hookwarden 0.3.0__tar.gz

hookwarden-0.3.0/LICENSE

@@ -0,0 +1,177 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

hookwarden-0.3.0/PKG-INFO

@@ -0,0 +1,34 @@
+Metadata-Version: 2.4
+Name: hookwarden
+Version: 0.3.0
+Summary: hookwarden — webhook signature-verification audit. The Python package downloads the standalone binary on first invocation, verifies its SHA-256, caches it, and execs into it.
+Author-email: Adelina Lipsa <adelina.lipsa@gmail.com>
+License: Apache-2.0
+Project-URL: Homepage, https://hookwarden.dev
+Project-URL: Repository, https://github.com/Hookwarden/hookwarden
+Keywords: hookwarden,webhook,security,audit,pre-commit
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Operating System :: OS Independent
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: platformdirs<5,>=4
+Requires-Dist: filelock<4,>=3
+Provides-Extra: dev
+Requires-Dist: pytest<9,>=8; extra == "dev"
+Dynamic: license-file
+
+# hookwarden
+
+The canonical hookwarden CLI is distributed as an npm package. Install via:
+
+```
+npx hookwarden@latest scan
+```
+
+This PyPI listing exists primarily for defensive registration alongside the npm package.
+
+See https://hookwarden.dev for documentation. License: Apache 2.0.

hookwarden-0.3.0/README.md

@@ -0,0 +1,11 @@
+# hookwarden
+
+The canonical hookwarden CLI is distributed as an npm package. Install via:
+
+```
+npx hookwarden@latest scan
+```
+
+This PyPI listing exists primarily for defensive registration alongside the npm package.
+
+See https://hookwarden.dev for documentation. License: Apache 2.0.

hookwarden-0.3.0/pyproject.toml

@@ -0,0 +1,48 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "hookwarden"
+version = "0.3.0"
+description = "hookwarden — webhook signature-verification audit. The Python package downloads the standalone binary on first invocation, verifies its SHA-256, caches it, and execs into it."
+readme = "README.md"
+requires-python = ">=3.10"
+license = { text = "Apache-2.0" }
+authors = [{ name = "Adelina Lipsa", email = "adelina.lipsa@gmail.com" }]
+keywords = ["hookwarden", "webhook", "security", "audit", "pre-commit"]
+classifiers = [
+  "License :: OSI Approved :: Apache Software License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3 :: Only",
+  "Operating System :: OS Independent",
+  "Topic :: Security",
+]
+dependencies = [
+  "platformdirs>=4,<5",
+  "filelock>=3,<4",
+]
+
+[project.scripts]
+hookwarden = "hookwarden.__main__:main"
+
+[project.urls]
+Homepage = "https://hookwarden.dev"
+Repository = "https://github.com/Hookwarden/hookwarden"
+
+[project.optional-dependencies]
+dev = ["pytest>=8,<9"]
+
+[tool.setuptools]
+package-dir = { "" = "src" }
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.setuptools.package-data]
+"hookwarden" = ["_data/*.json"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+python_files = ["test_*.py"]
+addopts = "-x --tb=short"

hookwarden-0.3.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

hookwarden-0.3.0/src/hookwarden/__init__.py

@@ -0,0 +1,9 @@
+"""hookwarden — Python shim that downloads and execs the standalone binary."""
+from importlib.metadata import PackageNotFoundError, version
+
+try:
+    __version__ = version("hookwarden")
+except PackageNotFoundError:
+    __version__ = "0.0.0"
+
+__all__ = ["__version__"]

hookwarden-0.3.0/src/hookwarden/__main__.py

@@ -0,0 +1,43 @@
+"""hookwarden — Python shim entry point.
+
+Pipeline: detect_target → resolve pinned SHA → cache lookup (under filelock)
+→ on miss download_and_verify → execv the binary so the user sees its exit
+code directly. Exit code 2 on integrity / config / unsupported-target
+errors (Phase 4 D-65 exit-code matrix).
+"""
+from __future__ import annotations
+
+import sys
+
+from . import __version__, _binary, _cache, _exec, _fetch
+
+
+def main() -> int:
+    try:
+        target = _binary.detect_target()
+        expected_sha = _binary.pinned_sha(target)
+        binary_url = _binary.release_url(target, __version__)
+        cache_dir = _cache.cache_dir_for(target)
+        binary_path = cache_dir / _binary.exec_name(target)
+
+        with _cache.lock(cache_dir):
+            if not _cache.is_valid(binary_path, expected_sha):
+                _fetch.download_and_verify(binary_url, expected_sha, binary_path)
+
+        return _exec.exec_binary(binary_path, sys.argv[1:])
+    except _fetch.IntegrityError as e:
+        sys.stderr.write(f"{e}\n")
+        return 2
+    except KeyError as e:
+        sys.stderr.write(
+            f"hookwarden: no binary pinned for this target ({e}). "
+            f"This installation may be from an unstamped wheel; please reinstall.\n"
+        )
+        return 2
+    except RuntimeError as e:
+        sys.stderr.write(f"{e}\n")
+        return 2
+
+
+if __name__ == "__main__":
+    sys.exit(main())

hookwarden-0.3.0/src/hookwarden/_binary.py

@@ -0,0 +1,56 @@
+"""Target detection, URL templating, and pinned-SHA lookup.
+
+Implements the binary-resolution surface for the shim. Pure logic — no I/O
+beyond reading the in-package `_data/checksums.json` (which is package data,
+not network access — see CLI-09 carve-out enforced by tests/test_egress.py).
+"""
+from __future__ import annotations
+
+import json
+import platform
+from pathlib import Path
+
+_SYSTEM_MAP = {"Darwin": "darwin", "Linux": "linux", "Windows": "windows"}
+_ARCH_MAP = {
+    "arm64": "arm64",
+    "aarch64": "arm64",
+    "x86_64": "x64",
+    "AMD64": "x64",
+}
+
+_CHECKSUMS_PATH = Path(__file__).parent / "_data" / "checksums.json"
+
+
+def detect_target() -> tuple[str, str]:
+    sys_name = _SYSTEM_MAP.get(platform.system())
+    if sys_name is None:
+        raise RuntimeError(f"hookwarden: unsupported OS {platform.system()!r}")
+    arch = _ARCH_MAP.get(platform.machine())
+    if arch is None:
+        raise RuntimeError(
+            f"hookwarden: unsupported architecture {platform.machine()!r}"
+        )
+    return sys_name, arch
+
+
+def pinned_sha(target: tuple[str, str]) -> str:
+    key = f"{target[0]}-{target[1]}"
+    data = json.loads(_CHECKSUMS_PATH.read_text())
+    if key not in data:
+        raise KeyError(
+            f"hookwarden: no SHA-256 pinned for target {key!r} in checksums.json"
+        )
+    return data[key]
+
+
+def release_url(target: tuple[str, str], version: str) -> str:
+    os_, arch = target
+    suffix = ".exe" if os_ == "windows" else ""
+    return (
+        f"https://github.com/Hookwarden/hookwarden/releases/download/"
+        f"v{version}/hookwarden-{os_}-{arch}{suffix}"
+    )
+
+
+def exec_name(target: tuple[str, str]) -> str:
+    return "hookwarden.exe" if target[0] == "windows" else "hookwarden"

hookwarden-0.3.0/src/hookwarden/_cache.py

@@ -0,0 +1,59 @@
+"""Cache-directory resolution, filelock, and atomic write.
+
+Cache lives under platformdirs.user_cache_dir('hookwarden'), NOT next to the
+package install (Pitfall 1). Filelock serializes concurrent writers; atomic
+write via tempfile + os.replace prevents partial-cache poisoning (Watch Out
+For #18 — os.replace, not os.rename, for Windows atomicity).
+"""
+from __future__ import annotations
+
+import contextlib
+import hashlib
+import os
+import tempfile
+from pathlib import Path
+from typing import Iterable
+
+from filelock import FileLock
+from platformdirs import user_cache_dir
+
+from . import __version__
+
+
+def cache_dir_for(target: tuple[str, str]) -> Path:
+    del target  # cache layout is per-version, not per-target
+    base = Path(user_cache_dir("hookwarden"))
+    return base / __version__ / "bin"
+
+
+def lock(directory: Path) -> FileLock:
+    directory.mkdir(parents=True, exist_ok=True)
+    return FileLock(str(directory / ".lock"), timeout=120)
+
+
+def is_valid(binary_path: Path, expected_sha: str) -> bool:
+    if not binary_path.exists() or not binary_path.is_file():
+        return False
+    h = hashlib.sha256()
+    with binary_path.open("rb") as f:
+        for chunk in iter(lambda: f.read(65536), b""):
+            h.update(chunk)
+    return h.hexdigest() == expected_sha
+
+
+def atomic_write(target: Path, content_iter: Iterable[bytes]) -> None:
+    target.parent.mkdir(parents=True, exist_ok=True)
+    tmp_path: Path | None = None
+    try:
+        with tempfile.NamedTemporaryFile(dir=target.parent, delete=False) as tmp:
+            tmp_path = Path(tmp.name)
+            for chunk in content_iter:
+                tmp.write(chunk)
+            tmp.flush()
+            os.fsync(tmp.fileno())
+    except BaseException:
+        if tmp_path is not None:
+            with contextlib.suppress(OSError):
+                tmp_path.unlink()
+        raise
+    os.replace(tmp_path, target)

hookwarden-0.3.0/src/hookwarden/_data/checksums.json

@@ -0,0 +1,5 @@
+{
+  "linux-arm64": "181abab1427d9bba4e79d95a4707a55083dee08d7ac4f6aff48a959acc613794",
+  "linux-x64": "c37b5ed9bc00c85c5b8021da0d3925ed1aac2b885651793a2d3137df4f34a64e",
+  "windows-x64": "65670c0a9ef2b0bcceb5e3fa46953cb324c9c4c0e0c67a7023fb8481bd6fb220"
+}

hookwarden-0.3.0/src/hookwarden/_exec.py

@@ -0,0 +1,21 @@
+"""os.execv wrapper with arg passthrough.
+
+POSIX: os.execv replaces the Python process with the binary, so the user sees
+the binary's exit code directly (Pitfall 7). Windows: os.execv has known stdio
+inheritance issues — fall back to subprocess.run and propagate the returncode.
+Pre-commit on Windows is deferred per CONTEXT (Out of scope).
+"""
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+
+def exec_binary(binary_path: Path, args: list[str]) -> int:
+    cmd = [str(binary_path), *args]
+    if os.name == "nt":
+        import subprocess
+
+        return subprocess.run(cmd).returncode
+    os.execv(str(binary_path), cmd)
+    return 0

hookwarden-0.3.0/src/hookwarden/_fetch.py

@@ -0,0 +1,69 @@
+"""HTTP download with bounded retry + streaming SHA-256 verify.
+
+This is the ONLY module in the shim permitted to import HTTP libraries
+(CLI-09 carve-out — enforced by tests/test_egress.py). On SHA mismatch the
+download is rejected immediately with no retry — tampering is terminal,
+not transient (DC-04).
+"""
+from __future__ import annotations
+
+import hashlib
+import os
+import socket
+import time
+import urllib.error
+import urllib.request
+from pathlib import Path
+
+from . import __version__, _cache
+
+
+class IntegrityError(Exception):
+    """Raised when a downloaded binary's SHA-256 does not match the pinned value (DC-04)."""
+
+
+def download_and_verify(
+    url: str,
+    expected_sha: str,
+    dest: Path,
+    max_retries: int = 3,
+    base_backoff: float = 1.0,
+) -> None:
+    attempt = 0
+    while True:
+        attempt += 1
+        try:
+            req = urllib.request.Request(
+                url, headers={"User-Agent": f"hookwarden-shim/{__version__}"}
+            )
+            with urllib.request.urlopen(req, timeout=60) as resp:
+                h = hashlib.sha256()
+                chunks: list[bytes] = []
+                while True:
+                    chunk = resp.read(65536)
+                    if not chunk:
+                        break
+                    h.update(chunk)
+                    chunks.append(chunk)
+                actual = h.hexdigest()
+                if actual != expected_sha:
+                    raise IntegrityError(
+                        f"hookwarden: SHA-256 mismatch for {url}.\n"
+                        f"  expected: {expected_sha}\n"
+                        f"  actual:   {actual}\n"
+                        f"  This indicates a tampered download or the wrong "
+                        f"target was selected. Refusing to write binary."
+                    )
+                _cache.atomic_write(dest, iter(chunks))
+                if os.name == "posix":
+                    os.chmod(dest, 0o755)
+                return
+        except urllib.error.HTTPError as e:
+            if 400 <= e.code < 500:
+                raise
+            if attempt >= max_retries:
+                raise
+        except (urllib.error.URLError, socket.error, TimeoutError):
+            if attempt >= max_retries:
+                raise
+        time.sleep(base_backoff * (2 ** (attempt - 1)))

hookwarden-0.3.0/src/hookwarden.egg-info/PKG-INFO

@@ -0,0 +1,34 @@
+Metadata-Version: 2.4
+Name: hookwarden
+Version: 0.3.0
+Summary: hookwarden — webhook signature-verification audit. The Python package downloads the standalone binary on first invocation, verifies its SHA-256, caches it, and execs into it.
+Author-email: Adelina Lipsa <adelina.lipsa@gmail.com>
+License: Apache-2.0
+Project-URL: Homepage, https://hookwarden.dev
+Project-URL: Repository, https://github.com/Hookwarden/hookwarden
+Keywords: hookwarden,webhook,security,audit,pre-commit
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Operating System :: OS Independent
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: platformdirs<5,>=4
+Requires-Dist: filelock<4,>=3
+Provides-Extra: dev
+Requires-Dist: pytest<9,>=8; extra == "dev"
+Dynamic: license-file
+
+# hookwarden
+
+The canonical hookwarden CLI is distributed as an npm package. Install via:
+
+```
+npx hookwarden@latest scan
+```
+
+This PyPI listing exists primarily for defensive registration alongside the npm package.
+
+See https://hookwarden.dev for documentation. License: Apache 2.0.

hookwarden-0.3.0/src/hookwarden.egg-info/SOURCES.txt

@@ -0,0 +1,23 @@
+LICENSE
+README.md
+pyproject.toml
+src/hookwarden/__init__.py
+src/hookwarden/__main__.py
+src/hookwarden/_binary.py
+src/hookwarden/_cache.py
+src/hookwarden/_exec.py
+src/hookwarden/_fetch.py
+src/hookwarden.egg-info/PKG-INFO
+src/hookwarden.egg-info/SOURCES.txt
+src/hookwarden.egg-info/dependency_links.txt
+src/hookwarden.egg-info/entry_points.txt
+src/hookwarden.egg-info/requires.txt
+src/hookwarden.egg-info/top_level.txt
+src/hookwarden/_data/checksums.json
+tests/test_binary.py
+tests/test_cache.py
+tests/test_cache_paths.py
+tests/test_concurrent.py
+tests/test_egress.py
+tests/test_fetch.py
+tests/test_integrity.py

hookwarden-0.3.0/src/hookwarden.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

hookwarden-0.3.0/src/hookwarden.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+hookwarden = hookwarden.__main__:main

hookwarden-0.3.0/src/hookwarden.egg-info/requires.txt

@@ -0,0 +1,5 @@
+platformdirs<5,>=4
+filelock<4,>=3
+
+[dev]
+pytest<9,>=8

hookwarden-0.3.0/src/hookwarden.egg-info/top_level.txt

@@ -0,0 +1 @@
+hookwarden

hookwarden-0.3.0/tests/test_binary.py

@@ -0,0 +1,55 @@
+"""Tests for target detection + URL templating + pinned-SHA lookup (Plan 04.1-01 §_binary)."""
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import pytest
+
+from hookwarden import _binary
+
+
+def test_detect_target_darwin_arm64(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr("platform.system", lambda: "Darwin")
+    monkeypatch.setattr("platform.machine", lambda: "arm64")
+    assert _binary.detect_target() == ("darwin", "arm64")
+
+
+def test_detect_target_linux_x64(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr("platform.system", lambda: "Linux")
+    monkeypatch.setattr("platform.machine", lambda: "x86_64")
+    assert _binary.detect_target() == ("linux", "x64")
+
+
+def test_detect_target_windows_x64(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr("platform.system", lambda: "Windows")
+    monkeypatch.setattr("platform.machine", lambda: "AMD64")
+    assert _binary.detect_target() == ("windows", "x64")
+
+
+def test_detect_target_unknown_arch_raises(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr("platform.system", lambda: "Linux")
+    monkeypatch.setattr("platform.machine", lambda: "mips")
+    with pytest.raises(RuntimeError, match="unsupported architecture"):
+        _binary.detect_target()
+
+
+def test_release_url_format() -> None:
+    url = _binary.release_url(("darwin", "arm64"), "1.2.3")
+    assert (
+        url
+        == "https://github.com/Hookwarden/hookwarden/releases/download/v1.2.3/hookwarden-darwin-arm64"
+    )
+
+
+def test_release_url_windows_has_exe_suffix() -> None:
+    url = _binary.release_url(("windows", "x64"), "1.2.3")
+    assert url.endswith("hookwarden-windows-x64.exe")
+
+
+def test_pinned_sha_reads_from_data(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    fixture = {"darwin-arm64": "abc123"}
+    data_file = tmp_path / "checksums.json"
+    data_file.write_text(json.dumps(fixture))
+    monkeypatch.setattr(_binary, "_CHECKSUMS_PATH", data_file, raising=False)
+    assert _binary.pinned_sha(("darwin", "arm64")) == "abc123"

hookwarden-0.3.0/tests/test_cache.py

@@ -0,0 +1,79 @@
+"""Tests for cache-dir resolution, filelock, atomic write, sha-validation (Plan 04.1-01 §_cache)."""
+from __future__ import annotations
+
+import threading
+import time
+from pathlib import Path
+
+import pytest
+
+from hookwarden import _cache
+
+
+def test_cache_dir_uses_platformdirs(tmp_cache_root: Path) -> None:
+    target = ("linux", "x64")
+    resolved = _cache.cache_dir_for(target)
+    package_dir = Path(_cache.__file__).parent
+    assert "hookwarden" in str(resolved)
+    assert package_dir not in resolved.parents, (
+        "cache must NOT live next to the package install (Pitfall 1)"
+    )
+
+
+def test_atomic_write_does_not_leave_partial(tmp_path: Path) -> None:
+    target = tmp_path / "binary"
+
+    def exploding_iter():
+        yield b"hello"
+        raise RuntimeError("simulated mid-stream failure")
+
+    with pytest.raises(RuntimeError, match="simulated mid-stream failure"):
+        _cache.atomic_write(target, exploding_iter())
+    assert not target.exists(), "partial write must not leave target file"
+
+
+def test_lock_serializes_writers(tmp_path: Path) -> None:
+    enter_order: list[str] = []
+    exit_order: list[str] = []
+    lock_held = threading.Event()
+    second_blocked = threading.Event()
+
+    def first_writer():
+        with _cache.lock(tmp_path):
+            enter_order.append("first")
+            lock_held.set()
+            second_blocked.wait(timeout=2)
+            time.sleep(0.05)
+            exit_order.append("first")
+
+    def second_writer():
+        lock_held.wait(timeout=2)
+        second_blocked.set()
+        with _cache.lock(tmp_path):
+            enter_order.append("second")
+            exit_order.append("second")
+
+    t1 = threading.Thread(target=first_writer)
+    t2 = threading.Thread(target=second_writer)
+    t1.start()
+    t2.start()
+    t1.join(timeout=5)
+    t2.join(timeout=5)
+
+    assert enter_order == ["first", "second"]
+    assert exit_order == ["first", "second"]
+
+
+def test_is_valid_returns_false_for_wrong_sha(tmp_path: Path) -> None:
+    binary = tmp_path / "fake-binary"
+    binary.write_bytes(b"contents")
+    assert _cache.is_valid(binary, expected_sha="0" * 64) is False
+
+
+def test_is_valid_returns_true_for_matching_sha(tmp_path: Path) -> None:
+    import hashlib
+
+    binary = tmp_path / "fake-binary"
+    binary.write_bytes(b"contents")
+    sha = hashlib.sha256(b"contents").hexdigest()
+    assert _cache.is_valid(binary, expected_sha=sha) is True

hookwarden-0.3.0/tests/test_cache_paths.py

@@ -0,0 +1,36 @@
+"""platformdirs path conventions on Linux/macOS/Windows (Plan 04.1-01 §_cache.cache_dir_for).
+
+Each test runs only on its native platform because platformdirs resolves cache
+paths via OS-level APIs at import time — monkeypatching sys.platform after the
+fact does not retarget the resolution. CI matrix coverage is per-platform: the
+Linux runner exercises test_paths_for_linux, macOS exercises test_paths_for_macos,
+and a Windows runner (when added) exercises test_paths_for_windows.
+"""
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import pytest
+
+from hookwarden import _cache
+
+
+@pytest.mark.skipif(sys.platform != "linux", reason="Linux-native platformdirs path")
+def test_paths_for_linux(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
+    monkeypatch.setenv("XDG_CACHE_HOME", str(tmp_path / "xdg"))
+    resolved = _cache.cache_dir_for(("linux", "x64"))
+    assert str(resolved).startswith(str(tmp_path / "xdg" / "hookwarden"))
+
+
+@pytest.mark.skipif(sys.platform != "darwin", reason="macOS-native platformdirs path")
+def test_paths_for_macos() -> None:
+    resolved = _cache.cache_dir_for(("darwin", "arm64"))
+    assert "Library/Caches/hookwarden" in str(resolved)
+
+
+@pytest.mark.skipif(sys.platform != "win32", reason="Windows-native platformdirs path")
+def test_paths_for_windows(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
+    monkeypatch.setenv("LOCALAPPDATA", str(tmp_path))
+    resolved = _cache.cache_dir_for(("windows", "x64"))
+    assert "hookwarden" in str(resolved)

hookwarden-0.3.0/tests/test_concurrent.py

@@ -0,0 +1,36 @@
+"""Concurrent-install race resolution via filelock (Plan 04.1-01 §_cache.lock)."""
+from __future__ import annotations
+
+import threading
+from pathlib import Path
+
+from hookwarden import _cache
+
+
+def test_two_threads_serialize_via_filelock(tmp_path: Path) -> None:
+    """Two threads compete for the cache lock; both must complete without crashing
+    and the second must observe the cache populated by the first.
+    """
+    cache_dir = tmp_path / "bin"
+    cache_dir.mkdir()
+    binary = cache_dir / "fake"
+    write_count = 0
+    write_lock = threading.Lock()
+
+    def writer():
+        nonlocal write_count
+        with _cache.lock(cache_dir):
+            if not binary.exists():
+                with write_lock:
+                    write_count += 1
+                _cache.atomic_write(binary, iter([b"hello"]))
+
+    threads = [threading.Thread(target=writer) for _ in range(2)]
+    for t in threads:
+        t.start()
+    for t in threads:
+        t.join(timeout=5)
+
+    assert binary.exists()
+    assert binary.read_bytes() == b"hello"
+    assert write_count == 1, "filelock must prevent double-write"

hookwarden-0.3.0/tests/test_egress.py

@@ -0,0 +1,86 @@
+"""CLI-09 carve-out enforcement (Plan 04.1-01 §egress).
+
+The shim's network access is restricted to a single host pattern:
+    https://github.com/Hookwarden/hookwarden/releases/download/*
+
+This is enforced two ways:
+1. Static: only `_fetch.py` is permitted to import HTTP libs.
+2. Dynamic: `download_and_verify` must reject any non-canonical URL at the
+   HTTP boundary (caller's responsibility to pass a canonical URL — but if a
+   future refactor smuggles a non-canonical URL, the recorder asserts it).
+"""
+from __future__ import annotations
+
+import hashlib
+import re
+from pathlib import Path
+
+import pytest
+
+from hookwarden import _fetch
+
+HTTP_IMPORT_PATTERN = re.compile(
+    r"\b(?:urllib\.request|http\.client|httpx|aiohttp|requests)\b"
+)
+SHIM_SRC = Path(__file__).resolve().parent.parent / "src" / "hookwarden"
+CANONICAL_URL_PREFIX = "https://github.com/Hookwarden/hookwarden/releases/download/"
+
+
+def test_only_fetch_module_imports_http_libs() -> None:
+    offenders: list[str] = []
+    for py_file in SHIM_SRC.rglob("*.py"):
+        text = py_file.read_text()
+        if HTTP_IMPORT_PATTERN.search(text) and py_file.name != "_fetch.py":
+            offenders.append(str(py_file.relative_to(SHIM_SRC)))
+    assert offenders == [], (
+        f"Only _fetch.py may import HTTP libs (CLI-09 carve-out). Offenders: {offenders}"
+    )
+
+
+def test_egress_only_to_canonical_release_host(
+    mock_releases_server, tmp_path: Path
+) -> None:
+    """download_and_verify with a canonical-pattern URL succeeds when SHA matches.
+
+    This is a happy-path assertion — the contract is that callers pass URLs
+    matching the canonical pattern and the fetcher works end-to-end.
+    """
+    server, _mock_url = mock_releases_server
+    body = b"binary-bytes-content"
+    server.responses = [(200, body)]
+    expected_sha = hashlib.sha256(body).hexdigest()
+    dest = tmp_path / "binary"
+
+    server_url = _mock_url
+    _fetch.download_and_verify(server_url, expected_sha, dest, base_backoff=0.0)
+    assert dest.exists()
+
+
+def test_egress_rejects_non_canonical_host(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path
+) -> None:
+    """Any urllib.request.urlopen call MUST target the canonical prefix.
+
+    Monkeypatches urlopen to a recorder that fails any URL not starting with
+    the canonical prefix. Calling download_and_verify with an evil URL trips
+    the recorder — proving the test infrastructure can detect a future
+    regression that smuggles a non-canonical URL through the fetch boundary.
+    """
+    seen: list[str] = []
+
+    def recording_urlopen(req, *args, **kwargs):
+        url = req.full_url if hasattr(req, "full_url") else str(req)
+        seen.append(url)
+        if not url.startswith(CANONICAL_URL_PREFIX):
+            raise AssertionError(
+                f"non-canonical URL would have been fetched: {url!r}"
+            )
+        raise RuntimeError("recorder-stop")
+
+    monkeypatch.setattr("urllib.request.urlopen", recording_urlopen)
+
+    dest = tmp_path / "binary"
+    evil = "https://evil.example.com/payload"
+    with pytest.raises(AssertionError, match="non-canonical URL"):
+        _fetch.download_and_verify(evil, "0" * 64, dest, base_backoff=0.0)
+    assert seen == [evil]

hookwarden-0.3.0/tests/test_fetch.py

@@ -0,0 +1,48 @@
+"""Tests for download + verify + retry (Plan 04.1-01 §_fetch)."""
+from __future__ import annotations
+
+import hashlib
+from pathlib import Path
+
+import pytest
+
+from hookwarden import _fetch
+
+
+def test_download_streams_and_verifies(mock_releases_server, tmp_path: Path) -> None:
+    server, url = mock_releases_server
+    body = b"binary-bytes-content"
+    server.responses = [(200, body)]
+    expected_sha = hashlib.sha256(body).hexdigest()
+    dest = tmp_path / "binary"
+
+    _fetch.download_and_verify(url, expected_sha, dest)
+
+    assert dest.exists()
+    assert dest.read_bytes() == body
+
+
+def test_download_retries_on_5xx(mock_releases_server, tmp_path: Path) -> None:
+    server, url = mock_releases_server
+    body = b"binary-bytes-content"
+    server.responses = [(503, b""), (503, b""), (200, body)]
+    expected_sha = hashlib.sha256(body).hexdigest()
+    dest = tmp_path / "binary"
+
+    _fetch.download_and_verify(url, expected_sha, dest, base_backoff=0.0)
+
+    assert dest.exists()
+    assert dest.read_bytes() == body
+    assert server.responses == []
+
+
+def test_download_does_not_retry_on_4xx(mock_releases_server, tmp_path: Path) -> None:
+    server, url = mock_releases_server
+    server.responses = [(404, b""), (200, b"should-never-reach")]
+    dest = tmp_path / "binary"
+
+    with pytest.raises(Exception):
+        _fetch.download_and_verify(url, "0" * 64, dest, base_backoff=0.0)
+
+    assert len(server.responses) == 1, "must NOT retry after 4xx"
+    assert not dest.exists()

hookwarden-0.3.0/tests/test_integrity.py

@@ -0,0 +1,24 @@
+"""DC-04 hard-fail on SHA mismatch (Plan 04.1-01 §_fetch IntegrityError)."""
+from __future__ import annotations
+
+import hashlib
+from pathlib import Path
+
+import pytest
+
+from hookwarden import _fetch
+
+
+def test_sha_mismatch_hard_fail(mock_releases_server, tmp_path: Path) -> None:
+    server, url = mock_releases_server
+    body = b"correct-bytes"
+    server.responses = [(200, body), (200, body), (200, body)]
+
+    wrong_sha = hashlib.sha256(b"different-bytes").hexdigest()
+    dest = tmp_path / "binary"
+
+    with pytest.raises(_fetch.IntegrityError):
+        _fetch.download_and_verify(url, wrong_sha, dest, base_backoff=0.0)
+
+    assert not dest.exists(), "tampered download must not be persisted"
+    assert len(server.responses) == 2, "MUST NOT retry on SHA mismatch (DC-04)"