chore(deps): Bump github/codeql-action from 3 to 4

.dockerignore

@@ -0,0 +1,24 @@
+.git
+.github
+.cursor
+**/node_modules
+**/dist
+**/__pycache__
+**/*.pyc
+**/.pytest_cache
+**/.mypy_cache
+**/.ruff_cache
+.env
+.env.*
+!.env.example
+data
+*.lance
+**/.DS_Store
+docs/_build
+agent-transcripts
+integrations/airlock-mcp/node_modules
+sdks/typescript/node_modules
+tests
+examples
+*.md
+!README.md

.env.example

@@ -1,16 +1,71 @@
-# LLM Configuration (used only for semantic challenge in Phase 3)
-LITELLM_MODEL=ollama/llama3
-LITELLM_API_BASE=http://localhost:11434
+# Copy to .env and adjust. Compose substitutes ${VAR} from this file automatically.
+# See ROLL_OUT_STATUS.md for the full env reference.
 
-# Gateway Configuration
+# --- Deployment mode ---
+# AIRLOCK_ENV=development
+# production: fail-fast startup (seed, CORS, issuer allowlist, service + session tokens, etc.)
+# AIRLOCK_ENV=production
+
+# --- Required in production ---
+# 64 hex chars = 32-byte Ed25519 seed for the gateway signing identity
+AIRLOCK_GATEWAY_SEED_HEX=
+
+# Bearer for GET /metrics and POST /token/introspect (required when AIRLOCK_ENV=production)
+# AIRLOCK_SERVICE_TOKEN=
+
+# HS256 secret for session viewer JWT (handshake ACK); GET /session + WS require this token
+# (required when AIRLOCK_ENV=production)
+# AIRLOCK_SESSION_VIEW_SECRET=
+
+# --- Protocol / HTTP ---
+AIRLOCK_PROTOCOL_VERSION=0.1.0
+AIRLOCK_SESSION_TTL=180
+AIRLOCK_HEARTBEAT_TTL=60
 AIRLOCK_HOST=0.0.0.0
 AIRLOCK_PORT=8000
+# Host port when using docker compose (maps host:container)
+# AIRLOCK_PUBLISH_PORT=8000
+
+# --- Data ---
+AIRLOCK_LANCEDB_PATH=/app/data/reputation.lance
+
+# --- LLM (semantic challenge) ---
+# AIRLOCK_LITELLM_MODEL=ollama/llama3
+# AIRLOCK_LITELLM_API_BASE=http://localhost:11434
+
+# --- Internal / multi-replica ---
+# Empty = in-process nonce + rate limits (single pod only)
+# AIRLOCK_REDIS_URL=redis://redis:6379/0
+
+# --- Rate limits & replay ---
+# AIRLOCK_NONCE_REPLAY_TTL_SECONDS=600
+# AIRLOCK_RATE_LIMIT_PER_IP_PER_MINUTE=120
+# AIRLOCK_RATE_LIMIT_HANDSHAKE_PER_DID_PER_MINUTE=30
+
+# --- Trust tokens ---
+# AIRLOCK_TRUST_TOKEN_SECRET=
+# AIRLOCK_TRUST_TOKEN_TTL_SECONDS=600
+
+# --- Admin API ---
+# AIRLOCK_ADMIN_TOKEN=
+
+# --- Policy ---
+# AIRLOCK_CORS_ORIGINS=https://your-app.example.com
+# AIRLOCK_VC_ISSUER_ALLOWLIST=
+# AIRLOCK_REGISTER_MAX_PER_IP_PER_HOUR=0
+
+# --- Registry delegation ---
+# AIRLOCK_DEFAULT_REGISTRY_URL=
 
-# Reputation Store
-LANCEDB_PATH=./data/reputation.lance
+# --- Client default (SDK docs) ---
+# AIRLOCK_DEFAULT_GATEWAY_URL=http://127.0.0.1:8000
+# Public URL for A2A agent card / discovery (HTTPS in production)
+# AIRLOCK_PUBLIC_BASE_URL=https://airlock.example.com
 
-# Session TTL (seconds)
-SESSION_TTL=180
+# --- Scaling ---
+# AIRLOCK_EXPECT_REPLICAS=1
+# AIRLOCK_EVENT_BUS_DRAIN_TIMEOUT_SECONDS=30
 
-# Heartbeat TTL (seconds)
-HEARTBEAT_TTL=60
+# --- Observability ---
+# AIRLOCK_LOG_JSON=false
+# AIRLOCK_LOG_LEVEL=INFO

.github/CODEOWNERS

@@ -0,0 +1,17 @@
+# Default owner for everything
+* @shivdeep1
+
+# Crypto module — security-sensitive
+/airlock/crypto/ @shivdeep1
+
+# Protocol engine
+/airlock/engine/ @shivdeep1
+
+# Gateway API
+/airlock/gateway/ @shivdeep1
+
+# CI/CD workflows
+/.github/ @shivdeep1
+
+# Protocol specification
+/docs/ @shivdeep1

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug Report
+about: Report a bug in the Airlock protocol or gateway
+labels: bug
+---
+
+## Description
+
+A clear and concise description of the bug.
+
+## Steps to Reproduce
+
+1.
+2.
+3.
+
+## Expected Behavior
+
+What you expected to happen.
+
+## Actual Behavior
+
+What actually happened. Include error messages and tracebacks if applicable.
+
+## Environment
+
+- **Python version:**
+- **OS:**
+- **Airlock version:**
+
+## Additional Context
+
+Any other context, logs, or screenshots relevant to the issue.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,21 @@
+---
+name: Feature Request
+about: Suggest an enhancement to the Airlock protocol
+labels: enhancement
+---
+
+## Problem Statement
+
+A clear description of the problem or limitation this feature would address.
+
+## Proposed Solution
+
+Describe the solution you would like to see implemented.
+
+## Alternatives Considered
+
+Any alternative approaches or workarounds you have considered.
+
+## Additional Context
+
+Any other context, references, or design notes relevant to this request.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,22 @@
+## Description
+
+**What:**
+
+**Why:**
+
+## Type of Change
+
+- [ ] Bug fix (non-breaking change that fixes an issue)
+- [ ] New feature (non-breaking change that adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] Documentation update
+
+## Checklist
+
+- [ ] Tests added for new functionality
+- [ ] All tests pass (`pytest`)
+- [ ] Linter clean (`ruff check`)
+- [ ] Type checker clean (`mypy`)
+- [ ] CHANGELOG updated (if user-facing change)
+- [ ] Documentation updated (if needed)
+- [ ] Commits signed off (DCO)

.github/dependabot.yml

@@ -0,0 +1,20 @@
+# Weekly update PRs for dependencies and Actions pin freshness.
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5

.github/workflows/ci.yml

@@ -0,0 +1,161 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install
+        run: pip install -e ".[dev]"
+
+      - name: Ruff lint
+        run: ruff check airlock tests examples
+
+      - name: Ruff format
+        run: ruff format --check airlock tests examples
+
+      - name: Mypy
+        run: mypy airlock || echo "::warning::mypy found type errors — see above for details"
+
+  security:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install
+        run: pip install -e ".[dev,redis,a2a]" bandit pip-audit
+
+      - name: Bandit (security linter)
+        run: bandit -r airlock -c pyproject.toml -f sarif -o bandit-results.sarif || true
+
+      - name: Upload Bandit SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: bandit-results.sarif
+          category: bandit
+        continue-on-error: true
+
+      - name: Bandit (check for HIGH severity)
+        run: |
+          bandit -r airlock -c pyproject.toml -f json -o bandit-check.json || true
+          python -c "
+          import json, sys
+          with open('bandit-check.json') as f:
+              data = json.load(f)
+          results = data.get('results', [])
+          high = [r for r in results if r['issue_severity'] == 'HIGH']
+          if high:
+              for r in high:
+                  print(f\"HIGH: {r['issue_text']} at {r['filename']}:{r['line_number']}\")
+              print(f'FAIL: {len(high)} HIGH severity findings')
+              sys.exit(1)
+          print(f'OK: No HIGH severity findings ({len(results)} total)')
+          "
+
+      - name: pip-audit (dependency vulnerabilities)
+        run: pip-audit || echo "::warning::pip-audit found vulnerabilities — review output above"
+
+  test:
+    runs-on: ubuntu-latest
+    needs: [lint]
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install
+        run: pip install -e ".[dev,redis,a2a]" pytest-cov
+
+      - name: Test with coverage
+        run: python -m pytest tests/ -v --tb=short --cov=airlock --cov-report=term-missing --cov-report=xml
+
+      - name: Upload coverage
+        if: matrix.python-version == '3.12'
+        uses: actions/upload-artifact@v7
+        with:
+          name: coverage-report
+          path: coverage.xml
+
+  dco:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: DCO check
+        run: |
+          base=${{ github.event.pull_request.base.sha }}
+          head=${{ github.event.pull_request.head.sha }}
+          failed=0
+          for sha in $(git rev-list "$base".."$head"); do
+            msg=$(git log -1 --format=%B "$sha")
+            if ! echo "$msg" | grep -qi "Signed-off-by:"; then
+              echo "FAIL: Commit $sha missing Signed-off-by"
+              failed=1
+            fi
+          done
+          if [ "$failed" -eq 1 ]; then
+            echo ""
+            echo "All commits must include a DCO sign-off."
+            echo "Use: git commit -s -m 'your message'"
+            echo "See: https://developercertificate.org/"
+            exit 1
+          fi
+          echo "OK: All commits have DCO sign-off"
+
+  docker-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Docker build (gateway image)
+        run: docker build -t airlock-gateway:ci .
+
+  js:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "20"
+          cache: npm
+
+      - name: Install npm workspaces
+        run: npm ci
+
+      - name: Build TypeScript SDK + MCP
+        run: npm run build:js