feat: ja4-platform monorepo — 5 services unified, tests & RPM builds standardized

Services:
- ja4sentinel: TLS/JA4 fingerprint capture daemon (Go, libpcap)
- logcorrelator: JA4 log correlation engine (Go, ClickHouse)
- mod_reqin_log: Apache module (C, JSON request logging)
- bot_detector: ML bot detection pipeline (Python)
- dashboard: FastAPI/Streamlit analytics UI (Python)

Shared libraries:
- shared/go/ja4common: logger, config, shutdown, ipfilter (Go module)
- shared/python/ja4_common: ClickHouseClient, ClickHouseSettings (Python package)
- shared/clickhouse/: canonical SQL migrations (10 files)

Build & packaging:
- Unified 3-stage Dockerfile.package for Go RPMs (el8/el9/el10)
- go.work workspace linking sentinel, correlator, ja4common
- Makefile with test-all, build-all, rpm-* targets

Fixes applied:
- go.work: 1.21 → 1.24.6 (required by sentinel)
- correlator Dockerfiles: golang:1.21 → golang:1.24
- replace directives in go.mod for ja4common local path
- pyproject.toml: setuptools.backends → setuptools.build_meta
- Removed static libpcap linking (unavailable on Rocky 9)
- Fixed data races in output/writers_test.go (sync.Mutex + atomic.Int32)
- Rewrote corrupted test files (logger_test.go × 2)

Test coverage:
- correlator: 67.1% total (unixsocket 80.5%, config 91.7%, app 83.3%, multi 87.7%, stdout 100%)
- sentinel: all 10 packages pass (api, capture, config, fingerprint, ipfilter, logging, output, tlsparse)

Documentation:
- README.md + docs/ (architecture, development, 5 services, shared libs, DB schema & migrations)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

services/sentinel/config.yml.example

@@ -0,0 +1,57 @@
+# Sample configuration file for ja4sentinel
+# Copy to config.yml and adjust as needed
+
+core:
+  # Network interface to capture traffic from
+  # "any" captures on all interfaces (default, recommended)
+  # Or specify a specific interface (e.g., eth0, ens192, etc.)
+  interface: any
+
+  # TCP ports to monitor for TLS handshakes
+  listen_ports:
+    - 443
+    - 8443
+
+  # Optional BPF filter (leave empty for auto-generated filter based on listen_ports and local_ips)
+  bpf_filter: ""
+
+  # Local IP addresses to monitor (traffic destined to these IPs will be captured)
+  # Leave empty for auto-detection (recommended) - excludes loopback addresses
+  # Or specify manually: ["192.168.1.10", "10.0.0.5", "2001:db8::1"]
+  local_ips: []
+
+  # Source IP addresses or CIDR ranges to exclude from capture
+  # Useful for filtering out internal traffic, health checks, or monitoring systems
+  # Examples: ["10.0.0.0/8", "192.168.1.1", "172.16.0.0/12"]
+  exclude_source_ips: []
+
+  # Timeout in seconds for TLS handshake extraction (default: 30)
+  flow_timeout_sec: 30
+
+  # Buffer size for packet channel (default: 1000, increase for high-traffic environments)
+  packet_buffer_size: 1000
+
+  # Log level: debug, info, warn, error (default: info)
+  # Can be overridden by JA4SENTINEL_LOG_LEVEL environment variable
+  log_level: info
+
+outputs:
+  # Output to UNIX socket (for systemd/journald or other consumers)
+  # Only JSON LogRecord data is sent - no diagnostic logs
+  - type: unix_socket
+    enabled: true
+    params:
+      socket_path: /var/run/logcorrelator/network.socket
+
+  # Output to stdout (JSON lines)
+  # Diagnostic logs (error, debug, warning) should go here
+  # - type: stdout
+  #   enabled: false
+  #   params: {}
+
+  # Output to file
+  # Only JSON LogRecord data is sent - no diagnostic logs
+  # - type: file
+  #   enabled: false
+  #   params:
+  #     path: /var/log/ja4sentinel/ja4.log