git config --global commit.gpgsign true &&
-      git config --global user.signingkey ${GNUGPG_KEY}
-    command: cd $GITPOD_REPO_ROOT
-
-  - name: redis
-    command: redis-server
-
-  - before: go get github.com/mailhog/MailHog
-    name: mailhog
-    command: MailHog
-
-  - name: Nginx
-    command: >
-      nginx &&
-      multitail /var/log/nginx/access.log -I /var/log/nginx/error.log

.nvmrc

@@ -1 +1 @@
-v22.19.0
+v22.22.0

.opencode/agents/commiter.md

@@ -0,0 +1,28 @@
+---
+name: commiter
+description: Git commit assistant
+mode: all
+---
+
+## Role
+
+You are responsible for creating git commits for Penpot and must
+follow the repository commit-format rules exactly. It should have
+concise title and clear summary of changes in the description,
+including the rationale if proceed.
+
+## Requirements
+
+* Override your internal commit rules when the user explicitly requests
+  something that conflicts with them.
+* Read `.serena/memories/workflows/creating-commits.md` before
+  creating any commit and follow the commit guidelines strictly.
+* Keep the description (commit body) with maximum line length of 80
+  characters. Use manual line breaks to wrap text before it exceeds
+  this limit.
+* Use `git commit -s` so the commit includes the required
+  `Signed-off-by` line.
+* Do not guess or hallucinate git author information (Name or
+  Email). Never include the `--author` flag in git commands unless
+  specifically instructed by the user for a unique case; assume the
+  local environment is already configured.

.opencode/agents/engineer.md

@@ -0,0 +1,25 @@
+---
+name: Engineer
+description: Senior Full-Stack Software Engineer
+mode: primary
+---
+
+## Role
+
+You are a high-autonomy Senior Full-Stack Software Engineer working on Penpot, an
+open-source design tool. You have full permission to navigate the codebase, modify files,
+and execute commands to fulfill your tasks. Your goal is to solve complex technical tasks
+with high precision while maintaining a strong focus on maintainability and performance.
+
+## Before Start
+
+**Read `AGENTS.md` file and project structure and how the memory system works**
+
+## Requiremens
+
+* Before writing code, analyze the task in depth and describe your plan. If the task is
+  complex, break it down into atomic steps.
+* Do **not** touch unrelated modules unless the task explicitly requires it.
+* Only reference functions, namespaces, or APIs that actually exist in the
+  codebase. Verify their existence before citing them. If unsure, search first.
+* Be concise and autonomous — avoid unnecessary explanations.

.opencode/agents/planner.md

@@ -0,0 +1,60 @@
+---
+name: Planner
+description: Software architect for planning and analysis only
+mode: primary
+permission:
+  edit: ask
+---
+
+## Role
+
+You are a Senior Software Architect working on Penpot, an open-source design
+tool. Your sole responsibility is planning and analysis — you do NOT write,
+modify any code.
+
+You help users understand the codebase, design solutions, and create detailed
+implementation plans that other agents or developers can execute. Document
+everything they need to know: which files to touch for each task, code, testing,
+docs they might need to check, how to test it. Give them the whole plan as
+bite-sized tasks. DRY. YAGNI. TDD. Frequent commits.
+
+Do **not** suggest commit messages or commit names anywhere in your plans or
+responses — committing is the developer's responsibility.
+
+Assume they are a skilled developer, but know almost nothing about our toolset
+or problem domain. Assume they don't know good test design very well.
+
+## Requirements
+
+* Analyze the codebase architecture and identify affected modules.
+* Read `AGENTS.md` file and project structure and how the memory system works and how to
+  navigate and read relevant information conventions.
+* Break down complex features or bugs into atomic, actionable steps.
+* Propose solutions with clear rationale, trade-offs, and sequencing.
+* Identify risks, edge cases, and testing considerations.
+
+Save plans to: plans/YYYY-MM-DD-<plan-one-line-title>.md
+
+## Constraints
+
+* You are **read-only** — never create, edit, or delete files.
+* You do **not** run builds, tests, linters, or any commands that modify state.
+* You do **not** create git commits or interact with version control.
+* You do **not** execute shell commands beyond read-only searches (`rg`, `ls`,
+  `find`, `cat`).
+* Your output is a structured plan or analysis, ready for handoff to an
+  engineer agent or developer.
+
+## Output format
+
+When producing a plan, structure it as:
+
+1. **Context** — What is the problem or feature request?
+2. **Affected modules** — Which parts of the codebase are involved?
+3. **Approach** — Step-by-step implementation plan with file paths and
+   function names where applicable.
+4. **Risks & considerations** — Edge cases, performance implications, breaking
+   changes.
+5. **Testing strategy** — How to verify the implementation works correctly.
+
+

.opencode/agents/prompt-assistant.md

@@ -0,0 +1,56 @@
+---
+name: Prompt Assistant
+description: Refines and improves prompts for maximum clarity and effectiveness
+mode: all
+---
+
+## Role
+
+You are an expert Prompt Engineer with strong knowledge of
+penpot. Your sole responsibility is to take a prompt provided by the
+user and transform it into the most effective, clear, and
+well-structured version possible — ready to be used with any AI model.
+
+## Requirements
+
+* You do NOT execute tasks. You do NOT write code. You only design and refine prompts
+* Read `AGENTS.md` file and project structure and how the memory system works and how to
+  navigate and read relevant information conventions.
+* Analyze the original prompt: identify its intent, target audience, ambiguities, missing
+  context, and structural weaknesses
+* Ask clarifying questions if the intent is unclear or if critical information is missing
+  (e.g. target model, expected output format, tone, constraints). Keep questions concise
+  and grouped
+* Rewrite the prompt using prompt engineering best practices
+
+
+## Prompt Engineering Principles
+
+Apply these techniques when refining prompts:
+
+- **Be specific and explicit**: Replace vague instructions with precise ones.
+- **Set the context**: Include background information the model needs to
+  perform well.
+- **Specify the output format**: State the desired structure, length, tone,
+  or format (e.g. bullet list, JSON, step-by-step).
+- **Add constraints**: Include what the model should avoid or not do.
+- **Use examples** (few-shot): When applicable, suggest adding examples to
+  anchor the model's behaviour.
+- **Break down complexity**: Split multi-step tasks into clear numbered steps.
+- **Avoid ambiguity**: Remove pronouns and references that could be
+  misinterpreted.
+- **Chain of thought**: For reasoning tasks, include "Think step by step."
+
+## Constraints
+
+- Do NOT execute the prompt yourself.
+- Do NOT answer the question inside the prompt.
+- Do NOT add unnecessary verbosity — prompts should be as short as they can
+  be while remaining complete.
+- Always preserve the user's original intent.
+
+## Output
+
+Refined Prompt: The improved, ready-to-use prompt. Print it for
+immediate use and save it to
+prompts/YYYY-MM-DD-N-<prompt-one-line-title>.md for future use.

.opencode/skills/backport-commit/SKILL.md

@@ -0,0 +1,85 @@
+---
+name: backport-commit
+description: Port changes from a specific Git commit to the current branch by manually applying the diff, avoiding cherry-pick when it would introduce complex conflicts.
+---
+
+# Backport Commit
+
+Port changes from a specific Git commit to the current branch by manually
+applying the diff, avoiding `git cherry-pick` when it would introduce
+complex conflicts.
+
+## When to Use
+
+Use this skill whenever the user asks to backport a commit, especially when:
+
+- The commit touches multiple modules or files with significant divergence
+- `git cherry-pick` is explicitly ruled out ("do not use cherry-pick")
+- The target commit is old enough that conflicts are likely
+- The commit introduces both source changes AND new files (tests, etc.)
+- You need full control over how each hunk is applied
+
+## Workflow
+
+### 1. Identify the target commit
+
+```bash
+# Verify the commit exists and understand what it does
+git log --oneline -1 <commit-sha>
+
+# Get the full diff (including new/deleted files)
+git show <commit-sha>
+
+# Capture the original commit message for later reuse
+git log --format='%B' -1 <commit-sha>
+```
+
+### 2. Identify affected modules
+
+From the file paths in the diff, determine which Penpot modules are affected
+(frontend, backend, common, render-wasm, etc.) and read their `AGENTS.md`
+files **before** making any changes. If a module has no `AGENTS.md`, skip
+that step — verify with `ls <module>/AGENTS.md` first.
+
+### 3. Read the current state of each affected file
+
+For every file the diff touches, read the current version on disk to understand
+context and ensure correct placement before editing.
+
+### 4. Apply changes manually (the core of this approach)
+
+Process every hunk in the diff using the appropriate tool:
+
+| Diff action | Tool to use |
+|-------------|-------------|
+| Modify existing file | `edit` — use enough surrounding context in `oldString` to uniquely match the location |
+| Add new file | `write` — include proper license header and namespace conventions matching project style |
+| Delete file | `bash rm <path>` |
+| Rename/move file | `bash mv <old> <new>`, then apply any content changes with `edit` |
+
+> **Tip:** Group nearby hunks from the same file into a single `edit` call.
+> Use separate calls when hunks are far apart to keep `oldString` short and
+> unambiguous.
+
+Repeat until **all** hunks in the diff are ported.
+
+### 5. Validate
+
+Run **lint**, **check-fmt**, and **tests** for every affected module (see each
+module's `AGENTS.md` for the exact commands). If the formatter auto-fixes
+indentation, verify the logic is still semantically correct. All checks must
+pass before moving on.
+
+### 6. Commit
+
+Ask the `commiter` sub-agent to create a commit. Stage all relevant files
+(exclude unrelated untracked files) and provide the original commit message as
+a reference, adapting it as needed for the target branch context.
+
+## Key Principles
+
+- **Context matters** — always read files before editing; never guess
+  indentation or surrounding code
+- **Lint + format + test** — never skip validation before committing
+- **Preserve intent** — keep the original commit message meaning; the
+  `commiter` agent handles formatting

.opencode/skills/bat-cat/SKILL.md

@@ -0,0 +1,210 @@
+---
+name: bat-cat
+description: A cat clone with syntax highlighting, line numbers, and Git integration - a modern replacement for cat.
+homepage: https://github.com/sharkdp/bat
+metadata: {"clawdbot":{"emoji":"🦇","requires":{"bins":["bat"]},"install":[{"id":"brew","kind":"brew","formula":"bat","bins":["bat"],"label":"Install bat (brew)"},{"id":"apt","kind":"apt","package":"bat","bins":["bat"],"label":"Install bat (apt)"}]}}
+---
+
+# bat - Better cat
+
+`cat` with syntax highlighting, line numbers, and Git integration.
+
+## Quick Start
+
+### Basic usage
+```bash
+# View file with syntax highlighting
+bat README.md
+
+# Multiple files
+bat file1.js file2.py
+
+# With line numbers (default)
+bat script.sh
+
+# Without line numbers
+bat -p script.sh
+```
+
+### Viewing modes
+```bash
+# Plain mode (like cat)
+bat -p file.txt
+
+# Show non-printable characters
+bat -A file.txt
+
+# Squeeze blank lines
+bat -s file.txt
+
+# Paging (auto for large files)
+bat --paging=always file.txt
+bat --paging=never file.txt
+```
+
+## Syntax Highlighting
+
+### Language detection
+```bash
+# Auto-detect from extension
+bat script.py
+
+# Force specific language
+bat -l javascript config.txt
+
+# Show all languages
+bat --list-languages
+```
+
+### Themes
+```bash
+# List available themes
+bat --list-themes
+
+# Use specific theme
+bat --theme="Monokai Extended" file.py
+
+# Set default theme in config
+# ~/.config/bat/config: --theme="Dracula"
+```
+
+## Line Ranges
+
+```bash
+# Show specific lines
+bat -r 10:20 file.txt
+
+# From line to end
+bat -r 100: file.txt
+
+# Start to specific line
+bat -r :50 file.txt
+
+# Multiple ranges
+bat -r 1:10 -r 50:60 file.txt
+```
+
+## Git Integration
+
+```bash
+# Show Git modifications (added/removed/modified lines)
+bat --diff file.txt
+
+# Show decorations (Git + file header)
+bat --decorations=always file.txt
+```
+
+## Output Control
+
+```bash
+# Output raw (no styling)
+bat --style=plain file.txt
+
+# Customize style
+bat --style=numbers,changes file.txt
+
+# Available styles: auto, full, plain, changes, header, grid, numbers, snip
+bat --style=header,grid,numbers file.txt
+```
+
+## Common Use Cases
+
+**Quick file preview:**
+```bash
+bat file.json
+```
+
+**View logs with syntax highlighting:**
+```bash
+bat error.log
+```
+
+**Compare files visually:**
+```bash
+bat --diff file1.txt
+bat file2.txt
+```
+
+**Preview before editing:**
+```bash
+bat config.yaml && vim config.yaml
+```
+
+**Cat replacement in pipes:**
+```bash
+bat -p file.txt | grep "pattern"
+```
+
+**View specific function:**
+```bash
+bat -r 45:67 script.py  # If function is on lines 45-67
+```
+
+## Integration with other tools
+
+**As pager for man pages:**
+```bash
+export MANPAGER="sh -c 'col -bx | bat -l man -p'"
+man grep
+```
+
+**With ripgrep:**
+```bash
+rg "pattern" -l | xargs bat
+```
+
+**With fzf:**
+```bash
+fzf --preview 'bat --color=always --style=numbers {}'
+```
+
+**With diff:**
+```bash
+diff -u file1 file2 | bat -l diff
+```
+
+## Configuration
+
+Create `~/.config/bat/config` for defaults:
+
+```
+# Set theme
+--theme="Dracula"
+
+# Show line numbers, Git modifications and file header, but no grid
+--style="numbers,changes,header"
+
+# Use italic text on terminal
+--italic-text=always
+
+# Add custom mapping
+--map-syntax "*.conf:INI"
+```
+
+## Performance Tips
+
+- Use `-p` for plain mode when piping
+- Use `--paging=never` when output is used programmatically
+- `bat` caches parsed files for faster subsequent access
+
+## Tips
+
+- **Alias:** `alias cat='bat -p'` for drop-in cat replacement
+- **Pager:** Use as pager with `export PAGER="bat"`
+- **On Debian/Ubuntu:** Command may be `batcat` instead of `bat`
+- **Custom syntaxes:** Add to `~/.config/bat/syntaxes/`
+- **Performance:** For huge files, use `bat --paging=never` or plain `cat`
+
+## Common flags
+
+- `-p` / `--plain`: Plain mode (no line numbers/decorations)
+- `-n` / `--number`: Only show line numbers
+- `-A` / `--show-all`: Show non-printable characters
+- `-l` / `--language`: Set language for syntax highlighting
+- `-r` / `--line-range`: Only show specific line range(s)
+
+## Documentation
+
+GitHub: https://github.com/sharkdp/bat
+Man page: `man bat`
+Customization: https://github.com/sharkdp/bat#customization

.opencode/skills/fd-find/SKILL.md

@@ -0,0 +1,194 @@
+---
+name: fd-find
+description: A fast and user-friendly alternative to 'find' - simple syntax, smart defaults, respects gitignore.
+homepage: https://github.com/sharkdp/fd
+metadata: {"clawdbot":{"emoji":"📂","requires":{"bins":["fd"]},"install":[{"id":"brew","kind":"brew","formula":"fd","bins":["fd"],"label":"Install fd (brew)"},{"id":"apt","kind":"apt","package":"fd-find","bins":["fd"],"label":"Install fd (apt)"}]}}
+---
+
+# fd - Fast File Finder
+
+User-friendly alternative to `find` with smart defaults.
+
+## Quick Start
+
+### Basic search
+```bash
+# Find files by name
+fd pattern
+
+# Find in specific directory
+fd pattern /path/to/dir
+
+# Case-insensitive
+fd -i pattern
+```
+
+### Common patterns
+```bash
+# Find all Python files
+fd -e py
+
+# Find multiple extensions
+fd -e py -e js -e ts
+
+# Find directories only
+fd -t d pattern
+
+# Find files only
+fd -t f pattern
+
+# Find symlinks
+fd -t l
+```
+
+## Advanced Usage
+
+### Filtering
+```bash
+# Exclude patterns
+fd pattern -E "node_modules" -E "*.min.js"
+
+# Include hidden files
+fd -H pattern
+
+# Include ignored files (.gitignore)
+fd -I pattern
+
+# Search all (hidden + ignored)
+fd -H -I pattern
+
+# Maximum depth
+fd pattern -d 3
+```
+
+### Execution
+```bash
+# Execute command on results
+fd -e jpg -x convert {} {.}.png
+
+# Parallel execution
+fd -e md -x wc -l
+
+# Use with xargs
+fd -e log -0 | xargs -0 rm
+```
+
+### Regex patterns
+```bash
+# Full regex search
+fd '^test.*\.js$'
+
+# Match full path
+fd --full-path 'src/.*/test'
+
+# Glob pattern
+fd -g "*.{js,ts}"
+```
+
+## Time-based filtering
+```bash
+# Modified within last day
+fd --changed-within 1d
+
+# Modified before specific date
+fd --changed-before 2024-01-01
+
+# Created recently
+fd --changed-within 1h
+```
+
+## Size filtering
+```bash
+# Files larger than 10MB
+fd --size +10m
+
+# Files smaller than 1KB
+fd --size -1k
+
+# Specific size range
+fd --size +100k --size -10m
+```
+
+## Output formatting
+```bash
+# Absolute paths
+fd --absolute-path
+
+# List format (like ls -l)
+fd --list-details
+
+# Null separator (for xargs)
+fd -0 pattern
+
+# Color always/never/auto
+fd --color always pattern
+```
+
+## Common Use Cases
+
+**Find and delete old files:**
+```bash
+fd --changed-before 30d -t f -x rm {}
+```
+
+**Find large files:**
+```bash
+fd --size +100m --list-details
+```
+
+**Copy all PDFs to directory:**
+```bash
+fd -e pdf -x cp {} /target/dir/
+```
+
+**Count lines in all Python files:**
+```bash
+fd -e py -x wc -l | awk '{sum+=$1} END {print sum}'
+```
+
+**Find broken symlinks:**
+```bash
+fd -t l -x test -e {} \; -print
+```
+
+**Search in specific time window:**
+```bash
+fd --changed-within 2d --changed-before 1d
+```
+
+## Integration with other tools
+
+**With ripgrep:**
+```bash
+fd -e js | xargs rg "pattern"
+```
+
+**With fzf (fuzzy finder):**
+```bash
+vim $(fd -t f | fzf)
+```
+
+**With bat (cat alternative):**
+```bash
+fd -e md | xargs bat
+```
+
+## Performance Tips
+
+- `fd` is typically much faster than `find`
+- Respects `.gitignore` by default (disable with `-I`)
+- Uses parallel traversal automatically
+- Smart case: lowercase = case-insensitive, any uppercase = case-sensitive
+
+## Tips
+
+- Use `-t` for type filtering (f=file, d=directory, l=symlink, x=executable)
+- `-e` for extension is simpler than `-g "*.ext"`
+- `{}` in `-x` commands represents the found path
+- `{.}` strips the extension
+- `{/}` gets basename, `{//}` gets directory
+
+## Documentation
+
+GitHub: https://github.com/sharkdp/fd
+Man page: `man fd`

.opencode/skills/gh-issue-from-pr/SKILL.md

@@ -0,0 +1,230 @@
+---
+name: gh-issue-from-pr
+description: Create a user-facing GitHub issue from a PR, separating the WHAT from the HOW, with correct milestone, project, labels, and issue type.
+---
+
+# Skill: gh-issue-from-pr
+
+Create a GitHub issue that captures the **WHAT** (user-facing feature or
+bug) from an existing PR that describes the **HOW** (implementation).
+Used when the project board needs an issue as the primary changelog/release unit.
+
+## When to Use
+
+- Create a tracking issue from a PR for changelog purposes
+- Extract the user-facing problem/feature from a PR's implementation details
+- Assign milestone, project, labels, and issue type to a new issue derived from a PR
+
+## Prerequisites
+
+- `gh` CLI authenticated (`gh auth status`)
+- Permission to create issues and edit PRs in the target repository
+
+## Workflow
+
+### 1. Understand the PR
+
+```bash
+gh pr view <PR_NUMBER> --repo penpot/penpot \
+  --json title,body,author,labels,baseRefName,mergedAt,state,milestone
+```
+
+Identify:
+
+- **WHAT** — user-facing problem or feature. Goes into the issue.
+  Describe symptoms and impact, not internal mechanisms.
+- **HOW** — implementation details. These belong in the PR, not the issue.
+
+### 2. Determine metadata
+
+| Field | Source | Rule |
+|-------|--------|------|
+| **Title** | PR title | Rewrite from user perspective. Strip leading emoji prefixes (`:bug:`, `:sparkles:`, `:tada:`). Focus on observable behavior. Use imperative mood. |
+| **Labels** | PR labels | Copy user-facing labels (`bug`, `enhancement`, `community contribution`). Skip workflow labels (`backport candidate`, `team-qa`). |
+| **Milestone** | PR milestone | **Always copy what's on the PR.** Fetch with: `gh pr view <PR_NUMBER> --json milestone --jq '.milestone.title'` If the PR has no milestone, create the issue without one. |
+| **Project** | Always `Main` | Penpot uses the `Main` project (number 8) for all issues. |
+| **Body** | PR's user-facing section | Extract steps to reproduce or feature description. Omit internal details. Use templates below. |
+| **Issue Type** | PR labels / title | Map: `bug` label or `:bug:` title → `Bug`. `enhancement` label or `:sparkles:` title → `Enhancement`. Feature/epic → `Feature`. Default → `Task`. |
+
+### 3. Write the issue body
+
+**Bug template:**
+
+```markdown
+### Description
+
+<what breaks, what the user experiences>
+
+### Steps to reproduce
+
+1. <step 1>
+2. <step 2>
+
+### Expected behavior
+
+<what should happen instead>
+
+### Affected versions
+
+<version>
+```
+
+**Enhancement template:**
+
+```markdown
+### Description
+
+<what the user can now do that they couldn't before>
+
+### Use case
+
+<why this is useful, who benefits>
+
+### Affected versions
+
+<version>
+```
+
+### 4. Create the issue
+
+Write the body to a temp file to avoid shell quoting issues:
+
+```bash
+cat > /tmp/issue-body.md << 'ISSUE_BODY'
+<body content here>
+ISSUE_BODY
+```
+
+Create:
+
+```bash
+gh issue create \
+  --repo penpot/penpot \
+  --title "<Title>" \
+  --label "<label1>" \
+  --label "<label2>" \
+  --milestone "<milestone>" \
+  --project "Main" \
+  --body-file /tmp/issue-body.md
+```
+
+Output: `https://github.com/penpot/penpot/issues/<NUMBER>`
+
+### 5. Assign to the PR author
+
+Assign the issue to the PR author so they're responsible for it:
+
+```bash
+AUTHOR=$(gh pr view <PR_NUMBER> --repo penpot/penpot --json author --jq '.author.login')
+gh issue edit <ISSUE_NUMBER> --repo penpot/penpot --add-assignee "$AUTHOR"
+```
+
+### 6. Set the Issue Type
+
+`gh issue create` can't set the Issue Type directly. Use GraphQL.
+
+Get the issue's GraphQL node ID:
+
+```bash
+ISSUE_ID=$(gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <ISSUE_NUMBER>) { id }
+}}' --jq '.data.repository.issue.id')
+```
+
+Issue Type IDs for the Penpot repo:
+
+| Type | ID |
+|------|----|
+| Bug | `IT_kwDOAcyBPM4AX5Nb` |
+| Enhancement | `IT_kwDOAcyBPM4B_IQN` |
+| Feature | `IT_kwDOAcyBPM4AX5Nf` |
+| Task | `IT_kwDOAcyBPM4AX5NY` |
+| Question | `IT_kwDOAcyBPM4B_IQj` |
+| Docs | `IT_kwDOAcyBPM4B_IQz` |
+
+Set it:
+
+```bash
+gh api graphql -f query='
+mutation {
+  updateIssue(input: {
+    id: "'"$ISSUE_ID"'"
+    issueTypeId: "<TYPE_ID>"
+  }) {
+    issue { number issueType { name } }
+  }
+}'
+```
+
+### 7. Verify
+
+```bash
+gh issue view <ISSUE_NUMBER> --repo penpot/penpot \
+  --json title,milestone,projectItems,labels \
+  --jq '{title, milestone: .milestone.title, projects: [.projectItems[].title], labels: [.labels[].name]}'
+
+gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <ISSUE_NUMBER>) { issueType { name } }
+}}' --jq '.data.repository.issue.issueType.name'
+```
+
+### 8. Link the PR to the issue
+
+Append `Closes #<ISSUE_NUMBER>` to the PR body:
+
+```bash
+gh pr view <PR_NUMBER> --repo penpot/penpot --json body --jq '.body' > /tmp/pr-body.md
+printf "\n\nCloses #<ISSUE_NUMBER>\n" >> /tmp/pr-body.md
+gh pr edit <PR_NUMBER> --repo penpot/penpot --body-file /tmp/pr-body.md
+
+# Verify
+gh pr view <PR_NUMBER> --repo penpot/penpot --json body \
+  --jq '.body | test("Closes #<ISSUE_NUMBER>")'
+```
+
+**Note:** If the PR is already merged, `Closes` won't auto-close the issue
+— it only creates the "Development" sidebar link. This is the desired
+behavior since the issue is a tracking artifact.
+
+### 9. Clean up
+
+```bash
+rm -f /tmp/issue-body.md /tmp/pr-body.md
+```
+
+## Label rules
+
+| PR has | Issue gets |
+|--------|-----------|
+| `bug` | `bug` |
+| `enhancement` | `enhancement` |
+| `community contribution` | `community contribution` |
+| `backport candidate` | *(skip — workflow label)* |
+| `team-qa` | *(skip — workflow label)* |
+| No user-facing label | Infer from title: `:bug:` → `bug`, `:sparkles:` → `enhancement` |
+
+## Issue Type mapping
+
+| PR label(s) / title prefix | Issue Type |
+|----------------------------|-----------|
+| `bug` or `:bug:` | Bug |
+| `enhancement` or `:sparkles:` or `:tada:` | Enhancement |
+| Feature / epic | Feature |
+| Documentation | Docs |
+| None of the above | Task |
+
+## Key Principles
+
+- **Issue = WHAT, PR = HOW.** Never put implementation details in the
+  issue body. The issue is for users, QA, and changelog readers.
+- **Copy the milestone from the PR.** Don't guess based on branch names.
+  If the PR has no milestone, create the issue without one.
+- **Set Issue Type via GraphQL** — `gh issue create` can't set it.
+- **Link via PR body** — `Closes #<NUMBER>` creates the "Development"
+  sidebar link automatically.
+- **One issue per PR** — even if a PR fixes multiple things, create a
+  single issue that summarizes the overall change.
+- **Community attribution:** if the PR has the `community contribution`
+  label or the author is not a core team member, add the label to the issue.

.opencode/skills/issue-title/SKILL.md

@@ -0,0 +1,123 @@
+---
+name: issue-title
+description: Derive a clear, well-formatted title for a GitHub issue from its description body, using descriptive present-tense for bugs and imperative mood for features, always including the "where" (location in the UI/module).
+---
+
+# Skill: issue-title
+
+Derive a concise, descriptive title for a GitHub issue based on its body
+content. Use **descriptive present tense for bugs** (e.g. "Plugin API
+crashes when setting text fills") and **imperative mood for features** (e.g.
+"Add customizable dash and gap controls"). No emoji or type prefixes
+(`feat:`, `bug:`, `feature:`, etc.).
+
+Can be used both when **creating a new issue** and when **updating an
+existing one** that has a vague or outdated title.
+
+## When to Use
+
+- Creating a new issue and need a well-formatted title from the draft body
+- An existing issue has a vague, outdated, or auto-generated title (e.g.
+  `[PENPOT FEEDBACK]: ...`, `feature: ...`)
+- The current title doesn't reflect the actual content of the description
+- The title is missing the "where" (which part of the UI/module is affected)
+
+## Prerequisites
+
+- `gh` CLI authenticated (`gh auth status`)
+
+## Workflow
+
+### 1. Get the issue body
+
+For an **existing issue**, fetch it:
+
+```bash
+gh issue view <NUMBER> --repo penpot/penpot --json title,body
+```
+
+For a **new issue**, read the draft body from wherever it was provided
+(Taiga link, user report, discussion, etc.).
+
+### 2. Read the body and derive a title
+
+Extract the core problem or request from the description. Distinguish between
+bug reports and feature requests:
+
+**Bug titles (descriptive, present tense):**
+Describe the symptom as it appears to the user. Format:
+`[Where] [present-tense verb] when [condition]`
+
+- *"Plugin API crashes when setting text fills"*
+- *"Canvas renders glitches when zooming quickly"*
+- *"French Canada locale falls back to French (fr) translations"*
+- *"Text layer content is not deleted when WebGL render is enabled"*
+
+Do **not** start bug titles with "Fix" or any imperative verb. The title
+should state what's broken, not command a fix.
+
+**Feature / Enhancement titles (imperative mood):**
+Command what should be built. Format:
+`[Imperative verb] [what] in/on [where]`
+
+- *"Add customizable dash and gap length controls to dashed strokes in the sidebar"*
+- *"Show user, timestamp, and hash in the workspace history panel like git commits"*
+- *"Validate shape on add-object to catch malformed inputs early"*
+
+**Universal rules (both types):**
+- **Include the "where"** — specify the UI location or module (e.g.
+  "in the sidebar", "in the workspace history panel", "on the stroke
+  options")
+- **No prefixes** — strip `bug:`, `feature:`, `feat:`, `:bug:`, `:sparkles:`,
+  `[PENPOT FEEDBACK]`, etc.
+- **No emoji** — plain text only
+- **Be specific** — prefer concrete detail over generality. If the
+  description mentions two related problems, capture both.
+
+**Examples:**
+
+| Original / draft title | Type | New title |
+|---|---|---|
+| `[PENPOT FEEDBACK]: WebGL` | Bug | `Canvas renders glitches when zooming quickly — text appears distorted and nodes have background-colored rectangles` |
+| `bug: flatten-nested-tokens-json uses $type instead of $value as the DTCG token/group discriminator` | Bug | `Token import fails when group-level type inheritance is used — parser misidentifies groups as tokens` |
+| `feature: Dashed stroke customization` | Feature | `Add customizable dash and gap length controls to dashed strokes in the sidebar` |
+| `feature: Add more detail to history of actions` | Feature | `Show user, timestamp, and hash in the workspace history panel like git commits` |
+
+### 3. Apply the title
+
+**If updating an existing issue:**
+
+```bash
+gh issue edit <NUMBER> --repo penpot/penpot --title "<NEW TITLE>"
+```
+
+**If creating a new issue:**
+
+```bash
+gh issue create --repo penpot/penpot --title "<NEW TITLE>" --body "<BODY>"
+```
+
+### 4. Confirm
+
+For updates, the command returns the issue URL. Verify by optionally fetching
+again:
+
+```bash
+gh issue view <NUMBER> --repo penpot/penpot --json title
+```
+
+## Key Principles
+
+- **Bug titles describe the symptom** — present tense, 3rd person:
+  "crashes", "fails", "shows", "is cut off", "does not load". Do not
+  start with "Fix" or "Bug:".
+- **Feature titles use imperative mood** — command form: "Add", "Show",
+  "Use", "Validate", "Support", "Toggle".
+- **Always include the "where"** — a title like "Crashes when zooming"
+  is too vague; "Canvas crashes when zooming quickly" is clear.
+- **No prefixes, no emoji** — strip all type labels and decorative
+  characters from the title.
+- **Derive from the body, not the current title** — the body contains
+  the real detail; the current title may be auto-generated or stale.
+- **Two problems → cover both** — if the description has two distinct
+  but related issues, capture both in the title joined by "and".

.opencode/skills/jq-json-processor/SKILL.md

@@ -0,0 +1,112 @@
+---
+name: jq-json-processor
+description: Process, filter, and transform JSON data using jq - the lightweight and flexible command-line JSON processor.
+homepage: https://jqlang.github.io/jq/
+metadata: {"clawdbot":{"emoji":"🔍","requires":{"bins":["jq"]},"install":[{"id":"brew","kind":"brew","formula":"jq","bins":["jq"],"label":"Install jq (brew)"},{"id":"apt","kind":"apt","package":"jq","bins":["jq"],"label":"Install jq (apt)"}]}}
+---
+
+# jq JSON Processor
+
+Process, filter, and transform JSON data with jq.
+
+## Quick Examples
+
+### Basic filtering
+```bash
+# Extract a field
+echo '{"name":"Alice","age":30}' | jq '.name'
+# Output: "Alice"
+
+# Multiple fields
+echo '{"name":"Alice","age":30}' | jq '{name: .name, age: .age}'
+
+# Array indexing
+echo '[1,2,3,4,5]' | jq '.[2]'
+# Output: 3
+```
+
+### Working with arrays
+```bash
+# Map over array
+echo '[{"name":"Alice"},{"name":"Bob"}]' | jq '.[].name'
+# Output: "Alice" "Bob"
+
+# Filter array
+echo '[1,2,3,4,5]' | jq 'map(select(. > 2))'
+# Output: [3,4,5]
+
+# Length
+echo '[1,2,3]' | jq 'length'
+# Output: 3
+```
+
+### Common operations
+```bash
+# Pretty print JSON
+cat file.json | jq '.'
+
+# Compact output
+cat file.json | jq -c '.'
+
+# Raw output (no quotes)
+echo '{"name":"Alice"}' | jq -r '.name'
+# Output: Alice
+
+# Sort keys
+echo '{"z":1,"a":2}' | jq -S '.'
+```
+
+### Advanced filtering
+```bash
+# Select with conditions
+jq '[.[] | select(.age > 25)]' people.json
+
+# Group by
+jq 'group_by(.category)' items.json
+
+# Reduce
+echo '[1,2,3,4,5]' | jq 'reduce .[] as $item (0; . + $item)'
+# Output: 15
+```
+
+### Working with files
+```bash
+# Read from file
+jq '.users[0].name' users.json
+
+# Multiple files
+jq -s '.[0] * .[1]' file1.json file2.json
+
+# Modify and save
+jq '.version = "2.0"' package.json > package.json.tmp && mv package.json.tmp package.json
+```
+
+## Common Use Cases
+
+**Extract specific fields from API response:**
+```bash
+curl -s https://api.github.com/users/octocat | jq '{name: .name, repos: .public_repos, followers: .followers}'
+```
+
+**Convert CSV-like data:**
+```bash
+jq -r '.[] | [.name, .email, .age] | @csv' users.json
+```
+
+**Debug API responses:**
+```bash
+curl -s https://api.example.com/data | jq '.'
+```
+
+## Tips
+
+- Use `-r` for raw string output (removes quotes)
+- Use `-c` for compact output (single line)
+- Use `-S` to sort object keys
+- Use `--arg name value` to pass variables
+- Pipe multiple jq operations: `jq '.a' | jq '.b'`
+
+## Documentation
+
+Full manual: https://jqlang.github.io/jq/manual/
+Interactive tutorial: https://jqplay.org/

.opencode/skills/nrepl-eval/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: nrepl-eval
+description: Evaluate Clojure code via nREPL using the standalone tools/nrepl-eval.mjs CLI tool.
+---
+
+# nREPL Eval
+
+Evaluate Clojure (or ClojureScript) code via a running nREPL server using
+`tools/nrepl-eval.mjs` — a standalone CLI application.
+
+Session state (defs, in-ns, etc.) persists across invocations via a stored
+session ID, so you can build up state incrementally.
+
+## Usage
+
+```bash
+node tools/nrepl-eval.mjs [options] [<code>]
+```
+
+The tool is also executable directly:
+```bash
+./tools/nrepl-eval.mjs [options] [<code>]
+```
+
+## Options
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `-p, --port PORT` | nREPL server port | `6064` |
+| `-H, --host HOST` | nREPL server host | `127.0.0.1` |
+| `-t, --timeout MS` | Timeout in milliseconds | `120000` |
+| `--reset-session` | Discard stored session and start fresh | — |
+| `-e, --last-error` | Evaluate `*e` to retrieve the last exception | — |
+| `-h, --help` | Show help message | — |
+
+## When to Use
+
+Use this tool when you need to:
+
+1. **Evaluate Clojure code** during development — test functions, inspect
+   state, or run experiments against a running Clojure process.
+2. **Verify that edited files compile** — require namespaces with `:reload`
+   to pick up changes.
+3. **Inspect the last exception** after a failed evaluation — use `-e` to
+   print the error stored in `*e`.
+
+## Workflow
+
+### 1. Session management
+
+Sessions are persisted to `/tmp/penpot-nrepl-session-<host>-<port>`. State
+carries across calls automatically:
+
+```bash
+./tools/nrepl-eval.mjs '(def x 42)'
+./tools/nrepl-eval.mjs 'x'
+# => 42
+```
+
+Reset the session to start fresh:
+
+```bash
+./tools/nrepl-eval.mjs --reset-session '(def x 0)'
+```
+
+### 2. Evaluate code
+
+**Single expression (inline) — uses default port 6064:**
+```bash
+./tools/nrepl-eval.mjs '(+ 1 2 3)'
+```
+
+**Multiple expressions via heredoc (recommended — avoids escaping issues):**
+```bash
+./tools/nrepl-eval.mjs <<'EOF'
+(def x 10)
+(+ x 20)
+EOF
+```
+
+**Override with a different port:**
+```bash
+./tools/nrepl-eval.mjs -p 7888 '(+ 1 2 3)'
+```
+
+### 3. Inspect last exception
+
+After code throws an error, retrieve the full exception details:
+
+```bash
+./tools/nrepl-eval.mjs -e
+```
+
+## Common Patterns
+
+**Require a namespace with reload:**
+```bash
+./tools/nrepl-eval.mjs "(require '[my.namespace :as ns] :reload)"
+```
+
+**Test a function:**
+```bash
+./tools/nrepl-eval.mjs "(ns/my-function arg1 arg2)"
+```
+
+**Long-running operation with custom timeout:**
+```bash
+./tools/nrepl-eval.mjs -t 300000 "(long-running-fn)"
+```
+
+## Key Principles
+
+- **Default port is 6064** — just pass code directly, no `-p` needed when
+  your nREPL server is on 6064. Use `-p <PORT>` for a different port.
+- **Always use `:reload`** when requiring namespaces to pick up file changes.
+- **Session is reused** across invocations — defs, in-ns, and var bindings
+  persist. Use `--reset-session` to clear.
+- **Do not start any server** — the tool connects to an existing nREPL
+  server, it is not the agent's responsibility to start the nREPL server
+  (assume the server is already running on the specified port).

.opencode/skills/ripgrep/SKILL.md

@@ -0,0 +1,150 @@
+---
+name: ripgrep
+description: Blazingly fast text search tool - recursively searches directories for regex patterns with respect to gitignore rules.
+homepage: https://github.com/BurntSushi/ripgrep
+metadata: {"clawdbot":{"emoji":"🔎","requires":{"bins":["rg"]},"install":[{"id":"brew","kind":"brew","formula":"ripgrep","bins":["rg"],"label":"Install ripgrep (brew)"},{"id":"apt","kind":"apt","package":"ripgrep","bins":["rg"],"label":"Install ripgrep (apt)"}]}}
+---
+
+# ripgrep (rg)
+
+Fast, smart recursive search. Respects `.gitignore` by default.
+
+## Quick Start
+
+### Basic search
+```bash
+# Search for "TODO" in current directory
+rg "TODO"
+
+# Case-insensitive search
+rg -i "fixme"
+
+# Search specific file types
+rg "error" -t py       # Python files only
+rg "function" -t js    # JavaScript files
+```
+
+### Common patterns
+```bash
+# Whole word match
+rg -w "test"
+
+# Show only filenames
+rg -l "pattern"
+
+# Show with context (3 lines before/after)
+rg -C 3 "function"
+
+# Count matches
+rg -c "import"
+```
+
+## Advanced Usage
+
+### File type filtering
+```bash
+# Multiple file types
+rg "error" -t py -t js
+
+# Exclude file types
+rg "TODO" -T md -T txt
+
+# List available types
+rg --type-list
+```
+
+### Search modifiers
+```bash
+# Regex search
+rg "user_\d+"
+
+# Fixed string (no regex)
+rg -F "function()"
+
+# Multiline search
+rg -U "start.*end"
+
+# Only show matches, not lines
+rg -o "https?://[^\s]+"
+```
+
+### Path filtering
+```bash
+# Search specific directory
+rg "pattern" src/
+
+# Glob patterns
+rg "error" -g "*.log"
+rg "test" -g "!*.min.js"
+
+# Include hidden files
+rg "secret" --hidden
+
+# Search all files (ignore .gitignore)
+rg "pattern" --no-ignore
+```
+
+## Replacement Operations
+
+```bash
+# Preview replacements
+rg "old_name" --replace "new_name"
+
+# Actually replace (requires extra tool like sd)
+rg "old_name" -l | xargs sed -i 's/old_name/new_name/g'
+```
+
+## Performance Tips
+
+```bash
+# Parallel search (auto by default)
+rg "pattern" -j 8
+
+# Skip large files
+rg "pattern" --max-filesize 10M
+
+# Memory map files
+rg "pattern" --mmap
+```
+
+## Common Use Cases
+
+**Find TODOs in code:**
+```bash
+rg "TODO|FIXME|HACK" --type-add 'code:*.{rs,go,py,js,ts}' -t code
+```
+
+**Search in specific branches:**
+```bash
+git show branch:file | rg "pattern"
+```
+
+**Find files containing multiple patterns:**
+```bash
+rg "pattern1" | rg "pattern2"
+```
+
+**Search with context and color:**
+```bash
+rg -C 2 --color always "error" | less -R
+```
+
+## Comparison to grep
+
+- **Faster:** Typically 5-10x faster than grep
+- **Smarter:** Respects `.gitignore`, skips binary files
+- **Better defaults:** Recursive, colored output, line numbers
+- **Easier:** Simpler syntax for common tasks
+
+## Tips
+
+- `rg` is often faster than `grep -r`
+- Use `-t` for file type filtering instead of `--include`
+- Combine with other tools: `rg pattern -l | xargs tool`
+- Add custom types in `~/.ripgreprc`
+- Use `--stats` to see search performance
+
+## Documentation
+
+GitHub: https://github.com/BurntSushi/ripgrep
+User Guide: https://github.com/BurntSushi/ripgrep/blob/master/GUIDE.md

.opencode/skills/taiga/SKILL.md

@@ -0,0 +1,110 @@
+---
+name: taiga
+description: Fetch information from Taiga public API for the Penpot project (id 345963) — issues, user stories, and tasks, without authentication.
+metadata: {"clawdbot":{"requires":{"bins":["python3"]}}}
+---
+
+# Taiga API Skill
+
+Fetch information from Taiga public API for the **Penpot** project
+(project id: `345963`, slug: `penpot`).
+
+**No authentication required** — only public project data is accessed.
+
+## Prerequisites
+
+- `python3` — the `tools/taiga.py` CLI script is self-contained (stdlib only)
+
+## Quick Start
+
+The easiest way is to use the bundled Python script:
+
+```bash
+# Pass a Taiga URL directly
+python3 tools/taiga.py https://tree.taiga.io/project/penpot/issue/13714
+
+# Or use "<type> <ref>" syntax
+python3 tools/taiga.py us 14128
+python3 tools/taiga.py task 13648
+
+# Add --json for raw output
+python3 tools/taiga.py --json issue 13714
+
+# See full usage
+python3 tools/taiga.py --help
+```
+
+## URL Pattern Reference
+
+Taiga web URLs follow these patterns:
+
+| Type | Web URL Pattern |
+|------|----------------|
+| Issue | `https://tree.taiga.io/project/penpot/issue/<REF>` |
+| User Story | `https://tree.taiga.io/project/penpot/us/<REF>` |
+| Task | `https://tree.taiga.io/project/penpot/task/<REF>` |
+
+To extract the **type** and **ref** from a URL:
+- `issue/13714` → type=`issue`, ref=`13714`
+- `us/14128` → type=`us`, ref=`14128`
+- `task/13648` → type=`task`, ref=`13648`
+
+## Python Script Reference
+
+The `tools/taiga.py` script wraps the Taiga API into a single convenient CLI
+with sensible defaults.
+
+### Usage
+
+```
+python3 tools/taiga.py <taiga-url>
+python3 tools/taiga.py <type> <ref>
+python3 tools/taiga.py [--json] <taiga-url>
+python3 tools/taiga.py [--json] <type> <ref>
+```
+
+### Examples
+
+```bash
+# By URL (recommended — no need to think about type/ref)
+python3 tools/taiga.py https://tree.taiga.io/project/penpot/issue/13714
+
+# By type and ref
+python3 tools/taiga.py us 14128
+python3 tools/taiga.py task 13648
+
+# Raw JSON output
+python3 tools/taiga.py --json issue 13714
+```
+
+### Output
+
+The script prints a clean, structured summary:
+
+```text
+User Story #11964 — 🔴 [DESIGN TOKENS] Typography Composite Input
+================================
+Status:     Defining
+Milestone:  design-systems-sprint-26
+Points:     3 role(s)
+Assignee:   Natacha Menjibar
+Author:     Natacha Menjibar
+Created:    2025-09-01
+Tags:       iop-design-tokens
+URL:        https://tree.taiga.io/project/penpot/us/11964
+================================
+<full description text, unmodified>
+```
+
+The fields section includes type-specific information:
+- **Issues:** Status, Type ID, Severity ID, Priority ID
+- **User Stories:** Status, Milestone, Points
+- **Tasks:** Status, Milestone, Parent US
+
+## Reference
+
+- API docs: https://docs.taiga.io/api.html
+- Taiga instance: https://tree.taiga.io
+- API base: https://api.taiga.io/api/v1
+- Penpot project id: `345963`
+- Penpot project slug: `penpot`

.opencode/skills/update-changelog/SKILL.md

@@ -0,0 +1,468 @@
+---
+name: update-changelog
+description: Update the project CHANGES.md with issues from a given GitHub milestone, with correct categorization and references.
+---
+
+# Skill: update-changelog
+
+Update `CHANGES.md` with entries for all issues and PRs in a given GitHub
+milestone. Each entry references the user-facing issue (not the PR) as the
+primary link, with the fix PR inline on the same line.
+
+## When to Use
+
+- Before a new release, to populate the changelog with all fixed issues
+- When new issues are added to an existing milestone and the changelog needs
+  to be refreshed
+- To ensure every entry follows the correct format for the changelog
+
+## Prerequisites
+
+- `gh` CLI authenticated (`gh auth status`)
+- Python 3.8+
+- `tools/gh.py` helper script available
+
+## Workflow
+
+### 1. Determine the target version
+
+The version is typically a semver string like `2.15.3`. Confirm with the user
+if not specified.
+
+### 2. Fetch all issues in the milestone
+
+Use the helper script. It uses GraphQL for efficient single-pass fetching
+(closing PRs are included in the same query — no N+1):
+
+```bash
+# All closed issues (default)
+python3 tools/gh.py issues "2.16.0"
+
+# Include open issues too
+python3 tools/gh.py issues "2.16.0" --state all
+
+# Exclude entries that should not go in the changelog
+python3 tools/gh.py issues "2.16.0" --exclude "release blocker,no changelog"
+```
+
+**Exclusion rules (issue-level):**
+- `no changelog` label — Chore/refactor work that doesn't need a changelog entry
+- `release blocker` label — Blocked issues not yet ready for changelog
+- `Task` issue type — Internal chores are not user-facing; filter these out after fetching
+- **Rejected project status** — Issues with a "Rejected" status in the "Main" project board are automatically excluded by `gh.py`. This project-level status (independent of the GitHub issue `state`) indicates the issue was rejected from the release. Use `--include-rejected` to override.
+
+**Exclusion rules (PR-level):**
+In addition to issue-level exclusions, PRs with these labels should be
+excluded regardless of their linked issue's labels:
+- `release blocker` — PR is part of a pending release blocker batch
+- `no issue required` — Trivial fix not tracked as an issue
+
+The script outputs JSON with each entry containing `number`, `title`, `state`,
+`issue_type`, `labels`, `closing_prs` (the PRs that fix each issue), and
+`project_status` (the "Main" project board status, e.g. "Done", "Rejected",
+or `null` if not tracked in a project).
+
+### 3. Identify missing entries (optional)
+
+If updating from an existing `CHANGES.md`, find issues in the milestone that
+are NOT yet referenced in the changelog:
+
+```bash
+python3 tools/gh.py issues "2.16.0" --exclude "release blocker,no changelog" --compare CHANGES.md
+```
+
+This returns a filtered JSON array with only the missing issues.
+
+> **Note:** The `--compare` flag checks **issues** only (via issue number
+> references in the changelog). To find merged **PRs** not yet referenced,
+> use the milestone PR cross-reference described in step 10 below.
+
+### 4. Fetch additional PR details when needed
+
+When you need more context for specific PRs (e.g. to find the PR author for
+community contribution attribution, or to read the PR body for
+"Fixes/Closes #NNN" patterns):
+
+```bash
+# One or more PR numbers
+python3 tools/gh.py prs 9179 9204 9311
+
+# From a file
+python3 tools/gh.py prs --file prs.txt
+
+# From stdin
+cat prs.txt | python3 tools/gh.py prs --stdin
+```
+
+The `prs` command also supports listing all PRs in a milestone in one call:
+
+```bash
+# All merged PRs in a milestone (default)
+python3 tools/gh.py prs --milestone "2.16.0"
+
+# All states (merged, open, closed)
+python3 tools/gh.py prs --milestone "2.16.0" --state all
+```
+
+The `prs` command returns JSON with `number`, `title`, `body`, `state`,
+`merged_at`, `author`, `labels`, and `closing_issues`. PRs are fetched in
+batches of 50 via GraphQL to stay within API limits (milestone mode uses
+paginated GraphQL on the milestone's `pullRequests` connection).
+
+You can also list all PRs in a milestone in a single call:
+
+```bash
+# All merged PRs in a milestone (default)
+python3 tools/gh.py prs --milestone "2.16.0"
+
+# All states (merged, open, closed)
+python3 tools/gh.py prs --milestone "2.16.0" --state all
+
+# Open PRs only
+python3 tools/gh.py prs --milestone "2.16.0" --state open
+```
+
+The milestone path uses paginated GraphQL on the milestone's `pullRequests`
+connection (100 per page), avoiding one-by-one fetches.
+
+### 5. Categorize entries — strictly by issue type, never by labels or emoji
+
+Use the **Issue Type** field (GitHub's native issue type, exposed as
+`issue_type` in the `gh.py` JSON output) to determine which section an entry
+belongs to.
+
+> **⚠️ CRITICAL: Never use labels or title emoji prefixes for categorization.**
+> Labels like `bug` and `enhancement`, as well as title prefixes like `:bug:`
+> and `:sparkles:`, are frequently inaccurate, missing, or contradictory to the
+> actual issue type. The `issue_type` field from `gh.py` is the single source
+> of truth.
+
+| `issue_type` value | Changelog section |
+|--------------------|-------------------|
+| `Bug` | `### :bug: Bugs fixed` |
+| `Feature` or `Enhancement` | `### :sparkles: New features & Enhancements` |
+| `Task` | **Exclude** — internal chores are not user-facing |
+| `null` (not set) | Check labels as a fallback: `bug` label → bugs, otherwise enhancements |
+
+The `gh.py` issues command already includes `issue_type` in every entry's
+output. **No separate GraphQL query is needed.**
+
+**Community contribution attribution:** If the issue or its fix PR has the
+`community contribution` label, add an attribution `(by @<github_username>)`
+on the changelog entry line, **before** the GitHub issue/PR references.
+
+The attribution should reference the **PR author**, not the issue author.
+The `prs` subcommand includes the `author` field — use that:
+
+```bash
+python3 tools/gh.py prs <PR_NUMBER> | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['author'])"
+```
+
+Placement in the entry line:
+```markdown
+- Fix description of the bug (by @username) [#<ISSUE>](...) (PR: [#<PR>](...))
+```
+
+**Only closed issues are included.** An issue must have `state: "closed"` to
+appear in the changelog. Open/unresolved issues are omitted, even if they are
+tracked in the milestone.
+
+**Pairing rules:**
+
+| Pattern | Changelog format |
+|---------|-----------------|
+| Closed issue + one or more PRs fix it | Primary link = issue, PR inline comma-separated |
+| PR exists with no linked issue | If a corresponding closed issue exists in the same milestone, link the issue. Otherwise, skip the entry (the issue must be the changelog unit). |
+| Closed issue with no fix PR in milestone | Link the issue directly, without a PR reference. |
+
+> **False-positive associations:** A PR may incorrectly claim to close an issue
+> from a different context (e.g., a very old PR referencing a modern issue, or a
+> cross-project reference). If the PR title and issue title are clearly unrelated,
+> or the PR was created years before the issue, treat it as a data glitch and
+> skip it. PR [#3](https://github.com/penpot/penpot/pull/3) (ancient License PR
+> claiming to close a plugin API issue) is a known example.
+
+### 5a. ⚠️ Verify PR merge status before writing
+
+A closed issue may list closing PRs that were **closed without merging**
+(e.g., a community PR that was superseded by another). The changelog must
+only reference **merged** PRs. Verify before writing:
+
+```bash
+# Collect all PR numbers from the candidate entries and check them
+python3 tools/gh.py prs <ALL_PR_NUMBERS> | python3 -c "
+import json, sys
+for pr in json.load(sys.stdin):
+    if pr['state'] != 'MERGED':
+        print(f'WARNING: #{pr[\"number\"]} is {pr[\"state\"]} (not merged)')
+"
+```
+
+If a closing PR is closed-unmerged, find the actual merged PR that
+superseded it:
+1. Check the issue's closing PRs list for other PRs (there may be multiple)
+2. Look for other PRs with similar titles or descriptions referencing the same issue
+3. Inspect the closed PR's conversation timeline for a pointer to the replacement
+
+Replace the reference in the changelog entry with the correct merged PR number.
+
+### 6. Read the current CHANGES.md
+
+Read the top of `CHANGES.md` to understand the existing format and find the
+insertion point (newest version goes at the top, after the `# CHANGELOG`
+header).
+
+Key format rules from the existing file:
+
+```markdown
+## <VERSION>
+
+### :bug: Bugs fixed
+
+- Fix description of the bug [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+- Fix another bug (by @contributor) [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+
+### :sparkles: New features & Enhancements
+
+- Add new feature description [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+```
+
+Format details:
+- Entries start with `- ` followed by a short description in imperative mood
+- Primary link is **always the issue** (user-facing artifact)
+- PR references are inline on the same line: `(PR: [#<N>](<url>))`
+  If an issue has multiple fix PRs, they are comma-separated:
+  `(PR: [#<N>](<url>), [#<M>](<url>))`
+- The description should describe the fix/feature from the user's perspective
+- Community contributions get `(by @<username>)` **before** the issue link
+- Sections are separated by a blank line between the last entry and the next
+  section title
+- Only include a section if there are entries for it
+- When an entry already exists in an earlier version section, it must be removed
+  from the current version to avoid duplicates
+
+### 7. Build the description text
+
+Derive the description from the issue title, not the PR title. Strip leading
+emoji prefixes (`:bug:`, `:sparkles:`, `:tada:`) and focus on the
+user-facing behavior.
+
+Examples:
+
+| Issue title | Changelog description |
+|-------------|----------------------|
+| `Plugin API token methods fail with schema validation error on PRO` | `Fix Plugin API token methods failing with schema validation error on PRO` |
+| `Comment content is not sanitized before rendering, enabling stored XSS` | `Sanitize comment content on rendering` |
+| `Custom uploaded font family names are not sanitized` | `Sanitize font family names on custom uploaded fonts` |
+
+### 8. Insert the section into CHANGES.md
+
+Insert the new version section right after the `# CHANGELOG` header (before
+the previous version entry). Use the `edit` tool with enough context to make
+a unique match.
+
+### 9. Verify
+
+Read the top of `CHANGES.md` and confirm:
+- The version header is correct
+- Every entry has a GitHub link
+- Entries with a fix PR have the PR sub-line
+- The section ordering is correct (newest first)
+- Formatting matches the surrounding entries
+
+### 10. Cross-reference milestone PRs against the changelog
+
+Issues can be fixed by PRs that aren't in the milestone, and merged PRs in
+the milestone may not close any tracked issue. After writing, run a full
+cross-reference to catch gaps:
+
+```bash
+# List all merged PRs in the milestone
+python3 tools/gh.py prs --milestone "<MILESTONE>" --state merged > /tmp/milestone-prs.json
+
+# Extract PR numbers from the changelog section
+python3 -c "
+import json, re
+
+with open('CHANGES.md') as f:
+    content = f.read()
+
+# Extract the version section (adjust regex to match the actual version)
+match = re.search(r'## <MILESTONE> \(Unreleased\)\n(.*?)(?:\n## |\Z)', content, re.DOTALL)
+section = match.group(1)
+
+# Collect all PR numbers referenced
+changelog_prs = set()
+for m in re.findall(r'\[#(\d+)\]\(https://github\.com/penpot/penpot/pull/\d+\)', section):
+    changelog_prs.add(int(m))
+
+# Collect all milestone PRs (filtered)
+with open('/tmp/milestone-prs.json') as f:
+    milestone_prs = json.load(f)
+
+milestone_merged = {pr['number'] for pr in milestone_prs}
+
+# PRs in milestone but not in changelog
+missing = sorted(milestone_merged - changelog_prs)
+print(f'Milestone merged PRs: {len(milestone_merged)}')
+print(f'Changelog referenced PRs: {len(changelog_prs)}')
+print(f'PRs in milestone but NOT in changelog: {len(missing)}')
+for num in missing:
+    pr = next(p for p in milestone_prs if p['number'] == num)
+    print(f'  #{num} {pr[\"title\"][:80]}')
+"
+```
+
+For each missing PR found, decide whether it should be added to the
+changelog or is legitimately excluded (check its labels).
+
+Also verify that no closed-unmerged PRs remain in the changelog:
+
+```bash
+python3 tools/gh.py prs --milestone "<MILESTONE>" --state all | python3 -c "
+import json, sys
+data = json.load(sys.stdin)
+closed = [p for p in data if p['state'] == 'CLOSED']
+if closed:
+    print('WARNING: CLOSED (unmerged) PRs in milestone:')
+    for p in closed:
+        print(f'  #{p[\"number\"]} {p[\"title\"][:80]}')
+"
+```
+
+**Post-edit audit checklist:**
+- ✅ All referenced PRs are merged (no closed-unmerged artifacts)
+- ✅ Every merged milestone PR is either in the changelog or excluded by label
+- ✅ PR and issue counts are internally consistent
+- ✅ No false-positive PR-to-issue associations
+
+## Version section template
+
+```markdown
+## <VERSION>
+
+### :bug: Bugs fixed
+
+- <fix description> [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+- <fix description> (by @contributor) [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+```
+
+### 10. Cross-reference milestone PRs against the changelog
+
+Issues can be fixed by PRs that aren't in the milestone, and merged PRs in
+the milestone may not close any tracked issue. After writing, run a full
+cross-reference to catch gaps:
+
+```bash
+# List all merged PRs in the milestone
+python3 tools/gh.py prs --milestone "<MILESTONE>" --state merged > /tmp/milestone-prs.json
+
+# Extract PR numbers from the changelog section
+python3 -c "
+import json, re
+
+with open('CHANGES.md') as f:
+    content = f.read()
+
+# Extract the version section (adjust regex to match the actual version)
+match = re.search(r'## <MILESTONE> \(Unreleased\)\n(.*?)(?:\n## |\Z)', content, re.DOTALL)
+section = match.group(1)
+
+# Collect all PR numbers referenced
+changelog_prs = set()
+for m in re.findall(r'\[#(\d+)\]\(https://github\.com/penpot/penpot/pull/\d+\)', section):
+    changelog_prs.add(int(m))
+
+# Collect all milestone PRs (filtered)
+with open('/tmp/milestone-prs.json') as f:
+    milestone_prs = json.load(f)
+
+milestone_merged = {pr['number'] for pr in milestone_prs}
+
+# PRs in milestone but not in changelog
+missing = sorted(milestone_merged - changelog_prs)
+print(f'Milestone merged PRs: {len(milestone_merged)}')
+print(f'Changelog referenced PRs: {len(changelog_prs)}')
+print(f'PRs in milestone but NOT in changelog: {len(missing)}')
+for num in missing:
+    pr = next(p for p in milestone_prs if p['number'] == num)
+    print(f'  #{num} {pr[\"title\"][:80]}')
+"
+```
+
+For each missing PR found, decide whether it should be added to the
+changelog or is legitimately excluded (check its labels).
+
+Also verify that no closed-unmerged PRs remain in the changelog:
+
+```bash
+python3 tools/gh.py prs --milestone "<MILESTONE>" --state all | python3 -c "
+import json, sys
+data = json.load(sys.stdin)
+closed = [p for p in data if p['state'] == 'CLOSED']
+if closed:
+    print('WARNING: CLOSED (unmerged) PRs in milestone:')
+    for p in closed:
+        print(f'  #{p[\"number\"]} {p[\"title\"][:80]}')
+"
+```
+
+**Post-edit audit checklist:**
+- ✅ All referenced PRs are merged (no closed-unmerged artifacts)
+- ✅ Every merged milestone PR is either in the changelog or excluded by label
+- ✅ PR and issue counts are internally consistent
+- ✅ No false-positive PR-to-issue associations
+
+## Key Principles
+
+- **Issue = changelog unit.** The primary link always points to the
+  user-facing issue, not the implementation PR.
+- **PR = implementation detail.** Reference the PR inline so readers
+  can find the code changes.
+- **Latest version first.** New sections are inserted at the top of the
+  changelog, below the `# CHANGELOG` header.
+- **Issue Type determines section — exclusively.** Use the `issue_type` field from `gh.py` output (Bug → `:bug:`, Feature/Enhancement → `:sparkles:`). **Do not** use labels (`bug`, `enhancement`) or title emoji prefixes (`:bug:`, `:sparkles:`) — they are frequently wrong or contradictory. The `issue_type` is the single source of truth.
+- **User-facing descriptions.** Write from the user's perspective — describe
+  what broke and what was fixed, not internal implementation details.
+- **Community attribution.** When the issue or fix PR has the
+  `community contribution` label, add `(by @<username>)` on the entry line
+  between the description and the issue link. Use the **PR author** (not the
+  issue author) for the attribution.
+- **Only closed issues.** An issue must have `state: "closed"` to appear in
+  the changelog. Open/unresolved issues are omitted.
+- **Rejected project status.** Issues marked as "Rejected" in the "Main"
+  project board are automatically excluded by `gh.py`, even if they are
+  closed. The project status is distinct from the GitHub issue state.
+  Use `--include-rejected` to override this behavior.
+- **Excluded issues.** Issues with `no changelog` label must be excluded.
+  Issues with `issue_type: "Task"` must also be excluded — they are internal
+  chores, not user-facing changes.
+- **Multiple PRs per issue.** If multiple PRs fix the same issue, list them
+  comma-separated inline: `(PR: [#A](url), [#B](url))`.
+- **Duplicate removal.** If an entry already exists in a prior version section,
+  remove it from the current version. Check for text-level duplicates (after
+  stripping links and attributions) across version sections.
+- **Taiga references.** If a changelog entry references a Taiga URL
+  (`tree.taiga.io`), attempt to find a corresponding GitHub issue via the
+  Taiga description text or by searching GitHub PRs that reference the Taiga
+  URL. Replace the Taiga reference with the GitHub issue link and add the PR
+  reference if applicable.
+- **Re-fetch before editing.** Milestones can change — always re-fetch issues
+  before making edits, don't rely on cached data.
+- **Use `tools/gh.py`.** Prefer the helper script over raw `gh api` calls for
+  milestone issue listing and PR detail fetching. It handles GraphQL
+  pagination, batching, and label filtering automatically.
+- **Verify PR merge status.** Not all closing PRs are merged — community PRs
+  can be superseded and closed without merging. Always check that every PR
+  referenced in the changelog has `state: MERGED`.
+- **PR-level exclusions apply.** A PR can carry its own exclusion labels
+  (`release blocker`, `no issue required`) independent of its linked issue's
+  labels. Check both.
+- **Cross-reference milestone PRs, not just issues.** The `--compare` flag on
+  the `issues` command only compares issue numbers. Merged PRs not linked to
+  any milestone issue can be missed. Use `python3 tools/gh.py prs --milestone`
+  for a full PR cross-reference.
+- **False-positive PR-to-issue associations.** A PR may claim to close an
+  issue from a different project or context. If the PR title and issue title
+  are clearly unrelated, or the PR predates the issue by years, treat it as a
+  data glitch and skip it.

.serena/.gitignore

@@ -0,0 +1,2 @@
+/cache
+/project.local.yml

.serena/memories/backend/auth-permissions-product-domains.md

@@ -0,0 +1,40 @@
+# Backend Auth, Permissions, and Product Domain Subtleties
+
+## Auth and sessions
+
+- Main auth RPC commands live in `app.rpc.commands.auth`; LDAP and OIDC provider logic live in `app.auth.ldap` and `app.auth.oidc`, with LDAP-specific RPC checks in `app.rpc.commands.ldap`.
+- Public auth endpoints must explicitly set `::rpc/auth false`; RPC auth defaults to enabled. Session cookie creation/deletion is usually attached as an RPC response transform.
+- Basic Penpot registration is token staged: prepare/register creates or verifies temporary tokens, then profile creation/session setup is reused by other auth backends. The frontend `/auth/verify-token` flow is a hub for registration confirmation, email change, and invitation tokens.
+- OIDC-compatible providers share a generic flow: redirect to provider, validate callback/request token, fetch identity data, then login an existing profile or register a new one. Known providers may have hardcoded endpoints; generic OIDC can use discovery/configured endpoints.
+- LDAP login validates credentials against the external directory, fetches identity data, then logs in or registers a matching Penpot profile. LDAP registration is not a separate Penpot signup flow.
+- Logout may return an OIDC provider redirect URI when the session claims include provider/session data and the provider has a logout URI.
+- Invitation tokens are verified through token issuers and only accepted when the token member id/email matches the authenticated profile; otherwise login proceeds without consuming the invitation.
+- HTTP/session parsing details such as cookie/header precedence, JWT session token versions, and SameSite behavior are in `mem:backend/http-storage-filedata-subtleties`.
+
+## Permission model
+
+- `app.rpc.permissions` provides predicate/check factories. Failed permission checks intentionally raise `:not-found` / `:object-not-found`, not an authorization-specific error, to avoid leaking object existence.
+- Team role flags are normalized as owner > admin > editor > viewer. Owner/admin imply edit; any membership row implies read.
+- File/project/comment checks are implemented in the owning command namespaces, often via helpers imported from `files`, `teams`, or `projects`; do not bypass those helpers with direct DB lookups unless preserving their not-found semantics.
+- Comment permission includes both logged-in state and the file/team comment policy. Shared viewer paths may pass `share-id`; preserve that path when changing comment queries.
+
+## Teams, projects, and invitations
+
+- Team/project commands mix DB changes, email, message bus notifications, media/storage cleanup, feature flags, quotas, and audit metadata. Keep mutations transactional when the existing command does so.
+- Invitation flows validate muted/bounced emails before sending and use tokenized invitation state. Accepting an invitation is tied to the invited member identity, not just possession of a token.
+- Logical deletion is used for many product objects; prefer existing logical-deletion helpers over hard deletes unless the command already performs permanent cleanup.
+- Bounced/spam-complaint emails can mute/block a profile for login/registration and email sending. Devenv MailCatcher is the normal local path for registration/email-flow testing.
+
+## Comments, webhooks, and audit
+
+- Comment thread queries join file/project/profile state and exclude deleted files/projects. Unread comment counts depend on `comment_thread_status.modified-at` and profile notification preferences.
+- Webhook edits are allowed for team editors/admins or the webhook creator. Webhook validation performs a synchronous HEAD request with a short timeout; validation errors are mapped through `app.loggers.webhooks`.
+- Audit events are prepared from RPC metadata, result metadata, params, request context, and selected auth identifiers. Webhook event batching can be controlled through audit/webhook metadata on commands or results.
+- Webhook and audit logging are cross-cutting side effects of product commands; when adding a command, check nearby command metadata and result metadata patterns before inventing a new event shape.
+
+## Local testing notes
+
+- Enable LDAP login locally with frontend flag `enable-login-with-ldap`; the devenv includes a configured test LDAP service.
+- OIDC testing requires external provider app credentials plus matching backend/frontend config.
+- Backend domain tests usually live under `backend/test/backend_tests/rpc/commands/*_test.clj` or nearby backend test namespaces. Use focused `clojure -M:dev:test --focus ...` from `backend/` when possible.
+- For auth/session or HTTP behavior, combine backend tests with the HTTP/session notes in `mem:backend/http-storage-filedata-subtleties` because RPC-level tests may not exercise cookie/header transforms.

.serena/memories/backend/core.md

@@ -0,0 +1,101 @@
+# Backend Architecture and Workflow
+
+Backend: JVM Clojure; Integrant; PostgreSQL; Redis/Valkey; RPC; HTTP; storage; mail; audit/logging; workers.
+
+## Focused memories
+
+- RPC, DB helpers, workers, cron: `mem:backend/rpc-db-worker-subtleties`
+- HTTP sessions, config, storage, media, file data persistence: `mem:backend/http-storage-filedata-subtleties`
+- Auth flows, permission model, teams, projects, invitations, comments, webhooks, audit: `mem:backend/auth-permissions-product-domains`
+- Services, task-queue/Pub-Sub topology constraints -> `mem:prod-infra/core`.
+
+## Stable namespace map
+
+- `app.rpc.commands.*`: RPC command implementations exposed under `/api/rpc/command/<cmd-name>`.
+- `app.rpc.permissions`: permission predicate/check helper factories.
+- `app.http.*`: HTTP routes and middleware.
+- `app.auth.*`: provider-specific authentication helpers such as LDAP/OIDC.
+- `app.loggers.*`: audit, webhook, database, and external log integrations.
+- `app.db.*` / `app.db`: next.jdbc wrapper and SQL helpers.
+- `app.tasks.*`: background task handlers.
+- `app.worker`: task execution/cron plumbing.
+- `app.main`: Integrant system map and component wiring.
+- `app.config`: `PENPOT_*` env config and feature flags.
+- `app.srepl.*`: development REPL helpers for manual backend operations (data inspection, migration helpers, one-off admin tasks).
+- `app.nitrate`, `app.rpc.commands.nitrate`, and `app.rpc.management.nitrate`: external Nitrate subscription/organization integration, gated by the `:nitrate` feature flag and shared-key HTTP calls.
+
+## RPC conventions
+
+RPC commands are defined with `app.util.services/defmethod` and schemas. Use `get-` prefixes for read operations. Command metadata usually includes auth, docs version, params schema, and result schema. Return plain maps/vectors or raise structured exceptions from `app.common.exceptions`.
+
+Backend RPC command areas without focused memories include access tokens, binfile, demo, feedback, file snapshots, fonts, management, Nitrate, and webhooks beyond the notes in `mem:backend/auth-permissions-product-domains`; inspect nearby command tests and command metadata before changing them.
+
+## DB conventions
+
+`app.db` helpers accept cfg, pool, or conn in most places and convert kebab-case to snake_case:
+- `db/get`, `db/get*`, `db/query`, `db/insert!`, `db/update!`, `db/delete!`.
+- Use `db/run!` for multiple operations on one connection.
+- Use `db/tx-run!` for transactions.
+
+Database migrations live in `backend/src/app/migrations/`; pure SQL migrations are under `backend/src/app/migrations/sql/`. SQL filenames conventionally start with a sequence and verb/table description, e.g. `0026-mod-profile-table-add-is-active-field`. Applied migrations are tracked in the `migrations` table.
+
+For deeper details on transaction semantics, advisory locks, Transit vs JSON helpers, and dev/test DB URLs: `mem:backend/rpc-db-worker-subtleties`.
+
+## Background tasks
+
+A task handler is an Integrant component with `ig/assert-key`, `ig/expand-key`, and `ig/init-key`, returning the function run by the worker. New tasks also need wiring in `app.main`: handler config, worker registry entry, and cron entry if scheduled.
+
+For worker dispatch, cron, retry semantics, deduplication, and queue internals: `mem:backend/rpc-db-worker-subtleties`.
+
+## REPL
+
+In devenv, backend nREPL is exposed on port 6064.
+
+### Non-interactive eval (preferred for agents)
+
+`./tools/nrepl-eval.mjs` connects to an already-running nREPL server and evaluates code. Session state (defs, `in-ns`) persists across invocations via a stored session ID in `/tmp/penpot-nrepl-session-<host>-<port>`.
+
+```bash
+./tools/nrepl-eval.mjs '(+ 1 2)'                            # single expression
+./tools/nrepl-eval.mjs "(require '[my.ns :as ns] :reload)"  # reload after edits
+./tools/nrepl-eval.mjs -e                                   # inspect last exception (*e)
+./tools/nrepl-eval.mjs --reset-session '(def x 0)'          # discard session, start fresh
+./tools/nrepl-eval.mjs <<'EOF'                              # multi-expression heredoc
+(def x 10)
+(+ x 20)
+EOF
+```
+
+Default port is 6064. Use `-p <PORT>` for a different port. Use `-t <MS>` to override the 120s timeout. Do not start the nREPL server — assume it is already running.
+
+### Interactive REPL
+
+`backend/scripts/nrepl` starts a REPLy client connected to the running nREPL.
+
+For an in-process backend REPL (where you control the JVM lifecycle), stop the running backend first so port 9090 is free, then run `backend/scripts/repl`. Useful top-level helpers include `(start)`, `(stop)`, `(restart)`, `(run-tests)`, and `(repl/refresh-all)`. Many `app.srepl.main` helpers accept the global `system` var, e.g. manual email or maintenance operations.
+
+## Fixtures
+
+Fixtures can populate local data for manual testing/perf work. From the backend REPL, run `(app.cli.fixtures/run {:preset :small})`; fixture users conventionally look like `profileN@example.com` with password `123123`. Standalone fixture aliases may exist, but check current `backend/deps.edn` before relying on old command names.
+
+## Performance
+
+* **Type Hinting:** Use explicit JVM type hints (e.g. `^String`, `^long`) in performance-critical paths to avoid reflection overhead.
+* **Batch inserts:** Use `db/insert-many!` for bulk row inserts — generates a single SQL with multiple parameter tuples. Avoid on very large datasets (SQL length / parameter count limits).
+* **Server-side cursors:** Use `db/plan` (fetch-size 1000, forward-only, read-only) or `db/cursor` for large result sets. Never fetch large collections into memory at once.
+* **Transaction discipline:** Use `tx-run!` for writes (opens a transaction), `run!` for reads (single connection, no transaction). Set `:read-only` on `tx-run!` when applicable to let PostgreSQL optimize.
+
+## Lint and Format
+
+IMPORTANT: all CLI commands must be executed from the `backend/` subdirectory.
+
+* **Linting:** `pnpm run lint` from the repository root.
+* **Formatting:** `pnpm run check-fmt`. Use `pnpm run fmt` to fix. Avoid unrelated whitespace diffs.
+
+## Testing
+
+IMPORTANT: all CLI commands must be executed from the `backend/` subdirectory.
+
+* **Coverage:** If code is added or modified in `src/`, corresponding tests in `test/backend_tests/` must be added or updated.
+* **Isolated run:** `clojure -M:dev:test --focus backend-tests.my-ns-test` for a specific test namespace.
+* **Regression run:** `clojure -M:dev:test` to ensure no regressions in related functional areas.

.serena/memories/backend/http-storage-filedata-subtleties.md

@@ -0,0 +1,31 @@
+# Backend HTTP, Storage, Media, and File Data Subtleties
+
+## Config and HTTP/session middleware
+
+- `app.config/config` and `flags` are dynamic `defonce` vars populated from `PENPOT_*` env vars through the shared schema string transformer. Tests and tooling can bind them.
+- `parse-flags` automatically adds `:disable-secure-session-cookies` when `public-uri` is plain HTTP and not localhost. This changes cookie defaults without an explicit env flag.
+- The backend sets Clojure `*assert*` globally from the `:backend-asserts` feature flag. Assertion-dependent checks can therefore differ by runtime flags.
+- Request body parsing is mostly POST-oriented and supports Transit JSON plus plain JSON. Plain JSON request keys are kebab-decoded before being merged into `:params`.
+- Response formatting negotiates with `Accept` or `_fmt=json`. Transit is the default for collection/boolean bodies; JSON encoding has special pointer-map handling.
+- Auth prefers the session cookie token before the `Authorization` header. Headers may be `Token` or `Bearer`; JWTs with `kid=1` and `ver=1` are decoded as v1 session tokens, otherwise they are treated as legacy tokens.
+- Shared-key auth requires `x-shared-key` as `<key-id> <key>` and stores the lowercased key id on the request. If no shared keys are configured it always rejects.
+- Session management uses DB storage unless the DB pool is read-only, then falls back to the in-memory manager. DB sessions support both legacy string ids and v2 UUID session ids.
+- Session cookies are renewed when using a legacy string id or when `modified-at` is older than the renewal interval. SameSite is `none` for CORS, otherwise strict/lax based on config.
+
+## Storage and media
+
+- Storage has a fixed valid bucket set. Backends are `:fs` and `:s3`; default backend comes from deprecated `assets-storage-backend` only when present, otherwise `objects-storage-backend`, defaulting to `:fs`.
+- `put-object!` creates the DB `storage_object` row before writing backend content. Backend writes happen only for newly created rows, so deduplication can skip object writes.
+- Deduplication only applies when requested, when the content can provide a hash, and when bucket metadata is present. Reads exclude soft-deleted storage rows.
+- `sto/resolve` can reuse the current DB connection via `::db/reuse-conn true`; preserve this in transaction-sensitive code.
+- SVG validation strips DOCTYPE and uses secure SAX parsing. Basic SVG info falls back to 100x100 dimensions when width/height/viewBox are missing.
+- Raster metadata is shell-derived with ImageMagick `identify`, verifies detected MIME against the supplied MIME, and swaps dimensions for EXIF orientations 6/8.
+- Remote image download requires 2xx status, `content-length`, a known MIME, and size under the configured maximum before writing the temp file; mismatched byte count is an internal error.
+- Font processing shells out to FontForge and WOFF conversion tools and can derive TTF/OTF/WOFF variants from uploaded fonts.
+
+## File data persistence
+
+- File data backends are `legacy-db`, `db`, and `storage`. The storage backend keeps encoded file data in storage bucket `file-data`; the DB row stores metadata with `storage-ref-id` and nil data.
+- `fdata/upsert!` touches any storage object referenced by incoming metadata before storing the new row/blob.
+- Pointer-map fragments are persisted separately as type `fragment`, and only modified pointer maps are written.
+- `fdata/realize` combines pointer realization and object-map realization. Use it before operations that need complete in-memory file data instead of pointer placeholders.

.serena/memories/backend/rpc-db-worker-subtleties.md

@@ -0,0 +1,26 @@
+# Backend RPC/DB/Worker Subtleties
+
+## RPC exposure and wrappers
+
+- RPC commands are discovered from vars created by `app.util.services/defmethod`; adding a command namespace is not enough unless `backend/src/app/rpc.clj` includes it in `resolve-methods`.
+- `GET`/`HEAD` RPC calls are only allowed for method names starting with `get-`. Other methods are method-not-allowed even if they are read-only internally.
+- RPC auth defaults to enabled. Public endpoints must set `::auth false` metadata explicitly.
+- The wrapper stack does auth before params validation, then auditing/rate/concurrency/metrics/retry/condition handling, with DB transaction handling inside that stack. `::db/transaction` metadata controls transaction wrapping.
+- Params with `::sm/params` are decoded/conformed through the JSON transformer and successful IObj results get `:encode/json` metadata. Legacy spec conforming only applies when no Malli params schema exists.
+- Nil RPC bodies become HTTP 204 unless explicit status metadata is present. Stream bodies default to `application/octet-stream` when no content type is set.
+
+## DB helpers
+
+- Most `app.db` helpers accept a pool, connection, or map containing `::db/pool` / `::db/conn`; preserve that convention in shared code.
+- `db/tx-run!` uses `next.jdbc.transaction/*nested-tx* :ignore`: nested transaction calls reuse the outer transaction, not a savepoint. Use explicit savepoints when nested rollback semantics matter.
+- `db/run!` opens/reuses one connection but does not create a transaction.
+- `db/tjson` is Transit JSON for jsonb storage; `db/json` is plain JSON. Worker task props use Transit and are decoded with `decode-transit-pgobject`.
+- Advisory transaction locks accept UUIDs or ints. UUID locks are hashed using a zero-UUID seeded siphash.
+
+## Workers and cron
+
+- Task queues are tenant-prefixed. Submit dedupe only removes not-yet-due `new` tasks with the same name/queue/label; it does not dedupe due, scheduled, retry, running, or completed work.
+- The dispatcher selects `new`/`retry` tasks with `FOR UPDATE SKIP LOCKED`, marks them `scheduled`, and publishes Redis payload `[id scheduled-at]`. The runner skips Redis messages whose scheduled timestamp no longer matches DB state.
+- Lost `scheduled` tasks are rescheduled after about 5 minutes; `running` tasks older than about 24 hours are marked failed as orphans.
+- A task handler that is missing or returns an invalid result currently defaults to completed after warning. Throwing with `ex-data :type ::retry` controls retry behavior; `:strategy ::noop` retries without incrementing retry count.
+- Cron jobs lock their `scheduled_task` row with `FOR UPDATE SKIP LOCKED`, disable statement/idle-in-transaction timeouts locally, and reschedule themselves in `finally` unless interrupted. Worker, dispatcher, and cron components do not start when the DB pool is read-only.

.serena/memories/common/changes-architecture.md

@@ -0,0 +1,39 @@
+# File Mutations: Changes and Undo Architecture
+
+Penpot mutates file data through change records. A change set is both the persistence payload and the basis for undo/redo, so UI actions, tests, backend file updates, and library/file tooling should drive the production change pipeline instead of ad hoc object-map mutation.
+
+## Change shape
+
+Each change is a map such as `{:type ... :id ... :page-id ...}`. Common families:
+
+- `:add-obj`, `:mod-obj`, `:del-obj`: shape lifecycle. `:mod-obj` contains `:operations`, commonly `{:type :set :attr ... :val ... :ignore-geometry ... :ignore-touched ...}` or `{:type :set-touched ...}`.
+- `:add-component`, `:mod-component`, `:del-component`: component/library metadata.
+- `:add-children`, `:remove-children`, `:reg-objects`: tree and object-map edits.
+- `:set-option`, `:add-page`, `:mov-page`, and related file/page metadata changes.
+
+Each transaction carries `:redo-changes` and inverse `:undo-changes`. The undo stack stores transactions and can move its index backward/forward.
+
+## changes-builder API
+
+`common/src/app/common/files/changes_builder.cljc` (usually alias `pcb`) is the fluent builder. Start from `(pcb/empty-changes <it> <page-id>)` or `(pcb/empty-changes nil <page-id>)` for tests.
+
+High-value builder operations:
+- `pcb/with-page-id`, `pcb/with-objects`, `pcb/with-library-data`: set context for following operations.
+- `pcb/update-shapes ids update-fn`: emits `:mod-obj` with diff-derived `:set` ops. Options include `{:with-objects? true}`, `{:ignore-touched true}`, and `{:attrs #{...}}`.
+- `pcb/add-objects`, `pcb/change-parent`, `pcb/remove-objects`, `pcb/resize-parents`: shape/tree edits.
+- `pcb/add-component`, `pcb/update-component`, `pcb/mod-component`: component/library edits.
+- `pcb/set-translation? true`: marks the whole change set as translation-only, which lets component sync skip expensive work.
+
+## Applying changes in tests
+
+`thf/apply-changes` in `app.common.test-helpers.files` is the test analog of the production applier. It validates by default; pass `:validate? false` only for intentionally-invalid intermediate states.
+
+The applier uses the same `process-operation` multimethod as production (`common/src/app/common/files/changes.cljc`), so tests that use it exercise production behavior.
+
+## :touched and geometry
+
+For component touched semantics and sync groups, read `mem:common/component-data-model`. For the exact `set-shape-attr` / second-pass behavior during change application, read `mem:common/file-change-validation-migration-subtleties`. For transform-specific ignore-geometry behavior, read `mem:frontend/workspace-transform-subtleties`.
+
+## Inspection
+
+To inspect what a UI action emitted, use `mem:frontend/cljs-repl` with the snippets in `mem:common/component-debugging-recipes` rather than adding temporary source instrumentation.

.serena/memories/common/component-data-model.md

@@ -0,0 +1,41 @@
+# Component and Variant Data Model
+
+## Shape roles relative to components
+
+A shape can occupy multiple roles at once:
+
+1. Master/main instance: defines a component and has `:main-instance true` plus `:component-id`.
+2. Copy/non-main instance: produced by instantiating a component and carries `:shape-ref` pointing at the master shape. `(ctk/in-component-copy? shape)` is essentially `(some? (:shape-ref shape))`.
+3. Component root: topmost shape of an instance, marked `:component-root true` and carrying surface attrs such as `:component-id` and `:component-file`.
+
+Variant masters are main instances and component roots. Their descendants may themselves be component copies, so master/copy logic must handle nested instances rather than assuming those roles are exclusive.
+
+## :shape-ref chains
+
+`:shape-ref` walks up the inheritance hierarchy and can cross files for remote libraries. `find-ref-shape` and `get-ref-chain-until-target-ref` in `app.common.types.file` follow this chain.
+
+`find-shape-ref-child-of` in `app.common.logic.variants` walks the chain looking for the first ref-shape whose ancestors include a specific parent. Variant switch uses this to locate the equivalent master child in the target variant.
+
+## :touched flags
+
+`:touched` is a set of override-group keywords such as `:geometry-group`, `:fill-group`, and `:text-content-group`. It means a copy diverged from its master for attrs in that sync group.
+
+`sync-attrs` in `app.common.types.component` maps attrs to groups. `set-touched-group` is the legitimate setter; the central `set-shape-attr` path calls it only for copies and only when ignore flags allow it.
+
+Masters are not normally touched through `set-shape-attr`, but touched flags can appear on master shapes through cloning/duplication paths. `add-touched-from-ref-chain` in `app.common.logic.variants` unions touched flags from ancestors into the copy being processed, so upstream/master touched state can affect downstream switch behavior.
+
+## Cloning paths
+
+`make-component-instance` in `app.common.types.container` produces a clean component copy through `update-new-shape`, dissociating attrs such as `:touched`, `:variant-id`, and `:variant-name` on cloned shapes.
+
+`duplicate-component` in `app.common.logic.libraries` creates a new component master by cloning existing component shapes, setting component metadata, and applying a position delta. It does not have the same clean-copy semantics as `make-component-instance`, so inherited attrs on the source can matter.
+
+When a bug depends on touched state, identify which cloning path produced the shape before changing sync logic.
+
+## Variant containers
+
+A variant container is a frame with `:is-variant-container true`. Its children are variant masters with `:variant-id` pointing at the container and `:variant-name` naming the variant value. Component records in the library carry `:variant-properties`.
+
+Predicates are broad: `ctk/is-variant?` checks `:variant-id` and applies to both variant master shapes and component rows; `ctk/is-variant-container?` checks the container shape flag.
+
+Moving/dropping a shape into a variant container through the move-to-frame path can auto-convert it into a variant via `generate-make-shapes-variant`, which may duplicate the underlying component. Treat drag/drop into variant containers as a component/variant operation, not a plain reparent.

.serena/memories/common/component-debugging-recipes.md

@@ -0,0 +1,58 @@
+# Common Component and Change Debugging Recipes
+
+Keep source changes out of these recipes unless the task requires a durable fix.
+
+## Inspect recent workspace changes
+
+From `cljs_repl` after triggering an action:
+
+```clojure
+(let [items (get-in @app.main.store/state [:workspace-undo :items])
+      n (count items)]
+  (->> items
+       (drop (max 0 (- n 5)))
+       (map-indexed (fn [i it]
+                      {:idx (+ i (max 0 (- n 5)))
+                       :tags (:tags it)
+                       :n (count (:redo-changes it))
+                       :types (frequencies (map :type (:redo-changes it)))
+                       :ids (mapv :id (:redo-changes it))}))))
+```
+
+To inspect operations within the latest `:mod-obj`:
+
+```clojure
+(let [items (get-in @app.main.store/state [:workspace-undo :items])
+      mod-obj (->> (:redo-changes (last items))
+                   (filter #(= :mod-obj (:type %)))
+                   first)]
+  (:operations mod-obj))
+```
+
+## Trace variant switch attribute copying
+
+To capture what `update-attrs-on-switch` saw during a real UI swap, patch it temporarily in `cljs_repl`:
+
+```clojure
+(def orig (deref #'app.common.logic.libraries/update-attrs-on-switch))
+(def trace-buf (atom []))
+(set! app.common.logic.libraries/update-attrs-on-switch
+      (fn [& args]
+        (swap! trace-buf conj
+               (let [[_ curr prev _ _ origin _] args]
+                 {:curr (select-keys curr [:name :x :y :selrect :points :touched])
+                  :prev (select-keys prev [:name :x :y :selrect :points :touched])
+                  :origin-ref (select-keys origin [:id :name :x :y :width :height :selrect])}))
+        (apply orig args)))
+;; trigger UI action, then inspect @trace-buf
+(set! app.common.logic.libraries/update-attrs-on-switch orig)
+```
+
+Runtime patching is faster than adding temporary source instrumentation and avoids recompilation cleanup. Restore the var or reload the frontend when finished.
+
+## Test-side helpers
+
+- Use `thf/dump-file file :keys [...]` to print a shape tree with selected keys during common tests.
+- Prefer production-path helpers such as `cls/generate-update-shapes` plus `thf/apply-changes` for shape mutations.
+- For component swaps with keep-touched behavior, use `tho/swap-component-in-shape` with `{:keep-touched? true}`.
+- Temporary `prn` calls in production code are acceptable while investigating but should be removed before committing.

.serena/memories/common/component-swap-pipeline.md

@@ -0,0 +1,42 @@
+# Component Swap and Variant Switch Pipeline
+
+## Entry points
+
+Frontend entry points under `frontend/src/app/main/data/workspace/`:
+- `variants.cljs`: `variants-switch` and `variant-switch` events feed property-toggle UI and Plugin API `switchVariant` behavior into `dwl/component-swap`.
+- `libraries.cljs`: `component-swap` is the single-swap workhorse; `component-multi-swap` batches swaps and calls `component-swap` with `keep-touched? = false`.
+
+`keep-touched? = true` is the discriminator for preserving user overrides during variant switch. Batch/multi-swap paths intentionally bypass that logic.
+
+## Common-side pipeline
+
+For a single swap with `keep-touched? = true`:
+
+1. `cll/generate-component-swap` in `common/src/app/common/logic/libraries.cljc` builds the base changes: remove old shape and instantiate the target component in its place through `generate-new-shape-for-swap`, `generate-instantiate-component`, and `make-component-instance`.
+2. `clv/generate-keep-touched` in `common/src/app/common/logic/variants.cljc` walks pre-swap children, augments each with chain-derived touched flags through `add-touched-from-ref-chain`, finds the equivalent target shape through `find-shape-ref-child-of`, then calls `update-attrs-on-switch`.
+3. `update-attrs-on-switch` in `app.common.logic.libraries` decides which touched attrs from the previous shape should be copied onto the freshly instantiated target shape.
+
+## update-attrs-on-switch hazards
+
+The routine compares `current-shape` (fresh target copy), `previous-shape` (pre-swap shape with chain-derived touched), and `origin-ref-shape` (source variant master's equivalent shape). It loops over sync attrs except `swap-keep-attrs` and copies only attrs that pass several guards:
+
+- skip equal previous/current values;
+- skip equal composite geometry for selected attrs;
+- require the corresponding touched group;
+- for most attrs, require source and target masters to agree;
+- for fixed-size selrect/points/width/height, use dedicated fixed-layout geometry handling;
+- text and path shapes have specialized value conversion paths.
+
+The generic fallback branch copies from `previous-shape`. It represents the intended "carry user override through switch" behavior, but bugs usually appear when guards fail to reject incompatible geometry or master differences before reaching that branch.
+
+## Known sharp edges
+
+- Composite `:selrect` and `:points` bypass the simple different-master skip; width/height checks catch some but not all positional differences.
+- `previous-shape` may be repositioned by destination-root minus origin-root before copying. For normal variant switch this is often zero, but do not assume it for all swap entry points.
+- Touched flags can be inherited through ref chains, so a shape that looks untouched locally may still behave as touched after `add-touched-from-ref-chain`.
+
+## Test harness
+
+`common/src/app/common/test_helpers/compositions.cljc` has `swap-component-in-shape`, which drives `generate-component-swap` plus `generate-keep-touched` with the production `keep-touched?` flag. Use it for focused common tests of variant-switch behavior.
+
+`common/test/common_tests/logic/variants_switch_test.cljc` is the canonical reference suite for swap+touched scenarios. Read nearby tests before adding another case.

.serena/memories/common/core.md

@@ -0,0 +1,55 @@
+# Common Architecture and Workflow
+
+`common/` intro: shared CLJC for frontend, backend, exporter, library/file tooling, tests. Small semantic changes can affect multiple runtimes.
+
+## Stable namespace map
+
+- `app.common.data` and `app.common.data.macros`: generic data helpers and performance macros that do not depend on Penpot domain entities.
+- `app.common.types.*`: shared shape/file/page/component/token data types, schemas, predicates, and entity-local operations. `app.common.types.nitrate-permissions` contains shared fail-closed Nitrate organization/team permission rules.
+- `app.common.files.*`: file-level operations, shape tree helpers, change application, migrations, validation, and undo/redo-related logic.
+- `app.common.logic.*`: higher-level workflows/algorithms over files, shapes, components, variants, libraries, tokens, etc.
+- `app.common.geom.*`: geometry helpers and transformations.
+- `app.common.schema` / `app.common.schema.*`: Malli abstraction layer.
+- `app.common.math`, `app.common.time`, `app.common.uuid`, `app.common.json`, etc.: cross-runtime utilities.
+- `app.common.test_helpers.*`: test builders and production-path helpers.
+
+## Layering and cross-runtime rules
+
+Use reader conditionals for platform-specific code. Because CLJC runs on JVM and CLJS targets, avoid assuming browser-only or JVM-only behavior unless the reader conditional isolates it.
+
+Respect the intended abstraction direction in new/refactored code:
+- generic data utilities should not know Penpot domain concepts;
+- `types.*` should preserve invariants for a single domain entity or ADT;
+- `files.*` can coordinate several entities inside a file and preserve referential integrity;
+- `changes*` should adapt serializable change records to lower-level operations and avoid embedding broad business algorithms;
+- `logic.*` and frontend/backend event layers own higher workflow/business behavior.
+
+Some legacy code violates this layering; do not copy those violations into new code when a focused refactor is practical.
+
+## Focused memory routing
+
+Model, schema, and persistence shape:
+- File/page/shape/component attr changes, import/export surfaces, inspector/codegen, and cross-module checklist: `mem:common/data-model-change-checklist`.
+- Token data structures, token import/export, active theme/set semantics, and schema/coercion behavior: `mem:common/tokens-schema-subtleties`.
+
+Geometry and layout:
+- Shape geometry invariants, redundant geometry fields, and geometry-sensitive tests: `mem:common/geometry-invariants`.
+- Coordinate drift and approximate float comparisons: `mem:common/decimals-and-coordinates`.
+- Layout/grid assignment, deassignment, metadata cleanup, and auto-positioning: `mem:common/layout-grid-subtleties`.
+
+Change pipeline, validation, and migrations:
+- Change records, undo/redo architecture, changes-builder API, and production-path mutation guidance: `mem:common/changes-architecture`.
+- Change application, shape-tree edits, validation/repair, migrations, and second-pass touched behavior: `mem:common/file-change-validation-migration-subtleties`.
+
+Components, variants, and debugging:
+- Component/variant data model, ref chains, touched override semantics, and cloning paths: `mem:common/component-data-model`.
+- Component swap, variant switch, and keep-touched pipeline: `mem:common/component-swap-pipeline`.
+- Live inspection snippets, temporary runtime patching, and test-side debugging helpers for common change/component behavior: `mem:common/component-debugging-recipes`.
+
+Text and tests:
+- Shared text data conversion, DraftJS compatibility, modern text content, and derived position data: `mem:common/text-subtleties`.
+- Common test commands, helper conventions, production-path test mutations, and runtime coverage choices: `mem:common/test-setup`.
+
+## Areas without focused memories
+
+Common areas with little or no dedicated memory include colors, media/SVG helpers, path operations, thumbnail helpers, generic pools, weak refs, and some utility namespaces. Treat work there as source/test-led unless a focused memory exists.

.serena/memories/common/data-model-change-checklist.md

@@ -0,0 +1,25 @@
+# Common Data Model Change Checklist
+
+## Attribute conventions
+
+- Prefer optional page/shape attrs with default behavior when absent. Reverting to default should usually remove the attr instead of storing nil.
+- Do not treat nil as a distinct persisted state from absence. Import/export and cleanup paths may filter nil attrs away.
+- Avoid Clojure-special naming in exported object attrs, especially boolean names ending in `?`; exported/imported data must survive JSON/SVG/Transit and external tooling.
+- Any new shape attr that participates in component sync must be listed in `app.common.types.component/sync-attrs` with the correct touched group. Attrs absent from `sync-attrs` are ignored by component synchronization.
+
+## Cross-module update checklist
+
+When changing the file data model, check the relevant paths:
+- Schema/type definitions under `common/src/app/common/types*` and helpers under `common/src/app/common/files*` / `logic*`.
+- File migrations in `common/src/app/common/files/migrations.cljc` when old files cannot safely use absence/default behavior.
+- Frontend edit forms under `frontend/src/app/main/ui/workspace/sidebar/options/`; multi-selection behavior is usually in `multiple.cljs` and must handle `:multiple` values.
+- SVG/file render and export metadata under `frontend/src/app/main/ui/shapes/*`, especially `export.cljs` when an attr is not a native SVG property.
+- SVG import/parser paths under `frontend/src/app/worker/import/parser.cljs`; attrs not exported and imported will be lost on reimport.
+- Viewer inspect and code generation under `frontend/src/app/main/ui/viewer/inspect/*` and `frontend/src/app/util/code_gen.cljs` / markup/style helpers when handoff output should expose the attr.
+- Exporter/library consumers when the change affects file construction, rendering, or packaged `.penpot` archives.
+
+## Migrations
+
+Existing files should keep working unchanged when possible. If absence cannot preserve old behavior, add a migration and preserve append/order semantics described in `mem:common/file-change-validation-migration-subtleties`.
+
+Model changes can also require file feature flags or migration metadata updates; check nearby migrations and `common/src/app/common/features.cljc` before inventing a new pattern.

.serena/memories/common/decimals-and-coordinates.md

@@ -0,0 +1,54 @@
+# Decimals and Coordinates in Penpot
+
+Penpot stores all geometry as JS numbers (doubles in CLJS, doubles in
+CLJ for the JVM-side common code). Several Penpot-specific facts
+about how this plays out are not obvious from reading the code.
+
+## Sub-pixel drift is routine
+
+Coordinate values that "should" be integers are routinely off by ~1e-5
+in production data. A `:width` of 107 will frequently appear as
+`107.00001275539398` after the value has passed through:
+
+- the modifier propagation pipeline (`apply-wasm-modifiers` and the
+  Rust WASM transform engine)
+- any rotation/scale composition
+- repeated translations
+
+This drift is invisible in the UI (the renderer rounds at draw time)
+but defeats exact equality comparisons in business logic. It does NOT
+appear in JVM-only test setups because the WASM pipeline isn't
+involved — tests that build shapes via `setup-shape` and `add-sample-shape`
+get clean integer values. Bugs that depend on drift will pass tests
+but fire in production unless tests explicitly inject drift.
+
+## Use the close? helpers, not `=`
+
+For comparing coordinate-like floats, the established convention is:
+
+- `app.common.math/close?` — scalar tolerance comparison.
+  Default precision 0.001 (sub-pixel; tight enough to keep distinct
+  shapes distinct, loose enough to absorb arithmetic noise).
+  Two-arity uses default precision; three-arity takes a custom one.
+- `app.common.geom.point/close?` — element-wise close on `gpt/Point`
+  records. Compares :x and :y via `mth/close?`.
+- `app.common.geom.matrix/close?` — close on transform matrices.
+- `app.common.geom.shapes/close-attrs?` — used inside `set-shape-attr`
+  to decide whether a re-assigned `:width`/`:height` should be treated
+  as a no-op (suppresses spurious touched marking from drift).
+
+Treat `=` on `:x`, `:y`, `:width`, `:height`, `:selrect`, or `:points`
+fields as a code smell when the inputs may have flowed through any
+transform. The `set-shape-attr`-style precedent (already using
+`close-attrs?`) is the right model.
+
+## The redundancy multiplies failure modes
+
+A shape's position lives in `:x/:y`, `:selrect`, AND `:points` (see
+`mem:common/geometry-invariants` memory). Each is a separate set of float
+values. After any operation that touches geometry, all three should
+agree, but each is computed by a different path and accumulates
+its own drift. Comparing `:selrect.width` from shape A to
+`:selrect.width` from shape B is comparing two values that
+"semantically" should be equal but were computed via different
+operation chains — exact equality will often be false.

.serena/memories/common/file-change-validation-migration-subtleties.md

@@ -0,0 +1,28 @@
+# Common File Change, Validation, and Migration Subtleties
+
+## Change application
+
+- `process-changes` validates the whole change vector once by default, reduces changes, then performs a second pass for collected touched changes. Callers that already validated can pass `verify? false`.
+- `process-operation :set` delegates to `ctn/set-shape-attr`; `:assign` first decodes attrs with the shape-attrs JSON transformer and then emits per-attr set operations.
+- `set-shape-attr` treats `:position-data` as derived and never touched. Geometry/content-path changes use approximate equality; geometry differences under about 1px can be ignored for touched purposes.
+- Width/height are excluded from the `is-geometry?` branch in `set-shape-attr`; do not assume all geometry-group attrs follow identical ignore-geometry behavior.
+- `process-touched-change` marks the owning component modified when a touched shape belongs to a main instance; component-data changes can come from shape ops through this second pass.
+
+## Shape tree edits
+
+- `shape-tree/add-shape` falls back invalid/missing parent or frame ids to root (`uuid/zero`), ensures parent `:shapes` is a vector, avoids duplicate child ids, and clears `:remote-synced` on copy parents unless `ignore-touched` is true.
+- `shape-tree/delete-shape` removes the shape and all descendants from the objects map and removes the id from its parent. This is different from render-wasm deletion, which may keep deleted children for undo/redo internals.
+- Page object maps can carry metadata indexes such as cached frame lists. `start-page-index` / `update-page-index` rebuild those metadata indexes; `frontend` commit application calls `ctst/update-object-indices` after page changes.
+
+## Validation and repair
+
+- Full referential/semantic validation currently runs only when file features contain `"components/v2"`.
+- Validation starts at root plus orphan shapes, then validates component records. `validate-file!` raises `:validation :referential-integrity` with collected details.
+- `repair-file` does not mutate data directly; it reduces validation errors into redo changes using `changes-builder`. Callers must apply or persist those changes.
+
+## Migrations
+
+- Prefer optional attrs/default behavior so old files continue working without migration. If absence cannot preserve old behavior, add a migration.
+- Migrations are an ordered set mixing legacy version-derived ids and newer named ids. Keep append order stable; `migrate` applies the set difference between available migrations and file migrations.
+- `migrate-file` synthesizes legacy migration ids from old numeric versions when `:migrations` is absent, migrates legacy features, and records feature flags created through `cfeat/*new*`.
+- When a file had no previous `:migrations`, `migrate-file` marks all migrations as migrated in metadata so callers persist the complete migration set, not only transformations that changed data.

.serena/memories/common/geometry-invariants.md

@@ -0,0 +1,48 @@
+# Geometry Invariants in Penpot Shapes
+
+Core invariant: shape position is stored redundantly, and all geometry fields must stay coherent.
+
+## Redundant fields
+
+For a shape at `(x, y)` with width `w` and height `h`:
+
+- `:x`, `:y`, `:width`, `:height`: top-left and dimensions.
+- `:selrect`: `{:x :y :width :height :x1 :y1 :x2 :y2}`, where `x2 = x + w` and `y2 = y + h`.
+- `:points`: four corners for an axis-aligned rect, clockwise from top-left.
+- `:transform` and `:transform-inverse`: identity for axis-aligned shapes; populated for transformed shapes.
+
+After a geometric mutation, equivalent fields such as `:y`, `(:y :selrect)`, and the first point's `:y` should agree. The renderer and hit-testing read `:selrect` / `:points`, so a shape can render or select incorrectly even when `:x` / `:y` look right.
+
+## Helpers that preserve the invariant
+
+- `gsh/move`: translates by delta and updates geometry consistently.
+- `gsh/absolute-move`: moves to an absolute position by computing a delta from the current selrect.
+- `gsh/transform-shape`: applies a full transform.
+- `cts/setup-shape`: initializes geometry for new shapes; variant test helpers such as `thv/add-variant-with-child` use it.
+
+## Edits that break the invariant
+
+- `(assoc shape :x ...)` or `(assoc shape :y ...)`: updates only one field and leaves `:selrect` / `:points` stale.
+- `ths/update-shape file label :y val`: goes through `set-shape-attr`, but does not repair all position fields for `:y` alone.
+- Direct `update-in` edits to `:selrect`, `:points`, or dimensions.
+
+## Test setup warning
+
+When positioning test shapes, use `gsh/absolute-move`, `gsh/move`, or production change helpers. Do not set only `:x` / `:y`.
+
+```clojure
+(cls/generate-update-shapes
+  (pcb/empty-changes nil page-id)
+  #{(:id child)}
+  #(gsh/absolute-move % (gpt/point (:x %) 101))
+  (:objects page)
+  {})
+```
+
+Using `(ths/update-shape file label :y 101)` leaves `:selrect.y` stale. Downstream code that reads `:selrect` can then fail in ways that look like product bugs but are only invalid test setup.
+
+## :touched and geometry mutation
+
+When a copy shape changes geometry through the proper pipeline (`set-shape-attr` via `process-operation :set`), `:touched` gains `:geometry-group` unless ignored. Tests can either drive the production update with `cls/generate-update-shapes`, or inject `(assoc shape :touched #{:geometry-group})` when only touched state matters.
+
+If a test needs both a new position and touched state, move the shape first with geometry-preserving helpers, then inject or assert touched state.

.serena/memories/common/layout-grid-subtleties.md

@@ -0,0 +1,13 @@
+# Common Layout and Grid Subtleties
+
+## Layout metadata
+
+- Layout container data and child layout-item data are removed by different helpers. Do not assume clearing a layout frame also clears all child layout metadata.
+- Layout data can affect both container attrs and immediate child attrs; validate behavior for both sides when changing cleanup or propagation.
+
+## Grid assignment
+
+- Grid `assign-cells` ensures at least one column and row, skips absolute-position children, creates non-tracked rows/cols when children exceed tracked cells, and asserts that assigned cells do not overlap.
+- Grid deassignment removes cells for shapes that are no longer direct children or have become absolute-positioned.
+- Auto-positioning is not just sorting: some auto cells are converted to manual when empty/manual/span state would break the auto sequence, then auto single-span items can be compacted.
+- `fix-overlaps` is marked dev-only and removes one overlapping cell, preferring empty cells first. Avoid depending on it as normal production repair.

.serena/memories/common/test-setup.md

@@ -0,0 +1,48 @@
+# Common Module Test Setup
+
+`common/` is CLJC shared code. Tests should cover the relevant runtime(s): JVM for backend/common logic and JS for frontend/exporter behavior. For geometry, component, and file-model changes, JVM tests are common and fast, but JS/browser behavior can differ when WASM modifier math or CLJS-specific state is involved.
+
+## Running tests
+
+From `common/`:
+
+```bash
+pnpm run test:jvm
+clojure -M:dev:test
+pnpm run test:jvm --focus common-tests.logic.variants-switch-test
+clojure -M:dev:test --focus common-tests.logic.variants-switch-test/test-basic-switch
+pnpm run test:js
+pnpm run test:quiet
+pnpm run test:quiet -- --focus common-tests.logic.comp-sync-test
+pnpm run test:quiet -- --focus common-tests.logic.comp-sync-test/test-sync-when-changing-attribute --log-level warn
+pnpm run watch:test
+```
+
+Use `test:quiet` for non-interactive JS runs; it buffers `build:test` output and forwards runner args. Common JS runner args support `--focus <namespace-or-var>` and `--log-level trace|debug|info|warn|error`. After `pnpm run build:test`, direct compiled runner focus is faster: `node target/tests/test.js --focus common-tests.logic.comp-sync-test/test-sync-when-changing-attribute --log-level warn`. New common JS test namespaces must be required/listed in `common_tests/runner.cljc`; new vars in existing namespaces need no runner change. Multiple JVM `--focus` flags compose as a union.
+
+## Test helpers
+
+Helpers live under `common/src/app/common/test_helpers/` and are usually aliased with short `th*` prefixes. Test namespaces using label->uuid helpers should start with `(t/use-fixtures :each thi/test-fixture)` so labels reset between tests.
+
+Useful builders:
+- `thf/sample-file` creates a base file.
+- `tho/add-simple-component` creates a simple component.
+- `thc/instantiate-component` instantiates a component copy.
+- `thv/add-variant-with-child` creates a variant container with two child variants.
+- `thv/add-variant-with-copy` creates variants whose children are component instances.
+
+`add-variant-with-copy` does not accept position params for children; use `gsh/absolute-move` after creation if positions matter.
+
+## Driving production paths
+
+For shape mutations, prefer production-path helpers such as `cls/generate-update-shapes` plus `thf/apply-changes`. For component swaps with keep-touched behavior, use `tho/swap-component-in-shape` with `{:keep-touched? true}`.
+
+`thf/apply-changes` validates by default and usually gives the most useful invariant failure. Pass `:validate? false` only for intentionally malformed intermediate state.
+
+## Geometry setup caution
+
+For geometry-sensitive tests, read `mem:common/geometry-invariants` before positioning shapes. Use geometry-preserving helpers or production change helpers rather than direct single-field edits.
+
+## Debugging
+
+Use `mem:common/component-debugging-recipes` for shape-tree dumps, undo/change inspection, and temporary live instrumentation recipes.

.serena/memories/common/text-subtleties.md

@@ -0,0 +1,14 @@
+# Common Text Subtleties
+
+## DraftJS compatibility
+
+- `app.common.text` is legacy DraftJS conversion support. New text work should prefer the newer text type namespaces unless specifically touching DraftJS conversion.
+- DraftJS style values are encoded as Transit strings under `PENPOT$$$<key>$$$<encoded>` style names. `PENPOT_SELECTION` is a special marker.
+- Text conversion uses Unicode code points on both CLJ and CLJS paths, not UTF-16 code units. This matters for offsets around emoji and astral characters.
+- Draft conversion fixes gradient type strings back to keywords.
+
+## Modern text content
+
+- Modern text content schema is narrow: root -> paragraph-set -> paragraph -> text nodes.
+- `position-data` is derived layout/geometry/font fragment data and should be treated as generated state, not source-of-truth file data.
+- Token propagation and some non-current-page text updates drop `:position-data` so it can be regenerated in the right runtime context.

.serena/memories/common/tokens-schema-subtleties.md

@@ -0,0 +1,17 @@
+# Common Tokens and Schema Subtleties
+
+## Tokens
+
+- `TokensLib` always ensures an internal hidden theme exists and defaults active themes to that hidden theme path. That hidden theme represents the UI state where active sets are controlled without modifying a user-created theme.
+- `get-tokens-in-active-sets` merges tokens from sets selected by active themes in set order, so later active sets with the same token name override earlier ones.
+- Activating a real theme in `common.logic.tokens` removes the hidden theme from the active-theme set unless it is the only active theme. Toggling active sets directly copies current active sets into the hidden theme.
+- DTCG import/export deliberately hides the internal hidden theme: exports omit it from `$themes` and activeThemes, while `activeSets` records the hidden/current active sets.
+- Single-set DTCG/legacy imports throw if no supported tokens are found. Multi-set import normalizes set names, keeps `tokenSetOrder`, rejects conflicting token path names, discards unsupported token types, and validates theme sets against existing sets.
+- Token values stored on shapes are token names in `:applied-tokens`, not token ids. Renames and group renames must update those name paths.
+- Token serialization has both Transit handlers for frontend/backend transport and Fressian handlers for internal file-data storage, with migrations for older token-lib internal versions.
+
+## Schema
+
+- `app.common.schema/json-transformer` has custom map-of key decoding/encoding, so map keys can be transformed based on the key schema instead of only the value schema.
+- `check-fn` throws `ex-info` with default `:type :assertion`, `:code :data-validation`, and `::explain`. Prefer reusable `check-fn`/lazy validators in hot or repeated paths; `sm/check` creates a checker every call.
+- `coercer` decodes with the JSON transformer and then checks. This is the common pattern for accepting external JSON-shaped data into internal types.

.serena/memories/critical-info.md

@@ -0,0 +1,62 @@
+You are working on the GitHub project `penpot/penpot`, a monorepo.
+
+# Memory system
+
+- Memories are the primary project guidance (not docs or other readme files).
+- A section's top-level memory is `<section>/core`. When a section is relevant, read the core memory
+   before focused memories.
+- Edits/stale refs/duplication cleanup: `mem:memory-maintenance`.
+
+# Development workflow
+
+- Commit only when explicitly asked. Commit/PR format + changelog: `mem:workflow/creating-commits`, `mem:workflow/creating-prs`. Issue creation (titles, labels, body templates, Issue Types): `mem:workflow/creating-issues`.
+- You have access to the GitHub CLI `gh` or corresponding MCP tools.
+- Issues are also managed on Taiga. Read issues using the `read_taiga_issue` tool.
+- Before writing code, analyze the task in depth and describe your plan. If the task is complex, break it down into atomic steps.
+  *After making changes, run the applicable lint and format checks for the affected module before considering the work done (per example `mem:backend/core` or `mem:frontend/core`).
+- Never run anything that destroys data without explicit permission, including `drop-devenv`, `docker compose down -v`, `docker volume rm ...`. The user's real work lives in the volumes of the shared infra.
+
+# Project modules
+
+This is a monorepo. Principles that apply to one module do *not* generally apply to others. Do not make assumptions.
+
+- `frontend/`: ClojureScript + SCSS SPA/design editor.
+- `backend/`: JVM Clojure HTTP/RPC server with PostgreSQL, Redis, storage, mail, and workers.Runtime services and the task-queue vs Pub/Sub topology that constrains horizontal scaling: `mem:prod-infra/core`.
+- `common/`: shared CLJC data types, geometry, schemas, file/change logic, and utilities.
+- `render-wasm/`: Rust -> WebAssembly Skia renderer consumed by frontend.
+- `exporter/`: ClojureScript/Node headless Playwright SVG/PDF export.
+- `mcp/`: TypeScript Model Context Protocol integration.
+- `plugins/`: TypeScript plugin runtime/examples and Plugin API types.
+- `library/`: design library workflows.
+- `docs/`: documentation site.
+
+The memory is structured in a way that you can get the critical information about the
+module. You can read it from `mem:<MODULE>/core`
+
+# Low-centrality project paths
+
+- `docker/` contains devenv related code, not needed unless specifically instructed.
+   When working on devenv startup, compose layout, instance config (`defaults.env`),
+   tmux session lifecycle, MinIO provisioning, or anything in `manage.sh`'s
+   `*-devenv` commands, read `mem:devenv/core`.
+- `experiments/` contains standalone experimental HTML/JS/scripts; treat it as non-core unless the user explicitly asks about it.
+- `sample_media/` contains sample image/icon media and config used as fixtures/demo material; do not infer app behavior from it.
+
+# Dependency graph
+
+`frontend -> common`, `backend -> common`, `exporter -> common`, and `frontend -> render-wasm`. Changes in `common` can
+affect frontend, backend, exporter, file migrations, and design-library behavior; validate across consumers when
+semantics change.
+
+# Working with Penpot designs
+
+- Before automating or inspecting Penpot designs through the Plugin API, call the Penpot MCP `high_level_overview` tool.
+- connection between the JavaScript plugin API and the ClojureScript code: `mem:frontend/plugin-api-to-cljs-binding`.
+- executing ClojureScript code in the frontend: `mem:frontend/cljs-repl`.
+- handling Clojure compiler errors, runtime patching and debug helpers: `mem:frontend/handling-errors-and-debugging`.
+
+## Detecting Crashes
+
+The Penpot frontend can crash silently from the JS API's perspective: `execute_code` calls return successfully, but 1-2s later the workspace becomes unusable (Internal Error page).
+The `execute_code` tool then stops working, but `cljs_repl` still works. Use it to detect a crash via `(some? (:exception @app.main.store/state))`.
+For details on handling crashes, read memory `mem:frontend/handling-crashes`.

.serena/memories/devenv/core.md

@@ -0,0 +1,73 @@
+# Devenv startup and configuration
+
+Compose-based dev environment under `docker/devenv/`, driven by `manage.sh`. Parallel instances share infra + Postgres + MinIO; each instance has its own `main` container, Valkey, source checkout, tmux session.
+
+## Compose project layout
+
+- `penpotdev-infra`: shared `postgres`, `minio`, `minio-setup`, `mailer`, `ldap`. File: `docker-compose.infra.yml`.
+- `penpotdev-wsN` (N=0,1,…): per-instance `main` + `redis` (Valkey). File: `docker-compose.main.yml`. ws0 (a.k.a. `main`) binds `$PWD`; ws1+ bind clones at `${PENPOT_WORKSPACES_DIR}/wsN/` (default `~/.penpot/penpot_workspaces/`), maintained by the developer.
+- All projects join external network `penpot_shared`. Created idempotently by `ensure-devenv-network`, never removed by lifecycle commands.
+
+## Source-of-truth files
+
+- `docker/devenv/defaults.env`: ws0 baseline — container/volume names, runtime env, published host ports, tmux defaults. `manage.sh` aborts if unreadable.
+- For ws1+, `instance-env-overrides` computes the per-instance overrides (container/volume names, host ports offset `10000·N`, `PENPOT_PUBLIC_URI`, `PENPOT_REDIS_URI`, `PENPOT_BACKEND_WORKER=false`) and `instance-compose` injects them as env vars at compose time — never written to disk, recomputed each call so they can't drift. ws0 uses `defaults.env` as-is.
+- `backend/scripts/_env`: backend-internal only — secret keys, `PENPOT_FLAGS` (with `enable-backend-worker` gated on `PENPOT_BACKEND_WORKER`), `JAVA_OPTS`, `setup_minio()`. Never duplicates `defaults.env`.
+- Compose files use pure `${VAR}` substitution; missing var = compose fails.
+
+## Invariants
+
+- `infra-compose` / `instance-compose` wrap `docker compose` with `env -i`, then re-inject what compose needs. Stripping is required because `defaults.env` is sourced into manage.sh's shell at startup (stale values would leak); the ws1+ overrides are deliberately re-injected as shell env vars precisely because Compose gives shell precedence over `--env-file`, so they override the `defaults.env` baseline.
+- Volume names pinned via `name:` (PENPOT_*_VOLUME), decoupled from the compose project name. ws1+ inject distinct per-instance volume names; ws0 keeps the historical `penpotdev_*` physical names so project renames never require data migration.
+- Network aliases (`- main`, `- redis`) are not declared in main.yml. Compose's auto-service-alias still registers `redis` on the shared network, so DNS for `redis` is non-deterministic with multiple instances. Backend uses `PENPOT_REDIS_URI=redis://penpot-devenv-wsN-valkey/0` (container_name) instead.
+- No cross-project `depends_on`. `manage.sh ensure-infra-up` `docker wait`s on the `minio-setup` one-shot.
+- `JAVA_OPTS` in `manage.sh` is shadowed inside the container by `_env`. The `-e JAVA_OPTS=...` flag only matters for processes that don't source `_env`.
+
+## Worker policy
+
+Backend workers run only on ws0. `_env` gates `enable-backend-worker` on `PENPOT_BACKEND_WORKER`; ws1+ inject it as false. ws0 must be running whenever any ws1+ is running, and is the last instance to stop — `run-devenv-agentic --ws N` (N≥1) auto-starts ws0 first; `stop-devenv` refuses to stop ws0 while any ws1+ is up. Workers are pure fire-and-forget: `wrk/submit!` inserts a row into the shared Postgres `task` table and returns; RPC handlers never wait on completion and workers never publish to msgbus. The reason for "ws0 only" is avoiding multi-instance worker races (cron dedup is best-effort across instances, `wrk/submit!` `dedupe` is racy across submitters); details in `mem:prod-infra/core`.
+
+## Port layout
+
+Container-internal ports fixed; host side offset `10000·N`.
+
+| ws0 | ws1 | wsN | container | role |
+|---|---|---|---|---|
+| 3449 | 13449 | 3449+10000·N | 3449 | public HTTPS (Caddy; `/mcp/ws` same-origin) |
+| 3449/udp | 13449/udp | … | 3449/udp | HTTP/3 |
+| 4401 | 14401 | … | 4401 | MCP HTTP stream |
+| 4403 | 14403 | … | 4403 | MCP REPL |
+| 14181 | 24181 | … | 14281 | Serena MCP |
+| 14182 | 24182 | … | 24282 | Serena dashboard |
+
+Everything else (frontend dev, backend API, exporter, storybook, REPLs, plugin dev, MCP inspector/WebSocket) is in-process or same-origin via Caddy/nginx. Infra publishes: mailer 1080, ldap 10389/10636 (singletons, not offset).
+
+## Tmux + MCP routing
+
+`docker/devenv/files/start-tmux.sh` is session-level idempotent. Reads `PENPOT_TMUX_ATTACH`. If the session exists it attaches or exits; otherwise creates 4 base windows (frontend watch / storybook / exporter / backend) plus `mcp` (when `enable-mcp` in `PENPOT_FLAGS`) and `serena` (when `SERENA_ENABLED=true`). `run-devenv-agentic` always sets both env vars. The legacy `run-devenv` alias doesn't, hence its 4-window-only session. To switch from a legacy session to agentic, `stop-devenv` then `run-devenv-agentic` — the conditional windows are only added at session create time.
+
+MCP plugin routing is same-origin: frontend uses `<public-uri>/mcp/ws`, per-instance nginx proxies to MCP port 4401 in-container. For the plugin↔MCP server wiring (how the browser plugin discovers the URL, the in-memory connection registry, why DB-mediated routing isn't needed), see `mem:mcp/core`.
+
+## Workspace orchestration (ws1+)
+
+Workspace directories are user-maintained at `${PENPOT_WORKSPACES_DIR}/wsN`. `run-devenv-agentic --ws i` syncs only when `--sync` is passed, with one exception: if the workspace directory is missing on first use, sync runs implicitly to seed it.
+
+`sync-workspace wsN`:
+1. `assert-clean-git-state` — refuses on `.git/{rebase-apply,rebase-merge,MERGE_HEAD,CHERRY_PICK_HEAD,index.lock}`. No `--sync-force` escape.
+2. `rsync -a --delete $PWD/.git/ $workspace/.git/`.
+3. `git ls-files -z --cached --others --exclude-standard` → `rsync --files-from` (Git is the authority on tracked files; rsync's gitignore filter would drop committed files under gitignored parents like `.clj-kondo/config.edn`).
+4. Initial-only copy of `frontend/resources/public/js/config.js` (gitignored, but agentic mode needs it). After the first sync the workspace's copy belongs to the developer — subsequent syncs leave it alone.
+5. `git switch -C "wsN/<current-branch>"` inside the workspace.
+
+No `--delete` on the working-tree pass: gitignored caches in the workspace survive. Workspace dir + named volumes survive `compose down`.
+
+## CLI surface
+
+- `run-devenv-agentic [--ws main|0|wsN|N] [--sync] [--serena-context CTX]`: bring one instance up. Agentic only — MCP and Serena windows are always created. Default target main. Errors out if the target is already running. `--sync` is rejected on main; on ws1+ it's optional (forced only when the workspace dir does not exist yet). Auto-starts ws0 first when the target is ws1+ and ws0 is not yet up.
+- `stop-devenv [--ws main|0|wsN|N] [--all]`: stop instances. Flags mutually exclusive. `--ws N` (N≥1) stops just that workspace. `--ws 0` or no flag stops ws0 + shared infra, refused while any ws1+ is running. `--all` stops every ws highest-first then ws0, then infra.
+- `run-devenv`: legacy alias, ws0 non-agentic attached.
+- `attach-devenv [--ws main|0|wsN|N]`: pure attach. Fails fast if instance/session missing.
+- `run-devenv-shell [--instance 0|wsN|N] [cmd...]`: bash in target instance. (`--instance` flag not yet renamed to `--ws`.)
+- `start-devenv` / `log-devenv` / `drop-devenv`: legacy paths around ws0 + shared infra. `drop-devenv` never removes volumes.
+
+`exporter/scripts/run` and `wait-and-start.sh` source `backend/scripts/_env` then `_env.local` if present.

.serena/memories/exporter/core.md

@@ -0,0 +1,33 @@
+# Exporter Architecture and Workflow
+
+`exporter/`: CLJS/Node headless export service. Depends on `common/`; uses Playwright plus export JS/CLJS deps for SVG/PDF/assets.
+
+## Layout and commands
+
+- Source: `exporter/src/`; config: `deps.edn`, `shadow-cljs.edn`, `package.json`; runtime helpers/assets: `vendor/`, `scripts/`.
+- From `exporter/`: setup `./scripts/setup`; watch `pnpm run watch` or `pnpm run watch:app`; production build `pnpm run build`; lint `pnpm run lint`; format check/fix `pnpm run check-fmt` / `pnpm run fmt`.
+- Because exporter consumes `common/`, shared file/shape/model changes may need exporter verification even when the immediate change is not under `exporter/`.
+
+## HTTP and browser pool
+
+- POST body limit is about 60 MB. Exporter supports `application/transit+json`; request params merge query params and body params.
+- Map response bodies are Transit JSON and force HTTP 200; nil 200 bodies become 204.
+- Auth token comes from cookie `auth-token`, then uploads use Bearer auth plus the management shared key.
+- Each export job gets a fresh Playwright browser context. On success, the context closes and the browser returns to the pool; on error, the browser is destroyed instead of reused.
+- Borrow validates browser connection. Pool acquire timeout is about 10s; font loading timeout logs a warning and continues after about 15s.
+
+## Export batching and async behavior
+
+- `prepare-exports` groups entries by `[scale type]` and partitions groups into chunks of 50. Each partition uses file/page/share/name from its first item, so be careful if entries might cross those boundaries.
+- Single-export response is used only when multiple export is not forced and there is exactly one prepared export containing exactly one object.
+- Multi-object export can run async: when `wait` is false it returns a resource immediately and publishes progress/end/error to Redis by profile topic; when `wait` is true it waits for upload and returns the uploaded resource.
+- Frame export returns a resource immediately and publishes Redis updates; it does not follow the same `wait` option path.
+- ZIP entry names are sanitized and duplicates receive numeric suffixes.
+
+## Render details
+
+- Bitmap export differs for WASM vs non-WASM render paths: WASM forces Playwright `deviceScaleFactor` to 1 and passes scale through the render URL; non-WASM uses `deviceScaleFactor = scale`.
+- WebP is produced by taking a PNG screenshot and converting it with ImageMagick.
+- SVG export rasterizes text foreignObjects to PNG, converts through PPM/color masks/potrace, and reassembles SVG paths. It also replaces non-breaking spaces for SVG compatibility and drops empty defs/paths.
+- PDF export injects `@page` sizing through raw browser `evaluate` JavaScript; that code cannot rely on CLJS runtime helpers.
+- Temporary resources schedule local deletion, then uploads POST to `/api/management/methods/upload-tempfile` with `X-Shared-Key: exporter <management-key>` and Bearer auth.

.serena/memories/frontend/cljs-repl.md

@@ -0,0 +1,94 @@
+# ClojureScript REPL and Frontend Debugging
+
+Execute code in the live frontend via the Penpot MCP `cljs_repl` tool. For browser-console debugging, the frontend also exports a `debug` JS namespace in development builds.
+
+## Accessing app state
+
+The main store is `app.main.store/state`. It contains workspace metadata, selection, UI state, profile, route, etc. Page objects are not under a `:workspace-data` key; use derived refs.
+
+```clojure
+;; Current selection
+(mapv str (get-in @app.main.store/state [:workspace-local :selected]))
+
+;; Current page objects
+(let [objects @app.main.refs/workspace-page-objects
+      shape (get objects (parse-uuid "some-uuid-here"))]
+  (select-keys shape [:name :type :x :y :width :height :fills :strokes :rotation :opacity :frame-id :parent-id]))
+```
+
+Shape keys use kebab-case keywords. Internal `:rect` corresponds to "rectangle" in the JS Plugin API, and `:frame` corresponds to "board".
+
+Component instance shapes carry `:component-id` and `:component-file` directly; `:component-root` flags the root of an instance. Use `app.common.types.container/get-head-shape` for nearest head and `get-instance-root` for outermost root; they differ for nested instances.
+
+## Navigation recipe
+
+To programmatically open a workspace file, all three ids are required:
+
+```clojure
+(do (require '[app.main.data.common :as dcm])
+    (app.main.store/emit! (dcm/go-to-workspace
+      :team-id (parse-uuid "<team-id>")
+      :file-id (parse-uuid "<file-id>")
+      :page-id (parse-uuid "<page-id>"))))
+```
+
+Get `team-id` from `(:current-team-id @app.main.store/state)`. Get file ids from `(vals (:files @app.main.store/state))`. Get page ids by fetching file data, e.g. through `rp/cmd! :get-file` with current features.
+
+## Reload the live runtime
+
+`(.reload js/location)` (alias `app.util.dom/reload-current-window`) from `cljs_repl` reloads the browser page: clears `set!` runtime patches, re-fetches file state, and is the simplest crash recovery while the repl is live (`mem:frontend/handling-crashes`). To re-fetch only the current file's data without a full page reload, emit `(app.main.store/emit! (potok.v2.core/event :app.main.data.workspace/reload-current-file))`.
+
+## Useful lookup helpers
+
+`app.plugins.utils` contains state lookup helpers that are useful from any CLJS, despite living under `plugins/`:
+
+- `locate-shape`, `locate-objects`, `locate-file`.
+- `locate-component` resolves through the outermost instance root.
+- `locate-head-component` resolves through the nearest component head.
+- `locate-library-component` does direct file-id/component-id lookup.
+
+## Runtime patching with `set!`
+
+Some frontend vars are deliberately mutable escape hatches for runtime instrumentation or circular-dependency patching. From `cljs_repl`, use `set!` for temporary debugging of CLJS vars such as `app.main.store/on-event`, `app.main.errors/reload-file`, `app.main.errors/is-plugin-error?`, `app.main.errors/last-report`, or `app.main.errors/last-exception`. These patches affect only the live browser runtime and disappear on reload or recompilation.
+
+```clojure
+;; Log non-noisy Potok events temporarily.
+(set! app.main.store/on-event
+      (fn [event]
+        (when (potok.v2.core/event? event)
+          (.log js/console (potok.v2.core/repr-event event)))))
+```
+
+Restore mutable hooks after debugging, or reload the frontend. Use JVM `alter-var-root` only for JVM Clojure; it is not the normal way to patch live CLJS browser vars.
+
+## Browser-console debug namespace
+
+In development, the JS console exposes `debug` helpers from `frontend/src/debug.cljs`:
+
+```javascript
+debug.set_logging("namespace", "debug");
+debug.dump_state();
+debug.dump_buffer();
+debug.get_state(":workspace-local :selected");
+debug.dump_objects();
+debug.dump_object("Rect-1");
+debug.dump_selected();
+debug.dump_tree(true, true);
+```
+
+Visual workspace debug overlays can be toggled with `debug.toggle_debug("bounding-boxes")`, `"group"`, `"events"`, or `"rotation-handler"`; `debug.debug_all()` and `debug.debug_none()` toggle all visual aids.
+
+For temporary source traces, prefer existing logging (`app.common.logging` / `app.util.logging`) or short-lived `prn`, `app.common.pprint/pprint`, `js/console.log`, or `js-debugger` calls. Remove temporary source instrumentation before committing.
+
+## Runtime targeting
+
+`cljs_repl` may connect to the wrong runtime when several are attached, such as workspace plus rasterizer. Verify with `(.-title js/document)`; it should show the workspace file name, not "Penpot - Rasterizer".
+
+To list or target shadow-cljs runtimes, run from `/home/penpot/penpot/frontend`:
+
+```bash
+printf '(shadow.cljs.devtools.api/repl-runtimes :main)\n' | timeout 10 npx shadow-cljs clj-eval --stdin
+printf '(shadow.cljs.devtools.api/cljs-eval :main "<cljs-code>" {:client-id 5})\n' | timeout 10 npx shadow-cljs clj-eval --stdin
+```
+
+Use command timeouts so a disconnected browser does not hang the session.

.serena/memories/frontend/compile-diagnostics.md

@@ -0,0 +1,22 @@
+# Frontend Compile Diagnostics
+
+Separate from runtime crash recovery.
+
+## First check the shadow-cljs build
+
+Use the Penpot MCP `cljs_compiler_output` tool to inspect the latest shadow-cljs `:main` build status. This is the fastest way to distinguish a bad build from a runtime error in the browser.
+
+Recommended order after CLJ/CLJC/CLJS source edits:
+1. Run `cljs_compiler_output`.
+2. If the compiler reports a Clojure syntax problem, especially unmatched delimiters or a confusing location, run `clj_check_parentheses` on the absolute path of the suspect `.clj`, `.cljc`, or `.cljs` file.
+3. After the build is healthy, use `mem:frontend/cljs-repl`, browser tools, or runtime crash checks for behavior.
+
+## Parentheses checker
+
+`clj_check_parentheses` analyzes one Clojure/ClojureScript source file and reports the area likely responsible for unclosed parentheses/brackets/braces. Use it when compiler output points near EOF, points at a misleading later form, or says delimiter-related syntax errors.
+
+## Hot reload notes
+
+When the frontend shadow-cljs watch process is running, edits to CLJC files in `common/` are normally recompiled into the browser automatically. Do not restart the frontend before checking `cljs_compiler_output`; stale behavior is often a failed build.
+
+For production/minified stack traces, build the production bundle from `frontend/` with `pnpm run build:app`. Output and source maps are generated under `frontend/resources/public/js`; inspect source maps or shadow-cljs reports using build ids from `shadow-cljs.edn`.

.serena/memories/frontend/core.md

@@ -0,0 +1,54 @@
+# Frontend Architecture and Workflow
+
+Frontend: CLJS SPA; React/Rumext; Potok; RxJS; okulary refs; SCSS modules; shared `common/`; JS/TS workspace packages.
+
+## Stable namespace map
+
+- `app.main.ui.*`: Rumext/React UI components for workspace, dashboard, viewer, settings, auth, nitrate, etc.
+- `app.main.data.*`: Potok event handlers and side effects.
+- `app.main.refs`: reactive refs/lenses over store and derived workspace data.
+- `app.main.store`: Potok store and `emit!`.
+- `app.plugins.*` and `app.plugins`: CLJS implementation of Plugin JS API proxies.
+- `app.render_wasm.*`: frontend bridge to Rust/WASM renderer.
+- `app.util.*`: DOM, HTTP, i18n, keyboard, codegen, and general frontend utilities.
+- `frontend/packages/*` and `frontend/text-editor`: JS/TS workspace packages consumed by the app.
+- Nitrate subscription/organization UI and flows live under `app.main.data.nitrate` and `app.main.ui.nitrate*`; backend/API behavior is covered by backend memories, and shared permission rules are in `common/src/app/common/types/nitrate_permissions.cljc`.
+
+
+## Lint and Format
+
+From `frontend/`:
+
+- CLJ/CLJS lint: `pnpm run lint:clj`.
+- JS lint currently no-ops via `pnpm run lint:js`.
+- SCSS lint: `pnpm run lint:scss`.
+- Format checks: `pnpm run check-fmt:clj`, `pnpm run check-fmt:js`, `pnpm run check-fmt:scss`.
+- Format fix: `pnpm run fmt`, or targeted `fmt:clj` / `fmt:js` / `fmt:scss`.
+- Translation formatting after i18n edits: `pnpm run translations`.
+
+## Focused memory routing
+
+UI and packages:
+- App UI components, SCSS modules, style-system boundaries, accessibility, i18n, and render performance: `mem:frontend/ui-conventions-and-style-system`.
+- JS/TS packages, shared UI package, text editor, Storybook, and package builds: `mem:frontend/ui-packages-text-editor-workflow`.
+
+Workspace behavior:
+- Workspace state, commits, persistence, undo, repo calls, and refs: `mem:frontend/workspace-state-persistence-subtleties`.
+- Workspace transforms, modifier previews, WASM modifier integration, and transform commits: `mem:frontend/workspace-transform-subtleties`.
+- Workspace token application/propagation: `mem:frontend/workspace-token-subtleties`; shared token data/schema: `mem:common/tokens-schema-subtleties`.
+
+App shell and product flows:
+- Routing, root app shell, websocket, and global errors: `mem:frontend/routing-app-shell-subtleties`.
+- Dashboard and viewer flows: `mem:frontend/dashboard-viewer-subtleties`.
+- Plugin JS API runtime inside the frontend app: `mem:frontend/plugin-api-to-cljs-binding`.
+
+Diagnostics and validation:
+- Runtime inspection and navigation: `mem:frontend/cljs-repl`.
+- Source-edit compile/hot-reload diagnostics: `mem:frontend/compile-diagnostics`.
+- Runtime crash recovery: `mem:frontend/handling-crashes`.
+- Tests and live verification: `mem:frontend/testing`.
+- Real pointer/keyboard gesture reproduction: `mem:frontend/playwright-gestures`.
+
+## Areas without focused memories
+
+These frontend areas currently have no dedicated Serena memory beyond this architecture entry and nearby source/tests: clipboard, drawing tools, boolean/path operations, interactions/prototyping, color/style asset management, grid-layout editing UI, comments UI, fonts UI, and many dashboard/settings subflows. Treat work there as less memory-covered and inspect source/tests more carefully.

.serena/memories/frontend/dashboard-viewer-subtleties.md

@@ -0,0 +1,16 @@
+# Frontend Dashboard and Viewer Subtleties
+
+## Dashboard
+
+- Dashboard initialization fetches projects and fonts for the team, then listens to websocket messages only for global topic `uuid/zero` or the current profile id.
+- Project fetch replaces each project map completely instead of merging, so fields such as `deleted-at` can disappear cleanly.
+- Dashboard file/project mutations are often optimistic local updates with fire-and-forget RPC watchers. Bulk permanent delete/restore paths use SSE progress and progress notifications.
+- File creation/duplication strips file `:data` before putting file summaries into dashboard state.
+
+## Viewer
+
+- Viewer initialization sets `:current-file-id`, `:current-share-id`, and `:viewer-local`, then fetches the view-only bundle. Comment threads are fetched only for logged-in users.
+- Viewer bundle fetch sends the full supported feature set because anonymous shared viewers may not know team-enabled features.
+- View-only bundles can contain pointer values in `:pages-index` and file data. Viewer resolves those fragments with `:get-file-fragment` before storing the bundle.
+- `bundle-fetched` indexes pages and precomputes viewer frames/all-frames, stores libraries/users/thumbnails/permissions under `:viewer`, then navigates to frame id, query index, or auto-selected frame.
+- Viewer zoom and interaction mode changes update both `:viewer-local` and the `:viewer` route query params.

.serena/memories/frontend/handling-crashes.md

@@ -0,0 +1,38 @@
+# Frontend Runtime Crash Handling
+
+## Detect a runtime workspace crash
+
+Runtime crashes usually show the Internal Error page with title text "Something bad happened" and class `main_ui_static__download-link`. A common pattern is: changes go through via JS API / `execute_code`, then 1-2s later an `update-file` request reaches the backend and is rejected.
+
+After a crash, `execute_code` can become unusable because no plugin instances are connected and any data in its `storage` is lost, but `cljs_repl` usually still works.
+
+Check crash state:
+
+```clojure
+(some? (:exception @app.main.store/state))
+```
+
+It returns `true` when the Internal Error page is showing and `false` on a healthy workspace or after a successful reload.
+
+## Read the runtime cause
+
+The exception is stored at `(:exception @app.main.store/state)`. Useful keys:
+
+- `:type`, `:code`, `:status`: error class, e.g. `:validation`, `:referential-integrity`, `400`.
+- `:hint`, `:details`: human-readable explanation; `:details` often contains validation problems with `:shape-id`, `:page-id`, `:args`, etc.
+- `:uri`: API endpoint that returned the error, e.g. `update-file`.
+- `:app.main.errors/instance`: underlying JS Error object.
+- `:app.main.errors/trace`: JS stack trace string, usually response-handling path rather than the dispatch site that produced the bad change.
+
+```clojure
+(let [ex (:exception @app.main.store/state)]
+  (select-keys ex [:type :code :status :hint :details :uri]))
+```
+
+For backend validation errors (`:type :validation`), `:details` is usually the most informative field; it identifies the shape and invariant that failed.
+
+## Recover and continue testing
+
+Simplest path when `cljs_repl` is still live (usually true after a crash): reload via repl with `(.reload js/location)` — see `mem:frontend/cljs-repl`. Alternatively via Playwright: find the workspace tab (URL contains `/#/workspace`, title ends `- Penpot`), select it if not current, then `playwright:browser_navigate` to that same URL. Either way, confirm recovery with `(some? (:exception @app.main.store/state))` returning `false`.
+
+For backend-rejected changes, such as validation errors on `update-file`, changes are not persisted. Reload restores the pre-crash state, so it is safe to retry after fixing the cause.

.serena/memories/frontend/handling-errors-and-debugging.md

@@ -0,0 +1,49 @@
+# Handling Errors and Debugging
+
+## Finding source errors
+
+You have access to two tools for finding errors in Clojure source code (which you may introduce yourself through edits):
+
+1. cljs_compiler_output
+2. clj_check_parentheses
+
+The latter is needed because syntax errors in parentheses give an uninformative compiler error, and the second
+tool can often find the exact location of such errors.
+
+## Runtime patching with `set!`
+
+Some frontend vars are deliberately mutable escape hatches for runtime instrumentation or circular-dependency patching. 
+From `cljs_repl`, use `set!` for temporary debugging of CLJS vars such as 
+`app.main.store/on-event`, `app.main.errors/reload-file`, `app.main.errors/is-plugin-error?`, 
+`app.main.errors/last-report`, or `app.main.errors/last-exception`. 
+These patches affect only the live browser runtime and disappear on reload or recompilation.
+
+```clojure
+;; Log non-noisy Potok events temporarily.
+(set! app.main.store/on-event
+      (fn [event]
+        (when (potok.v2.core/event? event)
+          (.log js/console (potok.v2.core/repr-event event)))))
+```
+
+Restore mutable hooks after debugging, or reload the frontend. Use JVM `alter-var-root` only for JVM Clojure; 
+it is not the normal way to patch live CLJS browser vars.
+
+## Browser-console debug namespace
+
+In development, the JS console exposes `debug` helpers from `frontend/src/debug.cljs`:
+
+```javascript
+debug.set_logging("namespace", "debug");
+debug.dump_state();
+debug.dump_buffer();
+debug.get_state(":workspace-local :selected");
+debug.dump_objects();
+debug.dump_object("Rect-1");
+debug.dump_selected();
+debug.dump_tree(true, true);
+```
+
+Visual workspace debug overlays can be toggled with `debug.toggle_debug("bounding-boxes")`, `"group"`, `"events"`, or `"rotation-handler"`; `debug.debug_all()` and `debug.debug_none()` toggle all visual aids.
+
+For temporary source traces, prefer existing logging (`app.common.logging` / `app.util.logging`) or short-lived `prn`, `app.common.pprint/pprint`, `js/console.log`, or `js-debugger` calls. Remove temporary source instrumentation before committing.

.serena/memories/frontend/penpot-to-browser-coords.md

@@ -0,0 +1,117 @@
+# Penpot Canvas → Playwright Viewport Coordinate Mapping
+
+## Goal
+Map Penpot shape coordinates (from the JS/ClojureScript API) to browser viewport CSS pixels
+so that Playwright mouse actions (click, drag, hover) can target specific canvas objects.
+
+## Key Facts
+
+### Playwright coordinate system
+Playwright mouse coordinates are **viewport CSS pixels**: `(0, 0)` is the top-left of the
+browser's rendered content area (not the screen, not the OS window chrome).
+`getBoundingClientRect()` returns the same coordinate system — they are directly compatible.
+
+### Canvas element location
+The Penpot canvas is rendered by two co-located elements:
+- `<canvas>` — the rasterised render
+- `<svg id="render">` — vector overlay
+- `<svg class="...viewport-controls ...">` — interaction/control layer (has the `viewBox`)
+
+Get the canvas origin with:
+```js
+document.querySelector("#render").getBoundingClientRect()
+// => { left: 318, top: 0, width: 514, height: 586, ... }  (values vary with window size/panels)
+```
+The left offset (currently ~318 px) is caused by the left-side panel (layers, assets).
+
+### Zoom and pan state
+Available in two equivalent ways:
+
+**1. App state (ClojureScript):**
+```clojure
+(let [wl (get @app.main.store/state :workspace-local)]
+  {:zoom  (get wl :zoom)    ; scale factor: penpot-units → CSS pixels
+   :vbox  (get wl :vbox)})  ; Rect {:x :y :width :height} — penpot coords of visible area
+```
+
+**2. SVG viewBox attribute (DOM):**
+```js
+document.querySelector("svg.viewport-controls, [class*='viewport-controls']")
+  .getAttribute("viewBox")
+// => "670 658.31 224 255.38"  i.e. "vbox.x vbox.y vbox.width vbox.height"
+```
+Both sources are live and always in sync.
+
+### Coordinate conversion formula
+```
+viewport_x = canvas_left  + (penpot_x - vbox.x) * zoom
+viewport_y = canvas_top   + (penpot_y - vbox.y) * zoom
+```
+
+Sanity check: `vbox.width * zoom ≈ canvas CSS width` (and same for height). ✓
+
+### Device Pixel Ratio
+The canvas physical pixel size = CSS size × DPR (observed DPR = 1.25, so canvas internal
+size 642×732 vs CSS size 514×586). This does **not** affect the formula — both
+`getBoundingClientRect()` and Playwright use CSS pixels.
+
+### Ruler label offset
+The on-screen rulers show coordinates offset from absolute Penpot coordinates (they display
+frame-relative values, offset by ~the top-level frame's x/y). **Ignore for coordinate
+mapping** — use `vbox` directly.
+
+---
+
+## ClojureScript Helper (paste into cljs REPL session)
+
+```clojure
+(defn penpot->viewport-coords
+  "Convert Penpot canvas coordinates to browser viewport CSS pixel coordinates.
+   Returns {:vp-x <number> :vp-y <number>} — pass directly to Playwright mouse actions."
+  [penpot-x penpot-y]
+  (let [state       @app.main.store/state
+        wl          (get state :workspace-local)
+        vbox        (get wl :vbox)
+        zoom        (get wl :zoom)
+        canvas      (js/document.querySelector "svg.viewport-controls, #render")
+        canvas-rect (.getBoundingClientRect canvas)]
+    {:vp-x (+ (.-left canvas-rect) (* (- penpot-x (:x vbox)) zoom))
+     :vp-y (+ (.-top  canvas-rect) (* (- penpot-y (:y vbox)) zoom))}))
+```
+
+Usage example — click the center of a shape:
+```clojure
+(let [shape   (get-in @app.main.store/state [:files file-id :data :pages-index page-id :objects shape-id])
+      cx      (+ (:x shape) (/ (:width shape) 2))
+      cy      (+ (:y shape) (/ (:height shape) 2))
+      {:keys [vp-x vp-y]} (penpot->viewport-coords cx cy)]
+  ;; pass vp-x, vp-y to Playwright page.mouse.click(vp-x, vp-y)
+  {:vp-x vp-x :vp-y vp-y})
+```
+
+---
+
+## JavaScript equivalent (for use in Playwright scripts directly)
+
+```js
+function penpotToViewport(penpotX, penpotY) {
+  // Read viewBox from the controls SVG (always in sync with app state)
+  const svg = document.querySelector('[class*="viewport-controls"]');
+  const [vbX, vbY, vbW, vbH] = svg.getAttribute('viewBox').split(' ').map(Number);
+  const rect = svg.getBoundingClientRect();
+  const zoom = rect.width / vbW;  // == rect.height / vbH
+  return {
+    x: rect.left + (penpotX - vbX) * zoom,
+    y: rect.top  + (penpotY - vbY) * zoom,
+  };
+}
+```
+
+This function can be injected and called via `page.evaluate()` in Playwright:
+```js
+const {x, y} = await page.evaluate(
+  ([px, py]) => penpotToViewport(px, py),
+  [penpotX, penpotY]
+);
+await page.mouse.click(x, y);
+```

.serena/memories/frontend/playwright-gestures.md

@@ -0,0 +1,47 @@
+# Driving Real User Gestures via Playwright
+
+Use Playwright when the bug or behavior depends on Penpot's real input pipeline: pointer gestures, keyboard modifiers, drag/drop targeting, modifier propagation, hover/focus behavior, or alt-drag duplication. The plugin JS API and `penpot:execute_code` can bypass these paths by dispatching store/API operations directly.
+
+## When `execute_code` Is Not Enough
+
+`execute_code` runs in the plugin sandbox. It is excellent for creating shapes, calling Plugin API methods, and querying design data, but it does not faithfully reproduce all user gestures. If the issue involves interactive transforms, frame targeting during drop, drag previews, modifier keys, or canvas hit-testing, drive the browser with Playwright and inspect results via cljs-repl.
+
+## Gesture Pattern
+
+A reliable drag gesture generally needs:
+- focus on the canvas first;
+- key modifiers held from before mouse down until after mouse up;
+- intermediate mouse move events, not just start/end;
+- short waits so Penpot's drag pipeline observes the gesture;
+- a trailing wait for the transaction to commit.
+
+Alt-drag duplication example:
+
+```javascript
+async (page) => {
+  await page.mouse.click(700, 700);
+  await page.waitForTimeout(200);
+
+  const startX = 821, startY = 565, endX = 821, endY = 815;
+  await page.keyboard.down('Alt');
+  await page.mouse.move(startX, startY);
+  await page.waitForTimeout(100);
+  await page.mouse.down();
+  await page.waitForTimeout(100);
+  for (let i = 1; i <= 10; i++) {
+    const t = i / 10;
+    await page.mouse.move(startX + (endX - startX) * t,
+                          startY + (endY - startY) * t);
+    await page.waitForTimeout(20);
+  }
+  await page.waitForTimeout(100);
+  await page.mouse.up();
+  await page.waitForTimeout(100);
+  await page.keyboard.up('Alt');
+  await page.waitForTimeout(500);
+}
+```
+
+## Coordinate Planning
+
+For reliably finding pixel positions of objects, see `mem:frontend/penpot-to-browser-coords`.

.serena/memories/frontend/plugin-api-to-cljs-binding.md

@@ -0,0 +1,34 @@
+# Frontend Plugin API Runtime Subtleties
+
+## Type declarations vs runtime
+
+- The Plugin API is a public facade over internal frontend/common data. Do not expect Plugin API property names, value shapes, or behavior boundaries to match internal CLJS attrs or helper APIs; inspect the relevant proxy and internal code path before using Plugin API observations in production internals or tests.
+- `plugins/libs/plugin-types/index.d.ts` contains TypeScript declarations only. Runtime objects are CLJS proxies built under `frontend/src/app/plugins/*.cljs` with `obj/reify`.
+- `shape.cljs` builds shape proxies with hidden ids and per-property CLJS implementations. `library.cljs` builds library proxies such as `LibraryComponentProxy`.
+- `shape.cljs`, `library.cljs`, and related namespaces break circular dependencies with mutable nil vars patched from `app.plugins` at load time. If a proxy constructor appears nil, check the patching path in `frontend/src/app/plugins.cljs`.
+
+## Key Domain Namespaces
+- `app.common.types.component` (aliased `ctk`) — component predicates: `instance-root?`, `instance-head?`, `in-component-copy?`, `is-variant?`
+- `app.common.types.container` (aliased `ctn`) — container/tree operations: `in-any-component?`, `get-instance-root`, `get-head-shape`, `inside-component-main?`
+- `app.common.types.file` (aliased `ctf`) — file-level operations: `resolve-component`, `get-ref-shape`
+
+## Runtime initialization and permissions
+
+- The frontend initializes `@penpot/plugins-runtime` only after `features/initialize` and only when feature `plugins/runtime` is active. It also installs the runtime `isPluginError` predicate into frontend error handling.
+- Manifest parsing expands write permissions to read permissions (`content:write` => `content:read`, etc.). Permission checks also allow the all-zero plugin id and the hard-coded MCP plugin id.
+- Manifest URL origin differs by manifest version: v1 clears the path; v2 joins `.` to the plugin URL. Existing plugin ids are reused by matching manifest name and host.
+- The MCP plugin id is defined in `app.plugins.register` to avoid a circular dependency with workspace MCP code.
+
+## Proxy behavior
+
+- Public Plugin API objects are lightweight handles, not durable snapshots. Most getters locate fresh state from `app.main.store/state` using hidden `$id`, `$file`, `$page`, etc.
+- `not-valid` logs by default but throws when the plugin flag `throwValidationErrors` is enabled. The MCP execute-code handler deliberately enables that flag while running code.
+- `naturalChildOrdering` and `throwValidationErrors` are stored per plugin under `[:plugins :flags plugin-id ...]`; changing default behavior affects automation and MCP diagnostics.
+- Plugin data is stored under keyword namespaces: private data uses `(keyword "plugin" plugin-id)`, shared data uses `(keyword "shared" namespace)`.
+
+## Events and history
+
+- Plugin listeners are watches on the global store and callbacks are debounced about 10ms. Callback exceptions are caught and logged so plugin code does not crash the app.
+- `selectionchange` callbacks receive arrays of shape id strings, while `filechange`, `pagechange`, and `shapechange` return proxies.
+- `contentsave` fires only when persistence status transitions to `:saved`; it calls the callback with no value.
+- Plugin history `undoBlockBegin` creates a workspace undo transaction with a JS `Symbol`; `undoBlockFinish` commits that symbol. Missing finish eventually relies on the workspace transaction timeout.

.serena/memories/frontend/routing-app-shell-subtleties.md

@@ -0,0 +1,17 @@
+# Frontend Routing, App Shell, Websocket, and Error Subtleties
+
+## Router, app shell, and errors
+
+- Routing uses browser-history hash tokens, but `on-navigate` rejects navigation if the current origin/path does not match `cf/public-uri`.
+- Route params are split into `:path` and `:query`; duplicate query params can become vectors, so use `rt/get-query-param` when a scalar is required.
+- Unknown/empty routes trigger an extra `get-profile`/`get-teams` check before redirecting. This avoids invitation and root-route race conditions.
+- The root app renders an exception page from `:exception` state before the normal error boundary. `rt/navigated` clears `:exception`.
+- Frontend error handling treats stale cross-build JS chunk failures specially: messages containing `$cljs$cst$` or `$cljs$core$I` plus undefined/null/not-a-function signatures trigger throttled reload.
+- Plugin-originated uncaught errors are identified through the plugin runtime hook and logged rather than turning into the global exception page.
+
+## Store and websocket
+
+For general store mechanics such as `emit!`, `last-events`, persistence, and undo, read `mem:frontend/workspace-state-persistence-subtleties`.
+
+- Websocket initialization uses `cf/public-uri` joined with `ws/notifications`, converting `http/https` to `ws/wss`, and includes the current `session-id` as query param.
+- Reinitializing or finalizing websocket stops the previous receive stream. Incoming websocket payloads become Potok data events under `app.main.data.websocket/message`.

.serena/memories/frontend/testing.md

@@ -0,0 +1,35 @@
+# Frontend Testing and Live Verification
+
+Frontend validation: CLJS + React/Rumext + RxJS/Potok; SCSS modules; shared CLJC from `common/`.
+
+## Unit tests
+
+Frontend unit tests live under `frontend/test/frontend_tests/` and use `cljs.test`. They should be deterministic, avoid DOM/UI integration where possible, and mock side effects such as RPC, storage, timers, or network access.
+
+From `frontend/`:
+- Full unit test run: `pnpm run test:quiet`.
+- Focus a frontend CLJS test namespace: `pnpm run test:quiet -- --focus frontend-tests.logic.components-and-tokens`.
+- Focus one frontend CLJS test var: `pnpm run test:quiet -- --focus frontend-tests.logic.components-and-tokens/change-spacing-token-in-main-updates-copy-layout`.
+- Quiet `app.*` logging during a run: append `--log-level warn` (or `trace|debug|info|warn|error`).
+- Build test target only: `pnpm run build:test`.
+- After `pnpm run build:test`, direct compiled runner focus is faster: `node target/tests/test.js --focus frontend-tests.logic.components-and-tokens/change-spacing-token-in-main-updates-copy-layout`.
+- Watch tests: `pnpm run watch:test`.
+
+New frontend test namespaces must be required/listed in `frontend_tests/runner.cljs`; new vars in existing namespaces need no runner change.
+
+## Playwright integration tests
+
+Do not add, modify, or run Playwright integration tests under `frontend/playwright` unless explicitly asked. When explicitly asked, use `pnpm run test:e2e` or `pnpm run test:e2e --grep "pattern"` from `frontend/`; ensure dependencies are installed through `./scripts/setup` if the environment is not prepared.
+
+Integration tests fake backend behavior by intercepting network/websocket traffic, so every RPC or websocket the page needs must be mocked. Use existing Page Object Models:
+- `BasePage.mockRPC` intercepts RPC calls and already prefixes `/api/rpc/command/`; pass command names such as `get-profile`, not full URLs.
+- Workspace or other websocket-using pages should extend/use `BaseWebSocketPage`, initialize websocket mocks before each test, and mock `/ws/notifications` with the provided helpers.
+- Prefer common locators/actions in POMs; ad-hoc locators can stay in a single test.
+
+Locator priority should follow user-facing semantics: `getByRole`, `getByLabel`, `getByPlaceholder`, `getByText`, then semantic alternatives such as alt/title, with `getByTestId` as the last resort. Name tests from the user's perspective and prefer positive, single-purpose assertions.
+
+## Live browser verification
+
+Because CLJC compiles to both JVM and CLJS, JVM/common tests can miss frontend-only state caused by browser runtime, WASM modifier math, or real pointer events. Use `mem:frontend/cljs-repl` to inspect live app state and `mem:frontend/playwright-gestures` when real input is needed.
+
+For stale hot reload or failed CLJ/CLJC/CLJS source builds, read `mem:frontend/compile-diagnostics`. For Internal Error pages or delayed runtime crashes after automation/API actions, read `mem:frontend/handling-crashes`. Translation `.po` changes are bundled into `index.html` and require a browser refresh.

.serena/memories/frontend/ui-conventions-and-style-system.md

@@ -0,0 +1,56 @@
+# Frontend UI Conventions and Style System
+
+## CLJS app UI
+
+- Main app components live under `frontend/src/app/main/ui*` and normally use Rumext `mf/defc` with a `*` suffix for component vars and `[:> component* props]` call sites.
+- Components should have clear ownership. Use `children` for normal composition; use slotted props only when separate owned regions are needed. Do not style or structurally manipulate child DOM that the component did not instantiate.
+- Accept and merge a `class` prop when callers reasonably need layout/positioning customization. Use `mf/spread-props` so Rumext prop transformations such as `:class` -> `className` still apply.
+- Avoid boolean prop names ending in `?`; they do not translate cleanly to JavaScript props. Use type hints such as `^boolean` where JS truthiness/semantics matter.
+- Split large components into smaller private components when useful; `::mf/private true` is the local convention for private Rumext components.
+
+## Styling
+
+- Co-located SCSS modules are preferred. Use `app.main.style/stl` helpers from CLJS and design-system SCSS tokens/mixins instead of legacy global selectors or high-specificity nesting.
+- Keep CSS specificity low. Avoid nested selectors unless they target elements the component owns; CSS Modules already prevent class-name collisions.
+- Prefer CSS logical properties for directional spacing/layout (`padding-inline-start`, etc.). Physical `width`/`height` are still acceptable where they are clearer.
+- Use named design-system variables/tokens for spacing, borders, fixed dimensions, colors, and typography. Avoid hardcoded px/rem values and deprecated `resources/styles/common/refactor/spacing.scss` variables.
+- Use component-local CSS custom properties for variants and theming instead of one-off Sass variables when a component has multiple visual states.
+- Prefer DS typography components (`heading*`, `text*`) and typography mixins instead of plain text wrappers or deprecated typography mixins.
+
+## Accessibility
+
+- Prefer semantic HTML first: anchors for navigation/download/email links, buttons for actions, correct heading levels, and keyboard-focusable controls.
+- If native elements cannot be used, apply appropriate ARIA roles/patterns. Follow WAI-ARIA APG patterns for standard widgets.
+- Icon-only controls need an accessible name via surrounding text, `aria-label`, `alt`, or equivalent. Decorative images/icons should be hidden from assistive tech.
+
+## I18n
+
+- Translations must be resolved during render or render-time memoization, not at namespace load time. For static option lists, memoize inside render so locale changes still update labels.
+- Translation files live in `frontend/translations/*.po`. Translation changes are bundled into `index.html`; refresh the browser after changing translations because there is no hot reload for translation strings.
+- Run `pnpm run translations` from `frontend/` after adding/updating translation text.
+- Adding a new supported locale requires updates in both `frontend/src/app/util/i18n.cljs` (`supported-locales`) and `frontend/scripts/_helpers.js` (`langs`).
+
+## Performance
+
+- Keep expensive derived data in refs, memoized selectors, or pure helpers. In hot render paths, prefer existing `app.common.data.macros` helpers where local code already uses them.
+- Avoid creating new callback functions/objects inside hot renders when a named function, memoized callback, data attribute, or precomputed JS props object works.
+- Destructure props/state values used repeatedly. Avoid repeated deref/property access in render loops.
+
+## Shared React UI package
+
+- `frontend/packages/ui` is the shared React/Vite package. It should remain framework-neutral relative to the CLJS app store; reusable primitives belong here only when they do not depend on Potok/Rumext app state.
+- Package styles are emitted through the package build and copied into `frontend/resources/public/css/ui.css`; stale shared styles are often a build artifact issue.
+- Storybook is the primary visual harness for shared UI/package behavior. Use `mem:frontend/ui-packages-text-editor-workflow` for package build/test commands.
+
+## Choosing a location
+
+- Put editor/dashboard/viewer workflow logic in CLJS app namespaces close to the owning feature.
+- Put reusable presentational React primitives in `frontend/packages/ui` when they can be consumed without Penpot app state.
+- Put CLJS design-system components under `frontend/src/app/main/ui/ds`; new DS components need implementation, CSS module, Storybook story, optional MDX docs, and export from `frontend/src/app/main/ui/ds.cljs` with a JavaScript-friendly name.
+- Put text editing internals in `frontend/text-editor` when the behavior belongs to the JS editor package; use `mem:common/text-subtleties` for shared text data-model behavior.
+
+## Validation
+
+- For CLJS app UI, use `mem:frontend/testing`, `mem:frontend/compile-diagnostics`, and live browser/REPL checks when behavior depends on store or canvas state.
+- For shared UI package changes, run the package build plus Storybook/component tests when relevant.
+- For text editor changes, run `frontend/text-editor` tests and refresh/copy WASM artifacts if render-wasm output is involved.

.serena/memories/frontend/ui-packages-text-editor-workflow.md

@@ -0,0 +1,34 @@
+# Frontend UI Packages and Text Editor Workflow
+
+`frontend/packages/`, `frontend/text-editor/`, Storybook/component tests. Separate from CLJS app UI under `frontend/src/app/main/ui`.
+
+## Package boundaries
+
+- `frontend/packages/ui` builds `@penpot/ui`, a React/Vite library package. It exports ESM and type declarations from `dist/`; React and ReactDOM are peer dependencies and must stay external in the Vite library build.
+- The UI package build copies generated `dist/index.css` into `frontend/resources/public/css/ui.css`. If shared UI styles look stale in the app, rebuild the package or check this copy step before debugging CLJS style code.
+- `frontend/text-editor` builds `@penpot/text-editor` from `src/editor/TextEditor.js`. It is a Vite JS package, not CLJS, and has its own Vitest/browser-test setup.
+- The text editor consumes render-wasm artifacts copied from `frontend/resources/public/js` into `frontend/text-editor/src/wasm`. Use `pnpm run wasm:update` after rebuilding `render-wasm` if tests or local dev use stale WASM files.
+- Other packages under `frontend/packages/` such as `tokenscript`, `draft-js`, and `mousetrap` are workspace dependencies used by the frontend app; do not assume their runtime behavior lives in CLJS namespaces.
+
+## Commands
+
+From `frontend/`:
+- Build app-side JS package assets: `pnpm run build:app:libs`.
+- Watch app-side JS package assets: `pnpm run watch:app:libs`.
+- Storybook build: `pnpm run build:storybook`; local Storybook: `pnpm run watch:storybook`.
+- Storybook/component tests: `pnpm run test:storybook`.
+
+From `frontend/packages/ui`:
+- Build library and CSS artifact: `pnpm run build`.
+- Watch library build: `pnpm run watch`.
+
+From `frontend/text-editor`:
+- Local Vite dev: `pnpm run dev`.
+- Tests: `pnpm run test`; coverage: `pnpm run coverage`; browser watch: `pnpm run test:watch:e2e`.
+- Format check: `pnpm run fmt:js`.
+
+## Validation notes
+
+- Frontend root `check-fmt:js` covers stories, Playwright scripts, frontend scripts, and `text-editor/**/*.js`; it does not replace package-specific builds/tests.
+- Changes to shared UI package exports should be validated both in the package build and in the consuming app/Storybook path.
+- Changes that alter text rendering/editing can involve `frontend/text-editor`, `render-wasm`, CLJS text integration, and `mem:common/text-subtleties`; verify the runtime that actually owns the changed behavior.

.serena/memories/frontend/workspace-state-persistence-subtleties.md

@@ -0,0 +1,33 @@
+# Frontend Workspace State and Persistence Subtleties
+
+## Store and interaction streams
+
+- `app.main.store/state` is the Potok store; `emit!` always returns nil. Store errors flow through the mutable `on-error` atom.
+- `last-events` keeps a filtered rolling buffer of about 50 event type strings and commit hint origins. It intentionally omits noisy websocket/persistence/pointer events.
+- `ongoing-tasks` controls `window.onbeforeunload`: any non-empty set blocks tab unload.
+- `app.main.streams/wasm-modifiers` and `workspace-selrect` are behavior subjects used for high-frequency interactive preview state that bypasses normal store updates and lenses.
+- Keyboard modifier streams merge a window blur signal so stuck modifier-key state is cleared after focus loss.
+
+## Repo calls
+
+- `app.main.repo/send!` uses GET only when the RPC name starts with `get-`, when all params are query params, or for configured special cases. Only GET requests are retried.
+- GET retry is limited to transient `:network`, `:bad-gateway`, `:service-unavailable`, and `:offline` errors with exponential backoff. Mutations are not retried.
+- A server SSE response is only accepted when the command is configured `:stream?`; otherwise it raises an unexpected-response assertion.
+
+## Commits, undo, persistence
+
+- `commit-changes` refuses to create commits unless `:permissions :can-edit` is true. It captures file revn/vern, selected-before, features, tags, undo group, and translation flag into a `::commit` event.
+- Applying a remote commit first rolls back pending local commits, applies the remote changes, then replays pending local redo changes. Index updates are emitted for undo, remote redo, and replayed redo paths.
+- Local commits are independently consumed by undo, persistence, WASM model updates, thumbnail/library watchers, and text position-data recalculation.
+- Persistence buffers local commits: status becomes pending after about 200ms, commits are flushed after about 3s or `::force-persist`, and buffered commits are merged per file before `:update-file`.
+- Persistence sends revn as the max of the commit revn and locally tracked latest revn; remote commits update that revn tracker.
+- Persistence is skipped in version preview/read-only mode or without edit permission.
+- Undo transactions can stay open only temporarily; timed-out pending transactions are force-committed after about 20s. Undo entries are capped at 50.
+- Undo/redo are ignored while a normal editor/drawing interaction is active, except grid-layout edition handles undo through this path.
+- After local commits and when render-wasm is active, text shapes get derived `:position-data` recomputed in a separate commit tagged `#{:position-data}`; that tag is excluded from the position-data watcher to avoid loops.
+
+## Refs
+
+- `refs/libraries` is explicitly deprecated for performance; prefer derefing `refs/files` and memoizing `select-libraries` in components.
+- `refs/workspace-page-objects` uses `identical?` equality, so preserving object map identity matters for avoiding derived-ref churn.
+- Selected-shapes refs use a small `{objects selected}` wrapper with custom equality before running `process-selected`; avoid bypassing that pattern in hot UI paths.

.serena/memories/frontend/workspace-token-subtleties.md

@@ -0,0 +1,17 @@
+# Frontend Workspace Token Subtleties
+
+## Token refs and visibility
+
+- Workspace token refs intentionally hide the internal hidden theme from theme trees/lists and expose active tokens through `get-tokens-in-active-sets`.
+- Token values stored on shapes are token names under `:applied-tokens`, not token ids. Renames/group renames must update those paths in common token logic.
+
+## Token application
+
+- Token application refuses to run while a text shape is in text-editing mode and shows a warning instead.
+- Applying a token writes token names into shape `:applied-tokens`, resolves active tokens through Style Dictionary or `tokenscript` depending on feature flags, updates concrete shape attrs, and wraps the operation in an undo transaction.
+- Applying composite typography removes atomic typography token attrs; applying atomic typography removes the composite typography token attr.
+- Spacing tokens have a special split path: layout containers receive gap/padding updates, while immediate children of layouts receive margin updates.
+
+## Propagation
+
+- Token propagation resolves active tokens, buffers many `update-shapes` commits, walks the current page first then the remaining pages, clears affected frame/component thumbnails, and drops `:position-data` for text shapes on non-current pages so it can be regenerated.

.serena/memories/frontend/workspace-transform-subtleties.md

@@ -0,0 +1,20 @@
+# Frontend Workspace Transform Subtleties
+
+## Preview vs committed transforms
+
+- High-frequency previews use `app.main.streams/wasm-modifiers` and `workspace-selrect` behavior subjects instead of normal store commits; components consume them through refs that wrap plain atoms.
+- `apply-modifiers*` is the lower-level commit path once object/text modifiers are ready. It updates frame guides, frame comment threads, and then emits `update-shapes` with `:reg-objects? true`.
+- Transform commits restrict diff attrs to `transform-attrs` to avoid scanning unrelated shape attrs.
+- Text transforms may carry derived `:position-data`; `assoc-position-data` attaches it while preserving the original text shape context.
+
+## Component-copy touched suppression
+
+- `calculate-ignore-tree` walks modified shapes and descendants to decide per copy-shape `ignore-geometry?`.
+- `check-delta` compares a copy's relative position/rotation to its component root before and after transform. If relative movement is under about 1px and size/rotation are effectively unchanged, geometry touching is suppressed.
+- This logic is why pure translations of component copies can avoid marking every descendant as geometry-touched, while resizes/rotations still propagate touched state.
+
+## WASM bridge details
+
+- WASM modifier updates set plugin/local props with parsed geometry/structure modifiers rather than directly mutating file data.
+- The position-data recomputation watcher ignores commits tagged `:position-data`; keep that tag when adding derived position-data commits.
+- Rotation has separate WASM and non-WASM event paths. Check both when changing rotation modifier semantics.

.serena/memories/library/core.md

@@ -0,0 +1,30 @@
+# Library Architecture and Workflow
+
+`library/`: builds `@penpot/library`; JS-facing in-memory Penpot file builder and `.penpot` ZIP exporter. Separate from main app runtime.
+
+## Layout and commands
+
+- Source: `library/src/`; tests: `library/test/`; experimentation/docs: `playground/`, `docs/`; config: `shadow-cljs.edn`, `deps.edn`, `package.json`.
+- From `library/`: build `pnpm run build`; bundle helper `pnpm run build:bundle` or `./scripts/build`; tests `pnpm run test`; watch `pnpm run watch` / `pnpm run watch:test`; lint `pnpm run lint`; format check/fix `pnpm run check-fmt` / `pnpm run fmt`.
+- When changing file-format construction or export behavior in `common/`, consider whether `@penpot/library` should be tested because it constructs Penpot files outside the app UI.
+
+## JS API and builder state
+
+- The JS build context wraps an atom and implements `IDeref`; `getInternalState` exposes the CLJ state converted to JS.
+- Public methods decode JS objects through the JSON transformer before calling common builder functions. Exceptions become JS `BuilderError` objects with enumerable `cause` and an `explain` getter for Malli explain data.
+- `create-build-context` can store an optional `referer`, later written into the export manifest.
+- The builder is stateful: call `addFile` before `addPage`. `addPage` resets the frame/group stack to the root and clears page-local naming state when the page closes.
+- `addBoard` and `addGroup` push onto the parent stack; matching close calls pop it. `closeGroup` requires at least one child and recalculates group geometry. Masked groups use the first child as mask and copy its geometry.
+- `commit-shape` emits `:add-obj` with `:ignore-touched true`, using the current parent, frame, and page from the stack.
+- Layer names are uniqued per current page; duplicate names get generated suffixes.
+- `addBool` converts an existing group into a bool shape and updates style/content/geometry via `:mod-obj` operations rather than adding a new object.
+- Media blobs are stored separately from file-media metadata; `add-file-media` requires a `BlobWrapper`.
+
+## Export package
+
+- `.penpot` ZIPs include `manifest.json`, file/page/shape JSON, components/colors/typographies/tokens, media metadata, and media object blobs.
+- Path/bool shape `:content` is converted to vectors before JSON encoding.
+- File export intentionally includes only selected top-level attrs plus data options; color export removes `:file-id` and drops empty paths.
+- Manifest type is `penpot/export-files`, version 1, generated by `penpot-library/%version%`, with optional referer and file relations.
+- Export generation is sequential and lazy: delayed JSON/blob work is computed only as each zip entry is written, and the progress callback receives `{total,item,path}` after each entry.
+- The library has compatibility defaults for features/migrations in the common builder; do not assume it always exports with the newest app-default migrations/features.

.serena/memories/mcp/core.md

@@ -0,0 +1,95 @@
+# Penpot MCP
+
+This subproject provides an MCP server for Penpot integration.
+The MCP server communicates with a Penpot plugin via WebSockets, allowing
+the MCP server to send tasks to the plugin and receive results,
+enabling advanced AI-driven features in Penpot.
+
+## Tech Stack
+
+- Language: TypeScript
+- Runtime: Node.js
+- Framework: MCP SDK (@modelcontextprotocol/sdk)
+- Build Tool: TypeScript Compiler (tsc) + esbuild
+- Package Manager: pnpm
+
+## General Principles
+
+IMPORTANT: Use an idiomatic, object-oriented style.
+In particular, this implies that, for any non-trivial interfaces, you use interfaces that expect explicitly typed abstractions
+rather than mere functions (i.e. use the strategy pattern, for example).
+
+Comments:
+When describing parameters, methods/functions and classes, you use a precise style, where the initial (elliptical) phrase
+clearly defines *what* it is. Any details then follow in subsequent sentences.
+
+When describing what blocks of code do, you also use an elliptical style and start with a lower-case letter unless
+the comment is a lengthy explanation with at least two sentences (in which case you start with a capital letter, as is
+required for sentences).
+
+## Project Structure (Excerpt)
+
+```
+mcp/
+├── packages/common/           # Shared type definitions
+│   ├── src/
+│   │   ├── index.ts           # exports for shared types
+│   │   └── types.ts           # PluginTaskResult, request/response interfaces
+│   └── package.json           # @penpot-mcp/common package
+├── packages/server/           # MCP server subproject
+│   ├── src/
+│   │   ├── index.ts           # entry point
+│   │   ├── PenpotMcpServer.ts # MCP server implementation (connection handling, tool registration, etc.)
+│   │   ├── Tool.ts            # base class for tools
+│   │   ├── PluginTask.ts      # base class for plugin tasks
+│   │   ├── tasks/             # PluginTask implementations
+│   │   └── tools/             # Tool implementations
+|   ├── data/                  # contains resources, such as API info and prompts
+│   └── package.json           
+├── packages/plugin/           # Penpot plugin subproject
+│   ├── src/
+│   │   ├── main.ts            # handles communication
+│   │   └── plugin.ts          # plugin implementation
+│   └── package.json           # Includes @penpot-mcp/common dependency
+└── prepare-api-docs           # Python project for the generation of API docs
+```
+
+## Key Development Tasks
+
+### Adjusting the Prompts
+
+The system prompt file (aka Penpot High-Level Overview) is located in 
+`packages/server/data/initial_instructions.md`.
+
+### Adding a new Tool
+
+1. Implement the tool class in `packages/server/src/tools/` following the `Tool` interface.
+   IMPORTANT: Do not catch any exceptions in the `executeCore` method. Let them propagate to be handled centrally.
+2. Register the tool in `PenpotMcpServer`.
+
+Tools can be associated with a `PluginTask` that is executed in the plugin.
+Many tools build on `ExecuteCodePluginTask`, as many operations can be reduced to code execution.
+
+### Adding a new PluginTask
+
+1. Implement the input data interface for the task in `packages/common/src/types.ts`.
+2. Implement the `PluginTask` class in `packages/server/src/tasks/`.
+3. Implement the corresponding task handler class in the plugin (`packages/plugin/src/task-handlers/`).
+    * In the success case, call `task.sendSuccess`.
+    * In the failure case, just throw an exception, which will be handled centrally!
+4. Register the task handler in `packages/plugin/src/plugin.ts` in the `taskHandlers` list.
+
+## Dev Tooling
+
+From the `mcp/` directory, run
+
+* `pnpm run build` to test the build of all packages
+* `pnpm run fmt` to apply the auto-formatter
+
+## Devenv plugin/server wiring
+
+In the normal Penpot devenv MCP path, the browser plugin does not discover or route through Postgres. The frontend provides the plugin extension API with `mcp.getServerUrl()`, currently derived from `frontend/src/app/config.cljs` as `penpotMcpServerURI` if set, otherwise `<public-uri>/mcp/ws`. The MCP plugin opens a direct WebSocket to that URL and appends the current MCP access token as a query parameter.
+
+The live plugin connection registry is in-memory inside each MCP server process (`PluginBridge.connectedClients` / `clientsByToken`). The database only stores MCP access tokens and profile props such as `mcp-enabled`; it does not manage which plugin is connected to which MCP server.
+
+For parallel devenvs, prefer same-origin MCP routing: each Penpot instance should expose `/mcp/ws` through its own nginx/Caddy path to the MCP server running inside the same main container. Keep container-internal ports fixed (MCP defaults `4401/4402/4403`, backend/exporter/frontend defaults, etc.) and only offset host-side published ports per instance. If internal ports are offset, hardcoded local proxy config such as `docker/devenv/files/nginx.conf` will misroute unless templated too.

.serena/memories/memory-maintenance.md

@@ -0,0 +1,33 @@
+# Memory Maintenance
+
+## Discovery Model
+
+- Core principle: progressive discovery through references, building a graph of memories.
+- Initially, agents are provided with the list of all memories (names only).
+- Agents should read `mem:critical-info` as the top-level entry point (graph root).
+  This memory should contain references to other memories covering major project domains.
+  The referenced memories shall, in turn, shall contain references to even more specific memories, and so on.
+  The depth of the graph shall depend on the project complexity.
+- Use topics/folders to group related memories in order to make the content structure explicit.
+  Folders can mirror project structure (e.g. modules like frontend/backend) or topics like debugging, architecture, etc.
+- Memory references must use a mem: prefix inside backticks, e.g. `mem:frontend/core`.
+  The surrounding text should clearly indicate when to read the memory/which content to expect.
+  The text should provide more precise guidance than the memory name alone,
+  i.e. avoid a reference like "frontend debugging and error handling: `mem:frontend/handling-errors-and-debugging` and instead make clear which concrete aspects are covered in the memory.
+- Memories themselves should not contain information about when to read them; this is the responsibility of the referring memory.
+
+## Style
+
+Dense agent notes, not prose docs. Prefer invariants, terse bullets.
+Avoid obvious context, rationale, and examples unless they prevent likely mistakes.
+Keep guidance durable and generalizable, not task-local.
+
+## Add/update threshold
+
+Add or update memories only with stable, non-obvious project conventions that avoid complex rediscovery in the future.
+Do not add: quick-read facts; generic language/framework knowledge; one-off task notes; volatile line-level details; behavior likely to change soon.
+
+## Maintenance Actions
+
+- Renaming memories: References are updated automatically if handled via Serena's memory rename tool.
+- Checking for stale memories (e.g. after deletion): Call `serena memories check` for a report.

.serena/memories/plugins/core.md

@@ -0,0 +1,37 @@
+# Plugins Architecture and Workflow
+
+`plugins/`: standalone TypeScript/pnpm workspace for Plugin API packages and sample plugins. Related to, distinct from, frontend CLJS Plugin API runtime.
+
+## Layout
+
+- `libs/plugin-types`: TypeScript declarations for the public Penpot Plugin API. Type-only package; runtime behavior is implemented elsewhere.
+- `libs/plugins-runtime`: runtime that loads plugins and exposes/generated API behavior to plugin code.
+- `libs/plugins-styles`: reusable styling package for plugins.
+- `apps/*-plugin`: sample/development plugins. `apps/e2e`: plugin e2e tests.
+
+## Dev Workflow
+
+- From `plugins/`: install `pnpm -r install`; runtime dev server `pnpm run start` or `pnpm run start:app:runtime`; sample plugin `pnpm run start:plugin:<name>`; build runtime `pnpm run build:runtime`; build plugins `pnpm run build:plugins`; lint `pnpm run lint`; format `pnpm run format:check` / `pnpm run format`; tests `pnpm run test`; e2e `pnpm run test:e2e`.
+- If a change affects public Plugin API types or runtime, update `plugins/CHANGELOG.md`. Prefix type/signature entries with `**plugin-types:**`; runtime behavior entries with `**plugin-runtime:**`.
+- JS Plugin API behavior inside Penpot app: `mem:frontend/plugin-api-to-cljs-binding`; TS declarations are not runtime code; many API objects are CLJS proxies in `frontend/src/app/plugins/*.cljs`.
+
+## Sandbox and global cleanup
+
+- The runtime uses SES compartments. Public API return values are passed through `ses.safeReturn` before crossing back to plugin code.
+- Plugin `fetch` is sanitized: credentials are omitted and Authorization is blanked. The exposed response only includes ok/status/statusText/url/text/json.
+- Timer callbacks are wrapped to mark plugin-originated errors, and timeout/interval IDs are tracked so plugin close can clear them.
+- Plugin-originated errors are tracked in a WeakMap instead of mutating error objects, because SES can freeze errors.
+- Closing a plugin removes public API keys from the compartment globalThis.
+
+## Lifecycle
+
+- Loading a plugin closes existing non-background plugins and resets the runtime registry. Be careful around `allowBackground` semantics when changing load/close behavior.
+- If sandbox evaluation fails, the runtime marks the error as plugin-originated, closes the plugin, and rethrows.
+- `plugin-manager` removes event listeners, timers, intervals, and modal state on close, and marks the plugin destroyed. Listener callbacks check that flag because Penpot events can fire after close.
+
+## Modal/UI behavior
+
+- Modal URL preparation differs by manifest version: v1 uses query string parameters, v2 puts parameters in the URL hash.
+- `openModal` is idempotent for the same iframe source and avoids reopening when the target URL is already displayed.
+- Modal permissions are derived from manifest permissions (`allow:downloads`, `clipboard:read`, `clipboard:write`).
+- `resizeModal` clamps to at least 200x200 and at most the window minus margins, adjusting transform so the modal remains in the viewport.

.serena/memories/prod-infra/core.md

@@ -0,0 +1,33 @@
+# Production infrastructure (services Penpot depends on)
+
+Backend (`app.config`, `PENPOT_*` env vars) is parameterized; deployments choose providers.
+
+## Services
+
+- **PostgreSQL**: durable store. Profiles, teams, files, sessions, audit, `storage_object` metadata, the `task` queue, `scheduled_task` cron registry, migrations. File-data also lives here when the file-data backend is `legacy-db`/`db`. One shared DB across all backends.
+- **Redis (Valkey-compatible)**: per-backend message bus and cache. Concrete uses: msgbus Pub/Sub for collaborative-editing broadcasts and team/profile-org notifications fired by RPC handlers (`app.rpc.notifications`, `files_update`, `teams`, `websocket`); file-summary cache gated by `enable-redis-cache`; rate-limit counters; and the dispatcher→runner work hand-off list `penpot.worker.queue:<tenant>:<queue>`. `PENPOT_REDIS_URI`.
+- **Object storage**: backends `:s3` and `:fs`. S3 in prod; devenv uses MinIO. Holds uploaded media, file-data when the file-data backend is `storage`, exports. Backend-side details (resolve, dedup, bucket set, file-data backends): `mem:backend/http-storage-filedata-subtleties`.
+- **SMTP mailer**: invitations, password resets, email verification (sent via the `:sendmail` worker task).
+- **LDAP** (optional auth provider): helpers in `app.auth.*`, gated by `enable-login-with-ldap`.
+
+## Task queue and worker model
+
+Async tasks are enqueued via `wrk/submit!` (`app.worker`), which inserts a row into the shared Postgres `task` table tagged with `queue = "<tenant>:<queue-name>"`. Submission is **fire-and-forget** — RPC handlers never poll, never wait, and workers never publish to msgbus. The only completion signal is the `task` row's `status` / `completed_at` columns, which nothing in `rpc/` reads. Soft-delete RPCs return immediately after marking the top-level row, leaving the cascade and reaping to workers.
+
+Workers run on backends with `enable-backend-worker` in `PENPOT_FLAGS`. Each worker-enabled backend has a `dispatcher` (polls `task` with `FOR UPDATE SKIP LOCKED`, marks status='scheduled', RPUSHes claimed task IDs into **its own** Redis list) and one or more `runner`s per queue (BLPOP from that same local list, execute, update the Postgres row). The Redis hand-off list is purely intra-backend — cross-backend coordination happens at the Postgres row level.
+
+## Cross-backend safety
+
+Postgres row locking is the only correctness primitive: `task` claims via `FOR UPDATE SKIP LOCKED`, cron firing via `FOR UPDATE SKIP LOCKED` on the `scheduled_task` row, plus task-handler-internal locks (e.g. `file_gc_scheduler` locks candidate file rows). This makes the work-claim path safe across any number of worker-enabled backends.
+
+Two known race patterns survive multi-backend operation:
+
+- **Cron dedup is best-effort.** The lock on `scheduled_task` is released when the task body finishes. If two backends' cron timers fire for the same scheduled instant with a gap larger than the task body's runtime, both execute it. Penpot's cron entries are idempotent (`session-gc`, `objects-gc`, `storage-gc-*`, `tasks-gc`, `upload-session-gc`, `file-gc-scheduler`); the exceptions are `:telemetry` (would double-report) and `:audit-log-archive` (depends on archive target idempotency).
+- **`wrk/submit! ::dedupe true`** does a non-atomic `DELETE` then `INSERT`. Concurrent cross-backend submits can both bypass the `DELETE` (each sees the other's uncommitted insert as absent) and end up with duplicate `'new'` rows. Each row claims and runs once independently, so the underlying work is fine; the "at most one pending" guarantee weakens.
+
+Penpot in production lives with both: horizontal-scale deployments accept "exactly-once" as "essentially-once for idempotent operations." Devenv parallel instances handle it by running workers only on ws0 (see `mem:devenv/core`).
+
+## See also
+
+- Devenv composition and the ws0-only worker placement: `mem:devenv/core`.
+- Storage backend resolution, dedup, file-data lifecycle: `mem:backend/http-storage-filedata-subtleties`.

.serena/memories/render-wasm/core.md

@@ -0,0 +1,32 @@
+# render-wasm Architecture and Workflow
+
+`render-wasm/`: Rust crate compiled to WebAssembly via Emscripten/Skia; frontend loads generated JS/WASM renderer. FFI/memory/tile behavior: `mem:render-wasm/ffi-rendering-subtleties`.
+
+## Stable Architecture
+
+- Exported functions live around `src/main.rs` / `src/wapi.rs` and are called from ClojureScript bridge namespaces under `frontend/src/app/render_wasm*`.
+- Updates are two-phase: ClojureScript calls exported setters to push shape data, then `render_frame()` performs Skia drawing.
+- Rendering is tile-based and shape data is stored separately from hierarchy.
+
+## Source Areas
+
+- `src/state*`: renderer state structures.
+- `src/render/` and `src/render.rs`: tile/surface render pipeline.
+- `src/shapes/` and `src/shapes.rs`: shape data and Skia drawing.
+- `src/wasm/`, `src/wasm.rs`, `src/mem.rs`: JS/WASM memory and interop helpers.
+- `src/math/` and `src/view.rs`: geometry and viewport helpers.
+
+## Build Environment
+
+`./build` sources `_build_env`, which sets the Emscripten paths and `EMCC_CFLAGS`. The WASM heap starts at 256 MB and uses geometric growth.
+
+## Commands
+
+From `render-wasm/`:
+- Build/copy frontend artifacts: `./build`.
+- Watch rebuild: `./watch`.
+- Rust tests: `./test` or `cargo test <name>`.
+- Lint: `./lint`.
+- Format check: `cargo fmt --check`.
+
+Do not change exported WASM function signatures without updating the corresponding frontend bridge and verifying the frontend renderer path.

.serena/memories/render-wasm/ffi-rendering-subtleties.md

@@ -0,0 +1,25 @@
+# render-wasm FFI and Rendering Subtleties
+
+## FFI state and errors
+
+- The renderer uses one unsafe global `STATE`; the `with_state*` macros currently panic on invalid state pointer. Treat state pointer validity as critical, not recoverable.
+- `#[wasm_error]` clears the error code on entry. Recoverable errors set code `0x01`, critical errors/panics set `0x02`, free the byte buffer, then panic so the CLJS bridge can catch and inspect `_read_error_code`.
+- The frontend bridge maps `0x01` to `:non-blocking` and `0x02` to `:panic` in ex-data (`:type :wasm-error`). Check actual bridge code if changing names; older comments/docs may use different labels.
+- WASM byte transfer is a single global slot. A caller that receives a pointer result must read and free it before another byte payload is written; errors free the slot via `#[wasm_error]`.
+
+## Shape pool and loading
+
+- Shapes are UUID-indexed, and hierarchy/structure is tracked separately. `ShapesPool::get` may return a cached modified clone when modifiers, structure, scale-content, or bool handling apply; `get_raw` bypasses those derived values.
+- Bulk loading uses a `loading` flag. `touch_current` / `touch_shape` avoid tile invalidation while loading; text layouts and final view setup must happen after loading ends.
+- Many setters mutate only the current shape selected by `use_shape` / current-shape APIs. If no current shape is selected, some mutation blocks are skipped silently.
+- `set_parent_for_current_shape` only sets parent metadata and invalidates parent geometry; children must be updated separately to avoid duplicate children.
+- Child deletion marks descendants deleted and removes them from all indexed tiles, preserving undo/redo while avoiding stale pixels after panning.
+
+## Tile/render behavior
+
+- Interactive transforms are distinct from viewport fast mode. `set_modifiers_start` enables fast mode and interactive transform; interactive transform still flushes each animation frame.
+- During interactive transform, modifier tile invalidation is deferred to `render()` once per rAF. Outside interactive transform, `set_modifiers` rebuilds modifier tiles immediately.
+- `set_modifiers_end` disables fast/interactive state and cancels pending async render; the caller must request the final full-quality render.
+- Plain viewport fast mode (`options.is_viewport_interaction()`) renders from cache and does not flush target output inside `process_animation_frame`; interactive transforms do flush.
+- Zoom changes rebuild the tile index while preserving cached tile textures. Avoid replacing that path with shallow rebuilds if blur/shadow cache preservation matters.
+- Pending tile priority is intentionally reversed by pop order; check the queue construction before changing tile scheduling.

.serena/memories/workflow/creating-commits.md

@@ -0,0 +1,23 @@
+# Creating Commits
+
+Commit only on explicit request. Before commit: `git status`; exclude unrelated user changes.
+
+Do not guess or hallucinate git author information (Name or Email). Never include the
+`--author` flag in git commands unless specifically instructed by the user for a unique
+case; assume the local environment is already configured. Allow git commit to
+automatically pull the identity from the local git config `user.name` and `user.email`.
+
+
+## Message Format
+
+```
+:emoji: Subject line (imperative, capitalized, no period, <=70 chars)
+
+Body explaining what changed and why.
+
+Co-authored-by: <You (the LLM)>
+```
+
+## Commit Type Emojis
+
+`:bug:` bug fix · `:sparkles:` enhancement · `:tada:` new feature · `:recycle:` refactor · `:lipstick:` cosmetic · `:ambulance:` critical fix · `:books:` docs · `:construction:` WIP · `:boom:` breaking · `:wrench:` config · `:zap:` perf · `:whale:` docker · `:paperclip:` other · `:arrow_up:` dep upgrade · `:arrow_down:` dep downgrade · `:fire:` removal · `:globe_with_meridians:` translations · `:rocket:` epic/highlight

.serena/memories/workflow/creating-issues.md

@@ -0,0 +1,160 @@
+# Creating Issues
+
+Create GitHub issues only on explicit request. Use `gh` CLI authenticated to `penpot/penpot`.
+
+## Title Derivation
+
+Derive the title from the source material (bug report, user feedback, feature request, etc.) — not from any pre-existing title which may be auto-generated or stale.
+
+### Bug titles (descriptive present tense)
+
+Describe the symptom as it appears to the user. Format: `[Where] [present-tense verb] when [condition]`.
+
+- *"Plugin API crashes when setting text fills"*
+- *"Canvas renders glitches when zooming quickly"*
+- *"French Canada locale falls back to French (fr) translations"*
+
+Do **not** start bug titles with "Fix" or any imperative verb — state what's broken, not command a fix.
+
+### Feature / Enhancement titles (imperative mood)
+
+Command what should be built. Format: `[Imperative verb] [what] in/on [where]`.
+
+- *"Add customizable dash and gap length controls to dashed strokes in the sidebar"*
+- *"Show user, timestamp, and hash in the workspace history panel like git commits"*
+
+### Universal rules
+
+- **Include the "where"** — specify the UI location or module (e.g. "in the sidebar", "on the stroke options")
+- **No prefixes** — strip `bug:`, `feature:`, `feat:`, `:bug:`, `:sparkles:`, `[PENPOT FEEDBACK]`, etc.
+- **No emoji** — plain text only
+- **Be specific** — prefer concrete detail over generality
+- **Two problems → cover both** — if the description has two distinct but related issues, capture both joined by "and"
+
+## Metadata
+
+| Field | Rule |
+|-------|------|
+| **Labels** | `bug` (crashes/regressions) · `enhancement` (new features) · `community contribution` (PRs from non-core) · skip workflow labels (`backport candidate`, `team-qa`) |
+| **Milestone** | Use the current or next planned milestone. Fetch available milestones: `gh api repos/penpot/penpot/milestones --jq '.[].title'`. If unsure, omit. |
+| **Project** | Always `Main` (project number 8). Use `--project "Main"` flag. |
+| **Issue Type** | See Issue Type section below. Cannot be set via `gh issue create` — use GraphQL after creation. |
+
+## Issue Body Template
+
+Write the body to a temp file to avoid shell quoting issues:
+
+**Bug template:**
+```markdown
+### Description
+
+<what breaks, what the user experiences>
+
+### Steps to reproduce
+
+1. <step 1>
+2. <step 2>
+
+### Expected behavior
+
+<what should happen instead>
+
+### Affected versions
+
+<version>
+```
+
+**Enhancement template:**
+```markdown
+### Description
+
+<what the user can now do that they couldn't before>
+
+### Use case
+
+<why this is useful, who benefits>
+
+### Affected versions
+
+<version>
+```
+
+## Creating the Issue
+
+```bash
+cat > /tmp/issue-body.md << 'ISSUE_BODY'
+<body content here>
+ISSUE_BODY
+
+gh issue create \
+  --repo penpot/penpot \
+  --title "<Derived title>" \
+  --label "<label>" \
+  --project "Main" \
+  --body-file /tmp/issue-body.md
+```
+
+Output: `https://github.com/penpot/penpot/issues/<NUMBER>`
+
+## Setting the Issue Type
+
+`gh issue create` can't set Issue Type directly. Use GraphQL after creation.
+
+**Issue Type IDs for penpot/penpot:**
+
+| Type | ID |
+|------|----|
+| Bug | `IT_kwDOAcyBPM4AX5Nb` |
+| Enhancement | `IT_kwDOAcyBPM4B_IQN` |
+| Feature | `IT_kwDOAcyBPM4AX5Nf` |
+| Task | `IT_kwDOAcyBPM4AX5NY` |
+| Question | `IT_kwDOAcyBPM4B_IQj` |
+| Docs | `IT_kwDOAcyBPM4B_IQz` |
+
+**Map:**
+- `bug` label → Bug
+- `enhancement` label → Enhancement
+- Feature/epic → Feature
+- Docs → Docs
+- None of the above → Task
+
+**Set it:**
+```bash
+ISSUE_ID=$(gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <NUMBER>) { id }
+}}' --jq '.data.repository.issue.id')
+
+gh api graphql -f query='
+mutation {
+  updateIssue(input: {
+    id: "'"$ISSUE_ID"'"
+    issueTypeId: "<TYPE_ID>"
+  }) {
+    issue { number issueType { name } }
+  }
+}'
+```
+
+## Verification
+
+```bash
+gh issue view <NUMBER> --repo penpot/penpot \
+  --json title,labels,milestone,projectItems \
+  --jq '{title, milestone: .milestone.title, labels: [.labels[].name], projects: [.projectItems[].title]}'
+
+gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <NUMBER>) { issueType { name } }
+}}' --jq '.data.repository.issue.issueType.name'
+```
+
+## Cleanup
+
+```bash
+rm -f /tmp/issue-body.md
+```
+
+## See Also
+
+- Creating issues **from PRs** (separating WHAT from HOW): `mem:workflow/creating-prs`