shkit 1.2.0__tar.gz

shkit-1.2.0/.github/workflows/build-wheel.yml

@@ -0,0 +1,154 @@
+name: Build & publish IIC wheel
+
+# v4 distribution: on merge to main, build the wheel and upload it to DBFS as the
+# "latest" agent artifact that clusters install via the init script.
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+
+permissions:
+  contents: write   # needed to attach the wheel to a GitHub Release on tags
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    # Job-level env IS available to a step's `if:` (step-level env is not — that was
+    # the bug). Empty strings when the secrets aren't configured → publish is skipped.
+    env:
+      DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
+      DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Build wheel
+        run: |
+          pip install build
+          python -m build --wheel
+          ls -l dist/
+
+      - name: Verify self-arming packaging (.pth at wheel root + arms on install)
+        run: |
+          set -e
+          WHEEL=$(ls dist/*.whl | head -1)
+          echo "Checking $WHEEL for iic_autoload.pth at archive root..."
+          python -m zipfile -l "$WHEEL" | awk '{print $1}' | grep -qxE 'iic_autoload\.pth' \
+            || { echo "FAIL: iic_autoload.pth not at wheel root"; exit 1; }
+          echo "OK: .pth at wheel root"
+          python -m venv /tmp/iic_smoke_venv
+          /tmp/iic_smoke_venv/bin/pip install --quiet "$WHEEL"
+          echo "Confirming the .pth arms the tripwire at interpreter startup..."
+          /tmp/iic_smoke_venv/bin/python -c "import sys; assert 'iic.runtime.bootstrap' in sys.modules, 'bootstrap not auto-imported'; print('OK: tripwire armed at startup')"
+
+      - name: Self-arming integration smoke (failure → mock webhook gets one card)
+        run: |
+          WHEEL=$(ls dist/*.whl | head -1)
+          python scripts/smoke_local.py "$WHEEL"
+
+      - name: Upload wheel artifact (always)
+        uses: actions/upload-artifact@v4
+        with:
+          name: iic-wheel
+          path: dist/*.whl
+
+      # On every push to main: refresh a rolling "latest" pre-release with the new
+      # wheel and emit the copyable install URL — auto-publish, no tag needed.
+      - name: Publish rolling "latest" release
+        if: github.ref == 'refs/heads/main'
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: latest
+          name: "Latest (rolling — auto-published from main)"
+          prerelease: true
+          files: dist/*.whl
+
+      - name: Latest install URL → summary
+        if: github.ref == 'refs/heads/main'
+        run: |
+          WHEEL=$(ls dist/*.whl | head -1)
+          NAME=$(basename "$WHEEL")
+          URL="https://github.com/${{ github.repository }}/releases/download/latest/${NAME}"
+          echo "==========================================="
+          echo "DATABRICKS INSTALL URL (latest, copy this):"
+          echo "$URL"
+          echo "==========================================="
+          {
+            echo "## 🚀 IIC SDK (latest) — auto-published from main"
+            echo ""
+            echo "**Wheel:** \`${NAME}\`"
+            echo ""
+            echo "### Databricks install URL (copy this):"
+            echo '```'
+            echo "$URL"
+            echo '```'
+            echo ""
+            echo "_Always points at the most recent main build. Install via a cluster"
+            echo "init script \`pip install <url>\` or a notebook \`%pip install <url>\`._"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      # On a version tag (e.g. v1.0.0): publish the wheel to a GitHub Release and
+      # emit a copyable Databricks install URL — no Databricks dependency, no secrets.
+      - name: Generate Databricks install URL
+        id: url
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          WHEEL=$(ls dist/*.whl | head -1)
+          NAME=$(basename "$WHEEL")
+          URL="https://github.com/${{ github.repository }}/releases/download/${GITHUB_REF_NAME}/${NAME}"
+          {
+            echo "install_url=$URL"
+            echo "wheel_name=$NAME"
+          } >> "$GITHUB_OUTPUT"
+          echo "==========================================="
+          echo "DATABRICKS INSTALL URL (copy this):"
+          echo "$URL"
+          echo "==========================================="
+
+      - name: Publish to GitHub Release
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/*.whl
+          body: |
+            ## 🚀 IIC SDK ${{ github.ref_name }}
+
+            **Databricks install URL — copy this:**
+
+            ```
+            ${{ steps.url.outputs.install_url }}
+            ```
+
+            Install on a cluster via a notebook `%pip install <url>` or a cluster
+            init script `pip install <url>`, then restart — the agent
+            auto-bootstraps on import. See `docs/V4_ARCHITECTURE.md`.
+
+      - name: Write job summary
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          {
+            echo "## 🚀 IIC SDK Published — ${GITHUB_REF_NAME}"
+            echo ""
+            echo "**Wheel:** \`${{ steps.url.outputs.wheel_name }}\`"
+            echo ""
+            echo "### Databricks install URL (copy this):"
+            echo '```'
+            echo "${{ steps.url.outputs.install_url }}"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      # Publish to DBFS only when Databricks credentials are configured as repo
+      # secrets. Skipped (not failed) otherwise, so forks/PRs still build cleanly.
+      - name: Set up Databricks CLI
+        if: ${{ env.DATABRICKS_HOST != '' && env.DATABRICKS_TOKEN != '' }}
+        uses: databricks/setup-cli@main
+
+      - name: Publish to DBFS as latest
+        if: ${{ env.DATABRICKS_HOST != '' && env.DATABRICKS_TOKEN != '' }}
+        run: |
+          WHEEL=$(ls dist/*.whl | head -1)
+          echo "Uploading $WHEEL -> dbfs:/libs/iic/latest.whl"
+          databricks fs cp --overwrite "$WHEEL" dbfs:/libs/iic/latest.whl
+          databricks fs cp --overwrite "$WHEEL" "dbfs:/libs/iic/$(basename "$WHEEL")"

shkit-1.2.0/.github/workflows/ci.yml

@@ -0,0 +1,23 @@
+name: CI
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install package
+        run: pip install -e ".[dev]"
+      - name: Lint source code
+        run: ruff check src/ onboarding/ --ignore E501
+      - name: Lint unit tests
+        run: ruff check tests/unit/ --ignore E501
+      - name: Run unit tests
+        run: pytest tests/unit/ -v --tb=short

shkit-1.2.0/.github/workflows/deploy-prod.yml

@@ -0,0 +1,36 @@
+name: Deploy Production
+on:
+  workflow_dispatch:
+    inputs:
+      confirm:
+        description: 'Type "deploy-prod" to confirm'
+        required: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: github.event.inputs.confirm == 'deploy-prod'
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+      - uses: databricks/setup-cli@main
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dbt
+        run: pip install dbt-databricks
+
+      - name: Run dbt build (create/update tables)
+        run: cd dbt_project && dbt build --target prod
+        env:
+          DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST_PROD }}
+          DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN_PROD }}
+          DATABRICKS_HTTP_PATH: ${{ secrets.DATABRICKS_HTTP_PATH_PROD }}
+          DATABRICKS_CATALOG: prod_catalog
+
+      - name: Deploy bundle
+        run: databricks bundle deploy --target prod
+        env:
+          DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST_PROD }}
+          DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN_PROD }}

shkit-1.2.0/.github/workflows/incident-dispatch.yml

@@ -0,0 +1,33 @@
+name: IIC incident detective
+
+# Event-driven ONLY — fires when the in-process agent sends a repository_dispatch
+# after a failure. No schedule, no polling. PAYLOAD-ONLY: the issue is rendered
+# entirely from the self-contained client_payload — GitHub never touches the
+# customer's Databricks workspace, so there are no tenant tokens here.
+on:
+  repository_dispatch:
+    types: [iic_incident]
+
+permissions:
+  contents: read
+  issues: write   # to archive the incident as an issue
+
+jobs:
+  investigate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install IIC
+        run: pip install .
+
+      - name: Archive incident (from payload only)
+        env:
+          IIC_PAYLOAD: ${{ toJSON(github.event.client_payload) }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: python -m iic.runtime.detective

shkit-1.2.0/.github/workflows/publish-tenant.yml

@@ -0,0 +1,70 @@
+name: "[DEPRECATED] Publish IIC to tenant (manual)"
+
+# ⚠️ DEPRECATED (product-model): distribution moved to PyPI (release-pypi.yml) and
+# config moved to a Databricks secret scope (see docs/INSTALL.md + docs/MIGRATION.md).
+# Kept functional for ONE release for migration; will be deleted. This is the only
+# remaining workflow that references the DBX_TOKENS secret.
+#
+# MANUAL ONLY — never auto-runs. You pick a tenant from the dropdown and the wheel
+# is published to THAT tenant's Databricks Volume only. Tenant config (host/volume)
+# comes from the private Access-private repo; the Databricks token comes from the
+# DBX_TOKENS secret (never from the config repo).
+on:
+  workflow_dispatch:
+    inputs:
+      tenant:
+        description: "Tenant to publish for"
+        type: choice
+        required: true
+        options:
+          - zeb
+          # add tenants here as you add folders under Access-private/tenants/
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    # Optional: require an approval before publishing.
+    # environment: production
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Checkout tenant config (Access-private)
+        uses: actions/checkout@v4
+        with:
+          repository: yogasathyandrun/Access-private
+          path: _tenants
+          token: ${{ secrets.CONFIG_REPO_TOKEN }}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Build wheel
+        run: |
+          pip install build databricks-sdk pyyaml
+          python -m build --wheel
+          ls -l dist/
+
+      - name: Publish to selected tenant
+        env:
+          TENANT: ${{ inputs.tenant }}
+          DBX_TOKENS: ${{ secrets.DBX_TOKENS }}
+        run: python scripts/publish_tenant.py
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## 📦 IIC published to tenant: \`${{ inputs.tenant }}\`" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "Uploaded: **wheel + base_environment.yml → Workspace** (base-env builder can't read Volumes)," >> "$GITHUB_STEP_SUMMARY"
+          echo "and **config.yaml → Volume** (read by the agent at runtime). See job log for exact paths." >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "➡️ One-time per workspace: **Admin Settings → Workspace base environments for serverless** →" >> "$GITHUB_STEP_SUMMARY"
+          echo "set **Base environment file path** to the uploaded \`/Workspace/.../base_environment.yml\`" >> "$GITHUB_STEP_SUMMARY"
+          echo "(✅ default for new notebooks). It references the Workspace wheel → new serverless" >> "$GITHUB_STEP_SUMMARY"
+          echo "notebooks self-arm automatically. See docs/SELF_ARMING.md. Mute via a \`DISABLED\` file" >> "$GITHUB_STEP_SUMMARY"
+          echo "next to config.yaml in the Volume." >> "$GITHUB_STEP_SUMMARY"

shkit-1.2.0/.github/workflows/pull-antibodies.yml

@@ -0,0 +1,68 @@
+name: "[DEPRECATED] Pull antibodies from tenant (manual)"
+
+# ⚠️ DEPRECATED (product-model): the antibody ledger is now workspace-local and is
+# folded by the in-workspace console notebook (iic.console()); there is no git
+# mirror and no operator sync. Kept one release for migration; will be deleted.
+#
+# MANUAL ONLY. Downloads the tenant's Antibody Ledger + pending occurrence markers
+# from its Databricks Volume, folds the occurrences into the git ledger
+# (Access-private/tenants/<tenant>/antibodies.yaml), commits it, and uploads the
+# merged ledger back to the Volume. A human then fills in `resolution:` values in
+# the committed file via the GitHub web editor; push-antibodies.yml ships them back.
+#
+# NOTE: this commits to the PRIVATE Access-private repo, so CONFIG_REPO_TOKEN must
+# have WRITE (contents) scope on that repo (publish-tenant.yml only needs read).
+on:
+  workflow_dispatch:
+    inputs:
+      tenant:
+        description: "Tenant to pull antibodies from"
+        type: choice
+        required: true
+        options:
+          - zeb
+          # add tenants here as you add folders under Access-private/tenants/
+
+permissions:
+  contents: read
+
+jobs:
+  pull:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Checkout tenant config (Access-private, write scope)
+        uses: actions/checkout@v4
+        with:
+          repository: yogasathyandrun/Access-private
+          path: _tenants
+          token: ${{ secrets.CONFIG_REPO_TOKEN }}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install
+        run: pip install . databricks-sdk pyyaml
+
+      - name: Pull + fold pending occurrences
+        env:
+          TENANT: ${{ inputs.tenant }}
+          DBX_TOKENS: ${{ secrets.DBX_TOKENS }}
+          CONFIG_DIR: _tenants
+        run: python scripts/sync_antibodies.py --mode pull
+
+      - name: Commit updated ledger to Access-private
+        run: |
+          cd _tenants
+          git config user.name "iic-antibodies-bot"
+          git config user.email "iic-antibodies-bot@users.noreply.github.com"
+          git add "tenants/${{ inputs.tenant }}/antibodies.yaml"
+          if git diff --cached --quiet; then
+            echo "No ledger changes to commit."
+          else
+            git commit -m "antibodies(${{ inputs.tenant }}): fold pending occurrence(s)"
+            git push
+          fi

shkit-1.2.0/.github/workflows/push-antibodies.yml

@@ -0,0 +1,86 @@
+name: "[DEPRECATED] Push antibodies to tenant"
+
+# ⚠️ DEPRECATED (product-model): the antibody ledger is now workspace-local (edited
+# in the workspace via iic.console()), with no git mirror and no operator sync.
+# Kept one release for migration; will be deleted.
+#
+# Ships the human-edited Antibody Ledger from git back to the tenant's Databricks
+# Volume. Runs the merge rule against the CURRENT Volume copy first (so counters
+# that accumulated since the last pull are not clobbered — git only wins on
+# `resolution`), then uploads the result to {volume}/antibodies.yaml.
+#
+# Triggers:
+#   * workflow_dispatch          — manual, pick a tenant.
+#   * repository_dispatch        — fired by a tiny companion workflow in the
+#     (type: antibodies_push)      Access-private repo whenever someone edits
+#                                  tenants/<t>/antibodies.yaml. Cross-repo `push`
+#                                  path filters can't reach this repo directly, so
+#                                  the edit side sends a repository_dispatch.
+#
+# Companion workflow to paste into Access-private (.github/workflows/notify-antibodies.yml):
+#
+#   on:
+#     push:
+#       paths: ["tenants/*/antibodies.yaml"]
+#   jobs:
+#     notify:
+#       runs-on: ubuntu-latest
+#       steps:
+#         - uses: actions/checkout@v4
+#         - name: Fire push for each changed tenant
+#           env:
+#             GH_TOKEN: ${{ secrets.KIT_DISPATCH_TOKEN }}   # repo scope on Self-healing-kit
+#           run: |
+#             for f in $(git diff --name-only HEAD~1 HEAD | grep 'tenants/.*/antibodies.yaml'); do
+#               t=$(echo "$f" | cut -d/ -f2)
+#               gh api repos/yogasathyandrun/Self-healing-kit/dispatches \
+#                 -f event_type=antibodies_push -F client_payload[tenant]="$t"
+#             done
+
+on:
+  workflow_dispatch:
+    inputs:
+      tenant:
+        description: "Tenant to push antibodies to"
+        type: choice
+        required: true
+        options:
+          - zeb
+          # add tenants here as you add folders under Access-private/tenants/
+  repository_dispatch:
+    types: [antibodies_push]
+
+permissions:
+  contents: read
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Resolve tenant
+        id: t
+        run: echo "tenant=${{ inputs.tenant || github.event.client_payload.tenant }}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Checkout tenant config (Access-private)
+        uses: actions/checkout@v4
+        with:
+          repository: yogasathyandrun/Access-private
+          path: _tenants
+          token: ${{ secrets.CONFIG_REPO_TOKEN }}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install
+        run: pip install . databricks-sdk pyyaml
+
+      - name: Push ledger to the Volume
+        env:
+          TENANT: ${{ steps.t.outputs.tenant }}
+          DBX_TOKENS: ${{ secrets.DBX_TOKENS }}
+          CONFIG_DIR: _tenants
+        run: python scripts/sync_antibodies.py --mode push

shkit-1.2.0/.github/workflows/release-pypi.yml

@@ -0,0 +1,75 @@
+name: Release to PyPI
+
+# On a version tag (v*): build sdist+wheel, run the FULL gate (lint + unit tests +
+# the .pth-at-wheel-root assertion + the fresh-venv arms-on-install + the
+# self-arming smoke), then publish to PyPI via TRUSTED PUBLISHING (OIDC). No PyPI
+# API token is stored anywhere.
+#
+# ONE-TIME MAINTAINER SETUP (on PyPI, before the first release):
+#   1. Claim the distribution name in pyproject.toml [project].name. `iic` may be
+#      taken — if so, change [project].name (the ONLY place the dist name lives;
+#      the import name stays `iic`) and re-run the grep check in docs/INSTALL.md.
+#   2. Add a PyPI "Trusted Publisher": this repo, workflow `release-pypi.yml`,
+#      environment `pypi`. See https://docs.pypi.org/trusted-publishers/.
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: read
+
+jobs:
+  gate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install + lint + unit tests
+        run: |
+          pip install -e ".[dev]"
+          ruff check src/ onboarding/ --ignore E501
+          pytest tests/unit/ -q
+
+      - name: Build sdist + wheel
+        run: |
+          pip install build
+          python -m build
+          ls -l dist/
+
+      - name: Gate — .pth at wheel root + arms on install
+        run: |
+          set -e
+          WHEEL=$(ls dist/*.whl | head -1)
+          python -m zipfile -l "$WHEEL" | awk '{print $1}' | grep -qxE 'iic_autoload\.pth' \
+            || { echo "FAIL: iic_autoload.pth not at wheel root"; exit 1; }
+          python -m venv /tmp/relvenv
+          /tmp/relvenv/bin/pip install --quiet "$WHEEL" 2>/dev/null || /tmp/relvenv/bin/pip install --quiet "$WHEEL"
+          /tmp/relvenv/bin/python -c "import sys; assert 'iic.runtime.bootstrap' in sys.modules, 'bootstrap not auto-imported'; print('OK: tripwire armed at startup')"
+
+      - name: Gate — self-arming smoke (failure → one card)
+        run: |
+          WHEEL=$(ls dist/*.whl | head -1)
+          python scripts/smoke_local.py "$WHEEL"
+
+      - name: Upload dist
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/*
+
+  publish:
+    needs: gate
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write   # OIDC for PyPI Trusted Publishing — no API token stored
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+      - name: Publish to PyPI (Trusted Publishing / OIDC)
+        uses: pypa/gh-action-pypi-publish@release/v1

shkit-1.2.0/.gitignore

@@ -0,0 +1,15 @@
+__pycache__/
+*.pyc
+*.pyo
+.pytest_cache/
+.ruff_cache/
+dist/
+*.egg-info/
+.env
+config.json
+deployment_manifest.json
+dbt_project/target/
+dbt_project/logs/
+dbt_project/dbt_packages/
+.venv/
+venv/