Set up Copilot coding agent instructions and automated environment setup

[Copilot]

• Add .github/copilot-setup-steps.yml for automated environment bootstrap
• Rewrite .github/copilot-instructions.md with architecture overview, coding conventions, and reorganized sections
• Fix DB convention bullets: soft deletes apply to user-generated content; account deletion is a hard delete; timestamps guidance clarified for short-lived records
• Fix API validation snippet: use GET / (public health check) and a real protected route (/api/packs) instead of non-existent /api/health
• Add --frozen-lockfile to bun install in copilot-setup-steps.yml to prevent silent lockfile drift
• Fix source ~/.bashrc → source "$HOME/.bun/env" for cross-shell compatibility (bash + zsh)
• Document what bun clean does (removes node_modules, build artifacts, caches across all workspaces)
• Replace hardcoded API response string with robust grep check in validation snippet

Original prompt

---

This section details on the original issue you should resolve

<issue_title>✨ Set up Copilot instructions</issue_title>
<issue_description>Configure instructions for this repository as documented in Best practices for Copilot coding agent in your repository.

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes ✨ Set up Copilot instructions #1908

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[andrew-bierman]

@copilot

[Copilot]

Pull request overview

Adds repository-specific GitHub Copilot coding agent configuration so the agent can bootstrap the monorepo reliably (Bun + private package auth) and follow PackRat’s established architectural/coding patterns.

Changes:

• Added .github/copilot-setup-steps.yml to install Bun and run bun install with the required PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN.
• Rewrote .github/copilot-instructions.md to remove duplication and document architecture, conventions, workflows, and common dev commands.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/copilot-setup-steps.yml	Automates agent environment bootstrap (Bun install + dependency install with private package token).
.github/copilot-instructions.md	Consolidates and expands agent guidance: architecture, coding conventions, workflows, validation, and timeouts.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

The API validation example uses curl http://localhost:8787/api/health, but the API worker doesn't define a /api/health route (it mounts routes under /api/* and has a simple liveness endpoint at GET /). Also, a 401 expectation is only true for routes under protectedRoutes; public endpoints like /api/auth/*, /doc, and /scalar are accessible without bearer auth. Update the validation snippet to hit an existing endpoint and clarify what should/shouldn't require auth.

[Copilot]

The Database conventions claim "never hard-delete user data" and "Always add createdAt and updatedAt". In the current API, the account deletion flow hard-deletes user rows and related data (e.g. db.delete(users) in packages/api/src/routes/auth/index.ts), and several tables only have createdAt (e.g. authProviders, oneTimePasswords, refreshTokens). Consider rephrasing these bullets to match current behavior (e.g. soft-delete for user-generated entities like packs/items, but account deletion is a hard delete; timestamps are recommended where needed for sync/auditing).

[andrew-bierman]

@copilot

[andrew-bierman]

@coderabbitai Please review this PR for code quality, best practices, and potential issues.

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read the new/modified files in the PR
echo "=== .github/copilot-setup-steps.yml ==="
cat .github/copilot-setup-steps.yml

echo ""
echo "=== .github/copilot-instructions.md ==="
cat .github/copilot-instructions.md

Length of output: 11540

---

🏁 Script executed:

#!/bin/bash
# Check the package name in packages/api
cat packages/api/package.json | grep '"name"' | head -5

# Also check if there's a bunfig.toml or .npmrc for private package auth
echo "=== bunfig.toml ==="
cat bunfig.toml 2>/dev/null || echo "(not found)"
echo "=== .npmrc ==="
cat .npmrc 2>/dev/null || echo "(not found)"

# Check if bun version is pinned anywhere
echo "=== bun version in package.json ==="
cat package.json | grep -E '"bun"|"engines"' | head -10

echo "=== package.json engines ==="
python3 -c "import json; d=json.load(open('package.json')); print(d.get('engines', 'not set'), d.get('packageManager', 'not set'))"

Length of output: 271

---

@andrew-bierman: Here's my review of PR #1910.

---

.github/copilot-setup-steps.yml

1. 🔴 Bun version is not pinned

- name: Install Bun
  run: |
    curl -fsSL https://bun.sh/install | bash
    echo "$HOME/.bun/bin" >> $GITHUB_PATH

Always installing the latest Bun can cause non-reproducible agent environments if a breaking Bun release ships. Consider pinning a version:

- name: Install Bun
  run: |
    curl -fsSL https://bun.sh/install | bash -s -- "bun-v1.2.x"
    echo "$HOME/.bun/bin" >> $GITHUB_PATH

Or, since the root package.json has no engines/packageManager field, consider adding:

"packageManager": "bun@1.2.x"

…and using corepack enable instead.

2. 🟡 bun install without --frozen-lockfile

- name: Install dependencies
  run: bun install

In a CI/agent context, bun install without --frozen-lockfile can silently update bun.lock if it drifts from package.json. This could cause confusing failures downstream. Recommend:

- name: Install dependencies
  run: bun install --frozen-lockfile

---

.github/copilot-instructions.md

3. 🟡 source ~/.bashrc won't work on macOS

In the Prerequisites and Installation section:

curl -fsSL https://bun.sh/install | bash
source ~/.bashrc

macOS uses zsh by default, so ~/.bashrc may not exist or may not be sourced. The Bun installer writes a shell-agnostic env file. Recommend:

curl -fsSL https://bun.sh/install | bash
source "$HOME/.bun/env"   # works for bash and zsh alike

4. 🟡 Hardcoded curl response string may become stale

curl http://localhost:8787/            # expect 200 "PackRat API is running!"

If the root response text ever changes, this comment silently misleads. Consider either omitting the expected body or checking it programmatically:

curl -sf http://localhost:8787/ | grep -q "PackRat API" && echo "OK"

5. ℹ️ bun clean is undocumented

The Clean Install section references bun clean without explaining what it does (e.g., removes node_modules, .turbo, build caches). A short parenthetical would help the agent understand when to use it vs. a plain re-install.

---

Positives ✅

• The import path @packrat/api/types/routeHandler in the route example is correct (matches packages/api/package.json).
• The PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN env var approach aligns with the existing bunfig.toml scoped registry config — no extra auth steps needed.
• The API validation snippet fix (GET / + /api/packs) is accurate and better than the previous non-existent /api/health endpoint.
• Timeout guidance and the NEVER CANCEL notes are valuable for a coding agent context.
• The feature flag pattern and module structure conventions are clearly documented.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fee669bd-8cbf-4a22-83aa-37da501adea8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/set-up-copilot-instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andrew-bierman]

@copilot CodeRabbit has provided review feedback on this PR. Please address the comments and suggestions. Once you've made the necessary changes, I'll ask CodeRabbit to re-review.

[Copilot]

@copilot CodeRabbit has provided review feedback on this PR. Please address the comments and suggestions. Once you've made the necessary changes, I'll ask CodeRabbit to re-review.

Addressed all four CodeRabbit suggestions in commit 0b09e95:

• copilot-setup-steps.yml: Added --frozen-lockfile to bun install to prevent silent lockfile drift in CI/agent environments.
• copilot-instructions.md: Fixed source ~/.bashrc → source "$HOME/.bun/env" for cross-shell compatibility (works for both bash and zsh). Added a description of what bun clean does (removes node_modules, build artifacts, and caches across all workspaces). Replaced the hardcoded "PackRat API is running!" expected body with a grep-based check that won't silently mislead if the string ever changes.

[andrew-bierman]

Lgtm!