feat(SYMPH-142): extract Token Report v2 design reference JSX components

.env.enc

@@ -0,0 +1,15 @@
+LINEAR_API_KEY=ENC[AES256_GCM,data:vRXUs2ShBKmEyxD9yH09OwgtfJ7puOjSHPStCBnHDRN5ITAdkewg5p2JigOF4z9h,iv:2/NtDU6z33IU9T2N3IPlEjQ81OqsWn33cn8Bv9HNRpM=,tag:0De7RGq8d5yYBLAGpHvxgA==,type:str]
+#ENC[AES256_GCM,data:FwVCNi0RYYsvqQ93h603+VqUTFSH4w==,iv:Ll9h37dJfAseA6oWWa2M84BSr6BNF4vdUvMsNLHgcyo=,tag:5mrtQtkKFk8myXaRgTGKGA==,type:comment]
+SLACK_BOT_TOKEN=ENC[AES256_GCM,data:npHvNX/41Tzp9GzWKZJ/JMSotiZcMw8CpBx9Eoje4LKjWKDsyCV4cTAytdY8miyl7b9eRll5XcoUOhw=,iv:8zHB0uz1Xa8bmk6R0GlfRfA7RGoR2Bce8DrMnh89AFE=,tag:NAMlJrgJrc8cgRKIsU8cMw==,type:str]
+SLACK_APP_TOKEN=ENC[AES256_GCM,data:+xX0KtSwC8Y/iTD1W5HCC8g0o/SWHNnRzJViEtrFZhrQUgt6EdkNo12FBtfIhZWpYyDJzkysdCX62DuPbLd6GvtYjVDIpulUYkF/71ehKM7TgdQYTlMSkLrlzSGxx734PuI=,iv:8d/JCXBm1TJLj83vVyZVf0Ejzlyb2hDRVnhLcKvp66U=,tag:Y7JaH+6joe8LW3dPaFtneA==,type:str]
+#ENC[AES256_GCM,data:wL5ZCt4ipsixSaDkQK9nt62XdhvT+RIUlSulqHT/MGJx6FTtgfSjBLXSN88XXOWQygt6Pm18oA==,iv:SK+mmfjiRt5cq/ZCL8WScpjHLKU0a7yKIpi1nx6D5B8=,tag:0WAl/zsnxK726gbxei8N9Q==,type:comment]
+#ENC[AES256_GCM,data:Lwg+4NujXm5WJDzgLyB8SCg/p2x8zpewQyWk7EewcbRzRcc4JNxsoqHKRyWgx7u4gOgi5sD3iphdw4ZHVGgtgoLoQFi+6MdazOpKsdzoapE8a5Cww+oWeJ8kJ1Y=,iv:2Nk/IBWOPDYXiTYXVBHyNvgAdxeU8DwSJcUx75CYnBQ=,tag:wgNcbkmUNxRYAb4Y4shsmA==,type:comment]
+CHANNEL_PROJECT_MAP=ENC[AES256_GCM,data:nlIWKDmFmZAgwTJJnpOnMiondw4rfoILu1QOTLWtXSvxngL7fEQlvTdxM8FP9SnJiS8eorDbiUm+MWeknu3EVfU0E3kLJvY1AooRB2c3pYHKvLm4KuDK5XOFHhS5TSrZsm0EQWxJ54vSMvKRlA5qD4WSv/OT6dFlgkRm1QkJpCSoDbJMm4Tfmc4NFiueYQ9ftkHkgSZtK2RlGWliz2/rYKX2QlKCb3+h8rJchGbeYk11ob5MThztO66LKJ46KppRk3gG/5asqKof/tRGKepcrMOPQguNRI7OoTYDpstNkOWlbmVuwsBca5aYS6xuTdW2J4LiQNKnFMT6hoxSsZxrHIZ0pQ+kUQgAhfpdKcGEAKG1wOdriLWuz0N+1+Q=,iv:VcnNVyQTocHSPhw/ZG/gzei7xsQWEt5yP6tSEosxHTA=,tag:hvn88f983LBwXwOKG6H0lA==,type:str]
+#ENC[AES256_GCM,data:OvZDECuGRW87fnNR/BQUlC25xe0ol8pBcm3hSIcN54NaK2UVg+v2zyxwseTUDcwxRe1U,iv:nylZjuu3I0LitRMpDpzi7tTwFkvSSWKUoN8P1xqWHRk=,tag:sopVFpFrIaz9S8HOMGFliQ==,type:comment]
+CLAUDE_MODEL=ENC[AES256_GCM,data:hbkZYw==,iv:9yzUxI/bXKLlNTuVTLICdobV8+QZDuntByhetG3QmBw=,tag:ynabmmqv//0tSajcjhcvFw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU3lVRmx5QnBhN29PRGRH\nTXhRd2RrYS91Y2JuelJqN2pXd1NTck9LYWpzCnBlWWlhNGhiTXBGREJkY2FqNUF6\nbDIvZ24xTXhZUEtPbXNNTGQ3RkFHZW8KLS0tIER0azVIalhOOUlqUjhpNzlqOHVE\nOUdiemtsWC90NzlRZUlXblpYSHJ1VEEKYFK5o+QjcTZh8awX7zM1gtiFGOxhENJa\noyrkrO0sbb+wftQ5VnS540JgGfjZ41woig2NR6BpRc0xfDyVm54aKw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age17ud00xq42ckzfpmhxtwz4zy0vc50lsa3jfvulrt5zhe2pd94p9kqy775uc
+sops_lastmodified=2026-03-23T20:36:48Z
+sops_mac=ENC[AES256_GCM,data:vloTsrC6A7AYF/W+7WPRrejfK2oeq0G9zPmAGeAcvndv9eW59SVccL8gwiX7L2cp/1T/X/KLIsfEtO4j7aXOtIn2OFRLCgoXLgSbzVR1zoUQIY4sub8fcgQJBWYfwc4jdLbuaCcr4oKhdioneURNVE6a8L0zH79l7bGEHPPatFk=,iv:f75NhCH/eo9Eag+9rdTthd9KdJr5B0v+HHhf3dXpm74=,tag:b1KKr/7CJjz/MQLgXkI4KA==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.12.2

.env.example

@@ -0,0 +1,11 @@
+# Slack bot credentials
+SLACK_BOT_TOKEN=xoxb-your-bot-token
+SLACK_APP_TOKEN=xapp-your-app-level-token
+
+# Channel ID → project directory mapping (JSON object)
+# Example: {"C0123456789":"/home/user/projects/my-app","C9876543210":"/home/user/projects/other-app"}
+CHANNEL_PROJECT_MAP={}
+
+# Claude Code model identifier (optional, defaults to "sonnet")
+# Valid values: sonnet, opus, haiku
+CLAUDE_MODEL=sonnet

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - main
   pull_request:
+  merge_group:
 
 jobs:
   test:

.github/workflows/post-merge-gate.yml

@@ -0,0 +1,202 @@
+name: Post-Merge Gate
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  gate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.30.2
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        id: lint
+        run: pnpm lint
+
+      - name: Typecheck
+        id: typecheck
+        if: always() && steps.lint.outcome != 'cancelled'
+        run: pnpm typecheck
+
+      - name: Test
+        id: test
+        if: always() && steps.typecheck.outcome != 'cancelled'
+        run: pnpm test
+
+      - name: Build
+        id: build
+        if: always() && steps.test.outcome != 'cancelled'
+        run: pnpm build
+
+      - name: Bump calver version
+        if: success()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Retry loop handles race when concurrent merges push at the same time
+          for ATTEMPT in 1 2 3; do
+            git pull --rebase origin main
+
+            # Read current version after pulling latest
+            CURRENT_VERSION=$(node -p "require('./package.json').version")
+            TODAY=$(date -u +"%Y.%m.%d")
+
+            # Extract date prefix and sequence from current version
+            CURRENT_PREFIX=$(echo "$CURRENT_VERSION" | cut -d. -f1-3)
+            CURRENT_SEQ=$(echo "$CURRENT_VERSION" | cut -d. -f4)
+
+            # Determine next sequence
+            if [ "$CURRENT_PREFIX" = "$TODAY" ]; then
+              NEXT_SEQ=$((CURRENT_SEQ + 1))
+            else
+              NEXT_SEQ=1
+            fi
+
+            NEXT_VERSION="${TODAY}.${NEXT_SEQ}"
+
+            # Update package.json version field directly (avoids npm lockfile side-effects)
+            node -e "
+              const fs = require('fs');
+              const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+              pkg.version = '${NEXT_VERSION}';
+              fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');
+            "
+
+            git add package.json
+            git commit -m "chore: bump calver to ${NEXT_VERSION} [skip ci]"
+
+            if git push; then
+              echo "::notice::Bumped version to ${NEXT_VERSION}"
+              exit 0
+            fi
+
+            echo "::warning::Push failed (attempt ${ATTEMPT}/3), retrying..."
+            git reset --soft HEAD~1
+          done
+
+          echo "::error::Failed to push calver bump after 3 attempts"
+          exit 1
+
+      - name: Create Linear issue on failure
+        if: failure()
+        env:
+          LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
+        run: |
+          COMMIT_SHA="${{ github.sha }}"
+          SHORT_SHA="${COMMIT_SHA:0:7}"
+          RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+
+          # Extract PR number from merge commit message (GitHub format: "Merge pull request #N ..." or squash "... (#N)")
+          PR_NUMBER=$(git log -1 --pretty=%s | grep -oP '#\K[0-9]+' | head -1)
+          PR_INFO=""
+          if [ -n "$PR_NUMBER" ]; then
+            PR_INFO="**PR:** #${PR_NUMBER}"
+          fi
+
+          # Determine which steps failed
+          FAILED_STEPS=""
+          if [ "${{ steps.lint.outcome }}" = "failure" ]; then
+            FAILED_STEPS="${FAILED_STEPS}\n- Lint"
+          fi
+          if [ "${{ steps.typecheck.outcome }}" = "failure" ]; then
+            FAILED_STEPS="${FAILED_STEPS}\n- Typecheck"
+          fi
+          if [ "${{ steps.test.outcome }}" = "failure" ]; then
+            FAILED_STEPS="${FAILED_STEPS}\n- Test"
+          fi
+          if [ "${{ steps.build.outcome }}" = "failure" ]; then
+            FAILED_STEPS="${FAILED_STEPS}\n- Build"
+          fi
+
+          TITLE="pipeline-halt: post-merge gate failure on ${SHORT_SHA}"
+
+          BODY="## Post-Merge Gate Failure\n\n**Commit:** ${COMMIT_SHA}\n${PR_INFO}\n**Run:** ${RUN_URL}\n\n**Failed steps:**${FAILED_STEPS}"
+
+          # Look up SYMPH team ID and pipeline-halt label via Linear API
+          TEAM_QUERY='{ "query": "{ teams(filter: { key: { eq: \"SYMPH\" } }) { nodes { id } } }" }'
+          TEAM_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
+            -H "Content-Type: application/json" \
+            -H "Authorization: ${LINEAR_API_KEY}" \
+            -d "$TEAM_QUERY")
+          TEAM_ID=$(echo "$TEAM_RESPONSE" | jq -r '.data.teams.nodes[0].id')
+
+          if [ -z "$TEAM_ID" ] || [ "$TEAM_ID" = "null" ]; then
+            echo "::error::Failed to look up SYMPH team ID from Linear API"
+            exit 1
+          fi
+
+          # Find or create the pipeline-halt label
+          LABEL_QUERY='{ "query": "{ issueLabels(filter: { name: { eq: \"pipeline-halt\" } }) { nodes { id } } }" }'
+          LABEL_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
+            -H "Content-Type: application/json" \
+            -H "Authorization: ${LINEAR_API_KEY}" \
+            -d "$LABEL_QUERY")
+          LABEL_ID=$(echo "$LABEL_RESPONSE" | jq -r '.data.issueLabels.nodes[0].id')
+
+          LABEL_IDS_PARAM=""
+          if [ -n "$LABEL_ID" ] && [ "$LABEL_ID" != "null" ]; then
+            LABEL_IDS_PARAM=", labelIds: [\"${LABEL_ID}\"]"
+          else
+            # Create the label on the SYMPH team
+            CREATE_LABEL_QUERY=$(cat <<GRAPHQL
+          { "query": "mutation { issueLabelCreate(input: { name: \"pipeline-halt\", color: \"#eb5757\", teamId: \"${TEAM_ID}\" }) { issueLabel { id } success } }" }
+          GRAPHQL
+          )
+            CREATE_LABEL_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
+              -H "Content-Type: application/json" \
+              -H "Authorization: ${LINEAR_API_KEY}" \
+              -d "$CREATE_LABEL_QUERY")
+            NEW_LABEL_ID=$(echo "$CREATE_LABEL_RESPONSE" | jq -r '.data.issueLabelCreate.issueLabel.id')
+            if [ -n "$NEW_LABEL_ID" ] && [ "$NEW_LABEL_ID" != "null" ]; then
+              LABEL_IDS_PARAM=", labelIds: [\"${NEW_LABEL_ID}\"]"
+            fi
+          fi
+
+          # Escape the body for JSON
+          ESCAPED_BODY=$(echo -e "$BODY" | jq -Rs .)
+
+          # Create the issue
+          CREATE_ISSUE_QUERY=$(cat <<GRAPHQL
+          { "query": "mutation { issueCreate(input: { teamId: \"${TEAM_ID}\", title: \"${TITLE}\", description: ${ESCAPED_BODY}${LABEL_IDS_PARAM} }) { issue { id identifier url } success } }" }
+          GRAPHQL
+          )
+
+          ISSUE_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
+            -H "Content-Type: application/json" \
+            -H "Authorization: ${LINEAR_API_KEY}" \
+            -d "$CREATE_ISSUE_QUERY")
+
+          ISSUE_URL=$(echo "$ISSUE_RESPONSE" | jq -r '.data.issueCreate.issue.url')
+          ISSUE_ID=$(echo "$ISSUE_RESPONSE" | jq -r '.data.issueCreate.issue.identifier')
+
+          if [ -z "$ISSUE_URL" ] || [ "$ISSUE_URL" = "null" ]; then
+            echo "::error::Failed to create Linear issue"
+            echo "Response: $ISSUE_RESPONSE"
+            exit 1
+          fi
+
+          echo "::notice::Created Linear issue ${ISSUE_ID}: ${ISSUE_URL}"

.github/workflows/release.yml

@@ -4,13 +4,15 @@ on:
   push:
     tags:
       - "v*"
+  merge_group:
   workflow_dispatch:
 
 permissions:
   contents: write
 
 jobs:
   release:
+    if: false
     runs-on: ubuntu-latest
 
     steps:

.gitignore

@@ -5,3 +5,6 @@ coverage/
 *.tgz
 
 .worktrees/
+.env
+pipeline-config/workflows/workspaces/
+pipeline-config/workspaces/

.sops.yaml

@@ -0,0 +1,3 @@
+creation_rules:
+  - path_regex: \.env(\.enc)?$
+    age: age17ud00xq42ckzfpmhxtwz4zy0vc50lsa3jfvulrt5zhe2pd94p9kqy775uc

CLAUDE.md

@@ -0,0 +1,132 @@
+# Symphony-ts
+
+Autonomous development pipeline orchestrator. Fork of OasAIStudio/symphony-ts, maintained at github.com/mobilyze-llc/symphony-ts. Symphony reads work items from Linear, creates isolated per-issue workspaces, runs coding agents (Claude Code, Codex, Gemini) inside those workspaces, and handles retries, state transitions, and operator observability. It is the scheduling layer in a 4-stage pipeline: investigate, implement, review, merge.
+
+## Project Overview
+
+Symphony-ts is a CLI tool (no dev server). It polls a Linear project board for eligible issues, clones target repos into deterministic workspaces, renders LiquidJS prompt templates with issue context, dispatches agent runs, and manages the full lifecycle including retry/rework with failure classification. WORKFLOW.md files define per-product pipeline configuration. Hook scripts handle workspace setup and git sync.
+
+## Architecture
+
+```
+src/
+├── agent/           # Agent runner abstraction, prompt builder (LiquidJS rendering)
+├── cli/             # CLI entrypoint (main.ts) — parses args, bootstraps orchestrator
+├── codex/           # Codex app-server integration
+├── config/          # WORKFLOW.md parsing, config resolution, defaults, file watcher
+├── domain/          # Core domain model (issues, states, transitions)
+├── errors/          # Error types and failure classification
+├── logging/         # Structured logging
+├── observability/   # Dashboard server (SSE), runtime metrics
+├── orchestrator/    # Core loop, gate handler, runtime host — the main scheduling engine
+├── runners/         # Agent runtime implementations (claude-code, gemini, factory)
+├── shared/          # Shared utilities
+├── tracker/         # Linear API client, GraphQL queries, state normalization
+└── workspace/       # Workspace lifecycle (create, hooks, path safety)
+
+pipeline-config/
+├── hooks/           # Shell scripts: after-create.sh (clone + install), before-run.sh (git sync)
+├── prompts/         # LiquidJS templates: investigate, implement, review, merge, global
+├── templates/       # WORKFLOW and CLAUDE.md templates
+├── workflows/       # Per-product WORKFLOW configs (symphony, jony-agent, hs-*, stickerlabs, household, TOYS)
+└── workspaces/      # Runtime workspace directories (UUID-named, gitignored)
+
+tests/               # Vitest test suite, mirrors src/ structure + fixtures/
+dist/                # Compiled output (generated, not committed)
+```
+
+**Data flow**: WORKFLOW.md (YAML frontmatter + LiquidJS body) -> config resolver -> orchestrator polls Linear -> creates workspace (after-create hook clones repo) -> renders prompt template with issue context -> dispatches agent run -> agent works in isolated workspace -> orchestrator manages state transitions back to Linear.
+
+**Key architectural decisions**:
+- In-memory state only (no BullMQ/Redis) -- designed for 2-3 concurrent workers
+- `strictVariables: true` on LiquidJS -- all template variables must be in render context
+- Orchestrator is deliberately "dumb" -- review intelligence, failure classification, and feedback injection live in the agent layer (prompts + skills), not here
+- `permissionMode: "bypassPermissions"` required for headless agent runs
+
+## Build & Run
+
+```bash
+# Install dependencies
+pnpm install
+
+# Build (compiles TypeScript to dist/)
+pnpm build            # or: npm run build
+
+# Run the pipeline for a specific product
+./run-pipeline.sh <product>
+# Products: symphony, jony-agent, hs-data, hs-ui, hs-mobile, stickerlabs, household
+
+# Run directly (after building)
+node dist/src/cli/main.js <workflow-path> --acknowledge-high-trust-preview
+
+# Type check only
+pnpm typecheck        # or: npx tsc --noEmit
+
+# Lint
+pnpm lint             # Biome check
+
+# Auto-format
+pnpm format           # Biome format
+```
+
+No dev server -- this is a CLI tool. The D40 port table does not apply.
+
+## Conventions
+
+- **Runtime**: Node.js >= 22, pnpm >= 10, TypeScript strict mode, ES2023 target
+- **Module system**: ESM (`"type": "module"`), NodeNext module resolution
+- **Imports**: `import type { ... }` for type-only imports (`verbatimModuleSyntax: true`), `.js` extensions required for NodeNext
+- **Formatting**: Biome -- spaces (not tabs), double quotes, semicolons always, trailing commas
+- **Naming**: kebab-case for file names, PascalCase for types/interfaces, camelCase for functions/variables
+- **Validation**: Zod for config/input validation at I/O boundaries
+- **Templates**: LiquidJS for prompt rendering -- always pass all required variables (strictVariables is on)
+- **Strict TS options**: `noUncheckedIndexedAccess`, `exactOptionalPropertyTypes`, `useUnknownInCatchVariables`, `noImplicitOverride`
+
+## Testing
+
+- **Framework**: Vitest
+- **Run tests**: `pnpm test` (runs all 347 tests once via `node scripts/test.mjs`)
+- **Watch mode**: `pnpm test:watch`
+- **Location**: `tests/` directory, mirrors `src/` structure (e.g., `tests/orchestrator/core.test.ts` covers `src/orchestrator/core.ts`)
+- **Fixtures**: `tests/fixtures/` for shared test data
+- **Coverage**: All new code must have tests. Critical paths (orchestrator, config resolution, tracker) have thorough coverage.
+- **Naming**: Test files named after the module they cover; individual test cases named after observable behavior.
+
+## Pipeline Notes
+
+### Critical: dist/ staleness
+
+**The pipeline runs from compiled `dist/`, NOT source.** If you modify source files but forget to rebuild, your changes will not take effect. `run-pipeline.sh` includes a staleness check that compares `src/` timestamps against `dist/src/cli/main.js`. Use `--auto-build` to rebuild automatically, or `--skip-build-check` to bypass.
+
+### Auto-generated files (never edit directly)
+- `dist/` -- compiled output, regenerated by `pnpm build`
+- `pipeline-config/workspaces/` -- runtime workspace directories (UUID-named)
+- `pnpm-lock.yaml` -- dependency lock file (regenerated by `pnpm install`)
+
+### Required environment variables
+- `LINEAR_API_KEY` -- Linear API token for tracker integration (loaded from `.env` by `run-pipeline.sh`)
+- `REPO_URL` -- target repo URL for workspace cloning (set per-product in `run-pipeline.sh`, or override via env)
+
+### Fragile areas
+- **`active_states` in WORKFLOW configs** must include ALL states set during execution (In Progress, In Review, Blocked, Resume). This bug has been hit 3 times -- missing a state causes silent failures.
+- **LiquidJS `strictVariables: true`** -- any variable referenced in a prompt template that is not passed in the render context will throw. Always verify template variables match the context passed by `prompt-builder.ts`.
+- **`scheduleRetry`** is used for both failures AND continuations -- the max retry limit must only count actual failures, not continuation retries.
+- **Hook scripts** run with `cwd: workspacePath`, NOT the WORKFLOW.md location. Relative paths in hooks resolve against the workspace.
+- **`issue.state`** is a string in LiquidJS context (via `toTemplateIssue`), not an object. Template conditionals must compare against string values.
+- **`stall_timeout_ms`** default (5 min) is too short for Claude Code agents. Set to 900000 (15 min) in WORKFLOW configs.
+- **Linear project slug** is the `slugId` UUID, not the team key.
+
+### Verify commands (must pass before any PR)
+```bash
+pnpm test             # All 347 tests pass
+pnpm build            # Compiles without errors
+pnpm typecheck        # No type errors
+pnpm lint             # Biome passes
+```
+
+### Scope boundaries
+- Do NOT add BullMQ, Redis, or external queue infrastructure -- in-memory state is a deliberate design choice at current scale
+- Do NOT move review intelligence or failure classification into the orchestrator -- these belong in the agent layer (prompts + skills)
+- Do NOT modify hook scripts without testing against actual workspace creation flow
+- Do NOT commit secrets to `.env` in public contexts (current repo is private; audit before making public)
+- Every non-Claude-Code component should be designed for removal when Anthropic ships equivalent features