feat: refactor sensitive detection runtime

Author: Louis Guthmann

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,69 @@
+name: Bug report
+description: Report a reproducible problem with KeyClaw behavior, docs, or release artifacts.
+title: "[Bug]: "
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a bug. Please redact secrets before pasting logs, payloads, or screenshots.
+  - type: textarea
+    id: summary
+    attributes:
+      label: What happened?
+      description: Describe the actual behavior and why it is a problem.
+      placeholder: KeyClaw allowed an AWS key through a proxied request that should have been redacted.
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: How do we reproduce it?
+      description: Provide the smallest reliable repro you can.
+      placeholder: |
+        1. Run `keyclaw proxy`
+        2. Source `~/.keyclaw/env.sh`
+        3. Send this request...
+    validations:
+      required: true
+  - type: dropdown
+    id: tool
+    attributes:
+      label: Which client path is involved?
+      options:
+        - Claude Code
+        - Cursor
+        - aider
+        - Continue
+        - Direct API client
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: What did you expect instead?
+      placeholder: The request should have been blocked with `invalid_json` / redacted before upload / etc.
+    validations:
+      required: true
+  - type: textarea
+    id: diagnostics
+    attributes:
+      label: Diagnostics
+      description: Include relevant output from `keyclaw doctor`, `cargo --version`, and your platform. Redact secrets first.
+      render: shell
+  - type: input
+    id: version
+    attributes:
+      label: KeyClaw version
+      placeholder: 0.2.1 or git SHA
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Before submitting
+      options:
+        - label: I confirmed the traffic is actually routed through KeyClaw.
+          required: true
+        - label: I removed or redacted secrets from the issue body.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security report
+    url: https://github.com/GuthL/KeyClaw/security/advisories/new
+    about: Report vulnerabilities privately. Do not open a public issue for security problems.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,46 @@
+name: Feature request
+description: Propose a new capability, workflow improvement, or docs enhancement.
+title: "[Feature]: "
+labels:
+  - enhancement
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve?
+      placeholder: I want a clearer way to verify that Cursor traffic is being intercepted without manually inspecting logs.
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: What change would you like?
+      placeholder: Add a `keyclaw proxy doctor` summary for active intercept counts and trusted-CA status.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      placeholder: I can script this locally today, but it is clumsy and easy to get wrong.
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - Detection
+        - Proxy/runtime
+        - CLI UX
+        - Documentation
+        - Release/distribution
+        - Security hardening
+        - Other
+    validations:
+      required: true
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Before submitting
+      options:
+        - label: I checked for an existing issue or discussion first.
+          required: true

.github/pull_request_template.md

@@ -0,0 +1,22 @@
+## Summary
+
+- Describe the change and the user or maintainer impact.
+
+## Validation
+
+- [ ] `cargo fmt --check`
+- [ ] `cargo clippy --all-targets --all-features -- -D warnings`
+- [ ] `cargo build --locked`
+- [ ] `cargo test --locked`
+- [ ] `cargo test --locked --test e2e_cli -- --ignored --test-threads=1`
+- [ ] `cargo doc --no-deps`
+
+## Docs
+
+- [ ] README updated if public behavior changed
+- [ ] `docs/` updated if deeper reference material changed
+- [ ] Screenshots or SVG assets updated if the repo-facing experience changed
+
+## Notes
+
+- Call out risks, follow-ups, or release considerations here.

.github/workflows/ci.yml

@@ -0,0 +1,95 @@
+name: CI
+
+on:
+  push:
+    branches: ["master", "main"]
+  pull_request:
+    branches: ["master", "main"]
+
+env:
+  CARGO_TERM_COLOR: always
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  fmt:
+    name: fmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+      - uses: Swatinem/rust-cache@v2
+      - name: cargo fmt --check
+        run: cargo fmt --check
+
+  clippy:
+    name: clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+      - uses: Swatinem/rust-cache@v2
+      - name: cargo clippy --all-targets --all-features -- -D warnings
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+  build:
+    name: build (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest", "macos-latest"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: cargo build --locked
+        run: cargo build --locked
+
+  test:
+    name: test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest", "macos-latest"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: cargo test --locked
+        run: cargo test --locked
+
+  slow-daemon-tests:
+    name: slow daemon tests (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest", "macos-latest"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: cargo test --locked --test e2e_cli -- --ignored --test-threads=1
+        run: cargo test --locked --test e2e_cli -- --ignored --test-threads=1
+
+  publish-dry-run:
+    name: publish dry-run
+    runs-on: ubuntu-latest
+    needs: [fmt, clippy, build, test, slow-daemon-tests]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: cargo publish --dry-run --locked
+        run: cargo publish --dry-run --locked

.github/workflows/release.yml

@@ -12,24 +12,27 @@ permissions:
 
 jobs:
   package:
-    name: Package (${{ matrix.target }})
+    name: package (${{ matrix.target }})
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
+          - os: ubuntu-22.04
             target: x86_64-unknown-linux-gnu
-          - os: macos-latest
+          - os: macos-14
             target: x86_64-apple-darwin
-          - os: macos-latest
+          - os: macos-14
             target: aarch64-apple-darwin
 
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
         with:
           targets: ${{ matrix.target }}
+      - uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: release-${{ matrix.target }}
       - name: Derive release version
         id: version
         shell: bash
@@ -39,7 +42,7 @@ jobs:
             echo "expected tag in v{version} format, got ${GITHUB_REF_NAME}" >&2
             exit 1
           fi
-          cargo_version="$(sed -n 's/^version = \"\\([^\"]*\\)\"$/\\1/p' Cargo.toml | head -n 1)"
+          cargo_version="$(grep '^version' Cargo.toml | head -1 | sed 's/.*"\(.*\)".*/\1/')"
           if [ "$cargo_version" != "$version" ]; then
             echo "Cargo.toml version ${cargo_version} does not match tag ${version}" >&2
             exit 1
@@ -61,11 +64,12 @@ jobs:
           path: dist/keyclaw-v${{ steps.version.outputs.value }}-${{ matrix.target }}.tar.gz
           if-no-files-found: error
 
-  publish-draft:
-    name: Publish Draft Release
-    runs-on: ubuntu-latest
+  publish-release:
+    name: publish release
+    runs-on: ubuntu-22.04
     needs: package
-
+    outputs:
+      version: ${{ steps.version.outputs.value }}
     steps:
       - uses: actions/checkout@v4
       - name: Derive release version
@@ -86,22 +90,63 @@ jobs:
       - name: Generate SHA256SUMS
         shell: bash
         run: |
-          mapfile -t archives < <(find dist -maxdepth 1 -type f -name "keyclaw-v${{ steps.version.outputs.value }}-*.tar.gz" -printf '%f\n' | sort)
-          if [ "${#archives[@]}" -ne 3 ]; then
-            echo "expected 3 release archives, found ${#archives[@]}" >&2
-            exit 1
-          fi
-          (
-            cd dist
-            sha256sum "${archives[@]}" > SHA256SUMS
-          )
+          cd dist
+          sha256sum keyclaw-v${{ steps.version.outputs.value }}-*.tar.gz > SHA256SUMS
       - name: Verify release artifact contract
         shell: bash
         run: scripts/verify-release-contract.sh "${{ steps.version.outputs.value }}" dist
       - uses: softprops/action-gh-release@v2
         with:
-          draft: true
+          generate_release_notes: true
           files: |
             dist/*.tar.gz
             dist/SHA256SUMS
           fail_on_unmatched_files: true
+
+  publish-homebrew:
+    name: publish homebrew formula
+    runs-on: ubuntu-22.04
+    needs: publish-release
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          path: dist
+          pattern: release-*
+          merge-multiple: true
+      - name: Generate SHA256SUMS
+        shell: bash
+        run: |
+          cd dist
+          sha256sum keyclaw-v${{ needs.publish-release.outputs.version }}-*.tar.gz > SHA256SUMS
+      - name: Verify release artifact contract
+        shell: bash
+        run: scripts/verify-release-contract.sh "${{ needs.publish-release.outputs.version }}" dist
+      - name: Render Homebrew formula
+        shell: bash
+        run: |
+          scripts/render-homebrew-formula.sh \
+            "${{ needs.publish-release.outputs.version }}" \
+            dist \
+            Formula/keyclaw.rb
+          ruby -c Formula/keyclaw.rb
+      - uses: actions/checkout@v4
+        with:
+          repository: GuthL/homebrew-tap
+          ref: main
+          token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          path: homebrew-tap
+      - name: Update tap formula
+        shell: bash
+        run: |
+          install -D -m 644 Formula/keyclaw.rb homebrew-tap/Formula/keyclaw.rb
+          cd homebrew-tap
+          if git diff --quiet -- Formula/keyclaw.rb; then
+            echo "formula already up to date"
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add Formula/keyclaw.rb
+          git commit -m "keyclaw ${{ needs.publish-release.outputs.version }}"
+          git push origin HEAD:main

.gitignore

@@ -3,6 +3,7 @@
 *.swp
 *.swo
 *.bak
+*.log
 
 # Environment files
 .env
@@ -13,12 +14,16 @@ target/
 
 # Local binaries
 keyclaw
+dist/
 
 # Generated CA certs (machine-specific)
 certs/
 
+# Local runtime state
+.keyclaw/
+
 # Internal docs
-docs/
+# docs/ is tracked; tests depend on docs/plans/
 
 # Git worktrees
 .worktrees/