shithub Public

Watch 1 Fork 0 Star 0

markdown · 8779 bytes Raw Blame History

shithub

A 1:1 reverse-engineering of GitHub. AGPLv3. Without Copilot.

Status: v0.1.0 launched — early days. Honest about WIP areas.

shithub is an attempt to recreate GitHub — the platform, the UI, the workflows — as faithfully as we can, as a self-hostable open-source forge. The goal is "you should barely notice you switched." We are not there yet. The core forge loop works end-to-end (see "What works today"); large surfaces such as GraphQL, Packages, Pages, Projects, Releases, and Gists are still explicitly outside the current shipped surface.

The hosted instance is at shithub.sh. The project's own source has migrated here from GitHub; this GitHub repo is a one-way mirror for the first 90 days post-launch as a recovery surface.

If you came here expecting drop-in parity with everything GitHub does, you'll find specific gaps. If you came here for an honest, AI-free, self-hostable forge, this is for you.

What works today

The core forge loop works end-to-end against the codebase you're reading:

Identity — email/password signup, email verification, password reset, TOTP 2FA + recovery codes, SSH keys, personal access tokens (scoped), sessions.
Repositories — create, fork, archive, transfer, soft-delete with grace, rename with redirects, visibility toggles, branch protection (force-push / deletion / required reviews / required status checks), default-branch swap, topics, README/license/.gitignore templates.
Git — bare repos on disk; HTTPS smart-HTTP and SSH push/pull (sshd Match User git dispatches to shithubd via AuthorizedKeysCommand); pre/post-receive hook integration for size accounting and event emission.
Code browsing — tree, blob (chroma syntax highlighting with light/dark themes), raw, blame, commit history, individual commit views, branch/tag listings, compare views, file finder.
Issues & PRs — full CRUD on issues + comments + labels + milestones + assignees; pull requests with diff rendering, file-by-file review, line comments, reviews (approve/request-changes/comment), required-reviewer enforcement, status-check gates, three merge methods (merge / squash / rebase), conflict detection.
Social — stars, watches with notification level, forks (clone-on-create), follows for users/orgs, Home/Explore feeds, trending repositories/developers, stargazer/watcher/follower lists.
Search — code search (path + content, tantivy-equivalent indexing in Postgres), repo search, user search, quick-search.
Notifications — per-user inbox, email fan-out, watch-level routing, one-click HMAC-signed unsubscribe links, auto-subscribe on participation.
Organizations & teams — create, member roles (member/owner), invitations, one-level team nesting, team grants on repos with max-of-sources policy aggregation.
Repo settings — General (description, topics, features, merge methods), Access (collaborators + team grants), Branches (protection rules), Danger (rename/transfer/archive/visibility/delete).
Webhooks — outbound delivery with HMAC-SHA256 signing, exponential backoff with jitter, auto-disable on persistent failure, SSRF defense (DNS resolve + IP block-list + dial-the-IP transport, no redirect-following), redelivery UI, ping events.
Actions / CI v1 — .shithub/workflows parser, push/PR/schedule/dispatch triggers, per-repo/org secrets and variables, runner registration, single-use job JWTs, scoped checkout, containerized run: steps, live logs, cancel/re-run, retention, check-run sync, Atom feed, and monitoring. v1 intentionally supports actions/checkout@v4 plus run: steps, not arbitrary marketplace actions.

What doesn't work yet

Pulled directly from the sprint plan we're working through:

Actions marketplace parity — shithub Actions does not execute arbitrary uses: steps, matrix builds, service containers, composite actions, or hosted runner images. The project's full CI remains on GitHub Actions until the first-party runner image/Nix toolchain can run it without marketplace setup actions; .shithub/workflows/checkout-canary.yml is the current dogfood canary.
Packages, Pages, Projects, Releases, Gists — none of these surfaces exist yet.
GraphQL API — a documented REST API ships under /api/v1 (see docs/public/api/); a GraphQL surface is not yet planned.
Visual polish — most pages render correctly but do not look like GitHub yet. Spacing, typography, header/footer chrome, color tokens, octicon coverage, empty-state illustrations, focus states — all still drifting from Primer. Closing this gap is ongoing; expect rough edges page-to-page.
Mobile / responsive — the current CSS is desktop-first. Small viewports work but aren't tuned.
Deferred from completed sprints — every sprint spec lists "inbound deferrals" that landed and "outbound deferrals" that were pushed forward. See .docs/sprints/ for the running list.

Why

GitHub is a well-built platform. Microsoft's Copilot push has changed the product's character — particularly around how user code is treated as training data. shithub aims to recreate the parts that worked, on terms that make a self-hosted instance an honest equal to the SaaS experience, with AGPLv3 keeping any hosted variant open.

The "1:1" goal is intentional. There are plenty of git forges with their own UX vision; shithub deliberately doesn't try to be one of them. The closer the muscle-memory match, the lower the cost of switching.

Quickstart (development)

make dev          # hot-reload server on http://localhost:8080
make test         # run tests
make build        # build bin/shithubd
make ci           # full CI pipeline locally (mirrors GitHub Actions)
make dev-migrate  # apply DB migrations against $SHITHUB_DATABASE_URL

Requires:

Go 1.22+ (developed against 1.26)
PostgreSQL 13+
A local MinIO (or any S3-compatible store) for the storage tests — make storage-up brings one up via docker-compose.
golangci-lint, gofumpt, goimports, air, sqlc, goose (installed via go install per the Makefile or your package manager).

Copy .env.example to .env and fill in the database URL, session keys, and TOTP/webhook AEAD key.

Layout

cmd/shithubd/        # main entry: web, ssh, worker, migrate, storage, version
internal/auth/       # password, sessions, TOTP, PATs, SSH keys, policy/RBAC
internal/repos/      # repo lifecycle, git ops, branches, tags, diffs, forks
internal/issues/     # issues + comments + labels + milestones
internal/pulls/      # pull requests + reviews + merge orchestration
internal/orgs/       # orgs + teams + member roles + principals
internal/webhook/    # outbound delivery + SSRF defense + signing
internal/notif/      # inbox + email fan-out + watch-level routing
internal/search/     # code/repo/user search
internal/markdown/   # rendering + reference resolution (#N, @user, @org/team)
internal/web/        # HTTP handlers + html/template + middleware
internal/worker/     # Postgres-backed job queue + handlers
internal/migrationsfs/migrations/   # numbered SQL migrations (goose)
.docs/sprints/       # sprint specifications (S00–S49 + SR1)

Roadmap

The work is structured as 50 sprints (S00–S49, plus SR1 audit remediation). Roughly:

S00–S04 — scaffolding, DB baseline, web shell, observability, storage abstractions ✅
S05–S09 — identity (auth, 2FA, SSH keys, PATs, profiles) ✅
S10–S20 — repos, git protocols (HTTPS + SSH), code browsing, branches/tags, hooks ✅
S21–S25 — issues, pulls, reviews, status checks, markdown ✅
S26–S29 — social, forks, search, notifications ✅
S30–S33 — orgs, teams, repo settings, webhooks ✅
S34 — site admin (/admin/*) ✅
S41 — actions/CI v1 ✅
S35–S40, S42–S49 — security hardening, federation, polish, accessibility, i18n; social feed, advanced search, GraphQL API, packages, pages, projects, releases, gists

See .docs/sprints/ for the per-sprint spec.

Contributing

See CONTRIBUTING.md. The project is in active rapid development — substantial PRs are best discussed in an issue first so we don't both write the same code. Small fixes, doc improvements, and bug reports are welcome any time.

Security

To report a security issue, see SECURITY.md. Please do not open a public issue for security reports.

License

AGPLv3. If you run a modified version as a network service, your users are entitled to the source.

View source

  
        1
        <p align="center">
      
        2
          <img src="internal/web/static/logo/shithub-mark.svg" alt="" width="120">
      
        3
        </p>
      
        4
        
        5
        <h1 align="center">shithub</h1>
      
        6
        
        7
        <p align="center">
      
        8
          A 1:1 reverse-engineering of GitHub. AGPLv3. Without Copilot.
      
        9
        </p>
      
        10
        
        11
        ---
      
        12
        
        13
        **Status: v0.1.0 launched — early days. Honest about WIP areas.**
      
        14
        
        15
        shithub is an attempt to recreate GitHub — the platform, the UI, the workflows — as faithfully as we can, as a self-hostable open-source forge. The goal is "you should barely notice you switched." We are not there yet. The core forge loop works end-to-end (see "What works today"); large surfaces such as GraphQL, Packages, Pages, Projects, Releases, and Gists are still explicitly outside the current shipped surface.
      
        16
        
        17
        The hosted instance is at **[shithub.sh](https://shithub.sh)**. The project's own source has migrated here from GitHub; this GitHub repo is a one-way mirror for the first 90 days post-launch as a recovery surface.
      
        18
        
        19
        If you came here expecting drop-in parity with everything GitHub does, you'll find specific gaps. If you came here for an honest, AI-free, self-hostable forge, this is for you.
      
        20
        
        21
        ## What works today
      
        22
        
        23
        The core forge loop works end-to-end against the codebase you're reading:
      
        24
        
        25
        - **Identity** — email/password signup, email verification, password reset, TOTP 2FA + recovery codes, SSH keys, personal access tokens (scoped), sessions.
      
        26
        - **Repositories** — create, fork, archive, transfer, soft-delete with grace, rename with redirects, visibility toggles, branch protection (force-push / deletion / required reviews / required status checks), default-branch swap, topics, README/license/.gitignore templates.
      
        27
        - **Git** — bare repos on disk; HTTPS smart-HTTP and SSH push/pull (sshd `Match User git` dispatches to shithubd via `AuthorizedKeysCommand`); pre/post-receive hook integration for size accounting and event emission.
      
        28
        - **Code browsing** — tree, blob (chroma syntax highlighting with light/dark themes), raw, blame, commit history, individual commit views, branch/tag listings, compare views, file finder.
      
        29
        - **Issues & PRs** — full CRUD on issues + comments + labels + milestones + assignees; pull requests with diff rendering, file-by-file review, line comments, reviews (approve/request-changes/comment), required-reviewer enforcement, status-check gates, three merge methods (merge / squash / rebase), conflict detection.
      
        30
        - **Social** — stars, watches with notification level, forks (clone-on-create), follows for users/orgs, Home/Explore feeds, trending repositories/developers, stargazer/watcher/follower lists.
      
        31
        - **Search** — code search (path + content, tantivy-equivalent indexing in Postgres), repo search, user search, quick-search.
      
        32
        - **Notifications** — per-user inbox, email fan-out, watch-level routing, one-click HMAC-signed unsubscribe links, auto-subscribe on participation.
      
        33
        - **Organizations & teams** — create, member roles (member/owner), invitations, one-level team nesting, team grants on repos with max-of-sources policy aggregation.
      
        34
        - **Repo settings** — General (description, topics, features, merge methods), Access (collaborators + team grants), Branches (protection rules), Danger (rename/transfer/archive/visibility/delete).
      
        35
        - **Webhooks** — outbound delivery with HMAC-SHA256 signing, exponential backoff with jitter, auto-disable on persistent failure, SSRF defense (DNS resolve + IP block-list + dial-the-IP transport, no redirect-following), redelivery UI, ping events.
      
        36
        - **Actions / CI v1** — `.shithub/workflows` parser, push/PR/schedule/dispatch triggers, per-repo/org secrets and variables, runner registration, single-use job JWTs, scoped checkout, containerized `run:` steps, live logs, cancel/re-run, retention, check-run sync, Atom feed, and monitoring. v1 intentionally supports `actions/checkout@v4` plus `run:` steps, not arbitrary marketplace actions.
      
        37
        
        38
        ## What doesn't work yet
      
        39
        
        40
        Pulled directly from the sprint plan we're working through:
      
        41
        
        42
        - **Actions marketplace parity** — shithub Actions does not execute arbitrary `uses:` steps, matrix builds, service containers, composite actions, or hosted runner images. The project's full CI remains on GitHub Actions until the first-party runner image/Nix toolchain can run it without marketplace setup actions; `.shithub/workflows/checkout-canary.yml` is the current dogfood canary.
      
        43
        - **Packages, Pages, Projects, Releases, Gists** — none of these surfaces exist yet.
      
        44
        - **GraphQL API** — a documented REST API ships under `/api/v1` (see `docs/public/api/`); a GraphQL surface is not yet planned.
      
        45
        - **Visual polish** — most pages render correctly but do not look like GitHub yet. Spacing, typography, header/footer chrome, color tokens, octicon coverage, empty-state illustrations, focus states — all still drifting from Primer. Closing this gap is ongoing; expect rough edges page-to-page.
      
        46
        - **Mobile / responsive** — the current CSS is desktop-first. Small viewports work but aren't tuned.
      
        47
        - **Deferred from completed sprints** — every sprint spec lists "inbound deferrals" that landed and "outbound deferrals" that were pushed forward. See `.docs/sprints/` for the running list.
      
        48
        
        49
        ## Why
      
        50
        
        51
        GitHub is a well-built platform. Microsoft's Copilot push has changed the product's character — particularly around how user code is treated as training data. shithub aims to recreate the parts that worked, on terms that make a self-hosted instance an honest equal to the SaaS experience, with AGPLv3 keeping any hosted variant open.
      
        52
        
        53
        The "1:1" goal is intentional. There are plenty of git forges with their own UX vision; shithub deliberately doesn't try to be one of them. The closer the muscle-memory match, the lower the cost of switching.
      
        54
        
        55
        ## Quickstart (development)
      
        56
        
        57
        ```sh
      
        58
        make dev          # hot-reload server on http://localhost:8080
      
        59
        make test         # run tests
      
        60
        make build        # build bin/shithubd
      
        61
        make ci           # full CI pipeline locally (mirrors GitHub Actions)
      
        62
        make dev-migrate  # apply DB migrations against $SHITHUB_DATABASE_URL
      
        63
        ```
      
        64
        
        65
        Requires:
      
        66
        - Go 1.22+ (developed against 1.26)
      
        67
        - PostgreSQL 13+
      
        68
        - A local MinIO (or any S3-compatible store) for the storage tests — `make storage-up` brings one up via docker-compose.
      
        69
        - `golangci-lint`, `gofumpt`, `goimports`, `air`, `sqlc`, `goose` (installed via `go install` per the Makefile or your package manager).
      
        70
        
        71
        Copy `.env.example` to `.env` and fill in the database URL, session keys, and TOTP/webhook AEAD key.
      
        72
        
        73
        ## Layout
      
        74
        
        75
        ```
      
        76
        cmd/shithubd/        # main entry: web, ssh, worker, migrate, storage, version
      
        77
        internal/auth/       # password, sessions, TOTP, PATs, SSH keys, policy/RBAC
      
        78
        internal/repos/      # repo lifecycle, git ops, branches, tags, diffs, forks
      
        79
        internal/issues/     # issues + comments + labels + milestones
      
        80
        internal/pulls/      # pull requests + reviews + merge orchestration
      
        81
        internal/orgs/       # orgs + teams + member roles + principals
      
        82
        internal/webhook/    # outbound delivery + SSRF defense + signing
      
        83
        internal/notif/      # inbox + email fan-out + watch-level routing
      
        84
        internal/search/     # code/repo/user search
      
        85
        internal/markdown/   # rendering + reference resolution (#N, @user, @org/team)
      
        86
        internal/web/        # HTTP handlers + html/template + middleware
      
        87
        internal/worker/     # Postgres-backed job queue + handlers
      
        88
        internal/migrationsfs/migrations/   # numbered SQL migrations (goose)
      
        89
        .docs/sprints/       # sprint specifications (S00–S49 + SR1)
      
        90
        ```
      
        91
        
        92
        ## Roadmap
      
        93
        
        94
        The work is structured as 50 sprints (S00–S49, plus SR1 audit remediation). Roughly:
      
        95
        
        96
        - **S00–S04** — scaffolding, DB baseline, web shell, observability, storage abstractions ✅
      
        97
        - **S05–S09** — identity (auth, 2FA, SSH keys, PATs, profiles) ✅
      
        98
        - **S10–S20** — repos, git protocols (HTTPS + SSH), code browsing, branches/tags, hooks ✅
      
        99
        - **S21–S25** — issues, pulls, reviews, status checks, markdown ✅
      
        100
        - **S26–S29** — social, forks, search, notifications ✅
      
        101
        - **S30–S33** — orgs, teams, repo settings, webhooks ✅
      
        102
        - **S34** — site admin (`/admin/*`) ✅
      
        103
        - **S41** — actions/CI v1 ✅
      
        104
        - **S35–S40, S42–S49** — security hardening, federation, polish, accessibility, i18n; social feed, advanced search, GraphQL API, packages, pages, projects, releases, gists
      
        105
        
        106
        See `.docs/sprints/` for the per-sprint spec.
      
        107
        
        108
        ## Contributing
      
        109
        
        110
        See [CONTRIBUTING.md](CONTRIBUTING.md). The project is in active rapid development — substantial PRs are best discussed in an issue first so we don't both write the same code. Small fixes, doc improvements, and bug reports are welcome any time.
      
        111
        
        112
        ## Security
      
        113
        
        114
        To report a security issue, see [SECURITY.md](SECURITY.md). Please do not open a public issue for security reports.
      
        115
        
        116
        ## License
      
        117
        
        118
        [AGPLv3](LICENSE). If you run a modified version as a network service, your users are entitled to the source.

1	<p align="center">
2	<img src="internal/web/static/logo/shithub-mark.svg" alt="" width="120">
3	</p>
4
5	<h1 align="center">shithub</h1>
6
7	<p align="center">
8	A 1:1 reverse-engineering of GitHub. AGPLv3. Without Copilot.
9	</p>
10
11	---
12
13	Status: v0.1.0 launched — early days. Honest about WIP areas.
14
15	shithub is an attempt to recreate GitHub — the platform, the UI, the workflows — as faithfully as we can, as a self-hostable open-source forge. The goal is "you should barely notice you switched." We are not there yet. The core forge loop works end-to-end (see "What works today"); large surfaces such as GraphQL, Packages, Pages, Projects, Releases, and Gists are still explicitly outside the current shipped surface.
16
17	The hosted instance is at [shithub.sh](https://shithub.sh). The project's own source has migrated here from GitHub; this GitHub repo is a one-way mirror for the first 90 days post-launch as a recovery surface.
18
19	If you came here expecting drop-in parity with everything GitHub does, you'll find specific gaps. If you came here for an honest, AI-free, self-hostable forge, this is for you.
20
21	## What works today
22
23	The core forge loop works end-to-end against the codebase you're reading:
24
25	- Identity — email/password signup, email verification, password reset, TOTP 2FA + recovery codes, SSH keys, personal access tokens (scoped), sessions.
26	- Repositories — create, fork, archive, transfer, soft-delete with grace, rename with redirects, visibility toggles, branch protection (force-push / deletion / required reviews / required status checks), default-branch swap, topics, README/license/.gitignore templates.
27	- Git — bare repos on disk; HTTPS smart-HTTP and SSH push/pull (sshd `Match User git` dispatches to shithubd via `AuthorizedKeysCommand`); pre/post-receive hook integration for size accounting and event emission.
28	- Code browsing — tree, blob (chroma syntax highlighting with light/dark themes), raw, blame, commit history, individual commit views, branch/tag listings, compare views, file finder.
29	- Issues & PRs — full CRUD on issues + comments + labels + milestones + assignees; pull requests with diff rendering, file-by-file review, line comments, reviews (approve/request-changes/comment), required-reviewer enforcement, status-check gates, three merge methods (merge / squash / rebase), conflict detection.
30	- Social — stars, watches with notification level, forks (clone-on-create), follows for users/orgs, Home/Explore feeds, trending repositories/developers, stargazer/watcher/follower lists.
31	- Search — code search (path + content, tantivy-equivalent indexing in Postgres), repo search, user search, quick-search.
32	- Notifications — per-user inbox, email fan-out, watch-level routing, one-click HMAC-signed unsubscribe links, auto-subscribe on participation.
33	- Organizations & teams — create, member roles (member/owner), invitations, one-level team nesting, team grants on repos with max-of-sources policy aggregation.
34	- Repo settings — General (description, topics, features, merge methods), Access (collaborators + team grants), Branches (protection rules), Danger (rename/transfer/archive/visibility/delete).
35	- Webhooks — outbound delivery with HMAC-SHA256 signing, exponential backoff with jitter, auto-disable on persistent failure, SSRF defense (DNS resolve + IP block-list + dial-the-IP transport, no redirect-following), redelivery UI, ping events.
36	- Actions / CI v1 — `.shithub/workflows` parser, push/PR/schedule/dispatch triggers, per-repo/org secrets and variables, runner registration, single-use job JWTs, scoped checkout, containerized `run:` steps, live logs, cancel/re-run, retention, check-run sync, Atom feed, and monitoring. v1 intentionally supports `actions/checkout@v4` plus `run:` steps, not arbitrary marketplace actions.
37
38	## What doesn't work yet
39
40	Pulled directly from the sprint plan we're working through:
41
42	- Actions marketplace parity — shithub Actions does not execute arbitrary `uses:` steps, matrix builds, service containers, composite actions, or hosted runner images. The project's full CI remains on GitHub Actions until the first-party runner image/Nix toolchain can run it without marketplace setup actions; `.shithub/workflows/checkout-canary.yml` is the current dogfood canary.
43	- Packages, Pages, Projects, Releases, Gists — none of these surfaces exist yet.
44	- GraphQL API — a documented REST API ships under `/api/v1` (see `docs/public/api/`); a GraphQL surface is not yet planned.
45	- Visual polish — most pages render correctly but do not look like GitHub yet. Spacing, typography, header/footer chrome, color tokens, octicon coverage, empty-state illustrations, focus states — all still drifting from Primer. Closing this gap is ongoing; expect rough edges page-to-page.
46	- Mobile / responsive — the current CSS is desktop-first. Small viewports work but aren't tuned.
47	- Deferred from completed sprints — every sprint spec lists "inbound deferrals" that landed and "outbound deferrals" that were pushed forward. See `.docs/sprints/` for the running list.
48
49	## Why
50
51	GitHub is a well-built platform. Microsoft's Copilot push has changed the product's character — particularly around how user code is treated as training data. shithub aims to recreate the parts that worked, on terms that make a self-hosted instance an honest equal to the SaaS experience, with AGPLv3 keeping any hosted variant open.
52
53	The "1:1" goal is intentional. There are plenty of git forges with their own UX vision; shithub deliberately doesn't try to be one of them. The closer the muscle-memory match, the lower the cost of switching.
54
55	## Quickstart (development)
56
57	```sh
58	make dev # hot-reload server on http://localhost:8080
59	make test # run tests
60	make build # build bin/shithubd
61	make ci # full CI pipeline locally (mirrors GitHub Actions)
62	make dev-migrate # apply DB migrations against $SHITHUB_DATABASE_URL
63	```
64
65	Requires:
66	- Go 1.22+ (developed against 1.26)
67	- PostgreSQL 13+
68	- A local MinIO (or any S3-compatible store) for the storage tests — `make storage-up` brings one up via docker-compose.
69	- `golangci-lint`, `gofumpt`, `goimports`, `air`, `sqlc`, `goose` (installed via `go install` per the Makefile or your package manager).
70
71	Copy `.env.example` to `.env` and fill in the database URL, session keys, and TOTP/webhook AEAD key.
72
73	## Layout
74
75	```
76	cmd/shithubd/ # main entry: web, ssh, worker, migrate, storage, version
77	internal/auth/ # password, sessions, TOTP, PATs, SSH keys, policy/RBAC
78	internal/repos/ # repo lifecycle, git ops, branches, tags, diffs, forks
79	internal/issues/ # issues + comments + labels + milestones
80	internal/pulls/ # pull requests + reviews + merge orchestration
81	internal/orgs/ # orgs + teams + member roles + principals
82	internal/webhook/ # outbound delivery + SSRF defense + signing
83	internal/notif/ # inbox + email fan-out + watch-level routing
84	internal/search/ # code/repo/user search
85	internal/markdown/ # rendering + reference resolution (#N, @user, @org/team)
86	internal/web/ # HTTP handlers + html/template + middleware
87	internal/worker/ # Postgres-backed job queue + handlers
88	internal/migrationsfs/migrations/ # numbered SQL migrations (goose)
89	.docs/sprints/ # sprint specifications (S00–S49 + SR1)
90	```
91
92	## Roadmap
93
94	The work is structured as 50 sprints (S00–S49, plus SR1 audit remediation). Roughly:
95
96	- S00–S04 — scaffolding, DB baseline, web shell, observability, storage abstractions ✅
97	- S05–S09 — identity (auth, 2FA, SSH keys, PATs, profiles) ✅
98	- S10–S20 — repos, git protocols (HTTPS + SSH), code browsing, branches/tags, hooks ✅
99	- S21–S25 — issues, pulls, reviews, status checks, markdown ✅
100	- S26–S29 — social, forks, search, notifications ✅
101	- S30–S33 — orgs, teams, repo settings, webhooks ✅
102	- S34 — site admin (`/admin/*`) ✅
103	- S41 — actions/CI v1 ✅
104	- S35–S40, S42–S49 — security hardening, federation, polish, accessibility, i18n; social feed, advanced search, GraphQL API, packages, pages, projects, releases, gists
105
106	See `.docs/sprints/` for the per-sprint spec.
107
108	## Contributing
109
110	See [CONTRIBUTING.md](CONTRIBUTING.md). The project is in active rapid development — substantial PRs are best discussed in an issue first so we don't both write the same code. Small fixes, doc improvements, and bug reports are welcome any time.
111
112	## Security
113
114	To report a security issue, see [SECURITY.md](SECURITY.md). Please do not open a public issue for security reports.
115
116	## License
117
118	[AGPLv3](LICENSE). If you run a modified version as a network service, your users are entitled to the source.