Bryan-Roe · Bryan-Roe · Jun 21, 2026 · Jun 20, 2026 · Jun 20, 2026 · Jun 20, 2026
@@ -180,7 +180,7 @@
 ## ✅ Sign-Off
 
 | Role | Name | Date | Signature |
-|------|------|------|-----------|
+| --- | --- | --- | --- |
 | Release Lead | — | 2026-06-01 | ✓ |
 | Architecture | — | 2026-06-01 | ✓ |
 | QA | — | 2026-06-01 | ✓ |

@@ -417,7 +417,7 @@ az monitor metrics alert create \
 ## Contact & Escalation
 
 | Role | Contact | Availability |
-|------|---------|--------------|
+| --- | --- | --- |
 | On-Call Engineer | #oncall Slack | 24/7 |
 | Platform Lead | — | Business hours |
 | Architecture | — | Business hours + on-call |

@@ -27,7 +27,10 @@
 import subprocess
 import sys
 import tempfile
-import tomllib
+try:
+    import tomllib
+except ModuleNotFoundError:  # Python < 3.11
+    import tomli as tomllib
 from typing import Any
 
 _REQ_PATTERN = re.compile(r"requirements[^/]*\.txt$|pyproject\.toml$", re.IGNORECASE)

@@ -1,8 +1,8 @@
 name: AGI persistence prune (daily)

 on:
  schedule:
    - cron: '0 3 * * *' # daily at 03:00 UTC
  workflow_dispatch:

 defaults:
@@ -59,7 +59,7 @@
          QAI_AGI_PERSIST_PATH: ${{ secrets.QAI_AGI_PERSIST_PATH }}
          PRUNE_KEEP_ROWS: ${{ secrets.PRUNE_KEEP_ROWS }}
          PRUNE_DRY_RUN: ${{ secrets.PRUNE_DRY_RUN }}
        run: |
          set -euo pipefail
          python -m pip install --upgrade pip
          if [ -f requirements.txt ]; then
@@ -69,10 +69,10 @@
           DRY=${PRUNE_DRY_RUN:-true}
           ARGS=()
           if [ -n "${QAI_AGI_PERSIST_DB:-}" ]; then
-            ARGS+=("--sqlite" "${QAI_AGI_PERSIST_DB}")
+            ARGS="$ARGS --sqlite ${QAI_AGI_PERSIST_DB} --keep-rows ${KEEP}"
           fi
           if [ -n "${QAI_AGI_PERSIST_PATH:-}" ]; then
-            ARGS+=("--jsonl" "${QAI_AGI_PERSIST_PATH}")
+            ARGS="$ARGS --jsonl ${QAI_AGI_PERSIST_PATH} --keep-last ${KEEP}"
           fi
           if [ -z "${QAI_AGI_PERSIST_DB:-}" ] && [ -z "${QAI_AGI_PERSIST_PATH:-}" ]; then
             echo "No persistence target configured (QAI_AGI_PERSIST_DB or QAI_AGI_PERSIST_PATH). Skipping."

@@ -1,8 +1,8 @@
 name: AGI smoke tests
 
 on:
   pull_request:
-    branches: [ main ]
+    branches: [main]
   workflow_dispatch:
 
 permissions:
@@ -12,8 +12,19 @@
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   HARDEN_RUNNER_SHA: 0634a2670c59f64b4a01f0f96f84700a4088b9f0  # v2.12.2
   CHECKOUT_SHA: 11bd71901bbe5b1630ceea73d27597364c9af683      # v4.2.2
-  SETUP_PYTHON_SHA: a26af69be951a213d495a4c3e4e4022e16d87065    # v5.6.0
+  SETUP_PYTHON_SHA: a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
   UPLOAD_ARTIFACT_SHA: 65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+  AGI_SMOKE_TESTS: >-
+    tests/test_agi_smoke.py
+    tests/test_local_agi_sse_integration.py
+    tests/test_agi_persistence_endpoint.py
+    tests/test_agi_persistence_auth.py
+    tests/test_agi_prune.py
+    tests/test_lmstudio_agi_integration.py
+    tests/test_lmstudio_mcp_agi_tools.py
+    tests/test_agi_stream_utils_js.py
+    tests/test_function_app_endpoints.py::TestChatWebAssets
+    tests/test_function_app_endpoints.py::TestAgiEndpoints
 
 concurrency:
   group: agi-smoke-${{ github.event.pull_request.number || github.ref }}
@@ -49,20 +60,10 @@
         timeout-minutes: 15
         run: |
           set -euo pipefail
-          pytest --collect-only \
-            tests/test_agi_smoke.py \
-            tests/test_local_agi_sse_integration.py \
-            tests/test_agi_persistence_endpoint.py \
-            tests/test_agi_persistence_auth.py \
-            tests/test_agi_prune.py \
-            -q
-          pytest \
-            tests/test_agi_smoke.py \
-            tests/test_local_agi_sse_integration.py \
-            tests/test_agi_persistence_endpoint.py \
-            tests/test_agi_persistence_auth.py \
-            tests/test_agi_prune.py \
-            -v --tb=short --timeout=10 --maxfail=1 \
+          read -r -a _smoke_tests <<< "${AGI_SMOKE_TESTS}"
+          pytest --collect-only "${_smoke_tests[@]}" -q
+          pytest "${_smoke_tests[@]}" \
+            -v --tb=short --timeout=30 --maxfail=1 \
             --junitxml=agi-smoke-junit.xml
 
       - name: Upload AGI smoke artifacts

@@ -1,4 +1,4 @@
 name: API Health Smoke

 on:
  pull_request:
@@ -24,7 +24,7 @@
      - ".github/actions/setup-python-env/**"
      - ".github/workflows/api-health-smoke.yml"
  schedule:
    - cron: "30 4 * * *" # Daily 04:30 UTC
  workflow_dispatch:

 concurrency:
@@ -40,7 +40,7 @@
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  HARDEN_RUNNER_SHA: 0634a2670c59f64b4a01f0f96f84700a4088b9f0  # v2.12.2
  CHECKOUT_SHA: 11bd71901bbe5b1630ceea73d27597364c9af683      # v4.2.2
  UPLOAD_ARTIFACT_SHA: 65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
  PYTHON_UNBUFFERED: "1"
  PYTHONDONTWRITEBYTECODE: "1"
  PIP_DISABLE_PIP_VERSION_CHECK: "1"
@@ -146,7 +146,7 @@

      - name: Summary
        if: always()
        run: |
          set -euo pipefail
          {
            echo "## API Health Smoke"
@@ -173,18 +173,16 @@
                 echo "| strict smoke output | \`data_out/integration_smoke/status-strict.json\` |"
               } >> "$GITHUB_STEP_SUMMARY"
             else
-              echo "| integration_smoke.py --strict-endpoints | ❌ failed |" >> "$GITHUB_STEP_SUMMARY"
+              echo "| integration_smoke.py --strict-endpoints | ⊘ skipped (non-scheduled) |"
             fi
-          else
-            echo "| integration_smoke.py --strict-endpoints | ⊘ skipped (non-scheduled) |" >> "$GITHUB_STEP_SUMMARY"
-          fi
 
-          # contract_tests
-          if [ "${{ steps.contract_tests.outcome }}" = "success" ]; then
-            echo "| ci_orchestrator --integration-contract-tests | ✅ passed |" >> "$GITHUB_STEP_SUMMARY"
-          else
-            echo "| ci_orchestrator --integration-contract-tests | ❌ failed |" >> "$GITHUB_STEP_SUMMARY"
-          fi
+            # contract_tests
+            if [ "${{ steps.contract_tests.outcome }}" = "success" ]; then
+              echo "| ci_orchestrator --integration-contract-tests | ✅ passed |"
+            else
+              echo "| ci_orchestrator --integration-contract-tests | ❌ failed |"
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
 
           # Evaluate overall status and fail if any required test failed
           if [ "${{ steps.integration_smoke.outcome }}" != "success" ] || [ "${{ steps.contract_tests.outcome }}" != "success" ]; then
@@ -202,5 +200,7 @@
             exit 1
           fi
 
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "### ✅ All API health checks passed." >> "$GITHUB_STEP_SUMMARY"
+          {
+            echo ""
+            echo "### ✅ All API health checks passed."
+          } >> "$GITHUB_STEP_SUMMARY"
@@ -6,29 +6,35 @@ on:
   pull_request:
     branches: ["main", "master"]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Run tests
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
         with:
-          python-version: '3.10'
+          python-version: '3.11'
 
       - name: Install dependencies
         run: |
+          set -euo pipefail
           python -m pip install --upgrade pip
           if [ -f requirements.txt ]; then
             python -m pip install -r requirements.txt
-          else
-            python -m pip install pytest
           fi
+          python -m pip install pytest
 
       - name: Run pytest
         run: |
-          python -m pytest -q tests/test_aria_bot.py
+          set -euo pipefail
+          python -m pytest tests -q --maxfail=5
@@ -12,7 +12,7 @@
 # Note: More comprehensive but slower than e2e-tests.yml
 # =============================================================================

 name: Aria E2E Tests

 env:
  HARDEN_RUNNER_SHA: 0634a2670c59f64b4a01f0f96f84700a4088b9f0
@@ -28,7 +28,7 @@
 defaults:
  run:
    shell: bash
 on:
  push:
    branches: [main, develop]
    paths:
@@ -43,7 +43,7 @@
      - 'tests/test_*aria*.py'
      - 'tests/test_*ui*.py'
      - '.github/workflows/aria-tests.yml'
  workflow_dispatch: # Manual trigger

 permissions:
  contents: read
@@ -114,7 +114,8 @@
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
         with:
           egress-policy: audit
-          disable-sudo: true
+          # Playwright --with-deps installs browser system packages via apt (sudo).
+          disable-sudo: false
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -237,7 +238,7 @@
             libxfixes3 \
             libxrandr2 \
             libgbm1 \
-            libasound2
+            libasound2t64
 
       - name: Install Python dependencies
         run: |
@@ -315,7 +316,7 @@
         ports:
           - 4444:4444
           - 5900:5900
-        options: --shm-size=2gb
+        options: --shm-size=2gb --add-host=host.docker.internal:host-gateway
     steps:
       - name: Harden runner
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
@@ -350,6 +351,7 @@
           echo $! > /tmp/aria_server.pid
         env:
           PYTHONPATH: ${{ github.workspace }}
+          ARIA_HOST: 0.0.0.0
 
       - name: Wait for server
         run: |
@@ -392,7 +394,7 @@
           pytest tests/test_ui_selenium.py -v --tb=short
         env:
           PYTHONPATH: ${{ github.workspace }}
-          ARIA_SERVER_URL: http://localhost:8080
+          ARIA_SERVER_URL: http://host.docker.internal:8080
           SELENIUM_REMOTE_URL: http://localhost:4444/wd/hub
 
       - name: Stop Aria server

@@ -43,9 +43,6 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            // Required helpers
-            const core = require('@actions/core');
-
             const pr = context.payload.pull_request;
             if (!pr) {
               core.info('No pull request context found; exiting.');

@@ -48,7 +48,7 @@ jobs:
       - name: Validate numeric inputs
         run: |
           set -euo pipefail
-          
+
           validate_threshold() {
             local value=$1
             local name=$2
@@ -67,7 +67,7 @@ jobs:
               exit 1
             fi
           }
-          
+
           validate_threshold "${{ inputs.fitness_threshold }}" "fitness_threshold"
           validate_threshold "${{ inputs.stability_threshold }}" "stability_threshold"
           echo "✓ All inputs validated successfully"
@@ -110,20 +110,20 @@ jobs:
             // Parse and validate inputs
             const fitness = Math.random() * 100;
             const stability = Math.random() * 100;
-            
+
             const parsedFitnessThreshold = Number(process.env.FITNESS_THRESHOLD);
             const parsedStabilityThreshold = Number(process.env.STABILITY_THRESHOLD);
-            
+
             if (!Number.isFinite(parsedFitnessThreshold) || parsedFitnessThreshold < 0 || parsedFitnessThreshold > 100) {
               throw new Error(`Invalid FITNESS_THRESHOLD: ${process.env.FITNESS_THRESHOLD}. Must be a number between 0 and 100.`);
             }
             if (!Number.isFinite(parsedStabilityThreshold) || parsedStabilityThreshold < 0 || parsedStabilityThreshold > 100) {
               throw new Error(`Invalid STABILITY_THRESHOLD: ${process.env.STABILITY_THRESHOLD}. Must be a number between 0 and 100.`);
             }
-            
+
             const fitnessThreshold = parsedFitnessThreshold;
             const stabilityThreshold = parsedStabilityThreshold;
-            
+
             const forceEvolutionStr = (process.env.FORCE_EVOLUTION || 'false').toLowerCase().trim();
             if (!['true', 'false'].includes(forceEvolutionStr)) {
               throw new Error(`Invalid FORCE_EVOLUTION: ${process.env.FORCE_EVOLUTION}. Must be 'true' or 'false'.`);
@@ -150,7 +150,7 @@ jobs:
             out.push(`fitness=${fitness.toFixed(4)}`);
             out.push(`stability=${stability.toFixed(4)}`);
             out.push(`reason=${reason}`);
-            
+
             fs.appendFileSync(githubOutput, out.join('\n') + '\n');
             console.log('✓ Evaluation outputs written successfully');
           } catch (error) {

@@ -311,6 +311,7 @@
     permissions:
       contents: write
       pull-requests: write
+      workflows: write
 
     steps:
       - name: Harden runner
@@ -329,19 +330,21 @@
           REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
-          ref_value=""
-          repo_value=""
-          can_push_value="false"
-          if [ "$EVENT_NAME" = "pull_request" ]; then
-            ref_value="$PR_HEAD_REF"
-            repo_value="$PR_HEAD_REPO"
-            if [ "$PR_HEAD_REPO" = "$REPOSITORY" ]; then
-              can_push_value="true"
+          {
+            if [ "$EVENT_NAME" = "pull_request" ]; then
+              echo "ref=$PR_HEAD_REF"
+              echo "repo=$PR_HEAD_REPO"
+              if [ "$PR_HEAD_REPO" = "$REPOSITORY" ]; then
+                echo "can_push=true"
+              else
+                echo "can_push=false"
+              fi
+            else
+              echo "ref=$REF_NAME"
+              echo "repo=$REPOSITORY"
+              echo "can_push=false"
             fi
-          else
-            ref_value="$REF_NAME"
-            repo_value="$REPOSITORY"
-          fi
+          } >> "$GITHUB_OUTPUT"
 
           {
             echo "ref=$ref_value"

@@ -227,7 +227,7 @@ jobs:
             else
               echo "MISSING: $f" >&3
             fi
-          done
+          done >> "$REPORT"
 
           echo >&3
 

@@ -85,7 +85,8 @@ jobs:
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
         with:
           egress-policy: audit
-          disable-sudo: true
+          # Playwright --with-deps installs browser system packages via apt (sudo).
+          disable-sudo: false
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: false

@@ -157,7 +157,7 @@ jobs:
 
       - name: Start local Functions host (for endpoint checks)
         id: start-func
-        if: runner.os == 'Linux'
+        if: runner.os == 'Linux' && steps.mode.outputs.strict == 'true'
         env:
           INTEGRATION_AI_STATUS_ENDPOINT: ${{ env.INTEGRATION_AI_STATUS_ENDPOINT }}
           RETRY_COUNT: ${{ env.RETRY_COUNT }}
@@ -183,7 +183,7 @@ jobs:
               echo "AI status endpoint reachable: ${INTEGRATION_AI_STATUS_ENDPOINT}"
               exit 0
             fi
-            ((++i))
+            i=$((i + 1))
             echo "Attempt ${i}/${RETRY_COUNT} — endpoint not ready yet; sleeping ${RETRY_INTERVAL}s"
             sleep "${RETRY_INTERVAL}"
           done
-Original file line number
+Diff line change
@@ Expand Up / @@ -227,7 +227,7 @@ jobs: @@
                 else
                   echo "MISSING: $f" >&3
                 fi
-              done
+              done >> "$REPORT"
               echo >&3
@@ Expand Down @@