chore(release): goreleaser + CI workflows + v2 demo GIFs

Release infrastructure:
- .goreleaser.yml: builds 5-platform binaries (darwin/linux/windows
  x amd64/arm64), SHA-256 checksums, pre-release detection for -rc tags
- .github/workflows/release.yml: runs on any 'v*' tag — test -> build
  -> publish via goreleaser-action
- .github/workflows/ci.yml: test + vet + race detector on every push
  to main / v2-* and every PR
- .gitignore: extended to cover scan artifacts (gods-eye-*.json,
  report-*.json, *.stderr), YAML configs (god-eye.yaml, .god-eye.yaml),
  IDE state (.idea, .vscode, .cursor), Claude Code working notes
  (CLAUDE.md, .claude/), and the /god-eye build artifact

Demo GIFs recorded live against scanme.nmap.org (Nmap's authorized
test host):
- assets/wizard-demo.gif (272 KB): interactive setup walkthrough
- assets/live-scan.gif (37 KB): colorized event stream
- assets/ai-verbose.gif (122 KB): full AI cascade + end-of-scan brief

Legacy v0.1 assets removed:
- assets/demo.gif
- assets/demo-ai.gif

.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+# Continuous integration — runs on every push to main and every PR.
+# Catches regressions early so the Release workflow on tag push doesn't
+# surprise us with a red test run when we least want it.
+
+name: CI
+
+on:
+  push:
+    branches: [ main, 'v2-*' ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test & vet
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go-version: [ '1.21' ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
+
+      - name: Verify modules
+        run: go mod verify
+
+      - name: Build
+        run: go build ./...
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test (race detector)
+        run: go test ./... -race -timeout 180s

.github/workflows/release.yml

@@ -0,0 +1,85 @@
+# Release workflow — runs on any tag that starts with 'v' (e.g. v2.0.0-rc1).
+#
+# Responsibilities:
+#   1. Run the full test suite with the race detector.
+#   2. Build and publish binaries for macOS / Linux / Windows (amd64 + arm64)
+#      via goreleaser-action.
+#   3. Attach them to a GitHub Release whose body comes from .goreleaser.yml
+#      headers + CHANGELOG entries.
+#
+# What you need:
+#   - Nothing beyond the default GITHUB_TOKEN that Actions provides. goreleaser
+#     uses it to create the release.
+#
+# To cut a new release locally:
+#   git tag -a v2.0.0-rc1 -m "v2.0.0 RC1"
+#   git push origin v2.0.0-rc1
+# Then watch the run under "Actions → Release".
+
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write  # goreleaser needs this to create the release + upload assets.
+
+jobs:
+  test:
+    name: Test with race detector
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Verify modules
+        run: go mod verify
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test (race detector)
+        run: go test ./... -race -timeout 180s
+
+  release:
+    name: Build & publish binaries
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+
+      - name: Run goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -38,11 +38,21 @@ go.work.sum
 *.txt
 /results/
 /output/
+# Scan artifacts anywhere in the tree (defence in depth)
+gods-eye-*.json
+gods-eye-*.stderr
+scan-*.json
+scan-*.csv
+report-*.json
+findings-*.json
 
 # Sensitive files
 secrets.yaml
 config.local.yaml
 .env.*
+god-eye.yaml
+.god-eye.yaml
+/.god-eye/
 
 # Logs
 *.log
@@ -51,3 +61,15 @@ config.local.yaml
 # OS files
 .DS_Store
 Thumbs.db
+
+# Editor / IDE / AI-agent local state
+.idea/
+.vscode/
+# Claude Code working notes — intentionally NOT public
+CLAUDE.md
+.claude/
+.cursor/
+.cursorrules
+
+# Benchmark captures with potentially sensitive output
+BENCHMARK-SCANME.local.md

.goreleaser.yml

@@ -0,0 +1,114 @@
+# goreleaser config for God's Eye v2+
+# Docs: https://goreleaser.com/intro/
+#
+# Local dry-run:   goreleaser release --snapshot --clean --skip=publish
+# Full release:    triggered by a 'v*' tag push, handled by .github/workflows/release.yml
+
+version: 2
+
+project_name: god-eye
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - id: god-eye
+    main: ./cmd/god-eye
+    binary: god-eye
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    # Skip combinations that aren't worth shipping — windows/arm64 rarely used,
+    # Go users who need it can `go install`.
+    ignore:
+      - goos: windows
+        goarch: arm64
+
+archives:
+  - id: default
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_
+      {{- if eq .Os "darwin" }}macOS
+      {{- else if eq .Os "linux" }}Linux
+      {{- else if eq .Os "windows" }}Windows
+      {{- else }}{{ .Os }}{{ end }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "arm64" }}arm64
+      {{- else }}{{ .Arch }}{{ end }}
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - README.md
+      - CHANGELOG.md
+      - LICENSE
+      - SECURITY.md
+      - AI_SETUP.md
+
+checksum:
+  name_template: 'checksums.txt'
+  algorithm: sha256
+
+snapshot:
+  version_template: '{{ incpatch .Version }}-next'
+
+changelog:
+  # We curate the GitHub Release notes from CHANGELOG.md manually; goreleaser's
+  # auto-commit-log groupings add noise on top of that.
+  disable: true
+
+release:
+  github:
+    owner: Vyntral
+    name: god-eye
+  # Release Candidates (v2.0.0-rc1, rc2...) are pre-releases. Final v2.0.0
+  # is not. goreleaser detects '-rc', '-beta', '-alpha' suffixes automatically.
+  prerelease: auto
+  draft: false
+  name_template: "God's Eye {{ .Tag }}"
+  header: |
+    ## God's Eye `{{ .Tag }}`
+
+    AI-powered attack-surface discovery & offensive security — single Go binary, terminal-only, zero cloud.
+
+    **Full changelog**: see [CHANGELOG.md](https://github.com/Vyntral/god-eye/blob/main/CHANGELOG.md).
+
+  footer: |
+    ---
+
+    ### Install
+
+    Grab the binary for your platform from the assets below, or build from source:
+
+    ```bash
+    git clone https://github.com/Vyntral/god-eye && cd god-eye
+    go build -o god-eye ./cmd/god-eye
+    ./god-eye
+    ```
+
+    ### Verify checksums
+
+    ```bash
+    sha256sum -c checksums.txt
+    ```
+
+    ### First run
+
+    Zero flags launches the interactive wizard — picks your AI tier, downloads Ollama models, validates your target, runs the scan with live event stream.
+
+    ```bash
+    ./god-eye
+    ```
+
+    Full walkthrough: [README.md](https://github.com/Vyntral/god-eye/blob/main/README.md) · 14 recipes in [EXAMPLES.md](https://github.com/Vyntral/god-eye/blob/main/EXAMPLES.md).