Update codeql-config.yml

.github/codeql/codeql-config.yml

@@ -7,7 +7,16 @@ queries:
   - uses: security-and-quality
   - uses: ./.github/codeql/queries
 
+paths-ignore:
+  - "**/tests/**"
+  - "**/test/**"
+  - "**/*_test.rs"
+  - "**/*/tests.rs"
 query-filters:
+  - exclude:
+      tags:
+        - test
+
   - exclude:
       id:
         - rust/unwrap-on-option

.github/workflows/release.yml

@@ -19,104 +19,200 @@ env:
   BINARY_NAME: telemt
 
 jobs:
-  build:
-    name: Build ${{ matrix.target }}
+# ==========================
+# GNU / glibc
+# ==========================
+  build-gnu:
+    name: GNU ${{ matrix.target }}
     runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
         include:
-          # ===== GNU / glibc =====
           - target: x86_64-unknown-linux-gnu
-            asset_name: telemt-x86_64-linux-gnu
+            asset: telemt-x86_64-linux-gnu
           - target: aarch64-unknown-linux-gnu
-            asset_name: telemt-aarch64-linux-gnu
-
-          # ===== MUSL =====
-          - target: x86_64-unknown-linux-musl
-            asset_name: telemt-x86_64-linux-musl
+            asset: telemt-aarch64-linux-gnu
 
     steps:
       - uses: actions/checkout@v4
 
-      # ---------- Toolchain ----------
       - uses: dtolnay/rust-toolchain@v1
         with:
           toolchain: stable
           targets: |
             x86_64-unknown-linux-gnu
             aarch64-unknown-linux-gnu
-            x86_64-unknown-linux-musl
 
-      # ---------- System deps (bookworm) ----------
-      - name: Install build deps
+      - name: Install deps
         run: |
           sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
+          sudo apt-get install -y \
             build-essential \
             clang \
             lld \
             pkg-config \
-            musl-tools \
             gcc-aarch64-linux-gnu \
-            g++-aarch64-linux-gnu \
-            ca-certificates
+            g++-aarch64-linux-gnu
 
-      # ---------- Cache ----------
       - uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+          key: gnu-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
 
-      # ---------- Build ----------
       - name: Build
-        env:
-          CC_x86_64_unknown_linux_gnu: clang
-          CXX_x86_64_unknown_linux_gnu: clang++
-
-          CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
-          CXX_aarch64_unknown_linux_gnu: aarch64-linux-gnu-g++
-
-          CC_x86_64_unknown_linux_musl: musl-gcc
-
-          RUSTFLAGS: "-C linker=clang -C link-arg=-fuse-ld=lld"
         run: |
-          case "${{ matrix.target }}" in
-            x86_64-unknown-linux-musl)
-              export RUSTFLAGS="-C target-feature=+crt-static"
-              ;;
-          esac
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
+            export CC=aarch64-linux-gnu-gcc
+            export CXX=aarch64-linux-gnu-g++
+            export CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
+            export CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
+            export RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
+          else
+            export CC=clang
+            export CXX=clang++
+            export CC_x86_64_unknown_linux_gnu=clang
+            export CXX_x86_64_unknown_linux_gnu=clang++
+            export RUSTFLAGS="-C linker=clang -C link-arg=-fuse-ld=lld"
+          fi
 
           cargo build --release --target ${{ matrix.target }}
 
-      # ---------- Package ----------
       - name: Package
         run: |
           mkdir -p dist
-
           BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
 
           cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
 
           cd dist
-          tar -czf ${{ matrix.asset_name }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
-          sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.sha256
+          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
+          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
 
       - uses: actions/upload-artifact@v4
         with:
-          name: ${{ matrix.asset_name }}
+          name: ${{ matrix.asset }}
           path: |
-            dist/${{ matrix.asset_name }}.tar.gz
-            dist/${{ matrix.asset_name }}.sha256
+            dist/${{ matrix.asset }}.tar.gz
+            dist/${{ matrix.asset }}.sha256
 
+# ==========================
+# MUSL
+# ==========================
+  build-musl:
+    name: MUSL ${{ matrix.target }}
+    runs-on: ubuntu-latest
+
+    container:
+      image: rust:slim-bookworm
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-musl
+            asset: telemt-x86_64-linux-musl
+          - target: aarch64-unknown-linux-musl
+            asset: telemt-aarch64-linux-musl
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install deps
+        run: |
+          apt-get update
+          apt-get install -y \
+            musl-tools \
+            pkg-config \
+            curl
+
+      - uses: actions/cache@v4
+        if: matrix.target == 'aarch64-unknown-linux-musl'
+        with:
+          path: ~/.musl-aarch64
+          key: musl-toolchain-aarch64-v1
+
+      - name: Install aarch64 musl toolchain
+        if: matrix.target == 'aarch64-unknown-linux-musl'
+        run: |
+          set -e
+
+          TOOLCHAIN_DIR="$HOME/.musl-aarch64"
+          ARCHIVE="aarch64-linux-musl-cross.tgz"
+          URL="https://github.com/telemt/telemt/releases/download/toolchains/$ARCHIVE"
+
+          if [ -x "$TOOLCHAIN_DIR/bin/aarch64-linux-musl-gcc" ]; then
+            echo "✅ MUSL toolchain already installed"
+          else
+            echo "⬇️ Downloading musl toolchain from Telemt GitHub Releases..."
+
+            curl -fL \
+              --retry 5 \
+              --retry-delay 3 \
+              --connect-timeout 10 \
+              --max-time 120 \
+              -o "$ARCHIVE" "$URL"
+
+            mkdir -p "$TOOLCHAIN_DIR"
+            tar -xzf "$ARCHIVE" --strip-components=1 -C "$TOOLCHAIN_DIR"
+          fi
+
+          echo "$TOOLCHAIN_DIR/bin" >> $GITHUB_PATH
+
+      - name: Add rust target
+        run: rustup target add ${{ matrix.target }}
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            /usr/local/cargo/registry
+            /usr/local/cargo/git
+            target
+          key: musl-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Build
+        run: |
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
+            export CC=aarch64-linux-musl-gcc
+            export CC_aarch64_unknown_linux_musl=aarch64-linux-musl-gcc
+            export RUSTFLAGS="-C target-feature=+crt-static -C linker=aarch64-linux-musl-gcc"
+          else
+            export CC=musl-gcc
+            export CC_x86_64_unknown_linux_musl=musl-gcc
+            export RUSTFLAGS="-C target-feature=+crt-static"
+          fi
+
+          cargo build --release --target ${{ matrix.target }}
+
+      - name: Package
+        run: |
+          mkdir -p dist
+          BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
+
+          cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
+
+          cd dist
+          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
+          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.asset }}
+          path: |
+            dist/${{ matrix.asset }}.tar.gz
+            dist/${{ matrix.asset }}.sha256
+
+# ==========================
+# Docker
+# ==========================
   docker:
     name: Docker
     runs-on: ubuntu-latest
-    needs: build
+    needs: [build-gnu, build-musl]
     continue-on-error: true
 
     steps:
@@ -147,11 +243,10 @@ jobs:
         id: vars
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 
-      - name: Build & Push prod
+      - name: Build & Push
         uses: docker/build-push-action@v6
         with:
           context: .
-          target: prod
           push: true
           platforms: linux/amd64,linux/arm64
           tags: |
@@ -160,10 +255,13 @@ jobs:
           build-args: |
             BINARY=dist/telemt
 
+# ==========================
+# Release
+# ==========================
   release:
     name: Release
     runs-on: ubuntu-latest
-    needs: build
+    needs: [build-gnu, build-musl]
 
     permissions:
       contents: write

CODE_OF_CONDUCT.md

@@ -1,8 +1,8 @@
 # Code of Conduct
 
-## 1. Purpose
+## Purpose
 
-Telemt exists to solve technical problems.
+**Telemt exists to solve technical problems.**
 
 Telemt is open to contributors who want to learn, improve and build meaningful systems together.
 
@@ -18,27 +18,34 @@ Technology has consequences. Responsibility is inherent.
 
 ---
 
-## 2. Principles
+## Principles
 
 * **Technical over emotional**
+
   Arguments are grounded in data, logs, reproducible cases, or clear reasoning.
 
 * **Clarity over noise**
+
   Communication is structured, concise, and relevant.
 
 * **Openness with standards**
+
   Participation is open. The work remains disciplined.
 
 * **Independence of judgment**
+
   Claims are evaluated on technical merit, not affiliation or posture.
 
 * **Responsibility over capability**
+
   Capability does not justify careless use.
 
 * **Cooperation over friction**
+
   Progress depends on coordination, mutual support, and honest review.
 
 * **Good intent, rigorous method**
+
   Assume good intent, but require rigor.
 
 > **Aussagen gelten nach ihrer Begründung.**
@@ -47,7 +54,7 @@ Technology has consequences. Responsibility is inherent.
 
 ---
 
-## 3. Expected Behavior
+## Expected Behavior
 
 Participants are expected to:
 
@@ -69,7 +76,7 @@ New contributors are welcome. They are expected to grow into these standards. Ex
 
 ---
 
-## 4. Unacceptable Behavior
+## Unacceptable Behavior
 
 The following is not allowed:
 
@@ -89,7 +96,7 @@ Such discussions may be closed, removed, or redirected.
 
 ---
 
-## 5. Security and Misuse
+## Security and Misuse
 
 Telemt is intended for responsible use.
 
@@ -109,15 +116,13 @@ Security is both technical and behavioral.
 
 Telemt is open to contributors of different backgrounds, experience levels, and working styles.
 
-Standards are public, legible, and applied to the work itself.
-
-Questions are welcome. Careful disagreement is welcome. Honest correction is welcome.
-
-Gatekeeping by obscurity, status signaling, or hostility is not.
+- Standards are public, legible, and applied to the work itself.
+- Questions are welcome. Careful disagreement is welcome. Honest correction is welcome.
+- Gatekeeping by obscurity, status signaling, or hostility is not.
 
 ---
 
-## 7. Scope
+## Scope
 
 This Code of Conduct applies to all official spaces:
 
@@ -127,16 +132,19 @@ This Code of Conduct applies to all official spaces:
 
 ---
 
-## 8. Maintainer Stewardship
+## Maintainer Stewardship
 
 Maintainers are responsible for final decisions in matters of conduct, scope, and direction.
 
-This responsibility is stewardship: preserving continuity, protecting signal, maintaining standards, and keeping Telemt workable for others.
+This responsibility is stewardship: 
+- preserving continuity, 
+- protecting signal, 
+- maintaining standards, 
+- keeping Telemt workable for others.
 
 Judgment should be exercised with restraint, consistency, and institutional responsibility.
-
-Not every decision requires extended debate.
-Not every intervention requires public explanation.
+- Not every decision requires extended debate.
+- Not every intervention requires public explanation.
 
 All decisions are expected to serve the durability, clarity, and integrity of Telemt.
 
@@ -146,7 +154,7 @@ All decisions are expected to serve the durability, clarity, and integrity of Te
 
 ---
 
-## 9. Enforcement
+## Enforcement
 
 Maintainers may act to preserve the integrity of Telemt, including by:
 
@@ -156,44 +164,40 @@ Maintainers may act to preserve the integrity of Telemt, including by:
 * Restricting or banning participants
 
 Actions are taken to maintain function, continuity, and signal quality.
-
-Where possible, correction is preferred to exclusion.
-
-Where necessary, exclusion is preferred to decay.
+- Where possible, correction is preferred to exclusion.
+- Where necessary, exclusion is preferred to decay.
 
 ---
 
-## 10. Final
+## Final
 
 Telemt is built on discipline, structure, and shared intent.
+- Signal over noise.
+- Facts over opinion.
+- Systems over rhetoric.
 
-Signal over noise.
-Facts over opinion.
-Systems over rhetoric.
+- Work is collective.
+- Outcomes are shared.
+- Responsibility is distributed.
 
-Work is collective.
-Outcomes are shared.
-Responsibility is distributed.
-
-Precision is learned.
-Rigor is expected.
-Help is part of the work.
+- Precision is learned.
+- Rigor is expected.
+- Help is part of the work.
 
 > **Ordnung ist Voraussetzung der Freiheit.**
 
-If you contribute — contribute with care.
-If you speak — speak with substance.
-If you engage — engage constructively.
+- If you contribute — contribute with care.
+- If you speak — speak with substance.
+- If you engage — engage constructively.
 
 ---
 
-## 11. After All
+## After All
 
 Systems outlive intentions.
-
-What is built will be used.
-What is released will propagate.
-What is maintained will define the future state.
+- What is built will be used.
+- What is released will propagate.
+- What is maintained will define the future state.
 
 There is no neutral infrastructure, only infrastructure shaped well or poorly.
 
@@ -201,8 +205,8 @@ There is no neutral infrastructure, only infrastructure shaped well or poorly.
 
 > Every system carries responsibility.
 
-Stability requires discipline.
-Freedom requires structure.
-Trust requires honesty.
+- Stability requires discipline.
+- Freedom requires structure.
+- Trust requires honesty.
 
-In the end, the system reflects its contributors.
+In the end: the system reflects its contributors.

Dockerfile

@@ -28,9 +28,23 @@ RUN cargo build --release && strip target/release/telemt
 FROM debian:12-slim AS minimal
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    upx \
     binutils \
-    && rm -rf /var/lib/apt/lists/*
+    curl \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/* \
+    \
+    # install UPX from Telemt releases
+    && curl -fL \
+        --retry 5 \
+        --retry-delay 3 \
+        --connect-timeout 10 \
+        --max-time 120 \
+        -o /tmp/upx.tar.xz \
+        https://github.com/telemt/telemt/releases/download/toolchains/upx-amd64_linux.tar.xz \
+    && tar -xf /tmp/upx.tar.xz -C /tmp \
+    && mv /tmp/upx*/upx /usr/local/bin/upx \
+    && chmod +x /usr/local/bin/upx \
+    && rm -rf /tmp/upx*
 
 COPY --from=builder /build/target/release/telemt /telemt