From 1e282ffb88ab78874eda755c764ded34a4aa8a95 Mon Sep 17 00:00:00 2001 From: Jorge Torres Date: Mon, 29 Jun 2026 21:16:03 -0700 Subject: [PATCH 1/6] docs docs --- docs/use-cases.html | 83 ++++++++++++++++++++++++++++++++------------- 1 file changed, 60 insertions(+), 23 deletions(-) diff --git a/docs/use-cases.html b/docs/use-cases.html index 937cb98740c..ff2c77bdfdd 100644 --- a/docs/use-cases.html +++ b/docs/use-cases.html @@ -241,18 +241,18 @@
Use Cases
-

Two things.
Automate and Create.

+

Two things.
Create and Automate.

Minds Cowork is built around two core primitives. Everything below is an expression of one or both.

-
Automate
-
Recurring tasks that run without you — reports, monitoring, workflows, digests.
+
Create
+
Documents, apps, and workflow tools built around how you actually work — yours to publish, share, and keep.
-
Create
-
Artifacts that used to take hours — apps, decks, docs, analyses, dashboards.
+
Automate
+
Recurring tasks that run without you — reports, monitoring, workflows, and scheduled operations.
@@ -269,6 +269,21 @@

Creators

+
+ Create +
Personal knowledge base
+
Upload your notes, docs, and bookmarks. Ask questions in plain language and get answers that actually reference your material.
+
+
+ Create +
Your brand playbook, always current
+
Connect your tone guidelines, past work, and campaign feedback. The agent synthesizes a living brand doc your whole team references — and updates it as you evolve.
+
+
+ Create +
A content ops app, built your way
+
Pitches, drafts, deadlines, and briefs in one tool — laid out exactly the way your team works, not a generic template someone else designed for someone else.
+
Automate
Content pipeline on autopilot
@@ -281,11 +296,6 @@

Creators

Feed a transcript or essay and get a Twitter thread, LinkedIn post, and email summary — automatically.
video → clips → captions → posts
-
- Create -
Personal knowledge base
-
Upload your notes, docs, and bookmarks. Ask questions in plain language and get answers that actually reference your material.
-
@@ -299,6 +309,17 @@

Operators

+
+ Create +
An ops dashboard wired to your data
+
A live view of your team's KPIs, queues, and blockers — connected to your actual data sources, laid out the way you think about the work. Publish it to a URL in minutes.
+
data → dashboard → publish → always live
+
+
+ Create +
Codify your process as a tool
+
That SOP buried in a Notion doc or a teammate's head — turn it into a working app anyone on the team can use. Step-by-step, context-aware, no engineering required.
+
Automate
Live data reports, written for you
@@ -334,18 +355,23 @@

Strategists

Ask across all your data
Query across docs, tickets, spreadsheets, and databases in plain language. No SQL, no dashboards.
-
- Automate -
Competitive research digest
-
Run a competitor sweep on a schedule. Every week you get a structured digest of what changed — pricing, features, messaging.
-
sources → extract → compare → report
-
Create
Synthesize feedback at scale
Feed support tickets, reviews, and survey responses. Get back themes, sentiment, and concrete product signal.
feedback → themes → insights → action
+
+ Create +
Turn analysis into a shareable app
+
Package a market analysis or research project into a live document teammates can query in plain language — no re-presenting the same deck every quarter.
+
+
+ Automate +
Competitive research digest
+
Run a competitor sweep on a schedule. Every week you get a structured digest of what changed — pricing, features, messaging.
+
sources → extract → compare → report
+
@@ -354,20 +380,31 @@

Strategists

-

For everyone

-
Any knowledge worker with repetitive work
+

For every team

+
Anything you build is uniquely yours
- Automate -
Automate any multi-step task
-
If it involves reading something and writing something else on a schedule, the agent can own it.
+ Create +
Documents from your actual data
+
Proposals, playbooks, briefs, investor updates — written by the agent, sourced from your connected data, published in minutes. Not a template. Your content.
Create -
Build internal AI tools
-
Describe what your team needs. The agent builds it — a web app, a form, a dashboard — and deploys it, no engineering required.
+
Apps built for how you actually work
+
A deal scorecard. A support triage tool. An onboarding portal. Describe it, and the agent builds and deploys it — no engineering required, live URL included.
+
describe → build → publish → share
+
+
+ Create +
Encode your secret sauce
+
Every team has logic no off-the-shelf tool captures: a scoring rubric, a workflow step nobody else does, a way of reading the data that took years to develop. That uniqueness becomes a live tool — yours, not a template everyone else runs too.
+
+
+ Automate +
Own any multi-step recurring task
+
If it involves reading something and writing something else on a schedule — a report, a digest, a status update — the agent can own it end to end.
From b1dc096c5ec07c8665daaeeb6862e46dcaa577fd Mon Sep 17 00:00:00 2001 From: Jorge Torres Date: Tue, 30 Jun 2026 13:51:26 -0700 Subject: [PATCH 2/6] best practices on linear --- CLAUDE.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CLAUDE.md b/CLAUDE.md index 9580f70d58e..a7810bc4f4d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -127,6 +127,22 @@ new SHA in the superproject as one reviewable commit. remind you a teammate's pin bump left a module behind — run `make baseline` after pulling the superproject to align. +## Branch naming + +Linear is connected to GitHub (`mindsdb` org). Every branch must include a Linear issue ID so the PR is automatically linked to the ticket. + +**Format:** `-` — copy it directly from the issue in Linear (branch icon on any issue card). + +``` +eng-123-fix-sso-no-credits +eng-456-add-attachment-thumbnails +``` + +- The team prefix is **`ENG`** (lowercase in branch names: `eng-`) +- Linear generates the full branch name for you — always use that, don't invent one +- PRs opened from a correctly named branch auto-attach to the Linear issue; no manual linking needed +- Hotfixes that don't have a ticket yet: create the ticket first, then branch from it + ## Running locally (web browser mode) After initializing submodules, start the full stack with: From 1c58fb2c8a1d257083eb6d48c58d681e7d5bf42b Mon Sep 17 00:00:00 2001 From: Konstantin Sivakov Date: Wed, 1 Jul 2026 18:15:12 +0200 Subject: [PATCH 3/6] stop publishing raw API port 26866 to the host (ENG-459) --- docker-compose.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 2532528e684..a16a9b6ecc0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,8 +10,13 @@ services: # ANTON_ANTHROPIC_API_KEY: "sk-ant-..." volumes: - cowork-data:/home/cowork/.cowork - ports: - - "26866:26866" + # ENG-459: do NOT publish 26866 to the host. Publishing it exposed the raw, + # unauthenticated API directly, bypassing nginx. `expose` keeps the port + # reachable only on the compose network — nginx (web) still proxies to it as + # `api:26866`. NOTE: the nginx /v1/ path is itself still unauthenticated + # until app-layer auth (COWORK_REQUIRE_AUTH / bearer-token-auth) lands. + expose: + - "26866" restart: unless-stopped healthcheck: test: ["CMD", "python", "-c", From 57f0c305380a8b5dbc1b4f59a9cadd6f8a1ac9ad Mon Sep 17 00:00:00 2001 From: Jorge Torres Date: Wed, 1 Jul 2026 15:24:32 -0700 Subject: [PATCH 4/6] bump submodule pins to latest staging frontend, core_api, core_agent all pulled to current staging HEAD. Co-Authored-By: Claude Sonnet 4.6 --- backend/core_agent | 2 +- backend/core_api | 2 +- frontend | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/backend/core_agent b/backend/core_agent index 6b83930e510..b996122dd5e 160000 --- a/backend/core_agent +++ b/backend/core_agent @@ -1 +1 @@ -Subproject commit 6b83930e510a984aa822a2cc46a2143a4e94343f +Subproject commit b996122dd5ee5afcfa061722f0420b1e9b41e11d diff --git a/backend/core_api b/backend/core_api index cb075bdf792..cbea825630a 160000 --- a/backend/core_api +++ b/backend/core_api @@ -1 +1 @@ -Subproject commit cb075bdf79242d865f5e8809cedfa1debb63e519 +Subproject commit cbea825630a380b4c7cb8bf6cff2402177683ac7 diff --git a/frontend b/frontend index 4114336ee0c..f6d37c2861f 160000 --- a/frontend +++ b/frontend @@ -1 +1 @@ -Subproject commit 4114336ee0cf1a8a04c20a96f4a92f30fe059c66 +Subproject commit f6d37c2861fa3f92c22ffbb661d6d9c8d0f28b93 From 6afb7adffc94f9be77b43e2b6e9ccb8197c1d540 Mon Sep 17 00:00:00 2001 From: Konstantin Sivakov Date: Wed, 8 Jul 2026 22:31:45 +0200 Subject: [PATCH 5/6] fix(self-host): share api's network namespace so nginx proxies over loopback (ENG-457) cowork-server's upcoming _require_local guard on /settings/reveal-key and /raw (mindsdb/cowork-server#143) only allows 127.0.0.1/::1 callers. With web and api as separate containers on the default bridge network, nginx's proxied request would arrive at cowork-server as the web container's bridge IP and get 403'd, breaking onboarding. web now runs with network_mode: service:api and nginx proxies to 127.0.0.1:26866 directly, so the request is a genuine loopback hop. Verified against a throwaway nginx+http.server stack with the same topology: the proxied request's peer address is 127.0.0.1. --- docker-compose.yml | 19 ++++++++++++++----- docker/nginx.conf | 5 ++++- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index a16a9b6ecc0..c1d8009090f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,11 +12,15 @@ services: - cowork-data:/home/cowork/.cowork # ENG-459: do NOT publish 26866 to the host. Publishing it exposed the raw, # unauthenticated API directly, bypassing nginx. `expose` keeps the port - # reachable only on the compose network — nginx (web) still proxies to it as - # `api:26866`. NOTE: the nginx /v1/ path is itself still unauthenticated - # until app-layer auth (COWORK_REQUIRE_AUTH / bearer-token-auth) lands. + # reachable only on the compose network. NOTE: the nginx /v1/ path is + # itself still unauthenticated until app-layer auth + # (COWORK_REQUIRE_AUTH / bearer-token-auth) lands. expose: - "26866" + # ENG-457: `web` now shares this container's network namespace (see + # below), so the host's published port lands here instead of on `web`. + ports: + - "3000:80" restart: unless-stopped healthcheck: test: ["CMD", "python", "-c", @@ -30,8 +34,13 @@ services: build: context: . dockerfile: docker/web.Dockerfile - ports: - - "3000:80" + # ENG-457: share api's network namespace so nginx's proxy to cowork-server + # is a genuine loopback hop (127.0.0.1), not a separate-container bridge + # hop. cowork-server's `_require_local` guard on /settings/reveal-key and + # /raw only allows loopback callers — on the default bridge network the + # proxied request would arrive as this container's bridge IP and get + # 403'd, breaking onboarding's calls to those endpoints. + network_mode: "service:api" depends_on: api: condition: service_healthy diff --git a/docker/nginx.conf b/docker/nginx.conf index 4b5895bd83f..39148536ff6 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf @@ -4,7 +4,10 @@ server { index index.html; location /v1/ { - proxy_pass http://api:26866; + # ENG-457: web shares api's network namespace (docker-compose.yml), + # so this is a genuine loopback hop -- required for cowork-server's + # loopback-only guard on /settings/reveal-key and /raw. + proxy_pass http://127.0.0.1:26866; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; From f140564f90e6598f5b2ac5c0e3791a42a26e08c3 Mon Sep 17 00:00:00 2001 From: Konstantin Sivakov Date: Wed, 8 Jul 2026 22:39:20 +0200 Subject: [PATCH 6/6] style: drop em dash / double-hyphen from ENG-457 comments --- docker-compose.yml | 2 +- docker/nginx.conf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c1d8009090f..0e5196c34d2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -37,7 +37,7 @@ services: # ENG-457: share api's network namespace so nginx's proxy to cowork-server # is a genuine loopback hop (127.0.0.1), not a separate-container bridge # hop. cowork-server's `_require_local` guard on /settings/reveal-key and - # /raw only allows loopback callers — on the default bridge network the + # /raw only allows loopback callers. On the default bridge network the # proxied request would arrive as this container's bridge IP and get # 403'd, breaking onboarding's calls to those endpoints. network_mode: "service:api" diff --git a/docker/nginx.conf b/docker/nginx.conf index 39148536ff6..e9f3b2c38e6 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf @@ -5,8 +5,8 @@ server { location /v1/ { # ENG-457: web shares api's network namespace (docker-compose.yml), - # so this is a genuine loopback hop -- required for cowork-server's - # loopback-only guard on /settings/reveal-key and /raw. + # so this is a genuine loopback hop, which cowork-server's + # loopback-only guard on /settings/reveal-key and /raw requires. proxy_pass http://127.0.0.1:26866; proxy_http_version 1.1; proxy_set_header Host $host;