From 34af1f2a16587e9f410bddef02cff957eb89e74c Mon Sep 17 00:00:00 2001 From: "Rodrigo Rodriguez (Pragmatismo)" Date: Thu, 26 Feb 2026 09:22:02 -0300 Subject: [PATCH] Complete agent UI workspace --- TASKS.md | 367 ------------------------------------------------------- UI.md | 196 ----------------------------- botui | 2 +- 3 files changed, 1 insertion(+), 564 deletions(-) delete mode 100644 TASKS.md delete mode 100644 UI.md diff --git a/TASKS.md b/TASKS.md deleted file mode 100644 index 8e9182f..0000000 --- a/TASKS.md +++ /dev/null 
@@ -1,367 +0,0 @@ -# General Bots Security Review & Tasks - -**Date:** 2026-02-22 -**Reviewer:** Kiro CLI Security Assessment -**Status:** IN PROGRESS - -## Executive Summary - -General Bots has a comprehensive security architecture with 46 security modules covering authentication, authorization, encryption, monitoring, and compliance. However, several critical security gaps and implementation issues require immediate attention to meet enterprise security standards. - -## Critical Security Issues (P1) - -### 1. **Incomplete Security Manager Initialization** -**Issue:** The `SecurityManager` struct exists but is not properly initialized in the main application bootstrap process. -**Location:** `botserver/src/security/mod.rs` -**Risk:** High - Missing TLS/MTLS, certificate management, and security headers enforcement. -**Action Required:** -- [ ] Integrate `SecurityManager::new()` and `initialize()` into `main_module::bootstrap.rs` -- [ ] Ensure TLS/MTLS certificates are generated and validated on startup -- [ ] Add security headers middleware to all HTTP routes - -### 2. **Passkey Module Incomplete** -**Issue:** Passkey module is commented out with TODO notes indicating incomplete implementation. -**Location:** `botserver/src/security/mod.rs` (lines 23-27) -**Risk:** Medium - Missing modern FIDO2/WebAuthn authentication support. -**Action Required:** -- [ ] Uncomment and implement passkey module -- [ ] Add database schema for passkey storage -- [ ] Implement WebAuthn registration and authentication flows -- [ ] Add passkey management UI - -### 3. **Missing Security Middleware Integration** -**Issue:** Security middleware (CSRF, rate limiting, security headers) not consistently applied. -**Location:** Route configuration files -**Risk:** High - Exposed to CSRF attacks, brute force, and missing security headers. 
-**Action Required:** -- [ ] Apply `security_headers_middleware` to all routes -- [ ] Implement `csrf_middleware` for state-changing endpoints -- [ ] Add `rate_limit_middleware` with appropriate limits -- [ ] Enable `rbac_middleware` for all protected resources - -## High Priority Issues (P2) - -### 4. **Inconsistent Error Handling** -**Issue:** 955 instances of `unwrap()`/`expect()` in production code (per README.md). -**Location:** Throughout codebase -**Risk:** Medium - Potential panics exposing internal errors. -**Action Required:** -- [ ] Replace all `unwrap()` with proper error handling -- [ ] Use `ErrorSanitizer::log_and_sanitize()` for all HTTP errors -- [ ] Implement structured error responses - -### 5. **Missing Security Monitoring Integration** -**Issue:** `SecurityMonitor` exists but not integrated with application logging. -**Location:** `botserver/src/security/security_monitoring.rs` -**Risk:** Medium - Missing real-time threat detection. -**Action Required:** -- [ ] Integrate `SecurityMonitor` with application event system -- [ ] Configure alert rules for suspicious activities -- [ ] Add security dashboard to UI - -### 6. **Incomplete DLP Implementation** -**Issue:** Data Loss Prevention module exists but needs policy configuration. -**Location:** `botserver/src/security/dlp.rs` -**Risk:** Medium - Sensitive data exposure risk. -**Action Required:** -- [ ] Configure default DLP policies for PII, PCI, PHI -- [ ] Add DLP scanning to file uploads and exports -- [ ] Implement data classification system - -## Medium Priority Issues (P3) - -### 7. **Certificate Management Gaps** -**Issue:** Certificate auto-generation but missing renewal monitoring. -**Location:** `botserver/src/security/ca.rs`, `botserver/src/security/tls.rs` -**Risk:** Medium - Certificate expiration could cause service disruption. 
-**Action Required:** -- [ ] Implement certificate expiration monitoring -- [ ] Add automatic renewal process -- [ ] Add certificate pinning for critical services - -### 8. **Missing Security Testing** -**Issue:** No dedicated security test suite. -**Risk:** Medium - Undetected security vulnerabilities. -**Action Required:** -- [ ] Create security test module in `bottest/` -- [ ] Add penetration testing scenarios -- [ ] Implement security regression tests - -### 9. **Incomplete Audit Logging** -**Issue:** Audit system exists but needs comprehensive coverage. -**Location:** `botserver/src/security/audit.rs` -**Risk:** Low-Medium - Compliance gaps. -**Action Required:** -- [ ] Ensure all security events are logged -- [ ] Add audit trail for data access and modifications -- [ ] Implement audit log retention and export - -## Implementation Tasks - -### Phase 1: Critical Security Foundation (Week 1-2) - -#### Task 1.1: Security Manager Integration -```rust -// In main_module/bootstrap.rs -async fn initialize_security() -> Result { - let security_config = SecurityConfig::default(); - let mut security_manager = SecurityManager::new(security_config)?; - security_manager.initialize()?; - Ok(security_manager) -} -``` - -#### Task 1.2: Security Middleware Setup -```rust -// In route configuration -let app = Router::new() - .route("/api/*", api_routes) - .layer(security_headers_middleware()) - .layer(csrf_middleware()) - .layer(rate_limit_middleware::create_default_rate_limit_layer()) - .layer(rbac_middleware()); -``` - -#### Task 1.3: Error Handling Cleanup -- Use `cargo clippy --workspace` to identify all `unwrap()` calls -- Create batch fix script for common patterns -- Implement `SafeCommand` for all command executions - -### Phase 2: Authentication & Authorization (Week 3-4) - -#### Task 2.1: Passkey Implementation -- Uncomment passkey module -- Add WebAuthn library dependency -- Implement registration/authentication endpoints -- Add passkey management UI - -#### Task 
2.2: MFA Enhancement -- Complete TOTP implementation -- Add backup code management -- Implement MFA enforcement policies -- Add MFA recovery flows - -#### Task 2.3: API Key Management -- Enhance `ApiKeyManager` with rotation policies -- Add key usage analytics -- Implement key expiration and revocation -- Add API key audit logging - -### Phase 3: Data Protection & Monitoring (Week 5-6) - -#### Task 3.1: DLP Policy Configuration -```rust -// Default DLP policies -let policies = vec![ - DlpPolicy::new("pii") - .with_patterns(vec![ - r"\b\d{3}-\d{2}-\d{4}\b", // SSN - r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b", // Email - ]) - .with_action(DlpAction::Redact), -]; -``` - -#### Task 3.2: Security Monitoring Integration -- Connect `SecurityMonitor` to application events -- Configure alert thresholds -- Add security dashboard -- Implement incident response workflows - -#### Task 3.3: Certificate Management -- Add certificate expiration alerts -- Implement automatic renewal -- Add certificate pinning -- Create certificate inventory - -### Phase 4: Testing & Compliance (Week 7-8) - -#### Task 4.1: Security Test Suite -```rust -// In bottest/src/security/ -mod authentication_tests; -mod authorization_tests; -mod encryption_tests; -mod injection_tests; -mod rate_limit_tests; -``` - -#### Task 4.2: Compliance Documentation -- Update security policy documentation -- Add compliance mapping (SOC2, ISO27001, GDPR) -- Create security controls matrix -- Implement evidence collection - -#### Task 4.3: Security Hardening -- Apply security headers consistently -- Implement CSP nonce generation -- Add security.txt file -- Configure security contact information - -## Security Controls Matrix - -| Control Category | Implementation Status | Module | Priority | -|-----------------|----------------------|--------|----------| -| **Authentication** | ✅ Partial | `auth`, `jwt`, `mfa` | P1 | -| **Authorization** | ✅ Good | `rbac_middleware`, `auth` | P2 | -| **Encryption** | ✅ Good | 
`encryption`, `tls` | P2 | -| **Input Validation** | ✅ Good | `validation`, `sql_guard` | P2 | -| **Error Handling** | ❌ Poor | Throughout codebase | P1 | -| **Audit Logging** | ✅ Partial | `audit` | P3 | -| **Security Monitoring** | ✅ Partial | `security_monitoring` | P2 | -| **Data Protection** | ✅ Partial | `dlp`, `secrets` | P2 | -| **Certificate Management** | ✅ Partial | `ca`, `tls` | P3 | -| **Security Headers** | ✅ Good | `headers` | P1 | -| **Rate Limiting** | ✅ Good | `rate_limiter` | P2 | -| **CSRF Protection** | ✅ Good | `csrf` | P1 | -| **File Security** | ✅ Good | `file_validation`, `path_guard` | P3 | - -## Dependencies & Tools - -### Required Security Dependencies -```toml -# Cargo.toml additions -[dependencies] -webauthn-rs = "0.4" # For passkey support -rpassword = "7.0" # For secure password input -argon2 = "0.5" # Password hashing -ring = "0.17" # Cryptography -rustls = "0.22" # TLS implementation -``` - -### Security Testing Tools -- `cargo audit` - Dependency vulnerability scanning -- `cargo-deny` - License compliance -- `cargo-geiger` - Unsafe code detection -- OWASP ZAP - Web application security testing -- `sqlmap` - SQL injection testing (for test environments) - -## Monitoring & Alerting - -### Security Metrics to Monitor -1. **Authentication Metrics** - - Failed login attempts per IP/user - - MFA enrollment/completion rates - - Session duration and renewal patterns - -2. **Authorization Metrics** - - Permission denied events - - Role assignment changes - - Resource access patterns - -3. **Data Protection Metrics** - - DLP policy violations - - Encryption key rotations - - Data access audit trails - -4. 
**System Security Metrics** - - Certificate expiration dates - - Security patch levels - - Vulnerability scan results - -### Alert Thresholds -- **Critical:** >10 failed logins/minute from single IP -- **High:** Certificate expires in <7 days -- **Medium:** DLP violation on sensitive data -- **Low:** Security header missing on endpoint - -## Compliance Requirements - -### SOC2 Type II Controls -- [ ] CC6.1 - Logical access security software, infrastructure, and architectures -- [ ] CC6.6 - Logical access to data is managed through identification and authentication -- [ ] CC6.7 - Security procedures for transmission of data -- [ ] CC6.8 - Incident management procedures - -### GDPR Requirements -- [ ] Article 32 - Security of processing -- [ ] Article 33 - Notification of personal data breach -- [ ] Article 35 - Data protection impact assessment - -### ISO 27001 Controls -- [ ] A.9 - Access control -- [ ] A.10 - Cryptography -- [ ] A.12 - Operations security -- [ ] A.13 - Communications security -- [ ] A.14 - System acquisition, development and maintenance -- [ ] A.16 - Information security incident management - -## Risk Assessment - -### High Risk Areas -1. **Missing Security Manager Integration** - Exposes all services to TLS/security header gaps -2. **Incomplete Error Handling** - Potential information disclosure through panics -3. **Lack of CSRF Protection** - Risk of cross-site request forgery attacks - -### Medium Risk Areas -1. **Incomplete Passkey Support** - Missing modern authentication method -2. **Gaps in Security Monitoring** - Delayed threat detection -3. **Certificate Management** - Risk of service disruption - -### Low Risk Areas -1. **Audit Logging Gaps** - Compliance issues but low security impact -2. 
**Security Testing** - Quality issue but not immediate vulnerability - -## Success Criteria - -### Phase 1 Complete -- [ ] SecurityManager fully integrated and initialized -- [ ] All `unwrap()` calls replaced with proper error handling -- [ ] Security headers applied to all routes -- [ ] CSRF protection enabled for state-changing endpoints - -### Phase 2 Complete -- [ ] Passkey authentication implemented -- [ ] MFA fully functional with backup codes -- [ ] API key management with rotation policies -- [ ] Rate limiting applied consistently - -### Phase 3 Complete -- [ ] DLP policies configured and active -- [ ] Security monitoring integrated with alerts -- [ ] Certificate management with auto-renewal -- [ ] Security dashboard available in UI - -### Phase 4 Complete -- [ ] Security test suite passing -- [ ] Compliance documentation updated -- [ ] Security hardening completed -- [ ] All critical vulnerabilities addressed - -## Next Steps - -### Immediate (Next 24 hours) -1. Review and prioritize tasks with development team -2. Assign owners for critical P1 issues -3. Begin SecurityManager integration - -### Short-term (Week 1) -1. Complete error handling cleanup -2. Implement security middleware -3. Start passkey module implementation - -### Medium-term (Month 1) -1. Complete all P1 and P2 issues -2. Implement security testing -3. Update compliance documentation - -### Long-term (Quarter 1) -1. Complete all security tasks -2. Conduct penetration testing -3. Achieve security certification readiness - -## References - -1. General Bots Security Policy: `botbook/src/12-auth/security-policy.md` -2. Security API Documentation: `botbook/src/10-rest/security-api.md` -3. Security Features Guide: `botbook/src/12-auth/security-features.md` -4. Security Auditing Guide: `botbook/src/19-maintenance/security-auditing.md` -5. 
SOC2 Compliance: `botbook/src/23-security/soc2-compliance.md` - -## Contact - -**Security Team:** security@pragmatismo.com.br -**Emergency Contact:** Follow incident response procedures in security policy - ---- -*This document will be updated as tasks are completed and new security requirements are identified.* diff --git a/UI.md b/UI.md deleted file mode 100644 index 0ad79b8..0000000 --- a/UI.md +++ /dev/null 
@@ -1,196 +0,0 @@ -# Web Desktop Environment Migration Plan (The "Windows" Vibe) - -## 1. Project Overview & Vision -We are migrating the entire UI suite to a Web Desktop Environment (WDE). The goal is to create a UI that feels like a modern, web-based operating system (inspired by Windows 95's spatial model but with modern Tailwind aesthetics like the `html3.html` prototype). - -**Key Principles:** -- **Vanilla JS + HTMX:** We will build a custom Window Manager in Vanilla JS (`window-manager.js`) rather than relying on outdated libraries like WinBox. HTMX will handle fetching the content *inside* the windows. -- **Desktop Metaphor:** A main workspace with shortcut icons (Vibe, Tasks, Chat, Terminal, Explorer, Editor, Browser, Mail, Settings). -- **Taskbar:** A bottom bar showing currently open applications, allowing users to switch between them, alongside a system tray and clock. -- **Dynamic Windows:** Windows must be draggable, closable, minimizable, and maintain their state. The title bar must dynamically reflect the active view. -- **App Renames:** - - `Mantis` is now **`Vibe`** - - `Terminal` added to suite default features - - `Browser` added to suite default features - - `Editor` already in suite, add to default features - - Note: Keep `Drive` as `Drive` (undo Explorer rename). - -This document provides a strictly detailed, step-by-step implementation guide so that any LLM or developer can execute it without ambiguity. - ---- - -## 2. Architecture & File Structure - -### Frontend Assets to Create: -1. `ui/desktop.html` - The main shell containing the desktop background, desktop icons, and the empty taskbar. -2. `js/window-manager.js` - The core engine. A JavaScript class responsible for DOM manipulation of windows. -3. `css/desktop.css` - Custom styles for the grid background, scrollbars, and window animations (using Tailwind as the base). 
- -### Backend (Botserver) Updates: -- **State Management:** The backend needs to track the user's open windows, their positions, and sizes if we want persistence across reloads. Otherwise, local state (localStorage) is fine for V1. -- **HTMX Endpoints:** Each app (Explorer, Vibe, Chat, etc.) must expose an endpoint that returns *only* the HTML fragment for the app's body, NOT a full HTML page. -- **Theme Manager:** Needs to be updated to support the new desktop color schemes (e.g., brand-500 greens, transparent glass effects). - ---- - -## 3. Step-by-Step Implementation Guide - -### PHASE 1: The Shell (Desktop & Taskbar) -**Goal:** Create the static HTML structure based on `html3.html`. - -**Tasks:** -1. Create the main `desktop.html`. -2. Implement the `workspace-bg` and `workspace-grid` using Tailwind and SVG. -3. Add the left-side Desktop Icons. Each icon must have a `data-app-id` and `data-app-title` attribute. - - Example: `
...
` -4. Create the Bottom Taskbar `
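Review bot: In the TASKS.md deletion, the file is removed while its header still reads `**Status:** IN PROGRESS` and every checklist entry in it is an unchecked `- [ ]`, including the P1 items for `SecurityManager` initialization and for applying the CSRF, rate-limit and security-headers middleware. The subject "Complete agent UI workspace" does not cover removing a security tracker, so either move this deletion into its own commit whose message says where the open items are now tracked, or keep the file until the P1 boxes are resolved.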
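Review bot: In the UI.md deletion, the migration plan is dropped under the subject "Complete agent UI workspace", but the diffstat's single insertion is the one-line `botui | 2 +-` pointer change, so nothing reviewable here shows that the plan's phases were implemented. State in the commit message which botui commit the pointer now references, and if requirements such as each app endpoint returning "*only* the HTML fragment for the app's body" still apply, move them into the botui documentation rather than deleting them with the plan.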