nono-py 0.1.0__tar.gz

nono_py-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,145 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+  PYTHON_VERSION: "3.12"
+
+jobs:
+  lint-rust:
+    name: Lint Rust
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Checkout nono library
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: always-further/nono
+          path: nono
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+
+      - name: Check formatting
+        run: cargo fmt --check
+
+      - name: Run clippy
+        run: cargo clippy -- -D warnings
+
+  lint-python:
+    name: Lint Python
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install ruff
+        run: pip install ruff
+
+      - name: Check formatting
+        run: ruff format --check python/ tests/
+
+      - name: Run linter
+        run: ruff check python/ tests/
+
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Checkout nono library
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: always-further/nono
+          path: nono
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+
+      - name: Create virtual environment
+        run: python -m venv .venv
+
+      - name: Install maturin and pytest
+        run: |
+          source .venv/bin/activate
+          pip install maturin pytest
+
+      - name: Build and install
+        run: |
+          source .venv/bin/activate
+          maturin develop
+
+      - name: Run tests
+        run: |
+          source .venv/bin/activate
+          pytest tests/ -v
+
+  typecheck:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Checkout nono library
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: always-further/nono
+          path: nono
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+
+      - name: Create virtual environment
+        run: python -m venv .venv
+
+      - name: Install dependencies
+        run: |
+          source .venv/bin/activate
+          pip install maturin mypy
+
+      - name: Build package
+        run: |
+          source .venv/bin/activate
+          maturin develop
+
+      - name: Run mypy
+        run: |
+          source .venv/bin/activate
+          mypy python/nono_py --ignore-missing-imports

nono_py-0.1.0/.github/workflows/docs-dispatch.yml

@@ -0,0 +1,19 @@
+name: Trigger Docs Rebuild
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger docs repo rebuild
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ secrets.DOCS_PAT }}
+          repository: always-further/nono-docs
+          event-type: docs-update
+          client-payload: '{"repo": "${{ github.repository }}", "sha": "${{ github.sha }}"}'

nono_py-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,170 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      publish_target:
+        description: 'Publish target'
+        required: true
+        default: 'testpypi'
+        type: choice
+        options:
+          - testpypi
+          - pypi
+
+permissions:
+  contents: read
+
+jobs:
+  build-sdist:
+    name: Build source distribution
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Checkout nono library
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: always-further/nono
+          path: nono
+
+      - name: Fix nono path for CI
+        run: sed -i 's|path = "../nono/crates/nono"|path = "nono/crates/nono"|' Cargo.toml
+
+      - name: Build sdist
+        uses: PyO3/maturin-action@b1bd829e37fef14c63f19162034228a2f3dc1021 # v1.50.0
+        with:
+          command: sdist
+          args: --out dist
+
+      - name: Upload sdist
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: dist-sdist
+          path: dist/*.tar.gz
+
+  build-wheels-linux:
+    name: Build wheels (Linux ${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            arch: x86_64
+            target: x86_64
+          - runner: ubuntu-24.04-arm
+            arch: aarch64
+            target: aarch64
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Checkout nono library
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: always-further/nono
+          path: nono
+
+      - name: Fix nono path for CI
+        run: sed -i 's|path = "../nono/crates/nono"|path = "nono/crates/nono"|' Cargo.toml
+
+      - name: Build wheels
+        uses: PyO3/maturin-action@b1bd829e37fef14c63f19162034228a2f3dc1021 # v1.50.0
+        with:
+          target: ${{ matrix.target }}
+          args: --release --out dist -i python3.9 python3.10 python3.11 python3.12 python3.13
+          manylinux: auto
+          before-script-linux: |
+            if command -v dnf &> /dev/null; then
+              dnf install -y dbus-devel pkgconfig
+            elif command -v yum &> /dev/null; then
+              yum install -y dbus-devel pkgconfig
+            fi
+
+      - name: Upload wheels
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: dist-linux-${{ matrix.arch }}
+          path: dist/*.whl
+
+  build-wheels-macos:
+    name: Build wheels (macOS ${{ matrix.target }})
+    runs-on: macos-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [x86_64-apple-darwin, aarch64-apple-darwin]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Checkout nono library
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: always-further/nono
+          path: nono
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.12'
+
+      - name: Fix nono path for CI
+        run: sed -i '' 's|path = "../nono/crates/nono"|path = "nono/crates/nono"|' Cargo.toml
+
+      - name: Build wheels
+        uses: PyO3/maturin-action@b1bd829e37fef14c63f19162034228a2f3dc1021 # v1.50.0
+        with:
+          target: ${{ matrix.target }}
+          args: --release --out dist -i python3.12
+
+      - name: Upload wheels
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: dist-macos-${{ matrix.target }}
+          path: dist/*.whl
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    needs: [build-sdist, build-wheels-linux, build-wheels-macos]
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.publish_target == 'testpypi'
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/nono-py
+    permissions:
+      id-token: write
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          pattern: dist-*
+          path: dist
+          merge-multiple: true
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs: [build-sdist, build-wheels-linux, build-wheels-macos]
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_target == 'pypi')
+    environment:
+      name: pypi
+      url: https://pypi.org/p/nono-py
+    permissions:
+      id-token: write
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          pattern: dist-*
+          path: dist
+          merge-multiple: true
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1

nono_py-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,28 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  create-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Extract version from tag
+        id: version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+        with:
+          name: Release v${{ steps.version.outputs.VERSION }}
+          draft: false
+          prerelease: ${{ contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
+          generate_release_notes: true

nono_py-0.1.0/.gitignore

@@ -0,0 +1,38 @@
+# Python-generated files
+__pycache__/
+*.py[oc]
+build/
+dist/
+wheels/
+*.egg-info/
+
+# Virtual environments
+.venv/
+
+# Rust/Cargo artifacts
+target/
+Cargo.lock
+
+# Maturin artifacts
+*.so
+*.dylib
+*.pyd
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# Type checking
+.mypy_cache/
+
+# Linting
+.ruff_cache/

nono_py-0.1.0/.python-version

@@ -0,0 +1 @@
+3.12

nono_py-0.1.0/CLAUDE.md

@@ -0,0 +1,67 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## What This Is
+
+nono-py provides Python bindings for the [nono](https://github.com/always-further/nono) Rust capability-based sandboxing library. It uses PyO3/maturin to expose Rust code to Python, supporting Landlock (Linux) and Seatbelt (macOS).
+
+## Build & Development Commands
+
+```bash
+uv sync                          # Install all dependencies (creates venv automatically)
+uv run maturin develop           # Build native module (debug mode)
+uv run maturin develop --release # Build native module (release mode)
+```
+
+## Testing
+
+```bash
+uv run pytest tests/ -v                        # All tests
+uv run pytest tests/test_capability_set.py -v   # Single file
+uv run pytest tests/test_query.py::TestQueryContextPathQueries -v  # Single class
+```
+
+## Linting & Formatting
+
+```bash
+cargo fmt                                    # Format Rust
+cargo clippy -- -D warnings                  # Lint Rust
+uv run ruff format python/ tests/            # Format Python
+uv run ruff check --fix python/ tests/       # Lint Python (autofix)
+uv run mypy python/nono_py                   # Type check (strict mode)
+```
+
+`make ci` runs the full suite: fmt-check, lint, test.
+
+## Architecture
+
+### Binding Layer
+
+`src/lib.rs` is the single Rust source file. It wraps the `nono` crate's types using PyO3 `#[pyclass]`/`#[pymethods]` macros. Each Python class holds an inner Rust type (e.g., `CapabilitySet` wraps `RustCapabilitySet`). Rust `NonoError` variants map to Python exceptions: `FileNotFoundError`, `ValueError`, `OSError`, `RuntimeError`, `PermissionError`.
+
+### Python Package
+
+`python/nono_py/__init__.py` re-exports everything from the native `_nono_py` module. The underscore-prefixed native module is an internal implementation detail.
+
+`python/nono_py/_nono_py.pyi` contains type stubs that must stay in sync with the Rust API. This file is the source of truth for IDE autocompletion and mypy.
+
+### Key Classes
+
+- **CapabilitySet** — mutable builder: `allow_path()`, `allow_file()`, `block_network()`, `allow_command()`, `block_command()`
+- **QueryContext** — test permissions without applying: returns dicts with `status`/`reason` keys
+- **SandboxState** — JSON-serializable snapshot of a CapabilitySet for cross-process transfer
+- **AccessMode** — enum: `READ`, `WRITE`, `READ_WRITE` (frozen)
+- **apply()** — module-level function, **irreversible** OS sandbox enforcement
+
+### Nono Dependency
+
+`Cargo.toml` references the nono library via local path (`../nono/crates/nono`). Both repos must be sibling directories for local development. CI checks out nono as a sibling automatically.
+
+## Conventions
+
+- Python: ruff, line-length 100, target py39, strict mypy
+- Rust: edition 2021, rust-version 1.80, clippy with `-D warnings`
+- Frozen PyO3 classes for immutable types (AccessMode, FsCapability, SupportInfo, CapabilitySource)
+- Path validation happens at add-time in Rust (fail fast)
+- Tests use `conftest.py` fixtures `temp_dir` and `temp_file` for filesystem isolation