chore: OSS hardening — community files, gitignore, scratch cleanup

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,80 @@
+name: Bug report
+description: The SDK does something unexpected, crashes, or contradicts its docs.
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for the report. Please fill in everything you can — the more
+        reproducible the bug, the faster it gets fixed.
+
+        **For security issues, please use [Private Vulnerability Reporting](https://github.com/TexasCoding/kalshi-python-sdk/security/advisories/new) instead.**
+
+  - type: input
+    id: sdk_version
+    attributes:
+      label: SDK version
+      description: Output of `python -c "import kalshi; print(kalshi.__version__)"`.
+      placeholder: "2.0.0"
+    validations:
+      required: true
+
+  - type: input
+    id: python_version
+    attributes:
+      label: Python version
+      placeholder: "3.12.10"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: environment
+    attributes:
+      label: Kalshi environment
+      options:
+        - demo
+        - production
+        - unknown / both
+      default: 0
+    validations:
+      required: true
+
+  - type: textarea
+    id: what_happened
+    attributes:
+      label: What happened?
+      description: What did the SDK do? What did you expect instead?
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Minimal reproducer
+      description: |
+        A short script we can run to see the bug. Redact any keys / IDs.
+        Wrap in a Python code fence.
+      render: python
+    validations:
+      required: true
+
+  - type: textarea
+    id: traceback
+    attributes:
+      label: Traceback or relevant log output
+      description: Full traceback if any. Redact URLs that contain tokens.
+      render: shell
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Pre-flight checks
+      options:
+        - label: I searched existing issues for duplicates.
+          required: true
+        - label: I'm on the latest published version (`pip install --upgrade kalshi-sdk`), or noted my version above if not.
+          required: true
+        - label: This is not a security issue (those go through Private Vulnerability Reporting).
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability (private disclosure)
+    url: https://github.com/TexasCoding/kalshi-python-sdk/security/advisories/new
+    about: Report a vulnerability privately. Do NOT open a public issue for security issues.
+  - name: Question / discussion
+    url: https://github.com/TexasCoding/kalshi-python-sdk/discussions
+    about: For usage questions and design discussions that aren't bugs or feature requests.
+  - name: Kalshi API itself
+    url: https://kalshi.com/support
+    about: For issues with the Kalshi API (not the SDK), please contact Kalshi support directly.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,60 @@
+name: Feature request
+description: Suggest a new SDK capability, ergonomics improvement, or API surface change.
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for the suggestion. Please describe the *user need* first,
+        then a proposal — solutions are easier to discuss when the
+        underlying problem is clear.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem does this solve?
+      description: |
+        What are you trying to do that's awkward or impossible today?
+        Avoid jumping to a specific API design — describe the use case.
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: |
+        Concrete suggestion if you have one — an API sketch, a code
+        example of how it would feel to use, etc.
+      render: python
+    validations:
+      required: false
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: What workarounds have you tried? Why aren't they enough?
+    validations:
+      required: false
+
+  - type: input
+    id: spec_link
+    attributes:
+      label: Kalshi API reference (if applicable)
+      description: |
+        Link to the relevant endpoint in https://docs.kalshi.com or the
+        OpenAPI / AsyncAPI spec.
+      placeholder: "https://docs.kalshi.com/openapi.yaml#/markets/get"
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Pre-flight checks
+      options:
+        - label: I searched existing issues for duplicates or related discussions.
+          required: true
+        - label: This is in scope for an SDK (i.e. wraps or improves access to the Kalshi API rather than reimplementing exchange logic).
+          required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,44 @@
+<!--
+Thanks for the PR! A few things to make review fast:
+
+- Title: one-line summary in conventional-commit style (e.g. `fix(ws): ...`).
+- Body: the WHY of the change. The diff shows the WHAT.
+- Link issues with `Closes #N` so they auto-close on merge.
+- For security-sensitive changes, see SECURITY.md.
+-->
+
+## Summary
+
+<!-- One paragraph: what does this PR do, and why? -->
+
+## Changes
+
+<!-- Bullet list of the substantive changes. Skip if the summary covers it. -->
+
+-
+
+## Test plan
+
+- [ ] `uv run pytest tests/ --ignore=tests/integration -q` — unit
+- [ ] `uv run ruff check .` — lint
+- [ ] `uv run mypy kalshi/` — type-check
+- [ ] If touching live endpoints: `uv run pytest tests/integration/` against demo
+- [ ] If adding a new endpoint: registered in `tests/_contract_support.py::METHOD_ENDPOINT_MAP`
+
+## Notes for reviewers
+
+<!--
+Anything reviewers should know that isn't obvious from the diff?
+- Behavior changes (call them out in CHANGELOG too)
+- Non-obvious design decisions
+- Things deferred to a follow-up
+-->
+
+## Issue links
+
+<!--
+Use `Closes #N` to auto-close on merge, or `Refs #N` for partial work.
+Delete this section if the PR doesn't reference an issue.
+-->
+
+Closes #<!-- N -->

.github/workflows/release.yml

@@ -10,10 +10,10 @@ jobs:
     name: Build sdist and wheel
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
 
       - name: Set up Python
         run: uv python install 3.12
@@ -33,7 +33,7 @@ jobs:
       - name: Check artifacts
         run: uv run --with twine twine check dist/*
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: dist
           path: dist/
@@ -49,13 +49,13 @@ jobs:
       id-token: write  # required for PyPI trusted publishing + attestations (OIDC)
       attestations: write  # required to upload sigstore attestations
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
         with:
           name: dist
           path: dist/
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
         with:
           attestations: true
 
@@ -66,11 +66,11 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0  # full history so we can extract the tag's CHANGELOG section
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
         with:
           name: dist
           path: dist/
@@ -92,7 +92,7 @@ jobs:
           fi
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda  # v2.2.1
         with:
           files: dist/*
           body_path: release_notes.md

.gitignore

@@ -16,6 +16,7 @@ wheels/
 
 # Virtual environments
 .venv
+.venv.stale*
 
 # UV lock
 uv.lock
@@ -35,3 +36,12 @@ specs/asyncapi.yaml
 
 # MkDocs build output
 site/
+
+# OS noise
+**/.DS_Store
+
+# Internal planning / audit scratch (kept local, not part of the public repo)
+.planning/
+
+# Agent worktrees (claude-code's isolation: "worktree" mode)
+.claude/worktrees/