diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..b589a41 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,85 @@ +# AGENTS.md + +A repository guide for contributors and coding agents. Read this before making +changes; it captures the architecture, conventions, and build system so you can +be productive without rediscovering them. + +## Project overview + +OCPP DebugKit Studio is a native desktop debugger for OCPP charging sessions, +built in Zig on the Native SDK (native-rendered `.native` markup + a Zig +`Model` / `Msg` / `update` loop — no WebView, no web frontend). It is a fully +independent sibling of the TypeScript `@ocpp-debugkit/toolkit`; the two share a +specification contract, not code (see `docs/adr/0001-independent-implementation.md`). + +## Repository layout + +``` +studio/ +├── app.zon # app manifest: identity, window, view, security policy +├── src/ +│ ├── main.zig # Model, Msg, update, app wiring +│ ├── app.native # the view (declarative markup) +│ └── tests.zig # headless view/model tests +├── scripts/smoke.sh # portable automation smoke test (Xvfb in CI) +├── docs/adr/ # architecture decision records +└── .github/workflows/ci.yml # CI: verify (macOS+Linux) + Linux Xvfb smoke +``` + +As the engine lands, source grows under `src/ocpp/` (the pure, headless-testable +engine), `src/ui/` (views), `src/capture/` (live proxy), and `src/cli.zig` +(headless mode). Keep the engine free of UI and platform dependencies. + +## Build commands + +The `native` CLI owns the build (zero-config — there is no `build.zig`): + +```sh +native dev # build Debug + run, with markup hot reload +native test # run the test suite +native test -Dplatform=null # headless tests (what CI runs) +native build # ReleaseFast binary → zig-out/bin/studio +native check --strict # validate src/*.native + app.zon +native doctor --strict # toolchain / environment health +``` + +Prerequisites: Zig `0.16.0` and `@native-sdk/cli` (`npm install -g @native-sdk/cli`). + +## Architecture principles + +- **Engine is pure Zig, UI-free.** Everything under `src/ocpp/` must be testable + headlessly with `native test`. The UI consumes it through the Model. +- **TEA discipline.** `.native` views are declarative; all side effects (spawn, + fetch, clipboard, sockets) go through the update-side effects channel. +- **Version-tagged protocol boundary.** The decoder keys off an OCPP version tag + so 2.0.1 can be added later without reworking 1.6J. +- **Conformance over duplication.** Studio mirrors the toolkit's *behavior* via a + vendored fixture + golden contract, not its source. + +## Conventions + +- **Commits:** [Conventional Commits](https://www.conventionalcommits.org) with an + area scope — `feat(engine):`, `fix(capture):`, `ci:`, `docs:`, `chore:`. +- **Issues before code.** Every PR links a tracking issue (`Closes #N`). +- **Tests ship with code.** No behavior lands without a test for it. +- **One concern per PR.** Code, tests, and docs for a change travel together. +- **Living docs.** Update `CURRENT_STATE.md` (and this file, when architecture + changes) inside the PR, never after merge. +- **CI is the gate.** `verify` (both OSes) and the Linux smoke job must be green. + +## Security constraints + +Trace files, pasted content, live socket data, and CLI arguments are **untrusted**. +Validate and bound them: safe parsing, explicit size and event-count limits, no +unbounded recursion, and non-sensitive error messages. Processing is local-first — +Studio never uploads user data. Never commit secrets or real identifiers; user- +loaded traces and runtime-generated reports contain the user's own data and must +never be altered by the tool. + +## Pointers + +- `README.md` — what Studio is and how to build it. +- `ROADMAP.md` — milestones and versions. +- `CURRENT_STATE.md` — what is built and in progress. +- `CONTRIBUTING.md` — setup and PR process. +- `docs/adr/` — why the project is shaped the way it is. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..571892c --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,127 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +- Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +- The use of sexualized language or imagery, and sexual attention or advances of + any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, + without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. + +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the project maintainers privately through +[GitHub Security Advisories](https://github.com/ocpp-debugkit/studio/security/advisories/new), +which provides a confidential channel to the maintainers. All complaints will be +reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +https://www.contributor-covenant.org/version/2/1/code_of_conduct.html. + +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][mozilla coc]. + +[homepage]: https://www.contributor-covenant.org +[mozilla coc]: https://github.com/mozilla/diversity + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..c2219d3 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,91 @@ +# Contributing to OCPP DebugKit Studio + +Thanks for your interest in contributing. Studio is an open-source project and +contributions of all kinds are welcome — code, tests, docs, bug reports, and +scenario ideas. + +## Prerequisites + +- [Zig](https://ziglang.org/download/) `0.16.0` +- The Native SDK CLI: `npm install -g @native-sdk/cli` + +Verify your environment: + +```sh +native doctor --strict +``` + +## Getting started + +```sh +git clone https://github.com/ocpp-debugkit/studio.git +cd studio +native test # should pass +native dev # opens the app +``` + +The `native` CLI owns the build — there is no `build.zig`. Edit `src/app.native` +while `native dev` runs and the window hot-reloads. + +## Development workflow + +Studio follows a milestone-driven, issue-first workflow: + +1. **Find or open an issue.** Every change starts with a tracking issue describing + scope and acceptance criteria. Comment to claim it. +2. **Branch** from `main`: `feat/…`, `fix/…`, `docs/…`, `chore/…`, `ci/…`. +3. **Implement** with tests. Keep the change to one concern. +4. **Update living docs** (`CURRENT_STATE.md`, and `AGENTS.md` if architecture + changed) in the same branch. +5. **Open a PR** that links the issue (`Closes #N`). Fill in what changed and how + you tested it. +6. CI must be green before merge. + +## Conventions + +- **Commits:** [Conventional Commits](https://www.conventionalcommits.org) with an + area scope, e.g. `feat(engine): parse JSONL traces`, `fix(ui): …`, `docs: …`, + `ci: …`, `chore: …`. +- **Tests ship with code.** No behavior merges without a test. Prefer headless + tests (`native test -Dplatform=null`) so they run on every platform. +- **One concern per PR.** Code, tests, and docs for a change travel together; + unrelated cleanups go in their own PR. +- **Style.** Match the surrounding code. `.editorconfig` sets indentation + (4-space Zig, 2-space markup / YAML / JSON / Markdown). + +## Validating your change + +```sh +native test -Dplatform=null # headless tests +native check --strict # markup + manifest +native doctor --strict # environment +./scripts/smoke.sh # drive the running app (builds with -Dautomation=true first) +``` + +## Security + +Treat all trace files, pasted content, socket data, and CLI arguments as +untrusted: validate input, bound sizes, and never expose internal paths in error +messages. Report vulnerabilities privately — see [SECURITY.md](SECURITY.md). +Never commit secrets or real identifiers. + +## AI-Assisted Development + +Maintainers may use AI-assisted development tools, but all contributions must be +reviewed, tested, documented, and scoped like normal engineering work. +AI-generated code is held to the same standards as any other contribution: it +must pass CI, include tests, be security-reviewed, and be understandable by a +human reviewer. + +Contributors using AI agents can point them at [AGENTS.md](AGENTS.md) for a +structured overview of this repository's architecture, conventions, and build +system. [CURRENT_STATE.md](CURRENT_STATE.md) reflects what has been built so far +and what is in progress — use it to orient your agent before starting work. + +No AI tool preference is assumed or required. The project does not endorse any +specific AI tool. + +## Code of Conduct + +This project follows the [Contributor Covenant](CODE_OF_CONDUCT.md). By +participating, you agree to uphold it. diff --git a/CURRENT_STATE.md b/CURRENT_STATE.md new file mode 100644 index 0000000..64f2483 --- /dev/null +++ b/CURRENT_STATE.md @@ -0,0 +1,53 @@ +# CURRENT_STATE.md + +> Living document — updated inside every PR before merge. + +## Current version + +`0.0.0` — pre-release foundation (unreleased). + +## Active milestone + +**S0 — Foundation** (see [ROADMAP.md](ROADMAP.md)). + +## What's done + +- **Repository genesis** — Apache-2.0 `LICENSE`, `.gitignore`. +- **Scaffold + identity** (#5) — native-rendered Native SDK skeleton (`app.zon`, + `src/main.zig`, `src/app.native`, `src/tests.zig`), `NOTICE`, `.editorconfig`; + bundle id `io.github.ocpp-debugkit.studio`, display name "OCPP DebugKit Studio". + A window opens; the placeholder counter view stands in until S3. +- **CI + automation smoke test** (#6) — `.github/workflows/ci.yml`: a `verify` + matrix (macOS + Linux) running doctor / validate / headless null-platform + tests / strict check, and a Linux Xvfb `smoke` job that drives the running + app through its automation server and uploads a rendered screenshot. + `scripts/smoke.sh` is the portable driver. + +## What's in progress + +- **Founding docs & governance** (this PR) — README, ROADMAP, CURRENT_STATE, + AGENTS, CONTRIBUTING, CODE_OF_CONDUCT, SECURITY. + +## What's next + +1. **Architecture decision records** — ADR-0001..0004 capturing the foundational + decisions (independent implementation, macOS-first, native-rendered, Zig). +2. **Close S0** — verify exit criteria, close the milestone. +3. **S1 — Engine core** — the pure-Zig OCPP types, parser, normalizer, and + session correlation. + +## Known blockers / decisions pending + +- None. Foundational decisions are captured (or being captured) as ADRs. + +## Area status + +| Area | Status | +| --- | --- | +| `repo` (tooling, CI) | ✅ done for S0 | +| `docs` (docs, ADRs) | 🔄 in progress | +| `ocpp` (engine) | ⬜ not started (S1) | +| `ui` (native views) | ⬜ placeholder (S3) | +| `capture` (live proxy) | ⬜ not started (S5) | +| `cli` (headless) | ⬜ not started (S4) | +| `conformance` | ⬜ not started (S2) | diff --git a/README.md b/README.md new file mode 100644 index 0000000..5b65bb0 --- /dev/null +++ b/README.md @@ -0,0 +1,76 @@ +# OCPP DebugKit Studio + +[![CI](https://github.com/ocpp-debugkit/studio/actions/workflows/ci.yml/badge.svg)](https://github.com/ocpp-debugkit/studio/actions/workflows/ci.yml) +[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE) + +> A native desktop debugger for OCPP charging sessions — the bench instrument of the OCPP DebugKit ecosystem. + +**OCPP DebugKit Studio** is a native desktop application for engineers building and operating OCPP charge points and CSMS backends. Think of it as *Wireshark for OCPP*: sit between a charging station and its backend, decode every frame live, flag protocol failures as they happen, and keep a high-performance offline inspector for the traces you capture. + +Studio is built in [Zig](https://ziglang.org) on the [Native SDK](https://github.com/vercel-labs/native) — native-rendered, no browser, no Electron. It starts instantly, stays small, and does the things a browser tab fundamentally cannot: open raw sockets, watch the filesystem, and run for days as a background monitor. + +> 🚧 **Early development.** The foundation is in place (a native window, green CI on macOS + Linux, an automation-driven smoke test). The OCPP engine and inspector UI are next — see the [roadmap](ROADMAP.md). + +## The ecosystem + +Studio is one of two independent products under the OCPP DebugKit umbrella: + +| Project | Language | Surface | Role | +| --- | --- | --- | --- | +| [`@ocpp-debugkit/toolkit`](https://github.com/ocpp-debugkit/toolkit) | TypeScript | npm library · CLI · web app | The library and CI brain — parse, analyze, and report OCPP traces anywhere | +| **`ocpp-debugkit/studio`** (this repo) | Zig | native desktop app | The instrument on the bench — live capture, native performance, OS integration | + +The two share **no code**. They meet only at a *conformance contract*: the same trace format, the same normalized event model, the same failure taxonomy, and the same scenario fixtures. A trace captured in Studio opens in the toolkit's web inspector, and vice versa — two independent implementations, one format. See [ADR-0001](docs/adr/0001-independent-implementation.md). + +## What it will do + +The near-term vision, in priority order (full detail in the [roadmap](ROADMAP.md)): + +- **Inspect** — open JSON / JSONL / bare-array traces; virtualized timeline, per-message inspector, session correlation, failure list. +- **Detect** — the full OCPP 1.6J failure taxonomy, streaming, as events arrive. +- **Watch** — a live WebSocket proxy between charge point and CSMS, decoding OCPP frames in flight and recording them to the canonical trace format. +- **Prove** — reports, trace diffing, anonymize-on-export, and wall-clock replay. +- **Scale** — stream-parse traces far past what a browser tab can hold. + +## Quick start + +Studio is a source-first project during early development. + +**Prerequisites** + +- [Zig](https://ziglang.org/download/) `0.16.0` +- The Native SDK CLI: `npm install -g @native-sdk/cli` + +**Build and run** + +```sh +git clone https://github.com/ocpp-debugkit/studio.git +cd studio + +native dev # build a Debug binary and run it, with markup hot reload +native test # run the headless test suite +native build # produce a ReleaseFast binary in zig-out/bin/ +native check # validate src/*.native markup and app.zon +``` + +The `native` CLI owns the build — there is no `build.zig` to manage. + +## Non-goals + +Studio is a debugging instrument, not infrastructure. It is **not**: + +- a production CSMS, or billing / fleet management; +- a compliance certification tool (no OCTT claims); +- a cloud service — it is local-first, with no accounts and no telemetry. + +## Contributing + +Contributions are welcome. Start with [CONTRIBUTING.md](CONTRIBUTING.md), and point your tooling at [AGENTS.md](AGENTS.md) for a structured overview of the architecture and conventions. [CURRENT_STATE.md](CURRENT_STATE.md) tracks what is built and what is in progress. + +## Security + +Please report vulnerabilities privately via [GitHub Security Advisories](https://github.com/ocpp-debugkit/studio/security/advisories/new). See [SECURITY.md](SECURITY.md). + +## License + +[Apache License 2.0](LICENSE) © OCPP DebugKit Contributors diff --git a/ROADMAP.md b/ROADMAP.md new file mode 100644 index 0000000..222e219 --- /dev/null +++ b/ROADMAP.md @@ -0,0 +1,70 @@ +# Roadmap + +Studio is built in milestones, each mapping to a semantic version. Milestones +are tracked as [GitHub milestones](https://github.com/ocpp-debugkit/studio/milestones); +this file is the human-readable summary. Scope may be refined as we learn — the +sequencing rationale (engine before UI, capture after the inspector exists) is +the stable part. + +| Milestone | Version | Theme | Status | +| --- | --- | --- | --- | +| **S0** | 0.0.x | Foundation | ✅ In progress | +| **S1** | 0.1.0 | Engine core | Next | +| **S2** | 0.1.0 | Detection + conformance | Planned | +| **S3** | 0.2.0 | Inspector UI | Planned | +| **S4** | 0.3.0 | Analysis parity+ | Planned | +| **S5** | 0.4.0 | Live capture ⭐ | Planned | +| **S6** | 1.0.0 | 1.0 polish | Planned | + +## S0 — Foundation (0.0.x) + +Repo, tooling, and CI. A native window that opens, an automation-driven smoke +test, founding docs, and architecture decision records. **Exit:** CI green on +macOS + Linux; `native doctor --strict` clean. + +## S1 — Engine core (0.1.0) + +The pure-Zig OCPP engine, headless and testable: canonical `Event` / `Session` +/ `Failure` types, a parser for the three input formats (JSON object, JSONL, +bare array), the normalizer (message-direction inference and timestamp +normalization), and session correlation by transaction id. + +## S2 — Detection + conformance (0.1.0) + +The full OCPP 1.6J failure taxonomy in Zig, plus the conformance harness that +runs the shared scenario fixtures and checks Studio's detected failures against +locked goldens. **Exit:** the shared scenarios match, byte for byte. + +## S3 — Inspector UI (0.2.0) + +The native inspector: open and drag-drop traces, a virtualized event timeline, +the per-message inspector, the failure panel, search / filter, and a +multi-trace workspace. Handles traces far larger than a browser tab can hold. + +## S4 — Analysis parity+ (0.3.0) + +Reach parity with the toolkit's analysis surface: Markdown / HTML reports, +anonymize-on-export, trace diffing, and replay — with real wall-clock playback +that the offline library cannot offer. A headless CLI mode ships in the same +binary. + +## S5 — Live capture ⭐ (0.4.0) + +The flagship. A live WebSocket proxy between a charge point and its CSMS, +decoding OCPP frames in flight, running detection as events stream, recording +to the canonical trace format, and surfacing it all in a live timeline — with +OS notifications on critical failures. This is the capability a browser tab +cannot provide, and the reason Studio exists. + +## S6 — 1.0 polish (1.0.0) + +A signed macOS app and a Linux package, a menu-bar live monitor, a complete +docs set, an automation-driven GUI test suite, and the frozen conformance +contract. Public 1.0 release. + +## Beyond 1.0 + +Sequenced one theme per minor: a message composer / playground, a charge-point +simulator, a CSMS mock, an active scenario runner (running the assertion suite +against live endpoints), TLS proxy support, and — behind the same +version-tagged decoder boundary — OCPP 2.0.1. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8684e93 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,37 @@ +# Security Policy + +## Reporting a vulnerability + +Please report security vulnerabilities **privately** through GitHub Security +Advisories: + +**https://github.com/ocpp-debugkit/studio/security/advisories/new** + +Do not open a public issue for security reports. We will acknowledge your report, +investigate, and coordinate a fix and disclosure with you. + +## Supported versions + +Studio is in early development (pre-`1.0`). Security fixes are applied to the +`main` branch and the latest release. There are no long-term-support branches +yet. + +## Security principles + +Studio is a debugging instrument that processes untrusted data. Its design holds +to a few principles: + +- **Untrusted input.** Trace files, pasted content, live socket data, and CLI + arguments are treated as untrusted: parsed safely, bounded in size and event + count, and never allowed to exhaust memory or hang the UI. +- **Local-first.** Studio processes data on your machine. It has no accounts, no + telemetry, and never uploads your traces. +- **Your data is yours.** User-loaded traces and the reports Studio generates + contain your own data; the tool never silently alters or exfiltrates them. +- **Least privilege.** Network listeners, filesystem watches, and other native + capabilities are opt-in and scoped to the task at hand. + +## Scope + +This policy covers the Studio application in this repository. The TypeScript +`@ocpp-debugkit/toolkit` is a separate project with its own security policy.