cpflow 5.1.0 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (69) hide show
  1. checksums.yaml +4 -4
  2. data/.agents/agent-workflow.yml +15 -0
  3. data/.agents/bin/README.md +19 -0
  4. data/.agents/bin/docs +5 -0
  5. data/.agents/bin/lint +5 -0
  6. data/.agents/bin/setup +5 -0
  7. data/.agents/bin/test +5 -0
  8. data/.agents/bin/validate +5 -0
  9. data/.agents/trusted-github-actors.yml +32 -0
  10. data/.agents/workflows/ai-rollout-e2e-test.md +166 -0
  11. data/.github/actions/cpflow-wait-for-health/action.yml +11 -4
  12. data/.github/workflows/claude-code-review.yml +2 -0
  13. data/.github/workflows/claude.yml +2 -0
  14. data/.github/workflows/cpflow-deploy-review-app.yml +16 -1
  15. data/.github/workflows/cpflow-promote-staging-to-production.yml +224 -37
  16. data/.github/workflows/rspec-shared.yml +15 -1
  17. data/.github/workflows/rspec-specific.yml +1 -0
  18. data/.github/workflows/rspec.yml +58 -1
  19. data/AGENTS.md +57 -0
  20. data/CHANGELOG.md +36 -1
  21. data/CLAUDE.md +3 -0
  22. data/CONTRIBUTING.md +6 -2
  23. data/Gemfile.lock +1 -1
  24. data/README.md +25 -7
  25. data/docs/ai-github-flow-prompt.md +18 -16
  26. data/docs/assets/logo/favicon.ico +0 -0
  27. data/docs/assets/logo/icon-1024.png +0 -0
  28. data/docs/assets/logo/icon-128.png +0 -0
  29. data/docs/assets/logo/icon-16.png +0 -0
  30. data/docs/assets/logo/icon-192.png +0 -0
  31. data/docs/assets/logo/icon-24.png +0 -0
  32. data/docs/assets/logo/icon-32.png +0 -0
  33. data/docs/assets/logo/icon-48.png +0 -0
  34. data/docs/assets/logo/icon-512.png +0 -0
  35. data/docs/assets/logo/icon-64.png +0 -0
  36. data/docs/assets/logo/icon-tile.svg +17 -0
  37. data/docs/assets/logo/mark-transparent.svg +16 -0
  38. data/docs/ci-automation.md +203 -15
  39. data/docs/commands.md +16 -1
  40. data/docs/grafana-opentelemetry.md +699 -0
  41. data/docs/secrets-and-env-values.md +29 -2
  42. data/docs/sidebars.ts +70 -0
  43. data/docs/telemetry/application-instrumentation.md +161 -0
  44. data/docs/telemetry/collector.md +297 -0
  45. data/docs/telemetry/index.md +152 -0
  46. data/docs/telemetry/pipelines.md +98 -0
  47. data/docs/telemetry/review-apps.md +55 -0
  48. data/docs/telemetry/troubleshooting.md +92 -0
  49. data/docs/terraform/example/.controlplane/controlplane.yml +0 -1
  50. data/docs/terraform/overview.md +11 -0
  51. data/docs/tips.md +458 -29
  52. data/examples/controlplane.yml +2 -0
  53. data/lib/command/ai_github_flow_prompt.rb +2 -2
  54. data/lib/command/base.rb +17 -2
  55. data/lib/command/deploy_image.rb +77 -5
  56. data/lib/command/maintenance_off.rb +1 -0
  57. data/lib/command/maintenance_on.rb +1 -0
  58. data/lib/command/promote_app_from_upstream.rb +1 -0
  59. data/lib/command/ps_wait.rb +2 -10
  60. data/lib/command/run.rb +25 -5
  61. data/lib/core/config.rb +94 -0
  62. data/lib/core/doctor_service.rb +44 -3
  63. data/lib/core/maintenance_mode.rb +93 -6
  64. data/lib/core/template_parser.rb +43 -9
  65. data/lib/cpflow/version.rb +1 -1
  66. data/lib/generator_templates/controlplane.yml +1 -2
  67. data/lib/github_flow_templates/.github/cpflow-help.md +23 -1
  68. data/lib/github_flow_templates/.github/workflows/cpflow-promote-staging-to-production.yml +224 -39
  69. metadata +33 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 44479e287fa1f7366a4df86ee7f68176c00f2b6cd2fe59c786e5de6f1143d2b3
4
- data.tar.gz: acbf5149907b43cc628d2af8c19572d0ffb5de6d1bae630cb98c14c5ca46d4cc
3
+ metadata.gz: 4d334d4f24d777236b1d99232c0aeb14aaac17a3daed74837738773a5aa42b3c
4
+ data.tar.gz: ca7b66e6bd876a6a3f422a425aa86ce90e74af5f57e23eada8384c3f1e963f75
5
5
  SHA512:
6
- metadata.gz: 1bf64792213761b8e5af2f44bf18c90c32c2ceeef36c23082afbc34def70d7059bb36747dc696e7bb4236538f3670dc177c9d2b06de68459d1e80634604e088a
7
- data.tar.gz: 3c789100969a47e6d7b29efa75fb1b99b799074b89e8cf276dbdf505bab36adec20e010700366e36fc12063426ca80cacf58db3f17253f3dbc241a6533485104
6
+ metadata.gz: e72015fc6143701ee31e311030a71c91957556aba0cc762c01d63834cd71d01ba7bfe4e76e216700a8367e365fbb3da2459c70707e6364e7985326e00e6ccab5
7
+ data.tar.gz: 4b19772575225b90d96ebe788cc555699210df4aa9ae92677e6fbde395f4bcc92b2ef2206b062049c8192ca91228e45e7c7c9414b1948b896248758eb8c71370
@@ -0,0 +1,15 @@
1
+ # Non-command agent-workflow configuration for portable shared skills.
2
+ # Commands live as scripts in .agents/bin/ (see .agents/bin/README.md).
3
+ # Compatibility summary for older workflow copies; canonical values live in
4
+ # AGENTS.md.
5
+ base_branch: main
6
+ changelog: "CHANGELOG.md — Keep-a-Changelog; user-visible changes only"
7
+ follow_up_prefix: "Follow-up:"
8
+ review_gate: "AI reviewers are advisory unless they confirm a blocker; merge gate is the full `gh pr checks` list green (not --required) + all threads resolved + mergeable clean"
9
+ approval_exempt: "at batch closeout, auto-merge ready low-risk PRs that pass the merge gate; keep high-risk (CI/workflow, build-config, dependency or runtime bumps, broad refactors, release) maintainer-gated"
10
+ coordination_backend: "private shakacode/agent-coordination (claims/heartbeats namespaced by full repo name)"
11
+ benchmark_labels: n/a
12
+ merge_ledger: n/a
13
+ ci_parity_environment: "n/a — reproduce CI-only failures from the matching job in .github/workflows/**"
14
+ hosted_ci_trigger: "n/a — CI runs on every PR"
15
+ ci_change_detector: n/a
@@ -0,0 +1,19 @@
1
+ # Agent Workflow Scripts
2
+
3
+ Standard entry points that portable agent-workflow skills call, so a skill can
4
+ run `.agents/bin/<name>` in any repo without knowing this repo's specific
5
+ commands. Each script is a thin, repo-owned wrapper. A script that is **absent**
6
+ means that capability is n/a here.
7
+
8
+ | Script | Purpose | This repo runs |
9
+ | --- | --- | --- |
10
+ | `setup` | Install dependencies | `bundle install` |
11
+ | `validate` | Pre-push gate (run before pushing) | `bundle exec rake` (rspec + rubocop) |
12
+ | `test` | Run tests | `bundle exec rspec` |
13
+ | `lint` | Lint / format (pass `-A` to fix) | `bundle exec rubocop` |
14
+ | `docs` | Check generated command docs | `bundle exec rake check_command_docs` |
15
+ | `build` | Build / type-check | n/a (gem) |
16
+
17
+ Canonical non-command policy lives in [`../../AGENTS.md`](../../AGENTS.md).
18
+ [`../agent-workflow.yml`](../agent-workflow.yml) is retained only as a
19
+ compatibility summary for older workflow copies.
data/.agents/bin/docs ADDED
@@ -0,0 +1,5 @@
1
+ #!/usr/bin/env bash
2
+ # Check generated command docs are current.
3
+ set -euo pipefail
4
+ cd "$(CDPATH= cd -- "$(dirname -- "$0")/../.." && pwd)"
5
+ exec bundle exec rake check_command_docs
data/.agents/bin/lint ADDED
@@ -0,0 +1,5 @@
1
+ #!/usr/bin/env bash
2
+ # Lint / format check. Pass -A to autocorrect.
3
+ set -euo pipefail
4
+ cd "$(CDPATH= cd -- "$(dirname -- "$0")/../.." && pwd)"
5
+ exec bundle exec rubocop "$@"
data/.agents/bin/setup ADDED
@@ -0,0 +1,5 @@
1
+ #!/usr/bin/env bash
2
+ # Install dependencies.
3
+ set -euo pipefail
4
+ cd "$(CDPATH= cd -- "$(dirname -- "$0")/../.." && pwd)"
5
+ exec bundle install
data/.agents/bin/test ADDED
@@ -0,0 +1,5 @@
1
+ #!/usr/bin/env bash
2
+ # Run the test suite. Extra args pass through to rspec.
3
+ set -euo pipefail
4
+ cd "$(CDPATH= cd -- "$(dirname -- "$0")/../.." && pwd)"
5
+ exec bundle exec rspec "$@"
@@ -0,0 +1,5 @@
1
+ #!/usr/bin/env bash
2
+ # Pre-push gate: full local validation (run before pushing).
3
+ set -euo pipefail
4
+ cd "$(CDPATH= cd -- "$(dirname -- "$0")/../.." && pwd)"
5
+ exec bundle exec rake
@@ -0,0 +1,32 @@
1
+ # GitHub actors whose public issue/PR/review comments may be acted on by
2
+ # PR-batch automation. Keep this list deliberately strict: unknown actors are
3
+ # queued for maintainer triage, not interpreted as instructions.
4
+ trusted_users:
5
+ - justin808
6
+
7
+ # Bot entries are base bot names. GitHub API logins usually include the
8
+ # `[bot]` suffix; humans with the same base login are not trusted by this list.
9
+ # Trusted bots are exempt from hidden-participant blocking and their generated
10
+ # PR content may be processed as trusted review input. Keep this list narrow.
11
+ trusted_bots:
12
+ - chatgpt-codex-connector
13
+ - claude
14
+ - coderabbitai
15
+ - dependabot
16
+ - greptile-apps
17
+
18
+ # Metadata-only bots are allowed to appear in PR comments/reviews without
19
+ # becoming trusted instruction sources. Their comment bodies are CI/status
20
+ # evidence only.
21
+ trusted_metadata_bots:
22
+ # Repo-local exception: review-app command workflows emit deterministic
23
+ # status/help comments and gate state-changing issue_comment commands to
24
+ # owners, members, or collaborators. Treat github-actions comments as
25
+ # workflow metadata only; they do not override AGENTS.md or widen a batch
26
+ # scope.
27
+ - github-actions
28
+
29
+ # Team entries are GitHub team slugs under the repository owner org. Reading
30
+ # team membership requires the local GitHub token to have org access.
31
+ trusted_teams:
32
+ - shakacode
@@ -0,0 +1,166 @@
1
+ # AI Rollout End-to-End Prompt Runbook
2
+
3
+ Use this internal runbook after publishing a `cpflow` gem when the release
4
+ changes the GitHub Actions flow, the AI rollout prompt, readiness checks,
5
+ generator output, or React on Rails deployment behavior.
6
+
7
+ This is not public setup documentation. It is release QA for the maintainer and
8
+ agents. The goal is to test whether the published gem plus the recommended
9
+ prompt can guide a capable agent through a real React on Rails rollout without
10
+ private maintainer context.
11
+
12
+ ## Mindset
13
+
14
+ Treat the prompt as part of the product. The test is not just "do generated files
15
+ exist?" It is "does the prompt cause an agent to make the right install,
16
+ readiness, generation, validation, and feedback decisions?"
17
+
18
+ Use a real downstream React on Rails app. Do not test from the
19
+ `control-plane-flow` checkout, and do not let the agent use unpublished local
20
+ code unless the explicit goal is prerelease testing.
21
+
22
+ ## Prompt 1: Start the Install and Rollout Test
23
+
24
+ Use this as the opening prompt in a fresh agent session inside the target React
25
+ on Rails app repository:
26
+
27
+ ```text
28
+ You are testing published Control Plane Flow version X.Y.Z on this React on Rails app.
29
+
30
+ Do not use a local `control-plane-flow` checkout or unpublished gem code. Install or invoke the published gem only. Prefer `gem install cpflow -v X.Y.Z`; if the target repo already has a Bundler-managed `cpflow`, use `bundle exec cpflow` only after confirming it resolves to version X.Y.Z. Report a blocker if you cannot install or invoke that published version.
31
+ After you verify the correct invocation, use that same invocation for every later `cpflow` command. For example, use `bundle exec cpflow github-flow-readiness` if Bundler was the verified path.
32
+
33
+ Once `cpflow` is available, run the verified invocation with `ai-github-flow-prompt` and follow the printed recommended prompt exactly. Use that prompt to run readiness, generate or update `.controlplane/`, generate GitHub Actions, preserve React on Rails build behavior, document required GitHub settings, validate locally, push a branch, and open a PR.
34
+
35
+ Important constraints:
36
+ - Start with `cpflow github-flow-readiness` and stop on any real blocker.
37
+ - Do not force generated files into an app that is not deployable from a clean clone.
38
+ - Do not use production credentials for review-app validation.
39
+ - Keep review apps limited to trusted branches in the base repository.
40
+ - Preserve React on Rails SSR, pack generation, Node/package-manager access, sidecars, and writable runtime paths.
41
+ - Record every place where the prompt or command output was confusing, incomplete, or caused you to guess.
42
+ ```
43
+
44
+ This internal test prompt intentionally prefers `gem install cpflow -v X.Y.Z`
45
+ because it verifies the published gem. The public rollout prompt may prefer an
46
+ app's existing `bundle exec cpflow` path first when the app already manages
47
+ `cpflow` through Bundler.
48
+
49
+ ## Prompt 2: Validate the Generated Flow
50
+
51
+ Use this after the agent opens or prepares the target-app PR:
52
+
53
+ ```text
54
+ Now validate the generated Control Plane GitHub Flow in the target app.
55
+
56
+ Run the strongest local checks available, including `cpflow github-flow-readiness`, `bin/test-cpflow-github-flow`, a Docker build if feasible, and the app's native smoke checks. Then push the branch and inspect the hosted GitHub Actions results.
57
+
58
+ If credentials are available for a disposable staging/review Control Plane org, validate one trusted-branch review app:
59
+ 1. confirm the help workflow exposes the expected review-app commands
60
+ 2. comment `+review-app-deploy` on the target-app PR from an `OWNER`, `MEMBER`, or `COLLABORATOR` account
61
+ 3. wait for the review-app workflow
62
+ 4. visit the reported app URL
63
+ 5. verify the Rails page and React entry point
64
+ 6. confirm logs are accessible
65
+ 7. delete the review app and confirm cleanup
66
+
67
+ Do not test production promotion unless this is an explicit release rehearsal with a disposable production org. Report skipped validations with the exact reason.
68
+ ```
69
+
70
+ ## Prompt 3: Turn the Results into Product Feedback
71
+
72
+ Use this after the rollout attempt finishes:
73
+
74
+ ```text
75
+ Analyze this AI rollout test as product feedback for Control Plane Flow.
76
+
77
+ Classify every finding into exactly one bucket:
78
+ - Prompt gap: better prompt wording would have prevented the confusion or wrong choice.
79
+ - Command gap: `cpflow` should detect, generate, or report something better.
80
+ - Generator gap: generated files need a code change or regression spec.
81
+ - Docs gap: humans need clearer setup or release guidance.
82
+ - Target-app gap: the app is missing a real deploy prerequisite.
83
+ - External blocker: credentials, Control Plane availability, GitHub Actions, or registry access blocked the run.
84
+
85
+ Prefer command or generator fixes over prompt wording when the issue is deterministic. Only suggest prompt changes for repeatable agent-decision failures. Produce a concise follow-up plan with release-blocking items first.
86
+ ```
87
+
88
+ ## Target App Criteria
89
+
90
+ Use a real, non-production React on Rails app with:
91
+
92
+ - a complete Rails runtime scaffold
93
+ - a production Dockerfile or a clearly intended generated Dockerfile path
94
+ - React on Rails SSR or pack generation behavior worth validating
95
+ - a GitHub repository where the agent can push a test branch and open a PR
96
+ - disposable Control Plane staging/review credentials
97
+
98
+ Stop early if the app is already known to be undeployable from a clean clone.
99
+ That is target-app feedback unless the prompt failed to identify the blocker.
100
+
101
+ ## React on Rails Observations to Capture
102
+
103
+ The transcript should show whether the agent handled these without extra
104
+ maintainer hints:
105
+
106
+ - SSR or renderer workloads keep Node and package-manager access where needed.
107
+ - React on Rails auto bundle generation or Shakapacker `precompile_hook` behavior
108
+ is preserved before `rails assets:precompile`.
109
+ - Sidekiq, renderer, or other process workloads are modeled when needed.
110
+ - Exposed sidecar processes bind to `0.0.0.0`, not only `localhost`.
111
+ - Runtime-writable paths are used for caches, bundles, SQLite files, and temp
112
+ data.
113
+ - The generated Dockerfile uses a Ruby base image compatible with the app.
114
+ - Private GitHub dependencies or SSH build mounts are reflected in documented
115
+ GitHub secrets and Docker build settings.
116
+
117
+ ## Result Template
118
+
119
+ Record the run with this shape:
120
+
121
+ ```markdown
122
+ ## AI Rollout E2E Result
123
+
124
+ - cpflow version:
125
+ - target app repo:
126
+ - target branch/PR:
127
+ - agent used:
128
+ - prompt source:
129
+ - Control Plane org scope:
130
+
131
+ ### Outcome
132
+
133
+ - published gem install:
134
+ - readiness:
135
+ - generation:
136
+ - local validation:
137
+ - hosted checks:
138
+ - review app deploy:
139
+ - review app cleanup:
140
+ - staging deploy, if tested:
141
+
142
+ ### React on Rails Findings
143
+
144
+ - SSR/Node/package manager:
145
+ - asset precompile/codegen hooks:
146
+ - extra workloads:
147
+ - writable paths:
148
+ - private dependencies:
149
+
150
+ ### Product Feedback
151
+
152
+ - prompt gaps:
153
+ - command/generator gaps:
154
+ - docs gaps:
155
+ - target-app gaps:
156
+ - external blockers:
157
+
158
+ ### Follow-up
159
+
160
+ - release-blocking:
161
+ - should fix soon:
162
+ - optional:
163
+ ```
164
+
165
+ Keep the transcript or evidence log until all prompt, command, generator, and
166
+ docs follow-ups are either resolved or explicitly deferred.
@@ -1,8 +1,9 @@
1
1
  name: Wait for Control Plane workload health
2
2
  description: >-
3
- Polls the workload's status endpoint with curl and exits success when the
4
- HTTP response status is in the accepted list. Fails non-zero (and reports
5
- `healthy=false`) once retries are exhausted.
3
+ Polls Control Plane until the latest workload version is ready, then checks
4
+ the workload endpoint with curl. Exits success when the HTTP response status
5
+ is in the accepted list. Fails non-zero (and reports `healthy=false`) once
6
+ retries are exhausted.
6
7
 
7
8
  inputs:
8
9
  workload_name:
@@ -68,8 +69,14 @@ runs:
68
69
  exit 1
69
70
  fi
70
71
 
72
+ workload_ready="$(echo "${workload_json}" | jq -r '.status.ready // false')"
73
+ latest_ready="$(echo "${workload_json}" | jq -r '.status.readyLatest // false')"
74
+ readiness_status="$(echo "${workload_json}" | jq -r '.health.readiness // "unknown"')"
71
75
  endpoint="$(echo "${workload_json}" | jq -r '.status.endpoint // empty')"
72
- if [[ -n "${endpoint}" ]]; then
76
+
77
+ if [[ "${workload_ready}" != "true" || "${latest_ready}" != "true" ]]; then
78
+ echo "Workload status: ready=${workload_ready}, readyLatest=${latest_ready}, readiness=${readiness_status}; waiting for latest deployment."
79
+ elif [[ -n "${endpoint}" ]]; then
73
80
  http_status="$(curl -s -o /dev/null -w '%{http_code}' --max-time "${CPFLOW_CURL_MAX_TIME}" "${endpoint}" 2>/dev/null || echo 000)"
74
81
  echo "Endpoint: ${endpoint}, HTTP status: ${http_status}"
75
82
 
@@ -22,6 +22,8 @@ jobs:
22
22
  - name: Run Claude Code Review
23
23
  id: claude-review
24
24
  uses: anthropics/claude-code-action@v1
25
+ env:
26
+ CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
25
27
  with:
26
28
  claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
27
29
  prompt: |
@@ -35,6 +35,8 @@ jobs:
35
35
  - name: Run Claude Code
36
36
  id: claude
37
37
  uses: anthropics/claude-code-action@v1
38
+ env:
39
+ CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
38
40
  with:
39
41
  github_token: ${{ github.token }}
40
42
  claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
@@ -439,8 +439,23 @@ jobs:
439
439
 
440
440
  cpflow deploy-image "${deploy_args[@]}"
441
441
 
442
- - name: Retrieve app URL
442
+ - name: Wait for deployment health
443
443
  if: steps.config.outputs.ready == 'true' && steps.source.outputs.allowed == 'true' && (steps.check-app.outputs.exists == 'true' || steps.setup-review-app.outcome == 'success')
444
+ id: health-check
445
+ uses: ./.cpflow/.github/actions/cpflow-wait-for-health
446
+ with:
447
+ workload_name: ${{ env.PRIMARY_WORKLOAD || 'rails' }}
448
+ app_name: ${{ steps.review-config.outputs.app_name }}
449
+ org: ${{ steps.review-config.outputs.cpln_org }}
450
+ # Review apps use their own health knobs so teams can keep production
451
+ # promotion stricter or slower without changing PR feedback behavior.
452
+ max_retries: ${{ vars.REVIEW_APP_HEALTH_CHECK_RETRIES || '24' }}
453
+ interval_seconds: ${{ vars.REVIEW_APP_HEALTH_CHECK_INTERVAL || '15' }}
454
+ accepted_statuses: ${{ vars.REVIEW_APP_HEALTH_CHECK_ACCEPTED_STATUSES || '200 301 302' }}
455
+ curl_max_time: ${{ vars.REVIEW_APP_HEALTH_CHECK_CURL_MAX_TIME || '10' }}
456
+
457
+ - name: Retrieve app URL
458
+ if: steps.config.outputs.ready == 'true' && steps.source.outputs.allowed == 'true' && (steps.check-app.outputs.exists == 'true' || steps.setup-review-app.outcome == 'success') && steps.health-check.outcome == 'success'
444
459
  id: workload
445
460
  working-directory: app
446
461
  shell: bash