feat: federated multi-package template with crane and nix2container

.beads/.gitignore

@@ -0,0 +1,48 @@
+# SQLite databases
+*.db
+*.db?*
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Daemon runtime files
+daemon.lock
+daemon.log
+daemon.pid
+bd.sock
+sync-state.json
+last-touched
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
+
+# Legacy database files
+db.sqlite
+bd.db
+
+# Worktree redirect file (contains relative path to main repo's .beads/)
+# Must not be committed as paths would be wrong in other clones
+redirect
+
+# Merge artifacts (temporary files from 3-way merge)
+beads.base.jsonl
+beads.base.meta.json
+beads.left.jsonl
+beads.left.meta.json
+beads.right.jsonl
+beads.right.meta.json
+
+# Sync state (local-only, per-machine)
+# These files are machine-specific and should not be shared across clones
+.sync.lock
+sync_base.jsonl
+
+# .beads
+README.md
+config.yaml
+
+# NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
+# They would override fork protection in .git/info/exclude, allowing
+# contributors to accidentally commit upstream issue databases.
+# The JSONL files (issues.jsonl, interactions.jsonl) and config files
+# are tracked by git by default since no pattern above ignores them.

.beads/metadata.json

@@ -0,0 +1,4 @@
+{
+  "database": "beads.db",
+  "jsonl_export": "issues.jsonl"
+}

.gitattributes

@@ -3,3 +3,6 @@ flake.lock linguist-generated=true
 uv.lock linguist-generated=true
 pixi.lock linguist-generated=true
 yarn.lock linguist-generated=true
+
+# Use bd merge for beads JSONL files
+.beads/issues.jsonl merge=beads

.github/actions/cached-ci-job/action.yaml

@@ -0,0 +1,183 @@
+name: Cached CI Job
+description: Execute job only if not already successful for this commit SHA
+
+inputs:
+  check-name:
+    description: Full check run name (defaults to github.job, include matrix values for matrix jobs)
+    required: false
+    default: ${{ github.job }}
+  hash-sources:
+    description: |
+      Glob patterns for files to hash (one per line or space-separated).
+      Used to compute content-addressed cache key.
+      Example: '**/*.nix flake.lock justfile'
+      The workflow file is automatically included.
+    required: false
+    default: ''
+  force-run:
+    description: Force execution even if already successful
+    required: false
+    default: 'false'
+
+outputs:
+  should-run:
+    description: Whether job should execute (true/false)
+    value: ${{ steps.decide.outputs.should-run }}
+  cache-source:
+    description: 'Where cache hit occurred (actions-cache or none)'
+    value: ${{ steps.decide.outputs.cache-source }}
+  cache-key:
+    description: 'Content-addressed cache key'
+    value: ${{ steps.compute-hash.outputs.cache-key }}
+  cache-path:
+    description: 'Cache directory path for job result marker'
+    value: ${{ steps.compute-hash.outputs.cache-path }}
+
+runs:
+  using: composite
+  steps:
+    - name: Compute content-addressed cache key
+      id: compute-hash
+      shell: bash
+      env:
+        CHECK_NAME: ${{ inputs.check-name }}
+        HASH_SOURCES: ${{ inputs.hash-sources }}
+      run: |
+        # Sanitize check name
+        SANITIZED=$(echo "$CHECK_NAME" | tr -d '()' | tr ', ' '-' | tr -s '-')
+
+        # Get workflow file path (automatically included in hash)
+        WORKFLOW_FILE=$(echo "$GITHUB_WORKFLOW_REF" | sed 's|^[^/]*/[^/]*/||' | sed 's|@.*||')
+        echo "Workflow file: $WORKFLOW_FILE"
+
+        # Auto-include the composite action itself
+        CACHE_ACTION=".github/actions/cached-ci-job/action.yaml"
+
+        # Combine user sources + workflow file + cache action
+        if [ -n "$HASH_SOURCES" ]; then
+          ALL_SOURCES="$HASH_SOURCES $WORKFLOW_FILE $CACHE_ACTION"
+        else
+          ALL_SOURCES="$WORKFLOW_FILE $CACHE_ACTION"
+        fi
+
+        echo "Hash sources: $ALL_SOURCES"
+
+        # Compute content hash of all source files
+        # Disable glob expansion to preserve patterns for manual processing
+        set -f
+        CONTENT_HASH=""
+        for pattern in $ALL_SOURCES; do
+          if [ -f "$pattern" ]; then
+            case "$pattern" in
+              docs/notes/*)
+                continue
+                ;;
+            esac
+            FILE_HASH=$(git hash-object "$pattern" 2>/dev/null || echo "missing")
+            CONTENT_HASH="${CONTENT_HASH}${FILE_HASH}"
+          elif [[ "$pattern" == *"*"* ]]; then
+            if [[ "$pattern" == *"/"* ]]; then
+              BASE_DIR="${pattern%%/**}"
+              FILE_PATTERN="${pattern##*/}"
+            else
+              BASE_DIR="."
+              FILE_PATTERN="$pattern"
+            fi
+
+            if [[ "$pattern" == "**/"* ]]; then
+              BASE_DIR="."
+              FILE_PATTERN="${pattern#**/}"
+            fi
+
+            if [ -d "$BASE_DIR" ]; then
+              while IFS= read -r file; do
+                case "$file" in
+                  docs/notes/*)
+                    continue
+                    ;;
+                esac
+                FILE_HASH=$(git hash-object "$file" 2>/dev/null || echo "missing")
+                CONTENT_HASH="${CONTENT_HASH}${FILE_HASH}"
+              done < <(find "$BASE_DIR" -type f -name "$FILE_PATTERN" 2>/dev/null | sort)
+            else
+              echo "::warning::Pattern base directory not found: $BASE_DIR (pattern: $pattern)"
+            fi
+          else
+            echo "::warning::Source file not found: $pattern"
+          fi
+        done
+        set +f
+
+        FINAL_HASH=$(echo -n "$CONTENT_HASH" | sha256sum | cut -c1-12)
+        CACHE_KEY="job-result-${SANITIZED}-${FINAL_HASH}"
+        CACHE_PATH=".cache/job-results/${SANITIZED}"
+
+        echo "Content hash: $FINAL_HASH"
+        echo "Cache key: $CACHE_KEY"
+        echo "Cache path: $CACHE_PATH"
+
+        echo "cache-key=$CACHE_KEY" >> $GITHUB_OUTPUT
+        echo "cache-path=$CACHE_PATH" >> $GITHUB_OUTPUT
+        echo "content-hash=$FINAL_HASH" >> $GITHUB_OUTPUT
+
+    - name: Prepare cache restore keys
+      id: cache-result
+      shell: bash
+      env:
+        CHECK_NAME: ${{ inputs.check-name }}
+      run: |
+        SANITIZED=$(echo "$CHECK_NAME" | tr -d '()' | tr ', ' '-' | tr -s '-')
+        RESTORE_KEYS="job-result-${SANITIZED}-"
+        echo "Restore keys pattern: ${RESTORE_KEYS}*"
+        echo "restore-keys=$RESTORE_KEYS" >> $GITHUB_OUTPUT
+
+    - name: Lookup job result in actions/cache
+      id: cache-lookup
+      uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5
+      with:
+        path: ${{ steps.compute-hash.outputs.cache-path }}
+        key: ${{ steps.compute-hash.outputs.cache-key }}
+        restore-keys: ${{ steps.cache-result.outputs.restore-keys }}
+        lookup-only: true
+
+    - name: Make execution decision
+      id: decide
+      shell: bash
+      env:
+        FORCE: ${{ inputs.force-run }}
+        CACHE_HIT: ${{ steps.cache-lookup.outputs.cache-hit || 'false' }}
+        CACHE_KEY: ${{ steps.compute-hash.outputs.cache-key }}
+        CHECK_NAME: ${{ inputs.check-name }}
+      run: |
+        echo "=== Execution Decision ==="
+        echo "Force run: $FORCE"
+        echo "Cache key: $CACHE_KEY"
+        echo "Actions cache hit: $CACHE_HIT"
+        echo ""
+
+        SANITIZED_NAME=$(echo "$CHECK_NAME" | tr -d '()' | tr ', ' '-' | tr -s '-')
+
+        if [ "$FORCE" = "true" ]; then
+          echo "should-run=true" >> $GITHUB_OUTPUT
+          if [ "$CACHE_HIT" = "true" ]; then
+            echo "cache-source=actions-cache" >> $GITHUB_OUTPUT
+          else
+            echo "cache-source=none" >> $GITHUB_OUTPUT
+          fi
+          echo "::notice title=CI Cache | ${SANITIZED_NAME}::RUN | ${CACHE_KEY} | Forced"
+          echo "Decision: RUN (forced by input)"
+          exit 0
+        fi
+
+        if [ "$CACHE_HIT" = "true" ]; then
+          echo "should-run=false" >> $GITHUB_OUTPUT
+          echo "cache-source=actions-cache" >> $GITHUB_OUTPUT
+          echo "::notice title=CI Cache | ${SANITIZED_NAME}::SKIP | ${CACHE_KEY} | Cached"
+          echo "Decision: SKIP (cached result found)"
+          exit 0
+        fi
+
+        echo "should-run=true" >> $GITHUB_OUTPUT
+        echo "cache-source=none" >> $GITHUB_OUTPUT
+        echo "::notice title=CI Cache | ${SANITIZED_NAME}::RUN | ${CACHE_KEY} | Cache miss"
+        echo "Decision: RUN (no cached result found)"