Recover Context Panel release readiness after mixed-runtime regressions

[cbusillo]

Objective

Recover Context Panel release readiness after App Store prep mixed runtime, signing, storage, provider, and UI changes into one dirty workstream. The goal is to stop circular regressions by restoring one trustworthy validation runtime, then fixing each product regression in its own scoped branch or PR.

Finish Line

Context Panel has a coherent signed dogfood/TestFlight candidate: the app, widget, and refresh agent run from the same intended bundle root; provider reads are validated from that runtime; settings/product UI is intact; snapshots do not show stale duplicate logical accounts; and remaining App Store/TestFlight issues are isolated.

Current Status

State: Active
Next action: Inventory the current runtime and dirty tree without making product fixes.
Blocked by: Mixed runtime and broad dirty working tree need triage before provider/UI changes.
Last verified: 2026-05-12 on branch fix/widget-refresh-regression

Scope

• In: Runtime hygiene, dirty-tree triage, signed Gemini access, snapshot/account dedupe, settings restoration, Claude Web decision, and TestFlight packaging/icon validation.
• Out: New provider features, widget redesign, release upload, or broad product refactors until the runtime is trustworthy again.

Acceptance Criteria

• Active app process, WidgetKit extension, and refresh agent paths are recorded and come from one intended runtime before behavior is judged.
• Dirty work is split or quarantined so each fix has one purpose.
• Settings still exposes provider setup, diagnostics, account management, widget preferences, and reset-primer controls.
• Gemini succeeds or reports a clear authorization state from the signed app or signed refresh agent, not just Terminal.
• Snapshot merge produces one logical lane per configured account and removes stale account-ID duplicates.
• Claude Web capture is either intentionally removed everywhere or restored with App Store-safe justification.
• TestFlight packaging/icon checks are validated separately from runtime/provider issues.

Relationships

Sub-issues:

• Stabilize Context Panel runtime validation #65 Stabilize Context Panel runtime validation
• Triage dirty release-prep work into focused branches #66 Triage dirty release-prep work into focused branches
• Restore Context Panel settings and account management surface #67 Restore Context Panel settings and account management surface
• Fix Gemini access from signed sandbox runtime #68 Fix Gemini access from signed sandbox runtime
• Deduplicate stale provider account IDs in snapshots #69 Deduplicate stale provider account IDs in snapshots
• Decide and enforce Claude Web capture removal or restoration #70 Decide and enforce Claude Web capture removal or restoration
• Validate TestFlight packaging and App Store icon separately #71 Validate TestFlight packaging and App Store icon separately

Related existing plans:

• Move account setup into macOS Settings #25 Move account setup into macOS Settings
• Build native setup and detail app #5 Build native setup and detail app
• Add Claude status-line setup onboarding #18 Add Claude status-line setup onboarding

Validation

Use the runtime guardrails in AGENTS.md before any provider/UI validation. Minimum evidence includes git status --short --branch, app/widget/refresh-agent paths, widget registration, refresh-agent lsof path, entitlements, bundle hash, and active storage roots.

Decisions

• GitHub issues are the durable planning surface for this recovery workstream.
• Local TODO/planning files should not be used as active recovery state.
• Terminal provider success does not prove signed app/login-item success.

Open Questions

• Should the signed refresh agent read provider OAuth files through security-scoped bookmarks, or should secrets be copied into a more App Store-compatible local store such as Keychain?
• Which exact settings UI from before the App Store prep is the restoration baseline?

[cbusillo]

State: Active
Next action: Review/merge PR #72 for runtime validation guardrails, then continue with dirty-tree cleanup (#66).
Blocked by: PR #72 CI/review for the guardrail change; broader provider/UI fixes remain blocked by dirty-tree triage.
Last verified: 2026-05-12

Update:

• Created PR Document runtime validation guardrails #72 from clean branch docs/runtime-validation-guardrails containing only the AGENTS.md runtime validation guardrails.
• Validation for PR Document runtime validation guardrails #72: npx --yes markdownlint-cli2 AGENTS.md docs/todo.md passed.

[cbusillo]

Recovery work update on 2026-05-12:

Completed:

• Stabilize Context Panel runtime validation #65 runtime inventory captured. Current state has no foreground app process; widget and refresh agent are from /Applications; installed app is signed/profiled; snapshots still show duplicate logical accounts and Gemini file-open failure.
• Triage dirty release-prep work into focused branches #66 dirty tree triage captured. The broad dirty tree is grouped into runtime guardrails, signing/package, Gemini/bookmarks, snapshot dedupe, burn forecast, settings/UI, Claude Web, Claude statusline, widget, and docs.
• PR Document runtime validation guardrails #72 opened from a clean branch with only the AGENTS.md runtime guardrail change.

Current blockers:

• PR Document runtime validation guardrails #72 has swift and Analyze Swift green, but GitHub still reports a pending aggregate CodeQL status: https://github.com/cbusillo/context-panel/runs/75610426291.
• Fix Gemini access from signed sandbox runtime #68 Gemini is blocked on credential access model decision/proof. Dirty app-scoped bookmark code should not be lifted wholesale until signed app -> signed login-item bookmark sharing is proven, or a Keychain/app-owned import model is chosen.
• Deduplicate stale provider account IDs in snapshots #69 snapshot dedupe is blocked on stable logical account identity. SnapshotStore only sees provider/accountID, and provider+displayName would violate multi-account safety.
• Restore Context Panel settings and account management surface #67 settings restoration and Decide and enforce Claude Web capture removal or restoration #70 Claude Web require product/baseline decisions before merging the dirty UI/deletion changes.

Recommended next action:
Wait for or clear the pending GitHub CodeQL status on PR #72, then merge the guardrail docs. After that, resolve the credential storage model (#68) or stable logical account identity (#69) before more provider code changes.

[cbusillo]

Merged on 2026-05-12:

• PR Document runtime validation guardrails #72 added runtime validation guardrails to AGENTS.md.
• PR Remove Claude Web capture path #74 completely removed the Claude Web capture path.
• PR Import Gemini credentials into shared Keychain store #73 added shared Keychain import/fallback for Gemini credentials.

Remaining validation for Gemini:

• Build/install a signed App Store-profiled app from updated main.
• Use Settings to import Gemini credentials into the shared Keychain group.
• Run the signed refresh agent and confirm Google limits refresh without reading ~/.gemini/oauth_creds.json directly.

Remaining design blocker:

• Deduplicate stale provider account IDs in snapshots #69 still needs stable logical account identity before safe snapshot stale-ID dedupe.