GeorgePearse · GeorgePearse · Mar 29, 2026 · Mar 29, 2026 · Mar 29, 2026 · Mar 29, 2026
diff --git a/.env.example b/.env.example
@@ -4,34 +4,21 @@
 # ==========================================
 # Database Configuration
 # ==========================================
-POSTGRES_DB=genesis
-POSTGRES_USER=genesis
-POSTGRES_PASSWORD=changeme_secure_password
-POSTGRES_PORT=5432
+DATABASE_URL=postgresql://genesis_app:changeme@localhost:5432/genesis
 
 # ==========================================
 # LLM API Keys
 # ==========================================
-# OpenAI API Key (required for OpenAI models)
 OPENAI_API_KEY=sk-your-openai-api-key-here
-
-# Anthropic API Key (required for Claude models)
 ANTHROPIC_API_KEY=sk-ant-your-anthropic-api-key-here
 
 # ==========================================
 # E2B Cloud Sandbox (Optional)
 # ==========================================
-# E2B API Key (required only if using E2B execution backend)
 E2B_API_KEY=your-e2b-api-key-here
 
 # ==========================================
 # Application Settings
 # ==========================================
-# Port for the Genesis Web UI
-GENESIS_WEBUI_PORT=8000
-
-# ==========================================
-# Advanced Database Configuration (Optional)
-# ==========================================
-# Full database URL (alternative to individual postgres settings)
-# DATABASE_URL=postgresql://genesis:password@postgres:5432/genesis
+PORT=8080
+RUST_LOG=info
diff --git a/.factory/settings.json b/.factory/settings.json
@@ -0,0 +1,5 @@
+{
+  "enabledPlugins": {
+    "core@factory-plugins": true
+  }
+}
diff --git a/.gitguardian.yaml b/.gitguardian.yaml
@@ -0,0 +1,13 @@
+# GitGuardian configuration
+# See: https://docs.gitguardian.com/ggshield-docs/reference/gitguardian-yaml
+
+paths-ignore:
+  # Example env file with placeholder values, not real secrets
+  - ".env.example"
+
+  # Terraform files use variable interpolation, not literal secrets
+  - "terraform/*.tf"
+
+  # Test fixtures use ephemeral local containers
+  - "genesis_rust_backend/tests/**"
+  - "**/tests/**"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,126 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  rust-check:
+    name: Rust lint & test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: genesis_rust_backend
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: genesis_rust_backend
+
+      - name: Check formatting
+        run: cargo fmt --check
+
+      - name: Clippy
+        run: cargo clippy -- -D warnings
+
+      - name: Unit tests
+        run: cargo test --lib
+
+      - name: Integration tests (testcontainers)
+        run: cargo test --test db_integration --test memory_tests
+
+  liquibase-validate:
+    name: Validate migrations
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:15
+        env:
+          POSTGRES_DB: genesis_test
+          POSTGRES_USER: genesis
+          POSTGRES_PASSWORD: genesis_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Liquibase
+        run: |
+          wget -q https://github.com/liquibase/liquibase/releases/download/v4.29.2/liquibase-4.29.2.tar.gz
+          mkdir -p /opt/liquibase
+          tar xzf liquibase-4.29.2.tar.gz -C /opt/liquibase
+          echo "/opt/liquibase" >> $GITHUB_PATH
+
+      - name: Validate changelogs
+        working-directory: migrations
+        run: |
+          liquibase \
+            --url="jdbc:postgresql://localhost:5432/genesis_test" \
+            --username=genesis \
+            --password=genesis_test \
+            --changeLogFile=changelogs/db.changelog-master.yaml \
+            validate
+
+      - name: Run migrations
+        working-directory: migrations
+        run: |
+          liquibase \
+            --url="jdbc:postgresql://localhost:5432/genesis_test" \
+            --username=genesis \
+            --password=genesis_test \
+            --changeLogFile=changelogs/db.changelog-master.yaml \
+            update
+
+      - name: Verify full_ddl.sql is in sync
+        run: |
+          # Normalize function: strip version comments and other pg_dump metadata
+          normalize() {
+            sed '/^-- Dumped from database version/d; /^-- Dumped by pg_dump version/d; /^\\restrict/d; /^\\unrestrict/d; /^SELECT pg_catalog/d; /^SET default_table_access_method/d' "$1"
+          }
+          PGPASSWORD=genesis_test pg_dump \
+            -h localhost -p 5432 -U genesis -d genesis_test \
+            --schema-only --no-owner --no-privileges \
+            --exclude-table='databasechangelog*' \
+            > /tmp/full_ddl_generated.sql
+          normalize migrations/full_ddl.sql > /tmp/full_ddl_repo.sql
+          normalize /tmp/full_ddl_generated.sql > /tmp/full_ddl_ci.sql
+          diff -u /tmp/full_ddl_repo.sql /tmp/full_ddl_ci.sql || \
+            (echo "ERROR: migrations/full_ddl.sql is out of sync. Run scripts/export_ddl.sh and commit the result." && exit 1)
+
+  terraform-plan:
+    name: Terraform plan
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    defaults:
+      run:
+        working-directory: terraform
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.9"
+
+      - name: Terraform init
+        run: terraform init -backend=false
+
+      - name: Terraform validate
+        run: terraform validate
+
+      - name: Terraform format check
+        run: terraform fmt -check -recursive
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,179 @@
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'genesis_rust_backend/**'
+      - 'genesis/webui/frontend/**'
+      - 'migrations/**'
+      - 'terraform/**'
+      - '.github/workflows/deploy.yml'
+
+env:
+  PROJECT_ID: openloop-491716
+  REGION: europe-west2
+  REGISTRY: europe-west2-docker.pkg.dev/openloop-491716/genesis
+  SERVICE_NAME: genesis-backend
+
+jobs:
+  build-and-push-backend:
+    name: Build & push backend
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Configure Docker
+        run: gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet
+
+      - name: Build and push
+        working-directory: genesis_rust_backend
+        run: |
+          IMAGE="${{ env.REGISTRY }}/backend:${{ github.sha }}"
+          docker build -t "${IMAGE}" -t "${{ env.REGISTRY }}/backend:latest" .
+          docker push "${IMAGE}"
+          docker push "${{ env.REGISTRY }}/backend:latest"
+
+  build-and-push-frontend:
+    name: Build & push frontend
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Configure Docker
+        run: gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet
+
+      - name: Build and push
+        working-directory: genesis/webui/frontend
+        run: |
+          IMAGE="${{ env.REGISTRY }}/frontend:${{ github.sha }}"
+          docker build -t "${IMAGE}" -t "${{ env.REGISTRY }}/frontend:latest" .
+          docker push "${IMAGE}"
+          docker push "${{ env.REGISTRY }}/frontend:latest"
+
+  migrate:
+    name: Run database migrations
+    runs-on: ubuntu-latest
+    needs: build-and-push-backend
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Install Cloud SQL Proxy
+        run: |
+          curl -o cloud-sql-proxy https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.14.1/cloud-sql-proxy.linux.amd64
+          chmod +x cloud-sql-proxy
+
+      - name: Install Liquibase
+        run: |
+          wget -q https://github.com/liquibase/liquibase/releases/download/v4.29.2/liquibase-4.29.2.tar.gz
+          mkdir -p /opt/liquibase
+          tar xzf liquibase-4.29.2.tar.gz -C /opt/liquibase
+          echo "/opt/liquibase" >> $GITHUB_PATH
+
+      - name: Start Cloud SQL Proxy
+        run: |
+          ./cloud-sql-proxy "${{ secrets.CLOUD_SQL_CONNECTION_NAME }}" \
+            --port 5432 &
+          sleep 5
+
+      - name: Run migrations
+        working-directory: migrations
+        run: |
+          liquibase \
+            --url="jdbc:postgresql://localhost:5432/${{ secrets.DB_NAME }}" \
+            --username="${{ secrets.DB_USER }}" \
+            --password="${{ secrets.DB_PASSWORD }}" \
+            --changeLogFile=changelogs/db.changelog-master.yaml \
+            update
+
+  deploy-backend:
+    name: Deploy backend to Cloud Run
+    runs-on: ubuntu-latest
+    needs: [build-and-push-backend, migrate]
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Deploy backend
+        run: |
+          gcloud run deploy ${{ env.SERVICE_NAME }} \
+            --project=${{ env.PROJECT_ID }} \
+            --region=${{ env.REGION }} \
+            --image="${{ env.REGISTRY }}/backend:${{ github.sha }}" \
+            --platform=managed \
+            --allow-unauthenticated \
+            --service-account=genesis-cloud-run@${{ env.PROJECT_ID }}.iam.gserviceaccount.com \
+            --set-secrets="DATABASE_URL=genesis-database-url:latest,OPENAI_API_KEY=genesis-openai-api-key:latest,ANTHROPIC_API_KEY=genesis-anthropic-api-key:latest" \
+            --set-env-vars="RUST_LOG=info" \
+            --vpc-connector=genesis-connector \
+            --vpc-egress=private-ranges-only \
+            --port=8080 \
+            --cpu=1 \
+            --memory=512Mi \
+            --min-instances=0 \
+            --max-instances=3
+
+  deploy-frontend:
+    name: Deploy frontend to Cloud Run
+    runs-on: ubuntu-latest
+    needs: [build-and-push-frontend, deploy-backend]
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Get backend URL
+        id: backend
+        run: |
+          URL=$(gcloud run services describe ${{ env.SERVICE_NAME }} \
+            --project=${{ env.PROJECT_ID }} \
+            --region=${{ env.REGION }} \
+            --format='value(status.url)')
+          echo "url=${URL}" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy frontend
+        run: |
+          gcloud run deploy genesis-frontend \
+            --project=${{ env.PROJECT_ID }} \
+            --region=${{ env.REGION }} \
+            --image="${{ env.REGISTRY }}/frontend:${{ github.sha }}" \
+            --platform=managed \
+            --allow-unauthenticated \
+            --set-env-vars="BACKEND_URL=${{ steps.backend.outputs.url }}" \
+            --port=8080 \
+            --cpu=1 \
+            --memory=256Mi \
+            --min-instances=0 \
+            --max-instances=2
diff --git a/.gitignore b/.gitignore
@@ -176,3 +176,16 @@ cython_debug/
 .pre-commit-cache/
 results/
 *.log
+
+# Terraform
+terraform/.terraform/
+terraform/*.tfstate
+terraform/*.tfstate.backup
+terraform/.terraform.lock.hcl
+terraform/terraform.tfvars
+
+# Rust
+genesis_rust_backend/target/
+
+# SQLx offline cache (committed intentionally, but gitignore target)
+# genesis_rust_backend/.sqlx/
diff --git a/.mcp.json b/.mcp.json
@@ -4,7 +4,7 @@
       "type": "stdio",
       "command": "python3",
       "args": ["-m", "genesis.mcp_server"],
-      "cwd": "/Users/georgepearse/Genesis"
+      "cwd": "."
     }
   }
 }