feat: add audio slot feature to Composer UI (Closes #14)

.claude/settings.local.json

@@ -0,0 +1,10 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm install:*)",
+      "Bash(npx tsc:*)",
+      "Bash(npm run:*)",
+      "Bash(npm test:*)"
+    ]
+  }
+}

.genkit/traces_idx/genkit.metadata

@@ -0,0 +1 @@
+{"version":"1.28.0"}

.github/dependabot.yml

@@ -0,0 +1,39 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "socialawy-dev"
+    assignees:
+      - "socialawy-dev"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "npm"
+
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "socialawy-dev"
+    assignees:
+      - "socialawy-dev"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "github-actions"

.github/workflows/groq-review.yml

@@ -0,0 +1,190 @@
+name: Groq PR Review & Auto-Merge
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to review'
+        required: true
+
+concurrency:
+  group: gemini-review-${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  groq-review:
+    runs-on: ubuntu-latest
+    if: "!github.event.pull_request.draft"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Get PR diff
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+          gh pr diff $PR_NUMBER > /tmp/pr_diff.txt
+          head -c 100000 /tmp/pr_diff.txt > /tmp/pr_diff_trimmed.txt
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Groq Review
+        id: review
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+          PR_DATA=$(gh pr view $PR_NUMBER --json body,title,author -q '.' || echo '{"body":"No description","title":"Unknown PR","author":{"login":"unknown"}}')
+          PR_BODY=$(echo "$PR_DATA" | jq -r '.body')
+          PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
+          PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.author.login')
+
+          cat > /tmp/prompt.txt <<PROMPTEOF
+          You are a senior engineer reviewing code for MotionPlate, a browser-based cinematic sequence builder using React 19 + Vite 7 + TypeScript 5.9 + Zustand 5 + Tailwind 4.
+
+          Architecture has strict isolation rules:
+          - Engine (src/engine/) renders frames — never imports UI
+          - Spec (src/spec/) defines JSON schema — never imports Engine
+          - Composer (src/composer/) is the UI — writes spec, asks engine to preview
+          - Director (src/director/) uses LLM adapters — only imports Spec
+
+          READ THE DIFF LINE BY LINE. For each changed file, check:
+          1. BUGS: null/undefined access, off-by-one errors, race conditions, resource leaks (Canvas2D contexts not released, animation frames not cancelled)
+          2. TYPE SAFETY: any casts, missing null checks, incorrect generic params, interface mismatches
+          3. LOGIC: does the code actually do what the PR description claims? Are edge cases handled?
+          4. RENDERING: Canvas2D state save/restore balance, effect compositing order, transition timing, frame-accurate export
+          5. STATE: Zustand store mutations outside actions, stale closures in React hooks, missing dependency arrays
+          6. SCHEMA: JSON spec validation, backward compatibility with schema 1.0.0 → 1.1.0
+          7. MODULE ISOLATION: Engine importing UI, Director importing Engine, cross-layer violations
+          8. SECURITY: XSS via dangerouslySetInnerHTML, unsanitized user input, exposed secrets
+
+          ISSUES MUST reference the specific file and what is wrong. Not vague observations.
+          Bad: "Consider adding error handling" — Good: "renderer.ts: requestAnimationFrame in renderLoop() is never cancelled in dispose(), leaking the frame callback"
+
+          Decision rules:
+          - APPROVE: You read the diff, found no bugs or logic errors. Minor style preferences are NOT grounds for REQUEST_CHANGES.
+          - REQUEST_CHANGES: You found actual bugs, type errors, logic errors, or resource leaks. Each issue must cite file + what is wrong.
+          - ESCALATE: Breaking API changes, schema changes, module isolation violations, or you cannot determine correctness from the diff alone.
+          - Dependabot/deps PRs: APPROVE if only version bumps in package.json/lockfile with no breaking major version changes.
+
+          Return JSON with keys: decision, summary, issues (array of specific findings with file references), risk_level, escalation_reason.
+
+          PR: ${PR_TITLE}
+          Author: ${PR_AUTHOR}
+          Description: ${PR_BODY}
+
+          Diff:
+          PROMPTEOF
+
+          cat /tmp/pr_diff_trimmed.txt >> /tmp/prompt.txt
+
+          # Build payload for Groq (OpenAI compatible)
+          jq -n --rawfile prompt /tmp/prompt.txt '{
+            "model": "llama3-70b-8192",
+            "messages": [
+              {
+                "role": "user",
+                "content": $prompt
+              }
+            ],
+            "response_format": { "type": "json_object" },
+            "temperature": 0.1,
+            "max_tokens": 4096
+          }' > /tmp/payload.json
+
+          HTTP_CODE=$(curl -s -w "%{http_code}" -o /tmp/groq_response.json \
+            "https://api.groq.com/openai/v1/chat/completions" \
+            -H 'Content-Type: application/json' \
+            -H "Authorization: Bearer ${GROQ_API_KEY}" \
+            -d @/tmp/payload.json)
+
+          echo "Groq API HTTP status: $HTTP_CODE"
+
+          if [ "$HTTP_CODE" != "200" ]; then
+            echo "decision=ESCALATE" >> "$GITHUB_OUTPUT"
+            echo "⚠️ **Groq Review: ESCALATE** — API error (HTTP $HTTP_CODE)" > /tmp/review_comment.txt
+            cat /tmp/groq_response.json
+            exit 0
+          fi
+
+          # Extract review JSON from Groq/OpenAI response format
+          jq -r '.choices[0].message.content // "{}"' /tmp/groq_response.json > /tmp/review.json
+          echo "Review JSON:"
+          cat /tmp/review.json
+
+          # Parse fields directly from file (set +e so truncated JSON doesn't kill the run)
+          set +e
+          DECISION=$(jq -r '.decision // "ESCALATE"' /tmp/review.json 2>/dev/null || echo "ESCALATE")
+          SUMMARY=$(jq -r '.summary // "Review parsing failed"' /tmp/review.json 2>/dev/null || echo "Review parsing failed")
+          RISK=$(jq -r '.risk_level // "unknown"' /tmp/review.json 2>/dev/null || echo "unknown")
+          ISSUES=$(jq -r 'if .issues and (.issues | length > 0) then (.issues | map("- " + .) | join("\n")) else "" end' /tmp/review.json 2>/dev/null || echo "")
+          ESCALATION=$(jq -r '.escalation_reason // ""' /tmp/review.json 2>/dev/null || echo "")
+          set -e
+
+          echo "decision=$DECISION" >> "$GITHUB_OUTPUT"
+
+          if [ "$DECISION" = "APPROVE" ]; then ICON="✅";
+          elif [ "$DECISION" = "REQUEST_CHANGES" ]; then ICON="🔧";
+          else ICON="⚠️"; fi
+
+          {
+            echo "${ICON} **Groq Review: ${DECISION}** (Risk: ${RISK})"
+            echo ""
+            echo "${SUMMARY}"
+            if [ -n "$ISSUES" ]; then
+              echo ""
+              echo "**Issues:**"
+              echo "${ISSUES}"
+            fi
+            if [ -n "$ESCALATION" ] && [ "$ESCALATION" != "null" ]; then
+              echo ""
+              echo "**Escalation reason:** ${ESCALATION}"
+            fi
+            echo ""
+            echo "---"
+            echo "*Automated review by Groq (Llama 3 70B)*"
+          } > /tmp/review_comment.txt
+
+        env:
+          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Post review comment
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+          gh pr comment $PR_NUMBER --body-file /tmp/review_comment.txt
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve & merge if APPROVE
+        if: steps.review.outputs.decision == 'APPROVE'
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+          gh pr review $PR_NUMBER --approve --body "Auto-approved by Groq review"
+          gh pr merge $PR_NUMBER --squash --auto
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Request changes if needed
+        if: steps.review.outputs.decision == 'REQUEST_CHANGES'
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+          gh pr review $PR_NUMBER --request-changes --body "Changes requested by Groq review — see comment above"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Escalate if needed
+        if: steps.review.outputs.decision == 'ESCALATE'
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+          gh pr comment $PR_NUMBER --body "🚨 **Escalation:** This PR needs human review. @socialawy please check."
+          gh pr edit $PR_NUMBER --add-label "needs-human-review" 2>/dev/null || true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/jules-issues.yml

@@ -0,0 +1,55 @@
+name: Jules Issue Worker
+
+on:
+  issues:
+    types: [opened, labeled]
+  schedule:
+    - cron: '0 4 * * *' # Daily at 4 AM UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  jules-work:
+    runs-on: ubuntu-latest
+    if: >
+      github.event_name == 'schedule' ||
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'issues' && !contains(github.event.issue.labels.*.name, 'needs-human-review'))
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Invoke Jules
+        uses: google-labs-code/jules-invoke@main
+        with:
+          jules_api_key: ${{ secrets.JULES_API_KEY }}
+          prompt: |
+            You are working on MotionPlate, a browser-based cinematic sequence builder.
+            Tech stack: React 19, Vite 7, TypeScript 5.9, Zustand 5, Tailwind 4, Vitest 4, IndexedDB (idb).
+
+            Architecture — strict isolation:
+            - src/engine/ — Canvas2D renderer, effects (Ken Burns, pulse, drift, rotate), transitions, post-effects. Never imports UI.
+            - src/spec/ — JSON schema + validation (Sequence, Plate types). Never imports Engine.
+            - src/composer/ — UI components (timeline, preview, editing). Writes spec, asks engine to preview.
+            - src/director/ — LLM-powered automation with provider adapters (Claude, Gemini, OpenAI, Ollama). Only imports Spec.
+            - src/store/ — Zustand state management.
+
+            Check the open GitHub issues and pick the next unassigned one to work on.
+
+            For each issue:
+            1. Read the issue description and acceptance criteria carefully.
+            2. Implement the feature or fix described.
+            3. Write tests (Vitest) for your changes.
+            4. Make sure existing tests still pass (npm test).
+            5. Run lint (npm run lint) and typecheck (npx tsc --noEmit).
+            6. Create a clean PR referencing the issue number (e.g. "Closes #N").
+
+            Do NOT modify .github/workflows/ files.
+            Do NOT change unrelated code.
+            Do NOT violate module isolation (Engine must not import UI, Director must not import Engine).
+            Keep PRs focused — one issue per PR.

.gitignore

@@ -27,4 +27,6 @@ dist-ssr
 .env
 .env.local
 local-files/
-local-files/*
+local-files/*
+tsc_errors.txt
+tsc_out.txt

CHANGELOG.md

@@ -0,0 +1,27 @@
+# Changelog
+
+## Pipeline Activity — 2026-03-22 to 2026-03-25
+
+### Dependencies (Autonomous: Dependabot + Gemini)
+- **PR #2** globals 17.3.0 → 17.4.0 — merged 2026-03-22
+- **PR #3** eslint 9.39.3 → 10.0.3 — merged 2026-03-22
+- **PR #4** undici 7.22.0 → 7.24.1 (security) — merged 2026-03-22
+- **PR #5** @vitest/ui 4.0.18 → 4.1.0 — merged 2026-03-22
+- **PR #6** @typescript-eslint/parser 8.56.1 → 8.57.0 — merged 2026-03-22
+- **PR #7** zustand 5.0.11 → 5.0.12 — merged 2026-03-22
+- **PR #8** jsdom 28.1.0 → 29.0.0 — merged 2026-03-22
+- **PR #9** @typescript-eslint/eslint-plugin 8.56.1 → 8.57.0 — merged 2026-03-22
+- **PR #10** vite 7.3.1 → 8.0.0 — merged 2026-03-22
+- **PR #11** @vitejs/plugin-react 5.1.4 → 6.0.1 — merged 2026-03-22
+- **PR #19** actions/checkout 4 → 6 — merged 2026-03-25
+- **PRs #20-22** (tailwindcss, postcss, eslint-plugin bumps) — Gemini review retriggered after transient 403, processing
+
+### Features (Autonomous: Jules + Gemini)
+- **PR #23** Manual save + auto-save before export (closes #12) — Gemini APPROVED, merged 2026-03-24
+
+### Pipeline Health
+- 12 PRs merged autonomously (11 deps + 1 feature)
+- Gemini correctly auto-approved deps, correctly escalated major bumps (Vite 8, ESLint 10, jsdom 29)
+- Transient Gemini API 403 on 2026-03-23 batch (4 dependabot PRs) — resolved by close/reopen retrigger
+- `delete_branch_on_merge`: needs admin on socialawy-dev org
+- Open issues: #13 (recent projects list), #14-18 (Phase 5-6 tasks)