feat: add meshix-cli-bin package

.github/workflows/version-bumps.yml

@@ -2,6 +2,10 @@ name: version-bumps
 
 on:
   workflow_dispatch:
+    inputs:
+      meshix_cli_version:
+        description: Optional Meshix CLI release tag to pin for this run (for example v0.0.2)
+        required: false
   schedule:
     - cron: '23 6 * * *'
 
@@ -17,6 +21,7 @@ jobs:
     env:
       GH_TOKEN: ${{ github.token }}
       SHPIT_GH_TOKEN: ${{ secrets.SHPIT_GH_TOKEN }}
+      MESHIX_CLI_VERSION: ${{ github.event.inputs.meshix_cli_version || '' }}
       UPDATE_BRANCH: automation/version-bumps
     steps:
       - name: Install updater dependencies
@@ -51,7 +56,7 @@ jobs:
         if: ${{ steps.detect.outputs.changed == 'true' }}
         run: |
           git checkout -B "${UPDATE_BRANCH}"
-          git add README.md docs scripts .github/workflows tabex-bin osyrra-bin
+          git add README.md docs scripts .github/workflows meshix-cli-bin tabex-bin osyrra-bin
           git commit -m "chore(pkgbuilds): bump package versions"
           git push --force --set-upstream origin "${UPDATE_BRANCH}"
 

README.md

@@ -6,6 +6,7 @@ Arch Linux package definitions for SHPIT-maintained command-line tools.
 
 | Package | Upstream | Notes |
 |---|---|---|
+| `meshix-cli-bin` | `shpitdev/meshix-observability` GitHub Releases | Private release assets. Same auth model as `tabex-bin` and `osyrra-bin`. |
 | `tabex-bin` | `shpitdev/tabex` GitHub Releases | Private release assets. The PKGBUILD is public, but `makepkg` needs GitHub access to the `shpitdev` org to download the release tarball. |
 | `osyrra-bin` | `shpitdev/osyrra` GitHub Releases | Private release assets. Same auth model as `tabex-bin`. |
 
@@ -36,7 +37,7 @@ cd <package-dir>
 makepkg -si
 ```
 
-`gh auth login` must be configured with access to the `shpitdev` org before `makepkg` can download the private release assets.
+`gh auth login` must be configured with access to the `shpitdev` org before `makepkg` can download the private `meshix-cli-bin`, `tabex-bin`, or `osyrra-bin` release assets.
 
 After installing `tabex-bin`, start with:
 
@@ -50,12 +51,12 @@ The package includes an install hook that prints the same guidance after install
 
 - You can use this repo immediately without creating the AUR repositories or AUR secrets.
 - The scheduled/manual bump workflow uses the repository `GITHUB_TOKEN` for branch and PR operations in this repo.
-- Without `SHPIT_GH_TOKEN`, the workflow skips the private package updates (both `tabex-bin` and `osyrra-bin` need it).
+- Without `SHPIT_GH_TOKEN`, the workflow skips the private package updates (`meshix-cli-bin`, `tabex-bin`, and `osyrra-bin`).
 - Without AUR secrets, the publish workflow exits successfully without pushing anywhere.
 
 ## Secrets
 
-- `SHPIT_GH_TOKEN` — required for GitHub Actions to refresh private SHPIT packages from their GitHub releases.
+- `SHPIT_GH_TOKEN` — optional; required for GitHub Actions to refresh the private SHPIT packages (`meshix-cli-bin`, `tabex-bin`, and `osyrra-bin`) from their GitHub releases.
 - `AUR_USERNAME`, `AUR_EMAIL`, `AUR_SSH_PRIVATE_KEY` — optional until you actually want to publish to AUR.
 
 ## Local Auth

docs/setup.md

@@ -16,9 +16,9 @@ Use this first.
 Result:
 
 - branch and PR creation use the repo `GITHUB_TOKEN`
-- `tabex-bin` and `osyrra-bin` update only if the repo has access to `SHPIT_GH_TOKEN`
+- `meshix-cli-bin`, `tabex-bin`, and `osyrra-bin` update only if the repo has access to `SHPIT_GH_TOKEN`
 - AUR publishing is skipped without failing
-- upstream `tabex` and `osyrra` release workflows can also trigger this workflow automatically with `gh workflow run version-bumps.yml`, but that depends on `SHPIT_WORKFLOW_DISPATCH_TOKEN` being available in their Depot CI repo secrets
+- upstream `meshix-observability`, `tabex`, and `osyrra` release workflows can also trigger this workflow automatically with `gh workflow run version-bumps.yml`, but that depends on `SHPIT_WORKFLOW_DISPATCH_TOKEN` being available in their producer-repo Depot CI secrets
 
 ## GitHub UI Links
 
@@ -28,7 +28,7 @@ Result:
 
 ## SHPIT_GH_TOKEN
 
-Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/tabex` and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos.
+Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/meshix-observability`, `shpitdev/tabex`, and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos.
 
 Attach it to this repo with:
 
@@ -50,12 +50,16 @@ Create a fine-grained PAT that can trigger workflow dispatches in:
 
 Store that PAT as the GitHub org secret `SHPIT_WORKFLOW_DISPATCH_TOKEN` with `selected` visibility for these producer repos:
 
+- `shpitdev/meshix-observability`
 - `shpitdev/tabex`
 - `shpitdev/osyrra`
 
 Those producer release workflows run in Depot CI, so GitHub org secrets are not enough on their own. Mirror the same secret into Depot for each producer repo with one of these paths:
 
 ```bash
+cd /home/anandpant/Development/shpitdev/meshix/meshix-observability
+depot ci migrate secrets-and-vars -y
+
 cd /home/anandpant/Development/shpitdev/tabex
 depot ci migrate secrets-and-vars -y
 
@@ -66,6 +70,7 @@ depot ci migrate secrets-and-vars -y
 Or add the Depot secrets directly:
 
 ```bash
+depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/meshix-observability
 depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/tabex
 depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/osyrra
 ```
@@ -93,7 +98,7 @@ That is safe because `v0.0.4` is the first stable release that ships the source-
 
 When you are ready to publish to AUR:
 
-1. Create the target AUR package repos (`tabex-bin`, `osyrra-bin`).
+1. Create the target AUR package repos (`meshix-cli-bin`, `tabex-bin`, `osyrra-bin`).
 2. Generate an SSH key that can push to those AUR repos.
 3. Add these repo secrets:
    - `AUR_USERNAME`
@@ -105,12 +110,12 @@ When you are ready to publish to AUR:
 ## Token Model
 
 - Same-repo automation uses the built-in `GITHUB_TOKEN`.
-- Cross-repo private release access for `tabex-bin` and `osyrra-bin` needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow.
+- Cross-repo private release access for `meshix-cli-bin`, `tabex-bin`, and `osyrra-bin` needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow.
 - Local runs can use your normal `gh auth login` session instead of any exported token.
 
 ## Recommended Follow-Up
 
 Replace the org-level token with a narrower machine credential when practical:
 
-1. Create a dedicated machine user token with only the repo access needed for private release reads on `shpitdev/tabex` and `shpitdev/osyrra`.
+1. Create a dedicated machine user token with only the repo access needed for private release reads on `shpitdev/meshix-observability`, `shpitdev/tabex`, and `shpitdev/osyrra`.
 2. Or use a GitHub App installation token flow for the cleanest long-term setup.

meshix-cli-bin/.SRCINFO

@@ -0,0 +1,13 @@
+pkgbase = meshix-cli-bin
+	pkgdesc = Meshix CLI for run inspection and generation workflows
+	pkgver = 0.0.1
+	pkgrel = 1
+	url = https://github.com/shpitdev/meshix-observability
+	install = meshix-cli-bin.install
+	arch = x86_64
+	license = LicenseRef-proprietary
+	makedepends = github-cli
+	provides = meshix-cli
+	conflicts = meshix-cli
+
+pkgname = meshix-cli-bin

meshix-cli-bin/PKGBUILD

@@ -0,0 +1,32 @@
+# Maintainer: Anand Pant
+
+pkgname=meshix-cli-bin
+pkgver=0.0.1
+pkgrel=1
+pkgdesc="Meshix CLI for run inspection and generation workflows"
+arch=('x86_64')
+url="https://github.com/shpitdev/meshix-observability"
+license=('LicenseRef-proprietary')
+install="${pkgname}.install"
+makedepends=('github-cli')
+provides=('meshix-cli')
+conflicts=('meshix-cli')
+
+# Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org.
+_asset="meshix-cli_v${pkgver}_linux_amd64.tar.gz"
+_sha256='a6f8fa1b8c12fa8705bc508efe13b8f462c375016edee0683ceb577370ac1911'
+
+prepare() {
+  gh release download "v${pkgver}" \
+    --repo shpitdev/meshix-observability \
+    --pattern "${_asset}" \
+    --dir . --clobber
+
+  echo "${_sha256}  ${_asset}" | sha256sum -c
+  tar xzf "${_asset}"
+}
+
+package() {
+  install -Dm755 "meshix-cli_v${pkgver}_linux_amd64/meshix-cli" \
+    "${pkgdir}/usr/bin/meshix-cli"
+}

meshix-cli-bin/meshix-cli-bin.install

@@ -0,0 +1,13 @@
+post_install() {
+  cat <<'EOF'
+==> meshix-cli-bin: package-manager installs provide the stable meshix-cli command only.
+==> Start with:
+==>   meshix-cli --help
+==>
+==> For a checkout-linked dev command, install meshix-cli-dev from a local checkout.
+EOF
+}
+
+post_upgrade() {
+  post_install
+}

osyrra-bin/.SRCINFO

@@ -1,6 +1,6 @@
 pkgbase = osyrra-bin
 	pkgdesc = Osyrra silent email worker and operator TUI
-	pkgver = 0.0.2
+	pkgver = 0.0.3
 	pkgrel = 1
 	url = https://github.com/shpitdev/osyrra
 	arch = x86_64

osyrra-bin/PKGBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Anand Pant
 
 pkgname=osyrra-bin
-pkgver=0.0.2
+pkgver=0.0.3
 pkgrel=1
 pkgdesc="Osyrra silent email worker and operator TUI"
 arch=('x86_64')
@@ -13,7 +13,7 @@ conflicts=('osyrra')
 
 # Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org.
 _asset="osyrra_v${pkgver}_linux_amd64.tar.gz"
-_sha256='b169ace1b18d2be22a264f57524728d3f0985787558c8e2ba6796c0a80b81e71'
+_sha256='0b2ba661104227faa1f4aff9579557633933544578d586abd5972f14802c810c'
 
 prepare() {
   gh release download "v${pkgver}" \

scripts/update-meshix-cli-bin.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+optional=false
+if (($# > 1)); then
+  echo "usage: $0 [--optional]" >&2
+  exit 1
+fi
+if (($# == 1)); then
+  if [[ "$1" != "--optional" ]]; then
+    echo "usage: $0 [--optional]" >&2
+    exit 1
+  fi
+  optional=true
+fi
+
+repo_root="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)"
+pkgbuild="${repo_root}/meshix-cli-bin/PKGBUILD"
+repo="shpitdev/meshix-observability"
+requested_version="${MESHIX_CLI_VERSION:-latest}"
+
+resolve_release_json() {
+  local version="$1"
+  local endpoint
+  local output=""
+
+  if [[ -z "${version}" || "${version}" == "latest" ]]; then
+    endpoint="repos/${repo}/releases/latest"
+  else
+    if [[ "${version}" != v* ]]; then
+      version="v${version}"
+    fi
+    endpoint="repos/${repo}/releases/tags/${version}"
+  fi
+
+  if [[ -n "${SHPIT_GH_TOKEN:-}" ]]; then
+    if output="$(GH_TOKEN="${SHPIT_GH_TOKEN}" gh api "${endpoint}" 2>/dev/null)"; then
+      printf '%s' "${output}"
+      return 0
+    fi
+    if [[ -n "${GITHUB_ACTIONS:-}" && "${optional}" == "true" ]]; then
+      echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN does not currently grant release access to ${repo}." >&2
+      printf '__SKIP__'
+      return 0
+    fi
+    echo "SHPIT_GH_TOKEN could not read the private meshix-cli release in ${repo}." >&2
+    return 1
+  elif [[ -n "${GITHUB_ACTIONS:-}" ]]; then
+    if [[ "${optional}" == "true" ]]; then
+      echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN is not configured in GitHub Actions." >&2
+      printf '__SKIP__'
+      return 0
+    fi
+    echo "SHPIT_GH_TOKEN is required in GitHub Actions to read the private meshix-cli release." >&2
+    return 1
+  else
+    gh api "${endpoint}"
+  fi
+}
+
+release_json="$(resolve_release_json "${requested_version}")"
+if [[ "${release_json}" == "__SKIP__" ]]; then
+  exit 0
+fi
+pkgver="$(jq -r '.tag_name | ltrimstr("v")' <<<"${release_json}")"
+asset_json="$(jq -c '
+  .assets
+  | map(select(.name | test("_linux_amd64\\.tar\\.gz$")))
+  | first
+' <<<"${release_json}")"
+release_asset="$(jq -r '.name // empty' <<<"${asset_json}")"
+sha256="$(jq -r '.digest // empty' <<<"${asset_json}")"
+
+if [[ -z "${release_asset}" || "${release_asset}" == "null" ]]; then
+  if [[ "${optional}" == "true" ]]; then
+    echo "Skipping meshix-cli-bin: release is missing a linux amd64 archive." >&2
+    exit 0
+  fi
+  echo "meshix-cli release is missing a linux amd64 archive" >&2
+  exit 1
+fi
+
+if [[ -z "${sha256}" || "${sha256}" == "null" ]]; then
+  if [[ "${optional}" == "true" ]]; then
+    echo "Skipping meshix-cli-bin: release is missing an asset digest." >&2
+    exit 0
+  fi
+  echo "meshix-cli release is missing an asset digest" >&2
+  exit 1
+fi
+
+sha256="${sha256#sha256:}"
+
+perl -0pi -e "s/^pkgver=.*/pkgver=${pkgver}/m" "${pkgbuild}"
+perl -0pi -e "s/^_sha256=.*/_sha256='${sha256}'/m" "${pkgbuild}"
+
+"${repo_root}/scripts/render-srcinfo.sh" "${repo_root}/meshix-cli-bin"

scripts/update-packages.sh

@@ -8,13 +8,14 @@ if (($# == 0)); then
 fi
 
 if [[ "$1" == "auto" ]]; then
-  packages=()
+  packages=(meshix-cli-bin)
   if [[ -n "${SHPIT_GH_TOKEN:-}" || -z "${GITHUB_ACTIONS:-}" ]]; then
     packages+=(tabex-bin)
     packages+=(osyrra-bin)
   fi
 elif [[ "$1" == "all" ]]; then
   packages=(
+    meshix-cli-bin
     tabex-bin
     osyrra-bin
   )
@@ -24,6 +25,13 @@ fi
 
 for package in "${packages[@]}"; do
   case "${package}" in
+    meshix-cli-bin)
+      if [[ "$1" == "auto" ]]; then
+        "${repo_root}/scripts/update-meshix-cli-bin.sh" --optional
+      else
+        "${repo_root}/scripts/update-meshix-cli-bin.sh"
+      fi
+      ;;
     tabex-bin)
       if [[ "$1" == "auto" ]]; then
         "${repo_root}/scripts/update-tabex-bin.sh" --optional

scripts/validate-packages.sh

@@ -9,6 +9,13 @@ for package_dir in "${repo_root}"/*; do
   "${repo_root}/scripts/validate-package.sh" "${package_dir}"
 done
 
+meshix_pkg="${repo_root}/meshix-cli-bin"
+if [[ -f "${meshix_pkg}/PKGBUILD" ]]; then
+  grep -q 'gh release download "v${pkgver}"' "${meshix_pkg}/PKGBUILD"
+  grep -q 'install="${pkgname}\.install"' "${meshix_pkg}/PKGBUILD"
+  grep -q 'meshix-cli-dev' "${meshix_pkg}/meshix-cli-bin.install"
+fi
+
 tabex_pkg="${repo_root}/tabex-bin"
 if [[ -f "${tabex_pkg}/PKGBUILD" ]]; then
   grep -q 'install="${pkgname}\.install"' "${tabex_pkg}/PKGBUILD"

tabex-bin/.SRCINFO

@@ -1,6 +1,6 @@
 pkgbase = tabex-bin
 	pkgdesc = Tabex CLI for browser session, capture, and page inspection
-	pkgver = 0.0.4
+	pkgver = 0.0.5
 	pkgrel = 1
 	url = https://github.com/shpitdev/tabex
 	install = tabex-bin.install

tabex-bin/PKGBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Anand Pant
 
 pkgname=tabex-bin
-pkgver=0.0.4
+pkgver=0.0.5
 pkgrel=1
 pkgdesc="Tabex CLI for browser session, capture, and page inspection"
 arch=('x86_64')
@@ -14,7 +14,7 @@ conflicts=('tabex')
 
 # Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org.
 _asset="tabex_v${pkgver}_linux_amd64.tar.gz"
-_sha256='f6f3f2e5912ba985453a4ec4d97522a59ecbb4278a44135264303d96c4451e70'
+_sha256='c29a17a401d8a478a3e8f77031e950d0d3bfab8e4bb07d9111a48ab341860c22'
 
 prepare() {
   gh release download "v${pkgver}" \