From 2c407e627a70272c1d098591c2507c21a78b939e Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 20 Apr 2026 09:04:10 -0700
Subject: [PATCH 1/3] Add server cross-compile and macOS desktop build CI jobs

Restore build capabilities deleted in PR #360: server cross-compilation for x86_64/aarch64 musl targets and macOS desktop Tauri build. Also adds desktop-release-build justfile target for local unsigned builds.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 56 ++++++++++++++++++++++++++++++++++++++++
 justfile | 10 +++++++
 2 files changed, 66 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 133f43935..a6c75bf60 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -221,3 +221,59 @@ jobs: - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1 - name: Dependency policy run: cargo-deny check + + server-cross-compile: + name: Server Cross-Compile + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + strategy: + fail-fast: false + matrix: + target: + - x86_64-unknown-linux-musl + - aarch64-unknown-linux-musl + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + key: ${{ matrix.target }} + - name: Install cross + uses: taiki-e/install-action@06203676c62f0d3c765be3f2fcfbebbcb02d09f5 # v2 + with: + tool: cross@0.2.5 + - name: Build server binaries + env: + TARGET: ${{ matrix.target }} + run: | + cross build --release --target "$TARGET" \ + -p sprout-relay \ + -p sprout-acp \ + -p sprout-mcp + + desktop-build-macos: + name: Desktop Build (macOS) + runs-on: macos-latest + timeout-minutes: 45 + permissions: + contents: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + workspaces: desktop/src-tauri + - name: Install desktop dependencies + run: just desktop-install-ci + - name: Create sidecar placeholders + run: | + TARGET=$(rustc -vV | sed -n 's|host: ||p') + mkdir -p desktop/src-tauri/binaries + touch "desktop/src-tauri/binaries/sprout-acp-$TARGET" + touch "desktop/src-tauri/binaries/sprout-mcp-server-$TARGET" + - name: Build Tauri app + run: cd desktop && pnpm tauri build + env: + CMAKE_POLICY_VERSION_MINIMUM: "3.5"
diff --git a/justfile b/justfile
index 00d83e31d..b656cf8b9 100644
--- a/justfile
+++ b/justfile
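Review bot: The `Create sidecar placeholders` step in desktop-build-macos creates both sidecars with `touch`, so the app that `pnpm tauri build` bundles cannot start its helpers; that is acceptable for a compile-and-bundle check, but nothing in the job says so, and a comment above the step such as `# Empty stand-ins for the sidecar binaries: this job only checks that the Tauri app compiles and bundles; the output is not a runnable build` would keep anyone from treating the result as a usable artifact. The same three shell lines already exist in the justfile's `desktop-tauri-check` recipe (visible as context in the justfile hunk) and are added a third time to the new `desktop-release-build` recipe, so a single `desktop-sidecar-placeholders` recipe invoked here with `run: just desktop-sidecar-placeholders` would stop the copies from drifting. `CMAKE_POLICY_VERSION_MINIMUM: "3.5"` is set without a reason; a one-line comment naming the native dependency whose CMake files need it would tell the next maintainer when it can be dropped. Passing `matrix.target` through `env:` rather than interpolating it into `run:` is the right shape for a matrix value, so no change is needed there.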
@@ -95,6 +95,16 @@ desktop-tauri-check: touch "desktop/src-tauri/binaries/sprout-mcp-server-$TARGET" cargo check --manifest-path {{desktop_tauri_manifest}} +# Build the full desktop Tauri app locally (unsigned, for testing) +desktop-release-build target="aarch64-apple-darwin": + #!/usr/bin/env bash + set -euo pipefail + TARGET={{target}} + mkdir -p desktop/src-tauri/binaries + touch "desktop/src-tauri/binaries/sprout-acp-$TARGET" + touch "desktop/src-tauri/binaries/sprout-mcp-server-$TARGET" + cd {{desktop_dir}} && pnpm install && pnpm tauri build --target {{target}} + # Run desktop checks suitable for CI / pre-push desktop-ci: desktop-check desktop-tauri-fmt-check desktop-build desktop-tauri-check
From 5fa15ffe8139e87e0a6534816a8a875702a4e080 Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 20 Apr 2026 11:02:07 -0700
Subject: [PATCH 2/3] Fix zizmor CI security findings: cache poisoning and stale SHA

- Add save-if to rust-cache in both new jobs to prevent cache poisoning from fork PRs (only save cache on main branch)
- Update taiki-e/install-action SHA to match current v2 tag

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a6c75bf60..492761592 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -240,8 +240,9 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: key: ${{ matrix.target }} + save-if: ${{ github.ref == 'refs/heads/main' }} - name: Install cross - uses: taiki-e/install-action@06203676c62f0d3c765be3f2fcfbebbcb02d09f5 # v2 + uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486 # v2 with: tool: cross@0.2.5 - name: Build server binaries
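Review bot: `desktop-release-build` is documented as `(unsigned, for testing)`, yet it bundles sidecars that are empty files created by `touch`, so the app it produces cannot launch `sprout-acp` or `sprout-mcp-server`; either the header comment should say so, e.g. `# Build the full desktop Tauri app locally (unsigned; sidecars are empty placeholders, so the output only exercises the build and is not a testable app)`, or the recipe should place real release binaries under `desktop/src-tauri/binaries/` before bundling. The recipe assigns `TARGET={{target}}` and uses `$TARGET` for the `touch` lines but then interpolates `{{target}}` again on the `pnpm tauri build --target` line; writing `TARGET="{{target}}"` and `cd {{desktop_dir}} && pnpm install && pnpm tauri build --target "$TARGET"` keeps one source of truth and, because `just` substitutes the value into the script text before bash parses it, stops a caller-supplied value with spaces or shell metacharacters from being re-parsed. The `mkdir`/`touch` placeholder lines also duplicate `desktop-tauri-check` directly above; a shared `desktop-sidecar-placeholders` recipe that both depend on would keep them in step.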
@@ -265,6 +266,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: workspaces: desktop/src-tauri + save-if: ${{ github.ref == 'refs/heads/main' }} - name: Install desktop dependencies run: just desktop-install-ci - name: Create sidecar placeholders
From 88f1c4573945bdacf7f5d18c6cae414595b36f19 Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 20 Apr 2026 11:09:26 -0700
Subject: [PATCH 3/3] Remove rust-cache from new CI jobs to fix zizmor cache poisoning findings

zizmor flags Swatinem/rust-cache as a cache poisoning vector regardless of save-if. These are validation-only jobs where caching is nice-to-have, not critical. Can re-add with actions/cache if build times are painful.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 492761592..81128e1f6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -237,10 +237,6 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - key: ${{ matrix.target }} - save-if: ${{ github.ref == 'refs/heads/main' }} - name: Install cross uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486 # v2 with:
@@ -263,10 +259,6 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - workspaces: desktop/src-tauri - save-if: ${{ github.ref == 'refs/heads/main' }} - name: Install desktop dependencies run: just desktop-install-ci - name: Create sidecar placeholders