Merge remote-tracking branch 'origin/master' into feature/debounce

# Conflicts:
#	packages/lint-framework/src/lint/LintFramework.ts

Author: elijah-potter

.buildkite/commands/build-desktop.sh

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+# Buildkite step: build, sign, and notarize harper-desktop.
+# See .buildkite/pipeline.yml.
+
+set -euo pipefail
+
+echo "--- :rubygems: Install gems"
+install_gems
+
+echo "--- :rust: Install Rust toolchain"
+# A8C Mac VMs have no Rust tooling baked in. Install `rustup` non-interactively,
+# then add the targets we need.
+# `--no-modify-path` is intentional: we source `cargo/env` ourselves below so
+# nothing outside this build step picks up cargo on a shared agent.
+if ! command -v rustup >/dev/null 2>&1; then
+	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
+		| sh -s -- -y --no-modify-path --default-toolchain stable --profile minimal
+fi
+# shellcheck disable=SC1091
+. "$HOME/.cargo/env"
+
+# Universal builds (master, tags) need both arches. PR/branch builds run
+# Apple-Silicon-only to skip the x86_64 half of the compile (~4m saved).
+if [ "${BUILDKITE_BRANCH:-}" = "master" ] || [ -n "${BUILDKITE_TAG:-}" ]; then
+	TAURI_TARGET=universal-apple-darwin
+	JUST_RECIPE=build-desktop-macos
+	rustup target add aarch64-apple-darwin x86_64-apple-darwin wasm32-unknown-unknown
+else
+	TAURI_TARGET=aarch64-apple-darwin
+	JUST_RECIPE=build-desktop-macos-arm64
+	rustup target add aarch64-apple-darwin wasm32-unknown-unknown
+fi
+echo "Build target: $TAURI_TARGET (recipe: $JUST_RECIPE)"
+
+echo "--- :floppy_disk: Restore cargo caches"
+# Two cache layers, both keyed off Cargo.lock + rust-toolchain.toml so they
+# invalidate the moment any dep version moves.
+#   1. `~/.cargo/registry` + `~/.cargo/git/db` — downloaded crate sources / git
+#      deps. ~340MB compressed. Saves the crate-download phase on cold builds.
+#   2. `target/` — compiled artifacts. Several GB compressed. Lets cargo's
+#      incremental compilation reuse object files across builds. The target
+#      cache also includes the Tauri target arch in its key, since universal
+#      and arm64-only builds produce disjoint object trees.
+CARGO_DEPS_KEY="$BUILDKITE_PIPELINE_SLUG-cargo-deps-darwin-arm64-$(hash_file Cargo.lock)-$(hash_file rust-toolchain.toml)"
+CARGO_TARGET_KEY="$BUILDKITE_PIPELINE_SLUG-target-darwin-arm64-$TAURI_TARGET-$(hash_file Cargo.lock)-$(hash_file rust-toolchain.toml)"
+restore_cache "$CARGO_DEPS_KEY"
+restore_cache "$CARGO_TARGET_KEY"
+
+echo "--- :package: Install build tools"
+# Without Rust pre-baked there's no `cargo-binstall` either. Use cargo-binstall's
+# own curl installer to pull a prebuilt — about a second, vs ~1m15s of `cargo
+# install --locked` building it from source.
+if ! command -v cargo-binstall >/dev/null 2>&1; then
+	curl -L --proto '=https' --tlsv1.2 -sSf \
+		https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh \
+		| bash
+fi
+cargo binstall --no-confirm --force just
+cargo binstall --no-confirm --force wasm-pack
+# Skip cargo-binstall'ing `tauri-cli` — Tauri doesn't publish GitHub release
+# prebuilts for the CLI, so binstall always falls back to a source compile
+# (~2 minutes). `@tauri-apps/cli` from npm is the same Rust binary distributed
+# via platform-specific subpackages — it's already a devDependency of
+# `harper-desktop/package.json`, so `pnpm install` in that directory will pick
+# it up. The justfile recipes invoke it as `pnpm tauri build` rather than
+# `cargo tauri build`.
+
+echo "--- :npm: Install pnpm"
+# Node is set up by the `automattic/nvm` Buildkite plugin from `.nvmrc`.
+# `pnpm` is not bundled — install it via `npm install -g`. Pin matches the
+# `packageManager` field in the root `package.json`.
+npm install -g pnpm@10.10.0
+hash -r
+
+echo "--- :key: Fetch Developer ID certificate"
+bundle exec fastlane set_up_signing
+
+echo "--- :hammer: Build harper-desktop (signed)"
+# `just $JUST_RECIPE` runs `pnpm tauri build -b app,dmg --target $TAURI_TARGET`
+# in `harper-desktop/`. With `APPLE_SIGNING_IDENTITY` set, Tauri's bundler signs
+# the produced .app and .dmg. `TAURI_SIGNING_PRIVATE_KEY` enables the minisign
+# updater signing.
+export APPLE_SIGNING_IDENTITY="Developer ID Application: Automattic, Inc. (PZYM8XX95Q)"
+just "$JUST_RECIPE"
+
+echo "--- :floppy_disk: Save cargo caches"
+# `save_cache` is a no-op when the key already exists in S3, so this is cheap on
+# subsequent same-deps builds. Runs after the build (so what gets cached is
+# coherent) but before notarization (a flaky notary shouldn't lose us the
+# cache). The target/ save is the one to watch — several GB of upload on a cold
+# key.
+save_cache "$HOME/.cargo/registry" "$CARGO_DEPS_KEY"
+save_cache "$HOME/.cargo/git/db" "$CARGO_DEPS_KEY-git" || true
+save_cache target "$CARGO_TARGET_KEY"
+
+echo "--- :apple: Notarize and staple"
+# Tauri signs but does not notarize when only APPLE_SIGNING_IDENTITY is set.
+# Notarize the .app and .dmg ourselves so Gatekeeper accepts them with no warning.
+APP_BUNDLE=$(find "target/$TAURI_TARGET/release/bundle/macos" -maxdepth 1 -name '*.app' -type d | head -1)
+DMG_FILE=$(find "target/$TAURI_TARGET/release/bundle/dmg" -maxdepth 1 -name '*.dmg' -type f | head -1)
+
+[ -n "$APP_BUNDLE" ] || { echo "no .app produced"; exit 1; }
+[ -n "$DMG_FILE" ]   || { echo "no .dmg produced"; exit 1; }
+
+bundle exec fastlane notarize_macos package:"$APP_BUNDLE"
+bundle exec fastlane notarize_macos package:"$DMG_FILE"
+
+if [ -n "${BUILDKITE_TAG:-}" ]; then
+	echo "--- :rocket: Publish draft GitHub release"
+	APP_TARBALL=$(find "target/$TAURI_TARGET/release/bundle/macos" -maxdepth 1 -name '*.app.tar.gz' -type f | head -1)
+	APP_SIG=$(find "target/$TAURI_TARGET/release/bundle/macos" -maxdepth 1 -name '*.app.tar.gz.sig' -type f | head -1)
+	[ -n "$APP_TARBALL" ] || { echo "no .app.tar.gz produced"; exit 1; }
+	[ -n "$APP_SIG" ]     || { echo "no .app.tar.gz.sig produced"; exit 1; }
+	bundle exec fastlane create_desktop_github_release \
+		tag:"$BUILDKITE_TAG" \
+		dmg:"$DMG_FILE" \
+		app_tarball:"$APP_TARBALL" \
+		app_signature:"$APP_SIG"
+fi

.buildkite/pipeline.yml

@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
+---
+
+agents:
+  queue: mac
+
+env:
+  IMAGE_ID: $IMAGE_ID
+
+steps:
+  - label: ":tauri: Build, sign, notarize harper-desktop"
+    key: build-desktop
+    command: .buildkite/commands/build-desktop.sh
+    plugins: [$CI_TOOLKIT_PLUGIN, $NVM_PLUGIN]
+    artifact_paths:
+      # Branch/PR builds produce `aarch64-apple-darwin` artifacts; master and
+      # tag builds produce `universal-apple-darwin`. Glob both.
+      - target/*-apple-darwin/release/bundle/dmg/*.dmg
+      - target/*-apple-darwin/release/bundle/macos/*.app.tar.gz
+      - target/*-apple-darwin/release/bundle/macos/*.app.tar.gz.sig
+    notify:
+      - github_commit_status:
+          context: "Build, sign, notarize harper-desktop"

.buildkite/shared-pipeline-vars

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# This file is `source`'d before calling `buildkite-agent pipeline upload`, and can be used
+# to set up some variables that will be interpolated in the `.yml` pipeline before uploading it.
+
+XCODE_VERSION=$(sed -E 's/^~> ?//' .xcode-version)
+CI_TOOLKIT_PLUGIN_VERSION="6.1.0"
+NVM_PLUGIN_VERSION="0.6.0"
+
+export IMAGE_ID="xcode-$XCODE_VERSION"
+export CI_TOOLKIT_PLUGIN="automattic/a8c-ci-toolkit#$CI_TOOLKIT_PLUGIN_VERSION"
+export NVM_PLUGIN="automattic/nvm#$NVM_PLUGIN_VERSION"

.bundle/config

@@ -0,0 +1,2 @@
+---
+BUNDLE_PATH: "vendor/bundle"

.github/ISSUE_TEMPLATE/bug_report.md

@@ -24,7 +24,7 @@ A clear and concise description of what you expected to happen.
 If applicable, add screenshots to help explain your problem.
 
 **Platform**
-What platform has the issue? Is it in Obsidian, Neovim, Visual Studio Code, Chrome, or Firefox? Something else?
+What platform has the issue? Is it in Obsidian, Chrome or Firefox, Visual Studio Code, the Desktop app, Neovim, or something else?
 
 **Additional context**
 Add any other context about the problem here.

.github/dependabot.yml

@@ -8,3 +8,24 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    groups:
+      actions-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      actions-major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
+    cooldown:
+      default-days: 7

.github/pull_request_template.md

@@ -13,6 +13,20 @@
 # How Has This Been Tested?
 <!-- Please describe how you tested your changes. -->
 
+# AI Disclosure
+<!-- It helps us review PRs when we know about AI assistance. -->
+- [ ] I am a human and didn't use any AI.
+- [ ] I used LLM features of my editor, but not an agent.
+- [ ] I used an AI agent interactively.
+- [ ] I am an agent or I got an agent to do the work autonomously.
+
+# If Your PR Implements or Enhances a Linter
+<!-- Humans don't always bring ideal test cases, but unlike AIs, they can learn how to find real-world examples -->
+- [ ] I made up the sentences in the unit tests.
+- [ ] The sentences in the unit tests were generated by an AI.
+- [ ] I'm using examples from the bug report / feature request.
+- [ ] I collected real-world sentences for the unit tests.
+
 # Checklist
 <!-- Go over all the following points, and put an `x` in all the boxes that apply -->
 

.github/workflows/binaries.yml

@@ -116,11 +116,13 @@ jobs:
     runs-on: ${{ matrix.platform.os }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
       - name: Rust Cache
-        uses: Swatinem/rust-cache@v2.7.8
+        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
+        with:
+          cache-bin: "true"
       - name: Build binary
-        uses: houseabsolute/actions-rust-cross@v1
+        uses: houseabsolute/actions-rust-cross@fe6ede73c7f0a50412ec05994e2aa5a7bf635eac # v1.0.7
         with:
           command: ${{ matrix.platform.command }}
           target: ${{ matrix.platform.target }}
@@ -138,14 +140,14 @@ jobs:
           fi
           cd -
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.platform.bin }}-${{ matrix.platform.target }}
           path: ${{ matrix.platform.name }}
 
       - name: Release artifacts
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           artifacts: ${{ matrix.platform.name }}
           allowUpdates: true

.github/workflows/build_web.yml

@@ -11,15 +11,15 @@ jobs:
   build-web:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: ".node-version"
       - name: Retrieve version after install
         id: nodenv
         run: echo "node-version=$(node -v | sed 's/^v//')" >> $GITHUB_OUTPUT
-      - uses: redhat-actions/buildah-build@v2
+      - uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
         with:
           image: web
           containerfiles: |

.github/workflows/chrome_plugin.yml

@@ -15,32 +15,32 @@ jobs:
   chrome-plugin:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: extractions/setup-just@v2
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6.0.2
+      - uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 # v4.0.0
+      - uses: actions/setup-node@v6
         with:
           node-version-file: ".node-version"
       - name: Enable Corepack
         run: corepack enable
-      - uses: cargo-bins/cargo-binstall@main
+      - uses: cargo-bins/cargo-binstall@f8810ffa11196f23afb38e6fb64716fbf814ad8f # main
       - name: Install `wasm-pack`
         run: cargo binstall wasm-pack --force --no-confirm
       - name: Build Chrome Plugin
         run: just build-chrome-plugin
       - name: Build Firefox Plugin
         run: just build-firefox-plugin
       - name: Upload Chrome extension
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: harper-chrome-plugin.zip
           path: "packages/chrome-plugin/package/harper-chrome-plugin.zip"
       - name: Upload Firefox extension
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: harper-firefox-plugin.zip
           path: "packages/chrome-plugin/package/harper-firefox-plugin.zip"
       - name: Release artifacts
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         if: startsWith(github.ref, 'refs/tags/v')
         with:
           artifacts: "packages/chrome-plugin/package/*.zip"