conformare 0.1.0__tar.gz

conformare-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,90 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  # Code quality: Ruff lint + format check (pinned so a new Ruff release can't break
+  # CI unexpectedly).
+  lint:
+    name: lint (ruff)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - run: python -m pip install --upgrade pip
+      - run: pip install "ruff>=0.15,<0.16"
+      - run: ruff check .
+      - run: ruff format --check .
+
+  # Core suite across every supported Python (3.10+). No Spark/JVM and no
+  # great-expectations here: those tests skip automatically (pytest.importorskip),
+  # so this stays fast and runs on the newest interpreters too.
+  test:
+    name: test (py${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+      - run: python -m pip install --upgrade pip
+      - run: pip install -e ".[test]"
+      - run: python -m pytest -q
+
+  # Full coverage: Java + PySpark + Great Expectations so the Spark and GX tests run too.
+  full:
+    name: full (spark + great-expectations)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: "17"
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - run: python -m pip install --upgrade pip
+      - run: pip install -e ".[spark,gx,test]"
+      - run: python -m pytest -q
+
+  # Multi-process Spark: local-cluster launches real executor JVMs (serialization,
+  # shuffle, networking). These tests are deselected by default, so run them
+  # explicitly with -m cluster. Linux only (reliable; teardown noise is harmless).
+  cluster:
+    name: cluster (multi-process spark)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: "17"
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - run: python -m pip install --upgrade pip
+      - run: pip install -e ".[spark,test]"
+      - run: python -m pytest -q -m cluster
+
+  # Verify the package builds (sdist + wheel) and the metadata is valid.
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - run: python -m pip install --upgrade pip build twine
+      - run: python -m build
+      - run: python -m twine check dist/*

conformare-0.1.0/.github/workflows/pages.yml

@@ -0,0 +1,79 @@
+name: Deploy docs site
+
+# Builds the public docs site (landing page + live example reports) and publishes
+# it to the SEPARATE public Pages repo, so the source repo can stay private.
+#
+# One-time setup:
+#   1. Create a public repo, e.g. kaelonlloyd/conformare-docs.
+#   2. Generate a deploy key:  ssh-keygen -t ed25519 -C conformare-docs -f gh-pages-key -N ""
+#   3. In conformare-docs:  Settings > Deploy keys > add `gh-pages-key.pub`, ALLOW WRITE.
+#   4. In THIS (private) repo: Settings > Secrets and variables > Actions >
+#      add secret PAGES_DEPLOY_KEY = contents of the private `gh-pages-key`.
+#      (The deploy step below strips CR / fixes the trailing newline, so a paste
+#      with Windows line endings still works.)
+#   5. In conformare-docs:  Settings > Pages > deploy from branch `gh-pages` / root.
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: pages-deploy
+  cancel-in-progress: true
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: "17"
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - run: python -m pip install --upgrade pip
+      # Spark + GX so the full set of live reports is generated.
+      - run: pip install -e ".[spark,gx]"
+      - run: python docs/build_site.py          # writes ./site (Jekyll source + reports)
+
+      # Build the site ourselves so the published output is plain static HTML and
+      # never depends on GitHub's branch-build behaviour.
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.3"
+          bundler-cache: true
+          working-directory: site
+      - run: bundle exec jekyll build          # site/ -> site/_site
+        working-directory: site
+
+      # Manual SSH push so we can SANITIZE the deploy key first: the recurring
+      # `ssh-add ... error in libcrypto` is caused by CR characters / a missing
+      # trailing newline in the pasted secret. Stripping \r and re-adding a newline
+      # makes it robust regardless of how the secret was pasted.
+      - name: Publish to public Pages repo (SSH)
+        env:
+          DEPLOY_KEY: ${{ secrets.PAGES_DEPLOY_KEY }}
+        run: |
+          set -euo pipefail
+          mkdir -p "$HOME/.ssh"
+          printf '%s\n' "$DEPLOY_KEY" | tr -d '\r' | sed -e '/^$/d' > "$HOME/.ssh/deploy_key"
+          printf '\n' >> "$HOME/.ssh/deploy_key"        # guarantee single trailing newline
+          chmod 600 "$HOME/.ssh/deploy_key"
+          ssh-keyscan github.com >> "$HOME/.ssh/known_hosts" 2>/dev/null
+          # Fail early with a clear message if the key still won't load.
+          ssh-keygen -y -f "$HOME/.ssh/deploy_key" > /dev/null
+          export GIT_SSH_COMMAND="ssh -i $HOME/.ssh/deploy_key -o IdentitiesOnly=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts"
+          cd site/_site
+          touch .nojekyll                               # already-built site; serve as-is
+          git init -q -b gh-pages
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add -A
+          git commit -q -m "docs: deploy site from ${GITHUB_SHA}"
+          git push -f "git@github.com:kaelonlloyd/conformare-docs.git" gh-pages

conformare-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,74 @@
+name: Publish
+
+# Builds the distribution once, then publishes via PyPI Trusted Publishing (OIDC) -
+# no API tokens stored anywhere.
+#
+#   * Manual run (workflow_dispatch)  -> TestPyPI   (environment: testpypi)
+#   * Publishing a GitHub Release     -> PyPI        (environment: pypi)
+#
+# One-time Trusted Publisher setup (pending publisher is fine before the first run):
+#   TestPyPI -> https://test.pypi.org/manage/account/publishing/
+#   PyPI     -> https://pypi.org/manage/account/publishing/
+#   Use these values:
+#     PyPI Project Name: conformare
+#     Owner:             kaelonlloyd
+#     Repository name:   conformare
+#     Workflow name:     publish.yml
+#     Environment name:  testpypi   (for TestPyPI)  /  pypi   (for PyPI)
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - run: python -m pip install --upgrade pip build twine
+      - run: python -m build
+      - run: python -m twine check dist/*
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  testpypi:
+    name: Publish to TestPyPI
+    needs: build
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    environment: testpypi
+    permissions:
+      id-token: write          # required for trusted publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+  pypi:
+    name: Publish to PyPI
+    needs: build
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write          # required for trusted publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1

conformare-0.1.0/.gitignore

@@ -0,0 +1,38 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+.eggs/
+build/
+dist/
+*.so
+
+# Tooling caches
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# Generated example reports (examples write here; regenerate by running examples/)
+output/
+*.html
+
+# Built docs site (docs/build_site.py; published to the public Pages repo by CI)
+site/
+
+# Pages deploy keypair (the private half is a secret; never commit it)
+gh-pages-key
+gh-pages-key.pub
+
+# Editors / OS
+.vscode/
+.idea/
+.DS_Store
+Thumbs.db

conformare-0.1.0/.pre-commit-config.yaml

@@ -0,0 +1,13 @@
+# Local code-quality hooks. Install once with:
+#     pip install pre-commit && pre-commit install
+# Then Ruff lint + format run on every commit. Run on everything with:
+#     pre-commit run --all-files
+#
+# This mirrors the CI `lint` job (Ruff lint + format check).
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.18
+    hooks:
+      - id: ruff
+        args: [--fix]
+      - id: ruff-format

conformare-0.1.0/CHANGELOG.md

@@ -0,0 +1,31 @@
+# Changelog
+
+All notable changes to Conformare are documented here. The format is based on
+[Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and Conformare follows
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+While in `0.x`, breaking changes may land in a **minor** release (`0.1 -> 0.2`); the
+move to `1.0.0` signals a commitment to backward compatibility.
+
+## [Unreleased]
+
+## [0.1.0] - 2026-06-21
+
+Initial public release.
+
+### Added
+- Lineage capture of the authored dataframe pipeline across three backends:
+  `trackNarwhals()`, `trackSpark()` (PySpark, zero code change) and `trackPandas()`.
+- Per-step profilers: `rowCount`, `columnCount`, `dataSize`, `histogram`,
+  `nullFraction`, `iqrOutliers`, optional `greatExpectations` and `whylogs`.
+- Governance context: `describe()` / `risk()` / `describe_process()`, a built-in risk
+  catalog with `register_risk()`, mitigation/owner tracking and a governance ranking.
+- Data-sensitivity detection (name-based heuristics + manual `mark_sensitive`) with an
+  exfiltration check for columns that reach a written output.
+- Outputs: self-contained interactive HTML report (`to_html`), `to_mermaid`, `to_json`,
+  and a formal, sign-off-ready Markdown risk checklist (`to_risk_checklist`).
+- Non-intrusive modes: docstring tagging and `bootstrap()` for unmodified scripts.
+- `conformare.__version__` exposed from package metadata.
+
+[Unreleased]: https://github.com/kaelonlloyd/conformare/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/kaelonlloyd/conformare/releases/tag/v0.1.0

conformare-0.1.0/LICENSE

@@ -0,0 +1,77 @@
+# PolyForm Noncommercial License 1.0.0
+
+<https://polyformproject.org/licenses/noncommercial/1.0.0>
+
+Required Notice: Copyright 2026 Kaelon Lloyd
+
+For a commercial license, contact Kaelon Lloyd <kaelonlloyd@gmail.com>.
+
+## Acceptance
+
+In order to get any license under these terms, you must agree to them as both strict obligations and conditions to all your licenses.
+
+## Copyright License
+
+The licensor grants you a copyright license for the software to do everything you might do with the software that would otherwise infringe the licensor's copyright in it for any permitted purpose.  However, you may only distribute the software according to [Distribution License](#distribution-license) and make changes or new works based on the software according to [Changes and New Works License](#changes-and-new-works-license).
+
+## Distribution License
+
+The licensor grants you an additional copyright license to distribute copies of the software.  Your license to distribute covers distributing the software with changes and new works permitted by [Changes and New Works License](#changes-and-new-works-license).
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms or the URL for them above, as well as copies of any plain-text lines beginning with `Required Notice:` that the licensor provided with the software.  For example:
+
+> Required Notice: Copyright Yoyodyne, Inc. (http://example.com)
+
+## Changes and New Works License
+
+The licensor grants you an additional copyright license to make changes and new works based on the software for any permitted purpose.
+
+## Patent License
+
+The licensor grants you a patent license for the software that covers patent claims the licensor can license, or becomes able to license, that you would infringe by using the software.
+
+## Noncommercial Purposes
+
+Any noncommercial purpose is a permitted purpose.
+
+## Personal Uses
+
+Personal use for research, experiment, and testing for the benefit of public knowledge, personal study, private entertainment, hobby projects, amateur pursuits, or religious observance, without any anticipated commercial application, is use for a permitted purpose.
+
+## Noncommercial Organizations
+
+Use by any charitable organization, educational institution, public research organization, public safety or health organization, environmental protection organization, or government institution is use for a permitted purpose regardless of the source of funding or obligations resulting from the funding.
+
+## Fair Use
+
+You may have "fair use" rights for the software under the law. These terms do not limit them.
+
+## No Other Rights
+
+These terms do not allow you to sublicense or transfer any of your licenses to anyone else, or prevent the licensor from granting licenses to anyone else.  These terms do not imply any other licenses.
+
+## Patent Defense
+
+If you make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.
+
+## Violations
+
+The first time you are notified in writing that you have violated any of these terms, or done anything with the software not covered by your licenses, your licenses can nonetheless continue if you come into full compliance with these terms, and take practical steps to correct past violations, within 32 days of receiving notice.  Otherwise, all your licenses end immediately.
+
+## No Liability
+
+***As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.***
+
+## Definitions
+
+The **licensor** is the individual or entity offering these terms, and the **software** is the software the licensor makes available under these terms.
+
+**You** refers to the individual or entity agreeing to these terms.
+
+**Your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization.  **Control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise.  Control can be direct or indirect.
+
+**Your licenses** are all the licenses granted to you for the software under these terms.
+
+**Use** means anything you do with the software requiring one of your licenses.