wraith-cli 1.1.0__tar.gz → 1.2.0__tar.gz

wraith_cli-1.2.0/.env.example

@@ -0,0 +1,11 @@
+# Environment Variables Example file
+VIKING_TOKEN=your_token_here
+VIKING_ACCOUNT=default
+VIKING_USER=admin
+
+WRAITH_COMPOSE_PATH=/home/user/example/docker
+
+GITEA_COMPOSE_PATH=/home/user/example/gitea
+GITEA_API_URL="http://your-gitea-instance:3000"
+GITEA_TOKEN="your_personal_access_token"
+GITEA_TEMPLATE_URL="https://gitea.domain.com/user/repo-template.git"

{wraith_cli-1.1.0 → wraith_cli-1.2.0}/.gitea/workflows/test.yml

@@ -1,4 +1,4 @@
-name: Discourse-Bot CI
+name: Wraith-CLI CI
 
 on:
   push:
@@ -9,18 +9,29 @@ jobs:
   test-and-verify:
     runs-on: ghost-runner
     steps:
+
       - name: Check out code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+
+      - name: Install Wraith-CLI
+        run: |
+          uv pip install --system --break-system-packages -e .
+
       - name: Run Production Tests
         run: |
           chmod +x bin/run_tests.sh
           ./bin/run_tests.sh --no-venv
         env:
-          SOVEREIGN_FORUM_URL: "https://mock.forum"
-          SOVEREIGN_API_KEY: "mock_key"
-          SOVEREIGN_USERNAME: "mock_user"
+          VIKING_TOKEN: "your_token_here"
+          VIKING_ACCOUNT: "default"
+          VIKING_USER: "admin"
+          WRAITH_COMPOSE_PATH: "/home/user/example/docker"
+          GITEA_COMPOSE_PATH: "/home/user/example/gitea"
+          GITEA_API_URL: "http://your-gitea-instance:3000"
+          GITEA_TOKEN: "your_personal_access_token"
+          GITEA_TEMPLATE_URL: "https://gitea.domain.com/user/repo-template.git"
           PYTHONPATH: .
 
   auto-merge:

{wraith_cli-1.1.0 → wraith_cli-1.2.0}/.pre-commit-config.yaml

@@ -14,6 +14,19 @@ repos:
        args: ["--fix"]
     -  id: ruff-format
 
+- repo: https://github.com/pre-commit/mirrors-mypy
+  rev: v1.15.0
+  hooks:
+    - id: mypy
+      additional_dependencies: ['types-requests']
+
+- repo: https://github.com/Yelp/detect-secrets
+  rev: v1.5.0
+  hooks:
+    - id: detect-secrets
+      args: ['--baseline', '.secrets.baseline']
+      exclude: package-lock.json
+
 -   repo: local
     hooks:
     -   id: pytest-coverage

wraith_cli-1.2.0/.secrets.baseline

@@ -0,0 +1,131 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2026-04-02T05:45:06Z"
+}

{wraith_cli-1.1.0 → wraith_cli-1.2.0}/CHANGELOG.md

@@ -1,3 +1,5 @@
+## v1.2.0 (2026-04-02)
+
 ## v1.1.0 (2026-03-31)
 
 ## v0.15.0 (2026-03-31)

{wraith_cli-1.1.0 → wraith_cli-1.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: wraith-cli
-Version: 1.1.0
+Version: 1.2.0
 Summary: Sovereign Command Centre for a Ghost Stack
 Project-URL: Homepage, https://git.thomaspeoples.com/thomaspeoples/wraith-cli
 Project-URL: Documentation, https://www.thomaspeoples.com/gitea-repos/wraith-cli/
@@ -38,14 +38,17 @@ Requires-Dist: rich>=13.0.0
 Requires-Dist: typer>=0.9.0
 Provides-Extra: dev
 Requires-Dist: commitizen; extra == 'dev'
+Requires-Dist: detect-secrets; extra == 'dev'
 Requires-Dist: genbadge[coverage]>=1.1.1; extra == 'dev'
 Requires-Dist: mkdocs-material<=10.0; extra == 'dev'
 Requires-Dist: mkdocs<=2.0; extra == 'dev'
+Requires-Dist: mypy; extra == 'dev'
 Requires-Dist: pre-commit; extra == 'dev'
 Requires-Dist: pymdown-extensions>=10.7.0; extra == 'dev'
 Requires-Dist: pytest; extra == 'dev'
 Requires-Dist: pytest-cov; extra == 'dev'
 Requires-Dist: ruff; extra == 'dev'
+Requires-Dist: types-requests; extra == 'dev'
 Description-Content-Type: text/markdown
 
 [![Documentation](https://img.shields.io/badge/docs-live-brightgreen)](https://www.thomaspeoples.com/gitea-repos/wraith-cli/)
@@ -57,68 +60,92 @@ Description-Content-Type: text/markdown
 # 👻 Wraith-CLI
 ### *Sovereign Orchestration for the Ghost Stack*
 
-**Wraith-CLI** is the nervous system of the Ghost Stack. It bridges the gap between high-level containers and bare-metal reality.
+**Wraith-CLI** is the nervous system of the Ghost Stack. It bridges the gap between
+high-level container orchestration and bare-metal reality, providing the "Ghost Factory"
+for instant project scaffolding.
 
 ---
 
-## 🚀 Installation
+## 🏗️ The Ghost Factory (New)
 
-**Wraith-CLI** can be installed via `uv` (recommended) or `pip`:
+The `spawn` command allows you to go from **Idea to Code** in under 5 seconds by
+bleaching a template and provisioning a private Gitea repository automatically.
 
 ```bash
-# Recommended for CLI tools
-uv tool install wraith-cli
-
-# Standard pip
-pip install wraith-cli
+wraith spawn my-new-api
 ```
 
-> **Note:** Ensure ~/.local/bin is in your $PATH.
+1. **🧬 Clones** your `GHOST_TEMPLATE_URL`.
+2. **🧹 Bleaches** all previous git history.
+3. **🌐 Provisions** a new private repo via the Gitea API.
+4. **🚀 Pushes** the clean stack to your Sovereign remote.
 
 ---
 
 ## 🛠️ Operational Manual
 
-| Command | Description |
-| :--- | :--- |
-| wraith ps | Shows all Docker processes in a neat table |
-| wraith status | Heartbeat check for OpenViking (Port 1933). |
-| wraith runner-reset | Wipes and re-registers the Gitea Action Runner. |
-| wraith --help | View the full manifest of available commands. |
+| Command                  | Feature                | Status                                      |
+|--------------------------|------------------------|---------------------------------------------|
+| `wraith spawn <name>`    | **The Ghost Factory**  | 🏗️ Scaffolds new repos via Gitea API.       |
+| `wraith update`          | **Global Update**      | 🟢 PyPI-linked & `uv` powered.              |
+| `wraith ps`              | **Rich Observability** | 🟢 Sovereign Dark styling for Docker.       |
+| `wraith tail <svc>`      | **Flexible Logging**   | 🟢 Supports `--path` & Env Vars.            |
+| `wraith status`          | **Heartbeat**          | 🟢 Monitor OpenViking (Port 1933).          |
+| `wraith runner-reset`    | **Runner Defence**     | 🟢 CI/CD maintenance & registration wipe.  |
+| `wraith --version`       | **Self-Identity**      | 🟢 Eager callback for versioning.           |
 
 ---
 
-## 🏗️ Developer Workspace
+## 🚀 Installation & Updates
 
-We use uv for hermetic environment management.
+**Wraith-CLI** is managed via `uv` for hermetic stability.
 
 ```bash
-### 1. Initialise the Environment
-uv sync --all-extras
-uv run pre-commit install
-
-### 2. The Quality Gate
-uv run pytest
+# Initial Installation
+uv tool install wraith-cli
 
-### 3. Sovereign Deployment
-chmod +x bin/build.sh
-./bin/build.sh
+# Sovereign Update
+wraith update
 ```
 
 ---
 
 ## 🔐 Environment Configuration
 
-Defined in `~/.bashrc` or `.env.private`:
+Defined in your `.env` or system environment. **HTTPS is required** for automated
+Gitea provisioning.
 
-| Variable | Purpose | Default |
-| :--- | :--- | :--- |
-| VIKING_BASE_URL | The API endpoint for the heartbeat check. | http://127.0.0.1:1933/api/v1 |
-| GITEA_COMPOSE_PATH | Path to your Gitea Docker Compose directory. | Required for runner-reset |
+| Variable               | Purpose                                          | Required For    |
+|------------------------|--------------------------------------------------|-----------------|
+| `GITEA_API_URL`        | Base URL (e.g., `https://git.domain.com`)        | `spawn`         |
+| `GITEA_TOKEN`          | Personal Access Token (PAT)                      | `spawn`         |
+| `GITEA_TEMPLATE_URL`   | HTTPS URL of your base `ghost-template`          | `spawn`         |
+| `GITEA_COMPOSE_PATH`   | Path to Gitea Docker directory                   | `runner-reset`  |
+| `VIKING_BASE_URL`      | API endpoint for heartbeat checks                | `status`        |
+| `WRAITH_COMPOSE_PATH`  | Default path for stack logs/ps                   | `tail`, `ps`    |
+
+---
+
+## 🧪 Developer Quality Gate
+
+We use `uv` for hermetic environment management and maintain a strict **>80% coverage**
+requirement.
+
+```bash
+# Initialise the Environment
+uv sync --all-extras
+uv run pre-commit install
+
+# The Quality Gate
+uv run pytest --cov=src
+```
 
 ---
 
 ## 📜 Sovereign Principles
-1. **Distributed Sovereignty:** Available on PyPI for the world, but optimised for local-first, private-registry mirrors
-2. **Atomic Execution:** Use uv run to ensure consistency.
-3. **Hardware First:** Prioritise bare-metal health and container stability.
+
+1. **Distributed Sovereignty:** Available on PyPI for the world, but optimised for
+   local-first, private-registry mirrors.
+2. **Atomic Execution:** Use `uv run` to ensure consistency across the stack.
+3. **Hardware First:** Prioritise bare-metal health and container stability over
+   abstraction.

wraith_cli-1.2.0/README.md

@@ -0,0 +1,98 @@
+[![Documentation](https://img.shields.io/badge/docs-live-brightgreen)](https://www.thomaspeoples.com/gitea-repos/wraith-cli/)
+![PyPI - Version](https://img.shields.io/pypi/v/wraith_cli)
+![PyPI - License](https://img.shields.io/pypi/l/wraith_cli)
+![PyPI - Python Version](https://img.shields.io/pypi/pyversions/wraith_cli)
+
+
+# 👻 Wraith-CLI
+### *Sovereign Orchestration for the Ghost Stack*
+
+**Wraith-CLI** is the nervous system of the Ghost Stack. It bridges the gap between
+high-level container orchestration and bare-metal reality, providing the "Ghost Factory"
+for instant project scaffolding.
+
+---
+
+## 🏗️ The Ghost Factory (New)
+
+The `spawn` command allows you to go from **Idea to Code** in under 5 seconds by
+bleaching a template and provisioning a private Gitea repository automatically.
+
+```bash
+wraith spawn my-new-api
+```
+
+1. **🧬 Clones** your `GHOST_TEMPLATE_URL`.
+2. **🧹 Bleaches** all previous git history.
+3. **🌐 Provisions** a new private repo via the Gitea API.
+4. **🚀 Pushes** the clean stack to your Sovereign remote.
+
+---
+
+## 🛠️ Operational Manual
+
+| Command                  | Feature                | Status                                      |
+|--------------------------|------------------------|---------------------------------------------|
+| `wraith spawn <name>`    | **The Ghost Factory**  | 🏗️ Scaffolds new repos via Gitea API.       |
+| `wraith update`          | **Global Update**      | 🟢 PyPI-linked & `uv` powered.              |
+| `wraith ps`              | **Rich Observability** | 🟢 Sovereign Dark styling for Docker.       |
+| `wraith tail <svc>`      | **Flexible Logging**   | 🟢 Supports `--path` & Env Vars.            |
+| `wraith status`          | **Heartbeat**          | 🟢 Monitor OpenViking (Port 1933).          |
+| `wraith runner-reset`    | **Runner Defence**     | 🟢 CI/CD maintenance & registration wipe.  |
+| `wraith --version`       | **Self-Identity**      | 🟢 Eager callback for versioning.           |
+
+---
+
+## 🚀 Installation & Updates
+
+**Wraith-CLI** is managed via `uv` for hermetic stability.
+
+```bash
+# Initial Installation
+uv tool install wraith-cli
+
+# Sovereign Update
+wraith update
+```
+
+---
+
+## 🔐 Environment Configuration
+
+Defined in your `.env` or system environment. **HTTPS is required** for automated
+Gitea provisioning.
+
+| Variable               | Purpose                                          | Required For    |
+|------------------------|--------------------------------------------------|-----------------|
+| `GITEA_API_URL`        | Base URL (e.g., `https://git.domain.com`)        | `spawn`         |
+| `GITEA_TOKEN`          | Personal Access Token (PAT)                      | `spawn`         |
+| `GITEA_TEMPLATE_URL`   | HTTPS URL of your base `ghost-template`          | `spawn`         |
+| `GITEA_COMPOSE_PATH`   | Path to Gitea Docker directory                   | `runner-reset`  |
+| `VIKING_BASE_URL`      | API endpoint for heartbeat checks                | `status`        |
+| `WRAITH_COMPOSE_PATH`  | Default path for stack logs/ps                   | `tail`, `ps`    |
+
+---
+
+## 🧪 Developer Quality Gate
+
+We use `uv` for hermetic environment management and maintain a strict **>80% coverage**
+requirement.
+
+```bash
+# Initialise the Environment
+uv sync --all-extras
+uv run pre-commit install
+
+# The Quality Gate
+uv run pytest --cov=src
+```
+
+---
+
+## 📜 Sovereign Principles
+
+1. **Distributed Sovereignty:** Available on PyPI for the world, but optimised for
+   local-first, private-registry mirrors.
+2. **Atomic Execution:** Use `uv run` to ensure consistency across the stack.
+3. **Hardware First:** Prioritise bare-metal health and container stability over
+   abstraction.

wraith_cli-1.2.0/docs/architecture.md

@@ -0,0 +1,86 @@
+# 🏛️ Architecture & Decision Records
+
+---
+
+## 1. High-Level Design
+
+Wraith follows a **Functional Core, Imperative Shell** pattern.
+
+- **The Shell (`main.py`):** Handles the "dirty" work of CLI parsing, environment
+  loading, and printing to `stdout`.
+- **The Core (`repo_make.py`, `qol.py`):** Pure logic functions that perform the actual
+  heavy lifting — API calls, Git operations, Docker formatting.
+
+This separation ensures the core remains independently testable without invoking the
+CLI layer, and that the shell stays thin enough to reason about at a glance.
+
+---
+
+## 2. ADR 001 — Tooling Selection
+
+> **Status:** Accepted. These dependencies are intentional and should not be replaced
+> without a corresponding ADR entry.
+
+| Decision           | Choice    | Rationale                                                                                      |
+|--------------------|-----------|------------------------------------------------------------------------------------------------|
+| **CLI Framework**  | `typer`   | Native type-hint support. Built on Click but with significantly less boilerplate.              |
+| **Package Manager**| `uv`      | Rust-based, hermetic, and fast. Replaces `pip`, `poetry`, and `venv` with a single binary.    |
+| **Terminal Output**| `rich`    | First-class Markdown and table rendering. Essential for the Sovereign Dark aesthetic.          |
+| **Testing**        | `pytest`  | Industry standard. Excellent `subprocess` mocking support for hermetic offline tests.          |
+
+---
+
+## 3. ADR 002 — Sovereign Security & Authentication
+
+> **Status:** Accepted. Do not introduce persistent credential storage without
+> revisiting this decision.
+
+**Decision:** Environment-only credential configuration via `.env` or shell exports.
+
+**Rejected alternative:** Storing Gitea credentials in a local SQLite database or
+config file (e.g., `~/.wraith/config`).
+
+**Rationale:** Keeps Wraith stateless between sessions. If a machine is compromised,
+credentials are not sitting in a plaintext config file — they vanish when the shell
+session ends. The attack surface is the user's environment, not Wraith's own storage.
+
+---
+
+## 4. The Quality Gate
+
+We treat **type hints** as a functional requirement, not a suggestion. Because `typer`
+relies on Python 3.12+ annotations to construct its CLI interface, a type error is a
+runtime bug — not a style violation.
+
+### Static Analysis — Ruff
+
+All code is linted and formatted via `ruff` in opinionated mode, enforced at commit
+time via `pre-commit`. This covers style, import ordering, and security anti-patterns
+in a single pass.
+
+### Type Integrity
+
+Type annotations are enforced strictly. Functions accepting a `Path` must not receive
+a `str`; optional environment variables must be handled as `Optional[str]`, not assumed
+present.
+
+### Test Coverage — pytest
+
+We maintain a strict **>80% coverage gate**, with all network and `subprocess` calls
+mocked for offline, hermetic execution.
+
+```bash
+# The Lead Engineer's Pre-Flight Check
+uv run ruff check .      # Linting & security anti-patterns
+uv run ruff format .     # Consistency
+uv run pytest --cov=src  # Logical integrity & coverage gate
+```
+
+---
+
+## 5. Future Roadmap
+
+| Path | Codename            | Description                                                                 |
+|------|---------------------|-----------------------------------------------------------------------------|
+| 3    | **Ghost Watcher**   | Background daemon to monitor stack health via `status` and auto-restart failed runners. |
+| 4    | **Sovereign UI**    | `textual`-based TUI for real-time stack dashboarding.                       |

{wraith_cli-1.1.0 → wraith_cli-1.2.0}/docs/index.md

@@ -1,7 +1,7 @@
 # Wraith CLI
 
 ![Coverage](coverage.svg)
-![Version](https://img.shields.io/badge/version-1.0.1-blue)
+![PyPI - Version](https://img.shields.io/pypi/v/wraith_cli)
 
 ---
 

wraith_cli-1.2.0/docs/reference.md

@@ -0,0 +1,62 @@
+# 🔩 Technical Reference
+
+---
+
+## 🏗️ Architecture
+
+**Wraith** is engineered on **Python 3.12+**. Like its namesake, it is designed for silent, effortless power. It leverages a modern Sovereign stack:
+
+| Concern            | Library      | Role                                                  |
+|--------------------|--------------|-------------------------------------------------------|
+| **Orchestration**  | `typer`      | CLI interface and command routing.                    |
+| **Visuals**        | `rich`       | High-contrast terminal rendering and Markdown support.|
+| **Package Mgmt**   | `uv`         | Lightning-fast, hermetic dependency locking.          |
+| **Networking**     | `requests`   | Gitea API interactions.                               |
+| **System**         | `subprocess` | Low-level Docker and Git execution.                   |
+
+---
+
+## 🧬 Modular Logic
+
+The codebase is partitioned to ensure high testability and separation of concerns:
+
+| Module        | Responsibility                                                          |
+|---------------|-------------------------------------------------------------------------|
+| `main.py`     | **The Switchboard.** CLI routing, UI splash, and env var loading.       |
+| `repo_make.py`| **The Factory.** Gitea API calls and Git "Bleach & Push" logic.         |
+| `qol.py`      | **Quality of Life.** Docker table formatting and version checks.        |
+
+### 🔐 Authentication Logic
+
+Wraith uses **HTTPS Token Injection** to bypass interactive password prompts. When a command requires Gitea access, the logic identifies the protocol and injects credentials as follows:
+
+```
+https://oauth2:{GITEA_TOKEN}@git.domain.com/repo.git
+```
+
+---
+
+## 🚨 Error Codes & Troubleshooting
+
+| Code     | Meaning                  | Resolution                                                     |
+|----------|--------------------------|----------------------------------------------------------------|
+| `0`      | Success                  | Command executed perfectly.                                    |
+| `1`      | Configuration Error      | Missing `.env` variables or 404 API endpoint.                  |
+| `128`    | Git / Auth Error         | Token invalid, or repository already exists on remote.         |
+| `Abort`  | User Cancelled           | Triggered during `runner-reset` if requirements aren't met.    |
+
+---
+
+## 🧪 Test Suite & Quality Gate
+
+We maintain a strict **Sovereign Quality Gate**. No code enters the main branch without passing the full suite.
+
+- **Coverage Target:** >80%, strictly enforced via `pytest-cov`.
+- **Engine:** `pytest` + `coverage.py`.
+- **Mocking:** All network and `subprocess` calls must be mocked under `tests/` to
+  permit offline, hermetic testing.
+
+```bash
+# Run the Gate locally
+uv run pytest --cov=src --cov-report=term-missing
+```

wraith_cli-1.2.0/docs/security.md

@@ -0,0 +1,42 @@
+# 🛡️ Security Policy
+
+---
+
+## 1. The Sovereign Security Model
+
+**Wraith** operates as the nervous system of your stack. Because it handles Personal Access Tokens (PATs) and interacts with Docker sockets, it must be treated as a **High-Privilege Utility**.
+
+> ⚠️ **This software is provided as-is, without warranty of any kind.** Use in production environments is at your own risk. No support, patches, or security updates are guaranteed.
+
+### 🔐 Credential Handling
+
+- **No Persistence:** Wraith does *not* store tokens in its own configuration database. It reads them from the environment (`.env` or shell exports) at runtime.
+- **Memory Safety:** Tokens are used to construct authenticated URLs for Git subprocesses and are not logged to `stdout` or `stderr`.
+- **HTTPS Enforcement:** All Ghost Factory operations require `https://` to ensure tokens are encrypted in transit.
+
+> ⚠️ **Be aware:** On shared hardware, `git clone` URLs containing injected tokens can briefly appear in the system process list (e.g., `ps aux`). See [§3 Hardening](#3-hardening-your-installation) for mitigation.
+
+---
+
+## 2. Reporting a Vulnerability
+
+If you discover a security issue, you are welcome to open a **private Gitea issue** or contact the maintainer directly. However, **no response timeline or resolution is guaranteed.** This project is maintained by a single human puppeteer, on their own terms.
+
+---
+
+## 3. Hardening Your Installation
+
+You downloaded it. You ran it. That makes it your stack now, here's how to keep it clean.
+
+### Token Hygiene
+- **Scope minimally:** Your `GITEA_TOKEN` should carry only the permissions Wraith needs, typically repository read/write. Do not use an admin-scoped token.
+- **Rotate regularly:** Treat PATs like passwords. Rotate on a schedule or immediately following any suspected exposure.
+- **Never commit tokens:** Ensure `.env` is listed in `.gitignore`. The Ghost Factory will not protect you from a pushed credential.
+
+### Environment Isolation
+- Do not run Wraith in environments where `ps aux` or the process environment is visible to untrusted users.
+- Prefer user-scoped shell exports over project-level `.env` files on shared systems.
+
+### Subprocess Awareness
+- Token-injected URLs (e.g., `https://oauth2:{token}@git.domain.com/repo.git`) are passed directly to `git` subprocesses. On shared hardware, these may be transiently visible in the process list.
+- On security-sensitive hosts, consider a **netrc-based credential helper** as an alternative to URL injection, which keeps the token out of the process argument list entirely.