dumpling-cli 0.5.0__tar.gz → 0.6.0__tar.gz

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/docs-pr.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install mdBook
         uses: peaceiris/actions-mdbook@v2

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/docs.yml

@@ -26,7 +26,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install mdBook
         uses: peaceiris/actions-mdbook@v2
@@ -37,7 +37,7 @@ jobs:
         run: mdbook build
 
       - name: Upload Pages deployment artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@v5
         with:
           path: docs/book
 
@@ -53,4 +53,4 @@ jobs:
     steps:
       - name: Deploy docs to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@v5

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/platform-compat-latest.yml

@@ -22,7 +22,7 @@ jobs:
           - windows-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/platform-compat-matrix.yml

@@ -20,7 +20,7 @@ jobs:
           - windows-2022
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/policy-lint.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/publish.yml

@@ -32,7 +32,7 @@ jobs:
           - windows-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
@@ -41,7 +41,7 @@ jobs:
         uses: Swatinem/rust-cache@v2
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.12"
 
@@ -52,7 +52,7 @@ jobs:
         run: python -m maturin build --release --out dist
 
       - name: Upload wheel artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: wheels-${{ matrix.os }}
           path: dist/*.whl
@@ -63,10 +63,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.12"
 
@@ -77,7 +77,7 @@ jobs:
         run: python -m maturin sdist --out dist
 
       - name: Upload sdist artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: sdist
           path: dist/*.tar.gz
@@ -96,7 +96,7 @@ jobs:
       id-token: write
     steps:
       - name: Download built distributions
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           pattern: "*"
           path: dist
@@ -123,7 +123,7 @@ jobs:
       id-token: write
     steps:
       - name: Download built distributions
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           pattern: "*"
           path: dist

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/.github/workflows/tests.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/CHANGELOG.md

@@ -7,6 +7,18 @@ and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.ht
 
 ## [Unreleased]
 
+## [0.6.0] - 2026-05-03
+
+### Added
+
+- **Dump seal** (leading `-- dumpling-seal:` SQL comment): records Dumpling version, security profile, a SHA-256 fingerprint of the resolved policy, and runtime CLI options that affect transforms (`--format`, sorted `--include-table` / `--exclude-table`, effective PRNG seed in standard profile). When the input already begins with a **matching** seal, the remainder is copied through unchanged; stale or unknown seal lines are stripped and the dump is re-processed. See README for full semantics ([#58](https://github.com/ababic/dumpling/pull/58)).
+- **`--stats`**: prints `wall_ms` plus `domain_cache_hits` and `domain_cache_misses` for quick profiling of large runs ([#59](https://github.com/ababic/dumpling/pull/59)).
+- **`CONTRIBUTORS.md`** ([#59](https://github.com/ababic/dumpling/pull/59)).
+
+### Changed
+
+- **Domain-mapped replacement values** use shared `Arc<str>` storage so repeated lookups reuse the same allocation ([#59](https://github.com/ababic/dumpling/pull/59)).
+
 ## [0.5.0] - 2026-05-03
 
 ### Added
@@ -89,6 +101,7 @@ and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.ht
 - Configurable output scan severities and per-category thresholds via `[output_scan]`.
 - JSON report section for output scan findings including category, count, threshold, severity, and sample locations.
 
+[0.6.0]: https://github.com/ababic/dumpling/compare/v0.5.0...v0.6.0
 [0.5.0]: https://github.com/ababic/dumpling/compare/v0.4.3...v0.5.0
 [0.4.3]: https://github.com/ababic/dumpling/compare/v0.4.2...v0.4.3
 [0.4.2]: https://github.com/ababic/dumpling/compare/v0.4.1...v0.4.2

dumpling_cli-0.6.0/CONTRIBUTORS.md

@@ -0,0 +1,6 @@
+# Contributors
+
+Thank you to everyone who has helped improve Dumpling.
+
+- **Andy Babic** — creator and maintainer
+- **Jordan Hale** — performance and observability (including AI-assisted patches)

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/Cargo.lock

@@ -262,7 +262,7 @@ dependencies = [
 
 [[package]]
 name = "dumpling"
-version = "0.5.0"
+version = "0.6.0"
 dependencies = [
  "anyhow",
  "chrono",

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "dumpling"
-version = "0.5.0"
+version = "0.6.0"
 edition = "2021"
 readme = "README.md"
 

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dumpling-cli
-Version: 0.5.0
+Version: 0.6.0
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -129,6 +129,16 @@ If no configuration is found, Dumpling fails closed by default and exits non-zer
 The error output lists every checked location. Use `--allow-noop` to explicitly
 permit no-op behavior.
 
+### Dump seal (always on)
+
+Every successful run that writes output prefixes the stream with a single-line SQL comment:
+
+`-- dumpling-seal: v=2 version=<semver> profile=<standard|hardened> sha256=<64 hex chars>`
+
+The `sha256` is over canonical JSON that includes the Dumpling version, the active security profile, a stable encoding of the resolved policy (rules, row filters, column cases, sensitive columns, output scan, global salt), and **runtime options** that affect transforms: `--format`, sorted `--include-table` / `--exclude-table` patterns, and the effective `--seed` / `DUMPLING_SEED` value in standard profile (`null` in hardened, where seeds are ignored).
+
+If the **input** already begins with a seal line and it **matches** the current run, Dumpling copies the rest of the file through unchanged. If the line looks like a seal but does **not** match (stale policy, different flags, or older `v=`), that line is **dropped** and the dump is re-processed so you do not end up with two seal lines. `--strict-coverage` cannot be combined with a matching seal (table definitions are not scanned in passthrough mode). `--check` writes no output and therefore emits no seal line.
+
 ---
 
 ## Configuration (TOML)

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/README.md

@@ -108,6 +108,16 @@ If no configuration is found, Dumpling fails closed by default and exits non-zer
 The error output lists every checked location. Use `--allow-noop` to explicitly
 permit no-op behavior.
 
+### Dump seal (always on)
+
+Every successful run that writes output prefixes the stream with a single-line SQL comment:
+
+`-- dumpling-seal: v=2 version=<semver> profile=<standard|hardened> sha256=<64 hex chars>`
+
+The `sha256` is over canonical JSON that includes the Dumpling version, the active security profile, a stable encoding of the resolved policy (rules, row filters, column cases, sensitive columns, output scan, global salt), and **runtime options** that affect transforms: `--format`, sorted `--include-table` / `--exclude-table` patterns, and the effective `--seed` / `DUMPLING_SEED` value in standard profile (`null` in hardened, where seeds are ignored).
+
+If the **input** already begins with a seal line and it **matches** the current run, Dumpling copies the rest of the file through unchanged. If the line looks like a seal but does **not** match (stale policy, different flags, or older `v=`), that line is **dropped** and the dump is re-processed so you do not end up with two seal lines. `--strict-coverage` cannot be combined with a matching seal (table definitions are not scanned in passthrough mode). `--check` writes no output and therefore emits no seal line.
+
 ---
 
 ## Configuration (TOML)

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "dumpling-cli"
-version = "0.5.0"
+version = "0.6.0"
 description = "Static anonymizer for plain SQL dumps (PostgreSQL, SQLite, SQL Server)."
 readme = "README.md"
 requires-python = ">=3.8"

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/src/filter.rs

@@ -219,10 +219,10 @@ fn replacement_to_json_value(repl: &Replacement) -> serde_json::Value {
         return serde_json::Value::Null;
     }
     if repl.force_quoted {
-        return serde_json::Value::String(repl.value.clone());
+        return serde_json::Value::String(repl.value.as_ref().to_string());
     }
-    serde_json::from_str(&repl.value)
-        .unwrap_or_else(|_| serde_json::Value::String(repl.value.clone()))
+    serde_json::from_str(repl.value.as_ref())
+        .unwrap_or_else(|_| serde_json::Value::String(repl.value.as_ref().to_string()))
 }
 
 /// When rewriting JSON at a path, map `Replacement` back into [`serde_json::Value`] while keeping
@@ -238,11 +238,11 @@ fn coerce_json_path_replacement(
     }
     match original {
         serde_json::Value::Bool(_) => {
-            if let Some(b) = parse_loose_json_bool(&repl.value) {
+            if let Some(b) = parse_loose_json_bool(repl.value.as_ref()) {
                 return serde_json::Value::Bool(b);
             }
             if !repl.force_quoted {
-                if let Ok(v) = serde_json::from_str::<serde_json::Value>(&repl.value) {
+                if let Ok(v) = serde_json::from_str::<serde_json::Value>(repl.value.as_ref()) {
                     match v {
                         serde_json::Value::Bool(b) => return serde_json::Value::Bool(b),
                         serde_json::Value::Number(n) => {
@@ -257,27 +257,27 @@ fn coerce_json_path_replacement(
                     }
                 }
             }
-            serde_json::Value::String(repl.value.clone())
+            serde_json::Value::String(repl.value.as_ref().to_string())
         }
         serde_json::Value::Number(_) => {
-            if let Some(n) = parse_loose_json_number(&repl.value) {
+            if let Some(n) = parse_loose_json_number(repl.value.as_ref()) {
                 return serde_json::Value::Number(n);
             }
             if !repl.force_quoted {
                 if let Ok(serde_json::Value::Number(n)) =
-                    serde_json::from_str::<serde_json::Value>(&repl.value)
+                    serde_json::from_str::<serde_json::Value>(repl.value.as_ref())
                 {
                     return serde_json::Value::Number(n);
                 }
             }
-            serde_json::Value::String(repl.value.clone())
+            serde_json::Value::String(repl.value.as_ref().to_string())
         }
         serde_json::Value::String(_) => {
             if repl.force_quoted {
-                serde_json::Value::String(repl.value.clone())
+                serde_json::Value::String(repl.value.as_ref().to_string())
             } else {
-                serde_json::from_str(&repl.value)
-                    .unwrap_or_else(|_| serde_json::Value::String(repl.value.clone()))
+                serde_json::from_str(repl.value.as_ref())
+                    .unwrap_or_else(|_| serde_json::Value::String(repl.value.as_ref().to_string()))
             }
         }
         serde_json::Value::Null => replacement_to_json_value(repl),

{dumpling_cli-0.5.0 → dumpling_cli-0.6.0}/src/main.rs

@@ -1,10 +1,12 @@
 use std::fs::File;
 use std::io::{self, BufRead, BufReader, BufWriter, Write};
+use std::sync::atomic::Ordering;
 
 /// Larger than default 8 KiB to reduce syscall overhead on big dumps.
 const IO_BUF_CAPACITY: usize = 256 * 1024;
 use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
+use std::time::Instant;
 
 use clap::{ArgAction, Parser, Subcommand};
 
@@ -13,6 +15,7 @@ mod filter;
 mod lint;
 mod report;
 mod scan;
+mod seal;
 mod settings;
 mod sql;
 mod transform;
@@ -21,9 +24,16 @@ use anyhow::Context;
 use regex::Regex;
 use report::Reporter;
 use scan::{OutputScanner, ScanningWriter};
+use seal::{
+    compute_seal_digest, format_seal_line, read_first_line_for_seal, FirstLineReplayBufRead,
+    SealFirstLine, SealRuntimeParams,
+};
 use settings::ResolvedConfig;
 use sql::{DumpFormat, SqlStreamProcessor};
-use transform::{set_hardened_profile, set_random_seed, AnonymizerRegistry, SecurityProfile};
+use transform::{
+    prng_seed_override_for_fingerprint, set_hardened_profile, set_random_seed, AnonymizerRegistry,
+    SecurityProfile,
+};
 
 #[derive(Parser, Debug)]
 #[command(
@@ -290,6 +300,13 @@ fn run_anonymize(cli: Cli) -> anyhow::Result<()> {
     let include_res = compile_patterns(&cli.include_table)?;
     let exclude_res = compile_patterns(&cli.exclude_table)?;
 
+    let seal_runtime = SealRuntimeParams::new(
+        dump_format,
+        &cli.include_table,
+        &cli.exclude_table,
+        prng_seed_override_for_fingerprint(),
+    );
+
     // Determine IO (optional pg_restore child when --dump-decode)
     let mut pg_restore_child: Option<std::process::Child> = None;
     let (mut reader, input_path_for_inplace): (Box<dyn BufRead>, Option<PathBuf>) = if cli
@@ -429,7 +446,6 @@ fn run_anonymize(cli: Cli) -> anyhow::Result<()> {
         .unwrap_or_else(|| Reporter::new(false));
     reporter.report.security_profile = security_profile_name.to_string();
 
-    // Process SQL stream
     let mut processor = SqlStreamProcessor::new(
         anonymizers,
         resolved_config,
@@ -438,12 +454,65 @@ fn run_anonymize(cli: Cli) -> anyhow::Result<()> {
         Some(&mut reporter),
         dump_format,
     );
+
+    let seal_digest = if cli.check {
+        None
+    } else {
+        Some(compute_seal_digest(
+            processor.config_snapshot(),
+            security_profile_name,
+            &seal_runtime,
+        )?)
+    };
+
     let mut writer = output;
-    let proc_res = if let Some(scanner) = output_scanner.as_mut() {
-        let mut scanning_writer = ScanningWriter::new(&mut writer, scanner);
-        processor.process(&mut reader, &mut scanning_writer)
+
+    let seal_first = read_first_line_for_seal(
+        reader.as_mut(),
+        processor.config_snapshot(),
+        security_profile_name,
+        &seal_runtime,
+    )?;
+
+    if matches!(seal_first, SealFirstLine::TrustedPassthrough) && cli.strict_coverage {
+        anyhow::bail!(
+            "--strict-coverage cannot be used when the input begins with a matching seal; \
+             the dump is passed through without parsing table definitions"
+        );
+    }
+
+    let replay_first = match &seal_first {
+        SealFirstLine::TrustedPassthrough | SealFirstLine::StaleSealStripped => None,
+        SealFirstLine::Replay(v) if v.is_empty() => None,
+        SealFirstLine::Replay(v) => Some(v.clone()),
+    };
+    let mut adapted_reader = FirstLineReplayBufRead::new(reader.as_mut(), replay_first);
+
+    let run_started = Instant::now();
+    let proc_res: anyhow::Result<()> = if matches!(seal_first, SealFirstLine::TrustedPassthrough) {
+        if let Some(ref digest) = seal_digest {
+            writer.write_all(format_seal_line(security_profile_name, digest).as_bytes())?;
+        }
+        if let Some(scanner) = output_scanner.as_mut() {
+            let mut scanning_writer = ScanningWriter::new(&mut writer, scanner);
+            std::io::copy(&mut adapted_reader, &mut scanning_writer)
+                .map(|_| ())
+                .map_err(anyhow::Error::from)
+        } else {
+            std::io::copy(&mut adapted_reader, &mut writer)
+                .map(|_| ())
+                .map_err(anyhow::Error::from)
+        }
     } else {
-        processor.process(&mut reader, &mut writer)
+        if let Some(ref digest) = seal_digest {
+            writer.write_all(format_seal_line(security_profile_name, digest).as_bytes())?;
+        }
+        if let Some(scanner) = output_scanner.as_mut() {
+            let mut scanning_writer = ScanningWriter::new(&mut writer, scanner);
+            processor.process(&mut adapted_reader, &mut scanning_writer)
+        } else {
+            processor.process(&mut adapted_reader, &mut writer)
+        }
     };
 
     if let Some(mut child) = pg_restore_child {
@@ -509,11 +578,23 @@ fn run_anonymize(cli: Cli) -> anyhow::Result<()> {
 
     // Emit stats or report if requested
     if cli.stats {
+        let elapsed_ms = run_started.elapsed().as_millis();
+        let domain_hits = processor
+            .anonymizers()
+            .domain_cache_hits
+            .load(Ordering::Relaxed);
+        let domain_misses = processor
+            .anonymizers()
+            .domain_cache_misses
+            .load(Ordering::Relaxed);
         eprintln!(
-            "dumpling: rows processed={}, rows dropped={}, cells changed={}",
+            "dumpling: rows processed={}, rows dropped={}, cells changed={}, wall_ms={}, domain_cache_hits={}, domain_cache_misses={}",
             reporter.report.total_rows_processed,
             reporter.report.total_rows_dropped,
-            reporter.report.total_cells_changed
+            reporter.report.total_cells_changed,
+            elapsed_ms,
+            domain_hits,
+            domain_misses
         );
     }
     if let Some(path) = cli.report.as_ref() {
@@ -591,7 +672,108 @@ fn has_allowed_extension(path: &Path, allow_exts: &[String]) -> bool {
 mod tests_main {
     use super::{has_allowed_extension, Cli, Commands};
     use clap::Parser;
+    use std::fs;
+    use std::io::Read;
     use std::path::PathBuf;
+    use std::process::Command;
+
+    #[test]
+    fn seal_emit_then_trust_roundtrip() {
+        let exe = match option_env!("CARGO_BIN_EXE_dumpling") {
+            Some(p) => PathBuf::from(p),
+            None => return,
+        };
+        let base =
+            std::env::temp_dir().join(format!("dumpling_seal_integration_{}", std::process::id()));
+        let conf = base.with_extension("toml");
+        let pass1_in = base.with_extension("p1.sql");
+        let pass1_out = base.with_extension("p2.sql");
+        let pass2_out = base.with_extension("p3.sql");
+
+        fs::write(
+            &conf,
+            r#"
+[rules."public.users"]
+email = { strategy = "email" }
+"#,
+        )
+        .unwrap();
+        fs::write(
+            &pass1_in,
+            "INSERT INTO public.users (email) VALUES ('alice@example.com');\n",
+        )
+        .unwrap();
+
+        let s1 = Command::new(&exe)
+            .args([
+                "-c",
+                conf.to_str().unwrap(),
+                "-i",
+                pass1_in.to_str().unwrap(),
+                "-o",
+                pass1_out.to_str().unwrap(),
+                "--seed",
+                "42",
+            ])
+            .output()
+            .unwrap();
+        assert!(
+            s1.status.success(),
+            "pass1 stderr={}",
+            String::from_utf8_lossy(&s1.stderr)
+        );
+
+        let mut sealed = String::new();
+        fs::File::open(&pass1_out)
+            .unwrap()
+            .read_to_string(&mut sealed)
+            .unwrap();
+        let first = sealed.lines().next().unwrap_or("");
+        assert!(
+            first.starts_with("-- dumpling-seal:"),
+            "expected seal prefix, got: {first:?}"
+        );
+        assert!(
+            !sealed.contains("alice@example.com"),
+            "expected anonymization in pass1"
+        );
+
+        let s2 = Command::new(&exe)
+            .args([
+                "-c",
+                conf.to_str().unwrap(),
+                "-i",
+                pass1_out.to_str().unwrap(),
+                "-o",
+                pass2_out.to_str().unwrap(),
+                "--seed",
+                "42",
+            ])
+            .output()
+            .unwrap();
+        assert!(
+            s2.status.success(),
+            "pass2 stderr={}",
+            String::from_utf8_lossy(&s2.stderr)
+        );
+
+        let mut final_out = String::new();
+        fs::File::open(&pass2_out)
+            .unwrap()
+            .read_to_string(&mut final_out)
+            .unwrap();
+        let rest_mid: String = sealed.lines().skip(1).collect::<Vec<_>>().join("\n");
+        let rest_out: String = final_out.lines().skip(1).collect::<Vec<_>>().join("\n");
+        assert_eq!(
+            rest_mid, rest_out,
+            "trusted pass-through should preserve dump body after seal line"
+        );
+
+        let _ = fs::remove_file(&conf);
+        let _ = fs::remove_file(&pass1_in);
+        let _ = fs::remove_file(&pass1_out);
+        let _ = fs::remove_file(&pass2_out);
+    }
 
     #[test]
     fn test_allowed_extensions() {