Files
gstack/supabase/functions/telemetry-ingest/index.ts
T
Garry Tan 11de390be1 v1.58.5.0 feat: first-run activation scaffold + gstack router front door (#2078)
* feat: first-run activation — project-aware scaffold, router front door, onboarding nudges

Adds the activation system that drives a new install toward a concrete first move:
- bin/gstack-first-task-detect: local-git+filesystem repo classifier emitting one
  validated enum bucket (greenfield/code_<lang>/branch_ahead/dirty_default/clean_default),
  portable timeouts, fail-safe empty output.
- generate-first-run-guidance.ts: unified preamble section — first-run project-aware
  scaffold + returning-session plan->review->ship tip, gated on a persistent .activated
  marker and never run in headless. Detection wired lazily in generate-preamble-bash.ts.
- SKILL.md.tmpl: top-level gstack skill is now a pure router (browse body removed; it
  lives in /browse), routing any request and sending browser/QA work to /browse.
- setup: first-move nudge on first install. office-hours: closing handoff that launches
  the next review via the Skill tool.
- telemetry-ingest: accept onboarding/first_task_scaffold_shown/handoff/route event types.

* test: cover first-run detection + repoint browse-content assertions to /browse

- New unit tests for every detection bucket, the eval-safe enum contract, and the
  first-run gating (test/preamble-first-task-scaffold.test.ts); periodic E2E that runs
  the detector through the real harness (test/skill-e2e-first-task-scaffold.test.ts).
- Repoint browse-content assertions (gen-skill-docs, audit-compliance, skill-validation,
  LLM-judge eval) from the root skill to browse/SKILL.md following the router split;
  add a regression pinning that the router carries no browse body.
- Register first-task-scaffold touchfiles + periodic tier; bump parity/carve size caps
  ~1-2KB per skill for the shared first-run-guidance preamble section.
- Refresh ship golden fixtures for the preamble addition.

* chore: regenerate SKILL.md + llms.txt for first-run activation

* chore: bump version and changelog (v1.58.5.0)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(test): repoint bws skillmd-* setup-block assertions to browse/SKILL.md

The skillmd-setup-discovery / -no-local-binary / -outside-git E2E tests extracted
the `## SETUP`→`## IMPORTANT` browse binary-discovery block from the root SKILL.md.
P2 moved that block to browse/SKILL.md (end anchor is now `## Core QA Patterns`),
so the slice came back empty and the `browse/dist/browse` guard failed. Repoint to
browse/SKILL.md. Verified: 7/7 e2e-browse pass locally.

* fix(test): tolerate skill-discovery race in PTY plan-mode smoke

The e2e-pty-plan-smoke suite (office-hours / plan-mode-no-op) failed in CI with
`Unknown command: /office-hours` (claude exited ~10s) while passing locally. Root
cause: a cold CI container's overlay-FS scan of the symlinked ~/.claude/skills
registry finishes AFTER the runner's 8s boot grace, so the first `/skill` send
reaches claude before the skill is indexed and is rejected as unknown. The runner
gave up on the first "Unknown command:" line.

runPlanSkillObservation now re-sends the skill command up to 3x (6s apart),
re-marking the buffer each time so stale scrollback can't re-trip the check,
before concluding the skill is genuinely unregistered. A real dangling-symlink /
missing-skill still surfaces as 'exited' (after retries), preserving the original
diagnostic. Pure-helper contract unchanged: 95/95 unit tests pass.

This is a pre-existing harness bug (fails identically on #2077's own branch, which
introduced the suite) surfaced while shipping the activation feature.

* debug(ci): temporarily instrument pty-smoke skill discovery

Capture claude version, env, registry tree, and a claude -p discovery probe to
pin why /office-hours isn't discovered in CI (retries proved it's not a race).
Temporary — revert once the registry fix is identified.

* chore: revert pty-smoke harness experiments (race-retry + CI debug step)

Diagnosis is conclusive and the experiments aren't the fix, so restore the
harness to its original state (net-zero diff vs main for both files).

What the CI debug step proved: `claude -p` returns READY — claude v2.1.187 fully
DISCOVERS /office-hours from the symlinked registry. Only the interactive PTY TUI
rejects it as "Unknown command" (and it received the full command text). So the
e2e-pty-plan-smoke failure is a claude 2.1.187 interactive-TUI regression (skills
discovered by `claude -p` aren't exposed as TUI slash commands), pre-existing in
the #2077 harness and failing identically on its own origin branch — unrelated to
this activation PR. The race-retry can't help (the TUI genuinely lacks the
command); the debug step also tripped actionlint (shellcheck SC2012). Both reverted.

* fix(ci): copy SKILL.md as real files in pty-smoke registry (cross-mount symlink)

The e2e-pty-plan-smoke suite failed with "Unknown command: /office-hours" in CI
while passing locally. Root cause (proven, not guessed): claude 2.1.187's
interactive-TUI skill scanner does not follow the /github/home -> /__w cross-mount
symlink the registry used for per-skill SKILL.md. Evidence: a CI debug step showed
`claude -p` discovered the skill (printed READY), and a local macOS repro with the
identical symlinked registry recognized /office-hours — isolating the failure to
the container's cross-mount symlink, not registration content, claude version,
duplicate names, or a race.

Fix: register the per-skill SKILL.md + sections as REAL copies (same mount as
$HOME) so the TUI reads them directly. The gstack root stays a symlink — the
preamble's runtime bash resolves bin/* and sections/* through it and bash follows
cross-mount symlinks fine.

* fix(ci): guard rm expansion in pty-smoke registry (shellcheck SC2115)

* fix(ci): also register pty-smoke skills project-scoped (cwd/.claude/skills)

The real-file user-dir registration still left the TUI rejecting /office-hours in
the container. claude's interactive TUI surfaces /slash commands from the PROJECT
dir (<cwd>/.claude/skills); the smokes run with cwd=$REPO whose .claude/skills is
gitignored (absent on a fresh CI checkout), so the user-dir registry feeds
`claude -p` (READY) but not the TUI. Populate $REPO/.claude/skills with real
SKILL.md + sections copies (no gstack symlink there — it would point at its own
parent; runtime paths use the user-dir gstack symlink).

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 09:42:45 -07:00

152 lines
4.8 KiB
TypeScript

// gstack telemetry-ingest edge function
// Validates and inserts a batch of telemetry events.
// Called by bin/gstack-telemetry-sync.
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
interface TelemetryEvent {
v: number;
ts: string;
event_type: string;
skill: string;
session_id?: string;
gstack_version: string;
os: string;
arch?: string;
duration_s?: number;
outcome: string;
error_class?: string;
used_browse?: boolean;
sessions?: number;
installation_id?: string;
}
const MAX_BATCH_SIZE = 100;
const MAX_PAYLOAD_BYTES = 50_000; // 50KB
Deno.serve(async (req) => {
if (req.method !== "POST") {
return new Response("POST required", { status: 405 });
}
// Check payload size
const contentLength = parseInt(req.headers.get("content-length") || "0");
if (contentLength > MAX_PAYLOAD_BYTES) {
return new Response("Payload too large", { status: 413 });
}
try {
const body = await req.json();
const events: TelemetryEvent[] = Array.isArray(body) ? body : [body];
if (events.length > MAX_BATCH_SIZE) {
return new Response(`Batch too large (max ${MAX_BATCH_SIZE})`, { status: 400 });
}
// Use the anon key, not the service role key.
// The service role key bypasses Row Level Security (RLS) and grants full
// unrestricted database access — wildly over-privileged for a public
// telemetry endpoint that only needs INSERT on two tables.
// The anon key + properly configured RLS INSERT policies is correct.
// See: https://supabase.com/docs/guides/database/postgres/row-level-security
const supabase = createClient(
Deno.env.get("SUPABASE_URL") ?? "",
Deno.env.get("SUPABASE_ANON_KEY") ?? ""
);
// Validate and transform events
const rows = [];
const installationUpserts: Map<string, { version: string; os: string }> = new Map();
for (const event of events) {
// Required fields
if (!event.ts || !event.gstack_version || !event.os || !event.outcome) {
continue; // skip malformed
}
// Validate schema version
if (event.v !== 1) continue;
// Validate event_type. Activation-funnel events (v1.x) join the originals:
// onboarding (P0 setup nudge), first_task_scaffold_shown (P4 first-run
// scaffold), handoff (P1 office-hours → next skill), route (gstack router).
const validTypes = [
"skill_run",
"upgrade_prompted",
"upgrade_completed",
"onboarding",
"first_task_scaffold_shown",
"handoff",
"route",
];
if (!validTypes.includes(event.event_type)) continue;
rows.push({
schema_version: event.v,
event_type: event.event_type,
gstack_version: String(event.gstack_version).slice(0, 20),
os: String(event.os).slice(0, 20),
arch: event.arch ? String(event.arch).slice(0, 20) : null,
event_timestamp: event.ts,
skill: event.skill ? String(event.skill).slice(0, 50) : null,
session_id: event.session_id ? String(event.session_id).slice(0, 50) : null,
duration_s: typeof event.duration_s === "number" ? event.duration_s : null,
outcome: String(event.outcome).slice(0, 20),
error_class: event.error_class ? String(event.error_class).slice(0, 100) : null,
used_browse: event.used_browse === true,
concurrent_sessions: typeof event.sessions === "number" ? event.sessions : 1,
installation_id: event.installation_id ? String(event.installation_id).slice(0, 64) : null,
});
// Track installations for upsert
if (event.installation_id) {
installationUpserts.set(event.installation_id, {
version: event.gstack_version,
os: event.os,
});
}
}
if (rows.length === 0) {
return new Response(JSON.stringify({ inserted: 0 }), {
status: 200,
headers: { "Content-Type": "application/json" },
});
}
// Insert events
const { error: insertError } = await supabase
.from("telemetry_events")
.insert(rows);
if (insertError) {
return new Response(JSON.stringify({ error: insertError.message }), {
status: 500,
headers: { "Content-Type": "application/json" },
});
}
// Upsert installations (update last_seen)
for (const [id, data] of installationUpserts) {
await supabase
.from("installations")
.upsert(
{
installation_id: id,
last_seen: new Date().toISOString(),
gstack_version: data.version,
os: data.os,
},
{ onConflict: "installation_id" }
);
}
return new Response(JSON.stringify({ inserted: rows.length }), {
status: 200,
headers: { "Content-Type": "application/json" },
});
} catch {
return new Response("Invalid request", { status: 400 });
}
});