feat: add LICENSE, release workflow, README

Author: chriswessels

.github/workflows/release.yml

@@ -0,0 +1,142 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    name: Build ${{ matrix.target }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          # Linux
+          - target: x86_64-unknown-linux-musl
+            os: ubuntu-latest
+            name: bashtion-linux-x86_64.tar.gz
+          - target: aarch64-unknown-linux-musl
+            os: ubuntu-latest
+            name: bashtion-linux-aarch64.tar.gz
+          
+          # macOS
+          - target: x86_64-apple-darwin
+            os: macos-latest
+            name: bashtion-macos-x86_64.tar.gz
+          - target: aarch64-apple-darwin
+            os: macos-latest
+            name: bashtion-macos-aarch64.tar.gz
+          
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        targets: ${{ matrix.target }}
+
+    - name: Install cross for musl targets
+      if: contains(matrix.target, 'linux-musl')
+      run: cargo install cross --git https://github.com/cross-rs/cross
+
+    - name: Cache cargo
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cargo/registry/index/
+          ~/.cargo/registry/cache/
+          ~/.cargo/git/db/
+          target/
+        key: ${{ runner.os }}-cargo-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+
+    - name: Build binary (cross for musl)
+      if: contains(matrix.target, 'linux-musl')
+      run: cross build --release --target ${{ matrix.target }}
+
+    - name: Build binary (cargo for others)
+      if: "!contains(matrix.target, 'linux-musl')"
+      run: cargo build --release --target ${{ matrix.target }}
+
+    - name: Strip binary (unix)
+      if: "!contains(matrix.target, 'linux-musl')"
+      run: strip target/${{ matrix.target }}/release/bashtion
+
+    - name: Create archive
+      run: |
+        cd target/${{ matrix.target }}/release
+        tar czf ../../../${{ matrix.name }} bashtion
+        cd -
+
+    - name: Generate SHA256 checksum
+      run: |
+        shasum -a 256 ${{ matrix.name }} > ${{ matrix.name }}.sha256
+      shell: bash
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ matrix.name }}
+        path: |
+          ${{ matrix.name }}
+          ${{ matrix.name }}.sha256
+
+  release:
+    name: Create Release
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Download artifacts
+      uses: actions/download-artifact@v4
+      with:
+        merge-multiple: true
+
+    - name: Extract version from tag
+      id: version
+      run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+
+    - name: Create Release
+      uses: softprops/action-gh-release@v2
+      with:
+        tag_name: ${{ github.ref_name }}
+        name: Bashtion v${{ steps.version.outputs.VERSION }}
+        body: |
+          # Bashtion v${{ steps.version.outputs.VERSION }}
+
+          Bashtion inspects shell scripts before they reach your interpreter. Pipelines like `curl ... | bashtion` give you AI and static analysis plus a manual confirmation prompt.
+
+          ## 🚀 Quick Install
+
+          ```bash
+          curl -fsSL https://raw.githubusercontent.com/chriswessels/bashtion/${{ github.ref_name }}/install.sh | bash
+          ```
+
+          Or download a platform archive below:
+
+          - `bashtion-linux-x86_64.tar.gz`
+          - `bashtion-linux-aarch64.tar.gz`
+          - `bashtion-macos-x86_64.tar.gz`
+          - `bashtion-macos-aarch64.tar.gz`
+
+          Each archive contains a single `bashtion` (or `bashtion.exe`) binary. Extract, move it into your `$PATH`, and run `bashtion --help`.
+
+          ## 📋 Assets
+
+          All binaries are built with `cargo build --release` (musl for Linux). SHA256 checksums are included for verification.
+
+          ## 🔄 Changes
+
+          See the [commit history](https://github.com/chriswessels/bashtion/commits/${{ github.ref_name }}) for detailed changes in this release.
+        files: |
+          bashtion-*.tar.gz
+          *.sha256
+        draft: false
+        prerelease: false

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Chris Wessels
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,137 @@
+# Bashtion 🛡️
+
+Bashtion intercepts shell scripts before they hit your interpreter. It captures the script, runs static and AI-powered safety analysis, shows you the findings, and only executes after you explicitly confirm. Think of it as "curl | bash" with a security checkpoint.
+
+[![Rust](https://img.shields.io/badge/rust-1.83+-orange.svg)](https://www.rust-lang.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![CI](https://github.com/chriswessels/bashtion/workflows/CI/badge.svg)](https://github.com/chriswessels/bashtion/actions)
+[![Release](https://img.shields.io/github/v/release/chriswessels/bashtion)](https://github.com/chriswessels/bashtion/releases)
+
+## ✨ Features
+
+- **🛡️ Double Analysis**: Tree-sitter-based static checks plus LLM intent/risk summaries on every script
+- **🔍 Full Transparency**: Shows exact code snippets for each finding, logs overall risk, and requires your confirmation
+- **💻 Shell-Agnostic**: Supports any `stdin` source (`curl ... | bashtion`) and runs in whatever shell you configure
+- **⚙️ Structured Reports**: Colorized terminal output, structured JSON verdicts, and manual review prompt by default
+- **🧪 Manual Test Scripts**: Sample scripts (`scripts/manual/*.sh`) exercise different detections for easy regression testing
+- **🔌 Configurable Backend**: Works with OpenAI-compatible endpoints (override base URL, key, model, timeouts) and falls back gracefully when AI is unavailable
+- **📦 Installer**: Single `install.sh` fetches the correct binary for macOS/Linux and keeps the repo overrideable via env vars
+
+## 🚀 Quick Start
+
+### Installation
+
+#### 📦 Pre-built Binaries
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/chriswessels/bashtion/main/install.sh | bash
+```
+
+Manual downloads: grab the latest tarball for your platform from the [releases page](https://github.com/chriswessels/bashtion/releases/latest).
+
+#### 🔧 From Source (Rust 1.83+)
+
+```bash
+git clone https://github.com/chriswessels/bashtion
+cd bashtion
+cargo install --path .
+```
+
+#### 📋 Verify Installation
+
+```bash
+bashtion --version
+```
+
+### Basic Usage
+
+```bash
+# Inspect a remote installer before execution
+curl https://example.com/install.sh | bashtion
+
+# Capture stdin but skip execution (print script to stdout)
+curl https://example.com/install.sh | bashtion --no-exec
+
+# Use a custom OpenAI-compatible endpoint
+BASHTION_OPENAI_BASE_URL=https://llm.example.com/v1 \
+BASHTION_OPENAI_API_KEY=sk-... \
+curl https://example.com/install.sh | bashtion
+
+# Force a different shell to execute the approved script
+BASHTION_EXEC_SHELL=/bin/zsh curl https://example.com/install.sh | bashtion
+
+# Analyze a local script non-interactively
+bashtion < scripts/manual/static_eval.sh
+```
+
+During each run Bashtion:
+1. Reads stdin into a bounded buffer (default 500 KB)
+2. Runs static analysis and AI analysis (if configured)
+3. Presents findings + summary
+4. Prompts “[y/N]” before actually executing the script via your shell (unless `--no-exec`)
+
+## ⚙️ Configuration
+
+All settings can be controlled via CLI flags or `BASHTION_*` env vars:
+
+| Flag / Env | Description | Default |
+|------------|-------------|---------|
+| `--no-exec` / `BASHTION_AUTO_EXEC=false` | Skip shell execution; print script instead | auto-exec on |
+| `--exec-shell` / `BASHTION_EXEC_SHELL` | Shell command used to run approved scripts | `/bin/bash` |
+| `--timeout-secs` / `BASHTION_TIMEOUT_SECS` | HTTP timeout for AI calls | 30s |
+| `--buffer-limit` / `BASHTION_BUFFER_LIMIT` | Max bytes read from stdin | 512 KB |
+| `BASHTION_OPENAI_BASE_URL` | OpenAI-compatible endpoint base URL | unset (AI disabled) |
+| `BASHTION_OPENAI_API_KEY` | API key for the endpoint | unset |
+| `BASHTION_OPENAI_MODEL` | Model name sent to the endpoint | `gpt-4o` |
+
+Example:
+```bash
+BASHTION_OPENAI_BASE_URL=http://localhost:8080/v1 \
+BASHTION_OPENAI_API_KEY=dev-secret \
+BASHTION_OPENAI_MODEL=local-mixtral \
+  curl https://example.com/install.sh | bashtion
+```
+
+## 🧪 Manual Test Scripts
+
+Use the bundled scripts to validate detections:
+
+```bash
+# Triggers the eval static rule
+cat scripts/manual/static_eval.sh | bashtion --no-exec
+
+# Shows curl|bash caution
+cat scripts/manual/static_curl_pipe.sh | bashtion --no-exec
+
+# Benign download (AI low risk)
+cat scripts/manual/semantic_download.sh | bashtion --no-exec
+
+# Reverse shell (AI + static high risk)
+cat scripts/manual/semantic_reverse_shell.sh | bashtion --no-exec
+```
+
+## 🤖 AI Backend
+
+- Bashtion sends the captured script to `POST {base_url}/chat/completions` with a structured-output prompt.
+- The model must respond with JSON: `{ "intent": ..., "risk": "low|medium|high", "findings": [...] }`.
+- Responses are retried up to 3 times with exponential backoff, and malformed JSON is auto-repaired with [`llm_json`](https://crates.io/crates/llm_json).
+- If no base URL is configured, AI analysis is skipped (only static findings are shown).
+
+## 📦 Release Artifacts
+
+`install.sh` and the GitHub release workflow publish four archives:
+
+- `bashtion-linux-x86_64.tar.gz`
+- `bashtion-linux-aarch64.tar.gz`
+- `bashtion-macos-x86_64.tar.gz`
+- `bashtion-macos-aarch64.tar.gz`
+
+Each contains a single `bashtion` binary. SHA256 files are provided for integrity checks.
+
+## 📄 License
+
+Bashtion is MIT-licensed. See [LICENSE](LICENSE) for details.
+
+## 🙏 Acknowledgments
+
+Inspired by projects like Nomnom and LIGMA that focus on safe, AI-friendly tooling for developers.