nab-python 0.0.2__py3-none-any.whl → 0.0.3__py3-none-any.whl

nab_python/_build/env.py

@@ -314,7 +314,7 @@ def _venv_python(venv_path: Path) -> Path:
     r"""Return the venv interpreter path (``Scripts\python.exe`` on Windows)."""
     if sys.platform == "win32":
         return venv_path / "Scripts" / "python.exe"  # pragma: no cover
-    return venv_path / "bin" / "python"
+    return venv_path / "bin" / "python"  # pragma: no cover
 
 
 def _venv_scheme_paths(python_executable: Path) -> dict[str, str]:

nab_python/_lockfile/builder.py

@@ -12,11 +12,13 @@ from __future__ import annotations
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import TYPE_CHECKING, Protocol, overload
+from urllib.parse import urlsplit, urlunsplit
 
 import tomli
 
 from nab_index.client import SdistFile, WheelFile
 
+from .._vendor.packaging.pylock import Pylock, PylockValidationError
 from .._vendor.packaging.utils import canonicalize_name
 
 if TYPE_CHECKING:
@@ -40,6 +42,7 @@ __all__ = [
     "MissingHashError",
     "build_lock_input_from_provider",
     "read_lockfile_anchor",
+    "read_lockfile_packages",
 ]
 
 
@@ -132,14 +135,54 @@ def read_lockfile_anchor(path: Path) -> datetime | None:
     if isinstance(raw, datetime):
         return raw if raw.tzinfo else raw.replace(tzinfo=timezone.utc)
     if isinstance(raw, str):
+        # Python 3.10's fromisoformat rejects a trailing 'Z'; 3.11+ accept it.
+        iso = raw[:-1] + "+00:00" if raw.endswith("Z") else raw
         try:
-            dt = datetime.fromisoformat(raw)
+            dt = datetime.fromisoformat(iso)
         except ValueError:
             return None
         return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
     return None
 
 
+def read_lockfile_packages(path: Path) -> dict[str, Version] | None:
+    """Return the ``name -> version`` map from a prior pylock at ``path``.
+
+    Used by ``nab lock`` to diff a re-lock against the previous result.
+    Packages without a recorded version (direct-reference entries that
+    omit it) are skipped.
+
+    Returns ``None`` when ``path`` does not exist, is not valid TOML,
+    or is not a spec-compliant PEP 751 lockfile; the caller falls back
+    to a no-diff summary line.
+    """
+    if not path.is_file():
+        return None
+    try:
+        with path.open("rb") as f:
+            data = tomli.load(f)
+        pylock = Pylock.from_dict(data)
+    except (OSError, tomli.TOMLDecodeError, PylockValidationError):
+        return None
+    return {
+        str(pkg.name): pkg.version for pkg in pylock.packages if pkg.version is not None
+    }
+
+
+def _strip_userinfo(url: str) -> str:
+    """Return ``url`` with any ``user:password@`` userinfo removed.
+
+    Lockfiles are committed to version control, so an index or VCS
+    URL carrying embedded credentials must not be written verbatim.
+    Only the userinfo is dropped: host case and port are preserved
+    and a ``git+`` scheme prefix is left intact.  A no-op for URLs
+    without credentials.
+    """
+    parts = urlsplit(url)
+    netloc = parts.netloc.rpartition("@")[2]
+    return urlunsplit(parts._replace(netloc=netloc))
+
+
 def build_lock_input_from_provider(
     provider: LockInputProvider,
     pins: Mapping[str, Version],
@@ -176,6 +219,8 @@ def build_lock_input_from_provider(
                 name=canonical,
                 version=str(version),
                 path=str(Path(local_source.path).resolve()),
+                editable=local_source.editable,
+                subdirectory=local_source.subdirectory,
             )
             continue
         vcs_source = provider.vcs_source_for(canonical)
@@ -252,7 +297,7 @@ def _index_pin_from_listing(
     return IndexPin(
         name=canonical,
         version=str(version),
-        index=index_url,
+        index=_strip_userinfo(index_url),
         sdist=sdist,
         wheels=wheels,
         requires_python=requires_python,
@@ -282,9 +327,27 @@ def _build_artifact(
         url=source.url,
         hashes=hashes,
         size=source.size,
+        upload_time=_parse_upload_time(source.upload_time),
+        local_path=source.local_path,
     )
 
 
+def _parse_upload_time(raw: str | None) -> datetime | None:
+    """Parse an index ``upload-time`` string to a ``datetime``.
+
+    Accepts the RFC 3339 form the Simple/JSON API serves (``Z`` or an
+    explicit offset).  Returns ``None`` when the field is absent or
+    unparseable; the timestamp is informational, so a bad value is
+    dropped rather than fatal.
+    """
+    if raw is None:
+        return None
+    try:
+        return datetime.fromisoformat(raw.replace("Z", "+00:00"))
+    except ValueError:
+        return None
+
+
 def _filter_acceptable_hashes(
     canonical: str, filename: str, hashes: tuple[tuple[str, str], ...]
 ) -> tuple[tuple[str, str], ...]:
@@ -336,22 +399,26 @@ def _vcs_pin_from_source(
     provider) over the URL's ``@<ref>``: annotated tags and floating
     refs only resolve to a commit after the clone runs.  Fall back to
     the URL ref when the source was never materialised.
+
+    ``requested_revision`` is the URL's ``@<ref>``, kept only when it
+    is a named ref that differs from ``commit_id`` (i.e. the user did
+    not pin the bare SHA).  An absent or unparseable ref leaves it
+    ``None``.
     """
     from nab_index.vcs import VcsCloneError, VcsRequest
 
     from ..lockfile import VcsPin
 
-    if resolved_sha is not None:
-        commit_id = resolved_sha
-    else:
-        try:
-            parsed = VcsRequest.parse(source.url)
-            commit_id = parsed.ref
-        except VcsCloneError:
-            commit_id = ""
+    try:
+        url_ref = VcsRequest.parse(source.url).ref
+    except VcsCloneError:
+        url_ref = ""
+    commit_id = resolved_sha if resolved_sha is not None else url_ref
+    requested_revision = url_ref if url_ref and url_ref != commit_id else None
     return VcsPin(
         name=canonical,
         version=str(version),
-        repo_url=source.url,
+        repo_url=_strip_userinfo(source.url),
         commit_id=commit_id,
+        requested_revision=requested_revision,
     )

nab_python/_lockfile/pylock.py

@@ -11,6 +11,7 @@ disjointness validation lives in
 
 from __future__ import annotations
 
+import os
 from collections import defaultdict
 from pathlib import Path
 from typing import TYPE_CHECKING, Any
@@ -32,7 +33,6 @@ from .._vendor.packaging.version import Version
 from .disjointness import validate_marker_disjointness
 
 if TYPE_CHECKING:
-    import os
     from collections.abc import Mapping, Sequence
 
     from ..lockfile import (
@@ -57,10 +57,16 @@ def write_lock(
     """Serialise ``lock_input`` to PEP 751 TOML text.
 
     Returns the TOML text.  When ``output_path`` is provided, also
-    writes it atomically; the caller chooses the path (PEP 751 does
-    not mandate one).
+    writes it there; the caller chooses the path (PEP 751 does not
+    mandate one).
+
+    Directory, wheel and sdist paths are written relative to
+    ``output_path``'s parent so the lockfile stays portable between
+    machines (PEP 751 records those paths relative to the lock file).
+    With no ``output_path`` the current directory is the base.
     """
-    pylock = build_pylock(lock_input)
+    lock_dir = Path(output_path).parent if output_path is not None else None
+    pylock = build_pylock(lock_input, lock_dir=lock_dir)
     pylock.validate()
     text = tomli_w.dumps(dict(pylock.to_dict()))
     if output_path is not None:
@@ -68,20 +74,28 @@ def write_lock(
     return text
 
 
-def build_pylock(lock_input: LockInput) -> Pylock:
+def build_pylock(lock_input: LockInput, *, lock_dir: Path | None = None) -> Pylock:
     """Build a :class:`Pylock` from the input shape.
 
     The resolver-side data structures have already been simplified
     when this function runs.  The remaining work is shape conversion:
     ``Pin`` -> ``Package``, plus marker attachment from the per-tuple
     map.
+
+    ``lock_dir`` is the directory the lockfile will be written to;
+    local-directory, wheel and sdist paths are emitted relative to it
+    so the lockfile is portable.  It defaults to the current working
+    directory when the caller has no path in mind (e.g. stdout).
     """
     from ..lockfile import LOCK_VERSION
 
+    base = (lock_dir if lock_dir is not None else Path.cwd()).resolve()
     if lock_input.per_tuple_pins:
-        package_records = _build_per_tuple_packages(lock_input)
+        package_records = _build_per_tuple_packages(lock_input, base)
     else:
-        package_records = [_pin_to_package(pin) for pin in lock_input.pins.values()]
+        package_records = [
+            _pin_to_package(pin, lock_dir=base) for pin in lock_input.pins.values()
+        ]
     package_records.sort(key=_package_sort_key)
     validate_marker_disjointness(
         package_records,
@@ -121,7 +135,29 @@ def build_pylock(lock_input: LockInput) -> Pylock:
     )
 
 
-def _pin_to_package(pin: PinShape, marker: Marker | None = None) -> Package:
+def _relativize_path(target: str | os.PathLike[str], lock_dir: Path) -> str:
+    """Return ``target`` as a POSIX path relative to ``lock_dir``.
+
+    PEP 751 records ``packages.directory.path`` and the wheel/sdist
+    ``path`` fields relative to the lock file so the lockfile stays
+    portable between machines.  :func:`os.path.relpath` is used
+    rather than :meth:`pathlib.Path.relative_to` so a ``target``
+    outside ``lock_dir`` still resolves, to a ``../``-prefixed path.
+    The result uses POSIX separators, which the spec recommends for
+    portable relative paths.
+
+    A Windows cross-drive ValueError falls back to the absolute path.
+    """
+    try:
+        rel = os.path.relpath(target, lock_dir)
+    except ValueError:
+        rel = os.fspath(target)
+    return Path(rel).as_posix()
+
+
+def _pin_to_package(
+    pin: PinShape, marker: Marker | None = None, *, lock_dir: Path
+) -> Package:
     from ..lockfile import IndexPin, LocalPin, VcsPin
 
     if isinstance(pin, IndexPin):
@@ -133,51 +169,92 @@ def _pin_to_package(pin: PinShape, marker: Marker | None = None) -> Package:
                 SpecifierSet(pin.requires_python) if pin.requires_python else None
             ),
             index=pin.index,
-            sdist=_sdist_to_package(pin.sdist) if pin.sdist else None,
-            wheels=tuple(_wheel_to_package(w) for w in pin.wheels) or None,
+            sdist=(
+                _sdist_to_package(pin.sdist, lock_dir=lock_dir) if pin.sdist else None
+            ),
+            wheels=tuple(_wheel_to_package(w, lock_dir=lock_dir) for w in pin.wheels)
+            or None,
         )
     if isinstance(pin, LocalPin):
+        # PEP 751: omit version for directory sources; it is not
+        # deterministic (the source tree may change at install time).
+        # The path is recorded relative to the lock file for portability.
         return Package(
             name=canonicalize_name(pin.name),
-            version=Version(pin.version),
+            version=None,
             marker=marker,
-            directory=PackageDirectory(path=pin.path, editable=False),
+            directory=PackageDirectory(
+                path=_relativize_path(pin.path, lock_dir),
+                editable=pin.editable,
+                subdirectory=pin.subdirectory,
+            ),
         )
     if isinstance(pin, VcsPin):
+        # PEP 751: omit version for VCS sources for the same reason.
         return Package(
             name=canonicalize_name(pin.name),
-            version=Version(pin.version),
+            version=None,
             marker=marker,
             vcs=PackageVcs(
                 type="git",
                 url=pin.repo_url,
                 commit_id=pin.commit_id,
                 subdirectory=pin.subdirectory,
+                requested_revision=pin.requested_revision,
             ),
         )
     msg = f"unknown pin shape: {pin!r}"
     raise TypeError(msg)
 
 
-def _wheel_to_package(wheel: WheelArtifact) -> PackageWheel:
+def _wheel_to_package(wheel: WheelArtifact, *, lock_dir: Path) -> PackageWheel:
+    """Convert a wheel artefact to its PEP 751 ``packages.wheels`` entry.
+
+    A wheel from a local find-links directory carries its on-disk
+    ``local_path``; it is written as a ``path`` relative to the lock
+    file so the lockfile stays portable.  A remote wheel records its
+    ``url`` verbatim.
+    """
+    if wheel.local_path is not None:
+        return PackageWheel(
+            name=wheel.filename,
+            path=_relativize_path(wheel.local_path.resolve(), lock_dir),
+            size=wheel.size,
+            hashes=dict(wheel.hashes),
+            upload_time=wheel.upload_time,
+        )
     return PackageWheel(
         name=wheel.filename,
         url=wheel.url,
         size=wheel.size,
         hashes=dict(wheel.hashes),
+        upload_time=wheel.upload_time,
     )
 
 
-def _sdist_to_package(sdist: SdistArtifact) -> PackageSdist:
+def _sdist_to_package(sdist: SdistArtifact, *, lock_dir: Path) -> PackageSdist:
+    """Convert an sdist artefact to its PEP 751 ``packages.sdist`` entry.
+
+    See :func:`_wheel_to_package` for the ``local_path`` handling.
+    """
+    if sdist.local_path is not None:
+        return PackageSdist(
+            name=sdist.filename,
+            path=_relativize_path(sdist.local_path.resolve(), lock_dir),
+            size=sdist.size,
+            hashes=dict(sdist.hashes),
+            upload_time=sdist.upload_time,
+        )
     return PackageSdist(
         name=sdist.filename,
         url=sdist.url,
         size=sdist.size,
         hashes=dict(sdist.hashes),
+        upload_time=sdist.upload_time,
     )
 
 
-def _build_per_tuple_packages(lock_input: LockInput) -> list[Package]:
+def _build_per_tuple_packages(lock_input: LockInput, lock_dir: Path) -> list[Package]:
     """Collapse per-tuple pins into Package entries with markers.
 
     For each canonical package name:
@@ -200,12 +277,14 @@ def _build_per_tuple_packages(lock_input: LockInput) -> list[Package]:
         groups = _group_pins_by_pin(per_tuple)
         for pins, tuple_labels in groups:
             marker = _build_marker(tuple_labels, lock_input.tuple_markers, total_tuples)
-            out.append(_pin_to_package(_merge_pins_in_group(pins), marker))
+            out.append(
+                _pin_to_package(_merge_pins_in_group(pins), marker, lock_dir=lock_dir)
+            )
     # Pins only present in lock_input.pins (e.g. tuples agreed via the
     # single-source path) emit unconditionally.
     for canonical_name, pin in lock_input.pins.items():
         if canonical_name not in by_name:
-            out.append(_pin_to_package(pin))
+            out.append(_pin_to_package(pin, lock_dir=lock_dir))
     return out
 
 
@@ -242,8 +321,18 @@ def _pin_discriminator(pin: PinShape) -> tuple:
     if isinstance(pin, IndexPin):
         return ("index", pin.version, pin.index)
     if isinstance(pin, LocalPin):
-        return ("local", pin.version, pin.path)
+        # editable and subdirectory change install behaviour, so two
+        # otherwise-identical local pins differing only here are distinct.
+        return (
+            "local",
+            pin.version,
+            pin.path,
+            pin.editable,
+            pin.subdirectory or "",
+        )
     if isinstance(pin, VcsPin):
+        # requested_revision is informational; it does not affect the
+        # checkout, so it is intentionally left out of the discriminator.
         return ("vcs", pin.commit_id, pin.repo_url, pin.subdirectory or "")
     msg = f"unknown pin shape: {pin!r}"
     raise TypeError(msg)

nab_python/_provider/metadata_resolver.py

@@ -430,7 +430,11 @@ def add_classified_dep(
     base_deps: dict[str, VersionRange],
     extra_deps_map: dict[str, dict[str, VersionRange]],
 ) -> None:
-    """Add a classified requirement to the appropriate dep set."""
+    """Add a classified requirement to the appropriate dep set.
+
+    A name appearing on several ``Requires-Dist`` lines is intersected
+    into one range.
+    """
     # Late import: ``pypi`` imports this module at module load.
     from ..provider import join_extra
 
@@ -439,12 +443,12 @@ def add_classified_dep(
     dep_extras: set[str] = req.extras
 
     if not req_extras:
-        base_deps[name] = vi
+        base_deps[name] = base_deps.get(name, VersionRange.full()) & vi
         for re in dep_extras:
             base_deps[join_extra(name, re)] = VersionRange.full()
     else:
         for extra_name in req_extras:
             edeps = extra_deps_map[extra_name]
-            edeps[name] = vi
+            edeps[name] = edeps.get(name, VersionRange.full()) & vi
             for re in dep_extras:
                 edeps[join_extra(name, re)] = VersionRange.full()

nab_python/_provider/sources.py

@@ -57,6 +57,8 @@ def materialize_local_source(
     or looser; raises :class:`UnsupportedSdistError` otherwise.
     """
     path = Path(source.path)
+    if source.subdirectory:
+        path = path / source.subdirectory
     metadata = extract_source_metadata(
         provider,
         path,
@@ -134,6 +136,7 @@ def seed_synthetic_listing(
             else None
         ),
         upload_time=None,
+        local_path=path,
     )
     version = metadata.version
     provider.metadata_cache[(normalized, version)] = metadata

nab_python/_testing/coordinator_fake.py

@@ -13,7 +13,8 @@ import threading
 from typing import TYPE_CHECKING
 from unittest.mock import MagicMock
 
-from nab_python.fetch import InMemoryIndex
+from nab_index.multi_index import IndexConfig
+from nab_python.fetch import DEFAULT_INDEX_NAME, DEFAULT_INDEX_URL, InMemoryIndex
 
 if TYPE_CHECKING:
     from collections.abc import Callable, Mapping, Sequence
@@ -207,7 +208,8 @@ def make_coordinator(  # noqa: PLR0913
     Call sites that need request side effects beyond what this helper
     wires up (for example ``request_sdist_archive``) can reassign
     ``.side_effect`` on the returned mock; the index is exposed at
-    ``coordinator.index`` for direct manipulation.
+    ``coordinator.index`` for direct manipulation.  ``coordinator.indexes``
+    defaults to the single default-PyPI :class:`IndexConfig` list.
     """
     index = InMemoryIndex()
     failures = fetch_failures if fetch_failures is not None else set()
@@ -223,6 +225,7 @@ def make_coordinator(  # noqa: PLR0913
 
     coordinator = MagicMock()
     coordinator.index = index
+    coordinator.indexes = [IndexConfig(DEFAULT_INDEX_NAME, DEFAULT_INDEX_URL)]
 
     resolve_metadata = _make_metadata_resolver(
         metadata_text=metadata_text,

nab_python/_vendor/packaging/PROVENANCE.md

@@ -9,8 +9,8 @@ from an in-flight pull request, vendored so nab can use the public
 - Upstream repository: https://github.com/pypa/packaging
 - Pull request: https://github.com/pypa/packaging/pull/1182
 - Source branch: `notatallshaw/packaging:public-pep440-version-range`
-- Pinned commit: `536a8a7ba0c552b4573522292d1ea63ccb4ad34c`
-- Snapshot date: 2026-05-03
+- Pinned commit: `82799d02ffec2815769d5889062e54686e7c6863`
+- Snapshot date: 2026-05-23
 
 The snapshot is the full `src/packaging/` tree at that commit, plus
 `LICENSE`, `LICENSE.APACHE`, and `LICENSE.BSD` from the repository