fix(executor): merge orphaned runtime tests and remove drift

.github/RULESET_BASELINE.md

@@ -0,0 +1,52 @@
+# cliproxyapi-plusplus Ruleset Baseline
+
+Version: 2026-04-02
+Ruleset JSON: `.github/rulesets/main.json`
+
+## Changelog
+
+- 2026-04-02: aligned the checked-in baseline with the repo-local governance wave, safer workflow pins, and the next required-check manifest pass.
+
+This repository now has a checked-in baseline that matches the repaired remote `Main` ruleset.
+
+## Enforced Branch Protection Baseline
+
+- require pull requests before merge on the default branch
+- no branch deletion
+- no force push / non-fast-forward updates
+- require at least 1 approval
+- dismiss stale approvals on new push
+- require code owner review
+- require last push approval before merge
+- require resolved review threads before merge
+- allow merge methods: `merge`, `squash`
+- enable GitHub `copilot_code_review`
+
+## Repo-Local Governance Gates
+
+The repo-local workflow set remains the main CI and policy contract:
+
+- `policy-gate`
+- `pr-path-guard`
+- `pr-test-build`
+- `required-check-names-guard`
+- `quality-gate`
+- `security-guard`
+- `codeql`
+- `sast-quick`
+- `sast-full`
+
+Current required check manifests:
+
+- `.github/required-checks.txt`
+- `.github/release-required-checks.txt`
+- `.github/rulesets/main.json`
+
+Those manifests should drive the next remote ruleset wave once the stable job names are re-verified
+against live workflow output.
+
+## Exception Policy
+
+- only documented billing or quota failures may be excluded from blocking CI evaluation
+- review threads and blocking comments must be resolved before merge
+- PRs must not rely on local `--no-verify` bypasses instead of server-side checks

.github/release-required-checks.txt

@@ -1,4 +1,13 @@
 # workflow_file|job_name
+policy-gate.yml|enforce
+pr-path-guard.yml|ensure-no-translator-changes
+quality-gate.yml|verify
+required-check-names-guard.yml|verify-required-check-names
+security-guard.yml|ggshield-scan
+sast-quick.yml|semgrep
+sast-quick.yml|secrets
+sast-quick.yml|go-quality
+sast-quick.yml|license-check
 pr-test-build.yml|go-ci
 pr-test-build.yml|quality-ci
 pr-test-build.yml|quality-staged-check

.github/required-checks.txt

@@ -1,3 +1,11 @@
 # workflow_file|job_name
-pr-test-build.yml|build
+policy-gate.yml|enforce
 pr-path-guard.yml|ensure-no-translator-changes
+pr-test-build.yml|build
+quality-gate.yml|verify
+required-check-names-guard.yml|verify-required-check-names
+security-guard.yml|ggshield-scan
+sast-quick.yml|semgrep
+sast-quick.yml|secrets
+sast-quick.yml|go-quality
+sast-quick.yml|license-check

.github/rulesets/main.json

@@ -0,0 +1,35 @@
+{
+  "name": "Main",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "include": ["~DEFAULT_BRANCH"],
+      "exclude": []
+    }
+  },
+  "bypass_actors": [],
+  "rules": [
+    { "type": "deletion" },
+    { "type": "non_fast_forward" },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": true,
+        "required_reviewers": [],
+        "require_code_owner_review": true,
+        "require_last_push_approval": true,
+        "required_review_thread_resolution": true,
+        "allowed_merge_methods": ["merge", "squash"]
+      }
+    },
+    {
+      "type": "copilot_code_review",
+      "parameters": {
+        "review_on_push": true,
+        "review_draft_pull_requests": true
+      }
+    }
+  ]
+}

.github/workflows/ci.yml

@@ -1,25 +1,56 @@
 name: CI
+
 on:
   push:
-    branches: [main]
+    branches: [main, feature/*, bugfix/*, docs/*, release/*, hotfix/*]
   pull_request:
     branches: [main]
+
 jobs:
-  ci:
+  test:
     runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        go-version: ['1.21', '1.22']
+
     steps:
       - uses: actions/checkout@v4
+
       - name: Refresh models catalog
         run: |
           git fetch --depth 1 https://github.com/router-for-me/models.git main
-          git show FETCH_HEAD:models.json > internal/registry/models/models.json
-      - uses: actions/setup-go@v5
+          mkdir -p pkg/llmproxy/registry/models
+          git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
         with:
-          go-version-file: go.mod
-          cache: true
-      - name: Vet
-        run: go vet ./...
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Download dependencies
+        run: go mod download
+
       - name: Build
         run: go build ./...
-      - name: Test
-        run: go test ./...
+
+      - name: Run tests
+        run: go test ./... -v -race -coverprofile=coverage.out
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v3
+        with:
+          files: ./coverage.out
+
+
+  phenotype-validate:
+    runs-on: ubuntu-latest
+    uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@main

.github/workflows/sast-full.yml

@@ -0,0 +1,92 @@
+name: SAST Full Analysis
+
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      matrix:
+        language: [go, javascript]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+
+  trivy-repo:
+    name: Trivy Repository Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+      - name: Upload Trivy SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy
+
+  full-semgrep:
+    name: Full Semgrep Analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install Semgrep
+        run: python -m pip install --disable-pip-version-check semgrep==1.157.0
+      - name: Run Semgrep
+        run: |
+          semgrep scan \
+            --config .semgrep-rules/ \
+            --config p/security-audit \
+            --config p/owasp-top-ten \
+            --config p/cwe-top-25 \
+            --error \
+            --sarif \
+            --output semgrep.sarif \
+            .
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: semgrep.sarif
+          category: semgrep-full
+
+  full-secrets:
+    name: Full Secret Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: trufflesecurity/trufflehog@v3.94.2
+        with:
+          path: ./
+          extra_args: --only-verified

.github/workflows/sast-quick.yml

@@ -0,0 +1,86 @@
+name: SAST Quick Check
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  semgrep:
+    name: Semgrep Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Tier 3: Advisory - security enrichment only
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install Semgrep
+        run: python -m pip install --disable-pip-version-check semgrep==1.157.0
+      - name: Run Semgrep
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: semgrep.sarif
+
+  # License Compliance - Tier 3: Advisory
+  license-compliance:
+    name: License Compliance
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    # Tier 3: Advisory - security enrichment only
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Analyze licenses
+        uses: fsfe/reuse-action@v4
+        continue-on-error: true  # Allow findings but don't fail
+      - name: Check for non-reusable licenses
+        run: |
+          # Check for problematic licenses
+          grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true
+      - name: Check license compliance
+        uses: fsfe/reuse-action@v4
+        continue-on-error: true
+
+  # Secret Scanning - Tier 2: Important (runs in parallel)
+  secrets:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: --verbose --redact
+      - name: Run Trivy Secret Scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: repo
+          exit-code: 0
+          format: sarif
+          output: trivy-results.sarif
+        continue-on-error: true
+      - name: Upload Trivy results
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/security-guard.yml

@@ -1,9 +1,23 @@
-name: security-guard
-on: [workflow_dispatch]
+name: Security Guard
+
+on:
+  workflow_call:
+    secrets:
+      GITGUARDIAN_API_KEY:
+        required: true
+  workflow_dispatch:
+
 jobs:
-  audit:
+  ggshield-scan:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - name: Run security audit
-        run: echo "Security audit placeholder - no script available yet"
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+      - name: Install ggshield
+        run: pip install ggshield==1.38.0
+      - name: Run ggshield secret scan
+        env:
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+        run: ggshield secret scan path . --recursive