Skip to content

Commit d3bad77

Browse files
author
Santosh Kathira
committed
Public release: 2026-07-17
0 parents  commit d3bad77

2,848 files changed

Lines changed: 601926 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.env.example

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
# SuperBased Observer — local secrets template
2+
#
3+
# Copy this file to `.env` and fill in the values you need. The
4+
# real `.env` is gitignored (see /.gitignore), so anything you put
5+
# there stays on your machine.
6+
#
7+
# Usage:
8+
# set -a; source .env; set +a # bash / zsh — exports every line
9+
# # then run vsce / ovsx with $VSCE_PAT / $OVSX_PAT available
10+
#
11+
# Or pass explicitly:
12+
# npx --yes @vscode/vsce publish --packagePath … --pat "$VSCE_PAT"
13+
# npx --yes ovsx publish … --pat "$OVSX_PAT"
14+
#
15+
# IMPORTANT: never `git add .env`. The .gitignore is your safety
16+
# rail but `git add -f .env` would bypass it. The `vscode/`
17+
# .vscodeignore additionally blocks .env from ever riding into a
18+
# published VSIX, but the right habit is still "secrets live only
19+
# in ~/.env or here, never in tracked files".
20+
21+
# -----------------------------------------------------------------
22+
# VS Code Marketplace publish token
23+
# -----------------------------------------------------------------
24+
# Mint at https://dev.azure.com/<your-org>/_usersSettings/tokens
25+
# - Organization: "All accessible organizations" (critical!)
26+
# - Scopes: Marketplace → Manage
27+
# - Expiration: 90 days / 1 year — your choice
28+
# Also stored as the VSCE_PAT secret on marmutapp/superbased-observer-private
29+
# for the npm-release.yml `vscode-publish` job.
30+
VSCE_PAT=
31+
32+
# -----------------------------------------------------------------
33+
# Open VSX publish token (Cursor / VSCodium / Windsurf registry)
34+
# -----------------------------------------------------------------
35+
# Mint at https://open-vsx.org/user-settings/tokens after signing the
36+
# Eclipse Foundation Publisher Agreement at
37+
# https://open-vsx.org/user-settings/profile.
38+
# Also stored as the OVSX_PAT secret on marmutapp/superbased-observer-private.
39+
OVSX_PAT=

.gitattributes

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
# .gitattributes — line-ending posture for the SuperBased Observer tree.
2+
#
3+
# Issue 6 of the 2026-06-02 teams test findings: a Windows checkout with
4+
# default core.autocrlf=true rewrote every text file's line endings to
5+
# CRLF on the working tree, and the alpine `sh` inside the dev-stack
6+
# `keygen` container failed to parse the resulting `keygen.sh`
7+
# (`set: illegal option -`), aborting the org-stack bring-up. The
8+
# fix (and the prevention for any future Windows-clone-meets-alpine
9+
# trap) is to declare every text file LF-only at the .gitattributes
10+
# layer: Git rewrites CRLF → LF on stage and serves LF on checkout
11+
# regardless of core.autocrlf.
12+
#
13+
# Existing CRLF in a working tree won't auto-fix; an operator who hit
14+
# the trap previously can renormalize after pulling this commit with:
15+
#
16+
# git add --renormalize . && git commit -m "chore: re-normalize EOL"
17+
#
18+
# The `* text=auto eol=lf` line covers anything Git detects as text.
19+
# The explicit declarations below pin the LF posture for files
20+
# Git heuristics sometimes misclassify (mostly extensionless shell
21+
# scripts) and for binary types we never want LF-converted.
22+
23+
* text=auto eol=lf
24+
25+
# Shell + container scripts that must run under sh / bash / alpine.
26+
*.sh text eol=lf
27+
*.bash text eol=lf
28+
Makefile text eol=lf
29+
Dockerfile text eol=lf
30+
Dockerfile* text eol=lf
31+
.dockerignore text eol=lf
32+
33+
# YAML / TOML / JSON config (compose, github actions, package
34+
# manifests). Some Windows editors silently emit CRLF; this pins LF.
35+
*.yaml text eol=lf
36+
*.yml text eol=lf
37+
*.toml text eol=lf
38+
*.json text eol=lf
39+
40+
# Go source — gofmt already enforces LF, but the explicit declaration
41+
# protects against an IDE editing a file outside the gofmt pipeline.
42+
*.go text eol=lf
43+
44+
# Documentation.
45+
*.md text eol=lf
46+
47+
# Binary types — Git won't try to munge these.
48+
*.png binary
49+
*.jpg binary
50+
*.jpeg binary
51+
*.gif binary
52+
*.svg text eol=lf
53+
*.ico binary
54+
*.pdf binary
55+
*.zip binary
56+
*.tar.gz binary
57+
*.tgz binary
58+
*.gz binary
59+
*.woff binary
60+
*.woff2 binary
61+
*.ttf binary
62+
*.otf binary
63+
*.vsix binary
64+
*.wheel binary
65+
*.whl binary

.github/workflows/ci.yml

Lines changed: 209 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,209 @@
1+
# Continuous-integration gates — run on every PR + every push to
2+
# main. Catches frontend type errors, Go vet/test regressions, and
3+
# the "I forgot to run `make web-build` before committing" class of
4+
# bug that silently shipped pre-v1.6.0.
5+
#
6+
# Tagged-release builds are handled by npm-release.yml; this file is
7+
# the pre-merge / pre-tag safety net.
8+
9+
name: ci
10+
11+
on:
12+
pull_request:
13+
push:
14+
branches: [main]
15+
16+
permissions:
17+
contents: read
18+
19+
jobs:
20+
# ----------------------------------------------------------------
21+
# React frontend gates: install, typecheck, build. Also asserts the
22+
# committed embedded dist matches what a fresh build produces — if
23+
# `web/src/` was edited without rerunning `make web-build`, this
24+
# job fails with a clear actionable message. Without this gate the
25+
# embedded bundle silently drifted from the React source.
26+
# ----------------------------------------------------------------
27+
frontend:
28+
name: frontend
29+
runs-on: ubuntu-latest
30+
steps:
31+
- uses: actions/checkout@v5
32+
33+
- uses: actions/setup-node@v5
34+
with:
35+
node-version: '22'
36+
cache: 'npm'
37+
cache-dependency-path: web/package-lock.json
38+
39+
- name: npm ci
40+
run: |
41+
cd web
42+
npm ci
43+
44+
- name: typecheck
45+
run: |
46+
cd web
47+
npm run typecheck
48+
49+
- name: build
50+
run: |
51+
cd web
52+
npm run build
53+
54+
- name: dist consistency check
55+
# Mirrors `make web-build`'s second half: regenerates the
56+
# embedded dir from web/dist and asserts it matches what's
57+
# committed. If it doesn't, the dev edited web/src/ but
58+
# forgot to commit the rebuilt bundle — a stale embed would
59+
# ship on the next release.
60+
run: |
61+
set -euo pipefail
62+
rm -rf internal/intelligence/dashboard/webapp/dist
63+
mkdir -p internal/intelligence/dashboard/webapp/dist
64+
cp -R web/dist/. internal/intelligence/dashboard/webapp/dist/
65+
if ! git diff --quiet --exit-code internal/intelligence/dashboard/webapp/dist; then
66+
echo "::error::Committed webapp/dist drifted from web/dist. Run \`make web-build\` and commit the result."
67+
git diff --stat internal/intelligence/dashboard/webapp/dist | head -40
68+
exit 1
69+
fi
70+
echo "embedded dist matches fresh build ✓"
71+
72+
# ----------------------------------------------------------------
73+
# Go gates — vet, test, build. Pure-Go so no special toolchain
74+
# beyond setup-go. Frontend build is independent (this job doesn't
75+
# need a fresh dist to compile; the committed embed satisfies the
76+
# //go:embed directive at compile time, even if it's stale for the
77+
# purposes of the runtime UI).
78+
# ----------------------------------------------------------------
79+
go:
80+
name: go
81+
runs-on: ubuntu-latest
82+
steps:
83+
- uses: actions/checkout@v5
84+
85+
- uses: actions/setup-go@v6
86+
with:
87+
go-version-file: 'go.mod'
88+
cache: true
89+
90+
- name: vet
91+
run: go vet ./...
92+
93+
- name: lint
94+
# golangci-lint enforces the full .golangci.yml set — including
95+
# gofumpt + goimports formatting, errorlint, gosec, gocritic, and
96+
# gocyclo (threshold 30; see .golangci.yml for the documented
97+
# pre-existing exclusions). Joined CI in Teams M5; the tree is clean.
98+
uses: golangci/golangci-lint-action@v6
99+
with:
100+
version: v1.64.8
101+
# Build golangci-lint from source with the runner's Go (1.25 via
102+
# setup-go/go.mod). The prebuilt v1.64.8 binary is compiled with
103+
# go1.24 and refuses to run against a go.mod that targets 1.25
104+
# ("language version used to build golangci-lint is lower than the
105+
# targeted Go version"). goinstall sidesteps that mismatch.
106+
install-mode: goinstall
107+
108+
- name: test
109+
# -race catches the watcher / proxy concurrency bugs that
110+
# otherwise slip past until live use. -timeout 25m: the
111+
# intelligence/dashboard suite exceeds go test's default 10m
112+
# per-binary timeout under -race on CI runners (observed
113+
# 2026-07-11, first full test run after the lint debt cleared).
114+
run: go test -race -timeout 25m ./...
115+
116+
- name: build
117+
# `make build` skipped here — that target requires Node for
118+
# web-build, which the frontend job already verified. This
119+
# step exercises the Go compile path against the committed
120+
# embedded dist.
121+
run: |
122+
mkdir -p bin
123+
go build -trimpath -o bin/observer ./cmd/observer
124+
GOOS=windows GOARCH=amd64 go build -trimpath -o bin/antigravity-bridge.exe ./cmd/antigravity-bridge
125+
ls -l bin/
126+
127+
# ----------------------------------------------------------------
128+
# Distribution README drift gate. The npm and PyPI READMEs share a
129+
# large body (Per-AI-client setup through Configuration) sourced from
130+
# docs/distribution/README-body.md. If a contributor edits one
131+
# channel's README directly instead of the body file, this job fails
132+
# with the diff and a "run `make sync-distribution-readmes`" hint.
133+
# ----------------------------------------------------------------
134+
distribution-readmes:
135+
name: distribution README drift
136+
runs-on: ubuntu-latest
137+
steps:
138+
- uses: actions/checkout@v5
139+
- name: Verify
140+
run: make verify-distribution-readmes
141+
142+
# ----------------------------------------------------------------
143+
# Website accuracy gate (SEO playbook §1.5). Same check the deploy
144+
# workflow runs pre-publish, run here too so a PR that introduces
145+
# stale version/adapter-count/MCP-census strings (or the retracted
146+
# compression-savings claim, or broken JSON-LD) fails fast at review
147+
# time instead of only at the next push-to-main deploy. node builtins
148+
# only — no setup-node/install step needed.
149+
# ----------------------------------------------------------------
150+
website-accuracy:
151+
name: website accuracy check
152+
runs-on: ubuntu-latest
153+
steps:
154+
- uses: actions/checkout@v5
155+
- name: Verify
156+
run: node website/tools/accuracy-check.mjs
157+
158+
# ----------------------------------------------------------------
159+
# Helm chart smoke (Teams M5). Lint + template the observer-org chart,
160+
# then `helm install` it into an ephemeral kind cluster to prove the
161+
# rendered manifests are accepted by a real API server and the release
162+
# deploys. Pod readiness is NOT asserted: the server fetches its SAML
163+
# IdP metadata at startup, so a Ready pod needs real secrets + a
164+
# reachable IdP that the operator supplies. Here we verify the chart
165+
# installs cleanly and the core objects are created.
166+
# ----------------------------------------------------------------
167+
helm:
168+
name: helm chart
169+
runs-on: ubuntu-latest
170+
steps:
171+
- uses: actions/checkout@v5
172+
173+
- uses: azure/setup-helm@v4
174+
with:
175+
version: v3.21.0
176+
177+
- name: Lint + template
178+
run: |
179+
set -euo pipefail
180+
helm lint charts/observer-org -f charts/observer-org/ci/test-values.yaml
181+
helm template obs charts/observer-org -f charts/observer-org/ci/test-values.yaml > /dev/null
182+
183+
- name: Create kind cluster
184+
uses: helm/kind-action@v1
185+
186+
- name: Install into kind
187+
run: |
188+
set -euo pipefail
189+
kubectl create namespace obs
190+
# Placeholder secret so the required secrets.existingSecret
191+
# resolves. Not valid key material — the pod won't reach Ready
192+
# (no live IdP), but the release installs and every manifest is
193+
# validated by the real API server.
194+
kubectl create secret generic observer-org-secrets -n obs \
195+
--from-literal=bearer-signing.key=placeholder \
196+
--from-literal=session.key=placeholder \
197+
--from-literal=sp.crt=placeholder \
198+
--from-literal=sp.key=placeholder \
199+
--from-literal=scim-token=placeholder
200+
helm install obs charts/observer-org -n obs \
201+
-f charts/observer-org/ci/test-values.yaml
202+
echo "=== release status ==="
203+
helm status obs -n obs
204+
echo "=== objects ==="
205+
kubectl get deploy,svc,pvc,cm,sa -n obs
206+
kubectl get deploy/obs-observer-org -n obs
207+
kubectl get svc/obs-observer-org -n obs
208+
kubectl get pvc -n obs | grep -q obs-observer-org-data
209+
echo "Helm chart installs cleanly ✓"

0 commit comments

Comments
 (0)