PyPI - messagefoundry - Versions diffs - 0.1.0__tar.gz → 0.2.0__tar.gz - Mend

messagefoundry 0.1.0tar.gz → 0.2.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (711) hide show

messagefoundry-0.2.0/.dockerignore ADDED Viewed

@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (C) 2026 MessageFoundry Organization and contributors
+#
+# Keep the engine image build context small and free of anything sensitive. docker/Dockerfile COPYs
+# only: pyproject.toml, README.md, LICENSE, NOTICE, messagefoundry/, and docker/locks/. Everything
+# else is excluded so it can never end up in an image layer (PHI, secrets, the console, dev tooling).
+# VCS / editor / caches
+**/.git
+**/.gitignore
+**/.venv
+**/__pycache__
+**/*.pyc
+**/.pytest_cache
+**/.mypy_cache
+**/.ruff_cache
+**/.DS_Store
+# Local stores / logs / secrets — never in an image
+*.db
+*.db-wal
+*.db-shm
+*.log
+*.env
+.env
+**/*.pem
+**/*.key
+# Not needed in the engine image (console is host-side; tests/docs/samples/harness are not shipped)
+.claude/
+.github/
+docs/
+tests/
+harness/
+samples/
+scripts/
+environments/
+ide/
+node_modules/
+migration-local/
+out/
+# The console package is GUI-only and must not be baked into the headless engine image. (The wheel
+# build needs the rest of messagefoundry/, so only the console subpackage is excluded.)
+messagefoundry/console/

{messagefoundry-0.1.0 → messagefoundry-0.2.0}/.github/SECURITY.md RENAMED Viewed

@@ -40,6 +40,35 @@ window to ship a fix before any public detail, and we publish details (and credi
 a fix is available**. We'll keep you updated on progress and agree the disclosure timing with you.
 These windows trace to the project's Secure Development Standards (§4.4 RV.2, Appendix A.5).
+## Dependency (third-party) vulnerabilities
+The table above is for vulnerabilities in **MessageFoundry's own code**, clocked from our triage. A
+vulnerability in a **third-party dependency** is a different clock and a different priority signal, so
+it has its own targets (this is deliberately distinct — the dependency fast lane below is ≤72h, which
+is *not* a contradiction of the ≤7-day own-code window above):
+- **Clock starts at upstream-fix availability**, not our triage — we generally cannot patch someone
+  else's library, so the SLA measures how fast we adopt the fix once it exists.
+- **Exploitation pressure sets priority, not CVSS alone.** We triage **KEV-first** (on CISA's
+  Known-Exploited-Vulnerabilities list → patch now), then **EPSS** (≥ 0.7 = imminent), with **CVSS only
+  as a tiebreaker**, and we weigh **reachability** (is the package installed in a shipped profile, wired
+  into a running graph, and egress-reachable? — see
+  [`docs/security/SOUP-DEPENDENCY-HANDLING.md`](../docs/security/SOUP-DEPENDENCY-HANDLING.md)).
+| Class | Trigger | Target (from upstream-fix availability) |
+|---|---|---|
+| **Tier-0 fast lane** | CISA **KEV** *or* **EPSS ≥ 0.7**, and reachable in a shipped profile | **≤ 72 hours** |
+| Critical | CVSS critical, reachable | ≤ 14 days |
+| High | CVSS high, reachable | ≤ 30 days |
+| Medium | CVSS medium | ≤ 60–90 days |
+| Low / unreachable | — | Best-effort; recorded with rationale |
+**No upstream fix yet?** We apply a documented **compensating control** — pin the transitive dep out,
+leave the affected extra uninstalled, or tighten the egress allow-list — and track to the fix. Detection
+feeds this lane automatically: blocking `pip-audit`/`npm-audit` against the hash-locked tree, a **daily**
+`security.yml` cron (a CVE against an unchanged pin is caught in ~24h), and grouped Dependabot security
+PRs. The step-by-step response is [`docs/security/DEP-CVE-RUNBOOK.md`](../docs/security/DEP-CVE-RUNBOOK.md).
 ## Scope notes
 - The engine binds `127.0.0.1` by default and requires authentication; the documented threat

messagefoundry-0.2.0/.github/dependabot.yml ADDED Viewed

@@ -0,0 +1,54 @@
+# Dependabot: surface vulnerable / outdated dependencies and CI actions as PRs (CI-1 / DEP-1).
+# Until a committed lockfile lands, this is the primary signal for a known-CVE dependency.
+version: 2
+updates:
+  # Python deps via the native "uv" ecosystem (was "pip"). The uv ecosystem resolves against
+  # pyproject.toml + uv.lock and REGENERATES uv.lock IN its PRs (version updates GA 2025-03,
+  # security updates GA 2025-12) — the old "pip" ecosystem updated requirements/pyproject but NOT
+  # uv.lock. It still does not re-derive the EXPORTED locks (requirements.lock + docker/locks/*),
+  # which the DEP-1 gate in security.yml byte-diffs; .github/workflows/dependabot-lock-resync.yml
+  # re-exports those on the Dependabot branch so the gate stays green.
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    # Supply-chain cooldown: age a fresh release before opening a ROUTINE update PR, to dodge a
+    # package compromised shortly after publish. Security updates ignore cooldown (Dependabot
+    # behavior), so a real advisory fix still arrives immediately. Pairs with the auto-merge
+    # workflow: routine patches auto-merge AFTER aging; security patches auto-merge now.
+    cooldown:
+      default-days: 3
+      semver-major-days: 7
+    groups:
+      # Version-update grouping (applies-to defaults to version-updates).
+      python-deps:
+        patterns: ["*"]
+      # Security-update grouping: collapse multiple vulnerable-dep fixes into ONE PR so a single
+      # review/merge clears them — faster remediation when several CVEs land together.
+      python-security:
+        applies-to: security-updates
+        patterns: ["*"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  # The VS Code extension's npm tree (build-time toolchain — the shipped artifact is the esbuild
+  # bundle). Surfaces a vulnerable/outdated npm dep as a PR, the same DEP-1 surveillance the uv
+  # ecosystem gets; the blocking npm-audit job in security.yml is the fail-closed companion.
+  - package-ecosystem: "npm"
+    directory: "/ide"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    cooldown:
+      default-days: 3
+      semver-major-days: 7
+    groups:
+      ide-deps:
+        patterns: ["*"]
+      ide-security:
+        applies-to: security-updates
+        patterns: ["*"]

{messagefoundry-0.1.0 → messagefoundry-0.2.0}/.github/workflows/benchmark.yml RENAMED Viewed

@@ -27,7 +27,7 @@ jobs:
     name: baseline (sqlite)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
@@ -88,7 +88,7 @@ jobs:
       MEFOR_STORE_ENCRYPT: "false"  # plaintext to the container; the TLS-hardening guard needs the escape
       MEFOR_ALLOW_INSECURE_TLS: "1"
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
@@ -155,7 +155,7 @@ jobs:
       MEFOR_STORE_TRUST_SERVER_CERTIFICATE: "true"
       MEFOR_ALLOW_INSECURE_TLS: "1"
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:

{messagefoundry-0.1.0 → messagefoundry-0.2.0}/.github/workflows/ci.yml RENAMED Viewed

@@ -11,16 +11,26 @@ concurrency:
   cancel-in-progress: true
 jobs:
-  # Lint + type-check + unit tests. The Python-version matrix runs on Linux
-  # (cheap); Windows Server 2022 + 2025 are added for OS coverage on the exact
-  # versions we deploy to (one Python each to keep Windows minutes down — they
-  # bill at 2x on a private repo).
+  # Lint + type-check + unit tests. Linux carries the cheap breadth — the 3.11
+  # floor plus a fast early-fail leg on the newest 3.14 (1x minutes). Windows
+  # Server 2022 + 2025 is the primary deployment target, so it covers BOTH the
+  # current (3.13) and the new (3.14) deploy Python on each Server SKU, even
+  # though Windows bills at 2x — testing the version we ship on the OS we ship it
+  # on is worth the minutes.
   test:
     name: test (${{ matrix.os }}, py${{ matrix.python-version }})
     runs-on: ${{ matrix.os }}
-    # Backstop for the intermittent py3.11 pytest wedge (BACKLOG #17): bound the leg's wall-clock so a
-    # hang fails in minutes, not the 6h default. The pytest-timeout watchdog (60s/test) should catch the
-    # culprit first; this is the belt-and-suspenders cap if the whole process deadlocks below pytest.
+    # py3.11 is a REQUIRED gate again (BACKLOG #17 RESOLVED in PR #448). The intermittent py3.11-only hang
+    # was root-caused — and reproduced on a Docker py3.11 box — as a CPython 3.11 asyncio cancellation race:
+    # cancelling a task parked in asyncio.Queue.get() can intermittently never complete (fixed in CPython
+    # 3.12, hence py3.13 was always clean and production — one long-lived loop — never hit it). TeeRelay.stop()
+    # tripped it; fixed via a sentinel shutdown in tee/relay.py, validated at 0 hangs across 24 full-suite +
+    # 40 isolated runs in the repro container and green on CI. So the advisory `continue-on-error` is removed
+    # and a py3.11 failure reds the build again. (The dormant `MEFOR_PY311_QUARANTINE` conftest lever stays as
+    # an off-by-default safety net; it is no longer needed.)
+    # Wall-clock backstop: bound each leg so a hung test fails in minutes, not the 6h default. The
+    # pytest-timeout watchdog (60s/test) should catch a culprit first; this is the belt-and-suspenders cap
+    # if a whole process ever deadlocks below pytest (e.g. a future regression of BACKLOG #17).
     timeout-minutes: 15
     strategy:
       fail-fast: false
@@ -28,14 +38,17 @@ jobs:
         include:
           - { os: ubuntu-latest, python-version: "3.11" }
           - { os: ubuntu-latest, python-version: "3.13" }
+          - { os: ubuntu-latest, python-version: "3.14" }
           - { os: windows-2022, python-version: "3.13" }
+          - { os: windows-2022, python-version: "3.14" }
           - { os: windows-2025, python-version: "3.13" }
+          - { os: windows-2025, python-version: "3.14" }
     defaults:
       run:
         shell: bash  # available on all runners (Git Bash on Windows) -> one set of commands
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -52,10 +65,15 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libegl1 libgl1 libxkbcommon0 libdbus-1-3
-      - name: Install project (dev + console extras)
+      - name: Install project (dev + console + fhir + dicom extras)
         run: |
           python -m pip install --upgrade pip
-          pip install -e ".[dev,console]"
+          # [fhir] so the FHIR typed-tier tests (incl. the PHI-no-leak invariant, ADR 0022) actually
+          # run their assertions in CI rather than importorskip-skipping (extra-less local runs skip).
+          # [dicom] (pydicom + pynetdicom; ADR 0025) does the same for the DICOM codec + C-STORE SCP
+          # tests, and lets mypy type-check transports/dicom.py + parsing/dicom/ against the real
+          # (py.typed) libraries rather than treating them as Any.
+          pip install -e ".[dev,console,fhir,dicom]"
       - name: Lint (ruff)
         run: ruff check messagefoundry tests
@@ -82,7 +100,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python 3.11
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
@@ -119,7 +137,7 @@ jobs:
       run:
         working-directory: ide
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
@@ -150,18 +168,21 @@ jobs:
   # switch to an always-run job whose heavy steps are step-gated, since the service container starts
   # before steps.)
   changes:
-    name: detect server-DB changes
+    name: detect server-DB + docker changes
     runs-on: ubuntu-latest
     outputs:
       serverdb: ${{ steps.f.outputs.serverdb }}
+      docker: ${{ steps.f.outputs.docker }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
       - id: f
         run: |
           if [ "${{ github.event_name }}" != "pull_request" ]; then
-            echo "serverdb=true" >> "$GITHUB_OUTPUT"; exit 0
+            echo "serverdb=true" >> "$GITHUB_OUTPUT"
+            echo "docker=true" >> "$GITHUB_OUTPUT"
+            exit 0
           fi
           changed=$(git diff --name-only "${{ github.event.pull_request.base.sha }}...HEAD")
           if echo "$changed" | grep -qE '^(messagefoundry/store/|messagefoundry/pipeline/cluster|messagefoundry/transports/database|tests/test_(sqlserver|postgres|cluster|database_connector)|\.github/workflows/ci\.yml)'; then
@@ -169,6 +190,13 @@ jobs:
           else
             echo "serverdb=false" >> "$GITHUB_OUTPUT"
           fi
+          # The container image smoke runs on PRs that touch the image, the per-profile locks, packaging,
+          # or this workflow (engine-wide regressions are already covered by the `test` job + push-to-main).
+          if echo "$changed" | grep -qE '^(docker/|\.dockerignore|pyproject\.toml|requirements\.lock|\.github/workflows/ci\.yml)'; then
+            echo "docker=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "docker=false" >> "$GITHUB_OUTPUT"
+          fi
   # SQL Server service-container leg: runs the gated suites that need a real SQL Server (Linux, so 1x
   # minutes) — the PRODUCTION store backend suite AND the PRODUCTION DATABASE connector round-trip
@@ -178,13 +206,23 @@ jobs:
   # in branch protection so a T-SQL regression can't merge. Exercises the T-SQL + the live aioodbc
   # round-trip the SQLite / faked-driver tests can't.
   sqlserver-store:
-    name: sql server (store + connector)
+    name: sql server (store + connector) ${{ matrix.label }}
     needs: changes
     if: github.event_name != 'pull_request' || needs.changes.outputs.serverdb == 'true'
     runs-on: ubuntu-latest
+    # Matrix the gated suite across every supported SQL Server major (2022 = 16.x, 2025 = 17.x) so a
+    # version-specific T-SQL / engine regression can't merge. fail-fast: false keeps a 2025-only hiccup
+    # from cancelling the 2022 leg (and vice-versa). The `changes` path-filter still gates this on PRs, so
+    # matrixing only doubles the (rate-limited) mcr pulls on server-DB PRs + pushes to main.
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { image: "mcr.microsoft.com/mssql/server:2022-latest", label: "2022" }
+          - { image: "mcr.microsoft.com/mssql/server:2025-latest", label: "2025" }
     services:
       mssql:
-        image: mcr.microsoft.com/mssql/server:2022-latest
+        image: ${{ matrix.image }}
         env:
           ACCEPT_EULA: "Y"
           MSSQL_SA_PASSWORD: "Str0ng_P@ssw0rd!"
@@ -192,7 +230,7 @@ jobs:
           - 1433:1433
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -211,7 +249,7 @@ jobs:
       - name: Wait for SQL Server and create the database
         run: |
           sqlcmd=/opt/mssql-tools18/bin/sqlcmd
-          for i in $(seq 1 40); do
+          for i in $(seq 1 60); do  # ~120s cap: 2025's first boot can run slower than 2022's
             if "$sqlcmd" -S localhost -U sa -P 'Str0ng_P@ssw0rd!' -C -Q "SELECT 1" > /dev/null 2>&1; then
               echo "SQL Server is up"; break
             fi
@@ -336,7 +374,7 @@ jobs:
           --health-retries 5
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -394,7 +432,7 @@ jobs:
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -446,19 +484,27 @@ jobs:
   # profile (correctness SLOs strict; drain bound sized for a server DB). Skipped on PRs to save spend —
   # runs on push to main + on-demand (workflow_dispatch). Heavier SQL Server profiles run manually.
   load-test-sqlserver:
-    name: load test (smoke, sqlserver)
+    name: load test (smoke, sqlserver) ${{ matrix.label }}
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
+    # Smoke the end-to-end SQL Server store path on every supported major (2022/2025). Push/dispatch-only,
+    # so no PR cost; fail-fast: false keeps the two legs independent.
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { image: "mcr.microsoft.com/mssql/server:2022-latest", label: "2022" }
+          - { image: "mcr.microsoft.com/mssql/server:2025-latest", label: "2025" }
     services:
       mssql:
-        image: mcr.microsoft.com/mssql/server:2022-latest
+        image: ${{ matrix.image }}
         env:
           ACCEPT_EULA: "Y"
           MSSQL_SA_PASSWORD: "Str0ng_P@ssw0rd!"
         ports:
           - 1433:1433
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -477,7 +523,7 @@ jobs:
       - name: Wait for SQL Server and create the database (RCSI on, like the store suite)
         run: |
           sqlcmd=/opt/mssql-tools18/bin/sqlcmd
-          for i in $(seq 1 40); do
+          for i in $(seq 1 60); do  # ~120s cap: 2025's first boot can run slower than 2022's
             if "$sqlcmd" -S localhost -U sa -P 'Str0ng_P@ssw0rd!' -C -Q "SELECT 1" > /dev/null 2>&1; then
               echo "SQL Server is up"; break
             fi
@@ -538,29 +584,41 @@ jobs:
   # confirm it was recorded -> stop -> uninstall. Skipped on PRs to save Windows
   # minutes; runs on push to main and on-demand (workflow_dispatch).
   windows-service-smoke:
-    name: windows service smoke (${{ matrix.os }})
+    name: windows service smoke (${{ matrix.os }}, py${{ matrix.python-version }})
     if: github.event_name != 'pull_request'
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        os: [windows-2022, windows-2025]
+        # Windows Server 2022 + 2025 on the current deploy Python (3.13); plus the new 3.14 deploy
+        # target on 2025 (newest Server) so the real NSSM install->serve->MLLP path is validated on
+        # the version we will ship. This job is push/dispatch-only, so the extra leg costs no PR time.
+        include:
+          - { os: windows-2022, python-version: "3.13" }
+          - { os: windows-2025, python-version: "3.13" }
+          - { os: windows-2025, python-version: "3.14" }
     defaults:
       run:
         shell: pwsh
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
-          python-version: "3.13"
+          python-version: ${{ matrix.python-version }}
-      - name: Install the engine
+      - name: Install the engine (fhir + dicom extras)
         run: |
           python -m pip install --upgrade pip
-          pip install -e .
+          # The samples/config graph this smoke serves uses the FHIR and DICOM connectors, and the
+          # DICOM inbound binds a DIMSE C-STORE SCP at startup (transports/dicom.py imports pynetdicom
+          # eagerly on start) — so a bare `pip install -e .` makes the engine fail-close at wiring with
+          # ModuleNotFoundError and /health never comes up. Install the connector extras the graph needs
+          # (the "real Windows service path" a user running this graph would install). Keep in sync with
+          # the connectors used in samples/config.
+          pip install -e ".[fhir,dicom]"
       # Run the install/uninstall scripts under Windows PowerShell 5.1 (shell: powershell) to
       # match what the console launches on an end-user machine — catches 5.1-only behaviour
@@ -602,17 +660,22 @@ jobs:
           # since no VXU is sent; the non-secret endpoints live in environments/prod.toml (selected by
           # the -Environment prod passed to install-service.ps1 above).
           # `prod` also FAIL-CLOSES on unrestricted egress (a transform could send PHI anywhere): lock it
-          # down (deny_by_default) AND allowlist the samples/config graph's 6 outbound destinations, or the
+          # down (deny_by_default) AND allowlist the samples/config graph's 8 outbound destinations, or the
           # engine refuses to start at wiring. [egress] is SERVICE settings (MEFOR_EGRESS_*), NOT an
           # environments/<env>.toml value; lists are comma-separated host:port matching the resolved
-          # prod.toml endpoints (MLLP->allowed_mllp; X12->allowed_tcp; SOAP->allowed_http; File->allowed_file_dirs).
+          # prod.toml endpoints (MLLP->allowed_mllp; X12->allowed_tcp; SOAP+FHIR->allowed_http; File->allowed_file_dirs).
+          # NOTE keep this list in sync with samples/config when an outbound is added (e.g. OB_FHIR_SERVER) —
+          # the egress check fails fast on the FIRST denied dest, so a missing entry wedges service start.
+          # fhir-prod.example.org is allowlisted HOST-ONLY: its prod URL (https://fhir-prod.example.org/fhir)
+          # has no explicit port, so urlsplit().port is None and a ":443" suffix would NOT match (see
+          # _http_egress_allowed). A bare host matches any port, which is what we want for a default-port URL.
           nssm set MessageFoundry AppEnvironmentExtra `
             "MEFOR_AUTH_ENABLED=false" `
             "MEFOR_STORE_ENCRYPTION_KEY=$storeKey" `
             "MEFOR_EGRESS_DENY_BY_DEFAULT=true" `
-            "MEFOR_EGRESS_ALLOWED_MLLP=receiver-prod.example.org:6661" `
+            "MEFOR_EGRESS_ALLOWED_MLLP=receiver-prod.example.org:6661,powerscribe-prod.example.org:6665" `
             "MEFOR_EGRESS_ALLOWED_TCP=payer-prod.example.org:6662,rte-prod.example.org:6663,rte-result-prod.example.org:6664" `
-            "MEFOR_EGRESS_ALLOWED_HTTP=iis-prod.example.org:8443" `
+            "MEFOR_EGRESS_ALLOWED_HTTP=iis-prod.example.org:8443,fhir-prod.example.org" `
             "MEFOR_EGRESS_ALLOWED_FILE_DIRS=out" `
             "MEFOR_VALUE_REGISTRY_CLIENT_CERT=$cert" `
             "MEFOR_VALUE_REGISTRY_CLIENT_KEY=$key" `
@@ -644,6 +707,7 @@ jobs:
           "messages.total = $($msgs.total)"
       - name: Stop the service (graceful)
+        if: always()
         run: nssm stop MessageFoundry
       - name: Show service logs
@@ -665,6 +729,125 @@ jobs:
         if: always()
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
-          name: service-logs-${{ matrix.os }}
+          name: service-logs-${{ matrix.os }}-py${{ matrix.python-version }}
           path: C:\ProgramData\MessageFoundry\logs\
           if-no-files-found: ignore
+  # Container image smoke (the engine's FIRST non-Windows runtime target — it is Windows-service/NSSM
+  # first today). Builds the slim engine image, builds a test-only image that bakes a minimal ADT->file
+  # config + a self-contained MLLP sender (config baked, not mounted, so it is owned by the engine's UID
+  # and not group/world-writable — _assert_safe_config_source refuses otherwise), serves it loopback +
+  # auth-off, sends one synthetic ADT^A01 over the in-container MLLP listener, and asserts it FINALIZES
+  # to PROCESSED (not merely RECEIVED — that distinguishes ACK-on-receipt from final disposition). Then
+  # it verifies a graceful `docker stop`: tini forwards SIGTERM -> uvicorn lifespan -> engine.stop().
+  # Runs on push to main + dispatch always; on PRs only when the image/locks/packaging/this workflow
+  # change (gated by `changes`), so docs/unrelated PRs don't pay the build.
+  docker-smoke:
+    name: docker image smoke (slim, linux)
+    needs: changes
+    if: github.event_name != 'pull_request' || needs.changes.outputs.docker == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - name: Build the slim engine image
+        run: docker build -f docker/Dockerfile -t messagefoundry:ci .
+      - name: Build the -sqlserver variant (ODBC apt layer + sqlserver lock must resolve)
+        # Build-only: it pulls the Microsoft ODBC repo + installs from requirements-sqlserver.lock, so a
+        # broken hashed dep or the Debian/MS-key issue the Dockerfile warns about turns the job red here.
+        run: docker build -f docker/Dockerfile --target runtime-sqlserver -t messagefoundry:sqlserver-ci .
+      - name: Build the test smoke image (baked minimal config + MLLP sender)
+        run: docker build -f docker/smoke/Dockerfile --build-arg BASE=messagefoundry:ci -t messagefoundry:smoke .
+      - name: Serve (loopback, auth off) and assert an MLLP message reaches PROCESSED
+        run: |
+          set -euo pipefail
+          # Bind the API + MLLP to loopback INSIDE the container and drive the test from inside it
+          # (docker exec). A non-loopback bind without TLS would be refused by the startup bind guard
+          # (and auth-off is refused off-loopback regardless of --allow-insecure-bind), so loopback +
+          # in-container traffic is the correct posture for an auth-disabled smoke — no insecure override.
+          docker run -d --name mefor -e MEFOR_AUTH_ENABLED=false messagefoundry:smoke \
+            serve --config /config --env dev --host 127.0.0.1 --port 8765
+          # Readiness: /health is tokenless and always 200 once the listener is up.
+          for _ in $(seq 1 60); do
+            docker exec mefor curl -fsS http://127.0.0.1:8765/health >/dev/null 2>&1 && break || sleep 0.5
+          done
+          docker exec mefor curl -fsS http://127.0.0.1:8765/health
+          # Send one synthetic ADT^A01 over the in-container MLLP listener (loopback:2575); fails on a non-AA ACK.
+          docker exec mefor python /smoke/send_adt.py 127.0.0.1 2575
+          # Poll the disposition via the container's own python (stdlib urllib — no host python/jq needed).
+          total() { docker exec mefor python -c "import urllib.request,json;print(json.load(urllib.request.urlopen('http://127.0.0.1:8765/messages?status=$1'))['total'])"; }
+          processed=0
+          for _ in $(seq 1 60); do
+            # `|| processed=0`: a transient non-zero before the row finalizes must NOT abort the loop under set -e.
+            processed=$(total processed) || processed=0
+            [ "$processed" -ge 1 ] && break || sleep 0.5
+          done
+          received=$(total received) || received=0
+          echo "processed=$processed received=$received"
+          # The whole point of the assert: confirm it FINALIZED, not just that it was acknowledged-on-receipt.
+          if [ "$processed" -lt 1 ]; then
+            echo "FAIL: message did not finalize to PROCESSED (received=$received) — stuck at ACK-on-receipt"
+            exit 1
+          fi
+      - name: Verify graceful shutdown (tini -> SIGTERM -> engine.stop drains)
+        run: |
+          set -euo pipefail
+          docker stop --time 30 mefor
+          code=$(docker inspect -f '{{.State.ExitCode}}' mefor)
+          echo "container exit code: $code"
+          # A fully graceful shutdown exits 0 (uvicorn handles SIGTERM, runs the lifespan, returns); 143
+          # (128+SIGTERM) is acceptable too. 137 = SIGKILL after the grace expired = ungraceful.
+          if [ "$code" = "137" ]; then echo "FAIL: ungraceful shutdown (SIGKILL after grace)"; exit 1; fi
+          docker logs mefor 2>&1 | grep -q "Application shutdown complete" \
+            || { echo "FAIL: no clean-shutdown marker (lifespan shutdown did not complete)"; exit 1; }
+          echo "graceful shutdown verified"
+      - name: Engine log (always)
+        if: always()
+        run: docker logs mefor 2>&1 | tail -60 || true
+      - name: Tear down
+        if: always()
+        run: docker rm -f mefor || true
+  # Single STABLE required status check standing in for the conditional / matrix heavy legs (SQL
+  # Server, Postgres, load, Windows-service smoke). Those legs CANNOT be required directly:
+  #   * the push-only legs (`postgres-store`, `load-test`, `load-test-sqlserver`,
+  #     `windows-service-smoke`) report `skipped` on every PR — never the required context a PR waits
+  #     on — so requiring them either no-ops or wedges; and
+  #   * the matrix legs report an UNEXPANDED name when skipped (`... ${{ matrix.label }}`) but
+  #     EXPANDED names when they run (`... 2022`/`2025`, `(windows-2022, py3.13)`), so no single
+  #     context string matches both the skipped and the run state.
+  # This gate ALWAYS runs (if: always()), so it reports ONE fixed context ("CI gate") regardless of
+  # which legs ran, and fails iff a gated leg actually FAILED or was cancelled — a `skipped` leg
+  # counts as a pass. Require "CI gate" in branch protection INSTEAD of the individual legs; a leg
+  # that does run on a PR (e.g. `sqlserver-store` on a server-DB PR) thus still blocks the merge.
+  # NB: `docker-smoke` is intentionally NOT gated here (out of the named set) — add it to `needs`
+  # below to make a container-smoke failure block merge too.
+  ci-gate:
+    name: CI gate
+    if: always()
+    needs:
+      - changes
+      - sqlserver-store
+      - postgres-store
+      - load-test
+      - load-test-sqlserver
+      - windows-service-smoke
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fail if any gated leg failed or was cancelled
+        if: >-
+          contains(needs.*.result, 'failure') ||
+          contains(needs.*.result, 'cancelled')
+        run: |
+          echo "::error::A gated CI leg failed or was cancelled."
+          echo '${{ toJSON(needs) }}'
+          exit 1
+      - name: Gated legs OK
+        run: echo "All gated CI legs succeeded or were skipped."

messagefoundry-0.2.0/.github/workflows/dependabot-auto-merge.yml ADDED Viewed

@@ -0,0 +1,58 @@
+name: Dependabot auto-merge
+# Scoped auto-merge for Dependabot PRs (A4 of the dependency fast-response plan).
+#
+# SAFE because main's required status checks are the gate: the full pytest suite, pip-audit, the
+# DEP-1 lock-sync check (incl. the A3 lock-resync commit), bandit/semgrep/gitleaks all must pass
+# before GitHub completes the merge. A bad bump turns CI red and never merges — auto-merge only
+# removes the human-latency on the safe, common case, not the safety net.
+#
+# IN SCOPE (auto-merged):
+#   - any PATCH update (incl. security patches — most security fixes are patches)
+#   - MINOR updates of DEV-only dependencies
+# OUT OF SCOPE (left for human review, surfaced same-day by the daily security cron + alerts):
+#   - MINOR/MAJOR updates of runtime deps, and ALL MAJOR updates
+#
+# Fresh-release supply-chain poisoning is handled upstream by the dependabot.yml `cooldown`
+# (routine updates age before a PR opens); SECURITY updates bypass cooldown by design, so a real
+# advisory fix still arrives immediately and (if a patch) auto-merges.
+#
+# Why `pull_request` (not pull_request_target): a Dependabot `pull_request` run gets a read-only
+# GITHUB_TOKEN by default, which the `permissions:` block below elevates to exactly what the merge
+# API needs — no untrusted-code-with-secrets exposure, no GitHub App required. This is the pattern
+# GitHub documents for Dependabot auto-merge.
+on: pull_request
+permissions:
+  contents: write # complete the merge
+  pull-requests: write # enable auto-merge on the PR
+concurrency:
+  group: dependabot-automerge-${{ github.event.pull_request.number }}
+  cancel-in-progress: false
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    # Only Dependabot's own PRs. pull_request.user.login is the immutable PR author, so an A3
+    # lock-resync `synchronize` (pushed by the App) still satisfies this — the author stays
+    # dependabot[bot] even though the triggering actor is the App.
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    timeout-minutes: 10
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Enable auto-merge for in-scope updates
+        if: >-
+          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
+          (steps.meta.outputs.update-type == 'version-update:semver-minor' &&
+           steps.meta.outputs.dependency-type == 'direct:development')
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

messagefoundry 0.1.0__tar.gz → 0.2.0__tar.gz

messagefoundry 0.1.0tar.gz → 0.2.0tar.gz