chore: prep for release pipeline — drop project-agent + skills-project, align image env contract

Removes the project-agent backend module (already gone from modules/), its
orphan web frontend (`components/project-agent/*`, `api/agent-context`,
`api/agent-session`), the AgentSession Prisma model + a drop migration, and
the standalone skills-project catalogue.

Aligns docker-compose with the actual runtime env contract of each image:
  - web: adds SANDBOX0_API_KEY (chat 401s without it) + SANDBOX0_BASE_URL,
    plus optional knobs as comments
  - track-service: adds ClickHouse__{Database,FlagEvaluationsTable,MetricEventsTable}
    overrides matching the chart

Adds .github/workflows/{publish-docker-images,release-charts}.yml and
RELEASING.md for the upcoming GitHub-driven release flow. Renames published
image repos to featbit/featbit-rda-{track-service,web} for namespace clarity.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: cosmic-flood

.dockerignore

@@ -5,15 +5,3 @@
 **/dist
 **/.env
 **/.env.local
-
-# Codex runtime state — volume-mounted at container start, must not be in build context
-modules/project-agent/codex-config/sessions
-modules/project-agent/codex-config/memories
-modules/project-agent/codex-config/shell_snapshots
-modules/project-agent/codex-config/tmp
-modules/project-agent/codex-config/*.sqlite
-modules/project-agent/codex-config/*.sqlite-shm
-modules/project-agent/codex-config/*.sqlite-wal
-modules/project-agent/codex-config/logs_*
-modules/project-agent/codex-config/state_*
-modules/project-agent/codex-config/installation_id

.github/workflows/publish-docker-images.yml

@@ -0,0 +1,85 @@
+name: Publish Docker Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Image version (e.g. 0.3.0). Becomes the image tag."
+        required: true
+      build-latest:
+        description: "Also tag and push :latest"
+        type: boolean
+        default: false
+        required: false
+      next-public-featbit-api-url:
+        description: "NEXT_PUBLIC_FEATBIT_API_URL baked into the web image at build time"
+        required: false
+        default: "https://app-api.featbit.co"
+      debug:
+        description: "Print GitHub context"
+        type: boolean
+        default: false
+        required: false
+
+env:
+  LATEST_TAG: latest
+  VERSION_TAG: ${{ github.event.inputs.version }}
+
+jobs:
+  build-publish:
+    name: Build and publish ${{ matrix.app }}
+    runs-on: ubuntu-latest
+    environment: Production
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - app: featbit-rda-track-service
+            build-dir: modules/track-service
+            file: ./Dockerfile
+          - app: featbit-rda-web
+            build-dir: modules/web
+            file: ./Dockerfile
+    steps:
+      - name: Dump GitHub context
+        if: ${{ github.event.inputs.debug == 'true' }}
+        run: echo "${{ toJson(github) }}"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Build and push - ${{ matrix.app }} (${{ env.VERSION_TAG }})
+        uses: docker/build-push-action@v5
+        with:
+          context: "{{defaultContext}}:${{ matrix.build-dir }}"
+          file: ${{ matrix.file }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ matrix.app }}:${{ env.VERSION_TAG }}
+          build-args: |
+            NEXT_PUBLIC_FEATBIT_API_URL=${{ github.event.inputs.next-public-featbit-api-url }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push - ${{ matrix.app }} (${{ env.LATEST_TAG }})
+        if: ${{ github.event.inputs.build-latest == 'true' }}
+        uses: docker/build-push-action@v5
+        with:
+          context: "{{defaultContext}}:${{ matrix.build-dir }}"
+          file: ${{ matrix.file }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ matrix.app }}:${{ env.LATEST_TAG }}
+          build-args: |
+            NEXT_PUBLIC_FEATBIT_API_URL=${{ github.event.inputs.next-public-featbit-api-url }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/release-charts.yml

@@ -0,0 +1,35 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'charts/**'
+      - '.github/workflows/release-charts.yml'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    environment: Production
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.6.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.gitignore

@@ -61,28 +61,6 @@ yarn-error.log*
 .pnpm-debug.log*
 
 
-# =======
-# modules/project-agent/ (ts)
-# =======
-modules/project-agent/dist/
-modules/project-agent/node_modules/
-modules/project-agent/.pnp
-modules/project-agent/.pnp.*
-modules/project-agent/.yarn/*
-!modules/project-agent/.yarn/patches
-!modules/project-agent/.yarn/plugins
-!modules/project-agent/.yarn/releases
-!modules/project-agent/.yarn/versions
-modules/project-agent/coverage/
-modules/project-agent/.next/
-modules/project-agent/out/
-modules/project-agent/build/
-modules/project-agent/.vercel/
-modules/project-agent/next-env.d.ts
-modules/project-agent/*.tsbuildinfo
-modules/project-agent/.env
-!modules/project-agent/.env.example
-
 # =======
 # modules/sandbox/ (ts)
 # =======

AGENTS.md

@@ -20,18 +20,18 @@
 │  modules/web  (Next.js + Prisma)  :3000                     │
 │  Dashboard + REST API + Analysis Engine + Memory API        │
 │  + server-side /api/sandbox0/* (Managed-mode chat proxy)    │
-└──────┬───────────────────────────┬──────────────────────────┘
-       │ TRACK_SERVICE_URL          │ MEMORY_API_BASE / SYNC_API_URL
-       ↓                           ↓
-┌─────────────────────┐                              ┌────────────────────────┐
-│  modules/track-     │                              │  modules/project-agent │
-│  service (.NET 10)  │                              │  (Codex, SSE)          │
-│  :5050 → :8080      │                              │  :3031 → :3031         │
-│  POST /api/track    │                              │  POST /query           │
-│  POST /api/query/   │                              │  (project memory +     │
-│       experiment    │                              │   onboarding)          │
-│  GET  /health       │                              │                        │
-└──────────┬──────────┘                              └────────────────────────┘
+└──────┬──────────────────────────────────────────────────────┘
+       │ TRACK_SERVICE_URL
+       ↓
+┌─────────────────────┐
+│  modules/track-     │
+│  service (.NET 10)  │
+│  :5050 → :8080      │
+│  POST /api/track    │
+│  POST /api/query/   │
+│       experiment    │
+│  GET  /health       │
+└──────────┬──────────┘
            ↑
 ┌──────────────────────┐
 │  modules/run-active- │
@@ -53,7 +53,7 @@ Storage:
   ClickHouse          ← track-service read/write
 ```
 
-The four runtime services (web, track-service, project-agent, run-active-test) are wired together in `modules/docker-compose.yml`. The local-mode connector is published to npm and is **not** part of `docker compose` — each end user runs it themselves on their own machine.
+The runtime services (web, track-service, run-active-test) are wired together in `modules/docker-compose.yml`. The local-mode connector is published to npm and is **not** part of `docker compose` — each end user runs it themselves on their own machine.
 
 ---
 
@@ -66,7 +66,7 @@ The four runtime services (web, track-service, project-agent, run-active-test) a
 ### Responsibilities
 
 - **UI**: Experiment dashboard, wizard stages (intent → hypothesis → exposure → measurement → analysis → decision → learning)
-- **REST API**: Experiment / run CRUD, activity log, memory, agent-session proxy
+- **REST API**: Experiment / run CRUD, activity log, memory
 - **Analysis Engine**: Bayesian A/B + Bandit analysis (in-process TypeScript)
 - **Memory API**: Per-project and per-user AI memory storage (`/api/memory/`)
 
@@ -86,8 +86,7 @@ modules/web/src/
 │     ├─ experiments/[id]/experiment-run/ ← Run CRUD
 │     ├─ experiments/running/        ← GET running runs (used by workers)
 │     ├─ memory/project/             ← Project-scoped AI memory
-│     ├─ memory/user/                ← User-scoped AI memory
-│     └─ agent-session/[projectKey]/ ← Agent session proxy
+│     └─ memory/user/                ← User-scoped AI memory
 ├─ lib/
 │  ├─ stats/
 │  │  ├─ analyze.ts        ← Bayesian A/B orchestrator
@@ -267,43 +266,7 @@ The pre-connector containerised sandbox lives at `modules/sandbox/`. It is no lo
 
 ---
 
-## 4️⃣ modules/project-agent — Project-Level AI Assistant (SSE)
-
-**Language**: TypeScript (Node.js, Codex CLI)  
-**Port** (docker): 3031  
-**Type**: Server-Sent Events streaming
-
-### Responsibilities
-
-- Project onboarding assistant powered by OpenAI Codex CLI
-- Reads and writes shared project memory via `MEMORY_API_BASE`
-- Per-session env vars: `FEATBIT_PROJECT_KEY`, `FEATBIT_USER_ID`
-
-### Key Files
-
-```
-modules/project-agent/src/
-├─ server.ts        ← Express, /query route
-├─ agent.ts         ← Codex CLI wrapper
-├─ prompt.ts        ← Builds system prompt with project context
-├─ session-store.ts ← In-memory session tracking
-└─ sse.ts           ← SSE helpers
-```
-
-Skills in `modules/project-agent/skills/` — loaded on demand.
-
-### Environment Variables
-
-| Variable | Notes |
-|---|---|
-| `OPENAI_API_KEY` | Required for Codex |
-| `MEMORY_API_BASE` | `http://web:3000` |
-| `PORT` | Default: 3031 |
-| `CODEX_HOME` | `/app/codex-config` (volume-mounted) |
-
----
-
-## 5️⃣ modules/run-active-test-worker — Synthetic Data Generator (Cloudflare Worker)
+## 4️⃣ modules/run-active-test-worker — Synthetic Data Generator (Cloudflare Worker)
 
 **Language**: TypeScript (Cloudflare Workers)  
 **Trigger**: Cron, every minute  
@@ -346,7 +309,7 @@ All services (except the Cloudflare Worker) run via `modules/docker-compose.yml`
 ```
 modules/
   docker-compose.yml
-  .env                ← DATABASE_URL, CLICKHOUSE_CONNECTION_STRING, SANDBOX0_API_KEY, OPENAI_API_KEY, …
+  .env                ← DATABASE_URL, CLICKHOUSE_CONNECTION_STRING, SANDBOX0_API_KEY, TRACK_SERVICE_SIGNING_KEY, …
 ```
 
 ### Service Map
@@ -355,7 +318,6 @@ modules/
 |---|---|---|---|
 | `track-service` | `featbit/track-service:local` | 5050 | ClickHouse |
 | `run-active-test` | `featbit/run-active-test:local` | — | track-service (healthy) |
-| `project-agent` | `featbit/project-agent:local` | 3031 | web (healthy) |
 | `web` | `featbit/web:local` | 3000 | — |
 
 The `Local Claude Code` chat path is **not** a docker service — users run `npx @featbit/experimentation-claude-code-connector` on their own machines.
@@ -567,7 +529,6 @@ Use the language-native dev loop:
 |---|---|
 | `modules/web` | `npm run dev` (Next.js HMR) — or `npx tsc --noEmit` + `npm run lint` for compile-time only |
 | `modules/track-service` | `dotnet run` from the project directory |
-| `modules/project-agent` | `npm run dev` in the module |
 | `modules/experimentation-claude-code-connector` | `npm run dev` (tsx watch) — only when modifying the connector itself; end-user verification is `npx @featbit/experimentation-claude-code-connector` from outside the repo |
 | `modules/run-active-test-worker` | `npm run dev` (wrangler dev) |
 

RELEASING.md

@@ -0,0 +1,58 @@
+# Releasing
+
+Release flow modelled on [`featbit/featbit`](https://github.com/featbit/featbit) (Docker images) +
+[`featbit/featbit-charts`](https://github.com/featbit/featbit-charts) (Helm chart).
+
+Two GitHub Actions workflows do all the work:
+
+| Workflow | File | Trigger | Output |
+|---|---|---|---|
+| Publish Docker Images | [`.github/workflows/publish-docker-images.yml`](.github/workflows/publish-docker-images.yml) | Manual (`workflow_dispatch`) | Multi-arch images on Docker Hub: `featbit/featbit-rda-track-service:<version>` and `featbit/featbit-rda-web:<version>` |
+| Release Charts | [`.github/workflows/release-charts.yml`](.github/workflows/release-charts.yml) | Push to `main` under `charts/**` | A new GitHub Release `featbit-rda-<chart-version>` containing the packaged `.tgz`, plus an updated `index.yaml` on the `gh-pages` branch |
+
+## One-time GitHub setup
+
+1. **Create a `Production` environment** in repo Settings → Environments → New environment → name it `Production` (capital P, matches the `environment:` key in both workflows).
+2. **Add Docker Hub secrets to the `Production` environment**:
+   - `DOCKER_HUB_USERNAME` — Docker Hub user/org that owns the images. Must be `featbit` to publish under the official namespace.
+   - `DOCKER_HUB_ACCESS_TOKEN` — Docker Hub PAT with `Read, Write, Delete` on the `featbit` namespace.
+3. **Enable a `gh-pages` branch** for the Helm repo. The chart-releaser action will create it on first run if missing; you only need to flip Settings → Pages → Source = `gh-pages` / `/ (root)` *after* the first successful chart release so the index becomes browseable at `https://featbit.github.io/featbit-release-decision-agent`.
+4. **Workflow permissions** — Settings → Actions → General → Workflow permissions → "Read and write permissions". chart-releaser needs this to push to `gh-pages` and create releases.
+
+## Cutting an image release
+
+When you've merged code changes that need to ship in a new image:
+
+1. Decide the version (e.g. `0.4.0` for track-service, or whatever you'll pin in `values.yaml` next).
+2. GitHub → Actions → **Publish Docker Images** → Run workflow:
+   - **version**: `0.4.0`
+   - **build-latest**: usually leave off; flip on for stable cuts you want `:latest` to follow.
+   - **next-public-featbit-api-url**: defaults to `https://app-api.featbit.co` (FeatBit SaaS). Override if you're publishing an image targeting a self-hosted FeatBit backend — this value is baked into the web bundle and cannot be changed at runtime.
+3. Wait for both matrix jobs (`featbit-rda-track-service`, `featbit-rda-web`) to go green. Verify on Docker Hub.
+
+## Cutting a chart release
+
+The chart release is automatic on every push to `main` that touches `charts/**`, but only publishes when `Chart.yaml`'s `version:` is **new** (i.e. no existing GitHub Release tag matches `featbit-rda-<version>`). Workflow:
+
+1. Bump image tags in `charts/featbit-rda/values.yaml` to the just-published version(s).
+2. Bump `version:` (and usually `appVersion:`) in `charts/featbit-rda/Chart.yaml`. Use SemVer; chart-releaser refuses to re-release a version that already has a Release.
+3. Commit + merge to `main`.
+4. The `Release Charts` workflow runs, creates GitHub Release `featbit-rda-<version>`, attaches the packaged `.tgz`, and pushes the updated `index.yaml` to `gh-pages`.
+
+## Consuming the published chart
+
+Once the first chart release ships and `gh-pages` is exposed via GitHub Pages:
+
+```bash
+helm repo add featbit-rda https://featbit.github.io/featbit-release-decision-agent
+helm repo update
+helm install my-rda featbit-rda/featbit-rda --version 0.2.0
+```
+
+Until then, point `helm install` at the local checkout (the existing flow documented in `charts/README.md`).
+
+## Recommended cadence
+
+- Publish images first; verify by pulling them in a smoke environment.
+- Then bump `values.yaml` + `Chart.yaml` in a single commit so the chart release strictly follows working images.
+- Image tags and chart `appVersion` don't have to match each other — track-service and web typically version independently — but the chart's own `version:` must always be bumped per release.

charts/featbit-rda/examples/aks/values.yaml

@@ -107,15 +107,10 @@ trackService:
       secretName: "track-service-tls"
 
 # ── web ────────────────────────────────────────────────────────────────────────
-# NOTE: `NEXT_PUBLIC_*` build args are baked at `next build` time. The default
-# agent backend is sandbox0 (Managed Agents) and only needs the FeatBit auth
-# URL at build time:
+# NOTE: `NEXT_PUBLIC_FEATBIT_API_URL` is baked at `next build` time:
 #   docker build modules/web \
 #     --build-arg NEXT_PUBLIC_FEATBIT_API_URL=https://app-api.featbit.co \
-#     -t your-acr.azurecr.io/featbit/web:0.2.0
-#
-# `NEXT_PUBLIC_SANDBOX_URL` is only relevant when explicitly setting
-# `NEXT_PUBLIC_AGENT_BACKEND=classic` to revert to the SSE backend.
+#     -t your-acr.azurecr.io/featbit/featbit-rda-web:<version>
 #
 # Server-side runtime envs (`SANDBOX0_API_KEY`, `SANDBOX0_BASE_URL`) are NOT
 # build-time — pass them via `extraEnv` below or project them from Azure