Harden security

AGENTS.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-GIA is a multi-transport communication platform bridging Signal, WhatsApp, XMPP, and Instagram through a Django web interface. It provides message relay, AI-powered workspace analysis, compose UX, and OSINT search. Stack: Python 3.11, Django 4.x, HTMX, Bulma CSS, SQLite, Redis, Docker Compose. Async runtime uses asyncio + uvloop.
+GIA is a multi-transport communication platform bridging Signal, WhatsApp, XMPP, and Instagram through a Django web interface. It provides message relay, AI-powered workspace analysis, compose UX, and OSINT search. Stack: Python 3.11, Django 4.x, HTMX, Bulma CSS, SQLite, Redis, Podman. Async runtime uses asyncio + uvloop.
 
 ## Structure
 
@@ -45,8 +45,8 @@ GIA/
 │   ├── templates/        # Django templates (75 files, partials/ heavy)
 │   ├── management/commands/ # ur (unified router), scheduling
 │   └── util/logs.py      # Custom colored logger — use logs.get_logger("name")
-├── Makefile              # Docker Compose orchestration commands
-├── docker-compose.yml    # Services: app, asgi, ur, scheduling, redis, signal-cli
+├── Makefile              # Podman + quadlet orchestration commands
+├── scripts/quadlet/      # Podman lifecycle scripts and unit rendering
 ├── Dockerfile            # Python 3.11, venv at /venv
 ├── requirements.txt      # Pinned deps (django, openai, neonize, slixmpp, etc.)
 ├── stack.env             # Runtime env vars (from stack.env.example)
@@ -56,14 +56,11 @@ GIA/
 ## Commands
 
 ```bash
-# All commands run via Docker Compose with stack.env
+# All commands run via Podman + quadlet with stack.env
 make build                          # Build Docker images
 make run                            # Start all services (quadlet manager)
 make stop                           # Stop all services
 make log                            # Tail logs
-make compose-run                    # Start via docker-compose directly
-make compose-stop                   # Stop via docker-compose
-make compose-log                    # Tail via docker-compose
 
 # Database
 make migrate                        # Run Django migrations
@@ -80,8 +77,8 @@ python manage.py test core.tests.test_foo.TestBar -v 2  # Single class
 python manage.py test core.tests.test_foo.TestBar.test_method -v 2  # Single test
 
 # Service restarts after code changes
-docker-compose restart ur           # Restart unified router
-docker-compose restart scheduling   # Restart scheduler
+podman restart ur_gia               # Restart unified router
+podman restart scheduling_gia       # Restart scheduler
 # uWSGI auto-reloads for app/core code changes
 ```
 
@@ -169,5 +166,5 @@ docker-compose restart scheduling   # Restart scheduler
 - **Unified Router** (`core/modules/router.py`): Management command `python manage.py ur` runs the event loop with all transport clients. Each client inherits `ClientBase` ABC.
 - **Transport Layer** (`core/clients/transport.py`): Shared cache-backed runtime state, command queuing, and attachment prep. All outbound media goes through `prepare_outbound_attachments()`.
 - **Settings Chain**: `app/settings.py` → imports `app/local_settings.py` (wildcard `*`) → env vars from `stack.env`. Feature flags: `WHATSAPP_ENABLED`, `INSTAGRAM_ENABLED`, `COMPOSE_WS_ENABLED`.
-- **Services in docker-compose**: `app` (uWSGI), `asgi` (uvicorn for WebSockets), `ur` (unified router), `scheduling` (APScheduler), `redis`, `signal-cli-rest-api`.
+- **Services in podman stack**: `app` (uWSGI), `asgi` (uvicorn for WebSockets), `ur` (unified router), `scheduling` (APScheduler), `redis`, `signal-cli-rest-api`.
 - **No test suite currently**: `core/tests.py` is empty scaffold; `core/tests/` has only `__init__.py`. Tests run via `make test MODULES=...` but need to be written.