decapod 0.56.1

Decapod is a Rust-built governance runtime for AI agents: repo-native state, enforced workflow, proof gates, safe coordination.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528

name: CI

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

permissions:
  contents: write
  id-token: write

# Cancel in-progress runs for massive time savings
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  CARGO_INCREMENTAL: 0                              # Better caching
  CARGO_NET_RETRY: 10                               # Reliability
  CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse       # 3x faster registry fetching
  RUST_BACKTRACE: 1
  RUSTFLAGS: "-C link-arg=-fuse-ld=lld -D warnings" # LLD linker for 2-3x faster linking
  NIX_CONFIG: "experimental-features = nix-command flakes"

jobs:
  # COMMIT LINT: Fast check, no build dependency
  commit-lint:
    name: Commit Lint
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Check commit messages
        run: |
          git log --format=%B origin/${{ github.base_ref }}..HEAD | while read -r msg; do
            [ -z "$msg" ] && continue
            if echo "$msg" | grep -qiE "^(wip|fixup|squash)"; then
              echo "❌ ERROR: WIP commit found: $msg"
              exit 1
            fi
          done
          echo "✅ Commit messages look good"

  detect-migration-script-changes:
    name: Detect Migration Script Changes
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    outputs:
      changed: ${{ steps.diff.outputs.changed }}
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Detect changed migration scripts
        id: diff
        run: |
          set -euo pipefail
          base_ref="${{ github.base_ref }}"
          git fetch --no-tags --prune origin "$base_ref"
          changed_files="$(git diff --name-only "origin/$base_ref"...HEAD)"
          echo "$changed_files"
          if echo "$changed_files" | grep -qE '^src/core/sql/.*\.sql$'; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

  # FMT: Pure source check, no compile needed
  fmt:
    name: Lint (fmt)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Format check
        run: nix develop .#ci -c cargo fmt --all -- --check

  # CLIPPY: Compiles its own analysis pass, runs in parallel with setup
  clippy:
    name: Lint (clippy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Clippy
        run: nix develop .#ci -c cargo clippy --all-targets --all-features -- -D warnings

  # HEALTH: consumes the shared decapod binary from setup
  health:
    name: Health Checks
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Download shared decapod binary
        uses: actions/download-artifact@v8
        with:
          name: decapod-debug-linux-${{ github.sha }}
          path: target/debug
      - name: Install shared decapod binary
        run: |
          chmod +x target/debug/decapod
          echo "$PWD/target/debug" >> "$GITHUB_PATH"
      - name: Initialize Decapod
        run: decapod init --force
        env:
          DECAPOD_VALIDATE_SKIP_GIT_GATES: "1"
      - name: Acquire Decapod session
        run: decapod session acquire
        env:
          DECAPOD_VALIDATE_SKIP_GIT_GATES: "1"
      - name: Run validation harness
        run: decapod validate
        env:
          DECAPOD_VALIDATE_SKIP_GIT_GATES: "1"
          DECAPOD_VALIDATE_TIMEOUT_SECS: "120"
      - name: Run watcher
        run: decapod govern watcher run
        env:
          DECAPOD_VALIDATE_SKIP_GIT_GATES: "1"
      - name: Check health summary
        env:
          DECAPOD_VALIDATE_SKIP_GIT_GATES: "1"
        run: |
          STATUS=$(decapod govern health summary)
          echo "$STATUS"
          if echo "$STATUS" | grep -q '"watcher_stale": true'; then
            echo "::warning::Watcher is stale"
          fi

  # STATE_COMMIT: Builds its own golden_vectors binary, no dependency on setup
  state-commit-golden-vectors:
    name: Golden Vectors (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    env:
      DECAPOD_STATE_COMMIT_CI_JOB: state-commit-golden-vectors
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
          submodules: recursive
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Verify golden vectors exist
        run: |
          echo "=== Verifying golden vectors exist ==="
          test -f tests/golden/state_commit/v1/scope_record.cbor || exit 1
          test -f tests/golden/state_commit/v1/scope_record_hash.txt || exit 1
          test -f tests/golden/state_commit/v1/state_commit_root.txt || exit 1
          echo "=== Expected values ==="
          echo "scope_record_hash: 41d7e3729b6f4512887fb3cb6f10140942b600041e0d88308b0177e06ebb4b93"
          echo "state_commit_root: 28591ac86e52ffac76d5fc3aceeceda5d8592708a8d7fcb75371567fdc481492"
          echo "=== Actual committed values ==="
          cat tests/golden/state_commit/v1/scope_record_hash.txt
          cat tests/golden/state_commit/v1/state_commit_root.txt
      - name: Build golden vectors generator
        run: cd tests/golden_vectors && unset RUSTFLAGS && cargo build --release
      - name: Initialize fixture repo
        run: |
          cd tests/fixtures/state_commit_repo
          git init
          git config user.email "test@test.com"
          git config user.name "Test"
          git add initial.txt
          git commit -m "base commit"
          git add .
          git commit -m "fixture commit"
      - name: Run golden vectors generator
        working-directory: tests/golden_vectors
        run: |
          ./target/release/golden_vectors > /tmp/generated.txt 2>&1
          GEN_HASH=$(grep "scope_record_hash:" /tmp/generated.txt | awk '{print $2}')
          GEN_ROOT=$(grep "state_commit_root:" /tmp/generated.txt | awk '{print $2}')
          echo "Generated hash: $GEN_HASH"
          echo "Generated root: $GEN_ROOT"
          test -n "$GEN_HASH" || exit 1
          test -n "$GEN_ROOT" || exit 1
          echo "✅ Golden vectors generator runs successfully"
      - name: Verify no network dependencies
        run: |
          if grep -qE "(reqwest|hyper|ureq|http)" tests/golden_vectors/Cargo.toml; then
            echo "ERROR: golden_vectors has network dependencies"
            exit 1
          fi
          echo "✅ No network dependencies"

  # SETUP: Compile the shared decapod binary once and save both cache + binary artifact.
  # Test jobs restore this cache and download the same target/debug/decapod executable
  # so integration tests that use CARGO_BIN_EXE_decapod do not independently rebuild it.
  setup:
    name: Setup & Build Shared Binary
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy
      - name: Save Rust cache (always, so PRs benefit on next run)
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          cache-targets: true
          save-if: "true"
          cache-all-crates: true
      - name: Check Cargo.lock is up to date
        run: cargo generate-lockfile && git diff --quiet Cargo.lock || echo "⚠️ Cargo.lock outdated - run cargo update locally"
      - name: Compile shared decapod binary
        run: cargo build --all-features --bin decapod
      - name: Upload shared decapod binary
        uses: actions/upload-artifact@v7
        with:
          name: decapod-debug-linux-${{ github.sha }}
          path: target/debug/decapod
          retention-days: 1
          compression-level: 0

# SELECTIVE TESTS: Run only tests for changed files (PRs) or all tests (master)
  test:
    name: Tests (${{ matrix.target }})
    runs-on: ubuntu-latest
    needs: setup
    if: github.event_name == 'pull_request'
    strategy:
      fail-fast: false
      matrix:
        target: [core, plugins, cli, integration]
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Detect changed files
        id: changed
        run: |
          base_ref="${{ github.base_ref }}"
          git fetch --no-tags --prune origin "$base_ref"
          chg=$(git diff --name-only "origin/$base_ref"...HEAD | tr '\n' ',' | sed 's/,$//')
          echo "changed=$chg" >> "$GITHUB_OUTPUT"
      - name: Run selective tests
        run: |
          set -euo pipefail
          CHANGED="${{ steps.changed.outputs.changed }}"
          echo "Changed files: $CHANGED"
          
          # decapod impact analysis
          decapod impact --changed-files "$CHANGED" --predict --format text || true
          
          case "${{ matrix.target }}" in
            core)
              if echo "$CHANGED" | grep -qE 'src/core/(todo|validate|workspace|workunit|obligation|docs|capsule|rpc|migration|gateway)'; then
                cargo test --all-features --test todo_enforcement -- --test-threads=4
                cargo test --all-features --test validate_termination -- --test-threads=4
                cargo test --all-features --test workspace_interlock -- --test-threads=4
                cargo test --all-features --test workunit_cli -- --test-threads=4
                cargo test --all-features --test context_capsule_cli -- --test-threads=4
              elif echo "$CHANGED" | grep -qE 'src/core/'; then
                cargo test --all-features --test entrypoint_correctness -- --test-threads=4
              fi
              ;;
            plugins)
              if echo "$CHANGED" | grep -qE 'src/plugins/'; then
                cargo test --all-features --test plugins_todo_tests -- --test-threads=4
                cargo test --all-features --test plugins_policy_tests -- --test-threads=4
                cargo test --all-features --test plugins_health_tests -- --test-threads=4
                cargo test --all-features --test plugins_aptitude_tests -- --test-threads=4
                cargo test --all-features --test plugins_internalize_tests -- --test-threads=4
                cargo test --all-features --test plugins_federation_tests -- --test-threads=4
                cargo test --all-features --test plugins_decide_tests -- --test-threads=4
                cargo test --all-features --test plugins_obligation_tests -- --test-threads=4
              fi
              ;;
            cli)
              if echo "$CHANGED" | grep -qE 'src/(cli|lib|main)'; then
                cargo test --all-features --test cli_contract_enforcement -- --test-threads=4
                cargo test --all-features --test entrypoint_correctness -- --test-threads=4
                cargo test --all-features --test cli_contracts -- --test-threads=4
              fi
              ;;
            integration)
              if echo "$CHANGED" | grep -qE 'src/'; then
                cargo test --all-features --test contract_conformance -- --test-threads=4
                cargo test --all-features --test constitution_claims -- --test-threads=4
                cargo test --all-features --test spec_conformance -- --test-threads=4
                cargo test --all-features --test substrate_integrity -- --test-threads=4
              fi
              ;;
          esac
          echo "✓ Selective tests passed"

  # MASTER: Full test suite for direct master pushes only
  test-master:
    name: Tests (Full)
    runs-on: ubuntu-latest
    needs: setup
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Run all tests
        run: cargo test --all-features --test gatling -- --test-threads=4

  # RPC SUITE: isolated to avoid contention
  test-rpc-suite:
    name: Tests (RPC Suite)
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Download shared decapod binary
        uses: actions/download-artifact@v8
        with:
          name: decapod-debug-linux-${{ github.sha }}
          path: target/debug
      - name: Make shared decapod binary executable
        run: chmod +x target/debug/decapod
      - name: Run RPC suite
        run: nix develop .#ci -c cargo test --all-features --test agent_rpc_suite -- --test-threads=1

  # CHAOS: Multi-agent contention + deterministic replay gate
  chaos-replay:
    name: Chaos Replay Gate
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Download shared decapod binary
        uses: actions/download-artifact@v8
        with:
          name: decapod-debug-linux-${{ github.sha }}
          path: target/debug
      - name: Make shared decapod binary executable
        run: chmod +x target/debug/decapod
      - name: Run chaos replay determinism test
        run: cargo test --test chaos_replay -- --test-threads=1

  # DAEMONLESS: ensure commands do not leave background processes
  daemonless-lifecycle:
    name: Daemonless Lifecycle Gate
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Download shared decapod binary
        uses: actions/download-artifact@v8
        with:
          name: decapod-debug-linux-${{ github.sha }}
          path: target/debug
      - name: Make shared decapod binary executable
        run: chmod +x target/debug/decapod
      - name: Run daemonless lifecycle test
        run: cargo test --all-features --test daemonless_lifecycle -- --test-threads=1

  # CONTRACTS: README/Constitution drift detection
  contracts:
    name: Contract Conformance
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Download shared decapod binary
        uses: actions/download-artifact@v8
        with:
          name: decapod-debug-linux-${{ github.sha }}
          path: target/debug
      - name: Make shared decapod binary executable
        run: chmod +x target/debug/decapod
      - name: Run contract conformance tests
        run: |
          cargo test --all-features --test contract_conformance -- --test-threads=1
          cargo test --all-features --test constitution_claims -- --test-threads=1
      - name: Run CLI contract enforcement tests
        run: cargo test --all-features --test cli_contract_enforcement -- --test-threads=1

  # MIGRATION TESTS: Only when SQL migration scripts change
  migration-script-tests:
    name: Migration Script Tests
    runs-on: ubuntu-latest
    needs: [setup, detect-migration-script-changes]
    if: github.event_name == 'pull_request' && needs.detect-migration-script-changes.outputs.changed == 'true'
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "ci-build"
          save-if: "false"
      - name: Download shared decapod binary
        uses: actions/download-artifact@v8
        with:
          name: decapod-debug-linux-${{ github.sha }}
          path: target/debug
      - name: Make shared decapod binary executable
        run: chmod +x target/debug/decapod
      - name: Run migration tests
        run: cargo test --all-features --test core_tests migration_ -- --ignored --test-threads=1


  # RELEASE BUILD: Only on master, after all checks pass
  release-build:
    name: Release Build Check
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/master'
    needs: [fmt, clippy, test, test-rpc-suite, chaos-replay, daemonless-lifecycle, contracts, health]
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 1
      - name: Install LLD
        uses: ./.github/actions/install-lld
      - uses: dtolnay/rust-toolchain@stable
      - name: Restore cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "release"
          cache-targets: true
          save-if: true
      - name: Build release
        run: cargo build --release --locked
      - name: Upload binary
        uses: actions/upload-artifact@v7
        with:
          name: decapod-${{ github.sha }}
          path: target/release/decapod
          retention-days: 1
          compression-level: 9