fraisier 0.1.1__tar.gz

fraisier-0.1.1/.env.example

@@ -0,0 +1,38 @@
+# Fraisier Environment Configuration
+# Copy this file to .env and update values for your environment
+
+# ============================================================================
+# Database Configuration
+# ============================================================================
+DATABASE_URL=postgresql://fraisier:fraisier_password@postgres:5432/fraisier
+
+# ============================================================================
+# Fraisier Application Settings
+# ============================================================================
+FRAISIER_LOG_LEVEL=INFO
+FRAISIER_WEBHOOK_SECRET=dev-webhook-secret-change-me
+PROMETHEUS_PORT=8001
+
+# ============================================================================
+# Monitoring and Observability
+# ============================================================================
+
+# Grafana Admin Credentials
+GF_SECURITY_ADMIN_USER=admin
+GF_SECURITY_ADMIN_PASSWORD=admin
+
+# Prometheus Configuration
+PROMETHEUS_RETENTION=15d
+
+# Redis Cache (optional, for distributed deployments)
+REDIS_PASSWORD=redis_password
+
+# ============================================================================
+# Development/Production Settings
+# ============================================================================
+
+# Environment: development, staging, production
+ENVIRONMENT=development
+
+# Enable verbose logging for debugging
+DEBUG=false

fraisier-0.1.1/.github/actions/deploy/action.yml

@@ -0,0 +1,188 @@
+name: "Fraisier Deploy"
+description: "Trigger a Fraisier deployment via webhook and poll for completion"
+
+inputs:
+  webhook_url:
+    description: "Fraisier webhook URL (e.g., https://deploy.example.com/webhook)"
+    required: true
+  webhook_secret:
+    description: "Webhook HMAC secret for signature verification"
+    required: true
+  fraise_name:
+    description: "Name of the fraise to deploy"
+    required: true
+  status_url:
+    description: "Base URL for status endpoint (e.g., https://deploy.example.com)"
+    required: true
+  environment:
+    description: "Target environment (development, staging, production)"
+    required: false
+    default: "production"
+  timeout:
+    description: "Max seconds to wait for deployment (0 = use environment default)"
+    required: false
+    default: "0"
+  poll_interval:
+    description: "Seconds between status polls"
+    required: false
+    default: "10"
+  create_issue:
+    description: "Create GitHub Issue on failure (true/false)"
+    required: false
+    default: "true"
+
+outputs:
+  version:
+    description: "Deployed version after successful deployment"
+    value: ${{ steps.poll.outputs.version }}
+  state:
+    description: "Final deployment state"
+    value: ${{ steps.poll.outputs.state }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Trigger deployment
+      shell: bash
+      env:
+        WEBHOOK_URL: ${{ inputs.webhook_url }}
+        WEBHOOK_SECRET: ${{ inputs.webhook_secret }}
+        COMMIT_SHA: ${{ github.sha }}
+        BRANCH: ${{ github.ref_name }}
+      run: |
+        # Compute HMAC-SHA256 signature
+        PAYLOAD='{"ref":"refs/heads/'"$BRANCH"'","after":"'"$COMMIT_SHA"'"}'
+        SIGNATURE="sha256=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | cut -d' ' -f2)"
+
+        HTTP_CODE=$(curl -sf -o /dev/null -w '%{http_code}' \
+          -X POST "$WEBHOOK_URL" \
+          -H "Content-Type: application/json" \
+          -H "X-GitHub-Event: push" \
+          -H "X-Hub-Signature-256: $SIGNATURE" \
+          -d "$PAYLOAD")
+
+        if [ "$HTTP_CODE" -lt 200 ] || [ "$HTTP_CODE" -ge 300 ]; then
+          echo "::error::Webhook trigger failed with HTTP $HTTP_CODE"
+          exit 1
+        fi
+        echo "Webhook triggered successfully (HTTP $HTTP_CODE)"
+
+    - name: Poll for completion
+      id: poll
+      shell: bash
+      env:
+        STATUS_URL: ${{ inputs.status_url }}/api/status/${{ inputs.fraise_name }}
+        EXPECTED_SHA: ${{ github.sha }}
+        TIMEOUT: ${{ inputs.timeout }}
+        POLL_INTERVAL: ${{ inputs.poll_interval }}
+        ENVIRONMENT: ${{ inputs.environment }}
+      run: |
+        # Use environment default if timeout is 0
+        if [ "$TIMEOUT" = "0" ]; then
+          case "$ENVIRONMENT" in
+            development) TIMEOUT=120 ;;
+            staging)     TIMEOUT=600 ;;
+            *)           TIMEOUT=300 ;;
+          esac
+        fi
+
+        echo "Polling $STATUS_URL (timeout: ${TIMEOUT}s, interval: ${POLL_INTERVAL}s)"
+        DEADLINE=$((SECONDS + TIMEOUT))
+
+        while [ "$SECONDS" -lt "$DEADLINE" ]; do
+          RESPONSE=$(curl -sf "$STATUS_URL" 2>/dev/null) || {
+            echo "Status endpoint unreachable, retrying in ${POLL_INTERVAL}s..."
+            sleep "$POLL_INTERVAL"
+            continue
+          }
+
+          STATE=$(echo "$RESPONSE" | jq -r '.state // empty')
+          SHA=$(echo "$RESPONSE" | jq -r '.commit_sha // empty')
+          VERSION=$(echo "$RESPONSE" | jq -r '.version // empty')
+
+          # Check FAILURE first (key insight: fail fast, don't wait for SHA match)
+          if [ "$STATE" = "failed" ]; then
+            echo "::error::Deployment failed"
+            echo "state=failed" >> "$GITHUB_OUTPUT"
+            exit 1
+          fi
+
+          # Check SUCCESS with SHA match
+          if [ "$STATE" = "success" ] && [ "$SHA" = "$EXPECTED_SHA" ]; then
+            echo "Deployment succeeded: version=$VERSION"
+            echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+            echo "state=success" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "Waiting: state=$STATE sha=${SHA:0:7}..."
+          sleep "$POLL_INTERVAL"
+        done
+
+        echo "::error::Deployment timed out after ${TIMEOUT}s"
+        echo "state=timeout" >> "$GITHUB_OUTPUT"
+        exit 1
+
+    - name: Create issue on failure
+      if: failure() && inputs.create_issue == 'true'
+      shell: bash
+      env:
+        STATUS_URL: ${{ inputs.status_url }}/api/status/${{ inputs.fraise_name }}
+        WEBHOOK_SECRET: ${{ inputs.webhook_secret }}
+        ENVIRONMENT: ${{ inputs.environment }}
+        COMMIT_SHA: ${{ github.sha }}
+        BRANCH: ${{ github.ref_name }}
+        ACTOR: ${{ github.actor }}
+        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        # Fetch failure details from authenticated endpoint
+        DETAILS=$(curl -sf "${STATUS_URL}/details" \
+          -H "X-Deployment-Token: ${WEBHOOK_SECRET}" 2>/dev/null) || DETAILS="{}"
+
+        ERROR_MSG=$(echo "$DETAILS" | jq -r '.error_message // "No error details available"')
+        MIGRATION=$(echo "$DETAILS" | jq -r '.migration_report // empty')
+
+        SHORT_SHA="${COMMIT_SHA:0:7}"
+
+        # Build issue body
+        BODY="## Deployment Failure
+
+        | Field | Value |
+        | --- | --- |
+        | Environment | \`${ENVIRONMENT}\` |
+        | Commit | \`${SHORT_SHA}\` (${COMMIT_SHA}) |
+        | Branch | \`${BRANCH}\` |
+        | Triggered by | @${ACTOR} |
+        | Workflow run | [View logs](${RUN_URL}) |
+
+        ## Error Details
+
+        \`\`\`
+        ${ERROR_MSG}
+        \`\`\`"
+
+        if [ -n "$MIGRATION" ] && [ "$MIGRATION" != "null" ]; then
+          BODY="${BODY}
+
+        ## Migration Report
+
+        \`\`\`json
+        ${MIGRATION}
+        \`\`\`"
+        fi
+
+        BODY="${BODY}
+
+        ## Remediation Checklist
+
+        - [ ] Review error details and workflow logs above
+        - [ ] Check database state and migration status
+        - [ ] Fix the root cause in a new commit
+        - [ ] Verify fix deploys successfully
+        - [ ] Close this issue"
+
+        gh issue create \
+          --title "Deploy failed: ${ENVIRONMENT} @ ${SHORT_SHA}" \
+          --label "deployment-failure" \
+          --body "$BODY"

fraisier-0.1.1/.github/workflows/publish.yml

@@ -0,0 +1,197 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  test:
+    name: Tests (Required for Release)
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: fraisier
+          POSTGRES_PASSWORD: fraisier
+          POSTGRES_DB: fraisier_test
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+
+    - name: Install dependencies
+      run: |
+        uv venv
+        uv pip install ".[dev]"
+
+    - name: Run tests
+      env:
+        FRAISIER_TEST_PG_URL: postgresql://fraisier:fraisier@localhost:5432/fraisier_test
+      run: |
+        uv run pytest tests/ \
+          --cov=fraisier \
+          --cov-report=xml \
+          --cov-report=term-missing \
+          -v
+
+  lint:
+    name: Lint (Required for Release)
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+    - name: Install dependencies
+      run: |
+        uv venv
+        uv pip install ruff
+    - name: Run ruff check
+      run: uv run ruff check .
+    - name: Run ruff format check
+      run: uv run ruff format --check .
+
+  type-check:
+    name: Type Check (Advisory)
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+    - name: Install ty
+      run: uv tool install ty
+    - name: Run ty
+      run: ty check fraisier/ || echo "Type check warnings (non-blocking)"
+
+  security:
+    name: Security (Required for Release)
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+    - name: Install dependencies
+      run: |
+        uv venv
+        uv pip install bandit
+    - name: Run bandit
+      run: uv run bandit -r fraisier/ -f json || true
+
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    needs: [test, lint, type-check, security]
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+
+    - name: Build sdist and wheel
+      run: uv build
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v5
+      with:
+        name: dist
+        path: dist/*
+
+  validate:
+    name: Validate built artifacts
+    runs-on: ubuntu-latest
+    needs: [build]
+
+    steps:
+    - name: Download artifacts
+      uses: actions/download-artifact@v5
+      with:
+        name: dist
+        path: dist
+
+    - name: Install validation tools
+      run: pip install twine
+
+    - name: Validate with twine
+      run: twine check dist/*
+
+    - name: List artifacts
+      run: |
+        echo "=== Built Artifacts ==="
+        ls -lh dist/
+
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: [validate]
+    environment: release
+    permissions:
+      id-token: write
+
+    steps:
+    - name: Download artifacts
+      uses: actions/download-artifact@v5
+      with:
+        name: dist
+        path: dist
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+
+    - name: Publish to PyPI
+      run: uv publish --trusted-publishing always
+
+  create-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    needs: [publish]
+    permissions:
+      contents: write
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Download artifacts
+      uses: actions/download-artifact@v5
+      with:
+        name: dist
+        path: dist
+
+    - name: Create Release
+      uses: softprops/action-gh-release@v2
+      with:
+        generate_release_notes: true
+        files: dist/*
+        draft: false
+        prerelease: false

fraisier-0.1.1/.github/workflows/python-version-matrix.yml

@@ -0,0 +1,95 @@
+name: Python Version Matrix Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: python-matrix-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-matrix:
+    name: Test Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.11', '3.12', '3.13']
+
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: fraisier
+          POSTGRES_PASSWORD: fraisier
+          POSTGRES_DB: fraisier_test
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+
+    - name: Install dependencies
+      run: |
+        uv venv
+        uv pip install ".[dev]"
+
+    - name: Verify environment
+      run: |
+        uv run python --version
+        pg_isready -h localhost -p 5432 -U fraisier && echo 'PostgreSQL ready' || echo 'PostgreSQL not ready'
+
+    - name: Run tests with coverage
+      env:
+        FRAISIER_TEST_PG_URL: postgresql://fraisier:fraisier@localhost:5432/fraisier_test
+      run: |
+        uv run pytest tests/ \
+          --cov=fraisier \
+          --cov-report=xml \
+          --cov-report=term-missing \
+          -v \
+          --tb=short
+
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v5
+      with:
+        files: ./coverage.xml
+        flags: python-${{ matrix.python-version }}
+        name: Python-${{ matrix.python-version }}
+        fail_ci_if_error: false
+      continue-on-error: true
+
+  matrix-summary:
+    name: Python Version Matrix Summary
+    runs-on: ubuntu-latest
+    needs: [test-matrix]
+    if: always()
+
+    steps:
+      - name: Check matrix results
+        run: |
+          if [[ "${{ needs.test-matrix.result }}" == "success" ]]; then
+            echo "Python 3.11+ tests passed"
+            exit 0
+          else
+            echo "Python version testing failed"
+            exit 1
+          fi

fraisier-0.1.1/.github/workflows/quality-gate.yml

@@ -0,0 +1,162 @@
+name: Quality Gate
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: quality-gate-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: fraisier
+          POSTGRES_PASSWORD: fraisier
+          POSTGRES_DB: fraisier_test
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+
+    - name: Install dependencies
+      run: |
+        uv venv
+        uv pip install ".[dev]"
+
+    - name: Verify environment
+      run: |
+        uv run python --version
+        uv run pytest --version
+        pg_isready -h localhost -p 5432 -U fraisier && echo 'PostgreSQL ready' || echo 'PostgreSQL not ready'
+
+    - name: Run tests with coverage
+      env:
+        FRAISIER_TEST_PG_URL: postgresql://fraisier:fraisier@localhost:5432/fraisier_test
+      run: |
+        uv run pytest tests/ \
+          --cov=fraisier \
+          --cov-report=xml \
+          --cov-report=term-missing \
+          -v \
+          --tb=short
+
+    - name: Upload coverage
+      uses: codecov/codecov-action@v5
+      with:
+        files: ./coverage.xml
+        flags: unittests
+        name: Python-3.12
+        fail_ci_if_error: false
+      continue-on-error: true
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+    - name: Install dependencies
+      run: |
+        uv venv
+        uv pip install ruff
+    - name: Run ruff check
+      run: uv run ruff check .
+    - name: Run ruff format check
+      run: uv run ruff format --check .
+
+  type-check:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+    - name: Install ty
+      run: uv tool install ty
+    - name: Run ty type check
+      run: ty check fraisier/
+      timeout-minutes: 5
+      continue-on-error: true
+
+  security:
+    name: Security
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+    - name: Install dependencies
+      run: |
+        uv venv
+        uv pip install bandit
+    - name: Run bandit security scan
+      run: uv run bandit -r fraisier/ -f json || true
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'table'
+        severity: 'CRITICAL,HIGH'
+      continue-on-error: true
+
+  quality-gate:
+    name: Quality Gate
+    runs-on: ubuntu-latest
+    needs: [test, lint, type-check, security]
+    if: always()
+    steps:
+      - name: Check quality gate status
+        run: |
+          if [[ "${{ needs.test.result }}" != "success" ]]; then
+            echo "Tests failed"
+            exit 1
+          fi
+          if [[ "${{ needs.lint.result }}" != "success" ]]; then
+            echo "Lint checks failed"
+            exit 1
+          fi
+          if [[ "${{ needs.type-check.result }}" == "failure" ]]; then
+            echo "Type check has warnings (non-blocking)"
+          fi
+          if [[ "${{ needs.security.result }}" != "success" ]]; then
+            echo "Security checks failed"
+            exit 1
+          fi
+          echo "All quality checks passed"

fraisier-0.1.1/.gitignore

@@ -0,0 +1,15 @@
+*.db
+tmp/
+__pycache__/
+*.pyc
+*.pyo
+.pytest_cache/
+.ruff_cache/
+.venv/
+dist/
+*.egg-info/
+.env
+!.env.example
+*.key
+*.pem
+.phases/