Merge branch 'main' into feat/20-homebrew-formula

Author: zeevdr

.github/workflows/duplicate-discussion.yml

@@ -0,0 +1,92 @@
+name: Duplicate discussion check
+
+on:
+  discussion:
+    types: [created]
+
+permissions:
+  discussions: write
+
+jobs:
+  check-duplicate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Find similar discussions
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const discussion = context.payload.discussion;
+            const title = discussion.title || '';
+
+            // Extract meaningful keywords from the title
+            const STOP_WORDS = new Set([
+              'is', 'a', 'the', 'for', 'in', 'on', 'with', 'how', 'do',
+              'does', 'can', 'to', 'of', 'and', 'or', 'it', 'at', 'by',
+              'an', 'be', 'as', 'from', 'that', 'this', 'what', 'why',
+              'when', 'where', 'which', 'who', 'will', 'are', 'was',
+              'not', 'my', 'we', 'i', 'you',
+            ]);
+
+            const keywords = title
+              .toLowerCase()
+              .replace(/[^a-z0-9\s]/g, ' ')
+              .split(/\s+/)
+              .filter(w => w.length > 1 && !STOP_WORDS.has(w))
+              .slice(0, 5);
+
+            if (keywords.length < 2) {
+              core.info('Title too short or no meaningful keywords; skipping duplicate check.');
+              return;
+            }
+
+            const searchQuery = `repo:opendecree/decree is:discussion ${keywords.join(' ')}`;
+            core.info(`Search query: ${searchQuery}`);
+
+            let items;
+            try {
+              const results = await github.rest.search.issuesAndPullRequests({
+                q: searchQuery,
+                per_page: 5,
+              });
+              items = results.data.items;
+            } catch (err) {
+              core.warning(`Search API error (skipping): ${err.message}`);
+              return;
+            }
+
+            // Filter out the current discussion
+            const matches = items
+              .filter(item => item.number !== discussion.number)
+              .slice(0, 3);
+
+            if (matches.length === 0) {
+              core.info('No similar discussions found; no comment posted.');
+              return;
+            }
+
+            const bulletList = matches
+              .map(item => `- [${item.title}](${item.html_url})`)
+              .join('\n');
+
+            const commentBody = [
+              '👋 Before the community answers, here are some existing discussions that might cover your question:',
+              '',
+              bulletList,
+              '',
+              'If none of these answer your question, feel free to continue the discussion!',
+            ].join('\n');
+
+            await github.graphql(`
+              mutation AddComment($discussionId: ID!, $body: String!) {
+                addDiscussionComment(input: {discussionId: $discussionId, body: $body}) {
+                  comment { id }
+                }
+              }
+            `, {
+              discussionId: discussion.node_id,
+              body: commentBody,
+            });
+
+            core.info(`Posted duplicate-discussion comment on discussion #${discussion.number}`);

.github/workflows/release.yml

@@ -461,3 +461,39 @@ jobs:
           path: |
             bench-e2e.txt
             bench-e2e-stats.txt
+
+  # Fires repository_dispatch events to decree-python, decree-typescript,
+  # and demos so they can regenerate proto stubs and open PRs automatically.
+  dispatch-sdk-regen:
+    name: Dispatch SDK stub regen
+    needs: [binaries, release-notes]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Dispatch to decree-python
+        # peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@0e0cf047c08f936c436da4399814cdb4880c8cbf
+        with:
+          token: ${{ secrets.PROJECT_TOKEN }}
+          repository: opendecree/decree-python
+          event-type: decree-released
+          client-payload: '{"version": "${{ github.ref_name }}", "sha": "${{ github.sha }}"}'
+
+      - name: Dispatch to decree-typescript
+        # peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@0e0cf047c08f936c436da4399814cdb4880c8cbf
+        with:
+          token: ${{ secrets.PROJECT_TOKEN }}
+          repository: opendecree/decree-typescript
+          event-type: decree-released
+          client-payload: '{"version": "${{ github.ref_name }}", "sha": "${{ github.sha }}"}'
+
+      - name: Dispatch to demos
+        # peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@0e0cf047c08f936c436da4399814cdb4880c8cbf
+        with:
+          token: ${{ secrets.PROJECT_TOKEN }}
+          repository: opendecree/demos
+          event-type: decree-released
+          client-payload: '{"version": "${{ github.ref_name }}", "sha": "${{ github.sha }}"}'

cmd/decree/go.mod

@@ -3,14 +3,12 @@ module github.com/opendecree/decree/cmd/decree
 go 1.24.0
 
 require (
-	github.com/opendecree/decree/api v0.1.2
 	github.com/opendecree/decree/sdk/adminclient v0.1.2
 	github.com/opendecree/decree/sdk/configclient v0.1.2
 	github.com/opendecree/decree/sdk/grpctransport v0.1.0
 	github.com/opendecree/decree/sdk/tools v0.1.0
 	github.com/spf13/cobra v1.10.2
 	google.golang.org/grpc v1.80.0
-	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -19,17 +17,20 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/opendecree/decree/api v0.1.2 // indirect
 	github.com/opendecree/decree/sdk/configwatcher v0.1.2 // indirect
 	github.com/opendecree/decree/sdk/retry v0.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 )
 
 replace github.com/opendecree/decree/api => ../../api

cmd/decree/go.sum

@@ -3,6 +3,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -25,6 +27,8 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
 github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=

codecov.yml

@@ -6,7 +6,7 @@ coverage:
         threshold: 0%
     patch:
       default:
-        target: 80%
+        target: 70%
 
 # Exclusion decisions are documented in scripts/check-coverage.sh (COVERAGE_EXCLUDES).
 # Keep this list in sync with that file.

coverage-thresholds.json

@@ -5,5 +5,5 @@
   "sdk/configclient": 87.1,
   "sdk/configwatcher": 90.9,
   "sdk/grpctransport": 90.0,
-  "sdk/tools": 96.1
+  "sdk/tools": 96.0
 }

docs/adr/ADR-001-grpc-over-rest.md

@@ -0,0 +1,39 @@
+# ADR-001: gRPC over REST
+
+**Date:** 2026-06-05
+**Status:** Accepted
+**Deciders:** OpenDecree maintainers
+
+## Context
+
+OpenDecree is a multi-tenant configuration service that needs to support client SDKs in multiple languages (Go, Python, TypeScript). The API must support:
+
+- Strongly typed contracts shared across the server and all SDK clients
+- Efficient binary serialization for high-throughput config reads
+- Streaming for real-time config change notifications (config watcher pattern)
+- Automatic client code generation to keep SDKs in sync with the server
+
+REST/JSON APIs require manual schema maintenance (OpenAPI), are weakly typed at the transport layer, and lack native streaming. HTTP/2 multiplexing and binary framing make gRPC a better fit for an SDK-centric, performance-sensitive service.
+
+## Decision
+
+Use Protocol Buffers (proto3) as the API schema language and gRPC as the primary transport. Proto files in `proto/centralconfig/v1/` are the single source of truth for the API contract. Generated code is committed to `api/centralconfig/v1/`.
+
+`buf` is used for linting, breaking-change detection, and code generation (running plugins locally via Docker, not remote registries).
+
+## Consequences
+
+**Positive:**
+
+- Strong typing enforced at compile time across all languages
+- Automatic client stub generation via `buf generate` — SDKs are always in sync
+- Native bidirectional streaming for config watch notifications
+- Compact binary encoding (Protocol Buffers) reduces latency and bandwidth vs. JSON
+- `buf lint` and `buf breaking` catch API contract violations before they ship
+
+**Negative:**
+
+- Browser clients cannot call gRPC directly; grpc-web or a transcoding gateway is required
+- Not curl-friendly — human debugging requires tooling such as grpcurl or a gRPC reflection client
+- Proto schema changes must follow strict backward-compatibility rules (or be coordinated with a breaking migration during alpha)
+- Adds `buf` and proto toolchain to the developer setup (mitigated by Docker-based generation)

docs/adr/ADR-002-specs-first-workflow.md

@@ -0,0 +1,45 @@
+# ADR-002: Specs-First Workflow
+
+**Date:** 2026-06-05
+**Status:** Accepted
+**Deciders:** OpenDecree maintainers
+
+## Context
+
+OpenDecree has two distinct schema layers that must remain consistent:
+
+1. **API contracts** — defined in `.proto` files, which drive gRPC server interfaces and all SDK clients
+2. **Database contracts** — defined in `.sql` query files, which drive the Go database access layer via `sqlc`
+
+Without a clear source-of-truth policy, there is a risk that hand-written Go code diverges from the API or DB schema, especially as the project evolves across multiple contributors and multiple language SDKs. A "code-first" approach would mean maintaining three or more representations of the same concept in sync by hand.
+
+## Decision
+
+Proto files (`proto/centralconfig/v1/`) and SQL query files (`db/queries/`) are the canonical sources of truth. Go implementation code is written after — and in response to — changes in those files.
+
+The standard workflow is:
+
+1. Edit `.proto` or `.sql` files
+2. Run `make generate` (runs `buf generate` and `sqlc generate` in Docker)
+3. Implement or update Go business logic in `internal/`
+4. Run `make test` and `make lint`
+5. Commit — generated files (`*.pb.go`, `*.gen.go`) are checked into git
+
+Generated files are marked as `linguist-generated` in `.gitattributes` so they are excluded from language statistics and diff noise on GitHub.
+
+## Consequences
+
+**Positive:**
+
+- Single source of truth for both the API surface and the DB access layer
+- Consistency is mechanically enforced — divergence between spec and implementation is a compile error
+- Multi-language SDK clients are always in sync with the server API without manual effort
+- `buf breaking` catches accidental API regressions at lint time
+- `sqlc` type-checks SQL at generation time, catching query errors before runtime
+
+**Negative:**
+
+- Extra codegen step is required before implementing any change — developers must run `make generate` before editing business logic
+- Generated files are committed to git, which increases diff size and requires discipline to avoid manual edits to generated files
+- Mistakes in a proto or SQL file can break generation for all downstream modules until fixed
+- Local development requires Docker to run `buf` and `sqlc` generators

docs/adr/ADR-003-postgresql-redis-architecture.md

@@ -0,0 +1,42 @@
+# ADR-003: PostgreSQL + Redis Architecture
+
+**Date:** 2026-06-05
+**Status:** Accepted
+**Deciders:** OpenDecree maintainers
+
+## Context
+
+OpenDecree needs to:
+
+1. Durably store configuration values, schema definitions, and an immutable audit log across multiple tenants
+2. Serve config reads with low latency — config lookups are on the hot path for every service that depends on this system
+3. Propagate configuration changes in real time to connected clients (config watcher subscriptions)
+
+A single data store would force tradeoffs: a relational database handles durable storage and ACID guarantees well but is not the right tool for low-latency cache reads or fan-out pub/sub; an in-memory store handles cache and messaging well but lacks the durability and query capabilities needed for the config history and audit log.
+
+## Decision
+
+Use **PostgreSQL 17** as the primary durable store and **Redis 7** as the cache and pub/sub layer.
+
+- PostgreSQL stores all config values (versioned), schema definitions, tenant records, and the audit log. Row-Level Security enforces tenant isolation at the database layer (see ADR-005).
+- Redis caches resolved config values for fast reads. On a cache miss, the server fetches from PostgreSQL and repopulates the cache.
+- Redis pub/sub propagates change notifications to all server instances when a config value is written, so connected config-watcher clients receive updates promptly across a horizontally scaled deployment.
+
+Both dependencies are placed behind Go interfaces (`cache.Cache`, `pubsub.PubSub`) so they can be swapped or mocked in tests without touching business logic.
+
+## Consequences
+
+**Positive:**
+
+- Proven, widely-adopted technologies with strong operational tooling and hosting options
+- Full ACID guarantees from PostgreSQL for config mutations and audit entries
+- Optimistic read path: most config reads are served from Redis without hitting the database
+- Real-time change propagation across server replicas with minimal coupling
+- Interfaces-behind-abstraction pattern keeps the business logic testable and the dependencies replaceable
+
+**Negative:**
+
+- Two external infrastructure dependencies increase operational complexity compared to a single-store solution
+- Redis is a single point of failure for pub/sub — if Redis is unavailable, change notifications are not delivered (reads can still be served from PostgreSQL, but watchers will not see updates until Redis recovers)
+- Cache invalidation logic must be kept in sync with write paths; a missed invalidation leads to stale reads until TTL expiry
+- Local development and CI require both PostgreSQL and Redis to be running (addressed via Docker Compose)

docs/adr/ADR-004-metadata-headers-first-auth.md

@@ -0,0 +1,40 @@
+# ADR-004: Metadata-Headers-First Authentication
+
+**Date:** 2026-06-05
+**Status:** Accepted
+**Deciders:** OpenDecree maintainers
+
+## Context
+
+OpenDecree serves two very different deployment contexts:
+
+1. **Internal / developer environments** — services on a private network or inside a Kubernetes cluster where callers are trusted and setting up a full JWT/JWKS infrastructure is unnecessary overhead
+2. **Production / multi-tenant environments** — where callers must be cryptographically authenticated and tenant isolation must be enforced
+
+A design that mandates JWT from day one creates friction for adopters who just want to integrate quickly in a trusted network. A design that defaults to no authentication at all provides no path toward production hardening. The auth mechanism must also work cleanly over gRPC, where the standard carrier is request metadata (headers).
+
+## Decision
+
+The default authentication mode uses gRPC metadata headers:
+
+- `x-tenant-id` — identifies the calling tenant
+- `x-role` — declares the caller's role (`superadmin`, `admin`, `viewer`)
+
+In default mode these values are accepted as-is without cryptographic validation. The server applies RBAC via the Guard chain (`TenantScopeGuard`, `RolePolicyGuard`, `FieldLockGuard`) based on the declared values.
+
+JWT/JWKS authentication is opt-in: when configured, an interceptor validates the bearer token against the configured JWKS endpoint and extracts tenant ID and role from token claims, overriding the metadata headers.
+
+## Consequences
+
+**Positive:**
+
+- Zero-config for internal services and development environments — no key management, no JWKS endpoint required
+- Progressive security model: operators can start with header-based auth on a trusted network and migrate to JWT for external-facing deployments without changing client code
+- Clean integration with gRPC metadata conventions
+- Auth logic is isolated in interceptors, keeping service business logic auth-agnostic
+
+**Negative:**
+
+- Default mode is **not safe** without a network trust boundary — any caller that can reach the gRPC port can claim any tenant ID or role; operators must be explicit about this in their deployment security model
+- The distinction between "trusted network mode" and "validated JWT mode" must be clearly communicated in documentation to avoid misconfiguration in production
+- Mixing metadata-header auth with JWT requires careful interceptor ordering to avoid header spoofing when JWT is enabled