Security:
- Remove `bread modules install github:…`. Remote fetch pulled unreviewed
third-party Lua and ran it with full bread.exec() privileges in an
unsandboxed runtime. Module install is now local-only; parse_source
rejects github:/git: with an explicit message.
bread-sync extracted from the workspace (parked for its own project):
- Removed from workspace members (now excluded); see bread-sync/EXTRACTION.md
- Removed the entire `bread sync` CLI surface and now-unused deps
(bread-sync, reqwest, tar, flate2; tempfile demoted to dev-dependency)
- Removed the sync.status IPC method from breadd plus its integration tests
- Moved the generic `expand_path` helper into bread-shared (with unit tests)
CI now actually runs and gates quality:
- Trigger on master/dev (was `main` — CI had never run, not once)
- Added `cargo fmt --check` and `clippy -D warnings`; fixed 4 clippy warnings
- Dropped the macOS matrix entry (breadd is Linux-only: udev/rtnetlink);
added the libudev-dev system dependency the Linux build needs
Hardening / honesty:
- New ipc test: daemon survives repeated reloads and the event pipeline
resumes (the prior suite only had a single happy-path reload check)
- Docs scrubbed of sync across README/Documentation/Overview/DAEMON
- "production-ready" and "compositor-agnostic" claims reworded to match
reality rather than aspiration
Note: bread-sync/src/export.rs held pre-existing local WIP authored outside
this change set and is intentionally excluded from this commit.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
