improve

.agents/skills/company-creator/SKILL.md

@@ -154,6 +154,14 @@ Each AGENTS.md body should include not just what the agent does, but how they fi
 
 This turns a collection of agents into an organization that actually works together. Without workflow context, agents operate in isolation — they do their job but don't know what happens before or after them.
 
+Add a concise execution contract to every generated working agent:
+
+- Start actionable work in the same heartbeat and do not stop at a plan unless planning was requested.
+- Leave durable progress in comments, documents, or work products with the next action.
+- Use child issues for long or parallel delegated work instead of polling agents, sessions, or processes.
+- Mark blocked work with the unblock owner and action.
+- Respect budget, pause/cancel, approval gates, and company boundaries.
+
 ### Step 5: Confirm Output Location
 
 Ask the user where to write the package. Common options:

.agents/skills/company-creator/references/example-company.md

@@ -105,6 +105,13 @@ Your responsibilities:
 - Implement features and fix bugs
 - Write tests and documentation
 - Participate in code reviews
+
+Execution contract:
+
+- Start actionable implementation work in the same heartbeat; do not stop at a plan unless planning was requested.
+- Leave durable progress with a clear next action.
+- Use child issues for long or parallel delegated work instead of polling agents, sessions, or processes.
+- Mark blocked work with the unblock owner and action.
 ```
 
 ## teams/engineering/TEAM.md

.agents/skills/deal-with-security-advisory/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: deal-with-security-advisory
 description: >
-  Handle a GitHub Security Advisory response for Paperclip, including
+  Handle a GitHub Security Advisory response for Taskcore, including
   confidential fix development in a temporary private fork, human coordination
   on advisory-thread comments, CVE request, synchronized advisory publication,
   and immediate security release steps.
@@ -29,7 +29,7 @@ A security vulnerability has been reported via GitHub Security Advisory:
 Pull the full advisory so you understand the vulnerability before doing anything else:
 
 ```
-gh api repos/paperclipai/paperclip/security-advisories/{{ghsaId}}
+gh api repos/taskcore/taskcore/security-advisories/{{ghsaId}}
 
 ```
 
@@ -51,7 +51,7 @@ This is where all fix development happens. Never push to the public repo.
 
 ```
 gh api --method POST \
-  repos/paperclipai/paperclip/security-advisories/{{ghsaId}}/forks
+  repos/taskcore/taskcore/security-advisories/{{ghsaId}}/forks
 
 ```
 
@@ -60,14 +60,14 @@ This returns a repository object for the private fork. Save the `full_name` and
 Clone it and set up your workspace:
 
 ```
-# Clone the private fork somewhere outside ~/paperclip
+# Clone the private fork somewhere outside ~/taskcore
 git clone <clone_url_from_response> ~/security-patch-{{ghsaId}}
 cd ~/security-patch-{{ghsaId}}
 git checkout -b security-fix
 
 ```
 
-**Do not edit `~/paperclip`** — the dev server is running off the `~/paperclip` master branch and we don't want to touch it. All work happens in the private fork clone.
+**Do not edit `~/taskcore`** — the dev server is running off the `~/taskcore` master branch and we don't want to touch it. All work happens in the private fork clone.
 
 **TIPS:**
 
@@ -115,7 +115,7 @@ This makes vulnerability scanners (npm audit, Snyk, Dependabot) warn users to up
 
 ```
 gh api --method POST \
-  repos/paperclipai/paperclip/security-advisories/{{ghsaId}}/cve
+  repos/taskcore/taskcore/security-advisories/{{ghsaId}}/cve
 
 ```
 
@@ -128,15 +128,15 @@ This all happens at once — do not stagger these steps. The goal is **zero wind
 ### 6a. Verify reporter credit before publishing
 
 ```
-gh api repos/paperclipai/paperclip/security-advisories/{{ghsaId}} --jq '.credits'
+gh api repos/taskcore/taskcore/security-advisories/{{ghsaId}} --jq '.credits'
 
 ```
 
 If the reporter is not credited, add them:
 
 ```
 gh api --method PATCH \
-  repos/paperclipai/paperclip/security-advisories/{{ghsaId}} \
+  repos/taskcore/taskcore/security-advisories/{{ghsaId}} \
   --input - << 'EOF'
 {
   "credits": [
@@ -154,15 +154,15 @@ EOF
 
 ```
 gh api --method PATCH \
-  repos/paperclipai/paperclip/security-advisories/{{ghsaId}} \
+  repos/taskcore/taskcore/security-advisories/{{ghsaId}} \
   --input - << 'EOF'
 {
   "state": "published",
   "vulnerabilities": [
     {
       "package": {
         "ecosystem": "npm",
-        "name": "paperclip"
+        "name": "taskcore"
       },
       "vulnerable_version_range": "< {{patchedVersion}}",
       "patched_versions": "{{patchedVersion}}"
@@ -182,11 +182,11 @@ Publishing the advisory simultaneously:
 ### 6c. Cut a release immediately after merge
 
 ```
-cd ~/paperclip
+cd ~/taskcore
 git pull origin master
 
 gh release create v{{patchedVersion}} \
-  --repo paperclipai/paperclip \
+  --repo taskcore/taskcore \
   --title "v{{patchedVersion}} — Security Release" \
   --notes "## Security Release
 
@@ -196,7 +196,7 @@ This release fixes a critical security vulnerability.
 {{briefDescription}} (e.g., Remote code execution via DNS rebinding in \`local_trusted\` mode)
 
 ### Advisory
-https://github.com/paperclipai/paperclip/security/advisories/{{ghsaId}}
+https://github.com/taskcore/taskcore/security/advisories/{{ghsaId}}
 
 ### Credit
 Thanks to @{{reporterHandle}} for responsibly disclosing this vulnerability.
@@ -210,11 +210,11 @@ All users running versions prior to {{patchedVersion}} should upgrade immediatel
 
 ```
 # Verify the advisory is published and CVE is assigned
-gh api repos/paperclipai/paperclip/security-advisories/{{ghsaId}} \
+gh api repos/taskcore/taskcore/security-advisories/{{ghsaId}} \
   --jq '{state: .state, cve_id: .cve_id, published_at: .published_at}'
 
 # Verify the release exists
-gh release view v{{patchedVersion}} --repo paperclipai/paperclip
+gh release view v{{patchedVersion}} --repo taskcore/taskcore
 
 ```
 
@@ -224,7 +224,7 @@ If the CVE hasn't been assigned yet, that's normal — it can take a few hours.
 
 Tell the human operator what you did by posting a comment to this task, including:
 
-* The published advisory URL: `https://github.com/paperclipai/paperclip/security/advisories/{{ghsaId}}`
+* The published advisory URL: `https://github.com/taskcore/taskcore/security/advisories/{{ghsaId}}`
 * The release URL
 * Whether the CVE has been assigned yet
 * All URLs to any pull requests or branches

.agents/skills/doc-maintenance/SKILL.md

@@ -129,7 +129,7 @@ git commit -m "docs: update documentation for accuracy
 
 - [list each fix briefly]
 
-Co-Authored-By: Paperclip <noreply@paperclip.ing>"
+Co-Authored-By: Taskcore <noreply@taskcore.ing>"
 
 git push -u origin "$BRANCH"
 

.agents/skills/doc-maintenance/references/audit-checklist.md

@@ -16,12 +16,12 @@ against the change summary from git history.
 - [ ] Items reflect current priorities (cross-check with recent PRs)
 
 ### Quickstart
-- [ ] `npx paperclipai onboard` command is correct
+- [ ] `npx taskcore onboard` command is correct
 - [ ] Manual install steps are accurate (clone URL, commands)
 - [ ] Prerequisites (Node version, pnpm version) are current
 - [ ] Server URL and port are correct
 
-### "What is Paperclip" section
+### "What is Taskcore" section
 - [ ] High-level description is accurate
 - [ ] Step table (Define goal / Hire team / Approve and run) is correct
 
@@ -30,11 +30,11 @@ against the change summary from git history.
 - [ ] No removed adapters still listed
 - [ ] Logos and labels match current adapter names
 
-### "Paperclip is right for you if"
+### "Taskcore is right for you if"
 - [ ] Use cases are still accurate
 - [ ] No claims about capabilities that don't exist
 
-### "Why Paperclip is special"
+### "Why Taskcore is special"
 - [ ] Technical claims are accurate (atomic execution, governance, etc.)
 - [ ] No features listed that were removed or significantly changed
 

.agents/skills/release-changelog/SKILL.md

@@ -1,17 +1,17 @@
 ---
 name: release-changelog
 description: >
-  Generate the stable Paperclip release changelog at releases/vYYYY.MDD.P.md by
+  Generate the stable Taskcore release changelog at releases/vYYYY.MDD.P.md by
   reading commits, changesets, and merged PR context since the last stable tag.
 ---
 
 # Release Changelog Skill
 
-Generate the user-facing changelog for the **stable** Paperclip release.
+Generate the user-facing changelog for the **stable** Taskcore release.
 
 ## Versioning Model
 
-Paperclip uses **calendar versioning (calver)**:
+Taskcore uses **calendar versioning (calver)**:
 
 - Stable releases: `YYYY.MDD.P` (e.g. `2026.318.0`)
 - Canary releases: `YYYY.MDD.P-canary.N` (e.g. `2026.318.1-canary.0`)
@@ -126,7 +126,7 @@ When a bullet item clearly maps to a merged pull request, add inline attribution
 end of the entry in this format:
 
 ```
-- **Feature name** — Description. ([#123](https://github.com/paperclipai/paperclip/pull/123), @contributor1, @contributor2)
+- **Feature name** — Description. ([#123](https://github.com/taskcore/taskcore/pull/123), @contributor1, @contributor2)
 ```
 
 Rules:

.agents/skills/release/SKILL.md

@@ -1,14 +1,14 @@
 ---
 name: release
 description: >
-  Coordinate a full Paperclip release across engineering verification, npm,
+  Coordinate a full Taskcore release across engineering verification, npm,
   GitHub, smoke testing, and announcement follow-up. Use when leadership asks
   to ship a release, not merely to discuss versioning.
 ---
 
 # Release Coordination Skill
 
-Run the full Paperclip maintainer release workflow, not just an npm publish.
+Run the full Taskcore maintainer release workflow, not just an npm publish.
 
 This skill coordinates:
 
@@ -38,7 +38,7 @@ Before proceeding, verify all of the following:
 4. The candidate SHA has passed the verification gate or is about to.
 5. If manifests changed, the CI-owned `pnpm-lock.yaml` refresh is already merged on `master`.
 6. npm publish rights are available through GitHub trusted publishing, or through local npm auth for emergency/manual use.
-7. If running through Paperclip, you have issue context for status updates and follow-up task creation.
+7. If running through Taskcore, you have issue context for status updates and follow-up task creation.
 
 If any precondition fails, stop and report the blocker.
 
@@ -53,7 +53,7 @@ Collect these inputs up front:
 
 ## Step 0 — Release Model
 
-Paperclip now uses a commit-driven release model:
+Taskcore now uses a commit-driven release model:
 
 1. every push to `master` publishes a canary automatically
 2. canaries use `YYYY.MDD.P-canary.N`
@@ -88,7 +88,7 @@ Useful commands:
 ```bash
 git tag --list 'v*' --sort=-version:refname | head -1
 git log --oneline --no-merges
-npm view paperclipai@canary version
+npm view taskcore@canary version
 ```
 
 ## Step 2 — Draft the Stable Changelog
@@ -135,7 +135,7 @@ Confirm:
 Useful checks:
 
 ```bash
-npm view paperclipai@canary version
+npm view taskcore@canary version
 git tag --list 'canary/v*' --sort=-version:refname | head -5
 ```
 
@@ -144,13 +144,13 @@ git tag --list 'canary/v*' --sort=-version:refname | head -5
 Run:
 
 ```bash
-PAPERCLIPAI_VERSION=canary ./scripts/docker-onboard-smoke.sh
+TASKCOREAI_VERSION=canary ./scripts/docker-onboard-smoke.sh
 ```
 
 Useful isolated variant:
 
 ```bash
-HOST_PORT=3232 DATA_DIR=./data/release-smoke-canary PAPERCLIPAI_VERSION=canary ./scripts/docker-onboard-smoke.sh
+HOST_PORT=3232 DATA_DIR=./data/release-smoke-canary TASKCOREAI_VERSION=canary ./scripts/docker-onboard-smoke.sh
 ```
 
 Confirm:
@@ -210,7 +210,7 @@ Create or verify follow-up work for:
 
 - website changelog publishing
 - launch post / social announcement
-- release summary in Paperclip issue context
+- release summary in Taskcore issue context
 
 These should reference the stable release, not the canary.
 

.env.example

@@ -2,3 +2,6 @@ DATABASE_URL=postgres://taskcore:taskcore@localhost:5432/taskcore
 PORT=3100
 SERVE_UI=false
 BETTER_AUTH_SECRET=taskcore-dev-secret
+
+# Discord webhook for daily merge digest (scripts/discord-daily-digest.sh)
+# DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/...

.github/PULL_REQUEST_TEMPLATE.md

@@ -38,6 +38,8 @@
 
 -
 
+> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`.
+
 ## Model Used
 
 <!--
@@ -57,6 +59,7 @@
 
 - [ ] I have included a thinking path that traces from project context to this change
 - [ ] I have specified the model used (with version and capability details)
+- [ ] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work
 - [ ] I have run tests locally and they pass
 - [ ] I have added or updated tests where applicable
 - [ ] If this change affects the UI, I have included before/after screenshots

.github/workflows/release-smoke.yml

@@ -66,7 +66,7 @@ jobs:
           metadata_file="$RUNNER_TEMP/release-smoke.env"
           HOST_PORT="${{ inputs.host_port }}" \
           DATA_DIR="$RUNNER_TEMP/release-smoke-data" \
-          TASKCORE_VERSION="${{ inputs.taskcore_version }}" \
+          TASKCOREAI_VERSION="${{ inputs.taskcore_version }}" \
           SMOKE_DETACH=true \
           SMOKE_METADATA_FILE="$metadata_file" \
           ./scripts/docker-onboard-smoke.sh
@@ -80,7 +80,7 @@ jobs:
             echo "SMOKE_CONTAINER_NAME=$SMOKE_CONTAINER_NAME"
             echo "SMOKE_DATA_DIR=$SMOKE_DATA_DIR"
             echo "SMOKE_IMAGE_NAME=$SMOKE_IMAGE_NAME"
-            echo "SMOKE_TASKCORE_VERSION=$SMOKE_TASKCORE_VERSION"
+            echo "SMOKE_TASKCOREAI_VERSION=$SMOKE_TASKCOREAI_VERSION"
             echo "SMOKE_METADATA_FILE=$metadata_file"
           } >> "$GITHUB_ENV"
 

.gitignore

@@ -1,4 +1,7 @@
+node_modules
 node_modules/
+**/node_modules
+**/node_modules/
 dist/
 .env
 *.tsbuildinfo
@@ -32,13 +35,15 @@ server/src/**/*.d.ts
 server/src/**/*.d.ts.map
 tmp/
 feedback-export-*
+diagnostics/
 
 # Editor / tool temp files
 *.tmp
 .vscode/
 .claude/settings.local.json
 .taskcore-local/
 /.idea/
+/.agents/
 
 # Doc maintenance cursor
 .doc-review-cursor

CONTRIBUTING.md

@@ -51,6 +51,21 @@ All tests must pass before a PR can be merged. Run them locally first and verify
 
 We use [Greptile](https://greptile.com) for automated code review. Your PR must achieve a **5/5 Greptile score** with **all Greptile comments addressed** before it can be merged. If Greptile leaves comments, fix or respond to each one and request a re-review.
 
+## Feature Contributions
+
+We actively manage the core Taskcore feature roadmap.
+
+Uncoordinated feature PRs against the core product may be closed, even when the implementation is thoughtful and high quality. That is about roadmap ownership, product coherence, and long-term maintenance commitment, not a judgment about the effort.
+
+If you want to contribute a feature:
+
+- Check [ROADMAP.md](ROADMAP.md) first
+- Start the discussion in Discord -> `#dev` before writing code
+- If the idea fits as an extension, prefer building it with the [plugin system](doc/plugins/PLUGIN_SPEC.md)
+- If you want to show a possible direction, reference implementations are welcome as feedback, but they generally will not be merged directly into core
+
+Bugs, docs improvements, and small targeted improvements are still the easiest path to getting merged, and we really do appreciate them.
+
 ## General Rules (both paths)
 
 - Write clear commit messages