create-interview-cockpit 0.29.0 → 0.30.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-interview-cockpit",
-  "version": "0.29.0",
+  "version": "0.30.1",
   "description": "Scaffold a personal AI-powered interview prep cockpit",
   "type": "module",
   "bin": {

package/template/client/src/awsGovernanceIamLab.ts

@@ -0,0 +1,526 @@
+import type { InfraLabWorkspace } from "./types";
+
+// Mirrors the structure of a real `governance-iam` Terraform module
+// (roles, policies, attachments, users, OIDC providers, multi-account
+// `for_each` expansion) but trimmed down so it can run end-to-end
+// against LocalStack inside the Infra Lab runner.
+//
+// What works on LocalStack (free):
+//   - aws_iam_policy / aws_iam_role / *_policy_attachment / aws_iam_user
+//   - aws_iam_openid_connect_provider (object exists, trust is not exercised)
+//
+// What does NOT work realistically on LocalStack (left as plan-only / read):
+//   - real cross-account assume-role via Organizations
+//   - real OIDC federation (Azure DevOps, EKS IRSA, etc.)
+export const AWS_GOVERNANCE_IAM_FILES: Record<string, string> = {
+  "README.md": `# AWS Governance IAM Lab
+
+Practice the *shape* of an enterprise \`governance-iam\` Terraform module
+against LocalStack. You get the same patterns the real module uses:
+
+1. **OIDC providers** (\`aws_iam_openid_connect_provider\`)
+2. **Custom IAM policies** loaded from JSON files in \`policy/\`
+3. **IAM roles** with trust documents from \`assume_role/\`
+4. **Policy attachments** (custom + AWS-managed)
+5. **IAM users** with attachments
+6. **Multi-account expansion** via \`for_each\` keyed as \`account/name\`
+
+## How to run it
+
+In the Infra Lab console, one command at a time:
+
+1. \`terraform init\`
+2. \`terraform validate\`
+3. \`terraform plan -out=tfplan\`
+4. \`terraform apply -auto-approve\`
+5. Inspect with \`terraform state list\` and \`terraform show\`
+6. \`terraform destroy -auto-approve\` when done
+
+## What's real vs simulated
+
+LocalStack accepts the IAM CRUD calls, so all roles/policies/users/attachments
+are actually created. The OIDC providers are stored as objects, but no real
+external identity (Azure DevOps, EKS, GKE) can federate into them here.
+
+For the real federation handshake, you'd point this at a free-tier AWS
+account by replacing the \`endpoints\` block in \`provider.tf\` and giving
+real credentials.
+
+## Multi-account note
+
+LocalStack free tier is single-account, so the two "accounts"
+(\`access\`, \`workload\`) are simulated by provider aliases pointing at the
+same LocalStack endpoint. The \`for_each\` and \`account/name\` key shape is
+the same as in a real Organizations setup — flip the endpoints and you can
+reuse it as-is.
+
+## Suggested experiments
+
+- Add a new JSON file in \`policy/\` and reference it in \`terraform.tfvars\`.
+- Add a new role in \`terraform.tfvars\` and watch the keyspace expand.
+- Change a trust policy in \`assume_role/\` and run \`terraform plan\` to see
+  the in-place update.
+- Try \`terraform plan\` after removing an attachment to learn how detach
+  works without destroying the role.
+`,
+  "provider.tf": `terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+# Two provider aliases simulate the multi-account fan-out used by the real
+# governance-iam module. Both point at the same LocalStack endpoint here;
+# in production they would target different AWS accounts via assume-role.
+provider "aws" {
+  alias                       = "access"
+  region                      = "us-east-1"
+  access_key                  = "test"
+  secret_key                  = "test"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+
+  endpoints {
+    iam = "http://localhost:4566"
+    sts = "http://localhost:4566"
+  }
+}
+
+provider "aws" {
+  alias                       = "workload"
+  region                      = "us-east-1"
+  access_key                  = "test"
+  secret_key                  = "test"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+
+  endpoints {
+    iam = "http://localhost:4566"
+    sts = "http://localhost:4566"
+  }
+}
+`,
+  "variables.tf": `# Logical inputs that mirror the real module. Swap values in
+# terraform.tfvars to re-shape the deployment without touching main.tf.
+
+variable "accounts" {
+  description = "Logical AWS account name -> provider alias key."
+  type        = map(string)
+  default = {
+    access   = "access"
+    workload = "workload"
+  }
+}
+
+variable "policies" {
+  description = "Custom policies to create. Keyed as <account>/<name>."
+  type = map(object({
+    path        = string
+    description = string
+  }))
+  default = {}
+}
+
+variable "roles" {
+  description = "Roles to create. Keyed as <account>/<name>."
+  type = map(object({
+    name                        = string
+    assume_role_policy_file     = string
+    assume_role_policy_variable = map(string)
+    custom_policies             = list(string) # tf_policy_keys to attach
+    managed_policy_arns         = list(string) # AWS-managed ARNs to attach
+  }))
+  default = {}
+}
+
+variable "users" {
+  description = "IAM users to create. Keyed as <account>/<name>."
+  type = map(object({
+    name                = string
+    custom_policies     = list(string)
+    managed_policy_arns = list(string)
+  }))
+  default = {}
+}
+
+variable "oidc_identity" {
+  description = "OIDC providers to register. Keyed as <account>/<label>."
+  type = map(object({
+    account    = string
+    oidc_url   = string
+    audiences  = list(string)
+    thumbprint = list(string)
+  }))
+  default = {}
+}
+`,
+  "local.tf": `# Real governance-iam splits a single declaration into per-account
+# resources. We do the same here; the keys are "<account>/<name>" so a
+# role declared in two accounts becomes two distinct resources.
+locals {
+  account_policies = var.policies
+  account_roles    = var.roles
+  account_users    = var.users
+
+  # Flatten role -> custom policy attachments.
+  custom_role_attachments = merge([
+    for role_key, role in var.roles : {
+      for pol_key in role.custom_policies :
+      "\${role_key}::\${pol_key}" => {
+        tf_role_key   = role_key
+        tf_policy_key = pol_key
+      }
+    }
+  ]...)
+
+  # Flatten role -> AWS-managed policy attachments.
+  managed_role_attachments = merge([
+    for role_key, role in var.roles : {
+      for arn in role.managed_policy_arns :
+      "\${role_key}::\${arn}" => {
+        tf_role_key = role_key
+        policy_arn  = arn
+      }
+    }
+  ]...)
+
+  custom_user_attachments = merge([
+    for user_key, user in var.users : {
+      for pol_key in user.custom_policies :
+      "\${user_key}::\${pol_key}" => {
+        tf_user_key   = user_key
+        tf_policy_key = pol_key
+      }
+    }
+  ]...)
+
+  managed_user_attachments = merge([
+    for user_key, user in var.users : {
+      for arn in user.managed_policy_arns :
+      "\${user_key}::\${arn}" => {
+        tf_user_key = user_key
+        policy_arn  = arn
+      }
+    }
+  ]...)
+}
+`,
+  "main.tf": `# @ref: aws-oidc-provider
+# Trust links so external systems (ADO, EKS, GKE) can federate without
+# storing AWS keys. On LocalStack the object is created but no real JWT
+# is verified against it.
+resource "aws_iam_openid_connect_provider" "oidc" {
+  for_each = var.oidc_identity
+  provider = aws.access
+
+  url             = each.value.oidc_url
+  client_id_list  = each.value.audiences
+  thumbprint_list = each.value.thumbprint
+}
+
+# @ref: aws-custom-policy
+# Custom permission documents loaded from JSON files in ./policy.
+# The split() trick is what the real module uses to derive a name from
+# the "<account>/<group>/<file>.json" key shape.
+resource "aws_iam_policy" "policies" {
+  for_each = local.account_policies
+  provider = aws.access
+
+  name        = split("/", each.key)[1]
+  description = each.value.description
+  policy      = file("\${path.module}/policy/\${each.value.path}")
+}
+
+# @ref: aws-iam-role
+# Trust policy != permission policy. The trust policy answers
+# "who is allowed to become this role?". Permissions come from attachments.
+resource "aws_iam_role" "roles" {
+  for_each = local.account_roles
+  provider = aws.access
+
+  name = each.value.name
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/\${each.value.assume_role_policy_file}",
+    each.value.assume_role_policy_variable,
+  )
+}
+
+# @ref: aws-role-policy-attachment (custom)
+resource "aws_iam_role_policy_attachment" "custom_role_policy" {
+  for_each = local.custom_role_attachments
+  provider = aws.access
+
+  role       = aws_iam_role.roles[each.value.tf_role_key].name
+  policy_arn = aws_iam_policy.policies[each.value.tf_policy_key].arn
+}
+
+# @ref: aws-role-policy-attachment (managed)
+resource "aws_iam_role_policy_attachment" "managed_role_policy" {
+  for_each = local.managed_role_attachments
+  provider = aws.access
+
+  role       = aws_iam_role.roles[each.value.tf_role_key].name
+  policy_arn = each.value.policy_arn
+}
+
+# @ref: aws-iam-user
+# Long-lived identity. Kept as an exercise; modern setups prefer roles
+# + federation, but the real module still supports both.
+resource "aws_iam_user" "users" {
+  for_each = local.account_users
+  provider = aws.access
+
+  name          = each.value.name
+  path          = "/"
+  force_destroy = true
+}
+
+resource "aws_iam_user_policy_attachment" "custom_user_policy" {
+  for_each = local.custom_user_attachments
+  provider = aws.access
+
+  user       = aws_iam_user.users[each.value.tf_user_key].name
+  policy_arn = aws_iam_policy.policies[each.value.tf_policy_key].arn
+}
+
+resource "aws_iam_user_policy_attachment" "managed_user_policy" {
+  for_each = local.managed_user_attachments
+  provider = aws.access
+
+  user       = aws_iam_user.users[each.value.tf_user_key].name
+  policy_arn = each.value.policy_arn
+}
+`,
+  "ado.tf": `# @ref: aws-ado-role
+# Mirrors the real ado.tf: a per-account role assumed by an Azure DevOps
+# pipeline via OIDC, with AdministratorAccess attached. On LocalStack the
+# role exists but the actual federation handshake is not exercised.
+locals {
+  ado_accounts = ["access", "workload"]
+}
+
+resource "aws_iam_role" "ado_role" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  name = "ado-role-\${each.key}"
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/ado-assume-role.json",
+    {
+      account_id  = "000000000000"
+      environment = "lab"
+    },
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ado_admin" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  role       = aws_iam_role.ado_role[each.key].name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource "aws_iam_role" "ado_readonly" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  name = "ado-role-readonly-\${each.key}"
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/ado-assume-role.json",
+    {
+      account_id  = "000000000000"
+      environment = "lab"
+    },
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ado_readonly" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  role       = aws_iam_role.ado_readonly[each.key].name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+`,
+  "outputs.tf": `output "policy_arns" {
+  description = "ARNs of all custom policies that were created."
+  value       = { for k, p in aws_iam_policy.policies : k => p.arn }
+}
+
+output "role_arns" {
+  description = "ARNs of all roles that were created."
+  value       = { for k, r in aws_iam_role.roles : k => r.arn }
+}
+
+output "ado_role_arns" {
+  description = "ARNs of the Azure DevOps deployment roles."
+  value       = { for k, r in aws_iam_role.ado_role : k => r.arn }
+}
+`,
+  "terraform.tfvars": `# Sample data that drives the module. Everything below is what would
+# normally live in variables.<env>.tfvars in the real repo.
+
+policies = {
+  "access/external-dns-policy-v1" = {
+    path        = "external-dns-policy-v1.json"
+    description = "Allows external-dns to manage Route53 records."
+  }
+  "access/cloudwatch-exporter-policy-v1" = {
+    path        = "cloudwatch-exporter-policy-v1.json"
+    description = "Allows the cloudwatch exporter to read metrics."
+  }
+}
+
+roles = {
+  "access/external-dns" = {
+    name                        = "external-dns-role"
+    assume_role_policy_file     = "eks-irsa-assume-role.json"
+    assume_role_policy_variable = {
+      account_id     = "000000000000"
+      oidc_provider  = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+      namespace      = "kube-system"
+      service_account = "external-dns"
+    }
+    custom_policies = [
+      "access/external-dns-policy-v1",
+    ]
+    managed_policy_arns = []
+  }
+  "access/cw-exporter" = {
+    name                        = "cloudwatch-exporter-role"
+    assume_role_policy_file     = "eks-irsa-assume-role.json"
+    assume_role_policy_variable = {
+      account_id     = "000000000000"
+      oidc_provider  = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+      namespace      = "monitoring"
+      service_account = "cloudwatch-exporter"
+    }
+    custom_policies = [
+      "access/cloudwatch-exporter-policy-v1",
+    ]
+    managed_policy_arns = [
+      "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
+    ]
+  }
+}
+
+users = {
+  "access/break-glass" = {
+    name = "break-glass-admin"
+    custom_policies = []
+    managed_policy_arns = [
+      "arn:aws:iam::aws:policy/ReadOnlyAccess",
+    ]
+  }
+}
+
+oidc_identity = {
+  "access/eks-main" = {
+    account    = "access"
+    oidc_url   = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+    audiences  = ["sts.amazonaws.com"]
+    thumbprint = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  }
+  "access/azure-devops" = {
+    account    = "access"
+    oidc_url   = "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000"
+    audiences  = ["api://AzureADTokenExchange"]
+    thumbprint = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  }
+}
+`,
+  "policy/external-dns-policy-v1.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ChangeResourceRecordSets"
+      ],
+      "Resource": "arn:aws:route53:::hostedzone/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+`,
+  "policy/cloudwatch-exporter-policy-v1.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:GetMetricData",
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:ListMetrics",
+        "tag:GetResources"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+`,
+  "assume_role/eks-irsa-assume-role.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::\${account_id}:oidc-provider/\${oidc_provider}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "\${oidc_provider}:sub": "system:serviceaccount:\${namespace}:\${service_account}",
+          "\${oidc_provider}:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+  ]
+}
+`,
+  "assume_role/ado-assume-role.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::\${account_id}:oidc-provider/vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000:aud": "api://AzureADTokenExchange"
+        },
+        "StringLike": {
+          "vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000:sub": "sc://my-org/my-project/\${environment}-*"
+        }
+      }
+    }
+  ]
+}
+`,
+};
+
+export const AWS_GOVERNANCE_IAM_LAB: InfraLabWorkspace = {
+  version: 1,
+  label: "AWS Governance IAM Lab",
+  provider: "aws",
+  executionMode: "localstack",
+  activeFile: "README.md",
+  files: AWS_GOVERNANCE_IAM_FILES,
+};

package/template/client/src/components/GithubActionsLabModal.tsx

@@ -236,18 +236,103 @@ function mapJobStatusToCheck(
   return s;
 }
 
-// Tiny grouped-by-folder list to keep the modal lean.
-function groupByFolder(paths: string[]): { folder: string; files: string[] }[] {
-  const map = new Map<string, string[]>();
-  for (const p of paths) {
-    const idx = p.lastIndexOf("/");
-    const folder = idx === -1 ? "" : p.slice(0, idx);
-    if (!map.has(folder)) map.set(folder, []);
-    map.get(folder)!.push(p);
+interface FileTreeFileNode {
+  type: "file";
+  name: string;
+  path: string;
+}
+
+interface FileTreeFolderNode {
+  type: "folder";
+  displayName: string;
+  path: string;
+  children: FileTreeNode[];
+}
+
+type FileTreeNode = FileTreeFileNode | FileTreeFolderNode;
+
+interface MutableFileTreeFolder {
+  name: string;
+  path: string;
+  files: FileTreeFileNode[];
+  folders: Map<string, MutableFileTreeFolder>;
+}
+
+function sortFileTreeNodes<T extends { name?: string; displayName?: string }>(
+  a: T,
+  b: T,
+) {
+  return (a.displayName ?? a.name ?? "").localeCompare(
+    b.displayName ?? b.name ?? "",
+  );
+}
+
+function getMutableFolderChildren(folder: MutableFileTreeFolder): FileTreeNode[] {
+  const files = [...folder.files].sort(sortFileTreeNodes);
+  const folders = Array.from(folder.folders.values())
+    .map(compactFileTreeFolder)
+    .sort(sortFileTreeNodes);
+  return [...files, ...folders];
+}
+
+function compactFileTreeFolder(
+  folder: MutableFileTreeFolder,
+): FileTreeFolderNode {
+  const names = [folder.name];
+  let current = folder;
+
+  while (current.files.length === 0 && current.folders.size === 1) {
+    const next = Array.from(current.folders.values())[0];
+    names.push(next.name);
+    current = next;
   }
-  return Array.from(map.entries())
-    .sort(([a], [b]) => a.localeCompare(b))
-    .map(([folder, files]) => ({ folder, files: files.sort() }));
+
+  return {
+    type: "folder",
+    displayName: names.join("/"),
+    path: current.path,
+    children: getMutableFolderChildren(current),
+  };
+}
+
+function buildCompactFileTree(paths: string[]): FileTreeNode[] {
+  const root: MutableFileTreeFolder = {
+    name: "",
+    path: "",
+    files: [],
+    folders: new Map(),
+  };
+
+  for (const filePath of paths) {
+    const parts = filePath.split("/").filter(Boolean);
+    if (parts.length === 0) continue;
+
+    let current = root;
+    let currentPath = "";
+    for (let i = 0; i < parts.length - 1; i += 1) {
+      const name = parts[i];
+      currentPath = currentPath ? `${currentPath}/${name}` : name;
+      let next = current.folders.get(name);
+      if (!next) {
+        next = {
+          name,
+          path: currentPath,
+          files: [],
+          folders: new Map(),
+        };
+        current.folders.set(name, next);
+      }
+      current = next;
+    }
+
+    current.files.push({
+      type: "file",
+      name: parts[parts.length - 1],
+      path: filePath,
+    });
+  }
+
+  return getMutableFolderChildren(root);
 }
 
 // ─── Component ───────────────────────────────────────────────────────────
@@ -514,7 +599,7 @@ export default function GithubActionsLabModal() {
 
   // ── File operations ───────────────────────────────────────────────
   const fileOrder = useMemo(() => getGhaLabFileOrder(workspace), [workspace]);
-  const grouped = useMemo(() => groupByFolder(fileOrder), [fileOrder]);
+  const fileTree = useMemo(() => buildCompactFileTree(fileOrder), [fileOrder]);
   const [collapsedFolders, setCollapsedFolders] = useState<Set<string>>(
     () => new Set(),
   );
@@ -1706,6 +1791,159 @@ interface ImportMeta {
         minHeight: MIN_H,
       };
 
+  const renderFileTreeNode = (node: FileTreeNode, depth: number) => {
+    const paddingLeft = 6 + depth * 14;
+
+    if (node.type === "folder") {
+      const collapsed = collapsedFolders.has(node.path);
+      return (
+        <div key={`folder:${node.path || node.displayName}`}>
+          <button
+            onClick={() => toggleFolder(node.path)}
+            onDragOver={(e) => handleFolderDragOver(e, node.path)}
+            onDragLeave={() =>
+              setDragOverFolder((current) =>
+                current === node.path ? null : current,
+              )
+            }
+            onDrop={(e) => handleFolderDrop(e, node.path)}
+            className="flex items-center gap-1 w-full pr-1 py-0.5 text-slate-400 hover:text-slate-200"
+            style={{ paddingLeft }}
+            title="Drop a file here to move it. Hold Option/Alt while dropping to copy."
+          >
+            {collapsed ? (
+              <ChevronRight className="w-3 h-3 shrink-0" />
+            ) : (
+              <ChevronDown className="w-3 h-3 shrink-0" />
+            )}
+            <Folder className="w-3 h-3 shrink-0" />
+            <span
+              className={`truncate rounded px-1 ${
+                dragOverFolder === node.path
+                  ? "bg-amber-500/15 text-amber-200"
+                  : ""
+              }`}
+            >
+              {node.displayName}/
+            </span>
+          </button>
+          {!collapsed &&
+            node.children.map((child) =>
+              renderFileTreeNode(child, depth + 1),
+            )}
+        </div>
+      );
+    }
+
+    const filePath = node.path;
+    return (
+      <div
+        key={`file:${filePath}`}
+        data-selected={selectedFiles.has(filePath)}
+        draggable
+        onDragStart={(e) => handleFileDragStart(e, filePath)}
+        onDragEnd={() => {
+          setDraggingFile(null);
+          setDragOverFolder(null);
+        }}
+        className={`group relative flex items-center gap-1 pr-1 py-0.5 rounded cursor-pointer ${
+          activeFile === filePath
+            ? "bg-amber-500/15 text-amber-200"
+            : selectedFiles.has(filePath)
+              ? "bg-sky-500/10 text-sky-100 hover:bg-sky-500/15"
+              : "text-slate-300 hover:bg-slate-800/40"
+        }`}
+        onClick={() => setActiveFile(filePath)}
+        style={{ paddingLeft }}
+      >
+        {(selectMode || selectedFiles.has(filePath)) && (
+          <input
+            type="checkbox"
+            checked={selectedFiles.has(filePath)}
+            onClick={(e) => e.stopPropagation()}
+            onChange={() => toggleFileSelection(filePath)}
+            className="h-3 w-3 shrink-0 accent-amber-400"
+            title="Select file"
+          />
+        )}
+        <span className="truncate flex-1">{node.name}</span>
+        <button
+          onClick={(e) => {
+            e.stopPropagation();
+            setOpenFileMenu((current) =>
+              current === filePath ? null : filePath,
+            );
+            setBulkMenuOpen(false);
+          }}
+          className="rounded px-1 text-slate-500 opacity-70 hover:bg-slate-800/70 hover:text-amber-200 group-hover:opacity-100"
+          title="File actions"
+        >
+          ⋯
+        </button>
+        {openFileMenu === filePath && (
+          <div
+            onClick={(e) => e.stopPropagation()}
+            className="absolute right-1 top-6 z-40 w-40 overflow-hidden rounded-lg border border-slate-700 bg-slate-950 py-1 text-[11px] shadow-xl"
+          >
+            <button
+              onClick={() => moveFile(filePath)}
+              className="flex w-full items-center gap-2 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
+            >
+              <Pencil className="w-3 h-3 text-amber-300" />
+              Move / rename…
+            </button>
+            <button
+              onClick={() => copyFile(filePath)}
+              className="flex w-full items-center gap-2 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
+            >
+              <Copy className="w-3 h-3 text-sky-300" />
+              Copy to path…
+            </button>
+            <button
+              onClick={() => {
+                toggleFileSelection(filePath);
+                setOpenFileMenu(null);
+              }}
+              className="flex w-full items-center gap-2 border-t border-slate-800 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
+            >
+              <ListChecks className="w-3 h-3 text-amber-300" />
+              {selectedFiles.has(filePath) ? "Deselect" : "Select"}
+            </button>
+            {selectedFileList.length > 1 && selectedFiles.has(filePath) && (
+              <>
+                <button
+                  onClick={() => {
+                    moveFilesToFolder(selectedFileList);
+                    setOpenFileMenu(null);
+                  }}
+                  className="flex w-full items-center gap-2 border-t border-slate-800 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
+                >
+                  Move selected…
+                </button>
+                <button
+                  onClick={() => {
+                    copyFilesToFolder(selectedFileList);
+                    setOpenFileMenu(null);
+                  }}
+                  className="flex w-full items-center gap-2 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
+                >
+                  Copy selected…
+                </button>
+              </>
+            )}
+            <button
+              onClick={() => deleteFile(filePath)}
+              className="flex w-full items-center gap-2 border-t border-slate-800 px-2 py-1.5 text-left text-red-300 hover:bg-red-500/10"
+            >
+              <Trash2 className="w-3 h-3" />
+              Delete
+            </button>
+          </div>
+        )}
+      </div>
+    );
+  };
+
   return (
     <div className="fixed inset-0 z-40 bg-black/40">
       <div
@@ -2021,155 +2259,7 @@ interface ImportMeta {
                   in workspace root • hold Option/Alt to copy
                 </div>
               )}
-              {grouped.map(({ folder, files }) => {
-                const collapsed = collapsedFolders.has(folder);
-                return (
-                  <div key={folder || "root"} className="mb-1">
-                    {folder && (
-                      <button
-                        onClick={() => toggleFolder(folder)}
-                        onDragOver={(e) => handleFolderDragOver(e, folder)}
-                        onDragLeave={() =>
-                          setDragOverFolder((current) =>
-                            current === folder ? null : current,
-                          )
-                        }
-                        onDrop={(e) => handleFolderDrop(e, folder)}
-                        className="flex items-center gap-1 w-full px-1 py-0.5 text-slate-400 hover:text-slate-200"
-                        title="Drop a file here to move it. Hold Option/Alt while dropping to copy."
-                      >
-                        {collapsed ? (
-                          <ChevronRight className="w-3 h-3" />
-                        ) : (
-                          <ChevronDown className="w-3 h-3" />
-                        )}
-                        <Folder className="w-3 h-3" />
-                        <span
-                          className={`truncate rounded px-1 ${
-                            dragOverFolder === folder
-                              ? "bg-amber-500/15 text-amber-200"
-                              : ""
-                          }`}
-                        >
-                          {folder}/
-                        </span>
-                      </button>
-                    )}
-                    {!collapsed &&
-                      files.map((filePath) => (
-                        <div
-                          key={filePath}
-                          data-selected={selectedFiles.has(filePath)}
-                          draggable
-                          onDragStart={(e) => handleFileDragStart(e, filePath)}
-                          onDragEnd={() => {
-                            setDraggingFile(null);
-                            setDragOverFolder(null);
-                          }}
-                          className={`group relative flex items-center gap-1 pl-${folder ? 5 : 1} pr-1 py-0.5 rounded cursor-pointer ${
-                            activeFile === filePath
-                              ? "bg-amber-500/15 text-amber-200"
-                              : selectedFiles.has(filePath)
-                                ? "bg-sky-500/10 text-sky-100 hover:bg-sky-500/15"
-                                : "text-slate-300 hover:bg-slate-800/40"
-                          }`}
-                          onClick={() => setActiveFile(filePath)}
-                          style={{ paddingLeft: folder ? 20 : 6 }}
-                        >
-                          {(selectMode || selectedFiles.has(filePath)) && (
-                            <input
-                              type="checkbox"
-                              checked={selectedFiles.has(filePath)}
-                              onClick={(e) => e.stopPropagation()}
-                              onChange={() => toggleFileSelection(filePath)}
-                              className="h-3 w-3 shrink-0 accent-amber-400"
-                              title="Select file"
-                            />
-                          )}
-                          <span className="truncate flex-1">
-                            {baseName(filePath)}
-                          </span>
-                          <button
-                            onClick={(e) => {
-                              e.stopPropagation();
-                              setOpenFileMenu((current) =>
-                                current === filePath ? null : filePath,
-                              );
-                              setBulkMenuOpen(false);
-                            }}
-                            className="rounded px-1 text-slate-500 opacity-70 hover:bg-slate-800/70 hover:text-amber-200 group-hover:opacity-100"
-                            title="File actions"
-                          >
-                            ⋯
-                          </button>
-                          {openFileMenu === filePath && (
-                            <div
-                              onClick={(e) => e.stopPropagation()}
-                              className="absolute right-1 top-6 z-40 w-40 overflow-hidden rounded-lg border border-slate-700 bg-slate-950 py-1 text-[11px] shadow-xl"
-                            >
-                              <button
-                                onClick={() => moveFile(filePath)}
-                                className="flex w-full items-center gap-2 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
-                              >
-                                <Pencil className="w-3 h-3 text-amber-300" />
-                                Move / rename…
-                              </button>
-                              <button
-                                onClick={() => copyFile(filePath)}
-                                className="flex w-full items-center gap-2 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
-                              >
-                                <Copy className="w-3 h-3 text-sky-300" />
-                                Copy to path…
-                              </button>
-                              <button
-                                onClick={() => {
-                                  toggleFileSelection(filePath);
-                                  setOpenFileMenu(null);
-                                }}
-                                className="flex w-full items-center gap-2 border-t border-slate-800 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
-                              >
-                                <ListChecks className="w-3 h-3 text-amber-300" />
-                                {selectedFiles.has(filePath)
-                                  ? "Deselect"
-                                  : "Select"}
-                              </button>
-                              {selectedFileList.length > 1 &&
-                                selectedFiles.has(filePath) && (
-                                  <>
-                                    <button
-                                      onClick={() => {
-                                        moveFilesToFolder(selectedFileList);
-                                        setOpenFileMenu(null);
-                                      }}
-                                      className="flex w-full items-center gap-2 border-t border-slate-800 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
-                                    >
-                                      Move selected…
-                                    </button>
-                                    <button
-                                      onClick={() => {
-                                        copyFilesToFolder(selectedFileList);
-                                        setOpenFileMenu(null);
-                                      }}
-                                      className="flex w-full items-center gap-2 px-2 py-1.5 text-left text-slate-200 hover:bg-slate-800/70"
-                                    >
-                                      Copy selected…
-                                    </button>
-                                  </>
-                                )}
-                              <button
-                                onClick={() => deleteFile(filePath)}
-                                className="flex w-full items-center gap-2 border-t border-slate-800 px-2 py-1.5 text-left text-red-300 hover:bg-red-500/10"
-                              >
-                                <Trash2 className="w-3 h-3" />
-                                Delete
-                              </button>
-                            </div>
-                          )}
-                        </div>
-                      ))}
-                  </div>
-                );
-              })}
+              {fileTree.map((node) => renderFileTreeNode(node, 0))}
             </div>
           </div>
 

package/template/client/src/components/LabsPanel.tsx

@@ -8,12 +8,15 @@ import {
   parseInfraLabWorkspace,
 } from "../infraLab";
 import {
+  AWS_GOVERNANCE_GHA_LAB,
   DEFAULT_GHA_LAB,
+  EMPTY_GITHUB_GHA_LAB,
   GOVERNANCE_GHA_LAB,
   parseGhaLabWorkspace,
   REACT_VITE_TYPESCRIPT_GHA_LAB,
 } from "../githubActionsLab";
 import { ENTERPRISE_LOCAL_AUTH_LAB } from "../enterpriseLocalLab";
+import { AWS_GOVERNANCE_IAM_LAB } from "../awsGovernanceIamLab";
 import {
   parseFrontendLabWorkspace,
   ISOLATED_MODULE_FEDERATION_LAB,
@@ -672,6 +675,12 @@ export default function LabsPanel() {
                   "Terraform deploys NestJS BFF, OIDC mock, Redis & claims API",
                 onClick: () => openInfraLab(ENTERPRISE_LOCAL_AUTH_LAB),
               },
+              {
+                label: "AWS Governance IAM",
+                description:
+                  "Roles, policies, attachments, users & OIDC mirroring a real governance-iam module on LocalStack",
+                onClick: () => openInfraLab(AWS_GOVERNANCE_IAM_LAB),
+              },
             ]}
             onOpen={openInfraFile}
             openTitle="Open in Infrastructure Lab"
@@ -685,6 +694,12 @@ export default function LabsPanel() {
             origin="github-actions"
             emptyText="Save a GitHub lab to reopen it here"
             newLabMenu={[
+              {
+                label: "Empty GitHub Template",
+                description:
+                  "Minimal repo with blank .github/workflows/ci.yml and CODEOWNERS files",
+                onClick: () => openGhaLab(EMPTY_GITHUB_GHA_LAB),
+              },
               {
                 label: "React Vite TypeScript Starter",
                 description:
@@ -703,6 +718,12 @@ export default function LabsPanel() {
                   "PLF-style mono-repo: CODEOWNERS, PR template, Azure PIM/Policy + AWS IAM deploy workflows, offboarding",
                 onClick: () => openGhaLab(GOVERNANCE_GHA_LAB),
               },
+              {
+                label: "AWS Governance IAM via GitHub Actions",
+                description:
+                  "PR plan + main-branch apply workflows that drive a real Terraform IAM module against LocalStack via a reusable composite action",
+                onClick: () => openGhaLab(AWS_GOVERNANCE_GHA_LAB),
+              },
             ]}
             onOpen={openGhaFile}
             openTitle="Open in GitHub Lab"

package/template/client/src/githubActionsLab.ts

@@ -12,6 +12,7 @@ import type {
   GithubLabRulesetRules,
 } from "./types";
 import { rulesetFromLegacyProtection } from "./codeowners";
+import { AWS_GOVERNANCE_IAM_FILES } from "./awsGovernanceIamLab";
 
 // ─── Default GitHub Lab "org" roster ────────────────────────────────────
 //
@@ -512,6 +513,11 @@ li {
 `,
 };
 
+const EMPTY_GITHUB_LAB_FILES: Record<string, string> = {
+  ".github/workflows/ci.yml": "",
+  ".github/CODEOWNERS": "",
+};
+
 // ─── Platform Governance Template ────────────────────────────────────────
 //
 // Mirrors a real-world "PLF-governance" mono-repo: one repo that owns
@@ -2169,6 +2175,238 @@ Write-Host "\`nDone. DryRun=$DryRun"
 `,
 };
 
+// ─── AWS Governance IAM via GitHub Actions ───────────────────────────────
+//
+// Combines the Infra Lab's `governance-iam` Terraform module with a
+// GitHub-Actions-driven deploy flow that mirrors the real PLF setup, but
+// runs entirely locally via `act` + LocalStack:
+//
+//   - PR opens / updates  → `terraform-pr.yml`  runs `tofu plan`
+//   - merge to main       → `terraform-ci.yml`  runs `tofu apply`
+//   - shared steps live in a composite action `./.github/actions/run-tofu-action`
+//
+// LocalStack is reachable from the act runner container at
+// `host.docker.internal:4566` on macOS / Windows, and via the
+// `--network host` runner override (or the literal IP) on Linux.
+const AWS_IAM_GHA_FILES: Record<string, string> = {
+  "README.md": `# AWS Governance IAM — GitHub Actions Lab
+
+End-to-end mimic of the real PLF \`governance-iam\` deploy flow, but driven
+by **GitHub Actions** (not Azure DevOps) and pointed at **LocalStack**
+instead of real AWS.
+
+## What this lab demonstrates
+
+1. \`PR opens\`        → workflow runs \`tofu plan\` (read-only preview)
+2. \`merge to main\`   → workflow runs \`tofu apply\` (deploy)
+3. **Composite action** \`./.github/actions/run-tofu-action\` factors out the
+   init/plan/apply boilerplate, exactly like the real repo's reusable action.
+4. **Auth** is faked with static \`test\` credentials and a LocalStack
+   endpoint — the *shape* matches \`provider.tf\`'s assume-role pattern.
+
+## How to run it
+
+In the right pane, pick an event + workflow and click **Run**. Useful combos:
+
+- \`pull_request\` + \`terraform-pr.yml\`  → simulates a plan run on a PR
+- \`push\`         + \`terraform-ci.yml\`  → simulates an apply on main
+- \`workflow_dispatch\` + either workflow → manual trigger
+
+You also need LocalStack running on \`localhost:4566\` on your host. The
+runner container reaches it via \`host.docker.internal:4566\`.
+
+## How this maps to the real PLF setup
+
+| Real PLF                              | This lab                                        |
+| ------------------------------------- | ----------------------------------------------- |
+| Azure DevOps pipeline (\`pr.yml\`)      | GitHub Actions workflow \`terraform-pr.yml\`     |
+| Azure DevOps pipeline (\`ci.yml\`)      | GitHub Actions workflow \`terraform-ci.yml\`     |
+| Shared template \`deploy-aws.yml\`      | Composite action \`run-tofu-action\`            |
+| AWS service connection                | Static \`test\` creds + LocalStack endpoint     |
+| Azure OIDC for state backend          | Local state file (no remote backend)            |
+| \`assume_role\` to target accounts     | Single LocalStack account, dual provider alias  |
+
+## File map
+
+- \`.github/workflows/terraform-pr.yml\`   — plan on PR
+- \`.github/workflows/terraform-ci.yml\`   — apply on push to main
+- \`.github/actions/run-tofu-action/\`     — reusable plan/apply steps
+- \`.github/CODEOWNERS\`                   — PR review routing
+- \`terraform/\`                            — full governance-iam module
+`,
+
+  ".github/CODEOWNERS": `# Reviewers auto-requested when terraform/ changes.
+/terraform/        @acme/platform
+/.github/          @acme/platform
+*.md               @acme/docs
+`,
+
+  ".github/pull_request_template.md": `## Summary
+
+<!-- What does this change to the IAM module? -->
+
+## Plan output
+
+\`\`\`
+<!-- Paste the relevant section of \`tofu plan\` here -->
+\`\`\`
+
+## Checklist
+
+- [ ] PR title follows conventional-commit style
+- [ ] \`terraform-pr.yml\` shows a clean plan
+- [ ] No unintended role/policy deletions
+`,
+
+  ".github/workflows/terraform-pr.yml": `name: terraform-pr
+
+# PR-only workflow. Mirrors the real PLF \`pr.yml\`: run a plan, never apply.
+on:
+  pull_request:
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-*.yml"
+      - ".github/actions/run-tofu-action/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Plan IAM module
+        uses: ./.github/actions/run-tofu-action
+        with:
+          working-directory: terraform
+          mode: plan
+`,
+
+  ".github/workflows/terraform-ci.yml": `name: terraform-ci
+
+# Main-branch workflow. Mirrors the real PLF \`ci.yml\`: apply after merge.
+on:
+  push:
+    branches: [main]
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-*.yml"
+      - ".github/actions/run-tofu-action/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Apply IAM module
+        uses: ./.github/actions/run-tofu-action
+        with:
+          working-directory: terraform
+          mode: apply
+`,
+
+  ".github/actions/run-tofu-action/action.yml": `# Reusable composite action — same idea as the real repo's run-tofu-action.
+# Hides the OpenTofu install + init + plan/apply behind a single \`uses:\`.
+
+name: "Run OpenTofu"
+description: "Install OpenTofu, init, then plan or apply against LocalStack."
+
+inputs:
+  working-directory:
+    description: "Folder containing the Terraform/OpenTofu config."
+    required: true
+  mode:
+    description: "Either 'plan' or 'apply'."
+    required: true
+    default: "plan"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install OpenTofu
+      shell: bash
+      run: |
+        curl -fsSL https://get.opentofu.org/install-opentofu.sh -o /tmp/install-opentofu.sh
+        chmod +x /tmp/install-opentofu.sh
+        /tmp/install-opentofu.sh --install-method standalone --skip-verify
+        tofu --version
+
+    - name: Tofu init
+      shell: bash
+      working-directory: \${{ inputs.working-directory }}
+      env:
+        AWS_ACCESS_KEY_ID: test
+        AWS_SECRET_ACCESS_KEY: test
+        AWS_DEFAULT_REGION: us-east-1
+      run: tofu init -input=false
+
+    - name: Tofu plan
+      if: \${{ inputs.mode == 'plan' }}
+      shell: bash
+      working-directory: \${{ inputs.working-directory }}
+      env:
+        AWS_ACCESS_KEY_ID: test
+        AWS_SECRET_ACCESS_KEY: test
+        AWS_DEFAULT_REGION: us-east-1
+      run: tofu plan -input=false -no-color
+
+    - name: Tofu apply
+      if: \${{ inputs.mode == 'apply' }}
+      shell: bash
+      working-directory: \${{ inputs.working-directory }}
+      env:
+        AWS_ACCESS_KEY_ID: test
+        AWS_SECRET_ACCESS_KEY: test
+        AWS_DEFAULT_REGION: us-east-1
+      run: tofu apply -input=false -auto-approve -no-color
+`,
+
+  ".actrc": `# Pin the runner image so installs are reproducible across machines.
+-P ubuntu-latest=catthehacker/ubuntu:act-latest
+--container-architecture linux/amd64
+`,
+
+  // Inline the full governance-iam Terraform module under \`terraform/\` so
+  // the workflows have something real to plan/apply against.
+  ...Object.fromEntries(
+    Object.entries(AWS_GOVERNANCE_IAM_FILES).map(([path, body]) => {
+      // The IAM module assumes provider endpoints point at \`localhost:4566\`,
+      // but the act runner is a separate container and can't reach
+      // \`localhost\` on the host. Rewrite to host.docker.internal so the
+      // workflow run actually succeeds.
+      const rewritten =
+        path === "provider.tf"
+          ? body.replace(
+              /http:\/\/localhost:4566/g,
+              "http://host.docker.internal:4566",
+            )
+          : body;
+      return [`terraform/${path}`, rewritten];
+    }),
+  ),
+};
+
+export const AWS_GOVERNANCE_GHA_LAB: GithubActionsLabWorkspace = {
+  version: 1,
+  label: "AWS Governance IAM via GitHub Actions",
+  activeFile: ".github/workflows/terraform-pr.yml",
+  defaultEvent: "pull_request",
+  defaultWorkflow: ".github/workflows/terraform-pr.yml",
+  files: AWS_IAM_GHA_FILES,
+  ghOrg: DEFAULT_GH_LAB_ORG,
+  rulesets: DEFAULT_GH_LAB_RULESETS,
+  pullRequest: DEFAULT_GH_LAB_PULL_REQUEST,
+};
+
 export const GOVERNANCE_GHA_LAB: GithubActionsLabWorkspace = {
   version: 1,
   label: "Platform Governance Template",
@@ -2202,6 +2440,15 @@ export const REACT_VITE_TYPESCRIPT_GHA_LAB: GithubActionsLabWorkspace = {
   files: REACT_VITE_TYPESCRIPT_FILES,
 };
 
+export const EMPTY_GITHUB_GHA_LAB: GithubActionsLabWorkspace = {
+  version: 1,
+  label: "Empty GitHub Lab Template",
+  activeFile: ".github/workflows/ci.yml",
+  defaultEvent: "push",
+  defaultWorkflow: ".github/workflows/ci.yml",
+  files: EMPTY_GITHUB_LAB_FILES,
+};
+
 // ─── Helpers (mirror infraLab.ts API surface) ────────────────────────────
 
 function cloneGhaLabEnvironment(

package/template/client/tsconfig.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/app.tsx","./src/api.ts","./src/browsersecuritytemplates.ts","./src/enterpriselocallab.ts","./src/ghaconcurrency.ts","./src/githubactionslab.ts","./src/infralab.ts","./src/main.tsx","./src/reactlab.ts","./src/store.ts","./src/types.ts","./src/vite-env.d.ts","./src/components/aisettingsmodal.tsx","./src/components/annotationdialog.tsx","./src/components/browsersecuritylabmodal.tsx","./src/components/canvaslabmodal.tsx","./src/components/chatmessage.tsx","./src/components/chatview.tsx","./src/components/codecontextpanel.tsx","./src/components/codelineannotationpopup.tsx","./src/components/coderunnermodal.tsx","./src/components/deploymentlabmodal.tsx","./src/components/diagramsmodal.tsx","./src/components/docrefmodal.tsx","./src/components/fileattachments.tsx","./src/components/filepickermodal.tsx","./src/components/fileviewermodal.tsx","./src/components/ghaconcurrencypanel.tsx","./src/components/ghahistorypanel.tsx","./src/components/ghajobspanel.tsx","./src/components/gitdiffpanel.tsx","./src/components/gitdiffviewermodal.tsx","./src/components/githubactionslabmodal.tsx","./src/components/infralabmodal.tsx","./src/components/labspanel.tsx","./src/components/linkedconvospicker.tsx","./src/components/markdownrenderer.tsx","./src/components/mermaiddiagram.tsx","./src/components/notesmodal.tsx","./src/components/plotembed.tsx","./src/components/sidebar.tsx","./src/components/textannotator.tsx","./src/components/vizcraftembed.tsx","./src/components/workspaceswitcher.tsx"],"version":"5.9.3"}
+{"root":["./src/app.tsx","./src/api.ts","./src/awsgovernanceiamlab.ts","./src/browsersecuritytemplates.ts","./src/codeowners.ts","./src/enterpriselocallab.ts","./src/ghaconcurrency.ts","./src/githubactionslab.ts","./src/infralab.ts","./src/main.tsx","./src/reactlab.ts","./src/store.ts","./src/types.ts","./src/vite-env.d.ts","./src/components/aisettingsmodal.tsx","./src/components/annotationdialog.tsx","./src/components/browsersecuritylabmodal.tsx","./src/components/canvaslabmodal.tsx","./src/components/chatmessage.tsx","./src/components/chatview.tsx","./src/components/codecontextpanel.tsx","./src/components/codelineannotationpopup.tsx","./src/components/coderunnermodal.tsx","./src/components/deploymentlabmodal.tsx","./src/components/diagramsmodal.tsx","./src/components/docrefmodal.tsx","./src/components/fileattachments.tsx","./src/components/filepickermodal.tsx","./src/components/fileviewermodal.tsx","./src/components/ghaconcurrencypanel.tsx","./src/components/ghahistorypanel.tsx","./src/components/ghajobspanel.tsx","./src/components/gitdiffpanel.tsx","./src/components/gitdiffviewermodal.tsx","./src/components/githubactionslabmodal.tsx","./src/components/infralabmodal.tsx","./src/components/labspanel.tsx","./src/components/linkedconvospicker.tsx","./src/components/markdownrenderer.tsx","./src/components/mermaiddiagram.tsx","./src/components/notesmodal.tsx","./src/components/plotembed.tsx","./src/components/pullrequestpanel.tsx","./src/components/settingspanel.tsx","./src/components/sidebar.tsx","./src/components/textannotator.tsx","./src/components/vizcraftembed.tsx","./src/components/workspaceswitcher.tsx"],"version":"5.9.3"}

package/template/cockpit.json

@@ -1,3 +1,3 @@
 {
-  "version": "0.28.0"
+  "version": "0.30.0"
 }