Initial release: SBproxy v0.1.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: rickcrawford

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default: require review from Rick for all changes
+*       @rickcrawford

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25.5'
+      - name: Build with version info
+        run: |
+          VERSION=$(cat VERSION)
+          GIT_HASH=$(git rev-parse --short HEAD)
+          BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+          go build -ldflags "-s -w \
+            -X github.com/soapbucket/sbproxy/internal/version.Version=${VERSION} \
+            -X github.com/soapbucket/sbproxy/internal/version.BuildHash=${GIT_HASH} \
+            -X github.com/soapbucket/sbproxy/internal/version.BuildDate=${BUILD_DATE}" \
+            ./...
+      - run: go vet ./...
+      - run: go test ./... -count=1 -timeout 300s -race
+      - name: Install and run golangci-lint
+        run: |
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+          golangci-lint run ./...
+      - run: make check

.github/workflows/release.yml

@@ -0,0 +1,127 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25.5'
+
+      - name: Login to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  update-homebrew:
+    needs: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Download release artifacts and compute hashes
+        id: hashes
+        run: |
+          VERSION=${{ steps.version.outputs.version }}
+          BASE_URL="https://github.com/soapbucket/sbproxy/releases/download/v${VERSION}"
+
+          for platform in darwin_arm64 darwin_amd64 linux_arm64 linux_amd64; do
+            archive="sbproxy_${platform}.tar.gz"
+            echo "Downloading ${archive}..."
+            curl -fsSL "${BASE_URL}/${archive}" -o "/tmp/${archive}" || {
+              echo "WARN: ${archive} not available"
+              continue
+            }
+            hash=$(sha256sum "/tmp/${archive}" | awk '{print $1}')
+            echo "${platform}=${hash}" >> "$GITHUB_OUTPUT"
+            echo "  ${platform}: ${hash}"
+          done
+
+      - name: Update Homebrew formula
+        uses: actions/checkout@v4
+        with:
+          repository: soapbucket/homebrew-sbproxy
+          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          path: homebrew-sbproxy
+
+      - name: Write updated formula
+        run: |
+          VERSION=${{ steps.version.outputs.version }}
+          cat > homebrew-sbproxy/sbproxy.rb << 'FORMULA'
+          class Sbproxy < Formula
+            desc "High-performance reverse proxy and AI gateway"
+            homepage "https://sbproxy.dev"
+            license "Apache-2.0"
+            version "VERSION_PLACEHOLDER"
+
+            on_macos do
+              if Hardware::CPU.arm?
+                url "https://github.com/soapbucket/sbproxy/releases/download/v#{version}/sbproxy_darwin_arm64.tar.gz"
+                sha256 "DARWIN_ARM64_PLACEHOLDER"
+              else
+                url "https://github.com/soapbucket/sbproxy/releases/download/v#{version}/sbproxy_darwin_amd64.tar.gz"
+                sha256 "DARWIN_AMD64_PLACEHOLDER"
+              end
+            end
+
+            on_linux do
+              if Hardware::CPU.arm?
+                url "https://github.com/soapbucket/sbproxy/releases/download/v#{version}/sbproxy_linux_arm64.tar.gz"
+                sha256 "LINUX_ARM64_PLACEHOLDER"
+              else
+                url "https://github.com/soapbucket/sbproxy/releases/download/v#{version}/sbproxy_linux_amd64.tar.gz"
+                sha256 "LINUX_AMD64_PLACEHOLDER"
+              end
+            end
+
+            def install
+              bin.install "sbproxy"
+            end
+
+            test do
+              assert_match version.to_s, shell_output("#{bin}/sbproxy --version")
+            end
+          end
+          FORMULA
+
+          # Replace placeholders
+          sed -i "s/VERSION_PLACEHOLDER/${VERSION}/" homebrew-sbproxy/sbproxy.rb
+          sed -i "s/DARWIN_ARM64_PLACEHOLDER/${{ steps.hashes.outputs.darwin_arm64 }}/" homebrew-sbproxy/sbproxy.rb
+          sed -i "s/DARWIN_AMD64_PLACEHOLDER/${{ steps.hashes.outputs.darwin_amd64 }}/" homebrew-sbproxy/sbproxy.rb
+          sed -i "s/LINUX_ARM64_PLACEHOLDER/${{ steps.hashes.outputs.linux_arm64 }}/" homebrew-sbproxy/sbproxy.rb
+          sed -i "s/LINUX_AMD64_PLACEHOLDER/${{ steps.hashes.outputs.linux_amd64 }}/" homebrew-sbproxy/sbproxy.rb
+
+          # Fix indentation (heredoc adds leading spaces)
+          sed -i 's/^          //' homebrew-sbproxy/sbproxy.rb
+
+      - name: Commit and push formula
+        working-directory: homebrew-sbproxy
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add sbproxy.rb
+          git commit -m "sbproxy ${{ steps.version.outputs.version }}"
+          git push

.gitignore

@@ -0,0 +1,39 @@
+# Binaries
+bin/
+/sbproxy
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test
+*.test
+*.out
+coverage.txt
+coverage.html
+
+# Benchmarks
+new.txt
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Generated certs (use make certs to regenerate)
+certs/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Build
+dist/
+
+# Temporary
+tmp/
+*.tmp
+*.log
+e2e/servers/echo-server

.golangci.yml

@@ -0,0 +1,17 @@
+run:
+  timeout: 5m
+
+linters:
+  enable:
+    - errcheck
+    - govet
+    - staticcheck
+    - unused
+    - gosimple
+    - ineffassign
+
+issues:
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - errcheck

.goreleaser.yml

@@ -0,0 +1,44 @@
+version: 2
+
+builds:
+  - main: ./cmd/sbproxy
+    binary: sbproxy
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+      - -X github.com/soapbucket/sbproxy/internal/version.Version={{.Version}}
+      - -X github.com/soapbucket/sbproxy/internal/version.BuildHash={{.ShortCommit}}
+      - -X github.com/soapbucket/sbproxy/internal/version.BuildDate={{.Date}}
+
+archives:
+  - formats:
+      - tar.gz
+    name_template: "sbproxy_{{ .Os }}_{{ .Arch }}"
+
+dockers:
+  - image_templates:
+      - "ghcr.io/soapbucket/sbproxy:{{ .Tag }}"
+      - "ghcr.io/soapbucket/sbproxy:latest"
+    dockerfile: Dockerfile.goreleaser
+    extra_files: []
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title=sbproxy"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+      - "^ci:"

AGENTS.md

@@ -0,0 +1,116 @@
+# AGENTS.md - AI Agent Instructions for SBproxy
+
+## Project Overview
+
+SBproxy is a reverse proxy and AI gateway written in Go. Single binary, Caddy-style plugin architecture, 18-layer compiled handler chain.
+
+- **Source:** https://github.com/soapbucket/sbproxy
+- **Docs:** https://sbproxy.dev/docs
+- **License:** Apache 2.0
+
+## Repository Structure
+
+```
+cmd/sbproxy/       Binary entry point
+pkg/               Public API (plugin interfaces, config types, events)
+internal/          Private implementation
+  config/          Config loading, validation, compilation (compiler.go is key)
+  engine/          HTTP pipeline (middleware, handlers, transport)
+  modules/         Plugin modules (action/, auth/, policy/, transform/)
+  middleware/      Per-origin middleware (callback, cors, waf, modifier, etc.)
+  ai/              AI gateway (providers, routing, guardrails)
+  extension/       Scripting (CEL, Lua, MCP)
+  observe/         Logging, metrics, telemetry, events
+  loader/          Config lifecycle, feature flags
+  platform/        Infrastructure (circuit breaker, DNS, health, messenger)
+  request/         Request context (reqctx, session, rate limit)
+  security/        Crypto, cert pinning, PII, signatures
+  cache/           Response and object caching
+  service/         Server lifecycle
+examples/          16 working config examples (all use test.sbproxy.dev)
+docs/              Architecture, configuration, scripting docs
+```
+
+## Build and Test
+
+```bash
+go build ./...                                    # build
+go test ./...                                     # test all
+go test ./internal/config/ -count=1 -timeout 120s # config tests
+go test ./internal/modules/... -v                 # module tests
+go vet ./...                                      # lint
+go test -race ./... -count=1 -timeout 180s        # race detector
+```
+
+## Key Architectural Concepts
+
+### Plugin System
+Modules register via `init()` into `pkg/plugin` registry. Five interfaces:
+- `ActionHandler` - what to do with a request (proxy, redirect, static, AI, etc.)
+- `AuthProvider` - who can access (api_key, jwt, basic_auth, etc.)
+- `PolicyEnforcer` - rules and limits (rate_limit, waf, cel expression, etc.)
+- `TransformHandler` - modify response body (json_projection, html, lua, etc.)
+- `RequestEnricher` - enrich request context (GeoIP, UA parsing - enterprise only)
+
+### Compiled Handler Chain
+`internal/config/compiler.go: CompileOrigin()` builds an 18-layer handler chain per origin. Built inside-out, executes outside-in. Zero per-request allocation.
+
+### Config Format
+YAML config (sb.yml) with `proxy:` (global) and `origins:` (per-hostname) top-level keys. Each origin has sibling fields: `action`, `authentication`, `policies`, `transforms`, `request_modifiers`, `response_modifiers`, `forward_rules`, `response_cache`, `on_request`, `on_response`, `compression`, `cors`, `error_pages`.
+
+**Critical rule:** `authentication`, `policies`, `transforms`, etc. are SIBLINGS of `action`, never nested inside it.
+
+### Header Normalization
+Two systems with different rules:
+- **CEL expressions:** lowercase, hyphens preserved, bracket notation: `request.headers["x-api-key"]`
+- **Mustache templates:** lowercase, hyphens to underscores, dot notation: `{{ request.headers.x_api_key }}`
+
+### Enterprise Boundary
+- OSS code must NEVER import enterprise packages
+- Enterprise code imports only `sbproxy/pkg/*` (never `sbproxy/internal/*`)
+- Enterprise features: canary, shadow, geo-blocking, OAuth, WASM, guardrails, semantic cache
+- Enterprise modules register via the same `plugin.Register*()` pattern
+
+## Code Style
+
+- Standard `gofmt`
+- Explicit `if err != nil` error handling, no panics in production
+- All exported types and functions must have Go doc comments
+- Add logical section comments at decision points, not on every line
+- Use `// --- Section Name ---` dividers in larger files
+- Do NOT use em dashes in any content
+- Do NOT expose internal implementation details in marketing content
+- All documentation files must have `*Last modified: YYYY-MM-DD*` after the title
+
+## When Making Changes
+
+1. Read the existing code before modifying
+2. Follow existing patterns in the package
+3. Run `go build ./...` after every change
+4. Run `go vet ./...` before committing
+5. Run `go test` for affected packages
+6. All examples use test.sbproxy.dev as the backend
+7. Do NOT include enterprise features in OSS code
+
+## Adding a New Module
+
+1. Create package under `internal/modules/{type}/{name}/`
+2. Implement the appropriate `pkg/plugin` interface
+3. Register via `plugin.Register*()` in `init()`
+4. Add blank import to `internal/modules/imports.go`
+5. Write tests
+6. Run full build and test suite
+
+## Important Files
+
+| File | Purpose |
+|---|---|
+| `internal/config/compiler.go` | Origin compilation (18-layer handler chain) |
+| `pkg/plugin/registry.go` | Plugin registration |
+| `pkg/plugin/services.go` | ServiceProvider interface |
+| `pkg/plugin/enricher.go` | RequestEnricher interface |
+| `internal/engine/middleware/middleware.go` | Global middleware chain and origin routing |
+| `internal/modules/imports.go` | Module activation via blank imports |
+| `internal/service/service.go` | Server startup sequence |
+| `internal/request/reqctx/types.go` | RequestData struct |
+| `internal/template/resolver.go` | Template resolution (9-namespace model) |