From 00f3cd4e5f544b56634b8955c057d6b6ad114a8e Mon Sep 17 00:00:00 2001
From: "devin-ai-integration[bot]"
 <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 14:04:01 +0000
Subject: [PATCH 1/2] Add testing skill for Jada Code web UI

Co-authored-by: garzasecure@pm.me <garzasecure@pm.me>
---
 .agents/skills/testing-jada-code-web/SKILL.md | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 .agents/skills/testing-jada-code-web/SKILL.md

diff --git a/.agents/skills/testing-jada-code-web/SKILL.md b/.agents/skills/testing-jada-code-web/SKILL.md
new file mode 100644
index 000000000..e3337f1f2
--- /dev/null
+++ b/.agents/skills/testing-jada-code-web/SKILL.md
@@ -0,0 +1,80 @@
+# Testing Jada Code Web UI
+
+## Overview
+Jada Code's web UI is the full Goose Desktop Electron app ported to run standalone in a browser. The renderer (`ui/desktop/`) is built with Vite using a web-specific config (`vite.web.config.mts`), and all `window.electron.*` IPC calls are replaced by web shims (`src/web-shim.ts`).
+
+## Architecture
+- **Static web app**: Built from `ui/desktop/` with `vite.web.config.mts` → produces `dist/` with HTML/JS/CSS
+- **Backend**: `goosed` REST API server (Rust binary, compiled from `crates/goose-server/`)
+- **Auth**: nginx injects `X-Secret-Key` header on all `/api/*` proxied requests. The web-shim generates a random key per session, but nginx overrides it.
+- **Entry point**: `src/web-entry.ts` → installs shims → imports `renderer.tsx`
+- **Routing**: HashRouter (`#/pair`, `#/settings`, `#/recipes`, etc.)
+
+## Deployed Environment
+- **Web UI**: https://coder.garzaos.online (static files at `/opt/jada-code-web/html/`)
+- **goosed API**: port 3270 on VPS 83.228.213.100 (systemd service `goosed.service`)
+- **nginx config**: `/etc/nginx/sites-enabled/coder.garzaos.online`
+- **Model**: moonshotai/kimi-k2 via OpenRouter
+- **Nextcloud embed**: https://next.garzaos.online/apps/external/5/
+
+## How to Build & Deploy
+```bash
+# On VPS (83.228.213.100)
+cd /opt/jada-code-web/jada-code/ui/desktop
+npm install
+npx vite build --config vite.web.config.mts --outDir /opt/jada-code-web/html
+```
+
+## Key Test Procedures
+
+### 1. Verify app loads
+- Navigate to https://coder.garzaos.online
+- Expect: Sidebar with Home, Chat, Recipes, Skills, Apps, Scheduler, Extensions, Settings
+- Expect: Dashboard heading, session stats, model name in status bar
+- Expect: Toast "Successfully loaded N extensions"
+- Fail if: "Unable to connect to Goose server" error (OnboardingGuard failed)
+
+### 2. Chat E2E
+- Type a simple question (e.g., "What is the capital of France?") and click Send
+- Expect: "goose is working on it..." loading state
+- Expect: Streaming response appears within 30 seconds
+- Expect: Session auto-named in sidebar
+- Fail if: No response or error toast
+
+### 3. Sidebar navigation
+- Click through each sidebar item: Recipes, Skills, Apps, Scheduler, Extensions, Settings
+- Expect: Each view renders with heading and appropriate content/empty state
+- Fail if: Blank white screen (component crash) or JS error dialog
+
+### 4. Settings provider config
+- Navigate to Settings → Models tab
+- Expect: Shows configured model name and provider (e.g., "moonshotai/kimi-k2" / "OpenRouter")
+- Fail if: Infinite loading or empty provider section
+
+### 5. Extensions
+- Navigate to Extensions
+- Expect: Grid of default extensions (all toggled ON) and available extensions
+- Expect: "Add custom extension" and "Browse extensions" buttons
+
+## Key Code Paths
+- `src/web-shim.ts` — All `window.electron.*` replacements
+- `src/renderer.tsx` — Configures API client with `getGoosedHostPort()` and `getSecretKey()`
+- `src/components/onboarding/OnboardingGuard.tsx` — Reads `GOOSE_PROVIDER` from goosed config API
+- `src/sessions.ts` — Session creation via goosed REST API
+- `vite.web.config.mts` — Web-only Vite build config
+
+## Known Behaviors
+- Dashboard heading has a typewriter animation that may briefly show garbled characters mid-transition. This is cosmetic and from the original Goose codebase.
+- The web-shim generates a random `X-Secret-Key` per browser session, but nginx overrides this with the real key — so the client-side key doesn't matter for auth.
+- File system operations (open file dialog, save file, etc.) are stubbed in the web shim and do nothing. This is expected — web browsers can't access the native filesystem.
+- The `goosed` binary must be compiled from source (Rust) since the official Docker image only ships the `goose` CLI with ACP protocol, not the REST API server.
+
+## Devin Secrets Needed
+- `VPS_ROOT_PASSWORD` — SSH access to 83.228.213.100
+- `OPENROUTER_API_KEY` — For LLM API calls via OpenRouter
+
+## Troubleshooting
+- If goosed is not responding, check: `ssh root@83.228.213.100 'systemctl status goosed'`
+- If web UI shows "Unable to connect", verify: `curl -s https://coder.garzaos.online/api/status` should return "ok"
+- If chat doesn't respond, check goosed logs: `ssh root@83.228.213.100 'journalctl -u goosed -n 50'`
+- If extensions fail to load, verify goosed has the correct config: `curl -s -H 'X-Secret-Key: <key>' http://83.228.213.100:3270/config/read -d '{"key":"GOOSE_PROVIDER","is_secret":false}'`

From 7a2c5aed7710897665f51abfe25336436fc16d5c Mon Sep 17 00:00:00 2001
From: "garzasecure@pm.me" <garzasecure@pm.me>
Date: Wed, 15 Apr 2026 14:07:27 +0000
Subject: [PATCH 2/2] fix: remove hardcoded infrastructure details from
 SKILL.md

---
 .agents/skills/testing-jada-code-web/SKILL.md | 28 ++++++++-----------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/.agents/skills/testing-jada-code-web/SKILL.md b/.agents/skills/testing-jada-code-web/SKILL.md
index e3337f1f2..5137de991 100644
--- a/.agents/skills/testing-jada-code-web/SKILL.md
+++ b/.agents/skills/testing-jada-code-web/SKILL.md
@@ -6,29 +6,25 @@ Jada Code's web UI is the full Goose Desktop Electron app ported to run standalo
 ## Architecture
 - **Static web app**: Built from `ui/desktop/` with `vite.web.config.mts` → produces `dist/` with HTML/JS/CSS
 - **Backend**: `goosed` REST API server (Rust binary, compiled from `crates/goose-server/`)
-- **Auth**: nginx injects `X-Secret-Key` header on all `/api/*` proxied requests. The web-shim generates a random key per session, but nginx overrides it.
+- **Auth**: nginx reverse-proxy handles API authentication via header injection. The web-shim generates a per-session key, but nginx overrides it with the server-side secret.
 - **Entry point**: `src/web-entry.ts` → installs shims → imports `renderer.tsx`
 - **Routing**: HashRouter (`#/pair`, `#/settings`, `#/recipes`, etc.)
 
 ## Deployed Environment
-- **Web UI**: https://coder.garzaos.online (static files at `/opt/jada-code-web/html/`)
-- **goosed API**: port 3270 on VPS 83.228.213.100 (systemd service `goosed.service`)
-- **nginx config**: `/etc/nginx/sites-enabled/coder.garzaos.online`
-- **Model**: moonshotai/kimi-k2 via OpenRouter
-- **Nextcloud embed**: https://next.garzaos.online/apps/external/5/
+Infrastructure details (VPS IP, ports, paths, domains) are stored in Devin secrets and org knowledge notes — not committed to the repo. Check `GARZA OS Infrastructure Access Guide` in Devin knowledge for current values.
 
 ## How to Build & Deploy
 ```bash
-# On VPS (83.228.213.100)
-cd /opt/jada-code-web/jada-code/ui/desktop
+# On the VPS (use $VPS_IP from Devin secrets)
+cd <DEPLOY_PATH>/jada-code/ui/desktop
 npm install
-npx vite build --config vite.web.config.mts --outDir /opt/jada-code-web/html
+npx vite build --config vite.web.config.mts --outDir <DEPLOY_PATH>/html
 ```
 
 ## Key Test Procedures
 
 ### 1. Verify app loads
-- Navigate to https://coder.garzaos.online
+- Navigate to the deployed web UI URL
 - Expect: Sidebar with Home, Chat, Recipes, Skills, Apps, Scheduler, Extensions, Settings
 - Expect: Dashboard heading, session stats, model name in status bar
 - Expect: Toast "Successfully loaded N extensions"
@@ -65,16 +61,16 @@ npx vite build --config vite.web.config.mts --outDir /opt/jada-code-web/html
 
 ## Known Behaviors
 - Dashboard heading has a typewriter animation that may briefly show garbled characters mid-transition. This is cosmetic and from the original Goose codebase.
-- The web-shim generates a random `X-Secret-Key` per browser session, but nginx overrides this with the real key — so the client-side key doesn't matter for auth.
+- The web-shim generates a per-session key, but nginx overrides it — so the client-side key is irrelevant for authentication.
 - File system operations (open file dialog, save file, etc.) are stubbed in the web shim and do nothing. This is expected — web browsers can't access the native filesystem.
 - The `goosed` binary must be compiled from source (Rust) since the official Docker image only ships the `goose` CLI with ACP protocol, not the REST API server.
 
 ## Devin Secrets Needed
-- `VPS_ROOT_PASSWORD` — SSH access to 83.228.213.100
+- `VPS_ROOT_PASSWORD` — SSH access to the deployment server
 - `OPENROUTER_API_KEY` — For LLM API calls via OpenRouter
 
 ## Troubleshooting
-- If goosed is not responding, check: `ssh root@83.228.213.100 'systemctl status goosed'`
-- If web UI shows "Unable to connect", verify: `curl -s https://coder.garzaos.online/api/status` should return "ok"
-- If chat doesn't respond, check goosed logs: `ssh root@83.228.213.100 'journalctl -u goosed -n 50'`
-- If extensions fail to load, verify goosed has the correct config: `curl -s -H 'X-Secret-Key: <key>' http://83.228.213.100:3270/config/read -d '{"key":"GOOSE_PROVIDER","is_secret":false}'`
+- If goosed is not responding: SSH to VPS and check `systemctl status goosed`
+- If web UI shows "Unable to connect": verify the `/api/status` endpoint returns "ok"
+- If chat doesn't respond: check goosed logs via `journalctl -u goosed -n 50`
+- If extensions fail to load: verify goosed has the correct provider config via the config read API endpoint