From 9e070707c205c0699626afede2b2dcc0063b20fe Mon Sep 17 00:00:00 2001
From: Samuel Monroe <spat.monroe@gmail.com>
Date: Tue, 28 Apr 2026 14:39:10 +0200
Subject: [PATCH 1/6] Agentic setup review with Codex

---
 .../skills}/wefa-tanstack-query/SKILL.md      |   2 +-
 .../wefa-tanstack-query/agents/openai.yaml    |   0
 .../references/official-v5-patterns.md        |   0
 .../references/wefa-conventions.md            |   0
 .../skills}/wefa-vue-frontend/SKILL.md        |   6 +-
 .../wefa-vue-frontend/agents/openai.yaml      |   0
 .gitignore                                    |   1 +
 AGENTS.md                                     | 106 +++--
 PLANS.md                                      |  38 ++
 bff/AGENTS.md                                 |  61 +++
 code_review.md                                |  23 +
 django/AGENTS.md                              | 179 ++++++++
 django/CONTRIBUTE.md                          |   2 +
 vue/.github/copilot-instructions.md           | 275 +-----------
 vue/AGENTS.md                                 |  67 +++
 vue/package-lock.json                         |  67 +--
 vue/scripts/files/copilot-instructions.md     | 420 ------------------
 17 files changed, 492 insertions(+), 755 deletions(-)
 rename {skills => .agents/skills}/wefa-tanstack-query/SKILL.md (97%)
 rename {skills => .agents/skills}/wefa-tanstack-query/agents/openai.yaml (100%)
 rename {skills => .agents/skills}/wefa-tanstack-query/references/official-v5-patterns.md (100%)
 rename {skills => .agents/skills}/wefa-tanstack-query/references/wefa-conventions.md (100%)
 rename {skills => .agents/skills}/wefa-vue-frontend/SKILL.md (92%)
 rename {skills => .agents/skills}/wefa-vue-frontend/agents/openai.yaml (100%)
 create mode 100644 PLANS.md
 create mode 100644 bff/AGENTS.md
 create mode 100644 code_review.md
 create mode 100644 django/AGENTS.md
 create mode 100644 vue/AGENTS.md
 delete mode 100644 vue/scripts/files/copilot-instructions.md

diff --git a/skills/wefa-tanstack-query/SKILL.md b/.agents/skills/wefa-tanstack-query/SKILL.md
similarity index 97%
rename from skills/wefa-tanstack-query/SKILL.md
rename to .agents/skills/wefa-tanstack-query/SKILL.md
index f4b393ae..6fabb0ba 100644
--- a/skills/wefa-tanstack-query/SKILL.md
+++ b/.agents/skills/wefa-tanstack-query/SKILL.md
@@ -68,4 +68,4 @@ Apply TanStack Query Vue v5 with official v5 patterns while preserving WeFa's pr
 1. For wrapper tests in `vue/src/network/__tests__`, mock `@tanstack/vue-query` directly and assert the wrapper configuration.
 2. For feature or component tests, mock `@/network` instead of TanStack internals unless the feature truly owns the hook configuration.
 3. Use `vue/CONTRIBUTE.md` as the source of truth for the current Vue quality gates and validation commands.
-4. If the task also changes frontend behavior outside the network layer, follow the matching validation expectations from `skills/wefa-vue-frontend/SKILL.md` instead of redefining them here.
+4. If the task also changes frontend behavior outside the network layer, follow the matching validation expectations from `.agents/skills/wefa-vue-frontend/SKILL.md` instead of redefining them here.
diff --git a/skills/wefa-tanstack-query/agents/openai.yaml b/.agents/skills/wefa-tanstack-query/agents/openai.yaml
similarity index 100%
rename from skills/wefa-tanstack-query/agents/openai.yaml
rename to .agents/skills/wefa-tanstack-query/agents/openai.yaml
diff --git a/skills/wefa-tanstack-query/references/official-v5-patterns.md b/.agents/skills/wefa-tanstack-query/references/official-v5-patterns.md
similarity index 100%
rename from skills/wefa-tanstack-query/references/official-v5-patterns.md
rename to .agents/skills/wefa-tanstack-query/references/official-v5-patterns.md
diff --git a/skills/wefa-tanstack-query/references/wefa-conventions.md b/.agents/skills/wefa-tanstack-query/references/wefa-conventions.md
similarity index 100%
rename from skills/wefa-tanstack-query/references/wefa-conventions.md
rename to .agents/skills/wefa-tanstack-query/references/wefa-conventions.md
diff --git a/skills/wefa-vue-frontend/SKILL.md b/.agents/skills/wefa-vue-frontend/SKILL.md
similarity index 92%
rename from skills/wefa-vue-frontend/SKILL.md
rename to .agents/skills/wefa-vue-frontend/SKILL.md
index ac5d5cf3..a2677b4e 100644
--- a/skills/wefa-vue-frontend/SKILL.md
+++ b/.agents/skills/wefa-vue-frontend/SKILL.md
@@ -10,7 +10,6 @@ Apply the WeFa Vue workspace standards with predictable discovery, implementatio
 ## First Reads
 1. Read `vue/README.md` for package capabilities, exports, and workspace scripts.
 2. Read `vue/CONTRIBUTE.md` for quality gates and contribution expectations.
-3. Read `vue/scripts/files/copilot-instructions.md` when the task changes UI composition patterns or component selection.
 
 ## Workspace Map
 1. Start public-surface discovery at `vue/src/lib.ts` and `vue/src/containers/index.ts`.
@@ -27,8 +26,9 @@ Apply the WeFa Vue workspace standards with predictable discovery, implementatio
 5. Prefer Tailwind utility classes for routine styling. Do not add new CSS imports. Use scoped styles or bound style objects only when the existing feature pattern needs layout math, chart sizing, or other cases Tailwind cannot express cleanly.
 6. Prefer `const { prop = defaultValue } = defineProps<Type>()` for defaults and avoid `withDefaults()` unless the local file pattern already depends on it.
 7. Keep user-facing literals translated through i18n keys (`useI18nLib`, `t`, `$t`), including `aria-label`, `title`, placeholders, validation copy, and button labels.
-8. When a change creates or exposes new public surface, update the nearest `index.ts` and shared entrypoints such as `vue/src/lib.ts` or `vue/src/containers/index.ts` as needed.
-9. Regenerate or reuse generated OpenAPI client artifacts through the existing script instead of hand-editing generated files.
+8. New public components or containers should usually ship with source, stories, MDX docs, and unit tests, unless the adjacent feature pattern in this repo clearly differs.
+9. When a change creates or exposes new public surface, update the nearest `index.ts` and shared entrypoints such as `vue/src/lib.ts` or `vue/src/containers/index.ts` as needed.
+10. Regenerate or reuse generated OpenAPI client artifacts through the existing script instead of hand-editing generated files.
 
 ## Delivery Workflow
 1. Inspect existing implementation first:
diff --git a/skills/wefa-vue-frontend/agents/openai.yaml b/.agents/skills/wefa-vue-frontend/agents/openai.yaml
similarity index 100%
rename from skills/wefa-vue-frontend/agents/openai.yaml
rename to .agents/skills/wefa-vue-frontend/agents/openai.yaml
diff --git a/.gitignore b/.gitignore
index 83e11e05..2047f509 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@
 *.code-workspace
 *.iml
 .claude/settings.local.json
+.claude/launch.json
 django/docs/source/api/*
 django/docs/output/**/*
 .env
diff --git a/AGENTS.md b/AGENTS.md
index 583404ce..3a6d9958 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,56 +1,94 @@
 # N-SIDE WeFa – Agent Guide
 
+## Product
+
+**WeFa** (Web Factory) is N-SIDE's internal toolkit for assembling full-stack product experiences quickly. It gives product teams batteries-included building blocks — auth, legal consent, locale, audit, request-scoped helpers, and a Vue/PrimeVue component library — so a new app starts at "wired and tested", not at a blank repo.
+
 ## Project Snapshot
-- WeFa (Web Factory) ships two publishable packages: `django/` contains the `nside-wefa` Django toolkit, `vue/` contains the `@nside/wefa` Vue 3 component library.
-- Goal: provide production-ready auth, legal-consent, other backend packages, and UI building blocks so product teams can assemble full-stack experiences quickly.
-- Primary technologies: Python 3.12+, Django 5.2 + Django REST Framework, Vitest + Playwright, Vue 3 + PrimeVue + Tailwind 4.
+- WeFa ships three artifacts on a shared version: `django/` (the `nside-wefa` Django toolkit, published to PyPI), `vue/` (the `@nside/wefa` Vue 3 component library, published to npm), and `bff/` (a Flask backend-for-frontend, published as a Docker image to GHCR).
+- Primary technologies: Python 3.12+, Django 5.2 + Django REST Framework, Flask 3 (BFF), Vue 3 + PrimeVue + Tailwind 4, Vitest + Playwright.
 
 ## Repository Layout & Key Docs
-- `README.md` – top-level overview; defer to `django/README.md` and `vue/README.md` for workspace specifics.
-- `django/` – reusable apps (`nside_wefa.common`, `.authentication`, `.legal_consent`, etc) plus `demo/` project and pytest setup.
-- `vue/` – component library, demo playground, Storybook, scripts (e.g. `wefa-install`), and AI guidance (`scripts/files/copilot-instructions.md`).
-- Contribution guides: `django/CONTRIBUTE.md` & `vue/CONTRIBUTE.md` define environment setup, quality gates, and release discipline.
+- `README.md` – top-level overview; defer to per-workspace `README.md` for specifics.
+- `django/` – reusable apps (`nside_wefa.common`, `.utils`, `.authentication`, `.legal_consent`, `.locale`, `.audit`) plus `demo/` project and pytest setup. See `django/AGENTS.md`.
+- `vue/` – component library, demo playground, Storybook, `wefa-install` script. See `vue/AGENTS.md` plus the repo-local skills under `.agents/skills/`.
+- `bff/` – Flask BFF handling OAuth/session/cookie + Django proxy. See `bff/AGENTS.md`.
+- `.agents/skills/` – repo-local Codex skills. Codex can auto-discover these; other agents should read the referenced `SKILL.md` files directly.
+- `docs/agent-roadmap.md` – checked-in replacement for older machine-local roadmap references used for cross-cutting infrastructure planning.
+- `code_review.md` – review checklist for agent-led PR and patch review.
+- `PLANS.md` – template for multi-step or cross-workspace execution plans.
+- Contribution guides: `django/CONTRIBUTE.md` & `vue/CONTRIBUTE.md` cover human onboarding; the agent guides cover conventions and the quality gate.
 
 ## Instruction Routing
-- For frontend work inside `vue/` (components, containers, stories/docs, translations, tests), use the `$wefa-vue-frontend` skill defined at `skills/wefa-vue-frontend/SKILL.md`.
-- For work inside `django/`, use the backend guidance in this file until a dedicated `django/AGENTS.md` is introduced.
-- For cross-cutting work (API + UI), follow this file for shared expectations and apply the `wefa-vue-frontend` skill for the frontend part.
+- For frontend work inside `vue/` (components, containers, stories/docs, translations, tests), use the repo-local skills `wefa-vue-frontend` and `wefa-tanstack-query` from `.agents/skills/`. Codex can auto-discover them; agents that do not auto-load skills should read `.agents/skills/wefa-vue-frontend/SKILL.md`, `.agents/skills/wefa-tanstack-query/SKILL.md`, and `vue/AGENTS.md`.
+- For backend work inside `django/`, see `django/AGENTS.md` for app conventions, the quality gate, the new-app checklist, and known gotchas.
+- For BFF work inside `bff/`, see `bff/AGENTS.md` for blueprint layout, OAuth/cookie conventions, OpenAPI flow, and the quality gate.
+- For cross-cutting work (Django ↔ BFF ↔ Vue), follow this file for shared expectations plus the relevant workspace AGENTS / SKILL files.
+- Before designing cross-cutting infrastructure (auth modes, observability, retention, RBAC, tenancy, …), check `docs/agent-roadmap.md` first. If the intended shape is not recorded there, surface the design question early instead of relying on machine-local notes.
 
 ## Core Engineering Principles
 - **Convention over configuration**: align with provided settings helpers (`NSIDE_WEFA` for Django and documented Vue defaults) before introducing bespoke wiring.
 - **Type safety & documentation**: keep Python and TypeScript hints accurate; add comments only for non-obvious logic; update relevant docs whenever behaviour changes.
 - **Tests as gatekeepers**: extend existing suites when behaviour changes; no feature lands without matching tests unless explicitly justified.
-
-## Backend Playbook (`django/`)
-- **App structure**: extend existing apps (`nside_wefa.authentication`, `.legal_consent`, `.common`, etc) unless a new domain warrants a standalone package. Mirror current layout: `apps.py`, `checks.py`, `models/`, `serializers.py`, `urls.py`, `views/`, `tests/`, `README.md`.
-- **Settings contract**: all configuration flows through the `NSIDE_WEFA` dict. When adding options, document in `django/README.md`, add system checks in `checks.py`, and ensure defaults keep migrations optional.
-- **APIs & serializers**: follow DRF patterns already present; keep authentication utilities DRY by placing shared logic under `utils/`. Expose URLs through `include('nside_wefa.<app>.urls')` and cover them in tests.
-- **Testing & quality**: use pytest with Django (`pytest` or `python manage.py test`) plus coverage when needed. Run `ruff format .`, `ruff check .`, and `mypy nside_wefa/` before submission. Demo project (`django/demo`) is available for manual validation.
+- **Mirror an existing app/component**: when in doubt about layout, settings shape, signal pattern, or test structure, copy the closest analogue rather than inventing a new pattern.
+- **Test under non-default settings too**: any feature gated by an opt-in flag (tamper-evidence, `INCLUDE_ALL_MODELS`, `RAISE_ON_FAILURE`, …) needs a test that exercises the flag turned on. Code paths that work only in the default config are how silent regressions ship.
 
 ## Shared Workflow Expectations
-- Stay within the workspace toolchain: `uv`/pip + Hatchling builds for Django, npm scripts + Vite for Vue.
+- Stay within the workspace toolchain: `uv` + Hatchling builds for Django and BFF, npm scripts + Vite for Vue.
 - Keep lockfiles consistent with the package manager in use (`uv.lock`, `package-lock.json`).
-- Maintain documentation parity: adjust relevant READMEs, MDX docs, or changelog entries (once introduced) whenever behaviour changes.
-- For cross-cutting features, coordinate backend API shape first, then wire the frontend through the generated clients/composables.
+- Maintain documentation parity: adjust relevant READMEs, MDX docs, or changelog entries whenever behaviour changes.
+- For cross-cutting features, coordinate backend API shape first, then wire the frontend through the generated clients/composables; the BFF sits at the boundary and should not absorb logic that belongs in Django or Vue.
+
+## Cross-Workspace Verification
+- If only `django/` changes, run the Django quality gate from `django/AGENTS.md`.
+- If only `bff/` changes, run the BFF quality gate from `bff/AGENTS.md`.
+- If only `vue/` changes, run the Vue quality gate from `vue/AGENTS.md`.
+- If Django API shape, BFF proxy/auth behavior, cookie names, redirect targets, or error-code contracts change, run the relevant backend gate and, in `vue/`, run `npm run type-check`, `npm run build`, and `npm run test:package-types`. If routed demo flows or browser-visible auth UX changed, also run `npm run test:e2e -- --reporter=dot`.
+
+### Quality Gate Cheat Sheet
+
+Minimum entry commands per workspace. See each workspace's `AGENTS.md` for the full gate.
+
+```bash
+# django/  (cwd: django/)
+uv sync --all-extras && uv run pytest && uv run ruff check nside_wefa demo \
+  && uv run ruff format --check nside_wefa demo && uv run mypy nside_wefa/ \
+  && uv run python manage.py check
+
+# bff/  (cwd: bff/)
+uv sync --dev && uv run pytest \
+  && uv run python -m bff_app.openapi.generate --check --output bff_app/openapi/openapi.yaml
+
+# vue/  (cwd: vue/)
+npm install && npm run lint-check && npm run type-check && npm run format-check \
+  && npm run test:unit -- --reporter=dot --silent && npm run build
+# Add: npm run test:e2e -- --reporter=dot     when routing/demo/browser flows changed
+# Add: npm run test:package-types             when exports or packaging changed
+```
+
+## Domain Invariants
+
+Cross-workspace contracts that don't live in any single file. Honor these when planning changes that span workspaces.
+
+- **Single shared version.** All three artifacts (`django/`, `vue/`, `bff/`) ship on one version, bumped from the repo root via `python3 scripts/wefa_version.py {bump|set} ...`. Do not edit `pyproject.toml` / `package.json` versions by hand.
+- **BFF ↔ Vue auth contract.** The `bff/` cookie names (`<SESSION_COOKIE_NAME>_at|_rt|_it|_meta`, see `TOKEN_COOKIE_SUFFIXES` in `bff/bff_app/services/token_cookies.py`) and the `FRONTEND_REDIRECT?error=<code>` failure codes (`auth_state_missing`, `auth_state_mismatch`, `auth_provider_error`, `auth_callback_incomplete`, `auth_token_exchange_failed`, `auth_invalid_token`, `auth_cookie_too_large`) are part of the public contract with `vue/`. Renames or additions are coordinated changes — update `bff/README.md`, `bff/AGENTS.md`, and the consuming Vue flows in the same PR.
+- **Django app load order.** `nside_wefa.common` must be installed before any other `nside_wefa.*` app (it owns shared settings access and `get_section` / `get_value`). Beyond that, `audit/checks.py::wefa_apps_dependencies_check` enforces the rest of the dependency order at boot — failing `manage.py check` is the signal, not a runtime crash.
+- **Generated artifacts stay in sync.** The BFF OpenAPI spec at `bff/bff_app/openapi/openapi.yaml` is regression-checked in CI (`--check` flag); the Vue typed OpenAPI client under `vue/src/demo/openapi/` is regenerated through the existing script, never hand-edited. If a route schema or Django API shape changes, regenerate before opening the PR.
+- **Opt-in flags need their own tests.** Every feature gated by an opt-in (`tamper_evident`, `INCLUDE_ALL_MODELS`, `RAISE_ON_FAILURE`, future toggles) must ship with a regression test that exercises the flag turned on. "Worked in default config, broke under the opt-in" is the documented bug shape.
+
+## Review And Planning
+- For review requests, follow `code_review.md` so findings stay ordered and consistent across workspaces.
+- For ambiguous or multi-step cross-workspace work, start from `PLANS.md` or ask the agent to plan before editing.
 
 ## Decision Checklists
-- **Before shipping backend change**:
-  - [ ] Update/extend system checks and settings docs.
-  - [ ] Provide migrations only when required and reversible.
-  - [ ] Add pytest coverage for new branches/edge cases.
 - **Before opening a PR**:
-  - [ ] Run required backend lint/format/test commands.
-  - [ ] Update backend docs/demo snippets as needed.
-  - [ ] Document breaking changes and version impacts.
-
-## Quick Command Reference
-- Backend install: `cd django && pip install -e .[dev]` (or `uv sync --all-extras`)
-- Backend tests: `cd django && pytest`
-- Backend lint/type: `cd django && ruff check . && ruff format --check && mypy nside_wefa/`
+  - [ ] Tests added/updated for changed behaviour, edge cases, and any opt-in flags.
+  - [ ] Workspace-specific quality gate run green (see the workspace's `AGENTS.md`).
+  - [ ] Per-app / per-feature README + top-level workspace README updated alongside behaviour changes.
+  - [ ] Breaking changes and version impacts called out in the PR body.
 
 ## When in Doubt
-- Re-read the relevant `README.md` and `CONTRIBUTE.md` before altering flows.
-- Trace existing backend implementations (e.g., `nside_wefa/legal_consent`) to mirror patterns.
-- Surface open questions early (e.g., new authentication modes) so design/system owners can confirm direction.
+- Workspace AGENTS / SKILL files first, then `README.md` / `CONTRIBUTE.md`, then mirror the closest existing implementation.
+- Surface open questions early (new auth modes, new top-level apps, schema-breaking changes, BFF surface expansion) so design/system owners can confirm direction.
 
 Following this guide keeps contributions aligned with the existing architecture, ensures compliance with the WeFa component hierarchy, and preserves release quality across both Django and Vue packages.
diff --git a/PLANS.md b/PLANS.md
new file mode 100644
index 00000000..c2bc3124
--- /dev/null
+++ b/PLANS.md
@@ -0,0 +1,38 @@
+# WeFa Cross-Workspace Plan Template
+
+Use this template for ambiguous, long-running, or cross-workspace work before implementation starts.
+
+## Goal
+
+State the user-visible outcome and the success condition.
+
+## Touched Workspaces
+
+- `django/`
+- `bff/`
+- `vue/`
+
+List only the workspaces that the change will touch and explain why.
+
+## Constraints
+
+- Architecture or ownership boundaries to preserve
+- Existing contracts that must remain compatible
+- Documentation or generated artifacts that must stay in sync
+
+## Implementation Notes
+
+- Main behavior changes
+- Public API or contract changes
+- Required docs or generated-file updates
+
+## Verification
+
+- Exact commands to run in each touched workspace
+- Any cross-workspace checks needed for contracts, generated clients, or browser flows
+
+## Rollback / Compatibility
+
+- Backward-compatibility concerns
+- Migration or deploy notes
+- Safe rollback approach if the change needs to be reverted
diff --git a/bff/AGENTS.md b/bff/AGENTS.md
new file mode 100644
index 00000000..65e15de1
--- /dev/null
+++ b/bff/AGENTS.md
@@ -0,0 +1,61 @@
+# WeFa BFF – Agent Guide
+
+Flask Backend-for-Frontend that handles OAuth login/logout/session for the Vue SPA and proxies REST calls to the Django backend. Read alongside the repo-wide [`../AGENTS.md`](../AGENTS.md). Setup, env vars, and security model live in [`README.md`](README.md); this file captures conventions, the quality gate, and gotchas.
+
+## Layout
+
+- **Entrypoint**: [`bff.py`](bff.py) — loads `.env` and calls `bff_app.create_app()`.
+- **App factory**: [`bff_app/__init__.py`](bff_app/__init__.py) — wires CORS, smorest API, blueprints.
+- **Routes** (Flask blueprints): [`bff_app/routes/auth.py`](bff_app/routes/auth.py), [`bff_app/routes/proxy.py`](bff_app/routes/proxy.py), [`bff_app/routes/health.py`](bff_app/routes/health.py).
+- **Services**: [`bff_app/services/auth.py`](bff_app/services/auth.py) (Authlib + PKCE), [`bff_app/services/token_cookies.py`](bff_app/services/token_cookies.py) (encrypted HttpOnly cookies).
+- **Settings**: [`bff_app/settings.py`](bff_app/settings.py) — fail-fast env validation; required keys listed in `README.md`.
+- **OpenAPI**: [`bff_app/openapi/generate.py`](bff_app/openapi/generate.py) emits the static spec at `bff_app/openapi/openapi.yaml`.
+- **Tests**: `tests/` (one file per route + service).
+
+## Conventions
+
+- **Blueprint per concern**; register in `bff_app/__init__.py` only. Don't add routes to existing blueprints if they don't fit the concern (e.g. don't put proxy logic into `auth_bp`).
+- **`flask-smorest`** for schema-validated routes — define schemas in the same file as the blueprint unless they're shared.
+- **OAuth state lives in Flask's signed session cookie**; tokens live in separate encrypted cookies (`<SESSION_COOKIE_NAME>_at`, `_rt`, `_it`, `_meta`). Don't store tokens in the session. **`SESSION_COOKIE_SECURE=True` and `SESSION_COOKIE_SAMESITE=Strict` are mandatory in production** — the BFF doesn't enforce this; the deployment does.
+- **PKCE**: every login flow generates a verifier; the callback validates state + verifier before token exchange. See `bff_app/services/auth.py`.
+- **Failure redirects**: callback errors redirect to `FRONTEND_REDIRECT?error=<code>`. Add new error codes to the documented list in `README.md` when introducing them. Current codes: `auth_state_missing`, `auth_state_mismatch`, `auth_provider_error`, `auth_callback_incomplete`, `auth_token_exchange_failed`, `auth_invalid_token`, `auth_cookie_too_large`.
+- **Settings module is fail-fast**: missing required env vars raise at app startup. Add new required vars to both `bff_app/settings.py` validation and the `README.md` env reference. **`dotenv` loads once at process start** — adding a var to `.env.example` only is not enough.
+- **Encrypted-cookie code is security-sensitive**: don't bypass key validation, don't introduce new cookie names without coordinating with the frontend. **Existing signed-session token payloads are not migrated** when the cookie scheme changes (encrypted cookies were a recent rollout). Document any further format change in the PR body so deployers know to clear sessions.
+
+## Quality gate
+
+CWD is `bff/`.
+
+```bash
+uv sync --dev                                                                            # install + dev deps
+FLASK_RUN_PORT=5022 uv run flask --app bff.py run                                        # local server
+uv run pytest                                                                            # full suite
+uv run python -m bff_app.openapi.generate --output bff_app/openapi/openapi.yaml          # regenerate spec
+uv run python -m bff_app.openapi.generate --check  --output bff_app/openapi/openapi.yaml # CI: spec is current
+docker-compose up --build                                                                # parity with the published image
+```
+
+The BFF has no ruff/mypy gate today; adding one is a good first issue.
+
+## Tests
+
+- **Conftest** (`tests/conftest.py`) sets up the Flask test client with a known set of env vars; mirror its pattern when adding tests so the OAuth/PKCE state is deterministic.
+- Mock the upstream IdP and the upstream Django backend via `requests` patching — never hit real endpoints.
+- Encrypted cookies are exercised with a known `TOKEN_COOKIE_ENCRYPTION_KEY`; reuse the conftest fixture rather than rolling a new key per test.
+- The OpenAPI spec is regression-tested in `tests/test_openapi_generation.py` — run it after touching any route schema.
+
+## Cross-workspace coordination
+
+- **Vue** consumes the BFF cookies and the proxied Django responses. When you change cookie names, redirect targets, or error codes, update the corresponding flows in `vue/` and notify the frontend on the PR.
+- **Django** is the upstream backend. When the BFF proxy touches a new endpoint, confirm the Django route exists and is documented in the relevant `nside_wefa/<app>/README.md`.
+- The BFF sits at the boundary; rather than expand BFF surface area, prefer pushing logic to Django (where it can be unit-tested + system-checked) or to Vue (where the user owns the state).
+
+## Docker / release
+
+- The BFF is shipped as a Docker image to GHCR on every GitHub release: `ghcr.io/n-side-dev/wefa/bff:<release-tag>` (and `:latest` for non-prerelease tags). See repo root `README.md`.
+- **Port env vars differ by entrypoint**: `flask run` reads `FLASK_RUN_PORT`, Docker reads `PORT`, and `python bff.py` defaults to 5000 unless code overrides it. Always set `FLASK_RUN_PORT` for `flask run` and `PORT` for Docker.
+- Don't change `pyproject.toml` Python ceiling (`>=3.12,<3.13`) without coordinating; some downstream Docker tooling pins 3.12.
+
+## Open follow-ups
+
+- **No central log correlation yet.** When the request-ID middleware tracked in [`../docs/agent-roadmap.md`](../docs/agent-roadmap.md) ships, the BFF should forward `X-Request-ID` so logs correlate end-to-end.
diff --git a/code_review.md b/code_review.md
new file mode 100644
index 00000000..bb0a23e5
--- /dev/null
+++ b/code_review.md
@@ -0,0 +1,23 @@
+# WeFa Review Checklist
+
+Use this checklist when the task is a review rather than an implementation.
+
+## Output Shape
+
+- Findings first, ordered by severity, with file references.
+- Keep summaries brief and secondary to the findings.
+- If there are no findings, say so explicitly and call out any residual risk or missing verification.
+
+## Review Priorities
+
+1. Correctness issues, behavioural regressions, broken contracts, and risky edge cases.
+2. Missing tests, especially for non-default or opt-in paths.
+3. API, documentation, release, or versioning impacts that were not updated alongside the change.
+4. Auth, cookie, session, and security-sensitive concerns.
+5. Maintainability issues that materially raise future change risk.
+
+## WeFa-Specific Prompts
+
+- Check that generated artifacts and documented contracts stay in sync.
+- Call out missing workspace quality-gate coverage when the change crosses `django/`, `bff/`, or `vue/`.
+- For Vue work, treat untranslated user-facing text as a review issue.
diff --git a/django/AGENTS.md b/django/AGENTS.md
new file mode 100644
index 00000000..b7cea6dd
--- /dev/null
+++ b/django/AGENTS.md
@@ -0,0 +1,179 @@
+# WeFa Django – Agent Guide
+
+Backend slice of the N-SIDE WeFa toolkit. Read alongside the repo-wide [`../AGENTS.md`](../AGENTS.md). Each shipped app additionally has its own `README.md` covering its public surface — read that before extending an existing app.
+
+## Layout
+
+- Source: `nside_wefa/<app>/` — one app per concern. Existing apps: `common`, `utils`, `authentication`, `legal_consent`, `locale`, `audit`.
+- Each app mirrors the same shape: `apps.py`, `checks.py`, `models/` or `models.py`, `serializers.py`, `urls.py`, `views/`, `admin.py` (when it owns models), `tests/`, `README.md`.
+- Canonical references when in doubt:
+  - **`audit/`** — most complete: settings, system checks, registration UX, REST endpoints, admin, signals, management commands, tamper-evident model, exhaustive tests.
+  - **`locale/`** — smallest end-to-end: model + signal + REST + checks + tests.
+- Test settings & wiring live in `demo/` — adding a new app means updating `demo/settings.py` (`INSTALLED_APPS`, `MIDDLEWARE`, `NSIDE_WEFA`) and `demo/urls.py`.
+- `pytest.ini` is configured to use `demo.settings`.
+
+## Conventions
+
+### Settings access
+- Every app reads from `NSIDE_WEFA.<SECTION>`. Use `nside_wefa.common.settings.get_section(name)` / `get_value(name, key, default)` to read. Do not invent new `_*Configuration` private classes — the legacy ones in `legal_consent` and `locale` are kept for back-compat only.
+- `override_settings(NSIDE_WEFA={...})` replaces the **whole** dict in tests. Re-include `APP_NAME` and any other section consumed by an installed app's `apps.py.ready()`.
+
+```python
+# Bad — bespoke private config class duplicating shared infrastructure
+class _LegalConsentConfiguration:
+    def __init__(self) -> None:
+        nside_wefa_settings = cast(_NsideWefaSettings, settings.NSIDE_WEFA)
+        configuration = nside_wefa_settings["LEGAL_CONSENT"]
+        self.version = configuration["VERSION"]
+
+config = _LegalConsentConfiguration()
+version = config.version
+
+# Good — read through the shared helper so checks and tests behave consistently
+from nside_wefa.common.settings import get_value
+
+version = get_value("LEGAL_CONSENT", "VERSION")
+```
+
+### System checks
+- Every app registers via `apps.py.ready() → from . import checks`. The import is intentionally unused; `@register()` decorators in `checks.py` do the work.
+- Use the helpers in `nside_wefa.utils.checks`:
+  - `check_apps_dependencies_order(deps)` — enforces order between **consecutive pairs**. For "X *and* Y must each precede Z" without ordering X vs Y, call it twice with separate two-element lists (see `audit/checks.py::wefa_apps_dependencies_check`).
+  - `check_nside_wefa_settings(...)` — validates a section + required keys + per-key validators. **Footgun: it rejects empty `{}` sections.** For all-keys-optional sections, iterate validators directly (see `audit/checks.py::audit_settings_check`).
+  - Primitive validators (each takes a `setting_path` for error messages): `validate_bool`, `validate_optional_positive_int`, `validate_string_list(allowed=...)`, `validate_dotted_path_callable`, `validate_model_label`, `validate_model_label_dict`.
+
+```python
+# Bad — using check_nside_wefa_settings on an all-optional section.
+#       Empty NSIDE_WEFA["AUDIT"] = {} would now raise a system-check error
+#       even though "use all defaults" is the intended UX.
+@register()
+def audit_settings_check(app_configs, **kwargs):
+    return check_nside_wefa_settings(
+        section_name="AUDIT",
+        required_keys=[],
+        validators={"TAMPER_EVIDENT": validate_bool("...")},
+    )
+
+# Good — iterate validators only over keys that are actually present
+@register()
+def audit_settings_check(app_configs, **kwargs):
+    section = (getattr(django_settings, "NSIDE_WEFA", None) or {}).get("AUDIT")
+    if section is None:
+        return []
+    validators = {"TAMPER_EVIDENT": validate_bool("NSIDE_WEFA.AUDIT.TAMPER_EVIDENT")}
+    errors = []
+    for key, validator in validators.items():
+        if key in section:
+            errors.extend(validator(section[key]))
+    return errors
+```
+
+### Models, signals, migrations
+- OneToOne to `settings.AUTH_USER_MODEL` with `post_save` auto-creation is the toolkit pattern (`legal_consent.LegalConsent`, `locale.UserLocale`). Use `dispatch_uid="models.create_*"` so reconnects stay idempotent.
+- Migrations should backfill existing users via `RunPython` (see `locale/migrations/0001_initial.py`).
+- `default_auto_field = "django.db.models.BigAutoField"` on every `AppConfig`.
+
+### Signal-driven diffs (only emit on real change)
+- Pattern used by `audit/builtin/locale.py` and `audit/builtin/legal_consent.py`: `post_init` snapshots the persisted tuple onto the instance under `_wefa_audit_previous_*`, `post_save` compares current vs snapshot and emits only on change, then refreshes the snapshot. Do not use `created` as a proxy — it misses re-saves of already-changed rows.
+
+```python
+# Bad — `created` only fires on insert, so updates that change `code`
+#       silently never emit an audit event.
+def _on_locale_saved(sender, instance, created, **kwargs):
+    if created:
+        api.log("locale.change", actor=instance.user, target=instance,
+                changes={"code": {"from": None, "to": instance.code}})
+
+# Good — snapshot the persisted value at post_init, diff at post_save,
+#        refresh the snapshot so successive saves are also tracked.
+_SNAPSHOT_ATTR = "_wefa_audit_previous_code"
+
+def _snapshot_code(sender, instance, **kwargs):
+    setattr(instance, _SNAPSHOT_ATTR, instance.code)
+
+def _on_locale_saved(sender, instance, created, **kwargs):
+    previous = getattr(instance, _SNAPSHOT_ATTR, None)
+    current = instance.code
+    if previous == current:
+        return
+    api.log("locale.change", actor=instance.user, target=instance,
+            changes={"code": {"from": previous, "to": current}})
+    setattr(instance, _SNAPSHOT_ATTR, current)
+```
+
+### REST views
+- `APIView`-based; explicit `permission_classes` and `serializer_class`.
+- `@extend_schema` annotations on every method with `operation_id`, `tags=["<App>"]`, `summary`, `description`, explicit `responses={...}`.
+- Define `app_name` in `urls.py`; mount in `demo/urls.py` via `include("nside_wefa.<app>.urls")`.
+
+### Admin
+- Every shipped model should be admin-registered (`audit/admin.py` is the reference for read-only admins).
+- When wrapping a third-party model that's already admin-registered (e.g. `auditlog.LogEntry`), `admin.site.unregister(Model)` first inside a `try/except NotRegistered`. **`NotRegistered` lives at `django.contrib.admin.exceptions`** — the alias under `.sites` exists at runtime but isn't in the type stubs.
+
+### Working with `django-auditlog` (when relevant)
+- **Always resolve the active model via `auditlog.get_logentry_model()`** instead of importing `LogEntry` directly. Under tamper-evidence the base `LogEntry.objects` raises `AttributeError: Manager isn't available; ... has been swapped`, so hard-coded references silently break — and silently-failing audit writes are doubly bad because `RAISE_ON_FAILURE=False` swallows them.
+- `AUDITLOG_LOGENTRY_MODEL` expects Django's `app_label.ModelName` form (e.g. `audit.WefaLogEntry`), **not** the dotted Python import path. Resolved via `apps.get_model(...)` internally.
+
+## Quality gate
+
+Run before opening a PR. CWD is `django/`.
+
+```bash
+uv sync --all-extras                               # install + dev deps (idempotent)
+uv run pytest                                      # full suite
+uv run ruff check nside_wefa demo                  # lint
+uv run ruff format --check nside_wefa demo         # format check
+uv run mypy nside_wefa/                            # type check
+uv run python manage.py check                      # system checks
+```
+
+Helpers:
+
+```bash
+uv run ruff format nside_wefa demo                 # auto-format
+uv run ruff check --fix nside_wefa demo            # auto-fix lint
+uv run pytest nside_wefa/<app>/tests/test_<x>.py -x --tb=short
+uv run python manage.py makemigrations --check --dry-run
+```
+
+## Tests
+
+- Mirror production layout under `nside_wefa/<app>/tests/<area>/`. Each `tests/` and subfolder needs an empty `__init__.py`.
+- `django.test.TestCase` for DB-touching tests (auto-rollback per test); `rest_framework.test.APITestCase` for view tests.
+- **Transaction gotcha**: a query expected to raise inside `TestCase` leaves the implicit `atomic` block in error state and subsequent queries fail with `TransactionManagementError`. Wrap the failing call in its own savepoint:
+  ```python
+  with transaction.atomic(), self.assertRaises(SomeError):
+      thing_that_raises()
+  ```
+- **Module-global registries** (e.g. `auditlog.registry.auditlog`) persist across tests. Add a `tearDown` that unregisters anything the test registered, and prefer test-only models that aren't already wired in `demo/settings.py` to avoid cross-test interference.
+- **`AUDITLOG_*` settings** get set during `AppConfig.ready()` at suite boot. Tests that exercise the translation layer must snapshot, clear, and restore those keys around each case (see `audit/tests/test_settings_translation.py::_RestoreAuditlogSettings`).
+- **Test under non-default settings**: every feature gated by an opt-in flag (tamper-evidence, `INCLUDE_ALL_MODELS`, `RAISE_ON_FAILURE=True`) needs a regression test with the flag flipped on. Several real bugs in past PRs shared the shape "worked in the default config, broke under the opt-in".
+
+## Demo project
+
+- `python manage.py runserver` and `python manage.py migrate` use the SQLite DB at `django/db.sqlite3` (committed for the demo).
+- One-shot ORM scripts need `DJANGO_SETTINGS_MODULE` in the env:
+  ```bash
+  DJANGO_SETTINGS_MODULE=demo.settings uv run python -c '
+  import django; django.setup()
+  ...
+  '
+  ```
+- New apps must be wired in `demo/settings.py` (`INSTALLED_APPS`, `MIDDLEWARE` if relevant, `NSIDE_WEFA["<APP>"]`) and `demo/urls.py` **before** `manage.py makemigrations <app>` will work — the autodetector needs the app installed.
+
+## Adding a new app — checklist
+
+1. **Scaffold**: `nside_wefa/<app>/{__init__.py, apps.py, checks.py}`. `apps.py` sets `default_auto_field = "django.db.models.BigAutoField"` and `name = "nside_wefa.<app>"`; `ready()` does `from . import checks  # noqa: F401` and any startup wiring.
+2. **Wire the demo**: add to `demo/settings.py` `INSTALLED_APPS` (after `nside_wefa.common`); populate `NSIDE_WEFA["<APP>"]` if the app reads settings; register URLs in `demo/urls.py`; append middleware if needed.
+3. **System checks**: dependency-order check, settings-shape check, per-key validators using the primitives from `nside_wefa.utils.checks`. Cover every key so `manage.py check` catches mistakes at boot.
+4. **Models + migrations**: `python manage.py makemigrations <app>` once models exist; commit migration alongside the model. Backfill existing users via `RunPython` for OneToOne to `AUTH_USER_MODEL`.
+5. **Tests**: mirrored `tests/` tree covering models, serializers, views, checks, signals, management commands. Include cases for opt-in flags turned on.
+6. **Per-app README**: follow `nside_wefa/audit/README.md` shape — overview, installation, registration UX (if relevant), settings reference table, REST endpoints table, conventions.
+7. **Top-level docs**: update `django/README.md` Features list, Included Apps, Quick Start `INSTALLED_APPS` snippet, `NSIDE_WEFA` Configuration block.
+8. **Version bump**: bump `pyproject.toml` `version` when shipping; the monorepo release script lives at `scripts/wefa_version.py` (run from repo root).
+
+## When in doubt
+
+- Mirror [`nside_wefa/audit/`](nside_wefa/audit/) (latest, full surface) or [`nside_wefa/locale/`](nside_wefa/locale/) (smallest end-to-end).
+- For DRF / SimpleJWT mutations of `REST_FRAMEWORK`, mirror `nside_wefa.authentication.utils.settings_initialization`.
+- Before adding cross-cutting infrastructure, check [`../docs/agent-roadmap.md`](../docs/agent-roadmap.md) first — some presets are already scoped there (for example audit was tracked as E1 and request-ID observability as E8).
diff --git a/django/CONTRIBUTE.md b/django/CONTRIBUTE.md
index 165c16a8..198a9556 100644
--- a/django/CONTRIBUTE.md
+++ b/django/CONTRIBUTE.md
@@ -3,6 +3,8 @@
 Thank you for your interest in contributing to N-SIDE WeFa!
 This document provides guidelines and instructions for setting up your development environment and contributing to the project.
 
+> **Working with an AI agent (Codex, Claude Code, Copilot, etc.)?** Read [`AGENTS.md`](AGENTS.md) for the curated backend conventions, the quality gate, the new-app checklist, and known gotchas. This CONTRIBUTE.md focuses on the human contributor onboarding flow.
+
 ## Table of Contents
 
 - [Development Setup](#development-setup)
diff --git a/vue/.github/copilot-instructions.md b/vue/.github/copilot-instructions.md
index 7fca9627..d6c8ed77 100644
--- a/vue/.github/copilot-instructions.md
+++ b/vue/.github/copilot-instructions.md
@@ -1,270 +1,15 @@
-# N-SIDE WeFa- Development Instructions
+# WeFa Vue Compatibility Instructions
 
-## Project Overview
-**This is a PrimeVue-based component library superset** (`@nside/wefa`) built with Vue 3 and TypeScript. The library extends and enhances PrimeVue components with additional functionality, custom styling using Tailwind CSS, and domain-specific features for energy management applications.
+This file exists only for tools that look specifically for `copilot-instructions.md`.
 
-### Core Architecture
-- **Base Framework**: PrimeVue 4.3.6 as the foundational UI component library
-- **Enhancement Layer**: Custom components that wrap, extend, or compose PrimeVue components
-- **Styling**: Tailwind CSS 4.1.11 with PrimeUI integration - **NO custom CSS files**
-- **Component Pattern**: Each component is a superset that adds value to existing PrimeVue functionality
+## Source Of Truth
 
-## Component Development Guidelines
+- Start with [`../AGENTS.md`](../AGENTS.md).
+- For reusable frontend workflows, read [`../../.agents/skills/wefa-vue-frontend/SKILL.md`](../../.agents/skills/wefa-vue-frontend/SKILL.md).
+- For TanStack Query work, also read [`../../.agents/skills/wefa-tanstack-query/SKILL.md`](../../.agents/skills/wefa-tanstack-query/SKILL.md).
 
-### Required Deliverables for Each Component
-Every component exposed by this library **MUST** include:
+## Notes
 
-1. **Single File Component (SFC)**: The main `.vue` component file
-2. **Storybook Stories**: `.stories.ts` file with interaction tests. Never includes the `autodocs` tag.
-3. **Unit Tests**: `.spec.ts` file with comprehensive test coverage
-4. **MDX Documentation**: `.mdx` file with complete documentation including use cases.
-
-### Component Development Pattern
-When creating new components, follow this established pattern:
-
-#### 1. Use PrimeVue as Foundation
-```typescript
-// Import PrimeVue components when needed
-import Breadcrumb from 'primevue/breadcrumb'
-import type { MenuItem } from 'primevue/menuitem'
-
-// Extend or compose PrimeVue functionality
-export interface YourComponentProps {
-  // Add your custom props that enhance PrimeVue behavior
-}
-```
-
-#### 2. Style with Tailwind Only
-- **DO**: Use Tailwind CSS classes for all styling
-- **DO**: Leverage `tailwindcss-primeui` for PrimeVue component styling
-- **DON'T**: Create custom CSS files or `<style>` blocks
-- **DON'T**: Use inline styles
-
-#### 3. Component Structure Example
-Reference the `AutoroutedBreadcrumb` component as the gold standard:
-```
-src/components/YourComponent/
-├── YourComponent.vue          # Main SFC component
-├── YourComponent.stories.ts   # Storybook stories with interactions
-├── YourComponent.spec.ts      # Unit tests
-└── YourComponent.mdx          # Complete documentation
-```
-
-### Development Workflow
-1. **Plan**: Identify which PrimeVue component(s) to extend or compose
-2. **Implement**: Create the SFC using PrimeVue + Tailwind styling
-3. **Document**: Write comprehensive MDX documentation with use cases, as well as stories for Storybook
-4. **Test**: Create unit tests and Storybook stories with interactions
-5. **Validate**: Ensure all four deliverables are complete and working
-
-## Build/Configuration Instructions
-
-### Prerequisites
-- Node.js (version compatible with ES2022)
-- npm for package management
-
-### Development Setup
-```bash
-npm install
-npm run dev  # Starts development server on http://localhost:5173
-```
-
-### Build Process
-```bash
-npm run build  # Runs type-checking and Vite build in parallel
-```
-- **Type Checking**: `vue-tsc --build` validates TypeScript across the project
-- **Build Output**: Creates demo application in `dist/` directory
-- **Bundle Analysis**: Main bundle ~237KB (63KB gzipped)
-
-### Key Configuration Files
-- **vite.config.ts**: Standard Vue 3 setup with Tailwind CSS integration
-- **tsconfig.json**: Uses project references for modular TypeScript configuration
-  - `tsconfig.app.json`: Main application config (ES2022 target, DOM libraries)
-  - `tsconfig.node.json`: Node.js tooling configuration
-  - `tsconfig.vitest.json`: Test-specific TypeScript settings
-
-## Testing Information
-
-### Test Architecture
-The project uses a multi-layered testing approach with three distinct test projects:
-
-#### 1. Component Tests
-- **Location**: `src/components/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}`
-- **Framework**: Vitest + Vue Test Utils
-- **Environment**: jsdom
-
-**Example Component Test** (PrimeVue-based component):
-```typescript
-import { describe, it, expect } from 'vitest'
-import { mount } from '@vue/test-utils'
-import { createRouter, createWebHistory } from 'vue-router'
-import AutoroutedBreadcrumb from '../AutoroutedBreadcrumb/AutoroutedBreadcrumb.vue'
-
-describe('AutoroutedBreadcrumb', () => {
-  it('renders PrimeVue breadcrumb with route-based items', async () => {
-    const router = createRouter({
-      history: createWebHistory(),
-      routes: [{ path: '/dashboard/settings', component: {} }]
-    })
-    
-    const wrapper = mount(AutoroutedBreadcrumb, {
-      global: { plugins: [router] }
-    })
-    
-    // Test that PrimeVue Breadcrumb component is rendered
-    expect(wrapper.findComponent({ name: 'Breadcrumb' }).exists()).toBe(true)
-  })
-})
-```
-
-#### 2. Network Layer Tests
-- **Location**: `src/network/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}`
-- **Framework**: Vitest with axios-mock-adapter
-- **Coverage**: 18 comprehensive API client tests
-
-#### 3. Storybook Visual Tests
-- **Framework**: Storybook + Vitest browser mode
-- **Browsers**: Chromium, WebKit (Firefox commented out)
-- **Integration**: Tests run against actual Storybook stories
-- **Setup**: `.storybook/vitest.setup.ts`
-
-#### 4. End-to-End Tests
-- **Location**: `e2e/`
-- **Framework**: Playwright
-- **Browsers**: Chromium, Firefox, WebKit
-- **Configuration**: Auto-starts dev server before tests
-
-**Example E2E Test**:
-```typescript
-import { test, expect } from '@playwright/test';
-
-test('visits the app root url', async ({ page }) => {
-  await page.goto('/');
-  await expect(page.locator('h1')).toHaveText('You did it!');
-})
-```
-
-### Running Tests
-```bash
-# Unit and component tests
-npm run test:unit        # Run once
-npm run test:unit:watch  # Watch mode
-
-# End-to-end tests
-npm run test:e2e
-
-# All tests run automatically include:
-# - Component tests (jsdom environment)
-# - Network layer tests
-# - Storybook visual tests (browser mode)
-```
-
-### Test Coverage
-- **Provider**: Istanbul
-- **Reporters**: text, cobertura, lcov
-- **Output**: `./coverage` directory
-
-### Adding New Tests
-1. **Component Tests**: Create `*.spec.ts` files in `src/components/__tests__/` (centralized location for all component tests)
-2. **Network Tests**: Create `*.test.ts` files in `src/network/__tests__/`
-3. **E2E Tests**: Create `*.spec.ts` files in `e2e/`
-4. **Storybook Tests**: Tests automatically generated from `*.stories.ts` files
-
-## Additional Development Information
-
-### Technology Stack
-- **Framework**: Vue 3.5.18 with Composition API
-- **Build Tool**: Vite 7.0.5
-- **Language**: TypeScript 5.8.3
-- **UI Framework**: PrimeVue 4.3.6 with PrimeIcons
-- **Styling**: Tailwind CSS 4.1.11 with PrimeUI integration
-- **State Management**: Pinia 3.0.3
-- **HTTP Client**: Axios 1.11.0
-- **Router**: Vue Router 4.5.1
-
-### Code Quality & Standards
-
-#### ESLint Configuration
-Comprehensive linting setup with multiple plugins:
-- **Vue**: `eslint-plugin-vue` with flat/recommended config
-- **TypeScript**: Vue TypeScript recommended rules
-- **Security**: `eslint-plugin-security` for vulnerability detection
-- **Code Quality**: `eslint-plugin-sonarjs` for code smells
-- **Documentation**: `eslint-plugin-jsdoc` for JSDoc validation
-- **Testing**: Specific rules for Vitest and Playwright
-- **Storybook**: `eslint-plugin-storybook` integration
-
-**Custom Rules**:
-```json
-{
-  "vue/block-order": ["error", {
-    "order": ["template", "script", "style"]
-  }]
-}
-```
-
-#### Code Formatting
-- **Tool**: Prettier 3.6.2
-- **Integration**: ESLint skip-formatting config prevents conflicts
-- **Commands**: 
-  - `npm run format` - Format code
-  - `npm run format-check` - Check formatting
-
-### Development Workflow
-
-#### Storybook Integration
-```bash
-npm run storybook        # Start Storybook dev server (port 6006)
-npm run build-storybook  # Build static Storybook
-```
-
-#### Linting & Type Checking
-```bash
-npm run lint           # Fix linting issues
-npm run lint-check     # Check without fixing
-npm run type-check     # TypeScript validation
-```
-
-### Project Structure
-```
-src/
-├── components/         # Reusable Vue components
-│   └── */              # Component directories with stories and tests
-├── network/            # API client and network utilities
-│   ├── __tests__/      # Network layer tests
-│   ├── apiClient.ts    # Main HTTP client
-│   └── index.ts        # Network exports
-├── stores/             # Pinia stores
-├── stories/            # Storybook stories
-├── App.vue             # Main application component
-└── main.ts             # Application entry point
-```
-
-### Special Configurations
-
-#### Path Aliases
-- `@/*` maps to `./src/*` (configured in both Vite and TypeScript)
-
-#### Bundle Size Monitoring
-- **Tool**: bundlesize package
-- **Limit**: 300 kB for `./dist/**/*.js`
-
-#### CI/CD Considerations
-- Playwright runs in headless mode on CI
-- Different server ports for dev (5173) vs preview (4173)
-- Test retries enabled on CI (2 retries)
-- Parallel test execution disabled on CI
-
-### Development Tips
-1. **Component Development**: Use Storybook for isolated component development
-2. **Testing Strategy**: Write component tests first, then add Storybook stories for visual testing
-3. **Network Layer**: Mock API responses using axios-mock-adapter in tests
-4. **Type Safety**: Leverage TypeScript strict mode and Vue 3's improved TypeScript support
-5. **Performance**: Monitor bundle size with the configured bundlesize limits
-
-### Debugging
-- **Vue DevTools**: Enabled in development via `vite-plugin-vue-devtools`
-- **Test Debugging**: Use `npm run test:unit:watch` for interactive test development
-- **E2E Debugging**: Playwright traces available on test failures
-- **Storybook**: Visual debugging of components in isolation
\ No newline at end of file
+- Keep durable Vue workspace rules in `vue/AGENTS.md`.
+- Keep reusable workflow instructions in `.agents/skills/`.
+- Do not duplicate those rules here.
diff --git a/vue/AGENTS.md b/vue/AGENTS.md
new file mode 100644
index 00000000..7815f45b
--- /dev/null
+++ b/vue/AGENTS.md
@@ -0,0 +1,67 @@
+# WeFa Vue – Agent Guide
+
+Frontend slice of the N-SIDE WeFa monorepo. This file is the entry point for any agent that follows the AGENTS.md convention; the deep guidance lives in two repo-local skills that Codex can auto-discover and other agents can read directly.
+
+## Library identity
+
+`@nside/wefa` is a **PrimeVue superset** — every public component either wraps, extends, or composes PrimeVue + PrimeIcons, styled exclusively through Tailwind 4 with `tailwindcss-primeui`. The reuse hierarchy is **WeFa → PrimeVue → native HTML**, never invent a new primitive when a PrimeVue equivalent exists. Pinia, Vue Router, Axios, and TanStack Query Vue v5 round out the runtime stack.
+
+## Where the conventions live
+
+- **`../.agents/skills/wefa-vue-frontend/SKILL.md`** — component reuse hierarchy (WeFa → PrimeVue → native), folder shape, i18n, delivery workflow, quality-gate commands. Read first for any UI work. Codex can auto-discover this skill; non-Codex agents should open the `SKILL.md` file directly.
+- **`../.agents/skills/wefa-tanstack-query/SKILL.md`** — TanStack Query Vue v5 patterns, when to use `apiClient` / `typedApiClient` / direct hooks, cache invalidation, mutations, v5 vs pre-v5 review checklist. Read when adding or reviewing network code.
+- **[`CONTRIBUTE.md`](CONTRIBUTE.md)** — human onboarding, project layout, full npm scripts table, release flow.
+- **[`README.md`](README.md)** — package capabilities, exports, install, demo flow.
+- **[`.github/copilot-instructions.md`](.github/copilot-instructions.md)** — compatibility entry point for tools that look for `copilot-instructions.md`; it points back to this file and the skills above and is not the source of truth.
+
+## Quality gate (paste-ready)
+
+Run from `vue/` before opening a PR:
+
+```bash
+npm install
+npm run lint-check
+npm run type-check
+npm run format-check
+npm run test:unit -- --reporter=dot --silent
+npm run build
+npm run test:e2e -- --reporter=dot       # only when routing, demo flows, or browser interactions changed
+npm run test:package-types               # only when exports or packaging changed
+```
+
+## Workspace map (cheat sheet)
+
+- Public surface starts at `src/lib.ts` and `src/containers/index.ts`.
+- Feature folders keep neighbours together: source, `index.ts`, stories, MDX docs, tests in the same folder.
+- Reference component: [`src/components/AutoroutedBreadcrumb/`](src/components/AutoroutedBreadcrumb/) — canonical four-deliverable shape (`.vue`, `.stories.ts`, `.spec.ts`, `.mdx`). Mirror this structure when adding a public component.
+- Library i18n: `src/locales/index.ts` + `src/locales/<locale>/*.json`.
+- Cross-cutting helpers: `src/network/`, `src/router/`, `src/plugins/`, `src/stores/` — check before duplicating.
+- Demo + generated OpenAPI client: `src/demo/` and `src/demo/openapi/`.
+
+## Test layout
+
+Vitest is configured with three projects plus a separate Playwright runner. Pick the right one:
+
+- **Component tests** — `src/components/**/*.{spec,test}.ts`, jsdom env, Vue Test Utils.
+- **Network tests** — `src/network/__tests__/**`, jsdom + axios-mock-adapter; mock `@tanstack/vue-query` directly when asserting wrapper config.
+- **Storybook visual tests** — auto-generated from `*.stories.ts`, run in browser mode (Chromium + WebKit).
+- **E2E** — `e2e/**/*.spec.ts` via Playwright; auto-starts the demo dev server. Run only when routing, demo flows, or browser interactions changed.
+
+Coverage is Istanbul, output in `./coverage` (`text` + `cobertura` + `lcov` reporters).
+
+## Cross-workspace coordination
+
+- Backend API shape comes from `django/` first. When the OpenAPI surface changes, regenerate the typed client through the existing script under `src/demo/openapi/` rather than hand-editing.
+- Cookie/session-based auth flows are mediated by `bff/`. When changing auth-aware UI, confirm cookie names and redirect targets match what `bff/AGENTS.md` and `bff/README.md` document.
+
+## Known gotchas
+
+- `copilot-instructions.md` is a compatibility pointer only. Keep the current rules in this file and the two skill files above.
+- `withDefaults()` is discouraged; use `const { prop = default } = defineProps<Type>()` (per the frontend SKILL).
+- Treat data returned from queries as immutable; copy before binding to `v-model` or local mutation (per the TanStack SKILL).
+- Test runs default to low-verbosity reporters (`--reporter=dot --silent`); rerun the failing scope with detail only when debugging.
+- Keep user-facing literals (including `aria-label`, `title`, placeholders) translated through i18n keys — never hard-code English copy.
+- **SFC block order is enforced**: `<template>` → `<script>` → `<style>` (eslint `vue/block-order`). Composition-API instinct is to write script first; ESLint will fail the build.
+- **Stories must not declare the `autodocs` tag** — the project relies on hand-authored `.mdx` docs as the canonical reference and `autodocs` causes duplicated/stale auto-generated pages.
+- **No new CSS files / `<style>` blocks for routine styling.** Stick to Tailwind utilities and `tailwindcss-primeui`. Scoped styles are an escape hatch only when an existing feature pattern already needs layout math, chart sizing, or other cases Tailwind cannot express cleanly (per the frontend SKILL).
+- **Bundle budget**: `./dist/**/*.js` is capped at 2 MB by [bundlesize](package.json) — if a change risks breaching it, flag the bundle delta in the PR.
diff --git a/vue/package-lock.json b/vue/package-lock.json
index c3d6aa42..0183501d 100644
--- a/vue/package-lock.json
+++ b/vue/package-lock.json
@@ -164,6 +164,7 @@
       "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.29.0",
         "@babel/generator": "^7.29.0",
@@ -347,7 +348,6 @@
       "integrity": "sha512-KHp2IflsnGywDjBWDkR9iEqiWSpc8GIi0lgTT3mOElT0PP1tG26P4tmFI2YvAdzgq9RGyoHZQEIEdZy6Ec5xCA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=6.9.0"
       }
@@ -528,6 +528,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=20.19.0"
       },
@@ -576,31 +577,11 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=20.19.0"
       }
     },
-    "node_modules/@emnapi/core": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
-      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "@emnapi/wasi-threads": "1.2.1",
-        "tslib": "^2.4.0"
-      }
-    },
-    "node_modules/@emnapi/runtime": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
-      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "tslib": "^2.4.0"
-      }
-    },
     "node_modules/@emnapi/wasi-threads": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.1.tgz",
@@ -3170,6 +3151,7 @@
       "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
         "fast-uri": "^3.0.1",
@@ -4104,8 +4086,7 @@
       "resolved": "https://registry.npmjs.org/@types/aria-query/-/aria-query-5.0.4.tgz",
       "integrity": "sha512-rfT93uj5s0PRL7EzccGMs3brplhcrghnDoV26NqKhCAS1hVo+WdNsPvE/yb6ilfr5hi2MEk6d5EWJTKdxg8jVw==",
       "dev": true,
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/@types/chai": {
       "version": "5.2.2",
@@ -4257,6 +4238,7 @@
       "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@eslint-community/regexpp": "^4.12.2",
         "@typescript-eslint/scope-manager": "8.58.2",
@@ -4296,6 +4278,7 @@
       "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.58.2",
         "@typescript-eslint/types": "8.58.2",
@@ -4542,6 +4525,7 @@
       "integrity": "sha512-TrNaY/yVOwxtrxNsDUC/wQ56xSwplpytTeRAqF/197xV/ZddxxulBsxR6TrhVMyniJmp9in8d5u0AcDaNRY30w==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@blazediff/core": "1.9.1",
         "@vitest/mocker": "4.1.4",
@@ -4565,6 +4549,7 @@
       "integrity": "sha512-q3PchVhZINX23Pv+RERgAtDlp6wzVkID/smOPnZ5YGWpeWUe3jMNYppeVh15j4il3G7JIJty1d1Kicpm0HSMig==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@vitest/browser": "4.1.4",
         "@vitest/mocker": "4.1.4",
@@ -4770,6 +4755,7 @@
       "integrity": "sha512-xTp7VZ5aXP5ZJrn15UtJUWlx6qXLnGtF6jNxHepdPHpMfz/aVPx+htHtgcAL2mDXJgKhpoo2e9/hVJsIeFbytQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@vitest/utils": "4.1.4",
         "pathe": "^2.0.3"
@@ -5326,6 +5312,7 @@
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
       "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
       "license": "MIT",
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -5592,6 +5579,7 @@
       "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.1.tgz",
       "integrity": "sha512-WOG+Jj8ZOvR0a3rAn+Tuf1UQJRxw5venr6DgdbJzngJE3qG7X0kL83CZGpdHMxEm+ZK3seAbvFsw4FfOfP9vxg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "follow-redirects": "^1.15.11",
         "form-data": "^4.0.5",
@@ -5744,6 +5732,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.10.12",
         "caniuse-lite": "^1.0.30001782",
@@ -6412,8 +6401,7 @@
       "resolved": "https://registry.npmjs.org/dom-accessibility-api/-/dom-accessibility-api-0.5.16.tgz",
       "integrity": "sha512-X7BJ2yElsnOJ30pZF4uIIDfBEVgF4XEBxL9Bxhy6dnrm5hkzqmsWHGTiHqRiITNhMyFLyAiWndIJP7Z1NTteDg==",
       "dev": true,
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/dotenv": {
       "version": "17.4.2",
@@ -6584,6 +6572,7 @@
       "devOptional": true,
       "hasInstallScript": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "esbuild": "bin/esbuild"
       },
@@ -6655,6 +6644,7 @@
       "integrity": "sha512-wiyGaKsDgqXvF40P8mDwiUp/KQjE1FdrIEJsM8PZ3XCiniTMXS3OHWWUe5FI5agoCnr8x4xPrTDZuxsBlNHl+Q==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.2",
@@ -6711,6 +6701,7 @@
       "integrity": "sha512-82GZUjRS0p/jganf6q1rEO25VSoHH0hKPCTrgillPjdI/3bgBhAE1QzHrHTizjpRvy6pGAvKjDJtk2pF9NDq8w==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "eslint-config-prettier": "bin/cli.js"
       },
@@ -6857,6 +6848,7 @@
       "integrity": "sha512-f1J/tcbnrpgC8suPN5AtdJ5MQjuXbSU9pGRSSYAuF3SHoiYCOdEX6O22pLaRyLHXvDcOe+O5ENgc1owQ587agA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.4.0",
         "natural-compare": "^1.4.0",
@@ -7808,6 +7800,7 @@
       "integrity": "sha512-am5zfg3yu6sqn5yjKBNqhnTX7Cv+m00ox+7jbaKkrLMRJ4rAdldd1xPd/JzbBWspqaQv6RSTrgFN95EsfhC+7w==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=16.9.0"
       }
@@ -8926,7 +8919,6 @@
       "integrity": "sha512-h5bgJWpxJNswbU7qCrV0tIKQCaS3blPDrqKWx+QxzuzL1zGUzij9XCWLrSLsJPu5t+eWA/ycetzYAO5IOMcWAQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "lz-string": "bin/bin.js"
       }
@@ -8961,6 +8953,7 @@
       "integrity": "sha512-E3ZJh4J3S9KfwdjZhe2afj6R9lGIN5Pher1pF39UGrXRqq/VDaGVIGN13BjHd2u8B61hArAGOnso7nBOouW3TQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/parser": "^7.29.0",
         "@babel/types": "^7.29.0",
@@ -9768,6 +9761,7 @@
       "resolved": "https://registry.npmjs.org/pinia/-/pinia-3.0.4.tgz",
       "integrity": "sha512-l7pqLUFTI/+ESXn6k3nu30ZIzW5E2WZF/LaHJEpoq6ElcLD+wduZoB2kBN19du6K/4FDpPMazY2wJr+IndBtQw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@vue/devtools-api": "^7.7.7"
       },
@@ -9811,6 +9805,7 @@
       "integrity": "sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "dependencies": {
         "playwright-core": "1.59.1"
       },
@@ -9872,6 +9867,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -9931,6 +9927,7 @@
       "integrity": "sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "prettier": "bin/prettier.cjs"
       },
@@ -9960,7 +9957,6 @@
       "integrity": "sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "ansi-regex": "^5.0.1",
         "ansi-styles": "^5.0.0",
@@ -9976,7 +9972,6 @@
       "integrity": "sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=10"
       },
@@ -10298,6 +10293,7 @@
       "integrity": "sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -10308,6 +10304,7 @@
       "integrity": "sha512-Xs1hdnE+DyKgeHJeJznQmYMIBG3TKIHJJT95Q58nHLSrElKlGQqDTR2HQ9fx5CN/Gk6Vh/kupBTDLU11/nDk/g==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "scheduler": "^0.26.0"
       },
@@ -10320,8 +10317,7 @@
       "resolved": "https://registry.npmjs.org/react-is/-/react-is-17.0.2.tgz",
       "integrity": "sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==",
       "dev": true,
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/read-package-json-fast": {
       "version": "4.0.0",
@@ -11006,6 +11002,7 @@
       "integrity": "sha512-uBSZu/GZa9aEIW3QMGvdQPMZWhGxSe4dyRWU8B3/Vd47Gy/XLC7tsBxRr13txmmPOEDHZR94uLuq0H50fvuqBw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@storybook/global": "^5.0.0",
         "@storybook/icons": "^2.0.1",
@@ -11254,7 +11251,8 @@
       "version": "4.2.2",
       "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
       "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/tailwindcss-primeui": {
       "version": "0.6.1",
@@ -11589,6 +11587,7 @@
       "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
       "devOptional": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -11814,6 +11813,7 @@
       "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.9.tgz",
       "integrity": "sha512-t7g7GVRpMXjNpa67HaVWI/8BWtdVIQPCL2WoozXXA7LBGEFK4AkkKkHx2hAQf5x1GZSlcmEDPkVLSGahxnEEZw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "lightningcss": "^1.32.0",
         "picomatch": "^4.0.4",
@@ -11933,6 +11933,7 @@
       "integrity": "sha512-tFuJqTxKb8AvfyqMfnavXdzfy3h3sWZRWwfluGbkeR7n0HUev+FmNgZ8SDrRBTVrVCjgH5cA21qGbCffMNtWvg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@vitest/expect": "4.1.4",
         "@vitest/mocker": "4.1.4",
@@ -12115,6 +12116,7 @@
       "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.32.tgz",
       "integrity": "sha512-vM4z4Q9tTafVfMAK7IVzmxg34rSzTFMyIe0UUEijUCkn9+23lj0WRfA83dg7eQZIUlgOSGrkViIaCfqSAUXsMw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@vue/compiler-dom": "3.5.32",
         "@vue/compiler-sfc": "3.5.32",
@@ -12793,6 +12795,7 @@
       "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz",
       "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==",
       "license": "MIT",
+      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }
diff --git a/vue/scripts/files/copilot-instructions.md b/vue/scripts/files/copilot-instructions.md
deleted file mode 100644
index 50ae74b5..00000000
--- a/vue/scripts/files/copilot-instructions.md
+++ /dev/null
@@ -1,420 +0,0 @@
-# N-SIDE WeFa- AI Agent Instructions
-
-> **TARGET AUDIENCE**: AI Agents (Junie, GitHub Copilot, Claude, etc.)  
-> **PROJECT TYPE**: Vue.js applications using N-SIDE WeFa
-> **LAST UPDATED**: 2025-24-09
-
----
-
-## 🤖 MANDATORY AI AGENT DIRECTIVES
-
-### ⚡ INSTANT DECISION MATRIX
-
-**WHEN IMPLEMENTING ANY UI COMPONENT:**
-
-```
-START → Need UI Component?
-  ↓
-1. ✅ CHECK: @nside/wefa has component?
-   → YES: USE WeFa component → END
-   → NO: Continue to step 2
-  ↓
-2. ✅ CHECK: Can compose solution with PrimeVue components?
-   → YES: USE PrimeVue composition + Tailwind → END
-   → NO: Continue to step 3
-  ↓
-3. ⚠️  LAST RESORT: Use native HTML
-   → REQUIRED: Add comment explaining why steps 1-2 failed → END
-```
-
----
-
-## 🚨 CRITICAL DEVELOPMENT RULES
-
-### Rule #1: Component Priority Hierarchy (ABSOLUTE ORDER)
-
-**🥇 FIRST CHOICE**: N-SIDE WeFa Components
-```javascript
-// ALWAYS check these first - import from main package
-import { 
-  ControlBarComponent,     // Navigation/toolbar
-  ConfiguredControlBarComponent,
-  FormComponent,          // Dynamic forms
-  TableComponent,         // Data tables
-  RoutedTabsComponent,    // Tab navigation
-  NetworkButton,          // Network operations
-  NotFound               // 404 pages
-} from '@nside/wefa'
-```
-
-**🥈 SECOND CHOICE**: PrimeVue Component Composition
-- **PRIORITY**: Compose complex UI using multiple PrimeVue components
-- **APPROACH**: Build custom functionality through composition
-- **STYLING**: Apply Tailwind CSS classes exclusively
-- **CATALOG**: https://primevue.org/
-
-**🥉 LAST RESORT**: Native HTML Elements  
-- **CONDITION**: Only when WeFa + PrimeVue cannot achieve the requirement
-- **REQUIREMENT**: Must include detailed comment explaining why higher-priority options failed
-
-### Rule #2: Styling - Tailwind CSS ONLY
-
-**🚫 ABSOLUTELY FORBIDDEN (AUTO-REJECT):**
-
-```vue
-<!-- ❌ NEVER: Custom style blocks -->
-<style scoped>
-.custom-class { background: red; }
-</style>
-
-<!-- ❌ NEVER: CSS file imports -->
-import './custom-styles.css'
-```
-
-**✅ REQUIRED APPROACH:**
-
-```vue
-<!-- ✅ ALWAYS: Use Tailwind classes -->
-<div class="text-red-500 bg-white p-4 rounded-lg shadow-md"></div>
-<Button class="bg-primary-500 hover:bg-primary-600 px-4 py-2 rounded-md"></Button>
-```
-
-**📚 STYLING RESOURCES:**
-- **Tailwind Classes**: https://tailwindcss.com/docs
-- **PrimeVue Integration**: Use `tailwindcss-primeui` package  
-- **Theme System**: Leverage `@primeuix/themes` integration
-
----
-
-## 📋 AI AGENT IMPLEMENTATION EXAMPLES
-
-### ❌ VIOLATION EXAMPLE (AUTO-REJECT)
-
-```vue
-<template>
-  <!-- ❌ VIOLATION: Custom HTML + Custom CSS -->
-  <div class="custom-card">
-    <h2 class="card-title">Title</h2>
-    <button class="primary-btn" @click="handleClick">Action</button>
-  </div>
-</template>
-
-<style scoped>
-/* ❌ FORBIDDEN: Custom CSS */
-.custom-card {
-  background: white;
-  padding: 20px;
-  border-radius: 8px;
-  box-shadow: 0 2px 4px rgba(0,0,0,0.1);
-}
-.primary-btn {
-  background: blue;
-  color: white;
-  padding: 10px 20px;
-}
-</style>
-```
-
-### ✅ CORRECT IMPLEMENTATION PATTERNS
-
-#### Pattern 1: WeFa First Choice
-```vue
-<template>
-  <!-- ✅ PRIORITY 1: Use WeFa components when available -->
-  <FormComponent 
-    v-if="needsForm" 
-    :config="formConfig" 
-    class="mb-6"
-  />
-  
-  <TableComponent 
-    v-if="needsTable"
-    :data="tableData"
-    :columns="tableColumns"
-    class="w-full"
-  />
-</template>
-
-<script setup>
-import { FormComponent, TableComponent } from '@nside/wefa'
-</script>
-```
-
-#### Pattern 2: PrimeVue Composition (When WeFa Unavailable)
-```vue
-<template>
-  <!-- ✅ PRIORITY 2: Compose with PrimeVue + Tailwind -->
-  <Card class="bg-white shadow-lg rounded-lg border border-gray-200 mb-6">
-    <template #title>
-      <div class="flex items-center justify-between p-4 border-b border-gray-200">
-        <h2 class="text-xl font-semibold text-gray-800">Dashboard</h2>
-        <Button 
-          icon="pi pi-refresh" 
-          class="bg-primary-500 hover:bg-primary-600 text-white"
-          @click="refresh"
-        />
-      </div>
-    </template>
-    
-    <template #content>
-      <div class="p-4 space-y-4">
-        <!-- Compose multiple PrimeVue components -->
-        <DataTable 
-          :value="users" 
-          class="border border-gray-300 rounded-md"
-          paginator 
-          :rows="10"
-        >
-          <Column field="name" header="Name" class="font-medium"></Column>
-          <Column field="email" header="Email" class="text-gray-600"></Column>
-          <Column>
-            <template #body="slotProps">
-              <div class="flex gap-2">
-                <Button 
-                  icon="pi pi-pencil" 
-                  size="small"
-                  class="bg-blue-500 hover:bg-blue-600 text-white px-2 py-1"
-                  @click="editUser(slotProps.data)"
-                />
-                <Button 
-                  icon="pi pi-trash" 
-                  size="small"
-                  class="bg-red-500 hover:bg-red-600 text-white px-2 py-1"
-                  @click="deleteUser(slotProps.data)"
-                />
-              </div>
-            </template>
-          </Column>
-        </DataTable>
-      </div>
-    </template>
-  </Card>
-</template>
-
-<script setup>
-import Card from 'primevue/card'
-import Button from 'primevue/button'
-import DataTable from 'primevue/datatable'
-import Column from 'primevue/column'
-</script>
-```
-
-#### Pattern 3: Complex Form Composition
-```vue
-<template>
-  <!-- ✅ ADVANCED: Multi-component composition -->
-  <Panel header="User Registration" class="bg-white shadow-md rounded-lg">
-    <form @submit.prevent="submitForm" class="space-y-4 p-6">
-      <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
-        <div>
-          <label class="block text-sm font-medium text-gray-700 mb-2">
-            First Name
-          </label>
-          <InputText 
-            v-model="form.firstName"
-            class="w-full border border-gray-300 rounded-md px-3 py-2 focus:ring-2 focus:ring-primary-500"
-            placeholder="Enter first name"
-          />
-        </div>
-        
-        <div>
-          <label class="block text-sm font-medium text-gray-700 mb-2">
-            Department
-          </label>
-          <Dropdown 
-            v-model="form.department"
-            :options="departments"
-            optionLabel="name"
-            optionValue="id"
-            placeholder="Select Department"
-            class="w-full border border-gray-300 rounded-md"
-          />
-        </div>
-      </div>
-      
-      <div class="flex justify-end space-x-3 pt-4 border-t border-gray-200">
-        <Button 
-          type="button"
-          label="Cancel" 
-          severity="secondary"
-          class="bg-gray-200 hover:bg-gray-300 text-gray-700 px-4 py-2 rounded-md"
-          @click="resetForm"
-        />
-        <Button 
-          type="submit"
-          label="Save User" 
-          class="bg-primary-500 hover:bg-primary-600 text-white px-4 py-2 rounded-md"
-        />
-      </div>
-    </form>
-  </Panel>
-</template>
-
-<script setup>
-import Panel from 'primevue/panel'
-import InputText from 'primevue/inputtext'
-import Dropdown from 'primevue/dropdown'
-import Button from 'primevue/button'
-</script>
-```
-
-## Component Usage Guidelines
-
-### WeFa Components
-```vue
-<script setup>
-// Always import WeFa components first
-import { 
-  ControlBarComponent,
-  FormComponent, 
-  TableComponent,
-  NetworkButton 
-} from '@nside/wefa'
-</script>
-```
-
-### PrimeVue Components (when WeFa doesn't have equivalent)
-```vue
-<script setup>
-// Import individual PrimeVue components
-import DataTable from 'primevue/datatable'
-import Column from 'primevue/column'
-import InputText from 'primevue/inputtext'
-import Dialog from 'primevue/dialog'
-</script>
-```
-
-### Common Tailwind Patterns for PrimeVue
-```vue
-<template>
-  <!-- Buttons -->
-  <Button class="bg-primary-500 hover:bg-primary-600 px-4 py-2" />
-  
-  <!-- Cards -->
-  <Card class="shadow-lg border border-gray-200 rounded-lg" />
-  
-  <!-- Forms -->
-  <InputText class="w-full border border-gray-300 rounded-md px-3 py-2" />
-  
-  <!-- Tables -->
-  <DataTable class="border border-gray-200 rounded-lg overflow-hidden" />
-</template>
-```
-
----
-
-## 🔄 AI AGENT DECISION FLOW ALGORITHM
-
-### 🎯 STEP-BY-STEP COMPONENT SELECTION
-
-```mermaid
-flowchart TD
-    A[Need UI Component] --> B{WeFa has component?}
-    B -->|YES| C[✅ Use WeFa<br/>Import from @nside/wefa<br/>END]
-    B -->|NO| D{Can compose with PrimeVue?}
-    D -->|YES| E[✅ Use PrimeVue Composition<br/>+ Tailwind Classes<br/>END]
-    D -->|NO| F[⚠️ Native HTML<br/>+ Justification Comment<br/>END]
-```
-
-### 📋 MANDATORY VALIDATION CHECKLIST
-
-**🔍 PRE-IMPLEMENTATION VALIDATION:**
-Before writing any component code, AI agents MUST verify:
-
-```
-[ ] 1. COMPONENT CHECK: Searched @nside/wefa exports
-[ ] 2. COMPOSITION CHECK: Evaluated PrimeVue component combination
-[ ] 3. STYLING CHECK: Planned Tailwind-only approach
-[ ] 4. FALLBACK CHECK: Prepared justification if using HTML
-```
-
-**✅ POST-IMPLEMENTATION VALIDATION:**
-After writing component code, AI agents MUST validate:
-
-```
-[ ] ✅ IMPORT: WeFa components from '@nside/wefa'
-[ ] ✅ IMPORT: PrimeVue components from 'primevue/[component]'
-[ ] ✅ STYLING: Only Tailwind CSS classes used
-[ ] ✅ FORBIDDEN: No <style> blocks, CSS files, inline styles
-[ ] ✅ HIERARCHY: Priority order followed (WeFa → PrimeVue → HTML)
-[ ] ✅ COMPOSITION: PrimeVue components composed before HTML fallback
-[ ] ✅ DOCUMENTATION: HTML usage justified with comments
-```
-
-### 🚨 AUTO-REJECT TRIGGERS
-
-**IMMEDIATE REJECTION if code contains:**
-- `<style>` blocks or `.css` file imports
-- `style="..."` inline attributes  
-- Native HTML when PrimeVue composition possible
-- Missing justification comments for HTML usage
-- WeFa components not prioritized when available
-
----
-
-## 📚 AI AGENT RESOURCE GUIDE
-
-### 🎯 QUICK REFERENCE LINKS
-
-| Resource Type           | Primary Source               | Purpose |
-|-------------------------|------------------------------|---------|
-| **WeFa Components**     | `@nside/wefa` package        | First-priority component lookup |
-| **PrimeVue Components** | https://primevue.org/        | Second-priority component catalog |
-| **Tailwind Classes**    | https://tailwindcss.com/docs | Styling reference |
-| **Integration Guide**   | `tailwindcss-primeui` docs   | PrimeVue + Tailwind setup |
-
-### 🔍 COMPONENT DISCOVERY WORKFLOW
-
-**Step 1: WeFa Component Lookup**
-```bash
-# Check available exports
-npm info @nside/wefa
-# View TypeScript definitions  
-node_modules/@nside/wefa/dist/types/index.d.ts
-```
-
-**Step 2: PrimeVue Component Search**
-- Visit https://primevue.org/
-- Use search: "input", "table", "dialog", etc.
-- Import pattern: `import ComponentName from 'primevue/componentname'`
-
-**Step 3: Tailwind Class Reference**
-- Common patterns: `bg-`, `text-`, `p-`, `m-`, `flex`, `grid`
-- Responsive: `sm:`, `md:`, `lg:`, `xl:`
-- States: `hover:`, `focus:`, `active:`
-
-### 🛠️ TROUBLESHOOTING GUIDE
-
-**❌ Problem: WeFa component not found**
-```javascript
-// ✅ Solution: Verify import and check package exports
-import { ComponentName } from '@nside/wefa'
-// If not available → Move to PrimeVue composition
-```
-
-**❌ Problem: PrimeVue styling conflicts**
-```javascript
-// ✅ Solution: Use tailwindcss-primeui integration
-// Ensure tailwind.config.js includes PrimeUI plugin
-```
-
-**❌ Problem: Complex UI requirements**
-```javascript
-// ✅ Solution: Compose multiple PrimeVue components
-// Example: Card + DataTable + Button + Dialog
-```
-
----
-
-## ⚡ SUCCESS CRITERIA
-
-**AI Agent implementation is SUCCESSFUL when:**
-- ✅ WeFa components used when available
-- ✅ PrimeVue composition preferred over native HTML
-- ✅ All styling achieved through Tailwind classes
-- ✅ No custom CSS files or style blocks present
-- ✅ Code follows documented patterns and examples
-- ✅ Native HTML usage is justified with comments
-
-**🎖️ COMPLIANCE GUARANTEE**: Following these instructions ensures code review approval and maintains consistency across the projects.
-

From 096ad98982df66370ab162479279fd8c88712643 Mon Sep 17 00:00:00 2001
From: ala <ala@n-side.com>
Date: Fri, 22 May 2026 16:12:28 +0200
Subject: [PATCH 2/6] Rework wefa-vue codex skills

---
 .agents/skills/wefa-tanstack-query/SKILL.md   |  71 ---------
 .../wefa-tanstack-query/agents/openai.yaml    |   4 -
 .../references/official-v5-patterns.md        | 111 --------------
 .../references/wefa-conventions.md            |  97 ------------
 .agents/skills/wefa-vue-cookbook/SKILL.md     |  78 ++++++++++
 .../wefa-vue-cookbook/agents/openai.yaml      |   4 +
 .../references/api-calls-tanstack-query.md    | 139 ++++++++++++++++++
 .../references/css-guidelines.md              |  66 +++++++++
 .../references/delivery-and-validation.md     |  33 +++++
 .../references/design-and-architecture.md     |  88 +++++++++++
 .../references/ecosystem-map.md               |  78 ++++++++++
 .agents/skills/wefa-vue-frontend/SKILL.md     |  54 +++----
 .../wefa-vue-frontend/agents/openai.yaml      |   6 +-
 .../references/contributing-and-checks.md     |  57 +++++++
 AGENTS.md                                     |   3 +-
 README.md                                     |   9 ++
 vue/.gitignore                                |   6 +
 vue/AGENTS.md                                 |   6 +-
 vue/CONTRIBUTE.md                             |   9 ++
 vue/README.md                                 |   9 ++
 20 files changed, 611 insertions(+), 317 deletions(-)
 delete mode 100644 .agents/skills/wefa-tanstack-query/SKILL.md
 delete mode 100644 .agents/skills/wefa-tanstack-query/agents/openai.yaml
 delete mode 100644 .agents/skills/wefa-tanstack-query/references/official-v5-patterns.md
 delete mode 100644 .agents/skills/wefa-tanstack-query/references/wefa-conventions.md
 create mode 100644 .agents/skills/wefa-vue-cookbook/SKILL.md
 create mode 100644 .agents/skills/wefa-vue-cookbook/agents/openai.yaml
 create mode 100644 .agents/skills/wefa-vue-cookbook/references/api-calls-tanstack-query.md
 create mode 100644 .agents/skills/wefa-vue-cookbook/references/css-guidelines.md
 create mode 100644 .agents/skills/wefa-vue-cookbook/references/delivery-and-validation.md
 create mode 100644 .agents/skills/wefa-vue-cookbook/references/design-and-architecture.md
 create mode 100644 .agents/skills/wefa-vue-cookbook/references/ecosystem-map.md
 create mode 100644 .agents/skills/wefa-vue-frontend/references/contributing-and-checks.md

diff --git a/.agents/skills/wefa-tanstack-query/SKILL.md b/.agents/skills/wefa-tanstack-query/SKILL.md
deleted file mode 100644
index 6fabb0ba..00000000
--- a/.agents/skills/wefa-tanstack-query/SKILL.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-name: wefa-tanstack-query
-description: TanStack Query Vue v5 implementation and review guide for the WeFa `vue/` workspace. Use when adding or reviewing `@tanstack/vue-query` setup, query or mutation flows, cache invalidation, optimistic updates, query keys, or QueryClient defaults, and when deciding whether to use WeFa wrappers (`apiClient`, `typedApiClient`) versus direct TanStack hooks.
----
-
-# WeFa TanStack Query
-
-Apply TanStack Query Vue v5 with official v5 patterns while preserving WeFa's preferred wrapper-first architecture.
-
-## First Reads
-
-1. Read `references/wefa-conventions.md` first for repo-specific rules and preferred entrypoints.
-2. Read `references/official-v5-patterns.md` when a task depends on cache semantics, reactivity, mutations, cancellation, or migration details.
-3. Re-read `vue/src/network/network.mdx`, `vue/README.md`, and `vue/CONTRIBUTE.md` before changing public APIs or developer guidance.
-
-## Decision Order
-
-1. Prefer `typedApiClient` from `@/network` or `@nside/wefa/network` when an OpenAPI-generated callable exists.
-2. Prefer `apiClient` when the call is a straightforward URL-based GET or POST and reactive URL refs are enough.
-3. Use direct TanStack hooks (`useQuery`, `useMutation`, `useInfiniteQuery`, `queryOptions`) only when the wrappers cannot model the behavior cleanly.
-4. Use `useQueryClient` whenever wrapper-backed flows still need invalidation or other cache management.
-5. Use `axiosInstance` directly only when the task does not need TanStack-managed server state or when you are implementing infrastructure beneath the wrappers.
-
-## Setup Workflow
-
-1. Confirm app-level installation before feature work:
-   `app.use(VueQueryPlugin)` must happen during startup.
-2. If the app needs non-default cache behavior, pass `queryClientConfig` or a stable `QueryClient` instance to `VueQueryPlugin`; do not create query clients inside components or composables.
-3. Configure `axiosInstance.defaults.baseURL` when env-based backend wiring is absent.
-4. When OpenAPI codegen exists, call `typedApiClient.setupOpenApiClient(client)` during startup before using generated SDK callables.
-
-## Query Workflow
-
-1. Build reactive inputs first.
-   For existing WeFa wrappers, pass `ref`, `toRef`, or `computed` values that match the current `Ref<... | undefined>` signatures. For new direct-hook composables, accept refs, plain values, or reactive getters when that improves ergonomics.
-2. Put every query dependency into the query key.
-   If `queryFn` depends on a changing variable, that variable belongs in the key.
-3. Prefer wrapper signatures that already encode WeFa's reactive patterns:
-   `apiClient.query(refUrl)` and `typedApiClient.query(callable, refOptions)`.
-4. Use `queryOptions(...)` to share direct-query configuration across `useQuery`, `useQueries`, or prefetching sites.
-5. Treat returned query data as immutable.
-   Copy it before binding to `v-model` or mutating it locally.
-6. Pass the provided `signal` through custom direct-query functions when cancellation matters and the transport supports it.
-
-## Mutation Workflow
-
-1. Start with `typedApiClient.mutation(...)` or `apiClient.mutation(...)` unless direct hooks are required.
-2. After successful mutations, prefer one of two cache-update paths:
-   invalidate related queries with `useQueryClient().invalidateQueries(...)`, or
-   write returned entity data into the cache with `setQueryData(...)` only when you own the exact key shape or a direct-hook abstraction exposes it clearly.
-3. Await invalidations when the mutation should remain pending until related queries are refreshed.
-4. Use optimistic updates only when the UX gain is worth the rollback complexity; pair them with `onMutate`, rollback context, and targeted invalidation.
-
-## Review Checklist
-
-1. Prefer WeFa wrappers over raw TanStack hooks unless there is a concrete gap.
-2. Keep query keys complete, stable, and consistent with the fetch inputs.
-3. Use reactive values correctly; avoid extracting `.value` too early and accidentally freezing reactivity.
-4. Adjust `staleTime`, `gcTime`, retries, or refetch triggers intentionally instead of cargo-culting defaults.
-5. Update docs, tests, and public exports when adding new wrappers or network helpers.
-6. Use TanStack Query v5 names and semantics:
-   `gcTime` instead of `cacheTime`, `throwOnError` instead of `useErrorBoundary`, and `placeholderData` when replacing old `keepPreviousData` behavior.
-7. Reject common pre-v5 patterns:
-   positional hook overloads, `onSuccess` or `onError` on queries, infinite queries without `initialPageParam` and `getNextPageParam`, or `useQueries` code that assumes a reactive array instead of a `ref`.
-
-## Testing
-
-1. For wrapper tests in `vue/src/network/__tests__`, mock `@tanstack/vue-query` directly and assert the wrapper configuration.
-2. For feature or component tests, mock `@/network` instead of TanStack internals unless the feature truly owns the hook configuration.
-3. Use `vue/CONTRIBUTE.md` as the source of truth for the current Vue quality gates and validation commands.
-4. If the task also changes frontend behavior outside the network layer, follow the matching validation expectations from `.agents/skills/wefa-vue-frontend/SKILL.md` instead of redefining them here.
diff --git a/.agents/skills/wefa-tanstack-query/agents/openai.yaml b/.agents/skills/wefa-tanstack-query/agents/openai.yaml
deleted file mode 100644
index 8caf5a52..00000000
--- a/.agents/skills/wefa-tanstack-query/agents/openai.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-interface:
-  display_name: "WeFa TanStack Query"
-  short_description: "Guide WeFa TanStack Query v5 usage"
-  default_prompt: "Use $wefa-tanstack-query to implement or review TanStack Query Vue v5 usage in the `vue/` workspace."
diff --git a/.agents/skills/wefa-tanstack-query/references/official-v5-patterns.md b/.agents/skills/wefa-tanstack-query/references/official-v5-patterns.md
deleted file mode 100644
index 244a33ef..00000000
--- a/.agents/skills/wefa-tanstack-query/references/official-v5-patterns.md
+++ /dev/null
@@ -1,111 +0,0 @@
-# Official TanStack Query Vue v5 Patterns
-
-This file distills the official Vue v5 docs into the guidance most likely to matter in WeFa work.
-
-## Source Pages
-
-- Overview: `https://tanstack.com/query/v5/docs/framework/vue/overview`
-- Reactivity: `https://tanstack.com/query/v5/docs/framework/vue/reactivity`
-- Important Defaults: `https://tanstack.com/query/v5/docs/framework/vue/guides/important-defaults`
-- Query Keys: `https://tanstack.com/query/v5/docs/framework/vue/guides/query-keys`
-- Query Options: `https://tanstack.com/query/v5/docs/framework/vue/guides/query-options`
-- Mutations: `https://tanstack.com/query/v5/docs/framework/vue/guides/mutations`
-- Invalidations from Mutations: `https://tanstack.com/query/v5/docs/framework/vue/guides/invalidations-from-mutations`
-- Updates from Mutation Responses: `https://tanstack.com/query/v5/docs/framework/vue/guides/updates-from-mutation-responses`
-- Optimistic Updates: `https://tanstack.com/query/v5/docs/framework/vue/guides/optimistic-updates`
-- Query Cancellation: `https://tanstack.com/query/v5/docs/framework/vue/guides/query-cancellation`
-- Custom Client: `https://tanstack.com/query/v5/docs/framework/vue/guides/custom-client`
-- Migrating to v5: `https://tanstack.com/query/v5/docs/framework/vue/guides/migrating-to-v5`
-
-## Important Defaults
-
-- Cached query data is stale by default.
-- Stale queries refetch automatically when a new instance mounts, the window refocuses, or the network reconnects.
-- Inactive queries remain cached and are garbage-collected after 5 minutes by default.
-  This 5-minute horizon is TanStack's default inactive-query `gcTime`, not a WeFa-specific policy.
-- Failed queries retry 3 times with exponential backoff by default.
-  These are TanStack defaults: `retry` defaults to `3`, and the default `retryDelay` doubles from 1000 ms up to 30000 ms.
-- Query results are structurally shared by default, which preserves references when JSON-compatible data has not meaningfully changed.
-
-Implication:
-
-- Set `staleTime` intentionally before disabling refetch triggers.
-- If your app needs a different inactive-query cache horizon, change the default query `gcTime`.
-- If your app needs different retry behavior, change the default query `retry` and `retryDelay` options globally or per-query. Use `retry: false`, a number, or a function; use `retryDelay` as either a fixed number or a function.
-- Change `gcTime`, `retry`, or refetch policies only when the UX or API cost justifies it.
-
-## Reactivity Rules
-
-- `queryKey` and `enabled` can consume reactive values.
-- If a query should refetch when an input changes, pass the ref or reactive getter itself, not an eagerly-unwrapped `.value`.
-- For composables, prefer parameter types that accept plain values, refs, or reactive getters when the API benefits from both reactive and non-reactive use sites.
-- Query results are immutable; create a copy before editing or two-way binding.
-
-## Query-Key Rules
-
-- Include every changing variable that the query function depends on.
-- Array item order matters in keys.
-- Object property order inside a key segment does not matter because keys are hashed deterministically.
-
-Implication:
-
-- When a fetch depends on filters, pagination, IDs, locale, or auth-relevant scope, put those into the key.
-
-## Shared Query Definitions
-
-Use `queryOptions(...)` when the same key, function, and defaults need to be reused across:
-
-- `useQuery`
-- `useQueries`
-- prefetching
-- imperative cache reads/writes tied to the same key
-
-This keeps the authoritative query shape in one place while preserving strong TypeScript inference.
-
-## Mutation Rules
-
-- Mutations do not update related queries automatically.
-- After success, either invalidate related queries or update the cache directly with `setQueryData(...)`.
-- If the mutation response already contains the full updated entity, prefer `setQueryData(...)` over a blind refetch.
-- If follow-up invalidations must finish before the mutation is considered complete, return or await the invalidation promise from `onSuccess`.
-
-## Optimistic Updates
-
-Use optimistic updates only when:
-
-- the interaction benefits materially from immediate UI feedback, and
-- you can define a safe rollback strategy
-
-Typical shape:
-
-1. `onMutate`: cancel overlapping queries, snapshot previous cache, write optimistic value
-2. `onError`: roll back with the snapshot
-3. `onSettled` or `onSuccess`: invalidate the affected queries
-
-## Cancellation
-
-- Direct query functions receive an `AbortSignal`.
-- If your transport supports cancellation, pass the signal through.
-- Manual cancellation uses `queryClient.cancelQueries({ queryKey })`.
-
-This matters most for long-running or rapidly-changing direct queries.
-
-## Custom Client
-
-- `VueQueryPlugin` accepts either `queryClientConfig` or a prebuilt `QueryClient`.
-- Keep the client stable and app-scoped.
-- Reach for a custom client only when defaults or integration requirements demand it.
-
-## v5 Migration Notes
-
-- v5 only supports the single-object hook signature. Do not copy older positional overloads like `useQuery(key, fn, options)`.
-- Query callbacks were removed from `useQuery` and `QueryObserver`; do not add `onSuccess`, `onError`, or `onSettled` to query options. Mutation callbacks still exist.
-- `cacheTime` was renamed to `gcTime`.
-- `useErrorBoundary` was renamed to `throwOnError`.
-- `keepPreviousData` behavior now maps to `placeholderData` with the previous value identity pattern.
-- Infinite queries now require `initialPageParam`, and `getNextPageParam` is required when using infinite-query pagination.
-- `useQueries` now returns a `ref` that wraps the array instead of returning a reactive array directly.
-- Query and mutation loading state terminology changed: `status: loading` became `status: pending`, and `isLoading` on mutations became `isPending`.
-- The removed hook-level `context` prop from older examples was replaced by passing a custom `queryClient`; in Vue, `queryClientKey` is still supported through `VueQueryPlugin` and per-query options when custom client keys are needed.
-
-If you encounter older examples or local code written against v4 language, translate them to these v5 terms before copying the pattern.
diff --git a/.agents/skills/wefa-tanstack-query/references/wefa-conventions.md b/.agents/skills/wefa-tanstack-query/references/wefa-conventions.md
deleted file mode 100644
index db8ac2b9..00000000
--- a/.agents/skills/wefa-tanstack-query/references/wefa-conventions.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# WeFa TanStack Query Conventions
-
-## Purpose
-
-Capture the project-specific rules that sit on top of TanStack Query Vue v5 in this repository.
-
-## Preferred Entry Points
-
-1. `vue/src/network/typedApiClient.ts`
-   Use first when the backend exposes OpenAPI-generated callables.
-2. `vue/src/network/apiClient.ts`
-   Use for simple URL-based GET and POST flows.
-3. Direct `@tanstack/vue-query` hooks
-   Use only when the wrappers do not cover the required behavior.
-4. `vue/src/network/axios.ts`
-   Use directly only for lower-level infrastructure or non-cached calls.
-
-This mirrors the order documented in `vue/src/network/network.mdx`.
-
-## Existing Wrapper Patterns
-
-### `apiClient.query`
-
-- Input shape: `Ref<string | undefined>`
-- Key shape: `[url]`
-- Fetch suppression: `enabled: () => !!url.value`
-- Query function behavior: return `undefined` when the URL is absent
-- Current wrapper boundary: do not pass plain values or reactive getters directly; wrap prop access with `toRef`, `computed`, or another `Ref`-producing helper first
-
-### `typedApiClient.query`
-
-- Input shape: generated callable plus `Ref<TOptions | undefined>`
-- Key shape: `[callable.name, options]`
-- Fetch suppression: `enabled: () => !!options.value`
-- Query function behavior:
-  - return `undefined` when options are absent
-  - unwrap `result.data`
-  - throw results that expose `isAxiosError`
-- Current wrapper boundary: plain values and reactive getters are excellent for new direct-hook composables, but this wrapper still expects a `Ref`
-
-### `typedApiClient.mutation`
-
-- Wrap generated POST/PUT/DELETE callables
-- Unwrap `result.data`
-- Throw Axios-like errors when `isAxiosError` is present
-
-## Startup Order In This Repo
-
-See `vue/src/demo/main.ts` for the concrete example.
-
-1. `app.use(VueQueryPlugin)`
-2. Configure `axiosInstance.defaults.baseURL` if env wiring is not present
-3. Call `typedApiClient.setupOpenApiClient(client)` when generated SDK code exists
-4. Continue app/plugin/router/i18n setup
-
-There is currently no custom `QueryClient` policy in the demo app. If you add one, keep it app-level and document why the defaults were changed.
-
-## Query-Key Guidance For Repo Work
-
-Use the existing wrapper key shapes unless you are intentionally upgrading the abstraction.
-
-- URL wrapper: `[url]`
-- Typed wrapper: `[callable.name, options]`
-
-If you introduce a new reusable direct-hook composable, prefer a small local key factory or `queryOptions(...)` helper instead of scattering ad-hoc keys across components.
-If you need `setQueryData(...)`, prefer doing it in abstractions that own the exact key shape. Wrapper-backed feature code should usually invalidate instead of reconstructing internal keys by hand.
-
-## Testing Boundaries
-
-### Wrapper tests
-
-Files:
-
-- `vue/src/network/__tests__/apiClient.test.ts`
-- `vue/src/network/__tests__/typedApiClient.test.ts`
-
-Pattern:
-
-- mock `@tanstack/vue-query`
-- assert `queryKey`, `enabled`, forwarded options, and unwrapped/raised results
-
-### Feature tests
-
-Example:
-
-- `vue/src/plugins/legalConsent/views/__tests__/LegalDocument.test.ts`
-
-Pattern:
-
-- mock `@/network`
-- test the feature against the wrapper return shape instead of TanStack internals
-
-## Documentation To Keep In Sync
-
-- `vue/src/network/network.mdx` when public guidance changes
-- `vue/README.md` if package-level setup or exports change
-- `vue/CONTRIBUTE.md` if validation steps or expected checks change
diff --git a/.agents/skills/wefa-vue-cookbook/SKILL.md b/.agents/skills/wefa-vue-cookbook/SKILL.md
new file mode 100644
index 00000000..8412e9c8
--- /dev/null
+++ b/.agents/skills/wefa-vue-cookbook/SKILL.md
@@ -0,0 +1,78 @@
+---
+name: wefa-vue-cookbook
+description: Shared cookbook of conventions for writing Vue code with the WeFa ecosystem. Use it first in product apps that consume `@nside/wefa`, and also use it inside the WeFa `vue/` package for the shared rules that apply there too. It covers architecture and layout conventions, WeFa versus PrimeVue reuse decisions, i18n expectations, validation planning, and TanStack Query Vue v5 usage including wrapper choice, query keys, invalidation, optimistic updates, and v5 migration pitfalls.
+---
+
+# WeFa Vue Cookbook
+
+This is the shared Vue skill for WeFa.
+
+Use it in two situations:
+
+1. In consuming Vue projects that use `@nside/wefa`.
+2. Inside the WeFa `vue/` package for the shared conventions that also apply to the library itself.
+
+When the task is inside the WeFa `vue/` package, pair this skill with `wefa-vue-frontend`, which is the maintainer skill for repo-specific export, docs, demo, generated-artifact, and quality-gate work.
+
+Use this skill in two layers:
+
+1. Keep this `SKILL.md` loaded for the always-on rules.
+2. Load only the matching reference file when the task needs deeper checks.
+
+## Always-Loaded Rules
+
+1. Treat `@nside/wefa` as a PrimeVue superset styled through Tailwind 4 with `tailwindcss-primeui`.
+2. Follow the reuse hierarchy strictly: **WeFa component/container -> PrimeVue composition -> native HTML fallback**.
+3. Start by mirroring the nearest existing local pattern before inventing a new abstraction, prop API, fetch flow, or styling approach.
+4. Before adding helpers or infrastructure, check whether the current app, WeFa, or PrimeVue already provides the needed building block.
+5. Keep user-facing text translated through i18n keys, including labels, placeholders, validation copy, `aria-label`, and `title`.
+6. Prefer Tailwind utilities for routine styling. Use flex by default for layout, reach for grid when it clearly fits better, and do not add new CSS imports or routine `<style>` blocks.
+7. For server state, prefer `typedApiClient` when an OpenAPI-generated callable exists, then `apiClient` for straightforward URL-based GET or POST flows, then direct TanStack Query hooks only when the wrappers cannot model the behavior cleanly, then raw `axiosInstance` only for lower-level infrastructure or non-query-managed calls.
+8. TanStack Query already covers most fetch lifecycle, caching, retries, invalidation, and mutation state. Prefer built-in query and cache features over hand-rolled refs, watches, loading flags, or manual cache synchronization.
+9. Treat TanStack query data as immutable. Copy it before binding to `v-model` or mutating it locally.
+10. Put every changing query dependency into the query key, and avoid unwrapping reactive inputs too early if the query should react to them.
+11. Parent components own external layout and sizing context. Reusable children should not assume fill behavior or decorative outer chrome unless that is part of their explicit contract.
+12. When shared or public-facing behavior changes, update the surrounding tests, docs, and usage examples expected by that codebase.
+13. Run the validation commands that match the host project and the risk of the change. If working inside the WeFa repo, `wefa-vue-frontend` adds the exact repo gate.
+
+## First Reads
+
+1. Inspect how the current codebase already uses `@nside/wefa`, PrimeVue, i18n, and network helpers before introducing new patterns.
+2. If the task touches API calls, cache behavior, invalidation, optimistic updates, or direct `@tanstack/vue-query` hooks, load `references/api-calls-tanstack-query.md`.
+3. If the task is inside the WeFa repo's `vue/` package, also read `vue/AGENTS.md` and then load `wefa-vue-frontend` for maintainer-only rules.
+
+## Topic References
+
+- `references/ecosystem-map.md`
+  Load when choosing between WeFa, PrimeVue, local app code, router/plugins/stores helpers, i18n, or network layers.
+- `references/design-and-architecture.md`
+  Load when designing a new component/container/composable, choosing where code belongs, or reviewing whether code fits the intended architecture.
+- `references/css-guidelines.md`
+  Load when styling components, deciding whether CSS is allowed, or reviewing Tailwind/PrimeVue usage, flex-first layout choices, and parent/child layout ownership.
+- `references/api-calls-tanstack-query.md`
+  Load when adding or reviewing API calls, wrapper choice, startup wiring, query keys, cache behavior, invalidation, optimistic updates, or TanStack Query Vue v5 usage and migration pitfalls.
+- `references/delivery-and-validation.md`
+  Load when deciding what checks, tests, docs, or review hygiene should accompany the change.
+
+## Package Anchors
+
+- Main package import: `@nside/wefa`
+- Network helpers: `@nside/wefa/network`
+- Type exports: `@nside/wefa/types`
+
+## Repo Anchors
+
+Use these only when the task is inside the WeFa repository:
+
+- Public library entrypoints: `vue/src/lib.ts`, `vue/src/containers/index.ts`
+- Canonical public component shape: `vue/src/components/AutoroutedBreadcrumb/`
+- Translation guidance: `vue/src/locales/Translation.mdx`
+- Network guidance: `vue/src/network/network.mdx`
+
+## Definition of Done
+
+1. The implementation follows the WeFa -> PrimeVue -> native hierarchy.
+2. The chosen tool matches the highest-level fitting abstraction instead of the first thing that works.
+3. Styling stays inside the Tailwind + PrimeVue theme conventions, with parent-owned layout and intentional child fill behavior.
+4. Tests, docs, examples, and translations are updated when the changed surface requires them.
+5. The relevant validation commands for the current codebase have been run.
diff --git a/.agents/skills/wefa-vue-cookbook/agents/openai.yaml b/.agents/skills/wefa-vue-cookbook/agents/openai.yaml
new file mode 100644
index 00000000..19527495
--- /dev/null
+++ b/.agents/skills/wefa-vue-cookbook/agents/openai.yaml
@@ -0,0 +1,4 @@
+interface:
+  display_name: "WeFa Vue Cookbook"
+  short_description: "Shared WeFa Vue rules for consumers and the library"
+  default_prompt: "Use $wefa-vue-cookbook to implement or review Vue code in a consuming app that uses `@nside/wefa`, or as the shared base when working inside the WeFa `vue/` package. Apply WeFa's preferred architecture, flex-first styling, parent-owned layout rules, and TanStack Query Vue v5 conventions."
diff --git a/.agents/skills/wefa-vue-cookbook/references/api-calls-tanstack-query.md b/.agents/skills/wefa-vue-cookbook/references/api-calls-tanstack-query.md
new file mode 100644
index 00000000..58860c01
--- /dev/null
+++ b/.agents/skills/wefa-vue-cookbook/references/api-calls-tanstack-query.md
@@ -0,0 +1,139 @@
+# API Calls With TanStack Query
+
+## Purpose
+
+Use this reference when adding or reviewing API calls, wrapper choice, query configuration, cache invalidation, optimistic updates, or TanStack Query Vue v5 usage in WeFa-based Vue code.
+
+## Decision Order
+
+1. Prefer `typedApiClient` from `@nside/wefa/network` when an OpenAPI-generated callable exists.
+2. If the host app exposes a local wrapper around WeFa's network helpers, follow that local wrapper instead of bypassing it.
+3. Prefer `apiClient` for straightforward URL-based GET and POST flows.
+4. Use direct `@tanstack/vue-query` hooks only when the wrappers cannot model the needed behavior cleanly.
+5. Use `useQueryClient` whenever wrapper-backed flows still need invalidation or other cache management.
+6. Use `axiosInstance` directly only for lower-level infrastructure or non-query-managed calls.
+
+This is the preferred order for WeFa-based code. When the host project already wraps WeFa's network layer locally, keep following that local abstraction boundary.
+
+TanStack Query already provides the main building blocks for fetching, caching, reactivity, retries, invalidation, and mutation lifecycle state. Prefer those built-in features over hand-rolled refs, watches, loading flags, or manual cache synchronization.
+
+## Setup Order
+
+1. Install `VueQueryPlugin` at app startup.
+2. If the app needs non-default cache behavior, pass `queryClientConfig` or a stable `QueryClient` instance to `VueQueryPlugin`; do not create query clients inside components or composables.
+3. Configure `axiosInstance.defaults.baseURL` when env wiring is absent.
+4. Call `typedApiClient.setupOpenApiClient(client)` before using generated SDK callables.
+5. Continue app, router, i18n, feature, and backend-store setup.
+
+Do not create query clients inside components or feature composables.
+
+## Wrapper Conventions In WeFa
+
+### `apiClient.query`
+
+- Accepts a `Ref<string | undefined>`
+- Uses `[url]` as the query key
+- Suppresses fetches when the URL ref is empty
+
+### `typedApiClient.query`
+
+- Accepts a generated callable plus `Ref<TOptions | undefined>`
+- Uses `[callable.name, options]` as the query key
+- Suppresses fetches when the options ref is empty
+- Unwraps `result.data`
+
+### `typedApiClient.mutation`
+
+- Wraps generated POST/PUT/DELETE callables
+- Unwraps `result.data`
+- Throws Axios-like errors when `isAxiosError` is present
+
+Current wrapper boundaries are ref-oriented. For new direct-hook abstractions, plain values or reactive getters may still be reasonable, but do not silently change wrapper ergonomics in feature code.
+
+## Important Defaults
+
+- Cached query data is stale by default.
+- Stale queries refetch automatically on mount, window refocus, and network reconnect unless you opt out.
+- Inactive queries are garbage-collected after 5 minutes by default through `gcTime`.
+- Failed queries retry 3 times with exponential backoff by default.
+- Query results are structurally shared by default.
+
+Implication:
+
+- Set `staleTime` intentionally before disabling refetch triggers.
+- Change `gcTime`, retry behavior, or refetch policies only when the UX or API cost justifies it.
+
+## Query Workflow
+
+1. Build reactive inputs first with `ref`, `toRef`, or `computed`.
+2. Put every fetch dependency in the query key.
+3. Treat fetched data as immutable.
+4. Prefer wrapper signatures that already encode WeFa's reactive patterns:
+   `apiClient.query(refUrl)` and `typedApiClient.query(callable, refOptions)`.
+5. Use TanStack features before custom orchestration:
+   `enabled`, `select`, `placeholderData`, `staleTime`, `gcTime`, `retry`, cancellation via `signal`, and `queryOptions(...)` should usually replace watcher-based or ref-based control flow.
+6. Use `queryOptions(...)` when sharing direct-hook configuration across multiple call sites.
+7. Pass `signal` through custom direct-query functions when cancellation matters.
+
+## Mutation Workflow
+
+1. Start with wrapper mutations unless there is a concrete gap.
+2. After success, prefer one of two cache-update paths:
+   invalidate related queries with `useQueryClient().invalidateQueries(...)`, or
+   write returned entity data into the cache with `setQueryData(...)` only when you own the exact key shape or a direct-hook abstraction exposes it clearly.
+3. Await invalidation when the UI should remain pending until related queries refresh.
+4. Use optimistic updates only when the UX benefit clearly justifies rollback complexity; pair them with `onMutate`, rollback context, and targeted invalidation.
+5. Prefer `useMutation` lifecycle hooks and cache APIs over custom pending, error, or success state machines.
+
+## v5 Migration Checks
+
+- Use the single-object hook signature, not older positional overloads.
+- Do not add `onSuccess`, `onError`, or `onSettled` to query options; those query callbacks were removed in v5.
+- Use `gcTime` instead of `cacheTime`.
+- Use `throwOnError` instead of `useErrorBoundary`.
+- Replace old `keepPreviousData` patterns with `placeholderData`.
+- Infinite queries need `initialPageParam` and `getNextPageParam`.
+- `useQueries` returns a `ref` wrapping the array, not a reactive array directly.
+- Mutation loading state is `isPending`, not the older `isLoading`.
+
+## Review Checklist
+
+1. Did the code use the highest-level fitting abstraction?
+2. Are the query keys complete and stable?
+3. Was reactivity preserved, or did the code unwrap `.value` too early?
+4. Were `staleTime`, `gcTime`, retries, and refetch triggers chosen intentionally?
+5. Are the semantics v5-correct:
+   `gcTime` instead of `cacheTime`, `throwOnError` instead of `useErrorBoundary`, and `placeholderData` instead of old `keepPreviousData` patterns?
+6. Did the implementation avoid common pre-v5 patterns such as positional hook overloads, query callbacks, or infinite queries without `initialPageParam`?
+7. Did the implementation use TanStack features that already exist instead of rebuilding fetch state, caching, or mutation bookkeeping manually?
+
+## Testing Boundaries
+
+### Wrapper tests
+
+- Location: wherever the host project keeps network-wrapper tests
+- Pattern: mock `@tanstack/vue-query` directly and assert wrapper configuration
+
+### Feature tests
+
+- Pattern: mock the host project's network wrapper unless the feature truly owns direct TanStack configuration
+- Goal: test feature behavior against the wrapper contract, not TanStack internals
+
+## Inside The WeFa Repo
+
+Use this section only when the task is inside the WeFa repository itself.
+
+- Concrete startup reference: `vue/src/demo/main.ts`
+- Network guidance: `vue/src/network/network.mdx`
+- Wrapper test location: `vue/src/network/__tests__/`
+- Keep repo docs in sync:
+  `vue/README.md` when consumer setup changes,
+  `vue/CONTRIBUTE.md` when validation expectations change,
+  `vue/AGENTS.md` and the repo-root `AGENTS.md` when skill-routing guidance changes
+
+## Smell Checks
+
+- Raw axios used in a normal query flow that wrappers already support
+- Manual cache writes without owning the key shape
+- Query keys missing a dependency used by `queryFn`
+- Query data mutated directly in component state
diff --git a/.agents/skills/wefa-vue-cookbook/references/css-guidelines.md b/.agents/skills/wefa-vue-cookbook/references/css-guidelines.md
new file mode 100644
index 00000000..8d89cbde
--- /dev/null
+++ b/.agents/skills/wefa-vue-cookbook/references/css-guidelines.md
@@ -0,0 +1,66 @@
+# CSS Guidelines
+
+## Purpose
+
+Use this reference when styling WeFa-based Vue code or reviewing whether a styling approach fits WeFa conventions.
+
+## Default Styling Stack
+
+1. Tailwind 4 utilities
+2. `tailwindcss-primeui`
+3. PrimeVue theming and component APIs
+4. Scoped styles only as an explicit escape hatch
+
+The default expectation is utility-first styling, not custom CSS-first styling.
+
+## Rules
+
+1. Prefer Tailwind utility classes for layout, spacing, typography, colors, and responsive behavior.
+2. Do not add new CSS imports or routine `<style>` blocks for normal component work.
+3. Use flex by default for layout. Reach for grid when two-dimensional track control, explicit row or column alignment, or track-based sizing clearly makes it the better fit.
+4. Reach for PrimeVue props, slots, and pass-through customization before DOM or CSS hacks.
+5. Use scoped styles or bound style objects only when the existing local pattern already needs them or when Tailwind cannot express the requirement cleanly, such as layout math, chart sizing, or library-specific rendering constraints.
+6. Keep theme ownership centralized:
+   rely on the established app or library theme entrypoints instead of introducing ad-hoc fonts, color systems, or resets inside components.
+
+## Layout Ownership
+
+- The parent owns external layout:
+  available space, flex or grid participation, sibling spacing, and container padding.
+- The child owns internal layout:
+  content arrangement, internal spacing, and the minimum size required by its own UI.
+- The parent should usually control whether children participate in layout at all, for example with parent-owned `v-if` or `v-show` driven by parent props or parent state. Once rendered, the child may still control its own internal visual state.
+- Reusable children should not default to `h-full` or `w-full` unless fill behavior is part of their explicit contract.
+- If a child is meant to fill available space, the parent should establish that sizing context on the relevant axis and pass fill behavior intentionally through classes, slots, or an explicit child API.
+- Do not assume `h-full` works by default:
+  use it only when the parent chain makes height resolvable.
+- Prefer layout-driven sizing through flex, grid, and min/max constraints over fixed `h-*` or `w-*` values. Use fixed sizes sparingly.
+- For parent/child layout interfaces, prefer parent-owned `gap`, padding, and placement rules over child margins or offsets when expressing layout between siblings.
+- Reusable children should usually avoid defining decorative backgrounds, borders, shadows, or similar chrome at the outer interface level. Keep those at the parent level unless they are semantic, serve a clear purpose, or are an explicit part of the child component contract.
+
+## Practical Heuristics
+
+- Prefer existing Tailwind scale tokens before arbitrary values.
+- If a class list is growing because the component is doing too much, review the component structure before extracting CSS.
+- If the styling problem comes from the underlying PrimeVue component, first inspect whether PrimeVue props or pass-through APIs already solve it.
+
+## Repo-Specific Anchors
+
+- Theme exports: `vue/src/theme/index.ts`, `vue/src/theme/nside.ts`
+- Shared CSS entrypoint: `vue/src/assets/main.css`
+- Markdown-to-Tailwind utility mapping: `vue/src/utils/markdown.ts`
+
+## When CSS Is Justified
+
+Scoped CSS is justified when all of the following are true:
+
+1. Tailwind or PrimeVue APIs cannot express the requirement cleanly.
+2. The styling is local to the component.
+3. The nearest existing pattern uses the same escape hatch or the need is clearly technical rather than stylistic.
+
+## Smell Checks
+
+- New stylesheet added for routine spacing or color tweaks
+- Component-level font imports or theme definitions
+- Native CSS overrides used before checking PrimeVue theming options
+- Large custom style blocks where Tailwind classes would have been clearer
diff --git a/.agents/skills/wefa-vue-cookbook/references/delivery-and-validation.md b/.agents/skills/wefa-vue-cookbook/references/delivery-and-validation.md
new file mode 100644
index 00000000..845d91f2
--- /dev/null
+++ b/.agents/skills/wefa-vue-cookbook/references/delivery-and-validation.md
@@ -0,0 +1,33 @@
+# Delivery And Validation
+
+## Purpose
+
+Use this reference when deciding what checks, documentation, and review hygiene should accompany a WeFa-based change.
+
+## Core Rule
+
+The validation should match the risk and the host codebase.
+
+- Small presentational change: lint, type-check, focused tests
+- Shared component or composable change: broader unit coverage and affected usage examples
+- Routing or integration change: add the relevant browser or e2e checks
+- Public API or package-surface change: verify the published usage path, not only local internals
+
+## Delivery Checklist
+
+1. Update or add tests for the changed behavior, not only the happy path.
+2. Update the nearest docs, examples, or stories when the usage surface changed.
+3. Verify translations for any new user-facing copy.
+4. Confirm the abstraction choice still matches the WeFa -> PrimeVue -> native order.
+5. Run the validation commands that the current project expects.
+
+## Review Prompts
+
+- Did the code choose the right abstraction layer?
+- Did it preserve existing conventions instead of introducing a parallel pattern?
+- Did it validate the behavior at the layer where users will actually feel the change?
+- Did it update surrounding guidance, examples, or tests when the surface changed?
+
+## WeFa Repo Note
+
+If the task is inside the WeFa repository itself, load `wefa-vue-frontend` for the exact repo quality gate, Storybook/MDX expectations, export wiring, demo wiring, and review workflow.
diff --git a/.agents/skills/wefa-vue-cookbook/references/design-and-architecture.md b/.agents/skills/wefa-vue-cookbook/references/design-and-architecture.md
new file mode 100644
index 00000000..32a7ece2
--- /dev/null
+++ b/.agents/skills/wefa-vue-cookbook/references/design-and-architecture.md
@@ -0,0 +1,88 @@
+# Design And Architecture
+
+## Purpose
+
+Use this reference when shaping new Vue features, reviewing architectural fit, or deciding where code belongs in a WeFa-based codebase.
+
+## SFC structure
+
+Use the following as the recommended SFC organization order. If the host project already has a strong local pattern, keep that pattern, but still split each concern with short comment delimiters inside the SFC.
+
+- Top-level block order should follow the host project rules.
+  The default order is `template -> script -> style`.
+- Inside `script setup lang="ts"`, the recommended concern order is:
+  - imports
+  - hardcoded constants
+  - reference state: props and their types, `v-model`s, router params, and the refs that define the base state of the SFC
+  - emits and `defineExpose`, with their types when needed
+  - additional local types and interfaces used by the code that follows
+  - local helper functions needed by later sections; move reusable logic to composables or utils files
+  - derived and integrated reactive state: computed values, TanStack Query or WeFa query hooks with their options and extracted results, store reads, and data reshaping before passing to child components
+  - watchers
+  - lifecycle hooks
+  - one-time initialization calls
+
+## Core Design Rules
+
+1. Mirror the closest existing implementation before inventing a new pattern.
+2. Keep related files close to the feature when the host codebase already uses that pattern.
+3. Prefer extending the current public surface over creating parallel entrypoints.
+4. Keep product-app code inside the app and reusable library code inside the library; do not blur those layers accidentally.
+5. If working inside the WeFa repo, keep the library surface in `src/`, use `src/demo/` only for demo wiring, and do not hand-edit generated clients in `src/demo/openapi/`.
+
+## Placement Heuristics
+
+Ask first: "Is this behavior app-specific, reusable within the app, or reusable across products?"
+
+- App-specific behavior belongs in the consuming app, close to its feature.
+- WeFa-specific reusable behavior belongs in the library only when it is broadly reusable and consistent with the library's scope.
+- Do not push product logic down into WeFa just because the current task is happening in the WeFa repo.
+
+## Repo-Specific Folder Heuristics
+
+### `vue/src/components`
+
+Use for reusable UI primitives and composable visual building blocks.
+
+### `vue/src/containers`
+
+Use for higher-level routed or layout-aware building blocks that compose multiple primitives and often integrate router concerns.
+
+### `vue/src/network`
+
+Use for shared HTTP and TanStack Query infrastructure, not feature-local fetch logic that belongs inside an existing wrapper consumer.
+
+### `vue/src/router`, `vue/src/plugins`, `vue/src/stores`
+
+Check these before adding new helpers elsewhere. Many cross-cutting needs already have a home.
+
+### `vue/src/demo`
+
+Use for example integration, routed showcase flows, and local manual validation. Keep library abstractions out of the demo unless they are intentionally part of the public package.
+
+## Public Surface Rules
+
+1. If a new abstraction should be reused, expose it through the codebase's normal public surface instead of relying on deep imports.
+2. If a change alters setup or usage for consumers, update the surrounding docs or examples.
+3. Inside the WeFa repo, wire the nearest `index.ts`, shared entrypoint, and supporting docs when the library surface changes.
+
+## Component Design Checks
+
+- Does the API mirror the nearest comparable WeFa component?
+- Is the component wrapping or composing PrimeVue rather than re-implementing the primitive?
+- Are prop defaults expressed with `const { prop = defaultValue } = defineProps<Type>()` unless the local file pattern already depends on `withDefaults()`?
+- If inside the WeFa repo, is the SFC block order `template -> script -> style`?
+- Are user-visible states documented and tested according to the host project's conventions?
+
+## Architecture Smells
+
+- Generic helper added in a feature folder even though a shared helper area already exists
+- Shared abstraction added to WeFa even though the need is product-specific
+- Public component added without exports, docs, or tests
+- Demo code copied into library code
+- New pattern introduced despite a strong neighboring precedent
+- English literals embedded in components instead of locale keys
+
+## Review Prompt
+
+Ask: "If another developer adds the next feature beside this one, will they be able to copy a clear local pattern?"
diff --git a/.agents/skills/wefa-vue-cookbook/references/ecosystem-map.md b/.agents/skills/wefa-vue-cookbook/references/ecosystem-map.md
new file mode 100644
index 00000000..ca8bf055
--- /dev/null
+++ b/.agents/skills/wefa-vue-cookbook/references/ecosystem-map.md
@@ -0,0 +1,78 @@
+# Ecosystem Map
+
+## Purpose
+
+Use this reference when deciding which tool or layer to use for Vue code that depends on WeFa, whether in a consuming app or in the WeFa library itself.
+
+## Library Identity
+
+`@nside/wefa` is a PrimeVue superset. The normal path is:
+
+1. Reuse an existing WeFa component or container.
+2. Compose PrimeVue when WeFa does not provide the needed primitive.
+3. Fall back to native HTML only when both higher layers fail.
+
+If a native element is chosen while PrimeVue already solves the problem, that choice should be justified and rare.
+
+When working in a consuming app, think in layers:
+
+1. Existing app-level abstraction or local pattern
+2. WeFa abstraction
+3. PrimeVue building block
+4. Native Vue or HTML primitive
+
+## Tool Selection By Concern
+
+### UI primitives
+
+- Search for a neighboring feature in the current app before adding a new primitive.
+- Check `@nside/wefa` exports before composing PrimeVue from scratch.
+- Use PrimeVue as the default building-block layer below WeFa.
+- Use native HTML only as an escape hatch.
+
+### Routing and navigation
+
+- Prefer the host app's existing router conventions.
+- If WeFa already provides the navigation-shaped abstraction you need, prefer it over rebuilding the interaction locally.
+- Inside the WeFa repo, check `vue/src/router` and existing routed containers before adding route helpers from scratch.
+
+### State management
+
+- Keep state local to the component or composable when it is screen-local and short-lived.
+- Reach for Pinia only when the state is app-level, cross-route, or already follows an existing store-driven pattern.
+- Avoid introducing a store just to move local component state elsewhere.
+
+### Translations
+
+- In WeFa-based code, use the established i18n helpers instead of hard-coded strings.
+- Inside the WeFa repo, use `vue/src/locales/index.ts` and `useI18nLib`, and add locale messages under `vue/src/locales/<locale>/`.
+- Treat `aria-label`, placeholders, helper text, dialog titles, and validation copy as translatable UI.
+
+### Networking
+
+- Prefer `typedApiClient` when an OpenAPI-generated callable exists.
+- Prefer `apiClient` for simple URL-based GET/POST flows.
+- Use direct TanStack Query hooks only when the wrappers do not model the behavior cleanly.
+- Use `axiosInstance` directly only below the query layer or for calls that should not be modeled as TanStack-managed server state.
+
+### Documentation and demos
+
+- In consuming apps, keep examples and tests close to the app's existing conventions.
+- Inside the WeFa repo, public components and containers usually need a story, MDX docs, and tests next to the implementation.
+- Treat `vue/src/demo` as the manual integration surface, not as a place for reusable library logic.
+- Treat `vue/src/demo/openapi` as generated code.
+
+## Useful Anchors
+
+- Package imports: `@nside/wefa`, `@nside/wefa/network`, `@nside/wefa/types`
+- Repo-only anchors: `vue/src/lib.ts`, `vue/src/containers/index.ts`, `vue/src/network`, `vue/src/router`, `vue/src/plugins`, `vue/src/stores`
+- Repo-only translation guidance: `vue/src/locales/Translation.mdx`
+- Repo-only network guidance: `vue/src/network/network.mdx`
+
+## Smell Checks
+
+- New component created even though a WeFa or PrimeVue equivalent already exists
+- Hard-coded strings instead of i18n keys
+- New store for state that could remain local
+- Repo-only demo shortcuts copied into reusable code
+- Direct axios or raw TanStack usage where the wrappers already fit
diff --git a/.agents/skills/wefa-vue-frontend/SKILL.md b/.agents/skills/wefa-vue-frontend/SKILL.md
index a2677b4e..4d6f0a4f 100644
--- a/.agents/skills/wefa-vue-frontend/SKILL.md
+++ b/.agents/skills/wefa-vue-frontend/SKILL.md
@@ -1,15 +1,19 @@
 ---
 name: wefa-vue-frontend
-description: Frontend implementation and review guide for the N-SIDE WeFa Vue package. Use when coding or reviewing files under `vue/`, especially `vue/src/components`, `vue/src/containers`, `vue/src/locales`, Storybook stories or MDX docs, router/network/plugins/stores helpers, demo wiring, and frontend tests.
+description: Maintainer guide for contributing to the N-SIDE WeFa Vue package itself. Use it only when the task is inside this repository's `vue/` workspace, and load it after `wefa-vue-cookbook`. It covers repo-specific maintainer concerns such as exports, Storybook or MDX docs, demo wiring, generated artifacts, frontend tests, and the Vue package quality gate.
 ---
 
-# WeFa Vue Frontend
+# WeFa Vue Maintainer
 
-Apply the WeFa Vue workspace standards with predictable discovery, implementation, and validation steps.
+This is the maintainer skill for the WeFa Vue library inside this repository.
+
+Load `wefa-vue-cookbook` first. That cookbook is the shared skill used by consuming projects and by the library itself for common WeFa conventions. Use this skill only for repo-specific maintainer concerns such as exports, Storybook, MDX docs, demo wiring, generated artifacts, tests, and review hygiene inside `vue/`.
 
 ## First Reads
-1. Read `vue/README.md` for package capabilities, exports, and workspace scripts.
-2. Read `vue/CONTRIBUTE.md` for quality gates and contribution expectations.
+1. Read `vue/AGENTS.md` for workspace identity, gotchas, and the repo quality gate.
+2. Read `vue/README.md` for package capabilities, exports, and workspace scripts.
+3. Read `vue/CONTRIBUTE.md` for contribution expectations and the npm script surface.
+4. Read `code_review.md` from the repo root when the task is a review.
 
 ## Workspace Map
 1. Start public-surface discovery at `vue/src/lib.ts` and `vue/src/containers/index.ts`.
@@ -18,36 +22,31 @@ Apply the WeFa Vue workspace standards with predictable discovery, implementatio
 4. Check `vue/src/network`, `vue/src/router`, `vue/src/plugins`, and `vue/src/stores` before adding duplicate helpers.
 5. Treat `vue/src/demo` and `vue/src/demo/openapi` as the manual-validation and generated-client surface for demo flows.
 
-## Implementation Rules
-1. Start from the nearest existing feature and mirror its folder shape, naming, and test style instead of inventing a new pattern.
-2. Reuse existing WeFa exports before building anything new; inspect the nearest `index.ts` files and the library entrypoints first.
-3. Compose with PrimeVue if WeFa does not provide the needed UI.
-4. Fall back to native HTML only when higher tiers fail, and leave a brief inline justification comment when the fallback is not obvious.
-5. Prefer Tailwind utility classes for routine styling. Do not add new CSS imports. Use scoped styles or bound style objects only when the existing feature pattern needs layout math, chart sizing, or other cases Tailwind cannot express cleanly.
-6. Prefer `const { prop = defaultValue } = defineProps<Type>()` for defaults and avoid `withDefaults()` unless the local file pattern already depends on it.
-7. Keep user-facing literals translated through i18n keys (`useI18nLib`, `t`, `$t`), including `aria-label`, `title`, placeholders, validation copy, and button labels.
-8. New public components or containers should usually ship with source, stories, MDX docs, and unit tests, unless the adjacent feature pattern in this repo clearly differs.
-9. When a change creates or exposes new public surface, update the nearest `index.ts` and shared entrypoints such as `vue/src/lib.ts` or `vue/src/containers/index.ts` as needed.
-10. Regenerate or reuse generated OpenAPI client artifacts through the existing script instead of hand-editing generated files.
+## Repo-Specific Rules
+1. New public components or containers should usually ship with source, stories, MDX docs, and unit tests, unless the adjacent feature pattern in this repo clearly differs.
+2. When a change creates or exposes new public surface, update the nearest `index.ts` and shared entrypoints such as `vue/src/lib.ts` or `vue/src/containers/index.ts`.
+3. Regenerate or reuse generated OpenAPI client artifacts through the existing script instead of hand-editing generated files.
+4. Treat `vue/src/demo` as a manual-validation surface, not as a place to hide reusable library logic.
+5. Keep `README.md`, MDX docs, and Storybook stories aligned with behavior changes that affect consumers.
+6. Respect repo-enforced gotchas from `vue/AGENTS.md`, including SFC block order, the `withDefaults()` preference, and the rule against Storybook `autodocs` tags.
 
 ## Delivery Workflow
 1. Inspect existing implementation first:
    Search for a neighboring component, container, plugin, store, or network helper that already solves most of the problem.
-2. Confirm the reuse hierarchy:
-   WeFa component reuse, then PrimeVue composition, then native HTML fallback.
-3. Implement with local conventions:
+2. Implement with local conventions:
    Match adjacent prop patterns, file names, exports, and test naming (`.spec.ts`, `.test.ts`, or `__tests__`) used by that feature.
-4. Wire localization:
+3. Wire localization:
    Add or update locale namespaces under `vue/src/locales/<locale>/` and use `useI18nLib` or `$t` in code. If a story or test needs extra messages, register them through the existing locale helpers.
-5. Update supporting artifacts:
+4. Update supporting artifacts:
    Update stories and MDX docs when props, states, a11y guidance, or usage changed. Update demo wiring when the change affects routed or integrated flows.
-6. Validate before handoff:
+5. Validate before handoff:
    `npm run lint-check`
    `npm run type-check`
    `npm run format-check`
    `npm run test:unit -- --reporter=dot --silent`
    `npm run build`
    `npm run test:e2e -- --reporter=dot` when routing, demo flows, or browser interactions changed
+   `npm run test:package-types` when exports or packaging changed
 
 ## Test Output Discipline
 1. Always run tests with low-verbosity flags to limit terminal noise and token usage.
@@ -55,12 +54,13 @@ Apply the WeFa Vue workspace standards with predictable discovery, implementatio
 3. If extra verbosity is needed for debugging, rerun only the failing test scope with detailed output.
 
 ## References
+- Load `wefa-vue-cookbook` for shared WeFa usage conventions.
+- Load `references/contributing-and-checks.md` for the repo quality gate and PR-ready checklist.
 - Read `vue/README.md` and `vue/CONTRIBUTE.md` for project workflows.
 - Read `vue/src/locales/Translation.mdx` when adding or reshaping translations.
 
 ## Definition of Done
-1. UI follows WeFa/PrimeVue/Tailwind hierarchy.
-2. User-facing literals are translated.
-3. Public exports and supporting entrypoints are updated when surface area changes.
-4. Tests, stories, docs, and demo wiring are updated for behaviour changes.
-5. Required lint, type, format, unit-test, build, and relevant e2e checks pass.
+1. Shared WeFa usage conventions come from `wefa-vue-cookbook`; this skill adds only repo-specific rules.
+2. Public exports and supporting entrypoints are updated when surface area changes.
+3. Tests, stories, docs, and demo wiring are updated for behavior changes.
+4. Required lint, type, format, unit-test, build, and relevant e2e or package-type checks pass.
diff --git a/.agents/skills/wefa-vue-frontend/agents/openai.yaml b/.agents/skills/wefa-vue-frontend/agents/openai.yaml
index 6b189763..02bbb955 100644
--- a/.agents/skills/wefa-vue-frontend/agents/openai.yaml
+++ b/.agents/skills/wefa-vue-frontend/agents/openai.yaml
@@ -1,4 +1,4 @@
 interface:
-  display_name: "WeFa Vue Frontend"
-  short_description: "Implement and review WeFa Vue frontend changes"
-  default_prompt: "Use $wefa-vue-frontend to implement or review a change in the `vue/` workspace following WeFa frontend conventions."
+  display_name: "WeFa Vue Maintainer"
+  short_description: "Repo-only maintainer rules for the WeFa Vue library"
+  default_prompt: "Use $wefa-vue-frontend after $wefa-vue-cookbook when implementing or reviewing changes inside this repository's WeFa `vue/` workspace."
diff --git a/.agents/skills/wefa-vue-frontend/references/contributing-and-checks.md b/.agents/skills/wefa-vue-frontend/references/contributing-and-checks.md
new file mode 100644
index 00000000..db8aadaa
--- /dev/null
+++ b/.agents/skills/wefa-vue-frontend/references/contributing-and-checks.md
@@ -0,0 +1,57 @@
+# Contributing And Checks
+
+## Purpose
+
+Use this reference when the task needs contribution workflow, quality-gate commands, or a deeper verification checklist than the always-loaded summary.
+
+## First Reads
+
+1. `vue/AGENTS.md`
+2. `vue/CONTRIBUTE.md`
+3. `vue/README.md` when the task changes package-level setup, exports, or developer guidance
+
+## Required Quality Gate
+
+Run from `vue/` before handoff:
+
+```bash
+npm run lint-check
+npm run type-check
+npm run format-check
+npm run test:unit -- --reporter=dot --silent
+npm run build
+```
+
+## Extra Checks When The Change Needs Them
+
+- Run `npm run test:e2e -- --reporter=dot` when routing, demo flows, or browser-visible interactions changed.
+- Run `npm run test:package-types` when exports, packaging, or published type declarations changed.
+- Keep test output low-noise by default; only rerun a narrowed failing scope with higher verbosity while debugging.
+
+## Contributor Expectations
+
+1. Mirror the nearest existing component, container, store, plugin, or network helper before introducing a new pattern.
+2. Update docs alongside behavior:
+   `README.md`, MDX docs, stories, or in-repo guidance depending on what changed.
+3. Keep public-surface changes synchronized:
+   update the nearest `index.ts`, `vue/src/lib.ts`, or `vue/src/containers/index.ts` when the change exposes new surface.
+4. Keep generated artifacts generated:
+   never hand-edit the generated OpenAPI client under `vue/src/demo/openapi/`.
+5. Keep user-facing strings translated and test the translated path, not just hard-coded English.
+
+## PR-Ready Checklist
+
+1. Tests cover the changed behavior, not only the happy path.
+2. Stories and MDX docs are updated for public component/container changes.
+3. Screenshots or recordings exist when the UI changes materially.
+4. The quality gate is green, with any justified deviations called out explicitly.
+5. The branch does not contain unrelated refactors mixed into the feature.
+
+## Review Prompts
+
+Use these when reviewing agent-generated Vue work:
+
+- Did it choose the correct layer, or did it skip a WeFa/PrimeVue abstraction that already exists?
+- Did it add docs, tests, translations, and exports together, or only code?
+- Did it run the right checks for the kind of change made?
+- Did it change public behavior without updating package-level guidance?
diff --git a/AGENTS.md b/AGENTS.md
index 3a6d9958..12f626cf 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -20,7 +20,8 @@
 - Contribution guides: `django/CONTRIBUTE.md` & `vue/CONTRIBUTE.md` cover human onboarding; the agent guides cover conventions and the quality gate.
 
 ## Instruction Routing
-- For frontend work inside `vue/` (components, containers, stories/docs, translations, tests), use the repo-local skills `wefa-vue-frontend` and `wefa-tanstack-query` from `.agents/skills/`. Codex can auto-discover them; agents that do not auto-load skills should read `.agents/skills/wefa-vue-frontend/SKILL.md`, `.agents/skills/wefa-tanstack-query/SKILL.md`, and `vue/AGENTS.md`.
+- For Vue work in consuming projects that use `@nside/wefa`, use the shared skill `wefa-vue-cookbook` from `.agents/skills/`.
+- For frontend work inside this repository's `vue/` workspace (components, containers, stories/docs, translations, tests, network code), load `wefa-vue-cookbook` first and then `wefa-vue-frontend`. Codex can auto-discover them; agents that do not auto-load skills should read `.agents/skills/wefa-vue-cookbook/SKILL.md`, `.agents/skills/wefa-vue-frontend/SKILL.md`, and `vue/AGENTS.md`.
 - For backend work inside `django/`, see `django/AGENTS.md` for app conventions, the quality gate, the new-app checklist, and known gotchas.
 - For BFF work inside `bff/`, see `bff/AGENTS.md` for blueprint layout, OAuth/cookie conventions, OpenAPI flow, and the quality gate.
 - For cross-cutting work (Django ↔ BFF ↔ Vue), follow this file for shared expectations plus the relevant workspace AGENTS / SKILL files.
diff --git a/README.md b/README.md
index e83c96a4..ad426093 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,15 @@ N-SIDE WeFa (Web Factory) is an open-source toolkit for building full-stack, pro
 
 Explore the [interactive documentation](https://n-side-dev.github.io/wefa/) for the Django and Vue packages.
 
+## Agent Guidance
+
+For AI-agent work on Vue code, this repository keeps two distinct guidance layers under `.agents/skills/`:
+
+- `wefa-vue-cookbook` is the shared Vue skill. It is the right starting point for consuming projects that use `@nside/wefa`, and it is also the shared base for work inside this repository's `vue/` package.
+- `wefa-vue-frontend` is the maintainer skill. Use it only for work inside this repository's `vue/` package, after loading the cookbook, when the task touches repo-specific library concerns such as exports, Storybook or MDX docs, demo wiring, generated artifacts, or the Vue quality gate.
+
+See [AGENTS.md](AGENTS.md) for the repo routing rules.
+
 ## Packages at a Glance
 
 - `django/` – source code for the Django distribution published as `nside-wefa`. Includes the demo project in `django/demo`.
diff --git a/vue/.gitignore b/vue/.gitignore
index 56a6c73c..ad983e50 100644
--- a/vue/.gitignore
+++ b/vue/.gitignore
@@ -38,3 +38,9 @@ playwright-report/
 
 *storybook.log
 storybook-static
+
+# ALA
+/src/components/EnergyGridComponent/scotland-260417.osm.pbf
+/public/scotland-power.geojson
+/src/components/EnergyGridComponent/scotland-power.geojson
+/src/components/EnergyGridComponent/scotland-power.osm.pbf
diff --git a/vue/AGENTS.md b/vue/AGENTS.md
index 7815f45b..bf06b261 100644
--- a/vue/AGENTS.md
+++ b/vue/AGENTS.md
@@ -8,8 +8,8 @@ Frontend slice of the N-SIDE WeFa monorepo. This file is the entry point for any
 
 ## Where the conventions live
 
-- **`../.agents/skills/wefa-vue-frontend/SKILL.md`** — component reuse hierarchy (WeFa → PrimeVue → native), folder shape, i18n, delivery workflow, quality-gate commands. Read first for any UI work. Codex can auto-discover this skill; non-Codex agents should open the `SKILL.md` file directly.
-- **`../.agents/skills/wefa-tanstack-query/SKILL.md`** — TanStack Query Vue v5 patterns, when to use `apiClient` / `typedApiClient` / direct hooks, cache invalidation, mutations, v5 vs pre-v5 review checklist. Read when adding or reviewing network code.
+- **`../.agents/skills/wefa-vue-cookbook/SKILL.md`** — the shared WeFa Vue cookbook. It is the base skill for consuming projects that use `@nside/wefa`, and it is also the first skill to load for work inside this `vue/` workspace. It covers reuse hierarchy (WeFa → PrimeVue → native), layout and i18n rules, validation routing, and TanStack Query Vue v5 guidance including wrapper choice, query keys, invalidation, and v5 review checks.
+- **`../.agents/skills/wefa-vue-frontend/SKILL.md`** — the maintainer skill for this repository's Vue library. Read it after the cookbook when working inside this repo. It adds repo-specific rules for exports, Storybook and MDX docs, demo wiring, generated artifacts, frontend tests, and the Vue package quality gate.
 - **[`CONTRIBUTE.md`](CONTRIBUTE.md)** — human onboarding, project layout, full npm scripts table, release flow.
 - **[`README.md`](README.md)** — package capabilities, exports, install, demo flow.
 - **[`.github/copilot-instructions.md`](.github/copilot-instructions.md)** — compatibility entry point for tools that look for `copilot-instructions.md`; it points back to this file and the skills above and is not the source of truth.
@@ -58,7 +58,7 @@ Coverage is Istanbul, output in `./coverage` (`text` + `cobertura` + `lcov` repo
 
 - `copilot-instructions.md` is a compatibility pointer only. Keep the current rules in this file and the two skill files above.
 - `withDefaults()` is discouraged; use `const { prop = default } = defineProps<Type>()` (per the frontend SKILL).
-- Treat data returned from queries as immutable; copy before binding to `v-model` or local mutation (per the TanStack SKILL).
+- Treat data returned from queries as immutable; copy before binding to `v-model` or local mutation (per the cookbook SKILL).
 - Test runs default to low-verbosity reporters (`--reporter=dot --silent`); rerun the failing scope with detail only when debugging.
 - Keep user-facing literals (including `aria-label`, `title`, placeholders) translated through i18n keys — never hard-code English copy.
 - **SFC block order is enforced**: `<template>` → `<script>` → `<style>` (eslint `vue/block-order`). Composition-API instinct is to write script first; ESLint will fail the build.
diff --git a/vue/CONTRIBUTE.md b/vue/CONTRIBUTE.md
index 4a1c6a8a..058a1131 100644
--- a/vue/CONTRIBUTE.md
+++ b/vue/CONTRIBUTE.md
@@ -4,6 +4,15 @@ Thanks for helping shape the WeFa (Web Factory) frontend library. This guide cov
 
 > **Namespace note**: the package is still published as `@nside/wefa` while we complete the rename. File paths and commands below use that scope until the transition lands.
 
+## Agent Guidance
+
+This document is for maintaining the Vue library inside this repository.
+
+- `../.agents/skills/wefa-vue-cookbook/SKILL.md` is the shared cookbook used by consuming projects that depend on `@nside/wefa`, and it is also the shared base guidance for this workspace.
+- `../.agents/skills/wefa-vue-frontend/SKILL.md` is the maintainer skill for this `vue/` workspace. Use it after the cookbook for repo-specific library work such as exports, Storybook or MDX docs, demo wiring, generated artifacts, and the Vue quality gate.
+
+See [AGENTS.md](AGENTS.md) for the workspace routing summary.
+
 ## Table of Contents
 
 - [Development Environment](#development-environment)
diff --git a/vue/README.md b/vue/README.md
index ec27c676..1d49dfb9 100644
--- a/vue/README.md
+++ b/vue/README.md
@@ -33,6 +33,15 @@ The library is built on top of the following ecosystem:
 
 A demo playground lives alongside the library so you can experiment locally while developing components.
 
+## Agent Guidance
+
+For AI-agent work, the Vue guidance is split intentionally:
+
+- `../.agents/skills/wefa-vue-cookbook/SKILL.md` is the shared cookbook. It is the base guidance for consuming projects that use `@nside/wefa`, and it is also the first skill to load when working inside this `vue/` workspace.
+- `../.agents/skills/wefa-vue-frontend/SKILL.md` is the maintainer skill for this repository's Vue library. Load it after the cookbook when the task is specific to maintaining the library itself, such as exports, Storybook or MDX docs, demo wiring, generated artifacts, or the Vue quality gate.
+
+See [AGENTS.md](AGENTS.md) for the workspace routing rules and [CONTRIBUTE.md](CONTRIBUTE.md) for the maintainer workflow.
+
 ## Feature Highlights
 
 - Rich component catalogue following the WeFa design language

From d9e8e78749c53cc40fac4a0d3f7cb659e6122747 Mon Sep 17 00:00:00 2001
From: ala <ala@n-side.com>
Date: Fri, 22 May 2026 16:35:02 +0200
Subject: [PATCH 3/6] Remove local paths from doc

---
 AGENTS.md        | 10 +++++-----
 bff/AGENTS.md    |  2 +-
 django/AGENTS.md |  4 ++--
 vue/.gitignore   |  6 ------
 vue/AGENTS.md    |  4 ++--
 5 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index c0da83f1..f71be618 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -17,9 +17,9 @@ Codex loads AGENTS instructions from the repository root down to the current wor
 ## Repository Map
 
 - `README.md` is the top-level overview; defer to per-workspace `README.md` files for package specifics.
-- `django/` contains reusable Django apps plus the `demo/` validation project. See [django/AGENTS.md](/Users/ala/N-SIDE/wefa/django/AGENTS.md).
-- `vue/` contains the library, demo app, Storybook docs, and package tooling. See [vue/AGENTS.md](/Users/ala/N-SIDE/wefa/vue/AGENTS.md).
-- `bff/` contains the Flask BFF and its generated OpenAPI spec. See [bff/AGENTS.md](/Users/ala/N-SIDE/wefa/bff/AGENTS.md).
+- `django/` contains reusable Django apps plus the `demo/` validation project. See [django/AGENTS.md](django/AGENTS.md).
+- `vue/` contains the library, demo app, Storybook docs, and package tooling. See [vue/AGENTS.md](vue/AGENTS.md).
+- `bff/` contains the Flask BFF and its generated OpenAPI spec. See [bff/AGENTS.md](bff/AGENTS.md).
 - `.agents/skills/` contains repo-local Codex skills.
 - `docs/agent-roadmap.md` records cross-cutting infrastructure direction.
 - `code_review.md` is the review checklist.
@@ -32,8 +32,8 @@ Codex loads AGENTS instructions from the repository root down to the current wor
 - `wefa-vue-cookbook` is the shared base skill: it applies both to consuming apps and to shared Vue conventions inside this repo.
 - `wefa-vue-frontend` adds only repo-specific maintainer guidance for this monorepo's `vue/` workspace: exports, docs, demo wiring, generated artifacts, tests, and quality-gate expectations.
 - For TanStack Query work in `vue/`, also use `wefa-tanstack-query` when the task is specifically about query wiring, invalidation, mutation flows, or wrapper choice.
-- For `django/` work, follow [django/AGENTS.md](/Users/ala/N-SIDE/wefa/django/AGENTS.md).
-- For `bff/` work, follow [bff/AGENTS.md](/Users/ala/N-SIDE/wefa/bff/AGENTS.md).
+- For `django/` work, follow [django/AGENTS.md](django/AGENTS.md).
+- For `bff/` work, follow [bff/AGENTS.md](bff/AGENTS.md).
 - For cross-cutting changes, coordinate backend/API shape first, then update consumers and documentation in the affected workspaces.
 
 ## Shared Engineering Rules
diff --git a/bff/AGENTS.md b/bff/AGENTS.md
index 76d646d6..78d4060a 100644
--- a/bff/AGENTS.md
+++ b/bff/AGENTS.md
@@ -4,7 +4,7 @@
 
 This file applies to the Flask backend-for-frontend in `bff/`. The service handles OAuth login/logout/session checks, encrypted token cookies, health endpoints, OpenAPI generation, and proxying backend REST calls.
 
-Read [README.md](/Users/ala/N-SIDE/wefa/bff/README.md) before changing environment contracts, auth/session behavior, OpenAPI output, Docker behavior, or deployment-facing docs.
+Read [README.md](README.md) before changing environment contracts, auth/session behavior, OpenAPI output, Docker behavior, or deployment-facing docs.
 
 ## Security And Configuration Rules
 
diff --git a/django/AGENTS.md b/django/AGENTS.md
index ab3f92fe..3d41adff 100644
--- a/django/AGENTS.md
+++ b/django/AGENTS.md
@@ -4,7 +4,7 @@
 
 This file applies to the Django toolkit in `django/`. The package publishes `nside-wefa` and contains reusable apps under `nside_wefa/` plus the `demo/` project used for local and CI validation.
 
-Read [README.md](/Users/ala/N-SIDE/wefa/django/README.md) and [CONTRIBUTE.md](/Users/ala/N-SIDE/wefa/django/CONTRIBUTE.md) before changing public behavior, settings, migrations, or release-facing docs.
+Read [README.md](README.md) and [CONTRIBUTE.md](CONTRIBUTE.md) before changing public behavior, settings, migrations, or release-facing docs.
 
 ## Architecture Rules
 
@@ -50,4 +50,4 @@ If running a smaller subset while iterating, choose the narrowest command that e
 ## When In Doubt
 
 - Mirror the closest existing app, usually `audit/` for the fullest reference or `locale/` for the smallest end-to-end shape.
-- Check [../docs/agent-roadmap.md](/Users/ala/N-SIDE/wefa/docs/agent-roadmap.md) before inventing new cross-cutting infrastructure.
+- Check [../docs/agent-roadmap.md](../docs/agent-roadmap.md) before inventing new cross-cutting infrastructure.
diff --git a/vue/.gitignore b/vue/.gitignore
index ad983e50..56a6c73c 100644
--- a/vue/.gitignore
+++ b/vue/.gitignore
@@ -38,9 +38,3 @@ playwright-report/
 
 *storybook.log
 storybook-static
-
-# ALA
-/src/components/EnergyGridComponent/scotland-260417.osm.pbf
-/public/scotland-power.geojson
-/src/components/EnergyGridComponent/scotland-power.geojson
-/src/components/EnergyGridComponent/scotland-power.osm.pbf
diff --git a/vue/AGENTS.md b/vue/AGENTS.md
index 484695c9..5794a6fd 100644
--- a/vue/AGENTS.md
+++ b/vue/AGENTS.md
@@ -4,7 +4,7 @@
 
 This file applies to the `@nside/wefa` Vue 3 workspace in `vue/`: components, containers, composables, stores, router helpers, network helpers, locales, demo code, Storybook docs, tests, and packaging helpers.
 
-Read [README.md](/Users/ala/N-SIDE/wefa/vue/README.md) and [CONTRIBUTE.md](/Users/ala/N-SIDE/wefa/vue/CONTRIBUTE.md) before changing public exports, package behavior, docs, or validation commands.
+Read [README.md](README.md) and [CONTRIBUTE.md](CONTRIBUTE.md) before changing public exports, package behavior, docs, or validation commands.
 
 ## Skill Routing
 
@@ -13,7 +13,7 @@ Read [README.md](/Users/ala/N-SIDE/wefa/vue/README.md) and [CONTRIBUTE.md](/User
 - After the cookbook, load `wefa-vue-frontend` for repo-specific maintainer guidance in this `vue/` workspace.
 - `wefa-vue-frontend` adds only repo-specific rules for exports, Storybook and MDX docs, demo wiring, generated artifacts, frontend tests, and the package quality gate.
 - For TanStack Query setup, query or mutation flows, invalidation, or wrapper-choice work, also use `wefa-tanstack-query`.
-- [`.github/copilot-instructions.md`](/Users/ala/N-SIDE/wefa/vue/.github/copilot-instructions.md) is a compatibility pointer only, not the source of truth.
+- [`.github/copilot-instructions.md`](.github/copilot-instructions.md) is a compatibility pointer only, not the source of truth.
 
 ## UI And Composition Rules
 

From a4a4180e8ee1b47f83994f9f9131807ebede50f9 Mon Sep 17 00:00:00 2001
From: ala <ala@n-side.com>
Date: Fri, 22 May 2026 16:37:47 +0200
Subject: [PATCH 4/6] npm audit fix

---
 vue/package-lock.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/vue/package-lock.json b/vue/package-lock.json
index 525f2a7d..880a368e 100644
--- a/vue/package-lock.json
+++ b/vue/package-lock.json
@@ -8642,13 +8642,13 @@
       }
     },
     "node_modules/js-cookie": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz",
-      "integrity": "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==",
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.7.tgz",
+      "integrity": "sha512-z/wZZgDrkNV1eA0ULjM/F9/50Ya8fbzgKneSpoPsXSGd0KnpdtHfOZWK+GcwLk+EZbS4F9RBhU+K2RgzuDaItw==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">=14"
+        "node": ">=20"
       }
     },
     "node_modules/js-stringify": {

From a03d8b3dbc28a5bed557710622f3be9cc2658aaf Mon Sep 17 00:00:00 2001
From: ala <ala@n-side.com>
Date: Thu, 18 Jun 2026 12:07:38 +0200
Subject: [PATCH 5/6] Tightening

---
 .agents/skills/wefa-vue-cookbook/references/css-guidelines.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.agents/skills/wefa-vue-cookbook/references/css-guidelines.md b/.agents/skills/wefa-vue-cookbook/references/css-guidelines.md
index 8d89cbde..8d993678 100644
--- a/.agents/skills/wefa-vue-cookbook/references/css-guidelines.md
+++ b/.agents/skills/wefa-vue-cookbook/references/css-guidelines.md
@@ -36,7 +36,7 @@ The default expectation is utility-first styling, not custom CSS-first styling.
   use it only when the parent chain makes height resolvable.
 - Prefer layout-driven sizing through flex, grid, and min/max constraints over fixed `h-*` or `w-*` values. Use fixed sizes sparingly.
 - For parent/child layout interfaces, prefer parent-owned `gap`, padding, and placement rules over child margins or offsets when expressing layout between siblings.
-- Reusable children should usually avoid defining decorative backgrounds, borders, shadows, or similar chrome at the outer interface level. Keep those at the parent level unless they are semantic, serve a clear purpose, or are an explicit part of the child component contract.
+- Reusable children should usually avoid defining decorative backgrounds, borders, shadows, or similar chrome at the outer interface level. The only exception is if it serves a clearly defined purpose (e.g a red background for an error status).
 
 ## Practical Heuristics
 

From aef0dae1a985bc330172edb79a96d17c834776c0 Mon Sep 17 00:00:00 2001
From: ala <ala@n-side.com>
Date: Thu, 18 Jun 2026 12:13:05 +0200
Subject: [PATCH 6/6] Every day on god's green earth is a fight against
 pipeline checks, and I'm afraid I'm not on the winning side

---
 bff/pyproject.toml |  2 +-
 bff/uv.lock        | 62 ++++++++++++++++++++++------------------------
 2 files changed, 31 insertions(+), 33 deletions(-)

diff --git a/bff/pyproject.toml b/bff/pyproject.toml
index d148d9e5..3019073c 100644
--- a/bff/pyproject.toml
+++ b/bff/pyproject.toml
@@ -5,7 +5,7 @@ description = "Flask backend-for-frontend"
 requires-python = ">=3.12,<3.13"
 dependencies = [
     "authlib>=1.7.2",
-    "cryptography",
+    "cryptography>=49.0.0",
     "flask~=3.1.2",
     "flask-cors",
     "flask-session",
diff --git a/bff/uv.lock b/bff/uv.lock
index 5d27e0cd..a2fc933b 100644
--- a/bff/uv.lock
+++ b/bff/uv.lock
@@ -58,7 +58,7 @@ dev = [
 [package.metadata]
 requires-dist = [
     { name = "authlib", specifier = ">=1.7.2" },
-    { name = "cryptography" },
+    { name = "cryptography", specifier = ">=49.0.0" },
     { name = "flask", specifier = "~=3.1.2" },
     { name = "flask-cors" },
     { name = "flask-session" },
@@ -173,41 +173,39 @@ wheels = [
 
 [[package]]
 name = "cryptography"
-version = "48.0.0"
+version = "49.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "cffi", marker = "platform_python_implementation != 'PyPy'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9f/a9/db8f313fdcd85d767d4973515e1db101f9c71f95fced83233de224673757/cryptography-48.0.0.tar.gz", hash = "sha256:5c3932f4436d1cccb036cb0eaef46e6e2db91035166f1ad6505c3c9d5a635920", size = 832984, upload-time = "2026-05-04T22:59:38.133Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/df/3d/01f6dd9190170a5a241e0e98c2d04be3664a9e6f5b9b872cde63aff1c3dd/cryptography-48.0.0-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:0c558d2cdffd8f4bbb30fc7134c74d2ca9a476f830bb053074498fbc86f41ed6", size = 8001587, upload-time = "2026-05-04T22:57:36.803Z" },
-    { url = "https://files.pythonhosted.org/packages/b2/6e/e90527eef33f309beb811cf7c982c3aeffcce8e3edb178baa4ca3ae4a6fa/cryptography-48.0.0-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:f5333311663ea94f75dd408665686aaf426563556bb5283554a3539177e03b8c", size = 4690433, upload-time = "2026-05-04T22:57:40.373Z" },
-    { url = "https://files.pythonhosted.org/packages/90/04/673510ed51ddff56575f306cf1617d80411ee76831ccd3097599140efdfe/cryptography-48.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7995ef305d7165c3f11ae07f2517e5a4f1d5c18da1376a0a9ed496336b69e5f3", size = 4710620, upload-time = "2026-05-04T22:57:42.935Z" },
-    { url = "https://files.pythonhosted.org/packages/14/d5/e9c4ef932c8d800490c34d8bd589d64a31d5890e27ec9e9ad532be893294/cryptography-48.0.0-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:40ba1f85eaa6959837b1d51c9767e230e14612eea4ef110ee8854ada22da1bf5", size = 4696283, upload-time = "2026-05-04T22:57:45.294Z" },
-    { url = "https://files.pythonhosted.org/packages/0c/29/174b9dfb60b12d59ecfc6cfa04bc88c21b42a54f01b8aae09bb6e51e4c7f/cryptography-48.0.0-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:369a6348999f94bbd53435c894377b20ab95f25a9065c283570e70150d8abc3c", size = 5296573, upload-time = "2026-05-04T22:57:47.933Z" },
-    { url = "https://files.pythonhosted.org/packages/95/38/0d29a6fd7d0d1373f0c0c88a04ba20e359b257753ac497564cd660fc1d55/cryptography-48.0.0-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:a0e692c683f4df67815a2d258b324e66f4738bd7a96a218c826dce4f4bd05d8f", size = 4743677, upload-time = "2026-05-04T22:57:50.067Z" },
-    { url = "https://files.pythonhosted.org/packages/30/be/eef653013d5c63b6a490529e0316f9ac14a37602965d4903efed1399f32b/cryptography-48.0.0-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:18349bbc56f4743c8b12dc32e2bccb2cf83ee8b69a3bba74ef8ae857e26b3d25", size = 4330808, upload-time = "2026-05-04T22:57:52.301Z" },
-    { url = "https://files.pythonhosted.org/packages/84/9e/500463e87abb7a0a0f9f256ec21123ecde0a7b5541a15e840ea54551fd81/cryptography-48.0.0-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e8eac43dfca5c4cccc6dad9a80504436fca53bb9bc3100a2386d730fbe6b602", size = 4695941, upload-time = "2026-05-04T22:57:54.603Z" },
-    { url = "https://files.pythonhosted.org/packages/e3/dc/7303087450c2ec9e7fbb750e17c2abfbc658f23cbd0e54009509b7cc4091/cryptography-48.0.0-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9ccdac7d40688ecb5a3b4a604b8a88c8002e3442d6c60aead1db2a89a041560c", size = 5252579, upload-time = "2026-05-04T22:57:57.207Z" },
-    { url = "https://files.pythonhosted.org/packages/d0/c0/7101d3b7215edcdc90c45da544961fd8ed2d6448f77577460fa75a8443f7/cryptography-48.0.0-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:bd72e68b06bb1e96913f97dd4901119bc17f39d4586a5adf2d3e47bc2b9d58b5", size = 4743326, upload-time = "2026-05-04T22:57:59.535Z" },
-    { url = "https://files.pythonhosted.org/packages/ac/d8/5b833bad13016f562ab9d063d68199a4bd121d18458e439515601d3357ec/cryptography-48.0.0-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:59baa2cb386c4f0b9905bd6eb4c2a79a69a128408fd31d32ca4d7102d4156321", size = 4826672, upload-time = "2026-05-04T22:58:01.996Z" },
-    { url = "https://files.pythonhosted.org/packages/98/e1/7074eb8bf3c135558c73fc2bcf0f5633f912e6fb87e868a55c454080ef09/cryptography-48.0.0-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:9249e3cd978541d665967ac2cb2787fd6a62bddf1e75b3e347a594d7dacf4f74", size = 4972574, upload-time = "2026-05-04T22:58:03.968Z" },
-    { url = "https://files.pythonhosted.org/packages/04/70/e5a1b41d325f797f39427aa44ef8baf0be500065ab6d8e10369d850d4a4f/cryptography-48.0.0-cp311-abi3-win32.whl", hash = "sha256:9c459db21422be75e2809370b829a87eb37f74cd785fc4aa9ea1e5f43b47cda4", size = 3294868, upload-time = "2026-05-04T22:58:06.467Z" },
-    { url = "https://files.pythonhosted.org/packages/f4/ac/8ac51b4a5fc5932eb7ee5c517ba7dc8cd834f0048962b6b352f00f41ebf9/cryptography-48.0.0-cp311-abi3-win_amd64.whl", hash = "sha256:5b012212e08b8dd5edc78ef54da83dd9892fd9105323b3993eff6bea65dc21d7", size = 3817107, upload-time = "2026-05-04T22:58:08.845Z" },
-    { url = "https://files.pythonhosted.org/packages/f2/63/61d4a4e1c6b6bab6ce1e213cd36a24c415d90e76d78c5eb8577c5541d2e8/cryptography-48.0.0-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:58d00498e8933e4a194f3076aee1b4a97dfec1a6da444535755822fe5d8b0b86", size = 7983482, upload-time = "2026-05-04T22:58:43.769Z" },
-    { url = "https://files.pythonhosted.org/packages/d5/ac/f5b5995b87770c693e2596559ffafe195b4033a57f14a82268a2842953f3/cryptography-48.0.0-cp39-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:614d0949f4790582d2cc25553abd09dd723025f0c0e7c67376a1d77196743d6e", size = 4683266, upload-time = "2026-05-04T22:58:46.064Z" },
-    { url = "https://files.pythonhosted.org/packages/ec/c6/8b14f67e18338fbc4adb76f66c001f5c3610b3e2d1837f268f47a347dbbb/cryptography-48.0.0-cp39-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7ce4bfae76319a532a2dc68f82cc32f5676ee792a983187dac07183690e5c66f", size = 4696228, upload-time = "2026-05-04T22:58:48.22Z" },
-    { url = "https://files.pythonhosted.org/packages/ea/73/f808fbae9514bd91b47875b003f13e284c8c6bdfd904b7944e803937eec1/cryptography-48.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:2eb992bbd4661238c5a397594c83f5b4dc2bc5b848c365c8f991b6780efcc5c7", size = 4689097, upload-time = "2026-05-04T22:58:50.9Z" },
-    { url = "https://files.pythonhosted.org/packages/93/01/d86632d7d28db8ae83221995752eeb6639ffb374c2d22955648cf8d52797/cryptography-48.0.0-cp39-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:22a5cb272895dce158b2cacdfdc3debd299019659f42947dbdac6f32d68fe832", size = 5283582, upload-time = "2026-05-04T22:58:53.017Z" },
-    { url = "https://files.pythonhosted.org/packages/02/e1/50edc7a50334807cc4791fc4a0ce7468b4a1416d9138eab358bfc9a3d70b/cryptography-48.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:2b4d59804e8408e2fea7d1fbaf218e5ec984325221db76e6a241a9abd6cdd95c", size = 4730479, upload-time = "2026-05-04T22:58:55.611Z" },
-    { url = "https://files.pythonhosted.org/packages/6f/af/99a582b1b1641ff5911ac559beb45097cf79efd4ead4657f578ef1af2d47/cryptography-48.0.0-cp39-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:984a20b0f62a26f48a3396c72e4bc34c66e356d356bf370053066b3b6d54634a", size = 4326481, upload-time = "2026-05-04T22:58:57.607Z" },
-    { url = "https://files.pythonhosted.org/packages/90/ee/89aa26a06ef0a7d7611788ffd571a7c50e368cc6a4d5eef8b4884e866edb/cryptography-48.0.0-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:5a5ed8fde7a1d09376ca0b40e68cd59c69fe23b1f9768bd5824f54681626032a", size = 4688713, upload-time = "2026-05-04T22:59:00.077Z" },
-    { url = "https://files.pythonhosted.org/packages/70/ba/bcb1b0bb7a33d4c7c0c4d4c7874b4a62ae4f56113a5f4baefa362dfb1f0f/cryptography-48.0.0-cp39-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:8cd666227ef7af430aa5914a9910e0ddd703e75f039cef0825cd0da71b6b711a", size = 5238165, upload-time = "2026-05-04T22:59:02.317Z" },
-    { url = "https://files.pythonhosted.org/packages/c9/70/ca4003b1ce5ca3dc3186ada51908c8a9b9ff7d5cab83cc0d43ee14ec144f/cryptography-48.0.0-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:9071196d81abc88b3516ac8cdfad32e2b66dd4a5393a8e68a961e9161ddc6239", size = 4729947, upload-time = "2026-05-04T22:59:05.255Z" },
-    { url = "https://files.pythonhosted.org/packages/44/a0/4ec7cf774207905aef1a8d11c3750d5a1db805eb380ee4e16df317870128/cryptography-48.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:1e2d54c8be6152856a36f0882ab231e70f8ec7f14e93cf87db8a2ed056bf160c", size = 4822059, upload-time = "2026-05-04T22:59:07.802Z" },
-    { url = "https://files.pythonhosted.org/packages/1e/75/a2e55f99c16fcac7b5d6c1eb19ad8e00799854d6be5ca845f9259eae1681/cryptography-48.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a5da777e32ffed6f85a7b2b3f7c5cbc88c146bfcd0a1d7baf5fcc6c52ee35dd4", size = 4960575, upload-time = "2026-05-04T22:59:09.851Z" },
-    { url = "https://files.pythonhosted.org/packages/b8/23/6e6f32143ab5d8b36ca848a502c4bcd477ae75b9e1677e3530d669062578/cryptography-48.0.0-cp39-abi3-win32.whl", hash = "sha256:77a2ccbbe917f6710e05ba9adaa25fb5075620bf3ea6fb751997875aff4ae4bd", size = 3279117, upload-time = "2026-05-04T22:59:12.019Z" },
-    { url = "https://files.pythonhosted.org/packages/9d/9a/0fea98a70cf1749d41d738836f6349d97945f7c89433a259a6c2642eefeb/cryptography-48.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:16cd65b9330583e4619939b3a3843eec1e6e789744bb01e7c7e2e62e33c239c8", size = 3792100, upload-time = "2026-05-04T22:59:14.884Z" },
+sdist = { url = "https://files.pythonhosted.org/packages/1f/99/d1c90d6041656cc6ee229dc99cd67fd0cd5aec3c5f7d72fffc27cc750054/cryptography-49.0.0.tar.gz", hash = "sha256:f89660a348f4f78a92366240a61404e337586ef7f5909a2fef59ca88ef505493", size = 854345, upload-time = "2026-06-12T20:02:30.512Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/9b/22/adf66990e63584a68dfb50c24f48a125c07b1699899381c8151e63ed458c/cryptography-49.0.0-cp311-abi3-macosx_11_0_arm64.whl", hash = "sha256:966fe0e9c67490071f14c0d2b1cb2dfb3023c5ce39457343931415f08382f2db", size = 4032100, upload-time = "2026-06-12T20:02:32.143Z" },
+    { url = "https://files.pythonhosted.org/packages/09/41/3797cfaf69cae04a13ee78ebd83f0678d9c02b4779d21ce24445326f1a69/cryptography-49.0.0-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:36d1709f992593689b45bda411498d62c6e365f2ca00b84657d4dadd24de16db", size = 4692978, upload-time = "2026-06-12T20:01:21.305Z" },
+    { url = "https://files.pythonhosted.org/packages/e6/8b/43011f7ebe515a8aa20d61f290a326cd890c2e738e16e59eaff8d9c3a412/cryptography-49.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:0e959b578856a3924bc0cbb710fc12c387b9412a951389f3ca61704a9e25f325", size = 4716422, upload-time = "2026-06-12T20:01:48.566Z" },
+    { url = "https://files.pythonhosted.org/packages/4a/91/01ce7303a4579e6d3a6abef01bd322848e9ea7a219adcabc5048b9033571/cryptography-49.0.0-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:53ecee2e23f7169b6117e99fc8a944e5e50f79e69758a83b52a00cb98ab2b2d2", size = 4700503, upload-time = "2026-06-12T20:02:47.091Z" },
+    { url = "https://files.pythonhosted.org/packages/62/99/a2c95cf8293f07491e9e27c20cc4dcd18176d944e674679adeb1d0173fd6/cryptography-49.0.0-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:2eda353d8a27bcbcaa4cbed18994a74ab4d19a2ca897db188ea269ab9b71419b", size = 5309779, upload-time = "2026-06-12T20:02:08.987Z" },
+    { url = "https://files.pythonhosted.org/packages/20/2c/0622f20ff02b2ef32558733443805dc82fd4c275be01b2d19d14676f3a1b/cryptography-49.0.0-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:2afe9051da7ae7bd5905da5a949280c7d2bb75682e188f650a9d0f2756b834c6", size = 4749683, upload-time = "2026-06-12T20:02:03.335Z" },
+    { url = "https://files.pythonhosted.org/packages/a3/5b/c5246635d5fd3b64e0d45ae10e99fd32fe9676a79915ccfe5a61ba9af1a5/cryptography-49.0.0-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:0b82e28ee398a386f0807bba7884d30f25218855690f45115831bcce5d90822c", size = 4337874, upload-time = "2026-06-12T20:02:54.323Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/88/05563c7fe2e914e87d1a536d06fe83e66b4e1d95cb593e05aea375531da8/cryptography-49.0.0-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:ccac2bfebc306b862133e3bb71f3f6ee8bb525240089b2d952e4144b3a6d5da7", size = 4700283, upload-time = "2026-06-12T20:01:34.822Z" },
+    { url = "https://files.pythonhosted.org/packages/c4/b6/d7696e4e890d6ae1469935164c9e5215c557671cb78d6e3f458ccceaa632/cryptography-49.0.0-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:d0527ce944105f257f605a827d6ebead966c752038b6e8656abb9c5edee6fc68", size = 5265844, upload-time = "2026-06-12T20:01:24.09Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/3c/f3ad17eecc1a57b0ba236dc01f90e783c51f4a2f35f64777cc4f47a184b2/cryptography-49.0.0-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:cbc77da8c523d5abd028635ba850a6966fcee2c82e2bf65a41d1d8afe0f98be9", size = 4749290, upload-time = "2026-06-12T20:01:30.848Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/01/339573cf1023163a400b0b5d16f6d507de413b9f60be6fd1b77feeaf6737/cryptography-49.0.0-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:b87e65d263b3e5d3bb92a57e2a6638e2f31110fa7aa890c7b2dbba42248d0a3f", size = 4834612, upload-time = "2026-06-12T20:01:29.246Z" },
+    { url = "https://files.pythonhosted.org/packages/71/fd/577302e213a1be9468f92d1afef66fcf1ef83d516819d9992ca547f592bd/cryptography-49.0.0-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:66ec79c3904820572d7e987abdf304281f141d37ad9a489b8e97066e7b9b6459", size = 4980804, upload-time = "2026-06-12T20:01:42.853Z" },
+    { url = "https://files.pythonhosted.org/packages/1f/09/f42b1d190c5ba75f72062a387f8030d1d75f6ab035788f1d9c4b01de6525/cryptography-49.0.0-cp311-abi3-win_amd64.whl", hash = "sha256:e5dfc1e64de5677cec922ffa8da89c546d0415bf6efdf081842e5d44c84e1f0e", size = 3810026, upload-time = "2026-06-12T20:02:39.262Z" },
+    { url = "https://files.pythonhosted.org/packages/19/2a/5bb823f5bedcf80718cea7fbc95ec5515cca3769633c4b01a32be7f30e7c/cryptography-49.0.0-cp39-abi3-macosx_11_0_arm64.whl", hash = "sha256:ec5e529fb80935c94fe7b729f9972b50e351a0e6b50aa294fd5cabb109fcc29a", size = 4025947, upload-time = "2026-06-12T20:01:25.745Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/df/40577043ca124e17012f408ddddaeb213b856336ac82ddb3bc915f39e29f/cryptography-49.0.0-cp39-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:f78ff2c9ed8dc2d036b0f4d640e22522213d047c1b14e61205a7e55c80a494d4", size = 4692429, upload-time = "2026-06-12T20:01:53.628Z" },
+    { url = "https://files.pythonhosted.org/packages/2c/99/2d13299eb3dd27b02dcfaafcc91d6b5cb3329f7cbd6d8f51921acd566c1a/cryptography-49.0.0-cp39-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:35b151772baff2c74cba7fa290ceaff4c3b11c0c881eb93eb5dbc05a7cfbba18", size = 4700968, upload-time = "2026-06-12T20:02:45.383Z" },
+    { url = "https://files.pythonhosted.org/packages/a5/4d/9c0cd02f95e2602dd5e563da149ee0830abef3537be8b34dc56281ebe27a/cryptography-49.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:0f21641cf4b30fca7aee061ced0ec7ad7b073518088b7c9969a297c0ae796c69", size = 4697758, upload-time = "2026-06-12T20:01:41.13Z" },
+    { url = "https://files.pythonhosted.org/packages/24/01/186c825898477d77e2324d5360fefe622ff1d8d1963ec0554e2cada8ec77/cryptography-49.0.0-cp39-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:9e82dcc8e56052715fb18b2429e3bca4823b1629136a2084fc45a9a5cecb9b64", size = 5298863, upload-time = "2026-06-12T20:02:24.579Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/7b/62cbbab75d0659865bf0273790031544a0b16c8072d258f9428dcd8190dc/cryptography-49.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:6f2debedf9ca60cf1d5bd466475638af5130f89965605cd818484d19987d3a21", size = 4735983, upload-time = "2026-06-12T20:01:50.14Z" },
+    { url = "https://files.pythonhosted.org/packages/6c/72/3e798c064bc39e471008075d0f9bc9daf77a80879c092e4a8e170c585ed4/cryptography-49.0.0-cp39-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:8c25ceb16df5b9435f3f6a9829204985b0e0cbee3b48aacd432c7d2c850b44d9", size = 4334173, upload-time = "2026-06-12T20:01:44.743Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/ee/6fca21d1ac73e06f8bef71940abfd4d2f6472b4bca284d770f32bd4086f6/cryptography-49.0.0-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:28d8b15e6275f12c8a207dc309dfa957903c927d08d0cc937ee3f63f200693cc", size = 4697298, upload-time = "2026-06-12T20:02:20.918Z" },
+    { url = "https://files.pythonhosted.org/packages/67/d0/a5fcd3515f0bae49a7b6d0413cc1bdccdcc1fc0047037a0d480642cdc5d6/cryptography-49.0.0-cp39-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:6fc361c34fb6aac015ce19435876635e5c6d21db31998b0920f675f131e043b8", size = 5254338, upload-time = "2026-06-12T20:02:22.737Z" },
+    { url = "https://files.pythonhosted.org/packages/a0/84/84fe36f19caf857d61cb7fc9c63035a47ffabd84ea12d1d393148efa3615/cryptography-49.0.0-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:2400ef9c9e2299a25614eb1dea3db54a69b1349efd043bfac9c67630d136df36", size = 4735650, upload-time = "2026-06-12T20:02:41.389Z" },
+    { url = "https://files.pythonhosted.org/packages/6c/a0/db537264e234f7273a73ec020873d6d6b39dfd8a53db78b550ca8320440e/cryptography-49.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:67e1d20ad9ef3a563c59ef22e7a8a0b8210bd26604369ea4a30a7c66aefe504e", size = 4834820, upload-time = "2026-06-12T20:01:51.847Z" },
+    { url = "https://files.pythonhosted.org/packages/93/77/8df9eb486495979bccecd1062e2eaf435250e84437040295b57d09048b0b/cryptography-49.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:42b0684e0e40cf26122427802486f6d93aea593612603a94fbf260c7eb1e9c1b", size = 4967968, upload-time = "2026-06-12T20:02:12.524Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/e6/f60198ea8d9dfa15fff9ed4ca02ce362f6eadd9ba757dcc50634c4257b63/cryptography-49.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:026ac7423e6fa66872d3bf889be5974507da3944f866f704fa200eadacd00001", size = 3785547, upload-time = "2026-06-12T20:02:26.847Z" },
 ]
 
 [[package]]