ozeranskii
diff --git a/‎GOVERNANCE.md‎
Lines changed: 132 additions & 0 deletions b/‎GOVERNANCE.md‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 14 additions & 5 deletions b/‎README.md‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎ROADMAP.md‎
Lines changed: 108 additions & 0 deletions b/‎ROADMAP.md‎
Lines changed: 108 additions & 0 deletions
@@ -0,0 +1,132 @@
+# Governance
+
+This document describes how the httptap project is organized, who makes
+decisions, and how those decisions are made. It is intentionally minimal and
+reflects the project's current scale: a small open-source utility maintained
+primarily by a single person.
+
+If the project grows, this document will be updated accordingly — proposals
+to amend governance are themselves accepted as pull requests against this
+file.
+
+## Project Type
+
+httptap is an independent open-source project distributed under the
+[Apache License 2.0](LICENSE). It is not currently part of any foundation,
+company, or consortium.
+
+## Roles
+
+### Maintainer
+
+The maintainer is responsible for the long-term direction of the project,
+has write access to the repository, and is accountable for releases.
+
+- **Current maintainer:** Sergei Ozeranskii
+  ([@ozeranskii](https://github.com/ozeranskii))
+
+Responsibilities:
+
+- Triage issues and pull requests.
+- Review, approve, and merge contributions.
+- Cut releases and publish to PyPI.
+- Respond to vulnerability reports per [SECURITY.md](SECURITY.md).
+- Keep [ROADMAP.md](ROADMAP.md) and project documentation current.
+- Enforce the [Code of Conduct](CODE_OF_CONDUCT.md).
+
+### Reviewer
+
+Reviewers are trusted contributors who review pull requests on behalf of the
+maintainer. Reviewers do **not** have write access; their reviews are
+advisory and must still be accepted by the maintainer before merge.
+
+The project currently has no formal reviewers beyond the maintainer.
+Candidates are invited after a sustained track record of high-quality
+contributions.
+
+### Contributor
+
+Anyone who submits an issue, pull request, or documentation improvement.
+Contribution requirements are documented in
+[CONTRIBUTING.md](CONTRIBUTING.md).
+
+## Decision Making
+
+The project uses a **benevolent dictator for life (BDFL)** model: the
+maintainer has final say on all changes. In practice, most decisions are
+consensus-driven through pull request review, and disagreements are
+resolved by public discussion on GitHub.
+
+- **Day-to-day changes** (bug fixes, documentation, minor features): merged
+  once the maintainer approves the pull request and CI passes.
+- **Significant changes** (new public API, breaking changes, dependency
+  additions): discussed in a GitHub issue before implementation.
+- **Scope changes** (items moving in or out of [ROADMAP.md](ROADMAP.md)):
+  decided by the maintainer after community feedback on the relevant issue.
+- **Governance changes** (this file, CODE_OF_CONDUCT, SECURITY, LICENSE):
+  require explicit maintainer approval of a pull request.
+
+## Contribution Process
+
+See [CONTRIBUTING.md](CONTRIBUTING.md). In short:
+
+1. Open or comment on an issue to signal intent for non-trivial work.
+2. Fork the repository and submit a pull request from a feature branch.
+3. Ensure `uv run pre-commit run --all-files` and `uv run pytest` pass.
+4. Address review feedback; the maintainer merges when ready.
+
+Contributions are accepted under the inbound=outbound licensing model
+(Apache-2.0 for code, CC-BY-4.0 for documentation); no separate Contributor
+License Agreement (CLA) is required.
+
+## Releases
+
+Releases are cut by the maintainer using the automated release workflow in
+[`.github/workflows/release.yml`](.github/workflows/release.yml).
+
+- **Cadence:** as-needed, typically every 2–6 weeks.
+- **Versioning:** [Semantic Versioning 2.0.0](https://semver.org).
+- **Channel:** [PyPI](https://pypi.org/project/httptap/) via OIDC Trusted
+  Publishing (no long-lived API tokens).
+- **Supply chain:** releases are signed with Sigstore keyless signing and
+  ship SLSA v1.0 build provenance attestations via
+  `actions/attest-build-provenance`.
+- **Supported versions:** see [SECURITY.md](SECURITY.md).
+
+## Continuity
+
+To ensure the project can continue with minimal interruption if the current
+maintainer becomes unavailable:
+
+- **Source code** is mirrored to every contributor's fork and to PyPI sdist;
+  the repository can be forked and continued by anyone under Apache-2.0.
+- **Release infrastructure** relies on GitHub-native OIDC Trusted Publishing
+  rather than long-lived secrets; a new maintainer with PyPI project
+  ownership can continue releases without any key handoff.
+- **PyPI project ownership** can be recovered via PyPI's account recovery
+  process (maintainer recovery email is on file with PyPI).
+- **Domain** (`httptap.dev`) and GitHub account recovery are covered by the
+  maintainer's personal credential inheritance plan.
+- **Issue trackers and discussions** continue to work on GitHub without
+  maintainer action.
+
+In the event of prolonged maintainer absence (>30 days with no response),
+the community is encouraged to fork the project under Apache-2.0 and
+self-organize. Such a fork may request transfer of the `httptap` PyPI name
+from the PyPI administrators if the original project is abandoned.
+
+## Code of Conduct
+
+All participants — maintainer, reviewers, contributors, and commenters —
+are expected to follow the [Code of Conduct](CODE_OF_CONDUCT.md).
+
+## Security Reporting
+
+Vulnerabilities are reported privately via GitHub Security Advisories, as
+documented in [SECURITY.md](SECURITY.md). Public issue reports for
+security-sensitive bugs are discouraged.
+
+## Amending This Document
+
+Open a pull request. Non-trivial changes to governance should be discussed
+in an issue first so the community can weigh in.
@@ -7,7 +7,8 @@
 <table>
   <tr>
     <th>Releases</th>
-    <th>CI &amp; Analysis</th>
+    <th>CI &amp; Quality</th>
+    <th>Security</th>
     <th>Project Info</th>
   </tr>
   <tr>
@@ -23,17 +24,25 @@
       <a href="https://github.com/ozeranskii/httptap/actions/workflows/ci.yml">
         <img src="https://github.com/ozeranskii/httptap/actions/workflows/ci.yml/badge.svg" alt="CI" />
       </a><br />
+      <a href="https://codecov.io/github/ozeranskii/httptap">
+        <img src="https://codecov.io/github/ozeranskii/httptap/graph/badge.svg?token=OFOHOI1X5J" alt="Coverage" />
+      </a><br />
+      <a href="https://codspeed.io/ozeranskii/httptap?utm_source=badge">
+        <img src="https://img.shields.io/endpoint?url=https://codspeed.io/badge.json" alt="CodSpeed Badge" />
+      </a>
+    </td>
+    <td>
       <a href="https://github.com/ozeranskii/httptap/actions/workflows/codeql.yml">
         <img src="https://github.com/ozeranskii/httptap/actions/workflows/codeql.yml/badge.svg" alt="CodeQL" />
       </a><br />
       <a href="https://scorecard.dev/viewer/?uri=github.com/ozeranskii/httptap">
         <img src="https://api.scorecard.dev/projects/github.com/ozeranskii/httptap/badge" alt="OpenSSF Scorecard" />
       </a><br />
-      <a href="https://codecov.io/github/ozeranskii/httptap">
-        <img src="https://codecov.io/github/ozeranskii/httptap/graph/badge.svg?token=OFOHOI1X5J" alt="Coverage" />
+      <a href="https://www.bestpractices.dev/projects/12474">
+        <img src="https://www.bestpractices.dev/projects/12474/badge" alt="OpenSSF Best Practices" />
       </a><br />
-      <a href="https://codspeed.io/ozeranskii/httptap?utm_source=badge">
-        <img src="https://img.shields.io/endpoint?url=https://codspeed.io/badge.json" alt="CodSpeed Badge" />
+      <a href="https://www.bestpractices.dev/projects/12474">
+        <img src="https://www.bestpractices.dev/projects/12474/baseline" alt="OpenSSF Baseline" />
       </a>
     </td>
     <td>
 
@@ -0,0 +1,108 @@
+# Roadmap
+
+This document describes what httptap intends to do — and, equally
+importantly, what it does **not** intend to do — over roughly the next
+twelve months. It is intentionally light on dates and heavy on scope: the
+project is maintained by a single person in their spare time, so concrete
+schedules would be misleading.
+
+The roadmap is living. Opening an issue to propose a change is welcome and
+is the preferred way to request scope adjustments. Merged scope changes are
+reflected here in the same pull request.
+
+**Last reviewed:** 2026-04-12
+
+## Mission
+
+`httptap` is a diagnostic command-line tool that dissects a single HTTP
+request into its constituent phases (DNS, TCP connect, TLS handshake,
+server wait, body transfer) and renders those timings in a form suitable
+for humans, logs, or scripts. The mission is to make per-phase HTTP timing
+legible to a developer the same way a browser's waterfall makes it legible
+to a web author — but from the terminal, without a browser, and without
+pulling in a heavyweight framework.
+
+## Current Phase: Maintenance & Polish
+
+The project is stable and in active maintenance. The release cadence is
+dictated by:
+
+- incoming bug reports and security updates,
+- dependency refreshes via Dependabot,
+- small quality-of-life improvements contributed by users or the maintainer.
+
+There is no committed feature list. New functionality is added only when it
+clearly serves the mission and fits within the non-goals below.
+
+## In Scope
+
+The following themes are accepted as potential work. Specific items only
+materialize when the maintainer or a contributor actually picks them up.
+
+- **Core timing accuracy** — refinements to httpcore trace hooks, better
+  handling of HTTP/2 connection reuse, more precise fallbacks when direct
+  timing is unavailable.
+- **Output formats** — additional machine-readable exporters (e.g.,
+  Prometheus text format, OpenTelemetry traces) when driven by a concrete
+  user need.
+- **Protocol support** — minor improvements to HTTP/1.1 and HTTP/2 behavior
+  as upstream (`httpx`, `httpcore`) gains features; potential support for
+  HTTP/3 if and when stable Python support lands.
+- **TLS diagnostics** — additional certificate and handshake details
+  reported by default or under flags.
+- **Supply-chain hardening** — continuing improvements that raise the
+  project's OpenSSF Scorecard and Best Practices posture.
+- **Documentation** — worked examples, troubleshooting recipes, and
+  integration cookbooks.
+
+## Non-Goals
+
+These items are explicitly **out of scope**. Contributions in these
+directions will be declined politely so contributors don't waste effort.
+
+- **Load testing / benchmarking** — httptap measures a single request; tools
+  like `wrk`, `k6`, or `vegeta` already serve the benchmarking use case.
+- **Full curl replacement** — httptap aims for curl-compatible flags on the
+  overlap that makes sense; it does not target feature parity with curl.
+- **Scripting / session runners** — multi-request workflows, cookies,
+  scripting, or chainable request/response assertions belong in tools like
+  `httpie` or `hurl`.
+- **Server-side tooling** — httptap is strictly a client. Proxying,
+  mitmproxy-style interception, or server emulation are out of scope.
+- **GUI or TUI** — terminal output stays as Rich renders; no full-screen
+  TUI and no graphical interface.
+- **Plugin ecosystem** — the Python Protocol interfaces are explicitly
+  supported as a programmatic extension point, but a dynamic plugin loader
+  or plugin registry is not planned.
+- **Non-HTTP protocols** — gRPC, WebSocket, MQTT, etc. are out of scope.
+
+## Deprecation Policy
+
+- Public API and CLI flags follow Semantic Versioning 2.0.0.
+- Breaking changes ship only in a major version bump (`X.0.0`) with
+  migration notes in `CHANGELOG.md` and the release notes.
+- Deprecations are announced at least one minor release before removal and
+  emit a runtime warning where practical.
+
+## Supported Versions
+
+See [SECURITY.md](SECURITY.md) for the currently supported minor series.
+
+## Python Support
+
+The project targets the Python versions currently labelled as supported by
+the [Python release calendar](https://devguide.python.org/versions/) plus
+the current pre-release series (3.10–3.15 at the time of writing). Older
+Python versions are dropped only at major releases and only when required
+by a dependency.
+
+## How to Propose a Change
+
+Open a [GitHub issue](https://github.com/ozeranskii/httptap/issues/new) with
+the "enhancement" label describing the problem, the proposed direction, and
+(if applicable) why it fits within the mission and does not cross a
+non-goal. The maintainer will respond with acceptance, pushback, or a
+request for more detail.
+
+Significant changes are expected to land as a pull request only after the
+proposal has been discussed.