chore: fix GitHub repo config — CI, dependabot, templates, changelog

CI:
- Standardize Go version to 1.24 across all jobs (waf was 1.22)
- npm audit now fails on critical vulns (was silently passing with || true)
- Update waf-go/go.mod from go 1.21 to go 1.24

Dependabot:
- Remove dead pip entries for /backend and /waf (Python paths don't exist)
- Add /backend-go gomod tracking (was missing entirely)

Workflows:
- Remove defunct feat/fastapi-migration branch from docs.yml triggers

GitHub templates:
- Add bug report issue template (version, logs, deployment method)
- Add feature request issue template (area selector)
- Add PR template with test checklist
- Add CODEOWNERS (@fabriziosalmi for all files)

Changelog:
- Add v3.3.0 (performance) and v3.3.1 (caching overhaul) entries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: fabriziosalmi

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default owner for everything
+* @fabriziosalmi

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,45 @@
+name: Bug Report
+description: Report a bug or unexpected behavior
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What happened? What did you expect instead?
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: Minimal steps to trigger the issue
+      placeholder: |
+        1. Go to Settings
+        2. Enable aggressive caching
+        3. Click "Reload Config"
+        4. See error in logs
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: Paste backend/proxy/browser console output
+      render: shell
+
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: Output of the sidebar version badge (e.g. 3.3.1 go)
+      placeholder: "3.3.1"
+
+  - type: dropdown
+    id: deployment
+    attributes:
+      label: Deployment method
+      options:
+        - Docker Compose (default)
+        - Manual / bare metal
+        - Other

.github/ISSUE_TEMPLATE/feature.yml

@@ -0,0 +1,32 @@
+name: Feature Request
+description: Suggest a new feature or improvement
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem or use case
+      description: What are you trying to do? Why is the current behavior insufficient?
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: How should it work? Include config examples, UI mockups, or API shapes if relevant.
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - Dashboard / UI
+        - Proxy (Squid)
+        - WAF
+        - DNS (dnsmasq)
+        - Backend API
+        - Settings / Configuration
+        - CI / Deployment
+        - Documentation
+        - Other

.github/dependabot.yml

@@ -9,21 +9,12 @@ updates:
         patterns:
           - "*"
 
-  - package-ecosystem: "pip"
-    directory: "/backend"
-    schedule:
-      interval: "weekly"
-    groups:
-      backend-dependencies:
-        patterns:
-          - "*"
-
-  - package-ecosystem: "pip"
-    directory: "/waf"
+  - package-ecosystem: "gomod"
+    directory: "/backend-go"
     schedule:
       interval: "weekly"
     groups:
-      waf-dependencies:
+      backend-go-dependencies:
         patterns:
           - "*"
 

.github/pull_request_template.md

@@ -0,0 +1,19 @@
+## Summary
+
+<!-- What does this PR do? Why? -->
+
+## Changes
+
+- 
+
+## Test plan
+
+- [ ] `go test ./...` passes (backend-go)
+- [ ] `go test ./...` passes (waf-go)
+- [ ] `npm run build && npm test` passes (ui)
+- [ ] `docker compose build` succeeds
+- [ ] Manual smoke test on local stack
+
+## Related issues
+
+<!-- Closes #123 -->

.github/workflows/ci.yml

@@ -49,7 +49,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.24'
           cache-dependency-path: waf-go/go.sum
       - run: go build -v ./...
         working-directory: waf-go
@@ -82,7 +82,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.24'
           cache-dependency-path: waf-go/go.sum
       - run: go test -v -race -count=1 ./...
         working-directory: waf-go
@@ -113,7 +113,7 @@ jobs:
         working-directory: ui
         run: |
           npm ci
-          npm audit --audit-level=high || true
+          npm audit --audit-level=critical
 
   # ── 7. Docker build verification ──────────────────────────────────────
   docker-build:

.github/workflows/docs.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - feat/fastapi-migration
     paths:
       - 'docs/**'
       - '.github/workflows/docs.yml'

CHANGELOG.md

@@ -5,6 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.3.1] - 2026-04-08
+
+### Fixed
+
+- **Real cache statistics**: `GET /api/cache/statistics` now queries live Squid metrics via `squidclient mgr:info` (Docker exec) instead of returning hardcoded zeros
+- **Cache clear works**: `POST /api/maintenance/clear-cache` uses `squid -k purge` via Docker exec instead of posting to a non-existent HTTP endpoint
+- **Config generation no longer overridden**: `custom_squid.conf` auto-migrated to `custom_squid_extra.conf` (append-only); all cache/memory/performance settings from the UI are now applied
+- **`aggressive_caching_enabled` toggle functional**: writes override-expire refresh patterns for static assets, packages, media files
+- **`cache_bypass_domains` functional**: comma-separated domain list in Settings generates Squid ACL + `cache deny` rules
+- **`enable_offline_mode` functional**: enables `offline_mode on` + aggressive stale serving
+- **Duplicate refresh patterns removed**: single consistent set in generated squid.conf
+- **Added `cachemgr_passwd`** directive so squidclient can access cache manager stats
+
+### Added
+
+- `ExecContainer` method in Docker client (full Docker API exec flow with stream mux header stripping)
+- Settings handler writes toggle files + `cache_bypass_domains.txt` for Squid
+
+## [3.3.0] - 2026-04-08
+
+### Performance
+
+- **SQLite WAL mode fix**: `modernc.org/sqlite` driver now correctly activates WAL mode (`_pragma=` syntax), eliminating `database is locked` errors
+- **WebSocket/CORS origin fix**: IP-based access now works for WebSocket and CORS headers
+- **DashboardSummary optimized**: 8 separate COUNT queries consolidated into single aggregate query
+- **Bubble sort replaced**: `sort.Slice` in ShadowIT handler (O(n^2) to O(n log n))
+- **CIDR networks pre-compiled**: rate limiter no longer parses 4 CIDR strings per request
+- **Log tailer buffered**: `bufio.Scanner` replaces `io.ReadAll`, preventing unbounded memory usage
+- **GDPR setting cached**: 30s TTL cache eliminates per-row database query
+- **HTTP client pooling**: WAF/proxy clients reused instead of allocated per request
+- **readAll optimized**: `bytes.Buffer` for efficient memory allocation
+- **Import timestamp pre-formatted**: single format call instead of per-entry
+
+### Frontend
+
+- Reduced API polling: Dashboard 10s to 30s, ThreatIntel 15s to 30s, staleTime 10s to 60s
+- Sidebar health check skips when tab is hidden, interval 15s to 30s
+
 ## [3.2.2] - 2026-04-07
 
 ### Added

waf-go/go.mod

@@ -1,5 +1,5 @@
 module secure-proxy-waf
 
-go 1.21
+go 1.24
 
 require github.com/go-icap/icap v0.0.0-20151011115316-ca4fad4ebb28