Add stricter configuration defaults

- Bump minimum Python to 3.11, remove 3.10 from CI matrix
- Add security pre-commit hooks: shellcheck, actionlint, zizmor
- Add ruff src path and docstring-code-format settings
- Enable branch coverage with standard exclude patterns
- Add pip-audit dependency group for vulnerability scanning

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dguido

{{cookiecutter.project_slug}}/.github/workflows/tests.yml

@@ -13,7 +13,6 @@ jobs:
     strategy:
       matrix:
         python:
-          - "3.10"
           - "3.11"
           - "3.12"
           - "3.13"

{{cookiecutter.project_slug}}/.pre-commit-config.yaml

@@ -10,6 +10,26 @@ repos:
       - id: check-merge-conflict
       - id: detect-private-key
 
+  # Shell script linting
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+      - id: shellcheck
+        args: [--severity=error]
+
+  # GitHub Actions linting
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.10
+    hooks:
+      - id: actionlint
+
+  # GitHub Actions security audit
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.22.0
+    hooks:
+      - id: zizmor
+        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
+
   - repo: local
     hooks:
       - id: format

{{cookiecutter.project_slug}}/pyproject.toml

@@ -19,7 +19,7 @@ classifiers = [
     "Programming Language :: Python :: 3",
 ]
 dependencies = []
-requires-python = ">=3.10"
+requires-python = ">=3.11"
 
 [build-system]
 requires = ["uv_build>=0.9.0,<0.10.0"]
@@ -41,10 +41,12 @@ lint = [
     "interrogate",
     {%- endif %}
 ]
+audit = ["pip-audit"]
 dev = [
     {include-group = "doc"},
     {include-group = "test"},
     {include-group = "lint"},
+    {include-group = "audit"},
     "prek",
 ]
 
@@ -60,25 +62,35 @@ Issues = "https://github.com/{{ cookiecutter.github_username }}/{{ cookiecutter.
 Source = "https://github.com/{{ cookiecutter.github_username }}/{{ cookiecutter.project_slug }}"
 
 [tool.coverage.run]
+branch = true
 # don't attempt code coverage for the CLI entrypoints
 omit = ["{{ cookiecutter.__project_src_path }}/_cli.py"]
 
+[tool.coverage.report]
+exclude_lines = [
+    "pragma: no cover",
+    "if TYPE_CHECKING:",
+    "if __name__ == .__main__.:",
+]
+
 [tool.ty.terminal]
 error-on-warning = true
 
 [tool.ty.environment]
-python-version = "3.10"
+python-version = "3.11"
 
 [tool.ty.src]
 include = ["src", "test"]
 
 [tool.ruff]
 line-length = 100
-target-version = "py310"
+target-version = "py311"
+src = ["src"]
 
 [tool.ruff.format]
 line-ending = "lf"
 quote-style = "double"
+docstring-code-format = true
 
 [tool.ruff.lint]
 select = ["ALL"]