buildlog 0.6.0__tar.gz → 0.6.1__tar.gz

{buildlog-0.6.0 → buildlog-0.6.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: buildlog
-Version: 0.6.0
+Version: 0.6.1
 Summary: Engineering notebook for AI-assisted development
 Project-URL: Homepage, https://github.com/Peleke/buildlog-template
 Project-URL: Repository, https://github.com/Peleke/buildlog-template

{buildlog-0.6.0 → buildlog-0.6.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "buildlog"
-version = "0.6.0"
+version = "0.6.1"
 description = "Engineering notebook for AI-assisted development"
 readme = "README.md"
 license = "MIT"

{buildlog-0.6.0 → buildlog-0.6.1}/src/buildlog/cli.py

@@ -921,15 +921,18 @@ def gauntlet_list(output_json: bool):
     """
     import json as json_module
 
-    from buildlog.seeds import load_all_seeds
+    from buildlog.seeds import get_default_seeds_dir, load_all_seeds
 
-    # Find seeds directory
-    buildlog_dir = Path("buildlog")
-    seeds_dir = buildlog_dir / ".buildlog" / "seeds"
+    # Find seeds directory (local overrides > buildlog template > package bundled)
+    seeds_dir = get_default_seeds_dir()
 
-    # Also check .buildlog at repo root (common for installed templates)
-    if not seeds_dir.exists():
-        seeds_dir = Path(".buildlog") / "seeds"
+    if seeds_dir is None:
+        if output_json:
+            click.echo('{"personas": {}, "total_rules": 0, "error": "No seeds found"}')
+        else:
+            click.echo("No seed files found.")
+            click.echo("Seeds are bundled with buildlog - check your installation.")
+        return
 
     seeds = load_all_seeds(seeds_dir)
 
@@ -997,18 +1000,22 @@ def gauntlet_rules(persona: str, fmt: str, output: str | None):
     """
     import json as json_module
 
-    from buildlog.seeds import load_all_seeds
+    from buildlog.seeds import get_default_seeds_dir, load_all_seeds
+
+    # Find seeds directory (local overrides > buildlog template > package bundled)
+    seeds_dir = get_default_seeds_dir()
 
-    # Find seeds directory
-    seeds_dir = Path(".buildlog") / "seeds"
-    if not seeds_dir.exists():
-        seeds_dir = Path("buildlog") / ".buildlog" / "seeds"
+    if seeds_dir is None:
+        click.echo("No seed files found.", err=True)
+        click.echo(
+            "Seeds are bundled with buildlog - check your installation.", err=True
+        )
+        raise SystemExit(1)
 
     seeds = load_all_seeds(seeds_dir)
 
     if not seeds:
-        click.echo("No seed files found.", err=True)
-        click.echo("Initialize with: buildlog init", err=True)
+        click.echo("No seed files found in directory.", err=True)
         raise SystemExit(1)
 
     # Filter personas
@@ -1117,17 +1124,22 @@ def gauntlet_prompt(target: str, persona: tuple[str, ...], output: str | None):
         buildlog gauntlet prompt src/api.py -p security_karen
         buildlog gauntlet prompt . -o review_prompt.md
     """
-    from buildlog.seeds import load_all_seeds
+    from buildlog.seeds import get_default_seeds_dir, load_all_seeds
 
-    # Find seeds directory
-    seeds_dir = Path(".buildlog") / "seeds"
-    if not seeds_dir.exists():
-        seeds_dir = Path("buildlog") / ".buildlog" / "seeds"
+    # Find seeds directory (local overrides > buildlog template > package bundled)
+    seeds_dir = get_default_seeds_dir()
+
+    if seeds_dir is None:
+        click.echo("No seed files found.", err=True)
+        click.echo(
+            "Seeds are bundled with buildlog - check your installation.", err=True
+        )
+        raise SystemExit(1)
 
     seeds = load_all_seeds(seeds_dir)
 
     if not seeds:
-        click.echo("No seed files found.", err=True)
+        click.echo("No seed files found in directory.", err=True)
         raise SystemExit(1)
 
     # Filter personas

buildlog-0.6.1/src/buildlog/data/seeds/security_karen.yaml

@@ -0,0 +1,162 @@
+# Security Karen - Curated Security Rules
+# Source: OWASP Top 10 (2021), CWE, security best practices
+# These rules are defensible - each links to authoritative sources
+
+persona: security_karen
+version: 1
+
+rules:
+  # A01:2021 - Broken Access Control
+  - rule: "Verify authorization on every privileged operation"
+    category: security
+    context: "Any endpoint or function that modifies data or accesses sensitive resources"
+    antipattern: "Checking authentication but not authorization; assuming authenticated = authorized"
+    rationale: "Broken access control is OWASP #1. Users can act outside intended permissions."
+    tags: [access-control, authorization, owasp-a01]
+    references:
+      - url: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
+        title: "OWASP A01:2021 Broken Access Control"
+      - url: "https://cwe.mitre.org/data/definitions/862.html"
+        title: "CWE-862: Missing Authorization"
+
+  - rule: "Deny by default for access control decisions"
+    category: security
+    context: "Access control logic, permission checks, authorization middleware"
+    antipattern: "Allowing access unless explicitly denied; missing else clause in auth checks"
+    rationale: "Fail-open access control leads to unauthorized access. Fail-closed is safer."
+    tags: [access-control, authorization, defense-in-depth]
+    references:
+      - url: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
+        title: "OWASP A01:2021 Broken Access Control"
+
+  # A02:2021 - Cryptographic Failures
+  - rule: "Never store passwords in plaintext or reversible encryption"
+    category: security
+    context: "User registration, password storage, credential management"
+    antipattern: "Storing raw passwords; using MD5/SHA1 without salt; using encryption instead of hashing"
+    rationale: "Password leaks expose users. Use bcrypt/argon2 with proper work factors."
+    tags: [cryptography, passwords, owasp-a02]
+    references:
+      - url: "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+        title: "OWASP A02:2021 Cryptographic Failures"
+      - url: "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
+        title: "OWASP Password Storage Cheat Sheet"
+
+  - rule: "Use TLS 1.2+ for all data in transit"
+    category: security
+    context: "API calls, database connections, service-to-service communication"
+    antipattern: "HTTP endpoints; TLS 1.0/1.1; self-signed certs in production without pinning"
+    rationale: "Data in transit can be intercepted. TLS provides confidentiality and integrity."
+    tags: [cryptography, tls, owasp-a02]
+    references:
+      - url: "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+        title: "OWASP A02:2021 Cryptographic Failures"
+
+  # A03:2021 - Injection
+  - rule: "Parameterize all database queries"
+    category: security
+    context: "Any code constructing SQL, NoSQL, LDAP, or OS commands from input"
+    antipattern: "String concatenation with user input; f-strings in queries; raw SQL with variables"
+    rationale: "SQL injection allows data theft, modification, or deletion. Parameterization prevents it."
+    tags: [injection, sql, owasp-a03]
+    references:
+      - url: "https://owasp.org/Top10/A03_2021-Injection/"
+        title: "OWASP A03:2021 Injection"
+      - url: "https://cwe.mitre.org/data/definitions/89.html"
+        title: "CWE-89: SQL Injection"
+
+  - rule: "Escape or sanitize all output to prevent XSS"
+    category: security
+    context: "Rendering user-provided content in HTML, JavaScript, or other executable contexts"
+    antipattern: "innerHTML with user data; dangerouslySetInnerHTML; template literals without escaping"
+    rationale: "XSS allows attackers to execute code in users' browsers. Always escape output."
+    tags: [injection, xss, owasp-a03]
+    references:
+      - url: "https://owasp.org/Top10/A03_2021-Injection/"
+        title: "OWASP A03:2021 Injection"
+      - url: "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
+        title: "OWASP XSS Prevention Cheat Sheet"
+
+  # A04:2021 - Insecure Design
+  - rule: "Implement rate limiting on authentication endpoints"
+    category: security
+    context: "Login, registration, password reset, API authentication"
+    antipattern: "Unlimited login attempts; no lockout; no CAPTCHA on repeated failures"
+    rationale: "Credential stuffing and brute force attacks are common. Rate limiting mitigates them."
+    tags: [authentication, rate-limiting, owasp-a04]
+    references:
+      - url: "https://owasp.org/Top10/A04_2021-Insecure_Design/"
+        title: "OWASP A04:2021 Insecure Design"
+      - url: "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
+        title: "OWASP Authentication Cheat Sheet"
+
+  # A05:2021 - Security Misconfiguration
+  - rule: "Never commit secrets to version control"
+    category: security
+    context: "Any code or configuration file that might contain API keys, passwords, tokens"
+    antipattern: "Hardcoded credentials; .env files in git; secrets in docker-compose.yml"
+    rationale: "Git history is forever. Leaked secrets lead to account compromise."
+    tags: [secrets, configuration, owasp-a05]
+    references:
+      - url: "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
+        title: "OWASP A05:2021 Security Misconfiguration"
+
+  - rule: "Disable debug mode and verbose errors in production"
+    category: security
+    context: "Production deployments, error handling, logging configuration"
+    antipattern: "DEBUG=True in production; stack traces in API responses; verbose SQL errors"
+    rationale: "Debug info reveals implementation details useful for attackers."
+    tags: [configuration, errors, owasp-a05]
+    references:
+      - url: "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
+        title: "OWASP A05:2021 Security Misconfiguration"
+
+  # A07:2021 - Identification and Authentication Failures
+  - rule: "Use secure session management with httpOnly and secure flags"
+    category: security
+    context: "Session cookies, JWT storage, authentication tokens"
+    antipattern: "Tokens in localStorage; cookies without httpOnly; missing secure flag"
+    rationale: "Insecure session storage enables session hijacking via XSS."
+    tags: [authentication, sessions, owasp-a07]
+    references:
+      - url: "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+        title: "OWASP A07:2021 Identification and Authentication Failures"
+      - url: "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
+        title: "OWASP Session Management Cheat Sheet"
+
+  # A08:2021 - Software and Data Integrity Failures
+  - rule: "Verify integrity of external dependencies"
+    category: security
+    context: "Package installation, CI/CD pipelines, dependency updates"
+    antipattern: "No lockfile; no hash verification; installing from arbitrary URLs"
+    rationale: "Supply chain attacks inject malicious code via dependencies."
+    tags: [dependencies, supply-chain, owasp-a08]
+    references:
+      - url: "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/"
+        title: "OWASP A08:2021 Software and Data Integrity Failures"
+
+  # A09:2021 - Security Logging and Monitoring Failures
+  - rule: "Log security-relevant events with sufficient context"
+    category: security
+    context: "Authentication, authorization failures, input validation failures"
+    antipattern: "No logging; logging without timestamps; no user/IP context; PII in logs"
+    rationale: "Without logs, breaches go undetected. Logs enable incident response."
+    tags: [logging, monitoring, owasp-a09]
+    references:
+      - url: "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"
+        title: "OWASP A09:2021 Security Logging and Monitoring Failures"
+      - url: "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html"
+        title: "OWASP Logging Cheat Sheet"
+
+  # A10:2021 - Server-Side Request Forgery (SSRF)
+  - rule: "Validate and allowlist URLs for server-side requests"
+    category: security
+    context: "Fetching external URLs, webhooks, image proxies, URL shorteners"
+    antipattern: "Fetching arbitrary user-provided URLs; no protocol/host validation"
+    rationale: "SSRF allows attackers to access internal services or cloud metadata."
+    tags: [ssrf, input-validation, owasp-a10]
+    references:
+      - url: "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
+        title: "OWASP A10:2021 SSRF"
+      - url: "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+        title: "OWASP SSRF Prevention Cheat Sheet"

buildlog-0.6.1/src/buildlog/data/seeds/test_terrorist.yaml

@@ -0,0 +1,280 @@
+persona: test_terrorist
+version: 1
+rules:
+- rule: Tests must not depend on execution order
+  category: isolation
+  context: Test suites with multiple tests, shared fixtures, database state
+  antipattern: Test A creates data that Test B asserts on; tests fail when run individually
+  rationale: Order-dependent tests are flaky and hide real failures. Each test must be hermetic.
+  tags:
+  - isolation
+  - order-independent
+  - hermetic
+  - test_terrorist
+  references:
+  - url: https://testing.googleblog.com/2010/12/test-sizes.html
+    title: Google Testing Blog - Test Sizes
+- rule: Tests must clean up after themselves
+  category: isolation
+  context: Tests using databases, files, external services, global state
+  antipattern: Tests leaving data in shared resources; no teardown; assuming clean state
+  rationale: Test pollution causes cascading failures and makes debugging impossible.
+  tags:
+  - isolation
+  - test_terrorist
+  - cleanup
+  - teardown
+  references:
+  - url: https://testing.googleblog.com/2010/12/test-sizes.html
+    title: Google Testing Blog - Test Sizes
+- rule: Tests should run in under 10 seconds for fast feedback
+  category: anti-patterns
+  context: Unit test suites, developer workflows, pre-commit hooks
+  antipattern: Minute-long test suites; 'just run CI'; tests that require coffee breaks
+  rationale: Slow tests don't get run. Fast feedback enables TDD and catches bugs early.
+  tags:
+  - feedback
+  - anti-patterns
+  - slow-tests
+  - test_terrorist
+  references:
+  - url: https://testing.googleblog.com/2010/12/test-sizes.html
+    title: Google Testing Blog - Test Sizes
+- rule: Every public API must have at least one happy path test
+  category: coverage
+  context: New endpoints, public functions, exported modules
+  antipattern: Shipping code with no tests; 'I'll add tests later'; PRs without test changes
+  rationale: Untested code is legacy code the moment it's merged. Tests are executable documentation.
+  tags:
+  - happy-path
+  - public-api
+  - test_terrorist
+  - coverage
+  references:
+  - url: https://testing.googleblog.com/2015/04/just-say-no-to-more-end-to-end-tests.html
+    title: Google Testing Blog - Just Say No to More E2E Tests
+- rule: New bug fixes must include a regression test
+  category: coverage
+  context: Any bug fix PR or commit
+  antipattern: Fixing bugs without adding tests that would have caught them
+  rationale: A bug that escapes once will escape again. Regression tests prevent recurrence.
+  tags:
+  - regression
+  - bug-fix
+  - test_terrorist
+  - coverage
+  references:
+  - url: https://testing.googleblog.com/2015/04/just-say-no-to-more-end-to-end-tests.html
+    title: Google Testing Blog - Just Say No to More E2E Tests
+- rule: Critical paths require edge case and error path coverage
+  category: coverage
+  context: Payment flows, authentication, data mutations, external integrations
+  antipattern: Only happy path tests for critical code; no error handling tests
+  rationale: Edge cases in critical paths cause production incidents. Murphy's law applies.
+  tags:
+  - test_terrorist
+  - critical-path
+  - edge-cases
+  - coverage
+  references:
+  - url: https://martinfowler.com/articles/practical-test-pyramid.html
+    title: Martin Fowler - Testing Pyramid
+- rule: Assert on behavior, not implementation details
+  category: assertions
+  context: Unit tests, refactoring scenarios
+  antipattern: Asserting on private method calls; testing internal state; mock call counts
+  rationale: Implementation-coupled tests break on refactoring. Test the contract, not the code.
+  tags:
+  - assertions
+  - behavior
+  - test_terrorist
+  - contract
+  references:
+  - url: https://martinfowler.com/articles/practical-test-pyramid.html
+    title: Martin Fowler - Testing Pyramid
+- rule: Mock external dependencies at test boundaries
+  category: isolation
+  context: Tests calling APIs, databases, file systems, network services
+  antipattern: Real network calls in unit tests; tests that require running services
+  rationale: External dependencies make tests slow, flaky, and expensive. Mock at boundaries.
+  tags:
+  - isolation
+  - test_terrorist
+  - mocking
+  - boundaries
+  references:
+  - url: https://martinfowler.com/bliki/TestDouble.html
+    title: Martin Fowler - Test Double
+- rule: Use property-based testing for functions with clear invariants
+  category: property-testing
+  context: Serializers, parsers, encoders/decoders, sorting, mathematical operations
+  antipattern: Only example-based tests for encode/decode pairs; hand-picked edge cases
+  rationale: Property tests generate thousands of examples, finding edge cases humans miss.
+  tags:
+  - invariants
+  - hypothesis
+  - test_terrorist
+  - property
+  references:
+  - url: https://hypothesis.readthedocs.io/en/latest/
+    title: Hypothesis Documentation
+- rule: Define roundtrip properties for serialization code
+  category: property-testing
+  context: JSON, protobuf, custom serializers, data transformation pipelines
+  antipattern: Testing serialize and deserialize separately with fixed examples
+  rationale: decode(encode(x)) == x is a universal property. Hypothesis finds corner cases.
+  tags:
+  - roundtrip
+  - test_terrorist
+  - property
+  - serialization
+  references:
+  - url: https://hypothesis.readthedocs.io/en/latest/
+    title: Hypothesis Documentation
+- rule: Apply metamorphic relations when test oracles are unavailable
+  category: metamorphic-testing
+  context: ML models, search engines, optimization algorithms, complex computations
+  antipattern: No testing because 'we don't know the right answer'; only manual inspection
+  rationale: Metamorphic testing validates input-output relationships without ground truth.
+  tags:
+  - metamorphic
+  - test_terrorist
+  - ml
+  - oracle-free
+  references:
+  - url: https://www.sciencedirect.com/science/article/pii/S0950584918300016
+    title: Metamorphic Testing - Chen et al. Survey
+- rule: Define permutation invariance for order-independent operations
+  category: metamorphic-testing
+  context: Aggregations, set operations, commutative functions
+  antipattern: Testing with single fixed input order; assuming order doesn't matter
+  rationale: sum([1,2,3]) == sum([3,1,2]) is a metamorphic relation that catches bugs.
+  tags:
+  - metamorphic
+  - test_terrorist
+  - permutation
+  - invariance
+  references:
+  - url: https://www.sciencedirect.com/science/article/pii/S0950584918300016
+    title: Metamorphic Testing - Chen et al. Survey
+- rule: Validate data distributions at pipeline boundaries
+  category: statistical-testing
+  context: ETL pipelines, ML feature stores, data ingestion, API responses
+  antipattern: Assuming input data matches expected distribution; no schema validation
+  rationale: Distribution drift breaks models silently. Validate expectations at boundaries.
+  tags:
+  - statistical
+  - drift
+  - test_terrorist
+  - distribution
+  references:
+  - url: https://docs.greatexpectations.io/docs/
+    title: Great Expectations Documentation
+- rule: Define and enforce data contracts with schemas
+  category: statistical-testing
+  context: Data pipelines, API integrations, database migrations
+  antipattern: Implicit schemas; duck typing for data; hoping fields exist
+  rationale: Schema validation catches contract violations before they cause failures.
+  tags:
+  - statistical
+  - contracts
+  - test_terrorist
+  - schema
+  references:
+  - url: https://pandera.readthedocs.io/en/stable/
+    title: Pandera Documentation
+- rule: LLM outputs require structured validation beyond string matching
+  category: llm-testing
+  context: Any code using LLM-generated content in production paths
+  antipattern: No validation; trusting raw LLM output; regex-only validation
+  rationale: '[GAP] Standard test frameworks don''t cover LLM eval. See Guardrails/DeepEval for emerging
+    patterns. This is a known gap requiring specialized tooling.'
+  tags:
+  - test_terrorist
+  - emerging
+  - llm-testing
+  - validation
+  - gap
+  references:
+  - url: https://www.guardrailsai.com/docs/concepts/guard
+    title: Guardrails AI Documentation
+- rule: LLM-based features need evaluation datasets and metrics
+  category: llm-testing
+  context: RAG systems, chatbots, content generation, code assistants
+  antipattern: Vibes-based testing; manual spot checks; no regression tracking
+  rationale: '[GAP] LLM behavior is non-deterministic. Evaluation datasets with metrics enable regression
+    detection. Tooling is immature.'
+  tags:
+  - emerging
+  - llm-testing
+  - evaluation
+  - gap
+  - test_terrorist
+  references:
+  - url: https://docs.confident-ai.com/docs/getting-started
+    title: DeepEval Documentation
+- rule: Every test must have at least one meaningful assertion
+  category: assertions
+  context: All test functions
+  antipattern: Tests that only call code without asserting; assert True; empty test bodies
+  rationale: A test without assertions is not a test. It's a false sense of security.
+  tags:
+  - assertions
+  - no-pass-through
+  - meaningful
+  - test_terrorist
+  references:
+  - url: http://xunitpatterns.com/Test%20Smells.html
+    title: xUnit Test Patterns - Test Smells
+- rule: Follow Arrange-Act-Assert (AAA) pattern
+  category: structure
+  context: All test functions
+  antipattern: Interleaved setup and assertions; multiple acts per test; unclear test phases
+  rationale: AAA makes tests readable and debuggable. One logical assertion per test.
+  tags:
+  - structure
+  - aaa
+  - test_terrorist
+  - readability
+  references:
+  - url: http://xunitpatterns.com/Test%20Smells.html
+    title: xUnit Test Patterns - Test Smells
+- rule: Avoid testing implementation details that change frequently
+  category: anti-patterns
+  context: Refactoring scenarios, internal APIs, private methods
+  antipattern: Tests break on every refactor; testing private method behavior
+  rationale: Fragile tests slow development. Test stable interfaces, not implementation.
+  tags:
+  - fragile
+  - implementation-details
+  - anti-patterns
+  - test_terrorist
+  references:
+  - url: http://xunitpatterns.com/Test%20Smells.html
+    title: xUnit Test Patterns - Test Smells
+- rule: Flaky tests must be fixed or quarantined immediately
+  category: anti-patterns
+  context: CI pipelines, test suites with intermittent failures
+  antipattern: Rerunning CI until green; ignoring flaky tests; 'it works on my machine'
+  rationale: Flaky tests erode trust in the test suite. A flaky test is worse than no test.
+  tags:
+  - anti-patterns
+  - flaky
+  - ci
+  - test_terrorist
+  references:
+  - url: https://testing.googleblog.com/2016/05/flaky-tests-at-google-and-how-we.html
+    title: Google Testing Blog - Test Flakiness
+- rule: Test names should describe the scenario and expected outcome
+  category: structure
+  context: Test function naming
+  antipattern: test_1, test_function, test_it_works; names that don't explain the test
+  rationale: Test names are documentation. A failing test name should tell you what broke.
+  tags:
+  - structure
+  - documentation
+  - test_terrorist
+  - naming
+  references:
+  - url: https://docs.pytest.org/en/stable/explanation/goodpractices.html
+    title: pytest - Good Integration Practices

{buildlog-0.6.0 → buildlog-0.6.1}/src/buildlog/seeds.py

@@ -31,10 +31,13 @@ __all__ = [
     "load_seed_file",
     "load_all_seeds",
     "seeds_to_skills",
+    "get_package_seeds_dir",
+    "get_default_seeds_dir",
 ]
 
 import logging
 from dataclasses import dataclass, field
+from importlib import resources
 from pathlib import Path
 from typing import Any
 
@@ -45,6 +48,53 @@ from buildlog.skills import Skill, _generate_skill_id
 logger = logging.getLogger(__name__)
 
 
+def get_package_seeds_dir() -> Path | None:
+    """Get the path to bundled seed files in the package.
+
+    Returns:
+        Path to the package's data/seeds directory, or None if not found.
+    """
+    try:
+        # Python 3.9+ way to get package resources
+        with resources.as_file(resources.files("buildlog").joinpath("data/seeds")) as p:
+            if p.exists():
+                return p
+    except (TypeError, FileNotFoundError):
+        pass
+
+    # Fallback: try relative to this file
+    fallback = Path(__file__).parent / "data" / "seeds"
+    if fallback.exists():
+        return fallback
+
+    return None
+
+
+def get_default_seeds_dir() -> Path | None:
+    """Get the default seeds directory, checking multiple locations.
+
+    Priority:
+    1. Local .buildlog/seeds/ (project-specific overrides)
+    2. Local buildlog/.buildlog/seeds/ (buildlog template structure)
+    3. Package bundled seeds (installed with pip)
+
+    Returns:
+        Path to the seeds directory with most precedence, or None if none found.
+    """
+    # Check local project seeds first (allows overrides)
+    local_seeds = Path(".buildlog") / "seeds"
+    if local_seeds.exists() and any(local_seeds.glob("*.yaml")):
+        return local_seeds
+
+    # Check buildlog template structure
+    buildlog_seeds = Path("buildlog") / ".buildlog" / "seeds"
+    if buildlog_seeds.exists() and any(buildlog_seeds.glob("*.yaml")):
+        return buildlog_seeds
+
+    # Fall back to package seeds
+    return get_package_seeds_dir()
+
+
 @dataclass
 class SeedReference:
     """A reference/citation for a seed rule."""