MCP-Audit · hello-args · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,35 +1,136 @@
 name: Bug Report
-description: Report a bug in MCTS
-title: "[Bug]: "
-labels: ["bug", "triage"]
+description: Something in MCTS is broken or behaves unexpectedly
+title: "[BUG]: "
+labels: ["type:bug", "status:triage"]
 body:
   - type: markdown
     attributes:
       value: |
-        For MCTS tool bugs, see [Getting Started](https://github.com/MCP-Audit/MCTS/blob/main/docs/get-started/getting-started.md) and [CLI Reference](https://github.com/MCP-Audit/MCTS/blob/main/docs/platform/cli.md). For vulnerabilities in **MCTS itself**, see [SECURITY.md](https://github.com/MCP-Audit/MCTS/blob/main/SECURITY.md).
+        **Before you submit:** search [open issues](https://github.com/MCP-Audit/MCTS/issues) for duplicates and reproduce on latest `main` or `develop`.
+
+        - [Getting Started](https://github.com/MCP-Audit/MCTS/blob/main/docs/get-started/getting-started.md)
+        - [CLI Reference](https://github.com/MCP-Audit/MCTS/blob/main/docs/platform/cli.md)
+        - Vulnerabilities in **MCTS itself** → [SECURITY.md](https://github.com/MCP-Audit/MCTS/blob/main/SECURITY.md) (not this template)
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Checklist
+      options:
+        - label: I searched existing issues and did not find a duplicate
+          required: true
+        - label: I reproduced this on the latest `main` or `develop` branch
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: One or two sentences describing the bug.
+      placeholder: "`mcts scan` crashes when scanning with `--snapshot` and an empty tools array."
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What should have happened instead?
+    validations:
+      required: true
+
   - type: textarea
-    id: description
+    id: actual
     attributes:
-      label: What happened?
-      description: Describe the bug and what you expected.
+      label: Actual behavior
+      description: What happened? Include error messages, exit codes, or unexpected output.
     validations:
       required: true
+
   - type: textarea
     id: reproduce
     attributes:
       label: Steps to reproduce
+      description: Exact commands and inputs so a maintainer can replay the issue.
       placeholder: |
-        1. Run `mcts scan ...`
-        2. See error
+        1. `uv sync --all-extras`
+        2. `uv run mcts scan examples/vulnerable-mcp-server/server.py --scoring both`
+        3. See error …
+      render: shell
     validations:
       required: true
+
+  - type: textarea
+    id: evidence
+    attributes:
+      label: Evidence
+      description: Logs, stack traces, config snippets, or file paths. Redact secrets.
+      render: shell
+
+  - type: dropdown
+    id: component
+    attributes:
+      label: Component (suggested)
+      description: Primary area affected. Maintainers may adjust after triage.
+      options:
+        - component:cli
+        - component:api
+        - component:reporting
+        - component:ui
+        - component:sast
+        - component:live-probe
+        - component:fuzz
+        - component:inventory
+        - component:github-action
+        - component:ci
+        - component:scripts
+        - component:release
+        - component:auth
+        - component:docs
+        - component:other (comment in body)
+    validations:
+      required: true
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: Priority (suggested)
+      description: Your best estimate — maintainers confirm during triage.
+      options:
+        - "priority:P0 — blocks production / data loss / security bypass"
+        - "priority:P1 — major broken workflow or incorrect security result"
+        - "priority:P2 — medium impact; workaround exists"
+        - "priority:P3 — minor / cosmetic / docs polish"
+    validations:
+      required: true
+
   - type: input
     id: version
     attributes:
       label: MCTS version
-      placeholder: 0.1.0
+      description: Output of `mcts --version` or PyPI/git tag.
+      placeholder: "0.1.2 or git commit abc1234"
+
   - type: input
     id: python
     attributes:
       label: Python version
-      placeholder: 3.12
+      placeholder: "3.12"
+
+  - type: input
+    id: platform
+    attributes:
+      label: OS / environment
+      placeholder: "macOS 15, Ubuntu 24.04, GitHub Actions, etc."
+
+  - type: textarea
+    id: impact
+    attributes:
+      label: Impact
+      description: Who is affected and how severely (CLI users, CI, API deployments, etc.)?
+
+  - type: textarea
+    id: references
+    attributes:
+      label: References
+      description: Related issues, PRs, or doc links (optional).
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security disclosure (MCTS vulnerabilities)
+    url: https://github.com/MCP-Audit/MCTS/blob/main/SECURITY.md
+    about: Do not file public issues for undisclosed security vulnerabilities in MCTS itself.
+  - name: Issue labeling guide
+    url: https://github.com/MCP-Audit/MCTS/blob/main/docs/contributing/issue-labeling.md
+    about: How maintainers label type, priority, component, and status.
+  - name: Contributing guide
+    url: https://github.com/MCP-Audit/MCTS/blob/main/CONTRIBUTING.md
+    about: Development setup, branch workflow, and PR expectations.
diff --git a/.github/ISSUE_TEMPLATE/documentation.yml b/.github/ISSUE_TEMPLATE/documentation.yml
@@ -0,0 +1,79 @@
+name: Documentation
+description: Report incorrect, missing, or unclear documentation
+title: "[DOCS]: "
+labels: ["type:docs", "status:triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Docs live under [`docs/`](https://github.com/MCP-Audit/MCTS/tree/main/docs). Entry points: [Getting Started](https://github.com/MCP-Audit/MCTS/blob/main/docs/get-started/getting-started.md), [Glossary](https://github.com/MCP-Audit/MCTS/blob/main/docs/glossary.md), [Documentation index](https://github.com/MCP-Audit/MCTS/blob/main/docs/index.md).
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Checklist
+      options:
+        - label: I searched existing issues and did not find a duplicate
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: What doc is wrong or missing?
+    validations:
+      required: true
+
+  - type: input
+    id: doc_path
+    attributes:
+      label: Doc path or URL
+      description: File path in the repo or section heading.
+      placeholder: "docs/platform/cli.md — mcts scan flags"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: issue_kind
+    attributes:
+      label: Issue type
+      options:
+        - Incorrect — contradicts current behavior
+        - Missing — behavior exists but is undocumented
+        - Unclear — confusing wording or structure
+        - Outdated — references old commands, versions, or branding
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What's wrong today?
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: What should it say?
+      description: Suggested wording, outline, or link target.
+    validations:
+      required: true
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: Priority (suggested)
+      options:
+        - "priority:P1 — misleads users on security-critical behavior"
+        - "priority:P2 — causes confusion but workaround is obvious"
+        - "priority:P3 — typo / polish / nice-to-have"
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: contribute
+    attributes:
+      label: Contribution
+      options:
+        - label: I am willing to open a PR with a doc fix
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -1,33 +1,105 @@
 name: Feature Request
-description: Suggest a new feature or analyzer
-title: "[Feature]: "
-labels: ["enhancement", "triage"]
+description: Propose new functionality, analyzer, or workflow improvement
+title: "[FEATURE]: "
+labels: ["type:feature", "status:triage"]
 body:
   - type: markdown
     attributes:
       value: |
-        Check the [Product Roadmap](https://github.com/MCP-Audit/MCTS/blob/main/docs/more/roadmap.md) and [Feature Expansion Plan](https://github.com/MCP-Audit/MCTS/blob/main/docs/more/feature-expansion-plan.md) before proposing large features.
+        **Before you submit:** check the [Product Roadmap](https://github.com/MCP-Audit/MCTS/blob/main/docs/more/roadmap.md) and [Feature Expansion Plan](https://github.com/MCP-Audit/MCTS/blob/main/docs/more/feature-expansion-plan.md) for overlapping work.
+
+        Large features should start as an issue before opening a PR. See [CONTRIBUTING.md](https://github.com/MCP-Audit/MCTS/blob/main/CONTRIBUTING.md).
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Checklist
+      options:
+        - label: I searched existing issues and did not find a duplicate
+          required: true
+        - label: This is not a bug report (use the Bug Report template for broken behavior)
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: One or two sentences on what you want and why.
+    validations:
+      required: true
+
   - type: textarea
     id: problem
     attributes:
       label: Problem
-      description: What security gap or workflow pain does this solve?
+      description: What security gap, false-negative class, or workflow pain does this solve today?
     validations:
       required: true
+
   - type: textarea
     id: solution
     attributes:
       label: Proposed solution
+      description: How should MCTS behave? CLI flags, analyzer logic, report output, etc.
     validations:
       required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other approaches you considered and why you prefer this one.
+
   - type: dropdown
-    id: area
+    id: component
+    attributes:
+      label: Component (suggested)
+      options:
+        - component:cli
+        - component:api
+        - component:reporting
+        - component:ui
+        - component:sast
+        - component:live-probe
+        - component:fuzz
+        - component:inventory
+        - component:github-action
+        - component:ci
+        - component:scripts
+        - component:release
+        - component:auth
+        - component:docs
+        - component:other (comment in body)
+    validations:
+      required: true
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: Priority (suggested)
+      options:
+        - "priority:P0 — blocks production readiness"
+        - "priority:P1 — high value; should land soon"
+        - "priority:P2 — medium value; planned backlog"
+        - "priority:P3 — nice-to-have / future consideration"
+    validations:
+      required: true
+
+  - type: textarea
+    id: acceptance
+    attributes:
+      label: Acceptance criteria
+      description: Checklist of done conditions for maintainers and contributors.
+      placeholder: |
+        - [ ] New analyzer emits MCTS-T-* finding with evidence
+        - [ ] Regression fixture added under tests/fixtures/regression/
+        - [ ] CLI flag documented in docs/platform/cli.md
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: contribute
     attributes:
-      label: Area
+      label: Contribution
       options:
-        - Analyzer
-        - CLI
-        - Reporting
-        - CI/CD Action
-        - Documentation
-        - Other
+        - label: I am willing to open a PR for this (comment on the issue to claim it)