From ca8f7d1ab2004fe36c5b9885dc11be955d7aa42a Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 4 Jun 2026 16:39:20 -0700
Subject: [PATCH 1/7] feat(hephd): CORS + optional static serving on the hub
 HTTP endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a permissive CORS middleware (answers the browser OPTIONS preflight and
stamps Access-Control-* on every response) and an optional --web-root static
file handler with an index.html SPA fallback. Together these let a browser
surface — the forthcoming heph-pwa mobile app — call /rpc cross-origin or be
hosted same-origin straight from the hub. No new crate dependencies; file
reads run on the blocking pool. Covered by tests/web_serve.rs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 crates/hephd/src/main.rs        |  11 ++-
 crates/hephd/src/sync.rs        | 117 ++++++++++++++++++++++-
 crates/hephd/tests/web_serve.rs | 163 ++++++++++++++++++++++++++++++++
 3 files changed, 287 insertions(+), 4 deletions(-)
 create mode 100644 crates/hephd/tests/web_serve.rs

diff --git a/crates/hephd/src/main.rs b/crates/hephd/src/main.rs
index ad3517c..c8e4e25 100644
--- a/crates/hephd/src/main.rs
+++ b/crates/hephd/src/main.rs
@@ -60,6 +60,12 @@ struct Cli {
     #[arg(long)]
     http_addr: Option<String>,
 
+    /// Directory of static files to serve for non-API paths (server mode). Point
+    /// this at the `heph-pwa/` shell to host the mobile app same-origin from the
+    /// hub. Unset: the hub serves only its API routes.
+    #[arg(long)]
+    web_root: Option<PathBuf>,
+
     /// Server to proxy to (client mode only; required there).
     #[arg(long)]
     server_url: Option<String>,
@@ -190,7 +196,10 @@ async fn main() -> Result<()> {
                             anyhow::bail!("--oidc-issuer and --oidc-audience must be set together")
                         }
                     };
-                let app = sync::router(daemon.store(), verifier);
+                if let Some(root) = cli.web_root.as_deref() {
+                    tracing::info!(web_root = %root.display(), "hub serving static PWA shell");
+                }
+                let app = sync::router_with_web(daemon.store(), verifier, cli.web_root.clone());
                 let http_listener = TcpListener::bind(&addr)
                     .await
                     .with_context(|| format!("binding hub HTTP endpoint {addr}"))?;
diff --git a/crates/hephd/src/sync.rs b/crates/hephd/src/sync.rs
index 266cae1..41e5524 100644
--- a/crates/hephd/src/sync.rs
+++ b/crates/hephd/src/sync.rs
@@ -10,6 +10,12 @@
 //! - `POST /rpc` — the full daemon API ([`crate::rpc::dispatch`]) over HTTP, for
 //!   a no-replica `client`-mode [`crate::remote::RemoteStore`] to proxy against.
 //!
+//! All routes carry permissive CORS headers and answer the browser preflight
+//! (`OPTIONS`), so a browser surface (the `heph-pwa` mobile app) can call `/rpc`
+//! cross-origin. When the hub is given a `web_root`, unmatched paths fall back to
+//! serving that directory's static files (the PWA shell), so the app can be
+//! hosted same-origin straight from the hub.
+//!
 //! Exchange is **incremental by HLC cursor** (`sync_state`, [`heph_core::SyncCursors`]):
 //! each side transfers only the tail it hasn't sent/seen. Merge is idempotent,
 //! so a re-pushed op the hub already has is a harmless no-op. When the hub is
@@ -17,13 +23,14 @@
 //! OIDC bearer token whose `sub` owns the hub (tech-spec §13); spokes attach
 //! that token via the `bearer` argument to [`sync_once`].
 
+use std::path::PathBuf;
 use std::sync::{Arc, Mutex};
 
 use anyhow::Result;
 use axum::extract::{Query, Request, State};
-use axum::http::StatusCode;
+use axum::http::{header, HeaderValue, Method, StatusCode, Uri};
 use axum::middleware::{self, Next};
-use axum::response::Response as AxumResponse;
+use axum::response::{IntoResponse, Response as AxumResponse};
 use axum::routing::{get, post};
 use axum::{Json, Router};
 use serde::{Deserialize, Serialize};
@@ -44,6 +51,9 @@ pub type SharedStore = Arc<Mutex<dyn Store + Send>>;
 struct HubState {
     store: SharedStore,
     verifier: Option<Arc<dyn TokenVerifier>>,
+    /// When set, unmatched paths serve static files from this directory (the
+    /// `heph-pwa` shell), so the app can be hosted same-origin from the hub.
+    web_root: Option<PathBuf>,
 }
 
 /// A batch of ops in flight (push body / pull response).
@@ -102,15 +112,116 @@ fn apply_batch(
 /// `verifier` is `Some`, every route requires a valid OIDC bearer token whose
 /// `sub` owns this hub (tech-spec §13); `None` leaves the hub open (local dev).
 pub fn router(store: SharedStore, verifier: Option<Arc<dyn TokenVerifier>>) -> Router {
-    let state = HubState { store, verifier };
+    router_with_web(store, verifier, None)
+}
+
+/// [`router`] plus an optional `web_root`: when `Some(dir)`, paths that don't
+/// match an API route serve static files from `dir` (the `heph-pwa` shell),
+/// with a `index.html` fallback so the single-page app can deep-link. Static
+/// files are served without authentication — they are only the app shell; all
+/// data still flows through the auth-gated `/rpc` and `/sync/*` routes.
+pub fn router_with_web(
+    store: SharedStore,
+    verifier: Option<Arc<dyn TokenVerifier>>,
+    web_root: Option<PathBuf>,
+) -> Router {
+    let state = HubState {
+        store,
+        verifier,
+        web_root,
+    };
     Router::new()
         .route("/sync/pull", get(pull))
         .route("/sync/push", post(push))
         .route("/rpc", post(rpc_call))
         .route_layer(middleware::from_fn_with_state(state.clone(), require_auth))
+        // The static shell is unauthenticated and lives behind the API routes.
+        .fallback(serve_static)
+        // Outermost: stamp CORS headers on every response and short-circuit the
+        // browser's `OPTIONS` preflight (before it reaches auth or routing).
+        .layer(middleware::from_fn(cors))
         .with_state(state)
 }
 
+/// Permissive-CORS middleware. Answers the browser preflight (`OPTIONS`) with a
+/// 204 and stamps `Access-Control-*` headers on every response. The hub is a
+/// personal endpoint guarded by bearer tokens (not cookies), so a wildcard
+/// origin is safe — there are no ambient credentials for `*` to expose.
+async fn cors(request: Request, next: Next) -> AxumResponse {
+    let is_preflight = request.method() == Method::OPTIONS;
+    let mut response = if is_preflight {
+        StatusCode::NO_CONTENT.into_response()
+    } else {
+        next.run(request).await
+    };
+    let h = response.headers_mut();
+    h.insert(
+        header::ACCESS_CONTROL_ALLOW_ORIGIN,
+        HeaderValue::from_static("*"),
+    );
+    h.insert(
+        header::ACCESS_CONTROL_ALLOW_METHODS,
+        HeaderValue::from_static("GET, POST, OPTIONS"),
+    );
+    h.insert(
+        header::ACCESS_CONTROL_ALLOW_HEADERS,
+        HeaderValue::from_static("authorization, content-type"),
+    );
+    h.insert(
+        header::ACCESS_CONTROL_MAX_AGE,
+        HeaderValue::from_static("86400"),
+    );
+    response
+}
+
+/// Serve the PWA shell from `web_root` for any non-API path. Returns 404 when no
+/// `web_root` is configured. Unknown paths fall back to `index.html` so the SPA
+/// can own its own routing. Path traversal (`..`) is rejected.
+async fn serve_static(State(state): State<HubState>, uri: Uri) -> AxumResponse {
+    let Some(root) = state.web_root.as_ref() else {
+        return StatusCode::NOT_FOUND.into_response();
+    };
+    let rel = uri.path().trim_start_matches('/');
+    if rel.split('/').any(|seg| seg == "..") {
+        return StatusCode::BAD_REQUEST.into_response();
+    }
+    let rel = if rel.is_empty() { "index.html" } else { rel };
+
+    let direct = root.join(rel);
+    let index = root.join("index.html");
+    // File reads run on the blocking pool (tokio's `fs` feature is off, and DB /
+    // disk I/O never runs on an async worker, tech-spec §3).
+    let read = tokio::task::spawn_blocking(move || {
+        match std::fs::read(&direct) {
+            Ok(bytes) => Some((content_type(&direct), bytes)),
+            // SPA fallback: serve index.html for unknown (extension-less) routes.
+            Err(_) => std::fs::read(&index)
+                .ok()
+                .map(|bytes| ("text/html; charset=utf-8", bytes)),
+        }
+    })
+    .await;
+    match read {
+        Ok(Some((ctype, bytes))) => ([(header::CONTENT_TYPE, ctype)], bytes).into_response(),
+        _ => StatusCode::NOT_FOUND.into_response(),
+    }
+}
+
+/// Best-effort content type from a file extension (the handful the PWA serves).
+fn content_type(path: &std::path::Path) -> &'static str {
+    match path.extension().and_then(|e| e.to_str()) {
+        Some("html") => "text/html; charset=utf-8",
+        Some("js" | "mjs") => "text/javascript; charset=utf-8",
+        Some("css") => "text/css; charset=utf-8",
+        Some("json" | "webmanifest") => "application/json; charset=utf-8",
+        Some("svg") => "image/svg+xml",
+        Some("png") => "image/png",
+        Some("ico") => "image/x-icon",
+        Some("woff2") => "font/woff2",
+        _ => "application/octet-stream",
+    }
+}
+
 /// Reject any request lacking a valid bearer token whose `sub` owns this hub.
 /// A no-op when the hub has no verifier configured (open dev mode).
 async fn require_auth(
diff --git a/crates/hephd/tests/web_serve.rs b/crates/hephd/tests/web_serve.rs
new file mode 100644
index 0000000..b176137
--- /dev/null
+++ b/crates/hephd/tests/web_serve.rs
@@ -0,0 +1,163 @@
+//! The hub's browser-facing surface (for the `heph-pwa` mobile app): permissive
+//! CORS on every response, an `OPTIONS` preflight answer, and—when a `web_root`
+//! is configured—static serving of the app shell with an `index.html` SPA
+//! fallback. A tiny raw-HTTP client keeps this dependency-free and lets us drive
+//! arbitrary methods (`OPTIONS`) and inspect response headers directly.
+
+use std::io::{Read, Write};
+use std::net::TcpStream;
+use std::sync::mpsc;
+use std::sync::{Arc, Mutex};
+use std::thread;
+use std::time::Duration;
+
+use heph_core::{FixedClock, LocalStore};
+use hephd::sync::{self, SharedStore};
+
+const NOW: i64 = 1_704_067_200_000; // 2024-01-01T00:00:00Z
+
+/// One parsed HTTP response: status line code, lowercased headers, and body.
+struct Resp {
+    status: u16,
+    headers: Vec<(String, String)>,
+    body: String,
+}
+
+impl Resp {
+    fn header(&self, name: &str) -> Option<&str> {
+        let name = name.to_ascii_lowercase();
+        self.headers
+            .iter()
+            .find(|(k, _)| *k == name)
+            .map(|(_, v)| v.as_str())
+    }
+}
+
+/// Issue one HTTP/1.1 request over a fresh connection (`Connection: close`, so
+/// we can read the whole response to EOF) and parse the response.
+fn request(addr: &str, method: &str, path: &str) -> Resp {
+    let mut stream = TcpStream::connect(addr).unwrap();
+    let req = format!("{method} {path} HTTP/1.1\r\nHost: {addr}\r\nConnection: close\r\n\r\n");
+    stream.write_all(req.as_bytes()).unwrap();
+    let mut raw = String::new();
+    stream.read_to_string(&mut raw).unwrap();
+
+    let (head, body) = raw.split_once("\r\n\r\n").unwrap_or((&raw, ""));
+    let mut lines = head.split("\r\n");
+    let status = lines
+        .next()
+        .and_then(|l| l.split_whitespace().nth(1))
+        .and_then(|c| c.parse().ok())
+        .unwrap();
+    let headers = lines
+        .filter_map(|l| l.split_once(": "))
+        .map(|(k, v)| (k.to_ascii_lowercase(), v.to_string()))
+        .collect();
+    Resp {
+        status,
+        headers,
+        body: body.to_string(),
+    }
+}
+
+/// Start the hub router (with the given `web_root`) over a temp `LocalStore` on
+/// an ephemeral port; return its `host:port`. The server thread + temp dirs live
+/// for the test's duration.
+fn start(web_root: Option<std::path::PathBuf>) -> String {
+    let (tx, rx) = mpsc::channel();
+    thread::spawn(move || {
+        let rt = tokio::runtime::Builder::new_current_thread()
+            .enable_all()
+            .build()
+            .unwrap();
+        rt.block_on(async move {
+            let dir = tempfile::tempdir().unwrap();
+            let store =
+                LocalStore::open(dir.path().join("heph.db"), Box::new(FixedClock(NOW))).unwrap();
+            let shared: SharedStore = Arc::new(Mutex::new(store));
+            let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
+            tx.send(listener.local_addr().unwrap()).unwrap();
+            let _keep = dir;
+            let app = sync::router_with_web(shared, None, web_root);
+            axum::serve(listener, app).await.unwrap();
+        });
+    });
+    rx.recv_timeout(Duration::from_secs(5)).unwrap().to_string()
+}
+
+#[test]
+fn cors_headers_on_rpc_and_preflight_answered() {
+    let addr = start(None);
+
+    // The browser preflight gets a 204 with the CORS allowances, without auth.
+    let pre = request(&addr, "OPTIONS", "/rpc");
+    assert_eq!(pre.status, 204);
+    assert_eq!(pre.header("access-control-allow-origin"), Some("*"));
+    assert!(pre
+        .header("access-control-allow-headers")
+        .unwrap()
+        .contains("authorization"));
+    assert!(pre
+        .header("access-control-allow-methods")
+        .unwrap()
+        .contains("POST"));
+
+    // A regular GET also carries the origin header (so XHR can read the body).
+    let get = request(&addr, "GET", "/sync/pull");
+    assert_eq!(get.header("access-control-allow-origin"), Some("*"));
+}
+
+#[test]
+fn serves_static_shell_with_index_fallback() {
+    let dir = tempfile::tempdir().unwrap();
+    std::fs::write(
+        dir.path().join("index.html"),
+        "<!doctype html><title>heph</title>",
+    )
+    .unwrap();
+    std::fs::write(dir.path().join("app.js"), "export const x = 1;\n").unwrap();
+    let addr = start(Some(dir.path().to_path_buf()));
+
+    // Root serves index.html as HTML.
+    let root = request(&addr, "GET", "/");
+    assert_eq!(root.status, 200);
+    assert!(root.body.contains("<title>heph</title>"));
+    assert_eq!(
+        root.header("content-type"),
+        Some("text/html; charset=utf-8")
+    );
+
+    // A real asset is served with a JS content type.
+    let js = request(&addr, "GET", "/app.js");
+    assert_eq!(js.status, 200);
+    assert!(js.body.contains("export const x"));
+    assert_eq!(
+        js.header("content-type"),
+        Some("text/javascript; charset=utf-8")
+    );
+
+    // An unknown (extension-less) route falls back to index.html for the SPA.
+    let deep = request(&addr, "GET", "/inbox");
+    assert_eq!(deep.status, 200);
+    assert!(deep.body.contains("<title>heph</title>"));
+
+    // Path traversal never escapes web_root (whether the client/proxy normalizes
+    // the `..` away or our guard rejects it, the crate's Cargo.toml never leaks).
+    let escape = request(&addr, "GET", "/../../Cargo.toml");
+    assert!(
+        !escape.body.contains("[package]"),
+        "must not serve files outside web_root"
+    );
+
+    // The temp dir must outlive the server thread's reads.
+    drop(dir);
+}
+
+#[test]
+fn no_web_root_yields_404_for_static_paths() {
+    let addr = start(None);
+    let resp = request(&addr, "GET", "/inbox");
+    assert_eq!(resp.status, 404);
+    // Even the 404 carries CORS headers (it passed through the layer).
+    assert_eq!(resp.header("access-control-allow-origin"), Some("*"));
+}

From c3111d498bc55882e1f3ce1fbcea88a4d4421062 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 4 Jun 2026 16:42:09 -0700
Subject: [PATCH 2/7] feat(heph-pwa): port quickadd + datespec parsers to JS
 (with parity tests)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Faithful JS ports of hephd's quickadd.rs / datespec.rs so the PWA's quick-add
accepts the identical syntax (p1-4, #Project greedy match, today/+3d/fri/ISO,
'every …' recurrence) and produces the same RRULEs and local-midnight do-dates
as the CLI/TUI. test/parsers.test.mjs replays the Rust unit cases under
`node --test` (13/13 pass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 heph-pwa/src/datespec.js       | 221 +++++++++++++++++++++++++++++++++
 heph-pwa/src/quickadd.js       | 113 +++++++++++++++++
 heph-pwa/test/parsers.test.mjs | 125 +++++++++++++++++++
 3 files changed, 459 insertions(+)
 create mode 100644 heph-pwa/src/datespec.js
 create mode 100644 heph-pwa/src/quickadd.js
 create mode 100644 heph-pwa/test/parsers.test.mjs

diff --git a/heph-pwa/src/datespec.js b/heph-pwa/src/datespec.js
new file mode 100644
index 0000000..7c2986a
--- /dev/null
+++ b/heph-pwa/src/datespec.js
@@ -0,0 +1,221 @@
+// Human-friendly date and recurrence parsing — a faithful JS port of hephd's
+// `datespec.rs` (tech-spec §1, §8, §8.1) so the PWA's quick-add accepts the
+// exact same forms as the CLI/TUI and produces identical RRULEs and do-dates.
+//
+// Dates are date-grained and stored as epoch ms at *local midnight* (matching
+// `to_epoch_ms`). All pure functions take an explicit `today` so they stay
+// deterministically testable; the thin wrappers read the local clock.
+
+/** A local-midnight Date for today (time component stripped). */
+export function today() {
+  const n = new Date();
+  return new Date(n.getFullYear(), n.getMonth(), n.getDate());
+}
+
+/** Local-midnight epoch ms for a Date (the form do_date/late_on are stored in). */
+export function toEpochMs(date) {
+  return new Date(date.getFullYear(), date.getMonth(), date.getDate()).getTime();
+}
+
+function addDays(date, n) {
+  return new Date(date.getFullYear(), date.getMonth(), date.getDate() + n);
+}
+function addMonths(date, n) {
+  return new Date(date.getFullYear(), date.getMonth() + n, date.getDate());
+}
+
+// JS getDay(): 0=Sun..6=Sat.
+const WEEKDAYS = {
+  mon: 1, monday: 1,
+  tue: 2, tues: 2, tuesday: 2,
+  wed: 3, weds: 3, wednesday: 3,
+  thu: 4, thur: 4, thurs: 4, thursday: 4,
+  fri: 5, friday: 5,
+  sat: 6, saturday: 6,
+  sun: 0, sunday: 0,
+};
+const BYDAY = { 0: "SU", 1: "MO", 2: "TU", 3: "WE", 4: "TH", 5: "FR", 6: "SA" };
+
+/** Weekday name (full or common abbreviation) → JS day index, or null. */
+function parseWeekday(s) {
+  return Object.prototype.hasOwnProperty.call(WEEKDAYS, s) ? WEEKDAYS[s] : null;
+}
+
+/** The soonest date on/after `today` whose weekday is `wd` (JS day index). */
+function soonestWeekday(today, wd) {
+  let d = today;
+  for (let i = 0; i < 7; i++) {
+    if (d.getDay() === wd) return d;
+    d = addDays(d, 1);
+  }
+  return today;
+}
+
+function parseOffset(rest, today) {
+  rest = rest.trim();
+  const m = rest.match(/^(\d+)\s*([a-z]*)$/);
+  if (!m) throw new Error(`not a relative date offset: +${rest}`);
+  const n = parseInt(m[1], 10);
+  switch (m[2]) {
+    case "": case "d": case "day": case "days": return addDays(today, n);
+    case "w": case "wk": case "week": case "weeks": return addDays(today, n * 7);
+    case "m": case "mo": case "month": case "months": return addMonths(today, n);
+    default: throw new Error(`unknown offset unit "${m[2]}" (use d, w, or m)`);
+  }
+}
+
+/**
+ * Parse a human date spec relative to `today` (a local-midnight Date) into a
+ * local-midnight Date. Accepts: today/now, tomorrow/tom, yesterday; +Nd/+Nw/+Nm
+ * (bare +N = days); weekday names (soonest on/after today); ISO YYYY-MM-DD.
+ * Throws on anything unrecognized.
+ */
+export function parseDate(input, todayDate) {
+  const s = input.trim().toLowerCase();
+  if (s === "") throw new Error("empty date");
+  switch (s) {
+    case "today": case "now": return todayDate;
+    case "tomorrow": case "tom": return addDays(todayDate, 1);
+    case "yesterday": return addDays(todayDate, -1);
+  }
+  const wd = parseWeekday(s);
+  if (wd !== null) return soonestWeekday(todayDate, wd);
+  if (s.startsWith("+")) return parseOffset(s.slice(1), todayDate);
+
+  // ISO YYYY-MM-DD (strict; construct as local midnight).
+  const iso = s.match(/^(\d{4})-(\d{2})-(\d{2})$/);
+  if (iso) {
+    const [, y, mo, d] = iso;
+    const date = new Date(Number(y), Number(mo) - 1, Number(d));
+    if (
+      date.getFullYear() === Number(y) &&
+      date.getMonth() === Number(mo) - 1 &&
+      date.getDate() === Number(d)
+    ) {
+      return date;
+    }
+  }
+  throw new Error(
+    `unrecognized date: "${input}" (try today, tomorrow, +3d, fri, or YYYY-MM-DD)`,
+  );
+}
+
+/** parseDate to epoch ms, or null if unparseable (convenience for quick-add). */
+export function parseDateMsOrNull(input, todayDate) {
+  try {
+    return toEpochMs(parseDate(input, todayDate));
+  } catch {
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Recurrence
+// ---------------------------------------------------------------------------
+
+const MONTHS = {
+  jan: 1, feb: 2, mar: 3, apr: 4, may: 5, jun: 6,
+  jul: 7, aug: 8, sep: 9, oct: 10, nov: 11, dec: 12,
+};
+
+function parseMonthDay(s) {
+  const toks = s.split(/\s+/).filter(Boolean);
+  if (toks.length !== 2) return null;
+  const month = (t) => MONTHS[t.slice(0, 3)] ?? null;
+  const day = (t) => {
+    const m = t.match(/^(\d+)/);
+    return m ? parseInt(m[1], 10) : null;
+  };
+  let m = month(toks[0]);
+  let d = day(toks[1]);
+  if (m !== null && d !== null) return [m, d];
+  d = day(toks[0]);
+  m = month(toks[1]);
+  if (m !== null && d !== null) return [m, d];
+  return null;
+}
+
+function parseMonthdayOrdinal(s) {
+  const m = s.match(/^(\d+)(st|nd|rd|th)$/);
+  if (!m) return null;
+  const d = parseInt(m[1], 10);
+  return d >= 1 && d <= 31 ? d : null;
+}
+
+function intervalForm(n, unit) {
+  const wd = parseWeekday(unit);
+  if (wd !== null) {
+    return n === 1
+      ? `FREQ=WEEKLY;BYDAY=${BYDAY[wd]}`
+      : `FREQ=WEEKLY;INTERVAL=${n};BYDAY=${BYDAY[wd]}`;
+  }
+  let freq;
+  switch (unit) {
+    case "day": case "days": freq = "DAILY"; break;
+    case "week": case "weeks": freq = "WEEKLY"; break;
+    case "month": case "months": freq = "MONTHLY"; break;
+    case "year": case "years": freq = "YEARLY"; break;
+    default:
+      throw new Error(
+        `unrecognized recurrence "${unit}" (try daily/weekly/monthly/yearly, ` +
+          `'every 3 days', 'every fri', or a raw RRULE)`,
+      );
+  }
+  return n === 1 ? `FREQ=${freq}` : `FREQ=${freq};INTERVAL=${n}`;
+}
+
+/**
+ * Parse a recurrence spec into an RFC-5545 RRULE. Accepts a raw RRULE (anything
+ * containing FREQ=), presets (daily/weekly/monthly/yearly/weekdays), and the
+ * common natural-language forms (§6.2.1): every N (day|week|month|year)s, every
+ * <weekday>, every other <weekday|unit>, every workday, every <Month> <day>,
+ * every <Nth>. A trailing "at <time>" is ignored. Throws if unrecognized.
+ */
+export function parseRecurrence(spec) {
+  const raw = spec.trim();
+  if (raw.toUpperCase().includes("FREQ=")) return raw;
+
+  let s = raw.toLowerCase();
+  const at = s.indexOf(" at ");
+  if (at !== -1) s = s.slice(0, at);
+  s = s.trim();
+
+  switch (s) {
+    case "daily": case "day": return "FREQ=DAILY";
+    case "weekly": case "week": return "FREQ=WEEKLY";
+    case "monthly": case "month": return "FREQ=MONTHLY";
+    case "yearly": case "annually": case "year": return "FREQ=YEARLY";
+    case "weekdays": case "workdays": case "workday": case "weekday":
+      return "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR";
+  }
+
+  const body = (s.startsWith("every ") ? s.slice("every ".length) : s).trim();
+
+  if (body.startsWith("other ")) return intervalForm(2, body.slice("other ".length).trim());
+  if (body === "workday" || body === "weekday" || body === "workdays" || body === "weekdays") {
+    return "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR";
+  }
+  const wd = parseWeekday(body);
+  if (wd !== null) return `FREQ=WEEKLY;BYDAY=${BYDAY[wd]}`;
+
+  const md = parseMonthDay(body);
+  if (md) return `FREQ=YEARLY;BYMONTH=${md[0]};BYMONTHDAY=${md[1]}`;
+
+  const ord = parseMonthdayOrdinal(body);
+  if (ord !== null) return `FREQ=MONTHLY;BYMONTHDAY=${ord}`;
+
+  const toks = body.split(/\s+/).filter(Boolean);
+  const first = toks[0] ?? "";
+  const asNum = /^\d+$/.test(first) ? parseInt(first, 10) : null;
+  if (asNum !== null) return intervalForm(asNum, toks[1] ?? "");
+  return intervalForm(1, first);
+}
+
+/** parseRecurrence, but returns null instead of throwing. */
+export function parseRecurrenceOrNull(spec) {
+  try {
+    return parseRecurrence(spec);
+  } catch {
+    return null;
+  }
+}
diff --git a/heph-pwa/src/quickadd.js b/heph-pwa/src/quickadd.js
new file mode 100644
index 0000000..b0e5c4d
--- /dev/null
+++ b/heph-pwa/src/quickadd.js
@@ -0,0 +1,113 @@
+// Single-line natural-language quick-add — a faithful JS port of hephd's
+// `quickadd.rs` (tech-spec §8.1). Todoist-style capture:
+//   `Water plants tomorrow p2 #Chores every 3 days`
+//
+// Recognized inline tokens are extracted and the remainder is the title (order
+// preserved). This mirrors the owner's Todoist usage ([[design]] §6.2.1):
+//   - Priority  p1..p4 → attention (p1 red, p2 orange, p3 blue, p4 white)
+//   - Project   #Name  → resolved against existing projects, greedily matching
+//                        multi-word titles (#Camano Chores). Unresolved #tags
+//                        stay in the title verbatim (no surprise project).
+//   - Do-date   a datespec token: today/tomorrow/+3d/fri/ISO
+//   - Recurrence  an `every …` phrase (the longest suffix that parses)
+
+import { parseDate, toEpochMs, parseRecurrenceOrNull } from "./datespec.js";
+
+/** p1..p4 → attention color string (matching the RPC serialization), or null. */
+function priorityAttention(token) {
+  switch (token.toLowerCase()) {
+    case "p1": return "red";
+    case "p2": return "orange";
+    case "p3": return "blue";
+    case "p4": return "white";
+    default: return null;
+  }
+}
+
+/**
+ * Greedily match `first` (+ following words) against a known project title,
+ * case-insensitively, longest-first. Returns [projectId, extraWordsTaken] or
+ * null. `projects` is an array of { id, title }.
+ */
+function matchProject(first, rest, projects) {
+  const maxExtra = Math.min(rest.length, 4);
+  for (let extra = maxExtra; extra >= 0; extra--) {
+    const candidate = [first, ...rest.slice(0, extra)].join(" ");
+    const p = projects.find((p) => p.title.toLowerCase() === candidate.toLowerCase());
+    if (p) return [p.id, extra];
+  }
+  return null;
+}
+
+/** Find the first `every` token and consume the longest suffix that parses. */
+function extractRecurrence(tokens, out) {
+  const start = tokens.findIndex((t) => t.toLowerCase() === "every");
+  if (start === -1) return;
+  for (let end = tokens.length; end > start + 1; end--) {
+    const phrase = tokens.slice(start, end).join(" ");
+    const rrule = parseRecurrenceOrNull(phrase);
+    if (rrule) {
+      out.recurrence = rrule;
+      tokens.splice(start, end - start);
+      return;
+    }
+  }
+}
+
+/**
+ * Parse a quick-add line against `today` (a local-midnight Date) and the known
+ * `projects` (array of { id, title }). Returns:
+ *   { title, attention|null, doDate(ms)|null, recurrence(RRULE)|null, projectId|null }
+ */
+export function parse(input, todayDate, projects = []) {
+  const tokens = input.split(/\s+/).filter(Boolean);
+  const out = {
+    title: "",
+    attention: null,
+    doDate: null,
+    recurrence: null,
+    projectId: null,
+  };
+
+  extractRecurrence(tokens, out);
+
+  const title = [];
+  let i = 0;
+  while (i < tokens.length) {
+    const tok = tokens[i];
+
+    const att = priorityAttention(tok);
+    if (att !== null) {
+      out.attention = att;
+      i += 1;
+      continue;
+    }
+
+    if (tok.startsWith("#")) {
+      const stripped = tok.slice(1);
+      const matched = matchProject(stripped, tokens.slice(i + 1), projects);
+      if (matched) {
+        out.projectId = matched[0];
+        i += 1 + matched[1];
+        continue;
+      }
+      // Unresolved #tag: keep the word (with the #) in the title.
+    }
+
+    if (out.doDate === null) {
+      try {
+        out.doDate = toEpochMs(parseDate(tok, todayDate));
+        i += 1;
+        continue;
+      } catch {
+        // not a date token; fall through to title
+      }
+    }
+
+    title.push(tok);
+    i += 1;
+  }
+
+  out.title = title.join(" ");
+  return out;
+}
diff --git a/heph-pwa/test/parsers.test.mjs b/heph-pwa/test/parsers.test.mjs
new file mode 100644
index 0000000..7c006d0
--- /dev/null
+++ b/heph-pwa/test/parsers.test.mjs
@@ -0,0 +1,125 @@
+// Parity tests for the JS parser ports — the exact cases from hephd's
+// quickadd.rs / datespec.rs unit tests. Run: `node --test heph-pwa/test/`.
+import test from "node:test";
+import assert from "node:assert/strict";
+
+import { parseDate, parseRecurrence, toEpochMs } from "../src/datespec.js";
+import { parse } from "../src/quickadd.js";
+
+const d = (y, m, day) => new Date(y, m - 1, day);
+const ms = (y, m, day) => toEpochMs(d(y, m, day));
+
+// datespec.rs uses 2026-06-02 (a Tuesday) as `today`.
+const DTODAY = d(2026, 6, 2);
+
+test("parse_date keywords and offsets", () => {
+  assert.deepEqual(parseDate("today", DTODAY), d(2026, 6, 2));
+  assert.deepEqual(parseDate("tomorrow", DTODAY), d(2026, 6, 3));
+  assert.deepEqual(parseDate("yesterday", DTODAY), d(2026, 6, 1));
+  assert.deepEqual(parseDate("+3d", DTODAY), d(2026, 6, 5));
+  assert.deepEqual(parseDate("+2w", DTODAY), d(2026, 6, 16));
+  assert.deepEqual(parseDate("+1m", DTODAY), d(2026, 7, 2));
+  assert.deepEqual(parseDate("+5", DTODAY), d(2026, 6, 7));
+});
+
+test("parse_date weekdays are soonest on/after today", () => {
+  assert.deepEqual(parseDate("tue", DTODAY), d(2026, 6, 2)); // today
+  assert.deepEqual(parseDate("fri", DTODAY), d(2026, 6, 5));
+  assert.deepEqual(parseDate("mon", DTODAY), d(2026, 6, 8)); // wraps
+});
+
+test("parse_date iso and errors", () => {
+  assert.deepEqual(parseDate("2026-12-25", DTODAY), d(2026, 12, 25));
+  assert.throws(() => parseDate("someday", DTODAY));
+  assert.throws(() => parseDate("", DTODAY));
+});
+
+test("recurrence presets and raw", () => {
+  assert.equal(parseRecurrence("daily"), "FREQ=DAILY");
+  assert.equal(parseRecurrence("weekly"), "FREQ=WEEKLY");
+  assert.equal(parseRecurrence("monthly"), "FREQ=MONTHLY");
+  assert.equal(parseRecurrence("yearly"), "FREQ=YEARLY");
+  assert.equal(parseRecurrence("weekdays"), "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR");
+  assert.equal(parseRecurrence("FREQ=DAILY;INTERVAL=2"), "FREQ=DAILY;INTERVAL=2");
+});
+
+test("recurrence natural language", () => {
+  assert.equal(parseRecurrence("every day"), "FREQ=DAILY");
+  assert.equal(parseRecurrence("every 3 days"), "FREQ=DAILY;INTERVAL=3");
+  assert.equal(parseRecurrence("every 2 weeks"), "FREQ=WEEKLY;INTERVAL=2");
+  assert.equal(parseRecurrence("every 6 months"), "FREQ=MONTHLY;INTERVAL=6");
+  assert.equal(parseRecurrence("every fri"), "FREQ=WEEKLY;BYDAY=FR");
+  assert.equal(parseRecurrence("every other wed"), "FREQ=WEEKLY;INTERVAL=2;BYDAY=WE");
+  assert.equal(parseRecurrence("every other day"), "FREQ=DAILY;INTERVAL=2");
+  assert.equal(parseRecurrence("every workday at 08:00"), "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR");
+  assert.equal(parseRecurrence("every April 15"), "FREQ=YEARLY;BYMONTH=4;BYMONTHDAY=15");
+  assert.equal(parseRecurrence("every 5th"), "FREQ=MONTHLY;BYMONTHDAY=5");
+  assert.equal(parseRecurrence("every 22nd"), "FREQ=MONTHLY;BYMONTHDAY=22");
+  assert.throws(() => parseRecurrence("every blue moon"));
+});
+
+// quickadd.rs uses 2026-06-03 as `today` with projects Work + Camano Chores.
+const QTODAY = d(2026, 6, 3);
+const PROJECTS = [
+  { id: "work", title: "Work" },
+  { id: "camano", title: "Camano Chores" },
+];
+const p = (input) => parse(input, QTODAY, PROJECTS);
+
+test("plain title", () => {
+  const r = p("Buy milk");
+  assert.equal(r.title, "Buy milk");
+  assert.equal(r.attention, null);
+  assert.equal(r.doDate, null);
+  assert.equal(r.recurrence, null);
+  assert.equal(r.projectId, null);
+});
+
+test("priority maps to attention", () => {
+  assert.equal(p("Email boss p1").attention, "red");
+  assert.equal(p("Email boss p2").attention, "orange");
+  assert.equal(p("Email boss p3").attention, "blue");
+  assert.equal(p("Email boss p4").attention, "white");
+  assert.equal(p("Email boss p1").title, "Email boss");
+});
+
+test("relative date is extracted", () => {
+  const r = p("Call dentist tomorrow");
+  assert.equal(r.title, "Call dentist");
+  assert.equal(r.doDate, ms(2026, 6, 4));
+});
+
+test("single + multi-word projects resolve", () => {
+  assert.equal(p("Standup #Work").projectId, "work");
+  assert.equal(p("Standup #Work").title, "Standup");
+  const r = p("Sweep deck #Camano Chores");
+  assert.equal(r.title, "Sweep deck");
+  assert.equal(r.projectId, "camano");
+});
+
+test("unresolved tag stays in title", () => {
+  const r = p("Buy #groceries milk");
+  assert.equal(r.title, "Buy #groceries milk");
+  assert.equal(r.projectId, null);
+});
+
+test("recurrence phrase is extracted", () => {
+  const r = p("Water plants every 3 days");
+  assert.equal(r.title, "Water plants");
+  assert.equal(r.recurrence, "FREQ=DAILY;INTERVAL=3");
+});
+
+test("everything at once", () => {
+  const r = p("Plan trip p2 friday #Work every week");
+  assert.equal(r.title, "Plan trip");
+  assert.equal(r.attention, "orange");
+  assert.equal(r.doDate, ms(2026, 6, 5));
+  assert.equal(r.projectId, "work");
+  assert.equal(r.recurrence, "FREQ=WEEKLY");
+});
+
+test("non-recurrence every stays in title", () => {
+  const r = p("Review every report");
+  assert.equal(r.title, "Review every report");
+  assert.equal(r.recurrence, null);
+});

From 4baa8e1c9d316185af39d7df6ba132c63dcbca83 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 4 Jun 2026 16:59:37 -0700
Subject: [PATCH 3/7] =?UTF-8?q?feat(heph-pwa):=20mobile=20app=20shell=20?=
 =?UTF-8?q?=E2=80=94=20views,=20quick-add,=20triage,=20search,=20voice?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A buildless, installable PWA that mirrors heph-tui: sidebar of built-in views
(tom/tasks/work/chores/ondeck/inbox) + projects, a task list with attention
flags / project bullets / date chips, tap-to-expand triage (done/drop/skip/
attention/reschedule/move/delete + undo), full-text search, and a read-only
context+log preview. The primary surface is the quick-add modal (FAB or Cmd-'),
which live-parses the TUI syntax into preview chips and supports voice via
on-device dictation / the Web Speech API. rpc.js is the online-only JSON-RPC
client mirroring heph-tui's Backend; settings persist in localStorage. Service
worker caches the app shell for offline launch.

Verified end-to-end against a local server-mode hephd (--web-root): the app
boots, calls the view RPC, and renders RankedTasks in headless Chrome.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 heph-pwa/README.md               |  63 +++
 heph-pwa/icons/icon-180.png      | Bin 0 -> 3397 bytes
 heph-pwa/icons/icon-192.png      | Bin 0 -> 3663 bytes
 heph-pwa/icons/icon-512.png      | Bin 0 -> 10449 bytes
 heph-pwa/icons/icon-maskable.png | Bin 0 -> 4260 bytes
 heph-pwa/icons/icon.svg          |  14 +
 heph-pwa/index.html              |  24 +
 heph-pwa/manifest.webmanifest    |  17 +
 heph-pwa/src/app.js              | 800 +++++++++++++++++++++++++++++++
 heph-pwa/src/fmt.js              |  71 +++
 heph-pwa/src/rpc.js              | 163 +++++++
 heph-pwa/styles.css              | 504 +++++++++++++++++++
 heph-pwa/sw.js                   |  53 ++
 13 files changed, 1709 insertions(+)
 create mode 100644 heph-pwa/README.md
 create mode 100644 heph-pwa/icons/icon-180.png
 create mode 100644 heph-pwa/icons/icon-192.png
 create mode 100644 heph-pwa/icons/icon-512.png
 create mode 100644 heph-pwa/icons/icon-maskable.png
 create mode 100644 heph-pwa/icons/icon.svg
 create mode 100644 heph-pwa/index.html
 create mode 100644 heph-pwa/manifest.webmanifest
 create mode 100644 heph-pwa/src/app.js
 create mode 100644 heph-pwa/src/fmt.js
 create mode 100644 heph-pwa/src/rpc.js
 create mode 100644 heph-pwa/styles.css
 create mode 100644 heph-pwa/sw.js

diff --git a/heph-pwa/README.md b/heph-pwa/README.md
new file mode 100644
index 0000000..197d86a
--- /dev/null
+++ b/heph-pwa/README.md
@@ -0,0 +1,63 @@
+# heph-pwa
+
+A phone-first, installable **Progressive Web App** that mirrors `heph-tui`:
+browse the built-in views and projects, triage tasks, and — the primary use
+case — capture tasks fast with the same quick-add syntax as the TUI's `a` /
+Cmd-' popover. Context/KB is read-only here.
+
+Full guide: [`docs/how-to/heph-pwa.md`](../docs/how-to/heph-pwa.md).
+
+## What it is
+
+- **Thin, online-only client.** Every read/write is a JSON-RPC call to a
+  server-mode `hephd` (the sync hub). No local replica, no offline write queue.
+- **Buildless.** Plain ES modules, no bundler, no `npm install`. Serve the
+  directory and go.
+- **Same parser as the TUI.** `src/quickadd.js` + `src/datespec.js` are faithful
+  ports of the Rust `hephd::quickadd` / `hephd::datespec` modules, verified by
+  parity tests against the original Rust unit cases.
+
+## Layout
+
+```
+index.html              # app shell
+styles.css              # dark, terminal-flavored, touch-tuned
+manifest.webmanifest    # PWA manifest (installable)
+sw.js                   # service worker — caches the app shell for offline launch
+icons/                  # app icons (svg + rasterized png, incl. maskable)
+src/
+  app.js                # UI controller: views, list, quick-add, triage, search, voice
+  rpc.js                # hephd JSON-RPC-over-HTTP client + settings (localStorage)
+  quickadd.js           # quick-add parser (port of quickadd.rs)
+  datespec.js           # date + recurrence parser (port of datespec.rs)
+  fmt.js                # display helpers (date chips, attention colors, bullets)
+test/
+  parsers.test.mjs      # parity tests for the parser ports
+```
+
+## Run it
+
+Serve from the hub (recommended — same-origin, no CORS):
+
+```bash
+hephd --mode server --http-addr 0.0.0.0:8787 --web-root /path/to/heph-pwa
+# then open http://<host>:8787/ on your phone and Add to Home Screen
+```
+
+Or from any static server (the hub now sends CORS headers, so cross-origin
+`/rpc` calls work); set the hub URL in the app's Settings screen.
+
+## Test
+
+```bash
+node --test heph-pwa/test/parsers.test.mjs
+```
+
+## Status / next steps
+
+First cut (C1). Known gaps, roughly in priority order:
+
+- In-app OIDC device-code login (today: paste a bearer token in Settings).
+- Offline write queue / CRDT replica (today: online-only).
+- Read-only context could grow wiki-link navigation.
+- A native Swift wrapper, if/when an Apple Developer account is in play.
diff --git a/heph-pwa/icons/icon-180.png b/heph-pwa/icons/icon-180.png
new file mode 100644
index 0000000000000000000000000000000000000000..dfa2b2a4fe4fa2c5cb2e87d641a8dad05e0bd6d7
GIT binary patch
literal 3397
zcmcInXHb*P7JdN(7^IgV5KxdFdJk0$gf5*RO^OteCP6wPMS1`MMWqFiDm@@IfPxWF
z3>FXq0R^NJq)7Y38}H2hbLalOv$K2V?Ae_?`|O@)&!$;gAeq5@U;qG^jg1i2REhgr
z8R@C5_Ir9os-X8UMIwMde@j_!RUQDGJ2pmKwv8y-oQ=FC-~eUVrbKtQdp2f^;W<gh
zroP{Krqe5Jx%f=<%AKVUesnVRwn>1MgyorPf#+N_9FGP?`3jz;=%s<5bAa<{WuEV)
z(@C1I4PF$*dr)39ekHfHl4p;8BJ<`iVR{K0JyVku<Tc5X*~bTVd;7<m8v@`TN&MGH
za^sf8w2rK~yEJWldfM@Ce<IrkV$gR&fV72d1-;`7wMf4&3$(M(UjP0>pQFldcBFwa
zH6<kbi3T|cKLvW(bNF-#;(gVA{jvJ_Q8V28ZzFJhq?frF+Ij&_r1YIka=CNoS#S{S
zR|J<9c!j6>BzOEED|62<L(4t{heJEBfCC|-PBcjwDl7&0xYX$_shBzxWx52?74oIl
zG-o1Q?;9U5y}p^p?F_I=PxealXzm2bsckr7KRCAjC~EOK_Gb%YiqCN%iPm+}9@!Zf
z>4Yx6%~g<7T`|T|_ZMhcj%O&F%Gey2wy;I$Xs(?*?IJRB+pe^?w~u%k{$Udql2vBR
z)f2RQyhuPA8h$?t6rt!h`mT0dI5R~vuW}TaxMEg|?0j5*G*-VWg$@lRIJqRxh3G1B
z8`I|aBg+%-z6%>F((O@Ee(A!RJO@<23v(%l70})EujmR47Sq{}k(K^oyYlAYFQ<HK
z-O(`ZaxGtgQq$1DZ$4Pn)#4(#?x9MZ+L+(PF!R#v)CwS<uhFRr7t?wCr3hZ9@pnNI
zV%UOagee`FU&?i1(o3nzwS{PI9so(Rzq+vWY%bL-&3}Mjz~}m$huk&vF>z)_fW5vw
z@rKxLE!9(1Wo1~GPr$gokL}b|8gvw2hQ!_F^_G!<jNbVdLg0TxWa+l6!)bNd)rq@C
zQ$4TnTJT!)yg<}YdRrTIXORY|H^?%~7ZPuS;ZA*nDC3_>QNbhZQdi?RVM-u}P)Ehy
z`HgRx;VW<K>SQk)Qt11%u-8W=CVThxJaxt*QXb+?rBL2re9j8d!NM(KL=zpmzGfk_
zrL#@alVUChLEg`)#hQd%3GRzIRxAf>&Wo1n-WW)`tE^H?g2A;JONb`VMW5ejcpp;4
zD^HpI%KW^MVbtt-)jNZsldJy(w-8Mh4V5BO!4;=-E})(m=B#sG<B2+{3GcpO$C|NZ
zIzHfIPMtY}uv8Mq!Oi)@{41Bq9;z%>?zo;AcjgP{s->BiFG{5XLG*0a%=Mf6`4`qh
z+fx%vaClpPD@Y-W{^HqT^i8XlF*J*?oUhfoGNPI21)`bo(;HKPCcPC|_5<1~ZP+3!
z?CIwBSKsoez?7#d3=<(Pm!c8MG59uqD|X3}Vtspe?64F}*)cg;tgeaZ#m)2N#Vh?h
zJCtt=n92PAX>|WY(=r}1rAZ8#`XW)6T8Pm%HG*b{+-YJ;DUIT-@jN?6aLAI`{C-lc
zf$IKw?N-N6i%$v?NJ8bC?a%Eb`P;!S8yD!~Mt;`TwLih=MWXDTveo9I)Yj~Krzb<`
z+*WFrWGY20OI~poM9hY{ZHK+<hdeQHvRPiDj--$xV9MMD)_f{5%g3s&^GwCYA0A`$
zK;TDmy8$oyA#fFbHRwGPqj@H1Hgh4>z%jZ1xBqx0SMU>iwchYyQjjMIPi!uc{j0X-
ziQu!i5B0MJHg@*aih2qx#)LIgwn!28<Zw?do*hihJ;hv(OuwTGVjsg^9p7Dv4emT?
zxCD(nRd6Fnr|Ew%LxjwapO_KK1Vk4&d1rPZZUk7GK3#u?CgqLoUehXXej+5Cob~xd
zUrNqHGptf5;V%Z60-mOwPX*%6%4y?YAB31z5&?OQ2(~|mt5xcyEFE4R9Dfdn#dC)%
zVuZRYz|4Tffl|bG2B9lA@4KZjSb1;pmXPo8R~GAtEHIpA7PQv*xn@c0>}bO%E6UJh
z%+trbZ}N0cFNqx=@Q+%yB+~;>@WMalYGu1FLIwsEW9T9W7(3+mht0tfhQ35k8&AX5
zd^Gl|gcHv|WYBb`ii30F(q;_dmnn6j`@c@1vzjm6J?7(A)d85~UX0zS(>N}WZp|Lg
zXSZK3(O7$L;;3}Sb+(5u_qae%42Bszl>a_XF302=e{jE}cz^1dg4rGgxi{pKV+@sE
zE9`7(Ai6q*4U0KPj%J$?P#-^$bTUq7vkNiq&cmBa+fHaoo{^ZCIRRx0*T}&3UM<A1
zGs5;b6d!ZZ|JnEXq`;%nu`FjK?qg11Ji`NL`rUnc9sa8PxP;^f*T3FGbWGhxyZ@;6
zguh96@bj!XLx}=ZL>{#QOYPwO`n!6Smx=G|Z}E;*+$!(A0ezpEyAJYyUL1g8;EQTJ
za8u8e1CQxd73cz&66b4PZ5#oesppOjCC=?5Ke1bk|Cter(eAC`Y9eYdPLq@HE(6CP
zCR!digU$HsLSFgsOH(nIM>sCQ(3pgs23}kr&*cIAWeJJhiBs9FS(K6SjHjrPx7hvh
zgBgp@?f4PY{X?U^W+nXu43d;<r@nOIzvDQZbmQ_W+s!9%wuWkD#W*S+t0>*U_q^x(
z@|%dJ)zyyo%uBl=Ve|)@bp4-+7ysGsRuj?KoEv&=%3dX4N)0~v!VUWP=>q@eUnBlh
zytH_t&c=~JVUnY3d}c_h`oAf|HNhyD1;T3mu*?JdNdDK{vN=*+(#SDkWKGE)Es^=;
zVJJKJ(NZ7#^QIp=;m<;5Z!jiH_b@$5G=rz*(sdKN{lzW&yU}9Buh4t)Gnu`QSX$eO
z{%Wo%lX!}~t*x9IRMe7sG(Foy*6ojZtWPl3Tv(&9+2YD85doWaLjCty$@hXgA3s}2
zfH}LS*+JZrr)sEosMi;cS$^^K%6bdf8Fyq;>3N1c^i-D_Dys&49Xi1s6?p>BcbK5w
zmWU<0HWV2@hCcVf(P3q~C3TfiRK(da0G_b?LRz`Eh03=7AxmYT8;=Tk?{*&N_4VMc
zC||r?_^qPi)W;Z0MQ^e4N|6W|ERESyi*L^*m*wA_bWtJfX(q?2x;_Y>?xIF{YhOq4
zWFrc3JL+6_+)sl~3hD0GRN8SA`rw+?ORjZVRcF`d;*|I%UDJ1ridWU|$v-MYZ0L4V
zc|=Yj8a;?E@>sFXk_lj?y_vCk2_g6ud$E>)1`EqcR14NCGnwBB9@-q2?RTN|0&#;k
z9e`I<R`mpK{(X7+7md(mu5?CpI~A+Sh-9|pKAN|_09!TT{hNzYnYZ1xn&<(D6z{=_
z=tv&_$Gfx`NR-y}9P?Yj*4)&c2^H1P(LiDNVYS45e5V!y#HKMdo0rVe8QMpCox*MO
z)?PB}Glo;Q2!>lwR}j5Pc(u+3%F}Dt#Dwk?ezO@v4g2mh0~64F^NHJ6%JJHF2PBgP
z`L{@{^X_gU>`RoF7^SA5(*&h4N!x~K2tfXpn;=_nfR8(VMO<a#Nb?i7c9~?H-^ULM
zkEA>h8Y)jbD8)w%wBnUQx!q{xZTBn@M`@K(ufk>b1{0D6g>;ogg-fNqh09~o=9Q4q
z(b=+lGv{qEoZcKZ(IQ{MmT5XVe1}tShf}JRwzFEbJ6DpuaqnUU`r|%Oomnoc@CkC+
z0A=t@hZH68Oo1<a^MjSo3|+B&ibNtIy(R+>9?^yt4fJ07tO7hJF%TIsH<7%RW_a?b
zXQ|(DnYb&;k(W{@9F~&*${VPik3dXug7&c}^gQ;KYmpt6=DL_dTVq#OAXmR;zjdCj
zGbl!w2YMLUF74&w3m8%Jv0CA_6r43>n3}^mOI)`&qn4#k*Y_@@cjk*)Be|kL>l|Z{
zxBgI0`~w-0*NNGST^_EJDT1NLf}sUn0{!He330flMwxS`aH%34$ay>FR!7iX1C*>o
z`POhaKVtXnB8^N9bMx1ErlY{ud92~g?>B`k!E+46??b;<xP4G(US`4RNKCUi;zAo#
zyiTM>_~I%@7471u0rFZx%YsyH^vBR83RGzGqzb~n7jxibV?#11--pKcu)<Vj-hmb`
z%5;o|&};t|u*dx#mc9m;B_@yx9@GOP>3{R<e7*JzaP0cwlvRoJG2~KPK!Eg!QdGw6
zB{7Mf=C2D@+Y)6?Wm^t`D`eD0lg(oDKQ?{0-$#jVeKGOkjL!lh{9-lDrRLAF?-wS0
z%+6$CKDsmPo#*DB!e`%r=Y6nh+i;CFd6&D%FrFKzUDlR}_%1F8=7p3&5)x^r8uhWi
jMXtok^%Em&{?L^S(yDK3sa8?{MS!t^1)@R!dcwZ|KQdZm

literal 0
HcmV?d00001

diff --git a/heph-pwa/icons/icon-192.png b/heph-pwa/icons/icon-192.png
new file mode 100644
index 0000000000000000000000000000000000000000..571bc1e666e414c808819570246167de5f768314
GIT binary patch
literal 3663
zcmc&%c{J2-)c?-d$4(?m29<q_EMptl4P%>ZgRD`up^=?IM1ID;uTg|VlE@M%GosKa
z#n{)euUQJO{(jGS|9#JM?sLyQ&pmfJ_c@<)KS}0D17-*>1ONbLBST%wbKUh%=xNVy
zOR^8$xuSJN80Z3L|4vy)RVDziP#fuLqe6<-C(u6pqmi^*o6!%99y?e*HB3hsKQ-)s
zEN&6A`YtJbME?SVv5N=;Ie8V4aZR7|(lUai_>!rDhWDd1FHhaK3wr4_`mrtex}RPg
zTDnHOdRgoCkGbp~i;y@x977ys`WA}Y<^zKl_hK@nEEGR=3=|a?ZysD(_xMUT8`0+J
z>3N5S2FmZ(@hNtaWq92f(Z)T&QpOFZhcn}hfvfsDmX(&k9gqn)k&1^?ddX*a0te%J
zh}Emm(9q`uvvJ1#xS{Niy8DK2s0~=79&#0?%fAXQrG?Q1{zR_oyt0k{2&WBJR94Ov
zC9PQDPD0@uRBRY;pB-vGUP4ob=ej#3W_x>=<j1rU0$M4se=F|0NwdX<3#=kkl&1k(
zRA`!#%gK91L4i;LWN2t8qOESL1+GceIcD|12QJtobXzd__t{tyXvYb+zlttIC7sCH
z&$);;n{_^Yle3vzcX|igBw8@YytJEbSLZ+0WRMkgsq0Z!pV^U!aEpNPCPVzaMUL%i
zP5|qqRFs<Xu%}RIyqpy{#Ar4fG;x6N$=0l_tOrh?gU}MA%!)o<M>^;|2Fy+-LJ^ZI
z{o8+qPgx^xwK>oZOtZ?Td?Km%J0?7s80i6ArjM`j=Gdm_5Ce^}zH@l>=SX{4z1|%J
z?ZA}=ML&y5hlHBKwXVy_$>mb+E6Bi2(P-1Y_WkR)RF7i^VY-eCWDZ$NJ|I9MQ`7^6
zD`;*m$WU$LEZ-zb@ul<aRbv~mp4YD027$O)J<>{J>i?pK=53RVH}Sf{N#E7O-h{`1
z`<m40kWmsL#}(pg7yypBk?Qo_sqDDdbPBxX#ZsL}9=Qy;Rd4#SDmv;l-6WO)HPu1^
z!QW?<I_Pe&4@Y0WuDI31CHVSVv8n0XCVN<<rEE#j&3S3wOvuXD>`r+niUJ&3N0JTL
z$@FBn=kuzR070A_bW~`zQ)Gn>%SE~q$t3=o7nh9&kh0+_`;CaQ<Kt$1u~jDO8(;5;
z1b%8l*4DkU-5mO+mg5LE8X6<?nd!OLQLp<;1rwMzfqg#ZNf4sgVM9}xmE^jrrms&M
z6~3OL+(~5{^PWmni%W3WxTJli*Za)s?GxYH#yXk#8Ff%O*!`}DZ>pZ~gpFT|U%BLX
zm@CCsSMLh+f%E1YWrs+*=XDc}O6CRpVDp(UDdB^UL18b&xs$&DqwQmK#u==*%+klV
z4QV7#mp?~OqBrPI2MqazbAOfBe+>fR#!~nSsd83mM$hJ1n~}APwl9JWLGUiiw(dT&
z(<kPx>-K*M<;Ao;Y^_MBT1-F9(2&|duTWs_k1%DxP=y?pEd5)L6q88i&T=knEPGqX
za?|~$eHAQ=qvJc4O_;NZX#GrY%#=>(y7n(Go1tT>$~d<CGCe;lUR!?{efp($NYJ})
zSSDeenygq<K2qD=F#E%7syXM8MfNv%HRXbCLe@5*vU7tQ7m-2(z3m1fj@knMZ|0ja
z3Xspn)s-W_`sCGI1$|CVAznu{ukcdOR{rfLn}=pD&lXb_(vEw%eSP+rCidg28jeb|
zlmy~-#56S@R{Rkp{EVOCxiqDKDBCFrL!Js>sPX;qwO&0gNP7Ig|2Ff%D5a(XJe-9g
zCws2v_8|;9d;GIR9GB=>ZpnQQt!6&@Zel+`wf4F5h+pT#zPyGN;QP$f0Qx99{zt23
zr6(i}dCkNCT9x!i?TUsK?kHcL#QvN<v=X?VSz&nfjwu03cenpRq{-j~0O$=z7M^D^
z{xaC2Sy=^P(+D5HQU{tx_z=(I-oj1J(LH(d$3Jr(-`A<|GL=#dzS5h(whp@oqg8b-
zKVzDmi=b<%4rbX<7Kq`O3#lOyTS_FmmfQSYr{~WK@Y<p7RT(WIdyn*ce>;GH>3PPf
zuA33(gZ`X(zgQOPGEF5nJq*5b?a_Aarg|UiM?I*jLV^Nq?wb-R0ML#4BQY7VAx@GP
zqk8~L89mz#xH4zedp)EX05GTDF9yv1G21TgN^a^c96Y1af0xRa!cKq7I{J%OEPu*D
zdrDG?jH2KB!X<|AhuH-LzNr(m1MJw1WYHdk+%o>`&5K#;F)Lp<IPJn-u<u?o)WV;P
z&he~<j$<zXdMKRa%3E?0-b^#0cRhGlsu7$~R16<A>r7!R*1~x_Ga<CrEJHAQ&zl*f
z1>aqq@fFmbsCysxZAXHX9^omZnM9<F%3)UI${p*4ii;EkD71QL+_TR$_be<p^)aS2
zD5JZ`@v-A1gW<jI@SUsy0Yb^I<fHt6CAvo6r;B&e^7y;|q6Ut(1Lvz5-4=vZ74YsQ
z*We9JAFOEdmbKz0m7`o?`r5O?s*J;=dftiP;_69dmIAzagDp<V)*2F5#gdPI1+%X>
z`#5M)C1xuH&k0KnpSu+_KcUPnn4E{V_~)2Xq=El9-$3C}UdS#l_yBe{^5#1ch5Tvo
z88>#Do|iQth<QoDS&s1+f0tx0s~PMzFV)(<0#te0u)GRA9hGkFvNF+rcp9R`R6XPU
z3_HeM9`$_$Ngi^UF|Fd}N$lONI;0aakjoawZ)zaxQa*LkA4+D*)vE0Q&uedPmlohL
z#qq6|m^x0PE8RlCjA?X{{uh4Gv>luM<$n;?jb$=(2JJxQ<sbe$vZ{1*_)b_DtT|f5
zcvansM_X9DJ$C?-r!2k4uM6~W{zC(qnE!<e5%(=4I%)bP8eV!xqVDDo^IHdA&ZL@9
z-w;Je!MSS+{d-=%kD~Rs6;xRP0E<<Gq1MghJl=>=?1jM@4lzc7gQ#lfYg)hyJM<&p
zgUG(~l3YQJ=1x}run)`<_jpYVwyyjikc5+Zx;R@YLWbT@_J+lZz5?u84v$kID_275
zd>tZA49>gG@JA-0x}m&k8@*%9XlTZt-x5D=luM9lxup6c-BcS$;sZ<vP<i$*p=f(5
zQu=OU=Pqmw3uC1~N@XGD9otkbOR}BuHJDn8Sc#khId1fHu0Ic7q%80$K<_=ZM4fGN
z>e=@w<S7#>etc`Ye(m6stT%Tg$ZujB`Z=`BwpZfbho9|p+9Y{?n>`xa=+(^v{IuP^
z=HWP3B*^#&D(~F7x*$Yi|Mv{FXJCYP_JY&uUjg&pQovCGN7?geBcU6Es|)V6Y^=xq
zub+a=M;@{F$`mOIbidXgym&I@r~hk6q0&l)@*(|VdLF-$K+k;+P78;Sbv=@Nkx~U9
zz7mW({{;L;i*9+BJKbTAJxvT`XR`e@6Hw*Pt7w4%!$`M&c0kQUG+=CYX6Sut!Qz9g
z7viUJ?TzULrQPn)%H^K;<9Uo1B`aa8^2C1cGRY#5Tp8mpiN?OAKy~#Kv65acAY!iW
z_=E&Nxi0XK_^_$5jT-o&taL#Cu*xLe-)ni&7F%Wt!ol%8Uv=gs*j1?=G`J06rU^oU
zh0Xge(}AG1vPgRPjKgvQ(Jtp__W?vsNluQQD0xSLy;T<za=wK@9D-GvPW`Py6UkT7
zYVV(PfNghWL1M>qxBCueVH&~vunZeUIT#GaShmc1CQ{1D-=aPWl2R2Ju#TzfX6-?>
zOVzDa)pyLi1OKNN_7!|6Xd`kSn_9M)mTu57e4KfSI@$M31XupvS>_1OjXooN<MS8m
zA`++3<qM&~*V$Va!+UzDs&Xe={@xP8PS+0QVbwX()vjeZg}An=f%_+TQq6jGvb{Ok
zS_gkQ=zis#t`+G?_jteTNO@}sW=@edxPi&lX-#y167(w~52ho3`@O`vNJ&0>p~dA)
z&Ue;jA?2a$HIum>tk;Klv?Lim9sIE))?$;`Zjk&fT2r0eHoE}NIbp)o=|-$Lh@l**
zx(#-6Q;2rpHNGU4zvEvn2a~`6Tv#(w4At69m4+u*u&W{%oi3;R-t3mJmZ|Mfd3nR$
z=EP1~B@3-6Oc1D+VpM19vi}mNaQulJw5nu7*Ut?DiJuCl3d_RskvVGxc`Yh$#zft*
zp?gV5$yN;+f^pLq^F2iZM<nx+QPAWmIvxRm;yRY>NZu|)zGg0w!G4b5p&fa<GE<O<
zVQA7V(<JW<vPGy8*4aD|vK#A^XmG8=u59-1N9IT9jnUXmuQH`kUv>{?NSa2)aA%RV
zaA@d)pO26CYv&GNs|_3&$Ioayo&MwrqC?eRTrfb!iaDiFv+BtK=z0I#gCy>|Cg7bn
z!!w=H204h5XV&|AKP4!KYa{4vuAnKBYdlS$+TkzUjt*6bwad(D`V7%!etU?YaLr4F
zyrYfSbBa+1LzhQXP$TDDU_@f;;FV#$h?ec*q2%5%GvC-JmbHIeB8@a>VUehVflL0O
zJX_jYEc8ZXEiNwZxZ6iU8njr69n)=K$H9bN`MP<#ryQ~$UFB_}+J}j}9i5$Z7O|8G
z`+g+Q1~lapwR;_7ryCMBvanmZHZnHLm9d9uV<T9E_xTprL{##aQ<C-~%pO3p!6U%)
z5qR}XURF%MR+naNj1lk}_g~VFC7*b|;bR~BUyhvVhNYCEGuC7_1F8zu+|+Z12pH)h
Kbzk0ej{P5S-py73

literal 0
HcmV?d00001

diff --git a/heph-pwa/icons/icon-512.png b/heph-pwa/icons/icon-512.png
new file mode 100644
index 0000000000000000000000000000000000000000..8ac6bbc881ffb9c4fa7d9a19ff675a2c55e74e5d
GIT binary patch
literal 10449
zcmeHtRX~(M)adL|5`uw9gGi^S)C#gHN=bJ&NUN|YQi~{p0ullOQi4b>As{7TfHYD|
z3W_YkQqr=-KkFZF_wC;M^uxo>_kCy1Idf{xoHLQS+NwwC*y#WON7dC-^Z`J^Arc&+
zhCdtk2Y2BQwY{dQ3OFSHXMK2^001vgSGi(%|JBl@e;}8O-SVHgbe~GocnO6hUq`d}
z#Lu*6=xNncPsPWVCFz={KGLOo!z^sk>E~MeX5((?UDxHKFPLjY&h#Z|((_lMk!EV=
z1dEo6Wxr_u92vW3mL$$q;_{vJWNG^T&|T;6K7{?C!}vEBF7(dL$gkvVr~9`Z>5-9@
zHGX8b`&l8yIHzo=W0;+)D5|{3Bj23OLMX*eJv4V=|4E`op)U(N*h-1L`0kLXr=Fdw
z6i*%ft*pv<M3j@!k@_0dQuZS5sc%hDQIUJUnY~(k6cJo5D6y(X2_Nm%ztzj=xq5;v
z;Axza-uX@3I|RCGw`5Ro)CK8Ugj_e2Kk326?zV#A>N?GgjTo$~9)5AN+e+MBvb@#W
z!?7pHkcc`Bm}{=MZy4HcmdR{o*B10YQN7_8Q^%O7!i-fc@NzXXL*<yTxtEsRNY+4E
zk@6N1;Mr-7T`4goTgTzvBpT)Mf#K>lOg?`W5WjNmS|^*ryr}!4SoF|ryoRL<68orA
z{egbPw&;;%*2VezY9tLLO9ZkEO`_gk^^EsV%e{g32hHxrlXQzrjt?zp0#Mv99IaGE
zS(vf@rbB(cS2|LO#ovbFQ?2F@fU`%9E8gp9bmOJL@xS>*#m6zo+stAn8HVYinE~%;
zH!rgV#1It$mTFWmB}7DPw(;BKq|zel=9$-k^R*Xdz0>p7cZaAC=K8f{D1nq0zD2ZM
zc$zJV<F?9l&6lru=FM)ljx;6t#u3i}tni3X)WZ<g-^3j`bsyY74FQA5FDbF|(m%CQ
zDYzFAXGTOZ0bUl*_*&O$#T}tc9+8a-FgQFcDJRf*Iaik_K`)w2W{1u7eO29+AA`|h
zVPP}4_0Qc!$i9&gQ|UC#CX3dCd+KaZ0)WcS^!#Bx|4UL^Mn*<4@!Xw1x!{$Fe)4=s
zY1H3b)*S>;9d^&{J-UGjw&I>R8@q#yZLe%Ne{oAQzQ;G63g|L)4e0NDYiYz~)@h%3
z^O*%(SC?n-;(UnEJUiYDfG=(AlN{#j*^@zBO@8SDbdh2}OG~RW&u7=dY+brsP8rzJ
zMqP9$!IfGj?bcUUSBv2N*F^NFvT)_IPIRBr1bkA7;sC4SFIm|V5KbBoSw^Wf^1lYf
zmj3#fx<JB(3PRY=Qw;!n%T$bX=-j`%YHEV_!rLVk{-#F@4y<+PZe==EwqjTS_H^A<
zj=ekOz0|puG^P#f8Vej62gB?E@1hE=-Xg$#hsV-eONpH(ulh!Gn}WBOCl&CaEIGn1
zz_`Sk^s|}Jcs3=ut_KNL$4Zgzhh<Go?nOjidLv)rEGC6;k6Jb`s)YyWf*yuw|6E-5
z>~kv`v;5a)NYnRTR%V68KcB__ZMfgS1a##!`1h@iW}mi34if?{%9}E4BCnTImK7Gb
zYMpcOI$63v1(>T<2LyvK-YYmi{FRuu)AZ=c1wwM?*f_tz3W^?p^*$G*&n8-@EesdN
zsd;6JLKok6H@bM)Zj}Zw$5C^Pk=#t=J`7=E9YjU~z`}V6p7?UPXPdzQ{YRZ6WvaBW
zQ2OLdPSb5Jf*M^p$R%Frwn_Llm475j7yx;?v-9u8iV7_%X5LPSY=+|~xQer=NAmLW
zoCbUdH1XDRWDfj&1DyO9#;!id)@@<N-V`)Qq1OnxRct*^{&;-Ec202W+{KHPc+9Z^
zG#y&Y-Ce7FV?xKVTLAYCfMeO+1Fod8tM^l4*Z-O1C62u1Bwrj<H26GS-fy^*y1cw>
zmwe_G3pP<qr%*e&`@7hDV6p-L5s5N7Jul{;ev64YZgTw95(U|!<0R8QSTP&`FvS|6
zJs%aUZ(?FHEBY`2**7>?=^=Y_>dgGCB#sGS1GenbL`in;?(VhEiY^I*xx~eQ!QMu`
z19u9jm#D79lLoabni_3EOCxf~!rt5_!5rexMoH);3)d4ni|~$ZZNZ##*BvB4)zR+E
z_-}194T1n%pPuL_Of6X4x#b~s>}d%YbV{A_h-!R|yuWb_V3EE~U)D}ts+e)Gn5i)p
z54!_Z*}3&$NXO}pC1i<D#_8j9M`-BQlh=*9zo@dR{g&Jk7<m#ZQ48(}5DWJ0#xmq4
zhK9Iiuk!`dO*foKpz}TzrVMQ$k(SWqiJFP(7nV9PuLL$z;?o>A0`#mY0G86N@YO5p
z6fU0n3x)J5#$dtZeM5Iguw>yn1&F<U+R)hO9$ZRB)X!gW6BM_vUhA9}8C4aKc=mG-
zfctzL)CKF|0b|v3q|g3MG`5p<7$=dUl?Z6v*f)hoK2F?wUBkn>q6y~vJBUsjq`#M?
z0LU=6Qjjr<hZLnUg}R9+{<&V?Nd4@pL>K`4x~yZ<MxXYVlzZ{C>&C#%+`?T$(5ET>
zTWVnXNdOc}FUT4A5tb(}wXWT%XxPuQMzLA<PBQ_tW2(WMfkQDHq0UYQwCA;f*&EJ5
zjXg8~#0VSOO7g(SZd)K^zQ)j8haq-E`6jULAwYzAmhRLoPfrP(g~+5mW;Ap@pLo0X
zP-Z{%F3Gtpecl<_ee=puy{W3y%|l7zh>rz-qWG*L0JaA(68UU(wY1<|P6xyYNFXTf
zmY>-}r{Xm>7Oe`c4HlU*-C$@wa5)I6e(?+n`pbn->kEAY{=N1wR*MX1l*^*B_?jsI
zu}s;G{30J-UOR0B-A`-fLO<Ix1r`8)JxSCqwVB+*ec`O179jf#TWbFtzY~kk6*$S{
zgOh8(T@w@hud9sas|;8f0iI)IRX?`hG?d(V_n5mfiw%a?I?*>B83{M{uS!t@z<1%+
zoS+UjJNwwBDGHX06t)JlJmfHtH9eT(`-OD+ZgYbR(3ZEGd}`S4TOZ}dk^vo5#Y4XA
zf;)*s5+bbs@b3kbZw6MJ$&+kL=!~}BuJ5k~(xXwa2ljEH0H8Ue_9F<jQq2u?XwSTP
zbFnIM5oYL#=I&P4I@1X2E&ivl%`cfGB$(jKC;K~rmoXDa-S>5WXN~J@=g9~ddP==L
zYB%olpu7-e+5S4gYXD&7NBSB`_cIj;4p^Cz5*Y!5S}*le{+d((yp~lka2t;D^Nr$M
zqG)@C5Kdv3lB5m+;AwY71sf^JA!vF;6NCo2SkFK_rl#{RS7_wj5aeAuw791ygdawj
zu;f8moYM9!WkolHnwgK)MYz?W#jgeomhau7YX170iSH=|0QR<yr2~3iJIeNme0Pu9
z7wLxp2tVjfxjArrdre`D0iExDHku4)7p?H~WpFOimcMfYDumYdjl1t7C+sIW^wL6-
zkAO_;ahM{i;A$I#yEPg233iY~qhtm&DPG3mTt<%Z=Vg>=1botq3R<$8LhUdONl1uk
zx-4RIeLb=vXM+Sno~9c)0pi|irFRAzZ<mU`knO)eSF^(fr?|r*B@AwCJ-xq9mYk`(
z^|{ujEbyq+lHHpVu9lwkQTpI-z<>Hx-rY~A?;J=3KudRYYb6(>Zu2y+hXu6{P6+%n
z<pO<yPG>2_)hAO7JHwVg`5B?wRCm&xuygcSnJqp!SF*~B%TM#{?EXdCIx>z69)lhn
zF{D7#$iQDvU0tiEpZ*R_UK(a|Q^+}YpQ`zVX)uWfG}G56tI^P5PeC05rbi+HNtI3D
zQGbdTSxxe+MN`aJG~xQcCsWpdLio{iUgbTRoOrQ<Ui?kLgaQVw`5KtJ!0e`)|Em#I
z>x-&7ZJ2S}JLDOSo#<+>L@|<|m`7@dd39@sF_5uiJZA^k)$+do8)x<vN|sd=S<*mR
z|B-IR(eV$}k!SpL_?RUdd;9|A>;7l<dePXbE;yV{9z&lOvwRDO<%P74M$0J3c*OHK
z4GOlz|C;uu0{xl{nW9fV0vy<p(|)Ezs(5{z0onB4An~-2{XMvCg8LDW5cbLc4*ypU
z{|6)J$5HUI4{5z!_?2u`5`Nky|EZDt3rPzC>IC34ke7Qq+AbZ<w0%owPWGtBRBna@
z$HhxBKTzg;DRtq_L=@$kkXrJ>gxq1GcH^Eo+b2pU?9ZgM6n#=&=B;t7_qV)5>WT7^
zR}pHlyjF#s%DxHb-&*}f(Sct^5VgxP$;9*THxuR_?fRI6BYRI@^3GXp)54${$(%cY
zT9R2AOgvn&FgG@sLuvErf)lUn<_*(*M`dsh0G(@`?ptlWiJvmk8hB=@D)N9C`$+z;
zlgT>*Q#1W3F%I9qPrUT6Yqertyl#z%JC-sab(aeP?B5mVStmEHXwvn+!R0VZ(4nsy
z7JJ+#f2mr?eTUg4PA#Ese0vS}Rn-085RZUk^#j(MLKDn2YH)W!f73{o7+@<6DJ8OA
zkA$8j>{fERDbB3#dKUDxr{;AYDaM(Y6!`H8`Qw94kB8N^|K?eY`W6z8{MTzEj27-J
zGZ%E;tlx>^7R#us-?AY=NjV}43FJS;VChv6Y7w;s#gIOh4+<}W6UKlt09W`jErZOg
zu8J_AmA<5~3@2noK*{jcyEJ1c0s1&Z^x5=K5`P?KfRB)|#{vRGU;y}=17CkXkcF?C
zQ*L{;VjjJ|2GN!`rpH%7VPa3dGf<?h(j^l}f7O?<>|)slfY1no=MPAyzbPmIax(pS
zk@@*mDP}6(E7aA>Kgq00%g8SNC-YyM-#zaLSHMdHUOxwj%9a^RnbIBOe!J}?Sy_ws
zPq>j$4V3?3ggo&2d4yNrhScUq0+T<Ex{{~K4u`Y5P7$E+;S##KepzFbs=i|wKty*2
z?yby)@-|EqndhwPC&9lU?az53<2UffpPr!N4Sf)dX}VFLiQ%FE_R?kP$TC)DEPsXZ
z`0`#jkr^DT9bJ@9%aVYQ*<*531t0d8{@D+TyWXI7R0J<g#*yvua-h22>kdT0H?+07
z1oZ=L<6)K3-r1%3iDeWuP_Ylpx)yec`yN-$Ej@5TysO)F{k^h;`!&2C;9aSn+SjrU
zYovs0;`m-=RL{MaO=N|+(`ek~rC)J#0@>jHbOBFboYr~3-?0_Y_=c>6sMj|TtIZob
z5wZvCQ|FARd5^c!psE}`mEathmFTcSb(xl>Z&ygw5L21s^N^MGhIM`>VZiObKqGf+
zr&h?S4PdVmAN;i5^!WRR$Qp@8tg1n`dg66ZlefL>$3+ELJOnT0wH@x$;~e;@shTgG
z{G>FtI=k)W=k^i93|=a`SIuWCzgbi(CGtmJL9F&IZyoki*zEf(XHn^1%xGL0Ux3*0
z(kC7xrwb02II8|wWI87B0xIv-(YDIjYN@)IIC*C9yvlpGfV*KnXF`iU%Qkv*v5$;n
z_U=1e4nHGRvyavD!<!slftk)iwL$=G*B-Os`YCy;Xg*R8uXh5v(WduQ{-)d>tqu(k
zW<6OSP<0TlJoMSiYxfx)6^P%OWWB%bQaaSfxJ3)5hi|R;)UD8a50I@{?}UVrnbE#0
z{){fG^V`;;>OXB7iAMQbx$guVELD-yDJ?EM15%AUl3Gh#ep~{7ZdzTt!0~zJoO_S|
zW68j_IYV=^85oRsOpC~3uAbPs?zQubmI|mEnU`O6IasE_be!^zlP+dKM6@pcdL+9~
zd^`B}_arXo{$nI|#vHSzfI2J*$w};%g2G0B^i{f3%6+&kRrV>9f*Eu@qt!?KiI-dW
zQW}(;<T6|rLy`40n#p(J&q}bhl7)Zyb1`Nh9zm<`rf?{O+Q0WbXF=v|4H?K$b+>Xq
z!`rnj++y@mmoyz<X=5$9JmW;h=GLuHs#};lf#CyG9?&AkR}S+0ly<Ipt%)6j=*-lw
zC#LoWMVm|2X;cw=jAAwFV<@vg*Ue?4xtx0iOFzbCYG&@VpPyhpK?l|fa~t$AZ!_NR
z4oK<~D(MXeHuy4lfufyfzLJ$rQ3y%!s7HWG(74?BZkuLd5Mc;IVv>t_RYSIs7`yi1
zTKGvLy@4#>zvtg{iW=#cTh6c1z0nuI<sju_EWM0<49vQnx81zlEDZwgxqI8BweI@4
z7KbF?7<=#PZ2z42@}&?RC_7S0;yEl>$TP5NLsM?~DwWh9%%#ET!`C(;UUp<DEo1?O
z<m+#YY_ix1MFR1w<E@u!vPB|`joJv8tlk3qD+s`H=F&vbk93{dm{3KI2g@Q_44C>D
z#OH?){6r^cA87n5ggXn$VMhCGuyJ1daV-o}u|jrUG0ESWp$cr{ptB4&4?wEu3<i&>
z`~vCkSC~R{VM*-P)Ylhx^eer8uAB&l(>41xKli>!OTWuSp$Ye_B4RrUa%z7a0g`O}
z?q2=S&{O#v<2{-+x>!SGMHdT$<`Y$(ziR*3w-J<Ak5d8D*BK>yTc%xG-9IN*P}IjR
z!S$<<hM&WVB*nAA%^jtQHiVQOz$#9=Vt)>`P9Cl@Q-QBx!5L?yGzJ2m$n0!5!$>J4
z4A9&o=ibJ2--9cra+~r!U9a%bf*J7Y+?PZDv0LZai9&*3?W@|~`Au$CeEPutz3K~w
zp_z>i#7YgXDf%CG4fy5PZVpkokWp1B->oMec`20SF%21tRn7U(>sm=<!%N@h45-T(
zzP0@hhD&WSTQhQ<AKUbgq7h&X=Q+bwEOGk0`%rnxwj6-Od;d}T`+~?S|1^8<zBxrK
zM9yzYEo`}z=D)@B?`ceKvYpX~O1P`LVEtP?3}19eDiG1U@qLp0{(}TK^D|iS02!(X
z!1s{@NzY_)h-`ui=Ie)Yzuy~(pmljWwD~It@<SDd1S*bXp<9H^qo}ut-z%=X8@+><
z#y%uZ7_5$)>!znlI|NcH<i~f3Qz-hD#?hA~GEo>+BKjIJa{*RutJe6L?c2)Kw~x?)
zW6~Maw@ahz4?{me<wtC;FV-6TkJzyfuR%o4pI)J4r)E*%@8MFu;G&w3LrB(DFK};U
zk4FAH#1Zx*y&<&c@#5{$@Oz$cI}wI?13Yf6an@0IKA(_;RZ?nQvMg?n@zhRYC|Alh
zkeulS?zi%|DZn(FGfX2^kNrET=>5MO>W*PR)=R2+{gV1U_L2|NqDG|(*XJvoaAyU^
zCN^^6W@<#ryHp9cBDy(e7)hTdK^CiV*T9$j*Md2n2S42lT`zZIn5Ck9y$1H>g3+T&
z`?wr%JyHPJ9)IX764vA(mS$6&eE7xWRIa9#Dgy4Y!1NI&+2+%<4KS8%G8MA%tAb9V
z2M;pO%C<hr)x==;&7~STFqB!s(AKW!dnt}$C>KpW5Sa1Dv9F;PS<YA)|3D$PW>%1<
zoaBQKH=GNm&-{NJK07Cuj^RR(y0x`yVgR!MIez6R_0~e(TOZu}pI1v9-uEC>m1o1J
z|6a~W`43|#D<7^;0cX?4D}Bg&JQNo>qRGqUki7SRKy!9nk7wOsE0b_?8itEXSR)UY
zJzB?zU@kH&R1vZYhB3WCW5``wudetbCRZgbt;Y?zX_e=0q@Pz!VhfKck`CCL_<wXO
z@t;5CrbxVNG$>p6I`0ZutqzFtl(Y;(Kb_2qYf1~>*XS|I<<_Hd*7)*i7#8de^b)?!
zd*9F04jxT&eE5PWk8UZGHN-n84<x+b=h0%=hTD>kE;#l~X3nzU+0-Ug-q%ovm+7f}
zXW#E7!YpM4MW+~BSX_8eNj#=jZD8|PwQiLw(?HZ}0Y#_Vr$4V>wKwc8lg2f$iYvj*
z@cy_@2ja|qdJ-SZSA_^T?C2bQ$>f0iu+g2_m+E8v14VZt=1}bHd2$l}r@paynn^rX
zI#hCZpb1}*`T(yNYrB`p7N<ar=5g%iG0lx%(@6hY&vToLg7yXi%`d8BS~C1B1dn0J
z%1`&5Un#P83L~<r3DW_-a>5&v)qI{Z6+t!EZUvK?n9xVB0q=>T-i9s=CGT<L%+0&_
z<FUHTFxT@BdPY2g<})0UtB=9{gPI+xg1bnhu3o|&E(Gm$NU4Uz^Ofm9;*2QF@PQ(<
zP|$qs|I(0It)rGP^jAt+PhAY){|Ivr;t{nxOJ3Jj3>|;(uM7nA36+<evr{Mdq_rR`
ztu*zPs^ElOVA%kMlK&(X`1X6Wu7$j)2i2?Iv~e$K`L*h`Lx0T&+kf!*x+Ku7|EN}B
zQ*o0X?u2OPLk2(v{FAxnhj34Vf5QMZ=y!RCrz2(q?k|)T&Nc{E3>RhlMiEbt(K~~Q
z76x&0GIT)PDuv&3E5=TKb^D58<TvosY2w~}`@9^cA+c52+_ke(GPN#!7-oLFt}XH?
znf${3(Efv;q!1}`){K2^>zOaqxJ`w5xApvpnR~dwDI=L=&AL7eD?c6@%Gf}yRkT#C
zWr1%2*&tKl!6ZyBNCigGWoRKiYRWoBh7wK9U-zns=hUh{1bL4AZDx9*k?cA<HsFNx
z%cf?8HcV>0w9$;eoFBJkQy)XYL%ADS;C(B&DY0<@MZc$4UU9{}r}iqOax<|?tI#y%
zpKpot%K8kLIjQc-TplUNkZ3aOH6YfG^OT>zv2vm6sJo3f^Y<Sp23VAdEH9<MI%<XU
zfhVjT)04||9bvVy>cbdTa`DT;$b5`@V`IZnpz~8606W?5OG-RNWBJbx5ah{|!^%D5
znbq`#NtFZVU}=eaSn=$V6bS8N`B!`5ESA<$C(&b(|F!|N=%Dd@^NHr0Wka6i%G&dJ
zShdQ|-m-3ItT{?9w+`c{rj&WPOp&pUN4KFN#@^bJ(>&-sjcs1A`|r{j6W0z(zF!Vj
z;MQ_IR;NQtGo?W7{Mr-#*;oAVw5r!Rdv`RN=3q4tG4dgx?Ipjp%29wmuOtH-Cfm(C
z55q$2-_S4}!ZMg}FoDWpkDd-2_t(F{j$D_!X>0SZ^w$L&pa~aGyYoRFt42rL<2PwS
zW~iuabu7lY)t`T6hh-_1rIxt3^c<Ryv+|2)Z`}LB0;}eqn>l5xd5l3Z?Q)dRKiSZJ
z`qb*@liNGwlzPdjQZW1`l+e{13$Xj>k?6>DaPUJDkS^bL=Y&Zay7KBg3FWw&9AgO_
zJ$ClLo<sob*U=!V>2s>)$XI@Z@xIE=uf@^lPC}s%<60Vf5@e>>fVymKt;84^uYPN=
zjw<Wko1D|&@r|iyaag{Ku(oZwSINWWNsEp*Om_9Z+M1DYr~+Z_pC8@AWQ0`maAT;^
z@s1xY*0>@6Dm|=0Gp5SQ&WM+3lKa)U9@b<Y^0j(iyosrO5z>V`cfP`Bu;YNYDFyQT
zxv~Cm|FSA(Q2?k59%;;IB3BmO1R1<9FS`(YUXO(nRHJ-<^q++&B0RYli4D`RM7_*_
z<!39Bl29U-vs0zFR^~Qq{WGMD@O^txxd|*hWXXEqZEfa6;_tSRrW>3A|7@}JVNE4@
zh4yl{xWk$*9wK?Wg9jp^c^r8_z6;>&E#1HTMG)#fj$NGg?o{f^lQ}C89v;4BUc|wY
zOh(zRhTq=U=n7cL_}dHA=q|21wKIw<!j?gVt_|vIkmnhiT$Z&Tk&%(3g@tbF4>qsH
zz`FGD3PQqukQI~ouUM*Xpr(J_e?hEb!TR?d$jS*NCxN!9ojG0lR77m9QovT1kwj@m
z{KoEMZrA}>>trXDH)i0X>6N@1Nq|$7yuL@d?^yhyj7&w{GdLGl<ZadiH&$%vt&t;A
zr^lv0JtMR8D^%vkld6ao8}mR!-|Y}mZ}i5@7j7u4q>tZa2k}*Q<*HJ3KrQ}ikYWEu
zd=C@>i<@X!L6c<%Elc3Z=@vo3)*GT?MV(H*qxwB?354E`V861abyZD;wtgr}BPl6T
zaa{0+!F6&mrEJ{2uw!nswaLM3(Ev#4+B6aDIVhQgnI1z~avI%2`izphpqfhG;*$X5
z%a<eLMtVjc#?<EKW&&ZxqSj?X9dM~JBl*JY41av(-C6aa`HE2+b+-<@0s=H&Hm<hv
zF>pD0^ypG|+ut==CuL|ohBv&2_%c<YudANY*wR^(+0pbjN6PbFx;$*HXJp`%tGVuP
z4M2nQ=HKiCoHt?pg@2Q)cYf(|LcHu8sR0&(7s^}4PGz=ltFQYpHMjg{_c;8yMq$Li
z_L}|2ypKLl>gpjt<XL|Y@0#~PX);?%dapPDuwhNvR+WYX8)>F(NB@+UBpMBE#s`ZP
zy2C(Y*t(!ev7e4t#T=-~Ewe2a9hT*iavESsI?`eB8by`Z<>T`LuN7<ghlZ+Tg%bmA
z>N^bLk$@MmyZEYygMDE!a*Z#}d-9U}$S~|4m*f`Ymr?<ATpC01{)c>;5RtqOr0pd$
zkMEKqQ8Nz!V9xGiB~>3B;G*wXidUq;vNspcKE}zZyEqCLMNEYN^kPAQWu?TV8r*3M
zXkv?>e^V&3!L6B|&E1Q8ab=HaTFN%}WlIw;bMf#=uAF?0ENrBHG2g$P-?Z-bWlu8Q
zbQvN4d1AWol!<0tXG;|V)+C01e=l?@c>lHK*@k5oG$VEn4l(CXgX!^-K8etl?sa|Y
z&}w{e`}XaL_8}|F4eUv6)AxKvsG!W;bt?k2dgEb51%o`X8<$WwEU(`#r(A8AtiKnP
znD-H{@u15IwmR%9{p<J}`e&!56fzL<SvVX{qrgcyX;IA51py=9_MCGEZj2n2iM-k_
zfRUAxlT(V8fQuhe`q#NW`p&wxU`pgsi;ZY3l2=_xNolmhsX$JnZW7)w0Bao!%0)#Q
zHggN%O=m?S1hCg~7uZw1Uu*>9uRymt@6aecGXCc>yw#DzDL$MI=GvWMN7>xW?49b3
zQe(R$nA60xv8VJhY+(X#Qte2-ddO`_G?Cj6ts;!aC)M^KK{N8EMbSNm&3nOkOl*$G
zZ^*;urn^-6mHTPALu3xmF)4)}J<MuqA{~cU2j19vAr(`}-DUk$C5!V!E4avMdG0cw
zmcNfL?`S^uXKJ=<ZEJfs`sdq<p>c_DLRY8d90bvA9V=zpa{2zM+lvE}?sS<hn08us
zv&iDRbIE>FyeJtBy1%CCL9cGeTvI(`#j)!qfL|oREWrNO;ywO=a&jlX)U&!^^?5k7
z^gCRR*-z~uhLb0A0xD*54)u+U90Wc<1xZoBo>+0zep`#tkazp#?FlUL+%vrw7XVF>
zr|CLf&a@4`Og&t-+GVkEuPA?#t@oUim5bTa*RK%rrhb9m<7*vGHtz-1)Cng9vIYU5
zi<cSx{whr(WMI|S;+xiA9#Oq8r=a~YP3A{(7W2O33n{er8^u*yO4ov{;Qa>yo2S9l
z)3%VW^dgQ0@01kUYwD-fHR^jPVZqtJc<bG@qQb*-^~Bma%O~w`Rk{J^;-l790x!cs
z&)0@-sB*M)#XU;d9o>+SHf_B6>(~+GZM5g7R1?;df$GLCWY&f0#-qNeQa`w~;>X3W
z5h(>oZx&4Cn#Rq8H1u=G*L@xiIz{hy>3ZYk1ZFLtM5ann*=Ano5iXhhu+7yvrt>VB
z9s#!4UUVIGnqO^&_NtDz`}xxZF(Q@FZWx}o7#6=@lWT;7;qn#h`3n5ou+<`Hm1Yo#
z;DnIpg+PRd74O-Lo@;DfCqvnnYYqo0^lixP!uGG_lRICC$lI}5vIA=mPCm+vl}WB)
zqyQ10XKoNWDT25T1zmeEtaxGYBp-Hg2gA1}<8g6@Kj8f%TlI?gM(>ZSL<)*Yrg}yL
zHDRE7=OZoAn9}J2p3VL6W`8Z28lhLMsrvjODxJ}ro47Exgwla`qPnhm&W!n-8Y4z6
z%EX)hyI}QAvOU;Fgf!W*yewq(M8uaF`&b&bVX2G>-NV1#{!m{9w>!vpu)5oWLuyLh
z6Nrjm9wEypQ*L&uXKzq*j1(b@I*Sb#P$vPurFMV94MI%c@2%|bF>L~7`0S_0sd#ma
zaf$_Xxq*bl;nb-l8L5PF7ZE!t3nZYq8$ZdHLK9uCoS7!s<h{Mj<$${;fS}^#6M9wV
zb-gZdm+vt_-+l2*#g<3=V0{l2pu*W0>##X+8|Tw}I!F52*Vku_&yJ5k9?RL?J$a$^
zS5F7kmO$%*I9os=>}z^xGBhiHIPaHS>_5i7FM29fqJJal;NSp(Zwb7D5C$bBC9?r<
zmm)*EtJoce!-t1Ca*PBSjLjTOT&MiL&{T`#l9<&*;|ym-FMvfkNmpZiVOQV7?Qnsk
z9PZ(s#~5KcPmyy)Y@8+4cYIC13jS#+XfmkxAJRl6b#oUHhG0krK>fP53ht`y!~Xz=
C2^N_E

literal 0
HcmV?d00001

diff --git a/heph-pwa/icons/icon-maskable.png b/heph-pwa/icons/icon-maskable.png
new file mode 100644
index 0000000000000000000000000000000000000000..ec5c299a7b4fbad4195c5c974373c77837fa46d8
GIT binary patch
literal 4260
zcmeHLXIvB67N5k>7eQFoT`-`_lc=;uRR{@D1Xft2E-myTNQ;6LLkWn=f+FflP}Bs(
zfPfH@ra%OB6)X@4B?trv#SmIl5^BmD-@f<x{r2;7=EI#i=gztRbM7hkOs>mudqsJ5
zc>n+ukNtAg4FI6vBNUMRI;5)G)PRF@h@<^cK=So2p;i0=0Lnhcjvn?%xwFLD!re^{
z?mVr9Oj;a1Rvhg<(%TT@GE#Fn?%^Y2xq(Nyw{?P4Zkw7rg&uii<YY5qyA@pA5a_9B
zZgjeG^_|XZ<;%Aldfnu|kMu3Z+9*5~Obyg&AWo|w>)@T}CVEDt>9r3|HgEzt0ZnCE
zpF*$J^^9_?=x0eI<@(rBpsPOs4*=n^0A?QqklhOar7&Rk4FEW=0%W>C0c8gOI3o9r
z`OOI5JmG6NMA>p7e)=?xfVwCaakaLPlA|1ZB4lxDqkkv;?n%>+jySd(wD(*SYom5_
zT*Mw^#_6J90WR%_&Q2ka1xu+xkrUYtF7QStY!h+3!>wgnL|B<$YWKoR>BYp%b%_mG
z3150cDLK7E;MF(U+{BkAzHdTK2wEn@-dwdu50=d|nrWX|34&Yw^hHCO6eLnVIene%
zwd(JVmukD|ThlZ<bg(h`49Tjknom5_1C4@%XxRyb;#W1i^=S=WS_D^(3oA+FKOFVL
zL)*d{N8s&S&HkurN8ax`KuwwF!afwFw&U%1BQ<?X#*qpVF-8Yj0+MfcwTn@P0As|8
zHh<W@vC7bmmjhfFn_lC-_#*}oz+v8}wUU3{587*~p8u4gI+>SPv)Wx40<QHw;LZUQ
zBtyE9u`ON>vvBh+Ne=~y)B$JCyF&p#2qY5T|3_$j|4s)gP<#<+xM~+F9KdjQVEUCa
ziSZfhkzBb`;p+7QhAQ~Eqs5xgor35ntPDJ}SoI?$az8?eX8>ZpT+ftO$s`(Ep6Ymt
zF)dOkLpVBj?FID1GvZbUcHp3qI@1WUE^1E^&`=zjx~%(E%_k;1-|ootG<hOHnz&C>
zygD4?<DN{AqYp!SqdqS5XQyiIqd^0%U(;Sz2)qt7lvHR63+zIl@#UYismf@9!iqs+
z!b=gICrRR}o%%^o`G!qi)T8|j(#y9Ymt&(%9jKW*6JmIx1i>YW*HP8XAydngCz5Ma
zVgSUjT*5XiB3(TW_zo336XtSr`xv@G!HDf>{KvThN9r#KKtK9K{9-OO?H*s=dpHYD
z)<=QXIw?Z7Z;sW%LA(^{we;v2ZaT$lH&7GD<A}w=V-pSck9<5~uq@%FI#5e$oB-eP
zMg9eQ>#e%Y3%LxNNvQ$?m!uGJ(ed9*mCK6ov+M2z%RsUL3N~_ON%XOPLK4DNYbz;h
z#>H|K{SyC(xI)%gZf9RvYD{`laWlcjc}d8(=dhp;jbXcAZLr1tBIg)dXzEs84+Hzl
znPC2(Hd>N0?&o?+&L;wFch^i;?;GvZxD?T<nm>!ue0BE4TrMwNn5|kN<EX^0ki`%y
z`&6@Ad7~*SOVvZT{j>|;b1rVRuQ?Ou2HVfUb{|iV3YpB2^nYMAv&#cxss|nDrLPnv
zGwd9RK--<;T%`E|3ft{kW@Mcf#HrLyH6P<E=z38NQ8`1V)(5v{n38ZFM-m+OT5aNh
z0}$^-vJfx!7&0q#n6a(ht`Oo-SO1o#c)&hKGuh{hLv`%P<3_%;{KDdL`XDxgLu?iu
zUMp6lH23m*$cOMjoe|PW6P$B1g9rdLQGMzHd=!^9-P%01S?-%^&$TeUZ5KLotCK8V
zCMYg%5j7ZQ3Xn-R6f>qpyxJV|Y_=yFw=q~)O+!q+dfz=rU$wRXQFnwQb?Cc5#Jbvm
zUacpVw(;7GNsH=E9QDMFH$BF&@|J(Qi>gMprc&pz=bz;>bI2r9R7QEm=_-Dnq@wTU
zEp;;OkP#APW@LOu{Ab^1RZ+whv<1?iR@r6>#mvS?79?ZqRm`FQS4KKv4a+I81`|dN
zy)gK}oh<*gLXrz(ZgLM*tfvGiiT~;Y!m${x+N<vtpSAO0Zn8k32`XcCrnJ+6y6=A9
zk7FQ6RY*ymbP}PAf8N-R#Nzp>6Y~KVTQCrM{7|1aA?!|T?-Njr+MwZaO~Mx$ikDvV
z#?uea)0J)n99D*u+>=h~6d9&{=~ZGGUYPv{;4$zS(Qa*G7Jz^CSbbOxKa=eS%gie#
z-#v@w`d(iVa5?1lIIddQ4xnn`>HUPPi=>nXXfq$Yln*R(-ZC+gIWSzw&?V-s5WF*>
zm_#%6mFz7|Jz9vxK!r|@5*U%^4nZ-L3u)RhrzW<6;uyNWYXcr5x5NmY<8WQtRF%f?
z^oo|eGEfy4gu4`|!I^s6U$LEMKs$F7iW!8b#@KV^yqI;UiJ15F!hpj+LrUg*6xRwA
z;rnS*2h@jEPv6OwR{@GK3V}a_goMq#@6##@IJ^&1BDZT)kl$oi#?Pw`30k}2De8NG
z2C2W2;AobljG<dAzb3i28&YD?FtanfQ(CE2WGE#EbeHbMeZR;jyah$R<gb5l&q*!}
zsJpM8ABvWgf>KX542SO-6BkXvGRuwl>&;lM-E;l39@!s%22ArkTU<X0#}<31Cl1ig
zoq=LZPTs<uziY*Rd5J>@jo+e1k?Bx7B%am+H<wDImGQ3@RfGAckOaj3RhIw^1Pz7$
zt;3*!jFVbo?R@JJT&smGz%9&UvG{lIj7^NppYWb%uT5ad#d<U;gW33AkK<nS`Buq%
zLNryf!LT8|AMU-z8(V=WmPA?NZwsyUeCbQPtxF38ZVl)&6tLcnA}yVFr8V%C*Y{t6
zxL9Bbvj-iVz46qvmpCE`C{h6qR75P5GgOHIbTj6EDW1{Kt=|!arIAVEeUQI@f;|xN
z4DFA9!H9mNm3IOGc=XIovcVO`KV;c}rH2B`d~1;+X)h!_8c@&wsvaKZ_tuGBdFQh#
zz1#0l@{)e?&<N52=L21-HvzM)mW<}8D_+*Gs_EprA%;fe_9fjGbJ}K+7p|?eKDpc2
z%Fl~lJji5?4fZoVtMy;L^jFJ&{eIxj^-uL+S$g*=Qt)PFx+2GpG;+`yS^u4qy@E1e
zfD4~!!A@+H-kuPS_biVyuum>;4unax11%m+kKcMz$G|?YgiIQnj|p1>C0&SCW}F`C
zyzW0yMlCBQ1oW4IafZzU(@r48XaU!@wA?OStNrcW=UYmSk+xp+d|b*_?lxpaPyUVZ
zBZ(FYzuVS$e^~iwy%A;~k<8sA)U#}9;ca#ykS$i}dJcg1K=iU$^xHzyjezI$+GJ58
z^@BKzq5Hr966AW2wn3vHKE<=rm|G6cB`vVb3xe43k!J2ihHlDJtAaLJNKi0sA<z{M
zbqp=6xNa*8C@d`c_=B%6kNN4@0p3SfG9*ODlmkBJ|94;V!_ZB#Au5Z)t_(ARcDxvK
zZ3_Rj0IZr>c`CpU<`%{tpxDyBn^x16VZk8Z;PTyFa4QeIlpzz`;Yy=ssS_ai9_j4d
zrLUM#qTZc<VYY>*^P|UMrj7O6WD3xmg8wMDl2ETim@h+PBHi3WwF}ZV>FO&9lpGg-
zI4wQe5m(YO@2+aIr8z7tKFEK_^1v&2O)hpk=cP|&@3hNtR4Qde-ENA}r)5<|^Sn>@
zQ)wK|_@+1!8;Hd#6d75j%yD@c?76bQwRY>Gy?|d9DcXE3wk>$JIKMF|`KO1(*J+`f
xLT+w<Hu~{2MHTGWwnMjl>)igo+gCw*UV3nt$|gA#{Otf7vps&a_DImVe*t^nZqxt(

literal 0
HcmV?d00001

diff --git a/heph-pwa/icons/icon.svg b/heph-pwa/icons/icon.svg
new file mode 100644
index 0000000..a0beeed
--- /dev/null
+++ b/heph-pwa/icons/icon.svg
@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="512" height="512" viewBox="0 0 512 512">
+  <rect width="512" height="512" rx="112" fill="#15181d"/>
+  <!-- anvil: the forge of Hephaestus -->
+  <g fill="#6db3f2">
+    <!-- horn + body -->
+    <path d="M120 214 h300 a16 16 0 0 1 16 16 v8 a40 40 0 0 1 -40 40 h-70
+             l-14 40 h-92 l-14 -40 h-44 a48 48 0 0 1 -48 -48 v-8
+             a8 8 0 0 1 8 -8 z"/>
+    <!-- waist -->
+    <rect x="206" y="338" width="100" height="34" rx="6"/>
+    <!-- base -->
+    <rect x="150" y="372" width="212" height="40" rx="12"/>
+  </g>
+</svg>
diff --git a/heph-pwa/index.html b/heph-pwa/index.html
new file mode 100644
index 0000000..1943625
--- /dev/null
+++ b/heph-pwa/index.html
@@ -0,0 +1,24 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta
+      name="viewport"
+      content="width=device-width, initial-scale=1, viewport-fit=cover, maximum-scale=1"
+    />
+    <meta name="theme-color" content="#15181d" />
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+    <meta name="apple-mobile-web-app-title" content="heph" />
+    <title>heph</title>
+    <link rel="manifest" href="./manifest.webmanifest" />
+    <link rel="icon" href="./icons/icon.svg" type="image/svg+xml" />
+    <link rel="apple-touch-icon" href="./icons/icon-180.png" />
+    <link rel="stylesheet" href="./styles.css" />
+  </head>
+  <body>
+    <div id="app"></div>
+    <noscript>heph needs JavaScript enabled.</noscript>
+    <script type="module" src="./src/app.js"></script>
+  </body>
+</html>
diff --git a/heph-pwa/manifest.webmanifest b/heph-pwa/manifest.webmanifest
new file mode 100644
index 0000000..d5b14c8
--- /dev/null
+++ b/heph-pwa/manifest.webmanifest
@@ -0,0 +1,17 @@
+{
+  "name": "heph",
+  "short_name": "heph",
+  "description": "Capture and triage hephaestus tasks from your phone.",
+  "start_url": "./",
+  "scope": "./",
+  "display": "standalone",
+  "orientation": "portrait",
+  "background_color": "#15181d",
+  "theme_color": "#15181d",
+  "icons": [
+    { "src": "./icons/icon.svg", "sizes": "any", "type": "image/svg+xml", "purpose": "any" },
+    { "src": "./icons/icon-192.png", "sizes": "192x192", "type": "image/png", "purpose": "any" },
+    { "src": "./icons/icon-512.png", "sizes": "512x512", "type": "image/png", "purpose": "any" },
+    { "src": "./icons/icon-maskable.png", "sizes": "512x512", "type": "image/png", "purpose": "maskable" }
+  ]
+}
diff --git a/heph-pwa/src/app.js b/heph-pwa/src/app.js
new file mode 100644
index 0000000..6acc2a9
--- /dev/null
+++ b/heph-pwa/src/app.js
@@ -0,0 +1,800 @@
+// heph-pwa — a mobile-first browser mirror of heph-tui. Browse the built-in
+// views and projects, triage tasks, and (the primary use case) capture new
+// tasks fast with the same quick-add syntax as the TUI's `a` / Cmd-' popover.
+//
+// Online-only thin client: every action is an RPC to the configured hub (see
+// rpc.js). Context/KB is read-only here (no nvim editing surface).
+
+import { Client, loadSettings, saveSettings, RpcError } from "./rpc.js";
+import { parse as quickParse } from "./quickadd.js";
+import { today, parseDate, toEpochMs } from "./datespec.js";
+import {
+  ATTENTION_COLORS,
+  fmtRelative,
+  hasFlag,
+  isOverdue,
+  nextAttention,
+  projectColor,
+} from "./fmt.js";
+
+// The built-in views, in the TUI sidebar order (filter.rs BUILTIN_VIEWS).
+const VIEWS = [
+  { id: "tom", title: "Top of Mind" },
+  { id: "tasks", title: "Tasks" },
+  { id: "work", title: "Work Tasks" },
+  { id: "chores", title: "Chores" },
+  { id: "ondeck", title: "On Deck" },
+  { id: "inbox", title: "Inbox" },
+];
+
+const state = {
+  settings: loadSettings(),
+  client: null,
+  target: { type: "view", id: "tom", title: "Top of Mind" },
+  tasks: [],
+  projects: [],
+  expandedId: null,
+  loading: false,
+  error: null,
+  search: null, // null, or { query, results }
+  lastUndo: null, // { label, run }
+};
+
+state.client = new Client(state.settings);
+
+// --- tiny DOM helper --------------------------------------------------------
+
+/** h("div", {class:"x", onclick:fn}, child, child...) → HTMLElement. */
+function h(tag, props = {}, ...children) {
+  const el = document.createElement(tag);
+  for (const [k, v] of Object.entries(props || {})) {
+    if (v == null || v === false) continue;
+    if (k === "class") el.className = v;
+    else if (k === "html") el.innerHTML = v;
+    else if (k.startsWith("on") && typeof v === "function") {
+      el.addEventListener(k.slice(2).toLowerCase(), v);
+    } else el.setAttribute(k, v === true ? "" : String(v));
+  }
+  for (const c of children.flat()) {
+    if (c == null || c === false) continue;
+    el.append(c.nodeType ? c : document.createTextNode(String(c)));
+  }
+  return el;
+}
+
+const $ = (sel) => document.querySelector(sel);
+
+function toast(message, action) {
+  const root = $("#toast");
+  root.innerHTML = "";
+  const node = h(
+    "div",
+    { class: "toast-body" },
+    h("span", {}, message),
+    action &&
+      h(
+        "button",
+        {
+          class: "toast-action",
+          onclick: () => {
+            root.innerHTML = "";
+            action.run();
+          },
+        },
+        action.label,
+      ),
+  );
+  root.append(node);
+  if (!action) setTimeout(() => (root.innerHTML === "" ? null : (root.innerHTML = "")), 2600);
+}
+
+// --- data -------------------------------------------------------------------
+
+async function reload() {
+  if (!state.client.configured) {
+    state.error = "Set your hub URL in Settings to begin.";
+    render();
+    openSettings();
+    return;
+  }
+  state.loading = true;
+  state.error = null;
+  render();
+  try {
+    const [tasks, projects] = await Promise.all([
+      state.target.type === "view"
+        ? state.client.view(state.target.id)
+        : state.client.list({ scope: [state.target.id] }),
+      state.client.projects(),
+    ]);
+    state.tasks = tasks;
+    state.projects = projects;
+    state.error = null;
+  } catch (e) {
+    state.error = e instanceof RpcError ? e.message : String(e);
+  } finally {
+    state.loading = false;
+    render();
+  }
+}
+
+function projectTitle(id) {
+  if (!id) return null;
+  return state.projects.find((p) => p.id === id)?.title || id;
+}
+
+async function refreshProjects() {
+  try {
+    state.projects = await state.client.projects();
+  } catch {
+    /* keep stale list */
+  }
+}
+
+// --- rendering --------------------------------------------------------------
+
+function render() {
+  renderHeader();
+  renderMain();
+}
+
+function renderHeader() {
+  $("#view-title").textContent = state.search ? "Search" : state.target.title;
+}
+
+function attentionDot(att) {
+  return h("span", {
+    class: "flag",
+    style: hasFlag(att) ? `color:${ATTENTION_COLORS[att]}` : "color:transparent",
+  }, hasFlag(att) ? "⚑" : "·");
+}
+
+function dateChip(t) {
+  const now = Date.now();
+  if (isOverdue(t.late_on, now)) {
+    return h("span", { class: "chip overdue" }, `late ${fmtRelative(t.late_on, now)}`);
+  }
+  if (t.do_date != null) {
+    return h("span", { class: "chip" }, fmtRelative(t.do_date, now));
+  }
+  return null;
+}
+
+function taskRow(t) {
+  const expanded = state.expandedId === t.node_id;
+  const row = h(
+    "div",
+    { class: "row" + (expanded ? " expanded" : "") },
+    h(
+      "div",
+      {
+        class: "row-head",
+        onclick: () => {
+          state.expandedId = expanded ? null : t.node_id;
+          render();
+          if (!expanded) loadPreview(t);
+        },
+      },
+      attentionDot(t.attention),
+      h("span", { class: "bullet", style: `color:${projectColor(t.project_id)}` }, "●"),
+      h("span", { class: "title" }, t.title),
+      t.recurrence && h("span", { class: "recur" }, "↻"),
+      dateChip(t),
+    ),
+    expanded && taskDetail(t),
+  );
+  return row;
+}
+
+function taskDetail(t) {
+  const meta = [];
+  if (t.project_id) meta.push(["project", projectTitle(t.project_id)]);
+  if (t.recurrence) meta.push(["recurs", t.recurrence]);
+  if (t.do_date != null) meta.push(["do", fmtRelative(t.do_date)]);
+  if (t.late_on != null) meta.push(["late", fmtRelative(t.late_on)]);
+
+  return h(
+    "div",
+    { class: "detail" },
+    meta.length &&
+      h(
+        "div",
+        { class: "meta" },
+        meta.map(([k, v]) => h("div", { class: "meta-row" }, h("span", { class: "meta-k" }, k), h("span", {}, v))),
+      ),
+    h(
+      "div",
+      { class: "actions" },
+      actionBtn("✓ Done", () => triage(t, "done")),
+      actionBtn("⤓ Drop", () => triage(t, "dropped")),
+      t.recurrence && actionBtn("↻ Skip", () => doSkip(t)),
+      actionBtn("⚑ Attn", () => cycleAttention(t)),
+      actionBtn("📅 Date", () => openReschedule(t)),
+      actionBtn("📁 Move", () => openMove(t)),
+      actionBtn("🗑 Delete", () => doDelete(t), "danger"),
+    ),
+    h("pre", { class: "preview", id: `preview-${t.node_id}` }, "…"),
+  );
+}
+
+function actionBtn(label, onclick, extra = "") {
+  return h("button", { class: `act ${extra}`, onclick }, label);
+}
+
+async function loadPreview(t) {
+  const pre = $(`#preview-${t.node_id}`);
+  if (!pre) return;
+  try {
+    const ctxId = t.canonical_context_id || (await state.client.contextOf(t.node_id));
+    const [body, log] = await Promise.all([
+      ctxId ? state.client.nodeBody(ctxId) : Promise.resolve(""),
+      state.client.logTail(t.node_id, 5).catch(() => []),
+    ]);
+    const parts = [];
+    if (body.trim()) parts.push(body.trim());
+    if (log && log.length) parts.push("— log —\n" + log.join("\n"));
+    pre.textContent = parts.join("\n\n") || "(no context yet)";
+  } catch (e) {
+    pre.textContent = `(could not load context: ${e.message})`;
+  }
+}
+
+function renderMain() {
+  const main = $("#main");
+  main.innerHTML = "";
+
+  if (state.search) {
+    main.append(searchPane());
+    return;
+  }
+  if (state.error) {
+    main.append(h("div", { class: "notice error" }, state.error));
+  }
+  if (state.loading && state.tasks.length === 0) {
+    main.append(h("div", { class: "notice" }, "Loading…"));
+    return;
+  }
+  if (!state.loading && state.tasks.length === 0 && !state.error) {
+    main.append(h("div", { class: "notice" }, "Nothing here. Tap + to capture a task."));
+    return;
+  }
+  const list = h("div", { class: "list" }, state.tasks.map(taskRow));
+  main.append(list);
+}
+
+// --- drawer (views + projects) ---------------------------------------------
+
+function renderDrawer() {
+  const body = $("#drawer-body");
+  body.innerHTML = "";
+  body.append(h("div", { class: "drawer-section" }, "Views"));
+  for (const v of VIEWS) {
+    body.append(drawerItem(v.title, state.target.type === "view" && state.target.id === v.id, () => {
+      state.target = { type: "view", id: v.id, title: v.title };
+      closeDrawer();
+      reload();
+    }));
+  }
+  body.append(h("div", { class: "drawer-section" }, "Projects"));
+  if (state.projects.length === 0) {
+    body.append(h("div", { class: "drawer-empty" }, "(none yet)"));
+  }
+  for (const p of state.projects) {
+    body.append(drawerItem(p.title, state.target.type === "project" && state.target.id === p.id, () => {
+      state.target = { type: "project", id: p.id, title: p.title };
+      closeDrawer();
+      reload();
+    }, projectColor(p.id)));
+  }
+}
+
+function drawerItem(label, active, onclick, dot) {
+  return h(
+    "div",
+    { class: "drawer-item" + (active ? " active" : ""), onclick },
+    dot ? h("span", { class: "bullet", style: `color:${dot}` }, "●") : h("span", { class: "bullet" }, " "),
+    h("span", {}, label),
+  );
+}
+
+function openDrawer() {
+  renderDrawer();
+  $("#drawer").classList.add("open");
+  $("#backdrop").classList.add("show");
+}
+function closeDrawer() {
+  $("#drawer").classList.remove("open");
+  $("#backdrop").classList.remove("show");
+}
+
+// --- modal scaffolding ------------------------------------------------------
+
+function openModal(node) {
+  const root = $("#modal-root");
+  root.innerHTML = "";
+  root.append(h("div", { class: "modal-backdrop", onclick: closeModal }, h("div", { class: "modal", onclick: (e) => e.stopPropagation() }, node)));
+  root.classList.add("show");
+}
+function closeModal() {
+  $("#modal-root").classList.remove("show");
+  $("#modal-root").innerHTML = "";
+}
+function modalOpen() {
+  return $("#modal-root").classList.contains("show");
+}
+
+// --- quick-add (the primary use case) --------------------------------------
+
+function openQuickAdd() {
+  closeDrawer();
+  const input = h("input", {
+    class: "qa-input",
+    type: "text",
+    placeholder: "Buy milk tomorrow p2 #Work every week",
+    autocomplete: "off",
+    autocapitalize: "sentences",
+    enterkeyhint: "done",
+  });
+  const preview = h("div", { class: "qa-preview" });
+
+  const updatePreview = () => {
+    const parsed = quickParse(input.value, today(), state.projects);
+    preview.innerHTML = "";
+    if (!input.value.trim()) {
+      preview.append(h("span", { class: "qa-hint" }, "p1–p4 · #Project · today/+3d/fri · every week"));
+      return;
+    }
+    preview.append(h("span", { class: "qa-title" }, parsed.title || "(no title)"));
+    if (parsed.attention) {
+      preview.append(h("span", { class: "qa-tag", style: `color:${ATTENTION_COLORS[parsed.attention]}` }, "⚑ " + parsed.attention));
+    }
+    if (parsed.doDate != null) preview.append(h("span", { class: "qa-tag" }, "📅 " + fmtRelative(parsed.doDate)));
+    if (parsed.projectId) preview.append(h("span", { class: "qa-tag" }, "📁 " + projectTitle(parsed.projectId)));
+    if (parsed.recurrence) preview.append(h("span", { class: "qa-tag" }, "↻ " + parsed.recurrence));
+  };
+  input.addEventListener("input", updatePreview);
+  input.addEventListener("keydown", (e) => {
+    if (e.key === "Enter") {
+      e.preventDefault();
+      submitQuickAdd(input.value);
+    } else if (e.key === "Escape") {
+      closeModal();
+    }
+  });
+
+  const mic = voiceButton(input, updatePreview);
+
+  const node = h(
+    "div",
+    { class: "qa" },
+    h("div", { class: "qa-row" }, input, mic),
+    preview,
+    h(
+      "div",
+      { class: "qa-foot" },
+      state.target.type === "project"
+        ? h("span", { class: "qa-dest" }, "→ " + state.target.title)
+        : h("span", { class: "qa-dest" }, "→ Inbox (unless #Project given)"),
+      h("button", { class: "qa-add", onclick: () => submitQuickAdd(input.value) }, "Add"),
+    ),
+  );
+  openModal(node);
+  updatePreview();
+  setTimeout(() => input.focus(), 50);
+}
+
+async function submitQuickAdd(raw) {
+  const text = raw.trim();
+  if (!text) return;
+  const parsed = quickParse(text, today(), state.projects);
+  if (!parsed.title) {
+    toast("Needs a title.");
+    return;
+  }
+  const projectId =
+    parsed.projectId || (state.target.type === "project" ? state.target.id : null);
+  closeModal();
+  try {
+    await state.client.createTask({
+      title: parsed.title,
+      attention: parsed.attention,
+      doDate: parsed.doDate,
+      recurrence: parsed.recurrence,
+      projectId,
+    });
+    toast(`Added: ${parsed.title}`);
+    reload();
+  } catch (e) {
+    toast(`Add failed: ${e.message}`);
+  }
+}
+
+// --- voice input ------------------------------------------------------------
+
+// Web Speech API where available (desktop Chrome, Android). On iOS Safari the
+// API is absent, but the on-screen keyboard's dictation mic works in the text
+// field for free — so we simply omit the button there.
+function voiceButton(input, onUpdate) {
+  const SR = window.SpeechRecognition || window.webkitSpeechRecognition;
+  if (!SR) return null;
+  let rec = null;
+  const btn = h("button", { class: "qa-mic", title: "Dictate" }, "🎤");
+  btn.addEventListener("click", () => {
+    if (rec) {
+      rec.stop();
+      return;
+    }
+    rec = new SR();
+    rec.lang = navigator.language || "en-US";
+    rec.interimResults = true;
+    btn.classList.add("listening");
+    let base = input.value ? input.value + " " : "";
+    rec.onresult = (ev) => {
+      let text = "";
+      for (const r of ev.results) text += r[0].transcript;
+      input.value = base + text;
+      onUpdate();
+    };
+    rec.onend = () => {
+      rec = null;
+      btn.classList.remove("listening");
+      input.focus();
+    };
+    rec.onerror = () => toast("Voice input unavailable.");
+    rec.start();
+  });
+  return btn;
+}
+
+// --- reschedule -------------------------------------------------------------
+
+function openReschedule(t) {
+  const input = h("input", {
+    class: "qa-input",
+    type: "text",
+    placeholder: "today · tomorrow · +3d · fri · 2026-07-01 · (blank to clear)",
+    value: t.do_date != null ? fmtRelative(t.do_date) : "",
+    autocomplete: "off",
+    enterkeyhint: "done",
+  });
+  const apply = async () => {
+    const v = input.value.trim();
+    let doDate = null;
+    if (v) {
+      try {
+        doDate = toEpochMs(parseDate(v, today()));
+      } catch {
+        toast("Unrecognized date.");
+        return;
+      }
+    }
+    closeModal();
+    try {
+      await state.client.setSchedule(t.node_id, { doDate });
+      toast(doDate ? `Rescheduled: ${fmtRelative(doDate)}` : "Do-date cleared");
+      reload();
+    } catch (e) {
+      toast(`Failed: ${e.message}`);
+    }
+  };
+  input.addEventListener("keydown", (e) => {
+    if (e.key === "Enter") (e.preventDefault(), apply());
+    if (e.key === "Escape") closeModal();
+  });
+  openModal(
+    h(
+      "div",
+      { class: "qa" },
+      h("div", { class: "modal-title" }, "Reschedule"),
+      input,
+      h("div", { class: "qa-foot" }, h("button", { class: "qa-add", onclick: apply }, "Set")),
+    ),
+  );
+  setTimeout(() => input.focus(), 50);
+}
+
+// --- move / project picker --------------------------------------------------
+
+function openMove(t) {
+  const filter = h("input", { class: "qa-input", type: "text", placeholder: "Filter or new project…", autocomplete: "off" });
+  const list = h("div", { class: "picker-list" });
+
+  const renderOptions = () => {
+    const q = filter.value.trim().toLowerCase();
+    list.innerHTML = "";
+    list.append(pickerItem("(Unfile)", () => move(t, null)));
+    for (const p of state.projects) {
+      if (q && !p.title.toLowerCase().includes(q)) continue;
+      list.append(pickerItem(p.title, () => move(t, p.id), projectColor(p.id)));
+    }
+    const exact = state.projects.some((p) => p.title.toLowerCase() === q);
+    if (q && !exact) {
+      list.append(pickerItem(`+ New project "${filter.value.trim()}"`, () => createAndMove(t, filter.value.trim())));
+    }
+  };
+  filter.addEventListener("input", renderOptions);
+  filter.addEventListener("keydown", (e) => e.key === "Escape" && closeModal());
+
+  openModal(h("div", { class: "qa" }, h("div", { class: "modal-title" }, `Move "${t.title}"`), filter, list));
+  renderOptions();
+  setTimeout(() => filter.focus(), 50);
+}
+
+function pickerItem(label, onclick, dot) {
+  return h(
+    "div",
+    { class: "picker-item", onclick },
+    dot ? h("span", { class: "bullet", style: `color:${dot}` }, "●") : h("span", { class: "bullet" }, " "),
+    h("span", {}, label),
+  );
+}
+
+async function move(t, projectId) {
+  closeModal();
+  try {
+    await state.client.setProject(t.node_id, projectId);
+    toast(projectId ? `Moved to ${projectTitle(projectId)}` : "Unfiled");
+    reload();
+  } catch (e) {
+    toast(`Failed: ${e.message}`);
+  }
+}
+
+async function createAndMove(t, name) {
+  closeModal();
+  try {
+    const id = await state.client.createProject(name);
+    await refreshProjects();
+    await state.client.setProject(t.node_id, id);
+    toast(`Moved to ${name}`);
+    reload();
+  } catch (e) {
+    toast(`Failed: ${e.message}`);
+  }
+}
+
+// --- triage actions ---------------------------------------------------------
+
+async function triage(t, newState) {
+  state.expandedId = null;
+  try {
+    await state.client.setState(t.node_id, newState);
+    const verb = newState === "done" ? "Done" : "Dropped";
+    toast(`${verb}: ${t.title}`, {
+      label: "Undo",
+      run: async () => {
+        try {
+          await state.client.setState(t.node_id, "outstanding");
+          reload();
+        } catch (e) {
+          toast(`Undo failed: ${e.message}`);
+        }
+      },
+    });
+    reload();
+  } catch (e) {
+    toast(`Failed: ${e.message}`);
+  }
+}
+
+async function doSkip(t) {
+  try {
+    await state.client.skip(t.node_id);
+    toast(`Skipped: ${t.title}`);
+    reload();
+  } catch (e) {
+    toast(`Failed: ${e.message}`);
+  }
+}
+
+async function cycleAttention(t) {
+  const next = nextAttention(t.attention);
+  try {
+    await state.client.setAttention(t.node_id, next);
+    toast(`Attention: ${next}`);
+    reload();
+  } catch (e) {
+    toast(`Failed: ${e.message}`);
+  }
+}
+
+async function doDelete(t) {
+  if (!confirm(`Delete "${t.title}"? This removes it for good (use Drop to triage instead).`)) {
+    return;
+  }
+  state.expandedId = null;
+  try {
+    await state.client.tombstone(t.node_id);
+    toast(`Deleted: ${t.title}`);
+    reload();
+  } catch (e) {
+    toast(`Failed: ${e.message}`);
+  }
+}
+
+// --- search -----------------------------------------------------------------
+
+function openSearch() {
+  state.search = { query: "", results: [] };
+  render();
+  setTimeout(() => $("#search-input")?.focus(), 50);
+}
+
+function closeSearch() {
+  state.search = null;
+  render();
+}
+
+function searchPane() {
+  const input = h("input", {
+    id: "search-input",
+    class: "search-input",
+    type: "search",
+    placeholder: "Search tasks & docs…",
+    value: state.search.query,
+    autocomplete: "off",
+    enterkeyhint: "search",
+  });
+  let timer = null;
+  const run = async () => {
+    state.search.query = input.value;
+    const q = input.value.trim();
+    if (!q) {
+      state.search.results = [];
+      renderSearchResults();
+      return;
+    }
+    try {
+      state.search.results = await state.client.search(q);
+    } catch (e) {
+      state.search.results = [];
+      toast(e.message);
+    }
+    renderSearchResults();
+  };
+  input.addEventListener("input", () => {
+    clearTimeout(timer);
+    timer = setTimeout(run, 200);
+  });
+  input.addEventListener("keydown", (e) => e.key === "Escape" && closeSearch());
+
+  return h(
+    "div",
+    { class: "search-pane" },
+    h("div", { class: "search-bar" }, input, h("button", { class: "search-close", onclick: closeSearch }, "✕")),
+    h("div", { class: "search-results", id: "search-results" }),
+  );
+}
+
+function renderSearchResults() {
+  const root = $("#search-results");
+  if (!root) return;
+  root.innerHTML = "";
+  if (!state.search.results.length) {
+    root.append(h("div", { class: "notice" }, state.search.query ? "No matches." : "Type to search."));
+    return;
+  }
+  for (const hit of state.search.results) {
+    root.append(
+      h(
+        "div",
+        { class: "search-hit" },
+        h("span", { class: "hit-kind" }, `[${hit.kind}]`),
+        h("span", {}, hit.title),
+      ),
+    );
+  }
+}
+
+// --- settings ---------------------------------------------------------------
+
+function openSettings() {
+  const url = h("input", { class: "qa-input", type: "url", placeholder: "https://hub.example.com:8787", value: state.settings.baseUrl, autocomplete: "off", inputmode: "url" });
+  const tok = h("input", { class: "qa-input", type: "password", placeholder: "Bearer token (optional)", value: state.settings.token, autocomplete: "off" });
+  const test = h("div", { class: "settings-test" });
+
+  const save = async () => {
+    state.settings.baseUrl = url.value.trim();
+    state.settings.token = tok.value.trim();
+    saveSettings(state.settings);
+    state.client = new Client(state.settings);
+    closeModal();
+    reload();
+  };
+  const check = async () => {
+    test.textContent = "Checking…";
+    const probe = new Client({ baseUrl: url.value.trim(), token: tok.value.trim() });
+    try {
+      const v = await probe.call("version", {});
+      test.textContent = `✓ Connected (hephd ${v.version})`;
+      test.className = "settings-test ok";
+    } catch (e) {
+      test.textContent = `✗ ${e.message}`;
+      test.className = "settings-test bad";
+    }
+  };
+
+  openModal(
+    h(
+      "div",
+      { class: "qa" },
+      h("div", { class: "modal-title" }, "Settings"),
+      h("label", { class: "settings-label" }, "Hub URL"),
+      url,
+      h("label", { class: "settings-label" }, "Token"),
+      tok,
+      test,
+      h(
+        "div",
+        { class: "qa-foot settings-foot" },
+        h("button", { class: "act", onclick: check }, "Test"),
+        h("button", { class: "qa-add", onclick: save }, "Save"),
+      ),
+      h("div", { class: "settings-hint" }, "The hub is your server-mode hephd. Leave the token blank if the hub runs without OIDC."),
+    ),
+  );
+}
+
+// --- keyboard ---------------------------------------------------------------
+
+function onKeydown(e) {
+  const typing = ["INPUT", "TEXTAREA", "SELECT"].includes(document.activeElement?.tagName);
+  // Cmd/Ctrl + ' opens quick-add anywhere (mirrors the global popover).
+  if ((e.metaKey || e.ctrlKey) && e.key === "'") {
+    e.preventDefault();
+    openQuickAdd();
+    return;
+  }
+  if (typing || modalOpen()) {
+    if (e.key === "Escape" && modalOpen()) closeModal();
+    return;
+  }
+  if (e.key === "a") (e.preventDefault(), openQuickAdd());
+  else if (e.key === "/") (e.preventDefault(), openSearch());
+  else if (e.key === "r") reload();
+  else if (e.key === "Escape") state.search ? closeSearch() : closeDrawer();
+}
+
+// --- shell + init -----------------------------------------------------------
+
+function buildShell() {
+  const app = $("#app");
+  app.append(
+    h(
+      "header",
+      { class: "appbar" },
+      h("button", { class: "icon-btn", title: "Menu", onclick: openDrawer }, "☰"),
+      h("div", { id: "view-title", class: "appbar-title" }, state.target.title),
+      h("button", { class: "icon-btn", title: "Search", onclick: openSearch }, "🔍"),
+      h("button", { class: "icon-btn", title: "Settings", onclick: openSettings }, "⚙"),
+    ),
+    h("main", { id: "main" }),
+    h("button", { id: "fab", class: "fab", title: "Quick add (Cmd-’)", onclick: openQuickAdd }, "+"),
+    h("div", { id: "backdrop", class: "backdrop", onclick: closeDrawer }),
+    h(
+      "aside",
+      { id: "drawer", class: "drawer" },
+      h("div", { class: "drawer-head" }, "heph"),
+      h("div", { id: "drawer-body", class: "drawer-body" }),
+    ),
+    h("div", { id: "modal-root", class: "modal-root" }),
+    h("div", { id: "toast", class: "toast" }),
+  );
+}
+
+async function init() {
+  buildShell();
+  document.addEventListener("keydown", onKeydown);
+  render();
+  reload();
+
+  if ("serviceWorker" in navigator) {
+    try {
+      await navigator.serviceWorker.register("./sw.js");
+    } catch {
+      /* offline shell is best-effort */
+    }
+  }
+}
+
+init();
diff --git a/heph-pwa/src/fmt.js b/heph-pwa/src/fmt.js
new file mode 100644
index 0000000..a3b98ad
--- /dev/null
+++ b/heph-pwa/src/fmt.js
@@ -0,0 +1,71 @@
+// Display helpers — the PWA mirror of heph-tui's fmt.rs: relative date chips,
+// attention colors/flags, and a stable per-project bullet color.
+
+/** Attention color string → the CSS custom-property color used for flags/dots. */
+export const ATTENTION_COLORS = {
+  red: "var(--att-red)",
+  orange: "var(--att-orange)",
+  blue: "var(--att-blue)",
+  white: "var(--att-white)",
+};
+
+/** The cycle order used by the attention toggle (matches the TUI's `A` key). */
+export const ATTENTION_CYCLE = [null, "white", "orange", "red", "blue"];
+
+/** Next attention in the cycle: none → white → orange → red → blue → white. */
+export function nextAttention(att) {
+  const i = ATTENTION_CYCLE.indexOf(att ?? null);
+  // After blue (last), wrap to white (index 1), not back to none.
+  const next = i < 0 ? 1 : (i + 1) % ATTENTION_CYCLE.length;
+  return ATTENTION_CYCLE[next === 0 ? 1 : next] ?? "white";
+}
+
+/** Whether an attention band shows a flag glyph (red/orange/blue; not white). */
+export function hasFlag(att) {
+  return att === "red" || att === "orange" || att === "blue";
+}
+
+function startOfDay(ms) {
+  const d = new Date(ms);
+  return new Date(d.getFullYear(), d.getMonth(), d.getDate()).getTime();
+}
+
+/**
+ * Compact, relative date label for an epoch-ms date (heph-tui fmt.rs):
+ * today/tomorrow/yesterday, else MM-DD within the current year, else YYYY-MM-DD.
+ */
+export function fmtRelative(ms, nowMs = Date.now()) {
+  if (ms == null) return "";
+  const day = startOfDay(ms);
+  const today = startOfDay(nowMs);
+  const oneDay = 86_400_000;
+  if (day === today) return "today";
+  if (day === today + oneDay) return "tomorrow";
+  if (day === today - oneDay) return "yesterday";
+  const d = new Date(ms);
+  const mm = String(d.getMonth() + 1).padStart(2, "0");
+  const dd = String(d.getDate()).padStart(2, "0");
+  if (d.getFullYear() === new Date(nowMs).getFullYear()) return `${mm}-${dd}`;
+  return `${d.getFullYear()}-${mm}-${dd}`;
+}
+
+/** True when `lateOn` is strictly in the past — the sole urgency signal (§7). */
+export function isOverdue(lateOn, nowMs = Date.now()) {
+  return lateOn != null && nowMs > lateOn;
+}
+
+/** A stable hue (0–359) for a project id, so its bullet color is deterministic. */
+export function projectHue(id) {
+  if (!id) return null;
+  let h = 0;
+  for (let i = 0; i < id.length; i++) {
+    h = (h * 31 + id.charCodeAt(i)) >>> 0;
+  }
+  return h % 360;
+}
+
+/** CSS color for a project's bullet, or a neutral default when unfiled. */
+export function projectColor(id) {
+  const hue = projectHue(id);
+  return hue == null ? "var(--bullet-none)" : `hsl(${hue} 55% 62%)`;
+}
diff --git a/heph-pwa/src/rpc.js b/heph-pwa/src/rpc.js
new file mode 100644
index 0000000..cb8c6d9
--- /dev/null
+++ b/heph-pwa/src/rpc.js
@@ -0,0 +1,163 @@
+// hephd JSON-RPC-over-HTTP client for the PWA. The PWA is a thin, online-only
+// client (no local CRDT replica): every read and write is a POST to the hub's
+// `/rpc` endpoint, exactly mirroring heph-tui's socket Backend (backend.rs).
+//
+// Connection settings (hub base URL + optional bearer token) live in
+// localStorage so the install remembers them across launches.
+
+const SETTINGS_KEY = "heph-pwa:settings";
+
+export function loadSettings() {
+  try {
+    const s = JSON.parse(localStorage.getItem(SETTINGS_KEY) || "{}");
+    return { baseUrl: s.baseUrl || "", token: s.token || "" };
+  } catch {
+    return { baseUrl: "", token: "" };
+  }
+}
+
+export function saveSettings(settings) {
+  localStorage.setItem(
+    SETTINGS_KEY,
+    JSON.stringify({ baseUrl: settings.baseUrl || "", token: settings.token || "" }),
+  );
+}
+
+/** Thrown for transport/auth/method failures, carrying an HTTP-ish status. */
+export class RpcError extends Error {
+  constructor(message, status = 0) {
+    super(message);
+    this.name = "RpcError";
+    this.status = status;
+  }
+}
+
+export class Client {
+  constructor(settings) {
+    this.settings = settings;
+  }
+
+  get configured() {
+    return !!this.settings.baseUrl;
+  }
+
+  /** Low-level call: returns the `result` value, or throws RpcError. */
+  async call(method, params = {}) {
+    if (!this.configured) {
+      throw new RpcError("No hub configured — open Settings and set the hub URL.", 0);
+    }
+    const base = this.settings.baseUrl.replace(/\/+$/, "");
+    const headers = { "Content-Type": "application/json" };
+    if (this.settings.token) headers["Authorization"] = `Bearer ${this.settings.token}`;
+
+    let resp;
+    try {
+      resp = await fetch(`${base}/rpc`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ method, params }),
+      });
+    } catch (e) {
+      throw new RpcError(`Cannot reach hub at ${base} (${e.message}).`, 0);
+    }
+    if (resp.status === 401) throw new RpcError("Unauthorized — set or refresh your token.", 401);
+    if (resp.status === 403) throw new RpcError("Forbidden — this token does not own the hub.", 403);
+    if (!resp.ok) throw new RpcError(`Hub returned HTTP ${resp.status}.`, resp.status);
+
+    const body = await resp.json();
+    if (body.error) throw new RpcError(body.error.message || "RPC error", 200);
+    return body.result;
+  }
+
+  // --- Reads (mirror heph-tui's Backend) ---------------------------------
+
+  /** Built-in named view (tom|tasks|work|chores|ondeck|inbox) → RankedTask[]. */
+  view(name) {
+    return this.call("view", { name });
+  }
+
+  /** Raw filter listing → RankedTask[]. */
+  list(filter) {
+    return this.call("list", filter);
+  }
+
+  /** Projects, title-sorted → [{ id, title }]. */
+  async projects() {
+    const nodes = await this.call("node.list", { kind: "project" });
+    return nodes.map((n) => ({ id: n.id, title: n.title }));
+  }
+
+  async nodeBody(id) {
+    const node = await this.call("node.get", { id });
+    return node && node.body ? node.body : "";
+  }
+
+  logTail(taskId, n = 5) {
+    return this.call("log.tail", { task_id: taskId, n });
+  }
+
+  /** Full-text search → [{ id, title, kind }]. */
+  async search(query) {
+    const nodes = await this.call("search", { query });
+    return nodes.map((n) => ({ id: n.id, title: n.title, kind: n.kind }));
+  }
+
+  health() {
+    return this.call("health", {});
+  }
+
+  // --- Writes ------------------------------------------------------------
+
+  /** Create a task. attention/doDate/recurrence/projectId may be null. */
+  createTask({ title, attention = null, doDate = null, recurrence = null, projectId = null }) {
+    return this.call("task.create", {
+      title,
+      attention,
+      do_date: doDate,
+      recurrence,
+      project_id: projectId,
+    });
+  }
+
+  setState(id, state) {
+    return this.call("task.set_state", { id, state });
+  }
+
+  setAttention(id, attention) {
+    return this.call("task.set_attention", { id, attention });
+  }
+
+  /** Patch schedule scalars. Pass undefined to leave a field unchanged; pass
+   *  null to clear it; pass a value to set it (double-option semantics). */
+  setSchedule(id, patch) {
+    const params = { id };
+    if ("doDate" in patch) params.do_date = patch.doDate;
+    if ("lateOn" in patch) params.late_on = patch.lateOn;
+    if ("recurrence" in patch) params.recurrence = patch.recurrence;
+    return this.call("task.set_schedule", params);
+  }
+
+  setProject(id, projectId) {
+    return this.call("task.set_project", { id, project_id: projectId });
+  }
+
+  skip(id) {
+    return this.call("task.skip", { id });
+  }
+
+  tombstone(id) {
+    return this.call("node.tombstone", { id });
+  }
+
+  async createProject(title) {
+    const node = await this.call("node.create", { kind: "project", title });
+    return node.id;
+  }
+
+  /** The canonical context doc id for a task, if any (links.outgoing). */
+  async contextOf(taskId) {
+    const links = await this.call("links.outgoing", { id: taskId });
+    const ctx = links.find((l) => l.link_type === "canonical-context");
+    return ctx ? ctx.dst_id : null;
+  }
+}
diff --git a/heph-pwa/styles.css b/heph-pwa/styles.css
new file mode 100644
index 0000000..ed64983
--- /dev/null
+++ b/heph-pwa/styles.css
@@ -0,0 +1,504 @@
+/* heph-pwa — a dark, terminal-flavored mirror of heph-tui, tuned for touch. */
+
+:root {
+  --bg: #15181d;
+  --bg-elev: #1c2027;
+  --bg-row: #1a1e24;
+  --border: #2a2f38;
+  --fg: #e6e9ef;
+  --fg-dim: #8b94a3;
+  --accent: #6db3f2;
+  --att-red: #ff6b6b;
+  --att-orange: #ffb454;
+  --att-blue: #6db3f2;
+  --att-white: #e6e9ef;
+  --bullet-none: #5a6373;
+  --danger: #ff6b6b;
+  --safe-top: env(safe-area-inset-top, 0px);
+  --safe-bottom: env(safe-area-inset-bottom, 0px);
+}
+
+* {
+  box-sizing: border-box;
+  -webkit-tap-highlight-color: transparent;
+}
+
+html,
+body {
+  margin: 0;
+  height: 100%;
+  background: var(--bg);
+  color: var(--fg);
+  font: 16px/1.4 -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;
+  overscroll-behavior-y: none;
+}
+
+#app {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+}
+
+/* --- App bar --- */
+.appbar {
+  display: flex;
+  align-items: center;
+  gap: 4px;
+  padding: calc(var(--safe-top) + 6px) 8px 6px;
+  background: var(--bg-elev);
+  border-bottom: 1px solid var(--border);
+  position: sticky;
+  top: 0;
+  z-index: 5;
+}
+.appbar-title {
+  flex: 1;
+  font-weight: 600;
+  font-size: 18px;
+  padding-left: 4px;
+}
+.icon-btn {
+  background: none;
+  border: 0;
+  color: var(--fg);
+  font-size: 20px;
+  width: 40px;
+  height: 40px;
+  border-radius: 8px;
+}
+.icon-btn:active {
+  background: var(--bg-row);
+}
+
+/* --- Main / list --- */
+#main {
+  flex: 1;
+  overflow-y: auto;
+  -webkit-overflow-scrolling: touch;
+  padding-bottom: calc(var(--safe-bottom) + 96px);
+}
+.notice {
+  padding: 32px 20px;
+  text-align: center;
+  color: var(--fg-dim);
+}
+.notice.error {
+  color: var(--att-orange);
+}
+
+.list {
+  display: flex;
+  flex-direction: column;
+}
+.row {
+  border-bottom: 1px solid var(--border);
+}
+.row-head {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 12px 14px;
+  min-height: 28px;
+}
+.row.expanded {
+  background: var(--bg-row);
+}
+.flag {
+  width: 14px;
+  text-align: center;
+  flex: 0 0 auto;
+}
+.bullet {
+  flex: 0 0 auto;
+  font-size: 12px;
+}
+.title {
+  flex: 1;
+  min-width: 0;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+.row.expanded .title {
+  white-space: normal;
+}
+.recur {
+  color: #c678dd;
+  flex: 0 0 auto;
+}
+.chip {
+  flex: 0 0 auto;
+  font-size: 13px;
+  color: var(--fg-dim);
+  font-variant-numeric: tabular-nums;
+}
+.chip.overdue {
+  color: var(--att-red);
+  font-weight: 700;
+}
+
+/* --- Task detail --- */
+.detail {
+  padding: 4px 14px 14px 36px;
+}
+.meta {
+  margin-bottom: 10px;
+  font-size: 13px;
+  color: var(--fg-dim);
+}
+.meta-row {
+  display: flex;
+  gap: 8px;
+}
+.meta-k {
+  width: 64px;
+  flex: 0 0 auto;
+}
+.actions {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 6px;
+}
+.act {
+  background: var(--bg-elev);
+  border: 1px solid var(--border);
+  color: var(--fg);
+  border-radius: 8px;
+  padding: 8px 10px;
+  font-size: 14px;
+}
+.act:active {
+  background: var(--border);
+}
+.act.danger {
+  color: var(--danger);
+  border-color: #4a2a2a;
+}
+.preview {
+  margin: 12px 0 0;
+  padding: 10px;
+  background: #0f1216;
+  border: 1px solid var(--border);
+  border-radius: 8px;
+  font: 13px/1.45 ui-monospace, SFMono-Regular, Menlo, monospace;
+  color: var(--fg-dim);
+  white-space: pre-wrap;
+  word-break: break-word;
+  max-height: 240px;
+  overflow-y: auto;
+}
+
+/* --- FAB --- */
+.fab {
+  position: fixed;
+  right: 18px;
+  bottom: calc(var(--safe-bottom) + 18px);
+  width: 60px;
+  height: 60px;
+  border-radius: 30px;
+  border: 0;
+  background: var(--accent);
+  color: #0c1014;
+  font-size: 34px;
+  line-height: 1;
+  box-shadow: 0 6px 18px rgba(0, 0, 0, 0.45);
+  z-index: 6;
+}
+.fab:active {
+  transform: scale(0.95);
+}
+
+/* --- Drawer --- */
+.backdrop {
+  position: fixed;
+  inset: 0;
+  background: rgba(0, 0, 0, 0.5);
+  opacity: 0;
+  pointer-events: none;
+  transition: opacity 0.18s;
+  z-index: 9;
+}
+.backdrop.show {
+  opacity: 1;
+  pointer-events: auto;
+}
+.drawer {
+  position: fixed;
+  top: 0;
+  left: 0;
+  bottom: 0;
+  width: 78%;
+  max-width: 320px;
+  background: var(--bg-elev);
+  border-right: 1px solid var(--border);
+  transform: translateX(-100%);
+  transition: transform 0.2s ease;
+  z-index: 10;
+  display: flex;
+  flex-direction: column;
+}
+.drawer.open {
+  transform: translateX(0);
+}
+.drawer-head {
+  padding: calc(var(--safe-top) + 16px) 16px 12px;
+  font-weight: 700;
+  font-size: 20px;
+  border-bottom: 1px solid var(--border);
+}
+.drawer-body {
+  overflow-y: auto;
+  padding-bottom: var(--safe-bottom);
+}
+.drawer-section {
+  padding: 14px 16px 6px;
+  font-size: 12px;
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+  color: var(--fg-dim);
+}
+.drawer-empty {
+  padding: 4px 16px 8px;
+  color: var(--fg-dim);
+  font-size: 14px;
+}
+.drawer-item {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 12px 16px;
+}
+.drawer-item.active {
+  background: var(--bg-row);
+  box-shadow: inset 3px 0 0 var(--accent);
+}
+.drawer-item:active {
+  background: var(--border);
+}
+
+/* --- Modals --- */
+.modal-root {
+  position: fixed;
+  inset: 0;
+  z-index: 20;
+  display: none;
+}
+.modal-root.show {
+  display: block;
+}
+.modal-backdrop {
+  position: absolute;
+  inset: 0;
+  background: rgba(0, 0, 0, 0.55);
+  display: flex;
+  align-items: flex-start;
+  justify-content: center;
+  padding: calc(var(--safe-top) + 12vh) 12px 12px;
+}
+.modal {
+  width: 100%;
+  max-width: 560px;
+  background: var(--bg-elev);
+  border: 1px solid var(--border);
+  border-radius: 14px;
+  padding: 14px;
+  box-shadow: 0 10px 40px rgba(0, 0, 0, 0.5);
+}
+.modal-title {
+  font-weight: 600;
+  margin-bottom: 10px;
+}
+
+.qa {
+  display: flex;
+  flex-direction: column;
+  gap: 10px;
+}
+.qa-row {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+}
+.qa-input,
+.search-input {
+  flex: 1;
+  width: 100%;
+  background: #0f1216;
+  border: 1px solid var(--border);
+  color: var(--fg);
+  border-radius: 10px;
+  padding: 13px 12px;
+  font-size: 17px; /* ≥16px so iOS doesn't zoom on focus */
+}
+.qa-input:focus,
+.search-input:focus {
+  outline: none;
+  border-color: var(--accent);
+}
+.qa-mic {
+  flex: 0 0 auto;
+  width: 46px;
+  height: 46px;
+  border-radius: 10px;
+  border: 1px solid var(--border);
+  background: var(--bg-row);
+  font-size: 20px;
+}
+.qa-mic.listening {
+  border-color: var(--att-red);
+  animation: pulse 1s infinite;
+}
+@keyframes pulse {
+  50% {
+    background: #3a2326;
+  }
+}
+.qa-preview {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 6px;
+  align-items: center;
+  min-height: 22px;
+}
+.qa-hint {
+  color: var(--fg-dim);
+  font-size: 13px;
+}
+.qa-title {
+  font-weight: 600;
+}
+.qa-tag {
+  font-size: 13px;
+  color: var(--fg-dim);
+  background: var(--bg-row);
+  border: 1px solid var(--border);
+  border-radius: 6px;
+  padding: 2px 6px;
+}
+.qa-foot {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 10px;
+}
+.qa-dest {
+  color: var(--fg-dim);
+  font-size: 13px;
+}
+.qa-add {
+  background: var(--accent);
+  color: #0c1014;
+  border: 0;
+  border-radius: 10px;
+  padding: 11px 22px;
+  font-size: 16px;
+  font-weight: 600;
+}
+
+.picker-list {
+  max-height: 50vh;
+  overflow-y: auto;
+  display: flex;
+  flex-direction: column;
+}
+.picker-item {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 12px 6px;
+  border-bottom: 1px solid var(--border);
+}
+.picker-item:active {
+  background: var(--bg-row);
+}
+
+.settings-label {
+  font-size: 13px;
+  color: var(--fg-dim);
+  margin-bottom: -4px;
+}
+.settings-foot {
+  justify-content: flex-end;
+}
+.settings-test {
+  font-size: 13px;
+  min-height: 18px;
+  color: var(--fg-dim);
+}
+.settings-test.ok {
+  color: #7ec77e;
+}
+.settings-test.bad {
+  color: var(--att-red);
+}
+.settings-hint {
+  font-size: 12px;
+  color: var(--fg-dim);
+}
+
+/* --- Search --- */
+.search-pane {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+}
+.search-bar {
+  display: flex;
+  gap: 8px;
+  padding: 10px 12px;
+  border-bottom: 1px solid var(--border);
+}
+.search-close {
+  background: var(--bg-row);
+  border: 1px solid var(--border);
+  color: var(--fg);
+  border-radius: 10px;
+  width: 46px;
+  font-size: 18px;
+}
+.search-results {
+  overflow-y: auto;
+}
+.search-hit {
+  display: flex;
+  gap: 10px;
+  padding: 12px 14px;
+  border-bottom: 1px solid var(--border);
+}
+.hit-kind {
+  color: var(--fg-dim);
+  font: 13px ui-monospace, monospace;
+  flex: 0 0 auto;
+}
+
+/* --- Toast --- */
+.toast {
+  position: fixed;
+  left: 0;
+  right: 0;
+  bottom: calc(var(--safe-bottom) + 90px);
+  display: flex;
+  justify-content: center;
+  z-index: 30;
+  pointer-events: none;
+  padding: 0 12px;
+}
+.toast-body {
+  pointer-events: auto;
+  background: #2a2f38;
+  color: var(--fg);
+  border-radius: 10px;
+  padding: 11px 14px;
+  display: flex;
+  align-items: center;
+  gap: 14px;
+  box-shadow: 0 6px 20px rgba(0, 0, 0, 0.5);
+  max-width: 560px;
+}
+.toast-action {
+  background: none;
+  border: 0;
+  color: var(--accent);
+  font-weight: 700;
+  font-size: 15px;
+}
diff --git a/heph-pwa/sw.js b/heph-pwa/sw.js
new file mode 100644
index 0000000..fef89ff
--- /dev/null
+++ b/heph-pwa/sw.js
@@ -0,0 +1,53 @@
+// Service worker: cache the app shell so heph launches offline. Data is never
+// cached — every /rpc call must hit the live hub (and POSTs aren't cacheable
+// anyway). Bump CACHE when shell assets change to evict the old set.
+const CACHE = "heph-pwa-v1";
+const SHELL = [
+  "./",
+  "./index.html",
+  "./styles.css",
+  "./manifest.webmanifest",
+  "./src/app.js",
+  "./src/rpc.js",
+  "./src/quickadd.js",
+  "./src/datespec.js",
+  "./src/fmt.js",
+  "./icons/icon.svg",
+];
+
+self.addEventListener("install", (e) => {
+  e.waitUntil(caches.open(CACHE).then((c) => c.addAll(SHELL)).then(() => self.skipWaiting()));
+});
+
+self.addEventListener("activate", (e) => {
+  e.waitUntil(
+    caches
+      .keys()
+      .then((keys) => Promise.all(keys.filter((k) => k !== CACHE).map((k) => caches.delete(k))))
+      .then(() => self.clients.claim()),
+  );
+});
+
+self.addEventListener("fetch", (e) => {
+  const req = e.request;
+  // Only cache same-origin GETs (the shell). Everything else (RPC, cross-origin)
+  // goes straight to the network.
+  if (req.method !== "GET" || new URL(req.url).origin !== self.location.origin) {
+    return;
+  }
+  e.respondWith(
+    caches.match(req).then(
+      (hit) =>
+        hit ||
+        fetch(req)
+          .then((resp) => {
+            if (resp.ok) {
+              const copy = resp.clone();
+              caches.open(CACHE).then((c) => c.put(req, copy));
+            }
+            return resp;
+          })
+          .catch(() => caches.match("./index.html")),
+    ),
+  );
+});

From b24a148add7b6137a1da3bd245178e40e7a7b18e Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 4 Jun 2026 16:59:38 -0700
Subject: [PATCH 4/7] doc(heph-pwa): how-to card, index entry, changelog
 fragment

Document serving the app from the hub (--web-root), connecting (hub URL +
optional token), quick-add syntax, voice, triage, and the deliberate
design choices (PWA over native iOS; online-only; token paste vs device flow)
with their known limitations to revisit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .../feature-heph-pwa-mobile.feature.md        |   1 +
 docs/how-to/heph-pwa.md                       | 118 ++++++++++++++++++
 docs/how-to/how-to.md                         |   1 +
 3 files changed, 120 insertions(+)
 create mode 100644 docs/changelog.d/feature-heph-pwa-mobile.feature.md
 create mode 100644 docs/how-to/heph-pwa.md

diff --git a/docs/changelog.d/feature-heph-pwa-mobile.feature.md b/docs/changelog.d/feature-heph-pwa-mobile.feature.md
new file mode 100644
index 0000000..3dffb02
--- /dev/null
+++ b/docs/changelog.d/feature-heph-pwa-mobile.feature.md
@@ -0,0 +1 @@
+New **heph-pwa** mobile app: an installable, phone-first PWA that mirrors heph-tui — browse the built-in views and projects, triage tasks, and capture new tasks fast with the same quick-add syntax (`p1-4`, `#Project`, `today/+3d/fri`, `every …`) and live preview. Voice capture via on-device dictation. The hub (`hephd --mode server`) gains CORS and an optional `--web-root` so it can serve the app same-origin straight from the daemon.
diff --git a/docs/how-to/heph-pwa.md b/docs/how-to/heph-pwa.md
new file mode 100644
index 0000000..dbc19ef
--- /dev/null
+++ b/docs/how-to/heph-pwa.md
@@ -0,0 +1,118 @@
+---
+title: heph-pwa (mobile app)
+modified: 2026-06-04
+tags:
+  - how-to
+---
+
+# heph-pwa — the mobile app
+
+`heph-pwa` is a phone-first, installable web app that mirrors [[v1-prototype-tech-spec|heph-tui]]:
+browse the built-in views and projects, triage tasks, and — the primary use
+case — **capture tasks fast** with the same quick-add syntax as the TUI's `a` /
+Cmd-' popover. Context/KB is **read-only** here (no Neovim editing surface).
+
+It is a thin, online-only client: every read and write is a JSON-RPC call to a
+**server-mode `hephd`** (the sync hub, see [[set-up-sync-hub]]). There is no
+local replica or background sync — when the hub is unreachable, the app shows an
+error rather than queueing offline.
+
+> **Why a PWA and not native iOS?** A native Swift app cannot be signed, built,
+> or installed without an Apple Developer account. A PWA delivers the primary
+> use case today — installable to the home screen, full-screen, with home-screen
+> launch and offline app-shell — and keeps the door open to a native wrapper
+> later. This was a deliberate first-cut choice; revisit if a native app becomes
+> worthwhile.
+
+## Serve it from the hub
+
+The hub can serve the app shell same-origin (no CORS or separate static host
+needed). Point `hephd` at the `heph-pwa/` directory:
+
+```bash
+hephd --mode server \
+      --http-addr 0.0.0.0:8787 \
+      --web-root /path/to/hephaestus/heph-pwa \
+      --oidc-issuer  https://auth.example.com/... \
+      --oidc-audience heph-mobile
+```
+
+- `--web-root` is optional. Unset, the hub serves only its API routes (unchanged
+  behavior). Set, it serves the static shell for any non-API path, with an
+  `index.html` SPA fallback. The shell is unauthenticated (it's just HTML/JS);
+  all data still flows through the auth-gated `/rpc`.
+- Every hub response now carries permissive CORS headers and answers the browser
+  `OPTIONS` preflight, so you can alternatively host the shell anywhere (any
+  static server, GitHub Pages, etc.) and still call the hub cross-origin.
+
+Then open `https://<hub-host>:8787/` on your phone and **Add to Home Screen**.
+
+## Connect
+
+On first launch the app opens **Settings**:
+
+- **Hub URL** — the server-mode `hephd` base URL (e.g. `https://hub.example.com:8787`).
+  When served from the hub, use that same origin.
+- **Token** — a bearer token, if the hub requires OIDC (`--oidc-issuer`/`-audience`).
+  Leave blank for an unauthenticated hub (local network / dev). Tap **Test** to
+  verify the connection (it calls the `version` RPC).
+
+Settings persist in the browser's local storage.
+
+> The device-code OIDC login flow (RFC 8628) the CLI/daemon use is **not** yet
+> wired into the PWA — for now paste a bearer token obtained out-of-band. Wiring
+> the in-app device flow is the obvious next step.
+
+## Quick-add
+
+Tap **+** (or press Cmd-' / Ctrl-' on a keyboard) to capture. The single input
+accepts the exact [[v1-prototype-tech-spec|tech-spec §8.1]] syntax, parsed live
+into preview chips before you submit:
+
+| Token | Example | Effect |
+|-------|---------|--------|
+| `p1`–`p4` | `p1` | attention: red / orange / blue / white |
+| `#Project` | `#Camano Chores` | file under a project (greedy multi-word match) |
+| date | `today` `tomorrow` `+3d` `fri` `2026-07-01` | do-date |
+| `every …` | `every 3 days` `every other wed` `every workday` | recurrence (RRULE) |
+
+Unmatched `#tags` stay in the title verbatim. With no `#Project` token, the task
+files into the currently selected project (or Inbox). The parser is a faithful
+JS port of the Rust `quickadd`/`datespec` modules, covered by parity tests
+(`heph-pwa/test/parsers.test.mjs`, run with `node --test`).
+
+## Voice
+
+The quick-add field supports voice two ways:
+
+- **iOS / iPadOS:** use the **microphone key on the on-screen keyboard** — Apple
+  dictation works in the text field for free, no app permission needed.
+- **Chrome / Android / desktop:** a 🎤 button appears when the Web Speech API is
+  available and dictates straight into the field.
+
+(Anthropic has no speech-to-text endpoint, so transcription leans on the
+platform. A server-side transcription proxy could be added later if needed.)
+
+## Triage
+
+Tap a task to expand its actions, mirroring the TUI keys: **Done** (`x`),
+**Drop** (`d`), **Skip** (`S`, recurring only), **Attn** (cycle attention, `A`),
+**Date** (reschedule, `e`), **Move** (project picker, `m`), **Delete**
+(tombstone, `D`). Done/Drop show an **Undo**. The expanded view also shows the
+task's canonical-context body + recent log tail (read-only).
+
+Search (🔍 or `/`) runs full-text search across tasks and docs.
+
+## Known limitations (first cut)
+
+- Online-only; no offline write queue or CRDT replica.
+- No in-app OIDC device-code login yet (paste a token).
+- Context/KB is read-only (no wiki-link navigation or editing).
+- Undo covers Done/Drop only.
+
+## Related
+
+- [[set-up-sync-hub]] — stand up the server-mode hub the app talks to
+- [[run-the-daemon]] — run `hephd` as a managed service
+- [[v1-prototype-tech-spec]] — data model, RPC API, quick-add spec
+- [[design]] — vision and rationale
diff --git a/docs/how-to/how-to.md b/docs/how-to/how-to.md
index eb0a6c8..62c0173 100644
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@@ -21,3 +21,4 @@ Task-oriented guides for common operations.
 - [[set-up-sync-hub]] — Stand up the canonical hub (indri) and connect an existing device as an offline-capable spoke
 - [[import-todoist]] — Seed a heph store from your Todoist projects + tasks (`mise run import-todoist`)
 - [[self-update]] — Opt-in `hephd` self-update: poll the forge for new releases and auto-update
+- [[heph-pwa]] — The mobile app: an installable PWA mirror of heph-tui (browse, triage, fast quick-add, voice)

From 0036c1a28421598136e4f00e00324908b34cc16c Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 4 Jun 2026 17:13:28 -0700
Subject: [PATCH 5/7] =?UTF-8?q?fix(hephd):=20supervise=20the=20=E2=8C=98'?=
 =?UTF-8?q?=20popover=20in=20server=20mode=20too;=20PWA=20defaults=20hub?=
 =?UTF-8?q?=20to=20its=20origin?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Popover supervision was gated to Mode::Local, so running the store-owning
daemon in server mode (now needed to host heph-pwa) silently dropped the
desktop quick-capture popover. Server mode is local + an HTTP hub and owns the
same store/socket, so it should drive the popover too; broaden the guard to
Local | Server (client, a thin proxy, still opts out).

Also: when the PWA shell is served from the hub, default the hub URL to its own
origin so the app is zero-config on first open (Settings still overrides). Bump
the service-worker cache to v2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 crates/hephd/src/main.rs | 17 ++++++++++-------
 heph-pwa/src/rpc.js      | 14 +++++++++++---
 heph-pwa/sw.js           |  2 +-
 3 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/crates/hephd/src/main.rs b/crates/hephd/src/main.rs
index c8e4e25..fde7d57 100644
--- a/crates/hephd/src/main.rs
+++ b/crates/hephd/src/main.rs
@@ -231,14 +231,17 @@ async fn main() -> Result<()> {
 
     tracing::info!(socket = %socket.display(), mode = ?cli.mode, "hephd listening");
 
-    // macOS local mode: supervise the global quick-capture popover (⌘'). hephd
-    // already runs as a `gui/$uid` LaunchAgent, so its child inherits the Aqua
-    // session the hotkey/GUI need — no separate launch agent. Opt-in via
-    // HEPH_QUICKADD=1 (the installed plist sets it) so dev/test runs that spawn a
-    // local daemon never pop a window. The helper self-exits when this daemon
-    // goes away, so killing hephd (even `kill -9`) leaves nothing behind.
+    // macOS store-owning modes: supervise the global quick-capture popover (⌘').
+    // hephd already runs as a `gui/$uid` LaunchAgent, so its child inherits the
+    // Aqua session the hotkey/GUI need — no separate launch agent. Both `local`
+    // and `server` own the local store on the device (server is local + an HTTP
+    // hub), so both should drive the desktop popover; only `client` (a thin
+    // remote proxy) does not. Opt-in via HEPH_QUICKADD=1 (the installed plist
+    // sets it) so dev/test runs that spawn a daemon never pop a window. The
+    // helper self-exits when this daemon goes away, so killing hephd (even
+    // `kill -9`) leaves nothing behind.
     #[cfg(target_os = "macos")]
-    if cli.mode == Mode::Local && quickadd_enabled() {
+    if matches!(cli.mode, Mode::Local | Mode::Server) && quickadd_enabled() {
         spawn_quickadd_supervisor(socket.clone());
     }
 
diff --git a/heph-pwa/src/rpc.js b/heph-pwa/src/rpc.js
index cb8c6d9..8f8b690 100644
--- a/heph-pwa/src/rpc.js
+++ b/heph-pwa/src/rpc.js
@@ -8,12 +8,20 @@
 const SETTINGS_KEY = "heph-pwa:settings";
 
 export function loadSettings() {
+  let s = {};
   try {
-    const s = JSON.parse(localStorage.getItem(SETTINGS_KEY) || "{}");
-    return { baseUrl: s.baseUrl || "", token: s.token || "" };
+    s = JSON.parse(localStorage.getItem(SETTINGS_KEY) || "{}");
   } catch {
-    return { baseUrl: "", token: "" };
+    s = {};
   }
+  let baseUrl = s.baseUrl || "";
+  // Served from the hub? Default the hub URL to our own origin so the app is
+  // zero-config out of the box (the Settings screen still lets you override,
+  // e.g. when the shell is hosted separately from the hub).
+  if (!baseUrl && typeof location !== "undefined" && /^https?:/.test(location.origin)) {
+    baseUrl = location.origin;
+  }
+  return { baseUrl, token: s.token || "" };
 }
 
 export function saveSettings(settings) {
diff --git a/heph-pwa/sw.js b/heph-pwa/sw.js
index fef89ff..3ecb45d 100644
--- a/heph-pwa/sw.js
+++ b/heph-pwa/sw.js
@@ -1,7 +1,7 @@
 // Service worker: cache the app shell so heph launches offline. Data is never
 // cached — every /rpc call must hit the live hub (and POSTs aren't cacheable
 // anyway). Bump CACHE when shell assets change to evict the old set.
-const CACHE = "heph-pwa-v1";
+const CACHE = "heph-pwa-v2";
 const SHELL = [
   "./",
   "./index.html",

From 271c609c14fb4ce8a6f44addc5c0387f4d441933 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 4 Jun 2026 17:16:15 -0700
Subject: [PATCH 6/7] feat(heph-pwa): re-fetch the current view when the app
 regains focus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The PWA shares the daemon's store with the TUI/desktop popover but only
re-fetched on a view switch or action — so a task marked done elsewhere left a
stale list on screen. Reload the current view on visibilitychange→visible
(switch back to the phone, unlock, tab re-show), skipping it mid-modal/search.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 heph-pwa/src/app.js | 17 +++++++++++++++++
 heph-pwa/sw.js      |  2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/heph-pwa/src/app.js b/heph-pwa/src/app.js
index 6acc2a9..f06ba06 100644
--- a/heph-pwa/src/app.js
+++ b/heph-pwa/src/app.js
@@ -785,6 +785,23 @@ function buildShell() {
 async function init() {
   buildShell();
   document.addEventListener("keydown", onKeydown);
+
+  // The PWA shares the daemon's store with the TUI / desktop popover, but only
+  // re-fetches on a view switch or an action. So another surface marking a task
+  // done leaves a stale list on screen until then. Re-fetch the current view
+  // whenever the app regains focus (switching back to the phone, unlock, tab
+  // re-show) — but not while a modal or search is mid-interaction.
+  document.addEventListener("visibilitychange", () => {
+    if (
+      document.visibilityState === "visible" &&
+      state.client.configured &&
+      !modalOpen() &&
+      !state.search
+    ) {
+      reload();
+    }
+  });
+
   render();
   reload();
 
diff --git a/heph-pwa/sw.js b/heph-pwa/sw.js
index 3ecb45d..571d1e6 100644
--- a/heph-pwa/sw.js
+++ b/heph-pwa/sw.js
@@ -1,7 +1,7 @@
 // Service worker: cache the app shell so heph launches offline. Data is never
 // cached — every /rpc call must hit the live hub (and POSTs aren't cacheable
 // anyway). Bump CACHE when shell assets change to evict the old set.
-const CACHE = "heph-pwa-v2";
+const CACHE = "heph-pwa-v3";
 const SHELL = [
   "./",
   "./index.html",

From 936c2635ef8c8462815c12e4cdb81c1989df7af6 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 4 Jun 2026 17:17:25 -0700
Subject: [PATCH 7/7] =?UTF-8?q?doc(heph-pwa):=20production=20runbook=20?=
 =?UTF-8?q?=E2=80=94=20host=20the=20app=20from=20the=20hub=20(indri)=20wit?=
 =?UTF-8?q?h=20OIDC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add host-heph-pwa.md: a deployment how-to for serving the PWA from the canonical
hub in the hub/spoke OIDC setup (post-release) — fetch the shell at the hub's
tag, add --web-root, terminate TLS (tailscale serve / reverse proxy), and the
token-paste caveat with the device-code-login follow-up. Cross-linked from
heph-pwa and the how-to index.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 docs/how-to/heph-pwa.md      |   1 +
 docs/how-to/host-heph-pwa.md | 127 +++++++++++++++++++++++++++++++++++
 docs/how-to/how-to.md        |   1 +
 3 files changed, 129 insertions(+)
 create mode 100644 docs/how-to/host-heph-pwa.md

diff --git a/docs/how-to/heph-pwa.md b/docs/how-to/heph-pwa.md
index dbc19ef..2a158e9 100644
--- a/docs/how-to/heph-pwa.md
+++ b/docs/how-to/heph-pwa.md
@@ -112,6 +112,7 @@ Search (🔍 or `/`) runs full-text search across tasks and docs.
 
 ## Related
 
+- [[host-heph-pwa]] — serve this app from the hub (indri) with OIDC, in the hub/spoke deployment
 - [[set-up-sync-hub]] — stand up the server-mode hub the app talks to
 - [[run-the-daemon]] — run `hephd` as a managed service
 - [[v1-prototype-tech-spec]] — data model, RPC API, quick-add spec
diff --git a/docs/how-to/host-heph-pwa.md b/docs/how-to/host-heph-pwa.md
new file mode 100644
index 0000000..0be1d59
--- /dev/null
+++ b/docs/how-to/host-heph-pwa.md
@@ -0,0 +1,127 @@
+---
+title: Host heph-pwa from the hub
+modified: 2026-06-04
+tags:
+  - how-to
+---
+
+# Host heph-pwa from the hub
+
+How to serve the [[heph-pwa]] mobile app from the canonical **hub** (`indri`) in
+the hub-and-spoke deployment, with OIDC auth — the production counterpart of the
+unauthenticated single-machine demo. Assumes the `heph-pwa` work is **merged and
+released**, so the installed `hephd` already has `--web-root` and CORS.
+
+> Read [[set-up-sync-hub]] first — this builds directly on the hub it stands up
+> (server mode, Authentik OIDC, Tailscale transport).
+
+## What the app needs from the hub
+
+The PWA is a thin, online-only client: it loads its static shell over HTTP and
+makes JSON-RPC calls to the hub's `/rpc`. So the hub must (1) serve the shell
+files and (2) accept the app's authenticated RPC calls. Both are already in
+`hephd --mode server`:
+
+- `--web-root <dir>` serves the shell for any non-API path (with an `index.html`
+  SPA fallback). The shell is unauthenticated — it is only HTML/JS; all data
+  still flows through the OIDC-gated `/rpc`.
+- Every response carries permissive CORS headers and answers the `OPTIONS`
+  preflight, so the shell may instead be hosted anywhere and still call the hub
+  cross-origin.
+
+## 1. Put the shell on the hub
+
+The release does not yet bundle the app, so fetch the `heph-pwa/` directory at
+the **same version tag** the hub runs (keeping shell and hub in lockstep matters
+— see *Upgrades* below), and copy it to a stable path:
+
+```bash
+# on indri, matching the running hephd version (e.g. v1.4.0)
+git clone --depth 1 --branch v1.4.0 \
+  https://forge.ops.eblu.me/eblume/hephaestus.git /tmp/heph-src
+sudo mkdir -p /var/lib/heph/web
+sudo cp -r /tmp/heph-src/heph-pwa/. /var/lib/heph/web/
+```
+
+> **Future improvement:** have the release workflow package a `heph-pwa-<version>.tar.gz`
+> asset (as it already does for docs), so this step becomes "download + extract"
+> and the lockstep is automatic. Until then, pin the clone to the hub's tag.
+
+## 2. Add `--web-root` to the hub service
+
+Extend the hub invocation from [[set-up-sync-hub]] with `--web-root` (everything
+else — issuer, audience, db — unchanged):
+
+```bash
+hephd --mode server \
+  --http-addr 0.0.0.0:8787 \
+  --db /var/lib/heph/heph.db \
+  --web-root /var/lib/heph/web \
+  --oidc-issuer  https://authentik.ops.eblu.me/application/o/heph/ \
+  --oidc-audience <heph-client-id>
+```
+
+In the systemd unit (or launchd plist), add the two `--web-root` arguments and
+`systemctl restart hephd`. Self-update is compatible now that the release ships
+the flag — just refresh the web-root on each upgrade (next section).
+
+## 3. Terminate TLS (recommended)
+
+Serve the app over **HTTPS** so it is a *secure context*: only then do the
+service worker (offline launch), proper PWA install, and the Web Speech mic
+work. (On iOS, "Add to Home Screen" and keyboard dictation work over plain HTTP
+too, so HTTPS is a polish step, not a blocker.) Two good options:
+
+- **Tailscale serve** — tailnet-only, automatic MagicDNS cert, no public
+  exposure:
+
+  ```bash
+  tailscale serve --bg --https=443 http://127.0.0.1:8787
+  # app is then at https://indri.<tailnet>.ts.net/
+  ```
+
+  Bind `hephd` to `127.0.0.1:8787` in this case and let Tailscale be the only
+  thing exposing it.
+
+- **Reverse proxy** (Caddy / nginx) terminating a real cert, if the hub should
+  be reachable beyond the tailnet. Proxy all paths (`/`, `/rpc`, `/sync/*`) to
+  `hephd`.
+
+Either way the app is same-origin with the hub, so no CORS is involved and the
+app defaults its hub URL to its own origin.
+
+## 4. Connect a phone
+
+1. Ensure the phone is on the tailnet (or can reach the proxy).
+2. Open the hub URL (`https://indri.<tailnet>.ts.net/`) and **Add to Home Screen**.
+3. The app defaults its **Hub URL** to the origin it loaded from — no typing.
+4. **Token:** the hub requires an OIDC bearer token, and the PWA does **not yet
+   implement the in-app device-code login** — paste a token into Settings →
+   Token for now. Obtain one via the device-code flow against the Authentik
+   client (the same flow the CLI uses; e.g. reuse the access token a logged-in
+   spoke cached, or run a one-off device-code grant). Tap **Test** to confirm.
+
+> **Known gap / next step:** wire the RFC 8628 device-code flow into the PWA's
+> Settings so login is in-app (open the verification URL, poll for the token,
+> store it, and refresh it) — removing the manual paste. Tracked as follow-up
+> work for `heph-pwa`.
+
+## Upgrades
+
+On each hub upgrade, refresh the shell so it matches the running `hephd`:
+
+```bash
+git -C /tmp/heph-src fetch --depth 1 origin v1.5.0 && git -C /tmp/heph-src checkout v1.5.0
+sudo cp -r /tmp/heph-src/heph-pwa/. /var/lib/heph/web/
+```
+
+The service worker is versioned (`CACHE = "heph-pwa-vN"`), so an updated shell
+evicts the old cache on next load. Hard-refresh once if a phone seems stuck on a
+stale version.
+
+## Related
+
+- [[heph-pwa]] — the app itself (features, quick-add, voice, triage)
+- [[set-up-sync-hub]] — stand up the hub + Authentik OIDC this doc extends
+- [[run-the-daemon]] — run `hephd` as a managed service
+- [[v1-prototype-tech-spec]] — RPC API and auth model
diff --git a/docs/how-to/how-to.md b/docs/how-to/how-to.md
index 62c0173..c20c904 100644
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@@ -22,3 +22,4 @@ Task-oriented guides for common operations.
 - [[import-todoist]] — Seed a heph store from your Todoist projects + tasks (`mise run import-todoist`)
 - [[self-update]] — Opt-in `hephd` self-update: poll the forge for new releases and auto-update
 - [[heph-pwa]] — The mobile app: an installable PWA mirror of heph-tui (browse, triage, fast quick-add, voice)
+- [[host-heph-pwa]] — Serve the mobile app from the hub (indri) with OIDC, in the hub/spoke deployment