PyPI - gwc-pybundle - Versions diffs - 1.1.1__tar.gz → 1.4.1__tar.gz - Mend

gwc-pybundle 1.1.1tar.gz → 1.4.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of gwc-pybundle might be problematic. Click here for more details.

Files changed (61) hide show

{gwc_pybundle-1.1.1 → gwc_pybundle-1.4.1}/PKG-INFO RENAMED Viewed

@@ -1,8 +1,8 @@
 Metadata-Version: 2.4
 Name: gwc-pybundle
-Version: 1.1.1
+Version: 1.4.1
 Summary: Deterministic Python project context bundling for humans, automation, and AI
-Author: Jessica Brown
+Author-email: Jessica Brown <jessica@codenamejessica.com>
 License: The MIT License (MIT)
         =====================
@@ -47,7 +47,8 @@ Description-Content-Type: text/markdown
 License-File: LICENSE.md
 Dynamic: license-file
-# 🧳 pybundle [![PyPI version](https://img.shields.io/pypi/v/gwc-pybundle.svg?color=2ea44f)](https://pypi.org/project/gwc-pybundle/)
+# 🧳 pybundle ![PyPI - Version](https://img.shields.io/pypi/v/gwc-pybundle)
 ![GitHub Release Date](https://img.shields.io/github/release-date/girls-whocode/pybundle?color=orange)
 [![Python versions](https://img.shields.io/pypi/pyversions/gwc-pybundle.svg?color=3776AB)](https://pypi.org/project/gwc-pybundle/)
@@ -173,7 +174,7 @@ pytest
 pytest-cov
 bandit
 pip-audit
-gwc-pybundle==1.1.1
+gwc-pybundle==1.3.1
 ```
 Then install:
@@ -210,7 +211,7 @@ See **Usage** for more details.
 #### From GitHub
 ```bash
-pip install "gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.1.1"
+pip install "gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.3.1"
 ```
 Pinning to a tag ensures reproducible behavior.
@@ -359,6 +360,10 @@ The `analysis` and `debug` profiles run comprehensive quality and security check
 * **ruff** - Fast Python linter and formatter checks
 * **mypy** - Static type checking for type hints
 * **pylance** - Syntax error detection and import analysis
+* **vulture** - Dead code detection (v1.3.0+)
+* **radon** - Cyclomatic complexity and maintainability metrics (v1.3.0+)
+* **interrogate** - Docstring coverage analysis (v1.3.0+)
+* **pylint duplication** - Code duplication detection (v1.3.0+)
 #### Testing & Coverage
 * **pytest** - Test execution and results
@@ -368,13 +373,31 @@ The `analysis` and `debug` profiles run comprehensive quality and security check
 * **bandit** - Security vulnerability scanning for Python code
 * **pip-audit** - Dependency vulnerability checking against known CVEs
+#### Dependency Analysis (v1.3.1+)
+* **pipdeptree** - Full dependency tree with conflict detection
+* **unused dependencies** - Identify installed but unused packages
+* **pip-licenses** - License scanning and compatibility warnings
+* **dependency sizes** - Disk usage analysis per package
+#### Performance Profiling (v1.4.0+)
+* **cProfile** - CPU profiling to identify bottlenecks
+* **import time analysis** - Detect slow module imports
+* **tracemalloc** - Memory profiling (optional, via `--profile-memory`)
+* **line_profiler** - Line-by-line profiling (optional, requires `@profile` decorators and `--enable-line-profiler`)
+#### Test Quality & Coverage Enhancement (v1.4.1+)
+* **Test flakiness detection** - Run tests multiple times to identify non-deterministic failures
+* **Branch coverage** - Enhanced coverage.py integration showing missing branches, not just lines
+* **Slow test identification** - Automatically identify and rank tests exceeding time threshold
+* **Mutation testing** - Optional mutmut integration to measure test suite effectiveness (VERY SLOW - disabled by default)
 #### Pattern Scanning
 * **ripgrep scans** - TODO detection, print statements, bare excepts
 All tools gracefully skip if not installed. Install recommended tools:
 ```bash
-pip install ruff mypy pytest pytest-cov bandit pip-audit
+pip install ruff mypy pytest pytest-cov bandit pip-audit vulture radon interrogate pylint pipdeptree pip-licenses
 ```
 For ripgrep (system dependency):
@@ -445,7 +468,6 @@ Commonly used options:
 * `--outdir PATH` - output directory (default: `<project>/artifacts`)
 * `--name NAME` - override archive name prefix
 * `--strict` - fail with non-zero exit code if any step fails
-* `--no-spinner` - disable spinner output (CI-friendly)
 * `--redact / --no-redact` - control secret redaction
 Tool execution can be selectively disabled:
@@ -533,7 +555,7 @@ When enabled, `pybundle` emits **exactly one JSON object to stdout**, with a **s
 * AI orchestration
 * reproducible analysis
-No human text, spinners, or formatting are mixed into the output.
+No human text or formatting are mixed into the output.
 ### Example
@@ -653,7 +675,118 @@ By default, pybundle:
 Use `--redact / --no-redact` to control behavior.
 ---
+## 🔒 Security Considerations
+**pybundle** is a development tool designed for trusted environments.
+### Threat Model
+* **Environment:** Development machines and CI/CD pipelines
+* **Trust Boundary:** Assumes trusted development environment
+* **Execution Context:** Runs external tools (git, ruff, mypy, pytest, etc.)
+* **Input Sources:** Project files, git repository, installed packages
+### Security Posture
+**Tool Path Resolution:**
+- All external tools use full resolved paths (via `shutil.which()`)
+- Tools are resolved at detection time and stored in `Tooling` dataclass
+- No dynamic PATH manipulation or shell interpretation
+- Eliminates partial path execution vulnerabilities (B607)
+- **Optional strict-paths mode** for enhanced security (v1.2.0+)
+- **Code quality tools** for dead code, complexity, docstrings, and duplication (v1.3.0+)
+- **Dependency intelligence** for conflict detection, license scanning, and size analysis (v1.3.1+)
+**Subprocess Execution:**
+- All subprocess calls use `shell=False` (default, secure)
+- Arguments passed as lists, never as strings
+- No user-controlled command construction
+- Commands are hardcoded in source code
+**Data Handling:**
+- Optional secret redaction for sensitive strings in logs
+- Environment variables and paths logged for reproducibility
+- All file operations respect `.gitignore` rules
+### Strict-Paths Mode (v1.2.0+)
+For high-security environments, enable `--strict-paths` to enforce that all tools must be in trusted system directories:
+```bash
+pybundle run analysis --strict-paths
+```
+**Trusted directories** (configurable via `PYBUNDLE_TRUSTED_PATHS`):
+- `/usr/bin/`, `/usr/local/bin/`, `/bin/`
+- `/opt/homebrew/bin/` (macOS Homebrew)
+- `/snap/bin/` (Ubuntu snaps)
+- Virtual environment paths (`.venv`, `venv`, `.pybundle-venv`)
+Tools outside trusted directories are excluded in strict mode. This prevents:
+- Accidental execution of tools from user-writable directories
+- PATH manipulation attacks
+- Use of potentially compromised tool installations
+**Example:** Verify tool paths before running:
+```bash
+pybundle doctor --strict-paths
+```
+Output shows trust status:
+```
+🔧 Tool Detection:
+git        ✅ /usr/bin/git
+python     ✅ /path/to/venv/bin/python
+npm        ⚠️  /home/user/.nvm/.../npm  (untrusted in strict mode)
+```
+**Configure custom trusted paths:**
+```bash
+export PYBUNDLE_TRUSTED_PATHS="/opt/custom/bin:/company/tools/bin"
+pybundle run debug --strict-paths
+```
+### Known Limitations
+1. **Requires Trusted Environment**
+   - Assumes developer controls their machine and installed tools
+   - Not designed for untrusted code execution or sandboxing
+   - Tool integrity depends on system package management
+2. **Tool Availability**
+   - External tools (git, ruff, mypy) are optional
+   - Missing tools result in SKIP status, not failure
+   - Use `pybundle doctor` to verify available tools
+3. **File System Access**
+   - Reads entire project tree (respecting ignore rules)
+   - Writes to `artifacts/` directory by default
+   - No privilege escalation or system modification
+### For Security Auditors
+**Bandit Security Scan Results:**
+- 33 low-severity findings (all expected for CLI tool)
+- **B404** (subprocess import): Required for tool functionality
+- **B603** (subprocess calls): Using secure pattern (shell=False, full paths)
+- **B112** (try/except/continue): Acceptable error handling pattern
+**Risk Classification:** LOW
+- No user-controlled command injection
+- No untrusted input in command execution
+- Full path resolution prevents PATH manipulation attacks
+- Standard development tool security posture
+**Recommended Usage:**
+```bash
+# Verify tool paths before execution
+pybundle doctor
+# Review what tools will be used
+pybundle doctor analysis --json
+```
+---
 ## 🧩 Why pybundle?
 pybundle is designed for:
@@ -694,7 +827,7 @@ pybundle follows **Semantic Versioning**.
 Pinned Git tags are recommended when used as a dependency:
 ```txt
-gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.1.1
+gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.3.1
 ```
 ---

{gwc_pybundle-1.1.1 → gwc_pybundle-1.4.1}/README.md RENAMED Viewed

@@ -1,4 +1,5 @@
-# 🧳 pybundle [![PyPI version](https://img.shields.io/pypi/v/gwc-pybundle.svg?color=2ea44f)](https://pypi.org/project/gwc-pybundle/)
+# 🧳 pybundle ![PyPI - Version](https://img.shields.io/pypi/v/gwc-pybundle)
 ![GitHub Release Date](https://img.shields.io/github/release-date/girls-whocode/pybundle?color=orange)
 [![Python versions](https://img.shields.io/pypi/pyversions/gwc-pybundle.svg?color=3776AB)](https://pypi.org/project/gwc-pybundle/)
@@ -124,7 +125,7 @@ pytest
 pytest-cov
 bandit
 pip-audit
-gwc-pybundle==1.1.1
+gwc-pybundle==1.3.1
 ```
 Then install:
@@ -161,7 +162,7 @@ See **Usage** for more details.
 #### From GitHub
 ```bash
-pip install "gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.1.1"
+pip install "gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.3.1"
 ```
 Pinning to a tag ensures reproducible behavior.
@@ -310,6 +311,10 @@ The `analysis` and `debug` profiles run comprehensive quality and security check
 * **ruff** - Fast Python linter and formatter checks
 * **mypy** - Static type checking for type hints
 * **pylance** - Syntax error detection and import analysis
+* **vulture** - Dead code detection (v1.3.0+)
+* **radon** - Cyclomatic complexity and maintainability metrics (v1.3.0+)
+* **interrogate** - Docstring coverage analysis (v1.3.0+)
+* **pylint duplication** - Code duplication detection (v1.3.0+)
 #### Testing & Coverage
 * **pytest** - Test execution and results
@@ -319,13 +324,31 @@ The `analysis` and `debug` profiles run comprehensive quality and security check
 * **bandit** - Security vulnerability scanning for Python code
 * **pip-audit** - Dependency vulnerability checking against known CVEs
+#### Dependency Analysis (v1.3.1+)
+* **pipdeptree** - Full dependency tree with conflict detection
+* **unused dependencies** - Identify installed but unused packages
+* **pip-licenses** - License scanning and compatibility warnings
+* **dependency sizes** - Disk usage analysis per package
+#### Performance Profiling (v1.4.0+)
+* **cProfile** - CPU profiling to identify bottlenecks
+* **import time analysis** - Detect slow module imports
+* **tracemalloc** - Memory profiling (optional, via `--profile-memory`)
+* **line_profiler** - Line-by-line profiling (optional, requires `@profile` decorators and `--enable-line-profiler`)
+#### Test Quality & Coverage Enhancement (v1.4.1+)
+* **Test flakiness detection** - Run tests multiple times to identify non-deterministic failures
+* **Branch coverage** - Enhanced coverage.py integration showing missing branches, not just lines
+* **Slow test identification** - Automatically identify and rank tests exceeding time threshold
+* **Mutation testing** - Optional mutmut integration to measure test suite effectiveness (VERY SLOW - disabled by default)
 #### Pattern Scanning
 * **ripgrep scans** - TODO detection, print statements, bare excepts
 All tools gracefully skip if not installed. Install recommended tools:
 ```bash
-pip install ruff mypy pytest pytest-cov bandit pip-audit
+pip install ruff mypy pytest pytest-cov bandit pip-audit vulture radon interrogate pylint pipdeptree pip-licenses
 ```
 For ripgrep (system dependency):
@@ -396,7 +419,6 @@ Commonly used options:
 * `--outdir PATH` - output directory (default: `<project>/artifacts`)
 * `--name NAME` - override archive name prefix
 * `--strict` - fail with non-zero exit code if any step fails
-* `--no-spinner` - disable spinner output (CI-friendly)
 * `--redact / --no-redact` - control secret redaction
 Tool execution can be selectively disabled:
@@ -484,7 +506,7 @@ When enabled, `pybundle` emits **exactly one JSON object to stdout**, with a **s
 * AI orchestration
 * reproducible analysis
-No human text, spinners, or formatting are mixed into the output.
+No human text or formatting are mixed into the output.
 ### Example
@@ -604,7 +626,118 @@ By default, pybundle:
 Use `--redact / --no-redact` to control behavior.
 ---
+## 🔒 Security Considerations
+**pybundle** is a development tool designed for trusted environments.
+### Threat Model
+* **Environment:** Development machines and CI/CD pipelines
+* **Trust Boundary:** Assumes trusted development environment
+* **Execution Context:** Runs external tools (git, ruff, mypy, pytest, etc.)
+* **Input Sources:** Project files, git repository, installed packages
+### Security Posture
+**Tool Path Resolution:**
+- All external tools use full resolved paths (via `shutil.which()`)
+- Tools are resolved at detection time and stored in `Tooling` dataclass
+- No dynamic PATH manipulation or shell interpretation
+- Eliminates partial path execution vulnerabilities (B607)
+- **Optional strict-paths mode** for enhanced security (v1.2.0+)
+- **Code quality tools** for dead code, complexity, docstrings, and duplication (v1.3.0+)
+- **Dependency intelligence** for conflict detection, license scanning, and size analysis (v1.3.1+)
+**Subprocess Execution:**
+- All subprocess calls use `shell=False` (default, secure)
+- Arguments passed as lists, never as strings
+- No user-controlled command construction
+- Commands are hardcoded in source code
+**Data Handling:**
+- Optional secret redaction for sensitive strings in logs
+- Environment variables and paths logged for reproducibility
+- All file operations respect `.gitignore` rules
+### Strict-Paths Mode (v1.2.0+)
+For high-security environments, enable `--strict-paths` to enforce that all tools must be in trusted system directories:
+```bash
+pybundle run analysis --strict-paths
+```
+**Trusted directories** (configurable via `PYBUNDLE_TRUSTED_PATHS`):
+- `/usr/bin/`, `/usr/local/bin/`, `/bin/`
+- `/opt/homebrew/bin/` (macOS Homebrew)
+- `/snap/bin/` (Ubuntu snaps)
+- Virtual environment paths (`.venv`, `venv`, `.pybundle-venv`)
+Tools outside trusted directories are excluded in strict mode. This prevents:
+- Accidental execution of tools from user-writable directories
+- PATH manipulation attacks
+- Use of potentially compromised tool installations
+**Example:** Verify tool paths before running:
+```bash
+pybundle doctor --strict-paths
+```
+Output shows trust status:
+```
+🔧 Tool Detection:
+git        ✅ /usr/bin/git
+python     ✅ /path/to/venv/bin/python
+npm        ⚠️  /home/user/.nvm/.../npm  (untrusted in strict mode)
+```
+**Configure custom trusted paths:**
+```bash
+export PYBUNDLE_TRUSTED_PATHS="/opt/custom/bin:/company/tools/bin"
+pybundle run debug --strict-paths
+```
+### Known Limitations
+1. **Requires Trusted Environment**
+   - Assumes developer controls their machine and installed tools
+   - Not designed for untrusted code execution or sandboxing
+   - Tool integrity depends on system package management
+2. **Tool Availability**
+   - External tools (git, ruff, mypy) are optional
+   - Missing tools result in SKIP status, not failure
+   - Use `pybundle doctor` to verify available tools
+3. **File System Access**
+   - Reads entire project tree (respecting ignore rules)
+   - Writes to `artifacts/` directory by default
+   - No privilege escalation or system modification
+### For Security Auditors
+**Bandit Security Scan Results:**
+- 33 low-severity findings (all expected for CLI tool)
+- **B404** (subprocess import): Required for tool functionality
+- **B603** (subprocess calls): Using secure pattern (shell=False, full paths)
+- **B112** (try/except/continue): Acceptable error handling pattern
+**Risk Classification:** LOW
+- No user-controlled command injection
+- No untrusted input in command execution
+- Full path resolution prevents PATH manipulation attacks
+- Standard development tool security posture
+**Recommended Usage:**
+```bash
+# Verify tool paths before execution
+pybundle doctor
+# Review what tools will be used
+pybundle doctor analysis --json
+```
+---
 ## 🧩 Why pybundle?
 pybundle is designed for:
@@ -645,7 +778,7 @@ pybundle follows **Semantic Versioning**.
 Pinned Git tags are recommended when used as a dependency:
 ```txt
-gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.1.1
+gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.3.1
 ```
 ---

{gwc_pybundle-1.1.1 → gwc_pybundle-1.4.1}/gwc_pybundle.egg-info/PKG-INFO RENAMED Viewed

@@ -1,8 +1,8 @@
 Metadata-Version: 2.4
 Name: gwc-pybundle
-Version: 1.1.1
+Version: 1.4.1
 Summary: Deterministic Python project context bundling for humans, automation, and AI
-Author: Jessica Brown
+Author-email: Jessica Brown <jessica@codenamejessica.com>
 License: The MIT License (MIT)
         =====================
@@ -47,7 +47,8 @@ Description-Content-Type: text/markdown
 License-File: LICENSE.md
 Dynamic: license-file
-# 🧳 pybundle [![PyPI version](https://img.shields.io/pypi/v/gwc-pybundle.svg?color=2ea44f)](https://pypi.org/project/gwc-pybundle/)
+# 🧳 pybundle ![PyPI - Version](https://img.shields.io/pypi/v/gwc-pybundle)
 ![GitHub Release Date](https://img.shields.io/github/release-date/girls-whocode/pybundle?color=orange)
 [![Python versions](https://img.shields.io/pypi/pyversions/gwc-pybundle.svg?color=3776AB)](https://pypi.org/project/gwc-pybundle/)
@@ -173,7 +174,7 @@ pytest
 pytest-cov
 bandit
 pip-audit
-gwc-pybundle==1.1.1
+gwc-pybundle==1.3.1
 ```
 Then install:
@@ -210,7 +211,7 @@ See **Usage** for more details.
 #### From GitHub
 ```bash
-pip install "gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.1.1"
+pip install "gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.3.1"
 ```
 Pinning to a tag ensures reproducible behavior.
@@ -359,6 +360,10 @@ The `analysis` and `debug` profiles run comprehensive quality and security check
 * **ruff** - Fast Python linter and formatter checks
 * **mypy** - Static type checking for type hints
 * **pylance** - Syntax error detection and import analysis
+* **vulture** - Dead code detection (v1.3.0+)
+* **radon** - Cyclomatic complexity and maintainability metrics (v1.3.0+)
+* **interrogate** - Docstring coverage analysis (v1.3.0+)
+* **pylint duplication** - Code duplication detection (v1.3.0+)
 #### Testing & Coverage
 * **pytest** - Test execution and results
@@ -368,13 +373,31 @@ The `analysis` and `debug` profiles run comprehensive quality and security check
 * **bandit** - Security vulnerability scanning for Python code
 * **pip-audit** - Dependency vulnerability checking against known CVEs
+#### Dependency Analysis (v1.3.1+)
+* **pipdeptree** - Full dependency tree with conflict detection
+* **unused dependencies** - Identify installed but unused packages
+* **pip-licenses** - License scanning and compatibility warnings
+* **dependency sizes** - Disk usage analysis per package
+#### Performance Profiling (v1.4.0+)
+* **cProfile** - CPU profiling to identify bottlenecks
+* **import time analysis** - Detect slow module imports
+* **tracemalloc** - Memory profiling (optional, via `--profile-memory`)
+* **line_profiler** - Line-by-line profiling (optional, requires `@profile` decorators and `--enable-line-profiler`)
+#### Test Quality & Coverage Enhancement (v1.4.1+)
+* **Test flakiness detection** - Run tests multiple times to identify non-deterministic failures
+* **Branch coverage** - Enhanced coverage.py integration showing missing branches, not just lines
+* **Slow test identification** - Automatically identify and rank tests exceeding time threshold
+* **Mutation testing** - Optional mutmut integration to measure test suite effectiveness (VERY SLOW - disabled by default)
 #### Pattern Scanning
 * **ripgrep scans** - TODO detection, print statements, bare excepts
 All tools gracefully skip if not installed. Install recommended tools:
 ```bash
-pip install ruff mypy pytest pytest-cov bandit pip-audit
+pip install ruff mypy pytest pytest-cov bandit pip-audit vulture radon interrogate pylint pipdeptree pip-licenses
 ```
 For ripgrep (system dependency):
@@ -445,7 +468,6 @@ Commonly used options:
 * `--outdir PATH` - output directory (default: `<project>/artifacts`)
 * `--name NAME` - override archive name prefix
 * `--strict` - fail with non-zero exit code if any step fails
-* `--no-spinner` - disable spinner output (CI-friendly)
 * `--redact / --no-redact` - control secret redaction
 Tool execution can be selectively disabled:
@@ -533,7 +555,7 @@ When enabled, `pybundle` emits **exactly one JSON object to stdout**, with a **s
 * AI orchestration
 * reproducible analysis
-No human text, spinners, or formatting are mixed into the output.
+No human text or formatting are mixed into the output.
 ### Example
@@ -653,7 +675,118 @@ By default, pybundle:
 Use `--redact / --no-redact` to control behavior.
 ---
+## 🔒 Security Considerations
+**pybundle** is a development tool designed for trusted environments.
+### Threat Model
+* **Environment:** Development machines and CI/CD pipelines
+* **Trust Boundary:** Assumes trusted development environment
+* **Execution Context:** Runs external tools (git, ruff, mypy, pytest, etc.)
+* **Input Sources:** Project files, git repository, installed packages
+### Security Posture
+**Tool Path Resolution:**
+- All external tools use full resolved paths (via `shutil.which()`)
+- Tools are resolved at detection time and stored in `Tooling` dataclass
+- No dynamic PATH manipulation or shell interpretation
+- Eliminates partial path execution vulnerabilities (B607)
+- **Optional strict-paths mode** for enhanced security (v1.2.0+)
+- **Code quality tools** for dead code, complexity, docstrings, and duplication (v1.3.0+)
+- **Dependency intelligence** for conflict detection, license scanning, and size analysis (v1.3.1+)
+**Subprocess Execution:**
+- All subprocess calls use `shell=False` (default, secure)
+- Arguments passed as lists, never as strings
+- No user-controlled command construction
+- Commands are hardcoded in source code
+**Data Handling:**
+- Optional secret redaction for sensitive strings in logs
+- Environment variables and paths logged for reproducibility
+- All file operations respect `.gitignore` rules
+### Strict-Paths Mode (v1.2.0+)
+For high-security environments, enable `--strict-paths` to enforce that all tools must be in trusted system directories:
+```bash
+pybundle run analysis --strict-paths
+```
+**Trusted directories** (configurable via `PYBUNDLE_TRUSTED_PATHS`):
+- `/usr/bin/`, `/usr/local/bin/`, `/bin/`
+- `/opt/homebrew/bin/` (macOS Homebrew)
+- `/snap/bin/` (Ubuntu snaps)
+- Virtual environment paths (`.venv`, `venv`, `.pybundle-venv`)
+Tools outside trusted directories are excluded in strict mode. This prevents:
+- Accidental execution of tools from user-writable directories
+- PATH manipulation attacks
+- Use of potentially compromised tool installations
+**Example:** Verify tool paths before running:
+```bash
+pybundle doctor --strict-paths
+```
+Output shows trust status:
+```
+🔧 Tool Detection:
+git        ✅ /usr/bin/git
+python     ✅ /path/to/venv/bin/python
+npm        ⚠️  /home/user/.nvm/.../npm  (untrusted in strict mode)
+```
+**Configure custom trusted paths:**
+```bash
+export PYBUNDLE_TRUSTED_PATHS="/opt/custom/bin:/company/tools/bin"
+pybundle run debug --strict-paths
+```
+### Known Limitations
+1. **Requires Trusted Environment**
+   - Assumes developer controls their machine and installed tools
+   - Not designed for untrusted code execution or sandboxing
+   - Tool integrity depends on system package management
+2. **Tool Availability**
+   - External tools (git, ruff, mypy) are optional
+   - Missing tools result in SKIP status, not failure
+   - Use `pybundle doctor` to verify available tools
+3. **File System Access**
+   - Reads entire project tree (respecting ignore rules)
+   - Writes to `artifacts/` directory by default
+   - No privilege escalation or system modification
+### For Security Auditors
+**Bandit Security Scan Results:**
+- 33 low-severity findings (all expected for CLI tool)
+- **B404** (subprocess import): Required for tool functionality
+- **B603** (subprocess calls): Using secure pattern (shell=False, full paths)
+- **B112** (try/except/continue): Acceptable error handling pattern
+**Risk Classification:** LOW
+- No user-controlled command injection
+- No untrusted input in command execution
+- Full path resolution prevents PATH manipulation attacks
+- Standard development tool security posture
+**Recommended Usage:**
+```bash
+# Verify tool paths before execution
+pybundle doctor
+# Review what tools will be used
+pybundle doctor analysis --json
+```
+---
 ## 🧩 Why pybundle?
 pybundle is designed for:
@@ -694,7 +827,7 @@ pybundle follows **Semantic Versioning**.
 Pinned Git tags are recommended when used as a dependency:
 ```txt
-gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.1.1
+gwc-pybundle @ git+https://github.com/girls-whocode/pybundle.git@v1.3.1
 ```
 ---

{gwc_pybundle-1.1.1 → gwc_pybundle-1.4.1}/gwc_pybundle.egg-info/SOURCES.txt RENAMED Viewed

@@ -28,15 +28,30 @@ pybundle/steps/compileall.py
 pybundle/steps/context_expand.py
 pybundle/steps/copy_pack.py
 pybundle/steps/coverage.py
+pybundle/steps/cprofile_step.py
+pybundle/steps/dependency_sizes.py
+pybundle/steps/duplication.py
 pybundle/steps/error_refs.py
 pybundle/steps/handoff_md.py
+pybundle/steps/import_time.py
+pybundle/steps/interrogate.py
+pybundle/steps/license_scan.py
+pybundle/steps/line_profiler.py
+pybundle/steps/memory_profile.py
+pybundle/steps/mutation_testing.py
 pybundle/steps/mypy.py
 pybundle/steps/pip_audit.py
+pybundle/steps/pipdeptree.py
 pybundle/steps/pylance.py
 pybundle/steps/pytest.py
+pybundle/steps/radon.py
 pybundle/steps/repro_md.py
 pybundle/steps/rg_scans.py
 pybundle/steps/roadmap.py
 pybundle/steps/ruff.py
 pybundle/steps/shell.py
-pybundle/steps/tree.py
+pybundle/steps/slow_tests.py
+pybundle/steps/test_flakiness.py
+pybundle/steps/tree.py
+pybundle/steps/unused_deps.py
+pybundle/steps/vulture.py

gwc-pybundle 1.1.1__tar.gz → 1.4.1__tar.gz

Potentially problematic release.

gwc-pybundle 1.1.1tar.gz → 1.4.1tar.gz