v3.0.0

.github/workflows/ci.yml

@@ -7,8 +7,21 @@ on:
     branches: [main]
 
 jobs:
+  docs-lint:
+    name: Markdown lint (changelog)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+      - run: npm ci
+      - run: npm run lint:md:changelog
+
   test:
     runs-on: ubuntu-latest
+    needs: docs-lint
     strategy:
       matrix:
         node-version: [18.x, 20.x, 22.x]
@@ -75,3 +88,34 @@ jobs:
             echo "FAIL: budget is 15000, got $BYTES"
             exit 1
           fi
+
+  policy-schema-sync:
+    name: Policy schema sync with skill repo
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+      - name: Fetch skill repo's mirrored schema
+        run: |
+          HTTP=$(curl -o /tmp/skill-policy.schema.json -w "%{http_code}" -fsSL --retry 3 \
+            https://raw.githubusercontent.com/OpenWonderLabs/openclaw-switchbot-skill/main/examples/policy.schema.json \
+            2>/dev/null || echo "000")
+          if [ "$HTTP" = "404" ] || [ "$HTTP" = "000" ]; then
+            echo "SKIP: skill repo schema not yet published (HTTP $HTTP). Skipping drift check."
+            exit 0
+          fi
+          if [ "$HTTP" != "200" ]; then
+            echo "WARN: unexpected HTTP $HTTP fetching skill schema. Skipping drift check."
+            exit 0
+          fi
+          echo "Fetched skill schema (HTTP $HTTP). Diffing against CLI v0.2 source of truth..."
+          if ! diff -u /tmp/skill-policy.schema.json src/policy/schema/v0.2.json; then
+            echo ""
+            echo "FAIL: policy schema drift detected."
+            echo "  CLI source: src/policy/schema/v0.2.json"
+            echo "  Skill copy: https://github.com/OpenWonderLabs/openclaw-switchbot-skill/blob/main/examples/policy.schema.json"
+            echo ""
+            echo "Sync the skill's examples/policy.schema.json from the CLI file and cut a matching skill release."
+            exit 1
+          fi
+          echo "OK: policy schema matches skill repo."

.github/workflows/keychain-matrix.yml

@@ -0,0 +1,101 @@
+name: Keychain OS Matrix
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'src/credentials/**'
+      - 'src/install/**'
+      - 'tests/credentials/**'
+      - 'tests/install/**'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'src/credentials/**'
+      - 'src/install/**'
+      - 'tests/credentials/**'
+      - 'tests/install/**'
+  workflow_dispatch:
+
+# Each job installs Node, builds, and runs the credential + install-step
+# test suites against the real OS keychain backend. The unit tests (which
+# mock spawn) pass on ubuntu-latest in the main CI; here we verify
+# that the live system commands are available and callable.
+
+jobs:
+  keychain-macos:
+    name: Keychain — macOS
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+      - run: npm ci
+      - run: npm run build
+
+      # Create and unlock a temporary keychain so the macOS backend can
+      # write entries without prompting the System Keychain.
+      - name: Set up temporary keychain
+        run: |
+          security create-keychain -p "" switchbot-ci.keychain
+          security set-keychain-settings -lut 3600 switchbot-ci.keychain
+          security unlock-keychain -p "" switchbot-ci.keychain
+          security list-keychains -d user -s switchbot-ci.keychain $(security list-keychains -d user | sed s/\"//g)
+          echo "SWITCHBOT_CI_KEYCHAIN=switchbot-ci.keychain" >> "$GITHUB_ENV"
+
+      - name: Run credential + install-step tests
+        run: npm test -- tests/credentials tests/install
+
+      - name: Delete temporary keychain
+        if: always()
+        run: |
+          security delete-keychain switchbot-ci.keychain || true
+
+  keychain-linux:
+    name: Keychain — Linux (libsecret)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install libsecret + D-Bus session tooling
+        run: |
+          sudo apt-get update -q
+          sudo apt-get install -y --no-install-recommends \
+            libsecret-tools \
+            gnome-keyring \
+            dbus-x11
+
+      - run: npm ci
+      - run: npm run build
+
+      # Start a D-Bus session and unlock gnome-keyring so secret-tool can
+      # store entries. The keyring is unlocked with an empty password.
+      - name: Run credential + install-step tests inside D-Bus session
+        run: |
+          eval "$(dbus-launch --sh-syntax)"
+          echo "" | gnome-keyring-daemon --daemonize --unlock --components=secrets
+          export DBUS_SESSION_BUS_ADDRESS
+          npm test -- tests/credentials tests/install
+
+  keychain-windows:
+    name: Keychain — Windows (Credential Manager)
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+      - run: npm ci
+      - run: npm run build
+
+      # Windows Credential Manager is available to any logged-in user on
+      # GitHub-hosted Windows runners; no extra setup required.
+      - name: Run credential + install-step tests
+        run: npm test -- tests/credentials tests/install

.gitignore

@@ -30,3 +30,5 @@ CLAUDE.md
 2026-04-10-155920-command-messageinitcommand-message.txt
 tmp/
 smoke-v3/
+switchbot-skill/
+docs/superpowers/

.markdownlint.jsonc

@@ -0,0 +1,7 @@
+{
+  "default": true,
+  "MD013": false,
+  "MD024": {
+    "siblings_only": true
+  }
+}