moncpipelib 0.39.4__tar.gz

moncpipelib-0.39.4/.github/workflows/ci.yml

@@ -0,0 +1,60 @@
+# Public CI for moncpipelib. Standalone -- no internal reusable workflows.
+# Generated into the public tree by scripts/oss-export/export.py; do not hand-edit
+# in the public repo (re-generate from the private export tooling instead).
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  leak-scan:
+    name: Leak scan (gitleaks)
+    runs-on: ubuntu-latest
+    env:
+      # gitleaks-action requires a paid license for org-owned repos; the CLI
+      # does not. Run the pinned binary directly instead.
+      GITLEAKS_VERSION: "8.30.1"
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install gitleaks
+        run: |
+          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
+          file="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          curl -fsSL "$base/$file" -o "$file"
+          curl -fsSL "$base/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o checksums.txt
+          grep "$file" checksums.txt | sha256sum -c -
+          tar -xzf "$file" gitleaks
+      - name: Scan
+        run: ./gitleaks dir . --config .gitleaks.toml --no-banner --redact
+
+  quality:
+    name: Lint, type-check, test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Sync dependencies
+        run: uv sync --all-extras --dev
+
+      - name: Ruff lint
+        run: uv run ruff check src tests scripts
+
+      - name: Mypy
+        run: uv run mypy src
+
+      - name: Pytest
+        run: uv run pytest -q

moncpipelib-0.39.4/.github/workflows/publish-pypi.yml

@@ -0,0 +1,59 @@
+# Publishes moncpipelib to PyPI via Trusted Publishing (OIDC) -- no API token.
+#
+# Runs in the PUBLIC repo (a non-EMU org). Generated into the public tree by
+# the private export tooling; do not hand-edit in the public repo.
+#
+# One-time PyPI setup (https://pypi.org/manage/project/moncpipelib/settings/publishing/):
+#   Add a Trusted Publisher:
+#     Owner:        model-oncology-public
+#     Repository:   moncpipelib
+#     Workflow:     publish-pypi.yml
+#     Environment:  pypi
+#
+# Release flow: bump the version in the internal repo -> publish the mirror ->
+# create a GitHub Release in the public repo (tag vX.Y.Z) -> this runs and
+# uploads. PyPI rejects re-uploading an existing version, so each publish needs
+# a new version.
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build distributions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "latest"
+      - name: Build sdist + wheel
+        run: uv build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write # OIDC token for Trusted Publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Publish
+        # NOTE: pin to the COMMIT sha, not the annotated-tag-object sha, or
+        # Actions mis-resolves it to a non-existent ghcr.io image tag.
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

moncpipelib-0.39.4/.gitignore

@@ -0,0 +1,218 @@
+# Claude Worktrees
+.claude/
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+#poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+#pdm.lock
+#pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+#pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Abstra
+# Abstra is an AI-powered process automation framework.
+# Ignore directories containing user credentials, local state, and settings.
+# Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor
+#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Cookbook build artifacts
+.cookbook_artifacts.json
+
+# scripts/bench_*.py per-run output (work_mem #294, upsert staging-merge #375).
+# Trailing wildcard matters: result files carry suffixes after "results"
+# (e.g. bench_work_mem_results_58m_256mb.json), which bench_*_results.json missed.
+bench_*results*.json

moncpipelib-0.39.4/.gitleaks.toml

@@ -0,0 +1,99 @@
+# gitleaks configuration for the PUBLIC moncpipelib repository.
+#
+# This ships into the public tree as `.gitleaks.toml` and is run by the public
+# CI on every push/PR. It is the ongoing "suspenders" -- the export-time
+# scan.py is the "belt". Keep the custom rules here in sync with
+# scripts/oss-export/scan.py in the private repo.
+
+title = "moncpipelib leak-scan config"
+
+[extend]
+useDefault = true
+
+[[rules]]
+id = "mo-azure-cus-resource"
+description = "Internal Azure resource name (-cus-npe/prd/prod)"
+regex = '''\b[a-z][a-z0-9]*-cus-(npe|prd|prod)\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-pg-flex-server"
+description = "Internal Postgres flexible server name"
+regex = '''\bsrv-psgrsdb[\w-]*\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-storage-account"
+description = "Internal Azure storage account name"
+regex = '''\bstadatalake[\w-]*\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-internal-db-name"
+description = "Internal database name"
+regex = '''\boncalytics\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-employee-handle"
+description = "Employee handle"
+regex = '''\bahaight[\w-]*\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-internal-email-domain"
+description = "Internal email domain"
+regex = '''\boncologyhealthpartners\.com\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-azure-pg-fqdn"
+description = "Azure Postgres FQDN"
+regex = '''\b[a-z0-9-]+\.postgres\.database\.azure\.com\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-azure-sql-fqdn"
+description = "Azure SQL FQDN"
+regex = '''\b[a-z0-9-]+\.database\.windows\.net\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-azure-storage-fqdn"
+description = "Azure storage FQDN (blob/dfs/file/queue/table)"
+regex = '''\b[a-z0-9]+\.(?:blob|dfs|file|queue|table)\.core\.windows\.net\b'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-azure-artifacts-feed"
+description = "Internal Azure Artifacts package feed"
+regex = '''\bpkgs\.dev\.azure\.com\b'''
+tags = ["internal", "model-oncology"]
+
+# Detect a subscription GUID by CONTEXT rather than embedding the real values
+# (this file is public). The precise known-ID check lives in the private
+# export-time scanner (scripts/oss-export/scan.py), which is never published.
+[[rules]]
+id = "mo-azure-subscription"
+description = "Azure subscription id appearing in a subscription context"
+regex = '''(?i)subscription["'\s:=/_-]+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["internal", "model-oncology"]
+
+[[rules]]
+id = "mo-azure-id-context"
+description = "Azure tenant/client/object/app id appearing in context"
+regex = '''(?i)\b(?:tenant|client[_-]?id|object[_-]?id|app[_-]?id)\b["'\s:=/_-]+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["internal", "model-oncology"]
+
+[allowlist]
+description = "Known-safe placeholders and synthetic example values"
+# Match allowlist regexes against the full match (not the capture/secret), so
+# placeholder hosts like examplestorageacct.dfs.core.windows.net are suppressed.
+regexTarget = "match"
+regexes = [
+  '''example\.com''',
+  '''examplestorageacct''',
+  '''\bpg-(nonprod|prod)\b''',
+  '''\blaw-(nonprod|prod)\b''',
+  '''\bbench_user\b''',
+]

moncpipelib-0.39.4/.pre-commit-config.yaml

@@ -0,0 +1,51 @@
+---
+exclude: |
+  (?x)^(
+      .*cache.*/.*|
+      .*venv.*/.*
+  )$
+fail_fast: true
+default_language_version:
+  python: python3.13
+repos:
+  # ----------------------------- Security ----------------------------------- #
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.30.1
+    hooks:
+      - id: gitleaks
+        name: "Detect hardcoded secrets"
+
+  # ----------------------------- Python ------------------------------------- #
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.14
+    hooks:
+      - id: ruff-format
+        name: "Format with Ruff"
+      - id: ruff
+        name: "Lint with Ruff"
+        args: [--fix, --exit-non-zero-on-fix]
+
+  # ----------------------------- YAML --------------------------------------- #
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.38.0
+    hooks:
+      - id: yamllint
+        name: "Lint YAML files"
+        args: [-d, relaxed]
+
+  # ----------------------------- Filesystem / Git --------------------------- #
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-merge-conflict
+        name: "Detect conflict markers"
+      - id: end-of-file-fixer
+        name: "Fix end of file"
+      - id: trailing-whitespace
+        name: "Trim trailing whitespace"
+      - id: check-added-large-files
+        name: "Block large file commits"
+        args: ["--maxkb=5000"]
+      - id: no-commit-to-branch
+        name: "Protect main branch"
+        args: ["--branch", "main"]

moncpipelib-0.39.4/CODE_OF_CONDUCT.md

@@ -0,0 +1,72 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+engineering@modeloncology.com. All complaints will be reviewed and investigated
+promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
+
+[homepage]: https://www.contributor-covenant.org

moncpipelib-0.39.4/CONTRIBUTING.md

@@ -0,0 +1,82 @@
+# Contributing to moncpipelib
+
+Thanks for your interest in contributing.
+
+`moncpipelib` is maintained by Model Oncology and developed primarily against
+our internal data-pipeline needs. We welcome issues and pull requests from the
+community.
+
+## How this repository is maintained
+
+This public repository is a **one-way mirror** generated from an internal
+repository. The `main` branch is republished (force-pushed) on each release, so
+**commits pushed directly to `main` here do not persist**. That does not mean
+your contribution is unwelcome -- it changes the mechanics:
+
+- **Issues and discussions** are the best way to report bugs and propose
+  changes; we triage them directly.
+- **Pull requests** are reviewed here. When we accept one, we reincorporate the
+  change into the internal source and it lands in the public repo on the next
+  sync (with attribution preserved). Your PR branch is the unit of review; the
+  public `main` is not a durable merge target.
+
+If this workflow ever becomes a friction point, open an issue -- we would rather
+adjust the process than lose a good contribution.
+
+## Development setup
+
+This project uses [uv](https://docs.astral.sh/uv/) for environment and
+dependency management.
+
+```bash
+uv sync --all-extras --dev
+```
+
+## Before you open a pull request
+
+Run the full local check suite -- CI runs the same steps:
+
+```bash
+uv run ruff check src tests scripts
+uv run ruff format --check src tests scripts
+uv run mypy src
+uv run pytest
+```
+
+If you change anything under `tests/cookbook/`, regenerate the cookbook docs
+(CI fails if they are stale):
+
+```bash
+uv run pytest tests/cookbook/ --cookbook-collect
+uv run python scripts/generate_cookbook.py
+```
+
+## Guidelines
+
+- Target Python 3.11+. The codebase is fully typed and checked under mypy
+  strict mode -- new code must type-check cleanly.
+- I/O at boundaries (blob storage, database, archive, network, filesystem)
+  must stream by default. Methods that return whole payloads as `bytes` are
+  reserved for content that is contractually bounded to a few MB, and the
+  docstring must say so.
+- Keep changes focused and include tests.
+- **Test fixtures must be synthetic.** Never derive a fixture from a real data
+  extract. All sample data (identifiers, names, dates, claims, etc.) must be
+  fabricated. PRs that add fixtures resembling real records will be rejected.
+  Do not add binary fixtures (e.g. `.parquet`) without prior discussion in an
+  issue.
+
+## Code of Conduct
+
+This project adheres to a [Code of Conduct](CODE_OF_CONDUCT.md). By
+participating, you are expected to uphold it.
+
+## Security
+
+Please do not file public issues for security vulnerabilities. See
+[SECURITY.md](SECURITY.md) for the disclosure process.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the
+Apache License 2.0, consistent with the rest of the project.