From f26c4424b0dd71def5ee9f1b42e001918944cfcf Mon Sep 17 00:00:00 2001
From: Charles Green <hello@charles.green>
Date: Mon, 4 May 2026 00:06:00 +0900
Subject: [PATCH 1/2] ci: add markdownlint + htmlhint workflow

Adds a Lint workflow that runs on push to main and on PRs:

- markdownlint-cli2 against content/**/*.md (mirrors `make lint-md`)
- Hugo build + htmlhint against the built site (mirrors `make lint-html`)

This also resolves the Dependabot github_actions ecosystem failure on
main, which was erroring because the dependabot.yml referenced a
github-actions ecosystem with no actual workflows to scan.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/lint.yml | 56 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/lint.yml

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..e4c6824
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,56 @@
+name: Lint
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  markdownlint:
+    name: Markdownlint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '22'
+
+      - name: Install markdownlint-cli2
+        run: npm install -g markdownlint-cli2
+
+      - name: Lint Markdown
+        run: markdownlint-cli2 "content/**/*.md"
+
+  htmlhint:
+    name: HTMLhint (built site)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Hugo
+        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3
+        with:
+          hugo-version: 'latest'
+          extended: true
+
+      - name: Build site
+        run: hugo --minify --environment production
+
+      - name: Set up Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '22'
+
+      - name: Install htmlhint
+        run: npm install -g htmlhint
+
+      - name: Lint HTML
+        run: htmlhint "public/**/*.html" --config .htmlhintrc

From 6189fc91b19102492f8636aa4dbd63917dbb6658 Mon Sep 17 00:00:00 2001
From: Charles Green <hello@charles.green>
Date: Mon, 4 May 2026 00:09:13 +0900
Subject: [PATCH 2/2] fix(blog): correct ordered list prefixes (MD029)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The v0.3.3 session persistence blog post used 2./3./4./5. for ordered
list items, which violates the project's markdownlint MD029 rule
(style: 1/1/1 — every numbered item starts with `1.`, Hugo renders
them sequentially anyway). The bug was previously hidden because no
CI ran markdownlint; now the lint workflow added in this PR catches it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 content/blog/v0.3.3-session-persistence.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/content/blog/v0.3.3-session-persistence.md b/content/blog/v0.3.3-session-persistence.md
index 8dda513..5928394 100644
--- a/content/blog/v0.3.3-session-persistence.md
+++ b/content/blog/v0.3.3-session-persistence.md
@@ -103,11 +103,11 @@ rt, err := runtime.NewDistributedRuntime(
 )
 ```
 
-2. **gRPC Streaming**
+1. **gRPC Streaming**
 
 Remote agents now support streaming for long-running operations and real-time responses.
 
-3. **Session Manager Integration**
+1. **Session Manager Integration**
 
 ```go
 // Distributed runtime with sessions
@@ -117,7 +117,7 @@ rt.SetSessionManager(sessionMgr)
 result, _ := rt.CallWithSession(ctx, "remote-agent", msg, sessID)
 ```
 
-4. **Redis Session Backend**
+1. **Redis Session Backend**
 
 For distributed deployments, use Redis for shared session storage:
 
@@ -208,7 +208,7 @@ if err := ValidateDeploymentInputs(platform, region); err != nil {
 }
 ```
 
-2. **G304: Path Traversal Prevention**
+1. **G304: Path Traversal Prevention**
 
 ```go
 // Before: Vulnerable to directory traversal
@@ -228,7 +228,7 @@ func validatePathComponent(s string) error {
 }
 ```
 
-3. **G402: TLS Security**
+1. **G402: TLS Security**
 
 ```go
 // Before: InsecureSkipVerify without warning
@@ -242,7 +242,7 @@ tls.Config{InsecureSkipVerify: true}
 // 3. Never expose to untrusted networks
 ```
 
-4. **G115: Safe Integer Conversions**
+1. **G115: Safe Integer Conversions**
 
 ```go
 // Before: Unsafe conversions
@@ -257,7 +257,7 @@ func safeIntToInt32(v int) (int32, error) {
 }
 ```
 
-5. **G404: Cryptographic Randomness**
+1. **G404: Cryptographic Randomness**
 
 ```go
 // Before: math/rand for security-critical operations