fix(config): respect HOME env var in default_config_dir for Windows

.cargo/config.toml

@@ -10,3 +10,10 @@ linker = "armv7a-linux-androideabi21-clang"
 
 [target.aarch64-linux-android]
 linker = "aarch64-linux-android21-clang"
+
+# Windows targets — increase stack size for large JsonSchema derives
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-C", "link-args=/STACK:8388608"]
+
+[target.aarch64-pc-windows-msvc]
+rustflags = ["-C", "link-args=/STACK:8388608"]

.coderabbit.yaml

@@ -21,15 +21,14 @@ reviews:
     # Only review PRs targeting these branches
     base_branches:
       - main
-      - develop
+      - dev
     # Skip reviews for draft PRs or WIP
     drafts: false
     # Enable base branch analysis
     base_branch_analysis: true
 
-  # Poem configuration
-  poem:
-    enabled: false
+  # Poem feature toggle (must be a boolean, not an object)
+  poem: false
 
   # Reviewer suggestions
   reviewer:

.editorconfig

@@ -23,3 +23,7 @@ indent_size = 2
 
 [Dockerfile]
 indent_size = 4
+
+[*.nix]
+indent_style = space
+indent_size = 2

.github/CODEOWNERS

@@ -1,28 +1,32 @@
 # Default owner for all files
-* @theonlyhennygod
+* @theonlyhennygod @JordanTheJet @chumyin
 
-# High-risk surfaces
-/src/security/** @willsarg
-/src/runtime/** @theonlyhennygod
-/src/memory/** @theonlyhennygod @chumyin
-/.github/** @theonlyhennygod
-/Cargo.toml @theonlyhennygod
-/Cargo.lock @theonlyhennygod
+# Important functional modules
+/src/agent/** @theonlyhennygod @JordanTheJet @chumyin
+/src/providers/** @theonlyhennygod @JordanTheJet @chumyin
+/src/channels/** @theonlyhennygod @JordanTheJet @chumyin
+/src/tools/** @theonlyhennygod @JordanTheJet @chumyin
+/src/gateway/** @theonlyhennygod @JordanTheJet @chumyin
+/src/runtime/** @theonlyhennygod @JordanTheJet @chumyin
+/src/memory/** @theonlyhennygod @JordanTheJet @chumyin
+/Cargo.toml @theonlyhennygod @JordanTheJet @chumyin
+/Cargo.lock @theonlyhennygod @JordanTheJet @chumyin
 
-# CI
-/.github/workflows/**  @theonlyhennygod @willsarg
-/.github/codeql/**     @willsarg
-/.github/dependabot.yml @willsarg
+# Security / tests / CI-CD ownership
+/src/security/** @theonlyhennygod @JordanTheJet @chumyin
+/tests/** @theonlyhennygod @JordanTheJet @chumyin
+/.github/** @theonlyhennygod @JordanTheJet @chumyin
+/.github/workflows/** @theonlyhennygod @JordanTheJet @chumyin
+/.github/codeql/** @theonlyhennygod @JordanTheJet @chumyin
+/.github/dependabot.yml @theonlyhennygod @JordanTheJet @chumyin
+/SECURITY.md @theonlyhennygod @JordanTheJet @chumyin
+/docs/actions-source-policy.md @theonlyhennygod @JordanTheJet @chumyin
+/docs/ci-map.md @theonlyhennygod @JordanTheJet @chumyin
 
 # Docs & governance
-/docs/**                @chumyin
-/AGENTS.md              @chumyin
-/CLAUDE.md              @chumyin
-/CONTRIBUTING.md        @chumyin
-/docs/pr-workflow.md    @chumyin
-/docs/reviewer-playbook.md @chumyin
-
-# Security / CI-CD governance overrides (last-match wins)
-/SECURITY.md              @willsarg
-/docs/actions-source-policy.md @willsarg
-/docs/ci-map.md           @willsarg
+/docs/** @theonlyhennygod @JordanTheJet @chumyin
+/AGENTS.md @theonlyhennygod @JordanTheJet @chumyin
+/CLAUDE.md @theonlyhennygod @JordanTheJet @chumyin
+/CONTRIBUTING.md @theonlyhennygod @JordanTheJet @chumyin
+/docs/pr-workflow.md @theonlyhennygod @JordanTheJet @chumyin
+/docs/reviewer-playbook.md @theonlyhennygod @JordanTheJet @chumyin

.github/ISSUE_TEMPLATE/config.yml

@@ -3,6 +3,12 @@ contact_links:
   - name: Security vulnerability report
     url: https://github.com/zeroclaw-labs/zeroclaw/security/policy
     about: Please report security vulnerabilities privately via SECURITY.md policy.
+  - name: Private vulnerability report template
+    url: https://github.com/zeroclaw-labs/zeroclaw/blob/main/docs/security/private-vulnerability-report-template.md
+    about: Use this template when filing a private vulnerability report in Security Advisories.
+  - name: 私密漏洞报告模板（中文）
+    url: https://github.com/zeroclaw-labs/zeroclaw/blob/main/docs/security/private-vulnerability-report-template.zh-CN.md
+    about: 使用该中文模板通过 Security Advisories 进行私密漏洞提交。
   - name: Contribution guide
     url: https://github.com/zeroclaw-labs/zeroclaw/blob/main/CONTRIBUTING.md
     about: Please read contribution and PR requirements before opening an issue.

.github/actionlint.yaml

@@ -1,3 +1,7 @@
 self-hosted-runner:
     labels:
         - blacksmith-2vcpu-ubuntu-2404
+        - aws-india
+        - hetzner
+        - Linux
+        - X64

.github/connectivity/probe-contract.json

@@ -0,0 +1,70 @@
+{
+  "version": 1,
+  "description": "Provider/model connectivity probe contract for scheduled CI checks.",
+  "consecutive_transient_failures_to_escalate": 2,
+  "providers": [
+    {
+      "name": "OpenAI",
+      "provider": "openai",
+      "required": true,
+      "secret_env": "OPENAI_API_KEY",
+      "timeout_sec": 90,
+      "retries": 2,
+      "notes": "Primary reference provider; validates baseline OpenAI-compatible path."
+    },
+    {
+      "name": "Anthropic",
+      "provider": "anthropic",
+      "required": true,
+      "secret_env": "ANTHROPIC_API_KEY",
+      "timeout_sec": 90,
+      "retries": 2,
+      "notes": "Checks non-OpenAI provider fetch path and account health."
+    },
+    {
+      "name": "Gemini",
+      "provider": "gemini",
+      "required": true,
+      "secret_env": "GEMINI_API_KEY",
+      "timeout_sec": 90,
+      "retries": 2,
+      "notes": "Validates Google model discovery endpoint availability."
+    },
+    {
+      "name": "OpenRouter",
+      "provider": "openrouter",
+      "required": true,
+      "secret_env": "OPENROUTER_API_KEY",
+      "timeout_sec": 90,
+      "retries": 2,
+      "notes": "Routes across many providers; signal for aggregator-side health."
+    },
+    {
+      "name": "Qwen",
+      "provider": "qwen",
+      "required": false,
+      "secret_env": "DASHSCOPE_API_KEY",
+      "timeout_sec": 90,
+      "retries": 2,
+      "notes": "Regional provider check; optional for global deployments."
+    },
+    {
+      "name": "NVIDIA NIM",
+      "provider": "nvidia",
+      "required": false,
+      "secret_env": "NVIDIA_API_KEY",
+      "timeout_sec": 90,
+      "retries": 2,
+      "notes": "Optional ecosystem endpoint check."
+    },
+    {
+      "name": "OpenAI Codex",
+      "provider": "openai-codex",
+      "required": false,
+      "secret_env": "OPENAI_API_KEY",
+      "timeout_sec": 90,
+      "retries": 2,
+      "notes": "Uses OpenAI-compatible models endpoint to verify Codex-profile discovery path."
+    }
+  ]
+}

.github/connectivity/providers.json

@@ -0,0 +1,77 @@
+{
+  "global_timeout_seconds": 8,
+  "providers": [
+    {
+      "id": "openrouter",
+      "url": "https://openrouter.ai/api/v1/models",
+      "method": "GET",
+      "critical": true
+    },
+    {
+      "id": "openai",
+      "url": "https://api.openai.com/v1/models",
+      "method": "GET",
+      "critical": true
+    },
+    {
+      "id": "anthropic",
+      "url": "https://api.anthropic.com/v1/messages",
+      "method": "POST",
+      "critical": true
+    },
+    {
+      "id": "groq",
+      "url": "https://api.groq.com/openai/v1/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "deepseek",
+      "url": "https://api.deepseek.com/v1/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "moonshot",
+      "url": "https://api.moonshot.ai/v1/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "qwen",
+      "url": "https://dashscope-intl.aliyuncs.com/compatible-mode/v1/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "zai",
+      "url": "https://api.z.ai/api/paas/v4/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "glm",
+      "url": "https://open.bigmodel.cn/api/paas/v4/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "together",
+      "url": "https://api.together.xyz/v1/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "fireworks",
+      "url": "https://api.fireworks.ai/inference/v1/models",
+      "method": "GET",
+      "critical": false
+    },
+    {
+      "id": "cohere",
+      "url": "https://api.cohere.com/v1/models",
+      "method": "GET",
+      "critical": false
+    }
+  ]
+}

.github/dependabot.yml

@@ -5,7 +5,7 @@ updates:
     directory: "/"
     schedule:
       interval: daily
-    target-branch: dev
+    target-branch: main
     open-pull-requests-limit: 3
     labels:
       - "dependencies"
@@ -21,7 +21,7 @@ updates:
     directory: "/"
     schedule:
       interval: daily
-    target-branch: dev
+    target-branch: main
     open-pull-requests-limit: 1
     labels:
       - "ci"
@@ -38,7 +38,7 @@ updates:
     directory: "/"
     schedule:
       interval: daily
-    target-branch: dev
+    target-branch: main
     open-pull-requests-limit: 1
     labels:
       - "ci"

.github/pull_request_template.md

@@ -2,7 +2,7 @@
 
 Describe this PR in 2-5 bullets:
 
-- Base branch target (`dev` for normal contributions; `main` only for `dev` promotion):
+- Base branch target (`main` by default; use `dev` only when maintainers explicitly request integration batching):
 - Problem:
 - Why it matters:
 - What changed:
@@ -27,7 +27,10 @@ Describe this PR in 2-5 bullets:
 - Closes #
 - Related #
 - Depends on # (if stacked)
+- Existing overlapping PR(s) reviewed for this issue (list `#<pr> by @<author>` or `N/A`):
 - Supersedes # (if replacing older PR)
+- Linear issue key(s) (required, e.g. `RMN-123`):
+- Linear issue URL(s):
 
 ## Supersede Attribution (required when `Supersedes #` is used)
 

.github/release/canary-policy.json

@@ -0,0 +1,39 @@
+{
+  "schema_version": "zeroclaw.canary-policy.v1",
+  "release_channel": "stable",
+  "observation_window_minutes": 60,
+  "minimum_sample_size": 500,
+  "cohorts": [
+    {
+      "name": "canary-5pct",
+      "traffic_percent": 5,
+      "duration_minutes": 20
+    },
+    {
+      "name": "canary-20pct",
+      "traffic_percent": 20,
+      "duration_minutes": 20
+    },
+    {
+      "name": "canary-50pct",
+      "traffic_percent": 50,
+      "duration_minutes": 20
+    },
+    {
+      "name": "canary-100pct",
+      "traffic_percent": 100,
+      "duration_minutes": 60
+    }
+  ],
+  "observability_signals": [
+    "error_rate",
+    "crash_rate",
+    "p95_latency_ms",
+    "sample_size"
+  ],
+  "thresholds": {
+    "max_error_rate": 0.02,
+    "max_crash_rate": 0.01,
+    "max_p95_latency_ms": 1200
+  }
+}

.github/release/docs-deploy-policy.json

@@ -0,0 +1,10 @@
+{
+  "schema_version": "zeroclaw.docs-deploy-policy.v1",
+  "production_branch": "main",
+  "allow_manual_production_dispatch": true,
+  "require_preview_evidence_on_manual_production": true,
+  "allow_manual_rollback_dispatch": true,
+  "rollback_ref_must_be_ancestor_of_production_branch": true,
+  "docs_preview_retention_days": 14,
+  "docs_guard_artifact_retention_days": 21
+}

.github/release/ghcr-tag-policy.json

@@ -0,0 +1,18 @@
+{
+  "schema_version": "zeroclaw.ghcr-tag-policy.v1",
+  "release_tag_regex": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
+  "sha_tag_prefix": "sha-",
+  "sha_tag_length": 12,
+  "latest_tag": "latest",
+  "require_latest_on_release": true,
+  "immutable_tag_classes": [
+    "release",
+    "sha"
+  ],
+  "rollback_priority": [
+    "sha",
+    "release"
+  ],
+  "contract_artifact_retention_days": 21,
+  "scan_artifact_retention_days": 14
+}

.github/release/ghcr-vulnerability-policy.json

@@ -0,0 +1,17 @@
+{
+  "schema_version": "zeroclaw.ghcr-vulnerability-policy.v1",
+  "required_tag_classes": [
+    "release",
+    "sha",
+    "latest"
+  ],
+  "blocking_severities": [
+    "HIGH",
+    "CRITICAL"
+  ],
+  "max_blocking_findings_per_tag": 0,
+  "require_blocking_count_parity": true,
+  "require_artifact_id_parity": true,
+  "scan_artifact_retention_days": 14,
+  "audit_artifact_retention_days": 21
+}