CI Workflow and Multi-Platform Builds
The primary CI workflow executes on every pull request and push to the main branch, targeting ubuntu-latest, macos-latest, and windows-latest .github/workflows/ci.yml#4-23. It orchestrates the build and testing of the entire workspace, including the desktop UI and web dashboard components.
Build and Test Matrix
The build-and-test job ensures that all workspace crates compile and pass unit tests under the locked Cargo.lock dependency tree .github/workflows/ci.yml#17-50.
| Stage | Action | Code Entity / Script |
|---|---|---|
| Toolchain | Install Rust 1.91.0 | setup-rust-toolchain .github/workflows/ci.yml#28-32 |
| JS Environment | Setup Node.js & Vite+ | setup-vp-safe .github/workflows/ci.yml#34-40 |
| UI Prep | Build Desktop UI | scripts/test/ensure-desktop-ui.ps1 .github/workflows/ci.yml#41-44 |
| Rust Build | Workspace Build | cargo build --workspace --locked .github/workflows/ci.yml#45-47 |
| Rust Test | Workspace Test | cargo test --workspace --locked .github/workflows/ci.yml#48-50 |
Workflow Regression Matrix
Beyond unit tests, the workflow-regression job executes complex integration scenarios that verify the interoperability of palyrad, palyra-cli, and palyra-browserd .github/workflows/ci.yml#123-137.
Key Regression Tests:
- Wizard Flow: Validates the interactive CLI onboarding sequence via wizard_cli scripts/test/run-workflow-regression.sh#48.
- ACP Shim: Ensures the Agent Control Protocol bridge remains compatible via cli_v1_acp_shim scripts/test/run-workflow-regression.sh#49.
- Session Compaction: Verifies that session_compaction_apply correctly persists durable writes and handles partial failures scripts/test/run-workflow-regression.sh#46-47.
Quality Gates and Linting
The quality job enforces coding standards and architectural constraints before code can be merged .github/workflows/ci.yml#172-217.
Static Analysis and Linting
- Rustfmt: Enforces global formatting rules via cargo fmt --all --check .github/workflows/ci.yml#212-213.
- Clippy: Denies all warnings in the workspace and all targets .github/workflows/ci.yml#215-216.
- Vite+ (vp) Check: Validates the frontend applications (apps/web, apps/desktop/ui, apps/browser-extension) and scripts .github/workflows/ci.yml#209-210.
Module Budget and Boundary Enforcement
The pipeline uses scripts/dev/report-module-budgets.sh --strict to enforce size and dependency constraints on internal modules and connector boundaries .github/workflows/ci.yml#193-194. This prevents architectural drift and ensures that connectors remain decoupled from the core daemon logic.
Repository Hygiene
Several scripts guard against accidental inclusion of sensitive or invalid files:
- GitHub Actions Pinning: Ensures all actions are pinned to commit SHA hashes instead of tags .github/workflows/ci.yml#181-182.
- Vendored Artifacts: Prevents checking in large binary blobs .github/workflows/ci.yml#184-185.
- Runtime Artifacts: Validates that necessary runtime files are present and correctly located .github/workflows/ci.yml#187-188.
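The pinning check described above, as an added example that is not the project's own script: it scans `uses:` references in workflow text and reports any that resolve to a tag or branch rather than a full commit SHA. The sample workflow, action names and the 40-hex SHA below are constructed placeholders.

```javascript
// Added example, not the project's pinning check: flag `uses:` references in a GitHub
// Actions workflow that are not pinned to a full 40-hex commit SHA. Tags and branches
// are mutable, so an action referenced by tag can change after it was reviewed.
const SHA40 = /^[0-9a-fA-F]{40}$/;

// Returns one finding per unpinned step: { line, action, ref, reason }.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((raw, idx) => {
    // Match `uses:` whether it opens a list item or is quoted; stop at whitespace/comment.
    const m = raw.match(/^\s*-?\s*uses:\s*["']?([^"'#\s]+)/);
    if (!m) return;
    const spec = m[1];
    // Local composite actions and container images are not remote git refs.
    if (spec.startsWith("./") || spec.startsWith("docker://")) return;
    const at = spec.lastIndexOf("@");
    if (at === -1) {
      findings.push({ line: idx + 1, action: spec, ref: null, reason: "missing @ref" });
      return;
    }
    const action = spec.slice(0, at);
    const ref = spec.slice(at + 1);
    if (!SHA40.test(ref)) {
      findings.push({ line: idx + 1, action, ref, reason: "ref is a tag or branch, not a commit SHA" });
    }
  });
  return findings;
}

// Constructed sample workflow (not the project's ci.yml); the SHA is a placeholder value.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2",
  "      - uses: actions/setup-node@v4",
  "      - uses: ./.github/actions/setup-rust-toolchain",
  "      - uses: docker://alpine:3.20",
  "      - uses: 'example-org/example-action@main'",
].join("\n");

// A CI gate would read every file under .github/workflows/ and exit non-zero on findings.
for (const f of findUnpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref ?? ""} (${f.reason})`);
}
```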
Deterministic Core Testing
The deterministic-core suite runs specialized tests that rely on fixed inputs and mocked providers to ensure repeatable results across the gateway and admin surfaces .github/workflows/ci.yml#89-122.
Data Flow: Deterministic Verification
The following diagram illustrates how the run-deterministic-core.ps1 script bridges the CLI and Daemon surfaces to verify deterministic outcomes.
Deterministic Soak
For stability under load, the run-deterministic-soak.sh script executes cycles of reconnection and recovery scripts/test/run-deterministic-soak.sh#1-41:
- Connector Reconnect: gateway_envelope_reconnect_resume_cycles_remain_stable_under_soak scripts/test/run-deterministic-soak.sh#37.
- Queue Stability: repeated_dead_letter_recovery_cycles_keep_queue_accounting_stable scripts/test/run-deterministic-soak.sh#38.
CLI Parity Matrix
The cli-parity job ensures that the palyra CLI maintains a consistent command surface and that all documented commands are functional .github/workflows/ci.yml#218-241.
- Report Generation: The render_cli_parity_report example processes crates/palyra-cli/tests/cli_parity_matrix.toml to generate a markdown acceptance matrix .github/workflows/ci.yml#230-231.
- Snapshot Validation: The help_snapshots test ensures that CLI help text matches expected output, preventing undocumented flag changes .github/workflows/ci.yml#233-234.
- Acceptance Matrix: The cli_parity test validates that the actual implementation aligns with the definitions in the parity matrix TOML .github/workflows/ci.yml#233-234.
Security Gates and Supply Chain
Security is enforced through a dedicated security-gates workflow that scans for vulnerabilities in both Rust and JavaScript dependencies .github/workflows/security.yml#1-156.
Supply Chain Verification
- npm audit: Scans @palyra/web for high-severity vulnerabilities .github/workflows/security.yml#30-31. A custom validate-npm-audit-dev-allowlist.mjs script manages dev-dependency exceptions .github/workflows/security.yml#56-63.
- cargo audit/deny: Checks Rust dependencies against the advisory database and enforces license/source policies .github/workflows/security.yml#95-99.
- OSV Scan: Uses the Google OSV scanner for cross-ecosystem vulnerability detection .github/workflows/security.yml#101-104.
- SBOM Generation: Produces CycloneDX Software Bill of Materials for all components .github/workflows/security.yml#131-132.
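One way to gate an npm audit report with a dev-only allowlist, as an added example that is not the project's validate-npm-audit-dev-allowlist.mjs. It assumes the caller supplies the set of dev-only package names (the npm report does not flag this per package), that each allowlist entry names an advisory id with an expiry date, and that only high and critical findings are gated; the report, advisory ids and package names are constructed.

```javascript
// Added example, not the project's validate-npm-audit-dev-allowlist.mjs: gate an
// `npm audit --json` report (auditReportVersion 2) with a dev-only allowlist.
// Assumptions: devPackages is the set of dev-only package names supplied by the caller,
// each allowlist entry carries an advisory id and an expiry date, and an exception can
// never cover a production dependency, so those always fail at high/critical severity.
const GATED = new Set(["high", "critical"]);

// Returns the findings that fail the gate; an empty array means the audit passes.
function evaluateAudit(report, allowlist, devPackages, now = new Date()) {
  const byAdvisory = new Map(allowlist.map((e) => [String(e.advisory), e]));
  const failures = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities ?? {})) {
    if (!GATED.has(vuln.severity)) continue;
    // `via` mixes advisory objects (root cause) with package-name strings (a vulnerable
    // dependency); packages affected only transitively are judged on the cause's entry.
    const advisories = vuln.via.filter((v) => typeof v === "object").map((v) => String(v.source));
    for (const advisory of advisories) {
      const entry = byAdvisory.get(advisory);
      if (!devPackages.has(pkg)) {
        failures.push({ pkg, advisory, reason: "production dependency; allowlist does not apply" });
      } else if (!entry) {
        failures.push({ pkg, advisory, reason: "dev dependency with no allowlist entry" });
      } else if (new Date(entry.expires) <= now) {
        failures.push({ pkg, advisory, reason: `allowlist entry expired on ${entry.expires}` });
      }
    }
  }
  return failures;
}

// Constructed sample report and allowlist; advisory ids and package names are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "dev-tool": { severity: "high", via: [{ source: 1001, name: "dev-tool", title: "ReDoS" }] },
    "prod-lib": { severity: "critical", via: [{ source: 1002, name: "prod-lib", title: "RCE" }] },
    "old-dev-dep": { severity: "high", via: [{ source: 1003, name: "old-dev-dep", title: "Prototype pollution" }] },
    "wrapper": { severity: "high", via: ["dev-tool"] },
    "info-only": { severity: "low", via: [{ source: 1004, name: "info-only", title: "Minor" }] },
  },
};
const SAMPLE_ALLOWLIST = [
  { advisory: 1001, package: "dev-tool", expires: "2099-01-01", reason: "test-only tooling, not shipped" },
  { advisory: 1003, package: "old-dev-dep", expires: "2020-01-01", reason: "temporary exception" },
];
const SAMPLE_DEV_PACKAGES = new Set(["dev-tool", "old-dev-dep", "wrapper"]);

for (const f of evaluateAudit(SAMPLE_REPORT, SAMPLE_ALLOWLIST, SAMPLE_DEV_PACKAGES, new Date("2025-06-01"))) {
  console.log(`${f.pkg} (advisory ${f.advisory}): ${f.reason}`);
}
```

Expiry dates keep exceptions from becoming permanent: the same entry that passes today fails the gate once its date has passed.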
Static Security Analysis
- Gitleaks: Scans the repository for committed secrets using SARIF reporting .github/workflows/security.yml#120-123.
- CodeQL: Performs deep static analysis for Rust, JavaScript/TypeScript, and GitHub Actions .github/workflows/codeql.yml#1-48.
- High-Risk Pattern Scan: A custom script check-high-risk-patterns.sh searches for dangerous code constructs (e.g., unsafe eval or unvalidated shell execution) .github/workflows/security.yml#128-129.