Flip both CI gates from informational to hard-fail (SPEC-001 quality gates):
- clippy: `-- -D warnings` on the server crate. Cleared the debt via clippy --fix
(unused imports/style), targeted #[allow(dead_code)] on native-remote-control
future API, and #[allow(clippy::too_many_arguments)] on 3 protocol-mirroring fns.
- cargo audit: hard-fail with documented per-ID --ignore flags (rsa RUSTSEC-2023-0071
unfixable/unreachable in active tree; gtk-rs + glib Linux-only tray backend not
compiled into the Windows agent; proc-macro-error build-time). New advisories fail.
- Move [profile.release] to the workspace root (it was silently ignored in the server
member), activating lto/codegen-units/strip.
No behavioral changes. Reviewed and gates verified passing on the build host.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jsign 7.1 signs guruconnect.exe successfully via Azure Trusted Signing, but the separate
verify step called `jsign --info` (not a real jsign subcommand) and wrongly failed the job.
jsign's non-zero exit under `set -euo pipefail` already gates signing fail-closed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jsign 6.0 lacks the TRUSTEDSIGNING keystore type (only AZUREKEYVAULT); Azure Trusted
Signing support requires jsign >= 7.0. 7.1 matches /usr/share/jsign on the build host.
Fixes the release sign-and-publish step.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Windows agent jobs (build-and-test + release): set PROTOC env + add protoc to PATH
(prost-build needs it; the runner did not inherit the machine env), and fix the artifact
path to the workspace-root target/ (Cargo workspace, not agent/target/).
- Commit root Cargo.lock (was missing) -> fixes `cargo audit` (Couldn't load Cargo.lock) and
makes builds reproducible.
- Security audit is now a single workspace-root `cargo audit`, informational (warn-only) like
clippy; re-tighten in the GC re-spec.
- Remove test.yml: redundant with build-and-test and broken (`no library targets` — server is
a binary crate).
Native MSVC agent build verified on the Pluto runner (4m20s, clean compile).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Allow manual re-runs of the CI gate without a dummy commit (useful while
provisioning the Pluto windows-msvc runner). Also re-triggers the run.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The build-agent job (build-and-test.yml) and a new build-agent-windows job (release.yml)
now run on the windows-msvc Gitea Actions runner on Pluto, building native
x86_64-pc-windows-msvc with crt-static. release.yml hands the unsigned guruconnect.exe to
the Linux job, which signs it with Azure Trusted Signing (jsign). Removes the fragile
mingw/GNU cross-compile. Reviewed by Code Review Agent (approve-with-nits).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The pre-spec server has ~65 clippy lints (no compile errors), mostly dead-code
for API the native-remote-control integration will wire. Keep clippy running for
visibility but stop gating on it; fmt stays strict. Re-tighten to -D warnings
during the GC re-spec.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
.cargo/config.toml defaults to x86_64-pc-windows-msvc for local Windows dev,
which made the CI clippy/test steps (no explicit --target) try to compile for
an uninstalled cross target (E0463 can't find crate for core). Set
CARGO_BUILD_TARGET=x86_64-unknown-linux-gnu for the build-server job.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Release builds (auto-versioning + Azure Trusted Signing + Gitea release) no longer
run on every push to main; trigger deliberately via workflow_dispatch. build-and-test.yml
remains the automatic PR/push CI gate.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
