slopguard-cli 0.2.0__tar.gz → 0.4.0__tar.gz

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/.gitignore

@@ -52,3 +52,12 @@ out/
 .env
 .env.*
 !.env.example
+
+# Web app local config + build output
+apps/web/.env.local
+apps/web/tsconfig.tsbuildinfo
+apps/web/.next/
+
+# Probe daily JSONLs are written by the cron; the directory is tracked
+# via .gitkeep, individual files aren't.
+probe-data/observations/*.jsonl

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: slopguard-cli
-Version: 0.2.0
+Version: 0.4.0
 Summary: Defend developers and AI coding agents against slopsquatting (hallucinated package names).
 Project-URL: Homepage, https://github.com/hariomunknownslab/slopguard
 Project-URL: Repository, https://github.com/hariomunknownslab/slopguard
@@ -167,18 +167,19 @@ scoring:
 CLI flags override the file. See [`docs/usage.md`](docs/usage.md) for the full
 reference.
 
-## What it does NOT do (v0.1)
+## What it does NOT do
 
-- No live LLM probing — the hallucination database is a static seed for v0.1.
-- No SaaS dashboard, no auth, no billing, no telemetry to any remote server.
-- No tarpit registry, no defensive package registration.
+- No dashboard, no auth, no accounts, no billing, no telemetry. The
+  CLI is fully offline-capable; `slopguard update` is the only
+  outbound call beyond the npm + PyPI registry probes, and it just
+  fetches a static JSON file from GitHub Pages.
+- No defensive package registration / tarpit.
 - No Cursor / Claude Code / Copilot IDE plugins.
 - No support for crates.io, pkg.go.dev, Maven Central, RubyGems, NuGet —
   Python and JavaScript only.
 - No license scanning, no CVE matching, no SBOM generation.
-- No remote configuration, no SaaS API client.
 
-The full v0.2+ roadmap is tracked in the build spec, section 14.
+Everything is MIT, free forever. Fork it.
 
 ## Privacy & trust
 

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/README.md

@@ -129,18 +129,19 @@ scoring:
 CLI flags override the file. See [`docs/usage.md`](docs/usage.md) for the full
 reference.
 
-## What it does NOT do (v0.1)
+## What it does NOT do
 
-- No live LLM probing — the hallucination database is a static seed for v0.1.
-- No SaaS dashboard, no auth, no billing, no telemetry to any remote server.
-- No tarpit registry, no defensive package registration.
+- No dashboard, no auth, no accounts, no billing, no telemetry. The
+  CLI is fully offline-capable; `slopguard update` is the only
+  outbound call beyond the npm + PyPI registry probes, and it just
+  fetches a static JSON file from GitHub Pages.
+- No defensive package registration / tarpit.
 - No Cursor / Claude Code / Copilot IDE plugins.
 - No support for crates.io, pkg.go.dev, Maven Central, RubyGems, NuGet —
   Python and JavaScript only.
 - No license scanning, no CVE matching, no SBOM generation.
-- No remote configuration, no SaaS API client.
 
-The full v0.2+ roadmap is tracked in the build spec, section 14.
+Everything is MIT, free forever. Fork it.
 
 ## Privacy & trust
 

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "slopguard-cli"
-version = "0.2.0"
+version = "0.4.0"
 description = "Defend developers and AI coding agents against slopsquatting (hallucinated package names)."
 readme = "README.md"
 license = { text = "MIT" }

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/slopguard/__init__.py

@@ -2,6 +2,6 @@
 
 from __future__ import annotations
 
-__version__ = "0.2.0"
+__version__ = "0.4.0"
 
 __all__ = ["__version__"]

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/slopguard/cli.py

@@ -1,4 +1,4 @@
-"""SlopGuard CLI — ``scan`` + ``version`` subcommands."""
+"""SlopGuard CLI — ``scan``, ``update``, ``login``, ``whoami``, ``logout``, ``version``."""
 
 from __future__ import annotations
 
@@ -274,7 +274,10 @@ def scan_cmd(
         bool,
         typer.Option(
             "--upload",
-            help="Upload the scan to the SlopGuard SaaS after scanning. Requires `slopguard login`.",
+            help=(
+                "After scanning, POST the JSON report to a self-hosted "
+                "SlopGuard instance. Requires `slopguard login --api-url …` first."
+            ),
         ),
     ] = False,
 ) -> None:
@@ -370,14 +373,51 @@ def version_cmd() -> None:
     print(__version__)
 
 
+precommit_app = typer.Typer(
+    name="pre-commit",
+    help="Manage the git pre-commit hook that blocks HALLUCINATED commits.",
+    no_args_is_help=True,
+)
+app.add_typer(precommit_app, name="pre-commit")
+
+
+@precommit_app.command("install")
+def precommit_install_cmd(
+    force: Annotated[
+        bool,
+        typer.Option("--force", help="Overwrite an existing .git/hooks/pre-commit."),
+    ] = False,
+) -> None:
+    """Install a git pre-commit hook that runs ``slopguard scan`` on staged manifests."""
+    from slopguard.precommit import PrecommitError, install
+
+    try:
+        path = install(force=force)
+    except PrecommitError as exc:
+        raise _error_exit(str(exc)) from exc
+    Console().print(f"[green]Installed[/green] {path}")
+
+
+@precommit_app.command("uninstall")
+def precommit_uninstall_cmd() -> None:
+    """Remove the slopguard pre-commit hook (only if we installed it)."""
+    from slopguard.precommit import PrecommitError, uninstall
+
+    try:
+        removed = uninstall()
+    except PrecommitError as exc:
+        raise _error_exit(str(exc)) from exc
+    Console().print("[green]Removed.[/green]" if removed else "[yellow]Nothing to remove.[/yellow]")
+
+
 @app.command("update")
 def update_cmd() -> None:
-    """Refresh the local hallucination DB from the SlopGuard SaaS feed.
+    """Refresh the local hallucination DB from the public GitHub Pages feed.
 
-    No auth required. Downloads the public registry from
-    ``$SLOPGUARD_API_URL/v1/hallucinations`` (default: the SlopGuard SaaS)
-    and caches it at ``~/.cache/slopguard/hallucinations_db.json`` for the
-    next scan to read.
+    No auth required. Default source:
+    ``https://hariomunknownslab.github.io/slopguard/db.json`` (override via
+    ``SLOPGUARD_DB_URL``). Cached at
+    ``~/.cache/slopguard/hallucinations_db.json`` for the next scan.
     """
     from slopguard.update import run
 
@@ -391,12 +431,20 @@ def update_cmd() -> None:
 
 
 def _resolve_api_url(flag_value: str | None) -> str:
-    """API URL resolution order: --api-url > $SLOPGUARD_API_URL > default."""
-    import os
+    """API URL resolution order: --api-url > $SLOPGUARD_API_URL.
 
-    from slopguard.saas.client import DEFAULT_API_URL
+    There is no default endpoint. Self-hosters supply their own URL —
+    SlopGuard does not run a hosted SaaS.
+    """
+    import os
 
-    return flag_value or os.environ.get("SLOPGUARD_API_URL") or DEFAULT_API_URL
+    url = flag_value or os.environ.get("SLOPGUARD_API_URL", "")
+    if not url:
+        raise _error_exit(
+            "no API URL set. Pass --api-url https://your.instance/ or set SLOPGUARD_API_URL. "
+            "SlopGuard is open-source and self-hosted; there is no hosted SaaS."
+        )
+    return url
 
 
 @app.command("login")
@@ -412,27 +460,32 @@ def login_cmd(
         str | None,
         typer.Option(
             "--api-url",
-            help="SlopGuard API base URL. Defaults to $SLOPGUARD_API_URL or production.",
+            help="Self-hosted SlopGuard API base URL. Falls back to $SLOPGUARD_API_URL.",
         ),
     ] = None,
 ) -> None:
-    """Authenticate the CLI with a SlopGuard API token.
+    """Authenticate the CLI with a self-hosted SlopGuard API token.
 
-    Mint a token in the dashboard at *<api>/app/<org>/tokens* and paste it
-    here. The token is stored at ``~/.config/slopguard/credentials.toml``
-    with mode 0600.
+    Run your own instance with ``docker compose up`` from the repo
+    root. Mint a token in your dashboard at
+    ``<your-instance>/app/<org-slug>/tokens`` and paste it here. The
+    token is stored at ``~/.config/slopguard/credentials.toml`` with
+    mode 0600.
     """
     from slopguard.saas import Credentials, save_credentials
     from slopguard.saas.client import ApiError, get_me
 
-    api = _resolve_api_url(api_url)
+    # Validate the token format BEFORE we worry about the API URL —
+    # gives a clearer error if the user pasted gibberish.
     plaintext = token or typer.prompt("API token (input hidden)", hide_input=True)
     if not plaintext.startswith(("sg_live_", "sg_test_")):
         raise _error_exit(
             "token must start with sg_live_ or sg_test_; mint one at "
-            f"{api.rstrip('/')}/app/<org-slug>/tokens"
+            "<your-self-hosted-instance>/app/<org-slug>/tokens"
         )
 
+    api = _resolve_api_url(api_url)
+
     try:
         me = get_me(api, plaintext)
     except ApiError as exc:

slopguard_cli-0.4.0/slopguard/precommit.py

@@ -0,0 +1,121 @@
+"""``slopguard pre-commit install`` — writes a ``.git/hooks/pre-commit``.
+
+The hook runs ``slopguard scan`` on the staged manifest files and
+blocks the commit if it finds a HALLUCINATED dependency. Per
+v2 spec § 10.4.
+
+The hook itself is tiny — it shells out to ``slopguard scan
+--paths <staged-manifests>`` so the scanner logic stays in one place.
+"""
+
+from __future__ import annotations
+
+import os
+import stat
+import subprocess
+import sys
+from pathlib import Path
+
+HOOK_TEMPLATE = """\
+#!/bin/sh
+# Auto-generated by `slopguard pre-commit install`.
+# Aborts the commit on HALLUCINATED package findings in staged manifests.
+# Re-generate by re-running `slopguard pre-commit install`.
+
+set -e
+
+# Find staged manifest files.
+STAGED=$(git diff --cached --name-only --diff-filter=ACMR | tr '\\n' ' ')
+MANIFESTS=""
+for f in $STAGED; do
+    case "$f" in
+        package.json|*/package.json) MANIFESTS="$MANIFESTS $f" ;;
+        package-lock.json|*/package-lock.json) MANIFESTS="$MANIFESTS $f" ;;
+        requirements*.txt|*/requirements*.txt) MANIFESTS="$MANIFESTS $f" ;;
+        pyproject.toml|*/pyproject.toml) MANIFESTS="$MANIFESTS $f" ;;
+        Pipfile|*/Pipfile) MANIFESTS="$MANIFESTS $f" ;;
+    esac
+done
+
+# No manifest changes → nothing to do.
+if [ -z "$MANIFESTS" ]; then
+    exit 0
+fi
+
+# Scan each manifest. Exit on first HALLUCINATED finding.
+for m in $MANIFESTS; do
+    if ! slopguard scan "$m" --fail-on hallucinated; then
+        echo ""
+        echo "slopguard pre-commit: blocked by HALLUCINATED finding."
+        echo "  fix: remove the bad package, then re-stage the manifest."
+        echo "  bypass (NOT recommended): git commit --no-verify"
+        exit 1
+    fi
+done
+"""
+
+
+class PrecommitError(Exception):
+    """Raised when the hook can't be installed (e.g. not in a git repo)."""
+
+
+def _git_dir() -> Path:
+    """Return the ``.git/`` directory of the current repo, or raise."""
+    try:
+        out = subprocess.run(
+            ["git", "rev-parse", "--git-dir"],
+            check=True,
+            capture_output=True,
+            text=True,
+        )
+    except FileNotFoundError as exc:
+        raise PrecommitError("git not found on PATH") from exc
+    except subprocess.CalledProcessError as exc:
+        raise PrecommitError("not inside a git repository") from exc
+    git_dir = Path(out.stdout.strip())
+    if not git_dir.is_absolute():
+        git_dir = Path.cwd() / git_dir
+    return git_dir
+
+
+def install(*, force: bool = False) -> Path:
+    """Write the pre-commit hook into ``.git/hooks/``. Returns its path.
+
+    If a hook already exists and ``force`` is False, leaves it alone
+    and raises ``PrecommitError`` — clobbering a user's existing hook
+    silently would be rude.
+    """
+    git_dir = _git_dir()
+    hook_path = git_dir / "hooks" / "pre-commit"
+    if hook_path.exists() and not force:
+        body = hook_path.read_text(encoding="utf-8", errors="ignore")
+        if "slopguard pre-commit install" in body:
+            # Already ours — overwrite is fine.
+            pass
+        else:
+            raise PrecommitError(f"{hook_path} already exists. Re-run with --force to overwrite.")
+    hook_path.parent.mkdir(parents=True, exist_ok=True)
+    hook_path.write_text(HOOK_TEMPLATE, encoding="utf-8")
+    # chmod +x
+    mode = hook_path.stat().st_mode
+    hook_path.chmod(mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+    return hook_path
+
+
+def uninstall() -> bool:
+    """Remove the hook if it was installed by us. Returns True if removed."""
+    git_dir = _git_dir()
+    hook_path = git_dir / "hooks" / "pre-commit"
+    if not hook_path.exists():
+        return False
+    body = hook_path.read_text(encoding="utf-8", errors="ignore")
+    if "slopguard pre-commit install" not in body:
+        # Not ours — refuse to delete.
+        print(
+            f"{hook_path} doesn't look like a slopguard-installed hook; "
+            "leaving alone. Delete it by hand if you want.",
+            file=sys.stderr,
+        )
+        return False
+    os.unlink(hook_path)
+    return True

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/slopguard/saas/client.py

@@ -1,4 +1,9 @@
-"""Tiny HTTP client for the SlopGuard API."""
+"""Tiny HTTP client for the SlopGuard API.
+
+There is no canonical hosted SlopGuard API — every user runs their own.
+Set ``SLOPGUARD_API_URL`` or pass ``--api-url`` to point at your
+self-hosted instance.
+"""
 
 from __future__ import annotations
 
@@ -7,7 +12,10 @@ from typing import Any
 
 import httpx
 
-DEFAULT_API_URL = "https://api.slopguard.io"
+# Intentionally empty — no default endpoint. Users must point at their
+# own instance via ``slopguard login --api-url …`` or by setting
+# ``SLOPGUARD_API_URL``.
+DEFAULT_API_URL = ""
 
 
 class ApiError(Exception):

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/slopguard/saas/credentials.py

@@ -6,14 +6,20 @@ users on the machine cannot read it (spec §6.6).
 Layout::
 
     [active]
-    api_url = "https://api.slopguard.io"
+    api_url = "https://api.slopguard.example"
     token = "sg_live_..."
     org_slug = "acme-security"
     organization_id = "..."
-    user_email = "harry@unknownslab.com"
+    user_email = "you@example.com"
 
 A future ``slopguard switch`` could let multiple profiles live side-by-
 side; for now only ``[active]`` is read or written.
+
+NOTE: The SaaS endpoints these credentials authenticate against were
+deprecated in v0.2 (see apps/cli/slopguard/update.py). The CLI now
+fetches the hallucination DB from GitHub Pages without auth. The
+``saas`` package is kept for backward compatibility with any 0.1.x
+self-hosted SaaS deployments.
 """
 
 from __future__ import annotations

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/slopguard/update.py

@@ -1,7 +1,7 @@
 """``slopguard update`` — refresh the local hallucination DB.
 
-Fetches the curated DB from the SlopGuard GitHub Pages site (no API,
-no account, no auth) and writes a seed-shaped file to
+Fetches the curated DB from the public GitHub Pages site (no API, no
+account, no auth) and writes a seed-shaped file to
 ``~/.cache/slopguard/hallucinations_db.json``. The next ``slopguard
 scan`` prefers this cached file over the bundled seed (see
 ``slopguard.data.load_hallucination_db``).
@@ -13,9 +13,7 @@ Updated daily by the probe-cron GitHub Action; each entry goes through
 PR review before publication (see probe-data/README.md in the repo).
 
 Override the URL with ``SLOPGUARD_DB_URL`` to fetch from a fork or
-mirror. The legacy ``SLOPGUARD_API_URL`` env var still works for the
-0.1.x SaaS endpoint shape — used as a fallback for backward
-compatibility.
+self-hosted mirror.
 """
 
 from __future__ import annotations
@@ -35,18 +33,14 @@ CACHE_PATH = Path.home() / ".cache" / "slopguard" / "hallucinations_db.json"
 def _db_url() -> str:
     """Where to fetch the published DB.
 
-    Precedence: ``SLOPGUARD_DB_URL`` > legacy
-    ``SLOPGUARD_API_URL/v1/hallucinations`` > default GitHub Pages.
+    Override the default GitHub Pages URL with ``SLOPGUARD_DB_URL``
+    when running against a fork or a self-hosted mirror.
     """
-    if explicit := os.environ.get("SLOPGUARD_DB_URL"):
-        return explicit
-    if legacy := os.environ.get("SLOPGUARD_API_URL"):
-        return legacy.rstrip("/") + "/v1/hallucinations"
-    return DEFAULT_DB_URL
+    return os.environ.get("SLOPGUARD_DB_URL") or DEFAULT_DB_URL
 
 
 def _convert(wire: dict[str, Any]) -> dict[str, Any]:
-    """Map the API wire payload to the local seed schema."""
+    """Map the public-feed payload to the local seed schema."""
     entries: list[dict[str, Any]] = []
     for row in wire.get("entries", []):
         entries.append(

slopguard_cli-0.4.0/tests/conftest.py

@@ -0,0 +1,22 @@
+"""Shared pytest fixtures."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+
+# Force test isolation from the developer's real ~/.cache. If a previous
+# `slopguard update` left an empty/stale cache file, the hallucination DB
+# loader would pick it up and tests asserting on the bundled seed would
+# break. Pointing CACHE_OVERRIDE at /dev/null/missing makes the loader
+# fall back to the seed every time, regardless of host state.
+from slopguard import data as _data
+
+_data.CACHE_OVERRIDE = Path("/__slopguard_test_no_cache__")
+_data.load_hallucination_db.cache_clear()
+
+
+@pytest.fixture
+def fixtures_dir() -> Path:
+    return Path(__file__).parent / "fixtures"

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/tests/test_cli.py

@@ -107,7 +107,7 @@ def runner() -> CliRunner:
 def test_version_subcommand(runner: CliRunner) -> None:
     result = runner.invoke(app, ["version"])
     assert result.exit_code == 0
-    assert result.stdout.strip() == "0.2.0"
+    assert result.stdout.strip() == "0.4.0"
 
 
 def test_scan_fixtures_no_network_terminal(runner: CliRunner, fixtures_dir: Path) -> None:
@@ -183,4 +183,4 @@ def test_module_main_runs() -> None:
         check=False,
     )
     assert result.returncode == 0
-    assert result.stdout.strip() == "0.2.0"
+    assert result.stdout.strip() == "0.4.0"

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/tests/test_misc.py

@@ -40,8 +40,8 @@ def test_update_writes_cache_when_api_reachable(
     from slopguard import update
 
     monkeypatch.setattr(update, "CACHE_PATH", tmp_path / "h.json")
-    monkeypatch.setenv("SLOPGUARD_API_URL", "http://api.test")
-    respx.get("http://api.test/v1/hallucinations").mock(
+    monkeypatch.setenv("SLOPGUARD_DB_URL", "http://feed.test/db.json")
+    respx.get("http://feed.test/db.json").mock(
         return_value=httpx.Response(
             200,
             json={"generated_at": "2026-05-23T22:00:00Z", "count": 0, "entries": []},

slopguard_cli-0.4.0/tests/test_precommit.py

@@ -0,0 +1,78 @@
+"""Tests for ``slopguard pre-commit install`` / ``uninstall``."""
+
+from __future__ import annotations
+
+import os
+import subprocess
+from pathlib import Path
+
+import pytest
+
+from slopguard.precommit import PrecommitError, install, uninstall
+
+
+@pytest.fixture
+def in_git_repo(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Path:
+    """Create a fresh empty git repo and cd into it."""
+    subprocess.run(["git", "init", "--quiet"], cwd=tmp_path, check=True)
+    monkeypatch.chdir(tmp_path)
+    return tmp_path
+
+
+def test_install_writes_executable_hook(in_git_repo: Path) -> None:
+    path = install()
+    assert path.exists()
+    assert os.access(path, os.X_OK)
+    body = path.read_text()
+    assert "slopguard pre-commit install" in body  # sentinel
+    assert "slopguard scan" in body
+    assert "--fail-on hallucinated" in body
+
+
+def test_install_refuses_to_clobber_foreign_hook(in_git_repo: Path) -> None:
+    hook = in_git_repo / ".git" / "hooks" / "pre-commit"
+    hook.parent.mkdir(parents=True, exist_ok=True)
+    hook.write_text("#!/bin/sh\necho something-else\n")
+    with pytest.raises(PrecommitError, match="already exists"):
+        install()
+
+
+def test_install_force_overwrites(in_git_repo: Path) -> None:
+    hook = in_git_repo / ".git" / "hooks" / "pre-commit"
+    hook.parent.mkdir(parents=True, exist_ok=True)
+    hook.write_text("#!/bin/sh\necho something-else\n")
+    install(force=True)
+    assert "slopguard pre-commit install" in hook.read_text()
+
+
+def test_install_reinstalls_own_hook_without_force(in_git_repo: Path) -> None:
+    """Re-running install on our own hook is fine — it's a refresh."""
+    install()
+    install()  # no PrecommitError
+    hook = in_git_repo / ".git" / "hooks" / "pre-commit"
+    assert "slopguard pre-commit install" in hook.read_text()
+
+
+def test_uninstall_removes_our_hook(in_git_repo: Path) -> None:
+    install()
+    assert uninstall() is True
+    assert not (in_git_repo / ".git" / "hooks" / "pre-commit").exists()
+
+
+def test_uninstall_returns_false_when_absent(in_git_repo: Path) -> None:
+    assert uninstall() is False
+
+
+def test_uninstall_refuses_to_delete_foreign_hook(in_git_repo: Path) -> None:
+    hook = in_git_repo / ".git" / "hooks" / "pre-commit"
+    hook.parent.mkdir(parents=True, exist_ok=True)
+    hook.write_text("#!/bin/sh\necho theirs\n")
+    assert uninstall() is False
+    assert hook.exists()
+
+
+def test_outside_git_repo_errors(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    # tmp_path has no .git so git rev-parse fails.
+    monkeypatch.chdir(tmp_path)
+    with pytest.raises(PrecommitError, match="not inside a git repository"):
+        install()

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/tests/test_saas_auth.py

@@ -39,7 +39,7 @@ def test_credentials_round_trip(tmp_path: Path) -> None:
             token="sg_live_" + "x" * 24,
             org_slug="acme",
             organization_id="11111111-1111-1111-1111-111111111111",
-            user_email="harry@example.com",
+            user_email="dev@example.com",
         ),
         path=path,
     )
@@ -85,7 +85,7 @@ def test_login_persists_creds_on_success(
         assert token.startswith("sg_live_")
         return saas_client.MeResponse(
             user_id="user-1",
-            email="harry@example.com",
+            email="dev@example.com",
             principal_kind="token",
             active_org=saas_client.MeOrg(
                 id="org-1",
@@ -127,7 +127,7 @@ def test_whoami_with_valid_creds_prints_org(
             token="sg_live_" + "x" * 24,
             org_slug="acme",
             organization_id="org-1",
-            user_email="harry@example.com",
+            user_email="dev@example.com",
         ),
         path=cred_path,
     )
@@ -136,7 +136,7 @@ def test_whoami_with_valid_creds_prints_org(
     def fake_get_me(api_url: str, token: str, **_: object) -> saas_client.MeResponse:
         return saas_client.MeResponse(
             user_id="user-1",
-            email="harry@example.com",
+            email="dev@example.com",
             principal_kind="token",
             active_org=saas_client.MeOrg(
                 id="org-1",

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/tests/test_saas_client.py

@@ -19,7 +19,7 @@ from slopguard.saas.client import (
 
 ME_RESPONSE = {
     "user_id": "user-1",
-    "email": "harry@example.com",
+    "email": "dev@example.com",
     "clerk_id": None,
     "principal_kind": "token",
     "active_organization": {
@@ -41,8 +41,10 @@ ME_RESPONSE = {
 }
 
 
-def test_default_api_url_is_production() -> None:
-    assert DEFAULT_API_URL.startswith("https://")
+def test_default_api_url_is_empty() -> None:
+    """No hosted SlopGuard SaaS — DEFAULT_API_URL is intentionally empty.
+    Users supply their own via --api-url or $SLOPGUARD_API_URL."""
+    assert DEFAULT_API_URL == ""
 
 
 def test_api_error_message_includes_status_and_detail() -> None:
@@ -57,7 +59,7 @@ def test_get_me_returns_parsed_response() -> None:
     me = get_me("http://api.test", "sg_live_" + "x" * 24)
     assert isinstance(me, MeResponse)
     assert isinstance(me.active_org, MeOrg)
-    assert me.email == "harry@example.com"
+    assert me.email == "dev@example.com"
     assert me.active_org.slug == "acme"
     assert me.active_org.role == "owner"
 

{slopguard_cli-0.2.0 → slopguard_cli-0.4.0}/tests/test_update.py

@@ -22,7 +22,7 @@ def cache_at_tmp(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Path:
 
 @pytest.fixture
 def api_at_test(monkeypatch: pytest.MonkeyPatch) -> None:
-    monkeypatch.setenv("SLOPGUARD_API_URL", "http://api.test")
+    monkeypatch.setenv("SLOPGUARD_DB_URL", "http://feed.test/db.json")
 
 
 @respx.mock
@@ -44,9 +44,7 @@ def test_update_writes_cache(
             }
         ],
     }
-    respx.get("http://api.test/v1/hallucinations").mock(
-        return_value=httpx.Response(200, json=payload)
-    )
+    respx.get("http://feed.test/db.json").mock(return_value=httpx.Response(200, json=payload))
 
     code = update.run()
     assert code == 0
@@ -67,7 +65,7 @@ def test_update_writes_cache(
 def test_update_handles_network_failure(
     cache_at_tmp: Path, api_at_test: None, capsys: pytest.CaptureFixture[str]
 ) -> None:
-    respx.get("http://api.test/v1/hallucinations").mock(side_effect=httpx.ConnectError("nope"))
+    respx.get("http://feed.test/db.json").mock(side_effect=httpx.ConnectError("nope"))
     code = update.run()
     assert code == 1
     assert not cache_at_tmp.exists()
@@ -78,7 +76,7 @@ def test_update_handles_network_failure(
 def test_update_rejects_malformed_payload(
     cache_at_tmp: Path, api_at_test: None, capsys: pytest.CaptureFixture[str]
 ) -> None:
-    respx.get("http://api.test/v1/hallucinations").mock(
+    respx.get("http://feed.test/db.json").mock(
         return_value=httpx.Response(200, json={"entries": [{"name": "x"}]})
     )
     code = update.run()
@@ -88,34 +86,24 @@ def test_update_rejects_malformed_payload(
 
 
 def test_default_db_url_is_github_pages(monkeypatch: pytest.MonkeyPatch) -> None:
-    """When neither override env var is set, fetch from GitHub Pages."""
+    """When SLOPGUARD_DB_URL is not set, fetch from GitHub Pages."""
     monkeypatch.delenv("SLOPGUARD_DB_URL", raising=False)
-    monkeypatch.delenv("SLOPGUARD_API_URL", raising=False)
     assert update._db_url() == update.DEFAULT_DB_URL
     assert update.DEFAULT_DB_URL.startswith("https://hariomunknownslab.github.io/")
 
 
-def test_slopguard_db_url_takes_precedence(monkeypatch: pytest.MonkeyPatch) -> None:
+def test_slopguard_db_url_override(monkeypatch: pytest.MonkeyPatch) -> None:
+    """SLOPGUARD_DB_URL overrides the default Pages URL."""
     monkeypatch.setenv("SLOPGUARD_DB_URL", "https://my.mirror/db.json")
-    monkeypatch.setenv("SLOPGUARD_API_URL", "https://legacy/api")  # should be ignored
     assert update._db_url() == "https://my.mirror/db.json"
 
 
-def test_legacy_api_url_still_works(monkeypatch: pytest.MonkeyPatch) -> None:
-    """0.1.x users with SLOPGUARD_API_URL set keep working — we append
-    /v1/hallucinations the way the SaaS endpoint expected."""
-    monkeypatch.delenv("SLOPGUARD_DB_URL", raising=False)
-    monkeypatch.setenv("SLOPGUARD_API_URL", "https://legacy.example/")
-    assert update._db_url() == "https://legacy.example/v1/hallucinations"
-
-
 @respx.mock
 def test_update_fetches_from_pages_by_default(
     cache_at_tmp: Path, monkeypatch: pytest.MonkeyPatch
 ) -> None:
-    """End-to-end: no env overrides, hits the Pages URL."""
+    """End-to-end: no env override, hits the Pages URL."""
     monkeypatch.delenv("SLOPGUARD_DB_URL", raising=False)
-    monkeypatch.delenv("SLOPGUARD_API_URL", raising=False)
     respx.get(update.DEFAULT_DB_URL).mock(
         return_value=httpx.Response(
             200,

slopguard_cli-0.2.0/tests/conftest.py

@@ -1,12 +0,0 @@
-"""Shared pytest fixtures."""
-
-from __future__ import annotations
-
-from pathlib import Path
-
-import pytest
-
-
-@pytest.fixture
-def fixtures_dir() -> Path:
-    return Path(__file__).parent / "fixtures"