BackendStack21
diff --git a/‎.dockerignore‎
Lines changed: 13 additions & 0 deletions b/‎.dockerignore‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 115 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 92 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 16 additions & 0 deletions b/‎.gitignore‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 41 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 21 additions & 0 deletions b/‎LICENSE‎
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,13 @@
+# Build artifacts and native libs are fetched/built inside the image.
+lib/
+bin/
+coverage.out
+*.out
+*.test
+
+# VCS / local
+.git/
+.gitignore
+
+# Docs / scratch not needed for the build
+*.md
@@ -0,0 +1,30 @@
+version: 2
+updates:
+  # Go module dependencies.
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+
+  # GitHub Actions — keeps the SHA-pinned actions (and their version comments)
+  # up to date.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+
+  # Base image digests in the Dockerfiles.
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: /examples/http-gateway
+    schedule:
+      interval: weekly
+
+  # Pinned Python dependencies for the export / fixture scripts.
+  - package-ecosystem: pip
+    directory: /scripts
+    schedule:
+      interval: weekly
@@ -0,0 +1,115 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  # cgo links the tokenizer static lib from ./lib (fetched by `make`).
+  CGO_LDFLAGS: -L${{ github.workspace }}/lib
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: "1.24"
+          cache: true
+
+      - name: Cache native libraries
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: lib
+          key: native-libs-${{ runner.os }}-${{ hashFiles('Makefile') }}
+
+      - name: Fetch native libraries
+        run: make libtokenizers libonnxruntime
+
+      - name: gofmt
+        run: |
+          unformatted=$(gofmt -l .)
+          if [ -n "$unformatted" ]; then
+            echo "These files are not gofmt-ed:"; echo "$unformatted"; exit 1
+          fi
+
+      - name: go vet
+        run: go vet ./...
+
+      - name: staticcheck
+        uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1
+        with:
+          version: "2026.1"
+          install-go: false
+
+      - name: go mod verify
+        run: go mod verify
+
+      - name: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1
+        with:
+          go-version-input: "1.24"
+          go-package: ./...
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: "1.24"
+          cache: true
+
+      - name: Cache native libraries
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: lib
+          key: native-libs-${{ runner.os }}-${{ hashFiles('Makefile') }}
+
+      - name: Fetch native libraries
+        run: make libtokenizers libonnxruntime
+
+      - name: Test (race detector)
+        run: go test -race ./...
+
+      - name: Coverage
+        run: make cover
+
+      - name: Upload coverage profile
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: coverage
+          path: coverage.out
+          if-no-files-found: ignore
+
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Build daemon image (no push)
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          context: .
+          push: false
+
+      - name: Build gateway image (no push)
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          context: .
+          file: examples/http-gateway/Dockerfile
+          push: false
@@ -0,0 +1,92 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write # create the GitHub release
+  packages: write # push images to GHCR
+
+env:
+  CGO_LDFLAGS: -L${{ github.workspace }}/lib
+
+jobs:
+  binaries:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: "1.24"
+          cache: true
+
+      - name: Build binaries and fetch ONNX Runtime
+        run: make build libonnxruntime VERSION=${{ github.ref_name }}
+
+      - name: Package (linux-amd64)
+        run: |
+          version="${GITHUB_REF_NAME}"
+          name="piguard-${version}-linux-amd64"
+          mkdir -p "dist/${name}"
+          cp bin/piguard bin/piguard-server lib/libonnxruntime.so README.md LICENSE "dist/${name}/"
+          tar -C dist -czf "${name}.tar.gz" "${name}"
+          sha256sum "${name}.tar.gz" > "${name}.tar.gz.sha256"
+
+      - name: Create release
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
+        with:
+          generate_release_notes: true
+          files: |
+            piguard-*-linux-amd64.tar.gz
+            piguard-*-linux-amd64.tar.gz.sha256
+
+  images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Metadata (server)
+        id: meta_server
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push server image
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta_server.outputs.tags }}
+          labels: ${{ steps.meta_server.outputs.labels }}
+
+      - name: Metadata (gateway)
+        id: meta_gateway
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
+        with:
+          images: ghcr.io/${{ github.repository }}-gateway
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push gateway image
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          context: .
+          file: examples/http-gateway/Dockerfile
+          push: true
+          tags: ${{ steps.meta_gateway.outputs.tags }}
+          labels: ${{ steps.meta_gateway.outputs.labels }}
@@ -0,0 +1,16 @@
+# Build output
+/bin/
+
+# Native tokenizers static library (fetched via `make libtokenizers`)
+/lib/
+
+# Go
+*.test
+*.out
+coverage.out
+
+# Exported ONNX model (~735 MB, generated via scripts/export_onnx.py)
+/models/
+
+# Local agent tooling
+/.claude/
@@ -0,0 +1,41 @@
+# syntax=docker/dockerfile:1
+
+# ---- build stage ----
+# cgo is required: the tokenizer bindings link a static library and ONNX Runtime
+# is loaded at runtime. A glibc base is required (the prebuilt libtokenizers.a is
+# a GNU build), so this uses debian-based images rather than Alpine.
+FROM golang:1.24-bookworm@sha256:1a6d4452c65dea36aac2e2d606b01b4a029ec90cc1ae53890540ce6173ea77ac AS builder
+WORKDIR /src
+
+# Cache module downloads.
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Fetch native libs (tokenizers static + ONNX Runtime shared) and build both
+# binaries.
+COPY . .
+RUN make libtokenizers libonnxruntime build
+
+# ---- runtime stage ----
+FROM debian:bookworm-slim@sha256:0104b334637a5f19aa9c983a91b54c89887c0984081f2068983107a6f6c21eeb AS runtime
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates libstdc++6 \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /src/bin/piguard            /usr/local/bin/piguard
+COPY --from=builder /src/bin/piguard-server     /usr/local/bin/piguard-server
+COPY --from=builder /src/lib/libonnxruntime.so  /usr/local/lib/libonnxruntime.so
+
+# The tokenizer code is linked statically; only ONNX Runtime is loaded at
+# runtime, located via ORT_DYLIB_PATH.
+ENV ORT_DYLIB_PATH=/usr/local/lib/libonnxruntime.so
+
+# Run as a non-root user. /run/piguard holds the Unix socket (share it with
+# clients via a volume); /models holds the exported model (mount it read-only).
+RUN useradd --system --uid 10001 piguard \
+    && mkdir -p /run/piguard /models \
+    && chown -R piguard /run/piguard
+USER piguard
+
+ENTRYPOINT ["piguard-server"]
+CMD ["--socket", "/run/piguard/piguard.sock", "--model-dir", "/models"]
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 21no.de
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.