SentinelGate v2.1

Author: Sentinel-Gate

.githooks/pre-commit

@@ -0,0 +1,16 @@
+#!/bin/sh
+# Pre-commit hook: runs golangci-lint on staged Go files.
+# Install via: scripts/install-hooks.sh
+
+# Check if there are staged Go files.
+STAGED_GO=$(git diff --cached --name-only --diff-filter=ACM | grep '\.go$' || true)
+if [ -z "$STAGED_GO" ]; then
+    exit 0
+fi
+
+echo "pre-commit: running golangci-lint..."
+if ! golangci-lint run ./...; then
+    echo ""
+    echo "pre-commit: lint failed. Fix the issues above before committing."
+    exit 1
+fi

.githooks/pre-push

@@ -0,0 +1,10 @@
+#!/bin/sh
+# Pre-push hook: runs tests with race detector.
+# Install via: scripts/install-hooks.sh
+
+echo "pre-push: running tests with race detector..."
+if ! go test -race -count=1 -timeout 300s ./...; then
+    echo ""
+    echo "pre-push: tests failed. Fix the issues above before pushing."
+    exit 1
+fi

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,97 @@
+name: Bug Report
+description: Report a bug in SentinelGate
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What happened? Provide a clear and concise description of the bug.
+      placeholder: A clear description of the bug...
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: How can we reproduce this issue?
+      placeholder: |
+        1. Start SentinelGate with config...
+        2. Send request to...
+        3. Observe...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: What should have happened?
+      placeholder: I expected...
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior
+      description: What actually happened?
+      placeholder: Instead, what happened was...
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: Output of `sentinel-gate version`
+      placeholder: "v1.1.0"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: installation
+    attributes:
+      label: Installation Method
+      options:
+        - Docker
+        - Binary
+        - Source
+    validations:
+      required: false
+
+  - type: input
+    id: os
+    attributes:
+      label: OS
+      description: Operating system and version
+      placeholder: "e.g. Ubuntu 22.04, macOS 14, Windows 11"
+    validations:
+      required: false
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs
+      description: Relevant log output (sensitive data redacted)
+      render: shell
+    validations:
+      required: false
+
+  - type: textarea
+    id: config
+    attributes:
+      label: Configuration
+      description: Relevant configuration (sensitive data redacted)
+      render: yaml
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: search
+    attributes:
+      label: Due Diligence
+      options:
+        - label: I have searched existing issues for duplicates
+          required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,55 @@
+name: Feature Request
+description: Suggest an improvement for SentinelGate
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem does this feature solve?
+      placeholder: I'm always frustrated when...
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: How should it work? Describe the desired behavior.
+      placeholder: It would be great if...
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Other approaches you've considered
+      placeholder: I also thought about...
+    validations:
+      required: false
+
+  - type: dropdown
+    id: component
+    attributes:
+      label: Component
+      description: Which part of SentinelGate does this affect?
+      options:
+        - Core Proxy
+        - Admin UI
+        - Policy Engine
+        - CLI
+        - Docker
+        - Other
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: search
+    attributes:
+      label: Due Diligence
+      options:
+        - label: I have searched existing issues for duplicates
+          required: true
+        - label: "This is NOT a Pro/Enterprise feature (SSO, SIEM, multi-tenant, etc.)"
+          required: false

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,32 @@
+## Summary
+
+<!-- Brief description of what this PR does -->
+
+## Related Issues
+
+<!-- Link related issues: Fixes #123, Closes #456 -->
+
+## Changes
+
+<!-- List the key changes -->
+
+-
+
+## Checklist
+
+- [ ] Tests pass (`go test ./...`)
+- [ ] Lint passes (`golangci-lint run`)
+- [ ] New code has tests
+- [ ] Documentation updated (if applicable)
+- [ ] No breaking changes (or documented below)
+- [ ] CLA signed (required for all contributors)
+
+## Breaking Changes
+
+<!-- If any, describe migration steps -->
+
+None.
+
+## Screenshots
+
+<!-- If UI changes, add before/after screenshots -->

.github/workflows/ci.yml

@@ -0,0 +1,172 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v7
+        with:
+          version: v2.10
+          args: --timeout=5m
+
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Run tests with race detector
+        shell: bash
+        run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
+      - name: Check coverage on critical packages
+        continue-on-error: true
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          # Extract coverage for critical packages and enforce 80% threshold
+          CRITICAL_PKGS=(
+            "github.com/Sentinel-Gate/Sentinelgate/internal/adapter/outbound/state"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/domain/proxy"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/service"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/adapter/inbound/admin"
+            "github.com/Sentinel-Gate/Sentinelgate/internal/adapter/outbound/cel"
+          )
+
+          FAIL=0
+          for pkg in "${CRITICAL_PKGS[@]}"; do
+            COV=$(go tool cover -func=coverage.out | grep "^${pkg}/" | tail -1 | awk '{print $NF}' | tr -d '%')
+            if [ -z "$COV" ]; then
+              echo "WARNING: No coverage data for $pkg"
+              continue
+            fi
+            echo "$pkg: ${COV}%"
+            COV_INT=${COV%.*}
+            if [ "$COV_INT" -lt 50 ]; then
+              echo "FAIL: $pkg coverage ${COV}% is below 50% threshold"
+              FAIL=1
+            fi
+          done
+
+          echo ""
+          echo "Overall coverage:"
+          go tool cover -func=coverage.out | tail -1
+
+          if [ "$FAIL" -eq 1 ]; then
+            echo "::error::Coverage below 50% on one or more critical packages"
+            exit 1
+          fi
+      - name: Upload coverage report
+        if: matrix.os == 'ubuntu-latest'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.out
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - goos: linux
+            goarch: amd64
+          - goos: linux
+            goarch: arm64
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+          - goos: windows
+            goarch: amd64
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Build binary
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+        run: |
+          go build -ldflags="-s -w" -o sentinel-gate-${{ matrix.goos }}-${{ matrix.goarch }} ./cmd/sentinel-gate
+      - name: Upload binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: sentinel-gate-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: sentinel-gate-${{ matrix.goos }}-${{ matrix.goarch }}
+
+  smoke:
+    name: Smoke Test
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y jq
+      - name: Run smoke tests
+        continue-on-error: true
+        run: bash scripts/smoke.sh
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # gitleaks needs full history
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      # Dependency vulnerability scanning
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: govulncheck — dependency CVEs
+        run: govulncheck ./...
+
+      # SAST — security bugs in Go code
+      - name: Install gosec
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+      - name: gosec — Go security analysis
+        run: gosec -exclude-generated -exclude=G115,G118,G124,G204,G301,G304,G703 -severity medium ./...
+
+      # Secret scanning — leaked credentials in git history
+      - name: gitleaks — secret detection
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  fuzz:
+    name: Fuzz Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Fuzz MCP message parser (30s)
+        run: go test -fuzz=FuzzDecodeMessage -fuzztime=30s ./pkg/mcp/
+      - name: Fuzz JSON-RPC validation (30s)
+        run: go test -fuzz=FuzzMessageValidator -fuzztime=30s ./internal/domain/validation/