feat: add storage backend support and CI/CD workflows

.bandit

@@ -0,0 +1,4 @@
+skips:
+  - B105  # hardcoded_password_string - OAuth protocol constants
+  - B106  # hardcoded_password_funcarg - OAuth protocol constants  
+  - B104  # hardcoded_bind_all_interfaces - Intentional for containers

.github/workflows/lint.yml

@@ -0,0 +1,45 @@
+name: Lint
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.11"
+        cache: 'pip'
+
+    - name: Install linting dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install black>=23.0.0 ruff>=0.1.0
+
+    - name: Check code formatting with Black
+      run: |
+        black --check --diff src/ tests/ demo/
+
+    - name: Lint with Ruff
+      run: |
+        ruff check src/ tests/ demo/
+
+    - name: Check for security issues with Bandit
+      run: |
+        pip install bandit[toml]>=1.7.0
+        bandit -r src/ --configfile .bandit -f json -o bandit-report.json || true
+        bandit -r src/ --configfile .bandit
+
+    - name: Type checking with mypy (optional)
+      run: |
+        pip install mypy>=1.0.0 types-PyYAML types-requests
+        mypy src/ --ignore-missing-imports --no-strict-optional || true

.github/workflows/pr-release.yml

@@ -0,0 +1,118 @@
+name: PR Pre-release
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+  packages: write
+  id-token: write
+
+jobs:
+  pre-release:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.ref }}
+        token: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.11"
+        cache: 'pip'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install python-semantic-release
+
+    - name: Configure git
+      run: |
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+    - name: Generate RC version
+      id: version
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        # Get the current version
+        CURRENT_VERSION=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])")
+
+        # Generate RC version based on PR number
+        RC_VERSION="${CURRENT_VERSION}-rc.${{ github.event.pull_request.number }}"
+        echo "RC_VERSION=${RC_VERSION}" >> $GITHUB_OUTPUT
+
+        # Update version in files
+        sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${RC_VERSION}\"/" pyproject.toml
+        sed -i "s/__version__ = \"${CURRENT_VERSION}\"/__version__ = \"${RC_VERSION}\"/" src/__init__.py
+
+        # Create pre-release tag (delete if exists)
+        git add pyproject.toml src/__init__.py
+        git commit -m "chore: bump version to ${RC_VERSION} [skip ci]" || echo "No changes to commit"
+
+        # Delete existing tag if it exists (locally and remotely)
+        git tag -d "v${RC_VERSION}" 2>/dev/null || true
+        git push --delete origin "v${RC_VERSION}" 2>/dev/null || true
+
+        # Create new tag
+        git tag -a "v${RC_VERSION}" -m "Pre-release version ${RC_VERSION}"
+
+    - name: Push tag to trigger Docker build
+      run: |
+        git push origin "v${{ steps.version.outputs.RC_VERSION }}"
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        platforms: linux/amd64,linux/arm64
+        push: true
+        tags: ghcr.io/${{ github.repository_owner }}/mcp-oauth-gateway:v${{ steps.version.outputs.RC_VERSION }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+    - name: Create GitHub pre-release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh release create "v${{ steps.version.outputs.RC_VERSION }}" \
+          --title "Pre-release v${{ steps.version.outputs.RC_VERSION }}" \
+          --notes "Pre-release version for PR #${{ github.event.pull_request.number }}" \
+          --prerelease \
+          --target ${{ github.event.pull_request.head.sha }}
+
+    - name: Comment on PR
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const rcVersion = '${{ steps.version.outputs.RC_VERSION }}';
+          const comment = `🚀 **Pre-release version created: \`v${rcVersion}\`**
+
+          This pre-release version can be used for testing this PR.
+
+          **Docker image**: \`ghcr.io/${{ github.repository }}:v${rcVersion}\``;
+
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: comment
+          });

.github/workflows/release.yml

@@ -0,0 +1,86 @@
+name: Release
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.11"
+        cache: 'pip'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install python-semantic-release
+
+    - name: Configure git
+      run: |
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+    - name: Run semantic release
+      id: release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        semantic-release version
+        semantic-release publish
+
+        # Get the new version for Docker tagging
+        NEW_VERSION=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])")
+        echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_OUTPUT
+
+    - name: Set up Docker Buildx
+      if: steps.release.outputs.NEW_VERSION != ''
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to Container Registry
+      if: steps.release.outputs.NEW_VERSION != ''
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract Docker metadata
+      if: steps.release.outputs.NEW_VERSION != ''
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ghcr.io/${{ github.repository_owner }}/mcp-oauth-gateway
+        tags: |
+          type=semver,pattern={{version}},value=v${{ steps.release.outputs.NEW_VERSION }}
+          type=semver,pattern={{major}}.{{minor}},value=v${{ steps.release.outputs.NEW_VERSION }}
+          type=semver,pattern={{major}},value=v${{ steps.release.outputs.NEW_VERSION }}
+          type=raw,value=latest,enable={{is_default_branch}}
+
+    - name: Build and push Docker image
+      if: steps.release.outputs.NEW_VERSION != ''
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        platforms: linux/amd64,linux/arm64
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max

.github/workflows/test.yml

@@ -0,0 +1,39 @@
+name: Tests
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python-version }}
+        cache: 'pip'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements-dev.txt
+
+    - name: Run tests with coverage
+      run: |
+        python -m pytest -v --tb=short --cov=src --cov-report=xml --cov-report=term-missing
+
+    - name: Test CLI entry point
+      run: |
+        python -m src.gateway --help
+
+

.gitignore

@@ -341,6 +341,7 @@ data/
 !config/*.example.yaml
 !config/*.example.yml
 !config.example.yaml
+!.github/workflows/*.yml
 
 # =============================================================================
 # Project Specific
@@ -374,7 +375,6 @@ development/
 # =============================================================================
 
 # CI/CD specific files (keep templates)
-.github/workflows/*.yml
 !.github/workflows/*.example.yml
 
 # Coverage reports
@@ -398,3 +398,6 @@ perf.data.old
 .claude/
 
 .ruff_cache/
+
+# Docker compose
+!docker-compose.yml