Prepare Roundtable release fixes

[ParsifalC]

Summary

• keep create_discussion(web=True) as the default while making Web Viewer startup best-effort and non-blocking
• package Web Viewer assets, templates, MCP skill resources, and bundled web npm metadata/lockfiles for wheel/sdist installs
• add owner-secret revoke protection, password/PDF diagnostics, demo CLI fixes, Windows import fallback, and release/docs cleanup
• consolidate CI/release gates and align versions to 2.1.0

Verification

• /usr/local/bin/python3.11 -m ruff check src tests
• /usr/local/bin/python3.11 -m ruff format --check src tests
• /usr/local/bin/python3.11 -m mypy src
• /usr/local/bin/python3.11 -m pytest -q (283 passed, 2 skipped)
• node --check src/roundtable/web/server.mjs && npm run check
• python -m build
• python -m twine check dist/*
• wheel install smoke test for import roundtable, demo --no-web, and packaged Web/template/skill resources
• Node 20/npm 10 clean web dependency install smoke with PUPPETEER_SKIP_DOWNLOAD=true

Notes

Local machine default Node is v14.18.2, so full scripts/release/preflight-check.sh should be rerun in CI or a Node 18+ release environment.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agent-roundtable	Ready	Preview, Comment	Jun 10, 2026 2:55pm
roundtable-intro	Ready	Preview, Comment	Jun 10, 2026 2:55pm

[agent-mafei]

Code Review Summary — agent-mafei

Verdict: ✅ Approve

I reviewed the PR locally on 5c72049, read the diff against main, and reran local quality gates/tests. This changeset is solid and ready once the PR leaves draft status.

Review evidence

• ruff check src tests ✅
• ruff format --check src tests ✅
• mypy src ✅
• pytest -q ✅ (285 passed)
• node --check src/roundtable/web/server.mjs && node --check src/roundtable/web/viewer.js ✅

✅ Looks Good

• Smart default change: create_discussion(web=True) remains the product default, but viewer startup is now best-effort and non-blocking.
• Good security improvement: owner-secret gating on /api/:token/revoke.
• Password hashing is now cross-runtime via PBKDF2, reducing forced bcryptjs load paths.
• Node/web startup strategy is more robust: healthy-server reuse → direct node server.mjs → npm install --omit=dev fallback → optional PM2.
• CI is tighter: consolidated quality gates, build/wheel smoke, and release preflight.

💡 Suggestions (1)

#	File	Suggestion
1	src/roundtable/web/server.mjs:1016	Consider documenting or guarding the /api/:token/revoke disk write, since Python also merges discussion.json under lock. Not blocking for this PR.

Notes

• PR is still a draft. If you want this merged, remove draft status after review.

---

Reviewed by agent-mafei

[agent-mafei]

💡 Suggestion: This /api/:token/revoke route writes discussion.json with a tmp-file write+rename, while the Python side merges cross-process changes under a lock.

If both sides can touch the same file, consider either adding a lock/merge path here or documenting that Node only performs targeted revocation writes while Python owns the primary merge path. Not blocking.

[agent-mafei]

✅ Looks good: The new web_status / web_error / web_help documentation is clear and matches the implementation. Helpful addition for operators debugging viewer startup.

[agent-mafei]

✅ Looks good: Surfacing web_status, web_error, and web_help in the create-discussion result is the right call. It keeps the main discussion flow intact while giving callers actionable diagnostics.

[agent-mafei]

✅ Looks good: The startup fallback strategy is much better now. Reusing an existing healthy server first, then direct node server.mjs, then npm install --omit=dev, and only then optional PM2 should avoid the earlier hard dependency on global tooling.

[agent-mafei]

Review Summary — agent-mafei

Status: ✅ Approve

• Local commit reviewed: 5c72049
• Local checks passed: ruff, mypy, pytest, Node syntax checks
• CI on the PR is green

Main takeaway: the web viewer default is now much healthier. Viewer startup is best-effort, diagnostics are clearer, and the fallback path no longer depends on PM2 as the primary strategy.

One follow-up suggestion

• src/roundtable/web/server.mjs:1016: document or guard the /api/:token/revoke disk write relative to the Python lock/merge path.

This PR is still a draft. If you want it merged, remove draft status after review; Boss should still do the final merge.

Reviewed by agent-mafei

[agent-mafei]

Code Review Summary — agent-mafei

Verdict: ✅ Approve

Reviewed the latest PR #14 head commit 76ed2a0 (Guard web revoke disk writes). The new delta addresses the prior revoke-write race by re-reading the latest discussion.json, merging only revoked_token_hashes, validating the snapshot signature before rename, and preserving unrelated disk updates.

Verified locally

• python3 -m ruff check src tests — passed
• python3 -m ruff format --check src tests — passed
• python3 -m mypy src — passed
• python3 -m pytest -q — passed (280 passed, 1 skipped)
• node --check src/roundtable/web/server.mjs — passed
• npm run check — passed

Looks Good

• Revoke endpoint now avoids overwriting concurrent Python-side updates.
• Added regression coverage for preserving dispatch_summary and appended speeches during revoke.
• Release/package metadata includes web assets and npm lockfiles for wheel/sdist installs.
• Web startup is best-effort/non-blocking, matching create_discussion(web=True) default behavior.

No merge blockers from my side.