[pull] main from tinyhumansai:main

.dockerignore

@@ -38,5 +38,7 @@ Thumbs.db
 tests/
 scripts/
 # Re-include the Docker entrypoint for the core image (Dockerfile COPYs it).
-# The negation must come after the broad exclusion above to take effect.
+# Re-include the parent directory first so older Docker pattern matchers that
+# prune excluded directories still see the leaf exception below.
+!scripts/
 !scripts/docker-entrypoint-core.sh

.env.example

@@ -41,10 +41,20 @@ JWT_TOKEN=
 # [optional] Default: 127.0.0.1 (use 0.0.0.0 for Docker / cloud).
 # Leave unset to keep the default; the Docker image sets 0.0.0.0 automatically.
 # OPENHUMAN_CORE_HOST=
+# [optional] Extra CORS origins (comma-separated) allowed to reach the
+# JSON-RPC server. The Tauri webview and loopback hosts are always allowed.
+# For Docker / cloud deployments where the server binds to 0.0.0.0, add the
+# canonical frontend origin(s) here to prevent cross-origin abuse from
+# arbitrary sites (e.g. OPENHUMAN_CORE_ALLOWED_ORIGINS=https://app.example.com).
+# OPENHUMAN_CORE_ALLOWED_ORIGINS=
 # [optional] Default: 7788
 OPENHUMAN_CORE_PORT=7788
 # [optional] Default: http://127.0.0.1:7788/rpc
 OPENHUMAN_CORE_RPC_URL=http://127.0.0.1:7788/rpc
+# [optional] Comma-separated browser origins allowed to call /rpc with the
+# Authorization bearer. Tauri and loopback Vite origins are allowed by default.
+# Set this when serving a private web UI preview from a non-loopback origin.
+# OPENHUMAN_CORE_ALLOWED_ORIGINS=https://openhuman-ui.example.com
 # Core RPC bearer token. Single source of truth for /rpc auth.
 #  - Tauri desktop: set automatically by the shell — leave blank.
 #  - Docker / cloud / VPS: REQUIRED. Generate with `openssl rand -hex 32`.
@@ -72,6 +82,10 @@ OPENHUMAN_MODEL=
 OPENHUMAN_WORKSPACE=
 # [optional] Default: 0.7
 OPENHUMAN_TEMPERATURE=0.7
+# [optional] Language for background LLM artifacts such as memory-tree summaries,
+# entity-extraction reasons, and learning reflections. Accepts UI locale tags
+# such as zh-CN or a language name. Leave unset for default behavior.
+# OPENHUMAN_OUTPUT_LANGUAGE=zh-CN
 # [optional] Skill + agent tool execution timeout in seconds (default 120, max 3600)
 # OPENHUMAN_TOOL_TIMEOUT_SECS=
 # [optional] Headless update restart contract: self_replace | supervisor
@@ -167,6 +181,9 @@ OLLAMA_BIN=
 # ---------------------------------------------------------------------------
 # [optional] Bot username for managed Telegram DM linking (default: openhuman_bot)
 OPENHUMAN_TELEGRAM_BOT_USERNAME=openhuman_bot
+# [optional] Override Telegram Bot API base URL (defaults to https://api.telegram.org).
+# Used by E2E tests to redirect Telegram API calls to the mock server.
+# OPENHUMAN_TELEGRAM_API_BASE=http://127.0.0.1:18473
 
 # ---------------------------------------------------------------------------
 # Wallet RPC overrides

.gitattributes

@@ -0,0 +1,6 @@
+*.sh text eol=lf
+*.bash text eol=lf
+Dockerfile text eol=lf
+.dockerignore text eol=lf
+docker-compose*.yml text eol=lf
+*.ps1 text eol=crlf

.github/workflows/android-compile.yml

@@ -0,0 +1,64 @@
+---
+name: Android Compile Sanity
+
+on:
+  pull_request:
+    paths:
+      - 'app/src-tauri-mobile/**'
+      - 'packages/tauri-plugin-ptt/**'
+      - 'src/openhuman/devices/**'
+      - 'app/src/services/transport/**'
+      - 'app/src/lib/tunnel/**'
+      - 'app/src/pages/ios/**'
+      - '.github/workflows/android-compile.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  android-compile:
+    name: Android Compile Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          # Mobile crate uses stock Tauri (no CEF) — no submodules needed.
+          submodules: false
+
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: '1.93.0'
+          targets: aarch64-linux-android
+
+      - name: Cache Rust build artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: |
+            app/src-tauri-mobile -> target
+            packages/tauri-plugin-ptt -> target
+          cache-on-failure: true
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      # Hard gate: mobile Tauri host compiles for Android.
+      - name: cargo check -- mobile host (aarch64-linux-android)
+        run: cargo check --manifest-path app/src-tauri-mobile/Cargo.toml --target aarch64-linux-android

.github/workflows/deploy-smoke.yml

@@ -6,7 +6,9 @@ on:
     paths:
       - Dockerfile
       - .dockerignore
+      - .gitattributes
       - docker-compose.yml
+      - scripts/docker-entrypoint-core.sh
       - .do/app.yaml
       - gitbooks/developing/cloud-deploy.md
       - .github/workflows/deploy-smoke.yml
@@ -18,7 +20,9 @@ on:
     paths:
       - Dockerfile
       - .dockerignore
+      - .gitattributes
       - docker-compose.yml
+      - scripts/docker-entrypoint-core.sh
       - .do/app.yaml
       - gitbooks/developing/cloud-deploy.md
       - .github/workflows/deploy-smoke.yml

.github/workflows/e2e-reusable.yml

@@ -150,16 +150,37 @@ jobs:
 
       - name: Run E2E (full suite)
         if: ${{ inputs.full }}
+        env:
+          E2E_BAIL_ON_FAILURE: ${{ vars.E2E_BAIL_ON_FAILURE || '' }}
         run: |
+          BAIL_FLAG=""
+          if [[ "${E2E_BAIL_ON_FAILURE:-}" == "1" ]]; then
+            BAIL_FLAG="--bail"
+          fi
           xvfb-run -a --server-args="-screen 0 1280x960x24" \
-            bash app/scripts/e2e-run-session.sh
-
-      # Artifact uploads intentionally omitted — this reusable workflow
-      # is invoked from release-staging.yml and release-production.yml,
-      # and uploaded logs can carry mock-backend payloads, env-var
-      # echoes, and CDP transcripts that we don't want pinned to a
-      # release artifact. Local repro: rerun the spec via Docker and
-      # the same logs land in /tmp.
+            bash app/scripts/e2e-run-all-flows.sh --skip-preflight $BAIL_FLAG
+
+      - name: Upload E2E failure artifacts
+        if: failure()
+        uses: actions/upload-artifact@v5
+        with:
+          name: e2e-failure-logs-${{ runner.os }}-${{ github.run_id }}
+          path: |
+            /tmp/openhuman-e2e-app-*.log
+            app/test/e2e/artifacts/
+          retention-days: 7
+          if-no-files-found: ignore
+
+      - name: Write job summary
+        if: always()
+        run: |
+          echo "## E2E Results (${{ runner.os }})" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -f /tmp/e2e-summary.txt ]; then
+            cat /tmp/e2e-summary.txt >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No summary file found." >> $GITHUB_STEP_SUMMARY
+          fi
 
   # Rust-side E2E counterpart to the Tauri runs above. Same Linux-only
   # scope (CI does not run this on macOS or Windows — the Rust core is

.github/workflows/ios-compile.yml

@@ -0,0 +1,93 @@
+---
+name: iOS Compile Sanity
+
+on:
+  pull_request:
+    paths:
+      - 'app/src-tauri-mobile/**'
+      - 'packages/tauri-plugin-ptt/**'
+      - 'src/openhuman/devices/**'
+      - 'app/src/services/transport/**'
+      - 'app/src/lib/tunnel/**'
+      - 'app/src/pages/ios/**'
+      - '.github/workflows/ios-compile.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ios-compile:
+    name: iOS Compile Check
+    runs-on: macos-latest
+    env:
+      # Pin the deployment target so swift-rs invokes the Swift compiler with
+      # `-target arm64-apple-ios16.0`. Matches Package.swift in
+      # packages/tauri-plugin-ptt/ios/, which uses iOS 14+ APIs (OSLog).
+      IPHONEOS_DEPLOYMENT_TARGET: '16.0'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          # The mobile crate uses stock Tauri (no CEF), so we don't need
+          # `submodules: recursive` — which would try to clone the
+          # `app/src-tauri/vendor/tauri-cef` submodule, a step that
+          # intermittently fails on macOS runners for fork PRs.
+          submodules: false
+
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: '1.93.0'
+          targets: aarch64-apple-ios
+
+      - name: Cache Rust build artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: |
+            . -> target
+            app/src-tauri-mobile -> target
+            packages/tauri-plugin-ptt -> target
+          cache-on-failure: true
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      # Hard gate: mobile Tauri host compiles for iOS. No more soft-gate
+      # `continue-on-error` — the mobile crate uses stock Tauri without CEF
+      # so cef-dll-sys is not in the dependency graph.
+      - name: cargo check -- mobile host (aarch64-apple-ios)
+        run: cargo check --manifest-path app/src-tauri-mobile/Cargo.toml --target aarch64-apple-ios
+
+      # Hard gate: PTT plugin (host-target check; Swift sources are built
+      # lazily by swift-rs during the iOS-target check above).
+      - name: cargo check -- tauri-plugin-ptt
+        run: cargo check --manifest-path packages/tauri-plugin-ptt/Cargo.toml
+
+      # Hard gate: TypeScript compile.
+      - name: pnpm compile
+        run: pnpm --dir app compile
+
+      # Hard gate: iOS-relevant Vitest suites.
+      - name: pnpm test (iOS suites)
+        run: >
+          pnpm --dir app test --
+          src/services/transport
+          src/lib/tunnel
+          src/pages/ios
+          src/components/settings/panels/devices

.gitignore

@@ -8,6 +8,9 @@ remove_dupe_nonsense_issues
 # Diagnostic harness output (scripts/diagnose-cef-runtime.mjs)
 diagnosis-*.json
 
+# Dev-mode keyring file backend (plain-text secrets, dev artifact only)
+dev-keychain.json
+
 # Logs
 logs
 *.log

AGENTS.md

@@ -525,6 +525,7 @@ Follow this order so behavior is **specified**, **proven in Rust**, **proven ove
 - **Pre-merge checks** (when touching code): Prettier, ESLint, `tsc --noEmit` in `app/`; `cargo fmt` + `cargo check` for changed Rust (`Cargo.toml` at root and/or `app/src-tauri/Cargo.toml` as appropriate).
 - **No dynamic imports** in production **`app/src`** code — use **static** `import` / `import type` at the top of the module. Do **not** use `import()` (async dynamic import), `React.lazy(() => import(...))`, or `await import('…')` to load app modules, Tauri APIs, or RPC clients. **Why:** predictable chunk graph, simpler static analysis, fewer surprises in Tauri + Vite, and easier code review. **If a module must not run at load time** (e.g. heavy optional path), use a static import and **guard the call site** with `try/catch` or an explicit runtime check instead of deferring module load via dynamic import. **Exceptions:** Vitest harness patterns (`vi.importActual`, dynamic imports **only** inside `*.test.ts` / `__tests__` / `test/setup.ts` when required by the runner); ambient `typeof import('…')` in `.d.ts`; config files (e.g. `tailwind.config.js` JSDoc).- **Type-only imports**: `import type` where appropriate.
 - **Dual socket / tool sync**: If you change realtime protocol, keep **frontend** (`socketService` / MCP transport) and **core** socket behavior aligned (see [`gitbooks/developing/architecture.md`](gitbooks/developing/architecture.md) dual-socket section).
+- **i18n for all UI text**: Every user-visible string in `app/src/**` (headings, labels, button text, placeholders, status chips, toasts, dialog copy, `aria-label`, etc.) must go through `useT()` from `app/src/lib/i18n/I18nContext`. Hard-coded literals in JSX or `label=`/`placeholder=`/`aria-label=` props are not allowed. Add the new key to [`app/src/lib/i18n/en.ts`](app/src/lib/i18n/en.ts) in the same PR — other locales fall back to English. **Exceptions:** developer-only debug logs, code identifiers, and non-display data (URLs, slugs, technical sentinel values).
 
 ---
 

CLAUDE.md

@@ -31,6 +31,27 @@ Commands assume the **repo root**; `pnpm dev` delegates to the `app` workspace.
 
 ---
 
+## iOS client (experimental)
+
+The iOS client is an **in-progress, non-shipping** target in this repo. It does not ship a Rust core on-device; instead it connects to the desktop core via one of three transports selected by a `ConnectionProfile`.
+
+**Transport strategies** (see `app/src/services/transport/`):
+- `LanHttpTransport` — direct HTTP to the desktop core on the same LAN.
+- `TunnelTransport` — socket.io relay through the backend; E2E encrypted with XChaCha20-Poly1305 over X25519 key agreement.
+- `CloudHttpTransport` — fallback via the cloud backend API.
+
+**Key paths:**
+- PTT plugin: `packages/tauri-plugin-ptt/` (Swift + Rust, iOS-only).
+- iOS screens: `app/src/pages/ios/` and `app/src/components/ios/`.
+- Devices domain (Rust): `src/openhuman/devices/`.
+- Tunnel crypto (TS): `app/src/lib/tunnel/`.
+- iOS build entry: `pnpm tauri:ios:dev` — uses stock `@tauri-apps/cli@^2` via `npx`, **not** the vendored CEF CLI.
+- Setup guide: `docs/ios/SETUP.md`.
+
+**Backend dependency:** `tinyhumansai/backend#709` (tunnel socket.io contract) must be merged and deployed for end-to-end pairing to work.
+
+---
+
 ## Commands (from repo root)
 
 ```bash
@@ -300,6 +321,7 @@ Specify → prove in Rust → prove over RPC → surface in the UI → test.
 - **Pre-merge** (code changes): Prettier, ESLint, `tsc --noEmit` in `app/`; `cargo fmt` + `cargo check` for changed Rust.
 - **No dynamic imports** in production `app/src` code — static `import` / `import type` only. No `import()`, `React.lazy(() => import(...))`, `await import(...)`. For heavy optional paths, use a static import and guard the call site with `try/catch` or a runtime check. *Exceptions*: Vitest harness patterns in `*.test.ts` / `__tests__` / `test/setup.ts`; ambient `typeof import('…')` in `.d.ts`; config files (e.g. `tailwind.config.js` JSDoc).
 - **Dual socket sync**: when changing the realtime protocol, keep `socketService` / MCP transport aligned with core socket behavior (see `gitbooks/developing/architecture.md` dual-socket section).
+- **i18n for all UI text**: every user-visible string in `app/src/**` (headings, labels, button text, placeholders, status chips, toasts, error messages, dialog copy) must go through `useT()` from `app/src/lib/i18n/I18nContext`. Hard-coded literals in JSX or `label=`/`placeholder=`/`aria-label=` props are not allowed. Add the key to [`app/src/lib/i18n/en.ts`](app/src/lib/i18n/en.ts) in the same PR — other locales fall back to English. Exceptions: developer-only debug logs, code identifiers, and non-display data (URLs, slugs, technical sentinel values).
 
 ---