Remove CHANGELOG

Made-with: Cursor

Author: fraware

.editorconfig

@@ -0,0 +1,21 @@
+# https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{py,toml,yml,yaml}]
+indent_style = space
+indent_size = 4
+
+[Makefile]
+indent_style = tab
+
+[*.ps1]
+end_of_line = crlf

.gitattributes

@@ -0,0 +1,10 @@
+* text=auto
+
+*.py text eol=lf
+*.toml text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+*.md text eol=lf
+*.sh text eol=lf
+*.json text eol=lf
+*.ps1 text eol=crlf

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      uv-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "patch"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/pull_request_template.md

@@ -0,0 +1,15 @@
+## Summary
+
+What does this PR change and why?
+
+## Checklist
+
+- [ ] `uv run ruff check .` and `uv run ruff format --check .` pass
+- [ ] `uv run mypy noisecutter/` passes
+- [ ] `uv run pytest tests/` passes (with coverage if you touched core logic)
+- [ ] Documentation updated (`README.md`, `docs/*` when user-visible)
+- [ ] Typos: CI uses `typos` (`_typos.toml`); run locally if you edit a lot of prose
+
+## Notes for reviewers
+
+Optional: risk areas, follow-ups, or migration notes.

.github/workflows/ci.yml

@@ -0,0 +1,61 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.9", "3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Spell check
+        uses: crate-ci/typos@v1
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+          cache-dependency-path: |
+            pyproject.toml
+            uv.lock
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.6.9"
+
+      - name: Sync environment
+        run: uv sync --frozen --extra dev
+
+      - name: Ruff
+        run: uv run ruff check .
+
+      - name: Ruff format (check)
+        run: uv run ruff format --check .
+
+      - name: Mypy
+        run: uv run mypy noisecutter/
+
+      - name: Pytest with coverage
+        run: uv run pytest tests/ --cov=noisecutter --cov-report=term-missing
+
+      - name: Audit locked runtime dependencies
+        run: |
+          uv export --frozen --no-dev --no-hashes --no-emit-project -o /tmp/requirements-audit.txt
+          uvx pip-audit==2.7.3 -r /tmp/requirements-audit.txt --strict

.github/workflows/codeql.yml

@@ -0,0 +1,35 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "24 5 * * 1"
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: python
+
+      - uses: github/codeql-action/autobuild@v3
+
+      - uses: github/codeql-action/analyze@v3

.github/workflows/dependency-review.yml

@@ -0,0 +1,19 @@
+name: Dependency review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate

.github/workflows/pr.yml

@@ -0,0 +1,89 @@
+name: PR fastpath
+
+on:
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: pr-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  go-multi-entry:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+          cache-dependency-path: uv.lock
+
+      - uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.6.9"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+
+      - name: Install Python package
+        run: uv sync --frozen --extra dev
+
+      - name: Install Syft
+        run: bash scripts/install-syft.sh
+        env:
+          SYFT_INSTALL_DIR: ${{ github.workspace }}/bin
+
+      - name: Install govulncheck
+        env:
+          GOBIN: ${{ github.workspace }}/bin
+        run: |
+          mkdir -p "$GOBIN"
+          go install golang.org/x/vuln/cmd/govulncheck@v1.2.0
+
+      - name: Add tools to PATH
+        run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+
+      - name: Go multi-entry — build and verify goldens
+        working-directory: examples/go-multi-entry
+        env:
+          NOISECUTTER_STRICT_REPRO: "1"
+        run: |
+          make all_artifacts
+          make verify-golden
+
+      - name: Upload SARIF (server)
+        uses: github/codeql-action/upload-sarif@v3
+        if: matrix.os == 'ubuntu-latest'
+        with:
+          sarif_file: examples/go-multi-entry/report.server.sarif
+
+  windows-smoke:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+          cache-dependency-path: uv.lock
+
+      - uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.6.9"
+
+      - name: Install and test
+        run: |
+          uv sync --frozen --extra dev
+          uv run pytest tests/ -q --cov=noisecutter

.github/workflows/release.yml

@@ -0,0 +1,95 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+  attestations: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.6.9"
+
+      - name: Set version
+        run: |
+          if [ "${{ github.event_name }}" = "push" ]; then
+            echo "VERSION=${GITHUB_REF_NAME}" >> "$GITHUB_ENV"
+          else
+            echo "VERSION=workflow-${GITHUB_RUN_ID}" >> "$GITHUB_ENV"
+          fi
+
+      - name: Build wheel and sdist
+        run: uv build
+
+      - name: Attest distribution artifacts
+        if: github.event_name == 'push'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            dist/*.whl
+            dist/*.tar.gz
+
+      - name: Test wheel installation
+        run: |
+          python -m venv /tmp/nc-venv
+          /tmp/nc-venv/bin/pip install --upgrade pip
+          /tmp/nc-venv/bin/pip install dist/*.whl
+          /tmp/nc-venv/bin/python -m noisecutter --help
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        run: |
+          docker build -t "ghcr.io/${{ github.repository }}/noisecutter:${{ env.VERSION }}" .
+          docker build -t "ghcr.io/${{ github.repository }}/noisecutter:latest" .
+
+      - name: Test Docker image
+        run: docker run --rm "ghcr.io/${{ github.repository }}/noisecutter:${{ env.VERSION }}" --help
+
+      - name: Log in to GHCR
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        run: |
+          docker push "ghcr.io/${{ github.repository }}/noisecutter:${{ env.VERSION }}"
+          docker push "ghcr.io/${{ github.repository }}/noisecutter:latest"
+
+      - name: Publish to PyPI
+        if: github.event_name == 'push'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/
+          skip-existing: true
+
+      - name: Create GitHub Release
+        if: github.event_name == 'push'
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/*
+          generate_release_notes: true
+          draft: false
+          prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }}

.gitignore

@@ -15,5 +15,8 @@ vulns.json
 report.sarif
 .idea/
 .vscode/
-
+.coverage
+.coverage.*
+htmlcov/
+.noisecutter-cache/