feat(core): seed product surfaces

Author: xiaojiou176

.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+{
+  "name": "cortexpilot-ci-core",
+  "dockerComposeFile": [
+    "../infra/ci/compose.yml"
+  ],
+  "service": "core",
+  "workspaceFolder": "/workspace",
+  "overrideCommand": false,
+  "shutdownAction": "stopCompose",
+  "remoteUser": "root",
+  "customizations": {
+    "vscode": {
+      "settings": {
+        "terminal.integrated.defaultProfile.linux": "bash"
+      }
+    }
+  }
+}

.dockerignore

@@ -0,0 +1,26 @@
+.git
+.github
+.claude
+.codex
+.opencode
+.runtime-cache
+.venv
+.pytest_cache
+.mypy_cache
+.ruff_cache
+.coverage
+.coverage.*
+.pnpm-store
+node_modules
+**/node_modules
+dist
+build
+cache
+.cache
+logs
+.agent
+.env
+.env.local
+.env.*
+coverage
+第三方Repo参考实现

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{py,pyi}]
+indent_style = space
+indent_size = 4
+
+[*.{js,jsx,ts,tsx,json,md,yml,yaml}]
+indent_style = space
+indent_size = 2

.env.example

@@ -0,0 +1,82 @@
+# CortexPilot local minimal template (do not commit real secrets)
+# Core ports and API auth
+CORTEXPILOT_DEV_HOST=127.0.0.1
+CORTEXPILOT_API_PORT=10000
+CORTEXPILOT_DASHBOARD_PORT=3100
+CORTEXPILOT_DESKTOP_PORT=18173
+CORTEXPILOT_API_AUTH_REQUIRED=true
+CORTEXPILOT_API_TOKEN=cortexpilot-dev-token
+
+# Frontend runtime wiring (public env for web / desktop shell token)
+NEXT_PUBLIC_CORTEXPILOT_API_BASE=http://127.0.0.1:10000
+NEXT_PUBLIC_CORTEXPILOT_API_TOKEN=cortexpilot-dev-token
+VITE_CORTEXPILOT_API_BASE=http://127.0.0.1:10000
+VITE_CORTEXPILOT_API_TOKEN=cortexpilot-dev-token
+# Optional hosted/public dashboard origins (comma-separated, no secrets)
+CORTEXPILOT_API_ALLOWED_ORIGINS=
+# Later-gated queue pilot stays default-off unless a trusted operator environment enables it.
+CORTEXPILOT_MCP_QUEUE_PILOT_ENABLE_APPLY=0
+
+# Unified LLM provider selection
+# Supported: gemini | openai | anthropic
+CORTEXPILOT_PROVIDER=gemini
+# Optional overrides (leave empty to use provider defaults)
+CORTEXPILOT_PROVIDER_BASE_URL=
+CORTEXPILOT_PROVIDER_MODEL=
+CORTEXPILOT_PROVIDER_USE_LITELLM=0
+
+# M10 SSOT alignment: prefer canonical MCP timeout keys for new config
+CORTEXPILOT_MCP_TIMEOUT_SEC=
+CORTEXPILOT_MCP_CONNECT_TIMEOUT_SEC=
+CORTEXPILOT_MCP_CLEANUP_TIMEOUT_SEC=
+# Compatibility keys are still registered; keep only for legacy/runtime compatibility
+CORTEXPILOT_MCP_SERVER_TIMEOUT_SEC=
+CORTEXPILOT_MCP_SERVER_CONNECT_TIMEOUT_SEC=
+CORTEXPILOT_MCP_SERVER_CLEANUP_TIMEOUT_SEC=
+
+# Provider credentials (fill only what you use)
+GEMINI_API_KEY=
+OPENAI_API_KEY=
+ANTHROPIC_API_KEY=
+GEMINI_BASE_URL=
+
+# Optional eval overrides
+CORTEXPILOT_EVAL_MODEL=
+CORTEXPILOT_EVAL_CONFIG=tests/evals/promptfoo/promptfooconfig.yaml
+
+# Optional governance knobs
+CORTEXPILOT_RUM_MAX_PAYLOAD_BYTES=32768
+CORTEXPILOT_CI_CANARY_DRY_RUN=0
+# Host compatibility only: set to 1 to bypass docker auto-routing for local gate diagnostics.
+CORTEXPILOT_HOST_COMPAT=0
+# Repo-authored runtime artifacts stay under .runtime-cache/. Repo-owned external caches stay under ~/.cache/cortexpilot.
+CORTEXPILOT_MACHINE_CACHE_ROOT=~/.cache/cortexpilot
+CORTEXPILOT_RETENTION_MACHINE_CACHE_CAP_BYTES=21474836480
+CORTEXPILOT_MACHINE_CACHE_AUTO_PRUNE=1
+CORTEXPILOT_MACHINE_CACHE_AUTO_PRUNE_INTERVAL_SEC=1800
+# Local development uses the repo-owned Chrome singleton rooted under ~/.cache/cortexpilot/browser/.
+# First migrate the named default-Chrome profile once, then keep manual and automation flows attached to the same CDP endpoint.
+CHROME_PATH=
+CORTEXPILOT_BROWSER_PROFILE_MODE=allow_profile
+CORTEXPILOT_BROWSER_PROFILE_DIR=~/.cache/cortexpilot/browser/chrome-user-data
+CORTEXPILOT_BROWSER_PROFILE_NAME=cortexpilot
+CORTEXPILOT_BROWSER_PROFILE_ALLOWLIST=~/.cache/cortexpilot/browser
+CORTEXPILOT_BROWSER_CDP_HOST=127.0.0.1
+CORTEXPILOT_BROWSER_CDP_PORT=9341
+
+# Optional CI diagnostics / route-evidence knobs (usually injected by workflow, not hand-authored locally)
+CORTEXPILOT_CI_PROFILE=auto
+CORTEXPILOT_CI_SLICE=full
+CORTEXPILOT_DOCKER_CI_FORCE_REBUILD=0
+CORTEXPILOT_CI_PROVENANCE_IMAGE=cortexpilot-ci-core:local
+CORTEXPILOT_CI_ROUTE_ID=
+CORTEXPILOT_CI_TRUST_CLASS=
+CORTEXPILOT_CI_RUNNER_CLASS=
+CORTEXPILOT_CI_CLOUD_BOOTSTRAP_ALLOWED=false
+CORTEXPILOT_CI_CLOUD_BOOTSTRAP_USED=false
+CORTEXPILOT_CI_CONTROL_PLANE_DOCTOR_OUT_DIR=.runtime-cache/test_output/ci_control_plane_doctor
+CORTEXPILOT_DOCTOR_REQUIRE_DOCKER=1
+CORTEXPILOT_DOCTOR_REQUIRE_SUDO=1
+CORTEXPILOT_CI_PM_CHAT_ON_PR=0
+CORTEXPILOT_UPSTREAM_RECORD_FRESH_SEC=1800
+CORTEXPILOT_UPSTREAM_VERIFICATION_TIMEOUT_SEC=180

apps/README.md

@@ -0,0 +1,11 @@
+# Apps Overview
+
+`apps/` contains the three main operator-facing surfaces of CortexPilot.
+
+- `orchestrator/`: backend execution, orchestration, evidence, replay
+- `dashboard/`: web command surface
+- `desktop/`: Tauri desktop shell with a public macOS-only support boundary;
+  Linux/BSD desktop evidence is historical/manual only
+
+Read these modules as three entry points into one system, not as unrelated
+products.

apps/dashboard/AGENTS.md

@@ -0,0 +1,15 @@
+# Dashboard AGENTS
+
+Read root `AGENTS.md` first.
+
+## Scope
+
+- Next.js routes and components
+- web API clients
+- operator-focused dashboard flows
+
+## Commands
+
+- `pnpm --dir apps/dashboard install`
+- `pnpm --dir apps/dashboard test`
+- `pnpm --dir apps/dashboard exec tsc -p tsconfig.typecheck.json --noEmit`

apps/dashboard/CLAUDE.md

@@ -0,0 +1,3 @@
+# Dashboard CLAUDE
+
+Read `AGENTS.md` in this directory and the root `CLAUDE.md` first.

apps/dashboard/README.md

@@ -0,0 +1,170 @@
+# Dashboard Module
+
+## Positioning
+
+This module is the repository's **web operator surface**.
+
+Read it as:
+
+- the browser-based control surface for runs, sessions, reviews, and command
+  visibility
+- a way to inspect and operate CortexPilot Command Tower orchestration truth from the web
+- a repo-owned UI for evaluating control-plane behavior
+
+Do **not** read it as:
+
+- a polished customer-facing SaaS product
+- a standalone web application with its own independent product roadmap
+- evidence that every workflow here is already broad-market ready
+
+## Module Responsibility
+
+- Provide run, workflow, session, and review visualization for CortexPilot Command Tower
+  orchestration output.
+- Surface operator-facing status, artifacts, and control points for the web.
+- Surface intake preview, approval summaries, and run diagnostics as
+  operator-readable decision objects rather than raw payloads alone.
+
+## Why This Module Exists
+
+If `apps/orchestrator/` is the machine room, `apps/dashboard/` is the glass
+window operators use to see what the machine room is doing. Its job is
+visibility and control, not pretending the whole repository is already a
+finished consumer product.
+
+## Input / Output
+
+- Input: API responses from the orchestrator backend.
+- Output: operational UI views for runs, events, contracts, reports, and
+  command surfaces.
+
+## High-value operator surfaces
+
+- PM workspace: registry-driven task-pack selection plus `execution_plan_report`
+  preview before execution starts.
+- Agents: the first-screen role catalog now also hosts a repo-owned role
+  configuration desk for previewing and saving future compiled defaults
+  (`system_prompt_ref`, bundle refs, and role-level runtime binding) while
+  `task_contract` remains the only execution authority.
+- Workflow views: workflow-case summaries derived from run manifests and PM
+  session bindings, now with queue/SLA read surfaces and a read-only
+  `Workflow read model` card sourced from `workflow_case_read_model`.
+- Dashboard `Run Detail` and `Workflow Case detail` now resolve page-level
+  title/subtitle/degraded-state copy from the shared locale substrate via the
+  UI locale cookie, so the high-value detail routes stay aligned with the
+  English-first / `zh-CN` operator contract instead of drifting through
+  page-local literals.
+- Run Detail: incident packs, approval summaries, replay compare reports, and a
+  read-only role-binding summary in the existing `Status & Contract` card, so
+  bundle/runtime posture is visible on the main run surface without creating a
+  second execution-authority switch.
+- Contracts and Run Detail now also surface the derived runtime capability
+  posture (`lane`, `compat_api_mode`, `provider_status`, `tool_execution`) so
+  operators can read chat-style compatibility vs fail-closed tool execution
+  without overstating the current runtime boundary.
+- The staged UI-audit/dashboard-build path now depends on
+  `apps/dashboard/lib/types.ts` explicitly re-exporting task-pack/runtime
+  helper values and on `scripts/install_dashboard_deps.sh` recreating its
+  runtime log directory before each install attempt, so smoke failures track
+  product regressions instead of staging drift.
+- Builder/public discovery: the home builder section now surfaces direct
+  `Read-only MCP quickstart` and `API and contract quickstart` entry cards so
+  operators can jump from the web control surface into the truthful public
+  onboarding ladder before diving into package-level docs.
+- Home discovery now compresses the old ecosystem / integrations / AI surfaces /
+  builder sprawl into one adoption-path section so the dashboard front door
+  behaves more like a router than a wall of repeated summaries.
+- That same adoption layer now treats `/compatibility/` as the primary routing
+  decision card, swaps the redundant compatibility action button for a lighter
+  `/use-cases/` proof-first CTA, and keeps `/integrations/`, `/skills/`,
+  `/mcp/`, `/api/`, and `/builders/` as the deeper branches once the job is
+  clear.
+- The dashboard public-docs resolver still treats `/integrations/`,
+  `/skills/`, and `/compatibility/` as first-class public docs routes so
+  public-docs base overrides do not strand those CTA links on app-local paths.
+- The same public-home polish keeps the explicit `Open use-case guide` side
+  door routed through the public-docs resolver, so the proof-first walkthrough
+  stays visible without turning the dashboard back into a second full routing
+  matrix.
+- The contract-facing builder card now points to the repo-owned
+  `packages/frontend-api-contract/docs/README.md` guide instead of only the raw
+  generated `.d.ts` surface, so builders get a human-readable package entrypoint
+  before opening the generated types.
+- The home surface and PM workspace now also carry small `zh-CN` screen-reader
+  onboarding lists plus the clearer `Back to bottom` chat action wording, so
+  the first-step contract stays discoverable in localized assistive flows
+  without changing the visible English-first operator copy.
+- PM intake/chat regressions should keep the `Back to bottom` wording and the
+  localized onboarding note aligned with this README in the same patch, so the
+  dashboard doc-drift gate tracks the same visible operator-language contract
+  that the PM intake tests now assert.
+
+## Strongest Signals
+
+- operator-first web workflows
+- command visibility over product marketing polish
+- alignment with the repository's three truth layers
+
+## Key Config
+
+- API base and frontend fetch layer are defined in `apps/dashboard/lib/api.ts`.
+- Runtime defaults and startup commands are coordinated from the repo root
+  quickstart in `README.md`.
+- Dashboard dependency hotfixes should keep the root `package.json` overrides,
+  root `pnpm-lock.yaml`, and `apps/dashboard/pnpm-lock.yaml` aligned so
+  dashboard-only transitive patches do not drift from the workspace baseline.
+- `apps/dashboard/pnpm-lock.yaml` is a maintained dashboard-specific lockfile;
+  keep transitive security patch updates in the same change set when dashboard
+  dependency metadata changes.
+- The optional `depcheck` package is intentionally absent from the default
+  dashboard dependency set; the dead-code gate already skips when the probe is
+  unavailable, so leaving it out avoids carrying an otherwise unnecessary
+  `brace-expansion` advisory path in the maintained lock surface.
+- Dashboard dependency lock refreshes are repo-owned: when transitive package
+  fixes land here, keep `apps/dashboard/pnpm-lock.yaml` aligned with the root
+  `package.json` / `pnpm-lock.yaml` change set.
+- Current transitive hardening includes the `yaml` override used through
+  `cosmiconfig@7.1.0`; keep the dashboard lockfile and the root override in
+  sync so the dashboard does not drift onto an older parser patch level.
+- Current lock maintenance also pins patched `picomatch` / `brace-expansion`
+  transitive paths through the repo-owned override set so GitHub security
+  receipts and the dashboard lockfile stay aligned.
+- Current security-only lock maintenance also pins `lodash-es@4.18.1` through
+  both the root workspace and `apps/dashboard` override surfaces so the
+  tracked `lighthouse@13.0.3` transitive chain does not fall back to the
+  vulnerable `lodash-es@4.17.23` path on either maintained lockfile.
+- When a dashboard security-only lock refresh lands, keep this module README in
+  the same change set so doc-drift gates can trace the maintenance decision to
+  the dashboard surface that actually owns the lockfile.
+
+## Common Troubleshooting
+
+- Dependencies missing: `pnpm --dir apps/dashboard install`
+- Test failure: `pnpm --dir apps/dashboard test`
+- Typecheck: `pnpm --dir apps/dashboard exec tsc -p tsconfig.typecheck.json --noEmit`
+
+## Quality Gate
+
+- Coverage gate (stage-1): >= 85%
+- Command Tower regression tests now treat the English-first labels, drawer
+  names, and quick-action copy as the canonical operator contract; update the
+  dashboard tests in the same patch whenever those public-facing labels move.
+- Search page regression tests should wait for the terminal promote-status copy
+  instead of the first rendered status node because the UI intentionally passes
+  through `Promoting evidence...` before it settles on success or failure.
+- The current CI unblock patch also keeps the PM and RunDetail regression suite
+  aligned with the English-first operator surface, including Command Tower
+  session copy, PM composer controls, and RunDetail tab/status wording.
+- Workflow Case detail now also renders the latest linked run's
+  `workflow_case_read_model` for operator inspection, but that card remains a
+  read-only mirror below `task_contract` execution authority.
+- Run Detail now mirrors `role_binding_read_model` inside the existing
+  `Status & Contract` card, and that note keeps `task_contract` explicit as the
+  only execution authority.
+- Agents now also uses a registry-backed read-only role catalog on the first
+  screen, so operators can inspect skills/MCP/runtime posture before drilling
+  into individual agent seats or scheduler backlog.
+- Contracts now acts as a bundle/runtime inspector: each card keeps the task
+  contract envelope visible while projecting the derived bundle/runtime summary
+  as read-only operator context rather than a control surface; role-default
+  edits belong on `Agents`, not on the contract inspector.