Merge remote-tracking branch 'origin/main' into tracker-updates-2026-06

Author: dmytroye

.cursor/rules/scenescape.mdc

@@ -0,0 +1,32 @@
+---
+description: SceneScape Cursor agent router — canonical instructions and workflow
+alwaysApply: true
+---
+
+<!--
+SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# SceneScape (Cursor)
+
+## Canonical instructions (read first)
+
+For project-wide conventions, read [`.github/copilot-instructions.md`](../../.github/copilot-instructions.md): licensing, security defaults, architecture, Makefile targets, documentation policy, and how skills are organized.
+
+**Do not duplicate** policy from that file or from skills. Use short pointers only in Cursor rules.
+
+## Skills
+
+When the task touches a language, build system, tests, security, or documentation, discover and read the relevant `SKILL.md` under [`.github/skills/`](../../.github/skills/) (browse the directory or follow routing in `copilot-instructions.md`). Do not assume a fixed list of skill files.
+
+## Service guides
+
+Before substantive changes in a component tree, find and read `Agents.md` in that service’s directory (search upward from edited paths or the component root). Not every folder has one; use it when present.
+
+## Cursor workflow
+
+- Prefer root `Makefile` test targets unless a narrower pytest run is explicitly required (details live in skills).
+- Run commands in the real environment; investigate failures before giving up.
+- Commits and pull requests only when the user asks (see user/global Cursor rules).
+- Keep changes minimal and match existing conventions in the touched area.

.github/copilot-instructions.md

@@ -129,33 +129,15 @@ make rebuild-core                  # Clean + build (useful after code changes)
 
 ## Testing Framework
 
-**For comprehensive test creation guidance, see `.github/skills/testing/SKILL.md`** - detailed instructions on creating unit, functional, integration, UI, and smoke tests with both positive and negative cases.
+Testing guidance is intentionally centralized in skills to avoid duplication.
 
-**Test infrastructure** is fully pytest-based. Docker Compose lifecycle is managed by session-scoped fixtures in `tests/conftest.py`. Tests declare their service requirements via a module-level `SCENESCAPE_SPEC` using `FuncTestSpec` + `ServiceProfile`.
+- Canonical test authoring and categorization guidance: `.github/skills/testing/SKILL.md`
+- Canonical runtime verification and completion rules: `.github/skills/test-verification-gate/SKILL.md`
 
-**Running Tests** (from repo root):
+At this level, only rely on high-level routing:
 
-```bash
-make setup-tests                                            # Build test images, secrets, venv
-make run_basic_acceptance_tests                             # Smoke tests (functional + ui + unit + stability)
-make run_standard_tests                                     # Functional + UI + security + stability
-make run_functional_tests                                   # Functional tests only
-make run_ui_tests                                           # UI/Selenium tests only
-make run_unit_tests                                         # Unit tests only (sscape_tests)
-make run_metric_tests                                       # Tracker quality metrics
-make run_performance_tests                                  # Inference performance + geometry
-make run_stability_tests HOURS=24                           # Long-running stability
-```
-
-**Running tests directly with pytest** (from repo root, with tests/.venv activated):
-
-```bash
-pytest tests/sscape_tests                                   # Unit tests
-pytest tests/functional                                     # All functional tests
-pytest tests/functional/test_roi_mqtt.py                    # Single functional test
-pytest tests/ -m basic_acceptance                           # Smoke suite only
-pytest tests/ --junitxml=results.xml 2>&1 | tee output.log  # Save results to file
-```
+- Test infrastructure is pytest-based with Docker Compose lifecycle managed in `tests/conftest.py`.
+- Prefer root `Makefile` test targets for execution unless a narrower, explicit pytest invocation is required.
 
 ### Completion Gate For Test Tasks (Critical)
 

.github/workflows/auto-update.yml

@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
 

.github/workflows/bandit.yml

@@ -40,7 +40,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Run Bandit scan

.github/workflows/build-and-publish.yml

@@ -38,10 +38,10 @@ jobs:
           ]
     steps:
       - name: "Set up Docker Buildx"
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ github.ref }}
           persist-credentials: false
@@ -106,7 +106,7 @@ jobs:
 
       - name: "Log in to DockerHub"
         if: ${{ github.event.inputs.publish == 'true' }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: scenescape
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -134,7 +134,7 @@ jobs:
 
       - name: "Install Cosign"
         if: ${{ github.event.inputs.publish == 'true' }}
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: "Sign Docker images using Cosign (keyless)"
         if: ${{ github.event.inputs.publish == 'true' }}

.github/workflows/cache-update.yml

@@ -26,7 +26,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -37,7 +37,7 @@ jobs:
           system-prune: "true"
 
       - name: "Log in to GHCR"
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/clamav.yml

@@ -40,7 +40,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Run ClamAV Scan

.github/workflows/clean-runner.yml

@@ -20,7 +20,7 @@ jobs:
         run: |
           sudo rm -rf $GITHUB_WORKSPACE/* || true
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Cleanup

.github/workflows/codeql.yml

@@ -31,7 +31,7 @@ jobs:
       langs: ${{ steps.detect-langs.outputs.langs }}
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #6.0.3
         with:
           path: scenescape
           persist-credentials: false
@@ -85,19 +85,19 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #6.0.3
         with:
           persist-credentials: false
 
       - name: "Initialize CodeQL build mode"
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
           languages: ${{ matrix.language }}
           build-mode: none
           source-root: .
 
       - name: "Perform CodeQL analysis"
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
           category: "/language:${{matrix.language}}"
 
@@ -127,21 +127,21 @@ jobs:
         language: [javascript, python] # Add more languages as needed
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
 
       - name: "Initialize CodeQL"
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
           languages: ${{ matrix.language }}
           dependency-caching: true
 
       - name: "Autobuild"
-        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
 
       - name: "Perform CodeQL Analysis"
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
           category: "/language:${{ matrix.language }}"
 

.github/workflows/coverity.yml

@@ -29,7 +29,7 @@ jobs:
       run-analysis: ${{ steps.changes.outputs.cpp }}
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #6.0.3
         with:
           persist-credentials: false
           fetch-depth: 0 # Fetch all history for accurate diff
@@ -54,7 +54,7 @@ jobs:
       contents: read
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #6.0.3
         with:
           persist-credentials: false
           fetch-depth: 0