add automated Docker image tests, Makefile, agent skills, and updated docs

- tests/test-image.sh: 9-test TAP suite (build, binaries, env validation, healthcheck, shutdown)
- .env.test: minimal unquoted env for isolated test runs
- Makefile: dev/test/release targets
- CI: test job gates push/sign in docker-publish.yml
- AGENTS.md + .agent/skills/: agent reference and skill docs
- README: added Development, Testing, CI/CD, Contributing sections
- compose.yml: renamed from docker-compose.yml, added healthcheck
- start.sh: added env validation and signal handling

Author: sudocarlos

.agent/skills/ci-cd/SKILL.md

@@ -0,0 +1,63 @@
+---
+name: ci-cd
+description: CI/CD pipeline for haven-docker including the GitHub Actions workflow for GHCR publishing, the manual DockerHub release script, cosign image signing, and version management. Use when modifying build automation, release processes, or image signing.
+---
+
+# CI/CD
+
+## GitHub Actions — `docker-publish.yml`
+
+Located at `.github/workflows/docker-publish.yml`.
+
+### Triggers
+
+- **Schedule**: daily at 12:28 UTC
+- **Push**: to `main` branch or semver tags (`v*.*.*`)
+- **Pull request**: against `main`
+
+### Pipeline steps
+
+1. Checkout repo
+2. Install cosign (skipped on PRs)
+3. Set up Docker Buildx
+4. Log into GHCR (`ghcr.io`) using `GITHUB_TOKEN`
+5. Extract Docker metadata (tags, labels)
+6. Build and push image (push skipped on PRs, uses GHA cache)
+7. Sign image with cosign (skipped on PRs, uses Sigstore/Fulcio)
+
+### Registry
+
+- **GHCR**: `ghcr.io/sudocarlos/haven-docker` (automated via Actions)
+- **DockerHub**: `sudocarlos/haven` (manual via `release-to-dockerhub.sh`)
+
+## Manual DockerHub Release — `release-to-dockerhub.sh`
+
+```bash
+./release-to-dockerhub.sh
+```
+
+This script:
+1. Extracts version from the `TAG=` line in `Dockerfile`
+2. Builds with `docker buildx` (no cache), pushes `latest` + version tags
+3. Commits all changes, creates an annotated git tag `dockerhub-<version>`
+4. Pushes commits and tags
+
+### Prerequisites
+- Logged into DockerHub (`docker login`)
+- Docker Buildx configured
+
+## Version Management
+
+The Haven version is pinned in `Dockerfile`:
+
+```dockerfile
+ARG TAG=v1.2.0-rc2
+ARG COMMIT=986c21b79c93779a449a52f6414ea267c83428bb
+```
+
+The release script extracts the version with:
+```bash
+VERSION=`awk -F "=" '/TAG=/{print $NF}' Dockerfile`
+```
+
+**To bump**: update `TAG` and `COMMIT` in `Dockerfile`, then run the release workflow.

.agent/skills/docker-packaging/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: docker-packaging
+description: Dockerfile multi-stage build, compose.yml service config, image tagging, volume mounts, and resource limits for the haven-docker project. Use when modifying the Docker build, changing volumes, updating compose settings, or troubleshooting container issues.
+---
+
+# Docker Packaging
+
+## Dockerfile
+
+Multi-stage build in `Dockerfile`:
+
+1. **Builder stage** (`golang` base):
+   - Clones `bitvora/haven`, checks out the `TAG` arg
+   - Runs `go install -v`
+
+2. **Runtime stage** (`debian:stable-slim`):
+   - Installs curl, gpg, ca-certificates, build-essential, Tor
+   - Copies built Go binary and Haven source from builder
+   - Copies `start.sh` as entrypoint
+   - Exposes port `3355`
+
+### Version pinning
+
+```dockerfile
+ARG TAG=v1.2.0-rc2
+ARG COMMIT=986c21b79c93779a449a52f6414ea267c83428bb
+```
+
+To update Haven version: change `TAG` and `COMMIT` at the top of the `Dockerfile`.
+
+## compose.yml
+
+Single service `haven`:
+
+```yaml
+services:
+  haven:
+    container_name: haven
+    image: sudocarlos/haven:main
+    build: .
+    env_file: .env
+    ports:
+      - 3355:3355
+    volumes:
+      - ./data/blossom:/haven/blossom   # Media storage
+      - ./data/db:/haven/db             # Database files
+      - ./relays_blastr.json:/haven/relays_blastr.json
+      - ./relays_import.json:/haven/relays_import.json
+      - ./data/tor:/var/lib/tor         # Tor hidden service state
+    restart: unless-stopped
+    init: true
+    deploy:
+      resources:
+        limits:
+          memory: 2GB
+```
+
+### Key details
+
+- `init: true` ensures proper PID 1 signal handling
+- Memory limit is 2 GB — increase if using lmdb with large datasets
+- All persistent data lives under `./data/` on the host
+- Relay JSON files are bind-mounted directly (not inside `data/`)
+
+## Common Tasks
+
+### Rebuild after Dockerfile changes
+
+```bash
+docker compose build --no-cache
+docker compose up -d
+```
+
+### View container resource usage
+
+```bash
+docker stats haven
+```
+
+## Testing
+
+Run the full image test suite:
+
+```bash
+make test
+```
+
+Tests are in `tests/test-image.sh` (TAP output). They validate:
+- Image builds successfully
+- Required binaries exist (`haven`, `curl`, `tor`, `bash`)
+- `start.sh` entrypoint is executable
+- Env validation rejects missing `OWNER_NPUB` / `RELAY_URL`
+- Haven process starts and port 3355 responds
+- Docker healthcheck passes
+- Container shuts down gracefully
+
+Tests use `.env.test` (minimal config) and clean up containers on exit.

.agent/skills/haven-config/SKILL.md

@@ -0,0 +1,90 @@
+---
+name: haven-config
+description: Configuration reference for Haven relay including .env variables, relay JSON files, database engine selection, backup providers, and rate limiter tuning. Use when modifying relay settings, adding new config variables, or debugging configuration issues.
+---
+
+# Haven Configuration
+
+All configuration is in `.env` (copy from `.env.example`). No config files are baked into the image.
+
+## Core Settings
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `OWNER_NPUB` | — | Owner's Nostr public key (npub format) |
+| `RELAY_URL` | — | Public-facing relay hostname (no `wss://`) |
+| `RELAY_PORT` | `3355` | Port Haven listens on |
+| `RELAY_BIND_ADDRESS` | `0.0.0.0` | Bind address (empty string = all interfaces) |
+| `DB_ENGINE` | `badger` | `badger` or `lmdb` (lmdb needs NVMe for stability) |
+| `LMDB_MAPSIZE` | `0` | 0 = default (~273 GB), or size in bytes |
+| `BLOSSOM_PATH` | `blossom/` | Media storage directory inside container |
+| `TOR_ENABLED` | `0` | Set to `1` to start a Tor hidden service |
+
+## Relay Sections
+
+Haven runs four relay types, each with its own settings block:
+
+| Relay | Prefix | Purpose |
+|-------|--------|---------|
+| Private | `PRIVATE_RELAY_*` | Owner drafts and ecash |
+| Chat | `CHAT_RELAY_*` | Private messages, WoT-gated |
+| Outbox | `OUTBOX_RELAY_*` | Public notes + Blossom media |
+| Inbox | `INBOX_RELAY_*` | Interactions with owner's notes |
+
+Each relay section has: `NAME`, `NPUB`, `DESCRIPTION`, `ICON`, and rate limiter vars.
+
+### Rate Limiter Variables (per relay)
+
+| Suffix | Description |
+|--------|-------------|
+| `EVENT_IP_LIMITER_TOKENS_PER_INTERVAL` | Tokens added per interval |
+| `EVENT_IP_LIMITER_INTERVAL` | Interval in seconds |
+| `EVENT_IP_LIMITER_MAX_TOKENS` | Burst capacity |
+| `ALLOW_EMPTY_FILTERS` | Allow filters with no criteria |
+| `ALLOW_COMPLEX_FILTERS` | Allow multi-criteria filters |
+| `CONNECTION_RATE_LIMITER_TOKENS_PER_INTERVAL` | Connection tokens per interval |
+| `CONNECTION_RATE_LIMITER_INTERVAL` | Connection interval in seconds |
+| `CONNECTION_RATE_LIMITER_MAX_TOKENS` | Connection burst capacity |
+
+### Chat-specific
+
+| Variable | Description |
+|----------|-------------|
+| `CHAT_RELAY_WOT_DEPTH` | Web-of-trust traversal depth |
+| `CHAT_RELAY_WOT_REFRESH_INTERVAL_HOURS` | WoT graph refresh interval |
+| `CHAT_RELAY_MINIMUM_FOLLOWERS` | Min followers to pass WoT gate |
+
+### Inbox-specific
+
+| Variable | Description |
+|----------|-------------|
+| `INBOX_PULL_INTERVAL_SECONDS` | How often to pull from other relays |
+
+## Relay JSON Files
+
+- `relays_blastr.json` — list of relay URLs to blast public notes to
+- `relays_import.json` — list of relay URLs to import notes from
+
+Both are JSON arrays of relay URL strings. Copy from the `.example` versions.
+
+## Import & Backup
+
+| Variable | Description |
+|----------|-------------|
+| `IMPORT_START_DATE` | Start date for note import (YYYY-MM-DD) |
+| `IMPORT_QUERY_INTERVAL_SECONDS` | Query interval during import |
+| `IMPORT_SEED_RELAYS_FILE` | Path to import relays JSON |
+| `BACKUP_PROVIDER` | `aws`, `gcp`, or `none` |
+| `BACKUP_INTERVAL_HOURS` | Backup frequency |
+
+### AWS backup vars
+`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_BUCKET_NAME`
+
+### GCP backup vars
+`GCP_BUCKET_NAME`
+
+## Blastr
+
+| Variable | Description |
+|----------|-------------|
+| `BLASTR_RELAYS_FILE` | Path to blastr relays JSON (default: `relays_blastr.json`) |

.agent/skills/tor-integration/SKILL.md

@@ -0,0 +1,61 @@
+---
+name: tor-integration
+description: Tor hidden service integration for Haven relay including start.sh entrypoint logic, torrc configuration, and data volume persistence. Use when enabling Tor, debugging hidden service issues, or modifying the container entrypoint.
+---
+
+# Tor Integration
+
+Haven can expose the relay as a Tor hidden service, running inside the same container.
+
+## How It Works
+
+The entrypoint `start.sh` checks the `TOR_ENABLED` env var:
+
+```bash
+#!/usr/bin/env bash
+if [[ "$TOR_ENABLED" == 1 ]]; then
+    echo "HiddenServiceDir /var/lib/tor/haven/" >> /etc/tor/torrc
+    echo "HiddenServicePort 80 ${RELAY_BIND_ADDRESS}:${RELAY_PORT}" >> /etc/tor/torrc
+    tor &
+fi
+cd /haven
+./haven
+```
+
+When `TOR_ENABLED=1`:
+1. Appends hidden service config to `/etc/tor/torrc`
+2. Starts `tor` in the background
+3. Haven binds on `RELAY_BIND_ADDRESS:RELAY_PORT` (default `0.0.0.0:3355`)
+4. Tor maps port 80 of the `.onion` address to Haven's port
+
+## Persistent State
+
+Tor keys are persisted via the volume mount:
+
+```yaml
+- ./data/tor:/var/lib/tor
+```
+
+This ensures the `.onion` address survives container restarts. The hidden service hostname is stored at `/var/lib/tor/haven/hostname`.
+
+## Usage
+
+### Enable Tor
+
+Set in `.env`:
+```
+TOR_ENABLED=1
+```
+
+### Start and get the .onion address
+
+```bash
+docker compose up -d
+docker compose exec haven cat /var/lib/tor/haven/hostname
+```
+
+The relay is then available at `ws://<address>.onion`.
+
+## Tor Installation in Dockerfile
+
+Tor is installed from the official Tor Project apt repository (not Debian's package). The Dockerfile adds the Tor Project GPG key and apt source to get the latest stable version.

.agent/workflows/release.md

@@ -0,0 +1,34 @@
+---
+description: Release a new Haven version to DockerHub and GHCR
+---
+
+## Steps
+
+1. Check the latest Haven release at https://github.com/bitvora/haven/releases
+
+2. Update the version in `Dockerfile`:
+   ```
+   ARG TAG=<new-version>
+   ARG COMMIT=<new-commit-hash>
+   ```
+
+3. Test the build locally:
+   // turbo
+   ```bash
+   docker compose build --no-cache
+   ```
+
+4. Verify the container starts:
+   ```bash
+   docker compose up -d
+   docker logs -f haven
+   ```
+
+5. Push to DockerHub (requires `docker login`):
+   ```bash
+   ./release-to-dockerhub.sh
+   ```
+
+   This will also create a git tag `dockerhub-<version>` and push it.
+
+6. The GitHub Actions workflow will automatically build and push to GHCR on the next push to `main`.