feat(fh-agent): site.spec.yaml → deployable edge-agent bundle compiler

.editorconfig

@@ -0,0 +1,36 @@
+# EditorConfig — https://editorconfig.org
+# Top-level config; no parent lookups beyond this file.
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+# Go uses tabs (gofmt is non-negotiable).
+[*.go]
+indent_style = tab
+
+# TS / JS / JSON — 2-space (matches Prettier + tsconfig conventions).
+[*.{ts,tsx,js,jsx,mjs,cjs,json,jsonc}]
+indent_style = space
+indent_size = 2
+
+# YAML — 2-space (contract/*.yaml, GitHub Actions).
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+# Markdown — preserve trailing spaces (two-space line-break trick).
+[*.md]
+trim_trailing_whitespace = false
+
+# Makefiles require literal tabs.
+[Makefile]
+indent_style = tab
+
+[**/Makefile]
+indent_style = tab

.github/CODEOWNERS

@@ -0,0 +1,31 @@
+# CODEOWNERS — Review routing for edge-agents
+#
+# Syntax: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+# Order matters: the LAST matching pattern wins for a given file.
+#
+# NOTE: The @ForestHubAI/maintainers team must exist in the GitHub org
+# (Org Settings → Teams) for these mentions to resolve. Without the team,
+# GitHub will show "Unknown owner" warnings on the Branch protection /
+# PR review UI but CODEOWNERS routing will silently no-op.
+
+# ---------------------------------------------------------------------------
+# Default owner — applies to anything not covered by a more specific rule below
+# ---------------------------------------------------------------------------
+*                   @ForestHubAI/maintainers
+
+# ---------------------------------------------------------------------------
+# Language subtrees
+# ---------------------------------------------------------------------------
+/go/                @ForestHubAI/maintainers
+/ts/                @ForestHubAI/maintainers
+
+# ---------------------------------------------------------------------------
+# Contract subtree — CRITICAL: this is the source of truth. Drift between
+# go/ and ts/ codegen from the OpenAPI 3.0.3 contracts must always be reviewed.
+# ---------------------------------------------------------------------------
+/contract/          @ForestHubAI/maintainers
+
+# ---------------------------------------------------------------------------
+# Repo meta: CI workflows, issue templates, CODEOWNERS itself
+# ---------------------------------------------------------------------------
+/.github/           @ForestHubAI/maintainers

.github/FUNDING.yml

@@ -0,0 +1,18 @@
+# GitHub Sponsors and other funding platforms for this repository.
+# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+
+github: ForestHubAI
+
+# Additional platforms (uncomment to enable later):
+# patreon: # Replace with a single Patreon username
+# open_collective: # Replace with a single Open Collective username
+# ko_fi: # Replace with a single Ko-fi username
+# tidelift: # Replace with a single Tidelift platform-name/package-name
+# community_bridge: # Replace with a single Community Bridge project-name
+# liberapay: # Replace with a single Liberapay username
+# issuehunt: # Replace with a single IssueHunt username
+# lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name
+# polar: # Replace with a single Polar username
+# buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
+# thanks_dev: # Replace with a single thanks.dev username
+# custom: # Replace with up to 4 custom sponsorship URLs

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,31 @@
+# Issue-template chooser config.
+# Reference: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
+#
+# Forces contributors to pick a structured template (bug_report / feature_request)
+# instead of opening blank issues. The contact_links route off-topic intents
+# (questions, security reports, commercial inquiries) to the right channel so
+# the issue tracker stays focused on actionable engineering work.
+
+blank_issues_enabled: false
+
+contact_links:
+  - name: Question / Discussion
+    url: https://github.com/ForestHubAI/edge-agents/discussions
+    about: |
+      Have a question, an idea, or want to discuss usage? Please open a
+      GitHub Discussion instead of an issue. (If Discussions is not yet
+      enabled on this repo, this link will 404 until the maintainer turns
+      it on in Settings → Features.)
+
+  - name: Security Vulnerability
+    url: https://github.com/ForestHubAI/edge-agents/security/advisories/new
+    about: |
+      Please do NOT open a public issue for security vulnerabilities. Use
+      GitHub's private vulnerability reporting, or email root@foresthub.ai.
+      See .github/SECURITY.md for scope and process.
+
+  - name: Commercial License Inquiry
+    url: mailto:root@foresthub.ai
+    about: |
+      edge-agents is dual-licensed (AGPL-3.0-only + commercial). For use
+      cases that are incompatible with AGPL, contact root@foresthub.ai.

.github/dependabot.yml

@@ -0,0 +1,70 @@
+version: 2
+
+updates:
+  # Go module (root of Go code is /go)
+  - package-ecosystem: "gomod"
+    directory: "/go"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+    groups:
+      go-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+      go-security:
+        applies-to: security-updates
+        update-types:
+          - "minor"
+          - "patch"
+
+  # npm workspace root (handles workflow-core, workflow-builder, app)
+  - package-ecosystem: "npm"
+    directory: "/ts"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+    groups:
+      npm-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+      npm-security:
+        applies-to: security-updates
+        update-types:
+          - "minor"
+          - "patch"
+
+  # GitHub Actions workflows
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    groups:
+      actions-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+      actions-security:
+        applies-to: security-updates
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/codeql.yml

@@ -0,0 +1,51 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly on Sundays at 04:17 UTC. Off-peak, off the hour.
+    - cron: "17 4 * * 0"
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL's modern "javascript-typescript" identifier covers ts/.
+        # "go" covers go/ — autobuild finds the module via go/go.mod.
+        language: [go, javascript-typescript]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go/go.mod
+          cache-dependency-path: go/go.sum
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/gitleaks.yml

@@ -0,0 +1,29 @@
+name: gitleaks
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    name: Scan for leaked secrets
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout (full history)
+        uses: actions/checkout@v4
+        with:
+          # gitleaks needs the full history to scan past commits, not just
+          # the diff. Shallow clone would miss anything before the last fetch.
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # No GITLEAKS_LICENSE on purpose: it's a paid-tier key. Public repos
+          # get full functionality on the free tier without it.

.github/workflows/lint.yml

@@ -0,0 +1,43 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  go-lint:
+    name: Go (golangci-lint)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go/go.mod
+          cache-dependency-path: go/go.sum
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+          working-directory: go
+          args: --timeout=5m
+
+  ts-lint:
+    name: TS (eslint)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ts
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: ts/package-lock.json
+      - run: npm ci
+      - run: npm run lint