tailcallhq · KooshaPari · May 2, 2026 · May 2, 2026 · May 2, 2026 · May 2, 2026
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,12 @@
+root = true
+
+[*]
+indent_style = tab
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# Default owner for everything
+* @KooshaPari
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1,11 @@
+github: []
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: "npm/[email protected]"
+community_bridge: # Replace with a single Community Bridge project slug-id
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project slug-e.g.
+custom: # Replace with up to 3 custom sponsorship URLs e.g. ['https://example.com/donate']
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,23 @@
+name: Cargo Deny
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: taiki-e/upload-rust-binary-action@f0d45ae91ee7b8ee928de7a9d04d893a08bcbec6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tool: cargo-deny
+      - name: Check
+        run: cargo deny check --log-level error
diff --git a/.github/workflows/release-attestation.yml b/.github/workflows/release-attestation.yml
@@ -0,0 +1,86 @@
+name: Release Attestation
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+  attestations: write
+
+jobs:
+  build-and-attest:
+    name: Build and Attest (SLSA Build L2)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+    env:
+      CARGO_WORKDIR: .
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo registry and build artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: |
+            . -> target
+
+      - name: Build release artifacts
+        working-directory: ${{ env.CARGO_WORKDIR }}
+        run: |
+          set -euo pipefail
+          cargo build --release --locked --workspace --all-targets
+
+      - name: Stage release artifacts
+        working-directory: ${{ env.CARGO_WORKDIR }}
+        run: |
+          set -euo pipefail
+          mkdir -p release-artifacts
+          # Copy all built executables
+          find target/release -maxdepth 1 -type f -executable \
+            -exec cp -t release-artifacts/ {} + 2>/dev/null || true
+          # Source tarball
+          tar \
+            --exclude='./target' \
+            --exclude='./.git' \
+            --exclude='./release-artifacts' \
+            -czf release-artifacts/source.tar.gz \
+            -C "$GITHUB_WORKSPACE/${{ env.CARGO_WORKDIR }}" .
+          # Build manifest
+          cat > release-artifacts/BUILD_MANIFEST.txt <<EOF
+          # Release Build Manifest
+          repository: ${{ github.repository }}
+          ref:        ${{ github.ref }}
+          sha:        ${{ github.sha }}
+          runner:     ${{ runner.os }}
+          rustc:      $(rustc --version)
+          cargo:      $(cargo --version)
+          built_at:   $(date -u +%Y-%m-%dT%H:%M:%SZ)
+          EOF
+          echo "=== Release artifacts ==="
+          ls -la release-artifacts/
+
+      - name: Upload artifacts for provenance
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-artifacts
+          path: ${{ env.CARGO_WORKDIR }}/release-artifacts/
+          if-no-files-found: warn
+          retention-days: 90
+
+      - name: Attest build provenance (SLSA Build L2)
+        uses: slsa-framework/slsa-github-generator/attest-build-provenance@v1
+        with:
+          artifact-name: release-artifacts
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
@@ -0,0 +1,24 @@
+name: Trufflehog Secrets Scan
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1
+        with:
+          go-version: 'stable'
+      - run: go install github.com/trufflehog/trufflehog/v3@latest
+      - run: trufflehog github --only-verified --no-update
+        env:
+          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,6 @@
+# Phenotype-org standard .gitignore — Node
+# Source: https://github.com/KooshaPari/phenotype-tooling/blob/main/templates/gitignore-node
+
 # Generated by Cargo
 # will have compiled files and executables
 debug/
@@ -35,6 +38,7 @@ jobs/**
 *.new
 .vscode/
 .fastembed_cache/
+.cargo/
 *.log*
 *-dump.json
 *-dump.html
@@ -46,3 +50,24 @@ jobs/**
 node_modules/
 bench/__pycache__
 .ai/
+
+# --- adopted from phenotype-tooling/templates/gitignore-node ---
+.cache/
+.eslintcache
+.idea/
+.npm/
+.parcel-cache/
+.pnp
+.pnp.js
+*.log
+*.swp
+/build/
+/coverage/
+/dist/
+/out/
+lerna-debug.log*
+npm-debug.log*
+pnpm-debug.log*
+Thumbs.db
+yarn-debug.log*
+yarn-error.log*
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,20 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+### Changed
+### Deprecated
+### Removed
+### Fixed
+### Security
+
+## [0.1.0] - YYYY-MM-DD
+
+### Added
+- Initial release
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,133 @@
+# forgecode — CLAUDE.md
+
+> **Fork of [tailcallhq/forgecode](https://github.com/tailcallhq/forgecode).**
+> Phenotype-org additions: `deny.toml` + `cargo-deny.yml` CI bootstrapped 2026-05-01.
+
+---
+
+This repo is a **fork** of the upstream [tailcallhq/forgecode](https://github.com/tailcallhq/forgecode)
+project — an AI-enhanced terminal development environment with ZSH plugin support,
+TUI, and multi-provider LLM integration.
+
+Do not rewrite upstream content. Any changes to upstream-origin files must be
+clearly annotated as Phenotype-org-specific additions.
+
+## Project Overview
+
+| Field | Value |
+|-------|-------|
+| Workspace | Multi-crate (21 internal crates under `crates/`) |
+| Edition | 2024 |
+| Rust version | 1.92 |
+| License | MIT |
+| Upstream | <https://github.com/tailcallhq/forgecode> |
+
+## Phenotype-Org Additions
+
+The following files are Phenotype-org-specific additions (not present in upstream):
+
+- `deny.toml` — cargo-deny configuration
+- `cargo-deny.yml` — GitHub Actions CI workflow for dependency auditing
+
+All other files follow upstream conventions.
+
+## Stack
+
+| Layer | Technology |
+|-------|------------|
+| Runtime | tokio (full, rt-multi-thread, macros, sync, fs, process, signal) |
+| HTTP client | reqwest (rustls, hickory-dns, http2) |
+| Auth | aws-config, aws-sdk-bedrockruntime, google-cloud-auth |
+| CLI | clap 4.6 + clap_complete |
+| TUI | reedline 0.47, rustyline 18, termimad, console |
+| Serialization | serde, serde_json, serde_yml, toml_edit |
+| Diff/patch | dissimilar, similar, strip-ansi-escapes |
+| Search | grep-searcher, fzf-wrapped, ignore |
+| MCP | rmcp (client + SSE + subprocess + streamable-http transports) |
+| Observability | tracing, tracing-subscriber, posthog-rs |
+| Git | gix |
+| Misc | anyhow, thiserror, uuid, chrono, url, is_ci |
+
+## Key Commands
+
+```bash
+# Build (from repo root)
+cargo build --release
+
+# Test
+cargo test --workspace
+
+# Format
+cargo fmt --check
+
+# Lint
+cargo clippy --workspace --all-targets -- -D warnings
+
+# Full quality gate
+cargo fmt --check && cargo clippy --workspace --all-targets -- -D warnings && cargo test --workspace
+```
+
+## Crate Map
+
+```
+crates/
+├── forge_main        # Binary entry point
+├── forge_app        # Application layer
+├── forge_domain     # Domain types & logic
+├── forge_infra      # Infrastructure / adapters
+├── forge_api        # API layer
+├── forge_embed      # Embedded resources
+├── forge_ci         # CI utilities
+├── forge_display    # Display / TUI rendering
+├── forge_fs         # Filesystem operations
+├── forge_repo       # Git repository integration
+├── forge_services   # Service layer
+├── forge_snaps      # Snapshot testing (insta)
+├── forge_spinner    # Spinner / progress UI
+├── forge_stream     # Streaming utilities
+├── forge_template  # Template rendering (handlebars)
+├── forge_tool_macros # Proc-macro helpers
+├── forge_tracker    # Telemetry / tracking
+├── forge_walker     # Directory traversal
+├── forge_json_repair # JSON repair
+├── forge_select     # Interactive selection (fzf)
+├── forge_test_kit   # Test utilities
+├── forge_markdown_stream # Markdown streaming
+├── forge_config     # Configuration handling
+├── forge_eventsource # Event source
+└── forge_eventsource_stream # Event source streaming
+```
+
+## Quality Gates
+
+- `cargo fmt --check` — formatting must pass
+- `cargo clippy --workspace --all-targets -- -D warnings` — zero lints allowed
+- `cargo test --workspace` — all tests must pass
+- `cargo deny check` — dependency audit (configured in `deny.toml`)
+- Snapshot tests via `insta` — review snapshots with `cargo insta review`
+
+## CI / GitHub Actions
+
+- `cargo-deny.yml` runs `cargo deny check advisories licenses` on every PR
+- `deny.toml` defines allowlist rules for crates and licenses
+- Run `cargo deny check` locally before opening PRs
+
+## Git Workflow
+
+```
+origin  = KooshaPari/forgecode     (Phenotype-org fork)
+upstream = tailcallhq/forgecode     (canonical upstream)
+```
+
+Sync from upstream:
+```bash
+git fetch upstream
+git checkout main
+git merge upstream/main
+git push origin main
+```
+
+## Security & Compliance
+
+- `deny.toml` + `cargo-deny.yml` enforce dependency audit (advisories + licenses)
+- `cargo deny check` must pass before merging
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+* @KooshaPari
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,25 @@
+# Contributing
+
+Contributions are welcome! Please follow these guidelines:
+
+## Development Setup
+
+1. Fork the repository
+2. Clone your fork: `git clone https://github.com/<you>/<repo>.git`
+3. Install dependencies
+4. Run tests: follow the repo's test suite
+
+## Code Style
+
+Follow the project's formatting and linting rules. Run `cargo fmt` for Rust projects, or the appropriate linter for your stack.
+
+## Submitting Changes
+
+1. Create a feature branch
+2. Make your changes
+3. Add tests if applicable
+4. Submit a pull request
+
+## Questions
+
+Open an issue for questions or discussions.