xiaojiou176-open
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎DISTRIBUTION.md‎
Lines changed: 10 additions & 4 deletions b/‎DISTRIBUTION.md‎
Lines changed: 10 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 9 additions & 3 deletions b/‎README.md‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎apps/dashboard/next-env.d.ts‎
Lines changed: 1 addition & 1 deletion b/‎apps/dashboard/next-env.d.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apps/dashboard/next.config.js‎
Lines changed: 1 addition & 0 deletions b/‎apps/dashboard/next.config.js‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/dashboard/package.json‎
Lines changed: 1 addition & 1 deletion b/‎apps/dashboard/package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apps/dashboard/pnpm-lock.yaml‎
Lines changed: 41 additions & 41 deletions b/‎apps/dashboard/pnpm-lock.yaml‎
Lines changed: 41 additions & 41 deletions
diff --git a/‎apps/orchestrator/tests/e2e/test_dashboard_e2e.py‎
Lines changed: 17 additions & 9 deletions b/‎apps/orchestrator/tests/e2e/test_dashboard_e2e.py‎
Lines changed: 17 additions & 9 deletions
diff --git a/‎docs/README.md‎
Lines changed: 7 additions & 0 deletions b/‎docs/README.md‎
Lines changed: 7 additions & 0 deletions
@@ -267,6 +267,11 @@ jobs:
           set -euo pipefail
           bash scripts/check_workflow_static_security.sh
 
+      - name: Host-process safety gate
+        run: |
+          set -euo pipefail
+          npm run scan:host-process-risks
+
       - name: Quick policy / doc / hygiene gates
         env:
           CORTEXPILOT_DOC_GATE_MODE: ci-diff
 
@@ -15,13 +15,19 @@ change set.
 Today CortexPilot officially ships a public repo front door, a GitHub Pages
 product front door, one proof-first public workflow baseline, a repo-local
 read-only MCP server, a published PyPI package, a live Official MCP Registry
-entry, local coding-agent starter/bundle materials, and a live ClawHub skill.
+entry, and a live ClawHub skill.
 
 It does not yet officially ship a hosted operator service, a public write-capable
 MCP, a Docker distribution path, or standalone npm releases. OpenHands/extensions
 and MCP.so submissions are filed, but they still depend on external review or
 intake handling rather than repo-only publication.
 
+Lane order today is:
+
+1. `pure_mcp`
+2. `pure_skills`
+3. local starter/example bundle materials
+
 ## Status labels
 
 - `shipped`: part of the official public distribution today
@@ -54,9 +60,9 @@ intake handling rather than repo-only publication.
 | Claude Code starter | `starter-only` | Project-local `.claude` and `.mcp.json` starter | `examples/coding-agents/claude-code/` | local project wiring only | keep truthful; do not relabel as marketplace package |
 | OpenClaw starter | `starter-only` | Local config seed for the same read-only MCP and compatible bundle | `examples/coding-agents/openclaw/` | local config + local plugin path | keep truthful; do not relabel as ClawHub publication |
 | Cross-tool coding-agent bundle | `bundle-compatible` | Local bundle compatible with Codex local marketplace installs, Claude plugin-dir development, and OpenClaw local plugin loading | `examples/coding-agents/plugin-bundles/cortexpilot-coding-agent-bundle/` | local bundle metadata + repo-aware MCP wrapper | keep local-install contract; no published listing claim |
-| Repo-owned adoption-router skill | `shipped` | Cross-tool routing skill with `SKILL.md` + `manifest.yaml`, shared between the repo bundle and external skill distribution | `examples/coding-agents/plugin-bundles/cortexpilot-coding-agent-bundle/skills/cortexpilot-adoption-router/` | repo-owned skill contract, local bundle plus external skill publication | keep the repo bundle and published skill receipts aligned |
+| Repo-owned adoption-router skill | `shipped` | Cross-tool routing skill with `SKILL.md` + `manifest.yaml`, shared between the public skill packet, the repo bundle, and external skill distribution | `public-skills/cortexpilot-adoption-router/` | repo-owned skill contract, public skill packet plus local bundle example | keep the public packet, repo bundle, and published skill receipts aligned |
 | ClawHub skill (`cortexpilot-adoption-router`) | `shipped` | Published OpenClaw skill for honest CortexPilot adoption routing | `https://www.clawhub.ai/skills/cortexpilot-adoption-router` | skill registry, no hosted CortexPilot account, no write-capable MCP | keep the skill copy aligned with the repo bundle and public boundary |
-| OpenHands/extensions submission | `submitted-externally` | Public skill submission for the same adoption-router artifact | `https://github.com/OpenHands/extensions/pull/152` | host review flow, not live until merged | track review without overclaiming a merged listing |
+| OpenHands/extensions submission | `submitted-externally` | Public skill submission receipt for the same adoption-router artifact | `https://github.com/OpenHands/extensions/pull/151` | host review flow, not live until merged | track review without overclaiming a merged listing |
 | MCP.so submission | `submitted-externally` | Directory submission for the public read-only MCP server | `https://github.com/chatmcp/mcpso/issues/1559` | directory intake flow, not live until accepted | keep the issue body aligned with current package + registry truth |
 | `@cortexpilot/frontend-api-client` | `publish-ready but deferred` | Thin JS/TS client for control-plane reads and guarded operator add-ons | package metadata + README are publish-ready, but the official install story is still clone / vendor reuse until the first npm release exists | HTTP API with token / mutation-role expectations | publish later only after the first public package release is intentionally cut |
 | `@cortexpilot/frontend-api-contract` | `publish-ready but deferred` | Generated route / query / type boundary for frontend consumers | package metadata + README are publish-ready, but the official install story is still clone / vendor reuse until the first npm release exists | typed contract layer only | publish later only after the first public package release is intentionally cut |
@@ -95,7 +101,7 @@ intake handling rather than repo-only publication.
 These are intentionally outside repo-side completion:
 
 - publish npm packages
-- wait for OpenHands/extensions review on PR `#152`
+- wait for OpenHands/extensions review on PR `#151`
 - wait for MCP.so intake handling on issue `#1559`
 - publish a Docker image
 - deploy a live hosted operator service
 
@@ -18,6 +18,12 @@ The public story is intentionally narrower than the full monorepo:
 Current public boundary: CortexPilot is a repo-backed operator control plane,
 not a hosted product, and the shipped MCP surface remains **read-only**.
 
+Current lane order is deliberate:
+
+- **Primary lane** = the read-only MCP package plus the Official MCP Registry entry
+- **Secondary lane** = the adoption-router public skill packet
+- **Companion/example lane** = local starter kits and coding-agent bundle examples, which are not the canonical public root
+
 [Quickstart](#quickstart) · [First Proven Workflow](https://xiaojiou176-open.github.io/CortexPilot-public/use-cases/) · [Compatibility Matrix](https://xiaojiou176-open.github.io/CortexPilot-public/compatibility/) · [Distribution Contract](DISTRIBUTION.md) · [Distribution Status](https://xiaojiou176-open.github.io/CortexPilot-public/distribution/) · [Docs](docs/README.md) · [Architecture](docs/architecture/runtime-topology.md) · [AI + MCP + API Surfaces](https://xiaojiou176-open.github.io/CortexPilot-public/ai-surfaces/) · [Builder Quickstart](https://xiaojiou176-open.github.io/CortexPilot-public/builders/) · [Releases](https://github.com/xiaojiou176-open/CortexPilot-public/releases)
 
 ![CortexPilot command tower showcase card](docs/assets/storefront/command-tower-showcase-card.svg)
@@ -26,13 +32,13 @@ not a hosted product, and the shipped MCP surface remains **read-only**.
 
 The shortest truthful answer today is:
 
-> CortexPilot officially ships a public repo, a public Pages front door, a repo-local read-only MCP surface, a published PyPI package, a live Official MCP Registry entry, and a live ClawHub skill. OpenHands/extensions and MCP.so submissions are filed with public receipts, while hosted service, write-capable MCP, Docker distribution, and standalone npm releases remain deferred.
+> CortexPilot officially ships a public repo, a public Pages front door, a repo-local read-only MCP surface, a published PyPI package, a live Official MCP Registry entry, and a live ClawHub skill. The adoption-router skill is the secondary public lane. Local coding-agent starters and bundle examples remain companion/example materials, not the canonical public root. OpenHands/extensions and MCP.so external receipts exist, while hosted service, write-capable MCP, Docker distribution, and standalone npm releases remain deferred.
 
 Use these buckets:
 
 - **Shipped now**: repo, Pages, proof-first docs, read-only MCP, PyPI package, Official MCP Registry entry, ClawHub skill
-- **Starter-only**: Codex / Claude Code / OpenClaw local starter kits and bundle examples
-- **Submitted externally**: `OpenHands/extensions#152` and `chatmcp/mcpso#1559` are filed and await host review
+- **Starter-only / example lane**: Codex / Claude Code / OpenClaw local starter kits and local coding-agent bundle examples
+- **Submitted externally**: `OpenHands/extensions#151` and `chatmcp/mcpso#1559` are public receipts and still await host acceptance
 - **Publish-ready but deferred**:
   `@cortexpilot/frontend-api-client`,
   `@cortexpilot/frontend-api-contract`
 
@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import "./.next-storefront-final-capture-english-prod/types/routes.d.ts";
+import "./.next/types/routes.d.ts";
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
@@ -5,6 +5,7 @@ const distDirFromEnv = process.env.NEXT_DIST_DIR?.trim();
 module.exports = {
   reactStrictMode: true,
   distDir: distDirFromEnv || undefined,
+  allowedDevOrigins: ["127.0.0.1"],
   experimental: {
     externalDir: true,
   },
 
@@ -23,7 +23,7 @@
     "diff2html": "3.4.56",
     "dompurify": "3.3.3",
     "is-wsl": "2.2.0",
-    "next": "16.2.1",
+    "next": "16.2.3",
     "playwright": "1.58.2",
     "react": "19.2.4",
     "react-dom": "19.2.4",
 
@@ -108,25 +108,33 @@ def test_dashboard_e2e_happy_path(tmp_path: Path) -> None:
                 page.get_by_test_id("task-id").wait_for(timeout=20_000)
                 assert "e2e_happy" in page.get_by_test_id("task-id").inner_text()
                 page.get_by_test_id("allowed-paths-label").wait_for(timeout=20_000)
-                page.get_by_text("1 条路径").wait_for(timeout=20_000)
-                page.get_by_text("展开路径详情").click()
+                page.get_by_text("1 path").wait_for(timeout=20_000)
+                page.get_by_text("Expand path details").click()
                 page.get_by_test_id("allowed-paths-content").wait_for(timeout=20_000)
                 assert "mock_output.txt" in page.get_by_test_id("allowed-paths-content").inner_text()
                 page.get_by_test_id("event-timeline-title").wait_for(timeout=20_000)
                 page.get_by_test_id("detail-panel-title").wait_for(timeout=20_000)
+                page.get_by_test_id("detail-panel-title").scroll_into_view_if_needed()
+                page.get_by_test_id("tab-reports").scroll_into_view_if_needed()
 
-                # allow hydration before tab switch
+                # Wait until the detail-panel state actually flips to Reports
+                # instead of assuming the first click lands after hydration.
                 page.wait_for_timeout(500)
-                for _ in range(3):
-                    page.get_by_test_id("tab-reports").click()
+                for _ in range(10):
+                    page.get_by_role("tab", name="Reports").click()
                     try:
-                        page.get_by_test_id("replay-controls-title").wait_for(timeout=2_000)
-                        page.get_by_test_id("replay-compare-button").wait_for(timeout=2_000)
+                        page.wait_for_function(
+                            """() => document.querySelector('[data-testid="run-detail-active-tab-state"]')?.textContent?.includes('Reports')""",
+                            timeout=1_000,
+                        )
                         break
                     except PlaywrightTimeoutError:
-                        page.wait_for_timeout(300)
+                        page.wait_for_timeout(500)
                 else:
-                    page.get_by_test_id("replay-controls-title").wait_for(timeout=10_000)
+                    raise AssertionError("Reports tab never became active during the run-detail e2e flow.")
+
+                page.get_by_test_id("replay-controls-title").wait_for(timeout=10_000)
+                page.get_by_test_id("replay-compare-button").wait_for(timeout=10_000)
             except Exception:  # noqa: BLE001
                 artifacts_dir.mkdir(parents=True, exist_ok=True)
                 try:
 
@@ -18,6 +18,13 @@ docs inventory. This file is the human-readable summary of that registry.
 Daily local verification lives in the root [README](../README.md). Treat this
 file as the docs inventory map, not as a second CI manual.
 
+## Public Lane Order
+
+- `pure_mcp` is the primary public machine-readable lane.
+- `public-skills/cortexpilot-adoption-router/` is the secondary public adoption lane.
+- `examples/coding-agents/` and `examples/coding-agents/plugin-bundles/` are
+  starter/example lanes only; do not treat them as the canonical public root.
+
 For CI/security/documentation truth, prefer the machine-owned surfaces and
 repo-owned gates instead of restating the same rules here: