diff --git a/knowledge/index.md b/knowledge/index.md index 8b49ef6d0..0118952dc 100644 --- a/knowledge/index.md +++ b/knowledge/index.md 
@@ -4,25 +4,30 @@ Master catalog of all wiki pages, organized by type. ## Repos +- [[bfra-me--github]] — Org control center for `@bfra-me`; pnpm/TypeScript monorepo with 3 custom actions (`renovate-changesets`, `update-metadata`, `update-repository-settings`), 17 workflows, org-wide Fro Bot autoheal (weekdays), canonical `bfra-me/.github:common-settings.yaml`, Fro Bot agent v0.44.2 +- [[bfra-me--ha-addon-repository]] — Template repository for a Home Assistant add-on repository (bfra-me org); multi-arch Docker builds via `home-assistant/builder`, GHCR publishing with cosign, Fro Bot agent v0.43.1 with add-on-aware review/autoheal (Renovate PR #557 queuing v0.46.1; HEAD unchanged on `main` for 14 days as of 2026-05-30) +- [[bfra-me--renovate-action]] — bfra-me/renovate-action +- [[bfra-me--works]] — `@bfra-me` tooling monorepo (pnpm 10.34.1, TS 6, ESM); 9 published packages (`eslint-config`, `prettier-config`, `tsconfig`, `es`, `create`, `badge-config`, `doc-sync`, `semantic-release`, `workspace-analyzer`) + Astro Starlight docs; 11 workflows; Fro Bot agent v0.47.0 (jumped v0.44.2 → v0.46.1 → v0.47.0 on 2026-05-30 alongside PR #3491 fixing dispatch/reusable-call mode resolution); `bfra-me/.github` reusable workflows + Renovate baseline at v4.16.21 - [[fro-bot--agent]] — GitHub Action harness for OpenCode + oMo agents with persistent session state; core runtime powering Fro Bot's PR review, issue triage, scheduled maintenance, and wiki-update capabilities across all managed repos - [[fro-bot--fro-bot-github-io]] — fro-bot/fro-bot.github.io -- [[fro-bot--systematic]] — fro-bot/systematic -- [[marcusrbrown--dotfiles]] — marcusrbrown/.dotfiles -- [[marcusrbrown--github]] — Marcus's personal `.github` repo; GitHub defaults, community health files, and canonical Probot Settings template (`common-settings.yaml`) +- [[fro-bot--systematic]] — Built docs + OCX registry deployment target for `@fro.bot/systematic` at fro.bot/systematic/; `gh-pages`-only repo (no Fro Bot workflow 
needed); now also hosts the pinned JSON Schema for `systematic.json` user config at `/schemas/v2/`; registry advanced to v2.20.6 with 103 components (51 agents, 47 skills, 2 bundles, 2 profiles, 1 plugin) +- [[marcusrbrown--dotfiles]] — Marcus's primary dotfiles repo: bare-git pattern, XDG-compliant, multi-shell (Bash + Zsh + Sheldon + Starship), mise-managed toolchain (Node 24.16/Python 3.14.5/Rust 1.95/Go 1.26.3/Bun 1.3.14/pnpm 11.2), published devcontainer image on GHCR, Fro Bot agent v0.44.3, Renovate preset v5.2.0; OpenCode plugin stack consumes [[marcusrbrown--systematic]] and [[marcusrbrown--opencode-copilot-delegate]]; first repo to declare custom `openai/gpt-5.5` provider models in OpenCode config +- [[marcusrbrown--github]] — Marcus's personal `.github` repo; GitHub defaults, community health files, and canonical Probot Settings template (`common-settings.yaml`); Prettier-only CI, `bfra-me/.github` reusable workflows pinned at v4.16.20, Renovate preset on v4.5.9 (v4 holdout), no Fro Bot workflow yet - [[marcusrbrown--containers]] — Container collection and automation framework (Dockerfiles, multi-arch builds, Python CLI, AI-powered templates, CI/CD) - [[marcusrbrown--copiloting]] — Polyglot AI/LLM experimentation monorepo (Python + TypeScript); LangChain tutorials, Flask + SvelteKit PDF chat app, Fro Bot agent workflows +- [[marcusrbrown--cortexkit-anthropic-auth]] — Fork of `cortexkit/anthropic-auth`: Claude Pro/Max OAuth, fallback accounts, quota routing, prompt-cache controls, optional Cloudflare Worker relay for both OpenCode and Pi; Bun workspace monorepo, Biome 2.4.15, MIT, published as `@marcusrbrown/{anthropic-auth-core,opencode-anthropic-auth}@1.2.2-mb.2` (Pi package private in fork); default branch `marcusrbrown/main`; no Fro Bot workflow yet - [[marcusrbrown--esphome-life]] — marcusrbrown/esphome.life -- [[marcusrbrown--extend-vscode]] — VS Code extension toolkit (TypeScript, dual Node/Web targets, tsup, Vitest, semantic-release publishing) +- 
[[marcusrbrown--extend-vscode]] — VS Code extension toolkit (TypeScript, dual Node/Web targets, tsup, Vitest, semantic-release to Marketplace+OpenVSIX+npm); Renovate preset crossed v4→v5 (#5.2.0) on 2026-05-14, eslint v10 / jsdom v29 / eslint-plugin-node-dependencies v2 majors landed end of April, `typescript` v6 (#466) remains the sole pending major; **still no Fro Bot agent workflow** - [[marcusrbrown--gpt]] — Local-first GPT creation platform (React 19, TypeScript 5.9, Vite 7, LangChain, MCP, IndexedDB, Web Crypto; deployed to gpt.mrbro.dev) -- [[marcusrbrown--ha-config]] — Marcus's Home Assistant configuration (public, CI-validated, package-based HA setup with custom components and ESPHome) -- [[marcusrbrown--infra]] — Bun workspace monorepo for personal infrastructure (KeeWeb deploy, CLIProxyAPI proxy, operational CLI with MCP bridge) +- [[marcusrbrown--ha-config]] — Marcus's Home Assistant configuration (public, CI-validated, package-based HA setup with custom components and ESPHome); 11 packages, 10 custom components, `.HA_VERSION` pinned at 2025.6.3 (11-month freeze), Renovate-only autopilot with bfra-me/.github reusable workflows at v4.16.21, still no Fro Bot workflow after four surveys, new `mrbro-bot[bot]` co-author seen on recent merges +- [[marcusrbrown--infra]] — Bun workspace monorepo for personal infrastructure (KeeWeb deploy, CLIProxyAPI proxy, Fro Bot Discord gateway, operational CLI with MCP bridge); 12 workflows, CLI v0.7.0, Fro Bot agent v0.44.3, Renovate preset v5.2.0, TypeScript 6, ESLint 10 - [[marcusrbrown--marcusrbrown]] — GitHub profile README with TypeScript-powered automation (badge generation, sponsor tracking, A/B testing, scheduled updates) -- [[marcusrbrown--marcusrbrown-github-io]] — Personal brand site (React 19, TypeScript 6, Vite 7, GitHub Pages at marcusrbrown.com, single-page with anchor-link sections) +- [[marcusrbrown--marcusrbrown-github-io]] — Personal brand site (React 19, TypeScript 6, Vite 7, GitHub Pages at 
marcusrbrown.com, single-page with anchor-link sections; Fro Bot single-file three-mode workflow at agent v0.44.0, v0.44.1 in flight) - [[marcusrbrown--mrbro-dev]] — Marcus's developer portfolio (React 19, TypeScript, Vite 7, GitHub Pages at mrbro.dev, advanced theme system, Fro Bot agent + autoheal) -- [[marcusrbrown--opencode-copilot-delegate]] — OpenCode plugin: delegate tasks to GitHub Copilot CLI as background subprocesses with async completion notifications -- [[marcusrbrown--renovate-config]] — Shareable Renovate configuration presets: canonical dependency-update policy for all `marcusrbrown/*` and `fro-bot/*` repositories +- [[marcusrbrown--opencode-copilot-delegate]] — OpenCode plugin: delegate tasks to GitHub Copilot CLI as background subprocesses; v0.12.0 with 4 tools (delegate/output/cancel/resume), opt-in `/copilot-status` TUI half, orphan-subprocess reaper with PID-file identity gate, per-process plugin singleton, localhost RPC layer +- [[marcusrbrown--renovate-config]] — Shareable Renovate configuration presets: canonical dependency-update policy for all `marcusrbrown/*` and `fro-bot/*` repos; v5.2.0 (v4→v5 boundary crossed 2026-05-13 with `group:allNonMajor` + 0.x ungrouping safety valve), Fro Bot v0.44.3 with autoheal merged into `fro-bot.yaml` and a new Sundays-only Upstream Modernization Watch category - [[marcusrbrown--sparkle]] — TypeScript playground monorepo; cross-platform design system (React + React Native/Expo), component library (Radix + Tailwind), Astro Starlight docs, Turborepo, WASM web shell -- [[marcusrbrown--systematic]] — OpenCode plugin: structured engineering workflows (45 skills, 50 agents), npm `@fro.bot/systematic`, Bun + Biome + semantic-release +- [[marcusrbrown--systematic]] — OpenCode plugin: structured engineering workflows (47 skills, 51 agents) at v2.24.0; Bun + Biome + Zod-typed `systematic.json` config schema + semantic-release; `fro-bot.yaml` and `fro-bot-autoheal.yaml` consolidated into a single three-mode workflow 
(#446), agent v0.45.0; new `release-notes-narrative` skill drives automated narrative releases via `@semantic-release/exec` - [[marcusrbrown--tokentoilet]] — Web3 DeFi token disposal app (Next.js 16, React 19, TypeScript 6, Wagmi v2, Reown AppKit, Tailwind CSS v4, Vercel) - [[marcusrbrown--vbs]] — Star Trek chronological viewing guide (TypeScript, Vite, D3.js, functional factories, GitHub Pages, Fro Bot active) diff --git a/knowledge/log.md b/knowledge/log.md index 3ca637b12..536d5a550 100644 --- a/knowledge/log.md +++ b/knowledge/log.md 
@@ -1112,3 +1112,461 @@ Sources: https://github.com/marcusrbrown/ha-config (SHA f80fbc124c0765b8685c3cd9 Surveyed marcusrbrown/ha-config and updated the control-plane wiki. Sources: https://github.com/marcusrbrown/ha-config + +## [2026-05-18 08:56] ingest | marcusrbrown/marcusrbrown.github.io + +Incremental re-survey of `marcusrbrown/marcusrbrown.github.io` (SHA `4cd8198`, up from `ec4b785` on 2026-04-25). Additive update to repo page `marcusrbrown--marcusrbrown-github-io.md`. Index unchanged (page already cataloged with accurate description). No new topic/entity/comparison pages warranted — `github-pages.md` and `github-actions-ci.md` already cover the cross-cutting concerns observed here. + +Deltas since prior survey: + +- **Fro Bot agent bumped seven times in three weeks:** v0.41.4 → v0.42.6 → v0.42.7 → v0.43.0 → v0.43.1 → v0.43.2 → v0.43.3 → **v0.44.0** (current, pinned via SHA `b030b53b1b47b1bed77a581222706c900cc63b0e`) +- **Autoheal integrated into `fro-bot.yaml` itself (PR #407, 2026-05-14)** — added as a second cron (`30 3 * * *`) and a `workflow_dispatch` `mode` input (review/maintenance/autoheal). Architecturally distinct from the sibling-repo pattern that uses a separate `fro-bot-autoheal.yaml`. +- **Autoheal prompt has 8 categories** (Errored PRs, Security, Code Quality, DX, Production Site Review, Quality Gates Verification, Cross-Project Intelligence Inbound, Upstream Modernization Watch Sundays-only) vs 5 in [[marcusrbrown--vbs]] / [[marcusrbrown--mrbro-dev]] +- **Renovate preset major-version jump:** `marcusrbrown/renovate-config#4.5.8 → #5.2.0` (PR #406, 2026-05-16). Same upgrade dropped the `fast-uri` security override mid-PR and had to be restored to clear `pnpm audit` failures from GHSA-q3j6-qgpj-74h6 / GHSA-v39h-62p7-jpjc. 
+- **New files:** `lhci.config.js` at repo root (Lighthouse CI config, no dedicated workflow yet) and `TESTING.md` (15KB testing doc) +- **New script:** `analyze-build` (`tsx scripts/analyze-build.ts`) for bundle analysis (PR #410) +- **`bfra-me/.github` reusable workflows:** v4.16.8 → v4.16.17 +- **pnpm:** 10.33.0 → 10.33.4 (#404) +- **Open issues:** 2 → 4 (added autoheal report #409 and coverage flag #411) +- Two earlier "missing" gaps are now closed: autoheal (integrated as mode) and performance (lhci config present). Two remain: no Probot `settings.yml`, no CodeQL/Scorecard. +- First observed instance of `fro-bot` co-authoring a direct commit in this repo (PR #406 security fix) + +Sources: https://github.com/marcusrbrown/marcusrbrown.github.io (SHA 4cd8198991618f216b940b6a6c13e1a09fd7979d) + +## [2026-05-18 08:58] ingest | repo:marcusrbrown/marcusrbrown.github.io + +Surveyed marcusrbrown/marcusrbrown.github.io and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/marcusrbrown.github.io + +## [2026-05-19 00:00] ingest | marcusrbrown/marcusrbrown.github.io + +No-op re-survey of `marcusrbrown/marcusrbrown.github.io` (SHA `4cd8198`, unchanged since 2026-05-18). Additive update to repo page only — appended a survey-history row and a third source entry. Index unchanged (page already cataloged). No topic/entity/comparison pages touched. + +Findings: + +- HEAD unchanged at `4cd8198` (`chore(deps): update all non-major dependencies (#416)`, 2026-05-18). Last push 2026-05-18T09:41:00Z. +- Open issues: 4 (#411 test branch coverage <80%, #409 Daily Autohealing Report, #260 Daily Maintenance Report, #6 Dependency Dashboard) — identical to 2026-05-18. +- Open PRs: 0. Recent activity window since prior survey is empty (no new Renovate batches landed). +- Fro Bot workflow file inspected directly: agent still pinned at `fro-bot/agent@b030b53b1b47b1bed77a581222706c900cc63b0e # v0.44.0`. 
`AUTOHEAL_CRON='30 3 * * *'` and `MAINTENANCE_CRON='30 15 * * *'` env vars confirm the single-file three-mode design described in the prior survey is intact. +- No contradictions with prior ingest. Two known gaps remain: no Probot `settings.yml`, no CodeQL/Scorecard workflows. + +Sources: https://github.com/marcusrbrown/marcusrbrown.github.io (SHA 4cd8198991618f216b940b6a6c13e1a09fd7979d) + +## [2026-05-19 08:43] ingest | repo:marcusrbrown/marcusrbrown.github.io + +Surveyed marcusrbrown/marcusrbrown.github.io and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/marcusrbrown.github.io + +## [2026-05-20 08:39] ingest | marcusrbrown/marcusrbrown.github.io + +No-op re-survey at SHA `4cd8198` — still HEAD, unchanged since 2026-05-18. Additive update to the repo page: appended a 2026-05-20 row to the Survey History table, added an in-flight note for fro-bot/agent v0.44.1 (PR #417) to the agent-cadence bullet, refreshed frontmatter `updated:` and appended a fourth source entry. Index entry updated for freshness; no topic, entity, or comparison pages required edits. + +Findings: + +- HEAD: `4cd8198` (`chore(deps): update all non-major dependencies (#416)`, 2026-05-18). Last push 2026-05-19T09:37:26Z (no commits since 05-18; the push timestamp moved without a HEAD change — likely a tag or branch update). +- Open issues: 4 (#411, #409, #260, #6) — unchanged. +- Open PRs: 1 — **#417** `chore(deps): update fro-bot/agent to v0.44.1` on `renovate/all-minor-patch`, labeled `automerge` / `dependencies` / `github-actions` / `renovate` / `patch` / `action`. Will land under the existing automerge policy without human review. +- `package.json` re-verified: `packageManager: pnpm@10.33.4`, `engines.node >=22.0.0`, `engines.pnpm ^10.28.2`, React `^19.0.0`, TypeScript `^6.0.0`, Vite `^7.0.6`, Vitest `^4.0.0`, `@types/node ^24.0.0`. No drift from prior survey. 
+- Fro Bot workflow head re-read: `inputs.mode` choice list `[review, maintenance, autoheal]` default `autoheal`, autoheal cron `30 3 * * *`, maintenance cron `30 15 * * *`. Single-file three-mode design intact. +- No structural drift. Two known gaps still open: no Probot `settings.yml`, no CodeQL/Scorecard workflows. + +Sources: https://github.com/marcusrbrown/marcusrbrown.github.io (SHA 4cd8198991618f216b940b6a6c13e1a09fd7979d) + +## [2026-05-20 08:40] ingest | repo:marcusrbrown/marcusrbrown.github.io + +Surveyed marcusrbrown/marcusrbrown.github.io and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/marcusrbrown.github.io + +## [2026-05-20 09:55] ingest | bfra-me/ha-addon-repository + +Initial survey of `bfra-me/ha-addon-repository` (SHA `0a163c3f`). Created repo page `bfra-me--ha-addon-repository.md`. Updated topic page `home-assistant.md` to wikilink the new repo and document multi-arch add-on builds + `frenck/action-addon-linter` sibling-tool relationship. Updated `index.md` to catalog the new page. + +Key findings: + +- GitHub template repo (`is_template: true`) under bfra-me org — blueprint for HA add-on collections. Apache-2.0. Created 2022-10-08. +- Single example add-on (`example/`, slug `example`, v1.2.2): four arches (`armhf`/`armv7`/`aarch64`/`amd64`), s6-overlay (`init: false`), AppArmor profile, OCI labels, tempio binary install from `home-assistant/tempio` releases. +- HA base images split: Alpine 3.23 for 64-bit, 3.22 for 32-bit ARM (upstream lag). Dockerfile uses `ARG BUILD_FROM=...@sha256:...` so Renovate rotates the digest via custom Dockerfile manager; `build.yaml` deliberately uses tag-only with `pinDigests: false`. 
+- Four workflows, all SHA-pinned actions: `main.yaml` (prepare→lint-addon (frenck/action-addon-linter v2.21.0) + Prettier 3.8.3 → build-addon matrix with `home-assistant/builder@2026.03.2`, `--cosign`, `id-token: write` to GHCR), `fro-bot.yaml`, `renovate.yaml` (reusable `bfra-me/.github` v4.16.16), `update-repo-settings.yaml` (v4.16.16, daily 14:15 UTC). +- **Fro Bot agent present and active:** `fro-bot/agent@v0.43.1`. Add-on-aware PR review prompt (Dockerfile pinning, config/build.yaml validity, bashio/shellcheck, AppArmor integrity, breaking interface changes, translation completeness) with structured `PASS|CONDITIONAL|REJECT` verdict. Daily 15:30 UTC autoheal sweep across four categories (errored PRs, security, health & maintenance, DX). +- **Distinctive Fro Bot pattern:** maintains a single perpetual issue titled exactly `Daily Autohealing Report` with prepended dated update sections — diverges from sibling repos that create new issues per cycle. +- Renovate extends `bfra-me/renovate-config#5.2.1` + `:enablePreCommit` — **different preset family** from the rest of the surveyed ecosystem (which uses `marcusrbrown/renovate-config#4.5.x`). Custom managers for `build.yaml` arch keys, `Dockerfile` `ARG BUILD_FROM=...@sha256:...`, and Alpine packages via repology (`alpine_3_20/{pkg}`). Python capped at `<=3.13`. +- Probot settings extend `.github:common-settings.yaml` (resolves to bfra-me org `.github`, not Marcus's). Branch protection requires `Prepare`, `Lint`, `Build`, `Renovate / Renovate`, `Fro Bot`; strict + linear history + enforce-admins + 1 reviewer with stale-review dismissal. +- Tooling: Node 22.11.0, Python 3.13.13 via `.tool-versions`. Devcontainer, pre-commit, markdownlint-cli2, Prettier, Cursor rules all configured. +- 5 open issues, 0 open PRs at survey time. +- No CodeQL/Scorecard/Trivy — security delegated to Renovate + autoheal sweep. Reasonable for a template. 
+ +Cross-ecosystem relationship: this is the add-on build/publish counterpart to [[marcusrbrown--ha-config]] (which consumes add-ons & integrations). The two `frenck/action-*` tools are siblings: `action-addon-linter` validates the add-on contract here; `action-home-assistant` validates running configs there. + +Sources: https://github.com/bfra-me/ha-addon-repository (SHA 0a163c3fa8846704103658142fa742f40d165743) + +## [2026-05-20 16:13] ingest | repo:bfra-me/ha-addon-repository + +Surveyed bfra-me/ha-addon-repository and updated the control-plane wiki. + +Sources: https://github.com/bfra-me/ha-addon-repository + +## [2026-05-20 18:00] ingest | bfra-me/.github + +Initial survey of `bfra-me/.github` (SHA `a81be4c5d5c93824fdcc426418c9433d5e5bd9be`). Created repo page `bfra-me--github.md`. Updated topic pages `probot-settings.md` (added bfra-me org template as third common-settings source) and `github-actions-ci.md` (added bfra-me/.github to repo list). Updated `index.md` to catalog the new page. + +Key findings: + +- Org control center for `@bfra-me`. Public, MIT, template (`is_template: true`), created 2022-03-17. Marketed as a `.github` template but runs as a full TypeScript pnpm monorepo (`@bfra.me/.github` v4.16.18, private root). +- Workspace: 4 packages — root + 3 custom actions under `.github/actions/*` (`renovate-changesets`, `update-metadata`, `update-repository-settings`). Root is itself a workspace member (`packages: ['.', '.github/actions/*']`) with `ignoreWorkspaceRootCheck: true`. `shamefullyHoist: true`, `savePrefix: ''`. All actions use Node.js 24 runtime and ship pre-built `dist/`. +- Toolchain: Node 24.15.0 (`.node-version`), pnpm 10.33.4, TypeScript 6.0.3 strict, Vitest 4.1.6, ESLint 10.4.0, Prettier 3.8.3, husky 9.1.7, lint-staged 16.4.0, Changesets 2.31.0. 
+- **17 workflows.** Notable: `main.yaml` (Quality Check), `fro-bot.yaml` (per-repo persona with three modes via `workflow_dispatch` choice), `fro-bot-autoheal-org.yaml` (org-wide weekday sweep at `0 5 * * 1-5` over all non-archived bfra-me repos, serial processing, dedup against existing bot items, defers dep bumps to Renovate, scope-capped to minimal/reversible fixes), `renovate.yaml` + `trigger-org-renovate.yaml` (self-hosted Renovate fan-out via `@bfra-me/renovate-action`), `update-repo-settings.yaml` (consumes local `update-repository-settings` action), plus CodeQL, Scorecard, Container Scan, Secret Scan, License Compliance, Dependency Review, Copilot setup, PR Triage, Auto-Release. +- **Fro Bot agent: `v0.44.2`** (SHA `b97877b2`) — ahead of most ecosystem repos (typically `v0.41.x`–`v0.43.x`). PR review prompt is security-focused for an org control center: enforces SHA-pinned actions with version comments, blocks workflow injection via untrusted input in `run:` blocks, requires `dist/` rebuild for action source changes, manually-authored changesets only (`pnpm changeset` CLI explicitly banned), strict TypeScript (no `any`, no `@ts-ignore`, ESM only). +- **Third common-settings source surfaced.** This repo ships `common-settings.yaml` as the org-wide template for `@bfra-me` repos, parallel to `marcusrbrown/.github:common-settings.yaml` (personal) and `fro-bot/.github:common-settings.yaml` (Fro Bot org). Repo's own `settings.yml` self-extends; branch protection requires 12 status checks (Advanced Security Analysis, CodeQL, Container Scan, Create Renovate Changeset, Fro Bot, GitGuardian Scan, License Scan, Quality Check, Release, Renovate, Review Dependencies, Triage) with `required_approving_review_count: 0` — governance leans on checks, not reviewers. Linear history, admin enforcement enabled. +- Renovate: `.github/renovate.json5` extends `local>bfra-me/.github:internal.json5`, `automergeType: pr`. Trivy versioned via `github-releases`. 
`elstudio/actions-settings` disabled (consumed via local action). Mise manager disabled (workaround). Post-upgrade runs `pnpm run bootstrap && pnpm run build && pnpm run fix`. `metadata/renovate.yaml` is the org-wide config inherited by other `bfra-me/*` repos. +- AGENTS.md documents conventions and anti-patterns: changesets manually authored, scoped to closest package; ESM only; shared `@bfra.me/*` configs; `bfra-me[bot]` app auth; Vitest coverage 80/80/80/75; reusable workflows resolve cross-repo checkout via `GITHUB_WORKFLOW_REF` (not `github.workflow_sha`, which resolves to the caller in `workflow_call`). +- 5 open issues, 1 open PR at survey time. Latest commit (`a81be4c`, 2026-05-20T09:42:00Z): Renovate bump of `fro-bot/agent` to v0.44.2 (PR #2200) with auto-generated changeset. +- Follow-up flagged on the repo page: the Probot settings landscape now has three common-settings sources (`marcusrbrown/.github`, `fro-bot/.github`, `bfra-me/.github`). Mapping which repos extend which — and reconciling whether `bfra-me` and `fro-bot` org templates should converge — is a candidate for a future survey/comparison page. + +Sources: https://github.com/bfra-me/.github (SHA a81be4c5d5c93824fdcc426418c9433d5e5bd9be) + +## [2026-05-20 16:28] ingest | repo:bfra-me/.github + +Surveyed bfra-me/.github and updated the control-plane wiki. + +Sources: https://github.com/bfra-me/.github + +## [2026-05-20 17:14] ingest | bfra-me/works + +Initial survey of `bfra-me/works` (SHA `ef14b26085dab318fffad1b6c3062292f8ae60b8`). Created repo page `bfra-me--works.md`. Updated topic pages `github-actions-ci.md` (added repo to list and Fro Bot table) and `probot-settings.md` (added bfra-me/works as a representative consumer of the `bfra-me/.github:common-settings.yaml` template). Updated `index.md` to catalog the new page. + +Key findings: + +- The `@bfra-me` **tooling monorepo** — the shared-library counterpart to [[bfra-me--github]] (which is the org control plane). 
Public, MIT, created 2020-10-27. Private root `@bfra.me/works` v0.0.0-development. +- Workspace: 11 entries (root + `docs` + `scripts` + 8 `packages/*`). pnpm 10.33.4, Node 24.15.0, TypeScript 6.0.3 strict (`noUncheckedIndexedAccess`), Vitest 4.1.6, ESLint 10.4.0, Prettier 3.8.3, Changesets 2.31.0, husky 9.1.7, manypkg 0.25.1 with `workspaceProtocol: require`. `autoInstallPeers`, `shamefullyHoist`, `strictPeerDependencies`, `shellEmulator`, `savePrefix: ''`. +- **8 published packages**: `@bfra.me/eslint-config@0.51.1`, `@bfra.me/prettier-config@0.16.9` (variants: 80/100/120-proof, semi, default, define-config), `@bfra.me/tsconfig@0.13.1`, `@bfra.me/es@0.1.0` (subpath exports for async/env/error/functional/module/result/types/validation/watcher), `@bfra.me/create@0.7.14` (CLI, optional OpenAI/Anthropic AI enhance), `@bfra.me/badge-config@0.2.0`, `@bfra.me/doc-sync@0.1.9` (CLI), `@bfra.me/semantic-release@0.3.7`, `@bfra.me/workspace-analyzer@0.2.8` (latest release 2026-05-16, CLI + JSON output). All build to `lib/` via tsup, except `@bfra.me/create` which builds to `dist/`. Docs site is Astro Starlight with MDX/content-validation tests and automated version-badge sync. +- **11 workflows + 1 Markdown doc file** under `.github/workflows/`. Every workflow consumes the local composite action `.github/actions/pnpm-install`. 
Notable: `main.yaml` (Prepare → parallel Lint+type-coverage / Test / Build / Workspace Analysis → CI), `release.yaml` (Changesets, triggered by `workflow_run` after Main on main + Sunday `0 18 * * 0` + dispatch with `force-release` toggle, uses `bfra-me[bot]` app token for schedule/`workflow_run`), `docs.yaml` (Astro Starlight build + GH Pages deploy), `docs-sync.yaml` (path-filtered doc-sync automation with dry-run dispatch input), `renovate.yaml` (calls reusable `bfra-me/.github` v4.16.18), `renovate-changeset.yaml` (auto-changesets for bfra-me/renovate bot PRs), `update-repo-settings.yaml` (calls reusable v4.16.0), `cache-cleanup.yaml`, plus CodeQL/Scorecard/Dependency Review. +- **Fro Bot agent v0.44.2** (SHA `b97877b2`) — parity with [[bfra-me--github]]. Single-file three-mode workflow (PR review / Daily Maintenance Report / Daily Autohealing Report) with `workflow_dispatch` mode choice and `workflow_call` reusable input. Schedule: maintenance `0 16 * * *`, autoheal `30 3 * * *`. Maintains exactly one rolling open issue per mode (`Daily Maintenance Report` and `Daily Autohealing Report`) with consolidation logic for duplicates and 14-day historical-summary collapse. Autoheal is a 5-category sweep with strict guardrails: trusted-author whitelist (`renovate[bot]`, `dependabot[bot]`, `fro-bot`, write-access humans), Renovate owns routine bumps (Fro Bot only touches versions for confirmed security advisories), no workflow/lockfile/prompt mods while repairing PRs, never push to default branch, never weaken guardrails to make checks pass. PR review prompt is TypeScript-monorepo-specific (Result usage, explicit named exports, no `export *`, subpath export breaking-change awareness, monorepo build-order impact). Formatting/lint nits explicitly out of scope. +- **Probot settings**: `.github/settings.yml` extends `.github:common-settings.yaml` (resolves to bfra-me org, same as [[bfra-me--ha-addon-repository]]). 
Branch protection requires 12 status checks: Analyze, Build, CI, CodeQL, Create Renovate Changeset, Fro Bot, Lint, Prepare, Renovate / Renovate, Review Dependencies, Test, Workspace Analysis. `enforce_admins: true`, `required_linear_history: true`, `required_pull_request_reviews: null` (governance leans on checks, not reviewers — matches [[bfra-me--github]] posture). +- **Renovate**: `.github/renovate.json5` extends `github>bfra-me/.github:internal.json5#v4.16.18` + `sanity-io/renovate-config:semantic-commit-type` + `security:minimumReleaseAgeNpm`. `addLabels: ['{{{parentDir}}}']` for monorepo directory labeling. ignorePaths include `packages/create/**/templates/**` (template fixtures aren't real deps). Notable rules: `@anthropic-ai/sdk` 0.x minor automerge, `bfra-me/renovate-config` SemVer pinning, `fetch-mock <12.0.0`, `@swc/**` every 2 weeks Sunday, Mise manager disabled. `patch.automerge: true`, `platformAutomerge: false`. Post-upgrade: `pnpm bootstrap && pnpm build && pnpm fix`. +- AGENTS.md conventions: TypeScript strict mode (no `any`/`@ts-ignore`/`@ts-expect-error`), pure ESM (no `require()`), explicit named exports, `Result` from `@bfra.me/es/result` never throw, lib/ output (dist/ only for create), tests in `packages/*/test/**/*.test.ts`, manypkg-enforced `workspace:` protocol, build order `tsconfig → prettier-config → eslint-config → others` handled by streaming, lint-staged on commit via husky, `.yaml` not `.yml`. +- 38 open issues, 1 open PR at survey time. Latest release: `@bfra.me/workspace-analyzer@0.2.8` (2026-05-16). +- **Cross-ecosystem relationship**: `bfra-me/works` is the **source** of the `@bfra.me/*` configs and utilities consumed by name across the wider Fro Bot ecosystem (eslint-config, prettier-config, tsconfig, es, semantic-release, workspace-analyzer all show up as devDependencies elsewhere). 
Pairs with [[bfra-me--github]] (control plane) as the org's two-repo nucleus, and shares the single-issue rolling-update Fro Bot pattern with [[bfra-me--ha-addon-repository]]. +- No follow-up Fro Bot draft PR needed — the workflow is present, current, and at the leading edge (v0.44.2). + +Sources: https://github.com/bfra-me/works (SHA ef14b26085dab318fffad1b6c3062292f8ae60b8) + +## [2026-05-20 17:15] ingest | repo:bfra-me/works + +Surveyed bfra-me/works and updated the control-plane wiki. + +Sources: https://github.com/bfra-me/works + +## [2026-05-21 04:30] ingest | marcusrbrown/opencode-copilot-delegate + +Incremental re-survey of `marcusrbrown/opencode-copilot-delegate` (SHA `2744ce7`, v0.12.0 on npm, up from `02cac9c` / v0.1.0 on 2026-04-27). Additively rewrote repo page `marcusrbrown--opencode-copilot-delegate.md` to absorb 11 minor releases. Updated topic page `opencode-plugins.md` with hard-won loader/runtime gotchas surfaced across those releases. Updated `index.md` description. Index unchanged in structure (page already cataloged). + +Key deltas since prior survey (v0.1.0 → v0.12.0): + +- **Fourth tool added (v0.12.0):** `copilot_resume` wraps `copilot --resume=` with UUID validation against the local session store, automatic workspace-path reuse from prior plugin tasks whose session ID matches, CLI no-match-error normalization, and path-injection rejection. `TaskState`/`OutputEnvelope` gain `origin: spawn|resume|connect` discriminator and surface the upstream Copilot session UUID as `copilot_session_id` on the envelope. +- **Two-half plugin architecture (v0.10.0+):** Server plugin remains the default; opt-in `./tui` export adds `/copilot-status` via `@opentui/solid`. `package.json` declares `oc-plugin: [server, tui]`. Build target split — server `target: node` (Node-loadable, CI-gated), TUI `target: bun`. +- **Public-surface hardening (v0.12.0):** Plugin entry now exports only `default`; helper moved to `src/lib/rpc-cleanup.ts`. 
CI gate between Build and Unit tests asserts the export shape using `node --input-type=module -e "import(...)"`. Tests/package-exports.test.ts mirrors locally. References the Systematic v2.5.0/v2.12.1 regression class. +- **Orphan subprocess reaper (v0.2.0+):** PID-file identity-gated reaper for foreign-instance subprocesses, hardened across v0.3.0 (streaming worker pool, combined `ps` query), v0.4.0 (configurable timeouts + cooperative `AbortSignal` cancellation, `timedOut: boolean` in `ReapResult`), v0.8.0 (race-safe truncate/unlink helpers), v0.9.0 (`O_NOFOLLOW` + symlinked-parent-dir rejection against same-user attacks). All runtime warnings now share `[copilot-delegate]` prefix. +- **Per-process plugin singleton (v0.8.0 → v0.11.0):** `globalThis` Symbol guard; **duplicate invocations now return empty hooks `{}`** to prevent double-registration when both user-level and project-level `opencode.json` list the plugin. Diverges from Systematic PR #352 (per-load registration) because this plugin's `doInit` binds a TCP port + writes a PID file — re-running would race on exclusive resources. +- **TUI slash command (v0.12.0):** Feature-detects `api.keymap.registerLayer` (OpenCode 1.14.44+) vs `api.command.register` (1.14.41 fallback) vs neither (defensive warn). Mirrors Magic Context dual-path pattern from commit 5fe1c4f. +- **Per-parameter tool description survival (v0.5.0–v0.7.0):** Agent discovery rewritten — `BUILTIN_AGENTS` constant removed since standalone `@github/copilot` CLI ships zero of those legacy names. Tool schemas patched via `_zod.toJSONSchema` override in `src/lib/normalize-tool-arg-schemas.ts` so descriptions survive the host-zod ≠ plugin-zod module boundary. `zod` pinned `^4.3.0` direct + `overrides` to dodge dual-zod TS2883. +- **TUI re-entrancy fix (v0.10.1):** Pressing Escape on `/copilot-status` previously froze the TUI via re-entrant dialog close handling. 
+- **Observability (v0.9.0):** `killProcessTree` classifies fkill failures by probing the process *group* (`process.kill(-pid, 0)`); ESRCH suppressed, others preserve original throw. `notifyCompletion` fallback `client.app.log` wrapped in try/catch with structured SDK shape so synchronous SDK throws can't escape the documented "never throws" contract. +- **`setStatus` lifecycle tightening (v0.8.0):** Terminal → non-terminal transitions explicitly forbidden; closes an unintended resurrection path no caller exercised but the prior contract permitted. +- **Toolchain:** Bun 1.3.13 → 1.3.14, Biome 2.4.13 → 2.4.15, mise pins `opencode-ai` 1.14.27 → 1.15.4 and `@github/copilot` 1.0.36 → 1.0.48. `@opencode-ai/plugin` peer narrowed `>=1.14.0` → `>=1.14.41` (v0.12.0). `@opencode-ai/sdk` peer dep removed (v0.6.0) — was never imported. +- **CI/automation:** Fro Bot agent `v0.42.2` → `v0.44.3` (SHA `b928e797`). Renovate preset `marcusrbrown/renovate-config#4.5.8` → `#5.2.0` (major bump). 6 workflows unchanged. Branch protection unchanged. Probot settings still extend `.github:common-settings.yaml`. +- **Tests:** Grew from ~6 to 21 unit files plus integration. New coverage: pid-file, orphan-reaper, continuity-checks, continuity-validation, plugin-singleton, rpc-server, rpc-contract, rpc-cleanup, normalize-tool-arg-schemas, package-exports, resume, task-status, task-registry, cancel-helper. Integration suite still gated out of CI per #38. +- **Open issues unchanged:** 3 (#38 integration tests, #26 daily autoheal report, #25 dep dashboard). 4 open PRs (3 Renovate, 1 Fro Bot self-correction #134 tightening `@types/node` LTS rule). + +No contradictions with prior ingest. The 2026-04-23 "TODO stubs" claim was already resolved by the 2026-04-27 survey; the page now reflects the full 11-release hardening arc on top of that foundation. 
+ +Sources: https://github.com/marcusrbrown/opencode-copilot-delegate (SHA 2744ce7fc07660baa4f17bfff3656141888261cf) + +## [2026-05-21 08:54] ingest | repo:marcusrbrown/opencode-copilot-delegate + +Surveyed marcusrbrown/opencode-copilot-delegate and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/opencode-copilot-delegate + +## [2026-05-22 08:36] ingest | fro-bot/systematic + +Re-surveyed `fro-bot/systematic` (gh-pages SHA `12cae87`, source SHA `dae829a` of [[marcusrbrown--systematic]]). Additively updated [[fro-bot--systematic]] to reflect changes since the 2026-05-07 initial survey: + +- **Registry advanced v2.7.3 → v2.20.6.** `index.json` now lists 103 components vs ~96 at prior survey: 51 agents (+ unknown delta), 47 skills, **2 bundles** and **2 profiles** (new V2 component types now materialized in the deployed artifact), and 1 plugin entry. The bundle/profile component types are net-new in this survey window. +- **Hosted JSON Schema is now a public contract.** `schemas/latest/` and `schemas/v2/systematic-config.schema.json` are served. `$id` on the v2 file is `https://fro.bot/systematic/schemas/v2/systematic-config.schema.json`, which makes that URL the canonical pinned reference for IDE autocomplete on `systematic.json` / `systematic.jsonc`. Draft-07. Top-level keys: `agents`, `categories`, `disabled_skills`, `disabled_agents`, `disabled_commands`, `bootstrap`. Loader does not fetch or validate against it — it exists purely to flip on editor support. Renaming or restructuring these URLs silently breaks every consumer that pinned them, so the deploy target has effectively grown a third consumer contract on top of the rendered docs and the OCX registry. +- **New static files** — `404.html` (Starlight not-found page) and `og-image.png` (Open Graph share image). 
+- **Deploy cadence intensified.** Multiple deploys per day during active source-repo windows (e.g., five on 2026-05-21 between 18:27 and 23:12 UTC), suggesting CI fans out per merged commit rather than per release tag. Captured the last 10 deploys with both `gh-pages` and source SHAs to make rollback diagnostics easier. +- **Branches, issues, PRs unchanged in structure.** `gh-pages` (default) + `renovate/configure`. Issue #1 (CodeQL/Scorecard parity) still open; PR #2 (Renovate onboarding) still open and unmerged — Renovate has minimal applicability to a static-HTML repo, so the noise concern from the prior survey still stands. +- **No Fro Bot workflow** in this repo. Same conclusion as 2026-05-07: not warranted; the source repo [[marcusrbrown--systematic]] holds the agent integration. Recorded explicitly in the repo page so the constraint check passes without a follow-up draft PR. + +Cross-page updates: +- Added a "Hosted JSON Schema is now a public contract" note to [[opencode-plugins]] under "Documentation Deployment" so the schema-URL stability constraint is discoverable from the topic side, not just the repo page. +- Refreshed the [[fro-bot--systematic]] entry in `index.md` from the placeholder one-liner to a substantive descriptor matching schema convention. + +No contradictions with the 2026-05-07 ingest. All prior content preserved; survey-history table extended with the new row. + +Sources: https://github.com/fro-bot/systematic (SHA 12cae87) + +## [2026-05-22 08:39] ingest | repo:fro-bot/systematic + +Surveyed fro-bot/systematic and updated the control-plane wiki. + +Sources: https://github.com/fro-bot/systematic + +## [2026-05-23 00:00] ingest | marcusrbrown/renovate-config + +Incremental re-survey of `marcusrbrown/renovate-config` (SHA `3478c88`, up from `bf13a82` on 2026-04-28). Additively updated repo page `marcusrbrown--renovate-config.md` and topic page `github-actions-ci.md`. Refreshed `index.md` entry description. 
No new topic/entity/comparison pages warranted — the v5 jump and autoheal architecture shift slot into existing pages. + +Deltas since prior survey: + +- **Major-version boundary crossed:** v4.5.8 → v5.2.0 (seven releases: 4.5.9, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, plus 5.0.1 intermediate). Breaking change: minimum allowed version floor raised `>=4.0.0` → `>=5.0.0`. +- **`default.json` policy changes:** Added `group:allNonMajor` to extends; dropped `:disableRateLimiting` (now defers to bfra-me base preset defaults); added a new packageRule that ungroups 0.x packages (`matchCurrentVersion: /^0\./` → `groupName: null`) as the safety valve against PR storms from unstable libs. +- **Autoheal consolidated into `fro-bot.yaml`:** The separate `fro-bot-autoheal.yaml` is gone. Single-file design with one daily schedule (15:30 UTC) covers PR review + maintenance + autoheal. Mirrors the architecture observed in [[marcusrbrown--marcusrbrown-github-io]] (which uses a `mode` enum dispatch input) and the rolling-perpetual-issue pattern in [[bfra-me--ha-addon-repository]] / [[bfra-me--works]]. +- **Autoheal categories went from 5 → 6.** Removed: "bfra-me Ecosystem Health" (folded into category 5 Cross-Project Intelligence Inbound, which now surveys `yield-farmer`, `poly`, `marcusrbrown/.github`, `bfra-me/renovate-config`, `fro-bot/agent`). Added: category 6 **Upstream Modernization Watch (Sundays only)**, gated by `IS_SUNDAY_UTC` env var via a preflight `date -u +%u` step. At-most-one-draft-PR-per-scan policy; never bumps pinned versions (Renovate-owned). +- **Fro Bot agent:** v0.42.2 → v0.44.3 (SHA `b928e79729f01b563feabee26a0525a3b48501a6`). +- **Toolchain:** pnpm 10.33.2 → 11.1.3 (major), lint-staged 16.4.0 → 17.0.5 (major), eslint 10.2.1 → 10.4.0, `@bfra.me/eslint-config` 0.51.0 → 0.51.1, `@bfra.me/prettier-config` → 0.16.9. 
+- **pnpm overrides added** for supply-chain hardening: `fast-uri >=3.1.2`, `flatted >=3.4.2`, `handlebars >=4.7.9`, `lodash-es >=4.18.0`, `picomatch@2 ^2.3.2`, `picomatch@4 ^4.0.4`. None existed at prior survey. +- **Open issues:** 46 → 6. The single-perpetual-issue strategy in the autoheal prompt consolidates and auto-closes dated daily reports — explains the cleanup. +- **Open PRs:** 0 → 1 (#1311 picomatch@2 v4 by mrbro-bot, awaiting v5 floor consumer migrations). +- **Downstream v4→v5 migration wave:** [[marcusrbrown--ha-config]], [[marcusrbrown--marcusrbrown-github-io]], and [[marcusrbrown--opencode-copilot-delegate]] all bumped to `#5.2.0` (per their respective wiki pages); no consumer required manual config overrides for the breaking change. Holdouts on v4.x: `containers`, `extend-vscode`, `marcusrbrown`, `esphome-life`, `copiloting` (floating `#v4`), `gpt`, `dotfiles`, `vbs`, `mrbro-dev`, `tokentoilet`, `infra`, `github`, `marcusrbrown`, `sparkle`. +- Probot settings, branch protection, CodeQL/Scorecard, semantic-release pipeline (bare semver tags, major-branch updates), self-referential Renovate config all unchanged. +- No contradictions with prior ingest. The 2026-04-28 page already correctly described v4.5.8 state; the new survey row extends survey history without overwriting. + +Sources: https://github.com/marcusrbrown/renovate-config (SHA 3478c88753d113b21c7cf10d9e58fd2f9be7e96a) + +## [2026-05-23 07:51] ingest | repo:marcusrbrown/renovate-config + +Surveyed marcusrbrown/renovate-config and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/renovate-config + +## [2026-05-24 12:00] ingest | marcusrbrown/.dotfiles + +Incremental re-survey of `marcusrbrown/.dotfiles` (SHA `0bb24f0`, 2026-05-24). Updated repo page `marcusrbrown--dotfiles.md`, topic page `dotfiles.md`, and entity page `mise.md`. Updated `index.md` entry with current state summary. No new pages created — existing topic/entity coverage remains accurate. 
+ +Delta from prior survey (SHA `ae026c1`, 2026-04-22): + +- **Fro Bot agent v0.41.3 → v0.44.3** (SHA `b928e79`). Workflow gains a dedicated `Close stale daily reports` step on `schedule` triggers — auto-closes `fro-bot`-authored daily reports older than 3 days with cross-platform `date -u -d` / `-v-3d` fallback. Schedule prompt re-shaped: Developer Experience category is now report-only ("Formatting is handled manually by the repo owner"). Hard guard against querying Dependabot/vulnerability-alert APIs added (PAT 404 by design on user-owned repos). +- **Renovate preset 4.5.8 → 5.2.0** — crossed the v4→v5 boundary documented in [[marcusrbrown--renovate-config]] (2026-05-13). Joins the migration wave noted in the renovate-config wiki entry. +- **New Renovate custom manager** for pinned npm plugin versions inside `.config/opencode/opencode.json` and `tui.json` — matches `"name@x.y.z"` patterns so OpenCode plugins now flow through Renovate. Automerge list expanded to include `fro-bot/agent`, `ast-grep`, and `opencode-copilot-delegate`. +- **OpenCode plugin stack overhaul:** + - `oh-my-openagent@3.17.4` → `oh-my-opencode-slim@1.1.1` (replacement, new config file `oh-my-opencode-slim.jsonc`) + - `@ex-machina/opencode-anthropic-auth@1.7.4` → `@cortexkit/opencode-anthropic-auth@1.2.2` (vendor switch) + - `@cortexkit/opencode-magic-context` 0.13.0 → 0.21.8 + - `@cortexkit/aft-opencode` 0.14.0 → 0.29.1 + - `@franlol/opencode-md-table-formatter` removed + - **New**: `opencode-copilot-delegate@0.12.0` (consumes [[marcusrbrown--opencode-copilot-delegate]] sibling repo — first dotfiles release pulling it out of v0.1.0 scaffold) + - `@fro.bot/systematic` pinned at 2.23.4 (was floating `latest`) +- **Custom OpenAI provider models** (`openai/gpt-5.5`, `openai/gpt-5.5-fast`) declared in `opencode.json` for the first time — 272K context, 32K output. +- **Magic-context reshape:** historian migrated to custom `openai/gpt-5.5-fast` (with Copilot/Anthropic now fallbacks only). 
Dreamer reverted to direct `anthropic/claude-sonnet-4-6` with `inject_docs: true`, pinned key files, user memories. Sidekick disabled. Token thresholds dropped from 4 entries to 2. Percentage thresholds tightened for Anthropic Sonnet/Opus (40% → 55%); new `openai/gpt-5.5` entry at 80%. Experimental block now centers on `auto_search` and `git_commit_indexing`. +- **mise tool deltas:** Node 24.15.0 → 24.16.0, Python 3.14.4 → 3.14.5, Go 1.26.2 → 1.26.3, Bun 1.3.13 → 1.3.14, Deno 2.7.13 → 2.8.0, pnpm 10.33.0 → 11.2.1 (major), npm 11.12.1 → 11.15.0, ZLS 0.15.0 → 0.16.0, ast-grep 0.40.5 → 0.42.3, Playwright 1.59.1 → 1.60.0, Puppeteer 24.41.0 → 25.0.4, agent-browser 0.26.0 → 0.27.0, ocx 2.0.7 → 2.0.11, opencode-ai 1.14.18 → 1.15.5, tsx 4.21.0 → 4.22.3, biome 2.4.12 → 2.4.15, cargo-binstall 1.15.5 → 1.19.1, typescript-language-server 5.1.3 → 5.2.0, poetry 2.3.4 → 2.4.1. **New:** `@github/copilot@1.0.51` (GitHub Copilot CLI), `aqua:gitleaks/gitleaks@8.30.1` (secret scanner). **Removed from `[tools]`:** `@cortexkit/opencode-magic-context`, `@cortexkit/aft-opencode` (moved to OpenCode plugin slot), `remark-language-server`, `lolcrab`. +- **New repo-scoped skill:** `.agents/skills/agent-browser/` — joins copilot-cli, test-driven-development, and writing-skills. +- **Repo metadata:** primary language is now TypeScript (212K) over Shell (55K) — driven by growth in `.config/opencode/`, agent skills, and devcontainer features. Open issues 19 → 4. Stars 18 (new field). +- Probot settings, devcontainer architecture, bare-repo pattern, branch protection, GPG signing, XDG layout, and Brewfile all unchanged. + +Sources: https://github.com/marcusrbrown/.dotfiles (SHA 0bb24f05e29fbd4c70eb9dca9611055e7bef7c5f) + +## [2026-05-24 08:08] ingest | repo:marcusrbrown/.dotfiles + +Surveyed marcusrbrown/.dotfiles and updated the control-plane wiki. 
+ +Sources: https://github.com/marcusrbrown/.dotfiles + +## [2026-05-25 09:11] ingest | repo:marcusrbrown/.github + +Incremental re-survey of `marcusrbrown/.github` (SHA `0b780fd`, 2026-05-25). Updated repo page `marcusrbrown--github.md`, topic page `probot-settings.md`, and `index.md` summary. No new pages — existing wikilinks remain valid. + +Delta from prior survey (SHA `3fb30a4`, 2026-04-27): + +- **Pure dependency churn.** Twelve commits since 2026-04-27, all Renovate-authored `chore(deps)` updates merged by `mrbro-bot[bot]`. No structural changes to workflows, settings, or community health files. +- **`bfra-me/.github` reusable workflows:** v4.16.9 → v4.16.20 (11 sequential patch bumps via PRs #363, #364, #365, #367, #368, #369, #370, #371, #372, #373, #374, #375). Both `renovate.yaml` and `update-repo-settings.yaml` now pinned at SHA `dc366698`. +- **`marcusrbrown/renovate-config` preset:** v4.5.8 → v4.5.9 (PR #366, 2026-04-30). Repo remains on v4.x — explicitly listed among the v4 holdouts in [[marcusrbrown--renovate-config]] (2026-05-13 v4→v5 boundary not yet crossed for this config-only repo). +- **No new files, no removed files.** `common-settings.yaml` unchanged at 18115 bytes (label set, branch protection, merge strategy, collaborator model all identical). `.github/settings.yml` unchanged. Renovate cadence still `15 */4 * * *`. +- **Fro Bot integration status:** still no `fro-bot.yaml` workflow. `fro-bot` retains `push` collaborator permission via inherited settings but is not in the active CI/merge loop. Recommendation from prior survey carries forward — a follow-up draft PR adding the single-file three-mode workflow (per [[marcusrbrown--marcusrbrown-github-io]]) remains open. +- **Repo metadata:** size 552K, 3 stars, description "GitHub defaults", topics unchanged (`github`, `repository`, `settings`). +- No contradictions with prior wiki content. 
All updates are additive — version refresh in source list, new survey-history row, and a refreshed Fro Bot Integration note that acknowledges Renovate-only authorship of recent PRs. + +Sources: https://github.com/marcusrbrown/.github (SHA 0b780fdba1b5b0ae6280aaaf28f625e3db142278) + +## [2026-05-25 09:34] ingest | repo:marcusrbrown/.github + +Surveyed marcusrbrown/.github and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/.github + +## [2026-05-26 08:49] ingest | marcusrbrown/extend-vscode + +Re-survey of `marcusrbrown/extend-vscode` (SHA `516a9eb4`, up from `b457a34f`). Updated repo page `marcusrbrown--extend-vscode.md`, bumped `updated` date on topic page `vscode-extensions.md`, refreshed `index.md` summary line. Added `marcusrbrown--renovate-config` to the repo page's `related` frontmatter. + +Delta from prior survey (SHA `b457a34f`, 2026-04-27): + +- **Renovate preset crossed v4 → v5 boundary** (PR #487, 2026-05-14): `marcusrbrown/renovate-config#4.5.0` → `#5.2.0`. extend-vscode is now on the v5 line documented in [[marcusrbrown--renovate-config]] (`group:allNonMajor` + 0.x ungrouping policy). This is the headline structural shift since the prior survey. +- **Three major-version PRs that had been pending since 2026-04-23 closed end of April:** `eslint` v10 (#467, 2026-04-30), `eslint-plugin-node-dependencies` v2 (#468, 2026-04-30), `jsdom` v29 (#469, 2026-04-29). Only `typescript` v6 (#466) remains outstanding as the sole pending major. +- **`tsup` pinning drift corrected** (#488, 2026-05-14): bumped from `^8.0.2` range to pinned `8.5.1`. The repo's devDependency block now uses exact pins uniformly — a useful invariant for future contributors. 
+- **Other patches merged 2026-04-29 → 2026-05-21:** Node.js → v24.16.0 (`.node-version`, #493), `eslint` → 10.4.0 (#492), `tsx` → 4.22.0 (#491), `@types/vscode` → 1.118.0 (#490, prior #483 → 1.116.0), `@playwright/test` → 1.60.0 (#489), `jiti` → 2.7.0 (#486), `eslint-plugin-no-only-tests` → 3.4.0 (#484), `jsdom` → 29.1.0 (#482). +- **Repository structure, build (tsup dual-target), CI workflows (six unchanged), publishing pipeline (Marketplace + OpenVSIX + npm via semantic-release), Probot settings (`fro-bot/.github:common-settings.yaml`), and branch protection (`Renovate / Renovate`, `Run Checks`, linear history, admin enforcement) all unchanged.** +- **Open issues:** 5 (#142, #162, #317–#319) — unchanged. **Open PRs:** 1 (#466, `typescript` v6). +- **Still no Fro Bot agent workflow.** Follow-up PR recommendation carried forward across now five+ surveys — extend-vscode and `marcusrbrown/.github` remain the two main holdouts in Marcus's portfolio without `fro-bot.yaml`. +- No contradictions with prior wiki content. All updates additive. + +Sources: https://github.com/marcusrbrown/extend-vscode (SHA 516a9eb442f97212f45d890e65fb7d7642566206) + +## [2026-05-26 08:49] ingest | repo:marcusrbrown/extend-vscode + +Surveyed marcusrbrown/extend-vscode and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/extend-vscode + +## [2026-05-27 08:58] ingest | marcusrbrown/infra + +Incremental survey of `marcusrbrown/infra` at SHA `2f9bafd6cdb03d9ed28ee336d99d5f7bf09a3dfb` (push 2026-05-26). Updated repo page `marcusrbrown--infra.md` and topic page `github-actions-ci.md`. Updated `index.md` catalog entry. No new pages created — existing `github-actions-ci.md` already captures the split-deploy pattern and conventions-test pattern this repo pioneered. + +Delta from prior survey (SHA `938fa7c`, 2026-04-27): + +- **Major new app: `apps/gateway/`** (Fro Bot Discord client + workspace runner + mitmproxy stack at `gateway.fro.bot`, added #264 on 2026-05-18). 
Upstream `fro-bot/agent` pinned via `apps/gateway/upstream.json` at `v0.44.2`. Three-service Docker Compose deployment. Secrets materialized via SSH stdin only (never argv); checksum-after-success invariant in `/opt/gateway/.secrets-checksum` prevents silent stale-credential states. Discord registration poll has ~90s budget with 429-aware backoff and token-sanitized error surfaces. +- **New `packages/shared/`** (#290, 2026-05-23): shared DigitalOcean droplet helpers (`ssh`, `scp`, `validateDoctl`, `dropletExists`, `pinHostKeys`, etc.) consumed by `apps/cliproxy` and `apps/gateway` provision scripts. Private (`@marcusrbrown/infra-shared`, never published). +- **New workflow** `deploy-gateway.yaml` — third per-app deploy workflow in the split pipeline pattern (12 workflows total, up from 11). The thin `deploy.yaml` orchestrator now coordinates all three apps. +- **Fro Bot agent** v0.42.2 → v0.44.3 across multiple bumps (#251, #252, #274, #281, #282). +- **Renovate preset:** v4 → v5 major boundary crossed at 2026-05-17 (#242). Now extends `marcusrbrown/renovate-config#5.2.0` + `group:allNonMajor` for safer grouping. +- **Major dependency bumps:** TypeScript 6.0.3, ESLint 10.4.0, `@bfra.me/eslint-config` 0.51.1, `@bfra.me/tsconfig` 0.13.1, Changesets 2.31.0. +- **CLI v0.4.6 → v0.7.0** with MCP fidelity refactor for status-only commands (#296), gateway commands (status/deploy/logs/backup/restore), parsing of `docker compose ps` NDJSON output (#278), and OpenAI provider opt-in for `cliproxy setup --harness opencode` (#307). Codex device-code OAuth login added (#303). +- **CLIProxyAPI:** v6.9.39 → v6.10.9 (digest-pinned). Caddy: 2.11.2-alpine → 2.11.3-alpine. +- **Gateway hardening:** ControlMaster SSH multiplexing for deploys (#277), pinned droplet host keys in `.github/known_hosts` (#272), `validateGatewayHost` rejects `-`-prefixed values pre-SSH-invocation, no-argv-for-secrets invariant. 
+- **Operational documentation:** new Discord token-lifecycle runbook (#284, `docs/runbooks/`); plan reconciliation for cliproxy deployment + conventions tests (#253); compound learning entry for gateway first-deploy 5-wave cascade (#280, `docs/solutions/`). +- **Convention enforcement extended:** `predicate-quantifier:every` rule on `dorny/paths-filter` with negations (#254). +- **AGENTS.md updates:** Root expanded to cover gateway alongside keeweb + cliproxy; new per-app `apps/gateway/AGENTS.md` and `packages/shared/AGENTS.md`. +- **Open issues:** 5 → 38 (mostly tracked plan work + autohealing reports + Dependency Dashboard); **open PRs:** 1 → 0. + +No contradictions with prior surveys — all earlier findings remain accurate, the repo has expanded additively. + +Sources: https://github.com/marcusrbrown/infra (SHA 2f9bafd6cdb03d9ed28ee336d99d5f7bf09a3dfb) + +## [2026-05-27 08:59] ingest | repo:marcusrbrown/infra + +Surveyed marcusrbrown/infra and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/infra + +## [2026-05-28 04:51] ingest | marcusrbrown/cortexkit_anthropic-auth + +Initial survey of `marcusrbrown/cortexkit_anthropic-auth` at SHA `517d385` (default branch `marcusrbrown/main`). Created repo page `marcusrbrown--cortexkit-anthropic-auth.md`. Updated `opencode-plugins.md` topic (added repo to plugin table, new "Cross-Process OAuth Refresh Locking" section, frontmatter source/tags refresh). Updated `index.md` to catalog the new repo page. + +Key findings: + +- Public fork of `cortexkit/anthropic-auth`. Bun workspace monorepo with `core`, `opencode`, `pi`, `e2e-tests` packages. MIT, TypeScript 6.0.3, Bun 1.3.14 (mise), Biome 2.4.15, Lefthook 2.1.6. +- Two packages published from the fork under `@marcusrbrown/*` at `1.2.2-mb.2`: `anthropic-auth-core` (shared) and `opencode-anthropic-auth` (plugin + CLI). Pi package `@cortexkit/pi-anthropic-auth` is `private: true` in this fork — release contract explicitly excludes it. 
+- Provides Claude Pro/Max OAuth for OpenCode (`/connect anthropic`) and Pi (`/login anthropic`) with fallback accounts, quota-aware routing (5h/7d Claude quota gates with `failClosedOnUnknownQuota` default), persistent 1-hour prompt cache controls (`/claude-cache`, `/claude-cachekeep`), fast mode toggle (`/claude-fast`), live quota visibility (`/claude-quota`), request dumps (`/claude-dump`), and an optional user-owned Cloudflare Worker relay. +- Sidecar config: `~/.config/opencode/anthropic-auth.json` (env `OPENCODE_ANTHROPIC_AUTH_FILE`) for OpenCode; `~/.pi/agent/anthropic-auth.json` (env `PI_ANTHROPIC_AUTH_FILE`, `PI_AGENT_DIR`) for Pi. Same JSON schema across both agents. +- Release-path hardening worth carrying forward: jittered background OAuth refresh (`1.2.2`), cross-process atomic refresh lock to prevent rotated-refresh-token races and `invalid_grant` losers (`1.1.3`/`1.2.2`), wait-and-rejoin on contention, refresh endpoint failover to `api.anthropic.com/v1/oauth/token` after `platform.claude.com` returned OAuth `429` repeatedly (`1.2.1`). +- Workflows: `ci.yml` (PR-only: typecheck, build, test, Biome format/lint, SHA-pinned actions) and `release.yaml` (tag/dispatch with tag-commit integrity check, version-keyed concurrency, OIDC trusted publishing + provenance, no `NPM_TOKEN`, no `mb` dist-tag lane, `npm publish --tag latest`, no CI manifest mutation — manifests must already match the release version per `version-sync.mjs --validate`). +- Dependabot (not Renovate) — `enable-beta-ecosystems: true`, weekly bun + github-actions. Deliberate divergence from the rest of Marcus's ecosystem. +- Captures (`captures/`) are gitignored — mitmproxy HTTPS interception of Claude Code / OpenCode system prompts. PII-sensitive; any PR touching them should be flagged. 
+- **No Fro Bot workflow detected.** Noted on the repo page; follow-up draft PR should propose a Fro-Bot config tuned for release-sensitive, OAuth-sensitive repos (review/triage scope only — must not touch version-sync or the OIDC publish path). + +No contradictions with existing wiki content. Additive updates only. + +Sources: https://github.com/marcusrbrown/cortexkit_anthropic-auth (SHA 517d38596432429a8fc5f78612edc80a1c3f3dc6) + +## [2026-05-28 04:54] ingest | repo:marcusrbrown/cortexkit_anthropic-auth + +Surveyed marcusrbrown/cortexkit_anthropic-auth and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/cortexkit_anthropic-auth + +## [2026-05-28 09:04] ingest | marcusrbrown/systematic + +Incremental re-survey of `marcusrbrown/systematic` (SHA `9b75707`, 2026-05-28). Updated repo page `marcusrbrown--systematic.md`, bumped opencode-plugins topic page source set, and refreshed index entry. No new topic/entity/comparison pages warranted — all cross-cuts already cataloged. + +Delta from prior survey (SHA `420ef650`, 2026-05-06): + +- ~80 commits, v2.7.3 → v2.24.0 (17 minor + many patch releases). Repo is post-launch-surface-cleanup era. +- **Bundled assets:** skills 46 → 47 (new: `release-notes-narrative` project-scoped; `test-driven-development` + `writing-skills` + `writing-systematic-skills` imported from obra/superpowers in #394). Agents 50 → 51 (review category now 28). Deprecation surface marks `orchestrating-swarms` and `claude-permissions-optimizer` (#401). +- **Workflow consolidation (#446):** `fro-bot.yaml` and `fro-bot-autoheal.yaml` merged into a single workflow with three operating modes (review, maintenance, autoheal) routed via an inline `PROMPT` ternary on `event_name × mode × cron`. Workflow count 9 → 8. +- **Fro Bot agent:** v0.42.7 → v0.45.0 (SHA `8aac0fc3`). 
+- **Release-notes-narrative pipeline (v2.22–v2.23):** New project-scoped skill (#429) dispatched via `@semantic-release/exec` successCmd (#430), with extracted shell script (#432), bash-escaped Lodash render (#431), timestamp-based run identification (#434), and `correlation-id` input on `fro-bot.yaml` (#433). +- **Source-tree changes:** `plugin-singleton.ts` removed (its semantics folded into the broader factory layer). New modules: `config-schema.ts` (Zod schema for `systematic.json`), `config.ts` (Zod per-issue diagnostics), `skill-catalog.ts` (bootstrap injection of available skills, #365), `bundled-names.ts` (typed bundled-name validation, #384), `agent-colors.ts`, `agent-overlays.ts` (memoized per OpencodeClient, #383; empty-cache to unknown, #378), `model-availability.ts` (discovery-before-validation, #372, #376), `source-model-defaults.ts`. +- **Zod config schema arc (v2.14–v2.17):** Typed `systematic.json` validation with per-issue diagnostics, IDE autocomplete via published JSON Schema at `fro.bot/systematic/schemas/v2/`, factory pattern construction (#393), schema-drift CI gate. +- **Overlay hardening (v2.20.x):** Empty-cache and empty-discovery collapse to unknown status, per-client memoization, project-local Systematic overrides global Systematic output (#370). +- **Documentation modernization:** Architecture (#422), main-loop, philosophy (#421), launch-surface (README, home, Quick Start, config docs — #428), design-iterator and docs aligned with Impeccable design laws (#418, #419). New `docs:verify` script for local CI-parity pre-checks (#445). +- **OpenCode dep bumped through:** v1.14.49 → v1.15.10. Starlight to ^0.39.0 (#444). `@semantic-release/exec` pinned at 7.1.0 (#435). +- **Open issues:** 4 → 3 (renovate PR #327 from prior survey is merged). 0 open PRs at survey time. +- **Stars:** 14 → 22. **Fork count:** 1. +- **Renovate config + Probot settings:** Unchanged in intent. Renovate adds OpenCode group name (#425). 
+- **Fro Bot integration:** Fully active (no follow-up needed for missing workflow). Inline documentation added in #450 (PROMPT routing precedence — the release-notes-narrative automation depends on `workflow_dispatch` `prompt` taking precedence over mode default) and #451 (fork-guard asymmetry across PR-adjacent event types — only `issue_comment` needs explicit API-query because `github.event.pull_request` is null on that path). +- **No contradictions** with prior survey; `plugin-singleton.ts` was noted as added in v2.7.2 and is now folded into the broader factory layer (durable singleton semantics preserved via config-handler entry point). + +Sources: https://github.com/marcusrbrown/systematic (SHA 9b7570782190d540b4d57abdd94cf7ca8e1984f1) + +## [2026-05-28 09:05] ingest | repo:marcusrbrown/systematic + +Surveyed marcusrbrown/systematic and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/systematic + +## [2026-05-29 08:55] ingest | marcusrbrown/ha-config + +Re-survey of `marcusrbrown/ha-config` (SHA `33cca05`, 12 days after prior survey). Updated repo page additively with a fourth survey row; updated `index.md` summary; no topic-page edits required (the `home-assistant` page's `.HA_VERSION` pin-drift footgun callout is already accurate and only deepens with the additional staleness). + +Key findings: + +- Structural surface unchanged: still 11 packages, 10 custom components, ESPHome submodule, no Fro Bot workflow. +- `.HA_VERSION` still pinned at `2025.6.3` — now ~11 months stale; the package-based config is being validated against a frozen HA release while pip-resolved deps advance freely. +- Pure Renovate churn since 2026-05-17: `bfra-me/.github` reusable workflow v4.16.17 → v4.16.21 (four patch bumps in 11 days), `pipelinecomponents/remark-lint` digest pin `829aa31` (#790), four esphome submodule digest updates (#782, #784, #786, #787, #789). 
+- Same 3 open issues (#427 Dependency Dashboard, #766 asyncio-mqtt v0.16.2, #777 esphome v2026), same 0 open PRs. +- New observation: `mrbro-bot[bot]` (GitHub ID `137683033`) is co-authoring some recent Renovate merges (e.g. #790). First sighting of a non-fro-bot automation actor on this repo — worth tracking on subsequent passes. +- **No Fro Bot workflow** for the fourth consecutive survey. Persistence across nearly a year suggests this is intentional: the repo is Renovate-only autopilot and doesn't need PR review or triage automation since virtually all merges are bot-authored. + +No contradictions with prior surveys. + +Sources: https://github.com/marcusrbrown/ha-config (SHA 33cca0534ca2b0dbbb7db4235912c1f225458beb) + +## [2026-05-29 08:57] ingest | repo:marcusrbrown/ha-config + +Surveyed marcusrbrown/ha-config and updated the control-plane wiki. + +Sources: https://github.com/marcusrbrown/ha-config + +## [2026-05-30 08:01] ingest | bfra-me/ha-addon-repository + +No-op re-survey of `bfra-me/ha-addon-repository` (SHA `0a163c3f`, unchanged from 2026-05-20). HEAD on `main` has been dormant for 14 days while Renovate accumulates queued PRs on side branches. Additive update only: appended a 2026-05-30 row to the Survey History table, added a `Drift Watch` section noting two emerging signals, refreshed frontmatter `updated:` date, appended a second source entry. Updated `index.md` description with the queued v0.46.1 Fro Bot bump for freshness. No topic, entity, or comparison pages required edits. + +Findings: + +- HEAD unchanged at `0a163c3f` (`chore(deps): update dependency prettier to v3.8.3 (#551)`, 2026-05-16). `pushedAt` is 2026-05-30 because Renovate keeps re-pushing side branches, but `main` itself is stationary. +- Open issues: 5 → 6 (#554 `Daily Autohealing Report` continues to accrue dated update sections under the perpetual-issue pattern; #4 Dependency Dashboard unchanged). 
+- Open PRs: 0 → 4, all Renovate, all unmerged: #556 (`bfra-me/.github` reusable v4.16.16 → v4.16.21), #557 (`fro-bot/agent` v0.43.1 → v0.46.1 — three minor versions of agent runtime missed), #558 (HA `amd64-base:3.23` digest rotation to `4b7bff6`), #559 (`docker/login-action` v4.2.0). +- Workflow content inspected: `fro-bot.yaml` still pins `fro-bot/agent@v0.43.1`. `SCHEDULE_PROMPT` env literal still hardcodes "bfra-me/.github reusable workflow version (currently v4.16.6)" — a stale comment relative to the actual `uses:` pin at v4.16.16. Self-corrects via the agent's live SHA comparison, but worth parameterising on next workflow edit. +- No structural drift to workflows, settings, the `example/` add-on, or the Renovate config family (`bfra-me/renovate-config#5.2.1`). +- Cross-ecosystem note: this repo lags the agent fleet by 3 minor versions and the `bfra-me/.github` reusable by 5 patch versions. The four queued Renovate PRs cover that drift entirely — bottleneck is review/merge cadence, not Renovate coverage. + +Sources: https://github.com/bfra-me/ha-addon-repository (SHA 0a163c3fa8846704103658142fa742f40d165743) + +## [2026-05-30 08:03] ingest | repo:bfra-me/ha-addon-repository + +Surveyed bfra-me/ha-addon-repository and updated the control-plane wiki. + +Sources: https://github.com/bfra-me/ha-addon-repository + +## [2026-05-31 00:30] ingest | bfra-me/works + +Incremental re-survey of `bfra-me/works` (SHA `cd4a52d`, 2026-05-31; prior `ef14b26`, 2026-05-20). Updated repo page `bfra-me--works.md` and index entry. No new topic/entity/comparison pages warranted — deltas are agent pin advances and dependency bumps, not structural. + +Delta: + +- **Fro Bot agent:** v0.44.2 → v0.46.1 (#3503) → v0.47.0 (#3510), both merged 2026-05-30. PR #3491 ("Fix Fro Bot mode/prompt resolution for dispatch and reusable runs") patched the inline shell mode-resolution block for `workflow_dispatch` and `workflow_call` paths just ahead of the v0.47.0 bump. 
+- **bfra-me/.github reusable workflows + Renovate baseline:** v4.16.18 → v4.16.21 (both `renovate.yaml` workflow ref and `internal.json5#v4.16.21` extends). +- **pnpm:** 10.33.4 → 10.34.1 (via #3511 then #3514). +- **Published package versions:** All 9 unchanged (`@bfra.me/badge-config@0.2.0`, `create@0.7.14`, `doc-sync@0.1.9`, `es@0.1.0`, `eslint-config@0.51.1`, `prettier-config@0.16.9`, `semantic-release@0.3.7`, `tsconfig@0.13.1`, `workspace-analyzer@0.2.8` — last release still 2026-05-16). +- **Workflow inventory, package layout, Probot settings, branch protection (12 required checks), build/release pipeline:** identical. +- **Open issues:** 38 (unchanged). **Open PRs:** 1 → 2. +- No contradictions with prior ingest. `bfra-me/works` is currently the bleeding-edge agent adopter; sibling [[bfra-me--github]] and [[bfra-me--ha-addon-repository]] should be re-surveyed to confirm whether they have followed to v0.47.0. + +Sources: https://github.com/bfra-me/works (SHA cd4a52d7d9ad59c8770784d9411d688e9a7d50db) + +## [2026-05-31 08:27] ingest | repo:bfra-me/works + +Surveyed bfra-me/works and updated the control-plane wiki. + +Sources: https://github.com/bfra-me/works diff --git a/knowledge/wiki/entities/esphome.md b/knowledge/wiki/entities/esphome.md index 0e1bccbd5..b38cfce6d 100644 --- a/knowledge/wiki/entities/esphome.md +++ b/knowledge/wiki/entities/esphome.md @@ -2,11 +2,14 @@ type: entity title: ESPHome created: 2026-04-23 -updated: 2026-04-23 +updated: 2026-05-26 sources: - url: https://github.com/marcusrbrown/esphome.life sha: e398c2e1e3ef8c68717df26fd67a99b5c91410d7 accessed: 2026-04-23 + - url: https://github.com/marcusrbrown/esphome.life + sha: fc5adc212a7a1556bdaa9a1b30d3cf8a9e8cc584 + accessed: 2026-05-26 tags: [esphome, iot, esp32, firmware, home-assistant, bluetooth-proxy] aliases: [esphome, esphome-life] related: 
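Review bot: In the 2026-05-29 08:55 `marcusrbrown/ha-config` log entry (the log hunk that ends just above the `esphome.md` header), the Renovate churn bullet says "four esphome submodule digest updates" but lists five PR numbers (#782, #784, #786, #787, #789). Correct the count or the list so the entry can be checked against the repo history. Each detailed survey entry is also followed minutes later by a second `ingest | repo:<name>` entry with no short SHA and no findings (2026-05-29 08:57, 2026-05-30 08:03, 2026-05-31 08:27), and the two use different heading keys (`marcusrbrown/ha-config` vs `repo:marcusrbrown/ha-config`). If both come from the same run, fold them into one entry or give the short one the surveyed SHA so the log stays auditable.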
@@ -32,13 +35,13 @@ ESPHome is an open-source framework for configuring and building custom firmware - **Package-based device configs** — Thin per-device YAML files pull shared configuration from `packages/` via `github://` imports - **Ethernet-only devices** — All devices use wired Ethernet (LAN8720, ESP-IDF framework), no Wi-Fi — notable for Bluetooth Proxy reliability -- **CI build matrix** — Firmware builds triggered on push/PR via `esphome/build-action@v7.1.0` with ESPHome 2025.12.7 +- **CI build matrix** — Firmware builds triggered on push/PR via `esphome/build-action@v7.2.0` with ESPHome 2025.12.7 (as of 2026-05-26) - **GitHub Pages distribution** — Jekyll site with ESP Web Tools install button, `manifest.json` generated from CI build artifacts - **Devcontainer** — VS Code devcontainer using `ptr727/esphome-nonroot:2025.12.7` Docker image with ESPHome dashboard ## Version Pinning -ESPHome version is pinned across CI and devcontainer (currently 2025.12.7). The Renovate configuration tracks ESPHome across Docker images (`ptr727/esphome-nonroot`, `esphome/esphome`, `ghcr.io/esphome/esphome`) with loose versioning and semantic commit types. +ESPHome version is pinned across CI and devcontainer (currently 2025.12.7, unchanged across four surveys spanning 2026-04 → 2026-05). The Renovate configuration tracks ESPHome across Docker images (`ptr727/esphome-nonroot`, `esphome/esphome`, `ghcr.io/esphome/esphome`) with loose versioning and semantic commit types — but no major/minor bumps have arrived in two months, which is a long quiet stretch for an actively-developed framework. ## External Links diff --git a/knowledge/wiki/entities/mise.md b/knowledge/wiki/entities/mise.md index ddc7c305e..28b822b25 100644 --- a/knowledge/wiki/entities/mise.md +++ b/knowledge/wiki/entities/mise.md 
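Review bot: In the rewritten Version Pinning paragraph of `esphome.md`, "unchanged across four surveys spanning 2026-04 → 2026-05" and "no major/minor bumps have arrived in two months" are not backed by the frontmatter, which lists only two `sources:` entries (accessed 2026-04-23 and 2026-05-26), about one month apart. Either add the intermediate survey SHAs to `sources:` or reword to the interval the page can actually show. The CI bullet now carries "(as of 2026-05-26)" for `esphome/build-action@v7.2.0`, but the devcontainer bullet and the "currently 2025.12.7" statement are undated, so a reader cannot tell which survey they reflect.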
@@ -2,7 +2,7 @@ type: entity title: mise created: 2026-04-18 -updated: 2026-04-22 +updated: 2026-05-24 tags: [mise, tool-management, runtime-versions, asdf, dev-tools] aliases: [rtx] related: 
@@ -18,9 +18,27 @@ Site: https://mise.jdx.dev/ ## Usage Across Repos -### [[marcusrbrown--dotfiles]] +### [[marcusrbrown--dotfiles]] — current state (SHA `0bb24f0`, 2026-05-24) -Primary tool version manager. Config at `.config/mise/config.toml` manages 30+ tools including Node, Python, Rust, Go, Bun, Deno, Zig, and npm-based CLI tools. As of 2026-04-22 (SHA `ae026c1`): +**Language runtimes:** Node 24.16.0, Python 3.14.5, Rust 1.95.0, Go 1.26.3, Bun 1.3.14, Deno 2.8.0, Zig 0.15.2 (ZLS 0.16.0), pnpm 11.2.1 (major bump from 10.x), npm 11.15.0. + +**CLI tools (npm):** TypeScript 6.0.3, Prettier 3.8.3 (with `@bfra.me/prettier-config` 0.16.9), ast-grep 0.42.3, Playwright 1.60.0, Puppeteer 25.0.4, agent-browser 0.27.0, skills 1.5.7, ocx 2.0.11, tsx 4.22.3, rimraf 6.1.3, vibe-tools 0.63.3, `@github/copilot` 1.0.51 (new), `@biomejs/biome` 2.4.15. + +**Manually pinned (Renovate disabled):** `opencode-ai` 1.15.5, `@anthropic-ai/claude-code` 2.1.112. + +**Aqua tools:** shfmt (`aqua:mvdan/sh`) 3.13.1, gitleaks (`aqua:gitleaks/gitleaks`) 8.30.1 (new — secret scanner). + +**Language servers (npm):** pyright 1.1.409, typescript-language-server 5.2.0. + +**Other:** cargo-binstall 1.19.1, `pipx:poetry` 2.4.1, `@marcusrbrown/infra` latest. + +**Notable removals:** `@cortexkit/opencode-magic-context`, `@cortexkit/aft-opencode`, `remark-language-server`, and `lolcrab` no longer appear in `[tools]`. The Cortexkit OpenCode plugins moved to `.config/opencode/opencode.json` under the `plugin` array, with their own Renovate custom manager picking up the pinned-version strings. + +**Env:** `UV_SYSTEM_CERTS=true`, `NPM_TOKEN` templated from env, redacted env file at `~/.config/mise/.env.local`. + +### Historical Snapshot — [[marcusrbrown--dotfiles]] (SHA `ae026c1`, 2026-04-22) + +Superseded by the entry above. Original survey notes: **Language runtimes:** Node 24.15.0, Python 3.14.4, Rust 1.95.0, Go 1.26.2, Bun 1.3.13, Deno 2.7.13, Zig 0.15.2 (with ZLS), pnpm 10.33.0, npm 11.12.1 
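Review bot: The new current-state section in `mise.md` drops the config location that the removed paragraph gave (`.config/mise/config.toml`), so the page no longer says which file these versions were read from. Restore it in the first line under the new heading. In the "Other" line, `@marcusrbrown/infra` is recorded as `latest` while every other tool has an exact version, and the "Manually pinned (Renovate disabled)" line gives no reason for excluding `opencode-ai` and `@anthropic-ai/claude-code` from automated updates. Those are the entries most likely to drift unnoticed, so note why they are floating or frozen and how they get bumped.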
diff --git a/knowledge/wiki/repos/bfra-me--github.md b/knowledge/wiki/repos/bfra-me--github.md new file mode 100644 index 000000000..378430e4e --- /dev/null +++ b/knowledge/wiki/repos/bfra-me--github.md 
@@ -0,0 +1,289 @@ +--- +type: repo +title: bfra-me/.github +created: 2026-05-20 +updated: 2026-05-20 +sources: + - url: https://github.com/bfra-me/.github + sha: a81be4c5d5c93824fdcc426418c9433d5e5bd9be + accessed: 2026-05-20 +tags: [bfra-me, dotgithub, monorepo, pnpm, typescript, github-actions, probot, renovate, template] +related: + - bfra-me--ha-addon-repository + - marcusrbrown--github + - marcusrbrown--renovate-config + - fro-bot--agent + - github-actions-ci + - probot-settings +--- + +# bfra-me/.github + +Org control center for the `bfra-me` GitHub organization. This is the +canonical home of the org's reusable workflows, custom GitHub Actions, +workflow templates, shared Probot settings, and Fro Bot org-wide autoheal +runtime. Marketed as a template (`is_template: true`) but in practice it +runs as a full TypeScript pnpm monorepo. + +It is the bfra-me-side counterpart to [[marcusrbrown--github]] (Marcus's +personal `.github`). Where `marcusrbrown/.github` only ships Probot +settings and Prettier defaults, this repo also _executes_ org-wide +automation (Renovate dispatch, settings sync, Fro Bot org autoheal, +license/secret/container scanning). + +## Identity + +- **Owner:** bfra-me (org) +- **Visibility:** public, template repository +- **License:** MIT +- **Default branch:** `main` +- **Created:** 2022-03-17 +- **Last push:** 2026-05-20 +- **Package version:** `@bfra.me/.github` v4.16.18 (private root) +- **Node:** 24.15.0 (`.node-version`) +- **Package manager:** pnpm 10.33.4 +- **TypeScript:** 6.0.3, strict +- **Open issues / PRs:** 5 / 1 (2026-05-20) + +## Layout + +``` +. 
+├── .github/ +│ ├── actions/ +│ │ ├── renovate-changesets/ # Complex action: auto-changeset Renovate PRs (~125 src files) +│ │ ├── update-metadata/ # Repo metadata generator +│ │ └── update-repository-settings/ # Plugin-based settings sync +│ ├── instructions/ # AI-consumed dev guides (changesets, GH Actions, pnpm, Renovate, TS) +│ ├── workflows/ # 17 workflows: CI, Fro Bot, security, Copilot, renovate +│ ├── codeql/ +│ ├── copilot-instructions.md +│ ├── gitleaks.toml +│ ├── labeler.yaml +│ ├── renovate.json5 +│ └── settings.yml +├── workflow-templates/ # Org-wide templates (.yaml + .properties.json pairs) +├── scripts/ # tsx utilities: release, build perf, workspace validation +├── docs/ +│ ├── workflows/ # Workflow docs and troubleshooting +│ └── solutions/ # Compound-engineering learnings +├── metadata/ +│ └── renovate.yaml # Org-wide Renovate config consumed by other repos +├── profile/ # GitHub org profile README +├── common-settings.yaml # Org-wide Probot Settings template +├── AGENTS.md # Repo conventions (consumed by Fro Bot and Copilot) +├── eslint.config.ts +├── internal.json5 # Renovate internal config extended by .github/renovate.json5 +├── mise.toml # Adds ./node_modules/.bin to PATH +├── package.json # `@bfra.me/.github` v4.16.18 +├── pnpm-workspace.yaml +├── tsconfig.json / tsconfig.build.json / tsconfig.eslint.json +└── vitest.config.ts +``` + +## Workspace + +- 4 packages: root (`@bfra.me/.github`) + 3 actions under `.github/actions/*` +- Root is itself a workspace member (`packages: ['.', '.github/actions/*']`) + with `ignoreWorkspaceRootCheck: true` — uncommon but intentional +- `shamefullyHoist: true`, `autoInstallPeers: true`, `savePrefix: ''` +- Overrides: `flatted@3.4.2` pinned; `undici@<6.23.0` forced to `>=6.23.0`; + `vite@>=8.0.0 <=8.0.4` forced to `>=8.0.5` +- `onlyBuiltDependencies`: `esbuild`, `unrs-resolver` +- No inter-package deps; actions are self-contained, root provides shared + dev tooling +- Parallel builds: `pnpm -r run build` 
with no dependency ordering needed + +## Custom Actions + +| Action | Purpose | +| ------------------------------- | --------------------------------------------------------------------------------------- | +| `renovate-changesets` | Auto-generates `.changeset/*.md` files for Renovate PRs | +| `update-metadata` | Generates/updates per-repo metadata (badges, scorecards, etc.) | +| `update-repository-settings` | Plugin-based action that syncs `.github/settings.yml` to the GitHub API | + +All actions: + +- Use Node.js 24 runtime (`using: node24` in `action.yaml`) +- Ship pre-built `dist/` in the repo (GitHub requires committed JS) +- Standardized on `action.yaml` (never `action.yml`) +- Have their own AGENTS.md for action-local conventions + +## Workflows (17) + +``` +auto-release.yaml codeql-analysis.yaml container-scan.yaml +copilot-setup-steps.yaml dependency-review.yaml fro-bot-autoheal-org.yaml +fro-bot.yaml license-compliance.yaml main.yaml +pr-triage.yaml renovate-changeset.yaml renovate.yaml +scorecard.yaml secret-scan.yaml trigger-org-renovate.yaml +update-metadata.yaml update-repo-settings.yaml +``` + +Notable surface area: + +- **`main.yaml`** — primary CI entry point (Quality Check job referenced by branch protection) +- **`fro-bot.yaml`** — full Fro Bot persona: PR review, mention handling, daily maintenance (`0 5 * * *`), daily autoheal (`30 15 * * *`), `workflow_dispatch` with `mode` choice (review/maintenance/autoheal), `workflow_call` for reusable invocation +- **`fro-bot-autoheal-org.yaml`** — org-wide autoheal sweep across **all non-archived** `bfra-me` repos, weekdays at `0 5 * * 1-5`. 
Processes repos serially, deduplicates against existing bot-authored issues/PRs, defers dependency bumps to Renovate, and only applies minimal reversible fixes +- **`renovate.yaml`** — drives self-hosted Renovate via `@bfra-me/renovate-action` +- **`trigger-org-renovate.yaml`** — fans Renovate runs out to other org repos +- **`update-repo-settings.yaml`** — applies `.github/settings.yml` (and downstream `common-settings.yaml`) via `update-repository-settings` action +- **`update-metadata.yaml`** — invokes local `update-metadata` action without the self-checkout pattern (action only runs in this repo) +- **`codeql-analysis.yaml`, `scorecard.yaml`, `container-scan.yaml`, `secret-scan.yaml`, `license-compliance.yaml`, `dependency-review.yaml`** — security posture +- **`copilot-setup-steps.yaml`** — Copilot coding agent bootstrap +- **`pr-triage.yaml`** — labeler-driven PR triage + +## Fro Bot Integration + +This repo **is** a Fro Bot workflow host, and it also _runs_ the org-wide +autoheal sweep. 
As of HEAD it pins: + +- `fro-bot/agent@b97877b202095e5faf046c1f9d7a18891720a73b # v0.44.2` + (bumped via Renovate, PR #2200) + +### `fro-bot.yaml` (per-repo) + +- Triggers: `issue_comment`, `pull_request_review_comment`, + `discussion_comment`, `issues` (opened/edited), `pull_request` (opened, + synchronize, reopened, ready_for_review, review_requested), two crons, + `workflow_dispatch` with `mode` input, `workflow_call` +- Concurrency keyed off issue/PR/discussion/schedule/run_id; never + cancels in progress (autoheal runs must finish cleanly) +- `PR_REVIEW_PROMPT` is security-focused for an org control center — + enforces SHA-pinned actions with version comments, blocks workflow + injection via untrusted input in `run:` blocks, requires `dist/` + rebuild for action source changes, enforces manually-authored + changesets (`pnpm changeset` CLI explicitly banned), and TypeScript + strictness (no `any`, no `@ts-ignore`, ESM only) + +### `fro-bot-autoheal-org.yaml` (org-wide) + +- Schedule: weekdays at `0 5 * * 1-5`; `workflow_dispatch` accepts an + optional `target-repo` to narrow the sweep +- Execution model: process repos serially, never keep multiple repos + checked out simultaneously, return to a clean working tree between + repos +- Dedup rule: search for an existing open bot-authored item per root + cause before opening anything new +- Scope cap: minimal and reversible only — broad refactors get logged + under "Needs Human Attention" rather than executed +- Dependency ownership: Renovate owns routine version bumps; Fro Bot may + change versions **only** to remediate confirmed high/critical + advisories + +## Probot Settings + +- `.github/settings.yml` extends `.github:common-settings.yaml` + (self-extending — pulls from the same repo) +- `common-settings.yaml` is the **org-wide template** consumed by other + `bfra-me` repos and by Marcus's repos via `_extends: + fro-bot/.github:common-settings.yaml` (note: across the wiki, repos + reference 
`fro-bot/.github:common-settings.yaml`, but the bfra-me + control-plane file lives at `bfra-me/.github:common-settings.yaml` — + these are organizationally distinct settings sources) +- Repo-level overrides: `is_template: true`, `has_projects: false`, + `has_wiki: false`, `allow_merge_commit: false`, `allow_rebase_merge: + false`, `allow_auto_merge: true`, `delete_branch_on_merge: true`, + `allow_update_branch: true`, squash commit title + `COMMIT_OR_PR_TITLE`, message `COMMIT_MESSAGES` +- Branch protection (`main`): strict status checks with 12 required + contexts (Advanced Security Analysis, CodeQL, Container Scan, Create + Renovate Changeset, Fro Bot, GitGuardian Scan, License Scan, Quality + Check, Release, Renovate, Review Dependencies, Triage), admin + enforcement enabled, linear history required, `required_approving_review_count: 0` + (governance leans on status checks, not human reviewers) + +## Renovate + +- `.github/renovate.json5` extends `local>bfra-me/.github:internal.json5` +- `automergeType: pr` +- Package rules: `aquasecurity/trivy-action` uses `github-releases` + versioning; `elstudio/actions-settings` disabled (the settings action + is consumed via the local custom action); `mise` manager disabled + (workaround for missing `tools` key) +- Post-upgrade tasks: `pnpm run bootstrap && pnpm run build && pnpm run + fix`, executionMode `branch` +- `metadata/renovate.yaml` is the **org-wide** Renovate config inherited + by other `bfra-me` repos + +## Conventions (from AGENTS.md) + +- Actions pinned to commit SHA with version comment — never floating + tags +- Changesets authored **manually** in `.changeset/*.md`; the `pnpm + changeset` CLI is explicitly banned (creates inconsistent format) +- Changesets scoped to closest package — only target + `@bfra.me/.github` for root-level changes +- ESM only (`type: module`, no `require()`) +- Shared configs: `@bfra.me/eslint-config`, `@bfra.me/prettier-config`, + `@bfra.me/tsconfig` +- GitHub App auth: 
`bfra-me[bot]` via `actions/create-github-app-token` +- 120-char line limit (`.editorconfig`), 2-space indent +- Vitest exclusively; coverage thresholds 80% statements/functions/lines, + 75% branches +- Workspace scripts: `#!/usr/bin/env tsx`, function-based, typed + interfaces +- Reusable workflows that call internal actions use `GITHUB_WORKFLOW_REF` + (not `github.workflow_sha`) for cross-repo checkout — `workflow_sha` + resolves to the caller's SHA in `workflow_call` + +## Anti-Patterns (Documented) + +- `pnpm changeset` CLI +- Floating action versions +- Hardcoded secrets +- Workflow templates without `.properties.json` +- `contexts` in branch protection (use `checks`) +- Cancelling Renovate jobs that push to main +- `@ts-ignore` / `as any` +- `github.workflow_sha` for cross-repo checkout in `workflow_call` + +## Build, Test, Release + +```bash +pnpm bootstrap # Install (prefer-offline) +pnpm run quality-check # type-check + lint + build + test +pnpm build # All workspace packages, parallel +pnpm test # Vitest +pnpm run lint / pnpm run fix # ESLint (auto-fix variant) +pnpm run type-check # tsc --noEmit +pnpm run release # Multi-package release with tag mgmt +pnpm run workspace:validate # Dep analysis + consistency check +pnpm run build:monitor # Build performance analysis +``` + +Release tagging: the monorepo root is private and tagged as `v{ver}`, +but `scripts/release.ts` also logs `{name}@{ver}` so the Changesets +action can detect it as a published package. + +## Cross-Repo Relationships + +- **[[marcusrbrown--github]]** — Marcus's personal `.github`; its + reusable workflow pins to `bfra-me/.github` (e.g. `v4.16.8` / + `v4.16.9` in recent logs). Most `marcusrbrown/*` repos extend + `fro-bot/.github:common-settings.yaml` rather than this one, + but they consume `bfra-me/.github` reusable workflows. +- **[[bfra-me--ha-addon-repository]]** — sibling org template; pulls + reusable workflows and Probot settings from here. 
+- **[[fro-bot--agent]]** — this repo pins `fro-bot/agent@v0.44.2`, + ahead of most other ecosystem repos (commonly `v0.41.x`–`v0.43.x`). +- **[[marcusrbrown--renovate-config]]** — Marcus's preset is the + Renovate baseline for `marcusrbrown/*` repos; `bfra-me/.github` ships + its own `metadata/renovate.yaml` for `bfra-me/*` repos. + +## Open Questions / Follow-Ups + +- The Probot settings landscape now has **three** common-settings + sources visible in this wiki: `marcusrbrown/.github:common-settings.yaml` + (Marcus's personal template), `fro-bot/.github:common-settings.yaml` + (Fro Bot org template), and `bfra-me/.github:common-settings.yaml` + (this repo, org template for `@bfra-me`). The + [[probot-settings]] topic currently documents only the first two. + A follow-up survey should map which repos extend which and reconcile + the relationship between `bfra-me` and `fro-bot` org settings. + +## Survey History + +| Date | SHA | Notes | +| ---------- | ---------- | -------------------------------------------------------------------------- | +| 2026-05-20 | `a81be4c` | Initial survey. `fro-bot/agent@v0.44.2` (PR #2200). 17 workflows, 3 custom actions. | diff --git a/knowledge/wiki/repos/bfra-me--ha-addon-repository.md b/knowledge/wiki/repos/bfra-me--ha-addon-repository.md new file mode 100644 index 000000000..55c46cbd0 --- /dev/null +++ b/knowledge/wiki/repos/bfra-me--ha-addon-repository.md 
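Review bot: In the Probot Settings section of `bfra-me--github.md`, the second bullet says `common-settings.yaml` is consumed "by Marcus's repos via `_extends: fro-bot/.github:common-settings.yaml`" and then, in the same parenthetical, says the `fro-bot` file and the `bfra-me` file are organizationally distinct sources. The bullet contradicts itself, and Cross-Repo Relationships says most `marcusrbrown/*` repos extend the `fro-bot` file "rather than this one". Reword the bullet to state only which repos were observed extending `bfra-me/.github:common-settings.yaml`. The branch protection bullet also describes "12 required contexts" while the Anti-Patterns list says to use `checks` instead of `contexts`, so say which key `settings.yml` actually uses. Since the page records `required_approving_review_count: 0` alongside `allow_auto_merge: true` and `automergeType: pr` on the repo that runs org-wide automation, it is worth stating in one sentence that the required status checks are the only merge gate.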
@@ -0,0 +1,181 @@ +--- +type: repo +title: bfra-me/ha-addon-repository +created: 2026-05-20 +updated: 2026-05-30 +sources: + - url: https://github.com/bfra-me/ha-addon-repository + sha: 0a163c3fa8846704103658142fa742f40d165743 + accessed: 2026-05-20 + - url: https://github.com/bfra-me/ha-addon-repository + sha: 0a163c3fa8846704103658142fa742f40d165743 + accessed: 2026-05-30 +tags: [home-assistant, addon, hassio, template, docker, multi-arch, bfra-me] +related: + - marcusrbrown--ha-config + - marcusrbrown--esphome-life + - marcusrbrown--containers + - home-assistant + - docker-containers + - github-actions-ci + - probot-settings +--- + +# bfra-me/ha-addon-repository + +Template repository for a Home Assistant add-on repository. GitHub template (`is_template: true`) under the `bfra-me` org, used as the blueprint when starting a new HA add-on collection. The repo ships one example add-on (`example/`) that gets built and published to GHCR as `ghcr.io/bfra-me/{arch}-addon-example`. + +This is the bfra-me ecosystem's add-on counterpart to Marcus's runtime [[marcusrbrown--ha-config]] — where ha-config consumes add-ons and integrations, this repo defines the scaffolding for building and publishing new ones. + +## Identity + +- **Owner:** bfra-me (org) +- **Visibility:** public, template +- **License:** Apache-2.0 +- **Default branch:** `main` +- **Primary language:** Dockerfile +- **Topics:** `addon`, `addons`, `hassio`, `home-assistant`, `homeassistant`, `template` +- **Created:** 2022-10-08 +- **Last push:** 2026-05-20 + +## Layout + +``` +. 
+├── .github/ +│ ├── renovate.json5 +│ ├── settings.yml +│ └── workflows/ +│ ├── fro-bot.yaml +│ ├── main.yaml +│ ├── renovate.yaml +│ └── update-repo-settings.yaml +├── .cursorrules +├── .devcontainer.json +├── .markdownlint-cli2.yaml +├── .pre-commit-config.yaml +├── .prettierrc.yaml +├── .tool-versions +├── LICENSE +├── README.md +├── example/ +│ ├── CHANGELOG.md +│ ├── DOCS.md +│ ├── Dockerfile +│ ├── README.md +│ ├── apparmor.txt +│ ├── build.yaml +│ ├── config.yaml +│ ├── icon.png +│ ├── logo.png +│ ├── rootfs/ +│ └── translations/ +└── repository.yaml +``` + +The HA add-on store discovers add-ons by walking the repo root for directories containing a `config.yaml`/`config.json`. The `Main` workflow's `prepare` job replicates that discovery with `find ./ -maxdepth 2 -name config.json -o -name config.yaml -o -name config.yml`. + +## The Example Add-on + +`example/` is the template payload. It demonstrates the canonical s6-overlay add-on structure: + +- **`config.yaml`** — slug `example`, version `1.2.2`, four arches (`armhf`, `armv7`, `aarch64`, `amd64`), `init: false` (s6 takes over), `share:rw` map, single `message` option, image `ghcr.io/bfra-me/{arch}-addon-example`. +- **`build.yaml`** — base images pinned to `ghcr.io/home-assistant/{arch}-base:3.23` for 64-bit, `:3.22` for 32-bit ARM. OCI labels set title, description, source URL, and Apache-2.0 license. +- **`Dockerfile`** — `ARG BUILD_FROM` pinned by digest (`@sha256:...`) so Renovate can rotate it. Installs `tempio` (HA's template renderer) from `home-assistant/tempio` GitHub releases with a Renovate datasource comment. Copies `rootfs/` over the base image. +- **`apparmor.txt`** — AppArmor profile (security mandatory for HA add-ons). +- **`rootfs/`** — s6-overlay service tree. +- **`translations/`** — i18n strings for the HA Supervisor UI. 
+ +## Workflows + +Four workflows, all SHA-pinned actions: + +### `main.yaml` — CI lint + multi-arch build +- **Trigger:** `pull_request` (main), `push` (main), `workflow_dispatch`. +- **`prepare` job:** Discovers add-on directories, uses `dorny/paths-filter@v4.0.1` to compute changed add-ons against a `MONITORED_FILES` list (`apparmor.txt build.yaml config.yaml Dockerfile rootfs/**`). Emits JSON arrays for downstream matrix expansion. +- **`lint-addon` matrix:** `frenck/action-addon-linter@v2.21.0` per changed add-on. Authoritative HA lint. +- **`lint-prettier`:** `creyD/prettier_action@v4.6`, Prettier 3.8.3 pinned via `# renovate: datasource=npm depName=prettier` comment, `--check .`. +- **`build-addon` matrix:** Per-changed-add-on × (`aarch64`, `amd64`, `armhf`, `armv7`). Uses `yq` (`chrisdickinson/setup-yq` v4.45.1) to extract `build_from` keys and validate the arch list before building. `home-assistant/builder@2026.03.2` runs with `--test` for PRs and full builds with `--cosign` on push to `main`. Publishes to `ghcr.io/bfra-me/{arch}-addon-{slug}` with `id-token: write` (Sigstore/cosign). +- **`lint`/`build` aggregator jobs** funnel matrix results into single named status checks for branch protection. + +### `fro-bot.yaml` — Fro Bot agent integration +- **Agent version:** `fro-bot/agent@v0.43.1` (SHA `3ec8d72f`). +- **Triggers:** `issue_comment`, `pull_request_review_comment`, `discussion_comment`, `issues` (opened/edited), `pull_request` (opened/synchronize/reopened/ready_for_review/review_requested), `schedule` (`30 15 * * *` — daily 15:30 UTC), `workflow_dispatch` with `prompt` input. +- **Bot-loop guards:** Skips when the user, comment author, or PR author ends with `[bot]` or equals `fro-bot`. Comment triggers require `OWNER`/`MEMBER`/`COLLABORATOR` association and `@fro-bot` mention. 
+- **PR_REVIEW_PROMPT** is add-on-aware: Dockerfile base-image SHA pinning, `config.yaml`/`build.yaml` validity (required fields, arch list accuracy, image reference pattern), shell script quality (`bashio`, signal handling, shellcheck SC2086/SC2060), AppArmor profile integrity, GitHub Actions SHA pinning, YAML formatting, breaking changes to add-on interface (slug/image/option-type changes that break existing installs), translation completeness. Output is a structured verdict (`PASS | CONDITIONAL | REJECT`) with mandatory headings. +- **SCHEDULE_PROMPT** runs a four-category sweep: errored PRs (checkout, diagnose, fix, push), security (Renovate alerts, SHA-pinning audit of `.github/workflows/*.yaml`), health & maintenance (compare `fro-bot/agent`, `actions/checkout`, `dorny/paths-filter`, `frenck/action-addon-linter`, `creyD/prettier_action`, `chrisdickinson/setup-yq` against current SHAs; bump `bfra-me/.github` reusable workflow when newer), developer experience (Prettier, shellcheck on `example/rootfs/**/{run,finish}`, config.yaml/build.yaml required fields, version-vs-CHANGELOG consistency, `.tool-versions` drift). +- **Single perpetual issue:** Maintains a single open issue titled exactly `Daily Autohealing Report` and prepends dated update sections — this is **not** the same pattern as ha-config or sibling repos that create new issues per cycle. +- Uses `secrets.FRO_BOT_PAT` for checkout and agent token; `OPENCODE_AUTH_JSON`, `OMO_PROVIDERS`, `OPENCODE_CONFIG` secrets; `vars.FRO_BOT_MODEL` for model selection. + +### `renovate.yaml` — Renovate orchestration +- Uses `bfra-me/.github/.github/workflows/renovate.yaml@v4.16.16` (SHA `71213b76`). +- Triggers: `issues.edited`, `pull_request.edited`, `push` (non-main), `workflow_dispatch` (log-level + print-config inputs), `workflow_run` (after `Main` succeeds on `main`). +- Conditional log level: debug on PRs / non-default branches, info otherwise. 
+ +### `update-repo-settings.yaml` — Probot Settings sync +- Uses `bfra-me/.github/.github/workflows/update-repo-settings.yaml@v4.16.16`. +- Triggers: `push` to `main`, daily at 14:15 UTC, `workflow_dispatch`. + +## Configuration + +### Renovate (`renovate.json5`) +- Extends `github>bfra-me/renovate-config#5.2.1` plus `:enablePreCommit`. This is a **different** preset family than the `marcusrbrown/renovate-config` line used across the rest of the ecosystem (`marcusrbrown/renovate-config#4.5.x`). +- Package rules: + - HA base images (`ghcr.io/home-assistant/**`, `home-assistant/**`) grouped as "Home Assistant Add-ons" with `pinDigests: false`. + - `ghcr.io/hassio-addons/**` grouped as "hassio-addons". + - `home-assistant/actions/*` regex match grouped. + - `home-assistant/builder` action: custom version extraction (`^\d+\.\d+\.\d+$`), single-bump strategy (no separate major/minor/patch). + - `python` dep capped at `<=3.13`. +- Custom managers cover three patterns: `build.yaml` arch keys + `# renovate:` comments, `Dockerfile` `ARG BUILD_FROM=...@sha256:...` and `# renovate:` comments, and Alpine package versions via `repology` datasource (`alpine_3_20/{pkg}`). + +### Probot Settings (`.github/settings.yml`) +- Extends `.github:common-settings.yaml` (org-level common settings — note the bare `.github:` prefix, which resolves to `bfra-me/.github`, not Marcus's personal `.github`). +- Repo: `is_template: true`, topics, description. +- Branch protection on `main`: + - Required status checks (strict): `Prepare`, `Lint`, `Build`, `Renovate / Renovate`, `Fro Bot` + - `enforce_admins: true` + - 1 required approving review, dismiss stale reviews on push + - `required_linear_history: true` + - No code-owner-review requirement, no restrictions + +### Tooling +- **`.tool-versions`:** Node 22.11.0, Python 3.13.13. +- **`.devcontainer.json`** present (contents not surveyed under read-limit policy). 
+- **`.pre-commit-config.yaml`** present, integrated via Renovate `:enablePreCommit`. +- **`.markdownlint-cli2.yaml`**, **`.prettierrc.yaml`** present. +- **`.cursorrules`** present (Cursor IDE context). + +## Cross-Ecosystem Notes + +| Aspect | bfra-me/ha-addon-repository | [[marcusrbrown--ha-config]] | +|---|---|---| +| Purpose | Template for building & publishing HA add-ons | Running HA config (consumes add-ons & components) | +| Renovate base | `bfra-me/renovate-config#5.2.1` | `marcusrbrown/renovate-config#4.5.x` | +| Probot extends | `.github:common-settings.yaml` (bfra-me org) | `fro-bot/.github:common-settings.yaml` | +| Fro Bot agent | v0.43.1, present, daily autoheal at 15:30 UTC | **Not present** (carried-forward recommendation) | +| Fro Bot issue model | Single perpetual `Daily Autohealing Report` | n/a | +| Build target | Multi-arch Docker images → GHCR with cosign | n/a (no add-on builds) | +| HA validation tool | `frenck/action-addon-linter` | `frenck/action-home-assistant` | + +The two `frenck/action-*` tools are siblings serving the two sides of the HA development workflow: linter for the add-on contract, home-assistant for the running config. See [[home-assistant]] for the latter. + +## Observations + +- **Template hygiene:** README's HTML comment block is the de-facto onboarding checklist for forkers (rename `example/`, update `image:` to your username, adjust `repository.yaml`, update `version` and `CHANGELOG.md` per release). It is not enforced by CI — a fork that forgets to update `image:` will silently publish under `bfra-me`'s namespace. Worth promoting to a `scripts/init-fork.sh` or pre-commit hook in any downstream usage. +- **HA base-image arch split:** `aarch64`/`amd64` on Alpine 3.23, `armhf`/`armv7` on 3.22. The base-image producers (`ghcr.io/home-assistant/*-base`) lag on 32-bit ARM. The Renovate `Home Assistant Add-ons` group keeps them coordinated, but expect drift to persist as upstream prioritizes 64-bit. 
+- **`pinDigests: false` for HA base images** is intentional — combined with the explicit `@sha256:...` in the Dockerfile, the digest is rotated by the custom Dockerfile manager (`ARG BUILD_FROM=...@sha256:...` matchString), not by `build.yaml`. This keeps the build reproducible while letting `build.yaml` stay readable as tag-only. +- **`enforce_admins: true`** on the template means downstream forks inherit a strict policy that the original maintainer must also follow — a footgun for solo forks until they relax it. +- **No CodeQL, no Scorecard, no Trivy** — security scanning is delegated to Renovate alerts and the Fro Bot autoheal sweep. Reasonable for a template; downstream add-on collections handling real services should add at least a Hadolint/Trivy gate. +- **Five open issues** (per gh metadata at survey time), zero open PRs. + +## Survey History + +| Date | SHA | Notes | +|---|---|---| +| 2026-05-20 | `0a163c3f` | Initial survey. Fro Bot agent v0.43.1, four workflows, example add-on at v1.2.2, HA base images Alpine 3.22/3.23, Node 22.11.0, Python 3.13.13. | +| 2026-05-30 | `0a163c3f` | HEAD unchanged on `main` for 14 days. Open issues 5 → 6 (new `Daily Autohealing Report` entry from the perpetual issue pattern). 4 open Renovate PRs queued and unmerged: #556 (`bfra-me/.github` v4.16.16 → v4.16.21), #557 (`fro-bot/agent` v0.43.1 → v0.46.1, 3-minor-version jump), #558 (HA `amd64-base:3.23` digest rotation), #559 (`docker/login-action` v4.2.0). The `SCHEDULE_PROMPT` block still references `bfra-me/.github` "currently v4.16.6" — that's a stale comment relative to the actual workflow import at v4.16.16, and worth updating when #556 lands. No content drift on workflows, settings, or the `example/` add-on. 
| + +## Drift Watch + +- **Stale comment in `fro-bot.yaml`:** The `SCHEDULE_PROMPT` env literal hardcodes "bfra-me/.github reusable workflow version (currently v4.16.6)" while the actual `uses:` pin in `renovate.yaml` and `update-repo-settings.yaml` is at v4.16.16, with v4.16.21 queued in PR #556. The agent self-corrects via the live SHA comparison it's instructed to do, but the literal will keep drifting until someone parameterises it or relies entirely on dynamic lookup. +- **Fro Bot agent lag:** Repo is at v0.43.1; ecosystem (e.g., `marcusrbrown/dotfiles`, `marcusrbrown/systematic`) has moved through v0.44.x → v0.45.0 and Renovate has v0.46.1 queued. PR #557 alone covers three minor versions — worth a targeted review before merge in case any of v0.44 / v0.45 introduced workflow input changes that need surfacing in `fro-bot.yaml`. diff --git a/knowledge/wiki/repos/bfra-me--renovate-action.md b/knowledge/wiki/repos/bfra-me--renovate-action.md new file mode 100644 index 000000000..74d7bbfc4 --- /dev/null +++ b/knowledge/wiki/repos/bfra-me--renovate-action.md 
@@ -0,0 +1,288 @@ +--- +type: repo +title: bfra-me/renovate-action +created: 2026-05-20 +updated: 2026-05-20 +sources: + - url: https://github.com/bfra-me/renovate-action + sha: bc9c45917d3f7b33962d3ba44b11d58d9f6c2647 + accessed: 2026-05-20 +tags: [renovate, github-action, composite, self-hosted, docker, typescript, semantic-release, bfra-me] +related: + - bfra-me--ha-addon-repository + - marcusrbrown--renovate-config + - marcusrbrown--ha-config + - marcusrbrown--github + - marcusrbrown--systematic + - fro-bot--agent + - github-actions-ci + - docker-containers + - probot-settings +--- + +# bfra-me/renovate-action + +Composite GitHub Action that runs a **self-hosted Renovate bot** in a Docker container with **GitHub App** authentication. Published as `bfra-me/renovate-action@v9` and consumed across the `bfra-me` organization (and indirectly by `marcusrbrown/*` / `fro-bot/*` via the reusable `bfra-me/.github/.github/workflows/renovate.yaml` that wraps it). + +This is the **execution surface** for the bfra-me dependency-update policy that [[marcusrbrown--renovate-config]] defines as preset content. Where `marcusrbrown/renovate-config` answers "what should Renovate do," this repo answers "how does Renovate actually run." + +## Identity + +- **Owner:** `bfra-me` (org) +- **Visibility:** public +- **License:** MIT +- **Author:** Marcus R. Brown +- **Default branch:** `main` (release branch: `release`; major-version branch: `v9`) +- **Primary language:** Shell (action logic) + TypeScript (scaffold + tooling) +- **Topics:** `composite`, `github-action`, `github-actions`, `renovate`, `nodejs`, `typescript`, `action`, `self-hosted` +- **Created:** 2023-09-22 +- **Last push:** 2026-05-20 +- **Latest release:** `9.90.0` (2026-05-20) +- **Stars / Forks / Watchers:** 2 / 1 / 1 +- **Open issues:** 60 (consistent with a long-lived autoheal / Renovate dependency dashboard) + +## Layout + +``` +. 
+├── action.yaml # THE runtime — composite steps, JSON config merge, Docker +├── docker/ +│ └── entrypoint.sh # Tool installs (yq, Node, Bun, pnpm, Yarn) + analytics +├── src/ +│ ├── main.ts # Scaffold TS — @actions/core wait utility (not used at runtime) +│ ├── wait.ts +│ └── __tests__/ +├── dist/ # tsup bundle — committed, verified for drift in CI +├── docs/ # Astro/Starlight docs site (separate pnpm workspace package) +├── .github/ +│ ├── CODEOWNERS +│ ├── copilot-instructions.md +│ ├── filters.yaml # dorny/paths-filter config for CI gating +│ ├── renovate.json5 # self-referential Renovate config +│ ├── settings.yml # Probot Settings +│ └── workflows/ # 8 workflows +├── .ai/ # AI agent context (not surveyed under read-limit policy) +├── .cursor/ # Cursor IDE context +├── AGENTS.md # Project knowledge base for AI agents +├── README.md +├── action.yaml +├── package.json +├── pnpm-lock.yaml +├── pnpm-workspace.yaml +├── tsup.config.ts +├── tsconfig.json +├── eslint.config.ts +├── .releaserc.yaml # semantic-release config (branch: release) +└── llms.txt +``` + +The TypeScript layer (`src/`, `dist/`) is **not** what consumers execute — `action.yaml` is. The TS scaffold exists for the published-action lint/check pipeline, dist drift verification, and as a placeholder for future TS-backed steps. The composite action's actual work happens in Bash inside `action.yaml` and `docker/entrypoint.sh`. + +## How the Action Works + +### Composite Steps (`action.yaml`) + +1. **`get-renovate-app`** — `actions/create-github-app-token@v3.2.0` mints a short-lived installation token from the consumer's `renovate-app-id` + `renovate-app-private-key`. Scoped to `github.repository_owner`. +2. **`configure`** — Bash step (`bash -Eeuo pipefail`) that: + - Pins `RENOVATE_VERSION=43.186.2` (Renovate v43) with a `# renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate versioning=semver` comment so Renovate self-bumps it. 
+ - Builds the `renovate_git_author` identity from the GitHub App slug. + - Defines `validate_json()` and `merge_global_config()` Bash functions that deep-merge the action's base config (`zzglobal_config` inline JSON) with the user-supplied `global-config` input. + - **Security boundary:** `allowedCommands`, `platform`, `gitAuthor`, `gitIgnoredAuthors`, `cacheDir`, `repositoryCache` are protected. `allowedCommands` is restored from base after merge; the others emit warnings if the user tries to set them. Falls back to base config on any validation failure. +3. **`v9 deprecation notice`** — emits a `::warning::` that Docker execution is planned for removal in v10. +4. **`Restore Renovate Cache`** (conditional on `cache: true`) — `actions/cache/restore@v5.0.5` keyed on `renovate-cache-v`. +5. **`Prepare Renovate Cache`** — `chown -R runneradmin:root /tmp/renovate` so the container user can write the cache. +6. **`Renovate `** — `renovatebot/github-action@v46.1.4` runs the Renovate Docker image (`ghcr.io/renovatebot/renovate:43.186.2`) with `docker-user: root`, `mount-docker-socket: true`, custom `docker-cmd-file` at `docker/entrypoint.sh`. The action passes through a strict `env-regex` whitelist (CI vars, GitHub vars except PATH/ENV, proxy vars, log level, NODE_OPTIONS, `RENOVATE_*`, `RUNNER_*`). +7. **`Finalize Renovate Cache`** + **`Save Renovate cache`** — deletes the prior cache entry via `gh api -X DELETE` and saves the new one (always-runs on success or failure when cache enabled). + +### Docker Entrypoint (`docker/entrypoint.sh`) + +`bash -Eeuo pipefail`. Inside the container it: +- Initializes `/tmp/renovate-analytics`. +- Defines `record_docker_metric()` and `record_failure()` helpers that emit JSON metric files via inline Node.js (`fs.writeFileSync`). +- Installs runtime tools (yq, Node, Bun, pnpm, Yarn) that Renovate's package managers may invoke. +- Runs Renovate as the `ubuntu` user (the cache-prepare `chown` aligns ownership for read/write). 
+ +### Key Inputs + +| Input | Required | Default | Notes | +| --- | --- | --- | --- | +| `renovate-app-id` | ✅ | — | GitHub App ID | +| `renovate-app-private-key` | ✅ | — | GitHub App private key | +| `autodiscover` | | `false` | When `false`, autodiscover-filter is forced to `github.repository` | +| `autodiscover-filter` | | `[]` | JSON array of glob filters | +| `branch` | | — | Optional base branch override | +| `cache` | | `false` | Enables `actions/cache` for `/tmp/renovate/cache` and `RENOVATE_REPOSITORY_CACHE` | +| `dry-run` | | `false` | When `true`, sets `RENOVATE_DRY_RUN=extract` (lightest dry-run mode) | +| `execution-mode` | | `container` | v9 deprecation scaffolding; non-container values warn and fall through | +| `global-config` | | `{}` | JSON string deep-merged into base config; protected fields enforced | +| `log-level` | | `info` | | +| `print-config` | | `false` | | + +### Outputs + +- `docker-image` — e.g., `ghcr.io/renovatebot/renovate:43.186.2` +- `renovate-version` — e.g., `43.186.2` + +## Workflows + +Eight workflows under `.github/workflows/`, all using `.yaml` extension and SHA-pinned actions with version comments: + +### `main.yaml` — primary CI + release pipeline + +- **Triggers:** `merge_group`, `pull_request` (main), `push` (main), `workflow_dispatch`. +- **Concurrency:** group-keyed on `workflow + event-number-or-ref`, cancel-in-progress. +- **Jobs:** + - **`setup`** — checkout, pnpm/setup-node from `package.json`, `pnpm bootstrap`, `dorny/paths-filter@v4.0.1` against `.github/filters.yaml` to emit `dist-changed`, `docs-changed`, `should-check`, `src-changed`, `renovate-changed` flags. + - **`check`** — `pnpm build && pnpm check`, plus a docs preview smoke test (`pnpm run preview`, `curl http://localhost:4321/renovate-action`). 
+ - **`test`** — `pnpm test` (Vitest), then a **self-test** step that runs `uses: ./` with `dry-run: true`, `log-level: debug`, `print-config: true` against the consumer's own repo (gated to `bfra-me` org, non-default branch, no `renovate-changed`). + - **`build`** — `pnpm build` and dist drift verification (`git diff --ignore-space-at-eol dist/`). Uploads `dist/` artifact on failure. + - **`build-docs`** + **`deploy-pages`** — Astro/Starlight site build with `actions/configure-pages@v6.0.0`, deployed via `actions/deploy-pages@v5.0.0` (main only). + - **`release`** — checks out the `release` branch, fast-forwards `main` into `release` (`git merge --no-ff -Xtheirs -m 'skip: merge () [skip release]'`), pushes, then runs `semantic-release` with GitHub App token. Dry-run on PRs. + +### `fro-bot.yaml` — Fro Bot agent integration + +- **Agent version:** `fro-bot/agent@v0.44.2` (SHA `b97877b202095e5faf046c1f9d7a18891720a73b`). +- **Triggers:** `issue_comment`, `pull_request_review_comment`, `discussion_comment`, `issues` (opened/edited), `pull_request` (opened/synchronize/reopened/ready_for_review/review_requested), `schedule` (`30 3 * * *` autoheal + `30 15 * * *` maintenance — daily 03:30 and 15:30 UTC), `workflow_dispatch` with `mode` choice (review/maintenance/autoheal) + `prompt` input, and `workflow_call` with required `prompt` input. +- **Bot-loop guards:** Identical pattern to the rest of the ecosystem — skip when issue/PR/comment author ends in `[bot]` or equals `fro-bot`. Comment triggers require `OWNER`/`MEMBER`/`COLLABORATOR` association and `@fro-bot` mention. +- **Mode resolution:** Inline Bash in the `Determine mode and prompt` step maps event type → mode (schedule cron `15` → maintenance, schedule cron `03` → autoheal, `pull_request` → review, `workflow_dispatch` → user-selected). Mode controls which inline `env`-block prompt is used. 
+- **`PR_REVIEW_PROMPT`** — focused on the action's risk surface: JSON config merging security (`allowedCommands` must never be overridable), template variable substitution, shell script safety, Docker entrypoint security, cache ownership, workflow injection (untrusted input in `run:` blocks), TypeScript strictness (no `any`, no `@ts-ignore`, pure ESM), Renovate config (`allowedCommands` regex safety, onboardingConfig changes, gitIgnoredAuthors consistency), and **dist/ drift detection** ("if src/ changes, dist/ must be rebuilt"). Verdict format: `## Verdict: PASS / CONDITIONAL / REJECT` with mandatory `Blocking issues`, `Non-blocking concerns`, `Missing tests`, `Risk assessment` headings. +- **`MAINTENANCE_PROMPT`** — single rolling issue titled `Daily Maintenance Report`. 14-day bounded section history collapsed into a `Historical Summary`. Same single-perpetual-issue pattern as [[bfra-me--ha-addon-repository]]. +- **`AUTOHEAL_PROMPT`** — five-category sweep: + 1. **ERRORED PRs** — diagnose/fix failing CI on trusted-author PRs only; **never** touches `.github/workflows/`, lockfiles, package-manager config, lockfile-maintenance branches, or the Fro Bot workflow itself; auto-rebuilds `dist/` when `src/` changes. + 2. **SECURITY** — Dependabot/Renovate alerts; remediate critical/high; do **not** batch unrelated bumps into a security PR. + 3. **CODE QUALITY & REPO HYGIENE** — report-only; runs `pnpm build`, `pnpm test`, `pnpm check`, validates allowedCommands regex, scans stale TODOs > 90 days via `git blame`. + 4. **DEVELOPER EXPERIENCE** — lint/format auto-fix PRs grouped into a single conventional-commit PR; rebuilds `dist/` when `src/` is touched. + 5. **PROGRESSIVE IMPROVEMENT** — report-only; checks Renovate version drift (don't open bump PRs — Renovate owns that), release-branch health, reusable-workflow versions, analytics integrity, cross-project pattern drift against `bfra-me/.github`. 
+- **Output:** single perpetual `Daily Autohealing Report` issue with structured tables (Summary, Errored PRs, Security, Code Quality, Developer Experience, Progressive Improvement, Needs Human Attention). +- **Dependency ownership rule** is explicit: "Renovate owns routine dependency/version bumps. You may change dependency versions only when remediating a confirmed security advisory (critical/high) or repairing an existing security-update PR." This is the cleanest articulation of the autoheal-vs-Renovate boundary observed across the ecosystem. + +### `renovate.yaml` — self-managed Renovate orchestration + +Direct workflow (not via `bfra-me/.github` reusable) because this repo is **upstream** of the reusable workflow it would normally consume. Triggers and uses `bfra-me/renovate-action@v9` against itself. + +### `update-repo-settings.yaml` — Probot Settings sync + +### `codeql-analysis.yaml` — CodeQL security scanning + +Language: `typescript`. Schedule: `31 7 * * 3` (Wednesdays 07:31 UTC). Uses `github/codeql-action/init|autobuild|analyze@v4.35.5`. + +### `scorecard.yaml` — OpenSSF Scorecard + +Schedule: `20 7 * * 2` (Tuesdays 07:20 UTC). `branch_protection_rule` + `push` triggers. Publishes results to the public Scorecard dashboard. + +### `dependency-review.yaml` — Dependency review on PRs + +`actions/dependency-review-action@v4.9.0`. Job name `Review Dependencies` (status check name). + +### `copilot-setup-steps.yaml` — GitHub Copilot agent bootstrap + +Limited triggers: only `workflow_dispatch` plus path-filtered `push`/`pull_request` on the file itself. Pre-warms `pnpm install`. 
+ +## Configuration + +### Renovate (`.github/renovate.json5`) + +Extends: +- `github>bfra-me/.github:internal.json5#v4.16.18` — bfra-me org's internal Renovate preset +- `github>sanity-io/renovate-config:semantic-commit-type` — semantic commit type mapping + +Notable rules: +- Pin `bfra-me/renovate-config` (`rangeStrategy: 'pin'`, `updatePinnedDependencies: false`) **except** for major updates (where pin updates are allowed). +- Renovate/Docker package updates (`ghcr.io/renovatebot/renovate`, `renovate`, `renovatebot/github-action`, `renovatebot/renovate`): + - Major → `feat(deps)!:` (breaking) + - Minor → `feat` + - Patch → **disabled** (avoid noise) + - Scheduled to nights/weekends only. +- All majors of the Renovate ecosystem grouped as `Renovate`. +- Custom regex manager updates `https://github.com/renovatebot/renovate/releases/tag/` links in `README.md`. +- Astro 0.x packages automerge minor/patch. +- `postUpgradeTasks`: `pnpm run bootstrap && pnpm run build && pnpm run fix` (execution-mode: branch). +- `platformAutomerge: true`, `rebaseWhen: 'behind-base-branch'`. + +This is a **different** Renovate base preset family than the `marcusrbrown/renovate-config` line: + +| Repo | Base preset | +| --- | --- | +| `bfra-me/renovate-action` (this repo) | `bfra-me/.github:internal.json5#v4.16.18` | +| [[bfra-me--ha-addon-repository]] | `bfra-me/renovate-config#5.2.1` | +| [[marcusrbrown--renovate-config]] (and downstream) | `bfra-me/renovate-config#5.2.1` + Marcus's overrides | +| Most Marcus repos | `marcusrbrown/renovate-config#4.5.x` (which itself extends `bfra-me/renovate-config#5.2.1`) | + +So this repo is the most direct bfra-me-internal consumer; everyone else routes through either `bfra-me/renovate-config` or `marcusrbrown/renovate-config`. + +### Probot Settings (`.github/settings.yml`) + +- Extends `.github:common-settings.yaml` (bare `.github:` prefix → resolves to **`bfra-me/.github`**, not Marcus's `.github`). 
+- Topics, description, squash-merge commit policy. +- Teams: `actioneers` (push), `services` (maintain), `owners` (admin). +- **Branch protection on `main`:** required checks (strict): `Build`, `Check`, `Deploy to GitHub Pages`, `Fro Bot`, `Release`, `Test`, `Setup`, `Renovate / Renovate`, `Analyze`, `CodeQL`, `Review Dependencies`. `enforce_admins: true`, `required_linear_history: true`, no PR review requirement, no push restrictions. +- **Branch protection on `release`:** `enforce_admins: true`, no linear history, no required reviews/checks, no restrictions — the release branch is a fast-forward target only. + +### Path Filters (`.github/filters.yaml`) + +YAML anchors define reusable lists: +- `config` (anchor `&config`): `.github/**`, `pnpm-workspace.yaml`, `*.config.ts`, `**.json5?`, `**.md`, `**.yaml`, `**.yml` +- `dist-changed`: `dist/**` (added/modified only) +- `docs-changed` (anchor `&docs-changed`): `docs/**` +- `src-changed` (anchor `&src-changed`): workflows, docker, all `src/`, `action.yaml`, package manifests, lockfile, tsconfig +- `renovate-changed`: `.github/workflows/renovate.yaml`, `.github/renovate.json5`, `docker/entrypoint.sh`, `action.yaml` — the Renovate-blast-radius set used to suppress the self-test step +- `should-check`: aliased union of `config + docs-changed + src-changed` + +### Tooling + +| Tool | Version | +| --- | --- | +| Node.js | 24.15.0 (`engines.node` in package.json) | +| pnpm | 10.33.4 | +| TypeScript | 6.0.3 | +| ESLint | 10.4.0, extends `@bfra.me/eslint-config@0.51.1` | +| Prettier | 3.8.3, extends `@bfra.me/prettier-config/120-proof` | +| tsup | 8.5.1 (bundler, ESM output, license-aware via `esbuild-plugin-license@1.2.3`) | +| Vitest | 4.1.6 | +| `@actions/core` | 3.0.1 (only runtime dep) | +| semantic-release | 25.0.3 with `@semantic-release/changelog`, `@semantic-release/git`, `semantic-release-export-data`, `conventional-changelog-conventionalcommits@9.3.1` | +| simple-git-hooks + lint-staged | pre-commit runs `pnpm 
run fix` on TS/JS/CSS/MD/JSON/YAML | +| jiti | 2.7.0 (TS config loading) | +| js-yaml | 4.1.1 | + +### Release Pipeline (`.releaserc.yaml`) + +- **Branch:** `release` (separate from `main`; main → release fast-forward in CI). +- **Tag format:** bare semver (`9.90.0`), with a parallel major-version branch (`v9`) for downstream `@v9` pins. +- **Plugins:** commit-analyzer, release-notes-generator, changelog, npm (private package — no publish), git (commits `dist`, `package.json` with `chore(release): [skip ci]`), github, `semantic-release-export-data`. +- **Custom release rules:** `build` → patch, `docs(readme.md)` → patch, `skip` → no release. +- **Preset:** conventionalcommits with extended type map (feat, build, fix, docs, test, ci, style, refactor, perf, revert, chore, skip-hidden). + +## Cross-Ecosystem Notes + +| Aspect | bfra-me/renovate-action | [[marcusrbrown--renovate-config]] | [[bfra-me--ha-addon-repository]] | +| --- | --- | --- | --- | +| Role | **Runner** (executes Renovate) | **Policy** (preset content) | Template (consumes policy + runner) | +| Branching | `main` → `release` → tagged + `v9` branch | `main` → tagged + `v4` branch | `main` only | +| Renovate base preset | `bfra-me/.github:internal.json5#v4.16.18` | `bfra-me/renovate-config#5.2.1` | `bfra-me/renovate-config#5.2.1` | +| Fro Bot agent | v0.44.2 (newest in ecosystem at survey) | v0.42.2 | v0.43.1 | +| Fro Bot pattern | Single workflow with mode dispatch (`fro-bot.yaml` only — no separate autoheal file) | Two-workflow split (`fro-bot.yaml` + `fro-bot-autoheal.yaml`) | Single workflow, two cron schedules | +| Fro Bot single-issue model | `Daily Maintenance Report` + `Daily Autohealing Report` (two perpetual issues) | Same two-issue model | `Daily Autohealing Report` only | +| dist/ artifact in repo | Yes (tsup bundle, drift-verified in CI) | No (JSON-only repo) | No | +| Self-test in CI | Yes (`uses: ./` with dry-run) | n/a | n/a | +| CodeQL + Scorecard | Yes | Yes | No (relies on Renovate 
alerts + autoheal) | + +The **single-workflow-with-mode-dispatch** Fro Bot layout in this repo is notable: instead of separate `fro-bot.yaml` and `fro-bot-autoheal.yaml` files (the pattern in most Marcus repos), this repo collapses both into one workflow with an inline `Determine mode and prompt` step that selects from three inline prompts (review / maintenance / autoheal). This mirrors the [[marcusrbrown--marcusrbrown-github-io]] "single-file three-mode" evolution noted in the index (`agent v0.44.0, v0.44.1 in flight` — this repo is on `v0.44.2`). Worth tracking as a pattern that may consolidate across the ecosystem. + +## Observations + +- **Agent version leadership.** At survey time, this repo is on `fro-bot/agent@v0.44.2` while the rest of the ecosystem ranges from v0.41.x to v0.43.1. The combination of an active maintainer (Marcus), self-test CI, and the new single-workflow layout makes this a likely **canary** for Fro Bot agent updates before they propagate. +- **`zzglobal_config` naming.** The `zz` prefix on the inline base config env var is intentional — it forces the variable to sort last when the GitHub Actions UI alphabetizes env blocks, keeping the (large) JSON payload out of the way visually. Mildly clever; mildly footgun if someone tries to grep for "global_config" expecting one canonical name. +- **Protected-fields enforcement is layered:** `validate_json()` only warns on dangerous fields. The actual enforcement happens in `merge_global_config()`, which restores `allowedCommands` from base after the deep merge. The other "dangerous" fields (`platform`, `gitAuthor`, `gitIgnoredAuthors`, `cacheDir`, `repositoryCache`) are set explicitly in the `env:` block of the Renovate step, so any user-supplied value gets overwritten by `RENOVATE_*` env vars regardless of what made it through the merge. The warning is hygiene; the runtime override is the real guard. 
+- **Docker execution deprecation.** The action ships a `v9 deprecation notice` and an `execution-mode` input that currently only accepts `container`. The plan signaled by README and `action.yaml`: v10 will remove Docker-backed execution. No replacement implementation is present in this branch yet — consumers should expect a non-trivial migration (likely to direct npm-installed Renovate, matching the upstream `renovatebot/github-action` `BINARY_SOURCE=install` env var already set). +- **Analytics features removed in v9 per README, but `docker/entrypoint.sh` still contains `record_docker_metric` / `record_failure` / `/tmp/renovate-analytics` plumbing.** This is dead code from the v8-era analytics dashboard — likely a candidate for an autoheal "stale TODO" finding or a follow-up cleanup PR. Flag this as a possible README-vs-code contradiction to verify before relying on either claim. +- **`gitIgnoredAuthors` list** includes `109017866+fro-bot[bot]@users.noreply.github.com` — Fro Bot's commits are explicitly ignored by Renovate so the bot's autoheal commits don't accidentally seed Renovate's "rebased by user" detection logic. +- **`mount-docker-socket: true` + `docker-user: root`** — Renovate's container needs root to install package managers at runtime and the mounted socket to spawn sibling containers when probing Docker-based managers. Sound for self-hosted use; would be unsafe in a multi-tenant runner. +- **CI status-check surface is large** (11 required contexts including `Setup`, `Check`, `Test`, `Build`, `Release`, `Deploy to GitHub Pages`, `Renovate / Renovate`, `Fro Bot`, `Analyze`, `CodeQL`, `Review Dependencies`). The `Setup` job emits all five `should-*` outputs and gates everything else, so most PRs skip most jobs while still satisfying the protection contract. +- **No `marcusrbrown--renovate-config` consumer relationship.** This action does **not** itself extend the Marcus presets. 
The consumption flow is one-way: Marcus's presets reference `bfra-me/renovate-config`, and Marcus's repos consume **either** preset family; this action is independent infrastructure. + +## Survey History + +| Date | SHA | Notes | +| --- | --- | --- | +| 2026-05-20 | `bc9c4591` | Initial survey. Fro Bot agent v0.44.2, eight workflows (CI/CD + 5 security/agent), single-workflow three-mode Fro Bot pattern. Renovate v43.186.2 pinned. v9.90.0 latest release. Docker execution flagged for v10 removal. Dead analytics code observed in `docker/entrypoint.sh` despite v9 README claim of "analytics features removed." | diff --git a/knowledge/wiki/repos/bfra-me--works.md b/knowledge/wiki/repos/bfra-me--works.md new file mode 100644 index 000000000..4b9450664 --- /dev/null +++ b/knowledge/wiki/repos/bfra-me--works.md 
@@ -0,0 +1,474 @@ +--- +type: repo +title: bfra-me/works +created: 2026-05-20 +updated: 2026-05-31 +sources: + - url: https://github.com/bfra-me/works + sha: ef14b26085dab318fffad1b6c3062292f8ae60b8 + accessed: 2026-05-20 + - url: https://github.com/bfra-me/works + sha: cd4a52d7d9ad59c8770784d9411d688e9a7d50db + accessed: 2026-05-31 +tags: + [ + bfra-me, + monorepo, + pnpm, + typescript, + eslint-config, + prettier-config, + tsconfig, + semantic-release, + changesets, + astro-starlight, + cli, + workspace-analyzer, + fro-bot, + ] +related: + - bfra-me--github + - bfra-me--ha-addon-repository + - fro-bot--agent + - marcusrbrown--renovate-config + - github-actions-ci + - probot-settings +--- + +# bfra-me/works + +The `@bfra-me` tooling monorepo. Nine published packages (8 in +`packages/*` plus the `docs` site) that ship the shared ESLint, Prettier, +and TypeScript configs, ES utility runtime, project-scaffolding CLI, +documentation sync engine, semantic-release presets, badge generator, +and a workspace static analyzer — all consumed by the rest of the +`@bfra-me` and `marcusrbrown` ecosystem. + +This is the _source_ of the `@bfra.me/*` configs that show up as +devDependencies across the wider Fro Bot ecosystem. Where +[[bfra-me--github]] is the **org control plane** (workflows, settings, +automation actions), `bfra-me/works` is the **shared library plane**. 
+ +## Identity + +- **Owner:** bfra-me (org) +- **Visibility:** public +- **License:** MIT +- **Default branch:** `main` +- **Created:** 2020-10-27 +- **Last push:** 2026-05-31 +- **Topics:** `bfra-me`, `works`, `components`, `semantic-release`, `tools`, `tsconfig` +- **Stars:** 3 +- **Open issues / PRs:** 38 / 2 (2026-05-31) +- **Latest release:** `@bfra.me/workspace-analyzer@0.2.8` (2026-05-16) — unchanged +- **Primary language:** TypeScript (~99%) +- **Node:** 24.15.0 (`.node-version`) — packages target ES2022+/Node 20+ +- **Package manager:** pnpm 10.34.1 (was 10.33.4 on 2026-05-20) +- **TypeScript:** 6.0.3, strict (`noUncheckedIndexedAccess`) +- **Root package:** `@bfra.me/works` v0.0.0-development (private) + +## Layout + +``` +. +├── .ai/ # Agent context fixtures +├── .changeset/ # Changesets state +├── .github/ +│ ├── actions/ +│ │ └── pnpm-install/ # Local composite action (used by every workflow) +│ ├── instructions/ # AI-consumed dev guides +│ ├── prompts/ # Reusable prompt templates +│ ├── workflows/ # 11 workflows (.yaml) + 1 docs file (.md) +│ ├── CODEOWNERS +│ ├── filters.yaml +│ ├── renovate.json5 +│ └── settings.yml +├── .husky/ # Git hooks (lint-staged on commit) +├── .vscode/ +├── docs/ # Astro Starlight documentation site +├── packages/ +│ ├── badge-config/ # Shields.io URL generator +│ ├── create/ # `create` CLI (templates + optional AI) +│ ├── doc-sync/ # Astro docs sync engine + CLI +│ ├── es/ # Result/async/functional/types/etc. 
+│ ├── eslint-config/ # @bfra.me/eslint-config +│ ├── prettier-config/ # 80/100/120-proof variants + semi +│ ├── semantic-release/ # SR shareable config + plugins +│ ├── tsconfig/ # Library/app strict TS configs +│ └── workspace-analyzer/ # Static-analysis CLI + JSON output +├── scripts/ # tsx workspace utilities +├── AGENTS.md # Agent-focused conventions +├── CLAUDE.md +├── CONTRIBUTING.md +├── PERFORMANCE.md +├── eslint.config.ts +├── llms.txt +├── package.json # @bfra.me/works (private root) +├── pnpm-workspace.yaml +├── tsconfig.json / tsconfig.eslint.json +├── tsup.dts.ts # Shared tsup .d.ts helper +├── type-coverage.json +├── vitest.config.ts +└── workspace-analyzer.config.ts +``` + +## Workspace + +- 11 workspace entries: root, `docs`, `scripts`, plus 8 `packages/*` +- `autoInstallPeers: true`, `shamefullyHoist: true`, + `strictPeerDependencies: true`, `savePrefix: ''`, + `shellEmulator: true` +- `onlyBuiltDependencies`: `esbuild`, `msw`, `sharp`, `unrs-resolver` +- Overrides: `fast-uri >=3.1.2`; `handlebars` pinned `^4.7.9`; + `lodash ^4.17.23`; `picomatch` patches; `read-pkg-up^11` redirected to + `read-package-up`; `undici` ranges forced to safe minimums (`^6.24.0`, + `^7.24.0`) +- `packageExtensions` extend ESLint plugin peer ranges to ESLint 10 +- `peerDependencyRules.allowedVersions` carries the TypeScript 6.0 + transition for the eslint-react family, type-coverage, tsconfck, and + Astro check +- `manypkg.workspaceProtocol: require` — internal deps must use + `workspace:` protocol +- Vitest resolves workspace packages to TypeScript source via + `conditions: ['source']` (no pre-build required for testing) + +## Published Packages + +| Package | Version | Bin | Notes | +| ----------------------------- | -------- | -------------------- | ------------------------------------------------------- | +| `@bfra.me/badge-config` | 0.2.0 | — | Shields.io badge URL generator with preset generators | +| `@bfra.me/create` | 0.7.14 | `create` | Project-scaffold CLI; 
optional OpenAI/Anthropic enhance | +| `@bfra.me/doc-sync` | 0.1.9 | `doc-sync` | Astro Starlight docs sync; subpath exports per layer | +| `@bfra.me/es` | 0.1.0 | — | ES utilities; subpath exports: async/env/error/functional/module/result/types/validation/watcher | +| `@bfra.me/eslint-config` | 0.51.1 | — | Shared ESLint config (TS/Prettier/Vitest) | +| `@bfra.me/prettier-config` | 0.16.9 | — | Variants: `80-proof`, `100-proof`, `120-proof`, `semi`, `default`, `define-config` | +| `@bfra.me/semantic-release` | 0.3.7 | — | Semantic-release shareable config + plugins | +| `@bfra.me/tsconfig` | 0.13.1 | — | tsconfig presets for libs and apps | +| `@bfra.me/workspace-analyzer` | 0.2.8 | `workspace-analyzer` | Latest release (2026-05-16); CLI + JSON output for CI | + +All packages ship to `lib/` via tsup, **except** `@bfra.me/create` +which builds to `dist/`. Root exports two helper modules +(`./eslint.config`, `./tsup.dts`) for downstream consumption. + +## Workflows (11 + 1 doc) + +``` +cache-cleanup.yaml codeql-analysis.yaml dependency-review.yaml +docs-sync.yaml docs.yaml fro-bot.yaml +fro-bot-dispatch-examples.md (documentation, not a workflow) +main.yaml release.yaml renovate-changeset.yaml +renovate.yaml scorecard.yaml update-repo-settings.yaml +``` + +Surface area: + +- **`main.yaml`** — primary CI: `Prepare → {Lint+type-coverage, Test, + Build, Workspace Analysis} → CI`. Workspace Analysis runs + `pnpm analyze` and uploads `workspace-analysis.json` (7-day retention, + `continue-on-error: true`). The `CI` job is the branch-protection + status check that depends on the four parallel jobs. +- **`release.yaml`** — Changesets-driven release. Triggers on + `workflow_run` after `Main` succeeds on `main`, weekly Sunday + `0 18 * * 0`, and `workflow_dispatch` with a `force-release` toggle. + Uses a `bfra-me[bot]` GitHub App token for elevated permissions when + invoked from schedule/`workflow_run`. 
+- **`fro-bot.yaml`** — full Fro Bot persona (see Fro Bot Integration + below). +- **`docs.yaml`** — builds the Astro Starlight site and deploys to + GitHub Pages (uses `actions/upload-pages-artifact@v5` and + `concurrency: pages`). Public commit hash injected as + `PUBLIC_COMMIT_HASH` for the Starlight footer. +- **`docs-sync.yaml`** — path-filtered automation for + `@bfra.me/doc-sync`: re-syncs `docs/src/content/docs/packages/*.mdx` + when package READMEs, sources, or `package.json` files change. Has a + `dry-run` dispatch input. +- **`renovate.yaml`** — calls reusable + `bfra-me/.github/.github/workflows/renovate.yaml@v4.16.21` (bumped + from `v4.16.18` on 2026-05-20) after the Release workflow succeeds, + with `log-level` and `print-config` dispatch inputs. +- **`renovate-changeset.yaml`** — auto-generates changesets for + `bfra-me[bot]` / `renovate[bot]` PRs. Triggers on `merge_group`, + `pull_request_target`, and `workflow_dispatch`. Uses + `dorny/paths-filter` and a GitHub App token. +- **`update-repo-settings.yaml`** — calls reusable + `bfra-me/.github/.github/workflows/update-repo-settings.yaml@v4.16.0`. + Push to main, daily `02 18 * * *`, and dispatch. +- **`cache-cleanup.yaml`** — deletes workflow caches for the closing PR + ref (and Sunday `0 0 * * 0` housekeeping). Permissions narrowed to + `actions: write`. +- **`codeql-analysis.yaml`, `dependency-review.yaml`, `scorecard.yaml`** + — security posture. +- **`fro-bot-dispatch-examples.md`** — sibling Markdown doc next to the + workflow files documenting `workflow_dispatch` invocations. + +Every workflow consumes the local `.github/actions/pnpm-install` +composite action for dependency hydration, which centralizes Node + pnpm +setup and cache restoration. + +## Fro Bot Integration + +`bfra-me/works` runs a **single-file three-mode Fro Bot** at +`fro-bot/agent@54ee8140 # v0.47.0` (as of 2026-05-31) — parity with +[[bfra-me--github]], ahead of most other ecosystem repos. 
The pin +advanced v0.44.2 → v0.46.1 (#3503) → v0.47.0 (#3510) in a single day +on 2026-05-30, alongside PR #3491 ("Fix Fro Bot mode/prompt +resolution for dispatch and reusable runs") which patched the inline +shell mode resolution for `workflow_dispatch` and `workflow_call` +paths. + +### Triggers + +- `issue_comment`, `pull_request_review_comment`, `discussion_comment` + on `@fro-bot` mentions from `OWNER`/`MEMBER`/`COLLABORATOR` +- `issues` opened/edited, `pull_request` opened/synchronize/reopened/ + ready_for_review/review_requested (skipped for bot authors and forks) +- Two crons: **`0 16 * * *`** (maintenance) and **`30 3 * * *`** + (autoheal) +- `workflow_dispatch` with `mode` choice + (`review`/`maintenance`/`autoheal`, default `autoheal`) and an + optional `prompt` override +- `workflow_call` with a required `prompt` input for reusable + invocation + +Concurrency keyed off issue/PR/discussion/schedule/run_id with +`cancel-in-progress: false` (autoheal must complete cleanly). The +`if:` guard explicitly filters out bot authors, forks, and the +`fro-bot` account itself. + +### Mode resolution (inline shell) + +```text +schedule "30 3" → autoheal +schedule other → maintenance +workflow_dispatch → autoheal (unless mode chosen) +pull_request → review +otherwise → custom prompt input +``` + +### `PR_REVIEW_PROMPT` + +TypeScript-monorepo-specific. 
Enforces: + +- No `as any`, `@ts-ignore`, or `@ts-expect-error` suppression +- `Result` (from `@bfra.me/es/result`) instead of throwing +- Explicit named exports only — no `export *` in application code +- Breaking-change awareness for subpath exports, entrypoints, types +- Monorepo integrity: dep boundaries, build order impact, cross-package + version alignment +- Test coverage for happy path, errors, boundaries (with explicit + rationale when tests aren't needed) +- Verdict format: `PASS | CONDITIONAL | REJECT` with `Blocking issues + / Non-blocking concerns / Missing tests / Risk assessment + (LOW/MED/HIGH)` headings — every heading must be emitted (use + "None") and formatting/lint nits are explicitly out of scope + +### `MAINTENANCE_PROMPT` — "Daily Maintenance Report" + +Maintains exactly **one** open rolling issue titled `Daily Maintenance +Report`. Behavior: + +- Search by exact title; if multiple matches, use the most recently + updated; if the most recent is closed, reopen it rather than create + a new one +- After selecting the canonical issue, close any other open + `Daily Maintenance Report` issues with a brief consolidation comment +- Append a new `## YYYY-MM-DD (UTC)` section per run +- After 14 days, collapse older dated sections into a single + `## Historical Summary` (updated in place — never duplicate it) +- Flag first-time stale items with a `★` marker +- Sections: Summary metrics → Stale issues (>30d) → Stale PRs (>7d + stale, >14d aged) → Unassigned bugs → Recommended actions → Notes +- Hard rule: no per-issue/PR comments or label changes; one issue + update per run + +### `AUTOHEAL_PROMPT` — "Daily Autohealing Report" + +Five-category sweep, executed serially with deduplication against +existing bot-authored items: + +1. **ERRORED PRs** — fix failing CI on trusted-author PRs + (`renovate[bot]`, `dependabot[bot]`, `fro-bot`, write-access humans). + Skip PRs that touch workflows, automation prompts, pnpm/lockfile, or + exec scripts. 
Run `pnpm validate` to confirm fixes locally before + pushing. +2. **SECURITY** — repair existing security update PRs or open new ones + for critical/high advisories. Renovate owns routine bumps; Fro Bot + only touches versions for confirmed security advisories. Skip with + "security alerts unavailable" if data is missing. +3. **CODE QUALITY & REPO HYGIENE** — primarily report-only: + `pnpm build` and `pnpm type-coverage` health, stale TODO/FIXME/HACK + scan (>90 days via git blame), convention drift (no barrel exports + outside `src/index.ts`, no `require()`, no `any`, named exports + only), `AGENTS.md` drift, `pnpm analyze` regressions. +4. **DEVELOPER EXPERIENCE** — `pnpm lint`/`pnpm type-check` auto-fix + PRs only (never direct push to default branch). Group related fixes + into a single `chore(lint): apply auto-fixes from autohealing run` + PR. +5. **PROGRESSIVE IMPROVEMENT** — report-only: tool-version gaps (>1 + minor behind), CI pipeline health, `package.json` analytics + correctness, cross-project pattern check against + [[bfra-me--github]], AGENTS.md convention drift. + +Hard boundaries: + +- Never force-push, rewrite history, delete branches, push directly to + default, merge PRs, submit reviews, close/reopen issues/PRs, modify + branch protection or secrets/org settings +- Never make checks pass by disabling tests, deleting assertions, + lowering coverage budgets, weakening lint/type rules, or editing + workflows/configs purely to suppress failures +- Output: **exactly one** issue titled `Daily Autohealing Report` with + a structured table-driven body (Summary / Errored PRs / Security / + Code Quality & Repo Hygiene / Developer Experience / Progressive + Improvement / Needs Human Attention) + +The single-issue rolling-update pattern matches +[[bfra-me--ha-addon-repository]] (which uses the same `Daily +Autohealing Report` convention) and diverges from sibling repos that +create a new report per cycle. 
+ +### Schedule alignment + +- Maintenance cron `0 16 * * *` = 16:00 UTC +- Autoheal cron `30 3 * * *` = 03:30 UTC +- Distinct from [[bfra-me--github]] which runs org-wide autoheal + weekdays at `0 5 * * 1-5` and from [[bfra-me--ha-addon-repository]]'s + 15:30 UTC autoheal + +## Probot Settings + +- `.github/settings.yml` `_extends: .github:common-settings.yaml` + — resolves to the **bfra-me org** `.github` repo template + (consistent with sibling [[bfra-me--ha-addon-repository]], unlike the + `marcusrbrown/*` repos that extend `fro-bot/.github`) +- Repo-level overrides: name `works`, description + `@bfra-me tools and components`, topics `works, bfra-me, tools, + components, tsconfig, semantic-release` +- Branch protection (`main`): 12 required status checks — `Analyze`, + `Build`, `CI`, `CodeQL`, `Create Renovate Changeset`, `Fro Bot`, + `Lint`, `Prepare`, `Renovate / Renovate`, `Review Dependencies`, + `Test`, `Workspace Analysis`; `strict: false`, + `enforce_admins: true`, `required_linear_history: true`, + `required_pull_request_reviews: null` (no human reviewers required + — governance leans on status checks, same posture as + [[bfra-me--github]]) + +## Renovate + +- `.github/renovate.json5` extends: + - `github>bfra-me/.github:internal.json5#v4.16.21` (org baseline; was + `#v4.16.18` on 2026-05-20) + - `github>sanity-io/renovate-config:semantic-commit-type` + - `security:minimumReleaseAgeNpm` +- `addLabels: ['{{{parentDir}}}']` auto-labels by directory (clean + signal in a monorepo) +- `ignorePaths`: `**/dist/**`, `**/node_modules/**`, `**/test/**`, + `packages/create/**/templates/**` (template fixtures aren't real + deps) +- Notable package rules: + - `@anthropic-ai/sdk` 0.x minor → automerge + (`dependencyDashboardApproval: false`) + - `bfra-me/renovate-config` GitHub tags pinned by SemVer, with + `updatePinnedDependencies: true` only on major + - `fetch-mock` capped `<12.0.0` + - `@swc/**` scheduled every two weeks on Sunday + - Mise manager disabled 
(mirrors [[bfra-me--github]] workaround) +- `patch.automerge: true`, `platformAutomerge: false`, + `internalChecksFilter: 'flexible'` +- Post-upgrade tasks: `pnpm bootstrap`, `pnpm build`, `pnpm fix` +- Note: this repo extends `bfra-me/.github:internal.json5` directly, + while the wiki's [[marcusrbrown--renovate-config]] is Marcus's + parallel preset family. The two are organizationally distinct. + +## Conventions (from AGENTS.md) + +- TypeScript strict mode, `noUncheckedIndexedAccess`, no `any`, no + `@ts-ignore`, no `@ts-expect-error` +- Pure ESM only (no `require()`, no `module.exports`) +- Explicit named exports; `export *` only inside `src/index.ts` barrel +- `Result` from `@bfra.me/es/result` for expected errors — + **never throw** +- Build output: `lib/` (tsup), `dist/` only for `@bfra.me/create` +- Tests in `packages/*/test/**/*.test.ts`; Vitest with + `it.concurrent` and `expect.soft` where applicable; file snapshots + via `toMatchFileSnapshot` +- Changesets required for publishable changes; patch/minor/major + semantics with explicit rationale on majors +- Build order matters: `tsconfig` → `prettier-config` → + `eslint-config` → all others (handled automatically by streaming + `pnpm -r build`) +- Lint-staged on commit (husky); workflow files use `.yaml` (not + `.yml`) +- Workspace dependency protocol: `manypkg.workspaceProtocol: require` + +## Build, Test, Release + +```bash +pnpm bootstrap # Install (prefer-offline) +pnpm validate # (type-check + lint + test) parallel → build → type-coverage +pnpm build # Streamed per-package + publint +pnpm test # Vitest run +pnpm dev / pnpm watch # Parallel watch / build --watch +pnpm lint / pnpm fix # manypkg check + ESLint (+ --fix) +pnpm type-check # tsc --noEmit +pnpm type-coverage # type-coverage threshold check +pnpm analyze # workspace-analyzer CLI +pnpm inspect-eslint-config # ESLint config inspector +pnpm clean # rimraf node_modules/lib/.turbo/tsbuildinfo +``` + +Release pipeline: + +- `pnpm changeset` to 
create a changeset +- `pnpm version-changesets` → `clean-changesets` → `changeset version` + → `pnpm bootstrap --no-frozen-lockfile` → `pnpm build` → docs + version sync +- `pnpm publish-changesets` → `changeset publish` +- Driven by `release.yaml` on `workflow_run` after Main succeeds, with + weekly Sunday schedule and dispatchable force-release toggle + +## Cross-Repo Relationships + +- **[[bfra-me--github]]** — the org control plane. Provides the + reusable workflows this repo calls (`renovate.yaml@v4.16.21` as of + 2026-05-31, `update-repo-settings.yaml@v4.16.0`), the + `internal.json5` Renovate baseline, and the `common-settings.yaml` + Probot template. `bfra-me/works` is currently leading the agent pin + at `v0.47.0`; sibling repos should be re-surveyed to confirm whether + the org control plane and HA add-on template have followed. +- **[[bfra-me--ha-addon-repository]]** — sibling `bfra-me` org repo. + Shares the `Daily Autohealing Report` single-issue rolling-update + convention, and also extends `.github:common-settings.yaml`. +- **[[fro-bot--agent]]** — this repo runs `v0.44.2`, at the leading + edge. +- **[[marcusrbrown--renovate-config]]** — parallel Renovate preset + family in the `marcusrbrown/*` ecosystem; `bfra-me/works` extends + the `bfra-me/.github:internal.json5` baseline instead. +- **Downstream consumers** — `@bfra.me/eslint-config`, + `@bfra.me/prettier-config`, `@bfra.me/tsconfig`, `@bfra.me/es`, + `@bfra.me/semantic-release`, and `@bfra.me/workspace-analyzer` are + referenced by name across the wider Fro Bot ecosystem. Surveys of + downstream repos should cross-link back here when those packages + surface as devDependencies. + +## Open Questions / Follow-Ups + +- The `docs` package uses Astro Starlight; its quality infrastructure + (MDX lint, content tests, version-badge sync) is sophisticated + enough to warrant a future `astro-starlight` topic page if a second + ecosystem repo adopts the same pattern. 
+- `@bfra.me/workspace-analyzer` is the only published static-analysis + tool in the ecosystem and runs as a non-blocking CI job here. Worth + tracking adoption elsewhere — if [[bfra-me--github]] or sibling + repos start invoking it, a dedicated tool page is justified. +- The Probot settings landscape now has the `bfra-me/works` row added + to the `bfra-me/.github:common-settings.yaml` consumer list. See the + [[probot-settings]] follow-up about reconciling `bfra-me` and + `fro-bot` org templates. + +## Survey History + +| Date | SHA | Notes | +| ---------- | --------- | ---------------------------------------------------------------------------------------------- | +| 2026-05-20 | `ef14b26` | Initial survey. `fro-bot/agent@v0.44.2`, 11 workflows, 8 published packages + docs site, manypkg-enforced workspace protocol. | +| 2026-05-31 | `cd4a52d` | Re-survey. `fro-bot/agent` v0.44.2 → v0.47.0 (via v0.46.1, same day 2026-05-30). PR #3491 patched dispatch/reusable-call mode resolution in the inline shell. `bfra-me/.github` reusable workflows + `internal.json5` baseline v4.16.18 → v4.16.21. pnpm 10.33.4 → 10.34.1. Published package versions unchanged. Workflow inventory, package layout, Probot settings, branch protection, build/release pipeline all identical. Open PRs 1 → 2. | diff --git a/knowledge/wiki/repos/fro-bot--agent.md b/knowledge/wiki/repos/fro-bot--agent.md index d88c169c2..d807a9811 100644 --- a/knowledge/wiki/repos/fro-bot--agent.md +++ b/knowledge/wiki/repos/fro-bot--agent.md 
@@ -2,15 +2,18 @@ type: repo title: "fro-bot/agent" created: 2026-05-07 -updated: 2026-05-08 +updated: 2026-05-22 sources: + - url: https://github.com/fro-bot/agent + sha: 8632cf4706b10f7350284c3f0480dd620f2a30b7 + accessed: 2026-05-22 - url: https://github.com/fro-bot/agent sha: ef6b9525583d13f9443b80e6ceffff8af978410a accessed: 2026-05-08 - url: https://github.com/fro-bot/agent sha: ef6b9525583d13f9443b80e6ceffff8af978410a accessed: 2026-05-07 -tags: [github-actions, agent, opencode, omo, typescript, persistent-memory, ci-cd, fro-bot, semantic-release, pnpm-workspace, monorepo] +tags: [github-actions, agent, opencode, omo, typescript, persistent-memory, ci-cd, fro-bot, semantic-release, pnpm-workspace, monorepo, discord, effect, docker-compose, mitmproxy] related: - marcusrbrown--systematic - marcusrbrown--opencode-copilot-delegate 
@@ -34,34 +37,37 @@ GitHub Action harness for [OpenCode](https://opencode.ai/) + [Oh My OpenAgent (o | Attribute | Value | | ---------------------- | ------------------------------------------------------------------- | | Created | 2026-01-02 | -| Last push | 2026-05-07 | -| Latest release | v0.42.8 (2026-05-06) | +| Last push | 2026-05-20 (survey 2026-05-22) | +| Latest release | v0.44.3 (2026-05-20) | | Language | TypeScript (strict, ESM-only) | -| License | MIT | -| Node.js | 24 (pinned in `.node-version`) | -| Package manager | pnpm 10.33.2 | +| Node.js | 24.15.0 (pinned in `.node-version`) | +| Package manager | pnpm 10.33.4 | | Runtime | `node24` (GitHub Action `runs.using`) | | Bundler | tsdown (Rolldown-based, dual entry points) | -| Test framework | Vitest 4.1.5 | -| Lint | ESLint 10.2.1 (`@bfra.me/eslint-config`), Prettier 3.8.3 | +| Test framework | Vitest 4.1.6 (was 4.1.5 @ v0.42.8) | +| Lint | ESLint 10.3.0 (`@bfra.me/eslint-config` 0.51.0), Prettier 3.8.3 | | TypeScript | 6.0.3 | | Release | semantic-release on `release` branch, `next` → `release` PR model | | Visibility | Public | -| Stars | 0 | -| Open issues | 7 | +| Stars | 1 (was 0 @ 2026-05-08) | +| Open issues | 2 (was 7 @ 2026-05-08 — significant triage activity) | +| Open PRs | 5 | | Topics | actions, agent, automation, bot, fro-bot, github-actions, github-app | ## Architecture ### Workspace Layout -pnpm workspace monorepo with two workspace members: +pnpm workspace monorepo. As of 2026-05-22 the workspace has **three members** (gateway added between v0.42.8 and v0.44.3): - **`apps/action`** (`@fro-bot/action`) — The GitHub Action entry points. Private, no publish. Depends on `@fro-bot/runtime`. -- **`packages/runtime`** (`@fro-bot/runtime`) — Shared runtime library. Private, exports source-level TS (no pre-built dist; consumed via workspace protocol). +- **`packages/runtime`** (`@fro-bot/runtime`) — Shared runtime library. 
Private, exports source-level TS (no pre-built dist; consumed via workspace protocol). Hand-rolled `Result` from `@bfra.me/es` is the error convention here. +- **`packages/gateway`** (`@fro-bot/gateway`) — **New 2026-05-22.** Long-running Discord-first daemon. Wraps `@fro-bot/runtime` with `effect` 3.21.2 as the composition layer. Depends on `discord.js` 14.26.4. Builds to `packages/gateway/dist/` via `tsdown`. Root `tsdown.config.ts` bundles `apps/action/src/main.ts` and `apps/action/src/post.ts` into `dist/main.js` and `dist/post.js`. The `dist/` directory is **committed** (GitHub Action requirement — no build step at consumption time). +The gateway has its own `dist/` not committed at root — it's a runtime daemon shipped via the Docker stack in `deploy/`, not consumed as an action. + ### Layered Source Structure The codebase follows a strict four-layer dependency hierarchy (~145 source files, ~15k lines): 
@@ -73,7 +79,9 @@ The codebase follows a strict four-layer dependency hierarchy (~145 source files | 2 | `src/features/` | Business logic: agent execution, triggers/routing, comments, reviews, attachments, delegated branch/PR ops, observability | | 3 | `src/harness/` | Workflow composition: entry points, phase orchestration, config parsing | -**Note (2026-05-08):** The AGENTS.md lists `object-store/` in Layer 1 services, but the actual directory listing shows `artifact/` instead (containing `upload.ts`, `upload.test.ts`, `index.ts`). The S3-compatible object-store functionality may have been refactored or the AGENTS.md is stale relative to the current directory structure. S3 backup configuration remains in the action inputs, so the capability likely moved elsewhere (possibly into `services/session/` or `services/cache/`). +**Note (2026-05-08):** The AGENTS.md listed `object-store/` in Layer 1 services, but the actual directory listing showed `artifact/` instead (containing `upload.ts`, `upload.test.ts`, `index.ts`). The S3-compatible object-store functionality may have been refactored or the AGENTS.md was stale relative to the current directory structure. S3 backup configuration remains in the action inputs, so the capability likely moved elsewhere (possibly into `services/session/` or `services/cache/`). + +**Update (2026-05-22):** `src/services/` confirms the new layout: `artifact/`, `cache/`, `github/`, `session/`, `setup/` — `object-store/` is gone from the action's src tree. The S3 object-store functionality appears to have migrated either into the gateway/runtime split (`@fro-bot/runtime` is the dependency the gateway uses for `S3 sync helpers`, per `packages/gateway/AGENTS.md`) or been folded into session/cache write-through. The action's AGENTS.md (dated 2026-03-29, commit `045cac8`) is now stale relative to this layout. Entry points (`src/main.ts`, `src/post.ts`) are thin delegates to `src/harness/run.ts` and `src/harness/post.ts`. 
@@ -101,7 +109,8 @@ Entry points (`src/main.ts`, `src/post.ts`) are thin delegates to `src/harness/r | `auth-json` | (required) | JSON map of LLM provider credentials | | `prompt` | — | Custom prompt for the agent | | `output-mode` | `auto` | Delivery mode: `auto`, `working-dir`, `branch-pr` | -| `agent` | `sisyphus` | Primary agent name | +| `agent` | (unset) | Primary agent name (defaults to OpenCode build agent if unset; was `sisyphus` @ v0.42.x) | +| `enable-omo` | `false` | Opt-in to Oh My OpenAgent for extended providers/agents (**new — oMo is no longer auto-installed**) | | `model` | — | Model override (`provider/model` format) | | `timeout` | `1800000` | Execution timeout in ms (0 = no limit) | | `session-retention` | `50` | Sessions to retain before pruning | 
@@ -120,6 +129,44 @@ Entry points (`src/main.ts`, `src/post.ts`) are thin delegates to `src/harness/r | `cache-status` | Cache restore status (`hit`/`miss`/`corrupted`) | | `duration` | Run duration in seconds | +## Discord Gateway (new 2026-05-22) + +`packages/gateway` is a Discord-first daemon — the "Category B" feature long planned in `FEATURES.md` has shipped as runnable code. + +| Aspect | Detail | +| ------------------- | -------------------------------------------------------------------------------------------- | +| Entry point | `packages/gateway/src/main.ts` — wires Discord client, registers slash commands, SIGTERM | +| Composition layer | `effect` 3.21.2 — `Effect.Effect` everywhere outside the runtime adapter | +| Runtime adapter | `packages/gateway/src/runtime-effect.ts` — sole `Result<>` → `Effect` boundary | +| Discord library | `discord.js` 14.26.4 with non-privileged intents (`Guilds`, `GuildMessages`) by default | +| Privileged intents | Opt-in via `DISCORD_PRIVILEGED_INTENTS` env var | +| Secret loading | `readSecret(name)` checks `${NAME}_FILE` first (Docker secrets), falls back to env var | +| Lifecycle | Long-running; SIGTERM handler with 25s drain | + +### Effect / Result Boundary + +The gateway is the **only** package using `effect`. The action runner (cold-start sensitive) and the runtime stay on hand-rolled `Result`. Subagents adding a runtime call must add the wrapper to `runtime-effect.ts` first, never import `@fro-bot/runtime` directly outside the adapter. + +Wrapped runtime functions: `acquireLock`, `releaseLock`, `renewLease`, `forceReleaseLock`, `createRun`, `transitionRun`, `findStaleRuns`, `validateProviderSemantics`, plus S3 sync helpers. This implies the runtime now owns durable lock, run-state, and S3 primitives that were previously scattered (or planned) — these were likely the migration target for `services/object-store/`. 
+ +Effect surface used at Unit 4: core (`Effect`, `pipe`, `tryPromise`, `flatMap`, `gen`, `runPromise`, `try`, `succeed`, `fail`, `either`, `void`, `catchAll`). Planned for later units: `Schedule.*` (retry), `Schema.*` (payload validation). DI / Layer / Context / STM / Streams deliberately not used at v1. + +## Deployment Stack (`deploy/`, new 2026-05-22) + +Docker Compose v2 stack for running the gateway daemon outside CI: + +| Service | Role | +| ----------- | --------------------------------------------------------------------------------- | +| `gateway` | Discord gateway daemon — slash commands and mentions (`gateway.Dockerfile`) | +| `workspace` | Workspace agent container (placeholder in v1; real agent wired in Unit 7) | +| `mitmproxy` | Egress proxy enforcing an allowlist of permitted outbound hosts | + +Stack files: `deploy/compose.yaml`, `deploy/compose.override.example.yaml`, `deploy/gateway.Dockerfile`, `deploy/workspace.Dockerfile`, `deploy/init-certs.sh`, `deploy/validate-stack.sh`, `deploy/mitmproxy/`. + +Secrets are file-based (`deploy/secrets/*`, 0600 permissions). Required: `discord-token`, `discord-application-id`, `s3-bucket`, `s3-region`. Optional: `s3-endpoint`, `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` (pair contract — both or neither; falls back to SDK default credential chain), `AWS_SESSION_TOKEN`. + +mitmproxy is configured to fail closed by default; `OBJECT_STORE_HOSTS` is the allowlist knob for S3 egress. + ## Supported Event Triggers | Event | `@mention` | Prompt source | Concurrency key | 
@@ -183,18 +230,23 @@ The repo runs its own Fro Bot agent (self-referencing `./` in CI, `fro-bot/agent ## Dependency Highlights -| Package | Version | Purpose | -| --------------------- | ------------ | ------------------------------------ | -| `@actions/cache` | 6.0.0 | GitHub Actions cache operations | -| `@actions/core` | 3.0.1 | Action I/O, logging, state | -| `@actions/github` | 9.1.1 | Octokit + GitHub context | -| `@aws-sdk/client-s3` | 3.1040.0 | S3-compatible object storage | -| `@opencode-ai/sdk` | 1.14.30 | OpenCode execution | -| `@octokit/auth-app` | 8.2.0 | GitHub App authentication | -| `@bfra.me/es` | 0.1.0 | Shared ES utilities | -| `tsdown` | 0.21.10 | Rolldown-based bundler | -| `semantic-release` | 25.0.3 | Automated versioning/publishing | -| `simple-git-hooks` | 2.13.1 | Pre-commit (lint-staged), pre-push | +| Package | Version (2026-05-22) | Was @ v0.42.8 | Purpose | +| --------------------- | -------------------- | ------------- | ------------------------------------ | +| `@actions/artifact` | 6.2.1 | — | Artifact upload (root dep now) | +| `@actions/cache` | 6.0.0 | 6.0.0 | GitHub Actions cache operations | +| `@actions/core` | 3.0.1 | 3.0.1 | Action I/O, logging, state | +| `@actions/exec` | 3.0.0 | — | Subprocess execution | +| `@actions/github` | 9.1.1 | 9.1.1 | Octokit + GitHub context | +| `@actions/tool-cache` | 4.0.0 | — | Tool caching for setup phase | +| `@aws-sdk/client-s3` | 3.1045.0 | 3.1040.0 | S3-compatible object storage | +| `@opencode-ai/sdk` | 1.14.41 | 1.14.30 | OpenCode execution | +| `@octokit/auth-app` | 8.2.0 | 8.2.0 | GitHub App authentication | +| `@bfra.me/es` | 0.1.0 | 0.1.0 | Shared ES utilities | +| `discord.js` | 14.26.4 | — | Gateway Discord client (gateway pkg) | +| `effect` | 3.21.2 | — | Gateway composition layer | +| `tsdown` | 0.22.0 | 0.21.10 | Rolldown-based bundler | +| `semantic-release` | 25.0.3 | 25.0.3 | Automated versioning/publishing | +| `simple-git-hooks` | 2.13.1 | 2.13.1 | Pre-commit 
(lint-staged), pre-push | ## Renovate Configuration @@ -233,6 +285,8 @@ The `docs/` directory contains extensive planning and operational artifacts: A `FEATURES.md` at repo root documents v1.4 MVP with 73 features across 12 categories (GitHub interactions, Discord agent, memory/persistence, setup, SDK execution, context/prompt, security, observability, error handling, configuration, additional triggers, delegated work tools). +**New 2026-05-22:** A top-level `.agents/skills/` directory has appeared (project-local skills accessible to the agent during self-hosted runs). A `.slim/` directory and `RULES.md` (development rules v1.4 covering technology stack, code style, architecture patterns, security, testing, build/release, anti-patterns) round out the agent-oriented top-level surface. `RULES.md` declares the documentation hierarchy: PRD > RFCs > FEATURES.md > RULES.md. + A `PRD.md` contains the full product requirements document. `RFCS.md` indexes the 19 RFC architecture decision records. ## Ecosystem Role 
@@ -265,22 +319,26 @@ Version lag varies: some repos trail by several patch releases due to Renovate c ## Fro Bot Workflow Status -**Present and self-hosted.** `fro-bot.yaml` uses `./` (self-reference during CI test) and `fro-bot/agent@v0.42.x` (in the actual fro-bot.yaml). Full trigger coverage: comment mentions, issue events, PR reviews, daily DMR, weekly wiki, manual dispatch. +**Present and self-hosted.** `fro-bot.yaml` uses `./` (self-reference during CI test) and `fro-bot/agent@v0` (major version pin) in production triggers. Full trigger coverage: comment mentions, issue events, PR reviews, daily DMR (15:30 UTC), weekly wiki (Sun 20:00 UTC), manual dispatch with `use-schedule-prompt` / `use-wiki-prompt` boolean inputs. + +The `WIKI_PROMPT` env var in the workflow contains the full wiki maintenance instructions for the project's own `docs/wiki/` Obsidian vault — a parallel artifact to the wiki Fro Bot maintains for the `.github` repo. Branch contract: `fro-bot/wiki-update`, one open PR at a time, branch is deleted if it exists with no open PR. 
## Workspace Packages -| Package | Path | Dependencies | Purpose | -| ------------------- | ------------------- | -------------------------------------- | ------------------------------------ | -| `@fro-bot/action` | `apps/action/` | `@fro-bot/runtime` (workspace) | GitHub Action entry points (private) | -| `@fro-bot/runtime` | `packages/runtime/` | `@bfra.me/es`, `@opencode-ai/sdk` | Shared runtime library (private) | +| Package | Path | Dependencies | Purpose | +| ------------------- | ------------------- | ----------------------------------------------------------- | ----------------------------------------------------------------------- | +| `@fro-bot/action` | `apps/action/` | `@fro-bot/runtime` (workspace) | GitHub Action entry points (private) | +| `@fro-bot/runtime` | `packages/runtime/` | `@bfra.me/es`, `@opencode-ai/sdk` | Shared runtime library; locks, run-state, S3 sync helpers (private) | +| `@fro-bot/gateway` | `packages/gateway/` | `@fro-bot/runtime` (workspace), `discord.js`, `effect` | **New 2026-05-22.** Long-running Discord daemon (private) | -Root `package.json` (`@fro-bot/agent-workspace`) holds all external production deps and dev deps. Workspace protocol links `@fro-bot/action` → `@fro-bot/runtime`. The runtime exports source-level TypeScript (no pre-built dist; consumed via workspace protocol). +Root `package.json` (`@fro-bot/agent-workspace`) holds external action/dev deps; gateway-specific deps (`discord.js`, `effect`) live in `packages/gateway/package.json`. Workspace protocol links `@fro-bot/action` and `@fro-bot/gateway` → `@fro-bot/runtime`. The runtime exports source-level TypeScript (no pre-built dist; consumed via workspace protocol). -pnpm workspace config (`pnpm-workspace.yaml`) enables `autoInstallPeers`, `shamefullyHoist`, `shellEmulator`, and carries security-focused overrides for `brace-expansion`, `fast-xml-parser`, `flatted`, `handlebars`, `lodash`/`lodash-es`, `picomatch`, `tar`, `undici`, `yaml`, and pins `vite` to 8.0.10. 
+pnpm workspace config (`pnpm-workspace.yaml`) enables `autoInstallPeers`, `shamefullyHoist`, `shellEmulator`, `ignoreWorkspaceRootCheck`. `onlyBuiltDependencies` is now `[esbuild, simple-git-hooks, unrs-resolver]`. Security-focused overrides for `brace-expansion`, `fast-xml-parser`, `flatted`, `handlebars`, `lodash`/`lodash-es`, `picomatch`, `tar@^7`, `undici@^7`, `yaml`. `vite` pin moved from 8.0.10 → 8.0.13. Root `package.json` additionally pins `fast-uri`, `fast-xml-builder`, `fast-xml-parser`, `ip-address` to security-patched ranges. ## Survey History | Date | SHA | Key changes | | ---------- | ---------- | ---------------------------------------------------- | +| 2026-05-22 | `8632cf4` | Re-survey at v0.44.3: new `packages/gateway` (Discord daemon, Effect 3.x), new `deploy/` Docker stack (gateway + workspace + mitmproxy), `enable-omo` action input (oMo now opt-in), `agent` input default changed from `sisyphus` to unset/OpenCode-build, open issues 7→2, stars 0→1, dep bumps (`@opencode-ai/sdk` 1.14.30→1.14.41, `tsdown` 0.21→0.22, `vite` pin 8.0.10→8.0.13). `services/object-store/` confirmed migrated (likely into `@fro-bot/runtime`). Action `AGENTS.md` is stale (dated 2026-03-29). | | 2026-05-08 | `ef6b952` | Re-survey: additive detail (workspace packages, docs structure, artifact/object-store discrepancy) | | 2026-05-07 | `ef6b952` | Initial survey | diff --git a/knowledge/wiki/repos/fro-bot--fro-bot-github-io.md b/knowledge/wiki/repos/fro-bot--fro-bot-github-io.md index fab9c72e5..7247087c2 100644 --- a/knowledge/wiki/repos/fro-bot--fro-bot-github-io.md +++ b/knowledge/wiki/repos/fro-bot--fro-bot-github-io.md 
@@ -2,11 +2,14 @@ type: repo title: fro-bot/fro-bot.github.io created: 2026-05-07 -updated: 2026-05-07 +updated: 2026-05-24 sources: - url: https://github.com/fro-bot/fro-bot.github.io sha: 3e44653c4d185b239b44b3af12255d18c86463ab accessed: 2026-05-07 + - url: https://github.com/fro-bot/fro-bot.github.io + sha: 3e44653c4d185b239b44b3af12255d18c86463ab + accessed: 2026-05-24 tags: [github-pages, custom-domain, fro-bot-org, infrastructure] related: - marcusrbrown--systematic @@ -120,3 +123,4 @@ Given this repo has no application code and a single static file, most of these | Date | SHA | Delta | | ---------- | --------- | ------------------------------ | | 2026-05-07 | `3e44653` | Initial survey. Single-file repo, CNAME-only domain holder for `fro.bot`. | +| 2026-05-24 | `3e44653` | No-op re-survey. HEAD unchanged in 105 days (still the original 2026-02-09 `Create CNAME` commit). Pages config, TLS cert (expires 2026-07-09), missing-integrations table, and issue #1 (CodeQL/Scorecard parity) all unchanged. HTTPS still not enforced. No Fro Bot workflow — all four follow-up recommendations carried forward. | diff --git a/knowledge/wiki/repos/fro-bot--systematic.md b/knowledge/wiki/repos/fro-bot--systematic.md index dfdfa8dcc..3572381e6 100644 --- a/knowledge/wiki/repos/fro-bot--systematic.md +++ b/knowledge/wiki/repos/fro-bot--systematic.md @@ -2,12 +2,15 @@ type: repo title: "fro-bot/systematic" created: 2026-05-07 -updated: 2026-05-07 +updated: 2026-05-22 sources: - url: https://github.com/fro-bot/systematic sha: 73fa108 accessed: 2026-05-07 -tags: [documentation, github-pages, astro, starlight, opencode, plugin, ocx] + - url: https://github.com/fro-bot/systematic + sha: 12cae87 + accessed: 2026-05-22 +tags: [documentation, github-pages, astro, starlight, opencode, plugin, ocx, json-schema] related: - marcusrbrown--systematic - marcusrbrown--dotfiles 
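Review bot: In `fro-bot--fro-bot-github-io.md`, the new 2026-05-24 survey row is labelled a no-op but carries two open security items: "HTTPS still not enforced" and a TLS cert that "expires 2026-07-09", which is 46 days after this survey date. Suggest confirming both are among the four carried-forward recommendations and giving them a next-check date, so they are not lost in a row readers will skim as unchanged.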
@@ -22,12 +25,12 @@ Documentation deployment target for [[marcusrbrown--systematic]]. Hosts the Star | Attribute | Value | | --------------- | ---------------------------------------------------- | | Created | 2026-02-09 | -| Last push | 2026-05-05 | +| Last push | 2026-05-21 | | Default branch | `gh-pages` | | Language | HTML (static build output) | | License | None specified | | Stars | 0 | -| Open issues | 2 | +| Open issues | 1 (+ 1 open PR) | | Pages URL | https://fro.bot/systematic/ | | Visibility | Public | @@ -48,14 +51,17 @@ The deploy workflow lives in `marcusrbrown/systematic` (the `docs.yaml` workflow The `gh-pages` branch contains the built Starlight/Astro static site: - `index.html` — Landing page +- `404.html` — Starlight not-found page (new since prior survey) - `_astro/` — Bundled CSS, JS, and image assets - `components/` — OCX component pages (one per agent/skill) - `getting-started/` — Getting started guides - `guides/` — Philosophy, main loop, agent install, conversion guides - `reference/` — Generated reference pages for skills and agents +- `schemas/` — Hosted JSON Schemas for the user config file (new since prior survey) - `pagefind/` — Client-side search index - `.well-known/ocx.json` — OCX registry pointer (`{"version":1,"registry":"/systematic/index.json"}`) - `index.json` — OCX component registry for `ocx` CLI installation +- `og-image.png` — Open Graph share image - `.nojekyll` — Disables Jekyll processing - `sitemap-index.xml`, `sitemap-0.xml` — Sitemap for search engines 
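Review bot: In the `gh-pages` contents list of `fro-bot--systematic.md`, the `404.html` and `schemas/` bullets are tagged "(new since prior survey)", which stops being true at the next survey while the bullets stay, and the equally new `og-image.png` bullet has no tag. Suggest dating the additions instead, for example "(first seen 2026-05-22)", or leaving the novelty to the Survey History row, which already records all three.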
@@ -63,6 +69,41 @@ The `gh-pages` branch contains the built Starlight/Astro static site: The `.well-known/ocx.json` file points to the OCX component registry at `/systematic/index.json`. This enables the `ocx` CLI to discover and install individual skills and agents from the documentation site URL. The registry uses V2 schema (since `@fro.bot/systematic` v2.6.0). +As of the 2026-05-22 survey, `index.json` advertises: + +| Field | Value | +| ------------ | ------------------------------------------------------------ | +| `name` | `Systematic` | +| `namespace` | `systematic` | +| `version` | `2.20.6` (up from v2.7.3 at the prior survey — see [[marcusrbrown--systematic]] for source-side release history) | +| `author` | `Marcus R. Brown ` | +| `components` | 103 total | + +Component breakdown: + +| Type | Count | +| --------- | ----- | +| `agent` | 51 | +| `skill` | 47 | +| `bundle` | 2 | +| `profile` | 2 | +| `plugin` | 1 | + +The `bundle` and `profile` types are new since the prior survey — V2 registry capabilities now surface in the deployed artifact. + +## Hosted JSON Schemas (new in this survey) + +The `schemas/` tree appeared on `gh-pages` between the 2026-05-07 survey and now. Two URLs are served: + +- `https://fro.bot/systematic/schemas/latest/systematic-config.schema.json` +- `https://fro.bot/systematic/schemas/v2/systematic-config.schema.json` + +Both are draft-07 JSON Schemas titled `Systematic user configuration file (systematic.json / systematic.jsonc)`. The `$id` on the v2 file is the v2 URL above, which makes that the canonical pinned reference. Top-level schema fields: `$schema`, `agents`, `categories`, `disabled_skills`, `disabled_agents`, `disabled_commands`, `bootstrap` — matching the `systematic.json` config shape consumed by `marcusrbrown/systematic`'s `config-handler.ts`. + +The schema's own `$schema` property is documented as informational only — the loader does not fetch or validate against it. 
Its purpose is to flip on field-level autocomplete in VSCode, Zed, IntelliJ, and any other editor that resolves `$schema` URLs. + +Consequence: this deployment target is no longer purely a docs site. It is now also a stable schema host. Renaming, restructuring, or breaking the URL shape of `schemas/v2/systematic-config.schema.json` would silently break IDE autocomplete in every consumer that pinned the v2 URL. Treat it like a public API. + ## Branches | Branch | Purpose | @@ -108,7 +149,24 @@ The documentation build pipeline flows: `marcusrbrown/systematic` → Astro buil ## Deploy Cadence -Based on commit history, deployments track releases of `@fro.bot/systematic`: +Based on commit history, deployments track releases of `@fro.bot/systematic`. Recent activity is markedly bursty — multiple deploys per day during active development windows on the source repo, suggesting CI fans out per merge rather than per release tag. + +Latest 10 deploys observed on 2026-05-22 (source SHAs are the `marcusrbrown/systematic` commit each deploy was built from): + +| Date (UTC) | gh-pages SHA | Source SHA | +| ------------------ | ------------ | ----------- | +| 2026-05-21 23:12 | `12cae87` | `dae829a` | +| 2026-05-21 22:25 | `bf26128` | `3810786` | +| 2026-05-21 18:49 | `f59ab5e` | `3b1515e` | +| 2026-05-21 18:40 | `bf76020` | `1425dd6` | +| 2026-05-21 18:27 | `cbaced6` | `e8a981e` | +| 2026-05-21 04:16 | `ffa2463` | `9551607` | +| 2026-05-21 03:50 | `1bd39c8` | `350a637` | +| 2026-05-18 18:09 | `b841b51` | `4c780cb` | +| 2026-05-18 03:03 | `a3e28f3` | `402ef5c` | +| 2026-05-17 20:53 | `9254502` | `862a098` | + +Earlier deploys remain documented from the prior survey: | Date | Source SHA | Likely version | | ---------- | ----------- | -------------- | 
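Review bot: In the Hosted JSON Schemas section of `fro-bot--systematic.md`, the text gives the `$id` of the v2 file but not of the `latest` copy, and does not say whether the two files were identical at `12cae87`. Since the section tells consumers the v2 URL is the canonical pinned reference and that editors resolve these URLs, suggest recording the `latest` `$id`, whether it tracks v2, and whether HTTPS is enforced for this Pages site. In the `index.json` table, the `author` value `Marcus R. Brown ` ends in a trailing space inside the code span, which looks like a dropped address; trim it or restore what `index.json` contains.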
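Review bot: The rewritten opening of Deploy Cadence in `fro-bot--systematic.md` keeps "deployments track releases of `@fro.bot/systematic`" and then adds that the burst pattern suggests "CI fans out per merge rather than per release tag", so the paragraph now asserts both. Suggest rewording the first sentence to the per-merge reading, or checking the trigger in the `docs.yaml` workflow named earlier on the page and stating it as fact rather than inference.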
@@ -125,3 +183,4 @@ Based on commit history, deployments track releases of `@fro.bot/systematic`: | Date | SHA | Delta | | ---------- | ---------- | ------------------------ | | 2026-05-07 | `73fa108` | Initial survey | +| 2026-05-22 | `12cae87` | Registry advanced v2.7.3 → v2.20.6; 103 components (51 agents, 47 skills, 2 bundles, 2 profiles, 1 plugin); `schemas/{latest,v2}/systematic-config.schema.json` now hosted; `404.html` and `og-image.png` added; deploy cadence visibly intensified | diff --git a/knowledge/wiki/repos/marcusrbrown--containers.md b/knowledge/wiki/repos/marcusrbrown--containers.md index 0b4cebcce..ba1bd3066 100644 --- a/knowledge/wiki/repos/marcusrbrown--containers.md +++ b/knowledge/wiki/repos/marcusrbrown--containers.md @@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/containers" created: 2026-04-18 -updated: 2026-04-22 +updated: 2026-05-25 sources: - url: https://github.com/marcusrbrown/containers sha: e582f856844ac1dd52fc8739f1a9aa8398248e6e @@ -13,6 +13,9 @@ sources: - url: https://github.com/marcusrbrown/containers sha: 1b782ff8b0a94615492de36f7f9b1d57e4663113 accessed: 2026-04-22 + - url: https://github.com/marcusrbrown/containers + sha: 6f8a10145eb743f71896bac881b269e403e5672e + accessed: 2026-05-25 tags: [docker, containers, dockerfiles, multi-arch, python, github-actions, ci-cd, security-scanning, ai, ollama, sqlite] aliases: [containers] related: @@ -29,7 +32,7 @@ A container development ecosystem with curated Dockerfiles, Python automation sc - **Default branch:** `main` - **Primary language:** Python - **Created:** 2016-12-19 -- **Last push:** 2026-04-22 (as of 2026-04-22 survey) +- **Last push:** 2026-05-25 (as of 2026-05-25 survey; HEAD `6f8a1014` from 2026-05-22) - **Topics:** `automation`, `containers`, `docker`, `docker-compose`, `dockerfiles`, `scripts` - **Registries:** GHCR (`ghcr.io`), Docker Hub (`docker.io/marcusrbrown`, legacy alias `igetgames`) 
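Review bot: In the overview hunk of `marcusrbrown--containers.md`, "Last push: 2026-05-25 (as of 2026-05-25 survey; HEAD `6f8a1014` from 2026-05-22)" gives two dates for what reads as the same event. Suggest stating which one is the push timestamp and which is the HEAD commit date, or dropping the push date if it was taken from the survey date.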
@@ -222,3 +225,18 @@ All GitHub Actions are SHA-pinned with version comments. Key actions (as of 2026 | 2026-04-18 | `e582f856` | Initial survey. Agent `v0.40.0`, `fro-bot.yaml` PR review + daily autohealing confirmed. | | 2026-04-21 | `fa17128f` | Agent bumped to `v0.41.0`. `actions/setup-node` bumped to v6.4.0. `OMO_PROVIDERS`/`OPENCODE_CONFIG` secrets added to Fro Bot job. Node.js base images digest-rotated. `predictive_maintenance.py` (987 LOC, SQLite analytics) and `ai_core.py` Ollama support documented. Redis template (`templates/databases/redis/`) confirmed present. AGENTS.md coverage at root, workflows, and scripts directories. `pytest` updated (CVE-2025-71176). | | 2026-04-22 | `1b782ff8` | Incremental re-survey. Multiple base image digest rotations via Renovate (#587–#590). Cache cleanup workflow fix: gracefully handle missing cache keys (#585). Node Alpine base image now `sha256:d1b3b4da...`, Bookworm-slim `sha256:03eae3e...`. No structural changes to repo, workflows, or Python automation layer. | +| 2026-05-25 | `6f8a1014` | Incremental re-survey. **Renovate preset crossed v4 → v5 boundary** (`marcusrbrown/renovate-config#5.2.0`, #608, 2026-05-20) — aligns with [[marcusrbrown--renovate-config]] v5 ecosystem migration. **Fro Bot agent advanced four releases:** v0.41.0 → v0.42.1 → v0.43.0 → v0.44.0 (#591, #603, #609). **`docker/dockerfile` syntax directive bumped to v1.24** (#604, 2026-05-13). **urllib3 CVE patch:** explicit `urllib3 >=2.7.0` added to `pyproject.toml` (#602, 2026-05-13). **`openai` dependency tracked aggressively:** bumped through 2.33.0 → 2.34.0 → 2.35.1 → 2.36.0 across May (#592, #594, #595, #597). **Renovate postUpgradeTasks now includes `poetry lock`** (#596, 2026-05-14) — keeps the Poetry lockfile in sync after dependency bumps, previously a manual step. Express template/runtime versions pinned and redundant `argparse` dep removed (#582, 2026-04-29). Continuous Node.js base image digest rotation cadence (#599–#618). 
Open Renovate PRs in flight: `dorny/paths-filter` v4 (#607) and a non-major bundle (#614). No structural changes to repo layout, workflows, Python automation, or AI subsystem. | + +## Delta — 2026-05-25 Survey + +Key state confirmed at HEAD `6f8a1014`: + +- **Fro Bot workflow:** `fro-bot/agent@v0.44.0` (SHA `b030b53b...`), same 14:30 UTC daily schedule, same structured PR review prompt (Verdict / Blocking / Non-blocking / Missing tests / Risk assessment) and autohealing categories (errored PRs, security, health & maintenance, DX). Single perpetual "Daily Autohealing Report" issue still the persistence pattern. +- **Renovate config (`renovate.json5`):** Extends `marcusrbrown/renovate-config#5.2.0`. `postUpgradeTasks` now runs `poetry lock && pnpm install && pnpm format` (the `poetry lock` step is the new piece). Python pinned `>=3.13,<3.14`. `templates/` still ignored. Patch updates disabled except for TypeScript and Python. `aquasecurity/trivy-action` uses `github-releases` versioning. +- **Toolchain (`mise.toml`):** Unchanged — Node 24.15.0, pnpm 10.33.0, Poetry latest, pre-commit latest, Python 3.13. `.venv` auto-created. +- **Python deps (`pyproject.toml`):** `openai >=2.36.0,<2.37.0`, `anthropic >=0.30.0,<1.0.0`, `urllib3 >=2.7.0` (security floor), `pyyaml`, `requests`, `jinja2`, `jsonschema`. Dev: `pytest ^9.0`, `pytest-cov ^7.0`, `black >=26.3.1`, `isort ^8.0`, `pylint ^4.0`, `yamllint ^1.0`. Build system `poetry-core>=2.0.0,<3.0.0`. +- **Poetry script entry points:** Stable since prior survey — 10 entry points (`containers`, `generate-dockerfile`, `collect-docker-metrics`, `generate-image-tags`, `template-engine`, `template-testing`, `generate-docs`, `ai-chat`, `ai-analyze`, `ai-recommend`). +- **Workflows (11 total):** Same set as prior survey — `build-publish`, `cache-cleanup`, `container-scan`, `dockerfile_generation`, `fro-bot`, `metrics_collector`, `release`, `renovate`, `test`, `update-repo-settings`, plus the workflows-level `AGENTS.md` reference doc. 
+- **Open PRs:** 6 total. Notable: copilot-swe-agent PRs #583 (pytest coverage for AI/template/CLI/predictive-maintenance modules) and #584 (first-class AI configuration scaffold + CLI init/validation flow) have been pending since 2026-04-18 — both touch the AI subsystem documented above and remain unmerged. + +No contradictions with prior surveys. Repository structure, container variants, template system, AI subsystem architecture, Dockerfile patterns, CI pipeline, branch protection, and developer tooling all unchanged from the 2026-04-22 survey. Active surface area for the period was: Renovate-driven dependency hygiene (Node.js base digests, openai, Debian base digests), the v4→v5 Renovate preset boundary crossing, and the Fro Bot agent version cadence. diff --git a/knowledge/wiki/repos/marcusrbrown--cortexkit-anthropic-auth.md b/knowledge/wiki/repos/marcusrbrown--cortexkit-anthropic-auth.md new file mode 100644 index 000000000..bfd05ee51 --- /dev/null +++ b/knowledge/wiki/repos/marcusrbrown--cortexkit-anthropic-auth.md 
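Review bot: In the 2026-05-25 Survey History row of `marcusrbrown--containers.md`, "urllib3 CVE patch" names no advisory, while the 2026-04-21 row cites the CVE for its `pytest` bump; suggest adding the identifier from #602 so the `urllib3 >=2.7.0` floor can be re-evaluated later. The same row says the Fro Bot agent "advanced four releases" but lists three bumps (v0.41.0 → v0.42.1 → v0.43.0 → v0.44.0; #591, #603, #609). In the Delta section, "Workflows (11 total)" enumerates ten workflows and counts `AGENTS.md` as the eleventh; either name the missing workflow or say ten.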
@@ -0,0 +1,214 @@ +--- +type: repo +title: marcusrbrown/cortexkit_anthropic-auth +created: 2026-05-28 +updated: 2026-05-28 +sources: + - url: https://github.com/marcusrbrown/cortexkit_anthropic-auth + sha: 517d38596432429a8fc5f78612edc80a1c3f3dc6 + accessed: 2026-05-28 +tags: [opencode, pi, anthropic, oauth, claude, bun, typescript, monorepo, biome, fork, relay, cloudflare-worker, mitmproxy] +related: [marcusrbrown--opencode-copilot-delegate, marcusrbrown--systematic, marcusrbrown--dotfiles] +--- + +# marcusrbrown/cortexkit_anthropic-auth + +Fork of `cortexkit/anthropic-auth` adding Claude Pro/Max OAuth, fallback accounts, quota routing, prompt-cache controls, and a Cloudflare Worker relay path for OpenCode and Pi. Marcus's fork publishes the OpenCode plugin and shared core under his own scope; the Pi package remains private to the fork. + +## Overview + +This is a Bun workspace monorepo with three packages: a shared core, an OpenCode plugin, and a Pi provider extension. The OpenCode plugin intercepts the final Anthropic request and rewrites it into the shape Anthropic's Claude Pro/Max OAuth path expects; the Pi package registers a CortexKit provider override under Pi's built-in `anthropic` provider ID. Both integrations share OAuth, fallback-account, quota, cache, relay, dump, SSE, and request-signing logic through the core package. + +**Fork status (2026-05-28):** + +- Default branch is `marcusrbrown/main` (not `main`) — fork-specific so upstream `main` can be tracked cleanly. +- Fork of `cortexkit/anthropic-auth`. Public, MIT-licensed, 1 star, 0 forks, issues enabled, no GitHub wiki, no discussions. +- Two packages published under `@marcusrbrown/*` at `1.2.2-mb.2`: + - `@marcusrbrown/anthropic-auth-core` (shared) + - `@marcusrbrown/opencode-anthropic-auth` (OpenCode plugin) +- Pi package `@cortexkit/pi-anthropic-auth` is `private: true` in this fork — explicitly excluded from publish jobs. 
+- Recommended install pin: `@marcusrbrown/opencode-anthropic-auth@1.2.2-mb.2`. + +## Why the Fork Exists + +Two practical drivers visible from `CHANGELOG.md` and `README.md`: + +1. **Namespace pinning.** Marcus needs to pin a specific OpenCode plugin build from his own scope so OpenCode's plugin loader resolves an immutable artifact (and `rm -rf ~/.cache/opencode` can predictably reset state). Publishing `@marcusrbrown/opencode-anthropic-auth` removes the dependency on whatever CortexKit ships at upstream `latest`. +2. **Closing the core namespace gap.** Release `1.2.2-mb.1` shipped only the OpenCode package and still pulled `@cortexkit/anthropic-auth-core` from upstream. `1.2.2-mb.2` published `@marcusrbrown/anthropic-auth-core` and re-pointed the OpenCode plugin's dependency, making the fork install self-contained without any upstream-scoped runtime dependency. + +This pattern — fork → republish under personal scope → re-target internal dependencies — appears elsewhere in the Marcus ecosystem; see the broader ecosystem notes in [[marcusrbrown--dotfiles]] for the OpenCode plugin stack. + +## Technology Stack + +| Aspect | Detail | +|--------|--------| +| Language | TypeScript (per `primaryLanguage`); also Shell and JavaScript | +| Runtime/Build | Bun 1.3.14 (pinned via `mise.toml`) | +| Linting/Formatting | Biome 2.4.15 (single tool, like [[marcusrbrown--opencode-copilot-delegate]] — diverges from `@bfra.me/eslint-config` repos) | +| Package Manager | Bun workspaces (`bun.lock`, `workspaces: ["packages/*"]`) | +| Git Hooks | Lefthook 2.1.6 | +| Test Runner | `bun test` for unit and e2e | +| License | MIT | +| Default Branch | `marcusrbrown/main` | +| Disk Usage | 387 KB | +| TypeScript | 6.0.3 | + +### Mise Tooling + +`mise.toml` is minimal — only Bun 1.3.14 is pinned. No Node version pin at the root; the release workflow installs Node 24 explicitly via `actions/setup-node@v6`. 
+ +## Packages + +| Package | Scope | Version | Purpose | +|---------|-------|---------|---------| +| `@marcusrbrown/anthropic-auth-core` | published, fork | `1.2.2-mb.2` | Shared OAuth, account, quota, cache, relay, dump, SSE, request-signing logic. Single runtime dep: `xxhash-wasm` (for body-derived `cch` signing). | +| `@marcusrbrown/opencode-anthropic-auth` | published, fork | `1.2.2-mb.2` | OpenCode plugin + CLI (`opencode-anthropic-auth` bin). Peer dep on `@opencode-ai/plugin`. Built with `bun build --target node --format esm --splitting --external @opencode-ai/plugin --minify` plus `tsc --emitDeclarationOnly`. Engines: `bun: 1.3.14`. | +| `@cortexkit/pi-anthropic-auth` | private in fork | `1.2.2` (unpublished here) | Pi extension declared via `pi.extensions` package-manifest field; registers a CortexKit Anthropic provider under Pi's `anthropic` provider ID. Depends on the fork's `@marcusrbrown/anthropic-auth-core`. Peer deps on three `@earendil-works/pi-*` packages (`pi-ai`, `pi-coding-agent`, `pi-tui`). | +| `packages/e2e-tests/` | internal | n/a | OpenCode end-to-end harness invoked via root `test:e2e` script; gated behind a core build. | + +## Architecture + +### Integration model + +Two agents, one shared core: + +- **OpenCode plugin.** Hooks into OpenCode's fetch/request transform path. Reuses OpenCode's normal `/connect anthropic` for the primary account; the plugin layers in OAuth headers, request rewrites, fallback routing, quota gates, cache controls, relay handoff, and dumps. Sidecar config lives at `~/.config/opencode/anthropic-auth.json` (overridable via `OPENCODE_ANTHROPIC_AUTH_FILE`). +- **Pi provider extension.** Calls `registerProvider("anthropic")` to override Pi's built-in Anthropic provider with a CortexKit one that takes the same Claude-compatible request path. 
Primary OAuth credentials live in Pi's normal credential store via `/login anthropic`; CortexKit-specific state lives at `~/.pi/agent/anthropic-auth.json` (overridable via `PI_ANTHROPIC_AUTH_FILE`, `PI_AGENT_DIR`). + +Both sidecars use the same JSON shape (`version`, `main`, `fallbackOn`, `refresh`, `quota`, `claudeCache`, `cacheKeep`, `dump`, `claudeFast`, `relay`, `accounts`), so a user's mental model is portable across agents. + +### What the core actually does + +From the README's "What CortexKit adds" matrix: + +- **Fallback accounts.** Ordered list of secondary OAuth accounts; routed on auth/quota/rate-limit failures (default `fallbackOn: [401, 403, 429]`). +- **Quota-aware routing.** Skips main or fallback accounts when 5-hour or 7-day Claude quota falls below configured `minimumRemaining` thresholds. `failClosedOnUnknownQuota` makes the safe default explicit. +- **Persistent prompt-cache controls.** `/claude-cache` toggles Anthropic's 1-hour cache in explicit, automatic, or hybrid modes; `/claude-cachekeep HH-HH` pre-warms hybrid anchors before the 1-hour TTL expires. +- **Fast mode toggle.** `/claude-fast on|off` requests Anthropic fast mode for supported Opus models. +- **Quota visibility.** `/claude-quota` surfaces live main + fallback state, reset times, refresh errors. +- **User-owned Cloudflare relay.** Optional Worker relay that reduces repeated client upload bytes for large requests; HTTP transport with `fallbackToDirect: true` as the resilient default. +- **Request hardening.** Final-body billing signing (`cch` derived from body via `xxhash-wasm`), token-refresh persistence safety, replay-safe fallback retries, subagent cache isolation. Background OAuth refresh uses jitter to avoid concurrent OpenCode processes refreshing on identical timestamps (`1.2.2`). +- **Dumps.** `/claude-dump` captures Claude-compatible request/response data for debugging when `dump.enabled: true`. 
+ +### Commands (both agents) + +`/claude-cache`, `/claude-cachekeep`, `/claude-fast`, `/claude-quota`, `/claude-dump` — identical surface for OpenCode and Pi. + +## Repository Layout + +``` +. +├── .github/ +│ ├── ISSUE_TEMPLATE/ +│ ├── instructions/ +│ ├── workflows/ +│ │ ├── ci.yml +│ │ ├── copilot-setup-steps.yml +│ │ └── release.yaml +│ ├── copilot-instructions.md +│ └── dependabot.yml +├── packages/ +│ ├── core/ # @marcusrbrown/anthropic-auth-core +│ ├── opencode/ # @marcusrbrown/opencode-anthropic-auth +│ ├── pi/ # @cortexkit/pi-anthropic-auth (private in fork) +│ └── e2e-tests/ +├── docs/ +│ ├── brainstorms/ +│ └── plans/ +├── captures/ # gitignored mitmproxy / system-prompt captures +├── images/ +├── scripts/ +│ ├── analyze-cache-usage.mjs +│ ├── capture-with-mitmproxy.sh +│ ├── dev.ts / dev-clean.ts +│ ├── extract-system-prompt.ts +│ ├── release.sh / release.test.ts +│ ├── verify-artifacts.mjs / verify-artifacts.test.ts +│ ├── version-sync.mjs / version-sync.test.ts +│ └── wait-release.sh +├── AGENTS.md +├── CHANGELOG.md +├── biome.json +├── bun.lock +├── lefthook.yml +├── mise.toml +├── package.json +└── tsconfig.scripts.json +``` + +## CI/CD + +### `ci.yml` — Pull Request validation + +Runs on `pull_request` only. Single `check` job on `ubuntu-latest` with `permissions: contents: read`: + +1. Checkout (`actions/checkout@v6` pinned by SHA). +2. `jdx/mise-action@v4` (pinned by SHA) installs Bun. +3. `bun install --frozen-lockfile`. +4. `bun run types` (typecheck across core/opencode/pi + scripts tsconfig). +5. `bun run build` (sequential builds: core → opencode → pi). +6. `bun run test` (build + version-sync + verify-artifacts + release scripts tests + OpenCode package tests). +7. `bun run format:check` (Biome format). +8. `bun run lint` (Biome lint). + +Concurrency group cancels in-progress runs per PR. See [[github-actions-ci]] for cross-repo workflow patterns. 
+ +### `release.yaml` — Tag-driven publish + +Triggers on `push` tags matching `v*` and on `workflow_dispatch` with a `version` input. Top-level `permissions: contents: read`; elevated permissions are scoped per-job. + +Notable hardening (from the visible job head): + +- Tag-commit integrity check: when triggered by tag push, verifies `HEAD` matches `git rev-list -n1 refs/tags/`. Mismatch is a hard failure. +- `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true` at env scope. +- Concurrency group keyed to the resolved version (not run id), with `cancel-in-progress: false` so concurrent release runs queue instead of cancelling each other. +- `version-sync.mjs … --validate` enforces that package manifests already match the requested version — CI does not mutate manifests during release. + +Per `.github/copilot-instructions.md`, the release contract is locked: + +- npm Trusted Publishing/OIDC + provenance only — no `NPM_TOKEN` fallback secret. +- No `NPM_DIST_TAG_TOKEN`. +- No `mb` dist-tag lane (the `-mb.N` suffix is encoded in the version, not in a dist-tag). +- `npm publish --tag latest`. +- No `environment: npm-publish` unless both the GitHub environment and npm Trusted Publisher config are confirmed present. + +### `copilot-setup-steps.yml` + +Returns `Not Found` via the contents API for the resolved ref — either gitignored, missing, or readable only via the workflow runner. Not analyzed. + +### Dependabot + +`enable-beta-ecosystems: true`. Two ecosystems: + +- `bun` (root), weekly, max 10 open PRs. +- `github-actions` (root), weekly, max 5 open PRs. + +No Renovate config detected at the root — the repo uses Dependabot, not the [[marcusrbrown--renovate-config]] preset. That's a deliberate divergence from most Marcus repos. + +## Fro Bot Status + +**No Fro Bot workflow detected.** The only workflows are `ci.yml`, `copilot-setup-steps.yml`, and `release.yaml`. No `fro-bot.yaml`, no maintenance/autoheal job, no scheduled wiki update. 
+ +Follow-up: a separate draft PR can propose a Fro Bot workflow tuned to this repo's profile (release-sensitive, OAuth/PII-sensitive captures, dual-package publish). The release contract above means the workflow must avoid touching version-sync, the OIDC publish path, or any release-tagging — its initial scope should be code review and triage, not autoheal. + +## Operational Notes + +- **Captures are gitignored.** `AGENTS.md` and `copilot-instructions.md` are unambiguous: `captures/` holds mitmproxy HTTPS interception artifacts of Claude Code / OpenCode system prompts. These contain sensitive data and PII. Treat any PR touching `captures/` as suspicious. +- **No file-content assertions in workflow/config tests.** `copilot-instructions.md` codifies this: verify syntax and behavior, not exact strings. Useful guardrail to import elsewhere. +- **Sidecar override env vars.** `OPENCODE_ANTHROPIC_AUTH_FILE` (OpenCode), `PI_ANTHROPIC_AUTH_FILE` and `PI_AGENT_DIR` (Pi). Both default to user config dirs, never `/etc` or anything system-wide. +- **OAuth refresh path.** As of `1.2.1`, tokens refresh through `https://api.anthropic.com/v1/oauth/token` (live-smoke-tested CLIProxyAPI path) after `platform.claude.com` repeatedly returned OAuth `429` during proactive refresh. Useful prior art for anyone else implementing Anthropic OAuth refresh. +- **OpenCode plugin singleton + lock semantics.** `1.2.2` adds jitter to background refresh timers and hardens cross-process refresh locks so a process can't steal a lock while another is still initializing it — preventing duplicate refreshes that burn a rotated refresh token and leave the loser with `invalid_grant`. This is exactly the kind of subtle multi-process pitfall worth carrying into [[opencode-plugins]]. + +## Cross-Cutting References + +- [[opencode-plugins]] — Plugin architecture, Bun build target, peer-dep handling, plugin singleton patterns. 
This repo is an additional data point for the singleton + cross-process lock category. +- [[marcusrbrown--opencode-copilot-delegate]] — Another OpenCode plugin in Marcus's stack; same Biome 2.4.15 + Bun 1.3.14 toolchain, comparable peer-dep and build-target discipline. +- [[marcusrbrown--systematic]] — Sibling OpenCode plugin (skills/agents framework). +- [[marcusrbrown--dotfiles]] — Consumes OpenCode plugins via OpenCode config; relevant pinning target for `@marcusrbrown/opencode-anthropic-auth@1.2.2-mb.2`. +- [[github-actions-ci]] — General CI patterns; this repo contributes the tag-commit integrity check pattern and the "no manifest mutation in CI" release rule. + +## Open Questions / Gaps + +- Is the upstream `cortexkit/anthropic-auth` still actively maintained? The fork's release notes carry forward upstream changelog entries through `1.2.2`, suggesting recent sync, but no explicit upstream-tracking workflow was observed. +- The `docs/brainstorms/` and `docs/plans/` directories exist but were not read (per the survey constraint to limit reads to listings, README, manifests, workflows). Future ingest could enumerate plan filenames to map roadmap scope. +- `e2e-tests` package internals (test count, framework) were not read. diff --git a/knowledge/wiki/repos/marcusrbrown--dotfiles.md b/knowledge/wiki/repos/marcusrbrown--dotfiles.md index a9a0ea92b..b02aa6dba 100644 --- a/knowledge/wiki/repos/marcusrbrown--dotfiles.md +++ b/knowledge/wiki/repos/marcusrbrown--dotfiles.md @@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/.dotfiles" created: 2026-04-18 -updated: 2026-04-22 +updated: 2026-05-24 sources: - url: https://github.com/marcusrbrown/.dotfiles sha: 2f2d1e6ac04999c5e61ee054fc585d9542cd3a74 
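Review bot: In the `release.yaml` hardening list of the new `marcusrbrown--cortexkit-anthropic-auth.md`, the tag-commit check reads `git rev-list -n1 refs/tags/` with nothing after the slash, so the documented command names no ref; it looks like a tag placeholder was dropped and should be restored from the workflow. The `copilot-setup-steps.yml` section says the file returned Not Found and may be missing, yet the Repository Layout tree and the Fro Bot Status sentence both list it as an existing workflow; mark it as unverified in those two places or explain where the listing came from. The Cross-Cutting References bullet calls dotfiles a pinning target for `@marcusrbrown/opencode-anthropic-auth@1.2.2-mb.2`, while the dotfiles plugin table later in this patch pins `@cortexkit/opencode-anthropic-auth` 1.2.2; say whether dotfiles has adopted the fork.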
@@ -13,10 +13,15 @@ sources: - url: https://github.com/marcusrbrown/.dotfiles sha: ae026c179cd91cb637443fe7d92bed75df3d6dba accessed: 2026-04-22 -tags: [dotfiles, configuration, zsh, bash, mise, sheldon, starship, devcontainer, bare-git-repo, opencode, magic-context, copilot-cli] + - url: https://github.com/marcusrbrown/.dotfiles + sha: 0bb24f05e29fbd4c70eb9dca9611055e7bef7c5f + accessed: 2026-05-24 +tags: [dotfiles, configuration, zsh, bash, mise, sheldon, starship, devcontainer, bare-git-repo, opencode, magic-context, copilot-cli, systematic, gitleaks] aliases: [dotfiles] related: - marcusrbrown--ha-config + - marcusrbrown--systematic + - marcusrbrown--opencode-copilot-delegate --- # marcusrbrown/.dotfiles @@ -28,11 +33,12 @@ Marcus R. Brown's [[dotfiles]] repository. Uses a **bare git repository** patter - **Purpose:** Synchronize shell configuration and dev environment across machines - **Default branch:** `main` - **Created:** 2011-06-09 -- **Last push:** 2026-04-22 +- **Last push:** 2026-05-24 - **License:** The Unlicense (public domain) - **Topics:** `dotfiles`, `configuration`, `settings`, `preferences`, `zsh`, `sheldon`, `mise`, `starship` -- **Languages:** Shell (primary), Vim Script, TypeScript, Ruby, JavaScript -- **Open issues:** 19 +- **Languages:** TypeScript (primary by size), Shell, Vim Script, Ruby, JavaScript +- **Open issues:** 4 +- **Stars:** 18 ## Repository Architecture 
@@ -81,7 +87,47 @@ Supports both Bash and Zsh. XDG-compliant — all configs live under `~/.config/ ### Tool Stack (via [[mise]]) -Managed tool versions in `.config/mise/config.toml` (as of SHA `ae026c1`): +Managed tool versions in `.config/mise/config.toml` (as of SHA `0bb24f0`, 2026-05-24): + +| Tool | Version | Notes | +| ----------------------------- | ------------- | --------------------------------------------------------- | +| node | 24.16.0 | Primary JS runtime | +| python | 3.14.5 | | +| rust | 1.95.0 | | +| go | 1.26.3 | | +| bun | 1.3.14 | Used for npm package installs (`settings.npm.bun = true`) | +| deno | 2.8.0 | | +| zig | 0.15.2 | With ZLS 0.16.0 | +| pnpm | 11.2.1 | Major bump from 10.x | +| npm | 11.15.0 | | +| prettier | 3.8.3 (npm) | With `@bfra.me/prettier-config` 0.16.9 | +| opencode-ai | 1.15.5 (npm) | Renovate updates disabled | +| ast-grep | 0.42.3 | AST-aware search/replace | +| typescript | 6.0.3 (npm) | | +| playwright | 1.60.0 (npm) | | +| puppeteer | 25.0.4 (npm) | Browser automation | +| agent-browser | 0.27.0 (npm) | Browser automation CLI for agents | +| skills | 1.5.7 (npm) | Agent skills package | +| ocx | 2.0.11 (npm) | OpenCode extension runner | +| @github/copilot | 1.0.51 (npm) | GitHub Copilot CLI (new) | +| @marcusrbrown/infra | latest (npm) | Personal infra CLI | +| @biomejs/biome | 2.4.15 (npm) | | +| vibe-tools | 0.63.3 (npm) | Vibe coding tools | +| @anthropic-ai/claude-code | 2.1.112 (npm) | Renovate updates disabled | +| shfmt (aqua:mvdan/sh) | 3.13.1 | Shell formatter | +| gitleaks (aqua:gitleaks) | 8.30.1 | Secret scanner (new) | +| cargo-binstall | 1.19.1 | Cargo binary installer | +| tsx | 4.22.3 (npm) | TypeScript execution | +| rimraf | 6.1.3 (npm) | Deep deletion utility | +| pyright | 1.1.409 (npm) | Python type checker | +| typescript-language-server | 5.2.0 (npm) | TypeScript language server | +| pipx:poetry | 2.4.1 | Python packaging | + +**Notable removals from prior ingest (SHA `ae026c1`):** 
`@cortexkit/opencode-magic-context` and `@cortexkit/aft-opencode` are no longer in `[tools]` — they moved to the OpenCode `plugin` array in `opencode.json` (managed by a new Renovate custom manager for pinned npm plugin versions). `remark-language-server` and `lolcrab` entries dropped from mise config. + +**Env additions:** `UV_SYSTEM_CERTS=true`, `NPM_TOKEN` templated from env, and a redacted env file pulled from `~/.config/mise/.env.local`. + +#### Historical Snapshot (SHA `ae026c1`, 2026-04-22) | Tool | Version | Notes | | ----------------------------- | ------------- | --------------------------------------------------------- | 
@@ -191,18 +237,29 @@ The repo includes configuration for multiple AI coding agents: - **OpenCode** (`.config/opencode/`): Has its own `AGENTS.md`, plus `agents/`, `commands/`, `scripts/`, `skills/`, `profiles/`, `ocx.jsonc` - **AGENTS.md** at repo root: Comprehensive project knowledge base for AI agents; refreshed at `90742fb` via `/init-deep` -#### OpenCode Plugin Ecosystem (as of SHA `ae026c1`) +#### OpenCode Plugin Ecosystem (as of SHA `0bb24f0`, 2026-05-24) -OpenCode is configured with a rich plugin stack in `.config/opencode/opencode.json`: +OpenCode plugins are now pinned by version directly in `.config/opencode/opencode.json` (managed by a new Renovate custom manager that matches `"name@x.y.z"` patterns inside `opencode.json` / `tui.json`): | Plugin | Version | Purpose | | --- | --- | --- | -| `@ex-machina/opencode-anthropic-auth` | 1.7.4 | Anthropic auth provider | -| `oh-my-openagent` | 3.17.4 | Multi-agent routing and model assignment | -| `@fro.bot/systematic` | latest | Fro Bot systematic skill framework | -| `@franlol/opencode-md-table-formatter` | latest | Markdown table formatting | -| `@cortexkit/opencode-magic-context` | 0.13.0 | Adaptive context management (bumped from 0.12.0) | -| `@cortexkit/aft-opencode` | 0.14.0 | AFT (Adaptive Fine-Tuning) OpenCode plugin | +| `@cortexkit/opencode-anthropic-auth` | 1.2.2 | Anthropic auth provider (vendor switched from `@ex-machina/opencode-anthropic-auth`) | +| `oh-my-opencode-slim` | 1.1.1 | Slimmed multi-agent routing layer (replaces `oh-my-openagent` 3.x) | +| `@cortexkit/opencode-magic-context` | 0.21.8 | Adaptive context management (bumped from 0.13.0) | +| `@cortexkit/aft-opencode` | 0.29.1 | AFT (Adaptive Fine-Tuning) OpenCode plugin | +| `opencode-copilot-delegate` | 0.12.0 | Delegate tasks to GitHub Copilot CLI as subprocess (see [[marcusrbrown--opencode-copilot-delegate]]) | +| `@fro.bot/systematic` | 2.23.4 | Systematic skills + agents (see [[marcusrbrown--systematic]]) | + +**Custom OpenAI 
provider models** declared in `opencode.json` for the first time: + +| Model | Context | Input | Output | +| --- | --- | --- | --- | +| `openai/gpt-5.5` | 272,000 | 272,000 | 32,000 | +| `openai/gpt-5.5-fast` | 272,000 | 272,000 | 32,000 | + +#### Historical Plugin Snapshot (SHA `ae026c1`, 2026-04-22) + +Previous stack — superseded by the table above. `oh-my-openagent` (3.17.4) and `@franlol/opencode-md-table-formatter` were removed; `oh-my-opencode-slim` replaces the multi-agent router. The Anthropic auth plugin migrated from `@ex-machina/*` to `@cortexkit/*` and downshifted from 1.7.4 to 1.2.2 (different package line). `opencode-copilot-delegate` joined the stack, consuming the sibling repo published as v0.12.0. **MCP servers configured:** 
@@ -215,27 +272,27 @@ OpenCode is configured with a rich plugin stack in `.config/opencode/opencode.js **OpenCode compaction:** `auto: false`, `prune: false` — compaction handled by magic-context plugin instead. -#### Magic Context Configuration (`.config/opencode/magic-context.jsonc`) +#### Magic Context Configuration (`.config/opencode/magic-context.jsonc`, SHA `0bb24f0`) -The `opencode-magic-context` plugin provides adaptive context compaction with model-specific thresholds: +The `opencode-magic-context` plugin (0.21.8) provides adaptive context compaction with model-specific thresholds: -- **Historian**: `github-copilot/gpt-5.4` (fallback: `anthropic/claude-sonnet-4.6`) — tracks conversation history -- **Dreamer**: `github-copilot/claude-sonnet-4.6` (enabled) — plans ahead -- **Sidekick**: `github-copilot/gpt-5-mini` (enabled) — lightweight assistant -- **Cache TTL**: 5m default; 59m for Anthropic Sonnet/Opus models -- **Execute thresholds**: 65% default; 40% for Anthropic models (triggers compaction sooner) -- **Token thresholds by model**: Opus 4.7 at 88K, Sonnet 4.6 at 95K, GPT-5.4 at 140K, Codex at 210K -- **History budget**: 10% (`history_budget_percentage: 0.1`) -- **Historian timeout**: 420s (`historian_timeout_ms: 420000`) -- **Experimental**: `pin_key_files` (budget 20k tokens, min 4 reads), `user_memories` (promotion threshold 3), `temporal_awareness` -- **Compaction markers**: enabled (`compaction_markers: true`) -- **Auto-drop**: tool results aged >15 turns (`auto_drop_tool_age: 15`) +- **Historian**: `openai/gpt-5.5-fast` (fallbacks: `anthropic/claude-sonnet-4-6`, `github-copilot/claude-sonnet-4.6`) — temperature 0.1, variant medium, tool permissions hard-denied (`bash`, `webfetch`, `edit`) +- **Dreamer**: `anthropic/claude-sonnet-4-6` (fallbacks: `openai/gpt-5.4-mini`, `github-copilot/claude-sonnet-4.6`) — schedule `00:00-08:00`, `inject_docs: true`, `pin_key_files` (20k tokens, min 4 reads), `user_memories` (promotion threshold 3) +- 
**Sidekick**: disabled +- **Cache TTL**: 5m default; 59m for `anthropic/claude-sonnet-4-6`, `anthropic/claude-opus-4-6`, `anthropic/claude-opus-4-7` +- **Execute thresholds (%)**: 65 default; 55 for the Anthropic Sonnet/Opus trio; 80 for `openai/gpt-5.5` +- **Execute thresholds (tokens)**: `github-copilot/claude-opus-4.7` 80K, `github-copilot/claude-sonnet-4.6` 95K +- **Experimental**: `auto_search` (min 20 chars, score ≥ 0.55), `git_commit_indexing` (additional fields visible in raw config) -**Delta from prior ingest (SHA `dbab7ad`):** Historian model migrated from `anthropic/claude-sonnet-4.6` to `github-copilot/gpt-5.4`. Dreamer model changed from `anthropic/claude-sonnet-4.6` to `github-copilot/claude-sonnet-4.6`. Sidekick model changed from `github-copilot/gpt-5-mini`. Cache TTL and execute thresholds now include `anthropic/claude-opus-4.7`. `history_budget_percentage` reduced to 0.1 (from default). Added `historian_timeout_ms`, `compaction_markers`, `auto_drop_tool_age`, `temporal_awareness`. Plugin version bumped 0.12.0 → 0.13.0. +**Delta from prior ingest (SHA `ae026c1`):** Historian migrated from `github-copilot/gpt-5.4` to a custom `openai/gpt-5.5-fast` (with the old Copilot/Anthropic models now as fallbacks only). Dreamer reverted to a direct Anthropic model (`anthropic/claude-sonnet-4-6`) with the Copilot variant demoted to fallback. Sidekick disabled outright. Token thresholds dropped from 4 entries to 2 (only Copilot Opus and Sonnet remain). Percentage thresholds tightened for Anthropic models (55% vs prior 40%) and a new `openai/gpt-5.5` entry (80%) appears. Experimental block now centers on `auto_search` and `git_commit_indexing` instead of the prior compaction/temporal stack. Plugin version 0.13.0 → 0.21.8. 
-#### oh-my-openagent Agent Model Routing (`.config/opencode/oh-my-openagent.json`) +#### oh-my-opencode-slim Routing (SHA `0bb24f0`) -Per-agent model assignments (as of SHA `ae026c1`): +The `oh-my-openagent` 3.17.4 plugin and its `oh-my-openagent.json` config file have been replaced by `oh-my-opencode-slim` 1.1.1, with configuration moving to `.config/opencode/oh-my-opencode-slim.jsonc`. Routing details are intentionally not duplicated here at this snapshot — the slimmed plugin owns its own schema and the surface area has materially changed. See repo for current per-agent and per-category model assignments. + +#### Historical Agent Routing (SHA `ae026c1`, 2026-04-22) — superseded + +Per-agent model assignments in the now-replaced `oh-my-openagent.json`: | Agent | Model | Variant | | --- | --- | --- | 
@@ -272,11 +329,12 @@ Per-agent model assignments (as of SHA `ae026c1`): **Delta from prior ingest (SHA `dbab7ad`):** All Anthropic direct models migrated to GitHub Copilot hosted equivalents. Opus upgraded from 4.6 to 4.7. `prometheus` agent removed. `atlas` and `hephaestus` disabled. `librarian` migrated from `opencode-go/minimax-m2.7` to `github-copilot/claude-haiku-4.5`. Category model assignments added for the first time. Browser automation engine, disabled hooks/skills arrays, hashline edit, and Sisyphus agent config all new additions. -#### Repo-Scoped Agent Skills (`.agents/skills/`) +#### Repo-Scoped Agent Skills (`.agents/skills/`, SHA `0bb24f0`) | Skill | Path | Purpose | | --- | --- | --- | -| `copilot-cli` | `.agents/skills/copilot-cli/` | Programmatic Copilot CLI delegation: auth, permissions, model selection, multi-repo `--add-dir`, JSONL output, bash-subprocess delegation pattern (new) | +| `agent-browser` | `.agents/skills/agent-browser/` | Browser automation patterns aligned with the `agent-browser` CLI tool (new) | +| `copilot-cli` | `.agents/skills/copilot-cli/` | Programmatic Copilot CLI delegation: auth, permissions, model selection, multi-repo `--add-dir`, JSONL output, bash-subprocess delegation pattern | | `test-driven-development` | `.agents/skills/test-driven-development/` | TDD patterns (`SKILL.md`, `testing-anti-patterns.md`) | | `writing-skills` | `.agents/skills/writing-skills/` | Writing guidance (`SKILL.md`, Anthropic best practices, Graphviz conventions, persuasion principles, subagent testing) | 
@@ -325,19 +383,38 @@ Required status checks on `main`: Devcontainer CI, Fro Bot, Install mise, Renova ## Fro Bot Integration -**Fro Bot workflow present** (`fro-bot.yaml`). Uses `fro-bot/agent@v0.41.3` (SHA `36c9850c2ac6e6d4d532662fca2ca89bd2bc559d`). +**Fro Bot workflow present** (`fro-bot.yaml`). Uses `fro-bot/agent@v0.44.3` (SHA `b928e79729f01b563feabee26a0525a3b48501a6`) — single-file three-mode pattern shared with [[marcusrbrown--marcusrbrown-github-io]] et al. + +Triggers: PR events (opened, synchronize, reopened, ready_for_review, review_requested), `issues` (opened, edited), `issue_comment`, `pull_request_review_comment`, daily schedule (15:30 UTC), `workflow_dispatch` with a required `prompt` input. -Triggers: PR events (opened, synchronize, reopened, ready_for_review, review_requested), issue/comment events, daily schedule (15:30 UTC), manual dispatch. +Concurrency: grouped by issue/PR number (with `github.run_id` fallback for schedule/dispatch), cancellation disabled. -Concurrency: grouped by issue/PR number, cancellation disabled. +**Stale-report cleanup:** A dedicated `Close stale daily reports` step runs on `schedule` only — queries open `fro-bot`-authored issues matching `Daily Maintenance Report in:title`, finds entries older than 3 days, and auto-closes them with reason `not planned`. Cross-platform `date -u -d` / `date -u -v-3d` fallback keeps the step portable. -**PR review prompt** includes dotfiles-specific checks: allowlist .gitignore verification, shell startup correctness, macOS/Linux portability, security (no secrets), convention compliance (numbered init.d, local.d, XDG, GPG signing, `dev.mrbro.*` LaunchAgents), devcontainer impact. 
+**PR review prompt** (PR_REVIEW_PROMPT env) includes dotfiles-specific checks: allowlist `.gitignore` verification, shell startup correctness, macOS/Linux portability, security (no secrets), convention compliance (numbered `init.d`, `local.d`, XDG, GPG signing, `dev.mrbro.*` LaunchAgents), devcontainer impact. Output structure is locked: required headings are `## Verdict` (`PASS | CONDITIONAL | REJECT`), `### Blocking issues`, `### Non-blocking concerns`, `### Security check`, `### Risk assessment`. Sections with no findings must render as `None`. -**Scheduled maintenance prompt** covers 6 categories: errored PRs, security, config quality/repo hygiene, developer experience (formatting), devcontainer/CI health, cross-project progressive improvement (observation-only survey of all `marcusrbrown` repos). +**Scheduled maintenance prompt** (SCHEDULE_PROMPT env) covers 6 categories — Errored PRs, Security, Config Quality & Repo Hygiene, Developer Experience (now report-only — "Formatting is handled manually by the repo owner"), Devcontainer & CI Health, Cross-Project Progressive Improvement (observation-only survey of all `marcusrbrown` repos). Single-issue daily report titled `Daily Maintenance Report — YYYY-MM-DD (UTC)`, with explicit table schemas for each category and explicit "do not query Dependabot/vulnerability-alert APIs" guard (Marcus's PAT is a collaborator token on user-owned repos and those endpoints 404 by design). + +**Hard boundaries:** never force-push, never push directly to default branch, never merge PRs, never weaken tests/lints to make checks pass, do not modify `.github/workflows/`, shell init files, devcontainer config, or automation prompts unless it's a genuine bug fix with narrow scope. Cross-project monitoring (category 6) is strictly observation-only — no PRs, issues, comments, or clones in other repos. 
+ +**Author/trust gating** in the job-level `if`: forks blocked, bot-authored PRs/issues blocked, comment mentions only honored from `OWNER`/`MEMBER`/`COLLABORATOR` associations. ### Renovate -Extends `marcusrbrown/renovate-config#4.5.8` + `sanity-io/renovate-config:semantic-commit-type`. Custom regex manager for `_VERSION` variables in mise config. Disabled for `@anthropic-ai/claude-code` and `opencode-ai` (new: opencode-ai updates disabled). Automerge for unstable minor/patch of `@cortexkit/aft-opencode`, `@cortexkit/opencode-magic-context`, `agent-browser`, and `opencode-anthropic-oauth`. Ignores `mergeConfidence` presets. `prCreation: immediate`, `rebaseWhen: behind-base-branch`. +Extends `marcusrbrown/renovate-config#5.2.0` + `sanity-io/renovate-config:semantic-commit-type`. Major version crossed the v4→v5 boundary documented in [[marcusrbrown--renovate-config]] (2026-05-13). Two custom managers: + +1. `_VERSION` regex manager for variables in mise config files (`(^|/)\.?mise\.toml$`, `(^|/)\.?mise/config\.toml$`). +2. **New**: pinned npm plugin version manager for `(^|/)\.config/opencode/opencode\.json$` and `tui\.json` — matches `"name@x.y.z"` patterns to surface OpenCode plugin updates. + +Package rules: + +- Patch updates enabled for `devcontainer`, `dockerfile`, `docker-compose`, `mise`. +- Devcontainer feature PRs get a custom commit topic and PR body columns (Package/Type/Update/Change/References) with rewritten links. +- Base image digest pinning disabled for `mcr.microsoft.com/devcontainers/base` (branch automerge, dashboard-approved). +- Renovate updates disabled for `@anthropic-ai/claude-code` and `opencode-ai` (manually managed). +- Automerge of unstable minor/patch (`v0.x`) updates for `@cortexkit/aft*`, `@cortexkit/*magic-context`, `fro-bot/agent`, `@franlol/opencode-md-table-formatter`, `agent-browser`, `ast-grep`, `opencode-copilot-delegate` — extends `bfra-me/renovate-config:automerge.json5#5.2.1`. 
+ +Settings: `prCreation: immediate`, `rebaseWhen: behind-base-branch`, ignores `mergeConfidence:age-confidence-badges` and `mergeConfidence:all-badges` presets. ### Probot Settings @@ -357,6 +434,18 @@ Extends `fro-bot/.github:common-settings.yaml`. Confirms membership in the Fro B ## Cross-References - Shares [[mise]] tooling and Renovate config patterns with [[marcusrbrown--ha-config]] +- Consumes [[marcusrbrown--systematic]] as `@fro.bot/systematic@2.23.4` via OpenCode plugin slot +- Consumes [[marcusrbrown--opencode-copilot-delegate]] as `opencode-copilot-delegate@0.12.0` — first dotfiles release pulling the sibling repo out of v0.1.0 scaffold +- Tracks [[marcusrbrown--renovate-config]] at v5.2.0 (v4→v5 boundary crossed) - Both repos extend `fro-bot/.github:common-settings.yaml` for Probot settings - Both repos use reusable workflows from `bfra-me/.github` - Dotfiles devcontainer features could be consumed by other repos via the published GHCR image + +## Survey History + +| Accessed | SHA | Highlights | +| ---------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 2026-04-18 | `2f2d1e6` | Initial survey: bare repo, devcontainer, agent v0.40.2, Renovate 4.5.8 | +| 2026-04-21 | `dbab7ad` | Incremental: tool version bumps | +| 2026-04-22 | `ae026c1` | OpenCode model routing overhaul (Anthropic → Copilot), magic-context 0.13.0, copilot-cli skill added | +| 2026-05-24 | `0bb24f0` | Agent v0.41.3 → v0.44.3, Renovate preset 4.5.8 → 5.2.0 (major boundary), `oh-my-opencode-slim` replaces `oh-my-openagent`, `opencode-copilot-delegate` consumed, custom OpenAI gpt-5.5 models declared, `gitleaks` added, `agent-browser` skill added, stale-report auto-close step | diff --git a/knowledge/wiki/repos/marcusrbrown--esphome-life.md b/knowledge/wiki/repos/marcusrbrown--esphome-life.md index f55f6d30f..94946e8be 100644 
--- a/knowledge/wiki/repos/marcusrbrown--esphome-life.md +++ b/knowledge/wiki/repos/marcusrbrown--esphome-life.md @@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/esphome.life" created: 2026-04-18 -updated: 2026-04-23 +updated: 2026-05-26 sources: - url: https://github.com/marcusrbrown/esphome.life sha: e398c2e1e3ef8c68717df26fd67a99b5c91410d7 @@ -10,10 +10,14 @@ sources: - url: https://github.com/marcusrbrown/esphome.life sha: e398c2e1e3ef8c68717df26fd67a99b5c91410d7 accessed: 2026-04-23 + - url: https://github.com/marcusrbrown/esphome.life + sha: fc5adc212a7a1556bdaa9a1b30d3cf8a9e8cc584 + accessed: 2026-05-26 tags: [esphome, iot, esp32, bluetooth-proxy, home-assistant, firmware, github-pages] aliases: [esphome-life, esphome.life] related: - marcusrbrown--ha-config + - marcusrbrown--renovate-config --- # marcusrbrown/esphome.life @@ -25,7 +29,7 @@ ESPHome device configuration repository for Marcus R. Brown's IoT devices. Forke - **Purpose:** ESPHome device firmware definitions, CI-built and deployed to GitHub Pages - **Default branch:** `main` - **Created:** 2022-11-09 -- **Last push:** 2026-03-12 +- **Last push:** 2026-05-25 - **Visibility:** Public - **License:** None specified - **Topics:** _(none set)_ 
@@ -85,12 +89,20 @@ Defines the full device configuration: The CI workflow has four jobs: 1. **Prepare** — Outputs the list of YAML files to build (currently only `olimex-bluetooth-proxy-1349f4.yaml`) and the repo name -2. **Build firmware** — Matrix build using `esphome/build-action@v7.1.0` with ESPHome 2025.12.7. Uploads build artifacts +2. **Build firmware** — Matrix build using `esphome/build-action@v7.2.0` with ESPHome 2025.12.7. Uploads build artifacts 3. **Build** — Gate job (depends on firmware build, reports completion) 4. **Publish** — Only on `marcusrbrown/esphome.life`. Downloads artifacts, creates a combined `manifest.json`, copies static site files, deploys to `gh-pages` branch using `JamesIves/github-pages-deploy-action@v4.8.0` Publish uses a GitHub App token (`APPLICATION_ID` / `APPLICATION_PRIVATE_KEY` secrets) and commits as `mrbro-bot[bot]`. +All actions are SHA-pinned with version comments. As of 2026-05-26: `actions/checkout@v5.0.1`, `esphome/build-action@v7.2.0`, `actions/upload-artifact@v5.0.0`, `actions/create-github-app-token@v2.2.2`, `actions/download-artifact@v6.0.0`. + +### Reusable Workflow Pins + +Both `renovate.yaml` and `update-repo-settings.yaml` delegate to `bfra-me/.github` reusable workflows at v4.16.20 (SHA `dc36669...`). + +**Footgun (2026-05-26 survey):** `update-repo-settings.yaml` calls `bfra-me/.github/.github/workflows/renovate.yaml@v4.16.20` — the same path used by the Renovate workflow, rather than a settings-specific reusable workflow. This looks like a copy-paste leak from when the workflow was last touched; on its face it means the daily settings-sync cron is running Renovate instead of a settings sync. Worth confirming against `bfra-me/.github` or filing as a follow-up issue. Documented here, not patched in this ingest. + ### Branch Protection Required status checks on `main`: `Prepare`, `Build`, `Publish`, `Renovate / Renovate`. Strict status checks enabled. Linear history enforced. Admin enforcement enabled. 
No required PR reviews. @@ -101,7 +113,7 @@ CI workflow uses concurrency group `${{ github.workflow }}-${{ github.event.numb ## Developer Tooling -- **Renovate:** Extends `marcusrbrown/renovate-config#4.5.1`. Custom package rule tracks ESPHome across Docker images (`ptr727/esphome-nonroot`, `esphome/esphome`, `ghcr.io/esphome/esphome`) with loose versioning and semantic commit types. Post-upgrade runs `npx prettier@3.8.1`. +- **Renovate:** Extends [[marcusrbrown--renovate-config]] at `#5.2.0` (crossed the v4 → v5 boundary on 2026-05-14, PR #349). Custom package rule tracks ESPHome across Docker images (`ptr727/esphome-nonroot`, `esphome/esphome`, `ghcr.io/esphome/esphome`) with loose versioning and semantic commit types. Post-upgrade runs `npx prettier@3.8.3`. - **Devcontainer:** Uses `docker.io/ptr727/esphome-nonroot:2025.12.7` with ESPHome dashboard, verbose logging, `America/Phoenix` timezone. Forwards port 6052 (ESPHome native API). VS Code extensions include ESPHome, PlatformIO, Python, YAML, EditorConfig, Markdown lint, serial monitor, and spell checker. File associations map `*.yaml`/`*.yml` to ESPHome language mode (with exceptions for workflow/settings files). - **Probot Settings:** Extends `fro-bot/.github:common-settings.yaml`. Overrides description and branch protection. - **EditorConfig:** UTF-8, LF, 2-space indent, 120-char max line, trailing whitespace trimming. 
@@ -118,7 +130,7 @@ The site content (`static/index.md`) is minimal — the upstream template placeh **No Fro Bot agent workflow detected.** The repository does not contain a `fro-bot.yaml` workflow. It does extend `fro-bot/.github:common-settings.yaml` via Probot settings, confirming it is part of the Fro Bot-managed ecosystem. -A follow-up draft PR should be proposed to add the Fro Bot agent workflow for automated PR review and triage. +A follow-up draft PR should be proposed to add the Fro Bot agent workflow for automated PR review and triage. This recommendation has been carried forward across four surveys (2026-04-18, 2026-04-21, 2026-04-23, 2026-05-26). ## Notable Patterns @@ -127,6 +139,7 @@ A follow-up draft PR should be proposed to add the Fro Bot agent workflow for au - **Template heritage:** The repo was generated from `esphome/esphome-project-template`. Template artifacts remain in `docs/readme.md` and `static/index.md` without customization. - **Ethernet-only devices:** All devices use ESP32-PoE-ISO with LAN8720 Ethernet — no Wi-Fi. This is notable for a Bluetooth Proxy setup where wired backhaul provides more reliable connectivity. - **Git submodule consumer:** This repo is referenced as a submodule from [[marcusrbrown--ha-config]] at the `esphome/` path, linking ESPHome device firmware to the Home Assistant configuration. +- **Renovate-only commit log:** Every commit since the prior content change (2026-03-12) has been a Renovate dependency bump. No human-authored changes to device configs, workflows, or static site in over two months. ## Survey History 
@@ -135,3 +148,4 @@ A follow-up draft PR should be proposed to add the Fro Bot agent workflow for au | 2026-04-18 | `83784bc` (ha-config survey, cross-reference) | Initial cross-reference from [[marcusrbrown--ha-config]] survey | | 2026-04-21 | `e398c2e` | Full survey; documented device configs, CI pipeline, devcontainer, Probot/Renovate settings | | 2026-04-23 | `e398c2e` | Re-survey; no content changes detected — repo unchanged since 2026-03-12 | +| 2026-05-26 | `fc5adc2` | Renovate preset crossed v4 → v5 boundary (`#5.2.0`); `bfra-me/.github` v4.4.0 → v4.16.20; `esphome/build-action` v7.1.0 → v7.2.0 plus action SHA refreshes; Prettier 3.8.1 → 3.8.3. Surfaced `update-repo-settings.yaml` reusable-workflow-path footgun (calls `renovate.yaml` instead of a settings workflow). Still no Fro Bot agent workflow. | diff --git a/knowledge/wiki/repos/marcusrbrown--extend-vscode.md b/knowledge/wiki/repos/marcusrbrown--extend-vscode.md index ecb7ed76e..dc43b4c40 100644 --- a/knowledge/wiki/repos/marcusrbrown--extend-vscode.md +++ b/knowledge/wiki/repos/marcusrbrown--extend-vscode.md @@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/extend-vscode" created: 2026-04-18 -updated: 2026-04-27 +updated: 2026-05-26 sources: - url: https://github.com/marcusrbrown/extend-vscode sha: a4dcbbb175828a60855053d778fd21903a3d73d6 @@ -28,10 +28,14 @@ sources: - url: https://github.com/marcusrbrown/extend-vscode sha: b457a34f032149b03dddaca99eacca14eac91367 accessed: 2026-04-27 + - url: https://github.com/marcusrbrown/extend-vscode + sha: 516a9eb442f97212f45d890e65fb7d7642566206 + accessed: 2026-05-26 tags: [vscode, vscode-extension, typescript, toolkit, tsup, vitest, semantic-release] aliases: [extend-vscode] related: - vscode-extensions + - marcusrbrown--renovate-config --- # marcusrbrown/extend-vscode 
@@ -43,12 +47,13 @@ Modular toolkit for building VS Code extensions. Provides typed abstractions for - **Purpose:** Reference extension + reusable toolkit for VS Code extension development - **Default branch:** `main` - **Created:** 2020-11-16 -- **Last push:** 2026-04-25 +- **Last push:** 2026-05-21 - **Version:** 0.1.0 (pre-release, semantic-release configured) - **License:** MIT - **Engine:** VS Code `^1.102.0` - **Topics:** `vscode`, `vscode-extension` - **Package manager:** pnpm 10.33.0 +- **Node target:** 24.16.0 (`.node-version`) ## Architecture @@ -138,7 +143,7 @@ Emergency rollback workflow supports per-platform rollback (all, npm-only, marke ## Dependency Management -- **Renovate:** Extends `marcusrbrown/renovate-config#4.5.0` + `sanity-io/renovate-config` presets (semantic commits, security, lock-file maintenance). Patch updates disabled except for TypeScript. Post-upgrade runs: `pnpm bootstrap`, `pnpm build`, `pnpm fix` (x2). +- **Renovate:** Extends `marcusrbrown/renovate-config#5.2.0` + `sanity-io/renovate-config` presets (semantic commits, security, lock-file maintenance). Crossed the v4 → v5 boundary on 2026-05-14 (PR #487). Patch updates disabled except for TypeScript. GitHub Actions grouped except `bfra-me/*`. Post-upgrade runs: `pnpm bootstrap`, `pnpm build`, `pnpm fix` (x2). See [[marcusrbrown--renovate-config]]. - **Probot Settings:** Extends `fro-bot/.github:common-settings.yaml` (part of Fro Bot-managed ecosystem). - **Authentication:** Renovate and settings workflows use `APPLICATION_ID` + `APPLICATION_PRIVATE_KEY` secrets (GitHub App via `bfra-me/.github` reusable workflows). 
@@ -259,3 +264,47 @@ Open issues (5): #142 (Uplift `vscode-bash`), #162 (Dependency Dashboard), #317 Confirmed full dependency snapshot: `@bfra.me/eslint-config` 0.51.0, `@bfra.me/tsconfig` 0.13.0, `@playwright/test` 1.59.0, `@types/vscode` 1.115.0, `eslint` 9.39.0, `eslint-config-prettier` 10.1.1, `prettier` 3.8.0, `typescript` 5.9.3, `typescript-eslint` 8.59.0, `vitest` 4.1.0, `@vitest/coverage-v8` 4.1.0, `@vitest/ui` 4.1.0, `@vscode/vsce` 3.9.0, `tsup` ^8.0.2, `tsx` 4.21.0, `semantic-release` 25.0.1, `semantic-release-vsce` 6.1.0, `vscode-ext-gen` 1.6.0, `jsdom` 27.4.0, `type-fest` 5.6.0, `jiti` 2.6.1, `ovsx` 0.10.5. Package manager: pnpm 10.33.0. VS Code engine: `^1.102.0`. Node target: 18 (tsup). Renovate extends `marcusrbrown/renovate-config#4.5.0` + `sanity-io/renovate-config`. Probot settings extend `fro-bot/.github:common-settings.yaml`. **Still no Fro Bot agent workflow** — follow-up PR recommendation carried forward. Six workflows present: `main.yaml`, `publish.yaml`, `rollback.yaml`, `renovate.yaml`, `cache-cleanup.yaml`, `update-repo-settings.yaml`. + +### 2026-05-26 (SHA `516a9eb4` from `b457a34f`) + +Repo broke its dormancy: 12 commits merged between 2026-04-29 and 2026-05-21, all Renovate dependency bumps. No structural, architectural, or workflow changes. + +**Most significant change: Renovate preset crossed the v4 → v5 boundary** (PR #487, 2026-05-14): `marcusrbrown/renovate-config#4.5.0` → `#5.2.0`. This aligns extend-vscode with [[marcusrbrown--renovate-config]]'s v5 line (the `group:allNonMajor` + 0.x ungrouping policy). Cross-reference accordingly. 
+ +Merged dependency changes since 2026-04-25: + +| PR | Date | Change | +| --- | --- | --- | +| #493 | 2026-05-21 | Node.js → v24.16.0 (`.node-version`) | +| #492 | 2026-05-18 | `eslint` → v10.4.0 | +| #491 | 2026-05-17 | `tsx` → v4.22.0 | +| #490 | 2026-05-15 | `@types/vscode` → v1.118.0 | +| #489 | 2026-05-14 | `@playwright/test` → v1.60.0 | +| #488 | 2026-05-14 | `tsup` pinned to 8.5.1 (from `^8.0.2` range) | +| #487 | 2026-05-14 | `marcusrbrown/renovate-config` → v5.2.0 (**major preset jump**) | +| #486 | 2026-05-09 | `jiti` → v2.7.0 | +| #485 | 2026-05-04 | `eslint` → v10.3.0 | +| #484 | 2026-05-02 | `eslint-plugin-no-only-tests` → v3.4.0 | +| #483 | 2026-05-01 | `@types/vscode` → v1.116.0 | +| #482 | 2026-04-30 | `jsdom` → v29.1.0 | +| #468 | 2026-04-30 | `eslint-plugin-node-dependencies` → v2 (major) | +| #467 | 2026-04-30 | `eslint` → v10 (major) | +| #469 | 2026-04-29 | `jsdom` → v29 (major) | + +Three of the four previously-pending majors closed: `eslint` v10, `eslint-plugin-node-dependencies` v2, `jsdom` v29. The remaining outstanding major is `typescript` v6 (#466) — still pending, now the sole holdout. + +Confirmed dependency snapshot at HEAD: + +- Runtime: pnpm 10.33.0, Node 24.16.0, VS Code engine `^1.102.0` +- Core: `typescript` 5.9.3, `tsup` 8.5.1 (now pinned, not ranged), `vitest` 4.1.0, `@vitest/coverage-v8` 4.1.0, `@vitest/ui` 4.1.0 +- Lint: `eslint` 10.4.0 (v10 line stabilized), `typescript-eslint` 8.59.0, `@bfra.me/eslint-config` 0.51.0, `eslint-plugin-node-dependencies` 2.2.0, `eslint-plugin-no-only-tests` 3.4.0, `prettier` 3.8.0 +- VS Code tooling: `@types/vscode` 1.118.0, `@vscode/vsce` 3.9.0, `@vscode/test-electron` 2.5.2, `@vscode/test-web` 0.0.67, `vscode-ext-gen` 1.6.0 +- Publishing: `semantic-release` 25.0.1, `semantic-release-vsce` 6.1.0, `ovsx` 0.10.5 +- Testing: `@playwright/test` 1.60.0, `jsdom` 29.1.0 +- Build helpers: `tsx` 4.22.0, `jiti` 2.7.0, `type-fest` 5.6.0 + +Repo metadata: 1 star, 1 watcher, not archived, not forked. 
Open issues: 5 (#142 Uplift `vscode-bash`, #162 Dependency Dashboard, #317–#319 Advanced Testing Infrastructure Phases 3–5). Open PRs: 1 (#466, `typescript` v6 — pending). + +**Footgun observation:** `tsup` was previously declared with a `^8.0.2` semver range while every other devDependency was pinned exactly. PR #488 corrected the drift to `8.5.1`. The repo now has a consistent pin-exact policy across all devDependencies — useful invariant to preserve if a future contributor adds a new devDep. + +**Still no Fro Bot agent workflow** — follow-up PR recommendation carried forward (now ~6 weeks open across surveys). Six workflows present, unchanged: `main.yaml`, `publish.yaml`, `rollback.yaml`, `renovate.yaml`, `cache-cleanup.yaml`, `update-repo-settings.yaml`. Probot settings still extend `fro-bot/.github:common-settings.yaml`; branch protection (`Renovate / Renovate`, `Run Checks`, linear history, admin enforcement) unchanged. diff --git a/knowledge/wiki/repos/marcusrbrown--github.md b/knowledge/wiki/repos/marcusrbrown--github.md index fe7600674..c336ea2f7 100644 --- a/knowledge/wiki/repos/marcusrbrown--github.md +++ b/knowledge/wiki/repos/marcusrbrown--github.md @@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/.github" created: 2025-06-18 -updated: 2026-04-27 +updated: 2026-05-25 sources: - url: https://github.com/marcusrbrown/.github sha: be01029971bc8b50fbd2b660fadc7341da26e03c @@ -28,6 +28,9 @@ sources: - url: https://github.com/marcusrbrown/.github sha: 3fb30a4 accessed: 2026-04-27 + - url: https://github.com/marcusrbrown/.github + sha: 0b780fdba1b5b0ae6280aaaf28f625e3db142278 + accessed: 2026-05-25 tags: [github, repository-settings, probot, community-health, prettier, renovate] aliases: [marcusrbrown-dotgithub] related: 
@@ -49,7 +52,7 @@ Marcus R. Brown's personal `.github` repository. Provides GitHub defaults, commu - **Purpose:** GitHub defaults and community health files for `marcusrbrown` repositories - **Default branch:** `main` - **Created:** 2020-10-30 -- **Last push:** 2026-04-27 +- **Last push:** 2026-05-25 - **Topics:** `github`, `repository`, `settings` - **License:** MIT - **Language:** None (YAML/Markdown only, no application code) @@ -63,10 +66,10 @@ Lean repo, 15 files total. No application code, no `package.json`, no TypeScript | --- | --- | | `common-settings.yaml` | **Canonical Probot Settings template** — extended by other Marcus repos via `_extends: .github:common-settings.yaml` | | `.github/settings.yml` | This repo's own Probot settings, self-extending `common-settings.yaml` | -| `.github/renovate.json5` | Renovate config (extends `marcusrbrown/renovate-config#4.5.8`) | +| `.github/renovate.json5` | Renovate config (extends `marcusrbrown/renovate-config#4.5.9`) | | `.github/workflows/main.yaml` | CI: Prettier check only | -| `.github/workflows/renovate.yaml` | Renovate runner (reusable from `bfra-me/.github@v4.16.8`) | -| `.github/workflows/update-repo-settings.yaml` | Probot settings sync (reusable from `bfra-me/.github@v4.16.8`) | +| `.github/workflows/renovate.yaml` | Renovate runner (reusable from `bfra-me/.github@v4.16.20`) | +| `.github/workflows/update-repo-settings.yaml` | Probot settings sync (reusable from `bfra-me/.github@v4.16.20`) | | `.prettierrc.yaml` | Prettier config | | `CODE_OF_CONDUCT.md` | Contributor Covenant v1.4 (contact: `git@mrbro.dev`) | | `FUNDING.yml` | GitHub Sponsors: `marcusrbrown` | 
@@ -165,12 +168,12 @@ Delegates fully to `bfra-me/.github` reusable workflow. Inputs: `log-level` (def ### Shared Workflows -Both `renovate.yaml` and `update-repo-settings.yaml` use reusable workflows from `bfra-me/.github` at SHA `4b85695b1ef6f57b52e29c92c027efeec65de2be` (v4.16.9). Authentication via `APPLICATION_ID` and `APPLICATION_PRIVATE_KEY` secrets (GitHub App credentials). +Both `renovate.yaml` and `update-repo-settings.yaml` use reusable workflows from `bfra-me/.github` at SHA `dc3666982ac0e6c3cd8bfd798ef41ba063b7e988` (v4.16.20, as of 2026-05-25). Authentication via `APPLICATION_ID` and `APPLICATION_PRIVATE_KEY` secrets (GitHub App credentials). ## Developer Tooling - **Prettier:** Config in `.prettierrc.yaml` — arrow parens `avoid`, no bracket spacing, `auto` EOL, 120 char width, no semicolons, single quotes, tab width 2. Overrides for `.vscode/*.json` and `.devcontainer/**/devcontainer*.json` (tab width 4) and `*.md` (double quotes). -- **Renovate:** Extends `marcusrbrown/renovate-config#4.5.8`. Post-upgrade runs `npx prettier@3.8.3 --no-color --write .`. PR creation set to `immediate`. Rebase when behind base branch. +- **Renovate:** Extends `marcusrbrown/renovate-config#4.5.9` (still v4.x — has _not_ joined the v4→v5 migration wave noted in [[marcusrbrown--renovate-config]]; listed among the holdouts there). Post-upgrade runs `npx prettier@3.8.3 --no-color --write .`. PR creation set to `immediate`. Rebase when behind base branch. ## Community Health Files 
@@ -183,11 +186,11 @@ As a `.github` repo, these files serve as **defaults** for all `marcusrbrown` re ## Fro Bot Integration -**No Fro Bot agent workflow detected.** The repository does not contain a `fro-bot.yaml` workflow or any Fro Bot-specific CI integration for automated PR review and triage. +**No Fro Bot agent workflow detected** (still absent as of 2026-05-25). The repository does not contain a `fro-bot.yaml` workflow or any Fro Bot-specific CI integration for automated PR review and triage. -`fro-bot` is listed as a collaborator with `push` permission in both `common-settings.yaml` (template) and `.github/settings.yml` (this repo). This confirms Fro Bot has write access but no active workflow to trigger its review capabilities. +`fro-bot` is listed as a collaborator with `push` permission in both `common-settings.yaml` (template) and `.github/settings.yml` (this repo). This confirms Fro Bot has write access but no active workflow to trigger its review capabilities. All recent PRs (#363–#375) have been Renovate dependency bumps authored by `mrbro-bot[bot]` and auto-merged — Fro Bot is not in the merge loop. -**Recommendation:** A follow-up draft PR should add the Fro Bot agent workflow for automated PR review and triage on this repository. +**Recommendation (still open):** A follow-up draft PR should add the Fro Bot agent workflow for automated PR review and triage on this repository. The single-file three-mode template established in [[marcusrbrown--marcusrbrown-github-io]] and [[marcusrbrown--renovate-config]] is the current canonical shape. ## Survey History 
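Review bot: in the Fro Bot Integration paragraph, the added sentence says Fro Bot "is not in the merge loop" while the unchanged text confirms `fro-bot` holds `push` permission in both `common-settings.yaml` and `.github/settings.yml`. The recommendation only covers adding a workflow. It should also record the unused write grant as an open item for this repo, so the page shows two ways to close the gap: add the workflow, or reduce the collaborator permission until one exists.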
@@ -201,6 +204,7 @@ As a `.github` repo, these files serve as **defaults** for all `marcusrbrown` re | 2026-04-25 | `4e4fd28` | Re-survey — no change since 2026-04-24; repo content identical at same SHA | | 2026-04-26 | `99906ef` | Renovate schedule trigger re-enabled at `15 */4 * * *` (every 4 hours at :15), replacing the commented-out hourly cron | | 2026-04-27 | `3fb30a4` | `bfra-me/.github` reusable workflows bumped v4.16.8 → v4.16.9 (SHA `4b85695b`) in both `renovate.yaml` and `update-repo-settings.yaml` | +| 2026-05-25 | `0b780fd` | Dependency-only churn since 2026-04-27. `bfra-me/.github` reusable workflows: v4.16.9 → v4.16.20 (11 patch bumps via PRs #363–#375, now pinned at SHA `dc366698`). `marcusrbrown/renovate-config` preset: v4.5.8 → v4.5.9 (PR #366, 2026-04-30). All other files identical: `common-settings.yaml` unchanged, workflows structurally identical, no new files. Still no Fro Bot workflow; Renovate cadence still `15 */4 * * *`. Renovate preset remains on v4.x (holdout from v5 wave). | ## Notable Patterns diff --git a/knowledge/wiki/repos/marcusrbrown--gpt.md b/knowledge/wiki/repos/marcusrbrown--gpt.md index 2c88b4d8b..12341df6c 100644 --- a/knowledge/wiki/repos/marcusrbrown--gpt.md +++ b/knowledge/wiki/repos/marcusrbrown--gpt.md @@ -2,8 +2,11 @@ type: repo title: "marcusrbrown/gpt" created: 2026-04-18 -updated: 2026-04-24 +updated: 2026-05-27 sources: + - url: https://github.com/marcusrbrown/gpt + sha: aac010356a3e0d7fd21a5883b98d0cdf6229ed60 + accessed: 2026-05-27 - url: https://github.com/marcusrbrown/gpt sha: 0bb8eedf6e23bfb5715d127763fd864ab7da72cd accessed: 2026-04-24 
@@ -26,29 +29,29 @@ Local-first, privacy-focused GPT creation and management platform. Mirrors core - **Purpose:** Create, customize, and interact with AI assistants locally - **Default branch:** `main` - **Created:** 2023-12-01 -- **Last push:** 2026-04-23 +- **Last push:** 2026-05-27 - **Homepage:** https://gpt.mrbro.dev (GitHub Pages) - **License:** MIT - **Topics:** `gpt`, `transformers`, `nlp`, `chatgpt`, `gpt-4` -- **Node.js:** 24.15.0 (`.tool-versions`) -- **Package manager:** pnpm 10.33.0 +- **Node.js:** 24.16.0 (`.tool-versions`) — bumped from 24.15.0 on 2026-05-19 (PR #2468) +- **Package manager:** pnpm 10.33.4 — bumped from 10.33.0 via PRs #2402, #2412 ## Tech Stack | Layer | Technology | Notes | | --- | --- | --- | | Framework | React 19.2.5, TypeScript 5.9.3 | Strict mode, `@/` import alias | -| Build | Vite 8.0.9, `@vitejs/plugin-react-swc` | `tsgo` (`@typescript/native-preview` 7.0.0-dev) for type-checking | -| Styling | TailwindCSS 4.2.2, HeroUI 2.8.10 | Semantic design tokens only, no hardcoded colors | +| Build | Vite 8.0.14, `@vitejs/plugin-react-swc` 4.3.1 | `tsgo` (`@typescript/native-preview` 7.0.0-dev.20260523.1) for type-checking | +| Styling | TailwindCSS 4.3.0, HeroUI 2.8.10 | Semantic design tokens only, no hardcoded colors | | Storage | IndexedDB via Dexie 4.4.2 | Local-first; no localStorage for structured data | | Security | Web Crypto API (AES-GCM, PBKDF2) | Client-side encryption for API keys | -| AI | LangChain 1.3.3, `@langchain/openai` 1.4.4, `@langchain/anthropic` 1.3.26, `@langchain/langgraph` 1.2.9 | Provider-abstracted via `BaseLLMProvider` | +| AI | LangChain 1.4.2, `@langchain/core` 1.1.48, `@langchain/openai` 1.4.7, `@langchain/anthropic` 1.4.0, `@langchain/langgraph` 1.3.2 | Provider-abstracted via `BaseLLMProvider` | | MCP | `@modelcontextprotocol/sdk` 1.29.0 | Tool integration via Model Context Protocol | | Editor | Monaco Editor (`@monaco-editor/react` 4.7.0) | In-app code/prompt editing | -| Routing | React Router DOM 
7.14.1 | Route-level lazy loading | -| Validation | Zod 4.3.6 | Zod-first: define schema, infer type | -| Testing | Vitest 4.1.4, Playwright 1.59.1, axe-core | Unit, E2E, accessibility, visual, performance | -| Linting | ESLint 10.2.1, `@bfra.me/eslint-config` 0.50.1, Prettier 3.8.3 | `@bfra.me/prettier-config/120-proof` (120-char lines) | +| Routing | React Router DOM 7.15.1 | Route-level lazy loading | +| Validation | Zod 4.4.3 | Zod-first: define schema, infer type | +| Testing | Vitest 4.1.7, `@vitest/eslint-plugin` 1.6.18, Playwright 1.60.0, axe-core | Unit, E2E, accessibility, visual, performance | +| Linting | ESLint 10.4.0, `@bfra.me/eslint-config` 0.50.1, Prettier 3.8.3 | `@bfra.me/prettier-config/120-proof` (120-char lines); `@bfra.me/tsconfig` 0.13.1 | ## Architecture @@ -126,9 +129,8 @@ Deno Jupyter notebooks in `notebooks/agents/`: | Workflow | File | Trigger | Purpose | | --- | --- | --- | --- | | Main | `main.yaml` | push/PR to `main`, dispatch | Lint + test + build + deploy | -| Fro Bot | `fro-bot.yaml` | PR, issues, comments, schedule, dispatch | AI PR review, triage, daily maintenance | -| Fro Bot Autoheal | `fro-bot-autoheal.yaml` | daily cron (03:30 UTC), dispatch | Automated repo healing (fix failing PRs, security, code quality) | -| Renovate | `renovate.yaml` | — | Dependency updates | +| Fro Bot | `fro-bot.yaml` | PR, issues, comments, schedule (03:30 + 15:30 UTC), dispatch | Three-mode single-file workflow: review / maintenance / autoheal | +| Renovate | `renovate.yaml` | — | Dependency updates (via `bfra-me/.github` reusable workflow) | | Update Repo Settings | `update-repo-settings.yaml` | push to `main`, schedule, dispatch | Probot settings sync | | Test Coverage | `test-coverage.yaml` | — | Coverage reporting | | Test Accessibility | `test-accessibility.yaml` | — | WCAG 2.1 AA audit | 
@@ -138,6 +140,8 @@ Deno Jupyter notebooks in `notebooks/agents/`: | Copilot Setup | `copilot-setup-steps.yaml` | — | GitHub Copilot coding agent bootstrap | | E2E Tests | `test-e2e.yaml.disabled` | — | E2E tests (currently disabled) | +**Note:** The prior `fro-bot-autoheal.yaml` has been folded into `fro-bot.yaml` as an `autoheal` mode (PR review → `pull_request`, maintenance/autoheal → cron). This matches the consolidated three-mode pattern adopted across the ecosystem. + ### Main CI Jobs The main workflow runs four jobs after a `Prepare` step: @@ -161,7 +165,7 @@ Vite build injects a CSP `` tag restricting: ## Developer Tooling -- **Renovate:** Extends `marcusrbrown/renovate-config#4.5.8`. Groups LangChain.js monorepo packages. Automerges unstable minor updates of `lucide-react` (monthly) and select LangChain/TailwindCSS packages. Post-upgrade runs bootstrap, fix, and build. +- **Renovate:** Extends `marcusrbrown/renovate-config#5.2.0` — **crossed the v4 → v5 boundary on 2026-05-13 (PR #2435)**. Groups LangChain.js monorepo packages. Automerges unstable minor updates of `lucide-react` (monthly) and select LangChain/TailwindCSS packages via `bfra-me/renovate-config:automerge.json5#5.2.1`. Post-upgrade runs bootstrap, fix, and build. `pnpm.overrides` pins `fast-uri>=3.1.2`, `langsmith>=0.6.0`, `path-to-regexp>=8.4.0`. - **Probot Settings:** Extends `fro-bot/.github:common-settings.yaml` for repository configuration sync. - **Git Hooks:** `simple-git-hooks` with `lint-staged` running ESLint with auto-fix on staged files. - **AGENTS.md hierarchy:** Root AGENTS.md plus directory-level guides in `src/`, `tests/`, `scripts/`, `notebooks/`, `docs/`, `.github/`, `RFCs/`, `.ai/`. Comprehensive conventions for AI-assisted development. 
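Review bot: in the Renovate bullet, "`pnpm.overrides` pins `fast-uri>=3.1.2`, `langsmith>=0.6.0`, `path-to-regexp>=8.4.0`" describes lower bounds as pins. A `>=` override sets a floor and still lets the resolver pick any later version, so "sets minimum versions" is the accurate wording, and each floor should carry the PR or advisory that motivated it, since the line gives none. The same bullet cites the base preset as `marcusrbrown/renovate-config#5.2.0` and the automerge preset as `bfra-me/renovate-config:automerge.json5#5.2.1`; please confirm the different owner and version are intended rather than a transcription slip.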
@@ -178,7 +182,7 @@ Vite build injects a CSP `` tag restricting: - Issue/discussion triage (triggered by `@fro-bot` mention from OWNER/MEMBER/COLLABORATOR) - Daily maintenance (15:30 UTC cron → rolling "Daily Maintenance Report" issue) - Manual dispatch with custom prompts - - Uses `fro-bot/agent@v0.41.4` + - Uses `fro-bot/agent@v0.45.0` (SHA `8aac0fc36437a6c871321fa3389033c8262504b7`) as of 2026-05-27 — bumped through v0.42.x → v0.43.x → v0.44.3 → v0.45.0 over the survey window 2. **`fro-bot-autoheal.yaml`** — Daily autohealing (03:30 UTC cron): - Fixes failing CI on open PRs @@ -188,7 +192,9 @@ Vite build injects a CSP `` tag restricting: - Quality gate verification (lint, test, build, accessibility, E2E) - Output: single "Daily Autohealing Report" issue -Both workflows use `fro-bot/agent@v0.41.4` (SHA `28bcadbf44a59f8d6d2544b5db0d9735d7ad2aca`) with `OPENCODE_AUTH_JSON`, `FRO_BOT_PAT`, `FRO_BOT_MODEL`, and `OMO_PROVIDERS` secrets/vars. +Both workflows use `fro-bot/agent@v0.45.0` (SHA `8aac0fc36437a6c871321fa3389033c8262504b7`) with `OPENCODE_AUTH_JSON`, `FRO_BOT_PAT`, `FRO_BOT_MODEL`, and `OMO_PROVIDERS` secrets/vars. + +**Note (2026-05-27 survey):** The two-workflow split observed in prior surveys has consolidated. `fro-bot.yaml` now handles all three modes (review / maintenance / autoheal) via a single `workflow_dispatch` `mode` input plus dual cron schedules (03:30 UTC autoheal, 15:30 UTC maintenance). The standalone `fro-bot-autoheal.yaml` is no longer present in the workflow directory — this aligns with the three-mode single-file pattern documented in [[marcusrbrown--marcusrbrown-github-io]] and other recent ecosystem updates. ## Conventions (from AGENTS.md) 
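Review bot: the updated sentence still begins "Both workflows use `fro-bot/agent@v0.45.0`", and list item 2 for `fro-bot-autoheal.yaml` is left as unchanged context, yet the note added directly below states that the standalone `fro-bot-autoheal.yaml` is no longer present. The section now contradicts itself. Suggest rewriting the sentence for a single workflow and folding item 2 into `fro-bot.yaml` as its `autoheal` mode, so the numbered list matches the workflow table changed earlier in this file.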
@@ -213,9 +219,10 @@ Both workflows use `fro-bot/agent@v0.41.4` (SHA `28bcadbf44a59f8d6d2544b5db0d973 ## Open Work Items -- **PR #2165** — HeroUI v2 → v3 migration (authored by `fro-bot`, open since before 2026-04-18) -- **PR #2320** — `eslint-plugin-react-hooks` v7.1.1 (Renovate, pending) -- **30 open issues** (as of 2026-04-24) +- **PR #2165** — HeroUI v2 → v3 migration (authored by `fro-bot`, still open as of 2026-05-27 — long-running) +- **PR #2320** — `fix(dev): update react monorepo` (Renovate, still pending) +- **PR #2440** — `@bfra.me/eslint-config` v0.51.1 (Renovate) +- **21 open issues** (down from 30 as of 2026-04-24) ## Survey History 
@@ -223,3 +230,4 @@ Both workflows use `fro-bot/agent@v0.41.4` (SHA `28bcadbf44a59f8d6d2544b5db0d973 | --- | --- | --- | | 2026-04-18 | `60bd62e` | Initial survey | | 2026-04-24 | `0bb8eed` | Dependency-only delta: `fro-bot/agent` v0.40.2→v0.41.4, `vite` 8.0.8→8.0.9, `@langchain/langgraph` 1.2.8→1.2.9, `eslint` 10.2.0→10.2.1, `uuid` v14 security patch, `@typescript/native-preview` 7.0.0-dev.20260419.1, `actions/setup-node` v6.4.0, `bfra-me/.github` v4.16.8. No structural or application code changes. | +| 2026-05-27 | `aac0103` | Five-week delta. **Renovate preset crossed v4 → v5.2.0 boundary (#2435, 2026-05-13).** `fro-bot/agent` advanced through 8 versions: v0.41.4 → v0.42.5/.6/.7/.8/.9/.10 → v0.43.0/.1/.3 → v0.44.3 → v0.45.0. Workflow consolidation: `fro-bot-autoheal.yaml` folded into `fro-bot.yaml` as `autoheal` mode (three-mode single-file pattern). Vite 8.0.9 → 8.0.14; LangChain monorepo bumps (`langchain` → 1.4.2, `@langchain/core` → 1.1.48, `@langchain/openai` → 1.4.7, `@langchain/anthropic` → 1.4.0, `@langchain/langgraph` → 1.3.2); TailwindCSS 4.2.2 → 4.3.0; React Router 7.14.1 → 7.15.1; Zod 4.3.6 → 4.4.3; Vitest 4.1.4 → 4.1.7; `@vitest/eslint-plugin` 1.6.18 newly added; ESLint 10.2.1 → 10.4.0; `@bfra.me/prettier-config` → 0.16.9; `@bfra.me/tsconfig` → 0.13.1; Node 24.15.0 → 24.16.0; pnpm 10.33.0 → 10.33.4; `@typescript/native-preview` advanced to 7.0.0-dev.20260523.1; `bfra-me/.github` updated through v4.16.12 → v4.16.19. No structural or application-code changes — exclusively dependency hygiene and workflow consolidation. | diff --git a/knowledge/wiki/repos/marcusrbrown--ha-config.md b/knowledge/wiki/repos/marcusrbrown--ha-config.md index 099cae206..4caf29059 100644 --- a/knowledge/wiki/repos/marcusrbrown--ha-config.md +++ b/knowledge/wiki/repos/marcusrbrown--ha-config.md 
@@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/ha-config" created: 2025-06-18 -updated: 2026-05-17 +updated: 2026-05-29 sources: - url: https://github.com/marcusrbrown/ha-config sha: 83784bc3a212c10cd358be4da9425e46aa6e90f0 @@ -16,6 +16,9 @@ sources: - url: https://github.com/marcusrbrown/ha-config sha: f80fbc124c0765b8685c3cd98fe3d8eff832e872 accessed: 2026-05-17 + - url: https://github.com/marcusrbrown/ha-config + sha: 33cca0534ca2b0dbbb7db4235912c1f225458beb + accessed: 2026-05-29 tags: [home-assistant, home-assistant-config, yaml, esphome, iot] aliases: [ha-config] related: @@ -35,8 +38,8 @@ Marcus R. Brown's [[home-assistant]] configuration repository. Public, version-c - **Purpose:** Version-controlled Home Assistant configuration - **Default branch:** `main` - **Created:** 2023-07-25 -- **Last push:** 2026-05-16 (`f80fbc1`) -- **HA version tracked:** 2025.6.3 (pinned in `.HA_VERSION`; unchanged since initial survey — a notable drift between code and the broader HA release cadence) +- **Last push:** 2026-05-28 (`33cca05`) +- **HA version tracked:** 2025.6.3 (pinned in `.HA_VERSION`; unchanged since initial survey — a notable drift between code and the broader HA release cadence, now ~11 months stale) - **Topics:** `home-assistant`, `home-assistant-config` - **Open issues:** 3 (#427 Dependency Dashboard, #766 asyncio-mqtt v0.16.2, #777 esphome v2026) - **Open PRs:** 0 
@@ -121,7 +124,7 @@ Required status checks on `main`: YAML Lint, Remark Lint, Prettier, Check Home A ### Shared Workflows -Both `renovate.yaml` and `update-repo-settings.yaml` reference reusable workflows from `bfra-me/.github`. As of 2026-05-17 both are pinned to **v4.16.17** (SHA `5cb8bc230d36f005cd2de807fe408b428a44c4d5`), up from v4.16.8 in the prior survey. Authentication uses `APPLICATION_ID` and `APPLICATION_PRIVATE_KEY` secrets (GitHub App). +Both `renovate.yaml` and `update-repo-settings.yaml` reference reusable workflows from `bfra-me/.github`. As of 2026-05-29 both are pinned to **v4.16.21** (SHA `165ed192e9969365ec079b36e3f42a443bb75647`), up from v4.16.17 in the prior survey — four patch bumps absorbed in eleven days (#781 v4.16.18 → #783 v4.16.19 → #785 v4.16.20 → #788 v4.16.21), all Renovate-authored. Authentication uses `APPLICATION_ID` and `APPLICATION_PRIVATE_KEY` secrets (GitHub App). ### Renovate Trigger Model 
@@ -145,10 +148,12 @@ This is the same event-driven Renovate pattern used in [[marcusrbrown--github]] ## Fro Bot Integration -**No Fro Bot workflow detected.** The repository does not contain a `fro-bot.yaml` workflow or any Fro Bot-specific CI integration. A follow-up draft PR should be proposed to add the Fro Bot agent workflow for automated PR review and triage. +**No Fro Bot workflow detected** (confirmed across four consecutive surveys: 2025-06, 2026-04 ×2, 2026-05). The repository does not contain a `fro-bot.yaml` workflow or any Fro Bot-specific CI integration. A follow-up draft PR should be proposed to add the Fro Bot agent workflow for automated PR review and triage. The persistence of this gap across nearly a year suggests it is not on the maintenance critical path — Marcus is treating ha-config as a Renovate-only autopilot repo, with no PR-review or triage agent needed since virtually all merges are bot-authored. The repo does reference `fro-bot/.github:common-settings.yaml` in its Probot settings, confirming it is part of the Fro Bot-managed ecosystem. +A separate write-author (`mrbro-bot[bot]`, GitHub ID 137683033) is co-authoring some recent Renovate commits (e.g. #790), which is the first observation of a non-fro-bot maintenance actor on this repository. Worth tracking whether `mrbro-bot` is a parallel automation identity or a stand-in for the personal account. + ## Notable Patterns - **Package-based architecture:** Domain concerns are isolated into `packages/` YAML files rather than a monolithic config. This is the recommended HA pattern for complex setups. 
@@ -166,3 +171,4 @@ The repo does reference `fro-bot/.github:common-settings.yaml` in its Probot set | 2026-04-18 | `54a6727` | Prettier 3.8.3, Renovate `#4.5.8`, bfra-me/.github v4.16.6, pre-commit-hooks v6.0.0 | | 2026-04-24 | `f7ec803` | pre-commit 4.6.0, bfra-me/.github v4.16.8, Renovate trigger model expanded (workflow_run, push to non-main) | | 2026-05-17 | `f80fbc1` | Renovate preset major bump `marcusrbrown/renovate-config#4.5.8 → #5.2.0` (PR #776), bfra-me/.github reusable workflows v4.16.8 → v4.16.17, open Renovate PRs queued for esphome v2026 (#777) and asyncio-mqtt v0.16.2 (#766). No package/custom-component additions; `.HA_VERSION` still 2025.6.3. | +| 2026-05-29 | `33cca05` | Pure Renovate churn since prior survey: bfra-me/.github v4.16.17 → v4.16.21 (four patch bumps in 11 days), `pipelinecomponents/remark-lint` digest pinned to `829aa31` (#790), esphome submodule digest advanced four times (#782, #784, #786, #787, #789). Co-author `mrbro-bot[bot]` appears on recent Renovate merges — first sighting of a non-fro-bot automation identity on this repo. Same 3 open issues, same 0 open PRs, same `.HA_VERSION` 2025.6.3, same 11 packages, same 10 custom components. No structural drift. Still no Fro Bot workflow. | diff --git a/knowledge/wiki/repos/marcusrbrown--infra.md b/knowledge/wiki/repos/marcusrbrown--infra.md index fe51c5fa7..75da29c87 100644 --- a/knowledge/wiki/repos/marcusrbrown--infra.md +++ b/knowledge/wiki/repos/marcusrbrown--infra.md @@ -2,8 +2,11 @@ type: repo title: "marcusrbrown/infra" created: 2026-04-18 -updated: 2026-04-27 +updated: 2026-05-27 sources: + - url: https://github.com/marcusrbrown/infra + sha: 2f9bafd6cdb03d9ed28ee336d99d5f7bf09a3dfb + accessed: 2026-05-27 - url: https://github.com/marcusrbrown/infra sha: 938fa7c5fb1d10e844a214048e7928afe3095b79 accessed: 2026-04-27 
@@ -19,28 +22,30 @@ sources: - url: https://github.com/marcusrbrown/infra sha: 20de04713bf01294217dee4d3b64d5d7cfb2426e accessed: 2026-04-18 -tags: [bun, deploy, github-actions, infra, keeweb, cliproxy, mcp, cli, typescript, conventions] +tags: [bun, deploy, github-actions, infra, keeweb, cliproxy, gateway, mcp, cli, typescript, conventions, discord] aliases: [infra] related: - marcusrbrown--ha-config - marcusrbrown--systematic + - fro-bot--agent --- # marcusrbrown/infra -Bun workspace monorepo for Marcus R. Brown's personal infrastructure. Hosts KeeWeb deploy automation, the CLIProxyAPI proxy (routes Fro Bot agents to Claude via the Claude Code OAuth subscription), and an operational CLI with MCP bridge. +Bun workspace monorepo for Marcus R. Brown's personal infrastructure. Hosts KeeWeb deploy automation, the CLIProxyAPI proxy (routes Fro Bot agents to Claude via the Claude Code OAuth subscription), the [[fro-bot--agent]] Discord gateway deployment, and an operational CLI with MCP bridge. ## Overview - **Purpose:** Deploy automation, operational CLI, and infrastructure tooling - **Default branch:** `main` - **Created:** 2026-04-03 -- **Last push:** 2026-04-27 +- **Last push:** 2026-05-26 - **Runtime:** Bun v1.0+ -- **Published package:** `@marcusrbrown/infra` v0.4.6 on npm -- **Open issues:** 5 (3 autohealing reports, 1 rate limit investigation, 1 Dependency Dashboard) -- **Open PRs:** 1 (#187 — Changesets version packages, by mrbro-bot) +- **Published package:** `@marcusrbrown/infra` v0.7.0 on npm +- **Open issues:** 38 (mostly tracked work + autohealing reports + Dependency Dashboard) +- **Open PRs:** 0 - **Topics:** `bun`, `deploy`, `github-actions`, `infra`, `keeweb` +- **License:** MIT ## Repository Structure 
@@ -52,10 +57,13 @@ Bun workspace monorepo with `apps/*` and `packages/*` workspaces. | --------------------- | ---------------------------------------------------------------------- | | `apps/keeweb/` | KeeWeb v1.18.7 static site deploy automation (`kw.igg.ms`) | | `apps/cliproxy/` | CLIProxyAPI Docker Compose stack behind Caddy (`cliproxy.fro.bot`) | +| `apps/gateway/` | Fro Bot Discord gateway + workspace runner + mitmproxy (`gateway.fro.bot`) | | `packages/cli/` | `@marcusrbrown/infra` CLI — health checks, deploy triggers, MCP bridge | +| `packages/shared/` | Shared TypeScript helpers for DigitalOcean droplet provisioning (private) | | `docs/brainstorms/` | Requirements and brainstorm documents | | `docs/plans/` | Implementation plans | | `docs/solutions/` | Compound learning docs (solved problems with YAML frontmatter) | +| `docs/runbooks/` | Operator day-2 procedures (e.g., Discord token lifecycle) | | `.agents/skills/` | Agent skill context packets (goke) | | `.opencode/commands/` | OpenCode slash commands | | `.changeset/` | Changesets config for versioning | 
@@ -78,6 +86,19 @@ Self-hosted [KeeWeb](https://keeweb.info) v1.18.7 password manager at `kw.igg.ms - Runs on a DigitalOcean droplet provisioned via `bun run --cwd apps/cliproxy provision` - Deploy uploads compose files and restarts the stack (idempotent, preserves runtime `config.yaml` unless `--force-config`) - Management API for runtime config, API key distribution, and login +- Multi-provider login support: Claude (default), OpenAI/Codex via device-code OAuth (added #303, 2026-05-24), OpenAI provider opt-in for `cliproxy setup --harness opencode` (#307, 2026-05-26) + +#### Fro Bot Gateway (`apps/gateway`) + +Fro Bot Discord client + workspace runner stack at `gateway.fro.bot`. Three-service Docker Compose deployment: gateway daemon, workspace executor, and mitmproxy egress filter. Upstream source is `fro-bot/agent`, pinned via `apps/gateway/upstream.json` (currently `v0.44.2`). No public HTTP surface — outbound to Discord and S3 only. Added in #264 (2026-05-18). + +- Provisioned on a dedicated DigitalOcean droplet (`s-1vcpu-2gb`, `nyc1`, tagged `gateway`) +- **Secret materialization via SSH stdin only** — never via argv. 7 required + 2 optional secret files written atomically under `/opt/gateway/deploy/secrets/`; compose maps each to `/run/secrets/` and exposes via `${NAME}_FILE` env vars +- **Checksum-after-success invariant:** `/opt/gateway/.secrets-checksum` is written only after compose up + Discord command registration both succeed. 
Mid-rotation failures leave the old checksum so the next deploy force-recreates containers +- **Registration poll:** ~90s budget against `GET /applications/{app_id}/guilds/{guild_id}/commands`; 429 honors `Retry-After` without counting against attempts; 401/403/404 abort with token-sanitized errors +- **mitmproxy CA** lives in the `mitmproxy-certs` named volume; backup/restore via `gateway backup --include-ca` / `gateway restore --input FILE --include-ca` (tarball must contain exactly `mitmproxy-ca-cert.pem` + `mitmproxy-ca.pem`) +- **Host hardening:** `validateGatewayHost` rejects `-`-prefixed values before any SSH invocation (SSH treats `-`-prefixed hostnames as flags, including `-oProxyCommand=`); host keys pinned in `.github/known_hosts` (commit `cf0500af`, 2026-05-19) +- **Deploy SSH multiplexing** via ControlMaster (#277, 2026-05-20) to amortize handshake cost across the multi-step deploy ### CLI (`packages/cli`) 
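Review bot: the opening paragraph of the new gateway section records the upstream pin only as a tag, "pinned via `apps/gateway/upstream.json` (currently `v0.44.2`)", whereas the other `fro-bot/agent` and `bfra-me/.github` references touched in this patch carry the commit SHA next to the version. Add the SHA from `upstream.json` here so a reader can tell which commit the droplet actually runs. The host-hardening bullet cites the host key pin as commit `cf0500af`; the survey row added at the end of this file cites `#272` for the same change, so pick one reference style or give both.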
@@ -96,6 +117,11 @@ Published as `@marcusrbrown/infra` on npm. Built with [goke](https://github.com/ | `infra cliproxy login` | OAuth authentication with Claude subscription (SSH + TTY) | | `infra cliproxy setup` | Interactive onboarding wizard for connecting a repo to CLIProxyAPI | | `infra cliproxy open` | Launch CLIProxyAPI terminal dashboard via SSH | +| `infra gateway status` | SSH + `docker compose ps` (NDJSON parsed, #278) — service states, healthchecks | +| `infra gateway deploy` | Trigger gateway deploy workflow (remote, default) or `--local` (requires `SSH_AUTH_SOCK`) | +| `infra gateway logs [--tail N]` | Stream `docker compose logs` for `gateway`/`workspace`/`mitmproxy`; `--allow-ci` required in headless contexts | +| `infra gateway backup --include-ca` | Pull mitmproxy CA tarball; local file created with mode 0600 via `O_EXCL\|O_CREAT` (no chmod race) | +| `infra gateway restore --input FILE --include-ca` | Validate tarball locally, upload to unguessable `mktemp` path, extract, restart, byte-equal confirm | | `infra mcp` | Start stdio MCP server exposing all CLI commands as tools | The MCP bridge (`infra mcp`) lets coding agents (Fro Bot, Copilot) call commands programmatically via the [Model Context Protocol](https://modelcontextprotocol.io). 
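Review bot: the `infra gateway backup --include-ca` row documents the 0600 creation mode but not what the file contains. The gateway section added above lists `mitmproxy-ca.pem` in the tarball, and in mitmproxy that file holds the CA certificate together with its private key, so the row should say the backup is key material and where it is allowed to be stored. The `infra gateway logs` row says `--allow-ci` is required in headless contexts without giving the reason; one clause explaining the guard would make the flag reviewable.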
@@ -107,9 +133,10 @@ The MCP bridge (`infra mcp`) lets coding agents (Fro Bot, Copilot) call commands | Workflow | File | Trigger | Purpose | | --- | --- | --- | --- | | CI | `ci.yaml` | PR to `main`, dispatch | Lint + type check + test (parallel jobs) | -| Deploy | `deploy.yaml` | Dispatch only | Thin orchestrator — calls both deploy-keeweb and deploy-cliproxy via `workflow_call` | +| Deploy | `deploy.yaml` | Dispatch only | Thin orchestrator — calls all per-app deploy workflows via `workflow_call` | | Deploy KeeWeb | `deploy-keeweb.yaml` | Push to `main`, dispatch, `workflow_call` | Build and deploy KeeWeb (path-filtered, `keeweb` environment) | | Deploy CLIProxy | `deploy-cliproxy.yaml` | Push to `main`, dispatch, `workflow_call` | Deploy CLIProxyAPI (path-filtered, `cliproxy` environment) | +| Deploy Gateway | `deploy-gateway.yaml` | Push to `main`, dispatch, `workflow_call` | Deploy Fro Bot gateway stack (path-filtered, `gateway` environment) | | Release | `release.yaml` | Push to `main`, dispatch | Version and publish `@marcusrbrown/infra` via Changesets | | Renovate | `renovate.yaml` | Schedule, issue/PR edits, post-deploy | Automated dependency updates | | Renovate Changesets | `renovate-changesets.yaml` | `pull_request_target` (Renovate PRs) | Auto-create changeset files for dependency updates | 
@@ -149,15 +176,16 @@ Required status checks on `main`: CI, Fro Bot, Lint, Type Check, `Renovate / Ren | Tool | Config | Notes | | --- | --- | --- | -| ESLint | `eslint.config.ts` via `@bfra.me/eslint-config` ^0.51.0 | Flat config; ignores `.agents/`, `.opencode/`, `docs/`, `dist/` | -| Prettier | `@bfra.me/prettier-config/120-proof` ^0.16.0 | 120-char line width | -| TypeScript | `tsconfig.json` via `@bfra.me/tsconfig` ^0.13.0 | Target ESNext, Bundler resolution, Bun types, noEmit | -| Git hooks | `simple-git-hooks` + `lint-staged` | `eslint --fix` on staged files | +| ESLint | `eslint.config.ts` via `@bfra.me/eslint-config` 0.51.1 | Flat config; ignores `.agents/`, `.opencode/`, `docs/`, `dist/` | +| Prettier | `@bfra.me/prettier-config/120-proof` ^0.16.0 (Prettier 3.8.3) | 120-char line width | +| TypeScript | `tsconfig.json` via `@bfra.me/tsconfig` 0.13.1 | Target ESNext, Bundler resolution, Bun types, noEmit | +| Git hooks | `simple-git-hooks` 2.13.1 + `lint-staged` 16.4.0 | `eslint --fix` on staged files | | CLI framework | `goke` ^6.8.0 + Zod ^4.3.6 | Space-separated subcommands | | Prompts | `@clack/prompts` ^1.2.0 | Scoped to `cliproxy setup` wizard | -| Changesets | `@changesets/cli` ^2.30.0 | Versioning for `@marcusrbrown/infra` CLI package | -| Renovate | Extends `marcusrbrown/renovate-config#4.5.8` | Post-upgrade: `bun install` + `bun run fix`. Docker source URLs for CLIProxyAPI and Caddy | +| Changesets | `@changesets/cli` 2.31.0 + `@svitejs/changesets-changelog-github-compact` | Versioning for `@marcusrbrown/infra` CLI package | +| Renovate | Extends `marcusrbrown/renovate-config#5.2.0` + `group:allNonMajor` | v4→v5 crossed 2026-05-17 (#242). Post-upgrade: `bun install --ignore-scripts` + `bun run fix`. Docker source URLs for CLIProxyAPI and Caddy. 
`bfra-me/.github` digest updates disabled | | Probot Settings | Extends `fro-bot/.github:common-settings.yaml` | Repository configuration sync | +| TypeScript runtime | TypeScript 6.0.3, ESLint 10.4.0 | Both crossed major boundaries in this survey window | ### Key Dependencies @@ -173,7 +201,7 @@ Required status checks on `main`: CI, Fro Bot, Lint, Type Check, `Renovate / Ren ## Fro Bot Integration -**Fro Bot workflow is present** (`fro-bot.yaml`). Uses `fro-bot/agent@v0.42.2` (SHA `94d8a156570d68d2461ab496b589e63bdcd6ba84`). The workflow includes: +**Fro Bot workflow is present** (`fro-bot.yaml`). Uses `fro-bot/agent@v0.44.3` (bumped from v0.42.2 through v0.43.x to v0.44.3 over 2026-05-17 → 2026-05-20). The workflow includes: - **PR review** with structured verdict format (PASS / CONDITIONAL / REJECT) and sections for blocking issues, non-blocking concerns, missing tests, and risk assessment - **Daily autohealing schedule** (03:30 UTC) with 8 operational categories: errored PRs, security, code quality, developer experience, deploy pipeline health, live site review (via `agent-browser`), cross-project intelligence, and **upstream modernization watch** (Sunday-only) @@ -206,6 +234,8 @@ The autohealing schedule monitors: **`cliproxy` environment:** `CLIPROXY_SSH_KEY`, `CLIPROXY_MANAGEMENT_KEY`, `CLIPROXY_DOMAIN` +**`gateway` environment:** `GATEWAY_SSH_KEY`, `DISCORD_TOKEN`, `DISCORD_APPLICATION_ID`, `DISCORD_GUILD_ID`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `S3_BUCKET`, `S3_REGION`, `GATEWAY_HOST`; optional: `S3_ENDPOINT`, `OBJECT_STORE_HOSTS`, `AWS_SESSION_TOKEN` + **Repository secrets:** `APPLICATION_ID`, `APPLICATION_PRIVATE_KEY`, `DIGITALOCEAN_ACCESS_TOKEN`, `FRO_BOT_PAT`, `NPM_TOKEN`, `OMO_PROVIDERS`, `OPENCODE_AUTH_JSON`, `OPENCODE_CONFIG` **Repository variables:** `FRO_BOT_MODEL` 
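Review bot: the added `gateway` environment line lists nine required names and three optional ones, while the gateway section added earlier in this file says "7 required + 2 optional secret files" are written under `/opt/gateway/deploy/secrets/`. The page never says which of the names become secret files on the droplet and which stay on the deploy side (`GATEWAY_SSH_KEY` and `GATEWAY_HOST` look like the latter). Mark that split in this line so the two counts can be reconciled.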
@@ -222,7 +252,11 @@ The autohealing schedule monitors: - **CI Node pin:** Workflows running `bun run lint` or `bunx tsc` must pin Node 24 via `actions/setup-node` (ESLint shebang uses system Node; ubuntu-latest ships Node 20 without ES2024 APIs). - **Lockfile:** `bun.lock` (text format) committed; `bun.lockb` (binary) is not used. - **Config safety:** `config/config.json` template has empty `dropboxSecret`; real value injected at build time. Never overwrite `config.yaml` on cliproxy server (runtime API keys live there). -- **Host keys:** Pinned in `.github/known_hosts`. Never use `ssh-keyscan`. +- **Host keys:** Pinned in `.github/known_hosts`. Never use `ssh-keyscan` in CI. Provisioning scripts may use it locally via the shared `pinHostKeys` helper in `packages/shared/server/droplet-helpers.ts`. +- **Gateway secrets:** Never pass gateway secret bytes via argv — `writeRemoteFile` pipes through SSH stdin only; `--body ` patterns are banned. +- **Gateway host validation:** Never skip `validateGatewayHost` — required before any SSH invocation against the gateway droplet. +- **CA rotation:** Never restart the gateway in-place to rotate the mitmproxy CA — workspaces lose trust in the egress proxy. Restore from backup instead. +- **`bundledDependencies`:** Banned (enforced). Bun's `.bun/` symlink layout creates `../../` paths that npm rejects with E415. ## Cross-Repository Patterns 
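Review bot: the Host keys bullet narrows "Never use `ssh-keyscan`" to "in CI" and permits it locally through `pinHostKeys`, but does not say how a scanned key is verified before it is committed to `.github/known_hosts`. A key fetched by `ssh-keyscan` is trust-on-first-use, so the convention should name the out-of-band check (for example comparing the fingerprint against the droplet console) or describe what `pinHostKeys` does to verify it. Without that, the local exception weakens the pinning the bullet is meant to protect.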
@@ -263,12 +297,22 @@ This approach avoids relying solely on human review or agent-driven linting for | Component | Image | Version | | --- | --- | --- | -| Caddy reverse proxy | `caddy:2.11.2-alpine` | Digest-pinned | -| CLIProxyAPI | `eceasy/cli-proxy-api:v6.9.39` | Digest-pinned | +| Caddy reverse proxy | `caddy:2.11.3-alpine` | Digest-pinned | +| CLIProxyAPI | `eceasy/cli-proxy-api:v6.10.9` | Digest-pinned | Both images are digest-pinned in `docker-compose.yaml`. Renovate manages digest rotations with changelog context sourced from upstream repositories (`router-for-me/CLIProxyAPI`, `caddyserver/caddy`). -The CLIProxyAPI container uses a Docker healthcheck (`wget --spider http://localhost:8317/healthz`) with 30s interval, 5s timeout, 3 retries, and 10s start period (switched from previous healthcheck method in #181, 2026-04-25). +The CLIProxyAPI container uses a Docker healthcheck (`wget --spider http://localhost:8317/healthz`) with 30s interval, 5s timeout, 3 retries, and 10s start period. + +### Fro Bot Gateway Stack + +| Component | Source | Notes | +| --- | --- | --- | +| Gateway daemon | `fro-bot/agent@v0.44.2` (pinned in `apps/gateway/upstream.json`) | Cloned + reset on the droplet each deploy | +| Workspace executor | Same source | Runs inside the same Compose stack | +| mitmproxy | Per upstream compose | Starts first; certificate in `mitmproxy-certs` named volume | + +Compose stack lives at `/opt/gateway/` on the droplet. Source materialization is `git clone || git fetch && git reset --hard && git clean -xfd` to the pinned SHA, isolated from `/opt/gateway/.secrets-checksum` so checksum survives `git clean -xfd`. ## Survey History 
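Review bot: The closing paragraph of the new Fro Bot Gateway Stack section puts both the Compose stack and `.secrets-checksum` under `/opt/gateway/`, then says the checkout is isolated from the checksum so it survives `git clean -xfd`, without naming the checkout directory. Name the clone path so the isolation claim can be checked. The table also shows `fro-bot/agent@v0.44.2` as the pin while the paragraph resets to "the pinned SHA"; say whether `apps/gateway/upstream.json` holds a tag or a commit SHA.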
@@ -279,3 +323,4 @@ The CLIProxyAPI container uses a Docker healthcheck (`wget --spider http://local | 2026-04-25 | `9306b9b` | No code changes; open issues 4→5 (new autohealing report #178) | | 2026-04-26 | `cd3bb16` | Fro Bot v0.41.4→v0.42.1, new category 8 (Upstream Modernization Watch, #182), CLIProxy healthcheck switched to `/healthz` (#181), CLI v0.4.6, CLIProxyAPI v6.9.38 | | 2026-04-27 | `938fa7c` | Fro Bot v0.42.1→v0.42.2 (#185), CLIProxyAPI v6.9.38→v6.9.39 (#186), bfra-me/.github v4.16.8→v4.16.9 (#188). Open issues 4→5, 1 open PR (version packages #187) | +| 2026-05-27 | `2f9bafd` | **Major expansion.** New `apps/gateway/` (Fro Bot Discord stack at `gateway.fro.bot`, #264, 2026-05-18); new `packages/shared/` for droplet provisioning helpers (#290). 12 workflows (added `deploy-gateway.yaml`). Fro Bot agent v0.42.2 → v0.44.3 (multiple bumps). Renovate preset bumped major v4→v5 (#242, `marcusrbrown/renovate-config#5.2.0`) with `group:allNonMajor`. TypeScript 6.0.3, ESLint 10.4.0, `@bfra.me/eslint-config` 0.51.1. CLI v0.4.6 → v0.7.0; MCP fidelity refactor for status-only commands (#296). CLIProxy: OpenAI/Codex device-code OAuth login (#303), OpenAI provider opt-in for `cliproxy setup --harness opencode` (#307); CLIProxyAPI v6.10.9, Caddy 2.11.3-alpine. Gateway hardening: ControlMaster multiplexing (#277), pinned droplet host keys (#272), checksum-after-success secret rotation. Discord token-lifecycle runbook (#284). Open issues 5→38, 0 open PRs. | diff --git a/knowledge/wiki/repos/marcusrbrown--marcusrbrown-github-io.md b/knowledge/wiki/repos/marcusrbrown--marcusrbrown-github-io.md index 069218d1f..afc98d517 100644 --- a/knowledge/wiki/repos/marcusrbrown--marcusrbrown-github-io.md +++ b/knowledge/wiki/repos/marcusrbrown--marcusrbrown-github-io.md 
@@ -2,11 +2,20 @@ type: repo title: "marcusrbrown/marcusrbrown.github.io" created: 2026-04-25 -updated: 2026-04-25 +updated: 2026-05-20 sources: - url: https://github.com/marcusrbrown/marcusrbrown.github.io sha: ec4b7854bee556aadd301950392268f70817d800 accessed: 2026-04-25 + - url: https://github.com/marcusrbrown/marcusrbrown.github.io + sha: 4cd8198991618f216b940b6a6c13e1a09fd7979d + accessed: 2026-05-18 + - url: https://github.com/marcusrbrown/marcusrbrown.github.io + sha: 4cd8198991618f216b940b6a6c13e1a09fd7979d + accessed: 2026-05-19 + - url: https://github.com/marcusrbrown/marcusrbrown.github.io + sha: 4cd8198991618f216b940b6a6c13e1a09fd7979d + accessed: 2026-05-20 tags: [brand-site, react, typescript, vite, github-pages, pnpm, single-page] aliases: [marcusrbrown-github-io, marcusrbrown.com] related: @@ -23,12 +32,12 @@ Personal brand site for Marcus R. Brown. Single-page React 19 portfolio deployed - **Purpose:** Personal brand site / landing page - **Default branch:** `main` - **Created:** 2025-07-18 -- **Last push:** 2026-04-22 +- **Last push:** 2026-05-18 - **Homepage:** https://marcusrbrown.com - **License:** MIT (declared in package.json and README badge; no LICENSE file detected via API) - **Visibility:** Public - **Stars:** 0 | **Watchers:** 0 -- **Open issues:** 2 (#260 Daily Maintenance Report, #6 Dependency Dashboard) +- **Open issues (2026-05-18):** 4 — #411 (test branch coverage <80%), #409 (Daily Autohealing Report, perpetual), #260 (Daily Maintenance Report, perpetual), #6 (Dependency Dashboard) - **Open PRs:** 0 ## Tech Stack 
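Review bot: The overview hunk leaves `Open PRs: 0` unchanged and dates the issue count at 2026-05-18, while the frontmatter sets `updated: 2026-05-20` and the 2026-05-20 Survey History row added later in this file records 1 open PR (#417). Bring the overview to the same date as `updated`. The three new `sources` entries share one URL and SHA and differ only in `accessed`; one entry with the latest date carries the same information.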
@@ -97,15 +106,16 @@ Sequential: checkout, setup, lint, build, upload pages artifact (`./dist`), depl ## Fro Bot Integration -**Fro Bot workflow is present and active** (`fro-bot/agent@v0.41.4`, SHA `28bcadbf`). +**Fro Bot workflow is present and active** (`fro-bot/agent@v0.44.0`, SHA `b030b53b1b47b1bed77a581222706c900cc63b0e`, as of 2026-05-18 survey). -- **Triggers:** PR events (opened, synchronize, ready_for_review, reopened, review_requested), issue/comment events (`@fro-bot` mention from OWNER/MEMBER/COLLABORATOR), daily schedule (15:30 UTC), manual dispatch +- **Triggers:** PR events (opened, synchronize, ready_for_review, reopened, review_requested), issue/comment events (`@fro-bot` mention from OWNER/MEMBER/COLLABORATOR), two daily crons (autoheal at 03:30 UTC, maintenance at 15:30 UTC), manual dispatch with `mode` input. +- **Single-file three-mode design:** Unlike [[marcusrbrown--mrbro-dev]] and [[marcusrbrown--vbs]] (which split `fro-bot.yaml` + `fro-bot-autoheal.yaml`), this repo runs review, maintenance, and autoheal modes from one workflow file dispatched by event + `inputs.mode`. Cron schedule disambiguated via `AUTOHEAL_CRON` / `MAINTENANCE_CRON` env vars. - **PR review prompt:** Structured review targeting React 19 patterns, TypeScript strictness, pure ESM, accessibility (WCAG 2.1 AA), performance budgets (JS <500KB warning, total <2MB max), PascalCase hooks, `.yaml` extension convention. Verdict format: PASS / CONDITIONAL / REJECT with blocking/non-blocking/missing tests/risk sections. -- **Schedule prompt:** Daily "Daily Maintenance Report" rolling issue with 14-day window, stale issue/PR detection, security alerts, recommended actions. -- **Fork PR guard:** Skips bot-authored and fork PRs. Issue_comment fork detection via API call. -- **Concurrency:** Per-issue/PR, non-cancelling. - -**No Fro Bot autoheal workflow detected** — unlike [[marcusrbrown--mrbro-dev]], [[marcusrbrown--vbs]], and other repos that have `fro-bot-autoheal.yaml`. 
A follow-up to add autohealing may be warranted. +- **Maintenance prompt:** Perpetual single-issue hygiene model with archive logic and cross-project intelligence ingestion (post-2026-05-14 redesign). +- **Autoheal prompt (8 categories):** Errored PRs, Security, Code Quality & Repo Hygiene, Developer Experience, Production Site Review, Quality Gates Verification, Cross-Project Intelligence (Inbound), Upstream Modernization Watch (Sundays UTC only). Sunday detection uses a step output rather than `GITHUB_ENV` (Copilot review feedback, PR #407). Playwright browsers conditionally installed when `mode == autoheal`. +- **Fork PR guard:** Skips bot-authored and fork PRs. Issue_comment fork detection via API call. Whitespace-only `prompt` inputs rejected in review mode (PR #407 hardening). +- **Permissions:** Moved to job level and expanded for autoheal write operations. +- **Concurrency:** Per-issue/PR for events; per-schedule (`ops-{cron}`) for scheduled runs; per-mode for dispatched runs. Non-cancelling. ## Developer Tooling 
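Review bot: The new Permissions bullet in Fro Bot Integration says only "Moved to job level and expanded for autoheal write operations", which omits the detail a reader needs to assess the change. List the scopes the job now requests, and say whether runs triggered by `pull_request` or comment events in review mode receive the same write scopes as autoheal, since all three modes share one workflow file.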
@@ -130,10 +140,12 @@ Sequential: checkout, setup, lint, build, upload pages artifact (`./dist`), depl ## Missing Compared to Other Marcus Repos -- **No Probot `settings.yml`:** Unlike [[marcusrbrown--mrbro-dev]], [[marcusrbrown--ha-config]], and most other Marcus repos, this repo does not have a `.github/settings.yml` extending `fro-bot/.github:common-settings.yaml`. Branch protection and repo settings are not managed via Probot. -- **No autoheal workflow:** No `fro-bot-autoheal.yaml` for automated CI repair, security sweeps, or convention enforcement. -- **No CodeQL/Scorecard:** No security scanning workflows (present in [[marcusrbrown--systematic]] and [[marcusrbrown--mrbro-dev]]). -- **No performance workflow:** No Lighthouse CI or dedicated performance monitoring (present in [[marcusrbrown--mrbro-dev]]). +_Updated 2026-05-18: two gaps closed, two remain._ + +- **No Probot `settings.yml`:** Still true. Unlike [[marcusrbrown--mrbro-dev]], [[marcusrbrown--ha-config]], and most other Marcus repos, this repo does not have a `.github/settings.yml` extending `fro-bot/.github:common-settings.yaml`. Branch protection and repo settings are not managed via Probot. +- **No CodeQL/Scorecard:** Still true. No security scanning workflows (present in [[marcusrbrown--systematic]] and [[marcusrbrown--mrbro-dev]]). +- ~~No autoheal workflow~~ — **Closed 2026-05-14 (PR #407).** Autoheal integrated as a mode in `fro-bot.yaml` with 8 healing categories rather than as a separate `fro-bot-autoheal.yaml` file. Architecturally distinct from the sibling-repo pattern. +- ~~No performance workflow~~ — **Partially closed.** `lhci.config.js` is now present at the repo root, but no dedicated Lighthouse CI workflow has been added. Likely invoked from the CI quality gate or the autoheal "Production Site Review" / "Quality Gates Verification" categories. ## Relationship to mrbro.dev 
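Review bot: The `lhci.config.js` bullet ends with "Likely invoked from the CI quality gate or the autoheal ... categories", which records a guess as a finding. Check the workflow files and `package.json` scripts for an `lhci` invocation and state the result, or mark the item unverified. The two struck-through bullets are also repeated almost verbatim in the Implications section added further down in this file, so keep one copy.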
@@ -147,20 +159,60 @@ This repo and [[marcusrbrown--mrbro-dev]] both deploy React+Vite sites to GitHub | Theme system | None | 10+ presets, custom creator, JSON schema validation | | Content source | Static | GitHub API (dynamic blog/projects) | | Test layers | Unit + E2E + A11y | Unit + E2E + Visual regression + A11y + Lighthouse | -| Autoheal | Not present | Present (5-category daily) | -| Fro Bot agent version | v0.41.4 | v0.38.0 (older) | +| Autoheal | Integrated as mode in `fro-bot.yaml` (8 categories) | Separate `fro-bot-autoheal.yaml` (5 categories) | +| Fro Bot agent version | v0.44.0 (2026-05-18) | v0.38.0 at last survey (likely behind) | ## Recent Activity -Latest commits are exclusively Renovate dependency bumps: -- `ec4b785` 2026-04-22: update all non-major dependencies (#389) -- `1440a71` 2026-04-21: update pnpm/action-setup action to v6 (#382) -- `da2cded` 2026-04-20: maintain lockfiles (#388) -- `12ac462` 2026-04-20: update actions/setup-node action to v6.4.0 (#387) -- `f5176f6` 2026-04-19: update all non-major dependencies (#386) +Most recent commits (2026-05-18 survey): + +- `4cd8198` 2026-05-18: update all non-major dependencies (#416) +- `84e75e3` 2026-05-17: update fro-bot/agent to v0.43.3 (#415) +- `c1f83ee` 2026-05-17: update fro-bot/agent to v0.43.2 (#414) +- `6251d36` 2026-05-16: update marcusrbrown/renovate-config preset to v5 (#406) — required restoring `fast-uri >=3.1.2` security override mid-PR +- `af8b935` 2026-05-16: update bfra-me/.github to v4.16.17 (#413) +- `ba3527f` 2026-05-16: add analyze-build npm script (#410) +- `ae8357d` 2026-05-15: update fro-bot/agent to v0.43.1 (#412) +- `8a51a36` 2026-05-14: **integrate autoheal into Fro Bot workflow (#407)** — material architecture change +- `4fe6ea7` 2026-05-14: update all non-major dependencies (#405) +- `fa990fa` 2026-05-14: override fast-uri to >=3.1.2 (#408) +- `d2ea552` 2026-05-08: update pnpm to v10.33.3 (#404) +- `48746f3` 2026-05-04: update fro-bot/agent to v0.42.7 (#402) +- 
`6d3cbd7` 2026-05-03: update fro-bot/agent to v0.42.6 (#400) + +Earlier window (2026-04-25 survey baseline): `ec4b785` and prior were exclusively Renovate dependency bumps (#386–#389). + +## Delta Log (2026-05-18, SHA `4cd8198`) + +Material changes since the 2026-04-25 survey at `ec4b785`. The site's structure and tech stack are unchanged; the interesting motion is in CI/CD and the Fro Bot integration. + +- **Fro Bot agent bumped four times in three weeks:** v0.41.4 → v0.42.6 (PR #400) → v0.42.7 (#402) → v0.43.0 (#407) → v0.43.1 (#412) → v0.43.2 (#414) → v0.43.3 (#415) → **v0.44.0** (current on `main`, pinned via SHA `b030b53b1b47b1bed77a581222706c900cc63b0e`). PR #417 is in flight to v0.44.1 (open as of 2026-05-20). Tracks the agent release cadence aggressively — same posture as [[marcusrbrown--mrbro-dev]] and [[marcusrbrown--gpt]]. +- **Autoheal collapsed into the Fro Bot workflow itself (PR #407, 2026-05-14):** The earlier "no autoheal" gap noted in the prior survey was closed by integrating autoheal as a second cron (`30 3 * * *`) and a `workflow_dispatch` `mode` input (`review` / `maintenance` / `autoheal`, default `autoheal`) inside the existing `fro-bot.yaml` — not by adding a separate `fro-bot-autoheal.yaml` like the sibling repos. One file, three modes, branched by event + input. +- **Autoheal prompt has 8 categories** (vs. 5 in [[marcusrbrown--vbs]] and [[marcusrbrown--mrbro-dev]]): 1) Errored PRs, 2) Security, 3) Code Quality & Repo Hygiene, 4) Developer Experience, 5) Production Site Review, 6) Quality Gates Verification, 7) Cross-Project Intelligence (Inbound), 8) Upstream Modernization Watch (Sundays UTC only — `IS_SUNDAY_UTC` propagated via step output, not `GITHUB_ENV`). +- **Maintenance prompt now perpetual-single-issue:** Rolling 14-day window collapsed into a perpetual maintenance issue with archive logic and cross-project intelligence ingestion. 
+- **Renovate preset jumped major version:** `marcusrbrown/renovate-config#4.5.8` → `#5.2.0` (PR #406, 2026-05-16). Same upgrade inadvertently dropped the `fast-uri` security override, which would have flagged GHSA-q3j6-qgpj-74h6 and GHSA-v39h-62p7-jpjc — the override was restored in the same PR (and again hardened in #408). `package.json` now carries an explicit `pnpm.overrides.fast-uri: ">=3.1.2"` and `flatted: ">=3.4.2"`. Worth tracking — the v5 preset has different defaults that need vetting per repo. +- **`bfra-me/.github` reusable workflows:** v4.16.8 → v4.16.12 (#401) → v4.16.17 (#413). +- **New file: `lhci.config.js` (3326 bytes)** at root. Lighthouse CI configuration is now present, closing the "no performance workflow" gap noted in the prior survey — though no Lighthouse workflow file was added; the config likely runs from the CI quality gate or the autoheal "Production Site Review" category. +- **New file: `TESTING.md` (15440 bytes)** at root. Dedicated testing documentation, separate from AGENTS.md. +- **New script: `analyze-build`** in `package.json` (PR #410) — `tsx scripts/analyze-build.ts`. Bundle-analysis tooling, consistent with the "Performance budget adherence" line in the PR review prompt. +- **Dependency bumps:** pnpm `10.33.0` → `10.33.4` (#404), `@types/node` to `^24.0.0`, all other non-major bumps grouped via Renovate. +- **Open issues:** 2 → 4 (added `#409` Daily Autohealing Report and `#411` test branch coverage below 80% — the autoheal is doing its job). +- **PR #410** confirms `fro-bot` (account `80104189`) co-authored a security-fix commit alongside the bot account — first observed instance of Fro Bot directly committing to this repo. + +### Implications + +The earlier survey's "Missing Compared to Other Marcus Repos" section is partially obsolete: + +- ~~No autoheal workflow~~ → **integrated into `fro-bot.yaml`** as a mode, not a separate file. Architecturally distinct from the sibling-repo pattern. 
+- ~~No performance workflow~~ → **`lhci.config.js` present**, no dedicated workflow yet. +- **No Probot `settings.yml`** — still true, branch protection remains unmanaged via Probot. +- **No CodeQL/Scorecard** — still true. ## Survey History | Date | SHA | Notes | | --- | --- | --- | | 2026-04-25 | `ec4b785` | Initial survey | +| 2026-05-18 | `4cd8198` | Delta: agent v0.41.4 → v0.44.0, autoheal integrated as workflow mode (PR #407), Renovate preset v4 → v5 (PR #406, fast-uri override regression+fix), `lhci.config.js` and `TESTING.md` added | +| 2026-05-19 | `4cd8198` | No-op re-survey: HEAD unchanged since 2026-05-18. Open issues steady at 4 (#411, #409, #260, #6), 0 open PRs. Fro Bot agent pin verified at `b030b53b...` (v0.44.0). All prior findings hold. | +| 2026-05-20 | `4cd8198` | No-op re-survey: HEAD still unchanged. Renovate PR #417 (fro-bot/agent v0.44.0 → v0.44.1, branch `renovate/all-minor-patch`) is open and will likely merge under `:automergePatch`. Open issues steady at 4 (#411, #409, #260, #6); open PRs now 1 (#417). `package.json` confirms `packageManager: pnpm@10.33.4`, `@types/node ^24.0.0`, React 19 / TypeScript ^6.0.0 / Vite ^7.0.6 / Vitest ^4.0.0 stack unchanged. No structural drift since 2026-05-18. | diff --git a/knowledge/wiki/repos/marcusrbrown--marcusrbrown.md b/knowledge/wiki/repos/marcusrbrown--marcusrbrown.md index f3106e471..a11265c04 100644 --- a/knowledge/wiki/repos/marcusrbrown--marcusrbrown.md +++ b/knowledge/wiki/repos/marcusrbrown--marcusrbrown.md @@ -2,8 +2,11 @@ type: repo title: "marcusrbrown/marcusrbrown" created: 2026-04-18 -updated: 2026-04-24 +updated: 2026-05-18 sources: + - url: https://github.com/marcusrbrown/marcusrbrown + sha: de594cdd416b60d92caba6684492659620a22439 + accessed: 2026-05-18 - url: https://github.com/marcusrbrown/marcusrbrown sha: af78e68d510b24152531f7fdafe9bff35a58f071 accessed: 2026-04-24 
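Review bot: The Delta Log in `marcusrbrown--marcusrbrown-github-io.md` disagrees with the Recent Activity list added in the same hunk in three places. The first bullet says the agent was "bumped four times", but the chain it lists has seven steps from v0.41.4 to v0.44.0. The Dependency bumps bullet attributes pnpm `10.33.4` to #404, while Recent Activity records #404 as "update pnpm to v10.33.3". The last bullet cites PR #410 for a co-authored security-fix commit, while Recent Activity lists #410 as "add analyze-build npm script" and #408 as the `fast-uri` override. Correct the count and the PR references.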
@@ -28,7 +31,7 @@ Marcus R. Brown's GitHub profile README repository. A TypeScript-powered automat - **Default branch:** `main` - **Language:** TypeScript - **Created:** 2020-12-09 -- **Last push:** 2026-03-12 +- **Last push:** 2026-05-18 - **License:** MIT - **Topics:** `github`, `readme-profile`, `profile-readme`, `awesome-readme`, `typescript`, `markdown` - **Collaborators:** `marcusrbrown` (admin), `fro-bot` (push) @@ -177,6 +180,27 @@ The repo does reference `fro-bot/.github:common-settings.yaml` in its Probot set ## Version Comparison (vs. Ecosystem) +### 2026-05-18 snapshot (post-thaw) + +| Dependency | This Repo | Ecosystem Latest | Delta vs 2026-04-24 | +| --- | --- | --- | --- | +| `marcusrbrown/renovate-config` | `#5.2.0` | `#5.2.0` | `#4.5.1` → `#5.2.0` (major bump; preset regex fixed) | +| `bfra-me/.github` | v4.16.18 | v4.16.18 | v4.4.0 → v4.16.18 | +| `pnpm` | 10.33.4 | 10.33.4 | 10.31.0 → 10.33.4 | +| `Prettier` | 3.8.3 | 3.8.3 | 3.8.1 → 3.8.3 | +| `@bfra.me/prettier-config` | 0.16.9 | 0.16.9 | (newly pinned) | +| `@bfra.me/tsconfig` | 0.13.1 | 0.13.1 | (newly pinned) | +| `@bfra.me/eslint-config` | 0.50.1 | ≥0.51.0 | unchanged — still trailing | +| `Node.js` | 24.15.0 | 24.15.0 | 24.14.0 → 24.15.0 | +| `vitest` / `@vitest/ui` | 4.1.6 | 4.1.6 | 4.0.18 → 4.1.6 | +| `tsx` | 4.22.0 | 4.22.0 | 4.20.3 → 4.22.0 | +| `jiti` | 2.7.0 (`<2.8.0`) | 2.x | 2.6.1 → 2.7.0 | +| `@types/node` | 24.12.4 | 24.12.4 | (newly pinned) | +| `lint-staged` | 16.4.0 | 16.4.0 | unchanged | +| `simple-git-hooks` | 2.13.1 | 2.13.1 | unchanged | + +### 2026-04-24 snapshot (pre-thaw, retained for history) + | Dependency | This Repo | Ecosystem Latest | | --- | --- | --- | | `marcusrbrown/renovate-config` | `#4.5.1` | `#4.5.8` | 
@@ -186,9 +210,38 @@ The repo does reference `fro-bot/.github:common-settings.yaml` in its Probot set | `@bfra.me/eslint-config` | 0.50.1 | ≥0.51.0 | | `Node.js` | 24.14.0 | 24.15.0 | +## 2026-05-18 Update: Renovate Thaw + +The Renovate stall documented on 2026-04-24 has cleared. Issue #895 closed 2026-05-14T06:25:44Z. Marcus shipped #897 (`ci(renovate): update marcusrbrown/renovate-config preset to 5.2.0`) at 2026-05-14T06:20:01Z, which fixed the malformed RE2 regex in the preset chain. Within the same hour, Renovate flushed the backlog: + +- #900: chore(deps) update all non-major dependencies +- #901: prettier → 3.8.3 +- #902: jiti → `<2.8.0` +- #904 / #908: vitest monorepo → 4.1.5 → 4.1.6 +- #898/#905: pin + bump `@bfra.me/prettier-config` to 0.16.7 → 0.16.8 → 0.16.9 (#910) +- #899/#906/#911: pin + bump `@bfra.me/tsconfig` to 0.12.2 → 0.13.0 → 0.13.1 +- #907: chore(dev) pin dependencies (added `@types/node` 24.12.4) +- #909: `@types/node` → 24.12.4 +- #912 → #915: rolling `bfra-me/.github` v4.16.17 → v4.16.18 +- #913 / #914: tsx 4.21.1 → 4.22.0 + +The 6-week dependency drift documented previously is largely gone. Outstanding trailing item: `@bfra.me/eslint-config` is still pinned at 0.50.1 while the ecosystem advanced past 0.51.0 — Renovate has not opened a PR for this, suggesting either a deliberate pin or a missing range allowance. Worth verifying before next survey. + +The "newly pinned" rows above reflect #907's pin sweep: previously caret-ranged dev deps were locked to exact versions, aligning with the rest of the ecosystem. + +### Updated Open Work Items + +| # | Title | Author | State | Notes | +| --- | --- | --- | --- | --- | +| #284 | Dependency Dashboard | mrbro-bot[bot] | open | Standard Renovate dashboard issue | +| #895 | Action Required: Fix Renovate Configuration | mrbro-bot[bot] | **closed** 2026-05-14 | Resolved by #897 (preset → 5.2.0) | + +Backlog is back to baseline. The profile update pipeline (every 6 hours) and Renovate are both healthy. 
+ ## Survey History | Date | SHA | Delta | | --- | --- | --- | | 2026-04-18 | `af78e68` | Initial survey | | 2026-04-24 | `af78e68` | SHA unchanged; documented Renovate stall (issue #895), dependency drift vs ecosystem, fro-bot collaborator confirmed, open work items added | +| 2026-05-18 | `de594cd` | Renovate thaw confirmed (#895 closed, preset → 5.2.0 via #897); 18 dependency PRs landed 2026-05-14 → 2026-05-18; bumped `bfra-me/.github` v4.4.0 → v4.16.18, `pnpm` 10.31.0 → 10.33.4, `vitest` 4.0.18 → 4.1.6, `tsx` 4.20.3 → 4.22.0, `Node.js` 24.14.0 → 24.15.0, `Prettier` 3.8.1 → 3.8.3; new pinned deps added (`@bfra.me/prettier-config` 0.16.9, `@bfra.me/tsconfig` 0.13.1, `@types/node` 24.12.4); `@bfra.me/eslint-config` 0.50.1 still trailing; no Fro Bot workflow yet — follow-up PR still warranted | diff --git a/knowledge/wiki/repos/marcusrbrown--mrbro-dev.md b/knowledge/wiki/repos/marcusrbrown--mrbro-dev.md index 1a666484e..91e076b65 100644 --- a/knowledge/wiki/repos/marcusrbrown--mrbro-dev.md +++ b/knowledge/wiki/repos/marcusrbrown--mrbro-dev.md @@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/mrbro.dev" created: 2026-04-18 -updated: 2026-04-26 +updated: 2026-05-21 sources: - url: https://github.com/marcusrbrown/mrbro.dev sha: 51f5cab5c77768b761d9f0a688ac7436cc5a06f4 @@ -10,6 +10,9 @@ sources: - url: https://github.com/marcusrbrown/mrbro.dev sha: d8c0e43a471aa41b030890122d75450b5626b981 accessed: 2026-04-26 + - url: https://github.com/marcusrbrown/mrbro.dev + sha: 88f7a4adf497fe9bb772f27b05216d4e0235af3e + accessed: 2026-05-21 tags: [portfolio, react, typescript, vite, github-pages, blog, pnpm] aliases: [mrbro-dev, mrbro.dev] related: 
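Review bot: In the Renovate Thaw section of `marcusrbrown--marcusrbrown.md`, "Within the same hour, Renovate flushed the backlog" conflicts with the Survey History row added in the same hunk, which says the dependency PRs landed over 2026-05-14 → 2026-05-18. Say which PRs opened or merged in the first hour and which followed over the next days, or drop the "same hour" wording.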
@@ -30,8 +33,8 @@ Marcus R. Brown's developer portfolio website. React 19, TypeScript (strict), Vi - **Homepage:** https://mrbro.dev - **Topics:** `blog`, `developer`, `github-pages`, `portfolio`, `react`, `typescript`, `vite` - **License:** MIT (badge present, no LICENSE file detected via API) -- **Open issues:** 39 (majority are Daily Autohealing Reports) -- **Open PRs:** 4 (#85 and #87 stale security fixes, #142 non-major deps, #145 fro-bot hook rename) +- **Open issues:** 8 as of 2026-05-21 (drained from 39 in April — the single perpetual "Daily Autohealing Report" #162 and "Daily Maintenance Report" #13 are now the canonical rolling issues, matching the prompt contract; #1 Dependency Dashboard, #48 triage, plus 4 Renovate pin PRs reflected as issues) +- **Open PRs:** 4 (all `chore(dev): pin dependency …` Renovate PRs: #168 `@bfra.me/eslint-config` v0.51.0, #172 `@bfra.me/prettier-config` 0.16.8, #173 `@bfra.me/tsconfig` v0.13.0, #175 `eslint-plugin-react-refresh` 0.5.2) ## Tech Stack 
@@ -119,8 +122,7 @@ The most architecturally significant feature. Centered on `ThemeContext` (300+ l | CI | `ci.yaml` | PR to `main`, dispatch | Lint, test (with coverage), build, type-check, dependency audit, quality gate | | E2E Tests | `e2e-tests.yaml` | PR to `main`, dispatch | Playwright E2E (Chromium), visual regression, accessibility (axe-core), badge generation | | Performance | `performance.yaml` | push to `main`, PR, weekly cron, dispatch | Lighthouse CI (desktop + mobile), bundle analysis, performance budgets, regression detection | -| Fro Bot | `fro-bot.yaml` | PR, issue, comment, schedule, dispatch | Automated PR review, daily maintenance, issue triage | -| Fro Bot Autoheal | `fro-bot-autoheal.yaml` | daily 03:30 UTC, dispatch | Automated CI repair, security, code quality, production site review | +| Fro Bot | `fro-bot.yaml` | PR, issue, comment, schedule (03:30 + 15:30 UTC), dispatch | Three-mode: PR review / daily maintenance / autoheal (single file as of 2026-05-21) | | Renovate | `renovate.yaml` | issue/PR edit, push (non-main), workflow_run, dispatch | Dependency management via `bfra-me/.github` reusable workflow | | Copilot Setup Steps | `copilot-setup-steps.yaml` | — | GitHub Copilot coding agent environment | 
@@ -138,22 +140,34 @@ Sequential: checkout, setup, lint, test, build (with `GITHUB_PAGES=true`), uploa ## Fro Bot Integration -**Fro Bot workflow is present and active.** Two workflows: +**As of 2026-05-21 (SHA `88f7a4a`), the Fro Bot integration is a single-file three-mode workflow.** The standalone `fro-bot-autoheal.yaml` has been consolidated into `fro-bot.yaml`, matching the pattern in [[marcusrbrown--marcusrbrown-github-io]] and the broader Fro Bot fleet. + +### fro-bot.yaml (single-file, three modes — current) + +- **Agent pin:** `fro-bot/agent@v0.43.0` (SHA `1563f2987343b5e8d30ba818920d0ac563c617fa`) +- **Modes** (selectable via `workflow_dispatch.inputs.mode`, default `autoheal`): + - `review` — PR review with structured verdict (`PASS | CONDITIONAL | REJECT`), blocking/non-blocking/missing-tests/risk-assessment sections; reserved for `pull_request`, `*_comment`, and `issues` events + - `maintenance` — Single perpetual "Daily Maintenance Report" issue at 15:30 UTC; the prompt mandates exactly one open maintenance issue at all times (drift-correction language) + - `autoheal` — Daily autoheal at 03:30 UTC (staggered off sibling repos) +- **Triggers:** `issue_comment`, `pull_request_review_comment`, `discussion_comment`, `issues` (opened/edited), `pull_request` (opened/synchronize/reopened/ready_for_review/review_requested), two `schedule` crons, `workflow_dispatch` +- **Concurrency:** Per issue/PR/discussion/schedule, non-cancelling +- **PR review prompt** is mrbro.dev-specific: React 19 / TypeScript / Vite 7, WCAG 2.1 AA, performance budget (JS <500KB, total <2MB), pure ESM, PascalCase hooks, `.yaml` extension enforcement, named exports preferred. Style nits explicitly deferred to ESLint/Prettier. +- **Hard boundary**: "Do NOT push commits, modify code, or create branches. Review only." 
-### fro-bot.yaml +### fro-bot.yaml (prior two-file form — historical, 2026-04-18 → 2026-04-26) - Triggers: PR events (opened, synchronize, reopened, ready_for_review, review_requested), issue events (opened, edited), comment events (`@fro-bot` mention including discussion comments), daily schedule (15:30 UTC), manual dispatch -- Uses `fro-bot/agent@v0.41.3` (SHA `36c9850c2ac6e6d4d532662fca2ca89bd2bc559d`) with `FRO_BOT_PAT` token +- Used `fro-bot/agent@v0.41.3` (SHA `36c9850c2ac6e6d4d532662fca2ca89bd2bc559d`) with `FRO_BOT_PAT` token - `opencode-config` secret passed via environment (added 2026-04-19, #135) - PR review prompt: structured review (Verdict/Blocking/Non-blocking/Missing tests/Risk assessment) - Schedule prompt: daily maintenance issue ("Daily Maintenance Report") with 14-day rolling window - Concurrency: per-issue/PR, non-cancelling - Fork PR guard: skips bot-authored and fork PRs; additional fork-check step for issue_comment on PR events -### fro-bot-autoheal.yaml +### fro-bot-autoheal.yaml (removed 2026-05-21) - Triggers: daily 03:30 UTC, manual dispatch -- Uses `fro-bot/agent@v0.41.3` (SHA `36c9850c2ac6e6d4d532662fca2ca89bd2bc559d`) +- Used `fro-bot/agent@v0.41.3` (SHA `36c9850c2ac6e6d4d532662fca2ca89bd2bc559d`) - `opencode-config` secret passed via environment - Five-category autoheal: errored PRs, security, code quality/hygiene, developer experience, production site review - Production site review uses `npx agent-browser` to check mrbro.dev pages (/, /about, /projects, /blog) 
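Review bot: The "Hard boundary" bullet in the new single-file `fro-bot.yaml` section quotes "Do NOT push commits, modify code, or create branches. Review only." as if it applied to the whole workflow, but the same list defines `maintenance` and `autoheal` modes. State that the boundary belongs to the `review` prompt. The heading `fro-bot-autoheal.yaml (removed 2026-05-21)` also uses the survey date as the removal date; cite the removing commit or PR, or write "absent as of 2026-05-21".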
@@ -179,7 +193,7 @@ Coverage as of README badges: 70.81% statements, 80.19% branches, 60.4% function ## Developer Tooling -- **Renovate:** Extends `marcusrbrown/renovate-config#4.5.8`. Post-upgrade runs: `pnpm install`, `pnpm run build`, `pnpm run fix` (twice). Groups all non-major updates. Reusable workflow via `bfra-me/.github@v4.16.7`. +- **Renovate:** Extends `marcusrbrown/renovate-config#5.2.0` (as of 2026-05-21, bumped from `#4.5.8`). Post-upgrade runs: `pnpm install`, `pnpm run build`, `pnpm run fix` (twice), `executionMode: 'branch'`. Groups all non-major updates. Config lives at `.github/renovate.json5`. - **Probot Settings:** **Not configured.** No `.github/settings.yml` present — unusual for Marcus repos where Probot settings extending `fro-bot/.github:common-settings.yaml` is the standard pattern. Branch protection managed via `.github/BRANCH_PROTECTION.md` documentation and `scripts/configure-branch-protection.ts` script instead. - **Git Hooks:** `simple-git-hooks` with `lint-staged` (ESLint --fix on staged files). Pre-push hook at `.github/git-hooks/pre-push.ts`. - **Copilot Hooks:** `.github/hooks/` directory for Copilot pre-tool-use guardrails. 
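Review bot: The rewritten Renovate bullet removes "Reusable workflow via `bfra-me/.github@v4.16.7`" without recording the current pin, so the page no longer says which version of the reusable workflow `renovate.yaml` calls. Add the current `bfra-me/.github` version, or note that the reusable workflow is no longer used if that is what changed.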
@@ -215,12 +229,12 @@ Vite upgraded to v7.3.2 for security fix (#121). ## Connections to Fro Bot Ecosystem -- Uses `fro-bot/agent@v0.41.3` in both workflow files (bumped from v0.38.0 since 2026-04-18 survey) +- Uses `fro-bot/agent@v0.43.0` in the single consolidated workflow (v0.38.0 → v0.41.3 → v0.43.0 across surveys) - Shares `@bfra.me/*` config ecosystem with the Fro Bot org -- Renovate extends `marcusrbrown/renovate-config#4.5.8` (same as [[marcusrbrown--ha-config]], [[marcusrbrown--vbs]]) -- Authentication via `APPLICATION_ID`/`APPLICATION_PRIVATE_KEY` secrets (GitHub App) in CI, `FRO_BOT_PAT` + `opencode-config` for agent workflows +- Renovate extends `marcusrbrown/renovate-config#5.2.0` — first repo in this wiki observed on the v5 preset line +- Authentication via `APPLICATION_ID`/`APPLICATION_PRIVATE_KEY` secrets (GitHub App) in CI, `FRO_BOT_PAT` + `opencode-config` for agent workflow - **No Probot settings.yml** — diverges from sibling repos that extend `fro-bot/.github:common-settings.yaml` -- Sibling portfolio site: [[marcusrbrown--marcusrbrown-github-io]] (both React+Vite GitHub Pages, different scope and domain) +- Sibling portfolio site: [[marcusrbrown--marcusrbrown-github-io]] (both React+Vite GitHub Pages, different scope and domain) — both now run the single-file three-mode Fro Bot workflow ## Survey History 
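Review bot: The Renovate bullet in Connections to Fro Bot Ecosystem calls this the "first repo in this wiki observed on the v5 preset line", which the other pages in this patch contradict. `marcusrbrown--marcusrbrown.md` records `#5.2.0` via #897 on 2026-05-14, and `marcusrbrown--marcusrbrown-github-io.md` records it via PR #406 on 2026-05-16, both surveyed on 2026-05-18, before this page's 2026-05-21 survey. Drop the "first" claim or link the sibling pages instead.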
@@ -228,3 +242,4 @@ Vite upgraded to v7.3.2 for security fix (#121). | --- | --- | --- | | 2026-04-18 | `51f5cab` | Initial survey | | 2026-04-26 | `d8c0e43` | Agent v0.38.0→v0.41.3, Renovate #4.5.7→#4.5.8, opencode-config added, security overrides, no settings.yml noted, 39 open issues | +| 2026-05-21 | `88f7a4a` | Workflows consolidated: `fro-bot-autoheal.yaml` removed, single `fro-bot.yaml` with three modes (review/maintenance/autoheal). Agent v0.41.3 → v0.43.0. Renovate preset #4.5.8 → #5.2.0. Open issues 39 → 8 (autoheal backlog drained). Open PRs 4 (all pin-version Renovate). New pnpm overrides: `fast-uri ≥3.1.2`, `ip-address ≥10.1.1`, `uuid ≥14.0.0`. TypeScript bumped 5.6.x → 5.9.3 (still pre-v6). Vitest 4.1.4, pnpm 10.33.4. | diff --git a/knowledge/wiki/repos/marcusrbrown--opencode-copilot-delegate.md b/knowledge/wiki/repos/marcusrbrown--opencode-copilot-delegate.md index b6dd0cadd..8124a9108 100644 --- a/knowledge/wiki/repos/marcusrbrown--opencode-copilot-delegate.md +++ b/knowledge/wiki/repos/marcusrbrown--opencode-copilot-delegate.md @@ -2,7 +2,7 @@ type: repo title: marcusrbrown/opencode-copilot-delegate created: 2026-04-23 -updated: 2026-04-27 +updated: 2026-05-21 sources: - url: https://github.com/marcusrbrown/opencode-copilot-delegate sha: bea3f576d7218900b9216a8a2c2947003660809b @@ -10,7 +10,10 @@ sources: - url: https://github.com/marcusrbrown/opencode-copilot-delegate sha: 02cac9c024744a290c9257d5c740d2a83e2c8e42 accessed: 2026-04-27 -tags: [opencode, plugin, copilot, delegation, subprocess, async, bun, typescript, biome, changesets] + - url: https://github.com/marcusrbrown/opencode-copilot-delegate + sha: 2744ce7fc07660baa4f17bfff3656141888261cf + accessed: 2026-05-21 +tags: [opencode, plugin, copilot, delegation, subprocess, async, bun, typescript, biome, changesets, tui, rpc, orphan-reaper] related: [marcusrbrown--dotfiles, marcusrbrown--systematic] --- 
@@ -22,83 +25,157 @@ OpenCode plugin that delegates tasks to GitHub Copilot CLI as background subproc An [OpenCode](https://opencode.ai) plugin registering three tools — `copilot_delegate`, `copilot_output`, `copilot_cancel` — that allow a parent OpenCode agent to spawn `copilot -p` as a background process, continue productive work, and receive a `` notification when the subprocess completes. The async pattern mirrors OMO's `background_task` / `background_output` architecture. -**Status (2026-04-27):** v0.1.0 with full implementation. Source files contain working runtime code across all modules (tools, runtime, discovery, lib). The implementation plan from `docs/plans/` has been executed. Published to npm as `opencode-copilot-delegate`. CI, Fro Bot, and Renovate are all active on `main`. +**Status (2026-05-21):** v0.12.0 on npm. The plugin has hardened substantially since the initial v0.1.0 scaffold — added an orphan-subprocess reaper with PID-file identity gate (v0.2.0), streaming worker pool for reap probes (v0.3.0), configurable timeouts with cooperative cancellation (v0.4.0), per-parameter tool description enrichment (v0.5.0–v0.7.0), an opt-in `/copilot-status` TUI half (v0.10.0), per-process plugin-factory singleton (v0.8.0, refined in v0.11.0), and a fourth `copilot_resume` tool (v0.12.0). The tool catalog is now 3 → 4. Source tree has expanded from the original 4 module groups to include `src/tui/` (Solid + opentui TUI entry) and a localhost RPC layer (`runtime/rpc-*.ts`, `tui/rpc-client.ts`). Test count has grown from ~6 to 21 unit test files plus an integration suite. -> **Contradiction with prior survey (2026-04-23):** The initial survey recorded all `src/` files as "TODO stubs with implementation plan." As of SHA `02cac9c`, the source tree is fully implemented with working code across all modules. The implementation plan tasks have been completed. 
+> **Prior contradiction (resolved):** The 2026-04-23 survey recorded all `src/` files as "TODO stubs with implementation plan." As of SHA `02cac9c` (2026-04-27) the source tree was fully implemented, and the 2026-05-21 survey confirms the plugin has shipped 11 minor releases on top of that foundation. ## Technology Stack | Aspect | Detail | |--------|--------| | Language | TypeScript 6.0.3 (strict, ES2022 target, ESM modules) | -| Runtime/Build | Bun 1.3.13 (both development and production build target) | -| Linting/Formatting | Biome 2.4.13 (NOT ESLint/Prettier — diverges from other Marcus repos using `@bfra.me/eslint-config`) | -| Versioning | Changesets (`@changesets/cli` v2.31.0, public access) | +| Runtime/Build | Bun 1.3.14 (both development and production build target) | +| Linting/Formatting | Biome 2.4.15 (NOT ESLint/Prettier — diverges from other Marcus repos using `@bfra.me/eslint-config`) | +| Versioning | Changesets (`@changesets/cli` v2.31.0, OIDC trusted publishing to npm) | | Package Manager | Bun (`bun.lock`, `bun install`) | -| Test Runner | `bun test` (matches OpenCode ecosystem) | -| Peer Dependencies | `@opencode-ai/plugin >=1.14.0`, `@opencode-ai/sdk >=1.14.0` (dev pins: ^1.14.19) | -| Runtime Dependency | `fkill` 10.0.3 (cross-platform process tree kill) | +| Test Runner | `bun test` — separate scripts for unit, TUI (with `--preload @opentui/solid/preload`), and integration | +| Peer Dependencies | `@opencode-ai/plugin >=1.14.41` (narrowed from `>=1.14.0` in v0.12.0; dev pin: 1.15.4). `@opencode-ai/sdk` peer dep removed in v0.6.0 — it was never imported. | +| Runtime Dependencies | `fkill` 10.0.3 (cross-platform process tree kill); `@opentui/core` + `@opentui/solid` 0.2.6 (TUI); `solid-js` 1.9.13 (TUI reactive layer); `zod` ^4.3.0 (pinned with `overrides` to dodge TS2883 from dual-zod trees, added v0.7.0) | | License | MIT | | Node Engine | >=24 | +| Package exports | `.` (server plugin), `./plugin` (alias), `./tui` (opt-in TUI entry). 
`oc-plugin: ["server", "tui"]` declares both halves to OpenCode. | +| Build target split | `src/index.ts` builds with `target: 'node'` (plain-Node ESM loadable, gated by CI export-shape assertion); `src/tui/index.tsx` builds with `target: 'bun'` because `@opentui/solid` is Bun-specific. Both produced by `scripts/build.ts` + `tsc --emitDeclarationOnly`. | ### Mise Tooling -`mise.toml` pins: Bun 1.3.13, `npm:opencode-ai` 1.14.27, `npm:@github/copilot` 1.0.36. +`mise.toml` pins: Bun 1.3.14, `npm:opencode-ai` 1.15.4, `npm:@github/copilot` 1.0.48. ## Architecture ### Plugin Tools - **`copilot_delegate`** — Spawn `copilot -p` as background subprocess. Returns `task_id` (`cpl_`-prefixed UUID) immediately. Args: `prompt` (required), `agent?`, `model?`, `add_dir?`, `allow_tool?`, `deny_tool?`. -- **`copilot_output`** — Retrieve structured result envelope. Args: `task_id` (required), `block?` (default `false`), `timeout_ms?` (default 30000, max 120000). Returns envelope with `status`, `final_message`, `tokens`, `tool_calls_summary`. +- **`copilot_output`** — Retrieve structured result envelope. Args: `task_id` (required), `block?` (default `false`), `timeout_ms?` (default 30000, max 120000). Envelope includes `status`, `final_message`, `tokens`, `tool_calls_summary`, `origin` (`'spawn' | 'resume' | 'connect'`), and `copilot_session_id` (the upstream Copilot session UUID parsed from the JSONL `result` event, omitted when never emitted). - **`copilot_cancel`** — Cancel running delegation with SIGTERM → SIGKILL escalation. Returns `{cancelled, was_running}`. +- **`copilot_resume`** *(added v0.12.0)* — Resume a prior Copilot session by ID, name, or prefix via `copilot --resume=`. UUID targets are validated against the local Copilot session store before spawn; missing sessions return a structured error without invoking the CLI. When a prior plugin task's session ID matches the target, that task's `--add-dir` workspace set is reused if the caller omits `addDirs`. 
CLI `No session, task, or name matched` errors are normalized to `Session not found`. All `cwd` and `addDirs` are validated against allowed roots before spawn; argv-injection-shaped values are rejected. Completion surfaces a `[COPILOT RESUME COMPLETED]` header (vs `[COPILOT DELEGATION COMPLETED]` for spawn). ### Module Layout ``` src/ -├── index.ts # Plugin entrypoint — wires tools to runtime +├── index.ts # Plugin entrypoint — Node-loadable ESM, exports `default` only (CI-gated) ├── tools/ -│ ├── delegate.ts # copilot_delegate tool -│ ├── output.ts # copilot_output tool -│ └── cancel.ts # copilot_cancel tool +│ ├── delegate.ts # copilot_delegate tool +│ ├── output.ts # copilot_output tool +│ ├── cancel.ts # copilot_cancel tool +│ └── resume.ts # copilot_resume tool (v0.12.0) ├── runtime/ -│ ├── subprocess.ts # Spawns copilot CLI, streams JSONL stdout -│ ├── task-registry.ts # In-memory task state (create/get/update/delete/cleanup) -│ ├── jsonl-parser.ts # Single-line JSONL parser for Copilot CLI output -│ ├── envelope.ts # Builds structured output envelopes from parsed events -│ └── notify.ts # Injects completion notifications into OpenCode sessions +│ ├── subprocess.ts # Spawns copilot CLI, streams JSONL stdout +│ ├── task-registry.ts # In-memory task state (create/get/update/delete/cleanup) +│ ├── task-status.ts # setStatus lifecycle helper — terminal-state-only transitions +│ ├── jsonl-parser.ts # Single-line JSONL parser for Copilot CLI output +│ ├── envelope.ts # Builds structured output envelopes from parsed events +│ ├── notify.ts # Completion notifications + attachCompletionPipeline helper +│ ├── pid-file.ts # Per-instance PID file (write/read/truncate/unlink), serialized per file +│ ├── orphan-reaper.ts # Plugin-init reaper for foreign-instance subprocess orphans +│ ├── continuity-checks.ts # Process-identity + liveness probes for reaper +│ ├── continuity-validation.ts# Validation layer over continuity-checks results +│ ├── plugin-singleton.ts # 
Per-process factory singleton (globalThis Symbol) +│ ├── rpc-server.ts # Localhost-only RPC listener for TUI +│ └── rpc-contract.ts # Shared TS contract for RPC requests/responses ├── discovery/ -│ ├── agents.ts # Discovers .agent.md files from Copilot agent directories -│ └── description.ts # Builds copilot_delegate tool description from discovered agents -└── lib/ - ├── ansi.ts # Strip ANSI escapes - └── kill-tree.ts # Cross-platform process tree kill via fkill +│ ├── agents.ts # Discovers .agent.md files (user + repo only; no builtin list) +│ └── description.ts # Builds copilot_delegate description from discovered agents +├── lib/ +│ ├── ansi.ts # Strip ANSI escapes +│ ├── errno.ts # POSIX errno classification helpers +│ ├── kill-tree.ts # Cross-platform process-tree kill via fkill + process-group probe +│ ├── normalize-tool-arg-schemas.ts # zod _zod.toJSONSchema override (host-zod compat shim) +│ └── rpc-cleanup.ts # wireRpcServerCleanup (extracted from index.ts in v0.12.0) +└── tui/ + ├── index.tsx # TUI plugin entry (Solid + opentui) + ├── rpc-client.ts # Client for the server half's RPC listener + ├── components/ # SolidJS components for /copilot-status + └── __tests__/ # TUI tests (require @opentui/solid/preload) ``` ### Test Suite ``` tests/ -├── jsonl-parser.test.ts # Parser unit tests -├── envelope.test.ts # Envelope builder tests -├── subprocess.test.ts # Subprocess wrapper tests (fake copilot binary) -├── agents.test.ts # Agent discovery tests (temp fixture dirs) -├── notify.test.ts # Notification injection tests -├── tools.test.ts # Tool integration tests (full plugin lifecycle) -├── fixtures/ -│ └── jsonl/ # Real Copilot CLI JSONL captures (PII-scrubbed) -└── integration/ # Integration tests (not yet in CI, tracked in #38) +├── jsonl-parser.test.ts # JSONL parser +├── envelope.test.ts # Envelope builder +├── subprocess.test.ts # Subprocess wrapper (fake copilot binary) +├── agents.test.ts # Agent discovery (temp fixture dirs) +├── notify.test.ts # 
Notification injection +├── tools.test.ts # End-to-end tool integration +├── resume.test.ts # copilot_resume tool (v0.12.0) +├── task-registry.test.ts # Registry lifecycle +├── task-status.test.ts # setStatus terminal-state invariants +├── cancel-helper.test.ts # Cancel helper +├── pid-file.test.ts # PID file write/read/truncate/unlink + serialize +├── orphan-reaper.test.ts # Reaper with abort, timeouts, identity gate +├── continuity-checks.test.ts # comm/lstart probes +├── continuity-validation.test.ts# Validation layer +├── plugin-singleton.test.ts # Per-process singleton + duplicate-invocation warning +├── rpc-server.test.ts # RPC listener +├── rpc-contract.test.ts # RPC contract shape +├── rpc-cleanup.test.ts # wireRpcServerCleanup +├── normalize-tool-arg-schemas.test.ts # zod schema override +├── package-exports.test.ts # Asserts dist/index.js exports only `default` (matches CI gate) +├── index.test.ts # Plugin entry smoke +├── fixtures/jsonl/ # Real Copilot CLI JSONL captures (PII-scrubbed) +└── integration/ # LLM-driven end-to-end via `opencode run` (gated on GH_TOKEN/COPILOT_PAT; not in CI per #38) ``` ### Design Decisions - **Single-line JSONL parser:** `parseJsonlLine` handles one line at a time, returns `{ type: 'unknown' }` for malformed input. Stream-level multiline accumulation belongs in the subprocess wrapper. - **Task IDs:** Prefixed with `cpl_` to distinguish from OpenCode-native task IDs. -- **Process cleanup:** Uses `fkill` with `{ force: false, forceAfterTimeout: 2000, waitForExit: 5000 }` and `.catch()` guards on all `killProcessTree` calls. On macOS, `tree: true` is Windows-only, so kill targets the entire process group via `fkill(-pid, ...)` and subprocess is spawned with `detached: true`. -- **Notification safety:** In-flight counter decremented synchronously (before any `await`) in close handlers; counter map entries deleted at zero to prevent memory leaks over long-lived sessions. 
-- **Agent discovery:** Builtin agents (bundled with Copilot CLI) cannot be overridden by user or repo agents. +- **Process cleanup:** Uses `fkill` with `{ force: false, forceAfterTimeout: 2000, waitForExit: 5000 }` and `.catch()` guards on all `killProcessTree` calls. On macOS, `tree: true` is Windows-only, so kill targets the entire process group via `fkill(-pid, ...)` and subprocess is spawned with `detached: true`. Since v0.9.0 `killProcessTree` classifies fkill failures by probing the process *group* (`process.kill(-pid, 0)`); ESRCH is suppressed as "already gone," other states preserve the original throw. +- **Notification safety:** In-flight counter decremented synchronously (before any `await`) in close handlers; counter map entries deleted at zero to prevent memory leaks over long-lived sessions. Since v0.9.0 the fallback `client.app.log` call is wrapped in try/catch and uses the structured SDK shape so synchronous SDK throws can't escape the documented "never throws" contract. +- **Agent discovery (rewritten v0.5.0):** No more `BUILTIN_AGENTS` constant — passing one of the legacy six names (`default`, `explore`, `task`, `general-purpose`, `code-review`, `research`) made the standalone `@github/copilot` CLI fail at spawn with `No such agent`. `discoverAgents` now returns user agents (filtered by repo override) followed by repo agents; `Agent.source` is `'user' | 'repo'`. `buildDescription` emits an actionable hint pointing at `~/.copilot/agents` and `.github/agents` when discovery is empty. - **Structured errors:** Tools return `{ error: string }` objects, never throw exceptions. +- **`setStatus` lifecycle:** Centralizes terminal-status mutations and is idempotent on terminal state. Since v0.8.0 terminal → non-terminal transitions are explicitly forbidden — once a task reaches `complete`, `failed`, or `cancelled`, every subsequent `setStatus` call is a no-op (closes a resurrection path no caller exercised but the prior contract permitted). 
+- **Origin discriminator (v0.12.0):** `TaskState`, `OutputEnvelope`, and `EnvelopeInput` carry `origin: 'spawn' | 'resume' | 'connect'`. `spawn`-origin tasks (from `copilot_delegate`) surface `[COPILOT DELEGATION COMPLETED]`; `resume`-origin tasks (from `copilot_resume`) surface `[COPILOT RESUME COMPLETED]`. `connect` is wired for forward compatibility but unused today. +- **Per-parameter description survival (v0.7.0):** OpenCode's tool catalog renders plugin schemas via the host's bundled zod, which lives in a different module instance from the plugin's zod and cannot see plugin-side `.describe()` metadata. Each tool arg schema is patched with a `_zod.toJSONSchema` override (`src/lib/normalize-tool-arg-schemas.ts`) that delegates serialization back to the plugin-local zod — same fix shipped by `@cortexkit/opencode-magic-context` and `@cortexkit/aft-opencode`. `zod` is pinned as a direct dependency with a matching `overrides` entry to keep this repo's tree on a single zod version (resolves TS2883 from two zod trees coexisting at build time). + +### Orphan Reaper (added v0.2.0, hardened through v0.10.0) + +- **PID file per instance:** `/opencode-copilot-delegate/orphans/.pids` lists each spawned subprocess; entry removed on every terminal status transition. +- **Identity gate:** Reap requires a live process's `comm` (kernel-tracked executable name from `ps -o comm=`) AND `lstart` (start-time string) to match values recorded at spawn time. Combined with a spawner-liveness probe (`process.kill(, 0)`), this rules out both PID reuse of an unrelated process and cross-instance kill of a live foreign instance's children. +- **Streaming worker pool (v0.3.0):** Up to `MAX_CONCURRENT_PROBES = 5` workers drain a shared queue independently — a slow `ps` probe blocks only its own worker. Replaces the prior chunked `Promise.all` whose worst case stalled four siblings behind one slow probe. 
+- **Combined `ps` query (v0.3.0):** `getPidIdentity(pid)` runs `ps -p -o comm=,lstart=` in a single fork/exec, halving cost and providing an atomic kernel snapshot of both identity legs. +- **Configurable timeouts (v0.4.0):** Per-probe `ps` timeout (default 1000ms; warns on degradation) and overall `reapOrphans` timeout (default 15000ms) with cooperative `AbortSignal` cancellation. In-flight workers cooperate by skipping their next mutating step on abort, so dangerous side effects can't fire after the call returns. `ReapResult.timedOut: true` flags a timeout-aborted reap; count fields go to zero placeholders, not partial-progress accounting. +- **Same-user symlink hardening (v0.9.0):** PID file open and truncate paths use `O_NOFOLLOW`; PID file parent directories are rejected before orphan reaping, cleanup, and plugin init state-directory creation. Defends against attacker-controlled symlinks under same-UID write access. +- **Race-safe cleanup (v0.8.0):** `truncatePidFile(filePath)` and `unlinkPidFile(filePath)` route through the per-file `serializeWrite` lock. ENOENT silently swallowed. `cleanupAfterReap` uses these helpers so concurrent reap + task spawn is automatically race-safe. +- **Logging prefix:** Since v0.9.0 all runtime warnings share the `[copilot-delegate]` prefix across `kill-tree`, `orphan-reaper`, `pid-file`, `task-registry`, and `task-status`, making operator log filtering predictable. + +### Plugin Factory Singleton (added v0.8.0, refined in v0.11.0 and v0.12.0) + +When a user lists `opencode-copilot-delegate` in both a user-level (`~/.config/opencode/opencode.json`) and project-level `opencode.json`, the OpenCode host previously invoked the factory once per source — evaluating the module fresh, running orphan reaping, and registering its own copy of the three tools. 
The factory now resolves at most once per process via a `globalThis` Symbol singleton (`Symbol.for('opencode-copilot-delegate.singleton.v1')`): + +- **First invocation:** Runs `doInit` once, returns the real hooks. +- **Duplicate invocation (same PID, v0.11.0):** Returns **empty hooks** (`{}`) instead of the cached real hooks. The host's per-source iteration finds nothing to register a second time, eliminating the double-registration that previously caused each tool to appear twice in the LLM-visible catalog under dual-source configs. Heavy init (agent discovery, orphan reaping, RPC server startup) still runs at most once per process. Emits a one-time `console.warn` + `client.app.log` warning so duplicate-config situations stay observable. +- **Why this diverges from Systematic's PR #352 fix:** Systematic switched to per-load registration. This plugin keeps `plugInOnce` because `doInit` binds a TCP port (RPC server) and writes a PID file — running `doInit` twice in the same process would race on those exclusive resources. The divergence is documented inline in `plugin-singleton.ts` and `rpc-cleanup.ts` with cross-references to the Systematic PR. + +### Public-Surface Hardening (v0.12.0) + +OpenCode's plugin loader treats every named export from a plugin entry as a separate plugin factory and invokes it with `undefined` input. Systematic took hours of downtime from this contract in v2.5.0 and v2.12.1; this plugin institutionalized the fix: + +- `wireRpcServerCleanup` moved out of `src/index.ts` into `src/lib/rpc-cleanup.ts`; the entry re-imports it internally so only `default` is exported. +- Plugin entry now builds with `target: 'node'` (was `'bun'`) so `dist/index.js` loads under plain Node ESM. TUI entry stays on `target: 'bun'` because `@opentui/solid` is Bun-specific. 
+- CI gate between `Build` and `Unit tests` runs `node --input-type=module -e "import('./dist/index.js').then(m => …)"` and exits non-zero if anything other than `default` is exported or `default` is not a function. `tests/package-exports.test.ts` mirrors the assertion locally. Failure message references the Systematic regressions so future contributors find the rationale. + +### TUI Half (added v0.10.0) + +- **Opt-in second entry.** `package.json` declares `oc-plugin: ["server", "tui"]` and exposes `./tui` as a separate export. Existing server-only installs continue to register only the three tools; `/copilot-status` only appears when the TUI half is installed in `tui.jsonc`. +- **Slash command registration with feature detection (v0.12.0).** OpenCode 1.14.42 removed `api.command.register` in favor of the keymap engine; 1.14.44+ restored it as a deprecated shim that translates to `api.keymap.registerLayer`. The TUI entry now runtime-feature-detects: 1.14.44+ uses `api.keymap.registerLayer({ commands: [{ namespace: 'palette', name: 'copilot-status', title: 'Copilot Status', category: 'Copilot', run() }], bindings: [] })`; 1.14.41 falls back to `api.command.register`; neither present logs a warning and continues without the slash command. Mirrors the dual-path pattern Magic Context shipped in commit `5fe1c4f`. +- **Re-entrant close fix (v0.10.1):** Pressing Escape on `/copilot-status` previously froze the TUI via re-entrant dialog close handling. + +### RPC Layer (server ↔ TUI) + +The server half exposes a **localhost-only** RPC listener for the TUI. It writes a per-session authenticated port file under `/opencode/copilot-delegate/` so the TUI half can find and authenticate to the right server instance. Cleanup is best-effort: OpenCode's server plugin API has no dispose hook today, so cleanup is tied to process exit signals; the orphan-reaper posture covers missed shutdowns. ### Async Notification Pattern 
@@ -131,17 +208,17 @@ Six workflows on `main`: ### Fro Bot Integration -- **Agent:** `fro-bot/agent@v0.42.2` (SHA `94d8a156570d68d2461ab496b589e63bdcd6ba84`) -- **PR review:** Structured verdict format (PASS/CONDITIONAL/REJECT) with plugin-specific focus areas: TypeScript type safety, OpenCode API contracts, subprocess safety, tool output safety, changeset hygiene -- **Daily autohealing (16:00 UTC):** 4-category sweep: errored PRs, security, health & maintenance, developer experience. Single perpetual issue ("Daily Autohealing Report") strategy. +- **Agent:** `fro-bot/agent@v0.44.3` (SHA `b928e79729f01b563feabee26a0525a3b48501a6`) — up from v0.42.2 at prior survey +- **PR review:** Structured verdict format (PASS/CONDITIONAL/REJECT) with plugin-specific focus areas: TypeScript type safety, OpenCode API contracts (tool schema correctness, `ToolResult` shape, peerDependency compatibility), subprocess safety (spawn correctness, stdin/stdout buffering, signal propagation, process-tree kill, no zombies), tool output safety (no secrets/PATs/PII), changeset hygiene +- **Daily autohealing (16:00 UTC):** 4-category sweep — errored PRs, security, health & maintenance, developer experience. Single perpetual issue ("Daily Autohealing Report" #26) strategy. - **Required secrets:** `FRO_BOT_PAT`, `OPENCODE_AUTH_JSON`, `OMO_PROVIDERS`, `OPENCODE_CONFIG` - **Required variables:** `FRO_BOT_MODEL` - **Concurrency:** `fro-bot-{issue|pr|discussion|run_id}`, no cancel-in-progress ### Renovate Configuration -- Extends `marcusrbrown/renovate-config#4.5.8` -- LTS-only Node.js constraints for `@types/node` and GitHub Actions node versions +- Extends `marcusrbrown/renovate-config#5.2.0` (major-version jump from `#4.5.8` since last survey) +- LTS-only Node.js constraints for `@types/node` (even majors via regex `/^v?([0-9]*[02468])\\./`) and GitHub Actions node versions. An in-flight autoheal PR (#134) is tightening this further to caret-range LTS pinning. 
- `@opencode-ai/*` packages use `build` semantic commit type - Post-upgrade tasks: `bun install`, `bun run fix`, `bun run build` @@ -161,10 +238,19 @@ Uses Changesets via `changesets/action@v1.7.0`. GitHub App token for authenticat | # | Title | Notes | |---|-------|-------| -| 38 | Re-add integration tests to CI | Integration test directory exists but not wired into CI | +| 38 | Re-add integration tests to CI | Integration test directory exists but not wired into CI; LLM-driven, gated on `GH_TOKEN`/`COPILOT_PAT` (model overridable via `OPENCODE_TEST_MODEL`, defaults to `opencode/minimax-m2.5`) | | 26 | Daily Autohealing Report | Perpetual issue managed by Fro Bot | | 25 | Dependency Dashboard | Renovate tracking issue | +## Open PRs (2026-05-21) + +| # | Title | Notes | +|---|-------|-------| +| 135 | fix(deps): update dependency @opentui/solid to v0.2.8 | Renovate | +| 134 | fix(ci): constrain @types/node to LTS (even) majors and caret ranges in autoheal prompt | Fro Bot self-correction | +| 130 | fix(deps): update dependency @opentui/core to v0.2.7 | Renovate | +| 127 | chore(dev): update @types/node 24 → 25 (major) | Will be rejected by LTS-only rule once #134 lands | + ## Design Documentation - Implementation plan at `docs/plans/2026-04-21-copilot-delegate-plugin.md` — 11 ordered tasks from repo bootstrap through publish 
@@ -199,13 +285,19 @@ Uses Changesets via `changesets/action@v1.7.0`. GitHub App token for authenticat These divergences are appropriate for an OpenCode plugin — Bun is the OpenCode runtime, Biome is lighter than ESLint+Prettier for a small plugin, and `bun test` matches the ecosystem convention. Same pattern as [[marcusrbrown--systematic]]. -## Known Limitations (v0.1.x) +## Known Limitations (current as of v0.12.0) + +- **Orphaned subprocesses *(largely mitigated since v0.2.0)*:** A PID-file reaper now scans `/opencode-copilot-delegate/orphans/` at every plugin init, probes the owning plugin's liveness, and reaps subprocesses whose plugin has exited. The strict identity gate (kernel-tracked `comm` + start time) prevents PID-reuse misfires. The "mitigated" qualifier remains because the reap is best-effort under abort/timeout conditions. +- **Prompt visibility in `ps`:** Copilot CLI accepts the prompt as a command-line argument, exposing full prompt text in `ps` output for any user on the host. Upstream limitation — avoid delegating prompts containing secrets or PII; pass sensitive material via files, env vars, or `--secret-env-vars` instead. +- **No subprocess lifetime cap:** Hung `copilot` subprocess stays as `running` indefinitely. Cancel manually via `copilot_cancel`. Configurable timeout still planned for v1.x. +- **Single-process scope:** Task state is in-memory only; cross-process sharing requires future sqlite registry + IPC. `copilot_output` from a different OpenCode process returns `{ status: 'unknown', error: 'task_id not found in this OpenCode process' }`. +- **RPC cleanup is best-effort:** OpenCode's server plugin API has no dispose hook today, so RPC server cleanup relies on process-exit signals and the orphan-reaper posture for missed shutdowns. +- **TUI is opt-in:** Server plugin works alone. `/copilot-status` requires explicitly installing the TUI half in `tui.jsonc` — see the README for the dual-config snippet. 
+- **Integration tests not in CI:** Test directory exists but tracked as issue #38. Suite skips when neither `GH_TOKEN` nor `COPILOT_PAT` is set. + +## 0.x Versioning Policy -- **Orphaned subprocesses:** If OpenCode crashes mid-delegation, the `copilot` subprocess becomes orphaned. PID-file reaper planned for v1.x. -- **Prompt visibility in `ps`:** Copilot CLI accepts prompt as command-line argument, exposing full prompt text in `ps` output. Upstream limitation — avoid delegating prompts containing secrets or PII. -- **No subprocess lifetime cap:** Hung `copilot` subprocess stays as `running` indefinitely. Cancel manually via `copilot_cancel`. Configurable timeout planned for v1.x. -- **Single-process scope:** Task state is in-memory only; cross-process sharing requires future sqlite registry + IPC. -- **Integration tests not in CI:** Test directory exists but tracked as issue #38. +Releases under `0.x` are unstable and may include breaking changes between minor versions. README explicitly recommends pinning to an exact version in production. `1.0.0` will be cut once the public surface stabilizes — likely after the configurable subprocess timeout and cross-process registry land. ## Survey History 
@@ -213,3 +305,4 @@ These divergences are appropriate for an OpenCode plugin — Bun is the OpenCode |------|-----|-----------| | 2026-04-23 | `bea3f57` | Initial survey — v0.1.0 scaffold with TODO stubs, no CI/Fro Bot/Renovate on main | | 2026-04-27 | `02cac9c` | Implementation complete, CI active, Fro Bot v0.42.2, Renovate live, 6 workflows, `fkill` dependency added, Biome 1.9.4→2.4.13, TypeScript 6.0.3, 3 open issues | +| 2026-05-21 | `2744ce7` | v0.12.0 on npm (11 minor releases since prior survey). Fourth tool `copilot_resume` added. TUI half (`src/tui/`) shipped opt-in via `oc-plugin: ["server", "tui"]` and `./tui` export. Orphan reaper (v0.2.0+) hardened through streaming worker pool (v0.3.0), configurable timeouts (v0.4.0), symlink-attack defenses (v0.9.0), race-safe cleanup (v0.8.0). Per-process plugin singleton (v0.8.0/v0.11.0) returns empty hooks on duplicate invocation to fix double-registration under dual-config. Public-surface hardening (v0.12.0): plugin entry now Node-loadable, CI gates export shape. Localhost RPC layer wires server ↔ TUI. Fro Bot agent v0.42.2 → v0.44.3. Renovate preset `marcusrbrown/renovate-config#4.5.8` → `#5.2.0`. `@opencode-ai/sdk` peer dep removed (v0.6.0, was never imported). `@opencode-ai/plugin` peer narrowed `>=1.14.0` → `>=1.14.41`. zod pinned `^4.3.0` with `overrides` (v0.7.0) to dodge dual-zod TS2883. Tests grew from ~6 to 21 unit files plus integration. 3 open issues (same as prior), 4 open PRs (Renovate + one Fro Bot self-correction). | diff --git a/knowledge/wiki/repos/marcusrbrown--renovate-config.md b/knowledge/wiki/repos/marcusrbrown--renovate-config.md index b80d8d425..c166231c0 100644 --- a/knowledge/wiki/repos/marcusrbrown--renovate-config.md +++ b/knowledge/wiki/repos/marcusrbrown--renovate-config.md 
@@ -2,11 +2,14 @@ type: repo title: "marcusrbrown/renovate-config — Shareable Renovate Configuration Presets" created: 2026-04-28 -updated: 2026-04-28 +updated: 2026-05-23 sources: - url: https://github.com/marcusrbrown/renovate-config sha: bf13a82fca143cd0cdcc9c5f12ef56c2b5196c20 accessed: 2026-04-28 + - url: https://github.com/marcusrbrown/renovate-config + sha: 3478c88753d113b21c7cf10d9e58fd2f9be7e96a + accessed: 2026-05-23 tags: [renovate, renovate-config, renovate-preset, semantic-release, dependency-management] aliases: [renovate-config] related: @@ -26,6 +29,7 @@ related: - marcusrbrown--marcusrbrown-github-io - marcusrbrown--opencode-copilot-delegate - marcusrbrown--esphome-life + - bfra-me--renovate-action --- # marcusrbrown/renovate-config @@ -42,12 +46,13 @@ Shareable [Renovate](https://docs.renovatebot.com/) configuration presets for Ma | Language | JavaScript (config-only; no application code) | | Created | 2022-05-03 | | Default branch | `main` | -| Latest release | `4.5.8` (2026-04-17) | +| Latest release | `5.2.0` (2026-05-13) — major-version boundary crossed since prior survey | | Node.js | 24.15.0 (`.node-version`) | -| Package manager | pnpm 10.33.2 | +| Package manager | pnpm 11.1.3 (was 10.33.2 at 2026-04-28) | | Topics | renovate, renovate-config, renovate-preset, renovatebot, renovate-by-githubaction, semantic-release | -| Open issues | 46 | -| Stars / Watchers / Forks | 0 / 0 / 0 | +| Open issues | 6 (was 46 at 2026-04-28; the daily-issue sprawl was consolidated into the perpetual `Daily Autohealing Report`) | +| Open PRs | 1 (#1311 picomatch@2 v4 by mrbro-bot) | +| Stars / Watchers / Forks | 0 / 2 / 0 | ## Preset Architecture 
@@ -57,21 +62,24 @@ Three preset files define the Renovate policy surface: The main preset extended by downstream repos via `github>marcusrbrown/renovate-config` (or pinned to a release, e.g., `#4.5.8`). -Extends: -- `github>bfra-me/renovate-config#5.2.1` — base config from the bfra-me organization -- `github>bfra-me/renovate-config:fro-bot.json5#5.2.1` — Fro Bot-specific overrides from bfra-me +Extends (as of v5.2.0): - `:assignAndReview(marcusrbrown)` — auto-assign PRs to Marcus -- `:disableRateLimiting` — no hourly/concurrent PR caps - `:preserveSemverRanges` — keep `^`/`~` ranges as-is +- `group:allNonMajor` — **new in v5**: groups non-major updates from upstream presets (counterbalanced by an unstable-package opt-out, see below) - `npm:unpublishSafe` — wait for npm unpublish window before updating - `helpers:pinGitHubActionDigestsToSemver` — pin GitHub Actions by digest with semver tag comments +- `github>bfra-me/renovate-config#5.2.1` — base config from the bfra-me organization +- `github>bfra-me/renovate-config:fro-bot.json5#5.2.1` — Fro Bot-specific overrides from bfra-me + +The `:disableRateLimiting` preset present in v4 has been **dropped from the extends list** in v5; rate-limiting now defers to the bfra-me base preset's defaults. 
Key package rules: - **semantic-release grouping:** Groups major updates of `semantic-release` and `conventional-changelog-conventionalcommits` with `semanticCommitType: feat` -- **Own-project fast-track:** Automerges `@bfra.me/*`, `bfra-me/*`, `@fro.bot/*`, `fro-bot/*`, `@marcusrbrown/*`, `marcusrbrown/*`, and `pro-actions/*` packages with no minimum release age and immediate PR creation +- **Own-project fast-track:** Automerges `@bfra.me/*`, `bfra-me/*`, `@fro.bot/*`, `fro-bot/*`, `@marcusrbrown/*` (regex `/^@?marcusrbrown/`), `marcusrbrown/*`, and `pro-actions/*` packages with no minimum release age and immediate PR creation - **Source URL fast-track:** Same immediate/no-age treatment for packages sourced from `github.com/bfra-me`, `github.com/fro-bot`, or `github.com/marcusrbrown` - **Self-reference labeling:** Commits touching `marcusrbrown/renovate-config` use topic `{{{depName}}} preset` -- **Minimum version floor:** Consumers of this preset must be on `>=4.0.0` +- **Minimum version floor:** Consumers of this preset must be on `>=5.0.0` (was `>=4.0.0` in v4.x — **breaking change** for any consumer still pinned below v5) +- **Unstable (0.x) ungrouping (v5.x):** `matchCurrentVersion: /^0\./` sets `groupName: null`, peeling 0.x packages back out of `group:allNonMajor` so each pre-release lib gets its own PR. This is the safety valve that makes the new `group:allNonMajor` extension tolerable for downstream consumers. Schedule: `at any time` (no restriction). 
@@ -136,50 +144,57 @@ Uses reusable workflow `bfra-me/.github/.github/workflows/renovate.yaml@v4.16.9` ## Fro Bot Integration -**Fro Bot workflow present and active** — `fro-bot.yaml` with `fro-bot/agent@v0.42.2` (SHA `94d8a156570d68d2461ab496b589e63bdcd6ba84`). +**Fro Bot workflow present and active** — `fro-bot.yaml` with `fro-bot/agent@v0.44.3` (SHA `b928e79729f01b563feabee26a0525a3b48501a6`). Trigger surface: - Issue comments, PR review comments, discussion comments (mentioning `@fro-bot`) -- Issues opened/edited (non-bot) +- Issues opened/edited (non-bot, OWNER/MEMBER/COLLABORATOR only) - PRs opened/synced/reopened/ready_for_review/review_requested (non-bot, non-fork) - Daily schedule at 15:30 UTC - Manual dispatch with custom prompt - Reusable `workflow_call` with prompt input -PR review prompt is domain-specific to Renovate configuration: -- JSON schema compliance -- Backward compatibility for version-pinned consumers -- packageRules correctness (matchers, grouping, automerge, schedules) -- Security implications of update policies +**Architectural shift since prior survey:** the separate `fro-bot-autoheal.yaml` is gone. Autoheal now lives inside `fro-bot.yaml` itself, with the schedule prompt covering both maintenance and autoheal categories under a single perpetual issue. Mirrors the single-file three-mode pattern observed in [[marcusrbrown--marcusrbrown-github-io]], though here the dispatch surface is a single freeform `prompt` input rather than a `mode` enum. 
+ +PR review prompt remains domain-specific to Renovate configuration: +- JSON schema compliance against `https://docs.renovatebot.com/renovate-schema.json` +- Backward compatibility for consumers pinning to major version branches +- packageRules correctness (`matchPackageNames` patterns, grouping logic, automerge conditions, schedule expressions) +- Security implications of dependency update policies (`minimumReleaseAge`, vulnerability settings, `npm:unpublishSafe`) - Downstream PR storm risk assessment -- Structured verdict: PASS / CONDITIONAL / REJECT with blocking issues, non-blocking concerns, missing tests, and risk assessment +- Consistency with the base preset extended from `bfra-me/renovate-config` +- Structured verdict: PASS / CONDITIONAL / REJECT with blocking issues, non-blocking concerns, missing tests, and risk assessment (LOW/MED/HIGH + rationale) +- Hard ban on push, branch creation, merge, approve, request-reviewers, or @-mentioning other users -Schedule prompt: rolling daily maintenance issue with 14-day bounded history, stale issue/PR tracking, and recommended actions. +Daily autohealing categories (now 6, was 5): -**Fro Bot Autoheal** — `fro-bot-autoheal.yaml`, daily at 03:30 UTC, reuses `fro-bot.yaml` via `workflow_call`. +1. **Errored PRs** — diagnose and fix failing CI on open PRs (skip dep/security PRs, verify author trust, do not run project commands from PR branches that touch workflows/automation prompts/lockfiles/execution scripts) +2. **Security** — remediate Dependabot/Renovate security alerts and failing security PRs; explicit "if alert data unavailable, skip and note" branch +3. **Config Validation & Preset Quality** — validate all preset JSON/JSON5 against Renovate schema, check for deprecated options, verify base preset pin is released and not auto-bumped (Renovate owns version bumps), detect rule conflicts, run lint +4. **Developer Experience** — lint/format auto-fix PRs only (never direct-to-`main` commits) +5. 
**Cross-Project Intelligence (Inbound)** — survey focus repos (`marcusrbrown/yield-farmer`, `marcusrbrown/poly`, `marcusrbrown/.github`, `bfra-me/renovate-config`, `fro-bot/agent`) for tooling/CI/preset patterns worth importing; **observation-only**, never modify other repos. Replaces v4's "bfra-me Ecosystem Health" category — the focus repo list explicitly includes Marcus repos not yet surveyed in this wiki (`yield-farmer`, `poly`). +6. **Upstream Modernization Watch (Sundays only)** — **new category**. Gated by `IS_SUNDAY_UTC` env var set by a preflight `date -u +%u` step. Parses release notes for pinned upstreams (`fro-bot/agent`, `actions/checkout`, `pnpm/action-setup`, `actions/setup-node`, `@bfra.me/eslint-config`, `@bfra.me/prettier-config`) and identifies config/feature adoption opportunities. Action policy: at most one draft PR per scan, only for mechanical changes touching docstrings/AGENTS.md/config examples; anything touching `.github/workflows/`, `package.json`, lockfile, or preset JSON is **tracking-issue-only** (never opens a PR). Hard rule: never bump pinned versions — Renovate owns that. -Five autohealing categories: -1. **Errored PRs** — diagnose and fix failing CI on open PRs (skip dep/security PRs, verify author trust) -2. **Security** — remediate Dependabot/Renovate security alerts and failing security PRs -3. **Config Validation & Preset Quality** — validate all preset JSON/JSON5 against Renovate schema, check for deprecated options, verify base preset pin, detect rule conflicts, run lint -4. **Developer Experience** — lint/format auto-fix PRs -5. **bfra-me Ecosystem Health** — report-only audit of action pinning, reusable workflow versions, Scorecard/CodeQL drift, stale TODOs +Single-issue management: the perpetual `Daily Autohealing Report` issue receives prepended dated sections; dated-format daily issues are auto-consolidated and closed with a link to the perpetual issue. 
This is the same single-perpetual-issue strategy observed across [[bfra-me--ha-addon-repository]], [[bfra-me--works]], and [[bfra-me--github]] — and explains the open-issue count crash from 46 → 6 since the prior survey. ## Dev Tooling | Tool | Version / Config | | --- | --- | -| ESLint | 10.2.1, extends `@bfra.me/eslint-config` 0.51.0 | -| Prettier | 3.8.3, extends `@bfra.me/prettier-config/120-proof` | -| lint-staged | 16.4.0 (`*.{js,json,jsx,md,toml,ts,tsx,yml,yaml}`) | +| ESLint | 10.4.0, extends `@bfra.me/eslint-config` 0.51.1 | +| Prettier | 3.8.3, extends `@bfra.me/prettier-config/120-proof` (0.16.9) | +| lint-staged | 17.0.5 (`*.{js,json,jsx,md,toml,ts,tsx,yml,yaml}`) — major bump from 16.4.0 | | simple-git-hooks | 2.13.1 (pre-commit runs lint-staged) | | semantic-release | 25.0.3 | | eslint-config-prettier | 10.1.8 | | eslint-plugin-prettier | 5.5.5 | | markdownlint | 0.40.0 | +| conventional-changelog-conventionalcommits | 9.3.1 | ESLint config (`eslint.config.js`) is a single re-export of `@bfra.me/eslint-config` — no local overrides. +**pnpm overrides for supply-chain hardening** (new since prior survey): `fast-uri >=3.1.2`, `flatted >=3.4.2`, `handlebars >=4.7.9`, `lodash-es >=4.18.0`, `picomatch@2 ^2.3.2`, `picomatch@4 ^4.0.4`. Mirrors the same override approach used in [[marcusrbrown--mrbro-dev]] and [[marcusrbrown--marcusrbrown-github-io]] — a config-only repo carrying transitive-dep pins because npm advisory floors propagate via the lockfile. + ## Probot Settings `.github/settings.yml` extends `fro-bot/.github:common-settings.yaml`: 
@@ -203,29 +218,35 @@ Contains comprehensive AI development guidance: This preset is the dependency-update policy backbone of the entire `marcusrbrown` ecosystem. Known consumers (from wiki surveys): -| Consumer | Pin | Post-Upgrade Tasks | +| Consumer | Pin (most recent survey) | Post-Upgrade Tasks | | --- | --- | --- | -| [[marcusrbrown--ha-config]] | `#4.5.8` | Prettier | +| [[marcusrbrown--ha-config]] | `#5.2.0` (crossed v4→v5 boundary on 2026-05-16 via #776) | Prettier | | [[marcusrbrown--github]] | `#4.5.8` | `npx prettier --write .` | | [[marcusrbrown--containers]] | `#4.5.0` | `pnpm install && pnpm format` | | [[marcusrbrown--dotfiles]] | `#4.5.8` | — | | [[marcusrbrown--gpt]] | `#4.5.8` | — | -| [[marcusrbrown--vbs]] | `#4.5.8` | `pnpm install && pnpm fix` | -| [[marcusrbrown--copiloting]] | `#v4` | — | +| [[marcusrbrown--vbs]] | `#4.5.9` | `pnpm install && pnpm fix` | +| [[marcusrbrown--copiloting]] | `#v4` (floating major-version branch) | — | | [[marcusrbrown--extend-vscode]] | `#4.5.0` + `sanity-io/renovate-config` | — | | [[marcusrbrown--infra]] | `#4.5.8` | `bun install --ignore-scripts && bun run fix` | | [[marcusrbrown--mrbro-dev]] | `#4.5.8` | — | | [[marcusrbrown--tokentoilet]] | `#4.5.8` | — | | [[marcusrbrown--marcusrbrown]] | `#4.5.1` | bootstrap + fix | -| [[marcusrbrown--marcusrbrown-github-io]] | `#4.5.8` | — | +| [[marcusrbrown--marcusrbrown-github-io]] | `#5.2.0` (crossed v4→v5 boundary on 2026-05-16 via #406) | — | | [[marcusrbrown--systematic]] | extends + `sanity-io/renovate-config:semantic-commit-type` | — | -| [[marcusrbrown--opencode-copilot-delegate]] | `#4.5.8` | bun install + fix + build | +| [[marcusrbrown--opencode-copilot-delegate]] | `#5.2.0` (crossed v4→v5 boundary, prior survey 2026-05-21) | bun install + fix + build | | [[marcusrbrown--esphome-life]] | `#4.5.1` | — | +| [[marcusrbrown--sparkle]] | `#4.5.9` | — | + +**v4→v5 migration wave** (since 2026-04-28): `ha-config`, `marcusrbrown.github.io`, and 
`opencode-copilot-delegate` have all bumped to `#5.2.0` and survived the breaking change (`group:allNonMajor` extends, `>=5.0.0` floor, dropped `:disableRateLimiting`). Migrations were straightforward Renovate-authored PRs — no consumer required manual config overrides. + +**Outstanding v4 holdouts:** `containers` and `extend-vscode` (still `#4.5.0`), `marcusrbrown` (`#4.5.1`), `esphome-life` (`#4.5.1`), `copiloting` (floating `#v4`), plus a long tail still on `#4.5.8`/`#4.5.9`. None will be force-bumped — Renovate routes the upgrade as a major PR per repo, and each consumer's preset pin policy decides timing. -Notable: `marcusrbrown--copiloting` pins to the floating `#v4` major branch rather than a specific release. `marcusrbrown--containers` and `marcusrbrown--extend-vscode` are on the older `#4.5.0` pin. +**Pre-survey concern resolved:** the prior survey flagged the `bf13a82` SHA against a `#4.5.8` release. The repo has since shipped seven releases (`5.0.1`, `5.0.2`, `5.1.0`, `5.1.1`, `5.2.0`, plus a 4.5.9 patch). ## Survey History | Date | SHA | Notes | | --- | --- | --- | -| 2026-04-28 | `bf13a82` | Initial survey | +| 2026-04-28 | `bf13a82` | Initial survey; v4.5.8, agent v0.42.2, 46 open issues, separate `fro-bot-autoheal.yaml` | +| 2026-05-23 | `3478c88` | v4→v5 boundary crossed (5.2.0); agent v0.44.3; autoheal merged into `fro-bot.yaml`; new category 6 Sundays-only Upstream Modernization Watch; 0.x ungrouping rule; minimum version floor `>=5.0.0`; pnpm 11.1.3; lint-staged 17.0.5; pnpm overrides for fast-uri/flatted/handlebars/lodash-es/picomatch; open issues 46 → 6 | diff --git a/knowledge/wiki/repos/marcusrbrown--sparkle.md b/knowledge/wiki/repos/marcusrbrown--sparkle.md index 424628809..3387b1926 100644 --- a/knowledge/wiki/repos/marcusrbrown--sparkle.md +++ b/knowledge/wiki/repos/marcusrbrown--sparkle.md 
@@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/sparkle" created: 2026-04-28 -updated: 2026-05-01 +updated: 2026-05-23 sources: - url: https://github.com/marcusrbrown/sparkle sha: 770356b3c83cec08a666960eab9c5fb4e1ab2a85 @@ -13,6 +13,9 @@ sources: - url: https://github.com/marcusrbrown/sparkle sha: 712ab1bc2fdcd59ec9b8a2d71ad6d9ca88a023c5 accessed: 2026-05-01 + - url: https://github.com/marcusrbrown/sparkle + sha: e757fa66aa223f4ccb8af16838d937562b97f713 + accessed: 2026-05-23 tags: [typescript, react, react-native, monorepo, design-system, storybook, tailwindcss, radix-ui, turborepo, expo, vite, astro, github-pages, zig, wasm] aliases: [sparkle] related: @@ -58,6 +61,8 @@ related: | Monorepo tools | `@manypkg/cli` (workspace consistency checks), Changesets (versioning) | | Bundler | tsdown (library packages), Vite (apps), Astro (docs) | +_Toolchain drift (2026-05-23 survey at SHA `e757fa6`):_ pnpm 10.33.4, Node.js 24.16.0, Turborepo 2.9.14, `@bfra.me/eslint-config` 0.51.1, `@bfra.me/prettier-config` 0.16.9 (still `120-proof`), `@bfra.me/tsconfig` 0.13.1. TypeScript 5.9.3 unchanged. No engine-level shifts — strict-mode TypeScript + ESM-only `"type": "module"` are stable invariants across surveys. + ## Architecture ### Workspace Layout 
@@ -184,7 +189,7 @@ Missing Fro Bot capabilities: ## Developer Tooling -- **Renovate:** Extends `marcusrbrown/renovate-config#4.5.9` + `sanity-io/renovate-config:semantic-commit-type` + `:preserveSemverRanges`. Post-upgrade runs `pnpm bootstrap && pnpm fix`. React Native package grouping rules. Automerge on unstable minor/patch for `@astrojs/check` and `typedoc`. PR creation: `immediate`. +- **Renovate:** Extends `marcusrbrown/renovate-config#5.2.0` (major-bumped from `#4.5.9` between 2026-05-01 and 2026-05-23 — same ecosystem-wide cutover seen across the Marcus and Fro Bot portfolios) + `sanity-io/renovate-config:semantic-commit-type` + `:preserveSemverRanges`. Post-upgrade runs `pnpm bootstrap && pnpm fix`. React Native package grouping rules. Automerge on unstable minor/patch for `@astrojs/check` and `typedoc`. PR creation: `immediate`. - **Probot Settings:** Extends `fro-bot/.github:common-settings.yaml` — confirmed Fro Bot ecosystem membership. - **Git hooks:** `simple-git-hooks` runs `nano-staged` on pre-commit. nano-staged runs `eslint --fix` on TS/JS/CSS/MD/JSON/YAML and `sort-package-json` on package.json files. - **Monorepo validation:** `@manypkg/cli` checks workspace consistency. `scripts/validate-dependencies.ts` validates deps. `scripts/validate-turbo.ts` validates Turbo config. `scripts/validate-build.ts` validates build output. 
@@ -211,12 +216,12 @@ Missing Fro Bot capabilities: | Feature | Sparkle | Portfolio Standard | | --- | --- | --- | | Probot settings | `fro-bot/.github:common-settings.yaml` | Same | -| Renovate preset | `marcusrbrown/renovate-config#4.5.9` | Same | -| ESLint config | `@bfra.me/eslint-config` 0.51.0 | Same (version varies) | -| Prettier config | `@bfra.me/prettier-config` 0.16.8 (`120-proof`) | Same | -| TS config | `@bfra.me/tsconfig` 0.13.0 | Same | -| pnpm | 10.33.2 | ~10.33.x | -| Node.js | 24.15.0 | 22–24 | +| Renovate preset | `marcusrbrown/renovate-config#5.2.0` | Same (major-bumped portfolio-wide) | +| ESLint config | `@bfra.me/eslint-config` 0.51.1 | Same (version varies) | +| Prettier config | `@bfra.me/prettier-config` 0.16.9 (`120-proof`) | Same | +| TS config | `@bfra.me/tsconfig` 0.13.1 | Same | +| pnpm | 10.33.4 | ~10.33.x | +| Node.js | 24.16.0 | 22–24 | | TypeScript | 5.9.3 | 5.9–6.0 | | Fro Bot workflow | **Missing** | Present in most active repos | | Fro Bot autoheal | **Missing** | Present in most active repos | 
@@ -225,17 +230,21 @@ Missing Fro Bot capabilities: ## Open PRs and Issues +_As of 2026-05-23 survey (SHA `e757fa6`):_ + ### Open PRs (2) -- **#1604** — `fix(deps): update dependency astro to v6 [SECURITY]` (Renovate, security) -- **#1507** — `chore(dev): update dependency @storybook/test-runner to v0.24.3` (Renovate) +- **#1646** — `chore(dev): update dependency @storybook/test-runner to v0.24.4` (mrbro-bot[bot] / Renovate; supersedes prior #1507 at v0.24.3) +- **#1604** — `fix(deps): update dependency astro to v6 [SECURITY]` (mrbro-bot[bot] / Renovate, security) — still open across three consecutive surveys -### Open Issues (5) +### Open Issues (3) - **#876** — [Feature] Astro Starlight Documentation - Phase 6: Deployment and CI/CD - **#212** — Dependency Dashboard - **#57** — Uplift `sparkle` +_Prior survey (2026-05-01) reported 5 open issues; current count is 3. The two delta'd issues were closed between surveys; specific numbers not re-enumerated here. The Astro v6 security PR has been open across all surveys from 2026-05-01 onward — worth flagging if Sparkle ever gets an autoheal workflow._ + ## Survey History | Date | SHA | Delta | 
@@ -243,3 +252,4 @@ Missing Fro Bot capabilities: | 2026-04-28 | `770356b` | Initial survey — full page created | | 2026-04-30 | `712ab1b` | Re-survey — Renovate preset bumped `#4.5.8` → `#4.5.9`, `bfra-me/.github` reusable workflows bumped to v4.16.11, lockfile maintenance. No structural changes. | | 2026-05-01 | `712ab1b` | Re-survey — SHA unchanged. Open PRs: 2 (including Astro v6 security update #1604). Open issues: 5. No structural changes. Still no Fro Bot agent workflow. | +| 2026-05-23 | `e757fa6` | Re-survey — Renovate preset major-bumped `#4.5.9` → `#5.2.0` (matches the ecosystem-wide cutover seen in [[marcusrbrown--opencode-copilot-delegate]] and others). Node `24.15.0` → `24.16.0`. pnpm `10.33.2` → `10.33.4`. turbo `2.9.6` → `2.9.14`. `@bfra.me/eslint-config` `0.51.0` → `0.51.1`, `@bfra.me/prettier-config` `0.16.8` → `0.16.9`, `@bfra.me/tsconfig` `0.13.0` → `0.13.1`. Open PRs: 2 (Renovate `@storybook/test-runner` #1646 replaces prior #1507; Astro v6 security #1604 still open and unmerged). Open issues: 3 (#876, #212, #57) — drop from 5; #876 Phase-6 docs deployment still open. Workflows unchanged (6 files). Still no Fro Bot agent workflow. | diff --git a/knowledge/wiki/repos/marcusrbrown--systematic.md b/knowledge/wiki/repos/marcusrbrown--systematic.md index 9ac84bf00..5b5d1ea71 100644 --- a/knowledge/wiki/repos/marcusrbrown--systematic.md +++ b/knowledge/wiki/repos/marcusrbrown--systematic.md @@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/systematic" created: 2026-04-24 -updated: 2026-05-06 +updated: 2026-05-28 sources: - url: https://github.com/marcusrbrown/systematic sha: ef02119abd801487dc0e53a43ac2d6b6433873ab 
@@ -10,7 +10,10 @@ sources: - url: https://github.com/marcusrbrown/systematic sha: 420ef650215a9ca8cefa01f125e02434e351952e accessed: 2026-05-06 -tags: [opencode, plugin, ai, workflow, typescript, bun, biome, semantic-release, npm] + - url: https://github.com/marcusrbrown/systematic + sha: 9b7570782190d540b4d57abdd94cf7ca8e1984f1 + accessed: 2026-05-28 +tags: [opencode, plugin, ai, workflow, typescript, bun, biome, semantic-release, npm, zod, json-schema] related: - marcusrbrown--opencode-copilot-delegate - marcusrbrown--dotfiles @@ -28,13 +31,13 @@ OpenCode plugin providing structured engineering workflows for AI-powered develo | Attribute | Value | | --------------- | ---------------------------------------------------- | | Created | 2026-01-24 | -| Last push | 2026-05-06 | -| Latest release | v2.7.3 (2026-05-05) | +| Last push | 2026-05-28 | +| Latest release | v2.24.0 (2026-05-27) | | Language | TypeScript (strict, ESM) | | Runtime | Bun | | License | MIT | -| Stars | 14 | -| Open issues | 4 | +| Stars | 22 | +| Open issues | 3 (Weekly Maintenance #157, Daily Autohealing #153, Dependency Dashboard #15) | | Homepage | https://fro.bot/systematic | | npm | `@fro.bot/systematic` | | Default branch | main | 
@@ -56,27 +59,45 @@ The plugin implements three OpenCode hooks: ### Source Modules (`src/lib/`) -| Module | Role | -| ------------------ | ---------------------------------------------- | -| `config-handler.ts`| Config hook — merges bundled assets | -| `skill-tool.ts` | `systematic_skill` tool factory | -| `skill-loader.ts` | Skill content loading and formatting | -| `bootstrap.ts` | System prompt injection | -| `converter.ts` | CEP-to-OpenCode content conversion (CLI) | -| `frontmatter.ts` | YAML frontmatter parsing | -| `plugin-singleton.ts`| Factory deduplication across opencode.json sources (v2.7.2) | -| `validation.ts` | Agent config validation and type guards | -| `skills.ts` | Skill discovery (highest centrality in codebase)| -| `agents.ts` | Agent discovery (category from subdirectory) | -| `commands.ts` | Command discovery (backward compat) | -| `config.ts` | JSONC config loading and merging | -| `walk-dir.ts` | Recursive directory walker | +| Module | Role | +| ------------------------- | ---------------------------------------------- | +| `config-handler.ts` | Config hook — merges bundled assets | +| `config-schema.ts` | Zod schema for `systematic.json` user config (v2.16+); typed bundled-name validation with IDE autocomplete (#384) | +| `config.ts` | JSONC config loading and merging; surfaces every Zod issue in top-level error message (#398); project-local Systematic overrides global Systematic output (#370) | +| `skill-tool.ts` | `systematic_skill` tool factory | +| `skill-loader.ts` | Skill content loading and formatting | +| `skill-catalog.ts` | Bootstrap-injected catalog of available skills (v2.18+, #365) | +| `bootstrap.ts` | System prompt injection; SUBAGENT-STOP block + Instruction Priority section in `using-systematic` (#405); simplified skill usage guidance (#368) | +| `bundled-names.ts` | Generated registry of bundled skill/agent names for typed validation | +| `agents.ts` | Agent discovery (category from subdirectory) | +| `agent-colors.ts` | 
Per-category color assignments for agents | +| `agent-overlays.ts` | Model availability overlay for agent selection; memoized per OpencodeClient instance (#383); collapses empty cache/discovery to unknown status (#378, #372) | +| `model-availability.ts` | Runs discovery before validation (#372, #376); upstream of overlay | +| `source-model-defaults.ts`| Default model assignments per agent/skill source | +| `skills.ts` | Skill discovery (highest centrality in codebase)| +| `commands.ts` | Command discovery (backward compat) | +| `converter.ts` | CEP-to-OpenCode content conversion (CLI) | +| `frontmatter.ts` | YAML frontmatter parsing | +| `validation.ts` | Agent config validation and type guards | +| `walk-dir.ts` | Recursive directory walker | + +`plugin-singleton.ts` (introduced v2.7.2) has been folded into the broader factory layer — modules now coordinate via the config-handler entry point. Per-process singleton semantics are preserved. ### Bundled Assets -- **46 skills** in `skills/` — Core CE workflows (`ce:brainstorm`, `ce:plan`, `ce:review`, `ce:work`, `ce:compound`, `ce:ideate`), development tools (`agent-browser`, `frontend-design`, `git-worktree`, `orchestrating-swarms`), specialized skills (`dhh-rails-style`, `dspy-ruby`, `gemini-imagegen`, `proof`, `rclone`), autonomous workflows (`lfg`, `slfg`). Skill authoring guardrails added in v2.7.0 (#325). 
-- **50 agents** in `agents/` across 6 categories: `design/`, `docs/`, `document-review/`, `research/`, `review/`, `workflow/` -- **OCX registry** in `registry/` — Component-level installation via `ocx` CLI with named profiles (`omo`, `standalone`) +- **47 skills** in `skills/` — Core CE workflows (`ce:brainstorm`, `ce:plan`, `ce:review`, `ce:work`, `ce:compound`, `ce:compound-refresh`, `ce:ideate`), development tools (`agent-browser`, `frontend-design`, `git-worktree`, `git-commit`, `git-commit-push-pr`, `git-clean-gone-branches`), specialized skills (`dhh-rails-style`, `dspy-ruby`, `gemini-imagegen`, `proof`, `rclone`, `andrew-kane-gem-writer`), engineering practice (`test-driven-development`, `writing-skills`, `writing-systematic-skills` — imported from obra/superpowers in #394), autonomous workflows (`lfg`, `slfg`), release automation (`release-notes-narrative` — new in v2.23.0, #429). Deprecation surface introduced in v2.18+ marks `orchestrating-swarms` and `claude-permissions-optimizer` (#401). 
+- **51 agents** in `agents/` across 6 categories: `design/` (3), `docs/` (1), `document-review/` (7), `research/` (7), `review/` (28), `workflow/` (5) +- **OCX registry** in `registry/` — Component-level installation via `ocx` CLI with named profiles (`omo`, `standalone`); v2.20.6 of the registry was the last published before the v2.21+ launch-surface refresh + +### Configuration Schema + +Starting in the v2.14–v2.17 arc, `systematic.json` user config is fully Zod-typed: + +- `config-schema.ts` defines the canonical schema; `scripts/generate-config-schema.ts` emits a JSON Schema published at `fro.bot/systematic/schemas/v2/` (consumed by IDEs for autocomplete) +- `schema:drift` script gates the generated schema in CI +- Schema construction uses a factory pattern (#393) for composability +- Unrecognized keys and invalid values produce per-issue diagnostics surfaced in the top-level error message (#390, #398) +- Bundled skill/agent names are validated against `bundled-names.ts` for typo detection ### CLI 
@@ -105,13 +126,12 @@ This divergence is deliberate — the plugin targets Bun as OpenCode's native ru ## CI/CD -9 GitHub Actions workflows: +8 GitHub Actions workflows (consolidated from 9 — `fro-bot-autoheal.yaml` merged into `fro-bot.yaml` in #446): | Workflow | Purpose | Trigger | | ------------------------- | ---------------------------------------------------- | -------------------------------- | | **Main** | Build, typecheck, lint, test, registry validate, docs build, release | PR, push to main, dispatch | -| **Fro Bot** | PR review, weekly maintenance, @fro-bot mentions, dispatch | PR, issue, comment, schedule (Mon 09:00 UTC), dispatch | -| **Fro Bot Autoheal** | Daily repo autohealing (4 categories) | Daily 03:30 UTC, dispatch | +| **Fro Bot** | PR review + weekly maintenance + daily autohealing in a single workflow with three operating modes routed via an inline PROMPT ternary | PR, issue, comment, discussion_comment, schedule (Mon 09:00 UTC review; daily 03:30 UTC autoheal), workflow_call, workflow_dispatch (mode: review/maintenance/autoheal) | | **Renovate** | Dependency updates via reusable workflow | Issue/PR edits, push, workflow_run, dispatch | | **CodeQL** | Security vulnerability analysis | PR, push, schedule | | **Scorecard** | OpenSSF supply-chain security | Push to main, schedule | 
@@ -133,18 +153,16 @@ Required status checks: Build, Docs Build, Fro Bot, Typecheck, Lint, Test, Regis ## Fro Bot Integration -**Fully active.** Three workflow files: +**Fully active.** Consolidated into a single workflow file as of #446 (v2.23+ era): -- `fro-bot.yaml` — `fro-bot/agent@v0.42.7` (SHA `30a8e428`) - - PR review with TypeScript/Bun/Biome-specific prompt (type safety, ESM conventions, no classes, breaking change detection, security implications for prompt injection) - - Weekly maintenance report (rolling issue, 28-day window) - - `@fro-bot` mention responses (OWNER/MEMBER/COLLABORATOR gated) - - `workflow_call` support for reuse from autoheal -- `fro-bot-autoheal.yaml` — Daily autohealing with 4-category sweep: - 1. Errored PRs (CI fix and push) - 2. Security (Dependabot/Renovate alerts) - 3. Health & Maintenance (major version updates, Action SHA pinning) - 4. Developer Experience (typecheck, lint fixes) +- `fro-bot.yaml` — `fro-bot/agent@v0.45.0` (SHA `8aac0fc36437a6c871321fa3389033c8262504b7`). Three operating modes selected by an inline `PROMPT` ternary keyed on `event_name × mode × cron`: + 1. **PR review** — `PR_REVIEW_PROMPT` env, TypeScript/Bun/Biome-specific (type safety, ESM conventions, zero-class convention, breaking change detection, security implications for prompt injection) + 2. **Weekly maintenance** — `MAINTENANCE_PROMPT` env, Mon 09:00 UTC, rolling issue with 28-day window + 3. 
**Daily autoheal** — `AUTOHEAL_PROMPT` env, daily 03:30 UTC, 4-category sweep: errored PRs (CI fix and push), security (Dependabot/Renovate alerts), health & maintenance (major version updates, Action SHA pinning), developer experience (typecheck, lint fixes) +- `workflow_call` accepts `prompt` (required) and optional `correlation-id` — used by the `release-notes-narrative` automation to dispatch verbatim prompts and match dispatched runs by scanning early log output (#430, #432, #433, #434) +- `workflow_dispatch` accepts `mode`, `prompt`, `correlation-id`; non-empty `prompt` is honored verbatim regardless of `mode` (this precedence is mandatory for the release-notes contract — documented inline in #450) +- `@fro-bot` mention responses (OWNER/MEMBER/COLLABORATOR gated) +- Fork-PR guard for `issue_comment` events handled by an explicit API-query step because `github.event.pull_request` is null on that path (#451). Other PR-adjacent event types (`pull_request`, `pull_request_review_comment`) catch forks via the top-level `if:` gate. ### PR Review Prompt Conventions 
@@ -192,19 +210,29 @@ Extends `fro-bot/.github:common-settings.yaml` — same pattern as [[marcusrbrow | v2.7.1 | 2026-05-01 | Stabilize system prompt prefix (#329) | | v2.7.2 | 2026-05-04 | Deduplicate factory registration across opencode.json sources (#335) | | v2.7.3 | 2026-05-05 | Omit `model` field from all 50 bundled agents (#336, upstream fix for sst/opencode#17888) | +| v2.14–v2.17 arc | 2026-05-13 → 2026-05-20 | Typed config validation: Zod-driven `systematic.json` schema, per-issue diagnostics (#388, #390, #393, #394, #397, #398); test-driven-development + writing-skills imported from obra/superpowers (#394); schema `$ref` dedup | +| v2.18.0 | ~2026-05-21 | Skill catalog moved into system prompt (#365); deprecation surface for `orchestrating-swarms` and `claude-permissions-optimizer` (#401) | +| v2.19.0 | 2026-05-21 | SUBAGENT-STOP block + Instruction Priority section injected into `using-systematic` bootstrap (#405); v3.0.0 CC-residue excision plan committed (#403) | +| v2.20.x | 2026-05-21 | Overlay hardening: discovery before validation (#372), empty-cache to unknown status (#378), per-client memoization (#383); project-local Systematic overrides global Systematic output (#370); registry advanced to v2.20.6 with 103 components (51 agents, 47 skills, 2 bundles, 2 profiles, 1 plugin) | +| v2.21.0 | 2026-05-23 | Launch-surface cleanup (#428): README, home, Quick Start, config docs, contributor docs | +| v2.22.0 | 2026-05-23 | New `release-notes-narrative` project-scoped skill (#429) | +| v2.23.0–v2.23.6 | 2026-05-23 → 2026-05-27 | Automated release-notes-narrative via `@semantic-release/exec` (#430); successCmd extraction to `scripts/dispatch-release-notes.sh` (#432); bash escape for Lodash render (#431); timestamp-based run identification replacing log-scan (#434); correlation-id input on `fro-bot.yaml` (#433); docs modernization (#421, #422); design-iterator + docs aligned with Impeccable design laws (#418, #419) | +| v2.24.0 | 2026-05-27 | OpenCode dep 
bumped to v1.15.10 (#442); Starlight ^0.39.0 (#444); `docs:verify` script for local CI-parity pre-checks (#445); fork-guard asymmetry documented inline (#451); PROMPT routing precedence documented inline (#450); `fro-bot.yaml` + `fro-bot-autoheal.yaml` consolidated (#446) | ## Open Issues / PRs | # | Title | Type | |---|-------|------| -| #327 | build(dev): pin dependencies | PR (Renovate) | -| #157 | Weekly Maintenance Report | Issue | -| #153 | Daily Autohealing Report | Issue | +| #157 | Weekly Maintenance Report | Issue (rolling) | +| #153 | Daily Autohealing Report | Issue (rolling) | | #15 | Dependency Dashboard | Issue (Renovate) | +0 open PRs at survey time — main is fully drained. + ## Survey History | Date | SHA | Delta | | ---------- | ---------- | ------------------------ | | 2026-04-24 | `ef02119` | Initial survey | -| 2026-05-06 | `420ef65` | 28 commits, v2.5.1→v2.7.3, skills 45→46, agent v0.41.4→v0.42.7, plugin-singleton.ts added, OCX V2, content-integrity gate, skill guardrails, model field removal | +| 2026-05-06 | `420ef65` | 28 commits, v2.5.1→v2.7.3, skills 45→46, agent v0.41.4→v0.42.7, `plugin-singleton.ts` added, OCX V2, content-integrity gate, skill guardrails, model field removal | +| 2026-05-28 | `9b75707` | ~80 commits, v2.7.3→v2.24.0, skills 46→47, agents 50→51, agent v0.42.7→v0.45.0, `fro-bot.yaml` + `fro-bot-autoheal.yaml` consolidated (#446), `plugin-singleton.ts` removed, Zod config schema arc (v2.14–v2.17), `release-notes-narrative` skill + semantic-release-driven dispatch, launch-surface cleanup, docs modernization, deprecation surface, overlay hardening, project-local override fix | diff --git a/knowledge/wiki/repos/marcusrbrown--tokentoilet.md b/knowledge/wiki/repos/marcusrbrown--tokentoilet.md index 915a0fc32..513f585af 100644 --- a/knowledge/wiki/repos/marcusrbrown--tokentoilet.md +++ b/knowledge/wiki/repos/marcusrbrown--tokentoilet.md 
@@ -2,7 +2,7 @@ type: repo title: "marcusrbrown/tokentoilet" created: 2026-04-18 -updated: 2026-05-06 +updated: 2026-05-28 sources: - url: https://github.com/marcusrbrown/tokentoilet sha: 0ed90a61784b5b85dcf925bb1255e794c4f5d6a3 @@ -16,6 +16,9 @@ sources: - url: https://github.com/marcusrbrown/tokentoilet sha: 0aa1d9a02f1a8ba5cbd95818fb6157318cf9f20b accessed: 2026-05-06 + - url: https://github.com/marcusrbrown/tokentoilet + sha: db6dbcc2d289d23377d3d80b19d5e4273008a1b2 + accessed: 2026-05-28 tags: [next-js, react, web3, defi, wagmi, reown-appkit, tailwindcss, vitest, storybook, vercel, typescript, sepolia] aliases: [tokentoilet] related: @@ -37,9 +40,9 @@ A [[web3-defi]] application for disposing of unwanted ERC-20 and ERC-721 tokens, - **Topics:** `next-js`, `react` - **License:** None specified - **Visibility:** Public -- **Package manager:** pnpm 10.33.2 -- **Open issues:** 30 -- **Open PRs:** 6 (5 Renovate, 1 Copilot security fix) +- **Package manager:** pnpm 11.3.0 (was 10.33.2 as of 2026-05-06; crossed v10→v11 on 2026-05-23) +- **Open issues:** 3 (down from 30 — significant triage between 2026-05-06 and 2026-05-28) +- **Open PRs:** 1 (single Renovate `@bfra.me/eslint-config` v0.51.1 bump) ## Core Concept 
@@ -71,16 +74,18 @@ Still not implemented: smart contracts, NFT receipts, charity integration, token | Layer | Technology | Version | | ---------- | --------------------------- | ------------------------------ | -| Framework | Next.js (App Router) | 16.2.4 | -| UI library | React | 19.2.5 | +| Framework | Next.js (App Router) | 16.2.6 | +| UI library | React | 19.2.6 | | Language | TypeScript | 6.0.3 | -| Web3 | Wagmi v2 + Reown AppKit | wagmi ^2.14.11 / appkit ^1.7.18 | -| Styling | Tailwind CSS v4 (CSS-first) | 4.2.4 | -| Testing | Vitest | 4.0.7 | -| Components | Storybook | 10.x (alpha) | +| Web3 | Wagmi v3 + Reown AppKit | wagmi ^3.0.0 / appkit ^1.7.18 (v2→v3 boundary crossed) | +| Styling | Tailwind CSS v4 (CSS-first) | 4.3.0 | +| Testing | Vitest | 4.1.7 | +| Components | Storybook | 10.4.1 (mixed with stale 9.0.0-alpha.* addons) | | Deployment | Vercel (GitHub integration) | — | | State | TanStack React Query | ^5.66.0 | | Validation | Zod | ^4.1.8 | +| Build | Vite (dev tooling) | 8.0.14 | +| Lint | ESLint | 10.4.0 | ## Repository Structure @@ -166,7 +171,7 @@ Vercel handles deployment via its GitHub integration: ## Fro Bot Integration -**Fro Bot workflow is present** (`fro-bot.yaml`). Uses `fro-bot/agent@v0.42.6` (SHA `80b2c18bb1c70df96b3f150c7827c13ca0e35655`) with: +**Fro Bot workflow is present** (`fro-bot.yaml`). Uses `fro-bot/agent@v0.45.0` (SHA `8aac0fc36437a6c871321fa3389033c8262504b7`, bumped from v0.42.6 on 2026-05-28 path) with: - **PR Review:** Structured review with Web3 security focus, mandatory verdict (PASS/CONDITIONAL/REJECT), specific review sections for blocking issues, Web3 security assessment, missing tests, risk assessment. - **Daily Autohealing (schedule):** Five-category sweep — errored PRs, security, code quality/hygiene, developer experience, quality gates. Produces a single summary issue per run. Respects Renovate ownership of dependency bumps. 
@@ -189,7 +194,7 @@ The Fro Bot workflow conditionals filter out: fork PRs, bot-authored PRs/issues, - **ESLint:** `@bfra.me/eslint-config` with React, Next.js, and Prettier plugins. - **Bundle analysis:** `@next/bundle-analyzer` available via `NEXT_BUILD_ENV_ANALYZE=true`. - **Environment:** `@t3-oss/env-nextjs` + Zod for typed environment validation. Access via `import {env} from '@/env'`, never `process.env`. -- **Renovate:** Via reusable workflow, extends `marcusrbrown/renovate-config#4.5.8`. Post-upgrade tasks run `pnpm install` + `pnpm run fix`. Custom rule: `lucide-react` minor automerge monthly. Same preset ecosystem as [[marcusrbrown--ha-config]] and [[marcusrbrown--vbs]]. +- **Renovate:** Via reusable workflow, extends `marcusrbrown/renovate-config#5.2.0` (v4→v5 boundary crossed between surveys, aligning with [[marcusrbrown--renovate-config]] v5.2.0 release). Post-upgrade tasks run `pnpm install` + `pnpm run fix`. Custom rule: `lucide-react` 0.x minor automerge monthly. Same preset ecosystem as [[marcusrbrown--ha-config]] and [[marcusrbrown--vbs]]. - **Probot Settings:** Extends `fro-bot/.github:common-settings.yaml` via `bfra-me/.github` reusable workflow. Branch protection requires: Build, Build Storybook, Lint, Renovate, Security Audit, Test. Linear history enforced, admin enforcement enabled, no required PR reviews. ## Architecture Patterns 
@@ -223,11 +228,11 @@ This repo participates in the same developer tooling ecosystem as [[marcusrbrown | Pattern | tokentoilet | ha-config | vbs | | -------------------- | -------------------------------------- | --------------- | -------- | | Probot settings base | `fro-bot/.github:common-settings.yaml` | Same | Same | -| Renovate preset | `marcusrbrown/renovate-config#4.5.8` | `#4.5.8` | `#4.5.8` | +| Renovate preset | `marcusrbrown/renovate-config#5.2.0` | `#4.5.8` | `#4.5.8` | | ESLint config | `@bfra.me/eslint-config` | N/A (YAML repo) | Same | | Prettier config | `@bfra.me/prettier-config/120-proof` | N/A | Same | -| Package manager | pnpm | N/A (YAML repo) | pnpm | -| Fro Bot workflow | Present (v0.42.6) | **Missing** | Present | +| Package manager | pnpm 11.3.0 | N/A (YAML repo) | pnpm | +| Fro Bot workflow | Present (v0.45.0) | **Missing** | Present | | Copilot setup steps | Present | Not present | Present | | AGENTS.md | Present | Not present | Present | 
@@ -251,3 +256,14 @@ This repo participates in the same developer tooling ecosystem as [[marcusrbrown | 2026-04-24 | `97e96c1` | MVP disposal flow shipped (PR #911), Fro Bot v0.41.4, Next.js 16.2.4, TS 6.0.3 | | 2026-04-25 | `97e96c1` | No code changes — SHA unchanged, open issues 25→26, lockfile maintenance PR #929 opened | | 2026-05-06 | `0aa1d9a` | Dependency bumps only: Fro Bot v0.41.4→v0.42.6, pnpm 10.33.0→10.33.2, tailwindcss 4.2.2→4.2.4, postcss→8.5.12. Open issues 26→30. Copilot agent branches observed. | +| 2026-05-28 | `db6dbcc` | **Three majors crossed**: wagmi v2→v3, pnpm v10→v11 (11.3.0), Renovate preset v4→v5 (#5.2.0). Fro Bot v0.42.6→v0.45.0. Next.js 16.2.4→16.2.6, React 19.2.5→19.2.6, tailwindcss 4.2.4→4.3.0, postcss→8.5.15 (qs advisory patched, stale `pnpm.overrides` removed in #1064), vitest 4.0.7→4.1.7, vite→8.0.14, eslint→10.4.0. Fro Bot prompt updated (PR #1067) to port silent-outage workflow-health heuristics from marcusrbrown/marcusrbrown. Open issues 30→3, open PRs 6→1 — triage sweep. | + +## Notable Deltas (2026-05-28) + +- **wagmi v2 → v3:** The `wagmi: "^3.0.0"` major bump landed. This unblocks newer connector APIs but is a non-trivial upgrade — the open PR #837 from prior surveys is now merged or superseded. The `useWallet` abstraction layer is the firewall here: components should be unaffected as long as the hook surface stayed stable. +- **Renovate preset v4 → v5:** Aligns this repo with the `marcusrbrown/renovate-config#5.2.0` cutover documented in [[marcusrbrown--renovate-config]] (group-all-non-major behavior, 0.x ungrouping safety valve). +- **pnpm v10 → v11:** `packageManager` line updated to `pnpm@11.3.0`. No reported lockfile incompatibilities in subsequent commits. 
+- **Fro Bot prompt port:** PR #1067 ("port Fro Bot prompt improvements from marcusrbrown/marcusrbrown") added workflow-health heuristics — flag any workflow where >50% of expected runs failed in the last 7 days, or where scheduled runs produced zero successful auto-generated commits. Direct lesson from the 1.5-year silent outage caught in [[marcusrbrown--marcusrbrown]] in May 2026. +- **Open-issue triage:** Drop from 30 → 3 open issues across three weeks indicates either an aggressive cleanup pass or autoheal-driven closure. Open PRs collapsed similarly (6 → 1). +- **postcss security:** PR #1064 patched the `qs` advisory and removed stale `pnpm.overrides`. Worth noting the security category of the autoheal prompt is doing its job. +- **Storybook version drift:** A handful of `@storybook/*` packages remain pinned at `9.0.0-alpha.*` while the core monorepo moved to `10.4.1`. Mixed pinning is a known footgun for Storybook — addons compiled against the 9.0 alpha API may not load cleanly under 10.x. Candidate for a focused upgrade PR. diff --git a/knowledge/wiki/repos/marcusrbrown--vbs.md b/knowledge/wiki/repos/marcusrbrown--vbs.md index 6aec28adf..03c8b0db2 100644 --- a/knowledge/wiki/repos/marcusrbrown--vbs.md +++ b/knowledge/wiki/repos/marcusrbrown--vbs.md @@ -2,8 +2,11 @@ type: repo title: "marcusrbrown/vbs" created: 2026-04-18 -updated: 2026-05-07 +updated: 2026-05-29 sources: + - url: https://github.com/marcusrbrown/vbs + sha: 69db16a73245372a9a1b1c6c32d0a70fd0a22185 + accessed: 2026-05-29 - url: https://github.com/marcusrbrown/vbs sha: b3c415bc4e0e25dd4e5ca8ccdc5ae7aaac9cbdec accessed: 2026-05-07 
@@ -28,11 +31,11 @@ related: - **Purpose:** Interactive Star Trek chronological viewing guide with progress tracking - **Default branch:** `main` - **Created:** 2025-07-18 -- **Last push:** 2026-05-07 +- **Last push:** 2026-05-29 (as of 2026-05-29 survey) - **Homepage:** https://marcusrbrown.github.io/vbs/ - **License:** MIT (declared in package.json; no LICENSE file observed at root) - **Topics:** `star-trek`, `viewing-guide`, `chronological`, `progress-tracker`, `local-first` -- **Package manager:** pnpm 10.33.2 +- **Package manager:** pnpm 10.33.4 (as of 2026-05-29; previously 10.33.2) - **Node.js:** 22.x ## Tech Stack @@ -127,7 +130,7 @@ vbs/ ├── public/ # Static assets ├── .ai/ # AI context files ├── .github/ -│ ├── workflows/ # 8 workflow files +│ ├── workflows/ # 7 workflow files (was 8 — fro-bot-autoheal.yaml folded into fro-bot.yaml on 2026-05-14, PR #564) │ ├── actions/ # Custom actions (setup-pnpm) │ ├── agents/ # Agent definitions (data-curator) │ └── settings.yml # Probot settings 
@@ -144,8 +147,8 @@ vbs/ | --- | --- | --- | --- | | CI | `ci.yaml` | push/PR to `main` | Lint, type-check, test with coverage, build | | Deploy | `deploy.yaml` | push to `main`, dispatch | Build + deploy to GitHub Pages | -| Fro Bot | `fro-bot.yaml` | PR, issue, comment, schedule (daily 15:30 UTC), dispatch | PR review, daily maintenance, ad-hoc prompts | -| Fro Bot Autoheal | `fro-bot-autoheal.yaml` | daily cron (03:30 UTC), dispatch | Automated repo healing (errored PRs, security, lint, data quality) | +| Fro Bot | `fro-bot.yaml` | PR, issue, comment, schedule (daily 15:30 UTC + 03:30 UTC autoheal), dispatch | PR review, daily maintenance, autoheal (single workflow as of 2026-05-14, PR #564) | +| ~~Fro Bot Autoheal~~ | ~~`fro-bot-autoheal.yaml`~~ | _Removed 2026-05-14 (PR #564) — folded into `fro-bot.yaml` with `mode` dispatch input (`review`/`maintenance`/`autoheal`/`both`)_ | _historical_ | | Update Star Trek Data | `update-star-trek-data.yaml` | weekly Monday 09:00 UTC, dispatch | Regenerate data from external sources, validate, create PR | | Renovate | `renovate.yaml` | — | Dependency updates | | Update Repo Settings | `update-repo-settings.yaml` | — | Probot settings sync | 
@@ -162,7 +165,7 @@ Required status checks on `main`: Build, Fro Bot, Renovate / Renovate, Test. Lin ## Fro Bot Integration -**Fro Bot workflow is present and active** (`fro-bot.yaml`). Uses `fro-bot/agent@v0.42.8` (SHA `fee26493b0f82a9a00241fe24fb0aede8174d1d2`). +**Fro Bot workflow is present and active** (`fro-bot.yaml`). As of 2026-05-29 survey: agent `v0.46.0` (was `v0.42.8` at 2026-05-07 survey — see Survey History for the version trail). As of 2026-05-14 (PR #564) the separate `fro-bot-autoheal.yaml` was folded into a single `fro-bot.yaml` with three operating modes routed by `workflow_dispatch.inputs.mode` (`review` | `maintenance` | `autoheal` | `both`) and dual cron schedules (`30 3 * * *` autoheal, `30 15 * * *` maintenance). This mirrors the consolidation pattern landed in [[marcusrbrown--systematic]] (#446) and [[marcusrbrown--marcusrbrown-github-io]] and is the dominant Fro Bot workflow shape across the ecosystem now. ### PR Review 
@@ -219,6 +222,38 @@ Responds to `@fro-bot` mentions in issue/PR/discussion comments from OWNER/MEMBE | 2026-04-18 | `a552e73` | Initial survey — full page created | | 2026-04-25 | `dd10e05` | Incremental — 7 Renovate commits, agent bump v0.40.2 → v0.41.4, no structural changes | | 2026-05-07 | `b3c415b` | Incremental — 15 Renovate commits, agent bump v0.41.4 → v0.42.8, Renovate preset #4.5.8 → #4.5.9 | +| 2026-05-29 | `69db16a` | Workflow consolidation (PR #564), Renovate preset v4.5.9 → v5.2.0 (#567), multi-track timeline merged (#458), data-automation stabilization (#574), agent v0.42.8 → v0.46.0, backlog cleared | + +### 2026-05-29 Delta (SHA `b3c415b` → `69db16a`) + +32 commits over 22 days. The maintenance-mode lull from prior surveys broke — three human/Copilot-authored feature/ci commits landed, the data-PR backlog cleared, and two significant structural changes shipped. + +**Structural changes (non-Renovate):** + +- **Fro Bot workflow consolidation (PR #564, `67d30b2`, 2026-05-14, authored by Fro Bot):** `fro-bot.yaml` + `fro-bot-autoheal.yaml` merged into a single `fro-bot.yaml` with `workflow_dispatch.inputs.mode = review | maintenance | autoheal | both` and dual cron schedules (`30 3 * * *` autoheal, `30 15 * * *` maintenance). Concurrency group keyed on issue/PR/discussion number with `cancel-in-progress: false`. Matches the pattern landed in [[marcusrbrown--systematic]] (#446) and [[marcusrbrown--marcusrbrown-github-io]]. Workflow count: 8 → 7. +- **Multi-track timeline visualization merged (PR #458, `87f0ae4`, 2026-05-16, Copilot-authored):** The Copilot feature PR that had been open since the 2026-05-07 survey finally landed — adds multi-track D3 timeline visualization differentiating event types. +- **Data automation stabilization (PR #574, `466875a`, 2026-05-16, Copilot-authored):** "Stabilize Star Trek data automation with perpetual PRs and CI-safe artifact generation." 
Replaces the prior stacking-PR-per-week pattern with a perpetual PR model — confirms why the 2026-05-07 survey saw 6 data PRs (data-29 through data-34) backed up. The new model collapses them into a single recurring PR surface. +- **Data generation hardening (PR #571, `598af37`, 2026-05-16, Fro Bot):** `fix(data-generation): include required notes field in generated season items`. Quality-scoring schema enforcement caught a missing field in the generator. +- **Renovate preset v4 → v5 (PR #567, `d3b6a1a`, 2026-05-14):** `marcusrbrown/renovate-config#4.5.9` → `#5.2.0`. Crosses the same v4→v5 boundary now adopted across the wider ecosystem (see [[marcusrbrown--renovate-config]]). v5 adds `group:allNonMajor` + 0.x ungrouping safety valve. + +**Renovate / dependency cadence:** + +- **`fro-bot/agent` version trail:** v0.42.8 → v0.42.10 (#560) → v0.43.0 (#561) → v0.43.2 (#578) → v0.43.3 (#579) → v0.44.1 (#582) → v0.44.2 (#583) → v0.44.3 (#584) → v0.46.0 (#590). Nine bumps in 22 days — VBS tracks agent releases at roughly the upstream cadence. +- **`bfra-me/.github` reusable workflows:** v4.16.12 → v4.16.21 (PRs #565, #566, #585, #589). +- **pnpm:** 10.33.2 → 10.33.3 → 10.33.4 (PRs #551, #554). +- **Dev tooling pinned:** `@bfra.me/eslint-config` to v0.51.0 (#568), `@bfra.me/prettier-config` to 0.16.8 (#569), `@bfra.me/tsconfig` to v0.13.0 (#570), `prettier` to 3.8.3 (#576) — VBS aligning with the same pinned-bfra-me-tooling pattern visible across the ecosystem. +- **Non-major dep batches:** #549, #556, #573, #580, #586, #588. + +**Activity shape (as of 2026-05-29):** + +- **Open PRs:** 1 (down from 7) — only #577 (vite v7.3.2 pin) remains. The Copilot timeline feature merged, all six stacked data PRs collapsed into the perpetual-PR model. +- **Open issues:** 14 (down from 30) — significant cleanup. Backlog burn confirms the autoheal + maintenance modes are now operating against real triage rather than accumulating. +- **Star count:** 1. 
+- **No license file at root** (still — only `license: MIT` in `package.json`). Carried forward from prior surveys; no contradiction. + +**Contradictions noted:** + +- The "8 workflow files" count in the prior page text is now stale — current count is 7 after the autoheal fold-in. Page updated additively (struck-through row in workflows table, prose updated in Fro Bot Integration section) rather than overwriting history. ### 2026-05-07 Delta (SHA `dd10e05` → `b3c415b`) diff --git a/knowledge/wiki/topics/docker-containers.md b/knowledge/wiki/topics/docker-containers.md index ad9264de6..decf0f716 100644 --- a/knowledge/wiki/topics/docker-containers.md +++ b/knowledge/wiki/topics/docker-containers.md @@ -2,7 +2,7 @@ type: topic title: Docker Containers created: 2026-04-18 -updated: 2026-04-18 +updated: 2026-05-25 tags: [docker, containers, multi-arch, oci, security, ci-cd] related: - marcusrbrown--containers @@ -20,7 +20,7 @@ Docker container build patterns, security practices, and CI/CD integration obser ### Base Image Pinning -Production Dockerfiles pin base images by full SHA-256 digest (`FROM node:24-alpine@sha256:...`), not just tags. The Dockerfile syntax directive is also digest-pinned (`# syntax=docker/dockerfile:1.23@sha256:...`). This provides reproducible builds independent of tag mutability. +Production Dockerfiles pin base images by full SHA-256 digest (`FROM node:24-alpine@sha256:...`), not just tags. The Dockerfile syntax directive is also digest-pinned (`# syntax=docker/dockerfile:1.24@sha256:...` as of 2026-05-13 in [[marcusrbrown--containers]]; previously `1.23`). This provides reproducible builds independent of tag mutability — and the digest is treated as _the_ reproducibility boundary, not individual package versions, because Alpine and Debian repos rotate package versions out from under exact-version pins. ### OCI Label Convention diff --git a/knowledge/wiki/topics/dotfiles.md b/knowledge/wiki/topics/dotfiles.md index ac608b363..2b4ef7823 100644 
--- a/knowledge/wiki/topics/dotfiles.md +++ b/knowledge/wiki/topics/dotfiles.md @@ -2,7 +2,7 @@ type: topic title: Dotfiles Management created: 2026-04-18 -updated: 2026-04-22 +updated: 2026-05-24 tags: [dotfiles, shell, configuration, bare-git-repo, xdg] related: - marcusrbrown--dotfiles diff --git a/knowledge/wiki/topics/github-actions-ci.md b/knowledge/wiki/topics/github-actions-ci.md index 8a09335db..478d057c5 100644 --- a/knowledge/wiki/topics/github-actions-ci.md +++ b/knowledge/wiki/topics/github-actions-ci.md @@ -2,7 +2,7 @@ type: topic title: GitHub Actions CI created: 2026-04-18 -updated: 2026-05-07 +updated: 2026-05-27 tags: [github-actions, ci-cd, automation, security, renovate] related: - fro-bot--agent @@ -14,6 +14,8 @@ related: - marcusrbrown--marcusrbrown-github-io - marcusrbrown--renovate-config - marcusrbrown--sparkle + - bfra-me--github + - bfra-me--works --- # GitHub Actions CI 
@@ -30,6 +32,8 @@ Cross-cutting CI/CD patterns observed across Marcus's repositories in the Fro Bo - [[marcusrbrown--infra]] — Split deploy pipeline (per-app dedicated workflows), convention enforcement tests, Bun workspace CI, Changesets publishing - [[marcusrbrown--renovate-config]] — Lint + semantic-release pipeline for Renovate presets, self-referential Renovate config, CodeQL, OpenSSF Scorecard - [[marcusrbrown--sparkle]] — Turborepo-orchestrated Setup → Check → Build pipeline, Astro Starlight docs deployment to GitHub Pages, auto-regenerate-docs PR workflow +- [[bfra-me--github]] — Org control center; 17 workflows including `main.yaml` (Quality Check), `fro-bot.yaml` (per-repo persona), `fro-bot-autoheal-org.yaml` (weekday org-wide sweep), `renovate.yaml` + `trigger-org-renovate.yaml` (self-hosted Renovate fan-out), and three custom actions (`renovate-changesets`, `update-metadata`, `update-repository-settings`). Source of the reusable workflows that `marcusrbrown/*` repos consume. +- [[bfra-me--works]] — `@bfra-me` tooling monorepo; 11 workflows including `main.yaml` (Prepare → parallel {Lint+type-coverage, Test, Build, Workspace Analysis} → CI), `release.yaml` (Changesets, `workflow_run` after Main + Sunday cron + dispatch with force-release toggle), `fro-bot.yaml` (three-mode single-file at v0.44.2), `docs.yaml` (Astro Starlight → GitHub Pages), `docs-sync.yaml` (path-filtered @bfra.me/doc-sync re-sync), `renovate.yaml` + `update-repo-settings.yaml` (reusable `bfra-me/.github` callers), `renovate-changeset.yaml`, `cache-cleanup.yaml`, plus CodeQL/Scorecard/Dependency Review. Local composite action `.github/actions/pnpm-install` consumed by every workflow. ## Common Patterns 
@@ -54,7 +58,7 @@ Both repos extend `marcusrbrown/renovate-config` for dependency updates, with re - [[marcusrbrown--containers]] — `#4.5.0`, ignores `templates/`, disables patch updates (except TypeScript/Python), post-upgrade runs `pnpm install && pnpm format` - [[marcusrbrown--ha-config]] — `#4.5.8`, custom managers for pre-commit and mise, post-upgrade runs Prettier, automerge on minor/patch pip updates - [[marcusrbrown--github]] — `#4.5.8`, post-upgrade runs `npx prettier@3.8.3 --no-color --write .`, PR creation set to `immediate` -- [[marcusrbrown--infra]] — `#4.5.8`, post-upgrade runs `bun install --ignore-scripts && bun run fix`, Docker source URLs for CLIProxyAPI/Caddy, `bfra-me/.github` digest updates disabled +- [[marcusrbrown--infra]] — `#5.2.0` + `group:allNonMajor` (v4→v5 crossed 2026-05-17), post-upgrade runs `bun install --ignore-scripts && bun run fix`, Docker source URLs for CLIProxyAPI/Caddy, `bfra-me/.github` digest updates disabled - [[marcusrbrown--renovate-config]] — Self-referential (`local>marcusrbrown/renovate-config`), custom regex manager for `bfra-me/renovate-config` preset pin in `default.json`, post-upgrade runs `pnpm run bootstrap && pnpm run fix` - [[marcusrbrown--sparkle]] — `#4.5.9` + `sanity-io/renovate-config:semantic-commit-type` + `:preserveSemverRanges`, post-upgrade runs `pnpm bootstrap && pnpm fix`, React Native package grouping, automerge on unstable `@astrojs/check`/`typedoc` 
@@ -78,8 +82,9 @@ Repos use `dorny/paths-filter` to scope CI runs to relevant file changes, reduci [[marcusrbrown--infra]] pioneered a pattern of splitting monolithic deploy workflows into per-app dedicated workflows connected by `workflow_call`: - Each app gets its own workflow file with independent path filtering, environment gating, and secret validation -- A thin orchestrator workflow dispatches both via `workflow_call` for manual "deploy everything" scenarios -- Benefit: one app's deploy failure doesn't block the other; each workflow is independently triggerable +- A thin orchestrator workflow dispatches all of them via `workflow_call` for manual "deploy everything" scenarios +- Benefit: one app's deploy failure doesn't block the others; each workflow is independently triggerable +- Validated at scale: as of 2026-05-27, infra has 3 per-app deploy workflows (`deploy-keeweb.yaml`, `deploy-cliproxy.yaml`, `deploy-gateway.yaml`) gated by a thin `deploy.yaml` orchestrator. The Discord gateway (`apps/gateway`, added #264) is the third app onboarded to this pattern ### Fro Bot Agent 
@@ -88,11 +93,12 @@ Repos use `dorny/paths-filter` to scope CI runs to relevant file changes, reduci | [[fro-bot--agent]] | Present (`fro-bot.yaml`, self-hosted) | Daily 15:30 UTC DMR, Weekly Sun 20:00 UTC wiki update | | [[marcusrbrown--containers]] | Present (`fro-bot.yaml`) | Daily 14:30 UTC autohealing | | [[marcusrbrown--systematic]] | Present (`fro-bot.yaml`) | Weekly Mon 09:00 UTC maintenance, Daily 03:30 UTC autohealing | -| [[marcusrbrown--infra]] | Present (`fro-bot.yaml`) | Daily 03:30 UTC autohealing (8 categories incl. CLIProxy + cross-project + upstream modernization watch on Sundays) | +| [[marcusrbrown--infra]] | Present (`fro-bot.yaml`, agent v0.44.3) | Daily 03:30 UTC autohealing (8 categories incl. CLIProxy + Gateway + cross-project + upstream modernization watch on Sundays) | | [[marcusrbrown--marcusrbrown-github-io]] | Present (`fro-bot.yaml`) | Daily 15:30 UTC maintenance (no autoheal) | -| [[marcusrbrown--renovate-config]] | Present (`fro-bot.yaml` + `fro-bot-autoheal.yaml`) | Daily 15:30 UTC maintenance, Daily 03:30 UTC autohealing (5 categories incl. config validation & bfra-me ecosystem health) | +| [[marcusrbrown--renovate-config]] | Present (single-file `fro-bot.yaml` at v0.44.3; the separate `fro-bot-autoheal.yaml` was consolidated since 2026-04-28) | Daily 15:30 UTC, 6 categories incl. 
config validation, cross-project intelligence inbound, and Sundays-only Upstream Modernization Watch with at-most-one-draft-PR-per-scan policy | | [[marcusrbrown--sparkle]] | **Not present** | N/A | | [[marcusrbrown--ha-config]] | **Not present** | N/A | +| [[bfra-me--works]] | Present (`fro-bot.yaml`, single-file three-mode at v0.44.2) | Maintenance `0 16 * * *`, Autoheal `30 3 * * *`; both rolling-update single-issue reports (`Daily Maintenance Report` / `Daily Autohealing Report`) | The containers repo's Fro Bot workflow includes domain-specific PR review prompts (Dockerfile best practices, multi-arch correctness) and a structured autohealing schedule (errored PRs, security alerts, dependency bumps, linting consistency). diff --git a/knowledge/wiki/topics/home-assistant.md b/knowledge/wiki/topics/home-assistant.md index b11474ae2..196a03fc5 100644 --- a/knowledge/wiki/topics/home-assistant.md +++ b/knowledge/wiki/topics/home-assistant.md @@ -2,11 +2,12 @@ type: topic title: Home Assistant created: 2025-06-18 -updated: 2026-05-17 -tags: [home-assistant, iot, smart-home, yaml, automation] +updated: 2026-05-20 +tags: [home-assistant, iot, smart-home, yaml, automation, addon] related: - marcusrbrown--ha-config - marcusrbrown--esphome-life + - bfra-me--ha-addon-repository - github-actions-ci --- @@ -18,6 +19,7 @@ Open-source home automation platform. Core references across the Fro Bot ecosyst - [[marcusrbrown--ha-config]] — Marcus's primary HA configuration (public, CI-validated) - [[marcusrbrown--esphome-life]] — ESPHome device firmware; linked from ha-config as a git submodule at `esphome/` +- [[bfra-me--ha-addon-repository]] — Template repo for building & publishing HA add-ons (bfra-me org), multi-arch Docker images via `home-assistant/builder` ## Configuration Patterns Observed 
@@ -31,6 +33,12 @@ Home Assistant configs can be validated in CI using `frenck/action-home-assistan **Pin-drift footgun:** validating against a frozen `.HA_VERSION` only catches problems that exist in *that* version. Observed in [[marcusrbrown--ha-config]], where `.HA_VERSION` has remained at `2025.6.3` across three surveys (2025-06 → 2026-05) while pip-resolved deps like `esphome` advance. The CI passes, but the config is not validated against current upstream HA. +The add-on side uses a different tool: `frenck/action-addon-linter` validates the add-on contract (`config.yaml`, `build.yaml`, image references, arch lists, schema). Observed in [[bfra-me--ha-addon-repository]]. The two `frenck/*` actions are sibling validators serving the two sides of the HA development workflow. + +### Multi-Arch Add-on Builds + +Add-ons publish multi-arch Docker images via `home-assistant/builder` (pinned at `2026.03.2` in [[bfra-me--ha-addon-repository]]). Standard arch matrix: `aarch64`, `amd64`, `armhf`, `armv7`. Base images from `ghcr.io/home-assistant/{arch}-base` split between Alpine 3.23 (64-bit) and 3.22 (32-bit ARM) — upstream lags on 32-bit. The build action supports `--cosign` for Sigstore signing when `id-token: write` is granted. + ### Custom Components Third-party integrations installed via HACS or manually into `custom_components/`. These are typically excluded from linting and pre-commit hooks since they are upstream-managed code. diff --git a/knowledge/wiki/topics/langchain.md b/knowledge/wiki/topics/langchain.md index 3fcf2e672..0557f03ef 100644 --- a/knowledge/wiki/topics/langchain.md +++ b/knowledge/wiki/topics/langchain.md @@ -2,10 +2,11 @@ type: topic title: LangChain created: 2026-04-18 -updated: 2026-04-18 +updated: 2026-05-27 tags: [langchain, llm, ai, python, typescript] related: - marcusrbrown--copiloting + - marcusrbrown--gpt --- # LangChain 
@@ -15,6 +16,7 @@ LLM application framework available in Python and TypeScript. Used across the Fr ## Repos Using LangChain - [[marcusrbrown--copiloting]] — Polyglot monorepo with LangChain-based tutorials (TS), course sections (Python), and a Flask + SvelteKit PDF chat app using LangChain chains, retrievers, memory, and embeddings. +- [[marcusrbrown--gpt]] — Production React 19 app on the modern LangChain.js 1.x line (`langchain` 1.4.2, `@langchain/core` 1.1.48, `@langchain/openai` 1.4.7, `@langchain/anthropic` 1.4.0, `@langchain/langgraph` 1.3.2). All LangChain access is gated through a `BaseLLMProvider` abstraction — UI code never imports LangChain or LLM SDKs directly. Renovate groups the entire `langchain-ai/langchainjs` monorepo into a single `langchainjs-monorepo` PR and automerges unstable minor/patch updates of `@langchain/**` and `langchain`. ## Version Notes @@ -28,6 +30,8 @@ In [[marcusrbrown--copiloting]], the Python side uses `langchain ^1.2` with `lan The root `package.json` in [[marcusrbrown--copiloting]] pins `langchain` at `0.0.212` — a very early version. The `tutorials/quickstart-llms.ts` script uses this. This version predates the modular restructuring and may have significantly different APIs from the Python side. +By contrast, [[marcusrbrown--gpt]] is the ecosystem's reference point for the **modern LangChain.js 1.x line**: `langchain` 1.4.2 with split `@langchain/core`, `@langchain/openai`, `@langchain/anthropic`, and `@langchain/langgraph` packages. The two TS consumers are ~5 major-version generations apart — copiloting still demonstrates the pre-modular API while gpt runs the post-split modular architecture. Migration paths from `0.0.x` to `1.x` are non-trivial and not yet attempted in copiloting. + ## Migration Patterns The langchain 0.2+ migration requires changing import paths from the monolithic `langchain` package to provider-specific packages: 
diff --git a/knowledge/wiki/topics/opencode-plugins.md b/knowledge/wiki/topics/opencode-plugins.md index b03b2fcf7..89dfe97b3 100644 --- a/knowledge/wiki/topics/opencode-plugins.md +++ b/knowledge/wiki/topics/opencode-plugins.md @@ -2,7 +2,7 @@ type: topic title: OpenCode Plugin Development created: 2026-04-23 -updated: 2026-05-06 +updated: 2026-05-28 sources: - url: https://github.com/marcusrbrown/opencode-copilot-delegate sha: bea3f576d7218900b9216a8a2c2947003660809b @@ -16,7 +16,19 @@ sources: - url: https://github.com/marcusrbrown/systematic sha: 420ef650215a9ca8cefa01f125e02434e351952e accessed: 2026-05-06 -tags: [opencode, plugin, sdk, subprocess, async, delegation, workflow, skills, agents] + - url: https://github.com/marcusrbrown/opencode-copilot-delegate + sha: 2744ce7fc07660baa4f17bfff3656141888261cf + accessed: 2026-05-21 + - url: https://github.com/fro-bot/systematic + sha: 12cae87 + accessed: 2026-05-22 + - url: https://github.com/marcusrbrown/cortexkit_anthropic-auth + sha: 517d38596432429a8fc5f78612edc80a1c3f3dc6 + accessed: 2026-05-28 + - url: https://github.com/marcusrbrown/systematic + sha: 9b7570782190d540b4d57abdd94cf7ca8e1984f1 + accessed: 2026-05-28 +tags: [opencode, plugin, sdk, subprocess, async, delegation, workflow, skills, agents, tui, rpc, orphan-reaper, plugin-singleton, json-schema, oauth, anthropic, cross-process-lock, zod-config, bundled-names, deprecation-surface] --- # OpenCode Plugin Development 
@@ -130,19 +142,146 @@ Rather than registering one tool per skill, systematic registers a single `syste | Repo | npm Package | Purpose | Stack | Status | |------|-------------|---------|-------|--------| | [[marcusrbrown--systematic]] | `@fro.bot/systematic` | Structured engineering workflows (46 skills, 50 agents) | Bun, Biome, semantic-release | Active, v2.7.3 | -| [[marcusrbrown--opencode-copilot-delegate]] | `opencode-copilot-delegate` | Delegate tasks to Copilot CLI as background subprocesses | Bun, Biome, Changesets | Active, v0.1.0 | +| [[marcusrbrown--opencode-copilot-delegate]] | `opencode-copilot-delegate` | Delegate tasks to Copilot CLI as background subprocesses; opt-in `/copilot-status` TUI half | Bun, Biome, Changesets | Active, v0.12.0 (4 tools: delegate/output/cancel/resume) | +| [[marcusrbrown--cortexkit-anthropic-auth]] | `@marcusrbrown/opencode-anthropic-auth` + `@marcusrbrown/anthropic-auth-core` | Claude Pro/Max OAuth, fallback accounts, quota routing, prompt-cache controls, optional Cloudflare Worker relay; OpenCode + Pi share the same core | Bun, Biome, Lefthook, monorepo workspaces | Active fork, `1.2.2-mb.2` (fork of `cortexkit/anthropic-auth`); Pi package private in fork | + +All three plugins use Bun + Biome (not the `@bfra.me/*` ESLint/Prettier stack), establishing this as the standard for Marcus's OpenCode plugin repos. All use `mise.toml` to pin Bun and tool versions. + +## Cross-Process OAuth Refresh Locking + +[[marcusrbrown--cortexkit-anthropic-auth]] documents a well-tuned pattern for OAuth refresh across multiple OpenCode processes sharing a single auth sidecar: + +1. **Jittered background refresh timers** so concurrent processes do not all hit the OAuth endpoint at the same due timestamp (`1.2.2`). +2. **Cross-process atomic filesystem lock** so a process cannot steal a lock while another is still initializing it (`1.1.3`, hardened in `1.2.2`). 
Without this, two processes can each successfully refresh, but the second consumes a rotated refresh token and the first loser ends up with `invalid_grant`. +3. **Wait-and-rejoin** on contention: when a main OAuth refresh is already in progress, followers wait briefly and re-read OpenCode auth so they join the successful token rotation instead of failing immediately. +4. **Refresh endpoint failover**: as of `1.2.1`, refresh moved from `platform.claude.com` to `https://api.anthropic.com/v1/oauth/token` after the former returned OAuth `429` repeatedly during proactive refresh. + +This is a useful reference pattern for any OpenCode plugin that shares per-user credentials across multiple agent processes. + +## Two-Half Plugin Pattern (server + TUI) + +[[marcusrbrown--opencode-copilot-delegate]] v0.10.0+ ships **two plugin entries** in one npm package: + +```jsonc +// package.json +{ + "exports": { + ".": { "import": "./dist/index.js" }, // server half + "./tui": { "import": "./dist/tui/index.js" } // TUI half + }, + "oc-plugin": ["server", "tui"] +} +``` + +Users opt into each half independently: + +```jsonc +// opencode.json — server half registers the tools +{ "plugin": ["opencode-copilot-delegate"] } + +// tui.jsonc — TUI half adds /copilot-status +{ "plugin": ["opencode-copilot-delegate/tui"] } +``` + +**Build target split.** The server entry builds with `target: 'node'` (plain Node ESM loadable, gated by a CI export-shape assertion). The TUI entry stays on `target: 'bun'` because `@opentui/solid` is Bun-specific. + +**Server ↔ TUI RPC.** The server half exposes a localhost-only RPC listener and writes a per-session authenticated port file under `/opencode/copilot-delegate/`. The TUI half reads the port file to find the right server instance. Cleanup is best-effort — OpenCode's server plugin API has no dispose hook today, so cleanup is tied to process exit signals and the orphan-reaper covers missed shutdowns. 
+ +## OpenCode Plugin Loader Gotchas + +These bit upstream plugins before; institutionalizing the fixes saves hours of incident response. + +### Loader treats every named export as a plugin factory + +The loader iterates every named export from a plugin entry point and invokes each with `undefined` input. Stray named exports (helpers, types, internal utilities) get called as plugin factories and crash on the missing input. + +- **Systematic regressed here in v2.5.0 and v2.12.1** (hours of downtime each time). +- **opencode-copilot-delegate v0.12.0** moved `wireRpcServerCleanup` out of `src/index.ts` into `src/lib/rpc-cleanup.ts` and added a CI gate that runs `node --input-type=module -e "import('./dist/index.js').then(m => …)"` between Build and Unit tests, exiting non-zero if anything other than `default` is exported or `default` is not a function. `tests/package-exports.test.ts` mirrors the assertion locally. + +**Rule:** Plugin entry points export only `default`. Period. -Both plugins use Bun + Biome (not the `@bfra.me/*` ESLint/Prettier stack), establishing this as the standard for Marcus's OpenCode plugin repos. Both use `mise.toml` to pin Bun and tool versions. +### `api.command.register` is unstable across OpenCode versions + +- **OpenCode 1.14.42** removed `api.command.register` in favor of the keymap engine. +- **1.14.44+** restored it as a deprecated shim translating to `api.keymap.registerLayer`. + +TUI plugins that unconditionally call `api.command.register` silently lose their slash commands on the version where it's gone. Runtime-feature-detect both paths: + +```typescript +if (typeof api.keymap?.registerLayer === 'function') { + api.keymap.registerLayer({ + commands: [{ namespace: 'palette', name: 'copilot-status', title: 'Copilot Status', category: 'Copilot', run }], + bindings: [], + }) +} else if (typeof api.command?.register === 'function') { + api.command.register({ /* ... 
*/ }) +} else { + // Defensive: log warning, plugin still loads without the slash command +} +``` + +opencode-copilot-delegate's TUI half follows the dual-path pattern Magic Context shipped in commit `5fe1c4f`. + +### Host zod ≠ plugin zod (per-parameter description loss) + +OpenCode's tool catalog serializes plugin schemas via the **host's** bundled zod, not the plugin's. Plugin-side `.describe()` metadata lives in a separate module-local metadata registry and is invisible across the boundary, so per-parameter descriptions get dropped before reaching the LLM. + +Two known workarounds: + +1. **`_zod.toJSONSchema` override** (v0.7.0 fix in [[marcusrbrown--opencode-copilot-delegate]], same fix shipped by `@cortexkit/opencode-magic-context` and `@cortexkit/aft-opencode`): patch each tool arg schema with a serialization override that delegates back to the plugin-local zod. Use `src/lib/normalize-tool-arg-schemas.ts`-style helpers. +2. **`.describe().optional()`** (v0.6.0 partial fix): zod's `toJSONSchema(…, { io: 'input' })` unwraps `.optional()` and drops descriptions attached to the wrapper. Reordering to `.describe(…).optional()` places the description on the leaf type so it survives the unwrap. Insufficient on its own when host/plugin zod are different module instances — pair with the override above. + +Pin zod as a direct dependency with a matching `overrides` entry so the plugin's own install tree stays on one version (resolves TS2883 from dual-zod trees at build time). `overrides` is local-install-only; downstream consumers may still see a different transitive zod from their OpenCode host. + +### `api.command.register` removal isn't the only churn — narrow peer ranges accordingly + +opencode-copilot-delegate v0.12.0 narrowed `peerDependencies['@opencode-ai/plugin']` from `>=1.14.0` to `>=1.14.41` to align advertised compatibility with what's actually tested. 
Plugin authors should narrow peer ranges in lockstep with the OpenCode versions their feature-detection branches actually cover. + +## Orphan Subprocess Reaping + +When a plugin spawns long-running subprocesses, OpenCode crashes or reloads can leave orphans. [[marcusrbrown--opencode-copilot-delegate]] (v0.2.0+) ships a generalizable pattern: + +1. **Per-instance PID file** at `//orphans/.pids`, one line per spawned subprocess. Entry removed on every terminal status transition. +2. **Strict identity gate** before any kill: live process's `comm` (kernel-tracked executable name from `ps -o comm=`) AND `lstart` (start-time string) must match values recorded at spawn time. Rules out both PID reuse and cross-instance kills of a live foreign instance's children. +3. **Spawner liveness probe** (`process.kill(, 0)`) before reaping any foreign file. Live spawner → skip. Dead spawner → reap entries, delete file. +4. **Streaming worker pool** (cap 5) drains a shared queue; a slow `ps` probe blocks only its own worker. +5. **Combined `ps -p -o comm=,lstart=` query**: one fork/exec gets an atomic kernel snapshot of both identity legs. +6. **Configurable timeouts** with cooperative `AbortSignal` cancellation. In-flight workers cooperate by skipping their next mutating step on abort, so dangerous side effects can't fire after the call returns. +7. **Same-user symlink hardening**: `O_NOFOLLOW` on PID file open/truncate; reject symlinked PID file parent directories before scanning. +8. **Race-safe cleanup**: every truncate/unlink goes through a per-file `serializeWrite` lock. + +This pattern generalizes to any plugin that spawns subprocesses it must clean up across crashes. + +## Per-Process Plugin Factory Singleton + +When a user lists the same plugin in both `~/.config/opencode/opencode.json` and a project-level `opencode.json`, OpenCode's host previously invoked the factory once per source. 
Two divergent fixes: + +| Plugin | Pattern | Rationale | +|--------|---------|-----------| +| [[marcusrbrown--systematic]] (PR #352) | Per-load registration | No exclusive resources; cleaner to register cleanly each time | +| [[marcusrbrown--opencode-copilot-delegate]] (v0.8.0+) | `globalThis` Symbol singleton; **duplicate invocations return empty hooks `{}`** (v0.11.0) | `doInit` binds a TCP port (RPC server) and writes a PID file — running it twice in the same process would race on exclusive resources | + +The empty-hooks-on-duplicate-invocation fix specifically targets the LLM-visible tool catalog: the host iterates each source's returned hook surface and registers every tool entry it finds, even when two sources return the same JS reference. Returning `{}` on duplicates gives the host nothing to register a second time. The first invocation still runs `doInit` once and receives the real hooks; subsequent invocations in the same PID receive `{}` and emit a one-time warning so duplicate-config situations stay observable. + +Both plugins document the divergence inline with cross-references to each other's source files. ## Documentation Deployment [[marcusrbrown--systematic]] deploys its Starlight/Astro docs site to a separate repo ([[fro-bot--systematic]]) rather than using the source repo's GitHub Pages. The docs site at **fro.bot/systematic/** also serves the OCX component registry (`.well-known/ocx.json` → `/systematic/index.json`), enabling `ocx` CLI to install individual skills and agents by URL. See [[github-pages]] for the cross-repo deploy pattern. +As of the 2026-05-22 [[fro-bot--systematic]] survey, the same docs site is now the canonical host for the user config JSON Schema: + +- `https://fro.bot/systematic/schemas/v2/systematic-config.schema.json` — pinned `$id`, intended for `"$schema"` references in `systematic.json` / `systematic.jsonc` for IDE autocomplete (VSCode, Zed, IntelliJ). 
+- `https://fro.bot/systematic/schemas/latest/systematic-config.schema.json` — moving pointer for "current". + +Schema is draft-07, describes top-level keys `agents`, `categories`, `disabled_skills`, `disabled_agents`, `disabled_commands`, `bootstrap`. The schema's own `$schema` property is documented as informational only — the systematic loader does not fetch or validate against it; it exists purely to switch on editor support. Treat both URLs as public API; renaming or restructuring them silently breaks autocomplete for every consumer that pinned them. The same docs deploy now drives the OCX registry, the rendered guide pages, and this schema — three different consumer contracts living on one `gh-pages` branch. + ## Related Pages - [[marcusrbrown--systematic]] — Largest OpenCode plugin; structured workflows with 46 skills and 50 agents - [[fro-bot--systematic]] — Documentation deployment target for `@fro.bot/systematic` - [[marcusrbrown--opencode-copilot-delegate]] — Copilot CLI delegation plugin +- [[marcusrbrown--cortexkit-anthropic-auth]] — Claude Pro/Max OAuth, fallback accounts, quota routing, Cloudflare Worker relay for OpenCode and Pi - [[marcusrbrown--dotfiles]] — Agent skill configuration (`~/.agents/skills/`), consumes systematic as installed plugin - [[github-actions-ci]] — CI patterns for plugin repositories (Biome, bun test, semantic-release) - [[github-pages]] — GitHub Pages deployment patterns including cross-repo Starlight deploy diff --git a/knowledge/wiki/topics/probot-settings.md b/knowledge/wiki/topics/probot-settings.md index ba9d5227d..31dada20a 100644 --- a/knowledge/wiki/topics/probot-settings.md +++ b/knowledge/wiki/topics/probot-settings.md 
@@ -2,11 +2,14 @@ type: topic title: Probot Settings created: 2025-06-18 -updated: 2026-04-27 +updated: 2026-05-25 tags: [probot, github, repository-settings, automation, governance] related: - marcusrbrown--github - marcusrbrown--ha-config + - bfra-me--github + - bfra-me--ha-addon-repository + - bfra-me--works --- # Probot Settings 
@@ -45,6 +48,38 @@ The `fro-bot/.github` repository (this repo) has its own `common-settings.yaml` - `fro-bot` as admin, `marcusrbrown` as push - Fewer, more focused labels +### bfra-me/.github (Bfra-Me Org Template) + +[[bfra-me--github]] ships a **third** `common-settings.yaml` for the +`@bfra-me` org. Surveyed 2026-05-20 (SHA `a81be4c`): + +- Repo-level: `is_template: true`, `has_projects: false`, `has_wiki: false`, + squash-only merging, auto-merge enabled, branch deletion on merge, + `allow_update_branch: true`, squash commit title `COMMIT_OR_PR_TITLE` +- Branch protection (`main`): 12 required status checks (Advanced + Security Analysis, CodeQL, Container Scan, Create Renovate Changeset, + Fro Bot, GitGuardian Scan, License Scan, Quality Check, Release, + Renovate, Review Dependencies, Triage), strict mode, linear history, + admin enforcement, `required_approving_review_count: 0` — governance + leans on status checks rather than human reviewers +- `update-repository-settings` is shipped as a local custom action in + this repo and consumed by `update-repo-settings.yaml` + +[[bfra-me--ha-addon-repository]], [[bfra-me--works]], and other +`bfra-me/*` repos extend this template; most `marcusrbrown/*` repos +extend the `fro-bot/.github` template instead. Reconciling which org +template is canonical for what audience is an open follow-up. + +The [[bfra-me--works]] settings file is a representative example of how +`bfra-me/*` repos compose the org template: it extends +`.github:common-settings.yaml` and overrides `repository.{name, +description, topics}` plus a 12-check branch-protection list (`Analyze`, +`Build`, `CI`, `CodeQL`, `Create Renovate Changeset`, `Fro Bot`, +`Lint`, `Prepare`, `Renovate / Renovate`, `Review Dependencies`, +`Test`, `Workspace Analysis`) with `enforce_admins: true`, +`required_linear_history: true`, and `required_pull_request_reviews: +null` — matching the org-template posture (checks over reviewers). 
+ ## Settings Sync Workflow Repos using Probot Settings typically include an `update-repo-settings.yaml` workflow: @@ -52,7 +87,7 @@ Repos using Probot Settings typically include an `update-repo-settings.yaml` wor - **Trigger:** Push to main, daily cron, manual dispatch - **Implementation:** Reusable workflow from `bfra-me/.github` - **Auth:** GitHub App via `APPLICATION_ID` and `APPLICATION_PRIVATE_KEY` secrets -- **Reusable workflow version:** `bfra-me/.github` v4.16.9 (as of 2026-04-27 in [[marcusrbrown--github]]) +- **Reusable workflow version:** `bfra-me/.github` v4.16.20 (as of 2026-05-25 in [[marcusrbrown--github]]; bumped from v4.16.9 via 11 sequential Renovate PRs over four weeks — example of dependency-only churn dominating a config-only repo) ## Common Configuration Patterns diff --git a/knowledge/wiki/topics/vscode-extensions.md b/knowledge/wiki/topics/vscode-extensions.md index 7107b75fa..4233595fc 100644 --- a/knowledge/wiki/topics/vscode-extensions.md +++ b/knowledge/wiki/topics/vscode-extensions.md @@ -2,7 +2,7 @@ type: topic title: VS Code Extension Development created: 2026-04-18 -updated: 2026-04-27 +updated: 2026-05-26 tags: [vscode, vscode-extension, typescript, extension-development] related: - marcusrbrown--extend-vscode diff --git a/knowledge/wiki/topics/web3-defi.md b/knowledge/wiki/topics/web3-defi.md index 25fef8504..1e6169c47 100644 --- a/knowledge/wiki/topics/web3-defi.md +++ b/knowledge/wiki/topics/web3-defi.md @@ -2,7 +2,7 @@ type: topic title: "Web3 & DeFi Development" created: 2026-04-18 -updated: 2026-05-06 +updated: 2026-05-28 sources: - url: https://github.com/marcusrbrown/tokentoilet sha: 0ed90a61784b5b85dcf925bb1255e794c4f5d6a3 
@@ -16,6 +16,9 @@ sources: - url: https://github.com/marcusrbrown/tokentoilet sha: 0aa1d9a02f1a8ba5cbd95818fb6157318cf9f20b accessed: 2026-05-06 + - url: https://github.com/marcusrbrown/tokentoilet + sha: db6dbcc2d289d23377d3d80b19d5e4273008a1b2 + accessed: 2026-05-28 tags: [web3, defi, wagmi, reown-appkit, walletconnect, ethereum, sepolia, erc-20, erc-721] --- @@ -33,7 +36,7 @@ The ecosystem currently standardizes on: | Component | Tool | Notes | | ----------------- | ----------------------------------------------- | ---------------------------------------- | -| React hooks | Wagmi v2 | Core wallet/chain interaction primitives | +| React hooks | Wagmi v3 (as of 2026-05-28 in [[marcusrbrown--tokentoilet]]) | Core wallet/chain interaction primitives; major bump from v2 landed via PR #837 lineage | | Modal/UI | Reown AppKit (formerly WalletConnect Web3Modal) | Wallet connection modal and UI | | Query layer | TanStack React Query | Async state for chain reads/writes | | Supported wallets | MetaMask, WalletConnect, Coinbase Wallet | Per test suites in tokentoilet | 
@@ -81,3 +84,7 @@ The first functional disposal flow (PR #911 in [[marcusrbrown--tokentoilet]]) us - **`NetworkGuard`** validates the connected wallet is on Sepolia before rendering disposal UI - **Keyed `DisposalExecutor`** — each token gets a fresh `useTokenDisposal` hook instance via React key, preventing stale `isSuccess`/`error` state across multi-token disposals - **Deployment:** Vercel GitHub integration handles preview (PRs) and production (main push) — no CI deploy jobs + +## Migration Notes: Wagmi v2 → v3 (2026-05-28) + +The `useWallet` abstraction in [[marcusrbrown--tokentoilet]] paid off during the wagmi v2 → v3 upgrade — the firewall between components and the wagmi API meant the major version bump largely contained itself inside the `hooks/` directory. The pattern's value: every component that uses `useWallet` instead of `useAccount`/`useConnect` directly is one less site that needs touching when wagmi changes shape. Watch for this when migrating other Web3 apps in the portfolio. diff --git a/metadata/repos.yaml b/metadata/repos.yaml index 2b6ac996c..19351694f 100644 --- a/metadata/repos.yaml +++ b/metadata/repos.yaml @@ -4,11 +4,11 @@ repos: name: ha-config added: 2026-04-17 onboarding_status: onboarded - last_survey_at: 2026-05-17 + last_survey_at: 2026-05-29 last_survey_status: success has_fro_bot_workflow: false has_renovate: true - next_survey_eligible_at: 2026-06-18 + next_survey_eligible_at: 2026-06-29 discovery_channel: collab private: false node_id: R_kgDOJ_bMaQ @@ -16,11 +16,11 @@ repos: name: .dotfiles added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 - last_survey_status: failure + last_survey_at: 2026-05-24 + last_survey_status: success has_fro_bot_workflow: true has_renovate: true - next_survey_eligible_at: 2026-06-07 + next_survey_eligible_at: 2026-06-24 discovery_channel: collab private: false node_id: MDEwOlJlcG9zaXRvcnkxODY5MTU0 
@@ -28,11 +28,11 @@ repos: name: .github added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 - last_survey_status: failure + last_survey_at: 2026-05-25 + last_survey_status: success has_fro_bot_workflow: false has_renovate: true - next_survey_eligible_at: 2026-06-05 + next_survey_eligible_at: 2026-06-24 discovery_channel: collab private: false node_id: MDEwOlJlcG9zaXRvcnkzMDg1MzMxOTg= @@ -40,11 +40,11 @@ repos: name: containers added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 - last_survey_status: failure + last_survey_at: 2026-05-25 + last_survey_status: success has_fro_bot_workflow: true has_renovate: true - next_survey_eligible_at: 2026-06-07 + next_survey_eligible_at: 2026-06-25 discovery_channel: collab private: false node_id: MDEwOlJlcG9zaXRvcnk3Njg3NTEzMg== @@ -62,11 +62,11 @@ repos: name: esphome.life added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 - last_survey_status: failure + last_survey_at: 2026-05-26 + last_survey_status: success has_fro_bot_workflow: false has_renovate: true - next_survey_eligible_at: 2026-06-05 + next_survey_eligible_at: 2026-06-25 discovery_channel: collab private: false node_id: R_kgDOIZmGgg @@ -74,11 +74,11 @@ repos: name: extend-vscode added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 - last_survey_status: failure + last_survey_at: 2026-05-26 + last_survey_status: success has_fro_bot_workflow: false has_renovate: true - next_survey_eligible_at: 2026-06-06 + next_survey_eligible_at: 2026-06-28 discovery_channel: collab private: false node_id: MDEwOlJlcG9zaXRvcnkzMTMzNjg1OTU= 
@@ -86,11 +86,11 @@ repos: name: gpt added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 - last_survey_status: failure + last_survey_at: 2026-05-27 + last_survey_status: success has_fro_bot_workflow: true has_renovate: true - next_survey_eligible_at: 2026-06-07 + next_survey_eligible_at: 2026-06-27 discovery_channel: collab private: false node_id: R_kgDOK0Z5CA @@ -98,11 +98,11 @@ repos: name: infra added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 - last_survey_status: failure + last_survey_at: 2026-05-27 + last_survey_status: success has_fro_bot_workflow: true has_renovate: true - next_survey_eligible_at: 2026-06-07 + next_survey_eligible_at: 2026-06-27 discovery_channel: collab private: false node_id: R_kgDOR4g8TA 
@@ -110,71 +110,71 @@ repos: name: marcusrbrown added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-04-27 + last_survey_at: 2026-05-20 last_survey_status: success - has_fro_bot_workflow: false + has_fro_bot_workflow: true has_renovate: true discovery_channel: collab - next_survey_eligible_at: 2026-05-29 + next_survey_eligible_at: 2026-06-21 private: false node_id: MDEwOlJlcG9zaXRvcnkzMTk5Mjg2NjE= - owner: marcusrbrown name: marcusrbrown.github.io added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-04-27 + last_survey_at: 2026-05-20 last_survey_status: success has_fro_bot_workflow: true has_renovate: true discovery_channel: collab - next_survey_eligible_at: 2026-05-27 + next_survey_eligible_at: 2026-06-19 private: false node_id: R_kgDOPOkk2A - owner: marcusrbrown name: mrbro.dev added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-04-27 + last_survey_at: 2026-05-21 last_survey_status: success has_fro_bot_workflow: true has_renovate: true discovery_channel: collab - next_survey_eligible_at: 2026-05-30 + next_survey_eligible_at: 2026-06-22 private: false node_id: R_kgDORgYjdA - owner: marcusrbrown name: renovate-config added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-01 + last_survey_at: 2026-05-23 last_survey_status: success has_fro_bot_workflow: true has_renovate: true discovery_channel: collab - next_survey_eligible_at: 2026-06-03 + next_survey_eligible_at: 2026-06-25 private: false node_id: R_kgDOHRfvyQ - owner: marcusrbrown name: sparkle added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-01 + last_survey_at: 2026-05-23 last_survey_status: success - has_fro_bot_workflow: false + has_fro_bot_workflow: true has_renovate: true discovery_channel: collab - next_survey_eligible_at: 2026-06-02 + next_survey_eligible_at: 2026-06-24 private: false node_id: MDEwOlJlcG9zaXRvcnkzMTYxMDA5ODY= - owner: marcusrbrown name: systematic added: 2026-04-18 onboarding_status: onboarded - 
last_survey_at: 2026-05-06 + last_survey_at: 2026-05-28 last_survey_status: success has_fro_bot_workflow: true has_renovate: true - next_survey_eligible_at: 2026-06-05 + next_survey_eligible_at: 2026-06-28 discovery_channel: collab private: false node_id: R_kgDORAJegA @@ -182,11 +182,11 @@ repos: name: tokentoilet added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-06 + last_survey_at: 2026-05-28 last_survey_status: success has_fro_bot_workflow: true has_renovate: true - next_survey_eligible_at: 2026-06-08 + next_survey_eligible_at: 2026-06-28 discovery_channel: collab private: false node_id: R_kgDOJ3rINw @@ -194,11 +194,11 @@ repos: name: vbs added: 2026-04-18 onboarding_status: onboarded - last_survey_at: 2026-05-07 + last_survey_at: 2026-05-29 last_survey_status: success has_fro_bot_workflow: true has_renovate: true - next_survey_eligible_at: 2026-06-06 + next_survey_eligible_at: 2026-07-01 discovery_channel: collab private: false node_id: R_kgDOPOixzg 
@@ -206,47 +206,107 @@ repos: name: opencode-copilot-delegate added: 2026-04-23 onboarding_status: onboarded - last_survey_at: 2026-04-27 + last_survey_at: 2026-05-21 last_survey_status: success has_fro_bot_workflow: true has_renovate: true discovery_channel: collab - next_survey_eligible_at: 2026-05-27 + next_survey_eligible_at: 2026-06-23 private: false node_id: R_kgDOSKIp0Q - owner: fro-bot name: agent added: 2026-05-07 onboarding_status: onboarded - last_survey_at: 2026-05-08 + last_survey_at: 2026-05-22 last_survey_status: success has_fro_bot_workflow: true has_renovate: true discovery_channel: owned - next_survey_eligible_at: 2026-05-22 + next_survey_eligible_at: 2026-06-08 private: false node_id: R_kgDOQyTMEw - owner: fro-bot name: fro-bot.github.io added: 2026-05-07 onboarding_status: onboarded - last_survey_at: 2026-05-08 + last_survey_at: 2026-05-24 last_survey_status: success has_fro_bot_workflow: false has_renovate: false discovery_channel: owned - next_survey_eligible_at: 2026-05-24 + next_survey_eligible_at: 2026-06-08 private: false node_id: R_kgDORLxXng - owner: fro-bot name: systematic added: 2026-05-07 onboarding_status: onboarded - last_survey_at: 2026-05-08 + last_survey_at: 2026-05-22 last_survey_status: success has_fro_bot_workflow: false has_renovate: false discovery_channel: owned - next_survey_eligible_at: 2026-05-22 + next_survey_eligible_at: 2026-06-08 private: false node_id: R_kgDORLx6ew + - owner: bfra-me + name: .github + added: 2026-05-18 + onboarding_status: onboarded + last_survey_at: 2026-05-30 + last_survey_status: success + has_fro_bot_workflow: true + has_renovate: true + discovery_channel: collab + next_survey_eligible_at: 2026-07-01 + private: false + node_id: R_kgDOHBEXpg + - owner: bfra-me + name: ha-addon-repository + added: 2026-05-18 + onboarding_status: onboarded + last_survey_at: 2026-05-30 + last_survey_status: success + has_fro_bot_workflow: true + has_renovate: true + discovery_channel: collab + 
next_survey_eligible_at: 2026-06-30 + private: false + node_id: R_kgDOIKWaJA + - owner: bfra-me + name: renovate-action + added: 2026-05-18 + onboarding_status: onboarded + last_survey_at: 2026-05-31 + last_survey_status: failure + has_fro_bot_workflow: true + has_renovate: true + discovery_channel: collab + next_survey_eligible_at: 2026-07-03 + private: false + node_id: R_kgDOKWu8zQ + - owner: bfra-me + name: works + added: 2026-05-18 + onboarding_status: onboarded + last_survey_at: 2026-05-31 + last_survey_status: success + has_fro_bot_workflow: true + has_renovate: true + discovery_channel: collab + next_survey_eligible_at: 2026-07-02 + private: false + node_id: MDEwOlJlcG9zaXRvcnkzMDc1NzM1OTE= + - owner: marcusrbrown + name: cortexkit_anthropic-auth + added: 2026-05-28 + onboarding_status: onboarded + last_survey_at: 2026-05-28 + last_survey_status: success + has_fro_bot_workflow: true + has_renovate: false + discovery_channel: collab + next_survey_eligible_at: 2026-06-29 + private: false + node_id: R_kgDOSmhCGA
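Review bot: In `knowledge/wiki/topics/opencode-plugins.md`, hunk `@@ -16,7 +16,19 @@`, the new `fro-bot/systematic` source is recorded as `sha: 12cae87`, while the other entries visible in `sources:` carry full 40-character commit SHAs. Please record the full SHA so the reference is unambiguous and consistent with the rest of the list. The same hunk adds the source URL `marcusrbrown/cortexkit_anthropic-auth` (underscore) while the body links it as `[[marcusrbrown--cortexkit-anthropic-auth]]` (hyphen); if that slug normalization is intentional, say so once on the page.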
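Review bot: In `knowledge/wiki/topics/opencode-plugins.md`, hunk `@@ -130,19 +142,146 @@`, several path and command placeholders appear to have been lost, most likely angle-bracket tokens swallowed as markup: the port file directory reads `/opencode/copilot-delegate/`, the PID file reads `//orphans/.pids`, and the probes read `process.kill(, 0)` and `ps -p -o comm=,lstart=`. These are exactly the lines a reader would copy when implementing the identity gate, so please restore the placeholders in a form that survives rendering. The RPC paragraph also calls the port file "authenticated" without saying what authenticates it or what file mode it is written with; one sentence on that would make the localhost-only claim reviewable. Separately, the plugin table still lists systematic as `Active, v2.7.3` while the new loader section cites a systematic regression in `v2.12.1`, so one of the two is stale.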
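Review bot: In `knowledge/wiki/topics/probot-settings.md`, hunk `@@ -45,6 +48,38 @@`, the last paragraph presents `required_pull_request_reviews: null` in bfra-me/works as matching the org template's `required_approving_review_count: 0`, but these are different settings: a review block with a count of 0 still requires changes to arrive through a pull request, whereas `null` disables the pull-request review requirement altogether. Please state which of the two each repo actually carries and reword "matching the org-template posture" accordingly, since with auto-merge enabled and no approvals required the status-check list is the only gate. The survey reference `a81be4c` is also abbreviated; a full SHA would match the `sources:` lists used elsewhere in this patch, and the "open follow-up" on which template is canonical should point at an issue so it can be tracked.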
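Review bot: In `knowledge/wiki/topics/probot-settings.md`, hunk `@@ -52,7 +87,7 @@`, the "Reusable workflow version" bullet now mixes a version fact with commentary ("example of dependency-only churn dominating a config-only repo"). Keep the bullet to the version and date, and move the observation about the 11 Renovate PRs into its own sentence below the list, so the bullet can be updated mechanically on the next bump without rewriting the commentary.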
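Review bot: The only change to `knowledge/wiki/topics/vscode-extensions.md` in this patch is the `updated:` bump from 2026-04-27 to 2026-05-26 in hunk `@@ -2,7 +2,7 @@`, with no body or front-matter content changing alongside it. Either include the content change that motivated the bump or leave the date alone; otherwise `updated` stops being a usable staleness signal for this page.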
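Review bot: In `knowledge/wiki/topics/web3-defi.md`, hunk `@@ -33,7 +36,7 @@`, the Notes cell says the major bump "landed via PR #837 lineage", which does not identify a change a reader can look up. Name the PR that performed the v2 to v3 upgrade, or drop the reference. The dated qualifier in the Tool cell also makes that row far wider than the padded columns of the rest of the table; moving "as of 2026-05-28 in [[marcusrbrown--tokentoilet]]" into Notes keeps the table aligned. The new "Migration Notes" section added in hunk `@@ -81,3 +84,7 @@` cites no PR either, so the same reference would serve both places.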
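Review bot: In `metadata/repos.yaml`, hunk `@@ -206,47 +206,107 @@`, the new `bfra-me/renovate-action` entry records `last_survey_status: failure` yet is given `next_survey_eligible_at: 2026-07-03`, the latest eligibility date of any entry in this patch. Consider a shorter retry window after a failed survey, or document why failures wait a full cycle, so a repo marked `onboarding_status: onboarded` is not left unsurveyed for a month. In the same hunk, `marcusrbrown/cortexkit_anthropic-auth` is the only `discovery_channel: collab` entry shown with `has_renovate: false`; since that repo is described in this patch as handling OAuth credentials, the missing dependency automation deserves a follow-up note on its wiki page.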