Install path home autocoder

.dockerignore

@@ -0,0 +1,27 @@
+.git
+.gitignore
+.code
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+*.swp
+*.swo
+*.tmp
+.env
+.env.*
+env/
+venv/
+.venv/
+ENV/
+node_modules/
+ui/node_modules/
+ui/dist/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+coverage/
+dist/
+build/
+tmp/
+*.log

.github/workflows/ci.yml

@@ -1,12 +1,35 @@
-name: CI
+name: Push CI
 
 on:
-  pull_request:
-    branches: [master, main]
   push:
-    branches: [master, main]
+    branches: [main]
+  pull_request:
+    branches: [main]
 
 jobs:
+  repo-guards:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Ensure .code/ and .env are not tracked
+        shell: bash
+        run: |
+          tracked_code="$(git ls-files -- .code)"
+          tracked_env="$(git ls-files -- .env)"
+
+          if [ -n "$tracked_code" ] || [ -n "$tracked_env" ]; then
+            echo "Local-only policy and secrets files must not be tracked."
+            if [ -n "$tracked_code" ]; then
+              echo "Tracked .code/ entries:"
+              echo "$tracked_code"
+            fi
+            if [ -n "$tracked_env" ]; then
+              echo "Tracked .env entries:"
+              echo "$tracked_env"
+            fi
+            exit 1
+          fi
+
   python:
     runs-on: ubuntu-latest
     steps:
@@ -39,3 +62,34 @@ jobs:
         run: npm run lint
       - name: Type check & Build
         run: npm run build
+      - name: UI smoke tests
+        run: npm run test:smoke
+
+  docker-image:
+    needs: [python, ui]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      IMAGE_NAME: ghcr.io/${{ github.repository }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/deploy.yml

@@ -0,0 +1,113 @@
+name: Deploy to VPS
+
+on:
+  workflow_run:
+    workflows: ["Push CI"]
+    branches: [main]
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${{ github.event.workflow_run.head_branch }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    env:
+      DEPLOY_PATH: ${{ secrets.VPS_DEPLOY_PATH || '/home/autocoder' }}
+      TARGET_BRANCH: ${{ secrets.VPS_BRANCH || 'main' }}
+      VPS_PORT: ${{ secrets.VPS_PORT || '22' }}
+      DOMAIN: ${{ secrets.VPS_DOMAIN }}
+      DUCKDNS_TOKEN: ${{ secrets.VPS_DUCKDNS_TOKEN }}
+      LETSENCRYPT_EMAIL: ${{ secrets.VPS_LETSENCRYPT_EMAIL }}
+      APP_PORT: ${{ secrets.VPS_APP_PORT || '8888' }}
+      REPO_URL: https://github.com/${{ github.repository }}.git
+      IMAGE_LATEST: ghcr.io/${{ github.repository }}:latest
+      IMAGE_SHA: ghcr.io/${{ github.repository }}:${{ github.event.workflow_run.head_sha }}
+    steps:
+      - name: Deploy over SSH with Docker Compose
+        uses: appleboy/ssh-action@v1.2.4
+        with:
+          host: ${{ secrets.VPS_HOST }}
+          username: ${{ secrets.VPS_USER }}
+          key: ${{ secrets.VPS_SSH_KEY }}
+          port: ${{ env.VPS_PORT }}
+          envs: DEPLOY_PATH,TARGET_BRANCH,VPS_PORT,DOMAIN,DUCKDNS_TOKEN,LETSENCRYPT_EMAIL,APP_PORT,REPO_URL,IMAGE_LATEST,IMAGE_SHA
+          script: |
+            set -euo pipefail
+
+            if [ -z "${DEPLOY_PATH:-}" ]; then
+              echo "VPS_DEPLOY_PATH secret is required"; exit 1;
+            fi
+
+            if [ -z "${DOMAIN:-}" ] || [ -z "${DUCKDNS_TOKEN:-}" ] || [ -z "${LETSENCRYPT_EMAIL:-}" ]; then
+              echo "VPS_DOMAIN, VPS_DUCKDNS_TOKEN, and VPS_LETSENCRYPT_EMAIL secrets are required."; exit 1;
+            fi
+
+            if [ ! -d "$DEPLOY_PATH/.git" ]; then
+              echo "ERROR: $DEPLOY_PATH is missing a git repo. Clone the repository there and keep your .env file."; exit 1;
+            fi
+
+            cd "$DEPLOY_PATH"
+
+            if [ ! -f ./deploy.sh ]; then
+              echo "ERROR: deploy.sh not found in $DEPLOY_PATH. Ensure the repo is up to date."; exit 1;
+            fi
+
+            chmod +x ./deploy.sh
+
+            if [ ! -f .env ]; then
+              echo "WARNING: .env not found in $DEPLOY_PATH. Deployment will continue without it.";
+            fi
+
+            if [ "$(id -u)" -eq 0 ]; then
+              RUNNER=""
+            else
+              if ! command -v sudo >/dev/null 2>&1; then
+                echo "sudo is required to run deploy.sh as root."; exit 1;
+              fi
+              RUNNER="sudo"
+            fi
+
+            $RUNNER env \
+              AUTOCODER_AUTOMATED=1 \
+              AUTOCODER_ASSUME_YES=1 \
+              DOMAIN="${DOMAIN}" \
+              DUCKDNS_TOKEN="${DUCKDNS_TOKEN}" \
+              LETSENCRYPT_EMAIL="${LETSENCRYPT_EMAIL}" \
+              REPO_URL="${REPO_URL}" \
+              DEPLOY_BRANCH="${TARGET_BRANCH}" \
+              APP_DIR="${DEPLOY_PATH}" \
+              APP_PORT="${APP_PORT}" \
+              IMAGE="${IMAGE_SHA:-$IMAGE_LATEST}" \
+              ./deploy.sh
+
+            echo "Running smoke test on http://127.0.0.1:${APP_PORT}/health and /readiness ..."
+            retries=12
+            until curl -fsS --max-time 5 "http://127.0.0.1:${APP_PORT}/health" >/dev/null; do
+              retries=$((retries - 1))
+              if [ "$retries" -le 0 ]; then
+                echo "Health check failed after retries."
+                exit 1
+              fi
+              echo "Waiting for health... ($retries retries left)"
+              sleep 5
+            done
+
+            retries=12
+            until curl -fsS --max-time 5 "http://127.0.0.1:${APP_PORT}/readiness" >/dev/null; do
+              retries=$((retries - 1))
+              if [ "$retries" -le 0 ]; then
+                echo "Readiness check failed after retries."
+                exit 1
+              fi
+              echo "Waiting for readiness... ($retries retries left)"
+              sleep 5
+            done
+
+            echo "Service responded successfully to health and readiness."

.github/workflows/pr-check.yml

@@ -0,0 +1,75 @@
+name: PR Check
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: pr-check-${{ github.event.pull_request?.head.repo.full_name || github.repository }}-${{ github.event.pull_request?.number || github.run_number }}
+  cancel-in-progress: true
+
+jobs:
+  repo-guards:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Ensure .code/ and .env are not tracked
+        shell: bash
+        run: |
+          tracked_code="$(git ls-files -- .code)"
+          tracked_env="$(git ls-files -- .env)"
+
+          if [ -n "$tracked_code" ] || [ -n "$tracked_env" ]; then
+            echo "Local-only policy and secrets files must not be tracked."
+            if [ -n "$tracked_code" ]; then
+              echo "Tracked .code/ entries:"
+              echo "$tracked_code"
+            fi
+            if [ -n "$tracked_env" ]; then
+              echo "Tracked .env entries:"
+              echo "$tracked_env"
+            fi
+            exit 1
+          fi
+
+  python:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+          cache-dependency-path: requirements.txt
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+      - name: Lint with ruff
+        run: ruff check .
+      - name: Run security tests
+        run: python test_security.py
+
+  ui:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ui
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+          cache-dependency-path: ui/package-lock.json
+      - name: Install dependencies
+        run: npm ci
+      - name: Lint
+        run: npm run lint
+      - name: Type check & Build
+        run: npm run build
+      - name: UI smoke tests
+        run: npm run test:smoke

.gitignore

@@ -6,6 +6,9 @@ temp/
 nul
 issues/
 
+# Repository-specific
+.code/
+
 # Browser profiles for parallel agent execution
 .browser-profiles/
 
@@ -16,6 +19,9 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 
+# Local Codex/Claude configuration (do not commit)
+.code/
+
 # ===================
 # Node.js
 # ===================

.pre-commit-config.yaml

@@ -0,0 +1,38 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: detect-private-key
+      - id: check-added-large-files
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.7.3
+    hooks:
+      - id: ruff
+        args: ["--fix"]
+        stages: [commit]
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.13.0
+    hooks:
+      - id: mypy
+        args: ["--ignore-missing-imports"]
+        additional_dependencies: []
+        stages: [commit]
+  - repo: local
+    hooks:
+      - id: forbid-dotenv
+        name: Block committing .env files
+        entry: bash -c 'if git diff --cached --name-only | grep -E "(^|/)\.env(\.|$)"; then echo "? .env files are blocked from commits"; exit 1; fi'
+        language: system
+        pass_filenames: false
+      - id: eslint
+        name: ESLint (ui)
+        entry: bash -c 'cd ui && npm run lint'
+        language: system
+        pass_filenames: false
+      - id: prettier
+        name: Prettier check (ui)
+        entry: bash -c 'cd ui && npm run format'
+        language: system
+        pass_filenames: false

CONFIGURATION.md

@@ -0,0 +1,36 @@
+# Configuration Matrix
+
+## Required for backend (Claude)
+- `ANTHROPIC_AUTH_TOKEN` **or** Claude CLI auth (`claude login`) to run coding agents.
+
+## Optional / Alternative Models
+- `ANTHROPIC_BASE_URL`, `ANTHROPIC_AUTH_TOKEN` — GLM/other Claude-compatible endpoints.
+- `ANTHROPIC_DEFAULT_OPUS_MODEL`, `ANTHROPIC_DEFAULT_SONNET_MODEL`, `ANTHROPIC_DEFAULT_HAIKU_MODEL` — model overrides.
+- `GEMINI_API_KEY` — use Gemini for assistant chat (chat only, no tools).
+- `GEMINI_MODEL` (default `gemini-1.5-flash`), `GEMINI_BASE_URL` (default OpenAI-compatible endpoint).
+
+## Server runtime
+- `AUTOCODER_ALLOW_REMOTE` — allow remote CORS (set to `1/true` to relax localhost-only guard).
+- `API_TIMEOUT_MS` — passed to Claude SDK.
+
+## Observability
+- Backend Sentry: `SENTRY_DSN` (required to enable), optional `SENTRY_ENV`, `SENTRY_TRACES_SAMPLE_RATE` (default 0.2).
+- Frontend Sentry: `VITE_SENTRY_DSN` (required to enable), optional `VITE_SENTRY_ENV`, `VITE_SENTRY_TRACES_SAMPLE_RATE`, `VITE_SENTRY_PROMPT_USER=1` to prompt for name/email.
+- OTEL: `OTEL_EXPORTER_OTLP_ENDPOINT`, optional `OTEL_SERVICE_NAME` (default `autocoder-server`), `OTEL_ENVIRONMENT` (default `production`).
+
+## Deploy (Traefik/DuckDNS)
+- `.env.deploy` generated by `scripts/deploy.sh`:
+  - `DOMAIN`
+  - `LETSENCRYPT_EMAIL`
+  - `APP_PORT` (internal service port, default 8888)
+- DuckDNS token stored in `/etc/cron.d/duckdns` (not in repo).
+
+## UI build/dev
+- `VITE_API_PORT` — backend port for Vite dev proxy (default 8888).
+
+## Data / volumes
+- `~/.autocoder` persisted via `autocoder-data` volume (docker-compose).
+
+## Make targets
+- `make dev-up`: uses `docker-compose.dev.yml` (hot reload).
+- `make api-dev`, `make ui-dev`, `make lint`, `make smoke`, `make pre-commit-install`.