Fix PR review findings, CI stabilization, and docs consolidation (#80)

## Summary

- Resolve all CodeRabbit and manual PR review findings across CI,
runtime safety, and documentation
- Stabilize all CI workflows (Linux, macOS, Windows, docs, release) to
pass consistently
- Consolidate CLAUDE.md session learnings into AGENTS.md for all AI
assistants

## Changes

### Security & Runtime Safety
- Prevent XML injection via proper escaping
- Fix integer overflow in VLAN total calculation (u16 → u32 cast before
arithmetic)
- Fix `par_chunks(0)` panic in streaming XML for empty configs
- Fix empty-vec panic in VPN DNS selection
- Remove dead code and unused dependencies

### CI Stabilization
- Add mise installation to Copilot Setup Steps workflow
- Fix Codecov slug (was pointing to wrong repository)
- Fix coverage upload path (`target/lcov.info` → `lcov.info`)
- Fix release.yml SBOM upload typo (`output` → `outputs`)
- Pin `assert_cmd = "=2.0.17"` to avoid deprecation errors under `-D
warnings`
- Normalize Windows `.exe` suffix and temp paths in snapshot tests
- Remove conflicting CodeQL workflow (default setup already enabled)
- Fix mdBook build (remove deprecated `multilingual` field and unused
`mdbook-alerts`)
- Update cargo-dist to 0.30.4 and regenerate release workflow

### Documentation
- Fix LICENSE copyright ("Stringy Contributors" → correct project)
- Fix README license reference (MIT → Apache 2.0)
- Fix VLAN range "1-4094" → "10-4094" across 4 docs files
- Fix Rust version "1.70+" → "1.85+" in installation docs
- Fix broken relative links in 5 docs files
- Remove non-existent CLI flags from output-formats docs
- Remove fake `RUST_GC_THRESHOLD`, `sudo cargo run`, invalid
`--registry` flag
- Add CI/CD lessons learned section to AGENTS.md
- Consolidate all CLAUDE.md learnings into AGENTS.md

### Config & Quality
- Fix deny.toml project name and dev-dependency conflict
- Add null checks in mermaid-init.js
- Fix justfile recipe name typo
- Remove non-functional docs.rs badge from README

## Test plan

- [x] `just ci-check` passes locally (342 tests, all pre-commit hooks)
- [x] All CI workflows green (quality, test, cross-platform, coverage,
release, docs)
- [x] `cargo dist plan` passes after regeneration
- [x] Windows snapshot tests pass with normalized paths

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: UncleSp1d3r <unclespider@protonmail.com>
Signed-off-by: Kent Melton <kent@kmelton.dev>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: unclesp1d3r <251112+unclesp1d3r@users.noreply.github.com>
Co-authored-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: kmelton <kmelton@mac.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: UncleSp1d3r <unclespider@protonmail.com>

Author: 4 people

.gitattributes

@@ -0,0 +1,81 @@
+# Auto detect text files and perform LF normalization
+* text=auto eol=lf
+
+# Rust files
+*.rs text diff=rust
+Cargo.toml text
+Cargo.lock text
+
+# Docker files
+Dockerfile text
+*.dockerfile text
+docker-compose*.yml text
+.dockerignore text
+
+# Documentation
+*.md text diff=markdown
+*.txt text
+*.rst text
+LICENSE text
+
+# Config files
+*.json text
+*.toml text
+*.yml text
+*.yaml text
+*.ini text
+*.cfg text
+*.conf text
+
+# Web files
+*.html text diff=html
+*.html.j2 text diff=html
+*.css text diff=css
+*.js text
+*.jsx text
+*.ts text
+*.tsx text
+*.vue text
+
+# SQL files
+*.sql text
+
+# Binary files
+*.db binary
+*.p binary
+*.pkl binary
+*.pickle binary
+*.pyc binary
+*.pyd binary
+*.pyo binary
+*.pdb binary
+
+# Image files
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.svg text
+
+# Font files
+*.ttf binary
+*.eot binary
+*.woff binary
+*.woff2 binary
+
+# Archive files
+*.zip binary
+*.7z binary
+*.gz binary
+*.tar binary
+*.tgz binary
+*.rar binary
+
+# Executables
+*.exe binary
+*.dll binary
+*.so binary
+*.dylib binary
+
+.env text=utf-8 eol=lf

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# .github/actionlint.yaml
+paths:
+    ".github/workflows/release.yml": # This is an autogenerated workflow file and should not be linted. It is regenerated by cargo-dist.
+        ignore:
+            - ".*"
+            - "shellcheck reported issue in this script:.*"
+            - 'context "secrets" is not allowed here.*'

.github/actionlint.yaml

@@ -0,0 +1,38 @@
+# Commit Message Style for OPNsense-config-faker
+
+- **Conventional Commits**: All commits must follow [Conventional Commits](https://www.conventionalcommits.org): `<type>(<scope>): <description>`
+- **Types**: `feat`, `fix`, `docs`, `style`, `refactor`, `perf`, `test`, `build`, `ci`, `chore`
+- **Scopes**: `(cli)`, `(generators)`, `(validators)`, `(network)`, `(xml)`, `(csv)`, `(json)`, `(vlan)`, `(firewall)`, `(interfaces)`, `(routing)`, `(io)`, `(models)`, `(deps)`, `(ci)`, `(build)`, etc. Required for all commits.
+- **Description**:
+  - Imperative mood ("add", not "added")
+  - No period at the end
+  - ≤72 characters, capitalized, clear and specific
+- **Body (optional)**:
+  - Start after a blank line
+  - Use itemized lists for multiple changes
+  - Explain what/why, not how
+- **Footer (optional)**:
+  - Start after a blank line
+  - Use for issue refs (`Closes #123`) or breaking changes (`BREAKING CHANGE:`)
+- **Breaking Changes**:
+  - Add `!` after type/scope (e.g., `feat(cli)!: ...`) or use `BREAKING CHANGE:` in footer
+- **Examples**:
+  - `feat(generators): add VLAN configuration generation with IEEE 802.1Q compliance`
+  - `fix(validators): prevent VLAN ID overflow in batch generation`
+  - `docs(readme): update CLI examples with firewall rule generation`
+  - `refactor(network): simplify IP range generation logic`
+  - `test(cli): add property-based tests for VLAN ID validation`
+  - `chore(deps): update clap to v4.5.2 for better CLI help formatting`
+  - `perf(xml): optimize XML serialization for large configurations`
+  - `feat(firewall): add realistic firewall rule generation with security patterns`
+  - `feat(cli): add --base-network option for custom IP range specification`
+  - `fix(xml): handle malformed OPNsense XML templates gracefully`
+- **CI Compatibility**:
+  - All commits must pass `just ci-check` and network validation
+  - Use `chore:` for meta or maintenance changes
+  - Use `deps:` scope for dependency updates
+- **Network Configuration Specific**:
+  - `feat(vlan): add support for IEEE 802.1Q tag generation`
+  - `fix(firewall): correct rule priority ordering in XML output`
+  - `feat(interfaces): add physical interface configuration generation`
+  - `fix(routing): ensure generated routes have valid next-hop addresses`

.github/commit-instructions.md

@@ -0,0 +1,21 @@
+---
+mode: agent
+model: Auto (copilot)
+tools: [githubRepo, edit, search, new, runCommands, runTasks, usages, vscodeAPI, think, problems, changes, testFailure, openSimpleBrowser, fetch, extensions, todos, memory]
+description: Ensure code changes pass all CI checks before merging.
+---
+
+1. First, run `just ci-check` to identify any failures
+2. Analyze the output to understand what specific checks are failing. If everything passes, you’re done.
+3. Make minimal, targeted fixes to address ONLY the failing checks:
+   - For formatting issues: run `just format`
+   - For linting issues (clippy): fix the specific violations reported (rerun with `just lint-rust` / `just lint-rust-min`)
+   - For compilation/type errors: fix the underlying Rust code until `just check` (or `cargo check`) succeeds
+   - For test failures: fix the failing tests or underlying code (verify with `just test` or `just test-ci`)
+   - For dependency security/advisory issues: run `just audit` (cargo-audit) and/or update `Cargo.toml` then `cargo update`
+   - For license/compliance issues: run `just deny` and address cargo-deny findings
+4. After making fixes, run `just ci-check` again to verify all checks pass
+5. If any checks still fail, repeat steps 2-4 until all checks pass
+6. Provide a summary of what was fixed and confirm that `just ci-check` now passes completely
+
+Keep changes minimal and focused - only fix what's actually causing the CI failures. Do not make unnecessary refactoring or style changes beyond what's required to pass the checks.

.github/prompts/ci_check.prompt.md

@@ -0,0 +1,53 @@
+---
+mode: agent
+model: GPT-5 (copilot)
+tools: [githubRepo, edit, search, new, runCommands, runTasks, usages, vscodeAPI, think, problems, changes, testFailure, openSimpleBrowser, fetch, extensions, todos, memory]
+description: Analyze diff, apply safe internal fixes, report results
+---
+
+Analyze only the changed files (diff scope) and improve them while preserving public APIs. Focus categories: (1) Code Smells (large/duplicate/complex) (2) Design Patterns (traits, builder, newtype, factory) (3) Best Practices (Rust 2024, project conventions) (4) Readability (naming, structure, cohesion) (5) Maintainability (modularization, clarity) (6) Performance (async, redb I/O, allocation, blocking) (7) Type Safety (strong types, avoid needless Option/Result layering) (8) Error Handling (thiserror + anyhow context, no silent failures). Context: OPNsense-config-faker = network configuration generation, OPNsense XML compliance, zero-warnings, CLI-first, realistic test data. Prefer clear + maintainable over clever.
+
+## ACTION WORKFLOW (MANDATORY)
+
+1. Collect diff file list. 2. Analyze per focus category. 3. Classify each finding: `safe-edit` (apply now), `deferred`, `requires-approval`. 4. Auto-apply only `safe-edit` (mechanical, internal, non-breaking, warning removal, correctness, logging consistency, blocking I/O → async). 5. Run `just lint` then `just test`. On failure: isolate failing hunk, revert it, re-run, document skip. 6. Generate report (summary table, applied edits + rationale, deferred backlog, approval-needed with risks, next-step roadmap). 7. Output unified diff (never commit). If zero safe edits: state "No safe automatic edits applied" and still output full report.
+
+## AUTO-EDIT CONSTRAINTS (STRICT)
+
+- Scope: Only diff-related files
+- Gates: Must pass `just lint` + tests
+- User Control: Never commit/stage
+- Public API: No signature/visibility/export changes
+- Validation: Always run quality gates before reporting
+
+## CRITICAL REQUIREMENTS
+
+- Actionable suggestions (code examples when clearer)
+- Auto-apply only clearly safe internal fixes
+- Prioritize runtime correctness, safety, type rigor, security posture
+- Preserve all public APIs (no signature/visibility changes)
+- Avoid cleverness; optimize for clarity & maintainability
+
+## REPO RULES (REINFORCED)
+
+Zero warnings (clippy -D warnings) | No unsafe | Precise typing | Network configuration validity | Trait-based services | `thiserror` + `anyhow` | OPNsense XML schema compliance | CLI-first (`opnsense-config-faker`) | Memory efficient | Realistic test data generation | Network range validation | No hardcoded secrets | rustdoc for all public APIs
+
+---
+
+## EXECUTION CHECKLIST
+
+1 Diff scan 2 Analyze 3 Classify 4 Safe edits applied 5 Gates pass 6 Report (summary/applied/deferred/approval-needed/roadmap) 7 Output diff. On blocker: report + remediation guidance.
+
+## QUICK REFERENCE MATRIX
+
+Category -> Examples of Safe Edits:
+
+- Smells: remove dead code, split oversized internal fn (no visibility change)
+- Patterns: introduce small private helper or trait impl internally
+- Best Practices: replace blocking fs in async with tokio equivalent
+- Readability: rename local vars (non-public), add rustdoc/examples
+- Maintainability: extract internal module (keep re-export stable)
+- Performance: eliminate needless clone, memoize constant, bound Vec growth
+- Type Safety: replace `String` boolean flags with small internal enum (private)
+- Error Handling: add context via `anyhow::Context`, convert generic String errors to structured variants if already internal
+
+If ambiguity arises, default to: classify (deferred) instead of applying.