Professional GitHub presentation + deploy guide#14
Closed
kiro-agent[bot] wants to merge 42 commits into
Closed
Conversation
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ti-gaming) Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…(Fastify mock), shared types Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…t content+background build, content via Vite IIFE, background via esbuild, manifest copy) Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…SIWE message preview, A-tier success state) Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…o — watchlist, identity, co-signer) Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
….kiro/internal/ (ignored); public docs describe principles without numbers Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ture Feat/monetization architecture Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
feat: scoring specification (tiers, overlay metrics, risk signals, an… Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Feat/public docs sanitization Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Feat/mvp skeleton Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
# Conflicts: # .gitignore Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…, founder-community popup
Security audit results:
- Removed raw numeric signal fields (confidence, *_hours, *_usd, top10_pct, etc)
from consumer ScoreResponse. Partner API is a separate surface.
- Removed client-side thresholds from Overlay.tsx. Now a pure renderer of
server-supplied display strings and ui_flags.
- Split dev manifest.json (localhost origin, 'dev' marker) from manifest.prod.json
(no dev origins, clean name, default_popup).
- Build-time inject of API_BASE via __API_BASE__ / __BUILD_ENV__ defines in
both Vite (content) and esbuild (background/popup).
- Background now attaches Bearer session token to every API call; content
script never touches credentials.
Popup added:
- src/popup/popup.html + index.ts (vanilla TS, no React to keep size small)
- Renders plan badge, usage bar, identity state, founder community link
- Community link is a build-time constant, never fetched from API
Release strategy:
- docs/release-strategy.md (public): 3-phase plan without numbers
- .kiro/steering/release.md: invariants Kiro must preserve going forward
including explicit rejection of invite-only consumer distribution
Build verified:
- dev: manifest 'TruthLayer (dev)', localhost origin, sourcemaps
- prod: manifest 'TruthLayer', only x.com + twitter.com origins, minified,
no localhost strings anywhere in bundles
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
API (apps/api): - Zero-dep HS256 JWT (timing-safe compare) - SIWE verifier (secp256k1 personal_sign recovery via ethereum-cryptography) - SIWS verifier (Ed25519 via @noble/curves + bs58) - Single-use nonces: 10-min TTL, per-triple, only-latest-valid, consume-on-submit - In-memory identity/session stores with Postgres-ready interfaces - Routes: POST /v1/session/anonymous, GET /v1/session, POST /v1/claim/nonce, POST /v1/claim - Category-level errors; no leakage of which defense layer fired - Twitter OAuth behind TwitterVerifier interface (stub for v1) Claim web app (apps/claim-web): - Vanilla TS + Vite, ~8KB gzipped, no wagmi/viem/ethers - Real wallet integration via window.ethereum (EIP-1193) and window.solana - 3-step flow: handle -> wallet -> sign; signed message is always the server-built canonical form (never templated client-side) - localStorage session persistence, refresh-safe mid-flow Extension (apps/extension): - Anonymous session bootstrap on onInstalled/onStartup and worker load - Token stored in chrome.storage.local.tl_session, attached to every API call by the background worker; content script never touches it Shared contract (packages/shared): - Session / claim request+response types - buildClaimMessage() — single source of truth for the canonical message so API and clients cannot desynchronize whitespace Adapters seam (apps/api/src/adapters): - Interface-only stubs for chain / price / social / risk adapters - README documents the mock -> real swap path without leaking provider choices Steering: - .kiro/steering/claim-flow.md: canonical-message, nonce lifecycle, signature verification, session model, never-merge rules Public docs: - docs/data-pipeline.md: what the pipeline consumes at the principle level, without naming providers or internal cache policies Smoke verified (both scripts pass): - apps/api/test-e2e-claim.mjs: wallet keypair -> anonymous session -> nonce -> sign -> A-tier recorded + replay rejected (403) + tampered message rejected (403) - apps/api/test-e2e-session.mjs: anonymous session issuance, snapshot, score with bearer, invalid bearer correctly 401 Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Feat/release hardening Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
feat(identity-auth): self-onboarding claim flow end-to-end Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Self-onboarding: SIWE/SIWS + /claim web app + extension session bootstrap Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Merge pull request #6 from youngboy91-beep/feat/identity-auth-scaffold Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ng to /v1/score Purpose: give the user a one-liner to stand up the full stack and a concrete checklist for hands-on testing. - package.json: add dev:all (api + ext + claim-web via concurrently), dev:claim-web, smoke, typecheck scripts - TESTING.md: surfaces to test, how to report issues, what is known to be incomplete (so users don't file those) - apps/api/scripts/seed-identities.mjs: produces 3 A-tier demo handles against a running API using real signatures (no backdoor) - .github/workflows/ci.yml: build + typecheck + both smoke scripts + response-leak scan + prod-bundle leak scan on every PR to main - apps/api/src/server.ts: /v1/score now consults the identity graph when fixtures miss. A seeded handle returns tier:A / signal:clean with sources=[tl_graph]. Unknown handles still fall through to C with insufficient data. Canonical fixtures (vitalik_research etc.) continue to take priority. Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
chore: testing rig — dev:all, TESTING.md, seed script, CI, graph wiri… Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Early-user feedback: the always-visible overlay under every tweet was perceived as visual noise and actively blocked installs. This rewrites the extension presence on X into a progressive-disclosure UX. Content script (apps/extension/src/content/): - Dot.tsx: 8px inline dot next to the author's @handle, four color states (green/yellow/red/gray) mapped from overlay_signal. Focusable, keyboard-reachable, role='button' with aria-label. - HoverCard.tsx: single globally-positioned floating card. Appears on pointer/focus of the dot, stays when the pointer enters the card, hides after a short delay on leave. Renders tier + three metric cells + explanation + a new external-links block + sources footer. - links.ts: deterministic, build-time URL templates for per-chain wallet scanners (Etherscan, Basescan, Arbiscan, BscScan, Solscan, Tonviewer), portfolio tools (DeBank, Zapper, Arkham), token screeners (DEXScreener, GeckoTerminal, Birdeye) and author profile. URLs are NEVER fetched from the API to prevent a compromised server from redirecting users. - index.tsx: one shared Shadow DOM host for the card (no per-tweet React trees). Scroll / resize hide the card. rAF-debounced mutation observer over the feed with WeakSet per-article guard. - overlay-css.ts: new styles for dot + card + link pills. - Old Overlay.tsx removed (it was the always-visible full-width card). Reference: - reference/dot-hover.html: static HTML demo of the new UX with four tweet shapes + a detached hover-card sample. Steering: - .kiro/steering/overlay-ux.md (inclusion: always): locks in the 'default quiet / progressive disclosure' invariant, one shared hover-card host, links-are-build-time, accessibility rules, performance rules. Never-merge list rejects regressions to the old per-tweet overlay. Testing docs: - TESTING.md: section 3.1 rewritten to describe the new behaviour and what bugs to file against it. Built + typechecked clean. Smoke tests (session / claim) still pass. Content bundle size: 153.75 kB (gzip 49.41 kB), +5 kB vs old overlay for the extra links + card modules — negligible. Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com> Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
feat(overlay): inline dot + hover card with external links block Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
chore: testing rig — dev:all, TESTING.md, seed script, CI, graph → /v1/score Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Merge pull request #10 from youngboy91-beep/feat/testing-rig Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ores - Postgres adapter (pg-identity-store, pg-session-store) with auto-migration - Store interfaces now fully async (Promise-based) - server.ts: conditional DATABASE_URL → Postgres or in-memory fallback - Dockerfile for Railway/Render deploy (multi-stage, 20MB image) - .env.example with all required variables documented - DEPLOY.md: 5-step guide from zero to live (/bin/sh cost on free tiers) - Fixed smoke test assertion (wallets_count >= 1 instead of === 1) - All builds green, typecheck clean, both smoke tests pass Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com> Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…ores - Postgres adapter (pg-identity-store, pg-session-store) with auto-migration - Store interfaces now fully async (Promise-based) - server.ts: conditional DATABASE_URL → Postgres or in-memory fallback - Dockerfile for Railway/Render deploy (multi-stage, 20MB image) - .env.example with all required variables documented - DEPLOY.md: 5-step guide from zero to live (/bin/sh cost on free tiers) - Fixed smoke test assertion (wallets_count >= 1 instead of === 1) - All builds green, typecheck clean, both smoke tests pass Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
- README.md: badges, architecture diagram, feature table, tech stack, security model, project structure, docs index, quick start - DEPLOY.md: complete rewrite — step-by-step with tables, cost breakdown (/bin/sh/mo on free tiers), troubleshooting, scaling roadmap, after-launch checklist Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com> Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
- README.md: badges, architecture diagram, feature table, tech stack, security model, project structure, docs index, quick start - DEPLOY.md: complete rewrite — step-by-step with tables, cost breakdown (/bin/sh/mo on free tiers), troubleshooting, scaling roadmap, after-launch checklist Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…Node - packages/shared: add build script, export dist/index.js for prod - Dockerfile: copy tsconfig.base.json, build shared before api - Runner stage: copy shared/dist/ instead of shared/src/ Verified: docker run → health OK, /v1/score returns correct response. Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
…Node - packages/shared: add build script, export dist/index.js for prod - Dockerfile: copy tsconfig.base.json, build shared before api - Runner stage: copy shared/dist/ instead of shared/src/ Verified: docker run → health OK, /v1/score returns correct response.
- railway.json: Dockerfile-based deploy, healthcheck on /health - apps/claim-web/vercel.json: monorepo build command with shared pkg - .github/workflows/docker.yml: auto-publish to ghcr.io on push to main - README: add Railway/Vercel/Supabase deploy buttons + docker pull instructions User deploy flow is now literally 3 button clicks + 3 env vars. Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
- railway.json: Dockerfile-based deploy, healthcheck on /health - apps/claim-web/vercel.json: monorepo build command with shared pkg - .github/workflows/docker.yml: auto-publish to ghcr.io on push to main - README: add Railway/Vercel/Supabase deploy buttons + docker pull instructions User deploy flow is now literally 3 button clicks + 3 env vars.
PR #13 already merged to main; our branch has the same Postgres/Docker changes plus improvements (shared package build, one-click configs, GHCR workflow, detailed README). Keep our newer versions. Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
PR #13 already merged to main; our branch has the same Postgres/Docker changes plus improvements (shared package build, one-click configs, GHCR workflow, detailed README). Keep our newer versions.
Fixes CI failure: apps/extension and apps/api import from @truthlayer/shared which was sometimes built AFTER the consumers in parallel workspace order. Now we explicitly build shared first. Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
miraekims
pushed a commit
that referenced
this pull request
May 13, 2026
feat: production-ready deploy (supersedes #14)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request was generated by @kiro-agent 👻
Comment with /kiro fix to address specific feedback or /kiro all to address everything.
Learn about Kiro autonomous agent
Professional GitHub presentation
README.md (complete rewrite)
DEPLOY.md (complete rewrite)
Total cost to go live: $5 one-time (Chrome Web Store fee)
Monthly cost: $0 on free tiers.