Merge remote-tracking branch 'origin/main' into garrytan/colombo-v3

Resolves VERSION conflict (kept 1.43.0.0 — already ahead of main's
1.42.2.0 browse launch hardening wave). Picks up main's
browser-manager + server hardening cleanly (no conflicts there).

Also strips "device farm" / "DIY device farm" framing from the iOS
docs per Garry's direction. This isn't a device farm — it's full iOS
app QA, with agents able to control real iOS apps either locally over
USB or remotely over Tailscale.

Files touched in the farm sweep:
- CHANGELOG.md (1.43.0.0 entry headline + AGENTS subsection title)
- README.md (ios-qa row + gstack-ios-qa-daemon row)
- AGENTS.md (section header reframed to "iOS QA — drive real iPhones
  over USB or Tailscale")
- ios-qa/SKILL.md.tmpl + regenerated SKILL.md (description)
- ios-qa/docs/tailscale-acl-example.md (intro + sample ACL host name)
- docs/howto-ios-testing-with-gstack.md (intro + closing)
- docs/skills.md (section header + body)
- test/helpers/touchfiles.ts (touchfile comment)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-05-21 08:33:04 -07:00
12 changed files with 388 additions and 56 deletions
+2 -2
View File
@@ -7,9 +7,9 @@ description: |
CoreDevice IPv6 tunnel, reads Swift source to understand every screen, then
runs a vision-driven agent loop: screenshot → analyze → decide → act →
verify → repeat. All interaction happens via HTTP to an embedded
StateServer in the app under test. Optionally exposes the device farm over
StateServer in the app under test. Optionally exposes the device over
Tailscale so remote agents (OpenClaw, Codex, any HTTP-capable agent) can
drive the device from anywhere.
run iOS QA from anywhere without touching the hardware.
Use when asked to "ios qa", "test my iPhone app", "find bugs on the device",
or "qa the iOS app". (gstack)
Voice triggers (speech-to-text aliases): "iOS quality check", "test the iPhone app", "run iOS QA".
+2 -2
View File
@@ -7,9 +7,9 @@ description: |
CoreDevice IPv6 tunnel, reads Swift source to understand every screen, then
runs a vision-driven agent loop: screenshot → analyze → decide → act →
verify → repeat. All interaction happens via HTTP to an embedded
StateServer in the app under test. Optionally exposes the device farm over
StateServer in the app under test. Optionally exposes the device over
Tailscale so remote agents (OpenClaw, Codex, any HTTP-capable agent) can
drive the device from anywhere.
run iOS QA from anywhere without touching the hardware.
Use when asked to "ios qa", "test my iPhone app", "find bugs on the device",
or "qa the iOS app". (gstack)
voice-triggers:
+5 -5
View File
@@ -2,7 +2,7 @@
The Mac-side daemon binds the Tailscale interface only when you pass
`--tailnet`. By default the daemon is local-USB-only. This doc walks through
the steps to expose your device farm to remote agents safely.
the steps to expose your iPhone to remote agents safely so they can run iOS QA over the tailnet.
## Threat model recap
@@ -97,23 +97,23 @@ restrict the tailnet ACL to limit who can even *reach* the daemon port.
// In your tailscale admin console:
{
"acls": [
// Allow CI runner to reach the device farm Mac on port 9999 only.
// Allow CI runner to reach the iOS QA Mac on port 9999 only.
{
"action": "accept",
"src": ["ci@example.com"],
"dst": ["device-farm-mac:9999"]
"dst": ["ios-qa-mac:9999"]
},
// Tagged Claude agents — observe tier only (enforced by daemon, not ACL).
{
"action": "accept",
"src": ["tag:claude-readonly"],
"dst": ["device-farm-mac:9999"]
"dst": ["ios-qa-mac:9999"]
},
// Default deny.
{
"action": "drop",
"src": ["*"],
"dst": ["device-farm-mac:9999"]
"dst": ["ios-qa-mac:9999"]
}
]
}