Improve OAuth bridge page with Chrome Intent URL + fallback button ...

/auth/mobile-done now tries Chrome Intent URL for automatic app
opening, and falls back to a styled button if the browser blocks
automatic navigation to custom schemes.

- Auto-redirect: intent://...#Intent;scheme=navi;package=com.navi.client;end
- Fallback UI: card with \"Open Navi App\" button after 1.5s timeout
- Works in both Chrome (auto) and DuckDuckGo (manual tap)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add Android deep-link OAuth bridge for WebView auth ...

Problem: Android WebView opens OAuth in external browser (Chrome).
After successful login, cookie stays in Chrome and WebView remains
unauthenticated because cookies are not shared between apps.

Solution: bridge page flow that avoids cookies entirely for mobile.

Backend:
- /auth/login accepts ?platform=android and ?return_to params
- /auth/callback detects android via state metadata, skips cookie,
  redirects to /auth/mobile-done?sid=<session_id>
- /auth/mobile-done renders HTML that deep-links to navi://auth/callback

Webclient:
- login() detects NaviAndroid UA and adds ?platform=android

Android:
- MainActivity: handle incoming navi:// intent in onCreate and onNewIntent,
  set cookie via CookieManager, reload WebView
- AndroidManifest: add intent-filter for navi://auth/callback and
  singleTask launchMode

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add per-user sessions and memory filters in admin panel ...

Backend:
- GET /admin/memory now accepts user_id query param to filter facts
  for a specific user instead of returning the global view.

Frontend:
- Users table now has "Sessions" and "Memory" buttons per row.
- Clicking "Sessions" switches to Sessions tab and pre-fills search
  with the user id.
- Clicking "Memory" switches to Memory tab and passes user_id to the
  API, showing only that user's facts.
- Manual tab clicks reset filters (search / userId) so the view
  returns to unfiltered state.

Docs:
- docs/api.md updated with user_id param for GET /admin/memory.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix admin memory showing 0 facts; add pagination/search/sort ...

Bug fix:
- get_all_facts(user_id=None) was filtering for user_id IS NULL only,
  so admin panel showed 0 facts when facts had user_ids set.
- Added all_users parameter to get_all_facts and fact_count.
- Admin endpoint now passes all_users=True to return all facts.

Memory pagination:
- Extended get_all_facts with offset, search, sort_by, sort_order params.
- Extended fact_count with search and all_users params.
- /admin/memory endpoint now accepts limit, offset, search, sort_by,
  sort_order and returns {total, limit, offset, items}.

Admin panel frontend:
- Added server-side search with debounce for memory facts.
- Added sortable column headers (category, key, source, confidence, updated).
- Added pagination controls (prev/next, page size selector).
- Switched memory display from grouped tables to flat sortable table.

Tests:
- Added unit tests for get_all_facts(all_users=True) and
  fact_count(all_users=True).
- All 219 tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add pagination, search, and sorting to admin sessions ...

Backend:
- Add count_all and search_list abstract methods to SessionStore
- Implement count_all and search_list in PgSessionStore (SQL with ILIKE)
- Implement count_all and search_list in InMemorySessionStore
- Update /admin/sessions to accept limit, offset, search, sort_by, sort_order
- Return {total, limit, offset, items} from /admin/sessions

Frontend:
- Add search input for sessions in admin panel
- Add clickable sortable column headers with asc/desc toggle
- Add pagination controls (prev/next, page size selector, item count)
- Debounce search input (300ms)

Tests:
- Add integration tests for pagination, offset, search, and sorting
- All 217 tests pass

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix memory system bugs: deterministic summary id, skip legacy extraction ...

- _summary.py: replace non-deterministic hash() with zlib.crc32 so
  summary id stays stable across server restarts, preventing duplicate
  summary rows.
- extractor.py: skip memory extraction for legacy sessions (user_id=None)
  — ON CONFLICT(user_id, category, key) does not catch NULL duplicates
  in PostgreSQL (NULL != NULL).
- sessions.py: _process_stale_sessions skips legacy sessions.
- _facts.py: remove dead code (user_clause/user_param variables).
- test_extractor.py: add user_id to test sessions + new test for
  legacy session skip.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Propagate user profile to LLM context via current_user_info ContextVar ...

- Extend User model: username, first_name, last_name, phone, birth_date,
  country, city, locale (all from gnexus-auth profile)
- navi_users DDL: add new profile columns
- auth/deps + auth/callback: populate new fields on upsert
- /auth/me: return all profile fields
- Add current_user_info ContextVar for full user profile propagation
- websocket + messages: set current_user_info before agent.run()
- run_ephemeral: inherit and restore current_user_info
- ContextBuilder: _user_context_msg() injects [User context] with name,
  email, location, locale, role into LLM system messages
- _security_policy_msg: reads user_id/role from ContextVar directly

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add multi-user sandbox: filesystem, terminal, code_exec, security policy ...

- filesystem, share_file: sandbox non-admin users to user_data/<user_id>/
- terminal: working_dir sandbox + allowlist + dangerous pattern block for users
- code_exec: sandbox CWD and temp files to user_data/<user_id>/ for users
- context_builder: inject dynamic security policy into LLM context (user/admin)
- config: terminal_user_allowed_commands setting
- agent: wire user_id/user_role through ContextBuilder.build()
- base: add current_user_role ContextVar; run_ephemeral inherits role

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Use configured GNAUTH_REDIRECT_URI instead of dynamic base_url ...

_get_redirect_uri was building the redirect_uri from request.base_url,
which returns the internal address when behind a reverse proxy. This
caused gnexus-auth to reject the redirect_uri as invalid.

Now _get_redirect_uri always returns settings.gnauth_redirect_uri,
so the public URL configured in .env is used consistently.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add full-screen login overlay for unauthenticated users ...

- Backend: new endpoint GET /auth/status returns {configured: bool}
- Webclient auth store: add authConfigured ref + fetchStatus()
- LoginScreen.vue: centered card with logo, title, and login button
- App.vue: show LoginScreen overlay when auth is configured but
  user is not authenticated (z-index 9999, blocks all UI)
- App.vue onMounted: fetch auth status before trying to resolve user

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add avatar display and gnexus-auth profile link ...

Backend:
- User model: add avatar_url field
- auth/deps.py: extract avatar_url from auth_user.profile (picture/avatar_url)
- auth.py /auth/me: return avatar_url + computed profile_url
- config.py: add gnauth_profile_path setting
- .env.example: document GNAUTH_PROFILE_PATH

Frontend:
- AppSidebar.vue: show user avatar (or initial fallback) next to name
- Clicking user info opens gnexus-auth profile in new tab
- Rebuild dist/

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Revert "Force login prompt in gnexus-auth OAuth flow" ...

This reverts commit f232f21.

Force login prompt in gnexus-auth OAuth flow ...

Add prompt=login to authorization URL so gnexus-auth always shows the
login form instead of silently re-authenticating via existing session.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix missing Annotated/Depends imports in auth.py and UI button class ...

- auth.py: add from typing import Annotated and from fastapi import Depends
  to fix 422 Unprocessable Content on /auth/me and /auth/logout
- AppSidebar.vue: replace btn-ghost with btn-primary for login/logout buttons

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix pydantic-settings env var name mapping for auth ...

Pydantic-settings converts snake_case field names to UPPER_CASE env vars
by removing underscores.  gnexus_auth_client_id became GNEXUS_AUTH_CLIENT_ID
but .env used GNAUTH_CLIENT_ID.  Rename all Settings fields from
 gnexus_auth_* to gnauth_* so they map correctly to GNAUTH_* env vars.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add graceful auth-not-configured guards ...

- auth_login/auth_callback return 503 when GNAUTH_CLIENT_ID/SECRET are empty
- webhooks return 503 when OAuth not configured
- _resolve_user returns None early if auth not configured, avoiding crash
  during anonymous requests when gnexus-auth is not set up

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Support dynamic redirect_uri for multi-domain OAuth ...

- get_gauth_client(redirect_uri=...) creates per-request client with
  dynamic redirect_uri while keeping shared state/PKCE stores
- auth_login/auth_callback derive redirect_uri from request.base_url
  so both localhost and server addresses work with one gnexus-auth client

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Multi-user auth via gnexus-auth OAuth + hybrid role/permission model ...

- Integrate gnexus-auth-client-py (GAuthClient) for OAuth flow, token refresh,
  and webhook parsing
- Add navi/auth/ package: User model, Fernet encryptor, client singleton,
  deps (get_current_user, require_admin, require_permission)
- New tables: navi_users, user_auth_sessions (auto-created on startup)
- Session/memory isolation by user_id with legacy NULL support
- Cookie-based auth proxy: /auth/login, /callback, /logout, /me
- Webhook receiver /webhooks/gnexus-auth handling user events, global logout,
  session revocation, role/permission changes
- Admin endpoints (/admin/*) gated by role + permissions
- Webclient auth store with isAdmin/hasPermission guards
- Admin-only profile filtering in /agents/profiles
- 200/200 tests passing

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Paginate session list loading

Disable thinking stalls for 3D subagents

Improve 3D modeling validation prompts

Improve content publishing UX

Stability fixes batch — tech debt review 2026-04-29 ...

Critical:
- Concurrent WS run race guard (#1)
- Tool task cancellation on generator teardown (#2)
- StopAsyncIteration kills fallback chain (#3)
- Session loading race with _lastLoadId guard (#4)
- ContentCard .match() crash on non-string result (#5)
- Image data type guard in buildMessageList (#6)

High:
- Cap WS replay buffer at 500 events (#7)
- Deduplicate memory extraction task with asyncio.Lock (#9)
- TTL-based fallback blacklisting (5 min) (#10)
- Subagent tool exception isolation (#11)
- Inline image size/count validation on WS (#12)
- Clean up orphaned file on DB insert failure (#13)
- Deep watch streamingMsg for auto-scroll (#14)
- WS_SCHEME wss:// support for HTTPS (#15)
- Sending guard against duplicate message sends (#16)
- Global unhandledrejection listener in API layer (#17)

Medium:
- Cap planning_logs at 20 entries (#22)
- Store cleanup_loop task reference (#23)
- BaseException → Exception in _run_with_sentinel (#24)
- Propagate SystemExit in agent loop (#25)
- Configurable output_reserve_tokens (#26)
- Always reloadSession on session_sync (#30)
- FIFO queue for confirm dialogs (#31)
- Reset body.overflow on ImageLightbox unmount (#32)
- try/finally in fallback copy (#33)
- _isConnecting guard in WS send() (#34)

Low:
- Lazy-init deps.py singletons (#36)
- Replace __import__ with direct imports (#38)
- Preserve token count 0 in ollama.py (#39)
- Clear orphaned streamingMsg on reconnect reload (#43)
- Escape single quote in UserMessage (#44)
- Polyfill-free findLast replacement (#48)
- Match <table> tags with attributes in markdown (#49)
- Attach copy buttons only when msg.done (#50)
- Fix hasMeta falsy-0 bug (#53)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Make server I/O non-blocking; update docs ...

- Wrap all heavy filesystem ops in asyncio.to_thread: filesystem tool
  (read/write/append/list/find/info/move/delete/query/smart_edit),
  image_view (read_bytes), share_file (shutil.copy2), write_tool
  (write_text, _register_user_tool), session_files (shutil.rmtree,
  iterdir), sessions upload endpoint (sync open/write → to_thread)
- Make delete_session_dir async; update its caller in sessions.py
- docs/config.md: fix wrong defaults (threshold 0.70, keep_recent 8),
  remove phantom SESSION_FILES_TTL_HOURS, add LLM timeouts, DATABASE_URL,
  PUBLIC_URL, Gmail, CONTEXT_SUMMARY_MAX_TOKENS sections
- docs/profiles.md: add missing tool_developer profile to table
- android-client: add WebView remote debugging; remove unused toolbar menu
- Remove stale helper scripts and test files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Planning debug panel, todo auto-populate, scratchpad/persona improvements ...

- Planning debug panel: new Planning tab in debug/index.html shows raw
  phase 1/2 outputs and token counts per planning run, stored in
  session.planning_logs (new column in both SQLite and PostgreSQL)
- New GET /sessions/{id}/planning API endpoint
- PlanningDebugData internal event wires _run_planning() output into
  session storage; never forwarded to WebSocket clients
- Phase 3 (plan critic) disabled — to be reworked with reflect integration
- Todo tool: auto-populated from plan steps after phase 2; model only
  needs to call update/view, not set
- Scratchpad: clarified description and persona instructions; removed
  context_transfer from user-facing docs (internal mechanism only)
- web_search: switched to ddgs package, SearXNG as primary backend,
  DDG html-only fallback; added find_up action to filesystem tool
- Persona: added SCRATCHPAD and TODO sections with clear usage rules;
  added NAVI.md project context instructions
- chat.js: fixed subagent planning event fallthrough into parent UI;
  statusLabel cleared on first stream delta

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add Prompts and Tools tabs to debug page ...

Backend:
- GET /agents/prompts — returns full built system prompt for every
  profile, broken into sections (persona / profile / profiles block)
  with char/token counts; mirrors Agent._build_system_prompt() exactly
- GET /agents/tools — now includes parameters schema alongside name
  and description

Debug page:
- Tab bar: Context / Prompts / Tools
- Prompts tab: profile sidebar + collapsible sections per prompt part
  (persona, profile prompt, profiles block), togglable tools list
- Tools tab: searchable list of all tools with description and
  parameter table (name, type, description, required marker)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Persist context token count: return from API, restore on session load ...

- GET /sessions/{id} now returns context_token_count and max_context_tokens
  (max pulled from settings.ollama_num_ctx)
- loadSession() in chat store sets contextTokens/maxContextTokens from the
  response so ContextBar shows the last known fill level immediately on load,
  not only after the first new message
- Restore v-if guard on ContextBar (hides for brand-new sessions with 0 tokens)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add session name generation via LLM ...

Backend:
- Session model gets name: str | None field
- SQLite migration: ADD COLUMN name TEXT
- PostgreSQL: ADD COLUMN IF NOT EXISTS name TEXT (applied on pool init)
- SessionStore: add set_name() abstract method, implemented in all stores
- navi/core/name_generator.py: LLM worker that reads user messages and
  returns a 3–6 word title or None if content isn't substantial yet
- POST /sessions/{id}/generate-name endpoint: fires LLM, saves and
  returns name; skips if session already named or has no user messages
- GET /sessions and GET /sessions/{id} now include name field

Client:
- api.generateSessionName(id) — calls the new endpoint
- sessions store: updateName(id, name) mutation
- chat store: after stream_end, _tryGenerateName() runs fire-and-forget;
  skips silently if session already has a name or if request fails
- SessionItem already displays session.name (falls back to id prefix)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add share_file tool and session-lifetime file storage ...

Session file directories now live until the session is deleted, not
24h TTL. Cleanup loop only removes orphaned dirs (session gone from DB).

New share_file tool: copies any file to the session directory and returns
a clickable download URL. Navi can call this after generating any file
the user will want to keep.

New GET /sessions/{id}/files/{filename} endpoint serves files with
correct Content-Disposition (inline for images/HTML/PDF, attachment
for everything else).

Added PUBLIC_URL config key for building correct download links behind
reverse proxies.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Major feature batch: visibility, planning, file uploads, streaming ...

- stream_complete(): streaming with tools for all LLM turns — thinking
  now streams as ThinkingDelta/ThinkingEnd in real-time during tool-
  selection turns, not just on the final response
- todo built-in tool: session-scoped plan manager (set/view/update/clear);
  persona + all profiles updated with mandatory planning instructions
- TurnThinking event: sub-agent thinking forwarded to parent sink as a
  collapsible block in the spawn_agent card
- File uploads: non-image files uploaded via XHR, shown as badges in
  message bubble; SVG treated as regular file (not base64 image)
- session_files: POST /sessions/{id}/files, TTL cleanup, forbidden exts
- WebSocket reconnect: _AgentRun broadcast pattern, re-attach mid-stream
- UI: favicon, sidebar logo, turn-thinking cards, subagent thinking blocks,
  token counter, draft persistence, file progress bar
- Removed AgentNote (content is always None alongside tool_calls)
- Ollama stream_complete: tool_calls captured from non-final chunk (done=False)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>