feat: initial v0.1.0 public release

GitHub App for automated AuraOne evaluations on pull requests.

- Probot-style listener for pull_request events
- Reads .auraone.yml / .auraone.yaml from PR head
- Posts a auraone/evaluation Check Run with score + evidence link
- Optional merge-block via configurable threshold
- Uses @auraone/sdk for hosted API calls

Distributed as source for self-hosting. A hosted version is
available through the AuraOne dashboard.

Author: gchahal1982

.github/workflows/ci.yml

@@ -0,0 +1,24 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          cache: npm
+      - name: Install (skip @auraone/sdk linking issues for now)
+        run: npm install --no-package-lock || true
+      - name: Lint
+        run: npm run lint
+      - name: Test
+        run: npm test

.gitignore

@@ -0,0 +1,8 @@
+node_modules/
+.DS_Store
+.env
+.env.local
+*.log
+.vscode/
+.idea/
+coverage/

CHANGELOG.md

@@ -0,0 +1,19 @@
+# Changelog
+
+All notable changes to `@auraone/github-app` are documented here.
+
+## [0.1.0] - 2026-05-11
+
+Initial public release.
+
+### Added
+
+- Probot-based GitHub App that listens for `pull_request` events.
+- Configuration via `.auraone.yml` (or `.auraone.yaml`) in the target repository.
+- Posts a `auraone/evaluation` Check Run with run status, score, and a link to the evidence record.
+- Optional merge-block via configurable threshold.
+- Uses `@auraone/sdk` for hosted API access.
+
+### Notes
+
+- Distributed as source for self-hosting. A hosted version is available via the AuraOne dashboard.

CODE_OF_CONDUCT.md

@@ -0,0 +1,23 @@
+# Code of Conduct
+
+This project adopts the [Contributor Covenant, version 2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) as its code of conduct.
+
+## Scope
+
+This Code of Conduct applies within all project spaces — issues, pull requests, discussions, and any other interaction tied to this repository.
+
+## Reporting
+
+If you experience or witness behavior that violates the Code of Conduct, please report it privately to:
+
+- `conduct@auraone.ai`
+
+Reports will be reviewed and handled with discretion. Reporters will not be identified without their permission.
+
+## Enforcement
+
+Project maintainers are responsible for clarifying standards and may take any action they deem appropriate in response to a violation, up to and including a temporary or permanent ban from project spaces.
+
+## Attribution
+
+The Contributor Covenant is available at https://www.contributor-covenant.org. For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq.

CONTRIBUTING.md

@@ -0,0 +1,40 @@
+# Contributing to @auraone/github-app
+
+Thanks for your interest in contributing. This repository hosts a Probot-style GitHub App that runs AuraOne evaluations on pull requests.
+
+## Scope
+
+We welcome:
+
+- Bug reports with a minimal reproduction.
+- Documentation fixes — including `.auraone.yml` config schema improvements.
+- Additional check states, comment formats, or merge-gating policies.
+- Improvements to the self-hosting setup.
+
+Out of scope:
+
+- Hosted AuraOne backend behavior.
+
+## Development
+
+```bash
+git clone https://github.com/auraoneai/github-app.git
+cd github-app
+npm install
+cp .env.example .env  # fill in dev credentials
+npm run dev
+npm test
+```
+
+## Pull request expectations
+
+- Keep changes focused.
+- Add or update tests when changing behavior.
+
+## Code of Conduct
+
+By participating, you agree to abide by the [Code of Conduct](CODE_OF_CONDUCT.md).
+
+## License
+
+Contributions are made under the [MIT License](LICENSE).

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AuraOne
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,67 @@
+# @auraone/github-app
+
+GitHub App for automated AuraOne evaluations on pull requests.
+
+Drops AuraOne eval runs into the PR check experience: open a PR, the app picks up the configuration in `.auraone.yml`, runs the configured eval against the bundle or model under change, and posts results as a Check Run with a structured summary comment.
+
+This is the **source** distribution for self-hosting or contribution. A hosted instance of the same app is available via the AuraOne dashboard once you have an account.
+
+## What it does
+
+- Listens for `pull_request` events on installed repositories.
+- Reads `.auraone.yml` (or `.auraone.yaml`) from the PR head.
+- Calls the AuraOne hosted API via [`@auraone/sdk`](https://www.npmjs.com/package/@auraone/sdk) to start an evaluation run.
+- Reports a `auraone/evaluation` Check Run with status, score, and a link to the full evidence record.
+- Optionally blocks merge until the eval passes a configured threshold.
+
+## Configuration
+
+Drop a `.auraone.yml` in your repo root:
+
+```yaml
+template_id: rubric.web.qa
+agent_bundle_url: s3://my-bucket/bundle.zip
+threshold: 0.85
+fail_on_threshold: true
+```
+
+## Self-hosting
+
+```bash
+git clone https://github.com/auraoneai/github-app.git
+cd github-app
+npm install
+cp .env.example .env  # fill in GitHub App credentials + AURAONE_API_KEY
+npm start
+```
+
+### Required env vars
+
+- `GITHUB_APP_ID`
+- `GITHUB_PRIVATE_KEY` (PEM)
+- `GITHUB_WEBHOOK_SECRET`
+- `AURAONE_API_KEY`
+- `AURAONE_BASE_URL` (optional, defaults to `https://api.auraone.ai`)
+
+## Hosted version
+
+If you'd rather not self-host, install the hosted version from the AuraOne dashboard at https://www.auraone.ai/developers/integrations.
+
+## Development
+
+```bash
+npm install
+npm run dev    # nodemon
+npm test       # jest
+npm run lint
+```
+
+## Related
+
+- [`@auraone/sdk`](https://www.npmjs.com/package/@auraone/sdk) — TypeScript SDK this app uses internally.
+- [`auraone-sdk`](https://pypi.org/project/auraone-sdk/) — Python SDK with the same API surface.
+- [`auraone-evalkit`](https://pypi.org/project/auraone-evalkit/) — local, no-account evaluation tooling.
+
+## License
+
+MIT — see [LICENSE](LICENSE).

SECURITY.md

@@ -0,0 +1,39 @@
+# Security Policy
+
+## Scope
+
+This policy covers the `@auraone/sdk` TypeScript SDK source published in this repository.
+
+The hosted AuraOne backend at `api.auraone.ai` is out of scope for this repository. Backend security reports should be sent to `security@auraone.ai`.
+
+## Supported versions
+
+| Version | Supported |
+| --- | --- |
+| 0.1.x | Yes |
+
+## Reporting a vulnerability
+
+Please report security issues privately. Do not open a public GitHub issue.
+
+- Email: `security@auraone.ai`
+- Subject: `[github-app] <short description>`
+
+Include:
+
+- Affected SDK version.
+- Description and impact.
+- Steps to reproduce, ideally with a minimal proof-of-concept.
+- Any suggested mitigation.
+
+We'll acknowledge within 3 business days.
+
+## What we consider a vulnerability
+
+- Arbitrary code execution from SDK methods processing trusted-looking input.
+- Token / credential leakage paths.
+- Insecure default authentication or transport behavior.
+
+## Disclosure
+
+We prefer coordinated disclosure. We'll work with you on a timeline that gives users time to upgrade before public details are published.

package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@auraone/github-app",
+  "version": "0.1.0",
+  "description": "GitHub App for automated AuraOne evaluations on pull requests.",
+  "main": "src/app.js",
+  "scripts": {
+    "start": "node src/app.js",
+    "dev": "nodemon src/app.js",
+    "test": "jest",
+    "lint": "eslint src --ext .js",
+    "lint:fix": "eslint src --ext .js --fix"
+  },
+  "keywords": [
+    "github",
+    "app",
+    "ci-cd",
+    "auraone",
+    "ai",
+    "evaluation",
+    "automation"
+  ],
+  "author": "AuraOne",
+  "license": "MIT",
+  "dependencies": {
+    "@octokit/app": "^14.0.2",
+    "@octokit/webhooks": "^12.0.4",
+    "@auraone/sdk": "^0.1.0",
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "eslint": "^8.54.0",
+    "jest": "^29.7.0",
+    "nodemon": "^3.0.1"
+  },
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/auraoneai/github-app.git"
+  },
+  "bugs": {
+    "url": "https://github.com/auraoneai/github-app/issues"
+  },
+  "homepage": "https://www.auraone.ai/developers"
+}