shipguard-ai 0.1.1__tar.gz

shipguard_ai-0.1.1/.env.example

@@ -0,0 +1,4 @@
+SHIPGUARD_LLM_BASE_URL=
+SHIPGUARD_LLM_API_KEY=
+SHIPGUARD_LLM_MODEL=
+SHIPGUARD_GITHUB_TOKEN=

shipguard_ai-0.1.1/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,45 @@
+---
+name: Bug report
+about: Report a reproducible problem in ShipGuard
+title: "[Bug] "
+labels: ""
+assignees: ""
+---
+
+## Summary
+
+Describe the problem and its impact.
+
+## Environment
+
+- ShipGuard version or commit:
+- Python version:
+- Operating system:
+- Command used:
+- Analysis type: local diff / GitHub PR
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Expected behavior
+
+What did you expect to happen?
+
+## Actual behavior
+
+What happened instead?
+
+## Logs or sample input
+
+Provide the smallest sanitized example that reproduces the issue.
+
+Do not include API keys, tokens, private repository content, private URLs, or
+other sensitive data.
+
+## Additional context
+
+Include any relevant diff size, file type, model endpoint behavior, or
+workaround.

shipguard_ai-0.1.1/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,33 @@
+---
+name: Feature request
+about: Propose an improvement to ShipGuard
+title: "[Feature] "
+labels: ""
+assignees: ""
+---
+
+## Maintainer problem
+
+What release-review or pull request workflow problem should ShipGuard solve?
+
+## Proposed outcome
+
+Describe the behavior or result you would like.
+
+## Example
+
+Provide a sanitized, synthetic example of the input and expected output when
+possible.
+
+## Alternatives considered
+
+How is this handled today, and what other approaches did you consider?
+
+## Scope and risks
+
+Does the proposal affect prompts, risk scoring, report schemas, GitHub
+permissions, comments, privacy, or compatibility?
+
+## Contribution
+
+Are you interested in implementing or testing this change?

shipguard_ai-0.1.1/.github/pull_request_template.md

@@ -0,0 +1,36 @@
+## Summary
+
+Describe the change and the maintainer or user problem it addresses.
+
+## Changes
+
+- Describe the main changes here.
+
+## Verification
+
+List the commands run and relevant results.
+
+```text
+python -m unittest discover -s tests
+python -m compileall shipguard scripts tests
+```
+
+## Release-risk review
+
+- [ ] No public API, output schema, or CLI behavior changes.
+- [ ] No database or state migration is required.
+- [ ] No new environment variables, permissions, or secrets are required.
+- [ ] No dependency or model-provider behavior changes.
+- [ ] Tests cover the changed behavior.
+- [ ] Rollback is straightforward or explained below.
+
+Explain any unchecked item:
+
+## Contributor checklist
+
+- [ ] I kept this pull request focused.
+- [ ] I added or updated tests where behavior changed.
+- [ ] I updated documentation for command, configuration, or output changes.
+- [ ] I added a user-visible change to `CHANGELOG.md` when applicable.
+- [ ] I removed secrets, private repository data, and sensitive logs.
+- [ ] I have read and followed `CONTRIBUTING.md` and the Code of Conduct.

shipguard_ai-0.1.1/.github/workflows/ci.yml

@@ -0,0 +1,48 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - "3.11"
+          - "3.12"
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Upgrade pip
+        run: python -m pip install --upgrade pip
+
+      - name: Install ShipGuard
+        run: python -m pip install -e .
+
+      - name: Run unit tests
+        run: python -m unittest discover -s tests
+
+      - name: Compile Python sources
+        run: python -m compileall shipguard scripts tests
+
+      - name: Check CLI help
+        run: |
+          python -m shipguard --help
+          python -m shipguard analyze --help
+          python -m shipguard analyze-pr --help
+          python -m shipguard clear-comments --help

shipguard_ai-0.1.1/.github/workflows/publish-pypi.yml

@@ -0,0 +1,55 @@
+name: Publish Python Package
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install build tools
+        run: python -m pip install build twine
+
+      - name: Build package distributions
+        run: python -m build
+
+      - name: Check package metadata
+        run: python -m twine check dist/*
+
+      - name: Upload package distributions
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Download package distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      # Configure a PyPI Trusted Publisher for this repository, workflow, and
+      # the "pypi" GitHub environment before this step can publish.
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

shipguard_ai-0.1.1/.github/workflows/shipguard.yml

@@ -0,0 +1,59 @@
+name: ShipGuard Release Risk Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  shipguard:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out trusted action source
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+
+      - name: Check model configuration
+        id: model-secrets
+        shell: bash
+        env:
+          SHIPGUARD_LLM_BASE_URL: ${{ secrets.SHIPGUARD_LLM_BASE_URL }}
+          SHIPGUARD_LLM_API_KEY: ${{ secrets.SHIPGUARD_LLM_API_KEY }}
+          SHIPGUARD_LLM_MODEL: ${{ secrets.SHIPGUARD_LLM_MODEL }}
+        run: |
+          set -euo pipefail
+
+          if [[ -n "$SHIPGUARD_LLM_BASE_URL" \
+            && -n "$SHIPGUARD_LLM_API_KEY" \
+            && -n "$SHIPGUARD_LLM_MODEL" ]]; then
+            echo "available=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "available=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run ShipGuard
+        if: ${{ steps.model-secrets.outputs.available == 'true' }}
+        uses: ./
+        with:
+          pr_url: ${{ github.event.pull_request.html_url }}
+          github_token: ${{ github.token }}
+          upload_artifacts: "true"
+          html: "true"
+          dry_run_comments: "false"
+          post_comment: "false"
+          post_inline_comments: "false"
+          request_changes: "false"
+        env:
+          SHIPGUARD_LLM_BASE_URL: ${{ secrets.SHIPGUARD_LLM_BASE_URL }}
+          SHIPGUARD_LLM_API_KEY: ${{ secrets.SHIPGUARD_LLM_API_KEY }}
+          SHIPGUARD_LLM_MODEL: ${{ secrets.SHIPGUARD_LLM_MODEL }}
+
+      - name: Explain skipped ShipGuard review
+        if: ${{ steps.model-secrets.outputs.available != 'true' }}
+        shell: bash
+        run: |
+          echo "ShipGuard review skipped: all three SHIPGUARD_LLM_* secrets must be configured."

shipguard_ai-0.1.1/.gitignore

@@ -0,0 +1,225 @@
+.DS_Store
+sample-app/
+.shipguard/memory/
+.shipguard/reports/
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#   Usually these files are written by a python script from a template
+#   before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+# Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+# uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+# poetry.lock
+# poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+# pdm.lock
+# pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+# pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# Redis
+*.rdb
+*.aof
+*.pid
+
+# RabbitMQ
+mnesia/
+rabbitmq/
+rabbitmq-data/
+
+# ActiveMQ
+activemq-data/
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.env.*
+!.env.example
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#   JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#   be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#   and can be added to the global gitignore or merged into this file.  For a more nuclear
+#   option (not recommended) you can uncomment the following to ignore the entire idea folder.
+# .idea/
+
+# Abstra
+#   Abstra is an AI-powered process automation framework.
+#   Ignore directories containing user credentials, local state, and settings.
+#   Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#   Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#   that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#   and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#   you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+# Temporary file for partial code execution
+tempCodeRunnerFile.py
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Streamlit
+.streamlit/secrets.toml

shipguard_ai-0.1.1/CHANGELOG.md

@@ -0,0 +1,40 @@
+# Changelog
+
+All notable changes to ShipGuard will be documented in this file.
+
+The project intends to follow [Keep a
+Changelog](https://keepachangelog.com/en/1.1.0/) and semantic versioning once a
+stable release process is established.
+
+## [Unreleased]
+
+### Added
+
+- Standard open-source governance and contribution documentation.
+- GitHub issue and pull request templates.
+- A maintainer-oriented roadmap.
+- GitHub Actions validation for tests, compilation, and CLI help on supported
+  Python versions.
+- Maintainer backlog guidance with suggested labels and actionable issue
+  drafts.
+- A proposed, design-only GitHub Action integration covering safety,
+  permissions, artifacts, failures, and privacy.
+- An initial advisory composite GitHub Action wrapper that runs PR analysis and
+  uploads Release Passport artifacts.
+- GitHub Action usage documentation covering secrets, permissions, limitations,
+  artifact privacy, and troubleshooting.
+- A read-only, secret-gated dogfooding workflow for advisory pull request
+  Release Passport artifacts.
+- Documentation for verifying the dogfooding workflow with a small pull
+  request.
+- A PyPI Trusted Publishing workflow that builds, checks, and publishes package
+  distributions without an API token.
+- PyPI release documentation for local validation and repository setup.
+
+### Changed
+
+- Reframed the README around pull request release-risk review, current
+  capabilities, limitations, and supported workflows.
+- Changed the intended PyPI distribution name to `shipguard-ai` and bumped the
+  package version to `0.1.1`, while preserving the `shipguard` import namespace
+  and CLI command.

shipguard_ai-0.1.1/CODE_OF_CONDUCT.md

@@ -0,0 +1,58 @@
+# Contributor Covenant Code of Conduct
+
+## Our pledge
+
+We pledge to make participation in the ShipGuard community a harassment-free
+experience for everyone, regardless of age, body size, disability, ethnicity,
+sex characteristics, gender identity and expression, level of experience,
+education, socioeconomic status, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our standards
+
+Examples of behavior that contributes to a positive community include:
+
+- demonstrating empathy and kindness;
+- respecting differing opinions, viewpoints, and experiences;
+- giving and accepting constructive feedback;
+- taking responsibility, apologizing, and learning from mistakes; and
+- focusing on what is best for the community.
+
+Unacceptable behavior includes:
+
+- sexualized language or attention;
+- insulting, derogatory, or inflammatory comments;
+- public or private harassment;
+- publishing another person's private information without permission; and
+- other conduct that could reasonably be considered inappropriate in a
+  professional setting.
+
+## Enforcement responsibilities
+
+Project maintainers are responsible for clarifying and enforcing these
+standards. They may remove, edit, or reject comments, commits, code, issues, and
+other contributions that do not align with this Code of Conduct.
+
+## Scope
+
+This Code of Conduct applies in project spaces and when an individual is
+officially representing the project in public spaces.
+
+## Reporting and enforcement
+
+Report conduct concerns privately to a maintainer using a private contact
+listed on their GitHub profile. If no private contact is available, open a
+non-sensitive issue asking how to report the concern privately. Do not publish
+personal or sensitive details in the issue.
+
+Maintainers will respect the privacy and safety of reporters as far as
+reasonably possible. Enforcement may include a correction, warning, temporary
+restriction, or permanent ban, depending on the impact and pattern of behavior.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant, version
+2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct.html).