build.yml, deploy-bot → docker (needs Docker)
build-tstudio, deploy-proxy → go (needs Go)
deploy-docs → node (needs Node + pnpm)
deploy-arikigame, release → deploy (lightest, just AWS CLI)
Runner registered with all labels (tinqs-runner:5).
When custom images are ready, each label routes to its own image.
Runner container is minimal — install Go, Node, AWS CLI, pnpm at
runtime. Docker-based platform build needs separate solution (Kaniko
or CodeBuild). CLI and docs pipelines should now pass.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New modules/inference/ package:
- client.go: DeepSeek HTTP client with exponential backoff (429/503),
streaming and non-streaming support, 5-min timeout
- types.go: OpenAI-compatible request/response types
New routers/api/v1/inference/:
- POST /api/v1/inference/chat/completions — streaming SSE + non-streaming
- GET /api/v1/inference/health — service status
Authenticated via Gitea token (reqToken middleware).
Config: app.ini [inference] DEEPSEEK_API_KEY or env var.
Full project compiles clean.
First step migrating bot.arikigame.com from Next.js to Go platform.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All workflows now use raw git clone + shell commands instead of
actions/* steps. No Node.js dependency for checkout, works on any
Linux runner without Docker-in-Docker.
This is temporary until we build our own Tinqs Actions (checkout,
setup-go, setup-node) that work natively in our runner environment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- routers/web/tinqs_pages.go: TinqsDocsHandler serves Docusaurus build
output from custom/public/docs/ with SPA fallback for client-side routing
- routers/web/web.go: /docs and /docs/* routes
- docs/docusaurus.config.js: url → tinqs.com, baseUrl → /docs/,
added Blog + Wiki navbar links, fixed logo path
- deploy-docs.yml: rsync to custom/public/docs/ instead of S3 bucket
- templates: docs_placeholder.tmpl, Docs link in navbar
URL map: tinqs.com/docs (SEO), tinqs.com/blog (SEO),
tinqs.com/*/wiki (Gitea built-in, internal). One domain, zero subdomains.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All workflows now have:
concurrency:
group: <workflow>-${{ github.ref }}
cancel-in-progress: true
Prevents job queue clog when pushing rapidly to the same branch.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- routers/web/tinqs_pages.go: /blog and /blog/{slug} serve static HTML
from custom/public/blog/ (zero Gitea core changes)
- templates/base/head_navbar.tmpl: Wiki + Blog nav links for signed-in
and signed-out users; help link → Gitea wiki; version tag → Tinqs Studio
- templates/base/footer_content.tmpl: "Tinqs Studio" replaces dead
git.arikigame.com link
- templates/tinqs/blog_placeholder.tmpl: fallback when blog not deployed
Gitea core (wiki, repos, git, LFS, issues, PRs, actions) untouched.
Only new files + navbar/footer chrome modified.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Runner binary built alongside Gitea in the same Docker image.
Entrypoint starts runner daemon in background if /data/gitea/runner/.runner
exists (registered). Same architecture as the Lightsail setup — one box,
both services.
Runner source: runner/ in monorepo (forked from gitea.com/gitea/act_runner).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Complete guide for managing runners on tinqs.com:
- Build, register, run from any machine
- DB access via ECS Exec (requires SSM plugin + IAM policy)
- Common issues and fixes (migration, token, connectivity)
- Future: Fargate runner deployment plan
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows at /installation/install-tstudio-cli — first in sidebar.
Register page kept at /tinqs/register too.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Step-by-step for non-technical users. Download links, version numbers,
expected output, security note for agents that flag it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- register.md: account creation, CLI download, login flow
- cursor-setup.md: full DeepSeek V4 proxy guide, multi-editor support,
Claude Code section, troubleshooting
- sidebars.js: Tinqs section first in nav, renamed landing to "Tinqs Studio"
Public docs for clients and team at docs.tinqs.com
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Server-side internal flow — no public API change:
- On OAuth2 authorization_code exchange for tstudio-cli app, server
creates a "cursor" PAT with all scopes via direct DB access
- PAT returned as cursor_token field in the token response
- CLI reads it and displays Cursor/DeepSeek setup instructions
- Only created on first login (skipped if "cursor" PAT already exists)
- Token shown once — user must save it
Keeps reqBasicOrRevProxyAuth on public /users/{username}/tokens endpoint.
No token escalation risk — PAT creation is server-internal only.
Also: Bearer auth fix for OAuth2 JWT tokens in CLI API client.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Removed auto PAT creation (Gitea blocks token-from-token)
- Login now opens token creation page on first login
- Shows Cursor/DeepSeek setup instructions inline
- Prints tstudio version in completion message
- Bearer auth fix for OAuth2 JWT tokens
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Login flow now:
1. Browser OAuth2 → JWT access token
2. SSH key gen + git credentials
3. Auto-creates a PAT named cursor-<hostname> for Cursor/DeepSeek
4. Displays the PAT with Cursor setup instructions (shown once)
Fixed: API client now sends Bearer prefix for OAuth2 JWT tokens
(was sending "token" prefix which Gitea rejects for JWTs).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
How to connect Cursor to DeepSeek via the platform proxy.
Token creation, base URL config, agent mode, troubleshooting.
For team and future clients.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Browser OAuth2 PKCE login confirmed working on tinqs.com.
Removed --token fallback — browser login only.
Updated built-in app ID to match registered app.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- cmd/tea: rename references from tea/tinqs to tstudio
- public/assets/img: replace logos and favicons with Tinqs Studio branding
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaces Gitea's "What is Gitea?" with Tinqs Studio getting started:
- Download table for all 5 platforms with direct S3 links
- One-liner install commands (macOS/Linux/Windows)
- Login, clone, migrate, verify steps
- Agent paste block for Cursor / Claude Code
- Links to all documentation sections
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Full copy of Gitea's official docs (Docusaurus + Redocusaurus for API).
All original content preserved — Tinqs docs added alongside under docs/tinqs/.
Added:
- docs/docs/tinqs/getting-started.md — CLI install, login, migrate, agent setup
- docs/docs/tinqs/cli.md — full tstudio CLI reference
- deploy-docs.yml — builds Docusaurus, deploys to S3 for docs.tinqs.com
Branding handoff written for branding agent to rebrand config, logos, colors.
Shares monorepo version — one repo, one version.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Push to main (platform code) now:
1. Builds Docker image via Dockerfile.rootless
2. Pushes to ECR (tinqs-git:tag + :latest)
3. Triggers ECS deploy on both tinqs-studio-staging and tinqs-git-prod
4. Archives binary to S3 as backup
Staging and prod deploy from the same image on every push.
release.yml remains for manual rollback/specific version deploys.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- build.yml: only triggers on platform code changes (models, routers,
templates, modules, services). Ignores cmd/tstudio, web/, bot, proxy.
- build-tstudio.yml: fixed version detection (uses git describe, not
removed TSTUDIO_VERSION). Only triggers on cmd/tstudio/** changes.
- deploy-docs.yml: NEW — deploys docs/pages to S3 when templates or
SETUP.md change. Independent from platform build.
- deploy-arikigame.yml: unchanged, already path-filtered.
Each pipeline runs independently. No more queueing CLI builds behind
full platform rebuilds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Download grid for all platforms with direct S3 links
- Copy-paste prompt block for Cursor / Claude Code agents
- Covers: install, login, migrate remotes, verify
- Login: added --token flag for bootstrap/CI (skip browser flow)
- Page is public (no login required): /cli/getting-started
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Login rewritten to use OAuth2 PKCE browser flow:
- Opens browser → user authenticates on tinqs.com → callback to localhost
- No passwords in terminal, same UX as gcloud/gh auth login
- PKCE (RFC 7636) with S256 code challenge
- Stores refresh_token for silent token renewal
- Logout clears git credentials
Server-side:
- Registered tstudio-cli as built-in OAuth2 app (models/auth/oauth2.go)
- Added to default applications list (modules/setting/oauth2.go)
- New /cli/getting-started route + public onboarding page
- Teaches Cursor setup, agent workflow, git operations
First login redirects to getting-started page automatically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Proxy: add bot.tinqs.com route alongside legacy bot.arikigame.com
- Bot: add /api/v1/ai/* rewrite alias for inference proxy (Cursor endpoint)
- Auth: update Gitea URL defaults from git.arikigame.com to tinqs.com
- UI: update all landing page, team-tool, callback URLs to tinqs.com
- Libs: update gitea.ts, design.ts, docs-search.ts, handoffs.ts,
mcp-handler.ts, image-gen-context.ts to tinqs.com API base
- Config: add tinqs-ai provider entry in deeptinqs providers.json
- Tests: update smoke test default URL to bot.tinqs.com
All endpoints work on both domains during transition.
Old bot.arikigame.com stays in proxy routes for backwards compat.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Removed separate TSTUDIO_VERSION — tstudio now shares GITEA_VERSION
with the rest of the monorepo (one version for everything)
- Auto-update check runs on every command (max once/hour, 3s timeout)
prints one-line notice if newer binary exists on S3
- Version injected via ldflags at build time (default "dev" for local builds)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Binary detects it's not on PATH, copies itself to the right location
(%LOCALAPPDATA%\tstudio\ on Windows, /usr/local/bin on macOS/Linux),
and adds to user PATH. Landing page install commands now download + login
in one step.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Login now does full machine setup in one command:
- Creates API token
- Generates ed25519 SSH key + registers it with Gitea
- Configures ~/.ssh/config for ssh.tinqs.com
- Sets up HTTPS credential helper + SSH→HTTPS rewrite
New commands:
- tstudio migrate: rewrites old git.arikigame.com remotes to tinqs.com
- SETUP.md: agent-executable setup guide for any machine
No more separate tokens for bot/cursor/agents. One login, everything works.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New `tstudio` CLI binary (cmd/tstudio/) with subcommands:
- login: authenticate via username/password, create API token, open welcome page
- logout: revoke token and clear credentials
- whoami: show current user and auth status
- repos: list accessible repositories
- clone: authenticated HTTPS clone with credential storage
- doctor: check git, git-lfs, auth, and connectivity
Platform changes:
- Landing page: CLI download section with OS-detected install command,
direct download buttons for Windows/macOS/Linux
- /cli/welcome: post-login success page (like gcloud auth_success)
with next steps and resource links
- Makefile: tstudio, tstudio-all, tstudio-upload targets for
cross-platform builds and S3 upload
- .claude/settings.json: full auto-allow permissions for Claude Code
- go.mod: add golang.org/x/term for hidden password input
Builds: tstudio-windows-amd64.exe, tstudio-darwin-arm64,
tstudio-darwin-amd64, tstudio-linux-amd64, tstudio-linux-arm64
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete web/landing (legacy tinqs-ltd/website Next.js). Add web/arikigame with static public site and deploy-arikigame.yml (S3 + CloudFront). Link Ariki from tinqs.com logged-out home. Fix build.yml to trigger on main.
Co-authored-by: Cursor <cursoragent@cursor.com>
Autonomous agents must run tests before pushing. Pattern:
Layer 1 (unit): make test — pure logic, <1s
Layer 2 (integration): make test-sqlite — real DB, real handlers
Layer 3 (E2E): npx playwright test — browser tests
tinqs-git already has upstream Gitea test infra (better than ariki-game).
Gap: agents don't run them. This handoff fixes that.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Always overwrites S3 on every preview request — no stale content.
Removed sync.Map cache and background goroutines.
Blob-by-SHA paths still skip upload if already exists (immutable).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fullscreen button added to Preview/Source button group (not overlay)
- iframe breaks out of container: width:100vw with negative margins
- removed overlay expand icon — redundant with header button
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Test page for the S3-backed HTML preview. Demonstrates the feature
it describes — dark theme, Tinqs branding, inline CSS, no relative
image paths.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- height: calc(100vh - 220px) instead of fixed 600px — fills remaining
viewport with no dead space at bottom
- expand button (screen-full icon) in top-right corner opens the S3
presigned URL in a new tab for full-screen viewing
- security preserved: new tab opens S3 origin, not Gitea
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
HTML files now render in an iframe served from S3 (tinqs-git-preview
bucket) instead of Gitea's raw endpoint which forces text/plain.
SWR flow: first request uploads blob to S3 synchronously, subsequent
requests redirect to presigned S3 URL instantly. When the blob SHA
changes (new commit), the stale version is served immediately while
the new version uploads in the background.
Security: iframe uses sandbox="allow-scripts" only (no allow-same-origin).
S3 is a different origin from git.arikigame.com, so even if JS runs in
the iframe it cannot access Gitea session cookies or API tokens.
Config: [html_preview] section in app.ini, disabled by default.
Release pipeline auto-adds config on first deploy.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ozan