chore: standardize eco-wide infra (versioning, CI, hooks, templates)

- VERSION file as single source of truth
- CODEOWNERS for auto-review routing
- Canonical Makefile with standard targets
- release-please config + workflow
- lefthook/pre-commit hooks (conventional commits, fmt, lint, secrets)
- Canonical CI + release GitHub Actions workflows
- Standardized .editorconfig, .gitattributes, CODE_OF_CONDUCT, SECURITY, CONTRIBUTING
- goreleaser config (where applicable)

Part of hawk-eco standardization sweep.

Author: Patel230

.editorconfig

@@ -1,29 +1,67 @@
+# EditorConfig — https://editorconfig.org
+# Canonical eco-wide template (.shared-templates/editorconfig.tmpl).
+
 root = true
 
+# Default for everything.
 [*]
 charset = utf-8
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
 indent_style = space
-indent_size = 2
-
-# Python: 4 spaces (PEP 8).
-[*.py]
-indent_style = space
 indent_size = 4
-max_line_length = 100
 
-# Makefile-likes use tabs by language convention.
-[{Makefile,*.mk,**.mk}]
+# Go uses tabs by convention.
+[*.go]
 indent_style = tab
 indent_size = 4
 
-# YAML / JSON / TOML: 2 spaces.
-[*.{yml,yaml,json,toml}]
-indent_style = space
+# Python — PEP 8.
+[*.py]
+indent_size = 4
+
+# TypeScript / JavaScript — 2 spaces, ecosystem default.
+[*.{ts,tsx,js,jsx,mjs,cjs}]
+indent_size = 2
+
+# Web assets.
+[*.{html,css,scss}]
+indent_size = 2
+
+# YAML — 2 spaces (ecosystem standard, GitHub Actions, k8s, etc.).
+[*.{yml,yaml}]
+indent_size = 2
+
+# JSON / JSONC.
+[*.{json,jsonc}]
+indent_size = 2
+
+# TOML.
+[*.toml]
 indent_size = 2
 
-# Markdown: trailing whitespace can be significant (line break with two spaces).
+# Markdown — 2 spaces, preserve trailing whitespace (used for line breaks).
 [*.md]
 trim_trailing_whitespace = false
+indent_size = 2
+
+# Shell scripts.
+[*.{sh,bash,zsh,fish}]
+indent_size = 4
+
+# Makefiles must use tabs.
+[{Makefile,*.mk}]
+indent_style = tab
+
+# Dockerfiles.
+[Dockerfile*]
+indent_size = 4
+
+# GitHub Actions workflows — 2 spaces.
+[.github/**/*.{yml,yaml}]
+indent_size = 2
+
+# Config files.
+[*.{cfg,ini,conf}]
+indent_size = 4

.gitattributes

@@ -1,38 +1,86 @@
-# Default: normalize line endings to LF on commit, leave the working copy alone.
+# Canonical eco-wide .gitattributes template (.shared-templates/gitattributes.tmpl).
+# Auto-detect text files and normalise line endings to LF.
+
 * text=auto eol=lf
 
-# Explicitly LF for source, scripts, and config — never CRLF.
-*.py     text eol=lf
-*.md     text eol=lf
-*.yml    text eol=lf
-*.yaml   text eol=lf
-*.json   text eol=lf
-*.toml   text eol=lf
-*.cfg    text eol=lf
-*.ini    text eol=lf
+# --- Source code -----------------------------------------------------------
+*.go     text eol=lf diff=golang
+*.py     text eol=lf diff=python
+*.ts     text eol=lf
+*.tsx    text eol=lf
+*.js     text eol=lf
+*.jsx    text eol=lf
+*.mjs    text eol=lf
+*.cjs    text eol=lf
+*.rs     text eol=lf diff=rust
+
+# --- Shell + config --------------------------------------------------------
 *.sh     text eol=lf
-Makefile text eol=lf
+*.bash   text eol=lf
+*.toml   text eol=lf
+*.yaml   text eol=lf
+*.yml    text eol=lf
+*.json   text eol=lf linguist-language=JSON
+*.jsonc  text eol=lf linguist-language=JSON
+*.cff    text eol=lf
+
+# --- Documentation ---------------------------------------------------------
+*.md     text eol=lf diff=markdown
+*.txt    text eol=lf
+
+# --- Build / packaging ----------------------------------------------------
+Makefile        text eol=lf
+*.mk            text eol=lf
+Dockerfile*     text eol=lf
+docker-compose*.yml text eol=lf
+.github/**/*.yml    text eol=lf
+.github/**/*.yaml   text eol=lf
 
-# Windows-only files keep CRLF.
-*.bat    text eol=crlf
-*.cmd    text eol=crlf
-*.ps1    text eol=crlf
+# --- Generated artefacts (mark as such for diffs and language stats) ------
+go.mod          text eol=lf linguist-generated
+go.sum          text eol=lf linguist-generated
+*.pb.go         linguist-generated
+*_generated.go  linguist-generated
+package-lock.json   linguist-generated
+pnpm-lock.yaml      linguist-generated
+yarn.lock           linguist-generated
 
-# Binary files — never diffed, never EOL-normalized.
+# --- Vendored / external sources ------------------------------------------
+vendor/**       linguist-vendored
+node_modules/** linguist-vendored
+testdata/**     linguist-vendored
+benchmarks/data/** linguist-vendored
+
+# --- Binary files (do not text-normalise) ---------------------------------
+*.exe    binary
+*.dll    binary
+*.so     binary
+*.dylib  binary
+*.a      binary
+*.o      binary
+*.db     binary
+*.sqlite binary
 *.png    binary
 *.jpg    binary
 *.jpeg   binary
 *.gif    binary
 *.ico    binary
+*.svg    text eol=lf
+*.pdf    binary
 *.zip    binary
-*.tar    binary
 *.tar.gz binary
-*.gz     binary
-*.pdf    binary
+*.tgz    binary
 *.whl    binary
 
-# Generated / lock files — collapse in PR diffs (GitHub linguist hint).
-poetry.lock        linguist-generated=true
-Pipfile.lock       linguist-generated=true
-uv.lock            linguist-generated=true
-requirements*.txt  linguist-generated=true
+# --- Source archive hygiene (excluded from `git archive`) -----------------
+.github         export-ignore
+.shared-templates export-ignore
+.gitattributes  export-ignore
+.gitignore      export-ignore
+.editorconfig   export-ignore
+.golangci.yml   export-ignore
+.goreleaser.yml export-ignore
+.goreleaser.yaml export-ignore
+testdata/       export-ignore
+benchmarks/     export-ignore
+e2e/            export-ignore

.github/workflows/ci.yml

@@ -1,3 +1,6 @@
+# Canonical CI workflow for hawk-eco Python repos.
+# Source of truth: .shared-templates/workflows/python-ci.yml.tmpl
+
 name: CI
 
 on:
@@ -9,9 +12,13 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test:
-    name: Test (Python ${{ matrix.python-version }})
+    name: test (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -31,7 +38,7 @@ jobs:
         run: pytest --strict-markers --tb=short
 
   lint:
-    name: Lint (ruff)
+    name: lint (ruff)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -49,7 +56,7 @@ jobs:
         run: ruff format --check .
 
   typecheck:
-    name: Type check (mypy --strict)
+    name: typecheck (mypy --strict)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -64,8 +71,24 @@ jobs:
       - name: mypy
         run: mypy src/
 
+  security:
+    name: security (pip-audit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+      - name: Install
+        run: |
+          python -m pip install --upgrade pip pip-audit
+          pip install -e ".[dev]"
+      - name: pip-audit
+        run: pip-audit
+
   build:
-    name: Build sdist + wheel
+    name: build (sdist + wheel)
     runs-on: ubuntu-latest
     needs: [test, lint, typecheck]
     steps:
@@ -74,10 +97,9 @@ jobs:
         with:
           python-version: "3.12"
           cache: pip
-      - name: Install build
+      - name: Install build tools
         run: |
-          python -m pip install --upgrade pip
-          pip install build twine
+          python -m pip install --upgrade pip build twine
       - name: Build
         run: python -m build
       - name: Twine check

.github/workflows/release-please.yml

@@ -0,0 +1,43 @@
+# Canonical release-please workflow for hawk-eco repos.
+# Opens / updates a release PR on every push to main; on merge of that PR,
+# tags the new release. The tag triggers goreleaser (separate workflow).
+#
+# Source of truth: .shared-templates/release-please.yml.tmpl at the eco root.
+
+name: release-please
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+concurrency:
+  group: release-please-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run release-please
+        id: release
+        uses: googleapis/release-please-action@v4
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Summary
+        if: always()
+        run: |
+          if [[ "${{ steps.release.outputs.release_created }}" == "true" ]]; then
+            echo "Released ${{ steps.release.outputs.tag_name }}." >> $GITHUB_STEP_SUMMARY
+          elif [[ "${{ steps.release.outputs.pr }}" != "" ]]; then
+            echo "Updated release PR: ${{ steps.release.outputs.pr }}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No release-relevant changes detected." >> $GITHUB_STEP_SUMMARY
+          fi

.github/workflows/release.yml

@@ -0,0 +1,41 @@
+# Canonical PyPI publish workflow for hawk-eco Python repos.
+# Triggered by release-please when it pushes a v* tag.
+# Source of truth: .shared-templates/workflows/python-release.yml.tmpl
+#
+# Uses PyPI Trusted Publishing (OIDC) — no API tokens stored in GitHub.
+# Configure once at https://pypi.org/manage/account/publishing/
+
+name: release
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: read
+  id-token: write   # required for PyPI Trusted Publishing
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/hawk-sdk
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tooling
+        run: |
+          python -m pip install --upgrade pip build
+
+      - name: Build sdist + wheel
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/

.pre-commit-config.yaml

@@ -0,0 +1,43 @@
+# Canonical pre-commit config for hawk-eco Python repos.
+# Source of truth: .shared-templates/pre-commit-config.yaml.tmpl
+#
+# Install:    pip install pre-commit
+# Activate:   pre-commit install --install-hooks
+# Run all:    pre-commit run --all-files
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: '\.md$'           # markdown uses trailing whitespace for line breaks
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-added-large-files
+        args: [--maxkb=512]
+      - id: detect-private-key
+      - id: mixed-line-ending
+        args: [--fix=lf]
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: ruff
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.13.0
+    hooks:
+      - id: mypy
+        additional_dependencies: [pydantic>=2.0, httpx>=0.25]
+        args: [--strict, --ignore-missing-imports]
+
+  - repo: https://github.com/commitizen-tools/commitizen
+    rev: v3.30.1
+    hooks:
+      - id: commitizen
+        stages: [commit-msg]