From 68ab44f8a44ff233e490dac2b74dbfb7f8495a3f Mon Sep 17 00:00:00 2001
From: stacknil
Date: Mon, 29 Jun 2026 19:42:05 +0800
Subject: [PATCH 1/2] chore(security): add repo sentinel hygiene gate
---
.gitattributes | 1 +
.github/workflows/repo-sentinel.yml | 31 +++++++++++++++++++++++++++++
.reposentinel.toml | 22 ++++++++++++++++++++
3 files changed, 54 insertions(+)
create mode 100644 .github/workflows/repo-sentinel.yml
create mode 100644 .reposentinel.toml
diff --git a/.gitattributes b/.gitattributes
index 7f0f3d3..60f6899 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -5,6 +5,7 @@
 *.h text eol=lf
 *.md text eol=lf
 *.json text eol=lf
+*.toml text eol=lf
 *.yml text eol=lf
 *.yaml text eol=lf
 *.txt text eol=lf
diff --git a/.github/workflows/repo-sentinel.yml b/.github/workflows/repo-sentinel.yml
new file mode 100644
index 0000000..564e0be
--- /dev/null
+++ b/.github/workflows/repo-sentinel.yml
@@ -0,0 +1,31 @@
+name: Repo Sentinel
+
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ repo-sentinel:
+ name: Repo Sentinel
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Install repo-sentinel-lite
+ run: |
+ python3 -m venv "$RUNNER_TEMP/repo-sentinel-venv"
+ "$RUNNER_TEMP/repo-sentinel-venv/bin/python" -m pip install --upgrade pip
+ "$RUNNER_TEMP/repo-sentinel-venv/bin/python" -m pip install repo-sentinel-lite
+
+ - name: Run repository hygiene gate
+ run: |
+ "$RUNNER_TEMP/repo-sentinel-venv/bin/repo-sentinel" scan \
+ --fail-on-severity error \
+ --format text \
+ .
diff --git a/.reposentinel.toml b/.reposentinel.toml
new file mode 100644
index 0000000..508c3da
--- /dev/null
+++ b/.reposentinel.toml
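Review bot: The gate's own tooling is the one floating dependency in this workflow: `pip install repo-sentinel-lite` (and the `pip install --upgrade pip` before it) fetches whatever PyPI serves at run time, while both actions are pinned to commit SHAs, so a broken or hijacked upstream release would run against the checkout on every push and pull request before anyone has reviewed it. Pin it, e.g. `"$RUNNER_TEMP/repo-sentinel-venv/bin/python" -m pip install "repo-sentinel-lite==<PINNED_VERSION>"`, and preferably install from a hash-locked requirements file with `--require-hashes` so the lock is enforced rather than just the version. The second patch in this series rewrites the same step (`python3` → `python`) and carries the unpinned install line forward unchanged, so the point applies there too. `permissions: contents: read` keeps the blast radius to the repository contents, which limits but does not remove the concern.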
@@ -0,0 +1,22 @@
+# LogLens uses repo-sentinel-lite as a narrow hygiene gate:
+# required repository files plus accidental sensitive filenames.
+#
+# High-entropy content scanning is intentionally disabled here so fixture logs
+# and C++ build outputs do not affect this gate.
+max_text_file_size = 0
+entropy_threshold = 999.0
+
+ignore_globs = [
+ "build/**",
+ "build_manual*",
+ "out/**",
+ "report.md",
+ "report.json",
+ "*.exe",
+ "CMakeFiles",
+ "CMakeFiles/**",
+ "CMakeCache.txt",
+ "cmake_install.cmake",
+ "compile_commands.json",
+ "*.vcxproj.user",
+]
From f69039553e770199de085aeccc9e51a43a0b71ee Mon Sep 17 00:00:00 2001
From: stacknil
Date: Mon, 29 Jun 2026 19:45:37 +0800
Subject: [PATCH 2/2] ci: run repo sentinel gate on Python 3.14
---
.github/workflows/repo-sentinel.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/repo-sentinel.yml b/.github/workflows/repo-sentinel.yml
index 564e0be..1e7ec92 100644
--- a/.github/workflows/repo-sentinel.yml
+++ b/.github/workflows/repo-sentinel.yml
@@ -17,9 +17,14 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Set up Python
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
+ with:
+ python-version: "3.14"
+
 - name: Install repo-sentinel-lite
 run: |
- python3 -m venv "$RUNNER_TEMP/repo-sentinel-venv"
+ python -m venv "$RUNNER_TEMP/repo-sentinel-venv"
 "$RUNNER_TEMP/repo-sentinel-venv/bin/python" -m pip install --upgrade pip
 "$RUNNER_TEMP/repo-sentinel-venv/bin/python" -m pip install repo-sentinel-lite
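Review bot: The header comment says content scanning is disabled but not what the gate still enforces or where secret/content scanning happens instead, so a reader of `.reposentinel.toml` may assume credentials leaked into a fixture log would still be caught by this job. I'd add a line after the fourth comment line such as `# Secret/content scanning is done by <TODO: name the workflow or tool>; this gate only checks required files and sensitive filenames.` The meaning of `max_text_file_size = 0` (disable the text-content check versus a literal zero-byte limit) is defined by repo-sentinel-lite and not visible here, so it is worth confirming against the tool's documentation and stating in the comment, since `entropy_threshold = 999.0` is likewise a sentinel that relies on the tool never producing a score that high.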