* chore: add .worktrees/ to .gitignore

* feat: align content model with site.standard for interop

Three schema changes for standard.site compatibility:

1. Content union: topic.post and topic.reply `content` fields
change from bare string to open union with `$type` discriminator.
Initial type: `forum.barazo.richtext#markdown`. Enables future
content format extensibility.

2. Site field: optional `site` string on topic.post for linking
to a site.standard.publication record (at:// URI or https://).

3. Rename createdAt → publishedAt on topic.post to match
site.standard.document semantics.

New lexicon: forum.barazo.richtext (defines #markdown content type).
New Zod schema: markdownContentSchema with matching validation.

Closes singi-labs/barazo-workspace#80

BREAKING CHANGE: topic.post.content and topic.reply.content are now
union objects with $type discriminator instead of bare strings.
topic.post.createdAt renamed to publishedAt.

* feat(lexicon): add forum.barazo.actor.signature record type

Singleton record (key: self) for user forum signatures.
Portable across all Barazo instances via AT Protocol PDS.
Max 300 graphemes. Used by @barazo/plugin-signatures.

* feat(validation): add Zod schema for actor.signature

TDD: tests written first, then schema implemented.
Uses z.iso.datetime() consistent with existing schemas.

* feat(types): generate TypeScript types for actor.signature

Add ForumBarazoActorSignature to generated types, lexicon schemas,
main exports, LEXICON_IDS, and fixup script.

* fix: make pnpm generate work reliably

Replace broken glob-based generate script with node wrapper that:
- Discovers lexicon files via filesystem (pnpm doesn't expand globs)
- Excludes authForumAccess.json (permission-set type unsupported by lex-cli)
- Auto-confirms lex-cli prompt
- Runs fixup afterward

Make fixup-generated.js dynamic:
- Build index.ts from discovered type files (no hardcoded list)
- Inject excluded lexicons into schemaDict and ids after codegen

Both pre-existing issues (broken glob, lex-cli incompatibility) are now
handled automatically. Adding new lexicons no longer requires manual
script updates.

* chore: bump version to 0.2.0

New lexicon: forum.barazo.actor.signature

* chore(deps): bump the dependencies group with 5 updates

Bumps the dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@atproto/lexicon](https://github.com/bluesky-social/atproto/tree/HEAD/packages/lexicon) | `0.6.1` | `0.6.2` |
| [@atproto/lex-cli](https://github.com/bluesky-social/atproto/tree/HEAD/packages/lex-cli) | `0.9.8` | `0.9.9` |
| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) | `20.4.2` | `20.4.3` |
| [@commitlint/config-conventional](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/config-conventional) | `20.4.2` | `20.4.3` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `16.3.1` | `16.3.2` |


Updates `@atproto/lexicon` from 0.6.1 to 0.6.2
- [Release notes](https://github.com/bluesky-social/atproto/releases)
- [Changelog](https://github.com/bluesky-social/atproto/blob/main/packages/lexicon/CHANGELOG.md)
- [Commits](https://github.com/bluesky-social/atproto/commits/@atproto/lexicon@0.6.2/packages/lexicon)

Updates `@atproto/lex-cli` from 0.9.8 to 0.9.9
- [Release notes](https://github.com/bluesky-social/atproto/releases)
- [Changelog](https://github.com/bluesky-social/atproto/blob/main/packages/lex-cli/CHANGELOG.md)
- [Commits](https://github.com/bluesky-social/atproto/commits/@atproto/lex-cli@0.9.9/packages/lex-cli)

Updates `@commitlint/cli` from 20.4.2 to 20.4.3
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.4.3/@commitlint/cli)

Updates `@commitlint/config-conventional` from 20.4.2 to 20.4.3
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/config-conventional/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.4.3/@commitlint/config-conventional)

Updates `lint-staged` from 16.3.1 to 16.3.2
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](https://github.com/lint-staged/lint-staged/compare/v16.3.1...v16.3.2)

---
updated-dependencies:
- dependency-name: "@atproto/lexicon"
dependency-version: 0.6.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: "@atproto/lex-cli"
dependency-version: 0.9.9
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: "@commitlint/cli"
dependency-version: 20.4.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: "@commitlint/config-conventional"
dependency-version: 20.4.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: lint-staged
dependency-version: 16.3.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(deps): regenerate lockfile for pnpm catalog compatibility

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Dependabot PRs don't receive repo secrets under pull_request events,
causing DEPLOY_PAT to be empty. Switch to pull_request_target which
runs in the base branch context with full secret access. Safe because
the workflow only runs for dependabot[bot] and only executes pnpm
install -- no PR-supplied code is run.

Commits pushed with the default GITHUB_TOKEN don't trigger other
workflows (GitHub's anti-recursion guard). Switch to DEPLOY_PAT so
the lockfile fix commit triggers CI.

Dependabot doesn't handle pnpm catalogs correctly -- it resolves
catalog: specifiers to concrete versions in the lockfile, causing
frozen-lockfile failures in CI. This workflow detects Dependabot PRs
that touch package.json or the lockfile, regenerates pnpm-lock.yaml,
and commits the fix back to the PR branch.

Replace GitHub's default 6-hour timeout with a 10-minute limit on the
check job. This ensures hung builds fail fast instead of consuming
runner minutes.

Triggers barazo-workspace's sync-lockfile workflow on every push to
main, so dependency changes are reflected in the workspace lockfile
immediately instead of waiting for the hourly cron.

* chore(deps): bump the dependencies group across 1 directory with 4 updates

Bumps the dependencies group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint), [lint-staged](https://github.com/lint-staged/lint-staged) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `@types/node` from 25.3.0 to 25.3.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint` from 10.0.1 to 10.0.2
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v10.0.1...v10.0.2)

Updates `lint-staged` from 16.2.7 to 16.3.1
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](https://github.com/lint-staged/lint-staged/compare/v16.2.7...v16.3.1)

Updates `typescript-eslint` from 8.56.0 to 8.56.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.56.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@types/node"
dependency-version: 25.3.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: eslint
dependency-version: 10.0.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: lint-staged
dependency-version: 16.3.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: dependencies
- dependency-name: typescript-eslint
dependency-version: 8.56.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix: regenerate lockfile to restore pnpm catalog specifiers

Dependabot incorrectly replaced catalog: specifiers with hardcoded
versions in the lockfile, causing frozen-lockfile installs to fail.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guido X Jansen <x@gui.do>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [minimatch](https://github.com/isaacs/minimatch) from 9.0.5 to 9.0.8.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/compare/v9.0.5...v9.0.8)

---
updated-dependencies:
- dependency-name: minimatch
dependency-version: 9.0.8
dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [rollup](https://github.com/rollup/rollup) from 4.57.1 to 4.59.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v4.57.1...v4.59.0)

---
updated-dependencies:
- dependency-name: rollup
dependency-version: 4.59.0
dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Allows consumers to import didRegex instead of duplicating the pattern.

Ref: barazo-forum/barazo-workspace#31

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

The original limit of 5 was conservative without a strong technical
reason. PDS record size is generous and tags are tiny strings. The UI
layer can control how many to display; the lexicon shouldn't be the
gatekeeper.

Community feedback: https://discourse.atprotocol.community/t/624/4

docs: sync AGENTS.md from barazo-workspace

Add knownValues with token definitions (like, heart, thumbsup) to the
reaction type field following AT Protocol conventions. Annotate the
category field with format: "record-key" for machine-readable semantics.
Populate the previously empty defs.json with a reusable communityRef
type. Regenerate TypeScript types, update Zod validation schemas, and
add corresponding tests. Bump version to 0.1.2.

All changes are non-breaking -- backward compatibility tests pass.

* chore(deps): pin exact dependency versions

Remove ^ prefixes from all dependency versions in package.json and
pnpm-workspace.yaml catalog entries to comply with the project standard
of exact version pinning. This ensures reproducible installs without
relying on lockfile-only version resolution.

* chore(deps): update all dependencies to latest stable versions

Update catalog entries: eslint 10.0.1, commitlint 20.4.2,
typescript-eslint 8.56.0, @types/node 25.3.0.
All direct dependencies already at latest.

docs: sync AGENTS.md from barazo-workspace

chore(deps): bump ajv from 6.12.6 to 6.14.0

Brand alignment audit: update shared tagline to "Open-source forum
software... member-owned data, no lock-in." Add forum.barazo.actor.preferences
to Core Record Types (MVP) list.

Automatically pushes to tangled.org on every merge to main,
making Barazo visible in the AT Protocol developer ecosystem.

Bumps [ajv](https://github.com/ajv-validator/ajv) from 6.12.6 to 6.14.0.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](https://github.com/ajv-validator/ajv/compare/v6.12.6...v6.14.0)

---
updated-dependencies:
- dependency-name: ajv
dependency-version: 6.14.0
dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Standardize CI workflow:
- Add concurrency group with cancel-in-progress
- Add pnpm cache to setup-node action
- Use --frozen-lockfile for reproducible installs

* chore(workspace): extend base configs and remove duplicate tooling

Make tsconfig, eslint, and vitest configs extend workspace base instead
of duplicating settings. Remove per-repo prettier and commitlint configs
in favor of root-level configs.

* fix(workspace): restore commitlint config for standalone repo hooks

Sub-repos need their own commitlint config since each has its own .git
and husky hooks. Removed redundant scope-empty rule.

* fix: restore standalone configs for CI compatibility

Base config extension doesn't work in CI where repos are cloned
independently. Restore self-contained configs. The only remaining
change from this PR is the commitlint cleanup.

refactor(validation): consolidate didRegex into shared patterns module

Extract the duplicated didRegex from topic-post, topic-reply, reaction,
vote, and actor-preferences into a single patterns.ts export. Reduces
five identical definitions to one canonical source.

Add optional `facets` (richtext annotations) and `langs` (BCP 47
language tags) fields to topic.post and topic.reply schemas, following
the Bluesky convention from app.bsky.feed.post.

Add new `forum.barazo.interaction.vote` record type for directional
voting (separate from reactions). Uses knownValues: ["up"] so "down"
can be added later without breaking change.

Changes:
- Vendor app.bsky.richtext.facet lexicon for facets reference
- Add facets + langs to post.json and reply.json (optional)
- Create interaction/vote.json with subject, direction, community
- Add vote to authForumAccess permission set
- Create Zod schemas for facet and vote validation
- Update all exports (generated types, Zod, LEXICON_IDS)
- Add 40 new tests (175 total, up from 135)

All changes are additive (non-breaking).

Fixes barazo-forum/barazo-workspace#30

AT Protocol `enum` rejects unknown values, making it impossible to add
new content formats or maturity levels without breaking existing
validators. `knownValues` is the open-set alternative that allows
extensibility while preserving autocomplete for known values.

Changed fields:
- contentFormat in post.json and reply.json
- maturityLevel in preferences.json

Regenerated TypeScript types and updated tests.

Fixes barazo-forum/barazo-workspace#24

* chore(deps): bump the dependencies group with 2 updates

Bumps the dependencies group with 2 updates: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `@types/node` from 25.2.3 to 25.3.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `typescript-eslint` from 8.55.0 to 8.56.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.56.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@types/node"
dependency-version: 25.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: dependencies
- dependency-name: typescript-eslint
dependency-version: 8.56.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(deps): regenerate lockfile for catalog: specifiers

Dependabot doesn't understand pnpm catalog: references and replaced
them with explicit version specifiers. Regenerate lockfile so the
stored specifiers match the package.json catalog: references.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guido X Jansen <x@gui.do>

chore(deps): bump zod from 3.25.76 to 4.3.6

chore(deps): bump multiformats from 9.9.0 to 13.4.2

Bumps [multiformats](https://github.com/multiformats/js-multiformats) from 9.9.0 to 13.4.2.
- [Release notes](https://github.com/multiformats/js-multiformats/releases)
- [Changelog](https://github.com/multiformats/js-multiformats/blob/master/CHANGELOG.md)
- [Commits](https://github.com/multiformats/js-multiformats/compare/v9.9.0...v13.4.2)

---
updated-dependencies:
- dependency-name: multiformats
dependency-version: 13.4.2
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [zod](https://github.com/colinhacks/zod) from 3.25.76 to 4.3.6.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v3.25.76...v4.3.6)

---
updated-dependencies:
- dependency-name: zod
dependency-version: 4.3.6
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(lexicons): add prettier, lint-staged, husky hooks, and commitlint

Add prettier, lint-staged, husky, and commitlint as devDependencies
using pnpm catalog references. Add format/format:check scripts and husky
prepare script. Create prettier config (matching workspace standard),
lint-staged config, commitlint config, prettierignore, and husky
pre-commit/commit-msg hooks for conventional commit enforcement.

* chore(lexicons): add copilot-setup-steps.yml for AI coding agents

Add GitHub Copilot coding agent setup workflow with pnpm install,
typecheck, and test steps. Enables AI agents to work on the lexicons
repo with proper build and test infrastructure.

* fix(lexicons): add prettier and lint-staged to standalone CI catalog

Add prettier and lint-staged version entries to the per-repo
pnpm-workspace.yaml catalog so pnpm install works in standalone CI
environments (without the workspace root).

* fix(lexicons): regenerate lockfile for catalog: specifiers

The lockfile was out of date after adding devDependencies with
catalog: references. Regenerated to include @commitlint/cli,
@commitlint/config-conventional, husky, lint-staged, and prettier.

AGENTS.md is the cross-vendor standard for AI coding agent instructions.
Auto-generated from barazo-workspace/agents-md/ source files.

chore(deps): bump contributor-assistant/github-action from 2.5.2 to 2.6.1

chore(deps): bump peter-evans/repository-dispatch from 3.0.0 to 4.0.1

chore(deps): bump actions/checkout from 4.3.1 to 6.0.2

chore(deps): bump actions/setup-node from 4.4.0 to 6.2.0

Bumps [contributor-assistant/github-action](https://github.com/contributor-assistant/github-action) from 2.5.2 to 2.6.1.
- [Release notes](https://github.com/contributor-assistant/github-action/releases)
- [Commits](https://github.com/contributor-assistant/github-action/compare/fdca7a016082d9130c3cd91a236ddf956ec35f1d...ca4a40a7d1004f18d9960b404b97e5f30a505a08)

---
updated-dependencies:
- dependency-name: contributor-assistant/github-action
dependency-version: 2.6.1
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [peter-evans/repository-dispatch](https://github.com/peter-evans/repository-dispatch) from 3.0.0 to 4.0.1.
- [Release notes](https://github.com/peter-evans/repository-dispatch/releases)
- [Commits](https://github.com/peter-evans/repository-dispatch/compare/ff45666b9427631e3450c54a1bcbee4d9ff4d7c0...28959ce8df70de7be546dd1250a005dd32156697)

---
updated-dependencies:
- dependency-name: peter-evans/repository-dispatch
dependency-version: 4.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/34e114876b0b11c390a56381ad16ebd13914f8d5...de0fac2e4500dabe0009e67214ff5f5447ce83dd)

---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/49933ea5288caeca8642d1e84afbd3f7d6820020...6044e13b5dc448c55e2357c09f80417699197238)

---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.2.0
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

ci: add Dependabot monitoring for GitHub Actions

Keeps pinned action SHAs up-to-date automatically when new
versions are released.

fix(ci): pin GitHub Actions to commit SHAs

Pin all third-party actions to full-length commit SHAs to prevent
supply-chain attacks via tag repointing.

Resolves code scanning alerts for actions/unpinned-tag.

Fires repository_dispatch to barazo-deploy when lexicon changes
are merged, triggering a rebuild of both API and Web images.

* chore(deps): use pnpm catalog references for shared dependencies

Replace explicit version specifiers with catalog: for dependencies shared
across the workspace (zod, vitest, typescript, eslint, etc.). Also remove
the Dependabot ignore rule that blocked major version updates.

* chore(deps): add pnpm catalog entries for standalone CI installs

Add pnpm-workspace.yaml with catalog section so catalog: references in
package.json resolve correctly when this repo is installed standalone
(e.g., in CI). The workspace root catalog takes precedence when running
in the full workspace context.

* chore(deps): regenerate lockfile for catalog: specifiers

Update pnpm-lock.yaml to match catalog: references in package.json.
Required for --frozen-lockfile in CI.

test(compat): add backward compatibility test suite

Validates that schema changes never break records already stored on
user PDSes. Tests baseline records against both Zod and lexicon
validators, captures schema structural snapshots (required fields,
property names, field types), and verifies forward compatibility
with unknown fields. Adds test:compat npm script for targeted runs.

Standardize README to match org-wide template