feat(hawk-sdk-python): production hardening (#1)

* feat(hawk-sdk-python): production hardening — ruff, mypy, version bump

- Added ruff linter config (E, F, W, I, N, UP, B, A, SIM, TCH, RUF rules)
- Added mypy strict type checking config
- Added Makefile with standard targets (test, lint, format, typecheck)
- Bumped version to 0.2.0
- Added pytest strict markers and short traceback config

* feat(hawk-sdk-python): align __version__ with pyproject, add User-Agent, full OSS bootstrap

The prior hardening commit bumped pyproject.toml to 0.2.0 but missed
`src/hawk/_version.py`, which still reported 0.1.0. This commit fixes
that inconsistency and lands the OSS standard files that were missing.

Version surface (fixed + added):
  - src/hawk/_version.py — `__version__ = "0.2.0"` (was 0.1.0).
    pyproject.toml was already 0.2.0.
  - src/hawk/client.py — both `HawkClient._build_headers` and
    `AsyncHawkClient._build_headers` now set
    `User-Agent: hawk-sdk-python/<__version__>`. httpx merges
    client-default headers with per-request overrides, so this also
    covers the streaming endpoint without changing the per-request
    `headers={"Accept": "text/event-stream"}` override.

New OSS files (this is the first PR to add them):
  - CHANGELOG.md — Keep-a-Changelog format with [Unreleased] capturing
    this PR + a backfilled [0.1.0] entry for the initial SDK and prior
    hardening pass.
  - CONTRIBUTING.md — quick start with venv + editable install, branch
    flow (this repo branches from main), conventional commits, code
    standards (mypy --strict, ruff, async-first, Pydantic v2,
    User-Agent rule), testing with respx, and the
    bump-both-version-files procedure.
  - SECURITY.md — vulnerability reporting via GitHub Security
    Advisories, in-scope examples (token leakage, TLS misuse, Pydantic
    deserialization issues, redirect host escape), out-of-scope
    pointers (daemon issues to hawk repo, third-party-package issues
    upstream).
  - CODE_OF_CONDUCT.md — Contributor Covenant 2.1.
  - .gitattributes — LF normalization, binary detection, linguist
    hints to collapse lock files.
  - .editorconfig — UTF-8, LF, 4-space indent for Python (PEP 8),
    2-space for YAML/JSON/TOML, no-trim for Markdown.
  - .github/workflows/ci.yml — pytest matrix on Python 3.9 / 3.10 /
    3.11 / 3.12 / 3.13, ruff (lint + format check), mypy --strict,
    build sdist + wheel + twine check.
  - .github/dependabot.yml — weekly pip + github-actions, pip
    grouped by pydantic and pytest to reduce PR noise.
  - .github/PULL_REQUEST_TEMPLATE.md — Summary / Changes / API impact
    (with bump-both-files reminder) / Daemon compatibility / Async
    compatibility (sync + async kept in lock-step) / Testing /
    Checklist (incl. User-Agent rule).
  - .github/ISSUE_TEMPLATE/bug_report.yml — surface dropdown
    (HawkClient / AsyncHawkClient / streaming / retry / tools /
    agent / workflow / typed errors / build), required SDK + daemon
    + Python versions, package-versions textarea.
  - .github/ISSUE_TEMPLATE/feature_request.yml — kind selector
    covering 9 areas (client method / streaming / retry / errors /
    tools / agent-workflow / pydantic / config / tooling) and
    solo-dev fit checks (incl. 'sync and async kept in lock-step',
    'does not break wire-compatibility with existing daemon
    versions').
  - .github/ISSUE_TEMPLATE/config.yml — routes security to
    advisories, questions to discussions, blocks blank issues.
  - .gitignore — expanded from 6 lines to cover the broader Python
    toolchain (venv dirs, .mypy_cache, .ruff_cache, .pytest_cache,
    .tox, .nox, htmlcov, coverage.xml, .env).

Verification:
  - `pytest` — 65/65 pass (1 pre-existing cosmetic warning in
    test_workflow.py about an unawaited coroutine in a mock; not
    introduced by this PR)
  - `hawk.__version__` returns "0.2.0"
  - `HawkClient._build_headers()` returns
    {'Accept': 'application/json', 'User-Agent': 'hawk-sdk-python/0.2.0'}

* chore: standardize eco-wide infra (versioning, CI, hooks, templates)

- VERSION file as single source of truth
- CODEOWNERS for auto-review routing
- Canonical Makefile with standard targets
- release-please config + workflow
- lefthook/pre-commit hooks (conventional commits, fmt, lint, secrets)
- Canonical CI + release GitHub Actions workflows
- Standardized .editorconfig, .gitattributes, CODE_OF_CONDUCT, SECURITY, CONTRIBUTING
- goreleaser config (where applicable)

Part of hawk-eco standardization sweep.

* feat(hawk-sdk-python): adopt agentscope patterns — toolkit, plan, tracing, eval, discovery, memory

Add 6 new modules inspired by agentscope-ai/agentscope:
- toolkit: tool groups, middleware chain, async background execution
- plan: plan-as-tools with contextual hints for autonomous steering
- tracing: OTel decorator-based tracing (zero-cost when disabled)
- evaluate: agent benchmarking framework with N-run aggregation
- discovery: A2A agent discovery (file, HTTP well-known, composite)
- memory_tools: voluntary record/retrieve/forget as agent tools

Author: Patel230

.editorconfig

@@ -0,0 +1,67 @@
+# EditorConfig — https://editorconfig.org
+# Canonical eco-wide template (.shared-templates/editorconfig.tmpl).
+
+root = true
+
+# Default for everything.
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+# Go uses tabs by convention.
+[*.go]
+indent_style = tab
+indent_size = 4
+
+# Python — PEP 8.
+[*.py]
+indent_size = 4
+
+# TypeScript / JavaScript — 2 spaces, ecosystem default.
+[*.{ts,tsx,js,jsx,mjs,cjs}]
+indent_size = 2
+
+# Web assets.
+[*.{html,css,scss}]
+indent_size = 2
+
+# YAML — 2 spaces (ecosystem standard, GitHub Actions, k8s, etc.).
+[*.{yml,yaml}]
+indent_size = 2
+
+# JSON / JSONC.
+[*.{json,jsonc}]
+indent_size = 2
+
+# TOML.
+[*.toml]
+indent_size = 2
+
+# Markdown — 2 spaces, preserve trailing whitespace (used for line breaks).
+[*.md]
+trim_trailing_whitespace = false
+indent_size = 2
+
+# Shell scripts.
+[*.{sh,bash,zsh,fish}]
+indent_size = 4
+
+# Makefiles must use tabs.
+[{Makefile,*.mk}]
+indent_style = tab
+
+# Dockerfiles.
+[Dockerfile*]
+indent_size = 4
+
+# GitHub Actions workflows — 2 spaces.
+[.github/**/*.{yml,yaml}]
+indent_size = 2
+
+# Config files.
+[*.{cfg,ini,conf}]
+indent_size = 4

.gitattributes

@@ -0,0 +1,86 @@
+# Canonical eco-wide .gitattributes template (.shared-templates/gitattributes.tmpl).
+# Auto-detect text files and normalise line endings to LF.
+
+* text=auto eol=lf
+
+# --- Source code -----------------------------------------------------------
+*.go     text eol=lf diff=golang
+*.py     text eol=lf diff=python
+*.ts     text eol=lf
+*.tsx    text eol=lf
+*.js     text eol=lf
+*.jsx    text eol=lf
+*.mjs    text eol=lf
+*.cjs    text eol=lf
+*.rs     text eol=lf diff=rust
+
+# --- Shell + config --------------------------------------------------------
+*.sh     text eol=lf
+*.bash   text eol=lf
+*.toml   text eol=lf
+*.yaml   text eol=lf
+*.yml    text eol=lf
+*.json   text eol=lf linguist-language=JSON
+*.jsonc  text eol=lf linguist-language=JSON
+*.cff    text eol=lf
+
+# --- Documentation ---------------------------------------------------------
+*.md     text eol=lf diff=markdown
+*.txt    text eol=lf
+
+# --- Build / packaging ----------------------------------------------------
+Makefile        text eol=lf
+*.mk            text eol=lf
+Dockerfile*     text eol=lf
+docker-compose*.yml text eol=lf
+.github/**/*.yml    text eol=lf
+.github/**/*.yaml   text eol=lf
+
+# --- Generated artefacts (mark as such for diffs and language stats) ------
+go.mod          text eol=lf linguist-generated
+go.sum          text eol=lf linguist-generated
+*.pb.go         linguist-generated
+*_generated.go  linguist-generated
+package-lock.json   linguist-generated
+pnpm-lock.yaml      linguist-generated
+yarn.lock           linguist-generated
+
+# --- Vendored / external sources ------------------------------------------
+vendor/**       linguist-vendored
+node_modules/** linguist-vendored
+testdata/**     linguist-vendored
+benchmarks/data/** linguist-vendored
+
+# --- Binary files (do not text-normalise) ---------------------------------
+*.exe    binary
+*.dll    binary
+*.so     binary
+*.dylib  binary
+*.a      binary
+*.o      binary
+*.db     binary
+*.sqlite binary
+*.png    binary
+*.jpg    binary
+*.jpeg   binary
+*.gif    binary
+*.ico    binary
+*.svg    text eol=lf
+*.pdf    binary
+*.zip    binary
+*.tar.gz binary
+*.tgz    binary
+*.whl    binary
+
+# --- Source archive hygiene (excluded from `git archive`) -----------------
+.github         export-ignore
+.shared-templates export-ignore
+.gitattributes  export-ignore
+.gitignore      export-ignore
+.editorconfig   export-ignore
+.golangci.yml   export-ignore
+.goreleaser.yml export-ignore
+.goreleaser.yaml export-ignore
+testdata/       export-ignore
+benchmarks/     export-ignore
+e2e/            export-ignore

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,127 @@
+name: Bug report
+description: Something is broken or behaving unexpectedly.
+title: "bug: <one-line summary>"
+labels: ["bug", "triage"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report. Please fill in as much
+        of the form as you can — the more we know, the faster we can fix it.
+
+        Before submitting:
+        - Search [existing issues](https://github.com/GrayCodeAI/hawk-sdk-python/issues) to avoid duplicates.
+        - If this is a security issue, please **do not** file a public issue. See `SECURITY.md`.
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear, concise description of the bug.
+      placeholder: When I call HawkClient.<method>, I expected X but got Y.
+    validations:
+      required: true
+
+  - type: dropdown
+    id: surface
+    attributes:
+      label: Surface
+      description: Which SDK surface is affected?
+      options:
+        - "HawkClient (sync)"
+        - "AsyncHawkClient (async)"
+        - "Streaming (chat_stream / StreamReader)"
+        - "Retry / backoff"
+        - "Tools (chat_with_tools, @tool decorator)"
+        - "Agent / AsyncAgent"
+        - "Workflow / AsyncWorkflow"
+        - "Typed errors (HawkAPIError hierarchy)"
+        - "Build / packaging"
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Minimal Python snippet that reliably reproduces the problem.
+      render: python
+      placeholder: |
+        from hawk import HawkClient
+        with HawkClient() as c:
+            resp = c.chat("hello")
+        # ^ wrong shape / panic / hang / etc.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen instead?
+    validations:
+      required: true
+
+  - type: input
+    id: sdk-version
+    attributes:
+      label: hawk-sdk version
+      description: Output of `python -c "import hawk; print(hawk.__version__)"`.
+      placeholder: "0.2.0"
+    validations:
+      required: true
+
+  - type: input
+    id: daemon-version
+    attributes:
+      label: hawk daemon version
+      description: Output of `hawk version` (the daemon you're hitting).
+      placeholder: "0.2.0"
+    validations:
+      required: true
+
+  - type: input
+    id: python-version
+    attributes:
+      label: Python version
+      description: Output of `python --version`.
+      placeholder: "Python 3.11.9"
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      description: e.g. macOS 14.5 (arm64), Ubuntu 24.04 (amd64), Windows 11 (amd64).
+      placeholder: "macOS 14.5 (arm64)"
+    validations:
+      required: true
+
+  - type: textarea
+    id: deps
+    attributes:
+      label: Relevant package versions
+      description: |
+        Paste the output of `pip freeze | grep -E "^(httpx|pydantic|hawk-sdk)"` (or `uv pip list` equivalent).
+      render: shell
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / traceback
+      description: |
+        Paste any relevant output, including the full traceback.
+        **Redact API tokens, session IDs, and any private data first.**
+      render: shell
+
+  - type: checkboxes
+    id: confirm
+    attributes:
+      label: Confirmation
+      options:
+        - label: I searched existing issues and did not find a duplicate.
+          required: true
+        - label: I redacted any secrets, tokens, or private data from logs.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/GrayCodeAI/hawk-sdk-python/security/advisories/new
+    about: Please report security issues privately via a GitHub Security Advisory. See SECURITY.md.
+  - name: Question / discussion
+    url: https://github.com/GrayCodeAI/hawk-sdk-python/discussions
+    about: Have a question or want to discuss an idea? Open a discussion instead of an issue.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,75 @@
+name: Feature request
+description: Suggest an improvement or a new SDK capability.
+title: "feat: <one-line summary>"
+labels: ["enhancement", "triage"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for proposing a feature. hawk-sdk is a thin Python client for
+        the local hawk daemon. Every feature is evaluated against whether it
+        serves **a single developer** running their own hawk daemon — i.e.
+        it improves ergonomics, lowers latency, or simplifies integration.
+
+        Before submitting:
+        - Search [existing issues](https://github.com/GrayCodeAI/hawk-sdk-python/issues) to avoid duplicates.
+        - For new daemon endpoints, the daemon side must land first.
+
+  - type: dropdown
+    id: kind
+    attributes:
+      label: Kind of feature
+      description: What flavour of change is this?
+      options:
+        - "New client method (wraps a daemon endpoint)"
+        - "Streaming / SSE handling"
+        - "Retry / backoff / resilience"
+        - "Typed errors / error categories"
+        - "Tools (chat_with_tools, @tool decorator)"
+        - "Agent / Workflow orchestration"
+        - "Pydantic model / type-hint improvement"
+        - "Configuration (httpx transport, timeouts, etc.)"
+        - "Tooling / CI / docs / packaging"
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve?
+      description: Describe the user problem first. Solutions can come later.
+      placeholder: When I call <method>, I have to write boilerplate Y because the SDK doesn't expose X.
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: How would you like the SDK to behave? Snippet of API you'd want.
+      render: python
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: |
+        What did you try? What do other SDKs (`openai-python`,
+        `anthropic-sdk-python`, `langchain`, `llama-index`, `dspy`,
+        `instructor`, `marvin`, `pydantic-ai`, `mirascope`, `magentic`)
+        do? Why isn't that enough?
+
+  - type: checkboxes
+    id: principles
+    attributes:
+      label: Solo-developer fit
+      description: hawk-sdk avoids enterprise scope. Confirm this feature respects that.
+      options:
+        - label: Works with zero configuration (sensible defaults).
+        - label: Does not introduce a third-party network dependency.
+        - label: Does not break wire-compatibility with existing daemon versions.
+        - label: Sync and async variants are kept in lock-step.
+        - label: Has an escape hatch (override via parameter, transport, or env).