PyPI - frontone - Versions diffs - 0.1.0__py3-none-any.whl - Mend

frontone 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

frontone/__init__.py +1 -0
frontone/analyzer.py +620 -0
frontone/git_utils.py +59 -0
frontone/planner.py +159 -0
frontone/prompts.py +549 -0
frontone/scaffold.py +91 -0
frontone/server.py +90 -0
frontone-0.1.0.dist-info/METADATA +262 -0
frontone-0.1.0.dist-info/RECORD +12 -0
frontone-0.1.0.dist-info/WHEEL +5 -0
frontone-0.1.0.dist-info/entry_points.txt +2 -0
frontone-0.1.0.dist-info/top_level.txt +1 -0

frontone/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ __version__ = "0.1.0"

frontone/analyzer.py ADDED Viewed

@@ -0,0 +1,620 @@
+from __future__ import annotations
+import re
+import urllib.request
+from collections import Counter, defaultdict
+from pathlib import Path
+from codeintel_cli.core.project import find_project_root
+from codeintel_cli.scanner.scanner import find_all_supported_files
+from codeintel_cli.endpoints.scan import EndpointScanOptions, iter_supported_source_files
+from codeintel_cli.endpoints.java_spring import extract_spring_endpoints
+from codeintel_cli.endpoints.openapi_spec import extract_openapi_endpoints
+from codeintel_cli.context.java_rel import java_fields_and_rels, top_type_name
+from codeintel_cli.lang.java.types import scan_java_types
+from codeintel_cli.lang.java.models import extract_java_models, resolve_inherited_fields
+from codeintel_cli.commands.project.endpoints_cmd import (
+    _detect_spring_security_policy,
+    _norm_path,
+    _display_role_str,
+)
+# ─────────────────────────────────────────────────────────────────────────────
+# Constants
+# ─────────────────────────────────────────────────────────────────────────────
+IGNORE_DIRS = {
+    ".git", ".idea", ".vscode", ".mvn",
+    "__pycache__", ".pytest_cache", ".ruff_cache", ".tox",
+    ".venv", "venv", "env",
+    "node_modules", "dist", "build", "out", "target", ".gradle",
+}
+MODEL_DIRS = {
+    "model", "models", "entity", "entities", "domain", "domains",
+    "core", "aggregate", "aggregates", "persistence", "db", "data",
+    "schema", "pojo", "bean", "beans", "orm", "schemas",
+    "datamodel", "datamodels", "table", "tables", "record", "records",
+    "document", "documents", "dao",
+    "owner", "vet", "pet", "visit",
+}
+SKIP_MODEL_DIRS = {
+    "test", "tests", "controller", "controllers",
+    "service", "services", "repository", "repositories",
+    "config", "configuration", "util", "utils",
+    "exception", "exceptions", "security",
+    "mapper", "mappers", "migration", "migrations", "dto",
+}
+SKIP_MODEL_SUFFIXES = (
+    "Repository", "Mapper", "Dao", "Service", "Controller",
+    "Config", "Configuration", "Util", "Utils", "Helper",
+    "Exception", "Handler", "Interceptor", "Filter",
+    "Listener", "Scheduler", "Validator", "Converter",
+    "Serializer", "Deserializer", "Factory", "Builder", "Specification",
+)
+_ENTITY_ANNOTATIONS = {"Entity", "MappedSuperclass", "Embeddable", "Table", "Document"}
+_BASIC_TYPES = {
+    "String", "Long", "Integer", "int", "long", "double", "Double",
+    "float", "Float", "boolean", "Boolean", "UUID", "BigDecimal",
+    "Date", "LocalDate", "LocalDateTime", "Instant", "Object",
+}
+# Fake endpoint patterns — constructor injections misread as routes
+_FAKE_ENDPOINT_RE = re.compile(
+    r'/api/[^/]+/api/'          # doubled prefix like /api/bank-accounts/api/bank-accounts
+    r'|^/api/api$'              # /api/api
+)
+# ─────────────────────────────────────────────────────────────────────────────
+# Helpers
+# ─────────────────────────────────────────────────────────────────────────────
+def _is_basic_type(name: str) -> bool:
+    return (name or "").strip() in _BASIC_TYPES
+def _walk_java(root: Path):
+    stack = [root]
+    while stack:
+        cur = stack.pop()
+        try:
+            for child in cur.iterdir():
+                if child.is_dir():
+                    if child.name not in IGNORE_DIRS:
+                        stack.append(child)
+                elif child.suffix == ".java":
+                    yield child
+        except (PermissionError, FileNotFoundError):
+            continue
+def _is_model_path(rel: Path) -> bool:
+    parts = [p.lower() for p in rel.parts]
+    if "src" in parts and "test" in parts:
+        return False
+    if any(p in SKIP_MODEL_DIRS for p in parts):
+        return False
+    if any(rel.stem.endswith(s) for s in SKIP_MODEL_SUFFIXES):
+        return False
+    return any(p in MODEL_DIRS for p in parts)
+def _has_entity_annotation(path: Path) -> bool:
+    try:
+        text = path.read_text(encoding="utf-8", errors="ignore")
+        return any(f"@{a}" in text for a in _ENTITY_ANNOTATIONS)
+    except Exception:
+        return False
+# ─────────────────────────────────────────────────────────────────────────────
+# Models
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_models(project_root: Path) -> list[dict]:
+    pr = project_root.resolve()
+    files = find_all_supported_files(project_root)
+    candidates: list[Path] = []
+    for f in files:
+        if f.suffix.lower() != ".java":
+            continue
+        fr = f.resolve()
+        try:
+            rel = fr.relative_to(pr)
+        except Exception:
+            continue
+        if _is_model_path(rel) or _has_entity_annotation(fr):
+            candidates.append(fr)
+    all_models = []
+    for f in sorted(candidates, key=lambda x: str(x).lower()):
+        all_models.extend(extract_java_models(f, pr))
+    all_models = resolve_inherited_fields(all_models)
+    out: list[dict] = []
+    seen: set[str] = set()
+    for m in all_models:
+        if m.name in seen:
+            continue
+        seen.add(m.name)
+        out.append({
+            "name": m.name,
+            "kind": m.kind,
+            "bases": list(m.bases) if m.bases else [],
+            "file": m.file,
+            "fields": [{"name": fld.name, "type": fld.type} for fld in m.fields],
+        })
+    # Fallback: if models still empty, scan all java files for @Entity
+    if not out:
+        out = _scan_models_fallback(project_root)
+    return out
+def _scan_models_fallback(project_root: Path) -> list[dict]:
+    """Direct AST-free fallback: find @Entity classes and parse their fields."""
+    field_re = re.compile(
+        r'(?:private|protected|public)\s+([\w<>, \[\]]+)\s+(\w+)\s*;'
+    )
+    results = []
+    seen: set[str] = set()
+    for f in project_root.rglob("*.java"):
+        if any(x in f.parts for x in ("test", "target", "build")):
+            continue
+        try:
+            src = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        if not any(f"@{a}" in src for a in _ENTITY_ANNOTATIONS):
+            continue
+        cls = re.search(r'(?:public\s+)?class\s+(\w+)', src)
+        if not cls:
+            continue
+        name = cls.group(1)
+        if name in seen:
+            continue
+        seen.add(name)
+        fields = [
+            {"name": m.group(2), "type": m.group(1).strip()}
+            for m in field_re.finditer(src)
+            if not any(m.group(2).endswith(s) for s in SKIP_MODEL_SUFFIXES)
+        ]
+        results.append({
+            "name": name,
+            "kind": "class",
+            "bases": [],
+            "file": str(f),
+            "fields": fields,
+        })
+    return results
+# ─────────────────────────────────────────────────────────────────────────────
+# Relationships
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_relationships(project_root: Path) -> dict:
+    files = find_all_supported_files(project_root)
+    pr = project_root.resolve()
+    candidates: list[Path] = []
+    for f in files:
+        if f.suffix.lower() != ".java":
+            continue
+        fr = f.resolve()
+        try:
+            rel = fr.relative_to(pr)
+        except Exception:
+            continue
+        if _is_model_path(rel):
+            candidates.append(fr)
+    edges: list[dict] = []
+    counts: dict[str, int] = defaultdict(int)
+    per_src: dict[str, list[dict]] = defaultdict(list)
+    for f in sorted(candidates, key=lambda x: str(x).lower()):
+        try:
+            raw = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        src_type = top_type_name(raw, fallback=f.stem)
+        _fields, rels = java_fields_and_rels(f)
+        for r in rels:
+            tgt = (r.target or "").strip()
+            if not tgt or _is_basic_type(tgt):
+                continue
+            edge = {"src": src_type, "kind": r.kind, "field": r.field, "target": tgt}
+            edges.append(edge)
+            counts[r.kind] += 1
+            per_src[src_type].append(edge)
+    return {
+        "counts": dict(counts),
+        "total": sum(counts.values()),
+        "edges": edges,
+        "per_src": {k: v for k, v in per_src.items()},
+    }
+# ─────────────────────────────────────────────────────────────────────────────
+# DTOs / Types
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_types(project_root: Path) -> list[dict]:
+    java_files = sorted(_walk_java(project_root), key=lambda p: str(p).lower())
+    all_defs = scan_java_types(java_files[:500], project_root)
+    if not all_defs:
+        return []
+    # Fallback field extraction if scan_java_types returns empty fields
+    field_re = re.compile(
+        r'(?:private|protected|public)\s+([\w<>, \[\]]+)\s+(\w+)\s*;'
+    )
+    out: list[dict] = []
+    for d in all_defs:
+        fields = [{"name": fld.name, "type": fld.type} for fld in d.fields]
+        # If fields empty, try reading the file directly
+        if not fields:
+            candidates = list(project_root.rglob(f"{d.name}.java"))
+            for cf in candidates:
+                if any(x in cf.parts for x in ("test", "target", "build")):
+                    continue
+                try:
+                    src = cf.read_text(encoding="utf-8", errors="ignore")
+                    fields = [
+                        {"name": m.group(2), "type": m.group(1).strip()}
+                        for m in field_re.finditer(src)
+                    ]
+                    if fields:
+                        break
+                except Exception:
+                    continue
+        out.append({
+            "name": d.name,
+            "kind": d.kind,
+            "category": d.category,
+            "fields": fields,
+        })
+    return out
+# ─────────────────────────────────────────────────────────────────────────────
+# Endpoints
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_endpoints(project_root: Path) -> list[dict]:
+    opts = EndpointScanOptions(show_hidden=False, use_gitignore=True)
+    files = list(iter_supported_source_files(project_root, opts))
+    files_for_security = [
+        f for f in files
+        if not any(x in _norm_path(str(f)).lower() for x in ("/src/test/", "/target/", "/build/"))
+    ]
+    default_auth, permit_all = _detect_spring_security_policy(files_for_security)
+    all_eps = []
+    for f in files:
+        if f.suffix.lower() != ".java":
+            continue
+        try:
+            src = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        all_eps.extend(extract_spring_endpoints(src, str(f), default_auth=default_auth, permit_all=permit_all))
+    if not any(e.framework == "spring" for e in all_eps):
+        all_eps.extend(extract_openapi_endpoints(project_root))
+    filtered = [
+        e for e in all_eps
+        if "/src/test/" not in _norm_path(e.file)
+        and ("/src/main/" in _norm_path(e.file) or "/main/" in _norm_path(e.file))
+        and not _FAKE_ENDPOINT_RE.search(e.path)   # remove constructor-injection false positives
+    ]
+    seen: set[tuple[str, str]] = set()
+    uniq = []
+    for e in filtered:
+        key = (e.method, e.path)
+        if key not in seen:
+            seen.add(key)
+            uniq.append(e)
+    uniq.sort(key=lambda e: (e.path, e.method))
+    return [
+        {
+            "method": e.method,
+            "path": e.path,
+            "access": _display_role_str(e.path, set(e.roles or []), default_auth=default_auth, permit_all=permit_all),
+            "file": e.file,
+            "handler": e.handler,
+        }
+        for e in uniq
+    ]
+# ─────────────────────────────────────────────────────────────────────────────
+# Swagger
+# ─────────────────────────────────────────────────────────────────────────────
+def detect_swagger(project_root: Path) -> dict:
+    """Check for local swagger files and try to fetch live OpenAPI spec."""
+    local_checks = [
+        "src/main/resources/static/swagger-ui/index.html",
+        "src/main/resources/swagger/openapi.yml",
+        "src/main/resources/swagger/openapi.yaml",
+        "openapi.yml",
+        "openapi.yaml",
+    ]
+    for c in local_checks:
+        if (project_root / c).exists():
+            return {"found": True, "source": "local", "local_path": c}
+    # Try fetching live OpenAPI spec
+    live_urls = [
+        "http://localhost:8080/v3/api-docs",
+        "http://localhost:8080/v2/api-docs",
+        "http://localhost:8080/swagger.json",
+    ]
+    for url in live_urls:
+        try:
+            with urllib.request.urlopen(url, timeout=2) as resp:
+                if resp.status == 200:
+                    import json as _json
+                    spec = _json.loads(resp.read().decode())
+                    return {
+                        "found": True,
+                        "source": "live",
+                        "url": url,
+                        "title": spec.get("info", {}).get("title", ""),
+                        "version": spec.get("info", {}).get("version", ""),
+                        "paths_count": len(spec.get("paths", {})),
+                    }
+        except Exception:
+            continue
+    return {
+        "found": False,
+        "source": "none",
+        "likely_runtime_urls": live_urls,
+        "note": "Start the app and one of these URLs will return the live OpenAPI spec",
+    }
+# ─────────────────────────────────────────────────────────────────────────────
+# Auth
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_auth(project_root: Path) -> dict:
+    _JWT = [
+        r"JwtAuthenticationFilter", r"JwtTokenProvider", r"TokenProvider",
+        r"Jwts\.", r"JWTVerifier", r"BearerTokenAuthenticationFilter",
+        r"import\s+io\.jsonwebtoken", r"import\s+com\.auth0\.jwt",
+        r"import\s+org\.springframework\.security\.oauth2\.jwt",
+        r"NimbusJwtDecoder", r"NimbusJwtEncoder", r"JwtDecoder",
+        r"JwtEncoder", r"JwtClaimsSet",
+    ]
+    _OAUTH2 = [
+        r"oauth2Login\s*\(", r"@EnableOAuth2Sso", r"@EnableResourceServer",
+        r"@EnableAuthorizationServer",
+        r"import\s+org\.springframework\.security\.oauth2\.client",
+    ]
+    jwt_hits = oauth2_hits = stateless = session_hits = 0
+    for f in project_root.rglob("*.java"):
+        if any(x in f.parts for x in ("test", "target", "build")):
+            continue
+        try:
+            src = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        for p in _JWT:
+            if re.search(p, src):
+                jwt_hits += 1
+        for p in _OAUTH2:
+            if re.search(p, src):
+                oauth2_hits += 1
+        if re.search(r"SessionCreationPolicy\.STATELESS", src):
+            stateless = 1
+        if re.search(r"\.sessionManagement\(|HttpSession", src):
+            session_hits += 1
+    if jwt_hits >= 1:
+        return {"type": "JWT", "token_transport": "Bearer header",
+                "usage": "Authorization: Bearer <token>", "signals": jwt_hits}
+    if oauth2_hits >= 1:
+        return {"type": "OAuth2", "token_transport": "Bearer header",
+                "usage": "Authorization: Bearer <access_token>", "signals": oauth2_hits}
+    if stateless:
+        return {"type": "Stateless", "token_transport": "Bearer header (assumed)",
+                "usage": "SessionCreationPolicy.STATELESS set but no JWT/OAuth2 class found", "signals": 0}
+    if session_hits:
+        return {"type": "Session", "token_transport": "Cookie (JSESSIONID)",
+                "usage": "Browser manages cookie automatically", "signals": session_hits}
+    return {"type": "None", "token_transport": "N/A",
+            "usage": "No Spring Security config detected", "signals": 0}
+# ─────────────────────────────────────────────────────────────────────────────
+# Base Path
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_base_path(project_root: Path) -> dict:
+    pattern = re.compile(r'@RequestMapping\s*\(\s*["\']([^"\']+)["\']')
+    counter: Counter = Counter()
+    for f in project_root.rglob("*.java"):
+        if any(x in f.parts for x in ("test", "target", "build")):
+            continue
+        try:
+            src = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        if "@Controller" not in src and "@RestController" not in src:
+            continue
+        for m in pattern.finditer(src):
+            val = m.group(1).strip()
+            if not val or "{" in val:
+                continue
+            val = val if val.startswith("/") else "/" + val
+            parts = [p for p in val.split("/") if p]
+            if parts:
+                counter["/" + parts[0]] += 1
+            if len(parts) >= 2:
+                counter["/" + parts[0] + "/" + parts[1]] += 1
+    if not counter:
+        return {"prefix": "/", "axios_base_url": "http://localhost:8080"}
+    top = counter.most_common(1)[0][0]
+    return {"prefix": top, "axios_base_url": f"http://localhost:8080{top}"}
+# ─────────────────────────────────────────────────────────────────────────────
+# Pagination
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_pagination(project_root: Path) -> dict:
+    pageable_re   = re.compile(r"\bPageable\b")
+    page_re       = re.compile(r"\bPage<")
+    class_map_re  = re.compile(r'@RequestMapping\s*\(\s*["\']([^"\']+)["\']')
+    method_map_re = re.compile(
+        r'@(?:Get|Post|Put|Delete|Patch)Mapping\s*(?:\(\s*(?:value\s*=\s*)?["\']([^"\']*)["\'])?'
+    )
+    paths: set[str] = set()
+    for f in project_root.rglob("*.java"):
+        if any(x in f.parts for x in ("test", "target", "build")):
+            continue
+        try:
+            src = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        if not (pageable_re.search(src) or page_re.search(src)):
+            continue
+        if "@Controller" not in src and "@RestController" not in src:
+            continue
+        base = ""
+        cm = class_map_re.search(src)
+        if cm:
+            base = cm.group(1).strip()
+            base = base if base.startswith("/") else "/" + base
+            base = base.rstrip("/")
+        for m in method_map_re.finditer(src):
+            sub = (m.group(1) or "").strip()
+            if sub and not sub.startswith("/"):
+                sub = "/" + sub
+            full = (base + sub) or "/"
+            snippet = src[m.start(): m.start() + 600]
+            if pageable_re.search(snippet) or page_re.search(snippet):
+                paths.add(full)
+    if paths:
+        return {
+            "used": True,
+            "style": "Spring Data Page",
+            "response_shape": {
+                "content": "T[]",
+                "totalElements": "number",
+                "totalPages": "number",
+                "number": "number (0-based)",
+                "size": "number",
+            },
+            "query_params": "?page=0&size=20&sort=fieldName,asc",
+            "paginated_paths": sorted(paths),
+        }
+    return {"used": False, "style": "None", "paginated_paths": []}
+# ─────────────────────────────────────────────────────────────────────────────
+# Validation
+# ─────────────────────────────────────────────────────────────────────────────
+_ANN_BLOCK_RE = re.compile(
+    r'(@(?:NotNull|NotBlank|NotEmpty|Email|Positive|PositiveOrZero|Negative|NegativeOrZero)'
+    r'|@Size\([^)]*\)|@Min\([^)]*\)|@Max\([^)]*\)|@Pattern\([^)]*\))'
+)
+_FIELD_LINE_RE = re.compile(
+    r'((?:@\w+(?:\([^)]*\))?\s*)+)'
+    r'(?:private|protected|public)\s+[\w<>, \[\]]+\s+(\w+)\s*;'
+)
+def _scan_validation(project_root: Path) -> dict:
+    result: dict = {}
+    for f in project_root.rglob("*.java"):
+        if any(x in f.parts for x in ("test", "target", "build")):
+            continue
+        try:
+            src = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        if not _ANN_BLOCK_RE.search(src):
+            continue
+        cls = re.search(r'class\s+(\w+)', src)
+        class_name = cls.group(1) if cls else f.stem
+        fields: dict = {}
+        for m in _FIELD_LINE_RE.finditer(src):
+            constraints = _ANN_BLOCK_RE.findall(m.group(1))
+            if constraints:
+                fields[m.group(2)] = constraints
+        if fields:
+            result[class_name] = fields
+    return result
+# ─────────────────────────────────────────────────────────────────────────────
+# Enums
+# ─────────────────────────────────────────────────────────────────────────────
+def _scan_enums(project_root: Path) -> dict:
+    enum_re = re.compile(
+        r'(?:public\s+)?enum\s+(\w+)\s*(?:implements[^{]*)?\{([^}]*)\}', re.DOTALL
+    )
+    result: dict = {}
+    for f in project_root.rglob("*.java"):
+        if any(x in f.parts for x in ("test", "target", "build")):
+            continue
+        try:
+            src = f.read_text(encoding="utf-8", errors="ignore")
+        except Exception:
+            continue
+        if "enum " not in src:
+            continue
+        for m in enum_re.finditer(src):
+            constants = [
+                c.strip().split("(")[0].strip()
+                for c in m.group(2).split(";")[0].split(",")
+            ]
+            constants = [c for c in constants if re.match(r'^[A-Z][A-Z0-9_]*$', c)]
+            if constants:
+                result[m.group(1)] = constants
+    return result
+# ─────────────────────────────────────────────────────────────────────────────
+# Main entry point
+# ─────────────────────────────────────────────────────────────────────────────
+def analyze(repo_path: str) -> dict:
+    """
+    Main entry point. Call this from server.py.
+    Returns a clean dict ready to be sent as JSON to any MCP client.
+    """
+    project_root = find_project_root(Path(repo_path))
+    return {
+        "project_root": str(project_root),
+        "models":        _scan_models(project_root),
+        "relationships": _scan_relationships(project_root),
+        "dtos":          _scan_types(project_root),
+        "endpoints":     _scan_endpoints(project_root),
+        "swagger":       detect_swagger(project_root),
+        "auth":          _scan_auth(project_root),
+        "base_path":     _scan_base_path(project_root),
+        "pagination":    _scan_pagination(project_root),
+        "validation":    _scan_validation(project_root),
+        "enums":         _scan_enums(project_root),
+    }

frontone/git_utils.py ADDED Viewed

@@ -0,0 +1,59 @@
+from __future__ import annotations
+import os
+import re
+import shutil
+from pathlib import Path
+from urllib.parse import urlparse
+def _repo_name(repo_url: str) -> str:
+    path = urlparse(repo_url.rstrip("/")).path
+    name = path.rstrip("/").split("/")[-1]
+    name = re.sub(r"\.git$", "", name, flags=re.IGNORECASE)
+    return name or "repo"
+def _build_clone_url(repo_url: str) -> str:
+    token = os.environ.get("GITHUB_TOKEN", "").strip()
+    if not token:
+        return repo_url
+    parsed = urlparse(repo_url)
+    if parsed.scheme in ("http", "https") and "github.com" in (parsed.netloc or ""):
+        authed = parsed._replace(netloc=f"{token}@{parsed.netloc}")
+        return authed.geturl()
+    return repo_url
+def clone_repo(repo_url: str) -> Path:
+    """
+    Clone repo into C:/<repo-name>-frontend.
+    If folder already exists, reuse it (cache).
+    Returns the cloned repo path.
+    """
+    try:
+        import git
+    except ImportError as exc:
+        raise RuntimeError("gitpython is required: pip install gitpython") from exc
+    repo_name = _repo_name(repo_url)
+    dest = Path("C:/") / f"{repo_name}-frontend"
+    if dest.exists():
+        return dest
+    clone_url = _build_clone_url(repo_url)
+    dest.mkdir(parents=True, exist_ok=True)
+    try:
+        git.Repo.clone_from(
+            clone_url,
+            str(dest),
+            depth=1,
+            single_branch=True,
+        )
+    except Exception as exc:
+        shutil.rmtree(dest, ignore_errors=True)
+        raise RuntimeError(f"Failed to clone {repo_url}: {exc}") from exc
+    return dest