Co-VibeDocs

Operations

Co-Vibe — open-source & launch readiness report (2026-06-11)#

Status of the program from the /goal session: auth/onboarding rebuild, repo-sharing controls, security review, and launch prep. Written for whoever picks this up next.

Done this session (committed to main)#

Auth & onboarding

  • Custom /auth/sign-in and /auth/sign-up chooser cards (WorkOS AuthKit): GitHub + Google social deep-links plus email. Sign-up is the tenant-creation path. Landing CTAs and /auth redirect wired in.
  • /welcome onboarding wizard: new-tenant-creator vs invited-member variants, device-flow agent setup with live /api/onboarding/status readiness polling, a "what gets logged" disclosure, and team invites. Tracked by an onboarding_pending flag so existing developers never see it.
  • Self-serve signups now provision a real WorkOS organization, so invites work from day one (removed the single-seat trap; was a documented TODO).

Repo-sharing controls (extends the other session's exclusion work)

  • covibe-local exclude --new-repos flips the machine to opt-in (new repos not logged until opted in with exclude --remove). Enforced in the same isExcludedRepo gate as hooks/bridge/watch/snapshot; doctor + setup disclosures updated.

Security review — multi-agent, looped to convergence:

  • Round 1 (audit): 6 domain auditors → adversarial verification → 3 fresh-context sweeps → 9 confirmed findings.
  • Round 2 (fresh verify): 5 more residuals (2 HIGH), incl. issues the fixes themselves introduced.
  • Round 3 (fresh verify): 3 HIGH, all incomplete applications of round-2 fixes.
  • Round 4 (exhaustive verify): enumerated EVERY from developers read and EVERY companion send path — 0 non-low findings. Clean pass = converged.

Every confirmed finding fixed and committed with a regression test:

  • HIGH — stored XSS via Paxel report_url in an href (sanitized at source + sink).
  • HIGH — cookie-only local-dev auth now fails closed by default (was opt-out via NODE_ENV); .env.example no longer pre-seeds the dangerous opt-in.
  • HIGH — covibe-local paxel (single-repo AND all-repo) refuses to run when the repo/machine is excluded — was exfiltrating excluded repos' working tree / agent transcripts to a third party.
  • HIGH/MEDIUM — sibling-workspace developer identities no longer leak through any /api/state read (one shared WORKSPACE_MEMBER_FILTER across all 7 developer-leading queries).
  • MEDIUM — companion install command (copy-paste npm install <url>) and auth redirects derive from a trusted configured origin, not the spoofable Host header (was RCE / open-redirect).
  • MEDIUM — rate limiter no longer trusts spoofable X-Forwarded-For (gated behind COVIBE_TRUST_PROXY); restores device-code brute-force protection.
  • MEDIUM — Paxel enable/disable flag is now per-tenant (was a global toggle any tenant admin could flip for everyone).
  • LOW — private developers' commit SHA redacted in the coordination graph.
  • MEDIUM — companion re-checks exclusions every watch tick (a running watcher now stops when its repo is excluded, no restart needed).
  • Documented: the shared-Postgres-connection RLS scope is safe because the synchronous Atomics.wait fully serializes queries — a throughput tradeoff, not an isolation bug (added a code comment so it isn't re-flagged).
  • Accepted residual: a malicious repo can plant fabricated telemetry in its own .covibe/telemetry inbox; the data is self-attributed and workspace-scoped, and excluded repos no longer flush. Don't run the companion in untrusted repos.

Open-source prep

  • SECURITY.md (trust model, required deployment settings, fail-closed auth, COVIBE_TRUST_PROXY, vuln reporting to security@co-vibe.dev).
  • Landing: GitHub star button + real social/contact links, centralized in src/features/landing/links.ts.
  • GitHub repo description + topics set; transferred to Spaceflow-Technologies-INC/co-vibe.
  • .env.example documents the new flags.

Hosting prep

  • scripts/deploy-gcp.sh: idempotent, least-privilege Cloud Run + Cloud SQL deploy (runtime role is not the table owner so RLS holds; secrets via Secret Manager). Prepared but NOT run — see blockers below.

Full suite green: 220 files / 1164 tests. tsc --noEmit clean. madge no cycles.

Remaining — needs you (can't be done autonomously)#

These need credentials, dashboards, or business decisions I shouldn't make:

  1. WorkOS production credentials. In the WorkOS dashboard: enable GitHub and Google as OAuth providers; add https://co-vibe.dev/callback to Redirects; copy the production WORKOS_CLIENT_ID/WORKOS_API_KEY and a strong WORKOS_COOKIE_PASSWORD into Secret Manager (the deploy script reads them). The GitHub/Google sign-in buttons are wired but won't work until the providers are enabled.

  2. Scrub git history before going public. The internal GCP project ID was committed in scripts/deploy-gcp.sh (commit c54e1206) and the readiness report before both were genericized. The repo is still private, so this is contained — but before flipping to public, either publish from a fresh squashed history or run git filter-repo/BFG over those paths. (The current files no longer contain it.)

  3. LICENSE — done. AGPL-3.0-only: canonical LICENSE at root, SPDX identifier in package.json, README License section. The network-use clause stops a SaaS competitor from closed-sourcing a hosted fork. (If you ever want to relicense, do it before external contributors land.)

  4. Repo move to the business GitHub org. Tell me the org name (or do gh repo transfer). After the move, update GITHUB_REPO_URL in src/features/landing/links.ts (one line) and the repo URL in package.json if added.

  5. Management/contact emails. SECURITY.md and the landing footer reference security@co-vibe.dev and hello@co-vibe.dev. Create these (Google Workspace or your mail host on the co-vibe.dev domain).

  6. GCP deploy. Confirm the target project. The gcloud account is currently pointed at a shared project that hosts unrelated production services — use a DEDICATED project for the open-source product and set COVIBE_GCP_PROJECT accordingly (the deploy script no longer hardcodes a project ID). Then, with WorkOS prod secrets in hand: set COVIBE_DB_OWNER_PASSWORD/COVIBE_DB_APP_PASSWORD and the WORKOS_* env, run scripts/deploy-gcp.sh, run npm run db:postgres:init against the new instance, map co-vibe.dev via a global external HTTPS load balancer, move profile-photo uploads to Cloud Storage (gcp-production.md blocker #3), then npm run readiness:handoff -- https://co-vibe.dev. The domain co-vibe.dev is already registered in the project.

  7. GitHub page polish (post-transfer). README is current; add the LICENSE badge and a screenshot/GIF once public. Topics + description are already set.

Deploy pipeline (.github/workflows/deploy.yml)#

CI deploys to Cloud Run from the (public) repo via GitHub Actions. It is secret-free — Workload Identity Federation (GitHub OIDC, no long-lived key) for auth, runtime secrets read from GCP Secret Manager, and a production environment gate (required reviewers). Fork PRs can't access any of it.

One-time wiring (repo Settings → Secrets and variables → Actions → Variables): GCP_PROJECT, GCP_REGION, GCP_SERVICE, GCP_DOMAIN, GCP_WIF_PROVIDER, GCP_DEPLOY_SA, GCP_CLOUDSQL_CONNECTION. Plus the five Secret Manager entries the deploy step references (covibe-database-url, covibe-postgres-admin-url, covibe-workos-{api-key,client-id,cookie-password}) — the same names scripts/deploy-gcp.sh creates. Set up the Workload Identity pool + a covibe-deployer SA (roles in the workflow header), then push to main (or run the manual dispatch) to deploy. scripts/deploy-gcp.sh remains the manual / first-time-provisioning path.

Pointers#

  • Security details + env flags: SECURITY.md, docs/engineering/auth-plan.md.
  • Deploy: scripts/deploy-gcp.sh, docs/engineering/gcp-production.md, docs/engineering/hosting-handoff.md.
  • Design audit of the new auth/wizard screens: ~/.gstack/projects/derHaken-dev_synce/designs/design-audit-20260611/.
View as .md