fix(#2247): compare decoded text in shim drift detection

.claude/commands

@@ -0,0 +1 @@
+../commands

.codecov.yml

@@ -0,0 +1,31 @@
+codecov:
+  require_ci_to_pass: true
+
+coverage:
+  precision: 2
+  round: down
+  range: "60...80"
+  status:
+    project:
+      default:
+        target: auto
+        threshold: 1%
+    patch:
+      default:
+        target: 80%
+        threshold: 5%
+
+ignore:
+  - "**/*_test.go"
+  - "**/testdata/**"
+  - "docs/**"
+  - "hack/**"
+  - "experiments/**"
+  - "images/**"
+  - "**/*.md"
+  - "**/*.sh"
+
+comment:
+  layout: "reach,diff,flags,files,footer"
+  behavior: default
+  require_changes: false

.cursor/commands

@@ -0,0 +1 @@
+../commands

.cursor/skills

@@ -0,0 +1 @@
+../skills

.github/actions/check-e2e-authorization/action.yml

@@ -0,0 +1,145 @@
+name: Check E2E Authorization
+description: >-
+  Authorize PR-triggered e2e runs for trusted authors or a fresh ok-to-test label.
+  Removes stale ok-to-test labels and posts a sticky PR comment when unauthorized.
+
+inputs:
+  pr_number:
+    description: Pull request number to authorize
+    required: true
+  repository:
+    description: Repository in owner/name form
+    required: true
+  pr_updated_at:
+    description: github.event.pull_request.updated_at (server-side push time)
+    required: false
+    default: ""
+  event_action:
+    description: github.event.action
+    required: false
+    default: ""
+  pr_author_association:
+    description: github.event.pull_request.author_association (frozen event payload)
+    required: false
+    default: ""
+  docs_url:
+    description: Link to e2e testing documentation
+    required: false
+    default: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/dev/e2e-testing.md#ci-authorization
+
+outputs:
+  authorized:
+    description: Whether e2e tests may run for this PR
+    value: ${{ steps.check.outputs.authorized }}
+  reason:
+    description: Authorization outcome reason code
+    value: ${{ steps.check.outputs.reason }}
+  label_removed:
+    description: Whether a stale ok-to-test label was removed
+    value: ${{ steps.check.outputs.label_removed }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check authorization
+      id: check
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        PR_NUMBER: ${{ inputs.pr_number }}
+        REPOSITORY: ${{ inputs.repository }}
+        PR_UPDATED_AT: ${{ inputs.pr_updated_at }}
+        EVENT_ACTION: ${{ inputs.event_action }}
+        PR_AUTHOR_ASSOCIATION: ${{ inputs.pr_author_association }}
+      run: bash "${GITHUB_WORKSPACE}/scripts/check-e2e-authorization.sh" "${PR_NUMBER}" "${REPOSITORY}"
+
+    - name: Post gate comment
+      if: steps.check.outputs.authorized != 'true'
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        REPOSITORY: ${{ inputs.repository }}
+        PR_NUMBER: ${{ inputs.pr_number }}
+        REASON: ${{ steps.check.outputs.reason }}
+        LABEL_REMOVED: ${{ steps.check.outputs.label_removed }}
+        DOCS_URL: ${{ inputs.docs_url }}
+        BOT_LOGIN: github-actions[bot]
+      run: |
+        set -euo pipefail
+
+        marker='<!-- e2e-gate -->'
+        owner="${REPOSITORY%%/*}"
+        repo="${REPOSITORY#*/}"
+
+        body="${marker}
+        ## E2E tests did not run
+
+        "
+
+        case "${REASON}" in
+          stale_ok_to_test)
+            body+="The \`ok-to-test\` label was removed because new commits landed after it was applied. A maintainer must re-apply \`ok-to-test\` after reviewing the latest changes.
+        "
+            ;;
+          error)
+            body+="The authorization check failed (GitHub API error). Re-run the workflow when the API is available; if this persists, contact a maintainer.
+        "
+            ;;
+          *)
+            body+="E2E tests run automatically for org/repo **members and collaborators** on pull requests.
+
+        For other contributors, a maintainer must add the \`ok-to-test\` label **after** the latest push.
+        "
+            ;;
+        esac
+
+        if [[ "${LABEL_REMOVED}" == "true" ]]; then
+          body+="
+        > **Note:** \`ok-to-test\` was cleared due to new commits.
+        "
+        fi
+
+        body+="
+        See [E2E testing guide](${DOCS_URL}) for details."
+
+        existing_id="$(gh api "repos/${owner}/${repo}/issues/${PR_NUMBER}/comments" --paginate \
+          | jq -r --arg login "${BOT_LOGIN}" --arg marker "${marker}" \
+            '.[] | select(.user.login == $login and (.body | contains($marker))) | .id' \
+          | head -n1 || true)"
+
+        if [[ -n "${existing_id}" ]]; then
+          jq -n --arg body "${body}" '{body: $body}' | \
+            gh api -X PATCH "repos/${owner}/${repo}/issues/comments/${existing_id}" --input - >/dev/null
+        else
+          jq -n --arg body "${body}" '{body: $body}' | \
+            gh api -X POST "repos/${owner}/${repo}/issues/${PR_NUMBER}/comments" --input - >/dev/null
+        fi
+
+    - name: Clear gate comment
+      if: steps.check.outputs.authorized == 'true'
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+        REPOSITORY: ${{ inputs.repository }}
+        PR_NUMBER: ${{ inputs.pr_number }}
+        BOT_LOGIN: github-actions[bot]
+      run: |
+        set -euo pipefail
+
+        marker='<!-- e2e-gate -->'
+        owner="${REPOSITORY%%/*}"
+        repo="${REPOSITORY#*/}"
+
+        existing_id="$(gh api "repos/${owner}/${repo}/issues/${PR_NUMBER}/comments" --paginate \
+          | jq -r --arg login "${BOT_LOGIN}" --arg marker "${marker}" \
+            '.[] | select(.user.login == $login and (.body | contains($marker))) | .id' \
+          | head -n1 || true)"
+
+        if [[ -n "${existing_id}" ]]; then
+          body="${marker}
+        ## E2E tests are running
+
+        Authorization passed for this commit. See the **E2E Tests** workflow for results."
+          jq -n --arg body "${body}" '{body: $body}' | \
+            gh api -X PATCH "repos/${owner}/${repo}/issues/comments/${existing_id}" --input - >/dev/null
+        fi

internal/scaffold/fullsend-repo/.github/actions/mint-token/action.yml → .github/actions/mint-token/action.yml

@@ -51,14 +51,21 @@ runs:
         REPOS_JSON=$(echo "$REPOS" | jq -Rc 'split(",") | map(select(length > 0))')
         BODY=$(jq -nc --arg role "$ROLE" --argjson repos "$REPOS_JSON" \
           '{role: $role, repos: $repos}')
-        TOKEN=$(curl -sSf --retry 5 --retry-delay 5 --retry-all-errors \
+        echo "Requesting token: role=$ROLE repos=$REPOS"
+        MINT_RESPONSE=$(curl -sSf --retry 5 --retry-delay 5 --retry-all-errors \
           -H "Authorization: Bearer $OIDC_TOKEN" \
           -H "Content-Type: application/json" \
           -d "$BODY" \
-          "${MINT_URL}/v1/token" | jq -r '.token')
+          "${MINT_URL}/v1/token")
+        echo "::add-mask::$MINT_RESPONSE"
+        TOKEN=$(echo "$MINT_RESPONSE" | jq -r '.token')
         if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
           echo "::error::Token mint returned no token for role=$ROLE"
           exit 1
         fi
         echo "::add-mask::$TOKEN"
+        GRANTED_REPOS=$(echo "$MINT_RESPONSE" | jq -r '.granted_repos | if . then map(strings) | join(",") else empty end')
+        GRANTED_PERMS=$(echo "$MINT_RESPONSE" | jq -r '.granted_permissions | if . then to_entries | map("\(.key)=\(.value)") | join(",") else empty end')
+        REPO_SELECTION=$(echo "$MINT_RESPONSE" | jq -r '.repository_selection // empty')
+        echo "Granted scope: repos=${GRANTED_REPOS:-} permissions=${GRANTED_PERMS:-} repo_selection=${REPO_SELECTION:-}"
         echo "token=$TOKEN" >> "$GITHUB_OUTPUT"

.github/actions/setup-gcp/action.yml

@@ -0,0 +1,37 @@
+name: Setup GCP
+description: Authenticate to Google Cloud via Workload Identity Federation, mask credentials, and prepare sandbox credentials
+
+inputs:
+  gcp_wif_provider:
+    description: 'Workload Identity Federation provider resource name'
+    required: true
+  gcp_project_id:
+    description: 'GCP project ID — passed to google-github-actions/auth so the runner env has GOOGLE_CLOUD_PROJECT'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Pre-mask GCP credential file path
+      shell: bash
+      run: echo "::add-mask::${GITHUB_WORKSPACE}/gha-creds-"
+
+    - name: Authenticate to Google Cloud (WIF)
+      uses: google-github-actions/auth@v3
+      with:
+        workload_identity_provider: ${{ inputs.gcp_wif_provider }}
+        project_id: ${{ inputs.gcp_project_id }}
+
+    - name: Mask GCP credential file paths
+      shell: bash
+      run: |
+        for var in GOOGLE_GHA_CREDS_PATH GOOGLE_APPLICATION_CREDENTIALS CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE; do
+          val="${!var:-}"
+          if [[ -n "${val}" ]]; then
+            echo "::add-mask::${val}"
+          fi
+        done
+
+    - name: Prepare sandbox credentials
+      shell: bash
+      run: bash scripts/prepare-sandbox-credentials.sh

.github/actions/validate-enrollment/action.yml

@@ -0,0 +1,69 @@
+name: Validate Enrollment
+description: Validate that source repository is enrolled and extract repository metadata
+
+inputs:
+  source_repo:
+    description: 'Source repository in owner/repo format'
+    required: true
+  install_mode:
+    description: 'Installation mode: per-org (config repo) or per-repo (in-repo config)'
+    required: false
+    default: 'per-org'
+
+outputs:
+  name:
+    description: 'Repository name (without owner)'
+    value: ${{ steps.extract.outputs.name }}
+
+runs:
+  using: composite
+  steps:
+    - name: Validate source repo is enrolled
+      shell: bash
+      env:
+        SOURCE_REPO: ${{ inputs.source_repo }}
+        INSTALL_MODE: ${{ inputs.install_mode }}
+      run: |
+        set -euo pipefail
+        : "${SOURCE_REPO:?SOURCE_REPO is required}"
+        : "${GITHUB_REPOSITORY_OWNER:?GITHUB_REPOSITORY_OWNER is required}"
+        if [[ ! "$SOURCE_REPO" =~ ^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$ ]]; then
+          echo "::error::Invalid source_repo format: must be owner/repo"
+          exit 1
+        fi
+        REPO_OWNER="${SOURCE_REPO%%/*}"
+        if [[ "$REPO_OWNER" != "$GITHUB_REPOSITORY_OWNER" ]]; then
+          echo "::error::source_repo owner does not match org"
+          exit 1
+        fi
+        if [[ "${INSTALL_MODE}" != "per-org" && "${INSTALL_MODE}" != "per-repo" ]]; then
+          echo "::error::Invalid install_mode '${INSTALL_MODE}': must be 'per-org' or 'per-repo'"
+          exit 1
+        fi
+        REPO_NAME="${SOURCE_REPO#*/}"
+        if [[ "${INSTALL_MODE}" == "per-repo" ]]; then
+          echo "Per-repo mode — skipping config.yaml enrollment check (self-enrolled)"
+        else
+          if [[ ! -f config.yaml ]]; then
+            echo "::error::config.yaml not found"
+            exit 1
+          fi
+          if ! command -v yq &> /dev/null; then
+            echo "::error::yq command not found"
+            exit 1
+          fi
+          ENABLED=$(REPO_NAME="${REPO_NAME}" yq 'env(REPO_NAME) as $name | .repos[$name].enabled' config.yaml)
+          if [[ "$ENABLED" != "true" ]]; then
+            echo "::error::repo is not enabled in config.yaml"
+            exit 1
+          fi
+        fi
+        echo "Validation passed for ${SOURCE_REPO}"
+
+    - name: Extract repo parts
+      id: extract
+      shell: bash
+      env:
+        SOURCE_REPO: ${{ inputs.source_repo }}
+      run: |
+        echo "name=${SOURCE_REPO##*/}" >> "${GITHUB_OUTPUT}"

.github/workflows/branch-cleanup.yml

@@ -10,6 +10,15 @@ on:
   schedule:
     - cron: "0 3 * * 0" # Weekly on Sundays at 3am UTC
   workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Preview deletions without actually deleting"
+        type: boolean
+        default: true
+
+concurrency:
+  group: branch-cleanup
+  cancel-in-progress: false
 
 permissions:
   contents: write
@@ -25,4 +34,6 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}
           STALE_DAYS: "30"
-        run: ./hack/clean-stale-branches
+        run: >-  # schedule trigger has no inputs — dry-run is false (live) by design
+          ./hack/clean-stale-branches
+          ${{ github.event.inputs.dry-run == 'true' && '--dry-run' || '' }}