android-watcher 1.0.0__tar.gz

android_watcher-1.0.0/.editorconfig

@@ -0,0 +1,24 @@
+root = true
+
+# Tabs, width 4, everywhere by default.
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = tab
+indent_size = 4
+tab_width = 4
+
+# Python line length matches [tool.ruff]; indentation is tabs (ruff format).
+[*.py]
+max_line_length = 100
+
+# YAML forbids tab indentation (spec), so it must use spaces.
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+# Markdown keeps trailing whitespace (two trailing spaces = hard line break).
+[*.md]
+trim_trailing_whitespace = false

android_watcher-1.0.0/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,45 @@
+name: Bug report
+description: Something isn't working as documented
+labels: [ "bug" ]
+body:
+  - type: markdown
+    attributes:
+      value: Thanks for the report. Please REDACT secrets (SMTP password, Slack bot token, Telegram bot token) and private paths before pasting.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: What went wrong, and what did you expect instead?
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      placeholder: |
+        1. ...
+        2. ...
+        3. ...
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: android-watcher version or commit
+      description: "`android-watcher --version` or the installed tag."
+    validations:
+      required: false
+  - type: textarea
+    id: env
+    attributes:
+      label: Environment
+      description: Install method (uv tool / pipx / Homebrew / source), OS, Python version, AI mode (claude_cli / off).
+    validations:
+      required: false
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / output
+      description: Relevant output from `android-watcher doctor` or the failing run, with secrets redacted.
+    validations:
+      required: false

android_watcher-1.0.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question / contact
+    url: https://github.com/krayong/android-watcher#contact
+    about: General questions that aren't bugs or feature requests (email androidwatcher@krayong.com).
+  - name: Security vulnerability
+    url: https://github.com/krayong/android-watcher/security/advisories/new
+    about: Report security issues privately, not as a public issue (see SECURITY.md).

android_watcher-1.0.0/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,24 @@
+name: Feature request
+description: Suggest an improvement or a new source/channel
+labels: [ "enhancement" ]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What are you trying to do, and what's missing or awkward today?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: What you'd like to see. For a new catalog source, link the official page and note its type (RSS feed, sitemap, or content page).
+    validations:
+      required: false
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+    validations:
+      required: false

android_watcher-1.0.0/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,14 @@
+## Summary
+
+<!-- What does this PR do and why? -->
+
+## Testing
+
+<!-- Describe how you verified the change. Note: tests run with `uv run pytest` (no live network; recorded fixtures only). -->
+
+## Checklist
+
+- [ ] Tests added or updated for the change
+- [ ] `uv run ruff check .` and `uv run ruff format .` pass with no errors
+- [ ] Comments/docs state facts directly, with no pointers to scratch/planning notes
+- [ ] Follows the guidelines in [CONTRIBUTING.md](../CONTRIBUTING.md)

android_watcher-1.0.0/.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Sync dependencies
+        run: uv sync --frozen
+
+      - name: Ruff lint
+        run: uv run ruff check .
+
+      - name: Ruff format check
+        run: uv run ruff format --check .
+
+      - name: Pytest
+        run: uv run pytest -q
+
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Filesystem scan (not a git BASE..HEAD diff): the diff mode errors when
+      # BASE == HEAD, which happens on a single-commit push to main.
+      - name: Install TruffleHog
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
+            | sh -s -- -b /usr/local/bin v3.88.1
+
+      - name: Scan for verified secrets
+        run: trufflehog filesystem . --only-verified --fail --no-update

android_watcher-1.0.0/.github/workflows/release.yml

@@ -0,0 +1,112 @@
+name: release
+
+# Manual, bump-driven release. Pick the semver part to bump; the job computes the
+# new version from the current one, commits it to main, publishes to PyPI, refreshes
+# the Homebrew formula, and tags the release last.
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: "Semver part to bump (relative to the current version)"
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+permissions:
+  contents: write        # push the bump commit, the formula commit, and the tag
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    environment: prod      # holds the PYPI_TOKEN secret
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: main
+          fetch-depth: 0   # full history so we can push back and tag
+
+      - name: Configure git as the release bot
+        run: |
+          set -euo pipefail
+          git config user.name  "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git fetch --tags --force
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Bump version
+        id: bump
+        run: |
+          uv version --bump "${{ inputs.bump }}"
+          NEW=$(python3 -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
+          echo "version=$NEW" >> "$GITHUB_OUTPUT"
+          echo "Bumped ${{ inputs.bump }} -> $NEW"
+
+      - name: Run tests (no live network)
+        run: uv run pytest
+
+      - name: Build sdist and wheel
+        run: uv build
+
+      - name: Commit version bump to main
+        run: |
+          git add pyproject.toml uv.lock
+          git commit -m "chore: bump version to v${{ steps.bump.outputs.version }}"
+          git push origin HEAD:main
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_TOKEN }}
+
+      - name: Update Homebrew formula
+        run: |
+          VERSION="${{ steps.bump.outputs.version }}"
+          # PyPI's JSON index lags publish by a few seconds; poll until the release shows up.
+          for i in $(seq 1 30); do
+            if curl -fsSL "https://pypi.org/pypi/android-watcher/${VERSION}/json" -o /tmp/pypi.json; then
+              break
+            fi
+            echo "Waiting for PyPI to index ${VERSION} (attempt ${i})…"
+            sleep 10
+          done
+          read -r SDIST_URL SDIST_SHA < <(python3 - <<'PY'
+          import json
+          d = json.load(open("/tmp/pypi.json"))
+          s = next(u for u in d["urls"] if u["packagetype"] == "sdist")
+          print(s["url"], s["digests"]["sha256"])
+          PY
+          )
+          # Point the formula at the freshly published sdist + its hash.
+          python3 - "$SDIST_URL" "$SDIST_SHA" <<'PY'
+          import re, sys
+          url, sha = sys.argv[1], sys.argv[2]
+          p = "Formula/android-watcher.rb"
+          s = open(p).read()
+          s = re.sub(r'  url ".*"', f'  url "{url}"', s, count=1)
+          s = re.sub(r'  sha256 ".*"', f'  sha256 "{sha}"', s, count=1)
+          open(p, "w").write(s)
+          PY
+          # Regenerate every pinned dependency `resource` block against this release.
+          brew update-python-resources Formula/android-watcher.rb
+          git add Formula/android-watcher.rb
+          git commit -m "chore: update homebrew formula for v${VERSION}"
+          git push origin HEAD:main
+
+      - name: Tag the release
+        run: |
+          git tag "v${{ steps.bump.outputs.version }}"
+          git push origin "v${{ steps.bump.outputs.version }}"

android_watcher-1.0.0/.github/workflows/seed.yml

@@ -0,0 +1,67 @@
+name: seed
+
+# Regenerate the bundled baseline seed (src/android_watcher/seed/seed.sql.gz).
+# This runs the full, polite, hours-long crawl of the catalog sources, so it is
+# DELIBERATELY kept off the release path (release.yml just bundles whatever seed
+# is committed). Trigger it manually from the Actions tab, or let the weekly
+# schedule refresh it. You can also generate it locally and push:
+#   uv run python scripts/build_seed.py
+on:
+  workflow_dispatch:
+
+  schedule:
+    - cron: "30 23 * * 0"   # Mondays 05:00 IST (Sun 23:30 UTC)
+
+permissions:
+  contents: write          # commit + push the refreshed seed
+
+concurrency:
+  group: seed
+  cancel-in-progress: false
+
+jobs:
+  build-seed:
+    runs-on: ubuntu-latest
+
+    # The crawl is throttled by a per-host crawl delay; bound it well under the
+    # 6h hard limit. The WIP-DB cache lets a re-run resume an interrupted crawl.
+    timeout-minutes: 350
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Sync dependencies
+        run: uv sync --frozen
+
+      # Persist the partial crawl DB so a retried run continues instead of
+      # restarting (baseline_all skips URLs already baselined).
+      - name: Restore crawl progress
+        uses: actions/cache@v4
+        with:
+          path: .seed-wip.db
+          key: seed-wip-${{ github.run_id }}
+          restore-keys: seed-wip-
+
+      - name: Build the baseline seed
+        run: uv run python scripts/build_seed.py --db .seed-wip.db
+
+      - name: Commit refreshed seed
+        run: |
+          set -euo pipefail
+          git config user.name  "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add src/android_watcher/seed/seed.sql.gz
+          if git diff --staged --quiet; then
+            echo "seed unchanged; nothing to commit"
+          else
+            git commit -m "chore: refresh baseline seed"
+            git push origin HEAD:main
+          fi

android_watcher-1.0.0/.gitignore

@@ -0,0 +1,49 @@
+# Project-specific
+.idea/
+
+# Python bytecode
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Packaging / build
+build/
+dist/
+*.egg
+*.egg-info/
+.eggs/
+wheels/
+
+# Virtual environments
+.venv/
+venv/
+env/
+ENV/
+# NOTE: uv.lock IS committed (pinned deps); do not ignore it.
+
+# Test / coverage / type / lint caches
+.pytest_cache/
+.ruff_cache/
+.mypy_cache/
+.pyright/
+.coverage
+.coverage.*
+coverage.xml
+htmlcov/
+.tox/
+.nox/
+
+# Local env and secrets
+.env
+.env.*
+
+# Editors
+.vscode/
+*.swp
+
+# OS cruft
+.DS_Store
+Thumbs.db
+
+# Planning and design docs (local-only working scratch, not shipped)
+docs/superpowers/

android_watcher-1.0.0/.pre-commit-config.yaml

@@ -0,0 +1,33 @@
+# Local lint + format + hygiene enforcement.
+# Install once with: uv run pre-commit install
+# Run on all files with: uv run pre-commit run --all-files
+# The ruff version here is kept in sync with the pinned dev dependency.
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.18
+    hooks:
+      - id: ruff
+        name: ruff (lint)
+        args: [ --fix ]
+      - id: ruff-format
+        name: ruff (format)
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+        args: [ --markdown-linebreak-ext=md ]
+      - id: end-of-file-fixer
+      - id: check-json
+      - id: check-yaml
+      - id: check-merge-conflict
+      - id: check-added-large-files
+
+  - repo: https://github.com/trufflesecurity/trufflehog
+    rev: v3.88.1
+    hooks:
+      - id: trufflehog
+        name: Scan for secrets
+        entry: trufflehog git file://. --since-commit HEAD --fail
+        language: golang
+        pass_filenames: false

android_watcher-1.0.0/CLAUDE.md

@@ -0,0 +1,158 @@
+# CLAUDE.md
+
+Implementation guide for `android-watcher`. The rules here are the durable source
+of truth. Build to these, not to memory.
+
+## What this is
+
+A self-hosted Python CLI that watches official Google Android sites, detects
+real (not cosmetic) changes on a schedule, uses Claude to triage and describe
+them, ranks the result, and delivers a digest to email or Slack. Single user per
+install. Configured through a Textual TUI that writes a TOML file and installs a
+native scheduled job.
+
+## Commands
+
+```bash
+uv sync                 # install deps from the lockfile
+uv run pytest           # run tests (no live network; recorded fixtures only)
+uv run pytest path::test -v   # one test
+uv run ruff check .     # lint
+uv run ruff format .    # format
+uv tool install .       # install the CLI locally
+```
+
+## Package layout
+
+```
+src/android_watcher/
+  models.py          # dataclasses, exceptions, Check, SignalType, INTERVAL_DELTA
+  config.py          # Config + load_config (env interpolation, validation)
+  catalog/           # catalog.toml (shipped data) + load_catalog
+  store.py           # SQLite: snapshots, changes, deliveries, digests, seen_feed_items, http_cache, run_state; seed import/export
+  seed/              # bundled baseline seed (seed.sql.gz) + apply_seed_if_empty
+  lock.py            # single-instance run lock
+  fetch.py           # async Fetcher: conditional GET, robots, backoff, sitemap cache
+  registry.py        # generic name->class registry
+  detect/            # base + feed, android_sitemap, sitemap, content
+  rank.py            # scoring, per-source caps, overflow
+  triage/            # base + claude_cli, noop
+  notify/            # base + render, email, slack
+  schedule.py        # launchd / systemd / crontab install/remove/status
+  doctor.py          # health checks
+  run.py             # run_once pipeline
+  cli.py             # `android-watcher` entrypoint
+  tui/               # Textual app + pure config<->TOML module
+tests/               # mirrors src; tests/fixtures/ for recorded data
+```
+
+## Durable invariants
+
+These are the rules that make the tool correct. They were hard-won; do not relax
+them without understanding why they exist.
+
+### Detection: candidate then confirm
+
+- A feed item, a sitemap `lastmod` bump, or a content-hash change is a *candidate*, not a change. Confirm it against the
+  actual fetched page content before recording a change. `lastmod` alone never counts: Google bumps it on bulk
+  regenerations, template edits, and translation passes.
+- A detector never emits a `Change` for a health problem (an empty/JS-only render, a path prefix that matches zero
+  sitemap URLs). It logs a warning and returns nothing; `doctor` surfaces the condition.
+- The content detector refuses to baseline a page whose extracted text is below a small threshold (a client-rendered
+  shell), so it never silently hashes nothing forever.
+- Feed dedupe keys on a stable identity: the Atom `<id>` verbatim, else a normalized link URL. Persist the full
+  seen-set. An existing item counts as changed only when its title+summary hash moves.
+- The `android_sitemap` detector is host-agnostic: it parses a host's sitemap (a `<sitemapindex>` of shards, or a single
+  `<urlset>`) once per run, cached on the `Fetcher` keyed by the sitemap-index URL derived from each source's host (
+  `<scheme>://<host>/sitemap.xml`). Sources on the same host share one download (guarded by an `asyncio.Lock`,
+  conditional GET per shard); different hosts each get their own. It serves developer.android.com, source.android.com,
+  developers.google.com, kotlinlang.org, etc. — never download a host's shards per source.
+- English only: locale-prefixed URLs (`/fr/...`, `/pt-br/...`) and `?hl=<non-en>` query variants are dropped at parse
+  time, so only canonical English pages are watched. Match the leading path segment against an explicit locale
+  allowlist, never a generic two-letter regex. Real sections like `/tv`, `/xr`, `/ai` start with two letters and must
+  not be mistaken for locales.
+- Per-source filters (applied against the shared cached entry list): `path_prefix` (include; `""` = whole host),
+  `exclude_prefixes` (drop subtrees), `require_segment` (keep only URLs with a matching path segment, e.g. `android`),
+  and `reference_mode` (`keep` | `drop` | `index_only`). `index_only` keeps only reference index/summary pages — leaf in
+  `{package-summary, packages, classes, composables, modifiers}`, Kotlin-preferred (a Java reference page is dropped
+  when its `/reference/kotlin/...` twin exists), so the huge per-symbol class/function reference is excluded.
+  Most-specific-prefix-wins (scoped per host) routes a URL to its nested source; a `""` catch-all coexists with curated
+  sources for ranking weights.
+- Version-dedup: URLs differing only by a dotted version segment (`9.4`) or a `?version=`/`?api=` query collapse to the
+  latest. Bare-integer paths (`/about/versions/14` vs `/15`) are untouched: those are distinct releases, not versions of
+  one page.
+- Fetch-free first sight, then new-page detection: when a source has no baseline yet (first run / seed import), a
+  brand-new URL is baselined from its `lastmod` alone (empty `content_hash`, no fetch), with no "everything is new"
+  flood. Once a baseline exists, a never-seen URL is content-confirmed and reported as `Change(change_kind="new")`. An
+  already-baselined URL whose `lastmod` moves is content-confirmed; the first real fetch of a fetch-free baseline is
+  itself a silent capture (`confirm_candidate` treats an empty prior `content_hash` as first sight). `lastmod` alone
+  never emits a `Change`.
+- All XML parsing uses `defusedxml`. Honor `robots.txt`. Send a descriptive User-Agent and a crawl delay.
+
+### Pipeline: the delivery ledger
+
+- `run_once` holds a single-instance lock. Overlapping runs exit immediately.
+- The authoritative digest source is the ledger, never this-run detections. Rank `changes_for_digest(enabled_channels)`:
+  substantive changes not yet delivered to every enabled channel, at most one row per `(source_id, url)` (latest by
+  `detected_at`).
+- `record_change` is idempotent on `(source_id, url, fetched_hash)`: it returns the existing row id and never resets a
+  verdict.
+- `set_verdict` is write-once. Triage only touches rows with `verdict IS NULL`.
+- When a ranked change is delivered, `supersede_older` marks older undelivered rows for the same `(source_id, url)` so a
+  page that changed twice yields one digest line, not a stale one.
+- Delivery is per `(change, channel)`, recorded in `deliveries`. Send, then record the delivery transactionally. A
+  channel that already succeeded is never re-sent; a channel that failed is retried next run.
+- An in-flight `digests` row is opened before sending and reconciled on the next startup: re-deliver the undelivered
+  channels, then commit. This closes the crash-between-send-and-commit window.
+- First run baselines silently (no "everything is new" flood); the first digest after baseline is capped.
+- A fresh DB imports the bundled baseline seed (`seed/seed.sql.gz`) before detecting: `apply_seed_if_empty` loads it
+  only when `snapshot_count() == 0`, via `INSERT OR IGNORE` so user data is never overwritten. The seed carries
+  snapshots + feed seen-set + HTTP validators, tagged with a `seed_date` in `run_state` (never `last_successful_run`).
+  The seed is generated by `scripts/build_seed.py` (the one expensive full-content crawl — run locally or via the `seed`
+  workflow, never in `release.yml`) and committed; the build bundles it via the wheel `artifacts` glob. When absent,
+  import is a no-op and the detectors baseline fetch-free instead. `doctor` surfaces the seed date and snapshot count.
+- An empty "nothing notable" digest is sent at most once per catch-up window.
+- Zero channels enabled: short-circuit before opening a digest, still mark the run successful.
+- A missed cycle (machine asleep) is backfilled via `last_successful_run` and `INTERVAL_DELTA`, not dropped.
+
+### AI / triage
+
+- `claude_cli` shells out to `claude -p --output-format json`, strips a markdown code fence from the result before
+  parsing, and on any failure returns `TriageResult(unavailable=<reason>)` without raising. The digest still goes out,
+  with a visible "AI unavailable" banner.
+- Fetched page content is untrusted. Wrap it in per-run nonce-fenced blocks, length-cap it, and instruct the model to
+  treat it as data, never instructions.
+- `noop` (AI off) marks every change substantive with no description and does not filter.
+
+### Config and secrets
+
+- Paths come from `platformdirs`. The config file is written `0600`.
+- String values support `${ENV_VAR}` interpolation on secret-bearing fields, resolved at load. The TUI editor loads with
+  `expand=False` so it preserves `${...}` literals and never crashes on an unset variable.
+- Source selection: start from catalog entries with `enabled=True`; if the user's `enabled_sources` list is non-empty,
+  intersect with it; an empty or absent list means "use the catalog flags," not "none." Custom sources are always
+  watched; on id collision a custom source overrides the catalog. The TUI writes the reserved id `["__none__"]` to
+  mean "watch no catalog sources."
+- SMTP enforces TLS and fails closed. The Slack bot token is a secret.
+
+### Conventions
+
+- Python 3.11+. Async lives only in `fetch.py` and detectors; everything else is synchronous. `run_once` drives the
+  async detectors with `asyncio.run`.
+- Always `datetime.now(timezone.utc)`; never the naive `utcnow()`. The store coerces to UTC-aware at its boundary.
+- Shared types, the four exceptions (`ConfigError`, `AlreadyRunning`, `Disallowed`, `NotifyError`), `Check`,
+  `SignalType`, and `INTERVAL_DELTA` are defined once in `models.py` and imported everywhere, which keeps the import
+  graph acyclic.
+- Registries store classes. `get(name)` returns the class; callers instantiate it with no arguments. Unknown names raise
+  with a message listing the available ones.
+- TDD: write the failing test first with real assertions, make it pass with the minimal real code, commit. No live
+  network in tests; use recorded fixtures under `tests/fixtures/`. A test must exercise the guarantee, not echo the
+  implementation.
+
+## No Stale Plan References
+
+**IMPORTANT:** After any refactor or new feature, do NOT leave references in code or markdown to what the plan
+was — no "per the plan", no "according to decision N", no plan phase or task numbers, no pointer to the
+planning or design doc. Those planning docs are scratch that won't survive, so a citation to them becomes a
+stale, dangling reference the moment they're deleted. State the fact or rule directly; if a decision's
+rationale matters, write the rationale itself, not a pointer to where it was decided.

android_watcher-1.0.0/CODE_OF_CONDUCT.md

@@ -0,0 +1,41 @@
+# Code of Conduct
+
+## Our pledge
+
+This project adopts the [Contributor Covenant](https://www.contributor-covenant.org),
+version 2.1, as its Code of Conduct. We are committed to providing a welcoming,
+respectful, and harassment-free experience for everyone who participates in this
+project, regardless of background or identity.
+
+The full text of the Contributor Covenant v2.1 is available at:
+https://www.contributor-covenant.org/version/2/1/code_of_conduct/
+
+By participating in this project, you agree to uphold its standards: be
+considerate and respectful in all interactions, welcome differing viewpoints,
+accept constructive feedback gracefully, and focus on what is best for the
+community.
+
+## Scope
+
+This Code of Conduct applies within all project spaces (the repository, issue
+tracker, pull requests, and discussions) and when an individual represents the
+project in public spaces.
+
+## Reporting
+
+If you experience or witness unacceptable behavior, report it confidentially to
+the project maintainers by opening a private/security advisory on the project's
+GitHub repository, or by emailing **androidwatcher@krayong.com**. All reports are
+reviewed and investigated promptly and fairly. Maintainers are obligated to
+respect the privacy and security of anyone who reports an incident.
+
+## Enforcement
+
+Maintainers are responsible for clarifying and enforcing these standards and may
+take appropriate, fair corrective action in response to behavior they deem
+inappropriate, threatening, offensive, or harmful, including removing comments,
+commits, code, and contributions, or temporarily or permanently banning a
+contributor for behaviors they judge to violate this Code of Conduct.
+
+Enforcement follows the Contributor Covenant v2.1 enforcement guidelines, linked
+above.