* chore(workflows): complete migration to Blacksmith cloud runners
Migrate remaining workflows from self-hosted axecap runners to Blacksmith:
- docker.yml: publish job
- release.yml: publish job
- security.yml: audit and deny jobs (conditional on push events)
This completes the transition away from self-hosted infrastructure.
Axecap runner registrations (IDs 21, 22) have been removed.
All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency.
* fix(workflows): correct Blacksmith runner label typo
Fix typo in runner labels: blacksmith-2vcpu-ubuntu-240 -> blacksmith-2vcpu-ubuntu-2404
Affected workflows:
- workflow-sanity.yml: no-tabs and actionlint jobs
- ci.yml: test, build, and docs-quality jobs
This fixes the stuck workflows that were queued indefinitely waiting for
non-existent runner labels.
* Merge branch 'main' into selfhost-blacksmith
* feat(memory): optimize SQLite performance with production-grade PRAGMAs
- Enable WAL mode for concurrent read/write access
- Set synchronous = NORMAL for 2x faster writes with crash safety
- Enable 8MB mmap for zero-copy reads via OS page cache
- Set in-memory temp_store and 2MB page cache for hot entries
- Applies optimizations to brain.db (memory), jobs.db (cron), and hygiene pruner
* feat: add LLM response cache, memory snapshotting, and WASM sandbox
- Response Cache: Saves tokens by caching repeated prompts in SQLite.
- Memory Snapshot: Human-readable markdown 'soul' backup for Git-native self-preservation and cold-boot recovery.
- WASM Sandbox: Isolated tool execution via wasmi.
- Configurable via wizard and config.toml.
* ci: add explicit advisory severity thresholds to deny.toml
- Set vulnerability = "deny" to fail CI on known vulnerabilities
- Set unmaintained = "warn" (changed from "workspace" for clarity)
- Set notice = "warn" to surface informational advisories
- Keep yanked = "warn" as before
This improves signal-to-noise by ensuring genuine vulnerabilities
block CI while less critical advisories are surfaced as warnings.
Closes #363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: use valid cargo-deny v2 schema values for advisories
In v2, vulnerability/notice fields are removed (always error).
- unmaintained: change "workspace" → "all" (check all deps, not just direct)
- yanked: change "warn" → "deny" (fail CI on yanked crates)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(deny): ignore RUSTSEC-2025-0141 bincode unmaintained advisory
bincode v2.0.1 is a transitive dependency via probe-rs that we cannot
easily replace. The advisory notes the project considers v1.3.3 complete.
Adding to ignore list so unmaintained="all" check passes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* ci: add SHA256 checksums to release artifacts
Generate a SHA256SUMS file after downloading all build artifacts and
include it in the GitHub Release. Users can verify download integrity
with `sha256sum -c SHA256SUMS`.
Closes #358
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci: whitelist lxc-ci self-hosted runner label for actionlint
Add actionlint.yaml config to declare lxc-ci as a known custom label
for self-hosted runners, fixing the actionlint CI check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Provide a template with all recognized environment variables so
developers can set up their local .env without guessing.
The actual .env is already in .gitignore.
Closes #364
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implement DingTalk messaging channel using the official Stream Mode
WebSocket protocol with per-message session webhook replies.
- Add DingTalkChannel with send/listen/health_check support
- Add DingTalkConfig (client_id, client_secret, allowed_users)
- Integrate with onboard wizard, integrations registry, and channel
list/doctor commands
- Include unit tests for user allowlist rules and config serialization
- Block file:// URLs which bypassed all SSRF and domain-allowlist
controls, enabling arbitrary local file exfiltration via browser
- Harden is_private_host() to match http_request.rs coverage:
multicast, broadcast, reserved (240/4), shared address space
(100.64/10), documentation IPs, benchmarking IPs
- Add .localhost subdomain and .local mDNS TLD blocking
- Extract is_non_global_v4() and is_non_global_v6() helpers
Closes #361
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
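
The scheme and host checks listed in the last commit message above, as an added Rust example (not the project's own code). The names `is_non_global_v4` and `is_non_global_v6` are borrowed from the message; `is_blocked_target`, the IPv6 ranges, the URL parsing and the sample URLs are assumptions made for illustration.

```rust
use std::net::{Ipv4Addr, Ipv6Addr};

// Illustrative reimplementation: names mirror the commit message, bodies are assumptions.
fn is_non_global_v4(ip: Ipv4Addr) -> bool {
    let [a, b, _, _] = ip.octets();
    ip.is_unspecified() || ip.is_loopback() || ip.is_private() || ip.is_link_local()
        || ip.is_multicast() || ip.is_broadcast() || ip.is_documentation()
        || (a == 100 && (b & 0xC0) == 64)  // 100.64.0.0/10 shared address space
        || (a == 198 && (b & 0xFE) == 18)  // 198.18.0.0/15 benchmarking
        || a >= 240                        // 240.0.0.0/4 reserved
}

fn is_non_global_v6(ip: Ipv6Addr) -> bool {
    // An IPv4-mapped literal (::ffff:a.b.c.d) must not slip past the v4 rules.
    if let Some(v4) = ip.to_ipv4_mapped() { return is_non_global_v4(v4); }
    let s = ip.segments();
    ip.is_unspecified() || ip.is_loopback() || ip.is_multicast()
        || (s[0] & 0xFE00) == 0xFC00           // fc00::/7 unique local
        || (s[0] & 0xFFC0) == 0xFE80           // fe80::/10 link-local
        || (s[0] == 0x2001 && s[1] == 0x0DB8)  // 2001:db8::/32 documentation
}

// Hypothetical entry point: true means the URL must not be fetched.
fn is_blocked_target(url: &str) -> bool {
    let lower = url.trim().to_ascii_lowercase();
    let rest = match lower.split_once("://") {
        Some(("http", r)) | Some(("https", r)) => r,
        _ => return true, // file:// and every other scheme, or no scheme at all
    };
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    let hostport = authority.rsplit('@').next().unwrap_or(""); // drop userinfo
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""), // bracketed IPv6 literal
        None => hostport.split(':').next().unwrap_or(""),
    };
    let host = host.trim_end_matches('.');
    let named_local = host.is_empty() || host == "localhost"
        || host.ends_with(".localhost") || host.ends_with(".local");
    if named_local { return true; }
    if let Ok(v4) = host.parse::<Ipv4Addr>() { return is_non_global_v4(v4); }
    if let Ok(v6) = host.parse::<Ipv6Addr>() { return is_non_global_v6(v6); }
    false // a DNS name: the resolved address still has to be checked at connect time
}

fn main() {
    for u in ["file:///etc/passwd", "http://100.64.1.1/", "https://example.com/"] { // constructed
        println!("{u} -> blocked: {}", is_blocked_target(u));
    }
}
```

Literal checks like these cover only what appears in the URL; a hostname that resolves to an internal address has to be re-checked against the resolved IP before connecting.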