pandoraspec 0.1.1__py3-none-any.whl → 0.2.7__py3-none-any.whl

pandoraspec-0.2.7.dist-info/METADATA

@@ -0,0 +1,200 @@
+Metadata-Version: 2.4
+Name: pandoraspec
+Version: 0.2.7
+Summary: DORA Compliance Auditor for OpenAPI Specs
+Author-email: Ulises Merlan <ulimerlan@gmail.com>
+License: MIT
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: schemathesis==4.9.1
+Requires-Dist: typer[all]
+Requires-Dist: rich
+Requires-Dist: weasyprint
+Requires-Dist: requests
+Requires-Dist: pydantic
+Provides-Extra: dev
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: responses; extra == "dev"
+
+# PanDoraSpec
+
+**The Open DORA Compliance Engine for OpenAPI Specs.**
+
+PanDoraSpec is a CLI tool that performs deep technical due diligence on APIs to verify compliance with **DORA (Digital Operational Resilience Act)** requirements. It compares OpenAPI/Swagger specifications against real-world implementation to detect schema drift, resilience gaps, and security issues.
+
+---
+
+## 📦 Installation
+
+```bash
+pip install pandoraspec
+```
+
+### System Requirements
+The PDF report generation requires `weasyprint`, which depends on **Pango**.
+
+  
+## 🚀 Usage
+
+Run the audit directly from your terminal.
+
+### Basic Scan
+```bash
+pandoraspec https://petstore.swagger.io/v2/swagger.json
+```
+
+### JSON Output (CI/CD)
+To generate a machine-readable JSON report for automated pipelines:
+```bash
+pandoraspec https://api.example.com/spec.json --format json --output report.json
+```
+This outputs a file like `report.json` containing the full audit results and compliance score.
+
+**Included CI/CD Resources:**
+- [`scripts/check_compliance.py`](scripts/check_compliance.py): Script to parse the JSON report and exit with error if non-compliant.
+- [`examples/github_pipeline.yml`](examples/github_pipeline.yml): Example GitHub Actions workflow.
+
+### With Options
+```bash
+pandoraspec https://api.example.com/spec.json --vendor "Stripe" --key "sk_live_..."
+```
+
+### Local File
+```bash
+pandoraspec ./openapi.yaml
+```
+
+### Override Base URL
+If your OpenAPI spec uses variables (e.g. `https://{env}.api.com`) or you want to audit a specific target:
+```bash
+pandoraspec https://api.example.com/spec.json --base-url https://staging.api.example.com
+```
+
+---
+
+## 🏎️ Zero-Config Testing (DORA Compliance)
+
+For standard **DORA compliance**, you simply need to verify that your API implementation matches its specification. **No configuration is required.**
+
+```bash
+pandoraspec https://petstore.swagger.io/v2/swagger.json
+```
+
+This runs a **fuzzing** audit where random data is generated based on your schema types (e.g., sending random integers for IDs). 
+- **Value:** This is sufficient to prove that your API correctly handles unexpected inputs and adheres to the basic contract (e.g., returning 400 Bad Request instead of 500 Server Error).
+- **Limitation:** Detailed business logic requiring valid IDs (e.g., `GET /user/{id}` where `{id}` must exist) may return `404 Not Found`. This is acceptable for a compliance scan but may not fully exercise deeper code paths.
+
+---
+
+## 🧠 Advanced Testing with Seed Data
+
+To test **specific business workflows** (e.g., successfully retrieving a user profile), you can provide "Seed Data". This tells PanDoraSpec to use known, valid values instead of random fuzzing data.
+
+```bash
+pandoraspec https://petstore.swagger.io/v2/swagger.json --config seed_parameters.yaml
+```
+
+### Configuration Hierarchy
+You can define seed values at three levels of specificity. The engine resolves values in this order: **Endpoints > Verbs > General**.
+
+```yaml
+seed_data:
+  # 1. General: Applies to EVERYTHING (path params, query params, headers)
+  general:
+    username: "test_user"
+    limit: 50
+
+  # 2. Verbs: Applies only to specific HTTP methods (Overwrites General)
+  verbs:
+    POST:
+      username: "admin_user" # Creation requests use a different user
+
+  # 3. Endpoints: Applies only to specific routes (Overwrites Everything)
+  endpoints:
+    /users/me:
+      GET:
+        limit: 10
+```
+
+### 🔗 Dynamic Seed Data (Recursive Chaining)
+You can even test **dependency chains** where one endpoint requires data from another. PanDoraSpec handles **recursion** automatically: if Endpoint A needs data from B, and B needs data from C, it will resolve the entire chain in order.
+
+**Supported Features:**
+- **Recursive Resolution:** Automatically resolves upstream dependencies (chains of `from_endpoint`).
+- **Deep Extraction:** Extract values from nested JSON using dot notation, including list indices (e.g., `data.items.0.id`).
+- **Parameter Interpolation:** Use `{param}` in the dependency URL to chain multiple steps.
+- **Smart Logging:** Fuzzed values are masked as `random` in logs to keep output clean, while your seeded values are shown clearly.
+
+```yaml
+endpoints:
+  # Level 1: Get the current user ID
+  /user/me:
+    GET:
+      authorization: "Bearer static-token"
+
+  # Level 2: Use that ID to get their orders
+  /users/{userId}/orders:
+    GET:
+      userId:
+        from_endpoint: "GET /user/me"
+        extract: "data.id"  # JSON extraction
+
+  # Level 3: Get details of the FIRST order from that list (Recursive!)
+  /orders/{orderId}:
+    GET:
+      orderId:
+        # This calls Level 2 first (which calls Level 1), then extracts the first order ID
+        from_endpoint: "GET /users/{userId}/orders"
+        extract: "data.items.0.id" # Supports list index '0'
+```
+
+---
+
+## 🛠️ Development Setup
+
+To run the CLI locally without reinstalling after every change:
+
+1. **Clone & CD**:
+```bash
+git clone ...
+cd pandoraspec
+```
+
+2. **Create & Activate Virtual Environment**:
+It's recommended to use a virtual environment to keep dependencies isolated.
+```bash
+python3 -m venv venv
+source venv/bin/activate  # On Windows: venv\Scripts\activate
+```
+
+3. **Editable Install**:
+```bash
+pip install -e .
+```
+This links the `pandoraspec` command directly to your source code. Any changes you make will be reflected immediately.
+
+## 🛡️ What It Checks
+
+### Module A: The Integrity Test (Drift)
+Checks if your API implementation matches your documentation.
+- **Why?** DORA requires you to monitor if the service effectively supports your critical functions. If the API behaves differently than documented, it's a risk.
+
+### Module B: The Resilience Test
+Stress tests the API to ensure it handles invalid inputs gracefully (`4xx` vs `5xx`).
+- **Why?** DORA Article 25 calls for "Digital operational resilience testing".
+
+### Module C: Security Hygiene
+Checks for common security headers and configurations.
+
+### Module D: The Report
+Generates a PDF report: **"DORA ICT Third-Party Technical Risk Assessment"**.
+Alternatively, use `--format json` to get a structured JSON object for:
+- CI/CD Gates (e.g., fail build if `is_compliant` is false).
+- Custom Dashboards.
+- Archival purposes.
+
+---
+
+## 📄 License
+
+MIT

pandoraspec-0.2.7.dist-info/RECORD

@@ -0,0 +1,23 @@
+pandoraspec/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pandoraspec/cli.py,sha256=a4T9sIzwqjyS6NO9XyfQq9g0m25H31zp9xV_X5Gqx4A,3526
+pandoraspec/config.py,sha256=CVfHxxR_VEm2UOZkuOHLlAUDaJr-ooZxIgJWnvRyj3Q,857
+pandoraspec/constants.py,sha256=JWCglaqqEf6581pLK0EzySP1vrLJn49Tnza1L5rb0AA,422
+pandoraspec/core.py,sha256=DUq5JFDL5O3mtehxVQX7cQm7GXhFl3n9gC5AJaQb7oo,3635
+pandoraspec/orchestrator.py,sha256=NQJGdSU0hRFVUw68tz2PFEKLFxv9aS0pYnXdWgYs8q4,2021
+pandoraspec/seed.py,sha256=CJzpm3Oci5Dr0cSnWTLTxV4ePAe8tG7cbF0Vwv5qO4A,7547
+pandoraspec/modules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pandoraspec/modules/drift.py,sha256=8a8psZLnd3BO-fTp72LiBko0CPuhn0GbNtqdXFRjWsU,8502
+pandoraspec/modules/resilience.py,sha256=XcdWgiJ4M6PL1fadPsnwBujoH889aS5E6e2RIdP1B_A,6348
+pandoraspec/modules/security.py,sha256=9uEZaqyL6jp5JYwYgFe_si3vjjbQcgb-hKdSGl9ysrI,8310
+pandoraspec/reporting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pandoraspec/reporting/generator.py,sha256=khFJw7cJB3lRgE3zHBSQ2vfH8jtQQgvk0k7Y-PjAjYo,4255
+pandoraspec/reporting/templates.py,sha256=k81vZEVqG18xxKGnSMHdk6R5iQ1j15qY7Oz0IOKp05g,6246
+pandoraspec/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pandoraspec/utils/logger.py,sha256=MC7JEQcSFvUIYLwjhiM1nq0gccGUSNt_KhZiA_tSJWg,644
+pandoraspec/utils/parsing.py,sha256=hdptWR4Bh-IZqs5LsJ0U7kn8t9j-yMz4_D5WqcPjXCo,1008
+pandoraspec/utils/url.py,sha256=1KD6F0aa0-lNbHR2OdHY_w5dSnX_NF12qLn5Cs3gc-c,799
+pandoraspec-0.2.7.dist-info/METADATA,sha256=Q1h1rIdR0JWP4N0i6Oqit7NoZwu2WX8gr_3HSRsKzfs,6718
+pandoraspec-0.2.7.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+pandoraspec-0.2.7.dist-info/entry_points.txt,sha256=6sqB0v21PGWnZXD74EK5jPbFAdZd7IWyfO7QHKiXWm8,53
+pandoraspec-0.2.7.dist-info/top_level.txt,sha256=8It7kimNf30-5ZUI7CZl6kCBeImIG8H49ZjSU26dRuc,12
+pandoraspec-0.2.7.dist-info/RECORD,,

pandoraspec-0.2.7.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+pandoraspec = pandoraspec.cli:main

pandoraspec-0.1.1.dist-info/METADATA

@@ -1,72 +0,0 @@
-Metadata-Version: 2.4
-Name: pandoraspec
-Version: 0.1.1
-Summary: DORA Compliance Auditor for OpenAPI Specs
-Author-email: Ulises Merlan <ulimerlan@gmail.com>
-License: MIT
-Requires-Python: >=3.9
-Description-Content-Type: text/markdown
-Requires-Dist: fastapi
-Requires-Dist: schemathesis==4.9.1
-Requires-Dist: typer[all]
-Requires-Dist: rich
-Requires-Dist: weasyprint
-Requires-Dist: jinja2
-Requires-Dist: requests
-
-# PanDoraSpec
-
-**The Open DORA Compliance Engine for OpenAPI Specs.**
-
-PanDoraSpec is a CLI tool that performs deep technical due diligence on your APIs to verify compliance with **DORA (Digital Operational Resilience Act)** requirements. It compares your OpenAPI/Swagger specifications against real-world implementation to detect schema drift, resilience gaps, and security issues.
-
----
-
-## 📦 Installation
-
-```bash
-pip install pandoraspec
-```
-
-## 🚀 Usage
-
-Run the audit directly from your terminal.
-
-### Basic Scan
-```bash
-pandoraspec https://petstore.swagger.io/v2/swagger.json
-```
-
-### With Options
-```bash
-pandoraspec https://api.example.com/spec.json --vendor "Stripe" --key "sk_live_..."
-```
-
-### Local File
-```bash
-pandoraspec ./openapi.yaml
-```
-
----
-
-## 🛡️ What It Checks
-
-### Module A: The Integrity Test (Drift)
-Checks if your API implementation matches your documentation.
-- **Why?** DORA requires you to monitor if the service effectively supports your critical functions. If the API behaves differently than documented, it's a risk.
-
-### Module B: The Resilience Test
-Stress tests the API to ensure it handles invalid inputs gracefully (`4xx` vs `5xx`).
-- **Why?** DORA Article 25 calls for "Digital operational resilience testing".
-
-### Module C: Security Hygiene
-Checks for common security headers and configurations.
-
-### Module D: The Report
-Generates a branded PDF report: **"DORA ICT Third-Party Technical Risk Assessment"**.
-
----
-
-## 📄 License
-
-MIT

pandoraspec-0.1.1.dist-info/RECORD

@@ -1,9 +0,0 @@
-pandoraspec/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-pandoraspec/cli.py,sha256=sJsVHMmQ_UHQf_lap--aLuf99_HUS_0rOAA5nTAxF54,3087
-pandoraspec/core.py,sha256=bKoPYSfqQa4Yn7CxOX6QPCZXCLMLoiagD8aMfzLtC6o,16059
-pandoraspec/reporting.py,sha256=aAFImWkhi5Ho6AQUCANJy-9MpIbzCJlsCWBSRmivOSQ,8804
-pandoraspec-0.1.1.dist-info/METADATA,sha256=-YMhZl-uwnYuBS64UhgYZrr0oQgluAqCOiZR-w5Jq8k,1892
-pandoraspec-0.1.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-pandoraspec-0.1.1.dist-info/entry_points.txt,sha256=gmXGBQNpfy0IeOjB_SqunmaitLbyFsUZdgfwQOto2P0,52
-pandoraspec-0.1.1.dist-info/top_level.txt,sha256=8It7kimNf30-5ZUI7CZl6kCBeImIG8H49ZjSU26dRuc,12
-pandoraspec-0.1.1.dist-info/RECORD,,

pandoraspec-0.1.1.dist-info/entry_points.txt

@@ -1,2 +0,0 @@
-[console_scripts]
-pandoraspec = pandoraspec.cli:app