From 843cd7c3e5a5a8dec366b947a5fe7fa84da72748 Mon Sep 17 00:00:00 2001
From: shikokuchuo <53399081+shikokuchuo@users.noreply.github.com>
Date: Thu, 21 May 2026 13:11:07 +0100
Subject: [PATCH 1/2] fix(preview): relative iframe src for subpath deployment
 (bd-0pm7a)

Q2DebugIframe and Q2PreviewIframe hard-coded `src="/q2-*.html"`, which
is root-absolute and bypasses Vite's `base: './'`. Locally and in
Playwright the SPA is served at the host root so the two coincide;
under a subpath deployment the iframe requested `https://host/q2-*.html`
and got the platform's 404 / SPA shell, blanking the preview. Dropping
the leading slash resolves the iframe against the parent doc's
pathname, matching how the rest of the build references its assets.
Hash-only routing keeps the parent's pathname stable across client
navigation, so the relative form is correct at every route.
---
 hub-client/src/components/render/q2-debug/Q2DebugIframe.tsx | 2 +-
 ts-packages/preview-renderer/src/iframe/Q2PreviewIframe.tsx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hub-client/src/components/render/q2-debug/Q2DebugIframe.tsx b/hub-client/src/components/render/q2-debug/Q2DebugIframe.tsx
index 9cf8a2e0d..5a345c14c 100644
--- a/hub-client/src/components/render/q2-debug/Q2DebugIframe.tsx
+++ b/hub-client/src/components/render/q2-debug/Q2DebugIframe.tsx
@@ -74,7 +74,7 @@ export function Q2DebugIframe({
   return (
     <iframe
       ref={iframeRef}
-      src="/q2-debug.html"
+      src="q2-debug.html"
       title="q2-debug Renderer"
       sandbox="allow-scripts allow-same-origin"
       style={{
diff --git a/ts-packages/preview-renderer/src/iframe/Q2PreviewIframe.tsx b/ts-packages/preview-renderer/src/iframe/Q2PreviewIframe.tsx
index 54ba692fa..db09c55d6 100644
--- a/ts-packages/preview-renderer/src/iframe/Q2PreviewIframe.tsx
+++ b/ts-packages/preview-renderer/src/iframe/Q2PreviewIframe.tsx
@@ -232,7 +232,7 @@ export function Q2PreviewIframe({
   return (
     <iframe
       ref={iframeRef}
-      src="/q2-preview.html"
+      src="q2-preview.html"
       title="q2-preview Renderer"
       sandbox="allow-scripts allow-same-origin"
       style={{

From 25cd60826dfd855c8023a24adb6fd7151a4b0168 Mon Sep 17 00:00:00 2001
From: shikokuchuo <53399081+shikokuchuo@users.noreply.github.com>
Date: Thu, 21 May 2026 13:11:22 +0100
Subject: [PATCH 2/2] sync beads (close bd-0pm7a)

---
 .beads/issues.jsonl | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/.beads/issues.jsonl b/.beads/issues.jsonl
index 2495bd3bb..d8851e48e 100644
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
@@ -1,10 +1,13 @@
-{"id":"bd-068k","title":"Phase 0: quarto-publish crate scaffold + provider trait","description":"Phase 0 of bd-t3ny. Build the quarto-publish crate skeleton: types, PublishProvider trait (prepare/commit/verify), PublishHost, PublishRenderer, ProviderRegistry, NativeHost, CLI argument validation, and wire into crates/quarto/src/commands/publish.rs (replacing NotImplemented stub).\n\nProvider impls in this phase: gh-pages registered with prepare/commit unimplemented!() — tests exercise registry lookup and CLI dispatch only.\n\nPlan: claude-notes/plans/2026-05-03-publish-command-and-gh-pages.md (Phase 0 section)","status":"completed","priority":1,"issue_type":"task","created_at":"2026-05-03T14:37:32.946678Z","created_by":"cscheid","updated_at":"2026-05-03T14:57:58.079046Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-068k","depends_on_id":"bd-t3ny","type":"parent-child","created_at":"2026-05-03T14:37:32.946678Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-068k","title":"Phase 0: quarto-publish crate scaffold + provider trait","description":"Phase 0 of bd-t3ny. Build the quarto-publish crate skeleton: types, PublishProvider trait (prepare/commit/verify), PublishHost, PublishRenderer, ProviderRegistry, NativeHost, CLI argument validation, and wire into crates/quarto/src/commands/publish.rs (replacing NotImplemented stub).\n\nProvider impls in this phase: gh-pages registered with prepare/commit unimplemented!() — tests exercise registry lookup and CLI dispatch only.\n\nPlan: claude-notes/plans/2026-05-03-publish-command-and-gh-pages.md (Phase 0 section)","status":"closed","priority":1,"issue_type":"task","created_at":"2026-05-03T14:37:32.946678Z","created_by":"cscheid","updated_at":"2026-05-03T14:57:58.079046Z","closed_at":"2026-05-03T14:57:58.079046Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-068k","depends_on_id":"bd-t3ny","type":"parent-child","created_at":"2026-05-03T14:37:32.946678Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-0a3b","title":"Cargo: upgrade rand v0.9.4 → v0.10.1","description":"Major upgrade surfaced by cargo-upgrade survey 2026-05-04. Current 0.9.4 is range-pinned in workspace; latest is 0.10.1. Type: pre-1.0 minor (semver-breaking). Review changelog and bump deliberately. See claude-notes/plans/2026-05-04-cargo-upgrade-survey.md and bd-hb8h.","status":"open","priority":3,"issue_type":"chore","created_at":"2026-05-04T18:15:54.920222Z","created_by":"cscheid","updated_at":"2026-05-04T19:06:15.700658Z","source_repo":".","compaction_level":0,"original_size":0,"labels":["cargo","deps"],"dependencies":[{"issue_id":"bd-0a3b","depends_on_id":"bd-hb8h","type":"discovered-from","created_at":"2026-05-04T18:16:05.024220Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-0fd0","title":"Lua filter injection slot between generate and render transforms","description":"Today, UserFiltersStage::pre() runs before AstTransformsStage and ::post() runs after. There is no Lua filter slot interleaved between generate-style transforms (NavbarGenerate, SidebarGenerate, ListingGenerate, etc.) and their render-side counterparts inside AstTransformsStage, so user filters cannot mutate resolved navigation/listings data before HTML emission.\n\nStrawman: split build_transform_pipeline (crates/quarto-core/src/pipeline.rs) into build_generate_transforms() and build_render_transforms() with a configurable user-filter bridge in between. The L3 listing transforms, navbar generate, sidebar generate, etc., become the first consumers.\n\nSource-code TODO markers should land at:\n- crates/quarto-core/src/pipeline.rs (NAVIGATION PHASE comment block)\n- crates/quarto-core/src/transforms/navbar_generate.rs (existing precedent with the same latent assumption)\n- crates/quarto-core/src/transforms/listing_generate.rs (added during L3)\n\nDiscovered while writing L3 (bd-ml8z) sub-plan; see D2/D13 in claude-notes/plans/2026-05-06-listings-L3-resolve-transform.md.","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-06T18:26:18.595826Z","created_by":"cscheid","updated_at":"2026-05-06T18:26:18.595826Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-0fd0","depends_on_id":"bd-ml8z","type":"discovered-from","created_at":"2026-05-06T18:26:18.595826Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-0gkh3","title":"Phase 6 — hub-mcp refresh-on-401 (RefreshManager)","description":"New module ts-packages/quarto-hub-mcp/src/auth/refresh-manager.ts wrapping CredentialStore + oauth4webapi refresh-token grant.\n\nBehaviour fixed by empirical verification 2026-05-19: Google does NOT rotate refresh tokens for Limited-Input-Devices clients, so the persistence rule is keep-prior-on-missing. Defensive test still covers the rotated-refresh-token case.\n\nConcurrent-callers coalesce via in-flight-promise mutex; invalid_grant from Google triggers CredentialStore.clear() + typed ReauthRequired naming authenticate_start.\n\nPlan §Phase 6: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:14.252095Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:14.252095Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-0gkh3","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:14.252095Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-0gsj","title":"Fix CRLF handling in tree-sitter-qmd grammar.js for pipe tables","description":"Tree-sitter grammar at crates/tree-sitter-qmd/tree-sitter-markdown/grammar.js parses pipe tables incorrectly when input uses CRLF line endings. With LF input, the pipe table closes at the blank line and following content becomes a separate block. With CRLF input, the table absorbs the following paragraph as a malformed body row. Bug propagates through pampa end-to-end: rendered Pandoc AST is structurally wrong for any Windows user with core.autocrlf=true (default) authoring a pipe table followed by a paragraph. Affects all output formats (HTML, PDF, Word) since Pandoc AST is upstream of every writer. Surfaced 2026-04-24 during PR 109 Windows verification as 5 failing pipe-table corpus tests; investigation in bd-ntnx classified it as a real grammar bug, not a corpus formatting issue. Full reproducer and observed parse trees in the design field. Cross-reference q2-windows-verify-tests memory note for related Windows CRLF failures.","design":"Reproducer. Two layers, both diagnostic. Layer 1 tests grammar.js directly. Layer 2 tests the full pampa pipeline that real users hit. Fixtures live in the tree-sitter-markdown directory so tree-sitter parse picks up the configured grammar without an init-config step.\n\nLayer 1 (grammar.js):\n\nprintf \"before\\r\\n\\r\\n| a | b |\\r\\n|---|---|\\r\\n| 1 | 2 |\\r\\n\\r\\nafter\\r\\n\" > crates/tree-sitter-qmd/tree-sitter-markdown/test-crlf.qmd\nprintf \"before\\n\\n| a | b |\\n|---|---|\\n| 1 | 2 |\\n\\nafter\\n\" > crates/tree-sitter-qmd/tree-sitter-markdown/test-lf.qmd\ncd crates/tree-sitter-qmd/tree-sitter-markdown\ntree-sitter parse test-crlf.qmd > test-crlf.parse\ntree-sitter parse test-lf.qmd > test-lf.parse\ndiff test-crlf.parse test-lf.parse\n\nLayer 2 (pampa end-to-end):\n\ncargo run --quiet -p pampa --bin pampa -- crates/tree-sitter-qmd/tree-sitter-markdown/test-crlf.qmd > pampa-crlf.out\ncargo run --quiet -p pampa --bin pampa -- crates/tree-sitter-qmd/tree-sitter-markdown/test-lf.qmd > pampa-lf.out\ndiff pampa-crlf.out pampa-lf.out\n\nObserved parse trees from Layer 1 on this branch (fix/windows-tree-sitter-crlf at 80f07171). Both trees agree on the prefix, so the divergence is the trailing block:\n\nLF (correct, table closes at the blank line):\n  pipe_table [2, 0] - [5, 0]\n    pipe_table_header [2, 0] - [2, 9] ...\n    pipe_table_delimiter_row [3, 0] - [3, 9] ...\n    pipe_table_row [4, 0] - [4, 9] ...\n  pandoc_paragraph [6, 0] - [7, 0]\n    pandoc_str [6, 0] - [6, 5]\n\nCRLF (buggy, table absorbs following paragraph):\n  pipe_table [2, 0] - [7, 0]\n    pipe_table_header [2, 0] - [2, 9] ...\n    pipe_table_delimiter_row [3, 0] - [3, 9] ...\n    pipe_table_row [4, 0] - [4, 9] ...\n    pipe_table_row [6, 0] - [6, 5]   <- SPURIOUS, should be a separate paragraph\n      pipe_table_cell [6, 0] - [6, 5]\n        pandoc_str [6, 0] - [6, 5]\n\nObserved Pandoc AST from Layer 2 (pampa default -t native), confirming the bug propagates past pampa input handling:\n\nLF: [Para [Str \"before\"], Table ... [body row [1,2]], Para [Str \"after\"]]\nCRLF: [Para [Str \"before\"], Table ... [body rows [1,2] AND [Plain \"after\"]]]   <- no trailing Para\n\nConfirms pampa does NOT normalize line endings before feeding the grammar. End-user impact: any qmd document with CRLF endings, a pipe table, and following content produces structurally wrong output in every writer that consumes Pandoc AST.\n\nOpen design questions for the fix.\n\n1. Locate the bug in grammar.js. Likely candidates: newline character classes that match only \\n, or the external scanner (scanner.cc) handling of block boundary detection. Read both grammar.js and any external scanner before patching. Tree-sitter-markdown forks vary on this — confirm what our fork does versus what works.\n\n2. Upstream vs local fix. This grammar is forked from MDeiml/tree-sitter-markdown (or whichever upstream we track — confirm in tree-sitter.json or README). If upstream already fixes this, cherry-pick. If not, patch locally and consider an upstream PR.\n\n3. Test-corpus line-ending policy after the fix. Two viable strategies:\n   a. Keep test/corpus/*.txt files materialized as CRLF on Windows checkout and rely on the fixed grammar to parse them identically. Tests then exercise CRLF on Windows and LF on Linux, which is useful coverage but creates a small risk that future grammar changes regress CRLF handling silently when only Linux CI runs.\n   b. Pin test/corpus/*.txt to LF via .gitattributes (eol=lf for that subdirectory only) and add a separate Windows-only regression test that re-creates the fixtures with CRLF and asserts the parse trees match. More explicit, less coverage drift.\n\n   The choice depends on whether we expect frequent grammar changes and whether ubuntu-only CI is sustainable. Recommend deciding before landing the grammar fix.\n\n4. Audit other CRLF patterns. The 5 failing pipe-table tests are the surface; there may be other constructs whose grammar paths assume \\n only. Grep grammar.js (and scanner.cc if present) for \\n usages and audit each one.\n\nReference. Investigation history and original framing in bd-ntnx (closed). Memory note q2-windows-verify-tests catalogues related Windows CRLF failures.","acceptance_criteria":"tree-sitter parse on matched CRLF and LF qmd inputs produces identical S-expression trees for pipe-table fixtures (Layer 1 reproducer diff is empty). pampa default native output is identical for the same matched inputs (Layer 2 reproducer diff is empty). All 5 originally-failing pipe-table tests under cd crates/tree-sitter-qmd/tree-sitter-markdown && tree-sitter test pass on Windows: Example 201 (GFM), Pipe table can precede content (two variants), Pipe table can follow content, Pipe table with blank-line caption. cargo xtask verify step 4 (tree-sitter test) passes on Windows. cargo nextest run --workspace and cargo xtask verify continue to pass on Linux CI (no regression). Decision recorded in commit message or PR description for upstream-vs-local fix and for test-corpus line-ending policy. Audit findings recorded for any other CRLF patterns discovered in grammar.js or scanner.cc. q2-windows-verify-tests memory note updated with PR link and resolution.","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-04-27T14:26:53.718601600Z","created_by":"cderv","updated_at":"2026-05-04T13:45:00.482193500Z","closed_at":"2026-05-04T13:45:00.481818100Z","close_reason":"PR #139 merged 2026-04-30: fixed CRLF pipe-table line ending in scanner.c (typo fix at line 2259), added Rust regression test and xtask CRLF parity check","external_ref":"https://github.com/quarto-dev/q2/issues/138","source_repo":".","compaction_level":0,"original_size":0,"labels":["tree-sitter","windows"],"dependencies":[{"issue_id":"bd-0gsj","depends_on_id":"bd-ntnx","type":"discovered-from","created_at":"2026-04-27T14:26:53.718601600Z","created_by":"cderv","metadata":"{}","thread_id":""}],"comments":[{"id":15,"issue_id":"bd-0gsj","author":"cderv","text":"PR #139 opened (https://github.com/quarto-dev/q2/pull/139). Layer 1 + Layer 2 reproducer diffs empty post-fix. tree-sitter test on Windows: 451/451 (was 446/451). Decision: local fix, not upstream — typo introduced on this fork in 79489c4e. Decision: no .gitattributes change for test corpus — fixed grammar parses LF and CRLF identically, so existing corpus tests both modes (LF on Linux, CRLF on Windows checkout). Audit: line 2259 was the only outlier; all other newline checks in scanner.c use paired '\\n' || '\\r'. Added Rust regression test pipe_table_crlf_matches_lf for cross-platform coverage.","created_at":"2026-04-28T15:37:36Z"},{"id":16,"issue_id":"bd-0gsj","author":"cderv","text":"Tomorrow's verification (next session pickup): (1) check PR #139 CI status — gh pr checks 139 --repo quarto-dev/q2; (2) if green, merge; (3) on merge, close bd-0gsj with PR link as the close reason; (4) flush and commit accumulated .beads/issues.jsonl from main repo (this session created bd-vxl8 and bd-picv, plus comments on bd-238o, bd-3pe8, bd-0gsj); (5) update q2-windows-verify-tests memory note status to fully resolved.","created_at":"2026-04-28T16:05:51Z"},{"id":18,"issue_id":"bd-0gsj","author":"cderv","text":"CRLF parity check landed in commit 8f61f587 on branch fix/windows-tree-sitter-crlf (PR #139). cargo xtask verify step 4 now re-runs tree-sitter test against a CRLF-converted corpus copy; 451/451 pass, regression-tested by reverting scanner.c (446/451, build fails). Awaiting PR merge to close.","created_at":"2026-04-29T16:25:17Z"}]}
 {"id":"bd-0jyl","title":"Source-info threading through listing markdown re-parse","description":"L3's ListingRenderTransform invokes pampa::readers::qmd::read on doctemplate output to obtain Pandoc blocks, then discards the fresh SourceContext. Diagnostics from that re-parse are collapsed into a single Q-12-10 host-page warning naming the listing id and first message — not threaded back to the host page's SourceContext.\n\nFor a proper design, a way is needed to merge the fresh SourceContext from the re-parse into the host page's SourceContext, *and* preserve the chain 'host YAML key → template substitution → markdown span' through to the diagnostic. Likely cuts across quarto-source-map, quarto-doctemplate, and the diagnostic-builder layer. Worth its own design session.\n\nDiscovered while writing L3 (bd-ml8z) sub-plan; see D3 in claude-notes/plans/2026-05-06-listings-L3-resolve-transform.md.","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-06T18:26:24.690377Z","created_by":"cscheid","updated_at":"2026-05-06T18:26:24.690377Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-0jyl","depends_on_id":"bd-ml8z","type":"discovered-from","created_at":"2026-05-06T18:26:24.690377Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-0mji","title":"Phase D follow-up: SPA render-event hook + dep-graph filter regression tests","description":"Two related affordances needed once Phase D's dep-graph filter for re-render is implemented:\n\n1. **SPA render-event hook.** PreviewApp's render useEffect re-fires for every contentTick bump. Today this is invisible at the DOM when neither active-page content nor merged metadata change. A small test-only counter (window.__renderTicks or similar) would let Playwright assert 'this edit did/didn't trigger a re-render' for cases where the rendered output is identical.\n\n2. **Dep-graph filter regression tests.** Once Phase D filters re-renders against ProjectDependencyGraph, we need:\n   - Active page re-renders when an edited sibling IS a dependency (positive case).\n   - Active page does NOT re-render when an edited sibling is NOT a dependency (negative case — the savings).\n\nReframes the deferred Phase B.4 plan acceptance criterion 3 ('editing an unrelated sibling re-renders the active page only when there's a dep edge'). In Phase B the contract was relaxed to 'always re-renders' because no filter exists; Phase D restores the original strict contract.\n\nPlan: claude-notes/plans/2026-05-13-q2-preview-phase-b.md §B.4 (deferred criterion 3).","status":"closed","priority":3,"issue_type":"task","created_at":"2026-05-13T21:11:41.646912Z","created_by":"cscheid","updated_at":"2026-05-14T19:25:36.371752Z","closed_at":"2026-05-14T19:25:36.371611Z","close_reason":"Both items resolved: (1) window.__renderTicks render-event hook landed in D.3 (bd-kw93.9, commit 1ddcbeaf); (2) dep-graph filter regression tests landed in D.6 (bd-kw93.12, commit 7310d44b) — negative case in dep-graph-filter.spec.ts, positive case in the existing include-shortcode.spec.ts (Phase B.3).","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-0mji","depends_on_id":"bd-kw93","type":"parent-child","created_at":"2026-05-13T21:11:41.646912Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-0mji","depends_on_id":"bd-mrx1","type":"discovered-from","created_at":"2026-05-13T21:11:41.646912Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-0pm7a","title":"fix(preview): iframe src must be relative to support subpath deployment","description":"Q2DebugIframe and Q2PreviewIframe hard-code src='/q2-debug.html' and src='/q2-preview.html' (root-absolute). Vite is configured with base: './' so the rest of the build uses relative URLs. Locally and in Playwright the app is served at the host root, so the two are indistinguishable; when deployed under a subpath the iframe src resolves to the wrong origin path and the iframe loads a 404 / SPA shell, leaving the preview blank. Fix: drop the leading slash in both files.","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-05-21T11:56:32.004803Z","created_by":"shikokuchuo","updated_at":"2026-05-21T12:11:14.743822Z","closed_at":"2026-05-21T12:11:14.743764Z","close_reason":"Dropped the leading slash on both iframe srcs (commit 843cd7c3). Subpath deployment verified locally.","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0}
 {"id":"bd-0tr6","title":"Website projects epic: multi-page sites with sidebars, shared resources, and hub-client integration","description":"Design and implement multi-page website projects for Quarto 2. Covers: typed static-document snapshots (PageSnapshot/DocumentProfile working name), pipeline resumability, ProjectType trait, website sidebars, scoped/relocatable artifact stores (site_libs), cross-doc link rewriting, sitemap/favicon/site-url, incremental rebuilds, and hub-client project rendering.\n\nMVP scope explicitly excludes: search, listings/RSS, aliases, announcements, analytics, 404, reader-mode, repo-actions, breadcrumbs, book project type, quarto preview, freeze.\n\nPlan: claude-notes/plans/2026-04-23-website-project-epic.md\n\nDesign decisions from initial conversation:\n- Snapshot is a typed serializable value produced at a pipeline checkpoint after MetadataMergeStage; downstream code consumes Vec<DocumentProfile>; user filters read but do not mutate.\n- Pipeline stages up to snapshot are resumable (cloneable) to avoid redundant execution across pass 1 (snapshot sweep) and pass 2 (per-file render).\n- ProjectType trait introduced now (website, default). Single-document renders go through DefaultProjectType.\n- Artifact stores scope-aware (Page vs Project) and relocatable; single-doc = project with implicit _quarto.yml.\n- Hub-client caches project nav state; renders active page with cached state. Design must leave room for Q2 'quarto preview' which will be a local hub-client instance.\n- Naming TBD in Phase 0 (DocumentProfile working name; user dislikes Page*/Metadata*).","status":"open","priority":1,"issue_type":"epic","created_at":"2026-04-23T18:42:28.206394Z","created_by":"cscheid","updated_at":"2026-04-23T18:42:28.206394Z","source_repo":".","compaction_level":0,"original_size":0}
+{"id":"bd-0ufq5","title":"Phase 2 — Hub middleware: Bearer extraction + audience allowlist + CSRF/Origin gating","description":"Land Bearer-auth support in crates/quarto-hub alongside the existing cookie path. TDD: write the 30-test set in crates/quarto-hub/tests/auth_bearer.rs first, then implement.\n\nTouch points: auth.rs (audience config, OidcClaims migration, azp/iat checks), server.rs (cookie extraction, Authenticated extractor, CSRF + WS-Origin gating).\n\nDual-credential 400 rule and full OIDC §3.1.3.7 azp logic are required. Sibling bug bd-XXXX tracks the dual-credential CVE test specifically.\n\nPlan §Phase 2: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"closed","priority":1,"issue_type":"task","created_at":"2026-05-20T14:26:56.463684Z","created_by":"shikokuchuo","updated_at":"2026-05-20T21:22:38.345334Z","closed_at":"2026-05-20T21:22:38.345295Z","close_reason":"Phase 2 landed. AuthConfig.additional_audiences plumbed, OidcClaims gained aud/azp/iat, build_auth_state_from_parts added, extract_credential + CredentialKind + dual-credential 400 in server.rs, Authenticated carries credential_kind, CSRF/WS-Origin gated, audit emission via tracing::event!. 33 new integration tests + 7 lib tests pass; cargo xtask verify --skip-hub-build clean. See plan.","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-0ufq5","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:26:56.463684Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-0wyo","title":"Server-precomputed other_metadata_html for default listing","description":"Q1's item-default.ejs.md iterates over fields *not* in the curated set ('title','image','image-alt','date','author','subtitle','description','reading-time','categories') and emits a <div class=\"metadata-value listing-{field}\">…</div> per such field. This is dynamic in EJS — there is no equivalent in doctemplate without server-side precomputation.\n\nL3 v1 ships the default listing with curated-fields-only output. This issue picks up the gap by adding an other_metadata_html string to the per-item TemplateValue::Map binding, computed server-side in the listing render transform. The built-in item-default.template gets one more interpolation site: $item.other-metadata-html$.\n\nSource-code TODO marker lands in crates/quarto-core/src/project/listing/templates/item-default.template at the otherFields gap location (added during L3).\n\nDiscovered while writing L3 (bd-ml8z) sub-plan; see D15 in claude-notes/plans/2026-05-06-listings-L3-resolve-transform.md.","status":"open","priority":3,"issue_type":"task","created_at":"2026-05-06T18:26:31.323613Z","created_by":"cscheid","updated_at":"2026-05-06T18:26:31.323613Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-0wyo","depends_on_id":"bd-ml8z","type":"discovered-from","created_at":"2026-05-06T18:26:31.323613Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-0xmt","title":"Phase A.0: Lift WASM JS bridge to @quarto/wasm-js-bridge workspace package","description":"Move hub-client/src/wasm-js-bridge/ to a new @quarto/wasm-js-bridge workspace package. Wire hub-client + q2-preview-spa + preview-renderer test configs to alias /src/wasm-js-bridge -> the package's src. Removes the cross-platform symlink/duplication risk for Phase A.3. See claude-notes/plans/2026-05-13-q2-preview-phase-a.md §A.0.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-05-13T16:53:11.353454Z","created_by":"cscheid","updated_at":"2026-05-13T17:07:44.781502Z","closed_at":"2026-05-13T17:07:44.781355Z","close_reason":"Bridge files moved to @quarto/wasm-js-bridge workspace package; consumers alias /src/wasm-js-bridge. Verified end-to-end (sass compile through bridge proven by hub-client test:wasm; cargo xtask verify 11/11). Commits ea1bb889 + changelog 043f65e1.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-0xmt","depends_on_id":"bd-kw93","type":"parent-child","created_at":"2026-05-13T16:53:11.353454Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-1066","title":"HTML comments lost during incremental writes","description":"HTML comments (<\\!-- ... -->) are dropped from the Pandoc AST during parsing. tree-sitter parses them as 'comment' nodes which become IntermediateUnknown and are silently removed. This causes comments to be lost when the incremental writer rewrites blocks containing comments. Block-level standalone comments survive as empty Para blocks (preserved via source spans on KeepBefore), but inline comments within paragraphs are completely gone.","status":"open","priority":1,"issue_type":"bug","created_at":"2026-02-09T15:35:05.022976Z","created_by":"cscheid","updated_at":"2026-02-09T15:35:05.022976Z","source_repo":".","compaction_level":0,"original_size":0}
@@ -99,6 +102,7 @@
 {"id":"bd-78ud","title":"Empty {stem}_files/ cleanup for pages with no Page-scoped artifacts","description":"Today render_document_to_file calls prepare_html_resources which always creates {stem}_files/, even when the page emits no Page-scoped artifacts (which is the common case for prose-only pages under a website project — all theme/extension CSS lives in site_libs/). Result: every rendered website has empty {stem}_files/ directories scattered around. Opportunity: defer creation until the first Page-scoped write, or skip creation entirely when no Page artifacts exist. Tracked from Phase 5 as open question 5; see claude-notes/plans/2026-04-24-websites-phase-5.md.","status":"closed","priority":3,"issue_type":"task","created_at":"2026-04-25T01:31:24.276058Z","created_by":"cscheid","updated_at":"2026-04-29T17:19:51.662612Z","closed_at":"2026-04-29T17:19:51.662200Z","close_reason":"Dropped eager dir_create from prepare_html_resources. {stem}_files/ is now created lazily by write_artifacts via dir_create(parent, true) on each artifact write — only when there's something to put inside. Prose-only website pages no longer leave empty per-page dirs in _site/. Single-doc renders still create the dir (theme CSS routes there for lib_dir == ''). New regression test website_render_omits_empty_stem_files_dirs in tests/artifact_scoping_pipeline.rs. End-to-end verified across 5 example projects: 0 empty dirs in any _site tree.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-78ud","depends_on_id":"bd-u5pr","type":"discovered-from","created_at":"2026-04-25T01:31:24.276058Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-79xl","title":"Surface FormatIdentifier::Custom discriminant in TS engine protocol","description":"TsEngine::execute (Plan 1a Phase 1) asserts !matches!(fmt.identifier, FormatIdentifier::Custom(_)) because Custom(u32).as_str() returns the literal \"custom\" and drops the u32 discriminant (crates/quarto-core/src/format.rs:44-58). The assert means TS engine extensions cannot run against any custom format.\n\nResolution path:\n- Decide where the per-Custom(u32) format name lives. Either add a registry that maps the discriminant to a name string, or include the discriminant in the protocol via a new field (e.g., add an optional \"custom-name\" field to TsFormatIdentifier).\n- Plumb it through TsFormatIdentifier.base-format (or a sibling) so the harness can pass it to TS engines correctly.\n- Remove the assert in TsEngine::execute.\n\nLand before the first custom format ships to production. No urgency today (no in-tree custom formats); urgency rises when a downstream extension defines one.\n\nContext: discovered during Plan 1a editorial review. See claude-notes/plans/2026-04-16-plan1a-protocol-and-core.md (\"Custom-format gotcha\" in the format.identifier mapping section).","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-06T19:06:56.710766Z","created_by":"gordon","updated_at":"2026-05-06T19:06:56.710766Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-7co9","title":"Clean up stale 'fork of tree-sitter-markdown' framing in tree-sitter-qmd","description":"tree-sitter-qmd is repo-native and has been developed independently for a long time, but several files still describe it as a fork of upstream tree-sitter-markdown. This misleads agents auditing for vendored dependencies (see claude-notes/research/vendored-dependencies-inventory.md entry H). Files to fix: crates/tree-sitter-qmd/README.md (line 3 fork claim); crates/tree-sitter-qmd/package.json (name/version/author/repository all upstream values); crates/tree-sitter-qmd/tree-sitter.json (metadata still upstream); crates/tree-sitter-qmd/README.tree-sitter-md.md (verbatim upstream README — delete or mark historical); the nested crates/tree-sitter-qmd/tree-sitter-markdown/ directory implies vendoring by layout (rename optional). tree-sitter-doctemplate was checked and is fine.","status":"closed","priority":3,"issue_type":"chore","created_at":"2026-05-04T21:24:05.479792Z","created_by":"cscheid","updated_at":"2026-05-04T21:39:51.600399Z","closed_at":"2026-05-04T21:39:51.600240Z","close_reason":"Cleaned up stale fork framing in tree-sitter-qmd: README.md rewritten, tree-sitter.json metadata replaced, README.tree-sitter-md.md and package.json/lock deleted. Committed on .worktrees/7co9-fork-framing-cleanup. Other multi-language scaffolding (pyproject.toml, setup.py, go.mod, Package.swift, binding.gyp, CMakeLists.txt, Makefile, bindings/{go,node,python,swift}/) left as a possible follow-up.","source_repo":".","compaction_level":0,"original_size":0,"labels":["deps","docs"],"dependencies":[{"issue_id":"bd-7co9","depends_on_id":"bd-xm7l","type":"discovered-from","created_at":"2026-05-04T21:24:05.479792Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-7eohf","title":"Phase 4 — hub-mcp device-flow primitives (initiate + pollOnce)","description":"New module ts-packages/quarto-hub-mcp/src/auth/device-flow.ts on oauth4webapi + jose. Two primitives — initiateDeviceFlow, pollDeviceFlowOnce — not a single blocking flow.\n\nTDD: 14-test fixture-driven suite (msw or undici MockAgent — never live Google), then implement. Centralised redact() at every log site; process-level uncaughtException handlers scrub Google-token-shaped substrings.\n\nClient auth: oauth.ClientSecretPost(secret). client_id and client_secret sourced only from process.env (QUARTO_HUB_MCP_CLIENT_ID / _CLIENT_SECRET).\n\nPlan §Phase 4: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:05.380683Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:05.380683Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-7eohf","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:05.380683Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-7giz","title":"Add 'cargo xtask setup' for fresh clone/worktree bootstrap","description":"Fresh worktrees (and fresh clones) currently fail 'cargo xtask verify' because the hub-client TypeScript build depends on node_modules/ that isn't created by verify. Discovered while bootstrapping the issue-152 worktree on 2026-05-03 — verify ran the WASM build successfully, then hub-client's tsc step failed with 'Cannot find module' for every npm dep until 'npm install' was run manually from the worktree root.\n\nProposal: introduce 'cargo xtask setup' as a discrete bootstrap verb that runs 'npm install' (and any future first-run prerequisites like rustup component add). Then either:\n  (a) have 'verify' detect a missing node_modules/ and exit with 'run cargo xtask setup first', or\n  (b) have 'verify' call into the same setup logic when it detects first-run state.\n\nOther large Rust+JS monorepos (Deno, Tauri) keep these separate; rust-analyzer hard-fails with a hint. Keeping 'verify' semantically about checking (not network installs) seems preferable.\n\nCross-reference: this snag should also be documented in the upcoming triage/diagnose skill (.claude/skills/triage.md, not yet created) so that running the skill on a fresh worktree picks up bootstrap as a prerequisite step. Until 'cargo xtask setup' exists, the skill should explicitly run 'npm install' before 'cargo xtask verify'.","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-03T16:21:43.847529Z","created_by":"cscheid","updated_at":"2026-05-12T12:29:01.546361500Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-7giz","depends_on_id":"bd-f3pl","type":"related","created_at":"2026-05-03T16:27:22.098662Z","created_by":"cscheid","metadata":"{}","thread_id":""}],"comments":[{"id":19,"issue_id":"bd-7giz","author":"cderv","text":"cargo xtask dev-setup already exists — installs cargo-nextest and wasm-bindgen-cli (pinned, via cargo-binstall fallback to cargo install --locked). Consider extending dev-setup to also run npm install from repo root rather than introducing parallel 'setup' verb. Would unify Rust tool bootstrap + JS dep bootstrap behind one entry point. Skill .claude/skills/triage.md step 4 currently runs npm install manually — would switch to cargo xtask dev-setup once landed.","created_at":"2026-05-04T15:18:55Z"},{"id":23,"issue_id":"bd-7giz","author":"chris","text":"Cross-ref from bd-spsv work (2026-05-12). `cargo xtask create-worktree`\nnow prints a per-worktree setup checklist on stdout that lists\n`cargo xtask dev-setup` and `npm install` as separate steps, with\n`npm install` flagged as \"only if hub-client work is in scope\". When\nthis issue lands (dev-setup also runs `npm install`), the create-worktree\noutput in `crates/xtask/src/create_worktree.rs::print_summary` should be\nupdated to drop the explicit `npm install` line. The relevant block to\nedit is the \"# Per worktree\" group inside print_summary.","created_at":"2026-05-12T12:29:01Z"}]}
 {"id":"bd-7h6a","title":"Per-page favicon override (meta.favicon beats website.favicon)","description":"User flagged 2026-04-27 as expected-soon. A document with its own meta.favicon should override website.favicon. Phase 7 deferred this; needs a small priority lookup in WebsiteFaviconTransform that prefers ast.meta.favicon over ast.meta.website.favicon. Sub-plan reference: claude-notes/plans/2026-04-27-websites-phase-7.md §Non-goals + §Follow-up beads. Originating phase: bd-b9mz.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-04-27T15:02:58.364038Z","created_by":"cscheid","updated_at":"2026-04-27T15:02:58.364038Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-7h6a","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-04-27T15:02:58.364038Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-7h6a","depends_on_id":"bd-b9mz","type":"discovered-from","created_at":"2026-04-27T15:02:58.364038Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-7l1u","title":"Q-2-35: Reject 4-space indented code blocks with a custom parse error (issue #184)","description":"Indented (4-space) code blocks are currently parsed as paragraphs whose leading whitespace is dropped, corrupting documents on a qmd → qmd round-trip (GH issue #184). Per project policy (https://github.com/quarto-dev/q2/issues/184#issuecomment-4426182995) Quarto Markdown does not support indented code blocks; the parser must reject them with a high-quality error message instead.\n\nApproach: mirror the Q-2-32 (TRIPLE_STAR) pattern — emit an external token from scanner.c that is declared in grammar.js but consumed by no rule body, then map the resulting (state, sym) pair through the Merr-style error table in crates/quarto-parse-errors/ to a Q-2-35 diagnostic.\n\nPlan: claude-notes/plans/2026-05-14-q-2-35-indented-code-block-error.md (TDD, six error-corpus cases including a negative one, full xtask verify, no writer changes).\nTriage: claude-notes/issue-reports/184/triage.md\nBranch: issue-184 (worktree at .worktrees/issue-184/)\nRepro: claude-notes/issue-reports/184/repro.qmd\n\nScope confirmed with @cscheid (2026-05-14):\n- Error fires on >= 4 leftover indentation (after container matchers consume their share), so well-indented list continuations are unaffected but extra-indented ones are flagged.\n- Error code Q-2-35.\n- Message suggests fenced code blocks (```) as the replacement.\n- Documentation note added to tree-sitter-markdown CONTRIBUTING.md mirroring the Q-2-32 precedent.","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-05-14T16:08:34.776338Z","created_by":"cscheid","updated_at":"2026-05-14T17:02:40.507132Z","closed_at":"2026-05-14T17:02:40.506948Z","close_reason":"Implemented and verified end-to-end on branch issue-184 (commit e2d224f6). Reporter's repro now produces Q-2-35 diagnostic spanning the full offending line. Full cargo xtask verify (Rust + WASM + hub-client) passes; tree-sitter test 480/480; pampa test suite 3687/3687; xtask lint clean. Conservative detection rule (ATX_H1_MARKER || BLANK_LINE_START) avoids false positives in multi-line shortcodes and lazy paragraph continuations — see the plan doc for the rationale and the rejected alternatives.","source_repo":".","compaction_level":0,"original_size":0}
@@ -155,12 +159,16 @@
 {"id":"bd-c083","title":"Cargo: upgrade tree-sitter v0.25.10 → v0.26.8","description":"Major upgrade surfaced by cargo-upgrade survey 2026-05-04. Current 0.25.10 is range-pinned in workspace; latest is 0.26.8. Type: pre-1.0 minor (semver-breaking). Review changelog and bump deliberately. See claude-notes/plans/2026-05-04-cargo-upgrade-survey.md and bd-hb8h.","status":"closed","priority":3,"issue_type":"chore","created_at":"2026-05-04T18:15:55.321199Z","created_by":"cscheid","updated_at":"2026-05-04T20:30:44.759296Z","closed_at":"2026-05-04T20:30:44.759137Z","close_reason":"merged: 61b01cd4","source_repo":".","compaction_level":0,"original_size":0,"labels":["cargo","deps"],"dependencies":[{"issue_id":"bd-c083","depends_on_id":"bd-hb8h","type":"discovered-from","created_at":"2026-05-04T18:16:05.692502Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-c3jh","title":"Phase 9 follow-up: GC stale VFS artifacts at session end","description":"When the hub-client preview re-renders, the WASM Pass-2 produces new artifact paths (theme-css fingerprints change when content changes) but the *old* artifacts under /.quarto/project-artifacts/... linger in VFS storage. The new HTML never references them — so they don't poison the page — but they do leak.\n\nGC pass at session-end (or periodically): walk /.quarto/project-artifacts/, drop any entry whose path doesn't appear in a 'live' set (the union of artifact paths from the most-recent project render).\n\nPhase 9 plan §Risks: 'Add a follow-up to GC /.quarto/project-artifacts/... entries with no live references at session end. Not a Phase-9 blocker.'","status":"open","priority":4,"issue_type":"task","created_at":"2026-04-29T00:32:31.194561Z","created_by":"cscheid","updated_at":"2026-04-29T00:32:31.194561Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-c3jh","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-04-29T00:32:31.194561Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-c3jh","depends_on_id":"bd-ayj6","type":"discovered-from","created_at":"2026-04-29T00:32:31.194561Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-cfl67","title":"q2 render truncates source images referenced in qmd documents","description":"ResourceCollectorTransform stores image source paths as artifacts with empty content; write_artifacts then opens the source path for writing and truncates it to 0 bytes. Confirmed via 'q2 render docs/authoring/markdown/index.qmd' which truncates docs/authoring/markdown/elephant.png from 126124 bytes to 0. Plan doc: claude-notes/plans/2026-05-20-render-truncates-source-images.md","status":"open","priority":0,"issue_type":"bug","created_at":"2026-05-21T00:53:50.747194Z","created_by":"cscheid","updated_at":"2026-05-21T00:53:50.747194Z","source_repo":".","compaction_level":0,"original_size":0,"labels":["bug","data-loss"]}
+{"id":"bd-cjxlb","title":"Keyring error messages must not leak credential blob","description":"Plan §Phase 5 calls this out as a specifically-flagged risk: when CredentialStore.write/read/clear surfaces a backend error, the error message must NOT contain the credential blob (or any token-shaped substring).\n\nTest name: keyring_error_does_not_leak_blob_in_message in ts-packages/quarto-hub-mcp/test/auth/credential-store.test.ts.\n\nImplementation: wrap keyring errors via redact(err.message) at every site that touches a blob.\n\nPlan §Phase 5: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"bug","created_at":"2026-05-20T14:27:50.747041Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:50.747041Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cjxlb","depends_on_id":"bd-sfr5l","type":"parent-child","created_at":"2026-05-20T14:27:50.747041Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
+{"id":"bd-cmp48","title":"hub-mcp Google device-flow auth (Design C')","description":"Implements Design C' (Google as device-flow AS) for hub-mcp ↔ quarto-hub authentication over WebSocket. Hub-mcp persists Google ID + refresh tokens locally (OS keyring); hub keeps existing JWKS validator with audience allowlist.\n\nPlan: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md\n\nPer the plan's Beads section: one issue per phase (1-10) parent-child to this epic, plus separate bug-tagged issues for the dual-credential CVE test (Phase 2), keyring-leak test (Phase 5), and canonical-URL constant test (Phase 7).","status":"open","priority":1,"issue_type":"epic","created_at":"2026-05-20T14:26:43.587791Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:26:43.587791Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0}
 {"id":"bd-coffj","title":"q2 preview: Div with class='section' emits <div>, not <section> — breaks Quarto's :has(+ section) margin rules","description":"The native HTML writer (crates/pampa/src/writers/html.rs:1129-1142) emits <section>...</section> for Pandoc Div blocks whose class list contains 'section'; the React Div component in ts-packages/preview-renderer/src/q2-preview/blocks/Div.tsx always emits <div>. Consequence: Quarto theme CSS rules keyed on the <section> tag (e.g. 'main.content > p:has(+ section) { margin-bottom: 2rem }') don't apply to preview, causing visible spacing drift. Concrete repro: the 'This is an extremely basic website' paragraph in the fixture has 17px bottom margin in preview vs 34px in render. Fix: mirror the native writer — emit <section> when classes contains SECTION ('section').","status":"closed","priority":2,"issue_type":"bug","created_at":"2026-05-18T17:53:40.764259Z","created_by":"cscheid","updated_at":"2026-05-18T17:58:07.422417Z","closed_at":"2026-05-18T17:58:07.422276Z","close_reason":"Implementation complete: Pandoc Divs with class='section' now render as <section> in q2 preview, matching the native HTML writer. Visible result: 'This is an extremely basic website' paragraph margin-bottom now 34px (was 17px), matching q2 render exactly. Quarto theme's main.content > p:has(+ section) selector now matches in preview. 2 new SPA tests; 152/152 green; cargo xtask verify 12/12 green.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-coffj","depends_on_id":"bd-kw93","type":"parent-child","created_at":"2026-05-18T17:53:40.764259Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-cpzp","title":"qmd writer: implicit-figure path drops trailing newline, collapses next block (issue #180)","description":"Triage doc: claude-notes/issue-reports/180/triage.md on branch issue-180.\n\nRoot cause: write_figure (crates/pampa/src/writers/qmd.rs:759) implicit-figure branch returns directly from write_image without emitting the trailing \\n that every block writer is expected to produce. When such a Figure is followed by another block (top-level or inside a Div), the inter-block separator collapses to a single \\n instead of a blank line, and the re-parser glues the two blocks into one Para. Affects every layout/subfigure div in the docs corpus.\n\nReports covered (both same root cause):\n- Bug A: top-level Figure followed by Para -> one Para after round-trip\n- Bug B: Div with multiple Figure children + caption -> one Para inside the Div after round-trip\n\nFix (TDD-first per crates/pampa/CLAUDE.md):\n1. Add failing roundtrip tests under tests/roundtrip_tests/qmd-json-qmd/\n   - figure_implicit_then_para.qmd\n   - layout_div_subfigures.qmd\n   - figure_implicit_then_figure.qmd (extra coverage)\n2. Verify they fail.\n3. Fix write_figure: replace 'return write_image(...)' with 'write_image(...)?; writeln!(buf)?; Ok(())'.\n4. Verify tests pass.\n5. cargo nextest run --workspace to catch downstream snapshot updates.\n\nNot a duplicate of bd-emr4 — that is about non-implicit Figure shapes hitting the fallback fenced-div path. This bug is in the implicit-figure code path; different code, different fix.","status":"open","priority":2,"issue_type":"bug","created_at":"2026-05-12T18:39:12.847875Z","created_by":"cscheid","updated_at":"2026-05-12T18:39:15.853892Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cpzp","depends_on_id":"bd-emr4","type":"related","created_at":"2026-05-12T18:39:15.853594Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-cqkts","title":"Phase 7 — hub-mcp MCP-tool exposure (authenticate_start / authenticate_finish)","description":"New module ts-packages/quarto-hub-mcp/src/auth/auth-tools.ts. Exposes two tools: authenticate_start (returns verification_uri, canonical_url, user_code, expires_in_seconds) and authenticate_finish (one poll per call, returns pending/slow_down/success/typed-error).\n\nCanonical URL https://www.google.com/device is a hard-coded module constant — never copied from Google's response. Sibling bug bd-XXXX tracks the canonical-URL-constant test specifically.\n\nRFC 8628 §3.5 rate-limiting: nextPollAllowedAt cached state, bumped 5 s per slow_down. Short-circuit on already-authenticated and lastObservedAuthMode === 'no-auth'.\n\nRegistered before registerTools so read/write tools can name authenticate_start in their error text.\n\nPlan §Phase 7: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:19.527539Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:19.527539Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cqkts","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:19.527539Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-creo","title":"quarto render: fail strictly on Pass-1 failures (CI-friendly contract)","description":"Sibling of bd-rqba. Once Pass-1 failures are wired through as a dedicated pass1_failures field on the render summary surfaces (D1 in plan), give 'quarto render' a strict policy: any pass1_failures entry causes a non-zero exit. Remove the current string-matching of 'profile-pass skipped …' warning text in favor of the structured field.\n\nRationale: 'quarto render' is often used in headless CI; partial-progress leniency belongs to 'quarto preview' / hub-client, not render. The engine stays policy-free; consumers choose strict (render) vs lenient (preview).\n\nAlso: document the strict-vs-lenient contract in claude-notes/designs/document-profile-contract.md so future consumers (e.g., the planned hub-client-based 'quarto preview' binary) inherit it.\n\nPlan: claude-notes/plans/2026-05-01-hub-client-website-render-ux.md (Decision D1).","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-01T14:16:43.115104Z","created_by":"cscheid","updated_at":"2026-05-01T14:16:43.115104Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-creo","depends_on_id":"bd-lk66","type":"parent-child","created_at":"2026-05-01T14:16:43.115104Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-creo","depends_on_id":"bd-rqba","type":"related","created_at":"2026-05-01T14:16:43.115104Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-cxara","title":"Phase 9 — end-to-end verification","description":"CRITICAL per CLAUDE.md: tests passing alone is insufficient. Phase 9 runs the full verification matrix and records exact invocations + observed output in the plan's Verification log.\n\nCoverage: full cargo xtask verify; SPA cookie-path regression; clean-machine device-flow E2E (with per-platform credential-store inspection); no-auth-hub regression + explicit-authenticate short-circuit + observation-requirement check; allowlist parity for cookie 403 and bearer 403 (byte-identical detail); insecure-bearer dev-mode interaction (loopback + non-loopback with/without env flag); force-refresh; force-reauth; dual-credential CVE + WS-upgrade-with-no-Origin sanity check; audit-log spot-check; plaintext-leak grep.\n\nPlan §Phase 9: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:31.218633Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:31.218633Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cxara","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:31.218633Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-d8fo","title":"q2-preview chrome: replace HTML injection with React components","description":"Phase F (q2-preview website chrome) ships Strategy A: include the *-render transforms (navbar-render, sidebar-render, page-nav-render, footer-render, toc-render) in the q2-preview pipeline so meta.rendered.navigation.* is populated with Bootstrap HTML; the React PreviewDocument injects via dangerouslySetInnerHTML.\n\nThis is the pragmatic first cut — shippable in days, byte-identical to q2 render. The tradeoff is DOM stability inside the chrome: open dropdowns, sidebar collapse state, scroll position inside the sidebar, etc., are blown away every time the chrome re-renders. In practice the chrome only re-renders on _quarto.yml edits, page switches, or sidebar reorderings — uncommon during normal authoring — so the cost is bounded.\n\nThis follow-up tracks the proper Strategy B: replace the HTML-injection path with React components that render from the structured meta.navigation.* (the ConfigValue form populated by the *-generate transforms before *-render runs). Each component mirrors the Bootstrap HTML the corresponding render transform emits.\n\nWhat this unlocks:\n- Stateful chrome (open Bootstrap dropdowns, collapsed sidebar sections, scroll position inside the sidebar) survives chrome re-renders.\n- React owns the click handlers natively rather than going through iframePostProcessor's after-the-fact .qmd-link rewriting.\n- The drift risk between server HTML emission and React component output goes away (the React components ARE the renderer; q2-render's HTML stays the source of truth for non-preview pipelines).\n\nScope:\n- Mirror Navbar / Sidebar / PageNav / Footer / Toc / Breadcrumbs from the Bootstrap HTML the *-render transforms emit today.\n- TypeScript types matching the structured ConfigValue shape each *-generate transform writes.\n- Remove the corresponding entries from Q2_PREVIEW_TRANSFORM_EXCLUDED in pipeline.rs — those transforms become unused in the preview pipeline, so the *-render Rust modules either stay (for q2 render) or get factored to a shared HTML emitter consumed only by the q2 render pipeline.\n- Snapshot tests asserting the React components emit markup matching the *-render Rust HTML output.\n\nFiled during Phase F planning (2026-05-14). Parent edge to the F epic to be added once F itself is filed.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-05-14T20:36:07.754117Z","created_by":"cscheid","updated_at":"2026-05-14T20:52:21.580312Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-d8fo","depends_on_id":"bd-kw93.15","type":"discovered-from","created_at":"2026-05-14T20:52:21.579976Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-d8go","title":"L9 follow-up: date_format doctemplate pipe","description":"Originally specified as part of L9's L4 enhancements; deferred at impl-start because L9's RFC 822 pubDate is computed server-side in feed/binding.rs (no template-level need). Adding the pipe later requires a tree-sitter grammar change in crates/tree-sitter-doctemplate/grammar/grammar.js (the pipe set is grammar-fixed; the existing date_format must be a custom rule like pipe_left/pipe_center/pipe_right because it takes an argument), plus a match arm in crates/quarto-doctemplate/src/pipes.rs. Useful for L8's existing custom-template authors who want to format dates in the host page.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-05-08T17:33:55.509676Z","created_by":"cscheid","updated_at":"2026-05-08T17:33:55.509676Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-d8go","depends_on_id":"bd-o90m","type":"discovered-from","created_at":"2026-05-08T17:33:55.509676Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
-{"id":"bd-dhtw","title":"Phase 1: gh-pages provider end-to-end","description":"Phase 1 of bd-t3ny. Implement the gh-pages provider end-to-end on top of the Phase 0 scaffolding: common::git wrappers, common::github context discovery, _publish.yml reader, GhPagesProvider (prepare/commit/verify with .nojekyll poll), --dry-run cleanup with no residue, mkdocs-style summary, and an end-to-end test against a bare local remote (dry-run + real-run + json-run).\n\nPlan: claude-notes/plans/2026-05-03-publish-command-and-gh-pages.md (Phase 1 section)\n\nBlocked on Phase 0 (bd-068k).","status":"completed","priority":1,"issue_type":"task","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","updated_at":"2026-05-03T15:18:38.648426Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-dhtw","depends_on_id":"bd-068k","type":"blocks","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-dhtw","depends_on_id":"bd-t3ny","type":"parent-child","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-dhtw","title":"Phase 1: gh-pages provider end-to-end","description":"Phase 1 of bd-t3ny. Implement the gh-pages provider end-to-end on top of the Phase 0 scaffolding: common::git wrappers, common::github context discovery, _publish.yml reader, GhPagesProvider (prepare/commit/verify with .nojekyll poll), --dry-run cleanup with no residue, mkdocs-style summary, and an end-to-end test against a bare local remote (dry-run + real-run + json-run).\n\nPlan: claude-notes/plans/2026-05-03-publish-command-and-gh-pages.md (Phase 1 section)\n\nBlocked on Phase 0 (bd-068k).","status":"closed","priority":1,"issue_type":"task","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","updated_at":"2026-05-03T15:18:38.648426Z","closed_at":"2026-05-03T15:18:38.648426Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-dhtw","depends_on_id":"bd-068k","type":"blocks","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-dhtw","depends_on_id":"bd-t3ny","type":"parent-child","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-djpt","title":"Ship Bootstrap Icons font + CSS with Quarto 2 HTML output","description":"Quarto 2 HTML renders Bootstrap-icon markup (`<i class=\\\"bi bi-github\\\"></i>`) for navbar tools and footer nav items, but the Bootstrap Icons package (font file + icon CSS that maps class names to glyphs) is not shipped, so the icons render as empty boxes. Quarto 1 handles this via a separate bootstrap-icons dependency.\n\nScope: vendor vs CDN decision (prefer vendor, to match SCSS strategy); where the font file lives in artifact storage; template link (`<link rel=\\\"stylesheet\\\" href=\\\"...bootstrap-icons.css\\\">`); interaction with the planned JS-deps mechanism (bd-ulgr).\n\nCompanion to bd-ulgr (Bootstrap JS). Both issues concern static Bootstrap-ecosystem resources that Q2 needs to ship to match Q1 UX; worth designing them together.\n\nSurfaced during bd-imiw visual testing — navbar/footer DOM is correct, icons are invisible.","status":"open","priority":2,"issue_type":"feature","created_at":"2026-04-18T20:00:13.337791Z","created_by":"cscheid","updated_at":"2026-04-18T20:00:13.337791Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-djpt","depends_on_id":"bd-imiw","type":"discovered-from","created_at":"2026-04-18T20:00:13.337791Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-djpt","depends_on_id":"bd-ulgr","type":"related","created_at":"2026-04-18T20:00:13.337791Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-dsco4","title":"Port _brand.yml integration to Q2 Typst format once available","description":"Q1 has src/resources/filters/quarto-post/typst-brand-yaml.lua. Q2's typst format is too immature for this today; revisit when typst-format work picks up.","status":"open","priority":4,"issue_type":"feature","created_at":"2026-05-21T02:31:31.019793Z","created_by":"cscheid","updated_at":"2026-05-21T02:31:31.019793Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-dy97y","title":"D7: Default HTML format ships Bootstrap-derived stylesheet","description":"## What\n\n`q2 render`'s default HTML format ships a minimal `tables_files/styles.css` (from `crates/quarto-core/resources/styles.css`). For tables to actually look styled even with `class=\"caption-top table\"` applied, the CSS bundle must include Bootstrap's `.table` and `.caption-top` rules.\n\nThe project already has Bootstrap SCSS sources at `resources/scss/bootstrap/`. This task wires the SCSS compilation/loading into the default HTML format so the produced HTML links a stylesheet containing those rules.\n\n## Scope\n\nJust enough to make a default render's tables look like Q1's tables. Custom themes, dark mode toggle, font scales etc. are out of scope.\n\n## Tests\n\nEnd-to-end test via `render_document_to_file` (per CLAUDE.md end-to-end requirement) that renders `tables.qmd` and asserts the produced HTML links a stylesheet whose contents contain `.table` selector + the expected rules (border, padding, font-weight on th).\n\nVisual re-verification in Chrome required before closing.\n\n## Plan\n\nclaude-notes/plans/2026-05-20-table-default-rendering-parity.md (D7 section). Phase 2 work — blocks on D1-D6 only for visual verification, not for code.","status":"closed","priority":2,"issue_type":"feature","created_at":"2026-05-20T20:55:25.109513Z","created_by":"cscheid","updated_at":"2026-05-20T22:51:48.063407Z","closed_at":"2026-05-20T22:51:48.063242Z","close_reason":"No code change needed. CompileThemeCssStage already ships the full Bootstrap 5.3.1 bundle as _files/styles.css for default renders. The original 'unstyled table' symptom was 100% markup-side — once D1/D2 added the caption-top/table class hooks and thead/th promotion, the existing CSS styled the table identically to Quarto 1. Visual verification 2026-05-20 confirms byte-identical computed styles to Q1.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-dy97y","depends_on_id":"bd-hir7j","type":"parent-child","created_at":"2026-05-20T20:55:25.109513Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
@@ -173,6 +181,7 @@
 {"id":"bd-elgxx","title":"D4/D5 react: preview Table.tsx emits header/odd/even row classes","description":"## What\n\nD4/D5 in pampa's HTML writer (closed as bd-12fpz, commit c02a405a) emit `<tr class=\"header\">`, `<tr class=\"odd\">`, `<tr class=\"even\">` on rendered HTML. `q2 preview` does not benefit because it doesn't go through the pampa HTML writer — its iframe renders directly from AST JSON via the React Table component at `ts-packages/preview-renderer/src/q2-preview/blocks/Table.tsx`. That component currently emits bare `<tr>`.\n\n## Fix\n\nIn Table.tsx, extend `RowNode` to accept the row's class (\"header\" / \"odd\" / \"even\" / null). Caller (`Table`) computes it based on:\n- head rows: always \"header\"\n- body rows: alternating \"odd\" / \"even\" per TableBody, starting at \"odd\"\n- foot rows: null (no class)\n\nMirrors the pampa writer change (bd-12fpz) exactly.\n\n## Tests\n\nVitest test for Table.tsx that builds a minimal Table AST and asserts on the rendered DOM.\n\n## Plan\n\nclaude-notes/plans/2026-05-20-table-default-rendering-parity.md — discovered during preview e2e verification on the table-rendering-parity epic.","status":"closed","priority":3,"issue_type":"bug","created_at":"2026-05-20T22:38:08.670498Z","created_by":"cscheid","updated_at":"2026-05-20T22:42:26.405667Z","closed_at":"2026-05-20T22:42:26.405504Z","close_reason":"Implemented in this commit: row classes emitted in React Table component, mirroring pampa writer.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-elgxx","depends_on_id":"bd-hir7j","type":"parent-child","created_at":"2026-05-20T22:38:08.670498Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-emr4","title":"qmd writer/reader: explicit Figure shapes don't round-trip (caption ≠ alt, multi-block content, etc.)","description":"Discovered while implementing bd-f5qd. The implicit-figure round-trip is fixed (write_figure now detects the implicit shape and emits bare image syntax). Figures with shapes other than the implicit one have no syntax in qmd that round-trips back to a Figure: the writer's fallback emits a fenced `::: {}` div with the caption as a sibling block, and the reader has no rule that turns that back into a Figure.\n\nConcrete minimal repro (caption text differs from image alt):\n\n  $ cat > /tmp/explicit_fig.json <<'EOF'\n  {\n    \"pandoc-api-version\": [1, 23, 1],\n    \"meta\": {},\n    \"blocks\": [{\"t\":\"Figure\",\"c\":[\n      [\"\",[],[]],\n      [null,[{\"t\":\"Plain\",\"c\":[{\"t\":\"Str\",\"c\":\"A different caption.\"}]}]],\n      [{\"t\":\"Plain\",\"c\":[{\"t\":\"Image\",\"c\":[[\"\",[\"lightbox\"],[]],[{\"t\":\"Str\",\"c\":\"Image alt\"}],[\"image.png\",\"\"]]}]}]\n    ]}]\n  }\n  EOF\n  $ cat /tmp/explicit_fig.json | cargo run --bin pampa -- -f json -t qmd\n  ::: {}\n\n  ![Image alt](image.png){.lightbox}\n\n  A different caption.\n\n  :::\n\n  $ cat /tmp/explicit_fig.json | cargo run --bin pampa -- -f json -t qmd | cargo run --bin pampa -- -t native\n  [ Div ( \"\" , [] , [] ) [\n    Figure ( \"\" , [] , [] ) (Caption Nothing [Plain[Str \"Image\",Space,Str \"alt\"]]) [...],\n    Para [Str \"A\",Space,Str \"different\",Space,Str \"caption.\"]\n  ] ]\n\nThe original caption is gone (replaced by the implicit-figure rule firing on\nthe inner image-only paragraph, which copies the alt text into the caption).\nThe original caption text becomes a free-standing sibling Para. The outer\nDiv wraps the whole thing.\n\nOther shapes that hit the same fallback:\n- Figure with caption.short set\n- Figure with multiple content blocks\n- Figure with classes or kvs on the figure itself (not just the image)\n- Figure whose content isn't a single Plain[Image]\n\nFix needs reader-side support: design a qmd syntax for explicit figures and\nadd a reader rule that converts it back to a Figure block. Likely shape:\nfenced div with a recognizable class/id marker plus a convention for which\nblock is the caption (TS Quarto uses crossref-style `#fig-id` divs).\n\nFor now the writer's fallback path stays as-is; users get a structurally\nincorrect div until this is fixed.","status":"open","priority":2,"issue_type":"bug","created_at":"2026-05-01T00:49:16.022173Z","created_by":"cscheid","updated_at":"2026-05-01T00:49:48.575674Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-emr4","depends_on_id":"bd-f5qd","type":"discovered-from","created_at":"2026-05-01T00:49:16.022173Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-expy","title":"Pipe table parser commits to caption when ':::' follows a row (issue #206)","description":"Parse error when a fenced-div close `:::` directly follows a pipe table row without an intervening blank line. The first `:` of `:::` is shifted by the parser as the start of a `caption` rule (the caption first-token literal is `:`); once shifted, tree-sitter cannot back out, and the second `:` produces 'unexpected character or token here'.\n\nTriage doc: claude-notes/issue-reports/206/triage.md\nWorktree branch: issue-206\nGitHub issue: https://github.com/quarto-dev/q2/issues/206\nReporter: @rundel\nReal-world example: quarto-dev/quarto-web docs/websites/website-navigation.qmd L155-L159\n\nConfirmed not a fenced-div bug — bare pipe table + `:::` reproduces identically. The fenced div in the reporter's example is incidental.\n\nRecommended fix shape: introduce an external `_caption_start` scanner token that only matches a `:` not immediately followed by another `:` (and followed by inline whitespace). Re-key the `caption` rule on `_caption_start` instead of the literal `:`. Add tree-sitter corpus tests for `:::`-after-table, `: caption`-after-table, bare `:::` after table, and a pampa round-trip test for the repro fixture. Re-test on quarto-web after fix.\n\nOut of scope here, file separately if desired: pipe-table parser also silently absorbs trailing headings/paragraphs as one-cell rows when no blank line intervenes (see triage doc 'Adjacent finding').","status":"closed","priority":2,"issue_type":"bug","created_at":"2026-05-15T18:48:39.090203Z","created_by":"cscheid","updated_at":"2026-05-15T21:35:28.981270Z","closed_at":"2026-05-15T21:35:28.981068Z","close_reason":"Fixed by PR #208 (merged as f0a1fd53)","source_repo":".","compaction_level":0,"original_size":0}
+{"id":"bd-f0h89","title":"Phase 3 — Audit logging (minimal v1)","description":"Inline tracing::event! on auth_ok / auth_fail carrying sub, credential_kind, action, outcome, plus detail on failure. Gate is Phase 2's three audit tests + redaction test.\n\nSchema-lock, dedicated audit.rs module, jti correlation, OTEL conventions, and the doc deferred to a follow-up plan.\n\nPlan §Phase 3: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-20T14:27:00.051312Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:00.051312Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-f0h89","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:00.051312Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-f3jc","title":"[websites phase 0] Foundations: snapshot type, pipeline checkpoint, naming","description":"First phase of website epic. Plan: claude-notes/plans/2026-04-23-website-project-epic.md § Phase 0.\n\nDeliverables:\n- Final names for the static-document snapshot type (working name DocumentProfile), the ProjectType trait, and the checkpoint stage.\n- Typed snapshot struct, serde-serializable.\n- PipelineData checkpoint variant with Clone/serialization.\n- Round-trip serialization tests + a clone-and-resume test that produces byte-identical output to end-to-end.\n- Decide crate placement (quarto-core vs new quarto-project crate).\n- Decide checkpoint position: after merge, or after merge + pre-engine sugaring.\n- Documentation of the static contract: what is guaranteed, under what conditions.\n\nNo user-visible behavior change in this phase.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-04-23T18:42:37.750604Z","created_by":"cscheid","updated_at":"2026-04-23T20:53:23.807873Z","closed_at":"2026-04-23T20:53:23.807149Z","close_reason":"DocumentProfile type + checkpoint stage + UnwrapProfile stage shipped. Resumability verified: clone-and-resume test produces byte-identical HTML to end-to-end; 3 real-fixture CLI renders byte-identical pre/post-change (MD5 match). 7654/7654 workspace tests + cargo xtask verify pass. Commit b8b72fc2 on feature/websites-phase-0. Contract doc at claude-notes/designs/document-profile-contract.md.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-f3jc","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-04-23T18:42:37.750604Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-f3pl","title":"qmd writer drops table caption attributes (issue #152)","description":"GitHub: https://github.com/quarto-dev/q2/issues/152\nTriage: claude-notes/issue-reports/152/triage.md\nWorktree: .worktrees/issue-152 (branch issue-152, based on main @ 132c13c8)\n\nThe pipe-table branch of write_table (crates/pampa/src/writers/qmd.rs:1120-1239) ignores Table.attr entirely. A caption-attached attribute block like ': caption {tbl-colwidths=\"[30,70]\"}' is parsed correctly into Table.attr.2 (verified via 'cargo run --bin pampa --' on claude-notes/issue-reports/152/repro.qmd) but is dropped by 'pampa -t qmd', producing a lossy round-trip.\n\nThe list-table branch (write_list_table at lines 928-1118) already handles id/classes/keyvals correctly. The pipe-table branch needs analogous handling at the caption emission point (lines 1217-1235): after writing ': <caption-text>', emit ' {<attrs>}' via the existing write_attr helper (qmd.rs:396) when is_empty_attr(&table.attr) is false.\n\nOpen questions resolved during triage:\n  1. Empty-id auto-suppression NOT NEEDED. The reader (pipe_table.rs:148-200) only sets Table.attr.0 from explicit {#id} in the caption attr block; no implicit tbl-foo numbering exists.\n  2. Caption-suffix is the only valid placement for table attributes. Verified against pandoc 3.9.0.2: prefix form '{attrs}<newline>table<newline>: caption' is not parsed as a table by pandoc OR pampa (pampa raises Q-0-99 + Q-3-32). Suffix form ': caption {attrs}' produces byte-identical AST in both engines, including the mixed id+classes+keyvals shape.\n\nFix workflow per crates/pampa/CLAUDE.md:\n  1. Add failing fixtures under crates/pampa/tests/roundtrip_tests/qmd-json-qmd/ (table-caption-with-keyval.qmd, table-caption-with-id.qmd, table-caption-with-classes.qmd, table-caption-with-mixed-attrs.qmd).\n  2. Verify each fixture fails the round-trip equality check.\n  3. Implement: emit write_attr(&table.attr, buf, ctx) after the caption text (qmd.rs:1228-1234), guarded by !is_empty_attr(&table.attr). No id-suppression guard needed.\n  4. Verify new fixtures pass and existing table-caption.qmd snapshot is unchanged (its Table.attr is empty).\n  5. cargo xtask verify --skip-hub-build (Rust-only, no quarto-core/pandoc-types touched).\n\nExisting parser-side snapshot covering this fixture: crates/pampa/tests/snapshots/json/table-caption-attr.qmd. Read-side contract: docs/syntax/desugaring/table-captions.qmd.","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-05-03T16:27:17.949705Z","created_by":"cscheid","updated_at":"2026-05-03T17:12:42.027337Z","closed_at":"2026-05-03T17:12:42.027211Z","close_reason":"Fixed in PR #154 / commit 688ac678. Pipe-table writer now appends Table.attr via write_attr() on the caption line; 4 round-trip fixtures cover id, classes, keyval, and mixed-attr shapes.","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-f5qd","title":"qmd writer: Figure node emits empty div wrapper and duplicates caption","description":"From issue #150 (item 2): The qmd writer for Figure nodes produces an empty `::: {}` div wrapper and emits the caption text after the image as a separate paragraph, duplicating it. Round-tripping qmd -> ast -> qmd -> ast produces different ASTs.\n\nRepro:\n  printf '![Webpage](image.png){.lightbox}\\n' | cargo run --bin pampa -- -t qmd\n  ::: {}\n\n  ![Webpage](image.png){.lightbox}\n\n  Webpage\n\n  :::\n\nExpected: round-trip should be stable; for an Image with caption inside a Figure with no extra attrs, output should likely just be the bare image syntax (`![Webpage](image.png){.lightbox}`) since pandoc auto-wraps it in a Figure. Plan in claude-notes/plans/ to follow.","notes":"Plan: claude-notes/plans/2026-04-30-figure-qmd-roundtrip.md\nDiscussion needed before implementing — see plan's 'Proposed fix — discussion needed' section.","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-05-01T00:01:55.558223Z","created_by":"cscheid","updated_at":"2026-05-01T00:51:41.517422Z","closed_at":"2026-05-01T00:51:41.517262Z","close_reason":"Fixed implicit-figure round-trip via match_implicit_figure_shape in write_figure. When Figure shape matches what the reader's implicit-figure rule produces (single Plain[Image] content, caption=alt, attr split between figure id and image classes/kvs), the writer now emits bare image syntax. Non-implicit Figure shapes continue to fall through to the existing fenced-div form which does not round-trip — tracked in bd-emr4 with concrete repro. See claude-notes/plans/2026-04-30-figure-qmd-roundtrip.md.","source_repo":".","compaction_level":0,"original_size":0}
@@ -207,7 +216,6 @@
 {"id":"bd-hp3tx","title":"Wire brand navbar logo / brand image into website navbar","description":"Brand data has logo (small/medium/large + images.*). Website navbar should be able to use brand.small or brand.images.<name> as the navbar brand-image. Quarto 1 reference: external-sources/quarto-cli/src/project/types/website/website-navigation.ts (navbar.logo). Q2 has the data model in place (quarto-brand crate); just needs the navbar emission to consult it.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-05-21T02:31:30.944971Z","created_by":"cscheid","updated_at":"2026-05-21T02:31:30.944971Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-ht0n","title":"[websites] Sidebar logo / subtitle / header / footer","description":"Render the sidebar's logo (with light/dark variants + logo-href + logo-alt), subtitle (parsed but not rendered in Phase 2), and the 'header:' / 'footer:' freeform content slots Q1 supports. All are parsed by Sidebar::from_config_value today but ignored in sidebar_to_html.","status":"open","priority":2,"issue_type":"feature","created_at":"2026-04-24T17:52:25.088205Z","created_by":"cscheid","updated_at":"2026-04-24T17:52:25.088205Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-ht0n","depends_on_id":"bd-9svl","type":"discovered-from","created_at":"2026-04-24T17:52:25.088205Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-hva0","title":"Local-vendor opt-in for MathJax/KaTeX (offline rendering)","description":"bd-w5ov shipped CDN-default for math (parity with Pandoc / Quarto 1). Users who need offline / air-gapped rendering must today set 'html-math-method.url:' pointed at a self-hosted mirror.\n\nMake this easier: ship a 'quarto install mathjax' (and 'quarto install katex') CLI helper that downloads the bundle into a project resources dir and writes the URL override into _quarto.yml. This is 'we're better than Q1' territory — Q1 offers no equivalent automation.\n\nOut of scope for this issue: vendoring bytes by default in the binary (rejected in bd-w5ov §4.5 because of binary-size cost and parity with Q1).\n\nAcceptance: 'quarto install mathjax' downloads, lays out under project resources, configures override; 'quarto render' uses the local URL; offline rendering works.","status":"open","priority":2,"issue_type":"feature","created_at":"2026-05-04T23:58:29.291389Z","created_by":"cscheid","updated_at":"2026-05-04T23:58:29.291389Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-hva0","depends_on_id":"bd-w5ov","type":"discovered-from","created_at":"2026-05-04T23:58:29.291389Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
-{"id":"bd-hytl","title":"Phase B.4: Acceptance bundle — _quarto.yml + posts/_metadata.yml propagation to preview","description":"Single Playwright spec pinning the two observable plan acceptance criteria for q2 preview (Phase B):\n\n1. Editing _quarto.yml (title:) re-renders the active page; new title visible in DOM within 5 s.\n2. Editing posts/_metadata.yml (subtitle:) re-renders pages under posts/; new subtitle visible in DOM within 5 s.\n\nFixture (single, dual-purpose): _quarto.yml + posts/_metadata.yml + posts/post1.qmd (no frontmatter, inherits both). Empirically verified both knobs flow through to the rendered title-block (2026-05-13 probe with target/debug/q2 render).\n\nReuses the multi-file fixture helper generalised in bd-pf63 (B.3).\n\nPlan acceptance criterion 3 ('unrelated sibling re-renders the active page') is deferred and tracked separately — its relaxed-contract form (any edit fires a re-render) is invisible at the DOM without SPA instrumentation. See discovered-from follow-up.\n\nPlan: claude-notes/plans/2026-05-13-q2-preview-phase-b.md §B.4.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-05-13T21:11:22.459798Z","created_by":"cscheid","updated_at":"2026-05-13T21:16:15.516971Z","closed_at":"2026-05-13T21:16:15.516850Z","close_reason":"Duplicate of bd-mrx1 — created by an accidental double-run during B.4 setup (jq parse error masked the first create's output). No work done against this ID; all B.4 work tracked under bd-mrx1.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-hytl","depends_on_id":"bd-kw93","type":"parent-child","created_at":"2026-05-13T21:11:22.459798Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-hytl","depends_on_id":"bd-pf63","type":"discovered-from","created_at":"2026-05-13T21:11:22.459798Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-hzsi","title":"L10 — Q1 → Q2 listing template migration docs + LLM skill","description":"User-facing migration doc in docs/ covering EJS → doctemplate mapping (<%= … %> → $…$, control flow, helper-function → server-pre-rendered fields, item.extra). LLM skill in .claude/skills/ that suggests Q2 doctemplate equivalents from Q1 EJS templates. Worked examples for each built-in shape and a representative custom template. See claude-notes/plans/2026-05-05-listings-epic.md §L10.","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-05T19:53:59.836077Z","created_by":"cscheid","updated_at":"2026-05-05T19:53:59.836077Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-hzsi","depends_on_id":"bd-61cd","type":"parent-child","created_at":"2026-05-05T19:53:59.836077Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-hzsi","depends_on_id":"bd-rqgx","type":"blocks","created_at":"2026-05-05T19:53:59.836077Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-i1df","title":"Kanban: Card detail view on title click","description":"Clicking a card title opens a detail modal showing all card information: title, type, status, created/deadline dates, priority, full body text. Plan: claude-notes/plans/2026-02-11-kanban-ui-enhancements.md","status":"closed","priority":2,"issue_type":"feature","created_at":"2026-02-11T18:32:37.650902Z","created_by":"cscheid","updated_at":"2026-02-11T18:36:06.274831Z","closed_at":"2026-02-11T18:36:06.274814Z","close_reason":"Implemented - card detail modal on title click","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-i4wv","title":"L9 follow-up: real version string in feed generator (replace quarto-2)","description":"L9 v1 emits <generator>quarto-2</generator>. Q1 emits quarto-<version> from quartoConfig.version(). Replace with the actual Q2 version string when the version story stabilizes. Site: feed/binding.rs::FEED_GENERATOR.","status":"open","priority":4,"issue_type":"task","created_at":"2026-05-08T17:33:39.786912Z","created_by":"cscheid","updated_at":"2026-05-08T17:33:39.786912Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-i4wv","depends_on_id":"bd-o90m","type":"discovered-from","created_at":"2026-05-08T17:33:39.786912Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
@@ -274,12 +282,14 @@
 {"id":"bd-ml8z","title":"L3 — ListingResolveTransform (Pass-2, built-ins via doctemplate)","description":"New Pass-2 transform inside AstTransformsStage. Reads host's listing: config + ProjectIndex; resolves contents: globs; filters/sorts; truncates by max-items. Builds per-item TemplateValue::Map with curated profile fields, server-pre-rendered helpers (image_html, metadata_attrs), and listing_item.extra. Renders via doctemplate against built-in default/grid/table templates embedded with MemoryResolver. Emits placeholders for L7 alongside L1 fallback content. See claude-notes/plans/2026-05-05-listings-epic.md §L3.","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-05-05T19:53:22.859719Z","created_by":"cscheid","updated_at":"2026-05-07T13:35:17.550573Z","closed_at":"2026-05-07T13:35:17.550209Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-ml8z","depends_on_id":"bd-61cd","type":"parent-child","created_at":"2026-05-05T19:53:22.859719Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-ml8z","depends_on_id":"bd-b5jm","type":"blocks","created_at":"2026-05-05T19:53:22.859719Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-ml8z","depends_on_id":"bd-izqh","type":"blocks","created_at":"2026-05-05T19:53:22.859719Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-ml8z","depends_on_id":"bd-j60g","type":"blocks","created_at":"2026-05-05T19:53:22.859719Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-ml8z","depends_on_id":"bd-n8a4","type":"blocks","created_at":"2026-05-05T19:53:22.859719Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-mlj6","title":"Conditional render lists / _quarto-*.yml profiles","description":"Q1 supports profile-specific renders via _quarto-<profile>.yml (e.g. _quarto-prod.yml vs _quarto-dev.yml). Phase 1 of the website epic ignores profile files entirely — discovery excludes them because of the leading underscore, and config parsing only reads _quarto.yml. Follow-up: decide how profiles compose with the base config, add CLI flag for selecting profile, thread through ProjectContext::discover. See claude-notes/plans/2026-04-23-websites-phase-1.md §Decisions log.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-04-24T01:05:24.479391Z","created_by":"cscheid","updated_at":"2026-04-24T01:05:24.479391Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mlj6","depends_on_id":"bd-w5os","type":"discovered-from","created_at":"2026-04-24T01:05:24.479391Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-mot7","title":"qmd reader drops whitespace between code_span and html_element (issue #182)","description":"(see triage doc)","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-05-12T13:42:59.836284Z","created_by":"cscheid","updated_at":"2026-05-12T13:43:26.216838Z","closed_at":"2026-05-12T13:43:26.216709Z","close_reason":"Duplicate, accidental second create. Keeping bd-nkx4.","source_repo":".","compaction_level":0,"original_size":0}
+{"id":"bd-mqa4j","title":"Phase 8 — quarto-sync-client header pass-through + connection-manager integration","description":"Add auth?.getBearer option to client.connect(); new Node-only NodeWebSocketClientAdapter inside quarto-sync-client that constructs new WebSocket(url, [], { headers }). Browser path unchanged.\n\nConnection-manager try-then-fallback policy: read bundle, attempt WS with Bearer if present, on 401-with-creds forceRefresh+retry-once then ReauthRequired, on 401-without-creds AuthRequired.\n\nlastObservedAuthMode state machine ({no-auth, requires-auth, unknown}, process-local) drives Phase 7's short-circuit.\n\nInsecure-Bearer gate: refuse to send Bearer over plain HTTP/WS to non-loopback without QUARTO_HUB_MCP_ALLOW_INSECURE_AUTH=1; loud warning on every connect when set.\n\nFollow-up: upstream PR to thread headers through BrowserWebSocketClientAdapter — file separately.\n\nPlan §Phase 8: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:25.451968Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:25.451968Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mqa4j","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:25.451968Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-mre3","title":"[websites phase 2] Sidebar data model, generate, render, template","description":"Plan: claude-notes/plans/2026-04-23-website-project-epic.md § Phase 2.\n\nDeliverables:\n- Schema parsing for website.sidebar: Vec<Sidebar> with id, title, contents, style, collapse-level.\n- Contents supports: string (path), {href, text, icon}, {section, contents}, {auto: ...}.\n- quarto-navigation data types: Sidebar, SidebarEntry, SidebarContents.\n- SidebarGenerateTransform: reads YAML config + ProjectIndex to resolve auto and expand entries.\n- SidebarRenderTransform: emits Bootstrap-5 HTML matching Q1 class names where possible.\n- Template slot: $rendered.navigation.sidebar$.\n- Sidebar-for-page selection logic.\n- Integration tests with manual, auto, and nested contents.\n\nBlocked by Phase 1 (needs ProjectIndex).","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-04-23T18:42:49.915763Z","created_by":"cscheid","updated_at":"2026-04-29T00:31:30.148471Z","closed_at":"2026-04-29T00:31:30.148151Z","close_reason":"Phase 2 (sidebar) implemented — see git log Phase 2 sub-phase commits and claude-notes/plans/2026-04-24-websites-phase-2.md (closed as part of Phase 9 cleanup; this should have been closed earlier).","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mre3","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-04-23T18:42:49.915763Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-mre3","depends_on_id":"bd-w5os","type":"blocks","created_at":"2026-04-23T18:43:42.284820Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
-{"id":"bd-mrx1","title":"Phase B.4: Acceptance bundle — _quarto.yml + posts/_metadata.yml propagation to preview","description":"Single Playwright spec pinning the two observable plan acceptance criteria for q2 preview (Phase B):\n\n1. Editing _quarto.yml (title:) re-renders the active page; new title visible in DOM within 5 s.\n2. Editing posts/_metadata.yml (subtitle:) re-renders pages under posts/; new subtitle visible in DOM within 5 s.\n\nFixture (single, dual-purpose): _quarto.yml + posts/_metadata.yml + posts/post1.qmd (no frontmatter, inherits both). Empirically verified both knobs flow through to the rendered title-block (2026-05-13 probe with target/debug/q2 render).\n\nReuses the multi-file fixture helper generalised in bd-pf63 (B.3).\n\nPlan acceptance criterion 3 ('unrelated sibling re-renders the active page') is deferred and tracked separately — its relaxed-contract form (any edit fires a re-render) is invisible at the DOM without SPA instrumentation. See discovered-from follow-up.\n\nPlan: claude-notes/plans/2026-05-13-q2-preview-phase-b.md §B.4.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-05-13T21:11:28.867999Z","created_by":"cscheid","updated_at":"2026-05-13T21:15:09.863020Z","closed_at":"2026-05-13T21:15:09.862892Z","close_reason":"Phase B.4 complete; zero production-code changes — new Playwright spec at q2-preview-spa/e2e/config-edits.spec.ts pins _quarto.yml + posts/_metadata.yml propagation. See commit df2f5f55 on beads/bd-mrx1-phase-b4-acceptance-bundle.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mrx1","depends_on_id":"bd-kw93","type":"parent-child","created_at":"2026-05-13T21:11:28.867999Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-mrx1","depends_on_id":"bd-pf63","type":"discovered-from","created_at":"2026-05-13T21:11:28.867999Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-mrx1","title":"Phase B.4: Acceptance bundle — _quarto.yml + posts/_metadata.yml propagation to preview","description":"Single Playwright spec pinning the two observable plan acceptance criteria for q2 preview (Phase B):\n\n1. Editing _quarto.yml (title:) re-renders the active page; new title visible in DOM within 5 s.\n2. Editing posts/_metadata.yml (subtitle:) re-renders pages under posts/; new subtitle visible in DOM within 5 s.\n\nFixture (single, dual-purpose): _quarto.yml + posts/_metadata.yml + posts/post1.qmd (no frontmatter, inherits both). Empirically verified both knobs flow through to the rendered title-block (2026-05-13 probe with target/debug/q2 render).\n\nReuses the multi-file fixture helper generalised in bd-pf63 (B.3).\n\nPlan acceptance criterion 3 ('unrelated sibling re-renders the active page') is deferred and tracked separately — its relaxed-contract form (any edit fires a re-render) is invisible at the DOM without SPA instrumentation. See discovered-from follow-up.\n\nPlan: claude-notes/plans/2026-05-13-q2-preview-phase-b.md §B.4.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-05-13T21:11:22.459798Z","created_by":"cscheid","updated_at":"2026-05-13T21:16:15.516971Z","closed_at":"2026-05-13T21:16:15.516850Z","close_reason":"Duplicate of bd-mrx1 — created by an accidental double-run during B.4 setup (jq parse error masked the first create's output). No work done against this ID; all B.4 work tracked under bd-mrx1.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mrx1","depends_on_id":"bd-kw93","type":"parent-child","created_at":"2026-05-13T21:11:22.459798Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-mrx1","depends_on_id":"bd-pf63","type":"discovered-from","created_at":"2026-05-13T21:11:22.459798Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-msp0","title":"Hub-client preview resource resolution via service worker (epic)","description":"Long-term direction: replace the iframe post-processor's resource-rewriting passes (CSS data-URIs, image data-URIs, the disabled <script> inlining block) with a service worker scoped to /.quarto/project-artifacts/ and project-relative paths. The SW intercepts fetch events and serves from the VFS, giving us:\n\n- Single resolution path shared between top-frame and iframe.\n- No data-URI churn on every render (iframes routinely carry hundreds of KB of inline base64 stylesheets today).\n- Clean answer for the in-project image redirection bug.\n- Plausible path for executing real JS bundles in preview iframes (Bootstrap collapse, search, copy-button, etc.) once SW + sandbox + COEP/COOP are set up correctly.\n\nNOT in scope: cross-doc link click → editor navigation (bd-lnd3). That's a DOM-event concern, not a fetch concern; about:srcdoc iframes drop link clicks silently regardless of network resolution. The click-interception path stays in iframePostProcessor.ts even after the SW arc lands.\n\nChildren candidates (file as separate issues when this epic gets traction):\n- SW bootstrap + scope registration in hub-client.\n- VFS → fetch handler.\n- Migration of CSS resolution (remove data-URI rewrite from iframePostProcessor).\n- Migration of image resolution (remove data-URI rewrite + fixes the in-project image redirect bug).\n- JS bundle execution in preview iframes (subsumes bd-e7b7 native+incremental constraints).\n- Sandbox / COEP / COOP setup as required.\n\nParent epic: bd-0tr6 (websites, since the immediate motivation is the website rendering pipeline, but the SW infrastructure is broadly useful).","status":"open","priority":2,"issue_type":"epic","created_at":"2026-05-01T17:18:45.016932Z","created_by":"cscheid","updated_at":"2026-05-01T17:18:45.016932Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-msp0","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-05-01T17:18:45.016932Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-msp0","depends_on_id":"bd-e7b7","type":"related","created_at":"2026-05-01T17:18:45.016932Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-msp0","depends_on_id":"bd-lnd3","type":"related","created_at":"2026-05-01T17:18:45.016932Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-mtzry","title":"D6: <body> emits quarto-light / quarto-dark class","description":"## What\n\nQ1 emits `<body class=\"fullcontent quarto-light\">` (or `quarto-dark` depending on theme). Q2 emits only `<body class=\"fullcontent\">`. Add the color-mode class based on the active theme config (default `quarto-light`).\n\n## Where\n\nTemplate body-class logic lives at `crates/quarto-core/src/template.rs:136` area (per existing comment: 'Mirrors TS Quarto's format-html-bootstrap.ts body-class logic').\n\n## Tests\n\nTemplate-render test asserting the body class for:\n- default config (no theme set) → `fullcontent quarto-light`\n- explicit dark theme → `fullcontent quarto-dark`\n\n## Plan\n\nclaude-notes/plans/2026-05-20-table-default-rendering-parity.md (D6 section)","status":"closed","priority":3,"issue_type":"feature","created_at":"2026-05-20T20:55:25.035424Z","created_by":"cscheid","updated_at":"2026-05-20T21:39:26.262052Z","closed_at":"2026-05-20T21:39:26.261894Z","close_reason":"Implemented in this commit: quarto-light appended to body class for default renders.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mtzry","depends_on_id":"bd-hir7j","type":"parent-child","created_at":"2026-05-20T20:55:25.035424Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-mw7x","title":"[websites phase 3] Navbar/footer project integration","description":"Plan: claude-notes/plans/2026-04-23-website-project-epic.md § Phase 3.\n\nDeliverables:\n- Extend existing NavbarGenerateTransform and FooterGenerateTransform to read project-level config from _quarto.yml and resolve cross-doc hrefs via ProjectIndex.\n- Active-item highlighting for the current page.\n- Navbar search tool stays a stub (search is a follow-up epic).\n- Tests: navbar entries pointing at .qmd files correctly render as .html links; external URLs pass through unchanged.\n\nBlocked by Phase 1.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-04-23T18:42:59.202302Z","created_by":"cscheid","updated_at":"2026-04-29T00:31:30.330069Z","closed_at":"2026-04-29T00:31:30.329739Z","close_reason":"Phase 3 (navbar/footer project integration) implemented — see git log Phase 3 commits. Closed as part of Phase 9 cleanup.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mw7x","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-04-23T18:42:59.202302Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-mw7x","depends_on_id":"bd-w5os","type":"blocks","created_at":"2026-04-23T18:43:43.309371Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-mwtf","title":"Hub-client: active-page parse error renders as 'Project render produced no output for the active page'","description":"When a website document has a Pass-1 parse error AND it is the active page in hub-client, the preview overlay shows the literal string 'Project render produced no output for the active page' instead of the actual parse diagnostic.\n\nRepro: examples/websites/08-hub-preview/about.qmd has an unescaped apostrophe (line 11, 'pages\\\\'') that the strict Q2 markdown parser rejects with [Q-2-10] Closed Quote Without Matching Open Quote. The CLI shows the full ariadne-style snippet via 'warning: profile-pass skipped about.qmd: ...'. Hub-client shows only the generic message.\n\nRoot cause (located): crates/wasm-quarto-hub-client/src/lib.rs:1374-1428 — render_project_active_page_to_response() checks summary.pass2_failures but never checks summary.pass1_failures. When the active page failed Pass-1, both summary.outputs and summary.pass2_failures are empty, so the L1393 fallback fires.\n\nFix: in the L1381 'no output' branch, look up summary.pass1_failures for an entry whose input matches the active path; if found, build a RenderResponse with success: false, error from the failure summary, and diagnostics: failure.diagnostics mapped to JsonDiagnostic.\n\nPlan: claude-notes/plans/2026-05-01-hub-client-website-render-ux.md (Bug 2 section).","status":"open","priority":1,"issue_type":"bug","created_at":"2026-05-01T13:58:04.540272Z","created_by":"cscheid","updated_at":"2026-05-01T13:58:04.540272Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-mwtf","depends_on_id":"bd-lk66","type":"parent-child","created_at":"2026-05-01T13:58:04.540272Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-n4e0p","title":"Canonical device-flow URL must be a module constant, not Google's response","description":"Anti-phishing requirement from plan §Phase 1 (threat #5). authenticate_start MUST return the hard-coded constant https://www.google.com/device as canonical_url alongside Google's verification_uri — and the canonical must come from a module-level constant in auth-tools.ts, NEVER copied from the AS response.\n\nTest name: start_canonical_url_is_a_constant_not_from_google_response in ts-packages/quarto-hub-mcp/test/auth/auth-tools.test.ts. Test uses a mock AS that returns a malicious verification_uri and asserts the tool's canonical_url is unchanged.\n\nPlan §Phase 7 + threat model #5: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"bug","created_at":"2026-05-20T14:27:54.874842Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:54.874842Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-n4e0p","depends_on_id":"bd-cqkts","type":"parent-child","created_at":"2026-05-20T14:27:54.874842Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-n7x2","title":"Syntax highlighting design and implementation for Quarto 2","description":"Design and implement a syntax highlighting system for code blocks in Quarto 2. Generic span-annotation AST format + tree-sitter-driven pipeline stage + per-format writers. Plan: claude-notes/plans/2026-04-19-syntax-highlighting-design.md. Research notes under claude-notes/research/syntax-highlighting-*.md.","status":"open","priority":2,"issue_type":"epic","created_at":"2026-04-19T14:50:53.168567Z","created_by":"cscheid","updated_at":"2026-04-19T14:50:53.168567Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-n8a4","title":"L0 — ListingItemInfo profile extension","description":"Add DocumentProfile.listing_item: ListingItemInfo with curated fields + extra: BTreeMap<String, ConfigValue>. Bump DOCUMENT_PROFILE_VERSION 2 → 3. Update document-profile-contract.md with the new row plus a new §'Scoped feature surfaces' explicitly forbidding non-listing reads of listing_item.extra. Schema update in quarto-yaml-validation. See claude-notes/plans/2026-05-05-listings-epic.md §L0.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-05-05T19:52:49.454592Z","created_by":"cscheid","updated_at":"2026-05-05T21:30:29.284197Z","closed_at":"2026-05-05T21:30:29.283825Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-n8a4","depends_on_id":"bd-61cd","type":"parent-child","created_at":"2026-05-05T19:52:49.454592Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-n9dr","title":"[websites epic] Unify nav config placement across features","description":"Nav config placement across features. Phase 3 (2026-04-24) refined the framing: rather than 'unify everything into one namespace,' the principle is now \"placement follows feature semantics.\"\n\nCurrent placement (post-Phase 3):\n- 'navbar:' — top level (feature-scoped; works in single-doc + project)\n- 'page-footer:' — top level (same; revealjs/etc. legitimately use it)\n- 'website.sidebar:' — under website. (sidebar is inherently a multi-page website feature)\n- 'site-sidebar:' (per-doc override selecting which sidebar applies) — top level\n- 'website.title:' / 'website.site-url:' / 'website.favicon:' — under website. (site-scoped)\n\nThe only remaining tension is 'site-sidebar' being a doc-level override for a website-scoped feature. Options:\n(a) rename to 'website.sidebar-id' (canonical; website.sidebar-id already accepted in Phase 2 as an alias)\n(b) keep 'site-sidebar' since it's a per-doc override like 'draft:' / 'date:' and those also live at the top level\n\nNot a blocker for MVP; land before docs-facing release. See claude-notes/plans/2026-04-24-websites-phase-3.md §Decision 1 for the framing shift.","status":"open","priority":2,"issue_type":"task","created_at":"2026-04-24T17:53:00.610122Z","created_by":"cscheid","updated_at":"2026-04-24T19:43:25.192319Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-n9dr","depends_on_id":"bd-9svl","type":"discovered-from","created_at":"2026-04-24T17:53:00.610122Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
@@ -316,11 +326,13 @@
 {"id":"bd-q30j","title":"Port automerge-inspector into hub-client as a debugging view","description":"Port external-sources/automerge-inspector into hub-client as a second Vite entry point (debug.html). Must work with the auth-enabled sync server by sharing hub-client's HttpOnly cookie over same-origin /ws proxy. Read-only document inspection + protocol traffic log. 'Out of general sight' — no link from main UI. See plan at claude-notes/plans/2026-04-16-hub-client-automerge-debugger.md for full design, open questions, and phased work items.","status":"open","priority":2,"issue_type":"epic","created_at":"2026-04-16T15:54:33.232032Z","created_by":"cscheid","updated_at":"2026-04-16T15:54:33.232032Z","source_repo":".","compaction_level":0,"original_size":0,"labels":["automerge","debugging","hub-client"]}
 {"id":"bd-q6ed","title":"Display math inside a blockquote retains '> ' continuation prefix in content (issue #181)","description":"Tree-sitter grammar rule `pandoc_display_math` (crates/tree-sitter-qmd/tree-sitter-markdown/grammar.js:367) matches its body as a single regex `/([^$]|[$][^$]|\\\\$)+/` between the two `$$` delimiters. When the math block is inside a blockquote, the interior `> ` block-continuation markers are never consumed by the grammar's `block_continuation` machinery; they end up verbatim inside the captured node text and then inside `Math.text` (see crates/pampa/src/pandoc/treesitter.rs:502-513). The qmd writer then correctly re-prefixes every line of the math body with `> ` when emitting it inside a blockquote, producing `> > p = q` and adding one more `> ` level on each round trip.\n\nFix is at the grammar level: make `pandoc_display_math` line-structured (loop over `$._newline | _math_line`) the way `pandoc_code_block` already is (grammar.js:828, with `_newline` consuming `block_continuation` at grammar.js:886). The writer is already correct; do not change it.\n\nTriage doc and minimal repros live at claude-notes/issue-reports/181/ on branch issue-181. See triage.md there for full evidence including CST output and a contrasting fenced-code-in-blockquote case that parses cleanly.","status":"open","priority":2,"issue_type":"bug","created_at":"2026-05-12T17:34:18.793641Z","created_by":"cscheid","updated_at":"2026-05-12T17:34:18.793641Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-q6ky","title":"Plain-text aria-label projection for rich page-nav titles","description":"When DocumentProfile.title gains inline-markup support, project to plain text for aria-label and title attributes on the prev/next anchors. Phase 4 currently uses the title verbatim, which is fine while titles are plain String.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-04-24T22:47:59.865423Z","created_by":"cscheid","updated_at":"2026-04-24T22:47:59.865423Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-q6ky","depends_on_id":"bd-nwun","type":"discovered-from","created_at":"2026-04-24T22:47:59.865423Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-qabnx","title":"Phase 1 — Design lock-in (hub-mcp device flow)","description":"Record-only phase. Captures the immutable v1 design decisions from empirical verification of Google's device-flow endpoints on 2026-05-19.\n\nNo code; closing condition is the plan's Phase 1 section being merged and the epic + sub-issues being filed.\n\nPlan §Phase 1: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"closed","priority":1,"issue_type":"task","created_at":"2026-05-20T14:26:51.454050Z","created_by":"shikokuchuo","updated_at":"2026-05-20T21:22:18.060790Z","closed_at":"2026-05-20T21:22:18.060745Z","close_reason":"Design lock-in is recorded in plan §Phase 1 and replayed in the Phase 2 implementation. No further work.","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-qabnx","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:26:51.454050Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-qawx","title":"cargo xtask create-worktree DWIMs remote-tracking branch as base, doesn't create requested branch","description":"Symptom: 'cargo xtask create-worktree --issue 152 --base bugfix/issue-184' printed 'Branch: issue-152' but the worktree was actually checked out on a freshly-created local 'bugfix/issue-184' branch (tracking origin/bugfix/issue-184). No 'issue-152' branch was ever created; 'git rev-parse refs/heads/issue-152' returns exit 1 immediately after the xtask reports success. Reflog confirms.\n\nReproduction (best-effort, from this session):\n- main worktree at .worktrees/issue-184/ already exists on a local 'issue-184' branch\n- remote bugfix/issue-184 exists; no local bugfix/issue-184 yet\n- cargo xtask create-worktree --issue 152 --base bugfix/issue-184\n- Result: .git/worktrees/issue-152/HEAD reads 'ref: refs/heads/bugfix/issue-184'\n- Expected: HEAD reads 'ref: refs/heads/issue-152'\n\nLikely cause: the underlying 'git worktree add -b issue-152 .worktrees/issue-152 bugfix/issue-184' invocation may interact poorly with git's DWIM when the start-point is a remote-tracking branch. Worth a small repro test in crates/xtask/.\n\nRecovered in-place via 'git checkout -b issue-152' inside the worktree (user-approved during triage). The xtask still claimed success in stdout, so the bug is silent — that's the most user-hostile part.\n\nDiscovered during: triage of issue #152 / bd-j4fe.","status":"open","priority":2,"issue_type":"bug","created_at":"2026-05-14T19:08:20.229932Z","created_by":"cscheid","updated_at":"2026-05-14T19:08:20.229932Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-qawx","depends_on_id":"bd-j4fe","type":"discovered-from","created_at":"2026-05-14T19:08:20.229932Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-qb4o","title":"L11 — Listings epic close-out","description":"Compile per-phase follow-up bd log into single epic report. Confirm cargo xtask verify on a fresh checkout. Update document-profile-contract.md change log. Confirm hub-client renders listings end-to-end via WASM (real browser smoke test): multi-page project with listings, edit a content page, see listing host preview update with L1 fallbacks. See claude-notes/plans/2026-05-05-listings-epic.md §L11.","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-05T19:54:06.937522Z","created_by":"cscheid","updated_at":"2026-05-05T19:54:06.937522Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-qb4o","depends_on_id":"bd-5vsr","type":"blocks","created_at":"2026-05-05T19:54:06.937522Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-qb4o","depends_on_id":"bd-61cd","type":"parent-child","created_at":"2026-05-05T19:54:06.937522Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-qb4o","depends_on_id":"bd-hzsi","type":"blocks","created_at":"2026-05-05T19:54:06.937522Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-qb4o","depends_on_id":"bd-o90m","type":"blocks","created_at":"2026-05-05T19:54:06.937522Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-qb4o","depends_on_id":"bd-qf7r","type":"blocks","created_at":"2026-05-05T19:54:06.937522Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-qb4o","depends_on_id":"bd-xbnf","type":"blocks","created_at":"2026-05-05T19:54:06.937522Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-qf7r","title":"L7 — Post-render placeholder upgrade (engine-rendered previews; BRACKETED)","description":"BRACKETED FEATURE — read epic §L7 'Bracketing rules' before extending. Upgrades L1-fallback description+image to engine-rendered firstPara+previewImage by reading sibling output files in WebsiteProjectType::post_render. Single module home, mandatory file-header discipline, CLI-only by construction (hub-client and quarto preview show L1 fallbacks), no cross-feature reuse, mandatory L1-fallback contract. See claude-notes/plans/2026-05-05-listings-epic.md §L7.","status":"closed","priority":2,"issue_type":"feature","created_at":"2026-05-05T19:53:43.884886Z","created_by":"cscheid","updated_at":"2026-05-07T21:11:33.486906Z","closed_at":"2026-05-07T21:11:33.486767Z","close_reason":"L7 (bd-qf7r) implemented + merged: post-render placeholder upgrade. impl d4877142, merge dc3a0f7b. CLI render now substitutes engine-rendered first paragraphs and preview images into listing entries via the bracketed post_render step. Hub-client preview retains L1 fallbacks per the bracketing rules. +50 tests over 8647 baseline → 8697 total. Follow-ups: bd-rvpd (span threading), bd-bpdz (L9 reader extension), bd-399t (docs callout), bd-fx23 (defensive id encoding).","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-qf7r","depends_on_id":"bd-61cd","type":"parent-child","created_at":"2026-05-05T19:53:43.884886Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-qf7r","depends_on_id":"bd-ml8z","type":"blocks","created_at":"2026-05-05T19:53:43.884886Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-qhkp","title":"New projects not added to Automerge project set (stale closure in App.tsx)","description":"handleProjectCreated and share link handler in App.tsx capture stale projectSetState/projectSetActions due to missing useCallback/useEffect dependencies. The status check always sees 'loading' instead of 'connected', so addProject is never called on the synced set. Plan: claude-notes/plans/2026-04-06-fix-project-set-stale-closure.md","status":"open","priority":1,"issue_type":"bug","created_at":"2026-04-06T20:27:45.091230Z","created_by":"cscheid","updated_at":"2026-04-06T20:27:45.091230Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-ql55q","title":"Preview navbar brand link points to artifacts VFS root and dead-ends iframe","description":"In hub-client / q2 preview, the navbar brand anchor (the title 'Quarto 2' in docs/) renders as <a class=\"navbar-brand\" href=\"/.quarto/project-artifacts/\">.\n\nLive repro 2026-05-20 (chrome-devtools MCP against q2 preview docs/):\nclicking it fires beforeunload on the iframe, iframe location moves to\n/.quarto/project-artifacts/, and NO NAVIGATE_TO_DOCUMENT postMessage fires —\nstranding the SPA on a URL the preview server doesn't serve.\n\nBoth TS link handlers reject the trailing-slash form:\n- iframeLinkHandlers.ts::parseArtifactHref (used by q2-preview SPA, this is the path that runs in q2 preview docs/)\n- iframePostProcessor.ts::reverseMapArtifactHref (used by hub-client HTML iframe)\nBoth require .html suffix on the stem.\n\nNative q2 render is correct (href=\"./\"). Bug is preview-only.\n\nFix in both TS link handlers — recognize the bare-directory artifact-root form as the project home (index.qmd). Resolver semantics unchanged.\n\nSee plan: claude-notes/plans/2026-05-20-preview-navbar-brand-artifacts-link.md","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-05-20T14:07:30.497517Z","created_by":"cscheid","updated_at":"2026-05-20T14:24:11.997050Z","closed_at":"2026-05-20T14:24:11.996869Z","close_reason":"Fixed in commit ebcc7f3e. Two-surface fix in TS:\n\n- iframeLinkHandlers.ts::parseArtifactHref (q2-preview SPA path,\n  always-intercept) — empty-stem branch returns\n  { qmdCandidate: 'index.qmd', anchor }.\n\n- iframePostProcessor.ts::reverseMapArtifactHref (hub-client HTML\n  path, strict projectFilePaths lookup) — empty/null-stem branch\n  tries each RENDERABLE_EXTS as 'index'+ext against projectFilePaths;\n  returns first match or null per surface policy.\n\nResolver semantics in quarto-core unchanged — the trailing-slash\ndirectory URL is correct for static-served sites; the adaptation\nbelongs at the SPA-specific interception layer.\n\nE2E verified against docs/ via chrome-devtools MCP (post-fix\nsignature exactly inverts the 2026-05-20 repro): default prevented,\nno beforeunload, iframe stays at /q2-preview.html,\nNAVIGATE_TO_DOCUMENT fires with path=index.qmd, SPA route updates,\nheading after click is \"Quarto 2\".\n\nPlan: claude-notes/plans/2026-05-20-preview-navbar-brand-artifacts-link.md","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-ql55q","depends_on_id":"bd-lk66","type":"parent-child","created_at":"2026-05-20T14:07:30.497517Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-qod9s","title":"Phase 10 — operational hardening + documentation","description":"Operator runbook for Google OAuth client (Limited-Input-Devices type) registration. End-user .mcp.json example with QUARTO_HUB_MCP_CLIENT_ID/_SECRET. README: credential-sourcing rationale + threat-model #10 cross-ref. Per-platform credential-store clear commands. Revocation runbook (myaccount.google.com). Token-leak regression sweep.\n\nFuture-work list (not in v1) captured in plan: authenticate_status/clear tools, --login CLI flag, hub-side sub_denylist, per-scope auth, GitHub OIDC, refresh-expiry monitoring, PKCE on device-auth grant.\n\nPlan §Phase 10: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-20T14:27:35.458795Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:35.458795Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-qod9s","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:35.458795Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-qor9a","title":"Resolve metadata paths relative to the file they were declared in (source-location-driven)","description":"Reproducer: `docs/guide/index.qmd` defines a sidebar in its frontmatter:\n\n```yaml\nsidebar:\n  contents:\n    - text: \"Introduction\"\n      href: introduction.qmd\n    - text: \"Markdown\"\n      href: ../authoring/markdown/index.qmd\n```\n\nBoth targets exist relative to `docs/guide/index.qmd` (`docs/guide/introduction.qmd` and `docs/authoring/markdown/index.qmd`). Today `q2 render` warns:\n\n  Sidebar references missing document information for 'introduction.qmd'\n  Sidebar references missing document information for '../authoring/markdown/index.qmd'\n\nbecause `SidebarGenerateTransform` treats sidebar hrefs as project-root-relative regardless of where the YAML was written.\n\nRoot cause: `SidebarEntry::from_plain_string` (`crates/quarto-navigation/src/sidebar.rs`) and the bare-string code path in `SidebarEntry::from_config_value` strip `ConfigValue.source_info`, then `SidebarGenerateTransform` calls `index.lookup_by_source(Path::new(h))` on the bare string. There is no way at lookup time to know whether the href was written in `_quarto.yml` (project-root-relative) or in a doc's frontmatter (doc-relative).\n\nFix direction (chosen): hybrid 'known path-shaped keys' — the sidebar/navbar parser treats strings in href/file/contents/section-href positions as if they were `!path`, retaining the `ConfigValue.source_info` long enough to resolve them against `dirname(source_info.file)` at Generate time. Authors don't have to write `!path` tags. Mirrors the existing `adjust_paths_to_document_dir` machinery for directory metadata, extended to per-document frontmatter.\n\nScope: sidebar, navbar, page-footer entries (hrefs + contents items). Project-config / `_quarto.yml`-rooted values resolve to project-root-relative (unchanged behaviour). Per-doc / `_metadata.yml`-rooted values resolve to dirname-of-that-file, then normalized via `resolve_to_project_root`.\n\nThis issue also lands the SourceInfo plumbing through to the navigation diagnostics that bd-8d6rk migrates to the structured form — once the parser retains source_info, the diagnostic gets a real location and `--json` consumers can show the offending YAML line.\n\nPlan: claude-notes/plans/2026-05-20-bd-PLACEHOLDER-metadata-path-resolution.md (to be created)\n\nBlocks-on bd-8d6rk: the structured-diagnostic surface should exist before we wire SourceInfo into it.","notes":"Plan outline written: claude-notes/plans/2026-05-20-bd-qor9a-metadata-path-resolution.md (draft, awaiting iteration. Will be fleshed out in detail after bd-8d6rk lands)","status":"closed","priority":2,"issue_type":"bug","created_at":"2026-05-20T14:56:32.967393Z","created_by":"cscheid","updated_at":"2026-05-20T17:26:26.218423Z","closed_at":"2026-05-20T17:26:26.218267Z","close_reason":"Implementation complete. RenderContext now carries source_context; NavigationItem / SidebarEntry::Section / Navbar carry href_source paired fields; resolve_metadata_path resolves hrefs against the YAML file they were authored in; sidebar/navbar/footer/page-nav generate+render pass href_source through to Q-13-* diagnostics. End-to-end verified on docs/guide/index.qmd (zero warnings; sidebar links resolve correctly). cargo xtask verify --skip-hub-build clean. Plan: claude-notes/plans/2026-05-20-bd-qor9a-metadata-path-resolution.md (all phases checked). Follow-up bd-hjv5o tracks broader generalization. Changes uncommitted pending user review.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-qor9a","depends_on_id":"bd-8d6rk","type":"blocks","created_at":"2026-05-20T14:56:32.967393Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-qpa2","title":"Display math column-strip uses wrong column source, mishandles inline-wrapped and labeled math (issue #181 follow-up)","description":"Follow-up to bd-q6ed / issue #181, with revised diagnosis after a second-pass investigation (see `claude-notes/issue-reports/181/triage.md` § \"Second-pass investigation\").\n\n## Symptom\n\nTwo reporter-supplied edge cases (rundel, 2026-05-12):\n\n1. **Labeled display math inside a blockquote** — `> $$\\n> p(x)\\n> $$ {#eq-p}` round-trips with a literal `> ` left in `Math.text` after the second pass.\n2. **Labeled display math at top level** — `$$\\na\\n  b\\n$$ {#eq-x}` loses one column of leading whitespace from interior lines on each round trip.\n\nSubsequent probing revealed both are instances of a broader brittleness in the column-strip introduced by bd-q6ed:\n\n3. `_$$\\na\\n  b\\n$$_` (emph wrapping multi-line displaymath) loses one space on **first** parse — no round trip needed.\n4. `> _$$\\n> a\\n>   b\\n> $$_` (same inside a blockquote) leaks `> ` AND loses interior whitespace on first parse.\n\n## Root cause\n\n`strip_continuation_prefix` in `crates/pampa/src/pandoc/treesitter.rs` uses `node.start_position().column` (the column of `$$`) as the strip width. That column equals the cumulative block-continuation prefix width **only when `$$` is the leftmost non-prefix character on its line**. Anything that precedes `$$` on the same line (`_`, `**`, `[`, the writer's own `[` for `quarto-math-with-attribute` Spans, etc.) shifts the column while the body bytes' source layout does not change. The strip then either eats real content (when the prefix is all whitespace/`>`) or refuses to strip real prefix (when the column overshoots into real content).\n\n## Constraint\n\n`DisplayMath` must remain an inline AST node — there are large existing corpora with display math nested inside paragraphs, and the grammar restructure proposed in the original triage would break those documents.\n\n## Fix shape (reader-side, no grammar change, no AST shape change)\n\nChange the strip-width source from `math_node.start_position().column` to the start column of the **enclosing block-leaf ancestor** (`pandoc_paragraph` / `pandoc_plain`). The cumulative block-continuation prefix width equals the paragraph's start column, which is constant across all interior lines of the paragraph regardless of what precedes `$$` on the opening line.\n\nPandoc's markdown reader uses this exact strategy (verified empirically). The fix matches Pandoc's behaviour on all probed cases — including lazy-continuation, nested blockquotes, list-item indent, and inline-wrapped multi-line math. The existing conservative `bytes ∈ {>, space, tab}` guard in the helper continues to handle lazy continuation correctly.\n\nThis single-input change subsumes:\n- bd-q6ed canonical case (paragraph col = math col, identical result)\n- bd-qpa2 edges A and B (paragraph col reflects true bq/top-level width)\n- Inline-wrapped multi-line math at any block context\n\n## Regression coverage to add\n\nFixtures under `crates/pampa/tests/roundtrip_tests/qmd-json-qmd/`:\n\n- `labeled_display_math_in_blockquote.qmd` (bd-qpa2 edge A)\n- `labeled_display_math_top_level_indented.qmd` (bd-qpa2 edge B)\n- `emph_around_multiline_display_math.qmd`\n- `emph_around_multiline_display_math_in_blockquote.qmd`\n\nReference inputs preserved at `claude-notes/issue-reports/181/exp-labeled-math-in-bq.qmd` and `exp-labeled-math-toplevel.qmd`.\n\n## Worktree / branch\n\nImplementation on its own branch with plan file at `claude-notes/plans/2026-05-12-displaymath-column-strip-fix.md`. Upstream: https://github.com/quarto-dev/q2/issues/181.\n\n## Out of scope (separate issue if desired)\n\nThe writer's `[$$…$$]{attr}` emission for `quarto-math-with-attribute` Spans is suboptimal — Pandoc emits the natural form `$$\\n…\\n$$ {attr}` for the same AST. Switching to that form would improve readability and Pandoc compatibility, but with the reader fix above it is no longer required for round-trip correctness.","status":"open","priority":1,"issue_type":"bug","created_at":"2026-05-12T19:32:00.197200Z","created_by":"cscheid","updated_at":"2026-05-12T19:55:56.757118Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-qpa2","depends_on_id":"bd-q6ed","type":"related","created_at":"2026-05-12T19:32:00.197200Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-r7v2","title":"Browser smoke: confirm MathJax/KaTeX typeset in real browser","description":"Phase 4.3 of bd-w5ov could not be completed in-session because chrome-devtools-mcp disconnected after a stale browser process was killed. Implementation is complete and Phase 4.2 (CLI exercise) verified the rendered HTML markup is correct. What remains: load the rendered fixtures in a real Chromium session and confirm the math is actually typeset, not just present as raw \\(x^2\\) text.\n\nAcceptance:\n- Render /tmp/q2-math-cli/inline_math.html, display_math.html, labelled_eq.html via http.server.\n- chrome-devtools-mcp: navigate, evaluate document.querySelectorAll('mjx-container').length > 0 (MathJax fixtures).\n- Render katex.html, evaluate document.querySelectorAll('.katex, .katex-display').length > 0.\n- Confirm zero console errors from the math runtime (404s on jsDelivr would fail this).\n- Record observations in claude-notes/plans/2026-05-04-math-mode.md.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-05-04T23:58:12.775314Z","created_by":"cscheid","updated_at":"2026-05-05T00:04:57.347714Z","closed_at":"2026-05-05T00:04:57.347571Z","close_reason":"Browser smoke completed in same session as bd-w5ov implementation: 5 fixtures verified live in Chromium via chrome-devtools-mcp. MathJax 3.2.2 typesets inline + display + labelled equations from jsDelivr; KaTeX typesets via auto-render; math-free pages stay clean; user URL override honored. Recorded in plan §Browser smoke log.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-r7v2","depends_on_id":"bd-w5ov","type":"discovered-from","created_at":"2026-05-04T23:58:12.775314Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
@@ -336,6 +348,7 @@
 {"id":"bd-rwxa0","title":"Inline brand block in document frontmatter not wired through single-file render path","description":"from_config_value extracts brand: from a document's flattened metadata correctly, but single-file render mode (no _quarto.yml) appears to skip CompileThemeCssStage entirely and emit only the default styles.css. Project-level brand: works fine. Either route the inline brand through the single-file path or document the limitation. Discovered during Phase 7 e2e verification on 2026-05-20. Plan ref: claude-notes/plans/2026-05-20-brand-yml-support.md.","status":"open","priority":3,"issue_type":"bug","created_at":"2026-05-21T02:31:10.966556Z","created_by":"cscheid","updated_at":"2026-05-21T02:31:10.966556Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-s0ln","title":"hub-react-todo demo app (AST sync proof of concept)","description":"Standalone Vite React app in q2-demos/hub-react-todo that connects to a sync server, subscribes to a QMD file, and renders a live-updating todo list from the Pandoc AST. Demonstrates onASTChanged callback from Phase 1 of AST sync client API. Plan: claude-notes/plans/2026-02-06-hub-react-todo-demo.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-02-06T20:15:06.711433Z","created_by":"cscheid","updated_at":"2026-02-06T20:15:06.711433Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-s0ln","depends_on_id":"bd-3lsb","type":"discovered-from","created_at":"2026-02-06T20:15:06.711433Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-s3z1g","title":"React CodeBlock parity with native div.sourceCode wrapper","description":"Q2 has two HTML output paths: the Rust HTML writer in crates/pampa/src/writers/html.rs (used by 'q2 render') and the React renderer in ts-packages/preview-renderer/src/q2-preview/blocks/CodeBlock.tsx (used by 'q2 preview' / hub-client).\n\nCommit c81b6001 ('match Pandoc's codeblock styling output') updated the native writer to emit Pandoc's nested structure for highlighted code blocks:\n\n    <div class=\"sourceCode [non-language classes]\" id=\"...\"><pre class=\"sourceCode lang\"><code class=\"sourceCode lang\">…</code></pre></div>\n\nThe React component still emits the pre-fix shape (`<pre class=\"sourceCode lang\"><code>…</code></pre>`), so the styling now drifts between 'q2 render' and 'q2 preview'. The component comments at CodeBlock.tsx:170-173 explicitly call out the parity invariant.\n\n## Scope\n\n- Mirror write_highlighted_codeblock in CodeBlock.tsx: when highlight spans are present, emit the div.sourceCode wrapper; move id + non-language classes to the div; emit class='sourceCode <lang>' on both <pre> and <code>.\n- Un-highlighted code blocks stay as bare <pre><code> — already in parity.\n- Update q2-preview.integration.test.tsx (two tests around lines 263 and 297) to assert the new shape.\n\n## Acceptance\n\n- Vitest passes for the integration test file.\n- 'npm run build:all' from hub-client succeeds.\n- Visual diff of rendered fixture (test.qmd from earlier session) between 'q2 render' and 'q2 preview' shows identical rounded-background styling.\n\n## Why this is the right first slice of bd-1tl09\n\nIt stress-tests the native/React parity invariant before any of the new decoration features (filename, copy, fold, etc.) introduce more parity surface. If maintaining parity by hand turns out to be sustainable here (one shape, two tests), the rest of the plan can proceed with confidence. If not, we add a shared contract before Phase 0.\n\nDiscovered-from: bd-1tl09 epic.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-05-19T19:36:31.804213Z","created_by":"cscheid","updated_at":"2026-05-19T19:49:42.966821Z","closed_at":"2026-05-19T19:49:42.966645Z","close_reason":"React CodeBlock now emits Pandoc's nested <div class=\"sourceCode\">…<pre class=\"sourceCode lang\">…<code class=\"sourceCode lang\">…</code></pre></div> structure for highlighted blocks; un-highlighted blocks unchanged. Verified end-to-end with q2 preview (project mode): DOM and visual rendering identical to q2 render. Found a separate bug along the way (bd-tnm3k, single-file preview mode broken).","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-s3z1g","depends_on_id":"bd-1tl09","type":"parent-child","created_at":"2026-05-19T19:36:31.804213Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-sfr5l","title":"Phase 5 — hub-mcp credential storage (OS-native keyring)","description":"New module ts-packages/quarto-hub-mcp/src/auth/credential-store.ts using @napi-rs/keyring. Single opaque JSON blob per Entry(service, account). Per-platform service/account identifiers locked in Phase 1.\n\nTDD: cross-platform unit suite + headless-failure suite + platform-conditional suites (KEYRING_INTEGRATION=1 gate). Sibling bug bd-XXXX tracks the keyring-error blob-leak regression test specifically.\n\nAsymmetric error mapping: read returns null on backend-unavailable; write/clear throw typed KeyringUnavailableError. No silent plaintext fallback anywhere.\n\nPlan §Phase 5: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:10.359115Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:10.359115Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-sfr5l","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:10.359115Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-sgm7","title":"Share link single-click: auto-connect without requiring manual project setup","description":"Make share links work in a single click regardless of whether the receiving user already has the project in their settings. Currently, new recipients must manually click 'Connect' in the ProjectSelector. The new flow should auto-create the project entry and connect immediately. Also add project name to the share URL for better UX. Plan: claude-notes/plans/2026-03-30-share-link-single-click.md","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-03-30T16:47:27.895709Z","created_by":"cscheid","updated_at":"2026-03-30T16:56:38.302807Z","closed_at":"2026-03-30T16:56:38.302195Z","close_reason":"Implemented: share links now auto-create project entries and connect immediately. Added project name to share URL. Removed pendingShareData plumbing. All tests pass.","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-sh4h","title":"L9 follow-up: Atom 1.0 emission","description":"L9 emits RSS 2.0 only (with the atom:link rel=self extension element, matching Q1). A pure Atom 1.0 alternative would be a forward feature for users who prefer it. Likely shape: feed.format: rss|atom on the listing config; new templates under feed/templates/atom/.","status":"open","priority":4,"issue_type":"feature","created_at":"2026-05-08T17:33:49.689660Z","created_by":"cscheid","updated_at":"2026-05-08T17:33:49.689660Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-sh4h","depends_on_id":"bd-o90m","type":"discovered-from","created_at":"2026-05-08T17:33:49.689660Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-si8b","title":"Evaluate Temml as a third math engine for HTML output","description":"MathJax (default) and KaTeX shipped in bd-w5ov. Temml is a KaTeX fork that emits MathML directly (~80 KB bundle, native browser rendering, best a11y story). MathML support is now near-universal (Chromium since 2023, WebKit + Firefox always).\n\nInvestigate whether to add Temml as a third 'html-math-method' option:\n- Output contract differs from MathJax/KaTeX (MathML in markup vs TeX delimiters).\n- Could be added as a parallel arm in MathEngine / from_meta() / render_math_slot().\n- Decide: does q2 ship TeX-source delimiters and let Temml convert client-side, or do server-side TeX→MathML conversion at render time?\n\nOut of scope: making Temml the default. Default stays MathJax for parity with Quarto 1.","status":"open","priority":3,"issue_type":"task","created_at":"2026-05-04T23:58:18.920001Z","created_by":"cscheid","updated_at":"2026-05-04T23:58:18.920001Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-si8b","depends_on_id":"bd-w5ov","type":"discovered-from","created_at":"2026-05-04T23:58:18.920001Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
@@ -343,7 +356,7 @@
 {"id":"bd-spsv","title":"Add cargo xtask create-worktree command with CLAUDE.local.md stub","description":"Add cargo xtask create-worktree subcommand that automates full worktree setup: git worktree add, beads redirect, and CLAUDE.local.md context stub prepended with markers. Three modes: beads ID (reads br show), --issue N (reads gh issue view), --upgrade (date-based). CLAUDE.local.md holds context only (worktree location, beads pointer, GitHub URL, plan placeholder) — beads tracks status. Plan at claude-notes/plans/2026-05-07-create-worktree-xtask.md. 8 files: .gitignore, xtask/src/main.rs, xtask/src/create_worktree.rs (new), .claude/rules/xtask.md, .claude/rules/worktrees.md, investigate-beads skill, triage skill, upgrade-cargo-deps skill.","status":"in_progress","priority":2,"issue_type":"feature","created_at":"2026-05-07T14:23:51.141793100Z","created_by":"cderv","updated_at":"2026-05-11T16:49:51.239535200Z","source_repo":".","compaction_level":0,"original_size":0,"comments":[{"id":20,"issue_id":"bd-spsv","author":"cderv","text":"2026-05-07 design phase complete. Worktree: .worktrees/bd-spsv-create-worktree-xtask on branch beads/bd-spsv-create-worktree-xtask (commit 0a2def90).\n\nPlan committed at claude-notes/plans/2026-05-07-create-worktree-xtask.md (~480 lines). Two sub-agent design reviews passed: pass 1 (1 blocking + 12 required → all resolved), pass 2 (3 required → all resolved).\n\nKey design decisions locked:\n- clap struct-style variant `CreateWorktree { #[command(flatten)] args }` matching existing main.rs idiom\n- ArgGroup(required, single) for mode validation\n- Slug derive: split on whitespace+hyphen, ASCII-alphanumeric, drop stop-words, take 4, error on empty\n- CLAUDE.local.md idempotent prepend with BEGIN/END markers; full failure-case table + line-ending decision rules + atomic .tmp+rename\n- time = { version = \"0.3\", features = [\"macros\", \"formatting\"] }\n- xtask is filesystem-only (never touches beads state)\n- worktrees.md gets new sections: § CLAUDE.local.md, § Manual bootstrap (fallback)\n- --slug semantics: override in beads mode, suffix in issue/upgrade\n\nNEXT SESSION: from worktree .worktrees/bd-spsv-create-worktree-xtask, invoke /superpowers:writing-plans against the design plan to produce phased implementation plan with TDD task structure. Then implement.\n\nTouched files (8): .gitignore, crates/xtask/Cargo.toml, crates/xtask/src/main.rs, crates/xtask/src/create_worktree.rs (new), .claude/rules/xtask.md, .claude/rules/worktrees.md, .claude/skills/{investigate-beads,triage,upgrade-cargo-deps}/SKILL.md.\n\nSelf-bootstrap caveat: this worktree was set up with the manual git+echo commands the new xtask replaces (chicken-and-egg). E2E test of new command happens after merge, on next worktree any dev creates.","created_at":"2026-05-07T17:10:40Z"},{"id":21,"issue_id":"bd-spsv","author":"cderv","text":"Implementation complete on branch beads/bd-spsv-create-worktree-xtask (19 commits, 0a2def90..1672540a). 54 xtask tests passing. Final whole-branch review verdict: Ready to merge. Phase E smoke tests (Chris-driven) and Phase G push remain. Two optional follow-ups noted in review: clippy cleanup of new code (~5 lints), and reordering validate_slug ahead of fetch_beads_metadata in plan_beads to fail-fast on bad slug.","created_at":"2026-05-11T15:43:29Z"},{"id":22,"issue_id":"bd-spsv","author":"chris","text":"2026-05-11 session 3 — IMPLEMENTATION COMPLETE on branch beads/bd-spsv-create-worktree-xtask. HEAD 09eead55. 24 commits ahead of main. 55 xtask tests passing.\n\nNEXT SESSION (in priority order):\n\n1) Phase E end-to-end smoke (Chris-driven, from worktree .worktrees/bd-spsv-create-worktree-xtask). Full recipe in claude-notes/plans/2026-05-11-implement-create-worktree-xtask.md § Phase E. Quick form:\n   cargo build -p xtask\n   cargo xtask create-worktree --help\n   cargo xtask create-worktree bd-spsv --slug e2e-beads\n   ISSUE=$(gh issue list --repo quarto-dev/q2 --state open --limit 1 --json number --jq '.[0].number')\n   cargo xtask create-worktree --issue \"$ISSUE\" --slug e2e-issue\n   cargo xtask create-worktree --upgrade --slug e2e-upgrade\n   mkdir -p .worktrees/bd-spsv-collision-test ; cargo xtask create-worktree bd-spsv --slug collision-test ; rmdir .worktrees/bd-spsv-collision-test\n   cargo xtask create-worktree bd-spsv --slug \"foo/bar\"  # rejected\n   cargo xtask create-worktree bd-spsv --slug e2e-beads  # rerun-fails by design\n   Q2_CREATE_WORKTREE_INJECT_FAIL=after_worktree_add cargo xtask create-worktree bd-spsv --slug rollback-test\n   test ! -d .worktrees/bd-spsv-rollback-test && git branch | grep -v 'beads/bd-spsv-rollback-test' && echo OK\n   # cleanup: git worktree remove on each e2e dir + git branch -d on each e2e branch\n\n2) Capture smoke transcript for PR body (per CLAUDE.md \"end-to-end verification before declaring success\").\n\n3) Push: git push -u origin beads/bd-spsv-create-worktree-xtask:feature/bd-spsv-create-worktree-xtask\n\n4) gh pr create against main. PR body should reference: 24 commits, 55 tests, smoke transcript, optional follow-ups list (below).\n\nOPTIONAL FOLLOW-UPS (non-blocking, file separately if desired):\n- clippy cleanup in create_worktree.rs: ~5 findings (map_unwrap_or at :176/:448, collapsible_if at :570, print_literal at :160, naive_bytecount in tests at :759).\n- plan_beads ordering: move validate_slug ahead of fetch_beads_metadata to fail-fast on bad --slug overrides without burning a `br show` subprocess call.\n\nSELF-BOOTSTRAP CAVEAT: this worktree itself was set up with the manual git+echo commands the new xtask replaces. The first real end-to-end use of the new command happens after this PR lands on main, on whatever worktree the next developer creates.","created_at":"2026-05-11T16:49:51Z"}]}
 {"id":"bd-sr73","title":"Re-measure trace size on a fixture that exercises a real engine (jupyter/knitr supporting_files)","description":"bd-5qnj's provisional size budgets (≤100 KB compressed for CI fixtures, ≤1 MB for user-attached bug reports) were measured on markdown-engine fixtures where `engine_capture` is `None`. After merging bd-45yw (replay engine recording), traces from real engine runs additionally carry `engine_capture.result.supporting_files` — for jupyter/knitr documents this can include base64-encoded PNG plots, data-frame snapshots, etc.\n\nInvestigate:\n- Capture a representative jupyter trace from a real notebook (a plot + a small dataset).\n- Measure: total `latest.json.gz` size, `engine_capture.result` share, supporting_files byte share.\n- Decide whether the 100 KB CI-fixture budget still holds, or whether engine_capture needs its own size accommodation (separate file? on-disk gzip-of-gzip is unhelpful for already-compressed PNGs).\n\nReferences:\n- claude-notes/plans/2026-05-03-trace-size-for-replay.md (Phase 3 outstanding follow-up)\n- claude-notes/plans/5qnj-trace-size-investigation/measurements.md (current measurements; markdown engine only)\n- crates/quarto-trace/src/lib.rs::EngineCapture (where supporting_files content lives)","status":"open","priority":2,"issue_type":"task","created_at":"2026-05-03T23:28:59.411296Z","created_by":"cscheid","updated_at":"2026-05-03T23:28:59.411296Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-sr73","depends_on_id":"bd-5qnj","type":"discovered-from","created_at":"2026-05-03T23:28:59.411296Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-swpy","title":"Sidebar/navbar/footer hrefs not relativized to current page in nested directories","description":"Surfaced building examples/websites/03-nested-sidebar (bd-2jwk). resolve_href_for_html in crates/quarto-core/src/transforms/navigation_href.rs returns profile.output_href verbatim, which is project-root-relative. Body links go through resolve_doc_relative_href + ResourceResolverContext::page_url_for, so they get relativized correctly (e.g. inside _site/guide/installation.html the body link to index.qmd renders as 'index.html', not 'guide/index.html'). But sidebar / navbar / page-footer / page-nav hrefs use resolve_href_for_html and skip the resolver, producing absolute-looking project-relative paths like 'guide/index.html' from within a page at depth 1, which a browser resolves as 'guide/guide/index.html'. Reproduces in examples/websites/03-nested-sidebar/_site/guide/installation.html and reference/api.html. Fix plan: claude-notes/plans/2026-04-29-bd-swpy-nav-href-relativization.md (thread ResourceResolverContext through resolve_href_for_html + four Render transforms, route hits through page_url_for matching the body-link path).","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-04-29T14:07:50.403220Z","created_by":"cscheid","updated_at":"2026-04-29T15:10:53.397840Z","closed_at":"2026-04-29T15:10:53.397537Z","close_reason":"Threaded ResourceResolverContext through resolve_href_for_html in commit aa50d29e. All four Render transforms (sidebar, navbar, footer, page-nav) now route hits through page_url_for, mirroring the body-link path. Native renders produce page-relative URLs (deployment-portable); hub-client vfs_root mode produces absolute /{vfs_root}/... URLs (intended). 8081 workspace tests + cargo xtask verify pass. Closes bd-swpy.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-swpy","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-04-29T14:07:50.403220Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-swpy","depends_on_id":"bd-2jwk","type":"discovered-from","created_at":"2026-04-29T14:07:50.403220Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
-{"id":"bd-t3ny","title":"Publish command scaffolding + gh-pages provider","description":"Build the scaffolding for Quarto 2's `publish` command (mirroring Quarto 1's organization in src/publish/) and ship the `gh-pages` endpoint end-to-end. All other providers (quarto-pub, netlify, posit-connect, posit-connect-cloud, confluence, huggingface) and single-document publishing are explicitly deferred.\n\nPlan: claude-notes/plans/2026-05-03-publish-command-and-gh-pages.md\n\nStatus: design draft — pending user review before implementation.","status":"completed","priority":1,"issue_type":"epic","created_at":"2026-05-03T13:47:55.362968Z","created_by":"cscheid","updated_at":"2026-05-03T15:18:38.758969Z","source_repo":".","compaction_level":0,"original_size":0}
+{"id":"bd-t3ny","title":"Publish command scaffolding + gh-pages provider","description":"Build the scaffolding for Quarto 2's `publish` command (mirroring Quarto 1's organization in src/publish/) and ship the `gh-pages` endpoint end-to-end. All other providers (quarto-pub, netlify, posit-connect, posit-connect-cloud, confluence, huggingface) and single-document publishing are explicitly deferred.\n\nPlan: claude-notes/plans/2026-05-03-publish-command-and-gh-pages.md\n\nStatus: design draft — pending user review before implementation.","status":"closed","priority":1,"issue_type":"epic","created_at":"2026-05-03T13:47:55.362968Z","created_by":"cscheid","updated_at":"2026-05-03T15:18:38.758969Z","closed_at":"2026-05-03T15:18:38.758969Z","source_repo":".","compaction_level":0,"original_size":0}
 {"id":"bd-t9zb","title":"Share crossref label formatting between CrossrefRenderTransform and the LSP outline","description":"CrossrefRenderTransform formats labels like 'Figure 1: <caption>' / 'Theorem 1: <title>' (hardcoded English, see crates/quarto-core/src/transforms/crossref_render.rs). The LSP outline walker (crates/quarto-lsp-core/src/analysis.rs::format_crossref_detail) now builds the same strings independently. When localization lands (crossref.fig-prefix, title-delim, etc.) the two call sites must stay consistent. Extract a shared label helper in quarto-core::crossref that both consumers call.","status":"open","priority":3,"issue_type":"task","created_at":"2026-04-17T22:16:35.378079Z","created_by":"cscheid","updated_at":"2026-04-17T22:16:35.378079Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-t9zb","depends_on_id":"bd-ascs","type":"discovered-from","created_at":"2026-04-17T22:16:35.378079Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-tanz","title":"Cargo: upgrade runtimelib v1.6.0 → v2.0.0","description":"Major upgrade surfaced by cargo-upgrade survey 2026-05-04. Current 1.6.0 is range-pinned in workspace; latest is 2.0.0. Type: major. Review changelog and bump deliberately. See claude-notes/plans/2026-05-04-cargo-upgrade-survey.md and bd-hb8h.","status":"closed","priority":3,"issue_type":"chore","created_at":"2026-05-04T18:15:55.020523Z","created_by":"cscheid","updated_at":"2026-05-04T20:30:45.678359Z","closed_at":"2026-05-04T20:30:45.678215Z","close_reason":"merged: b7b843fe","source_repo":".","compaction_level":0,"original_size":0,"labels":["cargo","deps"],"dependencies":[{"issue_id":"bd-tanz","depends_on_id":"bd-hb8h","type":"discovered-from","created_at":"2026-05-04T18:16:05.189033Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-td2a","title":"Footer text-region project-link rewriting (replaces bd-jfyl)","description":"Phase 5's bd-jfyl follow-up was deferred precisely because Phase 6's helper is its natural home: now that resolve_doc_relative_href exists, the footer renderer's text walker can call it for any .qmd hrefs in user-supplied footer text. This is the planned consumer for the helper, surfaced during Phase 6 close-out (bd-v30t). Probably also depends on the same walking infrastructure as the body-link transform.","status":"open","priority":3,"issue_type":"task","created_at":"2026-04-27T13:37:07.174383Z","created_by":"cscheid","updated_at":"2026-04-27T13:37:07.174383Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-td2a","depends_on_id":"bd-0tr6","type":"parent-child","created_at":"2026-04-27T13:37:07.174383Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-td2a","depends_on_id":"bd-jfyl","type":"related","created_at":"2026-04-27T13:37:07.174383Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-td2a","depends_on_id":"bd-v30t","type":"discovered-from","created_at":"2026-04-27T13:37:07.174383Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
@@ -390,6 +403,7 @@
 {"id":"bd-wjpd","title":"Cargo: upgrade tree-sitter-highlight v0.25.10 → v0.26.8","description":"Major upgrade surfaced by cargo-upgrade survey 2026-05-04. Current 0.25.10 is range-pinned in workspace; latest is 0.26.8. Type: pre-1.0 minor (semver-breaking). Review changelog and bump deliberately. See claude-notes/plans/2026-05-04-cargo-upgrade-survey.md and bd-hb8h.","status":"closed","priority":3,"issue_type":"chore","created_at":"2026-05-04T18:15:55.372492Z","created_by":"cscheid","updated_at":"2026-05-04T20:30:44.850328Z","closed_at":"2026-05-04T20:30:44.850181Z","close_reason":"merged: 61b01cd4","source_repo":".","compaction_level":0,"original_size":0,"labels":["cargo","deps"],"dependencies":[{"issue_id":"bd-wjpd","depends_on_id":"bd-hb8h","type":"discovered-from","created_at":"2026-05-04T18:16:05.776730Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-wo59","title":"Per-project capture cache for cross-session reuse","description":"Phase C.7 (bd-kw93.7) shipped the per-doc capture filesystem cache in <data_dir>/captures/ — the same tempdir that gets deleted when q2 preview exits. So closing and re-opening preview against the same project always misses the cache, even though the inputs are bit-for-bit identical.\n\nA per-project cache location (e.g. <project_root>/.q2/captures/, ignored by .gitignore convention) would unlock cross-session reuse. The cache key derivation (sha256 of canonical input_qmd) is already content-addressed and survives across sessions — only the directory choice changes.\n\nSee plan §C.7 'Open follow-up'.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-05-14T17:35:46.618486Z","created_by":"cscheid","updated_at":"2026-05-14T17:35:46.618486Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-wo59","depends_on_id":"bd-kw93.7","type":"discovered-from","created_at":"2026-05-14T17:35:46.618486Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-wv4e","title":"Tree-sitter scanner over-eagerly excludes *, -, +, #, digits from soft-break","description":"The same class of bug as bd-af1e affects 5 more characters. The scanner's line-break handler at scanner.c:2286-2291 and 2371-2376 excludes these from soft-line-break candidates whenever they appear at the start of a continuation line:\n- '*' (could be emphasis, list, thematic break)\n- '-' (could be list, thematic break, setext header)\n- '+' (could be list)\n- '#' (could be ATX header)\n- digits 0-9 (could be ordered list)\n\nBut each of these only opens a block in specific contexts (most need a trailing space, '#' needs space, '*'/'-'/'+' need space for list, '***'/'---' need 3+ for thematic break, digits need '.' or ')' followed by space). A bare 'X' followed by content is just inline text and should soft-break.\n\nVerified pampa vs pandoc divergence on:\n  foo bar\n  *emph* baz                 → pampa splits, pandoc soft-breaks\n  -text more                 → pampa splits, pandoc soft-breaks\n  +text more                 → pampa splits, pandoc soft-breaks\n  #hashtag more              → pampa splits, pandoc soft-breaks\n  123abc more                → pampa splits, pandoc soft-breaks\n\nCorrect exclusions (pampa already matches pandoc for):\n  * list item                → BulletList opens (correct)\n  - list item                → BulletList opens (correct)\n  # heading                  → Header opens (correct)\n  1. item                    → OrderedList opens (correct)\n\nFix approach: same as bd-af1e (peek-count). For each char, peek the trailing context to decide if it actually opens a block:\n- '*', '-': count run; if >=3 with all whitespace/eol after, thematic break (interrupt). If '* ' or '*\\t', list (interrupt). Otherwise inline.\n- '+': only list if followed by whitespace.\n- '#': only ATX if followed by whitespace or eol.\n- digits: only ordered list if followed by '.' or ')' AND space.\n\n':' (fenced div / definition list) was excluded from this issue because its semantics are more entangled with qmd-specific features and pandoc-mode-specific rules — file separately if regression observed.\n\nSibling of bd-af1e. See claude-notes/plans/2026-04-30-tree-sitter-backtick-paragraph-split.md for the bd-af1e implementation pattern.","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-04-30T18:40:17.998897Z","created_by":"cscheid","updated_at":"2026-04-30T18:45:29.625753Z","closed_at":"2026-04-30T18:45:29.625599Z","close_reason":"Re-scoped: see bd-wv4e replacement for asterisks-only fix. The other characters (-, +, #, digits, :) have a backslash-escape workaround (\\-text, \\#hashtag, etc.) so are not severe enough to fix in this pass.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-wv4e","depends_on_id":"bd-af1e","type":"related","created_at":"2026-04-30T18:40:25.341409Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
+{"id":"bd-wzhsf","title":"CVE-prevention: cookie+Bearer dual-credential MUST return 400","description":"Highest-impact item flagged in plan §Phase 2. A request carrying BOTH a session cookie AND an Authorization: Bearer header MUST be rejected with HTTP 400 and body {\"error\":\"conflicting_credentials\"} BEFORE any auth-decision logic runs.\n\nTest name: cookie_and_bearer_returns_400 in crates/quarto-hub/tests/auth_bearer.rs.\n\nThe dual-credential 400 rule must win over CSRF, WS-Origin, and per-credential auth checks (covered by sibling test dual_credential_400_wins_over_csrf_and_origin).\n\nPlan §Phase 2 — Cross-cutting security requirements: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"closed","priority":0,"issue_type":"bug","created_at":"2026-05-20T14:27:46.526825Z","created_by":"shikokuchuo","updated_at":"2026-05-20T21:22:18.258188Z","closed_at":"2026-05-20T21:22:18.258155Z","close_reason":"Dual-credential 400 enforced. cookie_and_bearer_returns_400 (REST), ws_upgrade_rejects_dual_credentials (WS), and dual_credential_400_wins_over_csrf_and_origin all pass. Body shape locked as {\"error\":\"conflicting_credentials\"} in extract_credential and the WS handler; auth_refresh re-runs the same check before CSRF. See plan §Phase 2 — completion notes (2026-05-20).","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-wzhsf","depends_on_id":"bd-0ufq5","type":"parent-child","created_at":"2026-05-20T14:27:46.526825Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-x5r4","title":"Optional-variable syntax: $variable?$ shorthand for $if(variable)$$variable$$endif$","description":"When users see Q-10-2 warnings on a variable they intend to be optional, today they have to wrap each reference in $if(variable)$$variable$$endif$. A short $variable?$ form would be cleaner and let authors silence the warning at the use site.\n\nFeasibility (recorded in bd-xdnk plan §Follow-up):\n- `?` is unused as a sigil in the current grammar.\n- Doesn't collide with any pipe name (`pairs|first|last|rest|allbutlast|uppercase|lowercase|length|reverse|chomp|nowrap|alpha|roman|left|center|right`).\n- Pipes already use `/` as separator (`tree-sitter-doctemplate/grammar/grammar.js:84-86`), so `?` doesn't conflict.\n- Implementation cost: one grammar token, one `bool optional` field on `VariableRef`, one branch in `render_variable` that returns `Doc::Empty` silently when `optional` is set and the lookup fails.\n\nOpen question: should `?` propagate to applied partials (`$var?:partial()$`)? Probably yes — same intent. Not applicable to `$if$` itself.\n\nDiscovered while wiring template diagnostics through quarto render (bd-xdnk). Now that template warnings are user-visible, having a clean opt-out becomes more valuable.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-05-05T16:36:00.814658Z","created_by":"cscheid","updated_at":"2026-05-05T16:36:00.814658Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-x5r4","depends_on_id":"bd-xdnk","type":"discovered-from","created_at":"2026-05-05T16:36:00.814658Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-xbnf","title":"L6 — Dependency-graph integration (listing_content_targets)","description":"Add DocumentProfile.listing_content_targets: Vec<PathBuf> (additive, no version bump). Populate during dep-graph build by expanding host's listing.contents globs against project source paths. New automatic edge source in dependency_graph.rs. Mode B picks up listing hosts when their content files are touched. See claude-notes/plans/2026-05-05-listings-epic.md §L6.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-05-05T19:53:32.423637Z","created_by":"cscheid","updated_at":"2026-05-07T17:50:28.654543Z","closed_at":"2026-05-07T17:50:28.654365Z","close_reason":"L6 implemented and merged on feature/listings as 8b5efb91 (impl ffa4d227). +26 tests over 8621 baseline → 8647. cargo xtask verify all green incl. WASM. End-to-end CLI Mode-B verification in plan.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-xbnf","depends_on_id":"bd-61cd","type":"parent-child","created_at":"2026-05-05T19:53:32.423637Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-xbnf","depends_on_id":"bd-j60g","type":"blocks","created_at":"2026-05-05T19:53:32.423637Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-xbnf","depends_on_id":"bd-n8a4","type":"blocks","created_at":"2026-05-05T19:53:32.423637Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-xdier","title":"q2 preview: per-doc sidebar lands at bottom of page (extra <div> wrapper breaks grid)","description":"Symptom: in docs/ website, q2 render places the per-document YAML sidebar (Quarto 2 / Introduction / Markdown) on the left as expected, but q2 preview renders the same sidebar elements at the bottom of the page (below <main>).\n\nReproduced with /Users/cscheid/rooms/room-1/q2/docs/. Render: nav#quarto-sidebar at x=310 width=250 left of main. Preview: same nav inside <div> wrapper at x=585 width=749 below main.\n\nRoot cause: ts-packages/preview-renderer/src/q2-preview/chromeSlots.tsx:53-56 (SidebarSlot, and sibling NavbarSlot/PageNavSlot/FooterSlot) wrap the injected chrome HTML in <div dangerouslySetInnerHTML=...>. The native template at crates/quarto-core/src/template.rs:185-188 emits $rendered.navigation.sidebar$ as a *direct* child of <div id=\"quarto-content\">, no wrapper. The Quarto theme CSS grid on #quarto-content assigns nav#quarto-sidebar to grid-area 'content-top / page-start / page-bottom / body-start' — but only when nav#quarto-sidebar is a grid child. With the extra wrapper <div>, the wrapper becomes the grid item with default placement 'body-content-start / body-content-end' + 'grid-row: auto', stacking below <main>.\n\nVerified by patching `display: contents` on the wrapper at runtime in the preview iframe — sidebar snapped to correct position (x=310, on left).\n\nExisting test PreviewDocument.integration.test.tsx:252 checks `quartoContent.querySelector('nav#quarto-sidebar')` (descendant), not direct-child relationship — missed the bug.\n\nFix: add `style={{display: 'contents'}}` to the wrapping <div> in SidebarSlot (and apply same fix to sibling slots NavbarSlot, PageNavSlot, FooterSlot for parity — they share the same root cause even if the symptoms are less severe today). Add tests that assert direct-child relationship via `Array.from(parent.children).includes(node)` rather than `parent.querySelector(...)`.","status":"closed","priority":2,"issue_type":"bug","created_at":"2026-05-20T18:31:14.064173Z","created_by":"cscheid","updated_at":"2026-05-20T18:36:14.362832Z","closed_at":"2026-05-20T18:36:14.362650Z","close_reason":"Wrapper <div> in chrome slots now display:contents — sidebar/navbar/footer/page-nav are transparent to parent CSS grid/flex layout, matching native template byte-for-byte. Fix verified via failing-first tests (4 new in PreviewDocument.integration.test.tsx) and end-to-end browser check on docs/: sidebar at x=310 width=250 (left), main at x=585.5 — identical to q2 render. cargo xtask verify: all 12 steps green.","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-xdier","depends_on_id":"bd-kw93","type":"parent-child","created_at":"2026-05-20T18:31:14.064173Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}