ShipSecAI · betterclever · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/.ai/analytics-output-port-design.md b/.ai/analytics-output-port-design.md
@@ -1,6 +1,7 @@
 # Analytics Output Port Design
 
 ## Status: Approved
+
 ## Date: 2025-01-21
 
 ## Problem Statement
@@ -12,6 +13,7 @@ When connecting a component's `rawOutput` (which contains complex nested JSON) t
 3. **Varying schemas**: Different scanner outputs accumulate unique field paths over time
 
 Example error:
+
 ```
 illegal_argument_exception: Limit of total fields [1000] has been exceeded
 ```
@@ -51,6 +53,7 @@ illegal_argument_exception: Limit of total fields [1000] has been exceeded
 ### Document Structure
 
 **Before (PRD design):**
+
 ```json
 {
   "workflow_id": "...",
@@ -69,6 +72,7 @@ illegal_argument_exception: Limit of total fields [1000] has been exceeded
 ```
 
 **After (new design):**
+
 ```json
 {
   "check_id": "DB_RLS_DISABLED",
@@ -97,13 +101,14 @@ illegal_argument_exception: Limit of total fields [1000] has been exceeded
 
 Components should use their existing structured list outputs:
 
-| Component | Port | Type | Notes |
-|-----------|------|------|-------|
-| Nuclei | `results` | `z.array(z.record(z.string(), z.unknown()))` | Scanner + asset_key added |
-| TruffleHog | `results` | `z.array(z.record(z.string(), z.unknown()))` | Scanner + asset_key added |
+| Component        | Port      | Type                                         | Notes                     |
+| ---------------- | --------- | -------------------------------------------- | ------------------------- |
+| Nuclei           | `results` | `z.array(z.record(z.string(), z.unknown()))` | Scanner + asset_key added |
+| TruffleHog       | `results` | `z.array(z.record(z.string(), z.unknown()))` | Scanner + asset_key added |
 | Supabase Scanner | `results` | `z.array(z.record(z.string(), z.unknown()))` | Scanner + asset_key added |
 
 All `results` ports include:
+
 - `scanner`: Scanner identifier (e.g., `'nuclei'`, `'trufflehog'`, `'supabase-scanner'`)
 - `asset_key`: Primary asset identifier from the finding
 - `finding_hash`: Stable hash for deduplication (16-char hex from SHA-256)
@@ -113,6 +118,7 @@ All `results` ports include:
 The `finding_hash` enables tracking findings across workflow runs:
 
 **Generation:**
+
 ```typescript
 import { createHash } from 'crypto';
 
@@ -130,6 +136,7 @@ function generateFindingHash(...fields: (string | undefined | null)[]): string {
 | Supabase Scanner | `check_id + projectRef + resource` |
 
 **Use cases:**
+
 - **New vs recurring**: Is this finding appearing for the first time?
 - **First-seen / last-seen**: When did we first detect this? Is it still present?
 - **Resolution tracking**: Findings that stop appearing may be resolved
@@ -139,19 +146,20 @@ function generateFindingHash(...fields: (string | undefined | null)[]): string {
 
 The indexer automatically adds these fields under `shipsec`:
 
-| Field | Description |
-|-------|-------------|
-| `organization_id` | Organization that owns the workflow |
-| `run_id` | Unique identifier for this workflow execution |
-| `workflow_id` | ID of the workflow definition |
-| `workflow_name` | Human-readable workflow name |
-| `component_id` | Component type (e.g., `core.analytics.sink`) |
-| `node_ref` | Node reference in the workflow graph |
-| `asset_key` | Auto-detected or specified asset identifier |
+| Field             | Description                                   |
+| ----------------- | --------------------------------------------- |
+| `organization_id` | Organization that owns the workflow           |
+| `run_id`          | Unique identifier for this workflow execution |
+| `workflow_id`     | ID of the workflow definition                 |
+| `workflow_name`   | Human-readable workflow name                  |
+| `component_id`    | Component type (e.g., `core.analytics.sink`)  |
+| `node_ref`        | Node reference in the workflow graph          |
+| `asset_key`       | Auto-detected or specified asset identifier   |
 
 ### Querying in OpenSearch
 
 With this structure, users can:
+
 - Filter by organization: `shipsec.organization_id: "org_123"`
 - Filter by workflow: `shipsec.workflow_id: "xxx"`
 - Filter by run: `shipsec.run_id: "xxx"`
@@ -164,11 +172,11 @@ With this structure, users can:
 
 ### Trade-offs
 
-| Decision | Pro | Con |
-|----------|-----|-----|
-| Serialize nested objects | Prevents field explosion | Can't query inside serialized fields |
-| `shipsec` namespace | No field collision | Slightly more verbose queries |
-| No generic schema | Better fit per component | Less consistency across components |
+| Decision                 | Pro                       | Con                                        |
+| ------------------------ | ------------------------- | ------------------------------------------ |
+| Serialize nested objects | Prevents field explosion  | Can't query inside serialized fields       |
+| `shipsec` namespace      | No field collision        | Slightly more verbose queries              |
+| No generic schema        | Better fit per component  | Less consistency across components         |
 | Same timestamp per batch | Accurate (same scan time) | Can't distinguish individual finding times |
 
 ### Implementation Files

diff --git a/.github/workflows/upstream-sync.yml b/.github/workflows/upstream-sync.yml
@@ -0,0 +1,83 @@
+name: Sync upstream main
+
+on:
+  schedule:
+    - cron: "0 9 * * *" # Once daily at 9am UTC
+  workflow_dispatch: # Manual trigger
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Add upstream remote
+        run: |
+          git remote add upstream https://github.com/ShipSecAI/studio.git || true
+          git fetch upstream main
+
+      - name: Check for divergence
+        id: check
+        run: |
+          UPSTREAM_SHA=$(git rev-parse upstream/main)
+          # Check if upstream-sync branch exists on origin
+          if git ls-remote --exit-code origin upstream-sync &>/dev/null; then
+            CURRENT_SHA=$(git rev-parse origin/upstream-sync)
+          else
+            CURRENT_SHA=""
+          fi
+
+          if [ "$UPSTREAM_SHA" = "$CURRENT_SHA" ]; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "No new upstream commits"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+            AHEAD=$(git rev-list --count origin/main..upstream/main)
+            echo "ahead=$AHEAD" >> "$GITHUB_OUTPUT"
+            echo "Upstream is $AHEAD commits ahead"
+          fi
+
+      - name: Push upstream-sync branch
+        if: steps.check.outputs.skip == 'false'
+        run: |
+          git checkout -B upstream-sync upstream/main
+          git push origin upstream-sync --force
+
+      - name: Create or update PR
+        if: steps.check.outputs.skip == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          EXISTING_PR=$(gh pr list --head upstream-sync --base main --state open --json number --jq '.[0].number' 2>/dev/null || echo "")
+
+          if [ -n "$EXISTING_PR" ]; then
+            echo "PR #$EXISTING_PR already exists, updated sync branch"
+            gh pr comment "$EXISTING_PR" --body "Sync branch updated. Upstream is now ${{ steps.check.outputs.ahead }} commits ahead of main."
+          else
+            gh pr create \
+              --head upstream-sync \
+              --base main \
+              --title "sync: merge upstream main" \
+              --body "$(cat <<'EOF'
+Automated sync from [ShipSecAI/studio](https://github.com/ShipSecAI/studio) main.
+
+**${{ steps.check.outputs.ahead }} new upstream commits.**
+
+Review the changes and merge when ready. If there are conflicts, resolve them locally:
+```bash
+git fetch origin upstream-sync main
+git checkout main
+git merge origin/upstream-sync
+# resolve conflicts
+git push origin main
+```
+EOF
+)"
+          fi
diff --git a/.gitignore b/.gitignore
@@ -75,3 +75,17 @@ vite.config.ts.timestamp-*
 .playground/
 .omc/
 MCP_FLOW_TRACE.md
+
+# Terraform / OpenTofu
+.terraform/
+*.tfstate
+*.tfstate.*
+*.tfvars
+*.tfvars.json
+crash.log
+crash.*.log
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraform.lock.hcl.bak
diff --git a/.prettierignore b/.prettierignore
@@ -11,3 +11,9 @@ node_modules/
 
 # Generated files
 *.generated.ts
+
+# Helm templates (Go template syntax is not valid YAML)
+deploy/helm/*/templates/
+
+# GitHub Actions (uses ${{ }} template syntax)
+.github/workflows/
diff --git a/Dockerfile b/Dockerfile
@@ -83,8 +83,8 @@ FROM base AS frontend
 # Frontend build-time configuration
 ARG VITE_AUTH_PROVIDER=local
 ARG VITE_CLERK_PUBLISHABLE_KEY=""
-ARG VITE_API_URL=http://localhost:3211
-ARG VITE_BACKEND_URL=http://localhost:3211
+ARG VITE_API_URL=""
+ARG VITE_BACKEND_URL=""
 ARG VITE_DEFAULT_ORG_ID=local-dev
 ARG VITE_GIT_SHA=unknown
 ARG VITE_PUBLIC_POSTHOG_KEY=""
@@ -125,8 +125,8 @@ FROM base AS frontend-debug
 # Frontend build-time configuration
 ARG VITE_AUTH_PROVIDER=local
 ARG VITE_CLERK_PUBLISHABLE_KEY=""
-ARG VITE_API_URL=http://localhost:3211
-ARG VITE_BACKEND_URL=http://localhost:3211
+ARG VITE_API_URL=""
+ARG VITE_BACKEND_URL=""
 ARG VITE_DEFAULT_ORG_ID=local-dev
 ARG VITE_GIT_SHA=unknown
 ARG VITE_PUBLIC_POSTHOG_KEY=""