python-checkup 0.0.1__py3-none-any.whl

python_checkup/config.py

@@ -0,0 +1,87 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from pathlib import Path
+
+import tomllib
+
+from python_checkup.models import Category
+
+DEFAULT_WEIGHTS: dict[str, int] = {
+    "quality": 25,
+    "types": 20,
+    "security": 20,
+    "complexity": 15,
+    "dead_code": 10,
+    "dependencies": 10,
+}
+
+DEFAULT_THRESHOLDS: dict[str, int] = {
+    "healthy": 75,
+    "needs_work": 50,
+}
+
+# Map config weight keys to Category enum
+WEIGHT_KEY_TO_CATEGORY: dict[str, Category] = {
+    "quality": Category.QUALITY,
+    "types": Category.TYPE_SAFETY,
+    "security": Category.SECURITY,
+    "complexity": Category.COMPLEXITY,
+    "dead_code": Category.DEAD_CODE,
+    "dependencies": Category.DEPENDENCIES,
+}
+
+
+@dataclass
+class CheckupConfig:
+    """Resolved configuration for a python-checkup run."""
+
+    weights: dict[str, int] = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))
+    thresholds: dict[str, int] = field(default_factory=lambda: dict(DEFAULT_THRESHOLDS))
+    ignore_rules: list[str] = field(default_factory=list)
+    ignore_files: list[str] = field(default_factory=list)
+    timeout: int = 60  # seconds, per analyzer
+    min_confidence: int = 80  # Vulture confidence threshold
+
+
+def load_config(project_root: Path) -> CheckupConfig:
+    """Load [tool.python-checkup] from pyproject.toml, with defaults.
+
+    Config discovery: looks for pyproject.toml in project_root,
+    then walks up parent directories (matching Ruff/mypy behavior).
+    """
+    config_path = _find_pyproject(project_root)
+    if config_path is None:
+        return CheckupConfig()
+
+    try:
+        with open(config_path, "rb") as f:
+            data = tomllib.load(f)
+    except (OSError, tomllib.TOMLDecodeError):
+        return CheckupConfig()
+
+    user_config = data.get("tool", {}).get("python-checkup", {})
+    if not user_config:
+        return CheckupConfig()
+
+    return CheckupConfig(
+        weights=user_config.get("weights", dict(DEFAULT_WEIGHTS)),
+        thresholds=user_config.get("thresholds", dict(DEFAULT_THRESHOLDS)),
+        ignore_rules=user_config.get("ignore", {}).get("rules", []),
+        ignore_files=user_config.get("ignore", {}).get("files", []),
+        timeout=user_config.get("timeout", 60),
+        min_confidence=user_config.get("min_confidence", 80),
+    )
+
+
+def _find_pyproject(start: Path) -> Path | None:
+    """Walk up from start directory to find pyproject.toml."""
+    current = start.resolve()
+    while True:
+        candidate = current / "pyproject.toml"
+        if candidate.is_file():
+            return candidate
+        parent = current.parent
+        if parent == current:
+            return None
+        current = parent

python_checkup/dedup.py

@@ -0,0 +1,119 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+from python_checkup.models import Diagnostic
+
+# Mapping of Ruff S-prefix rules to their Bandit B-prefix equivalents.
+RUFF_TO_BANDIT: dict[str, str] = {
+    "S101": "B101",
+    "S102": "B102",
+    "S103": "B103",
+    "S104": "B104",
+    "S105": "B105",
+    "S106": "B106",
+    "S107": "B107",
+    "S108": "B108",
+    "S110": "B110",
+    "S112": "B112",
+    "S113": "B113",
+    "S301": "B301",
+    "S302": "B302",
+    "S303": "B303",
+    "S304": "B304",
+    "S305": "B305",
+    "S306": "B306",
+    "S307": "B307",
+    "S308": "B308",
+    "S310": "B310",
+    "S311": "B311",
+    "S312": "B312",
+    "S313": "B313",
+    "S314": "B314",
+    "S315": "B315",
+    "S316": "B316",
+    "S317": "B317",
+    "S318": "B318",
+    "S319": "B319",
+    "S320": "B320",
+    "S321": "B321",
+    "S323": "B323",
+    "S324": "B324",
+    "S501": "B501",
+    "S502": "B502",
+    "S503": "B503",
+    "S504": "B504",
+    "S505": "B505",
+    "S506": "B506",
+    "S507": "B507",
+    "S508": "B508",
+    "S509": "B509",
+    "S601": "B601",
+    "S602": "B602",
+    "S603": "B603",
+    "S604": "B604",
+    "S605": "B605",
+    "S606": "B606",
+    "S607": "B607",
+    "S608": "B608",
+    "S609": "B609",
+    "S610": "B610",
+    "S611": "B611",
+    "S612": "B612",
+    "S701": "B701",
+    "S702": "B702",
+}
+
+BANDIT_TO_RUFF: dict[str, str] = {v: k for k, v in RUFF_TO_BANDIT.items()}
+
+# Tool priority order: lower index = higher priority
+TOOL_PRIORITY: dict[str, int] = {
+    "ruff": 0,
+    "bandit": 1,
+    "mypy": 2,
+    "radon": 3,
+    "vulture": 4,
+}
+
+
+def deduplicate(diagnostics: list[Diagnostic]) -> list[Diagnostic]:
+    """Remove duplicate findings from overlapping tools.
+
+    Rules:
+    1. Ruff takes priority over Bandit for overlapping rules
+    2. Same tool, same file, same line, same rule = deduplicate
+    3. Bandit-unique rules (not in BANDIT_TO_RUFF) are never deduplicated
+
+    Dedup key: (file_path, line, normalized_rule_id)
+    """
+    # Sort by tool priority -- Ruff findings are processed first
+    prioritized = sorted(
+        diagnostics,
+        key=lambda d: TOOL_PRIORITY.get(d.tool, 99),
+    )
+
+    seen: set[tuple[Path, int, str]] = set()
+    result: list[Diagnostic] = []
+
+    for d in prioritized:
+        # Normalize the rule ID so S101 and B101 map to the same key
+        normalized = _normalize_rule(d.tool, d.rule_id)
+        key = (d.file_path, d.line, normalized)
+
+        if key not in seen:
+            seen.add(key)
+            result.append(d)
+
+    return result
+
+
+def _normalize_rule(tool: str, rule_id: str) -> str:
+    """Normalize a rule ID for deduplication.
+
+    Maps Bandit B-prefix rules to their Ruff S-prefix equivalents
+    so that S101 and B101 produce the same dedup key.
+    Bandit-unique rules keep their original ID.
+    """
+    if tool == "bandit" and rule_id in BANDIT_TO_RUFF:
+        return BANDIT_TO_RUFF[rule_id]
+    return rule_id

python_checkup/dependencies/discovery.py

@@ -0,0 +1,192 @@
+from __future__ import annotations
+
+import json
+from dataclasses import dataclass
+from pathlib import Path
+
+import tomllib
+
+
+@dataclass(frozen=True)
+class LockedPackage:
+    """A concrete package version found in a dependency source."""
+
+    name: str
+    version: str
+
+
+@dataclass(frozen=True)
+class DependencySource:
+    """A project dependency source, preferably lockfile-backed."""
+
+    kind: str
+    path: Path
+    is_locked: bool
+    packages: list[LockedPackage]
+
+
+def discover_dependency_source(project_root: Path) -> DependencySource | None:
+    """Discover the strongest available dependency source for a project.
+
+    Priority: uv.lock > poetry.lock > Pipfile.lock > requirements.txt > pyproject.toml
+    """
+    uv_lock = project_root / "uv.lock"
+    if uv_lock.is_file():
+        packages = _parse_uv_lock(uv_lock)
+        return DependencySource("uv-lock", uv_lock, True, packages)
+
+    poetry_lock = project_root / "poetry.lock"
+    if poetry_lock.is_file():
+        packages = _parse_poetry_lock(poetry_lock)
+        if packages:
+            return DependencySource("poetry-lock", poetry_lock, True, packages)
+
+    pipfile_lock = project_root / "Pipfile.lock"
+    if pipfile_lock.is_file():
+        packages = _parse_pipfile_lock(pipfile_lock)
+        if packages:
+            return DependencySource("pipfile-lock", pipfile_lock, True, packages)
+
+    requirements = project_root / "requirements.txt"
+    if requirements.is_file():
+        packages = _parse_requirements(requirements)
+        if packages:
+            return DependencySource("requirements", requirements, True, packages)
+
+    pyproject = project_root / "pyproject.toml"
+    if pyproject.is_file():
+        packages = _parse_pyproject_dependencies(pyproject)
+        if packages:
+            return DependencySource("pyproject", pyproject, False, packages)
+
+    return None
+
+
+def _parse_uv_lock(path: Path) -> list[LockedPackage]:
+    with path.open("rb") as handle:
+        data = tomllib.load(handle)
+
+    packages: list[LockedPackage] = []
+    raw = data.get("package", [])
+    if not isinstance(raw, list):
+        return packages
+
+    for item in raw:
+        if not isinstance(item, dict):
+            continue
+        source = item.get("source")
+        if isinstance(source, dict) and source.get("virtual") == ".":
+            continue
+
+        name = item.get("name")
+        version = item.get("version")
+        if isinstance(name, str) and isinstance(version, str):
+            packages.append(LockedPackage(name=name, version=version))
+
+    return packages
+
+
+def _parse_requirements(path: Path) -> list[LockedPackage]:
+    packages: list[LockedPackage] = []
+    for line in path.read_text(errors="ignore").splitlines():
+        stripped = line.strip()
+        if not stripped or stripped.startswith("#"):
+            continue
+        if "==" not in stripped:
+            continue
+        name, version = stripped.split("==", 1)
+        name = name.strip()
+        version = version.strip()
+        if name and version:
+            packages.append(LockedPackage(name=name, version=version))
+    return packages
+
+
+def _parse_pyproject_dependencies(path: Path) -> list[LockedPackage]:
+    """Parse direct dependencies from pyproject.toml when no lockfile exists."""
+    with path.open("rb") as handle:
+        data = tomllib.load(handle)
+
+    project = data.get("project", {})
+    if not isinstance(project, dict):
+        return []
+
+    raw_dependencies = project.get("dependencies", [])
+    if not isinstance(raw_dependencies, list):
+        return []
+
+    packages: list[LockedPackage] = []
+    for item in raw_dependencies:
+        if not isinstance(item, str):
+            continue
+        name = item.split(";", 1)[0].strip()
+        for separator in ("==", ">=", "<=", "~=", "!=", ">", "<"):
+            if separator in name:
+                pkg, version = name.split(separator, 1)
+                packages.append(
+                    LockedPackage(name=pkg.strip(), version=version.strip())
+                )
+                break
+        else:
+            packages.append(LockedPackage(name=name, version=""))
+
+    return packages
+
+
+def _parse_poetry_lock(path: Path) -> list[LockedPackage]:
+    """Parse packages from a poetry.lock file.
+
+    poetry.lock is TOML with ``[[package]]`` entries, each having
+    ``name`` and ``version`` string fields.
+    """
+    with path.open("rb") as handle:
+        data = tomllib.load(handle)
+
+    packages: list[LockedPackage] = []
+    raw = data.get("package", [])
+    if not isinstance(raw, list):
+        return packages
+
+    for item in raw:
+        if not isinstance(item, dict):
+            continue
+        name = item.get("name")
+        version = item.get("version")
+        if isinstance(name, str) and isinstance(version, str):
+            packages.append(LockedPackage(name=name, version=version))
+
+    return packages
+
+
+def _parse_pipfile_lock(path: Path) -> list[LockedPackage]:
+    """Parse packages from a Pipfile.lock file.
+
+    Pipfile.lock is JSON with ``"default"`` and optional ``"develop"``
+    sections.  Each key is a package name and the value contains a
+    ``"version"`` field like ``"==2.31.0"``.
+    """
+    try:
+        data = json.loads(path.read_text(errors="ignore"))
+    except (json.JSONDecodeError, OSError):
+        return []
+
+    if not isinstance(data, dict):
+        return []
+
+    packages: list[LockedPackage] = []
+    for section in ("default", "develop"):
+        deps = data.get(section)
+        if not isinstance(deps, dict):
+            continue
+        for name, info in deps.items():
+            if not isinstance(info, dict):
+                continue
+            version_str = info.get("version", "")
+            if isinstance(version_str, str) and version_str.startswith("=="):
+                version = version_str[2:]
+            else:
+                version = str(version_str) if version_str else ""
+            if name and version:
+                packages.append(LockedPackage(name=name, version=version))
+
+    return packages

python_checkup/detection.py

@@ -0,0 +1,298 @@
+from __future__ import annotations
+
+import importlib.metadata
+import logging
+from collections.abc import Callable
+from dataclasses import dataclass
+from pathlib import Path
+
+logger = logging.getLogger("python_checkup")
+
+
+@dataclass
+class FrameworkInfo:
+    """Detected framework with version and confidence."""
+
+    name: str  # "django", "fastapi", "flask"
+    version: str | None
+    confidence: float  # 0.0 - 1.0
+
+
+# Directories to skip during file sampling and detection scans.
+_EXCLUDED_DIRS = frozenset(
+    {
+        ".venv",
+        "venv",
+        ".env",
+        "__pycache__",
+        ".git",
+        "node_modules",
+        ".tox",
+        ".mypy_cache",
+        ".ruff_cache",
+        "site-packages",
+        ".eggs",
+        "dist",
+        "build",
+    }
+)
+
+# Confidence threshold — below this we don't activate framework rules.
+_CONFIDENCE_THRESHOLD = 0.5
+
+
+def detect_framework(project_root: Path) -> FrameworkInfo | None:
+    """Detect the primary web framework using multiple signals.
+
+    Signals are weighted by reliability:
+    - Installed package (strongest): +0.5
+    - Config files/patterns: +0.2-0.3
+    - Import analysis: +0.1
+    - Dependency declarations: +0.3
+
+    Returns None if no framework has confidence >= 0.5.
+    """
+    candidates: dict[str, float] = {}
+    versions: dict[str, str | None] = {}
+
+    for name, detector in _FRAMEWORK_DETECTORS.items():
+        score, version = detector(project_root)
+        if score > 0:
+            candidates[name] = score
+            versions[name] = version
+
+    if not candidates:
+        return None
+
+    # Pick the highest-confidence framework
+    best = max(candidates, key=lambda k: candidates[k])
+    if candidates[best] < _CONFIDENCE_THRESHOLD:
+        return None
+
+    version = versions.get(best)
+    version_str = f"{best}-{version}" if version else best
+    logger.info(
+        "Detected framework: %s (confidence: %.1f)", version_str, candidates[best]
+    )
+
+    return FrameworkInfo(
+        name=best, version=version, confidence=min(candidates[best], 1.0)
+    )
+
+
+# Individual framework detectors
+
+
+def _detect_django(root: Path) -> tuple[float, str | None]:
+    score = 0.0
+    version: str | None = None
+
+    # Signal 1: Installed package (strongest — 0.5)
+    try:
+        version = importlib.metadata.version("django")
+        score += 0.5
+    except importlib.metadata.PackageNotFoundError:
+        pass
+
+    # Signal 2: manage.py exists (0.3)
+    if (root / "manage.py").exists():
+        score += 0.3
+
+    # Signal 3: settings.py pattern (0.1)
+    settings_files = [f for f in root.rglob("settings.py") if not _is_excluded(f, root)]
+    if settings_files:
+        score += 0.1
+
+    # Signal 4: DJANGO_SETTINGS_MODULE in any Python file (0.2)
+    for py_file in _sample_py_files(root, limit=20):
+        try:
+            content = py_file.read_text(errors="ignore")
+            if "DJANGO_SETTINGS_MODULE" in content:
+                score += 0.2
+                break
+        except OSError:
+            continue
+
+    # Signal 5: In requirements/pyproject dependencies (0.3)
+    if _in_dependency_files(root, "django"):
+        score += 0.3
+
+    # Signal 6: Import analysis (sample files) (0.1)
+    if _has_imports(root, ["from django", "import django"]):
+        score += 0.1
+
+    return score, version
+
+
+def _detect_fastapi(root: Path) -> tuple[float, str | None]:
+    score = 0.0
+    version: str | None = None
+
+    # Signal 1: Installed package (0.5)
+    try:
+        version = importlib.metadata.version("fastapi")
+        score += 0.5
+    except importlib.metadata.PackageNotFoundError:
+        pass
+
+    # Signal 2: uvicorn installed (common companion) (0.2)
+    try:
+        importlib.metadata.version("uvicorn")
+        score += 0.2
+    except importlib.metadata.PackageNotFoundError:
+        pass
+
+    # Signal 3: main.py/app.py with FastAPI() (0.3)
+    for name in ("main.py", "app.py", "api.py"):
+        f = root / name
+        if f.exists():
+            try:
+                content = f.read_text(errors="ignore")
+                if "FastAPI()" in content or "from fastapi" in content:
+                    score += 0.3
+                    break
+            except OSError:
+                continue
+
+    # Signal 4: In dependency files (0.3)
+    if _in_dependency_files(root, "fastapi"):
+        score += 0.3
+
+    # Signal 5: Import analysis (0.1)
+    if _has_imports(root, ["from fastapi", "import fastapi"]):
+        score += 0.1
+
+    return score, version
+
+
+def _detect_flask(root: Path) -> tuple[float, str | None]:
+    score = 0.0
+    version: str | None = None
+
+    # Signal 1: Installed package (0.5)
+    try:
+        version = importlib.metadata.version("flask")
+        score += 0.5
+    except importlib.metadata.PackageNotFoundError:
+        pass
+
+    # Signal 2: .flaskenv or .env with FLASK_APP (0.3)
+    for env_file in (".flaskenv", ".env"):
+        path = root / env_file
+        if path.exists():
+            try:
+                content = path.read_text(errors="ignore")
+                if "FLASK_APP" in content:
+                    score += 0.3
+                    break
+            except OSError:
+                continue
+
+    # Signal 3: app.py with Flask(__name__) (0.3)
+    for name in ("app.py", "application.py", "wsgi.py"):
+        f = root / name
+        if f.exists():
+            try:
+                content = f.read_text(errors="ignore")
+                if "Flask(__name__)" in content or "from flask" in content:
+                    score += 0.3
+                    break
+            except OSError:
+                continue
+
+    # Signal 4: In dependency files (0.3)
+    if _in_dependency_files(root, "flask"):
+        score += 0.3
+
+    # Signal 5: Import analysis (0.1)
+    if _has_imports(root, ["from flask", "import flask"]):
+        score += 0.1
+
+    return score, version
+
+
+# Detector registry
+
+
+_FRAMEWORK_DETECTORS: dict[str, Callable[[Path], tuple[float, str | None]]] = {
+    "django": _detect_django,
+    "fastapi": _detect_fastapi,
+    "flask": _detect_flask,
+}
+
+
+# Helpers
+
+
+def _is_excluded(path: Path, root: Path) -> bool:
+    try:
+        parts = path.relative_to(root).parts
+    except ValueError:
+        return True
+    return any(part in _EXCLUDED_DIRS for part in parts)
+
+
+def _sample_py_files(root: Path, limit: int = 20) -> list[Path]:
+    files: list[Path] = []
+    for py_file in root.rglob("*.py"):
+        if _is_excluded(py_file, root):
+            continue
+        files.append(py_file)
+        if len(files) >= limit:
+            break
+    return files
+
+
+def _in_dependency_files(root: Path, package: str) -> bool:
+    """Check if package appears in requirements.txt or pyproject.toml."""
+    pkg_lower = package.lower()
+
+    # requirements.txt variants
+    for req_name in (
+        "requirements.txt",
+        "requirements/base.txt",
+        "requirements/main.txt",
+        "requirements/prod.txt",
+    ):
+        req_path = root / req_name
+        if req_path.exists():
+            try:
+                content = req_path.read_text(errors="ignore").lower()
+                if pkg_lower in content:
+                    return True
+            except OSError:
+                continue
+
+    # pyproject.toml
+    pyproject = root / "pyproject.toml"
+    if pyproject.exists():
+        try:
+            content = pyproject.read_text(errors="ignore").lower()
+            if f'"{pkg_lower}' in content or f"'{pkg_lower}" in content:
+                return True
+        except OSError:
+            pass
+
+    # Pipfile
+    pipfile = root / "Pipfile"
+    if pipfile.exists():
+        try:
+            content = pipfile.read_text(errors="ignore").lower()
+            if pkg_lower in content:
+                return True
+        except OSError:
+            pass
+
+    return False
+
+
+def _has_imports(root: Path, patterns: list[str]) -> bool:
+    for py_file in _sample_py_files(root, limit=20):
+        try:
+            content = py_file.read_text(errors="ignore")
+            for pattern in patterns:
+                if pattern in content:
+                    return True
+        except OSError:
+            continue
+    return False