MachineDotDev · leonardosul · Feb 26, 2026 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -0,0 +1,29 @@
+name: Docs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+      - "README.md"
+      - "*.tf"
+
+permissions:
+  contents: write
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+
+      - name: Install mkdocs-material
+        run: pip install mkdocs-material
+
+      - name: Deploy docs
+        run: mkdocs gh-deploy --force
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
@@ -0,0 +1,29 @@
+name: Go Tests
+
+on:
+  pull_request:
+    paths:
+      - "cmd/lambda/**"
+  push:
+    branches: [main]
+    paths:
+      - "cmd/lambda/**"
+
+permissions:
+  contents: read
+
+jobs:
+  go-test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: cmd/lambda
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: cmd/lambda/go.mod
+
+      - name: Test
+        run: go test -v -race ./...
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -0,0 +1,50 @@
+name: Integration Tests
+
+on:
+  pull_request:
+    types: [labeled]
+  workflow_dispatch:
+
+concurrency:
+  group: nat-zero-integration
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  integration-test:
+    if: >-
+      github.event_name == 'workflow_dispatch' ||
+      github.event.label.name == 'integration-test'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    environment: integration
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: cmd/lambda/go.mod
+
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+        with:
+          terraform_wrapper: false
+
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+        with:
+          role-to-assume: ${{ secrets.INTEGRATION_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Build Lambda binary
+        working-directory: cmd/lambda
+        run: |
+          GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -tags lambda.norpc -ldflags='-s -w' -o bootstrap
+          zip lambda.zip bootstrap
+          mkdir -p ../../.build
+          cp lambda.zip ../../.build/lambda.zip
+
+      - name: Test
+        working-directory: tests/integration
+        run: go test -v -timeout 10m -count=1
diff --git a/.github/workflows/precommit.yml b/.github/workflows/precommit.yml
@@ -0,0 +1,37 @@
+name: Pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+    paths:
+      - "*.tf"
+      - "cmd/lambda/**"
+      - ".pre-commit-config.yaml"
+      - ".terraform-docs.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  precommit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: cmd/lambda/go.mod
+
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+
+      - name: Install tools
+        run: |
+          go install honnef.co/go/tools/cmd/staticcheck@latest
+          curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -0,0 +1,58 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+        id: release
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
+
+  build-lambda:
+    needs: release-please
+    if: needs.release-please.outputs.release_created == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: cmd/lambda
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: cmd/lambda/go.mod
+
+      - name: Build
+        run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -tags lambda.norpc -ldflags='-s -w' -o bootstrap
+
+      - name: Package
+        run: zip lambda.zip bootstrap
+
+      - name: Upload to versioned release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload "${{ needs.release-please.outputs.tag_name }}" lambda.zip --clobber
+
+      - name: Update rolling latest release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create nat-zero-lambda-latest \
+            --title "nat-zero Lambda (latest)" \
+            --notes "Auto-built Go Lambda binary from ${{ needs.release-please.outputs.tag_name }}" \
+            --latest=false 2>/dev/null || true
+          gh release upload nat-zero-lambda-latest lambda.zip --clobber
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,29 @@
+# Terraform
+.terraform/
+.terraform.lock.hcl
+*.tfstate
+*.tfstate.backup
+*.tfplan
+
+# Lambda build artifacts
+.build/
+cmd/lambda/lambda
+cmd/lambda/bootstrap
+*.zip
+
+# Go
+vendor/
+
+# Test cache
+.pytest_cache/
+
+# OS
+.DS_Store
+
+# IDE
+.idea/
+.vscode/
+*.swp
+
+# AI
+.claude/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,47 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0
+    hooks:
+      - id: check-yaml
+        args: ["--unsafe"]
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-toml
+      - id: check-json
+  - repo: https://github.com/TekWizely/pre-commit-golang
+    rev: v1.0.0-rc.1
+    hooks:
+      - id: go-fmt
+        name: go fmt
+      - id: go-vet-repo-mod
+        name: go vet
+      - id: go-test-mod
+        name: go test
+        exclude: "tests/integration/"
+  - repo: local
+    hooks:
+      - id: go-staticcheck
+        name: go staticcheck
+        language: system
+        entry: bash -c 'export PATH="$HOME/go/bin:$PATH" && cd cmd/lambda && staticcheck ./...'
+        files: '\.go$'
+        exclude: "tests/integration/"
+        pass_filenames: false
+  - repo: https://github.com/zricethezav/gitleaks
+    rev: v8.16.4
+    hooks:
+      - id: gitleaks
+  - repo: https://github.com/antonbabenko/pre-commit-terraform.git
+    rev: v1.77.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_tflint
+  - repo: https://github.com/terraform-docs/terraform-docs
+    rev: "v0.16.0"
+    hooks:
+      - id: terraform-docs-go
+        name: terraform-docs (README.md)
+        args: ["--output-mode", "inject", "--output-file", "README.md", "."]
+      - id: terraform-docs-go
+        name: terraform-docs (docs/REFERENCE.md)
+        args: ["-c", ".terraform-docs-reference.yml", "--output-mode", "replace", "--output-file", "docs/REFERENCE.md", "."]
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+  ".": "0.0.0"
+}
diff --git a/.terraform-docs-reference.yml b/.terraform-docs-reference.yml
@@ -0,0 +1,5 @@
+formatter: "markdown table"
+
+output:
+  template: |
+    {{ .Content }}
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
@@ -0,0 +1 @@
+formatter: "markdown table"
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 MachineDotDev contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.