Repo migration

.cspell.json

@@ -270,7 +270,8 @@
     "integ",
     "Integ",
     "jlumbroso",
-    "kubepods"
+    "kubepods",
+    "unanalyzable"
   ],
   "ignoreRegExpList": [
     "/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/g",

.devcontainer/Dockerfile

@@ -11,7 +11,7 @@ FROM mcr.microsoft.com/devcontainers/dotnet:1-9.0-bookworm
 ARG TARGETARCH=amd64
 
 # Container labels
-LABEL org.opencontainers.image.source="https://github.com/wallstop/DxMessaging"
+LABEL org.opencontainers.image.source="https://github.com/Ambiguous-Interactive/DxMessaging"
 LABEL org.opencontainers.image.description="DxMessaging development container"
 LABEL org.opencontainers.image.licenses="MIT"
 LABEL unity.support="docker-outside-of-docker"

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: false
 contact_links:
   - name: Questions & Discussion
-    url: https://github.com/wallstop/DxMessaging/discussions
+    url: https://github.com/Ambiguous-Interactive/DxMessaging/discussions
     about: Please ask questions and discuss ideas in GitHub Discussions instead of opening an issue.

.github/actionlint.yaml

@@ -0,0 +1,21 @@
+# actionlint configuration.
+# Declares custom self-hosted runner labels that actionlint cannot infer
+# from the workflow files. Without this, actionlint reports
+# "label \"<NAME>\" is unknown" for every job referencing them.
+self-hosted-runner:
+  labels:
+    # Marker label applied to self-hosted Windows runners with 64GB+ RAM,
+    # used by Unity workflows (release.yml, unity-benchmarks.yml,
+    # unity-il2cpp.yml, unity-tests.yml). Add additional custom labels here
+    # as new runner pools are introduced.
+    - RAM-64GB
+    # Speed marker reserved on ELI-MACHINE for future opt-in (e.g.,
+    # hotfix dispatch); no currently-active workflow requests it. The
+    # workflow validator and actionlint both still allow the label so a
+    # future workflow can opt in without churn.
+    - fast
+    # Legacy marker applied to old-linux (documented in .llm/context.md);
+    # reserved here so any future inline `runs-on: [self-hosted, Linux,
+    # ..., old]` does not trip an actionlint false-positive.
+    - old
+config-variables: null

.github/dependabot.yml

@@ -12,10 +12,6 @@ updates:
           - "*"
     labels:
       - "dependencies"
-    assignees:
-      - wallstop
-    reviewers:
-      - wallstop
 
   # NuGet: SourceGenerator project - Roslyn packages pinned for Unity compiler compatibility
   - package-ecosystem: "nuget"
@@ -29,10 +25,6 @@ updates:
           - "*"
     labels:
       - "dependencies"
-    assignees:
-      - wallstop
-    reviewers:
-      - wallstop
     ignore:
       # SourceGenerator Roslyn packages - pinned for Unity compiler compatibility.
       # Unity's embedded compiler requires specific Roslyn versions; updating breaks SourceGenerator loading.
@@ -56,10 +48,6 @@ updates:
           - "*"
     labels:
       - "dependencies"
-    assignees:
-      - wallstop
-    reviewers:
-      - wallstop
     ignore:
       # Shared Roslyn dependencies (pinned for Unity compatibility in SourceGenerator project)
       - dependency-name: "Microsoft.CodeAnalysis*"
@@ -80,7 +68,3 @@ updates:
     labels:
       - "dependencies"
     versioning-strategy: increase
-    assignees:
-      - wallstop
-    reviewers:
-      - wallstop

.github/release-drafter.yml

@@ -1,5 +1,5 @@
-name-template: "$RESOLVED_VERSION"
-tag-template: "$RESOLVED_VERSION"
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
 
 categories:
   - title: "🚀 Features"

.github/workflows/actionlint.yml

@@ -4,13 +4,15 @@ on:
   pull_request:
     paths:
       - ".github/workflows/**"
+      - ".github/actionlint.yaml"
       - "scripts/validate-workflows.js"
   push:
     branches:
       - main
       - master
     paths:
       - ".github/workflows/**"
+      - ".github/actionlint.yaml"
       - "scripts/validate-workflows.js"
   workflow_dispatch:
 

.github/workflows/deploy-docs.yml

@@ -3,8 +3,8 @@
 # This workflow builds MkDocs documentation and deploys it to GitHub Pages.
 # It runs on pushes to master (for deployment) and on PRs (for validation only).
 #
-# Badge URL: https://github.com/wallstop/DxMessaging/actions/workflows/deploy-docs.yml/badge.svg
-# Pages URL: https://wallstop.github.io/DxMessaging/
+# Badge URL: https://github.com/Ambiguous-Interactive/DxMessaging/actions/workflows/deploy-docs.yml/badge.svg
+# Pages URL: https://ambiguous-interactive.github.io/DxMessaging/
 
 name: Deploy Documentation
 

.github/workflows/release-drafter.yml

@@ -17,7 +17,7 @@ concurrency:
 
 jobs:
   update-release-draft:
-    if: github.repository == 'wallstop/DxMessaging'
+    if: github.repository == 'Ambiguous-Interactive/DxMessaging'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/release.yml

@@ -0,0 +1,235 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v[0-9]*.[0-9]*.[0-9]*"
+
+concurrency:
+  group: release-${{ github.ref_name }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  verify-tag:
+    name: Verify release tag
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      package-version: ${{ steps.verify.outputs.package-version }}
+      tag: ${{ steps.verify.outputs.tag }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Verify semver tag matches package.json
+        id: verify
+        run: |
+          set -euo pipefail
+          tag="${GITHUB_REF_NAME}"
+          if ! printf '%s\n' "${tag}" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "::error::Release tags must use vX.Y.Z semver format."
+            exit 1
+          fi
+          PACKAGE_VERSION="$(jq -r '.version // empty' package.json)"
+          if [ -z "${PACKAGE_VERSION}" ]; then
+            echo "::error::package.json version is missing."
+            exit 1
+          fi
+          if [ "${tag}" != "v${PACKAGE_VERSION}" ]; then
+            echo "::error::Tag ${tag} does not match package.json version v${PACKAGE_VERSION}."
+            exit 1
+          fi
+          {
+            echo "package-version=${PACKAGE_VERSION}"
+            echo "tag=${tag}"
+          } >> "${GITHUB_OUTPUT}"
+
+  validate:
+    name: Validate package
+    needs: verify-tag
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.18.0"
+
+      - name: Install Node dependencies
+        run: |
+          set -euo pipefail
+          if [ -f package-lock.json ]; then
+            npm ci
+          else
+            npm i --no-audit --no-fund
+          fi
+
+      - name: Run release validation
+        run: |
+          set -euo pipefail
+          npm run test:scripts
+          npm run test:unity-contracts
+          npm run validate:npm-meta
+          npm run validate:llms-txt
+          npm run validate:repo-identity
+          npm run validate:all
+
+      - name: Pack npm package
+        id: pack
+        run: |
+          set -euo pipefail
+          mkdir -p .artifacts/release
+          pack_json="$(npm pack --json --provenance=false)"
+          package_file="$(printf '%s' "${pack_json}" | jq -r '.[0].filename')"
+          mv "${package_file}" ".artifacts/release/${package_file}"
+          (cd .artifacts/release && sha256sum "${package_file}" > "${package_file}.sha256")
+          # Single-quoted format contains literal backticks for Markdown code fences;
+          # SC2016 heuristically warns of unintended command substitution.
+          # shellcheck disable=SC2016
+          printf 'Release %s\n\nPackage: `%s`\n' \
+            "${{ needs.verify-tag.outputs.tag }}" \
+            "${package_file}" > .artifacts/release/release-notes.md
+          echo "package-file=${package_file}" >> "${GITHUB_OUTPUT}"
+
+      - name: Upload release artifacts
+        uses: actions/upload-artifact@v7
+        with:
+          name: release-package
+          path: .artifacts/release/
+          if-no-files-found: error
+
+      - name: Attest release package
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: .artifacts/release/*.tgz
+
+  unity-checks:
+    name: Trusted Unity release checks
+    needs: verify-tag
+    runs-on: [self-hosted, Windows, RAM-64GB]
+    timeout-minutes: 120
+    concurrency:
+      group: unity-pro-license
+      cancel-in-progress: false
+    steps:
+      - name: Print runner diagnostics
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "::group::Runner diagnostics"
+          echo "Runner name:           ${RUNNER_NAME:-<unset>}"
+          echo "Runner OS:             ${RUNNER_OS:-<unset>}"
+          echo "Runner arch:           ${RUNNER_ARCH:-<unset>}"
+          echo "Runner workspace:      ${RUNNER_WORKSPACE:-<unset>}"
+          echo "Concurrency group:     unity-pro-license (single-seat Unity Pro license; cross-workflow serialization)"
+          echo "Requested labels:      self-hosted, Windows, RAM-64GB"
+          echo "GitHub workflow:       ${GITHUB_WORKFLOW:-<unset>}"
+          echo "GitHub job:            ${GITHUB_JOB:-<unset>}"
+          echo "GitHub run id/attempt: ${GITHUB_RUN_ID:-<unset>} / ${GITHUB_RUN_ATTEMPT:-<unset>}"
+          echo "GitHub ref:            ${GITHUB_REF:-<unset>} (protected=${GITHUB_REF_PROTECTED:-<unset>})"
+          echo "GitHub event:          ${GITHUB_EVENT_NAME:-<unset>}"
+          echo "::endgroup::"
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          lfs: true
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.18.0"
+
+      - name: Run Unity contract checks
+        shell: pwsh
+        env:
+          UNITY_LICENSE: ${{ secrets.UNITY_LICENSE }}
+          UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
+          UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
+          UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
+          UNITY_VERSION: "2022.3.45f1"
+          CI: "true"
+        run: |
+          npm run test:unity-contracts
+          ./scripts/unity/run-tests.ps1 `
+            -Platform editmode `
+            -UnityVersion "2022.3.45f1" `
+            -Runner docker `
+            -Results ".artifacts/unity/release-editmode/results.xml"
+
+  publish:
+    name: Publish npm package and GitHub Release
+    needs:
+      - verify-tag
+      - validate
+      - unity-checks
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.18.0"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Download release package
+        uses: actions/download-artifact@v7
+        with:
+          name: release-package
+          path: .artifacts/release
+
+      - name: Create or update GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          tag="${{ needs.verify-tag.outputs.tag }}"
+          if gh release view "${tag}" >/dev/null 2>&1; then
+            gh release upload "${tag}" \
+              .artifacts/release/*.tgz \
+              .artifacts/release/*.sha256 \
+              --clobber
+            gh release edit "${tag}" \
+              --title "${tag}" \
+              --notes-file .artifacts/release/release-notes.md \
+              --draft=false
+          else
+            gh release create "${tag}" \
+              .artifacts/release/*.tgz \
+              .artifacts/release/*.sha256 \
+              --title "${tag}" \
+              --notes-file .artifacts/release/release-notes.md \
+              --verify-tag
+          fi
+
+      - name: Publish to npm with provenance
+        run: |
+          set -euo pipefail
+          npx --yes --package=npm@^11.5.1 npm --version
+          package_file="$(find .artifacts/release -maxdepth 1 -name '*.tgz' -print -quit)"
+          if [ -z "${package_file}" ]; then
+            echo "::error::Packed npm package artifact is missing."
+            exit 1
+          fi
+          npx --yes --package=npm@^11.5.1 npm publish "${package_file}" --provenance --access public

.github/workflows/spellcheck.yml

@@ -13,6 +13,7 @@ on:
       - ".github/**"
       - ".llm/**"
       - ".cspell.json"
+      - ".gitignore"
   push:
     branches:
       - main
@@ -28,6 +29,7 @@ on:
       - ".github/**"
       - ".llm/**"
       - ".cspell.json"
+      - ".gitignore"
   workflow_dispatch:
 
 concurrency:
@@ -56,4 +58,5 @@ jobs:
           cache-dependency-path: package.json
 
       - name: Run cspell
-        run: npx --yes cspell@10.0.0 --no-progress --no-summary .
+        # Keep the summary line on failures so CI logs show files-scanned vs. issues count.
+        run: npx --yes cspell@10.0.0 --no-progress .