feat(stats): show Plausible visitors chart and daily-impl timeline

.env.example

@@ -64,6 +64,20 @@ PORT=8000
 # Anthropic API key for Claude
 # ANTHROPIC_API_KEY=sk-ant-...
 
+# ============================================================================
+# Plausible Stats API (for /insights/visitors on the stats page)
+# ============================================================================
+
+# Bearer token created in Plausible -> Account Settings -> API Keys.
+# When unset (or when the upstream call fails), /insights/visitors returns
+# `points: []` so the stats page can render a "visitor data unavailable"
+# placeholder instead of an all-zero chart.
+# PLAUSIBLE_API_KEY=
+
+# Optional overrides — defaults: site_id="anyplot.ai", url=plausible.io v2 query
+# PLAUSIBLE_SITE_ID=anyplot.ai
+# PLAUSIBLE_API_URL=https://plausible.io/api/v2/query
+
 # ============================================================================
 # CLI Model Tier Configuration (optional)
 # ============================================================================

.serena/project.yml

@@ -1,23 +1,30 @@
+
+
 # list of languages for which language servers are started; choose from:
-#   al                  bash                clojure             cpp                 csharp
-#   csharp_omnisharp    dart                elixir              elm                 erlang
-#   fortran             fsharp              go                  groovy              haskell
-#   java                julia               kotlin              lua                 markdown
-#   matlab              nix                 pascal              perl                php
-#   powershell          python              python_jedi         r                   rego
-#   ruby                ruby_solargraph     rust                scala               swift
-#   terraform           toml                typescript          typescript_vts      vue
-#   yaml                zig
+#   al                  angular             ansible             bash                clojure
+#   cpp                 cpp_ccls            crystal             csharp              csharp_omnisharp
+#   dart                elixir              elm                 erlang              fortran
+#   fsharp              go                  groovy              haskell             haxe
+#   hlsl                html                java                json                julia
+#   kotlin              lean4               lua                 luau                markdown
+#   matlab              msl                 nix                 ocaml               pascal
+#   perl                php                 php_phpactor        powershell          python
+#   python_jedi         python_ty           r                   rego                ruby
+#   ruby_solargraph     rust                scala               scss                solidity
+#   swift               systemverilog       terraform           toml                typescript
+#   typescript_vts      vue                 yaml                zig
 #   (This list may be outdated. For the current list, see values of Language enum here:
 #   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
 #   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
 # Note:
 #   - For C, use cpp
 #   - For JavaScript, use typescript
+#   - For Angular projects, use angular (subsumes typescript+html; requires `npm install` in the project root)
+#   - For SCSS / Sass / plain CSS, use scss (some-sass-language-server handles all three)
 #   - For Free Pascal/Lazarus, use pascal
 # Special requirements:
-#   - csharp: Requires the presence of a .sln file in the project folder.
-#   - pascal: Requires Free Pascal Compiler (fpc) and optionally Lazarus.
+#   Some languages require additional setup/installations.
+#   See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
 # When using multiple languages, the first language server that supports a given file will be used for that file.
 # The first language is the default language and the respective language server will be used as a fallback.
 # Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
@@ -32,54 +39,19 @@ encoding: "utf-8"
 # whether to use project's .gitignore files to ignore files
 ignore_all_files_in_gitignore: true
 
-# list of additional paths to ignore in all projects
-# same syntax as gitignore, so you can use * and **
+# list of additional paths to ignore in this project.
+# Same syntax as gitignore, so you can use * and **.
+# Note: global ignored_paths from serena_config.yml are also applied additively.
 ignored_paths: []
 
 # whether the project is in read-only mode
 # If set to true, all editing tools will be disabled and attempts to use them will result in an error
 # Added on 2025-04-18
 read_only: false
 
-# list of tool names to exclude. We recommend not excluding any tools, see the readme for more details.
-# Below is the complete list of tools for convenience.
-# To make sure you have the latest list of tools, and to view their descriptions, 
-# execute `uv run scripts/print_tool_overview.py`.
-#
-#  * `activate_project`: Activates a project by name.
-#  * `check_onboarding_performed`: Checks whether project onboarding was already performed.
-#  * `create_text_file`: Creates/overwrites a file in the project directory.
-#  * `delete_lines`: Deletes a range of lines within a file.
-#  * `delete_memory`: Deletes a memory from Serena's project-specific memory store.
-#  * `execute_shell_command`: Executes a shell command.
-#  * `find_referencing_code_snippets`: Finds code snippets in which the symbol at the given location is referenced.
-#  * `find_referencing_symbols`: Finds symbols that reference the symbol at the given location (optionally filtered by type).
-#  * `find_symbol`: Performs a global (or local) search for symbols with/containing a given name/substring (optionally filtered by type).
-#  * `get_current_config`: Prints the current configuration of the agent, including the active and available projects, tools, contexts, and modes.
-#  * `get_symbols_overview`: Gets an overview of the top-level symbols defined in a given file.
-#  * `initial_instructions`: Gets the initial instructions for the current project.
-#     Should only be used in settings where the system prompt cannot be set,
-#     e.g. in clients you have no control over, like Claude Desktop.
-#  * `insert_after_symbol`: Inserts content after the end of the definition of a given symbol.
-#  * `insert_at_line`: Inserts content at a given line in a file.
-#  * `insert_before_symbol`: Inserts content before the beginning of the definition of a given symbol.
-#  * `list_dir`: Lists files and directories in the given directory (optionally with recursion).
-#  * `list_memories`: Lists memories in Serena's project-specific memory store.
-#  * `onboarding`: Performs onboarding (identifying the project structure and essential tasks, e.g. for testing or building).
-#  * `prepare_for_new_conversation`: Provides instructions for preparing for a new conversation (in order to continue with the necessary context).
-#  * `read_file`: Reads a file within the project directory.
-#  * `read_memory`: Reads the memory with the given name from Serena's project-specific memory store.
-#  * `remove_project`: Removes a project from the Serena configuration.
-#  * `replace_lines`: Replaces a range of lines within a file with new content.
-#  * `replace_symbol_body`: Replaces the full definition of a symbol.
-#  * `restart_language_server`: Restarts the language server, may be necessary when edits not through Serena happen.
-#  * `search_for_pattern`: Performs a search for a pattern in the project.
-#  * `summarize_changes`: Provides instructions for summarizing the changes made to the codebase.
-#  * `switch_modes`: Activates modes by providing a list of their names
-#  * `think_about_collected_information`: Thinking tool for pondering the completeness of collected information.
-#  * `think_about_task_adherence`: Thinking tool for determining whether the agent is still on track with the current task.
-#  * `think_about_whether_you_are_done`: Thinking tool for determining whether the task is truly completed.
-#  * `write_memory`: Writes a named memory (for future reference) to Serena's project-specific memory store.
+# list of tool names to exclude.
+# This extends the existing exclusions (e.g. from the global configuration)
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
 excluded_tools: []
 
 # initial prompt for the project. It will always be given to the LLM upon activating the project
@@ -88,11 +60,14 @@ initial_prompt: ""
 # the name by which the project can be referenced within Serena
 project_name: "anyplot"
 
-# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default)
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default).
+# This extends the existing inclusions (e.g. from the global configuration).
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
 included_optional_tools: []
 
 # fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
 # This cannot be combined with non-empty excluded_tools or included_optional_tools.
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
 fixed_tools: []
 
 # list of mode names to that are always to be included in the set of active modes
@@ -103,11 +78,14 @@ fixed_tools: []
 # Set this to a list of mode names to always include the respective modes for this project.
 base_modes:
 
-# list of mode names that are to be activated by default.
-# The full set of modes to be activated is base_modes + default_modes.
-# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
+# list of mode names that are to be activated by default, overriding the setting in the global configuration.
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# If the setting is undefined/empty, the default_modes from the global configuration (serena_config.yml) apply.
 # Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# Therefore, you can set this to [] if you do not want the default modes defined in the global config to apply
+# for this project.
 # This setting can, in turn, be overridden by CLI parameters (--mode).
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
 default_modes:
 
 # time budget (seconds) per tool call for the retrieval of additional symbol information
@@ -145,3 +123,19 @@ ignored_memory_patterns: []
 # Have a look at the docstring of the constructors of the LS implementations within solidlsp (e.g., for C# or PHP) to see which options are available.
 # No documentation on options means no options are available.
 ls_specific_settings: {}
+
+# list of mode names to be activated additionally for this project, e.g. ["query-projects"]
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+added_modes:
+
+# list of additional workspace folder paths for cross-package reference support (e.g. in monorepos).
+# Paths can be absolute or relative to the project root.
+# Each folder is registered as an LSP workspace folder, enabling language servers to discover
+# symbols and references across package boundaries.
+# Currently supported for: TypeScript.
+# Example:
+#   additional_workspace_folders:
+#     - ../sibling-package
+#     - ../shared-lib
+additional_workspace_folders: []

agentic/commands/audit/plausible-auditor.md

@@ -4,13 +4,41 @@ You are the **plausible-auditor** on the audit team. Your scope is the **live Pl
 
 ## Read-only is absolute
 
-You may only issue HTTP `GET` requests against `https://plausible.io/api/v1/stats/*`. Forbidden: any other Plausible endpoint, any non-`GET` method, any write/mutation, any administration call. If you're unsure whether an endpoint is read-only, do not call it. (Stats API is documented at https://plausible.io/docs/stats-api.)
+You may only call the documented Plausible **Stats** APIs:
+
+- **Stats v1** (`GET https://plausible.io/api/v1/stats/{aggregate|timeseries|breakdown|realtime/visitors}`) — handy for one-shot lookups (top events, top pages, single metric over a range).
+- **Stats v2 query** (`POST https://plausible.io/api/v2/query`) — the same endpoint the backend uses for `/insights/visitors`. POST is required because the query DSL lives in the JSON body; the call is still read-only (no mutation). See `docs/reference/plausible.md` for the canonical request shape used in the codebase.
+
+Forbidden: every other Plausible endpoint (sites, goals, custom-props, shared-links, anything under `/api/v1/sites/*` or admin), any DELETE/PUT/PATCH, any call that creates or changes state. If you're unsure whether an endpoint is read-only, do not call it. (Stats API docs: https://plausible.io/docs/stats-api and https://plausible.io/docs/stats-api-v2.)
 
 ## Auth contract — never block the run
 
-1. First step: read `PLAUSIBLE_API_KEY` from the environment.
-2. If unset/empty: send `COVERAGE: blocked`, single `LIMITATION: PLAUSIBLE_API_KEY env var not set` line, return zero findings.
-3. Otherwise proceed. Use the key as `Authorization: Bearer $PLAUSIBLE_API_KEY` in every request. Never log or echo the key value.
+The key was provisioned in 2026-05 and lives in **three** places — try them in order so an unset shell env doesn't immediately block the audit:
+
+1. **Env var** — `$PLAUSIBLE_API_KEY` (CI, ad-hoc shells).
+2. **Local `.env`** — `grep -E '^PLAUSIBLE_API_KEY=' .env | cut -d= -f2-` from the repo root. The dev box has it; the file is gitignored, so this only works locally.
+3. **GCP Secret Manager** — `gcloud secrets versions access latest --secret=PLAUSIBLE_API_KEY --project=anyplot`. Requires gcloud auth on the `anyplot` project (same pattern as `ADMIN_TOKEN` / `DATABASE_URL`).
+
+If none of (1)–(3) yields a value: send `COVERAGE: blocked`, a single `LIMITATION: PLAUSIBLE_API_KEY not available via env, .env, or Secret Manager` line, return zero findings.
+
+Otherwise proceed. Use the key as `Authorization: Bearer $PLAUSIBLE_API_KEY` in every request. Never log, echo, paste, or include the key value in findings or chat output — if you need to show a curl, redact it to `Authorization: Bearer ***`.
+
+### Quick connectivity check (run before the real queries)
+
+A 1-call sanity check before spending the rest of the budget. Both forms work; pick whichever fits the next finding you're investigating:
+
+```bash
+# v1 — simplest "is the key alive?"
+curl -fsS -H "Authorization: Bearer $PLAUSIBLE_API_KEY" \
+  "https://plausible.io/api/v1/stats/aggregate?site_id=anyplot.ai&period=7d&metrics=visitors,pageviews"
+
+# v2 — same auth, POST body; mirrors api/routers/insights.py:_fetch_plausible_visitors
+curl -fsS -X POST -H "Authorization: Bearer $PLAUSIBLE_API_KEY" -H "Content-Type: application/json" \
+  -d '{"site_id":"anyplot.ai","metrics":["visitors"],"date_range":"7d","dimensions":["time:day"]}' \
+  https://plausible.io/api/v2/query
+```
+
+A 2xx with non-empty JSON means the key is live and the site_id is correct. Anything else → mark `COVERAGE: partial` and explain.
 
 ## Scope ideas (not a checklist — use judgment)
 

api/cloudbuild.yaml

@@ -64,7 +64,11 @@ steps:
       - "--port=8000"
       - "--allow-unauthenticated"
       - "--add-cloudsql-instances=anyplot:europe-west4:anyplot-db"
-      - "--set-secrets=DATABASE_URL=DATABASE_URL:latest,CACHE_INVALIDATE_TOKEN=CACHE_INVALIDATE_TOKEN:latest,ADMIN_TOKEN=ADMIN_TOKEN:latest"
+      # PLAUSIBLE_API_KEY: bearer token for the Plausible Stats API (powers
+       #   /insights/visitors on the public stats page). The Secret Manager
+       #   entry must exist before the first deploy that includes this line —
+       #   create it with: gcloud secrets create PLAUSIBLE_API_KEY --data-file=-
+      - "--set-secrets=DATABASE_URL=DATABASE_URL:latest,CACHE_INVALIDATE_TOKEN=CACHE_INVALIDATE_TOKEN:latest,ADMIN_TOKEN=ADMIN_TOKEN:latest,PLAUSIBLE_API_KEY=PLAUSIBLE_API_KEY:latest"
       - "--execution-environment=gen2"
       # ^|^ alt delimiter: values contain @ (emails) and may contain , (multi-email lists)
       - "--set-env-vars=^|^ENVIRONMENT=production|GOOGLE_CLOUD_PROJECT=$PROJECT_ID|GCS_BUCKET=anyplot-images|CF_ACCESS_TEAM_DOMAIN=${_CF_ACCESS_TEAM_DOMAIN}|CF_ACCESS_AUD=${_CF_ACCESS_AUD}|ADMIN_ALLOWED_EMAILS=${_ADMIN_ALLOWED_EMAILS}"