EKKOLearnAI · tw19880217-creator · May 20, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,36 @@
+## Summary
+
+-
+
+## Validation
+
+- [ ] `npm run test:aurora:unit`
+- [ ] `npx vue-tsc -b --pretty false`
+- [ ] `npm run build`
+- [ ] `npm run test:aurora` or manual Aurora browser smoke, when UI/routing/security changed
+
+## Aurora OS Integration Checklist
+
+Use `docs/aurora-validation.md` as the source of truth for detailed validation.
+
+- [ ] Aurora-facing capabilities are registered in `capability-manifest.ts` when they should appear in the coverage matrix.
+- [ ] Tool definitions use the correct L1-L4 security level.
+- [ ] Natural-language routing is isolated in `intent-parsers.ts` and covered by parser tests.
+- [ ] Structured legacy output renders through ResultOverlay presenters or App Mode, not raw JSON.
+- [ ] Heavy legacy apps open through App Mode without revealing the Advanced Console.
+- [ ] Hub/Proxy remains excluded from Aurora App Mode.
+- [ ] L3/L4 actions require approval and cannot bypass Governance or Approval Gateway.
+- [ ] Unknown Aurora prompts fall back to the standard Hermes chat stream.
+- [ ] Legacy Hermes routes, backend APIs, and Socket.IO streaming remain intact.
+
+## UI Evidence
+
+Add screenshots or recordings for visible Aurora/Hermes UI changes:
+
+- Idle launcher:
+- Active chat:
+- App Mode or overlay:
+
+## Notes
+
+-
diff --git a/.github/workflows/aurora-release-gate.yml b/.github/workflows/aurora-release-gate.yml
@@ -0,0 +1,74 @@
+name: Aurora Release Gate
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_candidate:
+        description: Release candidate label to validate
+        required: true
+        default: aurora-v0.1-rc
+      acknowledge_large_chunks:
+        description: Acknowledge known Vite large chunk warnings
+        required: true
+        default: 'false'
+        type: choice
+        options:
+          - 'false'
+          - 'true'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: aurora-release-gate-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  release-gate:
+    name: Validate ${{ inputs.release_candidate }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Require warning acknowledgement
+        if: ${{ inputs.acknowledge_large_chunks != 'true' }}
+        run: |
+          echo "Aurora release gate requires acknowledge_large_chunks=true."
+          echo "Known Vite large chunk warnings must be reviewed before release."
+          exit 1
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 23
+          cache: npm
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Install Playwright browsers
+        run: npx playwright install --with-deps chromium
+
+      - name: Run Aurora release smoke
+        run: npm run test:aurora
+
+      - name: Build production artifacts
+        run: npm run build
+
+      - name: Upload Aurora Playwright report
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: aurora-release-playwright-report-${{ inputs.release_candidate }}
+          path: playwright-report/
+          retention-days: 14
+
+      - name: Upload build output
+        if: ${{ success() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: aurora-release-dist-${{ inputs.release_candidate }}
+          path: dist/
+          retention-days: 14
diff --git a/.github/workflows/aurora-smoke.yml b/.github/workflows/aurora-smoke.yml
@@ -0,0 +1,70 @@
+name: Aurora Smoke
+
+on:
+  pull_request:
+    branches:
+      - main
+      - base
+    paths:
+      - '.github/workflows/aurora-smoke.yml'
+      - 'docs/aurora-*.md'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'packages/client/src/**'
+      - 'packages/server/src/**'
+      - 'tests/client/aurora-*.test.ts'
+      - 'tests/e2e/aurora-os.spec.ts'
+  workflow_dispatch:
+    inputs:
+      full_e2e:
+        description: Run full Aurora Playwright browser smoke
+        required: true
+        default: 'false'
+        type: choice
+        options:
+          - 'false'
+          - 'true'
+  schedule:
+    - cron: '0 18 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  aurora-smoke:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 23
+          cache: npm
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run Aurora unit smoke
+        run: npm run test:aurora:unit
+
+      - name: Run Vue type check
+        run: npx vue-tsc -b --pretty false
+
+      - name: Install Playwright browsers
+        if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.full_e2e == 'true') }}
+        run: npx playwright install --with-deps chromium
+
+      - name: Run Aurora browser smoke
+        if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.full_e2e == 'true') }}
+        run: npx playwright test tests/e2e/aurora-os.spec.ts
+
+      - name: Upload Aurora Playwright report
+        if: ${{ !cancelled() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.full_e2e == 'true')) }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: aurora-playwright-report
+          path: playwright-report/
+          retention-days: 7
diff --git a/.gitignore b/.gitignore
@@ -49,3 +49,10 @@ CLAUDE.md
 # Client source map artifacts
 packages/client/src/**/*.js
 .hermes/
+
+# Local runtime/state and generated app bundles
+.runtime/
+data/
+build/
+src-tauri/target/
+src-tauri/gen/schemas/
diff --git a/AGENTS.md b/AGENTS.md
@@ -50,3 +50,15 @@ Use the smallest relevant check while iterating. Before a broad PR, run
 Improve the harness instead of repeating the same prompt. Add missing docs,
 tests, logs, scripts, or CI checks so the next agent can see and verify the
 constraint directly.
+
+## Local Hermes Web UI API
+
+
+When checking local Hermes Web UI APIs from terminal tools, do not call `http://127.0.0.1:8648/api/...` directly without auth. Use:
+
+```bash
+scripts/hermes-webui-api GET /api/hermes/quant-lab/snapshot
+scripts/hermes-quant-top10
+```
+
+These helpers read the local Web UI token from `.runtime/.hermes-web-ui/.token` and add the required `Authorization` header without printing the token.