tenseleyflow/shithub / 6937b30

 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)

 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)

 conventions and [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 conventions and [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ## [Unreleased]

 ## [Unreleased]

 (Empty — first post-launch entries land here.)

 (Empty — first post-launch entries land here.)

   per-account epoch invalidation.

   per-account epoch invalidation.

   .gitignore templates.

   .gitignore templates.

   max-of-sources policy.

   max-of-sources policy.

   WireGuard mesh for monitoring, Postgres WAL archive + daily

   WireGuard mesh for monitoring, Postgres WAL archive + daily

   logical backups to Spaces, cross-region DR, restore drill.

   logical backups to Spaces, cross-region DR, restore drill.

 Instances of abusive, harassing, or otherwise unacceptable

 Instances of abusive, harassing, or otherwise unacceptable

 behavior may be reported to the project team at

 behavior may be reported to the project team at

 and investigated promptly and fairly.

 and investigated promptly and fairly.

 All project maintainers are obligated to respect the privacy and

 All project maintainers are obligated to respect the privacy and

   `proposal`.

   `proposal`.

 - **Day-to-day chat:** the project doesn't run a Slack/Discord

 - **Day-to-day chat:** the project doesn't run a Slack/Discord

   yet; PR comments and issues are the channel.

   yet; PR comments and issues are the channel.

 ---

 ---

 If you came here expecting drop-in parity with everything GitHub does, you'll find specific gaps. If you came here for an honest, AI-free, self-hostable forge, this is for you.

 If you came here expecting drop-in parity with everything GitHub does, you'll find specific gaps. If you came here for an honest, AI-free, self-hostable forge, this is for you.

 ## Reporting a vulnerability

 ## Reporting a vulnerability

 using the key fingerprint published at

 using the key fingerprint published at

 is sensitive.

 is sensitive.

 The mailbox auto-acknowledges receipt within minutes. A human

 The mailbox auto-acknowledges receipt within minutes. A human

 In scope:

 In scope:

 - The shithub source as published on GitHub

 - The shithub source as published on GitHub

   (`github.com/tenseleyFlow/shithub`), exploited against any

   (`github.com/tenseleyFlow/shithub`), exploited against any

   reasonably-deployed self-hosted instance running an unmodified

   reasonably-deployed self-hosted instance running an unmodified

 ## T-7 days

 ## T-7 days

       (300s) so cutover-day changes propagate fast. Verify:

       (300s) so cutover-day changes propagate fast. Verify:

 - [ ] Postmark domain verified; SPF/DKIM/DMARC aligned. Verify:

 - [ ] Postmark domain verified; SPF/DKIM/DMARC aligned. Verify:

       Postmark dashboard → Domains → green.

       Postmark dashboard → Domains → green.

 - [ ] Signup-throttle config reviewed; per-IP and per-/24

 - [ ] Signup-throttle config reviewed; per-IP and per-/24

 - [ ] Last DNS change committed. Cutover after 48h ensures no

 - [ ] Last DNS change committed. Cutover after 48h ensures no

       propagation lag.

       propagation lag.

 - [ ] S37 backup-restore drill green within last 7 days.

 - [ ] S37 backup-restore drill green within last 7 days.

       returns 200.

       returns 200.

 - [ ] S39 P0/P1 bugs closed.

 - [ ] S39 P0/P1 bugs closed.

 - [ ] Tag the release commit:

 - [ ] Tag the release commit:

       ```sh

       ```sh

       ```

       ```

 ## T-1 hour

 ## T-1 hour

 ## T-0: cutover

 ## T-0: cutover

 ```sh

 ```sh

 git fetch --tags

 git fetch --tags

 # 2. Dry-run to confirm exactly what will change.

 # 2. Dry-run to confirm exactly what will change.

 make deploy-check ANSIBLE_INVENTORY=production

 make deploy-check ANSIBLE_INVENTORY=production

 changed=N failed=0`:

 changed=N failed=0`:

 ```sh

 ```sh

 ```

 ```

 The script exercises: home page, signup form, login form, health

 The script exercises: home page, signup form, login form, health

 Confirm a test push lands on both:

 Confirm a test push lands on both:

 ```sh

 ```sh

 cd /tmp/test-clone

 cd /tmp/test-clone

 echo "launch test" >> .launch-test

 echo "launch test" >> .launch-test

 git add .launch-test

 git add .launch-test

 - Refresh Grafana every 30 min.

 - Refresh Grafana every 30 min.

 - Triage every alert immediately; nothing false-positive should

 - Triage every alert immediately; nothing false-positive should

   page in week 1 (we tuned for it).

   page in week 1 (we tuned for it).

   (the project's own self-hosted issues — drink your own

   (the project's own self-hosted issues — drink your own

   champagne).

   champagne).

 ## Day-one retro

 ## Day-one retro

 with: what worked, what surprised us, top 3 user-reported

 with: what worked, what surprised us, top 3 user-reported

 issues, and the next sprint's focus.

 issues, and the next sprint's focus.

 # file; falls back to asking.

 # file; falls back to asking.

 BASE="${SHITHUB_PROD_URL:-}"

 BASE="${SHITHUB_PROD_URL:-}"

 if [[ -z "$BASE" ]]; then

 if [[ -z "$BASE" ]]; then

 fi

 fi

 echo ""

 echo ""

 echo "running smoke against $BASE..."

 echo "running smoke against $BASE..."

 # is reachable, the API authenticates a known PAT.

 # is reachable, the API authenticates a known PAT.

 #

 #

 # Usage:

 # Usage:

 #

 #

 # Optional env (when set, the script also exercises the API):

 # Optional env (when set, the script also exercises the API):

 #   SHITHUB_SMOKE_PAT     — a valid shp_ token for `user:read`

 #   SHITHUB_SMOKE_PAT     — a valid shp_ token for `user:read`

 # SPDX-License-Identifier: AGPL-3.0-or-later

 # SPDX-License-Identifier: AGPL-3.0-or-later

 #

 #

 # Build the public docs site and sync it to the Spaces bucket

 # Build the public docs site and sync it to the Spaces bucket

 #

 #

 # Run from CI on every push to main, or from an operator's

 # Run from CI on every push to main, or from an operator's

 # workstation as a one-off. Idempotent: rclone sync only touches

 # workstation as a one-off. Idempotent: rclone sync only touches

 A self-hostable git forge that aims to look and feel like GitHub.

 A self-hostable git forge that aims to look and feel like GitHub.

 AGPL-licensed, written in Go, no AI training on your code, no

 AGPL-licensed, written in Go, no AI training on your code, no

 Copilot.

 Copilot.

 the hosted instance, or

 the hosted instance, or

 from the source.

 from the source.

 The project's own source is now hosted on shithub at

 The project's own source is now hosted on shithub at

 A one-way mirror keeps pushing to the original GitHub repo for the

 A one-way mirror keeps pushing to the original GitHub repo for the

 first 90 days as a recovery surface; after that, the canonical home

 first 90 days as a recovery surface; after that, the canonical home

 is the self-hosted instance.

 is the self-hosted instance.

   focus-state details — all still drifting.

   focus-state details — all still drifting.

 The full roadmap is in

 The full roadmap is in

 on the source repo.

 on the source repo.

 ## Why

 ## Why

 ## Self-hosting

 ## Self-hosting

 If you'd rather run your own instance, the operator docs are at

 If you'd rather run your own instance, the operator docs are at

 Reference target is one DigitalOcean droplet, Postgres on a

 Reference target is one DigitalOcean droplet, Postgres on a

 second, DigitalOcean Spaces for object storage, Caddy at the

 second, DigitalOcean Spaces for object storage, Caddy at the

 edge. The Ansible playbook in `deploy/ansible/` is the install

 edge. The Ansible playbook in `deploy/ansible/` is the install

 ## Security

 ## Security

 If you find a vulnerability, please email

 If you find a vulnerability, please email

 within minutes; a human response within 72 hours. Full policy at

 within minutes; a human response within 72 hours. Full policy at

 ## On call

 ## On call

 The author is on call for the first month. Expect rough edges;

 The author is on call for the first month. Expect rough edges;

 we're triaging publicly. Issue tracker for shithub itself lives

 we're triaging publicly. Issue tracker for shithub itself lives

 on shithub itself:

 on shithub itself:

 ## Thanks

 ## Thanks

 make bench-small

 make bench-small

 # Pin a different target / iteration count.

 # Pin a different target / iteration count.

 ```

 ```

 Output is one JSON line per scenario:

 Output is one JSON line per scenario:

 **Cutover date:** TBD (filled in by the operator on launch day).

 **Cutover date:** TBD (filled in by the operator on launch day).

 ## Closing

 ## Closing

 the project against; what we ship from here forward is judged in

 the project against; what we ship from here forward is judged in

 the context of a public, dogfood-driven instance. That's the

 the context of a public, dogfood-driven instance. That's the

 forcing function we wanted.

 forcing function we wanted.

    - A flood of ERROR lines from the same handler is a bug —

    - A flood of ERROR lines from the same handler is a bug —

      bisect.

      bisect.

    - Confirm "All systems normal." with a current timestamp.

    - Confirm "All systems normal." with a current timestamp.

    - If you've had any blip, even a 30-second one, log it under

    - If you've had any blip, even a 30-second one, log it under

      "Recent incidents" with what happened. Trust comes from

      "Recent incidents" with what happened. Trust comes from

 3. **Mirror push to GitHub.** The mirror job runs hourly. Confirm:

 3. **Mirror push to GitHub.** The mirror job runs hourly. Confirm:

    ```sh

    ```sh

    git ls-remote https://github.com/tenseleyFlow/shithub.git trunk

    git ls-remote https://github.com/tenseleyFlow/shithub.git trunk

    ```

    ```

    Both should report the same SHA (within an hour of the latest

    Both should report the same SHA (within an hour of the latest

    push to shithub).

    push to shithub).

    - Suspended accounts: log who and why for the retro.

    - Suspended accounts: log who and why for the retro.

 5. **Issue tracker.** Open

 5. **Issue tracker.** Open

    new issue:

    new issue:

    - **P0** — site down / data loss / security. Fix immediately.

    - **P0** — site down / data loss / security. Fix immediately.

    - **P1** — broken core flow (signup, push, merge). Fix this

    - **P1** — broken core flow (signup, push, merge). Fix this

    - Reply on every issue within 24h, even if just "tracked, P2."

    - Reply on every issue within 24h, even if just "tracked, P2."

 6. **Retro.** Update

 6. **Retro.** Update

    the "What surprised us" section, the top-3 issues table.

    the "What surprised us" section, the top-3 issues table.

 ## "First incident?"

 ## "First incident?"

   is enforced; we don't yet do reproducible-build verification.

   is enforced; we don't yet do reproducible-build verification.

 - **The docs subdomain serving from Spaces.** A bucket

 - **The docs subdomain serving from Spaces.** A bucket

   policy mistake there could let an attacker stage a phishing

   policy mistake there could let an attacker stage a phishing

   and the explicit reverse-proxy origin

   and the explicit reverse-proxy origin

   (`deploy/docs-site/Caddyfile.snippet`).

   (`deploy/docs-site/Caddyfile.snippet`).

 - **PAT prefix recognition by external secret scanners.**

 - **PAT prefix recognition by external secret scanners.**

 This is a mirror of [`SECURITY.md`](https://github.com/tenseleyFlow/shithub/blob/main/SECURITY.md)

 This is a mirror of [`SECURITY.md`](https://github.com/tenseleyFlow/shithub/blob/main/SECURITY.md)

 in the source tree. The in-repo file is authoritative.

 in the source tree. The in-repo file is authoritative.

 The mailbox auto-acknowledges within minutes; a human response

 The mailbox auto-acknowledges within minutes; a human response

 follows within **72 hours**. Please don't file public issues for

 follows within **72 hours**. Please don't file public issues for

 ## 5. Smoke

 ## 5. Smoke

   build version.

   build version.

 - Sign in as the bootstrap admin. Create a test repo. Push to it.

 - Sign in as the bootstrap admin. Create a test repo. Push to it.

 ## 6. Production

 ## 6. Production

 You need:

 You need:

 - A TLS certificate. Caddy obtains and renews via Let's Encrypt

 - A TLS certificate. Caddy obtains and renews via Let's Encrypt

   automatically — no manual cert management — but the DNS records

   automatically — no manual cert management — but the DNS records

   must point at your public IP first.

   must point at your public IP first.

 Most often:

 Most often:

 - DNS doesn't yet point at the host. Verify with `dig +short

 - DNS doesn't yet point at the host. Verify with `dig +short

 - Port 80 is blocked. Let's Encrypt's HTTP-01 challenge needs

 - Port 80 is blocked. Let's Encrypt's HTTP-01 challenge needs

   port 80 reachable from the public internet (Caddy redirects

   port 80 reachable from the public internet (Caddy redirects

   to 443 *after* obtaining the cert). UFW must allow 80.

   to 443 *after* obtaining the cert). UFW must allow 80.

 # Status

 # Status

 This page is hand-maintained by the operator on call; the

 This page is hand-maintained by the operator on call; the

 machine-readable health endpoints are linked under each section.

 machine-readable health endpoints are linked under each section.

 These return immediately and reflect the running web process:

 These return immediately and reflect the running web process:

   `200 OK` with version + commit + buildAt when the web service

   `200 OK` with version + commit + buildAt when the web service

   is up.

   is up.

   liveness only; `200 OK` if the process is responding.

   liveness only; `200 OK` if the process is responding.

   readiness; `200 OK` only when DB + storage are reachable.

   readiness; `200 OK` only when DB + storage are reachable.

 A scripted check from your machine:

 A scripted check from your machine:

 ```sh

 ```sh

 ```

 ```

 Non-200 means the web service is degraded or down. The operator's

 Non-200 means the web service is degraded or down. The operator's

 | Subdomain                  | Purpose                | Health                                      |

 | Subdomain                  | Purpose                | Health                                      |

 |----------------------------|------------------------|---------------------------------------------|

 |----------------------------|------------------------|---------------------------------------------|

 ## Backups

 ## Backups

 ## Mailbox availability

 ## Mailbox availability

 minutes. If you reported a vulnerability and didn't get an

 minutes. If you reported a vulnerability and didn't get an

 auto-ack within 30 min, the inbound flow is broken — please email

 auto-ack within 30 min, the inbound flow is broken — please email

 the operator's GitHub-listed contact as a fallback.

 the operator's GitHub-listed contact as a fallback.

 There's no email/RSS feed for status updates yet. Watch the

 There's no email/RSS feed for status updates yet. Watch the

 operator's announcements account (linked from the

 operator's announcements account (linked from the

 a known incident window.

 a known incident window.

 ## SSH and GPG keys

 ## SSH and GPG keys

 - **GPG keys** verify signed commits — when a commit's signature

 - **GPG keys** verify signed commits — when a commit's signature

   matches a registered GPG key, the commit shows a "Verified"

   matches a registered GPG key, the commit shows a "Verified"

   badge in history.

   badge in history.

 ## 2. Clone

 ## 2. Clone

 ```sh

 ```sh

 ```

 ```

 When git asks for credentials:

 When git asks for credentials:

 job needs and a short expiration.

 job needs and a short expiration.

 ```sh

 ```sh

 ```

 ```

 Because the token is in the URL, make sure your CI doesn't echo

 Because the token is in the URL, make sure your CI doesn't echo

 not work for git operations.

 not work for git operations.

 ```sh

 ```sh

 cd <repo>

 cd <repo>

 ```

 ```

 ## 4. Test the connection

 ## 4. Test the connection

 ```sh

 ```sh

 ```

 ```

 You'll see a confirmation message. The `-T` disables PTY allocation;

 You'll see a confirmation message. The `-T` disables PTY allocation;

 ## 5. Clone with SSH

 ## 5. Clone with SSH

 ```sh

 ```sh

 ```

 ```

 Subsequent pushes don't prompt — the agent presents the key, the

 Subsequent pushes don't prompt — the agent presents the key, the

       A self-hostable git forge that aims to look and feel like GitHub.

       A self-hostable git forge that aims to look and feel like GitHub.

       AGPL-licensed, written in Go, no AI training on your code, no

       AGPL-licensed, written in Go, no AI training on your code, no

       Copilot. <a href="/signup">Sign up</a> to host code here, or

       Copilot. <a href="/signup">Sign up</a> to host code here, or

       your own instance</a> from the source.

       your own instance</a> from the source.

     </p>

     </p>

   </section>

   </section>

   <nav class="shithub-landing-cta" aria-label="Primary actions">

   <nav class="shithub-landing-cta" aria-label="Primary actions">

     <a class="shithub-landing-cta-primary" href="/signup">Create an account</a>

     <a class="shithub-landing-cta-primary" href="/signup">Create an account</a>

     <a class="shithub-landing-cta-secondary" href="/login">Sign in</a>

     <a class="shithub-landing-cta-secondary" href="/login">Sign in</a>

     <a class="shithub-landing-cta-secondary" href="/shithub/shithub">Read the source</a>

     <a class="shithub-landing-cta-secondary" href="/shithub/shithub">Read the source</a>

   </nav>

   </nav>

   <p class="shithub-landing-honest">

   <p class="shithub-landing-honest">

     Newly launched. Some surfaces (SSH transport, Actions/CI, GraphQL,

     Newly launched. Some surfaces (SSH transport, Actions/CI, GraphQL,

     packages, releases) are planned but not shipped yet. The

     packages, releases) are planned but not shipped yet. The

     what works and what's still in flight.

     what works and what's still in flight.

   </p>

   </p>

   {{ end }}

   {{ end }}

 ## Running against staging

 ## Running against staging

 ```sh

 ```sh

 export TOKEN=shp_<a-pat-on-a-test-account>

 export TOKEN=shp_<a-pat-on-a-test-account>

 export REPO=loadtest/issue-storm  # for the comment-storm scenario

 export REPO=loadtest/issue-storm  # for the comment-storm scenario

 export FIRST_ISSUE=1

 export FIRST_ISSUE=1