feat: cross-platform CI matrix, sandbox hardening, and operator tooling

.clang-tidy

@@ -0,0 +1,10 @@
+---
+Checks: >
+  clang-analyzer-*,
+  bugprone-*,
+  cert-*,
+  -cert-err58-cpp
+WarningsAsErrors: ""
+HeaderFilterRegex: ".*"
+FormatStyle: none
+...

.clangd

@@ -0,0 +1,12 @@
+CompileFlags:
+  CompilationDatabase: build
+  Add:
+    - -I./build/config
+    - -I.
+    - -I./src
+    - -I./src/platform
+    - -I./third_party
+Diagnostics:
+  UnusedIncludes: None
+  Suppress:
+    - pp_file_not_found

.claude/settings.local.json

@@ -0,0 +1,105 @@
+{
+  "permissions": {
+    "allow": [
+      "mcp__github__list_pull_requests",
+      "Bash(cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug)",
+      "Read(//private/tmp/spine-critical-security/**)",
+      "Bash(ls tests/)",
+      "Bash(ls tests/unit/)",
+      "Bash(cmake --build build)",
+      "Bash(ctest --test-dir build --output-on-failure)",
+      "Bash(cmake --build build -j)",
+      "Bash(/bin/ls -1 /tmp/spine-h4-tls)",
+      "Bash(ctest --test-dir build --output-on-failure -R sandbox)",
+      "Bash(/bin/ls /tmp/spine-h4-tls/tests/unit/)",
+      "Bash(/bin/cat /tmp/spine-h4-tls/tests/unit/Makefile)",
+      "Bash(/bin/find /tmp/spine-h4-tls -maxdepth 3 -name \"config.h*\" -o -name \"*.cmake\")",
+      "Bash(/usr/bin/find /tmp/spine-h4-tls -maxdepth 3 -name \"config.h*\")",
+      "Bash(/bin/cat /tmp/spine-h4-tls/config/config.h.cmake.in)",
+      "Bash(/usr/bin/grep -n \"SSL\\\\|MYSQL_OPT\")",
+      "Bash(/usr/bin/grep -rn \"HAS_MYSQL_OPT\\\\|mysql_ssl_set\\\\|mysql_get_ssl_cipher\" /tmp/spine-h4-tls/config/ /tmp/spine-h4-tls/cmake/ /tmp/spine-h4-tls/scripts/)",
+      "Bash(cmake -S . -B build)",
+      "Bash(cmake -S . -B build -DSPINE_BUILD_MAIN=OFF)",
+      "Bash(/usr/bin/grep -n \"HAS_MYSQL\\\\|MYSQL_OPT_SSL\" /tmp/spine-h4-tls/src/common.h /tmp/spine-h4-tls/src/spine.h)",
+      "Bash(/usr/bin/git log *)",
+      "Bash(/usr/bin/git show *)",
+      "Bash(/usr/bin/grep -A 2 \"HAS_MYSQL_OPT\\\\|mysql_opt\")",
+      "Bash(trash build *)",
+      "Bash(/usr/bin/grep -n -i \"MYSQL_OPT\\\\|ssl\")",
+      "Bash(cmake --build . -j4)",
+      "Bash(cmake --build build --target help)",
+      "Bash(cmake --build build --target spine -j 4)",
+      "Bash(cmake ..)",
+      "Bash(cmake --build . --target test_config_parser -j4)",
+      "Bash(./test_config_parser)",
+      "Bash(/usr/bin/which cmake *)",
+      "Bash(cmake --version)",
+      "Bash(/opt/homebrew/bin/brew list *)",
+      "Bash(/usr/bin/grep -iE \"mysql|mariadb|net-snmp\")",
+      "Read(//opt/homebrew/opt/**)",
+      "Bash(/usr/bin/grep -iE \"mysql|mariadb|snmp\")",
+      "Bash(ctest --output-on-failure)",
+      "Bash(/bin/rm -rf /tmp/spine-h4-tls/build)",
+      "Bash(/usr/bin/grep -iE \"mysql_opt|mysql_ssl|mysql_get_ssl|Configuring|Generating|Error\")",
+      "Bash(cmake --build build --target test_sql_tls_fail_close)",
+      "Bash(ctest --test-dir build --output-on-failure -R \"spine_audit|circuit_breaker\")",
+      "Bash(cmake --build build --clean-first)",
+      "Bash(/usr/bin/grep -iE \"warning|error\")",
+      "Bash(/usr/bin/grep -iE \"warning|error:\" /tmp/spine-build.log)",
+      "Bash(/opt/homebrew/bin/cc -I/opt/homebrew/opt/mariadb-connector-c/include/mariadb -I./src -I./build -I./third_party -I./src/platform -DHAS_MYSQL_OPT_SSL_KEY=1 -DHAS_MYSQL_OPT_SSL_VERIFY_SERVER_CERT=1 -DHAS_MYSQL_SSL_SET=1 -DHAS_MYSQL_GET_SSL_CIPHER=1 -c src/sql.c -o /tmp/sql_legacy.o -Wall -Wextra)",
+      "Bash(echo \"---rc=$?\")",
+      "Bash(./test_startup_umask)",
+      "Bash(/opt/homebrew/bin/cc -I/opt/homebrew/opt/mariadb-connector-c/include/mariadb -I./src -I./build -I./third_party -I./src/platform -c src/sql.c -o /tmp/sql_ancient.o -Wall -Wextra)",
+      "Bash(/opt/homebrew/bin/cc -I/opt/homebrew/opt/mysql-client/include/mysql -I./src -I./build -I./third_party -I./src/platform -DHAS_MYSQL_OPT_SSL_KEY=1 -DHAS_MYSQL_OPT_SSL_MODE=1 -DHAS_MYSQL_SSL_SET=1 -DHAS_MYSQL_GET_SSL_CIPHER=1 -c src/sql.c -o /tmp/sql_modern.o -Wall -Wextra)",
+      "Bash(/opt/homebrew/bin/sed -i.bak 's|refusing to connect|will connect anyway|' src/sql.c)",
+      "Bash(ctest --test-dir build --output-on-failure -R sql_tls_fail_close)",
+      "Bash(/bin/mv src/sql.c.bak src/sql.c)",
+      "Bash(/bin/cp src/sql.c /tmp/sql.c.orig)",
+      "Bash(/usr/bin/sed -i.tmp 's|refusing to connect|will connect anyway|g' src/sql.c)",
+      "Bash(/bin/cp /tmp/sql.c.orig src/sql.c)",
+      "Bash(/bin/rm -f src/sql.c.tmp)",
+      "Bash(/usr/bin/grep -c \"refusing to connect\" /tmp/spine-h4-tls/src/sql.c)",
+      "Bash(/usr/bin/grep -c \"refusing to continue\" /tmp/spine-h4-tls/src/sql.c)",
+      "Bash(ctest --test-dir build -R sql_tls_fail_close)",
+      "Bash(/usr/bin/git status *)",
+      "Bash(/usr/bin/git diff *)",
+      "Bash(/usr/bin/git add *)",
+      "Bash(/usr/bin/git commit *)",
+      "Bash(awk '/^typedef struct/{name=$0; print \"---\", NR, name} /snmp_engine_id/{print NR, $0}' src/spine.h)",
+      "Bash(cmake -S . -B build -Wno-dev)",
+      "Bash(cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug -DCMAKE_EXPORT_COMPILE_COMMANDS=ON)",
+      "Bash(awk 'NR>=900 && NR<=1010 {print NR\": \"$0}' src/spine.c)",
+      "Bash(ctest --test-dir build)",
+      "Bash(contrib-ledger --help)",
+      "Bash(git fetch *)",
+      "Bash(contrib-ledger check *)",
+      "Bash(contrib-ledger queue *)",
+      "Bash(contrib-ledger plan *)",
+      "Bash(contrib-ledger requeue *)",
+      "Bash(contrib-ledger record *)",
+      "Bash(contrib-ledger daemon *)",
+      "mcp__github__pull_request_read",
+      "Bash(gh pr *)",
+      "Bash(gh run *)",
+      "Bash(cmake --build build-strict)",
+      "Bash(cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_FLAGS=\"-Werror=implicit-function-declaration -Werror=incompatible-pointer-types -Wvla -Wshadow -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wformat-security -Wall -Wextra -Wformat\")",
+      "Bash(cmake -S . -B build_ci -DCMAKE_BUILD_TYPE=Debug '-DCMAKE_C_FLAGS=-Werror=implicit-function-declaration -Werror=incompatible-pointer-types -Wvla -Wshadow -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wformat-security -Wall -Wextra -Wformat')",
+      "Bash(ctest --test-dir build-strict --output-on-failure)",
+      "Bash(ctest --test-dir build_ci --output-on-failure)",
+      "Bash(git add *)",
+      "Bash(git rebase *)",
+      "Bash(cmake *)",
+      "Bash(ctest *)",
+      "Bash(git *)",
+      "Bash(awk '{print $2}')",
+      "Bash(awk -F'\\\\t' '$2==\"fail\"')",
+      "Bash(contrib-ledger history *)",
+      "Bash(contrib-ledger run *)",
+      "Bash(awk -F'\\\\t' '{print $2}')",
+      "Bash(awk -F'\\\\t' '$2==\"fail\" {print $1}')",
+      "Bash(contrib-ledger cancel *)",
+      "Bash(./build/test_config_parser *)",
+      "Bash(/Users/thomasvincent/Developer/github.com/Cacti/spine/.claude/worktrees/agent-a03ef458/build/test_config_parser *)"
+    ]
+  }
+}

.codespell-ignore-words.txt

@@ -0,0 +1,2 @@
+te
+caf

.devcontainer/devcontainer.json

@@ -0,0 +1,31 @@
+{
+  "name": "spine dev",
+  "image": "mcr.microsoft.com/devcontainers/cpp:ubuntu-24.04",
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "installZsh": true
+    },
+    "ghcr.io/devcontainers/features/github-cli:1": {}
+  },
+  "postCreateCommand": "sudo apt-get update && sudo apt-get install -y libsnmp-dev libmariadb-dev-compat libssl-dev libsystemd-dev pkg-config cmake ninja-build cppcheck clang-tools && cmake -G Ninja -S . -B build -DSPINE_BUILD_MAIN=ON && cmake --build build -j",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ms-vscode.cpptools",
+        "llvm-vs-code-extensions.vscode-clangd",
+        "twxs.cmake",
+        "ms-vscode.cmake-tools",
+        "github.vscode-github-actions",
+        "github.vscode-pull-request-github"
+      ],
+      "settings": {
+        "C_Cpp.intelliSenseEngine": "disabled",
+        "clangd.arguments": [
+          "--background-index",
+          "--compile-commands-dir=build"
+        ]
+      }
+    }
+  },
+  "remoteUser": "vscode"
+}

.dockerignore

@@ -1,10 +1,19 @@
-# Test fixtures and CI scripts -- not needed for the spine build
-tests/
+# Test fixtures and CI scripts -- allowed for test images
+# tests/
 .git/
-*.md
-config/
+.github/
+.claude/
+.omc/
+.worktrees/
+build/
+build-*/
+# build-reports/
+# *.md
 m4/
 autom4te.cache/
-.omc/
-*.conf.dist
 *.log
+*.o
+*.a
+*.so
+*.dylib
+.php-cs-fixer.cache

.github/ISSUE_TEMPLATE/bug_report.md

@@ -34,7 +34,7 @@ If applicable, add screenshots to help explain your problem.
 **Compiling (please complete the following information):**
 
  - compiler: [e.g. clang or gcc 5.4.0]
- - autoconf: [e.g. autoconf 2.69]
+ - cmake: [e.g. cmake 3.22]
  - glibc: [e.g. 2.23]
  - source: [e.g. release or github]
 

.github/actions/install-apt-deps/action.yml

@@ -0,0 +1,30 @@
+name: Install apt dependencies
+description: Update apt cache and install a whitespace-delimited package list.
+inputs:
+  packages:
+    description: Whitespace-delimited package names to install.
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Install packages
+      shell: bash
+      env:
+        INSTALL_APT_DEPS_PACKAGES: ${{ inputs.packages }}
+      run: |
+        set -euo pipefail
+        # Reject anything outside the apt-package grammar. Callers pass a
+        # static whitespace-delimited list; this blocks shell metacharacters
+        # even though the input comes from workflow YAML.
+        # tr-d approach: strip allowed chars (alnum, . _ + - space tab);
+        # anything remaining is disallowed. The \- escapes hyphen so it is
+        # not treated as a range specifier by tr.
+        _bad=$(printf '%s' "$INSTALL_APT_DEPS_PACKAGES" | LC_ALL=C tr -d 'A-Za-z0-9._+\- \t')
+        if [ -n "$_bad" ]; then
+          echo "install-apt-deps: rejecting packages string with disallowed characters: $_bad" >&2
+          exit 2
+        fi
+        unset _bad
+        sudo apt-get update
+        # shellcheck disable=SC2086 # intentional word-splitting of validated list
+        sudo apt-get install -y $INSTALL_APT_DEPS_PACKAGES