# Co-Vibe — open-source & launch readiness report (2026-06-11) Status of the program from the `/goal` session: auth/onboarding rebuild, repo-sharing controls, security review, and launch prep. Written for whoever picks this up next. ## Done this session (committed to `main`) **Auth & onboarding** - Custom `/auth/sign-in` and `/auth/sign-up` chooser cards (WorkOS AuthKit): GitHub + Google social deep-links plus email. Sign-up is the tenant-creation path. Landing CTAs and `/auth` redirect wired in. - `/welcome` onboarding wizard: new-tenant-creator vs invited-member variants, device-flow agent setup with live `/api/onboarding/status` readiness polling, a "what gets logged" disclosure, and team invites. Tracked by an `onboarding_pending` flag so existing developers never see it. - Self-serve signups now provision a real WorkOS organization, so invites work from day one (removed the single-seat trap; was a documented TODO). **Repo-sharing controls (extends the other session's exclusion work)** - `covibe-local exclude --new-repos` flips the machine to opt-in (new repos not logged until opted in with `exclude --remove`). Enforced in the same `isExcludedRepo` gate as hooks/bridge/watch/snapshot; doctor + setup disclosures updated. **Security review** — multi-agent, looped to convergence: - Round 1 (audit): 6 domain auditors → adversarial verification → 3 fresh-context sweeps → 9 confirmed findings. - Round 2 (fresh verify): 5 more residuals (2 HIGH), incl. issues the fixes themselves introduced. - Round 3 (fresh verify): 3 HIGH, all incomplete applications of round-2 fixes. - Round 4 (exhaustive verify): enumerated EVERY `from developers` read and EVERY companion send path — **0 non-low findings**. Clean pass = converged. Every confirmed finding fixed and committed with a regression test: - HIGH — stored XSS via Paxel `report_url` in an href (sanitized at source + sink). - HIGH — cookie-only local-dev auth now fails closed by default (was opt-out via `NODE_ENV`); `.env.example` no longer pre-seeds the dangerous opt-in. - HIGH — `covibe-local paxel` (single-repo AND all-repo) refuses to run when the repo/machine is excluded — was exfiltrating excluded repos' working tree / agent transcripts to a third party. - HIGH/MEDIUM — sibling-workspace developer identities no longer leak through any `/api/state` read (one shared `WORKSPACE_MEMBER_FILTER` across all 7 developer-leading queries). - MEDIUM — companion install command (copy-paste `npm install `) and auth redirects derive from a trusted configured origin, not the spoofable `Host` header (was RCE / open-redirect). - MEDIUM — rate limiter no longer trusts spoofable `X-Forwarded-For` (gated behind `COVIBE_TRUST_PROXY`); restores device-code brute-force protection. - MEDIUM — Paxel enable/disable flag is now per-tenant (was a global toggle any tenant admin could flip for everyone). - LOW — private developers' commit SHA redacted in the coordination graph. - MEDIUM — companion re-checks exclusions every watch tick (a running watcher now stops when its repo is excluded, no restart needed). - Documented: the shared-Postgres-connection RLS scope is safe because the synchronous `Atomics.wait` fully serializes queries — a throughput tradeoff, not an isolation bug (added a code comment so it isn't re-flagged). - Accepted residual: a malicious repo can plant fabricated telemetry in its own `.covibe/telemetry` inbox; the data is self-attributed and workspace-scoped, and excluded repos no longer flush. Don't run the companion in untrusted repos. **Open-source prep** - `SECURITY.md` (trust model, required deployment settings, fail-closed auth, `COVIBE_TRUST_PROXY`, vuln reporting to security@co-vibe.dev). - Landing: GitHub star button + real social/contact links, centralized in `src/features/landing/links.ts`. - GitHub repo description + topics set; transferred to `Spaceflow-Technologies-INC/co-vibe`. - `.env.example` documents the new flags. **Hosting prep** - `scripts/deploy-gcp.sh`: idempotent, least-privilege Cloud Run + Cloud SQL deploy (runtime role is not the table owner so RLS holds; secrets via Secret Manager). Prepared but NOT run — see blockers below. Full suite green: 220 files / 1164 tests. `tsc --noEmit` clean. `madge` no cycles. ## Remaining — needs you (can't be done autonomously) These need credentials, dashboards, or business decisions I shouldn't make: 1. **WorkOS production credentials.** In the WorkOS dashboard: enable GitHub and Google as OAuth providers; add `https://co-vibe.dev/callback` to Redirects; copy the production `WORKOS_CLIENT_ID`/`WORKOS_API_KEY` and a strong `WORKOS_COOKIE_PASSWORD` into Secret Manager (the deploy script reads them). The GitHub/Google sign-in buttons are wired but won't work until the providers are enabled. 2. **Scrub git history before going public.** The internal GCP project ID was committed in `scripts/deploy-gcp.sh` (commit `c54e1206`) and the readiness report before both were genericized. The repo is still private, so this is contained — but before flipping to public, either publish from a fresh squashed history or run `git filter-repo`/BFG over those paths. (The current files no longer contain it.) 3. **LICENSE — done.** AGPL-3.0-only: canonical `LICENSE` at root, SPDX identifier in `package.json`, README License section. The network-use clause stops a SaaS competitor from closed-sourcing a hosted fork. (If you ever want to relicense, do it before external contributors land.) 4. **Repo move to the business GitHub org.** Tell me the org name (or do `gh repo transfer`). After the move, update `GITHUB_REPO_URL` in `src/features/landing/links.ts` (one line) and the repo URL in `package.json` if added. 5. **Management/contact emails.** `SECURITY.md` and the landing footer reference `security@co-vibe.dev` and `hello@co-vibe.dev`. Create these (Google Workspace or your mail host on the `co-vibe.dev` domain). 6. **GCP deploy.** Confirm the target project. The gcloud account is currently pointed at a shared project that hosts unrelated production services — use a DEDICATED project for the open-source product and set `COVIBE_GCP_PROJECT` accordingly (the deploy script no longer hardcodes a project ID). Then, with WorkOS prod secrets in hand: set `COVIBE_DB_OWNER_PASSWORD`/`COVIBE_DB_APP_PASSWORD` and the `WORKOS_*` env, run `scripts/deploy-gcp.sh`, run `npm run db:postgres:init` against the new instance, map `co-vibe.dev` via a global external HTTPS load balancer, move profile-photo uploads to Cloud Storage (gcp-production.md blocker #3), then `npm run readiness:handoff -- https://co-vibe.dev`. The domain `co-vibe.dev` is already registered in the project. 7. **GitHub page polish (post-transfer).** README is current; add the LICENSE badge and a screenshot/GIF once public. Topics + description are already set. ## Deploy pipeline (`.github/workflows/deploy.yml`) CI deploys to Cloud Run from the (public) repo via GitHub Actions. It is secret-free — Workload Identity Federation (GitHub OIDC, no long-lived key) for auth, runtime secrets read from GCP Secret Manager, and a `production` environment gate (required reviewers). Fork PRs can't access any of it. One-time wiring (repo Settings → Secrets and variables → Actions → **Variables**): `GCP_PROJECT`, `GCP_REGION`, `GCP_SERVICE`, `GCP_DOMAIN`, `GCP_WIF_PROVIDER`, `GCP_DEPLOY_SA`, `GCP_CLOUDSQL_CONNECTION`. Plus the five Secret Manager entries the deploy step references (`covibe-database-url`, `covibe-postgres-admin-url`, `covibe-workos-{api-key,client-id,cookie-password}`) — the same names `scripts/deploy-gcp.sh` creates. Set up the Workload Identity pool + a `covibe-deployer` SA (roles in the workflow header), then push to `main` (or run the manual dispatch) to deploy. `scripts/deploy-gcp.sh` remains the manual / first-time-provisioning path. ## Pointers - Security details + env flags: `SECURITY.md`, `docs/engineering/auth-plan.md`. - Deploy: `scripts/deploy-gcp.sh`, `docs/engineering/gcp-production.md`, `docs/engineering/hosting-handoff.md`. - Design audit of the new auth/wizard screens: `~/.gstack/projects/derHaken-dev_synce/designs/design-audit-20260611/`.