Skip to content

Professional GitHub presentation + deploy guide#14

Closed
kiro-agent[bot] wants to merge 42 commits into
reference/kol-overlay-mockupfrom
feat/github-showcase
Closed

Professional GitHub presentation + deploy guide#14
kiro-agent[bot] wants to merge 42 commits into
reference/kol-overlay-mockupfrom
feat/github-showcase

Conversation

@kiro-agent

@kiro-agent kiro-agent Bot commented May 11, 2026

Copy link
Copy Markdown

This pull request was generated by @kiro-agent 👻

Comment with /kiro fix to address specific feedback or /kiro all to address everything.
Learn about Kiro autonomous agent


Professional GitHub presentation

README.md (complete rewrite)

  • Tech badges (Chrome Extension, Fastify, Postgres, SIWE, TypeScript)
  • Clear problem/solution statement
  • How it works: dot → hover card → claim flow
  • Feature status table (what's live, what's next, what's planned)
  • ASCII architecture diagram
  • Quick start (3 commands)
  • Full tech stack table
  • Security model explanation
  • Project structure tree
  • Documentation index with links
  • Contributing guidelines

DEPLOY.md (complete rewrite)

  • 5-step guide from zero to live
  • Exact services: Supabase (free) → Railway (free) → Vercel (free) → Chrome Web Store ($5)
  • Every step has: what to click, what to paste, what to verify
  • Cost breakdown table: $0/month until thousands of users
  • Scaling roadmap (0 → 1K → 10K → 50K+)
  • Troubleshooting table for common issues
  • After-launch security checklist

Total cost to go live: $5 one-time (Chrome Web Store fee)

Monthly cost: $0 on free tiers.

kiro and others added 30 commits May 11, 2026 03:12
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ti-gaming)

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…(Fastify mock), shared types

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…t content+background build, content via Vite IIFE, background via esbuild, manifest copy)

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…SIWE message preview, A-tier success state)

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…o — watchlist, identity, co-signer)

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
….kiro/internal/ (ignored); public docs describe principles without numbers

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ture

Feat/monetization architecture
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
feat: scoring specification (tiers, overlay metrics, risk signals, an…
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Feat/public docs sanitization
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Feat/mvp skeleton
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
# Conflicts:
#	.gitignore

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…, founder-community popup

Security audit results:
- Removed raw numeric signal fields (confidence, *_hours, *_usd, top10_pct, etc)
  from consumer ScoreResponse. Partner API is a separate surface.
- Removed client-side thresholds from Overlay.tsx. Now a pure renderer of
  server-supplied display strings and ui_flags.
- Split dev manifest.json (localhost origin, 'dev' marker) from manifest.prod.json
  (no dev origins, clean name, default_popup).
- Build-time inject of API_BASE via __API_BASE__ / __BUILD_ENV__ defines in
  both Vite (content) and esbuild (background/popup).
- Background now attaches Bearer session token to every API call; content
  script never touches credentials.

Popup added:
- src/popup/popup.html + index.ts (vanilla TS, no React to keep size small)
- Renders plan badge, usage bar, identity state, founder community link
- Community link is a build-time constant, never fetched from API

Release strategy:
- docs/release-strategy.md (public): 3-phase plan without numbers
- .kiro/steering/release.md: invariants Kiro must preserve going forward
  including explicit rejection of invite-only consumer distribution

Build verified:
- dev: manifest 'TruthLayer (dev)', localhost origin, sourcemaps
- prod: manifest 'TruthLayer', only x.com + twitter.com origins, minified,
        no localhost strings anywhere in bundles

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
API (apps/api):
- Zero-dep HS256 JWT (timing-safe compare)
- SIWE verifier (secp256k1 personal_sign recovery via ethereum-cryptography)
- SIWS verifier (Ed25519 via @noble/curves + bs58)
- Single-use nonces: 10-min TTL, per-triple, only-latest-valid, consume-on-submit
- In-memory identity/session stores with Postgres-ready interfaces
- Routes: POST /v1/session/anonymous, GET /v1/session,
  POST /v1/claim/nonce, POST /v1/claim
- Category-level errors; no leakage of which defense layer fired
- Twitter OAuth behind TwitterVerifier interface (stub for v1)

Claim web app (apps/claim-web):
- Vanilla TS + Vite, ~8KB gzipped, no wagmi/viem/ethers
- Real wallet integration via window.ethereum (EIP-1193) and window.solana
- 3-step flow: handle -> wallet -> sign; signed message is always the
  server-built canonical form (never templated client-side)
- localStorage session persistence, refresh-safe mid-flow

Extension (apps/extension):
- Anonymous session bootstrap on onInstalled/onStartup and worker load
- Token stored in chrome.storage.local.tl_session, attached to every
  API call by the background worker; content script never touches it

Shared contract (packages/shared):
- Session / claim request+response types
- buildClaimMessage() — single source of truth for the canonical message
  so API and clients cannot desynchronize whitespace

Adapters seam (apps/api/src/adapters):
- Interface-only stubs for chain / price / social / risk adapters
- README documents the mock -> real swap path without leaking provider
  choices

Steering:
- .kiro/steering/claim-flow.md: canonical-message, nonce lifecycle,
  signature verification, session model, never-merge rules

Public docs:
- docs/data-pipeline.md: what the pipeline consumes at the principle
  level, without naming providers or internal cache policies

Smoke verified (both scripts pass):
- apps/api/test-e2e-claim.mjs:
  wallet keypair -> anonymous session -> nonce -> sign -> A-tier recorded
  + replay rejected (403) + tampered message rejected (403)
- apps/api/test-e2e-session.mjs:
  anonymous session issuance, snapshot, score with bearer, invalid bearer
  correctly 401

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Feat/release hardening
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
feat(identity-auth): self-onboarding claim flow end-to-end
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Self-onboarding: SIWE/SIWS + /claim web app + extension session bootstrap
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Merge pull request #6 from youngboy91-beep/feat/identity-auth-scaffold
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ng to /v1/score

Purpose: give the user a one-liner to stand up the full stack and a
concrete checklist for hands-on testing.

- package.json: add dev:all (api + ext + claim-web via concurrently),
  dev:claim-web, smoke, typecheck scripts
- TESTING.md: surfaces to test, how to report issues, what is known to
  be incomplete (so users don't file those)
- apps/api/scripts/seed-identities.mjs: produces 3 A-tier demo handles
  against a running API using real signatures (no backdoor)
- .github/workflows/ci.yml: build + typecheck + both smoke scripts +
  response-leak scan + prod-bundle leak scan on every PR to main
- apps/api/src/server.ts: /v1/score now consults the identity graph
  when fixtures miss. A seeded handle returns tier:A / signal:clean
  with sources=[tl_graph]. Unknown handles still fall through to C
  with insufficient data. Canonical fixtures (vitalik_research etc.)
  continue to take priority.

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
chore: testing rig — dev:all, TESTING.md, seed script, CI, graph wiri…
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Early-user feedback: the always-visible overlay under every tweet was
perceived as visual noise and actively blocked installs. This rewrites
the extension presence on X into a progressive-disclosure UX.

Content script (apps/extension/src/content/):
- Dot.tsx: 8px inline dot next to the author's @handle, four color
  states (green/yellow/red/gray) mapped from overlay_signal. Focusable,
  keyboard-reachable, role='button' with aria-label.
- HoverCard.tsx: single globally-positioned floating card. Appears on
  pointer/focus of the dot, stays when the pointer enters the card,
  hides after a short delay on leave. Renders tier + three metric
  cells + explanation + a new external-links block + sources footer.
- links.ts: deterministic, build-time URL templates for per-chain
  wallet scanners (Etherscan, Basescan, Arbiscan, BscScan, Solscan,
  Tonviewer), portfolio tools (DeBank, Zapper, Arkham), token
  screeners (DEXScreener, GeckoTerminal, Birdeye) and author profile.
  URLs are NEVER fetched from the API to prevent a compromised server
  from redirecting users.
- index.tsx: one shared Shadow DOM host for the card (no per-tweet
  React trees). Scroll / resize hide the card. rAF-debounced mutation
  observer over the feed with WeakSet per-article guard.
- overlay-css.ts: new styles for dot + card + link pills.
- Old Overlay.tsx removed (it was the always-visible full-width card).

Reference:
- reference/dot-hover.html: static HTML demo of the new UX with four
  tweet shapes + a detached hover-card sample.

Steering:
- .kiro/steering/overlay-ux.md (inclusion: always): locks in the
  'default quiet / progressive disclosure' invariant, one shared
  hover-card host, links-are-build-time, accessibility rules,
  performance rules. Never-merge list rejects regressions to the old
  per-tweet overlay.

Testing docs:
- TESTING.md: section 3.1 rewritten to describe the new behaviour and
  what bugs to file against it.

Built + typechecked clean. Smoke tests (session / claim) still pass.
Content bundle size: 153.75 kB (gzip 49.41 kB), +5 kB vs old overlay
for the extra links + card modules — negligible.

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
feat(overlay): inline dot + hover card with external links block
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
chore: testing rig — dev:all, TESTING.md, seed script, CI, graph → /v1/score
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Merge pull request #10 from youngboy91-beep/feat/testing-rig
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ores

- Postgres adapter (pg-identity-store, pg-session-store) with auto-migration
- Store interfaces now fully async (Promise-based)
- server.ts: conditional DATABASE_URL → Postgres or in-memory fallback
- Dockerfile for Railway/Render deploy (multi-stage, 20MB image)
- .env.example with all required variables documented
- DEPLOY.md: 5-step guide from zero to live (/bin/sh cost on free tiers)
- Fixed smoke test assertion (wallets_count >= 1 instead of === 1)
- All builds green, typecheck clean, both smoke tests pass

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
kiro and others added 12 commits May 11, 2026 23:27
…ores

- Postgres adapter (pg-identity-store, pg-session-store) with auto-migration
- Store interfaces now fully async (Promise-based)
- server.ts: conditional DATABASE_URL → Postgres or in-memory fallback
- Dockerfile for Railway/Render deploy (multi-stage, 20MB image)
- .env.example with all required variables documented
- DEPLOY.md: 5-step guide from zero to live (/bin/sh cost on free tiers)
- Fixed smoke test assertion (wallets_count >= 1 instead of === 1)
- All builds green, typecheck clean, both smoke tests pass

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
- README.md: badges, architecture diagram, feature table, tech stack,
  security model, project structure, docs index, quick start
- DEPLOY.md: complete rewrite — step-by-step with tables, cost breakdown
  (/bin/sh/mo on free tiers), troubleshooting, scaling roadmap, after-launch
  checklist

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
- README.md: badges, architecture diagram, feature table, tech stack,
  security model, project structure, docs index, quick start
- DEPLOY.md: complete rewrite — step-by-step with tables, cost breakdown
  (/bin/sh/mo on free tiers), troubleshooting, scaling roadmap, after-launch
  checklist

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…Node

- packages/shared: add build script, export dist/index.js for prod
- Dockerfile: copy tsconfig.base.json, build shared before api
- Runner stage: copy shared/dist/ instead of shared/src/

Verified: docker run → health OK, /v1/score returns correct response.

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…Node

- packages/shared: add build script, export dist/index.js for prod
- Dockerfile: copy tsconfig.base.json, build shared before api
- Runner stage: copy shared/dist/ instead of shared/src/

Verified: docker run → health OK, /v1/score returns correct response.
- railway.json: Dockerfile-based deploy, healthcheck on /health
- apps/claim-web/vercel.json: monorepo build command with shared pkg
- .github/workflows/docker.yml: auto-publish to ghcr.io on push to main
- README: add Railway/Vercel/Supabase deploy buttons + docker pull instructions

User deploy flow is now literally 3 button clicks + 3 env vars.

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
- railway.json: Dockerfile-based deploy, healthcheck on /health
- apps/claim-web/vercel.json: monorepo build command with shared pkg
- .github/workflows/docker.yml: auto-publish to ghcr.io on push to main
- README: add Railway/Vercel/Supabase deploy buttons + docker pull instructions

User deploy flow is now literally 3 button clicks + 3 env vars.
PR #13 already merged to main; our branch has the same Postgres/Docker
changes plus improvements (shared package build, one-click configs,
GHCR workflow, detailed README). Keep our newer versions.

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
PR #13 already merged to main; our branch has the same Postgres/Docker
changes plus improvements (shared package build, one-click configs,
GHCR workflow, detailed README). Keep our newer versions.
Fixes CI failure: apps/extension and apps/api import from
@truthlayer/shared which was sometimes built AFTER the consumers in
parallel workspace order. Now we explicitly build shared first.

Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
miraekims pushed a commit that referenced this pull request May 13, 2026
feat: production-ready deploy (supersedes #14)
@miraekims miraekims closed this May 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants