nab-python 0.0.2__py3-none-any.whl → 0.0.4__py3-none-any.whl

nab_python/_build/env.py

@@ -314,7 +314,7 @@ def _venv_python(venv_path: Path) -> Path:
     r"""Return the venv interpreter path (``Scripts\python.exe`` on Windows)."""
     if sys.platform == "win32":
         return venv_path / "Scripts" / "python.exe"  # pragma: no cover
-    return venv_path / "bin" / "python"
+    return venv_path / "bin" / "python"  # pragma: no cover
 
 
 def _venv_scheme_paths(python_executable: Path) -> dict[str, str]:

nab_python/_build/runner.py

@@ -34,11 +34,13 @@ import pyproject_hooks
 import tomli
 
 from .._vendor.packaging.requirements import Requirement
-from .._vendor.packaging.specifiers import SpecifierSet
+from .._vendor.packaging.specifiers import InvalidSpecifier, SpecifierSet
 from .._vendor.packaging.utils import canonicalize_name
 from .._vendor.packaging.version import InvalidVersion, Version
+from nab_resolver.resolver import ResolutionError
+
 from ..metadata import WheelMetadata
-from .env import NabBuildEnv
+from .env import BuildEnvError, NabBuildEnv
 from .errors import BuildBackendError
 
 if TYPE_CHECKING:
@@ -121,6 +123,9 @@ def run_build_backend(
     except build.BuildBackendException as exc:
         msg = f"build backend {backend!r} failed: {exc}"
         raise BuildBackendError(msg) from exc
+    except (BuildEnvError, ResolutionError) as exc:
+        msg = f"build env setup for {backend!r} failed: {exc}"
+        raise BuildBackendError(msg) from exc
 
 
 def _read_build_system(
@@ -228,7 +233,13 @@ def _parse_metadata(metadata_path: Path) -> WheelMetadata:
         raise BuildBackendError(msg) from exc
 
     requires_python_raw = msg_obj.get("Requires-Python")
-    requires_python = SpecifierSet(requires_python_raw) if requires_python_raw else None
+    try:
+        requires_python = (
+            SpecifierSet(requires_python_raw) if requires_python_raw else None
+        )
+    except InvalidSpecifier as exc:
+        msg = f"backend METADATA has invalid Requires-Python {requires_python_raw!r}: {exc}"
+        raise BuildBackendError(msg) from exc
 
     requires_dist: list[Requirement] = []
     for raw in msg_obj.get_all("Requires-Dist") or ():

nab_python/_conflict_kind.py

@@ -0,0 +1,20 @@
+"""Conflict-kind constants and PEP 508 marker-variable mapping.
+
+A leaf module that :mod:`nab_python.config`, :mod:`nab_python.universal.matrix`,
+and :mod:`nab_python._lockfile.disjointness` can import without forming a
+cycle.  :class:`nab_python.config.ConflictKind` takes its enum values from
+``KIND_EXTRA`` / ``KIND_GROUP`` so a rename here flows to every consumer.
+"""
+
+from __future__ import annotations
+
+KIND_EXTRA = "extra"
+KIND_GROUP = "group"
+
+# Membership of a conflict-fork member emits ``'name' in <variable>`` on
+# the per-package marker; this mapping is the (kind -> variable) contract
+# the universal matrix and the disjointness validator share.
+MARKER_VARIABLE_FOR_KIND = {
+    KIND_EXTRA: "extras",
+    KIND_GROUP: "dependency_groups",
+}

nab_python/_lockfile/builder.py

@@ -9,14 +9,18 @@ be read directly without a second fetch.  This module also owns the
 
 from __future__ import annotations
 
+from collections import defaultdict
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import TYPE_CHECKING, Protocol, overload
+from urllib.parse import urlsplit, urlunsplit
 
 import tomli
 
 from nab_index.client import SdistFile, WheelFile
 
+from .._toml import tool_nab_section
+from .._vendor.packaging.pylock import Pylock, PylockValidationError
 from .._vendor.packaging.utils import canonicalize_name
 
 if TYPE_CHECKING:
@@ -38,8 +42,11 @@ if TYPE_CHECKING:
 
 __all__ = [
     "MissingHashError",
+    "MissingSdistError",
+    "MissingVcsCommitError",
     "build_lock_input_from_provider",
     "read_lockfile_anchor",
+    "read_lockfile_packages",
 ]
 
 
@@ -68,6 +75,12 @@ class LockInputProvider(Protocol):
     may supply a stub without inheriting the full Provider class.
     """
 
+    deps_cache: Mapping[tuple[str, Version], Mapping[str, object]]
+    """Direct dependencies per ``(canonical name, version)``."""
+
+    extra_deps_map: Mapping[tuple[str, Version], Mapping[str, Mapping[str, object]]]
+    """Per-extra dependencies per ``(canonical name, version)``."""
+
     @property
     def coordinator(self) -> _LockInputCoordinator:
         """Coordinator used to look up the index that served a listing."""
@@ -108,6 +121,30 @@ class MissingHashError(ValueError):
     """
 
 
+class MissingSdistError(ValueError):
+    """A ``sdist-install`` package's pinned version has no sdist.
+
+    Under :attr:`~nab_python.provider.DistPolicy.SDIST_INSTALL` the
+    resolver may read a wheel's metadata but the lock must pin only the
+    sdist.  When the pinned version publishes wheels but no sdist, the
+    wheels are dropped and nothing is left to pin.  Surface the package
+    and version so the user can pick a version with an sdist or relax
+    the policy, rather than emitting an empty package the spec rejects.
+    """
+
+
+class MissingVcsCommitError(ValueError):
+    """A VCS source reached the lock writer without a resolved commit SHA.
+
+    PEP 751 requires ``packages.vcs.commit-id`` to be an immutable
+    identifier.  nab records the post-clone SHA on the provider during
+    materialisation, before any version can be pinned, so a missing SHA
+    here means a VCS source was pinned without being cloned.  Surface it
+    loudly rather than emit a branch name or empty string as the commit
+    id, which would silently produce a non-reproducible lock.
+    """
+
+
 def read_lockfile_anchor(path: Path) -> datetime | None:
     """Return the ``[tool.nab].created-at`` timestamp from ``path`` if any.
 
@@ -128,19 +165,60 @@ def read_lockfile_anchor(path: Path) -> datetime | None:
             data = tomli.load(f)
     except (OSError, tomli.TOMLDecodeError):
         return None
-    raw = data.get("tool", {}).get("nab", {}).get("created-at")
+    nab = tool_nab_section(data)
+    raw = nab.get("created-at") if isinstance(nab, dict) else None
     if isinstance(raw, datetime):
         return raw if raw.tzinfo else raw.replace(tzinfo=timezone.utc)
     if isinstance(raw, str):
+        # Python 3.10's fromisoformat rejects a trailing 'Z'; 3.11+ accept it.
+        iso = raw[:-1] + "+00:00" if raw.endswith("Z") else raw
         try:
-            dt = datetime.fromisoformat(raw)
+            dt = datetime.fromisoformat(iso)
         except ValueError:
             return None
         return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
     return None
 
 
-def build_lock_input_from_provider(
+def read_lockfile_packages(path: Path) -> dict[str, Version] | None:
+    """Return the ``name -> version`` map from a prior pylock at ``path``.
+
+    Used by ``nab lock`` to diff a re-lock against the previous result.
+    Packages without a recorded version (direct-reference entries that
+    omit it) are skipped.
+
+    Returns ``None`` when ``path`` does not exist, is not valid TOML,
+    or is not a spec-compliant PEP 751 lockfile; the caller falls back
+    to a no-diff summary line.
+    """
+    if not path.is_file():
+        return None
+    try:
+        with path.open("rb") as f:
+            data = tomli.load(f)
+        pylock = Pylock.from_dict(data)
+    except (OSError, tomli.TOMLDecodeError, PylockValidationError):
+        return None
+    return {
+        str(pkg.name): pkg.version for pkg in pylock.packages if pkg.version is not None
+    }
+
+
+def _strip_userinfo(url: str) -> str:
+    """Return ``url`` with any ``user:password@`` userinfo removed.
+
+    Lockfiles are committed to version control, so an index or VCS
+    URL carrying embedded credentials must not be written verbatim.
+    Only the userinfo is dropped: host case and port are preserved
+    and a ``git+`` scheme prefix is left intact.  A no-op for URLs
+    without credentials.
+    """
+    parts = urlsplit(url)
+    netloc = parts.netloc.rpartition("@")[2]
+    return urlunsplit(parts._replace(netloc=netloc))
+
+
+def build_lock_input_from_provider(  # noqa: PLR0913 - each flag maps to a distinct lockfile field
     provider: LockInputProvider,
     pins: Mapping[str, Version],
     *,
@@ -150,6 +228,7 @@ def build_lock_input_from_provider(
     default_groups: Sequence[str] = (),
     created_by: str = "nab",
     indexes: Sequence[IndexConfig] = (),
+    resolved_keys: Iterable[str] = (),
 ) -> LockInput:
     """Build a :class:`LockInput` from a finished resolve.
 
@@ -162,6 +241,10 @@ def build_lock_input_from_provider(
     were folded into this resolve; ``default_groups`` is the subset
     that a default install (no ``--group`` flag) should apply.
 
+    ``resolved_keys`` is the full set of resolver result keys, including
+    ``name[extra]`` proxies; it is read to find which extras activated
+    so their edges join the forward dependency graph.
+
     All wheels and the sdist for each pinned version are recorded so
     the lockfile is portable across architectures of the same Python.
     """
@@ -176,6 +259,8 @@ def build_lock_input_from_provider(
                 name=canonical,
                 version=str(version),
                 path=str(Path(local_source.path).resolve()),
+                editable=local_source.editable,
+                subdirectory=local_source.subdirectory,
             )
             continue
         vcs_source = provider.vcs_source_for(canonical)
@@ -197,9 +282,53 @@ def build_lock_input_from_provider(
         extras=tuple(extras),
         dependency_groups=tuple(dependency_groups),
         default_groups=tuple(default_groups),
+        dependencies=_forward_dependency_graph(provider, pins, resolved_keys),
     )
 
 
+def _forward_dependency_graph(
+    provider: LockInputProvider,
+    pins: Mapping[str, Version],
+    resolved_keys: Iterable[str],
+) -> dict[str, tuple[str, ...]]:
+    """Build the forward dependency graph among the locked packages.
+
+    Each pinned package maps to the canonical names of its direct
+    dependencies that are themselves pinned.  Base dependencies come
+    from ``deps_cache``; an activated extra (a ``name[extra]`` key in
+    ``resolved_keys``) folds that extra's dependencies in too.  Names
+    not in ``pins`` are dropped so every edge points at a real
+    ``[[packages]]`` entry.
+    """
+    from ..provider import split_extra
+
+    activated_extras: defaultdict[str, set[str]] = defaultdict(set)
+    for key in resolved_keys:
+        base, extra = split_extra(key)
+        if extra is not None:
+            activated_extras[canonicalize_name(base)].add(extra)
+
+    pinned = {canonicalize_name(name) for name in pins}
+    graph: dict[str, tuple[str, ...]] = {}
+    for raw_name, version in pins.items():
+        canonical = canonicalize_name(raw_name)
+        cache_key = (canonical, version)
+        dep_names = {
+            canonicalize_name(split_extra(dep)[0])
+            for dep in provider.deps_cache.get(cache_key, {})
+        }
+        extra_map = provider.extra_deps_map.get(cache_key, {})
+        for extra in activated_extras.get(canonical, ()):
+            dep_names.update(
+                canonicalize_name(split_extra(dep)[0])
+                for dep in extra_map.get(extra, {})
+            )
+        dep_names &= pinned
+        if dep_names:
+            graph[canonical] = tuple(sorted(dep_names))
+    return graph
+
+
 def _index_pin_from_listing(
     provider: LockInputProvider,
     canonical: str,
@@ -212,8 +341,8 @@ def _index_pin_from_listing(
     served the package's listing during the resolve, looked up from
     the coordinator's :class:`InMemoryIndex` (which records the
     serving index by name) and resolved against ``indexes`` for the
-    URL.  When ``indexes`` is empty or the route is unknown the URL
-    falls back to the default Simple-API root.
+    URL.  A pinned package's serving index is always recorded and is
+    one of ``indexes``, so the URL is always known.
 
     Under :attr:`~nab_python.provider.DistPolicy.SDIST_INSTALL` the
     package's wheels stayed in ``versions_cache`` as a possible
@@ -227,6 +356,13 @@ def _index_pin_from_listing(
     files = list(provider.dist_files_for(canonical, version))
     if provider.effective_dist_policy(canonical) is DistPolicy.SDIST_INSTALL:
         files = [f for f in files if not isinstance(f, WheelFile)]
+        if not any(isinstance(f, SdistFile) for f in files):
+            msg = (
+                f"{canonical}=={version} has no sdist, but its dist-policy is "
+                f"'sdist-install'; pick a version that publishes an sdist or "
+                f"change dist-policy for {canonical}"
+            )
+            raise MissingSdistError(msg)
 
     wheels = tuple(
         _build_artifact(canonical, f, WheelArtifact)
@@ -242,17 +378,22 @@ def _index_pin_from_listing(
     requires_python = _common_requires_python(files)
     serving_name = provider.coordinator.index.get_listing_index(canonical)
     by_name = {ix.name: ix.url for ix in indexes}
-
-    if serving_name is not None and serving_name in by_name:
-        index_url = by_name[serving_name]
-    elif indexes:
-        index_url = indexes[0].url
-    else:
+    index_url = by_name.get(serving_name) if serving_name is not None else None
+    if index_url is None:
+        if by_name:
+            # Can't happen for a real pin (the serving index is always
+            # recorded and configured); raise, don't guess.
+            msg = (
+                f"{canonical}: recorded serving index {serving_name!r} is "
+                "not one of the configured indexes"
+            )
+            raise AssertionError(msg)
+        # No indexes configured (unit tests only); use the default root.
         index_url = DEFAULT_INDEX_URL
     return IndexPin(
         name=canonical,
         version=str(version),
-        index=index_url,
+        index=_strip_userinfo(index_url),
         sdist=sdist,
         wheels=wheels,
         requires_python=requires_python,
@@ -282,9 +423,31 @@ def _build_artifact(
         url=source.url,
         hashes=hashes,
         size=source.size,
+        upload_time=_parse_upload_time(source.upload_time),
+        local_path=source.local_path,
     )
 
 
+def _parse_upload_time(raw: str | None) -> datetime | None:
+    """Parse an index ``upload-time`` string to a UTC ``datetime``.
+
+    Accepts the RFC 3339 form the Simple/JSON API serves (``Z`` or an
+    explicit offset) and normalizes it to UTC (PEP 751 requires UTC for
+    the emitted field). Returns ``None`` when the field is absent,
+    unparseable, or has no timezone; the timestamp is informational, so
+    a bad value is dropped rather than fatal.
+    """
+    if raw is None:
+        return None
+    try:
+        parsed = datetime.fromisoformat(raw.replace("Z", "+00:00"))
+    except ValueError:
+        return None
+    if parsed.tzinfo is None:
+        return None
+    return parsed.astimezone(timezone.utc)
+
+
 def _filter_acceptable_hashes(
     canonical: str, filename: str, hashes: tuple[tuple[str, str], ...]
 ) -> tuple[tuple[str, str], ...]:
@@ -332,26 +495,58 @@ def _vcs_pin_from_source(
 ) -> VcsPin:
     """Build a :class:`VcsPin` from a :class:`VcsSource`.
 
-    Prefer ``resolved_sha`` (the post-clone SHA recorded on the
-    provider) over the URL's ``@<ref>``: annotated tags and floating
-    refs only resolve to a commit after the clone runs.  Fall back to
-    the URL ref when the source was never materialised.
+    ``resolved_sha`` is the post-clone SHA recorded on the provider by
+    :func:`~nab_python._provider.sources.materialize_vcs_source`.  A VCS
+    source cannot be pinned without first being materialised, so a
+    ``None`` here is an internal invariant violation: raise
+    :class:`MissingVcsCommitError` rather than emit a branch name or
+    empty string as ``commit_id``.
+
+    ``requested_revision`` is the URL's ``@<ref>``, kept only when it
+    is a named ref that differs from ``commit_id`` (i.e. the user did
+    not pin the bare SHA).  ``subdirectory`` carries the
+    ``#subdirectory=`` fragment so an installer can locate the project
+    inside the repo.
+
+    ``bare_repo_url`` comes from ``parsed.repo_url``, which
+    :meth:`VcsRequest.parse` has already separated from the ref and the
+    fragment.  ``repo_url`` re-pins that bare URL to ``commit_id`` (the
+    ``git+`` prefix, ``@<sha>``, and any ``#subdirectory=`` fragment) so
+    the requirements.txt line installs the locked commit, not the ref
+    the user supplied.
     """
-    from nab_index.vcs import VcsCloneError, VcsRequest
+    from nab_index.vcs import VcsRequest
 
     from ..lockfile import VcsPin
 
-    if resolved_sha is not None:
-        commit_id = resolved_sha
-    else:
-        try:
-            parsed = VcsRequest.parse(source.url)
-            commit_id = parsed.ref
-        except VcsCloneError:
-            commit_id = ""
+    if resolved_sha is None:
+        msg = (
+            f"{canonical}: VCS source pinned without a resolved commit SHA;"
+            " materialize_vcs_source records the post-clone SHA before any"
+            " version can be pinned, so this is an internal invariant"
+            " violation"
+        )
+        raise MissingVcsCommitError(msg)
+    parsed = VcsRequest.parse(source.url)
+    # Keep the named ref only when it differs from the SHA (tag or branch case).
+    requested_revision = (
+        parsed.ref if parsed.ref and parsed.ref != resolved_sha else None
+    )
+
+    # Compose a pinned installable URL from the parsed pieces, not from source.url,
+    # so credentials are stripped and the sha replaces any floating ref.
+    bare_repo_url = _strip_userinfo(parsed.repo_url)
+    repo_url = f"{parsed.scheme}+{bare_repo_url}@{resolved_sha}"
+    if parsed.subdirectory:
+        repo_url += f"#subdirectory={parsed.subdirectory}"
+
     return VcsPin(
         name=canonical,
         version=str(version),
-        repo_url=source.url,
-        commit_id=commit_id,
+        repo_url=repo_url,
+        bare_repo_url=bare_repo_url,
+        commit_id=resolved_sha,
+        subdirectory=parsed.subdirectory or None,
+        requested_revision=requested_revision,
+        vcs_type=parsed.scheme,
     )