diff --git a/SECURITY_CHECKLIST.md b/SECURITY_CHECKLIST.md new file mode 100644 index 0000000..fa4e64d --- /dev/null +++ b/SECURITY_CHECKLIST.md 
@@ -0,0 +1,156 @@ +# General Bots Security Checklist + +## Critical (P1) - Must Fix Immediately + +### Authentication & Authorization +- [ ] **SecurityManager Integration** - Initialize in bootstrap +- [ ] **CSRF Protection** - Enable for all state-changing endpoints +- [ ] **Error Handling** - Replace all `unwrap()`/`expect()` calls +- [ ] **Security Headers** - Apply to all HTTP routes + +### Data Protection +- [ ] **TLS/MTLS** - Ensure certificates are generated and validated +- [ ] **SafeCommand Usage** - Replace all `Command::new()` calls +- [ ] **Error Sanitization** - Use `ErrorSanitizer` for all HTTP errors + +## High Priority (P2) - Fix Within 2 Weeks + +### Authentication +- [ ] **Passkey Support** - Complete WebAuthn implementation +- [ ] **MFA Enhancement** - Add backup codes and recovery flows +- [ ] **API Key Management** - Implement rotation and expiration + +### Monitoring & Detection +- [ ] **Security Monitoring** - Integrate `SecurityMonitor` with app events +- [ ] **DLP Policies** - Configure default policies for PII/PCI/PHI +- [ ] **Rate Limiting** - Apply consistent limits across all endpoints + +## Medium Priority (P3) - Fix Within 1 Month + +### Infrastructure +- [ ] **Certificate Management** - Add expiration monitoring and auto-renewal +- [ ] **Audit Logging** - Ensure comprehensive coverage +- [ ] **Security Testing** - Create dedicated test suite + +### Compliance +- [ ] **Security Documentation** - Update policies and procedures +- [ ] **Compliance Mapping** - Map controls to SOC2/GDPR/ISO27001 +- [ ] **Evidence Collection** - Implement automated evidence gathering + +## Quick Wins (Can be done today) + +### Code Quality +- [ ] Run `cargo clippy --workspace` and fix all warnings +- [ ] Use `cargo audit` to check for vulnerable dependencies +- [ ] Replace 10 `unwrap()` calls with proper error handling + +### Configuration +- [ ] Check `.env` files for hardcoded secrets (move to `/tmp/`) +- [ ] Verify `botserver-stack/conf/` permissions +- 
[ ] Review `Cargo.toml` for unnecessary dependencies + +### Testing +- [ ] Test authentication flows with invalid credentials +- [ ] Verify CSRF tokens are required for POST/PUT/DELETE +- [ ] Check security headers on main endpoints + +## Daily Security Tasks + +### Morning Check +- [ ] Review `botserver.log` for security events +- [ ] Check `cargo audit` for new vulnerabilities +- [ ] Monitor failed login attempts +- [ ] Verify certificate expiration dates + +### Ongoing Monitoring +- [ ] Watch for unusual access patterns +- [ ] Monitor DLP policy violations +- [ ] Track security metric trends +- [ ] Review audit logs for anomalies + +### Weekly Tasks +- [ ] Run full security scan with protection tools +- [ ] Review and rotate any expiring credentials +- [ ] Update security dependencies +- [ ] Backup security configurations + +## Emergency Response + +### If you suspect a breach: +1. **Isolate** - Disconnect affected systems +2. **Preserve** - Don't delete logs or evidence +3. **Document** - Record all actions and observations +4. **Escalate** - Contact security team immediately +5. **Contain** - Implement temporary security measures +6. **Investigate** - Determine scope and impact +7. **Remediate** - Fix vulnerabilities and restore services +8. 
**Learn** - Update procedures to prevent recurrence + +## Security Tools Commands + +### Dependency Scanning +```bash +cargo audit +cargo deny check +cargo geiger +``` + +### Code Analysis +```bash +cargo clippy --workspace -- -D warnings +cargo fmt --check +``` + +### Security Testing +```bash +# Run security tests +cargo test -p bottest --test security + +# Check for unsafe code +cargo geiger --forbid + +# Audit dependencies +cargo audit --deny warnings +``` + +### Protection Tools +```bash +# Security scanning +curl -X POST http://localhost:9000/api/security/protection/scan + +# Get security report +curl http://localhost:9000/api/security/protection/report + +# Check tool status +curl http://localhost:9000/api/security/protection/status +``` + +## Common Security Issues to Watch For + +### 1. Hardcoded Secrets +**Bad:** `password = "secret123"` in code +**Good:** `password = env::var("DB_PASSWORD")?` from `/tmp/` + +### 2. Unsafe Command Execution +**Bad:** `Command::new("rm").arg("-rf").arg(user_input)` +**Good:** `SafeCommand::new("rm")?.arg("-rf")?.arg(sanitized_input)?` + +### 3. Missing Input Validation +**Bad:** `format!("SELECT * FROM {}", user_table)` +**Good:** `validate_table_name(&user_table)?; format!("SELECT * FROM {}", safe_table)` + +### 4. Information Disclosure +**Bad:** `Json(json!({ "error": e.to_string() }))` +**Good:** `let sanitized = log_and_sanitize(&e, "context", None); (StatusCode::INTERNAL_SERVER_ERROR, sanitized)` + +## Security Contact Information + +**Primary Contact:** security@pragmatismo.com.br +**Backup Contact:** Check `security.txt` at `/.well-known/security.txt` + +**Emergency Response:** Follow procedures in `botbook/src/12-auth/security-policy.md` + +--- +*Last Updated: 2026-02-22* +*Review Frequency: Weekly* +*Next Review: 2026-03-01* diff --git a/TASKS.md b/TASKS.md new file mode 100644 index 0000000..8e9182f --- /dev/null +++ b/TASKS.md 
@@ -0,0 +1,367 @@ +# General Bots Security Review & Tasks + +**Date:** 2026-02-22 +**Reviewer:** Kiro CLI Security Assessment +**Status:** IN PROGRESS + +## Executive Summary + +General Bots has a comprehensive security architecture with 46 security modules covering authentication, authorization, encryption, monitoring, and compliance. However, several critical security gaps and implementation issues require immediate attention to meet enterprise security standards. + +## Critical Security Issues (P1) + +### 1. **Incomplete Security Manager Initialization** +**Issue:** The `SecurityManager` struct exists but is not properly initialized in the main application bootstrap process. +**Location:** `botserver/src/security/mod.rs` +**Risk:** High - Missing TLS/MTLS, certificate management, and security headers enforcement. +**Action Required:** +- [ ] Integrate `SecurityManager::new()` and `initialize()` into `main_module::bootstrap.rs` +- [ ] Ensure TLS/MTLS certificates are generated and validated on startup +- [ ] Add security headers middleware to all HTTP routes + +### 2. **Passkey Module Incomplete** +**Issue:** Passkey module is commented out with TODO notes indicating incomplete implementation. +**Location:** `botserver/src/security/mod.rs` (lines 23-27) +**Risk:** Medium - Missing modern FIDO2/WebAuthn authentication support. +**Action Required:** +- [ ] Uncomment and implement passkey module +- [ ] Add database schema for passkey storage +- [ ] Implement WebAuthn registration and authentication flows +- [ ] Add passkey management UI + +### 3. **Missing Security Middleware Integration** +**Issue:** Security middleware (CSRF, rate limiting, security headers) not consistently applied. +**Location:** Route configuration files +**Risk:** High - Exposed to CSRF attacks, brute force, and missing security headers. 
+**Action Required:** +- [ ] Apply `security_headers_middleware` to all routes +- [ ] Implement `csrf_middleware` for state-changing endpoints +- [ ] Add `rate_limit_middleware` with appropriate limits +- [ ] Enable `rbac_middleware` for all protected resources + +## High Priority Issues (P2) + +### 4. **Inconsistent Error Handling** +**Issue:** 955 instances of `unwrap()`/`expect()` in production code (per README.md). +**Location:** Throughout codebase +**Risk:** Medium - Potential panics exposing internal errors. +**Action Required:** +- [ ] Replace all `unwrap()` with proper error handling +- [ ] Use `ErrorSanitizer::log_and_sanitize()` for all HTTP errors +- [ ] Implement structured error responses + +### 5. **Missing Security Monitoring Integration** +**Issue:** `SecurityMonitor` exists but not integrated with application logging. +**Location:** `botserver/src/security/security_monitoring.rs` +**Risk:** Medium - Missing real-time threat detection. +**Action Required:** +- [ ] Integrate `SecurityMonitor` with application event system +- [ ] Configure alert rules for suspicious activities +- [ ] Add security dashboard to UI + +### 6. **Incomplete DLP Implementation** +**Issue:** Data Loss Prevention module exists but needs policy configuration. +**Location:** `botserver/src/security/dlp.rs` +**Risk:** Medium - Sensitive data exposure risk. +**Action Required:** +- [ ] Configure default DLP policies for PII, PCI, PHI +- [ ] Add DLP scanning to file uploads and exports +- [ ] Implement data classification system + +## Medium Priority Issues (P3) + +### 7. **Certificate Management Gaps** +**Issue:** Certificate auto-generation but missing renewal monitoring. +**Location:** `botserver/src/security/ca.rs`, `botserver/src/security/tls.rs` +**Risk:** Medium - Certificate expiration could cause service disruption. 
+**Action Required:** +- [ ] Implement certificate expiration monitoring +- [ ] Add automatic renewal process +- [ ] Add certificate pinning for critical services + +### 8. **Missing Security Testing** +**Issue:** No dedicated security test suite. +**Risk:** Medium - Undetected security vulnerabilities. +**Action Required:** +- [ ] Create security test module in `bottest/` +- [ ] Add penetration testing scenarios +- [ ] Implement security regression tests + +### 9. **Incomplete Audit Logging** +**Issue:** Audit system exists but needs comprehensive coverage. +**Location:** `botserver/src/security/audit.rs` +**Risk:** Low-Medium - Compliance gaps. +**Action Required:** +- [ ] Ensure all security events are logged +- [ ] Add audit trail for data access and modifications +- [ ] Implement audit log retention and export + +## Implementation Tasks + +### Phase 1: Critical Security Foundation (Week 1-2) + +#### Task 1.1: Security Manager Integration +```rust +// In main_module/bootstrap.rs +async fn initialize_security() -> Result { + let security_config = SecurityConfig::default(); + let mut security_manager = SecurityManager::new(security_config)?; + security_manager.initialize()?; + Ok(security_manager) +} +``` + +#### Task 1.2: Security Middleware Setup +```rust +// In route configuration +let app = Router::new() + .route("/api/*", api_routes) + .layer(security_headers_middleware()) + .layer(csrf_middleware()) + .layer(rate_limit_middleware::create_default_rate_limit_layer()) + .layer(rbac_middleware()); +``` + +#### Task 1.3: Error Handling Cleanup +- Use `cargo clippy --workspace` to identify all `unwrap()` calls +- Create batch fix script for common patterns +- Implement `SafeCommand` for all command executions + +### Phase 2: Authentication & Authorization (Week 3-4) + +#### Task 2.1: Passkey Implementation +- Uncomment passkey module +- Add WebAuthn library dependency +- Implement registration/authentication endpoints +- Add passkey management UI + +#### Task 
2.2: MFA Enhancement +- Complete TOTP implementation +- Add backup code management +- Implement MFA enforcement policies +- Add MFA recovery flows + +#### Task 2.3: API Key Management +- Enhance `ApiKeyManager` with rotation policies +- Add key usage analytics +- Implement key expiration and revocation +- Add API key audit logging + +### Phase 3: Data Protection & Monitoring (Week 5-6) + +#### Task 3.1: DLP Policy Configuration +```rust +// Default DLP policies +let policies = vec![ + DlpPolicy::new("pii") + .with_patterns(vec![ + r"\b\d{3}-\d{2}-\d{4}\b", // SSN + r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b", // Email + ]) + .with_action(DlpAction::Redact), +]; +``` + +#### Task 3.2: Security Monitoring Integration +- Connect `SecurityMonitor` to application events +- Configure alert thresholds +- Add security dashboard +- Implement incident response workflows + +#### Task 3.3: Certificate Management +- Add certificate expiration alerts +- Implement automatic renewal +- Add certificate pinning +- Create certificate inventory + +### Phase 4: Testing & Compliance (Week 7-8) + +#### Task 4.1: Security Test Suite +```rust +// In bottest/src/security/ +mod authentication_tests; +mod authorization_tests; +mod encryption_tests; +mod injection_tests; +mod rate_limit_tests; +``` + +#### Task 4.2: Compliance Documentation +- Update security policy documentation +- Add compliance mapping (SOC2, ISO27001, GDPR) +- Create security controls matrix +- Implement evidence collection + +#### Task 4.3: Security Hardening +- Apply security headers consistently +- Implement CSP nonce generation +- Add security.txt file +- Configure security contact information + +## Security Controls Matrix + +| Control Category | Implementation Status | Module | Priority | +|-----------------|----------------------|--------|----------| +| **Authentication** | ✅ Partial | `auth`, `jwt`, `mfa` | P1 | +| **Authorization** | ✅ Good | `rbac_middleware`, `auth` | P2 | +| **Encryption** | ✅ Good | 
`encryption`, `tls` | P2 | +| **Input Validation** | ✅ Good | `validation`, `sql_guard` | P2 | +| **Error Handling** | ❌ Poor | Throughout codebase | P1 | +| **Audit Logging** | ✅ Partial | `audit` | P3 | +| **Security Monitoring** | ✅ Partial | `security_monitoring` | P2 | +| **Data Protection** | ✅ Partial | `dlp`, `secrets` | P2 | +| **Certificate Management** | ✅ Partial | `ca`, `tls` | P3 | +| **Security Headers** | ✅ Good | `headers` | P1 | +| **Rate Limiting** | ✅ Good | `rate_limiter` | P2 | +| **CSRF Protection** | ✅ Good | `csrf` | P1 | +| **File Security** | ✅ Good | `file_validation`, `path_guard` | P3 | + +## Dependencies & Tools + +### Required Security Dependencies +```toml +# Cargo.toml additions +[dependencies] +webauthn-rs = "0.4" # For passkey support +rpassword = "7.0" # For secure password input +argon2 = "0.5" # Password hashing +ring = "0.17" # Cryptography +rustls = "0.22" # TLS implementation +``` + +### Security Testing Tools +- `cargo audit` - Dependency vulnerability scanning +- `cargo-deny` - License compliance +- `cargo-geiger` - Unsafe code detection +- OWASP ZAP - Web application security testing +- `sqlmap` - SQL injection testing (for test environments) + +## Monitoring & Alerting + +### Security Metrics to Monitor +1. **Authentication Metrics** + - Failed login attempts per IP/user + - MFA enrollment/completion rates + - Session duration and renewal patterns + +2. **Authorization Metrics** + - Permission denied events + - Role assignment changes + - Resource access patterns + +3. **Data Protection Metrics** + - DLP policy violations + - Encryption key rotations + - Data access audit trails + +4. 
**System Security Metrics** + - Certificate expiration dates + - Security patch levels + - Vulnerability scan results + +### Alert Thresholds +- **Critical:** >10 failed logins/minute from single IP +- **High:** Certificate expires in <7 days +- **Medium:** DLP violation on sensitive data +- **Low:** Security header missing on endpoint + +## Compliance Requirements + +### SOC2 Type II Controls +- [ ] CC6.1 - Logical access security software, infrastructure, and architectures +- [ ] CC6.6 - Logical access to data is managed through identification and authentication +- [ ] CC6.7 - Security procedures for transmission of data +- [ ] CC6.8 - Incident management procedures + +### GDPR Requirements +- [ ] Article 32 - Security of processing +- [ ] Article 33 - Notification of personal data breach +- [ ] Article 35 - Data protection impact assessment + +### ISO 27001 Controls +- [ ] A.9 - Access control +- [ ] A.10 - Cryptography +- [ ] A.12 - Operations security +- [ ] A.13 - Communications security +- [ ] A.14 - System acquisition, development and maintenance +- [ ] A.16 - Information security incident management + +## Risk Assessment + +### High Risk Areas +1. **Missing Security Manager Integration** - Exposes all services to TLS/security header gaps +2. **Incomplete Error Handling** - Potential information disclosure through panics +3. **Lack of CSRF Protection** - Risk of cross-site request forgery attacks + +### Medium Risk Areas +1. **Incomplete Passkey Support** - Missing modern authentication method +2. **Gaps in Security Monitoring** - Delayed threat detection +3. **Certificate Management** - Risk of service disruption + +### Low Risk Areas +1. **Audit Logging Gaps** - Compliance issues but low security impact +2. 
**Security Testing** - Quality issue but not immediate vulnerability + +## Success Criteria + +### Phase 1 Complete +- [ ] SecurityManager fully integrated and initialized +- [ ] All `unwrap()` calls replaced with proper error handling +- [ ] Security headers applied to all routes +- [ ] CSRF protection enabled for state-changing endpoints + +### Phase 2 Complete +- [ ] Passkey authentication implemented +- [ ] MFA fully functional with backup codes +- [ ] API key management with rotation policies +- [ ] Rate limiting applied consistently + +### Phase 3 Complete +- [ ] DLP policies configured and active +- [ ] Security monitoring integrated with alerts +- [ ] Certificate management with auto-renewal +- [ ] Security dashboard available in UI + +### Phase 4 Complete +- [ ] Security test suite passing +- [ ] Compliance documentation updated +- [ ] Security hardening completed +- [ ] All critical vulnerabilities addressed + +## Next Steps + +### Immediate (Next 24 hours) +1. Review and prioritize tasks with development team +2. Assign owners for critical P1 issues +3. Begin SecurityManager integration + +### Short-term (Week 1) +1. Complete error handling cleanup +2. Implement security middleware +3. Start passkey module implementation + +### Medium-term (Month 1) +1. Complete all P1 and P2 issues +2. Implement security testing +3. Update compliance documentation + +### Long-term (Quarter 1) +1. Complete all security tasks +2. Conduct penetration testing +3. Achieve security certification readiness + +## References + +1. General Bots Security Policy: `botbook/src/12-auth/security-policy.md` +2. Security API Documentation: `botbook/src/10-rest/security-api.md` +3. Security Features Guide: `botbook/src/12-auth/security-features.md` +4. Security Auditing Guide: `botbook/src/19-maintenance/security-auditing.md` +5. 
SOC2 Compliance: `botbook/src/23-security/soc2-compliance.md` + +## Contact + +**Security Team:** security@pragmatismo.com.br +**Emergency Contact:** Follow incident response procedures in security policy + +--- +*This document will be updated as tasks are completed and new security requirements are identified.* diff --git a/UI.md b/UI.md new file mode 100644 index 0000000..3254904 --- /dev/null +++ b/UI.md 
@@ -0,0 +1,196 @@ +# Web Desktop Environment Migration Plan (The "Windows" Vibe) + +## 1. Project Overview & Vision +We are migrating the entire UI suite to a Web Desktop Environment (WDE). The goal is to create a UI that feels like a modern, web-based operating system (inspired by Windows 95's spatial model but with modern Tailwind aesthetics like the `html3.html` prototype). + +**Key Principles:** +- **Vanilla JS + HTMX:** We will build a custom Window Manager in Vanilla JS (`window-manager.js`) rather than relying on outdated libraries like WinBox. HTMX will handle fetching the content *inside* the windows. +- **Desktop Metaphor:** A main workspace with shortcut icons (Vibe, Tasks, Chat, Terminal, Explorer, Editor, Browser, Mail, Settings). +- **Taskbar:** A bottom bar showing currently open applications, allowing users to switch between them, alongside a system tray and clock. +- **Dynamic Windows:** Windows must be draggable, closable, minimizable, and maintain their state. The title bar must dynamically reflect the active view. +- **App Renames:** + - `Mantis` is now **`Vibe`** + - `Terminal` added to suite default features + - `Browser` added to suite default features + - `Editor` already in suite, add to default features + - Note: Keep `Drive` as `Drive` (undo Explorer rename). + +This document provides a strictly detailed, step-by-step implementation guide so that any LLM or developer can execute it without ambiguity. + +--- + +## 2. Architecture & File Structure + +### Frontend Assets to Create: +1. `ui/desktop.html` - The main shell containing the desktop background, desktop icons, and the empty taskbar. +2. `js/window-manager.js` - The core engine. A JavaScript class responsible for DOM manipulation of windows. +3. `css/desktop.css` - Custom styles for the grid background, scrollbars, and window animations (using Tailwind as the base). 
+ +### Backend (Botserver) Updates: +- **State Management:** The backend needs to track the user's open windows, their positions, and sizes if we want persistence across reloads. Otherwise, local state (localStorage) is fine for V1. +- **HTMX Endpoints:** Each app (Explorer, Vibe, Chat, etc.) must expose an endpoint that returns *only* the HTML fragment for the app's body, NOT a full HTML page. +- **Theme Manager:** Needs to be updated to support the new desktop color schemes (e.g., brand-500 greens, transparent glass effects). + +--- + +## 3. Step-by-Step Implementation Guide + +### PHASE 1: The Shell (Desktop & Taskbar) +**Goal:** Create the static HTML structure based on `html3.html`. + +**Tasks:** +1. Create the main `desktop.html`. +2. Implement the `workspace-bg` and `workspace-grid` using Tailwind and SVG. +3. Add the left-side Desktop Icons. Each icon must have a `data-app-id` and `data-app-title` attribute. + - Example: `
...
` +4. Create the Bottom Taskbar `
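Review bot: `/tmp/` is the wrong place to send people for secrets, and SECURITY_CHECKLIST.md does it twice: the Quick Wins item "Check `.env` files for hardcoded secrets (move to `/tmp/`)" and the "Good" line under "1. Hardcoded Secrets", which reads `env::var("DB_PASSWORD")?` "from `/tmp/`". `/tmp` is normally a shared, world-writable directory that may be cleared on reboot, so the item works against its own goal. Name the project's secret store or a directory readable only by the service account, and drop "from `/tmp/`" from the example, since `env::var` reads the process environment rather than a file. Under "3. Missing Input Validation", the "Good" line validates `user_table` but then formats `safe_table`, which is never defined; have the validator return the value that gets interpolated.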
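Review bot: The email pattern in the Task 3.1 DLP example in TASKS.md ends in `[A-Z|a-z]{2,}`, and inside a character class `|` is a literal pipe rather than alternation, so the policy would accept `|` in the top-level domain; use `[A-Za-z]{2,}`. The Security Controls Matrix rates CSRF Protection and Security Headers as "✅ Good", while issue 3 says CSRF, rate limiting and security headers are not consistently applied and the Risk Assessment lists "Lack of CSRF Protection" as high risk. The status column should separate "module exists" from "applied to routes" so that it agrees with the findings. In Task 1.2, state the intended execution order of the four `.layer(...)` calls, because the order in which stacked layers run decides whether rate limiting is applied before or after the RBAC check.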
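Review bot: The App Renames list in UI.md says to keep `Drive` as `Drive` and undo the Explorer rename, but the Desktop Metaphor bullet and the HTMX Endpoints bullet both still list Explorer, so the plan does not say which name the icon and the endpoint should use. Pick one and use it throughout, given that the document promises execution "without ambiguity". Since window titles come from `data-app-title` and window bodies are server-returned HTML fragments, the plan should also state that `window-manager.js` writes titles as text rather than markup, and that the fragment endpoints sit behind the same authentication and CSRF middleware that TASKS.md requires for the other routes.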