feat(ci): add engram CI workflow to build and publish linux/amd64 binary

Triggers on push to main/dev when engram/** changes. Downloads the El SDK
from Artifact Registry, builds engram using elb, and publishes the binary
as package 'engram' (SHA version + latest tag) to foundation-dev.

.gitea/workflows/engram-ci.yaml

@@ -0,0 +1,132 @@
+name: Engram CI
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+    paths:
+      - 'engram/**'
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install build dependencies
+        run: |
+          apt-get update -qq
+          apt-get install -y gcc libcurl4-openssl-dev apt-transport-https ca-certificates
+          echo "deb [trusted=yes] https://packages.cloud.google.com/apt cloud-sdk main" \
+            > /etc/apt/sources.list.d/google-cloud-sdk.list
+          apt-get update -qq && apt-get install -y google-cloud-cli
+
+      - name: Download El SDK from Artifact Registry
+        env:
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+        run: |
+          echo "${GCP_SA_KEY}" > /tmp/gcp-key.json
+          gcloud auth activate-service-account --key-file=/tmp/gcp-key.json
+          gcloud config set project neuron-785695
+
+          rm -rf /opt/el/dist /opt/el/runtime
+          mkdir -p /opt/el/dist/platform /opt/el/dist/bin /opt/el/runtime
+
+          get_latest() {
+            gcloud artifacts versions list \
+              --repository=foundation-dev \
+              --location=us-central1 \
+              --project=neuron-785695 \
+              --package="$1" \
+              --sort-by="~createTime" \
+              --limit=1 \
+              --format="value(name)" 2>/dev/null | awk -F/ '{print $NF}'
+          }
+
+          ELC_VER=$(get_latest el-elc)
+          ELB_VER=$(get_latest el-elb)
+          RC_VER=$(get_latest el-runtime-c)
+          RH_VER=$(get_latest el-runtime-h)
+
+          echo "Downloading elc@${ELC_VER} elb@${ELB_VER} runtime-c@${RC_VER} runtime-h@${RH_VER}"
+
+          gcloud artifacts generic download \
+            --repository=foundation-dev --location=us-central1 --project=neuron-785695 \
+            --package=el-elc --version="${ELC_VER}" \
+            --destination=/opt/el/dist/platform/
+
+          gcloud artifacts generic download \
+            --repository=foundation-dev --location=us-central1 --project=neuron-785695 \
+            --package=el-elb --version="${ELB_VER}" \
+            --destination=/opt/el/dist/bin/
+
+          gcloud artifacts generic download \
+            --repository=foundation-dev --location=us-central1 --project=neuron-785695 \
+            --package=el-runtime-c --version="${RC_VER}" \
+            --destination=/opt/el/runtime/
+
+          gcloud artifacts generic download \
+            --repository=foundation-dev --location=us-central1 --project=neuron-785695 \
+            --package=el-runtime-h --version="${RH_VER}" \
+            --destination=/opt/el/runtime/
+
+          mv /opt/el/dist/platform/elc* /opt/el/dist/platform/elc 2>/dev/null || true
+          mv /opt/el/dist/bin/elb*       /opt/el/dist/bin/elb      2>/dev/null || true
+          mv /opt/el/runtime/el_runtime.c* /opt/el/runtime/el_runtime.c 2>/dev/null || true
+          mv /opt/el/runtime/el_runtime.h* /opt/el/runtime/el_runtime.h 2>/dev/null || true
+
+          chmod +x /opt/el/dist/platform/elc /opt/el/dist/bin/elb
+          echo "El SDK ready"
+
+      - name: Build engram binary (linux/amd64)
+        run: |
+          ELB=/opt/el/dist/bin/elb
+          ELC=/opt/el/dist/platform/elc
+          RUNTIME=/opt/el/runtime
+
+          # elb reads manifest.el from the working directory.
+          # engram/dist/engram.c is the pre-compiled C translation of src/server.el.
+          # elb compiles dist/engram.c + el_runtime.c → dist/engram binary.
+          cd engram
+          "$ELB" --elc="$ELC" --runtime="$RUNTIME"
+          ls -lh dist/engram
+          file dist/engram
+
+      - name: Smoke test
+        run: |
+          file engram/dist/engram
+          timeout 3 engram/dist/engram --help 2>&1 || true
+          echo "smoke test complete"
+
+      - name: Publish engram binary to Artifact Registry
+        if: github.event_name == 'push'
+        env:
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+        run: |
+          VERSION="${GITHUB_SHA:0:8}"
+
+          gcloud artifacts generic upload \
+            --repository=foundation-dev \
+            --location=us-central1 \
+            --project=neuron-785695 \
+            --package=engram \
+            --version="${VERSION}" \
+            --source=engram/dist/engram
+
+          # Re-upload as "latest" — Artifact Registry generic artifacts don't
+          # support moving tags, so we upload again. The newest upload wins.
+          gcloud artifacts generic upload \
+            --repository=foundation-dev \
+            --location=us-central1 \
+            --project=neuron-785695 \
+            --package=engram \
+            --version="latest" \
+            --source=engram/dist/engram \
+            2>/dev/null || true
+
+          echo "Published engram@${VERSION} and engram@latest"
+          rm -f /tmp/gcp-key.json