# SuperSkill Agent Guide

## What This Repo Is

SuperSkill is the human-facing registry and universal installer for reviewed AI-agent capabilities. The OnlyHarness names below are compatibility coordinates for existing data, APIs and clients.
A native harness is a directory with a manifest, prompts, examples, eval cases, permissions, and gates; it is one resource type, not the whole product.

## Dev Commands

```bash
npm install
npm run dev
npm run check
npm run smoke
npm run build
```

Local ports:

| Service | URL |
| --- | --- |
| Web | http://127.0.0.1:5177 |
| API | http://127.0.0.1:8787 |
| Gitea smoke forge | http://127.0.0.1:3000 |

Useful targeted checks:

```bash
npm run typecheck -w @harnesshub/api
npm run typecheck -w @harnesshub/registry-web
npm run typecheck -w onlyharness
npm run check:mcp-registry
npm run check:plugin
npm test -w onlyharness
node packages/harness-cli/dist/hh.mjs doctor
```

## Agent Use

Prefer the CLI for agent loops. The `onlyharness` npm package is published; `npx onlyharness@latest` is the clean-user path for search/suggest/install/run/eval/gate and mixed resource catalog commands.

```bash
npx onlyharness@latest suggest market research --json
npx onlyharness@latest resources search superpowers --json
npx onlyharness@latest resources detail github:obra/superpowers --json
npx onlyharness@latest resources open github:obra/superpowers --json
npx onlyharness@latest resources approve onlyharness:harnesses/deep-market-researcher --workspace acme --collection approved --json
npx onlyharness@latest install harnesses/deep-market-researcher --target claude-code --json
npx onlyharness@latest publish-resource ./agent-tool --name agent-tool --type command_pack --json

npm run build -w onlyharness
node packages/harness-cli/dist/hh.mjs search market research
node packages/harness-cli/dist/hh.mjs resources search superpowers --json
node packages/harness-cli/dist/hh.mjs resources detail github:obra/superpowers --json
node packages/harness-cli/dist/hh.mjs resources open github:obra/superpowers --json
node packages/harness-cli/dist/hh.mjs suggest market research --json
node packages/harness-cli/dist/hh.mjs suggest market research --apply --out suggested-deep-market-researcher --json
node packages/harness-cli/dist/hh.mjs suggest market research --apply --target claude-code --out suggested-deep-market-researcher --adapter-out .claude/skills/deep-market-researcher --json
node packages/harness-cli/dist/hh.mjs install harnesses/deep-market-researcher --target claude-code --json
node packages/harness-cli/dist/hh.mjs pull harnesses/deep-market-researcher --version 0.1.0 --out deep-market-researcher-0.1.0 --json
node packages/harness-cli/dist/hh.mjs mcp-config deep-market-researcher --target claude-desktop --json
node packages/harness-cli/dist/hh.mjs run deep-market-researcher --json
node packages/harness-cli/dist/hh.mjs eval deep-market-researcher --json
node packages/harness-cli/dist/hh.mjs gate --dir deep-market-researcher --json
node packages/harness-cli/dist/hh.mjs gate --dir deep-market-researcher --receipt --json
node packages/harness-cli/dist/hh.mjs audit-setup --json
node packages/harness-cli/dist/hh.mjs benchmark benchmarks/research-discovery.yaml --json
node packages/harness-cli/dist/hh.mjs extract ~/.claude/skills/my-skill --out my-skill-harness --json
node packages/harness-cli/dist/hh.mjs setup @acme --json
node packages/harness-cli/dist/hh.mjs publish workflow.md --org acme --name team-workflow --json
node packages/harness-cli/dist/hh.mjs publish ./team-harness --org acme --name team-harness --json
node packages/harness-cli/dist/hh.mjs publish-resource ./agent-tool --name agent-tool --type command_pack --json
HH_WORKSPACE_TOKEN=<workspace-token> node packages/harness-cli/dist/hh.mjs publish-resource ./agent-tool --workspace acme --name agent-tool --type command_pack --json
HH_WORKSPACE_TOKEN=<workspace-token> node packages/harness-cli/dist/hh.mjs resources search agent-tool --workspace acme --json
HH_WORKSPACE_TOKEN=<workspace-token> node packages/harness-cli/dist/hh.mjs resources detail @acme/agent-tool --json
HH_WORKSPACE_TOKEN=<workspace-token> node packages/harness-cli/dist/hh.mjs workspace setup acme --target claude-code --json
node packages/harness-cli/dist/hh.mjs publish-resource https://github.com/acme/agent-tool.git --path packages/tool --name agent-tool --type command_pack --json
node packages/harness-cli/dist/hh.mjs sync git@github.com:acme/skills.git --org acme --json
node packages/harness-cli/dist/hh.mjs pin deep-market-researcher --json
node packages/harness-cli/dist/hh.mjs outdated deep-market-researcher --json
node packages/harness-cli/dist/hh.mjs update deep-market-researcher --diff --json
```

### SuperSkill internal alpha

- Human-readable docs: `https://superskill.sh/#/superskill/docs`.
- Browser agent guide: `https://superskill.sh/#/superskill/agent-guide`; the raw file remains the full machine contract.

- Public showroom reads: `GET /showroom/capabilities` and `GET /showroom/capabilities/{id}`. They return only public-safe exact-release projections and cannot recommend, download, or activate.
- Public selected shelf: `GET /showroom/selected` lists current intake candidates as `selected_unreviewed`. It is discovery-only; managed recommendation and activation remain blocked until approval.
- The project-local `superskill_local` MCP owns interactive account authorization and protected recommendation, publishing and workspace operations. On the first protected action it opens `#/superskill/connect`, waits for explicit approval and retries the same idempotent action in the same task. Opaque access tokens live only in process memory; a rotating refresh token may live only in the OS credential store for at most 30 days. New plugin config does not inherit environment credentials. `HH_TOKEN` remains non-interactive/paid compatibility only. Never put any credential, browser/device proof or connect secret in tool results, prompts, project files, URL queries, analytics or logs.
- The current checked-in supply is 12 candidates and zero approved items. The approved lane stays empty until dual-client compatibility and human review attestations exist; the separate selected shelf may show those candidates only as review-pending discovery.
- `onlyharness@0.3.1` is the current public transition hotfix, pinned to official npm integrity after publication; it keeps the local browser-auth broker and adds digest-bound anonymous native-harness installation for the public catalog. `0.3.0` is the previous transition release. `0.2.14` and `0.2.18` are known-bad one-link releases. Clean new-client marketplace proof remains a rollout gate.
- SuperSkill is selected automatically and locked on `superskill.sh` and `www.superskill.sh`; query parameters and stored legacy skin choices cannot change the product surface. Legacy human routes redirect here.

Crawler-visible share surfaces live on the website origin, outside `/api`: `/r/{base64url-resource-id}` for latest resources, `/r/{base64url-resource-id}/{version}` for exact releases, `/c/{capability-id}` for managed skills, and `/w/{invite-id}#invite={raw-code}` for private workspace invitations. Matching PNG previews live under `/og/r/*`, `/og/c/*`, and `/og/w/*`. The workspace raw code must remain in the URL fragment and must never enter HTML metadata, image URLs, server logs, or caches.

HTTP API base: `https://superskill.sh/api` (`https://onlyharness.com/api` remains a machine-only compatibility alias).

Core endpoints:

| Method | Path | Purpose |
| --- | --- | --- |
| GET | `/healthz` | API health |
| POST | `/auth/agent/start` | Start a scoped Codex, Claude Code or CLI browser authorization; device proof stays local and browser proof is fragment-only |
| POST | `/auth/agent/browser-bind` | Exchange the fragment proof for a short-lived HttpOnly browser binding and sanitized request context |
| GET | `/auth/agent/context` | Read the bound client, requested scopes and expiry without exposing either proof |
| POST | `/auth/agent/decision` | Confirmed signed-in browser explicitly approves or denies the bound request |
| POST | `/auth/agent/token` | Local broker polls and consumes an approved request for memory-only access plus a rotating refresh credential |
| POST | `/auth/agent/refresh` | Rotate a refresh credential; reuse revokes the whole agent session |
| POST | `/auth/agent/revoke` | Revoke the agent session and all of its access/refresh credentials |
| GET | `/registry?q={terms}` | Search harnesses |
| GET | `/resources?q={terms}` | Search mixed source-aware resources: harnesses, skills, plugins, workflows, MCP servers, configs, guides, runtimes and directories |
| GET | `/resources/{id}` | Resource detail; IDs with `/` must be URL-encoded, e.g. `github%3Aobra%2Fsuperpowers` |
| GET | `/resources/{id}/releases/{version}` | Immutable public hosted-resource detail with exact version, artifact digest, static scan state and actions |
| GET | `/resources/{id}/archive` | Download SuperSkill-hosted resource package archives; listed-but-not-hosted resources return 409 `RESOURCE_ARCHIVE_NOT_HOSTED` |
| GET | `/resources/{id}/releases/{version}/archive` | Download one immutable public hosted-resource release; version and digest headers must match exact detail |
| GET | `/repos/{owner}/{name}/harness` | Manifest, trust, files, example |
| GET | `/repos/{owner}/{name}/security-report` | Static security report for install/apply gating |
| GET | `/repos/{owner}/{name}/archive?version={semver}` | Pull harness files; paid harnesses return 402 until entitled; directory shelf entries return 409 `DIRECTORY_LINK_ONLY`; may include x402 `PAYMENT-REQUIRED` |
| POST | `/repos/{owner}/{name}/star` | Authenticated server-side star/unstar path for browser and agent clients |
| GET/POST | `/repos/{owner}/{name}/thread` | Read or create harness thread posts; POST requires Bearer auth and writes through API |
| POST | `/billing/checkout` | Authenticated manual checkout session for paid harnesses; manual provider only |
| GET | `/billing/receipt?provider_ref={ref}` | Authenticated buyer receipt; read-only, never grants entitlement by itself |
| POST | `/billing/escrow/receipt` | Authenticated buyer settles a reserved `gate_escrow` purchase with a signed gate receipt |
| POST | `/billing/escrow/timeout` | Authenticated buyer refunds an expired reserved `gate_escrow` purchase |
| POST | `/webhooks/payments` | Internal manual payment settlement; requires `HARNESS_WEBHOOK_TOKEN`; idempotent entitlement grant |
| POST | `/receipts` | Verify a signed `hh gate --receipt` payload; side-effect-free, no payment or entitlement mutation |
| GET | `/bounties` | List local bounty work-state; payment truth stays in linked purchases |
| POST | `/bounties` | Authenticated customer creates an `open` bounty |
| POST | `/bounties/{id}/claim` | Authenticated builder claims an open bounty |
| POST | `/bounties/{id}/deliver` | Claimant delivers with a signed passing `hh gate --receipt` |
| POST | `/bounties/{id}/accept` | Customer accepts by matching receipt + `gate_escrow` purchase; marks paid only after escrow capture |
| GET | `/entitlements/check?subject={type:id}&harness={owner/name}` | Bot-facing entitlement check; requires org token with `entitlements:read` scope |
| POST | `/community/invite-code` | Authenticated buyer gets a short-lived signed community gate code after entitlement is verified |
| POST | `/community/verify-code` | Bot verifies a community gate code with a scoped org token before granting Discord/Telegram access |
| GET | `/orgs/{slug}/bundle` | Team setup bundle; requires `ORGS_ENABLED=true` and Bearer org token |
| GET | `/orgs/{slug}/workspace` | Network Neighborhood payload: org-private cards, sanitized audit rows, permission/risk summary |
| POST | `/orgs/{slug}/imports/markdown-to-harness` | Publish org-private markdown harness; requires org token with publish scope |
| POST | `/orgs/{slug}/imports/harness-dir` | Publish verified org-private harness directory after eval/gate; requires org token with publish scope |
| POST | `/workspaces` | Confirmed signed-in user creates or idempotently replays a private/invite-only workspace with owner membership, invite policy and default approved collection |
| GET | `/workspaces/{slug}/workspace` | Workspace catalog payload: private resources, sanitized audit rows, permission/risk summary; requires `WORKSPACES_ENABLED=true` and workspace token or active member session |
| GET/POST | `/workspaces/{slug}/members` | List active members or add/update a member; write requires `member:write` or workspace admin membership |
| DELETE | `/workspaces/{slug}/members/{userId}` | Remove a workspace member; requires `member:write` or workspace admin membership |
| POST | `/workspaces/{slug}/invites` | Create a one-time or bounded invite; raw code is returned once, stored as hash only; requires `invite:write` or workspace admin membership |
| GET/PUT | `/workspaces/{slug}/join-policies` | Read or replace workspace join policies for invite, email domain, Telegram, Discord, entitlement and disabled future paid subscription gates |
| POST | `/workspaces/{slug}/join-code` | Signed-in user mints a short-lived workspace gate code for Telegram/Discord/entitlement verification; does not grant membership |
| POST | `/workspaces/{slug}/join-code/verify` | Bot/admin token verifies a workspace gate code read-only; requires `gate:verify`, `gate:write` or `member:write` |
| POST | `/workspaces/{slug}/join-grants` | Explicitly grants workspace membership after the external gate check passes; requires `gate:write` or `member:write` |
| POST | `/workspaces/{slug}/join` | Join a workspace with an invite code or email-domain policy and authenticated user session |
| GET/PUT | `/workspaces/{slug}/setup-bundle` | Read or update workspace setup bundle snippets; setup installs workspace-hosted packages and writes instructions for approved public resources without inventing workspace archives |
| GET | `/workspaces/{slug}/resources` | Search private workspace resources; accepts workspace token, active member session, or legacy org token as compatibility fallback |
| POST | `/workspaces/{slug}/resources/approve` | Add a public resource to a workspace collection; optional `resourceVersion` + `artifactDigest` freeze an exact hosted release; stores local trust evidence and never grants a Verified badge |
| GET | `/workspaces/{slug}/resources/{id}` | Workspace resource detail; IDs can be short names or `@workspace/name` refs |
| GET | `/workspaces/{slug}/resources/{id}/archive` | Download workspace-hosted resource package archives; no upstream redirect |
| POST | `/workspaces/{slug}/imports/resource-package` | Publish a private hosted agent resource package into a workspace; requires `resource:publish` or legacy publish scope |
| GET/PUT | `/me/storefront` | Authenticated creator storefront profile and referral code management |
| GET | `/storefront/{handle}` | Public creator storefront with referral attribution code |
| POST | `/imports/markdown-to-harness` | Publish markdown as a small unverified scaffold; Bearer token required |
| POST | `/imports/harness-dir` | Publish a verified public native package directory after eval/gate; Bearer token required |
| POST | `/imports/resource-package` | Publish an immutable hosted agent resource release for skills, plugins, workflows, MCP servers, commands, scripts, docs, or source bundles; confirmed Bearer required; static-v2 fail is rejected before durable mutation, pass/warn stays unreviewed and does not imply known runtime risk; no Verified badge |
| POST | `/imports/github-resource` | Read-only GitHub resource classifier; GitHub allowlist, redirect, traversal, symlink and size guardrails apply |
| POST | `/events` | Privacy-safe event write; whitelisted fields only |

MCP endpoint for compatible clients: `https://superskill.sh/mcp`.
Tools: `search_harnesses`, `harness_detail`, `pull_instructions`, `pull_harness`, `search_resources`, `resource_detail`, `resource_use_instructions`, `search_docs`, `publish_markdown_to_harness`, `publish_resource_package`.
`harness_detail` and `pull_instructions` include read-only access/payment state; they must not grant entitlement or return archive files. `pull_harness` and HTTP archive delivery are the file-returning entitlement gates.
Resource tools are source-aware. They can list/open upstream skills, plugins, workflows and MCP servers. Hosted resource packages download through `/resources/{id}/archive`; upstream-only resources stay open-only and must not pretend to have a SuperSkill archive.
OpenAPI is available at `https://superskill.sh/api/openapi.json`.
MCP Registry metadata is available at `https://superskill.sh/server.json`; the `com.onlyharness/registry` identifier remains a compatibility coordinate.
OAuth protected-resource metadata is available at `https://superskill.sh/.well-known/oauth-protected-resource`; it intentionally names no authorization server. The local agent authorization broker above is not advertised as OAuth. `/.well-known/oauth-authorization-server` must return 404 until a separate `/mcp/account` endpoint has passed standards-valid OAuth and clean-client Codex plus Claude verification.
Claude Code compatibility marketplace: `claude plugin marketplace add elvismusli/onlyharness`, then `claude plugin install superskill@superskill`. The one-link installer is primary.
Codex public MCP setup: `codex mcp add superskill --url https://superskill.sh/mcp`. Protected actions use the project-local `superskill_local` broker installed by the universal link.

## Conventions

- Run `npm run check` and `npm run smoke` before commits that change runtime behavior.
- Run `npm run smoke:mcp` for MCP/tool changes and `npm run smoke:x402` for x402/payment-signing changes.
- Use `corepack` only if the repo switches package manager; this repo currently uses npm workspaces.
- Keep docs, `/llms.txt`, API behavior, and CLI behavior synchronized.
- Do not commit `infra/production.env`, tokens, cookies, Supabase service keys, or generated secrets.
- Money movement, auth, publishing, permissions, and entitlements are high-risk; prefer explicit failures over optimistic UI.
- Paid `hh install`/`hh pull` uses `HH_TOKEN`; 402 must exit with code 5 and include checkout/manual-entitlement next steps. `hh install --pay` and `hh pull --pay` may sign x402 with `HH_WALLET_KEY`/`EVM_PRIVATE_KEY`, but must enforce `HH_MAX_PAY_USD` before signing; API archive delivery requires facilitator verify/settle via `X402_FACILITATOR_URL` before wallet entitlement is written.
- Manual checkout is the only enabled checkout provider (`PAYMENT_PROVIDER` unset or `manual`). Unsupported provider config must fail closed before a purchase row is created; x402 is not a checkout provider.
- `/billing/receipt` is read-only buyer evidence keyed by `provider_ref`; it must never create purchases, settle providers, or grant entitlements.
- `hh gate --receipt` signs `{harness, version, resultsHash, verdict, at}` with the local install key at `~/.onlyharness/key` by default. `/receipts` only verifies that signature and must not store prompts, local paths, payments, or entitlements.
- `pricing.model: gate_escrow` must reserve first, not mark paid: provider confirmation creates `reserved` + expiring `escrow_reserved`; `/billing/escrow/receipt` captures only a valid passing receipt and refunds a valid failing receipt; `/billing/escrow/timeout` refunds after expiry.
- Bounties are work-state only: `open -> claimed -> delivered -> paid`. `/bounties/{id}/accept` must verify the delivered receipt, match escrow target/amount/currency, block escrow reuse, and set `paid` only after the linked `gate_escrow` purchase is captured.
- Hosted execution endpoints are not live. `hh run` stays local sample preview only, MCP/HTTP archive routes deliver files, and `pricing.model=per_call` returns `409 HOSTED_EXECUTION_NOT_AVAILABLE` until a partner-backed or first-party runner has passed runtime smoke.
- Payout tooling may create only draft/manual payout ledgers (`payout_runs`, `payout_items`); it must not call payout providers or mark ledger items paid.
- `hh suggest` is the agent-first autopilot path: search, ranked candidate shortlist with trust fields, selected detail trust summary, optional `--pick <rank>`, optional `--apply --out <dir>`. `--apply` must use the same archive semantics as `hh pull`, including paid 402 and directory 409. With `--target cli|claude-code|codex|cursor`, it must run the same adapter/install path as `hh install --target` before recording `applied`.
- `hh install` is the primary user-facing install path: it pulls the harness, may generate adapter files with `--target claude-code|codex|cursor`, and records a privacy-safe `install` event only after local writes succeed. `hh install owner/name --version <semver>` and `hh pull owner/name --version <semver>` request the same `/archive?version=` path; require `snapshot:true` when immutability matters.
- Directory shelf entries use manifest `content.type: directory` and `source.vendor_policy: link-only`; they must stay free, expose `open <url>`, and must not return archive files.
- `/repos/{owner}/{repo}/remixes` is the server-side fork graph for local remix drafts: it may create only free unverified `local/{name}` copies from archive files, must strip `.harnesshub/*`, records a source -> fork edge in `harness_forks`/local state, and must reject paid, org/private, directory, link-only, and `UNSPECIFIED` license sources. Copied fallback recipes must not increment forks.
- Public API payloads must not expose server filesystem paths. Registry/detail may include public forge, SuperSkill GitHub mirror, or upstream URLs only; `/healthz` returns status only; detail `prReview.source=local-demo` is a generated preview, not an open forge PR.
- Category benchmarks are local declared-score comparisons until Owner-authored suites add external measurements; never present `hh benchmark` as an independent LLM quality proof. Add suites under `benchmarks/`; smoke requires at least 3 YAML suites and runs all of them.
- Team `hh setup @org`, `hh install @org/name`, `hh pull @org/name`, `hh publish --org`, and `hh sync <git-url> --org` use `HH_ORG_TOKEN`; org auth/bundles/audit read Supabase service-role tables first, fall back to local JSON for smoke, are feature-flagged by `ORGS_ENABLED`, and must not log raw tokens.
- Network Neighborhood still supports the legacy org token path through `/orgs/{slug}/workspace`; new resource-first workspace catalog flows use `/workspaces/{slug}/...` with `HH_WORKSPACE_TOKEN` for CLI/agent automation or active non-expired workspace membership for web/API, falling back to `HH_ORG_TOKEN` during migration. Workspace tokens may now include `workspace:setup`, `member:write`, `invite:write`, `gate:verify`, `gate:write`, or `workspace:admin`; invite and gate codes must never be logged or stored raw. `hh workspace setup acme --target claude-code` reads `/workspaces/{slug}/setup-bundle`, installs only workspace-hosted packages, and writes instructions for approved public resources without pretending those have workspace archives. Workspace community gates use short-lived signed `ohwj_` codes: `/join-code/verify` is read-only, and only `/join-grants` creates membership after Telegram/Discord/entitlement checks pass. Member `expires_at` fails closed for workspace reads and private archive access; removed members must also lose access immediately. Active `paid_subscription` join policies require `WORKSPACE_SUBSCRIPTIONS_ENABLED=true`; checkout creates only an incomplete receipt, idempotent signed `/webhooks/workspace-subscriptions` drives active/renewed/past_due/canceled/expired access windows without restoring removed/suspended members, and `/subscriptions/sweep` expires ended access without charging money. `hh resources approve onlyharness:harnesses/deep-market-researcher --workspace acme --collection approved` adds a scanned public resource to a workspace collection as local curation only; approval is not a SuperSkill Verified badge, `not_scanned`/`fail` resources must fail closed for installable approval, and workspace archive routes still return 409 when the approved listing is not workspace-hosted. Audit rows must stay sanitized and permission summaries reuse schema risk/resource reports.
- `hh suggest`, `hh install`, `hh eval`, and `hh gate` may record `suggested`, `accepted`, `applied`, `install`, `eval`, or `gate` events; event payloads must stay owner/repo/version/target/client only, never local paths or prompts. `accepted` means the user chose `--apply`; `applied` is recorded only after local files are written.
- `/entitlements/check` is read-only for bots: require a scoped org token, check the explicit `subject`, and never treat the org token itself as a buyer entitlement.
- `/community/invite-code` must only mint codes for the authenticated buyer after a live entitlement check. `/community/verify-code` must HMAC/TTL-check the code, re-check entitlement live, and never trust a subject typed into Telegram chat.
- Verified-install confirms come only from privacy-safe `events` rows with `kind=install`, `client=claude-code`, and a non-anonymous subject.
- Registry `runs` come only from privacy-safe `events` rows with `kind=gate` and `target=passed`; `hh run` sample preview must not increment social counters.
- CLI failures should use documented exit codes and, with `--json`, emit `{ "error", "code", "next" }` to stderr.
- Pulled harnesses include `.harnesshub/source.json`; pinned versions live in `.harnesshub/pin.json`.
- Harness imports must not invent eval scores, licenses, permissions, or runtime proof.

## UI Rules

- The human-facing app on `superskill.sh` is the SuperSkill surface. Win98, Modern and Fans are legacy compatibility skins and must never render on the SuperSkill hostname.
- Legacy compatibility skins may retain their historical visual language only on compatibility paths; SuperSkill uses its own tokens and layouts.
- Auth, payments, permissions, and safety copy should be plain and honest, not playful.

## Where Things Live

| Path | Purpose |
| --- | --- |
| `apps/harness-api` | Fastify API, registry/search/import/MCP/OpenAPI |
| `apps/registry-web` | React + Vite SuperSkill UI plus legacy compatibility skins |
| `packages/harness-cli` | Public `onlyharness` package and `hh` CLI |
| `packages/harness-schema` | Harness manifest validation and risk/security reports |
| `packages/semantic-diff` | Harness semantic diff and PR review text |
| `seed-harnesses` | Built-in public harness catalog |
| `supabase/migrations` | Auth/profile/social/thread database migrations |
| `infra` | Docker/Caddy production and local smoke infra |
| `scripts` | Smoke, seed, deploy, and Gitea proof scripts |
| `docs/plans` | Product and rollout plans |
