GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,39 @@
+---
+name: Bug Report
+about: Report a bug to help us improve GT AI OS
+title: '[Bug] '
+labels: bug
+assignees: ''
+---
+
+## Describe the Bug
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+1. Go to '...'
+2. Click on '...'
+3. See error
+
+## Expected Behavior
+A clear and concise description of what you expected to happen.
+
+## Actual Behavior
+What actually happened instead.
+
+## Screenshots
+If applicable, add screenshots to help explain your problem.
+
+## Environment
+- **OS:** [e.g., macOS 14.0, Ubuntu 22.04]
+- **Architecture:** [e.g., ARM64/Apple Silicon, x86_64]
+- **Docker Version:** [e.g., 24.0.0]
+- **GT AI OS Version:** [e.g., v2.0.33]
+
+## Container Logs
+If relevant, include logs from the affected container:
+```
+docker compose logs <service-name> --tail=50
+```
+
+## Additional Context
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,26 @@
+---
+name: Feature Request
+about: Suggest a new feature for GT AI OS
+title: '[Feature] '
+labels: enhancement
+assignees: ''
+---
+
+## Problem Statement
+A clear and concise description of the problem this feature would solve.
+Ex. "I'm always frustrated when [...]"
+
+## Proposed Solution
+A clear and concise description of what you want to happen.
+
+## Alternatives Considered
+A clear and concise description of any alternative solutions or features you've considered.
+
+## Use Case
+Describe the use case(s) this feature would enable:
+- Who would use this feature?
+- How often would it be used?
+- What workflow does it improve?
+
+## Additional Context
+Add any other context, mockups, or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,15 @@
+## ⚠️ Pull Requests Not Accepted
+
+GT AI OS Community is a **read-only distribution** of GT AI OS.
+
+**We do not accept pull requests.** This PR will be closed without review.
+
+---
+
+### How to Contribute
+
+- **Bug reports:** [Open an issue](https://github.com/GT-Edge-AI-Internal/gt-ai-os-community/issues/new?template=bug_report.md)
+- **Feature requests:** [Open an issue](https://github.com/GT-Edge-AI-Internal/gt-ai-os-community/issues/new?template=feature_request.md)
+- **Questions:** [Start a discussion](https://github.com/GT-Edge-AI-Internal/gt-ai-os-community/discussions)
+
+Thank you for your interest in GT AI OS!

.github/workflows/build-images.yml

@@ -0,0 +1,201 @@
+name: Build and Push Multi-Arch Docker Images
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build-amd64:
+    name: Build ${{ matrix.service }} (amd64)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - control-panel-backend
+          - control-panel-frontend
+          - tenant-backend
+          - tenant-app
+          - resource-cluster
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.service }}
+          tags: |
+            type=ref,event=branch,suffix=-amd64
+            type=ref,event=pr,suffix=-amd64
+            type=semver,pattern={{version}},suffix=-amd64
+            type=sha,prefix={{branch}}-,suffix=-amd64
+
+      - name: Build and push (amd64)
+        uses: docker/build-push-action@v5
+        with:
+          context: apps/${{ matrix.service }}
+          file: apps/${{ matrix.service }}/Dockerfile
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ matrix.service }}-amd64
+          cache-to: type=gha,mode=max,scope=${{ matrix.service }}-amd64
+          provenance: false
+
+  build-arm64:
+    name: Build ${{ matrix.service }} (arm64)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - control-panel-backend
+          - control-panel-frontend
+          - tenant-backend
+          - tenant-app
+          - resource-cluster
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.service }}
+          tags: |
+            type=ref,event=branch,suffix=-arm64
+            type=ref,event=pr,suffix=-arm64
+            type=semver,pattern={{version}},suffix=-arm64
+            type=sha,prefix={{branch}}-,suffix=-arm64
+
+      - name: Build and push (arm64)
+        uses: docker/build-push-action@v5
+        with:
+          context: apps/${{ matrix.service }}
+          file: apps/${{ matrix.service }}/Dockerfile
+          platforms: linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ matrix.service }}-arm64
+          cache-to: type=gha,mode=max,scope=${{ matrix.service }}-arm64
+          provenance: false
+
+  create-manifest:
+    name: Create multi-arch manifest for ${{ matrix.service }}
+    runs-on: ubuntu-latest
+    needs: [build-amd64, build-arm64]
+    if: github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - control-panel-backend
+          - control-panel-frontend
+          - tenant-backend
+          - tenant-app
+          - resource-cluster
+    steps:
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Determine tags
+        id: tags
+        run: |
+          # Get branch/tag name
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            TAG="${{ github.ref_name }}"
+          elif [[ "${{ github.ref }}" == refs/heads/* ]]; then
+            TAG="${GITHUB_REF#refs/heads/}"
+          else
+            TAG="${{ github.sha }}"
+          fi
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+
+          # Set latest tag only for main branch
+          if [[ "${TAG}" == "main" ]]; then
+            echo "latest=true" >> $GITHUB_OUTPUT
+          else
+            echo "latest=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create and push multi-arch manifest
+        run: |
+          # Lowercase the repository name (Docker requires lowercase)
+          REPO_LOWER=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          IMAGE="${{ env.REGISTRY }}/${REPO_LOWER}/${{ matrix.service }}"
+          TAG="${{ steps.tags.outputs.tag }}"
+
+          # Create manifest from arch-specific images
+          docker buildx imagetools create -t ${IMAGE}:${TAG} \
+            ${IMAGE}:${TAG}-amd64 \
+            ${IMAGE}:${TAG}-arm64
+
+          # Also tag as latest if on main
+          if [[ "${{ steps.tags.outputs.latest }}" == "true" ]]; then
+            docker buildx imagetools create -t ${IMAGE}:latest \
+              ${IMAGE}:${TAG}-amd64 \
+              ${IMAGE}:${TAG}-arm64
+          fi
+
+          # If this is a version tag, also create version manifest
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            VERSION="${{ github.ref_name }}"
+            docker buildx imagetools create -t ${IMAGE}:${VERSION} \
+              ${IMAGE}:${TAG}-amd64 \
+              ${IMAGE}:${TAG}-arm64
+          fi