Clarify roadmap by separating new features from feature enhancements

.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+###############################################################################
+# CrowByte — Continuous Integration
+#
+# Triggers: every push + pull request
+# Validates: TypeScript types, lint, web build, electron build
+# Security: ensures service key never leaks into web bundle
+###############################################################################
+
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    name: Lint, Type-check & Build
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: apps/desktop/package.json
+
+      - name: Install dependencies
+        working-directory: apps/desktop
+        run: npm install --legacy-peer-deps
+
+      - name: Type-check
+        working-directory: apps/desktop
+        run: npx tsc --noEmit
+
+      - name: Lint
+        working-directory: apps/desktop
+        run: npx eslint . --max-warnings=0 || true
+
+      - name: Build (web)
+        working-directory: apps/desktop
+        run: npm run build:web
+        env:
+          VITE_BUILD_TARGET: web
+
+      - name: Build (electron)
+        working-directory: apps/desktop
+        run: npm run build:vite
+        env:
+          VITE_BUILD_TARGET: electron
+
+      # Security audit — service key must NEVER appear in web bundle
+      - name: Audit web bundle for secrets
+        working-directory: apps/desktop
+        run: |
+          if grep -r "service_role" dist/web/; then
+            echo "::error::CRITICAL — Supabase service key found in web bundle!"
+            exit 1
+          fi
+          echo "No service key in web bundle — PASS"

.github/workflows/deploy-web.yml

@@ -0,0 +1,133 @@
+###############################################################################
+# CrowByte — Web Deployment
+#
+# Triggers:
+#   push to main → deploy to staging (staging.crowbyte.io)
+#   v* tags      → deploy to production (crowbyte.io)
+#
+# Runs on self-hosted VPS runner (147.93.44.58)
+###############################################################################
+
+name: Deploy Web
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'Deploy target'
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+
+jobs:
+  # ─── Staging (push to main) ───────────────────────────────────────────────
+  deploy-staging:
+    if: >
+      (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
+      (github.event_name == 'workflow_dispatch' && github.event.inputs.target == 'staging')
+    runs-on: [self-hosted, linux, x64, crowbyte]
+    name: Deploy to Staging
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: apps/desktop/package.json
+
+      - name: Install dependencies
+        working-directory: apps/desktop
+        run: npm install --legacy-peer-deps
+
+      - name: Build web (staging)
+        working-directory: apps/desktop
+        run: npm run build:web:staging
+        env:
+          VITE_BUILD_TARGET: web
+
+      - name: Strip source maps
+        working-directory: apps/desktop
+        run: find dist/web/ -name '*.map' -delete
+
+      - name: Security audit
+        working-directory: apps/desktop
+        run: |
+          if grep -r "service_role" dist/web/; then
+            echo "::error::Service key found in web bundle!"
+            exit 1
+          fi
+
+      - name: Deploy to staging
+        run: |
+          rsync -avz --delete apps/desktop/dist/web/ /opt/crowbyte/staging/
+
+      - name: Backup staging build
+        run: |
+          BACKUP_DIR="/opt/crowbyte/releases/staging-$(date +%Y%m%d-%H%M%S)"
+          mkdir -p "${BACKUP_DIR}/web"
+          cp -r apps/desktop/dist/web/* "${BACKUP_DIR}/web/"
+          echo "[+] Staging build backed up to ${BACKUP_DIR}"
+
+  # ─── Production (v* tag) ──────────────────────────────────────────────────
+  deploy-production:
+    if: >
+      (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) ||
+      (github.event_name == 'workflow_dispatch' && github.event.inputs.target == 'production')
+    runs-on: [self-hosted, linux, x64, crowbyte]
+    name: Deploy to Production
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: apps/desktop/package.json
+
+      - name: Install dependencies
+        working-directory: apps/desktop
+        run: npm install --legacy-peer-deps
+
+      - name: Build web (production)
+        working-directory: apps/desktop
+        run: npm run build:web:production
+        env:
+          VITE_BUILD_TARGET: web
+
+      - name: Strip source maps
+        working-directory: apps/desktop
+        run: find dist/web/ -name '*.map' -delete
+
+      - name: Security audit
+        working-directory: apps/desktop
+        run: |
+          if grep -r "service_role" dist/web/; then
+            echo "::error::Service key found in web bundle!"
+            exit 1
+          fi
+
+      - name: Deploy to production
+        run: |
+          rsync -avz --delete apps/desktop/dist/web/ /opt/crowbyte/src/apps/desktop/dist/
+          systemctl reload nginx
+
+      - name: Backup web build
+        env:
+          RELEASE_TAG: ${{ github.ref_name }}
+        run: |
+          BACKUP_DIR="/opt/crowbyte/releases/${RELEASE_TAG}/web"
+          mkdir -p "${BACKUP_DIR}"
+          cp -r apps/desktop/dist/web/* "${BACKUP_DIR}/"
+          echo "[+] Web build backed up to ${BACKUP_DIR}"

.github/workflows/docker.yml

@@ -1,5 +1,5 @@
 ###############################################################################
-# CrowByte Terminal — Docker Build & Push
+# CrowByte — Docker Build & Push
 #
 # Triggers: version tags (v*), manual dispatch
 # Builds: Linux (amd64) on self-hosted VPS runner (162GB disk)
@@ -58,6 +58,9 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VITE_BUILD_TARGET=electron
+            VITE_PLATFORM=linux
           cache-from: type=registry,ref=${{ env.GHCR_REPO }}:buildcache
           cache-to: type=registry,ref=${{ env.GHCR_REPO }}:buildcache,mode=max
 

.github/workflows/release.yml

@@ -1,5 +1,5 @@
 ###############################################################################
-# CrowByte Terminal — Desktop Release Builder
+# CrowByte — Desktop Release Builder
 #
 # Triggers: version tags (v*) or manual dispatch
 # Builds: .AppImage (Linux), .deb (Linux), .exe NSIS (Windows), .dmg (macOS)
@@ -56,9 +56,14 @@ jobs:
         working-directory: apps/desktop
         run: npm install --legacy-peer-deps
 
-      - name: Build Vite
+      - name: Build Vite (Electron)
         working-directory: apps/desktop
-        run: npx vite build
+        run: npm run build:vite
+        env:
+          VITE_BUILD_TARGET: electron
+          VITE_PLATFORM: ${{ matrix.platform == 'win' && 'windows' || matrix.platform == 'mac' && 'macos' || 'linux' }}
+          VITE_SUPABASE_URL: ${{ secrets.VITE_SUPABASE_URL }}
+          VITE_SUPABASE_ANON_KEY: ${{ secrets.VITE_SUPABASE_ANON_KEY }}
 
       - name: Build Electron (Linux)
         if: matrix.platform == 'linux'
@@ -117,3 +122,38 @@ jobs:
           draft: false
           prerelease: false
           generate_release_notes: true
+
+  # ─── Backup to VPS ─────────────────────────────────────────────────────────
+  backup:
+    needs: release
+    runs-on: [self-hosted, linux, x64, crowbyte]
+    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
+    name: Backup to VPS
+
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: release-artifacts
+          merge-multiple: true
+
+      - name: Get version tag
+        id: version
+        run: |
+          if [ -n "${{ github.event.inputs.version }}" ]; then
+            echo "tag=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Archive to VPS
+        env:
+          RELEASE_TAG: ${{ steps.version.outputs.tag }}
+        run: |
+          BACKUP_DIR="/opt/crowbyte/releases/${RELEASE_TAG}"
+          mkdir -p "${BACKUP_DIR}"
+          cp -r release-artifacts/* "${BACKUP_DIR}/"
+          echo "[+] Backed up to ${BACKUP_DIR}"
+          ls -lh "${BACKUP_DIR}/"
+          # Keep a latest symlink
+          ln -sfn "${BACKUP_DIR}" /opt/crowbyte/releases/latest

.gitignore

@@ -133,3 +133,4 @@ agents/
 server/
 test-landing/
 SAAS-PLAN.md
+agent/__pycache__