dev → main: v0.1.0 governance hardening, Phase 2 daemon, e2e showcase, dependabot bumps

.dockerignore

@@ -1,17 +1,52 @@
-.git
-__pycache__
-*.pyc
-*.pyo
-.pytest_cache
-.ruff_cache
-.mypy_cache
-site/
-media/
-reports/
-tooling/
-*.egg-info
-.venv
+# Dockerignore for Ardur builds
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.venv/
+venv/
+dist/
+build/
+*.egg
+
+# Go
+go/bin/
+go/pkg/mod/
+
+# Git
+.git/
+.gitignore
+.gitattributes
+
+# CI/CD
+.github/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Agent state (local-only)
+.ardur/
+.vibap/
+.context/
+.agents/
+.ai-context/
+.agent-context/
+.codex/
+.claude/
+.local-skills/
+
+# Tests
+.pytest_cache/
+.coverage
+htmlcov/
+python/tests/test-results/
+
+# Misc
+node_modules/
 *.log
-*.jsonl
-*.jsonl.gz
 .env
+.env.*

.github/workflows/codeql.yml

@@ -30,7 +30,7 @@ jobs:
     outputs:
       languages: ${{ steps.detect.outputs.languages }}
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - id: detect
         name: Detect supported languages present in the tree
@@ -62,13 +62,13 @@ jobs:
       matrix:
         language: ${{ fromJSON(needs.detect-languages.outputs.languages) }}
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       # v3 is an annotated tag (tag-object 865f5f5c... → commit ce64ddcb...).
       # Pin to the commit SHA per the same discipline as the other
       # workflows; comment shows the human-readable version.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a  # v3 (commit)
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v3 (commit)
         with:
           languages: ${{ matrix.language }}
           # `security-and-quality` is the broadest pack — covers
@@ -79,9 +79,9 @@ jobs:
           queries: security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a  # v3 (commit)
+        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v3 (commit)
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a  # v3 (commit)
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v3 (commit)
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/hugo-site.yml

@@ -31,7 +31,7 @@ jobs:
       HUGO_VERSION: 0.161.1
       HUGO_PARAMS_SOURCEREF: ${{ github.sha }}
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Verify source-backed Hugo mirrors
         run: |

.github/workflows/link-check.yml

@@ -16,10 +16,10 @@ jobs:
   lychee:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Restore lychee cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: .lycheecache
           key: cache-lychee-${{ github.sha }}

.github/workflows/secret-scan.yml

@@ -15,7 +15,7 @@ jobs:
   local-agent-private-paths:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Ensure local-only agent and skill paths are not tracked
         run: |
@@ -31,7 +31,7 @@ jobs:
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
 
@@ -43,7 +43,7 @@ jobs:
   forbidden-terms:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Scan for forbidden internal terms
         run: |
@@ -68,7 +68,7 @@ jobs:
   llm-model-names:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Scan for specific LLM model identifiers
         run: |

.github/workflows/tests.yml

@@ -11,18 +11,61 @@ permissions:
   contents: read
 
 jobs:
+  python-lint:
+    name: Python lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Install ruff
+        run: python -m pip install ruff==0.13.0
+
+      - name: Run ruff check on new hardening tests
+        run: |
+          python -m ruff check \
+            python/tests/test_proxy.py \
+            python/tests/test_examples_governance_integration.py
+
+  go-lint:
+    name: Go lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          # Must match the `go` directive in go/go.mod (currently 1.26.0).
+          go-version: '1.26.0'
+          cache: true
+          cache-dependency-path: go/go.sum
+
+      - name: Install golangci-lint with Go 1.26
+        working-directory: go
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.5.0
+
+      - name: Run golangci-lint on hardening packages
+        working-directory: go
+        run: $(go env GOPATH)/bin/golangci-lint run ./pkg/credential ./pkg/policy
+
   python:
     name: Python
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
         python-version: ["3.10", "3.13"]
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -32,22 +75,40 @@ jobs:
           python -m pip install --upgrade pip
           python -m pip install -e '.[dev]'
 
-      - name: Run pytest
+      - name: Run pytest with coverage
+        working-directory: python
+        timeout-minutes: 15
+        env:
+          PYTHONFAULTHANDLER: "1"
+        run: python -m pytest tests/ -q --tb=short --durations=20 --cov=vibap --cov-report=term --cov-report=xml
+
+      - name: Show coverage summary
         working-directory: python
-        run: python -m pytest tests/ -q --tb=short
+        run: |
+          python -m coverage report --fail-under=0
+          echo "::notice:: Aspirational targets: vibap=80%%, cli=60%%, integrations=70%%"
+
+      - name: Upload coverage artifact
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        with:
+          name: python-coverage-${{ matrix.python-version }}
+          path: python/coverage.xml
+          if-no-files-found: warn
+          retention-days: 14
 
   go:
     name: Go
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          # Must match the `go` directive in go/go.mod (currently 1.25.9).
+          # Must match the `go` directive in go/go.mod (currently 1.26.0).
           # If you bump go.mod, bump this string in the same PR.
-          go-version: '1.25.9'
+          go-version: '1.26.0'
           cache: true
           cache-dependency-path: go/go.sum
 
@@ -58,3 +119,95 @@ jobs:
       - name: Run go vet
         working-directory: go
         run: go vet ./...
+
+  rwt-phase1:
+    name: "RWT Phase 1 (fresh-user)"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Run RWT Phase 1
+        run: python scripts/run-rwt-phase1-fresh-user.py --allow-dirty
+
+  examples-smoke:
+    name: "Examples smoke"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Install ardur
+        working-directory: python
+        run: python -m pip install -e '.[dev]'
+
+      - name: Install langchain-core for governed-tool integration tests
+        run: python -m pip install langchain-core
+
+      - name: Run governance integration tests (demo code paths)
+        working-directory: python
+        run: python -m pytest tests/test_examples_governance_integration.py tests/test_examples_smoke.py -v --tb=short
+
+  latency-bench:
+    name: "Latency benchmarks (informational)"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Install ardur
+        working-directory: python
+        run: python -m pip install -e '.[dev]'
+
+      - name: Run latency benchmarks
+        working-directory: python
+        env:
+          ARDUR_RUN_LATENCY_BENCH: "1"
+        run: python -m pytest tests/test_claude_code_hook_latency.py -v -s
+
+  e2e-showcase:
+    name: "E2E Showcase (real Ollama)"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    continue-on-error: true
+    if: github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Install ardur with dev extras
+        working-directory: python
+        run: python -m pip install -e '.[dev]'
+
+      - name: Run E2E showcase
+        working-directory: python
+        env:
+          ARDUR_OLLAMA_API_KEY: ${{ secrets.ARDUR_OLLAMA_API_KEY }}
+          ARDUR_OLLAMA_CLOUD_MODEL: ${{ vars.ARDUR_OLLAMA_CLOUD_MODEL }}
+        run: python -m pytest tests/test_e2e_showcase.py -v -s --tb=short

.github/workflows/validate-formats.yml

@@ -23,7 +23,7 @@ jobs:
     name: JSON
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Validate every JSON file
         run: |
@@ -41,7 +41,7 @@ jobs:
     name: YAML
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Validate every YAML file
         run: |
@@ -75,7 +75,7 @@ jobs:
     # on any drift.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Compare every embedded schema to its canonical doc
         # Round 4 (FIX-R4-10, 2026-04-28): generalized from a single