Aureliolo
diff --git a/‎.github/workflows/dev-release.yml‎
Lines changed: 151 additions & 0 deletions b/‎.github/workflows/dev-release.yml‎
Lines changed: 151 additions & 0 deletions
diff --git a/‎.github/workflows/docker.yml‎
Lines changed: 9 additions & 6 deletions b/‎.github/workflows/docker.yml‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎.github/workflows/finalize-release.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/finalize-release.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 5 additions & 3 deletions b/‎CLAUDE.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 0 deletions b/‎README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cli/cmd/config.go‎
Lines changed: 50 additions & 0 deletions b/‎cli/cmd/config.go‎
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,151 @@
+name: Dev Release
+
+# Create incremental pre-release builds on every push to main between stable
+# releases. Computes a PEP 440 dev version (e.g. v0.4.7.dev3) and creates a
+# lightweight git tag + GitHub pre-release. The tag triggers the existing
+# Docker and CLI workflows for full build/scan/sign pipeline.
+
+on:
+  push:
+    branches: [main]
+
+permissions: {}
+
+concurrency:
+  group: dev-release
+  cancel-in-progress: true
+
+jobs:
+  dev-release:
+    name: Create Dev Pre-Release
+    # Skip Release Please version-bump merges and tag pushes (handled by
+    # the stable release pipeline). Also skip if a v* tag already points
+    # at this commit (the stable release just landed).
+    if: >-
+      !startsWith(github.event.head_commit.message, 'chore(main): release')
+      && !contains(github.event.head_commit.message, 'Release-As:')
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    environment: release
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Check if commit already has a stable tag
+        id: check-tag
+        run: |
+          # If this commit already has a v* tag (without .dev), skip -- it is
+          # a stable release and will be handled by Release Please.
+          TAGS=$(git tag --points-at HEAD | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' || true)
+          if [ -n "$TAGS" ]; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "Commit already tagged as stable release: $TAGS"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Compute dev version
+        if: steps.check-tag.outputs.skip != 'true'
+        id: version
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # 1. Find last stable release tag (exclude dev tags)
+          LAST_TAG=$(git tag --sort=-v:refname --list "v[0-9]*.[0-9]*.[0-9]*" | grep -vE '\.dev[0-9]+$' | head -1)
+          LAST_TAG=${LAST_TAG:-""}
+          if [ -z "$LAST_TAG" ]; then
+            echo "::error::No stable release tag found"
+            exit 1
+          fi
+          echo "Last stable tag: $LAST_TAG"
+
+          # 2. Get next version from Release Please pending PR
+          NEXT_VERSION=$(gh pr list --label "autorelease: pending" --state open --json title --jq '.[0].title // ""' | grep -oP '\d+\.\d+\.\d+' || true)
+          if [ -z "$NEXT_VERSION" ]; then
+            # Fallback: bump patch from last tag
+            LAST_VERSION="${LAST_TAG#v}"
+            IFS='.' read -r MAJOR MINOR PATCH <<< "$LAST_VERSION"
+            NEXT_VERSION="${MAJOR}.${MINOR}.$((PATCH + 1))"
+            echo "No Release Please PR found, computed next version: $NEXT_VERSION"
+          else
+            echo "Next version from Release Please: $NEXT_VERSION"
+          fi
+
+          # 3. Count commits since last stable tag
+          DEV_NUM=$(git rev-list "${LAST_TAG}..HEAD" --count)
+          if [ "$DEV_NUM" -eq 0 ]; then
+            echo "::notice::No commits since $LAST_TAG, skipping dev release"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          DEV_TAG="v${NEXT_VERSION}.dev${DEV_NUM}"
+          echo "Dev version: $DEV_TAG"
+          echo "dev_tag=$DEV_TAG" >> "$GITHUB_OUTPUT"
+          echo "dev_num=$DEV_NUM" >> "$GITHUB_OUTPUT"
+          echo "next_version=$NEXT_VERSION" >> "$GITHUB_OUTPUT"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+
+      - name: Check if dev tag already exists
+        if: steps.check-tag.outputs.skip != 'true' && steps.version.outputs.skip != 'true'
+        id: tag-exists
+        env:
+          DEV_TAG: ${{ steps.version.outputs.dev_tag }}
+        run: |
+          if git rev-parse "$DEV_TAG" >/dev/null 2>&1; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "Tag $DEV_TAG already exists, skipping"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create dev tag and pre-release
+        if: >-
+          steps.check-tag.outputs.skip != 'true'
+          && steps.version.outputs.skip != 'true'
+          && steps.tag-exists.outputs.skip != 'true'
+        env:
+          # Use PAT instead of github.token so the tag push triggers
+          # downstream workflows (Docker, CLI). Tags created with the
+          # default GITHUB_TOKEN do not fire push events for other
+          # workflows -- a GitHub Actions anti-recursion safeguard.
+          GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+          DEV_TAG: ${{ steps.version.outputs.dev_tag }}
+          DEV_NUM: ${{ steps.version.outputs.dev_num }}
+          NEXT_VERSION: ${{ steps.version.outputs.next_version }}
+        run: |
+          SHORT_SHA="${GITHUB_SHA::7}"
+
+          # Create tag + pre-release atomically (gh release create --target
+          # creates the tag if it does not exist, avoiding orphaned tags on
+          # partial failure).
+          gh release create "$DEV_TAG" \
+            --target "$GITHUB_SHA" \
+            --prerelease \
+            --title "$DEV_TAG" \
+            --notes "Dev build #${DEV_NUM} toward v${NEXT_VERSION}
+
+          **Commit:** ${SHORT_SHA}
+          **Full pipeline:** Docker images, CLI binaries, cosign signatures, and SLSA provenance will be attached by downstream workflows.
+
+          > This is a pre-release for testing. Use \`synthorg config set channel dev\` to opt in."
+
+      - name: Clean up old dev pre-releases
+        if: >-
+          steps.check-tag.outputs.skip != 'true'
+          && steps.version.outputs.skip != 'true'
+          && steps.tag-exists.outputs.skip != 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Keep the 5 most recent dev pre-releases, delete the rest
+          gh release list --limit 50 --json tagName,isPrerelease,createdAt \
+            --jq '[.[] | select(.isPrerelease and (.tagName | contains(".dev")))] | sort_by(.createdAt) | reverse | .[5:] | .[].tagName' \
+          | while read -r tag; do
+              echo "Deleting old dev release: $tag"
+              gh release delete "$tag" --yes --cleanup-tag 2>/dev/null || true
+            done
@@ -88,9 +88,10 @@ jobs:
         with:
           images: ghcr.io/aureliolo/synthorg-backend
           tags: |
-            type=raw,value=${{ needs.version.outputs.app_version }},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=raw,value=${{ needs.version.outputs.app_version }},enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '.dev') }}
             type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
-            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '.dev') }}
+            type=raw,value=dev,enable=${{ startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.dev') }}
             type=sha,prefix=sha-
 
       # Build locally first, scan, then push only if scans pass
@@ -276,9 +277,10 @@ jobs:
         with:
           images: ghcr.io/aureliolo/synthorg-web
           tags: |
-            type=raw,value=${{ needs.version.outputs.app_version }},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=raw,value=${{ needs.version.outputs.app_version }},enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '.dev') }}
             type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
-            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '.dev') }}
+            type=raw,value=dev,enable=${{ startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.dev') }}
             type=sha,prefix=sha-
 
       # Build locally first, scan, then push only if scans pass
@@ -460,9 +462,10 @@ jobs:
         with:
           images: ghcr.io/aureliolo/synthorg-sandbox
           tags: |
-            type=raw,value=${{ needs.version.outputs.app_version }},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=raw,value=${{ needs.version.outputs.app_version }},enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '.dev') }}
             type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
-            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '.dev') }}
+            type=raw,value=dev,enable=${{ startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.dev') }}
             type=sha,prefix=sha-
 
       # Build locally first, scan, then push only if scans pass
 
@@ -21,10 +21,14 @@ jobs:
     # Only process tag-triggered release builds, not PR-triggered runs.
     # The event != 'pull_request' guard prevents a PR that modifies the
     # Docker/CLI workflows from reaching this privileged publish step.
+    # Only publish stable releases (v0.4.7), not dev pre-releases (v0.4.7.dev3).
+    # Dev pre-releases are created as non-draft by dev-release.yml and need no
+    # finalization -- their Docker/CLI assets attach directly to the pre-release.
     if: >-
       github.event.workflow_run.event == 'push'
       && github.event.workflow_run.head_repository.full_name == github.repository
       && startsWith(github.event.workflow_run.head_branch, 'v')
+      && !contains(github.event.workflow_run.head_branch, '.dev')
     runs-on: ubuntu-latest
     permissions:
       actions: read
 
@@ -95,7 +95,7 @@ curl http://localhost:3000/api/v1/health   # backend (via web proxy)
 - **Images**: backend (Chainguard distroless, non-root), web (nginx-unprivileged, SPA + API proxy), sandbox (Python + Node.js, non-root)
 - **Config**: all Docker files in `docker/` -- Dockerfiles, compose, `.env.example`. Single root `.dockerignore` (all images build with `context: .`)
 - **Verification**: CLI verifies cosign signatures + SLSA provenance at pull time; bypass with `--skip-verify`
-- **Tags**: version from `pyproject.toml`, semver, and SHA
+- **Tags**: version from `pyproject.toml`, semver, SHA, plus dev tags (`v0.4.7.dev3`, `dev` rolling) for dev channel builds
 
 ## Package Structure
 
@@ -131,7 +131,7 @@ web/src/          # Vue 3 + PrimeVue + Tailwind CSS dashboard
   __tests__/      # Vitest unit tests
 
 cli/              # Go CLI binary (cross-platform, manages Docker lifecycle)
-  cmd/            # Cobra commands (init, start, stop, status, logs, doctor, update, cleanup, wipe, etc.)
+  cmd/            # Cobra commands (init, start, stop, status, logs, doctor, update, cleanup, wipe, config, etc.)
   internal/       # version, config, docker, compose, health, diagnostics, selfupdate, completion, ui, verify
 
 site/             # Astro landing page (synthorg.io)
@@ -223,6 +223,7 @@ site/             # Astro landing page (synthorg.io)
 - **Version bumping** (pre-1.0): `fix:`/`feat:` = patch, `feat!:`/`BREAKING CHANGE` = minor. Post-1.0: standard semver
 - **`Release-As` trailer**: add `Release-As: 0.4.0` as the **final paragraph** of the PR body (separated by blank line). Mid-body placement is silently ignored.
 - **Release flow**: merge release PR -> draft Release + tag -> Docker + CLI workflows attach assets -> finalize-release publishes
+- **Dev channel**: every push to `main` (except Release Please bumps) creates a dev pre-release (e.g. `v0.4.7.dev3`) via `dev-release.yml`. Users opt in with `synthorg config set channel dev`. Dev releases flow through the same Docker + CLI pipelines as stable releases.
 - **Config**: `.github/release-please-config.json`, `.github/.release-please-manifest.json` (do not edit manually)
 - **Changelog**: `.github/CHANGELOG.md` (auto-generated, do not edit)
 - **Version locations**: `pyproject.toml` (`[tool.commitizen].version`), `src/synthorg/__init__.py` (`__version__`)
@@ -241,7 +242,8 @@ site/             # Astro landing page (synthorg.io)
 - **Dependency review**: `dependency-review.yml` -- license allow-list (permissive only), PR comment summaries
 - **CLA**: `cla.yml` -- contributor-assistant check on PRs, signatures in `.github/cla-signatures.json`
 - **Release**: `release.yml` -- Release Please creates draft release PR. Uses `RELEASE_PLEASE_TOKEN` (PAT)
-- **Finalize Release**: `finalize-release.yml` -- publishes draft after Docker + CLI workflows succeed for tag. Immutable releases enabled.
+- **Dev Release**: `dev-release.yml` -- creates PEP 440 dev tags (e.g. `v0.4.7.dev3`) and GitHub pre-releases on every push to main (skips Release Please version-bump commits). Tags trigger existing Docker + CLI workflows for full build/scan/sign pipeline. Old dev pre-releases auto-cleaned (keeps 5 most recent).
+- **Finalize Release**: `finalize-release.yml` -- publishes draft after Docker + CLI workflows succeed for tag. Immutable releases enabled. Skips dev pre-releases.
 
 ## Dependencies
 
 
@@ -102,6 +102,7 @@ synthorg init       # interactive setup wizard
 synthorg start      # pull images + start containers
 synthorg status     # check health
 synthorg doctor     # diagnostics if something is wrong
+synthorg config set channel dev  # opt in to pre-release builds
 synthorg wipe       # factory-reset: backup, wipe data, restart fresh
 synthorg cleanup    # remove old container images
 ```
 
@@ -5,12 +5,16 @@ import (
 	"fmt"
 	"os"
 	"strconv"
+	"strings"
 
 	"github.com/Aureliolo/synthorg/cli/internal/config"
 	"github.com/Aureliolo/synthorg/cli/internal/ui"
 	"github.com/spf13/cobra"
 )
 
+// supportedConfigKeys is the single source of truth for `config set` key names.
+var supportedConfigKeys = []string{"channel", "log_level"}
+
 var configCmd = &cobra.Command{
 	Use:   "config",
 	Short: "Manage SynthOrg configuration",
@@ -29,8 +33,21 @@ var configShowCmd = &cobra.Command{
 	RunE:  runConfigShow,
 }
 
+var configSetCmd = &cobra.Command{
+	Use:   "set <key> <value>",
+	Short: "Set a configuration value",
+	Long: `Set a configuration value.
+
+Supported keys:
+  channel    Update channel: "stable" or "dev"
+  log_level  Log verbosity: "debug", "info", "warn", "error"`,
+	Args: cobra.ExactArgs(2),
+	RunE: runConfigSet,
+}
+
 func init() {
 	configCmd.AddCommand(configShowCmd)
+	configCmd.AddCommand(configSetCmd)
 	rootCmd.AddCommand(configCmd)
 }
 
@@ -61,6 +78,7 @@ func runConfigShow(cmd *cobra.Command, _ []string) error {
 	out.KeyValue("Config file", statePath)
 	out.KeyValue("Data directory", state.DataDir)
 	out.KeyValue("Image tag", state.ImageTag)
+	out.KeyValue("Channel", state.DisplayChannel())
 	out.KeyValue("Backend port", strconv.Itoa(state.BackendPort))
 	out.KeyValue("Web port", strconv.Itoa(state.WebPort))
 	out.KeyValue("Log level", state.LogLevel)
@@ -76,6 +94,38 @@ func runConfigShow(cmd *cobra.Command, _ []string) error {
 	return nil
 }
 
+func runConfigSet(cmd *cobra.Command, args []string) error {
+	key, value := args[0], args[1]
+	dir := resolveDataDir()
+	out := ui.NewUI(cmd.OutOrStdout())
+
+	state, err := config.Load(dir)
+	if err != nil {
+		return fmt.Errorf("loading config: %w", err)
+	}
+
+	switch key {
+	case "channel":
+		if !config.IsValidChannel(value) {
+			return fmt.Errorf("invalid channel %q: must be one of %s", value, config.ChannelNames())
+		}
+		state.Channel = value
+	case "log_level":
+		if !config.IsValidLogLevel(value) {
+			return fmt.Errorf("invalid log_level %q: must be one of %s", value, config.LogLevelNames())
+		}
+		state.LogLevel = value
+	default:
+		return fmt.Errorf("unknown config key %q (supported: %s)", key, strings.Join(supportedConfigKeys, ", "))
+	}
+
+	if err := config.Save(state); err != nil {
+		return fmt.Errorf("saving config: %w", err)
+	}
+	out.Success(fmt.Sprintf("Set %s = %s", key, value))
+	return nil
+}
+
 func maskSecret(s string) string {
 	if s == "" {
 		return "(not set)"