nemesis-eval 0.2.0__tar.gz

nemesis_eval-0.2.0/.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# Code owners for nemesis-eval.
+# These owners are automatically requested for review on any pull request.
+# Combined with branch protection (require review from Code Owners), this
+# ensures no change reaches main without the maintainer's review.
+
+*       @LueBangs-coder

nemesis_eval-0.2.0/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,45 @@
+name: Bug report
+description: Report a problem with Nemesis (a false detection, a crash, wrong output).
+title: "[Bug]: "
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug. Please fill out the sections below so it can be reproduced.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear description of the bug, including any error output.
+      placeholder: Tell us what you saw...
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: What did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      description: The exact command(s) you ran, e.g. `nemesis check --repo . --claimed-success`.
+      render: shell
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Nemesis version
+      description: From `pip show nemesis-eval` (Version), or the release tag / commit SHA.
+    validations:
+      required: false
+  - type: input
+    id: python
+    attributes:
+      label: Python version
+      placeholder: "3.13.6"
+    validations:
+      required: false

nemesis_eval-0.2.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/LueBangs-coder/nemesis-eval/blob/main/SECURITY.md
+    about: Please report security issues privately by following the security policy, not as a public issue.

nemesis_eval-0.2.0/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,28 @@
+name: Feature request
+description: Suggest a new detector, capability, or improvement.
+title: "[Feature]: "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        New detectors should trace back to a real, observed agent failure mode. The more concrete the example, the better.
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem would this solve?
+      description: Is this related to a real agent failure you've observed? Describe it.
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+    validations:
+      required: false

nemesis_eval-0.2.0/.github/dependabot.yml

@@ -0,0 +1,22 @@
+version: 2
+updates:
+  # Keep GitHub Actions (workflows + the composite action.yml) up to date.
+  # Dependabot bumps the pinned commit SHAs and keeps the # vX version comment.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci"
+    groups:
+      actions:
+        patterns:
+          - "*"
+
+  # Keep Python dependencies (pyproject.toml) up to date.
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"

nemesis_eval-0.2.0/.github/pull_request_template.md

@@ -0,0 +1,23 @@
+## Summary
+
+<!-- What does this PR change, and why? -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New detector / feature
+- [ ] Documentation
+- [ ] CI / tooling
+- [ ] Refactor (no behavior change)
+
+## Checklist
+
+- [ ] `pytest` passes locally
+- [ ] `pre-commit run --all-files` passes (ruff + black)
+- [ ] New or changed behavior is covered by tests
+- [ ] Docs / README / CHANGELOG updated if needed
+- [ ] Any new detector traces back to a real failure mode in `data/failure_modes.yaml`
+
+## Related issues
+
+<!-- e.g. Closes #123 -->

nemesis_eval-0.2.0/.github/workflows/ci.yml

@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install the package with dev dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run the test suite
+        run: pytest -q
+
+      - name: Run linters and formatters
+        run: pre-commit run --all-files

nemesis_eval-0.2.0/.github/workflows/codeql.yml

@@ -0,0 +1,35 @@
+name: CodeQL
+
+# Static analysis (security + quality) for the Python codebase. Results appear
+# under the repository's Security -> Code scanning alerts.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "27 4 * * 1" # weekly, Monday 04:27 UTC
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (python)
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # upload CodeQL results
+      contents: read
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        with:
+          languages: python
+          queries: security-and-quality
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

nemesis_eval-0.2.0/.github/workflows/dependency-review.yml

@@ -0,0 +1,23 @@
+name: Dependency review
+
+# Fails a pull request that introduces a dependency with a known vulnerability
+# or an incompatible license. Runs on the diff only — fast and PR-scoped.
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Review dependency changes
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4
+        with:
+          fail-on-severity: moderate

nemesis_eval-0.2.0/.github/workflows/nemesis-check.yml

@@ -0,0 +1,26 @@
+name: Nemesis self-check
+
+# Dogfooding: run the Nemesis action against this repository on every change.
+# It also serves as the integration test for action.yml itself.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  nemesis:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Run Nemesis against this repo
+        uses: ./
+        with:
+          repo: "."
+          fail-on-detect: "true"

nemesis_eval-0.2.0/.github/workflows/release-testpypi.yml

@@ -0,0 +1,73 @@
+name: Rehearse release on TestPyPI
+
+# A dry run of the real release against TestPyPI, so the production publish is
+# never the first time the pipeline runs. Triggers on a pre-release (e.g. a
+# tag like v0.2.0rc1 published as a GitHub pre-release) or manually.
+#
+# Same security model as release.yml: Trusted Publishing (OIDC), no token, no
+# secret. Configure a TestPyPI trusted publisher (test.pypi.org -> Publishing)
+# pointing at:
+#   owner: LueBangs-coder   repo: nemesis-eval
+#   workflow: release-testpypi.yml   environment: testpypi
+
+on:
+  release:
+    types: [prereleased]
+  workflow_dispatch:
+
+concurrency:
+  group: release-testpypi-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build & verify distributions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.x"
+
+      - name: Build sdist and wheel
+        run: |
+          python -m pip install --upgrade pip build twine
+          python -m build
+
+      - name: Verify metadata renders
+        run: python -m twine check dist/*
+
+      - name: Upload distributions as a build artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: dist
+          path: dist/
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/nemesis-eval
+    permissions:
+      id-token: write # OIDC token for Trusted Publishing — the only elevated grant.
+    steps:
+      - name: Download the built distributions
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to TestPyPI via Trusted Publishing
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          # TestPyPI keeps old versions; don't fail a rehearsal on a re-run.
+          skip-existing: true

nemesis_eval-0.2.0/.github/workflows/release.yml

@@ -0,0 +1,84 @@
+name: Release to PyPI
+
+# Publishes nemesis-eval to PyPI when a GitHub Release is published.
+#
+# Security model: PyPI Trusted Publishing (OIDC). There is NO API token and
+# NO secret stored in this repository. The publish job mints a short-lived
+# identity for a single run via OpenID Connect. Configure the trusted
+# publisher once on PyPI (Your account -> Publishing) pointing at:
+#   owner: LueBangs-coder   repo: nemesis-eval
+#   workflow: release.yml    environment: pypi
+
+on:
+  release:
+    types: [published]
+
+# Never run two publishes for the same ref at once.
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build & verify distributions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.x"
+
+      - name: Build sdist and wheel
+        run: |
+          python -m pip install --upgrade pip build twine
+          python -m build
+
+      - name: Verify metadata renders on PyPI
+        run: python -m twine check dist/*
+
+      - name: Confirm the build version matches the release tag
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          set -euo pipefail
+          wheel="$(ls dist/*.whl)"
+          # nemesis_eval-0.2.0-py3-none-any.whl -> 0.2.0
+          build_version="$(basename "$wheel" | cut -d- -f2)"
+          tag_version="${RELEASE_TAG#v}"
+          echo "build=$build_version tag=$tag_version"
+          if [ "$build_version" != "$tag_version" ]; then
+            echo "::error::Release tag ($tag_version) does not match built version ($build_version)."
+            exit 1
+          fi
+
+      - name: Upload distributions as a build artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    # The trusted publisher on PyPI is bound to this environment name.
+    environment:
+      name: pypi
+      url: https://pypi.org/p/nemesis-eval
+    permissions:
+      id-token: write # OIDC token for Trusted Publishing — the only elevated grant.
+    steps:
+      - name: Download the built distributions
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI via Trusted Publishing
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1

nemesis_eval-0.2.0/.github/workflows/scorecard.yml

@@ -0,0 +1,47 @@
+name: OpenSSF Scorecard
+
+# Scores the repository's security posture (branch protection, pinned deps,
+# token permissions, etc.) and uploads results to Security -> Code scanning.
+# Enables the public Scorecard badge.
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "23 5 * * 1" # weekly, Monday 05:23 UTC
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # upload the SARIF results
+      id-token: write # publish results for the public badge
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code scanning
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        with:
+          sarif_file: results.sarif

nemesis_eval-0.2.0/.gitignore

@@ -0,0 +1,39 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Distribution / packaging
+build/
+dist/
+*.egg-info/
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+env/
+ENV/
+
+# Test / coverage artifacts
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# Editor / IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS metadata
+.DS_Store
+Thumbs.db
+desktop.ini
+
+# Claude Code per-project state (local-only)
+.claude/
+
+# Internal operational log — local-only, not part of the public product
+WORKLOG.md

nemesis_eval-0.2.0/.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.6.9
+    hooks:
+      - id: ruff
+        args: [--fix]
+
+  - repo: https://github.com/psf/black
+    rev: 24.10.0
+    hooks:
+      - id: black

nemesis_eval-0.2.0/AGENTS.md

@@ -0,0 +1,48 @@
+# AGENTS.md — Nemesis
+
+Operating contract for Codex (and any Codex-family coding agent) working in the Nemesis repo.
+
+**Project:** Nemesis — Python evaluation harness for agentic failure modes.
+**Reference spec:** `BUILD_SPEC.md`.
+**Parent project:** Pantheon (private operating context).
+
+---
+
+## Canonical doctrine
+
+The full doctrine, operating rules, stop conditions, and current-phase definition live in `CLAUDE.md`. **That file is the single source of truth for how any agent operates in this repo.** Codex must apply the same doctrine as Claude Code — no agent gets a softer contract.
+
+Read `CLAUDE.md` end to end before doing anything in this repo. Then read `BUILD_SPEC.md`.
+
+This file (`AGENTS.md`) exists because Codex looks for it by convention. Its job is to point Codex at `CLAUDE.md` and add the Codex-specific notes that don't apply to Claude Code.
+
+---
+
+## Why this file exists at all
+
+Pantheon doctrine, failure mode 14 — *missing root doctrine updates* — and failure mode 20 — *workflow drift across tools* — both reduce to the same root cause: agents on shared substrate operating from different rule sets.
+
+The fix is centralized doctrine in shared root files. `CLAUDE.md` and `AGENTS.md` are pair-files. They cannot drift.
+
+If either file changes, the other must be updated in the same commit, or the change is incomplete.
+
+---
+
+## Codex-specific notes
+
+These supplement `CLAUDE.md`. They do not override it.
+
+- **Codex's tool surface differs from Claude Code's.** Claude Code's `Bash`/`PreToolUse` hook layer is where Terminus enforces boundaries. Codex's sandbox and tool-call surface are where Ananke does the equivalent work. The guardian model is the same; the implementation path is not.
+- **Codex sandbox sessions are ephemeral by default.** State that should persist across sessions must be written to the repo, not to the Codex session. This is the operational shape of failure mode 5 (*old session folders leaking files*) — fix is the same as for Claude Code: explicit archive or cleanup before phase closeout.
+- **Codex's commit behavior:** all commits authored by Codex must be reviewed against the canonical checkout before declaring success. Codex's session report alone is not proof. See `CLAUDE.md` operating rule 7.
+- **Identity stamping (Pantheon's `argus-identity-migration`):** when work moves from Codex to Claude Code or vice versa, the handoff prompt must include: branch, HEAD, upstream parity, worktree status, and a brief stake-in-the-ground description of what is and is not done. Anything weaker is an incomplete handoff and violates failure mode 11.
+
+---
+
+## When Codex finishes a phase
+
+Same closeout as Claude Code (`CLAUDE.md` "When the phase passes"). The phase closes in `CLAUDE.md` *and* in this file. Identity stamping is mandatory on phase boundaries.
+
+---
+
+*Built in the Pantheon's shadow.*