slopguard-cli 0.2.0__tar.gz → 0.3.0__tar.gz

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: slopguard-cli
-Version: 0.2.0
+Version: 0.3.0
 Summary: Defend developers and AI coding agents against slopsquatting (hallucinated package names).
 Project-URL: Homepage, https://github.com/hariomunknownslab/slopguard
 Project-URL: Repository, https://github.com/hariomunknownslab/slopguard
@@ -167,18 +167,19 @@ scoring:
 CLI flags override the file. See [`docs/usage.md`](docs/usage.md) for the full
 reference.
 
-## What it does NOT do (v0.1)
+## What it does NOT do
 
-- No live LLM probing — the hallucination database is a static seed for v0.1.
-- No SaaS dashboard, no auth, no billing, no telemetry to any remote server.
-- No tarpit registry, no defensive package registration.
+- No dashboard, no auth, no accounts, no billing, no telemetry. The
+  CLI is fully offline-capable; `slopguard update` is the only
+  outbound call beyond the npm + PyPI registry probes, and it just
+  fetches a static JSON file from GitHub Pages.
+- No defensive package registration / tarpit.
 - No Cursor / Claude Code / Copilot IDE plugins.
 - No support for crates.io, pkg.go.dev, Maven Central, RubyGems, NuGet —
   Python and JavaScript only.
 - No license scanning, no CVE matching, no SBOM generation.
-- No remote configuration, no SaaS API client.
 
-The full v0.2+ roadmap is tracked in the build spec, section 14.
+Everything is MIT, free forever. Fork it.
 
 ## Privacy & trust
 

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/README.md

@@ -129,18 +129,19 @@ scoring:
 CLI flags override the file. See [`docs/usage.md`](docs/usage.md) for the full
 reference.
 
-## What it does NOT do (v0.1)
+## What it does NOT do
 
-- No live LLM probing — the hallucination database is a static seed for v0.1.
-- No SaaS dashboard, no auth, no billing, no telemetry to any remote server.
-- No tarpit registry, no defensive package registration.
+- No dashboard, no auth, no accounts, no billing, no telemetry. The
+  CLI is fully offline-capable; `slopguard update` is the only
+  outbound call beyond the npm + PyPI registry probes, and it just
+  fetches a static JSON file from GitHub Pages.
+- No defensive package registration / tarpit.
 - No Cursor / Claude Code / Copilot IDE plugins.
 - No support for crates.io, pkg.go.dev, Maven Central, RubyGems, NuGet —
   Python and JavaScript only.
 - No license scanning, no CVE matching, no SBOM generation.
-- No remote configuration, no SaaS API client.
 
-The full v0.2+ roadmap is tracked in the build spec, section 14.
+Everything is MIT, free forever. Fork it.
 
 ## Privacy & trust
 

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "slopguard-cli"
-version = "0.2.0"
+version = "0.3.0"
 description = "Defend developers and AI coding agents against slopsquatting (hallucinated package names)."
 readme = "README.md"
 license = { text = "MIT" }

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/slopguard/__init__.py

@@ -2,6 +2,6 @@
 
 from __future__ import annotations
 
-__version__ = "0.2.0"
+__version__ = "0.3.0"
 
 __all__ = ["__version__"]

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/slopguard/cli.py

@@ -270,13 +270,6 @@ def scan_cmd(
         int | None, typer.Option("--concurrency", help="Maximum concurrent registry probes.")
     ] = None,
     verbose: Annotated[bool, typer.Option("--verbose", "-v", help="Show debug logs.")] = False,
-    upload: Annotated[
-        bool,
-        typer.Option(
-            "--upload",
-            help="Upload the scan to the SlopGuard SaaS after scanning. Requires `slopguard login`.",
-        ),
-    ] = False,
 ) -> None:
     """Scan a project for slopsquatted / hallucinated dependencies."""
     if verbose:
@@ -311,59 +304,9 @@ def scan_cmd(
     else:
         render_terminal_report(report, duration_seconds=duration)
 
-    if upload:
-        _upload_report(report, duration_ms=int(duration * 1000))
-
     raise typer.Exit(code=report.exit_code)
 
 
-def _upload_report(report: ScanReport, *, duration_ms: int) -> None:
-    """Persist a completed ScanReport to the SaaS via POST /v1/scans."""
-    from slopguard.saas import load_credentials
-    from slopguard.saas.client import ApiError, list_projects, post_scan
-
-    creds = load_credentials()
-    if creds is None:
-        raise _error_exit("upload requires `slopguard login` first.")
-    if creds.organization_id is None:
-        raise _error_exit(
-            "credentials missing organization_id; run `slopguard logout` then `slopguard login` again."
-        )
-
-    try:
-        projects = list_projects(creds.api_url, creds.token, creds.organization_id)
-    except ApiError as exc:
-        raise _error_exit(f"could not list projects: {exc.detail} (status {exc.status})") from exc
-    if not projects:
-        raise _error_exit("no project on this organization; visit the dashboard and create one.")
-    project_id = projects[0]["id"]
-
-    payload: dict[str, object] = {
-        "project_id": project_id,
-        "report": report.model_dump(mode="json"),
-        "source": _detect_runner(),
-        "duration_ms": duration_ms,
-    }
-    try:
-        created = post_scan(creds.api_url, creds.token, payload)
-    except ApiError as exc:
-        raise _error_exit(f"upload failed: {exc.detail} (status {exc.status})") from exc
-
-    Console().print(
-        f"[green]Uploaded[/green] to {creds.api_url}/app/{creds.org_slug}/scans/{created['id']}"
-    )
-
-
-def _detect_runner() -> str:
-    import os
-
-    if os.environ.get("GITHUB_ACTIONS") == "true":
-        return "ci"
-    if os.environ.get("CI") == "true":
-        return "ci"
-    return "cli"
-
-
 @app.command("version")
 def version_cmd() -> None:
     """Print the SlopGuard version and exit 0."""
@@ -372,131 +315,13 @@ def version_cmd() -> None:
 
 @app.command("update")
 def update_cmd() -> None:
-    """Refresh the local hallucination DB from the SlopGuard SaaS feed.
+    """Refresh the local hallucination DB from the public GitHub Pages feed.
 
     No auth required. Downloads the public registry from
-    ``$SLOPGUARD_API_URL/v1/hallucinations`` (default: the SlopGuard SaaS)
-    and caches it at ``~/.cache/slopguard/hallucinations_db.json`` for the
-    next scan to read.
+    ``https://hariomunknownslab.github.io/slopguard/db.json`` (overridable
+    via ``SLOPGUARD_DB_URL``) and caches it at
+    ``~/.cache/slopguard/hallucinations_db.json`` for the next scan to read.
     """
     from slopguard.update import run
 
     raise typer.Exit(code=run())
-
-
-# --- SaaS auth subcommands -------------------------------------------------
-#
-# Free, unauthenticated scanning never touches these — the imports below are
-# deferred so the CLI keeps starting fast and offline.
-
-
-def _resolve_api_url(flag_value: str | None) -> str:
-    """API URL resolution order: --api-url > $SLOPGUARD_API_URL > default."""
-    import os
-
-    from slopguard.saas.client import DEFAULT_API_URL
-
-    return flag_value or os.environ.get("SLOPGUARD_API_URL") or DEFAULT_API_URL
-
-
-@app.command("login")
-def login_cmd(
-    token: Annotated[
-        str | None,
-        typer.Option(
-            "--token",
-            help="API token. If omitted, you'll be prompted (paste hidden).",
-        ),
-    ] = None,
-    api_url: Annotated[
-        str | None,
-        typer.Option(
-            "--api-url",
-            help="SlopGuard API base URL. Defaults to $SLOPGUARD_API_URL or production.",
-        ),
-    ] = None,
-) -> None:
-    """Authenticate the CLI with a SlopGuard API token.
-
-    Mint a token in the dashboard at *<api>/app/<org>/tokens* and paste it
-    here. The token is stored at ``~/.config/slopguard/credentials.toml``
-    with mode 0600.
-    """
-    from slopguard.saas import Credentials, save_credentials
-    from slopguard.saas.client import ApiError, get_me
-
-    api = _resolve_api_url(api_url)
-    plaintext = token or typer.prompt("API token (input hidden)", hide_input=True)
-    if not plaintext.startswith(("sg_live_", "sg_test_")):
-        raise _error_exit(
-            "token must start with sg_live_ or sg_test_; mint one at "
-            f"{api.rstrip('/')}/app/<org-slug>/tokens"
-        )
-
-    try:
-        me = get_me(api, plaintext)
-    except ApiError as exc:
-        raise _error_exit(
-            f"could not verify token against {api}: {exc.detail} (status {exc.status})"
-        ) from exc
-
-    save_credentials(
-        Credentials(
-            api_url=api,
-            token=plaintext,
-            org_slug=me.active_org.slug,
-            organization_id=me.active_org.id,
-            user_email=me.email,
-        )
-    )
-
-    console = Console()
-    console.print(
-        f"[green]Authenticated.[/green] Org: [bold]{me.active_org.name}[/bold] "
-        f"([cyan]{me.active_org.slug}[/cyan], plan: {me.active_org.plan})"
-    )
-    console.print("Credentials saved to ~/.config/slopguard/credentials.toml (mode 600).")
-
-
-@app.command("whoami")
-def whoami_cmd() -> None:
-    """Print the active org context for the saved credentials."""
-    from slopguard.saas import load_credentials
-    from slopguard.saas.client import ApiError, get_me
-
-    creds = load_credentials()
-    if creds is None:
-        raise _error_exit(
-            "not authenticated. Run `slopguard login` first.",
-        )
-
-    try:
-        me = get_me(creds.api_url, creds.token)
-    except ApiError as exc:
-        if exc.status in (401, 403):
-            raise _error_exit(
-                "saved token rejected. Run `slopguard logout` then `slopguard login` again."
-            ) from exc
-        raise _error_exit(f"API call failed: {exc.detail} (status {exc.status})") from exc
-
-    console = Console()
-    console.print(f"[bold]Email:[/bold] {me.email or '—'}")
-    console.print(
-        f"[bold]Active org:[/bold] {me.active_org.name} ([cyan]{me.active_org.slug}[/cyan])"
-    )
-    console.print(f"[bold]Role:[/bold] {me.active_org.role}")
-    console.print(f"[bold]Plan:[/bold] {me.active_org.plan}")
-    console.print(f"[bold]API:[/bold] {creds.api_url}")
-
-
-@app.command("logout")
-def logout_cmd() -> None:
-    """Forget the saved credentials."""
-    from slopguard.saas import delete_credentials
-
-    removed = delete_credentials()
-    console = Console()
-    if removed:
-        console.print("[green]Logged out.[/green] Credentials file removed.")
-    else:
-        console.print("[yellow]Not logged in.[/yellow] No credentials file to remove.")

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/slopguard/update.py

@@ -1,7 +1,7 @@
 """``slopguard update`` — refresh the local hallucination DB.
 
-Fetches the curated DB from the SlopGuard GitHub Pages site (no API,
-no account, no auth) and writes a seed-shaped file to
+Fetches the curated DB from the public GitHub Pages site (no API, no
+account, no auth) and writes a seed-shaped file to
 ``~/.cache/slopguard/hallucinations_db.json``. The next ``slopguard
 scan`` prefers this cached file over the bundled seed (see
 ``slopguard.data.load_hallucination_db``).
@@ -13,9 +13,7 @@ Updated daily by the probe-cron GitHub Action; each entry goes through
 PR review before publication (see probe-data/README.md in the repo).
 
 Override the URL with ``SLOPGUARD_DB_URL`` to fetch from a fork or
-mirror. The legacy ``SLOPGUARD_API_URL`` env var still works for the
-0.1.x SaaS endpoint shape — used as a fallback for backward
-compatibility.
+self-hosted mirror.
 """
 
 from __future__ import annotations
@@ -35,18 +33,14 @@ CACHE_PATH = Path.home() / ".cache" / "slopguard" / "hallucinations_db.json"
 def _db_url() -> str:
     """Where to fetch the published DB.
 
-    Precedence: ``SLOPGUARD_DB_URL`` > legacy
-    ``SLOPGUARD_API_URL/v1/hallucinations`` > default GitHub Pages.
+    Override the default GitHub Pages URL with ``SLOPGUARD_DB_URL``
+    when running against a fork or a self-hosted mirror.
     """
-    if explicit := os.environ.get("SLOPGUARD_DB_URL"):
-        return explicit
-    if legacy := os.environ.get("SLOPGUARD_API_URL"):
-        return legacy.rstrip("/") + "/v1/hallucinations"
-    return DEFAULT_DB_URL
+    return os.environ.get("SLOPGUARD_DB_URL") or DEFAULT_DB_URL
 
 
 def _convert(wire: dict[str, Any]) -> dict[str, Any]:
-    """Map the API wire payload to the local seed schema."""
+    """Map the public-feed payload to the local seed schema."""
     entries: list[dict[str, Any]] = []
     for row in wire.get("entries", []):
         entries.append(

slopguard_cli-0.3.0/tests/conftest.py

@@ -0,0 +1,22 @@
+"""Shared pytest fixtures."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+
+# Force test isolation from the developer's real ~/.cache. If a previous
+# `slopguard update` left an empty/stale cache file, the hallucination DB
+# loader would pick it up and tests asserting on the bundled seed would
+# break. Pointing CACHE_OVERRIDE at /dev/null/missing makes the loader
+# fall back to the seed every time, regardless of host state.
+from slopguard import data as _data
+
+_data.CACHE_OVERRIDE = Path("/__slopguard_test_no_cache__")
+_data.load_hallucination_db.cache_clear()
+
+
+@pytest.fixture
+def fixtures_dir() -> Path:
+    return Path(__file__).parent / "fixtures"

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/tests/test_cli.py

@@ -107,7 +107,7 @@ def runner() -> CliRunner:
 def test_version_subcommand(runner: CliRunner) -> None:
     result = runner.invoke(app, ["version"])
     assert result.exit_code == 0
-    assert result.stdout.strip() == "0.2.0"
+    assert result.stdout.strip() == "0.3.0"
 
 
 def test_scan_fixtures_no_network_terminal(runner: CliRunner, fixtures_dir: Path) -> None:
@@ -183,4 +183,4 @@ def test_module_main_runs() -> None:
         check=False,
     )
     assert result.returncode == 0
-    assert result.stdout.strip() == "0.2.0"
+    assert result.stdout.strip() == "0.3.0"

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/tests/test_misc.py

@@ -40,8 +40,8 @@ def test_update_writes_cache_when_api_reachable(
     from slopguard import update
 
     monkeypatch.setattr(update, "CACHE_PATH", tmp_path / "h.json")
-    monkeypatch.setenv("SLOPGUARD_API_URL", "http://api.test")
-    respx.get("http://api.test/v1/hallucinations").mock(
+    monkeypatch.setenv("SLOPGUARD_DB_URL", "http://feed.test/db.json")
+    respx.get("http://feed.test/db.json").mock(
         return_value=httpx.Response(
             200,
             json={"generated_at": "2026-05-23T22:00:00Z", "count": 0, "entries": []},

{slopguard_cli-0.2.0 → slopguard_cli-0.3.0}/tests/test_update.py

@@ -22,7 +22,7 @@ def cache_at_tmp(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Path:
 
 @pytest.fixture
 def api_at_test(monkeypatch: pytest.MonkeyPatch) -> None:
-    monkeypatch.setenv("SLOPGUARD_API_URL", "http://api.test")
+    monkeypatch.setenv("SLOPGUARD_DB_URL", "http://feed.test/db.json")
 
 
 @respx.mock
@@ -44,9 +44,7 @@ def test_update_writes_cache(
             }
         ],
     }
-    respx.get("http://api.test/v1/hallucinations").mock(
-        return_value=httpx.Response(200, json=payload)
-    )
+    respx.get("http://feed.test/db.json").mock(return_value=httpx.Response(200, json=payload))
 
     code = update.run()
     assert code == 0
@@ -67,7 +65,7 @@ def test_update_writes_cache(
 def test_update_handles_network_failure(
     cache_at_tmp: Path, api_at_test: None, capsys: pytest.CaptureFixture[str]
 ) -> None:
-    respx.get("http://api.test/v1/hallucinations").mock(side_effect=httpx.ConnectError("nope"))
+    respx.get("http://feed.test/db.json").mock(side_effect=httpx.ConnectError("nope"))
     code = update.run()
     assert code == 1
     assert not cache_at_tmp.exists()
@@ -78,7 +76,7 @@ def test_update_handles_network_failure(
 def test_update_rejects_malformed_payload(
     cache_at_tmp: Path, api_at_test: None, capsys: pytest.CaptureFixture[str]
 ) -> None:
-    respx.get("http://api.test/v1/hallucinations").mock(
+    respx.get("http://feed.test/db.json").mock(
         return_value=httpx.Response(200, json={"entries": [{"name": "x"}]})
     )
     code = update.run()
@@ -88,34 +86,24 @@ def test_update_rejects_malformed_payload(
 
 
 def test_default_db_url_is_github_pages(monkeypatch: pytest.MonkeyPatch) -> None:
-    """When neither override env var is set, fetch from GitHub Pages."""
+    """When SLOPGUARD_DB_URL is not set, fetch from GitHub Pages."""
     monkeypatch.delenv("SLOPGUARD_DB_URL", raising=False)
-    monkeypatch.delenv("SLOPGUARD_API_URL", raising=False)
     assert update._db_url() == update.DEFAULT_DB_URL
     assert update.DEFAULT_DB_URL.startswith("https://hariomunknownslab.github.io/")
 
 
-def test_slopguard_db_url_takes_precedence(monkeypatch: pytest.MonkeyPatch) -> None:
+def test_slopguard_db_url_override(monkeypatch: pytest.MonkeyPatch) -> None:
+    """SLOPGUARD_DB_URL overrides the default Pages URL."""
     monkeypatch.setenv("SLOPGUARD_DB_URL", "https://my.mirror/db.json")
-    monkeypatch.setenv("SLOPGUARD_API_URL", "https://legacy/api")  # should be ignored
     assert update._db_url() == "https://my.mirror/db.json"
 
 
-def test_legacy_api_url_still_works(monkeypatch: pytest.MonkeyPatch) -> None:
-    """0.1.x users with SLOPGUARD_API_URL set keep working — we append
-    /v1/hallucinations the way the SaaS endpoint expected."""
-    monkeypatch.delenv("SLOPGUARD_DB_URL", raising=False)
-    monkeypatch.setenv("SLOPGUARD_API_URL", "https://legacy.example/")
-    assert update._db_url() == "https://legacy.example/v1/hallucinations"
-
-
 @respx.mock
 def test_update_fetches_from_pages_by_default(
     cache_at_tmp: Path, monkeypatch: pytest.MonkeyPatch
 ) -> None:
-    """End-to-end: no env overrides, hits the Pages URL."""
+    """End-to-end: no env override, hits the Pages URL."""
     monkeypatch.delenv("SLOPGUARD_DB_URL", raising=False)
-    monkeypatch.delenv("SLOPGUARD_API_URL", raising=False)
     respx.get(update.DEFAULT_DB_URL).mock(
         return_value=httpx.Response(
             200,

slopguard_cli-0.2.0/slopguard/saas/__init__.py

@@ -1,26 +0,0 @@
-"""SaaS integration: credentials store + HTTP client for the SlopGuard API.
-
-Free, unauthenticated CLI invocations never touch this module. It is only
-imported when the user runs ``slopguard login``, ``slopguard whoami``,
-``slopguard logout``, or ``slopguard scan --upload``.
-"""
-
-from __future__ import annotations
-
-from slopguard.saas.credentials import (
-    DEFAULT_CREDENTIALS_PATH,
-    Credentials,
-    CredentialsError,
-    delete_credentials,
-    load_credentials,
-    save_credentials,
-)
-
-__all__ = [
-    "DEFAULT_CREDENTIALS_PATH",
-    "Credentials",
-    "CredentialsError",
-    "delete_credentials",
-    "load_credentials",
-    "save_credentials",
-]

slopguard_cli-0.2.0/slopguard/saas/client.py

@@ -1,114 +0,0 @@
-"""Tiny HTTP client for the SlopGuard API."""
-
-from __future__ import annotations
-
-from dataclasses import dataclass
-from typing import Any
-
-import httpx
-
-DEFAULT_API_URL = "https://api.slopguard.io"
-
-
-class ApiError(Exception):
-    def __init__(self, status: int, detail: str) -> None:
-        self.status = status
-        self.detail = detail
-        super().__init__(f"API {status}: {detail}")
-
-
-@dataclass(frozen=True)
-class MeOrg:
-    id: str
-    name: str
-    slug: str
-    plan: str
-    role: str
-
-
-@dataclass(frozen=True)
-class MeResponse:
-    user_id: str | None
-    email: str | None
-    principal_kind: str
-    active_org: MeOrg
-
-
-def get_me(api_url: str, token: str, *, timeout: float = 10.0) -> MeResponse:
-    """Synchronous /v1/me call. Used by login/whoami/--upload."""
-    try:
-        response = httpx.get(
-            f"{api_url.rstrip('/')}/v1/me",
-            headers={"Authorization": f"Bearer {token}"},
-            timeout=timeout,
-        )
-    except httpx.RequestError as exc:
-        raise ApiError(0, f"network error: {exc}") from exc
-
-    if response.status_code != 200:
-        detail = _extract_detail(response)
-        raise ApiError(response.status_code, detail)
-    payload = response.json()
-    active = payload["active_organization"]
-    return MeResponse(
-        user_id=payload.get("user_id"),
-        email=payload.get("email"),
-        principal_kind=payload["principal_kind"],
-        active_org=MeOrg(
-            id=active["id"],
-            name=active["name"],
-            slug=active["slug"],
-            plan=active["plan"],
-            role=active["role"],
-        ),
-    )
-
-
-def post_scan(
-    api_url: str, token: str, payload: dict[str, Any], *, timeout: float = 30.0
-) -> dict[str, Any]:
-    """POST /v1/scans. Returns the parsed ScanSummary response."""
-    try:
-        response = httpx.post(
-            f"{api_url.rstrip('/')}/v1/scans",
-            headers={
-                "Authorization": f"Bearer {token}",
-                "Content-Type": "application/json",
-            },
-            json=payload,
-            timeout=timeout,
-        )
-    except httpx.RequestError as exc:
-        raise ApiError(0, f"network error: {exc}") from exc
-    if response.status_code not in (200, 201):
-        raise ApiError(response.status_code, _extract_detail(response))
-    return response.json()  # type: ignore[no-any-return]
-
-
-def list_projects(
-    api_url: str, token: str, organization_id: str, *, timeout: float = 10.0
-) -> list[dict[str, Any]]:
-    try:
-        response = httpx.get(
-            f"{api_url.rstrip('/')}/v1/projects",
-            params={"organization_id": organization_id},
-            headers={"Authorization": f"Bearer {token}"},
-            timeout=timeout,
-        )
-    except httpx.RequestError as exc:
-        raise ApiError(0, f"network error: {exc}") from exc
-    if response.status_code != 200:
-        raise ApiError(response.status_code, _extract_detail(response))
-    return response.json()  # type: ignore[no-any-return]
-
-
-def _extract_detail(response: httpx.Response) -> str:
-    try:
-        body = response.json()
-    except ValueError:
-        body = None
-    if isinstance(body, dict):
-        detail = body.get("detail")
-        if isinstance(detail, str):
-            return detail
-    return response.text[:200] or response.reason_phrase

slopguard_cli-0.2.0/slopguard/saas/credentials.py

@@ -1,118 +0,0 @@
-"""Read/write the CLI credentials file.
-
-Stored at ``~/.config/slopguard/credentials.toml`` with mode 0600 so other
-users on the machine cannot read it (spec §6.6).
-
-Layout::
-
-    [active]
-    api_url = "https://api.slopguard.io"
-    token = "sg_live_..."
-    org_slug = "acme-security"
-    organization_id = "..."
-    user_email = "harry@unknownslab.com"
-
-A future ``slopguard switch`` could let multiple profiles live side-by-
-side; for now only ``[active]`` is read or written.
-"""
-
-from __future__ import annotations
-
-import os
-import tomllib
-from dataclasses import dataclass
-from pathlib import Path
-
-DEFAULT_CREDENTIALS_PATH = Path.home() / ".config" / "slopguard" / "credentials.toml"
-
-
-class CredentialsError(Exception):
-    """Raised when credentials cannot be read or written."""
-
-
-@dataclass(frozen=True)
-class Credentials:
-    api_url: str
-    token: str
-    org_slug: str | None = None
-    organization_id: str | None = None
-    user_email: str | None = None
-
-
-def load_credentials(path: Path | None = None) -> Credentials | None:
-    """Return the active credentials, or None if the file doesn't exist."""
-    if path is None:
-        path = DEFAULT_CREDENTIALS_PATH
-    if not path.exists():
-        return None
-    try:
-        with path.open("rb") as fh:
-            data = tomllib.load(fh)
-    except tomllib.TOMLDecodeError as exc:
-        raise CredentialsError(f"invalid credentials file {path}: {exc}") from exc
-
-    active = data.get("active")
-    if not isinstance(active, dict):
-        return None
-    token = active.get("token")
-    api_url = active.get("api_url")
-    if not isinstance(token, str) or not isinstance(api_url, str):
-        return None
-    return Credentials(
-        api_url=api_url,
-        token=token,
-        org_slug=active.get("org_slug") if isinstance(active.get("org_slug"), str) else None,
-        organization_id=(
-            active.get("organization_id")
-            if isinstance(active.get("organization_id"), str)
-            else None
-        ),
-        user_email=(
-            active.get("user_email") if isinstance(active.get("user_email"), str) else None
-        ),
-    )
-
-
-def save_credentials(creds: Credentials, path: Path | None = None) -> None:
-    """Write ``creds`` to the file at ``path``. Creates parent dirs and chmod 0600."""
-    if path is None:
-        path = DEFAULT_CREDENTIALS_PATH
-    path.parent.mkdir(parents=True, exist_ok=True)
-    body = _render(creds)
-    # Write to a temp sibling then atomic-rename so a crash mid-write can't
-    # leave a half-written credentials file.
-    tmp = path.with_suffix(path.suffix + ".tmp")
-    tmp.write_text(body, encoding="utf-8")
-    os.chmod(tmp, 0o600)
-    tmp.replace(path)
-
-
-def delete_credentials(path: Path | None = None) -> bool:
-    """Remove the credentials file. Returns True if a file was deleted."""
-    if path is None:
-        path = DEFAULT_CREDENTIALS_PATH
-    if not path.exists():
-        return False
-    path.unlink()
-    return True
-
-
-def _render(creds: Credentials) -> str:
-    lines = [
-        "# slopguard CLI credentials — do not share. chmod 600.",
-        "",
-        "[active]",
-        f'api_url = "{_escape(creds.api_url)}"',
-        f'token = "{_escape(creds.token)}"',
-    ]
-    if creds.org_slug:
-        lines.append(f'org_slug = "{_escape(creds.org_slug)}"')
-    if creds.organization_id:
-        lines.append(f'organization_id = "{_escape(creds.organization_id)}"')
-    if creds.user_email:
-        lines.append(f'user_email = "{_escape(creds.user_email)}"')
-    return "\n".join(lines) + "\n"
-
-
-def _escape(value: str) -> str:
-    return value.replace("\\", "\\\\").replace('"', '\\"')

slopguard_cli-0.2.0/tests/conftest.py

@@ -1,12 +0,0 @@
-"""Shared pytest fixtures."""
-
-from __future__ import annotations
-
-from pathlib import Path
-
-import pytest
-
-
-@pytest.fixture
-def fixtures_dir() -> Path:
-    return Path(__file__).parent / "fixtures"

slopguard_cli-0.2.0/tests/test_saas_auth.py

@@ -1,190 +0,0 @@
-"""Tests for the SaaS auth subcommands: login, whoami, logout."""
-
-from __future__ import annotations
-
-import stat
-from pathlib import Path
-
-import pytest
-from typer.testing import CliRunner
-
-from slopguard.cli import app
-from slopguard.saas.credentials import (
-    Credentials,
-    delete_credentials,
-    load_credentials,
-    save_credentials,
-)
-
-
-@pytest.fixture
-def runner() -> CliRunner:
-    return CliRunner()
-
-
-@pytest.fixture
-def cred_path(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Path:
-    path = tmp_path / "credentials.toml"
-    # Redirect the default path used by all three subcommands.
-    monkeypatch.setattr("slopguard.saas.credentials.DEFAULT_CREDENTIALS_PATH", path)
-    monkeypatch.setattr("slopguard.saas.DEFAULT_CREDENTIALS_PATH", path)
-    return path
-
-
-def test_credentials_round_trip(tmp_path: Path) -> None:
-    path = tmp_path / "creds.toml"
-    save_credentials(
-        Credentials(
-            api_url="http://localhost:8000",
-            token="sg_live_" + "x" * 24,
-            org_slug="acme",
-            organization_id="11111111-1111-1111-1111-111111111111",
-            user_email="harry@example.com",
-        ),
-        path=path,
-    )
-    assert path.exists()
-    mode = stat.S_IMODE(path.stat().st_mode)
-    assert mode == 0o600, f"expected 0600, got {oct(mode)}"
-
-    loaded = load_credentials(path)
-    assert loaded is not None
-    assert loaded.api_url == "http://localhost:8000"
-    assert loaded.token == "sg_live_" + "x" * 24
-    assert loaded.org_slug == "acme"
-
-
-def test_load_credentials_missing_returns_none(tmp_path: Path) -> None:
-    assert load_credentials(tmp_path / "nope.toml") is None
-
-
-def test_delete_credentials(tmp_path: Path) -> None:
-    path = tmp_path / "creds.toml"
-    path.write_text('[active]\ntoken="x"\napi_url="y"\n')
-    assert delete_credentials(path) is True
-    assert delete_credentials(path) is False
-
-
-def test_login_rejects_malformed_token(runner: CliRunner, cred_path: Path) -> None:
-    result = runner.invoke(app, ["login", "--token", "not-a-token"])
-    assert result.exit_code == 2
-    assert "must start with sg_live_" in result.stdout or "must start with sg_live_" in (
-        result.stderr or ""
-    )
-    assert not cred_path.exists()
-
-
-def test_login_persists_creds_on_success(
-    runner: CliRunner,
-    cred_path: Path,
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    from slopguard.saas import client as saas_client
-
-    def fake_get_me(api_url: str, token: str, **_: object) -> saas_client.MeResponse:
-        assert token.startswith("sg_live_")
-        return saas_client.MeResponse(
-            user_id="user-1",
-            email="harry@example.com",
-            principal_kind="token",
-            active_org=saas_client.MeOrg(
-                id="org-1",
-                name="Acme",
-                slug="acme",
-                plan="free",
-                role="token",
-            ),
-        )
-
-    monkeypatch.setattr("slopguard.cli.get_me", None, raising=False)
-    monkeypatch.setattr("slopguard.saas.client.get_me", fake_get_me)
-
-    result = runner.invoke(
-        app,
-        ["login", "--token", "sg_live_" + "x" * 24, "--api-url", "http://localhost:8000"],
-    )
-    assert result.exit_code == 0, result.stdout
-    assert "Authenticated" in result.stdout
-    creds = load_credentials(cred_path)
-    assert creds is not None
-    assert creds.org_slug == "acme"
-    assert creds.api_url == "http://localhost:8000"
-
-
-def test_whoami_without_creds_exits_2(runner: CliRunner, cred_path: Path) -> None:
-    result = runner.invoke(app, ["whoami"])
-    assert result.exit_code == 2
-
-
-def test_whoami_with_valid_creds_prints_org(
-    runner: CliRunner,
-    cred_path: Path,
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    save_credentials(
-        Credentials(
-            api_url="http://localhost:8000",
-            token="sg_live_" + "x" * 24,
-            org_slug="acme",
-            organization_id="org-1",
-            user_email="harry@example.com",
-        ),
-        path=cred_path,
-    )
-    from slopguard.saas import client as saas_client
-
-    def fake_get_me(api_url: str, token: str, **_: object) -> saas_client.MeResponse:
-        return saas_client.MeResponse(
-            user_id="user-1",
-            email="harry@example.com",
-            principal_kind="token",
-            active_org=saas_client.MeOrg(
-                id="org-1",
-                name="Acme",
-                slug="acme",
-                plan="free",
-                role="token",
-            ),
-        )
-
-    monkeypatch.setattr("slopguard.saas.client.get_me", fake_get_me)
-    result = runner.invoke(app, ["whoami"])
-    assert result.exit_code == 0, result.stdout
-    assert "Acme" in result.stdout
-    assert "acme" in result.stdout
-
-
-def test_whoami_rejected_token(
-    runner: CliRunner, cred_path: Path, monkeypatch: pytest.MonkeyPatch
-) -> None:
-    save_credentials(
-        Credentials(api_url="http://localhost:8000", token="sg_live_" + "x" * 24),
-        path=cred_path,
-    )
-    from slopguard.saas import client as saas_client
-
-    def fake_get_me(api_url: str, token: str, **_: object) -> saas_client.MeResponse:
-        raise saas_client.ApiError(401, "token not found")
-
-    monkeypatch.setattr("slopguard.saas.client.get_me", fake_get_me)
-    result = runner.invoke(app, ["whoami"])
-    assert result.exit_code == 2
-    assert "logout" in result.stdout or "logout" in (result.stderr or "")
-
-
-def test_logout_removes_creds(runner: CliRunner, cred_path: Path) -> None:
-    save_credentials(
-        Credentials(api_url="http://localhost:8000", token="sg_live_" + "x" * 24),
-        path=cred_path,
-    )
-    assert cred_path.exists()
-    result = runner.invoke(app, ["logout"])
-    assert result.exit_code == 0
-    assert "Logged out" in result.stdout
-    assert not cred_path.exists()
-
-
-def test_logout_when_not_logged_in(runner: CliRunner, cred_path: Path) -> None:
-    result = runner.invoke(app, ["logout"])
-    assert result.exit_code == 0
-    assert "Not logged in" in result.stdout

slopguard_cli-0.2.0/tests/test_saas_client.py

@@ -1,186 +0,0 @@
-"""Tests for the SlopGuard API HTTP client used by login/whoami/--upload."""
-
-from __future__ import annotations
-
-import httpx
-import pytest
-import respx
-
-from slopguard.saas.client import (
-    DEFAULT_API_URL,
-    ApiError,
-    MeOrg,
-    MeResponse,
-    _extract_detail,
-    get_me,
-    list_projects,
-    post_scan,
-)
-
-ME_RESPONSE = {
-    "user_id": "user-1",
-    "email": "harry@example.com",
-    "clerk_id": None,
-    "principal_kind": "token",
-    "active_organization": {
-        "id": "org-1",
-        "name": "Acme Security",
-        "slug": "acme",
-        "plan": "starter",
-        "role": "owner",
-    },
-    "organizations": [
-        {
-            "id": "org-1",
-            "name": "Acme Security",
-            "slug": "acme",
-            "plan": "starter",
-            "role": "owner",
-        }
-    ],
-}
-
-
-def test_default_api_url_is_production() -> None:
-    assert DEFAULT_API_URL.startswith("https://")
-
-
-def test_api_error_message_includes_status_and_detail() -> None:
-    err = ApiError(401, "token revoked")
-    assert "401" in str(err)
-    assert "token revoked" in str(err)
-
-
-@respx.mock
-def test_get_me_returns_parsed_response() -> None:
-    respx.get("http://api.test/v1/me").mock(return_value=httpx.Response(200, json=ME_RESPONSE))
-    me = get_me("http://api.test", "sg_live_" + "x" * 24)
-    assert isinstance(me, MeResponse)
-    assert isinstance(me.active_org, MeOrg)
-    assert me.email == "harry@example.com"
-    assert me.active_org.slug == "acme"
-    assert me.active_org.role == "owner"
-
-
-@respx.mock
-def test_get_me_trims_trailing_slash() -> None:
-    respx.get("http://api.test/v1/me").mock(return_value=httpx.Response(200, json=ME_RESPONSE))
-    # Verify that trailing slash on api_url doesn't double up
-    me = get_me("http://api.test/", "sg_live_" + "x" * 24)
-    assert me.active_org.slug == "acme"
-
-
-@respx.mock
-def test_get_me_raises_api_error_on_401() -> None:
-    respx.get("http://api.test/v1/me").mock(
-        return_value=httpx.Response(401, json={"detail": "token revoked"})
-    )
-    with pytest.raises(ApiError) as exc_info:
-        get_me("http://api.test", "sg_live_" + "x" * 24)
-    assert exc_info.value.status == 401
-    assert "token revoked" in exc_info.value.detail
-
-
-@respx.mock
-def test_get_me_raises_on_network_error() -> None:
-    respx.get("http://api.test/v1/me").mock(side_effect=httpx.ConnectError("refused"))
-    with pytest.raises(ApiError) as exc_info:
-        get_me("http://api.test", "sg_live_" + "x" * 24)
-    assert exc_info.value.status == 0
-    assert "network error" in exc_info.value.detail
-
-
-@respx.mock
-def test_get_me_handles_non_json_detail() -> None:
-    respx.get("http://api.test/v1/me").mock(
-        return_value=httpx.Response(500, text="internal whoops")
-    )
-    with pytest.raises(ApiError) as exc_info:
-        get_me("http://api.test", "sg_live_" + "x" * 24)
-    assert exc_info.value.status == 500
-    assert "internal whoops" in exc_info.value.detail
-
-
-@respx.mock
-def test_post_scan_returns_parsed_summary() -> None:
-    payload = {
-        "project_id": "00000000-0000-0000-0000-000000000001",
-        "report": {"slopguard_version": "0.1.1"},
-        "source": "cli",
-    }
-    respx.post("http://api.test/v1/scans").mock(
-        return_value=httpx.Response(201, json={"id": "scan-1", "summary_total": 14})
-    )
-    result = post_scan("http://api.test", "sg_live_" + "x" * 24, payload)
-    assert result["id"] == "scan-1"
-    assert result["summary_total"] == 14
-
-
-@respx.mock
-def test_post_scan_raises_on_404() -> None:
-    respx.post("http://api.test/v1/scans").mock(
-        return_value=httpx.Response(404, json={"detail": "project not found"})
-    )
-    with pytest.raises(ApiError) as exc_info:
-        post_scan("http://api.test", "sg_live_" + "x" * 24, {"project_id": "x", "report": {}})
-    assert exc_info.value.status == 404
-
-
-@respx.mock
-def test_post_scan_network_error_is_zero_status() -> None:
-    respx.post("http://api.test/v1/scans").mock(side_effect=httpx.TimeoutException("slow"))
-    with pytest.raises(ApiError) as exc_info:
-        post_scan("http://api.test", "sg_live_" + "x" * 24, {"project_id": "x", "report": {}})
-    assert exc_info.value.status == 0
-
-
-@respx.mock
-def test_list_projects_returns_array() -> None:
-    rows = [
-        {"id": "p1", "name": "Default", "organization_id": "org-1"},
-    ]
-    respx.get("http://api.test/v1/projects").mock(return_value=httpx.Response(200, json=rows))
-    result = list_projects("http://api.test", "sg_live_" + "x" * 24, "org-1")
-    assert result == rows
-
-
-@respx.mock
-def test_list_projects_passes_organization_id_param() -> None:
-    route = respx.get("http://api.test/v1/projects").mock(return_value=httpx.Response(200, json=[]))
-    list_projects("http://api.test", "sg_live_" + "x" * 24, "org-zzz")
-    assert route.calls.last.request.url.params.get("organization_id") == "org-zzz"
-
-
-@respx.mock
-def test_list_projects_raises_on_error() -> None:
-    respx.get("http://api.test/v1/projects").mock(
-        return_value=httpx.Response(403, json={"detail": "forbidden"})
-    )
-    with pytest.raises(ApiError) as exc_info:
-        list_projects("http://api.test", "sg_live_" + "x" * 24, "org-1")
-    assert exc_info.value.status == 403
-
-
-@respx.mock
-def test_list_projects_network_error_is_zero_status() -> None:
-    respx.get("http://api.test/v1/projects").mock(side_effect=httpx.ConnectError("nope"))
-    with pytest.raises(ApiError) as exc_info:
-        list_projects("http://api.test", "sg_live_" + "x" * 24, "org-1")
-    assert exc_info.value.status == 0
-
-
-def test_extract_detail_prefers_json_detail() -> None:
-    resp = httpx.Response(400, json={"detail": "bad slug"})
-    assert _extract_detail(resp) == "bad slug"
-
-
-def test_extract_detail_falls_back_to_text() -> None:
-    resp = httpx.Response(500, text="kaboom")
-    assert "kaboom" in _extract_detail(resp)
-
-
-def test_extract_detail_handles_non_string_detail() -> None:
-    resp = httpx.Response(400, json={"detail": ["a", "b"]})
-    # detail isn't a string -> falls back to body text
-    out = _extract_detail(resp)
-    assert isinstance(out, str)