The Palyra CI pipeline is designed to enforce cross-platform correctness, protocol stability, and security across a complex monorepo containing Rust daemons, a React web console, and a Tauri desktop application. The strategy transitions from deterministic unit tests to full workflow regression and installed binary smoke tests.

Pipeline Architecture

The CI workflow is orchestrated through GitHub Actions, utilizing a matrix strategy to ensure compatibility across ubuntu-latest, macos-latest, and windows-latest (.github/workflows/ci.yml#18-23). The pipeline is divided into specialized suites that target different layers of the system.

Core Workflow Components

| Job Name | Purpose | Key Tools/Scripts |
|---|---|---|
| build-and-test | Standard workspace-wide build and unit testing. | cargo build, cargo test |
| deterministic-core | Validates critical paths (auth, gRPC, state) using fixed seeds. | scripts/test/run-deterministic-core.sh |
| workflow-regression | End-to-end simulation of agent runs and CLI wizards. | scripts/test/run-workflow-regression.sh |
| cli-parity | Ensures CLI commands match documented snapshots. | palyra-cli --example render_cli_parity_report |
| quality | Enforces linting, formatting, and artifact hygiene. | clippy, rustfmt, vp check |

CI Data Flow & Dependency Graph

The following diagram illustrates how the CI pipeline processes the codebase from source to validated artifacts.

[Diagram: CI Execution Flow]

Sources: .github/workflows/ci.yml#16-137, .github/actions/setup-vp-safe/action.yml#17-42, scripts/test/run-deterministic-core.ps1#1-36

Deterministic Core Suite

The deterministic-core suite targets the palyrad (daemon) and palyra-desktop logic. It uses fixed fixtures to ensure that state transitions, such as session bootstrapping and gRPC message routing, remain consistent across versions (scripts/test/run-deterministic-core.ps1#13-36).

Key Test Targets

Sources: scripts/test/run-deterministic-core.ps1#1-36, .github/workflows/ci.yml#89-122

Workflow Regression & Protocol Validation

The workflow regression suite simulates high-level user journeys. It validates the interaction between the palyra-cli and palyrad using the workflow_regression_matrix (scripts/test/run-workflow-regression.sh#42-51).

Components Tested

Sources: scripts/test/run-workflow-regression.sh#1-51, scripts/test/run-workflow-regression.ps1#1-20

CLI Install Smoke Testing

The installed_smoke tests represent the final gate before release. Unlike standard unit tests, these execute against a fully packaged binary in a simulated production environment (crates/palyra-cli/tests/installed_smoke.rs#39-56).

Smoke Test Scenario (InstallSmokeContext)

The InstallSmokeContext struct manages a temporary environment including an install_root, config_path, and state_root (crates/palyra-cli/tests/installed_smoke.rs#17-22). The run-cli-install-smoke.ps1 script automates the creation of these scenarios, redacting sensitive output and verifying exit codes (scripts/test/run-cli-install-smoke.ps1#41-83).

[Diagram: CI Smoke Test Entity Map]

Sources: crates/palyra-cli/tests/installed_smoke.rs#17-56, scripts/test/run-cli-install-smoke.ps1#85-101, crates/palyra-cli/tests/support/cli_harness.rs#1-12
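
The pattern described above (a throwaway install root, config path and state root, with output redacted and the exit code checked), as an added shell sketch. It is not Palyra's run-cli-install-smoke script; the function names, the SMOKE_* variables, the redaction patterns and the clean-environment step are assumptions.

```bash
#!/usr/bin/env bash
# Added sketch, not Palyra's run-cli-install-smoke script.
# Hypothetical names: redact, smoke_run, SMOKE_CONFIG, SMOKE_STATE_ROOT.

# Mask credential-looking values before output reaches the CI log.
# The Bearer rule runs first so "token: Bearer <value>" is fully masked.
redact() {
  sed -E \
    -e 's/(Bearer[[:space:]]+)[^[:space:]]+/\1<redacted>/g' \
    -e 's/(([Tt]oken|[Ss]ecret|[Pp]assword|[Aa]pi[_-]?[Kk]ey)[[:space:]]*[=:][[:space:]]*)[^[:space:]"]+/\1<redacted>/g'
}

# smoke_run EXPECTED_EXIT CMD [ARGS...]
# Runs CMD against a throwaway install root, config path and state root,
# prints its redacted output, and returns 0 only on the expected exit code.
smoke_run() {
  local expected="$1" root out status=0
  shift
  root="$(mktemp -d)" || return 2
  mkdir -p "$root/install/bin" "$root/state"
  : > "$root/config.toml"
  # Assumption: start from an empty environment so runner secrets (for
  # example a CI token) are never inherited by the binary under test.
  out="$(env -i PATH="$root/install/bin:$PATH" HOME="$root" \
        SMOKE_CONFIG="$root/config.toml" SMOKE_STATE_ROOT="$root/state" \
        "$@" 2>&1)" || status=$?
  rm -rf "$root"
  printf '%s\n' "$out" | redact
  if [ "$status" -ne "$expected" ]; then
    echo "smoke: exit code $status, expected $expected" >&2
    return 1
  fi
}

# Constructed sample command standing in for the installed CLI.
smoke_run 0 sh -c 'echo "loaded config"; echo "token=constructed-sample-value"'
```

Redaction is applied to the captured output before anything is printed, so a failing run still cannot write the raw value to the job log.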

Toolchain: Vite+ (vp)

Palyra uses a custom toolchain wrapper called Vite+ (vp) to manage the polyglot nature of the repository. The setup-vp-safe composite action ensures that the vp CLI is available on the PATH and that workspace dependencies are installed deterministically (.github/actions/setup-vp-safe/action.yml#34-42).

Sources: .github/actions/setup-vp-safe/action.yml#1-42, .github/workflows/ci.yml#197-205

Security Gates & Supply Chain

Security is integrated into the CI pipeline via the security.yml workflow, which runs in parallel with functional tests (.github/workflows/security.yml#1-11).

Security Checks

  1. Secret Scanning: Uses gitleaks to detect committed credentials (.github/workflows/security.yml#120-124).
  2. Vulnerability Scanning: Employs cargo audit, osv-scanner, and npm audit (.github/workflows/security.yml#95-105).
  3. SBOM Generation: Produces a CycloneDX Software Bill of Materials using cargo cyclonedx (.github/workflows/security.yml#131-133).
  4. Static Analysis: Weekly CodeQL scans for Rust, JavaScript/TypeScript, and GitHub Actions (.github/workflows/codeql.yml#19-25).
Sources: .github/workflows/security.yml#1-156, .github/workflows/codeql.yml#1-48