[Intro]
Whisper in the night, secrets flying free
Lights flicker low, shadows in the breeze
[Verse 1]
Walking through the maze, echoes of a dream
Silent city streets, hiding all the gleam
Footsteps on the rain, hearts beat in a race
Chasing after what’s lost, finding a strange grace
[Pre-Chorus]
Hold on tight, don’t let go
In the dark, we’ll find the glow
Every step a new disguise
In this truth, we realize
[Chorus]
Break the dawn, make it yours
Feel the fire, ignite the floors
Lost in the night, but now we see
Shining brighter endlessly
[Bridge]
Fading shadows, rising sun
Our’s a story just begun
Hand in hand, we’re alive
With a spark that will revive
[Outro]
Whisper in the night, secrets in the air
Forever chasing dreamscapes beyond compare
[Powerpop Chorus]
Turn it up, let’s scream
Living out the reckless dream
Heartbeats, fast and free
This is our harmony
### Core Components
- **AI Core (`src/rainbow_jobs_ai`)**
  - `core.py`: `RainbowJobsAI` with structured generation and the Empathy Filter for trauma-informed analysis.
  - `watermark.py`: Deterministic watermark string applied to all outputs for provenance.
- **API (`api`)**
  - `main.py`: FastAPI app, health, welcome, session establishment, `/generate` with usage gate.
  - `auth_providers.py`: Google/GitHub OAuth via Authlib (others ready to register).
  - `security.py`: JWT mint/verify (issuer, audience, exp).
  - `db.py`: Async SQLAlchemy session factory (SQLite URL default).
  - `models.py`: `User`, `UsageCounter` for plan/entitlements and usage limits.
  - `subscriptions.py`: Enforces per-day limits.
- **Agents (`agents`)**
  - `github_device_flow.py`: Device Flow auth and low-level Git object commit path (auditable GitOps).
- **Finance (`finance`)**
  - `models.py`: `CoreLedger` (fiduciary truth) and `ProcessorLedger` (raw ad data).
  - `reconcile.py`: Quarantine anomalies; monthly roll-ups to core.
- **Quality & Ops**
  - Pre-commit, mypy, ruff, black, coverage config; CI workflow; Dockerfile; run script.
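
The issuer, audience and expiry checks that the `security.py` entry describes, as an added example that is not the project's own code. It assumes HS256 with `APP_SECRET` as the signing key, uses only the Python standard library, and reads the `.env.example` names `JWT_ISS`, `JWT_AUD` and `JWT_EX_MIN`; the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed settings mirroring .env.example; APP_SECRET as the HS256 key is an assumption.
ENV = {"APP_SECRET": "change-me", "JWT_ISS": "onecode",
       "JWT_AUD": "onecode-clients", "JWT_EX_MIN": "30"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _key(env: dict) -> bytes:
    secret = env.get("APP_SECRET", "")
    # Refuse the shipped placeholder and keys shorter than the 32-byte HMAC-SHA256 output.
    if secret == "change-me" or len(secret) < 32:
        raise RuntimeError("APP_SECRET is a placeholder or too short")
    return secret.encode()

def mint(sub: str, env: dict, now=None) -> str:
    now = int(time.time() if now is None else now)
    claims = {"sub": sub, "iss": env["JWT_ISS"], "aud": env["JWT_AUD"],
              "iat": now, "exp": now + 60 * int(env["JWT_EX_MIN"])}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(_key(env), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, env: dict, now=None) -> dict:
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64(head))
        claims = json.loads(_unb64(body))
        given = _unb64(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and claims must be JSON objects")
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; the token does not choose it
        raise ValueError("unexpected alg")
    want = hmac.new(_key(env), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise ValueError("bad signature")
    if claims.get("iss") != env["JWT_ISS"] or claims.get("aud") != env["JWT_AUD"]:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims
```

With the values shipped in `.env.example`, `mint` raises before any token is issued, which makes an unchanged `APP_SECRET` fail at first use instead of signing with a publicly known key.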
---
## Local Development: Quick Start
1. **Clone or create repo folder** and place the provided **bootstrap script** from Appendix A as `bootstrap_onecode.sh`.
2. **Run**:
```bash
chmod +x bootstrap_onecode.sh
./bootstrap_onecode.sh
./infra/run_dev.sh
```
3. **Visit** `http://localhost:8080/` → the **Welcome** page includes working sign-in buttons for Google/GitHub (when provider creds are configured).
---
## Configuration & Secrets
All environment variables are listed in `.env.example`:
```env
# === FastAPI & JWT ===
APP_SECRET=change-me
JWT_ISS=onecode
JWT_AUD=onecode-clients
JWT_EX_MIN=30
COOKIE_SECURE=false
# === OAuth Providers ===
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
# Apple/TikTok/Instagram placeholders
APPLE_CLIENT_ID=
APPLE_TEAM_ID=
APPLE_KEY_ID=
APPLE_PRIVATE_KEY_PEM_BASE64=
TIKTOK_CLIENT_KEY=
TIKTOK_CLIENT_SECRET=
INSTAGRAM_CLIENT_ID=
INSTAGRAM_CLIENT_SECRET=
# === Da