Morphee — Progress & Next Steps

Last Updated: February 22, 2026 (V1.5 gaps closed — ready for tagging)

See also:

V1.0 Deployment Tasklist for the release checklist
📊 Audits Dashboard for real-time code quality metrics and audit status
Audit Metrics JSON for programmatic access to findings data (run python audits/aggregate-metrics.py to generate)

Unified Paradigm: Knowledge Pipeline + Runtime Hierarchy

IMPORTANT: The roadmap uses version-driven layers (not numbered phases). The architecture is unified by two core concepts:

Knowledge Pipeline

Every piece of knowledge in Morphee flows through a lifecycle: USE → EXTRACT → COMPILE → SHARE → INSTALL → USE. A Space (family recipes, classroom curriculum, team runbook) can be extracted, PII-stripped, compiled into an installable Integration, shared via the marketplace, and installed into another Space. Knowledge flows up the compilation chain as it matures.

Runtime Hierarchy (BaseMorphRuntime)

All execution goes through a unified BaseMorphRuntime contract. The VectorRouter tries the cheapest option first:

Level	Runtime	What runs	Cost
—	VectorRouter	Direct memory recall (0.92 threshold)	Free
0	LLMRuntime	Raw reasoning, creative tasks	$$$ (last resort)
1	PythonRuntime	Structured skills, orchestration	$
2	JSRuntime	Canvas components, interactive UI	$
3	WasmRuntime	Compiled extensions (JIRA, GitHub, Notion)	¢

Version layers:

V0.9 — Product Completeness ✅ SHIPPED
V1.0 — OpenMorph Revolution + Offline-First Data ✅ SHIPPED (git-native .morph/ directories, Knowledge Pipeline foundation)
V1.2 — Extension Ecosystem ✅ SHIPPED (WasmRuntime, wasmer 5.0, marketplace, professional integrations as WASM)
V1.3 — Multimodal Interaction ✅ SHIPPED (multi-modal identity for kids, video, gesture, interactive UI)
V1.5 — Local AI ✅ SHIPPED (LLMRuntime local: candle/GGUF, voice channel, TTS/STT)
V2.0 — Production Platform (monitoring, channels, browser extension)
V2.5+ — Future/Optional (self-aware AI, crypto marketplace)

See ROADMAP.md for full details and architecture.md for the Runtime Hierarchy.

Remaining Before V2.0

Everything through V1.5 is shipped. The following items remain before V2.0:

Deferred V1.3 hardening — ✅ DONE (Feb 22, 2026):

Liveness detection (face + voice) — multi-frame pixel variance, spectral flatness, pitch variance, challenge state machine
Biometric template rotation — 180-day expiry, 7-day grace period, prev-template fallback, re-enroll endpoint + dialog
Voice-only accessibility mode — VoiceOnlyMode.tsx, speech recognition, TTS, voice command parser (en/fr)
Video frame extraction hardening — timeout, partial frames, onProgress callback, browser compat check
Gesture → chat action polish — 3 new actions (read_last, new_conversation, toggle_chat), confidence bar, retry hint
Cargo build verification — --features local-llm,audio,biometrics passes (candle 0.9 API fixes)
E2E scenarios — inline-edit-card, drag-list-items, drag-kanban-cards + data-testid attributes
CI — combined-feature cargo check step in rust-tests.yml

V0.9 tech debt (~1-2 weeks):

38 code quality audit items (code audit clean as of Feb 21)
Branding/logo (M-DESIGN-003)

V1.5 gaps — ✅ CLOSED (Feb 22, 2026):

Whisper language selection — language param in transcribe IPC, auto-detect fallback
Apple Accelerate framework — candle-core/accelerate feature enabled for BLAS/vDSP on Apple Silicon
Download cancellation — llm_cancel_download IPC command, AtomicBool flag, partial cleanup
Docs audit (M-XREF-001, L-STD-001) — 25+ broken links fixed in audits/ and docs/
i18n Rust errors (L-RUST-001) — 19 structured error codes (E_LLM_*, E_AUD_*, E_BIO_*, E_VAULT_*, E_DL_*), EN+FR locales

Mobile shipping (~1-2 weeks):

Physical device testing (iOS + Android)
App Store + Google Play submission

SSO Tier 2 (~1 week):

GitHub, Discord, Slack SSO providers

Total: ~5-7 weeks to V2.0-ready state

✅ Completed: Layer 2 — Product Completeness (V0.9 RC)

Status: Release Candidate — February 19, 2026 Goal: Complete remaining UX polish items and audit fixes to reach production-ready state.

✅ Completed:

Complete Phase 3e.4 final item: M-DESIGN-003 — Branding + logo (deferred to post-V0.9)
Complete audit fixes: 252/274 items fixed (92.0%)
- Legal: 98.0% complete (1 code item fixed: multi-group DSAR)
- Security: 95.7% complete (5 items fixed: SSRF, rate limits, PII exposure, security headers, OAuth allowlist)
- Accessibility: 96.6% complete (WCAG 2.1 AA - 2 items fixed: contrast ratios, Select aria-describedby)
- Product: Deferred professional integrations to V1.2 WASM Extensions
- Code Quality: 38 items remaining (accepted as technical debt for V1.0)
- Documentation: 9 items remaining (will refresh with V1.0)
- i18n: 12 items remaining (V1.0 with full locale support)
- Performance: 7 Low items (measured, acceptable for V0.9)
Phase 3j — Settings as Integration: Conversational settings via AI chat (Feb 18)
Tagged V0.9.0-rc.1 — Release Candidate

Highlights:

5,258 total tests passing (2,014 backend + 165 Rust + 3,016 frontend unit + 63 E2E)
84% backend coverage, 75% frontend statement coverage
WCAG 2.1 AA compliance (96.6%)
GDPR-compliant (98.5%)
Production-ready security posture (95.7%)

See V1.0 Deployment Tasklist for V1.0 release tracking.

✅ Completed: Vector-First Architecture (February 20, 2026)

Status: Implemented — active on all chat messages Goal: Use the vector database as the primary routing layer before every LLM call. Save 50–65% of Claude API calls for typical usage.

What Was Built

backend/chat/vector_router.py — VectorRouter with three route types:
- DIRECT_MEMORY (similarity ≥ 0.92) — return stored fact/preference, zero LLM calls
- SKILL_EXECUTE (similarity ≥ 0.88, no required params) — run skill directly, zero LLM calls
- SKILL_HINT (similarity ≥ 0.83) — guide LLM to correct skill, saves tool-selection round-trip
VectorStore.store_if_novel() — deduplication before memory insert (threshold 0.95)
VectorStore.delete_by_content() — cleanup for skill index entries
Skill vectorization in SkillService:
- _index_skill() — embed name + description → skill_index memory entry on create
- _deindex_skill() — remove entry on update/delete
- reindex_all_skills() — rebuilds full index at startup
ConversationSummarizer updated — uses store_if_novel() everywhere
_stream_orchestrator_response wired — VectorRouter runs in parallel with RAG + user context fetch
_execute_skill_stream — direct skill execution helper (no orchestrator)
Skill vector reindex at startup in main.py

Pending (future phases)

Canvas component indexing (after canvas-first redesign)
Navigation intent indexing (after Space routing redesign, V1.0)
LanceDB equivalents (desktop offline path, V1.5)

✅ Completed: Layer 3 — OpenMorph + Canvas-First + Offline-First (V1.0)

Timeline: ~8 weeks → DONE Status: Complete — tagged v1.0.0 February 21, 2026 Breaking Change: All existing Spaces migrate to .morph/ format (migration script: scripts/migrate_v09_to_v10.py)

Key insight (Feb 20, 2026): Offline-first data and sync move from V1.5 → V1.0. OpenMorph's git-native architecture is the offline sync engine — no separate work. What stays in V1.5 is local LLM inference (candle/GGUF). Web client remains cloud-dependent by design (no Tauri layer for git/LanceDB/GGUF).

V1.0 Work Stream A: Canvas-First UX Redesign

Vision: Morphee is not a chat app with cards. It's a spatial canvas that fills up as you talk. The chat thread is just one integration — accessible but not the default view.

Key decisions (locked Feb 20, 2026):

Spatial free-form canvas — components draggable and repositionable by user
Persistent across sessions — AI can archive components to memory, but they stay by default
Space-scoped — each Space has its own canvas (canvas.yaml in V1.0 .morph/)
AI controls: place_component(position_hint), update_component, dismiss_component → archive to memory, minimize_component
Chat panel: collapsible right-side drawer; last AI message previewed above input

Why it cross-features with OpenMorph: Canvas state lives in .morph/canvas.yaml — it's Git-native, portable, time-navigable. "Show me my canvas from last week" just works.

Phase A — Layout swap ✅ DONE (Feb 20, 2026)

New Canvas.tsx replaces Chat.tsx as the primary route at /, /chat preserved
Chat conversation thread → collapsible right Sheet drawer (💬 button + LastMessagePreview click)
LastMessagePreview strip — last AI message above input, click to open thread
Canvas renders CanvasCard components with absolute % positioning and auto-layout 3-column grid
Floating input bar at bottom (attach, voice, send, stop streaming)
Bonus (Phase B/C work done early): Drag to reposition cards (mousedown/move/up on header)
Bonus: Minimize/close per card (toggle header button)
Bonus: canvasPositions + minimizedComponents persisted to localStorage via Zustand persist
componentStore updated — setCanvasPosition, toggleMinimize, persist middleware, auto-layout

Phase B — AI spatial placement (Week 2) ✅ DONE (Feb 20, 2026)

ComponentSpec gets backend canvas field: CanvasPosition(x, y) + CanvasPosition in frontend types
Position hint mapping: 10 named slots (top-left → bottom-right + full-width) → x/y % matching GRID_SLOTS
FrontendIntegration extended: _POSITION_HINT_PARAM on all 8 render actions, _resolve_canvas(), _spec_result() propagates _canvas
System prompt updated: canvas placement section with position_hint instructions
componentStore.renderComponent uses spec.canvas (AI hint) over auto-grid (user drag still highest priority)
Canvas component indexing in VectorRouter (canvas_component memory_type) — deferred to Phase C

Phase C — Canvas persistence (Week 3) ✅ DONE (Feb 20, 2026)

dismiss(component_id, title, summary) — archives content to canvas_component memory via _archive_dismissed_component() if context has group_id
VectorRouter canvas_component memory_type — added to _check_memory parallel search (same 0.92 threshold); dismissed cards answerable without LLM
System prompt updated — AI instructed to provide title+summary when dismissing info cards; omit for progress bars
Canvas empty state improved — dashed card wireframe illustration + two-line hint text, EN+FR i18n keys
canvas.yaml serialization → deferred to V1.1 by design (component UUIDs are ephemeral per AI render; named persistent canvas objects are a V1.1 concept)

V1.0 Work Stream B: OpenMorph Revolution

Original design doc: features/archive/2026-02-16-git-native-spaces-openmorph.md Canonical spec: features/OPENMORPH_SPECIFICATION.md ✅ locked Feb 20, 2026

Phase 0 — OpenMorph Specification ✅ DONE (Feb 20, 2026)

docs/features/OPENMORPH_SPECIFICATION.md — canonical .morph/ schema (880 lines)
All 9 file schemas defined: config.yaml, acl.yaml, canvas.yaml, task Markdown, skill YAML, schedule YAML, conversations, memory, vault/
Updated spec: core.* naming for built-ins, reverse-domain for third-party, manifest.yaml required per integration directory
V1.0 PostgreSQL Schema Reset — 26 incremental migrations consolidated into single clean supabase/migrations/20260220000000_v1_0_schema.sql. Old migrations archived to supabase/migrations/archive/. Removed unused tables (conversation_summaries, git_commit_metadata, git_commit_embeddings). Added spaces.morph_path + spaces.migrated_at for OpenMorph bootstrap. Updated memory_vectors.memory_type CHECK to include skill_index and canvas_component. Created supabase/reset.sql dev helper.

Phase 1 — Generic .morph/ Protocol + Dual-Write (Feb 20, 2026) ✅ DONE

Key architectural decision (Feb 20): The .morph/ directory is modeled after Android app storage. Each integration owns a sandboxed subdirectory. Morphee.ai is the namespace authority (like IANA). Two-way communication: integrations can emit and subscribe to events AND read/write their .morph/ directory.

GitStore generic entity API — save_entity, load_entity, delete_entity, list_entities (path-based, any integration uses these)
BaseInterface .morph/ protocol — morph_directory, morph_root_access, morph_capabilities, morph_write/read/list/delete, get_manifest()
- morph_write() auto-bootstraps manifest.yaml on first write to a directory
- capabilities declared now (enforced in V1.2 WASM sandbox)
All 11 integrations declare morph_directory + morph_capabilities:
- Built-ins: core.tasks, core.skills, core.memory, core.scheduler, core.canvas, core.filesystem, core.notifications
- Third-party: com.google.calendar, com.google.gmail, com.slack, net.atlassian.jira
TaskService dual-writes to core.tasks/task-{id}.md (YAML frontmatter + linked: graph field)
SkillService dual-writes to core.skills/{slug}.yaml
Serialization owned by each service layer (GitStore is pure I/O)
24 tests: generic entity API + TaskService serialization roundtrips

Week 2 — Schedules + Config + ACL → Git ✅ DONE (Feb 20, 2026)

CronIntegration dual-writes to core.scheduler/{slug}.yaml on create/cancel (morph_write/morph_delete)
SpacesIntegration event-driven bootstrap: config.yaml + canvas.yaml + acl.yaml written on space.created
config.yaml updated on space.updated (canvas + acl preserved)
SpaceService._space_to_config_yaml(), _canvas_yaml(), _acl_yaml() serialization helpers
ScheduleService._schedule_to_yaml() + _name_to_slug() serialization helpers

Week 3 — Conversations → Git ✅ DONE (Feb 20, 2026)

ConversationIntegration mirrors conversation lifecycle to core.conversations/conv-{id}.md
Subscribed to conversation.created / conversation.updated / conversation.deleted events
ChatService emits all three conversation events (verified wired)
ConversationIntegration registered in main.py at startup
PostgreSQL conversations + messages → write-through read cache — implemented via event-driven dual-write (ChatService → EventBus → ConversationIntegration → GitStore). PostgreSQL remains source-of-truth with Git as read cache.
Full migration script — scripts/migrate_v09_to_v10.py (372 lines, dry-run mode, idempotent)
canvas.yaml serialization — deferred to V1.1 by design (§3.3: ephemeral cards stay in localStorage for V1.0; persistent named canvas objects are a V1.1 concept)

Phase 2 — Discovery + Sync (Weeks 4–5)

Tauri: morph_discover command (scan filesystem for .morph/ directories)
Tauri: morph_init command (turn any directory into a Morph Space)
Three sync modes: local-only / morphee-hosted / git-remote
Backend: MorphDiscoveryService + register/sync endpoints
Frontend: SpaceDiscovery page, MorphInitDialog
Sync status indicator per Space in sidebar

Phase 3 — Timeline UI + Polish (Week 6)

TimelineRenderer component (visual git log)
MemoryTimeline page — browse any Space state at any point in time
Branch selector dropdown in Space header
"Create experimental branch" → AI creates git branch
Conflict resolution dialog (AI-mediated merge)
Navigation intent indexing in VectorRouter (nav_index memory_type)

V1.0 Work Stream C: Offline-First Data + Sync (Tauri)

Parallel with OpenMorph Phase 2 (Weeks 4–5) — The sync engine IS OpenMorph V1.0 Phase 3. Work Stream C adds the action queue and UX around disconnection.

Web note: The web client (app.morphee.app) has no Tauri layer. Offline for web = Service Worker + IndexedDB cache (already shipped as M-FEAT-010). No git, no LanceDB, no local LLM on web — this is by design.

✅ ActionQueue — JSON-file-backed queue in Tauri for pending offline writes (send_message, create_task, etc.) — action_queue.rs, 8 tests
✅ Tauri queue_action / drain_queue / get_queue_status / remove_queued_action / clear_queue IPC commands — commands/queue_commands.rs (+5 commands, total 30 IPC)
✅ Network status detector — browser online/offline events + Tauri queue polling — useNetworkStatus hook
✅ networkStore (Zustand) — isOnline, pendingActionsCount reactive state
✅ Offline indicator — OfflineBadge component in Header: "No internet" / "Working offline" + pending count badge
✅ tauriQueue TypeScript wrappers in lib/tauri.ts
JWT grace period extension — 72-hour offline grace period; session persisted to vault; restored on startup
E2E offline tests — 3 scenarios: offline-indicator, offline-graceful-degradation, offline-queue-and-sync; NetworkAction added to controller

What's already done (no new work needed):

✅ Data in .morph/ git repos — offline reads are free (OpenMorph)
✅ Auth cached in OS keychain (keyring crate, done in Phase 2b)
✅ Canvas in localStorage (done Canvas Phase A)
✅ Sync on reconnect via git push/pull (OpenMorph V1.0 Phase 3)

V1.0 Cross-Feature Opportunities

Feature A	×	Feature B	= Combined Capability
Canvas in `.morph/canvas.yaml`	×	Temporal navigation	"Show me my canvas from last week"
Tasks in Git	×	Canvas components	Task cards on canvas stay in sync with `.morph/tasks/`
Skills in Git	×	Skill vectorization	Skills portable + always vector-indexed on load
dismiss_component → memory	×	VectorRouter DIRECT_MEMORY	Dismissed cards answerable without LLM
Discovery	×	Canvas per Space	Open any folder → its canvas loads immediately
git-remote sync	×	Existing project repos	Devs drop `.morph/` into `~/Projects/TechCorp` → AI context
ActionQueue (offline)	×	OpenMorph sync	Offline actions auto-replay on git push/pull reconnect
Offline-first (Tauri)	×	git-native	AI keeps working, data stays safe, syncs when back online

V1.0 offline story (Tauri): data ✅, auth ✅, canvas ✅, sync ✅, AI responses need cloud → completed in V1.5 with local LLM.

After V1.0: Layer 4 (V1.2 WASM Extensions) and Layer 5 (V1.3 Multimodal) both shipped Feb 21-22, 2026.

✅ Completed: Layer 4 — WASM Extension System (V1.2)

Timeline: 12 weeks (6 phases) Status: SHIPPED — Tagged v1.2.0 (February 21, 2026) Goal: Production-grade WASM extension system. Professional integrations (JIRA, GitHub, Notion, Linear, Slack) rebuilt as portable WASM modules. Marketplace for community extensions.

Architecture: BaseMorphRuntime abstraction → WasmRuntime on both Python (wasmtime) and Rust (wasmer). Extensions use WIT interface, sandboxed with permissions, resource limits, and code signing.

V1.2 Phase 1: Foundation (Weeks 1-2) ✅ DONE

Python backend: backend/extensions/ module (models, runtime, host_functions, manager) — 48 tests
WIT interface definition (wit/morphee-extension.wit)
Database migration: installed_extensions table (supabase/migrations/20260301000000_extensions.sql)
Rust runtime: frontend/src-tauri/src/extensions/ module (models, permissions, wasm_runtime) — 20 tests
Rust SDK: sdk/morphee-sdk-rust/ with Extension trait + export_extension! macro — 5 tests
Echo extension: extensions/echo/ (echo + reverse actions, compiles as cdylib)
~73 tests (48 Python + 20 Rust + 5 SDK)

V1.2 Phase 2: Security & Permissions (Weeks 3-4) ✅ DONE

PermissionEnforcer — per-host-function permission checks, SSRF domain blocking, manifest validation — 23 tests
ResourceLimiter — fuel, memory, HTTP rate limits, timeout tracking, limit validation — 18 tests
ExtensionSigner — RSA-PSS + SHA-256 code signing, sign/verify roundtrip — 15 tests
ExtensionAuditService — extension_executions table, buffered writes, stats queries — 8 tests
Frontend: PermissionDialog component with risk-level indicators — 5 tests
Database migration: extension_executions + signature fields on installed_extensions
Wired into ExtensionManager and host_functions.py
~69 tests (64 Python + 5 frontend)

V1.2 Phase 3: Distribution (Week 5) ✅ DONE

RegistryClient — OCI Distribution Spec client (search, pull, manifest, list_versions) — 15 tests
REST API: 8 endpoints (/api/extensions/* — catalog, installed, install, uninstall, enable, disable, execute, audit) — 16 tests
Frontend API client: extensions object in api.ts (catalog, installed, install, uninstall, enable, disable, execute, audit)
CLI tool: morphee-ext (init, build, test, sign, publish) at sdk/morphee-ext-cli/
Router registered in main.py, wired to app state
~36 tests (31 Python + 5 frontend)

V1.2 Phase 4: Developer Experience (Weeks 6-7) ✅ DONE

SDK examples: echo.rs, hello_api.rs, task_creator.rs in sdk/morphee-sdk-rust/examples/
cargo-generate template at sdk/templates/extension-template/ (Cargo.toml, src/lib.rs, manifest.json)
Dev server with hot reload: morphee-ext dev (mock host functions, HTTP test endpoint, file watcher)
SDK README: comprehensive guide (quick start, API, permissions, resource limits, runtime compat)
Developer guide: docs/features/extension-developer-guide.md (full walkthrough, manifest, permissions, host functions)
CLI dev command wired into morphee-ext tool
~21 tests (16 dev server + 5 CLI init)

V1.2 Phase 5: Built-in Extensions (Weeks 8-10) ✅ DONE

JIRA extension (6 actions: list/get/create/update/comment/transition) at extensions/jira/
GitHub extension (6 actions: list_issues/get_issue/create_issue/list_prs/comment/merge_pr) at extensions/github/
Notion extension (4 actions: create_page/update_page/get_page/search) at extensions/notion/
Linear extension (4 actions: create_issue/update_issue/list_issues/comment) at extensions/linear/
Slack extension (3 actions: send_message/list_channels/read_messages) at extensions/slack/
ExtensionOAuthHandler — generic OAuth flow for WASM (authorize URL, callback, vault storage) — 14 tests
OAuth API endpoints: POST /{id}/oauth/authorize, GET /{id}/oauth/callback, GET /{id}/oauth/status
All extensions declare OAuth config in manifest for backend-mediated flow
~14 tests (OAuth handler)

V1.2 Phase 6: Marketplace UI (Weeks 11-12) ✅ DONE

Marketplace page (frontend/src/pages/Marketplace.tsx) — catalog grid, search, browse/installed tabs
Extension components — ExtensionCard, ExtensionDetail, InstallDialog, PermissionDialog
Settings: ExtensionsTab — manage installed, enable/disable toggle, audit stats, uninstall
/marketplace route in App.tsx, "Extensions" nav item in Sidebar (Puzzle icon)
Zustand store (extensionStore.ts) + hooks (useExtensions, useExtensionCatalog)
i18n strings (EN + FR) for all extension/marketplace UI
Extension auto-updater (backend/extensions/updater.py) + GET /updates/check, POST /{id}/update endpoints
~30 tests (8 store + 9 card + 5 dialog + 8 updater)

Completed: Phase 1a — Minimal Chat Loop

Goal: Get a working conversation as fast as possible. User types, AI responds, streamed token-by-token. No tools, no memory, no dynamic UI — just chat.

Prerequisite: Architectural Cleanup

Remove PostgREST — replaced with direct asyncpg connection pool (db/client.py)
Rename family → group across codebase (DB, models, routes, frontend)
Rename project → space across codebase (DB, models, routes, frontend)
Evolve BaseInterface: added config_schema with security levels, config dict, and vault param (Integration/Interface split)
Implement VaultProvider abstraction + EnvVaultProvider default backend (see interfaces.md — Vault)

Backend: LLM Integration

Create backend/chat/llm.py — LLMIntegration class extending BaseInterface
Implement chat action — messages in, streaming response out (Anthropic SDK)
Implement complete action — simple text completion
System prompt builder: inject group name, user name, basic context
Configuration: API key from env, model configurable (default: claude-sonnet-4-20250514)
Register LLM Integration in InterfaceManager at startup

Backend: Chat API

POST /api/chat/ — Accept message, call LLM Integration, return SSE stream
GET /api/chat/conversations — List conversations for current user
GET /api/chat/conversations/{id}/messages — Get full conversation history
DELETE /api/chat/conversations/{id} — Delete conversation
Conversation model: store metadata in PostgreSQL (id, user_id, group_id, space_id, title, timestamps)
Message storage: PostgreSQL (move to Git + LanceDB in Phase 2)
Conversation history management: pass last 50 messages to LLM

Frontend: Chat UI

Chat page component — split layout with conversation list + chat area
Make chat page the default route (/)
Message display: user messages (right, primary) + AI responses (left, muted) with ChatBubble
SSE streaming: render AI response token-by-token with blinking cursor
Conversation list panel (w-64, hidden on mobile)
Create new conversation / continue existing / delete
Auto-scroll, loading states, error handling
chatStore (Zustand): conversations, messages, active conversation, streaming state

Frontend: Wire Up

API client methods: sendMessage (SSE), listConversations, getMessages, deleteConversation
SSE client utility for consuming streaming responses (POST-based fetch + ReadableStream)
Connect chatStore to API via useChat hook

Verification

Backend tests for LLM Integration (mock Anthropic SDK)
Backend tests for chat endpoints
Frontend unit tests for chatStore and useChat hook
E2E test: type message → see streaming response (mocked SSE)
Build passes (604 KB JS, 32 KB CSS), no regressions in existing tests

Completed: Phase 1b — Tool Calling, Agent Loop & Onboarding

Goal: AI can take actions — call Integrations, create tasks, render UI components. Welcome new users.

Sub-Sprint 1b.1 — Tool Bridge + Agent Loop (Backend)

Tool Bridge: convert ActionDefinition → Anthropic SDK tool format (chat/tools.py)
Agent Orchestrator: message → LLM → tool calls → results → response loop (chat/orchestrator.py)
LLM streaming with tools: stream_chat_with_tools() handles text + tool_use content blocks
Extended SSE protocol: tool_use, tool_result events alongside token/done/error
Multi-step tool execution: agent loops until stop_reason == "end_turn" or max_turns reached
Error handling: tool failures fed back to LLM, max_turns prevents infinite loops
Message metadata: tool call data stored in JSONB metadata column
Tests: 32 new tests (tool bridge, orchestrator, LLM streaming with tools, chat API)

Sub-Sprint 1b.2 — Frontend Tool Rendering + Approval Workflow

Evolved ActionDefinition: ai_access enum (execute/propose/blocked) replaces requires_approval boolean
Added side_effect (read/write/delete), returns (output schema), idempotent to ActionDefinition
Added EventDefinition model + get_events() stub on BaseInterface
Added ExecutionContext, PermissionPolicy, InterfacePermissions models (defined, wired later)
Updated all integrations, tool bridge, orchestrator, tests, frontend types, docs
Approval workflow for sensitive actions (pause/resume via asyncio.Event)
Frontend renders tool_use/tool_result events inline in chat (ToolCallCard component)
Approval block UI (approve/reject buttons, ApprovalCard component)
Frontend SSE client extended for new event types (tool_use, tool_result, approval_request)

Sub-Sprint 1b.3 — Task/Space Tools + Frontend as Integration

TasksIntegration: wrap TaskService as Integration (list, create, update_status)
SpacesIntegration: wrap SpaceService as Integration (list, get_current)
FrontendIntegration: show_card, show_task_list render commands
Component registry for dynamic rendering (InfoCard, TaskListRenderer)
Enhanced system prompt with tool usage guidance
ExecutionContext threaded through BaseInterface → InterfaceManager → Orchestrator → chat API
Rich component rendering in ToolCallCard (detects _component field)

Sub-Sprint 1b.4 — Conversational Onboarding

OnboardingIntegration: create_group, create_spaces, complete actions (interfaces/integrations/onboarding.py)
Onboarding system prompt with persona detection + 9-persona space mapping (chat/onboarding_prompts.py)
Onboarding API endpoint: POST /api/onboarding/chat with SSE streaming (api/onboarding.py)
Frontend: Onboarding page, useOnboarding hook, streamOnboarding SSE client
Routing: /onboarding replaces /create-group, ProtectedRoute redirects users without group
Tests: 45 backend + 18 frontend (integration, prompts, API, hook, page)
Default workflows based on persona: PERSONA_SKILLS mapping, create_default_skills onboarding action, auto-registers dynamic skills
Vault-aware Interface creation: interface_configs table, InterfaceConfigService, CRUD API endpoints, InterfaceConfigCard Settings UI, vault:// secret storage

Completed: Phase 2 — Memory & Knowledge

Goal: AI remembers facts, preferences, and events across conversations. Semantic memory via embeddings + pgvector, git-backed Markdown storage, RAG context injection, auto-summarization.

Sub-Sprint 2.1 — Embedding Abstraction + pgvector Setup

EmbeddingProvider ABC with embed(), embed_batch(), model_name(), dimensions() (memory/embeddings.py)
OpenAIEmbeddingProvider — text-embedding-3-small (1536 dims), uses existing OpenAI SDK
FastEmbedProvider — BAAI/bge-small-en-v1.5 (384 dims), local lightweight model
EmbeddingManager singleton — creates/caches active provider, validates consistency (memory/embedding_manager.py)
VectorStore — pgvector wrapper for insert/search/delete/get_by_id/count (memory/vector_store.py)
pgvector migration: embedding_config + memory_vectors tables with HNSW index (002_memory_vectors.sql)
Config: EMBEDDING_PROVIDER, EMBEDDING_MODEL, MEMORY_GIT_PATH settings
Tests: 39 tests (embeddings, embedding_manager, vector_store)

Sub-Sprint 2.2 — Memory Integration (Core)

Sub-Sprint 2.3 — RAG Pipeline + Context Injection

RAGPipeline — searches memory, formats context for system prompt injection (memory/rag.py)
Multi-scope search: group + space + user memories, deduplication by content
Conversation deduplication: don't inject what's already in chat history
Token budget: MAX_CONTEXT_CHARS = 8000 (~2000 tokens)
Automatic injection in _chat_stream() between prompt build and orchestrator run (api/chat.py)
Graceful degradation: RAG failures don't block chat
Tests: 11 tests (context retrieval, deduplication, format, error handling)

Sub-Sprint 2.4 — Git-Backed Storage + Markdown Files

GitStore — per-group git repos with Markdown + YAML frontmatter (memory/git_store.py)
Directory structure: conversations/, facts/, preferences/, events/, notes/, spaces/
Async git operations via asyncio.create_subprocess_exec("git", ...)
MemorySyncScheduler — hourly background sync (follows TaskProcessor pattern) (memory/sync.py)
Docker: git installed, memory-data volume, MEMORY_GIT_PATH env var
Tests: 19 tests (git_store + memory_sync)

Sub-Sprint 2.5 — Conversation Summarization + Auto-Memory

ConversationSummarizer — LLM-based fact/preference/event extraction (memory/summarizer.py)
Threshold trigger: auto-summarize after 10+ messages in a conversation
Extraction prompt: returns JSON array of {content, type, scope}
Stores extracted memories: embed → pgvector + git (per item)
Conversation summary: 2-3 sentence summary stored as conversation_summary type
Background task trigger in _chat_stream() after assistant response (api/chat.py)
Tests: 11 tests (threshold, extraction, errors, deduplication, summary)

Completed: Phase 2b — Tauri Rust Layer

Goal: Move memory operations from Python backend to native Rust in the Tauri desktop app for local-first, offline-capable operation.

Sub-Sprint 2b.1 — Rust Scaffolding + ONNX Embeddings

MorpheeError enum with thiserror + Serialize for Tauri IPC (error.rs)
AppState struct with Mutex/AsyncMutex for subsystem state (state.rs)
EmbeddingProvider wrapping fastembed crate (AllMiniLML6V2, 384 dims) (embeddings.rs)
Tauri commands: embed_text, embed_batch, get_embedding_info (commands/embedding_commands.rs)
Model auto-downloads on first startup via fastembed
Tests: 6 tests (embed, batch, empty batch, model info, unsupported model, similarity ordering)

Sub-Sprint 2b.2 — LanceDB Vector Store

VectorStore with LanceDB (embedded vector DB) — insert, search, delete, get_by_id, count (vector_store.rs)
Arrow RecordBatch schema matching Python memory_vectors table (13 columns, 384-dim vectors)
Cosine distance search with threshold filtering and scope/type/group isolation
Tauri commands: memory_insert, memory_search, memory_delete, memory_get, memory_count (commands/memory_commands.rs)
Tests: 8 tests (insert/get, search, filters, similarity ordering, delete, count, group isolation)

Sub-Sprint 2b.3 — Git-Backed Markdown Storage (git2)

GitStore using git2 crate (native libgit2) — init_repo, save_conversation, save_memory, delete_memory, sync (git_store.rs)
Same Markdown + YAML frontmatter format as Python backend
Same directory structure: conversations/, facts/, preferences/, events/, notes/, spaces/
Tauri commands: git_init_repo, git_save_conversation, git_save_memory, git_delete_memory, git_sync (commands/git_commands.rs)
All git operations wrapped in spawn_blocking (git2 is synchronous)
Tests: 8 tests (init, idempotent, save conversation, save memory, space-scoped, metadata, delete, git commits)

Sub-Sprint 2b.4 — Keychain Vault Provider

VaultProvider trait + KeychainVaultProvider using keyring crate (vault.rs)
Cross-platform: macOS Keychain, Windows Credential Manager, Linux Secret Service
Service name: app.morphee.desktop, arbitrary key strings
Tauri commands: vault_get, vault_set, vault_delete, vault_exists (commands/vault_commands.rs)
Tests: 5 tests (set/get, get nonexistent, exists, delete, overwrite)

Sub-Sprint 2b.5 — Frontend IPC Bridge + Runtime Detection

isTauri() runtime detection via window.__TAURI_INTERNALS__ (lib/runtime.ts)
Typed Tauri invoke wrappers: tauriEmbeddings, tauriMemory, tauriGit, tauriVault (lib/tauri.ts)
Unified memoryClient — routes to Rust IPC (desktop) or Python HTTP (web) (lib/memory-client.ts)
Memory types added to frontend: MemoryRecord, MemorySearchResult, MemoryType, MemoryScope (types/index.ts)
Tests: 12 tests (2 runtime detection + 10 memory client routing for both desktop and web modes)

Sub-Sprint 2b.6 — Integration + Initialization

Full app initialization in lib.rs: embeddings, git store, vault at startup
health_check command: reports status of all 4 subsystems (commands/health_commands.rs)
18 Tauri IPC commands registered (3 embedding + 5 memory + 5 git + 4 vault + 1 health)

Verification

29 Rust tests pass (cargo test)
170 frontend unit tests pass (158 existing + 12 new)
Frontend build clean (614 KB JS, 33 KB CSS)

Completed: Phase 3a — Core Integrations

Goal: Make Morphee proactive and connected by adding core integrations: scheduling, notifications, Google services, and filesystem access.

Sub-Sprint 3a.1 — Cron Integration (Scheduler)

schedules table migration (003_schedules.sql) — once, interval, cron schedule types
ScheduleService — CRUD + next_run calculation with croniter (scheduler/service.py)
ScheduleRunner — async polling loop, follows TaskProcessor pattern (scheduler/runner.py)
CronIntegration(BaseInterface) — 4 actions: schedule, list, get, cancel (interfaces/integrations/cron.py)
Registered in InterfaceManager, system prompt guidance added
Started/stopped in main.py lifespan alongside TaskProcessor and MemorySyncScheduler
Tests: 30 tests (service, runner, integration)

Sub-Sprint 3a.2 — Notifications Integration

notifications table migration (004_notifications.sql) — type, source, read status
NotificationService — CRUD + unread count + EventBus publishing (notifications/service.py)
NotificationsIntegration(BaseInterface) — 3 actions: send, list, mark_read (interfaces/integrations/notifications.py)
REST API: GET /api/notifications, GET /api/notifications/unread-count, POST /api/notifications/{id}/read, POST /api/notifications/read-all (api/notifications.py)
WebSocket extended: subscribes to notification.* events with user-level filtering
Registered in InterfaceManager, system prompt guidance added
Tests: 25 tests (service, integration, API)

Sub-Sprint 3a.3 — Google OAuth Infrastructure

oauth_connections table migration (005_oauth_connections.sql) — provider, scopes, token expiry
OAuth2 helpers: HMAC-signed state, token exchange, scope mapping (google/oauth.py)
GoogleApiClient: authenticated HTTP client with auto token refresh (google/client.py)
REST API: GET /api/oauth/google/authorize, GET /api/oauth/google/callback, GET /api/oauth/google/status, POST /api/oauth/google/disconnect (api/oauth.py)
Config: GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REDIRECT_URI in config.py
Tokens stored in VaultProvider (never in DB), metadata in oauth_connections
Tests: 25 tests (oauth helpers, client, API endpoints)

Sub-Sprint 3a.4 — Google Calendar Integration

GoogleCalendarIntegration(BaseInterface) — 5 actions: list_events, create_event, update_event (PROPOSE), delete_event (PROPOSE), check_availability (interfaces/integrations/google_calendar.py)
Uses GoogleApiClient from Sprint 3a.3 for authenticated Google Calendar API v3
Registered in InterfaceManager, system prompt guidance added
Tests: 30 tests (definition, context validation, all 5 actions, event formatting)

Sub-Sprint 3a.5 — Gmail Integration

GmailIntegration(BaseInterface) — 5 actions: list_emails, read_email, send_email (PROPOSE), draft_email, reply_email (PROPOSE) (interfaces/integrations/gmail.py)
MIME message construction via Python email.mime stdlib + base64url encoding
Body extraction handles plain text, multipart, nested multipart payloads
Registered in InterfaceManager, system prompt guidance added
Tests: 40 tests (definition, context validation, all 5 actions, helper functions)

Sub-Sprint 3a.6 — Filesystem Integration

Python FileStore — sandboxed file operations per group, path traversal prevention, extension allowlist (.md/.txt/.json/.csv/.yaml), size limits (filesystem/file_store.py)
FilesystemIntegration(BaseInterface) — 5 actions: list_files, read_file, write_file (PROPOSE), delete_file (PROPOSE), search_files (interfaces/integrations/filesystem.py)
Tauri Rust FileStore — same sandbox logic, 5 IPC commands (src-tauri/src/file_store.rs, commands/fs_commands.rs)
Frontend fsClient — unified client routing to Rust IPC or Python HTTP (lib/fs-client.ts)
Registered in InterfaceManager, system prompt guidance added
Tests: 46 Python (27 store + 19 integration), 8 Rust, 12 frontend

Verification

766 backend tests pass (94% coverage)
37 Rust tests pass (29 existing + 8 file_store)
182 frontend unit tests pass (170 existing + 12 fs-client)
Frontend build clean (614 KB JS, 33 KB CSS)

Completed: Phase 3a Frontend UI

Goal: Build the frontend components for Phase 3a backend features (notifications, OAuth, settings).

NotificationBell Component

Notification types + NotificationEvent WS event types (types/index.ts)
Notification API client: list, unreadCount, markRead, markAllRead (lib/api.ts)
notificationStore Zustand store: notifications list, unread count, mark-read actions (store/notificationStore.ts)
useNotifications hook: store + API + WebSocket subscription (hooks/useNotifications.ts)
NotificationBell component: bell icon with unread badge, dropdown list, mark-as-read (components/layout/NotificationBell.tsx)
Added to Header between theme toggle and user menu

Settings Page

Replaced placeholder with Tabs: Notifications + Integrations (pages/Settings.tsx)
Notifications tab: full notification list with mark-read, unread count
Integrations tab: Google OAuth connection card

GoogleConnect Component

GoogleOAuthStatus + OAuthCallbackMessage types (types/index.ts)
OAuth API client: googleAuthorize, googleStatus, googleDisconnect (lib/api.ts)
GoogleConnect component: OAuth popup flow, status display, scope badges, connect/disconnect (components/settings/GoogleConnect.tsx)

Verification

206 frontend unit tests pass (182 existing + 24 new: 9 store + 8 hook + 7 API)
Frontend build clean (631 KB JS, 34 KB CSS)

Completed: Phase 3b.1 — Dynamic Skills

Goal: Composable AI capabilities that combine multiple Integration calls into higher-level workflows. Skills are stored "macros" — a sequence of integration calls with variable interpolation. Once created, a Skill appears as a normal tool the AI can call, or that cron can trigger on a schedule.

Database & Models

skills table migration (006_skills.sql) — group-scoped, JSONB definition, unique name per group
Pydantic models: SkillStep, SkillDefinition, SkillParameter, SkillCreate, Skill (skills/models.py)

Skill Service (CRUD)

SkillService — create, get, list, update, delete, increment_run_count (skills/service.py)
list_all_enabled() — cross-group query for startup loading
Group isolation enforced on all queries

Skill Engine (Execution)

SkillEngine — validate definitions + execute step sequences (skills/engine.py)
Template interpolation: {{params.x}}, {{steps.id.result.field}}, {{context.user_id}}
Type preservation: whole-template strings return raw values (lists, dicts, numbers)
Error handling: per-step on_error (fail/continue), combined result output
Side effect inference: worst-case from constituent steps (READ < WRITE < DELETE)

Dynamic Skill Interface

DynamicSkillInterface(BaseInterface) — runtime-generated interface per skill (skills/dynamic.py)
Single run action with parameters from skill definition
Name sanitization: "My Cool Skill" → skill_my_cool_skill

Skills Integration (AI Tool)

SkillsIntegration(BaseInterface) — 5 actions: create, list, get, update, delete (interfaces/integrations/skills.py)
Create validates via SkillEngine, saves to DB, dynamically registers interface
Update/delete manages interface lifecycle (unregister + re-register)
System prompt guidance for skill creation and scheduling

REST API

GET /api/skills/ — list skills for current group
GET /api/skills/{id} — get skill detail
POST /api/skills/ — create skill (validates definition)
PUT /api/skills/{id} — update skill
DELETE /api/skills/{id} — delete skill

Startup & Cron

Startup loading: all enabled skills loaded from DB and registered as dynamic interfaces (main.py)
SKILL ActionType added to scheduler (scheduler/models.py)
_fire_skill() handler in ScheduleRunner (scheduler/runner.py)
CronIntegration extended with "skill" action_type support

Verification

849 backend tests pass (91% coverage) — 83 new skill tests
206 frontend unit tests pass (no regressions)
Frontend build clean (631 KB JS, 34 KB CSS)

Completed: Phase 3b.2 — Frontend as Integration (Advanced)

Goal: Transform the Frontend Integration from 2 display-only actions into a full bidirectional component protocol — the AI composes rich, interactive UI from atomic building blocks, users interact with those components, and events flow back to the AI.

Backend: Component Protocol + Actions

ComponentSpec, ComponentEventDeclaration, ComponentLayout models added to interfaces/models.py
FrontendIntegration rewritten with 10 actions: 7 semantic (show_card, show_list, show_form, show_choices, show_actions, show_progress, show_table) + 1 generic (render) + 2 lifecycle (update, dismiss)
POST /api/chat/component-event endpoint — handles AI_TURN events (formats as synthetic user message, returns SSE stream)
WebSocket extended: component.* event subscription for server-push updates
System prompt updated with guidance for all 10 frontend tools

Frontend: Component System

TypeScript types in types/components.ts (ComponentSpec, ComponentEvent, RendererProps)
componentStore Zustand store — tracks active components per conversation (store/componentStore.ts)
Component event dispatcher — tier classification (LOCAL/AI_TURN), HTTP dispatch (lib/component-events.ts)
ComponentRegistry evolved — recursive renderer, registerComponent(), self-registering pattern
ToolCallCard updated — detects _spec (new) vs _component (legacy), wires events, passes interactive flag
useChat hook extended — componentStore integration, handleComponentEventResponse for SSE
sse.ts extended — processComponentEventResponse() for component event SSE parsing

Tier 1 Components (10 renderers)

Verification

957 backend tests pass (93% coverage) — 108 net new (Phase 3b.2: 72, coverage sprint: 36)
481 frontend unit tests pass (355 existing + 126 new: component tests 108, renderer tests 18) — 73.6% statement coverage (up from 57.8%)
Frontend build clean (652 KB JS, 38 KB CSS)

Goal: Add social/SSO login via GoTrue's built-in OAuth providers. See features/sso-login.md for full design.

Step 1 — GoTrue Provider Configuration

Add GOTRUE_EXTERNAL_GOOGLE_* env vars to docker-compose.dev.yml (prod managed externally)
Add GOTRUE_EXTERNAL_APPLE_* env vars to docker-compose.dev.yml
Add GOTRUE_EXTERNAL_AZURE_* env vars to docker-compose.dev.yml
Update GOTRUE_URI_ALLOW_LIST with callback + Tauri URLs

Step 2 — Backend SSO Endpoints

GET /api/auth/providers — list enabled SSO providers from GoTrue /settings
GET /api/auth/sso/{provider} — return GoTrue authorize URL with redirect
POST /api/auth/sso/callback — verify token, find-or-create morphee_user, emit signup event
Name extraction from user_metadata (full_name → name → email prefix)
Register SSO router in main.py under /api/auth prefix
Tests: 21 new (JWT helpers, provider discovery, authorize URL, callback flows)

API client: providers(), ssoAuthorize(), ssoCallback() methods (lib/api.ts)
ssoLogin(provider) in useAuth hook — full-page redirect to GoTrue authorize URL
handleSSOCallback(accessToken, refreshToken) in useAuth hook — token exchange + user fetch
Tauri desktop support: isTauri() detection for http://tauri.localhost/auth/callback redirect
/auth/callback route — extract tokens from URL fragment hash, error handling
AuthCallback page — loading spinner, error state, back-to-login link
SSOIcons component — inline SVG icons (Google, Apple, Microsoft, GitHub, Discord)
AuthForm — dynamic provider discovery, social login buttons with "or continue with" divider
Tests: 17 new (8 AuthCallback, 5 useAuth SSO, 4 AuthForm SSO buttons)

Step 4 — User Linking + Edge Cases

GoTrue automatic user linking (default GOTRUE_SECURITY_MANUAL_LINKING_ENABLED=false)
Same-email-different-provider: GoTrue merges to one auth.users row → same auth_user_id
Social login without name: falls back to email prefix
Onboarding flow: SSO users get group_id=null → ProtectedRoute redirects to /onboarding

Step 5 — Tier 2 Providers (deferred)

GitHub provider (env vars + button)
Discord provider (env vars + button)
Slack OIDC provider (env vars + button)

Verification

1013 backend tests pass (95% coverage) — 21 SSO + 35 coverage tests
526 frontend unit tests pass — 17 SSO + 28 coverage tests
Frontend build clean (656 KB JS, 38 KB CSS)

Completed: Phase 3d M1 — Minimal Mobile App

Goal: Ship Morphee on iOS and Android via Tauri v2 mobile targets. Online-first (local ML unavailable on mobile). See features/2026-02-12-mobile-ios-android.md for full investigation.

Sub-Phase M1 — Minimal Mobile App

Verification

37 Rust tests pass (desktop, no regressions from conditional compilation)
544 frontend unit tests pass (509 existing + 35 new: 16 runtime + 4 BottomNav + 10 memory-client + 5 other)
Frontend build clean (656 KB JS, 38 KB CSS)

Sub-Phase M2 — Native Mobile Features (L)

Verification (M2)

37 Rust tests pass (desktop, no regressions)
9 Rust mobile-ml tests pass (tokenizer: cargo test --features mobile-ml)
558 frontend unit tests pass (553 → 558: 5 new runtime/isIOS tests)
Frontend build clean (662 KB JS, 38 KB CSS)

Sub-Phase M3 — Local AI Mobile (Layer 6 V1.5)

New Roadmap: Layer 6 / Version 1.5 (depends on OpenMorph) Timeline: 4 weeks (split: offline data/sync moved to V1.0 Work Stream C)

Offline data/sync/auth now lands in V1.0 Work Stream C (free with OpenMorph git-native). M3 focuses on what V1.0 can't provide: local LLM inference.

Local LLM on mobile via candle (Phi-4-mini Q4 — ~2.3GB, Metal GPU on iOS, CPU on Android)
Metal GPU acceleration on iOS (via candle-core/metal feature)
Smart routing: local model for simple tasks, cloud Claude for complex reasoning
Model download on mobile (hf-hub + tokenizers with unstable_wasm for pure-Rust regex)
Model management UI (storage, switch, delete) with mobile storage/RAM warnings
Mobile-specific LLM config (512 max tokens, 2048 context, reduced history)
ANE acceleration on iOS (future — Metal GPU covers primary path)
Progressive model download with background resume

✅ Completed: V1.5 — Local AI (Desktop)

Status: Gaps closed — February 21, 2026 Goal: Local LLM inference via candle/GGUF in Tauri Rust backend. Desktop-first, mobile follow-up. Design doc: docs/features/local-llm.md

Target models: Phi-4 Mini Q4 (~2.3GB), Llama 3.2 3B Q4 (~2.0GB)

✅ Completed (Foundation):

✅ Completed (V1.5 Gaps — February 21, 2026):

Pending (future work):

Whisper ONNX inference pipeline (currently returns stub error; Web Speech API covers primary path)
--features local-llm,audio,biometrics full cargo build verification (candle 0.9 API fixes, Feb 22)
Mobile candle LLM (Phase M3) — Phi-4 Mini Q4 on iOS (Metal) + Android (CPU)
Metal GPU acceleration on iOS
ANE acceleration on iOS (future optimization)

Completed: Phase 3e.1 — Critical UX & Discoverability

Goal: Fix the most urgent UX blockers preventing basic product usage. Driven by Product Review 2026-02-13 — 48 findings, readiness score 4.5/10.

C-UX-001 + C-FEAT-001 — Mobile conversation access — Sheet-based left drawer with ConversationList, mobile header bar with hamburger + title + new button
H-FEAT-001 — Suggested prompts in empty chat state — 6 clickable capability chips (tasks, calendar, email, reminders, memory, help)
M-FEAT-006 — Markdown rendering in chat — ReactMarkdown + remark-gfm for assistant messages, prose styling via @tailwindcss/typography
M-UX-003 — Theme persistence — localStorage morphee-theme key, App.tsx reads on mount before system preference fallback
H-UX-005 — Stop/cancel button for AI streaming — destructive Square button replaces Send during streaming, calls abortController
H-UX-006 — Chat input streaming indicator — placeholder changes to "Morphee is thinking..." during streaming
L-FEAT-001 — Typing indicator — bouncing dots animation before first AI token arrives
L-DESIGN-001 — Standardize page headers — Tasks and Spaces upgraded to text-2xl font-bold (matches Dashboard/Settings)
M-DESIGN-001 — Chat icon consistency — BottomNav changed from MessageSquare to MessageCircle (matches Sidebar)

Verification

645 frontend unit tests pass (633 existing + 12 new)
Frontend build clean (826 KB JS, 61 KB CSS)

Completed: Phase 3e.2 — Core Product Completeness

Goal: Fill fundamental product gaps that every user-facing app needs. 10 items across 5 batches: frontend polish, confirmation/retry, conversation organization, user profiles, search/pagination/editing.

Batch 1 — Frontend-Only Polish

M-FEAT-004 — Humanized tool call displays: humanizeToolCall() in utils.ts maps all 14 integrations' actions to human-readable text in ToolCallCard
L-UX-001 — Skeleton loaders for chat messages: 5 alternating skeleton bubbles in Chat.tsx when loading
L-FEAT-003 — Task sorting options: Sort by newest/oldest/priority/name with Select dropdown in Tasks.tsx

Batch 2 — Confirmation + Retry

M-UX-002 — Confirmation dialogs for destructive actions: AlertDialog before deleting conversations in ConversationList
L-FEAT-004 — Retry mechanism for failed chat messages: Retry button with RotateCcw icon next to error in Chat.tsx

Batch 3 — Conversation Rename + Organization

H-FEAT-002 — Conversation rename/pin/archive: DropdownMenu with Rename/Pin/Archive/Delete options, inline rename, pinned-first ordering. Backend: PATCH /conversations/{id} endpoint, is_pinned/is_archived columns. Migration: 009_phase3e2.sql

Batch 4 — User Profile Management

C-FEAT-003 — User profiles: Profile tab in Settings with name/email/avatar. Backend: GET/PATCH /api/auth/profile, POST /api/auth/change-password. Migration adds avatar_url to users table, edited_at to messages table.

Batch 5 — Search, Pagination, Editing

L-FEAT-002 — Conversation pagination: offset param on messages endpoint, count_messages method
C-FEAT-002 — Global search (Cmd+K): GET /api/search/ endpoint (ILIKE across conversations/tasks/spaces), SearchDialog with cmdk
H-FEAT-008 — Message editing + regeneration: PATCH /conversations/{id}/messages/{msg_id}, POST /conversations/{id}/regenerate with SSE. ChatBubble has edit/regenerate/copy buttons.

Not Implemented (deferred)

M-FEAT-008 — Notification dropdown (bell opens popup) — already partially exists in NotificationBell

Verification

646 frontend unit tests pass (645 existing + 1 new from 3e.1 correction, +13 new Phase 3e.2 tests across 53 test files)
Frontend build clean (865 KB JS, 63 KB CSS)

Completed: Phase 3e.3 — Collaborative Foundation

Goal: Enable the multi-user promise central to Morphee's identity. Group invites, conversation-space association, onboarding polish.

Group Collaboration

C-FEAT-004 — Group member invites + management: email invites with token-based flow (create/accept/decline/cancel), member management (list/update role/remove), group_invites table migration, AcceptInvite page, Settings group management section with invite form + member list + role controls
H-FEAT-003 — Conversation-space association: space_id query param on GET /api/chat/conversations, space-scoped conversation listing in frontend

Onboarding & UX Polish

H-UX-007 — Post-onboarding feature tour: FeatureTour overlay component with step-by-step walkthrough of chat, conversations, spaces, settings
H-UX-001 — Onboarding value explanation: welcome card with feature bullets (group setup, spaces, privacy) before AI chat starts
M-UX-006 — Onboarding space summary: "Here's what I set up" display with created spaces after AI completes setup
H-UX-002 — Login page improvement: 4 feature bullets with icons (smart conversations, spaces & tasks, memory, privacy)

Task Enhancements

Task subtask support: parent_task_id field, subtask creation and display in TaskDetail

Completed (3e.3 continuation)

H-FEAT-007 — Task inline editing (description, priority, space assignment) — already implemented in TaskDetail.tsx
H-UX-003 — Branded loading spinner during auth check — pulsing "M" circle replaces Loader2
H-UX-004 — Friendly error messages — network error wrapping in api.ts (status 0), Dashboard error banner

Verification

Backend tests pass — 100% pass rate, 89% coverage (fixed all 24 failures: TestClient lifespan, database password, rate limiting) — see test-results.md for counts
724 frontend unit tests pass (+49 lib/utils.ts tests: 15% → 73% coverage)
Frontend build clean (981 KB JS, 63 KB CSS)

Sub-Phase 3e.4 — Engagement & Polish (M — 3-5 days)

Completed (3e.4 quick wins)

M-UX-005 — WebSocket reconnect button (forceReconnect method + button in ConnectionStatus)
M-FEAT-005 — Approval card timeout indicator (60s countdown, auto-reject, color urgency)
M-DESIGN-004 — Unified EmptyState component (reusable, used in ConversationList, Tasks, Spaces)
M-FEAT-007 — Breadcrumbs navigation (route-aware, hidden on mobile, in Header)
M-UX-001 — Dashboard evolution (conversations, notifications cards + empty states)
M-UX-004 — Empty state for Spaces page (already done in SpaceList)

Remaining

L-IDEA-004 — Daily briefing skill — Added "Daily briefing" as first suggested prompt + Daily Summary skill for grandparent persona
H-FEAT-004 — Notification preferences + controls — NotificationsTab with per-type toggles, quiet hours, DND mode
H-FEAT-005 — Settings expansion — 5 tabs: Profile (with avatar upload, text size, simplified mode), Members, Notifications, Integrations, Data & Privacy
C-FEAT-006 — Data export + backup (JSON/Markdown)
M-FEAT-009 — Notification sound + desktop alerts — Browser Notification API with DND/quiet hours respect
M-DESIGN-003 — Branding + logo (app icon, favicon)
L-IDEA-003 — "What can I do?" command — Implemented as suggested prompt in empty chat state
M-FEAT-013 — Onboarding re-engagement emails — Day-2, week-1, dormancy templates with daily check loop

Verification

2017+ frontend unit tests (+46 Feb 19, 2026, ~60 failing spec tests for stub components)
Frontend build clean (428 KB JS, 67 KB CSS)

Sub-Phase 3e.5 — Conversation & Context (M — 3-5 days)

Message pinning (pin/unpin/list pinned, max 5 per conversation) — backend + frontend PinnedMessages component
Conversation settings dialog (ConversationSettingsDialog component)
H-FEAT-009 — Conversation context control — ConversationSettingsDialog with 4 context window sizes + message pinning
H-FEAT-006 — Keyboard shortcuts — KeyboardShortcutsDialog (press ?), arrow nav, Cmd+N, Cmd+K
M-FEAT-001 — File upload in chat — Paperclip button with file picker, file name chip, attachment metadata
L-IDEA-001 — Quick Actions floating button (FAB) — QuickActionsFAB component with 4 actions (new conversation, create task, set reminder, upload file), custom event dispatching, mobile-aware rendering
M-FEAT-012 — Integration setup wizards — SETUP_GUIDES with step-by-step guides for Google Calendar, Gmail, Slack, Anthropic LLM

Completed: Safety & Compliance Foundation

Implemented as critical safety prerequisites (pre-V0.9):

Verification (Safety & Compliance)

1865 backend tests pass (87% coverage) — +103 tests Feb 19, 2026
57 Rust tests pass (48 desktop + 9 mobile-ml)
2017+ frontend unit tests + 60 E2E tests (86 test files) — +46 tests Feb 19, 2026
Frontend build clean (435 KB JS, 67 KB CSS)

✅ Completed: V1.3 — Interactive UI + Multimodal

New Roadmap: Layer 5 / Version 1.3 (merged with Multimodal Interaction) Timeline: 8 weeks Status: SHIPPED — February 22, 2026 Goal: Inline editing of AI components + haptic feedback. Multi-modal identity for kids. Video interaction. (Monitoring moved to Layer 7 V2.0)

Sprint 1 — Interactive UI: Editable Components (DONE Feb 21, 2026)

Extend ComponentSpec with editable, edit_permissions, haptic_feedback, auto_save, edit_schema fields
New FrontendIntegration actions: enable_editing, lock_editing, apply_edits
Haptic feedback integration (haptics.ts triggers on edit start/save/error, uses existing Tauri haptic commands)
Editable component types: card (inline field editing), list (add/remove/reorder items), table (cell editing with validation)
Edit permission modes: EditPermission model — user (silent save), parent (requires parent role), ai_turn (triggers AI response)
i18n strings for editable components (en/fr: edit, save, cancel, reorder, validation errors)
Backend tests: 21 new tests (enable_editing, lock_editing, apply_edits actions, EditPermission model, ComponentSpec editable fields)
Frontend tests: 55 new tests (editable CardRenderer, ListRenderer, TableRenderer, edit permissions, haptic triggers, i18n)

Remaining (completed in Sprint 6):

Editable calendar renderer — CalendarRenderer.tsx (Month/Week/Day views, editable mode)
Editable kanban renderer — KanbanRenderer.tsx (drag-and-drop cards, editable mode)

Verification

Frontend tests: editable components, edit permissions, haptic triggers (55 tests)
Backend tests: editable component actions + EditPermission model (21 tests)
E2E tests: inline edit card, drag list items, drag kanban cards (3 scenario YAMLs + data-testid attrs)

Sprint 2: Video1 — Camera & Image Upload ✅ (Feb 21, 2026)

Sprint 4: Video2+3+4 — Visual Analysis, Gesture Recognition, Screen Capture (Feb 22, 2026)

Backend — VisualIntegration (Sprint A / Video2):

Store resized base64 in message metadata (data_b64 field in attachment metadata)
VisualIntegration class (backend/interfaces/integrations/visual.py) — 3 actions: analyze_image, transcribe_handwriting, interpret_diagram
Shared helpers: _resolve_image (UUID / data URL / raw base64), _call_vision (focused Anthropic API call), _check_llm_consent (GDPR)
ChatService.get_message_by_id method for image reference resolution
Registered in main.py, system prompt guidance in prompts.py
Backend tests: 25 tests (definition, analyze, transcribe, diagram, resolve, consent, errors, stored attachment)

Frontend — Screen Capture + Accessibility (Sprint B / Video4):

Tauri: capture_screen + capture_window commands (xcap crate, desktop-only with #[cfg])
screenshot.ts — Tauri IPC wrapper returning AttachedFile
Monitor button in Chat.tsx (desktop-only), wired to attachedFile state
ImageRenderer enhanced: voice feedback (Volume2 + speakText), high-contrast mode (prefers-contrast media query)
i18n: EN/FR strings for screen capture, image descriptions, visual analysis, gesture detection (25+ keys)
Frontend tests: 6 screenshot tests + 4 ImageRenderer tests

Frontend — Gesture Recognition (Sprint C / Video3):

@mediapipe/tasks-vision installed (~137KB gzipped vision_bundle)
gestureStore.ts — Zustand store with persist (6 gesture→action mappings, sensitivity, showIndicator)
useGestureDetection.ts — MediaPipe hook (10fps detection loop, 3-frame debounce, sensitivity thresholds)
GestureDetector.tsx — PiP webcam preview (160x120, bottom-left, minimize button)
GestureOnlyMode.tsx — Fullscreen accessible overlay (voice feedback, Escape to exit)
Chat.tsx wired: gesture action handler (approve/dismiss/stop/scroll_up), Hand button, GestureDetector + GestureOnlyMode
ProfileTab.tsx — GestureSettingsCard (enable toggle, sensitivity, indicator, 6 gesture mapping rows)
Frontend tests: 8 useGestureDetection + 5 GestureDetector + 3 GestureOnlyMode + 4 gestureStore = 20 tests

Totals: 25 backend + 30 frontend = 55 new tests

Sprint 5: Step-Up Authentication ✅ DONE

Goal: Enforce re-authentication for sensitive operations (delete account, data export, ACL changes).

Totals: 12 backend + 8 frontend = 20 new tests

Sprint 6: Calendar + Kanban Renderers ✅ DONE

Goal: AI can render interactive calendar schedules and kanban project boards.

CalendarRenderer.tsx — Month/Week/Day views (CSS Grid), event dots, navigation, editable mode (inline edit, add)
KanbanRenderer.tsx — Horizontal columns with draggable cards (HTML5 DnD), labels, editable mode (add card/column, inline edit)
frontend.py — show_calendar + show_kanban actions with editable/position_hint support
register-renderers.ts — registered both new renderers
prompts.py — AI guidance for when to use calendar vs kanban
i18n: components.calendar.* + components.kanban.* keys (EN + FR)
Frontend tests: 13 CalendarRenderer + 12 KanbanRenderer = 25 tests
Backend tests: 6 tests (show_calendar basic/editable/empty/position, show_kanban basic/editable/empty)

Totals: 6 backend + 25 frontend = 31 new tests

Sprint 7: Video Notes + AI Video Analysis ✅ DONE

Goal: Video capture, playback, and multi-frame Claude Vision analysis.

Totals: 6 backend + 14 frontend = 20 new tests

Deferred: V2.5+ — Crypto Marketplace

New Roadmap: Layer 8 / Version 2.5+ (Future/Optional, deprioritized) Status: Deprioritized — Interesting vision but distracts from core product. Can be built as WASM extension later.

Goal: Decentralized marketplace with cryptocurrency payments, data exchange, smart contracts, DAO governance.

Reference: MyHarbor.AI (user's previous project on transaction publishing) for publisher/reader payment model.

Note: This phase is no longer a near-term priority. V1.3 Multimodal and V1.2 WASM both shipped. Focus has shifted to V2.0 Production Platform.

Smart Contracts (Solidity)

ExtensionMarketplace contract (purchase, license management, revenue splits)
DataMarketplace contract (list data, purchase, escrow, disputes)
MorpheeExtensionNFT contract (ERC-721 + ERC-2981 royalties)
MorpheeDAO contract (proposals, voting, execution, treasury)
WalletACL contract (spending limits, parent approvals, role permissions)
Deploy to Ethereum mainnet, Polygon, Arbitrum, Base
Smart contract security audit (Trail of Bits or OpenZeppelin) — CRITICAL
Hardhat/Foundry test suite (100+ tests for all edge cases)

Backend: Crypto Payment Infrastructure

CryptoPaymentService with Web3.py (blockchain interaction)
Blockchain event indexer (listen for ExtensionPurchased, DataPurchased, etc.)
Transaction verification (on-chain confirmations, fraud prevention)
IPFS integration (upload/download encrypted data)
Price oracle integration (Chainlink for ETH/USD conversion)
Database tables: crypto_transactions, user_wallets, data_listings, data_purchases, dao_proposals
Web3 auth endpoints: nonce generation, signature verification, wallet linking

Frontend: Web3 Integration

Web3Modal integration (WalletConnect v2, MetaMask, Coinbase Wallet)
Crypto payment UI (select currency, confirm transaction, wait for confirmation)
Data marketplace UI (browse datasets, preview, purchase, download)
DAO governance UI (proposals list, voting interface, treasury dashboard)
Wallet connection flow (detect wallet, sign message, auth)
Multi-chain support (switch between Ethereum, Polygon, Base)
Transaction status tracking (pending, confirmed, failed)
Balance display (ETH, USDC, DAI, MorphCoin)

Data Marketplace Features

Data anonymization pipeline (PII removal, NER model, GDPR compliance)
Data encryption (AES-256, decryption key in vault)
IPFS upload/download (encrypted data, metadata URIs)
Data quality verification (AI-based review, verified badge)
Seller reputation system (on-chain ratings, NFT badges)
Dispute resolution (DAO arbitration, 7-day escrow)

Governance Token (MorphCoin)

ERC-20 MorphCoin contract (100M supply, governance rights)
Token distribution (40% treasury, 30% team vesting, 20% airdrop, 10% staking)
Liquidity provision (Uniswap v3 pools: MorphCoin/ETH, MorphCoin/USDC)
Staking rewards (stake MorphCoin, earn % of platform fees)
Airdrop campaign (distribute to early users, active participants)

Verification

Smart contract tests: 100+ tests with Hardhat/Foundry (mainnet fork testing)
Backend tests: crypto payment flows, blockchain event handling, IPFS operations
Frontend tests: Web3Modal connection, transaction signing, marketplace UI
E2E tests: buy extension with ETH, sell dataset, vote on DAO proposal
Security audit report (external auditor confirms no critical vulnerabilities)
Gas optimization (minimize transaction costs on L1, batch operations)

Planned: V2.5+ — Self-Aware AI Development

New Roadmap: Layer 8 / Version 2.0+ (Advanced/Optional) Timeline: 4 weeks (4 phases) Goal: Enable Morphee to read, understand, and improve her own codebase through self-referential memory.

Phase 1: Read-Only Self-Awareness (1 week)

Phase 2: Community Contributions (1 week)

Implement branch creation for community contributors
Add review_community_branch action (diff analysis, test check, docs check, recommendation)
Create CommunityPage in frontend (PR list, review UI, branch management)
Add GitHub webhook integration (PR notifications)
Add code_review_history database table
Implement ACL roles: viewer, contributor, reviewer, maintainer, dictator
Test full PR review workflow (create branch → commit → review → recommendation)
Document contribution guidelines in docs/

Phase 3: Self-Improvement (1 week)

Implement suggest_improvement action (search → analyze → draft → commit)
Add self_improvement_proposals database table
Create proposal UI in frontend (list proposals, approve/reject)
Test drafting code changes (multi-file edits)
Test committing to feature branches (proper git author, message format)
Add approval workflow (requires dictator role = Sebastien only)
Implement branch naming convention: morphee-suggests/{component}-{timestamp}

Phase 4: Polish & Governance (1 week)

Finalize MorpheeSelfACL model (permissions by role)
Add contributor recognition system (credits in README, UI badges)
Create governance documentation (benevolent dictator model, workflow)
Set up CI/CD for community branches (auto-run tests on PR)
Add metrics dashboard (contributions, reviews, merges, accuracy)
Implement self_awareness_audit_log for all actions
Write blog post: "The First Self-Aware AI Agent"

Safety & Security

Read-only by default (search/explain = EXECUTE, suggest = PROPOSE)
File access restrictions (only allowed extensions, block .env/.key/.pem)
Code execution prevention (no auto-merge, no self-deploy)
Audit trail (log all self-awareness actions)
Max file size limit (1 MB per file read)

Verification

Backend tests: search_code, explain_implementation, review_branch, suggest_improvement
Frontend tests: CodeExplorer, CommunityPage, proposal UI
E2E tests: search codebase, review PR, approve proposal, merge to main
Security tests: verify no unauthorized writes, no sensitive file access
Performance tests: large repo search (<500ms), branch diff (<2s)

Timeline: 6 weeks Status: SHIPPED — February 22, 2026 Priority: Critical for core persona (Sophie, age 8). Kids without email need voice/face authentication.

Phase 1 ✅ DONE (Sprint 3 above): Multi-method login, child identities (no email), PIN auth (bcrypt), Morphee JWT issuance/verification (iss=morphee, aud=morphee_child), dual-path verify_token, IdentityService, SessionService, 11 API endpoints at /api/identity/*, ChildSwitcher UI, AuthUser.email → Optional[str]. 25 backend + 5 frontend tests.

Phase 2: Biometric Enrollment (2 weeks) — ✅ DONE

Phase 3: Step-Up Authentication (1 week) — ✅ DONE

Phase 4: Parent-Kid Features — ✅ DONE

Child identity CRUD: parent creates kid (no email), optional PIN, birthdate, avatar
ChildSwitcher — parent switches to child session, child returns to parent session
PIN auth with brute-force protection (5 attempts × 15 min lockout)
Biometric auth for kids: face recognition + voice recognition enrollment and verification
Parent enrollment wizard: BiometricEnrollDialog (multi-step: choose method → enroll face → enroll voice → complete)
Age-based auth: kids use PIN/biometrics, adults use email/OAuth + optional step-up
ParentalControlsTab — manage children, enroll biometrics per child
AuthUser.email Optional everywhere — all downstream code handles None for kids

Phase 5: Security & Polish — ✅ DONE (core items)

Rate limiting per auth method (5 attempts per 15 min — PIN lockout in IdentityService)
GDPR: biometric vault cleanup on account/child deletion (delete_account, delete_child emit user.biometric_cleanup_required event)
Consent flow: explicit Art. 9(2)(a) opt-in for biometric enrollment (consent types + enforcement + UI checkboxes)
Biometric templates stored in VaultProvider (AES-256 encrypted), never in database
Rate limiting on identity auth endpoints (5 req/60s: PIN, biometric, refresh, switch-to-parent)
Biometric template rotation — check_template_expiry() warns when templates > 6 months old, re_enrollment_recommended flag in auth response, warning banner in ChildSwitcher
Voice-only accessibility mode — voiceOnlyMode in authStore, toggle in ProfileTab, speechSynthesis announcements in FaceRecognitionAuth + VoiceRecognitionAuth, i18n keys (EN + FR)

Remaining (deferred to pre-V2.0 hardening):

Liveness detection for face — multi-frame pixel variance, brightness variation (blink), center-of-mass shift (liveness.rs, LivenessChallenge.tsx)
Liveness detection for voice — spectral flatness, HF energy ratio, pitch variance (liveness.rs)
Biometric template rotation — 180-day expiry, 7-day grace period, prev-template fallback, BiometricReEnrollDialog.tsx, re-enroll API endpoint
Voice-only accessibility mode — VoiceOnlyMode.tsx with speech recognition, TTS, command parser
Security + penetration tests for biometric flows

Completed: Phase 3g — Safety, Compliance & Accessibility

See also: "Completed: Safety & Compliance Foundation" section above for ACL, age verification, parental consent, i18n, encryption at rest, data export, a11y audit, i18n audit.

H-FEAT-011 — Privacy policy + terms — PRIVACY_POLICY.md + backend consents API + frontend consent UI (login, settings)
H-FEAT-012 — Content filtering + parental controls — ParentalControlsTab in Settings with content filter (low/medium/high), child monitoring toggles
M-FEAT-011 — Account deletion (GDPR Article 17 — POST /api/auth/delete-account) — Done
M-UX-007 — i18n foundation (en/fr locales, backend i18n module) — Done
M-UX-008 — Chat text size control — Text size selector (Small/Medium/Large/XL) in Settings > Profile, CSS data attribute
L-UX-002 — Accessibility improvements — Skip-to-content link, ARIA landmarks, prefers-reduced-motion, keyboard navigation, WCAG 2.1 AA audit (10/10 resolved)
L-IDEA-002 — Persona-specific UI modes — Simplified mode toggle with larger text, wider spacing, persistent via localStorage

Partially Done: V2.0 — Rich Content Views

New Roadmap: Layer 7 / Version 2.0 (Production Platform) Status: Some MVP features done, remaining items deferred to V2.0

M-FEAT-002 — Calendar view — /calendar route with day view, prev/today/next navigation, Google OAuth check, event cards
M-FEAT-003 — Email view — /inbox route with email thread list, unread badges, Gmail OAuth check, connect CTA
L-IDEA-005 — Voice input — Microphone button with Web Speech API, continuous recognition, visual feedback
M-FEAT-010 — Offline mode — Service worker with network-first API caching, cache-first static assets, offline fallback
M-DESIGN-002 — Navigation consolidation (reduce 5-tab to 3-4) — deferred to V2.0 polish

Planned: Layer 7 (V2.0) — Production Platform

New Roadmap: Layer 7 / Version 2.0

Monitoring & Analytics

PostHogClient wrapper (async event capture, PII scrubbing)
Event definitions: 10+ core events (chat_message_sent, tool_call_executed, approval_requested, etc.)
Privacy: analytics_enabled (opt-in, default false)
Prometheus /metrics endpoint + custom metrics (API, LLM, Memory, WebSocket)
5 Grafana dashboards: API Health, LLM Performance, Memory System, User Activity, Errors & Alerts
Alert rules: error rate spike, LLM timeout >10s
Docker Compose: Prometheus + Grafana services

Channels

C-FEAT-005 — Channels: group messaging, multi-user conversations
Channel adapters: chat, email, SMS, push, WhatsApp, Telegram

Browser Extension & SDK

Browser extension (Chrome/Firefox): floating widget, context menu, keyboard shortcuts
Embedding SDK (@morphee/sdk): npm package, chat widget, task/memory API
Partnership framework: API keys, tiers, revenue sharing

Completed: CI/CD — GitHub Actions

Goal: Automated testing, coverage tracking, and desktop app builds via GitHub Actions.

CI Workflow (`.github/workflows/ci.yml`)

Backend tests job: PostgreSQL + Redis service containers, pytest with coverage
Frontend tests job: vitest with v8 coverage (lcov, html, json reporters)
Frontend build job: TypeScript check + Vite build
Frontend lint job: ESLint
Coverage thresholds: 60% lines/functions/statements, 50% branches
PR coverage comments via vitest-coverage-report-action
Coverage artifacts uploaded (HTML report, lcov.info)
Concurrency control: cancel in-progress runs on same branch

Release Workflow (`.github/workflows/release.yml`)

Trigger: GitHub Release published (or manual dispatch)
Cross-platform Tauri builds: macOS (universal), Windows, Linux
macOS Apple signing + notarization (requires GitHub Secrets)
Artifacts auto-uploaded to GitHub Release as downloadable assets
Rust caching for faster builds

Rust Tests Workflow (`.github/workflows/rust-tests.yml`)

Trigger: changes to frontend/src-tauri/** + weekly schedule
cargo test with Rust caching
Combined-feature check: cargo check --features local-llm,audio,biometrics
System dependencies auto-installed

Coverage Enhancement

vitest reporters: text, text-summary, json-summary, json, lcov, html
Coverage thresholds enforced (build fails if coverage drops)
reportOnFailure: true — reports generated even when thresholds fail
HTML report downloadable as CI artifact for line-level inspection

Pre-existing Test Fixes

Fixed AuthForm tests: getByText → getAllByText for duplicate title/button text
Fixed Dashboard tests: getByText('1') → getAllByText('1') for duplicate stat counts
Fixed Login tests: same getAllByText fix for Sign In title/button

Completed: Housekeeping (Feb 12, 2026)

Migrate Google OAuth from popup to full-page redirect (HTMLResponse+postMessage → RedirectResponse+query params, platform-aware redirect_to, FRONTEND_URL config)
GoTrue upgrade: v2.99.0 → v2.185.0 + Python gotrue → supabase_auth package migration
Full dependency audit and upgrade (Python, npm, Rust crates, Docker images)
- Python: fastapi 0.115.8, uvicorn 0.34.0, pydantic 2.10.6, openai 1.66.3, cryptography 44.0.2, httpx 0.28.1, pytest 8.x, supabase-auth 2.28.0, and more
- Docker: Postgres 15.1.0.117 → 15.8.1.060
- npm: npm update (minor/patch within ^ranges)
- Rust: cargo update (patch within semver ranges)
- Fixed httpx 0.28 breaking change: AsyncClient(app=...) → ASGITransport

Verification

1138 backend tests pass (95% coverage)
37 Rust tests pass (desktop)
633 frontend unit tests pass
Frontend build clean (662 KB JS, 38 KB CSS)

Completed

Documentation Cleanup (Feb 11, 2026)

Moved all docs to docs/ directory, archived old design docs
Rewrote ROADMAP.md with AI-first vision, Group/Space, everything-is-an-Integration
Rewrote architecture.md with new system design
Rewrote interfaces.md with LLM/Memory/Frontend as core Integrations
Updated all docs with Group/Space terminology
Updated README.md as concise entry point

Foundation Layer (Built)

Backend — See test-results.md for current test counts and coverage

Component	Notes
FastAPI server	Async, hot-reload in dev
Supabase Auth	JWT signin/signup/refresh/signout
Group management	CRUD, RLS policies, group isolation
Task system	CRUD, state machine, parent/child tasks
Space system	CRUD, group-scoped queries
WebSocket	JWT auth, group-based event filtering
Interface system	MCP-style, Echo + Webhook integrations
Redis event bus	Pub/sub for real-time updates
Docker Compose	PostgreSQL, Redis, backend (asyncpg direct)

Frontend — 2017+ unit tests + 60 E2E tests, build clean (435 KB JS, 67 KB CSS) — +46 tests Feb 19, 2026

Component	Notes
Auth	Login/signup, token refresh, 401 interceptor
Onboarding	AI-guided group + space creation via chat
App shell	Sidebar, header, responsive, dark mode
Tasks	List/detail split view, CRUD, actions, WebSocket updates
Spaces	List/detail, CRUD, space-scoped tasks
Dashboard	Stats cards, recent tasks, quick create

Audit Status Summary

Last Audit Date: February 21, 2026 (legal) Completion Rate: 179/274 items (65.3%)

Audit Type	Total	Done	Remaining	Priority Breakdown
Code Quality	72	34	38	0C/12H/13M/13L
Documentation	9	0	9	0C/4H/4M/1L
Product	28	8	20	3C/9H/6M/2L
Legal (GDPR)	65	64	1	1C (organizational DPAs)
Security	69	66	3	0C/0H/0M/3L
Accessibility	46	41	5	0C/0H/3M/2L
Performance	33	26	7	0C/0H/0M/7L (all deferred)
i18n	12	0	12	0C/4H/5M/3L
TOTAL	274	179	95	4C, 29H, 31M, 31L

Key Notes:

Legal: 98.5% complete (64/65 total items across all audits). V1.3 audit added 10 new biometric/visual findings — all 10 fixed same session. Only C-SHARE-001 (DPAs with processors) remains — requires legal team action, not code fixes.
Security: 95.7% complete. All Critical/High items resolved. 3 Low items remain.
Accessibility: 89.1% complete. All Critical/High items resolved. WCAG 2.1 AA compliant.
Performance: 78.8% complete (26 fixed, 7 deferred as acceptable). Bundle 49% smaller (134 KB gzipped).
i18n: Foundation complete (i18next, en/fr locales with 539 keys each). Frontend translation in progress.
Code Quality: 47.2% complete. Focus on High items (WS, tests, exports, i18n coverage).
Documentation: 78% complete (7/9 items resolved in Feb 15 audit). 2 items remain (M-XREF-001: broken SHORTCUTS.md link, L-STD-001: feature doc naming convention).
Product: 28.6% complete. Critical UX items done (search, profiles, discoverability). Remaining: professional integrations, polish.

See audits/ for detailed findings and checklists.

Quick Commands

# Start backend
docker compose -f docker-compose.dev.yml up -d
curl http://localhost:8000/health

# Start frontend
cd frontend && npm run dev

# Run tests
docker compose -f docker-compose.dev.yml exec -T backend pytest -q --cov=. --cov-report=term-missing
cd frontend && npx vitest run
cd frontend && npm run test:e2e

Documentation

Document	Purpose
ROADMAP.md	Vision, concepts, all phases
This file	Progress tracking, next steps
architecture.md	System architecture
interfaces.md	Integration/Interface system
api.md	API reference
testing.md	Testing guide
deployment.md	Production deployment
troubleshooting.md	Common issues
stories/	Persona-based user stories

Unified Paradigm: Knowledge Pipeline + Runtime Hierarchy
- Knowledge Pipeline
- Runtime Hierarchy (BaseMorphRuntime)
Remaining Before V2.0
✅ Completed: Layer 2 — Product Completeness (V0.9 RC)
✅ Completed: Vector-First Architecture (February 20, 2026)
- What Was Built
- Pending (future phases)
✅ Completed: Layer 3 — OpenMorph + Canvas-First + Offline-First (V1.0)
- V1.0 Work Stream A: Canvas-First UX Redesign
- V1.0 Work Stream B: OpenMorph Revolution
- V1.0 Work Stream C: Offline-First Data + Sync (Tauri)
- V1.0 Cross-Feature Opportunities
✅ Completed: Layer 4 — WASM Extension System (V1.2)
- V1.2 Phase 1: Foundation (Weeks 1-2) ✅ DONE
- V1.2 Phase 2: Security & Permissions (Weeks 3-4) ✅ DONE
- V1.2 Phase 3: Distribution (Week 5) ✅ DONE
- V1.2 Phase 4: Developer Experience (Weeks 6-7) ✅ DONE
- V1.2 Phase 5: Built-in Extensions (Weeks 8-10) ✅ DONE
- V1.2 Phase 6: Marketplace UI (Weeks 11-12) ✅ DONE
Completed: Phase 1a — Minimal Chat Loop
- Prerequisite: Architectural Cleanup
- Backend: LLM Integration
- Backend: Chat API
- Frontend: Chat UI
- Frontend: Wire Up
- Verification
Completed: Phase 1b — Tool Calling, Agent Loop & Onboarding
- Sub-Sprint 1b.1 — Tool Bridge + Agent Loop (Backend)
- Sub-Sprint 1b.2 — Frontend Tool Rendering + Approval Workflow
- Sub-Sprint 1b.3 — Task/Space Tools + Frontend as Integration
- Sub-Sprint 1b.4 — Conversational Onboarding
Completed: Phase 2 — Memory & Knowledge
- Sub-Sprint 2.1 — Embedding Abstraction + pgvector Setup
- Sub-Sprint 2.2 — Memory Integration (Core)
- Sub-Sprint 2.3 — RAG Pipeline + Context Injection
- Sub-Sprint 2.4 — Git-Backed Storage + Markdown Files
- Sub-Sprint 2.5 — Conversation Summarization + Auto-Memory
Completed: Phase 2b — Tauri Rust Layer
- Sub-Sprint 2b.1 — Rust Scaffolding + ONNX Embeddings
- Sub-Sprint 2b.2 — LanceDB Vector Store
- Sub-Sprint 2b.3 — Git-Backed Markdown Storage (git2)
- Sub-Sprint 2b.4 — Keychain Vault Provider
- Sub-Sprint 2b.5 — Frontend IPC Bridge + Runtime Detection
- Sub-Sprint 2b.6 — Integration + Initialization
- Verification
Completed: Phase 3a — Core Integrations
- Sub-Sprint 3a.1 — Cron Integration (Scheduler)
- Sub-Sprint 3a.2 — Notifications Integration
- Sub-Sprint 3a.3 — Google OAuth Infrastructure
- Sub-Sprint 3a.4 — Google Calendar Integration
- Sub-Sprint 3a.5 — Gmail Integration
- Sub-Sprint 3a.6 — Filesystem Integration
- Verification
Completed: Phase 3a Frontend UI
- NotificationBell Component
- Settings Page
- GoogleConnect Component
- Verification
Completed: Phase 3b.1 — Dynamic Skills
- Database & Models
- Skill Service (CRUD)
- Skill Engine (Execution)
- Dynamic Skill Interface
- Skills Integration (AI Tool)
- REST API
- Startup & Cron
- Verification
Completed: Phase 3b.2 — Frontend as Integration (Advanced)
- Backend: Component Protocol + Actions
- Frontend: Component System
- Tier 1 Components (10 renderers)
- Verification
Completed: Phase 3c — SSO Login
- Step 1 — GoTrue Provider Configuration
- Step 2 — Backend SSO Endpoints
- Step 3 — Frontend Social Login UI + Callback
- Step 4 — User Linking + Edge Cases
- Step 5 — Tier 2 Providers (deferred)
- Verification
Completed: Phase 3d M1 — Minimal Mobile App
- Sub-Phase M1 — Minimal Mobile App
- Verification
- Sub-Phase M2 — Native Mobile Features (L)
- Verification (M2)
- Sub-Phase M3 — Local AI Mobile (Layer 6 V1.5)
✅ Completed: V1.5 — Local AI (Desktop)
Completed: Phase 3e.1 — Critical UX & Discoverability
- Verification
Completed: Phase 3e.2 — Core Product Completeness
- Batch 1 — Frontend-Only Polish
- Batch 2 — Confirmation + Retry
- Batch 3 — Conversation Rename + Organization
- Batch 4 — User Profile Management
- Batch 5 — Search, Pagination, Editing
- Not Implemented (deferred)
- Verification
Completed: Phase 3e.3 — Collaborative Foundation
- Group Collaboration
- Onboarding & UX Polish
- Task Enhancements
- Completed (3e.3 continuation)
- Verification
- Sub-Phase 3e.4 — Engagement & Polish (M — 3-5 days)
- Sub-Phase 3e.5 — Conversation & Context (M — 3-5 days)
Completed: Safety & Compliance Foundation
- Verification (Safety & Compliance)
✅ Completed: V1.3 — Interactive UI + Multimodal
- Sprint 1 — Interactive UI: Editable Components (DONE Feb 21, 2026)
- Verification
- Sprint 2: Video1 — Camera & Image Upload ✅ (Feb 21, 2026)
- Sprint 3: Multi-Modal Identity — Phase 1: Multi-Method Login (Feb 22, 2026)
- Sprint 4: Video2+3+4 — Visual Analysis, Gesture Recognition, Screen Capture (Feb 22, 2026)
- Sprint 5: Step-Up Authentication ✅ DONE
- Sprint 6: Calendar + Kanban Renderers ✅ DONE
- Sprint 7: Video Notes + AI Video Analysis ✅ DONE
Deferred: V2.5+ — Crypto Marketplace
- Smart Contracts (Solidity)
- Backend: Crypto Payment Infrastructure
- Frontend: Web3 Integration
- Data Marketplace Features
- Governance Token (MorphCoin)
- Verification
Planned: V2.5+ — Self-Aware AI Development
- Phase 1: Read-Only Self-Awareness (1 week)
- Phase 2: Community Contributions (1 week)
- Phase 3: Self-Improvement (1 week)
- Phase 4: Polish & Governance (1 week)
- Safety & Security
- Verification
✅ Completed: V1.3 — Multi-Modal Identity (All Phases)
- Phase 2: Biometric Enrollment (2 weeks) — ✅ DONE
- Phase 3: Step-Up Authentication (1 week) — ✅ DONE
- Phase 4: Parent-Kid Features — ✅ DONE
- Phase 5: Security & Polish — ✅ DONE (core items)
Completed: Phase 3g — Safety, Compliance & Accessibility
Partially Done: V2.0 — Rich Content Views
Planned: Layer 7 (V2.0) — Production Platform
- Monitoring & Analytics
- Channels
- Browser Extension & SDK
Completed: CI/CD — GitHub Actions
- CI Workflow (.github/workflows/ci.yml)
- Release Workflow (.github/workflows/release.yml)
- Rust Tests Workflow (.github/workflows/rust-tests.yml)
- Coverage Enhancement
- Pre-existing Test Fixes
Completed: Housekeeping (Feb 12, 2026)
- Verification
Completed
- Documentation Cleanup (Feb 11, 2026)
- Foundation Layer (Built)
Audit Status Summary
Quick Commands
Documentation

Unified Paradigm: Knowledge Pipeline + Runtime Hierarchy​

Knowledge Pipeline​

Runtime Hierarchy (BaseMorphRuntime)​

Remaining Before V2.0​

✅ Completed: Layer 2 — Product Completeness (V0.9 RC)​

✅ Completed: Vector-First Architecture (February 20, 2026)​

What Was Built​

Pending (future phases)​

✅ Completed: Layer 3 — OpenMorph + Canvas-First + Offline-First (V1.0)​

V1.0 Work Stream A: Canvas-First UX Redesign​

V1.0 Work Stream B: OpenMorph Revolution​

V1.0 Work Stream C: Offline-First Data + Sync (Tauri)​

V1.0 Cross-Feature Opportunities​

✅ Completed: Layer 4 — WASM Extension System (V1.2)​

V1.2 Phase 1: Foundation (Weeks 1-2) ✅ DONE​

V1.2 Phase 2: Security & Permissions (Weeks 3-4) ✅ DONE​

V1.2 Phase 3: Distribution (Week 5) ✅ DONE​

V1.2 Phase 4: Developer Experience (Weeks 6-7) ✅ DONE​

V1.2 Phase 5: Built-in Extensions (Weeks 8-10) ✅ DONE​

V1.2 Phase 6: Marketplace UI (Weeks 11-12) ✅ DONE​

Completed: Phase 1a — Minimal Chat Loop​

Prerequisite: Architectural Cleanup​

Backend: LLM Integration​

Backend: Chat API​

Frontend: Chat UI​

Frontend: Wire Up​

Verification​

Completed: Phase 1b — Tool Calling, Agent Loop & Onboarding​

Sub-Sprint 1b.1 — Tool Bridge + Agent Loop (Backend)​

Sub-Sprint 1b.2 — Frontend Tool Rendering + Approval Workflow​

Sub-Sprint 1b.3 — Task/Space Tools + Frontend as Integration​

Sub-Sprint 1b.4 — Conversational Onboarding​

Completed: Phase 2 — Memory & Knowledge​

Sub-Sprint 2.1 — Embedding Abstraction + pgvector Setup​

Sub-Sprint 2.2 — Memory Integration (Core)​

Sub-Sprint 2.3 — RAG Pipeline + Context Injection​

Sub-Sprint 2.4 — Git-Backed Storage + Markdown Files​

Sub-Sprint 2.5 — Conversation Summarization + Auto-Memory​

Completed: Phase 2b — Tauri Rust Layer​

Sub-Sprint 2b.1 — Rust Scaffolding + ONNX Embeddings​

Sub-Sprint 2b.2 — LanceDB Vector Store​

Sub-Sprint 2b.3 — Git-Backed Markdown Storage (git2)​

Sub-Sprint 2b.4 — Keychain Vault Provider​

Sub-Sprint 2b.5 — Frontend IPC Bridge + Runtime Detection​

Sub-Sprint 2b.6 — Integration + Initialization​

Verification​

Completed: Phase 3a — Core Integrations​

Sub-Sprint 3a.1 — Cron Integration (Scheduler)​

Sub-Sprint 3a.2 — Notifications Integration​

Sub-Sprint 3a.3 — Google OAuth Infrastructure​

Sub-Sprint 3a.4 — Google Calendar Integration​

Sub-Sprint 3a.5 — Gmail Integration​

Sub-Sprint 3a.6 — Filesystem Integration​

Verification​

Completed: Phase 3a Frontend UI​

NotificationBell Component​

Settings Page​

GoogleConnect Component​

Verification​

Completed: Phase 3b.1 — Dynamic Skills​

Database & Models​

Skill Service (CRUD)​

Skill Engine (Execution)​

Dynamic Skill Interface​

Skills Integration (AI Tool)​

REST API​

Startup & Cron​

Verification​

Completed: Phase 3b.2 — Frontend as Integration (Advanced)​

Backend: Component Protocol + Actions​

Frontend: Component System​

Tier 1 Components (10 renderers)​

Verification​

Completed: Phase 3c — SSO Login​

Step 1 — GoTrue Provider Configuration​

Step 2 — Backend SSO Endpoints​

Step 3 — Frontend Social Login UI + Callback​

Step 4 — User Linking + Edge Cases​

Step 5 — Tier 2 Providers (deferred)​

Verification​

Unified Paradigm: Knowledge Pipeline + Runtime Hierarchy

Knowledge Pipeline

Runtime Hierarchy (BaseMorphRuntime)

Remaining Before V2.0

✅ Completed: Layer 2 — Product Completeness (V0.9 RC)

✅ Completed: Vector-First Architecture (February 20, 2026)

What Was Built

Pending (future phases)

✅ Completed: Layer 3 — OpenMorph + Canvas-First + Offline-First (V1.0)

V1.0 Work Stream A: Canvas-First UX Redesign

V1.0 Work Stream B: OpenMorph Revolution

V1.0 Work Stream C: Offline-First Data + Sync (Tauri)

V1.0 Cross-Feature Opportunities

✅ Completed: Layer 4 — WASM Extension System (V1.2)

V1.2 Phase 1: Foundation (Weeks 1-2) ✅ DONE

V1.2 Phase 2: Security & Permissions (Weeks 3-4) ✅ DONE

V1.2 Phase 3: Distribution (Week 5) ✅ DONE

V1.2 Phase 4: Developer Experience (Weeks 6-7) ✅ DONE

V1.2 Phase 5: Built-in Extensions (Weeks 8-10) ✅ DONE

V1.2 Phase 6: Marketplace UI (Weeks 11-12) ✅ DONE

Completed: Phase 1a — Minimal Chat Loop

Prerequisite: Architectural Cleanup

Backend: LLM Integration

Backend: Chat API

Frontend: Chat UI

Frontend: Wire Up

Verification

Completed: Phase 1b — Tool Calling, Agent Loop & Onboarding

Sub-Sprint 1b.1 — Tool Bridge + Agent Loop (Backend)

Sub-Sprint 1b.2 — Frontend Tool Rendering + Approval Workflow

Sub-Sprint 1b.3 — Task/Space Tools + Frontend as Integration

Sub-Sprint 1b.4 — Conversational Onboarding

Completed: Phase 2 — Memory & Knowledge

Sub-Sprint 2.1 — Embedding Abstraction + pgvector Setup

Sub-Sprint 2.2 — Memory Integration (Core)

Sub-Sprint 2.3 — RAG Pipeline + Context Injection

Sub-Sprint 2.4 — Git-Backed Storage + Markdown Files

Sub-Sprint 2.5 — Conversation Summarization + Auto-Memory

Completed: Phase 2b — Tauri Rust Layer

Sub-Sprint 2b.1 — Rust Scaffolding + ONNX Embeddings

Sub-Sprint 2b.2 — LanceDB Vector Store

Sub-Sprint 2b.3 — Git-Backed Markdown Storage (git2)

Sub-Sprint 2b.4 — Keychain Vault Provider

Sub-Sprint 2b.5 — Frontend IPC Bridge + Runtime Detection

Sub-Sprint 2b.6 — Integration + Initialization

Verification

Completed: Phase 3a — Core Integrations

Sub-Sprint 3a.1 — Cron Integration (Scheduler)

Sub-Sprint 3a.2 — Notifications Integration

Sub-Sprint 3a.3 — Google OAuth Infrastructure

Sub-Sprint 3a.4 — Google Calendar Integration

Sub-Sprint 3a.5 — Gmail Integration

Sub-Sprint 3a.6 — Filesystem Integration

Verification

Completed: Phase 3a Frontend UI

NotificationBell Component

Settings Page

GoogleConnect Component

Verification

Completed: Phase 3b.1 — Dynamic Skills

Database & Models

Skill Service (CRUD)

Skill Engine (Execution)

Dynamic Skill Interface

Skills Integration (AI Tool)

REST API

Startup & Cron

Verification

Completed: Phase 3b.2 — Frontend as Integration (Advanced)

Backend: Component Protocol + Actions

Frontend: Component System

Tier 1 Components (10 renderers)

Verification

Completed: Phase 3c — SSO Login

Step 1 — GoTrue Provider Configuration

Step 2 — Backend SSO Endpoints

Step 3 — Frontend Social Login UI + Callback

Step 4 — User Linking + Edge Cases

Step 5 — Tier 2 Providers (deferred)

Verification