From d9709b8c0edd457979294d86332cca976f24d133 Mon Sep 17 00:00:00 2001
From: Zach Kipp
Date: Wed, 4 Feb 2026 13:46:29 -0700
Subject: [PATCH 1/2] feat: check formatting in CI

---
 .github/workflows/ci.yml | 3 +++
 Makefile | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b8f9d775..1d20d64e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,6 +34,9 @@ jobs:
 - name: Download and verify dependencies
 run: make deps

+ - name: Check formatting
+ run: make fmt-check
+
 - name: Install golangci-lint
 run: |
 # binary will be $(go env GOPATH)/bin/golangci-lint
diff --git a/Makefile b/Makefile
index 200a97e6..f3635db1 100644
--- a/Makefile
+++ b/Makefile
@@ -145,6 +145,18 @@ fmt:
 go fmt ./...
 @echo "✓ Code formatted!"

+# Check formatting (for CI)
+.PHONY: fmt-check
+fmt-check:
+ @echo "Checking code formatting..."
+ @if [ -n "$$(gofmt -l .)" ]; then \
+ echo "The following files are not formatted:"; \
+ gofmt -l .; \
+ echo "Run 'make fmt' to fix formatting."; \
+ exit 1; \
+ fi
+ @echo "✓ All code is properly formatted!"
+
 # Lint code
 .PHONY: lint
 lint:

From 6d0d0638984327b6010cc73fb82e0c5a3b228e01 Mon Sep 17 00:00:00 2001
From: Zach Kipp
Date: Wed, 4 Feb 2026 13:48:09 -0700
Subject: [PATCH 2/2] chore: go fmt all code

---
 config/config.go | 72 +++++++++++++++++------------------
 nsjail_manager/nsjail/jail.go | 8 ++--
 privilege/privilege_linux.go | 1 -
 privilege/privilege_stub.go | 1 -
 proxy/connect.go | 6 +--
 proxy/proxy_framework_test.go | 2 +-
 run/run_linux.go | 1 -
 run/run_stub.go | 1 -
 8 files changed, 44 insertions(+), 48 deletions(-)

diff --git a/config/config.go b/config/config.go
index 5d9feec3..29ce3c24 100644
--- a/config/config.go
+++ b/config/config.go
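Review bot: The new `Check formatting` step is placed after `Download and verify dependencies`, but gofmt only parses source files and needs no modules, so moving it ahead of `make deps` would reject unformatted pushes before any network fetch happens. gofmt output also changes between Go releases, so this gate is only stable if the job's Go setup (outside the hunk) pins the toolchain contributors use. A comment on the step such as `# gofmt output is Go-version dependent; keep the CI toolchain pinned` would record that dependency.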
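Review bot: The `fmt-check` recipe fails open when gofmt itself errors, because `[ -n "$$(gofmt -l .)" ]` inspects only stdout and discards the exit status; a file gofmt cannot parse is reported on stderr and not listed, so the substitution stays empty and the target prints the success line. Capturing the output once and checking the status closes that gap and drops the second gofmt run: `@out="$$(gofmt -l .)" || exit 1; \`, then `if [ -n "$$out" ]; then \` and `echo "$$out"; \` in place of the repeated `gofmt -l .; \`. Separately, `gofmt -l .` walks every directory under the repository while the `fmt` target just above runs `go fmt ./...`, so a vendored or testdata file, if any exist, could fail this check without `make fmt` being able to fix it; the two targets should cover the same file set.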
@@ -56,33 +56,33 @@ func (a AllowStringsArray) Value() []string {
 }

 type CliConfig struct {
- Config serpent.YAMLConfigPath `yaml:"-"`
- AllowListStrings serpent.StringArray `yaml:"allowlist"` // From config file
- AllowStrings AllowStringsArray `yaml:"-"` // From CLI flags only
- LogLevel serpent.String `yaml:"log_level"`
- LogDir serpent.String `yaml:"log_dir"`
- ProxyPort serpent.Int64 `yaml:"proxy_port"`
- PprofEnabled serpent.Bool `yaml:"pprof_enabled"`
- PprofPort serpent.Int64 `yaml:"pprof_port"`
- JailType serpent.String `yaml:"jail_type"`
- UseRealDNS serpent.Bool `yaml:"use_real_dns"`
- DisableAuditLogs serpent.Bool `yaml:"disable_audit_logs"`
- LogProxySocketPath serpent.String `yaml:"log_proxy_socket_path"`
+ Config serpent.YAMLConfigPath `yaml:"-"`
+ AllowListStrings serpent.StringArray `yaml:"allowlist"` // From config file
+ AllowStrings AllowStringsArray `yaml:"-"` // From CLI flags only
+ LogLevel serpent.String `yaml:"log_level"`
+ LogDir serpent.String `yaml:"log_dir"`
+ ProxyPort serpent.Int64 `yaml:"proxy_port"`
+ PprofEnabled serpent.Bool `yaml:"pprof_enabled"`
+ PprofPort serpent.Int64 `yaml:"pprof_port"`
+ JailType serpent.String `yaml:"jail_type"`
+ UseRealDNS serpent.Bool `yaml:"use_real_dns"`
+ DisableAuditLogs serpent.Bool `yaml:"disable_audit_logs"`
+ LogProxySocketPath serpent.String `yaml:"log_proxy_socket_path"`
 }

 type AppConfig struct {
- AllowRules []string
- LogLevel string
- LogDir string
- ProxyPort int64
- PprofEnabled bool
- PprofPort int64
- JailType JailType
- UseRealDNS bool
- TargetCMD []string
- UserInfo *UserInfo
- DisableAuditLogs bool
- LogProxySocketPath string
+ AllowRules []string
+ LogLevel string
+ LogDir string
+ ProxyPort int64
+ PprofEnabled bool
+ PprofPort int64
+ JailType JailType
+ UseRealDNS bool
+ TargetCMD []string
+ UserInfo *UserInfo
+ DisableAuditLogs bool
+ LogProxySocketPath string
 }

 func NewAppConfigFromCliConfig(cfg CliConfig, targetCMD []string) (AppConfig, error) {
@@ -101,17 +101,17 @@ func NewAppConfigFromCliConfig(cfg CliConfig, targetCMD []string) (AppConfig, er
 userInfo := GetUserInfo()
 return AppConfig{
- AllowRules: allAllowStrings,
- LogLevel: cfg.LogLevel.Value(),
- LogDir: cfg.LogDir.Value(),
- ProxyPort: cfg.ProxyPort.Value(),
- PprofEnabled: cfg.PprofEnabled.Value(),
- PprofPort: cfg.PprofPort.Value(),
- JailType: jailType,
- UseRealDNS: cfg.UseRealDNS.Value(),
- TargetCMD: targetCMD,
- UserInfo: userInfo,
- DisableAuditLogs: cfg.DisableAuditLogs.Value(),
- LogProxySocketPath: cfg.LogProxySocketPath.Value(),
+ AllowRules: allAllowStrings,
+ LogLevel: cfg.LogLevel.Value(),
+ LogDir: cfg.LogDir.Value(),
+ ProxyPort: cfg.ProxyPort.Value(),
+ PprofEnabled: cfg.PprofEnabled.Value(),
+ PprofPort: cfg.PprofPort.Value(),
+ JailType: jailType,
+ UseRealDNS: cfg.UseRealDNS.Value(),
+ TargetCMD: targetCMD,
+ UserInfo: userInfo,
+ DisableAuditLogs: cfg.DisableAuditLogs.Value(),
+ LogProxySocketPath: cfg.LogProxySocketPath.Value(),
 }, nil
 }
diff --git a/nsjail_manager/nsjail/jail.go b/nsjail_manager/nsjail/jail.go
index 3e0f9a7c..6c1ebe6c 100644
--- a/nsjail_manager/nsjail/jail.go
+++ b/nsjail_manager/nsjail/jail.go
@@ -28,9 +28,9 @@ type Config struct {
 // LinuxJail implements Jailer using Linux network namespaces
 type LinuxJail struct {
- logger *slog.Logger
- vethHostName string // Host-side veth interface name for iptables rules
- vethJailName string // Jail-side veth interface name for iptables rules
+ logger *slog.Logger
+ vethHostName string // Host-side veth interface name for iptables rules
+ vethJailName string // Jail-side veth interface name for iptables rules
 httpProxyPort int
 configDir string
 caCertPath string
@@ -43,7 +43,7 @@ func NewLinuxJail(config Config) (*LinuxJail, error) {
 httpProxyPort: config.HttpProxyPort,
 configDir: config.ConfigDir,
 caCertPath: config.CACertPath,
- useRealDNS: config.UseRealDNS,
+ useRealDNS: config.UseRealDNS,
 }, nil
 }
diff --git a/privilege/privilege_linux.go b/privilege/privilege_linux.go
index f724dd45..0846900a 100644
--- a/privilege/privilege_linux.go
+++ b/privilege/privilege_linux.go
@@ -95,4 +95,3 @@ func reExecWithPrivileges() error {
 // Execute and replace current process
 return syscall.Exec(cmd.Path, cmd.Args, cmd.Env)
 }
-
diff --git a/privilege/privilege_stub.go b/privilege/privilege_stub.go
index 54d9d1a5..bc1bd120 100644
--- a/privilege/privilege_stub.go
+++ b/privilege/privilege_stub.go
@@ -11,4 +11,3 @@ import (
 func EnsurePrivileges() error {
 return fmt.Errorf("boundary is only supported on Linux, current platform: %s", runtime.GOOS)
 }
-
diff --git a/proxy/connect.go b/proxy/connect.go
index 3db62555..49e90be9 100644
--- a/proxy/connect.go
+++ b/proxy/connect.go
@@ -1,6 +1,6 @@
 // Package proxy implements HTTP CONNECT method for tunneling HTTPS traffic through a proxy.
 //
-// HTTP CONNECT Method Overview
+// # HTTP CONNECT Method Overview
 //
 // The HTTP CONNECT method is used to establish a tunnel through a proxy server.
 // This is essential for HTTPS proxying because HTTPS requires end-to-end encryption
@@ -19,7 +19,7 @@
 // to establish a tunnel, then performs the TLS handshake and sends HTTPS
 // requests through that tunnel.
 //
-// Non-Transparent Proxy
+// # Non-Transparent Proxy
 //
 // This proxy is "non-transparent" because:
 // - Clients must be explicitly configured to use it (via HTTP_PROXY)
@@ -27,7 +27,7 @@
 // - The proxy terminates TLS, inspects requests, and re-encrypts to the destination
 // - Each HTTP request inside the tunnel is processed separately with rule evaluation
 //
-// CONNECT Request Flow
+// # CONNECT Request Flow
 //
 // The following diagram illustrates how CONNECT works:
 //
diff --git a/proxy/proxy_framework_test.go b/proxy/proxy_framework_test.go
index b294224b..dbfee2bc 100644
--- a/proxy/proxy_framework_test.go
+++ b/proxy/proxy_framework_test.go
@@ -251,7 +251,7 @@ func (pt *ProxyTest) ExpectDeny(proxyURL, hostHeader string) {
 defer resp.Body.Close() //nolint:errcheck
 require.Equal(pt.t, http.StatusForbidden, resp.StatusCode, "Expected 403 Forbidden status")
-
+
 body, err := io.ReadAll(resp.Body)
 require.NoError(pt.t, err, "Failed to read response body")
diff --git a/run/run_linux.go b/run/run_linux.go
index b73579ea..f67d82ba 100644
--- a/run/run_linux.go
+++ b/run/run_linux.go
@@ -22,4 +22,3 @@ func Run(ctx context.Context, logger *slog.Logger, cfg config.AppConfig) error {
 return fmt.Errorf("unknown jail type: %s", cfg.JailType)
 }
 }
-
diff --git a/run/run_stub.go b/run/run_stub.go
index 895fb5fc..14dd6bd2 100644
--- a/run/run_stub.go
+++ b/run/run_stub.go
@@ -14,4 +14,3 @@ import (
 func Run(ctx context.Context, logger *slog.Logger, cfg config.AppConfig) error {
 return fmt.Errorf("boundary is only supported on Linux, current platform: %s", runtime.GOOS)
 }
-