Skip to content

chore(deps): bump ggml-org/llama.cpp from d0cd0c4 to 13f6175 in /server#115

Closed
dependabot[bot] wants to merge 20 commits into
developfrom
dependabot/docker/server/ggml-org/llama.cpp-d0cd0c4
Closed

chore(deps): bump ggml-org/llama.cpp from d0cd0c4 to 13f6175 in /server#115
dependabot[bot] wants to merge 20 commits into
developfrom
dependabot/docker/server/ggml-org/llama.cpp-d0cd0c4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps ggml-org/llama.cpp from d0cd0c4 to 13f6175.

Commits

dvcdsys and others added 15 commits June 23, 2026 12:04
Our flow is feature -> develop (dev/manual tests) -> main (release), but
Dependabot defaulted to the repo default branch (main), so weekly version
bumps landed straight on main, bypassing develop. Set target-branch:
"develop" on all five update blocks (gomod x2, npm, docker, github-actions)
so scheduled version PRs go to develop.

Note: Dependabot reads this config from the default branch (main), so the
change only takes effect once it reaches main. Security (alert-triggered)
updates still target the default branch by platform design.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump the go group in /server with 6 updates

Bumps the go group in /server with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/getkin/kin-openapi](https://github.com/getkin/kin-openapi) | `0.135.0` | `0.140.0` |
| [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) | `5.2.4` | `5.3.0` |
| [github.com/oapi-codegen/runtime](https://github.com/oapi-codegen/runtime) | `1.4.0` | `1.4.2` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.52.0` | `0.53.0` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.20.0` | `0.21.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.34.1` | `1.53.0` |


Updates `github.com/getkin/kin-openapi` from 0.135.0 to 0.140.0
- [Release notes](https://github.com/getkin/kin-openapi/releases)
- [Commits](getkin/kin-openapi@v0.135.0...v0.140.0)

Updates `github.com/go-chi/chi/v5` from 5.2.4 to 5.3.0
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.2.4...v5.3.0)

Updates `github.com/oapi-codegen/runtime` from 1.4.0 to 1.4.2
- [Release notes](https://github.com/oapi-codegen/runtime/releases)
- [Commits](oapi-codegen/runtime@v1.4.0...v1.4.2)

Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](golang/crypto@v0.52.0...v0.53.0)

Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
- [Commits](golang/sync@v0.20.0...v0.21.0)

Updates `modernc.org/sqlite` from 1.34.1 to 1.53.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.34.1...v1.53.0)

---
updated-dependencies:
- dependency-name: github.com/getkin/kin-openapi
  dependency-version: 0.140.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/oapi-codegen/runtime
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: golang.org/x/sync
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: modernc.org/sqlite
  dependency-version: 1.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… in the go group (#97)

* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump github.com/spf13/cobra in /cli in the go group

Bumps the go group in /cli with 1 update: [github.com/spf13/cobra](https://github.com/spf13/cobra).


Updates `github.com/spf13/cobra` from 1.8.0 to 1.10.2
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.8.0...v1.10.2)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-version: 1.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…shboard (#103)

* docs: add reindex-after-upgrade disclaimer to README

* chore(deps-dev): bump @babel/core in /server/dashboard

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.29.0 to 7.29.7.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-version: 7.29.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump alpine from 3.20 to 3.24 in /server

Bumps alpine from 3.20 to 3.24.

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: '3.24'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump actions/setup-go from 5 to 6

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump softprops/action-gh-release from 2 to 3

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2 to 3.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@v2...v3)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump docker/login-action from 3 to 4

Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The Docker Hub repo had grown past 150 GB — Docker Hub never prunes tags,
so every release (~1 GB CUDA) plus scout/test/dev scan tags accumulated
forever (53 tags, ~44 of them stale).

Add server/scripts/dockerhub-prune.sh: a deny-by-default retention policy
that keeps the floating tags (latest, cu128, develop-cu128) + the newest
KEEP_RELEASES (default 3) semver versions, and deletes everything else
(scout-*, *-cu130/-cu126, go-*, *-dev*, ci-test-*, unprefixed 0.x, old
releases). DRY_RUN=true by default; portable across GNU + BSD (macOS) sort.

Enforce it automatically:
- release-server.yml: prune job after each release push (keep newest 3).
- cleanup-dockerhub.yml: weekly sweep + manual dispatch (dry-run default).

Both reuse the existing DOCKER_USERNAME / DOCKER_PASSWORD secrets. Deleted
release tags remain rebuildable via the release workflow_dispatch path.

Also fix portainer-stack-cuda.yml: it still referenced the obsolete
`go-cu128` floating tag (renamed to `cu128` long ago) — a future redeploy
from that file would have failed to pull once go-cu128 is pruned.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump actions/upload-artifact from 4 to 7

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump actions/download-artifact from 4 to 8

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4...v8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…101)

* docs: add reindex-after-upgrade disclaimer to README

* chore(deps): bump golang from 1.25-alpine to 1.26-alpine in /server

Bumps golang from 1.25-alpine to 1.26-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anton Tribulkevich <dvcdsys@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…106)

* feat(cowork): cix in Claude Cowork via MCP connector + skills plugin

Claude Cowork doesn't load Claude Code plugins/hooks/slash-commands and
doesn't shell out to the cix CLI, so cix was unreachable there — exactly
where it's most useful (large cross-repo research). Expose it over MCP.

Two-step, server-centric, multi-server:

- `cix mcp`: stdio MCP server subcommand (cli/cmd/mcp.go, mcp_tools.go) as a
  thin front-end over the existing internal/client HTTP client. 11 tools —
  list servers/projects/workspaces, cross-project workspace_search, and
  per-project search/definitions/references/symbols/files/summary. No cwd
  inference and no "current project"; project (host_path) and workspace are
  explicit, server is an optional per-call selector resolved against a cached
  serverRegistry.
- `cix mcp connect claude`: one-command installer (cli/cmd/mcp_connect.go)
  that registers this binary in claude_desktop_config.json via the official
  mcpServers mechanism — absolute path, preserves other servers, writes .bak,
  idempotent, --print dry-run, disconnect to undo, no secrets.
- cli/mcpb/: optional .mcpb desktop-extension bundle (make mcpb) for
  redistributing the connector to machines without cix.
- plugins/cix-cowork/: skills-only marketplace plugin (2nd entry) — the cix
  and cix-workspace skills adapted from the CLI to the cix_* MCP tools
  (workspace uses sequential cix_search drill-down, no sub-agent; trust-rules
  + troubleshooting in references/). Install after connecting the server.
- doc/COWORK_MCP.md, marketplace 2nd entry, go.mod (MCP SDK), Makefile mcpb.
- fix(plugin): quote the cix-workspace-investigator description so strict
  `claude plugin validate` passes (unquoted "Do not use for:" colon).

The Claude Code `cix` plugin is unchanged (CLI + hooks); this is its Cowork
counterpart over the same cix server.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: slim README to a landing page; add credits, Voyage, team-deploy guide

Cut README from ~790 to ~320 lines by de-duplicating repeated notes
(bootstrap admin, reindex-after-upgrade, drift, GPU) and relocating
reference material into focused docs. No content lost — moved, not deleted.

New docs:
- doc/CLI_REFERENCE.md   — full CLI surface + per-project config
- doc/DASHBOARD.md       — pages, auth, authorization model, drift
- doc/TROUBLESHOOTING.md — common issues + search-quality tuning
- doc/TEAM_DEPLOYMENT.md — self-hosting cix for a team (DevOps guide)

README also gains an Embedding providers section (local / Voyage AI /
OpenAI-compatible — Voyage was already a first-class provider but nearly
invisible) and an Acknowledgements section crediting upstreams.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* refactor(cowork): MCP install/uninstall seam, drop .mcpb, fix min_score & partial-status

Revise the Cowork MCP integration and fix three review findings.

Connector UX & packaging:
- Rename `cix mcp connect|disconnect claude` → `install|uninstall claude-desktop`
  behind a host-registry seam (mcpHosts/lookupHost), so adding hosts
  (e.g. Codex/TOML) is a table entry, not a new command.
- Drop the `.mcpb` desktop-extension path (build.sh/manifest.json, Makefile
  target) — MCP connector + marketplace skills only.
- Rewrite doc/COWORK_MCP.md and plugin docs to match.

Review fixes (MCP must mirror the CLI — it is just another CLI surface):
- cix_search: apply the documented default min_score 0.4 when omitted instead
  of silently sending nothing (server default 0.2). Single source of truth via
  searchDefaultMinScore, shared by the `cix search` flag and the MCP tool.
  min_score is now *float64 — omit → 0.4, explicit (incl 0) → passthrough.
- cix_workspace_search: add the missing min_score parameter (the skill docs
  promise it and the agent errored without it). Thread it through
  client.WorkspaceSearch (server already supports ?min_score=); add a matching
  `cix ws search --min-score` flag for CLI parity.
- formatWorkspaceSearch: surface status=="partial_failure" with a banner, the
  way the CLI renderSearch does, so partial results aren't read as complete.

Add TestRegisterCixTools_SchemaReflection guarding the *float64 schema
reflection. go test ./... green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(cowork): tighten host-config perms & warn on empty partial_failure

- mcp install/uninstall: preserve the host config's file mode and create a
  fresh one private (0o600) instead of 0o644 — it sits next to other MCP
  servers' secret env values; chmod even on overwrite so an already
  world-readable config is tightened rather than left as-is.
- formatWorkspaceSearch: check partial_failure BEFORE the empty-result
  shortcut (like the CLI's renderSearch) so an empty result caused by repo
  failures warns about incomplete coverage instead of reading as "no matches".
- test: cover the empty partial_failure case.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The Go tree-sitter binding cix's AST chunking first grew from. Credit where
the head start came from.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The acknowledgements covered the server stack but omitted two whole
categories. Add them:

- CLI: Cobra, Charm (Bubble Tea/Bubbles/Lip Gloss), the MCP Go SDK (which
  the Cowork integration stands on), rjeczalik/notify, and koanf.
- Dashboard: React + Vite, Radix UI + Tailwind (shadcn/ui pattern), TanStack
  Query, openapi-typescript, lucide, and sonner.

Also point the closing note at server/dashboard/package.json for the full
frontend dependency list.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: docker. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 29, 2026
dvcdsys and others added 5 commits July 2, 2026 12:14
…cts (#120)

* feat(server): read file + list directory endpoints for external projects

Add two read-only, external-project-only capabilities so agents (Claude
Code, and especially Cowork which has no local filesystem) can inspect the
actual contents and file tree of workspace / external repos the harness
cannot see locally:

- POST /api/v1/projects/{path}/file — read a file whole or by line range
- POST /api/v1/projects/{path}/tree — list a directory (one level, ls-like)

Both read from the server-side git worktree (the source of truth; the index
stores only chunks). Gated to EXTERNAL (GitHub-backed) projects via the
existing access.IsProjectExternal helper — local projects return 409 with a
hint to use native filesystem tools. Access is GroupRead (requireProjectAccess).

Safety + concurrency:
- safeJoin rejects path traversal (.., absolute, symlink escape)
- new internal/repolocks package: per-repo RWMutex shared between the file
  read handlers (read-lock) and the clone worker's worktree rewrite
  (write-lock around CloneOrFetch), so a read never observes a mid-reset tree
- size/line/entry caps with truncated flags

Surfaced across all interfaces:
- CLI: cix file <f> [--lines N:M], cix tree [dir]
- MCP: cix_file, cix_tree (external-only, described)
- skills: file/dir section in the three cix SKILL.md + cix-workspace notes,
  new /cix:file and /cix:tree plugin commands

Tests: internal/httpapi/file_test.go covers gating (local 409, uncloned 409,
unauthorized 404, group-shared 200), path traversal, line ranges, tree
listing, and a required concurrency test (5 readers vs a non-atomic writer,
green under -race).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(server): block .git via /file, honest empty-range signal, fail loud past byte cap

Addresses review findings on the file/tree endpoints:

- safeJoin now rejects the repo-root .git segment, so git metadata is
  unreadable via /file too (it was already hidden from /tree). First-segment
  check targets exactly the clone's own .git.
- CLI and MCP renderers decide "no lines" on end_line < start_line (the
  server's authoritative signal) instead of Content == "", which wrongly
  swallowed a legitimate single-blank-line file.
- ReadProjectFile returns 400 with an actionable detail when a line range
  begins past the 2 MiB read cap, instead of a confusing empty 200.

Tests: .git paths added to the traversal test; new TestReadProjectFile_RangePastByteCap.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(server): address PR #120 review — lock ordering, panic-safe locks, honest total_lines

- file.go: take the per-repo read-lock BEFORE path validation so a concurrent
  clone can't swap in an escaping symlink between check and open (TOCTOU)
- file.go: reject inverted line ranges (end<start) with 422 instead of silently
  clamping — enforced server-side for MCP/raw callers, not just the CLI
- file.go: /tree now 400s on a malformed body instead of silently listing root
- file.go: total_lines counts the whole file on disk (streams past the 2 MiB
  content cap) instead of just the buffered slice
- repojobs: run the indexer's worktree walk under the per-repo read-lock so a
  concurrent clone reset can't tear the index across two revisions
- repolocks: add panic-safe WithWrite/WithRead helpers (defer-unlock); the clone
  worker used a plain unlock that leaked the lock forever on a recovered panic
- tests: symlink-swap TOCTOU guard, /tree access-gating, byte-cap total_lines,
  inverted-range 422, malformed-body 400, repolocks panic + mutual-exclusion,
  handleIndex-takes-read-lock, and a FileContent/DirectoryListing wire golden

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* test(cli): file/tree client + MCP compatibility tests; fix(cli): raw-mode truncation warning

- cmd/file.go: emit the truncation warning to stderr in --raw mode too, so
  `cix file … --raw > copy` no longer silently drops capped content
- client/file_test: parse the server's FileContent/DirectoryListing wire shape
  (twin golden of the server-side contract test), assert 422/409/404/400 surface
  as errors, and that an unset range omits start/end from the request body
- cmd/mcp_tools_test: formatFileContent/formatTree rendering, incl. the
  empty-range (end<start) and truncated signals the MCP tools rely on
- cmd/file_test: raw-mode truncation-warning coverage (stdout vs stderr)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…ync in CI

#120 added the `cix tree`/`cix file` guidance block to the plugin copy of
the cix-workspace skill (and to skills/cix/SKILL.md and both cix-cowork
skills) but missed the canonical skills/cix-workspace/SKILL.md — so
sync-skills.sh --check drifted, and a plain `sync-skills.sh` run would have
overwritten the plugin copy and deleted #120's addition.

- Forward-port the block into canonical skills/cix-workspace/SKILL.md
  (plugin was ahead; copy plugin → canonical to restore byte-identity).
- Align the investigator agent `description` quoting (canonical → quoted,
  matching the plugin bundle).
- Wire sync-skills.sh --check into ci-plugin.yml and broaden its path
  triggers to plugins/** and skills/** so a canonical-only edit runs the
  drift check — previously only plugins/cix/** triggered it, the exact gap
  that let #120 drift through unnoticed.
- Validate the cix-cowork plugin manifest in the jq step too.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Upstream ghcr.io/ggml-org/llama.cpp:server-cuda moved past the pinned
digest. Bump to the current digest reported by the weekly pin-freshness
workflow:

  2ea4be9… → d0cd0c4563e046f6ad0c8c27fe78280376d0d645cc3fef7a1ab87c75de08377b

The runtime stage copies all /app/*.so* so a shared-lib layout change
stays robust, but `make scout-cuda` must still rebuild + scan (and
confirm /app/llama-server resolves its libs) before promoting to prod —
release-server.yml runs that scan at tag time.

Closes #108

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… the key input

On plain-HTTP deploys (e.g. http://<lan-ip>:21847) the API-key "created"
popup runs in a non-secure context, so navigator.clipboard is unavailable
and both Copy buttons fall through to the document.execCommand('copy')
fallback (legacyCopy).

That fallback was fragile on WebKit: the reveal screen auto-selects the
"Full key" input on mount, and the copy textarea was hidden with opacity:0.
WebKit refuses execCommand('copy') on effectively-invisible nodes, so the
copy silently read the still-selected key input instead — which made the
"Connect the cix CLI" button copy the bare key instead of the CLI command.

Harden legacyCopy:
- blur the previously focused/selected element so a stale selection can't win
- position the textarea off-screen instead of opacity:0 (a real rendered node)
- setSelectionRange after select() for iOS/older Safari

Verified in Chromium that the copy source is the intended textarea for both
buttons. Frontend-only; no CLI/server change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bumps [ggml-org/llama.cpp](https://github.com/ggml-org/llama.cpp) from `d0cd0c4` to `13f6175`.
- [Release notes](https://github.com/ggml-org/llama.cpp/releases)
- [Commits](https://github.com/ggml-org/llama.cpp/commits)

---
updated-dependencies:
- dependency-name: ggml-org/llama.cpp
  dependency-version: server-cuda
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the base branch from main to develop July 2, 2026 14:25
@dependabot dependabot Bot force-pushed the dependabot/docker/server/ggml-org/llama.cpp-d0cd0c4 branch from 2bc2334 to 2245ce6 Compare July 2, 2026 14:25
@dependabot dependabot Bot changed the title chore(deps): bump ggml-org/llama.cpp from 2ea4be9 to d0cd0c4 in /server chore(deps): bump ggml-org/llama.cpp from d0cd0c4 to 13f6175 in /server Jul 2, 2026

- name: Create develop release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@v3

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@v4

- name: Create GitHub release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@v3

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@v4

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@v4

- name: Create GitHub release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@v3
return
}

info, err := os.Stat(full)
}

// Read at most maxFileBytes+1 so we can detect (and flag) oversize files.
f, err := os.Open(full)
return
}

info, err := os.Stat(full)
return
}

dirEntries, err := os.ReadDir(full)
@dvcdsys

dvcdsys commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Closing: this branch is stale (cut from a pre-#120 develop) — merging it would revert alpine 3.24→3.20, golang 1.26→1.25 and the whole #120 CLI/plugin/doc set. It also bumps the llama.cpp CUDA digest, which is DELIBERATELY pinned in Dockerfile.cuda and must be moved manually via make scout-cuda + GPU E2E (upstream .so-layout refactors have taken prod down before). Adding an ignore rule for ggml-org/llama.cpp to dependabot.yml so this image is managed by the check-llama-pin.sh warn job instead of Dependabot.

@dvcdsys dvcdsys closed this Jul 2, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dvcdsys dvcdsys deleted the dependabot/docker/server/ggml-org/llama.cpp-d0cd0c4 branch July 2, 2026 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants