fix(ci): guard package-mode workflows

[NubsCarson]

Summary

Fixes two CI contract breaks that affect package-mode Milady PRs:

1. The shared Agent Review Auth P0 gate assumes a nested eliza/ checkout exists and fails package-mode PRs at cd eliza/packages/core.
2. The Electrobun release workflow drifted from the latest Eliza release contract after Eliza added a shared Whisper model artifact path.

Changes

• Guard Build local eliza runtime plugins with hashFiles('eliza/package.json') != '', matching the existing package-mode guard pattern used by CI jobs.
• Update scripts/ci-bootstrap-contract.test.ts so the Auth P0 workflow contract requires that guard.
• Update scripts/validate-ci-bootstrap-contract.mjs so the standalone CI contract validator also prevents regressing this workflow.
• Add the Whisper model release artifact contract to .github/workflows/release-electrobun.yml:
  • prepare ggml-base.en.bin once in validate-release,
  • upload it as whisper-model-base-en,
  • download/seed it for browser companion and desktop build jobs when validate-release ran.
• Update the Milady Eliza CI patch overlay to generate the current cache-based ensure-whisper-model.sh instead of the older whisper-node package-local model copier.
• Add release workflow contract assertions for the Whisper artifact wiring.
• Refresh the tracked static asset manifest so release-check sees the current public asset set.

Validation

Ran in an isolated worktree based on current develop:

bunx vitest run scripts/ci-bootstrap-contract.test.ts
node scripts/validate-ci-bootstrap-contract.mjs
bunx vitest run scripts/release-workflow-contract.test.mjs scripts/ci-bootstrap-contract.test.ts
bun run test:release:contract
node scripts/generate-static-asset-manifest.mjs
git diff --check

Results:

• ci-bootstrap-contract.test.ts: 8 tests passed.
• Combined workflow contract run: 35 passed, 1 skipped.
• validate-ci-bootstrap-contract.mjs: passed.
• test:release:contract: local wrapper contract passed; local Eliza checkout was absent, so the nested release-check portion was skipped locally exactly as the script reports.
• Static asset manifest regenerated cleanly after the workflow/source refresh.
• Whitespace diff check passed.

Stack Status

Updated 2026-05-19 after #2153 moved to 85335e9cb: merged the new #2153 head into this stack with no manual conflicts. Local verification on b2ce6af0d: bunx vitest run scripts/ci-bootstrap-contract.test.ts scripts/release-workflow-contract.test.mjs apps/app/test/package-mode-aliases.test.ts passed with 46 passed / 1 skipped, node scripts/validate-ci-bootstrap-contract.mjs passed, Biome passed on touched workflow/app contract files, git diff --check passed, and bun run test:release:contract passed with the expected local-eliza/ release-check skip. The PR remains draft because merge order is still #2153 first, then this workflow guard follow-up.

Current stacked diff against #2153 is intentionally narrow:

• .github/workflows/release-electrobun.yml
• scripts/apply-eliza-ci-patches.mjs
• scripts/ci-bootstrap-contract.test.ts
• scripts/release-workflow-contract.test.mjs

Pull Request Target Limitation

After stacking this PR on #2153, the Auth tests (P0 gate) check still fails before running auth tests. The new failing run confirms GitHub is executing the pull_request_target workflow YAML from current develop, not the PR head or stacked base branch. The log still runs the unguarded Build local eliza runtime plugins step and dies at cd eliza/packages/core in package-mode checkout.

That means this PR can validate the workflow contract statically and through normal CI, but the Auth P0 gate itself cannot turn green until the guard exists on develop. Keeping this PR draft is intentional until maintainers decide whether to merge the guard through #2153 / this stack or apply it directly to develop.

GitHub Status After Stack

GitHub Actions on the previous stacked head had the normal package-mode CI lanes green; only Agent Review/Auth checks ran on refreshed draft head b2ce6af0d:

• All Tests Passed: success
• Lint & Format: success
• Type Check: success
• Unit Tests: success
• Build: success
• Release Workflow Contract: success
• CodeQL JS/TS + Python: success
• CodeFactor: success

The remaining red checks are Auth tests (P0 gate) and its aggregate Agent Review Verdict, both caused by pull_request_target using the unguarded workflow from current develop. The failure log dies before auth tests at cd eliza/packages/core in package-mode checkout.

CI Notes

Auth tests (P0 gate) can still fail on this PR until the workflow guard lands on develop, because that job uses pull_request_target; GitHub runs the workflow YAML from base develop, not this PR branch. The failing log confirms it executes the unguarded base workflow and dies at cd eliza/packages/core.

The broader package-mode app lint/typecheck/build failures on this standalone workflow branch are the existing package-mode app surface fixed in #2153. This PR intentionally keeps that separate and focuses on shared CI/workflow contracts.

Impact

Once merged to develop, this should unblock the shared Agent Review/Auth P0 failure currently visible on unrelated open PRs such as #2152, #2153, and #2155. It also keeps the Electrobun release workflow aligned with Eliza's current Whisper model artifact contract, without changing runtime app code.

Note

Guard 'Build local eliza runtime plugins' step and add Whisper model caching to Electrobun release workflow

• Adds a hashFiles('eliza/package.json') != '' condition to the 'Build local eliza runtime plugins' step in agent-review.yml so it is skipped when the eliza submodule is not checked out.
• Adds Whisper model preparation, upload, and cache-seeding steps to release-electrobun.yml, persisting the model as the whisper-model-base-en artifact and restoring it into $HOME/.cache/eliza/whisper/.
• Updates the generated ensure-whisper-model.sh script in apply-eliza-ci-patches.mjs to download models directly via curl/wget into a user cache dir, removing the dependency on whisper-node package paths and whisper.cpp helper scripts.
• Extends contract tests in ci-bootstrap-contract.test.ts and release-workflow-contract.test.mjs to enforce the new guard condition and Whisper artifact steps.

^{Macroscope summarized 79312f9. (Automatic summaries will resume when PR exits draft mode or review begins).}

[macroscopeapp]

Approvability

Verdict: Needs human review

Unable to check for correctness in 79312f9.

^{You can customize Macroscope's approvability policy. Learn more.}

[github-actions]

Credit balance is too low

[github-actions]

Credit balance is too low

[github-actions]

Credit balance is too low

[github-actions]

Credit balance is too low

[github-actions]

Credit balance is too low

[NubsCarson]

Stack follow-up, 2026-05-19: merged #2153 7c61555fc into this stacked branch and pushed f7d78c000. No manual conflicts. Local contract verification passed: bunx vitest run scripts/ci-bootstrap-contract.test.ts scripts/release-workflow-contract.test.mjs (36 passed / 1 skipped) and node scripts/validate-ci-bootstrap-contract.mjs.

[github-actions]

Credit balance is too low

[github-actions]

Credit balance is too low

[github-actions]

Credit balance is too low

[NubsCarson]

Final stack refresh, 2026-05-19: latest head 22da36c8c is refreshed on #2153 e74191831; local lint and workflow contract checks are clean. GitHub review-pr passed; Auth P0 / Agent Review remain red for the same known pull_request_target base-workflow limitation. Keeping draft because merge order remains #2153 first, then this follow-up.

[NubsCarson]

Update 2026-05-19: refreshed this stack onto #2153 head 85335e9cb and pushed b2ce6af0d. The merge from #2153 was clean with no manual conflicts.\n\nLocal validation on b2ce6af0d:\n\n- bun install --frozen-lockfile in the isolated #2158 worktree -> passed\n- bunx vitest run scripts/ci-bootstrap-contract.test.ts scripts/release-workflow-contract.test.mjs apps/app/test/package-mode-aliases.test.ts -> 3 files passed, 46 tests passed, 1 skipped\n- node scripts/validate-ci-bootstrap-contract.mjs -> passed\n- bunx @biomejs/biome check ... on touched workflow/app contract files -> passed\n- git diff --check -> passed\n- bun run test:release:contract -> passed; local eliza/ release-check portion skipped because this package-mode worktree has no nested checkout\n\nThis remains draft intentionally: #2153 should merge first, then this workflow guard follow-up. The Auth P0 / Agent Review caveat is still the same pull_request_target limitation until the guard exists on base develop.

[github-actions]

Credit balance is too low

[NubsCarson]

Status refresh (2026-05-19):

• Head remains b2ce6af0da9178042c529b05f94b2e7efdf1f1d7 on nubs/fix-agent-review-package-mode, stacked on fix(app): stabilize Android local runtime boot #2153.
• The PR is intentionally draft and narrow: it carries the package-mode workflow guard/release-contract follow-up.
• Current red checks are again Auth tests (P0 gate) and aggregate Agent Review Verdict.
• The failure is expected for this PR too because pull_request_target evaluates the workflow file from current base develop, not this stacked head. The guard in this PR cannot affect that gate until merged/applied to develop.

No new source changes pushed to this PR in this refresh; this comment is only a status/maintainer-context update.