baobab-auth-api 0.9.0__tar.gz

baobab_auth_api-0.9.0/.cursor/rules/000-core.mdc

@@ -0,0 +1,23 @@
+---
+description: Règles de développement du projet (source unique de vérité)
+globs:
+alwaysApply: true
+---
+
+# Règles de développement
+
+La **source unique de vérité** des règles de ce projet est le fichier [`AGENTS.md`](../../AGENTS.md)
+à la racine du dépôt. **Lis-le et applique-le intégralement.** Ne duplique pas son contenu.
+
+Rappels prioritaires (le détail complet est dans `AGENTS.md`) :
+
+- **Python ≥ 3.11, orienté objet.** 1 classe = 1 fichier (module nommé d'après la classe).
+- **PEP 8** + **PEP 20** ; en cas de conflit, **PEP 8 prime**.
+- **Type hints obligatoires** ; `ruff` (lint+format) ; `mypy` strict.
+- **Docstrings en reStructuredText**, avec `:spec: <ID>`.
+- **Tests `pytest` en arborescence miroir** ; 1 classe testée = 1 classe de test ;
+  classe abstraite testée via une classe concrète de test ; **couverture ≥ 90 %**.
+- Doc **Sphinx/RST** ; dossier `docs/guides/` obligatoire.
+- Environnement virtuel **`.venv`** (`python -m venv .venv`), non versionné.
+- Aucun secret en clair (`.env` gitignoré + `.env.example`).
+- **Conventional Commits** + chaîne d'ID **US-001 / FEAT-001.1 / TASK-001.1.1**.

baobab_auth_api-0.9.0/.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+
+[*.py]
+indent_size = 4
+max_line_length = 100
+
+[*.{rst,md,yml,yaml,toml,cfg}]
+indent_size = 2
+
+[Makefile]
+indent_style = tab

baobab_auth_api-0.9.0/.env.example

@@ -0,0 +1,20 @@
+# Copiez ce fichier en `.env` et renseignez vos valeurs.
+# `.env` est gitignoré : n'y mettez jamais de secret dans le dépôt.
+# Chargé et validé via pydantic-settings (AuthApiSettings dans config.py).
+
+BAOBAB_AUTH_DATABASE_URL=postgresql+asyncpg://auth:auth@localhost:5432/auth
+BAOBAB_AUTH_ISSUER=baobab-auth
+BAOBAB_AUTH_AUDIENCE=baobab-api
+BAOBAB_AUTH_ACCESS_TOKEN_TTL_SECONDS=900
+BAOBAB_AUTH_REFRESH_TOKEN_TTL_SECONDS=2592000
+BAOBAB_AUTH_JWT_ALGORITHM=RS256
+BAOBAB_AUTH_PASSWORD_MIN_LENGTH=12
+BAOBAB_AUTH_LOG_LEVEL=INFO
+BAOBAB_AUTH_ENVIRONMENT=dev
+BAOBAB_AUTH_DEBUG=false
+
+# CORS (liste JSON) — laisser vide en production sans validation explicite
+# BAOBAB_AUTH_CORS_ORIGINS=["http://localhost:3000"]
+
+# Trusted Hosts — laisser vide pour désactiver
+# BAOBAB_AUTH_TRUSTED_HOSTS=["localhost","127.0.0.1"]

baobab_auth_api-0.9.0/.gitattributes

@@ -0,0 +1,18 @@
+# Normalise les fins de ligne : LF dans le dépôt, quel que soit l'OS du dev.
+* text=auto eol=lf
+
+# Scripts Windows : conserver CRLF (requis par cmd.exe).
+*.bat text eol=crlf
+*.cmd text eol=crlf
+
+# Fichiers binaires : aucune normalisation.
+*.png  binary
+*.jpg  binary
+*.jpeg binary
+*.gif  binary
+*.ico  binary
+*.pdf  binary
+*.zip  binary
+*.gz   binary
+*.woff  binary
+*.woff2 binary

baobab_auth_api-0.9.0/.github/ISSUE_TEMPLATE/01-user-story.yml

@@ -0,0 +1,32 @@
+name: "📘 User Story"
+description: "Décrire un besoin utilisateur (US)"
+title: "[US-XXX] "
+labels: ["type:us"]
+body:
+  - type: input
+    id: id
+    attributes:
+      label: Identifiant
+      placeholder: "US-001"
+    validations:
+      required: true
+  - type: textarea
+    id: story
+    attributes:
+      label: Récit
+      description: "En tant que… je veux… afin de…"
+      placeholder: "En tant qu'utilisateur, je veux …, afin de …"
+    validations:
+      required: true
+  - type: textarea
+    id: acceptance
+    attributes:
+      label: Critères d'acceptation
+      placeholder: "- [ ] …"
+    validations:
+      required: true
+  - type: input
+    id: spec
+    attributes:
+      label: Spécification (RST)
+      placeholder: "docs/specifications/us/US-001-.../index.rst"

baobab_auth_api-0.9.0/.github/ISSUE_TEMPLATE/02-feature.yml

@@ -0,0 +1,32 @@
+name: "🧩 Feature"
+description: "Découper une US en fonctionnalité (FEAT)"
+title: "[FEAT-XXX.Y] "
+labels: ["type:feat"]
+body:
+  - type: input
+    id: id
+    attributes:
+      label: Identifiant
+      placeholder: "FEAT-001.1"
+    validations:
+      required: true
+  - type: input
+    id: parent
+    attributes:
+      label: US parente
+      placeholder: "US-001 (#numéro de l'issue)"
+    validations:
+      required: true
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+    validations:
+      required: true
+  - type: textarea
+    id: acceptance
+    attributes:
+      label: Critères d'acceptation
+      placeholder: "- [ ] …"
+    validations:
+      required: true

baobab_auth_api-0.9.0/.github/ISSUE_TEMPLATE/03-task.yml

@@ -0,0 +1,34 @@
+name: "🔧 Task (backlog)"
+description: "Tâche concrète rattachée à une Feature"
+title: "[TASK-XXX.Y.Z] "
+labels: ["type:task"]
+body:
+  - type: input
+    id: id
+    attributes:
+      label: Identifiant
+      placeholder: "TASK-001.1.1"
+    validations:
+      required: true
+  - type: input
+    id: parent
+    attributes:
+      label: Feature parente
+      placeholder: "FEAT-001.1 (#numéro de l'issue)"
+    validations:
+      required: true
+  - type: textarea
+    id: description
+    attributes:
+      label: Description / étapes
+    validations:
+      required: true
+  - type: checkboxes
+    id: dod
+    attributes:
+      label: Definition of Done
+      options:
+        - label: "Code POO, 1 classe/fichier, type hints complets"
+        - label: "ruff + mypy strict passent"
+        - label: "Test miroir présent, couverture ≥ 90 %"
+        - label: "Docstrings RST / guide à jour si besoin"

baobab_auth_api-0.9.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

baobab_auth_api-0.9.0/.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    labels:
+      - "type:task"
+      - "dependencies"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci"

baobab_auth_api-0.9.0/.github/pull_request_template.md

@@ -0,0 +1,21 @@
+## Description
+
+<!-- Que fait cette PR ? Rattachez l'ID spec. -->
+
+Closes #
+
+## Type de changement
+
+- [ ] `feat` — nouvelle fonctionnalité
+- [ ] `fix` — correction de bug
+- [ ] `docs` — documentation
+- [ ] `refactor` / `test` / `chore`
+
+## Checklist (Definition of Done)
+
+- [ ] 1 classe = 1 fichier ; type hints complets ; docstrings RST avec `:spec:`
+- [ ] Test miroir présent (classe abstraite testée via classe concrète de test)
+- [ ] `ruff` + `mypy` strict passent
+- [ ] Couverture ≥ 90 %
+- [ ] Doc / guide mis à jour si le comportement public change
+- [ ] Commits en Conventional Commits avec ID

baobab_auth_api-0.9.0/.github/workflows/ci.yml

@@ -0,0 +1,145 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+# Annule les runs obsolètes sur une même branche/PR.
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0   # hatch-vcs a besoin de l'historique/tags
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+      - run: pip install -e ".[dev]"
+      - name: Ruff (lint)
+        run: ruff check .
+      - name: Ruff (format)
+        run: ruff format --check .
+
+  type:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+      - run: pip install -e ".[dev]"
+      - name: Mypy (strict)
+        run: mypy
+
+  security:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write   # publier le SARIF dans l'onglet Security
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+      - run: pip install -e ".[dev]"
+      - name: Bandit (génère le SARIF)
+        run: bandit -c pyproject.toml -r src -f sarif -o bandit.sarif
+        continue-on-error: true
+      - name: Publier le SARIF dans l'onglet Security
+        if: always()
+        continue-on-error: true   # tolère repo privé sans GitHub Advanced Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: bandit.sarif
+      - name: Bandit (gate)
+        run: bandit -c pyproject.toml -r src
+      - name: pip-audit (dépendances)
+        run: pip-audit
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Build sdist + wheel (validation packaging)
+        run: |
+          python -m pip install --upgrade build
+          python -m build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist-ci
+          path: dist/
+          retention-days: 7
+
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+      - run: pip install -e ".[docs]"
+      - name: Build Sphinx (validation stricte)
+        run: sphinx-build -b html -W docs docs/_build/html
+      - name: Upload doc HTML (aperçu, sans hébergement)
+        uses: actions/upload-artifact@v4
+        with:
+          name: docs-html
+          path: docs/_build/html/
+          retention-days: 14
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+      - run: pip install -e ".[dev]"
+      - name: Tests + coverage (JUnit + HTML)
+        run: pytest --junitxml=junit-${{ matrix.python-version }}.xml --cov-report=html
+      - name: Upload rapports (couverture HTML + JUnit)
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: reports-py${{ matrix.python-version }}
+          path: |
+            junit-${{ matrix.python-version }}.xml
+            htmlcov/
+          retention-days: 14
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.12'
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage.xml
+          fail_ci_if_error: false

baobab_auth_api-0.9.0/.github/workflows/release.yml

@@ -0,0 +1,114 @@
+name: Release
+
+# Déclenché par un tag de version créé par le Release Manager (ex. v1.2.0).
+# Tag de pré-release (ex. v1.2.0rc1) → TestPyPI ; tag final → PyPI public.
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: read
+
+jobs:
+  meta:
+    runs-on: ubuntu-latest
+    outputs:
+      prerelease: ${{ steps.detect.outputs.prerelease }}
+    steps:
+      - id: detect
+        run: |
+          if [[ "${GITHUB_REF_NAME}" =~ (rc|a|b|alpha|beta|dev)[0-9]*$ ]]; then
+            echo "prerelease=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "prerelease=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  build:
+    needs: meta
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write       # attestation de provenance
+      attestations: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0     # tag complet requis pour hatch-vcs
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Build sdist + wheel
+        run: |
+          python -m pip install --upgrade build
+          python -m build
+      - name: Attestation de provenance (supply chain)
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/*"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish-testpypi:
+    needs: [meta, build]
+    if: needs.meta.outputs.prerelease == 'true'
+    runs-on: ubuntu-latest
+    environment: testpypi
+    permissions:
+      id-token: write       # Trusted Publishing (OIDC)
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+  publish-pypi:
+    needs: [meta, build]
+    if: needs.meta.outputs.prerelease == 'false'
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write       # Trusted Publishing (OIDC) — aucun token stocké
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    needs: [meta, build]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write       # créer la Release + attacher les assets
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0     # hatch-vcs (install du paquet pour le SBOM)
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Générer le SBOM (CycloneDX)
+        run: |
+          python -m pip install pip-audit .
+          pip-audit -f cyclonedx-json -o sbom.json
+        continue-on-error: true
+      - name: Create GitHub Release (dist + SBOM attachés)
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/*
+            sbom.json
+          generate_release_notes: true
+          prerelease: ${{ needs.meta.outputs.prerelease == 'true' }}
+          body: "Voir le CHANGELOG.md pour le détail des changements."

baobab_auth_api-0.9.0/.gitignore

@@ -0,0 +1,52 @@
+# Environnement virtuel (jamais versionné)
+.venv/
+venv/
+env/
+
+# Secrets
+.env
+.env.*
+!.env.example
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+.eggs/
+build/
+dist/
+*.egg
+
+# Tests & couverture
+.pytest_cache/
+.coverage
+.coverage.*
+htmlcov/
+coverage.xml
+junit*.xml
+.tox/
+.nox/
+
+# Rapports d'analyse (générés en CI)
+bandit.sarif
+sbom.json
+
+# Typage / lint caches
+.mypy_cache/
+.ruff_cache/
+.dmypy.json
+
+# Documentation construite
+docs/_build/
+docs/api/_autosummary/
+
+# IDE / OS
+.idea/
+.vscode/
+.DS_Store
+Thumbs.db
+
+# Claude Code (local uniquement)
+CLAUDE.local.md
+.claude/settings.local.json

baobab_auth_api-0.9.0/.pre-commit-config.yaml

@@ -0,0 +1,46 @@
+# Garde-fous mécaniques : appliqués quoi que l'IA décide.
+# Installation : pre-commit install
+default_language_version:
+  python: python3
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml
+      - id: check-added-large-files
+      - id: detect-private-key
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.6.9
+    hooks:
+      - id: ruff           # lint
+        args: [--fix]
+      - id: ruff-format    # format
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.11.2
+    hooks:
+      - id: mypy
+        additional_dependencies: ["pydantic-settings"]
+        args: [--strict]
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.10
+    hooks:
+      - id: bandit
+        args: ["-c", "pyproject.toml"]
+        additional_dependencies: ["bandit[toml]"]
+
+  - repo: local
+    hooks:
+      - id: pytest-cov-90
+        name: pytest (couverture >= 90%)
+        entry: pytest
+        language: system
+        pass_filenames: false
+        always_run: true
+        stages: [pre-push]