merge: sync upstream main (59 commits) into dev

Upstream catch-up from volcengine/OpenViking main at a18d4b9.

Auto-merged (24 files): README, bot/config, crates/ov_cli, session/session.py,
session/compressor{,_v2}.py, session/memory_deduplicator.py, memory_extractor.py,
schema_model_generator.py, utils/uri.py, storage/viking_fs.py,
storage/transaction/lock_manager.py, storage/queuefs/semantic_processor.py,
retrieve/hierarchical_retriever.py, server/routers/content.py, server/routers/search.py,
core/directories.py, prompts/templates/memory/preferences.yaml,
examples/openclaw-plugin/{index,text-utils}.ts, examples/ov.conf.example,
openviking_cli/utils/config/{memory_config,open_viking_config}.py,
docs/en/concepts/08-session.md.

Hand-resolved conflicts (14 files):

Memory subsystem:
- entities.yaml: adopt upstream category field + event linking, keep our
  brain-hardening rules (canonical names, Aliases section, one-card-per-entity).
  Removed upstream's Caroline LoCoMo leak.
- events.yaml: adopt upstream year/month/day folder template.
- memory_updater.py: keep dev's two-function _apply_write/_apply_edit structure
  with collision-safe entity writes, port get_year/get_month/get_day helpers
  to ExtractContext for events.yaml template to work.
- session_extract_context_provider.py: keep dev's [Keywords] bug fix
  (_derive_search_keywords) — upstream volcengine#1159 did not address this.
- extract_loop.py: keep dev's small-model extraction path. Dev's hard_cap
  iteration extension is more sophisticated than upstream's version.

Storage:
- collection_schemas.py: combine dev's BGE-M3 truncation (30k chars) with
  upstream volcengine#1301 embed_compat async wrapper.
- queuefs/semantic_dag.py: combine dev's old_summary hash comparison with
  upstream's defensive null check on cached summary.
- queuefs/semantic_queue.py: keep dev's 300-second dedup window with
  _TrackedSemanticRequest dataclass.
- utils/summarizer.py: take upstream — convergent fix, upstream is superset
  of our context_type centralization plus resource cover handling.

Models:
- openai_vlm.py: merge timeout signature (float | None = 60.0).

Plugin (TypeScript):
- config.ts: keep dev's profileInjection/recallFormat/alignment fields,
  add upstream's bypassSessionPatterns deprecation alias.
- client.ts: merge addSessionMessage signature
  (sessionId, role, content, parts?, agentId?, createdAt?), keep dev's
  createSession(), combine body building with optional created_at.
- context-engine.ts: keep dev's driftDetector + alignment, add upstream's
  isBypassedSession helper + bypass early-return in doCommit/afterTurn.
  Drop upstream's inline afterTurn commit block — dev routes through
  doCommitOVSession. Update addSessionMessage call to 6-arg form.
- memory-ranking.ts: keep dev's multi-slot recall + tool-experience
  separation architecture.

Deferred upstream changes:
- volcengine#1221 agfs→ragfs Rust rewrite: new Rust crates land but Python code
  unchanged; pyagfs handles auto-fallback via RAGFS_IMPL env var.
- volcengine#1159 memory_updater unified operations refactor: kept dev's separate
  write/edit function structure to avoid cascading schema changes through
  extract_loop and related files.

Critical security + bug fixes preserved from upstream:
- volcengine#1319 leaked token removed from settings.py
- volcengine#1133 SSRF hardening on HTTP resource ingestion
- volcengine#1297 sanitize and cap recall queries (wraps our plugin recall)
- volcengine#1277 configurable embedding circuit breaker
- volcengine#1279 trusted mode without API key restricted to localhost
- volcengine#1211 PID lock recycle + ownership checks + compressor refs
- volcengine#1182 task API ownership leakage fix in content.py
- volcengine#1301 embedder async contention reduction
- volcengine#1226 prevent VLM blocking startup hang in redo recovery
- volcengine#769/volcengine#792 queuefs dedupe memory semantic parent enqueues

Critical dev fixes preserved:
- [Keywords] placeholder root-cause fix (brain-hardening plan phase 1)
- Episodic memory v2 (retrieval scope, category boosts, archive filter)
- Qwen-9B small-model extraction compatibility
- Plugin recall refactor (tool-experience separation, multi-tier recall)
- Context-type centralized inference (convergent with upstream fix)
- BGE-M3 embedding input truncation
- URI normalization + collision-safe entity writes

Merged on dev-local2 safety branch. Next steps: build + test before
fast-forwarding dev.

Co-Authored-By: claude-flow <ruv@ruv.net>

Author: nvidia

.github/workflows/_build.yml

@@ -237,12 +237,17 @@ jobs:
         mkdir -p openviking/bin
         cp target/${{ matrix.arch == 'aarch64' && 'aarch64-unknown-linux-gnu' || 'x86_64-unknown-linux-gnu' }}/release/ov openviking/bin/
         chmod +x openviking/bin/ov
+
     - name: Clean workspace (force ignore dirty)
       shell: bash
       run: |
+        # Back up pre-built artifacts before cleaning
+        cp -a openviking/bin /tmp/_ov_bin || true
         git reset --hard HEAD
         git clean -fd
         rm -rf openviking/_version.py openviking.egg-info
+        # Restore pre-built artifacts
+        cp -a /tmp/_ov_bin openviking/bin || true
         # Ignore uv.lock changes to avoid dirty state in setuptools_scm
         git update-index --assume-unchanged uv.lock || true
 
@@ -257,6 +262,8 @@ jobs:
         git status --ignored
         echo "=== Check openviking/_version.py ==="
         if [ -f openviking/_version.py ]; then cat openviking/_version.py; else echo "Not found"; fi
+        echo "=== Verify pre-built artifacts survived clean ==="
+        ls -la openviking/bin/ || true
 
     - name: Build package (Wheel Only)
       run: uv build --wheel
@@ -276,11 +283,8 @@ jobs:
     - name: Repair wheels (Linux)
       run: |
         uv pip install auditwheel
-        # Repair wheels and output to a temporary directory
         uv run auditwheel repair dist/*.whl -w dist_fixed
-        # Remove original non-compliant wheels
         rm dist/*.whl
-        # Move repaired wheels back to dist
         mv dist_fixed/*.whl dist/
         rmdir dist_fixed
 
@@ -405,12 +409,17 @@ jobs:
           cp target/release/ov openviking/bin/
           chmod +x openviking/bin/ov
         fi
+
     - name: Clean workspace (force ignore dirty)
       shell: bash
       run: |
+        # Back up pre-built artifacts before cleaning
+        cp -a openviking/bin /tmp/_ov_bin || true
         git reset --hard HEAD
         git clean -fd
         rm -rf openviking/_version.py openviking.egg-info
+        # Restore pre-built artifacts
+        cp -a /tmp/_ov_bin openviking/bin || true
         # Ignore uv.lock changes to avoid dirty state in setuptools_scm
         git update-index --assume-unchanged uv.lock || true
 
@@ -425,6 +434,8 @@ jobs:
         git status --ignored
         echo "=== Check openviking/_version.py ==="
         if [ -f openviking/_version.py ]; then cat openviking/_version.py; else echo "Not found"; fi
+        echo "=== Verify pre-built artifacts survived clean ==="
+        ls -la openviking/bin/ || true
 
     - name: Build package (Wheel Only)
       run: uv build --wheel

.github/workflows/api_test.yml

@@ -1,4 +1,4 @@
-name: 03. API Integration Tests
+name: 06. API Integration Tests
 
 on:
   workflow_dispatch:
@@ -42,10 +42,12 @@ jobs:
   api-tests:
     name: API Integration Tests (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 50
     strategy:
       fail-fast: false
+      max-parallel: 2
       matrix:
-        os: [ubuntu-24.04, ubuntu-24.04-arm, macos-14, macos-15-intel, windows-latest]
+        os: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && fromJSON('["ubuntu-24.04", "macos-14", "windows-latest"]') || fromJSON('["ubuntu-24.04"]') }}
 
     steps:
       - uses: actions/checkout@v6
@@ -58,24 +60,17 @@ jobs:
           python-version: '3.10'
 
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@v5
+        continue-on-error: true
         with:
           path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-${{ hashFiles('third_party/agfs/**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
 
-      - name: Cache C++ extensions
-        uses: actions/cache@v4
-        with:
-          path: openviking/pyagfs
-          key: ${{ runner.os }}-cpp-${{ hashFiles('**/CMakeLists.txt', '**/*.cpp', '**/*.h') }}
-          restore-keys: |
-            ${{ runner.os }}-cpp-
-
       - name: Cache Python dependencies (Unix)
         if: runner.os != 'Windows'
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt', '**/pyproject.toml') }}
@@ -84,7 +79,7 @@ jobs:
 
       - name: Cache Python dependencies (Windows)
         if: runner.os == 'Windows'
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~\AppData\Local\pip\Cache
           key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt', '**/pyproject.toml') }}
@@ -94,7 +89,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.22'
+          go-version: '1.25.1'
 
       - name: Install system dependencies (Ubuntu)
         if: runner.os == 'Linux'
@@ -109,7 +104,7 @@ jobs:
       - name: Install system dependencies (Windows)
         if: runner.os == 'Windows'
         run: |
-          choco install cmake -y
+          echo "cmake is pre-installed on Windows runner and will also be installed via pip"
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
@@ -415,7 +410,8 @@ jobs:
             echo "Running basic tests only (no VLM/Embedding)"
             uv run python -m pytest . -v --html=api-test-report.html --self-contained-html \
               --ignore=retrieval/ --ignore=resources/test_pack.py --ignore=resources/test_wait_processed.py \
-              --ignore=admin/ --ignore=skills/ --ignore=system/test_system_status.py --ignore=system/test_is_healthy.py --ignore=system/test_system_wait.py -k "not test_observer"
+              --ignore=admin/ --ignore=skills/ --ignore=system/test_system_status.py --ignore=system/test_is_healthy.py --ignore=system/test_system_wait.py \
+              --ignore=scenarios/ -k "not test_observer"
           fi
         continue-on-error: true
 
@@ -433,7 +429,7 @@ jobs:
             uv run python -m pytest . -v --html=api-test-report.html --self-contained-html --ignore=filesystem/
           } else {
             Write-Host "Running basic tests only (no VLM/Embedding, Windows: skipping filesystem tests)"
-            uv run python -m pytest . -v --html=api-test-report.html --self-contained-html --ignore=retrieval/ --ignore=resources/test_pack.py --ignore=resources/test_wait_processed.py --ignore=admin/ --ignore=skills/ --ignore=system/test_system_status.py --ignore=system/test_is_healthy.py --ignore=system/test_system_wait.py --ignore=filesystem/ -k "not test_observer"
+            uv run python -m pytest . -v --html=api-test-report.html --self-contained-html --ignore=retrieval/ --ignore=resources/test_pack.py --ignore=resources/test_wait_processed.py --ignore=admin/ --ignore=skills/ --ignore=system/test_system_status.py --ignore=system/test_is_healthy.py --ignore=system/test_system_wait.py --ignore=filesystem/ --ignore=scenarios/ -k "not test_observer"
           }
         continue-on-error: true
 

.github/workflows/build-docker-image.yml

@@ -8,6 +8,7 @@ on:
         required: true
         type: string
   push:
+    branches: [ main ]
     tags: [ "v*.*.*" ]
 
 env:
@@ -52,41 +53,79 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v6
         with:
-          images: ${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }}
+          images: |
+            ${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }}
+            docker.io/${{ secrets.DOCKERHUB_USERNAME }}/openviking
           tags: |
             type=raw,value=${{ github.event.inputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }}
             type=ref,event=tag,enable=${{ github.ref_type == 'tag' }}
+            type=raw,value=latest,enable=${{ github.ref_type == 'tag' }}
+            type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
-      - name: Build and push Docker image
-        id: push
+      - name: Build and push Docker image to GHCR
+        id: push-ghcr
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: ${{ matrix.platform }}
+          outputs: |
+            type=image,name=${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }},push-by-digest=true,name-canonical=true,push=true
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            # fallback to 0.0.0 if no version is provided
+            OPENVIKING_VERSION=${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.version) || (github.ref_type == 'tag' && github.ref_name) || '0.0.0' }}
+
+      - name: Build and push Docker image to Docker Hub
+        id: push-dockerhub
         uses: docker/build-push-action@v7
         with:
           context: .
           platforms: ${{ matrix.platform }}
-          outputs: type=image,name=${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }},push-by-digest=true,name-canonical=true,push=true
+          outputs: |
+            type=image,name=docker.io/${{ secrets.DOCKERHUB_USERNAME }}/openviking,push-by-digest=true,name-canonical=true,push=true
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             # fallback to 0.0.0 if no version is provided
             OPENVIKING_VERSION=${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.version) || (github.ref_type == 'tag' && github.ref_name) || '0.0.0' }}
 
-      - name: Export image digest
+      - name: Export GHCR image digest
         run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.push.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
+          mkdir -p /tmp/digests-ghcr
+          ghcr_digest="${{ steps.push-ghcr.outputs.digest }}"
+          touch "/tmp/digests-ghcr/${ghcr_digest#sha256:}"
 
-      - name: Upload image digest
+      - name: Upload GHCR image digest
         uses: actions/upload-artifact@v7
         with:
-          name: docker-digests-${{ matrix.arch }}
-          path: /tmp/digests/*
+          name: docker-digests-ghcr-${{ matrix.arch }}
+          path: /tmp/digests-ghcr/*
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Export Docker Hub image digest
+        run: |
+          mkdir -p /tmp/digests-dockerhub
+          dockerhub_digest="${{ steps.push-dockerhub.outputs.digest }}"
+          touch "/tmp/digests-dockerhub/${dockerhub_digest#sha256:}"
+
+      - name: Upload Docker Hub image digest
+        uses: actions/upload-artifact@v7
+        with:
+          name: docker-digests-dockerhub-${{ matrix.arch }}
+          path: /tmp/digests-dockerhub/*
           if-no-files-found: error
           retention-days: 1
 
@@ -117,43 +156,81 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v6
         with:
-          images: ${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }}
+          images: |
+            ${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }}
+            docker.io/${{ secrets.DOCKERHUB_USERNAME }}/openviking
           tags: |
             type=raw,value=${{ github.event.inputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }}
             type=ref,event=tag,enable=${{ github.ref_type == 'tag' }}
+            type=raw,value=latest,enable=${{ github.ref_type == 'tag' }}
+            type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
-      - name: Download image digests
+      - name: Download GHCR image digests
         uses: actions/download-artifact@v8
         with:
-          pattern: docker-digests-*
-          path: /tmp/digests
+          pattern: docker-digests-ghcr-*
+          path: /tmp/digests-ghcr
+          merge-multiple: true
+
+      - name: Download Docker Hub image digests
+        uses: actions/download-artifact@v8
+        with:
+          pattern: docker-digests-dockerhub-*
+          path: /tmp/digests-dockerhub
           merge-multiple: true
 
       - name: Create multi-arch manifests
         env:
           SOURCE_TAGS: ${{ steps.meta.outputs.tags }}
         run: |
-          image_refs=()
-          for digest_file in /tmp/digests/*; do
+          # Collect image references for both registries
+          ghcr_image_refs=()
+          dockerhub_image_refs=()
+          for digest_file in /tmp/digests-ghcr/*; do
+            [ -e "$digest_file" ] || continue
+            digest="sha256:$(basename "$digest_file")"
+            ghcr_image_refs+=("${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }}@${digest}")
+          done
+          for digest_file in /tmp/digests-dockerhub/*; do
             [ -e "$digest_file" ] || continue
-            image_refs+=("${{ env.REGISTRY }}/${{ steps.image-name.outputs.image }}@sha256:$(basename "$digest_file")")
+            digest="sha256:$(basename "$digest_file")"
+            dockerhub_image_refs+=("docker.io/${{ secrets.DOCKERHUB_USERNAME }}/openviking@${digest}")
           done
 
-          [ ${#image_refs[@]} -gt 0 ] || {
-            echo "No image digests found" >&2
+          [ ${#ghcr_image_refs[@]} -gt 0 ] || {
+            echo "No GHCR image digests found" >&2
+            exit 1
+          }
+          [ ${#dockerhub_image_refs[@]} -gt 0 ] || {
+            echo "No Docker Hub image digests found" >&2
             exit 1
           }
 
+          # Create manifests for all tags
           while IFS= read -r tag; do
             [ -n "$tag" ] || continue
-            docker buildx imagetools create \
-              --tag "$tag" \
-              "${image_refs[@]}"
+
+            # Determine which registry this tag belongs to
+            if [[ "$tag" == ghcr.io/* ]]; then
+              docker buildx imagetools create \
+                --tag "$tag" \
+                "${ghcr_image_refs[@]}"
+            elif [[ "$tag" == docker.io/* ]]; then
+              docker buildx imagetools create \
+                --tag "$tag" \
+                "${dockerhub_image_refs[@]}"
+            fi
           done <<< "$SOURCE_TAGS"

.github/workflows/ci.yml

@@ -23,8 +23,5 @@ permissions:
   security-events: write
 
 jobs:
-  test-full:
-    uses: ./.github/workflows/_test_full.yml
-
   security-scan:
     uses: ./.github/workflows/_codeql.yml