Skip to content

Commit fc8dbf3

Browse files
author
Santosh Kathira
committed
Public release: 2026-07-07
0 parents  commit fc8dbf3

2,310 files changed

Lines changed: 488836 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.env.example

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
# SuperBased Observer — local secrets template
2+
#
3+
# Copy this file to `.env` and fill in the values you need. The
4+
# real `.env` is gitignored (see /.gitignore), so anything you put
5+
# there stays on your machine.
6+
#
7+
# Usage:
8+
# set -a; source .env; set +a # bash / zsh — exports every line
9+
# # then run vsce / ovsx with $VSCE_PAT / $OVSX_PAT available
10+
#
11+
# Or pass explicitly:
12+
# npx --yes @vscode/vsce publish --packagePath … --pat "$VSCE_PAT"
13+
# npx --yes ovsx publish … --pat "$OVSX_PAT"
14+
#
15+
# IMPORTANT: never `git add .env`. The .gitignore is your safety
16+
# rail but `git add -f .env` would bypass it. The `vscode/`
17+
# .vscodeignore additionally blocks .env from ever riding into a
18+
# published VSIX, but the right habit is still "secrets live only
19+
# in ~/.env or here, never in tracked files".
20+
21+
# -----------------------------------------------------------------
22+
# VS Code Marketplace publish token
23+
# -----------------------------------------------------------------
24+
# Mint at https://dev.azure.com/<your-org>/_usersSettings/tokens
25+
# - Organization: "All accessible organizations" (critical!)
26+
# - Scopes: Marketplace → Manage
27+
# - Expiration: 90 days / 1 year — your choice
28+
# Also stored as the VSCE_PAT secret on marmutapp/superbased-observer-private
29+
# for the npm-release.yml `vscode-publish` job.
30+
VSCE_PAT=
31+
32+
# -----------------------------------------------------------------
33+
# Open VSX publish token (Cursor / VSCodium / Windsurf registry)
34+
# -----------------------------------------------------------------
35+
# Mint at https://open-vsx.org/user-settings/tokens after signing the
36+
# Eclipse Foundation Publisher Agreement at
37+
# https://open-vsx.org/user-settings/profile.
38+
# Also stored as the OVSX_PAT secret on marmutapp/superbased-observer-private.
39+
OVSX_PAT=

.gitattributes

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
# .gitattributes — line-ending posture for the SuperBased Observer tree.
2+
#
3+
# Issue 6 of the 2026-06-02 teams test findings: a Windows checkout with
4+
# default core.autocrlf=true rewrote every text file's line endings to
5+
# CRLF on the working tree, and the alpine `sh` inside the dev-stack
6+
# `keygen` container failed to parse the resulting `keygen.sh`
7+
# (`set: illegal option -`), aborting the org-stack bring-up. The
8+
# fix (and the prevention for any future Windows-clone-meets-alpine
9+
# trap) is to declare every text file LF-only at the .gitattributes
10+
# layer: Git rewrites CRLF → LF on stage and serves LF on checkout
11+
# regardless of core.autocrlf.
12+
#
13+
# Existing CRLF in a working tree won't auto-fix; an operator who hit
14+
# the trap previously can renormalize after pulling this commit with:
15+
#
16+
# git add --renormalize . && git commit -m "chore: re-normalize EOL"
17+
#
18+
# The `* text=auto eol=lf` line covers anything Git detects as text.
19+
# The explicit declarations below pin the LF posture for files
20+
# Git heuristics sometimes misclassify (mostly extensionless shell
21+
# scripts) and for binary types we never want LF-converted.
22+
23+
* text=auto eol=lf
24+
25+
# Shell + container scripts that must run under sh / bash / alpine.
26+
*.sh text eol=lf
27+
*.bash text eol=lf
28+
Makefile text eol=lf
29+
Dockerfile text eol=lf
30+
Dockerfile* text eol=lf
31+
.dockerignore text eol=lf
32+
33+
# YAML / TOML / JSON config (compose, github actions, package
34+
# manifests). Some Windows editors silently emit CRLF; this pins LF.
35+
*.yaml text eol=lf
36+
*.yml text eol=lf
37+
*.toml text eol=lf
38+
*.json text eol=lf
39+
40+
# Go source — gofmt already enforces LF, but the explicit declaration
41+
# protects against an IDE editing a file outside the gofmt pipeline.
42+
*.go text eol=lf
43+
44+
# Documentation.
45+
*.md text eol=lf
46+
47+
# Binary types — Git won't try to munge these.
48+
*.png binary
49+
*.jpg binary
50+
*.jpeg binary
51+
*.gif binary
52+
*.svg text eol=lf
53+
*.ico binary
54+
*.pdf binary
55+
*.zip binary
56+
*.tar.gz binary
57+
*.tgz binary
58+
*.gz binary
59+
*.woff binary
60+
*.woff2 binary
61+
*.ttf binary
62+
*.otf binary
63+
*.vsix binary
64+
*.wheel binary
65+
*.whl binary

.github/workflows/ci.yml

Lines changed: 190 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,190 @@
1+
# Continuous-integration gates — run on every PR + every push to
2+
# main. Catches frontend type errors, Go vet/test regressions, and
3+
# the "I forgot to run `make web-build` before committing" class of
4+
# bug that silently shipped pre-v1.6.0.
5+
#
6+
# Tagged-release builds are handled by npm-release.yml; this file is
7+
# the pre-merge / pre-tag safety net.
8+
9+
name: ci
10+
11+
on:
12+
pull_request:
13+
push:
14+
branches: [main]
15+
16+
permissions:
17+
contents: read
18+
19+
jobs:
20+
# ----------------------------------------------------------------
21+
# React frontend gates: install, typecheck, build. Also asserts the
22+
# committed embedded dist matches what a fresh build produces — if
23+
# `web/src/` was edited without rerunning `make web-build`, this
24+
# job fails with a clear actionable message. Without this gate the
25+
# embedded bundle silently drifted from the React source.
26+
# ----------------------------------------------------------------
27+
frontend:
28+
name: frontend
29+
runs-on: ubuntu-latest
30+
steps:
31+
- uses: actions/checkout@v5
32+
33+
- uses: actions/setup-node@v5
34+
with:
35+
node-version: '22'
36+
cache: 'npm'
37+
cache-dependency-path: web/package-lock.json
38+
39+
- name: npm ci
40+
run: |
41+
cd web
42+
npm ci
43+
44+
- name: typecheck
45+
run: |
46+
cd web
47+
npm run typecheck
48+
49+
- name: build
50+
run: |
51+
cd web
52+
npm run build
53+
54+
- name: dist consistency check
55+
# Mirrors `make web-build`'s second half: regenerates the
56+
# embedded dir from web/dist and asserts it matches what's
57+
# committed. If it doesn't, the dev edited web/src/ but
58+
# forgot to commit the rebuilt bundle — a stale embed would
59+
# ship on the next release.
60+
run: |
61+
set -euo pipefail
62+
rm -rf internal/intelligence/dashboard/webapp/dist
63+
mkdir -p internal/intelligence/dashboard/webapp/dist
64+
cp -R web/dist/. internal/intelligence/dashboard/webapp/dist/
65+
if ! git diff --quiet --exit-code internal/intelligence/dashboard/webapp/dist; then
66+
echo "::error::Committed webapp/dist drifted from web/dist. Run \`make web-build\` and commit the result."
67+
git diff --stat internal/intelligence/dashboard/webapp/dist | head -40
68+
exit 1
69+
fi
70+
echo "embedded dist matches fresh build ✓"
71+
72+
# ----------------------------------------------------------------
73+
# Go gates — vet, test, build. Pure-Go so no special toolchain
74+
# beyond setup-go. Frontend build is independent (this job doesn't
75+
# need a fresh dist to compile; the committed embed satisfies the
76+
# //go:embed directive at compile time, even if it's stale for the
77+
# purposes of the runtime UI).
78+
# ----------------------------------------------------------------
79+
go:
80+
name: go
81+
runs-on: ubuntu-latest
82+
steps:
83+
- uses: actions/checkout@v5
84+
85+
- uses: actions/setup-go@v6
86+
with:
87+
go-version-file: 'go.mod'
88+
cache: true
89+
90+
- name: vet
91+
run: go vet ./...
92+
93+
- name: lint
94+
# golangci-lint enforces the full .golangci.yml set — including
95+
# gofumpt + goimports formatting, errorlint, gosec, gocritic, and
96+
# gocyclo (threshold 30; see .golangci.yml for the documented
97+
# pre-existing exclusions). Joined CI in Teams M5; the tree is clean.
98+
uses: golangci/golangci-lint-action@v6
99+
with:
100+
version: v1.64.8
101+
# Build golangci-lint from source with the runner's Go (1.25 via
102+
# setup-go/go.mod). The prebuilt v1.64.8 binary is compiled with
103+
# go1.24 and refuses to run against a go.mod that targets 1.25
104+
# ("language version used to build golangci-lint is lower than the
105+
# targeted Go version"). goinstall sidesteps that mismatch.
106+
install-mode: goinstall
107+
108+
- name: test
109+
# -race catches the watcher / proxy concurrency bugs that
110+
# otherwise slip past until live use.
111+
run: go test -race ./...
112+
113+
- name: build
114+
# `make build` skipped here — that target requires Node for
115+
# web-build, which the frontend job already verified. This
116+
# step exercises the Go compile path against the committed
117+
# embedded dist.
118+
run: |
119+
mkdir -p bin
120+
go build -trimpath -o bin/observer ./cmd/observer
121+
GOOS=windows GOARCH=amd64 go build -trimpath -o bin/antigravity-bridge.exe ./cmd/antigravity-bridge
122+
ls -l bin/
123+
124+
# ----------------------------------------------------------------
125+
# Distribution README drift gate. The npm and PyPI READMEs share a
126+
# large body (Per-AI-client setup through Configuration) sourced from
127+
# docs/distribution/README-body.md. If a contributor edits one
128+
# channel's README directly instead of the body file, this job fails
129+
# with the diff and a "run `make sync-distribution-readmes`" hint.
130+
# ----------------------------------------------------------------
131+
distribution-readmes:
132+
name: distribution README drift
133+
runs-on: ubuntu-latest
134+
steps:
135+
- uses: actions/checkout@v5
136+
- name: Verify
137+
run: make verify-distribution-readmes
138+
139+
# ----------------------------------------------------------------
140+
# Helm chart smoke (Teams M5). Lint + template the observer-org chart,
141+
# then `helm install` it into an ephemeral kind cluster to prove the
142+
# rendered manifests are accepted by a real API server and the release
143+
# deploys. Pod readiness is NOT asserted: the server fetches its SAML
144+
# IdP metadata at startup, so a Ready pod needs real secrets + a
145+
# reachable IdP that the operator supplies. Here we verify the chart
146+
# installs cleanly and the core objects are created.
147+
# ----------------------------------------------------------------
148+
helm:
149+
name: helm chart
150+
runs-on: ubuntu-latest
151+
steps:
152+
- uses: actions/checkout@v5
153+
154+
- uses: azure/setup-helm@v4
155+
with:
156+
version: v3.21.0
157+
158+
- name: Lint + template
159+
run: |
160+
set -euo pipefail
161+
helm lint charts/observer-org -f charts/observer-org/ci/test-values.yaml
162+
helm template obs charts/observer-org -f charts/observer-org/ci/test-values.yaml > /dev/null
163+
164+
- name: Create kind cluster
165+
uses: helm/kind-action@v1
166+
167+
- name: Install into kind
168+
run: |
169+
set -euo pipefail
170+
kubectl create namespace obs
171+
# Placeholder secret so the required secrets.existingSecret
172+
# resolves. Not valid key material — the pod won't reach Ready
173+
# (no live IdP), but the release installs and every manifest is
174+
# validated by the real API server.
175+
kubectl create secret generic observer-org-secrets -n obs \
176+
--from-literal=bearer-signing.key=placeholder \
177+
--from-literal=session.key=placeholder \
178+
--from-literal=sp.crt=placeholder \
179+
--from-literal=sp.key=placeholder \
180+
--from-literal=scim-token=placeholder
181+
helm install obs charts/observer-org -n obs \
182+
-f charts/observer-org/ci/test-values.yaml
183+
echo "=== release status ==="
184+
helm status obs -n obs
185+
echo "=== objects ==="
186+
kubectl get deploy,svc,pvc,cm,sa -n obs
187+
kubectl get deploy/obs-observer-org -n obs
188+
kubectl get svc/obs-observer-org -n obs
189+
kubectl get pvc -n obs | grep -q obs-observer-org-data
190+
echo "Helm chart installs cleanly ✓"

0 commit comments

Comments
 (0)