Merge branch 'main' into feat/webchat-reactions

Author: jamiepine

.github/workflows/interface-ci.yml

@@ -0,0 +1,40 @@
+name: Interface CI
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "interface/**"
+      - ".github/workflows/interface-ci.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "interface/**"
+      - ".github/workflows/interface-ci.yml"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: interface-ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  quality:
+    name: Interface Quality
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        working-directory: interface
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: "1.3"
+
+      - name: Install dependencies
+        run: bun ci
+
+      - name: Typecheck
+        run: bunx tsc --noEmit

.github/workflows/release.yml

@@ -115,27 +115,15 @@ jobs:
         id: platform
         run: echo "pair=$(echo ${{ matrix.platform }} | tr '/' '-')" >> "$GITHUB_OUTPUT"
 
-      - name: Build and push slim
+      - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: .
-          target: slim
           platforms: ${{ matrix.platform }}
           push: true
-          tags: ${{ env.IMAGE }}:slim-${{ steps.platform.outputs.pair }}
-          cache-from: type=gha,scope=slim-${{ steps.platform.outputs.pair }}
-          cache-to: type=gha,mode=max,scope=slim-${{ steps.platform.outputs.pair }}
-
-      - name: Build and push full
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          target: full
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: ${{ env.IMAGE }}:full-${{ steps.platform.outputs.pair }}
-          cache-from: type=gha,scope=full-${{ steps.platform.outputs.pair }}
-          cache-to: type=gha,mode=max,scope=full-${{ steps.platform.outputs.pair }}
+          tags: ${{ env.IMAGE }}:build-${{ steps.platform.outputs.pair }}
+          cache-from: type=gha,scope=build-${{ steps.platform.outputs.pair }}
+          cache-to: type=gha,mode=max,scope=build-${{ steps.platform.outputs.pair }}
 
   merge-docker:
     needs: build-docker
@@ -155,22 +143,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Create slim multi-arch manifest
-        run: |
-          docker buildx imagetools create \
-            --tag ${{ env.IMAGE }}:${{ needs.build-docker.outputs.version }}-slim \
-            --tag ${{ env.IMAGE }}:slim \
-            ${{ env.IMAGE }}:slim-linux-amd64 \
-            ${{ env.IMAGE }}:slim-linux-arm64
-
-      - name: Create full multi-arch manifest
+      - name: Create multi-arch manifest
         run: |
           docker buildx imagetools create \
-            --tag ${{ env.IMAGE }}:${{ needs.build-docker.outputs.version }}-full \
-            --tag ${{ env.IMAGE }}:full \
+            --tag ${{ env.IMAGE }}:${{ needs.build-docker.outputs.version }} \
             --tag ${{ env.IMAGE }}:latest \
-            ${{ env.IMAGE }}:full-linux-amd64 \
-            ${{ env.IMAGE }}:full-linux-arm64
+            ${{ env.IMAGE }}:build-linux-amd64 \
+            ${{ env.IMAGE }}:build-linux-arm64
 
       - name: Log in to Fly registry
         if: github.repository_owner == 'spacedriveapp'

AGENTS.md

@@ -10,6 +10,17 @@ Single binary. No server dependencies. Runs on tokio. All data lives in embedded
 
 **Stack:** Rust (edition 2024), tokio, Rig (v0.30.0, agentic loop framework), SQLite (sqlx), LanceDB (embedded vector + FTS), redb (embedded key-value).
 
+## JavaScript Tooling (Critical)
+
+- For UI work in `spacebot/interface/`, use `bun` for all JS/TS package management and scripts.
+- **NEVER** use `npm`, `pnpm`, or `yarn` in this repo unless the user explicitly asks for one.
+- Standard commands:
+  - `bun install`
+  - `bun run dev`
+  - `bun run build`
+  - `bun run test`
+  - `bunx <tool>` (instead of `npx <tool>`)
+
 ## Migration Safety
 
 - **NEVER edit an existing migration file in place** once it has been committed or applied in any environment.

Cargo.lock

@@ -61,6 +61,7 @@ notify = "7"
 # Cryptography (for secrets)
 aes-gcm = "0.10"
 sha2 = "0.10"
+argon2 = "0.5"
 rand = "0.9"
 
 # UUID generation
@@ -131,7 +132,7 @@ arrow-array = "57.3.0"
 arrow-schema = "57.3.0"
 
 # Browser automation
-chromiumoxide = { version = "0.8", features = ["tokio-runtime"], default-features = false }
+chromiumoxide = { version = "0.8", features = ["tokio-runtime", "_fetcher-rustls-tokio"], default-features = false }
 chromiumoxide_cdp = "0.8"
 
 # Templating for prompts
@@ -165,6 +166,10 @@ unimplemented = "deny"
 [dev-dependencies]
 tokio-test = "0.4"
 
+# OS keystore (macOS Keychain for master key storage)
+[target.'cfg(target_os = "macos")'.dependencies]
+security-framework = "3"
+
 [profile.release]
 lto = "thin"
 strip = true

Cargo.toml

@@ -43,38 +43,21 @@ RUN SPACEBOT_SKIP_FRONTEND_BUILD=1 cargo build --release \
     && mv /build/target/release/spacebot /usr/local/bin/spacebot \
     && cargo clean -p spacebot --release --target-dir /build/target
 
-# ---- Slim stage ----
-# Minimal runtime with just the binary. No browser.
-FROM debian:bookworm-slim AS slim
+# ---- Runtime stage ----
+# Minimal runtime with Chrome runtime libraries for fetcher-downloaded Chromium.
+# Chrome itself is downloaded on first browser tool use and cached on the volume.
+FROM debian:bookworm-slim
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     libsqlite3-0 \
     curl \
     gh \
     bubblewrap \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY --from=builder /usr/local/bin/spacebot /usr/local/bin/spacebot
-COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh
-
-ENV SPACEBOT_DIR=/data
-ENV SPACEBOT_DEPLOYMENT=docker
-EXPOSE 19898 18789
-
-HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
-    CMD curl -f http://localhost:19898/api/health || exit 1
-
-ENTRYPOINT ["docker-entrypoint.sh"]
-CMD ["spacebot", "start", "--foreground"]
-
-# ---- Full stage ----
-# Slim + Chromium for browser workers.
-FROM slim AS full
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    chromium \
+    openssh-server \
+    # Chrome runtime dependencies — required whether Chrome is system-installed
+    # or downloaded by the built-in fetcher. The fetcher provides the browser
+    # binary; these are the shared libraries it links against.
     fonts-liberation \
     libnss3 \
     libatk-bridge2.0-0 \
@@ -91,5 +74,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libxtst6 \
     && rm -rf /var/lib/apt/lists/*
 
-ENV CHROME_PATH=/usr/bin/chromium
-ENV CHROME_FLAGS="--no-sandbox --disable-dev-shm-usage --disable-gpu"
+COPY --from=builder /usr/local/bin/spacebot /usr/local/bin/spacebot
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENV SPACEBOT_DIR=/data
+ENV SPACEBOT_DEPLOYMENT=docker
+EXPOSE 19898 18789
+
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
+    CMD curl -f http://localhost:19898/api/health || exit 1
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["spacebot", "start", "--foreground"]