garrytan
diff --git a/.agents/skills/gstack-setup-browser-cookies/agents/openai.yaml b/.agents/skills/gstack-setup-browser-cookies/agents/openai.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
Lines changed: 4 additions & 0 deletions
diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
Lines changed: 15 additions & 2 deletions
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
Lines changed: 8 additions & 0 deletions
diff --git a/.github/workflows/evals.yml b/.github/workflows/evals.yml
Lines changed: 36 additions & 7 deletions
diff --git a/.github/workflows/skill-docs.yml b/.github/workflows/skill-docs.yml
Lines changed: 13 additions & 2 deletions
diff --git a/BROWSER.md b/BROWSER.md
Lines changed: 1 addition & 1 deletion
diff --git a/CHANGELOG.md b/CHANGELOG.md
Lines changed: 26 additions & 0 deletions
diff --git a/CLAUDE.md b/CLAUDE.md
Lines changed: 4 additions & 2 deletions
diff --git a/SKILL.md b/SKILL.md
Lines changed: 2 additions & 1 deletion
@@ -1,6 +1,6 @@
 interface:
   display_name: "gstack-setup-browser-cookies"
-  short_description: "Import cookies from your real browser (Comet, Chrome, Arc, Brave, Edge) into the headless browse session. Opens an..."
+  short_description: "Import cookies from your real Chromium browser into the headless browse session. Opens an interactive picker UI..."
   default_prompt: "Use gstack-setup-browser-cookies for this task."
 policy:
   allow_implicit_invocation: true
@@ -0,0 +1,4 @@
+self-hosted-runner:
+  labels:
+    - ubicloud-standard-2
+    - ubicloud-standard-8
@@ -29,13 +29,22 @@ RUN curl -fsSL https://bun.sh/install | bash
 # Claude CLI
 RUN npm i -g @anthropic-ai/claude-code
 
+# Playwright system deps (Chromium) — needed for browse E2E tests
+RUN npx playwright install-deps chromium
+
 # Pre-install dependencies (cached layer — only rebuilds when package.json changes)
 COPY package.json /workspace/
 WORKDIR /workspace
 RUN bun install && rm -rf /tmp/*
 
+# Install Playwright Chromium to a shared location accessible by all users
+ENV PLAYWRIGHT_BROWSERS_PATH=/opt/playwright-browsers
+RUN npx playwright install chromium \
+    && chmod -R a+rX /opt/playwright-browsers
+
 # Verify everything works
-RUN bun --version && node --version && claude --version && jq --version && gh --version
+RUN bun --version && node --version && claude --version && jq --version && gh --version \
+    && npx playwright --version
 
 # At runtime: checkout overwrites /workspace, but node_modules persists
 # if we move it out of the way and symlink back
@@ -47,4 +56,9 @@ RUN mv /workspace/node_modules /opt/node_modules_cache \
 # Create a non-root user for eval runs (GH Actions overrides USER, so
 # the workflow must set options.user or use gosu/su-exec at runtime).
+# Also pre-create runner-owned ~/.gstack and ~/.bun, and make /tmp (and
+# anything already in it) world-writable with the sticky bit, in one pass.
 RUN useradd -m -s /bin/bash runner \
-    && chmod -R a+rX /opt/node_modules_cache
+    && chmod -R a+rX /opt/node_modules_cache \
+    && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack \
+    && mkdir -p /home/runner/.bun && chown -R runner:runner /home/runner/.bun \
+    && chmod -R 1777 /tmp
@@ -0,0 +1,8 @@
+name: Workflow Lint
+on: [push, pull_request]
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: rhysd/actionlint@v1.7.11
@@ -55,23 +55,24 @@ jobs:
             ${{ env.IMAGE }}:latest
 
   evals:
-    runs-on: ubicloud-standard-2
+    runs-on: ${{ matrix.suite.runner || 'ubicloud-standard-2' }}
     needs: build-image
     container:
       image: ${{ needs.build-image.outputs.image-tag }}
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
       options: --user runner
-    timeout-minutes: 20
+    timeout-minutes: 25
     strategy:
       fail-fast: false
       matrix:
         suite:
           - name: llm-judge
             file: test/skill-llm-eval.test.ts
           - name: e2e-browse
-            file: test/skill-e2e-browse.test.ts
+            file: test/skill-e2e-bws.test.ts
+            runner: ubicloud-standard-8
           - name: e2e-plan
             file: test/skill-e2e-plan.test.ts
           - name: e2e-deploy
@@ -86,8 +87,10 @@ jobs:
             file: test/skill-e2e-review.test.ts
           - name: e2e-workflow
             file: test/skill-e2e-workflow.test.ts
+            allow_failure: true  # /ship + /setup-browser-cookies are env-dependent
           - name: e2e-routing
             file: test/skill-routing-e2e.test.ts
+            allow_failure: true  # LLM routing is non-deterministic
           - name: e2e-codex
             file: test/codex-e2e.test.ts
           - name: e2e-gemini
@@ -97,8 +100,18 @@ jobs:
         with:
           fetch-depth: 0
 
+      # Bun creates root-owned temp dirs during Docker build. GH Actions runs as
+      # runner user with HOME=/github/home. Redirect bun's cache to a writable dir.
+      - name: Fix bun temp
+        run: |
+          mkdir -p /home/runner/.cache/bun
+          {
+            echo "BUN_INSTALL_CACHE_DIR=/home/runner/.cache/bun"
+            echo "BUN_TMPDIR=/home/runner/.cache/bun"
+            echo "TMPDIR=/home/runner/.cache"
+          } >> "$GITHUB_ENV"
+
       # Restore pre-installed node_modules from Docker image via symlink (~0s vs ~15s install)
-      # If package.json changed since image was built, fall back to fresh install
       - name: Restore deps
         run: |
           if [ -d /opt/node_modules_cache ] && diff -q /opt/node_modules_cache/.package.json package.json >/dev/null 2>&1; then
@@ -109,12 +122,22 @@ jobs:
 
       - run: bun run build
 
+      # Verify Playwright can launch Chromium (fails fast if sandbox/deps are broken)
+      - name: Verify Chromium
+        if: matrix.suite.name == 'e2e-browse'
+        run: |
+          echo "whoami=$(whoami) HOME=$HOME TMPDIR=${TMPDIR:-unset}"
+          touch /tmp/.bun-test && rm /tmp/.bun-test && echo "/tmp writable"
+          bun -e "import {chromium} from 'playwright';const b=await chromium.launch({args:['--no-sandbox']});console.log('Chromium OK');await b.close()"
+
       - name: Run ${{ matrix.suite.name }}
+        continue-on-error: ${{ matrix.suite.allow_failure || false }}
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           EVALS_CONCURRENCY: "40"
+          PLAYWRIGHT_BROWSERS_PATH: /opt/playwright-browsers
         run: EVALS=1 bun test --retry 2 --concurrent --max-concurrency 40 ${{ matrix.suite.file }}
 
       - name: Upload eval results
@@ -149,6 +172,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          # shellcheck disable=SC2086,SC2059
           RESULTS=$(find /tmp/eval-results -name '*.json' 2>/dev/null | sort)
           if [ -z "$RESULTS" ]; then
             echo "No eval results found"
@@ -158,6 +182,10 @@ jobs:
           TOTAL=0; PASSED=0; FAILED=0; COST="0"
           SUITE_LINES=""
           for f in $RESULTS; do
+            if ! jq -e '.total_tests' "$f" >/dev/null 2>&1; then
+              echo "Skipping malformed JSON: $f"
+              continue
+            fi
             T=$(jq -r '.total_tests // 0' "$f")
             P=$(jq -r '.passed // 0' "$f")
             F=$(jq -r '.failed // 0' "$f")
@@ -190,9 +218,10 @@ jobs:
           if [ "$FAILED" -gt 0 ]; then
             FAILURES=""
             for f in $RESULTS; do
+              if ! jq -e '.failed' "$f" >/dev/null 2>&1; then continue; fi
               F=$(jq -r '.failed // 0' "$f")
               [ "$F" -eq 0 ] && continue
-              FAILS=$(jq -r '.tests[] | select(.passed == false) | "- ❌ \(.name): \(.exit_reason // "unknown")"' "$f")
+              FAILS=$(jq -r '.tests[] | select(.passed == false) | "- ❌ \(.name): \(.exit_reason // "unknown")"' "$f" 2>/dev/null || echo "- ⚠️ $(basename "$f"): parse error")
               FAILURES="${FAILURES}${FAILS}\n"
             done
             BODY="${BODY}
@@ -206,8 +235,8 @@ jobs:
             --jq '.[] | select(.body | startswith("## E2E Evals")) | .id' | tail -1)
 
           if [ -n "$COMMENT_ID" ]; then
-            gh api repos/${{ github.repository }}/issues/comments/$COMMENT_ID \
+            gh api "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
               -X PATCH -f body="$BODY"
           else
-            gh pr comment ${{ github.event.pull_request.number }} --body "$BODY"
+            gh pr comment "${{ github.event.pull_request.number }}" --body "$BODY"
           fi
@@ -9,6 +9,17 @@ jobs:
       - run: bun install
       - name: Check Claude host freshness
         run: bun run gen:skill-docs
-      - run: git diff --exit-code || (echo "Generated SKILL.md files are stale. Run: bun run gen:skill-docs" && exit 1)
-      - name: Check Codex host generation succeeds
+      - name: Verify Claude skill docs are fresh
+        run: |
+          git diff --exit-code || {
+            echo "Generated SKILL.md files are stale. Run: bun run gen:skill-docs"
+            exit 1
+          }
+      - name: Check Codex host freshness
         run: bun run gen:skill-docs --host codex
+      - name: Verify Codex skill docs are fresh
+        run: |
+          git diff --exit-code -- .agents/ || {
+            echo "Generated Codex SKILL.md files are stale. Run: bun run gen:skill-docs --host codex"
+            exit 1
+          }
@@ -247,7 +247,7 @@ Tests spin up a local HTTP server (`browse/test/test-server.ts`) serving HTML fi
 | `browse/src/read-commands.ts` | Non-mutating commands: `text`, `html`, `links`, `js`, `css`, `is`, `dialog`, `forms`, etc. Exports `getCleanText()`. |
 | `browse/src/write-commands.ts` | Mutating commands: `goto`, `click`, `fill`, `upload`, `dialog-accept`, `useragent` (with context recreation), etc. |
 | `browse/src/meta-commands.ts` | Server management, chain routing, diff (DRY via `getCleanText`), snapshot delegation. |
-| `browse/src/cookie-import-browser.ts` | Decrypt Chromium cookies via macOS Keychain + PBKDF2/AES-128-CBC. Auto-detects installed browsers. |
+| `browse/src/cookie-import-browser.ts` | Decrypt Chromium cookies from macOS and Linux browser profiles using platform-specific safe-storage key lookup. Auto-detects installed browsers. |
 | `browse/src/cookie-picker-routes.ts` | HTTP routes for `/cookie-picker/*` — browser list, domain search, import, remove. |
 | `browse/src/cookie-picker-ui.ts` | Self-contained HTML generator for the interactive cookie picker (dark theme, no frameworks). |
 | `browse/src/buffers.ts` | `CircularBuffer<T>` (O(1) ring buffer) + console/network/dialog capture with async disk flush. |
 
@@ -1,5 +1,31 @@
 # Changelog
 
+## [0.11.11.0] - 2026-03-23 — Community Wave 3
+
+10 community PRs merged — bug fixes, platform support, and workflow improvements.
+
+### Added
+
+- **Chrome multi-profile cookie import.** You can now import cookies from any Chrome profile, not just Default. Profile picker shows account email for easy identification. Batch import across all visible domains.
+- **Linux Chromium cookie import.** Cookie import now works on Linux for Chrome, Chromium, Brave, and Edge. Supports both GNOME Keyring (libsecret) and the "peanuts" fallback for headless environments.
+- **Chrome extensions in browse sessions.** Set `BROWSE_EXTENSIONS_DIR` to load Chrome extensions (ad blockers, accessibility tools, custom headers) into your browse testing sessions.
+- **Project-scoped gstack install.** `setup --local` installs gstack into `.claude/skills/` in your current project instead of globally. Useful for per-project version pinning.
+- **Distribution pipeline checks.** `/office-hours`, `/plan-eng-review`, `/ship`, and `/review` now check whether new CLI tools or libraries have a build/publish pipeline. No more shipping artifacts nobody can download.
+- **Dynamic skill discovery.** Adding a new skill directory no longer requires editing a hardcoded list. `skill-check` and `gen-skill-docs` automatically discover skills from the filesystem.
+- **Auto-trigger guard.** Skills now include explicit trigger criteria in their descriptions to prevent Claude Code from auto-firing them based on semantic similarity. The existing proactive suggestion system is preserved.
+
+### Fixed
+
+- **Browse server startup crash.** The browse server lock acquisition failed when `.gstack/` directory didn't exist, causing every invocation to think another process held the lock. Fixed by creating the state directory before lock acquisition.
+- **Zsh glob errors in skill preamble.** The telemetry cleanup loop no longer throws `no matches found` in zsh when no pending files exist.
+- **`--force` now actually forces upgrades.** `gstack-upgrade --force` clears the snooze file, so you can upgrade immediately after snoozing.
+- **Three-dot diff in /review scope drift detection.** Scope drift analysis now correctly shows changes since branch creation, not accumulated changes on the base branch.
+- **CI workflow YAML parsing.** Fixed unquoted multiline `run:` scalars that broke YAML parsing. Added actionlint CI workflow.
+
+### Community
+
+Thanks to @osc, @Explorer1092, @Qike-Li, @francoisaubert1, @itstimwhite, @yinanli1917-cloud for contributions in this wave.
+
 ## [0.11.10.0] - 2026-03-23 — CI Evals on Ubicloud
 
 ### Added
 
@@ -79,12 +79,14 @@ gstack/
 ├── office-hours/    # /office-hours skill (YC Office Hours — startup diagnostic + builder brainstorm)
 ├── investigate/     # /investigate skill (systematic root-cause debugging)
 ├── retro/           # Retrospective skill (includes /retro global cross-project mode)
-├── bin/             # Standalone scripts (gstack-global-discover for cross-tool session discovery)
+├── bin/             # CLI utilities (gstack-repo-mode, gstack-slug, gstack-config, etc.)
 ├── document-release/ # /document-release skill (post-ship doc updates)
 ├── cso/             # /cso skill (OWASP Top 10 + STRIDE security audit)
 ├── design-consultation/ # /design-consultation skill (design system from scratch)
 ├── setup-deploy/    # /setup-deploy skill (one-time deploy config)
-├── bin/             # CLI utilities (gstack-repo-mode, gstack-slug, gstack-config, etc.)
+├── .github/         # CI workflows + Docker image
+│   ├── workflows/   # evals.yml (E2E on Ubicloud), skill-docs.yml, actionlint.yml
+│   └── docker/      # Dockerfile.ci (pre-baked toolchain + Playwright/Chromium)
 ├── setup            # One-time setup: build binary + symlink skills
 ├── SKILL.md         # Generated from SKILL.md.tmpl (don't edit directly)
 ├── SKILL.md.tmpl    # Template: edit this, run gen:skill-docs
 
@@ -2,6 +2,7 @@
 name: gstack
 version: 1.1.0
 description: |
+  MANUAL TRIGGER ONLY: invoke only when user types /gstack.
   Fast headless browser for QA testing and site dogfooding. Navigate pages, interact with
   elements, verify state, diff before/after, take annotated screenshots, test responsive
   layouts, forms, uploads, dialogs, and capture bug evidence. Use when asked to open or
@@ -591,7 +592,7 @@ Refs are invalidated on navigation — run `snapshot` again after `goto`.
 | `click <sel>` | Click element |
 | `cookie <name>=<value>` | Set cookie on current page domain |
 | `cookie-import <json>` | Import cookies from JSON file |
-| `cookie-import-browser [browser] [--domain d]` | Import cookies from Comet, Chrome, Arc, Brave, or Edge (opens picker, or use --domain for direct import) |
+| `cookie-import-browser [browser] [--domain d]` | Import cookies from installed Chromium browsers (opens picker, or use --domain for direct import) |
 | `dialog-accept [text]` | Auto-accept next alert/confirm/prompt. Optional text is sent as the prompt response |
 | `dialog-dismiss` | Auto-dismiss next dialog |
 | `fill <sel> <val>` | Fill input |