♻️ Refactor CI workflows

Update SECURITY.md file to request that vulnerabilities be reported through the GitHub Security Advisories feature in the Penpot repository

Signed-off-by: Madalena Melo <madalena.melo@kaleidos.net>

.devenv/README.md

@@ -0,0 +1,133 @@
+# `.devenv/` — Per-Workspace AI-Client MCP Configs
+
+This directory carries the pieces needed to point an AI coding agent
+(currently Claude Code, opencode, VS Code Copilot, and the OpenAI Codex CLI)
+at the MCP servers running inside the parallel devenv instance the developer
+is currently working in. Every parallel workspace (`ws0`, `ws1`, …) has its
+own copy because the Penpot MCP and Serena MCP host ports are
+workspace-specific.
+
+## Layout
+
+```
+.devenv/
+  README.md
+  scripts/
+    merge-mcp-config.py    # generator helper invoked by manage.sh
+  shared/                  # committed; workspace-independent entries
+    claude-code.json       # Playwright — same for every workspace
+    opencode.json
+    vscode.json
+    codex.toml
+  templates/               # committed; entries with ${...} port placeholders
+    claude-code.json       # Penpot MCP, Serena MCP — port is the only diff
+    opencode.json
+    vscode.json
+    codex.toml
+  mcp/                     # gitignored; written by manage.sh per workspace
+    claude-code.json       # loaded via Claude Code's --mcp-config flag
+    opencode.json          # loaded via OPENCODE_CONFIG env var
+```
+
+One more file is generated outside `.devenv/`, in the directory VS Code itself
+auto-discovers (gitignored):
+
+```
+.vscode/mcp.json           # auto-loaded by GitHub Copilot in VS Code
+```
+
+Codex is the exception: it has no way to load an MCP config from an arbitrary
+path, and its only project-level config file (`.codex/config.toml`) is one a
+developer may already own. So we do **not** write a file for Codex at all —
+`start-coding-agent codex` injects our servers as `-c` command-line overrides
+built fresh from `shared/codex.toml` + `templates/codex.toml` at launch.
+
+* **`shared/`** holds MCP entries that don't depend on the workspace — the
+  browser-driving Playwright server today, plus any other workspace-independent
+  servers we add later. Same content in every workspace, so it's a static
+  checked-in file.
+* **`templates/`** holds the workspace-specific entries (Penpot MCP, Serena
+  MCP) with `${PENPOT_MCP_PORT}` and `${SERENA_MCP_PORT}` placeholders. The
+  placeholders are resolved per-workspace from the port-base constants in
+  `manage.sh`.
+* **`mcp/`** (Claude Code, opencode) is the result of merging `shared/` with
+  the port-substituted `templates/`. `manage.sh` writes these on every
+  `run-devenv-agentic` pass. Gitignored, dedicated paths with no developer
+  content — never edit by hand, your edits will be overwritten on the next
+  reconcile.
+* **`.vscode/mcp.json`** is the same merge, but written to the path VS Code
+  auto-discovers. Because on `ws0` that path *is* the live repo's own file, the
+  reconcile **deep-merges** into it: any servers you added yourself are kept,
+  and only the entries we manage (`penpot`, `serena-devenv`, `playwright`) are
+  (re)written to the current ports. On `ws1+` the file doesn't exist yet, so it
+  is created from scratch.
+* **`scripts/merge-mcp-config.py`** is the generator. Its `json` mode does the
+  JSON deep-merge (with `--merge-into-existing` for the VS Code path); its
+  `codex-args` mode prints the `-c` assignments for Codex. `manage.sh`'s
+  `_merge-mcp-config-json` helper is a thin shim over the former, and
+  `start-coding-agent` calls the latter directly. Run
+  `python3 .devenv/scripts/merge-mcp-config.py --help` for the CLI.
+
+## Launching a coding agent
+
+The easiest path is the wrapper command, which knows the right flags per
+client, `cd`'s into the target workspace, and refuses to launch unless the
+target instance is running and its MCP config has been generated:
+
+```bash
+# Default target is ws0 (the live repo).
+./manage.sh start-coding-agent claude               [...args to forward]
+./manage.sh start-coding-agent opencode             [...args to forward]
+./manage.sh start-coding-agent vscode               [...args to forward to 'code']
+./manage.sh start-coding-agent codex                [...args to forward]
+
+# Target a parallel workspace with --ws N. N is an integer (non-negative);
+# 'main', 'ws1' and similar spellings are rejected.
+./manage.sh start-coding-agent claude --ws 1
+./manage.sh start-coding-agent opencode --ws 2
+```
+
+Equivalents by hand (run from inside the workspace directory):
+
+```bash
+claude --mcp-config .devenv/mcp/claude-code.json
+OPENCODE_CONFIG=.devenv/mcp/opencode.json opencode
+code "$PWD"                  # VS Code auto-discovers .vscode/mcp.json
+# Codex: pass our servers as -c overrides (no config file is written).
+codex $(python3 .devenv/scripts/merge-mcp-config.py --format codex-args \
+          .devenv/shared/codex.toml .devenv/templates/codex.toml \
+          | sed 's/^/-c /')
+```
+
+`start-coding-agent codex` does the `-c` wiring for you (and resolves the
+workspace's ports first). Because our servers arrive as command-line
+overrides, no "trusted project" prompt is involved for them — that prompt only
+gates Codex's own `.codex/config.toml`, which we never write.
+
+## Overriding our entries
+
+Both the auto-discovered configs and the launcher-loaded configs sit *on top
+of* the developer's global config (with varying precedence rules). All four
+clients offer escape hatches for shadowing entries we ship:
+
+* **Claude Code** — `claude mcp add --scope local …` installs a private entry
+  that overrides the one in `mcp/claude-code.json`. Local scope wins.
+* **opencode** — drop an `opencode.json` at the repo root with the override
+  entries you need. opencode's precedence chain is *global → `OPENCODE_CONFIG`
+  → project*, so the project file always wins. The root `opencode.json` is
+  gitignored on purpose, since these overrides are personal.
+* **VS Code Copilot** — the reconcile deep-merges into `.vscode/mcp.json`, so
+  any servers you add there yourself are preserved (only `penpot`,
+  `serena-devenv` and `playwright` are rewritten). To shadow one of *ours*,
+  put an entry under the same name in your VS Code user-profile MCP config —
+  it is loaded alongside the workspace file and wins.
+* **Codex CLI** — our servers arrive as `-c` overrides, which are Codex's
+  highest-precedence layer, so they win over a same-named `[mcp_servers.<name>]`
+  in your `~/.codex/config.toml` or a project `.codex/config.toml`. To override
+  one of ours, append your own `-c` after the client name — extra args are
+  forwarded after ours and the later `-c` wins, e.g.
+  `./manage.sh start-coding-agent codex -- -c 'mcp_servers.penpot.url="…"'`.
+
+See `docs/technical-guide/developer/agentic-devenv.md` for the broader
+client-configuration story (browser remote debugging, AI-client config
+schemas, manual setup for unsupported clients).

.devenv/scripts/merge-mcp-config.py

@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+"""Combine a shared MCP-server config with a port-substituted template for one
+AI coding-agent client.
+
+Invoked per workspace by manage.sh's `write-instance-mcp-configs` (JSON
+clients) and by `start-coding-agent` (Codex). Each supported client ships a
+`.devenv/shared/<tool>.{json,toml}` (workspace-independent entries, e.g.
+Playwright) and a `.devenv/templates/<tool>.{json,toml}` (per-workspace entries
+with `${PENPOT_MCP_PORT}` / `${SERENA_MCP_PORT}` placeholders). This script
+combines the two for the target client.
+
+Two output modes are supported:
+
+  json         Deep-merge two JSON documents under a configurable top-level key
+               (`mcpServers` for Claude Code, `mcp` for opencode, `servers` for
+               VS Code Copilot) and write the result to <out>. Same-name
+               entries in the template override entries in shared. With
+               --merge-into-existing, any pre-existing <out> file is loaded as
+               the lowest-precedence layer first, so entries the developer
+               already had are preserved (ours win on name collision). This is
+               used for VS Code's auto-discovered `.vscode/mcp.json`, which on
+               ws0 IS the live repo's file and may hold the developer's own
+               servers; the Claude/opencode outputs live in a dedicated,
+               gitignored `.devenv/mcp/` path and are written without the flag
+               (a clean overwrite).
+
+  codex-args   Deep-merge the two TOML chunks and print one
+               `dotted.key=<toml-value>` assignment per line to stdout (no
+               <out> file). The caller wraps each line in a `codex -c` flag.
+               Codex has no way to load an MCP config from an arbitrary file
+               path (CODEX_HOME would relocate auth/history too), so rather than
+               writing the auto-discovered `.codex/config.toml` we inject our
+               servers as ephemeral per-invocation overrides. This never
+               touches the developer's project- or user-level Codex config.
+
+In both modes, `${VAR}` placeholders inside *either* chunk are resolved from
+the current environment (only template chunks carry placeholders in practice,
+but the substitution is uniform either way) using Python's
+`os.path.expandvars`. Undefined placeholders are left as `${VAR}` literal text
+-- callers (i.e. manage.sh) are responsible for exporting the variables before
+invoking the script.
+
+Usage:
+  merge-mcp-config.py --format json --key <key> [--merge-into-existing] \
+      <shared> <template> <out>
+  merge-mcp-config.py --format codex-args <shared> <template>
+
+Exit codes:
+  0  success
+  2  argparse error (missing required option, bad value, unreadable input)
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import re
+import sys
+import tomllib
+from pathlib import Path
+
+
+def merge_json(
+    shared_path: Path,
+    tpl_path: Path,
+    out_path: Path,
+    key: str,
+    merge_into_existing: bool,
+) -> None:
+    """Deep-merge JSON documents under a single top-level dict key into out.
+
+    Precedence (lowest to highest): an existing <out> file (only when
+    merge_into_existing is set), then shared, then the template. Entries under
+    `key` are merged by name, so the template wins on a name collision while
+    every other entry the lower layers contributed is kept. Top-level keys
+    other than `key` come from the existing file and shared (shared wins).
+    """
+    shared = json.loads(shared_path.read_text())
+    tpl = json.loads(os.path.expandvars(tpl_path.read_text()))
+
+    base: dict = {}
+    if merge_into_existing and out_path.exists():
+        base = json.loads(out_path.read_text())
+
+    merged: dict = {**base, **shared}
+    merged[key] = {**base.get(key, {}), **shared.get(key, {}), **tpl.get(key, {})}
+
+    out_path.write_text(json.dumps(merged, indent=2) + "\n")
+
+
+def _deep_merge(base: dict, overlay: dict) -> dict:
+    """Recursively merge overlay into base; overlay wins on scalar/list keys."""
+    out = dict(base)
+    for k, v in overlay.items():
+        if isinstance(out.get(k), dict) and isinstance(v, dict):
+            out[k] = _deep_merge(out[k], v)
+        else:
+            out[k] = v
+    return out
+
+
+def _toml_value(value: object) -> str:
+    """Serialize a scalar/list as a TOML literal for a `codex -c` value.
+
+    bool is checked before int because `isinstance(True, int)` is True. Strings
+    are emitted as JSON strings, which are valid TOML basic strings for the
+    ASCII values our configs carry (commands, args, URLs). Tables never reach
+    here -- they are flattened into dotted keys by _flatten.
+    """
+    if isinstance(value, bool):
+        return "true" if value else "false"
+    if isinstance(value, (int, float)):
+        return repr(value)
+    if isinstance(value, str):
+        return json.dumps(value)
+    if isinstance(value, list):
+        return "[" + ", ".join(_toml_value(v) for v in value) + "]"
+    raise TypeError(f"unsupported TOML value type: {type(value).__name__}")
+
+
+_BARE_KEY = re.compile(r"^[A-Za-z0-9_-]+$")
+
+
+def _key_segment(seg: str) -> str:
+    """A dotted-key segment: bare if TOML-safe, else a quoted key."""
+    return seg if _BARE_KEY.match(seg) else json.dumps(seg)
+
+
+def _flatten(obj: dict, prefix: list[str]):
+    """Yield (dotted-path-segments, leaf-value) for every non-table leaf.
+
+    Lists are leaves (TOML arrays), so we do not recurse into them; nested
+    tables (e.g. an `env` table) are flattened into further dotted keys.
+    """
+    for k, v in obj.items():
+        path = prefix + [k]
+        if isinstance(v, dict):
+            yield from _flatten(v, path)
+        else:
+            yield path, v
+
+
+def emit_codex_args(shared_path: Path, tpl_path: Path) -> None:
+    """Print `dotted.key=<toml-value>` lines from the merged TOML chunks."""
+    shared = tomllib.loads(os.path.expandvars(shared_path.read_text()))
+    tpl = tomllib.loads(os.path.expandvars(tpl_path.read_text()))
+    merged = _deep_merge(shared, tpl)
+    for path, value in _flatten(merged, []):
+        dotted = ".".join(_key_segment(s) for s in path)
+        sys.stdout.write(f"{dotted}={_toml_value(value)}\n")
+
+
+def main(argv: list[str]) -> int:
+    parser = argparse.ArgumentParser(
+        description=__doc__.split("\n\n", 1)[0],
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    parser.add_argument(
+        "--format",
+        choices=("json", "codex-args"),
+        required=True,
+        help="Output mode: 'json' writes a merged file; 'codex-args' prints -c assignments.",
+    )
+    parser.add_argument(
+        "--key",
+        help="Top-level JSON key under which MCP entries live (required for --format json).",
+    )
+    parser.add_argument(
+        "--merge-into-existing",
+        action="store_true",
+        help="json only: layer the merge on top of an existing <out> file, "
+        "preserving entries already there (ours still win on name collision).",
+    )
+    parser.add_argument("shared", type=Path, help="Path to the shared chunk.")
+    parser.add_argument("template", type=Path, help="Path to the port-placeholder template chunk.")
+    parser.add_argument(
+        "out",
+        type=Path,
+        nargs="?",
+        help="Path the merged result is written to (json only; codex-args writes stdout).",
+    )
+    args = parser.parse_args(argv)
+
+    if args.format == "json":
+        if not args.key:
+            parser.error("--key is required when --format json")
+        if args.out is None:
+            parser.error("out is required when --format json")
+        merge_json(args.shared, args.template, args.out, args.key, args.merge_into_existing)
+    else:  # codex-args
+        if args.key:
+            parser.error("--key is not accepted when --format codex-args")
+        if args.merge_into_existing:
+            parser.error("--merge-into-existing is not accepted when --format codex-args")
+        if args.out is not None:
+            parser.error("out path is not accepted when --format codex-args (result goes to stdout)")
+        emit_codex_args(args.shared, args.template)
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))

.devenv/shared/claude-code.json

@@ -0,0 +1,8 @@
+{
+  "mcpServers": {
+    "playwright": {
+      "command": "npx",
+      "args": ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]
+    }
+  }
+}

.devenv/shared/codex.toml

@@ -0,0 +1,8 @@
+# Workspace-independent MCP servers for the OpenAI Codex CLI.
+# This block is concatenated with the port-substituted templates/codex.toml
+# by manage.sh's write-instance-mcp-configs to produce .codex/config.toml at
+# the workspace root.
+
+[mcp_servers.playwright]
+command = "npx"
+args = ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]

.devenv/shared/opencode.json

@@ -0,0 +1,9 @@
+{
+  "mcp": {
+    "playwright": {
+      "type": "local",
+      "command": ["npx", "@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"],
+      "enabled": true
+    }
+  }
+}

.devenv/shared/vscode.json

@@ -0,0 +1,9 @@
+{
+  "servers": {
+    "playwright": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]
+    }
+  }
+}

.devenv/templates/claude-code.json

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "penpot": {
+      "command": "npx",
+      "args": ["-y", "mcp-remote", "http://localhost:${PENPOT_MCP_PORT}/mcp", "--allow-http"]
+    },
+    "serena-devenv": {
+      "command": "npx",
+      "args": ["-y", "mcp-remote", "http://localhost:${SERENA_MCP_PORT}/mcp", "--allow-http"]
+    }
+  }
+}

.devenv/templates/codex.toml

@@ -0,0 +1,10 @@
+# Workspace-specific MCP servers for the OpenAI Codex CLI. The PENPOT_MCP_PORT
+# and SERENA_MCP_PORT placeholders below are filled in per workspace by
+# manage.sh's write-instance-mcp-configs, then the result is concatenated
+# with shared/codex.toml to produce .codex/config.toml.
+
+[mcp_servers.penpot]
+url = "http://localhost:${PENPOT_MCP_PORT}/mcp"
+
+[mcp_servers.serena-devenv]
+url = "http://localhost:${SERENA_MCP_PORT}/mcp"

.devenv/templates/opencode.json

@@ -0,0 +1,14 @@
+{
+  "mcp": {
+    "penpot": {
+      "type": "remote",
+      "url": "http://localhost:${PENPOT_MCP_PORT}/mcp",
+      "enabled": true
+    },
+    "serena-devenv": {
+      "type": "remote",
+      "url": "http://localhost:${SERENA_MCP_PORT}/mcp",
+      "enabled": true
+    }
+  }
+}

.devenv/templates/vscode.json

@@ -0,0 +1,12 @@
+{
+  "servers": {
+    "penpot": {
+      "type": "http",
+      "url": "http://localhost:${PENPOT_MCP_PORT}/mcp"
+    },
+    "serena-devenv": {
+      "type": "http",
+      "url": "http://localhost:${SERENA_MCP_PORT}/mcp"
+    }
+  }
+}

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -1,7 +1,9 @@
 description: Create a report to help us improve
-labels: ["bug"]
 name: Bug report
-title: "bug: "
+title: ""
+type: Bug
+labels: ["needs triage"]
+
 body:
   - type: markdown
     attributes:

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: true

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -1,7 +1,9 @@
 description: Suggest an idea for this project.
-labels: ["needs triage", "enhancement"]
+labels: ["needs triage"]
 name: "Feature request"
-title: "feature: "
+title: ""
+type: Enhancement
+
 body:
   - type: markdown
     attributes:

.github/ISSUE_TEMPLATE/new-render-bug-report.md

@@ -1,38 +0,0 @@
----
-name: New Render Bug Report
-about: Create a report about the bugs you have found in the new render
-title: ''
-labels: new render
-assignees: claragvinola
-
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**Steps to Reproduce**
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots or screen recordings**
-If applicable, add screenshots or screen recording to help illustrate your problem.
-
-**Desktop (please complete the following information):**
- - OS: [e.g. iOS]
- - Browser [e.g. chrome, safari]
- - Version [e.g. 22]
-
-**Smartphone (please complete the following information):**
- - Device: [e.g. iPhone6]
- - OS: [e.g. iOS8.1]
- - Browser [e.g. stock browser, safari]
- - Version [e.g. 22]
-
-**Additional context**
-Add any other context about the problem here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -15,6 +15,5 @@
 - [ ] Add or modify existing integration tests in case of bugs or new features, if applicable.
 - [ ] Refactor any modified SCSS files following the refactor guide.
 - [ ] Check CI passes successfully.
-- [ ] Update the `CHANGES.md` file, referencing the related GitHub issue, if applicable.
 
 <!-- For more details, check the contribution guidelines: https://github.com/penpot/penpot/blob/develop/CONTRIBUTING.md -->

.github/workflows/build-docker-devenv.yml

@@ -6,7 +6,6 @@ on:
 jobs:
   build-and-push:
     name: Build and push DevEnv Docker image
-    environment: release-admins
     runs-on: penpot-runner-02
 
     steps:
@@ -39,3 +38,13 @@ jobs:
           tags: ${{ env.DOCKER_IMAGE }}:latest
           cache-from: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache
           cache-to: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Notify Mattermost
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            🚀 *[PENPOT] New devenv available*
+            📄 You may want to update your devenv.
+            @alvaro

.github/workflows/build-main-staging.yml

@@ -1,22 +0,0 @@
-name: _MAIN-STAGING
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '26 5-20 * * 1-5'
-
-jobs:
-  build-bundle:
-    uses: ./.github/workflows/build-bundle.yml
-    secrets: inherit
-    with:
-      gh_ref: "main-staging"
-      build_wasm: "yes"
-      build_storybook: "yes"
-
-  build-docker:
-    needs: build-bundle
-    uses: ./.github/workflows/build-docker.yml
-    secrets: inherit
-    with:
-      gh_ref: "main-staging"

.github/workflows/release.yml

@@ -19,7 +19,6 @@ permissions:
 
 jobs:
   release:
-    environment: release-admins
     runs-on: ubuntu-24.04
     outputs:
       version: ${{ steps.vars.outputs.gh_ref }}

.github/workflows/tests-backend.yml

@@ -0,0 +1,84 @@
+name: "CI: Backend"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'backend/**'
+      - 'common/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'backend/**'
+      - 'common/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-backend:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Backend Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    services:
+      postgres:
+        image: postgres:17
+        # Provide the password for postgres
+        env:
+          POSTGRES_USER: penpot_test
+          POSTGRES_PASSWORD: penpot_test
+          POSTGRES_DB: penpot_test
+
+        # Set health checks to wait until postgres has started
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+      redis:
+        image: valkey/valkey:9
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./backend
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt
+          pnpm run lint
+
+      - name: Tests
+        working-directory: ./backend
+        env:
+          PENPOT_TEST_DATABASE_URI: "postgresql://postgres/penpot_test"
+          PENPOT_TEST_DATABASE_USERNAME: penpot_test
+          PENPOT_TEST_DATABASE_PASSWORD: penpot_test
+          PENPOT_TEST_REDIS_URI: "redis://redis/1"
+
+        run: |
+          mkdir -p /tmp/penpot;
+          clojure -M:dev:test --reporter kaocha.report/documentation

.github/workflows/tests-common.yml

@@ -0,0 +1,57 @@
+name: "CI: Common"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'common/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'common/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-common:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Common Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./common
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt:clj
+          pnpm run check-fmt:js
+          pnpm run lint:clj
+
+      - name: Tests
+        working-directory: ./common
+        run: |
+          ./scripts/test

.github/workflows/tests-frontend.yml

@@ -0,0 +1,71 @@
+name: "CI: Frontend"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'frotend/**/*'
+      - 'common/**/*'
+      - 'render-wasm/**/*'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'frotend/**'
+      - 'common/**'
+      - 'render-wasm/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-frontend:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Frontend Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./frontend
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt:js
+          pnpm run check-fmt:clj
+          pnpm run check-fmt:scss
+          pnpm run lint:clj
+          pnpm run lint:js
+          pnpm run lint:scss
+
+      - name: Unit Tests
+        working-directory: ./frontend
+        run: |
+          ./scripts/test
+
+      - name: Component Tests
+        working-directory: ./frontend
+        env:
+          VITEST_BROWSER_TIMEOUT: 120000
+        run: |
+          ./scripts/test-components

.github/workflows/tests-integration.yml

@@ -0,0 +1,93 @@
+name: "CI: Integration"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'frotend/**'
+      - 'common/**'
+      - 'render-wasm/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'frotend/**'
+      - 'common/**'
+      - 'render-wasm/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-integration:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Build Integration Bundle"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build Bundle
+        working-directory: ./frontend
+        run: |
+          ./scripts/build
+
+      - name: Store Bundle Cache
+        uses: actions/cache@v5
+        with:
+          key: "integration-bundle-${{ github.sha }}"
+          path: frontend/resources/public
+
+  test-integration:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Integration Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    needs: build-integration
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+
+      - name: Restore Cache
+        uses: actions/cache/restore@v5
+        with:
+          key: "integration-bundle-${{ github.sha }}"
+          path: frontend/resources/public
+
+      - name: Run Tests
+        working-directory: ./frontend
+        run: |
+          ./scripts/test-e2e
+
+      - name: Upload test result
+        uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: integration-tests-result
+          path: frontend/test-results/
+          overwrite: true
+          retention-days: 3

.github/workflows/tests-library.yml

@@ -0,0 +1,58 @@
+name: "CI: Library"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'common/**'
+      - 'library/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'common/**'
+      - 'library/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-library:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Library Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Lint
+        working-directory: ./library
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+          pnpm run check-fmt
+          pnpm run lint
+
+      - name: Tests
+        working-directory: ./library
+        run: |
+          ./scripts/test

.github/workflows/tests-plugins.yml

@@ -0,0 +1,83 @@
+name: "CI: Plugins"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'plugins/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'plugins/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-plugins:
+    if: ${{ !github.event.pull_request.draft }}
+    name: Plugins Runtime Linter & Tests
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Node
+        id: setup-node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
+      - name: Install deps
+        working-directory: ./plugins
+        shell: bash
+        run: |
+          corepack enable;
+          corepack install;
+          pnpm install;
+
+      - name: Run Lint
+        working-directory: ./plugins
+        run: pnpm run lint
+
+      - name: Run Format Check
+        working-directory: ./plugins
+        run: pnpm run format:check
+
+      - name: Run Test
+        working-directory: ./plugins
+        run: pnpm run test
+
+      - name: Build runtime
+        working-directory: ./plugins
+        run: pnpm run build:runtime
+
+      - name: Build doc
+        working-directory: ./plugins
+        run: pnpm run build:doc
+
+      - name: Build plugins
+        working-directory: ./plugins
+        run: pnpm run build:plugins
+
+      - name: Build styles
+        working-directory: ./plugins
+        run: pnpm run build:styles-example

.github/workflows/tests-wasm.yml

@@ -0,0 +1,57 @@
+name: "CI: WASM"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    paths:
+      - 'render-wasm/**'
+
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+
+  push:
+    branches:
+      - develop
+      - staging
+
+    paths:
+      - 'render-wasm/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-render-wasm:
+    if: ${{ !github.event.pull_request.draft }}
+    name: "Render WASM Tests"
+    runs-on: penpot-runner-02
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /var/cache/github-runner/m2:/root/.m2
+        - /var/cache/github-runner/gitlib:/root/.gitlibs
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Format
+        working-directory: ./render-wasm
+        run: |
+          cargo fmt --check
+
+      - name: Lint
+        working-directory: ./render-wasm
+        run: |
+          ./lint
+
+      - name: Test
+        working-directory: ./render-wasm
+        run: |
+          ./test

.github/workflows/tests.yml

@@ -1,410 +0,0 @@
-name: "CI"
-
-defaults:
-  run:
-    shell: bash
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - ready_for_review
-  push:
-    branches:
-      - develop
-      - staging
-
-concurrency:
-  group: ${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  lint:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Linter"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Lint Common
-        working-directory: ./common
-        run: |
-          corepack enable;
-          corepack install;
-          pnpm install;
-          pnpm run check-fmt:clj
-          pnpm run check-fmt:js
-          pnpm run lint:clj
-
-      - name: Lint Frontend
-        working-directory: ./frontend
-        run: |
-          corepack enable;
-          corepack install;
-          pnpm install;
-          pnpm run check-fmt:js
-          pnpm run check-fmt:clj
-          pnpm run check-fmt:scss
-          pnpm run lint:clj
-          pnpm run lint:js
-          pnpm run lint:scss
-
-      - name: Lint Backend
-        working-directory: ./backend
-        run: |
-          corepack enable;
-          corepack install;
-          pnpm install;
-          pnpm run check-fmt
-          pnpm run lint
-
-      - name: Lint Exporter
-        working-directory: ./exporter
-        run: |
-          corepack enable;
-          corepack install;
-          pnpm install;
-          pnpm run check-fmt
-          pnpm run lint
-
-      - name: Lint Library
-        working-directory: ./library
-        run: |
-          corepack enable;
-          corepack install;
-          pnpm install;
-          pnpm run check-fmt
-          pnpm run lint
-
-  test-common:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Common Tests"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Run tests
-        working-directory: ./common
-        run: |
-          ./scripts/test
-
-  test-plugins:
-    if: ${{ !github.event.pull_request.draft }}
-    name: Plugins Runtime Linter & Tests
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Setup Node
-        id: setup-node
-        uses: actions/setup-node@v6
-        with:
-          node-version-file: .nvmrc
-
-      - name: Install deps
-        working-directory: ./plugins
-        shell: bash
-        run: |
-          corepack enable;
-          corepack install;
-          pnpm install;
-
-      - name: Run Lint
-        working-directory: ./plugins
-        run: pnpm run lint
-
-      - name: Run Format Check
-        working-directory: ./plugins
-        run: pnpm run format:check
-
-      - name: Run Test
-        working-directory: ./plugins
-        run: pnpm run test
-
-      - name: Build runtime
-        working-directory: ./plugins
-        run: pnpm run build:runtime
-
-      - name: Build doc
-        working-directory: ./plugins
-        run: pnpm run build:doc
-
-      - name: Build plugins
-        working-directory: ./plugins
-        run: pnpm run build:plugins
-
-      - name: Build styles
-        working-directory: ./plugins
-        run: pnpm run build:styles-example
-
-  test-frontend:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Frontend Tests"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Unit Tests
-        working-directory: ./frontend
-        run: |
-          ./scripts/test
-
-      - name: Component Tests
-        working-directory: ./frontend
-        env:
-          VITEST_BROWSER_TIMEOUT: 120000
-        run: |
-          ./scripts/test-components
-
-  test-render-wasm:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Render WASM Tests"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Format
-        working-directory: ./render-wasm
-        run: |
-          cargo fmt --check
-
-      - name: Lint
-        working-directory: ./render-wasm
-        run: |
-          ./lint
-
-      - name: Test
-        working-directory: ./render-wasm
-        run: |
-          ./test
-
-  test-backend:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Backend Tests"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    services:
-      postgres:
-        image: postgres:17
-        # Provide the password for postgres
-        env:
-          POSTGRES_USER: penpot_test
-          POSTGRES_PASSWORD: penpot_test
-          POSTGRES_DB: penpot_test
-
-        # Set health checks to wait until postgres has started
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-      redis:
-        image: valkey/valkey:9
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Run tests
-        working-directory: ./backend
-        env:
-          PENPOT_TEST_DATABASE_URI: "postgresql://postgres/penpot_test"
-          PENPOT_TEST_DATABASE_USERNAME: penpot_test
-          PENPOT_TEST_DATABASE_PASSWORD: penpot_test
-          PENPOT_TEST_REDIS_URI: "redis://redis/1"
-
-        run: |
-          clojure -M:dev:test --reporter kaocha.report/documentation
-
-  test-library:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Library Tests"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Run tests
-        working-directory: ./library
-        run: |
-          ./scripts/test
-
-  build-integration:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Build Integration Bundle"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build Bundle
-        working-directory: ./frontend
-        run: |
-          ./scripts/build
-
-      - name: Store Bundle Cache
-        uses: actions/cache@v5
-        with:
-          key: "integration-bundle-${{ github.sha }}"
-          path: frontend/resources/public
-
-  test-integration-1:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Integration Tests 1/3"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    needs: build-integration
-
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v6
-
-      - name: Restore Cache
-        uses: actions/cache/restore@v5
-        with:
-          key: "integration-bundle-${{ github.sha }}"
-          path: frontend/resources/public
-
-      - name: Run Tests
-        working-directory: ./frontend
-        run: |
-          ./scripts/test-e2e --shard="1/3";
-
-      - name: Upload test result
-        uses: actions/upload-artifact@v7
-        if: always()
-        with:
-          name: integration-tests-result-1
-          path: frontend/test-results/
-          overwrite: true
-          retention-days: 3
-
-  test-integration-2:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Integration Tests 2/3"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    needs: build-integration
-
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v6
-
-      - name: Restore Cache
-        uses: actions/cache/restore@v5
-        with:
-          key: "integration-bundle-${{ github.sha }}"
-          path: frontend/resources/public
-
-      - name: Run Tests
-        working-directory: ./frontend
-        run: |
-          ./scripts/test-e2e --shard="2/3";
-
-      - name: Upload test result
-        uses: actions/upload-artifact@v7
-        if: always()
-        with:
-          name: integration-tests-result-2
-          path: frontend/test-results/
-          overwrite: true
-          retention-days: 3
-
-  test-integration-3:
-    if: ${{ !github.event.pull_request.draft }}
-    name: "Integration Tests 3/3"
-    runs-on: penpot-runner-02
-    container:
-      image: penpotapp/devenv:latest
-      volumes:
-        - /var/cache/github-runner/m2:/root/.m2
-        - /var/cache/github-runner/gitlib:/root/.gitlibs
-
-    needs: build-integration
-
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v6
-
-      - name: Restore Cache
-        uses: actions/cache/restore@v5
-        with:
-          key: "integration-bundle-${{ github.sha }}"
-          path: frontend/resources/public
-
-      - name: Run Tests
-        working-directory: ./frontend
-        run: |
-          ./scripts/test-e2e --shard="3/3";
-
-      - name: Upload test result
-        uses: actions/upload-artifact@v7
-        if: always()
-        with:
-          name: integration-tests-result-3
-          path: frontend/test-results/
-          overwrite: true
-          retention-days: 3

.gitignore

@@ -15,6 +15,12 @@
 .repl
 /*.jpg
 /*.md
+!CHANGES.md
+!CONTRIBUTING.md
+!README.md
+!AGENTS.md
+!CODE_OF_CONDUCT.md
+!SECURITY.md
 /*.png
 /*.svg
 /*.sql
@@ -87,6 +93,10 @@
 /.pnpm-store
 /.vscode
 /.idea
+*.iml
 /.claude
 /.playwright-mcp
+/.devenv/mcp/
+/opencode.json
+/.codex/
 /tools/__pycache__

.opencode/agents/commiter.md

@@ -1,6 +1,6 @@
 ---
 name: commiter
-description: Git commit assistant following CONTRIBUTING.md commit rules
+description: Git commit assistant
 mode: all
 ---
 
@@ -15,16 +15,11 @@ including the rationale if proceed.
 
 * Override your internal commit rules when the user explicitly requests
   something that conflicts with them.
-* Read `CONTRIBUTING.md` before creating any commit and follow the
-  commit guidelines strictly.
-* Use commit messages in the form `:emoji: <imperative subject>`.
-* Keep the subject capitalized, concise, 70 characters or fewer, and
-  without a trailing period.
+* Read `.serena/memories/workflows/creating-commits.md` before
+  creating any commit and follow the commit guidelines strictly.
 * Keep the description (commit body) with maximum line length of 80
   characters. Use manual line breaks to wrap text before it exceeds
   this limit.
-* Separate the subject from the body with a blank line.
-* Write a clear and concise body when needed.
 * Use `git commit -s` so the commit includes the required
   `Signed-off-by` line.
 * Do not guess or hallucinate git author information (Name or

.opencode/agents/engineer.md

@@ -1,37 +1,25 @@
 ---
-name: Penpot Engineer
+name: Engineer
 description: Senior Full-Stack Software Engineer
 mode: primary
 ---
 
-Role: You are a high-autonomy Senior Full-Stack Software Engineer working on
-Penpot, an open-source design tool. You have full permission to navigate the
-codebase, modify files, and execute commands to fulfill your tasks. Your goal is
-to solve complex technical tasks with high precision while maintaining a strong
-focus on maintainability and performance.
+## Role
 
-Tech stack: Clojure (backend), ClojureScript (frontend/exporter), Rust/WASM
-(render-wasm), TypeScript (plugins/mcp), SCSS.
+You are a high-autonomy Senior Full-Stack Software Engineer working on Penpot, an
+open-source design tool. You have full permission to navigate the codebase, modify files,
+and execute commands to fulfill your tasks. Your goal is to solve complex technical tasks
+with high precision while maintaining a strong focus on maintainability and performance.
 
-Requirements:
+## Before Start
 
-* Read the root `AGENTS.md` to understand the repository and application
-  architecture. Then read the `AGENTS.md` **only** for each affected module.
-  Not all modules have one — verify before reading.
-* Before writing code, analyze the task in depth and describe your plan. If the
-  task is complex, break it down into atomic steps.
-* When searching code, prefer `ripgrep` (`rg`) over `grep` — it respects
-  `.gitignore` by default.
+**Read `AGENTS.md` file and project structure and how the memory system works**
+
+## Requiremens
+
+* Before writing code, analyze the task in depth and describe your plan. If the task is
+  complex, break it down into atomic steps.
 * Do **not** touch unrelated modules unless the task explicitly requires it.
 * Only reference functions, namespaces, or APIs that actually exist in the
   codebase. Verify their existence before citing them. If unsure, search first.
 * Be concise and autonomous — avoid unnecessary explanations.
-* After making changes, run the applicable lint and format checks for the
-  affected module before considering the work done (see module `AGENTS.md` for
-  exact commands).
-* Make small and logical commits following the commit guideline described in
-  `CONTRIBUTING.md`. Commit only when explicitly asked.
-- Do not guess or hallucinate git author information (Name or Email). Never include the
-  `--author` flag in git commands unless specifically instructed by the user for a unique
-  case; assume the local environment is already configured. Allow git commit to
-  automatically pull the identity from the local git config `user.name` and `user.email`.

.opencode/agents/planner.md

@@ -1,13 +1,11 @@
 ---
-name: Penpot Planner
+name: Planner
 description: Software architect for planning and analysis only
 mode: primary
 permission:
   edit: ask
 ---
 
-# Penpot Planner
-
 ## Role
 
 You are a Senior Software Architect working on Penpot, an open-source design
@@ -29,10 +27,8 @@ or problem domain. Assume they don't know good test design very well.
 ## Requirements
 
 * Analyze the codebase architecture and identify affected modules.
-* Read `AGENTS.md` files (root and per-module) to understand structure and
-  conventions.
-* Search code using `ripgrep` skill (`rg`) to trace dependencies, find patterns,
-  and understand existing implementations.
+* Read `AGENTS.md` file and project structure and how the memory system works and how to
+  navigate and read relevant information conventions.
 * Break down complex features or bugs into atomic, actionable steps.
 * Propose solutions with clear rationale, trade-offs, and sequencing.
 * Identify risks, edge cases, and testing considerations.

.opencode/agents/prompt-assistant.md

@@ -4,8 +4,6 @@ description: Refines and improves prompts for maximum clarity and effectiveness
 mode: all
 ---
 
-# Prompt Assistant
-
 ## Role
 
 You are an expert Prompt Engineer with strong knowledge of
@@ -15,15 +13,14 @@ well-structured version possible — ready to be used with any AI model.
 
 ## Requirements
 
-* You do NOT execute tasks. You do NOT write code. You only design and
-  refine prompts
-* Read the root `AGENTS.md` to understand the repository and application
-  architecture. Then read the `AGENTS.md` **only** for each affected module.
-* Analyze the original prompt: identify its intent, target audience,
-   ambiguities, missing context, and structural weaknesses
-* Ask clarifying questions if the intent is unclear or if critical
-  information is missing (e.g. target model, expected output format,
-  tone, constraints). Keep questions concise and grouped
+* You do NOT execute tasks. You do NOT write code. You only design and refine prompts
+* Read `AGENTS.md` file and project structure and how the memory system works and how to
+  navigate and read relevant information conventions.
+* Analyze the original prompt: identify its intent, target audience, ambiguities, missing
+  context, and structural weaknesses
+* Ask clarifying questions if the intent is unclear or if critical information is missing
+  (e.g. target model, expected output format, tone, constraints). Keep questions concise
+  and grouped
 * Rewrite the prompt using prompt engineering best practices
 
 

.opencode/skills/backport-commit/SKILL.md

@@ -70,12 +70,7 @@ module's `AGENTS.md` for the exact commands). If the formatter auto-fixes
 indentation, verify the logic is still semantically correct. All checks must
 pass before moving on.
 
-### 6. Port the changelog entry (if any)
-
-If the original commit added or modified a `CHANGES.md` entry, port that entry
-too — adapting wording and version references for the target branch.
-
-### 7. Commit
+### 6. Commit
 
 Ask the `commiter` sub-agent to create a commit. Stage all relevant files
 (exclude unrelated untracked files) and provide the original commit message as

.opencode/skills/issue-title/SKILL.md

@@ -0,0 +1,123 @@
+---
+name: issue-title
+description: Derive a clear, well-formatted title for a GitHub issue from its description body, using descriptive present-tense for bugs and imperative mood for features, always including the "where" (location in the UI/module).
+---
+
+# Skill: issue-title
+
+Derive a concise, descriptive title for a GitHub issue based on its body
+content. Use **descriptive present tense for bugs** (e.g. "Plugin API
+crashes when setting text fills") and **imperative mood for features** (e.g.
+"Add customizable dash and gap controls"). No emoji or type prefixes
+(`feat:`, `bug:`, `feature:`, etc.).
+
+Can be used both when **creating a new issue** and when **updating an
+existing one** that has a vague or outdated title.
+
+## When to Use
+
+- Creating a new issue and need a well-formatted title from the draft body
+- An existing issue has a vague, outdated, or auto-generated title (e.g.
+  `[PENPOT FEEDBACK]: ...`, `feature: ...`)
+- The current title doesn't reflect the actual content of the description
+- The title is missing the "where" (which part of the UI/module is affected)
+
+## Prerequisites
+
+- `gh` CLI authenticated (`gh auth status`)
+
+## Workflow
+
+### 1. Get the issue body
+
+For an **existing issue**, fetch it:
+
+```bash
+gh issue view <NUMBER> --repo penpot/penpot --json title,body
+```
+
+For a **new issue**, read the draft body from wherever it was provided
+(Taiga link, user report, discussion, etc.).
+
+### 2. Read the body and derive a title
+
+Extract the core problem or request from the description. Distinguish between
+bug reports and feature requests:
+
+**Bug titles (descriptive, present tense):**
+Describe the symptom as it appears to the user. Format:
+`[Where] [present-tense verb] when [condition]`
+
+- *"Plugin API crashes when setting text fills"*
+- *"Canvas renders glitches when zooming quickly"*
+- *"French Canada locale falls back to French (fr) translations"*
+- *"Text layer content is not deleted when WebGL render is enabled"*
+
+Do **not** start bug titles with "Fix" or any imperative verb. The title
+should state what's broken, not command a fix.
+
+**Feature / Enhancement titles (imperative mood):**
+Command what should be built. Format:
+`[Imperative verb] [what] in/on [where]`
+
+- *"Add customizable dash and gap length controls to dashed strokes in the sidebar"*
+- *"Show user, timestamp, and hash in the workspace history panel like git commits"*
+- *"Validate shape on add-object to catch malformed inputs early"*
+
+**Universal rules (both types):**
+- **Include the "where"** — specify the UI location or module (e.g.
+  "in the sidebar", "in the workspace history panel", "on the stroke
+  options")
+- **No prefixes** — strip `bug:`, `feature:`, `feat:`, `:bug:`, `:sparkles:`,
+  `[PENPOT FEEDBACK]`, etc.
+- **No emoji** — plain text only
+- **Be specific** — prefer concrete detail over generality. If the
+  description mentions two related problems, capture both.
+
+**Examples:**
+
+| Original / draft title | Type | New title |
+|---|---|---|
+| `[PENPOT FEEDBACK]: WebGL` | Bug | `Canvas renders glitches when zooming quickly — text appears distorted and nodes have background-colored rectangles` |
+| `bug: flatten-nested-tokens-json uses $type instead of $value as the DTCG token/group discriminator` | Bug | `Token import fails when group-level type inheritance is used — parser misidentifies groups as tokens` |
+| `feature: Dashed stroke customization` | Feature | `Add customizable dash and gap length controls to dashed strokes in the sidebar` |
+| `feature: Add more detail to history of actions` | Feature | `Show user, timestamp, and hash in the workspace history panel like git commits` |
+
+### 3. Apply the title
+
+**If updating an existing issue:**
+
+```bash
+gh issue edit <NUMBER> --repo penpot/penpot --title "<NEW TITLE>"
+```
+
+**If creating a new issue:**
+
+```bash
+gh issue create --repo penpot/penpot --title "<NEW TITLE>" --body "<BODY>"
+```
+
+### 4. Confirm
+
+For updates, the command returns the issue URL. Verify by optionally fetching
+again:
+
+```bash
+gh issue view <NUMBER> --repo penpot/penpot --json title
+```
+
+## Key Principles
+
+- **Bug titles describe the symptom** — present tense, 3rd person:
+  "crashes", "fails", "shows", "is cut off", "does not load". Do not
+  start with "Fix" or "Bug:".
+- **Feature titles use imperative mood** — command form: "Add", "Show",
+  "Use", "Validate", "Support", "Toggle".
+- **Always include the "where"** — a title like "Crashes when zooming"
+  is too vague; "Canvas crashes when zooming quickly" is clear.
+- **No prefixes, no emoji** — strip all type labels and decorative
+  characters from the title.
+- **Derive from the body, not the current title** — the body contains
+  the real detail; the current title may be auto-generated or stale.
+- **Two problems → cover both** — if the description has two distinct
+  but related issues, capture both in the title joined by "and".

.opencode/skills/update-changelog/SKILL.md

@@ -49,6 +49,7 @@ python3 tools/gh.py issues "2.16.0" --exclude "release blocker,no changelog"
 - `no changelog` label — Chore/refactor work that doesn't need a changelog entry
 - `release blocker` label — Blocked issues not yet ready for changelog
 - `Task` issue type — Internal chores are not user-facing; filter these out after fetching
+- **Rejected project status** — Issues with a "Rejected" status in the "Main" project board are automatically excluded by `gh.py`. This project-level status (independent of the GitHub issue `state`) indicates the issue was rejected from the release. Use `--include-rejected` to override.
 
 **Exclusion rules (PR-level):**
 In addition to issue-level exclusions, PRs with these labels should be
@@ -57,7 +58,9 @@ excluded regardless of their linked issue's labels:
 - `no issue required` — Trivial fix not tracked as an issue
 
 The script outputs JSON with each entry containing `number`, `title`, `state`,
-`issue_type`, `labels`, and `closing_prs` (the PRs that fix each issue).
+`issue_type`, `labels`, `closing_prs` (the PRs that fix each issue), and
+`project_status` (the "Main" project board status, e.g. "Done", "Rejected",
+or `null` if not tracked in a project).
 
 ### 3. Identify missing entries (optional)
 
@@ -426,7 +429,11 @@ if closed:
   between the description and the issue link. Use the **PR author** (not the
   issue author) for the attribution.
 - **Only closed issues.** An issue must have `state: "closed"` to appear in
-  the changelog. Open unresolved issues are omitted.
+  the changelog. Open/unresolved issues are omitted.
+- **Rejected project status.** Issues marked as "Rejected" in the "Main"
+  project board are automatically excluded by `gh.py`, even if they are
+  closed. The project status is distinct from the GitHub issue state.
+  Use `--include-rejected` to override this behavior.
 - **Excluded issues.** Issues with `no changelog` label must be excluded.
   Issues with `issue_type: "Task"` must also be excluded — they are internal
   chores, not user-facing changes.

.serena/.gitignore

@@ -0,0 +1,2 @@
+/cache
+/project.local.yml

.serena/memories/backend/auth-permissions-product-domains.md

@@ -0,0 +1,40 @@
+# Backend Auth, Permissions, and Product Domain Subtleties
+
+## Auth and sessions
+
+- Main auth RPC commands live in `app.rpc.commands.auth`; LDAP and OIDC provider logic live in `app.auth.ldap` and `app.auth.oidc`, with LDAP-specific RPC checks in `app.rpc.commands.ldap`.
+- Public auth endpoints must explicitly set `::rpc/auth false`; RPC auth defaults to enabled. Session cookie creation/deletion is usually attached as an RPC response transform.
+- Basic Penpot registration is token staged: prepare/register creates or verifies temporary tokens, then profile creation/session setup is reused by other auth backends. The frontend `/auth/verify-token` flow is a hub for registration confirmation, email change, and invitation tokens.
+- OIDC-compatible providers share a generic flow: redirect to provider, validate callback/request token, fetch identity data, then login an existing profile or register a new one. Known providers may have hardcoded endpoints; generic OIDC can use discovery/configured endpoints.
+- LDAP login validates credentials against the external directory, fetches identity data, then logs in or registers a matching Penpot profile. LDAP registration is not a separate Penpot signup flow.
+- Logout may return an OIDC provider redirect URI when the session claims include provider/session data and the provider has a logout URI.
+- Invitation tokens are verified through token issuers and only accepted when the token member id/email matches the authenticated profile; otherwise login proceeds without consuming the invitation.
+- HTTP/session parsing details such as cookie/header precedence, JWT session token versions, and SameSite behavior are in `mem:backend/http-storage-filedata-subtleties`.
+
+## Permission model
+
+- `app.rpc.permissions` provides predicate/check factories. Failed permission checks intentionally raise `:not-found` / `:object-not-found`, not an authorization-specific error, to avoid leaking object existence.
+- Team role flags are normalized as owner > admin > editor > viewer. Owner/admin imply edit; any membership row implies read.
+- File/project/comment checks are implemented in the owning command namespaces, often via helpers imported from `files`, `teams`, or `projects`; do not bypass those helpers with direct DB lookups unless preserving their not-found semantics.
+- Comment permission includes both logged-in state and the file/team comment policy. Shared viewer paths may pass `share-id`; preserve that path when changing comment queries.
+
+## Teams, projects, and invitations
+
+- Team/project commands mix DB changes, email, message bus notifications, media/storage cleanup, feature flags, quotas, and audit metadata. Keep mutations transactional when the existing command does so.
+- Invitation flows validate muted/bounced emails before sending and use tokenized invitation state. Accepting an invitation is tied to the invited member identity, not just possession of a token.
+- Logical deletion is used for many product objects; prefer existing logical-deletion helpers over hard deletes unless the command already performs permanent cleanup.
+- Bounced/spam-complaint emails can mute/block a profile for login/registration and email sending. Devenv MailCatcher is the normal local path for registration/email-flow testing.
+
+## Comments, webhooks, and audit
+
+- Comment thread queries join file/project/profile state and exclude deleted files/projects. Unread comment counts depend on `comment_thread_status.modified-at` and profile notification preferences.
+- Webhook edits are allowed for team editors/admins or the webhook creator. Webhook validation performs a synchronous HEAD request with a short timeout; validation errors are mapped through `app.loggers.webhooks`.
+- Audit events are prepared from RPC metadata, result metadata, params, request context, and selected auth identifiers. Webhook event batching can be controlled through audit/webhook metadata on commands or results.
+- Webhook and audit logging are cross-cutting side effects of product commands; when adding a command, check nearby command metadata and result metadata patterns before inventing a new event shape.
+
+## Local testing notes
+
+- Enable LDAP login locally with frontend flag `enable-login-with-ldap`; the devenv includes a configured test LDAP service.
+- OIDC testing requires external provider app credentials plus matching backend/frontend config.
+- Backend domain tests usually live under `backend/test/backend_tests/rpc/commands/*_test.clj` or nearby backend test namespaces. Use focused `clojure -M:dev:test --focus ...` from `backend/` when possible.
+- For auth/session or HTTP behavior, combine backend tests with the HTTP/session notes in `mem:backend/http-storage-filedata-subtleties` because RPC-level tests may not exercise cookie/header transforms.

.serena/memories/backend/core.md

@@ -0,0 +1,101 @@
+# Backend Architecture and Workflow
+
+Backend: JVM Clojure; Integrant; PostgreSQL; Redis/Valkey; RPC; HTTP; storage; mail; audit/logging; workers.
+
+## Focused memories
+
+- RPC, DB helpers, workers, cron: `mem:backend/rpc-db-worker-subtleties`
+- HTTP sessions, config, storage, media, file data persistence: `mem:backend/http-storage-filedata-subtleties`
+- Auth flows, permission model, teams, projects, invitations, comments, webhooks, audit: `mem:backend/auth-permissions-product-domains`
+- Services, task-queue/Pub-Sub topology constraints -> `mem:prod-infra/core`.
+
+## Stable namespace map
+
+- `app.rpc.commands.*`: RPC command implementations exposed under `/api/rpc/command/<cmd-name>`.
+- `app.rpc.permissions`: permission predicate/check helper factories.
+- `app.http.*`: HTTP routes and middleware.
+- `app.auth.*`: provider-specific authentication helpers such as LDAP/OIDC.
+- `app.loggers.*`: audit, webhook, database, and external log integrations.
+- `app.db.*` / `app.db`: next.jdbc wrapper and SQL helpers.
+- `app.tasks.*`: background task handlers.
+- `app.worker`: task execution/cron plumbing.
+- `app.main`: Integrant system map and component wiring.
+- `app.config`: `PENPOT_*` env config and feature flags.
+- `app.srepl.*`: development REPL helpers for manual backend operations (data inspection, migration helpers, one-off admin tasks).
+- `app.nitrate`, `app.rpc.commands.nitrate`, and `app.rpc.management.nitrate`: external Nitrate subscription/organization integration, gated by the `:nitrate` feature flag and shared-key HTTP calls.
+
+## RPC conventions
+
+RPC commands are defined with `app.util.services/defmethod` and schemas. Use `get-` prefixes for read operations. Command metadata usually includes auth, docs version, params schema, and result schema. Return plain maps/vectors or raise structured exceptions from `app.common.exceptions`.
+
+Backend RPC command areas without focused memories include access tokens, binfile, demo, feedback, file snapshots, fonts, management, Nitrate, and webhooks beyond the notes in `mem:backend/auth-permissions-product-domains`; inspect nearby command tests and command metadata before changing them.
+
+## DB conventions
+
+`app.db` helpers accept cfg, pool, or conn in most places and convert kebab-case to snake_case:
+- `db/get`, `db/get*`, `db/query`, `db/insert!`, `db/update!`, `db/delete!`.
+- Use `db/run!` for multiple operations on one connection.
+- Use `db/tx-run!` for transactions.
+
+Database migrations live in `backend/src/app/migrations/`; pure SQL migrations are under `backend/src/app/migrations/sql/`. SQL filenames conventionally start with a sequence and verb/table description, e.g. `0026-mod-profile-table-add-is-active-field`. Applied migrations are tracked in the `migrations` table.
+
+For deeper details on transaction semantics, advisory locks, Transit vs JSON helpers, and dev/test DB URLs: `mem:backend/rpc-db-worker-subtleties`.
+
+## Background tasks
+
+A task handler is an Integrant component with `ig/assert-key`, `ig/expand-key`, and `ig/init-key`, returning the function run by the worker. New tasks also need wiring in `app.main`: handler config, worker registry entry, and cron entry if scheduled.
+
+For worker dispatch, cron, retry semantics, deduplication, and queue internals: `mem:backend/rpc-db-worker-subtleties`.
+
+## REPL
+
+In devenv, backend nREPL is exposed on port 6064.
+
+### Non-interactive eval (preferred for agents)
+
+`./tools/nrepl-eval.mjs` connects to an already-running nREPL server and evaluates code. Session state (defs, `in-ns`) persists across invocations via a stored session ID in `/tmp/penpot-nrepl-session-<host>-<port>`.
+
+```bash
+./tools/nrepl-eval.mjs '(+ 1 2)'                            # single expression
+./tools/nrepl-eval.mjs "(require '[my.ns :as ns] :reload)"  # reload after edits
+./tools/nrepl-eval.mjs -e                                   # inspect last exception (*e)
+./tools/nrepl-eval.mjs --reset-session '(def x 0)'          # discard session, start fresh
+./tools/nrepl-eval.mjs <<'EOF'                              # multi-expression heredoc
+(def x 10)
+(+ x 20)
+EOF
+```
+
+Default port is 6064. Use `-p <PORT>` for a different port. Use `-t <MS>` to override the 120s timeout. Do not start the nREPL server — assume it is already running.
+
+### Interactive REPL
+
+`backend/scripts/nrepl` starts a REPLy client connected to the running nREPL.
+
+For an in-process backend REPL (where you control the JVM lifecycle), stop the running backend first so port 9090 is free, then run `backend/scripts/repl`. Useful top-level helpers include `(start)`, `(stop)`, `(restart)`, `(run-tests)`, and `(repl/refresh-all)`. Many `app.srepl.main` helpers accept the global `system` var, e.g. manual email or maintenance operations.
+
+## Fixtures
+
+Fixtures can populate local data for manual testing/perf work. From the backend REPL, run `(app.cli.fixtures/run {:preset :small})`; fixture users conventionally look like `profileN@example.com` with password `123123`. Standalone fixture aliases may exist, but check current `backend/deps.edn` before relying on old command names.
+
+## Performance
+
+* **Type Hinting:** Use explicit JVM type hints (e.g. `^String`, `^long`) in performance-critical paths to avoid reflection overhead.
+* **Batch inserts:** Use `db/insert-many!` for bulk row inserts — generates a single SQL with multiple parameter tuples. Avoid on very large datasets (SQL length / parameter count limits).
+* **Server-side cursors:** Use `db/plan` (fetch-size 1000, forward-only, read-only) or `db/cursor` for large result sets. Never fetch large collections into memory at once.
+* **Transaction discipline:** Use `tx-run!` for writes (opens a transaction), `run!` for reads (single connection, no transaction). Set `:read-only` on `tx-run!` when applicable to let PostgreSQL optimize.
+
+## Lint and Format
+
+IMPORTANT: all CLI commands must be executed from the `backend/` subdirectory.
+
+* **Linting:** `pnpm run lint` from the repository root.
+* **Formatting:** `pnpm run check-fmt`. Use `pnpm run fmt` to fix. Avoid unrelated whitespace diffs.
+
+## Testing
+
+IMPORTANT: all CLI commands must be executed from the `backend/` subdirectory.
+
+* **Coverage:** If code is added or modified in `src/`, corresponding tests in `test/backend_tests/` must be added or updated.
+* **Isolated run:** `clojure -M:dev:test --focus backend-tests.my-ns-test` for a specific test namespace.
+* **Regression run:** `clojure -M:dev:test` to ensure no regressions in related functional areas.

.serena/memories/backend/http-storage-filedata-subtleties.md

@@ -0,0 +1,31 @@
+# Backend HTTP, Storage, Media, and File Data Subtleties
+
+## Config and HTTP/session middleware
+
+- `app.config/config` and `flags` are dynamic `defonce` vars populated from `PENPOT_*` env vars through the shared schema string transformer. Tests and tooling can bind them.
+- `parse-flags` automatically adds `:disable-secure-session-cookies` when `public-uri` is plain HTTP and not localhost. This changes cookie defaults without an explicit env flag.
+- The backend sets Clojure `*assert*` globally from the `:backend-asserts` feature flag. Assertion-dependent checks can therefore differ by runtime flags.
+- Request body parsing is mostly POST-oriented and supports Transit JSON plus plain JSON. Plain JSON request keys are kebab-decoded before being merged into `:params`.
+- Response formatting negotiates with `Accept` or `_fmt=json`. Transit is the default for collection/boolean bodies; JSON encoding has special pointer-map handling.
+- Auth prefers the session cookie token before the `Authorization` header. Headers may be `Token` or `Bearer`; JWTs with `kid=1` and `ver=1` are decoded as v1 session tokens, otherwise they are treated as legacy tokens.
+- Shared-key auth requires `x-shared-key` as `<key-id> <key>` and stores the lowercased key id on the request. If no shared keys are configured it always rejects.
+- Session management uses DB storage unless the DB pool is read-only, then falls back to the in-memory manager. DB sessions support both legacy string ids and v2 UUID session ids.
+- Session cookies are renewed when using a legacy string id or when `modified-at` is older than the renewal interval. SameSite is `none` for CORS, otherwise strict/lax based on config.
+
+## Storage and media
+
+- Storage has a fixed valid bucket set. Backends are `:fs` and `:s3`; default backend comes from deprecated `assets-storage-backend` only when present, otherwise `objects-storage-backend`, defaulting to `:fs`.
+- `put-object!` creates the DB `storage_object` row before writing backend content. Backend writes happen only for newly created rows, so deduplication can skip object writes.
+- Deduplication only applies when requested, when the content can provide a hash, and when bucket metadata is present. Reads exclude soft-deleted storage rows.
+- `sto/resolve` can reuse the current DB connection via `::db/reuse-conn true`; preserve this in transaction-sensitive code.
+- SVG validation strips DOCTYPE and uses secure SAX parsing. Basic SVG info falls back to 100x100 dimensions when width/height/viewBox are missing.
+- Raster metadata is shell-derived with ImageMagick `identify`, verifies detected MIME against the supplied MIME, and swaps dimensions for EXIF orientations 6/8.
+- Remote image download requires 2xx status, `content-length`, a known MIME, and size under the configured maximum before writing the temp file; mismatched byte count is an internal error.
+- Font processing shells out to FontForge and WOFF conversion tools and can derive TTF/OTF/WOFF variants from uploaded fonts.
+
+## File data persistence
+
+- File data backends are `legacy-db`, `db`, and `storage`. The storage backend keeps encoded file data in storage bucket `file-data`; the DB row stores metadata with `storage-ref-id` and nil data.
+- `fdata/upsert!` touches any storage object referenced by incoming metadata before storing the new row/blob.
+- Pointer-map fragments are persisted separately as type `fragment`, and only modified pointer maps are written.
+- `fdata/realize` combines pointer realization and object-map realization. Use it before operations that need complete in-memory file data instead of pointer placeholders.

.serena/memories/backend/rpc-db-worker-subtleties.md

@@ -0,0 +1,26 @@
+# Backend RPC/DB/Worker Subtleties
+
+## RPC exposure and wrappers
+
+- RPC commands are discovered from vars created by `app.util.services/defmethod`; adding a command namespace is not enough unless `backend/src/app/rpc.clj` includes it in `resolve-methods`.
+- `GET`/`HEAD` RPC calls are only allowed for method names starting with `get-`. Other methods are method-not-allowed even if they are read-only internally.
+- RPC auth defaults to enabled. Public endpoints must set `::auth false` metadata explicitly.
+- The wrapper stack does auth before params validation, then auditing/rate/concurrency/metrics/retry/condition handling, with DB transaction handling inside that stack. `::db/transaction` metadata controls transaction wrapping.
+- Params with `::sm/params` are decoded/conformed through the JSON transformer and successful IObj results get `:encode/json` metadata. Legacy spec conforming only applies when no Malli params schema exists.
+- Nil RPC bodies become HTTP 204 unless explicit status metadata is present. Stream bodies default to `application/octet-stream` when no content type is set.
+
+## DB helpers
+
+- Most `app.db` helpers accept a pool, connection, or map containing `::db/pool` / `::db/conn`; preserve that convention in shared code.
+- `db/tx-run!` uses `next.jdbc.transaction/*nested-tx* :ignore`: nested transaction calls reuse the outer transaction, not a savepoint. Use explicit savepoints when nested rollback semantics matter.
+- `db/run!` opens/reuses one connection but does not create a transaction.
+- `db/tjson` is Transit JSON for jsonb storage; `db/json` is plain JSON. Worker task props use Transit and are decoded with `decode-transit-pgobject`.
+- Advisory transaction locks accept UUIDs or ints. UUID locks are hashed using a zero-UUID seeded siphash.
+
+## Workers and cron
+
+- Task queues are tenant-prefixed. Submit dedupe only removes not-yet-due `new` tasks with the same name/queue/label; it does not dedupe due, scheduled, retry, running, or completed work.
+- The dispatcher selects `new`/`retry` tasks with `FOR UPDATE SKIP LOCKED`, marks them `scheduled`, and publishes Redis payload `[id scheduled-at]`. The runner skips Redis messages whose scheduled timestamp no longer matches DB state.
+- Lost `scheduled` tasks are rescheduled after about 5 minutes; `running` tasks older than about 24 hours are marked failed as orphans.
+- A task handler that is missing or returns an invalid result currently defaults to completed after warning. Throwing with `ex-data :type ::retry` controls retry behavior; `:strategy ::noop` retries without incrementing retry count.
+- Cron jobs lock their `scheduled_task` row with `FOR UPDATE SKIP LOCKED`, disable statement/idle-in-transaction timeouts locally, and reschedule themselves in `finally` unless interrupted. Worker, dispatcher, and cron components do not start when the DB pool is read-only.

.serena/memories/common/changes-architecture.md

@@ -0,0 +1,39 @@
+# File Mutations: Changes and Undo Architecture
+
+Penpot mutates file data through change records. A change set is both the persistence payload and the basis for undo/redo, so UI actions, tests, backend file updates, and library/file tooling should drive the production change pipeline instead of ad hoc object-map mutation.
+
+## Change shape
+
+Each change is a map such as `{:type ... :id ... :page-id ...}`. Common families:
+
+- `:add-obj`, `:mod-obj`, `:del-obj`: shape lifecycle. `:mod-obj` contains `:operations`, commonly `{:type :set :attr ... :val ... :ignore-geometry ... :ignore-touched ...}` or `{:type :set-touched ...}`.
+- `:add-component`, `:mod-component`, `:del-component`: component/library metadata.
+- `:add-children`, `:remove-children`, `:reg-objects`: tree and object-map edits.
+- `:set-option`, `:add-page`, `:mov-page`, and related file/page metadata changes.
+
+Each transaction carries `:redo-changes` and inverse `:undo-changes`. The undo stack stores transactions and can move its index backward/forward.
+
+## changes-builder API
+
+`common/src/app/common/files/changes_builder.cljc` (usually alias `pcb`) is the fluent builder. Start from `(pcb/empty-changes <it> <page-id>)` or `(pcb/empty-changes nil <page-id>)` for tests.
+
+High-value builder operations:
+- `pcb/with-page-id`, `pcb/with-objects`, `pcb/with-library-data`: set context for following operations.
+- `pcb/update-shapes ids update-fn`: emits `:mod-obj` with diff-derived `:set` ops. Options include `{:with-objects? true}`, `{:ignore-touched true}`, and `{:attrs #{...}}`.
+- `pcb/add-objects`, `pcb/change-parent`, `pcb/remove-objects`, `pcb/resize-parents`: shape/tree edits.
+- `pcb/add-component`, `pcb/update-component`, `pcb/mod-component`: component/library edits.
+- `pcb/set-translation? true`: marks the whole change set as translation-only, which lets component sync skip expensive work.
+
+## Applying changes in tests
+
+`thf/apply-changes` in `app.common.test-helpers.files` is the test analog of the production applier. It validates by default; pass `:validate? false` only for intentionally-invalid intermediate states.
+
+The applier uses the same `process-operation` multimethod as production (`common/src/app/common/files/changes.cljc`), so tests that use it exercise production behavior.
+
+## :touched and geometry
+
+For component touched semantics and sync groups, read `mem:common/component-data-model`. For the exact `set-shape-attr` / second-pass behavior during change application, read `mem:common/file-change-validation-migration-subtleties`. For transform-specific ignore-geometry behavior, read `mem:frontend/workspace-transform-subtleties`.
+
+## Inspection
+
+To inspect what a UI action emitted, use `mem:frontend/cljs-repl` with the snippets in `mem:common/component-debugging-recipes` rather than adding temporary source instrumentation.

.serena/memories/common/component-data-model.md

@@ -0,0 +1,41 @@
+# Component and Variant Data Model
+
+## Shape roles relative to components
+
+A shape can occupy multiple roles at once:
+
+1. Master/main instance: defines a component and has `:main-instance true` plus `:component-id`.
+2. Copy/non-main instance: produced by instantiating a component and carries `:shape-ref` pointing at the master shape. `(ctk/in-component-copy? shape)` is essentially `(some? (:shape-ref shape))`.
+3. Component root: topmost shape of an instance, marked `:component-root true` and carrying surface attrs such as `:component-id` and `:component-file`.
+
+Variant masters are main instances and component roots. Their descendants may themselves be component copies, so master/copy logic must handle nested instances rather than assuming those roles are exclusive.
+
+## :shape-ref chains
+
+`:shape-ref` walks up the inheritance hierarchy and can cross files for remote libraries. `find-ref-shape` and `get-ref-chain-until-target-ref` in `app.common.types.file` follow this chain.
+
+`find-shape-ref-child-of` in `app.common.logic.variants` walks the chain looking for the first ref-shape whose ancestors include a specific parent. Variant switch uses this to locate the equivalent master child in the target variant.
+
+## :touched flags
+
+`:touched` is a set of override-group keywords such as `:geometry-group`, `:fill-group`, and `:text-content-group`. It means a copy diverged from its master for attrs in that sync group.
+
+`sync-attrs` in `app.common.types.component` maps attrs to groups. `set-touched-group` is the legitimate setter; the central `set-shape-attr` path calls it only for copies and only when ignore flags allow it.
+
+Masters are not normally touched through `set-shape-attr`, but touched flags can appear on master shapes through cloning/duplication paths. `add-touched-from-ref-chain` in `app.common.logic.variants` unions touched flags from ancestors into the copy being processed, so upstream/master touched state can affect downstream switch behavior.
+
+## Cloning paths
+
+`make-component-instance` in `app.common.types.container` produces a clean component copy through `update-new-shape`, dissociating attrs such as `:touched`, `:variant-id`, and `:variant-name` on cloned shapes.
+
+`duplicate-component` in `app.common.logic.libraries` creates a new component master by cloning existing component shapes, setting component metadata, and applying a position delta. It does not have the same clean-copy semantics as `make-component-instance`, so inherited attrs on the source can matter.
+
+When a bug depends on touched state, identify which cloning path produced the shape before changing sync logic.
+
+## Variant containers
+
+A variant container is a frame with `:is-variant-container true`. Its children are variant masters with `:variant-id` pointing at the container and `:variant-name` naming the variant value. Component records in the library carry `:variant-properties`.
+
+Predicates are broad: `ctk/is-variant?` checks `:variant-id` and applies to both variant master shapes and component rows; `ctk/is-variant-container?` checks the container shape flag.
+
+Moving/dropping a shape into a variant container through the move-to-frame path can auto-convert it into a variant via `generate-make-shapes-variant`, which may duplicate the underlying component. Treat drag/drop into variant containers as a component/variant operation, not a plain reparent.

.serena/memories/common/component-debugging-recipes.md

@@ -0,0 +1,58 @@
+# Common Component and Change Debugging Recipes
+
+Keep source changes out of these recipes unless the task requires a durable fix.
+
+## Inspect recent workspace changes
+
+From `cljs_repl` after triggering an action:
+
+```clojure
+(let [items (get-in @app.main.store/state [:workspace-undo :items])
+      n (count items)]
+  (->> items
+       (drop (max 0 (- n 5)))
+       (map-indexed (fn [i it]
+                      {:idx (+ i (max 0 (- n 5)))
+                       :tags (:tags it)
+                       :n (count (:redo-changes it))
+                       :types (frequencies (map :type (:redo-changes it)))
+                       :ids (mapv :id (:redo-changes it))}))))
+```
+
+To inspect operations within the latest `:mod-obj`:
+
+```clojure
+(let [items (get-in @app.main.store/state [:workspace-undo :items])
+      mod-obj (->> (:redo-changes (last items))
+                   (filter #(= :mod-obj (:type %)))
+                   first)]
+  (:operations mod-obj))
+```
+
+## Trace variant switch attribute copying
+
+To capture what `update-attrs-on-switch` saw during a real UI swap, patch it temporarily in `cljs_repl`:
+
+```clojure
+(def orig (deref #'app.common.logic.libraries/update-attrs-on-switch))
+(def trace-buf (atom []))
+(set! app.common.logic.libraries/update-attrs-on-switch
+      (fn [& args]
+        (swap! trace-buf conj
+               (let [[_ curr prev _ _ origin _] args]
+                 {:curr (select-keys curr [:name :x :y :selrect :points :touched])
+                  :prev (select-keys prev [:name :x :y :selrect :points :touched])
+                  :origin-ref (select-keys origin [:id :name :x :y :width :height :selrect])}))
+        (apply orig args)))
+;; trigger UI action, then inspect @trace-buf
+(set! app.common.logic.libraries/update-attrs-on-switch orig)
+```
+
+Runtime patching is faster than adding temporary source instrumentation and avoids recompilation cleanup. Restore the var or reload the frontend when finished.
+
+## Test-side helpers
+
+- Use `thf/dump-file file :keys [...]` to print a shape tree with selected keys during common tests.
+- Prefer production-path helpers such as `cls/generate-update-shapes` plus `thf/apply-changes` for shape mutations.
+- For component swaps with keep-touched behavior, use `tho/swap-component-in-shape` with `{:keep-touched? true}`.
+- Temporary `prn` calls in production code are acceptable while investigating but should be removed before committing.

.serena/memories/common/component-swap-pipeline.md

@@ -0,0 +1,42 @@
+# Component Swap and Variant Switch Pipeline
+
+## Entry points
+
+Frontend entry points under `frontend/src/app/main/data/workspace/`:
+- `variants.cljs`: `variants-switch` and `variant-switch` events feed property-toggle UI and Plugin API `switchVariant` behavior into `dwl/component-swap`.
+- `libraries.cljs`: `component-swap` is the single-swap workhorse; `component-multi-swap` batches swaps and calls `component-swap` with `keep-touched? = false`.
+
+`keep-touched? = true` is the discriminator for preserving user overrides during variant switch. Batch/multi-swap paths intentionally bypass that logic.
+
+## Common-side pipeline
+
+For a single swap with `keep-touched? = true`:
+
+1. `cll/generate-component-swap` in `common/src/app/common/logic/libraries.cljc` builds the base changes: remove old shape and instantiate the target component in its place through `generate-new-shape-for-swap`, `generate-instantiate-component`, and `make-component-instance`.
+2. `clv/generate-keep-touched` in `common/src/app/common/logic/variants.cljc` walks pre-swap children, augments each with chain-derived touched flags through `add-touched-from-ref-chain`, finds the equivalent target shape through `find-shape-ref-child-of`, then calls `update-attrs-on-switch`.
+3. `update-attrs-on-switch` in `app.common.logic.libraries` decides which touched attrs from the previous shape should be copied onto the freshly instantiated target shape.
+
+## update-attrs-on-switch hazards
+
+The routine compares `current-shape` (fresh target copy), `previous-shape` (pre-swap shape with chain-derived touched), and `origin-ref-shape` (source variant master's equivalent shape). It loops over sync attrs except `swap-keep-attrs` and copies only attrs that pass several guards:
+
+- skip equal previous/current values;
+- skip equal composite geometry for selected attrs;
+- require the corresponding touched group;
+- for most attrs, require source and target masters to agree;
+- for fixed-size selrect/points/width/height, use dedicated fixed-layout geometry handling;
+- text and path shapes have specialized value conversion paths.
+
+The generic fallback branch copies from `previous-shape`. It represents the intended "carry user override through switch" behavior, but bugs usually appear when guards fail to reject incompatible geometry or master differences before reaching that branch.
+
+## Known sharp edges
+
+- Composite `:selrect` and `:points` bypass the simple different-master skip; width/height checks catch some but not all positional differences.
+- `previous-shape` may be repositioned by destination-root minus origin-root before copying. For normal variant switch this is often zero, but do not assume it for all swap entry points.
+- Touched flags can be inherited through ref chains, so a shape that looks untouched locally may still behave as touched after `add-touched-from-ref-chain`.
+
+## Test harness
+
+`common/src/app/common/test_helpers/compositions.cljc` has `swap-component-in-shape`, which drives `generate-component-swap` plus `generate-keep-touched` with the production `keep-touched?` flag. Use it for focused common tests of variant-switch behavior.
+
+`common/test/common_tests/logic/variants_switch_test.cljc` is the canonical reference suite for swap+touched scenarios. Read nearby tests before adding another case.

.serena/memories/common/core.md

@@ -0,0 +1,55 @@
+# Common Architecture and Workflow
+
+`common/` intro: shared CLJC for frontend, backend, exporter, library/file tooling, tests. Small semantic changes can affect multiple runtimes.
+
+## Stable namespace map
+
+- `app.common.data` and `app.common.data.macros`: generic data helpers and performance macros that do not depend on Penpot domain entities.
+- `app.common.types.*`: shared shape/file/page/component/token data types, schemas, predicates, and entity-local operations. `app.common.types.nitrate-permissions` contains shared fail-closed Nitrate organization/team permission rules.
+- `app.common.files.*`: file-level operations, shape tree helpers, change application, migrations, validation, and undo/redo-related logic.
+- `app.common.logic.*`: higher-level workflows/algorithms over files, shapes, components, variants, libraries, tokens, etc.
+- `app.common.geom.*`: geometry helpers and transformations.
+- `app.common.schema` / `app.common.schema.*`: Malli abstraction layer.
+- `app.common.math`, `app.common.time`, `app.common.uuid`, `app.common.json`, etc.: cross-runtime utilities.
+- `app.common.test_helpers.*`: test builders and production-path helpers.
+
+## Layering and cross-runtime rules
+
+Use reader conditionals for platform-specific code. Because CLJC runs on JVM and CLJS targets, avoid assuming browser-only or JVM-only behavior unless the reader conditional isolates it.
+
+Respect the intended abstraction direction in new/refactored code:
+- generic data utilities should not know Penpot domain concepts;
+- `types.*` should preserve invariants for a single domain entity or ADT;
+- `files.*` can coordinate several entities inside a file and preserve referential integrity;
+- `changes*` should adapt serializable change records to lower-level operations and avoid embedding broad business algorithms;
+- `logic.*` and frontend/backend event layers own higher workflow/business behavior.
+
+Some legacy code violates this layering; do not copy those violations into new code when a focused refactor is practical.
+
+## Focused memory routing
+
+Model, schema, and persistence shape:
+- File/page/shape/component attr changes, import/export surfaces, inspector/codegen, and cross-module checklist: `mem:common/data-model-change-checklist`.
+- Token data structures, token import/export, active theme/set semantics, and schema/coercion behavior: `mem:common/tokens-schema-subtleties`.
+
+Geometry and layout:
+- Shape geometry invariants, redundant geometry fields, and geometry-sensitive tests: `mem:common/geometry-invariants`.
+- Coordinate drift and approximate float comparisons: `mem:common/decimals-and-coordinates`.
+- Layout/grid assignment, deassignment, metadata cleanup, and auto-positioning: `mem:common/layout-grid-subtleties`.
+
+Change pipeline, validation, and migrations:
+- Change records, undo/redo architecture, changes-builder API, and production-path mutation guidance: `mem:common/changes-architecture`.
+- Change application, shape-tree edits, validation/repair, migrations, and second-pass touched behavior: `mem:common/file-change-validation-migration-subtleties`.
+
+Components, variants, and debugging:
+- Component/variant data model, ref chains, touched override semantics, and cloning paths: `mem:common/component-data-model`.
+- Component swap, variant switch, and keep-touched pipeline: `mem:common/component-swap-pipeline`.
+- Live inspection snippets, temporary runtime patching, and test-side debugging helpers for common change/component behavior: `mem:common/component-debugging-recipes`.
+
+Text and tests:
+- Shared text data conversion, DraftJS compatibility, modern text content, and derived position data: `mem:common/text-subtleties`.
+- Common test commands, helper conventions, production-path test mutations, and runtime coverage choices: `mem:common/test-setup`.
+
+## Areas without focused memories
+
+Common areas with little or no dedicated memory include colors, media/SVG helpers, path operations, thumbnail helpers, generic pools, weak refs, and some utility namespaces. Treat work there as source/test-led unless a focused memory exists.

.serena/memories/common/data-model-change-checklist.md

@@ -0,0 +1,25 @@
+# Common Data Model Change Checklist
+
+## Attribute conventions
+
+- Prefer optional page/shape attrs with default behavior when absent. Reverting to default should usually remove the attr instead of storing nil.
+- Do not treat nil as a distinct persisted state from absence. Import/export and cleanup paths may filter nil attrs away.
+- Avoid Clojure-special naming in exported object attrs, especially boolean names ending in `?`; exported/imported data must survive JSON/SVG/Transit and external tooling.
+- Any new shape attr that participates in component sync must be listed in `app.common.types.component/sync-attrs` with the correct touched group. Attrs absent from `sync-attrs` are ignored by component synchronization.
+
+## Cross-module update checklist
+
+When changing the file data model, check the relevant paths:
+- Schema/type definitions under `common/src/app/common/types*` and helpers under `common/src/app/common/files*` / `logic*`.
+- File migrations in `common/src/app/common/files/migrations.cljc` when old files cannot safely use absence/default behavior.
+- Frontend edit forms under `frontend/src/app/main/ui/workspace/sidebar/options/`; multi-selection behavior is usually in `multiple.cljs` and must handle `:multiple` values.
+- SVG/file render and export metadata under `frontend/src/app/main/ui/shapes/*`, especially `export.cljs` when an attr is not a native SVG property.
+- SVG import/parser paths under `frontend/src/app/worker/import/parser.cljs`; attrs not exported and imported will be lost on reimport.
+- Viewer inspect and code generation under `frontend/src/app/main/ui/viewer/inspect/*` and `frontend/src/app/util/code_gen.cljs` / markup/style helpers when handoff output should expose the attr.
+- Exporter/library consumers when the change affects file construction, rendering, or packaged `.penpot` archives.
+
+## Migrations
+
+Existing files should keep working unchanged when possible. If absence cannot preserve old behavior, add a migration and preserve append/order semantics described in `mem:common/file-change-validation-migration-subtleties`.
+
+Model changes can also require file feature flags or migration metadata updates; check nearby migrations and `common/src/app/common/features.cljc` before inventing a new pattern.

.serena/memories/common/decimals-and-coordinates.md

@@ -0,0 +1,54 @@
+# Decimals and Coordinates in Penpot
+
+Penpot stores all geometry as JS numbers (doubles in CLJS, doubles in
+CLJ for the JVM-side common code). Several Penpot-specific facts
+about how this plays out are not obvious from reading the code.
+
+## Sub-pixel drift is routine
+
+Coordinate values that "should" be integers are routinely off by ~1e-5
+in production data. A `:width` of 107 will frequently appear as
+`107.00001275539398` after the value has passed through:
+
+- the modifier propagation pipeline (`apply-wasm-modifiers` and the
+  Rust WASM transform engine)
+- any rotation/scale composition
+- repeated translations
+
+This drift is invisible in the UI (the renderer rounds at draw time)
+but defeats exact equality comparisons in business logic. It does NOT
+appear in JVM-only test setups because the WASM pipeline isn't
+involved — tests that build shapes via `setup-shape` and `add-sample-shape`
+get clean integer values. Bugs that depend on drift will pass tests
+but fire in production unless tests explicitly inject drift.
+
+## Use the close? helpers, not `=`
+
+For comparing coordinate-like floats, the established convention is:
+
+- `app.common.math/close?` — scalar tolerance comparison.
+  Default precision 0.001 (sub-pixel; tight enough to keep distinct
+  shapes distinct, loose enough to absorb arithmetic noise).
+  Two-arity uses default precision; three-arity takes a custom one.
+- `app.common.geom.point/close?` — element-wise close on `gpt/Point`
+  records. Compares :x and :y via `mth/close?`.
+- `app.common.geom.matrix/close?` — close on transform matrices.
+- `app.common.geom.shapes/close-attrs?` — used inside `set-shape-attr`
+  to decide whether a re-assigned `:width`/`:height` should be treated
+  as a no-op (suppresses spurious touched marking from drift).
+
+Treat `=` on `:x`, `:y`, `:width`, `:height`, `:selrect`, or `:points`
+fields as a code smell when the inputs may have flowed through any
+transform. The `set-shape-attr`-style precedent (already using
+`close-attrs?`) is the right model.
+
+## The redundancy multiplies failure modes
+
+A shape's position lives in `:x/:y`, `:selrect`, AND `:points` (see
+`mem:common/geometry-invariants` memory). Each is a separate set of float
+values. After any operation that touches geometry, all three should
+agree, but each is computed by a different path and accumulates
+its own drift. Comparing `:selrect.width` from shape A to
+`:selrect.width` from shape B is comparing two values that
+"semantically" should be equal but were computed via different
+operation chains — exact equality will often be false.

.serena/memories/common/file-change-validation-migration-subtleties.md

@@ -0,0 +1,28 @@
+# Common File Change, Validation, and Migration Subtleties
+
+## Change application
+
+- `process-changes` validates the whole change vector once by default, reduces changes, then performs a second pass for collected touched changes. Callers that already validated can pass `verify? false`.
+- `process-operation :set` delegates to `ctn/set-shape-attr`; `:assign` first decodes attrs with the shape-attrs JSON transformer and then emits per-attr set operations.
+- `set-shape-attr` treats `:position-data` as derived and never touched. Geometry/content-path changes use approximate equality; geometry differences under about 1px can be ignored for touched purposes.
+- Width/height are excluded from the `is-geometry?` branch in `set-shape-attr`; do not assume all geometry-group attrs follow identical ignore-geometry behavior.
+- `process-touched-change` marks the owning component modified when a touched shape belongs to a main instance; component-data changes can come from shape ops through this second pass.
+
+## Shape tree edits
+
+- `shape-tree/add-shape` falls back invalid/missing parent or frame ids to root (`uuid/zero`), ensures parent `:shapes` is a vector, avoids duplicate child ids, and clears `:remote-synced` on copy parents unless `ignore-touched` is true.
+- `shape-tree/delete-shape` removes the shape and all descendants from the objects map and removes the id from its parent. This is different from render-wasm deletion, which may keep deleted children for undo/redo internals.
+- Page object maps can carry metadata indexes such as cached frame lists. `start-page-index` / `update-page-index` rebuild those metadata indexes; `frontend` commit application calls `ctst/update-object-indices` after page changes.
+
+## Validation and repair
+
+- Full referential/semantic validation currently runs only when file features contain `"components/v2"`.
+- Validation starts at root plus orphan shapes, then validates component records. `validate-file!` raises `:validation :referential-integrity` with collected details.
+- `repair-file` does not mutate data directly; it reduces validation errors into redo changes using `changes-builder`. Callers must apply or persist those changes.
+
+## Migrations
+
+- Prefer optional attrs/default behavior so old files continue working without migration. If absence cannot preserve old behavior, add a migration.
+- Migrations are an ordered set mixing legacy version-derived ids and newer named ids. Keep append order stable; `migrate` applies the set difference between available migrations and file migrations.
+- `migrate-file` synthesizes legacy migration ids from old numeric versions when `:migrations` is absent, migrates legacy features, and records feature flags created through `cfeat/*new*`.
+- When a file had no previous `:migrations`, `migrate-file` marks all migrations as migrated in metadata so callers persist the complete migration set, not only transformations that changed data.

.serena/memories/common/geometry-invariants.md

@@ -0,0 +1,48 @@
+# Geometry Invariants in Penpot Shapes
+
+Core invariant: shape position is stored redundantly, and all geometry fields must stay coherent.
+
+## Redundant fields
+
+For a shape at `(x, y)` with width `w` and height `h`:
+
+- `:x`, `:y`, `:width`, `:height`: top-left and dimensions.
+- `:selrect`: `{:x :y :width :height :x1 :y1 :x2 :y2}`, where `x2 = x + w` and `y2 = y + h`.
+- `:points`: four corners for an axis-aligned rect, clockwise from top-left.
+- `:transform` and `:transform-inverse`: identity for axis-aligned shapes; populated for transformed shapes.
+
+After a geometric mutation, equivalent fields such as `:y`, `(:y :selrect)`, and the first point's `:y` should agree. The renderer and hit-testing read `:selrect` / `:points`, so a shape can render or select incorrectly even when `:x` / `:y` look right.
+
+## Helpers that preserve the invariant
+
+- `gsh/move`: translates by delta and updates geometry consistently.
+- `gsh/absolute-move`: moves to an absolute position by computing a delta from the current selrect.
+- `gsh/transform-shape`: applies a full transform.
+- `cts/setup-shape`: initializes geometry for new shapes; variant test helpers such as `thv/add-variant-with-child` use it.
+
+## Edits that break the invariant
+
+- `(assoc shape :x ...)` or `(assoc shape :y ...)`: updates only one field and leaves `:selrect` / `:points` stale.
+- `ths/update-shape file label :y val`: goes through `set-shape-attr`, but does not repair all position fields for `:y` alone.
+- Direct `update-in` edits to `:selrect`, `:points`, or dimensions.
+
+## Test setup warning
+
+When positioning test shapes, use `gsh/absolute-move`, `gsh/move`, or production change helpers. Do not set only `:x` / `:y`.
+
+```clojure
+(cls/generate-update-shapes
+  (pcb/empty-changes nil page-id)
+  #{(:id child)}
+  #(gsh/absolute-move % (gpt/point (:x %) 101))
+  (:objects page)
+  {})
+```
+
+Using `(ths/update-shape file label :y 101)` leaves `:selrect.y` stale. Downstream code that reads `:selrect` can then fail in ways that look like product bugs but are only invalid test setup.
+
+## :touched and geometry mutation
+
+When a copy shape changes geometry through the proper pipeline (`set-shape-attr` via `process-operation :set`), `:touched` gains `:geometry-group` unless ignored. Tests can either drive the production update with `cls/generate-update-shapes`, or inject `(assoc shape :touched #{:geometry-group})` when only touched state matters.
+
+If a test needs both a new position and touched state, move the shape first with geometry-preserving helpers, then inject or assert touched state.

.serena/memories/common/layout-grid-subtleties.md

@@ -0,0 +1,13 @@
+# Common Layout and Grid Subtleties
+
+## Layout metadata
+
+- Layout container data and child layout-item data are removed by different helpers. Do not assume clearing a layout frame also clears all child layout metadata.
+- Layout data can affect both container attrs and immediate child attrs; validate behavior for both sides when changing cleanup or propagation.
+
+## Grid assignment
+
+- Grid `assign-cells` ensures at least one column and row, skips absolute-position children, creates non-tracked rows/cols when children exceed tracked cells, and asserts that assigned cells do not overlap.
+- Grid deassignment removes cells for shapes that are no longer direct children or have become absolute-positioned.
+- Auto-positioning is not just sorting: some auto cells are converted to manual when empty/manual/span state would break the auto sequence, then auto single-span items can be compacted.
+- `fix-overlaps` is marked dev-only and removes one overlapping cell, preferring empty cells first. Avoid depending on it as normal production repair.

.serena/memories/common/test-setup.md

@@ -0,0 +1,48 @@
+# Common Module Test Setup
+
+`common/` is CLJC shared code. Tests should cover the relevant runtime(s): JVM for backend/common logic and JS for frontend/exporter behavior. For geometry, component, and file-model changes, JVM tests are common and fast, but JS/browser behavior can differ when WASM modifier math or CLJS-specific state is involved.
+
+## Running tests
+
+From `common/`:
+
+```bash
+pnpm run test:jvm
+clojure -M:dev:test
+pnpm run test:jvm --focus common-tests.logic.variants-switch-test
+clojure -M:dev:test --focus common-tests.logic.variants-switch-test/test-basic-switch
+pnpm run test:js
+pnpm run test:quiet
+pnpm run test:quiet -- --focus common-tests.logic.comp-sync-test
+pnpm run test:quiet -- --focus common-tests.logic.comp-sync-test/test-sync-when-changing-attribute --log-level warn
+pnpm run watch:test
+```
+
+Use `test:quiet` for non-interactive JS runs; it buffers `build:test` output and forwards runner args. Common JS runner args support `--focus <namespace-or-var>` and `--log-level trace|debug|info|warn|error`. After `pnpm run build:test`, direct compiled runner focus is faster: `node target/tests/test.js --focus common-tests.logic.comp-sync-test/test-sync-when-changing-attribute --log-level warn`. New common JS test namespaces must be required/listed in `common_tests/runner.cljc`; new vars in existing namespaces need no runner change. Multiple JVM `--focus` flags compose as a union.
+
+## Test helpers
+
+Helpers live under `common/src/app/common/test_helpers/` and are usually aliased with short `th*` prefixes. Test namespaces using label->uuid helpers should start with `(t/use-fixtures :each thi/test-fixture)` so labels reset between tests.
+
+Useful builders:
+- `thf/sample-file` creates a base file.
+- `tho/add-simple-component` creates a simple component.
+- `thc/instantiate-component` instantiates a component copy.
+- `thv/add-variant-with-child` creates a variant container with two child variants.
+- `thv/add-variant-with-copy` creates variants whose children are component instances.
+
+`add-variant-with-copy` does not accept position params for children; use `gsh/absolute-move` after creation if positions matter.
+
+## Driving production paths
+
+For shape mutations, prefer production-path helpers such as `cls/generate-update-shapes` plus `thf/apply-changes`. For component swaps with keep-touched behavior, use `tho/swap-component-in-shape` with `{:keep-touched? true}`.
+
+`thf/apply-changes` validates by default and usually gives the most useful invariant failure. Pass `:validate? false` only for intentionally malformed intermediate state.
+
+## Geometry setup caution
+
+For geometry-sensitive tests, read `mem:common/geometry-invariants` before positioning shapes. Use geometry-preserving helpers or production change helpers rather than direct single-field edits.
+
+## Debugging
+
+Use `mem:common/component-debugging-recipes` for shape-tree dumps, undo/change inspection, and temporary live instrumentation recipes.

.serena/memories/common/text-subtleties.md

@@ -0,0 +1,14 @@
+# Common Text Subtleties
+
+## DraftJS compatibility
+
+- `app.common.text` is legacy DraftJS conversion support. New text work should prefer the newer text type namespaces unless specifically touching DraftJS conversion.
+- DraftJS style values are encoded as Transit strings under `PENPOT$$$<key>$$$<encoded>` style names. `PENPOT_SELECTION` is a special marker.
+- Text conversion uses Unicode code points on both CLJ and CLJS paths, not UTF-16 code units. This matters for offsets around emoji and astral characters.
+- Draft conversion fixes gradient type strings back to keywords.
+
+## Modern text content
+
+- Modern text content schema is narrow: root -> paragraph-set -> paragraph -> text nodes.
+- `position-data` is derived layout/geometry/font fragment data and should be treated as generated state, not source-of-truth file data.
+- Token propagation and some non-current-page text updates drop `:position-data` so it can be regenerated in the right runtime context.

.serena/memories/common/tokens-schema-subtleties.md

@@ -0,0 +1,17 @@
+# Common Tokens and Schema Subtleties
+
+## Tokens
+
+- `TokensLib` always ensures an internal hidden theme exists and defaults active themes to that hidden theme path. That hidden theme represents the UI state where active sets are controlled without modifying a user-created theme.
+- `get-tokens-in-active-sets` merges tokens from sets selected by active themes in set order, so later active sets with the same token name override earlier ones.
+- Activating a real theme in `common.logic.tokens` removes the hidden theme from the active-theme set unless it is the only active theme. Toggling active sets directly copies current active sets into the hidden theme.
+- DTCG import/export deliberately hides the internal hidden theme: exports omit it from `$themes` and activeThemes, while `activeSets` records the hidden/current active sets.
+- Single-set DTCG/legacy imports throw if no supported tokens are found. Multi-set import normalizes set names, keeps `tokenSetOrder`, rejects conflicting token path names, discards unsupported token types, and validates theme sets against existing sets.
+- Token values stored on shapes are token names in `:applied-tokens`, not token ids. Renames and group renames must update those name paths.
+- Token serialization has both Transit handlers for frontend/backend transport and Fressian handlers for internal file-data storage, with migrations for older token-lib internal versions.
+
+## Schema
+
+- `app.common.schema/json-transformer` has custom map-of key decoding/encoding, so map keys can be transformed based on the key schema instead of only the value schema.
+- `check-fn` throws `ex-info` with default `:type :assertion`, `:code :data-validation`, and `::explain`. Prefer reusable `check-fn`/lazy validators in hot or repeated paths; `sm/check` creates a checker every call.
+- `coercer` decodes with the JSON transformer and then checks. This is the common pattern for accepting external JSON-shaped data into internal types.

.serena/memories/critical-info.md

@@ -0,0 +1,62 @@
+You are working on the GitHub project `penpot/penpot`, a monorepo.
+
+# Memory system
+
+- Memories are the primary project guidance (not docs or other readme files).
+- A section's top-level memory is `<section>/core`. When a section is relevant, read the core memory
+   before focused memories.
+- Edits/stale refs/duplication cleanup: `mem:memory-maintenance`.
+
+# Development workflow
+
+- Commit only when explicitly asked. Commit/PR format + changelog: `mem:workflow/creating-commits`, `mem:workflow/creating-prs`. Issue creation (titles, labels, body templates, Issue Types): `mem:workflow/creating-issues`.
+- You have access to the GitHub CLI `gh` or corresponding MCP tools.
+- Issues are also managed on Taiga. Read issues using the `read_taiga_issue` tool.
+- Before writing code, analyze the task in depth and describe your plan. If the task is complex, break it down into atomic steps.
+  *After making changes, run the applicable lint and format checks for the affected module before considering the work done (per example `mem:backend/core` or `mem:frontend/core`).
+- Never run anything that destroys data without explicit permission, including `drop-devenv`, `docker compose down -v`, `docker volume rm ...`. The user's real work lives in the volumes of the shared infra.
+
+# Project modules
+
+This is a monorepo. Principles that apply to one module do *not* generally apply to others. Do not make assumptions.
+
+- `frontend/`: ClojureScript + SCSS SPA/design editor.
+- `backend/`: JVM Clojure HTTP/RPC server with PostgreSQL, Redis, storage, mail, and workers.Runtime services and the task-queue vs Pub/Sub topology that constrains horizontal scaling: `mem:prod-infra/core`.
+- `common/`: shared CLJC data types, geometry, schemas, file/change logic, and utilities.
+- `render-wasm/`: Rust -> WebAssembly Skia renderer consumed by frontend.
+- `exporter/`: ClojureScript/Node headless Playwright SVG/PDF export.
+- `mcp/`: TypeScript Model Context Protocol integration.
+- `plugins/`: TypeScript plugin runtime/examples and Plugin API types.
+- `library/`: design library workflows.
+- `docs/`: documentation site.
+
+The memory is structured in a way that you can get the critical information about the
+module. You can read it from `mem:<MODULE>/core`
+
+# Low-centrality project paths
+
+- `docker/` contains devenv related code, not needed unless specifically instructed.
+   When working on devenv startup, compose layout, instance config (`defaults.env`),
+   tmux session lifecycle, MinIO provisioning, or anything in `manage.sh`'s
+   `*-devenv` commands, read `mem:devenv/core`.
+- `experiments/` contains standalone experimental HTML/JS/scripts; treat it as non-core unless the user explicitly asks about it.
+- `sample_media/` contains sample image/icon media and config used as fixtures/demo material; do not infer app behavior from it.
+
+# Dependency graph
+
+`frontend -> common`, `backend -> common`, `exporter -> common`, and `frontend -> render-wasm`. Changes in `common` can
+affect frontend, backend, exporter, file migrations, and design-library behavior; validate across consumers when
+semantics change.
+
+# Working with Penpot designs
+
+- Before automating or inspecting Penpot designs through the Plugin API, call the Penpot MCP `high_level_overview` tool.
+- connection between the JavaScript plugin API and the ClojureScript code: `mem:frontend/plugin-api-to-cljs-binding`.
+- executing ClojureScript code in the frontend: `mem:frontend/cljs-repl`.
+- handling Clojure compiler errors, runtime patching and debug helpers: `mem:frontend/handling-errors-and-debugging`.
+
+## Detecting Crashes
+
+The Penpot frontend can crash silently from the JS API's perspective: `execute_code` calls return successfully, but 1-2s later the workspace becomes unusable (Internal Error page).
+The `execute_code` tool then stops working, but `cljs_repl` still works. Use it to detect a crash via `(some? (:exception @app.main.store/state))`.
+For details on handling crashes, read memory `mem:frontend/handling-crashes`.

.serena/memories/devenv/core.md

@@ -0,0 +1,73 @@
+# Devenv startup and configuration
+
+Compose-based dev environment under `docker/devenv/`, driven by `manage.sh`. Parallel instances share infra + Postgres + MinIO; each instance has its own `main` container, Valkey, source checkout, tmux session.
+
+## Compose project layout
+
+- `penpotdev-infra`: shared `postgres`, `minio`, `minio-setup`, `mailer`, `ldap`. File: `docker-compose.infra.yml`.
+- `penpotdev-wsN` (N=0,1,…): per-instance `main` + `redis` (Valkey). File: `docker-compose.main.yml`. ws0 (a.k.a. `main`) binds `$PWD`; ws1+ bind clones at `${PENPOT_WORKSPACES_DIR}/wsN/` (default `~/.penpot/penpot_workspaces/`), maintained by the developer.
+- All projects join external network `penpot_shared`. Created idempotently by `ensure-devenv-network`, never removed by lifecycle commands.
+
+## Source-of-truth files
+
+- `docker/devenv/defaults.env`: ws0 baseline — container/volume names, runtime env, published host ports, tmux defaults. `manage.sh` aborts if unreadable.
+- For ws1+, `instance-env-overrides` computes the per-instance overrides (container/volume names, host ports offset `10000·N`, `PENPOT_PUBLIC_URI`, `PENPOT_REDIS_URI`, `PENPOT_BACKEND_WORKER=false`) and `instance-compose` injects them as env vars at compose time — never written to disk, recomputed each call so they can't drift. ws0 uses `defaults.env` as-is.
+- `backend/scripts/_env`: backend-internal only — secret keys, `PENPOT_FLAGS` (with `enable-backend-worker` gated on `PENPOT_BACKEND_WORKER`), `JAVA_OPTS`, `setup_minio()`. Never duplicates `defaults.env`.
+- Compose files use pure `${VAR}` substitution; missing var = compose fails.
+
+## Invariants
+
+- `infra-compose` / `instance-compose` wrap `docker compose` with `env -i`, then re-inject what compose needs. Stripping is required because `defaults.env` is sourced into manage.sh's shell at startup (stale values would leak); the ws1+ overrides are deliberately re-injected as shell env vars precisely because Compose gives shell precedence over `--env-file`, so they override the `defaults.env` baseline.
+- Volume names pinned via `name:` (PENPOT_*_VOLUME), decoupled from the compose project name. ws1+ inject distinct per-instance volume names; ws0 keeps the historical `penpotdev_*` physical names so project renames never require data migration.
+- Network aliases (`- main`, `- redis`) are not declared in main.yml. Compose's auto-service-alias still registers `redis` on the shared network, so DNS for `redis` is non-deterministic with multiple instances. Backend uses `PENPOT_REDIS_URI=redis://penpot-devenv-wsN-valkey/0` (container_name) instead.
+- No cross-project `depends_on`. `manage.sh ensure-infra-up` `docker wait`s on the `minio-setup` one-shot.
+- `JAVA_OPTS` in `manage.sh` is shadowed inside the container by `_env`. The `-e JAVA_OPTS=...` flag only matters for processes that don't source `_env`.
+
+## Worker policy
+
+Backend workers run only on ws0. `_env` gates `enable-backend-worker` on `PENPOT_BACKEND_WORKER`; ws1+ inject it as false. ws0 must be running whenever any ws1+ is running, and is the last instance to stop — `run-devenv-agentic --ws N` (N≥1) auto-starts ws0 first; `stop-devenv` refuses to stop ws0 while any ws1+ is up. Workers are pure fire-and-forget: `wrk/submit!` inserts a row into the shared Postgres `task` table and returns; RPC handlers never wait on completion and workers never publish to msgbus. The reason for "ws0 only" is avoiding multi-instance worker races (cron dedup is best-effort across instances, `wrk/submit!` `dedupe` is racy across submitters); details in `mem:prod-infra/core`.
+
+## Port layout
+
+Container-internal ports fixed; host side offset `10000·N`.
+
+| ws0 | ws1 | wsN | container | role |
+|---|---|---|---|---|
+| 3449 | 13449 | 3449+10000·N | 3449 | public HTTPS (Caddy; `/mcp/ws` same-origin) |
+| 3449/udp | 13449/udp | … | 3449/udp | HTTP/3 |
+| 4401 | 14401 | … | 4401 | MCP HTTP stream |
+| 4403 | 14403 | … | 4403 | MCP REPL |
+| 14181 | 24181 | … | 14281 | Serena MCP |
+| 14182 | 24182 | … | 24282 | Serena dashboard |
+
+Everything else (frontend dev, backend API, exporter, storybook, REPLs, plugin dev, MCP inspector/WebSocket) is in-process or same-origin via Caddy/nginx. Infra publishes: mailer 1080, ldap 10389/10636 (singletons, not offset).
+
+## Tmux + MCP routing
+
+`docker/devenv/files/start-tmux.sh` is session-level idempotent. Reads `PENPOT_TMUX_ATTACH`. If the session exists it attaches or exits; otherwise creates 4 base windows (frontend watch / storybook / exporter / backend) plus `mcp` (when `enable-mcp` in `PENPOT_FLAGS`) and `serena` (when `SERENA_ENABLED=true`). `run-devenv-agentic` always sets both env vars. The legacy `run-devenv` alias doesn't, hence its 4-window-only session. To switch from a legacy session to agentic, `stop-devenv` then `run-devenv-agentic` — the conditional windows are only added at session create time.
+
+MCP plugin routing is same-origin: frontend uses `<public-uri>/mcp/ws`, per-instance nginx proxies to MCP port 4401 in-container. For the plugin↔MCP server wiring (how the browser plugin discovers the URL, the in-memory connection registry, why DB-mediated routing isn't needed), see `mem:mcp/core`.
+
+## Workspace orchestration (ws1+)
+
+Workspace directories are user-maintained at `${PENPOT_WORKSPACES_DIR}/wsN`. `run-devenv-agentic --ws i` syncs only when `--sync` is passed, with one exception: if the workspace directory is missing on first use, sync runs implicitly to seed it.
+
+`sync-workspace wsN`:
+1. `assert-clean-git-state` — refuses on `.git/{rebase-apply,rebase-merge,MERGE_HEAD,CHERRY_PICK_HEAD,index.lock}`. No `--sync-force` escape.
+2. `rsync -a --delete $PWD/.git/ $workspace/.git/`.
+3. `git ls-files -z --cached --others --exclude-standard` → `rsync --files-from` (Git is the authority on tracked files; rsync's gitignore filter would drop committed files under gitignored parents like `.clj-kondo/config.edn`).
+4. Initial-only copy of `frontend/resources/public/js/config.js` (gitignored, but agentic mode needs it). After the first sync the workspace's copy belongs to the developer — subsequent syncs leave it alone.
+5. `git switch -C "wsN/<current-branch>"` inside the workspace.
+
+No `--delete` on the working-tree pass: gitignored caches in the workspace survive. Workspace dir + named volumes survive `compose down`.
+
+## CLI surface
+
+- `run-devenv-agentic [--ws main|0|wsN|N] [--sync] [--serena-context CTX]`: bring one instance up. Agentic only — MCP and Serena windows are always created. Default target main. Errors out if the target is already running. `--sync` is rejected on main; on ws1+ it's optional (forced only when the workspace dir does not exist yet). Auto-starts ws0 first when the target is ws1+ and ws0 is not yet up.
+- `stop-devenv [--ws main|0|wsN|N] [--all]`: stop instances. Flags mutually exclusive. `--ws N` (N≥1) stops just that workspace. `--ws 0` or no flag stops ws0 + shared infra, refused while any ws1+ is running. `--all` stops every ws highest-first then ws0, then infra.
+- `run-devenv`: legacy alias, ws0 non-agentic attached.
+- `attach-devenv [--ws main|0|wsN|N]`: pure attach. Fails fast if instance/session missing.
+- `run-devenv-shell [--instance 0|wsN|N] [cmd...]`: bash in target instance. (`--instance` flag not yet renamed to `--ws`.)
+- `start-devenv` / `log-devenv` / `drop-devenv`: legacy paths around ws0 + shared infra. `drop-devenv` never removes volumes.
+
+`exporter/scripts/run` and `wait-and-start.sh` source `backend/scripts/_env` then `_env.local` if present.

.serena/memories/exporter/core.md

@@ -0,0 +1,33 @@
+# Exporter Architecture and Workflow
+
+`exporter/`: CLJS/Node headless export service. Depends on `common/`; uses Playwright plus export JS/CLJS deps for SVG/PDF/assets.
+
+## Layout and commands
+
+- Source: `exporter/src/`; config: `deps.edn`, `shadow-cljs.edn`, `package.json`; runtime helpers/assets: `vendor/`, `scripts/`.
+- From `exporter/`: setup `./scripts/setup`; watch `pnpm run watch` or `pnpm run watch:app`; production build `pnpm run build`; lint `pnpm run lint`; format check/fix `pnpm run check-fmt` / `pnpm run fmt`.
+- Because exporter consumes `common/`, shared file/shape/model changes may need exporter verification even when the immediate change is not under `exporter/`.
+
+## HTTP and browser pool
+
+- POST body limit is about 60 MB. Exporter supports `application/transit+json`; request params merge query params and body params.
+- Map response bodies are Transit JSON and force HTTP 200; nil 200 bodies become 204.
+- Auth token comes from cookie `auth-token`, then uploads use Bearer auth plus the management shared key.
+- Each export job gets a fresh Playwright browser context. On success, the context closes and the browser returns to the pool; on error, the browser is destroyed instead of reused.
+- Borrow validates browser connection. Pool acquire timeout is about 10s; font loading timeout logs a warning and continues after about 15s.
+
+## Export batching and async behavior
+
+- `prepare-exports` groups entries by `[scale type]` and partitions groups into chunks of 50. Each partition uses file/page/share/name from its first item, so be careful if entries might cross those boundaries.
+- Single-export response is used only when multiple export is not forced and there is exactly one prepared export containing exactly one object.
+- Multi-object export can run async: when `wait` is false it returns a resource immediately and publishes progress/end/error to Redis by profile topic; when `wait` is true it waits for upload and returns the uploaded resource.
+- Frame export returns a resource immediately and publishes Redis updates; it does not follow the same `wait` option path.
+- ZIP entry names are sanitized and duplicates receive numeric suffixes.
+
+## Render details
+
+- Bitmap export differs for WASM vs non-WASM render paths: WASM forces Playwright `deviceScaleFactor` to 1 and passes scale through the render URL; non-WASM uses `deviceScaleFactor = scale`.
+- WebP is produced by taking a PNG screenshot and converting it with ImageMagick.
+- SVG export rasterizes text foreignObjects to PNG, converts through PPM/color masks/potrace, and reassembles SVG paths. It also replaces non-breaking spaces for SVG compatibility and drops empty defs/paths.
+- PDF export injects `@page` sizing through raw browser `evaluate` JavaScript; that code cannot rely on CLJS runtime helpers.
+- Temporary resources schedule local deletion, then uploads POST to `/api/management/methods/upload-tempfile` with `X-Shared-Key: exporter <management-key>` and Bearer auth.

.serena/memories/frontend/cljs-repl.md

@@ -0,0 +1,94 @@
+# ClojureScript REPL and Frontend Debugging
+
+Execute code in the live frontend via the Penpot MCP `cljs_repl` tool. For browser-console debugging, the frontend also exports a `debug` JS namespace in development builds.
+
+## Accessing app state
+
+The main store is `app.main.store/state`. It contains workspace metadata, selection, UI state, profile, route, etc. Page objects are not under a `:workspace-data` key; use derived refs.
+
+```clojure
+;; Current selection
+(mapv str (get-in @app.main.store/state [:workspace-local :selected]))
+
+;; Current page objects
+(let [objects @app.main.refs/workspace-page-objects
+      shape (get objects (parse-uuid "some-uuid-here"))]
+  (select-keys shape [:name :type :x :y :width :height :fills :strokes :rotation :opacity :frame-id :parent-id]))
+```
+
+Shape keys use kebab-case keywords. Internal `:rect` corresponds to "rectangle" in the JS Plugin API, and `:frame` corresponds to "board".
+
+Component instance shapes carry `:component-id` and `:component-file` directly; `:component-root` flags the root of an instance. Use `app.common.types.container/get-head-shape` for nearest head and `get-instance-root` for outermost root; they differ for nested instances.
+
+## Navigation recipe
+
+To programmatically open a workspace file, all three ids are required:
+
+```clojure
+(do (require '[app.main.data.common :as dcm])
+    (app.main.store/emit! (dcm/go-to-workspace
+      :team-id (parse-uuid "<team-id>")
+      :file-id (parse-uuid "<file-id>")
+      :page-id (parse-uuid "<page-id>"))))
+```
+
+Get `team-id` from `(:current-team-id @app.main.store/state)`. Get file ids from `(vals (:files @app.main.store/state))`. Get page ids by fetching file data, e.g. through `rp/cmd! :get-file` with current features.
+
+## Reload the live runtime
+
+`(.reload js/location)` (alias `app.util.dom/reload-current-window`) from `cljs_repl` reloads the browser page: clears `set!` runtime patches, re-fetches file state, and is the simplest crash recovery while the repl is live (`mem:frontend/handling-crashes`). To re-fetch only the current file's data without a full page reload, emit `(app.main.store/emit! (potok.v2.core/event :app.main.data.workspace/reload-current-file))`.
+
+## Useful lookup helpers
+
+`app.plugins.utils` contains state lookup helpers that are useful from any CLJS, despite living under `plugins/`:
+
+- `locate-shape`, `locate-objects`, `locate-file`.
+- `locate-component` resolves through the outermost instance root.
+- `locate-head-component` resolves through the nearest component head.
+- `locate-library-component` does direct file-id/component-id lookup.
+
+## Runtime patching with `set!`
+
+Some frontend vars are deliberately mutable escape hatches for runtime instrumentation or circular-dependency patching. From `cljs_repl`, use `set!` for temporary debugging of CLJS vars such as `app.main.store/on-event`, `app.main.errors/reload-file`, `app.main.errors/is-plugin-error?`, `app.main.errors/last-report`, or `app.main.errors/last-exception`. These patches affect only the live browser runtime and disappear on reload or recompilation.
+
+```clojure
+;; Log non-noisy Potok events temporarily.
+(set! app.main.store/on-event
+      (fn [event]
+        (when (potok.v2.core/event? event)
+          (.log js/console (potok.v2.core/repr-event event)))))
+```
+
+Restore mutable hooks after debugging, or reload the frontend. Use JVM `alter-var-root` only for JVM Clojure; it is not the normal way to patch live CLJS browser vars.
+
+## Browser-console debug namespace
+
+In development, the JS console exposes `debug` helpers from `frontend/src/debug.cljs`:
+
+```javascript
+debug.set_logging("namespace", "debug");
+debug.dump_state();
+debug.dump_buffer();
+debug.get_state(":workspace-local :selected");
+debug.dump_objects();
+debug.dump_object("Rect-1");
+debug.dump_selected();
+debug.dump_tree(true, true);
+```
+
+Visual workspace debug overlays can be toggled with `debug.toggle_debug("bounding-boxes")`, `"group"`, `"events"`, or `"rotation-handler"`; `debug.debug_all()` and `debug.debug_none()` toggle all visual aids.
+
+For temporary source traces, prefer existing logging (`app.common.logging` / `app.util.logging`) or short-lived `prn`, `app.common.pprint/pprint`, `js/console.log`, or `js-debugger` calls. Remove temporary source instrumentation before committing.
+
+## Runtime targeting
+
+`cljs_repl` may connect to the wrong runtime when several are attached, such as workspace plus rasterizer. Verify with `(.-title js/document)`; it should show the workspace file name, not "Penpot - Rasterizer".
+
+To list or target shadow-cljs runtimes, run from `/home/penpot/penpot/frontend`:
+
+```bash
+printf '(shadow.cljs.devtools.api/repl-runtimes :main)\n' | timeout 10 npx shadow-cljs clj-eval --stdin
+printf '(shadow.cljs.devtools.api/cljs-eval :main "<cljs-code>" {:client-id 5})\n' | timeout 10 npx shadow-cljs clj-eval --stdin
+```
+
+Use command timeouts so a disconnected browser does not hang the session.

.serena/memories/frontend/compile-diagnostics.md

@@ -0,0 +1,22 @@
+# Frontend Compile Diagnostics
+
+Separate from runtime crash recovery.
+
+## First check the shadow-cljs build
+
+Use the Penpot MCP `cljs_compiler_output` tool to inspect the latest shadow-cljs `:main` build status. This is the fastest way to distinguish a bad build from a runtime error in the browser.
+
+Recommended order after CLJ/CLJC/CLJS source edits:
+1. Run `cljs_compiler_output`.
+2. If the compiler reports a Clojure syntax problem, especially unmatched delimiters or a confusing location, run `clj_check_parentheses` on the absolute path of the suspect `.clj`, `.cljc`, or `.cljs` file.
+3. After the build is healthy, use `mem:frontend/cljs-repl`, browser tools, or runtime crash checks for behavior.
+
+## Parentheses checker
+
+`clj_check_parentheses` analyzes one Clojure/ClojureScript source file and reports the area likely responsible for unclosed parentheses/brackets/braces. Use it when compiler output points near EOF, points at a misleading later form, or says delimiter-related syntax errors.
+
+## Hot reload notes
+
+When the frontend shadow-cljs watch process is running, edits to CLJC files in `common/` are normally recompiled into the browser automatically. Do not restart the frontend before checking `cljs_compiler_output`; stale behavior is often a failed build.
+
+For production/minified stack traces, build the production bundle from `frontend/` with `pnpm run build:app`. Output and source maps are generated under `frontend/resources/public/js`; inspect source maps or shadow-cljs reports using build ids from `shadow-cljs.edn`.

.serena/memories/frontend/core.md

@@ -0,0 +1,54 @@
+# Frontend Architecture and Workflow
+
+Frontend: CLJS SPA; React/Rumext; Potok; RxJS; okulary refs; SCSS modules; shared `common/`; JS/TS workspace packages.
+
+## Stable namespace map
+
+- `app.main.ui.*`: Rumext/React UI components for workspace, dashboard, viewer, settings, auth, nitrate, etc.
+- `app.main.data.*`: Potok event handlers and side effects.
+- `app.main.refs`: reactive refs/lenses over store and derived workspace data.
+- `app.main.store`: Potok store and `emit!`.
+- `app.plugins.*` and `app.plugins`: CLJS implementation of Plugin JS API proxies.
+- `app.render_wasm.*`: frontend bridge to Rust/WASM renderer.
+- `app.util.*`: DOM, HTTP, i18n, keyboard, codegen, and general frontend utilities.
+- `frontend/packages/*` and `frontend/text-editor`: JS/TS workspace packages consumed by the app.
+- Nitrate subscription/organization UI and flows live under `app.main.data.nitrate` and `app.main.ui.nitrate*`; backend/API behavior is covered by backend memories, and shared permission rules are in `common/src/app/common/types/nitrate_permissions.cljc`.
+
+
+## Lint and Format
+
+From `frontend/`:
+
+- CLJ/CLJS lint: `pnpm run lint:clj`.
+- JS lint currently no-ops via `pnpm run lint:js`.
+- SCSS lint: `pnpm run lint:scss`.
+- Format checks: `pnpm run check-fmt:clj`, `pnpm run check-fmt:js`, `pnpm run check-fmt:scss`.
+- Format fix: `pnpm run fmt`, or targeted `fmt:clj` / `fmt:js` / `fmt:scss`.
+- Translation formatting after i18n edits: `pnpm run translations`.
+
+## Focused memory routing
+
+UI and packages:
+- App UI components, SCSS modules, style-system boundaries, accessibility, i18n, and render performance: `mem:frontend/ui-conventions-and-style-system`.
+- JS/TS packages, shared UI package, text editor, Storybook, and package builds: `mem:frontend/ui-packages-text-editor-workflow`.
+
+Workspace behavior:
+- Workspace state, commits, persistence, undo, repo calls, and refs: `mem:frontend/workspace-state-persistence-subtleties`.
+- Workspace transforms, modifier previews, WASM modifier integration, and transform commits: `mem:frontend/workspace-transform-subtleties`.
+- Workspace token application/propagation: `mem:frontend/workspace-token-subtleties`; shared token data/schema: `mem:common/tokens-schema-subtleties`.
+
+App shell and product flows:
+- Routing, root app shell, websocket, and global errors: `mem:frontend/routing-app-shell-subtleties`.
+- Dashboard and viewer flows: `mem:frontend/dashboard-viewer-subtleties`.
+- Plugin JS API runtime inside the frontend app: `mem:frontend/plugin-api-to-cljs-binding`.
+
+Diagnostics and validation:
+- Runtime inspection and navigation: `mem:frontend/cljs-repl`.
+- Source-edit compile/hot-reload diagnostics: `mem:frontend/compile-diagnostics`.
+- Runtime crash recovery: `mem:frontend/handling-crashes`.
+- Tests and live verification: `mem:frontend/testing`.
+- Real pointer/keyboard gesture reproduction: `mem:frontend/playwright-gestures`.
+
+## Areas without focused memories
+
+These frontend areas currently have no dedicated Serena memory beyond this architecture entry and nearby source/tests: clipboard, drawing tools, boolean/path operations, interactions/prototyping, color/style asset management, grid-layout editing UI, comments UI, fonts UI, and many dashboard/settings subflows. Treat work there as less memory-covered and inspect source/tests more carefully.

.serena/memories/frontend/dashboard-viewer-subtleties.md

@@ -0,0 +1,16 @@
+# Frontend Dashboard and Viewer Subtleties
+
+## Dashboard
+
+- Dashboard initialization fetches projects and fonts for the team, then listens to websocket messages only for global topic `uuid/zero` or the current profile id.
+- Project fetch replaces each project map completely instead of merging, so fields such as `deleted-at` can disappear cleanly.
+- Dashboard file/project mutations are often optimistic local updates with fire-and-forget RPC watchers. Bulk permanent delete/restore paths use SSE progress and progress notifications.
+- File creation/duplication strips file `:data` before putting file summaries into dashboard state.
+
+## Viewer
+
+- Viewer initialization sets `:current-file-id`, `:current-share-id`, and `:viewer-local`, then fetches the view-only bundle. Comment threads are fetched only for logged-in users.
+- Viewer bundle fetch sends the full supported feature set because anonymous shared viewers may not know team-enabled features.
+- View-only bundles can contain pointer values in `:pages-index` and file data. Viewer resolves those fragments with `:get-file-fragment` before storing the bundle.
+- `bundle-fetched` indexes pages and precomputes viewer frames/all-frames, stores libraries/users/thumbnails/permissions under `:viewer`, then navigates to frame id, query index, or auto-selected frame.
+- Viewer zoom and interaction mode changes update both `:viewer-local` and the `:viewer` route query params.

.serena/memories/frontend/handling-crashes.md

@@ -0,0 +1,38 @@
+# Frontend Runtime Crash Handling
+
+## Detect a runtime workspace crash
+
+Runtime crashes usually show the Internal Error page with title text "Something bad happened" and class `main_ui_static__download-link`. A common pattern is: changes go through via JS API / `execute_code`, then 1-2s later an `update-file` request reaches the backend and is rejected.
+
+After a crash, `execute_code` can become unusable because no plugin instances are connected and any data in its `storage` is lost, but `cljs_repl` usually still works.
+
+Check crash state:
+
+```clojure
+(some? (:exception @app.main.store/state))
+```
+
+It returns `true` when the Internal Error page is showing and `false` on a healthy workspace or after a successful reload.
+
+## Read the runtime cause
+
+The exception is stored at `(:exception @app.main.store/state)`. Useful keys:
+
+- `:type`, `:code`, `:status`: error class, e.g. `:validation`, `:referential-integrity`, `400`.
+- `:hint`, `:details`: human-readable explanation; `:details` often contains validation problems with `:shape-id`, `:page-id`, `:args`, etc.
+- `:uri`: API endpoint that returned the error, e.g. `update-file`.
+- `:app.main.errors/instance`: underlying JS Error object.
+- `:app.main.errors/trace`: JS stack trace string, usually response-handling path rather than the dispatch site that produced the bad change.
+
+```clojure
+(let [ex (:exception @app.main.store/state)]
+  (select-keys ex [:type :code :status :hint :details :uri]))
+```
+
+For backend validation errors (`:type :validation`), `:details` is usually the most informative field; it identifies the shape and invariant that failed.
+
+## Recover and continue testing
+
+Simplest path when `cljs_repl` is still live (usually true after a crash): reload via repl with `(.reload js/location)` — see `mem:frontend/cljs-repl`. Alternatively via Playwright: find the workspace tab (URL contains `/#/workspace`, title ends `- Penpot`), select it if not current, then `playwright:browser_navigate` to that same URL. Either way, confirm recovery with `(some? (:exception @app.main.store/state))` returning `false`.
+
+For backend-rejected changes, such as validation errors on `update-file`, changes are not persisted. Reload restores the pre-crash state, so it is safe to retry after fixing the cause.

.serena/memories/frontend/handling-errors-and-debugging.md

@@ -0,0 +1,49 @@
+# Handling Errors and Debugging
+
+## Finding source errors
+
+You have access to two tools for finding errors in Clojure source code (which you may introduce yourself through edits):
+
+1. cljs_compiler_output
+2. clj_check_parentheses
+
+The latter is needed because syntax errors in parentheses give an uninformative compiler error, and the second
+tool can often find the exact location of such errors.
+
+## Runtime patching with `set!`
+
+Some frontend vars are deliberately mutable escape hatches for runtime instrumentation or circular-dependency patching. 
+From `cljs_repl`, use `set!` for temporary debugging of CLJS vars such as 
+`app.main.store/on-event`, `app.main.errors/reload-file`, `app.main.errors/is-plugin-error?`, 
+`app.main.errors/last-report`, or `app.main.errors/last-exception`. 
+These patches affect only the live browser runtime and disappear on reload or recompilation.
+
+```clojure
+;; Log non-noisy Potok events temporarily.
+(set! app.main.store/on-event
+      (fn [event]
+        (when (potok.v2.core/event? event)
+          (.log js/console (potok.v2.core/repr-event event)))))
+```
+
+Restore mutable hooks after debugging, or reload the frontend. Use JVM `alter-var-root` only for JVM Clojure; 
+it is not the normal way to patch live CLJS browser vars.
+
+## Browser-console debug namespace
+
+In development, the JS console exposes `debug` helpers from `frontend/src/debug.cljs`:
+
+```javascript
+debug.set_logging("namespace", "debug");
+debug.dump_state();
+debug.dump_buffer();
+debug.get_state(":workspace-local :selected");
+debug.dump_objects();
+debug.dump_object("Rect-1");
+debug.dump_selected();
+debug.dump_tree(true, true);
+```
+
+Visual workspace debug overlays can be toggled with `debug.toggle_debug("bounding-boxes")`, `"group"`, `"events"`, or `"rotation-handler"`; `debug.debug_all()` and `debug.debug_none()` toggle all visual aids.
+
+For temporary source traces, prefer existing logging (`app.common.logging` / `app.util.logging`) or short-lived `prn`, `app.common.pprint/pprint`, `js/console.log`, or `js-debugger` calls. Remove temporary source instrumentation before committing.

.serena/memories/frontend/penpot-to-browser-coords.md

@@ -0,0 +1,117 @@
+# Penpot Canvas → Playwright Viewport Coordinate Mapping
+
+## Goal
+Map Penpot shape coordinates (from the JS/ClojureScript API) to browser viewport CSS pixels
+so that Playwright mouse actions (click, drag, hover) can target specific canvas objects.
+
+## Key Facts
+
+### Playwright coordinate system
+Playwright mouse coordinates are **viewport CSS pixels**: `(0, 0)` is the top-left of the
+browser's rendered content area (not the screen, not the OS window chrome).
+`getBoundingClientRect()` returns the same coordinate system — they are directly compatible.
+
+### Canvas element location
+The Penpot canvas is rendered by two co-located elements:
+- `<canvas>` — the rasterised render
+- `<svg id="render">` — vector overlay
+- `<svg class="...viewport-controls ...">` — interaction/control layer (has the `viewBox`)
+
+Get the canvas origin with:
+```js
+document.querySelector("#render").getBoundingClientRect()
+// => { left: 318, top: 0, width: 514, height: 586, ... }  (values vary with window size/panels)
+```
+The left offset (currently ~318 px) is caused by the left-side panel (layers, assets).
+
+### Zoom and pan state
+Available in two equivalent ways:
+
+**1. App state (ClojureScript):**
+```clojure
+(let [wl (get @app.main.store/state :workspace-local)]
+  {:zoom  (get wl :zoom)    ; scale factor: penpot-units → CSS pixels
+   :vbox  (get wl :vbox)})  ; Rect {:x :y :width :height} — penpot coords of visible area
+```
+
+**2. SVG viewBox attribute (DOM):**
+```js
+document.querySelector("svg.viewport-controls, [class*='viewport-controls']")
+  .getAttribute("viewBox")
+// => "670 658.31 224 255.38"  i.e. "vbox.x vbox.y vbox.width vbox.height"
+```
+Both sources are live and always in sync.
+
+### Coordinate conversion formula
+```
+viewport_x = canvas_left  + (penpot_x - vbox.x) * zoom
+viewport_y = canvas_top   + (penpot_y - vbox.y) * zoom
+```
+
+Sanity check: `vbox.width * zoom ≈ canvas CSS width` (and same for height). ✓
+
+### Device Pixel Ratio
+The canvas physical pixel size = CSS size × DPR (observed DPR = 1.25, so canvas internal
+size 642×732 vs CSS size 514×586). This does **not** affect the formula — both
+`getBoundingClientRect()` and Playwright use CSS pixels.
+
+### Ruler label offset
+The on-screen rulers show coordinates offset from absolute Penpot coordinates (they display
+frame-relative values, offset by ~the top-level frame's x/y). **Ignore for coordinate
+mapping** — use `vbox` directly.
+
+---
+
+## ClojureScript Helper (paste into cljs REPL session)
+
+```clojure
+(defn penpot->viewport-coords
+  "Convert Penpot canvas coordinates to browser viewport CSS pixel coordinates.
+   Returns {:vp-x <number> :vp-y <number>} — pass directly to Playwright mouse actions."
+  [penpot-x penpot-y]
+  (let [state       @app.main.store/state
+        wl          (get state :workspace-local)
+        vbox        (get wl :vbox)
+        zoom        (get wl :zoom)
+        canvas      (js/document.querySelector "svg.viewport-controls, #render")
+        canvas-rect (.getBoundingClientRect canvas)]
+    {:vp-x (+ (.-left canvas-rect) (* (- penpot-x (:x vbox)) zoom))
+     :vp-y (+ (.-top  canvas-rect) (* (- penpot-y (:y vbox)) zoom))}))
+```
+
+Usage example — click the center of a shape:
+```clojure
+(let [shape   (get-in @app.main.store/state [:files file-id :data :pages-index page-id :objects shape-id])
+      cx      (+ (:x shape) (/ (:width shape) 2))
+      cy      (+ (:y shape) (/ (:height shape) 2))
+      {:keys [vp-x vp-y]} (penpot->viewport-coords cx cy)]
+  ;; pass vp-x, vp-y to Playwright page.mouse.click(vp-x, vp-y)
+  {:vp-x vp-x :vp-y vp-y})
+```
+
+---
+
+## JavaScript equivalent (for use in Playwright scripts directly)
+
+```js
+function penpotToViewport(penpotX, penpotY) {
+  // Read viewBox from the controls SVG (always in sync with app state)
+  const svg = document.querySelector('[class*="viewport-controls"]');
+  const [vbX, vbY, vbW, vbH] = svg.getAttribute('viewBox').split(' ').map(Number);
+  const rect = svg.getBoundingClientRect();
+  const zoom = rect.width / vbW;  // == rect.height / vbH
+  return {
+    x: rect.left + (penpotX - vbX) * zoom,
+    y: rect.top  + (penpotY - vbY) * zoom,
+  };
+}
+```
+
+This function can be injected and called via `page.evaluate()` in Playwright:
+```js
+const {x, y} = await page.evaluate(
+  ([px, py]) => penpotToViewport(px, py),
+  [penpotX, penpotY]
+);
+await page.mouse.click(x, y);
+```

.serena/memories/frontend/playwright-gestures.md

@@ -0,0 +1,47 @@
+# Driving Real User Gestures via Playwright
+
+Use Playwright when the bug or behavior depends on Penpot's real input pipeline: pointer gestures, keyboard modifiers, drag/drop targeting, modifier propagation, hover/focus behavior, or alt-drag duplication. The plugin JS API and `penpot:execute_code` can bypass these paths by dispatching store/API operations directly.
+
+## When `execute_code` Is Not Enough
+
+`execute_code` runs in the plugin sandbox. It is excellent for creating shapes, calling Plugin API methods, and querying design data, but it does not faithfully reproduce all user gestures. If the issue involves interactive transforms, frame targeting during drop, drag previews, modifier keys, or canvas hit-testing, drive the browser with Playwright and inspect results via cljs-repl.
+
+## Gesture Pattern
+
+A reliable drag gesture generally needs:
+- focus on the canvas first;
+- key modifiers held from before mouse down until after mouse up;
+- intermediate mouse move events, not just start/end;
+- short waits so Penpot's drag pipeline observes the gesture;
+- a trailing wait for the transaction to commit.
+
+Alt-drag duplication example:
+
+```javascript
+async (page) => {
+  await page.mouse.click(700, 700);
+  await page.waitForTimeout(200);
+
+  const startX = 821, startY = 565, endX = 821, endY = 815;
+  await page.keyboard.down('Alt');
+  await page.mouse.move(startX, startY);
+  await page.waitForTimeout(100);
+  await page.mouse.down();
+  await page.waitForTimeout(100);
+  for (let i = 1; i <= 10; i++) {
+    const t = i / 10;
+    await page.mouse.move(startX + (endX - startX) * t,
+                          startY + (endY - startY) * t);
+    await page.waitForTimeout(20);
+  }
+  await page.waitForTimeout(100);
+  await page.mouse.up();
+  await page.waitForTimeout(100);
+  await page.keyboard.up('Alt');
+  await page.waitForTimeout(500);
+}
+```
+
+## Coordinate Planning
+
+For reliably finding pixel positions of objects, see `mem:frontend/penpot-to-browser-coords`.

.serena/memories/frontend/plugin-api-to-cljs-binding.md

@@ -0,0 +1,34 @@
+# Frontend Plugin API Runtime Subtleties
+
+## Type declarations vs runtime
+
+- The Plugin API is a public facade over internal frontend/common data. Do not expect Plugin API property names, value shapes, or behavior boundaries to match internal CLJS attrs or helper APIs; inspect the relevant proxy and internal code path before using Plugin API observations in production internals or tests.
+- `plugins/libs/plugin-types/index.d.ts` contains TypeScript declarations only. Runtime objects are CLJS proxies built under `frontend/src/app/plugins/*.cljs` with `obj/reify`.
+- `shape.cljs` builds shape proxies with hidden ids and per-property CLJS implementations. `library.cljs` builds library proxies such as `LibraryComponentProxy`.
+- `shape.cljs`, `library.cljs`, and related namespaces break circular dependencies with mutable nil vars patched from `app.plugins` at load time. If a proxy constructor appears nil, check the patching path in `frontend/src/app/plugins.cljs`.
+
+## Key Domain Namespaces
+- `app.common.types.component` (aliased `ctk`) — component predicates: `instance-root?`, `instance-head?`, `in-component-copy?`, `is-variant?`
+- `app.common.types.container` (aliased `ctn`) — container/tree operations: `in-any-component?`, `get-instance-root`, `get-head-shape`, `inside-component-main?`
+- `app.common.types.file` (aliased `ctf`) — file-level operations: `resolve-component`, `get-ref-shape`
+
+## Runtime initialization and permissions
+
+- The frontend initializes `@penpot/plugins-runtime` only after `features/initialize` and only when feature `plugins/runtime` is active. It also installs the runtime `isPluginError` predicate into frontend error handling.
+- Manifest parsing expands write permissions to read permissions (`content:write` => `content:read`, etc.). Permission checks also allow the all-zero plugin id and the hard-coded MCP plugin id.
+- Manifest URL origin differs by manifest version: v1 clears the path; v2 joins `.` to the plugin URL. Existing plugin ids are reused by matching manifest name and host.
+- The MCP plugin id is defined in `app.plugins.register` to avoid a circular dependency with workspace MCP code.
+
+## Proxy behavior
+
+- Public Plugin API objects are lightweight handles, not durable snapshots. Most getters locate fresh state from `app.main.store/state` using hidden `$id`, `$file`, `$page`, etc.
+- `not-valid` logs by default but throws when the plugin flag `throwValidationErrors` is enabled. The MCP execute-code handler deliberately enables that flag while running code.
+- `naturalChildOrdering` and `throwValidationErrors` are stored per plugin under `[:plugins :flags plugin-id ...]`; changing default behavior affects automation and MCP diagnostics.
+- Plugin data is stored under keyword namespaces: private data uses `(keyword "plugin" plugin-id)`, shared data uses `(keyword "shared" namespace)`.
+
+## Events and history
+
+- Plugin listeners are watches on the global store and callbacks are debounced about 10ms. Callback exceptions are caught and logged so plugin code does not crash the app.
+- `selectionchange` callbacks receive arrays of shape id strings, while `filechange`, `pagechange`, and `shapechange` return proxies.
+- `contentsave` fires only when persistence status transitions to `:saved`; it calls the callback with no value.
+- Plugin history `undoBlockBegin` creates a workspace undo transaction with a JS `Symbol`; `undoBlockFinish` commits that symbol. Missing finish eventually relies on the workspace transaction timeout.

.serena/memories/frontend/routing-app-shell-subtleties.md

@@ -0,0 +1,17 @@
+# Frontend Routing, App Shell, Websocket, and Error Subtleties
+
+## Router, app shell, and errors
+
+- Routing uses browser-history hash tokens, but `on-navigate` rejects navigation if the current origin/path does not match `cf/public-uri`.
+- Route params are split into `:path` and `:query`; duplicate query params can become vectors, so use `rt/get-query-param` when a scalar is required.
+- Unknown/empty routes trigger an extra `get-profile`/`get-teams` check before redirecting. This avoids invitation and root-route race conditions.
+- The root app renders an exception page from `:exception` state before the normal error boundary. `rt/navigated` clears `:exception`.
+- Frontend error handling treats stale cross-build JS chunk failures specially: messages containing `$cljs$cst$` or `$cljs$core$I` plus undefined/null/not-a-function signatures trigger throttled reload.
+- Plugin-originated uncaught errors are identified through the plugin runtime hook and logged rather than turning into the global exception page.
+
+## Store and websocket
+
+For general store mechanics such as `emit!`, `last-events`, persistence, and undo, read `mem:frontend/workspace-state-persistence-subtleties`.
+
+- Websocket initialization uses `cf/public-uri` joined with `ws/notifications`, converting `http/https` to `ws/wss`, and includes the current `session-id` as query param.
+- Reinitializing or finalizing websocket stops the previous receive stream. Incoming websocket payloads become Potok data events under `app.main.data.websocket/message`.

.serena/memories/frontend/testing.md

@@ -0,0 +1,35 @@
+# Frontend Testing and Live Verification
+
+Frontend validation: CLJS + React/Rumext + RxJS/Potok; SCSS modules; shared CLJC from `common/`.
+
+## Unit tests
+
+Frontend unit tests live under `frontend/test/frontend_tests/` and use `cljs.test`. They should be deterministic, avoid DOM/UI integration where possible, and mock side effects such as RPC, storage, timers, or network access.
+
+From `frontend/`:
+- Full unit test run: `pnpm run test:quiet`.
+- Focus a frontend CLJS test namespace: `pnpm run test:quiet -- --focus frontend-tests.logic.components-and-tokens`.
+- Focus one frontend CLJS test var: `pnpm run test:quiet -- --focus frontend-tests.logic.components-and-tokens/change-spacing-token-in-main-updates-copy-layout`.
+- Quiet `app.*` logging during a run: append `--log-level warn` (or `trace|debug|info|warn|error`).
+- Build test target only: `pnpm run build:test`.
+- After `pnpm run build:test`, direct compiled runner focus is faster: `node target/tests/test.js --focus frontend-tests.logic.components-and-tokens/change-spacing-token-in-main-updates-copy-layout`.
+- Watch tests: `pnpm run watch:test`.
+
+New frontend test namespaces must be required/listed in `frontend_tests/runner.cljs`; new vars in existing namespaces need no runner change.
+
+## Playwright integration tests
+
+Do not add, modify, or run Playwright integration tests under `frontend/playwright` unless explicitly asked. When explicitly asked, use `pnpm run test:e2e` or `pnpm run test:e2e --grep "pattern"` from `frontend/`; ensure dependencies are installed through `./scripts/setup` if the environment is not prepared.
+
+Integration tests fake backend behavior by intercepting network/websocket traffic, so every RPC or websocket the page needs must be mocked. Use existing Page Object Models:
+- `BasePage.mockRPC` intercepts RPC calls and already prefixes `/api/rpc/command/`; pass command names such as `get-profile`, not full URLs.
+- Workspace or other websocket-using pages should extend/use `BaseWebSocketPage`, initialize websocket mocks before each test, and mock `/ws/notifications` with the provided helpers.
+- Prefer common locators/actions in POMs; ad-hoc locators can stay in a single test.
+
+Locator priority should follow user-facing semantics: `getByRole`, `getByLabel`, `getByPlaceholder`, `getByText`, then semantic alternatives such as alt/title, with `getByTestId` as the last resort. Name tests from the user's perspective and prefer positive, single-purpose assertions.
+
+## Live browser verification
+
+Because CLJC compiles to both JVM and CLJS, JVM/common tests can miss frontend-only state caused by browser runtime, WASM modifier math, or real pointer events. Use `mem:frontend/cljs-repl` to inspect live app state and `mem:frontend/playwright-gestures` when real input is needed.
+
+For stale hot reload or failed CLJ/CLJC/CLJS source builds, read `mem:frontend/compile-diagnostics`. For Internal Error pages or delayed runtime crashes after automation/API actions, read `mem:frontend/handling-crashes`. Translation `.po` changes are bundled into `index.html` and require a browser refresh.

.serena/memories/frontend/ui-conventions-and-style-system.md

@@ -0,0 +1,56 @@
+# Frontend UI Conventions and Style System
+
+## CLJS app UI
+
+- Main app components live under `frontend/src/app/main/ui*` and normally use Rumext `mf/defc` with a `*` suffix for component vars and `[:> component* props]` call sites.
+- Components should have clear ownership. Use `children` for normal composition; use slotted props only when separate owned regions are needed. Do not style or structurally manipulate child DOM that the component did not instantiate.
+- Accept and merge a `class` prop when callers reasonably need layout/positioning customization. Use `mf/spread-props` so Rumext prop transformations such as `:class` -> `className` still apply.
+- Avoid boolean prop names ending in `?`; they do not translate cleanly to JavaScript props. Use type hints such as `^boolean` where JS truthiness/semantics matter.
+- Split large components into smaller private components when useful; `::mf/private true` is the local convention for private Rumext components.
+
+## Styling
+
+- Co-located SCSS modules are preferred. Use `app.main.style/stl` helpers from CLJS and design-system SCSS tokens/mixins instead of legacy global selectors or high-specificity nesting.
+- Keep CSS specificity low. Avoid nested selectors unless they target elements the component owns; CSS Modules already prevent class-name collisions.
+- Prefer CSS logical properties for directional spacing/layout (`padding-inline-start`, etc.). Physical `width`/`height` are still acceptable where they are clearer.
+- Use named design-system variables/tokens for spacing, borders, fixed dimensions, colors, and typography. Avoid hardcoded px/rem values and deprecated `resources/styles/common/refactor/spacing.scss` variables.
+- Use component-local CSS custom properties for variants and theming instead of one-off Sass variables when a component has multiple visual states.
+- Prefer DS typography components (`heading*`, `text*`) and typography mixins instead of plain text wrappers or deprecated typography mixins.
+
+## Accessibility
+
+- Prefer semantic HTML first: anchors for navigation/download/email links, buttons for actions, correct heading levels, and keyboard-focusable controls.
+- If native elements cannot be used, apply appropriate ARIA roles/patterns. Follow WAI-ARIA APG patterns for standard widgets.
+- Icon-only controls need an accessible name via surrounding text, `aria-label`, `alt`, or equivalent. Decorative images/icons should be hidden from assistive tech.
+
+## I18n
+
+- Translations must be resolved during render or render-time memoization, not at namespace load time. For static option lists, memoize inside render so locale changes still update labels.
+- Translation files live in `frontend/translations/*.po`. Translation changes are bundled into `index.html`; refresh the browser after changing translations because there is no hot reload for translation strings.
+- Run `pnpm run translations` from `frontend/` after adding/updating translation text.
+- Adding a new supported locale requires updates in both `frontend/src/app/util/i18n.cljs` (`supported-locales`) and `frontend/scripts/_helpers.js` (`langs`).
+
+## Performance
+
+- Keep expensive derived data in refs, memoized selectors, or pure helpers. In hot render paths, prefer existing `app.common.data.macros` helpers where local code already uses them.
+- Avoid creating new callback functions/objects inside hot renders when a named function, memoized callback, data attribute, or precomputed JS props object works.
+- Destructure props/state values used repeatedly. Avoid repeated deref/property access in render loops.
+
+## Shared React UI package
+
+- `frontend/packages/ui` is the shared React/Vite package. It should remain framework-neutral relative to the CLJS app store; reusable primitives belong here only when they do not depend on Potok/Rumext app state.
+- Package styles are emitted through the package build and copied into `frontend/resources/public/css/ui.css`; stale shared styles are often a build artifact issue.
+- Storybook is the primary visual harness for shared UI/package behavior. Use `mem:frontend/ui-packages-text-editor-workflow` for package build/test commands.
+
+## Choosing a location
+
+- Put editor/dashboard/viewer workflow logic in CLJS app namespaces close to the owning feature.
+- Put reusable presentational React primitives in `frontend/packages/ui` when they can be consumed without Penpot app state.
+- Put CLJS design-system components under `frontend/src/app/main/ui/ds`; new DS components need implementation, CSS module, Storybook story, optional MDX docs, and export from `frontend/src/app/main/ui/ds.cljs` with a JavaScript-friendly name.
+- Put text editing internals in `frontend/text-editor` when the behavior belongs to the JS editor package; use `mem:common/text-subtleties` for shared text data-model behavior.
+
+## Validation
+
+- For CLJS app UI, use `mem:frontend/testing`, `mem:frontend/compile-diagnostics`, and live browser/REPL checks when behavior depends on store or canvas state.
+- For shared UI package changes, run the package build plus Storybook/component tests when relevant.
+- For text editor changes, run `frontend/text-editor` tests and refresh/copy WASM artifacts if render-wasm output is involved.

.serena/memories/frontend/ui-packages-text-editor-workflow.md

@@ -0,0 +1,34 @@
+# Frontend UI Packages and Text Editor Workflow
+
+`frontend/packages/`, `frontend/text-editor/`, Storybook/component tests. Separate from CLJS app UI under `frontend/src/app/main/ui`.
+
+## Package boundaries
+
+- `frontend/packages/ui` builds `@penpot/ui`, a React/Vite library package. It exports ESM and type declarations from `dist/`; React and ReactDOM are peer dependencies and must stay external in the Vite library build.
+- The UI package build copies generated `dist/index.css` into `frontend/resources/public/css/ui.css`. If shared UI styles look stale in the app, rebuild the package or check this copy step before debugging CLJS style code.
+- `frontend/text-editor` builds `@penpot/text-editor` from `src/editor/TextEditor.js`. It is a Vite JS package, not CLJS, and has its own Vitest/browser-test setup.
+- The text editor consumes render-wasm artifacts copied from `frontend/resources/public/js` into `frontend/text-editor/src/wasm`. Use `pnpm run wasm:update` after rebuilding `render-wasm` if tests or local dev use stale WASM files.
+- Other packages under `frontend/packages/` such as `tokenscript`, `draft-js`, and `mousetrap` are workspace dependencies used by the frontend app; do not assume their runtime behavior lives in CLJS namespaces.
+
+## Commands
+
+From `frontend/`:
+- Build app-side JS package assets: `pnpm run build:app:libs`.
+- Watch app-side JS package assets: `pnpm run watch:app:libs`.
+- Storybook build: `pnpm run build:storybook`; local Storybook: `pnpm run watch:storybook`.
+- Storybook/component tests: `pnpm run test:storybook`.
+
+From `frontend/packages/ui`:
+- Build library and CSS artifact: `pnpm run build`.
+- Watch library build: `pnpm run watch`.
+
+From `frontend/text-editor`:
+- Local Vite dev: `pnpm run dev`.
+- Tests: `pnpm run test`; coverage: `pnpm run coverage`; browser watch: `pnpm run test:watch:e2e`.
+- Format check: `pnpm run fmt:js`.
+
+## Validation notes
+
+- Frontend root `check-fmt:js` covers stories, Playwright scripts, frontend scripts, and `text-editor/**/*.js`; it does not replace package-specific builds/tests.
+- Changes to shared UI package exports should be validated both in the package build and in the consuming app/Storybook path.
+- Changes that alter text rendering/editing can involve `frontend/text-editor`, `render-wasm`, CLJS text integration, and `mem:common/text-subtleties`; verify the runtime that actually owns the changed behavior.

.serena/memories/frontend/workspace-state-persistence-subtleties.md

@@ -0,0 +1,33 @@
+# Frontend Workspace State and Persistence Subtleties
+
+## Store and interaction streams
+
+- `app.main.store/state` is the Potok store; `emit!` always returns nil. Store errors flow through the mutable `on-error` atom.
+- `last-events` keeps a filtered rolling buffer of about 50 event type strings and commit hint origins. It intentionally omits noisy websocket/persistence/pointer events.
+- `ongoing-tasks` controls `window.onbeforeunload`: any non-empty set blocks tab unload.
+- `app.main.streams/wasm-modifiers` and `workspace-selrect` are behavior subjects used for high-frequency interactive preview state that bypasses normal store updates and lenses.
+- Keyboard modifier streams merge a window blur signal so stuck modifier-key state is cleared after focus loss.
+
+## Repo calls
+
+- `app.main.repo/send!` uses GET only when the RPC name starts with `get-`, when all params are query params, or for configured special cases. Only GET requests are retried.
+- GET retry is limited to transient `:network`, `:bad-gateway`, `:service-unavailable`, and `:offline` errors with exponential backoff. Mutations are not retried.
+- A server SSE response is only accepted when the command is configured `:stream?`; otherwise it raises an unexpected-response assertion.
+
+## Commits, undo, persistence
+
+- `commit-changes` refuses to create commits unless `:permissions :can-edit` is true. It captures file revn/vern, selected-before, features, tags, undo group, and translation flag into a `::commit` event.
+- Applying a remote commit first rolls back pending local commits, applies the remote changes, then replays pending local redo changes. Index updates are emitted for undo, remote redo, and replayed redo paths.
+- Local commits are independently consumed by undo, persistence, WASM model updates, thumbnail/library watchers, and text position-data recalculation.
+- Persistence buffers local commits: status becomes pending after about 200ms, commits are flushed after about 3s or `::force-persist`, and buffered commits are merged per file before `:update-file`.
+- Persistence sends revn as the max of the commit revn and locally tracked latest revn; remote commits update that revn tracker.
+- Persistence is skipped in version preview/read-only mode or without edit permission.
+- Undo transactions can stay open only temporarily; timed-out pending transactions are force-committed after about 20s. Undo entries are capped at 50.
+- Undo/redo are ignored while a normal editor/drawing interaction is active, except grid-layout edition handles undo through this path.
+- After local commits and when render-wasm is active, text shapes get derived `:position-data` recomputed in a separate commit tagged `#{:position-data}`; that tag is excluded from the position-data watcher to avoid loops.
+
+## Refs
+
+- `refs/libraries` is explicitly deprecated for performance; prefer derefing `refs/files` and memoizing `select-libraries` in components.
+- `refs/workspace-page-objects` uses `identical?` equality, so preserving object map identity matters for avoiding derived-ref churn.
+- Selected-shapes refs use a small `{objects selected}` wrapper with custom equality before running `process-selected`; avoid bypassing that pattern in hot UI paths.

.serena/memories/frontend/workspace-token-subtleties.md

@@ -0,0 +1,17 @@
+# Frontend Workspace Token Subtleties
+
+## Token refs and visibility
+
+- Workspace token refs intentionally hide the internal hidden theme from theme trees/lists and expose active tokens through `get-tokens-in-active-sets`.
+- Token values stored on shapes are token names under `:applied-tokens`, not token ids. Renames/group renames must update those paths in common token logic.
+
+## Token application
+
+- Token application refuses to run while a text shape is in text-editing mode and shows a warning instead.
+- Applying a token writes token names into shape `:applied-tokens`, resolves active tokens through Style Dictionary or `tokenscript` depending on feature flags, updates concrete shape attrs, and wraps the operation in an undo transaction.
+- Applying composite typography removes atomic typography token attrs; applying atomic typography removes the composite typography token attr.
+- Spacing tokens have a special split path: layout containers receive gap/padding updates, while immediate children of layouts receive margin updates.
+
+## Propagation
+
+- Token propagation resolves active tokens, buffers many `update-shapes` commits, walks the current page first then the remaining pages, clears affected frame/component thumbnails, and drops `:position-data` for text shapes on non-current pages so it can be regenerated.

.serena/memories/frontend/workspace-transform-subtleties.md

@@ -0,0 +1,20 @@
+# Frontend Workspace Transform Subtleties
+
+## Preview vs committed transforms
+
+- High-frequency previews use `app.main.streams/wasm-modifiers` and `workspace-selrect` behavior subjects instead of normal store commits; components consume them through refs that wrap plain atoms.
+- `apply-modifiers*` is the lower-level commit path once object/text modifiers are ready. It updates frame guides, frame comment threads, and then emits `update-shapes` with `:reg-objects? true`.
+- Transform commits restrict diff attrs to `transform-attrs` to avoid scanning unrelated shape attrs.
+- Text transforms may carry derived `:position-data`; `assoc-position-data` attaches it while preserving the original text shape context.
+
+## Component-copy touched suppression
+
+- `calculate-ignore-tree` walks modified shapes and descendants to decide per copy-shape `ignore-geometry?`.
+- `check-delta` compares a copy's relative position/rotation to its component root before and after transform. If relative movement is under about 1px and size/rotation are effectively unchanged, geometry touching is suppressed.
+- This logic is why pure translations of component copies can avoid marking every descendant as geometry-touched, while resizes/rotations still propagate touched state.
+
+## WASM bridge details
+
+- WASM modifier updates set plugin/local props with parsed geometry/structure modifiers rather than directly mutating file data.
+- The position-data recomputation watcher ignores commits tagged `:position-data`; keep that tag when adding derived position-data commits.
+- Rotation has separate WASM and non-WASM event paths. Check both when changing rotation modifier semantics.

.serena/memories/library/core.md

@@ -0,0 +1,30 @@
+# Library Architecture and Workflow
+
+`library/`: builds `@penpot/library`; JS-facing in-memory Penpot file builder and `.penpot` ZIP exporter. Separate from main app runtime.
+
+## Layout and commands
+
+- Source: `library/src/`; tests: `library/test/`; experimentation/docs: `playground/`, `docs/`; config: `shadow-cljs.edn`, `deps.edn`, `package.json`.
+- From `library/`: build `pnpm run build`; bundle helper `pnpm run build:bundle` or `./scripts/build`; tests `pnpm run test`; watch `pnpm run watch` / `pnpm run watch:test`; lint `pnpm run lint`; format check/fix `pnpm run check-fmt` / `pnpm run fmt`.
+- When changing file-format construction or export behavior in `common/`, consider whether `@penpot/library` should be tested because it constructs Penpot files outside the app UI.
+
+## JS API and builder state
+
+- The JS build context wraps an atom and implements `IDeref`; `getInternalState` exposes the CLJ state converted to JS.
+- Public methods decode JS objects through the JSON transformer before calling common builder functions. Exceptions become JS `BuilderError` objects with enumerable `cause` and an `explain` getter for Malli explain data.
+- `create-build-context` can store an optional `referer`, later written into the export manifest.
+- The builder is stateful: call `addFile` before `addPage`. `addPage` resets the frame/group stack to the root and clears page-local naming state when the page closes.
+- `addBoard` and `addGroup` push onto the parent stack; matching close calls pop it. `closeGroup` requires at least one child and recalculates group geometry. Masked groups use the first child as mask and copy its geometry.
+- `commit-shape` emits `:add-obj` with `:ignore-touched true`, using the current parent, frame, and page from the stack.
+- Layer names are uniqued per current page; duplicate names get generated suffixes.
+- `addBool` converts an existing group into a bool shape and updates style/content/geometry via `:mod-obj` operations rather than adding a new object.
+- Media blobs are stored separately from file-media metadata; `add-file-media` requires a `BlobWrapper`.
+
+## Export package
+
+- `.penpot` ZIPs include `manifest.json`, file/page/shape JSON, components/colors/typographies/tokens, media metadata, and media object blobs.
+- Path/bool shape `:content` is converted to vectors before JSON encoding.
+- File export intentionally includes only selected top-level attrs plus data options; color export removes `:file-id` and drops empty paths.
+- Manifest type is `penpot/export-files`, version 1, generated by `penpot-library/%version%`, with optional referer and file relations.
+- Export generation is sequential and lazy: delayed JSON/blob work is computed only as each zip entry is written, and the progress callback receives `{total,item,path}` after each entry.
+- The library has compatibility defaults for features/migrations in the common builder; do not assume it always exports with the newest app-default migrations/features.

.serena/memories/mcp/core.md

@@ -0,0 +1,95 @@
+# Penpot MCP
+
+This subproject provides an MCP server for Penpot integration.
+The MCP server communicates with a Penpot plugin via WebSockets, allowing
+the MCP server to send tasks to the plugin and receive results,
+enabling advanced AI-driven features in Penpot.
+
+## Tech Stack
+
+- Language: TypeScript
+- Runtime: Node.js
+- Framework: MCP SDK (@modelcontextprotocol/sdk)
+- Build Tool: TypeScript Compiler (tsc) + esbuild
+- Package Manager: pnpm
+
+## General Principles
+
+IMPORTANT: Use an idiomatic, object-oriented style.
+In particular, this implies that, for any non-trivial interfaces, you use interfaces that expect explicitly typed abstractions
+rather than mere functions (i.e. use the strategy pattern, for example).
+
+Comments:
+When describing parameters, methods/functions and classes, you use a precise style, where the initial (elliptical) phrase
+clearly defines *what* it is. Any details then follow in subsequent sentences.
+
+When describing what blocks of code do, you also use an elliptical style and start with a lower-case letter unless
+the comment is a lengthy explanation with at least two sentences (in which case you start with a capital letter, as is
+required for sentences).
+
+## Project Structure (Excerpt)
+
+```
+mcp/
+├── packages/common/           # Shared type definitions
+│   ├── src/
+│   │   ├── index.ts           # exports for shared types
+│   │   └── types.ts           # PluginTaskResult, request/response interfaces
+│   └── package.json           # @penpot-mcp/common package
+├── packages/server/           # MCP server subproject
+│   ├── src/
+│   │   ├── index.ts           # entry point
+│   │   ├── PenpotMcpServer.ts # MCP server implementation (connection handling, tool registration, etc.)
+│   │   ├── Tool.ts            # base class for tools
+│   │   ├── PluginTask.ts      # base class for plugin tasks
+│   │   ├── tasks/             # PluginTask implementations
+│   │   └── tools/             # Tool implementations
+|   ├── data/                  # contains resources, such as API info and prompts
+│   └── package.json           
+├── packages/plugin/           # Penpot plugin subproject
+│   ├── src/
+│   │   ├── main.ts            # handles communication
+│   │   └── plugin.ts          # plugin implementation
+│   └── package.json           # Includes @penpot-mcp/common dependency
+└── prepare-api-docs           # Python project for the generation of API docs
+```
+
+## Key Development Tasks
+
+### Adjusting the Prompts
+
+The system prompt file (aka Penpot High-Level Overview) is located in 
+`packages/server/data/initial_instructions.md`.
+
+### Adding a new Tool
+
+1. Implement the tool class in `packages/server/src/tools/` following the `Tool` interface.
+   IMPORTANT: Do not catch any exceptions in the `executeCore` method. Let them propagate to be handled centrally.
+2. Register the tool in `PenpotMcpServer`.
+
+Tools can be associated with a `PluginTask` that is executed in the plugin.
+Many tools build on `ExecuteCodePluginTask`, as many operations can be reduced to code execution.
+
+### Adding a new PluginTask
+
+1. Implement the input data interface for the task in `packages/common/src/types.ts`.
+2. Implement the `PluginTask` class in `packages/server/src/tasks/`.
+3. Implement the corresponding task handler class in the plugin (`packages/plugin/src/task-handlers/`).
+    * In the success case, call `task.sendSuccess`.
+    * In the failure case, just throw an exception, which will be handled centrally!
+4. Register the task handler in `packages/plugin/src/plugin.ts` in the `taskHandlers` list.
+
+## Dev Tooling
+
+From the `mcp/` directory, run
+
+* `pnpm run build` to test the build of all packages
+* `pnpm run fmt` to apply the auto-formatter
+
+## Devenv plugin/server wiring
+
+In the normal Penpot devenv MCP path, the browser plugin does not discover or route through Postgres. The frontend provides the plugin extension API with `mcp.getServerUrl()`, currently derived from `frontend/src/app/config.cljs` as `penpotMcpServerURI` if set, otherwise `<public-uri>/mcp/ws`. The MCP plugin opens a direct WebSocket to that URL and appends the current MCP access token as a query parameter.
+
+The live plugin connection registry is in-memory inside each MCP server process (`PluginBridge.connectedClients` / `clientsByToken`). The database only stores MCP access tokens and profile props such as `mcp-enabled`; it does not manage which plugin is connected to which MCP server.
+
+For parallel devenvs, prefer same-origin MCP routing: each Penpot instance should expose `/mcp/ws` through its own nginx/Caddy path to the MCP server running inside the same main container. Keep container-internal ports fixed (MCP defaults `4401/4402/4403`, backend/exporter/frontend defaults, etc.) and only offset host-side published ports per instance. If internal ports are offset, hardcoded local proxy config such as `docker/devenv/files/nginx.conf` will misroute unless templated too.

.serena/memories/memory-maintenance.md

@@ -0,0 +1,33 @@
+# Memory Maintenance
+
+## Discovery Model
+
+- Core principle: progressive discovery through references, building a graph of memories.
+- Initially, agents are provided with the list of all memories (names only).
+- Agents should read `mem:critical-info` as the top-level entry point (graph root).
+  This memory should contain references to other memories covering major project domains.
+  The referenced memories shall, in turn, shall contain references to even more specific memories, and so on.
+  The depth of the graph shall depend on the project complexity.
+- Use topics/folders to group related memories in order to make the content structure explicit.
+  Folders can mirror project structure (e.g. modules like frontend/backend) or topics like debugging, architecture, etc.
+- Memory references must use a mem: prefix inside backticks, e.g. `mem:frontend/core`.
+  The surrounding text should clearly indicate when to read the memory/which content to expect.
+  The text should provide more precise guidance than the memory name alone,
+  i.e. avoid a reference like "frontend debugging and error handling: `mem:frontend/handling-errors-and-debugging` and instead make clear which concrete aspects are covered in the memory.
+- Memories themselves should not contain information about when to read them; this is the responsibility of the referring memory.
+
+## Style
+
+Dense agent notes, not prose docs. Prefer invariants, terse bullets.
+Avoid obvious context, rationale, and examples unless they prevent likely mistakes.
+Keep guidance durable and generalizable, not task-local.
+
+## Add/update threshold
+
+Add or update memories only with stable, non-obvious project conventions that avoid complex rediscovery in the future.
+Do not add: quick-read facts; generic language/framework knowledge; one-off task notes; volatile line-level details; behavior likely to change soon.
+
+## Maintenance Actions
+
+- Renaming memories: References are updated automatically if handled via Serena's memory rename tool.
+- Checking for stale memories (e.g. after deletion): Call `serena memories check` for a report.

.serena/memories/plugins/core.md

@@ -0,0 +1,37 @@
+# Plugins Architecture and Workflow
+
+`plugins/`: standalone TypeScript/pnpm workspace for Plugin API packages and sample plugins. Related to, distinct from, frontend CLJS Plugin API runtime.
+
+## Layout
+
+- `libs/plugin-types`: TypeScript declarations for the public Penpot Plugin API. Type-only package; runtime behavior is implemented elsewhere.
+- `libs/plugins-runtime`: runtime that loads plugins and exposes/generated API behavior to plugin code.
+- `libs/plugins-styles`: reusable styling package for plugins.
+- `apps/*-plugin`: sample/development plugins. `apps/e2e`: plugin e2e tests.
+
+## Dev Workflow
+
+- From `plugins/`: install `pnpm -r install`; runtime dev server `pnpm run start` or `pnpm run start:app:runtime`; sample plugin `pnpm run start:plugin:<name>`; build runtime `pnpm run build:runtime`; build plugins `pnpm run build:plugins`; lint `pnpm run lint`; format `pnpm run format:check` / `pnpm run format`; tests `pnpm run test`; e2e `pnpm run test:e2e`.
+- If a change affects public Plugin API types or runtime, update `plugins/CHANGELOG.md`. Prefix type/signature entries with `**plugin-types:**`; runtime behavior entries with `**plugin-runtime:**`.
+- JS Plugin API behavior inside Penpot app: `mem:frontend/plugin-api-to-cljs-binding`; TS declarations are not runtime code; many API objects are CLJS proxies in `frontend/src/app/plugins/*.cljs`.
+
+## Sandbox and global cleanup
+
+- The runtime uses SES compartments. Public API return values are passed through `ses.safeReturn` before crossing back to plugin code.
+- Plugin `fetch` is sanitized: credentials are omitted and Authorization is blanked. The exposed response only includes ok/status/statusText/url/text/json.
+- Timer callbacks are wrapped to mark plugin-originated errors, and timeout/interval IDs are tracked so plugin close can clear them.
+- Plugin-originated errors are tracked in a WeakMap instead of mutating error objects, because SES can freeze errors.
+- Closing a plugin removes public API keys from the compartment globalThis.
+
+## Lifecycle
+
+- Loading a plugin closes existing non-background plugins and resets the runtime registry. Be careful around `allowBackground` semantics when changing load/close behavior.
+- If sandbox evaluation fails, the runtime marks the error as plugin-originated, closes the plugin, and rethrows.
+- `plugin-manager` removes event listeners, timers, intervals, and modal state on close, and marks the plugin destroyed. Listener callbacks check that flag because Penpot events can fire after close.
+
+## Modal/UI behavior
+
+- Modal URL preparation differs by manifest version: v1 uses query string parameters, v2 puts parameters in the URL hash.
+- `openModal` is idempotent for the same iframe source and avoids reopening when the target URL is already displayed.
+- Modal permissions are derived from manifest permissions (`allow:downloads`, `clipboard:read`, `clipboard:write`).
+- `resizeModal` clamps to at least 200x200 and at most the window minus margins, adjusting transform so the modal remains in the viewport.

.serena/memories/prod-infra/core.md

@@ -0,0 +1,33 @@
+# Production infrastructure (services Penpot depends on)
+
+Backend (`app.config`, `PENPOT_*` env vars) is parameterized; deployments choose providers.
+
+## Services
+
+- **PostgreSQL**: durable store. Profiles, teams, files, sessions, audit, `storage_object` metadata, the `task` queue, `scheduled_task` cron registry, migrations. File-data also lives here when the file-data backend is `legacy-db`/`db`. One shared DB across all backends.
+- **Redis (Valkey-compatible)**: per-backend message bus and cache. Concrete uses: msgbus Pub/Sub for collaborative-editing broadcasts and team/profile-org notifications fired by RPC handlers (`app.rpc.notifications`, `files_update`, `teams`, `websocket`); file-summary cache gated by `enable-redis-cache`; rate-limit counters; and the dispatcher→runner work hand-off list `penpot.worker.queue:<tenant>:<queue>`. `PENPOT_REDIS_URI`.
+- **Object storage**: backends `:s3` and `:fs`. S3 in prod; devenv uses MinIO. Holds uploaded media, file-data when the file-data backend is `storage`, exports. Backend-side details (resolve, dedup, bucket set, file-data backends): `mem:backend/http-storage-filedata-subtleties`.
+- **SMTP mailer**: invitations, password resets, email verification (sent via the `:sendmail` worker task).
+- **LDAP** (optional auth provider): helpers in `app.auth.*`, gated by `enable-login-with-ldap`.
+
+## Task queue and worker model
+
+Async tasks are enqueued via `wrk/submit!` (`app.worker`), which inserts a row into the shared Postgres `task` table tagged with `queue = "<tenant>:<queue-name>"`. Submission is **fire-and-forget** — RPC handlers never poll, never wait, and workers never publish to msgbus. The only completion signal is the `task` row's `status` / `completed_at` columns, which nothing in `rpc/` reads. Soft-delete RPCs return immediately after marking the top-level row, leaving the cascade and reaping to workers.
+
+Workers run on backends with `enable-backend-worker` in `PENPOT_FLAGS`. Each worker-enabled backend has a `dispatcher` (polls `task` with `FOR UPDATE SKIP LOCKED`, marks status='scheduled', RPUSHes claimed task IDs into **its own** Redis list) and one or more `runner`s per queue (BLPOP from that same local list, execute, update the Postgres row). The Redis hand-off list is purely intra-backend — cross-backend coordination happens at the Postgres row level.
+
+## Cross-backend safety
+
+Postgres row locking is the only correctness primitive: `task` claims via `FOR UPDATE SKIP LOCKED`, cron firing via `FOR UPDATE SKIP LOCKED` on the `scheduled_task` row, plus task-handler-internal locks (e.g. `file_gc_scheduler` locks candidate file rows). This makes the work-claim path safe across any number of worker-enabled backends.
+
+Two known race patterns survive multi-backend operation:
+
+- **Cron dedup is best-effort.** The lock on `scheduled_task` is released when the task body finishes. If two backends' cron timers fire for the same scheduled instant with a gap larger than the task body's runtime, both execute it. Penpot's cron entries are idempotent (`session-gc`, `objects-gc`, `storage-gc-*`, `tasks-gc`, `upload-session-gc`, `file-gc-scheduler`); the exceptions are `:telemetry` (would double-report) and `:audit-log-archive` (depends on archive target idempotency).
+- **`wrk/submit! ::dedupe true`** does a non-atomic `DELETE` then `INSERT`. Concurrent cross-backend submits can both bypass the `DELETE` (each sees the other's uncommitted insert as absent) and end up with duplicate `'new'` rows. Each row claims and runs once independently, so the underlying work is fine; the "at most one pending" guarantee weakens.
+
+Penpot in production lives with both: horizontal-scale deployments accept "exactly-once" as "essentially-once for idempotent operations." Devenv parallel instances handle it by running workers only on ws0 (see `mem:devenv/core`).
+
+## See also
+
+- Devenv composition and the ws0-only worker placement: `mem:devenv/core`.
+- Storage backend resolution, dedup, file-data lifecycle: `mem:backend/http-storage-filedata-subtleties`.

.serena/memories/render-wasm/core.md

@@ -0,0 +1,32 @@
+# render-wasm Architecture and Workflow
+
+`render-wasm/`: Rust crate compiled to WebAssembly via Emscripten/Skia; frontend loads generated JS/WASM renderer. FFI/memory/tile behavior: `mem:render-wasm/ffi-rendering-subtleties`.
+
+## Stable Architecture
+
+- Exported functions live around `src/main.rs` / `src/wapi.rs` and are called from ClojureScript bridge namespaces under `frontend/src/app/render_wasm*`.
+- Updates are two-phase: ClojureScript calls exported setters to push shape data, then `render_frame()` performs Skia drawing.
+- Rendering is tile-based and shape data is stored separately from hierarchy.
+
+## Source Areas
+
+- `src/state*`: renderer state structures.
+- `src/render/` and `src/render.rs`: tile/surface render pipeline.
+- `src/shapes/` and `src/shapes.rs`: shape data and Skia drawing.
+- `src/wasm/`, `src/wasm.rs`, `src/mem.rs`: JS/WASM memory and interop helpers.
+- `src/math/` and `src/view.rs`: geometry and viewport helpers.
+
+## Build Environment
+
+`./build` sources `_build_env`, which sets the Emscripten paths and `EMCC_CFLAGS`. The WASM heap starts at 256 MB and uses geometric growth.
+
+## Commands
+
+From `render-wasm/`:
+- Build/copy frontend artifacts: `./build`.
+- Watch rebuild: `./watch`.
+- Rust tests: `./test` or `cargo test <name>`.
+- Lint: `./lint`.
+- Format check: `cargo fmt --check`.
+
+Do not change exported WASM function signatures without updating the corresponding frontend bridge and verifying the frontend renderer path.

.serena/memories/render-wasm/ffi-rendering-subtleties.md

@@ -0,0 +1,25 @@
+# render-wasm FFI and Rendering Subtleties
+
+## FFI state and errors
+
+- The renderer uses one unsafe global `STATE`; the `with_state*` macros currently panic on invalid state pointer. Treat state pointer validity as critical, not recoverable.
+- `#[wasm_error]` clears the error code on entry. Recoverable errors set code `0x01`, critical errors/panics set `0x02`, free the byte buffer, then panic so the CLJS bridge can catch and inspect `_read_error_code`.
+- The frontend bridge maps `0x01` to `:non-blocking` and `0x02` to `:panic` in ex-data (`:type :wasm-error`). Check actual bridge code if changing names; older comments/docs may use different labels.
+- WASM byte transfer is a single global slot. A caller that receives a pointer result must read and free it before another byte payload is written; errors free the slot via `#[wasm_error]`.
+
+## Shape pool and loading
+
+- Shapes are UUID-indexed, and hierarchy/structure is tracked separately. `ShapesPool::get` may return a cached modified clone when modifiers, structure, scale-content, or bool handling apply; `get_raw` bypasses those derived values.
+- Bulk loading uses a `loading` flag. `touch_current` / `touch_shape` avoid tile invalidation while loading; text layouts and final view setup must happen after loading ends.
+- Many setters mutate only the current shape selected by `use_shape` / current-shape APIs. If no current shape is selected, some mutation blocks are skipped silently.
+- `set_parent_for_current_shape` only sets parent metadata and invalidates parent geometry; children must be updated separately to avoid duplicate children.
+- Child deletion marks descendants deleted and removes them from all indexed tiles, preserving undo/redo while avoiding stale pixels after panning.
+
+## Tile/render behavior
+
+- Interactive transforms are distinct from viewport fast mode. `set_modifiers_start` enables fast mode and interactive transform; interactive transform still flushes each animation frame.
+- During interactive transform, modifier tile invalidation is deferred to `render()` once per rAF. Outside interactive transform, `set_modifiers` rebuilds modifier tiles immediately.
+- `set_modifiers_end` disables fast/interactive state and cancels pending async render; the caller must request the final full-quality render.
+- Plain viewport fast mode (`options.is_viewport_interaction()`) renders from cache and does not flush target output inside `process_animation_frame`; interactive transforms do flush.
+- Zoom changes rebuild the tile index while preserving cached tile textures. Avoid replacing that path with shallow rebuilds if blur/shadow cache preservation matters.
+- Pending tile priority is intentionally reversed by pop order; check the queue construction before changing tile scheduling.

.serena/memories/workflow/creating-commits.md

@@ -0,0 +1,23 @@
+# Creating Commits
+
+Commit only on explicit request. Before commit: `git status`; exclude unrelated user changes.
+
+Do not guess or hallucinate git author information (Name or Email). Never include the
+`--author` flag in git commands unless specifically instructed by the user for a unique
+case; assume the local environment is already configured. Allow git commit to
+automatically pull the identity from the local git config `user.name` and `user.email`.
+
+
+## Message Format
+
+```
+:emoji: Subject line (imperative, capitalized, no period, <=70 chars)
+
+Body explaining what changed and why.
+
+Co-authored-by: <You (the LLM)>
+```
+
+## Commit Type Emojis
+
+`:bug:` bug fix · `:sparkles:` enhancement · `:tada:` new feature · `:recycle:` refactor · `:lipstick:` cosmetic · `:ambulance:` critical fix · `:books:` docs · `:construction:` WIP · `:boom:` breaking · `:wrench:` config · `:zap:` perf · `:whale:` docker · `:paperclip:` other · `:arrow_up:` dep upgrade · `:arrow_down:` dep downgrade · `:fire:` removal · `:globe_with_meridians:` translations · `:rocket:` epic/highlight

.serena/memories/workflow/creating-issues.md

@@ -0,0 +1,160 @@
+# Creating Issues
+
+Create GitHub issues only on explicit request. Use `gh` CLI authenticated to `penpot/penpot`.
+
+## Title Derivation
+
+Derive the title from the source material (bug report, user feedback, feature request, etc.) — not from any pre-existing title which may be auto-generated or stale.
+
+### Bug titles (descriptive present tense)
+
+Describe the symptom as it appears to the user. Format: `[Where] [present-tense verb] when [condition]`.
+
+- *"Plugin API crashes when setting text fills"*
+- *"Canvas renders glitches when zooming quickly"*
+- *"French Canada locale falls back to French (fr) translations"*
+
+Do **not** start bug titles with "Fix" or any imperative verb — state what's broken, not command a fix.
+
+### Feature / Enhancement titles (imperative mood)
+
+Command what should be built. Format: `[Imperative verb] [what] in/on [where]`.
+
+- *"Add customizable dash and gap length controls to dashed strokes in the sidebar"*
+- *"Show user, timestamp, and hash in the workspace history panel like git commits"*
+
+### Universal rules
+
+- **Include the "where"** — specify the UI location or module (e.g. "in the sidebar", "on the stroke options")
+- **No prefixes** — strip `bug:`, `feature:`, `feat:`, `:bug:`, `:sparkles:`, `[PENPOT FEEDBACK]`, etc.
+- **No emoji** — plain text only
+- **Be specific** — prefer concrete detail over generality
+- **Two problems → cover both** — if the description has two distinct but related issues, capture both joined by "and"
+
+## Metadata
+
+| Field | Rule |
+|-------|------|
+| **Labels** | `bug` (crashes/regressions) · `enhancement` (new features) · `community contribution` (PRs from non-core) · skip workflow labels (`backport candidate`, `team-qa`) |
+| **Milestone** | Use the current or next planned milestone. Fetch available milestones: `gh api repos/penpot/penpot/milestones --jq '.[].title'`. If unsure, omit. |
+| **Project** | Always `Main` (project number 8). Use `--project "Main"` flag. |
+| **Issue Type** | See Issue Type section below. Cannot be set via `gh issue create` — use GraphQL after creation. |
+
+## Issue Body Template
+
+Write the body to a temp file to avoid shell quoting issues:
+
+**Bug template:**
+```markdown
+### Description
+
+<what breaks, what the user experiences>
+
+### Steps to reproduce
+
+1. <step 1>
+2. <step 2>
+
+### Expected behavior
+
+<what should happen instead>
+
+### Affected versions
+
+<version>
+```
+
+**Enhancement template:**
+```markdown
+### Description
+
+<what the user can now do that they couldn't before>
+
+### Use case
+
+<why this is useful, who benefits>
+
+### Affected versions
+
+<version>
+```
+
+## Creating the Issue
+
+```bash
+cat > /tmp/issue-body.md << 'ISSUE_BODY'
+<body content here>
+ISSUE_BODY
+
+gh issue create \
+  --repo penpot/penpot \
+  --title "<Derived title>" \
+  --label "<label>" \
+  --project "Main" \
+  --body-file /tmp/issue-body.md
+```
+
+Output: `https://github.com/penpot/penpot/issues/<NUMBER>`
+
+## Setting the Issue Type
+
+`gh issue create` can't set Issue Type directly. Use GraphQL after creation.
+
+**Issue Type IDs for penpot/penpot:**
+
+| Type | ID |
+|------|----|
+| Bug | `IT_kwDOAcyBPM4AX5Nb` |
+| Enhancement | `IT_kwDOAcyBPM4B_IQN` |
+| Feature | `IT_kwDOAcyBPM4AX5Nf` |
+| Task | `IT_kwDOAcyBPM4AX5NY` |
+| Question | `IT_kwDOAcyBPM4B_IQj` |
+| Docs | `IT_kwDOAcyBPM4B_IQz` |
+
+**Map:**
+- `bug` label → Bug
+- `enhancement` label → Enhancement
+- Feature/epic → Feature
+- Docs → Docs
+- None of the above → Task
+
+**Set it:**
+```bash
+ISSUE_ID=$(gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <NUMBER>) { id }
+}}' --jq '.data.repository.issue.id')
+
+gh api graphql -f query='
+mutation {
+  updateIssue(input: {
+    id: "'"$ISSUE_ID"'"
+    issueTypeId: "<TYPE_ID>"
+  }) {
+    issue { number issueType { name } }
+  }
+}'
+```
+
+## Verification
+
+```bash
+gh issue view <NUMBER> --repo penpot/penpot \
+  --json title,labels,milestone,projectItems \
+  --jq '{title, milestone: .milestone.title, labels: [.labels[].name], projects: [.projectItems[].title]}'
+
+gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <NUMBER>) { issueType { name } }
+}}' --jq '.data.repository.issue.issueType.name'
+```
+
+## Cleanup
+
+```bash
+rm -f /tmp/issue-body.md
+```
+
+## See Also
+
+- Creating issues **from PRs** (separating WHAT from HOW): `mem:workflow/creating-prs`

.serena/memories/workflow/creating-prs.md

@@ -0,0 +1,32 @@
+# Creating Pull Requests
+
+PR only on explicit request. Branch: issue/feature-specific; fallback `<type>/<short-description>` (`fix/...`, `feat/...`, `refactor/...`, `docs/...`, `chore/...`, `perf/...`).
+
+## Title Format
+
+PR titles follow commit title conventions:
+
+```
+:emoji: Subject line (imperative, capitalized, no period, <=70 chars)
+```
+
+See `mem:workflow/creating-commits` for emoji codes. Squash merge uses the PR title as the final commit subject, so title format matters.
+
+## Description
+
+Include concise sections covering:
+- what changed and why;
+- related GitHub issues or Taiga stories (`Fixes #NNNN`, `Relates to #NNNN`, `Taiga #NNNN`);
+- screenshots or recordings for UI-visible changes;
+- testing performed and residual risk;
+- breaking changes or migration notes, if any.
+
+PR descriptions are expected to start with:
+
+> **Note:** This PR was created with AI assistance as part of the Penpot MCP self-improvement initiative.
+
+## Before Opening
+
+- Follow `mem:workflow/creating-commits` for changelog expectations.
+- Run the focused tests/lints appropriate to touched modules.
+- Do not force-push during review unless the maintainer workflow explicitly asks for it.

.serena/memories/workflow/docs.md

@@ -0,0 +1,19 @@
+# Docs Workflow
+
+`docs/`: Penpot documentation site; Eleventy.
+
+## Layout and Tooling
+
+- `docs/package.json`: Eleventy commands and documentation-site dependencies.
+- `docs/README.md`: local setup and tooling notes.
+- Diagrams may use PlantUML, svgbob, mermaid, and C4/arc42 conventions depending on the existing page.
+
+## Commands
+
+From `docs/`:
+- Install deps if needed: `pnpm install`.
+- Local server: `pnpm start` or `pnpm run serve` (serves on `http://localhost:8080`).
+- Build: `pnpm run build`.
+- Watch: `pnpm run watch`.
+
+Documentation changes should follow the existing page structure and rendered Help Center conventions rather than inventing a new style locally.

.serena/project.yml

@@ -0,0 +1,142 @@
+# the name by which the project can be referenced within Serena
+project_name: "penpot"
+
+
+# list of languages for which language servers are started; choose from:
+#   al                  ansible             bash                clojure             cpp
+#   cpp_ccls            crystal             csharp              csharp_omnisharp    dart
+#   elixir              elm                 erlang              fortran             fsharp
+#   go                  groovy              haskell             haxe                hlsl
+#   java                json                julia               kotlin              lean4
+#   lua                 luau                markdown            matlab              msl
+#   nix                 ocaml               pascal              perl                php
+#   php_phpactor        powershell          python              python_jedi         python_ty
+#   r                   rego                ruby                ruby_solargraph     rust
+#   scala               solidity            swift               systemverilog       terraform
+#   toml                typescript          typescript_vts      vue                 yaml
+#   zig
+#   (This list may be outdated. For the current list, see values of Language enum here:
+#   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+#   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+#   - For C, use cpp
+#   - For JavaScript, use typescript
+#   - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+#   Some languages require additional setup/installations.
+#   See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
+languages:
+- clojure
+- typescript
+- rust
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
+encoding: "utf-8"
+
+# line ending convention to use when writing source files.
+# Possible values: unset (use global setting), "lf", "crlf", or "native" (platform default)
+# This does not affect Serena's own files (e.g. memories and configuration files), which always use native line endings.
+line_ending:
+
+# The language backend to use for this project.
+# If not set, the global setting from serena_config.yml is used.
+# Valid values: LSP, JetBrains
+# Note: the backend is fixed at startup. If a project with a different backend
+# is activated post-init, an error will be returned.
+language_backend:
+
+# whether to use project's .gitignore files to ignore files
+ignore_all_files_in_gitignore: true
+
+# advanced configuration option allowing to configure language server-specific options.
+# Maps the language key to the options.
+# Have a look at the docstring of the constructors of the LS implementations within solidlsp (e.g., for C# or PHP) to see which options are available.
+# No documentation on options means no options are available.
+ls_specific_settings: {}
+
+# list of additional paths to ignore in this project.
+# Same syntax as gitignore, so you can use * and **.
+# Note: global ignored_paths from serena_config.yml are also applied additively.
+ignored_paths: []
+
+# whether the project is in read-only mode
+# If set to true, all editing tools will be disabled and attempts to use them will result in an error
+# Added on 2025-04-18
+read_only: false
+
+# list of tool names to exclude.
+# This extends the existing exclusions (e.g. from the global configuration)
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+excluded_tools: []
+
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default).
+# This extends the existing inclusions (e.g. from the global configuration).
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+included_optional_tools: []
+
+# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
+# This cannot be combined with non-empty excluded_tools or included_optional_tools.
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+fixed_tools: []
+
+# list of mode names to that are always to be included in the set of active modes
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this setting overrides the global configuration.
+# Set this to [] to disable base modes for this project.
+# Set this to a list of mode names to always include the respective modes for this project.
+base_modes:
+
+# list of mode names that are to be activated by default, overriding the setting in the global configuration.
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# If the setting is undefined/empty, the default_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# Therefore, you can set this to [] if you do not want the default modes defined in the global config to apply
+# for this project.
+# This setting can, in turn, be overridden by CLI parameters (--mode).
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+default_modes:
+
+# initial prompt for the project. It will always be given to the LLM upon activating the project
+# (contrary to the memories, which are loaded on demand).
+initial_prompt: |
+  CRITICAL: Read the memory `critical-info` IMMEDIATELY. It is absolutely critical for your work on this project - as is
+  the Serena Instructions Manual. Do NOT wait for further instructions, read these critical items NOW!
+
+# time budget (seconds) per tool call for the retrieval of additional symbol information
+# such as docstrings or parameter information.
+# This overrides the corresponding setting in the global configuration; see the documentation there.
+# If null or missing, use the setting from the global configuration.
+symbol_info_budget:
+
+# list of regex patterns which, when matched, mark a memory entry as read‑only.
+# Extends the list from the global configuration, merging the two lists.
+read_only_memory_patterns: []
+
+# list of regex patterns for memories to completely ignore.
+# Matching memories will not appear in list_memories or activate_project output
+# and cannot be accessed via read_memory or write_memory.
+# To access ignored memory files, use the read_file tool on the raw file path.
+# Extends the list from the global configuration, merging the two lists.
+# Example: ["_archive/.*", "_episodes/.*"]
+ignored_memory_patterns: []
+
+# list of mode names to be activated additionally for this project, e.g. ["query-projects"]
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+added_modes:
+
+# list of additional workspace folder paths for cross-package reference support (e.g. in monorepos).
+# Paths can be absolute or relative to the project root.
+# Each folder is registered as an LSP workspace folder, enabling language servers to discover
+# symbols and references across package boundaries.
+# Currently supported for: TypeScript.
+# Example:
+#   additional_workspace_folders:
+#     - ../sibling-package
+#     - ../shared-lib
+additional_workspace_folders: []

AGENTS.md

@@ -1,104 +1,79 @@
-# AI Agent Guide
+# AI AGENT GUIDE
 
-This document provides the core context and operating guidelines for AI agents
-working in this repository.
+## CRITICAL: Read module memories BEFORE writing any code
 
-## Before You Start
+Do this **before planning, before coding, before touching any file**:
 
-Before responding to any user request, you must:
+1. Read `critical-info` (use `serena_read_memory critical-info` or read `.serena/memories/critical-info.md`).
+   It describes the project structure and tells you which modules exist.
+2. From `critical-info`, identify which modules your task affects.
+3. Read each affected module's **core memory** — the name is `<module>/core`
+   (e.g. `frontend/core`, `backend/core`, `common/core`).
+4. If the core memory references deeper `mem:` memories relevant to your task, read those too.
 
-1. Read this file completely.
-2. Identify which modules are affected by the task.
-3. Load the `AGENTS.md` file **only** for each affected module (see the
-   architecture table below). Not all modules have an `AGENTS.md` — verify the
-   file exists before attempting to read it.
-4. Do **not** load `AGENTS.md` files for unrelated modules.
+**STOP: Do not proceed until you have read the core memory of every affected module.**
+Skipping this step is the #1 cause of incorrect or incomplete work.
 
-## Role: Senior Software Engineer
+---
+
+# Memory system
+
+Memories are the **primary project guidance** — not docs or readme files.
+They are dense, agent-oriented notes: terse bullets, invariants, no prose.
+
+## Entry point
+
+Start at `critical-info` (the graph root). It describes the project structure,
+module dependency graph, and references section-level core memories.
+
+## Progressive discovery model
+
+Memories form a **reference graph**, not a flat list:
+
+```
+critical-info          ← read first (graph root)
+  └─ <section>/core    ← top-level memory per section (e.g. frontend/core, backend/core)
+       └─ <topic>      ← focused memories (e.g. frontend/handling-errors-and-debugging)
+            └─ ...     ← deeper memories as needed
+```
+
+When working on a task:
+1. Read `critical-info` to identify which sections are affected.
+2. Read the affected section's `core` memory for an overview.
+3. Follow `mem:` references in the core memory to focused memories relevant to your task.
+4. Continue following references deeper as needed.
+
+## Accessing memories
+
+- **If `serena_read_memory` / `serena_list_memories` tools are available**: use them.
+  `serena_read_memory` takes a memory name (e.g. `critical-info`, `frontend/core`).
+- **If tools are NOT available**: read the filesystem directly.
+  Memory name `mem:foo/bar` maps to file `.serena/memories/foo/bar.md`.
+
+## Cross-reference convention
+
+Memories reference other memories with `mem:<section>/<name>` inside backticks.
+Example: `mem:common/changes-architecture`.
+When you encounter a `mem:` reference relevant to your task, read that memory next.
+
+## Topic/folder organization
+
+Memories are grouped into folders that mirror project modules or topics:
+`backend/`, `common/`, `frontend/`, `render-wasm/`, `exporter/`, `workflow/`, etc.
+Each folder's top-level memory is `<folder>/core`.
+
+---
+
+# Role: Senior Software Engineer
 
 You are a high-autonomy Senior Full-Stack Software Engineer. You have full
 permission to navigate the codebase, modify files, and execute commands to
 fulfill your tasks. Your goal is to solve complex technical tasks with high
 precision while maintaining a strong focus on maintainability and performance.
 
-### Operational Guidelines
+## Operational Guidelines
 
 1. Before writing code, describe your plan. If the task is complex, break it
    down into atomic steps.
 2. Be concise and autonomous.
 3. Do **not** touch unrelated modules unless the task explicitly requires it.
-4. Commit only when explicitly asked. Follow the commit format rules in
-   `CONTRIBUTING.md`.
-5. When searching code, prefer `ripgrep` (`rg`) over `grep` — it respects
-   `.gitignore` by default.
-
-## Changelogs
-
-The project has two changelogs:
-
-- **Main project changelog**: `CHANGES.md` (root of the repository). Tracks changes for the core Penpot application (backend, frontend, common, render-wasm, exporter, mcp).
-- **Plugins changelog**: `plugins/CHANGELOG.md`. Tracks changes for the plugins subproject only.
-
-When making changes, add a changelog entry to the appropriate file under the
-`## <version> (Unreleased)` section in the correct category
-(`:sparkles: New features & Enhancements` or `:bug: Bugs fixed`).
-
-## GitHub Operations
-
-To obtain the list of repository members/collaborators:
-
-```bash
-gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login'
-```
-
-To obtain the list of open PRs authored by members:
-
-```bash
-MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
-gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
-  ($members | split("|")) as $m |
-  .[] | select(.author.login as $a | $m | index($a)) |
-  "\(.number)\t\(.author.login)\t\(.title)"
-'
-```
-
-To obtain the list of open PRs from external contributors (non-members):
-
-```bash
-MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
-gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
-  ($members | split("|")) as $m |
-  .[] | select(.author.login as $a | $m | index($a) | not) |
-  "\(.number)\t\(.author.login)\t\(.title)"
-'
-```
-
-## Architecture Overview
-
-Penpot is an open-source design tool composed of several modules:
-
-| Directory | Language | Purpose | Has `AGENTS.md` |
-|-----------|----------|---------|:----------------:|
-| `frontend/` | ClojureScript + SCSS | Single-page React app (design editor) | Yes |
-| `backend/` | Clojure (JVM) | HTTP/RPC server, PostgreSQL, Redis | Yes |
-| `common/` | Cljc (shared Clojure/ClojureScript) | Data types, geometry, schemas, utilities | Yes |
-| `render-wasm/` | Rust -> WebAssembly | High-performance canvas renderer (Skia) | Yes |
-| `exporter/` | ClojureScript (Node.js) | Headless Playwright-based export (SVG/PDF) | No |
-| `mcp/` | TypeScript | Model Context Protocol integration | No |
-| `plugins/` | TypeScript | Plugin runtime and example plugins | No |
-
-Some submodules use `pnpm` workspaces. The root `package.json` and
-`pnpm-lock.yaml` manage shared dependencies. Helper scripts live in `scripts/`.
-
-### Module Dependency Graph
-
-```
-frontend ──> common
-backend  ──> common
-exporter ──> common
-frontend ──> render-wasm  (loads compiled WASM)
-```
-
-`common` is referenced as a local dependency (`{:local/root "../common"}`) by
-both `frontend` and `backend`. Changes to `common` can therefore affect multiple
-modules — test across consumers when modifying shared code.

CHANGES.md

@@ -1,10 +1,123 @@
 # CHANGELOG
 
+## 2.17.0 (Unreleased)
+
+### :boom: Breaking changes & Deprecations
+
+### :rocket: Epics and highlights
+
+### :sparkles: New features & Enhancements
+
+- Show a read-only W × H size badge below the bounding box of the current selection (by @bittoby) [#9205](https://github.com/penpot/penpot/issues/9205)
+- Expose `variants` retrieval on `LibraryComponent` via `isVariant()` type guard in plugin API (by @opcode81) [#9185](https://github.com/penpot/penpot/issues/9185) (PR: [#9302](https://github.com/penpot/penpot/pull/9302))
+- Add search bar to prototype interaction destination dropdown (by @EvaMarco) [#8618](https://github.com/penpot/penpot/issues/8618) (PR: [#9769](https://github.com/penpot/penpot/pull/9769))
+- Apply styles to selection (by @AzazelN28) [#9661](https://github.com/penpot/penpot/issues/9661) (PR: [#8625](https://github.com/penpot/penpot/pull/8625))
+- Add dashed stroke customization with dash and gap inputs (by @EvaMarco) [#3881](https://github.com/penpot/penpot/issues/3881) (PR: [#9765](https://github.com/penpot/penpot/pull/9765))
+- Add author, relative timestamp and short identifier to history entries (by @FairyPigDev) [#7660](https://github.com/penpot/penpot/issues/7660) (PR: [#9132](https://github.com/penpot/penpot/pull/9132))
+- Add typography token row to multiselected texts [#9336](https://github.com/penpot/penpot/issues/9336) (PR: [#9128](https://github.com/penpot/penpot/pull/9128))
+- Optimize propagation of tokens [#9261](https://github.com/penpot/penpot/issues/9261) (PR: [#9144](https://github.com/penpot/penpot/pull/9144))
+- Add typography information to token dropdown option [#9377](https://github.com/penpot/penpot/issues/9377) (PR: [#9375](https://github.com/penpot/penpot/pull/9375))
+- Cache OIDC provider records to skip per-login discovery (by @Dexterity104) [#9294](https://github.com/penpot/penpot/issues/9294) (PR: [#9295](https://github.com/penpot/penpot/pull/9295))
+- Validate shape on add-object to catch malformed inputs early (by @Dexterity104) [#9507](https://github.com/penpot/penpot/issues/9507) (PR: [#9291](https://github.com/penpot/penpot/pull/9291))
+- Remove unreachable try/catch in hex->hsl (by @Dexterity104) [#9244](https://github.com/penpot/penpot/issues/9244) (PR: [#9245](https://github.com/penpot/penpot/pull/9245))
+- Remove stray debug log in exporter upload-resource (by @iot2edge) [#9270](https://github.com/penpot/penpot/issues/9270) (PR: [#9272](https://github.com/penpot/penpot/pull/9272))
+- Release pool connection during font variant creation (by @Dexterity104) [#9286](https://github.com/penpot/penpot/issues/9286) (PR: [#9287](https://github.com/penpot/penpot/pull/9287))
+- Add autocomplete combobox to token creation and edition forms [#9899](https://github.com/penpot/penpot/issues/9899) (PR: [#9109](https://github.com/penpot/penpot/pull/9109))
+- Add list view mode to color picker UI [#4420](https://github.com/penpot/penpot/issues/4420) (PR: [#9953](https://github.com/penpot/penpot/pull/9953))
+- Use Clipboard API consistently across the application (by @MilosM348) [#6514](https://github.com/penpot/penpot/issues/6514) (PR: [#9188](https://github.com/penpot/penpot/pull/9188))
+- Use `$` as DTCG token/group discriminator and make `$description` optional [#8342](https://github.com/penpot/penpot/issues/8342) (PR: [#9912](https://github.com/penpot/penpot/pull/9912))
+- Match version preview banner text to History sidebar labels (by @MilosM348) [#9503](https://github.com/penpot/penpot/issues/9503) (PR: [#9697](https://github.com/penpot/penpot/pull/9697))
+- Use "copia" as duplicate suffix for Spanish (by @Rene0422) [#9623](https://github.com/penpot/penpot/issues/9623) (PR: [#9671](https://github.com/penpot/penpot/pull/9671))
+- Harden CORS middleware to not reflect Origin with credentials enabled [#9659](https://github.com/penpot/penpot/issues/9659) (PR: [#9675](https://github.com/penpot/penpot/pull/9675))
+- Revert token migrations on clashing names to prevent data loss [#9816](https://github.com/penpot/penpot/issues/9816) (PR: [#9950](https://github.com/penpot/penpot/pull/9950))
+- Update contributing guidelines with current issue tags and CSS linting rules [#9900](https://github.com/penpot/penpot/issues/9900) (PR: [#9418](https://github.com/penpot/penpot/pull/9418))
+- Add composite typography token input to the Design sidebar [#9932](https://github.com/penpot/penpot/issues/9932) (PR: [#9128](https://github.com/penpot/penpot/pull/9128), [#9375](https://github.com/penpot/penpot/pull/9375), [#8749](https://github.com/penpot/penpot/pull/8749))
+- Avoid deduplicating temporary export files to prevent stale content (by @yong2bba) [#9970](https://github.com/penpot/penpot/issues/9970) (PR: [#9959](https://github.com/penpot/penpot/pull/9959))
+
+### :bug: Bugs fixed
+
+- Fix plugin API `fileVersion.restore()` promise hanging indefinitely on restore failure [Github #9092](https://github.com/penpot/penpot/issues/9092)
+- Fix LDAP provider params schema typo (`bind-passwor` → `bind-password`) introduced during the `clojure.spec` → `malli` migration; the schema slot now matches the runtime key actually read by `prepare-params` (`:password (:bind-password cfg)`) and `try-connectivity` (`(:bind-password cfg)`), so a wrong type for the password no longer slips through unvalidated
+- Fix `login-with-ldap` silently dropping its error message on the `ldap-not-initialized` restriction (typo `:hide` → `:hint`); the message `"ldap auth provider is not initialized"` now actually surfaces in logs and error responses instead of being discarded into an unread key
+- Fix `PENPOT_OIDC_USER_INFO_SOURCE` flag being silently ignored (`userinfo` / `token`) in the OIDC callback, causing "incomplete user info" failures during registration [Github #9108](https://github.com/penpot/penpot/issues/9108)
+- Fix `get-view-only-bundle` crashing when a share-link viewer encounters a team member whose email lacks `@` (NullPointerException in `obfuscate-email`) or whose domain has no `.` (previously produced a dangling-dot `****@****.`); now the viewer-side obfuscation is nil-safe and omits the trailing dot when the domain has no TLD
+- Remove `corepack` from the MCP local launcher so it runs on Node.js 25+, where corepack is no longer bundled [Github #8877](https://github.com/penpot/penpot/issues/8877)
+- Fix Copy as SVG: emit a single valid SVG document when multiple shapes are selected, and publish `image/svg+xml` to the clipboard so the paste target works in Inkscape and other SVG-native tools [Github #838](https://github.com/penpot/penpot/issues/838)
+- Reset profile submenu state when the account menu closes (by @eureka0928) [Github #8947](https://github.com/penpot/penpot/issues/8947)
+- Add export panel to inspect styles tab [Taiga #13582](https://tree.taiga.io/project/penpot/issue/13582)
+- Fix styles between grid layout inputs [Taiga #13526](https://tree.taiga.io/project/penpot/issue/13526)
+- Fix id prop on switch component [Taiga #13534](https://tree.taiga.io/project/penpot/issue/13534)
+- Update copy on penpot update message [Taiga #12924](https://tree.taiga.io/project/penpot/issue/12924)
+- Fix scroll on library modal [Taiga #13639](https://tree.taiga.io/project/penpot/issue/13639)
+- Fix dates to avoid show them in english when browser is in auto [Taiga #13786](https://tree.taiga.io/project/penpot/issue/13786)
+- Fix focus radio button [Taiga #13841](https://tree.taiga.io/project/penpot/issue/13841)
+- Token tree should be expanded by default [Taiga #13631](https://tree.taiga.io/project/penpot/issue/13631)
+- Fix opacity incorrectly disabled for visible shapes [Taiga #13906](https://tree.taiga.io/project/penpot/issue/13906)
+- Update onboarding image [Taiga #13864](https://tree.taiga.io/project/penpot/issue/13864)
+- Fix plugin modal drag interactions over iframe and close-button behavior (by @marekhrabe) [Github #8871](https://github.com/penpot/penpot/pull/8871)
+- Fix hot update on color-row on texts [Taiga #13923](https://tree.taiga.io/project/penpot/issue/13923)
+- Fix selected color tokens [Taiga #13930](https://tree.taiga.io/project/penpot/issue/13930)
+- Fix dashboard Recent/Deleted titles overlapped by scrolling content (by @rockchris099) [Github #8577](https://github.com/penpot/penpot/issues/8577)
+- Display resolved values of inactive tokens [Taiga #13628](https://tree.taiga.io/project/penpot/issue/13628)
+- Fix hyphens stripped from export filenames (by @jamesrayammons) [Github #8901](https://github.com/penpot/penpot/issues/8901)
+- Fix app crash when selecting shapes with one hidden [Taiga #13959](https://tree.taiga.io/project/penpot/issue/13959)
+- Fix opacity mixed value [Taiga #13960](https://tree.taiga.io/project/penpot/issue/13960)
+- Fix gap input throwing an error [Github #8984](https://github.com/penpot/penpot/pull/8984)
+- Fix non-functional clear icon in change email modal inputs (by @Dexterity104) [Github #8977](https://github.com/penpot/penpot/issues/8977)
+- Disable save button after saving account profile settings (by @Dexterity104) [Github #8979](https://github.com/penpot/penpot/issues/8979)
+- Fix copy to be more specific [Taiga #13990](https://tree.taiga.io/project/penpot/issue/13990)
+- Allow deleting the profile avatar after uploading [Github #9067](https://github.com/penpot/penpot/issues/9067)
+- Fix incorrect rendering when exporting text as SVG, PNG and JPG (by @edwin-rivera-dev) [Github #8516](https://github.com/penpot/penpot/issues/8516)
+- Fix Settings and Notifications "Update Settings" button enabled state when form has no changes (by @moorsecopers99) [Github #9090](https://github.com/penpot/penpot/issues/9090)
+- Fix "Help & Learning" submenu vertical alignment in account menu (by @juan-flores077) [Github #9137](https://github.com/penpot/penpot/issues/9137)
+- Fix plugin `addInteraction` silently rejecting `open-overlay` actions with `manualPositionLocation` [Github #8409](https://github.com/penpot/penpot/issues/8409)
+- Fix typography style creation with tokenized line-height (by @juan-flores077) [Github #8479](https://github.com/penpot/penpot/issues/8479)
+- Fix colorpicker layout so the eyedropper button is visible again [Taiga #14057](https://tree.taiga.io/project/penpot/issue/14057)
+- Fix SVG stroke line join not applied when pasting strokes [#4836](https://github.com/penpot/penpot/issues/4836) (PR: [#9982](https://github.com/penpot/penpot/pull/9982), [#10019](https://github.com/penpot/penpot/pull/10019))
+- Fix blend-mode hover preview on canvas not reverted when dismissing dropdown (by @jack-stormentswe) [#9235](https://github.com/penpot/penpot/issues/9235) (PR: [#9237](https://github.com/penpot/penpot/pull/9237))
+- Fix View Mode mouse-leave and click in combination not working [#4855](https://github.com/penpot/penpot/issues/4855) (PR: [#9991](https://github.com/penpot/penpot/pull/9991))
+- Fix Storybook UI missing scrollbar (by @MilosM348) [#6049](https://github.com/penpot/penpot/issues/6049) (PR: [#9319](https://github.com/penpot/penpot/pull/9319))
+- Fix font selector missing intermediate font weights for Source Sans Pro and similar fonts (by @dhgoal) [#7378](https://github.com/penpot/penpot/issues/7378) (PR: [#9247](https://github.com/penpot/penpot/pull/9247))
+- Fix plugin API `typography.remove()` passing wrong parameter format (by @leonaIee) [#8223](https://github.com/penpot/penpot/issues/8223) (PR: [#9279](https://github.com/penpot/penpot/pull/9279))
+- Fix plugin API fills and strokes array elements being read-only (by @RenzoMXD) [#8357](https://github.com/penpot/penpot/issues/8357) (PR: [#9161](https://github.com/penpot/penpot/pull/9161))
+- Fix "Show Guides" shortcut not working on German keyboards (by @RenzoMXD) [#8423](https://github.com/penpot/penpot/issues/8423) (PR: [#9209](https://github.com/penpot/penpot/pull/9209))
+- Fix token validation failing when a malformed token exists in the Component category [#9010](https://github.com/penpot/penpot/issues/9010) (PR: [#9025](https://github.com/penpot/penpot/pull/9025), [#9825](https://github.com/penpot/penpot/pull/9825))
+- Fix prototype interaction targets appearing in View Mode automatically when library component changes (by @jeffrey701) [#9049](https://github.com/penpot/penpot/issues/9049) (PR: [#9695](https://github.com/penpot/penpot/pull/9695))
+- Fix Docker frontend image missing CSS reference (by @NativeTeachingAidsB) [#9135](https://github.com/penpot/penpot/issues/9135) (PR: [#9840](https://github.com/penpot/penpot/pull/9840))
+- Fix MCP media upload error and SVG data URI image parsing (by @claytonlin1110) [#9164](https://github.com/penpot/penpot/issues/9164) (PR: [#9201](https://github.com/penpot/penpot/pull/9201))
+- Fix lost-update race on team features during concurrent file creation (by @JPette1783) [#9197](https://github.com/penpot/penpot/issues/9197) (PR: [#9198](https://github.com/penpot/penpot/pull/9198))
+- Fix get-profile RPC method silently masking DB errors as "Anonymous User" (by @jack-stormentswe) [#9253](https://github.com/penpot/penpot/issues/9253) (PR: [#9254](https://github.com/penpot/penpot/pull/9254))
+- Fix crash when creating or editing tokens named "white" or "black" [#9256](https://github.com/penpot/penpot/issues/9256) (PR: [#9034](https://github.com/penpot/penpot/pull/9034))
+- Fix conditional use-ctx hook violation in shape-wrapper (by @Dexterity104) [#9280](https://github.com/penpot/penpot/issues/9280) (PR: [#9281](https://github.com/penpot/penpot/pull/9281))
+- Make ShapeImageIds byte conversion fallible to prevent panics (by @Dexterity104) [#9282](https://github.com/penpot/penpot/issues/9282) (PR: [#9283](https://github.com/penpot/penpot/pull/9283))
+- Prevent viewers from overwriting file thumbnails (by @jony376) [#9284](https://github.com/penpot/penpot/issues/9284) (PR: [#9285](https://github.com/penpot/penpot/pull/9285))
+- Fix plugin API showing incorrect error messages for invalid operations (by @bitcompass) [#9417](https://github.com/penpot/penpot/issues/9417) (PR: [#9486](https://github.com/penpot/penpot/pull/9486))
+- Add inactivity timeout to SSE sessions to match Streamable HTTP sessions [#9432](https://github.com/penpot/penpot/issues/9432) (PR: [#9464](https://github.com/penpot/penpot/pull/9464))
+- Fix component variant switching behaving differently on two identical copies (by @MischaPanch) [#9498](https://github.com/penpot/penpot/issues/9498) (PR: [#9434](https://github.com/penpot/penpot/pull/9434))
+- Populate is-indirect flag on file libraries from relation graph (by @Dexterity104) [#9506](https://github.com/penpot/penpot/issues/9506) (PR: [#9289](https://github.com/penpot/penpot/pull/9289))
+- Add missing error message for invalid shadow token [#9583](https://github.com/penpot/penpot/issues/9583) (PR: [#9809](https://github.com/penpot/penpot/pull/9809))
+- Fix moving a component in a library triggering stale update notification in dependent files [#9629](https://github.com/penpot/penpot/issues/9629) (PR: [#9616](https://github.com/penpot/penpot/pull/9616))
+- Fix newly created token not visible when placed above existing tokens in the tree [#9711](https://github.com/penpot/penpot/issues/9711) (PR: [#9803](https://github.com/penpot/penpot/pull/9803))
+- Fix B(V) input label misalignment in HSB color picker [#9731](https://github.com/penpot/penpot/issues/9731) (PR: [#9793](https://github.com/penpot/penpot/pull/9793))
+- Fix text style name input appending font name instead of replacing it when edited [#9785](https://github.com/penpot/penpot/issues/9785) (PR: [#9784](https://github.com/penpot/penpot/pull/9784))
+- Fix shadow token creation not allowing empty blur or spread value [#9808](https://github.com/penpot/penpot/issues/9808) (PR: [#9809](https://github.com/penpot/penpot/pull/9809))
+- Fix thinner line in path when its stroke is deleted and added again [#9823](https://github.com/penpot/penpot/issues/9823) (PR: [#9836](https://github.com/penpot/penpot/pull/9836))
+- Fix layers panel perceivable lag when displaying changes [#9834](https://github.com/penpot/penpot/issues/9834)
+- Fix settings form visual layout broken after recent contribution [#9882](https://github.com/penpot/penpot/issues/9882) (PR: [#9883](https://github.com/penpot/penpot/pull/9883))
+- Fix crash when duplicating shapes with fill/stroke properties [#9893](https://github.com/penpot/penpot/issues/9893) (PR: [#9647](https://github.com/penpot/penpot/pull/9647))
+- Fix S3 storage failing with IRSA/Web Identity Token credentials (by @jpc2350) [#9927](https://github.com/penpot/penpot/issues/9927) (PR: [#9928](https://github.com/penpot/penpot/pull/9928))
+- Fix onboarding template spinner stuck after failed template download (by @jeffrey701) [#9931](https://github.com/penpot/penpot/issues/9931) (PR: [#9504](https://github.com/penpot/penpot/pull/9504))
+- Fix stroke caps not working correctly when there are other nodes in the middle of a path [#9987](https://github.com/penpot/penpot/issues/9987) (PR: [#9989](https://github.com/penpot/penpot/pull/9989))
+- Fix missing three dots button for column and row edit menu in WebKit/Safari [#9993](https://github.com/penpot/penpot/issues/9993) (PR: [#9994](https://github.com/penpot/penpot/pull/9994))
+- Fix exported path with strokes being cut off in SVG file [#9995](https://github.com/penpot/penpot/issues/9995) (PR: [#9996](https://github.com/penpot/penpot/pull/9996))
+- Fix French Canada locale falling back to French translations instead of French Canadian (by @alexismo) [#10017](https://github.com/penpot/penpot/issues/10017) (PR: [#10027](https://github.com/penpot/penpot/pull/10027))
+
 ## 2.16.0 (Unreleased)
 
 ### :boom: Breaking changes & Deprecations
 
 ### :rocket: Epics and highlights
+
 - WebGL rendering (beta) user preference [#9683](https://github.com/penpot/penpot/issues/9683) (PR:[9113](https://github.com/penpot/penpot/pull/9113))
 - Design Tokens at the design tab: numeric fields with token selection in place [#9358](https://github.com/penpot/penpot/issues/9358)
 
@@ -59,8 +172,11 @@
 - Clarify self-hosted OIDC configuration for containerized (by @sancfc) [#9764](https://github.com/penpot/penpot/issues/9764) (PR: [#9758](https://github.com/penpot/penpot/pull/9758))
 - Update User Guide with 2.16 features (by @myfunnyandy) [#9767](https://github.com/penpot/penpot/issues/9767) (PR: [#9768](https://github.com/penpot/penpot/pull/9768))
 - Improve file validation performance and fix orphan shape detection [#9790](https://github.com/penpot/penpot/issues/9790) (PR: [#9789](https://github.com/penpot/penpot/pull/9789))
+- Add v2.16 release notes (What's new modal) [#9945](https://github.com/penpot/penpot/issues/9945) (PR: [#9940](https://github.com/penpot/penpot/pull/9940))
 
 ### :bug: Bugs fixed
+
+- Fix plugin API `Board.addRulerGuide` attaching guides to the page instead of the board due to a shadowed `id` binding; also correct the `'content:write'` permission error message and the `RulerGuideProxy` name (by @girafic) [#8225](https://github.com/penpot/penpot/issues/8225) (PR: [#8632](https://github.com/penpot/penpot/pull/8632))
 - Add Shift+Numpad aliases for zoom shortcuts (by @RenzoMXD) [#2457](https://github.com/penpot/penpot/issues/2457) (PR: [#9063](https://github.com/penpot/penpot/pull/9063))
 - Save and restore selection state in undo/redo (by @eureka0928) [#6007](https://github.com/penpot/penpot/issues/6007) (PR: [#8652](https://github.com/penpot/penpot/pull/8652))
 - Add guide locking and fix locked element selection in viewer (by @Dexterity104) [#8358](https://github.com/penpot/penpot/issues/8358) (PR: [#8949](https://github.com/penpot/penpot/pull/8949))
@@ -139,6 +255,7 @@
 - Fix delete invitation modal readability in light theme [#9737](https://github.com/penpot/penpot/issues/9737) (PR: [#9747](https://github.com/penpot/penpot/pull/9747))
 - Fix team invitation not automatically accepted after account validation [#9776](https://github.com/penpot/penpot/issues/9776) (PR: [#9782](https://github.com/penpot/penpot/pull/9782))
 - Fix design tokens vanishing from the sidebar when a token name collides with a token-group prefix from another active set (e.g. `a` in one set and `a.b` in another); the colliding token is now kept and rendered as a broken pill [Github #9584](https://github.com/penpot/penpot/issues/9584)
+- Fix Plugin API addRulerGuide creating guides on page instead of board (by @girafic) [#8225](https://github.com/penpot/penpot/issues/8225) (PR: [#8632](https://github.com/penpot/penpot/pull/8632))
 
 
 ## 2.15.4
@@ -173,7 +290,6 @@
 
 - Fix mcp related internal config for docker images [GH #9565](https://github.com/penpot/penpot/pull/9565)
 
-
 ## 2.15.1
 
 ### :sparkles: New features & Enhancements
@@ -184,7 +300,6 @@
 
 - Fix "Help & Learning" submenu vertical alignment in account menu (by @juan-flores077) [#9137](https://github.com/penpot/penpot/issues/9137) (PR: [#9138](https://github.com/penpot/penpot/pull/9138))
 
-
 ## 2.15.0
 
 ### :sparkles: New features & Enhancements

CONTRIBUTING.md

@@ -159,7 +159,7 @@ To save time on both sides, please avoid submitting PRs that:
 
 ### Good first issues
 
-We use the `easy fix` label to mark issues appropriate for newcomers.
+We use the `good first issue` label to mark issues appropriate for newcomers.
 
 ## Commit Guidelines
 
@@ -175,26 +175,26 @@ Commit messages must follow this format:
 
 ### Commit types
 
-| Emoji | Description |
-|-------|-------------|
-| :bug: | Bug fix |
-| :sparkles: | Improvement or enhancement |
-| :tada: | New feature |
-| :recycle: | Refactor |
-| :lipstick: | Cosmetic changes |
-| :ambulance: | Critical bug fix |
-| :books: | Documentation |
-| :construction: | Work in progress |
-| :boom: | Breaking change |
-| :wrench: | Configuration update |
-| :zap: | Performance improvement |
-| :whale: | Docker-related change |
-| :paperclip: | Other non-relevant changes |
-| :arrow_up: | Dependency update |
-| :arrow_down: | Dependency downgrade |
-| :fire: | Removal of code or files |
+| Emoji                  | Description                |
+| ---------------------- | -------------------------- |
+| :bug:                  | Bug fix                    |
+| :sparkles:             | Improvement or enhancement |
+| :tada:                 | New feature                |
+| :recycle:              | Refactor                   |
+| :lipstick:             | Cosmetic changes           |
+| :ambulance:            | Critical bug fix           |
+| :books:                | Documentation              |
+| :construction:         | Work in progress           |
+| :boom:                 | Breaking change            |
+| :wrench:               | Configuration update       |
+| :zap:                  | Performance improvement    |
+| :whale:                | Docker-related change      |
+| :paperclip:            | Other non-relevant changes |
+| :arrow_up:             | Dependency update          |
+| :arrow_down:           | Dependency downgrade       |
+| :fire:                 | Removal of code or files   |
 | :globe_with_meridians: | Add or update translations |
-| :rocket: | Epic or highlight |
+| :rocket:               | Epic or highlight          |
 
 ### Rules
 
@@ -231,15 +231,27 @@ We use [cljfmt](https://github.com/weavejester/cljfmt) for formatting and
 ./scripts/lint
 ```
 
+For frontend SCSS, we use `stylelint` for linting and
+`Prettier` for formatting:
+
+```bash
+cd frontend
+
+# Lint SCSS
+pnpm run lint:scss (does not modify files)
+
+# Fix SCSS formatting (modifies files in place)
+pnpm run fmt:scss
+```
+
 Ideally, run these as git pre-commit hooks.
 [Husky](https://typicode.github.io/husky/#/) is a convenient option for
 setting this up.
 
 ## Changelog
 
-When your change is user-facing or otherwise notable, add an entry to
-[CHANGES.md](CHANGES.md) following the same commit-type conventions. Reference
-the relevant GitHub issue or Taiga user story.
+The changelog is updated automatically as part of the release process. Contributors
+should **not** modify `CHANGES.md` manually in their pull requests.
 
 ## Code of Conduct
 
@@ -260,23 +272,23 @@ By submitting code you agree to and can certify the following:
 > By making a contribution to this project, I certify that:
 >
 > (a) The contribution was created in whole or in part by me and I have the
->     right to submit it under the open source license indicated in the file; or
+> right to submit it under the open source license indicated in the file; or
 >
 > (b) The contribution is based upon previous work that, to the best of my
->     knowledge, is covered under an appropriate open source license and I have
->     the right under that license to submit that work with modifications,
->     whether created in whole or in part by me, under the same open source
->     license (unless I am permitted to submit under a different license), as
->     indicated in the file; or
+> knowledge, is covered under an appropriate open source license and I have
+> the right under that license to submit that work with modifications,
+> whether created in whole or in part by me, under the same open source
+> license (unless I am permitted to submit under a different license), as
+> indicated in the file; or
 >
 > (c) The contribution was provided directly to me by some other person who
->     certified (a), (b) or (c) and I have not modified it.
+> certified (a), (b) or (c) and I have not modified it.
 >
 > (d) I understand and agree that this project and the contribution are public
->     and that a record of the contribution (including all personal information
->     I submit with it, including my sign-off) is maintained indefinitely and
->     may be redistributed consistent with this project or the open source
->     license(s) involved.
+> and that a record of the contribution (including all personal information
+> I submit with it, including my sign-off) is maintained indefinitely and
+> may be redistributed consistent with this project or the open source
+> license(s) involved.
 
 ### Signed-off-by
 

README.md

@@ -5,7 +5,7 @@
 
 <p align="center">
   <a href="https://www.digitalpublicgoods.net/r/penpot" rel="nofollow">
-    <img alt="Verified DPG" src="https://img.shields.io/badge/Verified-DPG-blue.svg">
+    <img alt="Verified DPG" src="https://img.shields.io/badge/Verified-DPG-3333AB?logo=data:image/svg%2bxml;base64,PHN2ZyB3aWR0aD0iMzEiIGhlaWdodD0iMzMiIHZpZXdCb3g9IjAgMCAzMSAzMyIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTE0LjIwMDggMjEuMzY3OEwxMC4xNzM2IDE4LjAxMjRMMTEuNTIxOSAxNi40MDAzTDEzLjk5MjggMTguNDU5TDE5LjYyNjkgMTIuMjExMUwyMS4xOTA5IDEzLjYxNkwxNC4yMDA4IDIxLjM2NzhaTTI0LjYyNDEgOS4zNTEyN0wyNC44MDcxIDMuMDcyOTdMMTguODgxIDUuMTg2NjJMMTUuMzMxNCAtMi4zMzA4MmUtMDVMMTEuNzgyMSA1LjE4NjYyTDUuODU2MDEgMy4wNzI5N0w2LjAzOTA2IDkuMzUxMjdMMCAxMS4xMTc3TDMuODQ1MjEgMTYuMDg5NUwwIDIxLjA2MTJMNi4wMzkwNiAyMi44Mjc3TDUuODU2MDEgMjkuMTA2TDExLjc4MjEgMjYuOTkyM0wxNS4zMzE0IDMyLjE3OUwxOC44ODEgMjYuOTkyM0wyNC44MDcxIDI5LjEwNkwyNC42MjQxIDIyLjgyNzdMMzAuNjYzMSAyMS4wNjEyTDI2LjgxNzYgMTYuMDg5NUwzMC42NjMxIDExLjExNzdMMjQuNjI0MSA5LjM1MTI3WiIgZmlsbD0id2hpdGUiLz4KPC9zdmc+Cg==">
   </a>
   <a href="https://community.penpot.app" rel="nofollow">
     <img alt="Penpot Community" src="https://img.shields.io/discourse/posts?server=https%3A%2F%2Fcommunity.penpot.app">

SECURITY.md

@@ -5,8 +5,8 @@
 We take the security of this project seriously. If you have discovered
 a security vulnerability, please do **not** open a public issue.
 
-Please report vulnerabilities via email to: **[support@penpot.app]**
-
+Please report vulnerabilities through the [GitHub Security Advisories](https://github.com/penpot/penpot/security/advisories
+) feature in the Penpot repository.
 
 ### What to include:
 

THANKYOU.md

@@ -7,6 +7,7 @@ list.
 
 ## Security
 
+* Alisher (@7megaumka7)
 * Husnain Iqbal (CEO OF ALPHA INFERNO PVT LTD)
 * [Shiraz Ali Khan](https://www.linkedin.com/in/shiraz-ali-khan-1ba508180/)
 * Vaibhav Shukla

backend/AGENTS.md

@@ -1,262 +0,0 @@
-# Penpot Backend – Agent Instructions
-
-Clojure backend (RPC) service running on the JVM.
-
-Uses Integrant for dependency injection, PostgreSQL for storage, and
-Redis for messaging/caching.
-
-## General Guidelines
-
-To ensure consistency across the Penpot JVM stack, all contributions must adhere
-to these criteria.
-
-IMPORTANT: all CLI commands should be executed under backend/
-subdirectory for make them work correctly.
-
-### 1. Testing & Validation
-
-* **Coverage:** If code is added or modified in `src/`, corresponding
-  tests in `test/backend_tests/` must be added or updated.
-
-* **Execution:**
-  * **Isolated:** Run `clojure -M:dev:test --focus backend-tests.my-ns-test` for the specific test namespace.
-  * **Regression:** Run `clojure -M:dev:test` to ensure the suite passes without regressions in related functional areas.
-
-### 2. Code Quality & Formatting
-
-* **Linting:** All code must pass linter checks (run `pnpm run lint:clj` or `pnpm run lint` on the repository root)
-* **Formatting:** All the code must pass the formatting check (run `pnpm run
-  check-fmt`). Use `pnpm run fmt` to fix formatting issues. Avoid "dirty"
-  diffs caused by unrelated whitespace changes.
-* **Type Hinting:** Use explicit JVM type hints (e.g., `^String`, `^long`) in
-  performance-critical paths to avoid reflection overhead.
-
-## Code Conventions
-
-### Namespace Overview
-
-The source is located under `src` directory and this is a general overview of
-namespaces structure:
-
-- `app.rpc.commands.*` – RPC command implementations (`auth`, `files`, `teams`, etc.)
-- `app.http.*` – HTTP routes and middleware
-- `app.db.*` – Database layer
-- `app.tasks.*` – Background job tasks
-- `app.main` – Integrant system setup and entrypoint
-- `app.loggers` – Internal loggers (auditlog, mattermost, etc.) (not to be confused with `app.common.logging`)
-
-### RPC
-
-The RPC methods are implemented using a multimethod-like structure via the
-`app.util.services` namespace. The main RPC methods are collected under
-`app.rpc.commands` namespace and exposed under `/api/rpc/command/<cmd-name>`.
-
-The RPC method accepts POST and GET requests indistinctly and uses the `Accept`
-header to negotiate the response encoding (which can be Transit — the default —
-or plain JSON). It also accepts Transit (default) or JSON as input, which should
-be indicated using the `Content-Type` header.
-
-The main convention is: use `get-` prefix on RPC name when we want READ
-operation.
-
-Example of RPC method definition:
-
-```clojure
-(sv/defmethod ::my-command
-  {::rpc/auth true            ;; requires auth
-   ::doc/added "1.18"
-   ::sm/params [:map ...]     ;; malli input schema
-   ::sm/result [:map ...]}    ;; malli output schema
-  [{:keys [::db/pool] :as cfg} {:keys [::rpc/profile-id] :as params}]
-  ;; return a plain map or throw
-  {:id (uuid/next)})
-```
-
-Look under `src/app/rpc/commands/*.clj` to see more examples.
-
-### Tests
-
-Test namespaces match `.*-test$` under `test/`. Config is in `tests.edn`.
-
-
-### Integrant System
-
-The `src/app/main.clj` declares the system map. Each key is a component; values
-are config maps with `::ig/ref` for dependencies. Components implement
-`ig/init-key` / `ig/halt-key!`.
-
-
-### Connecting to the Database
-
-Two PostgreSQL databases are used in this environment:
-
-| Database      | Purpose            | Connection string                                  |
-|---------------|--------------------|----------------------------------------------------|
-| `penpot`      | Development / app  | `postgresql://penpot:penpot@postgres/penpot`       |
-| `penpot_test` | Test suite         | `postgresql://penpot:penpot@postgres/penpot_test`  |
-
-**Interactive psql session:**
-
-```bash
-# development DB
-psql "postgresql://penpot:penpot@postgres/penpot"
-
-# test DB
-psql "postgresql://penpot:penpot@postgres/penpot_test"
-```
-
-**One-shot query (non-interactive):**
-
-```bash
-psql "postgresql://penpot:penpot@postgres/penpot" -c "SELECT id, name FROM team LIMIT 5;"
-```
-
-**Useful psql meta-commands:**
-
-```
-\dt              -- list all tables
-\d <table>       -- describe a table (columns, types, constraints)
-\di              -- list indexes
-\q               -- quit
-```
-
-> **Migrations table:** Applied migrations are tracked in the `migrations` table
-> with columns `module`, `step`, and `created_at`. When renaming a migration
-> logical name, update this table in both databases to match the new name;
-> otherwise the runner will attempt to re-apply the migration on next startup.
-
-```bash
-# Example: fix a renamed migration entry in the test DB
-psql "postgresql://penpot:penpot@postgres/penpot_test" \
-  -c "UPDATE migrations SET step = 'new-name' WHERE step = 'old-name';"
-```
-
-### Database Access (Clojure)
-
-`app.db` wraps next.jdbc. Queries use a SQL builder that auto-converts kebab-case ↔ snake_case.
-
-```clojure
-;; Query helpers
-(db/get cfg-or-pool :table {:id id})                    ; fetch one row (throws if missing)
-(db/get* cfg-or-pool :table {:id id})                   ; fetch one row (returns nil)
-(db/query cfg-or-pool :table {:team-id team-id})        ; fetch multiple rows
-(db/insert! cfg-or-pool :table {:name "x" :team-id id}) ; insert
-(db/update! cfg-or-pool :table {:name "y"} {:id id})    ; update
-(db/delete! cfg-or-pool :table {:id id})                ; delete
-
-;; Run multiple statements/queries on single connection
-(db/run! cfg (fn [{:keys [::db/conn]}]
-               (db/insert! conn :table row1)
-               (db/insert! conn :table row2))
-
-
-;; Transactions
-(db/tx-run! cfg (fn [{:keys [::db/conn]}]
-                  (db/insert! conn :table row)))
-```
-
-Almost all methods in the `app.db` namespace accept `pool`, `conn`, or
-`cfg` as params.
-
-Migrations live in `src/app/migrations/` as numbered SQL files. They run automatically on startup.
-
-
-### Error Handling
-
-The exception helpers are defined on Common module, and are available under
-`app.common.exceptions` namespace.
-
-Example of raising an exception:
-
-```clojure
-(ex/raise :type :not-found
-          :code :object-not-found
-          :hint "File does not exist"
-          :file-id id)
-```
-
-Common types: `:not-found`, `:validation`, `:authorization`, `:conflict`, `:internal`.
-
-
-### Performance Macros (`app.common.data.macros`)
-
-Always prefer these macros over their `clojure.core` equivalents — they provide
-optimized implementations:
-
-```clojure
-(dm/select-keys m [:a :b])     ;; faster than core/select-keys
-(dm/get-in obj [:a :b :c])     ;; faster than core/get-in
-(dm/str "a" "b" "c")           ;; string concatenation
-```
-
-### Configuration
-
-`src/app/config.clj` reads `PENPOT_*` environment variables, validated with
-Malli. Access anywhere via `(cf/get :smtp-host)`. Feature flags: `(cf/flags
-:enable-smtp)`.
-
-
-### Background Tasks
-
-Background tasks live in `src/app/tasks/`. Each task is an Integrant component
-that exposes a `::handler` key and follows this three-method pattern:
-
-```clojure
-(defmethod ig/assert-key ::handler   ;; validate config at startup
-  [_ params]
-  (assert (db/pool? (::db/pool params)) "expected a valid database pool"))
-
-(defmethod ig/expand-key ::handler   ;; inject defaults before init
-  [k v]
-  {k (assoc v ::my-option default-value)})
-
-(defmethod ig/init-key ::handler     ;; return the task fn
-  [_ cfg]
-  (fn [_task]                        ;; receives the task row from the worker
-    (db/tx-run! cfg (fn [{:keys [::db/conn]}]
-                      ;; … do work …
-                      ))))
-```
-
-**Wiring a new task** requires two changes in `src/app/main.clj`:
-
-1. **Handler config** – add an entry in `system-config` with the dependencies:
-
-```clojure
-:app.tasks.my-task/handler
-{::db/pool (ig/ref ::db/pool)}
-```
-
-2. **Registry + cron** – register the handler name and schedule it:
-
-```clojure
-;; in ::wrk/registry ::wrk/tasks map:
-:my-task (ig/ref :app.tasks.my-task/handler)
-
-;; in worker-config ::wrk/cron ::wrk/entries vector:
-{:cron #penpot/cron "0 0 0 * * ?"   ;; daily at midnight
- :task :my-task}
-```
-
-**Useful cron patterns** (Quartz format — six fields: s m h dom mon dow):
-
-| Expression                   | Meaning            |
-|------------------------------|--------------------|
-| `"0 0 0 * * ?"`              | Daily at midnight  |
-| `"0 0 */6 * * ?"`            | Every 6 hours      |
-| `"0 */5 * * * ?"`            | Every 5 minutes    |
-
-**Time helpers** (`app.common.time`):
-
-```clojure
-(ct/now)                          ;; current instant
-(ct/duration {:hours 1})          ;; java.time.Duration
-(ct/minus (ct/now) some-duration) ;; subtract duration from instant
-```
-
-`db/interval` converts a `Duration` (or millis / string) to a PostgreSQL
-interval object suitable for use in SQL queries:
-
-```clojure
-(db/interval (ct/duration {:hours 1}))  ;; → PGInterval "3600.0 seconds"
-```

backend/deps.edn

@@ -67,7 +67,8 @@
 
   ;; Pretty Print specs
   pretty-spec/pretty-spec {:mvn/version "0.1.4"}
-  software.amazon.awssdk/s3 {:mvn/version "2.44.4"}}
+  software.amazon.awssdk/s3 {:mvn/version "2.44.4"}
+  software.amazon.awssdk/sts {:mvn/version "2.44.4"}}
 
  :paths ["src" "resources" "target/classes"]
  :aliases

backend/resources/app/email/invite-to-org/en.html

@@ -198,14 +198,14 @@
                         <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="20" height="20" style="display:inline-block;vertical-align:middle;">
                           <tr>
                             <td width="20" height="20" align="center" valign="middle"
-                                background="{{organization-logo}}"
+                                background="{% if organization.logo %}{{organization.logo}}{% else %}{{organization.avatar-bg-url}}{% endif %}"
                                 style="width:20px;height:20px;text-align:center;font-weight:bold;font-size:9px;line-height:20px;color:#ffffff;background-size:cover;background-position:center;background-repeat:no-repeat;border-radius: 50%;color:black">
-                              {% if organization-initials %}{{organization-initials}}{% endif %}
+                              {% if organization.initials %}{{organization.initials}}{% endif %}
                             </td>
                           </tr>
                         </table>
                         <span style="display:inline-block; vertical-align: middle;padding-left:5px;height:20px;line-height: 20px;">
-                        “{{ organization-name|abbreviate:25 }}”
+                        {{ organization.name|abbreviate:50 }}
                         </span>
                       </div>
                     </td>

backend/resources/app/email/invite-to-org/en.subj

@@ -1 +1 @@
-{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization.name|abbreviate:25 }}”

backend/resources/app/email/invite-to-org/en.txt

@@ -1,6 +1,6 @@
 Hello!
 
-{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”.
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization.name|abbreviate:25 }}”.
 
 Accept invitation using this link:
 

backend/resources/app/email/renewal-notice/en.html

@@ -0,0 +1,270 @@
+<!doctype html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml"
+  xmlns:o="urn:schemas-microsoft-com:office:office">
+
+<head>
+  <title>
+  </title>
+  <!--[if !mso]><!-- -->
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <!--<![endif]-->
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <style type="text/css">
+    #outlook a {
+      padding: 0;
+    }
+
+    body {
+      margin: 0;
+      padding: 0;
+      -webkit-text-size-adjust: 100%;
+      -ms-text-size-adjust: 100%;
+    }
+
+    table,
+    td {
+      border-collapse: collapse;
+      mso-table-lspace: 0pt;
+      mso-table-rspace: 0pt;
+    }
+
+    img {
+      border: 0;
+      height: auto;
+      line-height: 100%;
+      outline: none;
+      text-decoration: none;
+      -ms-interpolation-mode: bicubic;
+    }
+
+    p {
+      display: block;
+      margin: 13px 0;
+    }
+  </style>
+  <!--[if mso]>
+        <xml>
+        <o:OfficeDocumentSettings>
+          <o:AllowPNG/>
+          <o:PixelsPerInch>96</o:PixelsPerInch>
+        </o:OfficeDocumentSettings>
+        </xml>
+        <![endif]-->
+  <!--[if lte mso 11]>
+        <style type="text/css">
+          .mj-outlook-group-fix { width:100% !important; }
+        </style>
+        <![endif]-->
+  <!--[if !mso]><!-->
+  <link href="https://fonts.googleapis.com/css?family=Source%20Sans%20Pro" rel="stylesheet" type="text/css">
+  <style type="text/css">
+    @import url(https://fonts.googleapis.com/css?family=Source%20Sans%20Pro);
+  </style>
+  <!--<![endif]-->
+  <style type="text/css">
+    @media only screen and (min-width:480px) {
+      .mj-column-per-100 {
+        width: 100% !important;
+        max-width: 100%;
+      }
+
+      .mj-column-px-425 {
+        width: 425px !important;
+        max-width: 425px;
+      }
+    }
+  </style>
+  <style type="text/css">
+    @media only screen and (max-width:480px) {
+      table.mj-full-width-mobile {
+        width: 100% !important;
+      }
+
+      td.mj-full-width-mobile {
+        width: auto !important;
+      }
+    }
+  </style>
+</head>
+
+<body style="background-color:#E5E5E5;">
+  <div style="background-color:#E5E5E5;">
+    <!--[if mso | IE]>
+      <table
+         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
+      >
+        <tr>
+          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
+      <![endif]-->
+    <div style="margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:0;text-align:center;">
+              <!--[if mso | IE]>
+                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+
+        <tr>
+
+            <td
+               class="" style="vertical-align:top;width:600px;"
+            >
+          <![endif]-->
+              <div class="mj-column-per-100 mj-outlook-group-fix"
+                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
+                  width="100%">
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:16px;word-break:break-word;">
+                      <table border="0" cellpadding="0" cellspacing="0" role="presentation"
+                        style="border-collapse:collapse;border-spacing:0px;">
+                        <tbody>
+                          <tr>
+                            <td style="width:97px;">
+                              <img height="32" src="{{ public-uri }}/images/email/uxbox-title.png"
+                                style="border:0;display:block;outline:none;text-decoration:none;height:32px;width:100%;font-size:13px;"
+                                width="97" />
+                            </td>
+                          </tr>
+                        </tbody>
+                      </table>
+                    </td>
+                  </tr>
+                </table>
+              </div>
+              <!--[if mso | IE]>
+            </td>
+
+        </tr>
+
+                  </table>
+                <![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+    <!--[if mso | IE]>
+          </td>
+        </tr>
+      </table>
+
+      <table
+         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
+      >
+        <tr>
+          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
+      <![endif]-->
+    <div style="background:#FFFFFF;background-color:#FFFFFF;margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation"
+        style="background:#FFFFFF;background-color:#FFFFFF;width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:20px 0;text-align:center;">
+              <!--[if mso | IE]>
+                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+
+        <tr>
+
+            <td
+               class="" style="vertical-align:top;width:600px;"
+            >
+          <![endif]-->
+              <div class="mj-column-per-100 mj-outlook-group-fix"
+                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
+                  width="100%">
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Hi{% if user-name %} {{ user-name|abbreviate:25 }}{% endif %},
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Your Enterprise subscription is coming up for renewal. Here's a summary of what's included.
+                      </div>
+                      <div style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin-top:20px">
+                        <b>Renewal date:</b> {{ renewal-date }}
+                      </div>
+                      <div style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin-top:10px">
+                        <b>Estimated amount:</b> {{ estimated-amount }}
+                      </div>
+                      <div style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin:10px 0">
+                        <b>Organizations covered:</b> {% if organizations|empty? %}No organizations yet.{% endif %}
+                      </div>
+
+                      {% for org in organizations %}
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin-bottom:5px">
+                        <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="20" height="20" style="display:inline-block;vertical-align:middle;">
+                          <tr>
+                            <td width="20" height="20" align="center" valign="middle"
+                                background="{% if org.logo %}{{org.logo}}{% else %}{{org.avatar-bg-url}}{% endif %}"
+                                style="width:20px;height:20px;text-align:center;font-weight:bold;font-size:9px;line-height:20px;color:#ffffff;background-size:cover;background-position:center;background-repeat:no-repeat;border-radius: 50%;color:black">
+                              {% if org.initials %}{{org.initials}}{% endif %}
+                            </td>
+                          </tr>
+                        </table>
+                        <span style="display:inline-block; vertical-align: middle;padding-left:5px;height:20px;line-height: 20px;">
+                        {{ org.name|abbreviate:50 }}
+                        </span>
+                      </div>
+                      {% endfor %}
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        This amount is based on current member counts across your organizations. You can adjust members from the <a href="{{ public-uri }}/admin-console/" target="_blank">Admin Console</a>.</div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Check our <a href="https://penpot.app/terms" target="_blank">Terms and Conditions</a> and <a href="https://penpot.app/privacy" target="_blank">Privacy Policy.</a></div>
+                    </td>
+                  </tr>
+
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Enjoy!</div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        The Penpot team.</div>
+                    </td>
+                  </tr>
+                </table>
+              </div>
+              <!--[if mso | IE]>
+            </td>
+
+        </tr>
+
+                  </table>
+                <![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+
+    {% include "app/email/includes/footer.html" %}
+
+  </div>
+</body>
+
+</html>

backend/resources/app/email/renewal-notice/en.subj

@@ -0,0 +1 @@
+Your Enterprise subscription renews on {{ renewal-date }}

backend/resources/app/email/renewal-notice/en.txt

@@ -0,0 +1,17 @@
+Hi {% if user-name %}{{ user-name }}{% endif %},
+
+Your Enterprise subscription is coming up for renewal. Here's a summary of what's included.
+
+Renewal date: {{ renewal-date }}
+Estimated amount: {{ estimated-amount }}
+
+Organizations covered: {% if organizations|empty? %}No organizations yet.{% endif %}
+{% for org in organizations %}
+- {{ org.name }}
+{% endfor %}
+This amount is based on current member counts across your organizations. You can adjust members from the Admin Console.
+
+Check our Terms and Conditions and Privacy Policy.
+
+Enjoy!
+The Penpot team.

backend/scripts/_env

@@ -8,8 +8,18 @@ export PENPOT_SECRET_KEY=super-secret-devenv-key
 # DEPRECATED: only used for subscriptions
 export PENPOT_MANAGEMENT_API_KEY=super-secret-management-api-key
 
-export PENPOT_HOST=devenv
-export PENPOT_PUBLIC_URI=https://localhost:3449
+# Runtime config that varies per devenv instance (PENPOT_HOST, PENPOT_PUBLIC_URI,
+# PENPOT_DATABASE_*, PENPOT_REDIS_URI, PENPOT_OBJECTS_STORAGE_*, AWS_*) is owned by
+# docker/devenv/defaults.env and injected via the main service's env block.
+
+# Background worker flag is per-instance. Defaults to enabled (ws0); ws1+
+# overlays set PENPOT_BACKEND_WORKER=false so scheduled and async tasks only
+# run on ws0, keeping notification Pub/Sub bound to a single Valkey. See
+# mem:devenv/core for the rationale.
+__worker_flag=""
+if [[ "${PENPOT_BACKEND_WORKER:-true}" == "true" ]]; then
+    __worker_flag="enable-backend-worker"
+fi
 
 export PENPOT_FLAGS="\
        $PENPOT_FLAGS \
@@ -20,7 +30,7 @@ export PENPOT_FLAGS="\
        disable-login-with-github \
        disable-login-with-gitlab \
        disable-telemetry \
-       enable-backend-worker \
+       $__worker_flag \
        enable-backend-asserts \
        disable-feature-fdata-pointer-map \
        enable-feature-fdata-objects-map \
@@ -60,13 +70,7 @@ export PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE=314572800
 
 export PENPOT_USER_FEEDBACK_DESTINATION="support@example.com"
 
-export AWS_ACCESS_KEY_ID=penpot-devenv
-export AWS_SECRET_ACCESS_KEY=penpot-devenv
-export PENPOT_OBJECTS_STORAGE_BACKEND=s3
-export PENPOT_OBJECTS_STORAGE_S3_ENDPOINT=http://minio:9000
-export PENPOT_OBJECTS_STORAGE_S3_BUCKET=penpot
-
-export PENPOT_NITRATE_BACKEND_URI=http://localhost:3000/control-center
+export PENPOT_NITRATE_BACKEND_URI=http://localhost:3000/admin-console
 
 export JAVA_OPTS="\
        -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager \
@@ -84,14 +88,14 @@ export JAVA_OPTS="\
        --enable-native-access=ALL-UNNAMED";
 
 function setup_minio() {
-    # Initialize MINIO config
-    mc alias set penpot-s3/ http://minio:9000 minioadmin minioadmin -q
-    mc admin user add penpot-s3 penpot-devenv penpot-devenv -q
-    mc admin user info penpot-s3 penpot-devenv |grep -F -q "readwrite"
-    if [ "$?" = "1" ]; then
-        mc admin policy attach penpot-s3 readwrite --user=penpot-devenv -q
+    if [ "${PENPOT_OBJECTS_STORAGE_BACKEND}" != "s3" ]; then
+        return 0
     fi
-    mc mb penpot-s3/penpot -p -q
+
+    # Shared MinIO user/policy provisioning is handled by docker-compose.infra.yml.
+    # Per process startup only ensures that the configured bucket exists.
+    mc alias set penpot-s3/ "${PENPOT_OBJECTS_STORAGE_S3_ENDPOINT}" minioadmin minioadmin -q
+    mc mb "penpot-s3/${PENPOT_OBJECTS_STORAGE_S3_BUCKET}" -p -q
 }
 
 

backend/src/app/auth/oidc.clj

@@ -27,6 +27,7 @@
    [app.rpc.commands.profile :as profile]
    [app.setup :as-alias setup]
    [app.tokens :as tokens]
+   [app.util.cache :as cache]
    [app.util.inet :as inet]
    [app.util.json :as json]
    [buddy.sign.jwk :as jwk]
@@ -694,15 +695,24 @@
     (db/pgarray? roles)
     (assoc :roles (db/decode-pgarray roles #{}))))
 
-;; TODO: add cache layer for avoid build an discover each time
+;; A short TTL avoids paying the OIDC discovery + JWKS fetch on every
+;; login; Caffeine will not store the entry when the load fn throws,
+;; so a transient failure at the provider's discovery endpoint does
+;; not poison the cache.
+(defonce ^:private provider-cache
+  (cache/create :expire "10m" :max-size 64))
+
+(defn- load-provider
+  [cfg id]
+  (when-let [params (some->> (db/get* cfg :sso-provider {:id id :is-enabled true})
+                             (decode-row))]
+    (case (:type params)
+      "oidc" (prepare-oidc-provider cfg params))))
 
 (defn get-provider
   [cfg id]
   (try
-    (when-let [params (some->> (db/get* cfg :sso-provider {:id id :is-enabled true})
-                               (decode-row))]
-      (case (:type params)
-        "oidc" (prepare-oidc-provider cfg params)))
+    (cache/get provider-cache id (partial load-provider cfg))
     (catch Throwable cause
       (l/err :hint "unable to configure custom SSO provider"
              :provider (str id)

backend/src/app/binfile/common.clj

@@ -315,8 +315,8 @@
 (defn get-file
   "Get file, resolve all features and apply migrations.
 
-  Usefull when you have plan to apply massive or not cirurgical
-  operations on file, because it removes the ovehead of lazy fetching
+  Useful when you have plan to apply massive or not surgical
+  operations on file, because it removes the overhead of lazy fetching
   and decoding."
   [cfg file-id & {:as opts}]
   (db/run! cfg get-file* file-id opts))
@@ -843,7 +843,12 @@
 		   l.vern,
 		   l.is_shared,
 		   l.version,
-		   fls.synced_at
+		   fls.synced_at,
+		   NOT EXISTS (
+		     SELECT 1 FROM file_library_rel AS direct
+		      WHERE direct.file_id = ?::uuid
+		        AND direct.library_file_id = l.id
+		   ) AS is_indirect
 	FROM libs AS l
 	JOIN project AS p
 	  ON p.id = l.project_id
@@ -855,12 +860,8 @@
 (defn get-file-libraries
   [conn file-id]
   (into []
-        (comp
-         ;; FIXME: :is-indirect set to false to all rows looks
-         ;; completly useless
-         (map #(assoc % :is-indirect false))
-         (map decode-row-features))
-        (db/exec! conn [sql:get-file-libraries file-id file-id])))
+        (map decode-row-features)
+        (db/exec! conn [sql:get-file-libraries file-id file-id file-id])))
 
 (defn get-resolved-file-libraries
   "Get all file libraries including itself. Returns an instance of