ossplate 0.1.9__py3-none-win_amd64.whl

ossplate/__init__.py

@@ -0,0 +1,3 @@
+from .cli import cli, get_binary_path, get_packaged_binary_path, main
+
+__all__ = ["cli", "get_binary_path", "get_packaged_binary_path", "main"]

ossplate/cli.py

@@ -0,0 +1,55 @@
+from __future__ import annotations
+
+import os
+import platform
+import subprocess
+import sys
+from importlib import resources
+from pathlib import Path
+
+ENV_OVERRIDE = "OSSPLATE_BINARY"
+TEMPLATE_ROOT_ENV = "OSSPLATE_TEMPLATE_ROOT"
+TARGETS = {
+    ("Darwin", "arm64"): ("darwin-arm64", "ossplate"),
+    ("Darwin", "x86_64"): ("darwin-x64", "ossplate"),
+    ("Linux", "x86_64"): ("linux-x64", "ossplate"),
+    ("Windows", "AMD64"): ("win32-x64", "ossplate.exe"),
+}
+
+
+def get_packaged_binary_path(base_dir: Path | None = None) -> str:
+    base_dir = base_dir or Path(resources.files("ossplate"))
+    env_override = os.environ.get(ENV_OVERRIDE)
+    if env_override:
+        return env_override
+
+    system = platform.system()
+    machine = platform.machine()
+    target = TARGETS.get((system, machine))
+    if target is None:
+        raise RuntimeError(f"Unsupported platform/arch: {system}/{machine}")
+
+    folder, executable = target
+    binary_path = base_dir / "bin" / folder / executable
+    if not binary_path.exists():
+        raise RuntimeError(f"Bundled ossplate binary not found at {binary_path}")
+    return str(binary_path)
+
+
+def get_binary_path() -> str:
+    return get_packaged_binary_path()
+
+
+def cli(args: tuple[str, ...]) -> int:
+    env = os.environ.copy()
+    env.setdefault(TEMPLATE_ROOT_ENV, str(Path(resources.files("ossplate")) / "scaffold"))
+    result = subprocess.run([get_binary_path(), *args], check=False, env=env)
+    return result.returncode
+
+
+def main() -> None:
+    raise SystemExit(cli(tuple(sys.argv[1:])))
+
+
+if __name__ == "__main__":
+    main()

ossplate/scaffold/.github/workflows/ci.yml

@@ -0,0 +1,111 @@
+# ossplate:workflow-name:start
+name: Ossplate CI
+# ossplate:workflow-name:end
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  template-readiness:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+      - run: cargo run --quiet --manifest-path core-rs/Cargo.toml -- validate
+      - run: cargo run --quiet --manifest-path core-rs/Cargo.toml -- sync --check
+      - run: node --test ./scripts/validate-template-readiness.test.mjs
+
+  rust:
+    needs: template-readiness
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo fmt --check
+        working-directory: ./core-rs
+      - run: cargo clippy -- -D warnings
+        working-directory: ./core-rs
+      - run: cargo test
+        working-directory: ./core-rs
+
+  js:
+    needs: template-readiness
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+          cache: npm
+          cache-dependency-path: ./wrapper-js/package-lock.json
+      - run: npm ci
+        working-directory: ./wrapper-js
+      - run: npm run build
+        working-directory: ./wrapper-js
+      - run: npm test
+        working-directory: ./wrapper-js
+      - run: npm pack --dry-run
+        working-directory: ./wrapper-js
+
+  python:
+    needs: template-readiness
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+      - name: Test and build
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+          pip install build
+          python -m unittest discover -s tests -p 'test_*.py'
+        working-directory: ./wrapper-py
+
+  python-wheel:
+    needs: template-readiness
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            target: linux-x64
+          - runner: macos-14
+            target: darwin-arm64
+          - runner: macos-15-intel
+            target: darwin-x64
+          - runner: windows-latest
+            target: win32-x64
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+      - name: Build core binary
+        run: cargo build --manifest-path core-rs/Cargo.toml
+      - name: Validate wheel artifact
+        env:
+          OSSPLATE_PY_TARGET: ${{ matrix.target }}
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+          pip install build
+          python -m unittest discover -s tests -p 'test_*.py'
+        working-directory: ./wrapper-py

ossplate/scaffold/.github/workflows/publish-npm.yml

@@ -0,0 +1,72 @@
+# ossplate:workflow-name:start
+name: Ossplate publish-npm
+# ossplate:workflow-name:end
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  publish-npm:
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      github.event_name == 'release'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
+          cache: npm
+          cache-dependency-path: ./wrapper-js/package-lock.json
+      - name: Detect published version
+        id: published
+        working-directory: ./wrapper-js
+        run: |
+          NAME=$(node -p "require('./package.json').name")
+          VERSION=$(node -p "require('./package.json').version")
+          echo "name=$NAME" >> "$GITHUB_OUTPUT"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          if npm view "$NAME@$VERSION" version >/dev/null 2>&1; then
+            echo "already=true" >> "$GITHUB_OUTPUT"
+            echo "::notice title=npm::${NAME}@${VERSION} is already published; skipping."
+          else
+            echo "already=false" >> "$GITHUB_OUTPUT"
+          fi
+      - if: steps.published.outputs.already != 'true'
+        run: npm ci
+        working-directory: ./wrapper-js
+      - name: Publish to npm
+        if: steps.published.outputs.already != 'true'
+        working-directory: ./wrapper-js
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          logfile=$(mktemp)
+          cleanup() {
+            rm -f "$logfile"
+          }
+          trap cleanup EXIT
+          set +e
+          npm publish --access public --provenance 2>&1 | tee "$logfile"
+          status=${PIPESTATUS[0]}
+          set -e
+          if [ "$status" -eq 0 ]; then
+            echo "::notice title=npm::published with OIDC trusted publishing."
+            exit 0
+          fi
+          if [ -z "${NODE_AUTH_TOKEN:-}" ]; then
+            echo "::error title=npm::OIDC publish failed and NPM_TOKEN is not configured."
+            exit "$status"
+          fi
+          if grep -qiE "already exists|cannot publish over|previously published" "$logfile"; then
+            echo "::notice title=npm::package version already exists; skipping."
+            exit 0
+          fi
+          echo "::warning title=npm::OIDC publish failed; retrying with NPM_TOKEN fallback."
+          npm publish --access public

ossplate/scaffold/.github/workflows/publish.yml

@@ -0,0 +1,173 @@
+# ossplate:workflow-name:start
+name: Ossplate publishing
+# ossplate:workflow-name:end
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  build-pypi-wheel:
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      github.event_name == 'release'
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            target: linux-x64
+          - runner: macos-14
+            target: darwin-arm64
+          - runner: macos-15-intel
+            target: darwin-x64
+          - runner: windows-latest
+            target: win32-x64
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+      - name: Build core binary
+        run: cargo build --manifest-path core-rs/Cargo.toml
+      - name: Build wheel
+        env:
+          OSSPLATE_PY_TARGET: ${{ matrix.target }}
+        run: |
+          python -m pip install --upgrade pip
+          pip install build
+          python -m build --wheel --outdir dist/${{ matrix.target }}
+        working-directory: ./wrapper-py
+      - uses: actions/upload-artifact@v4
+        with:
+          name: pypi-wheel-${{ matrix.target }}
+          path: ./wrapper-py/dist/${{ matrix.target }}/*.whl
+
+  build-pypi-sdist:
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      github.event_name == 'release'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+      - name: Build sdist
+        run: |
+          python -m pip install --upgrade pip
+          pip install build
+          python -m build --sdist --outdir dist/sdist
+        working-directory: ./wrapper-py
+      - uses: actions/upload-artifact@v4
+        with:
+          name: pypi-sdist
+          path: ./wrapper-py/dist/sdist/*.tar.gz
+
+  publish-pypi:
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      github.event_name == 'release'
+    needs:
+      - build-pypi-wheel
+      - build-pypi-sdist
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: pypi-*
+          path: ./dist
+          merge-multiple: true
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: ./dist/
+          skip-existing: true
+          attestations: false
+
+  publish-cargo:
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      github.event_name == 'release'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Authenticate with crates.io via OIDC
+        id: auth
+        continue-on-error: true
+        uses: rust-lang/crates-io-auth-action@v1
+      - name: Detect published crate version
+        id: version
+        working-directory: ./core-rs
+        run: |
+          CRATE_NAME=$(python3 - <<'PY'
+          import tomllib
+          with open("Cargo.toml", "rb") as f:
+              data = tomllib.load(f)
+          print(data["package"]["name"])
+          PY
+          )
+          CRATE_VERSION=$(python3 - <<'PY'
+          import tomllib
+          with open("Cargo.toml", "rb") as f:
+              data = tomllib.load(f)
+          print(data["package"]["version"])
+          PY
+          )
+          echo "name=$CRATE_NAME" >> "$GITHUB_OUTPUT"
+          echo "version=$CRATE_VERSION" >> "$GITHUB_OUTPUT"
+          if curl -fsSL "https://crates.io/api/v1/crates/${CRATE_NAME}/${CRATE_VERSION}" >/dev/null 2>&1; then
+            echo "already=true" >> "$GITHUB_OUTPUT"
+            echo "::notice title=cargo::${CRATE_NAME} ${CRATE_VERSION} is already published; skipping."
+          else
+            echo "already=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Publish to crates.io
+        if: steps.version.outputs.already != 'true'
+        working-directory: ./core-rs
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token || secrets.CARGO_TOKEN }}
+        run: |
+          logfile=$(mktemp)
+          cleanup() {
+            rm -f "$logfile"
+          }
+          trap cleanup EXIT
+          if [ -n "${{ steps.auth.outputs.token }}" ]; then
+            echo "::notice title=cargo::using crates.io OIDC token from trusted publishing."
+          else
+            echo "::notice title=cargo::OIDC token unavailable; falling back to CARGO_TOKEN secret."
+          fi
+          set +e
+          cargo publish 2>&1 | tee "$logfile"
+          status=${PIPESTATUS[0]}
+          set -e
+          if [ "$status" -eq 0 ]; then
+            exit 0
+          fi
+          if grep -q "status 429 Too Many Requests" "$logfile"; then
+            echo "::warning title=cargo::crates.io rate limit hit. Treating this publish attempt as non-blocking."
+            exit 0
+          fi
+          if grep -qi "already exists on crates.io index" "$logfile"; then
+            echo "::notice title=cargo::crate version already exists; skipping."
+            exit 0
+          fi
+          exit "$status"

ossplate/scaffold/.github/workflows/release.yml

@@ -0,0 +1,117 @@
+# ossplate:workflow-name:start
+name: Ossplate release
+# ossplate:workflow-name:end
+
+on:
+  workflow_run:
+    workflows: ["Ossplate CI"]
+    types: [completed]
+  workflow_dispatch:
+
+concurrency:
+  group: release-main
+  cancel-in-progress: false
+
+permissions:
+  actions: write
+  contents: write
+
+jobs:
+  release:
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      (
+        github.event_name == 'workflow_run' &&
+        github.event.workflow_run.conclusion == 'success' &&
+        github.event.workflow_run.head_branch == 'main'
+      )
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          ref: main
+          fetch-depth: 0
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+      - name: Ensure release matches the validated commit
+        id: validated
+        run: |
+          HEAD_SHA=$(git rev-parse HEAD)
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "::notice title=release::manual dispatch requested; validating current main HEAD."
+            echo "validated_sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
+            echo "proceed=true" >> "$GITHUB_OUTPUT"
+          else
+            if [ "$HEAD_SHA" != "${{ github.event.workflow_run.head_sha }}" ]; then
+              echo "::notice title=release::main advanced beyond the validated commit; waiting for the newer CI run."
+              echo "proceed=false" >> "$GITHUB_OUTPUT"
+            else
+              echo "validated_sha=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
+              echo "proceed=true" >> "$GITHUB_OUTPUT"
+            fi
+          fi
+      - name: Skip release commits
+        id: commit
+        if: steps.validated.outputs.proceed == 'true'
+        run: |
+          SUBJECT=$(git log -1 --pretty=%s "${{ steps.validated.outputs.validated_sha }}")
+          echo "subject=$SUBJECT" >> "$GITHUB_OUTPUT"
+          if echo "$SUBJECT" | grep -q '^Release ossplate '; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Plan version bump
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true'
+        id: plan
+        run: |
+          PLAN=$(node ./scripts/release-plan.mjs)
+          echo "$PLAN"
+          echo "should_release=$(printf '%s' "$PLAN" | node -e "process.stdout.write(String(JSON.parse(require('fs').readFileSync(0, 'utf8')).shouldRelease))")" >> "$GITHUB_OUTPUT"
+          echo "next_version=$(printf '%s' "$PLAN" | node -e "process.stdout.write(JSON.parse(require('fs').readFileSync(0, 'utf8')).nextVersion)")" >> "$GITHUB_OUTPUT"
+      - name: Set up git identity
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true' && steps.plan.outputs.should_release == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      - name: Bump versions
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true' && steps.plan.outputs.should_release == 'true'
+        run: node ./scripts/bump-version.mjs "${{ steps.plan.outputs.next_version }}"
+      - name: Install JavaScript dependencies
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true' && steps.plan.outputs.should_release == 'true'
+        run: npm ci --prefix wrapper-js
+      - name: Verify release state
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true' && steps.plan.outputs.should_release == 'true'
+        run: ./scripts/verify.sh
+      - name: Commit and tag release
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true' && steps.plan.outputs.should_release == 'true'
+        run: |
+          VERSION="${{ steps.plan.outputs.next_version }}"
+          git add -A
+          git commit -m "Release ossplate ${VERSION} [skip ci]"
+          git tag "v${VERSION}"
+          git push origin main
+          git push origin "v${VERSION}"
+      - name: Create GitHub release
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true' && steps.plan.outputs.should_release == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          VERSION="${{ steps.plan.outputs.next_version }}"
+          if gh release view "v${VERSION}" >/dev/null 2>&1; then
+            echo "::notice title=release::GitHub release v${VERSION} already exists; skipping."
+            exit 0
+          fi
+          gh release create "v${VERSION}" \
+            --title "v${VERSION}" \
+            --notes "Automated release for ossplate ${VERSION}."
+      - name: Dispatch publish workflows
+        if: steps.validated.outputs.proceed == 'true' && steps.commit.outputs.skip != 'true' && steps.plan.outputs.should_release == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          VERSION="${{ steps.plan.outputs.next_version }}"
+          gh workflow run publish.yml --ref main
+          gh workflow run publish-npm.yml --ref main
+          echo "::notice title=release::dispatched publish workflows for v${VERSION}."

ossplate/scaffold/.gitignore

@@ -0,0 +1,9 @@
+.DS_Store
+.venv/
+__pycache__/
+*.pyc
+.tmp-*/
+dist/
+build/
+node_modules/
+target/

ossplate/scaffold/.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+repos:
+  - repo: local
+    hooks:
+      - id: ossplate-verify
+        name: ossplate verify
+        entry: ./scripts/verify.sh
+        language: system
+        pass_filenames: false
+        stages: [pre-push]

ossplate/scaffold/CONTRIBUTING.md

@@ -0,0 +1,53 @@
+# Contributing
+
+Use the root verification flow before committing changes:
+
+```bash
+./scripts/verify.sh
+```
+
+Optional local hook setup:
+
+```bash
+python -m pip install pre-commit
+pre-commit install --hook-type pre-push
+```
+
+That enables a local `pre-push` hook which runs `./scripts/verify.sh`.
+
+That script mirrors the local release-confidence gate:
+
+- Rust format, clippy, and tests
+- `ossplate validate` and `ossplate sync --check`
+- JavaScript wrapper tests and package dry-run
+- Python wrapper tests
+
+Useful operator commands:
+
+```bash
+cargo run --manifest-path core-rs/Cargo.toml -- validate
+cargo run --manifest-path core-rs/Cargo.toml -- sync --check
+cargo run --manifest-path core-rs/Cargo.toml -- sync
+```
+
+Release bump rules:
+
+- `feat:` triggers a minor bump
+- `fix:`, `docs:`, `refactor:`, `test:`, `chore:`, `build:`, `ci:` and similar commits trigger a patch bump
+- `!` in a conventional commit header or `BREAKING CHANGE` in the body triggers a major bump
+- `[major]`, `[minor]`, and `[patch]` override the inferred bump level
+
+Read this next:
+
+- [`docs/architecture.md`](./docs/architecture.md)
+- [`docs/testing.md`](./docs/testing.md)
+- [`docs/releases.md`](./docs/releases.md)
+- [`docs/adrs/0002-sync-owns-bounded-identity.md`](./docs/adrs/0002-sync-owns-bounded-identity.md)
+
+Current ownership model:
+
+- `ossplate.toml` is the canonical identity source
+- `sync` owns Rust/npm/Python metadata surfaces
+- `sync` owns the root `README.md` identity block between `ossplate:readme-identity` markers
+- `sync` owns the top-level workflow display names between `ossplate:workflow-name` markers
+- workflow logic, auth, triggers, and job structure remain manual

ossplate/scaffold/LICENSE

@@ -0,0 +1,9 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or distribute this software, either in source code form or as a compiled binary, for any purpose, commercial or non-commercial, and by any means.
+
+In jurisdictions that recognize copyright laws, the author or authors of this software dedicate any and all copyright interest in the software to the public domain. We make this dedication for the benefit of the public at large and to the detriment of our heirs and successors. We intend this dedication to be an overt act of relinquishment in perpetuity of all present and future rights to this software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>