repak 0.1.0__tar.gz

repak-0.1.0/PKG-INFO

@@ -0,0 +1,8 @@
+Metadata-Version: 2.4
+Name: repak
+Version: 0.1.0
+Summary: Transfer a local directory across a network boundary via a synthetic PyPI wheel
+Requires-Python: >=3.9
+Requires-Dist: twine>=4.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"

repak-0.1.0/pyproject.toml

@@ -0,0 +1,25 @@
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "repak"
+version = "0.1.0"
+description = "Transfer a local directory across a network boundary via a synthetic PyPI wheel"
+requires-python = ">=3.9"
+dependencies = ["twine>=4.0"]
+
+[project.optional-dependencies]
+dev = ["pytest>=7.0"]
+
+[project.scripts]
+repak = "repak.cli:main"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.setuptools.package-data]
+repak = ["unpak_template.py"]
+
+[tool.pytest.ini_options]
+markers = ["slow: end-to-end tests that build venvs and install wheels"]

repak-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

repak-0.1.0/src/repak/__init__.py

@@ -0,0 +1,5 @@
+"""repak: package a local directory as a synthetic PyPI wheel for transport."""
+
+__all__ = ["__version__"]
+
+__version__ = "0.1.0"

repak-0.1.0/src/repak/archive.py

@@ -0,0 +1,64 @@
+"""Build a deterministic ``tar.gz`` of a directory's contents + checksum."""
+
+from __future__ import annotations
+
+import gzip
+import hashlib
+import io
+import os
+import tarfile
+from dataclasses import dataclass
+from pathlib import Path
+from typing import List
+
+VCS_DIRS = {".git", ".hg", ".svn", ".bzr"}
+
+# Fixed timestamp so identical trees produce identical archives (helps make
+# uploads/tests reproducible). 2020-01-01 UTC.
+_FIXED_MTIME = 1577836800
+
+
+@dataclass
+class Archive:
+    data: bytes
+    sha256: str
+    size: int  # compressed size in bytes
+
+
+def _iter_files(root: Path) -> List[Path]:
+    collected: List[Path] = []
+    for dirpath, dirnames, filenames in os.walk(root):
+        # Prune VCS directories in-place so os.walk does not descend.
+        dirnames[:] = sorted(d for d in dirnames if d not in VCS_DIRS)
+        for name in sorted(filenames):
+            collected.append(Path(dirpath) / name)
+    return collected
+
+
+def build_archive(source_dir: str | os.PathLike) -> Archive:
+    """Tar (gzip) the *contents* of ``source_dir`` at the archive root.
+
+    VCS directories are excluded. The archive and its SHA-256 are
+    deterministic for a given set of file contents and relative paths.
+    """
+    root = Path(source_dir).resolve()
+    if not root.is_dir():
+        raise NotADirectoryError(f"{root} is not a directory")
+
+    raw = io.BytesIO()
+    with tarfile.open(fileobj=raw, mode="w") as tar:
+        for path in _iter_files(root):
+            rel = path.relative_to(root).as_posix()
+            info = tar.gettarinfo(str(path), arcname=rel)
+            info.mtime = _FIXED_MTIME
+            info.uid = info.gid = 0
+            info.uname = info.gname = ""
+            if info.isreg():
+                with open(path, "rb") as fh:
+                    tar.addfile(info, fh)
+            else:
+                tar.addfile(info)
+
+    compressed = gzip.compress(raw.getvalue(), compresslevel=9, mtime=0)
+    digest = hashlib.sha256(compressed).hexdigest()
+    return Archive(data=compressed, sha256=digest, size=len(compressed))

repak-0.1.0/src/repak/cli.py

@@ -0,0 +1,143 @@
+"""repak command-line entry point (upload side)."""
+
+from __future__ import annotations
+
+import argparse
+import os
+import sys
+import tempfile
+from pathlib import Path
+
+from . import naming, pypi, versioning
+from .archive import build_archive
+from .wheel import WheelTooLarge, build_wheel
+
+TOKEN_ENV_VARS = ("PYPI_TOKEN", "TWINE_PASSWORD")
+
+
+def _get_token() -> str:
+    for var in TOKEN_ENV_VARS:
+        val = os.environ.get(var)
+        if val:
+            return val
+    raise SystemExit(
+        "ERROR: no PyPI token found. Set the PYPI_TOKEN environment variable "
+        "to a PyPI API token (passed via the environment, never as a flag, "
+        "so it stays out of shell history and process listings)."
+    )
+
+
+def _confirm(prompt: str, assume_yes: bool) -> bool:
+    if assume_yes:
+        return True
+    try:
+        answer = input(f"{prompt} [y/N] ").strip().lower()
+    except EOFError:
+        return False
+    return answer in ("y", "yes")
+
+
+def _parse_args(argv):
+    parser = argparse.ArgumentParser(
+        prog="repak",
+        description="Package a local directory as a synthetic PyPI wheel and "
+        "upload it to public PyPI for transport into an isolated mirror.",
+    )
+    parser.add_argument(
+        "--path",
+        default=".",
+        help="Directory to package (default: current directory).",
+    )
+    parser.add_argument(
+        "--yes",
+        "-y",
+        action="store_true",
+        help="Skip confirmation prompts (for non-interactive use).",
+    )
+    return parser.parse_args(argv)
+
+
+def main(argv=None) -> int:
+    args = _parse_args(argv)
+
+    source = Path(args.path).resolve()
+    if not source.is_dir():
+        sys.stderr.write(f"ERROR: {source} is not a directory.\n")
+        return 1
+
+    try:
+        pypi_name = naming.pypi_name(source.name)
+    except naming.NameError_ as exc:
+        sys.stderr.write(f"ERROR: {exc}\n")
+        return 1
+
+    token = _get_token()
+
+    info = pypi.query(pypi_name)
+    if info.exists and not info.is_repak:
+        sys.stderr.write(
+            f"ERROR: '{pypi_name}' already exists on PyPI but was not created "
+            "by repak (no repak marker). Refusing to collide with an "
+            "unrelated package. Rename the source folder and retry.\n"
+        )
+        return 1
+
+    try:
+        version = versioning.next_version(info.versions if info.exists else None)
+    except versioning.VersionExhausted as exc:
+        sys.stderr.write(f"ERROR: {exc}\n")
+        return 1
+
+    if not info.exists:
+        print(f"Creating new package {pypi_name} at version {version}")
+    else:
+        latest = info.versions[-1] if info.versions else "?"
+        print(
+            f"Warning: {pypi_name} already exists at version {latest}\n"
+            f"This upload will create version {version}."
+        )
+        if not _confirm("Proceed?", args.yes):
+            print("Aborted.")
+            return 1
+
+    archive = build_archive(source)
+    print(
+        f"Archived contents of {source} "
+        f"({archive.size / (1024 * 1024):.2f} MiB compressed, "
+        f"sha256 {archive.sha256[:16]}...)"
+    )
+
+    with tempfile.TemporaryDirectory() as tmp:
+        try:
+            wheel = build_wheel(source.name, version, archive, tmp)
+        except WheelTooLarge as exc:
+            sys.stderr.write(f"ERROR: {exc}\n")
+            return 1
+
+        print(
+            f"Built wheel {wheel.filename} "
+            f"({wheel.size / (1024 * 1024):.2f} MiB)"
+        )
+        if not _confirm(f"Upload {wheel.filename} to public PyPI?", args.yes):
+            print("Aborted.")
+            return 1
+
+        try:
+            pypi.upload(wheel.path, token)
+        except pypi.UploadError as exc:
+            sys.stderr.write(f"ERROR: {exc}\n")
+            return 1
+
+    script = naming.console_script(source.name)
+    print(
+        f"\nUploaded {pypi_name} {version} to public PyPI.\n"
+        "Note: propagation to the internal mirror is NOT immediate; there is "
+        "an unknown sync lag before it becomes installable in the isolated "
+        "environment.\n"
+        f"Once available: pip install {pypi_name} && {script} /target/folder"
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

repak-0.1.0/src/repak/naming.py

@@ -0,0 +1,43 @@
+"""Folder name -> PyPI package name / Python module name normalization."""
+
+from __future__ import annotations
+
+import re
+
+REPAK_PREFIX = "repak"
+
+
+class NameError_(ValueError):
+    """Raised when a folder name cannot be normalized to a valid name."""
+
+
+def normalize(folder_name: str) -> str:
+    """Normalize a folder basename to a PEP 503-style component.
+
+    Lowercase, runs of non-alphanumeric characters collapse to a single
+    hyphen, leading/trailing hyphens stripped.
+    """
+    lowered = folder_name.strip().lower()
+    collapsed = re.sub(r"[^a-z0-9]+", "-", lowered)
+    stripped = collapsed.strip("-")
+    if not stripped:
+        raise NameError_(
+            f"folder name {folder_name!r} does not contain any characters "
+            "usable in a PyPI package name"
+        )
+    return stripped
+
+
+def pypi_name(folder_name: str) -> str:
+    """Return the public PyPI distribution name: ``repak-{normalized}``."""
+    return f"{REPAK_PREFIX}-{normalize(folder_name)}"
+
+
+def module_name(folder_name: str) -> str:
+    """Return the import package name: ``repak_{normalized_with_underscores}``."""
+    return f"{REPAK_PREFIX}_{normalize(folder_name).replace('-', '_')}"
+
+
+def console_script(folder_name: str) -> str:
+    """Return the destination-side console command: ``unpak-{normalized}``."""
+    return f"unpak-{normalize(folder_name)}"

repak-0.1.0/src/repak/pypi.py

@@ -0,0 +1,75 @@
+"""PyPI interaction: version query, repak-marker detection, twine upload."""
+
+from __future__ import annotations
+
+import json
+import subprocess
+import sys
+import urllib.error
+import urllib.request
+from dataclasses import dataclass
+from pathlib import Path
+from typing import List, Optional
+
+from .wheel import MARKER
+
+PYPI_JSON_URL = "https://pypi.org/pypi/{name}/json"
+
+
+@dataclass
+class PackageInfo:
+    exists: bool
+    versions: List[str]
+    is_repak: bool  # True only if an existing package carries the repak marker
+
+
+class UploadError(RuntimeError):
+    pass
+
+
+def query(pypi_name: str, *, timeout: float = 15.0) -> PackageInfo:
+    """Look up ``pypi_name`` on public PyPI.
+
+    A 404 means the name is free. If it exists, the repak marker keyword
+    distinguishes a package repak itself created from an unrelated public
+    package that merely shares the name.
+    """
+    url = PYPI_JSON_URL.format(name=pypi_name)
+    try:
+        with urllib.request.urlopen(url, timeout=timeout) as resp:
+            payload = json.loads(resp.read().decode("utf-8"))
+    except urllib.error.HTTPError as exc:
+        if exc.code == 404:
+            return PackageInfo(exists=False, versions=[], is_repak=False)
+        raise
+
+    versions = sorted((payload.get("releases") or {}).keys())
+    info = payload.get("info") or {}
+    keywords = (info.get("keywords") or "").lower()
+    is_repak = MARKER in keywords
+    return PackageInfo(exists=True, versions=versions, is_repak=is_repak)
+
+
+def upload(wheel_path: str | Path, token: str, *, repository_url: Optional[str] = None) -> None:
+    """Upload a wheel with ``twine`` using token auth.
+
+    The token is passed via the environment (``TWINE_PASSWORD`` with
+    ``TWINE_USERNAME=__token__``) so it never appears in argv or shell
+    history.
+    """
+    env = {
+        "TWINE_USERNAME": "__token__",
+        "TWINE_PASSWORD": token,
+    }
+    import os
+
+    full_env = {**os.environ, **env}
+    cmd = [sys.executable, "-m", "twine", "upload", str(wheel_path)]
+    if repository_url:
+        cmd[4:4] = ["--repository-url", repository_url]
+    result = subprocess.run(cmd, env=full_env, capture_output=True, text=True)
+    if result.returncode != 0:
+        raise UploadError(
+            "twine upload failed:\n"
+            f"{result.stdout}\n{result.stderr}".strip()
+        )

repak-0.1.0/src/repak/unpak_template.py

@@ -0,0 +1,102 @@
+"""Self-contained extractor embedded into every repak-generated wheel.
+
+This module ships *inside* the synthetic wheel as ``<pkg>/_unpak.py`` and is
+wired to the ``unpak-{name}`` console script. It must depend only on the
+Python standard library: repak is not installed on the destination side.
+"""
+
+from __future__ import annotations
+
+import argparse
+import hashlib
+import io
+import os
+import sys
+import tarfile
+from importlib import resources
+from pathlib import Path
+
+PAYLOAD = "payload.tar.gz"
+CHECKSUM = "payload.sha256"
+
+
+def _read_resource(name: str) -> bytes:
+    return resources.files(__package__).joinpath(name).read_bytes()
+
+
+def _safe_members(tar: tarfile.TarFile, dest: Path):
+    """Yield only members that extract safely under ``dest``.
+
+    Rejects absolute paths and ``..`` traversal; restricts to regular files
+    and directories (mirrors the intent of tarfile's ``data`` filter while
+    remaining compatible with Python 3.9).
+    """
+    dest = dest.resolve()
+    for member in tar.getmembers():
+        name = member.name
+        if name.startswith("/") or os.path.isabs(name):
+            raise ValueError(f"unsafe absolute path in archive: {name!r}")
+        target = (dest / name).resolve()
+        if target != dest and dest not in target.parents:
+            raise ValueError(f"unsafe path traversal in archive: {name!r}")
+        if member.isdir() or member.isreg():
+            yield member
+        else:
+            raise ValueError(
+                f"archive contains unsupported entry {name!r} "
+                f"(type {member.type!r})"
+            )
+
+
+def _extract(data: bytes, dest: Path) -> None:
+    dest.mkdir(parents=True, exist_ok=True)
+    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
+        members = list(_safe_members(tar, dest))
+        for member in members:
+            out = dest / member.name
+            if member.isdir():
+                out.mkdir(parents=True, exist_ok=True)
+                continue
+            out.parent.mkdir(parents=True, exist_ok=True)
+            src = tar.extractfile(member)
+            if src is None:
+                continue
+            with open(out, "wb") as fh:
+                fh.write(src.read())
+            os.chmod(out, member.mode & 0o777)
+
+
+def main(argv=None) -> int:
+    parser = argparse.ArgumentParser(
+        prog=f"unpak ({__package__})",
+        description="Verify and extract a repak-transported directory.",
+    )
+    parser.add_argument(
+        "target",
+        help="Destination folder; created if missing. Existing unrelated "
+        "files are left untouched (overwrite/merge).",
+    )
+    args = parser.parse_args(argv)
+
+    data = _read_resource(PAYLOAD)
+    expected = _read_resource(CHECKSUM).decode("ascii").strip()
+    actual = hashlib.sha256(data).hexdigest()
+    if actual != expected:
+        sys.stderr.write(
+            "ERROR: checksum verification failed; the payload is corrupt "
+            "and nothing was written.\n"
+            f"  expected: {expected}\n"
+            f"  actual:   {actual}\n"
+        )
+        return 1
+
+    dest = Path(args.target)
+    _extract(data, dest)
+    sys.stdout.write(
+        f"Verified SHA-256 and extracted contents to {dest.resolve()}\n"
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

repak-0.1.0/src/repak/versioning.py

@@ -0,0 +1,47 @@
+"""Version scheme: 0.N where N is an integer 1..99.
+
+Sequence: 0.1, 0.2, ... 0.9, 0.10, 0.11, ... 0.99 (99 uploads per package).
+"""
+
+from __future__ import annotations
+
+import re
+from typing import Iterable, Optional
+
+_VERSION_RE = re.compile(r"^0\.(\d+)$")
+
+MIN_MINOR = 1
+MAX_MINOR = 99
+
+
+class VersionExhausted(RuntimeError):
+    """Raised when the 0.99 ceiling has been reached for a package."""
+
+
+def next_version(existing: Optional[Iterable[str]]) -> str:
+    """Return the next ``0.N`` version string.
+
+    ``None`` or an empty iterable means the package does not exist yet, so
+    versioning starts at ``0.1``. Otherwise the next version is one greater
+    than the highest ``0.N`` already published; non-conforming version
+    strings are ignored.
+    """
+    if not existing:
+        return f"0.{MIN_MINOR}"
+
+    minors = [
+        int(m.group(1))
+        for m in (_VERSION_RE.match(v.strip()) for v in existing)
+        if m is not None
+    ]
+    if not minors:
+        return f"0.{MIN_MINOR}"
+
+    current = max(minors)
+    nxt = current + 1
+    if nxt > MAX_MINOR:
+        raise VersionExhausted(
+            f"package has reached the maximum version 0.{MAX_MINOR}; "
+            "no further uploads are possible under this package name"
+        )
+    return f"0.{nxt}"

repak-0.1.0/src/repak/wheel.py

@@ -0,0 +1,108 @@
+"""Hand-built synthetic wheel: a transport container, not a real package."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import zipfile
+from dataclasses import dataclass
+from importlib import resources
+from pathlib import Path
+from typing import Dict
+
+from . import naming
+from .archive import Archive
+from .unpak_template import CHECKSUM, PAYLOAD
+
+MARKER = "repak-transport-container"
+
+# PyPI's default per-file upload limit.
+MAX_WHEEL_BYTES = 100 * 1024 * 1024
+
+
+class WheelTooLarge(RuntimeError):
+    def __init__(self, size: int):
+        self.size = size
+        super().__init__(
+            f"generated wheel is {size / (1024 * 1024):.2f} MiB, which "
+            f"exceeds PyPI's {MAX_WHEEL_BYTES // (1024 * 1024)} MiB per-file "
+            "limit. Reduce the directory size and try again."
+        )
+
+
+@dataclass
+class BuiltWheel:
+    path: Path
+    size: int
+    filename: str
+
+
+def _record_hash(data: bytes) -> str:
+    digest = hashlib.sha256(data).digest()
+    b64 = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
+    return f"sha256={b64}"
+
+
+def _unpak_source() -> str:
+    return resources.files("repak").joinpath("unpak_template.py").read_text(
+        encoding="utf-8"
+    )
+
+
+def build_wheel(
+    folder_name: str,
+    version: str,
+    archive: Archive,
+    out_dir: str | Path,
+) -> BuiltWheel:
+    """Write ``repak_{name}-{version}-py3-none-any.whl`` into ``out_dir``."""
+    pkg = naming.module_name(folder_name)
+    dist_name = naming.pypi_name(folder_name)
+    script = naming.console_script(folder_name)
+    dist_info = f"{pkg}-{version}.dist-info"
+
+    metadata = (
+        "Metadata-Version: 2.1\n"
+        f"Name: {dist_name}\n"
+        f"Version: {version}\n"
+        "Summary: Directory payload transported by repak.\n"
+        f"Keywords: {MARKER}\n"
+    )
+    wheel_meta = (
+        "Wheel-Version: 1.0\n"
+        "Generator: repak\n"
+        "Root-Is-Purelib: true\n"
+        "Tag: py3-none-any\n"
+    )
+    entry_points = f"[console_scripts]\n{script} = {pkg}._unpak:main\n"
+
+    files: Dict[str, bytes] = {
+        f"{pkg}/__init__.py": b"",
+        f"{pkg}/_unpak.py": _unpak_source().encode("utf-8"),
+        f"{pkg}/{PAYLOAD}": archive.data,
+        f"{pkg}/{CHECKSUM}": archive.sha256.encode("ascii") + b"\n",
+        f"{dist_info}/METADATA": metadata.encode("utf-8"),
+        f"{dist_info}/WHEEL": wheel_meta.encode("utf-8"),
+        f"{dist_info}/entry_points.txt": entry_points.encode("utf-8"),
+    }
+
+    record_lines = [
+        f"{name},{_record_hash(data)},{len(data)}"
+        for name, data in files.items()
+    ]
+    record_path = f"{dist_info}/RECORD"
+    record_lines.append(f"{record_path},,")
+    files[record_path] = ("\n".join(record_lines) + "\n").encode("utf-8")
+
+    filename = f"{pkg}-{version}-py3-none-any.whl"
+    out_path = Path(out_dir) / filename
+    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
+        for name, data in files.items():
+            zf.writestr(name, data)
+
+    size = out_path.stat().st_size
+    if size > MAX_WHEEL_BYTES:
+        out_path.unlink(missing_ok=True)
+        raise WheelTooLarge(size)
+
+    return BuiltWheel(path=out_path, size=size, filename=filename)

repak-0.1.0/src/repak.egg-info/PKG-INFO

@@ -0,0 +1,8 @@
+Metadata-Version: 2.4
+Name: repak
+Version: 0.1.0
+Summary: Transfer a local directory across a network boundary via a synthetic PyPI wheel
+Requires-Python: >=3.9
+Requires-Dist: twine>=4.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"

repak-0.1.0/src/repak.egg-info/SOURCES.txt

@@ -0,0 +1,22 @@
+pyproject.toml
+src/repak/__init__.py
+src/repak/archive.py
+src/repak/cli.py
+src/repak/naming.py
+src/repak/pypi.py
+src/repak/unpak_template.py
+src/repak/versioning.py
+src/repak/wheel.py
+src/repak.egg-info/PKG-INFO
+src/repak.egg-info/SOURCES.txt
+src/repak.egg-info/dependency_links.txt
+src/repak.egg-info/entry_points.txt
+src/repak.egg-info/requires.txt
+src/repak.egg-info/top_level.txt
+tests/test_archive.py
+tests/test_e2e.py
+tests/test_extract.py
+tests/test_naming.py
+tests/test_pypi.py
+tests/test_versioning.py
+tests/test_wheel.py

repak-0.1.0/src/repak.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

repak-0.1.0/src/repak.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+repak = repak.cli:main

repak-0.1.0/src/repak.egg-info/requires.txt

@@ -0,0 +1,4 @@
+twine>=4.0
+
+[dev]
+pytest>=7.0

repak-0.1.0/src/repak.egg-info/top_level.txt

@@ -0,0 +1 @@
+repak

repak-0.1.0/tests/test_archive.py

@@ -0,0 +1,32 @@
+import hashlib
+import io
+import tarfile
+
+from repak.archive import build_archive
+
+
+def _names(data: bytes):
+    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
+        return sorted(tar.getnames())
+
+
+def test_excludes_vcs_and_keeps_contents(sample_tree):
+    arc = build_archive(sample_tree)
+    names = _names(arc.data)
+    assert "a.txt" in names
+    assert "sub/b.bin" in names
+    assert "sub/nested/c.txt" in names
+    assert not any(n.startswith(".git") for n in names)
+
+
+def test_checksum_matches_data(sample_tree):
+    arc = build_archive(sample_tree)
+    assert arc.sha256 == hashlib.sha256(arc.data).hexdigest()
+    assert arc.size == len(arc.data)
+
+
+def test_deterministic(sample_tree):
+    a = build_archive(sample_tree)
+    b = build_archive(sample_tree)
+    assert a.sha256 == b.sha256
+    assert a.data == b.data

repak-0.1.0/tests/test_e2e.py

@@ -0,0 +1,85 @@
+"""End-to-end: build a wheel, pip install it into a venv, run unpak."""
+
+import subprocess
+import sys
+import venv
+import zipfile
+from pathlib import Path
+
+import pytest
+
+from repak.archive import build_archive
+from repak.wheel import build_wheel
+
+
+def _venv_bin(env_dir: Path) -> Path:
+    scripts = "Scripts" if sys.platform == "win32" else "bin"
+    return env_dir / scripts
+
+
+@pytest.mark.slow
+def test_install_and_unpak_roundtrip(sample_tree, tmp_path):
+    arc = build_archive(sample_tree)
+    built = build_wheel("MyProject", "0.1", arc, tmp_path)
+
+    env_dir = tmp_path / "venv"
+    venv.create(env_dir, with_pip=True)
+    bin_dir = _venv_bin(env_dir)
+    py = bin_dir / ("python.exe" if sys.platform == "win32" else "python")
+
+    subprocess.run(
+        [str(py), "-m", "pip", "install", "--no-index", str(built.path)],
+        check=True,
+        capture_output=True,
+    )
+
+    target = tmp_path / "landing"
+    script = bin_dir / "unpak-myproject"
+    result = subprocess.run(
+        [str(script), str(target)], capture_output=True, text=True
+    )
+    assert result.returncode == 0, result.stderr
+    assert (target / "a.txt").read_text() == "hello\n"
+    assert (target / "sub" / "nested" / "c.txt").read_text() == "deep\n"
+    assert not (target / ".git").exists()
+
+    # Idempotent re-run.
+    r2 = subprocess.run(
+        [str(script), str(target)], capture_output=True, text=True
+    )
+    assert r2.returncode == 0
+    assert (target / "a.txt").read_text() == "hello\n"
+
+
+@pytest.mark.slow
+def test_tampered_payload_fails_checksum(sample_tree, tmp_path):
+    arc = build_archive(sample_tree)
+    built = build_wheel("MyProject", "0.1", arc, tmp_path)
+
+    # Rewrite the wheel with a corrupted payload but original checksum.
+    tampered = tmp_path / built.filename
+    with zipfile.ZipFile(built.path) as zin:
+        items = {n: zin.read(n) for n in zin.namelist()}
+    items["repak_myproject/payload.tar.gz"] += b"corruption"
+    with zipfile.ZipFile(tampered, "w") as zout:
+        for n, d in items.items():
+            zout.writestr(n, d)
+
+    env_dir = tmp_path / "venv"
+    venv.create(env_dir, with_pip=True)
+    bin_dir = _venv_bin(env_dir)
+    py = bin_dir / ("python.exe" if sys.platform == "win32" else "python")
+    subprocess.run(
+        [str(py), "-m", "pip", "install", "--no-index", str(tampered)],
+        check=True,
+        capture_output=True,
+    )
+
+    target = tmp_path / "landing"
+    script = bin_dir / "unpak-myproject"
+    result = subprocess.run(
+        [str(script), str(target)], capture_output=True, text=True
+    )
+    assert result.returncode == 1
+    assert "checksum verification failed" in result.stderr
+    assert not target.exists() or not any(target.iterdir())

repak-0.1.0/tests/test_extract.py

@@ -0,0 +1,53 @@
+import io
+import tarfile
+
+import pytest
+
+from repak import unpak_template as ut
+
+
+def _make_tar(entries):
+    raw = io.BytesIO()
+    with tarfile.open(fileobj=raw, mode="w:gz") as tar:
+        for name, data in entries:
+            info = tarfile.TarInfo(name)
+            info.size = len(data)
+            tar.addfile(info, io.BytesIO(data))
+    return raw.getvalue()
+
+
+def test_extract_creates_target_and_files(tmp_path):
+    data = _make_tar([("a.txt", b"A"), ("d/b.txt", b"B")])
+    dest = tmp_path / "out"
+    ut._extract(data, dest)
+    assert (dest / "a.txt").read_bytes() == b"A"
+    assert (dest / "d" / "b.txt").read_bytes() == b"B"
+
+
+def test_overwrite_merge_idempotent(tmp_path):
+    dest = tmp_path / "out"
+    dest.mkdir()
+    (dest / "unrelated.txt").write_text("keep me")
+
+    data = _make_tar([("a.txt", b"v1")])
+    ut._extract(data, dest)
+    ut._extract(data, dest)  # idempotent
+    assert (dest / "a.txt").read_bytes() == b"v1"
+    assert (dest / "unrelated.txt").read_text() == "keep me"
+
+    data2 = _make_tar([("a.txt", b"v2")])
+    ut._extract(data2, dest)  # overwrite in place
+    assert (dest / "a.txt").read_bytes() == b"v2"
+    assert (dest / "unrelated.txt").read_text() == "keep me"
+
+
+def test_rejects_path_traversal(tmp_path):
+    data = _make_tar([("../evil.txt", b"x")])
+    with pytest.raises(ValueError):
+        ut._extract(data, tmp_path / "out")
+
+
+def test_rejects_absolute_path(tmp_path):
+    data = _make_tar([("/etc/evil", b"x")])
+    with pytest.raises(ValueError):
+        ut._extract(data, tmp_path / "out")

repak-0.1.0/tests/test_naming.py

@@ -0,0 +1,29 @@
+import pytest
+
+from repak import naming
+
+
+@pytest.mark.parametrize(
+    "folder,expected",
+    [
+        ("MyProject", "myproject"),
+        ("my_project", "my-project"),
+        ("My.Cool  Project!!", "my-cool-project"),
+        ("--weird--", "weird"),
+        ("a___b...c", "a-b-c"),
+    ],
+)
+def test_normalize(folder, expected):
+    assert naming.normalize(folder) == expected
+
+
+def test_pypi_module_script_names():
+    assert naming.pypi_name("My_Proj") == "repak-my-proj"
+    assert naming.module_name("My_Proj") == "repak_my_proj"
+    assert naming.console_script("My_Proj") == "unpak-my-proj"
+
+
+@pytest.mark.parametrize("bad", ["", "   ", "!!!", "---"])
+def test_invalid_names_rejected(bad):
+    with pytest.raises(naming.NameError_):
+        naming.normalize(bad)

repak-0.1.0/tests/test_pypi.py

@@ -0,0 +1,95 @@
+import io
+import json
+import urllib.error
+
+import pytest
+
+from repak import pypi
+from repak.wheel import MARKER
+
+
+class _Resp(io.BytesIO):
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *a):
+        self.close()
+
+
+def _fake_urlopen(payload):
+    def _open(url, timeout=0):
+        return _Resp(json.dumps(payload).encode())
+
+    return _open
+
+
+def test_query_not_found(monkeypatch):
+    def _raise(url, timeout=0):
+        raise urllib.error.HTTPError(url, 404, "nf", {}, None)
+
+    monkeypatch.setattr(pypi.urllib.request, "urlopen", _raise)
+    info = pypi.query("repak-missing")
+    assert info.exists is False and info.is_repak is False
+
+
+def test_query_existing_repak(monkeypatch):
+    payload = {
+        "releases": {"0.1": [], "0.2": []},
+        "info": {"keywords": f"foo, {MARKER}"},
+    }
+    monkeypatch.setattr(
+        pypi.urllib.request, "urlopen", _fake_urlopen(payload)
+    )
+    info = pypi.query("repak-thing")
+    assert info.exists and info.is_repak
+    assert info.versions == ["0.1", "0.2"]
+
+
+def test_query_existing_unrelated(monkeypatch):
+    payload = {"releases": {"1.0": []}, "info": {"keywords": "other"}}
+    monkeypatch.setattr(
+        pypi.urllib.request, "urlopen", _fake_urlopen(payload)
+    )
+    info = pypi.query("repak-thing")
+    assert info.exists and not info.is_repak
+
+
+def test_upload_passes_token_via_env(monkeypatch, tmp_path):
+    wheel = tmp_path / "x.whl"
+    wheel.write_bytes(b"data")
+    captured = {}
+
+    class _Result:
+        returncode = 0
+        stdout = ""
+        stderr = ""
+
+    def _run(cmd, env=None, capture_output=False, text=False):
+        captured["cmd"] = cmd
+        captured["env"] = env
+        return _Result()
+
+    monkeypatch.setattr(pypi.subprocess, "run", _run)
+    pypi.upload(wheel, "pypi-secret-token")
+
+    assert "twine" in captured["cmd"]
+    assert str(wheel) in captured["cmd"]
+    assert "pypi-secret-token" not in captured["cmd"]
+    assert captured["env"]["TWINE_USERNAME"] == "__token__"
+    assert captured["env"]["TWINE_PASSWORD"] == "pypi-secret-token"
+
+
+def test_upload_error(monkeypatch, tmp_path):
+    wheel = tmp_path / "x.whl"
+    wheel.write_bytes(b"data")
+
+    class _Result:
+        returncode = 1
+        stdout = "boom"
+        stderr = "fail"
+
+    monkeypatch.setattr(
+        pypi.subprocess, "run", lambda *a, **k: _Result()
+    )
+    with pytest.raises(pypi.UploadError):
+        pypi.upload(wheel, "tok")

repak-0.1.0/tests/test_versioning.py

@@ -0,0 +1,31 @@
+import pytest
+
+from repak import versioning
+
+
+def test_new_package_starts_at_0_1():
+    assert versioning.next_version(None) == "0.1"
+    assert versioning.next_version([]) == "0.1"
+
+
+def test_increment_single_digit():
+    assert versioning.next_version(["0.1"]) == "0.2"
+
+
+def test_increment_rolls_into_two_digits():
+    assert versioning.next_version(["0.8", "0.9"]) == "0.10"
+    assert versioning.next_version(["0.10", "0.11"]) == "0.12"
+
+
+def test_picks_max_existing():
+    assert versioning.next_version(["0.3", "0.1", "0.12", "0.2"]) == "0.13"
+
+
+def test_non_conforming_versions_ignored():
+    assert versioning.next_version(["1.0", "0.0.1", "garbage"]) == "0.1"
+    assert versioning.next_version(["1.0", "0.5"]) == "0.6"
+
+
+def test_ceiling_raises():
+    with pytest.raises(versioning.VersionExhausted):
+        versioning.next_version(["0.99"])

repak-0.1.0/tests/test_wheel.py

@@ -0,0 +1,68 @@
+import base64
+import hashlib
+import zipfile
+
+import pytest
+
+from repak import wheel
+from repak.archive import build_archive
+
+
+def _build(sample_tree, tmp_path, version="0.1"):
+    arc = build_archive(sample_tree)
+    return wheel.build_wheel("MyProject", version, arc, tmp_path), arc
+
+
+def test_wheel_structure(sample_tree, tmp_path):
+    built, arc = _build(sample_tree, tmp_path)
+    assert built.filename == "repak_myproject-0.1-py3-none-any.whl"
+
+    with zipfile.ZipFile(built.path) as zf:
+        names = set(zf.namelist())
+        assert "repak_myproject/_unpak.py" in names
+        assert "repak_myproject/payload.tar.gz" in names
+        assert "repak_myproject/payload.sha256" in names
+
+        ep = zf.read(
+            "repak_myproject-0.1.dist-info/entry_points.txt"
+        ).decode()
+        assert ep == "[console_scripts]\nunpak-myproject = repak_myproject._unpak:main\n"
+
+        meta = zf.read("repak_myproject-0.1.dist-info/METADATA").decode()
+        assert "Name: repak-myproject" in meta
+        assert f"Keywords: {wheel.MARKER}" in meta
+
+        payload = zf.read("repak_myproject/payload.tar.gz")
+        assert payload == arc.data
+        checksum = zf.read("repak_myproject/payload.sha256").decode().strip()
+        assert checksum == arc.sha256
+
+
+def test_record_hashes_valid(sample_tree, tmp_path):
+    built, _ = _build(sample_tree, tmp_path)
+    with zipfile.ZipFile(built.path) as zf:
+        record = zf.read(
+            "repak_myproject-0.1.dist-info/RECORD"
+        ).decode().splitlines()
+        entries = {}
+        for line in record:
+            path, h, size = line.rsplit(",", 2)
+            entries[path] = (h, size)
+
+        for path, (h, size) in entries.items():
+            if path.endswith("RECORD"):
+                assert h == "" and size == ""
+                continue
+            data = zf.read(path)
+            expected = base64.urlsafe_b64encode(
+                hashlib.sha256(data).digest()
+            ).rstrip(b"=").decode()
+            assert h == f"sha256={expected}"
+            assert size == str(len(data))
+
+
+def test_size_limit(monkeypatch, sample_tree, tmp_path):
+    monkeypatch.setattr(wheel, "MAX_WHEEL_BYTES", 10)
+    arc = build_archive(sample_tree)
+    with pytest.raises(wheel.WheelTooLarge):
+        wheel.build_wheel("MyProject", "0.1", arc, tmp_path)