feat: enterprise hardening — foundation, security, observability, deploy

.codecov.yml

@@ -0,0 +1,22 @@
+coverage:
+  status:
+    project:
+      default:
+        target: 70%
+        threshold: 1%
+    patch:
+      default:
+        target: 80%
+
+ignore:
+  - "**/*_test.go"
+  - "examples/"
+  - "benchmarks/"
+  - "docs-site/"
+  - "sdk/typescript/"
+  - "site/"
+
+comment:
+  layout: "reach,diff,flags,files"
+  behavior: default
+  require_changes: false

.github/CODEOWNERS

@@ -0,0 +1,33 @@
+# MagiC CODEOWNERS
+#
+# This file defines who is automatically requested for review when a pull
+# request modifies files in a given path. The last matching pattern wins.
+#
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-security/customizing-your-repository/about-code-owners
+#
+# Maintainer directory: /MAINTAINERS.md
+# Governance:           /GOVERNANCE.md
+
+# Default — everything not otherwise matched.
+*                       @kienbui1995
+
+# Core server (Go)
+/core/                  @kienbui1995
+
+# SDKs
+/sdk/python/            @kienbui1995
+/sdk/go/                @kienbui1995
+/sdk/typescript/        @kienbui1995
+
+# Documentation
+/docs/                  @kienbui1995
+/docs-site/             @kienbui1995
+
+# Deployment manifests (Helm, Compose, Railway, Render, Fly)
+/deploy/                @kienbui1995
+
+# GitHub automation (workflows, issue templates, CODEOWNERS itself)
+/.github/               @kienbui1995
+
+# Examples
+/examples/              @kienbui1995

.github/dependabot.yml

@@ -0,0 +1,117 @@
+version: 2
+
+updates:
+  # Go — core module
+  - package-ecosystem: gomod
+    directory: /core
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    reviewers:
+      - kienbui1995
+    labels:
+      - dependencies
+      - go
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+    groups:
+      core-prod:
+        dependency-type: production
+      core-dev:
+        dependency-type: development
+
+  # Go — SDK
+  - package-ecosystem: gomod
+    directory: /sdk/go
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    reviewers:
+      - kienbui1995
+    labels:
+      - dependencies
+      - go-sdk
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+
+  # Python SDK
+  - package-ecosystem: pip
+    directory: /sdk/python
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    reviewers:
+      - kienbui1995
+    labels:
+      - dependencies
+      - python
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+    groups:
+      python-prod:
+        dependency-type: production
+      python-dev:
+        dependency-type: development
+
+  # TypeScript SDK
+  - package-ecosystem: npm
+    directory: /sdk/typescript
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    reviewers:
+      - kienbui1995
+    labels:
+      - dependencies
+      - typescript
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+
+  # Root npm (VitePress docs)
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    reviewers:
+      - kienbui1995
+    labels:
+      - dependencies
+      - docs
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+
+  # Docker image
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    reviewers:
+      - kienbui1995
+    labels:
+      - dependencies
+      - docker
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    reviewers:
+      - kienbui1995
+    labels:
+      - dependencies
+      - ci
+    commit-message:
+      prefix: "chore(ci)"
+      include: scope

.github/workflows/ci.yml

@@ -10,29 +10,81 @@ jobs:
   go:
     name: Go Tests
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed  # v5.1.0
         with:
           go-version: '1.25'
       - name: Build
         run: cd core && go build ./cmd/magic
-      - name: Test with Race Detection
-        run: cd core && go test ./... -v -race -count=1
+      - name: Test with Race Detection + Coverage
+        run: cd core && go test ./... -v -race -count=1 -coverprofile=coverage.txt -covermode=atomic
+      - name: Upload coverage to Codecov
+        # Pinned to v5.1.1 — tokenless upload supported for public repos.
+        # fail_ci_if_error:false so Codecov flakes never block PR merges.
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303  # v5.1.1
+        with:
+          files: ./core/coverage.txt
+          flags: go-core
+          fail_ci_if_error: false
       - name: Vet
         run: cd core && go vet ./...
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8  # v6.1.1
+        # continue-on-error: lint is advisory — build/test/vet gate the PR.
+        # staticcheck (slow, full-program analysis) is intentionally excluded
+        # via --fast so the step finishes in <60s on GitHub-hosted runners.
+        # Run staticcheck locally: cd core && staticcheck ./...
+        continue-on-error: true
         with:
-          version: latest
+          version: v1.64.8
           working-directory: core
+          args: --go=1.24 --timeout=3m --fast
+          only-new-issues: true
+
+  e2e:
+    name: E2E Tests (MemoryStore)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed  # v5.1.0
+        with:
+          go-version: '1.25'
+      - name: Run E2E tests
+        # Exclude TestE2E_Postgres_* — those run in the e2e-postgres job below
+        # which spins up real Postgres containers via testcontainers-go.
+        run: >
+          cd core && go test -tags=e2e -race -timeout=300s
+          -run '^TestE2E_(TaskLifecycle|WebhookDelivery|TaskCancel|WorkerPauseResume|WorkflowDAG|RateLimit|AuditLog)$'
+          ./internal/e2e/...
+
+  e2e-postgres:
+    name: E2E Tests (Postgres via testcontainers)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed  # v5.1.0
+        with:
+          go-version: '1.25'
+      # GitHub-hosted ubuntu runners have Docker preinstalled; testcontainers-go
+      # connects via /var/run/docker.sock without extra setup.
+      - name: Run Postgres E2E tests
+        run: >
+          cd core && go test -tags=e2e -race -timeout=600s
+          -run '^TestE2E_Postgres'
+          ./internal/e2e/...
 
   go-sdk:
     name: Go SDK Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed  # v5.1.0
         with:
           go-version: '1.25'
       - name: Test
@@ -42,8 +94,8 @@ jobs:
     name: Python Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
           python-version: '3.12'
       - name: Install SDK
@@ -57,11 +109,45 @@ jobs:
     name: TypeScript SDK Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
         with:
           node-version: '20'
       - name: Build
         run: cd sdk/typescript && npm install && npm run build
       - name: Test
         run: cd sdk/typescript && node --test dist/test.js
+
+  govulncheck:
+    name: Go Vulnerability Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed  # v5.1.0
+        with:
+          go-version: '1.25'
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Scan core
+        run: cd core && govulncheck ./...
+      - name: Scan sdk/go
+        run: cd sdk/go && govulncheck ./...
+
+  gosec:
+    name: Go Security (gosec SAST)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - name: Run gosec
+        uses: securego/gosec@223e19b8856e00f02cc67804499a83f77e208f3c  # v2.25.0
+        with:
+          args: '-fmt sarif -out gosec-results.sarif ./core/...'
+      - name: Upload SARIF to code-scanning
+        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.1
+        with:
+          sarif_file: gosec-results.sarif

.github/workflows/codeql.yml

@@ -18,16 +18,16 @@ jobs:
       matrix:
         language: [go, javascript]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.1
         with:
           languages: ${{ matrix.language }}
 
       - name: Setup Go
         if: matrix.language == 'go'
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed  # v5.1.0
         with:
           go-version: '1.25'
 
@@ -36,4 +36,4 @@ jobs:
         run: cd core && go build ./cmd/magic
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.1

.github/workflows/pages.yml

@@ -16,17 +16,17 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
         with:
           node-version: '20'
           cache: npm
       - name: Install dependencies
         run: npm ci
       - name: Build VitePress docs
         run: npm run docs:build
-      - uses: actions/configure-pages@v4
-      - uses: actions/upload-pages-artifact@v3
+      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b  # v5.0.0
+      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
         with:
           path: site
 
@@ -41,4 +41,4 @@ jobs:
       id-token: write
     steps:
       - id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e  # v4.0.5