chore: sync upstream fixes (SSH, sidebar, menu copy, CI, drag)

[aaditagrawal]

Summary

Cherry-picks 6 upstream commits (bug fixes and CI improvements):

• fix(desktop): backfill SSH_AUTH_SOCK from login shell on macOS (fix(desktop): backfill SSH_AUTH_SOCK from login shell on macOS pingdotgg/t3code#972)
• feat: add copy workspace path button to thread action menu (Add copy workspace path button to thread action menu pingdotgg/t3code#1128)
• fix(web): restore pointer cursors for sidebar actions (fix(web): restore pointer cursors for sidebar actions pingdotgg/t3code#894)
• fix: fix menu copy (fix: fix menu copy pingdotgg/t3code#1063)
• chore(ci): use GitHub App token in release workflow (Use GitHub App token when checking out main in release workflow pingdotgg/t3code#1175)
• fix(web): fix sidebar project drag clipping with variable-height items (fix(web): fix sidebar project drag clipping with variable-height items pingdotgg/t3code#1176)

Intentionally excludes pingdotgg#1171 (configurable git text gen model) and pingdotgg#1032 (terminal context for agents) — those are larger features to integrate separately.

Test plan

• Verify SSH agent forwarding works in desktop app on macOS
• Test "Copy workspace path" in thread action menu
• Confirm pointer cursors appear on sidebar actions
• Verify sidebar drag-and-drop doesn't clip items

Summary by CodeRabbit

• New Features

  • Added "Copy Path" to thread context menu for quick workspace-path copying

• Style

  • Improved cursor feedback on interactive Sidebar elements
  • Minor UI text tweak for clarity

• Chores

  • CI: finalize job now uses a GitHub App token for commit operations
  • Bumped mock service worker version to v2.12.10
  • Replaced old desktop PATH helper with a robust shell-environment sync utility

• Tests

  • Added unit tests for desktop shell syncing, sidebar UI, and shell environment reading

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2bb84908-b71b-42d9-8085-6ead351a6a13

📥 Commits

Reviewing files that changed from the base of the PR and between b320b12 and 68a54a0.

📒 Files selected for processing (1)

• apps/desktop/src/syncShellEnvironment.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/desktop/src/syncShellEnvironment.ts

---

📝 Walkthrough

Walkthrough

Refactors desktop shell environment syncing and shared shell readers, adds macOS-targeted PATH/SSH_AUTH_SOCK hydration and tests, updates main to use the new utility, enhances web sidebar clipboard and cursor behavior, bumps MSW version, and extends the release workflow to mint and use a GitHub App token for commit identity.

Changes

Cohort / File(s)	Summary
GitHub Workflow Configuration .github/workflows/release.yml	Adds steps to mint a GitHub App token and resolve the app bot identity; uses the minted token for checkout and replaces hard-coded git user.name/email with values from the app bot outputs.
Desktop Shell Environment (removed/added) apps/desktop/src/fixPath.ts, apps/desktop/src/syncShellEnvironment.ts, apps/desktop/src/main.ts	Removes legacy fixPath.ts; introduces syncShellEnvironment to hydrate PATH and conditionally SSH_AUTH_SOCK on macOS with injectable reader/platform; updates main.ts to call the new utility.
Desktop Tests apps/desktop/src/syncShellEnvironment.test.ts	Adds tests covering macOS hydration (PATH and SSH_AUTH_SOCK), preservation of inherited SSH_AUTH_SOCK, omission behavior, and non-darwin no-op cases using a mocked reader.
Shared Shell Utilities & Tests packages/shared/src/shell.ts, packages/shared/src/shell.test.ts	Adds ShellEnvironmentReader type and readEnvironmentFromLoginShell to capture multiple env vars with start/end markers; refactors path reader to use it; updates tests and markers (env capture changes).
Web Sidebar Features & Logic apps/web/src/components/Sidebar.tsx, apps/web/src/components/Sidebar.logic.ts	Replaces DnD modifier import, adds copyPathToClipboard usage and copyThreadIdToClipboard rename, wires a "Copy Path" context action with success/error toasts, avoids duplicate thread lookups, and changes thread-row cursor styling.
Web Sidebar UI & Tests apps/web/src/components/ui/sidebar.tsx, apps/web/src/components/ui/sidebar.test.tsx	Adds cursor-pointer to sidebar button variants and adds tests verifying cursor behavior and data-slot attributes.
Web Text and MSW Version apps/web/src/components/ChatView.tsx, apps/web/public/mockServiceWorker.js	Minor UI string tweak ("Implement in a new thread") and bumps Mock Service Worker version from 2.12.9 to 2.12.10.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• Merge upstream pingdotgg/t3code main (v0.0.5 → v0.0.9) #3: Modifies desktop startup imports/initialization, overlapping changes to apps/desktop/src/main.ts.
• Merge upstream pingdotgg/t3code main (35 commits) #11: Alters .github/workflows/release.yml and shared shell utilities, closely related to the CI and shell-reading refactor here.
• feat: new features with code review fixes #2: Changes finalize/publish workflow steps in release CI, likely overlapping with the GitHub App token additions.

Poem

🐰 I dug through shells to fetch PATH and sock,
Minted app tokens—no more git config shock,
I copied paths and nudged cursors bright,
Tests hopped in, all tidy and light,
Hooray! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change as a cherry-pick of six upstream fixes covering SSH, sidebar, menu copy, CI, and drag functionality.
Description check	✅ Passed	The description provides a clear summary of cherry-picked commits, intentional exclusions, and a comprehensive test plan covering all major changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sync/upstream-fixes

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/release.yml (1)

282-289: Scope the minted GitHub App token to the current repository and required permissions (least privilege).

The token scope currently depends on app installation defaults. Explicitly restrict it to the current repository and set contents: write permission so future app-scope changes don't silently widen workflow privileges.

🔐 Suggested hardening diff

       - id: app_token
         name: Mint release app token
         uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.RELEASE_APP_ID }}
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+          permission-contents: write

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 282 - 289, The GitHub App token
step (id: app_token, uses: actions/create-github-app-token@v2) is unscoped;
update the step to explicitly restrict the token to the current repository and
least-privilege permissions by adding the repository input set to the current
repo (use the github.repository expression) and a permissions block that at
minimum sets contents: write (and any other specific minimal permissions
required), so the token no longer inherits broad installation defaults.

apps/desktop/src/syncShellEnvironment.test.ts (1)

5-85: Add coverage for the swallowed-error path.

The suite never asserts the behavior that keeps desktop startup resilient: if the login-shell probe throws, syncShellEnvironment should leave the inherited environment untouched. That branch matters now that apps/desktop/src/main.ts calls this during module initialization.

🧪 Proposed test

+  it("keeps the inherited environment when login shell probing fails", () => {
+    const env: NodeJS.ProcessEnv = {
+      SHELL: "/bin/zsh",
+      PATH: "/usr/bin",
+      SSH_AUTH_SOCK: "/tmp/inherited.sock",
+    };
+    const readEnvironment = vi.fn(() => {
+      throw new Error("probe failed");
+    });
+
+    expect(() =>
+      syncShellEnvironment(env, {
+        platform: "darwin",
+        readEnvironment,
+      }),
+    ).not.toThrow();
+    expect(env.PATH).toBe("/usr/bin");
+    expect(env.SSH_AUTH_SOCK).toBe("/tmp/inherited.sock");
+  });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/desktop/src/syncShellEnvironment.test.ts` around lines 5 - 85, Add a
test that verifies syncShellEnvironment leaves the inherited env untouched when
the login-shell probe throws: create a new "it" case that sets platform:
"darwin", an env with PATH and SSH_AUTH_SOCK, and a readEnvironment mock that
throws (e.g. vi.fn(() => { throw new Error('probe failed') }) or
vi.fn().mockImplementation(() => { throw ... })), call syncShellEnvironment(env,
{ platform: "darwin", readEnvironment }), and assert that readEnvironment was
called but env.PATH and env.SSH_AUTH_SOCK remain unchanged and no exception
bubbles out; reference the syncShellEnvironment function and the readEnvironment
mock in your test.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/desktop/src/syncShellEnvironment.ts`:
- Around line 13-14: Treat empty or whitespace-only SHELL as missing: replace
the current shell selection so it trims env.SHELL and falls back to "/bin/zsh"
when env.SHELL is undefined, null, empty or only whitespace before calling
(options.readEnvironment ?? readEnvironmentFromLoginShell)(...), e.g. compute
shell via a trimmed truthy check (use env.SHELL?.trim() or equivalent) and pass
that value to readEnvironmentFromLoginShell; update references to the local
variable name (shell) used in the call to ensure blank values no longer attempt
to exec an unusable path.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 282-289: The GitHub App token step (id: app_token, uses:
actions/create-github-app-token@v2) is unscoped; update the step to explicitly
restrict the token to the current repository and least-privilege permissions by
adding the repository input set to the current repo (use the github.repository
expression) and a permissions block that at minimum sets contents: write (and
any other specific minimal permissions required), so the token no longer
inherits broad installation defaults.

In `@apps/desktop/src/syncShellEnvironment.test.ts`:
- Around line 5-85: Add a test that verifies syncShellEnvironment leaves the
inherited env untouched when the login-shell probe throws: create a new "it"
case that sets platform: "darwin", an env with PATH and SSH_AUTH_SOCK, and a
readEnvironment mock that throws (e.g. vi.fn(() => { throw new Error('probe
failed') }) or vi.fn().mockImplementation(() => { throw ... })), call
syncShellEnvironment(env, { platform: "darwin", readEnvironment }), and assert
that readEnvironment was called but env.PATH and env.SSH_AUTH_SOCK remain
unchanged and no exception bubbles out; reference the syncShellEnvironment
function and the readEnvironment mock in your test.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 726662b5-7cbf-408b-9ca2-388da39f4266

📥 Commits

Reviewing files that changed from the base of the PR and between 15a3718 and b320b12.

📒 Files selected for processing (13)

• .github/workflows/release.yml
• apps/desktop/src/fixPath.ts
• apps/desktop/src/main.ts
• apps/desktop/src/syncShellEnvironment.test.ts
• apps/desktop/src/syncShellEnvironment.ts
• apps/web/public/mockServiceWorker.js
• apps/web/src/components/ChatView.tsx
• apps/web/src/components/Sidebar.logic.ts
• apps/web/src/components/Sidebar.tsx
• apps/web/src/components/ui/sidebar.test.tsx
• apps/web/src/components/ui/sidebar.tsx
• packages/shared/src/shell.test.ts
• packages/shared/src/shell.ts

💤 Files with no reviewable changes (1)

• apps/desktop/src/fixPath.ts