Fix release packaging for macOS and Linux

[zvadaadam]

Summary

• stage Linux x64 runtime, agent CLIs, and GitHub CLI alongside macOS artifacts
• enable Linux electron-builder packaging and release uploads for AppImage/deb
• fix cross-arch macOS packaging by installing missing @napi-rs/canvas native payloads from the lockfile
• keep runtime validation platform-aware for macOS signing checks and Linux ELF checks

Verification

• bun run typecheck
• bun run build:runtime
• bun run validate:runtime
• bun run smoke:runtime-source
• bun run smoke:runtime-resources
• bun run smoke:desktop-main-runtime
• file dist/runtime/electron/bin/linux-x64/*

Notes

• Local Vitest hangs under this machine's Node 25/Bun 1.3 toolchain before emitting test output; CI uses Node 22/Bun 1.2.19.
• Local smoke:runtime-native is blocked by macOS Gatekeeper provenance on ad-hoc generated Mach-O binaries; static packaged resource smoke passed.

Summary by CodeRabbit

• New Features

  • Linux desktop app support (AppImage & DEB) added, with Linux agent/CLI binaries and generalized runtime handling/verification across macOS and Linux.

• Tests

  • Native Linux runtime smoke tests added; unit tests expanded to cover Linux packaging, pruning, path resolution, and runtime env behavior.

• Chores

  • Release workflow updated to build/publish Linux artifacts alongside macOS and CLI.
  • CLI publishing switched to Bun for public releases.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cd7cb587-77e0-4645-84a6-058a0e0e6b2e

📥 Commits

Reviewing files that changed from the base of the PR and between 1ac713a and 92e6cc4.

📒 Files selected for processing (7)

• apps/desktop/main/backend-process.ts
• apps/desktop/main/runtime-env.ts
• apps/runtime/index.ts
• shared/lib/cli-path.ts
• test/unit/desktop/backend-process.test.ts
• test/unit/desktop/runtime-env.test.ts
• test/unit/shared/cli-path.test.ts

✅ Files skipped from review due to trivial changes (1)

• shared/lib/cli-path.ts

---

📝 Walkthrough

Walkthrough

Adds linux-x64 as a packaged desktop target: updates runtime contracts, makes executable inspection format-aware (ELF vs Mach-O), generalizes runtimeKey-based staging/pruning, provisions platform-specific native deps, and adds CI/release/test jobs to build, validate, and release Linux Electron artifacts.

Changes

Linux x64 Runtime Build and Packaging

Layer / File(s)	Summary
Runtime contracts and packaging configuration scripts/runtime/gh-cli-contract.json, scripts/runtime/agent-clis.ts, electron-builder.yml, package.json	GH CLI, agent CLI, and native runtime build contracts now include Linux x64 target definitions with ELF executable format and tar.gz archive metadata. Electron builder configuration maps prebuilt Linux CLI binaries into the packaged bundle. Linux packaging script is enabled in package.json.
CI/release workflows and test jobs .github/workflows/release.yml, .github/workflows/test.yml	Release workflow adds a build-linux job on Ubuntu x64 that packages Linux Electron artifacts and verifies them, with create-release now depending on both build-macos and build-linux. Test workflow adds runtime-linux job to validate packaged Linux runtime binaries. CLI publishing switched to bun publish.
GH CLI staging and extraction scripts/prepare-gh-cli.mjs	GH CLI staging now respects per-target archiveExtension and fileFormat, extracts zip and tar.gz appropriately, and gates macOS codesign verification to darwin runtime keys.
Format-aware executable inspection and agent CLI preparation scripts/runtime/agent-clis.ts, scripts/runtime/validate.ts	Executable inspection generalized to accept fileFormat and fileArch; agent CLI targets include Linux x64 and inspection/validation now check ELF vs Mach-O and require expected architecture strings.
Prune, prebuild, and external-module provisioning scripts/prune-pencil-cli-binaries.cjs	Introduces runtimeKey lookup tables, runtime-key-aware pruning for node-pty/canvas/better-sqlite3, centralized verifyExecutableFileFormat, canvas package recovery from bun.lock, and ensureLinuxNodePtyRuntimePrebuild; afterPack calls ensure steps and new helpers are exported.
Electron beforePack and native runtime build scripts/runtime/electron-builder-before-pack.cjs, scripts/runtime/native-runtime.ts	beforePack computes runtimeKey from platform+arch and validates allowed combos; native runtime targets add linux-x64, macOS-only inspections/signing are gated, and manifests optionally include otoolOutput when applicable.
Unit test updates test/unit/runtime/electron-builder-before-pack.test.ts, test/unit/runtime/prune-pencil-cli-binaries.test.ts, test/unit/desktop/*, test/unit/shared/*	Tests updated to include arch in context and to assert Linux x64 allow-case, unknown-arch rejection for Linux, Win32 rejection, new fixture/tests for Linux node-pty prebuild promotion/pruning, desktop packaged-backend/env tests parameterized for darwin/linux, and CLI-path Linux x64 resolution tests.

Sequence Diagram(s)

sequenceDiagram
  participant ReleaseWF as Release Workflow
  participant Validate as validate-and-bump
  participant BuildMacOS as build-macos
  participant BuildLinux as build-linux
  participant CreateRelease as create-release
  participant PublishCLI as publish-cli

  Validate->>BuildMacOS: trigger macOS packaging
  Validate->>BuildLinux: trigger Linux packaging
  BuildMacOS->>CreateRelease: upload macOS artifacts
  BuildLinux->>CreateRelease: upload Linux artifacts
  CreateRelease->>CreateRelease: collect release files (include .AppImage/.deb)
  CreateRelease->>PublishCLI: trigger CLI publish
  PublishCLI->>PublishCLI: bun publish --access public

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• zvadaadam/deus-machine#287: Related work touching Linux desktop packaging/testing flow and release jobs.
• zvadaadam/deus-machine#268: Related changes focused on Linux packaging and deterministic packaged candidate discovery.

Poem

🐰 I hopped from darwin to elf-land bright,
I packed AppImage under moonlight,
I fetched canvas tarballs, grepped the hash,
Promoted prebuilds, removed stale trash,
Now Linux joins macOS — builds take flight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: enabling release packaging for both macOS and Linux platforms, which is the primary objective across multiple workflow and configuration files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch san-juan-v7

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 359-363: Update the "Package Linux (x64)" job so it runs runtime
contract validation and runtime smoke checks before packaging: insert steps to
run the npm scripts via bun (e.g. "bun run validate:runtime" and "bun run
validate:runtime-smoke") prior to "bun run build:all" and the existing "bunx
electron-builder --linux --publish never", and ensure any failure from these
validation commands fails the job so artifacts are not published.

In `@scripts/prune-pencil-cli-binaries.cjs`:
- Around line 549-551: The curl and tar invocations inside
ensureCanvasRuntimePackage() can hang indefinitely; add a timeout option to both
execFileSync calls to avoid stalling the job. Update the two execFileSync calls
that run "curl" (with args ["-fsSL", url, "-o", tarballPath]) and "tar"
(["-xzf", tarballPath, "-C", tempRoot]) to include a timeout value in the
options (e.g., { stdio: ["ignore","pipe","pipe"], timeout: 120000 }) or pull a
configurable timeout constant and use that so both downloads and extraction will
abort after the configured ms.

In `@scripts/runtime/electron-builder-before-pack.cjs`:
- Around line 216-218: The allowlist guard currently treats an unmapped builder
arch as "omitted" and returns early; update the condition in the check using
SUPPORTED_PACKAGED_RUNTIME_KEYS, ARCH_BY_BUILDER_VALUE and the local arch so
that only a known, mapped arch that is present in supportedArches causes an
early return (i.e., require arch to be truthy before checking
supportedArches.has(arch)); this ensures assertPackagedRuntimePlatform({
electronPlatformName: "linux", arch: 99 }) and similar cases do not bypass the
platform check and instead fall through to the proper error handling in
beforePack.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c3327ac-fe59-4f4b-a755-a5df3f67ad41

📥 Commits

Reviewing files that changed from the base of the PR and between 7ee079f and e899f78.

📒 Files selected for processing (12)

• .github/workflows/release.yml
• .github/workflows/test.yml
• electron-builder.yml
• package.json
• scripts/prepare-gh-cli.mjs
• scripts/prune-pencil-cli-binaries.cjs
• scripts/runtime/agent-clis.ts
• scripts/runtime/electron-builder-before-pack.cjs
• scripts/runtime/gh-cli-contract.json
• scripts/runtime/native-runtime.ts
• scripts/runtime/validate.ts
• test/unit/runtime/electron-builder-before-pack.test.ts

[zvadaadam]

Greenlight — Round 3

Fixed all three CodeRabbit findings in 7aa675c:

• Linux release packaging now validates the runtime contract and runs the source runtime smoke before publishing artifacts.
• Canvas native-package recovery now has bounded curl and tar calls.
• The electron-builder runtime guard now rejects unknown arch values for supported platforms and has test coverage.

Local verification: bun test test/unit/runtime/electron-builder-before-pack.test.ts, node -c for touched packaging scripts, git diff --check, bun run build:runtime, bun run validate:runtime, bun run smoke:runtime-source.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fc65a2b60e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Allow packaged Linux startup before publishing artifacts

Enabling package:linux produces AppImage/deb files, but the packaged desktop still refuses to start on Linux: resolveRuntimeEntries() in apps/desktop/main/backend-process.ts throws whenever app.isPackaged and process.platform !== "darwin". In any packaged Linux build from this script or the new release job, the app will abort before spawning the backend, so the Linux artifacts are not usable until that guard/runtime path is updated.

Useful? React with 👍 / 👎.

[zvadaadam]

Fixed in 92e6cc4. Packaged startup now permits darwin and linux, and the backend spawn test covers packaged Linux launching through Resources/bin/deus-runtime with the bundled bin directory on PATH.

[chatgpt-codex-connector]

Fix Linux source-runtime CLI discovery before gating release

On the new Ubuntu release job this smoke runs after staging the Linux CLIs, but the source runtime only treats darwin-arm64/darwin-x64 as dev-staged runtime keys (apps/runtime/index.ts and shared/lib/cli-path.ts never return linux-x64). As a result smoke:runtime-source starts agent-server without DEUS_BUNDLED_BIN_DIR, cannot emit the required bundled claude/codex paths, and the Linux release job times out/fails before packaging can be uploaded.

Useful? React with 👍 / 👎.

[zvadaadam]

Fixed in 92e6cc4. Source-runtime CLI discovery now recognizes linux-x64 in both apps/runtime/index.ts and shared/lib/cli-path.ts; the shared CLI path test covers staged Linux dev binaries.

[chatgpt-codex-connector]

Preserve npm provenance when publishing the CLI

This replaces the previous npm publish --provenance with bun publish --access public, so releases from this workflow will no longer publish the CLI package with npm provenance even though the job still requests id-token: write. I checked bun publish --help; it lists publish flags like --access, --tag, --otp, and --auth-type, but no provenance flag, so this command drops the supply-chain attestation that the old workflow produced.

Useful? React with 👍 / 👎.

[zvadaadam]

Declined intentionally. The repo instructions require Bun for package operations and explicitly say never npm/yarn; local bun publish --help does not support --provenance, so keeping npm publish --provenance would violate the project command policy. The workflow still uses the pinned Bun version for release consistency.

[zvadaadam]

Greenlight — Round 10

Fixed the two Linux runtime blockers in 92e6cc4:

• Packaged Linux desktop startup now uses the bundled deus-runtime instead of rejecting non-macOS packages.
• Source-runtime CLI discovery now recognizes staged linux-x64 runtime binaries.

Decision: declined the npm provenance suggestion because this repo’s release instructions require Bun-only package operations and Bun does not expose a provenance flag here.

Local verification: bun run typecheck, git diff --check. The configured Vitest runner still hangs locally without output in this environment, so the desktop/runtime tests are being verified by CI.