Sentinel-Gate
diff --git a/‎.github/ISSUE_TEMPLATE/bug_report.yml‎
Lines changed: 97 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/bug_report.yml‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/feature_request.yml‎
Lines changed: 55 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/feature_request.yml‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 32 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 134 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 134 additions & 0 deletions
diff --git a/‎.github/workflows/cla.yml‎
Lines changed: 28 additions & 0 deletions b/‎.github/workflows/cla.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 46 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,97 @@
+name: Bug Report
+description: Report a bug in SentinelGate
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What happened? Provide a clear and concise description of the bug.
+      placeholder: A clear description of the bug...
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: How can we reproduce this issue?
+      placeholder: |
+        1. Start SentinelGate with config...
+        2. Send request to...
+        3. Observe...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: What should have happened?
+      placeholder: I expected...
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior
+      description: What actually happened?
+      placeholder: Instead, what happened was...
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: Output of `sentinel-gate version`
+      placeholder: "v1.0.0"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: installation
+    attributes:
+      label: Installation Method
+      options:
+        - Docker
+        - Binary
+        - Source
+    validations:
+      required: false
+
+  - type: input
+    id: os
+    attributes:
+      label: OS
+      description: Operating system and version
+      placeholder: "e.g. Ubuntu 22.04, macOS 14, Windows 11"
+    validations:
+      required: false
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs
+      description: Relevant log output (sensitive data redacted)
+      render: shell
+    validations:
+      required: false
+
+  - type: textarea
+    id: config
+    attributes:
+      label: Configuration
+      description: Relevant configuration (sensitive data redacted)
+      render: yaml
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: search
+    attributes:
+      label: Due Diligence
+      options:
+        - label: I have searched existing issues for duplicates
+          required: true
@@ -0,0 +1,55 @@
+name: Feature Request
+description: Suggest an improvement for SentinelGate
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem does this feature solve?
+      placeholder: I'm always frustrated when...
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: How should it work? Describe the desired behavior.
+      placeholder: It would be great if...
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Other approaches you've considered
+      placeholder: I also thought about...
+    validations:
+      required: false
+
+  - type: dropdown
+    id: component
+    attributes:
+      label: Component
+      description: Which part of SentinelGate does this affect?
+      options:
+        - Core Proxy
+        - Admin UI
+        - Policy Engine
+        - CLI
+        - Docker
+        - Other
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: search
+    attributes:
+      label: Due Diligence
+      options:
+        - label: I have searched existing issues for duplicates
+          required: true
+        - label: "This is NOT a Pro/Enterprise feature (SSO, SIEM, multi-tenant, etc.)"
+          required: false
@@ -0,0 +1,32 @@
+## Summary
+
+<!-- Brief description of what this PR does -->
+
+## Related Issues
+
+<!-- Link related issues: Fixes #123, Closes #456 -->
+
+## Changes
+
+<!-- List the key changes -->
+
+-
+
+## Checklist
+
+- [ ] Tests pass (`go test ./...`)
+- [ ] Lint passes (`golangci-lint run`)
+- [ ] New code has tests
+- [ ] Documentation updated (if applicable)
+- [ ] No breaking changes (or documented below)
+- [ ] CLA signed (required for all contributors)
+
+## Breaking Changes
+
+<!-- If any, describe migration steps -->
+
+None.
+
+## Screenshots
+
+<!-- If UI changes, add before/after screenshots -->
@@ -0,0 +1,134 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+          args: --timeout=5m
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Run tests with race detector and coverage
+        run: |
+          go test -race -coverprofile=coverage.out -covermode=atomic ./...
+      - name: Check coverage on critical packages
+        run: |
+          # Extract coverage for critical packages and enforce 80% threshold
+          CRITICAL_PKGS=(
+            "github.com/Sentinel-Gate/Sentinelgate/internal/adapter/outbound/state"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/domain/proxy"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/service"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/adapter/inbound/admin"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/adapter/outbound/cel"
+          )
+
+          FAIL=0
+          for pkg in "${CRITICAL_PKGS[@]}"; do
+            COV=$(go tool cover -func=coverage.out | grep "^${pkg}/" | tail -1 | awk '{print $NF}' | tr -d '%')
+            if [ -z "$COV" ]; then
+              echo "WARNING: No coverage data for $pkg"
+              continue
+            fi
+            echo "$pkg: ${COV}%"
+            COV_INT=${COV%.*}
+            if [ "$COV_INT" -lt 65 ]; then
+              echo "FAIL: $pkg coverage ${COV}% is below 65% threshold"
+              FAIL=1
+            fi
+          done
+
+          echo ""
+          echo "Overall coverage:"
+          go tool cover -func=coverage.out | tail -1
+
+          if [ "$FAIL" -eq 1 ]; then
+            echo "::error::Coverage below 65% on one or more critical packages"
+            exit 1
+          fi
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.out
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - goos: linux
+            goarch: amd64
+          - goos: linux
+            goarch: arm64
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Build binary
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+        run: |
+          go build -ldflags="-s -w" -o sentinel-gate-${{ matrix.goos }}-${{ matrix.goarch }} ./cmd/sentinel-gate
+      - name: Upload binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: sentinel-gate-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: sentinel-gate-${{ matrix.goos }}-${{ matrix.goarch }}
+
+  smoke:
+    name: Smoke Test
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y jq
+      - name: Run smoke tests
+        run: bash scripts/smoke.sh
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Run vulnerability scan
+        run: govulncheck ./...
@@ -0,0 +1,28 @@
+name: CLA Assistant
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+permissions:
+  actions: write
+  contents: read
+  pull-requests: write
+  statuses: write
+
+jobs:
+  cla:
+    runs-on: ubuntu-latest
+    steps:
+      - name: CLA Assistant
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+        with:
+          path-to-signatures: 'signatures/cla.json'
+          path-to-document: 'https://github.com/Sentinel-Gate/Sentinelgate/blob/main/CLA.md'
+          branch: 'main'
+          allowlist: bot*,dependabot*
@@ -0,0 +1,46 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Run tests
+        run: go test ./... -race -count=1
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}