Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…9870)

* feat(discordsh): cross-platform profile schema + persistence for MUD convergence (#9850)

dbmate migration adds 3 columns to discordsh.dungeon_profiles:
- skills (JSONB) — SkillProfile, already serialized by bot but not persisted in DB
- faction_standing (JSONB) — {faction_id: rep_points} map
- auth_user_id (UUID, unique, nullable) — optional FK for isometric game account linking

New RPC functions:
- service_load_profile_by_auth(UUID) — isometric game loads profile by Supabase JWT
  Returns empty result if no linked account (guest mode, nothing saved)
- service_link_auth(discord_id, auth_user_id) — links Discord profile to Supabase account

Updated RPCs:
- service_load_profile — now returns skills, faction_standing, auth_user_id
- service_upsert_profile — now accepts p_skills and p_faction_standing params

Discord bot persistence.rs changes:
- DungeonProfile struct gains faction_standing field
- save_async sends p_skills + p_faction_standing to upsert RPC
- apply_profile_to_player restores faction_standing from JSONB

Guest mode: isometric players without a linked auth account get no persistence.
Linking happens via service_link_auth RPC (called by edge function or bot command).

All 701 tests pass. Migration includes migrate:down for rollback.

* fix(ci): add has_test: false to discordsh-bot project MDX (#9865)

The discordsh-bot CI manifest entry was missing has_test, which defaults to true in ci-docker.yml. This caused the test job to run `pnpm nx e2e` with an empty project name, resolving to the root @kbve/source which has no e2e target — failing with "Cannot find configuration for task".

The bot's tests run via cargo test inside the Docker build, not as a separate Nx e2e project.
* feat(firecracker): add weekly CronJob to refresh pip package cache

Rebuilds pip-cache.ext4 every Sunday 04:00 UTC with latest kbve + fudster wheels. Uses atomic mv to prevent partial reads during swap. Reuses rootfs-init network policy label for PyPI egress access.

* fix(firecracker): unconfine seccomp to allow jailer pivot_root

The default container seccomp profile blocks the pivot_root syscall, causing the jailer to fail with EPERM even with CAP_SYS_ADMIN granted. The mount --make-private fix was necessary but insufficient — seccomp was the actual blocker.

Unconfine seccomp for this container since it already requires SYS_ADMIN + SYS_CHROOT + MKNOD for jailer operation.

* harden(firecracker): drop all caps, read-only root, resource quota

- Drop ALL capabilities, add back only NET_ADMIN/SYS_ADMIN/SYS_CHROOT/MKNOD
- readOnlyRootFilesystem: true (tmpfs for /tmp)
- automountServiceAccountToken: false (no K8s API access)
- ResourceQuota: 10 pods, 4/8 CPU req/limit, 4/8Gi memory req/limit

* feat(kube): add Security Profiles Operator + firecracker jailer SeccompProfile

Deploy SPO via ArgoCD Helm chart so Talos nodes can use SeccompProfile CRDs instead of Localhost file paths. Adds firecracker-jailer profile that extends the default allowlist with only pivot_root, mount, umount2, unshare, chroot, clone, setns, mknod.

The deployment still uses Unconfined until SPO is confirmed healthy, then a follow-up swaps to the SeccompProfile CR reference.
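
The settings listed in the harden(firecracker) and feat(kube) commit messages above, written out as Kubernetes manifests. This is an added example, not the repository's own manifests: the resource names, the `firecracker` namespace, the image and the container resource values are assumptions, and the commented-out `localhostProfile` path follows the Security Profiles Operator's `operator/<namespace>/<profile>.json` convention.

```yaml
# Added illustration; names, namespace, image and resource values are assumed.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: firecracker-quota          # assumed name
  namespace: firecracker           # assumed namespace
spec:
  hard:
    pods: "10"
    requests.cpu: "4"
    limits.cpu: "8"
    requests.memory: 4Gi
    limits.memory: 8Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: firecracker-ctl            # assumed name
  namespace: firecracker
spec:
  automountServiceAccountToken: false   # no service account token, so no K8s API access
  containers:
    - name: firecracker
      image: registry.example/firecracker:placeholder   # placeholder image
      # A quota on cpu/memory rejects pods that omit requests and limits.
      resources:
        requests: { cpu: 500m, memory: 512Mi }          # assumed values
        limits: { cpu: "1", memory: 1Gi }               # assumed values
      securityContext:
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
          add: ["NET_ADMIN", "SYS_ADMIN", "SYS_CHROOT", "MKNOD"]
        # Interim state described in the commits: no syscall filtering at all.
        seccompProfile:
          type: Unconfined
        # Follow-up state once SPO is healthy: replace the block above with a
        # reference to the path the SeccompProfile CR reports in
        # status.localhostProfile.
        # seccompProfile:
        #   type: Localhost
        #   localhostProfile: operator/firecracker/firecracker-jailer.json
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir:
        medium: Memory             # tmpfs for /tmp under a read-only root
```

While `type: Unconfined` is in place the container's syscall surface is limited only by its capability set, so the swap to the `Localhost` profile is the step that restores filtering.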
Release: Dev → Main
3 atomic commits ready for main
Features
710e7e0)
Bug Fixes
ca6f9f1)
Chores
dff3546)
This PR is automatically maintained by CI — KBVE Studio