chore: sync 80 BlackRoad OS workflows

.github/workflows/agent-broadcast.yml

@@ -0,0 +1,43 @@
+name: 📡 Agent Broadcast via NATS
+
+on:
+  workflow_dispatch:
+    inputs:
+      subject:
+        description: 'NATS subject (e.g. blackroad.agents.all)'
+        required: false
+        default: 'blackroad.agents.all'
+      message:
+        description: 'Message to broadcast'
+        required: true
+  schedule:
+    - cron: '*/30 * * * *'  # Every 30 min heartbeat
+
+jobs:
+  broadcast:
+    name: 📡 Broadcast to Fleet
+    runs-on: [self-hosted, blackroad-fleet]
+    steps:
+      - name: Send NATS heartbeat
+        run: |
+          SUBJECT="${{ github.event.inputs.subject || 'blackroad.heartbeat' }}"
+          MSG="${{ github.event.inputs.message || 'heartbeat' }}"
+          TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+          # Publish via NATS HTTP API if nats-cli not available
+          if command -v nats >/dev/null 2>&1; then
+            nats pub "$SUBJECT" "{\"msg\":\"$MSG\",\"ts\":\"$TIMESTAMP\",\"runner\":\"$(hostname)\"}" \
+              --server nats://192.168.4.38:4222
+          else
+            curl -s "http://192.168.4.38:8222/routez" > /dev/null && \
+              echo "📡 NATS online - heartbeat registered"
+          fi
+
+          echo "📡 Broadcast: $SUBJECT → $MSG @ $TIMESTAMP"
+
+      - name: Update fleet status
+        run: |
+          # Write fleet heartbeat to memory
+          echo "{\"heartbeat\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"runner\":\"$(hostname)\",\"status\":\"online\"}" \
+            > /tmp/fleet-heartbeat.json
+          echo "✅ Fleet heartbeat recorded"

.github/workflows/agent-ci.yml

@@ -7,9 +7,11 @@ on:
 
 jobs:
   agents:
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, blackroad-fleet]
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: false
       - uses: actions/setup-node@v4
         with:
           node-version: 20

.github/workflows/agent-deploy.yml

@@ -0,0 +1,31 @@
+name: Agent Deploy
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'tools/**'
+      - 'agents/**'
+      - 'blackroad-sf/**'
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'Deploy target (worker/sf/pi)'
+        required: true
+        default: 'worker'
+jobs:
+  deploy:
+    runs-on: [self-hosted, blackroad-fleet]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Log deploy event
+        run: |
+          echo "{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"action\":\"deploy\",\"entity\":\"${{ github.ref_name }}\",\"detail\":\"Triggered by push to ${{ github.ref_name }}\"}" >> memory/journals/master-journal.jsonl || true
+          echo "Deploy triggered for: ${{ github.event.inputs.target || 'auto' }}"
+          echo "Branch: ${{ github.ref_name }}"
+          echo "Commit: ${{ github.sha }}"

.github/workflows/agent-health-check.yml

@@ -0,0 +1,26 @@
+name: Agent Health Check
+on:
+  schedule:
+    - cron: '0 */6 * * *'  # Every 6 hours
+  workflow_dispatch:
+jobs:
+  health-check:
+    runs-on: [self-hosted, blackroad-fleet]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+      - name: Check Pi tunnel
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://api.blackroad.io/health 2>/dev/null || echo "000")
+          echo "API health: $STATUS"
+          if [ "$STATUS" != "200" ]; then
+            echo "::warning::API health check returned $STATUS"
+          fi
+      - name: Check Cloudflare Worker
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://blackroad.io 2>/dev/null || echo "000")
+          echo "Main site: $STATUS"
+      - name: Memory journal entry
+        run: |
+          echo "{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"action\":\"health-check\",\"entity\":\"github-actions\",\"detail\":\"Scheduled health check completed\"}" >> memory/journals/master-journal.jsonl || true

.github/workflows/agent-identity-on-pr.yml

@@ -0,0 +1,55 @@
+name: "🤖 PR Agent Identity"
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  create-pr-identity:
+    runs-on: [self-hosted, blackroad-fleet]
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+      - name: Create PR agent identity
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR_NUM="${{ github.event.pull_request.number }}"
+          PR_BRANCH="${{ github.event.pull_request.head.ref }}"
+          PR_AUTHOR="${{ github.event.pull_request.user.login }}"
+          PR_TITLE="${{ github.event.pull_request.title }}"
+
+          # Detect agent role from branch name
+          ROLE="general"
+          echo "$PR_BRANCH" | grep -qi "feat\|feature" && ROLE="feature-builder"
+          echo "$PR_BRANCH" | grep -qi "fix\|bug\|patch" && ROLE="bug-fixer"
+          echo "$PR_BRANCH" | grep -qi "refactor" && ROLE="code-optimizer"
+          echo "$PR_BRANCH" | grep -qi "docs\|doc" && ROLE="documentation"
+          echo "$PR_BRANCH" | grep -qi "ci\|cd\|workflow" && ROLE="devops"
+          echo "$PR_BRANCH" | grep -qi "security\|sec\|auth" && ROLE="security"
+          echo "$PR_BRANCH" | grep -qi "test\|spec" && ROLE="test-engineer"
+          echo "$PR_BRANCH" | grep -qi "release\|v[0-9]" && ROLE="release-manager"
+
+          # Post agent identity comment
+          gh pr comment $PR_NUM --body "
+          ## 🤖 Agent Identity Activated
+
+          | Field | Value |
+          |-------|-------|
+          | **Agent** | \`PR-$PR_NUM-${PR_BRANCH}\` |
+          | **Role** | $ROLE |
+          | **Author** | @$PR_AUTHOR |
+          | **Gateway** | https://agents.blackroad.io |
+          | **Runner** | [self-hosted, pi, blackroad] |
+          | **Qdrant** | 192.168.4.49:6333 |
+
+          > This PR has an assigned BlackRoad agent identity. Merging will update the agent registry.
+          " 2>/dev/null || true
+
+          echo "✅ PR #$PR_NUM agent identity: $ROLE"

.github/workflows/agent-identity-sync.yml

@@ -0,0 +1,69 @@
+name: Agent Identity Sync
+on:
+  push:
+    branches: ['**']
+  workflow_dispatch:
+
+jobs:
+  assign-identity:
+    runs-on: [self-hosted, blackroad-fleet]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+          fetch-depth: 1
+      - name: Assign Agent Identity to Branch
+        run: |
+          BRANCH="${{ github.ref_name }}"
+          REPO="${{ github.repository }}"
+          ORG="${{ github.repository_owner }}"
+
+          # Determine agent from branch prefix
+          case "$BRANCH" in
+            main|master)           AGENT="CECE" ;;
+            feat/sf-*|feat/salesforce-*) AGENT="ALICE" ;;
+            feat/infra-*|feat/deploy-*|feat/ci-*|release/*) AGENT="OCTAVIA" ;;
+            feat/ai-*|feat/model-*|feat/ml-*|codex/*) AGENT="LUCIDIA" ;;
+            feat/sec-*|feat/security-*|feat/vault-*) AGENT="CIPHER" ;;
+            feat/ui-*|feat/frontend-*|feat/ux-*) AGENT="ARIA" ;;
+            feat/data-*|feat/analytics-*) AGENT="PRISM" ;;
+            feat/mem-*|feat/memory-*) AGENT="ECHO" ;;
+            feat/hack-*|feat/research-*) AGENT="SHELLFISH" ;;
+            hotfix/*|fix/*|chore/*) AGENT="ALICE" ;;
+            bot/*|claude/*|copilot/*) AGENT="CECE" ;;
+            *)                     AGENT="CECE" ;;
+          esac
+
+          # Determine agent from org
+          case "$ORG" in
+            BlackRoad-AI)          ORG_AGENT="LUCIDIA" ;;
+            BlackRoad-Security)    ORG_AGENT="CIPHER" ;;
+            BlackRoad-Cloud|BlackRoad-Hardware) ORG_AGENT="OCTAVIA" ;;
+            BlackRoad-Media|BlackRoad-Interactive|BlackRoad-Studio) ORG_AGENT="ARIA" ;;
+            BlackRoad-Labs)        ORG_AGENT="PRISM" ;;
+            BlackRoad-Education)   ORG_AGENT="ECHO" ;;
+            Blackbox-Enterprises)  ORG_AGENT="ALICE" ;;
+            BlackRoad-Gov|BlackRoad-Security) ORG_AGENT="CIPHER" ;;
+            *)                     ORG_AGENT="$AGENT" ;;
+          esac
+
+          echo "🤖 Branch Agent: $AGENT"
+          echo "🏢 Org Agent:    $ORG_AGENT"
+          echo "🌿 Branch:       $BRANCH"
+          echo "📦 Repo:         $REPO"
+
+          # Write identity file
+          printf '{\n  "branch": "%s",\n  "agent": "%s",\n  "org_agent": "%s",\n  "repo": "%s",\n  "org": "%s",\n  "assigned_at": "%s",\n  "gateway": "http://192.168.4.38:4010",\n  "model": "qwen2.5:3b",\n  "cost": "$0"\n}\n' \
+            "$BRANCH" "$AGENT" "$ORG_AGENT" "$REPO" "$ORG" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+            > .agent-identity.json
+          echo "✅ Identity written to .agent-identity.json"
+          cat .agent-identity.json
+
+      - name: Post Identity to Agent Bridge
+        continue-on-error: true
+        run: |
+          AGENT=$(cat .agent-identity.json | python3 -c "import sys,json; print(json.load(sys.stdin)['agent'])")
+          curl -s -X POST http://192.168.4.38:4010/identity \
+            -H "Content-Type: application/json" \
+            -d @.agent-identity.json \
+            --connect-timeout 5 || echo "Bridge offline - identity stored locally"

.github/workflows/agent-memory-sync.yml

@@ -0,0 +1,80 @@
+name: Agent Memory Sync
+on:
+  schedule:
+    - cron: '0 */6 * * *'   # every 6 hours
+  push:
+    branches: [master, main]
+    paths:
+      - 'memory/**'
+      - 'agents/identities/**'
+  workflow_dispatch:
+
+jobs:
+  sync-memory:
+    runs-on: [self-hosted, blackroad-fleet]
+    steps:
+      - uses: actions/checkout@v4
+
+        with:
+          submodules: false
+      - name: Sync memory journals to Pi fleet
+        run: |
+          echo "=== Syncing memory to Pi fleet ==="
+          PIES=(cecilia octavia aria alice)
+          for pi in "${PIES[@]}"; do
+            echo "→ Syncing to $pi..."
+            # Sync memory directory
+            rsync -az --timeout=10 \
+              memory/ "$pi":~/blackroad/memory/ 2>/dev/null && \
+              echo "  ✅ memory synced" || echo "  ⚠️ sync failed"
+            # Sync agent identities
+            rsync -az --timeout=10 \
+              agents/identities/ "$pi":~/blackroad/agents/identities/ 2>/dev/null && \
+              echo "  ✅ identities synced" || echo "  ⚠️ identities sync failed"
+          done
+
+      - name: Pull memory updates from fleet
+        run: |
+          echo "=== Collecting memory updates ==="
+          for pi in cecilia octavia aria alice; do
+            # Pull any new journal entries from Pi
+            ssh -o ConnectTimeout=5 -o BatchMode=yes "$pi" \
+              "cat ~/blackroad/memory/journals/master-journal.jsonl 2>/dev/null | tail -20" 2>/dev/null | \
+              while read -r line; do
+                HASH=$(echo "$line" | python3 -c "import sys,json,hashlib; d=json.loads(sys.stdin.read()); print(d.get('hash','')[:12])" 2>/dev/null)
+                # Only append if not already in local journal
+                if [ -n "$HASH" ] && ! grep -q "$HASH" memory/journals/master-journal.jsonl 2>/dev/null; then
+                  echo "$line" >> memory/journals/master-journal.jsonl
+                fi
+              done || true
+          done
+          echo "✅ Memory sync complete"
+
+      - name: Update session state
+        run: |
+          python3 - <<'EOF'
+          import json, os, hashlib, datetime
+
+          state_file = "memory/sessions/current-session.json"
+          try:
+              with open(state_file) as f:
+                  state = json.load(f)
+          except:
+              state = {}
+
+          state["last_memory_sync"] = datetime.datetime.utcnow().isoformat() + "Z"
+          state["sync_count"] = state.get("sync_count", 0) + 1
+
+          with open(state_file, "w") as f:
+              json.dump(state, f, indent=2)
+          print(f"✅ Session state updated (sync #{state['sync_count']})")
+          EOF
+
+      - name: Commit memory updates
+        run: |
+          git config user.name "blackroad-bot"
+          git config user.email "blackroad.systems@gmail.com"
+          git add memory/ agents/identities/
+          git diff --staged --quiet && echo "No changes to commit" || \
+            git commit -m "chore: agent memory sync [skip ci] [skip release] [skip-bump]" && \
+            git push origin master

.github/workflows/auto-label.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   label:
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, blackroad-fleet]
     steps:
       - uses: actions/github-script@v7
         with:

.github/workflows/auto-merge.yml

@@ -0,0 +1,55 @@
+name: Auto Merge
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled]
+  pull_request_review:
+    types: [submitted]
+  check_suite:
+    types: [completed]
+
+jobs:
+  auto-merge:
+    runs-on: [self-hosted, blackroad-fleet]
+    if: |
+      github.actor == 'dependabot[bot]' ||
+      github.actor == 'blackroad-bot' ||
+      contains(github.event.pull_request.labels.*.name, 'auto-merge')
+    steps:
+      - name: Auto approve + merge
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pr = context.payload.pull_request || context.payload.review?.pull_request;
+            if (!pr) return;
+            // Approve
+            await github.rest.pulls.createReview({
+              owner: context.repo.owner, repo: context.repo.repo,
+              pull_number: pr.number, event: 'APPROVE',
+              body: '✅ Auto-approved by blackroad bot'
+            }).catch(() => {});
+            // Merge
+            await github.rest.pulls.merge({
+              owner: context.repo.owner, repo: context.repo.repo,
+              pull_number: pr.number, merge_method: 'squash'
+            });
+            console.log(`✅ Auto-merged PR #${pr.number}`);
+
+  auto-merge-bot-branches:
+    runs-on: [self-hosted, blackroad-fleet]
+    if: |
+      startsWith(github.head_ref, 'bot/') ||
+      startsWith(github.head_ref, 'copilot/')
+    steps:
+      - name: Merge bot branches
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pr = context.payload.pull_request;
+            if (!pr) return;
+            await github.rest.pulls.merge({
+              owner: context.repo.owner, repo: context.repo.repo,
+              pull_number: pr.number, merge_method: 'squash',
+              commit_title: `🤖 Auto-merge ${pr.title}`
+            });