feat: Onboarding Phase 2 — chat-first setup + forced password change

.dockerignore

@@ -16,6 +16,7 @@ tmp/
 .claude/
 .vscode/
 .idea/
-ui/
+ui/web/node_modules/
+ui/web/dist/
 plans/
 skills-store/

.env.example

@@ -1,16 +1,16 @@
-# GoClaw environment variables.
+# ArgoClaw environment variables.
 # Copy to .env and fill in values. For Docker Compose, do NOT use 'export' prefix.
 #
-# Auto-generated by prepare-env.sh: GOCLAW_GATEWAY_TOKEN, GOCLAW_ENCRYPTION_KEY.
+# Auto-generated by prepare-env.sh: ARGOCLAW_GATEWAY_TOKEN, ARGOCLAW_ENCRYPTION_KEY.
 # LLM provider API keys: configure via the web dashboard setup wizard.
 
 # --- Gateway (required) ---
-GOCLAW_GATEWAY_TOKEN=
-GOCLAW_ENCRYPTION_KEY=
+ARGOCLAW_GATEWAY_TOKEN=
+ARGOCLAW_ENCRYPTION_KEY=
 
 # --- Database (only for non-Docker deployments) ---
 # Docker Compose auto-builds this from POSTGRES_USER/PASSWORD/DB.
-# GOCLAW_POSTGRES_DSN=postgres://user:pass@host:5432/dbname?sslmode=disable
+# ARGOCLAW_POSTGRES_DSN=postgres://user:pass@host:5432/dbname?sslmode=disable
 
 # --- Debug ---
-# GOCLAW_TRACE_VERBOSE=1
+# ARGOCLAW_TRACE_VERBOSE=1

.github/workflows/ci-tenant-isolation.yml

@@ -0,0 +1,70 @@
+name: CI - Tenant Isolation E2E
+
+on:
+  pull_request:
+    paths:
+      - 'internal/store/**'
+      - 'internal/http/**'
+      - 'internal/auth/**'
+      - 'internal/gateway/**'
+      - 'migrations/**'
+      - 'tests/tenant_isolation/**'
+  push:
+    branches: [main]
+    paths:
+      - 'internal/store/**'
+      - 'internal/http/**'
+      - 'internal/auth/**'
+      - 'internal/gateway/**'
+      - 'migrations/**'
+      - 'tests/tenant_isolation/**'
+
+jobs:
+  tenant-isolation-e2e:
+    name: Tenant Isolation E2E Tests
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: pgvector/pgvector:pg18
+        env:
+          POSTGRES_USER: argoclaw_test
+          POSTGRES_PASSWORD: argoclaw_test_password
+          POSTGRES_DB: argoclaw_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd="pg_isready -U argoclaw_test"
+          --health-interval=5s
+          --health-timeout=5s
+          --health-retries=10
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Run DB Migrations
+        env:
+          POSTGRES_DSN: postgres://argoclaw_test:argoclaw_test_password@localhost:5432/argoclaw_test?sslmode=disable
+        run: |
+          go install -tags postgres github.com/golang-migrate/migrate/v4/cmd/migrate@latest
+          migrate -path migrations -database "$POSTGRES_DSN" up
+
+      - name: Run Tenant Isolation Tests (Store Layer)
+        env:
+          TEST_POSTGRES_DSN: postgres://argoclaw_test:argoclaw_test_password@localhost:5432/argoclaw_test?sslmode=disable
+          TEST_JWT_SECRET: ci-jwt-secret-for-tenant-isolation-tests-32b!
+        run: |
+          go test -v -race -count=1 -timeout 120s ./tests/tenant_isolation/...
+
+      - name: Upload Test Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: tenant-isolation-results
+          path: tests/tenant_isolation/
+          retention-days: 7

.github/workflows/docker-build.yml

@@ -0,0 +1,53 @@
+name: Build & Push Docker Image
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: vellus-ai/argoclaw
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ github.sha }}
+            ENABLE_PYTHON=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/docker-publish.yaml

@@ -7,11 +7,13 @@ on:
 
 env:
   GHCR_IMAGE: ghcr.io/${{ github.repository }}
-  DOCKERHUB_IMAGE: digitop/goclaw
+  DOCKERHUB_IMAGE: digitop/argoclaw
+  GAR_IMAGE: us-central1-docker.pkg.dev/vellus-ai-agent-platform/argoclaw/argoclaw
 
 permissions:
   contents: read
   packages: write
+  id-token: write  # Workload Identity Federation para GAR
 
 jobs:
   build-and-push:
@@ -22,6 +24,7 @@ jobs:
           # ── Runtime variants ──
           - variant: latest
             suffix: ""
+            enable_web_ui: "false"
             enable_otel: "false"
             enable_tsnet: "false"
             enable_redis: "false"
@@ -30,6 +33,7 @@ jobs:
             enable_full_skills: "false"
           - variant: node
             suffix: "-node"
+            enable_web_ui: "false"
             enable_otel: "false"
             enable_tsnet: "false"
             enable_redis: "false"
@@ -38,6 +42,7 @@ jobs:
             enable_full_skills: "false"
           - variant: python
             suffix: "-python"
+            enable_web_ui: "false"
             enable_otel: "false"
             enable_tsnet: "false"
             enable_redis: "false"
@@ -46,15 +51,29 @@ jobs:
             enable_full_skills: "false"
           - variant: full
             suffix: "-full"
+            enable_web_ui: "false"
             enable_otel: "false"
             enable_tsnet: "false"
             enable_redis: "false"
             enable_node: "true"
             enable_python: "true"
             enable_full_skills: "true"
+          # ── Web UI variant (React SPA embedded in binary) ──
+          # Issue #33: combines security patches (appsec-tenant-isolation, appsec-branding-validation)
+          # with the embedded React SPA. Built from main HEAD which already includes both.
+          - variant: webui
+            suffix: "-webui"
+            enable_web_ui: "true"
+            enable_otel: "false"
+            enable_tsnet: "false"
+            enable_redis: "false"
+            enable_node: "false"
+            enable_python: "false"
+            enable_full_skills: "false"
           # ── Build-tag variants ──
           - variant: otel
             suffix: "-otel"
+            enable_web_ui: "false"
             enable_otel: "true"
             enable_tsnet: "false"
             enable_redis: "false"
@@ -63,6 +82,7 @@ jobs:
             enable_full_skills: "false"
           - variant: tsnet
             suffix: "-tsnet"
+            enable_web_ui: "false"
             enable_otel: "false"
             enable_tsnet: "true"
             enable_redis: "false"
@@ -71,6 +91,7 @@ jobs:
             enable_full_skills: "false"
           - variant: redis
             suffix: "-redis"
+            enable_web_ui: "false"
             enable_otel: "false"
             enable_tsnet: "false"
             enable_redis: "true"
@@ -101,13 +122,28 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Authenticate to Google Cloud
+        id: gcp-auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Log in to Google Artifact Registry
+        uses: docker/login-action@v3
+        with:
+          registry: us-central1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.gcp-auth.outputs.access_token }}
+
       - name: Extract metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: |
             ${{ env.GHCR_IMAGE }}
             ${{ env.DOCKERHUB_IMAGE }}
+            ${{ env.GAR_IMAGE }}
           tags: |
             type=semver,pattern={{version}},suffix=${{ matrix.suffix }}
             type=semver,pattern={{major}}.{{minor}},suffix=${{ matrix.suffix }}
@@ -123,6 +159,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
+            ENABLE_WEB_UI=${{ matrix.enable_web_ui || 'false' }}
             ENABLE_OTEL=${{ matrix.enable_otel }}
             ENABLE_TSNET=${{ matrix.enable_tsnet }}
             ENABLE_REDIS=${{ matrix.enable_redis }}
@@ -159,13 +196,28 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Authenticate to Google Cloud
+        id: gcp-auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Log in to Google Artifact Registry
+        uses: docker/login-action@v3
+        with:
+          registry: us-central1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.gcp-auth.outputs.access_token }}
+
       - name: Extract metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: |
             ${{ env.GHCR_IMAGE }}-web
             ${{ env.DOCKERHUB_IMAGE }}-web
+            ${{ env.GAR_IMAGE }}-web
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}