vp (Vite+) toolchain, protocol contract consistency, and deterministic behavior of the core daemon.
CI Workflow Architecture
The primary CI entry point is defined in ci.yml, which orchestrates a multi-platform build matrix and specialized validation suites.
Multi-Platform Build Matrix
The build-and-test job executes on ubuntu-latest, macos-latest, and windows-latest .github/workflows/ci.yml#17-23. This matrix ensures that platform-specific logic, such as the palyra-vault filesystem backends and the palyra-browserd gRPC service, remains functional across all supported targets.
Quality and Formatting Gates
The quality job enforces project standards before any tests are executed:
- Action Pinning: Validates that all GitHub Actions use SHA-256 hashes instead of mutable tags .github/workflows/ci.yml#179-180.
- Artifact Hygiene: Ensures no vendored binaries or local-only tracked files are committed .github/workflows/ci.yml#182-189.
- Toolchain Linting: Runs rustfmt and clippy (with -D warnings) across the entire workspace .github/workflows/ci.yml#207-211.
- Frontend Validation: Uses the vp check command to validate apps/web, apps/desktop/ui, and apps/browser-extension .github/workflows/ci.yml#204-205.
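As an added example (not the project's own ci.yml step), a POSIX shell gate that applies the action-pinning rule above to a workflow file: every uses: reference must carry a full commit SHA or image digest, local ./ actions excepted. The function names, the sample workflow and its SHA/digest values are constructed placeholders, not anything from the project.

```shell
#!/usr/bin/env bash
# Added example, not the project's own action-pinning gate: fail when a
# workflow references an action by a mutable tag or branch (v4, stable)
# instead of an immutable commit SHA (or, for docker:// images, a digest).
set -euo pipefail

# list_unpinned_actions FILE: print every `uses:` reference that is neither
# a local action (./path, versioned with the repo) nor pinned to a full
# commit SHA (40-hex SHA-1 or 64-hex SHA-256) or a sha256: image digest.
list_unpinned_actions() {
    grep -E '^[[:space:]-]*uses:' "$1" \
        | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]+$//' \
        | tr -d "\"'" \
        | grep -v '^\./' \
        | grep -vE '@(sha256:)?([0-9a-f]{40}|[0-9a-f]{64})$' || true
}

# check_action_pins FILE: CI gate wrapper; lists offenders on stderr and
# returns 1 (failing the job) if any were found, 0 otherwise.
check_action_pins() {
    local offenders
    offenders=$(list_unpinned_actions "$1")
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | sed "s|^|unpinned action in $1: |" >&2
    return 1
}

# Constructed sample workflow: three acceptable steps, two mutable refs.
# The SHA and digest are placeholders, not real upstream commits/images.
write_sample_workflow() {
    cat >"$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v4
      - name: Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - uses: ./.github/actions/local-setup
      - uses: "actions/cache@v4"
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}

# Stand-alone demo (--demo): shows the gate rejecting the two unpinned
# references in the sample workflow.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_workflow "$tmp"
    check_action_pins "$tmp" || echo "gate failed as expected"
    rm -f "$tmp"
fi
```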
Specialized Test Suites
Beyond standard unit tests, the CI pipeline runs several specialized regression and performance suites to validate complex system behaviors.
Deterministic Core Suite
This suite targets components where non-determinism could lead to state corruption or protocol drift. It is executed via scripts/test/run-deterministic-core.sh .github/workflows/ci.yml#120-121. Key areas include:
- Journal Store Consistency: Validates that the SQLite-based JournalStore maintains hash-chain integrity across compaction cycles.
- Session Compaction: Specifically tests session_compaction_apply_persists_durable_writes_and_quality_gates to ensure that partial failures trigger correct rollbacks scripts/test/run-workflow-regression.sh#46-47.
Workflow Regression Matrix
The workflow regression suite validates the high-level coordination between the CLI, the daemon, and external connectors scripts/test/run-workflow-regression.sh#4-51.
- CLI Wizard: Validates the palyra setup --wizard non-interactive flows crates/palyra-cli/tests/installed_smoke.rs#167-194.
- ACP Shim: Ensures the cli_v1_acp_shim remains compatible with legacy Agent Control Protocol implementations scripts/test/run-workflow-regression.sh#49.
- Discord Gateway: A “soak” test validates that Discord gateway reconnect cycles remain stable under load scripts/test/run-deterministic-soak.sh#37.
CLI Parity Acceptance
The cli-parity job generates a report comparing the current CLI implementation against a requirements matrix .github/workflows/ci.yml#225-226. It runs render_cli_parity_report to produce cli-parity-acceptance-matrix.md and validates help snapshots to prevent command-line interface drift .github/workflows/ci.yml#229-231.
Sources: .github/workflows/ci.yml#89-122, .github/workflows/ci.yml#213-231, scripts/test/run-workflow-regression.sh#40-51, scripts/test/run-deterministic-soak.sh#1-41
Security Gates and Supply Chain
Security validation is decoupled into a dedicated security.yml workflow to allow for more intensive scanning without slowing down the primary feedback loop.
Dependency and Secret Scanning
- Rust Audit: Uses cargo-audit and cargo-deny to check for CVEs and license violations in the Rust crate graph .github/workflows/security.yml#95-99.
- NPM Audit: Validates the apps/web dependency tree, utilizing a custom allowlist (npm-audit-dev-allowlist.json) to manage known dev-dependency vulnerabilities that do not impact the production bundle .github/workflows/security.yml#30-64.
- Secret Scanning: gitleaks scans the repository history for accidentally committed credentials or keys .github/workflows/security.yml#120-124.
- CodeQL: Performs static analysis for Rust, JavaScript/TypeScript, and GitHub Actions to identify high-risk code patterns .github/workflows/codeql.yml#19-48.
Artifact Integrity
The pipeline generates a Software Bill of Materials (SBOM) in CycloneDX format for every build .github/workflows/security.yml#131-132. It also includes a high-risk-pattern-scan via scripts/check-high-risk-patterns.sh to catch forbidden coding patterns (e.g., unsafe blocks in non-core crates) .github/workflows/security.yml#128-129.
Sources: .github/workflows/security.yml#11-156, .github/workflows/codeql.yml#1-48
Installation and Release Smoke Tests
Before a release is finalized, the CI performs “smoke tests” on the actual portable archives.
CLI Install Smoke
This test executes the compiled palyra binary within a cleanroom environment to simulate a fresh installation crates/palyra-cli/tests/installed_smoke.rs#17-36.
- Context Isolation: New-ScenarioContext creates isolated directories for HOME, XDG_STATE_HOME, and PALYRA_CONFIG scripts/test/run-cli-install-smoke.ps1#41-83.
- Command Validation: Validates that palyra doctor, palyra config validate, and palyra update --dry-run function correctly when the binary is moved outside the build directory crates/palyra-cli/tests/installed_smoke.rs#69-148.
Release Metadata Assertion
The release workflow (release.yml) includes an assert-version-coherence.ps1 check. This ensures that the versions recorded in Cargo.toml and package.json and the git tag are perfectly synchronized before any artifacts are published .github/workflows/release.yml#41-65.
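An added example of the same coherence rule in POSIX shell (this is not the project's assert-version-coherence.ps1): it reads the [package] version from Cargo.toml and the top-level version from package.json, normalises a vX.Y.Z tag, and fails unless all three agree. The function names and the Cargo.toml and package.json fixtures are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not the project's assert-version-coherence.ps1: a POSIX
# shell form of the same release gate. The crate version (Cargo.toml), the
# package version (package.json) and the git tag must all name one version
# before anything is published; otherwise a stale manifest ships under a
# tag that claims a different version.
set -euo pipefail

# cargo_version CARGO_TOML: the version of the [package] table only, so a
# `version = "1.0"` under [dependencies] is never picked up by mistake.
cargo_version() {
    awk -F'"' '/^\[/ {sec=$0} sec=="[package]" && /^version[[:space:]]*=/ {print $2; exit}' "$1"
}

# npm_version PACKAGE_JSON: the top-level "version" field (first match;
# dependency maps in package.json carry ranges, not "version" keys).
npm_version() {
    sed -nE 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p' "$1" | head -n 1
}

# tag_version TAG: release tags are expected as vX.Y.Z; drop the prefix.
tag_version() {
    printf '%s\n' "${1#v}"
}

# assert_version_coherence CARGO_TOML PACKAGE_JSON TAG: 0 when all three
# agree, 1 with a diagnostic on stderr otherwise (fails the release job).
assert_version_coherence() {
    local c n t
    c=$(cargo_version "$1"); n=$(npm_version "$2"); t=$(tag_version "$3")
    if [ -z "$c" ] || [ -z "$n" ]; then
        echo "could not read a version from $1 or $2" >&2; return 1
    fi
    if [ "$c" != "$n" ] || [ "$c" != "$t" ]; then
        printf 'version mismatch: Cargo.toml=%s package.json=%s tag=%s\n' "$c" "$n" "$t" >&2
        return 1
    fi
    echo "versions coherent: $c"
}

# write_fixtures CARGO_TOML PACKAGE_JSON: constructed manifests, not the
# project's real ones, both at 1.4.0.
write_fixtures() {
    printf '[package]\nname = "demo"\nversion = "1.4.0"\n\n[dependencies]\nserde = { version = "1.0" }\n' >"$1"
    printf '{\n  "name": "web",\n  "version": "1.4.0",\n  "dependencies": { "react": "^18.0.0" }\n}\n' >"$2"
}
```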
Sources: crates/palyra-cli/tests/installed_smoke.rs#1-148, scripts/test/run-cli-install-smoke.ps1#1-223, .github/workflows/release.yml#30-119