CTO UX, sync hardening, iOS companion, CI signing, simplification pass

.ade/cto/identity.yaml

@@ -1,13 +1,6 @@
 name: CTO
-version: 2
-persona: >-
-  You are the CTO for this project inside ADE.
-
-  You are the persistent technical lead who owns architecture, execution
-  quality, engineering continuity, and team direction.
-
-  Use ADE's tools and project context to help the team move forward with clear,
-  concrete decisions.
+version: 3
+persona: Persistent project CTO with strategic personality.
 personality: strategic
 modelPreferences:
   provider: claude
@@ -30,5 +23,6 @@ openclawContextPolicy:
     - system_prompt
 onboardingState:
   completedSteps:
-    - integrations
-updatedAt: 2026-03-16T04:16:18.954Z
+    - identity
+  completedAt: 2026-03-17T20:35:20.336Z
+updatedAt: 2026-03-17T20:35:20.336Z

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/apps/desktop"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+  - package-ecosystem: "npm"
+    directory: "/apps/mcp-server"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5

.github/workflows/ci.yml

@@ -10,39 +10,177 @@ permissions:
   contents: read
 
 jobs:
-  check:
+  # ── Stage 1: Install & cache ──────────────────────────────────────────
+  install:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version: 22
-          cache: npm
-          cache-dependency-path: |
-            apps/desktop/package-lock.json
-            apps/mcp-server/package-lock.json
-            apps/web/package-lock.json
 
-      - name: Install MCP server dependencies
-        run: cd apps/mcp-server && npm ci
+      - name: Restore node_modules cache
+        id: cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
 
-      - name: Install desktop dependencies
-        run: cd apps/desktop && npm ci
+      - name: Install all dependencies (parallel)
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: |
+          cd apps/desktop   && npm ci &
+          cd apps/mcp-server && npm ci &
+          cd apps/web        && npm ci &
+          wait
 
-      - name: Install web dependencies
-        run: cd apps/web && npm ci
+  # ── Stage 2: Parallel checks ──────────────────────────────────────────
+  typecheck-desktop:
+    needs: install
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
+      - run: cd apps/desktop && npm run typecheck
 
-      - name: Typecheck
-        run: cd apps/desktop && npm run typecheck
+  typecheck-mcp:
+    needs: install
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
+      - run: cd apps/mcp-server && npm run typecheck
+
+  lint-desktop:
+    needs: install
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
+      - run: cd apps/desktop && npm run lint
+
+  test-desktop:
+    needs: install
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        shard: [1, 2, 3]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
+      - run: cd apps/desktop && npx vitest run --shard=${{ matrix.shard }}/3
 
-      - name: Test desktop
-        run: cd apps/desktop && npm test
+  test-mcp:
+    needs: install
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
+      - run: cd apps/mcp-server && npm test
 
-      - name: Test MCP server
-        run: cd apps/mcp-server && npm test
+  build:
+    needs: install
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
+      - run: cd apps/desktop && npm run build
+      - run: cd apps/mcp-server && npm run build
+      - run: cd apps/web && npm run build
 
-      - name: Build web
-        run: cd apps/web && npm run build
+  validate-docs:
+    needs: install
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            apps/desktop/node_modules
+            apps/mcp-server/node_modules
+            apps/web/node_modules
+          key: nm-${{ hashFiles('apps/desktop/package-lock.json','apps/mcp-server/package-lock.json','apps/web/package-lock.json') }}
+      - run: node scripts/validate-docs.mjs
 
-      - name: Validate docs
-        run: node scripts/validate-docs.mjs
+  # ── Gate: all jobs must pass ──────────────────────────────────────────
+  ci-pass:
+    if: always()
+    needs:
+      - typecheck-desktop
+      - typecheck-mcp
+      - lint-desktop
+      - test-desktop
+      - test-mcp
+      - build
+      - validate-docs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check all jobs passed
+        run: |
+          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]] ||
+             [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
+            echo "::error::One or more required jobs failed or were cancelled"
+            exit 1
+          fi
+          echo "All CI jobs passed"

.github/workflows/release.yml

@@ -21,8 +21,58 @@ jobs:
           git fetch origin main --depth=1
           git merge-base --is-ancestor "$GITHUB_SHA" origin/main
 
-  release:
+  build-mac-app:
     needs: verify
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: arm64
+            runner: macos-latest
+            app_dir: mac-arm64
+          - arch: x64
+            runner: macos-15-intel
+            app_dir: mac
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: apps/desktop/package-lock.json
+
+      - name: Install desktop dependencies
+        run: cd apps/desktop && npm ci
+
+      - name: Stamp release version
+        env:
+          ADE_RELEASE_TAG: ${{ github.ref_name }}
+        run: cd apps/desktop && npm run version:release
+
+      - name: Build unsigned macOS app bundle
+        run: cd apps/desktop && npm run dist:mac:dir -- --${{ matrix.arch }}
+
+      - name: Archive app bundle
+        run: |
+          APP_PATH="apps/desktop/release/${{ matrix.app_dir }}/ADE.app"
+          ARCHIVE_PATH="apps/desktop/release/ADE-${{ matrix.arch }}.app.zip"
+          test -d "$APP_PATH"
+          ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$ARCHIVE_PATH"
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: mac-app-${{ matrix.arch }}
+          path: apps/desktop/release/ADE-${{ matrix.arch }}.app.zip
+          if-no-files-found: error
+
+  release:
+    needs:
+      - verify
+      - build-mac-app
     runs-on: macos-latest
     concurrency:
       group: release-${{ github.ref_name }}
@@ -36,21 +86,51 @@ jobs:
         with:
           node-version: 22
           cache: npm
-          cache-dependency-path: |
-            apps/desktop/package-lock.json
-            apps/mcp-server/package-lock.json
+          cache-dependency-path: apps/desktop/package-lock.json
 
       - name: Install desktop dependencies
         run: cd apps/desktop && npm ci
 
-      - name: Install MCP server dependencies
-        run: cd apps/mcp-server && npm ci
-
       - name: Stamp release version
         env:
           ADE_RELEASE_TAG: ${{ github.ref_name }}
         run: cd apps/desktop && npm run version:release
 
+      - uses: actions/download-artifact@v4
+        with:
+          name: mac-app-arm64
+          path: apps/desktop/release/_ci/downloads/arm64
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: mac-app-x64
+          path: apps/desktop/release/_ci/downloads/x64
+
+      - name: Expand architecture app bundles
+        run: |
+          rm -rf apps/desktop/release/_ci/arm64 apps/desktop/release/_ci/x64
+          mkdir -p apps/desktop/release/_ci/arm64 apps/desktop/release/_ci/x64
+          ditto -x -k apps/desktop/release/_ci/downloads/arm64/ADE-arm64.app.zip apps/desktop/release/_ci/arm64
+          ditto -x -k apps/desktop/release/_ci/downloads/x64/ADE-x64.app.zip apps/desktop/release/_ci/x64
+
+      - name: Merge universal app bundle
+        run: cd apps/desktop && npm run merge:mac:universal
+
+      - name: Materialize App Store Connect API key
+        env:
+          APPLE_API_KEY_P8: ${{ secrets.APPLE_API_KEY_P8 }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        run: |
+          if [ -z "$APPLE_API_KEY_P8" ] || [ -z "$APPLE_API_KEY_ID" ]; then
+            echo "::error::Missing APPLE_API_KEY_P8 or APPLE_API_KEY_ID GitHub secret."
+            exit 1
+          fi
+
+          KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
+          printf '%s' "$APPLE_API_KEY_P8" > "$KEY_PATH"
+          chmod 600 "$KEY_PATH"
+          echo "APPLE_API_KEY=$KEY_PATH" >> "$GITHUB_ENV"
+
       - name: Create draft GitHub release with generated notes
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -64,4 +144,8 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ELECTRON_CACHE: ${{ runner.temp }}/electron
           ELECTRON_BUILDER_CACHE: ${{ runner.temp }}/electron-builder
-        run: cd apps/desktop && npm run release:mac
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+        run: cd apps/desktop && npm run release:mac:universal

.gitignore

@@ -51,3 +51,4 @@ xcuserdata/
 .pnpm-store/
 /apps/desktop/.ade
 /.playwright-mcp
+/.codex-derived-data