feat: QP Conduit v0.1.0

Internal infrastructure layer for on-premises AI deployments.
Tunnel gets you in. Conduit connects everything inside.

Eight commands for DNS resolution, internal TLS, service routing,
and hardware monitoring. Structured JSON audit logging with
optional Capsule Protocol sealing.

Author: bradleygauthier

.editorconfig

@@ -0,0 +1,42 @@
+# QP Conduit - EditorConfig
+# https://editorconfig.org
+
+root = true
+
+# Default for all files
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+# Shell scripts
+[*.sh]
+indent_size = 2
+
+# Makefile (requires tabs)
+[Makefile]
+indent_style = tab
+
+# YAML
+[*.{yaml,yml}]
+indent_size = 2
+
+# JSON
+[*.json]
+indent_size = 2
+
+# Markdown
+[*.md]
+trim_trailing_whitespace = false
+indent_size = 2
+
+# Caddyfile
+[Caddyfile]
+indent_style = tab
+
+# dnsmasq configuration
+[*.conf]
+indent_size = 2

.env.conduit.example

@@ -0,0 +1,41 @@
+# QP Conduit Configuration
+# Copy to .env.conduit and customize as needed.
+#
+# Copyright 2026 Quantum Pipes Technologies, LLC
+# SPDX-License-Identifier: Apache-2.0
+
+# Application name (used in paths and logs)
+# CONDUIT_APP_NAME=qp-conduit
+
+# Base domain for service DNS entries (e.g., hub.qp.local)
+# CONDUIT_DOMAIN=qp.local
+
+# Configuration directory
+# CONDUIT_CONFIG_DIR=$HOME/.config/qp-conduit
+
+# DNS (dnsmasq) listen port
+# CONDUIT_DNS_PORT=53
+
+# HTTPS reverse proxy listen port (Caddy)
+# CONDUIT_PROXY_PORT=443
+
+# Caddy admin API port
+# CONDUIT_ADMIN_PORT=2019
+
+# Upstream DNS server for non-Conduit queries
+# CONDUIT_UPSTREAM_DNS=1.1.1.1
+
+# Caddy data directory (stores certificates, OCSP, etc.)
+# CONDUIT_CADDY_DATA=$CONDUIT_CONFIG_DIR/caddy-data
+
+# Caddy config directory
+# CONDUIT_CADDY_CONFIG=$CONDUIT_CONFIG_DIR/caddy-config
+
+# Path to generated Caddyfile
+# CONDUIT_CADDYFILE=$CONDUIT_CONFIG_DIR/Caddyfile
+
+# Path to generated dnsmasq config
+# CONDUIT_DNSMASQ_CONF=$CONDUIT_CONFIG_DIR/dnsmasq.conf
+
+# TLS certificates directory
+# CONDUIT_CERTS_DIR=$CONDUIT_CONFIG_DIR/certs

.github/CODEOWNERS

@@ -0,0 +1,20 @@
+# QP Conduit - Code Owners
+# These owners will be requested for review when someone opens a pull request.
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default owner for everything
+* @quantumpipes/maintainers
+
+# Core library (security-critical)
+/lib/ @quantumpipes/maintainers
+
+# Audit and cryptographic operations
+/lib/audit.sh @quantumpipes/maintainers
+
+# Security and legal
+/SECURITY.md @quantumpipes/maintainers
+/PATENTS.md @quantumpipes/maintainers
+/LICENSE @quantumpipes/maintainers
+
+# CI/CD
+/.github/workflows/ @quantumpipes/maintainers

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,57 @@
+---
+name: Bug Report
+about: Report a bug to help us improve QP Conduit
+title: '[BUG] '
+labels: bug
+assignees: ''
+---
+
+## Description
+
+A clear and concise description of the bug.
+
+## Steps to Reproduce
+
+1. Run `make conduit-setup`
+2. Run `make conduit-register NAME=myservice`
+3. See error
+
+## Expected Behavior
+
+What you expected to happen.
+
+## Actual Behavior
+
+What actually happened.
+
+## Environment
+
+- **OS**: [e.g., Ubuntu 24.04, Debian 12, Alpine 3.20]
+- **Bash version**: [e.g., 5.2.21]
+- **jq version**: [e.g., 1.7.1]
+- **QP Conduit version**: [from VERSION file]
+
+## Logs
+
+```
+Paste relevant logs here (redact any private keys or API tokens)
+```
+
+## Audit Trail (if applicable)
+
+If this bug involves an audit operation, include the relevant audit log entry:
+
+```json
+Paste audit log entry here
+```
+
+## Additional Context
+
+Add any other context about the problem here.
+
+## Checklist
+
+- [ ] I have searched existing issues to ensure this is not a duplicate
+- [ ] I have included all relevant information above
+- [ ] I can reproduce this issue consistently
+- [ ] I have redacted all sensitive information (keys, tokens)

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Documentation
+    url: https://github.com/quantumpipes/conduit/tree/main/docs
+    about: Check the documentation before opening an issue
+  - name: Security Vulnerability
+    url: https://github.com/quantumpipes/conduit/security/advisories/new
+    about: Report security vulnerabilities privately

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,48 @@
+---
+name: Feature Request
+about: Suggest an idea for QP Conduit
+title: '[FEATURE] '
+labels: enhancement
+assignees: ''
+---
+
+## Problem Statement
+
+A clear and concise description of the problem or limitation you're experiencing.
+
+Example: "I want to be able to [...] but currently [...]"
+
+## Proposed Solution
+
+A clear and concise description of what you want to happen.
+
+## Alternatives Considered
+
+A clear and concise description of any alternative solutions or features you've considered.
+
+## Security Impact
+
+Does this feature affect security in any way?
+
+- [ ] This feature maintains the existing security model
+- [ ] This feature does not expose private keys or audit data
+- [ ] This feature respects input validation requirements
+
+## Use Case
+
+Describe your use case and how this feature would help.
+
+```bash
+# Example showing how you'd use this feature
+make conduit-new-feature NAME=example
+```
+
+## Additional Context
+
+Add any other context, diagrams, or examples about the feature request here.
+
+## Checklist
+
+- [ ] I have searched existing issues to ensure this is not a duplicate
+- [ ] I have considered the security implications
+- [ ] I am willing to help implement this feature (optional)

.github/ISSUE_TEMPLATE/service-type-request.md

@@ -0,0 +1,49 @@
+---
+name: Service Type Request
+about: Request support for a new service type or monitoring backend
+title: "[Service Type] "
+labels: enhancement, service-type
+assignees: ''
+---
+
+## Service Type Name
+
+Name of the service type or monitoring backend (e.g., Prometheus, Grafana, StatsD, custom health checker).
+
+## Service Category
+
+- [ ] Monitoring backend (metrics collection and alerting)
+- [ ] Health check provider (service availability verification)
+- [ ] Log aggregator (centralized log collection)
+- [ ] Container orchestrator (Docker/Podman/Kubernetes integration)
+- [ ] Other (describe below)
+
+## Why This Service Type Matters
+
+Explain the use case. Who benefits from this service type and why?
+
+## API Documentation
+
+Links to the service's API docs, CLI reference, or integration guides.
+
+## Are You Willing to Implement It?
+
+- [ ] Yes, I can submit a PR
+- [ ] I can help test but not implement
+- [ ] No, just requesting
+
+## Security Considerations
+
+- Does the service type require storing API keys or credentials?
+- Does it introduce any external network dependencies?
+- How does it handle authentication and key rotation?
+
+## Additional Context
+
+Any other context, diagrams, or examples about the service type request.
+
+## Checklist
+
+- [ ] I have searched existing issues to ensure this is not a duplicate
+- [ ] I have verified the service type has public documentation
+- [ ] I have considered the security implications

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,59 @@
+## Description
+
+Brief description of the changes in this PR.
+
+## Type of Change
+
+- [ ] Bug fix (non-breaking change that fixes an issue)
+- [ ] New feature (non-breaking change that adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] Documentation update
+- [ ] Refactoring (no functional changes)
+- [ ] Test addition or update
+
+## Related Issue
+
+Fixes #(issue number)
+
+## Changes Made
+
+- Change 1
+- Change 2
+- Change 3
+
+## How Has This Been Tested?
+
+Describe the tests you ran to verify your changes.
+
+```bash
+# Commands used to test
+make test
+make test-smoke
+```
+
+- [ ] Unit tests pass (`make test-unit`)
+- [ ] Integration tests pass (`make test-integration`)
+- [ ] Smoke tests pass (`make test-smoke`)
+- [ ] ShellCheck passes with no warnings
+
+## Security Considerations
+
+- [ ] No private keys are logged, leaked, or improperly permissioned
+- [ ] All inputs are validated against `[a-zA-Z0-9_-]`
+- [ ] No use of `eval`
+- [ ] Audit log is written for all state-changing operations
+- [ ] New files use `umask 077` for key material
+
+## Documentation
+
+- [ ] I have updated the README if adding commands or configuration
+- [ ] I have updated CRYPTO-NOTICE.md if changing cryptographic behavior
+- [ ] I have updated the CHANGELOG.md (if applicable)
+
+## Checklist
+
+- [ ] My code follows the project's style guidelines (`set -euo pipefail`, local vars, quoted expansions)
+- [ ] I have performed a self-review of my code
+- [ ] My changes generate no new ShellCheck warnings
+- [ ] I have added tests that prove my fix/feature works
+- [ ] New and existing tests pass locally with my changes

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "ci"