Merge dev into main: accept production-hardened code

Author: Patel230

.editorconfig

@@ -1,9 +1,9 @@
-# EditorConfig - https://editorconfig.org
-# Consistent coding styles across editors and IDEs
+# EditorConfig — https://editorconfig.org
+# Canonical eco-wide template (.shared-templates/editorconfig.tmpl).
 
 root = true
 
-# Default settings for all files
+# Default for everything.
 [*]
 charset = utf-8
 end_of_line = lf
@@ -12,55 +12,56 @@ trim_trailing_whitespace = true
 indent_style = space
 indent_size = 4
 
-# Go files - tabs per Go convention
+# Go uses tabs by convention.
 [*.go]
 indent_style = tab
 indent_size = 4
 
-# YAML files
+# Python — PEP 8.
+[*.py]
+indent_size = 4
+
+# TypeScript / JavaScript — 2 spaces, ecosystem default.
+[*.{ts,tsx,js,jsx,mjs,cjs}]
+indent_size = 2
+
+# Web assets.
+[*.{html,css,scss}]
+indent_size = 2
+
+# YAML — 2 spaces (ecosystem standard, GitHub Actions, k8s, etc.).
 [*.{yml,yaml}]
 indent_size = 2
 
-# TOML files
-[*.toml]
+# JSON / JSONC.
+[*.{json,jsonc}]
 indent_size = 2
 
-# JSON files
-[*.json]
+# TOML.
+[*.toml]
 indent_size = 2
 
-# Markdown files
+# Markdown — 2 spaces, preserve trailing whitespace (used for line breaks).
 [*.md]
 trim_trailing_whitespace = false
 indent_size = 2
 
-# Shell scripts
-[*.sh]
+# Shell scripts.
+[*.{sh,bash,zsh,fish}]
 indent_size = 4
 
-# Makefiles - must use tabs
-[Makefile]
-indent_style = tab
-
-[*.mk]
+# Makefiles must use tabs.
+[{Makefile,*.mk}]
 indent_style = tab
 
-# Docker files
+# Dockerfiles.
 [Dockerfile*]
 indent_size = 4
 
-# GitHub Actions
-[.github/**/*.yml]
+# GitHub Actions workflows — 2 spaces.
+[.github/**/*.{yml,yaml}]
 indent_size = 2
 
-# Config files
+# Config files.
 [*.{cfg,ini,conf}]
 indent_size = 4
-
-# HTML/CSS/JS (for dashboard)
-[*.{html,css,js,ts}]
-indent_size = 2
-
-# Git config
-[.git*]
-indent_size = 4

.gitattributes

@@ -1,76 +1,86 @@
-# Auto detect text files and perform LF normalization
-* text=auto eol=lf
-
-# Go source files
-*.go text eol=lf diff=golang
-
-# Shell scripts
-*.sh text eol=lf
+# Canonical eco-wide .gitattributes template (.shared-templates/gitattributes.tmpl).
+# Auto-detect text files and normalise line endings to LF.
 
-# Makefiles
-Makefile text eol=lf
+* text=auto eol=lf
 
-# Documentation
-*.md text eol=lf diff=markdown
-*.txt text eol=lf
+# --- Source code -----------------------------------------------------------
+*.go     text eol=lf diff=golang
+*.py     text eol=lf diff=python
+*.ts     text eol=lf
+*.tsx    text eol=lf
+*.js     text eol=lf
+*.jsx    text eol=lf
+*.mjs    text eol=lf
+*.cjs    text eol=lf
+*.rs     text eol=lf diff=rust
 
-# Config files
-*.toml text eol=lf
-*.yaml text eol=lf
-*.yml text eol=lf
-*.json text eol=lf linguist-language=JSON
-*.cff text eol=lf
+# --- Shell + config --------------------------------------------------------
+*.sh     text eol=lf
+*.bash   text eol=lf
+*.toml   text eol=lf
+*.yaml   text eol=lf
+*.yml    text eol=lf
+*.json   text eol=lf linguist-language=JSON
+*.jsonc  text eol=lf linguist-language=JSON
+*.cff    text eol=lf
 
-# Go module files
-go.mod text eol=lf linguist-generated
-go.sum text eol=lf linguist-generated
+# --- Documentation ---------------------------------------------------------
+*.md     text eol=lf diff=markdown
+*.txt    text eol=lf
 
-# Docker
-Dockerfile text eol=lf
+# --- Build / packaging ----------------------------------------------------
+Makefile        text eol=lf
+*.mk            text eol=lf
+Dockerfile*     text eol=lf
 docker-compose*.yml text eol=lf
+.github/**/*.yml    text eol=lf
+.github/**/*.yaml   text eol=lf
 
-# GitHub Actions
-.github/**/*.yml text eol=lf
-
-# Binary files
-*.exe binary
-*.dll binary
-*.so binary
-*.dylib binary
-*.db binary
-*.sqlite binary
-*.png binary
-*.jpg binary
-*.jpeg binary
-*.gif binary
-*.ico binary
-*.pdf binary
-*.zip binary
-*.tar.gz binary
-*.tgz binary
+# --- Generated artefacts (mark as such for diffs and language stats) ------
+go.mod          text eol=lf linguist-generated
+go.sum          text eol=lf linguist-generated
+*.pb.go         linguist-generated
+*_generated.go  linguist-generated
+package-lock.json   linguist-generated
+pnpm-lock.yaml      linguist-generated
+yarn.lock           linguist-generated
 
-# Test data
-tests/testdata/** linguist-vendored
+# --- Vendored / external sources ------------------------------------------
+vendor/**       linguist-vendored
+node_modules/** linguist-vendored
+testdata/**     linguist-vendored
 benchmarks/data/** linguist-vendored
-OSS-REF/** linguist-vendored
-
-# Vendor (if used)
-vendor/** linguist-vendored
 
-# Generated files
-*_generated.go linguist-generated
-*.pb.go linguist-generated
+# --- Binary files (do not text-normalise) ---------------------------------
+*.exe    binary
+*.dll    binary
+*.so     binary
+*.dylib  binary
+*.a      binary
+*.o      binary
+*.db     binary
+*.sqlite binary
+*.png    binary
+*.jpg    binary
+*.jpeg   binary
+*.gif    binary
+*.ico    binary
+*.svg    text eol=lf
+*.pdf    binary
+*.zip    binary
+*.tar.gz binary
+*.tgz    binary
+*.whl    binary
 
-# Export ignore (not included in source archives)
-.github export-ignore
-.gitattributes export-ignore
-.gitignore export-ignore
-.editorconfig export-ignore
-.golangci.yml export-ignore
-OSS-REF/ export-ignore
-benchmarks/ export-ignore
-tests/ export-ignore
-docs/DEEP_COMPETITIVE_ANALYSIS.md export-ignore
-docs/COMPREHENSIVE_OSS_COMPETITORS.md export-ignore
-docs/COMPETITOR_SUMMARY.md export-ignore
-MASTER_TASK_LIST.md export-ignore
+# --- Source archive hygiene (excluded from `git archive`) -----------------
+.github         export-ignore
+.shared-templates export-ignore
+.gitattributes  export-ignore
+.gitignore      export-ignore
+.editorconfig   export-ignore
+.golangci.yml   export-ignore
+.goreleaser.yml export-ignore
+.goreleaser.yaml export-ignore
+testdata/       export-ignore
+benchmarks/     export-ignore
+e2e/            export-ignore

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,97 @@
+name: Bug report
+description: Something is broken or behaving unexpectedly.
+title: "bug: <one-line summary>"
+labels: ["bug", "triage"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report. Please fill in as much
+        of the form as you can — the more we know, the faster we can fix it.
+
+        Before submitting:
+        - Search [existing issues](https://github.com/GrayCodeAI/tok/issues) to avoid duplicates.
+        - If this is a security issue, please **do not** file a public issue. See `SECURITY.md`.
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear, concise description of the bug.
+      placeholder: When I run `tok ...` (or call `tok.Compress(...)`), I expected X but got Y.
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Minimal steps that reliably reproduce the problem.
+      placeholder: |
+        1. Run `tok ...`
+        2. Pipe in `...`
+        3. See output `...` (expected `...`)
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen instead?
+    validations:
+      required: true
+
+  - type: textarea
+    id: input-sample
+    attributes:
+      label: Minimal input sample (if compression-related)
+      description: |
+        If the bug is about compression output / ratio / a specific filter, paste a small,
+        self-contained input that reproduces it. **Redact any secrets, tokens, or private data first.**
+      render: text
+
+  - type: input
+    id: tok-version
+    attributes:
+      label: tok version
+      description: Output of `tok --version` or the git SHA you built from.
+      placeholder: "0.2.0"
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      description: e.g. macOS 14.5 (arm64), Ubuntu 24.04 (amd64), Windows 11 (amd64).
+      placeholder: "macOS 14.5 (arm64)"
+    validations:
+      required: true
+
+  - type: input
+    id: go-version
+    attributes:
+      label: Go version (if building from source)
+      description: Output of `go version`. Skip if you installed a pre-built binary.
+      placeholder: "go version go1.26.1 darwin/arm64"
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / output
+      description: |
+        Paste any relevant output. Re-run with `--verbose` if applicable.
+        **Redact any secrets, tokens, or private data first.**
+      render: shell
+
+  - type: checkboxes
+    id: confirm
+    attributes:
+      label: Confirmation
+      options:
+        - label: I searched existing issues and did not find a duplicate.
+          required: true
+        - label: I redacted any secrets, API keys, or private data from logs.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/GrayCodeAI/tok/security/advisories/new
+    about: Please report security issues privately via a GitHub Security Advisory. See SECURITY.md.
+  - name: Question / discussion
+    url: https://github.com/GrayCodeAI/tok/discussions
+    about: Have a question or want to discuss an idea? Open a discussion instead of an issue.