ci(cnb): preflight stability release branches

.cnb.yml

@@ -24,6 +24,56 @@ main:
             apt-get install -y git libdbus-1-dev nodejs pkg-config
             ./scripts/release/check-versions.sh
 
+"work/v*-stability":
+  push:
+    - name: feishu bridge release preflight
+      runner:
+        tags: cnb:arch:amd64
+        cpus: 8
+      docker:
+        image: node:22-bookworm
+      stages:
+        - name: feishu bridge tests
+          script: |
+            set -euo pipefail
+            cd integrations/feishu-bridge
+            npm ci
+            npm run check
+            npm test
+
+    - name: linux release preflight
+      runner:
+        tags: cnb:arch:amd64
+        cpus: 16
+      docker:
+        image: rust:1.88-bookworm
+      stages:
+        - name: install release dependencies
+          script: |
+            set -euo pipefail
+            apt-get update
+            apt-get install -y git libdbus-1-dev nodejs npm pkg-config
+            if command -v rustup >/dev/null 2>&1; then
+              rustup component add rustfmt clippy
+            fi
+
+        - name: rust workspace gates
+          script: |
+            set -euo pipefail
+            ./scripts/release/check-versions.sh
+            cargo fmt --all -- --check
+            cargo check --workspace --all-targets --locked
+            cargo clippy --workspace --all-targets --all-features --locked -- -D warnings
+            cargo test --workspace --all-features --locked
+
+        - name: release binary smoke
+          script: |
+            set -euo pipefail
+            cargo build --release --locked -p deepseek-tui-cli -p deepseek-tui
+            node scripts/release/npm-wrapper-smoke.js
+            ./target/release/deepseek --version
+            ./target/release/deepseek-tui --version
+
 $:
   tag_push:
     - docker:

.github/workflows/sync-cnb.yml

@@ -7,6 +7,7 @@ name: Sync to CNB
 # Triggers:
 #   * push to main              → mirrors that commit to CNB main
 #   * tag matching v*           → mirrors that tag to CNB
+#   * release stability branches→ mirrors release-candidate refs for CNB preflight
 #   * Tencent release branches  → mirrors Feishu/Lighthouse setup branches
 #   * workflow_dispatch         → manual fallback if any of the above fails
 #
@@ -25,6 +26,7 @@ on:
   push:
     branches:
       - main
+      - 'work/v*-stability'
       - 'work/v*-feishu-*'
       - 'work/v*-lighthouse*'
     tags: ['v*']
@@ -110,9 +112,10 @@ jobs:
             push_with_retry "main" HEAD:refs/heads/main --force
           else
             # Tencent release-candidate branches are first-class CNB
-            # sources for Lighthouse/Feishu bootstrap. Mirror the triggering
-            # branch exactly so the CNB clone path stays the default even
-            # before the branch has merged to main or become a release tag.
+            # sources for release preflight and Lighthouse/Feishu bootstrap.
+            # Mirror the triggering branch exactly so the CNB clone path stays
+            # useful before the branch has merged to main or become a release
+            # tag.
             BRANCH="${GITHUB_REF#refs/heads/}"
             push_with_retry "branch ${BRANCH}" "HEAD:refs/heads/${BRANCH}" --force
           fi

docs/CNB_MIRROR.md

@@ -12,14 +12,15 @@ The mirror is maintained by the [`Sync to CNB`](../.github/workflows/sync-cnb.ym
 GitHub Actions workflow:
 
 - **Trigger:** `push` to `main`, `push` of any `v*` tag,
+  release stability branches matching `work/v*-stability`,
   Tencent setup branches matching `work/v*-feishu-*` or
   `work/v*-lighthouse*`, or `workflow_dispatch` for manual recovery.
 - **Auth:** HTTPS basic auth as user `cnb` with the `CNB_GIT_TOKEN`
   repository secret as the password.
 - **Scope:** only the ref that triggered the run is pushed. Tag pushes
   push exactly that tag. Branch pushes mirror `main` or an explicitly
-  matched Tencent setup branch. Other feature branches and dependabot refs
-  are intentionally *not* mirrored.
+  matched release/Tencent setup branch. Other feature branches and dependabot
+  refs are intentionally *not* mirrored.
 - **Concurrency:** runs are serialized via a `cnb-sync` concurrency
   group so the back-to-back `main` push and tag push from
   `auto-tag.yml` cannot race each other.
@@ -45,6 +46,14 @@ This gives users who can reach CNB but not GitHub a CNB-native release path.
 GitHub remains the canonical full release matrix; the CNB tag pipeline is the
 China-friendly Linux x64 fallback.
 
+## Release branch preflight
+
+Release stability branches matching `work/v*-stability` are mirrored to CNB so
+CNB can run Linux/container release preflight before the branch merges. This is
+useful for offloading Linux Rust, npm wrapper, and Feishu bridge checks, but it
+does not replace platform-specific GitHub Actions jobs such as Windows and
+macOS.
+
 ## Verifying the mirror after a release
 
 After `release.yml` completes for a `vX.Y.Z` tag, the CNB mirror