actionlineage 0.1.0a2__tar.gz

actionlineage-0.1.0a2/.github/ISSUE_TEMPLATE/adapter_request.yml

@@ -0,0 +1,27 @@
+name: Adapter request
+about: Request or scope an optional adapter integration
+body:
+  - type: textarea
+    attributes:
+      label: Adapter target
+      description: Name the framework, protocol, service, or runtime.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Evidence mapping
+      description: Which neutral lifecycle events and evidence links should it emit?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Dependencies and trust boundary
+      description: List new dependencies, credentials, network access, and redaction concerns.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Acceptance tests
+      description: Include local fixture or mock-server tests.
+    validations:
+      required: true

actionlineage-0.1.0a2/.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,25 @@
+name: Bug
+about: Report a reproducible defect that is not a sensitive vulnerability
+body:
+  - type: textarea
+    attributes:
+      label: Behavior
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Minimal reproduction
+      description: Use synthetic/local data only.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Security impact
+      description: Use private vulnerability reporting instead if sensitive.
+    validations:
+      required: true

actionlineage-0.1.0a2/.github/ISSUE_TEMPLATE/compatibility_report.yml

@@ -0,0 +1,27 @@
+name: Compatibility report
+about: Report journal, schema, API, or CLI compatibility behavior
+body:
+  - type: textarea
+    attributes:
+      label: Compatibility surface
+      description: Event schema, journal fixture, public API import, CLI command, or package extra.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Version and artifact
+      description: Include ActionLineage version and a minimized non-sensitive fixture.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected behavior
+      description: Link to the compatibility policy if applicable.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Actual behavior
+      description: Include command output with secrets removed.
+    validations:
+      required: true

actionlineage-0.1.0a2/.github/ISSUE_TEMPLATE/contract_gap.yml

@@ -0,0 +1,27 @@
+name: Contract gap
+about: Report missing or ambiguous telemetry contract coverage
+body:
+  - type: textarea
+    attributes:
+      label: Control or detection dependency
+      description: What requirement cannot currently be expressed or validated?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Required evidence
+      description: List events, fields, causal links, evidence links, and statuses.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Failure mode
+      description: How should the contract fail when evidence is missing or stale?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Fixture
+      description: Provide a minimal valid or invalid journal fixture.
+    validations:
+      required: true

actionlineage-0.1.0a2/.github/ISSUE_TEMPLATE/detection_rule.yml

@@ -0,0 +1,27 @@
+name: Detection rule
+about: Propose or improve a sequence detection
+body:
+  - type: textarea
+    attributes:
+      label: Threat behavior
+      description: Describe the behavior and required evidence quality.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Rule logic
+      description: List stages, grouping, time window, suppressions, and unknown semantics.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Fixtures
+      description: Provide positive, benign, ambiguous, and adversarial fixtures.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Robustness expectations
+      description: Include replay or mutation survival expectations.
+    validations:
+      required: true

actionlineage-0.1.0a2/.github/ISSUE_TEMPLATE/feature.yml

@@ -0,0 +1,26 @@
+name: Feature
+about: Propose a bounded feature or capability
+body:
+  - type: textarea
+    attributes:
+      label: Problem
+      description: What user/security problem should be solved?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Proposed scope
+      description: Include explicit non-goals.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Security and privacy considerations
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Acceptance criteria
+      description: List executable evidence.
+    validations:
+      required: true

actionlineage-0.1.0a2/.github/ISSUE_TEMPLATE/security_report.yml

@@ -0,0 +1,26 @@
+name: Security report
+about: Non-sensitive security hardening issue
+body:
+  - type: markdown
+    attributes:
+      value: |
+        For sensitive vulnerabilities, follow SECURITY.md and report privately.
+        Do not paste live credentials, private data, or exploit payloads here.
+  - type: textarea
+    attributes:
+      label: Area
+      description: Redaction, journal integrity, adapter boundary, policy behavior, service auth, supply chain, or documentation claim.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Risk
+      description: What could go wrong, and what evidence supports the concern?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Safe reproduction
+      description: Use synthetic/local data only.
+    validations:
+      required: true

actionlineage-0.1.0a2/.github/dependabot.yml

@@ -0,0 +1,46 @@
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Chicago"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "python"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:30"
+      timezone: "America/Chicago"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+
+  - package-ecosystem: "docker"
+    directory: "/deploy/docker"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "10:00"
+      timezone: "America/Chicago"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore"
+      include: "scope"

actionlineage-0.1.0a2/.github/pull_request_template.md

@@ -0,0 +1,19 @@
+## Summary
+
+## Scope / non-goals
+
+## Security impact
+
+## Public API or schema impact
+
+## Verification
+
+- [ ] `uv run ruff check .`
+- [ ] `uv run ruff format --check .`
+- [ ] `uv run mypy src`
+- [ ] `uv run pytest`
+- [ ] Security-sensitive negative tests added or reviewed
+- [ ] Documentation/ADR updated where required
+- [ ] No real credentials, incident data, or proprietary material included
+
+## Remaining risks or follow-ups

actionlineage-0.1.0a2/.github/workflows/ci.yml

@@ -0,0 +1,80 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  python:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.13'
+      - name: Install uv
+        run: python -m pip install --upgrade uv
+      - name: Sync
+        run: uv sync --all-extras
+      - name: CLI smoke
+        run: |
+          uv run actionlineage version
+          uv run actionlineage doctor
+      - name: Lint
+        run: uv run ruff check .
+      - name: Format check
+        run: uv run ruff format --check .
+      - name: Type check
+        run: uv run mypy src
+      - name: Test
+        run: uv run pytest
+      - name: Claim-language guard
+        run: uv run python scripts/check_claims_language.py .
+      - name: Secret scan
+        run: uv run python scripts/secret_scan.py .
+      - name: Generate SBOM
+        run: uv run python scripts/generate_sbom.py --output /tmp/actionlineage-sbom.json
+      - name: Dependency audit
+        run: uv run pip-audit
+      - name: Build distribution artifacts
+        run: uv build --out-dir /tmp/actionlineage-dist
+      - name: Generate release provenance
+        run: |
+          uv run python scripts/generate_release_provenance.py \
+            --dist-dir /tmp/actionlineage-dist \
+            --output /tmp/actionlineage-release-provenance.json
+
+  container:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      - name: Build Docker image
+        run: docker build -f deploy/docker/Dockerfile -t actionlineage:ci .
+      - name: CLI smoke in Docker image
+        run: |
+          docker run --rm actionlineage:ci version
+          docker run --rm actionlineage:ci doctor
+      - name: Demo evidence smoke in Docker image
+        run: |
+          rm -rf build/docker-ci
+          mkdir -p build/docker-ci
+          docker run --rm \
+            -v "$PWD/build/docker-ci:/artifacts" \
+            actionlineage:ci demo run --output-dir /artifacts/demo
+          docker run --rm \
+            -v "$PWD/build/docker-ci:/artifacts" \
+            actionlineage:ci journal verify /artifacts/demo/evidence.jsonl
+          docker run --rm \
+            -v "$PWD/build/docker-ci:/artifacts" \
+            actionlineage:ci projection timeline /artifacts/demo/projection.sqlite \
+              --trace-id trace_demo_evidence_plane
+          docker run --rm \
+            -v "$PWD/build/docker-ci:/artifacts" \
+            actionlineage:ci contract validate \
+              /app/contracts/examples/outbound-http.json \
+              /artifacts/demo/evidence.jsonl

actionlineage-0.1.0a2/.github/workflows/codeql.yml

@@ -0,0 +1,36 @@
+name: codeql
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "23 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: CodeQL analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
+        with:
+          languages: python
+          queries: security-and-quality
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
+        with:
+          category: "/language:python"

actionlineage-0.1.0a2/.github/workflows/dependency-review.yml

@@ -0,0 +1,23 @@
+name: dependency-review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  dependency-review:
+    name: Dependency review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+
+      - name: Review dependency changes
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294
+        with:
+          fail-on-severity: high
+          deny-licenses: GPL-2.0, GPL-3.0, AGPL-1.0, AGPL-3.0

actionlineage-0.1.0a2/.github/workflows/release.yml

@@ -0,0 +1,143 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      publish_target:
+        description: "Package index publishing target"
+        required: true
+        default: "none"
+        type: choice
+        options:
+          - "none"
+          - "testpypi"
+          - "pypi"
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    name: Verify release candidate
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: "3.13"
+      - name: Install uv
+        run: python -m pip install --upgrade uv
+      - name: Sync
+        run: uv sync --locked --all-extras
+      - name: Lint
+        run: uv run ruff check .
+      - name: Format check
+        run: uv run ruff format --check .
+      - name: Type check
+        run: uv run mypy src
+      - name: Test
+        run: uv run pytest
+      - name: Claim-language guard
+        run: uv run python scripts/check_claims_language.py .
+      - name: Secret scan
+        run: uv run python scripts/secret_scan.py .
+      - name: Dependency audit
+        run: uv run pip-audit
+
+  build:
+    name: Build release artifacts
+    runs-on: ubuntu-latest
+    needs: verify
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: "3.13"
+      - name: Install uv
+        run: python -m pip install --upgrade uv
+      - name: Sync
+        run: uv sync --locked --all-extras
+      - name: Build wheel and source distribution
+        run: uv build --out-dir dist
+      - name: Generate SBOM
+        run: uv run python scripts/generate_sbom.py --output build/release/actionlineage-sbom.json
+      - name: Generate local release provenance
+        run: |
+          uv run python scripts/generate_release_provenance.py \
+            --dist-dir dist \
+            --output build/release/actionlineage-provenance.json
+      - name: Generate checksums
+        run: sha256sum dist/* build/release/* > build/release/SHA256SUMS.txt
+      - name: Upload release artifacts
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+        with:
+          name: actionlineage-release-artifacts
+          path: |
+            dist/*
+            build/release/*
+          if-no-files-found: error
+
+  attest:
+    name: Attest release artifacts
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+    steps:
+      - name: Download release artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+        with:
+          name: actionlineage-release-artifacts
+          path: release-artifacts
+      - name: Generate artifact attestations
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26
+        with:
+          subject-path: "release-artifacts/**"
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    runs-on: ubuntu-latest
+    needs: attest
+    if: github.event_name == 'workflow_dispatch' && inputs.publish_target == 'testpypi' && startsWith(github.ref, 'refs/tags/v')
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/project/actionlineage/
+    permissions:
+      id-token: write
+    steps:
+      - name: Download release artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+        with:
+          name: actionlineage-release-artifacts
+          path: release-artifacts
+      - name: Publish package distributions to TestPyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
+        with:
+          packages-dir: release-artifacts/dist
+          repository-url: https://test.pypi.org/legacy/
+
+  publish-pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: attest
+    if: github.event_name == 'workflow_dispatch' && inputs.publish_target == 'pypi' && startsWith(github.ref, 'refs/tags/v')
+    environment:
+      name: pypi
+      url: https://pypi.org/project/actionlineage/
+    permissions:
+      id-token: write
+    steps:
+      - name: Download release artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+        with:
+          name: actionlineage-release-artifacts
+          path: release-artifacts
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
+        with:
+          packages-dir: release-artifacts/dist

actionlineage-0.1.0a2/.gitignore

@@ -0,0 +1,40 @@
+__pycache__/
+*.py[cod]
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+.venv/
+.env
+*.log
+*.db
+*.sqlite
+*.sqlite3
+.journal/
+.dist/
+dist/
+build/
+*.egg-info/
+node_modules/
+.DS_Store
+.idea/
+.vscode/
+
+# Local assistant instructions and scratch prompts.
+AGENTS.md
+CLAUDE.md
+GEMINI.md
+Uplift.md
+.aider*
+.continue/
+.cursor/
+.cursorignore
+.roo/
+.roomodes
+.windsurf/
+.windsurfrules
+.codex-log/
+codex/
+.codex/
+prompts/

actionlineage-0.1.0a2/.pre-commit-config.yaml

@@ -0,0 +1,7 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.18
+    hooks:
+      - id: ruff
+        args: [--fix]
+      - id: ruff-format

actionlineage-0.1.0a2/.python-version

@@ -0,0 +1 @@
+3.13