CI Pipeline and Quality Gates

The Palyra CI pipeline is a multi-layered validation system designed to ensure code quality, security hygiene, and cross-platform functional parity. Orchestrated via GitHub Actions, the pipeline integrates static analysis, deterministic test suites, and regression matrices to maintain the integrity of the 18-crate Rust workspace and its associated TypeScript applications.

Workflow Orchestration

The primary entry point for continuous integration is ci.yml, which executes on every pull request and push to the main branch .github/workflows/ci.yml#3-7. It defines a matrix of operating systems (ubuntu-latest, macos-latest, windows-latest) to ensure compatibility across the three primary target platforms .github/workflows/ci.yml#22-23.

Pipeline Stages

Stage	Description	Key Commands/Scripts
Quality	Enforces formatting, linting, and artifact hygiene.	`cargo fmt`, `cargo clippy`, `vp check` .github/workflows/ci.yml#204-211
Build & Test	Standard compilation and unit testing across the OS matrix.	`cargo build`, `cargo test` .github/workflows/ci.yml#45-50
Deterministic Core	Executes high-fidelity integration tests with pinned fixtures.	`run-deterministic-core.sh` .github/workflows/ci.yml#121
Workflow Regression	Validates complex state machine transitions and CLI flows.	`run-workflow-regression.sh` .github/workflows/ci.yml#136
CLI Parity	Ensures the CLI command tree matches the defined parity matrix.	`render_cli_parity_report` .github/workflows/ci.yml#226

Pipeline Data Flow The following diagram illustrates the flow of a commit through the CI pipeline. Title: CI Pipeline Execution Flow Sources: .github/workflows/ci.yml#16-235, scripts/test/run-deterministic-core.sh#1-20

Deterministic Test Suites

Palyra utilizes deterministic test suites to prevent flakiness in complex subsystems like the gRPC gateway and session orchestrator. These tests rely on pinned fixtures and fake adapters to simulate external dependencies.

Core Suite (`run-deterministic-core.ps1`)

This suite targets critical path logic in the daemon and desktop applications:

State Initialization: Validates that state_file_initialization_seeds_onboarding_defaults creates correct initial conditions scripts/test/run-deterministic-core.ps1#17.
Gateway gRPC: Tests grpc_route_message_with_fake_adapter_emits_reply_and_journal_events to ensure the message pipeline correctly updates the JournalStore scripts/test/run-deterministic-core.ps1#26-27.
Web Integration: Uses npm run web:test to validate the ConsoleApiClient against expected backend responses scripts/test/run-deterministic-core.ps1#30-35.

Soak Suite (`run-deterministic-soak.sh`)

Designed to detect stability issues over repeated cycles:

Connector Stability: gateway_envelope_reconnect_resume_cycles_remain_stable_under_soak tests the Discord connector’s resilience scripts/test/run-deterministic-soak.sh#37.
Accounting Integrity: repeated_dead_letter_recovery_cycles_keep_queue_accounting_stable ensures the ConnectorSupervisor doesn’t leak state scripts/test/run-deterministic-soak.sh#38.

Sources: scripts/test/run-deterministic-core.ps1#1-36, scripts/test/run-deterministic-soak.sh#1-41

CLI Parity and Regression Matrix

The CLI serves as the primary interface for many users, necessitating strict command structure enforcement.

CLI Parity Acceptance

CI runs an example utility render_cli_parity_report which compares the current CLI implementation against cli_parity_matrix.toml .github/workflows/ci.yml#226. This ensures that every command documented in the spec is implemented and that its help output remains consistent via help_snapshots .github/workflows/ci.yml#229.

Workflow Regression Matrix

The run-workflow-regression.sh script executes complex multi-step scenarios, such as:

Session Compaction: session_compaction_apply_persists_durable_writes_and_quality_gates validates that the Phase 4 compaction logic correctly updates the JournalStore scripts/test/run-workflow-regression.sh#46.
ACP Shim: cli_v1_acp_shim ensures the Agent Control Protocol bridge maintains protocol compatibility scripts/test/run-workflow-regression.sh#49.

Title: CLI Validation Components Sources: .github/workflows/ci.yml#213-230, scripts/test/run-workflow-regression.sh#42-50

Security Gates and Hygiene

The security.yml workflow implements a “Defense in Depth” approach to the supply chain and runtime artifacts .github/workflows/security.yml#1-12.

Supply Chain Validation

Rust Auditing: Uses cargo audit to check for CVEs in the dependency graph and cargo deny to enforce license policies and ban unauthorized crates .github/workflows/security.yml#95-99.
NPM Auditing: Runs npm audit with a custom validate-npm-audit-dev-allowlist.mjs script. This allows the team to explicitly acknowledge vulnerabilities in devDependencies while blocking any “High” or “Critical” issues in runtime dependencies .github/workflows/security.yml#30-64.
SBOM Generation: Produces a Software Bill of Materials in CycloneDX format using cargo cyclonedx .github/workflows/security.yml#131-132.

Static Analysis and Secret Scanning

Gitleaks: Scans the repository for committed secrets using SARIF reporting .github/workflows/security.yml#120-123.
CodeQL: Performs deep semantic analysis of the Rust and TypeScript codebases to identify patterns like SSRF or unsafe memory usage .github/workflows/codeql.yml#19-48.
High-Risk Pattern Scan: A custom check-high-risk-patterns.sh script looks for prohibited code patterns (e.g., hardcoded credentials or bypassed security checks) .github/workflows/security.yml#128-129.

Artifact Hygiene

The pipeline enforces strict rules on what can be checked into the repository:

GitHub Actions Pinning: check-gh-actions-pinned.sh ensures all actions use a full SHA instead of a mutable tag .github/workflows/ci.yml#179-180.
No Vendored Artifacts: check-no-vendored-artifacts.sh prevents binary blobs from being committed .github/workflows/ci.yml#182-183.

Sources: .github/workflows/security.yml#1-156, .github/workflows/ci.yml#179-190, .github/workflows/codeql.yml#1-48

Install and Release Smoke Tests

Before a release is finalized, the release.yml workflow triggers an extensive smoke test to ensure the portable packages are functional.

CLI Install Smoke

The run-cli-install-smoke.ps1 script creates a clean-room environment to test the installed binary scripts/test/run-cli-install-smoke.ps1#41-83.

Scenario Context: It sets up isolated directories for PALYRA_CONFIG, PALYRA_STATE_ROOT, and PALYRA_VAULT_DIR scripts/test/run-cli-install-smoke.ps1#91-101.
Baseline Commands: Validates that the installed binary can execute version, doctor, and protocol version crates/palyra-cli/tests/installed_smoke.rs#69-84.
Lifecycle Flows: Tests non-interactive setup and onboarding wizard flows to ensure the application can be bootstrapped from scratch crates/palyra-cli/tests/installed_smoke.rs#151-194.

Version Coherence

The assert-version-coherence.ps1 script is called during the release preparation to ensure that all 18 crates in the workspace share the exact same version string, preventing partial or mismatched releases .github/workflows/release.yml#45. Sources: scripts/test/run-cli-install-smoke.ps1#1-101, crates/palyra-cli/tests/installed_smoke.rs#1-194, .github/workflows/release.yml#29-65

​Workflow Orchestration

​Pipeline Stages

​Deterministic Test Suites

​Core Suite (run-deterministic-core.ps1)

​Soak Suite (run-deterministic-soak.sh)

​CLI Parity and Regression Matrix

​CLI Parity Acceptance

​Workflow Regression Matrix

​Security Gates and Hygiene

​Supply Chain Validation

​Static Analysis and Secret Scanning

​Artifact Hygiene

​Install and Release Smoke Tests

​CLI Install Smoke

​Version Coherence