feat: ship opencto sdk and cli v0.1.1 with byok and rate limits (#40)

* feat: implement opencto mobile app mvp v1 ios foundation

* feat(landing): redesign opencto landing for conversion and trust

* chore: downgrade mobile app to expo sdk 54

* feat: rebrand mobile app with opencto assets and theme

* feat(sdk): scaffold @heysalad/opencto client package

* feat(sdk): add mqtt transport and protocol v1 foundation

* feat(sdk): add oauth device flow and token store adapters

* feat(sdk): add mqtt inbound dedupe controls

* feat(sdk): add mqtt publish retry delivery policy

* feat(cli): scaffold opencto sdk-powered commands

* feat(cli): add workflow directory commands

* feat(cli): load workflow directory from json or yaml files

* fix(sdk,cli): harden esm runtime imports and add workflow starter file

* chore(release): bump sdk and cli to v0.1.1

* feat(api): add encrypted BYOK keys and llm endpoint rate limits

* feat: add byok workspace wiring and endpoint hardening tests

* fix(api): enforce workspace access for byok keys

* docs: add opencto sdk-cli release runbook and script

* docs: fix markdownlint formatting in opencto runbooks

---------

Co-authored-by: Codex <codex@example.com>

Author: chilu18

docs/opencto/HF_CHERI_OPENVINO_EVALUATION.md

@@ -18,6 +18,7 @@ On the server:
 - Hugging Face token with access to the model (`HF_TOKEN`)
 
 Set token:
+
 ```bash
 export HF_TOKEN='hf_...'
 ```
@@ -53,6 +54,7 @@ pip install "torch>=2.3" "transformers>=4.50" "accelerate>=0.34" "huggingface_hu
 ```
 
 Quick latency check:
+
 ```bash
 python3 - <<'PY'
 import os, time
@@ -74,12 +76,14 @@ PY
 ## 5) OpenVINO Export + Runtime
 
 Install:
+
 ```bash
 source .venv-cheri/bin/activate
 pip install -U "optimum-intel[openvino]" "openvino>=2024.4"
 ```
 
 Export (try int8 first, then int4 if supported):
+
 ```bash
 optimum-cli export openvino \
   --model HeySalad/Cheri-ML-1.3B \
@@ -89,6 +93,7 @@ optimum-cli export openvino \
 ```
 
 If int8 fails or is too slow, try:
+
 ```bash
 optimum-cli export openvino \
   --model HeySalad/Cheri-ML-1.3B \
@@ -98,6 +103,7 @@ optimum-cli export openvino \
 ```
 
 Run OpenVINO inference benchmark:
+
 ```bash
 python3 - <<'PY'
 import time

docs/opencto/NEXT_STEPS_RPI.md

@@ -25,6 +25,7 @@ Move from scaffolded frontend/mocks to production-ready backend-backed auth, bil
 ## 3. RPi Execution Plan (Ordered)
 
 ### Step A: Sync and branch from latest main
+
 ```bash
 cd /home/admin/CTO-AI
 # or: cd /home/peter/CTO-AI-phase2-clean
@@ -36,6 +37,7 @@ git checkout -b feat/opencto-phase7-backend-auth-billing-compliance
 ```
 
 ### Step B: Validate local baseline before edits
+
 ```bash
 cd opencto/opencto-dashboard
 npm install
@@ -98,6 +100,7 @@ Frontend already has `signInWithProvider(provider)` contract. Next:
 - CI green on lint/build/test.
 
 ## 5. Recommended First RPi Prompt (Copy/Paste)
+
 ```text
 Implement Phase 7 backend-live integration for OpenCTO.
 
@@ -125,4 +128,3 @@ Rules:
 - Workstream 1: Backend auth/session.
 - Workstream 2: Billing + Stripe webhook pipeline.
 - Workstream 3: Jobs/compliance live data + websocket stream.
-

docs/opencto/REALTIME_AGENT_CODEX_TASK.md

@@ -161,6 +161,7 @@ interface AudioConfig {
 The Cloudflare Worker backend. Relevant endpoints:
 
 **Token endpoint** (already working):
+
 ```
 POST /api/v1/realtime/token
 Authorization: Bearer demo-token
@@ -171,6 +172,7 @@ Body: { "model": "gpt-4o-realtime-preview" }
 ```
 
 **Tool proxy endpoints** (already wired, need VERCEL_TOKEN / CF_API_TOKEN / CF_ACCOUNT_ID secrets set):
+
 ```
 GET /api/v1/cto/vercel/projects
 GET /api/v1/cto/vercel/projects/:id/deployments
@@ -318,6 +320,7 @@ getUserMedia({ audio: true })
 ```
 
 The worklet code (inline Blob) converts Float32 mic samples → Int16 PCM16:
+
 ```js
 class PcmCaptureProcessor extends AudioWorkletProcessor {
   process(inputs) {
@@ -368,7 +371,7 @@ Browser → sends { type: "response.create", response: {} }
 ### Server events to handle
 
 | Event type | What to do |
-|---|---|
+| --- | --- |
 | `session.created` | Log it; optionally send session.update here instead of on ws.onopen |
 | `session.updated` | Log it |
 | `conversation.item.input_audio_transcription.completed` | Emit `user_transcript` event with `event.transcript` |
@@ -385,7 +388,7 @@ Browser → sends { type: "response.create", response: {} }
 When `response.function_call_arguments.done` fires with `name`, dispatch to:
 
 | `name` | Worker endpoint | How to call |
-|---|---|---|
+| --- | --- | --- |
 | `list_vercel_projects` | `GET /api/v1/cto/vercel/projects` | no args |
 | `list_vercel_deployments` | `GET /api/v1/cto/vercel/projects/{projectId}/deployments` | args.projectId |
 | `get_vercel_deployment` | `GET /api/v1/cto/vercel/deployments/{deploymentId}` | args.deploymentId |
@@ -477,11 +480,13 @@ All must pass with 0 errors.
 ## Environment Variables
 
 `.env.local` (already set, do not change):
+
 ```
 VITE_API_BASE_URL=https://opencto-api-worker.heysalad-o.workers.dev
 ```
 
 Cloudflare Worker secrets (set separately with `wrangler secret put`):
+
 ```
 OPENAI_API_KEY   ← already set on the deployed worker
 VERCEL_TOKEN     ← set this for Vercel tool calls to work

docs/opencto/VOICE_BACKEND_RUNBOOK.md

@@ -64,48 +64,56 @@ Expected ingress:
 ## 6) Operations Commands
 
 Service status:
+
 ```bash
 sudo systemctl status opencto-voice-backend --no-pager -n 50
 sudo systemctl status cloudflared --no-pager -n 50
 ```
 
 Restart services:
+
 ```bash
 sudo systemctl restart opencto-voice-backend
 sudo systemctl restart cloudflared
 ```
 
 Tail logs:
+
 ```bash
 journalctl -u opencto-voice-backend -f
 journalctl -u cloudflared -f
 ```
 
 Port checks:
+
 ```bash
 ss -ltnp | rg '8090|cloudflared|uvicorn'
 ```
 
 ## 7) Smoke Tests
 
 Local app health:
+
 ```bash
 curl -sS http://127.0.0.1:8090/health
 ```
 
 Public health:
+
 ```bash
 curl -sS https://cloud-services-api.opencto.works/health
 ```
 
 Local response:
+
 ```bash
 curl -sS -X POST http://127.0.0.1:8090/v1/respond \
   -H 'Content-Type: application/json' \
   -d '{"text":"Say hello in one line"}'
 ```
 
 Public response:
+
 ```bash
 curl -sS -X POST https://cloud-services-api.opencto.works/v1/respond \
   -H 'Content-Type: application/json' \
@@ -132,10 +140,12 @@ curl -sS -X POST https://cloud-services-api.opencto.works/v1/respond \
 ## 10) Migration to Repo-Managed Deployment (Recommended)
 
 1. Clone repo:
+
 ```bash
 cd /home/hs-chilu/heysalad-ai-projects
 git clone git@github.com:Hey-Salad/CTO-AI.git
 ```
+
 2. Create backend runtime dir from repo source (or update service `WorkingDirectory`).
 3. Validate with local health check.
 4. Switch systemd `WorkingDirectory` + `ExecStart` to repo-managed path.

opencto.workflows.json

@@ -0,0 +1,73 @@
+{
+  "workflows": [
+    {
+      "id": "engineering-ci",
+      "name": "Engineering CI",
+      "description": "Install, lint, test, and build with pnpm defaults.",
+      "commandTemplates": [
+        "pnpm install --frozen-lockfile",
+        "pnpm lint",
+        "pnpm test",
+        "pnpm build"
+      ]
+    },
+    {
+      "id": "founder-landing-launch",
+      "name": "Founder Landing Launch",
+      "description": "Validate and build landing page plus dashboard for deployment.",
+      "commandTemplates": [
+        "cd opencto/opencto-landing && npm ci",
+        "cd opencto/opencto-landing && npm run build",
+        "cd opencto/opencto-dashboard && npm ci",
+        "cd opencto/opencto-dashboard && npm run lint",
+        "cd opencto/opencto-dashboard && npm run build"
+      ]
+    },
+    {
+      "id": "founder-content-seo",
+      "name": "Founder Content SEO",
+      "description": "Generate SEO assets and validate output artifacts.",
+      "commandTemplates": [
+        "npm run content:plan -- --topic \"{{topic}}\"",
+        "npm run content:draft -- --topic \"{{topic}}\" --persona \"{{persona}}\"",
+        "npm run content:publish -- --topic \"{{topic}}\""
+      ]
+    },
+    {
+      "id": "founder-sales-outreach",
+      "name": "Founder Sales Outreach",
+      "description": "Generate lead list and outbound sequence assets.",
+      "commandTemplates": [
+        "npm run sales:leads -- --segment \"{{segment}}\"",
+        "npm run sales:sequence -- --segment \"{{segment}}\" --offer \"{{offer}}\"",
+        "npm run sales:send -- --segment \"{{segment}}\""
+      ]
+    },
+    {
+      "id": "founder-demo-pack",
+      "name": "Founder Demo Pack",
+      "description": "Assemble product + GTM demo artifacts for judges or customers.",
+      "commandTemplates": [
+        "npm run demo:product",
+        "npm run demo:marketing",
+        "npm run demo:ops",
+        "npm run demo:bundle"
+      ]
+    },
+    {
+      "id": "sdk-release-check",
+      "name": "SDK Release Check",
+      "description": "Quality gates for sdk and cli packages before publish.",
+      "commandTemplates": [
+        "cd opencto/opencto-sdk-js && npm ci",
+        "cd opencto/opencto-sdk-js && npm run lint",
+        "cd opencto/opencto-sdk-js && npm run test",
+        "cd opencto/opencto-sdk-js && npm run build",
+        "cd opencto/opencto-cli && npm ci",
+        "cd opencto/opencto-cli && npm run lint",
+        "cd opencto/opencto-cli && npm run test",
+        "cd opencto/opencto-cli && npm run build"
+      ]
+    }
+  ]
+}

opencto/OPENCTO_PACKAGES_RELEASE.md

@@ -0,0 +1,55 @@
+# OpenCTO Package Release Runbook
+
+This runbook is for shipping:
+
+- `@heysalad/opencto`
+- `@heysalad/opencto-cli`
+
+## Preconditions
+
+1. Work on your release branch (never `main` directly).
+2. `opencto/opencto-sdk-js` and `opencto/opencto-cli` must be committed and clean.
+3. npm auth must be active on this machine:
+   - `npm whoami`
+
+## One-command release
+
+From repository root:
+
+```bash
+./opencto/scripts/release-opencto-packages.sh
+```
+
+What it does:
+
+1. Verifies npm auth.
+2. Runs `lint`, `test`, `build` for SDK.
+3. Publishes `@heysalad/opencto`.
+4. Runs `lint`, `test`, `build` for CLI.
+5. Publishes `@heysalad/opencto-cli`.
+
+## Manual fallback
+
+If you want step-by-step control:
+
+```bash
+cd opencto/opencto-sdk-js
+npm run lint && npm run test && npm run build
+npm publish --access public
+
+cd ../opencto-cli
+npm run lint && npm run test && npm run build
+npm publish --access public
+```
+
+## Post-release verification
+
+```bash
+npm view @heysalad/opencto version
+npm view @heysalad/opencto-cli version
+```
+
+## Notes
+
+- `@heysalad/opencto-cli` depends on `@heysalad/opencto`, so publish SDK first.
+- If npm returns `ENEEDAUTH`, run `npm login` and retry.

opencto/mobile-app/.gitignore

@@ -0,0 +1,41 @@
+# Learn more https://docs.github.com/en/get-started/getting-started-with-git/ignoring-files
+
+# dependencies
+node_modules/
+
+# Expo
+.expo/
+dist/
+web-build/
+expo-env.d.ts
+
+# Native
+.kotlin/
+*.orig.*
+*.jks
+*.p8
+*.p12
+*.key
+*.mobileprovision
+
+# Metro
+.metro-health-check*
+
+# debug
+npm-debug.*
+yarn-debug.*
+yarn-error.*
+
+# macOS
+.DS_Store
+*.pem
+
+# local env files
+.env*.local
+
+# typescript
+*.tsbuildinfo
+
+# generated native folders
+/ios
+/android