commits
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/c94ce9fb468520275223c153574b00df6fe4bcc9...b45d80f862d83dbcd57f89517bcf500b2ab88fb2)
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: 4.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.1 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/e368e328979b113139d6f9068e03accaed98a518...57a97c7e7821a5776cebc9bb87c984fa69cba8f1)
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Welcome topic pinned forum-wide, Bug report topic pinned to category + locked
- Moderation action log entries (pin, lock, delete actions)
- Moderation queue items (pending word_filter, approved first_post, rejected spam)
- Word filter populated with sample terms
fix: standardize auto-add workflow, use PROJECT_BOARD_TOKEN
* chore: add .worktrees to .gitignore
* feat(ci): add Docker smoke test to deploy-staging pipeline
Split the monolithic build-and-deploy job into three stages:
1. build: builds and pushes images to GHCR
2. smoke-test: pulls edge images, starts full stack in CI, verifies
all services become healthy and pass smoke-test.sh
3. deploy: only runs if smoke test passes, deploys to VPS
This catches broken Docker images (missing env vars, broken startup,
config issues) before they reach the staging VPS. Previously, broken
images would be deployed and only caught by post-deploy health checks,
requiring a rollback.
Also adds missing barazo-plugins checkout needed by the API Dockerfile.
Closes singi-labs/barazo-workspace#33
The docs site was deployed to /var/www/docs.barazo.forum/ via CI but
Caddy was never configured to serve it, causing TLS handshake failures.
Add a static file server block and bind-mount the directory into the
Caddy container.
Add plugins.json mechanism for declaring plugins, install-plugins.sh
script for container startup installation, and self-hoster documentation.
Adds 7 subcategories under Development (Frontend, Backend, Infrastructure),
Feedback (Feature Requests, Bug Reports), and AT Protocol (Lexicons, Identity)
to match the hierarchical category management added in barazo-web#175.
The seed script was using the old relational schema (body, author_id,
topic_id) that no longer matches the database. Updated all INSERT
statements to use the current AT Protocol-style columns (uri, rkey,
author_did, content, root_uri, parent_uri, depth, community_did, cid).
Also adds a 15-level deep reply thread on the Raspberry Pi topic for
testing deeply nested comment rendering, especially on mobile.
Fixes barazo-forum/barazo-workspace#0
After each staging deploy, run `docker image prune -f` to remove dangling
images left behind by the previous pull. Without this, every deploy
accumulates ~800MB of unreferenced layers, eventually filling the VPS disk
(as happened with 146 images consuming 29GB on a 38GB disk).
Add json-file log rotation (10MB x 3 files) to all services via a shared
x-logging anchor. Docker's default json-file driver has no size limit,
so container logs can grow unbounded on long-running instances.
The staging compose was setting RATE_LIMIT_WINDOW_MS and
RATE_LIMIT_MAX_REQUESTS, but the API reads RATE_LIMIT_READ_ANON,
RATE_LIMIT_READ_AUTH, RATE_LIMIT_WRITE, and RATE_LIMIT_AUTH.
The mismatch meant the intended 1000 req/min limit was never applied,
leaving the default of 100 req/min for anonymous reads. This caused
SSR requests from barazo-web to get 429'd under normal traffic,
showing "Unable to connect to the forum API" on the homepage.
Replace gendered placeholder name (alice) with gender-neutral alternative (jay) in PDS self-hosting documentation. Aligns with project language standards.
Bumps [rollup](https://github.com/rollup/rollup) from 4.57.1 to 4.59.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v4.57.1...v4.59.0)
---
updated-dependencies:
- dependency-name: rollup
dependency-version: 4.59.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.5.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5)
---
updated-dependencies:
- dependency-name: minimatch
dependency-version: 3.1.5
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.0 to 0.34.1.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/c1824fd6edce30d7ab345a9989de00bbd46ef284...e368e328979b113139d6f9068e03accaed98a518)
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.3 to 4.32.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/9e907b5e64f6b83e7804b09294d44122997950d6...89a39a4e59826350b863aa6b6252a07ad50cf83e)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.32.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Replace outdated drizzle-kit push references with the current
migration-on-startup approach.
During alpha, schema changes use drizzle-kit push, not migrations.
Update docs, env example, PR template, and scripts to reflect this.
MIGRATION_DATABASE_URL is reserved for beta when proper migrations
are introduced.
fix(deploy): use real Bluesky handle in login verification
test.bsky.social doesn't resolve to a DID, so the login endpoint
returns 502. Use bsky.app which is a known-valid handle.
fix(deploy): replace script_stop with set -e and fix login check
script_stop was removed from appleboy/ssh-action v1. Replace with
shell-native `set -e` in scripts that must abort on error. Also fix
login verification to use 127.0.0.1 instead of localhost -- Alpine
containers may not resolve localhost to IPv4.
The deploy workflow only pulled new Docker images but never updated the
compose files, Caddyfile, or .env.example on the VPS. This caused the
VPS to run with stale configuration (missing API_INTERNAL_URL, wrong
CORS origins, etc.) even after code changes were merged.
- Add config file sync step that downloads latest compose files,
Caddyfile, and .env.example from the repo before deploying
- Add CORS_ORIGINS and PUBLIC_URL to docker-compose.yml for the API
service, derived from COMMUNITY_DOMAIN
- Add retry loop to login endpoint verification (supersedes #51)
- Add script_stop: true to pull/deploy step so GHCR auth failures
abort the deploy instead of silently keeping old containers
- Add post-deploy login endpoint verification step
- Include deploy step in rollback failure condition
The AT Protocol OAuth flow requires the PDS to fetch client metadata
from the client_id URL. The Caddyfile only forwarded /api/* to the
API, so /oauth-client-metadata.json and /jwks.json were routed to
Next.js and returned 404. This broke the login flow.
Also fix OAUTH_CLIENT_ID in .env.staging to point to the actual
metadata URL instead of the bare domain.
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
chore: remove broken dev:seed script
The dev:seed script references seed/seed.ts which does not exist.
Removing the dead reference to avoid confusion for new contributors.
docs: sync AGENTS.md from barazo-workspace
- Add forum.barazo.interaction.vote to TAP_COLLECTION_FILTERS
in docker-compose.yml and docker-compose.dev.yml
- Without this, the TAP relay ignores vote records from the firehose,
preventing the vote system (Issue #18) from functioning
* chore(deps): pin exact versions in workspace catalog
Remove ^ prefixes from all catalog entries in pnpm-workspace.yaml
to comply with the project standard of exact version pinning.
* chore(deps): update workspace catalog to latest stable versions
eslint 10.0.1, typescript-eslint 8.56.0, commitlint 20.4.2,
@types/node 25.3.0.
* fix: add node_modules to .gitignore
chore(deps): bump ajv from 6.12.6 to 6.14.0
Brand alignment audit: update shared tagline to "Open-source forum
software... member-owned data, no lock-in."
Bumps [ajv](https://github.com/ajv-validator/ajv) from 6.12.6 to 6.14.0.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](https://github.com/ajv-validator/ajv/compare/v6.12.6...v6.14.0)
---
updated-dependencies:
- dependency-name: ajv
dependency-version: 6.14.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Automatically pushes to tangled.org on every merge to main,
making Barazo visible in the AT Protocol developer ecosystem.
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.32.3 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f5c2471be782132e47a6e6f9c725e56730d6e9a3...9e907b5e64f6b83e7804b09294d44122997950d6)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.32.3
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guido X Jansen <x@gui.do>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.3.1...de0fac2e4500dabe0009e67214ff5f5447ce83dd)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guido X Jansen <x@gui.do>
* fix(ci): extend SESSION_SECRET to meet 32-char minimum
The API validates SESSION_SECRET >= 32 characters. The CI value
"ci_session_secret_not_real" was only 26 characters, causing the
API container to crash on startup during smoke tests.
* fix(ci): use loopback IP and valid OAuth client ID for smoke tests
AT Protocol OAuth validation (RFC 8252) requires:
- Loopback IP (127.0.0.1) instead of "localhost" for redirect URIs
- HTTPS protocol for client_id
- Path component in client_id (e.g. /client-metadata.json)
* fix(ci): use real domain for OAuth client_id
AT Protocol OAuth spec requires client_id to be:
- HTTPS with a real domain (not IP, not loopback)
- Include a path component
Use ci-smoke.barazo.forum subdomain (doesn't need to resolve,
only format-validated by the API on startup).
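A pre-start validator for the two CI settings these commits fixed, added here as an example (not the project's code): it applies the rules exactly as the commit messages state them. The 26-character secret and the ci-smoke.barazo.forum client_id come from the commits above; the other sample values are constructed.

```shell
#!/bin/sh
# Added example, not project code: check SESSION_SECRET length (>= 32 chars)
# and OAUTH_CLIENT_ID shape (https, DNS host that is not an IP literal or
# loopback, and a path component), per the rules in the commits above.

# Return 0 when the secret is at least 32 characters long.
session_secret_ok() {
  [ "${#1}" -ge 32 ]
}

# Return 0 when $1 is an acceptable OAuth client_id under the rules above.
oauth_client_id_ok() {
  case "$1" in
    https://*) ;;                       # must be https
    *) return 1 ;;
  esac
  rest=${1#https://}
  host=${rest%%/*}
  case "$rest" in
    */?*) ;;                            # "/something" after the host is required
    *) return 1 ;;
  esac
  case "$host" in
    localhost|localhost:*|127.*|\[::1\]*|'') return 1 ;;   # loopback or empty host
  esac
  # Reject bare IPv4 literals (optionally with a port): the host must be a domain.
  if printf '%s\n' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}(:[0-9]+)?$'; then
    return 1
  fi
  return 0
}

# check_ci_env SECRET CLIENT_ID: print one line per problem, return 1 if any.
check_ci_env() {
  secret=$1; client_id=$2; rc=0
  if ! session_secret_ok "$secret"; then
    echo "SESSION_SECRET: ${#secret} chars, need at least 32" >&2; rc=1
  fi
  if ! oauth_client_id_ok "$client_id"; then
    echo "OAUTH_CLIENT_ID: must be https://<domain>/<path>, got '$client_id'" >&2; rc=1
  fi
  return $rc
}

# Constructed demo: the broken CI values first, then values that pass.
check_ci_env 'ci_session_secret_not_real' 'http://localhost:3000' \
  || echo "CI env rejected, as expected"
check_ci_env 'ci_session_secret_not_real_but_long_enough' \
  'https://ci-smoke.barazo.forum/client-metadata.json' \
  && echo "CI env accepted"
```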
AGENTS.md is the cross-vendor standard for AI coding agent instructions.
Auto-generated from barazo-workspace/agents-md/ source files.
fix(ci): pin GitHub Actions to commit SHAs
Pin all third-party actions to full-length commit SHAs to prevent
supply-chain attacks via tag repointing. Replace trivy-action@master
with pinned 0.34.0 release.
Resolves code scanning alerts for actions/unpinned-tag.
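A check that enforces the SHA-pinning rule this commit describes, added here as an example (not the project's own tooling): it lists every `uses:` reference in a workflow file whose ref is not a 40-hex commit SHA, so a CI job can fail before a tag-pinned action is merged. The sample workflow is constructed; the two SHAs in it are taken from the Dependabot bumps above.

```shell
#!/bin/sh
# Added example, not from the barazo-deploy repo: list GitHub Actions `uses:`
# references that are not pinned to a full commit SHA. A tag or branch ref can be
# repointed by whoever controls the action repository; a commit SHA cannot.
# Local actions (./path) and docker:// images are skipped.

# Print unpinned "owner/repo[/path]@ref" entries found in workflow file $1.
find_unpinned_actions() {
  # 1. keep the value after "uses:", 2. drop YAML quotes, 3. drop trailing
  # "# v4.0.0" comments, 4. skip local and docker:// refs, 5. keep refs whose
  # part after "@" is not a 40-character hex commit SHA.
  sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' "$1" |
    sed "s/['\"]//g" |
    awk '{ print $1 }' |
    grep -v -e '^\./' -e '^docker://' |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# CI gate: return 0 when every third-party action is SHA-pinned, 1 otherwise.
check_workflow_pinned() {
  unpinned=$(find_unpinned_actions "$1")
  if [ -n "$unpinned" ]; then
    printf 'unpinned action reference(s) in %s:\n%s\n' "$1" "$unpinned" >&2
    return 1
  fi
  echo "all third-party actions in $1 are pinned to commit SHAs"
}

# Constructed sample workflow: two SHA-pinned steps (SHAs from the bumps above),
# one local action, one docker:// image, and three tag/branch pins to flag.
SAMPLE_WORKFLOW=$(mktemp)
cat > "$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      - uses: aquasecurity/trivy-action@master
      - uses: './.github/actions/local-step'
      - uses: docker://alpine:3.19
      - name: CodeQL init
        uses: "github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e"
      - uses: appleboy/ssh-action@v1
EOF

check_workflow_pinned "$SAMPLE_WORKFLOW" || echo "fix the pins before merging"
```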
Add Image Tags section explaining :latest (stable releases),
:edge (staging builds from main), semver tags, and per-build
staging tags. Helps self-hosters pick the right image version.
Dependabot merged several dependency bumps in barazo-api (tap, sentry,
drizzle-kit, testcontainers, scalar). Root lockfile must reflect these.
The deploy workflow now checks out barazo-workspace and copies its
workspace root files (package.json, pnpm-lock.yaml, pnpm-workspace.yaml)
before building Docker images. This makes barazo-workspace the single
source of truth for dependency resolution, eliminating lockfile drift
when Dependabot merges in other repos.
Also adds:
- Self-trigger on push to main (compose/Caddy/env changes)
- Support for barazo-deploy push trigger in ref detection
barazo-api switched to pnpm catalog references (#35), causing
pnpm install --frozen-lockfile to fail during Docker builds.
Regenerated lockfile and synced workspace config.
* docs(readme): document image tag convention (edge vs latest)
Add Image Tags section explaining :latest (stable releases),
:edge (staging builds from main), semver tags, and per-build
staging tags. Helps self-hosters pick the right image version.
* fix(ci): use Docker healthcheck status instead of curl for deploy verification
The staging VPS doesn't expose API/Web ports to the host (only Caddy
ports 80/443 are exposed). The health check was curling 127.0.0.1:3000
which is unreachable, causing every deploy to fail and trigger rollback.
Now uses `docker inspect` to check Docker's own healthcheck status,
which works regardless of port exposure. Also increases API timeout
to 90s to account for the healthcheck start-period (30s) and includes
container logs in failure output for easier debugging.
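The `docker inspect`-based wait this commit describes, written out as an added shell example (not the project's workflow): poll the container's own healthcheck status up to a deadline and print its recent logs on failure. The container names and the `DOCKER` override are assumptions; in real use `docker` is the CLI on PATH.

```shell
#!/bin/sh
# Added example, not the project's deploy workflow: gate a deploy on Docker's own
# healthcheck status via `docker inspect`, which works even when the API/web ports
# are not published on the host. DOCKER is overridable so the loop can be
# exercised with a stand-in command (assumption); normally it is the docker CLI.
DOCKER=${DOCKER:-docker}

# Print the healthcheck status of container $1: starting, healthy, unhealthy,
# "none" if the image defines no HEALTHCHECK, or nothing if the container is gone.
health_status() {
  "$DOCKER" inspect \
    --format '{{if .State.Health}}{{.State.Health.Status}}{{else}}none{{end}}' \
    "$1" 2>/dev/null || true
}

# wait_healthy NAME [TIMEOUT=90] [INTERVAL=5]: poll until healthy. Returns 0 on
# healthy, 1 on timeout, missing container or missing HEALTHCHECK; on failure it
# prints the container's last log lines so the CI output explains why.
# The 90s default leaves room for a 30s start-period during which Docker
# reports "starting".
wait_healthy() {
  name=$1; timeout=${2:-90}; interval=${3:-5}; elapsed=0; status=
  while [ "$elapsed" -lt "$timeout" ]; do
    status=$(health_status "$name")
    case "$status" in
      healthy) echo "$name: healthy after ${elapsed}s"; return 0 ;;
      none|'')  break ;;   # no healthcheck or no such container: waiting cannot help
    esac                   # starting/unhealthy: keep polling until the deadline
    sleep "$interval"; elapsed=$((elapsed + interval))
  done
  echo "$name: not healthy after ${elapsed}s (last status: ${status:-no such container})" >&2
  "$DOCKER" logs --tail 50 "$name" 2>&1 | sed "s/^/$name | /" >&2 || true
  return 1
}

# Usage in a deploy step (container names are assumptions):
#   wait_healthy barazo-api 90 5 && wait_healthy barazo-web 90 5
```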
Reserve :latest for stable releases. Staging deploys now push and pull
:edge tags, preventing staging builds from overwriting release images.
* ci(staging): add automated deploy workflow with rollback
Add GitHub Actions workflow that builds Docker images and deploys to
staging VPS on repository_dispatch from api/web repos. Includes crash
pattern detection in logs, health endpoint verification, and automatic
rollback to previous image digests on failure.
Also adds workspace root files (package.json, pnpm-workspace.yaml,
pnpm-lock.yaml) needed for monorepo Docker build context, and staging
infrastructure documentation.
* fix(ci): pin all third-party Actions to commit SHAs
Address GitHub Advanced Security findings:
- Pin docker/setup-buildx-action, docker/login-action,
docker/build-push-action, and appleboy/ssh-action to
their current commit hashes
fix(config): replace NEXT_PUBLIC_API_URL with API_INTERNAL_URL