F3-Nation · sprocktech-dev · Mar 27, 2026 · Mar 6, 2026 · Mar 10, 2026 · Mar 12, 2026
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,42 @@
+{
+  "name": "SyncBot",
+  "dockerComposeFile": "docker-compose.dev.yml",
+  "service": "app",
+  "workspaceFolder": "/app",
+
+  "features": {
+    "ghcr.io/devcontainers/features/aws-cli:1": {}
+  },
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ms-python.python",
+        "ms-python.vscode-pylance",
+        "charliermarsh.ruff"
+      ],
+      "settings": {
+        "python.defaultInterpreterPath": "/usr/local/bin/python",
+        "python.testing.pytestEnabled": true,
+        "python.testing.pytestArgs": ["tests"],
+        "[python]": {
+          "editor.defaultFormatter": "charliermarsh.ruff",
+          "editor.formatOnSave": true
+        }
+      }
+    }
+  },
+
+  "forwardPorts": [3000, 3306],
+
+  "postCreateCommand": "pip install --no-cache-dir boto3 pytest && echo '✅ Dev container ready'",
+
+  "remoteEnv": {
+    "PYTHONPATH": "/app/syncbot",
+    "LOCAL_DEVELOPMENT": "true",
+    "DATABASE_HOST": "db",
+    "DATABASE_USER": "root",
+    "DATABASE_PASSWORD": "rootpass",
+    "DATABASE_SCHEMA": "syncbot"
+  }
+}
diff --git a/.devcontainer/docker-compose.dev.yml b/.devcontainer/docker-compose.dev.yml
@@ -0,0 +1,45 @@
+services:
+  db:
+    image: mysql:8
+    environment:
+      MYSQL_ROOT_PASSWORD: rootpass
+      MYSQL_DATABASE: syncbot
+      MYSQL_ROOT_HOST: "%"
+    ports:
+      - "3306:3306"
+    volumes:
+      - syncbot-db:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  app:
+    build:
+      context: ..
+      dockerfile: Dockerfile
+    command: sleep infinity
+    depends_on:
+      db:
+        condition: service_healthy
+    env_file:
+      - ../.env
+    environment:
+      # Overrides that are always fixed for local dev
+      LOCAL_DEVELOPMENT: "true"
+      DATABASE_BACKEND: ${DATABASE_BACKEND:-mysql}
+      DATABASE_URL: ${DATABASE_URL:-}
+      DATABASE_HOST: ${DATABASE_HOST:-db}
+      DATABASE_USER: ${DATABASE_USER:-root}
+      DATABASE_PASSWORD: ${DATABASE_PASSWORD:-rootpass}
+      DATABASE_SCHEMA: ${DATABASE_SCHEMA:-syncbot}
+      DATABASE_TLS_ENABLED: ${DATABASE_TLS_ENABLED:-false}
+      DATABASE_SSL_CA_PATH: ${DATABASE_SSL_CA_PATH:-/etc/pki/tls/certs/ca-bundle.crt}
+    volumes:
+      - ..:/app:cached
+    ports:
+      - "3000:3000"
+
+volumes:
+  syncbot-db:
diff --git a/.env.example b/.env.example
@@ -0,0 +1,99 @@
+# =============================================================================
+# SyncBot Environment Variables
+# =============================================================================
+# Copy this file to .env and fill in your values:
+#   cp .env.example .env
+#
+# Docker Compose and Dev Containers read .env automatically.
+# For native Python development, source it:  source .env  or  export $(cat .env | xargs)
+
+# -----------------------------------------------------------------------------
+# Database (mysql, postgresql, or sqlite)
+# -----------------------------------------------------------------------------
+# Option A — MySQL (default): legacy vars or DATABASE_URL
+DATABASE_BACKEND=mysql
+DATABASE_HOST=127.0.0.1
+# DATABASE_PORT=3306
+DATABASE_USER=root
+DATABASE_PASSWORD=rootpass
+DATABASE_SCHEMA=syncbot
+# Optional TLS (provider-dependent)
+# DATABASE_TLS_ENABLED=true
+# DATABASE_SSL_CA_PATH=/etc/pki/tls/certs/ca-bundle.crt
+
+# Option B — PostgreSQL: set backend and PostgreSQL vars or DATABASE_URL
+# DATABASE_BACKEND=postgresql
+# DATABASE_HOST=127.0.0.1
+# DATABASE_PORT=5432
+# DATABASE_USER=postgres
+# DATABASE_PASSWORD=postgres
+# DATABASE_SCHEMA=syncbot
+
+# Option C — SQLite (forks / local): set backend and URL only
+# DATABASE_BACKEND=sqlite
+# DATABASE_URL=sqlite:///syncbot.db
+
+# Slack Team ID of the primary workspace. Required for backup/restore to appear.
+# DB reset (when enabled below) is also scoped to this workspace.
+# PRIMARY_WORKSPACE=T0123456789
+
+# When true (and PRIMARY_WORKSPACE matches), show "Reset Database" on the Home tab.
+# ENABLE_DB_RESET=true
+
+# -----------------------------------------------------------------------------
+# Local Development Mode
+# -----------------------------------------------------------------------------
+# This lets you run the app without all the Slack credentials.
+# LOCAL_DEVELOPMENT=true
+
+# -----------------------------------------------------------------------------
+# Slack
+# In cloud deploys these are usually injected by your provider's secret system
+# (AWS/GCP/Azure). Uncomment if running locally with OAuth flow.
+# -----------------------------------------------------------------------------
+# SLACK_BOT_TOKEN=xoxb-your-bot-token
+# SLACK_SIGNING_SECRET=your-signing-secret
+# SLACK_CLIENT_ID=your-client-id
+# SLACK_CLIENT_SECRET=your-client-secret
+# SLACK_BOT_SCOPES — bot OAuth scopes; must match slack-manifest.json oauth_config.scopes.bot (see syncbot/slack_manifest_scopes.py).
+# SLACK_BOT_SCOPES=app_mentions:read,channels:history,channels:join,channels:read,channels:manage,chat:write,chat:write.customize,files:read,files:write,groups:history,groups:read,groups:write,im:write,reactions:read,reactions:write,team:read,users:read,users:read.email
+# SLACK_USER_SCOPES — user OAuth scopes; must match oauth_config.scopes.user and USER_SCOPES in slack_manifest_scopes.py.
+# SLACK_USER_SCOPES=chat:write,channels:history,channels:read,files:read,files:write,groups:history,groups:read,groups:write,im:write,reactions:read,reactions:write,team:read,users:read,users:read.email
+# OAuth state and installation data are stored in the same database (PostgreSQL, MySQL, or SQLite).
+
+# -----------------------------------------------------------------------------
+# Encryption (optional)
+# -----------------------------------------------------------------------------
+# Passphrase for Fernet bot-token encryption at rest.
+# Use any value except "123" to enable encryption.
+# TOKEN_ENCRYPTION_KEY=my-secret-passphrase
+
+# -----------------------------------------------------------------------------
+# Admin Authorization (optional)
+# -----------------------------------------------------------------------------
+# Set to "false" to allow all users to configure syncs (default: true).
+# REQUIRE_ADMIN=true
+
+# -----------------------------------------------------------------------------
+# Logging (optional)
+# -----------------------------------------------------------------------------
+# Log output level: DEBUG, INFO, WARNING, ERROR, or CRITICAL (default: INFO).
+# LOG_LEVEL=INFO
+
+# -----------------------------------------------------------------------------
+# Soft-Delete Retention (optional)
+# -----------------------------------------------------------------------------
+# Number of days to keep soft-deleted workspace data before permanent purge.
+# When a workspace uninstalls the app, its group memberships and syncs are paused.
+# If it reinstalls within this window, everything is restored automatically.
+# SOFT_DELETE_RETENTION_DAYS=30
+
+# -----------------------------------------------------------------------------
+# External Connections (optional, disabled by default)
+# -----------------------------------------------------------------------------
+# Set SYNCBOT_FEDERATION_ENABLED=true to activate external connections.
+# SYNCBOT_INSTANCE_ID is a unique UUID for this instance (auto-generated if not set).
+# SYNCBOT_PUBLIC_URL is the publicly reachable base URL (required for external connections).
+# SYNCBOT_FEDERATION_ENABLED=false
+# SYNCBOT_INSTANCE_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+# SYNCBOT_PUBLIC_URL=https://your-syncbot.example.com
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,25 @@
+---
+name: Bug report
+about: Report something that is not working as expected
+labels: bug
+---
+
+## What happened
+
+<!-- Brief description of the problem -->
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Expected behavior
+
+<!-- What you expected to happen -->
+
+## Environment
+
+- Cloud / deploy: <!-- e.g. AWS SAM, GCP, local Docker -->
+- Database: <!-- e.g. MySQL, PostgreSQL, SQLite -->
+- Browser (if UI-related): <!-- optional -->
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea or improvement
+labels: enhancement
+---
+
+## Problem or use case
+
+<!-- What problem does this solve, or who benefits? -->
+
+## Proposed solution
+
+<!-- How would you like it to work? -->
+
+## Alternatives (optional)
+
+<!-- Other approaches you considered -->
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/syncbot"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      minor-and-patch:
+        update-types: ["minor", "patch"]
+
+  - package-ecosystem: "pip"
+    directory: "/infra/aws/db_setup"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,13 @@
+## Summary
+
+<!-- What does this PR change and why? -->
+
+## How to test
+
+<!-- Steps or scenarios reviewers can run -->
+
+## Checklist
+
+- [ ] CI passes (requirements sync, SAM lint, tests)
+- [ ] Docs updated if behavior or deploy steps changed
+- [ ] No new cloud-provider-specific code under `syncbot/` (keep infra in `infra/` and workflows)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,77 @@
+# PR / branch checks without cloud credentials. Deploy workflows stay in deploy-*.yml.
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main, test, prod]
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  requirements-sync:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref || github.ref_name }}
+          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install Poetry and export plugin
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry
+          poetry self add poetry-plugin-export
+      - name: Sync requirements.txt with poetry.lock
+        env:
+          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+        run: |
+          poetry export -f requirements.txt --without-hashes -o syncbot/requirements.txt
+          if git diff --quiet syncbot/requirements.txt; then
+            echo "requirements.txt is already in sync."
+          elif [[ -n "${PR_HEAD_REPO}" && "${PR_HEAD_REPO}" != "${GITHUB_REPOSITORY}" ]]; then
+            echo "::error::syncbot/requirements.txt is out of sync with poetry.lock. From the repo root run: poetry export -f requirements.txt --without-hashes -o syncbot/requirements.txt"
+            exit 1
+          else
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git add syncbot/requirements.txt
+            git commit -m "chore: sync requirements.txt with poetry.lock"
+            git push
+            echo "::notice::requirements.txt was out of sync and has been auto-fixed."
+          fi
+
+  sam-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - name: sam validate --lint
+        run: |
+          sam validate -t infra/aws/template.yaml --lint
+          sam validate -t infra/aws/template.bootstrap.yaml --lint
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry
+          poetry install --with dev
+      # Infra + deploy-script smoke tests (fast). Use `poetry run pytest` locally for the full suite.
+      - name: pytest (infra & deploy scripts)
+        run: poetry run pytest -q tests/test_deploy_script_syntax.py infra/aws/tests infra/gcp/tests