Initial commit

Author: philippnagel

.github/workflows/deploy.yml

@@ -0,0 +1,31 @@
+name: Deploy to Fly.io
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Flyctl
+        uses: superfly/flyctl-actions/setup-flyctl@v1
+
+      - name: Set Fly secrets
+        run: |
+          flyctl secrets set \
+            GITHUB_APP_ID=${{ secrets.GITHUB_APP_ID }} \
+            GITHUB_WEBHOOK_SECRET=${{ secrets.GITHUB_WEBHOOK_SECRET }} \
+            SNAPSHOT_SIGNING_KEY=${{ secrets.SNAPSHOT_SIGNING_KEY }} \
+            GITHUB_APP_PRIVATE_KEY="${{ secrets.GITHUB_APP_PRIVATE_KEY }}"
+        env:
+          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+
+      - name: Deploy
+        run: flyctl deploy --remote-only
+        env:
+          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}

.gitignore

@@ -0,0 +1,45 @@
+# Node
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# Build output
+dist/
+coverage/
+
+# TypeScript
+*.tsbuildinfo
+
+# Env and secrets (never commit)
+.env
+.env.*
+!.env.example
+
+# OS / editor cruft
+.DS_Store
+Thumbs.db
+*.swp
+*.swo
+
+# Logs and temp
+logs/
+*.log
+tmp/
+temp/
+
+# Fly.io / Docker
+.fly/
+.fly.*
+*.tar
+
+# IDE
+.vscode/
+.idea/
+
+# Test artifacts
+jest-test-results.json
+
+# Repomix
+*repomix-output*

.repomixignore

@@ -0,0 +1,4 @@
+# Add patterns to ignore here, one per line
+# Example:
+# *.log
+# tmp/

Dockerfile

@@ -0,0 +1,11 @@
+
+FROM node:20-alpine
+WORKDIR /app
+COPY package.json package-lock.json* yarn.lock* pnpm-lock.yaml* ./
+RUN npm ci || yarn || pnpm i
+COPY tsconfig.json ./tsconfig.json
+COPY src ./src
+RUN npm run build
+ENV NODE_ENV=production
+EXPOSE 8080
+CMD ["node", "dist/app.js"]

README.md

@@ -0,0 +1,137 @@
+# ganttmarket
+
+GitHub-native prediction market MVP that stores state in GitHub Issues. Deployable to Fly.io with a one-click GitHub Actions workflow.
+
+## Features
+- Markets are Issues with a signed snapshot block (qYes, qNo, price, deadline, seq)
+- Create markets via comments: `/market create issue 123 deadline 2025-11-15`
+- Trade via comments: `/trade yes 10` or `/trade no 5`
+- Ledger Issue tracks balances and positions (signed, with seq)
+- Auto-resolution and payouts ($1 per winning share)
+- Simple in-memory rate limit: max 5 trades per user per minute
+- Minimal dependencies, no external DB
+- Dockerfile + fly.toml + Deploy-to-Fly GitHub Actions workflow
+
+## Architecture at a glance
+- Storage: GitHub Issues (market issue + single “Forecast Ledger” issue per repo)
+- Identity: GitHub username from webhook events
+- Math: LMSR AMM with tunable liquidity `b`
+- Safety:
+  - Signed JSON blocks prevent tampering
+  - Optimistic concurrency with `seq` for both market snapshots and ledger
+  - In-memory rate limiter for trade spam protection
+
+## Commands
+- Create market (comment on any issue or market issue):
+  - `/market create issue <number> deadline YYYY-MM-DD`
+- Trade (comment on market issue):
+  - `/trade yes <shares>`
+  - `/trade no <shares>`
+- Check balance and position in the current market:
+  - `/balance`
+
+## GitHub App setup
+1. Create a GitHub App:
+   - Permissions:
+     - Issues: Read & write
+     - Metadata: Read
+   - Webhooks: subscribe to `issues`, `issue_comment`
+2. Install the App on the target organization/repository.
+3. After deploying, set the webhook URL to:
+   - `https://<your-fly-app>.fly.dev/webhooks`
+
+## Fly.io deployment (via GitHub Actions)
+This repo includes `.github/workflows/deploy.yml` to build and deploy on push to `main` or manually via “Run workflow”.
+
+### Prerequisites
+- Install Fly CLI locally and create the app:
+  ```bash
+  flyctl apps create ganttmarket
+  flyctl auth token
+  ```
+- In your GitHub repo, add the following Actions secrets:
+  - `FLY_API_TOKEN`: from `flyctl auth token`
+  - `GITHUB_APP_ID`: numeric App ID
+  - `GITHUB_WEBHOOK_SECRET`: your webhook secret
+  - `SNAPSHOT_SIGNING_KEY`: a strong random string (256-bit)
+  - `GITHUB_APP_PRIVATE_KEY`: paste the PEM content of your app private key
+
+### Workflow file
+`.github/workflows/deploy.yml`:
+```yaml
+name: Deploy to Fly.io
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Flyctl
+        uses: superfly/flyctl-actions/setup-flyctl@v1
+
+      - name: Set Fly secrets
+        run: |
+          flyctl secrets set \
+            GITHUB_APP_ID=${{ secrets.GITHUB_APP_ID }} \
+            GITHUB_WEBHOOK_SECRET=${{ secrets.GITHUB_WEBHOOK_SECRET }} \
+            SNAPSHOT_SIGNING_KEY=${{ secrets.SNAPSHOT_SIGNING_KEY }} \
+            GITHUB_APP_PRIVATE_KEY="${{ secrets.GITHUB_APP_PRIVATE_KEY }}"
+        env:
+          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+
+      - name: Deploy
+        run: flyctl deploy --remote-only
+        env:
+          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+```
+
+### Deploy
+- Push to `main` or go to Actions → “Deploy to Fly.io” → “Run workflow”.
+- After the first deploy, update your GitHub App webhook URL to the Fly app URL:
+  - `https://<your-app>.fly.dev/webhooks`
+
+## Local development
+```bash
+npm install
+npm run dev
+```
+Environment variables (use Fly secrets in production):
+```
+PORT=8080
+GITHUB_APP_ID=123456
+GITHUB_APP_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
+GITHUB_WEBHOOK_SECRET=supersecret
+SNAPSHOT_SIGNING_KEY=some-long-random-256-bit-string
+MARKET_B=100
+```
+
+## Files
+- `src/` core TypeScript:
+  - `app.ts` Express server
+  - `webhooks.ts` GitHub webhook handlers (create, trade, balance, resolve)
+  - `lmsr.ts` AMM functions
+  - `snapshot.ts` signed market snapshot (with `seq`)
+  - `storage.ts` read/write snapshot into issue body
+  - `market.ts` market creation and trade application
+  - `ledger.ts` signed ledger snapshot (balances, positions, `seq`)
+  - `resolution.ts` outcome detection and payouts
+- `Dockerfile` container build
+- `fly.toml` Fly app config
+- `.github/workflows/deploy.yml` GitHub Actions deployment
+
+## Notes and limits
+- No selling/shorting; positions are buy-only for now. Selling can be approximated by buying the opposite side in binary markets, but proper shorting needs more accounting.
+- Concurrency: `seq` is incremented on each write; for high-traffic repos, consider adding a retry loop that re-reads the latest snapshot if `seq` changed between read and write.
+- Rate limits are in-memory and reset on process restart.
+
+## Troubleshooting
+- Webhook 401: ensure GitHub App webhook secret matches `GITHUB_WEBHOOK_SECRET`.
+- “Missing env” on startup: set all required secrets in Fly and/or local `.env`.
+- Actions deployment failing: verify `FLY_API_TOKEN` and that `fly.toml` has `app = "ganttmarket"` or your chosen app name.

TODO.md

@@ -0,0 +1,103 @@
+
+# TODO
+
+## 1) Security and Integrity
+- Enforce signature verification on every read of snapshots and ledger
+  - storage.readIssueSnapshot: verify with verifySnapshot; reject if invalid
+  - ledger.readLedger: already verifies; keep consistent
+- Add optimistic concurrency retries (seq-based)
+  - On trade: read -> compute -> write (seq+1); re-read and compare seq; retry N times (e.g., 3) on mismatch
+  - Apply same pattern for ledger writes
+- Add write receipts for partial failures
+  - If ledger updated but market snapshot write fails, post a bot comment noting partial update and suggesting retry/reconcile
+- Harden snapshot block parsing
+  - Ensure only one snapshot block exists; if multiple, prefer the first and remove extras; always re-render at top of body
+
+## 2) Permissions and Governance
+- Trading permissions
+  - Restrict to repo collaborators or org members (octokit.repos.getCollaboratorPermissionLevel)
+  - Optional: team-based allowlist via config
+- Conflict-of-interest flags
+  - If commenter can close the target issue, flag their trades in comments and (optionally) cap trade size
+- Max exposure per user per market
+  - Cap shares per side (e.g., 1,000) to limit manipulation
+
+## 3) Market Discovery and Metadata
+- Label market issues on creation
+  - Labels: `forecast-market`, `target-issue-<n>`
+  - Store target linkage in snapshot (already present)
+- Fast lookup by label
+  - In resolution and helpers, query by labels instead of scanning titles
+- Support multiple markets per target
+  - Encode `marketId` in a label (e.g., `market-id:<id>`) and in the title to disambiguate
+
+## 4) UX: Commands and Feedback
+- Add `/help` command listing supported commands and examples
+- Add `/sell yes|no <shares>` (optional)
+  - MVP: model sell as buying the opposite side; display cost/refund at current price
+- Improve trade feedback
+  - Show pre-trade and post-trade price, slippage, and remaining balance
+- Balance/portfolio
+  - `/portfolio` to list all open market positions and total exposure
+- Leaderboard
+  - Scheduled (GitHub Actions cron) job posts top balances to the Ledger Issue
+
+## 5) PR Integration
+- For PR-targeted markets, update a "Forecast" check on relevant events
+  - On trade and on PR sync, call checks.upsertForecastCheck with latest probability
+- Optionally display a badge in PR description via a bot comment that updates on trades
+
+## 6) Resolution Improvements
+- Deadline handling
+  - Use explicit timezone (UTC) and display local time hints
+- Manual override command
+  - `/market resolve <yes|no> reason:"..."` with audit log in the market issue
+- Auto-resolve scheduler
+  - GitHub Actions workflow that hits a maintenance endpoint or uses the API to scan and resolve past-deadline markets periodically
+
+## 7) Reliability and Performance
+- Add retry with backoff on GitHub API 5xx / rate limits
+- Add minimal request queueing to avoid burst writes on hot markets
+- Cache repo metadata (collaborator permission levels) in-memory with TTL
+- Paginate issue listing calls (currently per_page=100) and/or filter via labels
+
+## 8) Data Model Extensions
+- Record trade receipts
+  - Append a small JSON receipt inside the market issue as a separate block or dedicated comments with a `trade-receipt` marker
+  - Include: user, side, shares, cost, pre/post price, seq, timestamp
+- Transaction IDs
+  - Include a monotonic `txId` field in comments to assist audit/reconciliation
+
+## 9) Configuration and Policy
+- Repo-level config via a `.ganttmarket.yml`
+  - startingCredits, b parameter, rate limits, allowed roles/teams, max shares
+- Environment variables validation with human-friendly errors
+- Toggle features via labels (e.g., `forecast-enabled`)
+
+## 10) Testing and Tooling
+- Add unit tests for lmsr, parsing, and snapshot/ledger signing
+- Add integration tests using nock to stub GitHub API
+- Prettier/ESLint minimal setup for consistency
+
+## 11) Observability
+- Structured logging (JSON) with request IDs and event types
+- Optional webhook delivery logging for debugging signature/headers
+- Health endpoint to verify env and GitHub App configuration (without secrets)
+
+## 12) Documentation
+- Expand README with:
+  - Resolution criteria and edge cases (reopen after deadline, edited titles)
+  - Governance policies (who can trade, caps)
+  - Security model (signed blocks, seq)
+  - Troubleshooting guide (common webhook errors)
+
+## 13) Enterprise/Privacy Options
+- Redact PII in logs (only show GitHub login when necessary)
+- Data residency note (all state is in GitHub; no external DB)
+- Optional export command `/export` to produce CSV summary of markets, trades, balances
+
+## 14) Future Features
+- Conditional/scenario markets ("If +2 engineers, probability?")
+- Milestone and release markets with auto-deadlines from GitHub metadata
+- Slack/Teams notifications on big price moves
+- Visualization: tiny sparkline image rendered and posted as a comment (optional)

fly.toml

@@ -0,0 +1,21 @@
+
+app = "ganttmarket"
+primary_region = "iad"
+
+[build]
+  dockerfile = "Dockerfile"
+
+[env]
+  PORT = "8080"
+
+[[services]]
+  internal_port = 8080
+  protocol = "tcp"
+  [[services.ports]]
+    handlers = ["http"]
+    port = 80
+  [[services.tcp_checks]]
+    grace_period = "10s"
+    interval = "15s"
+    restart_limit = 0
+    timeout = "2s"

package.json

@@ -0,0 +1,22 @@
+
+{
+  "name": "github-prediction-market",
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "dev": "ts-node-esm src/app.ts",
+    "start": "node dist/app.js",
+    "build": "tsc"
+  },
+  "dependencies": {
+    "@octokit/rest": "^20.0.0",
+    "@octokit/webhooks": "^12.0.0",
+    "@octokit/auth-app": "^6.0.0",
+    "express": "^4.19.2",
+    "dotenv": "^16.4.5"
+  },
+  "devDependencies": {
+    "typescript": "^5.4.0",
+    "ts-node": "^10.9.2"
+  }
+}