From 89ae7a47f4a3eaf99d7d5b943f18a2672d44f43e Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 12 Jun 2026 14:54:47 +0200
Subject: [PATCH 1/7] chore(AI): Add agents.md based on latest fable5 analysis

Assisted-by: ClaudeCode:claude-fable-5
Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 AGENTS.md | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 AGENTS.md

diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000000..92d2eb5d0c2
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,131 @@
+# AGENTS.md — Nextcloud Talk (spreed)
+
+Guidance for AI coding agents working in this repository. The PHP backend lives in
+`lib/`, integration tests in `tests/integration/` (Behat), unit tests in `tests/php/`.
+
+## Baseline & tooling
+
+- PHP **8.2+**, Nextcloud server **35** (`appinfo/info.xml`). Code must stay portable
+  across MariaDB, MySQL, PostgreSQL, SQLite, and Oracle — migrations, query-builder
+  usage, and tests alike.
+- `lib/Vendor/` is third-party code bundled via Mozart (`cuyz/valinor`,
+  `firebase/php-jwt`). **Never edit or analyze it as project code.**
+- Checks: `composer cs:fix` (php-cs-fixer, Nextcloud coding standard),
+  `composer psalm` (level 4, baseline in `tests/psalm-baseline.xml`),
+  `composer rector:check`, `composer lint`.
+- OpenAPI: controller docblocks/psalm types in `lib/ResponseDefinitions.php` feed
+  `composer openapi`; regenerate after changing API signatures or responses.
+
+## Conventions to follow (and the drift to avoid)
+
+These rules come from a 2026-06 technical-debt analysis. Where the codebase has two
+patterns, **new code must use the modern one** listed first.
+
+### Dependency injection
+- Constructor injection with property promotion everywhere. Do **not** add new
+  `\OCP\Server::get()` calls; the existing ones are debt:
+  - `lib/Room.php:231-332` — four `// TODO use DI` service-locator blocks (the domain
+    model pulls `ParticipantService`/`RoomService`/`Manager` from the container;
+    `getName()` even writes to the DB). Do not extend this pattern.
+  - Controllers contain ~42 `Server::get()` calls to instantiate federation proxy
+    controllers (`ChatController` alone has 13) — tolerated pattern, don't add more
+    variants of it.
+
+### Data access
+- New persisted entities use `QBMapper` + `SnowflakeAwareEntity` in `lib/Model/` (see `ConversationTag`,
+  `ScheduledMessage` as templates).
+- `Room` and `Participant` are **not** Entities: they are hydrated by hand in
+  `Manager::createRoomObject()` (`lib/Manager.php:127`) from columns aliased in
+  `lib/Model/SelectHelper.php`. Adding a Room/Participant column means touching the
+  migration, `SelectHelper`, `Manager` hydration, and the constructor **in lockstep**.
+- Query builder only; no raw SQL outside migrations.
+
+### Services & responsibility split
+- Reads/lookups: `lib/Manager.php`. Writes/mutations + event dispatch:
+  `lib/Service/RoomService.php` / `ParticipantService.php`. Keep that split.
+- New service classes go in `lib/Service/` with a `*Service` name. The lib-root
+  `GuestManager`, `MatterbridgeManager` and `lib/Chat/ChatManager` are legacy naming —
+  don't copy that layout.
+- Use the newer modules (`lib/Federation/`, `lib/Service/RecordingService.php`,
+  `lib/Service/BotService.php`, `lib/RoomPresets/`) as style templates, not the
+  2016-era core.
+
+### Error signaling
+- Lookups throw domain exceptions (`RoomNotFoundException`,
+  `ParticipantNotFoundException` — `lib/Exceptions/`).
+- Idempotent setters may return `bool` (false = no-op/invalid), e.g.
+  `RoomService::setPermissions()`. Don't return `null`/`false` for "not found".
+
+### Events
+- Typed events only (`IEventDispatcher::dispatchTyped()`), extending the `A`-prefixed
+  abstract bases in `lib/Events/`, with `Before*`/`*` pairs for mutations. Listeners
+  are registered in `lib/AppInfo/Application.php`. No string-based events or hooks.
+
+### Controllers & API
+- OCS controllers needing room/participant context extend
+  `AEnvironmentAwareOCSController` (populated by `InjectionMiddleware` via the
+  `#[RequireRoom]`-style attributes in `lib/Middleware/Attribute/`); others extend
+  `OCSController` directly.
+- PHP attributes only (`#[NoAdminRequired]`, `#[PublicPage]`,
+  `#[BruteForceProtection]`, `#[ApiRoute]`) — never docblock annotations.
+- Responses are `DataResponse` with psalm type shapes from `ResponseDefinitions.php`.
+
+### Config
+- Talk settings go through the `lib/Config.php` facade; `lib/ConfigLexicon.php`
+  (currently `Strictness::IGNORE`, only 2 user-preference entries) is the emerging
+  registry — register new app-config keys there as well.
+
+### Caching
+- Cache prefixes belong in `lib/CachePrefix.php`. Known drift: `hpb_servers` lacks the
+  `talk/` prefix and `Capabilities.php` uses a raw `'talk::'` string — don't add more
+  ad-hoc prefixes.
+
+### PHP style
+- Strict comparisons, `?Type` nullables, `match` over `switch`, `str_contains`/
+  `str_starts_with` over `strpos`/`substr` checks, `readonly` where applicable,
+  arrow functions, `JSON_THROW_ON_ERROR` on new `json_encode`/`json_decode` calls.
+- Only two native enums exist (`lib/RoomAttributes.php`,
+  `lib/RoomPresets/Parameter.php`); the domain otherwise uses int constant groups
+  (`Room::TYPE_*`, `Participant::OWNER/...`, `Attendee::ACTOR_*`, …). Prefer native
+  backed enums for new value sets; bitflags (`Attendee::PERMISSIONS_*`,
+  `Participant::FLAG_*`) stay int constants.
+
+## Known technical debt (2026-06 analysis)
+
+Prioritized backlog; safe to pick up as standalone PRs.
+
+1. **`\OC_Util::tearDownFS()/setupFS()`** at `lib/Chat/Parser/SystemMessage.php:990-992`
+   — last private-server-API usage; the only real forward-compat risk. Replace with a
+   public API for per-user filesystem context.
+2. **`Room.php` service locators** (`lib/Room.php:231-332`) — move 1:1 name
+   resolution, display-name and last-message loading out of the model into
+   `Manager`/formatter code; removes the `Room ↔ RoomService` cycle and a
+   getter-with-DB-write.
+3. **Enum migration** — convert the constant groups above to native backed enums,
+   group by group, keeping `->value` at OCS/DB boundaries.
+4. **Room/Participant hydration** — introduce a mapper that owns the
+   `SelectHelper` ⇄ constructor column mapping currently spread over three files.
+5. **Stale "temporary" code** — 15× `FIXME Temporary solution for the Talk6 release`
+   in `lib/Manager.php` (Talk 6 shipped 2019): decide permanent vs repair-step and
+   delete the comments. Likewise `Room::OBJECT_TYPE_PHONE_LEGACY` (`@deprecated`) is
+   still consumed in 5 places (`Notification/Notifier.php:1095`,
+   `Service/AvatarService.php:265`, `Controller/RoomController.php:767`,
+   `Service/RoomService.php:192`, `Listener/RestrictStartingCalls.php:57`).
+6. **God classes** — `Controller/RoomController.php` (~3.3k lines, 63 endpoints),
+   `Controller/ChatController.php` (~2.6k), `Service/ParticipantService.php` (~2.4k;
+   a `SessionService` would split out naturally), `Service/RoomService.php`,
+   `Manager.php`. Don't grow them; extract when touching related code.
+7. **Copy-paste `BackendNotifier`s** — `Signaling/`, `Recording/`, `Federation/`
+   share the `doRequest()` + retry + `PHPUNIT_RUN` boilerplate; extract a base class.
+8. **`MatterbridgeManager`** — 16-branch elseif chain in `generateConfig()` (~line
+   337), remaining `is_null()` calls and `strpos`/`substr` clusters; oldest-style file
+   in the repo.
+9. **Tests** — pyramid is inverted (~61 unit-test files vs huge Behat suite); core
+   domain is only covered end-to-end. Unit tests still use `@dataProvider`
+   annotations — migrate to `#[DataProvider]` attributes before the next PHPUnit bump.
+10. **Static analysis headroom** — psalm level 4 with `findUnusedCode="false"` and a
+    ~200-line baseline; tightening would surface hidden debt.
+11. **`json_encode`/`json_decode`** — ~164 of 193 calls lack `JSON_THROW_ON_ERROR`
+    (e.g. the 1:1 name trick at `Room.php:248`); fix opportunistically.
+12. **Loose comparison** at `BackgroundJob/CheckCertificates.php:90` (`== null`) and
+    `Command/Signaling/VerifyKeys.php:50` (`!=`).

From 2bf863fb61a5c23a74f2fe5f9f3b4f2b6572f1a5 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 12 Jun 2026 14:55:12 +0200
Subject: [PATCH 2/7] chore(AI): Add general Nextcloud Contribution Policy

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 AGENTS.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
index 92d2eb5d0c2..3d93bfacde7 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -3,6 +3,32 @@
 Guidance for AI coding agents working in this repository. The PHP backend lives in
 `lib/`, integration tests in `tests/integration/` (Behat), unit tests in `tests/php/`.
 
+## Nextcloud Contribution Policy
+
+All contributions generated or assisted by this agent must fully comply with:
+
+- **[AI Contribution Policy](https://github.com/nextcloud/.github/blob/master/AI_POLICY.md)** - the primary reference for AI-specific rules, covering disclosure, author accountability, communication, security, licensing, code quality, and autonomous agent behavior.
+- **[Contribution Guidelines](https://github.com/nextcloud/.github/blob/master/CONTRIBUTING.md)** - covering testing requirements, the Developer Certificate of Origin (DCO), license headers, conventional commits, and translations. These apply in full to all contributions regardless of how they were produced.
+
+### What this agent must always do
+
+- Add an `Assisted-by: AGENT_NAME:MODEL_VERSION` git trailer to every commit containing AI-assisted content.
+- Ensure every pull request includes a disclosure of AI tool use in the PR description.
+- Produce focused, scoped pull requests that address exactly one concern. Do not touch unrelated files or introduce incidental refactors.
+- Verify all dependencies against actual package registries before suggesting them. Do not use hallucinated or unverified package names.
+- Explicitly inform the contributor when any action they are about to take, or have taken, would violate the AI Contribution Policy or the Contribution Guidelines. Do not silently proceed. State which rule is at risk and what the contributor should do instead.
+- Warn the contributor if a pull request is growing too large. A PR approaching several thousand lines of changed code is a signal that it should be split into smaller, focused PRs. Suggest a logical split before the PR is opened, not after.
+- Recommend opening a ticket for discussion before starting implementation whenever a feature or change is sufficiently complex - for example when it touches multiple subsystems, requires architectural decisions, or the right approach is not yet clear. A ticket allows maintainers and the contributor to align on direction before code is written, avoiding wasted effort on a PR that may be rejected or require fundamental rework.
+
+### What this agent must never do
+
+- Open issues, submit pull requests, post review comments, or send security reports autonomously. Every contribution must be reviewed and submitted by a human.
+- Add `Signed-off-by` tags to commits. Only the human contributor can certify the Developer Certificate of Origin.
+- Generate or submit security reports without independent human verification. Report verified vulnerabilities via [HackerOne](https://hackerone.com/nextcloud), not as GitHub issues.
+- Write PR descriptions, review comments, or issue reports on behalf of the contributor. These must be in the contributor's own words.
+- Fully automate the resolution of issues labeled [`good first issue`](https://github.com/issues?q=org%3Anextcloud+label%3A%22good+first+issue%22) or similar beginner-friendly labels.
+- Submit code that has not been reviewed and cleaned up by the contributor. Dead code, redundant logic, excessive comments, and unrelated changes must be removed before submission.
+
 ## Baseline & tooling
 
 - PHP **8.2+**, Nextcloud server **35** (`appinfo/info.xml`). Code must stay portable

From 2dd554c2b9971e9d76a121cf80ea22a7479c4dcd Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 12 Jun 2026 15:20:25 +0200
Subject: [PATCH 3/7] chore(AI): Add info about frontend to AGENTS.md

Assisted-by: ClaudeCode:claude-fable-5
Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 AGENTS.md | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 140 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
index 3d93bfacde7..3745c857fbe 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,6 +2,7 @@
 
 Guidance for AI coding agents working in this repository. The PHP backend lives in
 `lib/`, integration tests in `tests/integration/` (Behat), unit tests in `tests/php/`.
+The Vue 3 frontend lives in `src/`, with frontend tests colocated as `*.spec.js`/`*.spec.ts`.
 
 ## Nextcloud Contribution Policy
 
@@ -155,3 +156,142 @@ Prioritized backlog; safe to pick up as standalone PRs.
     (e.g. the 1:1 name trick at `Room.php:248`); fix opportunistically.
 12. **Loose comparison** at `BackgroundJob/CheckCertificates.php:90` (`== null`) and
     `Command/Signaling/VerifyKeys.php:50` (`!=`).
+
+## Frontend baseline & tooling
+
+- Vue **3.5** + TypeScript, built with **rspack** (`rspack.config.js`), no Vite. State:
+  **Pinia** (`src/stores/`, target) and legacy **Vuex 4** (`src/store/`, being phased
+  out). UI components from `@nextcloud/vue` 9 — import via
+  `@nextcloud/vue/components/NcXxx` only, never `@nextcloud/vue/dist/...`.
+- Checks: `npm run lint` (eslint flat config), `npm run stylelint`,
+  `npm run ts:check` (vue-tsc), `npm run test` (vitest + @vue/test-utils v2; no jest).
+- OCS/API types are generated: `npm run ts:generate` (openapi-typescript) into
+  `src/types/openapi/` — regenerate instead of hand-editing after API changes.
+- No compat mode, no mixins, no `mapGetters`/`$set`/`::v-deep` — the Vue 2 → 3
+  migration removed these; do not reintroduce them.
+
+## Frontend conventions to follow (and the drift to avoid)
+
+These rules come from a 2026-06 technical-debt analysis of `src/`. Where the codebase
+has two patterns, **new code must use the modern one** listed first.
+
+### Components
+- New/rewritten SFCs use `<script setup lang="ts">` with `defineProps<T>()` and
+  `defineEmits<T>()`. ~141 of 198 SFCs are still Options API — don't add more, and
+  don't create the hybrid Options-API-plus-`setup()` style (`App.vue:81-244`,
+  `ChatView.vue:91-243` are debt, not templates).
+- Lifecycle/reactivity via imported `nextTick`/`watch`/`computed`, router via
+  `useRoute()`/`useRouter()` — already 100% migrated, keep it that way.
+
+### State management
+- New state goes in a **Pinia setup-style TS store** (`defineStore('x', () => {...})`,
+  see `src/stores/actor.ts`, `token.ts`). Don't add options-style stores and don't
+  add new JS stores (`integrations.js`, `reactions.js`, `sounds.js`, `talkHash.js`
+  are stragglers awaiting conversion).
+- **Never add state, getters, mutations, or actions to the Vuex modules**
+  (`src/store/conversationsStore.js`, `messagesStore.js`, `participantsStore.js`) —
+  they are migration targets. If a change forces you into them, keep it minimal and
+  flag it in the PR.
+- Don't add new Pinia ↔ Vuex coupling. Existing bridges (`stores/reactions.js`
+  committing Vuex mutations, `stores/chat.ts:97` reading raw Vuex state,
+  `stores/session.ts`/`breakoutRooms.ts` dispatching into Vuex, and `conversationsStore.js`
+  importing ten Pinia stores) are debt that each new link makes harder to unwind.
+- Instantiate stores lazily inside actions/setup (`useXStore()`), not at module level
+  with the pinia instance (`conversationsStore.js:82`, `participantsStore.js:47` are
+  the anti-pattern).
+- Stores synchronize through reactivity, not the EventBus.
+
+### Services & composables
+- New services and composables are TypeScript with **named function exports**
+  (8 of 38 services and 7 of 31 composables are still JS — convert when touching,
+  don't add more).
+- Error-handling split: **services throw** (bare axios calls, no try/catch, no UI);
+  **stores/composables catch** and surface with `showError(t('spreed', ...))` from
+  `@nextcloud/dialogs`. Don't show toasts from services
+  (`participantsService.js:37-50` is drift) or swallow errors with `console.debug`.
+- Use the typed OCS helpers from `src/types/index.ts` instead of new manual
+  `response.data.ocs.data` unwrapping.
+- URLs via `generateOcsUrl()` with `{token}` placeholders — never string
+  concatenation, never `OC.linkTo()` (last use: `src/collections.js:12`).
+- Translations: `t`/`n` imported from `@nextcloud/l10n`, variables interpolated via
+  placeholder objects, never concatenated. Date/time formatting goes through
+  `src/utils/formattedTime.ts` (Intl-based) — no moment.js.
+
+### EventBus
+- `src/services/EventBus.ts` (typed mitt) is for bridging the non-Vue
+  signaling/call layer into Vue. Don't use it for component-to-component UI
+  coordination (use props/provide-inject/store state) or store-to-store sync.
+  Register every new event in the `Events` type. `@nextcloud/event-bus`
+  (`subscribe`/`unsubscribe`) is only for cross-app events from the server.
+
+### Dialogs
+- Declarative `<NcDialog>` in the owning component's template is the target.
+  `spawnDialog()` only where no template context exists. `NcModal` for dialogs is
+  legacy (see the `FIXME: Align NcModal header with NcDialog` in `App.vue`).
+
+### Icons & loading states
+- Icons: `vue-material-design-icons` components, not legacy `icon-*` CSS classes
+  (~11 files remain, e.g. `PublicShareAuthSidebar.vue:15`).
+- Loading: `NcLoadingIcon`, not `icon-loading`/`icon-loading-small` divs.
+
+### Styling
+- Scoped styles with Nextcloud CSS variables (`var(--color-*)`); hardcoded colors
+  only for brand exceptions. Avoid new `:deep()` overrides of `@nextcloud/vue`
+  internals — the existing ~174 are a breakage hotspot on library bumps; prefer
+  component props/slots or an upstream issue.
+
+### Call layer (WebRTC/signaling)
+- `src/utils/webrtc/simplewebrtc/`, `src/utils/webrtc/models/`,
+  `src/utils/signaling.js` and `src/utils/EmitterMixin.js` are pre-Vue legacy
+  (function constructors, `util.inherits`, WildEmitter, `.bind(this)` handler
+  chains, promise chains). **Do not copy these patterns** — for new code in this
+  area use ES6 classes and async/await; `src/utils/media/pipeline/` is the style
+  template.
+- Don't add new manual model `.on()`/`.off()` subscriptions in components
+  (`CallView.vue:535/546` style); prefer a composable wrapper that handles cleanup.
+
+## Known frontend technical debt (2026-06 analysis)
+
+Prioritized backlog; larger items (1, 3) need a discussion ticket and a PR series.
+
+1. **Vuex → Pinia migration** — 3 modules, ~4,200 lines
+   (`conversationsStore.js` 1,377 / `messagesStore.js` 1,485 /
+   `participantsStore.js` 1,306) with bidirectional Pinia coupling and duplicated
+   reactions state (`messagesStore.js` mutations vs `stores/reactions.js`).
+   Finishing this also removes the non-atomic multi-store fan-out in
+   `deleteConversation` (`conversationsStore.js:404`) and the last `useStore()`
+   components (~23).
+2. **Deprecated WebRTC APIs** — `pc.addStream()` at
+   `src/utils/webrtc/simplewebrtc/peer.js:125`, `addstream`/`removestream` event
+   listeners at `peer.js:55-57` and `src/utils/e2ee/encryption.js:646`; removed from
+   the spec, migrate to `addTrack()`/`ontrack`.
+3. **Legacy call layer modernization** (~4,800 lines) — ES6-classify
+   `simplewebrtc/` (2,009 lines) and `webrtc/models/` (1,170 lines), replace
+   `EmitterMixin`/WildEmitter with `EventTarget`, convert `signaling.js`
+   (1,617 lines, 26 promise chains, zero async/await). Drops the `wildemitter`,
+   `util` and `mockconsole` dependencies as a side effect.
+4. **`crypto-js` → Web Crypto** — 8 files use it only for SHA hashing
+   (`prepareTemporaryMessage.ts`, `messagesService.ts`, `stores/session.ts`,
+   `store/participantsStore.js`, `AdminSettings/TurnServer.vue`, …);
+   `crypto.subtle.digest` is async, so call sites need small refactors.
+5. **`hark` (unmaintained)** — `media/pipeline/SpeakingMonitor.js`,
+   `composables/useDevices.js`; replace with native AnalyserNode/AudioWorklet.
+6. **Options API components** — 141 SFCs; migrate directory-by-directory, pulling
+   `defineProps<T>`/`defineEmits<T>` along. Self-contained starts: AdminSettings
+   (15/16 Options API), BreakoutRoomsEditor (4/4), Dashboard (3/3).
+7. **JS stragglers** — 8 services (`signalingService.js`, `participantsService.js`,
+   `BrowserStorage.js`, …), 7 composables (`useDevices.js`, `useIsInCall.js`, …),
+   4 Pinia stores; convert to TS when touched.
+8. **EventBus overreach** — UI-coordination events (`focus-message`,
+   `scroll-chat-to-bottom`) and store-sync listeners (`token.ts`/`session.ts` on
+   `signaling-join-room`, `upload.ts` lifecycle emits) should move to
+   reactivity/provide-inject; signaling fan-out stays.
+9. **`:deep()` overrides** — ~174 overrides of `@nextcloud/vue` internals; audit on
+   each library bump, upstream what's generally useful.
+10. **`@matrix-org/olm`** — deprecated upstream in favor of vodozemac; track for the
+    e2ee code (`src/utils/e2ee/`).
+11. **Misc** — legacy `icon-*` CSS classes (~11 files), `OC.linkTo()` in
+    `src/collections.js:12`, `cropperjs` v1 (+`vue-cropperjs`), `base64-js` in
+    `e2ee/encryption.js` (native `TextEncoder`/`Uint8Array` suffices),
+    `vue-material-design-icons` (421 imports — consider `@mdi/js` +
+    `NcIconSvgWrapper` for bundle size, low priority).

From 2fe651ab5485d97abf3d40c96320322b4056ea0b Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 12 Jun 2026 15:53:46 +0200
Subject: [PATCH 4/7] chore(AI): Extend agents.md with findings from other apps

Assisted-by: ClaudeCode:claude-fable-5
Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 AGENTS.md | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 65 insertions(+), 1 deletion(-)

diff --git a/AGENTS.md b/AGENTS.md
index 3745c857fbe..49496d379af 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,3 +1,7 @@
+<!--
+  - SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+  - SPDX-License-Identifier: AGPL-3.0-or-later
+-->
 # AGENTS.md — Nextcloud Talk (spreed)
 
 Guidance for AI coding agents working in this repository. The PHP backend lives in
@@ -35,13 +39,64 @@ All contributions generated or assisted by this agent must fully comply with:
 - PHP **8.2+**, Nextcloud server **35** (`appinfo/info.xml`). Code must stay portable
   across MariaDB, MySQL, PostgreSQL, SQLite, and Oracle — migrations, query-builder
   usage, and tests alike.
+- Setup: `composer i` and `npm ci`. Frontend builds: `npm run build` (production),
+  `npm run dev` / `npm run watch` (development).
 - `lib/Vendor/` is third-party code bundled via Mozart (`cuyz/valinor`,
   `firebase/php-jwt`). **Never edit or analyze it as project code.**
+- `l10n/` is generated from Transifex (the `fix(l10n): Update translations from
+  Transifex` commits). **Never hand-edit translation files.**
 - Checks: `composer cs:fix` (php-cs-fixer, Nextcloud coding standard),
   `composer psalm` (level 4, baseline in `tests/psalm-baseline.xml`),
   `composer rector:check`, `composer lint`.
 - OpenAPI: controller docblocks/psalm types in `lib/ResponseDefinitions.php` feed
-  `composer openapi`; regenerate after changing API signatures or responses.
+  `composer openapi`, which also regenerates the TypeScript types. Regenerate after
+  adding/removing/renaming a route, changing a controller method signature or its
+  `@param`/`@return`/psalm-shape annotations, changing a response shape in
+  `ResponseDefinitions.php`, or adding/removing an HTTP status code from a return
+  type. CI fails if the generated spec or `src/types/openapi/` is stale.
+
+## Running tests
+
+- PHP unit tests (PHPUnit, `tests/php/`): `composer run test:unit`. Single file:
+  `composer run test:unit -- tests/php/Service/AvatarServiceTest.php`; filter:
+  `composer run test:unit -- --filter="testMethodName"`.
+- `tests/php/bootstrap.php` requires `../../../../lib/base.php`: the suite only runs
+  when this repo lives at `<nextcloud-server>/apps/spreed` inside a configured server
+  checkout. **If you cannot run a test suite, say so explicitly rather than claiming
+  it passes** — `composer lint` and `composer psalm` work standalone and catch a lot.
+- Integration tests (Behat, `tests/integration/`): `tests/integration/run.sh` against
+  a configured local server, or `tests/integration/run-docker.sh` for a containerized
+  run.
+- Frontend tests: `npm run test` (vitest); single file via `npm run test -- <path>`.
+
+## License headers
+
+Every new file needs an SPDX header. Use `AGPL-3.0-or-later` — never
+`AGPL-3.0-only`:
+
+```php
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+```
+
+Adapt the comment style to the file type; files that cannot carry a header (e.g.
+binary assets) are covered via `REUSE.toml`. CI enforces REUSE compliance.
+
+## Git workflow
+
+- Do **not** commit or push unless explicitly asked. Leave changes in the working
+  directory, summarize what changed and why, and suggest a commit message.
+- Never commit on or push to `main` — use a descriptive feature branch following the
+  existing `type/issue-or-noid/short-description` pattern (e.g.
+  `fix/12345/handle-mcu-disconnect`, `chore/noid/start-agents-md`), not generated
+  names like `agent-xxxx`.
+- Commit messages follow Conventional Commits with a component scope, matching the
+  existing history: `feat(chat): …`, `fix(call): …`, `fix(api): …`,
+  `fix(settings): …`.
+- Backports to stable branches are done by the backport bot via a
+  `/backport to stable-X.Y` comment on the merged PR — don't cherry-pick manually.
 
 ## Conventions to follow (and the drift to avoid)
 
@@ -66,6 +121,12 @@ patterns, **new code must use the modern one** listed first.
   `lib/Model/SelectHelper.php`. Adding a Room/Participant column means touching the
   migration, `SelectHelper`, `Manager` hydration, and the constructor **in lockstep**.
 - Query builder only; no raw SQL outside migrations.
+- Build query-builder queries **outside** loops: use `$qb->createParameter('x')` as a
+  placeholder and `$qb->setParameter('x', $value, IQueryBuilder::PARAM_*)` inside the
+  loop. Chunk `IN ()` lists with `array_chunk(..., IQueryBuilder::MAX_IN_PARAMETERS)`
+  for Oracle compatibility (see `lib/Model/ThreadMapper.php:82`); accumulate chunk
+  results in an array and `array_merge(...$results)` once after the loop, never
+  inside it.
 
 ### Services & responsibility split
 - Reads/lookups: `lib/Manager.php`. Writes/mutations + event dispatch:
@@ -239,6 +300,9 @@ has two patterns, **new code must use the modern one** listed first.
   only for brand exceptions. Avoid new `:deep()` overrides of `@nextcloud/vue`
   internals — the existing ~174 are a breakage hotspot on library bumps; prefer
   component props/slots or an upstream issue.
+- Spacing and dimensions use the standard variables too — no magic numbers; use
+  `calc(x * var(--default-grid-baseline))` when finer control is needed. Reference:
+  https://docs.nextcloud.com/server/latest/developer_manual/html_css_design/css.html
 
 ### Call layer (WebRTC/signaling)
 - `src/utils/webrtc/simplewebrtc/`, `src/utils/webrtc/models/`,

From c7a34016bc9b429b6684b51b7402651c17f28779 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 12 Jun 2026 22:24:12 +0200
Subject: [PATCH 5/7] ci(workflows): Add AI policy action

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .github/workflows/ai-policy.yml | 172 ++++++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100644 .github/workflows/ai-policy.yml

diff --git a/.github/workflows/ai-policy.yml b/.github/workflows/ai-policy.yml
new file mode 100644
index 00000000000..4ddfe34775f
--- /dev/null
+++ b/.github/workflows/ai-policy.yml
@@ -0,0 +1,172 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+#
+# SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: MIT
+
+name: AI Policy
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [master, main]
+
+permissions:
+  contents: read
+  # Required to add the "AI assisted" label via `gh pr edit --add-label`
+  pull-requests: write
+  # Required to create the "AI assisted" label via the REST labels endpoint
+  # (labels are an issues-scoped resource in the GitHub API)
+  issues: write
+
+concurrency:
+  group: ai-policy-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check-ai-trailers:
+    runs-on: ubuntu-latest-low
+    steps:
+      - name: Collect PR commit messages
+        id: collect
+        env:
+          GH_TOKEN: ${{ github.token }}
+          COMMITS_URL: ${{ github.event.pull_request.commits_url }}
+        run: |
+          set -euo pipefail
+          gh api ${COMMITS_URL} | jq -r '.[] | .commit.message' > /tmp/pr_commits.txt
+          echo "--- PR commit messages ---"
+          cat /tmp/pr_commits.txt
+          echo "--------------------------"
+
+      - name: Define shared agent detection patterns
+        run: |
+          set -euo pipefail
+
+          # Email addresses known to be used by coding agents.
+          # These should never appear in Signed-off-by because the DCO can only be attested by a human.
+          EMAIL_PATTERN="copilot@github\.com\
+            |noreply@anthropic\.com\
+            |devin@cognition\.ai\
+            |devin@cognition-labs\.com\
+            |aider@aider\.chat\
+            |noreply@aider\.chat\
+            |codex@openai\.com\
+            |cursor@anysphere\.com\
+            |windsurf@codeium\.com\
+            |codeium@codeium\.com\
+            |amazon-q@amazon\.com\
+            |codewhisperer@amazon\.com\
+            |gemini-code-assist@google\.com\
+            |openhands@all-hands\.dev\
+            |swe-agent@princeton\.edu"
+
+          # Strip embedded whitespace (used above only for readability)
+          EMAIL_PATTERN=$(echo "$EMAIL_PATTERN" | tr -d ' \n')
+          echo "AGENT_EMAIL_PATTERN=${EMAIL_PATTERN}" >> "$GITHUB_ENV"
+
+          # Display-name prefixes used by known coding agents (shared by Signed-off-by and Co-Authored-By checks)
+          # shellcheck disable=SC2016
+          echo 'AGENT_NAMES=GitHub Copilot|Claude( [A-Za-z0-9. -]+)?|Devin( AI)?|aider( \(.*\))?|OpenAI Codex|Cursor( AI)?|Windsurf|Amazon Q|CodeWhisperer|Gemini Code Assist|OpenHands|SWE-agent|AutoCodeRover|Tabnine' >> "$GITHUB_ENV"
+
+      - name: Check for AI-assistant / Assisted-by trailers
+        id: ai_trailers
+        run: |
+          set -euo pipefail
+          AI_ASSISTED=false
+          if grep -qiE '^(AI-assistant|Assisted-by|AI-Assisted-By):' /tmp/pr_commits.txt; then
+            AI_ASSISTED=true
+            echo "Found AI-assistant/Assisted-by/AI-Assisted-By trailer(s):"
+            grep -iE '^(AI-assistant|Assisted-by|AI-Assisted-By):' /tmp/pr_commits.txt
+          fi
+          echo "ai_assisted=${AI_ASSISTED}" >> "$GITHUB_OUTPUT"
+
+      - name: Check for coding-agent Signed-off-by trailers
+        id: agent_signoff
+        run: |
+          set -euo pipefail
+
+          EMAIL_HITS=$(grep -iE "^Signed-off-by:.*<(${AGENT_EMAIL_PATTERN})>" /tmp/pr_commits.txt 2>/dev/null || true)
+          NAME_HITS=$(grep -iE "^Signed-off-by: *(${AGENT_NAMES}) *[<(]" /tmp/pr_commits.txt 2>/dev/null || true)
+
+          AGENT_LINES=$(printf '%s\n%s' "$EMAIL_HITS" "$NAME_HITS" | sort -u | sed '/^[[:space:]]*$/d')
+
+          AGENT_SIGNOFF=false
+          if [ -n "$AGENT_LINES" ]; then
+            AGENT_SIGNOFF=true
+          fi
+
+          echo "agent_signoff=${AGENT_SIGNOFF}" >> "$GITHUB_OUTPUT"
+          {
+            echo "agent_lines<<AGENT_EOF"
+            echo "${AGENT_LINES}"
+            echo "AGENT_EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Check for coding-agent Co-Authored-By trailers
+        id: co_authored
+        run: |
+          set -euo pipefail
+
+          EMAIL_HITS=$(grep -iE "^Co-Authored-By:.*<(${AGENT_EMAIL_PATTERN})>" /tmp/pr_commits.txt 2>/dev/null || true)
+          NAME_HITS=$(grep -iE "^Co-Authored-By: *(${AGENT_NAMES}) *[<(]" /tmp/pr_commits.txt 2>/dev/null || true)
+
+          CO_AUTHORED=false
+          if [ -n "$EMAIL_HITS" ] || [ -n "$NAME_HITS" ]; then
+            CO_AUTHORED=true
+            echo "Found coding-agent Co-Authored-By trailer(s):"
+            printf '%s\n%s' "$EMAIL_HITS" "$NAME_HITS" | sort -u | sed '/^[[:space:]]*$/d'
+          fi
+
+          echo "co_authored=${CO_AUTHORED}" >> "$GITHUB_OUTPUT"
+
+      - name: Create 'AI assisted' label if absent
+        if: steps.ai_trailers.outputs.ai_assisted == 'true' || steps.agent_signoff.outputs.agent_signoff == 'true' || steps.co_authored.outputs.co_authored == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api "repos/${{ github.repository }}/labels" \
+            --method POST \
+            -f name="AI assisted" \
+            -f color="d93f0b" \
+            -f description="This PR contains AI-assisted commits" \
+            2>/dev/null || true
+
+      - name: Label PR as AI assisted
+        if: steps.ai_trailers.outputs.ai_assisted == 'true' || steps.agent_signoff.outputs.agent_signoff == 'true' || steps.co_authored.outputs.co_authored == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr edit "${{ github.event.pull_request.number }}" \
+            --repo "${{ github.repository }}" \
+            --add-label "AI assisted"
+          echo "Added 'AI assisted' label to PR #${{ github.event.pull_request.number }}"
+
+      - name: Fail on coding-agent Signed-off-by
+        if: steps.agent_signoff.outputs.agent_signoff == 'true'
+        env:
+          AGENT_LINES: ${{ steps.agent_signoff.outputs.agent_lines }}
+          AGENTS_MD_URL: https://github.com/${{ github.repository }}/blob/${{ github.base_ref }}/AGENTS.md
+        run: |
+          echo "::error title=Coding-agent sign-off detected::A Signed-off-by trailer from a known coding agent was found in one or more commits."
+          echo ""
+          echo "Offending trailer(s):"
+          echo "${AGENT_LINES}"
+          echo ""
+          echo "The 'Signed-off-by' trailer represents the Developer Certificate of Origin (DCO)"
+          echo "and must only be attested by a human contributor."
+          echo "Please amend the affected commit(s) to remove the coding-agent sign-off"
+          echo "and replace it with an 'Assisted-by' trailer, for example:"
+          echo ""
+          echo "  Assisted-by: Claude Code:claude-sonnet-4-6"
+          echo ""
+          echo "References:"
+          echo "  • AGENTS.md (this repository)"
+          echo "    ${AGENTS_MD_URL}"
+          echo "  • AI Contribution Policy"
+          echo "    https://github.com/nextcloud/.github/blob/master/AI_POLICY.md"
+          echo "  • Contribution Guidelines"
+          echo "    https://github.com/nextcloud/.github/blob/master/CONTRIBUTING.md"
+          exit 1

From e7939d1493ec01c2198496d82d553a26612a3ad8 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 15 Jun 2026 18:09:15 +0200
Subject: [PATCH 6/7] docs(AI): Update after review

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 AGENTS.md | 64 ++++++++++++++++++++++++++-----------------------------
 1 file changed, 30 insertions(+), 34 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 49496d379af..dd72daca1da 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -20,7 +20,7 @@ All contributions generated or assisted by this agent must fully comply with:
 - Add an `Assisted-by: AGENT_NAME:MODEL_VERSION` git trailer to every commit containing AI-assisted content.
 - Ensure every pull request includes a disclosure of AI tool use in the PR description.
 - Produce focused, scoped pull requests that address exactly one concern. Do not touch unrelated files or introduce incidental refactors.
-- Verify all dependencies against actual package registries before suggesting them. Do not use hallucinated or unverified package names.
+- Verify all dependencies against actual package registries before suggesting them.
 - Explicitly inform the contributor when any action they are about to take, or have taken, would violate the AI Contribution Policy or the Contribution Guidelines. Do not silently proceed. State which rule is at risk and what the contributor should do instead.
 - Warn the contributor if a pull request is growing too large. A PR approaching several thousand lines of changed code is a signal that it should be split into smaller, focused PRs. Suggest a logical split before the PR is opened, not after.
 - Recommend opening a ticket for discussion before starting implementation whenever a feature or change is sufficiently complex - for example when it touches multiple subsystems, requires architectural decisions, or the right approach is not yet clear. A ticket allows maintainers and the contributor to align on direction before code is written, avoiding wasted effort on a PR that may be rejected or require fundamental rework.
@@ -36,18 +36,20 @@ All contributions generated or assisted by this agent must fully comply with:
 
 ## Baseline & tooling
 
-- PHP **8.2+**, Nextcloud server **35** (`appinfo/info.xml`). Code must stay portable
+### General
+- `l10n/` is generated from Transifex (the `fix(l10n): Update translations from
+  Transifex` commits). **Never hand-edit translation files.**
+
+### Backend
+- Info: PHP **8.2+**, Nextcloud server **35** (`appinfo/info.xml`). Code must stay portable
   across MariaDB, MySQL, PostgreSQL, SQLite, and Oracle — migrations, query-builder
   usage, and tests alike.
-- Setup: `composer i` and `npm ci`. Frontend builds: `npm run build` (production),
-  `npm run dev` / `npm run watch` (development).
+- Setup: `composer i`
 - `lib/Vendor/` is third-party code bundled via Mozart (`cuyz/valinor`,
   `firebase/php-jwt`). **Never edit or analyze it as project code.**
-- `l10n/` is generated from Transifex (the `fix(l10n): Update translations from
-  Transifex` commits). **Never hand-edit translation files.**
 - Checks: `composer cs:fix` (php-cs-fixer, Nextcloud coding standard),
   `composer psalm` (level 4, baseline in `tests/psalm-baseline.xml`),
-  `composer rector:check`, `composer lint`.
+  `composer rector:fix`, `composer lint`.
 - OpenAPI: controller docblocks/psalm types in `lib/ResponseDefinitions.php` feed
   `composer openapi`, which also regenerates the TypeScript types. Regenerate after
   adding/removing/renaming a route, changing a controller method signature or its
@@ -55,6 +57,19 @@ All contributions generated or assisted by this agent must fully comply with:
   `ResponseDefinitions.php`, or adding/removing an HTTP status code from a return
   type. CI fails if the generated spec or `src/types/openapi/` is stale.
 
+### Frontend
+- Info: Vue **3.5** + TypeScript, built with **rspack** (`rspack.config.js`), no Vite. State:
+  **Pinia** (`src/stores/`, target) and legacy **Vuex 4** (`src/store/`, being phased
+  out). UI components from `@nextcloud/vue` only.
+- Setup: `npm ci`. Frontend builds: `npm run build` (production),
+  `npm run dev` / `npm run watch` (development).
+- Checks: `npm run lint:fix` (ESLint), `npm run stylelint`,
+  `npm run ts:check` (TS typecheck), `npm run test` (vitest + @vue/test-utils v2; no jest).
+- OCS/API types are generated: `npm run ts:generate` (openapi-typescript) into
+  `src/types/openapi/` — regenerate instead of hand-editing after API changes.
+- No compat mode, no mixins, no `mapGetters`/`$set`/`::v-deep` — the Vue 2 → 3
+  migration removed these; do not reintroduce them.
+
 ## Running tests
 
 - PHP unit tests (PHPUnit, `tests/php/`): `composer run test:unit`. Single file:
@@ -178,9 +193,7 @@ patterns, **new code must use the modern one** listed first.
   backed enums for new value sets; bitflags (`Attendee::PERMISSIONS_*`,
   `Participant::FLAG_*`) stay int constants.
 
-## Known technical debt (2026-06 analysis)
-
-Prioritized backlog; safe to pick up as standalone PRs.
+## Known backend technical debt (2026-06 analysis)
 
 1. **`\OC_Util::tearDownFS()/setupFS()`** at `lib/Chat/Parser/SystemMessage.php:990-992`
    — last private-server-API usage; the only real forward-compat risk. Replace with a
@@ -218,19 +231,6 @@ Prioritized backlog; safe to pick up as standalone PRs.
 12. **Loose comparison** at `BackgroundJob/CheckCertificates.php:90` (`== null`) and
     `Command/Signaling/VerifyKeys.php:50` (`!=`).
 
-## Frontend baseline & tooling
-
-- Vue **3.5** + TypeScript, built with **rspack** (`rspack.config.js`), no Vite. State:
-  **Pinia** (`src/stores/`, target) and legacy **Vuex 4** (`src/store/`, being phased
-  out). UI components from `@nextcloud/vue` 9 — import via
-  `@nextcloud/vue/components/NcXxx` only, never `@nextcloud/vue/dist/...`.
-- Checks: `npm run lint` (eslint flat config), `npm run stylelint`,
-  `npm run ts:check` (vue-tsc), `npm run test` (vitest + @vue/test-utils v2; no jest).
-- OCS/API types are generated: `npm run ts:generate` (openapi-typescript) into
-  `src/types/openapi/` — regenerate instead of hand-editing after API changes.
-- No compat mode, no mixins, no `mapGetters`/`$set`/`::v-deep` — the Vue 2 → 3
-  migration removed these; do not reintroduce them.
-
 ## Frontend conventions to follow (and the drift to avoid)
 
 These rules come from a 2026-06 technical-debt analysis of `src/`. Where the codebase
@@ -238,11 +238,7 @@ has two patterns, **new code must use the modern one** listed first.
 
 ### Components
 - New/rewritten SFCs use `<script setup lang="ts">` with `defineProps<T>()` and
-  `defineEmits<T>()`. ~141 of 198 SFCs are still Options API — don't add more, and
-  don't create the hybrid Options-API-plus-`setup()` style (`App.vue:81-244`,
-  `ChatView.vue:91-243` are debt, not templates).
-- Lifecycle/reactivity via imported `nextTick`/`watch`/`computed`, router via
-  `useRoute()`/`useRouter()` — already 100% migrated, keep it that way.
+  `defineEmits<T>()`.
 
 ### State management
 - New state goes in a **Pinia setup-style TS store** (`defineStore('x', () => {...})`,
@@ -270,8 +266,8 @@ has two patterns, **new code must use the modern one** listed first.
   **stores/composables catch** and surface with `showError(t('spreed', ...))` from
   `@nextcloud/dialogs`. Don't show toasts from services
   (`participantsService.js:37-50` is drift) or swallow errors with `console.debug`.
-- Use the typed OCS helpers from `src/types/index.ts` instead of new manual
-  `response.data.ocs.data` unwrapping.
+- Use the type definitions from `src/types/index.ts` for services, API endpoints
+  and internal logic in TS files
 - URLs via `generateOcsUrl()` with `{token}` placeholders — never string
   concatenation, never `OC.linkTo()` (last use: `src/collections.js:12`).
 - Translations: `t`/`n` imported from `@nextcloud/l10n`, variables interpolated via
@@ -296,13 +292,15 @@ has two patterns, **new code must use the modern one** listed first.
 - Loading: `NcLoadingIcon`, not `icon-loading`/`icon-loading-small` divs.
 
 ### Styling
+- For CSS variables only use variables defined in `apps/theming/css/default.css`
 - Scoped styles with Nextcloud CSS variables (`var(--color-*)`); hardcoded colors
   only for brand exceptions. Avoid new `:deep()` overrides of `@nextcloud/vue`
   internals — the existing ~174 are a breakage hotspot on library bumps; prefer
   component props/slots or an upstream issue.
 - Spacing and dimensions use the standard variables too — no magic numbers; use
-  `calc(x * var(--default-grid-baseline))` when finer control is needed. Reference:
-  https://docs.nextcloud.com/server/latest/developer_manual/html_css_design/css.html
+  `calc(x * var(--default-grid-baseline))` when finer control is needed.
+- For wording of translated strings stick to the rules mentioned in
+  https://docs.nextcloud.com/server/latest/developer_manual/design/writing.html
 
 ### Call layer (WebRTC/signaling)
 - `src/utils/webrtc/simplewebrtc/`, `src/utils/webrtc/models/`,
@@ -316,8 +314,6 @@ has two patterns, **new code must use the modern one** listed first.
 
 ## Known frontend technical debt (2026-06 analysis)
 
-Prioritized backlog; larger items (1, 3) need a discussion ticket and a PR series.
-
 1. **Vuex → Pinia migration** — 3 modules, ~4,200 lines
    (`conversationsStore.js` 1,377 / `messagesStore.js` 1,485 /
    `participantsStore.js` 1,306) with bidirectional Pinia coupling and duplicated

From eba5516675852526d6c484bb23a5664ab01a9403 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 15 Jun 2026 18:23:22 +0200
Subject: [PATCH 7/7] docs(AI): Optimize Agents.md

Assisted-by: ClaudeCode:claude-opus-4-8
Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 AGENTS.md | 419 ++++++++++++------------------------------------------
 1 file changed, 94 insertions(+), 325 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index dd72daca1da..4ee91aab232 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -4,90 +4,54 @@
 -->
 # AGENTS.md — Nextcloud Talk (spreed)
 
-Guidance for AI coding agents working in this repository. The PHP backend lives in
-`lib/`, integration tests in `tests/integration/` (Behat), unit tests in `tests/php/`.
-The Vue 3 frontend lives in `src/`, with frontend tests colocated as `*.spec.js`/`*.spec.ts`.
+Guidance for AI coding agents in this repo. PHP backend in `lib/`, Behat integration tests in `tests/integration/`, unit tests in `tests/php/`. Vue 3 + TS frontend in `src/`, tests colocated as `*.spec.js`/`*.spec.ts`.
 
-## Nextcloud Contribution Policy
+## Contribution policy
 
-All contributions generated or assisted by this agent must fully comply with:
+Comply with the [AI Contribution Policy](https://github.com/nextcloud/.github/blob/master/AI_POLICY.md) (disclosure, accountability, security, licensing, code quality, autonomous behavior) and [Contribution Guidelines](https://github.com/nextcloud/.github/blob/master/CONTRIBUTING.md) (testing, DCO, license headers, conventional commits, translations).
 
-- **[AI Contribution Policy](https://github.com/nextcloud/.github/blob/master/AI_POLICY.md)** - the primary reference for AI-specific rules, covering disclosure, author accountability, communication, security, licensing, code quality, and autonomous agent behavior.
-- **[Contribution Guidelines](https://github.com/nextcloud/.github/blob/master/CONTRIBUTING.md)** - covering testing requirements, the Developer Certificate of Origin (DCO), license headers, conventional commits, and translations. These apply in full to all contributions regardless of how they were produced.
+**Always:**
+- Add an `Assisted-by: AGENT_NAME:MODEL_VERSION` trailer to every AI-assisted commit.
+- Disclose AI tool use in every PR description.
+- Keep PRs focused on one concern; no unrelated files or incidental refactors.
+- Verify dependencies exist in real package registries.
+- Tell the contributor when an action would violate the policy/guidelines — name the rule and the alternative; never silently proceed.
+- Warn before a PR grows too large (approaching several thousand lines) and suggest a split.
+- Recommend a discussion ticket before complex changes (multiple subsystems, architectural decisions, unclear approach).
 
-### What this agent must always do
-
-- Add an `Assisted-by: AGENT_NAME:MODEL_VERSION` git trailer to every commit containing AI-assisted content.
-- Ensure every pull request includes a disclosure of AI tool use in the PR description.
-- Produce focused, scoped pull requests that address exactly one concern. Do not touch unrelated files or introduce incidental refactors.
-- Verify all dependencies against actual package registries before suggesting them.
-- Explicitly inform the contributor when any action they are about to take, or have taken, would violate the AI Contribution Policy or the Contribution Guidelines. Do not silently proceed. State which rule is at risk and what the contributor should do instead.
-- Warn the contributor if a pull request is growing too large. A PR approaching several thousand lines of changed code is a signal that it should be split into smaller, focused PRs. Suggest a logical split before the PR is opened, not after.
-- Recommend opening a ticket for discussion before starting implementation whenever a feature or change is sufficiently complex - for example when it touches multiple subsystems, requires architectural decisions, or the right approach is not yet clear. A ticket allows maintainers and the contributor to align on direction before code is written, avoiding wasted effort on a PR that may be rejected or require fundamental rework.
-
-### What this agent must never do
-
-- Open issues, submit pull requests, post review comments, or send security reports autonomously. Every contribution must be reviewed and submitted by a human.
-- Add `Signed-off-by` tags to commits. Only the human contributor can certify the Developer Certificate of Origin.
-- Generate or submit security reports without independent human verification. Report verified vulnerabilities via [HackerOne](https://hackerone.com/nextcloud), not as GitHub issues.
-- Write PR descriptions, review comments, or issue reports on behalf of the contributor. These must be in the contributor's own words.
-- Fully automate the resolution of issues labeled [`good first issue`](https://github.com/issues?q=org%3Anextcloud+label%3A%22good+first+issue%22) or similar beginner-friendly labels.
-- Submit code that has not been reviewed and cleaned up by the contributor. Dead code, redundant logic, excessive comments, and unrelated changes must be removed before submission.
+**Never:**
+- Open issues, submit PRs, post review comments, or send security reports autonomously — a human submits every contribution.
+- Add `Signed-off-by` tags (only the human certifies the DCO).
+- Submit unverified security reports; report verified ones via [HackerOne](https://hackerone.com/nextcloud), not GitHub issues.
+- Write PR descriptions, review comments, or issue reports for the contributor — these must be in their own words.
+- Fully automate resolution of [`good first issue`](https://github.com/issues?q=org%3Anextcloud+label%3A%22good+first+issue%22)-style issues.
+- Submit unreviewed code — remove dead code, redundant logic, excessive comments, and unrelated changes first.
 
 ## Baseline & tooling
 
-### General
-- `l10n/` is generated from Transifex (the `fix(l10n): Update translations from
-  Transifex` commits). **Never hand-edit translation files.**
+- `l10n/` is generated from Transifex (`fix(l10n): Update translations…` commits). **Never hand-edit translation files.**
 
-### Backend
-- Info: PHP **8.2+**, Nextcloud server **35** (`appinfo/info.xml`). Code must stay portable
-  across MariaDB, MySQL, PostgreSQL, SQLite, and Oracle — migrations, query-builder
-  usage, and tests alike.
-- Setup: `composer i`
-- `lib/Vendor/` is third-party code bundled via Mozart (`cuyz/valinor`,
-  `firebase/php-jwt`). **Never edit or analyze it as project code.**
-- Checks: `composer cs:fix` (php-cs-fixer, Nextcloud coding standard),
-  `composer psalm` (level 4, baseline in `tests/psalm-baseline.xml`),
-  `composer rector:fix`, `composer lint`.
-- OpenAPI: controller docblocks/psalm types in `lib/ResponseDefinitions.php` feed
-  `composer openapi`, which also regenerates the TypeScript types. Regenerate after
-  adding/removing/renaming a route, changing a controller method signature or its
-  `@param`/`@return`/psalm-shape annotations, changing a response shape in
-  `ResponseDefinitions.php`, or adding/removing an HTTP status code from a return
-  type. CI fails if the generated spec or `src/types/openapi/` is stale.
+**Backend:** PHP **8.2+**, Nextcloud server **35** (`appinfo/info.xml`). Stay portable across MariaDB, MySQL, PostgreSQL, SQLite, Oracle (migrations, query builder, tests).
+- Setup: `composer i`. `lib/Vendor/` is Mozart-bundled third-party code (`cuyz/valinor`, `firebase/php-jwt`) — **never edit or analyze it.**
+- Checks: `composer cs:fix`, `composer psalm`, `composer rector:fix`, `composer lint`.
+- OpenAPI: docblocks/psalm types + `lib/ResponseDefinitions.php` feed `composer openapi` (also regenerates TS types). Regenerate after adding/removing/renaming a route, changing a controller signature or its `@param`/`@return`/psalm-shape, changing a response shape, or adding/removing an HTTP status code. CI fails on a stale spec or `src/types/openapi/`.
 
-### Frontend
-- Info: Vue **3.5** + TypeScript, built with **rspack** (`rspack.config.js`), no Vite. State:
-  **Pinia** (`src/stores/`, target) and legacy **Vuex 4** (`src/store/`, being phased
-  out). UI components from `@nextcloud/vue` only.
-- Setup: `npm ci`. Frontend builds: `npm run build` (production),
-  `npm run dev` / `npm run watch` (development).
-- Checks: `npm run lint:fix` (ESLint), `npm run stylelint`,
-  `npm run ts:check` (TS typecheck), `npm run test` (vitest + @vue/test-utils v2; no jest).
-- OCS/API types are generated: `npm run ts:generate` (openapi-typescript) into
-  `src/types/openapi/` — regenerate instead of hand-editing after API changes.
-- No compat mode, no mixins, no `mapGetters`/`$set`/`::v-deep` — the Vue 2 → 3
-  migration removed these; do not reintroduce them.
+**Frontend:** Vue **3.5** + TypeScript, built with **rspack** (no Vite). State: **Pinia** (`src/stores/`, target) and legacy **Vuex 4** (`src/store/`, being phased out). UI components from `@nextcloud/vue` only.
+- Setup: `npm ci`. Build: `npm run build` (prod), `npm run dev`/`npm run watch`.
+- Checks: `npm run lint:fix`, `npm run stylelint`, `npm run ts:check`, `npm run test` (vitest + @vue/test-utils v2; no jest).
+- OCS/API types generated via `npm run ts:generate` (openapi-typescript) into `src/types/openapi/` — regenerate, don't hand-edit.
+- No compat mode, mixins, `mapGetters`/`$set`/`::v-deep` — removed in the Vue 2→3 migration; don't reintroduce.
 
 ## Running tests
 
-- PHP unit tests (PHPUnit, `tests/php/`): `composer run test:unit`. Single file:
-  `composer run test:unit -- tests/php/Service/AvatarServiceTest.php`; filter:
-  `composer run test:unit -- --filter="testMethodName"`.
-- `tests/php/bootstrap.php` requires `../../../../lib/base.php`: the suite only runs
-  when this repo lives at `<nextcloud-server>/apps/spreed` inside a configured server
-  checkout. **If you cannot run a test suite, say so explicitly rather than claiming
-  it passes** — `composer lint` and `composer psalm` work standalone and catch a lot.
-- Integration tests (Behat, `tests/integration/`): `tests/integration/run.sh` against
-  a configured local server, or `tests/integration/run-docker.sh` for a containerized
-  run.
-- Frontend tests: `npm run test` (vitest); single file via `npm run test -- <path>`.
+- PHP unit (`tests/php/`): `composer run test:unit`. Single file: `composer run test:unit -- tests/php/Service/AvatarServiceTest.php`; filter: `composer run test:unit -- --filter="testMethodName"`.
+- `tests/php/bootstrap.php` requires `../../../../lib/base.php`: the suite only runs when this repo lives at `<nextcloud-server>/apps/spreed`. **If you cannot run a suite, say so — don't claim it passes.** `composer lint`/`composer psalm` run standalone.
+- Integration (Behat, `tests/integration/`): `run.sh` against a local server, or `run-docker.sh`.
+- Frontend: `npm run test`; single file via `npm run test -- <path>`.
 
 ## License headers
 
-Every new file needs an SPDX header. Use `AGPL-3.0-or-later` — never
-`AGPL-3.0-only`:
+Every new file needs an SPDX header. Use `AGPL-3.0-or-later`, never `AGPL-3.0-only`:
 
 ```php
 /**
@@ -96,262 +60,67 @@ Every new file needs an SPDX header. Use `AGPL-3.0-or-later` — never
  */
 ```
 
-Adapt the comment style to the file type; files that cannot carry a header (e.g.
-binary assets) are covered via `REUSE.toml`. CI enforces REUSE compliance.
+Adapt the comment style to the file type; files that can't carry a header (binary assets) go in `REUSE.toml`. CI enforces REUSE.
 
 ## Git workflow
 
-- Do **not** commit or push unless explicitly asked. Leave changes in the working
-  directory, summarize what changed and why, and suggest a commit message.
-- Never commit on or push to `main` — use a descriptive feature branch following the
-  existing `type/issue-or-noid/short-description` pattern (e.g.
-  `fix/12345/handle-mcu-disconnect`, `chore/noid/start-agents-md`), not generated
-  names like `agent-xxxx`.
-- Commit messages follow Conventional Commits with a component scope, matching the
-  existing history: `feat(chat): …`, `fix(call): …`, `fix(api): …`,
-  `fix(settings): …`.
-- Backports to stable branches are done by the backport bot via a
-  `/backport to stable-X.Y` comment on the merged PR — don't cherry-pick manually.
-
-## Conventions to follow (and the drift to avoid)
-
-These rules come from a 2026-06 technical-debt analysis. Where the codebase has two
-patterns, **new code must use the modern one** listed first.
-
-### Dependency injection
-- Constructor injection with property promotion everywhere. Do **not** add new
-  `\OCP\Server::get()` calls; the existing ones are debt:
-  - `lib/Room.php:231-332` — four `// TODO use DI` service-locator blocks (the domain
-    model pulls `ParticipantService`/`RoomService`/`Manager` from the container;
-    `getName()` even writes to the DB). Do not extend this pattern.
-  - Controllers contain ~42 `Server::get()` calls to instantiate federation proxy
-    controllers (`ChatController` alone has 13) — tolerated pattern, don't add more
-    variants of it.
-
-### Data access
-- New persisted entities use `QBMapper` + `SnowflakeAwareEntity` in `lib/Model/` (see `ConversationTag`,
-  `ScheduledMessage` as templates).
-- `Room` and `Participant` are **not** Entities: they are hydrated by hand in
-  `Manager::createRoomObject()` (`lib/Manager.php:127`) from columns aliased in
-  `lib/Model/SelectHelper.php`. Adding a Room/Participant column means touching the
-  migration, `SelectHelper`, `Manager` hydration, and the constructor **in lockstep**.
-- Query builder only; no raw SQL outside migrations.
-- Build query-builder queries **outside** loops: use `$qb->createParameter('x')` as a
-  placeholder and `$qb->setParameter('x', $value, IQueryBuilder::PARAM_*)` inside the
-  loop. Chunk `IN ()` lists with `array_chunk(..., IQueryBuilder::MAX_IN_PARAMETERS)`
-  for Oracle compatibility (see `lib/Model/ThreadMapper.php:82`); accumulate chunk
-  results in an array and `array_merge(...$results)` once after the loop, never
-  inside it.
-
-### Services & responsibility split
-- Reads/lookups: `lib/Manager.php`. Writes/mutations + event dispatch:
-  `lib/Service/RoomService.php` / `ParticipantService.php`. Keep that split.
-- New service classes go in `lib/Service/` with a `*Service` name. The lib-root
-  `GuestManager`, `MatterbridgeManager` and `lib/Chat/ChatManager` are legacy naming —
-  don't copy that layout.
-- Use the newer modules (`lib/Federation/`, `lib/Service/RecordingService.php`,
-  `lib/Service/BotService.php`, `lib/RoomPresets/`) as style templates, not the
-  2016-era core.
-
-### Error signaling
-- Lookups throw domain exceptions (`RoomNotFoundException`,
-  `ParticipantNotFoundException` — `lib/Exceptions/`).
-- Idempotent setters may return `bool` (false = no-op/invalid), e.g.
-  `RoomService::setPermissions()`. Don't return `null`/`false` for "not found".
-
-### Events
-- Typed events only (`IEventDispatcher::dispatchTyped()`), extending the `A`-prefixed
-  abstract bases in `lib/Events/`, with `Before*`/`*` pairs for mutations. Listeners
-  are registered in `lib/AppInfo/Application.php`. No string-based events or hooks.
-
-### Controllers & API
-- OCS controllers needing room/participant context extend
-  `AEnvironmentAwareOCSController` (populated by `InjectionMiddleware` via the
-  `#[RequireRoom]`-style attributes in `lib/Middleware/Attribute/`); others extend
-  `OCSController` directly.
-- PHP attributes only (`#[NoAdminRequired]`, `#[PublicPage]`,
-  `#[BruteForceProtection]`, `#[ApiRoute]`) — never docblock annotations.
-- Responses are `DataResponse` with psalm type shapes from `ResponseDefinitions.php`.
-
-### Config
-- Talk settings go through the `lib/Config.php` facade; `lib/ConfigLexicon.php`
-  (currently `Strictness::IGNORE`, only 2 user-preference entries) is the emerging
-  registry — register new app-config keys there as well.
-
-### Caching
-- Cache prefixes belong in `lib/CachePrefix.php`. Known drift: `hpb_servers` lacks the
-  `talk/` prefix and `Capabilities.php` uses a raw `'talk::'` string — don't add more
-  ad-hoc prefixes.
-
-### PHP style
-- Strict comparisons, `?Type` nullables, `match` over `switch`, `str_contains`/
-  `str_starts_with` over `strpos`/`substr` checks, `readonly` where applicable,
-  arrow functions, `JSON_THROW_ON_ERROR` on new `json_encode`/`json_decode` calls.
-- Only two native enums exist (`lib/RoomAttributes.php`,
-  `lib/RoomPresets/Parameter.php`); the domain otherwise uses int constant groups
-  (`Room::TYPE_*`, `Participant::OWNER/...`, `Attendee::ACTOR_*`, …). Prefer native
-  backed enums for new value sets; bitflags (`Attendee::PERMISSIONS_*`,
-  `Participant::FLAG_*`) stay int constants.
-
-## Known backend technical debt (2026-06 analysis)
-
-1. **`\OC_Util::tearDownFS()/setupFS()`** at `lib/Chat/Parser/SystemMessage.php:990-992`
-   — last private-server-API usage; the only real forward-compat risk. Replace with a
-   public API for per-user filesystem context.
-2. **`Room.php` service locators** (`lib/Room.php:231-332`) — move 1:1 name
-   resolution, display-name and last-message loading out of the model into
-   `Manager`/formatter code; removes the `Room ↔ RoomService` cycle and a
-   getter-with-DB-write.
-3. **Enum migration** — convert the constant groups above to native backed enums,
-   group by group, keeping `->value` at OCS/DB boundaries.
-4. **Room/Participant hydration** — introduce a mapper that owns the
-   `SelectHelper` ⇄ constructor column mapping currently spread over three files.
-5. **Stale "temporary" code** — 15× `FIXME Temporary solution for the Talk6 release`
-   in `lib/Manager.php` (Talk 6 shipped 2019): decide permanent vs repair-step and
-   delete the comments. Likewise `Room::OBJECT_TYPE_PHONE_LEGACY` (`@deprecated`) is
-   still consumed in 5 places (`Notification/Notifier.php:1095`,
-   `Service/AvatarService.php:265`, `Controller/RoomController.php:767`,
-   `Service/RoomService.php:192`, `Listener/RestrictStartingCalls.php:57`).
-6. **God classes** — `Controller/RoomController.php` (~3.3k lines, 63 endpoints),
-   `Controller/ChatController.php` (~2.6k), `Service/ParticipantService.php` (~2.4k;
-   a `SessionService` would split out naturally), `Service/RoomService.php`,
-   `Manager.php`. Don't grow them; extract when touching related code.
-7. **Copy-paste `BackendNotifier`s** — `Signaling/`, `Recording/`, `Federation/`
-   share the `doRequest()` + retry + `PHPUNIT_RUN` boilerplate; extract a base class.
-8. **`MatterbridgeManager`** — 16-branch elseif chain in `generateConfig()` (~line
-   337), remaining `is_null()` calls and `strpos`/`substr` clusters; oldest-style file
-   in the repo.
-9. **Tests** — pyramid is inverted (~61 unit-test files vs huge Behat suite); core
-   domain is only covered end-to-end. Unit tests still use `@dataProvider`
-   annotations — migrate to `#[DataProvider]` attributes before the next PHPUnit bump.
-10. **Static analysis headroom** — psalm level 4 with `findUnusedCode="false"` and a
-    ~200-line baseline; tightening would surface hidden debt.
-11. **`json_encode`/`json_decode`** — ~164 of 193 calls lack `JSON_THROW_ON_ERROR`
-    (e.g. the 1:1 name trick at `Room.php:248`); fix opportunistically.
-12. **Loose comparison** at `BackgroundJob/CheckCertificates.php:90` (`== null`) and
-    `Command/Signaling/VerifyKeys.php:50` (`!=`).
-
-## Frontend conventions to follow (and the drift to avoid)
-
-These rules come from a 2026-06 technical-debt analysis of `src/`. Where the codebase
-has two patterns, **new code must use the modern one** listed first.
-
-### Components
-- New/rewritten SFCs use `<script setup lang="ts">` with `defineProps<T>()` and
-  `defineEmits<T>()`.
-
-### State management
-- New state goes in a **Pinia setup-style TS store** (`defineStore('x', () => {...})`,
-  see `src/stores/actor.ts`, `token.ts`). Don't add options-style stores and don't
-  add new JS stores (`integrations.js`, `reactions.js`, `sounds.js`, `talkHash.js`
-  are stragglers awaiting conversion).
-- **Never add state, getters, mutations, or actions to the Vuex modules**
-  (`src/store/conversationsStore.js`, `messagesStore.js`, `participantsStore.js`) —
-  they are migration targets. If a change forces you into them, keep it minimal and
-  flag it in the PR.
-- Don't add new Pinia ↔ Vuex coupling. Existing bridges (`stores/reactions.js`
-  committing Vuex mutations, `stores/chat.ts:97` reading raw Vuex state,
-  `stores/session.ts`/`breakoutRooms.ts` dispatching into Vuex, and `conversationsStore.js`
-  importing ten Pinia stores) are debt that each new link makes harder to unwind.
-- Instantiate stores lazily inside actions/setup (`useXStore()`), not at module level
-  with the pinia instance (`conversationsStore.js:82`, `participantsStore.js:47` are
-  the anti-pattern).
-- Stores synchronize through reactivity, not the EventBus.
-
-### Services & composables
-- New services and composables are TypeScript with **named function exports**
-  (8 of 38 services and 7 of 31 composables are still JS — convert when touching,
-  don't add more).
-- Error-handling split: **services throw** (bare axios calls, no try/catch, no UI);
-  **stores/composables catch** and surface with `showError(t('spreed', ...))` from
-  `@nextcloud/dialogs`. Don't show toasts from services
-  (`participantsService.js:37-50` is drift) or swallow errors with `console.debug`.
-- Use the type definitions from `src/types/index.ts` for services, API endpoints
-  and internal logic in TS files
-- URLs via `generateOcsUrl()` with `{token}` placeholders — never string
-  concatenation, never `OC.linkTo()` (last use: `src/collections.js:12`).
-- Translations: `t`/`n` imported from `@nextcloud/l10n`, variables interpolated via
-  placeholder objects, never concatenated. Date/time formatting goes through
-  `src/utils/formattedTime.ts` (Intl-based) — no moment.js.
-
-### EventBus
-- `src/services/EventBus.ts` (typed mitt) is for bridging the non-Vue
-  signaling/call layer into Vue. Don't use it for component-to-component UI
-  coordination (use props/provide-inject/store state) or store-to-store sync.
-  Register every new event in the `Events` type. `@nextcloud/event-bus`
-  (`subscribe`/`unsubscribe`) is only for cross-app events from the server.
-
-### Dialogs
-- Declarative `<NcDialog>` in the owning component's template is the target.
-  `spawnDialog()` only where no template context exists. `NcModal` for dialogs is
-  legacy (see the `FIXME: Align NcModal header with NcDialog` in `App.vue`).
-
-### Icons & loading states
-- Icons: `vue-material-design-icons` components, not legacy `icon-*` CSS classes
-  (~11 files remain, e.g. `PublicShareAuthSidebar.vue:15`).
-- Loading: `NcLoadingIcon`, not `icon-loading`/`icon-loading-small` divs.
-
-### Styling
-- For CSS variables only use variables defined in `apps/theming/css/default.css`
-- Scoped styles with Nextcloud CSS variables (`var(--color-*)`); hardcoded colors
-  only for brand exceptions. Avoid new `:deep()` overrides of `@nextcloud/vue`
-  internals — the existing ~174 are a breakage hotspot on library bumps; prefer
-  component props/slots or an upstream issue.
-- Spacing and dimensions use the standard variables too — no magic numbers; use
-  `calc(x * var(--default-grid-baseline))` when finer control is needed.
-- For wording of translated strings stick to the rules mentioned in
-  https://docs.nextcloud.com/server/latest/developer_manual/design/writing.html
-
-### Call layer (WebRTC/signaling)
-- `src/utils/webrtc/simplewebrtc/`, `src/utils/webrtc/models/`,
-  `src/utils/signaling.js` and `src/utils/EmitterMixin.js` are pre-Vue legacy
-  (function constructors, `util.inherits`, WildEmitter, `.bind(this)` handler
-  chains, promise chains). **Do not copy these patterns** — for new code in this
-  area use ES6 classes and async/await; `src/utils/media/pipeline/` is the style
-  template.
-- Don't add new manual model `.on()`/`.off()` subscriptions in components
-  (`CallView.vue:535/546` style); prefer a composable wrapper that handles cleanup.
-
-## Known frontend technical debt (2026-06 analysis)
-
-1. **Vuex → Pinia migration** — 3 modules, ~4,200 lines
-   (`conversationsStore.js` 1,377 / `messagesStore.js` 1,485 /
-   `participantsStore.js` 1,306) with bidirectional Pinia coupling and duplicated
-   reactions state (`messagesStore.js` mutations vs `stores/reactions.js`).
-   Finishing this also removes the non-atomic multi-store fan-out in
-   `deleteConversation` (`conversationsStore.js:404`) and the last `useStore()`
-   components (~23).
-2. **Deprecated WebRTC APIs** — `pc.addStream()` at
-   `src/utils/webrtc/simplewebrtc/peer.js:125`, `addstream`/`removestream` event
-   listeners at `peer.js:55-57` and `src/utils/e2ee/encryption.js:646`; removed from
-   the spec, migrate to `addTrack()`/`ontrack`.
-3. **Legacy call layer modernization** (~4,800 lines) — ES6-classify
-   `simplewebrtc/` (2,009 lines) and `webrtc/models/` (1,170 lines), replace
-   `EmitterMixin`/WildEmitter with `EventTarget`, convert `signaling.js`
-   (1,617 lines, 26 promise chains, zero async/await). Drops the `wildemitter`,
-   `util` and `mockconsole` dependencies as a side effect.
-4. **`crypto-js` → Web Crypto** — 8 files use it only for SHA hashing
-   (`prepareTemporaryMessage.ts`, `messagesService.ts`, `stores/session.ts`,
-   `store/participantsStore.js`, `AdminSettings/TurnServer.vue`, …);
-   `crypto.subtle.digest` is async, so call sites need small refactors.
-5. **`hark` (unmaintained)** — `media/pipeline/SpeakingMonitor.js`,
-   `composables/useDevices.js`; replace with native AnalyserNode/AudioWorklet.
-6. **Options API components** — 141 SFCs; migrate directory-by-directory, pulling
-   `defineProps<T>`/`defineEmits<T>` along. Self-contained starts: AdminSettings
-   (15/16 Options API), BreakoutRoomsEditor (4/4), Dashboard (3/3).
-7. **JS stragglers** — 8 services (`signalingService.js`, `participantsService.js`,
-   `BrowserStorage.js`, …), 7 composables (`useDevices.js`, `useIsInCall.js`, …),
-   4 Pinia stores; convert to TS when touched.
-8. **EventBus overreach** — UI-coordination events (`focus-message`,
-   `scroll-chat-to-bottom`) and store-sync listeners (`token.ts`/`session.ts` on
-   `signaling-join-room`, `upload.ts` lifecycle emits) should move to
-   reactivity/provide-inject; signaling fan-out stays.
-9. **`:deep()` overrides** — ~174 overrides of `@nextcloud/vue` internals; audit on
-   each library bump, upstream what's generally useful.
-10. **`@matrix-org/olm`** — deprecated upstream in favor of vodozemac; track for the
-    e2ee code (`src/utils/e2ee/`).
-11. **Misc** — legacy `icon-*` CSS classes (~11 files), `OC.linkTo()` in
-    `src/collections.js:12`, `cropperjs` v1 (+`vue-cropperjs`), `base64-js` in
-    `e2ee/encryption.js` (native `TextEncoder`/`Uint8Array` suffices),
-    `vue-material-design-icons` (421 imports — consider `@mdi/js` +
-    `NcIconSvgWrapper` for bundle size, low priority).
+- Do **not** commit or push unless explicitly asked. Leave changes in the working dir, summarize, and suggest a commit message.
+- Never commit/push to `main` — use a `type/issue-or-noid/short-description` branch (e.g. `fix/12345/handle-mcu-disconnect`), not generated names like `agent-xxxx`.
+- Conventional Commits with a component scope: `feat(chat): …`, `fix(call): …`, `fix(api): …`.
+- Backports happen via a `/backport to stable-X.Y` comment on the merged PR — don't cherry-pick manually.
+
+## Backend conventions (modern pattern first; avoid the drift)
+
+From a 2026-06 tech-debt analysis. New code uses the modern pattern.
+
+- **DI:** constructor injection with property promotion. Don't add `\OCP\Server::get()` calls — existing ones are debt (the service-locator blocks in `lib/Room.php` where `getName()` even writes to the DB; ~42 `Server::get()` calls instantiating federation proxy controllers, 13 in `ChatController`).
+- **Data access:** new persisted entities use `QBMapper` + `SnowflakeAwareEntity` in `lib/Model/` (templates: `ConversationTag`, `ScheduledMessage`). `Room`/`Participant` are **not** Entities — hand-hydrated in `Manager::createRoomObject()` from columns aliased in `lib/Model/SelectHelper.php`; adding a column means touching the migration, `SelectHelper`, `Manager` hydration, and the constructor **in lockstep**. Query builder only (no raw SQL outside migrations). Build queries **outside** loops via `createParameter`/`setParameter`; chunk `IN ()` with `array_chunk(…, IQueryBuilder::MAX_IN_PARAMETERS)` for Oracle and `array_merge(...$results)` once after the loop (see `lib/Model/ThreadMapper.php`).
+- **Services:** reads/lookups in `lib/Manager.php`; writes/mutations + event dispatch in `lib/Service/RoomService.php`/`ParticipantService.php` — keep the split. New services in `lib/Service/` named `*Service`. Lib-root `GuestManager`, `MatterbridgeManager`, `lib/Chat/ChatManager` are legacy naming. Use `lib/Federation/`, `RecordingService`, `BotService`, `lib/RoomPresets/` as templates, not 2016-era core.
+- **Errors:** lookups throw domain exceptions (`RoomNotFoundException`, `ParticipantNotFoundException` in `lib/Exceptions/`). Idempotent setters may return `bool` (false = no-op), e.g. `RoomService::setPermissions()`; don't return `null`/`false` for "not found".
+- **Events:** typed only (`dispatchTyped()`), extending the `A`-prefixed bases in `lib/Events/`, with `Before*`/`*` pairs for mutations; registered in `lib/AppInfo/Application.php`. No string events/hooks.
+- **Controllers/API:** OCS controllers needing room/participant context extend `AEnvironmentAwareOCSController` (populated by `InjectionMiddleware` via `#[RequireRoom]`-style attributes in `lib/Middleware/Attribute/`); others extend `OCSController`. PHP attributes only (`#[NoAdminRequired]`, `#[PublicPage]`, `#[BruteForceProtection]`, `#[ApiRoute]`) — never docblock annotations. Responses are `DataResponse` with psalm shapes from `ResponseDefinitions.php`.
+- **Config:** settings go through the `lib/Config.php` facade; register new app-config keys in `lib/ConfigLexicon.php` (the emerging registry).
+- **Caching:** cache prefixes belong in `lib/CachePrefix.php` — don't add ad-hoc prefixes (drift: `hpb_servers` lacks `talk/`, `Capabilities.php` uses raw `'talk::'`).
+- **PHP style:** strict comparisons, `?Type` nullables, `match` over `switch`, `str_contains`/`str_starts_with`, `readonly` where applicable, arrow functions, `JSON_THROW_ON_ERROR` on new json calls. Prefer native backed enums for new value sets (only `lib/RoomAttributes.php`, `lib/RoomPresets/Parameter.php` exist today); bitflags (`Attendee::PERMISSIONS_*`, `Participant::FLAG_*`) stay int constants.
+
+## Frontend conventions (modern pattern first; avoid the drift)
+
+- **Components:** new/rewritten SFCs use `<script setup lang="ts">` with `defineProps<T>()`/`defineEmits<T>()`.
+- **State:** new state in a **Pinia setup-style TS store** (`defineStore('x', () => {…})`, see `src/stores/actor.ts`, `token.ts`). No new options-style or JS stores. **Never add to the Vuex modules** (`conversationsStore.js`, `messagesStore.js`, `participantsStore.js`) — migration targets; if forced, keep minimal and flag in the PR. Don't add new Pinia↔Vuex coupling. Instantiate stores lazily inside actions/setup (`useXStore()`), not at module level. Stores sync through reactivity, not the EventBus.
+- **Services/composables:** TypeScript with **named function exports** (convert JS ones when touched). Error split: **services throw** (bare axios, no try/catch, no UI); **stores/composables catch** and surface via `showError(t('spreed', …))` from `@nextcloud/dialogs` — don't toast from services or swallow with `console.debug`. Use types from `src/types/index.ts`. URLs via `generateOcsUrl()` with `{token}` placeholders — never concatenation, never `OC.linkTo()`. Translations: `t`/`n` from `@nextcloud/l10n`, interpolate via placeholder objects; date/time via `src/utils/formattedTime.ts` (Intl) — no moment.js.
+- **EventBus:** `src/services/EventBus.ts` (typed mitt) bridges the non-Vue signaling/call layer into Vue only — not for component-to-component UI coordination or store-to-store sync; register every new event in the `Events` type. `@nextcloud/event-bus` is only for cross-app server events.
+- **Dialogs:** declarative `<NcDialog>` in the owning template is the target; `spawnDialog()` only without template context; `NcModal` is legacy.
+- **Icons/loading:** `vue-material-design-icons` components (not `icon-*` CSS classes); `NcLoadingIcon` (not `icon-loading*` divs).
+- **Styling:** scoped styles with Nextcloud CSS vars (`var(--color-*)`, defined in `apps/theming/css/default.css`); hardcoded colors only for brand exceptions. Avoid new `:deep()` overrides of `@nextcloud/vue` internals — prefer props/slots or an upstream issue. Spacing/dimensions use the standard vars (`calc(x * var(--default-grid-baseline))`), no magic numbers. Follow the [string-writing rules](https://docs.nextcloud.com/server/latest/developer_manual/design/writing.html).
+- **Call layer (WebRTC/signaling):** `src/utils/webrtc/simplewebrtc/`, `webrtc/models/`, `signaling.js`, `EmitterMixin.js` are pre-Vue legacy — **don't copy these patterns**; use ES6 classes + async/await, with `src/utils/media/pipeline/` as the template. Don't add new manual model `.on()`/`.off()` subscriptions in components — prefer a composable wrapper that cleans up.
+
+## Known technical debt (2026-06 analysis)
+
+Roadmap, not new-code patterns. Don't extend these; extract/repair when touching nearby code.
+
+**Backend:**
+1. `\OC_Util::tearDownFS()/setupFS()` in `lib/Chat/Parser/SystemMessage.php` — last private-server-API usage; replace with a public per-user FS API.
+2. `Room.php` service locators — move name resolution / display-name / last-message loading into `Manager`/formatter; removes the `Room↔RoomService` cycle and a getter-with-DB-write.
+3. Enum migration — convert constant groups (`Room::TYPE_*`, `Participant::OWNER/…`, `Attendee::ACTOR_*`) to native backed enums, keeping `->value` at OCS/DB boundaries.
+4. Room/Participant hydration — introduce a mapper owning the `SelectHelper`⇄constructor mapping now spread over three files.
+5. Stale "temporary" code — 15× `FIXME Temporary solution for the Talk6 release` in `lib/Manager.php`; `Room::OBJECT_TYPE_PHONE_LEGACY` (`@deprecated`) still used in 5 places (`Notifier`, `AvatarService`, `RoomController`, `RoomService`, `RestrictStartingCalls`).
+6. God classes — `RoomController.php` (~3.3k, 63 endpoints), `ChatController.php` (~2.6k), `ParticipantService.php` (~2.4k, a `SessionService` would split out), `RoomService.php`, `Manager.php`. Don't grow them.
+7. Copy-paste `BackendNotifier`s — `Signaling/`, `Recording/`, `Federation/` share `doRequest()`+retry+`PHPUNIT_RUN` boilerplate; extract a base.
+8. `MatterbridgeManager` — 16-branch elseif in `generateConfig()`, `is_null()`/`strpos`/`substr` clusters; oldest-style file.
+9. Tests — inverted pyramid (~61 unit files vs huge Behat suite)
+10. Static analysis — psalm level 4 with `findUnusedCode="false"` and ~200-line baseline; tightening surfaces hidden debt.
+11. `json_encode`/`json_decode` — ~164 of 193 calls lack `JSON_THROW_ON_ERROR`; fix opportunistically.
+12. Loose comparison in `BackgroundJob/CheckCertificates.php` (`== null`) and `Command/Signaling/VerifyKeys.php` (`!=`).
+
+**Frontend:**
+1. Vuex→Pinia — 3 modules ~4,200 lines (`conversationsStore.js`, `messagesStore.js`, `participantsStore.js`), bidirectional coupling, duplicated reactions state. Finishing removes the non-atomic fan-out in `deleteConversation` and ~23 `useStore()` components.
+2. Deprecated WebRTC APIs — `pc.addStream()` and `addstream`/`removestream` listeners in `simplewebrtc/peer.js` and `e2ee/encryption.js`; migrate to `addTrack()`/`ontrack`.
+3. Legacy call layer (~4,800 lines) — ES6-classify `simplewebrtc/` and `webrtc/models/`, replace `EmitterMixin`/WildEmitter with `EventTarget`, convert `signaling.js` (~26 promise chains) to async/await. Drops `wildemitter`/`util`/`mockconsole`.
+4. `crypto-js`→Web Crypto — 8 files use it only for SHA (`prepareTemporaryMessage.ts`, `messagesService.ts`, `stores/session.ts`, `store/participantsStore.js`, `AdminSettings/TurnServer.vue`, …); `crypto.subtle.digest` is async.
+5. `hark` (unmaintained) — `media/pipeline/SpeakingMonitor.js`, `composables/useDevices.js`; replace with native AnalyserNode/AudioWorklet.
+6. Options API components — 141 SFCs; migrate directory-by-directory. Self-contained starts: AdminSettings (15/16), BreakoutRoomsEditor (4/4), Dashboard (3/3).
+7. JS stragglers — 8 services, 7 composables, 4 Pinia stores; convert to TS when touched.
+8. EventBus overreach — UI-coordination events (`focus-message`, `scroll-chat-to-bottom`) and store-sync listeners should move to reactivity/provide-inject; signaling fan-out stays.
+9. `:deep()` overrides — ~174 of `@nextcloud/vue` internals; audit on each library bump, upstream what's useful.
+10. `@matrix-org/olm` — deprecated upstream for vodozemac; track for `src/utils/e2ee/`.
+11. Misc — `icon-*` CSS classes (~11 files), `OC.linkTo()` in `src/collections.js`, `cropperjs` v1, `base64-js` in `e2ee/encryption.js`, `vue-material-design-icons` (421 imports — consider `@mdi/js`+`NcIconSvgWrapper`, low priority).