chore: oss launch

Author: albri

.dockerignore

@@ -0,0 +1,66 @@
+# =============================================================================
+# mdplane Docker Ignore File
+# Excludes files from Docker build context for faster builds
+# =============================================================================
+
+# Dependencies (reinstalled in container)
+node_modules
+.pnpm-store
+
+# Build artifacts (rebuilt in container)
+.next
+.turbo
+dist
+build
+out
+
+# Version control
+.git
+.gitignore
+
+# Test files
+**/__tests__
+**/*.test.ts
+**/*.test.tsx
+**/*.spec.ts
+**/*.spec.tsx
+coverage
+
+# Documentation (not needed in container)
+*.md
+!README.md
+docs/
+
+# Environment files (pass secrets at runtime)
+.env*
+!.env.example
+
+# IDE and editor files
+.vscode
+.idea
+*.swp
+*.swo
+.DS_Store
+
+# Logs
+logs
+*.log
+npm-debug.log*
+pnpm-debug.log*
+
+# Database files (mounted via volume)
+*.sqlite
+*.sqlite-wal
+*.sqlite-shm
+data/
+
+# Task files (development only)
+tasks/
+
+# Misc
+*.bak
+*.tmp
+*.tsbuildinfo
+.vercel
+.cache
+.eslintcache

.env.example

@@ -0,0 +1,70 @@
+# =============================================================================
+# mdplane Monorepo Environment Variables
+# Copy this file to .env in the repository root for local development.
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Server (@mdplane/server)
+# -----------------------------------------------------------------------------
+
+NODE_ENV=development
+PORT=3001
+HOST=0.0.0.0
+DATABASE_URL=./data/mdplane.sqlite
+
+# Public origins returned in API responses.
+BASE_URL=http://127.0.0.1:3001
+APP_URL=http://127.0.0.1:3000
+
+# Better Auth API origin (must point to the server host).
+BETTER_AUTH_URL=http://127.0.0.1:3001
+
+# Required in production:
+# - BETTER_AUTH_SECRET: Better Auth signing secret.
+# - MP_JWT_SECRET: base64-encoded 32-byte secret for WebSocket token signing.
+# BETTER_AUTH_SECRET=
+# MP_JWT_SECRET=
+
+# Optional OAuth providers (required only if OAuth login is enabled).
+# GITHUB_CLIENT_ID=
+# GITHUB_CLIENT_SECRET=
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
+
+# Optional operator and runtime controls.
+# ADMIN_SECRET=
+MDPLANE_GOVERNED_MODE=false
+# WS_URL=ws://127.0.0.1:3001/ws
+# DISABLE_BACKGROUND_JOBS=false
+# ALLOW_HTTP_WEBHOOKS=false
+# MP_DEBUG_WS=false
+# MAX_WORKSPACE_STORAGE_BYTES=104857600
+# MAX_FILE_SIZE_BYTES=10485760
+# MAX_VOLUME_SIZE_BYTES=5368709120
+
+# -----------------------------------------------------------------------------
+# Web (@mdplane/web)
+# -----------------------------------------------------------------------------
+
+NEXT_PUBLIC_API_URL=http://127.0.0.1:3001
+NEXT_PUBLIC_APP_URL=http://127.0.0.1:3000
+NEXT_PUBLIC_GOVERNED_MODE=false
+# Optional server-side API override for Docker/internal networking.
+# API_INTERNAL_URL=http://server:3001
+
+# Optional override vars.
+# NEXT_PUBLIC_WS_URL=ws://127.0.0.1:3001/ws
+
+# -----------------------------------------------------------------------------
+# Docs / Landing metadata (optional)
+# -----------------------------------------------------------------------------
+
+# NEXT_PUBLIC_DOCS_URL=http://127.0.0.1:3002
+# NEXT_PUBLIC_SITE_URL=http://127.0.0.1:3004
+
+# -----------------------------------------------------------------------------
+# CLI overrides (optional)
+# -----------------------------------------------------------------------------
+
+# MDPLANE_API_URL=http://127.0.0.1:3001
+# MDPLANE_APP_URL=http://127.0.0.1:3000

.env.selfhost.example

@@ -0,0 +1,93 @@
+# =============================================================================
+# mdplane Self-Host Docker Compose Environment
+# Copy to .env.selfhost and use with:
+# pnpm run selfhost:min:up
+# =============================================================================
+
+# Optional host port overrides (compose defaults: app=3000, api=3001, docs=3002, landing=3004).
+# APP_PORT=3000
+# API_PORT=3001
+# DOCS_PORT=3002
+# LANDING_PORT=3004
+#
+# If you change host ports, also update the localhost URL vars below so generated links,
+# browser calls, and websocket connections stay consistent.
+# Required pairings:
+# - API_PORT <-> BASE_URL, BETTER_AUTH_URL, WS_URL, NEXT_PUBLIC_API_URL, NEXT_PUBLIC_WS_URL, LANDING_NEXT_PUBLIC_API_URL
+# - APP_PORT <-> APP_URL, NEXT_PUBLIC_APP_URL
+# - DOCS_PORT <-> NEXT_PUBLIC_DOCS_URL
+# - LANDING_PORT <-> NEXT_PUBLIC_SITE_URL
+
+# Local default origins (change for production deployments).
+BASE_URL=http://localhost:3001
+APP_URL=http://localhost:3000
+WS_URL=ws://localhost:3001/ws
+BETTER_AUTH_URL=http://localhost:3001
+
+# Required secrets.
+# Generate with:
+# node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
+BETTER_AUTH_SECRET=local-selfhost-better-auth-secret-32-bytes-min
+MP_JWT_SECRET=local-selfhost-jwt-secret-32-bytes-minimum
+
+# Capability-first mode default. Set true to enable governed control features.
+MDPLANE_GOVERNED_MODE=false
+NEXT_PUBLIC_GOVERNED_MODE=false
+
+# Web public URLs.
+API_INTERNAL_URL=http://server:3001
+NEXT_PUBLIC_API_URL=http://localhost:3001
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+NEXT_PUBLIC_WS_URL=ws://localhost:3001/ws
+
+# Optional OAuth providers for governed mode.
+# GITHUB_CLIENT_ID=
+# GITHUB_CLIENT_SECRET=
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
+
+# Optional operator/admin endpoint token.
+# ADMIN_SECRET=
+
+# Trust proxy-provided IP headers (X-Real-IP / X-Forwarded-For) in addition to CF-Connecting-IP.
+# Enable only when your ingress proxy strips and rewrites these headers.
+# TRUST_PROXY_HEADERS=false
+# Optional shared secret required on proxy-forwarded requests before trusting client IP headers.
+# Recommended for platforms where origin IP allowlisting is not available.
+# TRUSTED_PROXY_SHARED_SECRET=
+# TRUSTED_PROXY_SHARED_SECRET_HEADER=x-mdplane-proxy-secret
+# Trust a single-value X-Forwarded-For header as client IP.
+# Keep disabled unless your proxy always overwrites this header.
+# TRUST_SINGLE_X_FORWARDED_FOR=false
+# Require trusted client IP on anonymous sensitive endpoints (/bootstrap, /capabilities/check).
+# Defaults to true in production.
+# REQUIRE_TRUSTED_CLIENT_IP_FOR_ANON_RATE_LIMITS=true
+
+# Optional rate-limit overrides (requests per window + window in ms).
+# RATE_LIMIT_BOOTSTRAP_LIMIT=10
+# RATE_LIMIT_BOOTSTRAP_WINDOW_MS=3600000
+# RATE_LIMIT_READ_LIMIT=1000
+# RATE_LIMIT_READ_WINDOW_MS=60000
+# RATE_LIMIT_WRITE_LIMIT=100
+# RATE_LIMIT_WRITE_WINDOW_MS=60000
+# RATE_LIMIT_APPEND_LIMIT=200
+# RATE_LIMIT_APPEND_WINDOW_MS=60000
+# RATE_LIMIT_SEARCH_LIMIT=60
+# RATE_LIMIT_SEARCH_WINDOW_MS=60000
+# RATE_LIMIT_SUBSCRIBE_LIMIT=10
+# RATE_LIMIT_SUBSCRIBE_WINDOW_MS=60000
+# RATE_LIMIT_BULK_LIMIT=10
+# RATE_LIMIT_BULK_WINDOW_MS=60000
+# RATE_LIMIT_WEBHOOK_CREATE_LIMIT=5
+# RATE_LIMIT_WEBHOOK_CREATE_WINDOW_MS=3600000
+# RATE_LIMIT_CAPABILITY_CHECK_LIMIT=5
+# RATE_LIMIT_CAPABILITY_CHECK_WINDOW_MS=60000
+
+# Optional full-profile docs + landing public URLs.
+# NEXT_PUBLIC_DOCS_URL=https://docs.example.com
+# NEXT_PUBLIC_SITE_URL=https://www.example.com
+# LANDING_NEXT_PUBLIC_API_URL=https://api.example.com
+
+# Production note:
+# - Replace localhost URLs with public HTTPS origins
+# - Replace sample secrets with cryptographically random values

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default owners for all files
+* @albri