Merge remote-tracking branch 'origin/main' into garrytan/colombo-v3

Resolves VERSION conflict (kept 1.43.0.0 — already ahead of main's
1.42.2.0 browse launch hardening wave). Picks up main's
browser-manager + server hardening cleanly (no conflicts there).

Also strips "device farm" / "DIY device farm" framing from the iOS
docs per Garry's direction. This isn't a device farm — it's full iOS
app QA, with agents able to control real iOS apps either locally over
USB or remotely over Tailscale.

Files touched in the farm sweep:
- CHANGELOG.md (1.43.0.0 entry headline + AGENTS subsection title)
- README.md (ios-qa row + gstack-ios-qa-daemon row)
- AGENTS.md (section header reframed to "iOS QA — drive real iPhones
  over USB or Tailscale")
- ios-qa/SKILL.md.tmpl + regenerated SKILL.md (description)
- ios-qa/docs/tailscale-acl-example.md (intro + sample ACL host name)
- docs/howto-ios-testing-with-gstack.md (intro + closing)
- docs/skills.md (section header + body)
- test/helpers/touchfiles.ts (touchfile comment)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-05-21 08:33:04 -07:00
12 changed files with 388 additions and 56 deletions
+2 -2
View File
@@ -1214,9 +1214,9 @@ The agent reads your Swift source, finds `@Observable` classes with `@Snapshotab
The iOS app's `StateServer` binds loopback only (`::1` + `127.0.0.1`). The Mac daemon owns tailnet identity validation, capability tiers, and the audit trail. Remote agents NEVER see the boot token — only short-lived session tokens (1h default, 24h hard cap) minted via Tailscale identity gating.
### The unlock: USB-tethered + Tailscale = DIY device farm
### The unlock: USB-tethered + Tailscale = remote iOS QA from any agent
A $500 Mac mini + an old iPhone + Tailscale free tier replaces what most teams pay BrowserStack/Sauce Labs for. Tailscale ACLs scope which identities can reach which devices at which capability tier.
A Mac plus an iPhone you already own plus the Tailscale free tier replaces what most teams pay BrowserStack/Sauce Labs for. Any HTTP-capable agent on your tailnet can drive the iOS app once you've minted them a session token. Tailscale ACLs scope which identities can reach the Mac at which capability tier.
See `ios-qa/docs/tailscale-acl-example.md` for the runnable setup.