feat: check source formatting in CI

.github/workflows/ci.yml

@@ -34,6 +34,9 @@ jobs:
     - name: Download and verify dependencies
       run: make deps
 
+    - name: Check formatting
+      run: make fmt-check
+
     - name: Install golangci-lint
       run: |
         # binary will be $(go env GOPATH)/bin/golangci-lint

Makefile

@@ -145,6 +145,18 @@ fmt:
 	go fmt ./...
 	@echo "✓ Code formatted!"
 
+# Check formatting (for CI)
+.PHONY: fmt-check
+fmt-check:
+	@echo "Checking code formatting..."
+	@if [ -n "$$(gofmt -l .)" ]; then \
+		echo "The following files are not formatted:"; \
+		gofmt -l .; \
+		echo "Run 'make fmt' to fix formatting."; \
+		exit 1; \
+	fi
+	@echo "✓ All code is properly formatted!"
+
 # Lint code
 .PHONY: lint
 lint:

config/config.go

@@ -56,33 +56,33 @@ func (a AllowStringsArray) Value() []string {
 }
 
 type CliConfig struct {
-	Config                           serpent.YAMLConfigPath `yaml:"-"`
-	AllowListStrings                 serpent.StringArray    `yaml:"allowlist"` // From config file
-	AllowStrings                     AllowStringsArray      `yaml:"-"`         // From CLI flags only
-	LogLevel                         serpent.String         `yaml:"log_level"`
-	LogDir                           serpent.String         `yaml:"log_dir"`
-	ProxyPort                        serpent.Int64          `yaml:"proxy_port"`
-	PprofEnabled                     serpent.Bool           `yaml:"pprof_enabled"`
-	PprofPort                        serpent.Int64          `yaml:"pprof_port"`
-	JailType                         serpent.String         `yaml:"jail_type"`
-	UseRealDNS                       serpent.Bool           `yaml:"use_real_dns"`
-	DisableAuditLogs                 serpent.Bool           `yaml:"disable_audit_logs"`
-	LogProxySocketPath               serpent.String         `yaml:"log_proxy_socket_path"`
+	Config             serpent.YAMLConfigPath `yaml:"-"`
+	AllowListStrings   serpent.StringArray    `yaml:"allowlist"` // From config file
+	AllowStrings       AllowStringsArray      `yaml:"-"`         // From CLI flags only
+	LogLevel           serpent.String         `yaml:"log_level"`
+	LogDir             serpent.String         `yaml:"log_dir"`
+	ProxyPort          serpent.Int64          `yaml:"proxy_port"`
+	PprofEnabled       serpent.Bool           `yaml:"pprof_enabled"`
+	PprofPort          serpent.Int64          `yaml:"pprof_port"`
+	JailType           serpent.String         `yaml:"jail_type"`
+	UseRealDNS         serpent.Bool           `yaml:"use_real_dns"`
+	DisableAuditLogs   serpent.Bool           `yaml:"disable_audit_logs"`
+	LogProxySocketPath serpent.String         `yaml:"log_proxy_socket_path"`
 }
 
 type AppConfig struct {
-	AllowRules                       []string
-	LogLevel                         string
-	LogDir                           string
-	ProxyPort                        int64
-	PprofEnabled                     bool
-	PprofPort                        int64
-	JailType                         JailType
-	UseRealDNS                       bool
-	TargetCMD                        []string
-	UserInfo                         *UserInfo
-	DisableAuditLogs                 bool
-	LogProxySocketPath               string
+	AllowRules         []string
+	LogLevel           string
+	LogDir             string
+	ProxyPort          int64
+	PprofEnabled       bool
+	PprofPort          int64
+	JailType           JailType
+	UseRealDNS         bool
+	TargetCMD          []string
+	UserInfo           *UserInfo
+	DisableAuditLogs   bool
+	LogProxySocketPath string
 }
 
 func NewAppConfigFromCliConfig(cfg CliConfig, targetCMD []string) (AppConfig, error) {
@@ -101,17 +101,17 @@ func NewAppConfigFromCliConfig(cfg CliConfig, targetCMD []string) (AppConfig, er
 	userInfo := GetUserInfo()
 
 	return AppConfig{
-		AllowRules:                       allAllowStrings,
-		LogLevel:                         cfg.LogLevel.Value(),
-		LogDir:                           cfg.LogDir.Value(),
-		ProxyPort:                        cfg.ProxyPort.Value(),
-		PprofEnabled:                     cfg.PprofEnabled.Value(),
-		PprofPort:                        cfg.PprofPort.Value(),
-		JailType:                         jailType,
-		UseRealDNS:                       cfg.UseRealDNS.Value(),
-		TargetCMD:                        targetCMD,
-		UserInfo:                         userInfo,
-		DisableAuditLogs:                 cfg.DisableAuditLogs.Value(),
-		LogProxySocketPath:               cfg.LogProxySocketPath.Value(),
+		AllowRules:         allAllowStrings,
+		LogLevel:           cfg.LogLevel.Value(),
+		LogDir:             cfg.LogDir.Value(),
+		ProxyPort:          cfg.ProxyPort.Value(),
+		PprofEnabled:       cfg.PprofEnabled.Value(),
+		PprofPort:          cfg.PprofPort.Value(),
+		JailType:           jailType,
+		UseRealDNS:         cfg.UseRealDNS.Value(),
+		TargetCMD:          targetCMD,
+		UserInfo:           userInfo,
+		DisableAuditLogs:   cfg.DisableAuditLogs.Value(),
+		LogProxySocketPath: cfg.LogProxySocketPath.Value(),
 	}, nil
 }

nsjail_manager/nsjail/jail.go

@@ -28,9 +28,9 @@ type Config struct {
 
 // LinuxJail implements Jailer using Linux network namespaces
 type LinuxJail struct {
-	logger                           *slog.Logger
-	vethHostName                     string // Host-side veth interface name for iptables rules
-	vethJailName                     string // Jail-side veth interface name for iptables rules
+	logger        *slog.Logger
+	vethHostName  string // Host-side veth interface name for iptables rules
+	vethJailName  string // Jail-side veth interface name for iptables rules
 	httpProxyPort int
 	configDir     string
 	caCertPath    string
@@ -43,7 +43,7 @@ func NewLinuxJail(config Config) (*LinuxJail, error) {
 		httpProxyPort: config.HttpProxyPort,
 		configDir:     config.ConfigDir,
 		caCertPath:    config.CACertPath,
-		useRealDNS:   config.UseRealDNS,
+		useRealDNS:    config.UseRealDNS,
 	}, nil
 }
 

privilege/privilege_linux.go

@@ -95,4 +95,3 @@ func reExecWithPrivileges() error {
 	// Execute and replace current process
 	return syscall.Exec(cmd.Path, cmd.Args, cmd.Env)
 }
-

privilege/privilege_stub.go

@@ -11,4 +11,3 @@ import (
 func EnsurePrivileges() error {
 	return fmt.Errorf("boundary is only supported on Linux, current platform: %s", runtime.GOOS)
 }
-

proxy/connect.go

@@ -1,6 +1,6 @@
 // Package proxy implements HTTP CONNECT method for tunneling HTTPS traffic through a proxy.
 //
-// HTTP CONNECT Method Overview
+// # HTTP CONNECT Method Overview
 //
 // The HTTP CONNECT method is used to establish a tunnel through a proxy server.
 // This is essential for HTTPS proxying because HTTPS requires end-to-end encryption
@@ -19,15 +19,15 @@
 //     to establish a tunnel, then performs the TLS handshake and sends HTTPS
 //     requests through that tunnel.
 //
-// Non-Transparent Proxy
+// # Non-Transparent Proxy
 //
 // This proxy is "non-transparent" because:
 //   - Clients must be explicitly configured to use it (via HTTP_PROXY)
 //   - Clients send CONNECT requests for HTTPS traffic
 //   - The proxy terminates TLS, inspects requests, and re-encrypts to the destination
 //   - Each HTTP request inside the tunnel is processed separately with rule evaluation
 //
-// CONNECT Request Flow
+// # CONNECT Request Flow
 //
 // The following diagram illustrates how CONNECT works:
 //

proxy/proxy_framework_test.go

@@ -251,7 +251,7 @@ func (pt *ProxyTest) ExpectDeny(proxyURL, hostHeader string) {
 	defer resp.Body.Close() //nolint:errcheck
 
 	require.Equal(pt.t, http.StatusForbidden, resp.StatusCode, "Expected 403 Forbidden status")
-	
+
 	body, err := io.ReadAll(resp.Body)
 	require.NoError(pt.t, err, "Failed to read response body")
 

run/run_linux.go

@@ -22,4 +22,3 @@ func Run(ctx context.Context, logger *slog.Logger, cfg config.AppConfig) error {
 		return fmt.Errorf("unknown jail type: %s", cfg.JailType)
 	}
 }
-

run/run_stub.go

@@ -14,4 +14,3 @@ import (
 func Run(ctx context.Context, logger *slog.Logger, cfg config.AppConfig) error {
 	return fmt.Errorf("boundary is only supported on Linux, current platform: %s", runtime.GOOS)
 }
-