skip-trace 0.1.0__py3-none-any.whl → 0.1.1__py3-none-any.whl

skip_trace/reporting/md_reporter.py

@@ -7,7 +7,7 @@ from typing import IO
 from rich.console import Console
 from rich.table import Table
 
-from ..schemas import PackageResult
+from ..schemas import EvidenceKind, EvidenceSource, PackageResult
 
 
 def render(result: PackageResult, file: IO[str] = sys.stdout):
@@ -28,6 +28,12 @@ def render(result: PackageResult, file: IO[str] = sys.stdout):
     )
     console.print("-" * 80)
 
+    # --- Pre-process to find Sigstore evidence ---
+    sigstore_evidence = [
+        ev for ev in result.evidence if ev.source == EvidenceSource.SIGSTORE
+    ]
+    sigstore_evidence_ids = {ev.id for ev in sigstore_evidence}
+
     # --- OWNERS TABLE ---
     if not result.owners:
         console.print("\n[bold]## 🕵️ Owner Candidates[/bold]")
@@ -40,7 +46,7 @@ def render(result: PackageResult, file: IO[str] = sys.stdout):
         owner_table = Table(
             show_header=True,
             header_style="bold magenta",
-            title="Top Owner Candidates",
+            title="Top Owner Candidates (by inferred score)",
             title_style="bold",
         )
         owner_table.add_column("Owner", style="cyan", width=30, no_wrap=True)
@@ -81,14 +87,45 @@ def render(result: PackageResult, file: IO[str] = sys.stdout):
                 else "[italic]No notes.[/italic]"
             )
 
+            # Check if this owner is backed by Sigstore evidence
+            is_verified = bool(sigstore_evidence_ids.intersection(owner.evidence))
+            owner_display_name = f"🛡️ {owner.name}" if is_verified else owner.name
+
             owner_table.add_row(
-                owner.name,
+                owner_display_name,
                 owner.kind.value,
                 f"[{score_style}]{score_str}[/]",
                 contacts_str,
                 key_evidence_str,
             )
         console.print(owner_table)
+        console.print(
+            "[dim]Owners marked with 🛡️ are supported by cryptographic evidence.[/dim]"
+        )
+
+    # --- CRYPTOGRAPHIC EVIDENCE (SIGSTORE) ---
+    if sigstore_evidence:
+        console.print("\n[bold]## 🛡️ Cryptographic Evidence (from Sigstore)[/bold]")
+        sig_table = Table(
+            show_header=True,
+            header_style="bold green",
+            title="Verified Signatures and Provenance",
+            title_style="bold",
+        )
+        sig_table.add_column("Kind", style="cyan", width=25)
+        sig_table.add_column("Identity or Source")
+        sig_table.add_column("Notes")
+
+        for ev in sigstore_evidence:
+            kind_str = ev.kind.value.replace("sigstore-", "").replace("-", " ").title()
+            primary_value = ""
+            if ev.kind == EvidenceKind.SIGSTORE_SIGNER_IDENTITY:
+                primary_value = ev.value.get("identity", "[unknown]")
+            elif ev.kind == EvidenceKind.SIGSTORE_BUILD_PROVENANCE:
+                primary_value = ev.value.get("repo_uri", "[unknown]")
+
+            sig_table.add_row(kind_str, primary_value, ev.notes)
+        console.print(sig_table)
 
     # --- MAINTAINERS TABLE ---
     if result.maintainers:
@@ -96,7 +133,7 @@ def render(result: PackageResult, file: IO[str] = sys.stdout):
         maintainer_table = Table(
             show_header=True,
             header_style="bold cyan",
-            title="Directly Listed Maintainers",
+            title="Directly Listed Maintainers (from PyPI)",
             title_style="bold",
         )
         maintainer_table.add_column("Name", style="cyan")
@@ -112,4 +149,31 @@ def render(result: PackageResult, file: IO[str] = sys.stdout):
 
         console.print(maintainer_table)
 
+    # --- URL STATUS TABLE ---
+    url_status_evidence = [
+        ev for ev in result.evidence if ev.kind == EvidenceKind.URL_STATUS
+    ]
+    if url_status_evidence:
+        console.print("\n[bold]## 🔗 URL Analysis[/bold]")
+        url_table = Table(
+            show_header=True, header_style="bold blue", title="Checked URLs"
+        )
+        url_table.add_column("URL", style="cyan", no_wrap=True)
+        url_table.add_column("HTTP Status", justify="center")
+
+        for ev in sorted(url_status_evidence, key=lambda x: x.locator):
+            status = ev.value.get("status_code", "N/A")
+            status_str = str(status)
+            if status == -1:
+                status_str = "Connection Error"
+                style = "bold red"
+            elif 200 <= status < 300:
+                style = "green"
+            elif 300 <= status < 400:
+                style = "yellow"
+            else:
+                style = "red"
+            url_table.add_row(ev.locator, f"[{style}]{status_str}[/]")
+        console.print(url_table)
+
     console.print("-" * 80)

skip_trace/schemas.py

@@ -2,10 +2,13 @@
 from __future__ import annotations
 
 import datetime
+import logging
 from dataclasses import dataclass, field
 from enum import Enum
 from typing import Any, List, Optional
 
+logger = logging.getLogger(__name__)
+
 # --- Enums for controlled vocabularies ---
 
 
@@ -44,6 +47,8 @@ class EvidenceSource(str, Enum):
     WHOIS = "whois"
     VENV_SCAN = "venv-scan"
     LLM_NER = "llm-ner"
+    URL = "url"  # For evidence from scanned homepages
+    PYPI_ATTESTATION = "pypi-attestation"  # New source
 
 
 class EvidenceKind(str, Enum):
@@ -66,6 +71,12 @@ class EvidenceKind(str, Enum):
     # GitHub profile-specific evidence kinds
     USER_PROFILE = "user-profile"
     USER_COMPANY = "user-company"
+    URL_STATUS = "url-status"  # To track HTTP status of found URLs
+    # Sigstore-specific evidence kinds
+    SIGSTORE_SIGNER_IDENTITY = "sigstore-signer-identity"
+    SIGSTORE_BUILD_PROVENANCE = "sigstore-build-provenance"
+    # PyPI Attestation-specific evidence kind
+    PYPI_PUBLISHER_ATTESTATION = "pypi-publisher-attestation"
 
 
 # --- Core Data Schemas ---
@@ -94,6 +105,16 @@ class EvidenceRecord:
     confidence: float = 0.0
     notes: str = ""
 
+    def __post_init__(self) -> None:
+        """Logs every instantiation."""
+        logger.info(
+            "EvidenceRecord created: id=%s source=%s kind=%s notes=%r",
+            self.id,
+            self.source,
+            self.kind,
+            self.notes,
+        )
+
 
 @dataclass
 class OwnerCandidate:

skip_trace/utils/http_client.py

@@ -1,6 +1,7 @@
 # skip_trace/utils/http_client.py
 from __future__ import annotations
 
+import logging
 from typing import Optional
 
 import httpx
@@ -9,6 +10,7 @@ from ..config import CONFIG
 from ..exceptions import NetworkError
 
 _client: Optional[httpx.Client] = None
+logger = logging.getLogger(__name__)
 
 
 def get_client() -> httpx.Client:
@@ -32,6 +34,7 @@ def make_request(url: str) -> httpx.Response:
     :raises NetworkError: If the request fails due to network issues or an error status code.
     :return: The httpx.Response object.
     """
+    logger.info(f"Looking at {url}")
     client = get_client()
     try:
         response = client.get(url)
@@ -43,3 +46,18 @@ def make_request(url: str) -> httpx.Response:
         raise NetworkError(
             f"Request to {e.request.url} failed with status {e.response.status_code}"
         ) from e
+
+
+def make_request_safe(url: str) -> Optional[httpx.Response]:
+    """
+    Makes a GET request but returns the response even on HTTP error codes,
+    or None if a connection-level error occurs.
+    """
+    logger.info(f"Looking at {url}")
+    client = get_client()
+    try:
+        response = client.get(url)
+        return response
+    except httpx.RequestError as e:
+        logger.warning(f"Network request to {e.request.url} failed: {e}")
+        return None  # Indicate a connection-level error

{skip_trace-0.1.0.dist-info → skip_trace-0.1.1.dist-info}/METADATA

@@ -1,12 +1,15 @@
 Metadata-Version: 2.4
 Name: skip-trace
-Version: 0.1.0
+Version: 0.1.1
 Summary: Ownership Attribution for Python Packages
 Project-URL: Homepage, https://github.com/matthewdeanmartin/skip-trace
 Project-URL: Issues, https://github.com/matthewdeanmartin/skip-trace/issues
 Author-email: Matthew Dean Martin <matthewdeanmartin@gmail.com>
+License-Expression: MIT
 License-File: LICENSE
-Classifier: Development Status :: 1 - Planning
+Keywords: PEP 541,PyPI maintainers,package owners,package provenance,software supply chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.9
@@ -16,7 +19,7 @@ Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Security
 Classifier: Topic :: Software Development :: Quality Assurance
-Requires-Python: >=3.8
+Requires-Python: >=3.13
 Requires-Dist: beautifulsoup4>=4.12.0
 Requires-Dist: email-validator>=2.0.0
 Requires-Dist: en-core-web-sm
@@ -27,6 +30,7 @@ Requires-Dist: pygithub>=1.59.0
 Requires-Dist: python-dotenv
 Requires-Dist: python-dotenv>=1.0.0
 Requires-Dist: python-whois>=0.8.0
+Requires-Dist: pyyaml>=6.0
 Requires-Dist: rich-argparse
 Requires-Dist: rich>=13.0.0
 Requires-Dist: sigstore>=1.0.0

skip_trace-0.1.1.dist-info/RECORD

@@ -0,0 +1,39 @@
+skip_trace/__about__.py,sha256=FsjvZ9_bL7XRX3JSfSw-8MGl8izBdAyC2zBiG2sCT-Q,660
+skip_trace/__init__.py,sha256=t4sAc1NJDDj90Z1o1FwYnPMqpJgV1pDt4hlPuTlpykE,106
+skip_trace/__main__.py,sha256=auCXP2BqRl6sPSrYr-_c5jA8fFKcOKTBTL2J9gMeFl0,144
+skip_trace/cli.py,sha256=kHgr_jXkWWo6rthXU18c4qE5ur0Upc1wywkfzeTg9VA,5492
+skip_trace/config.py,sha256=BHM8TuJ_jWDhr1uz9hAAwA3eJwu_m-pYmAvnx_TcCcw,4735
+skip_trace/exceptions.py,sha256=MnMlTjPYrvtB_1j-CAHwmlggjfNCDiRiThjXyuX70Js,581
+skip_trace/m.py,sha256=pmASLEmxc_V5snLxW90SXdmCQMphuCdcsZ6C399LLLo,10536
+skip_trace/main.py,sha256=pmASLEmxc_V5snLxW90SXdmCQMphuCdcsZ6C399LLLo,10536
+skip_trace/py.typed.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skip_trace/schemas.py,sha256=jyK4HfJLNJTFfdXnSOKbRX_KQH1kxsLlhpeJ3izFEhA,3874
+skip_trace/analysis/__init__.py,sha256=7bOZj8CbG7Ezl9w_Z9gZCuO456psxecJCmPLxljFiuo,135
+skip_trace/analysis/content_scanner.py,sha256=B22moAVvPrl_IgdILYHVggIuUBYrGuvlqXL8xLIuYJg,6414
+skip_trace/analysis/evidence.py,sha256=OSUS2SAlQCn6V6BJpzCKk_jxU_3Fzqv0EIH5AyRHln4,11661
+skip_trace/analysis/ner.py,sha256=Ckcbyeza7fkDV-oGWTfakowLeWcybTzUpWjJ5bMlIwA,1607
+skip_trace/analysis/scoring.py,sha256=Cfs54CjHjMwrC3y_Ab5CzmGyouf_wqepvGfNrxhfBAM,12312
+skip_trace/analysis/source_scanner.py,sha256=CF3q5hXjSLMQHpQIzjSYlEMnTIJCMnWy24sK6RZN2w8,15272
+skip_trace/collectors/__init__.py,sha256=R3ZEXSqLvecVghzxQ3c-pbTulgVddPVUSEwqFb3hLbU,193
+skip_trace/collectors/github.py,sha256=CIwapS1UO6qLnoVyTHe7vLi159d6qRqCk9YRRk7jb7g,8575
+skip_trace/collectors/github_files.py,sha256=APCavmVJ4ux3pUdSm2Ak2Fmdd6VplISqxqiFI_qj7so,13866
+skip_trace/collectors/package_files.py,sha256=3rCtDMROF25N8anHy1UWLG1tPgSsNhR_zBYeKZ-MuoE,12936
+skip_trace/collectors/pypi.py,sha256=nZVl7sDrnUBTKLsinU1TWbMm_CES6oGVUtQUKS21ues,6200
+skip_trace/collectors/pypi_attestations.py,sha256=gc9_tPgEgyEr29nB0v2qSYGKUmEWsvi-qyukAVaz85Y,5807
+skip_trace/collectors/sigstore.py,sha256=WWzRtx28pSQD-emqu-m6yAKiudOM6F0o49hSRWrwEao,6267
+skip_trace/collectors/urls.py,sha256=XQ-2u48qTxQk175xFUBB4k6XA0t95rr34FBfmUBgV-E,3327
+skip_trace/collectors/whois.py,sha256=tQYI30IbRMlHEwn3FRSdKYX_c2TJLyMUyhLdIxpXU4o,6953
+skip_trace/reporting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skip_trace/reporting/json_reporter.py,sha256=VInt34k3Zo41y7SKkOnjxRj_gsB932GaAZsBj93Fvfc,610
+skip_trace/reporting/md_reporter.py,sha256=ZAZW9xm1VxKjgfgei_sFFFEfu5csMTU1ry9Qg75k3Dc,6819
+skip_trace/utils/__init__.py,sha256=Wm-u-aQCpDEGL5wiRHWQ1ZwNQvA2iSLRpDNeb46_2P8,126
+skip_trace/utils/cache.py,sha256=K6k0MXuf3fDr1ecjThV3qhZFHYhgCi0K69i27SoJmAY,2415
+skip_trace/utils/cli_suggestions.py,sha256=pDNqfLhcYWEqvFM4jiOsUGXlqvTZxpWHR_O1hoCvzyM,2886
+skip_trace/utils/http_client.py,sha256=kZwloPE-kXguOL9ZoQ_joT7OB8-AAin17AnqVHX7PPw,1939
+skip_trace/utils/safe_targz.py,sha256=ETOJc5VA9A5KDhlaV9N15tLbTFABA0zSQob9eXnKQPc,5233
+skip_trace/utils/validation.py,sha256=cgPcmkVEoHZ9vkvntycckxpQM5UbrVpUvUCb0S2FZrs,1427
+skip_trace-0.1.1.dist-info/METADATA,sha256=KiJqLaPCUgxXlVHKgflAiN3t-toCcPt_MzaOXNsvNEA,8571
+skip_trace-0.1.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+skip_trace-0.1.1.dist-info/entry_points.txt,sha256=zR7je0FG4CxaLIfaONVMi9LgmKfWtbYkrTVLclrTwhg,51
+skip_trace-0.1.1.dist-info/licenses/LICENSE,sha256=CDE_-1UnY5KRaDCIuCdNg7j7lkGCJbtZWTbhB10QeLk,1071
+skip_trace-0.1.1.dist-info/RECORD,,

skip_trace-0.1.0.dist-info/RECORD

@@ -1,33 +0,0 @@
-skip_trace/__about__.py,sha256=aouD5xOQKs7wYRs0yiZysx-VWoCOqWX915NaDSofMR4,468
-skip_trace/__init__.py,sha256=UkTfkLRuPO5XBc9_6IYHDXqGB_t8AfCZSzAdMS8AuyE,129
-skip_trace/__main__.py,sha256=auCXP2BqRl6sPSrYr-_c5jA8fFKcOKTBTL2J9gMeFl0,144
-skip_trace/cli.py,sha256=ylcR_PMRcaCDf2pmrEGbna-q_3DJVlbB0ard1R86yaM,5483
-skip_trace/config.py,sha256=BHM8TuJ_jWDhr1uz9hAAwA3eJwu_m-pYmAvnx_TcCcw,4735
-skip_trace/exceptions.py,sha256=MnMlTjPYrvtB_1j-CAHwmlggjfNCDiRiThjXyuX70Js,581
-skip_trace/main.py,sha256=zcO1KaHB3nWq5oq4vOTraxuSSID9Ey78qYCjPbB0b9E,9907
-skip_trace/py.typed.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-skip_trace/schemas.py,sha256=otxLkn56HtVGlycgOlzI6cTv_Iu_0ICfYYClb2WtPD0,3103
-skip_trace/analysis/__init__.py,sha256=7bOZj8CbG7Ezl9w_Z9gZCuO456psxecJCmPLxljFiuo,135
-skip_trace/analysis/evidence.py,sha256=z8-4AcoxTRTMzr4NhilijfVifjWmybTlBsvGR47evHc,11661
-skip_trace/analysis/ner.py,sha256=Ckcbyeza7fkDV-oGWTfakowLeWcybTzUpWjJ5bMlIwA,1607
-skip_trace/analysis/scoring.py,sha256=K_pyUVwkGUasYOdveNtvrBrTjZ03VbovjMbM0mbA7_s,10328
-skip_trace/analysis/source_scanner.py,sha256=nBE--gCaWfrXxsc-OdU9uhi4deYuF6AodW4w9b64sB8,15277
-skip_trace/collectors/__init__.py,sha256=7wRLLntBWFs-lik7Rr-oPv426zweFyCSKbwit1gXUdU,141
-skip_trace/collectors/github.py,sha256=CIwapS1UO6qLnoVyTHe7vLi159d6qRqCk9YRRk7jb7g,8575
-skip_trace/collectors/package_files.py,sha256=WT1I-WN6MclGGb02SaAE3kUTM5TImDdb9qXvVB_uIPc,6026
-skip_trace/collectors/pypi.py,sha256=OeqKIsg-s7oKxqTfcquqYVjyecmjNSupXVFcqBmKMFU,6205
-skip_trace/collectors/whois.py,sha256=tQYI30IbRMlHEwn3FRSdKYX_c2TJLyMUyhLdIxpXU4o,6953
-skip_trace/reporting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-skip_trace/reporting/json_reporter.py,sha256=VInt34k3Zo41y7SKkOnjxRj_gsB932GaAZsBj93Fvfc,610
-skip_trace/reporting/md_reporter.py,sha256=V0tR6srTVe4_PVB2J0TrC3B_tB_ZuDTAZ2xLrpMMaRo,4081
-skip_trace/utils/__init__.py,sha256=Wm-u-aQCpDEGL5wiRHWQ1ZwNQvA2iSLRpDNeb46_2P8,126
-skip_trace/utils/cache.py,sha256=K6k0MXuf3fDr1ecjThV3qhZFHYhgCi0K69i27SoJmAY,2415
-skip_trace/utils/cli_suggestions.py,sha256=pDNqfLhcYWEqvFM4jiOsUGXlqvTZxpWHR_O1hoCvzyM,2886
-skip_trace/utils/http_client.py,sha256=3n0c4QBMCXHnIZ6Jn30HZWtFaWYvrq0SNr5Mp2ll_1E,1350
-skip_trace/utils/safe_targz.py,sha256=ETOJc5VA9A5KDhlaV9N15tLbTFABA0zSQob9eXnKQPc,5233
-skip_trace/utils/validation.py,sha256=cgPcmkVEoHZ9vkvntycckxpQM5UbrVpUvUCb0S2FZrs,1427
-skip_trace-0.1.0.dist-info/METADATA,sha256=hij-sg6Pgci3LycgEJpLTZI17RULvlzr22E5cbB53uY,8380
-skip_trace-0.1.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-skip_trace-0.1.0.dist-info/entry_points.txt,sha256=zR7je0FG4CxaLIfaONVMi9LgmKfWtbYkrTVLclrTwhg,51
-skip_trace-0.1.0.dist-info/licenses/LICENSE,sha256=CDE_-1UnY5KRaDCIuCdNg7j7lkGCJbtZWTbhB10QeLk,1071
-skip_trace-0.1.0.dist-info/RECORD,,