feat: Production readiness improvements for WHOOSH council formation

Major security, observability, and configuration improvements:

## Security Hardening
- Implemented configurable CORS (no more wildcards)
- Added comprehensive auth middleware for admin endpoints
- Enhanced webhook HMAC validation
- Added input validation and rate limiting
- Security headers and CSP policies

## Configuration Management
- Made N8N webhook URL configurable (WHOOSH_N8N_BASE_URL)
- Replaced all hardcoded endpoints with environment variables
- Added feature flags for LLM vs heuristic composition
- Gitea fetch hardening with EAGER_FILTER and FULL_RESCAN options

## API Completeness
- Implemented GetCouncilComposition function
- Added GET /api/v1/councils/{id} endpoint
- Council artifacts API (POST/GET /api/v1/councils/{id}/artifacts)
- /admin/health/details endpoint with component status
- Database lookup for repository URLs (no hardcoded fallbacks)

## Observability & Performance
- Added OpenTelemetry distributed tracing with goal/pulse correlation
- Performance optimization database indexes
- Comprehensive health monitoring
- Enhanced logging and error handling

## Infrastructure
- Production-ready P2P discovery (replaces mock implementation)
- Removed unused Redis configuration
- Enhanced Docker Swarm integration
- Added migration files for performance indexes

## Code Quality
- Comprehensive input validation
- Graceful error handling and failsafe fallbacks
- Backwards compatibility maintained
- Following security best practices

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

vendor/golang.org/x/text/secure/bidirule/bidirule.go

@@ -0,0 +1,336 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package bidirule implements the Bidi Rule defined by RFC 5893.
+//
+// This package is under development. The API may change without notice and
+// without preserving backward compatibility.
+package bidirule
+
+import (
+	"errors"
+	"unicode/utf8"
+
+	"golang.org/x/text/transform"
+	"golang.org/x/text/unicode/bidi"
+)
+
+// This file contains an implementation of RFC 5893: Right-to-Left Scripts for
+// Internationalized Domain Names for Applications (IDNA)
+//
+// A label is an individual component of a domain name.  Labels are usually
+// shown separated by dots; for example, the domain name "www.example.com" is
+// composed of three labels: "www", "example", and "com".
+//
+// An RTL label is a label that contains at least one character of class R, AL,
+// or AN. An LTR label is any label that is not an RTL label.
+//
+// A "Bidi domain name" is a domain name that contains at least one RTL label.
+//
+//  The following guarantees can be made based on the above:
+//
+//  o  In a domain name consisting of only labels that satisfy the rule,
+//     the requirements of Section 3 are satisfied.  Note that even LTR
+//     labels and pure ASCII labels have to be tested.
+//
+//  o  In a domain name consisting of only LDH labels (as defined in the
+//     Definitions document [RFC5890]) and labels that satisfy the rule,
+//     the requirements of Section 3 are satisfied as long as a label
+//     that starts with an ASCII digit does not come after a
+//     right-to-left label.
+//
+//  No guarantee is given for other combinations.
+
+// ErrInvalid indicates a label is invalid according to the Bidi Rule.
+var ErrInvalid = errors.New("bidirule: failed Bidi Rule")
+
+type ruleState uint8
+
+const (
+	ruleInitial ruleState = iota
+	ruleLTR
+	ruleLTRFinal
+	ruleRTL
+	ruleRTLFinal
+	ruleInvalid
+)
+
+type ruleTransition struct {
+	next ruleState
+	mask uint16
+}
+
+var transitions = [...][2]ruleTransition{
+	// [2.1] The first character must be a character with Bidi property L, R, or
+	// AL. If it has the R or AL property, it is an RTL label; if it has the L
+	// property, it is an LTR label.
+	ruleInitial: {
+		{ruleLTRFinal, 1 << bidi.L},
+		{ruleRTLFinal, 1<<bidi.R | 1<<bidi.AL},
+	},
+	ruleRTL: {
+		// [2.3] In an RTL label, the end of the label must be a character with
+		// Bidi property R, AL, EN, or AN, followed by zero or more characters
+		// with Bidi property NSM.
+		{ruleRTLFinal, 1<<bidi.R | 1<<bidi.AL | 1<<bidi.EN | 1<<bidi.AN},
+
+		// [2.2] In an RTL label, only characters with the Bidi properties R,
+		// AL, AN, EN, ES, CS, ET, ON, BN, or NSM are allowed.
+		// We exclude the entries from [2.3]
+		{ruleRTL, 1<<bidi.ES | 1<<bidi.CS | 1<<bidi.ET | 1<<bidi.ON | 1<<bidi.BN | 1<<bidi.NSM},
+	},
+	ruleRTLFinal: {
+		// [2.3] In an RTL label, the end of the label must be a character with
+		// Bidi property R, AL, EN, or AN, followed by zero or more characters
+		// with Bidi property NSM.
+		{ruleRTLFinal, 1<<bidi.R | 1<<bidi.AL | 1<<bidi.EN | 1<<bidi.AN | 1<<bidi.NSM},
+
+		// [2.2] In an RTL label, only characters with the Bidi properties R,
+		// AL, AN, EN, ES, CS, ET, ON, BN, or NSM are allowed.
+		// We exclude the entries from [2.3] and NSM.
+		{ruleRTL, 1<<bidi.ES | 1<<bidi.CS | 1<<bidi.ET | 1<<bidi.ON | 1<<bidi.BN},
+	},
+	ruleLTR: {
+		// [2.6] In an LTR label, the end of the label must be a character with
+		// Bidi property L or EN, followed by zero or more characters with Bidi
+		// property NSM.
+		{ruleLTRFinal, 1<<bidi.L | 1<<bidi.EN},
+
+		// [2.5] In an LTR label, only characters with the Bidi properties L,
+		// EN, ES, CS, ET, ON, BN, or NSM are allowed.
+		// We exclude the entries from [2.6].
+		{ruleLTR, 1<<bidi.ES | 1<<bidi.CS | 1<<bidi.ET | 1<<bidi.ON | 1<<bidi.BN | 1<<bidi.NSM},
+	},
+	ruleLTRFinal: {
+		// [2.6] In an LTR label, the end of the label must be a character with
+		// Bidi property L or EN, followed by zero or more characters with Bidi
+		// property NSM.
+		{ruleLTRFinal, 1<<bidi.L | 1<<bidi.EN | 1<<bidi.NSM},
+
+		// [2.5] In an LTR label, only characters with the Bidi properties L,
+		// EN, ES, CS, ET, ON, BN, or NSM are allowed.
+		// We exclude the entries from [2.6].
+		{ruleLTR, 1<<bidi.ES | 1<<bidi.CS | 1<<bidi.ET | 1<<bidi.ON | 1<<bidi.BN},
+	},
+	ruleInvalid: {
+		{ruleInvalid, 0},
+		{ruleInvalid, 0},
+	},
+}
+
+// [2.4] In an RTL label, if an EN is present, no AN may be present, and
+// vice versa.
+const exclusiveRTL = uint16(1<<bidi.EN | 1<<bidi.AN)
+
+// From RFC 5893
+// An RTL label is a label that contains at least one character of type
+// R, AL, or AN.
+//
+// An LTR label is any label that is not an RTL label.
+
+// Direction reports the direction of the given label as defined by RFC 5893.
+// The Bidi Rule does not have to be applied to labels of the category
+// LeftToRight.
+func Direction(b []byte) bidi.Direction {
+	for i := 0; i < len(b); {
+		e, sz := bidi.Lookup(b[i:])
+		if sz == 0 {
+			i++
+		}
+		c := e.Class()
+		if c == bidi.R || c == bidi.AL || c == bidi.AN {
+			return bidi.RightToLeft
+		}
+		i += sz
+	}
+	return bidi.LeftToRight
+}
+
+// DirectionString reports the direction of the given label as defined by RFC
+// 5893. The Bidi Rule does not have to be applied to labels of the category
+// LeftToRight.
+func DirectionString(s string) bidi.Direction {
+	for i := 0; i < len(s); {
+		e, sz := bidi.LookupString(s[i:])
+		if sz == 0 {
+			i++
+			continue
+		}
+		c := e.Class()
+		if c == bidi.R || c == bidi.AL || c == bidi.AN {
+			return bidi.RightToLeft
+		}
+		i += sz
+	}
+	return bidi.LeftToRight
+}
+
+// Valid reports whether b conforms to the BiDi rule.
+func Valid(b []byte) bool {
+	var t Transformer
+	if n, ok := t.advance(b); !ok || n < len(b) {
+		return false
+	}
+	return t.isFinal()
+}
+
+// ValidString reports whether s conforms to the BiDi rule.
+func ValidString(s string) bool {
+	var t Transformer
+	if n, ok := t.advanceString(s); !ok || n < len(s) {
+		return false
+	}
+	return t.isFinal()
+}
+
+// New returns a Transformer that verifies that input adheres to the Bidi Rule.
+func New() *Transformer {
+	return &Transformer{}
+}
+
+// Transformer implements transform.Transform.
+type Transformer struct {
+	state  ruleState
+	hasRTL bool
+	seen   uint16
+}
+
+// A rule can only be violated for "Bidi Domain names", meaning if one of the
+// following categories has been observed.
+func (t *Transformer) isRTL() bool {
+	const isRTL = 1<<bidi.R | 1<<bidi.AL | 1<<bidi.AN
+	return t.seen&isRTL != 0
+}
+
+// Reset implements transform.Transformer.
+func (t *Transformer) Reset() { *t = Transformer{} }
+
+// Transform implements transform.Transformer. This Transformer has state and
+// needs to be reset between uses.
+func (t *Transformer) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	if len(dst) < len(src) {
+		src = src[:len(dst)]
+		atEOF = false
+		err = transform.ErrShortDst
+	}
+	n, err1 := t.Span(src, atEOF)
+	copy(dst, src[:n])
+	if err == nil || err1 != nil && err1 != transform.ErrShortSrc {
+		err = err1
+	}
+	return n, n, err
+}
+
+// Span returns the first n bytes of src that conform to the Bidi rule.
+func (t *Transformer) Span(src []byte, atEOF bool) (n int, err error) {
+	if t.state == ruleInvalid && t.isRTL() {
+		return 0, ErrInvalid
+	}
+	n, ok := t.advance(src)
+	switch {
+	case !ok:
+		err = ErrInvalid
+	case n < len(src):
+		if !atEOF {
+			err = transform.ErrShortSrc
+			break
+		}
+		err = ErrInvalid
+	case !t.isFinal():
+		err = ErrInvalid
+	}
+	return n, err
+}
+
+// Precomputing the ASCII values decreases running time for the ASCII fast path
+// by about 30%.
+var asciiTable [128]bidi.Properties
+
+func init() {
+	for i := range asciiTable {
+		p, _ := bidi.LookupRune(rune(i))
+		asciiTable[i] = p
+	}
+}
+
+func (t *Transformer) advance(s []byte) (n int, ok bool) {
+	var e bidi.Properties
+	var sz int
+	for n < len(s) {
+		if s[n] < utf8.RuneSelf {
+			e, sz = asciiTable[s[n]], 1
+		} else {
+			e, sz = bidi.Lookup(s[n:])
+			if sz <= 1 {
+				if sz == 1 {
+					// We always consider invalid UTF-8 to be invalid, even if
+					// the string has not yet been determined to be RTL.
+					// TODO: is this correct?
+					return n, false
+				}
+				return n, true // incomplete UTF-8 encoding
+			}
+		}
+		// TODO: using CompactClass would result in noticeable speedup.
+		// See unicode/bidi/prop.go:Properties.CompactClass.
+		c := uint16(1 << e.Class())
+		t.seen |= c
+		if t.seen&exclusiveRTL == exclusiveRTL {
+			t.state = ruleInvalid
+			return n, false
+		}
+		switch tr := transitions[t.state]; {
+		case tr[0].mask&c != 0:
+			t.state = tr[0].next
+		case tr[1].mask&c != 0:
+			t.state = tr[1].next
+		default:
+			t.state = ruleInvalid
+			if t.isRTL() {
+				return n, false
+			}
+		}
+		n += sz
+	}
+	return n, true
+}
+
+func (t *Transformer) advanceString(s string) (n int, ok bool) {
+	var e bidi.Properties
+	var sz int
+	for n < len(s) {
+		if s[n] < utf8.RuneSelf {
+			e, sz = asciiTable[s[n]], 1
+		} else {
+			e, sz = bidi.LookupString(s[n:])
+			if sz <= 1 {
+				if sz == 1 {
+					return n, false // invalid UTF-8
+				}
+				return n, true // incomplete UTF-8 encoding
+			}
+		}
+		// TODO: using CompactClass results in noticeable speedup.
+		// See unicode/bidi/prop.go:Properties.CompactClass.
+		c := uint16(1 << e.Class())
+		t.seen |= c
+		if t.seen&exclusiveRTL == exclusiveRTL {
+			t.state = ruleInvalid
+			return n, false
+		}
+		switch tr := transitions[t.state]; {
+		case tr[0].mask&c != 0:
+			t.state = tr[0].next
+		case tr[1].mask&c != 0:
+			t.state = tr[1].next
+		default:
+			t.state = ruleInvalid
+			if t.isRTL() {
+				return n, false
+			}
+		}
+		n += sz
+	}
+	return n, true
+}

vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go

@@ -0,0 +1,11 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.10
+
+package bidirule
+
+func (t *Transformer) isFinal() bool {
+	return t.state == ruleLTRFinal || t.state == ruleRTLFinal || t.state == ruleInitial
+}

vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go

@@ -0,0 +1,14 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.10
+
+package bidirule
+
+func (t *Transformer) isFinal() bool {
+	if !t.isRTL() {
+		return true
+	}
+	return t.state == ruleLTRFinal || t.state == ruleRTLFinal || t.state == ruleInitial
+}

vendor/golang.org/x/text/secure/precis/class.go

@@ -0,0 +1,36 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package precis
+
+import (
+	"unicode/utf8"
+)
+
+// TODO: Add contextual character rules from Appendix A of RFC5892.
+
+// A class is a set of characters that match certain derived properties. The
+// PRECIS framework defines two classes: The Freeform class and the Identifier
+// class. The freeform class should be used for profiles where expressiveness is
+// prioritized over safety such as nicknames or passwords. The identifier class
+// should be used for profiles where safety is the first priority such as
+// addressable network labels and usernames.
+type class struct {
+	validFrom property
+}
+
+// Contains satisfies the runes.Set interface and returns whether the given rune
+// is a member of the class.
+func (c class) Contains(r rune) bool {
+	b := make([]byte, 4)
+	n := utf8.EncodeRune(b, r)
+
+	trieval, _ := dpTrie.lookup(b[:n])
+	return c.validFrom <= property(trieval)
+}
+
+var (
+	identifier = &class{validFrom: pValid}
+	freeform   = &class{validFrom: idDisOrFreePVal}
+)

vendor/golang.org/x/text/secure/precis/context.go

@@ -0,0 +1,139 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package precis
+
+import "errors"
+
+// This file contains tables and code related to context rules.
+
+type catBitmap uint16
+
+const (
+	// These bits, once set depending on the current value, are never unset.
+	bJapanese catBitmap = 1 << iota
+	bArabicIndicDigit
+	bExtendedArabicIndicDigit
+
+	// These bits are set on each iteration depending on the current value.
+	bJoinStart
+	bJoinMid
+	bJoinEnd
+	bVirama
+	bLatinSmallL
+	bGreek
+	bHebrew
+
+	// These bits indicated which of the permanent bits need to be set at the
+	// end of the checks.
+	bMustHaveJapn
+
+	permanent = bJapanese | bArabicIndicDigit | bExtendedArabicIndicDigit | bMustHaveJapn
+)
+
+const finalShift = 10
+
+var errContext = errors.New("precis: contextual rule violated")
+
+func init() {
+	// Programmatically set these required bits as, manually setting them seems
+	// too error prone.
+	for i, ct := range categoryTransitions {
+		categoryTransitions[i].keep |= permanent
+		categoryTransitions[i].accept |= ct.term
+	}
+}
+
+var categoryTransitions = []struct {
+	keep catBitmap // mask selecting which bits to keep from the previous state
+	set  catBitmap // mask for which bits to set for this transition
+
+	// These bitmaps are used for rules that require lookahead.
+	// term&accept == term must be true, which is enforced programmatically.
+	term   catBitmap // bits accepted as termination condition
+	accept catBitmap // bits that pass, but not sufficient as termination
+
+	// The rule function cannot take a *context as an argument, as it would
+	// cause the context to escape, adding significant overhead.
+	rule func(beforeBits catBitmap) (doLookahead bool, err error)
+}{
+	joiningL:          {set: bJoinStart},
+	joiningD:          {set: bJoinStart | bJoinEnd},
+	joiningT:          {keep: bJoinStart, set: bJoinMid},
+	joiningR:          {set: bJoinEnd},
+	viramaModifier:    {set: bVirama},
+	viramaJoinT:       {set: bVirama | bJoinMid},
+	latinSmallL:       {set: bLatinSmallL},
+	greek:             {set: bGreek},
+	greekJoinT:        {set: bGreek | bJoinMid},
+	hebrew:            {set: bHebrew},
+	hebrewJoinT:       {set: bHebrew | bJoinMid},
+	japanese:          {set: bJapanese},
+	katakanaMiddleDot: {set: bMustHaveJapn},
+
+	zeroWidthNonJoiner: {
+		term:   bJoinEnd,
+		accept: bJoinMid,
+		rule: func(before catBitmap) (doLookAhead bool, err error) {
+			if before&bVirama != 0 {
+				return false, nil
+			}
+			if before&bJoinStart == 0 {
+				return false, errContext
+			}
+			return true, nil
+		},
+	},
+	zeroWidthJoiner: {
+		rule: func(before catBitmap) (doLookAhead bool, err error) {
+			if before&bVirama == 0 {
+				err = errContext
+			}
+			return false, err
+		},
+	},
+	middleDot: {
+		term: bLatinSmallL,
+		rule: func(before catBitmap) (doLookAhead bool, err error) {
+			if before&bLatinSmallL == 0 {
+				return false, errContext
+			}
+			return true, nil
+		},
+	},
+	greekLowerNumeralSign: {
+		set:  bGreek,
+		term: bGreek,
+		rule: func(before catBitmap) (doLookAhead bool, err error) {
+			return true, nil
+		},
+	},
+	hebrewPreceding: {
+		set: bHebrew,
+		rule: func(before catBitmap) (doLookAhead bool, err error) {
+			if before&bHebrew == 0 {
+				err = errContext
+			}
+			return false, err
+		},
+	},
+	arabicIndicDigit: {
+		set: bArabicIndicDigit,
+		rule: func(before catBitmap) (doLookAhead bool, err error) {
+			if before&bExtendedArabicIndicDigit != 0 {
+				err = errContext
+			}
+			return false, err
+		},
+	},
+	extendedArabicIndicDigit: {
+		set: bExtendedArabicIndicDigit,
+		rule: func(before catBitmap) (doLookAhead bool, err error) {
+			if before&bArabicIndicDigit != 0 {
+				err = errContext
+			}
+			return false, err
+		},
+	},
+}

vendor/golang.org/x/text/secure/precis/doc.go

@@ -0,0 +1,14 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package precis contains types and functions for the preparation,
+// enforcement, and comparison of internationalized strings ("PRECIS") as
+// defined in RFC 8264. It also contains several pre-defined profiles for
+// passwords, nicknames, and usernames as defined in RFC 8265 and RFC 8266.
+//
+// BE ADVISED: This package is under construction and the API may change in
+// backwards incompatible ways and without notice.
+package precis // import "golang.org/x/text/secure/precis"
+
+//go:generate go run gen.go gen_trieval.go

vendor/golang.org/x/text/secure/precis/nickname.go

@@ -0,0 +1,72 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package precis
+
+import (
+	"unicode"
+	"unicode/utf8"
+
+	"golang.org/x/text/transform"
+)
+
+type nickAdditionalMapping struct {
+	// TODO: This transformer needs to be stateless somehow…
+	notStart  bool
+	prevSpace bool
+}
+
+func (t *nickAdditionalMapping) Reset() {
+	t.prevSpace = false
+	t.notStart = false
+}
+
+func (t *nickAdditionalMapping) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	// RFC 8266 §2.1.  Rules
+	//
+	// 2.  Additional Mapping Rule: The additional mapping rule consists of
+	//     the following sub-rules.
+	//
+	//     a.  Map any instances of non-ASCII space to SPACE (U+0020); a
+	//         non-ASCII space is any Unicode code point having a general
+	//         category of "Zs", naturally with the exception of SPACE
+	//         (U+0020).  (The inclusion of only ASCII space prevents
+	//         confusion with various non-ASCII space code points, many of
+	//         which are difficult to reproduce across different input
+	//         methods.)
+	//
+	//     b.  Remove any instances of the ASCII space character at the
+	//         beginning or end of a nickname (e.g., "stpeter " is mapped to
+	//         "stpeter").
+	//
+	//     c.  Map interior sequences of more than one ASCII space character
+	//         to a single ASCII space character (e.g., "St  Peter" is
+	//         mapped to "St Peter").
+	for nSrc < len(src) {
+		r, size := utf8.DecodeRune(src[nSrc:])
+		if size == 0 { // Incomplete UTF-8 encoding
+			if !atEOF {
+				return nDst, nSrc, transform.ErrShortSrc
+			}
+			size = 1
+		}
+		if unicode.Is(unicode.Zs, r) {
+			t.prevSpace = true
+		} else {
+			if t.prevSpace && t.notStart {
+				dst[nDst] = ' '
+				nDst += 1
+			}
+			if size != copy(dst[nDst:], src[nSrc:nSrc+size]) {
+				nDst += size
+				return nDst, nSrc, transform.ErrShortDst
+			}
+			nDst += size
+			t.prevSpace = false
+			t.notStart = true
+		}
+		nSrc += size
+	}
+	return nDst, nSrc, nil
+}

vendor/golang.org/x/text/secure/precis/options.go

@@ -0,0 +1,157 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package precis
+
+import (
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"golang.org/x/text/runes"
+	"golang.org/x/text/transform"
+	"golang.org/x/text/unicode/norm"
+)
+
+// An Option is used to define the behavior and rules of a Profile.
+type Option func(*options)
+
+type options struct {
+	// Preparation options
+	foldWidth bool
+
+	// Enforcement options
+	asciiLower    bool
+	cases         transform.SpanningTransformer
+	disallow      runes.Set
+	norm          transform.SpanningTransformer
+	additional    []func() transform.SpanningTransformer
+	width         transform.SpanningTransformer
+	disallowEmpty bool
+	bidiRule      bool
+	repeat        bool
+
+	// Comparison options
+	ignorecase bool
+}
+
+func getOpts(o ...Option) (res options) {
+	for _, f := range o {
+		f(&res)
+	}
+	// Using a SpanningTransformer, instead of norm.Form prevents an allocation
+	// down the road.
+	if res.norm == nil {
+		res.norm = norm.NFC
+	}
+	return
+}
+
+var (
+	// The IgnoreCase option causes the profile to perform a case insensitive
+	// comparison during the PRECIS comparison step.
+	IgnoreCase Option = ignoreCase
+
+	// The FoldWidth option causes the profile to map non-canonical wide and
+	// narrow variants to their decomposition mapping. This is useful for
+	// profiles that are based on the identifier class which would otherwise
+	// disallow such characters.
+	FoldWidth Option = foldWidth
+
+	// The DisallowEmpty option causes the enforcement step to return an error if
+	// the resulting string would be empty.
+	DisallowEmpty Option = disallowEmpty
+
+	// The BidiRule option causes the Bidi Rule defined in RFC 5893 to be
+	// applied.
+	BidiRule Option = bidiRule
+)
+
+var (
+	ignoreCase = func(o *options) {
+		o.ignorecase = true
+	}
+	foldWidth = func(o *options) {
+		o.foldWidth = true
+	}
+	disallowEmpty = func(o *options) {
+		o.disallowEmpty = true
+	}
+	bidiRule = func(o *options) {
+		o.bidiRule = true
+	}
+	repeat = func(o *options) {
+		o.repeat = true
+	}
+)
+
+// TODO: move this logic to package transform
+
+type spanWrap struct{ transform.Transformer }
+
+func (s spanWrap) Span(src []byte, atEOF bool) (n int, err error) {
+	return 0, transform.ErrEndOfSpan
+}
+
+// TODO: allow different types? For instance:
+//     func() transform.Transformer
+//     func() transform.SpanningTransformer
+//     func([]byte) bool  // validation only
+//
+// Also, would be great if we could detect if a transformer is reentrant.
+
+// The AdditionalMapping option defines the additional mapping rule for the
+// Profile by applying Transformer's in sequence.
+func AdditionalMapping(t ...func() transform.Transformer) Option {
+	return func(o *options) {
+		for _, f := range t {
+			sf := func() transform.SpanningTransformer {
+				return f().(transform.SpanningTransformer)
+			}
+			if _, ok := f().(transform.SpanningTransformer); !ok {
+				sf = func() transform.SpanningTransformer {
+					return spanWrap{f()}
+				}
+			}
+			o.additional = append(o.additional, sf)
+		}
+	}
+}
+
+// The Norm option defines a Profile's normalization rule. Defaults to NFC.
+func Norm(f norm.Form) Option {
+	return func(o *options) {
+		o.norm = f
+	}
+}
+
+// The FoldCase option defines a Profile's case mapping rule. Options can be
+// provided to determine the type of case folding used.
+func FoldCase(opts ...cases.Option) Option {
+	return func(o *options) {
+		o.asciiLower = true
+		o.cases = cases.Fold(opts...)
+	}
+}
+
+// The LowerCase option defines a Profile's case mapping rule. Options can be
+// provided to determine the type of case folding used.
+func LowerCase(opts ...cases.Option) Option {
+	return func(o *options) {
+		o.asciiLower = true
+		if len(opts) == 0 {
+			o.cases = cases.Lower(language.Und, cases.HandleFinalSigma(false))
+			return
+		}
+
+		opts = append([]cases.Option{cases.HandleFinalSigma(false)}, opts...)
+		o.cases = cases.Lower(language.Und, opts...)
+	}
+}
+
+// The Disallow option further restricts a Profile's allowed characters beyond
+// what is disallowed by the underlying string class.
+func Disallow(set runes.Set) Option {
+	return func(o *options) {
+		o.disallow = set
+	}
+}

vendor/golang.org/x/text/secure/precis/profile.go

@@ -0,0 +1,412 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package precis
+
+import (
+	"bytes"
+	"errors"
+	"unicode/utf8"
+
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"golang.org/x/text/runes"
+	"golang.org/x/text/secure/bidirule"
+	"golang.org/x/text/transform"
+	"golang.org/x/text/width"
+)
+
+var (
+	errDisallowedRune = errors.New("precis: disallowed rune encountered")
+)
+
+var dpTrie = newDerivedPropertiesTrie(0)
+
+// A Profile represents a set of rules for normalizing and validating strings in
+// the PRECIS framework.
+type Profile struct {
+	options
+	class *class
+}
+
+// NewIdentifier creates a new PRECIS profile based on the Identifier string
+// class. Profiles created from this class are suitable for use where safety is
+// prioritized over expressiveness like network identifiers, user accounts, chat
+// rooms, and file names.
+func NewIdentifier(opts ...Option) *Profile {
+	return &Profile{
+		options: getOpts(opts...),
+		class:   identifier,
+	}
+}
+
+// NewFreeform creates a new PRECIS profile based on the Freeform string class.
+// Profiles created from this class are suitable for use where expressiveness is
+// prioritized over safety like passwords, and display-elements such as
+// nicknames in a chat room.
+func NewFreeform(opts ...Option) *Profile {
+	return &Profile{
+		options: getOpts(opts...),
+		class:   freeform,
+	}
+}
+
+// NewRestrictedProfile creates a new PRECIS profile based on an existing
+// profile.
+// If the parent profile already had the Disallow option set, the new rule
+// overrides the parents rule.
+func NewRestrictedProfile(parent *Profile, disallow runes.Set) *Profile {
+	p := *parent
+	Disallow(disallow)(&p.options)
+	return &p
+}
+
+// NewTransformer creates a new transform.Transformer that performs the PRECIS
+// preparation and enforcement steps on the given UTF-8 encoded bytes.
+func (p *Profile) NewTransformer() *Transformer {
+	var ts []transform.Transformer
+
+	// These transforms are applied in the order defined in
+	// https://tools.ietf.org/html/rfc7564#section-7
+
+	// RFC 8266 §2.1:
+	//
+	//     Implementation experience has shown that applying the rules for the
+	//     Nickname profile is not an idempotent procedure for all code points.
+	//     Therefore, an implementation SHOULD apply the rules repeatedly until
+	//     the output string is stable; if the output string does not stabilize
+	//     after reapplying the rules three (3) additional times after the first
+	//     application, the implementation SHOULD terminate application of the
+	//     rules and reject the input string as invalid.
+	//
+	// There is no known string that will change indefinitely, so repeat 4 times
+	// and rely on the Span method to keep things relatively performant.
+	r := 1
+	if p.options.repeat {
+		r = 4
+	}
+	for ; r > 0; r-- {
+		if p.options.foldWidth {
+			ts = append(ts, width.Fold)
+		}
+
+		for _, f := range p.options.additional {
+			ts = append(ts, f())
+		}
+
+		if p.options.cases != nil {
+			ts = append(ts, p.options.cases)
+		}
+
+		ts = append(ts, p.options.norm)
+
+		if p.options.bidiRule {
+			ts = append(ts, bidirule.New())
+		}
+
+		ts = append(ts, &checker{p: p, allowed: p.Allowed()})
+	}
+
+	// TODO: Add the disallow empty rule with a dummy transformer?
+
+	return &Transformer{transform.Chain(ts...)}
+}
+
+var errEmptyString = errors.New("precis: transformation resulted in empty string")
+
+type buffers struct {
+	src  []byte
+	buf  [2][]byte
+	next int
+}
+
+func (b *buffers) apply(t transform.SpanningTransformer) (err error) {
+	n, err := t.Span(b.src, true)
+	if err != transform.ErrEndOfSpan {
+		return err
+	}
+	x := b.next & 1
+	if b.buf[x] == nil {
+		b.buf[x] = make([]byte, 0, 8+len(b.src)+len(b.src)>>2)
+	}
+	span := append(b.buf[x][:0], b.src[:n]...)
+	b.src, _, err = transform.Append(t, span, b.src[n:])
+	b.buf[x] = b.src
+	b.next++
+	return err
+}
+
+// Pre-allocate transformers when possible. In some cases this avoids allocation.
+var (
+	foldWidthT transform.SpanningTransformer = width.Fold
+	lowerCaseT transform.SpanningTransformer = cases.Lower(language.Und, cases.HandleFinalSigma(false))
+)
+
+// TODO: make this a method on profile.
+
+func (b *buffers) enforce(p *Profile, src []byte, comparing bool) (str []byte, err error) {
+	b.src = src
+
+	ascii := true
+	for _, c := range src {
+		if c >= utf8.RuneSelf {
+			ascii = false
+			break
+		}
+	}
+	// ASCII fast path.
+	if ascii {
+		for _, f := range p.options.additional {
+			if err = b.apply(f()); err != nil {
+				return nil, err
+			}
+		}
+		switch {
+		case p.options.asciiLower || (comparing && p.options.ignorecase):
+			for i, c := range b.src {
+				if 'A' <= c && c <= 'Z' {
+					b.src[i] = c ^ 1<<5
+				}
+			}
+		case p.options.cases != nil:
+			b.apply(p.options.cases)
+		}
+		c := checker{p: p}
+		if _, err := c.span(b.src, true); err != nil {
+			return nil, err
+		}
+		if p.disallow != nil {
+			for _, c := range b.src {
+				if p.disallow.Contains(rune(c)) {
+					return nil, errDisallowedRune
+				}
+			}
+		}
+		if p.options.disallowEmpty && len(b.src) == 0 {
+			return nil, errEmptyString
+		}
+		return b.src, nil
+	}
+
+	// These transforms are applied in the order defined in
+	// https://tools.ietf.org/html/rfc8264#section-7
+
+	r := 1
+	if p.options.repeat {
+		r = 4
+	}
+	for ; r > 0; r-- {
+		// TODO: allow different width transforms options.
+		if p.options.foldWidth || (p.options.ignorecase && comparing) {
+			b.apply(foldWidthT)
+		}
+		for _, f := range p.options.additional {
+			if err = b.apply(f()); err != nil {
+				return nil, err
+			}
+		}
+		if p.options.cases != nil {
+			b.apply(p.options.cases)
+		}
+		if comparing && p.options.ignorecase {
+			b.apply(lowerCaseT)
+		}
+		b.apply(p.norm)
+		if p.options.bidiRule && !bidirule.Valid(b.src) {
+			return nil, bidirule.ErrInvalid
+		}
+		c := checker{p: p}
+		if _, err := c.span(b.src, true); err != nil {
+			return nil, err
+		}
+		if p.disallow != nil {
+			for i := 0; i < len(b.src); {
+				r, size := utf8.DecodeRune(b.src[i:])
+				if p.disallow.Contains(r) {
+					return nil, errDisallowedRune
+				}
+				i += size
+			}
+		}
+		if p.options.disallowEmpty && len(b.src) == 0 {
+			return nil, errEmptyString
+		}
+	}
+	return b.src, nil
+}
+
+// Append appends the result of applying p to src writing the result to dst.
+// It returns an error if the input string is invalid.
+func (p *Profile) Append(dst, src []byte) ([]byte, error) {
+	var buf buffers
+	b, err := buf.enforce(p, src, false)
+	if err != nil {
+		return nil, err
+	}
+	return append(dst, b...), nil
+}
+
+func processBytes(p *Profile, b []byte, key bool) ([]byte, error) {
+	var buf buffers
+	b, err := buf.enforce(p, b, key)
+	if err != nil {
+		return nil, err
+	}
+	if buf.next == 0 {
+		c := make([]byte, len(b))
+		copy(c, b)
+		return c, nil
+	}
+	return b, nil
+}
+
+// Bytes returns a new byte slice with the result of applying the profile to b.
+func (p *Profile) Bytes(b []byte) ([]byte, error) {
+	return processBytes(p, b, false)
+}
+
+// AppendCompareKey appends the result of applying p to src (including any
+// optional rules to make strings comparable or useful in a map key such as
+// applying lowercasing) writing the result to dst. It returns an error if the
+// input string is invalid.
+func (p *Profile) AppendCompareKey(dst, src []byte) ([]byte, error) {
+	var buf buffers
+	b, err := buf.enforce(p, src, true)
+	if err != nil {
+		return nil, err
+	}
+	return append(dst, b...), nil
+}
+
+func processString(p *Profile, s string, key bool) (string, error) {
+	var buf buffers
+	b, err := buf.enforce(p, []byte(s), key)
+	if err != nil {
+		return "", err
+	}
+	return string(b), nil
+}
+
+// String returns a string with the result of applying the profile to s.
+func (p *Profile) String(s string) (string, error) {
+	return processString(p, s, false)
+}
+
+// CompareKey returns a string that can be used for comparison, hashing, or
+// collation.
+func (p *Profile) CompareKey(s string) (string, error) {
+	return processString(p, s, true)
+}
+
+// Compare enforces both strings, and then compares them for bit-string identity
+// (byte-for-byte equality). If either string cannot be enforced, the comparison
+// is false.
+func (p *Profile) Compare(a, b string) bool {
+	var buf buffers
+
+	akey, err := buf.enforce(p, []byte(a), true)
+	if err != nil {
+		return false
+	}
+
+	buf = buffers{}
+	bkey, err := buf.enforce(p, []byte(b), true)
+	if err != nil {
+		return false
+	}
+
+	return bytes.Equal(akey, bkey)
+}
+
+// Allowed returns a runes.Set containing every rune that is a member of the
+// underlying profile's string class and not disallowed by any profile specific
+// rules.
+func (p *Profile) Allowed() runes.Set {
+	if p.options.disallow != nil {
+		return runes.Predicate(func(r rune) bool {
+			return p.class.Contains(r) && !p.options.disallow.Contains(r)
+		})
+	}
+	return p.class
+}
+
+type checker struct {
+	p       *Profile
+	allowed runes.Set
+
+	beforeBits catBitmap
+	termBits   catBitmap
+	acceptBits catBitmap
+}
+
+func (c *checker) Reset() {
+	c.beforeBits = 0
+	c.termBits = 0
+	c.acceptBits = 0
+}
+
+func (c *checker) span(src []byte, atEOF bool) (n int, err error) {
+	for n < len(src) {
+		e, sz := dpTrie.lookup(src[n:])
+		d := categoryTransitions[category(e&catMask)]
+		if sz == 0 {
+			if !atEOF {
+				return n, transform.ErrShortSrc
+			}
+			return n, errDisallowedRune
+		}
+		doLookAhead := false
+		if property(e) < c.p.class.validFrom {
+			if d.rule == nil {
+				return n, errDisallowedRune
+			}
+			doLookAhead, err = d.rule(c.beforeBits)
+			if err != nil {
+				return n, err
+			}
+		}
+		c.beforeBits &= d.keep
+		c.beforeBits |= d.set
+		if c.termBits != 0 {
+			// We are currently in an unterminated lookahead.
+			if c.beforeBits&c.termBits != 0 {
+				c.termBits = 0
+				c.acceptBits = 0
+			} else if c.beforeBits&c.acceptBits == 0 {
+				// Invalid continuation of the unterminated lookahead sequence.
+				return n, errContext
+			}
+		}
+		if doLookAhead {
+			if c.termBits != 0 {
+				// A previous lookahead run has not been terminated yet.
+				return n, errContext
+			}
+			c.termBits = d.term
+			c.acceptBits = d.accept
+		}
+		n += sz
+	}
+	if m := c.beforeBits >> finalShift; c.beforeBits&m != m || c.termBits != 0 {
+		err = errContext
+	}
+	return n, err
+}
+
+// TODO: we may get rid of this transform if transform.Chain understands
+// something like a Spanner interface.
+func (c checker) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	short := false
+	if len(dst) < len(src) {
+		src = src[:len(dst)]
+		atEOF = false
+		short = true
+	}
+	nSrc, err = c.span(src, atEOF)
+	nDst = copy(dst, src[:nSrc])
+	if short && (err == transform.ErrShortSrc || err == nil) {
+		err = transform.ErrShortDst
+	}
+	return nDst, nSrc, err
+}

vendor/golang.org/x/text/secure/precis/profiles.go

@@ -0,0 +1,78 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package precis
+
+import (
+	"unicode"
+
+	"golang.org/x/text/runes"
+	"golang.org/x/text/transform"
+	"golang.org/x/text/unicode/norm"
+)
+
+var (
+	// Implements the Nickname profile specified in RFC 8266.
+	Nickname *Profile = nickname
+
+	// Implements the UsernameCaseMapped profile specified in RFC 8265.
+	UsernameCaseMapped *Profile = usernameCaseMap
+
+	// Implements the UsernameCasePreserved profile specified in RFC 8265.
+	UsernameCasePreserved *Profile = usernameNoCaseMap
+
+	// Implements the OpaqueString profile defined in RFC 8265 for passwords and
+	// other secure labels.
+	OpaqueString *Profile = opaquestring
+)
+
+var (
+	nickname = &Profile{
+		options: getOpts(
+			AdditionalMapping(func() transform.Transformer {
+				return &nickAdditionalMapping{}
+			}),
+			IgnoreCase,
+			Norm(norm.NFKC),
+			DisallowEmpty,
+			repeat,
+		),
+		class: freeform,
+	}
+	usernameCaseMap = &Profile{
+		options: getOpts(
+			FoldWidth,
+			LowerCase(),
+			Norm(norm.NFC),
+			BidiRule,
+		),
+		class: identifier,
+	}
+	usernameNoCaseMap = &Profile{
+		options: getOpts(
+			FoldWidth,
+			Norm(norm.NFC),
+			BidiRule,
+		),
+		class: identifier,
+	}
+	opaquestring = &Profile{
+		options: getOpts(
+			AdditionalMapping(func() transform.Transformer {
+				return mapSpaces
+			}),
+			Norm(norm.NFC),
+			DisallowEmpty,
+		),
+		class: freeform,
+	}
+)
+
+// mapSpaces is a shared value of a runes.Map transformer.
+var mapSpaces transform.Transformer = runes.Map(func(r rune) rune {
+	if unicode.Is(unicode.Zs, r) {
+		return ' '
+	}
+	return r
+})

vendor/golang.org/x/text/secure/precis/transformer.go

@@ -0,0 +1,32 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package precis
+
+import "golang.org/x/text/transform"
+
+// Transformer implements the transform.Transformer interface.
+type Transformer struct {
+	t transform.Transformer
+}
+
+// Reset implements the transform.Transformer interface.
+func (t Transformer) Reset() { t.t.Reset() }
+
+// Transform implements the transform.Transformer interface.
+func (t Transformer) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	return t.t.Transform(dst, src, atEOF)
+}
+
+// Bytes returns a new byte slice with the result of applying t to b.
+func (t Transformer) Bytes(b []byte) []byte {
+	b, _, _ = transform.Bytes(t, b)
+	return b
+}
+
+// String returns a string with the result of applying t to s.
+func (t Transformer) String(s string) string {
+	s, _, _ = transform.String(t, s)
+	return s
+}

vendor/golang.org/x/text/secure/precis/trieval.go

@@ -0,0 +1,64 @@
+// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
+
+package precis
+
+// entry is the entry of a trie table
+// 7..6   property (unassigned, disallowed, maybe, valid)
+// 5..0   category
+type entry uint8
+
+const (
+	propShift = 6
+	propMask  = 0xc0
+	catMask   = 0x3f
+)
+
+func (e entry) property() property { return property(e & propMask) }
+func (e entry) category() category { return category(e & catMask) }
+
+type property uint8
+
+// The order of these constants matter. A Profile may consider runes to be
+// allowed either from pValid or idDisOrFreePVal.
+const (
+	unassigned property = iota << propShift
+	disallowed
+	idDisOrFreePVal // disallowed for Identifier, pValid for FreeForm
+	pValid
+)
+
+// compute permutations of all properties and specialCategories.
+type category uint8
+
+const (
+	other category = iota
+
+	// Special rune types
+	joiningL
+	joiningD
+	joiningT
+	joiningR
+	viramaModifier
+	viramaJoinT // Virama + JoiningT
+	latinSmallL // U+006c
+	greek
+	greekJoinT // Greek + JoiningT
+	hebrew
+	hebrewJoinT // Hebrew + JoiningT
+	japanese    // hirigana, katakana, han
+
+	// Special rune types associated with contextual rules defined in
+	// https://tools.ietf.org/html/rfc5892#appendix-A.
+	// ContextO
+	zeroWidthNonJoiner // rule 1
+	zeroWidthJoiner    // rule 2
+	// ContextJ
+	middleDot                // rule 3
+	greekLowerNumeralSign    // rule 4
+	hebrewPreceding          // rule 5 and 6
+	katakanaMiddleDot        // rule 7
+	arabicIndicDigit         // rule 8
+	extendedArabicIndicDigit // rule 9
+
+	numCategories
+)