ci: add GitHub Actions CI/release, cargo-deny, rustfmt, clippy, Renovate

- CI workflow: fmt check, clippy -D warnings, cargo-deny (advisories +
  licenses + sources), cargo test (matrix: ubuntu + macos), frontend
  lint + vitest + playwright, Tauri build check. All actions hash-pinned.
- Release workflow: triggered on v* tags, builds Tauri desktop bundles
  (macOS aarch64/x86_64 .dmg, Linux .deb/.AppImage, Windows .msi) and
  standalone CLI tarballs with SHA256 checksums via GitHub Releases.
- cargo-deny: license allowlist, advisory exemptions for portable-pty
  transitive deps (async-std, serial), source registry lockdown.
- rustfmt.toml + clippy.toml: enforce consistent formatting and lints.
- renovate.json: automated dependency updates with GitHub Actions
  auto-merge, vulnerability alerts enabled.
- Fix license mismatch: workspace Cargo.toml said MIT, now Apache-2.0
  matching the LICENSE file. All crates inherit license.workspace.
- Apply cargo fmt across entire workspace (formatting-only changes).
- Update README: add CI/release badges, replace non-existent brew/winget
  install methods with GitHub Releases + from-source instructions, update
  test counts (1,400+), add contributing build/test commands, update
  roadmap to reflect v0.1.0 actual state vs aspirational features.
- Update .gitignore: target/, .DS_Store, test artifacts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: h4x0r

.github/workflows/ci.yml

@@ -0,0 +1,112 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+  RUSTFLAGS: "-Dwarnings"
+
+jobs:
+  fmt:
+    name: Rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # stable
+        with:
+          toolchain: stable
+          components: rustfmt
+      - run: cargo fmt --all -- --check
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # stable
+        with:
+          toolchain: stable
+          components: clippy
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: clippy-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: clippy-${{ runner.os }}-
+      - run: cargo clippy --workspace --all-targets -- -D warnings
+
+  deny:
+    name: Cargo Deny
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EmbarkStudios/cargo-deny-action@34899fc7ba81ca6268d5947a7a16b4649013fea1 # v2.0.11
+        with:
+          command: check advisories licenses sources
+
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # stable
+        with:
+          toolchain: stable
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: test-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: test-${{ runner.os }}-
+      - run: cargo test --workspace
+
+  frontend:
+    name: Frontend (lint + test + build)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+      - run: npx tsc --noEmit
+      - run: npx vitest run
+      - run: npx playwright install --with-deps chromium
+      - run: npx playwright test
+
+  # Ensure the Tauri app compiles (without bundling)
+  tauri-build:
+    name: Tauri build check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # stable
+        with:
+          toolchain: stable
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+      - name: Install system dependencies (Linux)
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+      - run: npm run build
+      - run: cargo build --manifest-path src-tauri/Cargo.toml

.github/workflows/release.yml

@@ -0,0 +1,146 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+jobs:
+  create-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    outputs:
+      release_id: ${{ steps.create.outputs.id }}
+      upload_url: ${{ steps.create.outputs.upload_url }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Create release
+        id: create
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+        with:
+          draft: true
+          generate_release_notes: true
+
+  build-tauri:
+    name: Build Tauri (${{ matrix.platform }})
+    needs: create-release
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: macos-latest
+            target: aarch64-apple-darwin
+          - platform: macos-latest
+            target: x86_64-apple-darwin
+          - platform: ubuntu-22.04
+            target: x86_64-unknown-linux-gnu
+          - platform: windows-latest
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # stable
+        with:
+          toolchain: stable
+          targets: ${{ matrix.target }}
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+
+      - name: Install system dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+
+      - name: Build Tauri app
+        uses: tauri-apps/tauri-action@42a8e7afed21ef2e1b5d4e3bdd3b7e075e1f52d2 # v0.5.18
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          releaseId: ${{ needs.create-release.outputs.release_id }}
+          args: --target ${{ matrix.target }}
+
+  build-cli:
+    name: Build CLI (${{ matrix.target }})
+    needs: create-release
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            target: aarch64-apple-darwin
+            binary: shepherd
+          - os: macos-latest
+            target: x86_64-apple-darwin
+            binary: shepherd
+          - os: ubuntu-22.04
+            target: x86_64-unknown-linux-gnu
+            binary: shepherd
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            binary: shepherd.exe
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # stable
+        with:
+          toolchain: stable
+          targets: ${{ matrix.target }}
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: cli-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: cli-${{ matrix.target }}-
+
+      - name: Build CLI binaries
+        run: |
+          cargo build --release --target ${{ matrix.target }} --package shepherd-cli
+          cargo build --release --target ${{ matrix.target }} --package shepherd-server
+
+      - name: Package CLI (Unix)
+        if: runner.os != 'Windows'
+        run: |
+          mkdir -p dist
+          cp target/${{ matrix.target }}/release/shepherd dist/
+          cp target/${{ matrix.target }}/release/shep dist/
+          cp target/${{ matrix.target }}/release/shepherd-server dist/
+          cd dist && tar czf shepherd-cli-${{ matrix.target }}.tar.gz shepherd shep shepherd-server
+          shasum -a 256 shepherd-cli-${{ matrix.target }}.tar.gz > shepherd-cli-${{ matrix.target }}.tar.gz.sha256
+
+      - name: Package CLI (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          New-Item -ItemType Directory -Force -Path dist
+          Copy-Item target/${{ matrix.target }}/release/shepherd.exe dist/
+          Copy-Item target/${{ matrix.target }}/release/shep.exe dist/
+          Copy-Item target/${{ matrix.target }}/release/shepherd-server.exe dist/
+          Compress-Archive -Path dist/shepherd.exe,dist/shep.exe,dist/shepherd-server.exe -DestinationPath dist/shepherd-cli-${{ matrix.target }}.zip
+          Get-FileHash dist/shepherd-cli-${{ matrix.target }}.zip -Algorithm SHA256 | Format-List Hash > dist/shepherd-cli-${{ matrix.target }}.zip.sha256
+
+      - name: Upload CLI artifacts
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+        with:
+          files: |
+            dist/shepherd-cli-*
+
+  publish-release:
+    name: Publish release
+    needs: [build-tauri, build-cli]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Publish release (remove draft)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release edit ${{ github.ref_name }} --draft=false

.gitignore

@@ -4,3 +4,8 @@ node_modules/
 dist/
 src-tauri/target/
 src-tauri/gen/
+target/
+.DS_Store
+tarpaulin-report.json
+test-results/
+playwright-report/

Cargo.toml

@@ -12,7 +12,7 @@ exclude = [
 [workspace.package]
 version = "0.1.0"
 edition = "2021"
-license = "MIT"
+license = "Apache-2.0"
 
 [workspace.dependencies]
 shepherd-core = { path = "crates/shepherd-core" }

README.md

@@ -20,10 +20,11 @@
 </p>
 
 <p align="center">
+  <a href="https://github.com/SecurityRonin/Shepherd/actions/workflows/ci.yml"><img src="https://github.com/SecurityRonin/Shepherd/actions/workflows/ci.yml/badge.svg" alt="CI" /></a>
+  <a href="https://github.com/SecurityRonin/Shepherd/releases"><img src="https://img.shields.io/github/v/release/SecurityRonin/Shepherd?include_prereleases&label=release" alt="Release" /></a>
   <a href="https://github.com/sponsors/h4x0r"><img src="https://img.shields.io/badge/sponsor-♥-ea4aaa" alt="Sponsor" /></a>
   <img src="https://img.shields.io/badge/status-alpha-orange" alt="Status: Alpha" />
   <img src="https://img.shields.io/badge/license-Apache%202.0-green" alt="License: Apache 2.0" />
-  <img src="https://img.shields.io/badge/binary-~600KB-blue" alt="Binary: ~600KB" />
   <img src="https://img.shields.io/badge/platform-macOS%20·%20Linux%20·%20Windows-lightgrey" alt="Platforms" />
 </p>
 
@@ -42,14 +43,13 @@ Shepherd fixes that.
 **Install:**
 
 ```bash
-# macOS
-brew install shepherd-codes/tap/shepherd
+# Download a pre-built release (macOS, Linux, Windows)
+# → https://github.com/SecurityRonin/Shepherd/releases
 
-# Linux / from source
-curl -fsSL https://shepherd.codes/install.sh | sh
-
-# Windows
-winget install shepherd-codes.shepherd
+# Or build from source
+git clone https://github.com/SecurityRonin/Shepherd.git
+cd Shepherd && cargo build --release
+# Binaries: target/release/shepherd, target/release/shep, target/release/shepherd-server
 ```
 
 Installs both `shepherd` and `shep` (same binary, your choice).
@@ -348,21 +348,34 @@ AGENTS (your existing tools, unchanged)
 
 <h2 id="install">Install</h2>
 
-See **[Get started in 60 seconds](#get-started-in-60-seconds)** at the top for the full quickstart.
+### Pre-built releases (recommended)
 
-```bash
-# macOS
-brew install shepherd-codes/tap/shepherd
+Download the latest release for your platform from [GitHub Releases](https://github.com/SecurityRonin/Shepherd/releases).
 
-# Linux
-curl -fsSL https://shepherd.codes/install.sh | sh
+Each release includes:
 
-# Windows
-winget install shepherd-codes.shepherd
+| Platform | Desktop App | CLI-only |
+|----------|-------------|----------|
+| macOS (Apple Silicon) | `.dmg` | `shepherd-cli-aarch64-apple-darwin.tar.gz` |
+| macOS (Intel) | `.dmg` | `shepherd-cli-x86_64-apple-darwin.tar.gz` |
+| Linux (x86_64) | `.deb`, `.AppImage` | `shepherd-cli-x86_64-unknown-linux-gnu.tar.gz` |
+| Windows (x86_64) | `.msi` | `shepherd-cli-x86_64-pc-windows-msvc.zip` |
 
-# From source (installs both `shepherd` and `shep`)
+The CLI tarball contains `shepherd`, `shep` (alias), and `shepherd-server`. Put them on your PATH.
+
+### From source
+
+```bash
 git clone https://github.com/SecurityRonin/Shepherd.git
-cd Shepherd && bash scripts/install.sh && npm install && npm run build
+cd Shepherd
+
+# CLI only (no GUI)
+cargo build --release
+# → target/release/shepherd, target/release/shep, target/release/shepherd-server
+
+# Desktop app (requires Node.js + Tauri prerequisites)
+npm install && npm run build
+cargo tauri build
 ```
 
 Both `shepherd` and `shep` are installed — they're the same binary. Use whichever you prefer. Most examples in this README use `shep`.
@@ -430,9 +443,11 @@ Restart Shepherd. Your agent shows up in the New Task dropdown.
 
 ## Roadmap
 
-**v1.0** (current): Core engine, Kanban board, 9 agents, YOLO engine, quality gates, PR pipeline, CLI with shell completions, LLM client (OpenAI/Anthropic/Ollama), name generator, logo generator, North Star PMF wizard, contextual triggers, nono.sh sandbox, ecosystem auto-install (Superpowers + context-mode + Alaya), new project wizard, iTerm2 session adoption (9 agents, session picker, permission prompt detection, bridge script). 1,100+ tests.
+**v0.1.0** (current): Core engine with embedded Axum server, task dispatch loop, PTY agent execution, session monitoring, YOLO rules engine, Kanban board (React + Zustand + xterm.js), WebSocket real-time events, CLI with auto-server-spawn and shell completions, 9 agent adapters, iTerm2 session adoption, quality gates, name/logo generators, North Star PMF wizard, nono.sh sandbox, ecosystem auto-install. 1,400+ tests. 99.7% Rust code coverage. CI with fmt, clippy, cargo-deny, Vitest, and Playwright.
 
-**v1.1**: Best-of-N (run same task on multiple agents, compare outputs). Issue tracker integration (Linear, GitHub Issues, Jira). Event-driven automations.
+**v0.2**: Full multi-agent coordination (concurrent dispatch, agent-to-agent handoff). One-click PR pipeline. Docker isolation mode. Homebrew tap + winget package.
+
+**v1.0**: Best-of-N (run same task on multiple agents, compare outputs). Issue tracker integration (Linear, GitHub Issues, Jira). Event-driven automations. Cloud sync (Shepherd Pro).
 
 **v2.0**: Mobile monitoring (push notifications, approve from phone). Team dashboards. Browser UI for remote access. Adapter registry.
 
@@ -443,11 +458,25 @@ Shepherd is Apache 2.0 licensed and built in the open.
 ```bash
 git clone https://github.com/SecurityRonin/Shepherd.git
 cd Shepherd
-cargo build
-npm install && npm run dev
+
+# Backend
+cargo fmt --all -- --check      # formatting
+cargo clippy --workspace        # lints
+cargo deny check                # license + advisory audit
+cargo test --workspace          # 1,350+ Rust tests
+
+# Frontend
+npm install
+npx tsc --noEmit                # type check
+npx vitest run                  # 187 unit tests
+npx playwright test             # 8 e2e browser tests
+
+# Run the desktop app in dev mode
+npm run dev                     # starts Vite on :1420
+cargo tauri dev                 # launches Tauri with hot reload
 ```
 
-PRs welcome. Check [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+PRs welcome. CI enforces fmt, clippy, cargo-deny, and all test suites.
 
 If you find Shepherd useful, star the repo. It helps others find it.