+

+# ----- rate limits (S50 §0) -----

+# Per-hour budgets for /api/v1/* requests. Authed keyed by token id;

+# anon keyed by remote IP. Zero falls back to the default.

+SHITHUB_RATELIMIT__API__AUTHED_PER_HOUR=5000

+SHITHUB_RATELIMIT__API__ANON_PER_HOUR=60

+### Added

+

+- **REST API contract (S50 §0).** `GET /api/v1/meta` returns the

+  server's version stamp and a list of feature capability strings

+  for client-side feature detection. Every `/api/v1/*` response

+  now carries `X-RateLimit-Limit`, `X-RateLimit-Remaining`,

+  `X-RateLimit-Reset`, and (when PAT-authenticated) `X-OAuth-Scopes`.

+  The 403 scope-reject response also carries

+  `X-Accepted-OAuth-Scopes`. Operators tune the API rate-limit

+  budgets via `ratelimit.api.authed_per_hour` /

+  `ratelimit.api.anon_per_hour` (defaults: 5000 / 60).

+- **Pagination helper** `internal/web/handlers/api/apipage` —

+  emits canonical RFC 8288 Link headers (`first`/`prev`/`next`/`last`)

+  with absolute URLs rooted at the configured public base URL.

+

+### Changed

+

+- **JSON error envelope on `/api/v1/*`.** `401` and `403`

+  responses now emit `{"error": "..."}` with

+  `Content-Type: application/json` (previously `text/plain`).

+  Existing `4xx`/`5xx` responses from the handler bodies are

+  unchanged.

+.PHONY: help dev build test test-race lint lint-policy lint-markdown lint-org-plan lint-secret-logs lint-spdx lint-unused lint-migrations verify-api-docs fmt tidy clean ci assets install-tools version deploy deploy-check restore-drill bench-staging docs docs-serve docs-verify gen-third-party-notices audit-a11y audit-a11y-pa11y audit-a11y-axe load-test

+ci: lint lint-policy lint-markdown lint-org-plan lint-secret-logs lint-spdx lint-unused lint-migrations verify-api-docs test build ## Full CI pipeline (matches .github/workflows/ci.yml).

+lint-org-plan: ## Enforce paid org entitlement boundary (no direct orgs.plan feature gates).

+	@scripts/lint-org-plan-boundary.sh

+

+

+## Actions smoke fixture

+

+`actions/smoke-run-only.yml` is the canonical first end-to-end Actions

+workflow fixture. Copy it into `.shithub/workflows/smoke.yml` in a

+repository with a registered `ubuntu-latest` runner. It intentionally uses only

+`run:` steps because the current executor rejects reserved `uses:` aliases

+until checkout and artifact execution are implemented.

+name: smoke

+on: [push, workflow_dispatch]

+jobs:

+  hello:

+    runs-on: ubuntu-latest

+    env:

+      RUN_ID: ${{ shithub.run_id }}

+    steps:

+      - run: echo "hello from shithub actions"

+      - run: test -n "$RUN_ID"

+	"context"

+	"errors"

+	"time"

+	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/infra/config"

+	"github.com/tenseleyFlow/shithub/internal/infra/db"

+func newAdminActionsCancelAllCmd() *cobra.Command {

+	var repoID int64

+	var limit int

+	var dryRun bool

+	var confirm bool

+

+	cmd := &cobra.Command{

+		Use:   "cancel-all",

+		Short: "Request cancellation for active Actions workflow runs",

+		Long: `Requests cancellation for queued/running Actions workflow runs.

+

+By default this scans all repositories, oldest first. Use --repo-id to scope

+the operation to one repository. Running jobs receive cancel_requested=true and

+are killed by their runner's cancel-check loop; queued jobs become terminal

+immediately.

+

+This is an operator break-glass command. Run with --dry-run first, then repeat

+with --confirm to mutate state.`,

+		Args: cobra.NoArgs,

+		RunE: func(cmd *cobra.Command, _ []string) error {

+			if repoID < 0 {

+				return errors.New("admin actions cancel-all: --repo-id must be zero or positive")

+			}

+			if limit < 1 || limit > 5000 {

+				return errors.New("admin actions cancel-all: --limit must be between 1 and 5000")

+			}

+			if !dryRun && !confirm {

+				return errors.New("admin actions cancel-all: refusing to mutate without --confirm; use --dry-run to inspect")

+			}

+

+			cfg, err := config.Load(nil)

+			if err != nil {

+				return err

+			}

+			if cfg.DB.URL == "" {

+				return errors.New("admin actions cancel-all: DB not configured (set SHITHUB_DATABASE_URL)")

+			}

+			ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Minute)

+			defer cancel()

+

+			pool, err := db.Open(ctx, db.Config{

+				URL:            cfg.DB.URL,

+				MaxConns:       2,

+				MinConns:       0,

+				ConnectTimeout: cfg.DB.ConnectTimeout,

+			})

+			if err != nil {

+				return fmt.Errorf("admin actions cancel-all: db open: %w", err)

+			}

+			defer pool.Close()

+

+			q := actionsdb.New()

+			runs, err := q.ListActiveWorkflowRunsForAdmin(ctx, pool, actionsdb.ListActiveWorkflowRunsForAdminParams{

+				RepoID:     repoID,

+				LimitCount: int32(limit),

+			})

+			if err != nil {

+				return fmt.Errorf("admin actions cancel-all: list active runs: %w", err)

+			}

+

+			out := cmd.OutOrStdout()

+			scope := "all repositories"

+			if repoID != 0 {

+				scope = fmt.Sprintf("repo_id=%d", repoID)

+			}

+			if dryRun {

+				for _, run := range runs {

+					_, _ = fmt.Fprintf(out,

+						"would cancel: run_id=%d repo_id=%d run_index=%d status=%s workflow=%s ref=%s sha=%s\n",

+						run.ID, run.RepoID, run.RunIndex, run.Status, run.WorkflowFile, run.HeadRef, run.HeadSha)

+				}

+				_, _ = fmt.Fprintf(out, "cancel-all dry-run: found %d active run(s) in %s (limit=%d)\n",

+					len(runs), scope, limit)

+				return nil

+			}

+

+			cancelledRuns := 0

+			cancelledJobs := 0

+			completedRuns := 0

+			for _, run := range runs {

+				result, err := actionslifecycle.CancelRun(ctx, actionslifecycle.Deps{Pool: pool}, run.ID, actionslifecycle.CancelReasonUser)

+				if err != nil {

+					return fmt.Errorf("admin actions cancel-all: cancel run %d: %w", run.ID, err)

+				}

+				if len(result.ChangedJobs) > 0 {

+					cancelledRuns++

+				}

+				cancelledJobs += len(result.ChangedJobs)

+				if result.RunCompleted {

+					completedRuns++

+				}

+				_, _ = fmt.Fprintf(out,

+					"cancelled: run_id=%d repo_id=%d run_index=%d changed_jobs=%d run_completed=%t\n",

+					run.ID, run.RepoID, run.RunIndex, len(result.ChangedJobs), result.RunCompleted)

+			}

+			_, _ = fmt.Fprintf(out,

+				"cancel-all: scanned %d active run(s) in %s; changed_runs=%d changed_jobs=%d completed_runs=%d\n",

+				len(runs), scope, cancelledRuns, cancelledJobs, completedRuns)

+			return nil

+		},

+	}

+	cmd.Flags().Int64Var(&repoID, "repo-id", 0, "Repository id to scope cancellation to; 0 scans all repositories")

+	cmd.Flags().IntVar(&limit, "limit", 500, "Maximum active runs to scan")

+	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "Print matching active runs without mutating state")

+	cmd.Flags().BoolVar(&confirm, "confirm", false, "Confirm cancellation of matching active runs")

+	return cmd

+}

+

+	adminActionsCmd.AddCommand(newAdminActionsCancelAllCmd())

+Exactly three aliases are reserved at parse time, no exceptions:

+| Alias                            | Parser status | Runner status                              |

+| -------------------------------- | ------------- | ------------------------------------------ |

+| `actions/checkout@v4`            | accepted      | rejected until checkout support lands      |

+| `shithub/upload-artifact@v1`     | accepted      | rejected until artifact upload lands       |

+| `shithub/download-artifact@v1`   | accepted      | rejected until artifact download lands     |

+The current Docker executor runs `run:` steps only. It fails a reserved

+`uses:` alias deliberately instead of pretending checkout/artifact

+semantics exist. This keeps the first end-to-end smoke path honest:

+`run:`-only workflows are executable now, while repository checkout and

+artifact transfer remain explicit follow-up work.

+

+- `GET /{owner}/{repo}/actions.atom`

+  Returns the last 50 workflow runs as an Atom feed. Auth and visibility

+  match the Actions tab (`repo:read`). Entries link to

+  `/{owner}/{repo}/actions/runs/{run_index}` and include the workflow

+  name/path, event, branch, short SHA, status, and conclusion.

+

+### Webhook events (S41h)

+

+Actions emits webhook-facing domain events through `notif.EmitTx` on

+state transitions:

+

+- `workflow_run`, with `payload.action` set to `queued`, `running`, or

+  `completed` (`completed` may carry `conclusion:"cancelled"`).

+- `workflow_job`, with `payload.action` set to `queued`, `running`,

+  `completed`, or `cancelled`.

+

+Payloads are structural snapshots only. They include ids, run index,

+workflow path/name, head SHA/ref, event kind, status, conclusion,

+timestamps, job key/name/runner id, needs, timeout, and cancellation

+state. They deliberately exclude `workflow_runs.event_payload`, env,

+permissions, logs, runner JWTs, and secret values. This keeps the

+webhook surface stable without turning arbitrary workflow input into

+subscriber-facing data.

+# Billing and paid organizations

+

+shithub's first paid surface is organization billing. The code does not

+ship billing yet; this document records the product and engineering

+contract that the PAYMENTS sprint series implements.

+

+The current implementation already has the important shape for paid

+organizations: `orgs.plan` is an enum with `free`, `team`, and

+`enterprise`; organizations own repositories; organization members and

+teams exist; branch protection and PR review gates exist; Actions has

+schema for org/repo secrets, variables, and artifacts. Billing must

+turn that substrate into a fair hosted service without taxing

+public/open-source collaboration.

+

+## Product contract

+

+As of 2026-05-12, GitHub's public pricing page presents Free at

+`$0`, Team at `$4/user/month`, and Enterprise starting at

+`$21/user/month`. shithub follows the same mental model but removes

+Copilot/AI promises from the paid-org offering.

+

+Initial decisions:

+

+- Free organizations remain self-serve.

+- Team is `$4` per active organization member per month.

+- Active organization members, including owners, count as paid seats.

+- Team has no launch trial.

+- Enterprise is a visible contact-sales stub, not self-serve.

+- Stripe Billing is the first payment processor.

+- PayPal, manual invoices, SAML, SCIM, LDAP, enterprise account

+  hierarchy, and contracts are deferred.

+

+The fairness rule is explicit: public/open-source collaboration should

+stay generous. Paid gates focus on private collaboration, hosted cost,

+advanced organization controls, and support expectations.

+

+## Pricing copy rules

+

+Pricing and onboarding pages must describe only features shithub can

+actually deliver on the hosted service. Before changing pricing copy,

+refresh the official GitHub pricing source and the Stripe Billing docs

+because both are time-sensitive inputs.

+

+Rules for paid-org copy:

+

+- Do not mention Copilot, AI agents, AI code review, or AI quotas.

+- Do not promise SAML, SCIM, LDAP, managed users, audit exports, data

+  residency, compliance attestations, contracts, or custom support

+  until the matching implementation sprint ships.

+- Do not advertise Packages, Pages, Wikis, Projects, Actions minutes,

+  or storage quotas until those surfaces have enforcement and usage

+  accounting.

+- Use upgrade language for unavailable Team features instead of hiding

+  existing data. Downgrades preserve configuration and make gated

+  settings read-only where possible.

+- Keep public/open-source collaboration generous in both copy and

+  enforcement. Avoid copy that makes public repositories feel like a

+  second-class Free tier.

+- Enterprise is a contact-sales stub in v1. It should collect interest

+  without promising contractual features.

+

+## Entitlement matrix

+

+| Capability | Free | Team | Enterprise stub |

+| --- | --- | --- | --- |

+| Public org repositories | Included | Included | Contact sales |

+| Basic private org repositories | Included | Included | Contact sales |

+| Org members and invitations | Included | Billed by active member | Contact sales |

+| Visible teams | Included | Included | Contact sales |

+| Secret teams | Upgrade | Included | Contact sales |

+| Basic branch protection | Included | Included | Contact sales |

+| Advanced private-repo branch protection | Upgrade | Included | Contact sales |

+| Required reviewers on private org repos | Upgrade | Included | Contact sales |

+| CODEOWNERS review | Deferred | Deferred | Deferred |

+| Org-level Actions secrets | Upgrade | Included | Contact sales |

+| Org-level Actions variables | Upgrade | Included | Contact sales |

+| Actions minutes | Low quota once metered | Higher quota once metered | Contact sales |

+| Actions artifacts/storage | Low quota once metered | Higher quota once metered | Contact sales |

+| Packages storage | Deferred until Packages is active | Deferred until Packages is active | Deferred |

+| Pages/Wikis/Projects | Do not promise until shipped | Do not promise until shipped | Deferred |

+| Audit log export | Deferred | Deferred | Later Enterprise feature |

+| SAML/SCIM/managed users | Deferred | Deferred | Later Enterprise feature |

+| Data residency/compliance | Deferred | Deferred | Later Enterprise feature |

+| Billing support | Basic instance support | Billing support after runbook exists | Contact sales |

+

+## Current capability audit

+

+Already present and safe to gate:

+

+- Organizations with `plan` and `billing_email`.

+- Organization members, owner role, and invitations.

+- Teams, including `privacy='secret'`.

+- Branch protection rules and required review counts.

+- PR review and reviewer-request substrate.

+- Org/repo Actions secrets and variables schema.

+

+Present but missing enforcement or metering:

+

+- Storage quota type exists, but quota persistence and enforcement are

+  incomplete.

+- Actions minutes, artifacts, and object usage need accounting before

+  paid limits can be promised.

+- Packages storage cannot be sold until the Packages sprint is active

+  and quota enforcement exists.

+

+Deferred:

+

+- SAML, SCIM, LDAP, enterprise account hierarchy, audit-log export, data

+  residency, compliance promises, and custom support SLAs.

+- Copilot/AI features are intentionally outside shithub's paid-org

+  product.

+

+## Billing architecture

+

+Stripe is the payment source of truth. shithub is the entitlement source

+of truth.

+

+The billing implementation should add a local billing domain that stores

+only Stripe IDs and payment summaries, never card data. Webhooks update

+local subscription state after signature verification. Policy and

+request handlers read local billing/entitlement state and must not call

+Stripe in hot paths.

+

+Required local concepts:

+

+- Stripe customer per billable organization.

+- Subscription state per organization.

+- Subscription item ID for seat quantity sync.

+- Immutable webhook receipts with unique provider event IDs.

+- Invoice/payment summaries for UI.

+- Seat snapshots for auditability.

+- Billing grace/lock state derived from processed subscription events.

+

+PAYMENTS SP02 adds these as local database tables:

+

+- `org_billing_states` stores the organization billing projection used

+  by entitlement checks.

+- `billing_seat_snapshots` records active and billable seat counts over

+  time.

+- `billing_invoices` stores invoice/payment summaries for billing UI.

+- `billing_webhook_events` stores immutable provider event receipts for

+  idempotent webhook processing.

+

+New organizations receive a Free billing state from a database trigger,

+and the migration backfills existing organizations as Free. Subscription

+snapshot writes also keep `orgs.plan` synchronized as the

+human-facing summary.

+

+## Entitlement architecture

+

+Paid feature checks must live behind a central entitlement package, not

+as scattered `orgs.plan` checks in handlers.

+

+`make lint-org-plan` enforces this boundary. Schema/sqlc plumbing may

+store and scan the plan value, but product behavior should ask the

+entitlement package whether a feature key is available.

+

+Expected feature keys:

+

+- `org.secret_teams`

+- `org.advanced_branch_protection`

+- `org.required_reviewers`

+- `org.actions_org_secrets`

+- `org.actions_org_variables`

+- `org.private_collaboration_limit`

+- `org.storage_quota`

+- `org.actions_minutes_quota`

+

+Authorization and entitlement are separate gates. A user must have both

+the policy permission and the paid entitlement for gated writes. Denials

+must preserve existing `policy.Maybe404` behavior where existence leaks

+matter.

+

+## Downgrade behavior

+

+Downgrades must preserve customer data. Moving from Team to Free should

+not delete teams, secrets, variables, branch rules, or review settings.

+Existing gated resources become read-only where possible. Users can

+remove gated configuration, but cannot create or expand it until the

+organization upgrades again.

+

+## Open questions for implementation

+

+- Whether Free should limit private org collaborators before usage

+  metering exists, or whether the first paid gates are advanced controls

+  only.

+- Whether required reviewers are gated only for private org repos. The

+  current lean is private-org-only.

+- Whether org-level Actions secrets and variables should be Team-only

+  even for public repositories. The current lean is yes for org scope.

+- Exact Free and Team quota numbers for Actions and storage. These must

+  come from real host-cost estimates before SP08.

+

+## Source references

+

+- GitHub pricing: `https://github.com/pricing`

+- GitHub plans docs:

+  `https://docs.github.com/en/get-started/learning-about-github/githubs-plans`

+- Stripe Billing: `https://docs.stripe.com/billing`

+- Stripe pricing models:

+  `https://docs.stripe.com/products-prices/pricing-models`

+| `GET /{owner}/{repo}/compare`                           | `compareView`                 |

+empty). The bare `/compare` route renders GitHub's branch/tag picker

+blank slate instead of redirecting to `default...default`. Renders:

+

+- Base/head dropdowns listing local branches and tags with live

+  filtering. Cross-repo `fork:branch` input is still normalized to a

+  local ref until fork PRs ship.

+- A mergeability/status line plus a "Create pull request" button when

+  `head` has commits not on `base`.

+- [billing.md](./billing.md) — paid org product contract,

+  entitlements, and Stripe integration guardrails.

+## Billing posture

+

+Organizations are the first planned paid shithub surface. The

+`orgs.plan` and `billing_email` fields are present today, but payment

+processing and entitlement enforcement live in the PAYMENTS sprint

+series. The durable product and implementation contract is tracked in

+[`billing.md`](./billing.md).

+

+Until that series lands, production code must not branch on

+`orgs.plan` for feature access. Paid feature checks should go through

+the future entitlement package described in the billing doc.

+

+## Authorization versus entitlements

+

+`policy.Can` answers only one question: is this actor allowed to

+perform this action on this resource under shithub's permission model?

+It must not decide whether an organization has paid for a feature.

+

+Paid organization checks are a second gate after authorization. The

+expected flow for gated writes is:

+

+1. Load the resource and run the normal policy check.

+2. Preserve `policy.Maybe404` behavior for private-resource denials.

+3. Ask the entitlement layer whether the organization has the specific

+   feature key.

+4. If the feature is unavailable, return a billing/upgrade response

+   without re-deriving ownership, visibility, role, or plan state in

+   the handler.

+

+The entitlement layer may inspect billing state and plan-derived

+features. Policy code, handlers, git transports, and domain packages

+must not branch directly on `orgs.plan` or sqlc `OrgPlan*` constants.

+That keeps security authorization independent from commercial product

+packaging, and makes downgrades/grace periods possible without

+rewriting role checks.

+

+  the handler runs. It still binds username, suspension, and site-admin

+  fields into `middleware.PATAuth`; API policy gates must construct

+  actors through `PATAuth.PolicyActor()` so the request actor stays

+  honest even as the middleware evolves.

+

+`scripts/lint-org-plan-boundary.sh` also runs in `make ci`. It fails on

+direct plan feature gates outside `internal/billing/`,

+`internal/entitlements/`, generated sqlc models, migrations, and tests.

+When adding a paid feature, add or use an entitlement feature key rather

+than comparing `OrgPlanTeam` or `OrgPlanEnterprise` at the call site.

+The pull-request list's "New pull request" button starts at

+`/{owner}/{repo}/compare`, where the user picks base/head refs. Once

+the head is ahead of base, compare links into

+`/pulls/new?base=...&head=...`. `/pulls/new` redirects back to

+compare when no head ref is supplied so the GitHub-style branch picker

+remains the canonical entry point.

+- Compare/new-PR entry follows GitHub's range editor: base and head

+  dropdowns list branches and tags with live filtering, preserve the

+  opposite side of the comparison, and render compare URLs with the

+  `base...head` shape.

+- The open-PR page reuses the compare state: ahead/behind counts,

+  mergeability probe, commits, and three-dot diff all render before

+  submission. The form posts the selected refs as hidden fields.

+- The new PR description uses the shared GitHub-like Markdown editor

+  (write/preview, toolbar, mentions/references/saved replies shell).

+  Copilot suggestions are intentionally omitted.

+This is the operator runbook for shithub Actions. Host provisioning lives in

+[runner-deploy.md](./runner-deploy.md), and runner protocol details live in

+[actions-runner-api.md](../actions-runner-api.md).

+

+## Shape

+

+```text

+git push / workflow_dispatch / schedule / pull_request

+        |

+        v

+workflow:trigger worker job

+        |

+        v

+workflow_runs + workflow_jobs + workflow_steps + check_runs

+        |

+        v

+registered runner heartbeat claims a matching queued job

+        |

+        v

+containerized run: steps -> log chunks -> step/job status -> run rollup

+```

+

+The v1 executor supports containerized `run:` steps. The parser reserves

+`actions/checkout@v4`, `shithub/upload-artifact@v1`, and

+`shithub/download-artifact@v1`, but the Docker runner rejects `uses:` steps

+until checkout metadata and artifact transfer are wired end to end. Do not use

+`actions/checkout@v4` in production smoke workflows yet.

+

+## First smoke

+

+1. Confirm migrations are applied and the web process can enqueue workers.

+2. Register one runner with a label that matches the workflow:

+

+```sh

+shithubd admin runner register \

+  --name smoke-runner-1 \

+  --labels self-hosted,linux,ubuntu-latest \

+  --capacity 1

+```

+

+3. Start `shithubd-runner` with the printed token. For production hosts, use

+   the Ansible/systemd path in [runner-deploy.md](./runner-deploy.md).

+4. Push a `run:`-only workflow:

+

+```yaml

+name: smoke

+on: [push, workflow_dispatch]

+jobs:

+  hello:

+    runs-on: ubuntu-latest

+    env:

+      RUN_ID: ${{ shithub.run_id }}

+    steps:

+      - run: echo "hello from shithub actions"

+      - run: test -n "$RUN_ID"

+```

+

+5. Expected result:

+

+- `workflow:trigger` enqueues a workflow run.

+- A runner heartbeat claims the queued job within one idle poll interval.

+- The Actions run page streams step logs while the job is running.

+- The matching check run completes with `success`.

+- `/{owner}/{repo}/actions.atom` includes the completed run.

+

+Repeat with `exit 1`; the check should complete with `failure`.

+

+In `shithubd`, this route is mounted outside the normal app compression and

+30-second timeout middleware. If a future route move puts live logs back under

+either middleware, EventSource clients will churn and logs can buffer despite

+the Caddy flush setting.

+

+

+## Runner health

+

+On the runner host:

+

+```sh

+systemctl status shithubd-runner

+journalctl -u shithubd-runner -n 100 --no-pager

+```

+

+On the app host, inspect runner registration and heartbeat state:

+

+```sh

+shithubd admin actions runner list

+```

+

+Important metrics:

+

+- `shithub_actions_runner_heartbeats_total{result="claimed|no_job"}`

+- `shithub_actions_runner_jwt_total{result="issued|rejected|replay"}`

+- `shithub_actions_jobs_cancelled_total{reason="user|concurrency|timeout"}`

+- `shithub_actions_log_scrub_replacements_total{location="server"}`

+- `shithub_actions_step_timeouts_total`

+

+## Emergency cancel

+

+Start with a dry run:

+

+```sh

+shithubd admin actions cancel-all --dry-run --limit 100

+```

+

+Scope to one repository when possible:

+

+```sh

+shithubd admin actions cancel-all --dry-run --repo-id 42

+```

+

+Then confirm:

+

+```sh

+shithubd admin actions cancel-all --confirm --repo-id 42

+```

+

+Queued jobs are marked cancelled immediately. Running jobs receive

+`cancel_requested=true`; the runner sees that through `/cancel-check`, kills the

+active container, and reports terminal `cancelled`.

+

+## Common failures

+

+- **Run never appears:** confirm the workflow file is under

+  `.shithub/workflows/`, parse it with `shithubd admin actions parse <file>`,

+  and verify the trigger event matches `on:`.

+- **Run stays queued:** confirm a runner is registered with matching labels and

+  capacity, then inspect runner journal output and heartbeat metrics.

+- **Step logs buffer:** verify the Caddy route above and confirm the SSE route

+  is still mounted outside compression and short timeouts.

+- **`uses:` step fails:** expected for now. Replace with a `run:` step until

+  checkout/artifact support lands.

+- **Secrets appear masked inconsistently:** check

+  `shithub_actions_log_scrub_replacements_total{location="server"}` and confirm

+  the job was claimed after the secret was created or rotated. Mask snapshots

+  are captured at claim time.

+| Paid org feature gates stay behind entitlements | `scripts/lint-org-plan-boundary.sh` in `make ci` | PAYMENTS SP01 |

+keyset cursor over `(created_at, id)`. Full-page requests with a

+`before` cursor still render that cursor window for no-JavaScript

+fallbacks; HTMX requests return only the next feed rows plus a replacement

+`More` control, so the browser appends activity in place like GitHub's

+dashboard feed.

+- [Actions](./user/actions.md)

+- [Actions workflow API](./api/actions.md)

+- [Actions runner API](./api/actions-runner.md)

+# Actions workflow API

+

+Actions workflow lifecycle endpoints are PAT-authenticated and require

+`repo:write`. The token's user must also have write permission on the

+repository that owns the target run or job.

+

+## Runs Atom feed

+

+```text

+GET /{owner}/{repo}/actions.atom

+```

+

+Returns the last 50 workflow runs as `application/atom+xml`. Visibility

+matches the Actions tab: public repositories are public; private

+repositories require repository read access.

+

+Each entry links to the run page and summarizes workflow name, event,

+branch, commit, status, and conclusion.

+

+## Cancel job

+

+```text

+POST /api/v1/jobs/{id}/cancel

+```

+

+Requests cancellation for a workflow job. Queued jobs become terminal

+immediately. Running jobs set `cancel_requested=true`; the runner observes

+that flag through its cancel-check endpoint, stops the active container, and

+reports the terminal status.

+

+Response: `202 Accepted`.

+

+```json

+{

+  "job_id": 10,

+  "run_id": 4,

+  "repo_id": 2,

+  "changed_jobs": 1,

+  "run_completed": false,

+  "run_conclusion": ""

+}

+```

+

+## Re-run workflow run

+

+```text

+POST /api/v1/runs/{id}/rerun

+```

+

+Creates a new workflow run from the original run's commit and workflow file.

+Only terminal runs are rerunnable. The new run records `parent_run_id` so the

+history remains linked.

+

+Response: `201 Created`.

+

+```json

+{

+  "run_id": 12,

+  "run_index": 8,

+  "parent_run_id": 4,

+  "repo_id": 2,

+  "workflow_file": ".shithub/workflows/ci.yml",

+  "head_sha": "0123456789abcdef0123456789abcdef01234567"

+}

+```

+> `/api/v1/user/starred*` stars endpoints, plus the Actions lifecycle

+> routes in [Actions workflow API](actions.md). Other sections of this

+expired / revoked PAT — returns `401 Unauthorized` with the

+canonical JSON error envelope. The response also carries a

+`WWW-Authenticate: Bearer realm="shithub", error="invalid_token"`

+challenge so HTTP-aware clients can reauthenticate cleanly.

+{"error": "invalid token"}

+`403 Forbidden` with the required scope surfaced in the

+`X-Accepted-OAuth-Scopes` response header. The token's actual

+scopes are echoed on every PAT-authenticated response (including

+errors) via `X-OAuth-Scopes`, so clients can build precise

+"missing scope X, present scopes Y, Z" error messages without

+parsing the body:

+```

+HTTP/1.1 403 Forbidden

+X-OAuth-Scopes: user:read

+X-Accepted-OAuth-Scopes: repo:write

+Content-Type: application/json; charset=utf-8

+

+{"error":"token lacks required scope: repo:write"}

+  max 100) and return an RFC 8288 `Link:` header with `next`,

+  `prev`, `first`, `last` URLs. URLs are absolute and use the

+  instance's configured public base URL. Forward-only feeds emit

+  only `next` / `prev` (no `first` / `last`) when totals are

+  expensive to compute. Cursor pagination on hot lists uses

+  `?cursor=…` and returns the next cursor in the same `Link:`

+  timestamp). Exceeding the limit returns `429` with the canonical

+  error envelope, a `Retry-After` header (seconds), and

+  `X-RateLimit-Remaining: 0`. Defaults: 5000 / hour for PAT

+  callers (keyed by token id) and 60 / hour for anonymous callers

+  (keyed by remote IP). Operators tune via

+  `SHITHUB_RATELIMIT__API__AUTHED_PER_HOUR` and

+  `SHITHUB_RATELIMIT__API__ANON_PER_HOUR`.

+- **Request id:** every response echoes `X-Request-Id`. If the

+  caller sends one (matching `[a-z0-9/:_-]{1,128}`) it's reused;

+  otherwise the server generates a fresh 16-byte hex id. Quote

+  this id in support reports — it correlates against the server

+  logs.

+

+## Capability discovery

+

+`GET /api/v1/meta` is unauthenticated and returns the server's

+version stamp plus a list of feature capability strings. Clients

+use it to gate optional features without trial-and-error:

+

+```json

+{

+  "version": "v0.2.0",

+  "commit": "abc1234",

+  "built_at": "2026-05-12T03:00:00Z",

+  "capabilities": ["pat-auth", "check-runs", "stars", "actions-lifecycle"]

+}

+```

+

+New capability identifiers are appended as feature batches land;

+existing entries are stable.

+- `workflow_run` (actions: `queued`, `running`, `completed`)

+- `workflow_job` (actions: `queued`, `running`, `completed`,

+  `cancelled`)

+

+### Actions payload safety

+

+`workflow_run` and `workflow_job` payloads are structural snapshots:

+ids, run index, workflow path/name, head SHA/ref, event kind, status,

+conclusion, timestamps, job key/name, runner id, needs, timeout, and

+cancellation state. They intentionally do **not** include workflow

+event payloads, env, permissions, logs, runner JWTs, or secret values.

+# Actions

+

+shithub Actions runs CI workflows from `.shithub/workflows/*.yml`.

+The workflow format intentionally follows the parts of GitHub Actions that are

+useful for ordinary repository CI, while keeping the runner surface small enough

+to secure.

+

+## Minimal workflow

+

+```yaml

+name: smoke

+on: [push, workflow_dispatch]

+jobs:

+  hello:

+    runs-on: ubuntu-latest

+    env:

+      RUN_ID: ${{ shithub.run_id }}

+    steps:

+      - run: echo "hello from shithub actions"

+      - run: test -n "$RUN_ID"

+```

+

+Commit that file as `.shithub/workflows/smoke.yml` and push to the repository.

+The run appears under the repository's Actions tab and its job also appears as

+a check run on matching pull requests.

+

+## What works today

+

+- `push`, `pull_request`, `schedule`, and `workflow_dispatch` triggers

+- `run:` steps executed in the operator-configured runner image

+- `runs-on:` label matching against registered runners

+- workflow, job, and step `env:`

+- `${{ secrets.NAME }}`, `${{ vars.NAME }}`, `${{ env.NAME }}`, and

+  `${{ shithub.* }}` expressions

+- `needs:`, `if:`, `timeout-minutes:`, and concurrency groups

+- live step logs, cancel, re-run, check-run sync, and the Actions Atom feed

+

+`runs-on: ubuntu-latest` is a runner label, not a promise that shithub downloads

+a hosted Ubuntu image for you. The site operator decides which image a matching

+runner uses. On shithub.sh, use the labels published by the instance operator.

+

+## Current limit

+

+Use `run:` steps for now. The parser accepts these reserved aliases:

+

+- `actions/checkout@v4`

+- `shithub/upload-artifact@v1`

+- `shithub/download-artifact@v1`

+

+The runner does not execute them yet. A workflow containing those `uses:` steps

+will fail until checkout and artifact execution land. If you need repository

+files in a smoke workflow today, keep the command self-contained or fetch what

+you need explicitly inside a `run:` step.

+

+## Expressions

+

+Use the shithub namespace:

+

+```yaml

+env:

+  REF: ${{ shithub.ref }}

+  SHA: ${{ shithub.sha }}

+  RUN_ID: ${{ shithub.run_id }}

+```

+

+The `github.*` namespace is accepted as a compatibility alias for the fields

+shithub exposes, but new workflows should use `shithub.*`.

+

+Event payload values such as `${{ shithub.event.pull_request.title }}` are

+treated as untrusted. The runner passes them through temporary environment

+bindings instead of splicing them directly into shell command text.

+

+## Secrets and variables

+

+Repository and organization settings expose Actions secrets and variables.

+Secrets are encrypted at rest and are redacted from logs. Variables are

+plaintext configuration and are suitable for non-secret values such as tool

+versions or feature flags.

+

+Repo-scoped values shadow organization-scoped values with the same name.

+

+## Migrating from GitHub Actions

+

+Most simple CI files need three edits:

+

+1. Move the workflow file from `.github/workflows/` to `.shithub/workflows/`.

+2. Replace `uses:` actions with equivalent `run:` commands.

+3. Confirm `runs-on:` matches a label registered by your shithub operator.

+

+Marketplace actions, Docker actions, composite actions, hosted runner images,

+matrix expansion, service containers, and built-in checkout are not part of the

+current v1 runner.

+- `X-Shithub-Event: <event-name>` — e.g., `push`, `pull_request`,

+  `workflow_run`.

+## Actions events

+

+Repository webhooks can subscribe to Actions lifecycle events:

+

+- `workflow_run` actions: `queued`, `running`, `completed`.

+- `workflow_job` actions: `queued`, `running`, `completed`,

+  `cancelled`.

+

+Actions payloads only carry structural run/job metadata. shithub does

+not include workflow event payloads, env, permissions, logs, runner

+tokens, or secrets in webhook bodies.

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package events emits webhook-facing Actions lifecycle events.

+//

+// These payloads are deliberately structural. Do not include workflow

+// event_payload, env, permissions, step logs, runner JWTs, or secret material.

+package events

+

+import (

+	"context"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/notif"

+)

+

+const (

+	KindWorkflowRun = "workflow_run"

+	KindWorkflowJob = "workflow_job"

+

+	ActionQueued    = "queued"

+	ActionRunning   = "running"

+	ActionCompleted = "completed"

+	ActionCancelled = "cancelled"

+)

+

+// EmitRunTx writes one workflow_run domain event inside the caller's

+// transaction. Use it when the run mutation and event row must commit

+// atomically.

+func EmitRunTx(ctx context.Context, tx pgx.Tx, run actionsdb.WorkflowRun, action string) error {

+	return notif.EmitTx(ctx, tx, runEvent(run, action))

+}

+

+// EmitJobTx writes one workflow_job domain event inside the caller's

+// transaction. The parent run snapshot is included so webhook subscribers do

+// not need a second API call to identify the workflow execution.

+func EmitJobTx(ctx context.Context, tx pgx.Tx, run actionsdb.WorkflowRun, job actionsdb.WorkflowJob, action string) error {

+	return notif.EmitTx(ctx, tx, jobEvent(run, job, action))

+}

+

+func runEvent(run actionsdb.WorkflowRun, action string) notif.Event {

+	return notif.Event{

+		ActorUserID: int8Value(run.ActorUserID),

+		Kind:        KindWorkflowRun,

+		RepoID:      run.RepoID,

+		SourceKind:  KindWorkflowRun,

+		SourceID:    run.ID,

+		Public:      false,

+		Extra: map[string]any{

+			"action":       action,

+			"workflow_run": runPayload(run),

+		},

+	}

+}

+

+func jobEvent(run actionsdb.WorkflowRun, job actionsdb.WorkflowJob, action string) notif.Event {

+	return notif.Event{

+		ActorUserID: int8Value(run.ActorUserID),

+		Kind:        KindWorkflowJob,

+		RepoID:      run.RepoID,

+		SourceKind:  KindWorkflowJob,

+		SourceID:    job.ID,

+		Public:      false,

+		Extra: map[string]any{

+			"action":       action,

+			"workflow_run": runPayload(run),

+			"workflow_job": jobPayload(job),

+		},

+	}

+}

+

+func runPayload(run actionsdb.WorkflowRun) map[string]any {

+	return map[string]any{

+		"id":               run.ID,

+		"repo_id":          run.RepoID,

+		"run_index":        run.RunIndex,

+		"workflow_file":    run.WorkflowFile,

+		"workflow_name":    run.WorkflowName,

+		"head_sha":         run.HeadSha,

+		"head_ref":         run.HeadRef,

+		"event":            string(run.Event),

+		"status":           string(run.Status),

+		"conclusion":       conclusionValue(run.Conclusion),

+		"actor_user_id":    int8Nullable(run.ActorUserID),

+		"parent_run_id":    int8Nullable(run.ParentRunID),

+		"created_at":       timeValue(run.CreatedAt),

+		"updated_at":       timeValue(run.UpdatedAt),

+		"started_at":       timeValue(run.StartedAt),

+		"completed_at":     timeValue(run.CompletedAt),

+		"trigger_event_id": run.TriggerEventID,

+	}

+}

+

+func jobPayload(job actionsdb.WorkflowJob) map[string]any {

+	return map[string]any{

+		"id":               job.ID,

+		"run_id":           job.RunID,

+		"job_index":        job.JobIndex,

+		"job_key":          job.JobKey,

+		"job_name":         job.JobName,

+		"runs_on":          job.RunsOn,

+		"runner_id":        int8Nullable(job.RunnerID),

+		"needs_jobs":       job.NeedsJobs,

+		"timeout_minutes":  job.TimeoutMinutes,

+		"status":           string(job.Status),

+		"conclusion":       conclusionValue(job.Conclusion),

+		"cancel_requested": job.CancelRequested,

+		"created_at":       timeValue(job.CreatedAt),

+		"updated_at":       timeValue(job.UpdatedAt),

+		"started_at":       timeValue(job.StartedAt),

+		"completed_at":     timeValue(job.CompletedAt),

+	}

+}

+

+func conclusionValue(v actionsdb.NullCheckConclusion) any {

+	if !v.Valid {

+		return nil

+	}

+	return string(v.CheckConclusion)

+}

+

+func int8Value(v pgtype.Int8) int64 {

+	if !v.Valid {

+		return 0

+	}

+	return v.Int64

+}

+

+func int8Nullable(v pgtype.Int8) any {

+	if !v.Valid {

+		return nil

+	}

+	return v.Int64

+}

+

+func timeValue(v pgtype.Timestamptz) any {

+	if !v.Valid {

+		return nil

+	}

+	return v.Time.UTC().Format("2006-01-02T15:04:05.999999999Z07:00")

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package events

+

+import (

+	"encoding/json"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+)

+

+func TestPayloadsExcludeSensitiveWorkflowState(t *testing.T) {

+	now := pgtype.Timestamptz{Time: time.Date(2026, 5, 12, 12, 0, 0, 0, time.UTC), Valid: true}

+	run := actionsdb.WorkflowRun{

+		ID:             11,

+		RepoID:         22,

+		RunIndex:       3,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		WorkflowName:   "CI",

+		HeadSha:        strings.Repeat("a", 40),

+		HeadRef:        "refs/heads/trunk",

+		Event:          actionsdb.WorkflowRunEventPush,

+		EventPayload:   []byte(`{"secret":"do-not-emit"}`),

+		ActorUserID:    pgtype.Int8{Int64: 33, Valid: true},

+		Status:         actionsdb.WorkflowRunStatusRunning,

+		TriggerEventID: "push:demo",

+		CreatedAt:      now,

+		UpdatedAt:      now,

+		StartedAt:      now,

+	}

+	job := actionsdb.WorkflowJob{

+		ID:             44,

+		RunID:          run.ID,

+		JobIndex:       0,

+		JobKey:         "build",

+		JobName:        "Build",

+		RunsOn:         "ubuntu-latest",

+		NeedsJobs:      []string{},

+		TimeoutMinutes: 30,

+		Permissions:    []byte(`{"contents":"read"}`),

+		JobEnv:         []byte(`{"TOKEN":"do-not-emit"}`),

+		Status:         actionsdb.WorkflowJobStatusCompleted,

+		Conclusion:     actionsdb.NullCheckConclusion{CheckConclusion: actionsdb.CheckConclusionSuccess, Valid: true},

+		CreatedAt:      now,

+		UpdatedAt:      now,

+		StartedAt:      now,

+		CompletedAt:    now,

+	}

+

+	payload, err := json.Marshal(jobEvent(run, job, ActionCompleted).Extra)

+	if err != nil {

+		t.Fatalf("marshal payload: %v", err)

+	}

+	got := string(payload)

+	for _, forbidden := range []string{

+		"event_payload",

+		"do-not-emit",

+		"permissions",

+		"job_env",

+		"TOKEN",

+		"secret",

+	} {

+		if strings.Contains(got, forbidden) {

+			t.Fatalf("payload leaked %q: %s", forbidden, got)

+		}

+	}

+	for _, required := range []string{

+		`"action":"completed"`,

+		`"workflow_run"`,

+		`"workflow_job"`,

+		`"status":"completed"`,

+		`"conclusion":"success"`,

+		`"trigger_event_id":"push:demo"`,

+	} {

+		if !strings.Contains(got, required) {

+			t.Fatalf("payload missing %q: %s", required, got)

+		}

+	}

+}

+	actionsevents "github.com/tenseleyFlow/shithub/internal/actions/events"

+		run, err := q.GetWorkflowRunByID(ctx, tx, runID)

+		if err != nil {

+			return CancelResult{}, err

+		}

+		if err := emitCancelEvents(ctx, tx, run, changed, runCompleted); err != nil {

+			return CancelResult{}, err

+		}

+		run, err := q.GetWorkflowRunByID(ctx, tx, runID)

+		if err != nil {

+			return CancelResult{}, err

+		}

+		if err := emitCancelEvents(ctx, tx, run, changed, runCompleted); err != nil {

+			return CancelResult{}, err

+		}

+func emitCancelEvents(ctx context.Context, tx pgx.Tx, run actionsdb.WorkflowRun, jobs []actionsdb.WorkflowJob, runCompleted bool) error {

+	for _, job := range jobs {

+		if job.Status != actionsdb.WorkflowJobStatusCancelled {

+			continue

+		}

+		if err := actionsevents.EmitJobTx(ctx, tx, run, job, actionsevents.ActionCancelled); err != nil {

+			return err

+		}

+	}

+	if runCompleted {

+		action := actionsevents.ActionCompleted

+		if run.Status == actionsdb.WorkflowRunStatusCancelled {

+			action = actionsevents.ActionCancelled

+		}

+		if err := actionsevents.EmitRunTx(ctx, tx, run, action); err != nil {

+			return err

+		}

+	}

+	return nil

+}

+

+func TestListActiveWorkflowRunsForAdminFiltersActiveRuns(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	repoID, userID := setupLifecycleRepo(t, pool)

+	q := actionsdb.New()

+

+	queued := insertLifecycleRun(t, pool, repoID, userID, 1)

+	running := insertLifecycleRun(t, pool, repoID, userID, 2)

+	running, err := q.StartWorkflowRun(ctx, pool, running.ID)

+	if err != nil {

+		t.Fatalf("StartWorkflowRun: %v", err)

+	}

+	completed := insertLifecycleRun(t, pool, repoID, userID, 3)

+	if _, err := q.CompleteWorkflowRun(ctx, pool, actionsdb.CompleteWorkflowRunParams{

+		ID:         completed.ID,

+		Conclusion: actionsdb.CheckConclusionSuccess,

+	}); err != nil {

+		t.Fatalf("CompleteWorkflowRun: %v", err)

+	}

+	otherRepoID, otherUserID := setupNamedLifecycleRepo(t, pool, "bob", "other")

+	otherRepoRun := insertLifecycleRun(t, pool, otherRepoID, otherUserID, 1)

+

+	all, err := q.ListActiveWorkflowRunsForAdmin(ctx, pool, actionsdb.ListActiveWorkflowRunsForAdminParams{

+		RepoID:     0,

+		LimitCount: 10,

+	})

+	if err != nil {

+		t.Fatalf("ListActiveWorkflowRunsForAdmin all: %v", err)

+	}

+	assertRunIDs(t, all, queued.ID, running.ID, otherRepoRun.ID)

+

+	repoOnly, err := q.ListActiveWorkflowRunsForAdmin(ctx, pool, actionsdb.ListActiveWorkflowRunsForAdminParams{

+		RepoID:     repoID,

+		LimitCount: 10,

+	})

+	if err != nil {

+		t.Fatalf("ListActiveWorkflowRunsForAdmin repo: %v", err)

+	}

+	assertRunIDs(t, repoOnly, queued.ID, running.ID)

+

+	limited, err := q.ListActiveWorkflowRunsForAdmin(ctx, pool, actionsdb.ListActiveWorkflowRunsForAdminParams{

+		RepoID:     0,

+		LimitCount: 1,

+	})

+	if err != nil {

+		t.Fatalf("ListActiveWorkflowRunsForAdmin limited: %v", err)

+	}

+	assertRunIDs(t, limited, queued.ID)

+}

+

+	t.Helper()

+	return setupNamedLifecycleRepo(t, db, "alice", "demo")

+}

+

+func setupNamedLifecycleRepo(t *testing.T, db actionsdb.DBTX, username, repoName string) (repoID, userID int64) {

+		Username:     username,

+		DisplayName:  username,