From 63571bb26af2f374ba9d99dd6117c29022295506 Mon Sep 17 00:00:00 2001
From: jellespijker <jelle.spijker@ultimaker.com>
Date: Thu, 4 Jun 2026 12:48:35 +0200
Subject: [PATCH] [UC-3697] Setup pre-commit and agentic enablement for
 libUvula

---
 .github/CODEOWNERS                            |  17 ++
 .github/PULL_REQUEST_TEMPLATE.md              |   6 +
 .github/copilot-instructions.md               |  22 +++
 .../accessibility-auditor.instructions.md     |  16 ++
 .../code-reviewer.instructions.md             |  30 ++++
 .../gha-helper.instructions.md                |  34 ++++
 .../pr-assistant.instructions.md              |  60 +++++++
 .../testing-automation.instructions.md        |  16 ++
 .github/dependabot.yml                        |  23 +++
 .github/services/account-api.yaml             | 164 ++++++++++++++++++
 .github/services/account-frontend.yaml        |  36 ++++
 .github/services/account-worker.yaml          | 115 ++++++++++++
 .github/services/lab.env                      |  26 +++
 .github/services/production.env               |  25 +++
 .github/services/staging.env                  |  25 +++
 .github/workflows/build.yaml                  |  52 ++++++
 .github/workflows/combine.yaml                |   8 +
 .github/workflows/dependabot.yaml             |  15 ++
 .github/workflows/deploy.yaml                 |  53 ++++++
 .github/workflows/lab-delete.yaml             |  33 ++++
 .github/workflows/lab-deploy.yaml             |  40 +++++
 .github/workflows/pull-request.yaml           |  80 +++++++++
 .github/workflows/test.yaml                   |  69 ++++++++
 .pre-commit-config.yaml                       |  66 +++++++
 .talismanrc                                   |  28 +++
 AGENTS.md                                     | 124 +++++++++++++
 README.md                                     |   2 +-
 UvulaJS/UvulaJS.cpp                           |  82 ++++-----
 src/xatlas.cpp                                |   2 +-
 29 files changed, 1217 insertions(+), 52 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/PULL_REQUEST_TEMPLATE.md
 create mode 100644 .github/copilot-instructions.md
 create mode 100644 .github/copilot-instructions/accessibility-auditor.instructions.md
 create mode 100644 .github/copilot-instructions/code-reviewer.instructions.md
 create mode 100644 .github/copilot-instructions/gha-helper.instructions.md
 create mode 100644 .github/copilot-instructions/pr-assistant.instructions.md
 create mode 100644 .github/copilot-instructions/testing-automation.instructions.md
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/services/account-api.yaml
 create mode 100644 .github/services/account-frontend.yaml
 create mode 100644 .github/services/account-worker.yaml
 create mode 100644 .github/services/lab.env
 create mode 100644 .github/services/production.env
 create mode 100644 .github/services/staging.env
 create mode 100644 .github/workflows/build.yaml
 create mode 100644 .github/workflows/combine.yaml
 create mode 100644 .github/workflows/dependabot.yaml
 create mode 100644 .github/workflows/deploy.yaml
 create mode 100644 .github/workflows/lab-delete.yaml
 create mode 100644 .github/workflows/lab-deploy.yaml
 create mode 100644 .github/workflows/pull-request.yaml
 create mode 100644 .github/workflows/test.yaml
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .talismanrc
 create mode 100644 AGENTS.md

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..893994f
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,17 @@
+# Generally we can assume these file extensions belongs to a group of developers
+*.scss              @Stardust_frontend
+*.tsx               @Stardust_frontend
+*.js                @Stardust_frontend
+*.html              @Stardust_frontend
+*.py                @Stardust_backend
+
+# These root files are very specific to development environments
+/docker-compose.yml @Stardust_devops
+Dockerfile          @Stardust_devops
+/*.md               @Stardust
+
+# These directories are about: frontend, backend and github administration
+/frontend/          @Stardust_frontend
+/backend/           @Stardust_backend
+/.github/           @Stardust_devops
+/secrets/           @Stardust_devops
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..7ec0e36
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,6 @@
+Jira ticket: UC-XXX
+
+-   [ ] Describe the changes that were made and why
+-   [ ] Add screenshot
+-   [ ] Unit tests
+-   [ ] E2E tests
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
new file mode 100644
index 0000000..cb300c1
--- /dev/null
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,22 @@
+# GitHub Copilot Custom Instructions
+
+Welcome! This configuration coordinates our multi-role coding assistant system to ensure that all generated code, documentation, and tests comply with UltiMaker Digital Factory's rigorous engineering quality standards for the **stardust-account** (Cura Cloud identity and login portal) stack.
+
+## Role-Based Personas
+
+Depending on the context of your query, please adopt one of our 5 specialized development personas:
+
+1. **[PR Assistant](.github/copilot-instructions/pr-assistant.instructions.md):** Focuses on managing branch tracking, bracketed Jira commit naming standards, and generating structured, descriptive pull request details.
+2. **[GHA Helper](.github/copilot-instructions/gha-helper.instructions.md):** Focuses on building secure, optimized, and cached GitHub Actions pipelines.
+3. **[Code Reviewer](.github/copilot-instructions/code-reviewer.instructions.md):** Focuses on reviewing architectural patterns (SOLID, DRY, KISS), checking for static bugs or lints, and enforcing compact files (around 300 lines, max 400 is acceptable, but prefer smaller).
+4. **[Accessibility Auditor](.github/copilot-instructions/accessibility-auditor.instructions.md):** Focuses on reviewing and generating WCAG 2.1 AA compliant UI templates, keyboard navigation, and landmark groupings for our SSO and account portal pages.
+5. **[Testing Automation](.github/copilot-instructions/testing-automation.instructions.md):** Focuses on pytest async tests, Jest unit assertions, and non-flaky browser automation with Cypress.
+
+---
+
+## Strategic Principles
+
+- **Future AI Optimization:** Write clean, modular files (around 300 lines, max 400 is acceptable, but prefer smaller) with single-responsibility structures. This keeps context sizes minimal, limits token overhead, and reduces compilation time for succeeding AI agents.
+- **Secure by Design:** Actively mitigate OWASP Top 10 vulnerabilities (NoSQL injection, insecure endpoints). Secure user credentials (argon2/bcrypt), handle MFA/TOTP safely, and never log/expose PII.
+- **Experimental Guardrails:** Never commit manual tests, scratch files, or test scripts. All experiment work belongs in the gitignored `scratch/` directory.
+- **Design Tokens Compliance:** Align frontend logic strictly with token values mapped in `DESIGN.md` (HSL colors, typography scales, layout rhythm).
\ No newline at end of file
diff --git a/.github/copilot-instructions/accessibility-auditor.instructions.md b/.github/copilot-instructions/accessibility-auditor.instructions.md
new file mode 100644
index 0000000..69e214d
--- /dev/null
+++ b/.github/copilot-instructions/accessibility-auditor.instructions.md
@@ -0,0 +1,16 @@
+# Role: Accessibility Auditor (Copilot Instruction)
+
+You are the Accessibility Auditor. Your primary directive is to ensure that all user interface modifications, components, and templates in the **stardust-account** login, SSO, and profile management portal conform to WCAG 2.1 AA guidelines.
+
+## 1. Core Structural Semantic Audit
+
+- Verify that logical landmark tags (`<header>`, `<nav>`, `<main>`, `<aside>`, `<footer>`) wrap all visible content.
+- Ensure that heading structures (`<h1>`-`<h6>`) represent a sequential, logical outline.
+- Check that all repeated interactive elements (like icon buttons or lists) have visually hidden utility labels or distinct, unambiguous `aria-label` properties. This is especially vital for login forms, MFA inputs, and authorization dialogs.
+
+## 2. Keyboard & Interactive Integrity
+
+- Audit that every interactive or clickable element is focusable and responds predictably to standard keyboard triggers (Tab, Shift+Tab, Enter, Space).
+- Ensure that form elements have correctly associated native `<label>` tags.
+- Proactively recommend native HTML5 primitives (e.g., `<button>` or `<dialog>`) over custom simulated ARIA structures to reduce script footprint and ensure resilient accessibility behaviors.
+- Maintain focus trap integrity when multi-factor authentication (MFA) prompts, error modals, or profile forms are rendered to ensure they are fully navigable by keyboard.
diff --git a/.github/copilot-instructions/code-reviewer.instructions.md b/.github/copilot-instructions/code-reviewer.instructions.md
new file mode 100644
index 0000000..bee7a59
--- /dev/null
+++ b/.github/copilot-instructions/code-reviewer.instructions.md
@@ -0,0 +1,30 @@
+# Role: Code Reviewer (Copilot Instruction)
+
+You are the Code Reviewer. Your primary directive is to audit code changes for bug prevention, performance, style compliance, and architectural integrity in the **stardust-account** repository.
+
+## 1. Architectural Compliance
+
+- Ensure code adheres strictly to SOLID, DRY, and clean separation of concerns.
+- Verify that code footprints stay compact (individual files should ideally remain around 300 lines; max 400 lines is acceptable, but prefer smaller to optimize context sizes and maintainability).
+- Check that there are no hardcoded secrets, IP addresses, or target domains.
+- Enforce clear semantic naming schemes for files, variables, and methods.
+- **Git Submodules**: Keep in mind that `backend/lib/stardustCommons` is a git submodule containing shared libraries. Never modify its files directly in this repository unless explicitly making changes destined for the `stardust-commons` repository itself.
+
+## 2. Static Analysis & Code Quality
+
+- Identify memory leaks, race conditions, or unhandled exceptions in our async Tornado backend.
+- Highlight missing error boundaries or proper retry policies in network operations.
+- Enforce strict adherence to matching linter configurations (ESLint, Stylelint, Flake8, Black).
+- Check that legacy patterns are flagged for modern upgrades.
+
+## 3. Security, OWASP-10 & PII Auditing
+
+- Enforce strict OWASP Top 10 mitigation checks (such as NoSQL injection prevention through parameterized queries/dictionary mappings using Motor/MongoDB).
+- Audit Personally Identifiable Information (PII) handling; ensure user passwords, MFA codes, session tokens, and personal profile details are handled with absolute sensitivity, never logged, and fully encrypted/protected in transit/at rest.
+- Verify least privilege access controls, scope validations, and secure OAuth2 token issuance boundaries.
+
+## 4. Pre-Commit Tooling Verification
+
+- Ensure that the `.pre-commit-config.yaml` configuration is completely respected.
+- Verify that no agent-specific development/tracking artifacts (like `task.md`, `implementation_plan.md`, `walkthrough.md`, `.playwright-cli`, or `__pycache__`) are staged or committed.
+- Verify that formatting tools (`black`, `isort`, `prettier`) are only run on newly created files to avoid cluttering PR reviews with cosmetic diffs on modified files.
diff --git a/.github/copilot-instructions/gha-helper.instructions.md b/.github/copilot-instructions/gha-helper.instructions.md
new file mode 100644
index 0000000..3917bdb
--- /dev/null
+++ b/.github/copilot-instructions/gha-helper.instructions.md
@@ -0,0 +1,34 @@
+# Role: GitHub Actions Helper (Copilot Instruction)
+
+You are the GHA Helper. Your primary directive is to help construct, optimize, and secure GitHub Actions workflows for the **stardust-account** repository.
+
+## 1. Syntax & Best Practices
+
+- Always use the latest version of official actions (e.g. `actions/checkout@v4`, `actions/setup-node@v4`, `actions/setup-python@v5`).
+- Ensure all jobs have sensible timeout limits (e.g. `timeout-minutes: 15`).
+- Always run pipelines on least-privilege runners (e.g., `ubuntu-latest`).
+
+## 2. Caching Optimizations
+
+- Aggressively use build and dependency caching to minimize pipeline run durations:
+    - NPM: `cache: 'npm'` on `actions/setup-node`.
+    - Pip: `cache: 'pip'` on `actions/setup-python` or custom key-based cache steps.
+    - Docker: Utilize BuildKit `--cache-from` and `--cache-to` flags inside container build steps.
+
+## 3. Pipeline Security & Secrets
+
+- Never expose plaintext credentials or API keys in YAML files.
+- Inject secrets exclusively using GitHub Secrets syntax (`${{ secrets.GCP_CREDENTIALS }}`).
+- Prevent script injection by avoiding direct string expansion of untrusted variables inside `run:` blocks; map them to environment variables first.
+- **Enforce Secure GCP WIF Authentication:** Limit permissions strictly. Always use Workload Identity Federation (WIF) instead of long-lived service account keys.
+    - Require `id-token: write` and `contents: read` permissions in the workflow.
+    - Implement GCP auth using the official action:
+        ```yaml
+        - name: Google Auth
+          uses: google-github-actions/auth@v2
+          with:
+              workload_identity_provider: ${{ vars.INFRA_WI_PROVIDER }}
+        ```
+- **Limit Workflow Permissions & Scope:**
+    - Restrict the `permissions:` block at the job/workflow level to the absolute minimum necessary (e.g., read-only for contents).
+    - For enhanced security, prefer splitting complex workflows into separate, isolated pipelines. Upload intermediate artifacts from low-privilege jobs and download/deploy them in high-privilege pipelines.
diff --git a/.github/copilot-instructions/pr-assistant.instructions.md b/.github/copilot-instructions/pr-assistant.instructions.md
new file mode 100644
index 0000000..041fb7d
--- /dev/null
+++ b/.github/copilot-instructions/pr-assistant.instructions.md
@@ -0,0 +1,60 @@
+# Role: PR Assistant (Copilot Instruction)
+
+You are the Pull Request Assistant. Your primary directive is to help developers create extremely clear, logical, and structured Pull Requests and Git commit messages for the **stardust-account** repository.
+
+## 1. Commit Standards & Jira Reference
+
+- Enforce small, single-purpose (atomic) commits.
+- Never bundle independent features, bug fixes, or refactorings into a single commit.
+- **Git Commit Title Standard (Strictly Enforced):**
+    - **No Semantic Prefixes**: Do **NOT** use conventional/semantic commit prefix tags (such as `feat:`, `fix:`, `chore:`, `refactor:`, etc.) in commit titles or Pull Request titles.
+    - **Bracketed Ticket Prefix**: Every Git commit title and GitHub Pull Request title **MUST** start with the bracketed Jira key: `[UC-ID] <Descriptive Title>` or `[NP-ID] <Descriptive Title>` (e.g., `[UC-3697] Add specialized pre-commit configurations`).
+    - **Changelog Generation**: This prefixing standard is strictly required because the repository's CHANGELOG is automatically generated by GitHub directly from PR titles. We do **NOT** use or maintain a local `CHANGELOG.md` file.
+    - Commit message body must explain the _why_ (the reason the change was needed) and the _how_ (the technical design/implementation details).
+- **Pre-Commit Verification:** Every agent must run pre-commit verification (`pre-commit run --all-files`) locally and confirm that all checks pass 100% cleanly before opening a draft Pull Request. Using `--no-verify` or bypassing hooks is strictly forbidden for agents.
+
+## 2. Pull Request Descriptions & Alert Patterns
+
+- Structure PR descriptions using standard markdown.
+- **Draft Pull Request Policy:** AI Agents must always open pull requests in **DRAFT** state on GitHub. This provides a staging gate for the human dev to personally review the changes and run manual checks. Under no circumstances should an AI agent attempt to merge its own PR; merging is **strictly restricted to humans**.
+- **Alert Patterns**: Always annotate pull request and merge descriptions with standard GitHub markdown alerts to guide the reviewer:
+
+    ```markdown
+    > [!NOTE]
+    > Useful information that users should know, even when skimming content.
+
+    > [!TIP]
+    > Helpful advice for doing things better or more easily.
+
+    > [!IMPORTANT]
+    > Key information users need to know to achieve their goal.
+
+    > [!WARNING]
+    > Urgent info that needs immediate user attention to avoid problems.
+
+    > [!CAUTION]
+    > Advises about risks or negative outcomes of certain actions.
+    ```
+
+- PR layouts must be extremely concise and non-verbose:
+    - **Minimalist Public Section**: Standard human section is restricted to:
+        - **Jira Reference**: Always reference/link the Jira ticket number (e.g., `[UC-3697](https://ultimaker.atlassian.net/browse/UC-3697)`).
+        - **Description**: Concise explanation of **Why** and **How** in bullet points or single sentences.
+        - **Empty Initiator Checklist**: Every pull request description must end with an empty checklist for the human dev who initiated the agent, which they must check off to confirm they have personally reviewed the code:
+            ```markdown
+            - [ ] **Developer V&V**: I have verified the SSO/login portal HSL theme tokens in both light and dark mode.
+            - [ ] **Component Separation**: Scoped SCSS Modules / styling boundaries are respected.
+            - [ ] **Testing Standards**: Automated unit tests and E2E checks pass cleanly.
+            ```
+
+    - **Collapsed Agent Details**: All heavy agentic checklists, test logs, and support portal audits must reside inside a collapsed `<details><summary>🤖 Agent Checklist & Detailed Verification</summary>` block.
+
+## 3. Support Documentation Review Policy
+
+- ⚠️ **CRITICAL GUARDRAIL FOR NEW FEATURES & BEHAVIORAL CHANGES**:
+    - When creating a PR on GitHub that introduces a new feature or changes existing behavior, you **MUST** search the UltiMaker Support page: `https://support.makerbot.com/s/global-search/`
+    - Analyze if any relevant public-facing support pages are impacted, outdated, or need edits due to this change.
+    - If support page changes are required:
+        - **Add a warning block** (`> [!WARNING]`) in the pull request description.
+        - Explicitly advise the developer to contact the support team.
+        - Detail exactly **what changed**, **why**, and **how**, providing links/URLs to the existing support page(s).
diff --git a/.github/copilot-instructions/testing-automation.instructions.md b/.github/copilot-instructions/testing-automation.instructions.md
new file mode 100644
index 0000000..3e592d0
--- /dev/null
+++ b/.github/copilot-instructions/testing-automation.instructions.md
@@ -0,0 +1,16 @@
+# Role: Testing Automation Expert (Copilot Instruction)
+
+You are the Testing Automation Expert. Your primary directive is to guide the creation of precise, non-flaky, and comprehensive tests across the entire testing pyramid for the **stardust-account** repository.
+
+## 1. Unit & Integration Testing Standard
+
+- **Backend (Python):** Enforce Pytest with `pytest-asyncio` for all asynchronous handlers and services.
+- **Frontend (React):** Enforce Jest + React Testing Library. Maintain strict assertion patterns checking for user-visible outputs (e.g. `screen.getByRole` over class-name querying).
+- External network requests or database endpoints must be isolated and simulated using clean mock frameworks (like `unittest.mock.AsyncMock` or Jest fetch mock).
+
+## 2. E2E Browser Automation
+
+- Utilize Cypress or Playwright-CLI for comprehensive browser integration testing.
+- When generating UI tests, utilize standard testing state authentication (e.g. loading pre-authorized cookies/tokens) to bypass complex SSO forms and minimize test flakiness, or test the forms themselves with clean input-handling assertions.
+- Always target elements using predictable test IDs (`data-testid` or `data-cy`) to keep test selectors isolated from refactoring style changes.
+- Ensure visual regressions are caught using visual snapshot helpers (e.g., Percy).
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c12e9bf
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    open-pull-requests-limit: 20
+  - package-ecosystem: 'pip'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    open-pull-requests-limit: 20
+  - package-ecosystem: 'docker'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+
+registries:
+  github:
+    type: git
+    url: https://github.com
+    username: x-access-token # username doesn't matter
+    password: ${{ secrets.NPM_GITHUB_TOKEN }} # dependabot secret
diff --git a/.github/services/account-api.yaml b/.github/services/account-api.yaml
new file mode 100644
index 0000000..c1af355
--- /dev/null
+++ b/.github/services/account-api.yaml
@@ -0,0 +1,164 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: account-api${SERVICE_SUFFIX}
+  annotations:
+    serving.knative.dev/route: account-api${SERVICE_SUFFIX}
+    run.googleapis.com/ingress: ${INGRESS}
+  labels:
+    service-name: account-api
+
+spec:
+  template:
+    metadata:
+      name: account-api${SERVICE_SUFFIX}${REVISION_SUFFIX}
+      annotations:
+        autoscaling.knative.dev/maxScale: '${MAX_SCALE}'
+        autoscaling.knative.dev/minScale: '${MIN_SCALE}'
+        run.googleapis.com/cpu-throttling: 'true'
+        run.googleapis.com/vpc-access-connector: projects/${GCP_PROJECT}/locations/${GCP_REGION}/connectors/um-cloud
+        run.googleapis.com/vpc-access-egress: private-ranges-only
+      labels:
+        service-name: account-api
+    spec:
+      containerConcurrency: 20
+      timeoutSeconds: 300
+      serviceAccountName: account@${GCP_PROJECT}.iam.gserviceaccount.com
+      containers:
+        - name: stardust-account-api
+          image: ${IMAGE_URL}
+          ports:
+            - name: http1
+              containerPort: 8080
+          env:
+            - name: DATABASE_NAME
+              value: oauth2_server
+            - name: DATABASE_PROTOCOL
+              value: mongodb+srv
+            - name: DATABASE_PARAMETERS
+              value: ?retryWrites=true&w=majority&maxPoolSize=200
+            - name: DATABASE_CONNECTION_TIMEOUT_MS
+              value: "5000"
+            - name: SERVER_SELECTION_TIMEOUT_MS
+              value: "5000"
+            - name: HTTP_CLIENT_MAX_CLIENTS
+              value: '90'
+            - name: TRACING_ENABLED
+              value: 'false'
+            - name: APP_NAMESPACE
+              value: account
+            - name: APP_NAME
+              value: account
+
+            - name: ACCOUNT_TOTP_ISSUER
+              value: ${ACCOUNT_TOTP_ISSUER}
+            - name: ACCOUNT_TOKEN_ISSUER
+              value: ${ACCOUNT_TOKEN_ISSUER}
+
+            - name: ACCOUNT_EVENT_PUBSUB_TOPIC
+              value: account-events
+            - name: EMAIL_QUEUE_PUBSUB_TOPIC
+              value: send-mail-requests
+            - name: BULK_ACCOUNT_CREATION_PUBSUB_TOPIC
+              value: bulk-account-creation
+            - name: PUBSUB_VERIFICATION_TOKEN
+              value: ${PUBSUB_VERIFICATION_TOKEN}
+            - name: RIGHT_SIGNATURE_WEBHOOK_VALIDATION
+              value: ${RIGHT_SIGNATURE_WEBHOOK_VALIDATION}
+
+            - name: FRONT_END_PROXY_HOST
+              value: ${FRONT_END_PROXY_HOST}
+            - name: ACCOUNT_URL
+              value: ${ACCOUNT_URL}
+            - name: DIGITAL_FACTORY_URL
+              value: ${DIGITAL_FACTORY_URL}
+            - name: REPORT_API_URL
+              value: ${REPORT_API_URL}
+            - name: MARKETPLACE_URL
+              value: ${MARKETPLACE_URL}
+            - name: ULTIMAKER_PROVISIONING_API_URL
+              value: ${ULTIMAKER_PROVISIONING_API_URL}
+            - name: CLOUD_API_URL
+              value: ${CLOUD_API_URL}
+            - name: CONNECT_API_URL
+              value: ${CONNECT_API_URL}
+
+            - name: BUCKET_NAME_BULK_ACCOUNT_CREATION
+              value: ${BUCKET_NAME_BULK_ACCOUNT_CREATION}
+            - name: BUCKET_NAME_TEAM_IMAGES
+              value: ${BUCKET_NAME_TEAM_IMAGES}
+            - name: BUCKET_NAME_PROFILE_IMAGES
+              value: ${BUCKET_NAME_PROFILE_IMAGES}
+            - name: BUCKET_NAME_ORGANIZATION_IMAGES
+              value: ${BUCKET_NAME_ORGANIZATION_IMAGES}
+
+            - name: DEMO_PROJECT_DOCUMENT_URL
+              value: ${DEMO_PROJECT_DOCUMENT_URL}
+            - name: DEMO_PROJECT_IMAGE_URL
+              value: ${DEMO_PROJECT_IMAGE_URL}
+
+            - name: MONGO_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-mongodb
+            - name: ACCOUNT_FEDERATION_SEED
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-account_federation_seed
+            - name: COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-cookie_secret
+            - name: JWT_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: jwt-private-key
+            - name: JWT_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: jwt-public-key
+            - name: SALESFORCE_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: salesforce-config
+            - name: ZENDESK_CREDENTIALS
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-zendesk_credentials
+            - name: NOTIFICATIONS_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: notifications-account-api-key
+            - name: SUBSCRIPTIONS_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-subscriptions-api-key
+            - name: BETA_FEATURES
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-alpha_features
+            - name: RIGHT_SIGNATURE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: rightsignature_token
+            - name: MONGO_CONFIGS
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-mongodb-global
+
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 256Mi
diff --git a/.github/services/account-frontend.yaml b/.github/services/account-frontend.yaml
new file mode 100644
index 0000000..d691144
--- /dev/null
+++ b/.github/services/account-frontend.yaml
@@ -0,0 +1,36 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: account-frontend${SERVICE_SUFFIX}
+  annotations:
+    serving.knative.dev/route: account-frontend${SERVICE_SUFFIX}
+    run.googleapis.com/ingress: ${INGRESS}
+  labels:
+    service-name: account-frontend
+
+spec:
+  template:
+    metadata:
+      name: account-frontend${SERVICE_SUFFIX}${REVISION_SUFFIX}
+      annotations:
+        autoscaling.knative.dev/maxScale: '${MAX_SCALE}'
+        autoscaling.knative.dev/minScale: '${MIN_SCALE}'
+        run.googleapis.com/cpu-throttling: 'true'
+        run.googleapis.com/vpc-access-connector: projects/${GCP_PROJECT}/locations/${GCP_REGION}/connectors/um-cloud
+        run.googleapis.com/vpc-access-egress: private-ranges-only
+      labels:
+        service-name: account-frontend
+    spec:
+      containerConcurrency: 512
+      timeoutSeconds: 300
+      serviceAccountName: account@${GCP_PROJECT}.iam.gserviceaccount.com
+      containers:
+        - name: stardust-account-frontend
+          image: ${IMAGE_URL}
+          ports:
+            - name: http1
+              containerPort: 80
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 128Mi
diff --git a/.github/services/account-worker.yaml b/.github/services/account-worker.yaml
new file mode 100644
index 0000000..db750a4
--- /dev/null
+++ b/.github/services/account-worker.yaml
@@ -0,0 +1,115 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: account-worker${SERVICE_SUFFIX}
+  annotations:
+    serving.knative.dev/route: account-worker-lab
+    run.googleapis.com/ingress: internal
+  labels:
+    service-name: account-worker
+
+spec:
+  template:
+    metadata:
+      name: account-worker${SERVICE_SUFFIX}${REVISION_SUFFIX}
+      annotations:
+        autoscaling.knative.dev/maxScale: '${MAX_SCALE}'
+        autoscaling.knative.dev/minScale: '${MIN_SCALE}'
+        run.googleapis.com/cpu-throttling: 'true'
+        run.googleapis.com/vpc-access-connector: projects/${GCP_PROJECT}/locations/${GCP_REGION}/connectors/um-cloud
+        run.googleapis.com/vpc-access-egress: private-ranges-only
+      labels:
+        service-name: account-worker
+    spec:
+      containerConcurrency: 80
+      timeoutSeconds: 300
+      serviceAccountName: account-worker@${GCP_PROJECT}.iam.gserviceaccount.com
+      containers:
+        - name: stardust-account-worker
+          image: ${IMAGE_URL}
+          args:
+            - --run-listener
+          ports:
+            - name: http1
+              containerPort: 8080
+          env:
+            - name: DATABASE_NAME
+              value: oauth2_server
+            - name: DATABASE_PROTOCOL
+              value: mongodb+srv
+            - name: DATABASE_PARAMETERS
+              value: ?retryWrites=true&w=majority&maxPoolSize=200
+            - name: DATABASE_CONNECTION_TIMEOUT_MS
+              value: "5000"
+            - name: SERVER_SELECTION_TIMEOUT_MS
+              value: "5000"
+            - name: HTTP_CLIENT_MAX_CLIENTS
+              value: '90'
+            - name: TRACING_ENABLED
+              value: 'false'
+            - name: APP_NAMESPACE
+              value: account
+            - name: APP_NAME
+              value: account-worker
+
+            - name: ACCOUNT_TOTP_ISSUER
+              value: ${ACCOUNT_TOTP_ISSUER}
+            - name: ACCOUNT_TOKEN_ISSUER
+              value: ${ACCOUNT_TOKEN_ISSUER}
+
+            - name: ACCOUNT_EVENT_PUBSUB_TOPIC
+              value: account-events
+            - name: EMAIL_QUEUE_PUBSUB_TOPIC
+              value: send-mail-requests
+            - name: BULK_ACCOUNT_CREATION_PUBSUB_TOPIC
+              value: bulk-account-creation
+            - name: PUBSUB_VERIFICATION_TOKEN
+              value: ${PUBSUB_VERIFICATION_TOKEN}
+
+            - name: DIGITAL_FACTORY_URL
+              value: ${DIGITAL_FACTORY_URL}
+            - name: REPORT_API_URL
+              value: ${REPORT_API_URL}
+            - name: MARKETPLACE_URL
+              value: ${MARKETPLACE_URL}
+            - name: ACCOUNT_URL
+              value: ${ACCOUNT_URL}
+            - name: ULTIMAKER_PROVISIONING_API_URL
+              value: ${ULTIMAKER_PROVISIONING_API_URL}
+            - name: SUBSCRIPTIONS_API_KEY
+              value: ${SUBSCRIPTIONS_API_KEY}
+
+            - name: BUCKET_NAME_BULK_ACCOUNT_CREATION
+              value: ${BUCKET_NAME_BULK_ACCOUNT_CREATION}
+            - name: BUCKET_NAME_TEAM_IMAGES
+              value: ${BUCKET_NAME_TEAM_IMAGES}
+            - name: BUCKET_NAME_PROFILE_IMAGES
+              value: ${BUCKET_NAME_PROFILE_IMAGES}
+            - name: BUCKET_NAME_ORGANIZATION_IMAGES
+              value: ${BUCKET_NAME_ORGANIZATION_IMAGES}
+
+            - name: MONGO_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-worker-mongodb
+            - name: JWT_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: jwt-public-key
+            - name: SENDGRID_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: sendgrid_api_key
+            - name: MONGO_CONFIGS
+              valueFrom:
+                secretKeyRef:
+                  key: latest
+                  name: account-mongodb-global
+
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 256Mi
diff --git a/.github/services/lab.env b/.github/services/lab.env
new file mode 100644
index 0000000..ae4188e
--- /dev/null
+++ b/.github/services/lab.env
@@ -0,0 +1,26 @@
+MAX_SCALE=1
+MIN_SCALE=0
+INGRESS=all
+
+ACCOUNT_TOTP_ISSUER="Ultimaker Account (lab)"
+ACCOUNT_TOKEN_ISSUER=staging.Ultimaker.com
+
+PUBSUB_VERIFICATION_TOKEN=pcgMl2XOqz0KVvDcjoH6c9agqfGBcGNg
+RIGHT_SIGNATURE_WEBHOOK_VALIDATION=NoUTrlYCx32Pxc-j6Qkg9DOCBfVsw4e4T1vC34FJHOHU
+SUBSCRIPTIONS_API_KEY="fe41ece07a8b538db56bb509e19c408d06972c0593005ca04a62118b588363838ae4978a907430c0"
+
+ACCOUNT_URL=https://account-staging.ultimaker.com
+REPORT_API_URL=https://api-staging.ultimaker.com/report/v1
+DIGITAL_FACTORY_URL=https://digitalfactory-staging.ultimaker.com
+ULTIMAKER_PROVISIONING_API_URL="https://subscription-service-staging.ultimaker.com"
+MARKETPLACE_URL=https://marketplace-staging.ultimaker.com
+CLOUD_API_URL=https://api-staging.ultimaker.com/cura/v1
+CONNECT_API_URL=https://api-staging.ultimaker.com/connect/v1
+
+BUCKET_NAME_BULK_ACCOUNT_CREATION='{"main": "um-cloud-staging-account-bulk-account-creation", "us-edu": "um-cloud-staging-us-edu-account-bulk-account-creation"}'
+BUCKET_NAME_TEAM_IMAGES='{"main": "um-cloud-staging-team-images", "us-edu": "um-cloud-staging-es-edu-team-images"}'
+BUCKET_NAME_PROFILE_IMAGES='{"main": "um-cloud-staging-organization-images", "us-edu": "um-cloud-staging-us-edu-organization-images"}'
+BUCKET_NAME_ORGANIZATION_IMAGES='{"main": "um-cloud-staging-organization-images", "us-edu": "um-cloud-staging-us-edu-organization-images"}'
+
+DEMO_PROJECT_DOCUMENT_URL="https://digitalfactory-cdn.ultimaker.com/example-project/Project_Instructions_-_Build_a_Cell_City.pdf"
+DEMO_PROJECT_IMAGE_URL="https://digitalfactory-cdn.ultimaker.com/example-project/cell_1.png"
diff --git a/.github/services/production.env b/.github/services/production.env
new file mode 100644
index 0000000..14b14aa
--- /dev/null
+++ b/.github/services/production.env
@@ -0,0 +1,25 @@
+MAX_SCALE=500
+MIN_SCALE=1
+INGRESS=internal-and-cloud-load-balancing
+
+ACCOUNT_TOTP_ISSUER="Ultimaker Account"
+ACCOUNT_TOKEN_ISSUER=Ultimaker.com
+
+PUBSUB_VERIFICATION_TOKEN=3T18rqjDlPwoKZSw2dpGpfqlabr86GsL
+RIGHT_SIGNATURE_WEBHOOK_VALIDATION=F1dSDICcQC3ZALK-VXnJjjxfwvU34Y4xY5AjSyKl0ErY
+
+ACCOUNT_URL=https://account.ultimaker.com
+REPORT_API_URL=https://api.ultimaker.com/report/v1
+DIGITAL_FACTORY_URL=https://digitalfactory.ultimaker.com
+ULTIMAKER_PROVISIONING_API_URL=https://subscription-service.ultimaker.com
+MARKETPLACE_URL=https://marketplace.ultimaker.com
+CLOUD_API_URL=https://api.ultimaker.com/cura/v1
+CONNECT_API_URL=https://api.ultimaker.com/connect/v1
+
+BUCKET_NAME_BULK_ACCOUNT_CREATION=um-cloud-production-account-bulk-account-creation
+BUCKET_NAME_TEAM_IMAGES=um-cloud-production-team-images
+BUCKET_NAME_PROFILE_IMAGES=um-cloud-production-account-images
+BUCKET_NAME_ORGANIZATION_IMAGES=um-cloud-production-organization-images
+
+DEMO_PROJECT_DOCUMENT_URL="https://digitalfactory-cdn.ultimaker.com/example-project/Project_Instructions_-_Build_a_Cell_City.pdf"
+DEMO_PROJECT_IMAGE_URL="https://digitalfactory-cdn.ultimaker.com/example-project/cell_1.png"
diff --git a/.github/services/staging.env b/.github/services/staging.env
new file mode 100644
index 0000000..a23251e
--- /dev/null
+++ b/.github/services/staging.env
@@ -0,0 +1,25 @@
+MAX_SCALE=2
+MIN_SCALE=1
+INGRESS=internal-and-cloud-load-balancing
+
+ACCOUNT_TOTP_ISSUER="Ultimaker Account (staging)"
+ACCOUNT_TOKEN_ISSUER=staging.Ultimaker.com
+
+PUBSUB_VERIFICATION_TOKEN=pcgMl2XOqz0KVvDcjoH6c9agqfGBcGNg
+RIGHT_SIGNATURE_WEBHOOK_VALIDATION=z0BFnfa1yg-XBtxHQ55Fi3ZVRxtlkeTg4T9Z9i7GlPHI
+
+ACCOUNT_URL=https://account-staging.ultimaker.com
+REPORT_API_URL=https://api-staging.ultimaker.com/report/v1
+DIGITAL_FACTORY_URL=https://digitalfactory-staging.ultimaker.com
+ULTIMAKER_PROVISIONING_API_URL=https://subscription-service-staging.ultimaker.com
+MARKETPLACE_URL=https://marketplace-staging.ultimaker.com
+CLOUD_API_URL=https://api-staging.ultimaker.com/cura/v1
+CONNECT_API_URL=https://api-staging.ultimaker.com/connect/v1
+
+BUCKET_NAME_BULK_ACCOUNT_CREATION=um-cloud-staging-account-bulk-account-creation
+BUCKET_NAME_TEAM_IMAGES=um-cloud-staging-team-images
+BUCKET_NAME_PROFILE_IMAGES=um-cloud-staging-account-images
+BUCKET_NAME_ORGANIZATION_IMAGES=um-cloud-staging-organization-images
+
+DEMO_PROJECT_DOCUMENT_URL="https://digitalfactory-cdn.ultimaker.com/example-project/Project_Instructions_-_Build_a_Cell_City.pdf"
+DEMO_PROJECT_IMAGE_URL="https://digitalfactory-cdn.ultimaker.com/example-project/cell_1.png"
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..b5d39f8
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,52 @@
+name: Build
+
+on:
+  push:
+
+permissions:
+  contents: read
+  packages: read
+  id-token: write
+  pull-requests: read  # for check-pr-labels
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        service:
+          - frontend
+          - backend
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+          token: ${{ secrets.NPM_GITHUB_TOKEN }}
+          fetch-depth: 0
+      - name: Google Auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.INFRA_WI_PROVIDER }}
+      - name: Use gcloud auth for Docker
+        run: gcloud auth configure-docker europe-west4-docker.pkg.dev
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: europe-west4-docker.pkg.dev/um-cloud-infra/stardust/account-${{ matrix.service }}
+          tags: |
+            type=sha
+            type=raw,value=latest,enable=${{github.ref == 'refs/heads/main' }}
+            type=raw,value=staging,enable=${{github.ref == 'refs/heads/staging' }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          platforms: linux/amd64
+          context: ./${{ matrix.service }}
+          target: release
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/combine.yaml b/.github/workflows/combine.yaml
new file mode 100644
index 0000000..50d898b
--- /dev/null
+++ b/.github/workflows/combine.yaml
@@ -0,0 +1,8 @@
+---
+name: "Combine Dependabot PRs"
+on:
+  workflow_dispatch:  # can be run manually via github actions
+
+jobs:
+  combine-prs:
+    uses: Ultimaker/stardust-workflows/.github/workflows/services-combine.yaml@master
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
new file mode 100644
index 0000000..8a8d864
--- /dev/null
+++ b/.github/workflows/dependabot.yaml
@@ -0,0 +1,15 @@
+---
+name: Dependabot
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+    branches-ignore:
+    - main
+
+permissions:
+  # Needed for Workload Identity
+  id-token: write
+
+jobs:
+  dependabot_auto_merge:
+    uses: Ultimaker/stardust-workflows/.github/workflows/dependabot.yaml@master
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
new file mode 100644
index 0000000..4fdefe2
--- /dev/null
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,53 @@
+name: Deploy
+
+on:
+  workflow_run:
+    workflows:
+      - Build
+    branches:
+      - staging
+      - main
+    types:
+      - completed
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment: ${{ github.event.workflow_run.head_branch == 'main' && 'production' || 'staging' }}
+    strategy:
+      matrix:
+        service:
+          - frontend
+          - api
+          - worker
+        region:
+          - short: eu
+            full: europe-west1
+          - short: us
+            full: us-east1
+        include:
+          - service: worker
+            region:
+              short: us-geo
+              full: us-east1
+    name: Deploy ${{ matrix.service }} (${{ matrix.region.short }})
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.INFRA_WI_PROVIDER }}
+      - name: Create YAML from Helm
+        run: |
+          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+          cd helm
+          helm template cloudrun -s templates/${{ matrix.service }}.yaml -f values-${{ vars.ENV_NAME }}.yaml -f values-${{ matrix.region.short }}.yaml --set gitSHA=${{ github.sha }} --set imageTag=${{ vars.ENV_NAME == 'production' && 'latest' || 'staging' }} . > ../deployment.yaml
+      - name: Deploy to Cloud Run
+        uses: google-github-actions/deploy-cloudrun@v2
+        with:
+          project_id: ${{ vars.GCP_PROJECT_ID }}
+          region: ${{ matrix.region.full }}
+          metadata: deployment.yaml
diff --git a/.github/workflows/lab-delete.yaml b/.github/workflows/lab-delete.yaml
new file mode 100644
index 0000000..c2593d9
--- /dev/null
+++ b/.github/workflows/lab-delete.yaml
@@ -0,0 +1,33 @@
+---
+name: Delete lab
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+jobs:
+  delete-lab:
+    name: Delete ${{ matrix.service }}
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - account-api
+          - account-worker
+          - account-frontend
+        include:
+          - service: account-api
+            share-url: true
+          - service: account-worker
+            share-url: false
+          - service: account-frontend
+            share-url: false
+    uses: Ultimaker/stardust-workflows/.github/workflows/lab-delete.yaml@master
+    with:
+      service: ${{ matrix.service }}
+      share-url: ${{ matrix.share-url }}
+    secrets: inherit
diff --git a/.github/workflows/lab-deploy.yaml b/.github/workflows/lab-deploy.yaml
new file mode 100644
index 0000000..50c81bc
--- /dev/null
+++ b/.github/workflows/lab-deploy.yaml
@@ -0,0 +1,40 @@
+---
+name: Lab Deployment
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+jobs:
+  deploy-lab:
+    name: Deploy ${{ matrix.service }}
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - account-api
+          - account-worker
+          - account-frontend
+        include:
+          - service: account-api
+            image-name: account-backend
+            share-url: true
+          - service: account-worker
+            image-name: account-backend
+            share-url: false
+          - service: account-frontend
+            image-name: account-frontend
+            share-url: false
+    uses: Ultimaker/stardust-workflows/.github/workflows/lab-deploy.yaml@master
+    with:
+      image-name: ${{ matrix.image-name }}
+      service: ${{ matrix.service }}
+      share-url: ${{ matrix.share-url }}
+      app-name: account
+      app-url: https://account-api-${{ github.event.pull_request.number }}-ec3feeu5ma-ew.a.run.app
+      front-end-proxy-host: https://account-frontend-${{ github.event.pull_request.number }}-ec3feeu5ma-ew.a.run.app
+    secrets: inherit
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
new file mode 100644
index 0000000..24849d1
--- /dev/null
+++ b/.github/workflows/pull-request.yaml
@@ -0,0 +1,80 @@
+---
+name: Pull Request
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened, labeled, unlabeled, closed ]
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  pull-requests: read  # for check-pr-labels
+
+jobs:
+  ref-check:
+    name: Submodule ref check
+    uses: Ultimaker/stardust-workflows/.github/workflows/submodule-ref-check.yaml@master
+    secrets: inherit
+
+  # run deployment when labeled or when PR with label is changed
+  deploy-lab:
+    if: |
+      (github.event.action == 'labeled' && github.event.label.name == 'LAB_ENV') ||
+      (contains('opened synchronize reopened', github.event.action) && contains(github.event.pull_request.labels.*.name, 'LAB_ENV'))
+    name: Deploy lab
+    uses: ./.github/workflows/lab-deploy.yaml
+    secrets: inherit
+
+  # remove deployment when label is removed or PR is closed
+  delete-lab:
+    name: Delete lab
+    if: (github.event.action == 'unlabeled' && github.event.label.name == 'LAB_ENV') || github.event.action == 'closed'
+    uses: ./.github/workflows/lab-delete.yaml
+    secrets: inherit
+
+  # Add list of PRs included to the production PR
+  comment-main-pr:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.base.ref == 'main' && github.event.action == 'opened'
+    name: Comment on main PR
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+          token: ${{ secrets.NPM_GITHUB_TOKEN }}
+          fetch-depth: 0
+      - name: Compose message
+        id: compose-message
+        run: |
+          # Write a list of PRs
+          echo "This PR includes the following PRs:" | tee message.txt
+          git log origin/${{github.event.pull_request.base.ref}}.. | grep -e '#[0-9]\+' -o | sed 's/^/- /' | tee --append message.txt
+
+          # Retrieve the JSON specs
+          curl https://account.ultimaker.com/spec --output production-spec.json --no-progress-meter
+          curl https://account-staging.ultimaker.com/spec --output staging-spec.json --no-progress-meter
+
+          # Compare the specs and write them in a code block (```diff ... ```)
+          echo -e "\nThe following changes were made to the API in staging:\n\`\`\`diff" | tee --append message.txt
+          diff <(jq --sort-keys . production-spec.json) <(jq --sort-keys . staging-spec.json) | tee --append message.txt
+          echo -e "\`\`\`\n" | tee --append message.txt
+
+          # Multiline string in GitHub output is just ugly!
+          DELIMITER=$(openssl rand -hex 12)
+          echo "message<<$DELIMITER" >> $GITHUB_OUTPUT
+          cat message.txt | head -c 2500 >> $GITHUB_OUTPUT  # slack messages are max 3k characters
+          echo "$DELIMITER" >> $GITHUB_OUTPUT
+      - name: Comment on main PR
+        uses: actions/github-script@v6
+        continue-on-error: true
+        with:
+          github-token: ${{ secrets.NPM_GITHUB_TOKEN }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: ${{ toJSON(steps.compose-message.outputs.message) }}
+            })
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..c15d783
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,69 @@
+name: Test
+
+on:
+  push:
+
+permissions:
+  contents: read
+  packages: read
+  id-token: write
+  pull-requests: read # for check-pr-labels
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - service: frontend
+            command: lint
+          - service: frontend
+            command: test
+          - service: backend
+            command: coverage
+          - service: backend
+            command: styling
+          - service: backend
+            command: lint
+    name: Test ${{ matrix.service }} (${{ matrix.command }})
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+          token: ${{ secrets.NPM_GITHUB_TOKEN }} # This needs a better solution
+          fetch-depth: 0
+      - name: Build tests
+        uses: docker/build-push-action@v4
+        with:
+          context: ${{ matrix.service }}
+          target: tests
+          push: false
+          tags: account-${{ matrix.service }}-tests
+          # cache-from: type=gha
+          # cache-to: type=gha,mode=max
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"
+      - name: Test ${{ matrix.service }}
+        run: docker compose -f docker-compose-test.yaml run -e FORCE_COLOR=1 ${{ matrix.service }}-${{ matrix.command }}
+  cypress:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./frontend
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          cache: 'npm'
+          node-version-file: 'frontend/.nvmrc'
+          cache-dependency-path: 'frontend/package-lock.json'
+      - name: Cypress run
+        uses: cypress-io/github-action@v6
+        with:
+          working-directory: frontend
+          start: npm start
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..2466ada
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,66 @@
+# pre-commit configuration for libUvula
+default_stages: [commit]
+
+repos:
+  - repo: https://github.com/thoughtworks/talisman
+    rev: v1.32.0
+    hooks:
+      - id: talisman-commit
+
+  - repo: local
+    hooks:
+      - id: check-yaml
+        name: Check YAML Syntax
+        entry: |-
+          bash -c 'if [ "$SKIP_PRE_COMMIT" = "1" ]; then exit 0; fi; exec python3 -c "
+          import sys
+          try:
+              import yaml
+              [yaml.safe_load(open(f)) for f in sys.argv[1:]]
+          except ImportError:
+              print(\"WARNING: PyYAML not found. Skipping YAML syntax check.\")
+          " "$@"' --
+        language: system
+        files: \.(yaml|yml)$
+
+      - id: check-json
+        name: Check JSON Syntax
+        entry: >-
+          bash -c 'if [ "$SKIP_PRE_COMMIT" = "1" ]; then exit 0; fi; exec python3 -c "import json, sys; [json.load(open(f)) for f in sys.argv[1:]]" "$@"' --
+        language: system
+        files: \.json$
+
+      - id: check-agent-artifacts
+        name: Check for Agent Artifacts
+        entry: >-
+          bash -c 'if [ "$SKIP_PRE_COMMIT" = "1" ]; then exit 0; fi; for f in "$@"; do if [[ "$f" =~ (task(_.*)?\.md|task\..*|implementation_plan(_.*)?\.md|implementation_plan\..*|walkthrough(_.*)?\.md|walkthrough\..*|\.playwright-cli|__pycache__|scratch_.*|scratch\..*|temp_.*|temp\..*|test_scratch_.*|test_scratch\..*|test_agent_.*|test_agent\..*|test_temp_.*|test_temp\..*|test_run_.*|test_run\..*|test_debug_.*|test_debug\..*|test_mock_.*|test_mock\..*|test_quick_.*|test_quick\..*|test_sandbox_.*|test_sandbox\..*|test_test_.*|test_test\..*|^test_[^/]+\.(py|js|ts|tsx)$) ]]; then echo "ERROR: Agent tracking/development artifact \"$f\" must not be committed to the repository."; exit 1; fi; done' --
+        language: system
+
+      - id: clang-format
+        name: Format C++ Code (clang-format)
+        entry: >-
+          bash -c 'if [ "$SKIP_PRE_COMMIT" = "1" ]; then exit 0; fi; if ! command -v clang-format &>/dev/null; then echo "WARNING: clang-format not found. Skipping formatting."; exit 0; fi; exec clang-format -i "$@"' --
+        language: system
+        files: \.(cpp|h|hpp)$
+
+      - id: cppcheck
+        name: Fast Static Analysis (cppcheck)
+        entry: >-
+          bash -c 'if [ "$SKIP_PRE_COMMIT" = "1" ]; then exit 0; fi; if ! command -v cppcheck &>/dev/null; then echo "WARNING: cppcheck not found. Skipping static analysis."; exit 0; fi; exec cppcheck --enable=warning,performance,portability --inline-suppr --suppress=missingIncludeSystem --quiet "$@"' --
+        language: system
+        files: \.(cpp|h|hpp)$
+
+      - id: check-local-paths
+        name: Check for Local Path References
+        entry: >-
+          bash -c 'if [ "$SKIP_PRE_COMMIT" = "1" ]; then exit 0; fi; if [ -n "$HOME" ] && grep -FIn "$HOME" "$@" >/dev/stderr; then echo "ERROR: Staged files contain references to your local home directory ($HOME). Please use relative paths instead."; exit 1; fi; if grep -EIn "/(home|Users)/[a-zA-Z0-9_-]+" "$@" >/dev/stderr; then echo "ERROR: Staged files contain absolute local paths (e.g., /home/USER/ or /Users/USER/). Please use relative paths instead."; exit 1; fi' --
+        language: system
+        files: \.(py|js|jsx|ts|tsx|sh|bash|md|cpp|h|hpp|txt|cmake|yml|yaml)$
+        exclude: ^(\.agents/|\.pre-commit-config\.yaml)
+
+      - id: check-jira-ticket
+        name: Check Jira Ticket in Commit Message
+        entry: >-
+          bash -c 'if [ "$SKIP_PRE_COMMIT" = "1" ]; then exit 0; fi; if ! grep -Ei "(EMB|CES|COL|STYX|UC|NP)-[0-9]+" "$1" >/dev/null; then echo "ERROR: Commit message must reference a valid Jira ticket from authorized projects (e.g., EMB-XXXX, CES-XXXX, COL-XXXX, STYX-XXXX, UC-XXXX, NP-XXXX)."; exit 1; fi' --
+        language: system
+        stages: [commit-msg]
diff --git a/.talismanrc b/.talismanrc
new file mode 100644
index 0000000..9a213e2
--- /dev/null
+++ b/.talismanrc
@@ -0,0 +1,28 @@
+fileignoreconfig:
+- filename: .github/services/lab.env
+  checksum: c0b8bb3533008b27bc59c6713156b079dfde3c0a7d28cd5d8642876e92bd905a
+- filename: .github/services/production.env
+  checksum: 6723cd733b3d8f6b99096f8a2362d2bc2e828661b76d8338dd432097b80277b1
+- filename: .github/services/staging.env
+  checksum: 5c500ea4e0fdd54d151a34b706333075f6c2ff7acc7d585a76f263658067fc26
+- filename: .github/copilot-instructions.md
+  checksum: e81cac7a8100a919eea6a20b8e00119cfa75490a42fe170547b4ae84fe85fc51
+- filename: .github/copilot-instructions/accessibility-auditor.instructions.md
+  checksum: c40fcf19e1ae5ac15e21046c3f2682ee7381b0f2d68af46e345bdcdc373cc0d9
+- filename: .github/workflows/lab-deploy.yaml
+  checksum: e11975b55ee53835adb3ca83477d91aad472454172db4059608d957ce2434805
+- filename: .github/copilot-instructions/code-reviewer.instructions.md
+  checksum: 90949bb7f79167b10c12be61fc8293e3deba60dfafa0d72c4bb023ea45c8961f
+- filename: .github/dependabot.yml
+  checksum: f6f8c58bfaac2bcb17410e314bbb82bd4a50393979671602ca65b1d86da2b1e7
+- filename: .github/copilot-instructions/testing-automation.instructions.md
+  checksum: d1c4fc9b8579d5a7648e0d3d9076410d97fe25031f558b500b0eccecd258e0da
+- filename: .github/workflows/lab-delete.yaml
+  checksum: b43d0f6190c0f90c567d7dc7d6e30c9c72104b9df246d49912110616ee03bb4a
+- filename: .github/workflows/pull-request.yaml
+  checksum: 65313710db6d09de8e5829f08e13a4b97beb6eb1b5b5f1a249bbc335314c2e35
+- filename: .github/copilot-instructions/pr-assistant.instructions.md
+  checksum: 8cd77d9648f41bed3e8f94ba6101f3854916f82b78c192e9954873e3d7f722bb
+- filename: AGENTS.md
+  checksum: 816697c4844623e775585da1c2ce7eca21f5c34a881db0bfae2833c80069ced7
+version: ""
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..887692d
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,124 @@
+# Agent Operational & Onboarding Guide (AGENTS.md)
+
+Welcome, AI Agent! This document defines the operational boundaries, design patterns, testing strategies, and collaborative conventions for the `libUvula` repository.
+
+As a dynamic assistant, you must adhere strictly to these principles to maintain codebase sanity and ensure future developers can build upon your work efficiently.
+
+---
+
+## 1. SaaS Context, Sibling Services & AI Skill Discovery
+
+### libUvula Context
+
+**libUvula** is a high-performance, standalone C++ UV-unwrapping engine designed for processing massive 3D meshes. It partitions and projects 3D faces into non-overlapping 2D coordinates, supplying the critical coordinate layout required for real-time model painting.
+
+- **WASM compilation**: Compiles using Emscripten to WebAssembly (`UvulaJS`), exporting JavaScript bindings consumed directly by **NeoPrep (Cura Cloud)** inside the web browser for the high-performance 3D paint pipeline.
+- **Python Bindings**: Provides `pyUvula` bindings for server-side testing, preprocessing, and validation of unwrapped geometries.
+- **No Side-Effects**: Entirely stateless and self-contained; accepts mesh vertices and indices and computes optimal packed textures maps.
+
+### Sibling Services & Relative Paths
+
+To collaborate on cross-repository features or platform emulation, locate and link with sibling services in this local workspace. Use the following relative paths and consult their corresponding `AGENTS.md` operational guides:
+
+- **[neoprep](../neoprep/audit-stardust-atlas-submodules/)**: The interactive React 3D prep workspace. The painting pipeline is described in [painting_pipeline.md](../neoprep/audit-stardust-atlas-submodules/doc/Software%20Architecture/painting_pipeline.md).
+- **[Curator](../Curator/)**: Slicing profile resolver.
+- **[stardust-atlas](../stardust-atlas/audit-stardust-atlas-submodules/)**: Meta-repository and orchestration layer compiling the full Digital Factory stack.
+
+### 🔍 Dynamic AI Skill Discovery & Installation
+
+To obtain expert domain knowledge and specific runtime tools, agents **must** dynamically discover and install specialized engineering skills from `Ultimaker/UltiCortex` on branch `UC-3695_improve_code_base_for_agentic_development`:
+
+```bash
+# Discover and install specialized skills
+gh skill install Ultimaker/UltiCortex ultimaker-neoprep-development --branch UC-3695_improve_code_base_for_agentic_development
+```
+
+---
+
+## 2. Work Tracking, Git & Pull Request Habits
+
+- **Jira Tracking**: All changes require an active Jira ticket starting with project key **`UC`** or **`NP`** (e.g., `UC-3697` or `NP-1325`). Branch names must be formatted as `[PROJECT_KEY]-[ID]_description`.
+- **Git Commit Standards**:
+  - **Bracketed Ticket Prefix**: Every Git commit title and GitHub Pull Request title **MUST** start with the active branch's Jira ticket key in bracketed format: `[PROJECT-KEY] <Description>`. For example: `[UC-3697] <Description>`.
+  - **No Semantic Prefixes**: Do **NOT** use conventional/semantic commit prefix tags (such as `feat:`, `fix:`, `chore:`, etc.) in commit titles or Pull Request titles.
+  - Commit message format:
+
+    ```
+    [UC-3697] Configure pre-commit and agentic enablement
+
+    Setup pre-commit hooks and custom copilot instructions for libUvula development.
+
+    Contributes to UC-3697
+    ```
+
+- **PR Guidelines**:
+  - Always open PRs as **DRAFT** state. Merging is **strictly restricted to humans**.
+  - Monitor CI status checks. Ensure build, linter, formatting, and unit tests pass cleanly.
+
+---
+
+## 3. Directory Organization & Architecture Index
+
+### Core Directory Maps:
+
+- `/src/`: C++ source files implementing Smart Project partitioning and spatial splitting.
+- `/include/`: Public C++ headers exposing unwrapper interfaces.
+- `/UvulaJS/`: Emscripten bindings and WebAssembly compilation scripts.
+- `/pyUvula/`: Python bindings implementation.
+- `/cli/`: Native CLI testing executable.
+- `CMakeLists.txt` & `conanfile.py`: Compilation and package dependency manager configurations.
+
+---
+
+## 4. Deep Dive: Core Technical Architectures
+
+### 4.1. Three-step Unwrapping Pipeline
+
+1. **Normal Proximity Grouping**: Groups faces of the mesh by normal orientation (inspired by Blender's Smart UV Project) to minimize texture distortion.
+2. **Spatial Split**: Splits groups based on adjacent connectivity, ensuring disconnected surfaces are unwrapped as independent patches.
+3. **Texture Packing**: Packs the 2D projected patches on a flat canvas to maximize density using a high-efficiency [xatlas](https://github.com/jpcy/xatlas/) bin-packer.
+
+---
+
+## 5. Local Setup & Verification
+
+### 🚀 Quick Start
+
+1. Install dependencies and compile using Conan & CMake:
+   ```bash
+   conan install . --build=missing
+   source build/Release/generators/conanbuild.sh
+   cmake --preset conan-release
+   cmake --build --preset conan-release
+   ```
+
+---
+
+## 6. Quality Control, Tooling & Local Verification
+
+To maintain top-tier reliability, libUvula enforces comprehensive Quality Control (QC) tools locally. Succeeding agents and developers **must** run and verify these tools before proposing any Pull Request:
+
+### 🎨 Formatting (clang-format)
+
+Check and write clean, standardized formatting across C++ code:
+
+- **Verification & Auto-fix**: `clang-format -i $(find src include cli -name '*.cpp' -o -name '*.h' -o -name '*.hpp')`
+
+### 🧹 Linting & Static Analysis (cppcheck)
+
+Enforce code quality and memory safety:
+
+- **cppcheck**: Fast static analysis for performance and portability issues:
+  ```bash
+  cppcheck --enable=warning,performance,portability --inline-suppr src/ include/
+  ```
+
+### ⚓ Pre-commit Hook Integration
+
+Pre-commit hooks automatically execute fast checks (clang-format, cppcheck, check-yaml, check-json, talisman, local path blocking, and agent artifact checks) on staged files.
+
+- **Manual Hook Audit**:
+  ```bash
+  pre-commit run --all-files
+  ```
+- **Opt-Out (Humans Only)**: Humans may prepend `SKIP_PRE_COMMIT=1` or run `git commit --no-verify`. AI agents **MUST** pass all pre-commit hooks cleanly.
diff --git a/README.md b/README.md
index 7976365..6687b1c 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ The returned width and height are the recommended values for the texture. It is
 A command-line tool is provided for the convenience of testing, and can be built by adding `-o with_cli=True` when doing the setup with `conan`. Then the use is pretty simple:
 
 ```bash
-./build/Release/cli/uvula /home/myself/dinosaur.stl -o /home/myself/dinosaur_unwrapped.obj
+./build/Release/cli/uvula ./dinosaur.stl -o ./dinosaur_unwrapped.obj
 ```
 
 Then you can display the resulting OBJ file with e.g. Blender.
diff --git a/UvulaJS/UvulaJS.cpp b/UvulaJS/UvulaJS.cpp
index f2f557a..e64918a 100644
--- a/UvulaJS/UvulaJS.cpp
+++ b/UvulaJS/UvulaJS.cpp
@@ -24,7 +24,7 @@ EMSCRIPTEN_DECLARE_VAL_TYPE(PolygonArray);
 // Return type for unwrap function
 struct UnwrapResult
 {
-    Float32Array uvCoordinates = Float32Array{emscripten::val::array()};
+    Float32Array uvCoordinates = Float32Array{ emscripten::val::array() };
     uint32_t textureWidth;
     uint32_t textureHeight;
 };
@@ -41,7 +41,8 @@ struct Geometry
         // Convert vertices
         auto vertices_length = vertices_js["length"].as<int>();
         vertices.reserve(vertices_length / 3);
-        for (int i = 0; i < vertices_length; i += 3) {
+        for (int i = 0; i < vertices_length; i += 3)
+        {
             auto x = vertices_js[i].as<float>();
             auto y = vertices_js[i + 1].as<float>();
             auto z = vertices_js[i + 2].as<float>();
@@ -56,13 +57,14 @@ struct Geometry
             auto i1 = indices_js[i].as<uint32_t>();
             auto i2 = indices_js[i + 1].as<uint32_t>();
             auto i3 = indices_js[i + 2].as<uint32_t>();
-            indices.push_back({i1, i2, i3});
+            indices.push_back({ i1, i2, i3 });
         }
 
         // Convert UVs
         auto uvs_length = uvs_js["length"].as<int>();
         uvs.reserve(uvs_length / 2);
-        for (int i = 0; i < uvs_length; i += 2) {
+        for (int i = 0; i < uvs_length; i += 2)
+        {
             auto u = uvs_js[i].as<float>();
             auto v = uvs_js[i + 1].as<float>();
             uvs.emplace_back(u, v);
@@ -71,11 +73,12 @@ struct Geometry
         // Convert connectivity
         auto connectivity_length = connectivity_js["length"].as<int>();
         connectivity.reserve(connectivity_length / 3);
-        for (int i = 0; i < connectivity_length; i += 3) {
+        for (int i = 0; i < connectivity_length; i += 3)
+        {
             auto i1 = connectivity_js[i].as<int32_t>();
             auto i2 = connectivity_js[i + 1].as<int32_t>();
             auto i3 = connectivity_js[i + 2].as<int32_t>();
-            connectivity.push_back({i1, i2, i3});
+            connectivity.push_back({ i1, i2, i3 });
         }
     }
 };
@@ -98,7 +101,8 @@ UnwrapResult unwrap(const Float32Array& vertices_js, const Uint32Array& indices_
 
     // Convert vertices (expecting flat array of [x1, y1, z1, x2, y2, z2, ...])
     vertex_points.reserve(vertices_length / 3);
-    for (unsigned i = 0; i < vertices_length; i += 3) {
+    for (unsigned i = 0; i < vertices_length; i += 3)
+    {
         float x = vertices_js[i].as<float>();
         float y = vertices_js[i + 1].as<float>();
         float z = vertices_js[i + 2].as<float>();
@@ -112,18 +116,18 @@ UnwrapResult unwrap(const Float32Array& vertices_js, const Uint32Array& indices_
         uint32_t i1 = indices_js[i].as<uint32_t>();
         uint32_t i2 = indices_js[i + 1].as<uint32_t>();
         uint32_t i3 = indices_js[i + 2].as<uint32_t>();
-        face_indices.push_back({i1, i2, i3});
+        face_indices.push_back({ i1, i2, i3 });
     }
 
     // Prepare output
-    std::vector<Point2F> uv_coords(vertex_points.size(), {0.0f, 0.0f});
+    std::vector<Point2F> uv_coords(vertex_points.size(), { 0.0f, 0.0f });
     uint32_t texture_width;
     uint32_t texture_height;
 
     // Perform unwrapping
     bool success = smartUnwrap(vertex_points, face_indices, uv_coords, texture_width, texture_height);
 
-    if (!success)
+    if (! success)
     {
         throw std::runtime_error("Couldn't unwrap UVs!");
     }
@@ -136,11 +140,7 @@ UnwrapResult unwrap(const Float32Array& vertices_js, const Uint32Array& indices_
         uv_array.set(i * 2 + 1, uv_coords[i].y);
     }
 
-    return UnwrapResult{
-        .uvCoordinates = Float32Array{uv_array},
-        .textureWidth = texture_width,
-        .textureHeight = texture_height
-    };
+    return UnwrapResult{ .uvCoordinates = Float32Array{ uv_array }, .textureWidth = texture_width, .textureHeight = texture_height };
 }
 
 PolygonArray project(
@@ -153,21 +153,22 @@ PolygonArray project(
     uint32_t viewport_width,
     uint32_t viewport_height,
     const Vector3F& camera_normal,
-    uint32_t face_id
-)
+    uint32_t face_id)
 {
     std::vector<Point2F> stroke_points;
     auto stroke_length = stroke_polygon_js["length"].as<int>();
     stroke_points.reserve(stroke_length / 2);
-    for (int i = 0; i < stroke_length; i += 2) {
+    for (int i = 0; i < stroke_length; i += 2)
+    {
         auto x = stroke_polygon_js[i].as<float>();
         auto y = stroke_polygon_js[i + 1].as<float>();
-        stroke_points.push_back({x, y});
+        stroke_points.push_back({ x, y });
     }
 
     // Convert camera projection matrix (4x4 matrix as flat array)
     float matrix_data[4][4];
-    for (int i = 0; i < 16; ++i) {
+    for (int i = 0; i < 16; ++i)
+    {
         matrix_data[i % 4][i / 4] = camera_projection_matrix_js[i].as<float>();
     }
     Matrix44F projection_matrix(matrix_data);
@@ -186,8 +187,7 @@ PolygonArray project(
         viewport_width,
         viewport_height,
         camera_normal,
-        face_id
-    );
+        face_id);
 
     // Convert result to structured return type
     emscripten::val result_polygons = emscripten::val::array();
@@ -227,34 +227,16 @@ EMSCRIPTEN_BINDINGS(uvula)
 
     function("uvula_info", &get_uvula_info);
 
-    class_<Geometry>("Geometry")
-        .constructor<const Float32Array&, const Uint32Array&, const Float32Array&, const Int32Array&>();
+    class_<Geometry>("Geometry").constructor<const Float32Array&, const Uint32Array&, const Float32Array&, const Int32Array&>();
 
     // Utility classes for direct access if needed
-    class_<Point2F>("Point2F")
-        .constructor<>()
-        .property("x", &Point2F::x)
-        .property("y", &Point2F::y);
-
-    class_<Point3F>("Point3F")
-        .constructor<float, float, float>()
-        .function("x", &Point3F::x)
-        .function("y", &Point3F::y)
-        .function("z", &Point3F::z);
-
-    class_<Vector3F>("Vector3F")
-        .constructor<float, float, float>()
-        .function("x", &Vector3F::x)
-        .function("y", &Vector3F::y)
-        .function("z", &Vector3F::z);
-
-    value_object<Face>("Face")
-        .field("i1", &Face::i1)
-        .field("i2", &Face::i2)
-        .field("i3", &Face::i3);
-
-    value_object<FaceSigned>("FaceSigned")
-        .field("i1", &FaceSigned::i1)
-        .field("i2", &FaceSigned::i2)
-        .field("i3", &FaceSigned::i3);
+    class_<Point2F>("Point2F").constructor<>().property("x", &Point2F::x).property("y", &Point2F::y);
+
+    class_<Point3F>("Point3F").constructor<float, float, float>().function("x", &Point3F::x).function("y", &Point3F::y).function("z", &Point3F::z);
+
+    class_<Vector3F>("Vector3F").constructor<float, float, float>().function("x", &Vector3F::x).function("y", &Vector3F::y).function("z", &Vector3F::z);
+
+    value_object<Face>("Face").field("i1", &Face::i1).field("i2", &Face::i2).field("i3", &Face::i3);
+
+    value_object<FaceSigned>("FaceSigned").field("i1", &FaceSigned::i1).field("i2", &FaceSigned::i2).field("i3", &FaceSigned::i3);
 }
\ No newline at end of file
diff --git a/src/xatlas.cpp b/src/xatlas.cpp
index 9fd6afc..0bb2fab 100644
--- a/src/xatlas.cpp
+++ b/src/xatlas.cpp
@@ -63,7 +63,7 @@ Copyright (c) 2012 Brandon Pelfrey
 
 #ifndef XA_MULTITHREADED
 #ifdef __EMSCRIPTEN__
-#define XA_MULTITHREADED 0  // Disable threading for Emscripten/WASM
+#define XA_MULTITHREADED 0 // Disable threading for Emscripten/WASM
 #else
 #define XA_MULTITHREADED 1
 #endif