The Palyra CI pipeline is designed to enforce rigorous quality standards across a diverse monorepo containing Rust daemons, a React-based web console, a Tauri desktop application, and multi-language protocol stubs. The workflow utilizes a multi-platform build matrix and specialized quality gates to ensure that security, performance, and protocol integrity are maintained across Ubuntu, macOS, and Windows.

1. CI Workflow (ci.yml)

The primary CI entry point is defined in .github/workflows/ci.yml, which orchestrates building, testing, and linting across the workspace.

Multi-Platform Build/Test Matrix

The build-and-test job executes a matrix strategy across ubuntu-latest, macos-latest, and windows-latest .github/workflows/ci.yml#18-23. This ensures platform parity for core components like palyrad and the CLI. The workflow pins the Rust toolchain to version 1.91.0 and includes rustfmt and clippy components .github/workflows/ci.yml#28-33.

Quality Gates and Enforcement

The quality job enforces coding standards and repository hygiene:
  • Rust Standards: Executes cargo fmt --all --check and cargo clippy --workspace --all-targets -- -D warnings .github/workflows/ci.yml#207-212.
  • Repository Hygiene: Runs custom scripts to ensure GitHub Actions are pinned to specific SHAs (check-gh-actions-pinned.sh), no vendored artifacts are committed (check-no-vendored-artifacts.sh), and local-only files are not tracked (check-local-only-tracked-files.sh) .github/workflows/ci.yml#179-190.
  • Vite+ (vp) Web CI: Uses the vp check command to validate the web console, desktop UI, and browser extension .github/workflows/ci.yml#204-205.
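
The SHA-pinning gate named in the Repository Hygiene item can be sketched as follows. This is an added example, not Palyra's check-gh-actions-pinned.sh; the function names, the sample workflow, and the rules for what counts as pinned (full 40-character commit SHA, or a sha256 digest for docker:// references, with local ./ actions exempt) are assumptions.

```shell
#!/bin/sh
# Added example (not Palyra's check-gh-actions-pinned.sh): report `uses:` refs in a
# workflow that are not pinned to an immutable ref. The rules are assumptions.

# is_hex STRING LENGTH: succeeds if STRING is exactly LENGTH lowercase hex digits.
is_hex() {
  [ "${#1}" -eq "$2" ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
}

# Reads workflow YAML on stdin; prints "<line>: <ref>" for each unpinned reference.
find_unpinned_actions() {
  # grep -n keeps the line number; commented-out `uses:` lines do not match.
  grep -nE '^[[:space:]]*(-[[:space:]]+)?uses:' |
  sed -E "s/^([0-9]+):[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*[\"']?([^[:space:]\"'#]*).*/\1 \3/" |
  while read -r n ref; do
    case $ref in
      ./*) continue ;;   # local action, versioned with the repository itself
      docker://*@sha256:*) if is_hex "${ref##*@sha256:}" 64; then continue; fi ;;
      docker://*) ;;     # image tag only: mutable, so report it
      *@*) if is_hex "${ref##*@}" 40; then continue; fi ;;   # full commit SHA
    esac
    printf '%s: %s\n' "$n" "$ref"
  done
}

# Constructed sample workflow; the SHA and action names are placeholders.
sample_workflow() {
  cat <<'EOF'
jobs:
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - name: Local composite action
        uses: ./.github/actions/setup
      - uses: example-org/example-action@main
      # - uses: example-org/disabled@v1
      - uses: docker://alpine:3.20
EOF
}

sample_workflow | find_unpinned_actions
```

A CI gate built on this would fail the job whenever the function prints anything, since tags and branch names can be moved to different commits after review.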

Specialized Test Suites

Beyond standard unit tests, CI executes several high-assurance suites:
  • Deterministic Core: A suite of tests in scripts/test/run-deterministic-core.sh that validates state initialization, OAuth flows, and gRPC routing with predictable outcomes .github/workflows/ci.yml#120-122.
  • Workflow Regression: Validates end-to-end agentic workflows using scripts/test/run-workflow-regression.sh .github/workflows/ci.yml#135-136.
  • CLI Parity: Generates and validates a CLI parity report to ensure command consistency across platforms .github/workflows/ci.yml#225-230.

CI Execution Flow

Sources: .github/workflows/ci.yml#1-172, .github/workflows/ci.yml#213-230, scripts/test/run-deterministic-core.sh#1-20

2. Protocol Contract Validation

Palyra maintains strict coherence between Protobuf definitions and generated language stubs. This is enforced via the protocol-validate and protocol-generate targets. The validation logic ensures:
  1. Protobuf schemas in schemas/proto/ are syntactically correct Makefile#23-24.
  2. Generated Rust stubs are up-to-date and match the schema Makefile#32.
  3. JSON envelope schemas remain compatible with the core engine Makefile#29-31.

Protocol Coherence Pipeline

Sources: Makefile#23-33, justfile#97-107

3. Security Gates and Supply Chain

The security.yml workflow provides a secondary layer of defense focusing on the supply chain and secret detection.

Sources: .github/workflows/security.yml#1-156, Makefile#56-62

4. Local Quality Gates (Pre-push)

To reduce CI failure cycles, Palyra provides a local pre-push hook and a validation script scripts/run-pre-push-checks.sh.

Profiles

The script supports two execution profiles via the PALYRA_PRE_PUSH_PROFILE environment variable scripts/run-pre-push-checks.sh#5:
  1. Fast Profile: Includes rustfmt, vp check, deterministic core smoke tests, and high-risk pattern scans scripts/run-pre-push-checks.sh#49-69.
  2. Full Profile: Adds clippy, the complete workspace test suite, workflow regressions, and protocol schema validation scripts/run-pre-push-checks.sh#71-102.

The .githooks/pre-push script automatically triggers these checks before any git push .githooks/pre-push#1-4.

Local vs. Remote Gate Comparison

| Feature             | Pre-push (Fast) | CI (ci.yml) | Security (security.yml) |
|---------------------|-----------------|-------------|-------------------------|
| Rustfmt / Lint      | Yes             | Yes         | No                      |
| Multi-OS Matrix     | No (Local only) | Yes         | No (Linux only)         |
| Protocol Validation | No              | Yes         | No                      |
| Deterministic Core  | Yes             | Yes         | No                      |
| Cargo Audit / Deny  | No              | No          | Yes                     |
| Gitleaks            | No              | No          | Yes                     |
| SBOM Generation     | No              | No          | Yes                     |

Sources: scripts/run-pre-push-checks.sh#1-123, .githooks/pre-push#1-4, Makefile#126-130