Improve OS support

.dockerignore

@@ -1,6 +1,39 @@
-target/
-.git/
-.ruff_cache/
-.vscode/
-services/ws-server/storage/
+# AUTO-GENERATED from .gitignore by 'mise run gen:dockerignore' -- do not edit.
+# Docker reads only this file; patterns are **/-prefixed to match at any depth
+# like .gitignore. Edit .gitignore and regenerate.
+
+**/.claude/
+**/*.wasm
+**/*.onnx
+**/target/
 **/.DS_Store
+services/ws-wasm-agent/pkg/
+services/ws-server/static/models/
+**/.zig-cache/
+**/zig-out/
+**/*.o
+**/*.pem
+**/mprocs.log
+**/__pycache__/
+**/.pytest_cache/
+**/.python-version
+**/uv.lock
+**/node_modules/
+**/pnpm-lock.yaml
+**/.venv/
+# .NET build output. `obj/` is safe globally (nothing tracked is named obj/),
+# but `bin/` is scoped to the module so it never matches a Rust crate's
+# `src/bin/` (e.g. utilities/int-gen/src/bin/).
+**/obj/
+services/ws-modules/dotnet-data1/bin/
+# Editor dir (but keep the shared recommended-extensions list), tool caches, and
+# the ws-server's runtime file storage.
+.vscode/*
+!.vscode/extensions.json
+**/.ruff_cache/
+**/.lycheecache
+services/ws-server/storage/
+**/.git/
+**/Dockerfile*
+README.md
+**/.dockerignore

.dprint.jsonc

@@ -1,36 +1,6 @@
+// dprint anchors its base directory (the tree it formats) to the directory of
+// the config file it discovers. This stub keeps that base at the repo root while
+// the real config lives in config/ alongside the other linter configs.
 {
-  "java": {
-  },
-  "json": {
-  },
-  // Match the repo-wide 120 line-length set in .editorconfig and ruff.toml,
-  // otherwise dprint's bundled ruff would reformat Python files to its
-  // default and fight with `mise run ruff-fmt`.
-  "ruff": {
-    "lineLength": 120,
-  },
-  "malva": {
-  },
-  "markdown": {
-  },
-  "markup": {
-  },
-  "typescript": {
-  },
-  "yaml": {
-  },
-  "excludes": [
-    "**/node_modules",
-    "**/*-lock.json",
-  ],
-  "plugins": [
-    "https://github.com/speakeasy-api/dprint-plugin-java/releases/latest/download/dprint_plugin_java.wasm",
-    "https://plugins.dprint.dev/g-plane/malva-v0.15.2.wasm",
-    "https://plugins.dprint.dev/g-plane/markup_fmt-v0.27.0.wasm",
-    "https://plugins.dprint.dev/g-plane/pretty_yaml-v0.6.0.wasm",
-    "https://plugins.dprint.dev/json-0.21.3.wasm",
-    "https://plugins.dprint.dev/markdown-0.21.1.wasm",
-    "https://plugins.dprint.dev/ruff-0.7.10.wasm",
-    "https://plugins.dprint.dev/typescript-0.95.15.wasm",
-  ],
+  "extends": "config/dprint.jsonc",
 }

.editorconfig

@@ -12,6 +12,12 @@ trim_trailing_whitespace = true
 [*.md]
 indent_size = unset
 
+# OPA/Rego: `conftest fmt` (opa fmt) indents with tabs and isn't configurable, so
+# its canonical formatting needs tabs, not the repo's space default.
+[*.rego]
+indent_style = tab
+indent_size = unset
+
 # License files use the canonical upstream formatting (centred headers, odd
 # indent widths, etc.) — leave them alone.
 [LICENSE-*]

.github/workflows/check.yml → .github/workflows/check.yaml

@@ -27,19 +27,16 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install mise
         uses: taiki-e/install-action@v2
         with:
-          tool: cargo-binstall,mise
+          tool: cargo-binstall,mise@2026.6.5
 
       - name: Select all language envs
         run: echo "MISE_ENV=$(mise run print-all-langs)" >> "$GITHUB_ENV"
 
-      - name: Install pipx (Windows only — aqua has no Windows build)
-        if: runner.os == 'Windows'
-        run: python -m pip install pipx
-
       # Optional npm backend, installed before the main `mise install`.
       # See [tasks.setup-aube] in .mise/config.toml for the full rationale.
       - name: Install aube (optional npm backend, allowed to fail)
@@ -53,14 +50,7 @@ jobs:
 
       - name: Install mise tools
         run: |
-          mise settings add idiomatic_version_file_enable_tools "[]"
-          mise settings experimental=true
-          mise settings set cargo.binstall true
-          # See test.yml for notes on why conda:openssl is installed up front.
-          mise install conda:openssl
-          # On macOS, lld is needed to compile Rust binary tools from source
-          # (e.g. `cargo:taplo-cli`, see CARGO_TARGET_*_APPLE_DARWIN_RUSTFLAGS).
-          mise install conda:lld
+          mise run preinstall
           mise install
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -69,6 +59,12 @@ jobs:
           # doesn't fail the whole `mise install` step.
           MISE_HTTP_TIMEOUT: "120"
 
+      - name: Prefetch Rust dependencies
+        run: mise run prefetch:rust
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          CARGO_NET_RETRY: "5"
+
       - name: Run checkers
         run: |
           mise run check

.github/workflows/dependencies.yml → .github/workflows/dependencies.yaml

@@ -7,8 +7,9 @@ name: dependencies
       - Cargo.lock
       - Cargo.toml
       - "**/Cargo.toml"
-      - deny.toml
-      - .github/workflows/dependencies.yml
+      - config/deny.toml
+      - config/osv-scanner.toml
+      - .github/workflows/dependencies.yaml
   workflow_dispatch:
 
 permissions:
@@ -22,29 +23,32 @@ defaults:
   run:
     shell: bash
 
-# Deliberately mise-free: the only tools this job needs are the three
-# dep-audit binaries, all of which taiki-e/install-action ships
-# prebuilt. Skipping mise also skips the conda:openssl + workspace
-# tool install path that the main CI flows take ~3 min on, keeping
-# this check fast (~30 s typical).
 jobs:
   dependencies:
     runs-on: ubuntu-latest
     timeout-minutes: 25
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-      - name: Install dep-audit tools
+      - name: Install tools
         uses: taiki-e/install-action@v2
         with:
-          tool: cargo-deny,cargo-unmaintained,osv-scanner
+          tool: cargo-deny,cargo-unmaintained,mise@2026.6.5,osv-scanner
+
+      - name: Trust mise config
+        run: mise trust
+
+      - name: Generate config/osv-scanner.toml from config/deny.toml
+        run: mise run gen:osv-scanner
 
       - name: cargo deny check
-        run: cargo deny check
+        run: mise run cargo-deny-check
 
       - name: osv-scanner
-        run: osv-scanner --lockfile Cargo.lock
+        run: mise run osv-scanner
 
       # `cargo unmaintained` persists per-repository archival/last-commit
       # lookups under `$XDG_CACHE_HOME/cargo-unmaintained` (default
@@ -68,4 +72,7 @@ jobs:
       - name: cargo unmaintained
         env:
           GITHUB_TOKEN: ${{ github.token }}
-        run: cargo unmaintained
+        run: mise run cargo-unmaintained-check
+
+      - name: Check config/osv-scanner.toml is committed
+        run: git diff --exit-code -- config/osv-scanner.toml

.github/workflows/docker-linux.yaml

@@ -0,0 +1,59 @@
+---
+name: docker-linux
+
+"on":
+  pull_request:
+    paths:
+      - .github/workflows/docker-linux.yaml
+      - Dockerfile
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      # The image is huge (every language toolchain + prefetched models + a full
+      # debug build, incl. aws-lc-sys's large C objects), and its peak `target/`
+      # overruns a single runner disk. Reclaim the unused preinstalled SDKs and
+      # concatenate the freed root space with /mnt into one LVM volume mounted at
+      # Docker's data dir, then restart Docker so the build uses the combined space.
+      - name: Maximize build space (combine root + /mnt for Docker)
+        uses: easimon/maximize-build-space@v10
+        with:
+          root-reserve-mb: 4096
+          swap-size-mb: 1024
+          remove-dotnet: "true"
+          remove-android: "true"
+          remove-haskell: "true"
+          remove-codeql: "true"
+          remove-docker-images: "true"
+          build-mount-path: /var/lib/docker
+          build-mount-path-ownership: "root:root"
+
+      - name: Restart Docker on the maximized volume
+        run: sudo systemctl restart docker
+
+      - name: Build stage test
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: DOCKER_BUILDKIT=1 docker build --target test --secret id=gh_token,env=GITHUB_TOKEN -t edge-toolkit-test .
+
+      - name: Run the test suite
+        run: docker run --rm edge-toolkit-test

.github/workflows/docker-windows.yaml

@@ -0,0 +1,52 @@
+---
+name: docker-windows
+
+"on":
+  pull_request:
+    paths:
+      - .github/workflows/docker-windows.yaml
+      - Dockerfile.nanoserver
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    runs-on: windows-2022
+    timeout-minutes: 120
+    env:
+      # The classic Windows builder can't substitute build-args into the Dockerfile's RUN,
+      # and mise's prebuilt "latest" zip is stale (2026.3.0, too old for the config).
+      # 2026.6.5 is the first release with auto_env (loads .mise/config.windows.toml).
+      MISE_VERSION: "2026.6.5"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      # Hosted Windows runners don't reliably leave the Docker daemon running, so
+      # the build can fail connecting to the docker_engine pipe. Start it (no-op
+      # if already running) and confirm connectivity before building.
+      - name: Start the Docker daemon
+        run: |
+          sc query docker | grep -q RUNNING || net start docker
+          docker version
+
+      - name: Prepare mise and Github token for the build context
+        run: |
+          v="${{ env.MISE_VERSION }}"
+          curl -fsSL -o mise.zip "https://github.com/jdx/mise/releases/download/v$v/mise-v$v-windows-x64.zip"
+          printf '%s' "${{ github.token }}" > gh_token
+
+      - name: Build stage precompile
+        run: docker build -f Dockerfile.nanoserver --target precompile -t edge-toolkit-windows .