quarto-dev · shikokuchuo · May 22, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/.beads/issues.jsonl b/.beads/issues.jsonl
@@ -176,7 +176,7 @@
 {"id":"bd-cpzp","title":"qmd writer: implicit-figure path drops trailing newline, collapses next block (issue #180)","description":"Triage doc: claude-notes/issue-reports/180/triage.md on branch issue-180.\n\nRoot cause: write_figure (crates/pampa/src/writers/qmd.rs:759) implicit-figure branch returns directly from write_image without emitting the trailing \\n that every block writer is expected to produce. When such a Figure is followed by another block (top-level or inside a Div), the inter-block separator collapses to a single \\n instead of a blank line, and the re-parser glues the two blocks into one Para. Affects every layout/subfigure div in the docs corpus.\n\nReports covered (both same root cause):\n- Bug A: top-level Figure followed by Para -> one Para after round-trip\n- Bug B: Div with multiple Figure children + caption -> one Para inside the Div after round-trip\n\nFix (TDD-first per crates/pampa/CLAUDE.md):\n1. Add failing roundtrip tests under tests/roundtrip_tests/qmd-json-qmd/\n   - figure_implicit_then_para.qmd\n   - layout_div_subfigures.qmd\n   - figure_implicit_then_figure.qmd (extra coverage)\n2. Verify they fail.\n3. Fix write_figure: replace 'return write_image(...)' with 'write_image(...)?; writeln!(buf)?; Ok(())'.\n4. Verify tests pass.\n5. cargo nextest run --workspace to catch downstream snapshot updates.\n\nNot a duplicate of bd-emr4 — that is about non-implicit Figure shapes hitting the fallback fenced-div path. This bug is in the implicit-figure code path; different code, different fix.","status":"open","priority":2,"issue_type":"bug","created_at":"2026-05-12T18:39:12.847875Z","created_by":"cscheid","updated_at":"2026-05-12T18:39:15.853892Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cpzp","depends_on_id":"bd-emr4","type":"related","created_at":"2026-05-12T18:39:15.853594Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-cqkts","title":"Phase 7 — hub-mcp MCP-tool exposure (authenticate_start / authenticate_finish)","description":"New module ts-packages/quarto-hub-mcp/src/auth/auth-tools.ts. Exposes two tools: authenticate_start (returns verification_uri, canonical_url, user_code, expires_in_seconds) and authenticate_finish (one poll per call, returns pending/slow_down/success/typed-error).\n\nCanonical URL https://www.google.com/device is a hard-coded module constant — never copied from Google's response. Sibling bug bd-XXXX tracks the canonical-URL-constant test specifically.\n\nRFC 8628 §3.5 rate-limiting: nextPollAllowedAt cached state, bumped 5 s per slow_down. Short-circuit on already-authenticated and lastObservedAuthMode === 'no-auth'.\n\nRegistered before registerTools so read/write tools can name authenticate_start in their error text.\n\nPlan §Phase 7: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:19.527539Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:19.527539Z","source_repo":"kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cqkts","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:19.527539Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-creo","title":"quarto render: fail strictly on Pass-1 failures (CI-friendly contract)","description":"Sibling of bd-rqba. Once Pass-1 failures are wired through as a dedicated pass1_failures field on the render summary surfaces (D1 in plan), give 'quarto render' a strict policy: any pass1_failures entry causes a non-zero exit. Remove the current string-matching of 'profile-pass skipped …' warning text in favor of the structured field.\n\nRationale: 'quarto render' is often used in headless CI; partial-progress leniency belongs to 'quarto preview' / hub-client, not render. The engine stays policy-free; consumers choose strict (render) vs lenient (preview).\n\nAlso: document the strict-vs-lenient contract in claude-notes/designs/document-profile-contract.md so future consumers (e.g., the planned hub-client-based 'quarto preview' binary) inherit it.\n\nPlan: claude-notes/plans/2026-05-01-hub-client-website-render-ux.md (Decision D1).","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-01T14:16:43.115104Z","created_by":"cscheid","updated_at":"2026-05-01T14:16:43.115104Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-creo","depends_on_id":"bd-lk66","type":"parent-child","created_at":"2026-05-01T14:16:43.115104Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-creo","depends_on_id":"bd-rqba","type":"related","created_at":"2026-05-01T14:16:43.115104Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
-{"id":"bd-cxara","title":"Phase 9 — end-to-end verification","description":"CRITICAL per CLAUDE.md: tests passing alone is insufficient. Phase 9 runs the full verification matrix and records exact invocations + observed output in the plan's Verification log.\n\nCoverage: full cargo xtask verify; SPA cookie-path regression; clean-machine device-flow E2E (with per-platform credential-store inspection); no-auth-hub regression + explicit-authenticate short-circuit + observation-requirement check; allowlist parity for cookie 403 and bearer 403 (byte-identical detail); insecure-bearer dev-mode interaction (loopback + non-loopback with/without env flag); force-refresh; force-reauth; dual-credential CVE + WS-upgrade-with-no-Origin sanity check; audit-log spot-check; plaintext-leak grep.\n\nPlan §Phase 9: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"open","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:31.218633Z","created_by":"shikokuchuo","updated_at":"2026-05-20T14:27:31.218633Z","source_repo":"kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cxara","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:31.218633Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
+{"id":"bd-cxara","title":"Phase 9 — end-to-end verification","description":"CRITICAL per CLAUDE.md: tests passing alone is insufficient. Phase 9 runs the full verification matrix and records exact invocations + observed output in the plan's Verification log.\n\nCoverage: full cargo xtask verify; SPA cookie-path regression; clean-machine device-flow E2E (with per-platform credential-store inspection); no-auth-hub regression + explicit-authenticate short-circuit + observation-requirement check; allowlist parity for cookie 403 and bearer 403 (byte-identical detail); insecure-bearer dev-mode interaction (loopback + non-loopback with/without env flag); force-refresh; force-reauth; dual-credential CVE + WS-upgrade-with-no-Origin sanity check; audit-log spot-check; plaintext-leak grep.\n\nPlan §Phase 9: claude-notes/plans/2026-05-05-hub-mcp-device-flow-implementation.md","status":"in_progress","priority":1,"issue_type":"task","created_at":"2026-05-20T14:27:31.218633Z","created_by":"shikokuchuo","updated_at":"2026-05-21T16:58:00.348922Z","source_repo":"kyoto","source_repo_path":"/Users/shikokuchuo/r/kyoto","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-cxara","depends_on_id":"bd-cmp48","type":"parent-child","created_at":"2026-05-20T14:27:31.218633Z","created_by":"shikokuchuo","metadata":"{}","thread_id":""}]}
 {"id":"bd-d8fo","title":"q2-preview chrome: replace HTML injection with React components","description":"Phase F (q2-preview website chrome) ships Strategy A: include the *-render transforms (navbar-render, sidebar-render, page-nav-render, footer-render, toc-render) in the q2-preview pipeline so meta.rendered.navigation.* is populated with Bootstrap HTML; the React PreviewDocument injects via dangerouslySetInnerHTML.\n\nThis is the pragmatic first cut — shippable in days, byte-identical to q2 render. The tradeoff is DOM stability inside the chrome: open dropdowns, sidebar collapse state, scroll position inside the sidebar, etc., are blown away every time the chrome re-renders. In practice the chrome only re-renders on _quarto.yml edits, page switches, or sidebar reorderings — uncommon during normal authoring — so the cost is bounded.\n\nThis follow-up tracks the proper Strategy B: replace the HTML-injection path with React components that render from the structured meta.navigation.* (the ConfigValue form populated by the *-generate transforms before *-render runs). Each component mirrors the Bootstrap HTML the corresponding render transform emits.\n\nWhat this unlocks:\n- Stateful chrome (open Bootstrap dropdowns, collapsed sidebar sections, scroll position inside the sidebar) survives chrome re-renders.\n- React owns the click handlers natively rather than going through iframePostProcessor's after-the-fact .qmd-link rewriting.\n- The drift risk between server HTML emission and React component output goes away (the React components ARE the renderer; q2-render's HTML stays the source of truth for non-preview pipelines).\n\nScope:\n- Mirror Navbar / Sidebar / PageNav / Footer / Toc / Breadcrumbs from the Bootstrap HTML the *-render transforms emit today.\n- TypeScript types matching the structured ConfigValue shape each *-generate transform writes.\n- Remove the corresponding entries from Q2_PREVIEW_TRANSFORM_EXCLUDED in pipeline.rs — those transforms become unused in the preview pipeline, so the *-render Rust modules either stay (for q2 render) or get factored to a shared HTML emitter consumed only by the q2 render pipeline.\n- Snapshot tests asserting the React components emit markup matching the *-render Rust HTML output.\n\nFiled during Phase F planning (2026-05-14). Parent edge to the F epic to be added once F itself is filed.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-05-14T20:36:07.754117Z","created_by":"cscheid","updated_at":"2026-05-14T20:52:21.580312Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-d8fo","depends_on_id":"bd-kw93.15","type":"discovered-from","created_at":"2026-05-14T20:52:21.579976Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-d8go","title":"L9 follow-up: date_format doctemplate pipe","description":"Originally specified as part of L9's L4 enhancements; deferred at impl-start because L9's RFC 822 pubDate is computed server-side in feed/binding.rs (no template-level need). Adding the pipe later requires a tree-sitter grammar change in crates/tree-sitter-doctemplate/grammar/grammar.js (the pipe set is grammar-fixed; the existing date_format must be a custom rule like pipe_left/pipe_center/pipe_right because it takes an argument), plus a match arm in crates/quarto-doctemplate/src/pipes.rs. Useful for L8's existing custom-template authors who want to format dates in the host page.","status":"open","priority":3,"issue_type":"feature","created_at":"2026-05-08T17:33:55.509676Z","created_by":"cscheid","updated_at":"2026-05-08T17:33:55.509676Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-d8go","depends_on_id":"bd-o90m","type":"discovered-from","created_at":"2026-05-08T17:33:55.509676Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}
 {"id":"bd-dhtw","title":"Phase 1: gh-pages provider end-to-end","description":"Phase 1 of bd-t3ny. Implement the gh-pages provider end-to-end on top of the Phase 0 scaffolding: common::git wrappers, common::github context discovery, _publish.yml reader, GhPagesProvider (prepare/commit/verify with .nojekyll poll), --dry-run cleanup with no residue, mkdocs-style summary, and an end-to-end test against a bare local remote (dry-run + real-run + json-run).\n\nPlan: claude-notes/plans/2026-05-03-publish-command-and-gh-pages.md (Phase 1 section)\n\nBlocked on Phase 0 (bd-068k).","status":"completed","priority":1,"issue_type":"task","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","updated_at":"2026-05-03T15:18:38.648426Z","source_repo":".","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-dhtw","depends_on_id":"bd-068k","type":"blocks","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","metadata":"{}","thread_id":""},{"issue_id":"bd-dhtw","depends_on_id":"bd-t3ny","type":"parent-child","created_at":"2026-05-03T14:37:39.274734Z","created_by":"cscheid","metadata":"{}","thread_id":""}]}

diff --git a/.mcp.json b/.mcp.json
@@ -6,7 +6,7 @@
       "args": [
         "ts-packages/quarto-hub-mcp/dist/index.js",
         "--server",
-        "wss://sync.automerge.org"
+        "wss://quarto-hub.com/ws"
       ]
     }
   }

diff --git a/Cargo.lock b/Cargo.lock