feat(www): add /github landing page for the GitHub App

[peaktwilight]

DRAFT — held until the GitHub App is registered under PwnKit-Labs and we have the real Marketplace install URL. Tracked in #246.

Summary

New Astro page at `foxguard.dev/github`. Hero, three-step "how it works," what-it-flags grid (8 categories), trust/safety story, self-host fallback, soft CTA back to the local CLI.

What flips when the App is registered

Three constants at the top of `www/src/pages/github.astro`:

```ts
const APP_INSTALL_URL = '#'; // → real Marketplace URL
const APP_HOMEPAGE = APP_INSTALL_URL; // → same
const SELF_HOST_IMAGE = 'ghcr.io/pwnkit-labs/foxguard-github-app';
const APP_REGISTERED = false; // → true
```

Flipping `APP_REGISTERED` to `true`:

• Removes the "Coming soon — track GitHub App: one-click install for any repo (distribution / virality) #246" banner above the hero
• Enables the install button (currently visually disabled, `aria-disabled="true"`, opacity 60)
• Updates button label from "Install — coming soon" to "Install on GitHub"

That's the entire follow-up PR after registration.

Why ship the page in draft now rather than after registration

• We need a value to put in the App's homepage URL field on the registration form
• The page documents the trust/safety model (HMAC verification, sandbox clone, hard caps, single-tenant infra) which is part of why someone would feel comfortable installing
• Open source the receiver story is part of the pitch — the page links to the repo + Dockerfile + tracking issue
• The "Coming soon" banner is honest about the current state

Build check

`cd www && npm run build` — `/github/index.html` is generated, no errors. Confirmed locally.

Test plan

• Astro build clean
• Banner visible while `APP_REGISTERED = false`
• Install button disabled while `APP_REGISTERED = false`
• Self-host docker run snippet references the right image path
• (Pre-merge) Flip `APP_REGISTERED` and `APP_INSTALL_URL` to live values once the App is registered
• (Post-merge) Verify `foxguard.dev/github` resolves and the install button click reaches the Marketplace App page

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a27ce0e2-c165-45e3-8de4-b94df37cb50e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/landing-page-github-app

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[peaktwilight]

Status / hold-state note for this draft so future-me (or anyone else) doesn't lose the thread:

Blocking on: GitHub App registration under `0sec-labs`. Specifically need:

• The Marketplace App install URL (something like `https://github.com/apps/foxguard\`) — replaces `APP_INSTALL_URL = '#'` at the top of `github.astro`
• Flip `APP_REGISTERED = false` → `true`

That's the entire follow-up. Three-line change, no other rework needed.

Won't be blocking on:

• `Dockerfile.github-app` landing on main — the page references it under `/blob/main/Dockerfile.github-app` which auto-resolves once #289 lands; pre-merge the link 404s but the page still renders fine.
• vega deployment going live — the "self-host fallback" install snippet uses a different code path (`docker run`) and is independent of whether the hosted instance is live.

What's already on this branch:

• Rebrand to `0sec-labs` (commit `b7e8e6e`)
• Hero, three-step "how it works," 8-category what-it-flags grid, trust/safety story (HMAC verification, sandbox clone, hard caps, single-tenant infra), self-host fallback, soft CTA back to local CLI
• "Coming soon — track GitHub App: one-click install for any repo (distribution / virality) #246" banner visible while `APP_REGISTERED = false`
• Install button visually disabled (`aria-disabled="true"`, opacity 60) — won't 404 anyone

Won't merge this until App is registered. Shipping a /github page where the install button points to `#` and the banner says "coming soon" is honest but bad UX as a permanent state.

If anyone needs to ship something at `/github` before then, the easier move is to flip the banner to a marketing-page tone and link to issue #246 explicitly. Happy to do that pivot if there's a reason.

[peaktwilight]

Dashboard/blocker note (2026-05-19): this PR should be tracked as a blocked follow-up to #246.\n\nWhy blocked:\n- The page is implemented, but the install CTA still needs the real GitHub App install URL.\n- Merging it while the CTA is disabled / points at # would make /github a permanent-looking coming-soon page.\n\nUnblock checklist after #246 external registration:\n1. Replace APP_INSTALL_URL = '#' with the real https://github.com/apps/<app-slug> URL.\n2. Confirm SELF_HOST_IMAGE still matches the published image namespace.\n3. Flip APP_REGISTERED = false to true.\n4. Run cd www && npm run build.\n5. Mark this PR ready for review and merge after deploy verification.\n\nProject-board intent: add this PR to the company dashboard as Todo / blocked-followup; dependency is #246.