feat: Add Docker image for capiscio/guard sidecar

.github/workflows/docker.yml

@@ -0,0 +1,97 @@
+name: Docker
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to build (e.g., v2.3.0)'
+        required: true
+        type: string
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: capiscio/guard
+
+jobs:
+  build-and-push:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="${{ inputs.tag }}"
+          else
+            VERSION="${GITHUB_REF#refs/tags/}"
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "version_short=${VERSION#v}" >> $GITHUB_OUTPUT
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}},value=${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}},value=${{ steps.version.outputs.version }}
+            type=raw,value=latest,enable=${{ github.event_name == 'push' }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.version.outputs.version }}
+            COMMIT=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Update Docker Hub description
+        uses: peter-evans/dockerhub-description@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: ${{ env.IMAGE_NAME }}
+          short-description: "Security Sidecar for AI Agents - Universal Authority Layer"
+          readme-filepath: ./README.md
+
+  # Verify the image works
+  verify:
+    name: Verify Image
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Pull and test image
+        run: |
+          docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-and-push.outputs.version || 'latest' }}
+          docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-and-push.outputs.version || 'latest' }} --version

CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.4.0] - 2026-01-18
+
+### Added
+- **Docker Image**: Official `capiscio/guard` Docker image for sidecar deployment (~15MB, distroless)
+- **GitHub Actions**: Automated Docker build/push workflow for multi-arch (amd64/arm64)
+- **MCP Service**: Server identity operations via MCP protocol
+
+### Changed
+- Updated badge command and proto definitions
+
 ## [2.3.1] - 2025-01-14
 
 ### Fixed

Dockerfile

@@ -0,0 +1,75 @@
+# syntax=docker/dockerfile:1
+
+# ============================================================================
+# CapiscIO Guard - Security Sidecar for AI Agents
+# ============================================================================
+# Multi-stage build for a minimal, secure container image.
+#
+# Usage:
+#   docker pull capiscio/guard
+#   docker run -p 8080:8080 capiscio/guard \
+#     gateway start --port 8080 --target http://your-agent:3000 --registry-url https://registry.capisc.io
+#
+# Build locally:
+#   docker build -t capiscio/guard .
+#   docker build --build-arg VERSION=v2.3.0 -t capiscio/guard:v2.3.0 .
+# ============================================================================
+
+# -----------------------------------------------------------------------------
+# Stage 1: Build
+# -----------------------------------------------------------------------------
+FROM golang:1.24-alpine AS builder
+
+# Build arguments
+ARG VERSION=dev
+ARG COMMIT=unknown
+
+# Install build dependencies
+RUN apk add --no-cache git ca-certificates
+
+WORKDIR /src
+
+# Cache dependencies
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source
+COPY . .
+
+# Build static binary with version info
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+    -ldflags="-w -s -X main.version=${VERSION} -X main.commit=${COMMIT}" \
+    -o /capiscio \
+    ./cmd/capiscio
+
+# -----------------------------------------------------------------------------
+# Stage 2: Runtime (distroless for security)
+# -----------------------------------------------------------------------------
+FROM gcr.io/distroless/static-debian12:nonroot
+
+# Labels for container registry
+LABEL org.opencontainers.image.title="CapiscIO Guard"
+LABEL org.opencontainers.image.description="Security Sidecar for AI Agents - Universal Authority Layer"
+LABEL org.opencontainers.image.url="https://capisc.io"
+LABEL org.opencontainers.image.source="https://github.com/capiscio/capiscio-core"
+LABEL org.opencontainers.image.vendor="CapiscIO"
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+
+# Copy binary from builder
+COPY --from=builder /capiscio /capiscio
+
+# Expose default gateway port
+EXPOSE 8080
+
+# Health check - verify binary is runnable
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD ["/capiscio", "--version"]
+
+# Run as non-root user (distroless nonroot = uid 65532)
+USER nonroot:nonroot
+
+# Default entrypoint
+ENTRYPOINT ["/capiscio"]
+
+# Default command (show help)
+CMD ["--help"]

Makefile

@@ -1,7 +1,38 @@
-.PHONY: all build-cli build-python test clean proto docs
+.PHONY: all build-cli build-python test clean proto docs docker docker-build docker-run
 
 all: build-cli build-python
 
+# =============================================================================
+# Docker targets for capiscio/guard
+# =============================================================================
+VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
+COMMIT  ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+DOCKER_IMAGE := capiscio/guard
+
+docker: docker-build  ## Build Docker image (alias)
+
+docker-build:  ## Build Docker image locally
+	@echo "Building Docker image $(DOCKER_IMAGE):$(VERSION)..."
+	docker build \
+		--build-arg VERSION=$(VERSION) \
+		--build-arg COMMIT=$(COMMIT) \
+		-t $(DOCKER_IMAGE):$(VERSION) \
+		-t $(DOCKER_IMAGE):latest \
+		.
+
+docker-run:  ## Run Docker image locally (example)
+	@echo "Running $(DOCKER_IMAGE):latest..."
+	@echo "Usage: make docker-run TARGET=http://localhost:3000"
+	docker run --rm -p 8080:8080 $(DOCKER_IMAGE):latest \
+		gateway start --port 8080 --target $(TARGET) --registry-url https://registry.capisc.io
+
+docker-push:  ## Push Docker image to registry (requires docker login)
+	docker push $(DOCKER_IMAGE):$(VERSION)
+	docker push $(DOCKER_IMAGE):latest
+
+# =============================================================================
+# Build targets
+# =============================================================================
 proto:
 	@echo "Generating protobuf files..."
 	cd proto && buf generate

README.md

@@ -121,6 +121,69 @@ curl -H "X-Capiscio-Badge: $(cat badge.jwt)" http://localhost:8080/api/v1/agent
 curl http://localhost:8080/api/v1/agent
 ```
 
+## 🐳 Docker
+
+The **CapiscIO Guard** is available as a Docker image for easy deployment:
+
+```bash
+docker pull capiscio/guard
+```
+
+### Quick Start with Docker
+
+```bash
+# Run the gateway in front of your agent
+docker run -p 8080:8080 capiscio/guard \
+  gateway start \
+  --port 8080 \
+  --target http://host.docker.internal:3000 \
+  --registry-url https://registry.capisc.io
+```
+
+### Docker Compose
+
+```yaml
+version: '3.8'
+services:
+  guard:
+    image: capiscio/guard:latest
+    ports:
+      - "8080:8080"
+    command:
+      - gateway
+      - start
+      - --port=8080
+      - --target=http://agent:3000
+      - --registry-url=https://registry.capisc.io
+    depends_on:
+      - agent
+
+  agent:
+    image: your-agent:latest
+    # Your agent runs on internal port 3000
+```
+
+### Available Tags
+
+| Tag | Description |
+|-----|-------------|
+| `latest` | Latest stable release |
+| `vX.Y.Z` | Specific version (e.g., `v2.3.0`) |
+| `vX.Y` | Latest patch for minor version |
+| `vX` | Latest for major version |
+
+### Building Locally
+
+```bash
+# Clone and build
+git clone https://github.com/capiscio/capiscio-core.git
+cd capiscio-core
+make docker-build
+
+# Test locally
+make docker-run TARGET=http://localhost:3000
+```
+
 ### 7. gRPC Server (SDK Integration)
 
 The gRPC server provides programmatic access to all CapiscIO functionality for SDKs in Python, Node.js, and other languages. The SDKs automatically manage the gRPC server process.

cmd/capiscio/badge.go

@@ -88,12 +88,12 @@ var issueCmd = &cobra.Command{
 	Short: "Issue a new Trust Badge",
 	Long: `Issue a new Trust Badge.
 
-Trust Levels:
-  0 - Self-signed (did:key, iss == sub) - implied by --self-sign
-  1 - Domain Validated (DV) - requires registry CA
-  2 - Organization Validated (OV) - requires registry CA  
-  3 - Extended Validated (EV) - requires registry CA
-  4 - Community Vouched (CV) - requires registry CA
+Trust Levels (RFC-002 §5):
+  0 - Self-Signed (SS) - did:key, iss == sub - implied by --self-sign
+  1 - Registered (REG) - account registration with CA
+  2 - Domain Validated (DV) - DNS/HTTP domain ownership proof
+  3 - Organization Validated (OV) - legal entity verification
+  4 - Extended Validated (EV) - manual review + security audit
 
 Examples:
   # Self-signed badge (level 0 implied)
@@ -1283,7 +1283,7 @@ func init() {
 	issueCmd.Flags().StringVar(&issueIssuer, "iss", "did:web:registry.capisc.io", "Issuer DID (auto-set to did:key for level 0)")
 	issueCmd.Flags().StringVar(&issueDomain, "domain", "example.com", "Agent Domain")
 	issueCmd.Flags().DurationVar(&issueExpiry, "exp", 5*time.Minute, "Expiration duration (default 5m per RFC-002)")
-	issueCmd.Flags().StringVar(&issueLevel, "level", "1", "Trust level (0=self-signed, 1=DV, 2=OV, 3=EV, 4=CV)")
+	issueCmd.Flags().StringVar(&issueLevel, "level", "1", "Trust level (0=SS, 1=REG, 2=DV, 3=OV, 4=EV per RFC-002)")
 	issueCmd.Flags().StringVar(&issueAudience, "aud", "", "Audience (comma-separated URLs)")
 	issueCmd.Flags().BoolVar(&issueSelfSign, "self-sign", false, "Issue self-signed badge (implies level 0)")
 	issueCmd.Flags().StringVar(&keyFile, "key", "", "Path to private key file (optional, auto-generates if not provided)")
@@ -1292,7 +1292,7 @@ func init() {
 	keepCmd.Flags().StringVar(&keepAgentID, "agent-id", "", "Agent ID (UUID) to request badges for")
 	keepCmd.Flags().StringVar(&issueDomain, "domain", "", "Agent domain (optional, uses agent's registered domain)")
 	keepCmd.Flags().DurationVar(&issueExpiry, "exp", 5*time.Minute, "Badge expiration duration")
-	keepCmd.Flags().StringVar(&issueLevel, "level", "1", "Trust level (1=DV, 2=OV, 3=EV, 4=CV)")
+	keepCmd.Flags().StringVar(&issueLevel, "level", "1", "Trust level (1=REG, 2=DV, 3=OV, 4=EV per RFC-002)")
 	keepCmd.Flags().StringVar(&keyFile, "key", "", "Path to private key file (required for --self-sign)")
 	keepCmd.Flags().StringVar(&keepOutFile, "out", "badge.jwt", "Output file path for badge")
 	keepCmd.Flags().DurationVar(&keepRenewBefore, "renew-before", 1*time.Minute, "Time before expiry to renew")

cmd/capiscio/main.go

@@ -8,7 +8,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var version = "2.3.1"
+var version = "2.4.0"
 
 var rootCmd = &cobra.Command{
 	Use:   "capiscio",

proto/capiscio/v1/badge.proto

@@ -41,14 +41,16 @@ service BadgeService {
   rpc StartKeeper(StartKeeperRequest) returns (stream KeeperEvent);
 }
 
-// Trust level for badges (RFC-002 v1.1)
+// Trust level for badges (RFC-002 §5)
+// NOTE: Proto enum ordinals (1-5) map to RFC-002 level strings ("0"-"4")
+// The badge JWT `vc.credentialSubject.level` uses the RFC string values
 enum TrustLevel {
   TRUST_LEVEL_UNSPECIFIED = 0;
-  TRUST_LEVEL_SELF_SIGNED = 1;  // Self-signed (Level 0, did:key)
-  TRUST_LEVEL_DV = 2;           // Domain Validated (Level 1)
-  TRUST_LEVEL_OV = 3;           // Organization Validated (Level 2)
-  TRUST_LEVEL_EV = 4;           // Extended Validated (Level 3)
-  TRUST_LEVEL_CV = 5;           // Community Vouched (Level 4)
+  TRUST_LEVEL_SELF_SIGNED = 1;  // RFC-002 Level "0": Self-Signed (SS) - did:key, iss == sub
+  TRUST_LEVEL_DV = 2;           // RFC-002 Level "1": Registered (REG) - account registration
+  TRUST_LEVEL_OV = 3;           // RFC-002 Level "2": Domain Validated (DV) - DNS/HTTP proof
+  TRUST_LEVEL_EV = 4;           // RFC-002 Level "3": Organization Validated (OV) - legal entity
+  TRUST_LEVEL_CV = 5;           // RFC-002 Level "4": Extended Validated (EV) - security audit
 }
 
 // Badge claims structure