Aharoni-Lab · dependabot · Jun 12, 2026 · Jun 12, 2026 · Jun 13, 2026
@@ -0,0 +1,13 @@
+# Bandit security scanner configuration.
+#
+# Tightening guidance: do NOT add `skips` here without project-level approval.
+# Each #nosec comment in source must name the test ID + a brief rationale.
+#
+# Usage:
+#   bandit -r STIMscope/STIMViewer_CRISPI/ -c .bandit -ll
+#
+# Note: bandit's --exclude flag uses substring matching on full paths.
+
+exclude_dirs:
+  - tests
+  - .git
@@ -0,0 +1,49 @@
+# Git metadata
+.git
+.gitignore
+
+# IDE and editor files
+.vscode/
+.idea/
+*.swp
+.DS_Store
+Thumbs.db
+
+# Secrets and credentials
+.env
+.env.*
+*.pem
+*.key
+*.p12
+credentials*
+secrets*
+id_rsa*
+id_ed25519*
+
+# Claude Code / developer-local
+.claude/
+CLAUDE.md
+setup-claude-memory.sh
+setup-claude-settings.sh
+setup-remote-jetson.sh
+
+# Data outputs (mounted at runtime, not baked into image)
+data/
+
+# Media files
+*.mp4
+*.avi
+*.mov
+
+# Python bytecode
+__pycache__/
+*.pyc
+*.pyo
+
+# OS files
+Thumbs.db
+.DS_Store
+
+# Temp files
+*.log
+*.tmp
@@ -0,0 +1,31 @@
+# CODEOWNERS — GitHub auto-requests these owners as reviewers when
+# a PR touches matching paths. Branch protection (requires GitHub Pro
+# for private repos) can additionally REQUIRE their approval; without
+# protection this is advisory only.
+#
+# Syntax: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Catch-all — owner reviews any change that no later rule overrides.
+*                               @wimaan3
+
+# Core utilities + scaffolding for the preprint's future closed-loop
+# inference extension point (preprint Discussion).
+/STIMscope/STIMViewer_CRISPI/CS/core/                                @wimaan3
+
+# CI / build / release tooling.
+/.github/                       @wimaan3
+/Dockerfile                     @wimaan3
+/docker-compose.yml             @wimaan3
+/build.sh                       @wimaan3
+/entrypoint.sh                  @wimaan3
+/Makefile                       @wimaan3
+
+# Hardware drivers — review with hardware in hand if possible.
+/STIMscope/ZMQ_sender_mask/     @wimaan3
+/STIMscope/STIMViewer_CRISPI/camera.py                              @wimaan3
+/STIMscope/STIMViewer_CRISPI/calibration.py                         @wimaan3
+
+# Licensing + citation — any change here is consequential.
+/LICENSE                        @wimaan3
+/NOTICE                         @wimaan3
+/CITATION.cff                   @wimaan3
@@ -0,0 +1,97 @@
+name: Bug report
+description: Report a defect in the STIMscope / CRISPI platform.
+title: "[bug] "
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting. Please include enough detail that someone
+        without your hardware can reason about the failure.
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: One paragraph describing what went wrong and what you expected.
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Reproduction steps
+      description: Exact commands or GUI clicks. Include CLI flags / config values.
+      placeholder: |
+        1. `sudo -E docker-compose up gui`
+        2. Click "Calibrate"
+        3. Observe …
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior + logs
+      description: |
+        Paste any traceback / error message. For runtime failures,
+        attach `/tmp/crispi-latest.log` or relevant excerpt.
+      render: shell
+    validations:
+      required: true
+
+  - type: dropdown
+    id: layer
+    attributes:
+      label: Which layer
+      description: Where in the stack did the failure happen.
+      options:
+        - "GUI (STIMViewer_CRISPI)"
+        - "Camera (IDS Peak)"
+        - "Projector / DMD / I²C"
+        - "Calibration"
+        - "Recording / TIFF / mp4"
+        - "Live trace extraction"
+        - "Docker / build"
+        - "Tests / CI"
+        - "Documentation"
+        - "Other / not sure"
+    validations:
+      required: true
+
+  - type: input
+    id: jetpack
+    attributes:
+      label: JetPack version
+      placeholder: "JP6 (L4T R36.x) or JP5 (L4T R35.x)"
+
+  - type: input
+    id: jetson
+    attributes:
+      label: Jetson model
+      placeholder: "AGX Orin / Xavier NX / Orin Nano / …"
+
+  - type: input
+    id: commit
+    attributes:
+      label: Commit SHA
+      description: Output of `git rev-parse HEAD` in the repo.
+
+  - type: dropdown
+    id: hardware
+    attributes:
+      label: Hardware mode
+      options:
+        - "Simulation only (no hardware)"
+        - "Camera only"
+        - "Camera + projector"
+        - "Full hardware loop (camera + projector + LEDs)"
+    validations:
+      required: true
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Architecture overview
+    url: https://github.com/Aharoni-Lab/STIMscope/blob/main/docs/IMPLEMENTATION_NOTES.md
+    about: Two-stack architecture, file tour, how to add a CS backend.
+  - name: Citation
+    url: https://github.com/Aharoni-Lab/STIMscope/blob/main/CITATION.cff
+    about: How to cite STIMscope / CRISPI in publications.
@@ -0,0 +1,45 @@
+name: Feature request
+description: Propose a new capability or workflow improvement.
+title: "[feature] "
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: motivation
+    attributes:
+      label: Motivation
+      description: What problem would this solve? Who needs it?
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed approach
+      description: |
+        How you'd implement it. Doesn't have to be fully spec'd —
+        rough sketch is fine.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other paths and why they're less attractive.
+
+  - type: dropdown
+    id: scope
+    attributes:
+      label: Scope
+      options:
+        - "Small (single function / a few lines)"
+        - "Medium (one module / one mixin)"
+        - "Large (cross-cutting / new subsystem)"
+        - "Not sure"
+    validations:
+      required: true
+
+  - type: textarea
+    id: notes
+    attributes:
+      label: Additional notes
@@ -0,0 +1,38 @@
+## Summary
+
+<!-- One or two sentences describing what this PR does and why. -->
+
+## Type of change
+
+- [ ] Bug fix (non-breaking, restores intended behavior)
+- [ ] Feature (non-breaking, adds new capability)
+- [ ] Refactor (non-breaking, no functional change)
+- [ ] Breaking change (changes existing API / config / wire format)
+- [ ] Documentation only
+- [ ] CI / build / dev tooling only
+
+## Linked issue
+
+<!-- Closes #NNN, or "n/a" if no tracked issue. -->
+
+## Test plan
+
+<!-- What you ran locally. Tick what applies; list what was skipped and why. -->
+
+- [ ] `pytest -q tests/L1_algorithms/` — passes
+- [ ] `pytest -q tests/L2_orchestration/` — passes
+- [ ] `pytest -q tests/L3_hardware/` (mocked) — passes
+- [ ] `pytest -q tests/L3_5_split_first/` — passes (Qt offscreen)
+- [ ] `pytest -q tests/L5_UI/` — passes (Qt offscreen)
+- [ ] `make bandit` — clean at medium+
+- [ ] Manual smoke test in the GUI on the Jetson
+- [ ] Hardware regression check (only if PR touches camera / projector / calibration / recording)
+
+## Notes for the reviewer
+
+<!--
+Anything non-obvious:
+- Why this approach was chosen over the alternative
+- Any hardware-only behavior that wasn't reproduced in CI
+- Any open follow-up tracked in docs/IMPLEMENTATION_NOTES.md or as a new issue
+-->
@@ -0,0 +1,53 @@
+# Dependabot auto-PR config.
+#
+# What this gives us:
+#   1) Weekly version-bump PRs for direct pip dependencies (no transitive
+#      churn). Grouped per ecosystem so we get one PR/week instead of dozens.
+#   2) Weekly Docker base-image bump PRs.
+#   3) Weekly GitHub Actions version bumps.
+#   4) Security-fix PRs are exempt from grouping and open immediately when
+#      a new advisory drops (this is Dependabot's default for vulnerability
+#      alerts and doesn't need to be enumerated here).
+#
+# Set open-pull-requests-limit conservatively — the platform is a research
+# codebase, not a service. Bumps should be reviewed by a human before
+# anything ships in a Docker image.
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    groups:
+      runtime:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    labels:
+      - "dependencies"
+      - "pip"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 2
+    labels:
+      - "dependencies"
+      - "docker"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 2
+    labels:
+      - "dependencies"
+      - "github-actions"