chore: update botserver submodule

chore: update submodule references
update submodules
2026-03-10 21:18:19 -03:00 · 2026-03-10 19:39:35 -03:00 · 2026-03-10 17:19:59 -03:00 · 2026-03-10 15:26:24 -03:00 · 2026-03-10 15:15:46 -03:00 · 2026-03-10 12:36:01 -03:00
53 changed files with 19814 additions and 814 deletions
--- a/.bashrc
+++ b/.bashrc
@ -0,0 +1 @@
+export NGROK_AUTHTOKEN=2f3uA0WXL3aDxjABuSWpYTWjjh5_2pqnDyrc7CU4o92UzocEt
--- a/.env.example
+++ b/.env.example
@ -0,0 +1,8 @@
+# General Bots Environment Configuration
+# Copy this file to .env and fill in values
+# NEVER commit .env to version control
+
+# Vault connection
+VAULT_ADDR=https://127.0.0.1:8200
+VAULT_TOKEN=<your-vault-token-here>
+VAULT_CACERT=./botserver-stack/vault/certs/ca.crt
--- a/.forgejo/workflows/botserver.yaml
+++ b/.forgejo/workflows/botserver.yaml
@ -0,0 +1,106 @@
+name: BotServer CI
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+env:
+  CARGO_BUILD_JOBS: 4
+  CARGO_NET_RETRY: 10
+
+jobs:
+  build:
+    runs-on: gbo
+
+    steps:
+      - name: Disable SSL verification
+        run: git config --global http.sslVerify false
+
+      - name: Checkout BotServer Code
+        uses: actions/checkout@v4
+        with:
+          path: botserver
+
+      - name: Setup Workspace
+        run: |
+          git clone --depth 1 --branch main https://alm.pragmatismo.com.br/GeneralBots/gb.git workspace
+          cd workspace
+          git submodule update --init --depth 1 botlib
+          git submodule update --init --depth 1 botui
+          
+          # Remove all members except botserver and botlib from workspace
+          sed -i '/"botapp",/d' Cargo.toml
+          sed -i '/"botdevice",/d' Cargo.toml
+          sed -i '/"bottest",/d' Cargo.toml
+          sed -i '/"botui",/d' Cargo.toml
+          sed -i '/"botbook",/d' Cargo.toml
+          sed -i '/"botmodels",/d' Cargo.toml
+          sed -i '/"botplugin",/d' Cargo.toml
+          sed -i '/"bottemplates",/d' Cargo.toml
+          
+          cd ..
+          rm -rf workspace/botserver
+          mv botserver workspace/botserver
+
+      - name: Cache Busting
+        run: |
+          TS=$(date +%s)
+          cd workspace/botui/ui/suite/chat
+          mv chat.css chat.$TS.css
+          mv chat.js chat.$TS.js
+          sed -i "s/chat.css/chat.$TS.css/g" chat.html
+          sed -i "s/chat.js/chat.$TS.js/g" chat.html
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libpq-dev libssl-dev liblzma-dev pkg-config
+
+      - name: Install Rust
+        run: |
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+      - name: Install sccache
+        run: |
+          wget https://github.com/mozilla/sccache/releases/download/v0.8.2/sccache-v0.8.2-x86_64-unknown-linux-musl.tar.gz
+          tar xzf sccache-v0.8.2-x86_64-unknown-linux-musl.tar.gz
+          mv sccache-v0.8.2-x86_64-unknown-linux-musl/sccache $HOME/.cargo/bin/sccache
+          chmod +x $HOME/.cargo/bin/sccache
+          echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+          $HOME/.cargo/bin/sccache --start-server || true
+
+      - name: Setup environment
+        run: sudo cp /opt/gbo/bin/system/.env . 2>/dev/null || true
+
+      - name: Build BotServer
+        working-directory: workspace
+        run: |
+          cargo build -p botserver -j 8 2>&1 | tee /tmp/build.log
+          ls -lh target/debug/botserver
+          sccache --show-stats || true
+
+      - name: Save build log
+        if: always()
+        run: |
+          sudo mkdir -p /opt/gbo/logs
+          sudo cp /tmp/build.log /opt/gbo/logs/botserver-$(date +%Y%m%d-%H%M%S).log || true
+
+      - name: Deploy
+        working-directory: workspace
+        run: |
+          lxc exec bot:pragmatismo-system -- systemctl stop system || true
+          
+          # Deploy Binary
+          sudo cp target/debug/botserver /opt/gbo/bin/system/
+          sudo chmod +x /opt/gbo/bin/system/botserver
+          
+          # Deploy UI Assets (botui)
+          sudo mkdir -p /opt/gbo/bin/system/botui/ui
+          sudo cp -r botui/ui/suite /opt/gbo/bin/system/botui/ui/
+          sudo cp -r botui/ui/themes /opt/gbo/bin/system/botui/ui/ || true
+          
+          lxc exec bot:pragmatismo-system -- systemctl start system || true
+          
--- a/.gemini/tasks/multiagent-task-ui-plan.md
+++ b/.gemini/tasks/multiagent-task-ui-plan.md
@ -0,0 +1,931 @@
+# Multi-Agent Task Management UI — Implementation Plan
+
+> **Unifying `auto_task`, `tasks`, `designer` → Draggable Multi-Agent Windows**
+
+---
+
+## 1. High-Level Vision (from Screenshots)
+
+The user wants a **desktop-like environment** with these elements:
+
+### Layout Components
+
+```
+┌──────┬──────────────────────────────────────────────────────┐
+│      │  [Tasks ⚙ 👤]  ← Top Left Mini Bar (fixed)         │
+│ SIDE │                                                      │
+│ BAR  │  ┌─────────────────────┐ ┌────────────────────────┐ │
+│      │  │ PRIMARY WINDOW      │ │ SECONDARY WINDOW       │ │
+│ (far │  │ "Tasks"             │ │ "Agents & Workspaces"  │ │
+│ left)│  │ Tabs:               │ │ (can be minimized)     │ │
+│      │  │ - // DASHBOARD      │ │                        │ │
+│ /chat│  │ - // TASK #N        │ │ Agent cards, quota     │ │
+│/drive│  │                     │ │ monitors, workspace    │ │
+│ etc. │  │ PLAN|BUILD|REVIEW|  │ │ assignment             │ │
+│      │  │ DEPLOY|MONITOR tabs │ │                        │ │
+│      │  │                     │ │                        │ │
+│      │  │ Draggable task cards│ │                        │ │
+│      │  │ with sub-tasks,     │ │                        │ │
+│      │  │ logs, output, chat  │ │                        │ │
+│      │  └─────────────────────┘ └────────────────────────┘ │
+│      │                                                      │
+│      │  ┌───────────────────────────────────────────────┐  │
+│      │  │ // Chat  (shared chat at bottom)              │  │
+│      │  │ TIP: Describe your project...                 │  │
+│      │  └───────────────────────────────────────────────┘  │
+│      ├──────────────────────────────────────────────────────┤
+│      │  [Taskbar: open windows]       [Clock] [Date]       │
+└──────┴──────────────────────────────────────────────────────┘
+```
+
+### Key Rules from User Request
+
+1. **Sidebar** → Far left (already exists in `desktop.html`, keep it)
+2. **Top-left mini bar** → Fixed bar with "Tasks" label, ⚙ Settings icon, 👤 Account icon. **Remove Mantis logo**.
+3. **Where it reads "Mantis" → read "Tasks"** (generic rename throughout)
+4. **Primary Window: "Tasks"** → Two tabs:
+   - **// DASHBOARD** — Overview with Task #N agent card, DNA info, tokens, activity
+   - **// TASK #N** (project view) — PLAN | BUILD | REVIEW | DEPLOY | MONITOR pipeline tabs, with draggable task cards showing sub-tasks, logs, output
+5. **Secondary Window: "Agents & Workspaces"** → Shows agent roster, quota monitors, workspace assignments. Can be minimized.
+6. **Chat panel** → Shared at bottom of task view, project-scoped
+7. **All windows** → Draggable, resizable, use existing `WindowManager`
+8. **VibCode integration** → Multi-draggable agents like the designer canvas
+
+---
+
+## 2. Codebase Inventory & Current State
+
+### Frontend (botui/ui/suite)
+
+| File/Dir | Purpose | Lines | Status |
+|----------|---------|-------|--------|
+| `desktop.html` | Main desktop shell, sidebar, tabs, workspace | 281 | ✅ Keep as shell |
+| `js/window-manager.js` | Window open/close/drag/minimize/maximize | 296 | 🔧 Extend |
+| `tasks/tasks.html` | Current task list + detail panel | 318 | 🔄 Refactor into new primary window |
+| `tasks/tasks.js` | Task JS (3297 lines) | 3297 | 🔄 Refactor (heavy) |
+| `tasks/tasks.css` | Task styles (70k+) | ~2400 | 🔄 Refactor/extend |
+| `tasks/autotask.html` | AutoTask standalone UI | 484 | 🔄 Merge into primary window |
+| `tasks/autotask.js` | AutoTask JS (2201 lines) | 2201 | 🔄 Merge |
+| `tasks/autotask.css` | AutoTask styles | ~1200 | 🔄 Merge |
+| `tasks/progress-panel.html` | Floating progress panel | 133 | 🔄 Keep as sub-component |
+| `tasks/progress-panel.js` | Progress panel JS | ~550 | ✅ Keep |
+| `tasks/intents.html` | Intents listing | ~400 | 🔄 Merge |
+| `designer.html` | Visual .bas designer (node canvas) | 2718 | 📎 Reference for drag patterns |
+| `designer.js` | Designer JS (nodes, connections, drag) | 921 | 📎 Reference for drag |
+| `designer.css` | Designer styles | 500 | 📎 Reference |
+| `partials/tasks.html` | Alternative tasks partial | 318 | 🔄 Will be replaced by new entry |
+
+### Backend (botserver/src)
+
+| File/Dir | Purpose | Lines | Status |
+|----------|---------|-------|--------|
+| `auto_task/autotask_api.rs` | AutoTask CRUD + execution API | 2302 | ✅ Keep (API stable) |
+| `auto_task/task_types.rs` | AutoTask data types | 423 | ✅ Keep |
+| `auto_task/task_manifest.rs` | Manifest tracking (progress tree) | 977 | ✅ Keep |
+| `auto_task/app_generator.rs` | App generation from LLM | 3587 | ✅ Keep |
+| `auto_task/intent_classifier.rs` | Intent classification | 1200+ | ✅ Keep |
+| `auto_task/intent_compiler.rs` | Intent → plan compilation | 900+ | ✅ Keep |
+| `auto_task/mod.rs` | Routes + WebSocket handlers | 293 | 🔧 Add new agent/workspace endpoints |
+| `tasks/task_api/handlers.rs` | Task CRUD handlers | 393 | 🔧 Extend with agent-aware responses |
+| `tasks/task_api/html_renderers.rs` | HTML card rendering | 700+ | 🔧 Update HTML to new design |
+| `tasks/types.rs` | Task data types | 223 | 🔧 Add agent fields |
+| `tasks/scheduler.rs` | Task scheduler (cron etc.) | 503 | ✅ Keep |
+| `designer/workflow_canvas.rs` | Workflow design types | 421 | 📎 Reference |
+| `designer/designer_api/` | Designer API handlers | ~200 | 📎 Reference |
+
+---
+
+## 3. Implementation Phases
+
+### Phase 0: Terminology Rename (Mantis → Tasks/Agent)
+
+**Scope**: All UI references
+**Effort**: ~30 min
+
+| What | Where | Change |
+|------|-------|--------|
+| "Mantis #1" | All HTML templates | → "Agent #1" |
+| "MANTIS MANAGER" | Task cards | → "AGENT MANAGER" |
+| Mantis logo/icon | Top bar, cards | → Remove, use ⚡ or 🤖 icon |
+| "mantis" CSS classes | tasks CSS | → Rename to `agent-*` |
+| Variable names | tasks.js, autotask.js | → `agent*` where needed |
+
+**Files to modify**:
+- `botui/ui/suite/tasks/tasks.html` — template references
+- `botui/ui/suite/tasks/tasks.js` — variable names
+- `botui/ui/suite/tasks/tasks.css` — class names
+- `botui/ui/suite/tasks/autotask.html` — template references
+- `botui/ui/suite/tasks/autotask.js` — variable names
+- `botserver/src/tasks/task_api/html_renderers.rs` — server-rendered HTML
+
+---
+
+### Phase 1: Top-Left Mini Bar (Fixed)
+
+**Scope**: New component added to `desktop.html`
+**Effort**: ~45 min
+
+Create a fixed top-left panel (anchored above sidebar) matching screenshot:
+
+```
+┌──────────────────────┐
+│  Tasks    ⚙️    👤   │
+└──────────────────────┘
+```
+
+#### 1.1 New file: `botui/ui/suite/partials/minibar.html`
+
+```html
+<div class="gb-minibar" id="gb-minibar">
+    <span class="minibar-title">Tasks</span>
+    <div class="minibar-actions">
+        <button class="minibar-btn" id="btn-open-settings" 
+                title="Settings" onclick="openSettingsWindow()">
+            <!-- SVG gear icon -->
+        </button>
+        <button class="minibar-btn" id="btn-open-account" 
+                title="Account" onclick="openAccountWindow()">
+            <!-- SVG user icon -->
+        </button>
+    </div>
+</div>
+```
+
+#### 1.2 CSS additions in `desktop.html <style>` or new `css/minibar.css`
+
+```css
+.gb-minibar {
+    position: fixed;
+    top: 0;
+    left: 51px; /* right of sidebar */
+    height: 34px;
+    display: flex;
+    align-items: center;
+    padding: 0 12px;
+    gap: 8px;
+    background: var(--bg-secondary);
+    border-bottom: 1px solid var(--border-color);
+    z-index: 200;
+    font-family: 'Fira Code', monospace;
+    font-size: 13px;
+    font-weight: 600;
+}
+.minibar-title { color: var(--text); }
+.minibar-actions { display: flex; gap: 6px; }
+.minibar-btn {
+    width: 28px; height: 28px;
+    border: none; background: transparent;
+    cursor: pointer; border-radius: 6px;
+    display: flex; align-items: center; justify-content: center;
+    transition: background 0.15s;
+}
+.minibar-btn:hover { background: var(--bg-hover); }
+.minibar-btn svg { width: 16px; height: 16px; stroke: var(--text-secondary); }
+```
+
+#### 1.3 Integration in `desktop.html`
+
+- Add minibar HTML after sidebar, before main-wrapper
+- Adjust `.main-wrapper` top padding to account for minibar height
+
+---
+
+### Phase 2: Primary Window — "Tasks" (Dashboard + Project Tabs)
+
+**Scope**: Major refactor of `tasks/` directory
+**Effort**: ~4-6 hours
+
+This is the central window. It unifies the old `tasks.html` and `autotask.html` into one coherent window with two tab modes:
+
+#### 2.1 New file: `botui/ui/suite/tasks/task-window.html`
+
+Main entry point loaded by `WindowManager.open('tasks', 'Tasks', html)`.
+
+Structure:
+
+```html
+<link rel="stylesheet" href="/suite/tasks/task-window.css" />
+
+<div class="task-window" id="task-window">
+    <!-- Tab Bar: DASHBOARD | TASK #N -->
+    <div class="task-window-tabs" id="task-window-tabs">
+        <button class="tw-tab active" data-tab="dashboard"
+                onclick="switchTaskTab('dashboard')">
+            // DASHBOARD
+        </button>
+        <!-- Dynamic task tabs appear here -->
+    </div>
+
+    <!-- Tab Content -->
+    <div class="task-window-content" id="task-window-content">
+        <!-- Dashboard tab (default) -->
+        <div class="tw-panel active" id="tw-panel-dashboard">
+            <!-- Agent overview cards, stats, recent activity -->
+        </div>
+    </div>
+</div>
+
+<script src="/suite/tasks/task-window.js"></script>
+```
+
+#### 2.2 Dashboard Tab Content (`tw-panel-dashboard`)
+
+Based on "Agent #1" screenshot:
+
+```html
+<div class="tw-dashboard">
+    <!-- Overview section -->
+    <section class="agent-overview">
+        <div class="agent-card">
+            <div class="agent-header">
+                <span class="agent-icon">⚡</span>
+                <h2 class="agent-name">Agent #1</h2>
+                <button class="agent-edit-btn">✏️</button>
+            </div>
+            <div class="agent-meta">
+                <div class="meta-row">
+                    <span class="meta-label">Status</span>
+                    <span class="meta-value status-active">● Active</span>
+                </div>
+                <div class="meta-row">
+                    <span class="meta-label">DNA</span>
+                    <span class="meta-value">
+                        <a href="#" class="meta-link">Manage Subscription</a>
+                    </span>
+                </div>
+                <div class="meta-stats">
+                    <div class="stat-item">
+                        <span class="stat-label">Renewal</span>
+                        <span class="stat-value" id="agent-renewal">—</span>
+                    </div>
+                    <div class="stat-item">
+                        <span class="stat-label">Created</span>
+                        <span class="stat-value" id="agent-created">—</span>
+                    </div>
+                    <div class="stat-item">
+                        <span class="stat-label">Tokens Used</span>
+                        <span class="stat-value" id="agent-tokens">—</span>
+                    </div>
+                    <div class="stat-item">
+                        <span class="stat-label">Tasks Completed</span>
+                        <span class="stat-value" id="agent-tasks-done">—</span>
+                    </div>
+                </div>
+            </div>
+        </div>
+        <!-- Action buttons -->
+        <div class="agent-actions">
+            <button class="action-btn" onclick="parkAgent()">// PARK</button>
+            <button class="action-btn" onclick="cloneAgent()">// CLONE</button>
+            <button class="action-btn" onclick="exportAgent()">// EXPORT</button>
+            <button class="action-btn disabled">// DELETE</button>
+        </div>
+    </section>
+
+    <!-- Assigned Job section -->
+    <section class="assigned-job" id="assigned-job">
+        <h3>Assigned Job</h3>
+        <div class="job-card" hx-get="/api/ui/tasks/current-job"
+             hx-trigger="load" hx-swap="innerHTML">
+            <!-- Loaded dynamically -->
+        </div>
+    </section>
+
+    <!-- Recent Activity -->
+    <section class="recent-activity" id="recent-activity">
+        <h3>Recent Activity</h3>
+        <div class="activity-list" hx-get="/api/ui/tasks/activity"
+             hx-trigger="load, every 15s" hx-swap="innerHTML">
+            <!-- Activity items loaded dynamically -->
+        </div>
+    </section>
+</div>
+```
+
+#### 2.3 Project Tab Content (Opens when clicking "Open Project")
+
+Based on the multi-agent task cards screenshot with PLAN|BUILD|REVIEW|DEPLOY|MONITOR:
+
+```html
+<div class="tw-project" id="tw-project-{project_id}">
+    <!-- Top breadcrumb -->
+    <div class="project-breadcrumb">
+        <span>// DASHBOARD</span> <span>></span>
+        <span class="project-name">// {PROJECT_NAME}</span>
+    </div>
+
+    <!-- Pipeline Tabs -->
+    <div class="pipeline-tabs">
+        <button class="pipeline-tab" data-phase="plan">// PLAN</button>
+        <button class="pipeline-tab active" data-phase="build">// BUILD</button>
+        <button class="pipeline-tab" data-phase="review">// REVIEW</button>
+        <button class="pipeline-tab" data-phase="deploy">// DEPLOY</button>
+        <button class="pipeline-tab" data-phase="monitor">// MONITOR</button>
+    </div>
+
+    <!-- Zoomable Canvas with draggable task cards -->
+    <div class="task-canvas" id="task-canvas-{project_id}">
+        <div class="canvas-controls">
+            <button onclick="zoomIn()">🔍+</button>
+            <span class="zoom-level">100%</span>
+            <button onclick="zoomOut()">🔍-</button>
+        </div>
+        <div class="canvas-inner" id="canvas-inner-{project_id}">
+            <!-- Draggable task cards rendered here -->
+        </div>
+    </div>
+
+    <!-- Shared Chat Panel (bottom) -->
+    <div class="project-chat" id="project-chat">
+        <div class="chat-header">// Chat <button class="chat-download">⬇</button></div>
+        <div class="chat-body" id="project-chat-body">
+            <div class="chat-tip">
+                💚 TIP: Describe your project. The more detail, the better the plan.
+            </div>
+            <!-- Chat messages -->
+        </div>
+        <div class="chat-input-area">
+            <input type="text" placeholder="Describe what you need..."
+                   id="project-chat-input" />
+            <button class="chat-send" onclick="sendProjectChat()">Send</button>
+        </div>
+    </div>
+</div>
+```
+
+#### 2.4 Draggable Task Cards on Canvas
+
+Each task card (matching the screenshot) is a draggable element:
+
+```html
+<div class="task-card draggable" data-task-id="{id}"
+     style="left: {x}px; top: {y}px;">
+    <div class="task-card-drag-handle">⠿</div>
+    <div class="task-card-badge">// TASK</div>
+
+    <h3 class="task-card-title">{title}</h3>
+    <div class="task-card-stats">
+        <span>{file_count} files</span>
+        <span>{duration}</span>
+        <span>~{token_count} tokens</span>
+    </div>
+    <p class="task-card-desc">{description}</p>
+
+    <div class="task-card-status">
+        <span class="status-label">Status</span>
+        <span class="status-value">● {status}</span>
+    </div>
+
+    <!-- Agent Manager section -->
+    <div class="task-agent-section">
+        <div class="agent-label">// AGENT MANAGER</div>
+        <div class="agent-row">
+            <span class="agent-dot">●</span>
+            <span class="agent-name">Agent #1</span>
+            <div class="agent-capabilities">
+                <!-- capability icons -->
+            </div>
+            <span class="agent-level">EVOLVED</span>
+        </div>
+    </div>
+
+    <!-- Collapsible sections -->
+    <details class="task-detail-section">
+        <summary>// SUB-TASKS</summary>
+        <div class="sub-tasks-content" hx-get="/api/ui/tasks/{id}/subtasks"
+             hx-trigger="toggle" hx-swap="innerHTML"></div>
+    </details>
+    <details class="task-detail-section">
+        <summary>// LOGS</summary>
+        <div class="logs-content"></div>
+    </details>
+    <details class="task-detail-section">
+        <summary>// OUTPUT</summary>
+        <div class="output-content"></div>
+    </details>
+</div>
+```
+
+#### 2.5 New file: `botui/ui/suite/tasks/task-window.js`
+
+Core logic consolidated from `tasks.js` and `autotask.js`:
+
+```javascript
+// task-window.js
+// Unified Task Window Manager
+
+const TaskWindow = {
+    activeTab: 'dashboard',
+    openProjects: new Map(),  // projectId -> project data
+    wsConnection: null,
+
+    init() { ... },
+    switchTab(tabId) { ... },
+    openProject(projectId, projectName) { ... },
+    closeProject(projectId) { ... },
+
+    // Dashboard
+    loadDashboard() { ... },
+    loadAgentOverview() { ... },
+    loadRecentActivity() { ... },
+
+    // Project Canvas
+    initCanvas(projectId) { ... },
+    loadTaskCards(projectId) { ... },
+    makeCardsDraggable(canvasEl) { ... },  // Uses designer.js patterns
+    switchPipelinePhase(phase) { ... },
+
+    // WebSocket
+    initWebSocket() { ... },  // Reuses existing WS from tasks.js
+    handleProgressMessage(data) { ... },
+
+    // Chat
+    initProjectChat(projectId) { ... },
+    sendProjectChat() { ... },
+};
+```
+
+Key functions to port from existing files:
+- From `tasks.js`: `initWebSocket()`, `handleWebSocketMessage()`, `renderManifestProgress()`, `buildProgressTreeHTML()`, `startTaskPolling()`
+- From `autotask.js`: `handleTaskProgressMessage()`, `onTaskStarted()`, `onTaskProgress()`, `selectIntent()`, `loadIntentDetail()`
+- From `designer.js`: `initDragAndDrop()`, `startNodeDrag()`, canvas pan/zoom
+
+#### 2.6 New file: `botui/ui/suite/tasks/task-window.css`
+
+Consolidated and pixel-perfect styles. Key sections:
+
+```css
+/* Task Window Container */
+.task-window { ... }
+
+/* Tab Bar (DASHBOARD / TASK #N) */
+.task-window-tabs { ... }
+.tw-tab { ... }
+.tw-tab.active { ... }
+
+/* Dashboard */
+.tw-dashboard { ... }
+.agent-overview { ... }
+.agent-card { ... }
+.agent-actions { ... }
+.assigned-job { ... }
+.recent-activity { ... }
+
+/* Project View */
+.tw-project { ... }
+.project-breadcrumb { ... }
+.pipeline-tabs { ... }
+.pipeline-tab { ... }
+
+/* Task Canvas (zoomable, pannable) */
+.task-canvas { ... }
+.canvas-inner { ... }
+
+/* Draggable Task Cards */
+.task-card { ... }
+.task-card.dragging { ... }
+.task-card-badge { ... }
+.task-agent-section { ... }
+
+/* Shared Chat */
+.project-chat { ... }
+```
+
+---
+
+### Phase 3: Secondary Window — "Agents & Workspaces"
+
+**Scope**: New component
+**Effort**: ~2-3 hours
+
+Auto-opens alongside the primary Tasks window. Can be minimized.
+
+#### 3.1 New file: `botui/ui/suite/tasks/agents-window.html`
+
+```html
+<link rel="stylesheet" href="/suite/tasks/agents-window.css" />
+
+<div class="agents-window" id="agents-window">
+    <!-- Header -->
+    <div class="aw-header">
+        <h3>Agents & Workspaces</h3>
+    </div>
+
+    <!-- Agent Cards -->
+    <section class="aw-agents" id="aw-agents"
+             hx-get="/api/ui/agents/list" hx-trigger="load, every 30s"
+             hx-swap="innerHTML">
+        <!-- Agent cards loaded dynamically -->
+    </section>
+
+    <!-- Workspace List -->
+    <section class="aw-workspaces" id="aw-workspaces">
+        <h4>Active Workspaces</h4>
+        <div class="workspace-list" hx-get="/api/ui/workspaces/list"
+             hx-trigger="load" hx-swap="innerHTML">
+            <!-- Workspace items -->
+        </div>
+    </section>
+
+    <!-- Quota Monitor -->
+    <section class="aw-quota" id="aw-quota">
+        <h4>Quota Monitor</h4>
+        <div class="quota-details">
+            <div class="quota-row">
+                <span>All Models</span>
+                <span class="quota-value">90%</span>
+                <div class="quota-bar">
+                    <div class="quota-fill" style="width: 90%"></div>
+                </div>
+            </div>
+            <div class="quota-stats">
+                <span>Runtime: <strong id="aw-runtime">10m 15s</strong></span>
+                <span>Token Consumption: <strong id="aw-tokens">13k</strong></span>
+            </div>
+            <div class="quota-changes">
+                <span class="change added">Added <strong>+510</strong></span>
+                <span class="change removed">Removed <strong>+510</strong></span>
+            </div>
+        </div>
+    </section>
+</div>
+
+<script src="/suite/tasks/agents-window.js"></script>
+```
+
+#### 3.2 New file: `botui/ui/suite/tasks/agents-window.js`
+
+```javascript
+const AgentsWindow = {
+    init() { ... },
+    loadAgents() { ... },
+    loadWorkspaces() { ... },
+    updateQuotaMonitor(data) { ... },
+    assignAgentToTask(agentId, taskId) { ... },
+};
+```
+
+#### 3.3 New file: `botui/ui/suite/tasks/agents-window.css`
+
+Styles matching the secondary window screenshot with agent cards, quota bars, etc.
+
+---
+
+### Phase 4: Window Manager Enhancements
+
+**Scope**: `js/window-manager.js`
+**Effort**: ~2 hours
+
+#### 4.1 Add `openPair()` method
+
+Opens primary + secondary windows side by side when Tasks is launched:
+
+```javascript
+openPair(primaryId, primaryTitle, primaryHtml, 
+         secondaryId, secondaryTitle, secondaryHtml) {
+    // Open primary window (left, 60% width)
+    this.open(primaryId, primaryTitle, primaryHtml);
+    const primaryEl = document.getElementById(`window-${primaryId}`);
+    primaryEl.style.left = '0px';
+    primaryEl.style.top = '0px';
+    primaryEl.style.width = '60%';
+    primaryEl.style.height = 'calc(100% - 50px)';
+
+    // Open secondary window (right, 40% width, minimizable)
+    this.open(secondaryId, secondaryTitle, secondaryHtml);
+    const secondaryEl = document.getElementById(`window-${secondaryId}`);
+    secondaryEl.style.left = '60%';
+    secondaryEl.style.top = '0px';
+    secondaryEl.style.width = '40%';
+    secondaryEl.style.height = 'calc(100% - 50px)';
+}
+```
+
+#### 4.2 Improve `makeResizable()`
+
+Replace CSS `resize: both` with proper resize handles (8-directional):
+
+```javascript
+makeResizable(windowEl) {
+    const handles = ['n','e','s','w','ne','nw','se','sw'];
+    handles.forEach(dir => {
+        const handle = document.createElement('div');
+        handle.className = `resize-handle resize-${dir}`;
+        windowEl.appendChild(handle);
+        // Add mousedown handler for each direction
+    });
+}
+```
+
+#### 4.3 Add snap-to-edge behavior
+
+When a window is dragged to the screen edge, snap to fill half:
+
+```javascript
+// In onMouseUp:
+if (newLeft < 10) snapToLeft(windowEl);
+if (newLeft + windowEl.offsetWidth > workspace.offsetWidth - 10) snapToRight(windowEl);
+```
+
+#### 4.4 Add `openAsSecondary()` method
+
+Opens a window in minimized-ready state:
+
+```javascript
+openAsSecondary(id, title, htmlContent) {
+    this.open(id, title, htmlContent);
+    // Mark as secondary (can be auto-minimized)
+    const windowObj = this.openWindows.find(w => w.id === id);
+    windowObj.isSecondary = true;
+}
+```
+
+---
+
+### Phase 5: Backend API Extensions
+
+**Scope**: `botserver/src/auto_task/` and `botserver/src/tasks/`
+**Effort**: ~3 hours
+
+#### 5.1 New Agent Management Endpoints
+
+Add to `botserver/src/auto_task/mod.rs` route configuration:
+
+```rust
+// New routes
+.route("/api/ui/agents/list", get(list_agents_handler))
+.route("/api/ui/agents/:id", get(get_agent_handler))
+.route("/api/ui/agents/:id/park", post(park_agent_handler))
+.route("/api/ui/agents/:id/clone", post(clone_agent_handler))
+.route("/api/ui/agents/:id/export", get(export_agent_handler))
+.route("/api/ui/workspaces/list", get(list_workspaces_handler))
+.route("/api/ui/tasks/current-job", get(current_job_handler))
+.route("/api/ui/tasks/activity", get(recent_activity_handler))
+.route("/api/ui/tasks/:id/subtasks", get(task_subtasks_handler))
+```
+
+#### 5.2 New file: `botserver/src/auto_task/agent_api.rs`
+
+Agent management handlers:
+
+```rust
+pub async fn list_agents_handler(...) -> impl IntoResponse { ... }
+pub async fn get_agent_handler(...) -> impl IntoResponse { ... }
+pub async fn park_agent_handler(...) -> impl IntoResponse { ... }
+pub async fn clone_agent_handler(...) -> impl IntoResponse { ... }
+// Returns HTML fragments (HTMX pattern)
+```
+
+#### 5.3 Extend `task_types.rs` with Agent concept
+
+```rust
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Agent {
+    pub id: Uuid,
+    pub name: String,
+    pub status: AgentStatus,
+    pub capabilities: Vec<AgentCapability>,
+    pub level: AgentLevel,  // Evolved, etc.
+    pub quota: QuotaInfo,
+    pub assigned_tasks: Vec<Uuid>,
+    pub created_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum AgentStatus { Active, Parked, Cloning }
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum AgentCapability { Code, Design, Data, Web, API, ML }
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum AgentLevel { Basic, Standard, Evolved, Superior }
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct QuotaInfo {
+    pub model_usage_percent: f64,
+    pub runtime_seconds: u64,
+    pub tokens_consumed: u64,
+    pub items_added: i64,
+    pub items_removed: i64,
+}
+```
+
+#### 5.4 Extend WebSocket for multi-agent updates
+
+In `handle_task_progress_websocket()`, add agent status broadcasts:
+
+```rust
+// New message types:
+"agent_status_update" -> { agent_id, status, quota }
+"workspace_update" -> { workspace_id, agents, tasks }
+"project_canvas_update" -> { project_id, task_positions }
+```
+
+---
+
+### Phase 6: Desktop Integration
+
+**Scope**: `desktop.html` and auto-open logic
+**Effort**: ~1.5 hours
+
+#### 6.1 Modify `desktop.html` Tasks icon click
+
+Instead of loading `tasks.html` into a single window, load the pair:
+
+```javascript
+// In desktop.html htmx:afterRequest handler
+if (appId === 'tasks') {
+    // Fetch both HTML files
+    Promise.all([
+        fetch('/suite/tasks/task-window.html').then(r => r.text()),
+        fetch('/suite/tasks/agents-window.html').then(r => r.text())
+    ]).then(([taskHtml, agentsHtml]) => {
+        window.wm.openPair(
+            'tasks', 'Tasks', taskHtml,
+            'agents', 'Agents & Workspaces', agentsHtml
+        );
+    });
+    evt.detail.isError = true; // prevent default HTMX swap
+}
+```
+
+#### 6.2 Add minibar to desktop.html
+
+Insert `minibar.html` partial via HTMX or inline.
+
+#### 6.3 Remove old breadcrumb row
+
+The `tabs-container` in `desktop.html` with "E-COMMERCE APP DEVELOPMENT" breadcrumb was hardcoded for demo; replace with dynamic content managed by the active window.
+
+---
+
+### Phase 7: Polish & Pixel-Perfect Styling
+
+**Scope**: CSS refinement
+**Effort**: ~3 hours
+
+#### 7.1 Design System Tokens
+
+Add to `css/theme-sentient.css`:
+
+```css
+:root {
+    /* Task Card Colors */
+    --task-badge-bg: rgba(132, 214, 105, 0.15);
+    --task-badge-border: #84d669;
+    --task-badge-text: #84d669;
+
+    /* Agent Status Colors */
+    --agent-active: #84d669;
+    --agent-parked: #f9e2af;
+    --agent-evolved: #84d669;
+
+    /* Pipeline Tab Colors */
+    --pipeline-active: var(--primary);
+    --pipeline-inactive: var(--text-secondary);
+
+    /* Canvas */
+    --canvas-grid: rgba(0,0,0,0.03);
+    --canvas-card-shadow: 0 2px 12px rgba(0,0,0,0.08);
+}
+```
+
+#### 7.2 Pixel-Perfect Card Styling
+
+Task cards must match screenshots exactly:
+- Monospace font (`Fira Code`) for labels
+- `//` prefix on section labels (e.g., `// TASK`, `// SUB-TASKS`)
+- Green dot for active status
+- Collapsible sections with `▸`/`▾` toggles
+- Agent capability icons row (🔧 📝 ↗ ⚙ 🛡 📊)
+
+#### 7.3 Animations
+
+```css
+/* Card drag feedback */
+.task-card.dragging {
+    opacity: 0.85;
+    transform: rotate(1deg) scale(1.02);
+    box-shadow: 0 8px 30px rgba(0,0,0,0.15);
+    z-index: 9999;
+}
+
+/* Tab switch */
+.tw-panel { transition: opacity 0.2s ease; }
+.tw-panel:not(.active) { opacity: 0; position: absolute; pointer-events: none; }
+
+/* Window open */
+@keyframes window-open {
+    from { transform: scale(0.95); opacity: 0; }
+    to { transform: scale(1); opacity: 1; }
+}
+.window-element { animation: window-open 0.15s ease-out; }
+```
+
+---
+
+## 4. File Creation & Modification Summary
+
+### New Files to Create
+
+| # | File | Purpose |
+|---|------|---------|
+| 1 | `botui/ui/suite/tasks/task-window.html` | Primary unified task window |
+| 2 | `botui/ui/suite/tasks/task-window.js` | Primary window logic |
+| 3 | `botui/ui/suite/tasks/task-window.css` | Primary window styles |
+| 4 | `botui/ui/suite/tasks/agents-window.html` | Secondary agents/workspaces window |
+| 5 | `botui/ui/suite/tasks/agents-window.js` | Secondary window logic |
+| 6 | `botui/ui/suite/tasks/agents-window.css` | Secondary window styles |
+| 7 | `botui/ui/suite/partials/minibar.html` | Top-left mini bar |
+| 8 | `botui/ui/suite/css/minibar.css` | Mini bar styles |
+| 9 | `botserver/src/auto_task/agent_api.rs` | Agent management API |
+
+### Existing Files to Modify
+
+| # | File | Changes |
+|---|------|---------|
+| 1 | `botui/ui/suite/desktop.html` | Add minibar, modify Tasks launch logic |
+| 2 | `botui/ui/suite/js/window-manager.js` | Add `openPair()`, improve resize, snap |
+| 3 | `botui/ui/suite/css/desktop.css` | Minibar layout adjustments |
+| 4 | `botserver/src/auto_task/mod.rs` | Add agent routes, export new module |
+| 5 | `botserver/src/auto_task/task_types.rs` | Add Agent, QuotaInfo types |
+| 6 | `botserver/src/tasks/task_api/html_renderers.rs` | Update rendered HTML (Mantis→Agent) |
+| 7 | `botui/ui/suite/css/theme-sentient.css` | Add new design tokens |
+
+### Files to Keep (No Changes)
+
+- `tasks/progress-panel.html` + `.js` + `.css` — reused as sub-component
+- `botserver/src/auto_task/autotask_api.rs` — API stable
+- `botserver/src/auto_task/app_generator.rs` — No changes needed
+- `botserver/src/auto_task/task_manifest.rs` — No changes needed
+- `botserver/src/tasks/scheduler.rs` — No changes needed
+
+### Files Eventually Deprecated (Phase 8 cleanup)
+
+- `tasks/autotask.html` → merged into `task-window.html`
+- `tasks/autotask.js` → merged into `task-window.js`
+- `tasks/autotask.css` → merged into `task-window.css`
+- `tasks/tasks.html` → merged into `task-window.html` (keep as partial fallback)
+- Original `partials/tasks.html` → replaced by `task-window.html`
+
+---
+
+## 5. Execution Order
+
+```
+Phase 0: Terminology Rename (Mantis → Agent/Tasks)        ~30 min
+Phase 1: Top-Left Mini Bar                                  ~45 min
+Phase 2: Primary Window (task-window.html/js/css)           ~4-6 hrs
+  ├─ 2.1: HTML structure
+  ├─ 2.2: Dashboard tab
+  ├─ 2.3: Project tab with pipeline tabs
+  ├─ 2.4: Draggable task cards
+  ├─ 2.5: JavaScript consolidation
+  └─ 2.6: CSS pixel-perfect styling
+Phase 3: Secondary Window (agents-window.html/js/css)       ~2-3 hrs
+Phase 4: Window Manager Enhancements                        ~2 hrs
+Phase 5: Backend API Extensions                             ~3 hrs
+Phase 6: Desktop Integration                                ~1.5 hrs
+Phase 7: Polish & Pixel-Perfect                             ~3 hrs
+
+Total estimated: ~17-20 hours
+```
+
+---
+
+## 6. Key Design Decisions
+
+1. **Single-window with tabs** vs multi-window for tasks → Using **tabs within a single primary window** (Dashboard / Task #N) matching the screenshots, plus a separate secondary window for agents.
+
+2. **Reuse WindowManager** — All windows still go through the existing WM for consistency with chat/drive/etc.
+
+3. **Drag system from Designer** — Port the `startNodeDrag()` and canvas pan/zoom patterns from `designer.js` for the task card canvas.
+
+4. **HTMX-first** — All data loading uses HTMX fragments from the backend, matching existing patterns in `tasks.html` and `autotask.html`.
+
+5. **WebSocket reuse** — The existing `task_progress_websocket_handler` in `auto_task/mod.rs` is extended with new message types for agent status, not replaced.
+
+6. **Progressive enhancement** — Old `tasks.html` remains functional as a fallback. The new `task-window.html` is the primary entry.
+
+7. **Scoped CSS** — Each new component gets its own CSS file to avoid conflicts with existing 70k+ lines of task styles.
+
+---
+
+## 7. Verification Checklist
+
+- [ ] Sidebar stays on far left
+- [ ] Mini bar shows "Tasks ⚙ 👤" at top-left (no Mantis logo)
+- [ ] Tasks window opens with Dashboard tab by default
+- [ ] Dashboard shows Agent #1 overview (status, tokens, tasks completed)
+- [ ] "Open Project" opens project tab with PLAN|BUILD|REVIEW|DEPLOY|MONITOR
+- [ ] Task cards are draggable on the canvas
+- [ ] Each task card has collapsible SUB-TASKS, LOGS, OUTPUT sections
+- [ ] Agent Manager section shows on each task card
+- [ ] Secondary "Agents & Workspaces" window opens alongside
+- [ ] Secondary window can be minimized
+- [ ] Chat panel at bottom of project view
+- [ ] All terminology says "Tasks" / "Agent" instead of "Mantis"
+- [ ] Monospace `Fira Code` font with `//` prefix styling throughout
+- [ ] WebSocket progress updates work in new UI
+- [ ] Window drag, resize, minimize, maximize all functional
+- [ ] Theme-aware (respects sentient/dark/light themes)
--- a/.gitignore
+++ b/.gitignore
@ -2,7 +2,8 @@
 target/
 *.out
 bin/
-
+*.png
+*.jpg
 # Logs
 *.log
 *logfile*
@ -30,7 +31,32 @@ botserver-installers/*
 !botserver-installers/.gitkeep
 botserver-stack
 TODO*
+work
+.swp
+# Lock file
+# Cargo.lock (should be tracked)
+.kiro
+config

+# Data directory (contains bot configs and API keys)
+data/

-# Lock file (regenerated from Cargo.toml)
-Cargo.lock
+# Playwright
+node_modules/
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/
+/playwright/.auth/
+config/directory_config.json
+# CI cache bust: Fri Feb 13 22:33:51 UTC 2026
+
+# Secrets - NEVER commit these files
+vault-unseal-keys
+start-and-unseal.sh
+vault-token-*
+init.json
+*.pem
+*.key
+*.crt
+*.cert
--- a/.gitmodules
+++ b/.gitmodules
@ -1,42 +1,43 @@
 [submodule "botapp"]
 	path = botapp
-	url = https://github.com/GeneralBots/botapp.git
+	url = ../botapp.git

 [submodule "botserver"]
 	path = botserver
-	url = https://github.com/GeneralBots/botserver.git
+	url = ../BotServer.git

 [submodule "botlib"]
 	path = botlib
-	url = https://github.com/GeneralBots/botlib.git
+	url = ../botlib.git

 [submodule "botui"]
 	path = botui
-	url = https://github.com/GeneralBots/botui.git
+	url = ../botui.git

 [submodule "botbook"]
 	path = botbook
-	url = https://github.com/GeneralBots/botbook.git
+	url = ../botbook.git

 [submodule "bottest"]
 	path = bottest
-	url = https://github.com/GeneralBots/bottest.git
+	url = ../bottest.git

 [submodule "botdevice"]
 	path = botdevice
-	url = https://github.com/GeneralBots/botdevice.git
+	url = ../botdevice.git

 [submodule "botmodels"]
 	path = botmodels
-	url = https://github.com/GeneralBots/botmodels.git
+	url = ../botmodels.git

 [submodule "botplugin"]
 	path = botplugin
-	url = https://github.com/GeneralBots/botplugin.git
+	url = ../botplugin.git

 [submodule "bottemplates"]
 	path = bottemplates
-	url = https://github.com/GeneralBots/bottemplates.git
+	url = ../bottemplates.git
+
 [submodule ".github"]
 	path = .github
-	url = https://github.com/GeneralBots/.github.git
+	url = ../.github.git
--- a/.idea/gb.iml
+++ b/.idea/gb.iml
@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
--- a/.idea/libraries/botserver_installers.xml
+++ b/.idea/libraries/botserver_installers.xml
@ -0,0 +1,10 @@
+<component name="libraryTable">
+  <library name="botserver-installers">
+    <CLASSES>
+      <root url="jar://$PROJECT_DIR$/botserver/botserver-installers/llama-b7345-bin-ubuntu-x64.zip!/" />
+      <root url="jar://$PROJECT_DIR$/botserver/botserver-installers/vault_1.15.4_linux_amd64.zip!/" />
+    </CLASSES>
+    <JAVADOC />
+    <SOURCES />
+  </library>
+</component>
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2">
+    <output url="file://$PROJECT_DIR$/out" />
+  </component>
+</project>
--- a/.idea/modules.xml
+++ b/.idea/modules.xml
@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/gb.iml" filepath="$PROJECT_DIR$/.idea/gb.iml" />
+    </modules>
+  </component>
+</project>
--- a/.idea/vcs.xml
+++ b/.idea/vcs.xml
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="" vcs="Git" />
+  </component>
+</project>
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ChangeListManager">
+    <list default="true" id="32fd08b0-7933-467d-9a46-1a53fd2da15c" name="Changes" comment="">
+      <change beforePath="$PROJECT_DIR$/botserver" beforeDir="false" afterPath="$PROJECT_DIR$/botserver" afterDir="false" />
+    </list>
+    <option name="SHOW_DIALOG" value="false" />
+    <option name="HIGHLIGHT_CONFLICTS" value="true" />
+    <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
+    <option name="LAST_RESOLUTION" value="IGNORE" />
+  </component>
+  <component name="Git.Settings">
+    <option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$" />
+  </component>
+  <component name="ProjectColorInfo"><![CDATA[{
+  "associatedIndex": 1
+}]]></component>
+  <component name="ProjectId" id="38qdWTFkX8Nem4LzgigXpAycSN7" />
+  <component name="ProjectViewState">
+    <option name="hideEmptyMiddlePackages" value="true" />
+    <option name="showLibraryContents" value="true" />
+  </component>
+  <component name="PropertiesComponent"><![CDATA[{
+  "keyToString": {
+    "ModuleVcsDetector.initialDetectionPerformed": "true",
+    "RunOnceActivity.ShowReadmeOnStart": "true",
+    "RunOnceActivity.git.unshallow": "true",
+    "RunOnceActivity.typescript.service.memoryLimit.init": "true",
+    "git-widget-placeholder": "main",
+    "last_opened_file_path": "/home/rodriguez/src/gb",
+    "vue.rearranger.settings.migration": "true"
+  }
+}]]></component>
+  <component name="SharedIndexes">
+    <attachedChunks>
+      <set>
+        <option value="bundled-jdk-30f59d01ecdd-2fc7cc6b9a17-intellij.indexing.shared.core-IU-253.30387.90" />
+      </set>
+    </attachedChunks>
+  </component>
+  <component name="TaskManager">
+    <task active="true" id="Default" summary="Default task">
+      <changelist id="32fd08b0-7933-467d-9a46-1a53fd2da15c" name="Changes" comment="" />
+      <created>1769531070022</created>
+      <option name="number" value="Default" />
+      <option name="presentableId" value="Default" />
+      <updated>1769531070022</updated>
+      <workItem from="1769531115917" duration="176000" />
+    </task>
+    <servers />
+  </component>
+</project>
--- a/.kiro/settings/lsp.json
+++ b/.kiro/settings/lsp.json
@ -0,0 +1,198 @@
+{
+  "languages": {
+    "typescript": {
+      "name": "typescript-language-server",
+      "command": "typescript-language-server",
+      "args": [
+        "--stdio"
+      ],
+      "file_extensions": [
+        "ts",
+        "js",
+        "tsx",
+        "jsx"
+      ],
+      "project_patterns": [
+        "package.json",
+        "tsconfig.json"
+      ],
+      "exclude_patterns": [
+        "**/node_modules/**",
+        "**/dist/**"
+      ],
+      "multi_workspace": false,
+      "initialization_options": {
+        "preferences": {
+          "disableSuggestions": false
+        }
+      },
+      "request_timeout_secs": 60
+    },
+    "python": {
+      "name": "pyright",
+      "command": "pyright-langserver",
+      "args": [
+        "--stdio"
+      ],
+      "file_extensions": [
+        "py"
+      ],
+      "project_patterns": [
+        "pyproject.toml",
+        "setup.py",
+        "requirements.txt",
+        "pyrightconfig.json"
+      ],
+      "exclude_patterns": [
+        "**/__pycache__/**",
+        "**/venv/**",
+        "**/.venv/**",
+        "**/.pytest_cache/**"
+      ],
+      "multi_workspace": false,
+      "initialization_options": {},
+      "request_timeout_secs": 60
+    },
+    "rust": {
+      "name": "rust-analyzer",
+      "command": "rust-analyzer",
+      "args": [],
+      "file_extensions": [
+        "rs"
+      ],
+      "project_patterns": [
+        "Cargo.toml"
+      ],
+      "exclude_patterns": [
+        "**/target/**"
+      ],
+      "multi_workspace": false,
+      "initialization_options": {
+        "cargo": {
+          "buildScripts": {
+            "enable": true
+          }
+        },
+        "diagnostics": {
+          "enable": true,
+          "enableExperimental": true
+        },
+        "workspace": {
+          "symbol": {
+            "search": {
+              "scope": "workspace"
+            }
+          }
+        }
+      },
+      "request_timeout_secs": 60
+    },
+    "java": {
+      "name": "jdtls",
+      "command": "jdtls",
+      "args": [],
+      "file_extensions": [
+        "java"
+      ],
+      "project_patterns": [
+        "pom.xml",
+        "build.gradle",
+        "build.gradle.kts",
+        ".project"
+      ],
+      "exclude_patterns": [
+        "**/target/**",
+        "**/build/**",
+        "**/.gradle/**"
+      ],
+      "multi_workspace": false,
+      "initialization_options": {
+        "settings": {
+          "java": {
+            "compile": {
+              "nullAnalysis": {
+                "mode": "automatic"
+              }
+            },
+            "configuration": {
+              "annotationProcessing": {
+                "enabled": true
+              }
+            }
+          }
+        }
+      },
+      "request_timeout_secs": 60
+    },
+    "ruby": {
+      "name": "solargraph",
+      "command": "solargraph",
+      "args": [
+        "stdio"
+      ],
+      "file_extensions": [
+        "rb"
+      ],
+      "project_patterns": [
+        "Gemfile",
+        "Rakefile"
+      ],
+      "exclude_patterns": [
+        "**/vendor/**",
+        "**/tmp/**"
+      ],
+      "multi_workspace": false,
+      "initialization_options": {},
+      "request_timeout_secs": 60
+    },
+    "go": {
+      "name": "gopls",
+      "command": "gopls",
+      "args": [],
+      "file_extensions": [
+        "go"
+      ],
+      "project_patterns": [
+        "go.mod",
+        "go.sum"
+      ],
+      "exclude_patterns": [
+        "**/vendor/**"
+      ],
+      "multi_workspace": false,
+      "initialization_options": {
+        "usePlaceholders": true,
+        "completeUnimported": true
+      },
+      "request_timeout_secs": 60
+    },
+    "cpp": {
+      "name": "clangd",
+      "command": "clangd",
+      "args": [
+        "--background-index"
+      ],
+      "file_extensions": [
+        "cpp",
+        "cc",
+        "cxx",
+        "c",
+        "h",
+        "hpp",
+        "hxx"
+      ],
+      "project_patterns": [
+        "CMakeLists.txt",
+        "compile_commands.json",
+        "Makefile"
+      ],
+      "exclude_patterns": [
+        "**/build/**",
+        "**/cmake-build-**/**"
+      ],
+      "multi_workspace": false,
+      "initialization_options": {},
+      "request_timeout_secs": 60
+    }
+  }
+}
--- a/.zed/settings.json
+++ b/.zed/settings.json
@ -0,0 +1,7 @@
+{
+  "languages": {
+    "Rust": {
+      "enable_language_server": false,
+    },
+  },
+}
--- a/AGENTS.md
+++ b/AGENTS.md
@ -0,0 +1,433 @@
+# General Bots AI Agent Guidelines
+- stop saving .png on root! Use /tmp. never allow new files on root.
+- never push to alm without asking first - pbecause it is production!
+8080 is server 3000 is client ui 
+if you are in trouble with some tool, please go to the ofiical website to get proper install or instructions
+To test web is http://localhost:3000 (botui!)
+Use apenas a lingua culta ao falar .
+test login here http://localhost:3000/suite/auth/login.html
+> **⚠️ CRITICAL SECURITY WARNING**
+I AM IN DEV ENV, but sometimes, pasting from PROD, do not treat my env as prod! Just fix, to me and push to CI. So I can test in PROD, for a while.
+>Use Playwrigth MCP to start localhost:3000/<bot> now.
+> **NEVER CREATE FILES WITH SECRETS IN THE REPOSITORY ROOT**
+See botserver/src/drive/local_file_monitor.rs to see how to load from /opt/gbo/data the list of development bots.
+- ❌ **NEVER** use `cargo clean` - causes 30min rebuilds, use `./reset.sh` for database issues
+
+>
+> Secret files MUST be placed in `/tmp/` only:
+> - ✅ `/tmp/vault-token-gb` - Vault root token
+> - ✅ `/tmp/vault-unseal-key-gb` - Vault unseal key
+> - ❌ `vault-unseal-keys` - FORBIDDEN (tracked by git)
+> - ❌ `start-and-unseal.sh` - FORBIDDEN (contains secrets)
+>
+> **Why `/tmp/`?**
+> - Cleared on reboot (ephemeral)
+> - Not tracked by git
+> - Standard Unix security practice
+> - Prevents accidental commits
+
+---
+
+## 🧭 LLM Navigation Guide
+
+### Reading This Workspace
+/opt/gbo/data is a place also for bots.
+**For LLMs analyzing this codebase:**
+0. Bots are in /opt/gbo/data primary
+1. Start with **[Component Dependency Graph](../README.md#-component-dependency-graph)** in README to understand relationships
+2. Review **[Module Responsibility Matrix](../README.md#-module-responsibility-matrix)** for what each module does
+3. Study **[Data Flow Patterns](../README.md#-data-flow-patterns)** to understand execution flow
+4. Reference **[Common Architectural Patterns](../README.md#-common-architectural-patterns)** before making changes
+5. Check **[Security Rules](#-security-directives---mandatory)** below - violations are blocking issues
+6. Follow **[Code Patterns](#-mandatory-code-patterns)** below - consistency is mandatory
+
+---
+
+## 🔄 Reset Process Notes
+
+### reset.sh Behavior
+- **Purpose**: Cleans and restarts the development environment
+- **Timeouts**: The script can timeout during "Step 3/4: Waiting for BotServer to bootstrap"
+- **Bootstrap Process**: Takes 3-5 minutes to install all components (Vault, PostgreSQL, Valkey, MinIO, Zitadel, LLM)
+
+### Common Issues
+1. **Script Timeout**: reset.sh waits for "Bootstrap complete: admin user" message
+   - If Zitadel isn't ready within 60s, admin user creation fails
+   - Script continues waiting indefinitely
+   - **Solution**: Check botserver.log for "Bootstrap process completed!" message
+
+2. **Zitadel Not Ready**: "Bootstrap check failed (Zitadel may not be ready)"
+   - Directory service may need more than 60 seconds to start
+   - Admin user creation deferred
+   - Services still start successfully
+
+3. **Services Exit After Start**: 
+   - botserver/botui may exit after initial startup
+   - Check logs for "dispatch failure" errors
+   - Check Vault certificate errors: "tls: failed to verify certificate: x509"
+
+### Manual Service Management
+```bash
+# If reset.sh times out, manually verify services:
+ps aux | grep -E "(botserver|botui)" | grep -v grep
+curl http://localhost:8080/health
+tail -f botserver.log botui.log
+
+# Restart services manually:
+./restart.sh
+```
+
+### Reset Verification
+After reset completes, verify:
+- ✅ PostgreSQL running (port 5432)
+- ✅ Valkey cache running (port 6379)
+- ✅ BotServer listening on port 8080
+- ✅ BotUI listening on port 3000
+- ✅ No errors in botserver.log
+
+---
+
+## 🔐 Security Directives - MANDATORY
+
+### 1. Error Handling - NO PANICS IN PRODUCTION
+
+```rust
+// ❌ FORBIDDEN
+value.unwrap()
+value.expect("message")
+panic!("error")
+todo!()
+unimplemented!()
+
+// ✅ REQUIRED
+value?
+value.ok_or_else(|| Error::NotFound)?
+value.unwrap_or_default()
+value.unwrap_or_else(|e| { log::error!("{}", e); default })
+if let Some(v) = value { ... }
+match value { Ok(v) => v, Err(e) => return Err(e.into()) }
+```
+
+### 2. Command Execution - USE SafeCommand
+
+```rust
+// ❌ FORBIDDEN
+Command::new("some_command").arg(user_input).output()
+
+// ✅ REQUIRED
+use crate::security::command_guard::SafeCommand;
+SafeCommand::new("allowed_command")?
+    .arg("safe_arg")?
+    .execute()
+```
+
+### 3. Error Responses - USE ErrorSanitizer
+
+```rust
+// ❌ FORBIDDEN
+Json(json!({ "error": e.to_string() }))
+format!("Database error: {}", e)
+
+// ✅ REQUIRED
+use crate::security::error_sanitizer::log_and_sanitize;
+let sanitized = log_and_sanitize(&e, "context", None);
+(StatusCode::INTERNAL_SERVER_ERROR, sanitized)
+```
+
+### 4. SQL - USE sql_guard
+
+```rust
+// ❌ FORBIDDEN
+format!("SELECT * FROM {}", user_table)
+
+// ✅ REQUIRED
+use crate::security::sql_guard::{sanitize_identifier, validate_table_name};
+let safe_table = sanitize_identifier(&user_table);
+validate_table_name(&safe_table)?;
+```
+
+### 5. Rate Limiting Strategy (IMP-07)
+
+- **Default Limits:**
+  - General: 100 req/s (global)
+  - Auth: 10 req/s (login endpoints)
+  - API: 50 req/s (per token)
+- **Implementation:**
+  - MUST use `governor` crate
+  - MUST implement per-IP and per-User tracking
+  - WebSocket connections MUST have message rate limits (e.g., 10 msgs/s)
+
+### 6. CSRF Protection (IMP-08)
+
+- **Requirement:** ALL state-changing endpoints (POST, PUT, DELETE, PATCH) MUST require a CSRF token.
+- **Implementation:**
+  - Use `tower_csrf` or similar middleware
+  - Token MUST be bound to user session
+  - Double-Submit Cookie pattern or Header-based token verification
+  - **Exemptions:** API endpoints using Bearer Token authentication (stateless)
+
+### 7. Security Headers (IMP-09)
+
+- **Mandatory Headers on ALL Responses:**
+  - `Content-Security-Policy`: "default-src 'self'; script-src 'self'; object-src 'none';"
+  - `Strict-Transport-Security`: "max-age=63072000; includeSubDomains; preload"
+  - `X-Frame-Options`: "DENY" or "SAMEORIGIN"
+  - `X-Content-Type-Options`: "nosniff"
+  - `Referrer-Policy`: "strict-origin-when-cross-origin"
+  - `Permissions-Policy`: "geolocation=(), microphone=(), camera=()"
+
+### 8. Dependency Management (IMP-10)
+
+- **Pinning:**
+  - Application crates (`botserver`, `botui`) MUST track `Cargo.lock`
+  - Library crates (`botlib`) MUST NOT track `Cargo.lock`
+- **Versions:**
+  - Critical dependencies (crypto, security) MUST use exact versions (e.g., `=1.0.1`)
+  - Regular dependencies MAY use caret (e.g., `1.0`)
+- **Auditing:**
+  - Run `cargo audit` weekly
+  - Update dependencies only via PR with testing
+
+---
+
+## ✅ Mandatory Code Patterns
+
+### Use Self in Impl Blocks
+```rust
+impl MyStruct {
+    fn new() -> Self { Self { } }  // ✅ Not MyStruct
+}
+```
+
+### Derive Eq with PartialEq
+```rust
+#[derive(PartialEq, Eq)]  // ✅ Always both
+struct MyStruct { }
+```
+
+### Inline Format Args
+```rust
+format!("Hello {name}")  // ✅ Not format!("{}", name)
+```
+
+### Combine Match Arms
+```rust
+match x {
+    A | B => do_thing(),  // ✅ Combine identical arms
+    C => other(),
+}
+```
+
+---
+
+## ❌ Absolute Prohibitions
+- NEVER search /target folder! It is binary compiled.
+- ❌ **NEVER** build in release mode - ONLY debug builds allowed
+- ❌ **NEVER** use `--release` flag on ANY cargo command
+- ❌ **NEVER** use `--all-targets` with clippy - too slow (1m 44s without vs 10min+ with)
+- ❌ **NEVER** use `--all-features` unless testing specific feature gates
+- ❌ **ALWAYS** use: `cargo clippy --workspace` (DEBUG mode, lib + bin only)
+- ❌ **NEVER** run `cargo build` - use `cargo check` for syntax verification
+
+**Current Status:** ✅ **0 clippy warnings** (down from 61 - PERFECT SCORE in YOLO mode)
+- ❌ **NEVER** use `panic!()`, `todo!()`, `unimplemented!()`
+- ❌ **NEVER** use `Command::new()` directly - use `SafeCommand`
+- ❌ **NEVER** return raw error strings to HTTP clients
+- ❌ **NEVER** use `#[allow()]` in source code - FIX the code instead
+- ❌ **NEVER** add lint exceptions to `Cargo.toml` - FIX the code instead
+- ❌ **NEVER** use `_` prefix for unused variables - DELETE or USE them
+- ❌ **NEVER** leave unused imports or dead code
+- ❌ **NEVER** use CDN links - all assets must be local
+- ❌ **NEVER** create `.md` documentation files without checking `botbook/` first
+- ❌ **NEVER** comment out code - FIX it or DELETE it entirely
+
+---
+
+## 📏 File Size Limits - MANDATORY
+
+### Maximum 450 Lines Per File
+
+When a file grows beyond this limit:
+
+1. **Identify logical groups** - Find related functions
+2. **Create subdirectory module** - e.g., `handlers/`
+3. **Split by responsibility:**
+   - `types.rs` - Structs, enums, type definitions
+   - `handlers.rs` - HTTP handlers and routes
+   - `operations.rs` - Core business logic
+   - `utils.rs` - Helper functions
+   - `mod.rs` - Re-exports and configuration
+4. **Keep files focused** - Single responsibility
+5. **Update mod.rs** - Re-export all public items
+
+**NEVER let a single file exceed 450 lines - split proactively at 350 lines**
+
+---
+
+## 🔥 Error Fixing Workflow
+
+### Mode 1: OFFLINE Batch Fix (PREFERRED)
+
+When given error output:
+
+1. **Read ENTIRE error list first**
+2. **Group errors by file**
+3. **For EACH file with errors:**
+   a. View file → understand context
+   b. Fix ALL errors in that file
+   c. Write once with all fixes
+4. **Move to next file**
+5. **REPEAT until ALL errors addressed**
+6. **ONLY THEN → verify with build/diagnostics**
+
+**NEVER run cargo build/check/clippy DURING fixing**
+**Fix ALL errors OFFLINE first, verify ONCE at the end**
+
+### Mode 2: Interactive Loop
+
+```
+LOOP UNTIL (0 warnings AND 0 errors):
+  1. Run diagnostics → pick file with issues
+  2. Read entire file
+  3. Fix ALL issues in that file
+  4. Write file once with all fixes
+  5. Verify with diagnostics
+  6. CONTINUE LOOP
+END LOOP
+```
+
+---
+
+## 🎭 Playwright Browser Testing - YOLO Mode
+
+**When user requests to start YOLO mode with Playwright:**
+
+1. **Start the browser** - Use `mcp__playwright__browser_navigate` to open http://localhost:3000/{botname}
+2. **Take snapshot** - Use `mcp__playwright__browser_snapshot` to see current page state
+3. **Test user flows** - Use click, type, fill_form, etc.
+4. **Verify results** - Check for expected content, errors in console, network requests
+5. **Validate backend** - Check database and services to confirm process completion
+6. **Report findings** - Always include screenshot evidence with `browser_take_screenshot`
+
+**Bot-Specific Testing URL Pattern:**
+`http://localhost:3000/<botname>`
+
+**Backend Validation Checks:**
+After UI interactions, validate backend state via `psql` or `tail` logs.
+
+---
+
+## 🧪 Testing Strategy
+
+### Unit Tests
+- **Location**: Each crate has `tests/` directory or inline `#[cfg(test)]` modules
+- **Naming**: Test functions use `test_` prefix or describe what they test
+- **Running**: `cargo test -p <crate_name>` or `cargo test` for all
+
+### Integration Tests
+- **Location**: `bottest/` crate contains integration tests
+- **Scope**: Tests full workflows across multiple crates
+- **Running**: `cargo test -p bottest`
+
+### Coverage Goals
+- **Critical paths**: 80%+ coverage required
+- **Error handling**: ALL error paths must have tests
+- **Security**: All security guards must have tests
+
+### WhatsApp Integration Testing
+
+#### Prerequisites
+1. **Enable WhatsApp Feature**: Build botserver with whatsapp feature enabled:
+   ```bash
+   cargo build -p botserver --bin botserver --features whatsapp
+   ```
+2. **Bot Configuration**: Ensure the bot has WhatsApp credentials configured in `config.csv`:
+   - `whatsapp-api-key` - API key from Meta Business Suite
+   - `whatsapp-verify-token` - Custom token for webhook verification
+   - `whatsapp-phone-number-id` - Phone Number ID from Meta
+   - `whatsapp-business-account-id` - Business Account ID from Meta
+
+#### Using Localtunnel (lt) as Reverse Proxy
+
+# Check database for message storage
+psql -h localhost -U postgres -d botserver -c "SELECT * FROM messages WHERE bot_id = '<bot_id>' ORDER BY created_at DESC LIMIT 5;"
+---
+
+## 🐛 Debugging Rules
+
+### 🚨 CRITICAL ERROR HANDLING RULE
+
+**STOP EVERYTHING WHEN ERRORS APPEAR**
+
+When ANY error appears in logs during startup or operation:
+1. **IMMEDIATELY STOP** - Do not continue with other tasks
+2. **IDENTIFY THE ERROR** - Read the full error message and context
+3. **FIX THE ERROR** - Address the root cause, not symptoms
+4. **VERIFY THE FIX** - Ensure error is completely resolved
+5. **ONLY THEN CONTINUE** - Never ignore or work around errors
+
+**NEVER restart servers to "fix" errors - FIX THE ACTUAL PROBLEM**
+
+### Log Locations
+
+| Component | Log File | What's Logged |
+|-----------|----------|---------------|
+| **botserver** | `botserver.log` | API requests, errors, script execution, **client navigation events** |
+| **botui** | `botui.log` | UI rendering, WebSocket connections |
+| **drive_monitor** | In botserver logs with `[drive_monitor]` prefix | File sync, compilation |
+| **client errors** | In botserver logs with `CLIENT:` prefix | JavaScript errors, navigation events |
+
+---
+
+## 🎨 Frontend Standards
+
+### HTMX-First Approach
+- Use HTMX to minimize JavaScript
+- Server returns HTML fragments, not JSON
+- Use `hx-get`, `hx-post`, `hx-target`, `hx-swap`
+- WebSocket via htmx-ws extension
+
+### Local Assets Only - NO CDN
+```html
+<!-- ✅ CORRECT -->
+<script src="js/vendor/htmx.min.js"></script>
+
+<!-- ❌ WRONG -->
+<script src="https://unpkg.com/htmx.org@1.9.10"></script>
+```
+
+---
+
+## 🚀 Performance & Size Standards
+
+### Binary Size Optimization
+- **Release Profile**: Always maintain `opt-level = "z"`, `lto = true`, `codegen-units = 1`, `strip = true`, `panic = "abort"`.
+- **Dependencies**: 
+  - Run `cargo tree --duplicates` weekly
+  - Run `cargo machete` to remove unused dependencies
+  - Use `default-features = false` and explicitly opt-in to needed features
+
+### Linting & Code Quality
+- **Clippy**: Code MUST pass `cargo clippy --workspace` with **0 warnings**.
+- **No Allow**: NEVER use `#[allow(clippy::...)]` in source code - FIX the code instead.
+
+---
+
+## 🔑 Memory & Main Directives
+
+**LOOP AND COMPACT UNTIL 0 WARNINGS - MAXIMUM PRECISION**
+
+- 0 warnings
+- 0 errors
+- Trust project diagnostics
+- Respect all rules
+- No `#[allow()]` in source code
+- Real code fixes only
+
+**Remember:**
+- **OFFLINE FIRST** - Fix all errors from list before compiling
+- **BATCH BY FILE** - Fix ALL errors in a file at once
+- **WRITE ONCE** - Single edit per file with all fixes
+- **VERIFY LAST** - Only compile/diagnostics after ALL fixes
+- **DELETE DEAD CODE** - Don't keep unused code around
+- **GIT WORKFLOW** - ALWAYS push to ALL repositories (github, pragmatismo)
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -109,6 +109,7 @@ url = "2.5"
 dirs = "5.0"
 tempfile = "3"
 walkdir = "2.5.0"
+notify = "8.0"

 # ─── COMPRESSION / ARCHIVES ───
 flate2 = "1.0"
@ -174,7 +175,7 @@ indicatif = "0.18.0"

 # ─── MEMORY ALLOCATOR ───
 tikv-jemallocator = "0.6"
-tikv-jemalloc-ctl = { version = "0.6", default-features = false }
+tikv-jemalloc-ctl = { version = "0.6", default-features = false, features = ["stats"] }

 # ─── SECRETS / VAULT ───
 vaultrs = "0.7"
@ -196,7 +197,7 @@ csv = "1.3"
 tonic = { version = "0.14.2", default-features = false }

 # ─── STATIC FILES ───
-rust-embed = "8.5"
+rust-embed = { version = "8.5", features = ["interpolate-folder-path"] }
 mime_guess = "2.0"

 # ─── TAURI (Desktop/Mobile) ───
--- a/DEPENDENCIES-DEV.sh
+++ b/DEPENDENCIES-DEV.sh
@ -1,204 +0,0 @@
-#!/bin/bash
-#
-# DEPENDENCIES-DEV.sh - Development Dependencies for General Bots
-# 
-# This script installs additional packages needed for BUILDING botserver from source.
-# Only install these if you plan to compile the code yourself.
-#
-# Usage: sudo ./DEPENDENCIES-DEV.sh
-#
-
-set -e
-
-# Colors
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m'
-
-echo -e "${GREEN}========================================${NC}"
-echo -e "${GREEN}  General Bots Development Dependencies${NC}"
-echo -e "${GREEN}========================================${NC}"
-
-# Check root
-if [ "$EUID" -ne 0 ]; then
-    echo -e "${RED}Error: Run as root (use sudo)${NC}"
-    exit 1
-fi
-
-# Detect OS
-if [ -f /etc/os-release ]; then
-    . /etc/os-release
-    OS=$ID
-else
-    echo -e "${RED}Error: Cannot detect OS${NC}"
-    exit 1
-fi
-
-echo -e "${YELLOW}OS: $OS${NC}"
-
-install_debian_ubuntu() {
-    apt-get update
-    apt-get install -y \
-        build-essential \
-        gcc \
-        g++ \
-        clang \
-        llvm-dev \
-        libclang-dev \
-        cmake \
-        make \
-        git \
-        pkg-config \
-        libssl-dev \
-        libpq-dev \
-        liblzma-dev \
-        zlib1g-dev \
-        libabseil-dev \
-        protobuf-compiler \
-        libprotobuf-dev \
-        automake \
-        bison \
-        flex \
-        gperf \
-        libtool \
-        m4 \
-        nasm \
-        python3 \
-        python3-pip \
-        nodejs \
-        npm
-    
-    # Cross-compilation toolchains
-    apt-get install -y \
-        gcc-aarch64-linux-gnu \
-        gcc-arm-linux-gnueabihf \
-        gcc-x86-64-linux-gnu || true
-}
-
-install_fedora_rhel() {
-    dnf groupinstall -y "Development Tools"
-    dnf install -y \
-        gcc \
-        gcc-c++ \
-        clang \
-        llvm-devel \
-        clang-devel \
-        cmake \
-        make \
-        git \
-        pkgconf-devel \
-        openssl-devel \
-        libpq-devel \
-        xz-devel \
-        zlib-devel \
-        abseil-cpp-devel \
-        protobuf-compiler \
-        protobuf-devel \
-        automake \
-        bison \
-        flex \
-        gperf \
-        libtool \
-        m4 \
-        nasm \
-        python3 \
-        python3-pip \
-        nodejs \
-        npm
-}
-
-install_arch() {
-    pacman -Sy --noconfirm \
-        base-devel \
-        gcc \
-        clang \
-        llvm \
-        cmake \
-        make \
-        git \
-        pkgconf \
-        openssl \
-        postgresql-libs \
-        xz \
-        zlib \
-        abseil-cpp \
-        protobuf \
-        automake \
-        bison \
-        flex \
-        gperf \
-        libtool \
-        m4 \
-        nasm \
-        python \
-        python-pip \
-        nodejs \
-        npm
-}
-
-install_alpine() {
-    apk add --no-cache \
-        build-base \
-        gcc \
-        g++ \
-        clang \
-        llvm-dev \
-        clang-dev \
-        cmake \
-        make \
-        git \
-        pkgconf-dev \
-        openssl-dev \
-        postgresql-dev \
-        xz-dev \
-        zlib-dev \
-        abseil-cpp-dev \
-        protobuf-dev \
-        protoc \
-        automake \
-        bison \
-        flex \
-        gperf \
-        libtool \
-        m4 \
-        nasm \
-        python3 \
-        py3-pip \
-        nodejs \
-        npm
-}
-
-case $OS in
-    ubuntu|debian|linuxmint|pop)
-        install_debian_ubuntu
-        ;;
-    fedora|rhel|centos|rocky|almalinux)
-        install_fedora_rhel
-        ;;
-    arch|manjaro)
-        install_arch
-        ;;
-    alpine)
-        install_alpine
-        ;;
-    *)
-        echo -e "${RED}Unsupported OS: $OS${NC}"
-        echo "Required development packages:"
-        echo "  - build-essential/base-devel"
-        echo "  - gcc, g++, clang"
-        echo "  - cmake, make, git"
-        echo "  - Development headers for:"
-        echo "    - OpenSSL, PostgreSQL, XZ, zlib"
-        echo "    - Abseil, Protobuf, LLVM"
-        exit 1
-        ;;
-esac
-
-echo -e "${GREEN}Development dependencies installed!${NC}"
-echo ""
-echo "Install Rust if not already installed:"
-echo "  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh"
-echo ""
-echo "Then build with:"
-echo "  cargo build --release"
--- a/DEPENDENCIES.sh
+++ b/DEPENDENCIES.sh
@ -1,44 +1,44 @@
-#!/bin/bash
-#
-# DEPENDENCIES.sh - Runtime Dependencies for General Bots
-# 
-# This script installs all system packages required to RUN botserver binary.
-# These are the minimal dependencies needed for production deployment.
-#
-# Usage: sudo ./DEPENDENCIES.sh
-#
+        #!/bin/bash
+        #
+        # DEPENDENCIES.sh - Runtime Dependencies for General Bots
+        # 
+        # This script installs all system packages required to RUN botserver binary.
+        # These are the minimal dependencies needed for production deployment.
+        #
+        # Usage: sudo ./DEPENDENCIES.sh
+        #

-set -e
+        set -e

-# Colors
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m'
+        # Colors
+        RED='\033[0;31m'
+        GREEN='\033[0;32m'
+        YELLOW='\033[1;33m'
+        NC='\033[0m'

-echo -e "${GREEN}========================================${NC}"
-echo -e "${GREEN}  General Bots Runtime Dependencies${NC}"
-echo -e "${GREEN}========================================${NC}"
+        echo -e "${GREEN}========================================${NC}"
+        echo -e "${GREEN}  General Bots Runtime Dependencies${NC}"
+        echo -e "${GREEN}========================================${NC}"

-# Check root
-if [ "$EUID" -ne 0 ]; then
+        # Check root
+        if [ "$EUID" -ne 0 ]; then
            echo -e "${RED}Error: Run as root (use sudo)${NC}"
            exit 1
-fi
+        fi

-# Detect OS
-if [ -f /etc/os-release ]; then
+        # Detect OS
+        if [ -f /etc/os-release ]; then
            . /etc/os-release
            OS=$ID
-else
+        else
            echo -e "${RED}Error: Cannot detect OS${NC}"
            exit 1
-fi
+        fi

-echo -e "${YELLOW}OS: $OS${NC}"
+        echo -e "${YELLOW}OS: $OS${NC}"
+
+        install_debian_ubuntu() {
                
-install_debian_ubuntu() {
-    apt-get update
                apt-get install -y \
                    libpq5 \
                    libssl3 \
@ -47,21 +47,14 @@ install_debian_ubuntu() {
                    ca-certificates \
                    curl \
                    wget \
-        libabseil20210324 \
                    libclang1 \
                    pkg-config \
                    snapd

-    # LXC for containers
-    snap install lxd || apt-get install -y lxd || true

-    # Initialize LXD
-    if command -v lxd &> /dev/null && ! lxc list &> /dev/null 2>&1; then
-        lxd init --auto || true
-    fi
-}
+        }

-install_fedora_rhel() {
+        install_fedora_rhel() {
            dnf install -y \
                libpq \
                openssl-libs \
@ -75,9 +68,9 @@ install_fedora_rhel() {
                pkgconf-pkg-config \
                lxc \
                lxc-templates
-}
+        }

-install_arch() {
+        install_arch() {
            pacman -Sy --noconfirm \
                postgresql-libs \
                openssl \
@ -90,9 +83,9 @@ install_arch() {
                clang \
                pkgconf \
                lxc
-}
+        }

-install_alpine() {
+        install_alpine() {
            apk add --no-cache \
                libpq \
                openssl \
@ -105,9 +98,9 @@ install_alpine() {
                clang \
                pkgconf \
                lxc
-}
+        }

-case $OS in
+        case $OS in
            ubuntu|debian|linuxmint|pop)
                install_debian_ubuntu
                ;;
@ -132,9 +125,9 @@ case $OS in
                echo "  - LXC (containers)"
                exit 1
                ;;
-esac
+        esac

-echo -e "${GREEN}Runtime dependencies installed!${NC}"
-echo ""
-echo "You can now run:"
-echo "  ./botserver"
+        echo -e "${GREEN}Runtime dependencies installed!${NC}"
+        echo ""
+        echo "You can now run:"
+        echo "  ./botserver"
--- a/PROMPT.md
+++ b/PROMPT.md
@ -1,383 +0,0 @@
-# General Bots Workspace - Master Development Guide
-
-**Version:** 6.2.0 - DO NOT CHANGE  
-**Project:** General Bots Workspace (Rust Monorepo)
-
---
-
-## 📁 WORKSPACE STRUCTURE
-
-| Crate | Purpose | Port | Tech Stack |
-|-------|---------|------|------------|
-| **botserver** | Main API server, business logic | 8088 | Axum, Diesel, Rhai BASIC |
-| **botui** | Web UI server (dev) + proxy | 3000 | Axum, HTML/HTMX/CSS |
-| **botapp** | Desktop app wrapper | - | Tauri 2 |
-| **botlib** | Shared library | - | Core types, errors |
-| **botbook** | Documentation | - | mdBook |
-| **bottest** | Integration tests | - | tokio-test |
-| **botdevice** | IoT/Device support | - | Rust |
-| **botmodels** | Data models visualization | - | - |
-| **botplugin** | Browser extension | - | JS |
-
-### Key Paths
- **Binary:** `target/debug/botserver`
- **Run from:** `botserver/` directory
- **Env file:** `botserver/.env`
- **Stack:** `botserver/botserver-stack/`
- **UI Files:** `botui/ui/suite/`
-
---
-
-## 🔥 ERROR FIXING WORKFLOW
-
-### Mode 1: OFFLINE Batch Fix (PREFERRED)
-
-When given error output:
-
-```
-1. Read ENTIRE error list first
-2. Group errors by file
-3. For EACH file with errors:
-   a. View file → understand context
-   b. Fix ALL errors in that file
-   c. Write once with all fixes
-4. Move to next file
-5. REPEAT until ALL errors addressed
-6. ONLY THEN → verify with build/diagnostics
-```
-
-**NEVER run cargo build/check/clippy DURING fixing**  
-**Fix ALL errors OFFLINE first, verify ONCE at the end**
-
-### Mode 2: Interactive Loop
-
-```
-LOOP UNTIL (0 warnings AND 0 errors):
-  1. Run diagnostics → pick file with issues
-  2. Read entire file
-  3. Fix ALL issues in that file
-  4. Write file once with all fixes
-  5. Verify with diagnostics
-  6. CONTINUE LOOP
-END LOOP
-```
-
-### Common Error Patterns
-
-| Error | Fix |
-|-------|-----|
-| `expected i64, found u64` | `value as i64` |
-| `expected Option<T>, found T` | `Some(value)` |
-| `expected T, found Option<T>` | `value.unwrap_or(default)` |
-| `cannot multiply f32 by f64` | `f64::from(f32_val) * f64_val` |
-| `no field X on type Y` | Check struct definition |
-| `no variant X found` | Check enum definition |
-| `function takes N arguments` | Match function signature |
-| `cannot find function` | Add missing function or fix import |
-| `unused variable` | Delete or use with `..` in patterns |
-| `unused import` | Delete the import line |
-| `cannot move out of X because borrowed` | Use scoping `{ }` to limit borrow |
-
---
-
-## 🧠 MEMORY MANAGEMENT
-
-When compilation fails due to memory issues (process "Killed"):
-
-```bash
-pkill -9 cargo; pkill -9 rustc; pkill -9 botserver
-CARGO_BUILD_JOBS=1 cargo check -p botserver 2>&1 | tail -200
-```
-
---
-
-## 📏 FILE SIZE LIMITS - MANDATORY
-
-### Maximum 1000 Lines Per File
-
-When a file grows beyond this limit:
-
-1. **Identify logical groups** - Find related functions
-2. **Create subdirectory module** - e.g., `handlers/`
-3. **Split by responsibility:**
-   - `crud.rs` - Create, Read, Update, Delete
-   - `ai.rs` - AI/ML handlers
-   - `export.rs` - Export/import
-   - `validation.rs` - Validation
-   - `mod.rs` - Re-exports
-4. **Keep files focused** - Single responsibility
-5. **Update mod.rs** - Re-export all public items
-
-**NEVER let a single file exceed 1000 lines - split proactively at 800 lines**
-
---
-
-## 🚀 PERFORMANCE & SIZE STANDARDS
-
-### Binary Size Optimization
- **Release Profile**: Always maintain `opt-level = "z"`, `lto = true`, `codegen-units = 1`, `strip = true`, `panic = "abort"`.
- **Dependencies**: 
-  - Run `cargo tree --duplicates` weekly to find and resolve duplicate versions.
-  - Run `cargo machete` to remove unused dependencies.
-  - Use `default-features = false` and explicitly opt-in to needed features.
-
-### Memory Optimization
- **Strings**: Prefer `&str` over `String` where possible. Use `Cow<str>` for conditional ownership.
- **Collections**: Use `Vec::with_capacity` when size is known. Consider `SmallVec` for hot paths.
- **Allocations**: Minimize heap allocations in hot paths.
-
-### Linting & Code Quality
- **Clippy**: Code MUST pass `cargo clippy --all-targets --all-features` with **0 warnings**.
- **No Allow**: Do not use `#[allow(clippy::...)]` unless absolutely necessary and documented. Fix the underlying issue.
-
---
-
-## 🔐 SECURITY DIRECTIVES - MANDATORY
-
-### Error Handling - NO PANICS IN PRODUCTION
-
-```rust
-// ❌ FORBIDDEN
-value.unwrap()
-value.expect("message")
-panic!("error")
-todo!()
-unimplemented!()
-
-// ✅ REQUIRED
-value?
-value.ok_or_else(|| Error::NotFound)?
-value.unwrap_or_default()
-value.unwrap_or_else(|e| { log::error!("{}", e); default })
-if let Some(v) = value { ... }
-match value { Ok(v) => v, Err(e) => return Err(e.into()) }
-```
-
-### Command Execution - USE SafeCommand
-
-```rust
-// ❌ FORBIDDEN
-Command::new("some_command").arg(user_input).output()
-
-// ✅ REQUIRED
-use crate::security::command_guard::SafeCommand;
-SafeCommand::new("allowed_command")?
-    .arg("safe_arg")?
-    .execute()
-```
-
-### Error Responses - USE ErrorSanitizer
-
-```rust
-// ❌ FORBIDDEN
-Json(json!({ "error": e.to_string() }))
-format!("Database error: {}", e)
-
-// ✅ REQUIRED
-use crate::security::error_sanitizer::log_and_sanitize;
-let sanitized = log_and_sanitize(&e, "context", None);
-(StatusCode::INTERNAL_SERVER_ERROR, sanitized)
-```
-
-### SQL - USE sql_guard
-
-```rust
-// ❌ FORBIDDEN
-format!("SELECT * FROM {}", user_table)
-
-// ✅ REQUIRED
-use crate::security::sql_guard::{sanitize_identifier, validate_table_name};
-let safe_table = sanitize_identifier(&user_table);
-validate_table_name(&safe_table)?;
-```
-
---
-
-## ❌ ABSOLUTE PROHIBITIONS
-
-```
-❌ NEVER use .unwrap() or .expect() in production code (tests OK)
-❌ NEVER use panic!(), todo!(), unimplemented!()
-❌ NEVER use Command::new() directly - use SafeCommand
-❌ NEVER return raw error strings to HTTP clients
-❌ NEVER use #[allow()] in source code - FIX the code instead
-❌ NEVER add lint exceptions to Cargo.toml - FIX the code instead
-❌ NEVER use _ prefix for unused variables - DELETE or USE them
-❌ NEVER leave unused imports or dead code
-❌ NEVER add comments - code must be self-documenting
-❌ NEVER modify Cargo.toml lints section!
-❌ NEVER use CDN links - all assets must be local
-```
-
---
-
-## ✅ MANDATORY CODE PATTERNS
-
-### Use Self in Impl Blocks
-```rust
-impl MyStruct {
-    fn new() -> Self { Self { } }  // ✅ Not MyStruct
-}
-```
-
-### Derive Eq with PartialEq
-```rust
-#[derive(PartialEq, Eq)]  // ✅ Always both
-struct MyStruct { }
-```
-
-### Inline Format Args
-```rust
-format!("Hello {name}")  // ✅ Not format!("{}", name)
-```
-
-### Combine Match Arms
-```rust
-match x {
-    A | B => do_thing(),  // ✅ Combine identical arms
-    C => other(),
-}
-```
-
---
-
-## 🖥️ UI Architecture (botui + botserver)
-
-### Two Servers During Development
-
-| Server | Port | Purpose |
-|--------|------|---------|
-| **botui** | 3000 | Serves UI files + proxies API to botserver |
-| **botserver** | 8088 | Backend API + embedded UI fallback |
-
-### How It Works
-
-```
-Browser → localhost:3000 → botui (serves HTML/CSS/JS)
-                        → /api/* proxied to botserver:8088
-                        → /suite/* served from botui/ui/suite/
-```
-
-### Adding New Suite Apps
-
-1. Create folder: `botui/ui/suite/<appname>/`
-2. Add to `SUITE_DIRS` in `botui/src/ui_server/mod.rs`
-3. Rebuild botui: `cargo build -p botui`
-4. Add menu entry in `botui/ui/suite/index.html`
-
-### Hot Reload
-
- **UI files (HTML/CSS/JS)**: Edit & refresh browser (no restart)
- **botui Rust code**: Rebuild + restart botui
- **botserver Rust code**: Rebuild + restart botserver
-
-### Production (Single Binary)
-
-When `botui/ui/suite/` folder not found, botserver uses **embedded UI** compiled into binary via `rust-embed`.
-
---
-
-## 🎨 FRONTEND STANDARDS
-
-### HTMX-First Approach
- Use HTMX to minimize JavaScript
- Server returns HTML fragments, not JSON
- Use `hx-get`, `hx-post`, `hx-target`, `hx-swap`
- WebSocket via htmx-ws extension
-
-### Local Assets Only - NO CDN
-```html
-<!-- ✅ CORRECT -->
-<script src="js/vendor/htmx.min.js"></script>
-
-<!-- ❌ WRONG -->
-<script src="https://unpkg.com/htmx.org@1.9.10"></script>
-```
-
-### Vendor Libraries Location
-```
-ui/suite/js/vendor/
-├── htmx.min.js
-├── htmx-ws.js
-├── marked.min.js
-└── gsap.min.js
-```
-
---
-
-## 📋 PROJECT-SPECIFIC PROMPTS
-
-Each crate has its own PROMPT.md with specific guidelines:
-
-| Crate | PROMPT.md Location | Focus |
-|-------|-------------------|-------|
-| botserver | `botserver/PROMPT.md` | API, security, Rhai BASIC |
-| botui | `botui/PROMPT.md` | UI, HTMX, CSS design system |
-| botapp | `botapp/PROMPT.md` | Tauri, desktop features |
-| botlib | `botlib/PROMPT.md` | Shared types, errors |
-| botbook | `botbook/PROMPT.md` | Documentation, mdBook |
-| bottest | `bottest/PROMPT.md` | Test infrastructure |
-
-### Special Prompts
-| File | Purpose |
-|------|---------|
-| `botserver/src/tasks/PROMPT.md` | AutoTask LLM executor |
-| `botserver/src/auto_task/APP_GENERATOR_PROMPT.md` | App generation |
-
---
-
-## 🚀 STARTING DEVELOPMENT
-
-### Start Both Servers
-```bash
-# Terminal 1: botserver
-cd botserver && cargo run -- --noconsole
-
-# Terminal 2: botui  
-cd botui && BOTSERVER_URL="http://localhost:8088" cargo run
-```
-
-### Build Commands
-```bash
-# Check single crate
-cargo check -p botserver
-
-# Build workspace
-cargo build
-
-# Run tests
-cargo test -p bottest
-```
-
---
-
-## 📋 CONTINUATION PROMPT
-
-When starting a new session or continuing work:
-
-```
-Continue on gb/ workspace. Follow PROMPT.md strictly:
-
-1. Check current state with build/diagnostics
-2. Fix ALL warnings and errors - NO #[allow()] attributes
-3. Delete unused code, don't suppress warnings
-4. Remove unused parameters, don't prefix with _
-5. Verify after each fix batch
-6. Loop until 0 warnings, 0 errors
-```
-
---
-
-## 🔑 REMEMBER
-
- **OFFLINE FIRST** - Fix all errors from list before compiling
- **ZERO WARNINGS, ZERO ERRORS** - The only acceptable state
- **FIX, DON'T SUPPRESS** - No #[allow()], no Cargo.toml lint exceptions
- **SECURITY FIRST** - No unwrap, no raw errors, no direct commands
- **READ BEFORE FIX** - Always understand context first
- **BATCH BY FILE** - Fix ALL errors in a file at once
- **WRITE ONCE** - Single edit per file with all fixes
- **VERIFY LAST** - Only compile/diagnostics after ALL fixes
- **DELETE DEAD CODE** - Don't keep unused code around
- **Version 6.2.0** - Do not change without approval
- **GIT WORKFLOW** - ALWAYS push to ALL repositories (github, pragmatismo)
--- a/README.md
+++ b/README.md
@ -1,85 +1,644 @@
 # General Bots Workspace

-**Version:** 6.1.0  
+## ⚠️ CRITICAL SECURITY WARNING
+
+**NEVER CREATE FILES WITH SECRETS IN THE REPOSITORY ROOT**
+
+Secret files MUST be placed in `/tmp/` only:
+- ✅ `/tmp/vault-token-gb` - Vault root token
+- ✅ `/tmp/vault-unseal-key-gb` - Vault unseal key
+- ❌ `vault-unseal-keys` - FORBIDDEN (tracked by git)
+- ❌ `start-and-unseal.sh` - FORBIDDEN (contains secrets)
+
+**Files added to .gitignore:** `vault-unseal-keys`, `start-and-unseal.sh`, `vault-token-*`
+
+**Why `/tmp/`?**
+- Cleared on reboot (ephemeral)
+- Not tracked by git
+- Standard Unix security practice
+- Prevents accidental commits
+
+---
+
+
+**Version:** 6.2.0  
 **Type:** Rust Workspace (Monorepo with Independent Subproject Repos)

 ---

-## Structure
+## Overview

-This workspace contains multiple General Bots projects:
+General Bots is a comprehensive automation platform built with Rust, providing a unified workspace for building AI-powered bots, web interfaces, desktop applications, and integration tools. The workspace follows a modular architecture with independent subprojects that can be developed and deployed separately while sharing common libraries and standards.

+For comprehensive documentation, see **[docs.pragmatismo.com.br](https://docs.pragmatismo.com.br)** or the **[BotBook](./botbook)** for detailed guides, API references, and tutorials.
+
+---
+
+## 📁 Workspace Structure
+
+| Crate | Purpose | Port | Tech Stack |
+|-------|---------|------|------------|
+| **botserver** | Main API server, business logic | 9000 | Axum, Diesel, Rhai BASIC |
+| **botui** | Web UI server (dev) + proxy | 3000 | Axum, HTML/HTMX/CSS |
+| **botapp** | Desktop app wrapper | - | Tauri 2 |
+| **botlib** | Shared library | - | Core types, errors |
+| **botbook** | Documentation | - | mdBook |
+| **bottest** | Integration tests | - | tokio-test |
+| **botdevice** | IoT/Device support | - | Rust |
+| **botmodels** | Data models visualization | - | - |
+| **botplugin** | Browser extension | - | JS |
+
+### Key Paths
+- **Binary:** `target/debug/botserver`
+- **Run from:** `botserver/` directory
+- **Env file:** `botserver/.env`
+- **Stack:** `botserver-stack/`
+- **UI Files:** `botui/ui/suite/`
+- **Local Bot Data:** `/opt/gbo/data/` (place `.gbai` packages here)
+
+### Local Bot Data Directory
+
+Place local bot packages in `/opt/gbo/data/` for automatic loading and monitoring:
+
+**Directory Structure:**
 ```
-gb/
-├── PROMPT.md          ← Workspace-level development guide (READ THIS FIRST)
-├── Cargo.toml         ← Workspace configuration
-├── README.md          ← This file
-│
-├── botapp/            ← Desktop application (Tauri)
-├── botserver/         ← Main server (API + business logic)
-├── botlib/            ← Shared library (types, utilities)
-├── botui/             ← Web UI (HTML/CSS/JS)
-├── botbook/           ← Documentation
-├── bottest/           ← Integration tests
-├── botdevice/         ← Device integration
-├── botmodels/         ← AI models
-├── botplugin/         ← Plugin system
-├── bottemplates/      ← Templates
-└── target/            ← Build artifacts
+/opt/gbo/data/
+└── mybot.gbai/
+    ├── mybot.gbdialog/
+    │   ├── start.bas
+    │   └── main.bas
+    └── mybot.gbot/
+        └── config.csv
+```
+
+**Features:**
+- **Auto-loading:** Bots automatically mounted on server startup
+- **Auto-compilation:** `.bas` files compiled to `.ast` on change
+- **Auto-creation:** New bots automatically added to database
+- **Hot-reload:** Changes trigger immediate recompilation
+- **Monitored by:** LocalFileMonitor and ConfigWatcher services
+
+**Usage:**
+1. Create bot directory structure in `/opt/gbo/data/`
+2. Add `.bas` files to `<bot_name>.gbai/<bot_name>.gbdialog/`
+3. Server automatically detects and loads the bot
+4. Optional: Add `config.csv` for bot configuration
+
+---
+
+## 🏗️ BotServer Component Architecture
+
+### 🔧 Infrastructure Components (Auto-Managed)
+
+BotServer automatically installs, configures, and manages all infrastructure components on first run. **DO NOT manually start these services** - BotServer handles everything.
+
+**Automatic Service Lifecycle:**
+1. **Start**: When botserver starts, it automatically launches all infrastructure components (PostgreSQL, Vault, MinIO, Valkey, Qdrant, etc.)
+2. **Credentials**: BotServer retrieves all service credentials (passwords, tokens, API keys) from Vault
+3. **Connection**: BotServer uses these credentials to establish secure connections to each service
+4. **Query**: All database queries, cache operations, and storage requests are authenticated using Vault-managed credentials
+
+**Credential Flow:**
+```
+botserver starts
+    ↓
+Launch PostgreSQL, MinIO, Valkey, Qdrant
+    ↓
+Connect to Vault
+    ↓
+Retrieve service credentials (from database)
+    ↓
+Authenticate with each service using retrieved credentials
+    ↓
+Ready to handle requests
+```
+
+| Component | Purpose | Port | Binary Location | Credentials From |
+|-----------|---------|------|-----------------|------------------|
+| **Vault** | Secrets management | 8200 | `botserver-stack/bin/vault/vault` | Auto-unsealed |
+| **PostgreSQL** | Primary database | 5432 | `botserver-stack/bin/tables/bin/postgres` | Vault → database |
+| **MinIO** | Object storage (S3-compatible) | 9000/9001 | `botserver-stack/bin/drive/minio` | Vault → database |
+| **Zitadel** | Identity/Authentication | 8300 | `botserver-stack/bin/directory/zitadel` | Vault → database |
+| **Qdrant** | Vector database (embeddings) | 6333 | `botserver-stack/bin/vector_db/qdrant` | Vault → database |
+| **Valkey** | Cache/Queue (Redis-compatible) | 6379 | `botserver-stack/bin/cache/valkey-server` | Vault → database |
+| **Llama.cpp** | Local LLM server | 8081 | `botserver-stack/bin/llm/build/bin/llama-server` | Vault → database |
+
+### 📦 Component Installation System
+
+Components are defined in `botserver/3rdparty.toml` and managed by the `PackageManager` (`botserver/src/core/package_manager/`):
+
+```toml
+[components.cache]
+name = "Valkey Cache (Redis-compatible)"
+url = "https://github.com/valkey-io/valkey/archive/refs/tags/8.0.2.tar.gz"
+filename = "valkey-8.0.2.tar.gz"
+
+[components.llm]
+name = "Llama.cpp Server"
+url = "https://github.com/ggml-org/llama.cpp/releases/download/b7345/llama-b7345-bin-ubuntu-x64.zip"
+filename = "llama-b7345-bin-ubuntu-x64.zip"
+```
+
+**Installation Flow:**
+1. **Download:** Components downloaded to `botserver-installers/` (cached)
+2. **Extract/Build:** Binaries placed in `botserver-stack/bin/<component>/`
+3. **Configure:** Config files generated in `botserver-stack/conf/<component>/`
+4. **Start:** Components started with proper TLS certificates
+5. **Monitor:** Components monitored and auto-restarted if needed
+
+**Bootstrap Process:**
+- First run: Full bootstrap (downloads, installs, configures all components)
+- Subsequent runs: Only starts existing components (uses cached binaries)
+- Config stored in: `botserver-stack/conf/system/bootstrap.json`
+
+### 🚀 PROPER STARTUP PROCEDURES
+
+**❌ FORBIDDEN:**
+- NEVER manually start infrastructure components (Vault, PostgreSQL, MinIO, etc.)
+- NEVER run `cargo run` or `cargo build` for botserver directly without ./restart.sh
+- NEVER modify botserver-stack/ files manually (use botserver API)
+
+**✅ REQUIRED:**
+
+**Option 1: Development (Recommended)**
+```bash
+./restart.sh
+```
+This script:
+1. Kills existing processes cleanly
+2. Builds botserver and botui sequentially (no race conditions)
+3. Starts botserver in background with logging to `botserver.log`
+4. Starts botui in background with logging to `botui.log`
+5. Shows process IDs and access URLs
+
+**Option 2: Production/Release**
+```bash
+# Build release binary first
+cargo build --release -p botserver
+
+# Start with release binary
+RUST_LOG=info ./target/release/botserver --noconsole 2>&1 | tee botserver.log &
+```
+
+**Option 3: Using Exec (Systemd/Supervisord)**
+```bash
+# In systemd service or similar
+ExecStart=/home/rodriguez/src/gb/target/release/botserver --noconsole
+```
+
+### 🔒 Component Communication
+
+All components communicate through internal networks with mTLS:
+- **Vault**: mTLS for secrets access
+- **PostgreSQL**: TLS encrypted connections
+- **MinIO**: TLS with client certificates
+- **Zitadel**: mTLS for user authentication
+
+Certificates auto-generated in: `botserver-stack/conf/system/certificates/`
+
+### 📊 Component Status
+
+Check component status anytime:
+```bash
+# Check if all components are running
+ps aux | grep -E "vault|postgres|minio|zitadel|qdrant|valkey" | grep -v grep
+
+# View component logs
+tail -f botserver-stack/logs/vault/vault.log
+tail -f botserver-stack/logs/tables/postgres.log
+tail -f botserver-stack/logs/drive/minio.log
+
+# Test component connectivity
+cd botserver-stack/bin/vault && ./vault status
+cd botserver-stack/bin/cache && ./valkey-cli ping
 ```

 ---

-## CRITICAL: PROMPT.md Files
+## 🏗️ Component Dependency Graph

-**Each project has a PROMPT.md that defines its development rules.**
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                         Client Layer                            │
+├─────────────────────────────────────────────────────────────────┤
+│  botui (Web UI)    │  botapp (Desktop)   │  botplugin (Ext)   │
+│  HTMX + Axum       │  Tauri 2 Wrapper    │  Browser Extension  │
+└─────────┬───────────────────┬──────────────────┬─────────────────┘
+          │                   │                  │
+          └───────────────────┼──────────────────┘
+                              │
+                    ┌─────────▼─────────┐
+                    │   botlib          │
+                    │  (Shared Types)   │
+                    └─────────┬─────────┘
+                              │
+          ┌───────────────────┼───────────────────┐
+          │                   │                   │
+    ┌─────▼─────┐      ┌─────▼─────┐      ┌─────▼─────┐
+    │ botserver │      │ bottest   │      │ botdevice  │
+    │ API Core  │      │ Tests     │      │ IoT/Device │
+    └───────────┘      └───────────┘      └───────────┘
+```

-The diagnostics tool reads and respects these PROMPT.md files.
+### Dependency Rules

-### Hierarchy
+| Crate | Depends On | Why |
+|-------|-----------|-----|
+| **botserver** | botlib | Shared types, error handling, models |
+| **botui** | botlib | Common data structures, API client |
+| **botapp** | botlib | Shared types, desktop-specific utilities |
+| **bottest** | botserver, botlib | Integration testing with real components |
+| **botdevice** | botlib | Device types, communication protocols |
+| **botplugin** | - | Standalone browser extension (JS) |

-1. **`PROMPT.md`** (this directory) - Workspace-wide rules
-2. **`botapp/PROMPT.md`** - Desktop app specifics
-3. **`botserver/PROMPT.md`** - Server specifics
-4. **`botlib/PROMPT.md`** - Library specifics
-5. **`botui/PROMPT.md`** - UI specifics
-6. **`botbook/PROMPT.md`** - Documentation specifics
-7. **`bottest/PROMPT.md`** - Test specifics
+**Key Principle:** `botlib` contains ONLY shared types and utilities. No business logic. All business logic lives in botserver or specialized crates.

-**ALWAYS read the relevant PROMPT.md before working on a project.**
+## 📦 Module Responsibility Matrix

---
+### botserver/src/ Module Structure

-## Main Directive
+| Module | Responsibility | Key Types | Dependencies |
+|--------|---------------|-----------|--------------|
+| **core/bot/** | WebSocket handling, bot orchestration | BotOrchestrator, UserMessage | basic, shared |
+| **core/session/** | Session management, conversation history | SessionManager, UserSession | shared, database |
+| **basic/** | Rhai BASIC scripting engine | ScriptService, Engine | rhai, keywords |
+| **basic/keywords/** | BASIC keyword implementations (TALK, HEAR, etc.) | Keyword functions | basic, state |
+| **llm/** | Multi-vendor LLM API integration | LLMClient, ModelConfig | reqwest, shared |
+| **drive/** | S3 file storage and monitoring | DriveMonitor, compile_tool | s3, basic |
+| **security/** | Security guards (command, SQL, error) | SafeCommand, ErrorSanitizer | state |
+| **shared/** | Database models, schema definitions | Bot, Session, Message | diesel |
+| **tasks/** | AutoTask execution system | TaskRunner, TaskScheduler | core/basic |
+| **auto_task/** | LLM-powered app generation | AppGenerator, template engine | llm, tasks |
+| **learn/** | Knowledge base management | KBManager, vector storage | database, drive |
+| **attendance/** | LLM-assisted customer service | AttendantManager, queue | core/bot |

-**LOOP AND COMPACT UNTIL 0 WARNINGS - MAXIMUM YOLO**
+### Data Flow Patterns

- 0 warnings
- 0 errors
- Trust project diagnostics
- Respect all rules
- No `#[allow()]` in source code
- Real code fixes only
+```
+1. User Request Flow:
+   Client → WebSocket → botserver/src/core/bot/mod.rs
+                          ↓
+                    BotOrchestrator::stream_response()
+                          ↓
+              ┌───────────┴───────────┐
+              │                       │
+         LLM API Call            Script Execution
+         (llm/mod.rs)            (basic/mod.rs)
+              │                       │
+              └───────────┬───────────┘
+                          ↓
+                    Response → WebSocket → Client
+
+2. File Sync Flow:
+   S3 Drive → drive_monitor/src/drive_monitor/mod.rs
+                          ↓
+                    Download .bas files
+                          ↓
+              compile_file() → Generate .ast
+                          ↓
+              Store in ./work/{bot_name}.gbai/
+
+3. Script Execution Flow:
+   .bas file → ScriptService::compile()
+                    ↓
+              preprocess_basic_script()
+                    ↓
+              engine.compile() → AST
+                    ↓
+              ScriptService::run() → Execute
+                    ↓
+              TALK commands → WebSocket messages
+```
+
+### Common Architectural Patterns
+
+| Pattern | Where Used | Purpose |
+|---------|-----------|---------|
+| **State via Arc<AppState>** | All handlers | Shared async state (DB, cache, config) |
+| **Extension(state) extractor** | Axum handlers | Inject Arc<AppState> into route handlers |
+| **tokio::spawn_blocking** | CPU-intensive tasks | Offload blocking work from async runtime |
+| **WebSocket with split()** | Real-time comms | Separate sender/receiver for WS streams |
+| **ErrorSanitizer for responses** | All HTTP errors | Prevent leaking sensitive info in errors |
+| **SafeCommand for execution** | Command running | Whitelist-based command validation |
+| **Rhai for scripting** | BASIC interpreter | Embeddable scripting language |
+| **Diesel ORM** | Database access | Type-safe SQL queries |
+| **Redis for cache** | Session data | Fast key-value storage |
+| **S3 for storage** | File system | Scalable object storage |

 ---

 ## Quick Start

+### 🚀 Simple Startup (ALWAYS USE restart.sh)
+
 ```bash
+./restart.sh
+```
+
+**⚠️ CRITICAL: ALWAYS use restart.sh - NEVER start servers individually!**
+
+The script handles BOTH servers properly:
+1. Stop existing processes cleanly
+2. Build botserver and botui sequentially (no race conditions)
+3. Start botserver in background → **automatically starts all infrastructure services (PostgreSQL, Vault, MinIO, Valkey, Qdrant)**
+4. BotServer retrieves credentials from Vault and authenticates with all services
+5. Start botui in background → proxy to botserver
+6. Show process IDs and monitoring commands
+
+**Infrastructure services are fully automated - no manual configuration required!**
+
+**Monitor startup:**
+```bash
+tail -f botserver.log botui.log
+```
+
+**Access:**
+- Web UI: http://localhost:3000
+- API: http://localhost:9000
+
+### 📊 Monitor & Debug
+
+```bash
+tail -f botserver.log botui.log
+```
+
+**Quick status check:**
+```bash
+ps aux | grep -E "botserver|botui" | grep -v grep
+```
+
+**Quick error scan:**
+```bash
+grep -E " E |W |CLIENT:" botserver.log | tail -20
+```
+
+### 🔧 Manual Startup (If needed)
+
+**⚠️ WARNING: Only use if restart.sh fails. Always prefer restart.sh!**
+
+```bash
+cd botserver && cargo run -- --noconsole > ../botserver.log 2>&1 &
+cd botui && BOTSERVER_URL="http://localhost:9000" cargo run > ../botui.log 2>&1 &
+```
+
+### 🛑 Stop Servers
+
+```bash
+pkill -f botserver; pkill -f botui
+```
+
+### ⚠️ Common Issues
+
+**Vault init error?** Delete stale state:
+```bash
+rm -rf botserver-stack/data/vault botserver-stack/conf/vault/init.json && ./restart.sh
+```
+
+**Port in use?** Find and kill:
+```bash
+lsof -ti:9000 | xargs kill -9
+lsof -ti:3000 | xargs kill -9
+```
+
+**⚠️ IMPORTANT: Stack Services Management**
+All infrastructure services (PostgreSQL, Vault, Redis, Qdrant, MinIO, etc.) are **automatically started by botserver** and managed through `botserver-stack/` directory, NOT global system installations. The system uses:
+
+- **Local binaries:** `botserver-stack/bin/` (PostgreSQL, Vault, Redis, etc.)
+- **Configurations:** `botserver-stack/conf/`
+- **Data storage:** `botserver-stack/data/`
+- **Service logs:** `botserver-stack/logs/` (check here for troubleshooting)
+- **Credentials:** Stored in Vault, retrieved by botserver at startup
+
+**Do NOT install or reference global PostgreSQL, Redis, or other services.** When botserver starts, it automatically:
+1. Launches all required stack services
+2. Connects to Vault
+3. Retrieves credentials from the `bot_configuration` database table
+4. Authenticates with each service using retrieved credentials
+5. Begins handling requests with authenticated connections
+
+If you encounter service errors, check the individual service logs in `./botserver-stack/logs/[service]/` directories.
+
+### UI File Deployment - Production Options
+
+**Option 1: Embedded UI (Recommended for Production)**
+
+The `embed-ui` feature compiles UI files directly into the botui binary, eliminating the need for separate file deployment:
+
+```bash
+# Build with embedded UI files
+cargo build --release -p botui --features embed-ui
+
+# The binary now contains all UI files - no additional deployment needed!
+# The botui binary is self-contained and production-ready
+```
+
+**Benefits of embed-ui:**
+- ✅ Single binary deployment (no separate UI files)
+- ✅ Faster startup (no filesystem access)
+- ✅ Smaller attack surface
+- ✅ Simpler deployment process
+
+**Option 2: Filesystem Deployment (Development Only)**
+
+For development, UI files are served from the filesystem:
+
+```bash
+# UI files must exist at botui/ui/suite/
+# This is automatically available in development builds
+```
+
+**Option 3: Manual File Deployment (Legacy)**
+
+If you need to deploy UI files separately (not recommended):
+
+```bash
+# Deploy UI files to production location
+./botserver/deploy/deploy-ui.sh /opt/gbo
+
+# Verify deployment
+ls -la /opt/gbo/bin/ui/suite/index.html
+```
+
+See `botserver/deploy/README.md` for deployment scripts.
+
+### Start Both Servers (Automated)
+```bash
+# Use restart script (RECOMMENDED)
+./restart.sh
+```
+
+### Start Both Servers (Manual)
+```bash
+# Terminal 1: botserver
+cd botserver && cargo run -- --noconsole
+
+# Terminal 2: botui  
+cd botui && BOTSERVER_URL="http://localhost:9000" cargo run
+```
+
+### Build Commands
+```bash
+# Check single crate
+cargo check -p botserver
+
+# Build workspace
 cargo build
-cargo test
+
+# Run tests
+cargo test -p bottest
 ```

 ---

-## Development Workflow
+## 🤖 AI Agent Guidelines

-1. Read `PROMPT.md` (workspace-level rules)
-2. Read `<project>/PROMPT.md` (project-specific rules)
-3. Use diagnostics tool to check warnings
-4. Fix all warnings with full file rewrites
-5. Verify with diagnostics after each file
-6. Never suppress warnings with `#[allow()]`
+> **For LLM instructions, coding rules, security directives, testing workflows, and error handling patterns, see [AGENTS.md](./AGENTS.md).**
+
+---
+
+## 📖 Glossary
+
+| Term | Definition | Usage |
+|------|-----------|-------|
+| **Bot** | AI agent with configuration, scripts, and knowledge bases | Primary entity in system |
+| **Session** | Single conversation instance between user and bot | Stored in `sessions` table |
+| **Dialog** | Collection of BASIC scripts (.bas files) for bot logic | Stored in `{bot_name}.gbdialog/` |
+| **Tool** | Reusable function callable by LLM | Defined in .bas files, compiled to .ast |
+| **Knowledge Base (KB)** | Vector database of documents for semantic search | Managed in `learn/` module |
+| **Scheduler** | Time-triggered task execution | Cron-like scheduling in BASIC scripts |
+| **Drive** | S3-compatible storage for files | Abstracted in `drive/` module |
+| **Rhai** | Embedded scripting language for BASIC dialect | Rhai engine in `basic/` module |
+| **WebSocket Adapter** | Component that sends messages to connected clients | `web_adapter` in state |
+| **AutoTask** | LLM-generated task automation system | In `auto_task/` and `tasks/` modules |
+| **Orchestrator** | Coordinates LLM, tools, KBs, and user input | `BotOrchestrator` in `core/bot/` |
+
+---
+
+
+
+## 🖥️ UI Architecture (botui + botserver)
+
+### Two Servers During Development
+
+| Server | Port | Purpose |
+|--------|------|---------|
+| **botui** | 3000 | Serves UI files + proxies API to botserver |
+| **botserver** | 9000 | Backend API + embedded UI fallback |
+
+### How It Works
+
+```
+Browser → localhost:3000 → botui (serves HTML/CSS/JS)
+                        → /api/* proxied to botserver:9000
+                        → /suite/* served from botui/ui/suite/
+```
+
+### Adding New Suite Apps
+
+1. Create folder: `botui/ui/suite/<appname>/`
+2. Add to `SUITE_DIRS` in `botui/src/ui_server/mod.rs`
+3. Rebuild botui: `cargo build -p botui`
+4. Add menu entry in `botui/ui/suite/index.html`
+
+### Hot Reload
+
+- **UI files (HTML/CSS/JS)**: Edit & refresh browser (no restart)
+- **botui Rust code**: Rebuild + restart botui
+- **botserver Rust code**: Rebuild + restart botserver
+
+### Production (Single Binary)
+
+When `botui/ui/suite/` folder not found, botserver uses **embedded UI** compiled into binary via `rust-embed`.
+
+---
+
+## 🎨 Frontend Standards
+
+### HTMX-First Approach
+- Use HTMX to minimize JavaScript
+- Server returns HTML fragments, not JSON
+- Use `hx-get`, `hx-post`, `hx-target`, `hx-swap`
+- WebSocket via htmx-ws extension
+
+### Local Assets Only - NO CDN
+```html
+<!-- ✅ CORRECT -->
+<script src="js/vendor/htmx.min.js"></script>
+
+<!-- ❌ WRONG -->
+<script src="https://unpkg.com/htmx.org@1.9.10"></script>
+```
+
+### Vendor Libraries Location
+```
+ui/suite/js/vendor/
+├── htmx.min.js
+├── htmx-ws.js
+├── marked.min.js
+└── gsap.min.js
+```
+
+---
+
+## 📋 Project-Specific Guidelines
+
+Each crate has its own README.md with specific guidelines:
+
+| Crate | README.md Location | Focus |
+|-------|-------------------|-------|
+| botserver | `botserver/README.md` | API, security, Rhai BASIC |
+| botui | `botui/README.md` | UI, HTMX, CSS design system |
+| botapp | `botapp/README.md` | Tauri, desktop features |
+| botlib | `botlib/README.md` | Shared types, errors |
+| botbook | `botbook/README.md` | Documentation, mdBook |
+| bottest | `bottest/README.md` | Test infrastructure |
+
+### Special Prompts
+| File | Purpose |
+|------|---------|
+| `botserver/src/tasks/README.md` | AutoTask LLM executor |
+| `botserver/src/auto_task/APP_GENERATOR_PROMPT.md` | App generation |
+
+---
+
+## 📚 Documentation
+
+For complete documentation, guides, and API references:
+
+- **[docs.pragmatismo.com.br](https://docs.pragmatismo.com.br)** - Full online documentation
+- **[BotBook](./botbook)** - Local comprehensive guide with tutorials and examples
+- **[General Bots Repository](https://github.com/GeneralBots/BotServer)** - Main project repository
+
+---
+
+## 🔧 Immediate Technical Debt
+
+### Critical Issues to Address
+
+1. **Error Handling Debt**: 955 instances of `unwrap()`/`expect()` in production code
+2. **Performance Debt**: 12,973 excessive `clone()`/`to_string()` calls
+3. **File Size Debt**: 7 files exceed 450 lines (largest: 3220 lines)
+4. **Test Coverage**: Missing integration tests for critical paths
+5. **Documentation**: Missing inline documentation for complex algorithms
+
+### Weekly Maintenance Tasks
+
+```bash
+# Check for duplicate dependencies
+cargo tree --duplicates
+
+# Remove unused dependencies  
+cargo machete
+
+# Check binary size
+cargo build --release && ls -lh target/release/botserver
+
+# Performance profiling
+cargo bench
+
+# Security audit
+cargo audit
+```

 ---

@ -87,42 +646,56 @@ cargo test

 **Note:** Each subproject has its own git repository. This root repository only tracks workspace-level files:

- `PROMPT.md` - Development guide
 - `Cargo.toml` - Workspace configuration
 - `README.md` - This file
 - `.gitignore` - Ignore patterns
+- `ADDITIONAL-SUGGESTIONS.md` - Enhancement ideas
+- `TODO-*.md` - Task tracking files

-Subprojects (botapp, botserver, etc.) are **not** git submodules - they are independent repositories.
+Subprojects (botapp, botserver, botui, etc.) are **independent repositories referenced as git submodules**.
+
+### ⚠️ CRITICAL: Submodule Push Workflow
+
+When making changes to any submodule (botserver, botui, botlib, etc.):
+
+1. **Commit and push changes within the submodule directory:**
+   ```bash
+   cd botserver
+   git add .
+   git commit -m "Your changes"
+   git push pragmatismo main
+   git push github main
+   ```
+
+2. **Update the global gb repository submodule reference:**
+   ```bash
+   cd ..  # Back to gb root
+   git add botserver
+   git commit -m "Update botserver submodule to latest commit"
+   git push pragmatismo main
+   git push github main
+   ```
+
+**Failure to push the global gb repository will cause submodule changes to not trigger CI/CD pipelines.**
+
+Both repositories must be pushed for changes to take effect in production.

 ---

-## Rules Summary
+## Development Workflow

-```
-✅ FULL FILE REWRITES ONLY
-✅ BATCH ALL FIXES BEFORE WRITING
-✅ VERIFY WITH DIAGNOSTICS AFTER EACH FILE
-✅ TRUST PROJECT DIAGNOSTICS
-✅ RESPECT ALL RULES
-
-❌ NEVER use #[allow()] in source code
-❌ NEVER use partial edits
-❌ NEVER run cargo check/clippy manually
-❌ NEVER leave unused code
-❌ NEVER use .unwrap()/.expect()
-❌ NEVER use panic!/todo!/unimplemented!()
-❌ NEVER add comments
-```
+1. Read this README.md (workspace structure)
+2. Read **[AGENTS.md](./AGENTS.md)** (coding rules & workflows)
+3. **BEFORE creating any .md file, search botbook/ for existing documentation**
+4. Read `<project>/README.md` (project-specific rules)
+5. Use diagnostics tool to check warnings
+6. Fix all warnings with full file rewrites
+7. Verify with diagnostics after each file
+8. Never suppress warnings with `#[allow()]`

 ---

-## Links

- Main Server: http://localhost:8081
- Desktop App: Uses Tauri to wrap botui
- Documentation: See botbook/
-
---

 ## License

--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 1a1e17fa1012e4db10a0f716c9b63a03b4863c9f
+Subproject commit 66ea6cffbc98b4c10449104806a80d368e3460d4
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 827e011ac05084396aaf2c3098409bf5e02b5cf9
+Subproject commit c312a30461841e7116be7c5fbb20d304ef9f6700
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 97778e06dd804be55ff761c7fe2788af0ef50626
+Subproject commit f8e52bacd2c197ce14e5814f284d34432c71aef2
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit bfaa68dc35e96ced2915d43ffe6fca8267a9a598
+Subproject commit 4ce639331bdbe1feafb22a0a5667d36dd9ef2ca3
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 462a6dfa51b12f22e87712e613a559f66f9013cb
+Subproject commit e37554087e8ead3ced2a95847a1fa8e2a1bb4448
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 17a3caebabddbe843c2b7fd93f624b0ccd9c44fb
+Subproject commit 1727e48307fdb7b54c726af8cd6b12669764e908
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 84458b2a6905af7db72b15f5e833bb7942ccdaa9
+Subproject commit ad4aca21ffec3de5db510317aa1e366a15c50499
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit dd3d8c74dd58a1cc6d6b18d22108819519aaf9c3
+Subproject commit 5db33107da0572ce844a5af3cd83093f10dbce0d
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 706391b272e0fb7c5b2646cc4cc72180195e07f4
+Subproject commit d03e13d2eb77ed0343509e0b55f50d17d511c612
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 661edc09fa1063673e84b63d2dcb5cfbe0f91232
+Subproject commit b01a02d396b941151000126a708b5e886b3b36da
--- a/out.txt
+++ b/out.txt
@ -0,0 +1,8 @@
+data: {"candidates": [{"content": {"role": "model","parts": [{"text": "Hello!"}]}}],"usageMetadata": {"trafficType": "ON_DEMAND"},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}
+
+data: {"candidates": [{"content": {"role": "model","parts": [{"text": " How can I help you today"}]}}],"usageMetadata": {"trafficType": "ON_DEMAND"},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}
+
+data: {"candidates": [{"content": {"role": "model","parts": [{"text": "?"}]}}],"usageMetadata": {"trafficType": "ON_DEMAND"},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}
+
+data: {"candidates": [{"content": {"role": "model","parts": [{"text": "","thoughtSignature": "AY89a18iOcFus5wr5bW5xN6zZ4aUiCyhgmg6HE2YjtYDV/dwZ5oZlZHeTmiUKv34qq0="}]},"finishReason": "STOP"}],"usageMetadata": {"promptTokenCount": 1,"candidatesTokenCount": 9,"totalTokenCount": 10,"trafficType": "ON_DEMAND","promptTokensDetails": [{"modality": "TEXT","tokenCount": 1}],"candidatesTokensDetails": [{"modality": "TEXT","tokenCount": 9}]},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}
+
--- a/package-lock.json
+++ b/package-lock.json
@ -0,0 +1,18 @@
+{
+  "name": "gb",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "monaco-editor": "^0.45.0"
+      }
+    },
+    "node_modules/monaco-editor": {
+      "version": "0.45.0",
+      "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.45.0.tgz",
+      "integrity": "sha512-mjv1G1ZzfEE3k9HZN0dQ2olMdwIfaeAAjFiwNprLfYNRSz7ctv9XuCT7gPtBGrMUeV1/iZzYKj17Khu1hxoHOA==",
+      "license": "MIT"
+    }
+  }
+}
--- a/package.json
+++ b/package.json
@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "monaco-editor": "^0.45.0"
+  }
+}
--- a/prompts/BOTCODER_ANALYSIS.md
+++ b/prompts/BOTCODER_ANALYSIS.md
@ -0,0 +1,737 @@
+# BotCoder Multi-Agent OS - Architecture Analysis
+
+## Executive Summary
+
+Based on analysis of **botserver** (Rust backend), **botui** (Web UI), and **botapp** (Tauri Desktop), we can architect **BotCoder** as a unified multi-agent operating system that leverages the existing Mantis Farm infrastructure while adding code-specific capabilities similar to Claude Code.
+
+---
+
+## Current Architecture Analysis
+
+### 1. BotServer (Rust Backend) - `botserver/src/auto_task/`
+
+#### Multi-Agent Pipeline (The "Mantis Farm")
+
+**File:** `orchestrator.rs` (1147 lines)
+
+The orchestrator implements a **5-stage multi-agent pipeline**:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    ORCHESTRATOR PIPELINE                     │
+├─────────────────────────────────────────────────────────────┤
+│                                                               │
+│  Stage 1: PLAN  ────────►  Mantis #1 (Planner)              │
+│    - Analyze user request                                    │
+│    - Break down into sub-tasks                               │
+│    - Identify tables, pages, tools, schedulers               │
+│    - Derive enterprise-grade work breakdown                  │
+│                                                               │
+│  Stage 2: BUILD  ───────►  Mantis #2 (Builder)              │
+│    - Generate application code                               │
+│    - Create HTML/CSS/JS files                                │
+│    - Define database schema                                  │
+│    - Build tools & schedulers                                │
+│                                                               │
+│  Stage 3: REVIEW  ───────►  Mantis #3 (Reviewer)             │
+│    - Validate code quality                                   │
+│    - Check HTMX patterns                                     │
+│    - Verify security                                         │
+│    - Ensure no hardcoded data                                │
+│                                                               │
+│  Stage 4: DEPLOY  ───────►  Mantis #4 (Deployer)             │
+│    - Deploy application                                      │
+│    - Verify accessibility                                    │
+│    - Confirm static assets loading                           │
+│                                                               │
+│  Stage 5: MONITOR  ───────►  Mantis #1 (Planner)             │
+│    - Setup health monitoring                                 │
+│    - Track error rates                                       │
+│    - Monitor response times                                  │
+│                                                               │
+└─────────────────────────────────────────────────────────────┘
+```
+
+#### Agent Status System
+
+**Agent States:**
+- **WILD** - Uninitialized agent
+- **BRED** - Agent created and ready
+- **EVOLVED** - Agent has completed work successfully
+- **WORKING** - Agent actively processing
+- **DONE** - Agent finished
+- **FAILED** - Agent encountered error
+
+**Agent Roles:**
+```rust
+pub enum AgentRole {
+    Planner,    // Mantis #1 - Architect & Analyst
+    Builder,    // Mantis #2 - Code Generator
+    Reviewer,   // Mantis #3 - QA & Validation
+    Deployer,   // Mantis #4 - Deployment
+    Monitor,    // Mantis #1 (reused) - Health checks
+}
+```
+
+#### Agent Executor (Container-Based)
+
+**File:** `agent_executor.rs` (115 lines)
+
+Provides **containerized execution environment** for agents:
+
+```rust
+pub struct AgentExecutor {
+    pub state: Arc<AppState>,
+    pub session_id: String,
+    pub task_id: String,
+    container: Option<ContainerSession>,
+}
+```
+
+**Capabilities:**
+- ✅ Spawn containerized terminal sessions
+- ✅ Execute shell commands
+- ✅ Broadcast terminal output via WebSocket
+- ✅ Browser automation integration (chromiumoxide)
+- ✅ Real-time progress updates
+
+**WebSocket Events:**
+- `terminal_output` - stdout/stderr from agent
+- `thought_process` - agent reasoning/thinking
+- `step_progress` - pipeline stage progress (1/5, 2/5...)
+- `browser_ready` - browser automation available
+- `agent_thought` - agent-specific thoughts
+- `agent_activity` - structured activity logs
+- `task_node` - task breakdown visualization
+
+#### Intent Classification
+
+**File:** `intent_classifier.rs`
+
+Classifies user requests into types:
+- **APP_CREATE** - Generate new application
+- **APP_MODIFY** - Modify existing app
+- **CODE_REVIEW** - Review code
+- **DEBUG** - Debug issues
+- **DEPLOY** - Deploy application
+- **ANALYZE** - Analyze codebase
+
+**Entity Extraction:**
+- Tables (database schema)
+- Features (UI components)
+- Pages (routes/views)
+- Tools (business logic)
+- Schedulers (background jobs)
+
+#### App Generator
+
+**File:** `app_generator.rs` (3400+ lines)
+
+**LLM-powered code generation:**
+- Generates HTMX applications
+- Creates database schemas
+- Builds REST API endpoints
+- Generates BASIC tools
+- Creates scheduled jobs
+- Produces E2E tests
+
+**Output:**
+```rust
+pub struct GeneratedApp {
+    pub name: String,
+    pub description: String,
+    pub tables: Vec<TableDefinition>,
+    pub pages: Vec<GeneratedPage>,
+    pub tools: Vec<GeneratedTool>,
+    pub schedulers: Vec<SchedulerDefinition>,
+}
+```
+
+#### Designer AI
+
+**File:** `designer_ai.rs`
+
+Runtime code modifications with:
+- Undo/redo support
+- Real-time UI editing
+- Visual layout changes
+- Style modifications
+
+#### Safety Layer
+
+**File:** `safety_layer.rs`
+
+- Constraint checking
+- Simulation before execution
+- Audit trail
+- Approval workflows
+
+---
+
+### 2. BotUI (Web Interface) - `botui/ui/suite/`
+
+#### Vibe Builder UI
+
+**File:** `partials/vibe.html` (47KB)
+
+**Components:**
+1. **Pipeline Tabs** - Plan/Build/Review/Deploy/Monitor stages
+2. **Agents Sidebar** - Mantis #1-4 status cards
+3. **Workspaces List** - Project management
+4. **Canvas Area** - Task node visualization
+5. **Chat Overlay** - Real-time communication with agents
+
+**Agent Cards Display:**
+```html
+<div class="as-agent-card" data-agent-id="1">
+    <div class="as-agent-header">
+        <span class="as-status-dot green"></span>
+        <span class="as-agent-name">Mantis #1</span>
+    </div>
+    <div class="as-agent-body">
+        <span class="as-agent-icons">👀 ⚙️ ⚡</span>
+        <span class="as-badge badge-evolved">EVOLVED</span>
+    </div>
+</div>
+```
+
+**WebSocket Integration:**
+```javascript
+// Connect to task progress stream
+const ws = new WebSocket(`ws://localhost:8080/ws/task-progress/${taskId}`);
+
+ws.onmessage = (event) => {
+    const data = JSON.parse(event.data);
+    handleTaskProgress(data);
+};
+
+// Event types handled:
+// - pipeline_start
+// - pipeline_complete
+// - step_progress (1/5, 2/5, ...)
+// - agent_thought
+// - agent_activity
+// - task_node
+// - terminal_output
+// - manifest_update
+```
+
+**Real-time Updates:**
+- Agent status changes (WILD → BRED → WORKING → EVOLVED)
+- Task node visualization (plan breakdown)
+- Terminal output streaming
+- Progress indicators
+- File generation notifications
+
+#### Other UI Components
+
+- `chat.html` - Chat interface for agent interaction
+- `editor-inner.html` - Code editor (currently textarea, needs Monaco)
+- `explorer-inner.html` - File browser
+- `settings.html` - Configuration
+- `tasks.html` - Task management
+- `desktop-inner.html` - Desktop integration
+
+---
+
+### 3. BotApp (Desktop) - `botapp/src/`
+
+**Tauri-based desktop application** with:
+- System tray integration
+- Service monitoring
+- File system access
+- Desktop sync (rclone)
+- Native notifications
+
+**Main Features:**
+```rust
+// Desktop service monitoring
+pub struct ServiceMonitor {
+    services: HashMap<String, ServiceStatus>,
+}
+
+// Tray management
+pub struct TrayManager {
+    mode: RunningMode,  // Server | Desktop | Client
+}
+
+// Drive integration
+mod drive {
+    list_files()
+    upload_file()
+    create_folder()
+}
+
+// Sync integration
+mod sync {
+    get_sync_status()
+    start_sync()
+    configure_remote()
+}
+```
+
+---
+
+## BotCoder Multi-Agent OS Architecture
+
+### Vision
+
+**BotCoder** = **Vibe Builder** + **Code-Specific Agents** + **Professional Tools**
+
+Create a complete development environment that:
+1. Uses the existing Mantis Farm infrastructure
+2. Adds specialized coding agents (similar to Claude Code)
+3. Provides professional editor experience (Monaco, terminal, git, etc.)
+4. Supports both internal (GB Platform) and external (Forgejo) deployment
+
+---
+
+## Proposed BotCoder Agent Ecosystem
+
+### Core Mantis Farm (Keep Existing)
+
+```
+Mantis #1: Planner & Orchestrator  ───►  Already exists in botserver
+Mantis #2: Code Generator          ───►  Already exists (AppGenerator)
+Mantis #3: Reviewer & Validator     ───►  Already exists
+Mantis #4: Deployer                 ───►  Already exists
+```
+
+### New Specialized Agents (Add to BotCoder)
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                   BOTCODER AGENTS                               │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                 │
+│  Mantis #5: Editor Agent           ───►  File operations        │
+│    - Multi-file editing                                         │
+│    - Syntax awareness                                           │
+│    - Refactoring support                                        │
+│    - Code completion                                            │
+│                                                                 │
+│  Mantis #6: Database Agent         ───►  Schema operations      │
+│    - Query optimization                                         │
+│    - Migration management                                       │
+│    - Data visualization                                        │
+│    - Index suggestions                                          │
+│                                                                 │
+│  Mantis #7: Git Agent               ───►  Version control       │
+│    - Commit analysis                                           │
+│    - Branch management                                         │
+│    - Conflict resolution                                       │
+│    - Code archaeology                                           │
+│                                                                 │
+│  Mantis #8: Test Agent              ───►  Quality assurance     │
+│    - Test generation                                           │
+│    - Coverage analysis                                         │
+│    - E2E testing (chromiumoxide)                                │
+│    - Performance profiling                                     │
+│                                                                 │
+│  Mantis #9: Browser Agent            ───►  Web automation        │
+│    - Page recording                                            │
+│    - Element inspection                                        │
+│    - Performance monitoring                                     │
+│    - SEO checking                                               │
+│                                                                 │
+│  Mantis #10: Terminal Agent         ───►  Command execution     │
+│    - Shell command execution                                    │
+│    - Build system integration                                   │
+│    - Package management                                         │
+│    - Docker orchestration                                       │
+│                                                                 │
+│  Mantis #11: Documentation Agent    ───►  Docs & comments       │
+│    - Auto-generate docs                                        │
+│    - Comment quality check                                      │
+│    - README generation                                          │
+│    - API documentation                                         │
+│                                                                 │
+│  Mantis #12: Security Agent          ───►  Security auditing     │
+│    - Vulnerability scanning                                     │
+│    - Dependency analysis                                        │
+│    - Secret detection                                           │
+│    - OWASP compliance                                           │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## BotCoder Architecture
+
+### Backend (Rust)
+
+```
+botserver/src/
+├── auto_task/              # EXISTING - Mantis Farm
+│   ├── orchestrator.rs      # Keep - Multi-agent pipeline
+│   ├── agent_executor.rs   # Keep - Container execution
+│   ├── app_generator.rs    # Keep - LLM code gen
+│   ├── designer_ai.rs      # Keep - Runtime edits
+│   ├── intent_classifier.rs # Keep - Request classification
+│   └── safety_layer.rs     # Keep - Constraint checking
+│
+├── botcoder/               # NEW - BotCoder-specific agents
+│   ├── mod.rs
+│   ├── editor_agent.rs     # Mantis #5 - File operations
+│   ├── database_agent.rs   # Mantis #6 - Schema ops
+│   ├── git_agent.rs        # Mantis #7 - Version control
+│   ├── test_agent.rs       # Mantis #8 - Testing
+│   ├── browser_agent.rs    # Mantis #9 - Web automation
+│   ├── terminal_agent.rs   # Mantis #10 - Command exec
+│   ├── docs_agent.rs       # Mantis #11 - Documentation
+│   └── security_agent.rs   # Mantis #12 - Security
+│
+├── deployment/             # NEW - From vibe.md Phase 0
+│   ├── mod.rs              # DeploymentRouter
+│   ├── forgejo.rs          # ForgejoClient
+│   ├── api.rs              # Deployment endpoints
+│   └── templates.rs        # CI/CD workflows
+│
+├── api/                    # EXTEND - Add BotCoder APIs
+│   ├── editor.rs           # Monaco integration
+│   ├── database.rs         # DB UI backend
+│   ├── git.rs              # Git operations
+│   ├── browser.rs          # Browser automation
+│   └── terminal.rs         # WebSocket terminals
+│
+└── browser/                # NEW - From vibe.md Phase 4
+    ├── mod.rs              # BrowserSession
+    ├── recorder.rs         # ActionRecorder
+    ├── validator.rs        # TestValidator
+    └── api.rs              # HTTP endpoints
+```
+
+### Frontend (Web + Desktop)
+
+```
+botui/ui/suite/
+├── partials/
+│   ├── vibe.html                    # EXISTING - Agent sidebar
+│   ├── vibe-deployment.html         # NEW - Deployment modal
+│   ├── editor.html                  # NEW - Monaco editor
+│   ├── database.html                # NEW - Schema visualizer
+│   ├── git-status.html              # NEW - Git operations
+│   ├── git-diff.html                # NEW - Diff viewer
+│   ├── browser-controls.html        # NEW - Browser automation
+│   └── terminal.html                # NEW - Enhanced terminal
+│
+├── js/
+│   ├── vibe.js                      # EXISTING - Vibe logic
+│   ├── deployment.js                # NEW - Deployment handler
+│   ├── editor.js                    # NEW - Monaco integration
+│   ├── database.js                  # NEW - DB visualization
+│   ├── git.js                       # NEW - Git operations
+│   ├── browser.js                   # NEW - Browser automation
+│   └── terminal.js                  # NEW - Terminal (xterm.js)
+│
+└── css/
+    ├── agents-sidebar.css            # EXISTING - Mantis cards
+    ├── deployment.css               # NEW - Deployment styles
+    ├── editor.css                    # NEW - Editor styles
+    ├── database.css                  # NEW - DB UI styles
+    └── terminal.css                  # NEW - Terminal styles
+```
+
+---
+
+## Integration Strategy
+
+### Option 1: BotCoder as Separate Repository (Recommended)
+
+```
+gb/
+├── botserver/     # Existing - Backend services
+├── botui/         # Existing - Web UI
+├── botapp/        # Existing - Desktop app
+└── botcoder/      # NEW - Multi-agent IDE
+    ├── Cargo.toml
+    ├── src/
+    │   ├── main.rs
+    │   ├── agents/         # BotCoder agents
+    │   ├── editor/         # Editor integration
+    │   └── workspace/      # Workspace management
+    └── ui/
+        ├── src/
+        │   ├── components/  # React/Vue components
+        │   ├── pages/       # IDE pages
+        │   └── lib/
+        └── index.html
+```
+
+**Pros:**
+- Clean separation of concerns
+- Independent release cycle
+- Can be deployed standalone
+- Easier to maintain
+
+**Cons:**
+- Duplicate some botserver code
+- Need to share common libs
+
+### Option 2: BotCoder as Module in BotServer
+
+```
+botserver/src/
+├── auto_task/      # Existing Mantis Farm
+└── botcoder/       # New BotCoder module
+    ├── mod.rs
+    ├── agents/
+    ├── editor/
+    └── workspace/
+```
+
+**Pros:**
+- Share existing infrastructure
+- Single deployment
+- Unified WebSocket channels
+
+**Cons:**
+- Tighter coupling
+- Larger monolith
+
+### Recommendation: **Option 1 (Separate Repo)**
+
+But share common libraries via a `botlib` crate:
+
+```
+gb/
+├── botlib/         # Shared utilities
+│   ├── src/
+│   │   ├── agents/     # Agent traits
+│   │   ├── llm/        # LLM clients
+│   │   └── websocket/  # WebSocket utils
+│   └── Cargo.toml
+│
+├── botserver/      # Uses botlib
+├── botui/          # Uses botlib
+├── botapp/         # Uses botlib
+└── botcoder/       # Uses botlib ← NEW
+```
+
+---
+
+## BotCoder Features vs Vibe Builder
+
+### Vibe Builder (Existing)
+- ✅ Multi-agent pipeline (Mantis #1-4)
+- ✅ App generation (HTMX apps)
+- ✅ WebSocket real-time updates
+- ✅ Agent status visualization
+- ✅ Task breakdown
+- ✅ Deployment (internal GB platform)
+
+### BotCoder (Add)
+- 📝 **Monaco Editor** - Professional code editing
+- 🗄️ **Database UI** - Schema visualization
+- 🐙 **Git Operations** - Version control UI
+- 🌐 **Browser Automation** - Testing & recording
+- 📂 **Multi-File Workspace** - Tab management
+- 🖥️ **Enhanced Terminal** - xterm.js integration
+- 🚀 **Dual Deployment** - Internal + Forgejo
+- 🔒 **Security Scanning** - Vulnerability detection
+- 📚 **Auto-Documentation** - Generate docs
+- 🧪 **E2E Testing** - chromiumoxide integration
+
+---
+
+## BotCoder Multi-Agent Workflow Example
+
+### User Request: "Create a CRM with contacts and deals"
+
+```
+1. CLASSIFY
+   └─ Intent: APP_CREATE
+   └─ Entities: { tables: [contacts, deals], features: [Contact Manager, Deal Pipeline] }
+
+2. PLAN (Mantis #1 - Planner)
+   ├─ Break down into 12 sub-tasks
+   ├─ Create task nodes
+   └─ Estimate: 45 files, 98k tokens, 2.5 hours
+
+3. BUILD (Mantis #2 - Builder)
+   ├─ Generate HTML/CSS/JS files
+   ├─ Create database schema
+   ├─ Build REST API endpoints
+   └─ Output: /apps/my-crm/
+
+4. CODE REVIEW (Mantis #3 - Reviewer)
+   ├─ Check HTMX patterns
+   ├─ Verify security
+   ├─ Validate error handling
+   └─ Status: PASSED
+
+5. OPTIMIZE (Mantis #5 - Editor Agent) ← NEW
+   ├─ Analyze code structure
+   ├─ Suggest refactorings
+   ├─ Apply safe optimizations
+   └─ Generate PR
+
+6. TEST (Mantis #8 - Test Agent) ← NEW
+   ├─ Generate unit tests
+   ├─ Create E2E tests (chromiumoxide)
+   ├─ Measure coverage
+   └─ Status: 87% coverage
+
+7. SECURITY CHECK (Mantis #12 - Security Agent) ← NEW
+   ├─ Scan vulnerabilities
+   ├─ Check dependencies
+   ├─ Detect secrets
+   └─ Status: 0 issues found
+
+8. DEPLOY (Mantis #4 - Deployer)
+   ├─ Choose deployment target
+   │  ├─ Internal GB Platform ← Selected
+   │  └─ External Forgejo (optional)
+   ├─ Deploy to /apps/my-crm/
+   └─ Verify accessibility
+
+9. DOCUMENT (Mantis #11 - Documentation Agent) ← NEW
+   ├─ Generate README.md
+   ├─ Create API docs
+   ├─ Add code comments
+   └─ Output: /docs/
+
+10. MONITOR (Mantis #1 - Planner)
+    ├─ Setup uptime monitoring
+    ├─ Track error rates
+    ├─ Monitor response times
+    └─ Status: ACTIVE
+```
+
+---
+
+## Technical Implementation Plan
+
+### Phase 1: Core BotCoder Infrastructure (Week 1)
+
+**Tasks:**
+1. Create `botcoder/` repository structure
+2. Implement `botlib` shared crate
+3. Add Mantis #5-12 agent stubs
+4. Extend WebSocket protocol for new agents
+5. Update orchestrator to support 12 agents
+
+**Deliverables:**
+- ✅ BotCoder repo initialized
+- ✅ Agent trait system defined
+- ✅ WebSocket events extended
+- ✅ Orchestrator handles 12-agent pipeline
+
+### Phase 2: Editor & Database UI (Week 2)
+
+**Tasks:**
+1. Integrate Monaco Editor (replace textarea)
+2. Build database schema visualizer
+3. Add query builder UI
+4. Implement Mantis #5 (Editor Agent)
+5. Implement Mantis #6 (Database Agent)
+
+**Deliverables:**
+- ✅ Monaco loads with syntax highlighting
+- ✅ ER diagram shows tables/relationships
+- ✅ Query builder generates SQL
+- ✅ Editor agent can refactor code
+- ✅ Database agent optimizes queries
+
+### Phase 3: Git & Browser Automation (Week 3)
+
+**Tasks:**
+1. Build git operations UI
+2. Implement diff viewer
+3. Add browser automation panel (chromiumoxide)
+4. Implement Mantis #7 (Git Agent)
+5. Implement Mantis #9 (Browser Agent)
+
+**Deliverables:**
+- ✅ Git status shows changes
+- ✅ Diff viewer displays side-by-side
+- ✅ Browser automation records actions
+- ✅ Git agent manages branches
+- ✅ Browser agent generates Playwright tests
+
+### Phase 4: Testing, Security & Docs (Week 4)
+
+**Tasks:**
+1. Implement test generation
+2. Add security scanning
+3. Build documentation generator
+4. Implement Mantis #8 (Test Agent)
+5. Implement Mantis #12 (Security Agent)
+6. Implement Mantis #11 (Docs Agent)
+
+**Deliverables:**
+- ✅ Test agent generates coverage reports
+- ✅ Security agent scans vulnerabilities
+- ✅ Docs agent generates README
+- ✅ E2E tests run via chromiumoxide
+
+### Phase 5: Deployment Integration (Week 5)
+
+**Tasks:**
+1. Implement deployment router (from vibe.md Phase 0)
+2. Add Forgejo integration
+3. Build deployment UI
+4. Integrate with existing Mantis #4 (Deployer)
+
+**Deliverables:**
+- ✅ Can deploy internally to /apps/
+- ✅ Can deploy externally to Forgejo
+- ✅ CI/CD pipelines auto-generated
+- ✅ Deployment choice in UI
+
+---
+
+## Success Metrics
+
+### Agent Performance
+- ⚡ Pipeline completes in < 2 minutes
+- 🎯 95%+ task success rate
+- 🔄 < 5% agent failures requiring retry
+- 📊 Real-time progress updates < 100ms latency
+
+### Code Quality
+- ✅ 80%+ test coverage
+- 🔒 0 critical vulnerabilities
+- 📝 100% documented public APIs
+- 🚀 < 30s deployment time
+
+### User Experience
+- 💬 Natural language → working app
+- 🎨 Beautiful UI by default
+- 🔧 Professional tools (Monaco, terminal, git)
+- 📱 Works on desktop + web
+
+---
+
+## Comparison: BotCoder vs Claude Code
+
+| Feature | BotCoder | Claude Code |
+|---------|----------|-------------|
+| Multi-agent pipeline | ✅ 12 specialized agents | ❌ Single agent |
+| Visual agent status | ✅ Real-time Mantis cards | ❌ No agent visibility |
+| App generation | ✅ Full-stack (HTMX + DB) | ✅ Code generation only |
+| Database UI | ✅ Schema visualizer | ❌ No DB tools |
+| Git operations | ✅ Dedicated agent (Mantis #7) | ✅ Git integration |
+| Browser automation | ✅ chromiumoxide + Mantis #9 | ✅ Playwright support |
+| Deployment options | ✅ Dual (Internal + Forgejo) | ❌ No deployment |
+| Desktop app | ✅ Tauri (botapp) | ❌ CLI only |
+| Multi-user | ✅ SaaS platform | ❌ Single user |
+| Visual workspace | ✅ Vibe Builder | ❌ Terminal only |
+| Agent reasoning | ✅ Transparent thoughts | ❌ Black box |
+
+---
+
+## Conclusion
+
+**BotCoder** can leverage the existing **Mantis Farm** infrastructure in `botserver` while adding specialized coding agents and professional tools. The architecture is:
+
+1. **Foundation:** Existing orchestrator.rs (1147 lines) - 5-stage pipeline
+2. **Extension:** Add 7 new specialized agents (Mantis #5-12)
+3. **UI:** Extend vibe.html with editor, database, git, browser panels
+4. **Desktop:** Integrate with botapp for native experience
+5. **Deployment:** Dual deployment (internal GB Platform + external Forgejo)
+
+**Estimated Effort:** 5 weeks (following vibe.md roadmap)
+
+**Result:** A complete multi-agent development environment that exceeds Claude Code's capabilities while offering visual agent management, dual deployment, and multi-user SaaS architecture.
--- a/prompts/BOTCODER_HYBRID_ARCHITECTURE.md
+++ b/prompts/BOTCODER_HYBRID_ARCHITECTURE.md
@ -0,0 +1,955 @@
+# BotCoder Hybrid Architecture v2.0
+## CLI + Optional Multi-Agent Facade (BYOK vs BotServer)
+
+## Executive Summary
+
+**BotCoder** exists as a **terminal-based AI coding agent** with real-time streaming and tool execution. This document outlines how to extend it into a **hybrid CLI/multi-agent OS** that can:
+
+1. **Work standalone (BYOK)** - Direct LLM access, local execution
+2. **Use botserver facade** - Leverage Mantis Farm agents when available
+3. **Switch dynamically** - Fall back to local if botserver unavailable
+
+---
+
+## Current BotCoder Architecture
+
+### Existing CLI Implementation (`/home/rodriguez/src/pgm/botcoder`)
+
+**Dependencies:**
+```toml
+tokio = "1.42"          # Async runtime
+reqwest = "0.12"        # HTTP client
+ratatui = "0.29"        # TUI framework
+crossterm = "0.29"      # Terminal handling
+futures = "0.3"         # Async utilities
+regex = "1.10"          # Pattern matching
+```
+
+**Core Features:**
+- ✅ Real-time streaming LLM responses
+- ✅ Tool execution (read_file, execute_command, write_file)
+- ✅ Delta format parsing (git-style diffs)
+- ✅ TPM rate limiting
+- ✅ Conversation history management
+- ✅ Animated TUI with ratatui
+
+**Tool Support:**
+```rust
+// Currently supported tools
+fn execute_tool(tool: &str, param: &str, project_root: &str) -> String {
+    match tool {
+        "read_file" => read_file(param),
+        "execute_command" => execute_command(param, project_root),
+        "write_file" => write_file(param),
+        "list_files" => list_files(param, project_root),
+        _ => format!("Unknown tool: {}", tool),
+    }
+}
+```
+
+**LLM Integration:**
+```rust
+// Direct Azure OpenAI client
+mod llm {
+    pub struct AzureOpenAIClient {
+        endpoint: String,
+        api_key: String,
+        deployment: String,
+    }
+
+    impl LLMProvider for AzureOpenAIClient {
+        async fn generate(&self, prompt: &str, params: &serde_json::Value)
+            -> Result<String, Box<dyn std::error::Error>>;
+    }
+}
+```
+
+---
+
+## Proposed Hybrid Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    BOTCODER HYBRID MODE                         │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                 │
+│  ┌──────────────────────────────────────────────────────────┐  │
+│  │              BOTCODER CLI (main.rs)                      │  │
+│  │  - TUI interface (ratatui)                               │  │
+│  │  - Tool execution                                        │  │
+│  │  - Delta parsing                                         │  │
+│  │  - Rate limiting                                         │  │
+│  └──────────────────────────────────────────────────────────┘  │
+│                            │                                    │
+│                            ▼                                    │
+│  ┌──────────────────────────────────────────────────────────┐  │
+│  │            LLM PROVIDER TRAIT (abstraction)              │  │
+│  └──────────────────────────────────────────────────────────┘  │
+│                            │                                    │
+│            ┌───────────────┴───────────────┐                  │
+│            ▼                               ▼                  │
+│  ┌─────────────────────┐        ┌─────────────────────┐       │
+│  │   DIRECT LLM        │        │  BOTSERVER FACADE    │       │
+│  │   (BYOK Mode)       │        │  (Multi-Agent Mode)  │       │
+│  │                     │        │                     │       │
+│  │ - Azure OpenAI      │        │ - Mantis #1-4       │       │
+│  │ - Anthropic         │        │ - Mantis #5-12      │       │
+│  │ - OpenAI            │        │ - Orchestrator      │       │
+│  │ - Local LLM         │        │ - WebSocket         │       │
+│  └─────────────────────┘        └─────────────────────┘       │
+│            │                               │                    │
+│            │                        (Optional)                 │
+│            ▼                               ▼                    │
+│  ┌─────────────────────┐        ┌─────────────────────┐       │
+│  │  LOCAL EXECUTION    │        │  AGENT EXECUTION    │       │
+│  │                     │        │                     │       │
+│  │ - File operations   │        │ - Containerized     │       │
+│  │ - Command execution │        │ - AgentExecutor     │       │
+│  │ - Git operations    │        │ - Browser automation│       │
+│  │ - Docker control    │        │ - Test generation   │       │
+│  └─────────────────────┘        └─────────────────────┘       │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Implementation Plan
+
+### Phase 1: LLM Provider Abstraction (Week 1)
+
+**Goal:** Create trait-based system for multiple LLM backends
+
+**File:** `src/llm/mod.rs`
+
+```rust
+use async_trait::async_trait;
+
+/// Unified LLM provider trait
+#[async_trait]
+pub trait LLMProvider: Send + Sync {
+    /// Generate completion with streaming support
+    async fn generate_stream(
+        &self,
+        prompt: &str,
+        params: &GenerationParams,
+    ) -> Result<StreamResponse, LLMError>;
+
+    /// Generate completion (non-streaming)
+    async fn generate(
+        &self,
+        prompt: &str,
+        params: &GenerationParams,
+    ) -> Result<String, LLMError>;
+
+    /// Get provider capabilities
+    fn capabilities(&self) -> ProviderCapabilities;
+
+    /// Get provider name
+    fn name(&self) -> &str;
+}
+
+pub struct GenerationParams {
+    pub temperature: f32,
+    pub max_tokens: u32,
+    pub top_p: f32,
+    pub tools: Vec<ToolDefinition>,
+    pub system_prompt: Option<String>,
+}
+
+pub struct StreamResponse {
+    pub content_stream: tokio_stream::wrappers::ReceiverStream<String>,
+    pub tool_calls: Vec<ToolCall>,
+    pub usage: TokenUsage,
+}
+
+pub struct ProviderCapabilities {
+    pub streaming: bool,
+    pub tools: bool,
+    pub max_tokens: u32,
+    pub supports_vision: bool,
+}
+```
+
+**Implementations:**
+
+```rust
+// src/llm/azure_openai.rs
+pub struct AzureOpenAIClient {
+    endpoint: String,
+    api_key: String,
+    deployment: String,
+    client: reqwest::Client,
+}
+
+#[async_trait]
+impl LLMProvider for AzureOpenAIClient {
+    async fn generate(&self, prompt: &str, params: &GenerationParams)
+        -> Result<String, LLMError> {
+        // Existing implementation
+    }
+
+    fn capabilities(&self) -> ProviderCapabilities {
+        ProviderCapabilities {
+            streaming: true,
+            tools: true,
+            max_tokens: 4096,
+            supports_vision: false,
+        }
+    }
+
+    fn name(&self) -> &str {
+        "azure-openai"
+    }
+}
+
+// src/llm/anthropic.rs
+pub struct AnthropicClient {
+    api_key: String,
+    client: reqwest::Client,
+}
+
+#[async_trait]
+impl LLMProvider for AnthropicClient {
+    async fn generate(&self, prompt: &str, params: &GenerationParams)
+        -> Result<String, LLMError> {
+        // Anthropic API implementation
+    }
+
+    fn capabilities(&self) -> ProviderCapabilities {
+        ProviderCapabilities {
+            streaming: true,
+            tools: true,
+            max_tokens: 8192,
+            supports_vision: true,
+        }
+    }
+
+    fn name(&self) -> &str {
+        "anthropic"
+    }
+}
+
+// src/llm/botserver_facade.rs
+pub struct BotServerFacade {
+    base_url: String,
+    api_key: Option<String>,
+    client: reqwest::Client,
+}
+
+#[async_trait]
+impl LLMProvider for BotServerFacade {
+    async fn generate(&self, prompt: &str, params: &GenerationParams)
+        -> Result<String, LLMError> {
+        // Instead of direct LLM call, use botserver's orchestrator
+        // 1. Classify intent
+        // 2. Execute multi-agent pipeline
+        // 3. Return aggregated result
+    }
+
+    fn capabilities(&self) -> ProviderCapabilities {
+        ProviderCapabilities {
+            streaming: true,  // Via WebSocket
+            tools: true,      // Via AgentExecutor
+            max_tokens: 128000,  // Multi-agent consensus
+            supports_vision: true,  // Via Browser Agent
+        }
+    }
+
+    fn name(&self) -> &str {
+        "botserver-mantis-farm"
+    }
+}
+```
+
+**Configuration:**
+
+```rust
+// src/config.rs
+#[derive(Debug, Clone)]
+pub struct BotCoderConfig {
+    pub llm_provider: LLMProviderType,
+    pub botserver_url: Option<String>,
+    pub project_path: PathBuf,
+    pub enable_facade: bool,
+    pub fallback_to_local: bool,
+}
+
+#[derive(Debug, Clone)]
+pub enum LLMProviderType {
+    AzureOpenAI,
+    Anthropic,
+    OpenAI,
+    LocalLLM,
+    BotServerFacade,  // Use Mantis Farm
+}
+
+impl BotCoderConfig {
+    pub fn from_env() -> Result<Self, ConfigError> {
+        let llm_provider = match env::var("LLM_PROVIDER").as_deref() {
+            Ok("azure") => LLMProviderType::AzureOpenAI,
+            Ok("anthropic") => LLMProviderType::Anthropic,
+            Ok("botserver") => LLMProviderType::BotServerFacade,
+            _ => LLMProviderType::AzureOpenAI,  // Default
+        };
+
+        let botserver_url = env::var("BOTSERVER_URL").ok();
+        let enable_facade = env::var("ENABLE_BOTSERVER_FACADE")
+            .unwrap_or_else(|_| "false".to_string()) == "true";
+
+        Ok(Self {
+            llm_provider,
+            botserver_url,
+            project_path: env::var("PROJECT_PATH")?.into(),
+            enable_facade,
+            fallback_to_local: true,
+        })
+    }
+}
+```
+
+---
+
+### Phase 2: Multi-Agent Facade Integration (Week 2)
+
+**Goal:** Connect to botserver's Mantis Farm when available
+
+**File:** `src/botserver_client.rs`
+
+```rust
+use reqwest::Client;
+use serde::{Deserialize, Serialize};
+
+pub struct BotServerClient {
+    base_url: String,
+    api_key: Option<String>,
+    client: Client,
+}
+
+impl BotServerClient {
+    pub fn new(base_url: String, api_key: Option<String>) -> Self {
+        Self {
+            base_url,
+            api_key,
+            client: Client::new(),
+        }
+    }
+
+    /// Classify intent using botserver's intent classifier
+    pub async fn classify_intent(&self, text: &str)
+        -> Result<ClassifiedIntent, BotServerError> {
+        let url = format!("{}/api/autotask/classify", self.base_url);
+
+        let response = self.client
+            .post(&url)
+            .json(&serde_json::json!({ "text": text }))
+            .header("Authorization", self.api_key.as_ref().map(|k| format!("Bearer {}", k)).unwrap_or_default())
+            .send()
+            .await?;
+
+        if response.status().is_success() {
+            Ok(response.json().await?)
+        } else {
+            Err(BotServerError::ClassificationFailed(response.text().await?))
+        }
+    }
+
+    /// Execute multi-agent pipeline
+    pub async fn execute_pipeline(&self, classification: &ClassifiedIntent)
+        -> Result<OrchestrationResult, BotServerError> {
+        let url = format!("{}/api/autotask/execute", self.base_url);
+
+        let response = self.client
+            .post(&url)
+            .json(classification)
+            .header("Authorization", self.api_key.as_ref().map(|k| format!("Bearer {}", k)).unwrap_or_default())
+            .send()
+            .await?;
+
+        if response.status().is_success() {
+            Ok(response.json().await?)
+        } else {
+            Err(BotServerError::PipelineFailed(response.text().await?))
+        }
+    }
+
+    /// Subscribe to WebSocket progress updates
+    pub async fn subscribe_progress(&self, task_id: &str)
+        -> Result<tokio_tungstenite::WebSocketStream<tokio_tungstenite::MaybeTlsStream<tokio::net::TcpStream>>, BotServerError> {
+        let ws_url = format!(
+            "{}/ws/task-progress/{}",
+            self.base_url.replace("http", "ws"),
+            task_id
+        );
+
+        tokio_tungstenite::connect_async(&ws_url).await
+            .map_err(BotServerError::WebSocketError)
+    }
+
+    /// Use specialized agents directly
+    pub async fn query_agent(&self, agent_id: u8, query: &str)
+        -> Result<AgentResponse, BotServerError> {
+        match agent_id {
+            5 => self.query_editor_agent(query).await,
+            6 => self.query_database_agent(query).await,
+            7 => self.query_git_agent(query).await,
+            8 => self.query_test_agent(query).await,
+            9 => self.query_browser_agent(query).await,
+            10 => self.query_terminal_agent(query).await,
+            11 => self.query_docs_agent(query).await,
+            12 => self.query_security_agent(query).await,
+            _ => Err(BotServerError::InvalidAgent(agent_id)),
+        }
+    }
+
+    // Specific agent methods
+    async fn query_editor_agent(&self, query: &str)
+        -> Result<AgentResponse, BotServerError> {
+        // POST /api/botcoder/editor/query
+        let url = format!("{}/api/botcoder/editor/query", self.base_url);
+
+        let response = self.client
+            .post(&url)
+            .json(&serde_json::json!({ "query": query }))
+            .send()
+            .await?;
+
+        Ok(response.json().await?)
+    }
+
+    async fn query_database_agent(&self, query: &str)
+        -> Result<AgentResponse, BotServerError> {
+        // Query database schema, optimize queries
+        let url = format!("{}/api/botcoder/database/query", self.base_url);
+
+        let response = self.client
+            .post(&url)
+            .json(&serde_json::json!({ "query": query }))
+            .send()
+            .await?;
+
+        Ok(response.json().await?)
+    }
+
+    // ... other agent methods
+}
+
+#[derive(Debug, Deserialize)]
+pub struct ClassifiedIntent {
+    pub intent_type: String,
+    pub entities: IntentEntities,
+    pub original_text: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct OrchestrationResult {
+    pub success: bool,
+    pub task_id: String,
+    pub stages_completed: u8,
+    pub app_url: Option<String>,
+    pub message: String,
+    pub created_resources: Vec<CreatedResource>,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum BotServerError {
+    #[error("Classification failed: {0}")]
+    ClassificationFailed(String),
+
+    #[error("Pipeline execution failed: {0}")]
+    PipelineFailed(String),
+
+    #[error("WebSocket error: {0}")]
+    WebSocketError(#[from] tokio_tungstenite::tungstenite::Error),
+
+    #[error("Invalid agent ID: {0}")]
+    InvalidAgent(u8),
+
+    #[error("HTTP error: {0}")]
+    HttpError(#[from] reqwest::Error),
+
+    #[error("JSON error: {0}")]
+    JsonError(#[from] serde_json::Error),
+}
+```
+
+---
+
+### Phase 3: Unified Tool Execution (Week 2-3)
+
+**Goal:** Abstract tool execution to work locally or via agents
+
+**File:** `src/tools/mod.rs`
+
+```rust
+use async_trait::async_trait;
+
+/// Unified tool execution trait
+#[async_trait]
+pub trait ToolExecutor: Send + Sync {
+    async fn execute(&self, tool: &ToolCall, context: &ExecutionContext)
+        -> Result<ToolResult, ToolError>;
+
+    fn supports_tool(&self, tool_name: &str) -> bool;
+}
+
+pub struct ToolCall {
+    pub name: String,
+    pub parameters: serde_json::Value,
+    pub agent_id: Option<u8>,  // Which agent should execute
+}
+
+pub struct ToolResult {
+    pub output: String,
+    pub exit_code: i32,
+    pub metadata: serde_json::Value,
+}
+
+pub struct ExecutionContext {
+    pub project_path: PathBuf,
+    pub botserver_client: Option<BotServerClient>,
+    pub use_local_fallback: bool,
+}
+
+/// Local tool executor (existing implementation)
+pub struct LocalToolExecutor {
+    project_root: PathBuf,
+}
+
+#[async_trait]
+impl ToolExecutor for LocalToolExecutor {
+    async fn execute(&self, tool: &ToolCall, context: &ExecutionContext)
+        -> Result<ToolResult, ToolError> {
+        match tool.name.as_str() {
+            "read_file" => self.read_file(tool.parameters).await,
+            "write_file" => self.write_file(tool.parameters).await,
+            "execute_command" => self.execute_command(tool.parameters).await,
+            "list_files" => self.list_files(tool.parameters).await,
+            "git_operation" => self.git_operation(tool.parameters).await,
+            _ => Err(ToolError::UnknownTool(tool.name.clone())),
+        }
+    }
+
+    fn supports_tool(&self, tool_name: &str) -> bool {
+        matches!(tool_name,
+            "read_file" | "write_file" | "execute_command" |
+            "list_files" | "git_operation"
+        )
+    }
+}
+
+/// Agent-based tool executor (via botserver)
+pub struct AgentToolExecutor {
+    botserver_client: BotServerClient,
+}
+
+#[async_trait]
+impl ToolExecutor for AgentToolExecutor {
+    async fn execute(&self, tool: &ToolCall, context: &ExecutionContext)
+        -> Result<ToolResult, ToolError> {
+        // Route to appropriate agent
+        let agent_id = tool.agent_id.unwrap_or_else(|| {
+            self.infer_agent_for_tool(&tool.name)
+        });
+
+        match self.botserver_client.query_agent(agent_id, &tool.parameters.to_string()).await {
+            Ok(response) => Ok(ToolResult {
+                output: response.output,
+                exit_code: response.exit_code,
+                metadata: response.metadata,
+            }),
+            Err(e) => {
+                // Fallback to local if enabled
+                if context.use_local_fallback {
+                    warn!("Agent execution failed, falling back to local: {}", e);
+                    LocalToolExecutor::new(context.project_path.clone()).execute(tool, context).await?
+                } else {
+                    Err(ToolError::AgentError(e.to_string()))
+                }
+            }
+        }
+    }
+
+    fn supports_tool(&self, tool_name: &str) -> bool {
+        matches!(tool_name,
+            "database_query" | "schema_visualize" | "git_commit" |
+            "test_generate" | "browser_record" | "docs_generate" |
+            "security_scan" | "code_refactor" | "optimize_query"
+        )
+    }
+
+    fn infer_agent_for_tool(&self, tool_name: &str) -> u8 {
+        match tool_name {
+            "code_refactor" | "syntax_check" => 5,  // Editor Agent
+            "database_query" | "schema_visualize" | "optimize_query" => 6,  // Database Agent
+            "git_commit" | "git_branch" | "git_merge" => 7,  // Git Agent
+            "test_generate" | "coverage_report" => 8,  // Test Agent
+            "browser_record" | "page_test" => 9,  // Browser Agent
+            "shell_execute" | "docker_build" => 10,  // Terminal Agent
+            "docs_generate" | "api_docs" => 11,  // Docs Agent
+            "security_scan" | "vulnerability_check" => 12,  // Security Agent
+            _ => 2,  // Default to Builder Agent
+        }
+    }
+}
+```
+
+---
+
+### Phase 4: Hybrid Execution Loop (Week 3)
+
+**Goal:** Main loop that seamlessly switches between local and agent execution
+
+**File:** `src/main.rs` (modified)
+
+```rust
+use llm::LLMProvider;
+use tools::{LocalToolExecutor, AgentToolExecutor, ToolExecutor};
+
+struct BotCoder {
+    config: BotCoderConfig,
+    llm_provider: Box<dyn LLMProvider>,
+    local_executor: LocalToolExecutor,
+    agent_executor: Option<AgentToolExecutor>,
+    botserver_client: Option<BotServerClient>,
+}
+
+impl BotCoder {
+    pub async fn new(config: BotCoderConfig) -> Result<Self, Box<dyn std::error::Error>> {
+        // Initialize LLM provider based on config
+        let llm_provider: Box<dyn LLMProvider> = match config.llm_provider {
+            LLMProviderType::AzureOpenAI => {
+                Box::new(llm::AzureOpenAIClient::new()?)
+            }
+            LLMProviderType::Anthropic => {
+                Box::new(llm::AnthropicClient::new()?)
+            }
+            LLMProviderType::BotServerFacade => {
+                // Will use botserver client
+                Box::new(llm::BotServerFacade::new(
+                    config.botserver_url.clone().unwrap()
+                )?)
+            }
+            _ => Box::new(llm::AzureOpenAIClient::new()?),
+        };
+
+        // Initialize tool executors
+        let local_executor = LocalToolExecutor::new(config.project_path.clone());
+
+        let mut agent_executor = None;
+        let mut botserver_client = None;
+
+        // Try to connect to botserver if enabled
+        if config.enable_facade {
+            if let Some(url) = &config.botserver_url {
+                match BotServerClient::new(url.clone(), None).health_check().await {
+                    Ok(()) => {
+                        println!("✓ Connected to botserver at {}", url);
+                        let client = BotServerClient::new(url.clone(), None);
+                        botserver_client = Some(client.clone());
+                        agent_executor = Some(AgentToolExecutor::new(client));
+                    }
+                    Err(e) => {
+                        warn!("Failed to connect to botserver: {}", e);
+                        if config.fallback_to_local {
+                            println!("⚠ Falling back to local execution");
+                        }
+                    }
+                }
+            }
+        }
+
+        Ok(Self {
+            config,
+            llm_provider,
+            local_executor,
+            agent_executor,
+            botserver_client,
+        })
+    }
+
+    pub async fn run(&mut self) -> Result<(), Box<dyn std::error::Error>> {
+        let mut iteration = 0;
+        let mut conversation_history: Vec<String> = Vec::new();
+
+        loop {
+            iteration += 1;
+            println!("=== ITERATION {} ===", iteration);
+
+            // Display execution mode
+            if self.agent_executor.is_some() {
+                println!("Mode: Multi-Agent (BotServer Facade)");
+                println!("Agents Available: Mantis #1-12");
+            } else {
+                println!("Mode: Local (BYOK)");
+            }
+            println!();
+
+            // Build context
+            let context = self.build_context(&conversation_history);
+
+            // Generate response (streaming)
+            let response = match self.llm_provider.generate_stream(&context, &Default::default()).await {
+                Ok(r) => r,
+                Err(e) => {
+                    // Try fallback to local if botserver fails
+                    if self.agent_executor.is_some() && self.config.fallback_to_local {
+                        warn!("LLM provider failed, trying fallback: {}", e);
+                        // Switch to local provider
+                        continue;
+                    } else {
+                        return Err(e.into());
+                    }
+                }
+            };
+
+            // Stream response to TUI
+            self.display_streaming_response(response).await?;
+
+            // Extract tools from response
+            let tools = self.extract_tools(&full_response);
+
+            // Execute tools (local or agent-based)
+            for tool in tools {
+                let result = self.execute_tool_hybrid(tool).await?;
+                conversation_history.push(format!("Tool: {}\nResult: {}", tool.name, result));
+            }
+
+            conversation_history.push(format!("Assistant: {}", full_response));
+
+            // Trim history
+            if conversation_history.len() > 20 {
+                conversation_history.drain(0..10);
+            }
+        }
+    }
+
+    async fn execute_tool_hybrid(&self, tool: ToolCall) -> Result<ToolResult, ToolError> {
+        let context = ExecutionContext {
+            project_path: self.config.project_path.clone(),
+            botserver_client: self.botserver_client.clone(),
+            use_local_fallback: self.config.fallback_to_local,
+        };
+
+        // Try agent executor first if available
+        if let Some(agent_executor) = &self.agent_executor {
+            if agent_executor.supports_tool(&tool.name) {
+                println!("🤖 Executing via Mantis Agent: {}", tool.name);
+                return agent_executor.execute(&tool, &context).await;
+            }
+        }
+
+        // Fall back to local executor
+        if self.local_executor.supports_tool(&tool.name) {
+            println!("🔧 Executing locally: {}", tool.name);
+            return self.local_executor.execute(&tool, &context).await;
+        }
+
+        Err(ToolError::UnknownTool(tool.name))
+    }
+}
+```
+
+---
+
+## Usage Examples
+
+### Example 1: Local Mode (BYOK)
+
+```bash
+# .env configuration
+LLM_PROVIDER=azure
+PROJECT_PATH=/home/user/myproject
+ENABLE_BOTSERVER_FACADE=false
+```
+
+```bash
+$ botcoder
+=== ITERATION 1 ===
+Mode: Local (BYOK)
+✓ Azure OpenAI connected
+
+> Add authentication to this Rust project
+
+[AI Reasoning...]
+I'll add JWT authentication using the `jsonwebtoken` crate.
+
+CHANGE: Cargo.toml
+<<<<<<< CURRENT
+[dependencies]
+tokio = "1.0"
+=======
+[dependencies]
+tokio = "1.0"
+jsonwebtoken = "9.0"
+=======
+
+[EXECUTE] Tool 1/3: write_file -> Cargo.toml
+✓ File updated
+```
+
+### Example 2: Multi-Agent Mode (BotServer Facade)
+
+```bash
+# .env configuration
+LLM_PROVIDER=botserver
+BOTSERVER_URL=http://localhost:8080
+PROJECT_PATH=/home/user/myproject
+ENABLE_BOTSERVER_FACADE=true
+FALLBACK_TO_LOCAL=true
+```
+
+```bash
+$ botcoder
+=== ITERATION 1 ===
+✓ Connected to botserver at http://localhost:8080
+Mode: Multi-Agent (BotServer Facade)
+Agents Available: Mantis #1-12
+
+> Create a CRM system with contacts and deals
+
+[CLASSIFY] Intent: APP_CREATE
+[PLAN] Mantis #1 breaking down request...
+  ✓ 12 sub-tasks identified
+  ✓ Estimated: 45 files, 98k tokens, 2.5 hours
+
+[BUILD] Mantis #2 generating code...
+  ✓ contacts table schema created
+  ✓ deals table schema created
+  ✓ Contact Manager page generated
+  ✓ Deal Pipeline page generated
+
+[REVIEW] Mantis #3 validating code...
+  ✓ HTMX patterns verified
+  ✓ Security checks passed
+  ✓ 0 vulnerabilities found
+
+[OPTIMIZE] Mantis #5 refactoring...
+  ✓ Extracted duplicate code to utils.rs
+  ✓ Added error handling wrappers
+
+[TEST] Mantis #8 generating tests...
+  ✓ 87% code coverage achieved
+  ✓ E2E tests created (chromiumoxide)
+
+[SECURITY] Mantis #12 scanning...
+  ✓ 0 critical vulnerabilities
+  ✓ All dependencies up to date
+
+[DEPLOY] Mantis #4 deploying...
+  Target: Internal GB Platform
+  ✓ App deployed to /apps/my-crm/
+  ✓ Verify at http://localhost:8080/apps/my-crm/
+
+[DOCUMENT] Mantis #11 generating docs...
+  ✓ README.md created
+  ✓ API documentation generated
+
+✓ Pipeline complete in 1m 47s
+```
+
+### Example 3: Hybrid Mode (Automatic Fallback)
+
+```bash
+$ botcoder
+=== ITERATION 1 ===
+Mode: Multi-Agent (BotServer Facade)
+✓ Connected to botserver
+
+> Refactor this function for better performance
+
+[EDITOR] Mantis #5 analyzing code...
+⚠ BotServer connection lost
+
+[FALLBACK] Switching to local mode...
+[LOCAL] Analyzing with Azure OpenAI...
+✓ Refactoring complete
+```
+
+---
+
+## Benefits of Hybrid Architecture
+
+### For Users (BYOK)
+- ✅ **Privacy** - Code never leaves local machine
+- ✅ **Speed** - Direct LLM access, no intermediate hops
+- ✅ **Cost Control** - Use your own API keys
+- ✅ **Offline Capable** - Works with local LLMs (llama.cpp, Ollama)
+
+### For Users (BotServer Facade)
+- ✅ **Multi-Agent Consensus** - 12 specialized agents collaborate
+- ✅ **Advanced Capabilities** - Browser automation, security scanning, test generation
+- ✅ **Visual Debugging** - Watch agent reasoning in Vibe Builder UI
+- ✅ **Enterprise Features** - Team sharing, approval workflows, audit trails
+
+### Seamless Switching
+- ✅ **Automatic Fallback** - If botserver unavailable, use local
+- ✅ **Tool Routing** - Use agent for complex tasks, local for simple ones
+- ✅ **Cost Optimization** - Reserve expensive agents for hard problems
+- ✅ **Progressive Enhancement** - Start local, upgrade to multi-agent as needed
+
+---
+
+## Configuration Matrix
+
+| Scenario | LLM Provider | Tools | When to Use |
+|----------|--------------|-------|-------------|
+| **Local Development** | Azure/Anthropic (Direct) | Local file ops | Privacy-critical code |
+| **Enterprise Project** | BotServer Facade | Agent-based | Complex refactoring |
+| **Open Source** | Local LLM (Ollama) | Local | No API budget |
+| **Learning** | BotServer Facade | Agent-based | Study agent reasoning |
+| **CI/CD** | BotServer Facade | Agent-based | Automated testing |
+| **Quick Fix** | Azure/Anthropic (Direct) | Local | Fast iteration |
+| **Security Audit** | BotServer Facade | Mantis #12 | Comprehensive scan |
+
+---
+
+## Implementation Roadmap
+
+### Week 1: Foundation
+- [x] Extract existing LLM client to trait
+- [ ] Implement Azure OpenAI provider
+- [ ] Implement Anthropic provider
+- [ ] Add BotServerFacade provider (stub)
+
+### Week 2: BotServer Integration
+- [ ] Implement BotServerClient
+- [ ] Add WebSocket progress streaming
+- [ ] Implement agent query methods
+- [ ] Add health check & fallback logic
+
+### Week 3: Tool Execution
+- [ ] Refactor existing tools to trait
+- [ ] Implement LocalToolExecutor
+- [ ] Implement AgentToolExecutor
+- [ ] Add tool routing logic
+
+### Week 4: Hybrid Loop
+- [ ] Modify main loop for provider switching
+- [ ] Add streaming TUI updates
+- [ ] Implement automatic fallback
+- [ ] Add mode indicator to UI
+
+### Week 5: Testing & Docs
+- [ ] Test all three modes (local, agent, hybrid)
+- [ ] Add configuration examples
+- [ ] Write migration guide
+- [ ] Update README
+
+---
+
+## Conclusion
+
+The **hybrid BotCoder** gives users the best of both worlds:
+
+1. **CLI First** - Fast, local, privacy-focused development
+2. **Multi-Agent Power** - On-demand access to 12 specialized agents
+3. **Seamless Switching** - Automatic fallback between modes
+4. **Progressive Enhancement** - Start simple, scale when needed
+
+**Result:** A coding agent that works offline for quick fixes but can call in a full multi-agent orchestra when facing complex challenges.
+
+**Estimated Effort:** 5 weeks (1 developer)
+**Lines of Code:** ~2000 new lines (modular, trait-based)
+
+The BotCoder CLI becomes the **control plane** for the Mantis Farm, offering both direct terminal access and a gateway to the full multi-agent OS when needed.
--- a/prompts/PENDING.md
+++ b/prompts/PENDING.md
@ -0,0 +1,113 @@
+# Pending Tasks - General Bots Platform
+
+> **Last Updated:** 2025-02-28
+> **Purpose:** Track actionable tasks and improvements for the GB platform
+
+---
+
+## 🔐 Authentication & Identity (Zitadel)
+
+- [ ] **Fix Zitadel setup issues**
+  - Check v4 configuration
+  - Update `zit.md` documentation
+  - Test login at `http://localhost:3000/login`
+  - Run `reset.sh` to verify clean setup
+
+---
+
+## 📚 Documentation Consolidation
+
+- [ ] **Aggregate all PROMPT.md files into AGENTS.md**
+  - Search git history for all PROMPT.md files
+  - Consolidate into root AGENTS.md
+  - Remove duplicate/ghost lines
+  - Keep only AGENTS.md at project root
+
+- [ ] **Update all README.md files**
+  - Add requirement: Only commit when warnings AND errors are 0
+  - Add requirement: Run `cargo check` after editing multiple `.rs` files
+  - Include Qdrant collection access instructions
+  - Document Vault usage for retrieving secrets
+
+---
+
+## 🔒 Security & Configuration (Vault)
+
+- [ ] **Review all service configurations**
+  - Ensure Gmail and other service configs go to Vault
+  - Store per `botid + setting` or `userid` for individual settings
+
+- [ ] **Remove all environment variables**
+  - Keep ONLY Vault-related env vars
+  - Migrate all other configs to Vault
+
+- [ ] **Database password management**
+  - Generate custom passwords for all databases
+  - Store in Vault
+  - Update README with Vault retrieval instructions
+
+---
+
+## 🎯 Code Quality & Standards
+
+- [ ] **Clean gbai directory**
+  - Remove all `.ast` files (work artifacts)
+  - Remove all `.json` files (work artifacts)
+  - Add `.gitignore` rules to prevent future commits
+
+- [ ] **Fix logging prefixes**
+  - Remove duplicate prefixes in `.rs` files
+  - Example: Change `auth: [AUTH]` to `auth:`
+  - Ensure botname and GUID appear in all bot logs
+
+- [ ] **Review bot logs format**
+  - Always include `botname` and `guid`
+  - Example: `drive_monitor:Error during sync for bot MyBot (a818fb29-9991-4e24-bdee-ed4da2c51f6d): dispatch failure`
+
+---
+
+## 🗄️ Database Management
+
+- [ ] **Qdrant collection management**
+  - Add collection viewing instructions to README
+  - Document collection access methods
+  - Add debugging examples
+
+- [ ] **BASIC table migration**
+  - Implement table migration in BASIC language
+  - Document migration process
+
+---
+
+## 🧹 Cleanup Tasks
+
+- [ ] **Remove outdated documentation snippets**
+  - Remove: "Tools with C++ support, then:# Install PostgreSQL (for libpq)choco install postgresql"
+
+---
+
+## 📝 Notes
+
+
+---
+
+## 🚀 Priority Order
+
+1. **High Priority:** Security & Configuration (Vault integration)
+2. **High Priority:** Authentication & Identity (Zitadel setup)
+3. **Medium Priority:** Code Quality & Standards
+4. **Medium Priority:** Documentation Consolidation
+5. **Low Priority:** Cleanup Tasks
+
+---
+
+## 📋 Task Template
+
+When adding new tasks, use this format:
+
+```markdown
+- [ ] **Task Title**
+  - Detail 1
+  - Detail 2
+  - Related file: `path/to/file.ext`
+```
--- a/prompts/SECURITY_CHECKLIST.md
+++ b/prompts/SECURITY_CHECKLIST.md
@ -0,0 +1,156 @@
+# General Bots Security Checklist
+
+## Critical (P1) - Must Fix Immediately
+
+### Authentication & Authorization
+- [ ] **SecurityManager Integration** - Initialize in bootstrap
+- [ ] **CSRF Protection** - Enable for all state-changing endpoints
+- [ ] **Error Handling** - Replace all `unwrap()`/`expect()` calls
+- [ ] **Security Headers** - Apply to all HTTP routes
+
+### Data Protection
+- [ ] **TLS/MTLS** - Ensure certificates are generated and validated
+- [ ] **SafeCommand Usage** - Replace all `Command::new()` calls
+- [ ] **Error Sanitization** - Use `ErrorSanitizer` for all HTTP errors
+
+## High Priority (P2) - Fix Within 2 Weeks
+
+### Authentication
+- [ ] **Passkey Support** - Complete WebAuthn implementation
+- [ ] **MFA Enhancement** - Add backup codes and recovery flows
+- [ ] **API Key Management** - Implement rotation and expiration
+
+### Monitoring & Detection
+- [ ] **Security Monitoring** - Integrate `SecurityMonitor` with app events
+- [ ] **DLP Policies** - Configure default policies for PII/PCI/PHI
+- [ ] **Rate Limiting** - Apply consistent limits across all endpoints
+
+## Medium Priority (P3) - Fix Within 1 Month
+
+### Infrastructure
+- [ ] **Certificate Management** - Add expiration monitoring and auto-renewal
+- [ ] **Audit Logging** - Ensure comprehensive coverage
+- [ ] **Security Testing** - Create dedicated test suite
+
+### Compliance
+- [ ] **Security Documentation** - Update policies and procedures
+- [ ] **Compliance Mapping** - Map controls to SOC2/GDPR/ISO27001
+- [ ] **Evidence Collection** - Implement automated evidence gathering
+
+## Quick Wins (Can be done today)
+
+### Code Quality
+- [ ] Run `cargo clippy --workspace` and fix all warnings
+- [ ] Use `cargo audit` to check for vulnerable dependencies
+- [ ] Replace 10 `unwrap()` calls with proper error handling
+
+### Configuration
+- [ ] Check `.env` files for hardcoded secrets (move to `/tmp/`)
+- [ ] Verify `botserver-stack/conf/` permissions
+- [ ] Review `Cargo.toml` for unnecessary dependencies
+
+### Testing
+- [ ] Test authentication flows with invalid credentials
+- [ ] Verify CSRF tokens are required for POST/PUT/DELETE
+- [ ] Check security headers on main endpoints
+
+## Daily Security Tasks
+
+### Morning Check
+- [ ] Review `botserver.log` for security events
+- [ ] Check `cargo audit` for new vulnerabilities
+- [ ] Monitor failed login attempts
+- [ ] Verify certificate expiration dates
+
+### Ongoing Monitoring
+- [ ] Watch for unusual access patterns
+- [ ] Monitor DLP policy violations
+- [ ] Track security metric trends
+- [ ] Review audit logs for anomalies
+
+### Weekly Tasks
+- [ ] Run full security scan with protection tools
+- [ ] Review and rotate any expiring credentials
+- [ ] Update security dependencies
+- [ ] Backup security configurations
+
+## Emergency Response
+
+### If you suspect a breach:
+1. **Isolate** - Disconnect affected systems
+2. **Preserve** - Don't delete logs or evidence
+3. **Document** - Record all actions and observations
+4. **Escalate** - Contact security team immediately
+5. **Contain** - Implement temporary security measures
+6. **Investigate** - Determine scope and impact
+7. **Remediate** - Fix vulnerabilities and restore services
+8. **Learn** - Update procedures to prevent recurrence
+
+## Security Tools Commands
+
+### Dependency Scanning
+```bash
+cargo audit
+cargo deny check
+cargo geiger
+```
+
+### Code Analysis
+```bash
+cargo clippy --workspace -- -D warnings
+cargo fmt --check
+```
+
+### Security Testing
+```bash
+# Run security tests
+cargo test -p bottest --test security
+
+# Check for unsafe code
+cargo geiger --forbid
+
+# Audit dependencies
+cargo audit --deny warnings
+```
+
+### Protection Tools
+```bash
+# Security scanning
+curl -X POST http://localhost:9000/api/security/protection/scan
+
+# Get security report
+curl http://localhost:9000/api/security/protection/report
+
+# Check tool status
+curl http://localhost:9000/api/security/protection/status
+```
+
+## Common Security Issues to Watch For
+
+### 1. Hardcoded Secrets
+**Bad:** `password = "secret123"` in code
+**Good:** `password = env::var("DB_PASSWORD")?` from `/tmp/`
+
+### 2. Unsafe Command Execution
+**Bad:** `Command::new("rm").arg("-rf").arg(user_input)`
+**Good:** `SafeCommand::new("rm")?.arg("-rf")?.arg(sanitized_input)?`
+
+### 3. Missing Input Validation
+**Bad:** `format!("SELECT * FROM {}", user_table)`
+**Good:** `validate_table_name(&user_table)?; format!("SELECT * FROM {}", safe_table)`
+
+### 4. Information Disclosure
+**Bad:** `Json(json!({ "error": e.to_string() }))`
+**Good:** `let sanitized = log_and_sanitize(&e, "context", None); (StatusCode::INTERNAL_SERVER_ERROR, sanitized)`
+
+## Security Contact Information
+
+**Primary Contact:** security@pragmatismo.com.br  
+**Backup Contact:** Check `security.txt` at `/.well-known/security.txt`
+
+**Emergency Response:** Follow procedures in `botbook/src/12-auth/security-policy.md`
+
+---
+*Last Updated: 2026-02-22*  
+*Review Frequency: Weekly*  
+*Next Review: 2026-03-01*
--- a/prompts/SECURITY_REVIEW.md
+++ b/prompts/SECURITY_REVIEW.md
@ -0,0 +1,30 @@
+# Security Review Task List
+
+## 1. Unsafe Unwraps in Production (Violates AGENTS.md Error Handling Rules)
+The `AGENTS.md` explicitly forbids the use of `.unwrap()`, `.expect()`, `panic!()`, `todo!()`, and `unimplemented!()` in production code. A search of the codebase revealed several instances of `unwrap()` being used in non-test contexts.
+
+**Vulnerable Locations:**
+- `botserver/src/drive/drive_handlers.rs:269` - Contains a `.unwrap()` call during `Response::builder()` generation, which could panic in production.
+- `botserver/src/basic/compiler/mod.rs` - Contains `unwrap()` usages outside test boundaries.
+- `botserver/src/llm/llm_models/deepseek_r3.rs` - Contains `unwrap()` usages outside test boundaries.
+- `botserver/src/botmodels/opencv.rs` - Test scopes use `unwrap()`, but please audit carefully for any leaks to production scope.
+
+**Action:**
+- Replace all `.unwrap()` occurrences with safe alternatives (`?`, `unwrap_or_default()`, or pattern matching with early returns) and use `ErrorSanitizer` to avoid panics.
+
+## 2. Dependency Vulnerabilities (Found by cargo audit)
+Running `cargo audit` uncovered a reported vulnerability inside the dependency tree.
+
+**Vulnerable Component:**
+- **Crate:** `glib`
+- **Version:** `0.18.5`
+- **Advisory ID:** `RUSTSEC-2024-0429`
+- **Title:** Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
+- **Dependency Tree context:** It's pulled through `botdevice` and `botapp` via Tauri plugins and GTK dependencies.
+
+**Action:**
+- Review dependencies and upgrade the GTK/Glib ecosystem dependencies if patches are available, or evaluate the exact usage to assess the direct risk given the desktop GUI context.
+
+## 3. General Posture Alignment
+- Ensure all new state-changing endpoints are correctly shielded by the custom CSRF store (`redis_csrf_store.rs`). Verification is recommended as standard `tower-csrf` is absent from `Cargo.toml`.
+- Confirm security headers (`Content-Security-Policy` via `headers.rs`) are indeed attached universally in `botserver` and not selectively omitted in new modules.
--- a/prompts/UNIFIED_PLAN.md
+++ b/prompts/UNIFIED_PLAN.md
@ -0,0 +1,877 @@
+# Unified Implementation Plan: VibeCode Platform
+
+## Executive Summary
+
+This document **unifies** two separate task lists into a cohesive roadmap:
+- **task.md**: Security & stability fixes (immediate priority)
+- **TASK.md**: Feature implementation roadmap (development pipeline)
+
+**Current Status:**
+- 🎯 Backend: **80% complete** - LLM-powered app generation, multi-agent orchestration, browser automation ready
+- 🎨 Frontend: **40% complete** - Vibe UI exists, missing professional tools (Monaco, Database UI, Git, Browser)
+- 🔐 Security: **Needs attention** - Unsafe unwraps, dependency vulnerabilities (see Security Priorities below)
+
+---
+
+## Part I: Security & Stability (FROM task.md) - IMMEDIATE PRIORITY ⚠️
+
+### 1. Unsafe Unwraps in Production (Violates AGENTS.md Error Handling)
+
+**Issue:** The codebase uses `.unwrap()`, `.expect()`, `panic!()` in production code, which is explicitly forbidden by AGENTS.md.
+
+**Vulnerable Locations:**
+```
+botserver/src/drive/drive_handlers.rs:269      - Response::builder() unwrap
+botserver/src/basic/compiler/mod.rs            - Multiple unwrap() calls
+botserver/src/llm/llm_models/deepseek_r3.rs   - unwrap() outside tests
+botserver/src/botmodels/opencv.rs             - Test scope unwrap() leaks
+```
+
+**Action Items:**
+- [ ] Replace ALL `.unwrap()` with safe alternatives:
+  - Use `?` operator with proper error propagation
+  - Use `unwrap_or_default()` for defaults
+  - Use pattern matching with early returns
+  - Apply `ErrorSanitizer` to avoid panics
+- [ ] Run `cargo clippy -- -W clippy::unwrap_used -W clippy::expect_used`
+- [ ] Add unit tests verifying error paths work correctly
+
+**Estimated Effort:** 4-6 hours
+
+---
+
+### 2. Dependency Vulnerabilities (Found by `cargo audit`)
+
+**Vulnerable Component:**
+- **Crate:** `glib 0.18.5`
+- **Advisory:** `RUSTSEC-2024-0429`
+- **Issue:** Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
+- **Context:** Pulled through `botdevice` and `botapp` via Tauri plugins/GTK dependencies
+
+**Action Items:**
+- [ ] Review exact usage of glib in the codebase
+- [ ] Check if patches are available in newer versions
+- [ ] Evaluate risk given desktop GUI context
+- [ ] If critical: upgrade GTK/Glib ecosystem dependencies
+- [ ] If acceptable: document risk assessment and add to security review checklist
+
+**Estimated Effort:** 2-4 hours
+
+---
+
+### 3. General Security Posture Alignment
+
+**CSRF Protection:**
+- ✅ Custom CSRF store exists: `redis_csrf_store.rs`
+- ⚠️ Verify: ALL state-changing endpoints use it (standard `tower-csrf` is absent from Cargo.toml)
+
+**Security Headers:**
+- ✅ `headers.rs` provides CSP, HSTS, X-Frame-Options
+- ⚠️ Verify: Headers are attached UNIVERSALLY in botserver, not selectively omitted
+
+**Action Items:**
+- [ ] Audit all POST/PUT/DELETE endpoints for CSRF token validation
+- [ ] Create middleware test to ensure security headers on all responses
+- [ ] Document security checklist for new endpoints
+
+**Estimated Effort:** 3-4 hours
+
+---
+
+## Part II: Feature Implementation Roadmap (FROM TASK.md) - DEVELOPMENT PIPELINE
+
+### Architecture Overview
+
+```
+┌──────────────────────────────────────────────────────────────┐
+│                    USER REQUEST                              │
+│              "I want a full CRM system"                       │
+└────────────────────────┬─────────────────────────────────────┘
+                         │
+                         ▼
+┌──────────────────────────────────────────────────────────────┐
+│              VIBE BUILDER UI                                  │
+│  ┌──────────────────┐  ┌──────────────────┐                │
+│  │ Agent Sidebar    │  │ Canvas Area      │                │
+│  │ (Mantis #1-4)    │  │ - Task Nodes     │                │
+│  │ - Status cards   │  │ - Preview        │                │
+│  │ - Workspaces     │  │ - Chat Overlay   │                │
+│  └──────────────────┘  └──────────────────┘                │
+│                                                              │
+│  NEW TOOLS TO ADD:                                           │
+│  🔌 MCP Sources Panel ← botserver/src/sources/ui.rs          │
+│  📝 Monaco Editor         ← Phase 1 (Critical)               │
+│  🗄️ Database Visualizer   ← Phase 2 (Critical)               │
+│  🐙 Git Operations        ← Phase 3 (High)                   │
+│  🌐 Browser Automation    ← Phase 4 (High)                   │
+│  📂 Multi-File Workspace  ← Phase 5 (Medium)                 │
+│  🖥️ Enhanced Terminal     ← Phase 6 (Medium)                 │
+└────────────────────────┬─────────────────────────────────────┘
+                         │
+                         ▼
+┌──────────────────────────────────────────────────────────────┐
+│         BOTSERVER (Rust Backend)                             │
+│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │
+│  │ Orchestrator │  │ AppGenerator │  │ Designer AI  │      │
+│  │ (5 agents)   │  │(LLM-driven)  │  │(modifications)│     │
+│  └──────────────┘  └──────────────┘  └──────────────┘      │
+│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │
+│  │ Browser      │  │ Git          │  │ Terminal     │      │
+│  │ Automation   │  │ Operations   │  │ Service      │      │
+│  │(chromiumoxide)│ │(git2)        │  │(xterm.js)    │      │
+│  └──────────────┘  └──────────────┘  └──────────────┘      │
+│  ┌──────────────────────────────────────────────────┐       │
+│  │ MCP & Sources Integration ← ALREADY IMPLEMENTED  │       │
+│  │ - botserver/src/sources/mcp.rs                   │       │
+│  │ - botserver/src/sources/ui.rs                    │       │
+│  │ - /api/ui/sources/* endpoints                    │       │
+│  └──────────────────────────────────────────────────┘       │
+└────────────────────────┬─────────────────────────────────────┘
+                         │
+                         ▼
+┌──────────────────────────────────────────────────────────────┐
+│                  GENERATED OUTPUT                            │
+│  - PostgreSQL tables                                         │
+│  - HTML pages with HTMX                                      │
+│  - CSS styling                                               │
+│  - JavaScript                                                │
+│  - BASIC tools/schedulers                                    │
+│  - E2E tests (Playwright)                                    │
+└──────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Part III: MCP & Sources Integration - EXISTING INFRASTRUCTURE ✅
+
+### What Already Exists
+
+**Backend Implementation (botserver/src/sources/):**
+```
+sources/
+├── mod.rs              # Module exports
+├── mcp.rs              # MCP client, connection, server types
+├── ui.rs               # HTML pages for /suite/sources/*
+├── knowledge_base.rs   # Knowledge base upload/query
+└── sources_api         # API endpoints
+```
+
+**API Endpoints (defined in botserver/src/core/urls.rs):**
+```
+/sources/*:
+  /suite/sources                    - Main sources list page
+  /suite/sources/mcp/add            - Add MCP server form
+  /suite/sources/mcp/catalog        - MCP server catalog
+
+/api/ui/sources/*:
+  /api/ui/sources/mcp               - List MCP servers
+  /api/ui/sources/mcp/:name         - Get server details
+  /api/ui/sources/mcp/:name/enable  - Enable server
+  /api/ui/sources/mcp/:name/disable - Disable server
+  /api/ui/sources/mcp/:name/tools   - List server tools
+  /api/ui/sources/mcp/:name/test    - Test server connection
+  /api/ui/sources/mcp/scan          - Scan for MCP servers
+  /api/ui/sources/mcp-servers       - Get server catalog
+  /api/ui/sources/kb/upload         - Upload to knowledge base
+  /api/ui/sources/kb/list           - List knowledge base docs
+  /api/ui/sources/kb/query          - Query knowledge base
+  /api/ui/sources/repositories      - List repositories
+  /api/ui/sources/apps              - List connected apps
+```
+
+**Vibe UI Integration (botui/ui/suite/):**
+```
+botui/ui/suite/
+├── partials/
+│   └── vibe.html           # Main Vibe Builder UI
+│                           # - Agent sidebar (Mantis #1-4)
+│                           # - Canvas area with task nodes
+│                           # - Chat overlay
+│                           # - Preview panel
+├── vibe/
+│   └── agents-sidebar.css  # Styles for agent sidebar
+├── js/
+│   └── chat-agent-mode.js  # Agent-mode JavaScript
+└── css/
+    └── chat-agent-mode.css # Agent-mode styles
+```
+
+### Integration Task: Add MCP Panel to Vibe UI
+
+**Goal:** Add a "Sources" panel to Vibe that shows connected MCP servers and allows management.
+
+**Action Items:**
+1. **Create MCP Panel Component:**
+   - File: `botui/ui/suite/partials/vibe-mcp-panel.html`
+   - Features:
+     - List connected MCP servers
+     - Show server status (active/inactive)
+     - Display available tools per server
+     - Quick enable/disable toggles
+     - "Add Server" button (opens `/suite/sources/mcp/add`)
+
+2. **Add JavaScript:**
+   - File: `botui/ui/suite/js/vibe-mcp.js`
+   - Fetch servers from `/api/ui/sources/mcp`
+   - Handle enable/disable actions
+   - Update server status in real-time
+   - Display tool risk levels
+
+3. **Add Styles:**
+   - File: `botui/ui/suite/vibe/mcp-panel.css`
+   - Match existing agents-sidebar.css aesthetic
+   - Server cards with status indicators
+   - Tool badges with risk levels
+
+4. **Integrate into Vibe:**
+   - Add "Sources" tab to Vibe sidebar
+   - Load MCP panel when tab clicked
+   - Show server count badge
+
+**Estimated Effort:** 6-8 hours
+
+---
+
+## Part IV: Implementation Phases (UPDATED WITH MCP INTEGRATION)
+
+### Phase 0: Security & Stability ⚠️ - IMMEDIATE (Week 0)
+
+**Priority: CRITICAL - Must complete before any feature work**
+
+**Tasks:**
+1. [ ] Fix all unsafe `unwrap()` calls
+2. [ ] Address dependency vulnerabilities
+3. [ ] Verify CSRF & security headers coverage
+
+**Estimated Effort:** 9-14 hours
+
+**Success Criteria:**
+- ✅ Zero `unwrap()` in production code
+- ✅ `cargo audit` passes cleanly
+- ✅ All state-changing endpoints use CSRF tokens
+- ✅ All responses include security headers
+
+---
+
+### Phase 0.5: MCP Integration in Vibe (Week 0.5)
+
+**Priority: HIGH - Leverage existing infrastructure**
+
+**Tasks:**
+1. [ ] Create MCP panel component
+2. [ ] Add JavaScript for server management
+3. [ ] Style panel to match Vibe aesthetic
+4. [ ] Integrate into Vibe sidebar
+
+**Estimated Effort:** 6-8 hours
+
+**Success Criteria:**
+- ✅ MCP servers visible in Vibe UI
+- ✅ Can enable/disable servers
+- ✅ Can see available tools
+- ✅ Can add new servers
+
+---
+
+### Phase 1: Code Editor Integration (P0 - Critical)
+
+**Goal:** Replace textarea with professional code editor
+
+**Tasks:**
+
+1. **Download Monaco Editor**
+   ```bash
+   cd botui
+   npm install monaco-editor@0.45.0
+   cp -r node_modules/monaco-editor min/vs ui/suite/js/vendor/
+   ```
+
+2. **Create Editor Component**
+   - `botui/ui/suite/partials/editor.html`
+   - Monaco container with tab bar
+   - File tree sidebar
+   - Save/Publish buttons
+
+3. **Editor JavaScript**
+   - `botui/ui/suite/js/editor.js`
+   - Monaco initialization
+   - Language detection (.html, .css, .js, .bas, .json)
+   - Tab management (open, close, switch)
+   - Auto-save with WebSocket sync
+
+4. **API Endpoints**
+   - `botserver/src/api/editor.rs`
+   - GET `/api/editor/file/{path}` - Read file
+   - POST `/api/editor/file/{path}` - Save file
+   - GET `/api/editor/files` - List files
+
+5. **Integration**
+   - Update `chat-agent-mode.html` - replace textarea with Monaco
+   - Update `vibe.html` - add editor panel
+   - Add keyboard shortcuts (Ctrl+S, Ctrl+P, Ctrl+Shift+F)
+
+**Success Criteria:**
+- Monaco loads in < 2 seconds
+- Syntax highlighting for 5+ languages
+- Multi-file tabs work
+- Auto-save completes successfully
+
+**Estimated Effort:** 8-12 hours
+
+---
+
+### Phase 2: Database UI & Schema Visualization (P0 - Critical)
+
+**Goal:** Visual database management and query builder
+
+**Tasks:**
+
+1. **Schema Visualizer Component**
+   - `botui/ui/suite/partials/database.html`
+   - Canvas-based ER diagram
+   - Table cards with fields
+   - Relationship lines (foreign keys)
+   - Zoom/pan controls
+
+2. **Database JavaScript**
+   - `botui/ui/suite/js/database.js`
+   - Fetch schema: `/api/database/schema`
+   - Render tables using Canvas API
+   - Click table → show field details
+   - Drag to rearrange
+
+3. **Query Builder UI**
+   - Visual SELECT builder
+   - Table selection dropdown
+   - Join interface
+   - Filter conditions
+   - SQL preview pane
+
+4. **Data Grid**
+   - Sortable columns
+   - Inline editing
+   - Pagination
+   - Export (CSV/JSON)
+
+5. **Backend API**
+   - `botserver/src/api/database.rs`
+   - GET `/api/database/schema` - Tables, fields, relationships
+   - GET `/api/database/table/{name}/data` - Paginated data
+   - POST `/api/database/query` - Execute SQL
+   - POST `/api/database/table/{name}/row` - Insert/update
+   - DELETE `/api/database/table/{name}/row/{id}` - Delete
+
+**Success Criteria:**
+- ER diagram shows all tables
+- Query builder generates valid SQL
+- Data grid supports inline edits
+- Export works correctly
+
+**Estimated Effort:** 16-20 hours
+
+---
+
+### Phase 3: Git Operations UI (P1 - High Priority)
+
+**Goal:** Version control interface in Vibe
+
+**Tasks:**
+
+1. **Git Status Panel**
+   - `botui/ui/suite/partials/git-status.html`
+   - File list with status icons
+   - Stage/unstage checkboxes
+   - "Commit" button
+
+2. **Diff Viewer**
+   - `botui/ui/suite/partials/git-diff.html`
+   - Side-by-side comparison
+   - Line highlighting (green/red)
+   - Syntax highlighting
+
+3. **Commit Interface**
+   - Message input
+   - "Commit & Push" button
+   - Progress indicator
+
+4. **Branch Manager**
+   - Branch dropdown
+   - "New Branch" dialog
+   - Switch/delete actions
+
+5. **Commit Timeline**
+   - Vertical timeline
+   - Author, date, message
+   - Click → view diff
+
+6. **Backend API**
+   - `botserver/src/api/git.rs`
+   - GET `/api/git/status` - Git status
+   - GET `/api/git/diff/{file}` - File diff
+   - POST `/api/git/commit` - Create commit
+   - POST `/api/git/push` - Push to remote
+   - GET `/api/git/branches` - List branches
+   - POST `/api/git/branch/{name}` - Create/switch
+   - GET `/api/git/log` - Commit history
+
+**Success Criteria:**
+- Git status displays correctly
+- Diff viewer shows side-by-side
+- Commit workflow works end-to-end
+- Branch switching succeeds
+
+**Estimated Effort:** 12-16 hours
+
+---
+
+### Phase 4: Browser Automation Engine (P1 - High Priority)
+
+**Goal:** Pure Rust browser automation for testing & recording
+
+**Why Rust + Chromiumoxide:**
+- ✅ Already in workspace: `chromiumoxide = "0.7"`
+- ✅ No Node.js dependency
+- ✅ Feature flag exists: `browser` in botserver/Cargo.toml
+- ✅ Reference implementation: bottest/src/web/browser.rs (1000+ lines)
+
+**Tasks:**
+
+1. **Core Browser Module**
+   - `botserver/src/browser/mod.rs`
+     - `BrowserSession` - Manage browser instance
+     - `BrowserManager` - Session lifecycle
+     - Methods: `navigate()`, `click()`, `fill()`, `screenshot()`, `execute()`
+
+2. **Action Recorder**
+   - `botserver/src/browser/recorder.rs`
+     - `RecordedAction` - Navigate, Click, Fill, Wait, Assert
+     - `ActionRecorder` - Record/stop/export
+     - Export as Playwright test
+
+3. **Test Validator**
+   - `botserver/src/browser/validator.rs`
+     - Check for flaky selectors
+     - Validate wait conditions
+     - Suggest improvements via Designer AI
+
+4. **Browser API**
+   - `botserver/src/browser/api.rs`
+     - POST `/api/browser/session` - Create session
+     - POST `/api/browser/session/:id/execute` - Run action
+     - GET `/api/browser/session/:id/screenshot` - Capture
+     - POST `/api/browser/session/:id/record/start` - Start recording
+     - POST `/api/browser/session/:id/record/stop` - Stop & get actions
+     - GET `/api/browser/session/:id/record/export` - Export test
+
+5. **Vibe UI - Browser Panel**
+   - `botui/ui/suite/partials/browser-controls.html`
+     - URL bar with navigation buttons
+     - Record/Stop/Export buttons
+     - Actions timeline
+     - Browser preview iframe
+     - Screenshot gallery
+
+   - `botui/ui/suite/js/browser.js`
+     - Session management
+     - Action recording
+     - Test export
+
+   - `botui/ui/suite/css/browser.css`
+     - Browser panel styling
+     - Recording indicator animation
+     - Actions timeline
+     - Screenshot gallery grid
+
+6. **Integration with Vibe**
+   - Add "Browser Automation" button to Vibe toolbar
+   - Load browser-controls.html in panel
+   - Element picker for selector capture
+   - Screenshot capture & gallery
+
+**Success Criteria:**
+- Can navigate to any URL
+- Element picker captures selectors
+- Recording generates valid Playwright tests
+- Screenshots capture correctly
+
+**Estimated Effort:** 20-24 hours
+
+---
+
+### Phase 5: Multi-File Editing Workspace (P2 - Medium Priority)
+
+**Goal:** Professional multi-file editing
+
+**Tasks:**
+
+1. **Tab Management**
+   - File tabs with close buttons
+   - Active tab highlighting
+   - Tab overflow scrolling
+   - Drag to reorder
+
+2. **Split-Pane Layout**
+   - Split horizontal/vertical buttons
+   - Resize handles
+   - 2x2 grid max
+
+3. **File Comparison**
+   - Side-by-side diff
+   - Line-by-line navigation
+   - Copy changes (L→R)
+
+4. **File Tree Sidebar**
+   - Nested folders
+   - File type icons
+   - Expand/collapse
+   - Double-click to open
+
+5. **Quick Open**
+   - Ctrl+P → Search files
+   - Fuzzy matching
+   - Arrow navigation
+
+6. **Project Search**
+   - Ctrl+Shift+F → Search all files
+   - Results with line numbers
+   - Click to open file
+
+**Success Criteria:**
+- 10+ files open in tabs
+- Split view works (2-4 panes)
+- File comparison displays diffs
+- Quick open searches files
+
+**Estimated Effort:** 12-16 hours
+
+---
+
+### Phase 6: Enhanced Terminal (P2 - Medium Priority)
+
+**Goal:** Interactive shell in Vibe
+
+**Tasks:**
+
+1. **Terminal Container**
+   - xterm.js integration (already vendor file)
+   - Multiple terminal tabs
+   - Fit addon for auto-resize
+
+2. **WebSocket Terminal**
+   - Bi-directional WebSocket: `/ws/terminal/{session_id}`
+   - Protocol: `{"type": "input", "data": "command\n"}`
+   - Handle ANSI escape codes
+
+3. **Command History**
+   - Up/Down arrows
+   - Ctrl+R search
+   - Persist in localStorage
+
+4. **Command Completion**
+   - Tab completion
+   - File path completion
+   - Command flags
+
+5. **Backend Terminal Server**
+   - Spawn PTY per session
+   - WebSocket handler
+   - Clean up on disconnect
+
+6. **File Transfer**
+   - Drag file to upload
+   - `upload` / `download` commands
+   - Progress bars
+
+**Success Criteria:**
+- Can type commands & see output
+- Arrow keys navigate history
+- Can run vim, top, etc.
+- Multiple terminals work
+
+**Estimated Effort:** 10-14 hours
+
+---
+
+### Phase 7: Advanced CRM Templates (P2 - Medium Priority)
+
+**Goal:** Pre-built CRM accelerators
+
+**Tasks:**
+
+1. **Template System**
+   - `botserver/src/templates/crm/`
+   - Template JSON definitions
+   - Prompt templates
+   - Field libraries
+
+2. **CRM Templates**
+   - **Sales CRM**
+     - Tables: contacts, leads, opportunities, accounts, activities
+     - Pages: dashboard, pipeline, contacts list
+     - Tools: lead_scoring, email_automation
+     - Schedulers: daily_summary, weekly_review
+
+   - **Real Estate CRM**
+     - Tables: properties, clients, showings, offers
+     - Pages: property gallery, client portal
+     - Tools: mls_sync, showing_scheduler
+     - Schedulers: showing_reminders, market_update
+
+   - **Healthcare CRM**
+     - Tables: patients, appointments, treatments, insurance
+     - Pages: patient portal, appointment scheduler
+     - Tools: insurance_verification, appointment_reminders
+     - Schedulers: daily_appointments, insurance_alerts
+
+3. **Template Gallery UI**
+   - `botui/ui/suite/partials/template-gallery.html`
+   - Template cards with descriptions
+   - Preview screenshots
+   - "Use Template" button
+
+4. **Template Generator**
+   - Load template JSON
+   - Customize with user details
+   - Generate all files
+   - Deploy to /apps/{name}
+
+**Success Criteria:**
+- Can select template from gallery
+- Template generates full CRM
+- Customization works
+- Generated CRM is functional
+
+**Estimated Effort:** 20-24 hours
+
+---
+
+## Part V: Technical Implementation Notes
+
+### Code Quality Standards (per AGENTS.md)
+
+**MUST Follow:**
+1. ✅ **Error Handling** - NO panics, use `?` operator
+2. ✅ **Safe Commands** - Use `SafeCommand` wrapper
+3. ✅ **Error Sanitization** - Use `ErrorSanitizer`
+4. ✅ **SQL Safety** - Use `sql_guard`
+5. ✅ **Rate Limiting** - Per-IP and per-User limits
+6. ✅ **CSRF Protection** - CSRF tokens on state-changing endpoints
+7. ✅ **Security Headers** - CSP, HSTS, X-Frame-Options, etc.
+8. ✅ **No CDNs** - All assets local
+9. ✅ **File Size** - Max 450 lines per file
+10. ✅ **Clippy Clean** - 0 warnings, no `#[allow()]`
+
+### File Organization
+
+**Botui (Frontend):**
+```
+botui/ui/suite/
+  partials/
+    editor.html
+    database.html
+    git-status.html
+    git-diff.html
+    browser-controls.html
+    terminal.html
+    template-gallery.html
+    vibe-mcp-panel.html          # NEW - MCP integration
+  js/
+    editor.js
+    database.js
+    git.js
+    browser.js
+    terminal.js
+    templates.js
+    vibe-mcp.js                  # NEW - MCP integration
+  css/
+    editor.css
+    database.css
+    git.css
+    browser.css
+    terminal.css
+    templates.css
+    vibe/
+      mcp-panel.css              # NEW - MCP integration
+```
+
+**Botserver (Backend):**
+```
+botserver/src/
+  api/
+    editor.rs
+    database.rs
+    git.rs
+  browser/
+    mod.rs          # BrowserSession, BrowserManager
+    recorder.rs     # ActionRecorder
+    validator.rs    # TestValidator
+    api.rs          # HTTP endpoints
+    test_generator.rs
+  templates/
+    crm/
+      sales.json
+      real_estate.json
+      healthcare.json
+    mod.rs
+  sources/         # ALREADY EXISTS
+    mod.rs
+    mcp.rs
+    ui.rs
+    knowledge_base.rs
+```
+
+### Dependencies
+
+**Already in Workspace:**
+```toml
+chromiumoxide = "0.7"  # Browser automation
+tokio = "1.41"          # Async runtime
+axum = "0.7"            # HTTP framework
+diesel = "2.1"          # Database
+git2 = "0.18"           # Git operations (add if needed)
+```
+
+**Frontend (download & serve locally):**
+```
+monaco-editor@0.45.0    # Code editor
+xterm.js@5.3.0          # Terminal (already vendor file)
+```
+
+---
+
+## Part VI: Testing Strategy
+
+### Unit Tests
+- All new modules need unit tests
+- Test coverage > 80%
+- Location: `botserver/src/<module>/tests.rs`
+
+### Integration Tests
+- End-to-end workflows
+- Location: `bottest/tests/integration/`
+
+### E2E Tests
+- Use chromiumoxide (bottest infrastructure)
+- Location: `bottest/tests/e2e/`
+- Test scenarios:
+  - Generate CRM from template
+  - Edit in Monaco editor
+  - View database schema
+  - Create git commit
+  - Record browser test
+
+---
+
+## Part VII: Rollout Plan (UPDATED)
+
+### Milestone 0: Security & MCP (Week 0)
+- **Day 1-2:** Fix all unsafe `unwrap()` calls
+- **Day 3:** Address dependency vulnerabilities
+- **Day 4:** Verify CSRF & security headers
+- **Day 5:** Integrate MCP panel into Vibe UI
+
+### Milestone 1: Core Editor (Week 1)
+- Phase 1 complete (Monaco integration)
+
+### Milestone 2: Database & Git (Week 2)
+- Phase 2 complete (Database UI)
+- Phase 3 complete (Git Operations)
+
+### Milestone 3: Browser & Workspace (Week 3)
+- Phase 4 complete (Browser Automation)
+- Phase 5 complete (Multi-File Editing)
+
+### Milestone 4: Terminal & Templates (Week 4)
+- Phase 6 complete (Enhanced Terminal)
+- Phase 7 complete (CRM Templates)
+
+---
+
+## Part VIII: Success Metrics
+
+### Security Milestones
+- ✅ Zero `unwrap()` in production code
+- ✅ `cargo audit` passes
+- ✅ All endpoints have CSRF + security headers
+
+### Phase 0.5: MCP Integration
+- ✅ MCP panel visible in Vibe sidebar
+- ✅ Can enable/disable servers
+- ✅ Can view available tools
+- ✅ Can add new servers
+
+### Phase 1: Code Editor
+- Monaco loads < 2 seconds
+- 5+ syntax highlighters work
+- Multi-file tabs functional
+- Auto-save succeeds
+
+### Phase 2: Database UI
+- Schema visualizer displays all tables
+- Query builder generates valid SQL
+- Data grid supports inline edits
+- Export functionality works
+
+### Phase 3: Git Operations
+- Git status shows changed files
+- Diff viewer shows side-by-side
+- Commit workflow works
+- Branch switching succeeds
+
+### Phase 4: Browser Automation
+- Can navigate to any URL
+- Element picker captures selectors
+- Recording generates valid tests
+- Screenshots capture correctly
+
+### Phase 5: Multi-File Workspace
+- 10+ files open in tabs
+- Split view supports 2-4 panes
+- File comparison works
+- Project search is fast (< 1s for 100 files)
+
+### Phase 6: Terminal
+- Interactive shell works
+- Can run vim, top, etc.
+- Multiple terminals run simultaneously
+- File transfer works
+
+### Phase 7: CRM Templates
+- 3+ CRM templates available
+- Generation takes < 30 seconds
+- Generated CRMs are fully functional
+- Industry-specific features work
+
+---
+
+## Conclusion
+
+The BotUI platform has a **powerful backend** capable of generating full applications via LLM. The main gaps are in the **frontend user experience** and **security hardening**.
+
+**Key Insight:**
+- The `botserver/src/sources/` infrastructure for MCP is **already complete**
+- The Vibe UI exists and is functional
+- We need to **connect** them: add an MCP panel to the Vibe sidebar
+
+**Updated Priority Order:**
+1. ⚠️ **Security fixes** (Week 0) - Unblock development risk
+2. 🔌 **MCP integration** (Week 0.5) - Quick win, leverage existing code
+3. 📝 **Code editor** (Week 1) - Core developer tool
+4. 🗄️ **Database UI** (Week 2) - Visual data management
+5. 🐙 **Git operations** (Week 2) - Version control
+6. 🌐 **Browser automation** (Week 3) - Testing & recording
+7. 📂 **Multi-file workspace** (Week 3) - Professional editing
+8. 🖥️ **Terminal** (Week 4) - Interactive shell
+9. 📇 **CRM templates** (Week 4) - Accelerators
+
+Once these phases are complete, VibeCode will match or exceed Claude Code's capabilities while offering:
+
+✅ **Multi-user SaaS deployment**
+✅ **Visual app building** (Vibe Builder)
+✅ **Enterprise-grade multi-agent orchestration**
+✅ **Pure Rust backend** (no Node.js dependency)
+✅ **Integrated MCP servers** (extensible tools)
+✅ **Integrated browser automation** (chromiumoxide)
+✅ **Professional development environment**
+
+**Total Estimated Effort:** 113-141 hours (~3-4 weeks with 1 developer)
--- a/prompts/vib.md
+++ b/prompts/vib.md
--- a/req_gemini.json
+++ b/req_gemini.json
@ -0,0 +1,3 @@
+{
+    "contents": [{"role":"user","parts":[{"text":"hello"}]}]
+}
--- a/req_openai.json
+++ b/req_openai.json
@ -0,0 +1,9 @@
+{
+    "model": "gemini-1.5-flash",
+    "messages": [
+        {
+            "role": "user",
+            "content": "hello"
+        }
+    ]
+}
--- a/request.json
+++ b/request.json
@ -0,0 +1,8 @@
+{
+    "contents": [
+        {
+            "role": "user",
+            "parts": [{"text":"hello"}]
+        }
+    ]
+}
--- a/reset.sh
+++ b/reset.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+
+echo "Cleaning up..."
+rm -rf botserver-stack/ ./work/ .env
+
+echo "Starting services..."
+./restart.sh
+
+echo "Reset complete!"
--- a/restart.sh
+++ b/restart.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+echo "Stopping..."
+pkill -f botserver || true
+pkill -f botui || true
+pkill -f rustc || true
+
+echo "Cleaning..."
+rm -f botserver.log botui.log
+
+echo "Building..."
+cargo build -p botserver
+cargo build -p botui
+
+echo "Starting botserver..."
+RUST_LOG=debug ./target/debug/botserver --noconsole > botserver.log 2>&1 &
+echo "  PID: $!"
+
+echo "Starting botui..."
+BOTSERVER_URL="http://localhost:8080" ./target/debug/botui > botui.log 2>&1 &
+echo "  PID: $!"
+
+echo "Done. Logs: tail -f botserver.log botui.log"
--- a/BIN
+++ b/BIN
--- a/security_audit.sh
+++ b/security_audit.sh
@ -0,0 +1,129 @@
+#!/bin/bash
+
+# General Bots Security Audit Script
+# This script helps identify critical security issues in the codebase
+
+set -e
+
+echo "🔒 General Bots Security Audit"
+echo "=============================="
+echo ""
+
+# Check for hardcoded secrets
+echo "1. Checking for hardcoded secrets..."
+if grep -r "password\s*=\s*\"" --include="*.rs" --include="*.toml" --include="*.json" . 2>/dev/null | grep -v "test" | grep -v "example" | head -10; then
+    echo "⚠️  WARNING: Found potential hardcoded passwords"
+else
+    echo "✅ No obvious hardcoded passwords found"
+fi
+
+echo ""
+
+# Check for unwrap/expect calls
+echo "2. Checking for unwrap/expect calls..."
+UNWRAP_COUNT=$(grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | wc -l)
+if [ "$UNWRAP_COUNT" -gt 0 ]; then
+    echo "⚠️  WARNING: Found $UNWRAP_COUNT unwrap/expect calls"
+    echo "   Sample locations:"
+    grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | head -5
+else
+    echo "✅ No unwrap/expect calls found"
+fi
+
+echo ""
+
+# Check for Command::new usage
+echo "3. Checking for unsafe command execution..."
+if grep -r "Command::new" --include="*.rs" . 2>/dev/null | grep -v "SafeCommand" | head -5; then
+    echo "⚠️  WARNING: Found potential unsafe command execution"
+    echo "   Should use SafeCommand instead"
+else
+    echo "✅ No unsafe Command::new calls found"
+fi
+
+echo ""
+
+# Check for SQL injection patterns
+echo "4. Checking for SQL injection patterns..."
+if grep -r "format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE" --include="*.rs" . 2>/dev/null | grep -v "sanitize" | head -5; then
+    echo "⚠️  WARNING: Found potential SQL injection patterns"
+    echo "   Should use sql_guard functions"
+else
+    echo "✅ No obvious SQL injection patterns found"
+fi
+
+echo ""
+
+# Check security headers in routes
+echo "5. Checking for security middleware usage..."
+if grep -r "security_headers_middleware\|csrf_middleware\|rate_limit_middleware" --include="*.rs" . 2>/dev/null | head -5; then
+    echo "✅ Security middleware found"
+else
+    echo "⚠️  WARNING: No security middleware found in routes"
+fi
+
+echo ""
+
+# Check for SecurityManager usage
+echo "6. Checking for SecurityManager initialization..."
+if grep -r "SecurityManager::new\|SecurityManager::initialize" --include="*.rs" . 2>/dev/null; then
+    echo "✅ SecurityManager usage found"
+else
+    echo "⚠️  WARNING: SecurityManager not initialized"
+fi
+
+echo ""
+
+# Check dependencies
+echo "7. Checking dependencies..."
+if command -v cargo-audit &> /dev/null; then
+    echo "Running cargo audit..."
+    cargo audit
+else
+    echo "⚠️  Install cargo-audit: cargo install cargo-audit"
+fi
+
+echo ""
+
+# Check for .env files in git
+echo "8. Checking for secrets in git..."
+if find . -name ".env" -type f | grep -v node_modules | grep -v target; then
+    echo "⚠️  WARNING: .env files found in repository"
+    echo "   Secrets should be in /tmp/ only"
+else
+    echo "✅ No .env files in repository"
+fi
+
+echo ""
+
+# Check file permissions
+echo "9. Checking critical file permissions..."
+if [ -f "botserver-stack/conf/vault/init.json" ]; then
+    PERMS=$(stat -c "%a" "botserver-stack/conf/vault/init.json")
+    if [ "$PERMS" -gt 600 ]; then
+        echo "⚠️  WARNING: Vault init file permissions too open: $PERMS"
+        echo "   Should be 600 or 400"
+    else
+        echo "✅ Vault init file permissions OK: $PERMS"
+    fi
+fi
+
+echo ""
+
+# Summary
+echo "📊 Security Audit Summary"
+echo "========================"
+echo ""
+echo "Critical Issues to Address:"
+echo "1. $UNWRAP_COUNT unwrap/expect calls need replacement"
+echo "2. SecurityManager initialization missing"
+echo "3. Security middleware may not be applied to all routes"
+echo ""
+echo "Next Steps:"
+echo "1. Review TASKS.md for detailed remediation plan"
+echo "2. Fix P1 issues first (SecurityManager, error handling)"
+echo "3. Run cargo clippy and fix all warnings"
+echo "4. Implement security testing"
+echo ""
+echo "For detailed tasks, see: TASKS.md"
+echo "For quick checklist, see: SECURITY_CHECKLIST.md"
--- a/sim_wa.sh
+++ b/sim_wa.sh
@ -0,0 +1,43 @@
+#!/bin/bash
+curl -X POST http://localhost:8080/webhook/whatsapp/default \
+-H "Content-Type: application/json" \
+-H "X-Hub-Signature-256: sha256=dummy" \
+-d '{
+  "object": "whatsapp_business_account",
+  "entry": [
+    {
+      "id": "1234567890",
+      "changes": [
+        {
+          "value": {
+            "messaging_product": "whatsapp",
+            "metadata": {
+              "display_phone_number": "552140402160",
+              "phone_number_id": "323250907549153"
+            },
+            "contacts": [
+              {
+                "profile": {
+                  "name": "Test User"
+                },
+                "wa_id": "5511999999999"
+              }
+            ],
+            "messages": [
+              {
+                "from": "5511999999999",
+                "id": "wamid.simulated_1",
+                "timestamp": "1625688536",
+                "text": {
+                  "body": "cristo"
+                },
+                "type": "text"
+              }
+            ]
+          },
+          "field": "messages"
+        }
+      ]
+    }
+  ]
+}'
--- a/stop.sh
+++ b/stop.sh
@ -0,0 +1,4 @@
+pkill botui
+pkill botserver -9
+
+
--- a/task.md
+++ b/task.md
@ -0,0 +1,30 @@
+# Security Review Task List
+
+## 1. Unsafe Unwraps in Production (Violates AGENTS.md Error Handling Rules)
+The `AGENTS.md` explicitly forbids the use of `.unwrap()`, `.expect()`, `panic!()`, `todo!()`, and `unimplemented!()` in production code. A search of the codebase revealed several instances of `unwrap()` being used in non-test contexts.
+
+**Vulnerable Locations:**
+- `botserver/src/drive/drive_handlers.rs:269` - Contains a `.unwrap()` call during `Response::builder()` generation, which could panic in production.
+- `botserver/src/basic/compiler/mod.rs` - Contains `unwrap()` usages outside test boundaries.
+- `botserver/src/llm/llm_models/deepseek_r3.rs` - Contains `unwrap()` usages outside test boundaries.
+- `botserver/src/botmodels/opencv.rs` - Test scopes use `unwrap()`, but please audit carefully for any leaks to production scope.
+
+**Action:**
+- Replace all `.unwrap()` occurrences with safe alternatives (`?`, `unwrap_or_default()`, or pattern matching with early returns) and use `ErrorSanitizer` to avoid panics.
+
+## 2. Dependency Vulnerabilities (Found by cargo audit)
+Running `cargo audit` uncovered a reported vulnerability inside the dependency tree.
+
+**Vulnerable Component:**
+- **Crate:** `glib`
+- **Version:** `0.18.5`
+- **Advisory ID:** `RUSTSEC-2024-0429`
+- **Title:** Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
+- **Dependency Tree context:** It's pulled through `botdevice` and `botapp` via Tauri plugins and GTK dependencies.
+
+**Action:**
+- Review dependencies and upgrade the GTK/Glib ecosystem dependencies if patches are available, or evaluate the exact usage to assess the direct risk given the desktop GUI context.
+
+## 3. General Posture Alignment
+- Ensure all new state-changing endpoints are correctly shielded by the custom CSRF store (`redis_csrf_store.rs`). Verification is recommended as standard `tower-csrf` is absent from `Cargo.toml`.
+- Confirm security headers (`Content-Security-Policy` via `headers.rs`) are indeed attached universally in `botserver` and not selectively omitted in new modules.
--- a/tests/example.spec.ts
+++ b/tests/example.spec.ts
@ -0,0 +1,18 @@
+import { test, expect } from '@playwright/test';
+
+test('has title', async ({ page }) => {
+  await page.goto('https://playwright.dev/');
+
+  // Expect a title "to contain" a substring.
+  await expect(page).toHaveTitle(/Playwright/);
+});
+
+test('get started link', async ({ page }) => {
+  await page.goto('https://playwright.dev/');
+
+  // Click the get started link.
+  await page.getByRole('link', { name: 'Get started' }).click();
+
+  // Expects page to have a heading with the name of Installation.
+  await expect(page.getByRole('heading', { name: 'Installation' })).toBeVisible();
+});
--- a/zap.md
+++ b/zap.md
@ -0,0 +1,299 @@
+# WhatsApp - Bot Salesianos
+respeitar AGENTS.md
+## Status: Operacional
+
+| Campo | Valor |
+|-------|-------|
+| Bot ID | `32c579e5-609b-4a07-8599-4e0fccc4d764` |
+| Phone | +15558293147 |
+| Phone ID | 323250907549153 |
+| Business ID | 1261667644771701 |
+
+---
+
+## Comandos
+
+- `/clear` - Limpa histórico da conversa
+
+---
+
+## Streaming
+
+1. Mensagens sem lista: enviar a cada 3 parágrafos
+2. Mensagens com lista: **ISOLAR como mensagem única** (sem texto antes ou depois)
+3. Limite máximo: 4000 caracteres por mensagem
+
+### Exemplo de Agrupamento Correto
+
+**Resposta completa do bot:**
+```
+Olá! 😊
+
+Infelizmente, não tenho a informação específica sobre o horário de funcionamento da Escola Salesiana no momento.
+
+Para obter essa informação, você pode:
+1. *Entrar em contato com a secretaria* - Posso te ajudar a enviar uma mensagem perguntando sobre os horários
+2. *Agendar uma visita* - Assim você conhece a escola pessoalmente e obtém todas as informações necessárias
+
+Gostaria que eu te ajudasse com alguma dessas opções? Se quiser entrar em contato com a secretaria, preciso apenas de:
+- Seu nome
+- Telefone
+- Email
+- Sua pergunta sobre os horários
+
+Ou, se preferir, posso agendar uma visita para você conhecer a escola! 🏫
+
+O que prefere?
+```
+
+**Deve ser enviado como 5 mensagens separadas:**
+
+**Mensagem 1:**
+```
+Olá! 😊
+
+Infelizmente, não tenho a informação específica sobre o horário de funcionamento da Escola Salesiana no momento.
+
+Para obter essa informação, você pode:
+```
+
+**Mensagem 2 (LISTA ISOLADA):**
+```
+1. *Entrar em contato com a secretaria* - Posso te ajudar a enviar uma mensagem perguntando sobre os horários
+2. *Agendar uma visita* - Assim você conhece a escola pessoalmente e obtém todas as informações necessárias
+```
+
+**Mensagem 3:**
+```
+Gostaria que eu te ajudasse com alguma dessas opções? Se quiser entrar em contato com a secretaria, preciso apenas de:
+```
+
+**Mensagem 4 (LISTA ISOLADA):**
+```
+- Seu nome
+- Telefone
+- Email
+- Sua pergunta sobre os horários
+```
+
+**Mensagem 5:**
+```
+Ou, se preferir, posso agendar uma visita para você conhecer a escola! 🏫
+
+O que prefere?
+```
+
+**Regras:**
+- ✅ Cada lista = **1 mensagem ISOLADA** (nunca misturar com texto)
+- ✅ Texto antes da lista = mensagem separada
+- ✅ Texto depois da lista = mensagem separada
+- ✅ Listas nunca são quebradas no meio
+
+---
+
+## Testar Webhook (Simular Callback)
+
+Script de teste em `/tmp/test_whatsapp.sh`:
+
+```bash
+#!/bin/bash
+# Testa o webhook do WhatsApp simulando uma mensagem
+
+BOT_ID="32c579e5-609b-4a07-8599-4e0fccc4d764"
+FROM="5521972102162"  # Número de teste
+
+curl -X POST "http://localhost:8080/webhook/whatsapp/${BOT_ID}" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "object": "whatsapp_business_account",
+    "entry": [{
+      "id": "1261667644771701",
+      "changes": [{
+        "field": "messages",
+        "value": {
+          "messaging_product": "whatsapp",
+          "metadata": {
+            "display_phone_number": "15558293147",
+            "phone_number_id": "323250907549153"
+          },
+          "contacts": [{
+            "wa_id": "'${FROM}'",
+            "profile": { "name": "Teste Usuario" }
+          }],
+          "messages": [{
+            "id": "test_msg_'$(date +%s)'",
+            "from": "'${FROM}'",
+            "timestamp": "'$(date +%s)'",
+            "type": "text",
+            "text": { "body": "Olá, como posso ajudar?" }
+          }]
+        }
+      }]
+    }]
+  }'
+```
+
+Executar teste:
+```bash
+bash /tmp/test_whatsapp.sh
+```
+
+---
+
+## Testar Comando /clear
+
+```bash
+BOT_ID="32c579e5-609b-4a07-8599-4e0fccc4d764"
+FROM="5521972102162"
+
+curl -X POST "http://localhost:8080/webhook/whatsapp/${BOT_ID}" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "object": "whatsapp_business_account",
+    "entry": [{
+      "id": "1261667644771701",
+      "changes": [{
+        "field": "messages",
+        "value": {
+          "messaging_product": "whatsapp",
+          "metadata": {
+            "display_phone_number": "15558293147",
+            "phone_number_id": "323250907549153"
+          },
+          "contacts": [{
+            "wa_id": "'${FROM}'",
+            "profile": { "name": "Teste Usuario" }
+          }],
+          "messages": [{
+            "id": "test_clear_'$(date +%s)'",
+            "from": "'${FROM}'",
+            "timestamp": "'$(date +%s)'",
+            "type": "text",
+            "text": { "body": "/clear" }
+          }]
+        }
+      }]
+    }]
+  }'
+```
+
+---
+
+## Debug
+
+```bash
+# Verificar servidor
+curl http://localhost:8080/health
+
+# Monitorar logs
+tail -f botserver.log | grep -iE "(whatsapp|Embedding)"
+
+# Verificar sessões ativas (requer acesso ao banco)
+# SELECT * FROM user_sessions WHERE bot_id = '32c579e5-609b-4a07-8599-4e0fccc4d764';
+```
+
+---
+
+## Arquivos Relacionados
+
+- Config: `/opt/gbo/data/salesianos.gbai/salesianos.gbot/config.csv`
+- Handler: `botserver/src/whatsapp/mod.rs`
+- Adapter: `botserver/src/core/bot/channels/whatsapp.rs`
+- Cache: `botserver/src/llm/cache.rs`
+
+---
+
+## Pendências
+
+1. **Implementar suporte a `/webhook/whatsapp/default`** (ver TODO abaixo)
+2. Configurar webhook na Meta Business Suite para produção
+3. Configurar SSL/TLS no servidor de produção
+
+---
+
+## 📋 TODO: Default Bot Routing
+
+### Objetivo
+Permitir que a URL `/webhook/whatsapp/default` funcione como roteador dinâmico de bots baseado em comandos de usuário.
+
+### Comportamento Atual
+- ✅ `/webhook/whatsapp/{uuid}` → Rota direta para bot específico
+- ❌ `/webhook/whatsapp/default` → **FALHA** (espera UUID, não aceita "default")
+
+### Comportamento Desejado
+1. `/webhook/whatsapp/default` → Rota para o bot default (`/opt/gbo/data/default.gbai/default.gbot`)
+2. Quando usuário digita um `whatsapp-id` (ex: "cristo", "salesianos"):
+   - Sistema busca bot com essa propriedade no `config.csv`
+   - Mapeia `phone_number` → `bot_id` na sessão/cache
+   - Troca de bot para aquela sessão
+3. Mensagens subsequentes daquele `phone_number` são roteadas para o bot mapeado
+4. Se usuário digitar outro `whatsapp-id`, encerra sessão anterior e abre nova para o novo bot
+
+### Arquivos a Modificar
+
+#### 1. `botserver/src/whatsapp/mod.rs`
+- **Linha ~178**: Modificar `verify_webhook` e `handle_webhook`
+  - Mudar `Path(bot_id): Path<Uuid>` → `Path(bot_id): Path<String>`
+  - Adicionar parsing: `"default"` → buscar UUID do bot default
+  - Manter parsing UUID para compatibilidade
+
+#### 2. `botserver/src/whatsapp/mod.rs`
+- **Nova função**: `resolve_bot_id(bot_id_str: &str, state: &AppState) -> Result<Uuid, Error>`
+  - Se `"default"` → retorna UUID do bot default via `get_default_bot()`
+  - Se UUID válido → retorna UUID
+  - Caso contrário → erro
+
+#### 3. `botserver/src/whatsapp/mod.rs`
+- **Nova função**: `check_whatsapp_id_routing(message_text: &str, state: &AppState) -> Option<Uuid>`
+  - Verifica se texto é um comando de troca de bot
+  - Busca em todos os bots por `whatsapp-id` no `config.csv`
+  - Retorna bot_id se encontrar match
+
+#### 4. `botserver/src/whatsapp/mod.rs`
+- **Modificar** `process_incoming_message`
+  - Antes de processar, verificar se mensagem é comando de roteamento
+  - Se for, atualizar mapeamento `phone` → `bot_id` no cache
+  - Se não for, usar mapeamento existente do cache
+
+### Bots com whatsapp-id Configurado
+- ✅ **cristo.gbot**: `whatsapp-id,cristo`
+- ❓ **salesianos.gbot**: verificar se tem whatsapp-id
+- ✅ **default.gbot**: não tem whatsapp-id (é o roteador)
+
+### Implementação em Passos
+
+**Passo 1**: Modificar handlers para aceitar "default"
+```rust
+// Antes
+Path(bot_id): Path<Uuid>
+
+// Depois
+Path(bot_id_str): Path<String>
+let bot_id = resolve_bot_id(&bot_id_str, &state)?;
+```
+
+**Passo 2**: Implementar `resolve_bot_id`
+- Buscar `get_default_bot()` quando `bot_id_str == "default"`
+- Parse UUID caso contrário
+
+**Passo 3**: Implementar roteamento dinâmico
+- Verificar cache: `phone_number` → `bot_id`
+- Se não existir, usar bot_id do webhook
+- Se mensagem for comando (whatsapp-id), atualizar cache
+
+**Passo 4**: Testar
+```bash
+# Teste 1: URL com default
+curl -X POST "http://localhost:8080/webhook/whatsapp/default" ...
+
+# Teste 2: URL com UUID (deve continuar funcionando)
+curl -X POST "http://localhost:8080/webhook/whatsapp/32c579e5-609b-4a07-8599-4e0fccc4d764" ...
+
+# Teste 3: Roteamento por comando
+# Enviar mensagem "cristo" → deve rotear para bot cristo
+# Enviar mensagem "salesianos" → deve trocar para bot salesianos
+```
+
+### URLs de Teste
+- Localtunnel: `https://bright-bananas-deny.loca.lt/webhook/whatsapp/default`
+- Local: `http://localhost:8080/webhook/whatsapp/default`
				`@ -0,0 +1 @@`
				`export NGROK_AUTHTOKEN=2f3uA0WXL3aDxjABuSWpYTWjjh5_2pqnDyrc7CU4o92UzocEt`