docs(readme): add project banner to README and docs index (#108)

Author: ozeranskii

.github/workflows/release.yml

@@ -161,6 +161,35 @@ jobs:
           compression-level: 6
           if-no-files-found: error
 
+      - name: Prepare SBOM directory
+        run: mkdir -p sbom
+
+      - name: Generate SBOM (CycloneDX)
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+        with:
+          artifact-name: ${{ env.PACKAGE_NAME }}-${{ needs.prepare.outputs.version }}.cdx.json
+          format: cyclonedx-json
+          output-file: sbom/${{ env.PACKAGE_NAME }}-${{ needs.prepare.outputs.version }}.cdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate SBOM (SPDX)
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+        with:
+          artifact-name: ${{ env.PACKAGE_NAME }}-${{ needs.prepare.outputs.version }}.spdx.json
+          format: spdx-json
+          output-file: sbom/${{ env.PACKAGE_NAME }}-${{ needs.prepare.outputs.version }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
+          name: sbom
+          path: sbom/
+          retention-days: 7
+          if-no-files-found: error
+
   publish-pypi:
     name: Publish to PyPI
     runs-on: ubuntu-latest
@@ -201,12 +230,18 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Download artifacts
+      - name: Download dist artifacts
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: dist
           path: dist/
 
+      - name: Download SBOM artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          name: sbom
+          path: sbom/
+
       - name: Create GitHub Release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -215,7 +250,7 @@ jobs:
           REPO: ${{ github.repository }}
         run: |-
           gh release create "$TAG" \
-            dist/* \
+            dist/* sbom/* \
             --repo "$REPO" \
             --title "$TAG" \
             --notes "$NOTES"

.github/workflows/scorecard.yml

@@ -0,0 +1,53 @@
+# OpenSSF Scorecard analysis — https://github.com/ossf/scorecard-action
+# Publishes results to the OpenSSF API and updates the README badge.
+name: OpenSSF Scorecard
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '25 8 * * 1'
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      security-events: write # Required for uploading SARIF results
+      id-token: write # Required for publishing results to the OpenSSF API
+      contents: read # Required for repository checkout
+      actions: read # Required for Token-Permissions check
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run OpenSSF Scorecard analysis
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF results artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload SARIF results to code scanning
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        with:
+          sarif_file: results.sarif

CITATION.cff

@@ -0,0 +1,39 @@
+# YAML 1.2
+# Citation File Format v1.2.0 — https://citation-file-format.github.io/
+cff-version: 1.2.0
+message: "If you use httptap in your research or tooling, please cite it using these metadata."
+title: httptap
+abstract: >-
+  httptap is a rich-powered CLI that dissects an HTTP request into every
+  meaningful phase — DNS, TCP connect, TLS handshake, server wait, and
+  body transfer — and renders the results as a timeline table, compact
+  summary, or machine-friendly metrics. It is designed for interactive
+  troubleshooting, regression analysis, and recording of performance
+  baselines.
+type: software
+authors:
+  - family-names: Ozeranskii
+    given-names: Sergei
+    alias: ozeranskii
+version: 0.4.7
+date-released: "2026-03-30"
+license: Apache-2.0
+url: "https://github.com/ozeranskii/httptap"
+repository-code: "https://github.com/ozeranskii/httptap"
+repository-artifact: "https://pypi.org/project/httptap/"
+keywords:
+  - http
+  - https
+  - performance
+  - timing
+  - dns
+  - tls
+  - ssl
+  - networking
+  - monitoring
+  - diagnostics
+  - waterfall
+  - curl
+  - httpx
+  - python
+  - cli

README.md

@@ -1,3 +1,7 @@
+<p align="center">
+  <img src="docs/assets/httptap-banner.svg" alt="httptap" width="100%" />
+</p>
+
 # httptap
 
 <table>
@@ -22,6 +26,9 @@
       <a href="https://github.com/ozeranskii/httptap/actions/workflows/codeql.yml">
         <img src="https://github.com/ozeranskii/httptap/actions/workflows/codeql.yml/badge.svg" alt="CodeQL" />
       </a><br />
+      <a href="https://scorecard.dev/viewer/?uri=github.com/ozeranskii/httptap">
+        <img src="https://api.scorecard.dev/projects/github.com/ozeranskii/httptap/badge" alt="OpenSSF Scorecard" />
+      </a><br />
       <a href="https://codecov.io/github/ozeranskii/httptap">
         <img src="https://codecov.io/github/ozeranskii/httptap/graph/badge.svg?token=OFOHOI1X5J" alt="Coverage" />
       </a><br />
@@ -50,6 +57,39 @@ performance baselines.
 
 ---
 
+## Table of Contents
+
+- [Highlights](#highlights)
+- [How it compares](#how-it-compares)
+- [Requirements](#requirements)
+- [Installation](#installation)
+  - [Using Homebrew (macOS/Linux)](#using-homebrew-macoslinux)
+  - [Using `uv`](#using-uv)
+  - [Using `pip`](#using-pip)
+  - [From source](#from-source)
+  - [Shell completions](#shell-completions)
+- [Quick Start](#quick-start)
+  - [Basic GET Request](#basic-get-request)
+  - [POST Request with Data](#post-request-with-data)
+  - [Other HTTP Methods](#other-http-methods)
+  - [Custom Headers](#custom-headers)
+  - [Redirects and JSON Export](#redirects-and-json-export)
+  - [Output Modes](#output-modes)
+  - [Advanced Usage](#advanced-usage)
+- [Environment Variables](#environment-variables)
+- [Exit Codes](#exit-codes)
+- [Releasing](#releasing)
+- [Sample Output](#sample-output)
+- [JSON Export Structure](#json-export-structure)
+- [Metrics-only scripting](#metrics-only-scripting)
+- [Advanced Usage](#advanced-usage-1)
+- [Development](#development)
+- [Contributing](#contributing)
+- [License](#license)
+- [Acknowledgements](#acknowledgements)
+
+---
+
 ## Highlights
 
 - **Phase-by-phase timing** – precise measurements built from httpcore trace hooks (with sane fallbacks when metal-level
@@ -67,6 +107,33 @@ performance baselines.
 
 ---
 
+## How it compares
+
+| Feature                                  | `httptap` | `curl -w`              | [`httpstat`](https://github.com/reorx/httpstat) | `httpie`          |
+|------------------------------------------|:---------:|:----------------------:|:-----------------------------------------------:|:-----------------:|
+| Phase-by-phase timing (DNS/TCP/TLS/TTFB) | ✅        | ✅ (format str)        | ✅                                              | ❌                |
+| Rich waterfall visualization             | ✅        | ❌                     | ⚠️ text bars                                    | ❌                |
+| Redirect chain with per-step timing      | ✅        | ❌                     | ❌                                              | ❌                |
+| JSON export (machine-readable)           | ✅        | ✅ (`-w '%{json}'`)    | ✅ (`--format json/jsonl`, v1 schema)           | ❌ (no metrics)   |
+| Metrics-only mode for scripting          | ✅        | ✅                     | ✅ (`--format json`)                            | ❌                |
+| SLO threshold checking                   | ❌        | ❌                     | ✅ (`--slo total=500,...`)                      | ❌                |
+| TLS certificate inspection (CN, expiry)  | ✅        | ⚠️ via `-v`            | ❌                                              | ❌                |
+| IPv4/IPv6 reporting                      | ✅ family | ⚠️ IP via `remote_ip`  | ⚠️ IP only (`remote_ip`/`remote_port`)          | ❌                |
+| HTTP/2 support                           | ✅        | ✅                     | ⚠️ via curl passthrough                         | ⚠️ plugin only    |
+| Proxy with source attribution            | ✅        | ⚠️ no attribution      | ⚠️ via curl passthrough                         | ⚠️ no attribution |
+| Custom CA bundle                         | ✅        | ✅                     | ⚠️ via curl passthrough                         | ✅                |
+| Extensible Python API                    | ✅        | ❌ (pycurl ≠ same API) | ❌                                              | ⚠️ via requests   |
+| Curl-compatible flags                    | ✅        | —                      | ✅ (passes through)                             | ❌                |
+| Zero system dependencies                 | ✅        | ✅                      | needs curl                                      | ✅                |
+
+**When to pick what:**
+- **`httptap`** — interactive troubleshooting, regression analysis, and scripted baselines with structured JSON.
+- **`curl -w`** — one-off shell checks where curl is already the dependency.
+- **`httpstat`** — quick visual breakdown on top of an existing curl install.
+- **`httpie`** — general-purpose request/response exploration, not latency profiling.
+
+---
+
 ## Requirements
 
 - Python 3.10-3.15 (CPython)
@@ -158,7 +225,7 @@ Once completions are installed, you can use `Tab` to autocomplete commands and o
 ```shell
 # Complete command options
 httptap --<TAB>
-# Shows: --follow, --timeout, --no-http2, --ignore-ssl, --cacert, --proxy, --header, --compact, --metrics-only, --json, --version, --help
+# Shows: --method, --data, --follow, --timeout, --no-http2, --ignore-ssl, --cacert, --proxy, --header, --compact, --metrics-only, --json, --version, --help
 
 # Complete after typing partial option
 httptap --fol<TAB>
@@ -306,6 +373,54 @@ can confirm what path was used (e.g., `(from arg --proxy)`,
 
 ---
 
+## Environment Variables
+
+httptap reads the following environment variables at runtime. All of them are
+overridable via CLI flags, and the actual source used for each request is
+recorded in the output and JSON export.
+
+| Variable                              | Purpose                                                                                                      | Overridden by         |
+|---------------------------------------|--------------------------------------------------------------------------------------------------------------|-----------------------|
+| `HTTP_PROXY` / `http_proxy`           | Proxy URL used for `http://` targets.                                                                        | `-x/--proxy`          |
+| `HTTPS_PROXY` / `https_proxy`         | Proxy URL used for `https://` targets.                                                                       | `-x/--proxy`          |
+| `ALL_PROXY` / `all_proxy`             | Fallback proxy URL when scheme-specific variables are unset.                                                 | `-x/--proxy`          |
+| `NO_PROXY` / `no_proxy`               | Comma-separated exclusion list (supports `*`, leading `.`, exact matches). Bypassed entries connect direct.  | `--proxy ""`          |
+| `NO_COLOR`                            | Disables ANSI colors in all Rich output (honors the [NO_COLOR](https://no-color.org) convention).            | —                     |
+| `FORCE_COLOR`                         | Forces colored output even when stdout is not a TTY (Rich convention).                                       | —                     |
+| `TERM=dumb`                           | Rich downgrades to plain-text rendering.                                                                     | —                     |
+
+> Precedence for proxy configuration: explicit `-x/--proxy` → `--proxy ""`
+> (disables env) → `HTTPS_PROXY`/`HTTP_PROXY`/`ALL_PROXY` (scheme-matching) →
+> `NO_PROXY` exclusion → direct connection.
+
+---
+
+## Exit Codes
+
+httptap follows the BSD `sysexits.h` convention so it integrates cleanly with
+shell pipelines, CI jobs, and systemd services.
+
+| Code  | Symbol                  | Meaning                                                    |
+|:-----:|-------------------------|------------------------------------------------------------|
+| `0`   | `EX_OK`                 | Success.                                                   |
+| `64`  | `EX_USAGE`              | Invalid command-line arguments.                            |
+| `70`  | `EX_SOFTWARE`           | Internal error (unexpected exception, bug).                |
+| `75`  | `EX_TEMPFAIL`           | Network / TLS error (partial output may still be rendered). |
+| `128 + N` | Signal offset       | Killed by signal `N` (e.g., `130` for `SIGINT` / Ctrl-C).  |
+
+Example — fail a CI job only on usage errors, tolerating transient network
+issues:
+
+```shell
+httptap --metrics-only https://api.example.com/health
+rc=$?
+if [ "$rc" = 64 ] || [ "$rc" = 70 ]; then
+  exit "$rc"
+fi
+```
+
+---
+
 
 ## Releasing
 
@@ -325,8 +440,9 @@ can confirm what path was used (e.g., `(from arg --proxy)`,
    - Commit changes and create a git tag
    - Run full test suite on the tagged version
    - Build wheel and source distribution
+   - Generate SBOM in CycloneDX and SPDX formats via Syft
    - Publish to PyPI via Trusted Publishing (OIDC)
-   - Create GitHub Release with generated notes
+   - Create GitHub Release with wheel, sdist, and SBOM assets
 
 ---
 
@@ -577,6 +693,6 @@ details.
 
 - Built on the shoulders of fantastic
   libraries: [httpx](https://www.python-httpx.org/), [httpcore](https://github.com/encode/httpcore),
-  and [Rich](https://github.com/Textualize/rich).
+  [dnspython](https://www.dnspython.org/), and [Rich](https://github.com/Textualize/rich).
 - Inspired by the tooling ecosystem around web performance (e.g., DevTools waterfalls, `curl --trace`).
 - Special thanks to everyone who opens issues, shares ideas, or contributes patches.

docs/api/overview.md

@@ -37,6 +37,21 @@ analyzer = HTTPTapAnalyzer()
 steps = analyzer.analyze_url("https://httpbin.io")
 ```
 
+`analyze_url` also accepts keyword-only arguments for non-GET requests:
+
+```python
+from httptap import HTTPTapAnalyzer
+from httptap.constants import HTTPMethod
+
+analyzer = HTTPTapAnalyzer(follow_redirects=True, timeout=10.0)
+steps = analyzer.analyze_url(
+    "https://httpbin.io/post",
+    method=HTTPMethod.POST,
+    content=b'{"name": "John"}',
+    headers={"Content-Type": "application/json"},
+)
+```
+
 ### StepMetrics
 
 Data model representing a single request/response cycle.