release: v0.8.5

Author: Paul Kyle

.github/workflows/ci.yml

@@ -0,0 +1,126 @@
+# CI pipeline for Palinode — runs on every push and pull_request to any branch.
+#
+# Jobs:
+#   1. unit-tests     — fast feedback on core logic (no external services)
+#   2. integration    — tests/integration/ (may need Ollama; continue-on-error)
+#   3. security-scan  — bandit (code) + pip-audit (dependencies)
+
+name: CI
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  # ---------------------------------------------------------------------------
+  # Unit tests — should never need network access or Ollama.
+  # All embeddings / LLM calls are mocked in the test suite.
+  # ---------------------------------------------------------------------------
+  unit-tests:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Assert palinode resolves to the checked-out tree
+        # Regression guard for editable installs: palinode.__file__ must
+        # resolve under GITHUB_WORKSPACE, not some other site-packages path.
+        run: |
+          RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
+          echo "palinode.__file__ = $RESOLVED"
+          if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
+            echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
+            echo "       Got: $RESOLVED"
+            exit 1
+          fi
+
+      - name: Run unit tests (excluding integration)
+        run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live
+
+  # ---------------------------------------------------------------------------
+  # Integration tests — run against tests/integration/.
+  #
+  # These tests do not require Ollama directly (embeddings are stubbed), but
+  # they do spin up FastAPI in-process and exercise the full save/search loop
+  # against a real SQLite database in a temp directory.
+  #
+  # continue-on-error: true — any test tagged @pytest.mark.slow that needs
+  # a live Ollama instance will fail here; that is expected in CI.
+  # Run the full suite locally against a host with Ollama for full coverage.
+  # ---------------------------------------------------------------------------
+  integration-tests:
+    runs-on: ubuntu-latest
+
+    env:
+      PALINODE_DIR: /tmp/palinode-ci-test
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run integration tests
+        # Integration tests that need Ollama will be skipped in CI;
+        # run locally against a host with Ollama for full Ollama-backed coverage.
+        run: python -m pytest tests/integration/ -x -q
+        continue-on-error: true
+
+  # ---------------------------------------------------------------------------
+  # Security scans — informational (continue-on-error: true on pip-audit).
+  #
+  # bandit:    static analysis for common Python security issues
+  # pip-audit: checks installed packages against known vulnerability databases
+  # ---------------------------------------------------------------------------
+  security-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+          pip install bandit pip-audit
+
+      - name: Run bandit (static security analysis)
+        # -r: recursive, -ll: medium+ severity, -q: quiet output
+        run: bandit -r palinode/ -ll -q
+
+      - name: Run pip-audit (dependency vulnerability check)
+        # continue-on-error: known-vulnerability lists drift; treat as informational
+        run: pip-audit
+        continue-on-error: true

.github/workflows/main-ci.yml

@@ -0,0 +1,131 @@
+# Rationale: Option B (post-merge sweep) from dev#198.
+# Option A (require branch-up-to-date before merge) is enforced
+# in GitHub repo settings → Branches → main branch protection.
+# This file is the backstop if that check is bypassed (admin merge, etc.).
+#
+# Triggered only on push to main (not on PRs — those are covered by ci.yml).
+# On any failure, opens a GitHub issue to flag the regression.
+
+name: Main CI (post-merge sweep)
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  # ---------------------------------------------------------------------------
+  # Unit tests — mirrors ci.yml; catches interaction bugs that slip through
+  # independent-PR CI (the failure mode documented in #198).
+  # ---------------------------------------------------------------------------
+  unit-tests:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Assert palinode resolves to the checked-out tree
+        run: |
+          RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
+          echo "palinode.__file__ = $RESOLVED"
+          if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
+            echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
+            echo "       Got: $RESOLVED"
+            exit 1
+          fi
+
+      - name: Run unit tests (excluding integration)
+        run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live
+
+  # ---------------------------------------------------------------------------
+  # Integration tests — informational backstop on main.
+  # continue-on-error: true because Ollama is not available in CI runners.
+  # ---------------------------------------------------------------------------
+  integration-tests:
+    runs-on: ubuntu-latest
+
+    env:
+      PALINODE_DIR: /tmp/palinode-ci-test
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run integration tests
+        run: python -m pytest tests/integration/ -x -q
+        continue-on-error: true
+
+  # ---------------------------------------------------------------------------
+  # Security scan — same as ci.yml.
+  # ---------------------------------------------------------------------------
+  security-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+          pip install bandit pip-audit
+
+      - name: Run bandit (static security analysis)
+        run: bandit -r palinode/ -ll -q
+
+      - name: Run pip-audit (dependency vulnerability check)
+        run: pip-audit
+        continue-on-error: true
+
+  # ---------------------------------------------------------------------------
+  # Regression reporter — fires only when a job above fails.
+  # Opens a GitHub issue so the regression is visible outside the Actions UI.
+  # ---------------------------------------------------------------------------
+  report-regression:
+    runs-on: ubuntu-latest
+    needs: [unit-tests, integration-tests, security-scan]
+    if: failure()
+
+    steps:
+      - name: Report regression
+        if: failure()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh issue create \
+            --title "CI regression on main: ${{ github.sha }}" \
+            --body "Commit ${{ github.sha }} broke CI on main. Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            --label "bug"

.gitignore

@@ -61,3 +61,7 @@ nohup.out
 
 # Launch-posts working draft — local-only, not for git
 artifacts/launch-posts.md
+
+# Test-rig deploy-key material (.claude/plans/test-rigs/) — never commit secrets
+.claude/plans/test-rigs/group_vars/all.vault.yml
+.claude/plans/palinode-test-env/group_vars/all.vault.yml

README.md

@@ -16,6 +16,21 @@ Your agent's memory is a folder of markdown files. Palinode indexes them with hy
 
 ---
 
+## Supported Platforms
+
+| Platform | Session Skill Path | MCP Config |
+|----------|--------------------|------------|
+| **Claude Code CLI** | `~/.claude/skills/` | `~/.claude.json` |
+| **Claude Desktop** | `~/.claude/skills/` | `claude_desktop_config.json` |
+| **Cursor** | `.cursor/skills/` | `.cursor/mcp.json` |
+| **VS Code + Claude** (Continue / Cline) | `~/.claude/skills/` | see [MCP-INSTALL-RECIPES.md](docs/MCP-INSTALL-RECIPES.md) |
+| **JetBrains + Claude** | `~/.claude/skills/` | `~/.claude.json` |
+| **Codex CLI** | N/A (no skills) | `~/.codex/config.toml` |
+
+All platforms share the same MCP server — install once on your server, connect from any IDE. See [docs/MCP-SETUP.md](docs/MCP-SETUP.md) and [docs/MCP-INSTALL-RECIPES.md](docs/MCP-INSTALL-RECIPES.md) for per-client config snippets.
+
+---
+
 ## The Idea
 
 Most agent memory is a black box. You can't read it, you can't diff it, you can't `grep` it when the vector DB is down. Palinode bets on **plain files as the source of truth** and builds everything else as a derived index.
@@ -50,12 +65,12 @@ Set up once on a server. Connect from any machine, any IDE, any agent framework.
 ```json
 {
   "mcpServers": {
-    "palinode": { "url": "http://your-server:6341/mcp/" }
+    "palinode": { "type": "http", "url": "http://your-server:6341/mcp/" }
   }
 }
 ```
 
-That's the entire client config. Works with Claude Code, Claude Desktop, Cursor, Windsurf, Zed, and VS Code (Continue/Cline). See [docs/MCP-SETUP.md](docs/MCP-SETUP.md) for editor-specific install recipes.
+That's the entire client config. Works with Claude Code, Claude Desktop, Cursor, Windsurf, Zed, and VS Code (Continue/Cline). `palinode-mcp-sse` serves **streamable-HTTP** at `/mcp/` — the binary name is historical; use `"type": "http"`, not `"type": "sse"`. Always include the trailing slash in the URL. See [docs/MCP-SETUP.md](docs/MCP-SETUP.md) for editor-specific install recipes.
 
 ---
 
@@ -117,7 +132,7 @@ cp /path/to/palinode/palinode.config.yaml.example palinode.config.yaml  # adjust
 # Start services
 PALINODE_DIR=~/.palinode palinode-api        # REST API on :6340
 PALINODE_DIR=~/.palinode palinode-watcher     # auto-indexes on file save
-PALINODE_DIR=~/.palinode palinode-mcp-sse     # MCP server on :6341 (optional)
+PALINODE_DIR=~/.palinode palinode-mcp-sse     # MCP server on :6341 (streamable-HTTP at /mcp/; optional)
 
 # Verify
 curl http://localhost:6340/status
@@ -166,7 +181,7 @@ palinode diff --days 7
 
 ## Tools
 
-21 tools available through every interface:
+25 tools available through every interface:
 
 | Tool | What It Does |
 |------|-------------|