tenseleyflow/shithub / 6937b30

 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)

 conventions and [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ## [Unreleased]

 (Empty — first post-launch entries land here.)

   per-account epoch invalidation.

   .gitignore templates.

   max-of-sources policy.

   WireGuard mesh for monitoring, Postgres WAL archive + daily

   logical backups to Spaces, cross-region DR, restore drill.

 Instances of abusive, harassing, or otherwise unacceptable

 behavior may be reported to the project team at

 and investigated promptly and fairly.

 All project maintainers are obligated to respect the privacy and

   `proposal`.

 - **Day-to-day chat:** the project doesn't run a Slack/Discord

   yet; PR comments and issues are the channel.

 ---

 If you came here expecting drop-in parity with everything GitHub does, you'll find specific gaps. If you came here for an honest, AI-free, self-hostable forge, this is for you.

 ## Reporting a vulnerability

 using the key fingerprint published at

 is sensitive.

 The mailbox auto-acknowledges receipt within minutes. A human

 In scope:

 - The shithub source as published on GitHub

   (`github.com/tenseleyFlow/shithub`), exploited against any

   reasonably-deployed self-hosted instance running an unmodified

 ## T-7 days

       (300s) so cutover-day changes propagate fast. Verify:

 - [ ] Postmark domain verified; SPF/DKIM/DMARC aligned. Verify:

       Postmark dashboard → Domains → green.

 - [ ] Signup-throttle config reviewed; per-IP and per-/24

 - [ ] Last DNS change committed. Cutover after 48h ensures no

       propagation lag.

 - [ ] S37 backup-restore drill green within last 7 days.

       returns 200.

 - [ ] S39 P0/P1 bugs closed.

 - [ ] Tag the release commit:

       ```sh

       ```

 ## T-1 hour

 ## T-0: cutover

 ```sh

 git fetch --tags

 # 2. Dry-run to confirm exactly what will change.

 make deploy-check ANSIBLE_INVENTORY=production

 changed=N failed=0`:

 ```sh

 ```

 The script exercises: home page, signup form, login form, health

 Confirm a test push lands on both:

 ```sh

 cd /tmp/test-clone

 echo "launch test" >> .launch-test

 git add .launch-test

 - Refresh Grafana every 30 min.

 - Triage every alert immediately; nothing false-positive should

   page in week 1 (we tuned for it).

   (the project's own self-hosted issues — drink your own

   champagne).

 ## Day-one retro

 with: what worked, what surprised us, top 3 user-reported

 issues, and the next sprint's focus.

 # file; falls back to asking.

 BASE="${SHITHUB_PROD_URL:-}"

 if [[ -z "$BASE" ]]; then

 fi

 echo ""

 echo "running smoke against $BASE..."

 # is reachable, the API authenticates a known PAT.

 #

 # Usage:

 #

 # Optional env (when set, the script also exercises the API):

 #   SHITHUB_SMOKE_PAT     — a valid shp_ token for `user:read`

 # SPDX-License-Identifier: AGPL-3.0-or-later

 #

 # Build the public docs site and sync it to the Spaces bucket

 #

 # Run from CI on every push to main, or from an operator's

 # workstation as a one-off. Idempotent: rclone sync only touches

 A self-hostable git forge that aims to look and feel like GitHub.

 AGPL-licensed, written in Go, no AI training on your code, no

 Copilot.

 the hosted instance, or

 from the source.

 The project's own source is now hosted on shithub at

 A one-way mirror keeps pushing to the original GitHub repo for the

 first 90 days as a recovery surface; after that, the canonical home

 is the self-hosted instance.

   focus-state details — all still drifting.

 The full roadmap is in

 on the source repo.

 ## Why

 ## Self-hosting

 If you'd rather run your own instance, the operator docs are at

 Reference target is one DigitalOcean droplet, Postgres on a

 second, DigitalOcean Spaces for object storage, Caddy at the

 edge. The Ansible playbook in `deploy/ansible/` is the install

 ## Security

 If you find a vulnerability, please email

 within minutes; a human response within 72 hours. Full policy at

 ## On call

 The author is on call for the first month. Expect rough edges;

 we're triaging publicly. Issue tracker for shithub itself lives

 on shithub itself:

 ## Thanks

 make bench-small

 # Pin a different target / iteration count.

 ```

 Output is one JSON line per scenario:

 **Cutover date:** TBD (filled in by the operator on launch day).

 ## Closing

 the project against; what we ship from here forward is judged in

 the context of a public, dogfood-driven instance. That's the

 forcing function we wanted.

    - A flood of ERROR lines from the same handler is a bug —

      bisect.

    - Confirm "All systems normal." with a current timestamp.

    - If you've had any blip, even a 30-second one, log it under

      "Recent incidents" with what happened. Trust comes from

 3. **Mirror push to GitHub.** The mirror job runs hourly. Confirm:

    ```sh

    git ls-remote https://github.com/tenseleyFlow/shithub.git trunk

    ```

    Both should report the same SHA (within an hour of the latest

    push to shithub).

    - Suspended accounts: log who and why for the retro.

 5. **Issue tracker.** Open

    new issue:

    - **P0** — site down / data loss / security. Fix immediately.

    - **P1** — broken core flow (signup, push, merge). Fix this

    - Reply on every issue within 24h, even if just "tracked, P2."

 6. **Retro.** Update

    the "What surprised us" section, the top-3 issues table.

 ## "First incident?"

   is enforced; we don't yet do reproducible-build verification.

 - **The docs subdomain serving from Spaces.** A bucket

   policy mistake there could let an attacker stage a phishing

   and the explicit reverse-proxy origin

   (`deploy/docs-site/Caddyfile.snippet`).

 - **PAT prefix recognition by external secret scanners.**

 This is a mirror of [`SECURITY.md`](https://github.com/tenseleyFlow/shithub/blob/main/SECURITY.md)

 in the source tree. The in-repo file is authoritative.

 The mailbox auto-acknowledges within minutes; a human response

 follows within **72 hours**. Please don't file public issues for

 ## 5. Smoke

   build version.

 - Sign in as the bootstrap admin. Create a test repo. Push to it.

 ## 6. Production

 You need:

 - A TLS certificate. Caddy obtains and renews via Let's Encrypt

   automatically — no manual cert management — but the DNS records

   must point at your public IP first.

 Most often:

 - DNS doesn't yet point at the host. Verify with `dig +short

 - Port 80 is blocked. Let's Encrypt's HTTP-01 challenge needs

   port 80 reachable from the public internet (Caddy redirects

   to 443 *after* obtaining the cert). UFW must allow 80.

 # Status

 This page is hand-maintained by the operator on call; the

 machine-readable health endpoints are linked under each section.

 These return immediately and reflect the running web process:

   `200 OK` with version + commit + buildAt when the web service

   is up.

   liveness only; `200 OK` if the process is responding.

   readiness; `200 OK` only when DB + storage are reachable.

 A scripted check from your machine:

 ```sh

 ```

 Non-200 means the web service is degraded or down. The operator's

 | Subdomain                  | Purpose                | Health                                      |

 |----------------------------|------------------------|---------------------------------------------|

 ## Backups

 ## Mailbox availability

 minutes. If you reported a vulnerability and didn't get an

 auto-ack within 30 min, the inbound flow is broken — please email

 the operator's GitHub-listed contact as a fallback.

 There's no email/RSS feed for status updates yet. Watch the

 operator's announcements account (linked from the

 a known incident window.

 ## SSH and GPG keys

 - **GPG keys** verify signed commits — when a commit's signature

   matches a registered GPG key, the commit shows a "Verified"

   badge in history.

 ## 2. Clone

 ```sh

 ```

 When git asks for credentials:

 job needs and a short expiration.

 ```sh

 ```

 Because the token is in the URL, make sure your CI doesn't echo

 not work for git operations.

 ```sh

 cd <repo>

 ```

 ## 4. Test the connection

 ```sh

 ```

 You'll see a confirmation message. The `-T` disables PTY allocation;

 ## 5. Clone with SSH

 ```sh

 ```

 Subsequent pushes don't prompt — the agent presents the key, the

       A self-hostable git forge that aims to look and feel like GitHub.

       AGPL-licensed, written in Go, no AI training on your code, no

       Copilot. <a href="/signup">Sign up</a> to host code here, or

       your own instance</a> from the source.

     </p>

   </section>

   <nav class="shithub-landing-cta" aria-label="Primary actions">

     <a class="shithub-landing-cta-primary" href="/signup">Create an account</a>

     <a class="shithub-landing-cta-secondary" href="/login">Sign in</a>

     <a class="shithub-landing-cta-secondary" href="/shithub/shithub">Read the source</a>

   </nav>

   <p class="shithub-landing-honest">

     Newly launched. Some surfaces (SSH transport, Actions/CI, GraphQL,

     packages, releases) are planned but not shipped yet. The

     what works and what's still in flight.

   </p>

   {{ end }}

 ## Running against staging

 ```sh

 export TOKEN=shp_<a-pat-on-a-test-account>

 export REPO=loadtest/issue-storm  # for the comment-storm scenario

 export FIRST_ISSUE=1