* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* Merge branch 'main' into devsecops
* fix(actionlint): adjust indentation for self-hosted runner labels
* Merge branch 'main' into devsecops
* feat(security): enhance security workflow with CodeQL analysis steps
* Merge branch 'main' into devsecops
* fix(security): update CodeQL action to version 4 for improved analysis
* Merge branch 'main' into devsecops
- Fixes the environment variable name from `NVIDIA_NIM_API_KEY` to `NVIDIA_API_KEY` to match NVIDIA's official documentation
- Adds model suggestions for NVIDIA NIM provider in the onboarding wizard
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* Merge branch 'main' into devsecops
* fix(actionlint): adjust indentation for self-hosted runner labels
* Merge branch 'main' into devsecops
* feat(security): enhance security workflow with CodeQL analysis steps
* Merge branch 'main' into devsecops
Fixes#430 - Prevents duplicate memories after restart by using platform message IDs instead of random UUIDs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* chore(workflows): complete migration to Blacksmith cloud runners
Migrate remaining workflows from self-hosted axecap runners to Blacksmith:
- docker.yml: publish job
- release.yml: publish job
- security.yml: audit and deny jobs (conditional on push events)
This completes the transition away from self-hosted infrastructure.
Axecap runner registrations (IDs 21, 22) have been removed.
All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency.
* fix(workflows): correct Blacksmith runner label typo
Fix typo in runner labels: blacksmith-2vcpu-ubuntu-240 -> blacksmith-2vcpu-ubuntu-2404
Affected workflows:
- workflow-sanity.yml: no-tabs and actionlint jobs
- ci.yml: test, build, and docs-quality jobs
This fixes the stuck workflows that were queued indefinitely waiting for
non-existent runner labels.
* chore(workflows): complete migration to Blacksmith cloud runners
Migrate remaining workflows from self-hosted axecap runners to Blacksmith:
- docker.yml: publish job
- release.yml: publish job
- security.yml: audit and deny jobs (conditional on push events)
This completes the transition away from self-hosted infrastructure.
Axecap runner registrations (IDs 21, 22) have been removed.
All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency.
* Merge branch 'main' into selfhost-blacksmith
* feat(memory): optimize SQLite performance with production-grade PRAGMAs
- Enable WAL mode for concurrent read/write access
- Set synchronous = NORMAL for 2x faster writes with crash safety
- Enable 8MB mmap for zero-copy reads via OS page cache
- Set in-memory temp_store and 2MB page cache for hot entries
- Applies optimizations to brain.db (memory), jobs.db (cron), and hygiene pruner
* feat: add LLM response cache, memory snapshotting, and WASM sandbox
- Response Cache: Saves tokens by caching repeated prompts in SQLite.
- Memory Snapshot: Human-readable markdown 'soul' backup for Git-native self-preservation and cold-boot recovery.
- WASM Sandbox: Isolated tool execution via wasmi.
- Configurable via wizard and config.toml.
* feat(memory): optimize SQLite performance with production-grade PRAGMAs
- Enable WAL mode for concurrent read/write access
- Set synchronous = NORMAL for 2x faster writes with crash safety
- Enable 8MB mmap for zero-copy reads via OS page cache
- Set in-memory temp_store and 2MB page cache for hot entries
- Applies optimizations to brain.db (memory), jobs.db (cron), and hygiene pruner
* feat: add LLM response cache, memory snapshotting, and WASM sandbox
- Response Cache: Saves tokens by caching repeated prompts in SQLite.
- Memory Snapshot: Human-readable markdown 'soul' backup for Git-native self-preservation and cold-boot recovery.
- WASM Sandbox: Isolated tool execution via wasmi.
- Configurable via wizard and config.toml.
* ci: add explicit advisory severity thresholds to deny.toml
- Set vulnerability = "deny" to fail CI on known vulnerabilities
- Set unmaintained = "warn" (changed from "workspace" for clarity)
- Set notice = "warn" to surface informational advisories
- Keep yanked = "warn" as before
This improves signal-to-noise by ensuring genuine vulnerabilities
block CI while less critical advisories are surfaced as warnings.
Closes#363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: use valid cargo-deny v2 schema values for advisories
In v2, vulnerability/notice fields are removed (always error).
- unmaintained: change "workspace" → "all" (check all deps, not just direct)
- yanked: change "warn" → "deny" (fail CI on yanked crates)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(deny): ignore RUSTSEC-2025-0141 bincode unmaintained advisory
bincode v2.0.1 is a transitive dependency via probe-rs that we cannot
easily replace. The advisory notes the project considers v1.3.3 complete.
Adding to ignore list so unmaintained="all" check passes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* ci: add SHA256 checksums to release artifacts
Generate a SHA256SUMS file after downloading all build artifacts and
include it in the GitHub Release. Users can verify download integrity
with `sha256sum -c SHA256SUMS`.
Closes#358
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci: whitelist lxc-ci self-hosted runner label for actionlint
Add actionlint.yaml config to declare lxc-ci as a known custom label
for self-hosted runners, fixing the actionlint CI check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
