sync: incubation to stable

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default owners for the entire repository
+* @trustyai-explainability/developers

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,88 @@
+name: Bug Report
+description: Report a bug in llama-stack-provider-trustyai-garak
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for reporting a bug. Please fill out the sections below
+        to help us reproduce and fix the issue.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Bug Description
+      description: A clear and concise description of the bug.
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Steps to Reproduce
+      description: Minimal steps to reproduce the behavior.
+      placeholder: |
+        1. Register benchmark with config...
+        2. Run eval with...
+        3. Observe error...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: What you expected to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior
+      description: What actually happened, including any error messages.
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Error Logs
+      description: Paste relevant logs or stack traces.
+      render: text
+
+  - type: dropdown
+    id: execution-mode
+    attributes:
+      label: Execution Mode
+      options:
+        - Llama Stack Inline (local garak)
+        - Llama Stack Remote (KFP pipelines)
+        - Llama Stack (all modes)
+        - Eval-Hub Simple (direct pod execution)
+        - Eval-Hub KFP (KFP pipeline execution)
+        - Eval-Hub (all modes)
+    validations:
+      required: true
+
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment
+      description: Provide environment details.
+      placeholder: |
+        - Provider version:
+        - Python version:
+        - Garak version:
+        - Llama Stack version:
+        - OS / Platform:
+        - Kubernetes version (if remote):
+    validations:
+      required: true
+
+  - type: textarea
+    id: config
+    attributes:
+      label: Benchmark / Garak Config
+      description: Paste relevant benchmark config or garak_config if applicable.
+      render: yaml

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,21 @@
+## Summary
+
+<!-- Brief description of what this PR does and why. -->
+
+## Changes
+
+<!-- List the key changes. -->
+
+-
+
+## Testing Checklist
+
+- [ ] Unit tests pass (`make test`)
+- [ ] Linting passes (`make lint`)
+- [ ] New/changed code has test coverage
+- [ ] No breaking changes to existing benchmark configs
+- [ ] Documentation updated (if applicable)
+
+## Related Issues
+
+<!-- Link any related issues: Fixes #123, Relates to #456 -->

.github/workflows/lint.yml

@@ -0,0 +1,33 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  ruff:
+    name: Ruff Lint & Format Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install tools
+        run: pip install ruff mypy
+
+      - name: Ruff check
+        run: ruff check src/ tests/
+
+      - name: Ruff format check
+        run: ruff format --check src/ tests/
+
+      - name: Mypy type check
+        run: mypy src/

.github/workflows/run-tests.yml

@@ -1,4 +1,4 @@
-name: Run Tests
+name: Tier 1 - Unit Tests
 
 on:
   pull_request:
@@ -7,26 +7,32 @@ on:
     branches: [main]
 
 jobs:
-  test:
-    name: Run Tests
+  unit-tests:
+    name: Unit Tests
     runs-on: ubuntu-latest
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
 
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          python -m pip install -e ".[dev,remote]"
+          python -m pip install --no-cache-dir -e ".[test]"
+
+      - name: Smoke-test imports
+        run: |
+          python -c "import numpy; print('numpy OK')"
+          python -c "import pandas; print('pandas OK')"
+          python -c "import llama_stack_provider_trustyai_garak; print('provider OK')"
 
       - name: Run tests
         env:
           PYTHONPATH: src
         run: |
-          pytest tests -v
+          pytest tests -v

.github/workflows/security.yml

@@ -10,27 +10,28 @@ jobs:
   trivy-scan:
     name: Trivy Security Scan
     runs-on: ubuntu-latest
+    container:
+      image: registry.access.redhat.com/ubi9/python-312:latest
+      options: --user root
     permissions:
       contents: read
       security-events: write
       actions: read
 
     steps:
+
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.12'
-
-      - name: Install dependencies
+      - name: Install runtime deps
         run: |
           python -m pip install --upgrade pip
-          python -m pip install -e ".[dev]"
+          python -m pip install --no-cache-dir \
+            -r requirements.txt
+          python -m pip install --no-cache-dir --no-deps .
 
       - name: Run Trivy filesystem scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -40,7 +41,7 @@ jobs:
           exit-code: '0'  # Don't fail on this scan, we'll check results separately
 
       - name: Run Trivy dependency scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -51,7 +52,7 @@ jobs:
           exit-code: '0'  # Don't fail on this scan, we'll check results separately
 
       - name: Check for critical vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'

.github/workflows/validate-deps.yml

@@ -0,0 +1,108 @@
+name: Validate Dependencies
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+
+jobs:
+  sync-requirements:
+    name: Auto-sync requirements.txt
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        run: python -m pip install --upgrade pip uv
+
+      - name: Regenerate requirements.txt
+        run: make lock
+
+      - name: Commit if changed
+        run: |
+          git diff --quiet requirements.txt && exit 0
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add requirements.txt
+          git commit -m "chore: auto-sync requirements.txt from pyproject.toml"
+          git push
+
+  check-garak-drift:
+    name: Check garak midstream version drift
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Compare pyproject.toml garak version with latest midstream tag
+        run: |
+          PYPROJECT_VER=$(grep -oP 'garak==\K[^\s"]+' pyproject.toml)
+          echo "pyproject.toml garak version: $PYPROJECT_VER"
+
+          LATEST_TAG=$(git ls-remote --tags \
+            https://github.com/trustyai-explainability/garak.git \
+            | grep 'refs/tags/v' \
+            | grep -v '\^{}' \
+            | sed 's|.*refs/tags/v||' \
+            | sort -V \
+            | tail -1)
+          echo "Latest midstream tag: $LATEST_TAG"
+
+          if [ "$PYPROJECT_VER" != "$LATEST_TAG" ]; then
+            echo "::error::Garak version drift detected!"
+            echo "  pyproject.toml pins: $PYPROJECT_VER"
+            echo "  Latest midstream:    $LATEST_TAG"
+            echo "Update pyproject.toml, regenerate requirements.txt, and commit."
+            exit 1
+          fi
+
+          echo "Garak version is up-to-date with midstream."
+
+  container-build:
+    name: Container Build + Import Validation
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build container image
+        run: |
+          docker build -f Containerfile -t provider-smoke-test:ci .
+
+      - name: Verify full import chain
+        run: |
+          docker run --rm provider-smoke-test:ci bash -c "\
+            python -c \"import numpy; print('numpy OK')\" && \
+            python -c \"import pandas; print('pandas OK')\" && \
+            python -c \"import garak; print('garak OK')\" && \
+            python -c \"import sdg_hub; print('sdg-hub OK')\" && \
+            python -c \"import llama_stack_provider_trustyai_garak; print('provider OK')\""
+
+      - name: Verify garak version matches pyproject.toml
+        run: |
+          EXPECTED=$(grep -oP 'garak==\K[^\s"]+' pyproject.toml)
+          INSTALLED=$(docker run --rm provider-smoke-test:ci python -c "from importlib.metadata import version; print(version('garak'))")
+          echo "Expected: $EXPECTED"
+          echo "Installed: $INSTALLED"
+          if [ "$EXPECTED" != "$INSTALLED" ]; then
+            echo "::error::Garak version mismatch! Containerfile installs $INSTALLED but pyproject.toml expects $EXPECTED"
+            exit 1
+          fi
+          echo "Garak version in container matches pyproject.toml."

.gitignore

@@ -10,7 +10,13 @@ __pycache__/
 dist/
 .env
 _providers.d/
-
+meta/
+scan_out/
+**.env
+*.csv
+*.ipynb
+*.json
+*.cpu
 # Hermeto outputs (generated during testing)
 hermeto-output*/
 hermeto*.env

.pre-commit-config.yaml

@@ -0,0 +1,23 @@
+repos:
+  - repo: local
+    hooks:
+      - id: sync-requirements
+        name: Regenerate requirements.txt from pyproject.toml
+        entry: make lock
+        language: system
+        files: ^pyproject\.toml$
+        pass_filenames: false
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.11.4
+    hooks:
+      - id: ruff
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
+  - repo: local
+    hooks:
+      - id: mypy
+        name: mypy type check
+        entry: mypy src/
+        language: system
+        pass_filenames: false
+        types: [python]