sdd-plus 0.3.0__tar.gz

sdd_plus-0.3.0/.github/THIRD_PARTY_AUDIT_PROMPT.md

@@ -0,0 +1,101 @@
+# Third-Party Audit Prompt
+
+Copy this prompt into a DIFFERENT AI (Gemini, GPT-4, Codex, etc.) along with the repo files.
+The auditor must NOT be the same AI that built the project.
+
+---
+
+## Prompt
+
+You are an independent code auditor. You did NOT build this project. You have no prior context.
+
+**Project**: SDD+ (Specification-Driven Development Extended)
+**Language**: Python 3.13+
+**Framework**: CLI (Typer) + FastAPI web dashboard
+**Size**: ~2,075 lines of code, 261 tests, 92% coverage
+
+### Audit scope
+
+Review the codebase for:
+
+1. **Architecture & Design**
+   - Is the module structure clean and well-separated?
+   - Are there circular dependencies?
+   - Is the state machine implementation correct and complete?
+   - Are the Pydantic schemas well-designed?
+
+2. **Security**
+   - Are there injection risks in subprocess calls?
+   - Is user input properly validated?
+   - Are file operations safe (path traversal, symlink attacks)?
+   - Is YAML loading safe (yaml.safe_load vs yaml.load)?
+   - Are there secrets or credentials accidentally committed?
+
+3. **Test Quality**
+   - Do tests actually test meaningful behavior, or are they trivial?
+   - Are edge cases covered?
+   - Is mocking appropriate, or does it hide real bugs?
+   - Are there tests that would pass even if the code was broken?
+
+4. **Spec Conformance**
+   - Do the CONTRACT.yaml files match what the code actually does?
+   - Do the SPEC.yaml files match the implementation?
+   - Is the AGENTS.yaml authority matrix actually enforced?
+
+5. **Documentation Accuracy**
+   - Does the README match the actual CLI commands?
+   - Are the install instructions correct?
+   - Is the architecture diagram accurate?
+
+6. **Packaging**
+   - Is pyproject.toml correctly configured?
+   - Will `pip install sdd-plus` work?
+   - Are dependencies pinned appropriately?
+
+7. **Code Quality**
+   - Dead code?
+   - Duplicated logic?
+   - Overly complex functions?
+   - Error handling: is fail-open (try/except pass) appropriate everywhere it's used?
+
+### Output format
+
+Produce a structured audit report:
+
+```
+## Audit Report: SDD+ v0.2.0
+
+### Executive Summary
+[1 paragraph: overall assessment]
+
+### Findings
+
+#### CRITICAL (must fix before release)
+- [Finding] — [File:Line] — [Description]
+
+#### HIGH (should fix)
+- [Finding] — [File:Line] — [Description]
+
+#### MEDIUM (recommended)
+- [Finding] — [File:Line] — [Description]
+
+#### LOW (informational)
+- [Finding] — [File:Line] — [Description]
+
+### Strengths
+- [What's done well]
+
+### Verdict
+[APPROVED / APPROVED WITH CONDITIONS / REJECTED]
+```
+
+### Files to provide
+
+Give the auditor these files (in order of importance):
+1. `sdd/` — all Python source files
+2. `tests/` — all test files
+3. `AGENTS.yaml` — authority matrix
+4. `pyproject.toml` — packaging config
+5. `sdd/artifacts/` — specs, contracts, audits
+6. `README.md`
+7. `CHANGELOG.md`

sdd_plus-0.3.0/.github/workflows/ci.yml

@@ -0,0 +1,81 @@
+name: CI — Tests + Security Audit
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  test:
+    name: Tests + Coverage
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.13", "3.14"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: pip install -e ".[dev]" build hatchling
+      - name: Run tests
+        run: pytest tests/ -v --cov=sdd --cov-report=term-missing --cov-fail-under=85
+      - name: Build wheel
+        run: |
+          pip install build
+          python -m build --wheel --no-isolation
+
+  security:
+    name: Security Scan (bandit + pip-audit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Install tools
+        run: pip install bandit pip-audit -e .
+      - name: Bandit (security)
+        run: bandit -r sdd/ -f txt -ll
+      - name: pip-audit (CVEs)
+        run: pip-audit --format=columns
+
+  # CodeQL Analysis — enable when repo is public (free) or with GitHub Advanced Security (paid)
+  # codeql:
+  #   name: CodeQL Analysis
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - uses: github/codeql-action/init@v3
+  #       with:
+  #         languages: python
+  #     - uses: github/codeql-action/analyze@v3
+
+  quality:
+    name: Code Quality (radon)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Install radon
+        run: pip install radon
+      - name: Cyclomatic complexity (fail on E+)
+        run: |
+          radon cc sdd/ -a -nc
+          radon cc sdd/ -a --total-average | grep -E "^Average" | awk '{print $NF}' | tr -d '()' | while read grade; do
+            case "$grade" in
+              E|F) echo "FAIL: Average complexity is $grade"; exit 1 ;;
+              *) echo "OK: Average complexity is $grade" ;;
+            esac
+          done
+      - name: Maintainability index
+        run: radon mi sdd/ -s

sdd_plus-0.3.0/.github/workflows/publish.yml

@@ -0,0 +1,76 @@
+name: Publish to PyPI
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+  id-token: write   # required for OIDC trusted publishing
+
+jobs:
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install build tools
+        run: pip install build hatchling
+
+      - name: Build wheel and sdist
+        run: python -m build
+
+      - name: Verify dist contents
+        run: |
+          ls -lh dist/
+          pip install twine
+          twine check dist/*
+
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/sdd-plus
+    steps:
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI (Trusted Publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    needs: build
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v') && contains(github.ref, 'rc')
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/sdd-plus
+    steps:
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to TestPyPI (Trusted Publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/

sdd_plus-0.3.0/.gitignore

@@ -0,0 +1,41 @@
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+.pytest_cache/
+.coverage
+htmlcov/
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+.DS_Store
+.sdd-metrics/
+.sdd-role