Modernize CI, tooling, and documentation

Made-with: Cursor

Author: fraware

.cargo/config.toml

@@ -0,0 +1,6 @@
+# Workspace-local Cargo config. Keep builds reproducible: avoid global target-cpu=native here.
+
+[target.wasm32-wasi]
+# Add linker flags here if your platform needs them for WASM builds.
+
+[target.wasm32-unknown-unknown]

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "npm"
+    directory: "/bindings/node"
+    schedule:
+      interval: "weekly"

.github/pull_request_template.md

@@ -0,0 +1,16 @@
+## Summary
+
+<!-- What does this PR change and why? -->
+
+## How tested
+
+- [ ] `cargo fmt`, `cargo clippy -D warnings`, `cargo test` (if Rust changed)
+- [ ] `cargo deny check` / `cargo audit` (if dependencies or lockfiles changed)
+- [ ] `lake build` and `lake exe test_rbac`, `test_tenant`, `test_attest` (if Lean changed)
+- [ ] `ruff check`, `pytest tests/` (if Python changed)
+
+## Checklist
+
+- [ ] No secrets or credentials committed
+- [ ] [TRACEABILITY.md](../TRACEABILITY.md) updated if formal spec ↔ code mapping changed
+- [ ] [docs/README.md](../docs/README.md) or [README.md](../README.md) updated if user-facing workflows or layout changed materially

.github/workflows/ci-bindings-go.yml

@@ -0,0 +1,28 @@
+name: Go bindings
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  go:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: bindings/go
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test (no CGO)
+        env:
+          CGO_ENABLED: "0"
+        run: go test ./... -short

.github/workflows/ci-bindings-node.yml

@@ -0,0 +1,37 @@
+name: Node bindings (Rust crate)
+
+# Neon npm CLI is version-sensitive; CI validates the native crate until the JS toolchain is fully wired.
+
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - "bindings/node/**"
+      - "engine/**"
+      - "Cargo.toml"
+      - "Cargo.lock"
+  pull_request:
+    branches: [main]
+    paths:
+      - "bindings/node/**"
+      - "engine/**"
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: 1.88.0
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: ". -> target"
+
+      - name: cargo check (policyengine-node)
+        run: cargo check --manifest-path bindings/node/Cargo.toml

.github/workflows/ci-bindings-python.yml

@@ -0,0 +1,35 @@
+name: Python bindings (PyO3)
+
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - "bindings/python/**"
+      - "engine/**"
+      - "Cargo.toml"
+      - "Cargo.lock"
+  pull_request:
+    branches: [main]
+    paths:
+      - "bindings/python/**"
+      - "engine/**"
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: 1.88.0
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: ". -> target"
+
+      - name: cargo check (policyengine-python)
+        run: cargo check --manifest-path bindings/python/Cargo.toml

.github/workflows/ci-lean.yml

@@ -0,0 +1,31 @@
+name: Lean CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: lean-ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lean:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Elan
+        run: |
+          curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh -s -- -y
+          echo "$HOME/.elan/bin" >> $GITHUB_PATH
+
+      - name: Lake build
+        run: lake build
+
+      - name: Executable smoke tests
+        run: |
+          lake exe test_rbac
+          lake exe test_tenant
+          lake exe test_attest

.github/workflows/ci-python.yml

@@ -0,0 +1,33 @@
+name: Python CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: python-ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  python:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install project (dev)
+        run: pip install -e ".[dev]"
+
+      - name: Ruff check
+        run: ruff check bundle scripts tests
+
+      - name: Mypy (strict modules)
+        run: mypy bundle/validate_manifest.py tests
+
+      - name: Pytest
+        run: pytest tests -v

.github/workflows/ci-rust.yml

@@ -0,0 +1,65 @@
+name: Rust CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: rust-ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  rust:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: 1.88.0
+          components: rustfmt, clippy
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: ". -> target"
+
+      - name: Format
+        run: cargo fmt --all -- --check
+
+      - name: Clippy
+        run: cargo clippy --workspace --all-targets -- -D warnings
+
+      - name: Install cargo-audit and cargo-deny
+        run: cargo install cargo-audit cargo-deny --locked
+
+      - name: cargo deny (licenses / bans)
+        run: cargo deny check
+
+      - name: cargo audit (RustSec)
+        run: cargo audit
+
+      - name: Test
+        run: cargo test --workspace --verbose
+
+      - name: Build release binaries
+        run: cargo build --workspace --bins --release
+
+  wasm-smoke:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: 1.88.0
+          targets: wasm32-wasi
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Build WASM (smoke)
+        run: cargo build -p policyengine --target wasm32-wasi --release

.github/workflows/ci-sbom.yml

@@ -0,0 +1,21 @@
+name: SBOM
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  syft:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: cyclonedx-json
+          artifact-name: sbom-cyclonedx-json