feat(inspect): production hardening — re-baseline to v0.2.0 + OSS hygiene

.editorconfig

@@ -0,0 +1,67 @@
+# EditorConfig — https://editorconfig.org
+# Canonical eco-wide template (.shared-templates/editorconfig.tmpl).
+
+root = true
+
+# Default for everything.
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+# Go uses tabs by convention.
+[*.go]
+indent_style = tab
+indent_size = 4
+
+# Python — PEP 8.
+[*.py]
+indent_size = 4
+
+# TypeScript / JavaScript — 2 spaces, ecosystem default.
+[*.{ts,tsx,js,jsx,mjs,cjs}]
+indent_size = 2
+
+# Web assets.
+[*.{html,css,scss}]
+indent_size = 2
+
+# YAML — 2 spaces (ecosystem standard, GitHub Actions, k8s, etc.).
+[*.{yml,yaml}]
+indent_size = 2
+
+# JSON / JSONC.
+[*.{json,jsonc}]
+indent_size = 2
+
+# TOML.
+[*.toml]
+indent_size = 2
+
+# Markdown — 2 spaces, preserve trailing whitespace (used for line breaks).
+[*.md]
+trim_trailing_whitespace = false
+indent_size = 2
+
+# Shell scripts.
+[*.{sh,bash,zsh,fish}]
+indent_size = 4
+
+# Makefiles must use tabs.
+[{Makefile,*.mk}]
+indent_style = tab
+
+# Dockerfiles.
+[Dockerfile*]
+indent_size = 4
+
+# GitHub Actions workflows — 2 spaces.
+[.github/**/*.{yml,yaml}]
+indent_size = 2
+
+# Config files.
+[*.{cfg,ini,conf}]
+indent_size = 4

.gitattributes

@@ -0,0 +1,86 @@
+# Canonical eco-wide .gitattributes template (.shared-templates/gitattributes.tmpl).
+# Auto-detect text files and normalise line endings to LF.
+
+* text=auto eol=lf
+
+# --- Source code -----------------------------------------------------------
+*.go     text eol=lf diff=golang
+*.py     text eol=lf diff=python
+*.ts     text eol=lf
+*.tsx    text eol=lf
+*.js     text eol=lf
+*.jsx    text eol=lf
+*.mjs    text eol=lf
+*.cjs    text eol=lf
+*.rs     text eol=lf diff=rust
+
+# --- Shell + config --------------------------------------------------------
+*.sh     text eol=lf
+*.bash   text eol=lf
+*.toml   text eol=lf
+*.yaml   text eol=lf
+*.yml    text eol=lf
+*.json   text eol=lf linguist-language=JSON
+*.jsonc  text eol=lf linguist-language=JSON
+*.cff    text eol=lf
+
+# --- Documentation ---------------------------------------------------------
+*.md     text eol=lf diff=markdown
+*.txt    text eol=lf
+
+# --- Build / packaging ----------------------------------------------------
+Makefile        text eol=lf
+*.mk            text eol=lf
+Dockerfile*     text eol=lf
+docker-compose*.yml text eol=lf
+.github/**/*.yml    text eol=lf
+.github/**/*.yaml   text eol=lf
+
+# --- Generated artefacts (mark as such for diffs and language stats) ------
+go.mod          text eol=lf linguist-generated
+go.sum          text eol=lf linguist-generated
+*.pb.go         linguist-generated
+*_generated.go  linguist-generated
+package-lock.json   linguist-generated
+pnpm-lock.yaml      linguist-generated
+yarn.lock           linguist-generated
+
+# --- Vendored / external sources ------------------------------------------
+vendor/**       linguist-vendored
+node_modules/** linguist-vendored
+testdata/**     linguist-vendored
+benchmarks/data/** linguist-vendored
+
+# --- Binary files (do not text-normalise) ---------------------------------
+*.exe    binary
+*.dll    binary
+*.so     binary
+*.dylib  binary
+*.a      binary
+*.o      binary
+*.db     binary
+*.sqlite binary
+*.png    binary
+*.jpg    binary
+*.jpeg   binary
+*.gif    binary
+*.ico    binary
+*.svg    text eol=lf
+*.pdf    binary
+*.zip    binary
+*.tar.gz binary
+*.tgz    binary
+*.whl    binary
+
+# --- Source archive hygiene (excluded from `git archive`) -----------------
+.github         export-ignore
+.shared-templates export-ignore
+.gitattributes  export-ignore
+.gitignore      export-ignore
+.editorconfig   export-ignore
+.golangci.yml   export-ignore
+.goreleaser.yml export-ignore
+.goreleaser.yaml export-ignore
+testdata/       export-ignore
+benchmarks/     export-ignore
+e2e/            export-ignore

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,108 @@
+name: Bug report
+description: Something is broken or behaving unexpectedly.
+title: "bug: <one-line summary>"
+labels: ["bug", "triage"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report. Please fill in as much
+        of the form as you can — the more we know, the faster we can fix it.
+
+        Before submitting:
+        - Search [existing issues](https://github.com/GrayCodeAI/inspect/issues) to avoid duplicates.
+        - If this is a security issue, please **do not** file a public issue. See `SECURITY.md`.
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear, concise description of the bug.
+      placeholder: When I scan <URL or directory>, I expected X but got Y.
+    validations:
+      required: true
+
+  - type: dropdown
+    id: surface
+    attributes:
+      label: Surface
+      description: How are you using inspect?
+      options:
+        - "Library API (`inspect.Scan`, `inspect.NewScanner`, etc.)"
+        - "MCP (`inspect_scan`, `inspect_scan_dir` tools)"
+        - "GitHub Action (`.github/action.yml`)"
+        - "SARIF output"
+        - "Browser-based checks (`browser/` sub-module)"
+        - "CVE / dependency database"
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: |
+        Minimal Go snippet, MCP call, or scan target that reliably
+        reproduces the problem. **Use a synthetic test site or a public
+        URL — never include credentials or private URLs.**
+      render: go
+      placeholder: |
+        report, err := inspect.Scan(ctx, "https://example.com", inspect.Standard)
+        // ^ wrong finding / missed finding / panic / SSRF / etc.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen instead?
+    validations:
+      required: true
+
+  - type: textarea
+    id: false-positive
+    attributes:
+      label: If this is a false positive / false negative
+      description: |
+        Paste the relevant finding (or the missing one), and explain why
+        you think the verdict is wrong. Include the snippet of the page
+        / response that triggered (or should have triggered) it.
+
+  - type: input
+    id: inspect-version
+    attributes:
+      label: inspect version
+      description: Output of `inspect version` or the git SHA you built from.
+      placeholder: "0.2.0"
+    validations:
+      required: true
+
+  - type: input
+    id: go-version
+    attributes:
+      label: Go version
+      description: Output of `go version`.
+      placeholder: "go version go1.26.1 darwin/arm64"
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / output
+      description: |
+        Paste relevant output. **Redact any secrets, internal URLs, or
+        identifying info first.**
+      render: shell
+
+  - type: checkboxes
+    id: confirm
+    attributes:
+      label: Confirmation
+      options:
+        - label: I searched existing issues and did not find a duplicate.
+          required: true
+        - label: I redacted any secrets, internal URLs, or PII from logs and reproductions.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/GrayCodeAI/inspect/security/advisories/new
+    about: Please report security issues privately via a GitHub Security Advisory. See SECURITY.md.
+  - name: Question / discussion
+    url: https://github.com/GrayCodeAI/inspect/discussions
+    about: Have a question or want to discuss an idea? Open a discussion instead of an issue.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,72 @@
+name: Feature request
+description: Suggest an improvement, a new check, or a new integration.
+title: "feat: <one-line summary>"
+labels: ["enhancement", "triage"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for proposing a feature. inspect is a security/quality scanner
+        for websites and dependencies. Every feature is evaluated against
+        whether it serves **a single developer** running their coding agent
+        locally — i.e. it improves precision/recall, lowers latency, or
+        simplifies integration.
+
+        Before submitting:
+        - Search [existing issues](https://github.com/GrayCodeAI/inspect/issues) to avoid duplicates.
+        - For new check categories, please open a discussion first.
+
+  - type: dropdown
+    id: kind
+    attributes:
+      label: Kind of feature
+      description: What flavour of change is this?
+      options:
+        - "Security check (header, TLS, cookies, SSRF, mixed-content, etc.)"
+        - "Accessibility check (WCAG, ARIA, contrast)"
+        - "SEO / structured-data check"
+        - "Performance check"
+        - "Browser-based / dynamic check (`browser/`)"
+        - "Output format (JSON, SARIF, JUnit, HTML, terminal)"
+        - "Configuration (`.inspect.toml`, options)"
+        - "MCP server / GitHub Action / tooling"
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve?
+      description: Describe the user problem first. Solutions can come later.
+      placeholder: When I scan <type of site>, inspect misses Y / surfaces too many Z.
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: How would you like inspect to behave? Library snippet, MCP tool shape, config sample.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: |
+        What did you try? What do other scanners (gosec, trivy, snyk, grype,
+        osv-scanner, bearer, gitleaks, trufflehog, checkov, tfsec) do? Why
+        isn't that enough?
+
+  - type: checkboxes
+    id: principles
+    attributes:
+      label: Solo-developer fit
+      description: inspect avoids enterprise scope. Confirm this feature respects that.
+      options:
+        - label: Works with zero configuration (sensible defaults).
+        - label: Does not require a network call beyond the scan target itself.
+        - label: Does not weaken SSRF / egress protections.
+        - label: Has an escape hatch (override via option, env, or config).