fix: restore runnable enterprise-grade autogen workbench

.env.example

@@ -0,0 +1,30 @@
+# Legacy dashboard and AutoGen provider configuration
+AUTOGEN_PROVIDER=gemini
+AUTOGEN_APPROVAL_WORD=APPROVE
+AUTOGEN_STATE_DIR=state
+AUTOGEN_REPO_SCAN_ROOT=C:\PersonalRepo
+
+# Active Microsoft Agent Framework provider configuration
+MAF_API_KEY=
+MAF_MODEL=gemini-2.5-flash
+MAF_BASE_URL=https://generativelanguage.googleapis.com/v1beta/openai/
+MAF_REPO_ROOT=C:\PersonalRepo
+MAF_ENTITIES_DIR=entities
+MAF_CHECKPOINT_DIR=state\maf-checkpoints
+MAF_ROUTE_LANE=auto
+
+# Gemini API and optional CLI fallback
+GEMINI_API_KEY=
+GEMINI_MODEL=gemini-2.5-flash
+GEMINI_BASE_URL=https://generativelanguage.googleapis.com/v1beta/openai/
+GEMINI_CLI_COMMAND=gemini.cmd
+GEMINI_CLI_MODEL=
+
+# Optional Anthropic API and local CLI fallbacks
+ANTHROPIC_API_KEY=
+ANTHROPIC_MODEL=claude-sonnet-4-6
+CLAUDE_CLI_COMMAND=claude
+CLAUDE_CLI_MODEL=
+CLAUDE_CODE_GIT_BASH_PATH=
+CODEX_CLI_COMMAND=codex.cmd
+CODEX_CLI_MODEL=

.github/workflows/ci.yml

@@ -5,19 +5,44 @@ on:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test:
-    runs-on: ubuntu-latest
+    name: Python ${{ matrix.python-version }} / ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        python-version: ['3.12']
+
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - name: Set up Python 3.12
-        uses: actions/setup-python@v5
+      - name: Set up Python
+        uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install dependencies
+        run: python -m pip install -r requirements.txt
+
+      - name: Verify dependency consistency
+        run: python -m pip check
+
+      - name: Run full test suite
+        run: python -m pytest -q --tb=short
 
-      - name: Install test runner
-        run: pip install pytest
+      - name: Compile Python sources
+        run: python -m compileall autogen_starter autogen_dashboard maf_starter main.py -q
 
-      - name: Run static contract tests
-        run: python -m pytest tests/test_phase5_ui_contract.py tests/test_phase5_operator_views.py -v
+      - name: Validate dashboard JavaScript
+        run: node --check autogen_dashboard/static/app.js

.gitignore

@@ -0,0 +1,12 @@
+.venv/
+__pycache__/
+*.pyc
+.pytest_cache/
+.env
+.env.*
+!.env.example
+!.env.*.example
+state/
+.tmp-tests/
+*.out.log
+*.err.log

.planning/STATE.md

@@ -4,8 +4,8 @@ milestone: v1.1
 milestone_name: milestone
 status: completed
 stopped_at: Phase 6 complete
-last_updated: "2026-04-15T19:56:10.036Z"
-last_activity: 2026-03-22 - Phase 6 complete - Plan 03 delivered Command Center parity tests, legacy compatibility notices, and README External API section
+last_updated: "2026-06-10T18:30:00+03:00"
+last_activity: 2026-06-10 - Completed quick task 260610-ppt: PR #1 follow-up truthful Quickstart and Configuration guidance
 progress:
   total_phases: 2
   completed_phases: 1
@@ -28,7 +28,7 @@ See: .planning/PROJECT.md (updated 2026-03-22)
 Phase: 07 (azure-functions-and-cloud-control-plane) - READY TO START
 Plan: 07-01 (next)
 Status: Phase 6 complete - Shared control-plane API delivered with /api/v1 REST router, Command Center parity validation, and external API documentation. Ready for Azure Functions deployment.
-Last activity: 2026-03-22 - Phase 6 complete - Plan 03 delivered Command Center parity tests, legacy compatibility notices, and README External API section
+Last activity: 2026-06-10 - Completed quick task 260610-ppt: PR #1 follow-up truthful Quickstart and Configuration guidance
 
 ## Performance Metrics
 
@@ -135,6 +135,12 @@ None yet.
 - Local Python is `3.14.2`, but Azure Functions hosted deployment work should target GA-supported Python such as `3.13` or `3.12`
 - A cloud-hosted control plane cannot assume local CLI logins, desktop-bound tooling, or direct repo access unless a compatible worker is attached
 
+### Quick Tasks Completed
+
+| # | Description | Date | Commit | Status | Directory |
+|---|-------------|------|--------|--------|-----------|
+| 260610-ppt | PR #1 follow-up: truthful Quickstart and Configuration guidance | 2026-06-10 | 5487e05 | Verified | [260610-ppt-pr-1-follow-up-restore-practical-truthfu](./quick/260610-ppt-pr-1-follow-up-restore-practical-truthfu/) |
+
 ## Session Continuity
 
 Last session: 2026-03-22T22:00:00+02:00

.planning/audits/260610-enterprise-audit-fix/CLASSIFICATION.md

@@ -0,0 +1,14 @@
+# Enterprise Audit-Fix Classification
+
+Source: `gsd-audit-fix --severity all --max 8`
+
+| ID | Severity | Classification | Finding |
+|---|---|---|---|
+| F-01 | High | Auto-fixable | Clean clone could not collect the shipped full test suite because required runtime modules and dependency/bootstrap files were missing. |
+| F-02 | High | Auto-fixable | CI ran only two static contract tests and could report green while the broader suite was broken. |
+| F-03 | High | Auto-fixable | `SessionStore` composed unvalidated session, stage, and attempt identifiers into filesystem paths. |
+| F-04 | High | Auto-fixable | Dashboard CORS allowed wildcard origins with credentials. |
+| F-05 | Medium | Auto-fixable | Repo write operations accepted arbitrary encodings and used non-atomic direct writes. |
+| F-06 | Medium | Auto-fixable | Missing `.gitignore` exposed secrets and runtime/test artifacts to accidental commits. |
+| F-07 | Medium | Manual-only | Legacy dashboard and MAF runtime contracts overlap and require an architectural consolidation decision. |
+| F-08 | Medium | Manual-only | Production authentication, worker isolation, and remote deployment boundaries remain intentionally unimplemented. |

.planning/audits/260610-enterprise-audit-fix/SUMMARY.md

@@ -0,0 +1,25 @@
+# Enterprise Audit-Fix Summary
+
+## Result
+
+Six auto-fixable findings were resolved. Two architecture/deployment findings remain manual-only.
+
+| ID | Status | Commit |
+|---|---|---|
+| F-01 | Fixed | `65cb4f2`, `f2b1210` |
+| F-02 | Fixed | `fa78d6b` |
+| F-03 | Fixed | `48bdb95` |
+| F-04 | Fixed | `92e3adf` |
+| F-05 | Fixed | `76eda85` |
+| F-06 | Fixed | `4975e0b` |
+| F-07 | Manual-only | Architecture decision required |
+| F-08 | Manual-only | Production boundary decision required |
+
+## Outcome
+
+- Restored a runnable clean-clone contract with declared dependencies, example configuration, launcher, and required runtime modules.
+- Replaced narrow green CI with full Windows/Linux validation.
+- Closed durable-state path traversal and wildcard credentialed CORS risks.
+- Made agent-driven repo writes atomic and UTF-8-only.
+- Protected local secrets and generated state from accidental commits.
+- Updated README claims to match the verified repository state.

.planning/audits/260610-enterprise-audit-fix/VERIFICATION.md

@@ -0,0 +1,23 @@
+# Enterprise Audit-Fix Verification
+
+## Automated Checks
+
+- `python -m pytest -q --tb=short`: 71 passed, 4 subtests passed
+- `python -m compileall autogen_starter autogen_dashboard maf_starter main.py -q`: passed
+- `node --check autogen_dashboard/static/app.js`: passed
+- `git diff --check`: passed
+- `python main.py providers`: launcher and provider inventory passed
+- `git check-ignore -v .env .pytest_cache .tmp-tests example.err.log`: expected ignore rules passed
+
+## Environment Note
+
+`python -m pip check` reports an unrelated workstation-level preview dependency mismatch:
+`agent-framework-core 1.0.0rc5` expects `azure-ai-projects>=2.0.0,<3.0`, while the shared environment contains `azure-ai-projects 2.0.0b3`.
+CI installs from `requirements.txt` in a clean environment and now treats dependency consistency as a required gate.
+
+## Manual Verification Remaining
+
+- Observe the Windows and Linux GitHub Actions jobs on PR #1. The workflow was committed through the authenticated GitHub connector because the local GitHub CLI token does not carry the `workflow` scope.
+- Exercise one real provider-backed dashboard run with a non-production key.
+- Decide whether to consolidate or retire the parallel legacy and MAF runtime contracts.
+- Define production authentication and isolated worker execution before any non-loopback deployment.

.planning/quick/260610-ppt-pr-1-follow-up-restore-practical-truthfu/260610-ppt-PLAN.md

@@ -0,0 +1,41 @@
+---
+quick_id: 260610-ppt
+mode: quick-full
+status: ready
+date: 2026-06-10
+---
+
+# PR #1 follow-up: truthful Quickstart and Configuration guidance
+
+## Goal
+
+Restore practical README guidance that helps readers validate and understand the checked-in repository without claiming a missing dependency manifest, `.env.example`, launcher, or supported full-runtime bootstrap.
+
+## Must Haves
+
+- Quickstart commands operate against files present on `docs/portfolio-hardening-20260610`.
+- The README clearly distinguishes the CI-aligned static contract tests from a full runtime launch.
+- Configuration guidance is derived from `maf_starter/config.py` and does not claim an `.env.example` exists.
+- Validation includes the documented test command, README claim checks, and `git diff --check`.
+
+## Tasks
+
+### Task 1: Restore truthful operator guidance
+
+**Files:** `README.md`
+
+**Action:** Add a Quickstart that runs the same static contract tests as CI, disclose the current runtime-bootstrap limitations, and add a configuration reference based only on variables read by `maf_starter/config.py`.
+
+**Verify:** Confirm every named repository path exists and every documented command is appropriate for this snapshot.
+
+**Done:** Readers can validate the portfolio evidence and understand configuration boundaries without being told to use missing files or unsupported launch commands.
+
+### Task 2: Validate and record completion
+
+**Files:** `.planning/quick/260610-ppt-pr-1-follow-up-restore-practical-truthfu/260610-ppt-SUMMARY.md`, `.planning/quick/260610-ppt-pr-1-follow-up-restore-practical-truthfu/260610-ppt-VERIFICATION.md`, `.planning/STATE.md`
+
+**Action:** Run the CI-aligned tests and `git diff --check`, verify README claims against tracked files and configuration source, then record the quick-task result.
+
+**Verify:** All validation commands pass and the final commit contains only the README follow-up and GSD quick-task artifacts/state.
+
+**Done:** The task is documented, verified, atomically committed, and ready to push on the existing PR branch.

.planning/quick/260610-ppt-pr-1-follow-up-restore-practical-truthfu/260610-ppt-SUMMARY.md

@@ -0,0 +1,24 @@
+---
+quick_id: 260610-ppt
+status: complete
+completed: 2026-06-10
+implementation_commit: 5487e05
+---
+
+# Quick Task 260610-ppt Summary
+
+Restored practical README Quickstart and Configuration guidance for PR #1 without presenting the incomplete repository snapshot as a supported full-runtime distribution.
+
+## Delivered
+
+- Added a PowerShell Quickstart that runs the same dependency-light operator-workbench contract tests used by CI.
+- Explicitly documented the missing dependency manifest, `.env.example`, launcher, and legacy dashboard imports that prevent a truthful clean-clone runtime launch command.
+- Added a configuration table derived from environment variables actually read by `maf_starter/config.py`.
+
+## Validation
+
+- `python -m pytest tests/test_phase5_ui_contract.py tests/test_phase5_operator_views.py -v` - 16 passed.
+- Verified all README paths and missing-bootstrap statements against tracked files.
+- `git diff --check` - passed.
+
+Implementation commit: `5487e05`

.planning/quick/260610-ppt-pr-1-follow-up-restore-practical-truthfu/260610-ppt-VERIFICATION.md

@@ -0,0 +1,23 @@
+---
+quick_id: 260610-ppt
+status: passed
+verified: 2026-06-10
+---
+
+# Quick Task 260610-ppt Verification
+
+## Goal
+
+Restore practical, truthful Quickstart and Configuration guidance without claiming missing files or unsupported runtime bootstrap.
+
+## Result
+
+Passed. The README now provides an executable CI-aligned validation path, identifies the full-runtime bootstrap as unsupported in the checked-in snapshot, and documents configuration from `maf_starter/config.py`.
+
+## Evidence
+
+- The documented pytest command completed with 16 passing tests.
+- `README.md`, `maf_starter/config.py`, the two documented tests, and `.github/workflows/ci.yml` exist.
+- `requirements.txt`, `pyproject.toml`, `setup.py`, `.env.example`, `main.py`, and `autogen_starter/` are absent, matching the README limitation statement.
+- Configuration names and defaults were checked against `load_settings()` in `maf_starter/config.py`.
+- `git diff --check` passed before the implementation commit.