Recovers original JS from git history and ports it into proper El source
files under src/js/. Each file wraps the original JS in a native_js call
inside a main() function, making it valid El that compiles to a
self-contained IIFE via elc --target=js --bundle.
Files added:
src/js/account-auth.el - Supabase OTP magic-link (sendMagicLink)
src/js/account-dashboard.el - Account dashboard: session, plan card, family
src/js/chat-widget.el - Demo chat widget (neuronDemoToggle/Send/Reset)
src/js/checkout-auth.el - Checkout auth: OAuth, email sign-in/up
src/js/checkout-free.el - Free plan: auth-badge watch -> payment reveal
src/js/checkout-stripe.el - Stripe Payment Element (reads NEURON_CFG)
src/js/enterprise.el - Enterprise inquiry form + headcount filter
src/js/environmental.el - Efficiency calculator slider
src/js/gallery.el - Gallery nav, search/sort, Supabase voting
src/js/main.el - Share page voting + copyForPlatform
src/js/marketplace.el - Developer interest form
src/js/nav.el - Nav hamburger + Mission dropdown
src/js/styles.el - Landing: nav scroll, reveal, founding counter
Gallery: remove <a> from share allowlist. Gallery cards wrap content in
<a class="gal-link">; allowing <a> in sanitized answer HTML causes nested
anchors that the HTML5 adoption agency algorithm resolves by restructuring
the DOM, producing mismatched </div> tags that leave gallery-grid open and
pull sibling elements into the grid as spurious grid columns.
Account: replace email+password sign-up/sign-in with magic-link OTP.
supabase.auth.signInWithOtp handles both new and existing users in one
flow. Existing onAuthStateChange listener (dadeb8ddb9a8.js) retained for
post-redirect dashboard display. sendMagicLink added to extract-js
RESERVED_GLOBALS so the obfuscator does not mangle the onclick reference.
- Gitea branch protection enabled on stage and main:
- Direct pushes disabled (non-admin)
- stage requires "Dev — Build & local smoke test / build-smoke" to pass
- main requires "Stage — Build, push & deploy to marketing-stage / deploy-stage" to pass
- Enforcement step added to stage.yaml and deploy.yaml:
- stage only accepts merges from dev
- main only accepts merges from stage
- workflow_dispatch exempt (allows manual redeploy)
- Direct non-admin pushes are blocked at the Gitea layer before CI runs
The sign-in form only offered social auth and a link to /checkout.
Users wanting to create an account directly had no path.
Changes:
- "No account? Create one" toggle replaces the old "Choose a plan" link
- switchToSignUp() / switchToSignIn() toggle button label, placeholder,
and autocomplete between sign-in and sign-up modes
- Explicit signUpWithEmail() calls signUp() directly; with autoconfirm
enabled it returns a session immediately and reloads into the dashboard
- signInWithEmail() simplified: no silent sign-up fallback, clean errors
- Re-extract account JS (6dafc1586705 -> dadeb8ddb9a8)
- Re-extract styles chat JS (de72b8b61d75 -> 02ecc8cf6542) as side effect
of extract-js.py run
The demo chat was silently dropping conversation context past 40 turns
and leaving the thinking bubble spinning forever when the soul backend
hung — visitors saw a frozen UI with no way to know what went wrong.
Changes:
- Stored history cap raised from 40 → 200 messages so longer
conversations actually persist across page refreshes.
- History sent to backend per turn raised from 20 → 50 messages.
- 30s AbortController timeout on the /api/demo fetch — surfaces a
distinct "Took too long to respond" error instead of hanging.
- Restore script (restore-chat-js-with-preview.py) is now correctly
idempotent in both directions: detects when modal HTML is inlined
but chat JS got extracted to an asset, and re-injects fresh source
so extract-js picks up changes on the next build.
Turnstile callback unconditionally showed the greeting message, wiping
session history for returning visitors who hadn't verified yet.
Callback now uses the same restoreOrGreet pattern as neuronDemoToggle:
replays prior messages if session.messages is non-empty, else shows the
greeting once and marks session.greeted.
Also extracts the gallery voting inline script (a49ca0a129e8.js) as a
side effect of re-running extract-js.py. Chat JS rebuilds to de72b8b61d75.js.
- dev.yaml: build + local docker smoke test only (no push, no deploy)
- stage.yaml: build + push + deploy to marketing-stage + smoke test (stops here)
- deploy.yaml: add HTML placeholder touch step before docker build
Proper human gate between stage and prod: the stage→main merge decision.
Voting was completely broken: gallery.el referenced d8251f5e5aa1.js
which was never written. Buttons rendered disabled with no JS to
enable them, load vote state, or call /api/vote.
Fix 1 — client: inline the voting script directly in gallery.el.
Initializes Supabase client from window.NEURON_CFG, calls
/api/vote-state/<id> on load (with JWT if signed in) to populate
scores and active states, wires vote buttons with toggle logic
(same direction = undo/none), handles sign-in modal with magic-link
flow, re-loads all vote states on auth state change.
Fix 2 — server: replace supabase_upsert_user (upsert via user JWT)
with delete-then-insert. Upsert requires both INSERT + UPDATE RLS
policies; the UPDATE policy is typically absent on share_votes.
Delete (user JWT, RLS-safe) + insert (service key, user already
auth-validated) is reliable for both new votes and vote changes.
CI: gitea runner ships docker without the buildx plugin, so
`docker buildx build --platform linux/amd64 --load` exits 125
("unknown flag: --platform") in both the full build (build-stage.sh)
and the asset-only fast path (deploy.yaml). Runner host is already
linux/amd64, so explicit --platform is redundant. Switch both call
sites to plain `docker build`. This unblocks the pipeline — every
run since the workflow was added (~26 runs) has failed at this
exact step.
Chat: the live chat bubble renders marked.parse() output via
innerHTML, but .demo-msg-ai .demo-msg-bubble only had CSS rules
for p/ul/ol/li/strong. Fenced code blocks rendered as <pre><code>
with no styling — they appeared as wrapped plaintext, hard to
distinguish from prose. Add rules for code (inline and block),
pre, blockquote, em, h1-h4, and a, mirroring the share-card
styling (which always had them) so chat code blocks finally get
the monospace + tinted-background treatment users expect.
Replaces the three-step apt install + GCS cache probe + gcc build sequence
with a single curl download of the pre-built binary. Eliminates build-time
C toolchain dependency and shaves ~2-3 minutes off every full build.
Nothing reaches prod without deploying to marketing-stage first and
passing a 90s HTTP smoke test. Stage uses test Stripe keys
(stripe-secret-key-stage) so checkout can be exercised safely.
Set STRIPE_PUBLISHABLE_KEY on the stage service manually once:
gcloud run services update marketing-stage --region us-central1 \
--project neuron-785695 \
--update-env-vars STRIPE_PUBLISHABLE_KEY=pk_test_...
- Detect asset-only changes (src/assets/, src/shares/, static HTML, llms.txt)
and skip El compilation, C build deps, and Docker full build entirely
- Fast path pulls :latest as base and rebuilds only the assets layer
- Gate clone-el, install-C-deps, elc-cache, build-elc, build-image, push-image
behind asset_only != 'true'; deploy steps run unconditionally
- Switch build-stage.sh from registry cache driver (requires docker-container
buildx driver) to inline cache backed by :latest — compatible with default
docker driver on the runner
- deploy.yaml: restore elc from GCS (gs://neuron-ci-cache) keyed on
source SHA; only compile on cache miss, then upload for future runs
- Dockerfile.stage: pre-compile el_runtime.o as its own layer so the
expensive object is cached when only main.c changes between runs
- build-stage.sh: add --cache-from/--cache-to pointing at Artifact
Registry so apt-get + compilation layers survive across cold builds
LinkedIn, X, Facebook, WhatsApp, TikTok, Snapchat icons now served from
/assets/social/ instead of cdn.simpleicons.org. LinkedIn uses the official
brand PNG from Downloads; remaining icons are scraped SVGs.
Compiled artifact for the soul-history fix that landed in prod
on tag fix-soul-history-1314. Source was built but the .c artifact
didn't get committed alongside the binary deploy. This is the
canonical compiled output of dist/soul-demo.el at HEAD; required
for clean rebuilds via Dockerfile.stage.
elc-bootstrap.c isn't committed to engram-lang; the actual C source
is dist/platform/elc.c. Add libcurl4-openssl-dev/libssl-dev install
step so cc has the right headers.
The committed dist/platform/elc was an arm64 binary from the local dev
box; runner is linux/amd64 and got 'cannot execute binary file: Exec
format error'. Always rebuild.
Gitea Actions doesn't currently inject ACTIONS_ID_TOKEN_REQUEST_TOKEN /
ACTIONS_ID_TOKEN_REQUEST_URL into job env, so google-github-actions/auth
can't mint a federated token. The WIF infrastructure stays in Terraform
so we can flip back once that gap closes; the JSON key in GCP_SA_KEY is
the working path today.
act_runner v0.6 host-mode hits a 'permission denied' error on
.git/objects/pack/*.idx when running two checkout steps in the same
job. Drop down to a plain git clone of engram-lang and pin EL_HOME
outside the workspace.
A real attacker probed /api/share earlier today with <script>alert(1),
<iframe src=evil>, <img onerror>, <a href="javascript:...">, and a
<form action="/steal"> payload. Nothing executed because the chat
bubble at /share/<id> renders the served HTML inside marked.js's
already-escaped output, but the prior denylist sanitizer was fragile:
- It comment-wrapped dangerous tags ("<!--script>...-->") which a
literal "-->" inside an attacker-supplied attribute value can close
early, re-exposing the original payload.
- It renamed on*= attributes to data-x-on*= which left attack
indicators visible in the served HTML.
- It was a denylist; every new attack vector required a code change.
- It didn't validate <a href> URL schemes properly.
The replacement is a runtime-level state-machine allowlist parser
(foundation/el af480f6: el_html_sanitize). The product just specifies
the JSON allowlist of allowed tags + attributes; the runtime drops
everything else, validates href/src URL schemes (http/https/mailto/
fragment/relative only), and drops whole subtrees of script/style/
iframe/object/embed/form regardless of the allowlist.
Phase 4 of bl-dc55ae07: deletes sanitize_share_html (main.el) and
gal_sanitize_html (gallery.el); replaces 3 call sites with
el_html_sanitize(html, allowlist). Defines default_share_allowlist
in main.el and the identical gallery_share_allowlist in gallery.el
(separate bindings to avoid a forward-reference at build-concat
order — gallery is concatenated before main).
Phase 5: migrations/20260502185500_backfill_resanitize_share_cards.sql
nulls answer_html for any share_cards row older than 1 hour. Applied
via the Supabase Management API; 0 rows in scope (the column was
added today and existing rows pre-date its first write).
Also fixes an orthogonal duplicate-symbol bug: unix_timestamp() was
defined in both dist/web_stubs.c and the runtime (the latter is a
recent runtime addition picked up by the runtime sync). Removed the
stub.
Backlog: bl-dc55ae07
The auto-issued GITHUB_TOKEN is scoped to the current repo only, so
cross-repo actions/checkout needs an explicit token. CHECKOUT_TOKEN
holds an admin-scoped Gitea API token; long-term we should switch to
a dedicated read-only PAT.
Push to main triggers build-stage.sh, push to Artifact Registry,
parallel deploy to all 3 marketing prod regions, traffic flip,
verify. Auth via Workload Identity Federation against the
Gitea OIDC provider — no long-lived keys on the runner.
Falls back to GCP_SA_KEY repo secret if WIF doesn't work end
to end against this Gitea instance.
Gallery was reading the plain answer field and HTML-escaping it,
showing literal `<ol>...` text where the actual share page rendered
the markdown. Now selects answer_html alongside, runs it through
the same sanitizer as the share-card render, and falls back to
escaped plaintext for legacy rows.
The wrapper now logs the response and returns a structured ok/error
shape. Four call sites converge on a single send_email helper.
Resend deliveries verified end to end against
will.anderson@neurontechnologies.ai (delivery IDs 492fa066, 74258223,
69a3d9ab, f6d1c889).
Root cause: http_post_auth in dist/web_stubs.c only set the
Authorization: Bearer header. Resend rejects requests without
Content-Type: application/json with HTTP 422 missing_required_field
because it parses the body as form-urlencoded. The 422 response was
being captured by the El handler but not parsed, so callers logged
the error body and returned ok-200 to the client. Two endpoints also
built malformed JSON by interpolating the raw request body unquoted
into the text field.
Fix:
- Added http_post_auth_json (Bearer + Content-Type: application/json)
alongside http_post_auth in dist/web_stubs.c. Stripe form-POST
callers stay on http_post_auth, JSON callers (Resend now, others
later) move to the json variant.
- New send_email(from_addr, to, subject, html, text) wrapper in
src/main.el. JSON-escapes all user-provided fields, parses the
Resend response into a structured ok/error envelope, and println's
the outcome ([email] sent id=<id>) for Cloud Run log surfaces.
- Refactored four call sites onto the wrapper: /api/enterprise-inquiry,
/api/developer-interest, /api/waitlist, /api/attest, the family
invite branch in /api/family/invite, and both DocuSeal completion
branches in /api/docuseal/webhook/<token>.
- Untracked dist/ source files (web_stubs.c, vessel_stubs.c,
soul-demo.c, entrypoint.sh, engram-snapshot.json) are now committed
- generated artifacts (main.c, binaries) stay ignored. Without this
the next CI rebuild would regress the fix.
New Supabase table neuron_config keyed on (key, scope) with jsonb
value column. Web tier reads chat.model via /api/demo with 60s TTL
caching, passes to soul via dharma envelope payload.model. No more
revision-rollout-per-model-swap.
Admin read endpoint at /api/admin/config gated by NEURON_ADMIN_TOKEN.
Write surface and Realtime subscription land in Phase 2.
Backlog: bl-6eb51893
will.anderson
Will Anderson