feat: selective merge from main

- Keep our CI/CD workflows and uv-based setup
- Adopt Dockerfile improvements from main (better cleanup, security)
- Remove poetry.lock (we use uv)
- Add renovate.json5 for automated dependency updates
- Update other minor improvements from main branch

Author: kzndotsh

.github/renovate.json

@@ -0,0 +1,41 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:best-practices"
+    ],
+    "schedule": [
+        "* */12 * * *"
+    ],
+    "ignoreDeps": [
+        "basedpyright" // see pyproject.toml
+    ],
+    "lockFileMaintenance": {
+        "enabled": true,
+        "automerge": true
+    },
+    "packageRules": [
+        {
+            // these will fail tests if they are broken
+            // idk if this works with python, either way it doesnt matter
+            //"matchDepTypes": [
+            //    "devDependencies"
+            //],
+            "matchPackageNames": [
+                "pre-commit",
+                "ruff",
+                "poetry",
+                "pytest"
+            ],
+            "automerge": true
+        },
+        {
+            // no breaking changes
+            "matchUpdateTypes": [
+                "minor",
+                "patch"
+            ],
+            "matchCurrentVersion": "!/^0/",
+            "automerge": true
+        }
+    ]
+}

.github/renovate.json5

@@ -1,2 +1,2 @@
 [tools]
-python = "3.13.5"
+python = "3.13.7"

.mise.toml

@@ -1 +1 @@
-3.13.5
+3.13.7

.python-version

@@ -43,7 +43,7 @@
 # Size Impact: ~150MB (Python slim + runtime deps)
 # ==============================================================================
 
-FROM python:3.13.5-slim@sha256:4c2cf9917bd1cbacc5e9b07320025bdb7cdf2df7b0ceaccb55e9dd7e30987419 AS base
+FROM python:3.13.7-slim@sha256:27f90d79cc85e9b7b2560063ef44fa0e9eaae7a7c3f5a9f74563065c5477cc24 AS base
 
 # OCI Labels for container metadata and registry compliance
 # These labels provide important metadata for container registries and tools
@@ -81,13 +81,12 @@ RUN echo 'path-exclude /usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/01_nodoc && \
 RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends --no-install-suggests \
-        ffmpeg=7:5.1.6-0+deb12u1 \
-        git=1:2.39.5-0+deb12u2 \
-        libcairo2=1.16.0-7 \
-        libgdk-pixbuf2.0-0=2.40.2-2 \
-        libpango1.0-0=1.50.12+ds-1 \
-        libpangocairo-1.0-0=1.50.12+ds-1 \
-        shared-mime-info=2.2-1 \
+        git=1:2.47.2-0.2 \
+        libcairo2=1.18.4-1+b1 \
+        libgdk-pixbuf-2.0-0=2.42.12+dfsg-4 \
+        libpango-1.0-0=1.56.3-1 \
+        libpangocairo-1.0-0=1.56.3-1 \
+        shared-mime-info=2.4-5+b2 \
     # Cleanup package manager caches to reduce layer size
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
@@ -108,7 +107,7 @@ ENV PYTHONUNBUFFERED=1 \
 # ==============================================================================
 # BUILD STAGE - Development Tools and Dependency Installation
 # ==============================================================================
-# Purpose: Installs build tools, Uv, and application dependencies
+# Purpose: Installs build tools, Poetry, and application dependencies
 # Contains: Compilers, headers, build tools, complete Python environment
 # Size Impact: ~1.3GB (includes all build dependencies and Python packages)
 # ==============================================================================
@@ -122,21 +121,37 @@ RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends \
         # GCC compiler and build essentials for native extensions
-        build-essential=12.9 \
+        build-essential=12.12 \
         # Additional utilities required by some Python packages
-        findutils=4.9.0-4 \
+        findutils=4.10.0-3 \
         # Development headers for graphics libraries
-        libcairo2-dev=1.16.0-7 \
+        libcairo2-dev=1.18.4-1+b1 \
         # Foreign Function Interface library for Python extensions
-        libffi-dev=3.4.4-1 \
+        libffi8=3.4.8-2 \
     # Cleanup to reduce intermediate layer size
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-ENV UV_VERSION=0.8.0
+# Poetry configuration for dependency management
+# These settings optimize Poetry for containerized builds
 
-# Install Uv using pip
-RUN pip install uv==$UV_VERSION
+# POETRY_NO_INTERACTION=1        : Disables interactive prompts for CI/CD
+# POETRY_VIRTUALENVS_CREATE=1    : Ensures virtual environment creation
+# POETRY_VIRTUALENVS_IN_PROJECT=1: Creates .venv in project directory
+# POETRY_CACHE_DIR=/tmp/poetry_cache: Uses temporary directory for cache
+# POETRY_INSTALLER_PARALLEL=true : Enables parallel package installation
+
+ENV POETRY_VERSION=2.1.1 \
+    POETRY_NO_INTERACTION=1 \
+    POETRY_VIRTUALENVS_CREATE=1 \
+    POETRY_VIRTUALENVS_IN_PROJECT=1 \
+    POETRY_CACHE_DIR=/tmp/poetry_cache \
+    POETRY_INSTALLER_PARALLEL=true
+
+# Install Poetry using pip with BuildKit cache mount for efficiency
+# Cache mount prevents re-downloading Poetry on subsequent builds
+RUN --mount=type=cache,target=/root/.cache \
+    pip install poetry==$POETRY_VERSION
 
 # Set working directory for all subsequent operations
 WORKDIR /app
@@ -148,13 +163,15 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # Copy dependency files first for optimal Docker layer caching
 # Changes to these files will invalidate subsequent layers
 # OPTIMIZATION: This pattern maximizes cache hits during development
-COPY pyproject.toml uv.lock ./
+COPY pyproject.toml poetry.lock ./
 
-# Install dependencies
-RUN --mount=type=cache,target=/root/.cache/uv \
-    --mount=type=bind,source=uv.lock,target=uv.lock \
-    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
-    uv sync --locked --no-install-project
+# Install Python dependencies using Poetry
+# PERFORMANCE: Cache mount speeds up subsequent builds
+# SECURITY: --only main excludes development dependencies from production
+# NOTE: Install dependencies only first, package itself will be installed later with git context
+RUN --mount=type=cache,target=$POETRY_CACHE_DIR \
+    --mount=type=cache,target=/root/.cache/pip \
+    poetry install --only main --no-root --no-directory
 
 # Copy application files in order of change frequency (Docker layer optimization)
 # STRATEGY: Files that change less frequently are copied first to maximize cache reuse
@@ -163,16 +180,13 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 # These are typically static configuration that changes infrequently
 COPY config/ ./config/
 
-# 2. Database migration files (change infrequently)
-# Alembic migrations are relatively stable
-COPY src/tux/database/migrations/ ./src/tux/database/migrations/
+# 2. Database schema files (change infrequently)
+# Prisma schema and migrations are relatively stable
+COPY prisma/ ./prisma/
 
 # 3. Main application code (changes more frequently)
 # The core bot code is most likely to change during development
-# Copy the entire src tree so Poetry can find packages from "src"
-COPY src/ ./src/
-# Keep runtime path stable at /app/tux for later stages and health checks
-RUN cp -a src/tux ./tux
+COPY tux/ ./tux/
 
 # 4. Root level files needed for installation
 # These include metadata and licensing information
@@ -201,9 +215,12 @@ RUN set -eux; \
     fi; \
     echo "Building version: $(cat /app/VERSION)"
 
-# Sync the project
-RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --locked
+# Install the application and generate Prisma client
+# COMPLEXITY: This step requires multiple operations that must be done together
+RUN --mount=type=cache,target=$POETRY_CACHE_DIR \
+    --mount=type=cache,target=/root/.cache \
+    # Install the application package itself
+    poetry install --only main
 
 # ==============================================================================
 # DEVELOPMENT STAGE - Development Environment
@@ -232,7 +249,7 @@ RUN set -eux; \
         chsh -s /usr/bin/zsh && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists/*; \
-    fi
+    fi; \
 # Fix ownership of all application files for non-root user
 # SECURITY: Ensures the application runs with proper permissions
 COPY --from=build --chown=nonroot:nonroot /app /app
@@ -241,21 +258,22 @@ RUN set -eux; \
     # Create application cache and temporary directories
     # These directories are used by the bot for caching and temporary files
     mkdir -p /app/.cache/tldr /app/temp; \
-    # Create user cache directories (fixes permission issues for npm and other tools)
+    # Create user cache directories (fixes permission issues for Prisma/npm)
     mkdir -p /home/nonroot/.cache /home/nonroot/.npm; \
-    # Ensure correct ownership for nonroot user to write into these directories
-    chown -R nonroot:nonroot /app/.cache /app/temp /home/nonroot/.cache /home/nonroot/.npm
 # Switch to non-root user for all subsequent operations
 # SECURITY: Follows principle of least privilege
 USER nonroot
 
-# Install development dependencies
+# Install development dependencies and setup Prisma
 # DEVELOPMENT: These tools are needed for linting, testing, and development workflow
-RUN uv sync --dev
+RUN poetry install --only dev --no-root --no-directory && \
+    poetry run prisma py fetch && \
+    poetry run prisma generate
 
 # Development container startup command
-# WORKFLOW: Starts the bot in development mode with automatic database migrations
-CMD ["uv", "run", "tux", "--dev", "start"]
+# WORKFLOW: Regenerates Prisma client and starts the bot in development mode
+# This ensures the database client is always up-to-date with schema changes
+CMD ["sh", "-c", "poetry run prisma generate && exec poetry run tux --dev start"]
 
 # ==============================================================================
 # PRODUCTION STAGE - Minimal Runtime Environment
@@ -266,7 +284,7 @@ CMD ["uv", "run", "tux", "--dev", "start"]
 # Size Impact: ~440MB (73% reduction from development image)
 # ==============================================================================
 
-FROM python:3.13.5-slim@sha256:4c2cf9917bd1cbacc5e9b07320025bdb7cdf2df7b0ceaccb55e9dd7e30987419 AS production
+FROM python:3.13.7-slim@sha256:27f90d79cc85e9b7b2560063ef44fa0e9eaae7a7c3f5a9f74563065c5477cc24 AS production
 
 # Duplicate OCI labels for production image metadata
 # COMPLIANCE: Ensures production images have proper metadata for registries
@@ -293,17 +311,18 @@ RUN echo 'path-exclude /usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/01_nodoc && \
     echo 'path-exclude /usr/share/man/*' >> /etc/dpkg/dpkg.cfg.d/01_nodoc && \
     echo 'path-exclude /usr/share/groff/*' >> /etc/dpkg/dpkg.cfg.d/01_nodoc && \
     echo 'path-exclude /usr/share/info/*' >> /etc/dpkg/dpkg.cfg.d/01_nodoc && \
-    echo 'path-exclude /usr/share/lintian/*' >> /etc/dpkg/dpkg.cfg.d/01_nodoc
+    echo 'path-exclude /usr/share/lintian/*' >> /etc/dpkg/dpkg.cfg.d/01_nodoc && \
+    echo 'path-exclude /usr/share/linda/*' >> /etc/dpkg/dpkg.cfg.d/01_nodoc
 
 # Install ONLY runtime dependencies (minimal subset of base stage)
 # SECURITY: Update all packages first, then install minimal runtime dependencies
 # SIZE: Significantly smaller than build stage dependencies
 RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends --no-install-suggests \
-        libcairo2=1.16.0-7 \
-        libffi8=3.4.4-1 \
-        coreutils=9.1-1 \
+        libcairo2=1.18.4-1+b1 \
+        libffi8=3.4.8-2 \
+        coreutils=9.7-3 \
     # Aggressive cleanup to minimize image size
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
@@ -336,7 +355,7 @@ ENV VIRTUAL_ENV=/app/.venv \
 # EFFICIENCY: Only copies what's needed for runtime
 COPY --from=build --chown=nonroot:nonroot /app/.venv /app/.venv
 COPY --from=build --chown=nonroot:nonroot /app/tux /app/tux
-
+COPY --from=build --chown=nonroot:nonroot /app/prisma /app/prisma
 COPY --from=build --chown=nonroot:nonroot /app/config /app/config
 COPY --from=build --chown=nonroot:nonroot /app/pyproject.toml /app/pyproject.toml
 COPY --from=build --chown=nonroot:nonroot /app/VERSION /app/VERSION
@@ -353,32 +372,35 @@ RUN set -eux; \
   rm -rf /home/nonroot/.npm/_cacache_; \
   chown nonroot:nonroot /app/.cache /app/temp /home/nonroot/.cache /home/nonroot/.npm
 
-# Switch to non-root user for final optimizations
+# Switch to non-root user and finalize Prisma binaries
 USER nonroot
+RUN /app/.venv/bin/python -m prisma py fetch \
+ && /app/.venv/bin/python -m prisma generate
 
 USER root
-# Aggressive cleanup and optimization
+# Aggressive cleanup and optimization after Prisma setup
 # PERFORMANCE: Single RUN reduces layer count and enables atomic cleanup
-# SIZE: Removes unnecessary files to minimize final image size
+# SIZE: Removes unnecessary files to minimize final image size but preserves Prisma binaries
 RUN set -eux; \
     # VIRTUAL ENVIRONMENT CLEANUP
     # The following operations remove unnecessary files from the Python environment
     # This can reduce the size by 30-50MB without affecting functionality
     # Remove Python bytecode files (will be regenerated as needed)
     find /app/.venv -name "*.pyc" -delete; \
     find /app/.venv -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true; \
-    # Remove test directories from installed packages
+    # Remove test directories from installed packages (but preserve prisma binaries)
     # These directories contain test files that are not needed in production
-    for test_dir in tests testing "*test*"; do \
-      find /app/.venv -name "$test_dir" -type d -exec rm -rf {} + 2>/dev/null || true; \
+    for test_dir in tests testing "test*"; do \
+      find /app/.venv -name "$test_dir" -type d -not -path "*/prisma*" -exec rm -rf {} + 2>/dev/null || true; \
     done; \
-    # Remove documentation files from installed packages
+    # Remove documentation files from installed packages (but preserve prisma docs)
     # These files take up significant space and are not needed in production
     for doc_pattern in "*.md" "*.txt" "*.rst" "LICENSE*" "NOTICE*" "COPYING*" "CHANGELOG*" "README*" "HISTORY*" "AUTHORS*" "CONTRIBUTORS*"; do \
-      find /app/.venv -name "$doc_pattern" -delete 2>/dev/null || true; \
+      find /app/.venv -name "$doc_pattern" -not -path "*/prisma*" -delete 2>/dev/null || true; \
     done; \
     # Remove large development packages that are not needed in production
     # These packages (pip, setuptools, wheel) are only needed for installing packages
+    # NOTE: Preserving packages that Prisma might need
     for pkg in setuptools wheel pkg_resources; do \
       rm -rf /app/.venv/lib/python3.13/site-packages/${pkg}* 2>/dev/null || true; \
       rm -rf /app/.venv/bin/${pkg}* 2>/dev/null || true; \
@@ -387,7 +409,7 @@ RUN set -eux; \
     # Compile Python bytecode for performance optimization
     # PERFORMANCE: Pre-compiled bytecode improves startup time
     # Note: Some compilation errors are expected and ignored
-    /app/.venv/bin/python -m compileall -b -q /app/src/tux /app/.venv/lib/python3.13/site-packages 2>/dev/null || true
+    /app/.venv/bin/python -m compileall -b -q /app/tux /app/.venv/lib/python3.13/site-packages 2>/dev/null || true
 
 # Switch back to non-root user for runtime
 USER nonroot
@@ -396,7 +418,7 @@ USER nonroot
 # MONITORING: Allows Docker/Kubernetes to monitor application health
 # RELIABILITY: Enables automatic restart of unhealthy containers
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-    CMD python -c "import tux.cli.core; import tux.shared.config.env; print('Health check passed')" || exit 1
+    CMD python -c "import tux.cli.core; import tux.utils.env; print('Health check passed')" || exit 1
 
 # --interval=30s    : Check health every 30 seconds
 # --timeout=10s     : Allow 10 seconds for health check to complete

Dockerfile

@@ -35,7 +35,7 @@ async def handle_harmful_message(message: discord.Message) -> None:
         None
         """
 
-        if message.author.bot:
+        if message.author.bot and message.webhook_id not in CONFIG.BRIDGE_WEBHOOK_IDS:
             return
 
         stripped_content = strip_formatting(message.content)