zvadaadam · zvadaadam · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,8 +1,9 @@
-# Multi-platform release workflow (macOS, Linux)
+# Release workflow (macOS desktop + CLI)
 #
-# Builds and publishes the Electron app for all platforms via GitHub Releases.
-# electron-updater reads latest-mac.yml / latest.yml / latest-linux.yml from
-# the release assets to deliver auto-updates.
+# Builds and publishes the macOS Electron app via GitHub Releases.
+# electron-updater reads latest-mac.yml from the release assets to deliver
+# auto-updates. Linux desktop packaging is intentionally disabled until the
+# native packaged runtime and bundled agent CLIs are staged for Linux.
 #
 # Trigger: GitHub Actions UI → "Run workflow" → pick bump type
 # Or CLI:  gh workflow run release.yml -f bump=patch
@@ -44,6 +45,9 @@ on:
 permissions:
   contents: write
 
+env:
+  BUN_VERSION: 1.2.19
+
 jobs:
   # ── Step 1: Validate version & bump files ───────────────────────────
   validate-and-bump:
@@ -90,7 +94,15 @@ jobs:
 
       - uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.2.19
+          bun-version: ${{ env.BUN_VERSION }}
+
+      - name: Verify Bun version pin
+        run: |
+          package_manager="$(sed -nE 's/.*"packageManager": "bun@([^"]+)".*/\1/p' package.json)"
+          if [[ "$package_manager" != "$BUN_VERSION" ]]; then
+            echo "::error::release workflow BUN_VERSION=$BUN_VERSION but package.json packageManager=bun@$package_manager"
+            exit 1
+          fi
 
       - name: Bump version, commit & create tag
         if: ${{ inputs.dry_run == false }}
@@ -117,7 +129,15 @@ jobs:
 
       - uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.2.19
+          bun-version: ${{ env.BUN_VERSION }}
+
+      - name: Verify Bun version pin
+        run: |
+          package_manager="$(sed -nE 's/.*"packageManager": "bun@([^"]+)".*/\1/p' package.json)"
+          if [[ "$package_manager" != "$BUN_VERSION" ]]; then
+            echo "::error::release workflow BUN_VERSION=$BUN_VERSION but package.json packageManager=bun@$package_manager"
+            exit 1
+          fi
 
       - uses: actions/setup-node@v4
         with:
@@ -126,9 +146,21 @@ jobs:
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
+      - name: Typecheck runtime surfaces
+        run: |
+          bun run typecheck
+          bun run typecheck:backend
+          bun run typecheck:agent-server
+
       - name: Build all
         run: bun run build:all
 
+      - name: Smoke test staged native runtime
+        run: bun run smoke:runtime-native
+
+      - name: Smoke test packaged runtime resources
+        run: bun run smoke:runtime-resources
+
       - name: Prepare Apple API key for notarization
         run: |
           if [[ -z "$APPLE_API_KEY" || -z "$APPLE_API_KEY_ID" || -z "$APPLE_API_ISSUER" ]]; then
@@ -201,35 +233,48 @@ jobs:
           while IFS= read -r app_path; do
             echo "Verifying signature for $app_path"
             codesign --verify --deep --strict --verbose=2 "$app_path"
+            node scripts/runtime/smoke-packaged-app.cjs --app "$app_path" --require-gatekeeper
           done < <(find dist-electron -maxdepth 2 -path '*/Deus.app' -type d | sort)
 
           while IFS= read -r dmg_path; do
             echo "Validating notarization for $dmg_path"
             xcrun stapler validate "$dmg_path"
           done < <(find dist-electron -maxdepth 1 -name '*.dmg' -type f | sort)
 
-      - name: Smoke test packaged runtime from DMG copy
+          node scripts/runtime/smoke-packaged-dmgs.cjs \
+            --require-gatekeeper \
+            $(find dist-electron -maxdepth 1 -name '*.dmg' -type f | sort)
+
+      - name: Smoke test packaged runtime and desktop from DMG copy
         run: |
           set -euo pipefail
 
-          dmg_path="$(find dist-electron -maxdepth 1 -name '*arm64.dmg' -type f | head -n 1)"
+          runner_arch="$(uname -m)"
+          case "$runner_arch" in
+            arm64)
+              dmg_path="$(find dist-electron -maxdepth 1 -name '*arm64.dmg' -type f | head -n 1)"
+              ;;
+            x86_64)
+              dmg_path="$(find dist-electron -maxdepth 1 \( -name '*x64.dmg' -o \( -name '*.dmg' ! -name '*arm64.dmg' \) \) -type f | head -n 1)"
+              ;;
+            *)
+              echo "::error::Unsupported macOS runner architecture: ${runner_arch}"
+              exit 1
+              ;;
+          esac
           if [[ -z "$dmg_path" ]]; then
-            dmg_path="$(find dist-electron -maxdepth 1 -name '*.dmg' -type f | head -n 1)"
+            echo "::error::No macOS DMG found for runner architecture ${runner_arch}"
+            find dist-electron -maxdepth 1 -name '*.dmg' -type f -print
+            exit 1
           fi
 
           mount_dir="$(mktemp -d "${RUNNER_TEMP}/deus-dmg.XXXXXX")"
           copied_root="$(mktemp -d "${RUNNER_TEMP}/deus-app.XXXXXX")"
-          copied_app="$copied_root/Deus.app"
-          smoke_log="$(mktemp "${RUNNER_TEMP}/deus-smoke.XXXXXX.log")"
-          smoke_db="$(mktemp "${RUNNER_TEMP}/deus-smoke.XXXXXX.db")"
+          copied_home="$copied_root/home"
+          copied_app="$copied_home/Applications/Deus.app"
           attached=0
-          backend_pid=""
 
           cleanup() {
-            if [[ -n "$backend_pid" ]]; then
-              kill "$backend_pid" 2>/dev/null || true
-              wait "$backend_pid" 2>/dev/null || true
-            fi
             if [[ "$attached" -eq 1 ]]; then
               hdiutil detach "$mount_dir" -quiet || true
             fi
@@ -238,6 +283,7 @@ jobs:
 
           hdiutil attach "$dmg_path" -mountpoint "$mount_dir" -nobrowse
           attached=1
+          mkdir -p "$(dirname "$copied_app")"
           ditto "$mount_dir/Deus.app" "$copied_app"
           hdiutil detach "$mount_dir" -quiet
           attached=0
@@ -246,34 +292,17 @@ jobs:
           resources_dir="$copied_app/Contents/Resources"
           test -x "$resources_dir/simulator/simbridge"
           test -f "$resources_dir/simulator/siminspector.dylib"
+          test -x "$app_bin"
 
-          ELECTRON_RUN_AS_NODE=1 \
-          DATABASE_PATH="$smoke_db" \
-          AUTH_TOKEN=smoke \
-          PORT=0 \
-          CDP_PORT=19222 \
-          DEUS_PACKAGED=1 \
-          DEUS_RESOURCES_PATH="$resources_dir" \
-          DEUS_BUNDLED_BIN_DIR="$resources_dir/bin" \
-          DEVICE_USE_SIMBRIDGE="$resources_dir/simulator/simbridge" \
-          DEVICE_USE_SIMINSPECTOR="$resources_dir/simulator/siminspector.dylib" \
-          AGENT_SERVER_ENTRY="$resources_dir/bin/index.bundled.cjs" \
-          AGENT_SERVER_CWD="$resources_dir/bin" \
-          NODE_PATH="$resources_dir/app.asar/node_modules" \
-          "$app_bin" "$resources_dir/backend/server.bundled.cjs" >"$smoke_log" 2>&1 &
-          backend_pid=$!
-
-          for _ in {1..30}; do
-            if grep -q '^\[BACKEND_PORT\]' "$smoke_log"; then
-              break
-            fi
-            if ! kill -0 "$backend_pid" 2>/dev/null; then
-              break
-            fi
-            sleep 1
-          done
+          node scripts/runtime/smoke-packaged-runtime.cjs \
+            --app "$copied_app" \
+            --require-gatekeeper
 
-          grep -q '^\[BACKEND_PORT\]' "$smoke_log"
+          node scripts/runtime/smoke-packaged-desktop.cjs \
+            --app "$copied_app" \
+            --home "$copied_home" \
+            --launch-in-place \
+            --require-gatekeeper
 
       - name: Clean up Apple API key
         if: always()
@@ -291,47 +320,9 @@ jobs:
             dist-electron/latest-mac.yml
           if-no-files-found: error
 
-  # ── Step 2b: Build Linux (x64) ─────────────────────────────────────
-  build-linux:
-    needs: validate-and-bump
-    runs-on: ubuntu-latest
-    env:
-      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.dry_run == false && needs.validate-and-bump.outputs.tag || github.ref }}
-
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.2.19
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
-
-      - name: Build all
-        run: bun run build:all
-
-      - name: Package Linux (x64)
-        run: bunx electron-builder --linux --publish never
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: linux
-          path: |
-            dist-electron/*.AppImage
-            dist-electron/*.deb
-            dist-electron/*.blockmap
-            dist-electron/latest-linux.yml
-          if-no-files-found: error
-
   # ── Step 3: Stage a draft GitHub Release with all artifacts ─────────
   create-release:
-    needs: [validate-and-bump, build-macos, build-linux]
+    needs: [validate-and-bump, build-macos]
     if: ${{ inputs.dry_run == false }}
     runs-on: ubuntu-latest
     steps:
@@ -344,7 +335,6 @@ jobs:
           mkdir -p release
           find artifacts -type f \( \
             -name "*.dmg" -o -name "*.zip" -o \
-            -name "*.AppImage" -o -name "*.deb" -o \
             -name "*.blockmap" -o -name "*.yml" \
           \) -exec cp {} release/ \;
           echo "=== Release files ==="
@@ -387,7 +377,15 @@ jobs:
 
       - uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.2.19
+          bun-version: ${{ env.BUN_VERSION }}
+
+      - name: Verify Bun version pin
+        run: |
+          package_manager="$(sed -nE 's/.*"packageManager": "bun@([^"]+)".*/\1/p' package.json)"
+          if [[ "$package_manager" != "$BUN_VERSION" ]]; then
+            echo "::error::release workflow BUN_VERSION=$BUN_VERSION but package.json packageManager=bun@$package_manager"
+            exit 1
+          fi
 
       - uses: actions/setup-node@v4
         with:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -46,9 +46,122 @@ jobs:
       - name: Typecheck (backend)
         run: bun run typecheck:backend
 
+      - name: Typecheck (agent-server)
+        run: bun run typecheck:agent-server
+
       - name: Typecheck & test (cloud-relay)
         run: cd apps/cloud-relay && bun install --frozen-lockfile && bunx tsc --noEmit && bunx vitest run
 
+  runtime-macos:
+    name: Native Runtime Smoke (macOS)
+    runs-on: macos-14
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.2.19
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build staged native runtime
+        run: bun run build:runtime
+
+      - name: Validate staged runtime
+        run: bun run validate:runtime
+
+      - name: Smoke source runtime contract
+        run: bun run smoke:runtime-source
+
+      - name: Smoke desktop main runtime contract
+        run: bun run smoke:desktop-main-runtime
+
+      - name: Smoke native runtime executable
+        run: bun run smoke:runtime-native -- --skip-validate
+
+      - name: Smoke packaged runtime resources
+        run: bun run smoke:runtime-resources
+
+      - name: Build Electron desktop outputs
+        run: |
+          bun run build:pencil
+          bun run build
+
+      - name: Select macOS package architecture
+        run: |
+          set -euo pipefail
+          case "$(uname -m)" in
+            arm64)
+              echo "MAC_BUILDER_ARCH=arm64" >> "$GITHUB_ENV"
+              echo "MAC_EXPECTED_ARCH=arm64" >> "$GITHUB_ENV"
+              echo "MAC_APP_PATH=dist-electron/mac-arm64/Deus.app" >> "$GITHUB_ENV"
+              ;;
+            x86_64)
+              echo "MAC_BUILDER_ARCH=x64" >> "$GITHUB_ENV"
+              echo "MAC_EXPECTED_ARCH=x64" >> "$GITHUB_ENV"
+              echo "MAC_APP_PATH=dist-electron/mac/Deus.app" >> "$GITHUB_ENV"
+              ;;
+            *)
+              echo "::error::Unsupported macOS runner architecture: $(uname -m)"
+              exit 1
+              ;;
+          esac
+
+      - name: Package macOS app directory
+        run: bun run package:mac:dir -- --arch "$MAC_BUILDER_ARCH"
+        env:
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
+
+      - name: Smoke packaged macOS app bundle
+        run: >
+          node scripts/runtime/smoke-packaged-app.cjs
+          --app "$MAC_APP_PATH"
+          --arch "$MAC_EXPECTED_ARCH"
+          --skip-app-signature
+          --run-version-checks
+
+      - name: Smoke packaged runtime executable
+        run: >
+          node scripts/runtime/smoke-packaged-runtime.cjs
+          --app "$MAC_APP_PATH"
+          --skip-app-check
+
+      - name: Smoke packaged Electron desktop
+        run: >
+          node scripts/runtime/smoke-packaged-desktop.cjs
+          --app "$MAC_APP_PATH"
+          --skip-app-check
+
+  desktop-runtime-tests:
+    name: Desktop Runtime Unit Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.2.19
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run desktop/runtime unit tests
+        run: bun run test:desktop-runtime
+
   backend-tests:
     name: Backend Tests
     runs-on: ubuntu-latest