sourcecode 1.54.0__py3-none-any.whl → 1.56.0__py3-none-any.whl

sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.54.0"
+__version__ = "1.56.0"

sourcecode/contract_pipeline.py

@@ -634,11 +634,13 @@ def _find_symbol_files(
     try:
         result = subprocess.run(
             [
-                "grep", "-rl",
+                "grep", "-rlF",
                 "--include=*.ts", "--include=*.tsx",
                 "--include=*.js", "--include=*.jsx",
                 "--include=*.py", "--include=*.java",
-                symbol, ".",
+                # -e guards a symbol that begins with '-' from being parsed as a
+                # flag; -- terminates options so the search root can't be either.
+                "-e", symbol, "--", ".",
             ],
             cwd=str(root),
             capture_output=True,

sourcecode/license.py

@@ -45,7 +45,33 @@ _DEFAULT_SUPABASE_URL: str = "https://qkndlmyekvujjdgthtmz.supabase.co"
 # Paste your project's anon key here so `sourcecode activate` works out of the
 # box; env var still overrides for testing against another project.
 _DEFAULT_SUPABASE_ANON_KEY: str = "sb_publishable_qiJFLWjbBbTqjg-fb0mAGA_cl8PBOKH"
-_SUPABASE_URL: str = os.environ.get("SOURCECODE_SUPABASE_URL", _DEFAULT_SUPABASE_URL)
+def _safe_supabase_url(override: "Optional[str]") -> str:
+    """Validate the SOURCECODE_SUPABASE_URL override before trusting it.
+
+    The license key is POSTed to this host, so a plaintext ``http://`` endpoint
+    would expose the credential on the wire. Allow ``https://`` to any host, and
+    ``http://`` only to loopback (Supabase local dev serves on
+    ``http://127.0.0.1:54321``). Anything else is rejected back to the default.
+    """
+    if not override or override == _DEFAULT_SUPABASE_URL:
+        return _DEFAULT_SUPABASE_URL
+    from urllib.parse import urlparse
+
+    parsed = urlparse(override)
+    host = (parsed.hostname or "").lower()
+    is_loopback = host in {"localhost", "127.0.0.1", "::1"}
+    if parsed.scheme == "https" or (parsed.scheme == "http" and is_loopback):
+        return override
+    sys.stderr.write(
+        f"[sourcecode] WARNING: ignoring SOURCECODE_SUPABASE_URL={override!r} — "
+        "must be https:// (or http:// to localhost). Using the default endpoint "
+        "to avoid sending the license key over plaintext.\n"
+    )
+    sys.stderr.flush()
+    return _DEFAULT_SUPABASE_URL
+
+
+_SUPABASE_URL: str = _safe_supabase_url(os.environ.get("SOURCECODE_SUPABASE_URL"))
 _SUPABASE_ANON_KEY: str = os.environ.get(
     "SOURCECODE_SUPABASE_ANON_KEY",
     _DEFAULT_SUPABASE_ANON_KEY,
@@ -152,12 +178,35 @@ _license_data: Optional[dict] = None
 is_pro: bool = False
 
 
+def _secure_dir() -> None:
+    """Create ~/.sourcecode owner-only (0700). Holds the license secret.
+
+    ``mkdir(mode=...)`` is ignored when the dir already exists, so chmod
+    unconditionally. Best-effort: a chmod failure (e.g. Windows) is non-fatal.
+    """
+    try:
+        _LICENSE_DIR.mkdir(parents=True, exist_ok=True)
+        os.chmod(_LICENSE_DIR, 0o700)
+    except OSError:
+        pass
+
+
 def _write_license_file(data: dict) -> None:
-    """Atomically write license data via tmp file + rename."""
+    """Atomically write license data via tmp file + rename, owner-only (0600).
+
+    The payload contains the Pro ``license_key`` and account email, so the file
+    must not be world/group-readable on shared hosts. Permissions are set on the
+    tmp file *before* the rename so there is no readable window at the final path.
+    """
+    _secure_dir()
     payload = json.dumps(data, indent=2, ensure_ascii=False).encode("utf-8")
     tmp = _LICENSE_FILE.with_suffix(".tmp")
     try:
         tmp.write_bytes(payload)
+        try:
+            os.chmod(tmp, 0o600)
+        except OSError:
+            pass
         tmp.replace(_LICENSE_FILE)
     except Exception:
         try:
@@ -192,7 +241,7 @@ def check_delta_free_tier(repo_path: str) -> "tuple[bool, int, int]":
     new_used = used + 1
     runs[key] = new_used
     try:
-        _LICENSE_DIR.mkdir(parents=True, exist_ok=True)
+        _secure_dir()
         tmp = _DELTA_RUNS_FILE.with_suffix(".tmp")
         tmp.write_text(json.dumps(runs, indent=2, ensure_ascii=False), encoding="utf-8")
         tmp.replace(_DELTA_RUNS_FILE)
@@ -506,7 +555,7 @@ def activate_license(license_key: str) -> None:
         _emit_telemetry("activation", feature="key", success=False, error_kind="NotPro")
         _fail("not_pro", "This license is not a Pro license.")
 
-    _LICENSE_DIR.mkdir(parents=True, exist_ok=True)
+    _secure_dir()
     now = datetime.now(timezone.utc).isoformat()
     data = {
         "license_key": license_key,

sourcecode/spring_impact.py

@@ -182,6 +182,25 @@ _INERT_MARKER_SUPERTYPES = frozenset({
     "Externalizable", "java.io.Externalizable",
 })
 
+# Concrete JDK base classes extended for implementation reuse, NOT framework-DI
+# interfaces. `class Foo extends ArrayList` is code reuse, not polymorphic wiring,
+# and consumers that merely hold an ArrayList/InputStream field are not callers of
+# Foo. Validated on BroadleafCommerce: without this, CH-007 mis-recovered consumers
+# of ArrayList/Stack/InputStream as callers of EmptyFilterValues/IdentityUtilContext/
+# ResourceInputStream. Simple-name match (the external type is, by definition, not in-repo).
+_NON_DI_SUPERTYPES = frozenset({
+    # java.util containers
+    "ArrayList", "LinkedList", "Vector", "Stack", "HashMap", "LinkedHashMap",
+    "TreeMap", "HashSet", "LinkedHashSet", "TreeSet", "ArrayDeque", "Properties",
+    "AbstractList", "AbstractMap", "AbstractSet", "AbstractCollection", "EnumMap",
+    # java.io / java.nio streams + readers
+    "InputStream", "OutputStream", "Reader", "Writer", "FilterInputStream",
+    "FilterOutputStream", "ByteArrayInputStream", "ByteArrayOutputStream",
+    # java.lang base classes
+    "Object", "Thread", "Throwable", "Exception", "RuntimeException", "Error",
+    "Number", "Enum", "ClassLoader", "ThreadLocal",
+})
+
 
 def _external_supertypes(cir, class_fqn: str) -> list[str]:
     """Return supertypes of class_fqn that are NOT in-repo symbols.
@@ -212,6 +231,8 @@ def _external_supertypes(cir, class_fqn: str) -> list[str]:
         simple = to.rsplit(".", 1)[1] if "." in to else to
         if simple in _INERT_MARKER_SUPERTYPES or to in _INERT_MARKER_SUPERTYPES:
             continue
+        if simple in _NON_DI_SUPERTYPES:
+            continue  # concrete JDK base extended for reuse, not DI dispatch
         # Internal if it resolves to exactly one in-repo class (exact or simple-name).
         if to in known:
             continue
@@ -246,6 +267,51 @@ def _is_unmodeled_value_type(cir, class_fqn: str, model) -> bool:
     return True
 
 
+# CH-007 — external-interface DI bridge (caller recovery)
+# ---------------------------------------------------------------------------
+# When a class is reachable only through an external interface it implements
+# (the CH-005 blind spot), its consumers inject/reference the *external* type,
+# never the impl — so no reverse-graph edge names the impl and CH-001b (in-repo
+# interface expansion) cannot bridge. The wiring sites are still in-repo, though:
+# the raw dependency edges record `<consumer> -[injects|calls|instantiates|returns]->
+# <external interface>`. Read those to recover the consumer classes, and count how
+# many in-repo classes implement/extend each external supertype: exactly one means
+# the binding is unambiguous (this impl IS the injected bean); several means any
+# could be, so recover all candidates and flag the ambiguity rather than assert.
+_DI_USE_EDGE_TYPES = frozenset({"injects", "calls", "instantiates", "returns"})
+
+
+def _recover_external_iface_callers(
+    cir, external_supertypes: list[str], impl_class_fqn: str
+) -> tuple[list[str], int]:
+    """Recover in-repo wiring/consumer classes for an impl wired via an external
+    interface (CH-007). See module note above.
+
+    Returns ``(recovered_caller_classes, max_impl_count)`` where max_impl_count is
+    the largest number of in-repo implementors across the matched supertypes — 1
+    means the impl→bean binding is unambiguous, >1 means it is not.
+    """
+    deps = getattr(cir, "dependencies", None) or []
+    ext = set(external_supertypes)
+    if not ext:
+        return [], 0
+    recovered: list[str] = []
+    impl_count: dict[str, int] = {e: 0 for e in ext}
+    for edge in deps:
+        to = (edge.get("to") or "").strip()
+        if to not in ext:
+            continue
+        et = edge.get("type")
+        if et in ("implements", "extends"):
+            impl_count[to] = impl_count.get(to, 0) + 1
+        elif et in _DI_USE_EDGE_TYPES:
+            owner = normalize_owner_fqn((edge.get("from") or "").strip())
+            if owner and owner != impl_class_fqn:
+                recovered.append(owner)
+    max_impl = max(impl_count.values()) if impl_count else 0
+    return list(dict.fromkeys(recovered)), max_impl
+
+
 # ---------------------------------------------------------------------------
 # Symbol resolution
 # ---------------------------------------------------------------------------
@@ -846,7 +912,57 @@ class ImpactOrchestrator:
         if empty_blast and class_level_seed:
             external_supertypes = _external_supertypes(cir, resolved_symbol)
         framework_di_blind_spot = bool(external_supertypes)
+
+        # CH-007: external-interface DI bridge. Before treating the empty result as a
+        # blind spot, recover the in-repo wiring/consumer classes that inject the
+        # external supertype (they never name this impl, so the BFS missed them).
+        di_recovered_callers: list[str] = []
+        di_binding_ambiguous = False
         if framework_di_blind_spot:
+            di_recovered_callers, _max_impl = _recover_external_iface_callers(
+                cir, external_supertypes, resolved_symbol
+            )
+            di_binding_ambiguous = _max_impl > 1
+            # Keep only genuinely new caller classes (not seeds / already found).
+            _known = set(seed_fqns) | set(direct_callers) | set(indirect_callers)
+            di_recovered_callers = [c for c in di_recovered_callers if c not in _known]
+
+        di_recovered = bool(di_recovered_callers)
+        if di_recovered:
+            # Merge recovered wiring sites into the chain and recompute the views
+            # that depend on the caller set (endpoints, findings, surfaces, risk).
+            direct_callers = direct_callers + di_recovered_callers
+            empty_blast = False
+            all_callers = direct_callers + indirect_callers
+            endpoints_affected = _collect_endpoints(all_callers, seed_fqns, model)
+            impact_findings_raw = _filter_findings(
+                all_findings, seed_fqns, direct_callers, indirect_callers, endpoints_affected
+            )
+            impact_findings_raw.sort(
+                key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.symbol)
+            )
+            impact_findings = [f.to_dict() for f in impact_findings_raw]
+            security_surfaces = _build_security_surfaces(endpoints_affected, impact_findings_raw)
+            risk_level, risk_score = _compute_risk(
+                len(direct_callers), len(indirect_callers),
+                len(endpoints_affected), impact_findings_raw,
+            )
+            _ambig = (
+                " Binding is ambiguous (the external type has multiple in-repo "
+                "implementors); the recovered caller(s) wire one of them — verify "
+                "which bean is configured." if di_binding_ambiguous else ""
+            )
+            warnings.append(
+                f"External-interface DI bridge (CH-007): recovered "
+                f"{len(di_recovered_callers)} in-repo wiring/consumer class(es) that "
+                "inject the external supertype(s) [" + ", ".join(external_supertypes)
+                + "] this class implements. These callers reference the interface, not "
+                "this class directly, so the static call-graph missed them. They reach "
+                "this class only if it is the bean configured for that interface — the "
+                "interface may also have framework/third-party implementations; verify "
+                "the wiring." + _ambig
+            )
+        elif framework_di_blind_spot:
             warnings.append(
                 "Framework/external-interface DI blind spot (CH-005): this class "
                 "implements/extends external type(s) [" + ", ".join(external_supertypes)
@@ -900,6 +1016,10 @@ class ImpactOrchestrator:
         confidence: str
         if resolution == "not_found":
             confidence = "low"
+        elif di_recovered:
+            # Callers recovered structurally via the external-interface DI bridge.
+            # Unambiguous binding (single in-repo impl) → medium; ambiguous → low.
+            confidence = "low" if di_binding_ambiguous else "medium"
         elif framework_di_blind_spot or value_type_blind_spot or unresolved_ref_blind_spot:
             confidence = "low"
         elif resolution == "partial" or confidence_reducing:
@@ -931,11 +1051,14 @@ class ImpactOrchestrator:
                 "model_build_time_ms": model.build_time_ms,
                 "query_time_ms": elapsed_ms,
                 "blind_spots": (
-                    (["framework_di"] if framework_di_blind_spot else [])
+                    # framework_di stops being a blind spot once CH-007 recovers callers
+                    (["framework_di"] if framework_di_blind_spot and not di_recovered else [])
                     + (["value_type"] if value_type_blind_spot else [])
                     + (["unresolved_refs"] if unresolved_ref_blind_spot else [])
                 ),
                 "external_supertypes": external_supertypes,
+                "external_iface_callers_recovered": len(di_recovered_callers),
+                "external_iface_binding_ambiguous": di_binding_ambiguous,
             },
         )
 

{sourcecode-1.54.0.dist-info → sourcecode-1.56.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.54.0
+Version: 1.56.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,7 +40,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.54.0-blue)
+![Version](https://img.shields.io/badge/version-1.56.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -459,9 +459,12 @@ Unlike `impact` (which traces the caller graph), `impact-chain` builds on the Sp
 | `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
 | `risk_level` | `critical` \| `high` \| `medium` \| `low` |
 | `confidence` | `high` \| `medium` \| `low` — `low` on a detected blind spot, `medium` on partial resolution or capped traversal. Informational interface↔impl expansion notices do **not** lower it, so a clean resolved query stays `high`. |
-| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code |
+| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code (CH-007 drops `framework_di` once it recovers the wiring callers) |
+| `metadata.external_iface_callers_recovered` / `external_iface_binding_ambiguous` | CH-007 — count of in-repo wiring callers recovered through an external interface, and whether the impl→bean binding is ambiguous (multiple in-repo implementors) |
 
-**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) are excluded.
+**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) and concrete JDK base classes extended for reuse (`ArrayList`, `InputStream`, …) are excluded.
+
+**External-interface DI caller recovery (CH-007).** When the target is wired through an external interface, the consumers that inject that interface never name the target, so the static caller graph misses them — but the wiring sites are still in-repo. `impact-chain` reads the dependency edges to recover the in-repo classes that inject/use the external supertype and attributes them as callers (so their endpoints map too). If exactly one in-repo class implements the interface the binding is unambiguous (`confidence:medium`); if several do, `metadata.external_iface_binding_ambiguous` is `true` and confidence stays `low`. `metadata.external_iface_callers_recovered` reports the count. Recovered callers reach the target only if it is the bean configured for that interface (which may also have framework/third-party implementations) — the warning says so. Validated on BroadleafCommerce: querying a `UserDetailsService` implementation recovers the security-config and login-service classes that wire it.
 
 **Caller precision (CH-006).** `implements`/`extends` are structural type declarations, not calls — so they are excluded from the caller graph. Querying a class that implements a high-fanout interface (e.g. a 40-implementor `CustomEndpoint` or a shared `Mapper<E,D>` base) does **not** report its sibling implementors as callers; only real `injects`/`calls` edges count. This prevents a leaf class from being inflated to a large false blast radius.
 

{sourcecode-1.54.0.dist-info → sourcecode-1.56.0.dist-info}/RECORD

@@ -1,4 +1,4 @@
-sourcecode/__init__.py,sha256=LfTE9XTRZtRV8IXTdhYD92vZwvIIvz8cRORq_nAxiD4,103
+sourcecode/__init__.py,sha256=Pkp631Fn1N1LTXdXhECw7jwtP1qHPqYOjr7-FG3sUJc,103
 sourcecode/adaptive_scanner.py,sha256=XffluXKzJUXrMtjEiAOnSNPZnztdIcts17T9ouHeID0,10521
 sourcecode/architecture_analyzer.py,sha256=liCwQmLgb5vplohy8arjYxs_HOIv5C9MjLh_gY6bc5Q,44115
 sourcecode/architecture_summary.py,sha256=z34_6v7cSwy98cof2UVciGho7SCrZ93tiqMmq5WNzRQ,20405
@@ -13,7 +13,7 @@ sourcecode/confidence_analyzer.py,sha256=_jckZSxksV-OU38vbkxfVNBnWCtlCq8Vwfg23x1
 sourcecode/context_scorer.py,sha256=QpChSpsmaAYz91rXA4Ue5xzQmNz_ZboZN09YOHScq1U,14679
 sourcecode/context_summarizer.py,sha256=zlbm8ytdvJToohU108-dwBmEl52xl0gXpf6PZBOW_2A,6540
 sourcecode/contract_model.py,sha256=nRxJKPMs1VHwFTa8AVXhGmaLjti3Lr2sjHDpWgv1bfE,3917
-sourcecode/contract_pipeline.py,sha256=gvTdDniedm_mjq4vaHqnBY2UkQ0s00gtXqzTLILNXHc,28719
+sourcecode/contract_pipeline.py,sha256=bNn9SYtwfI1CGKlYGxewexlp7_IWhpwSCae-BMuuVwQ,28895
 sourcecode/coverage_parser.py,sha256=q0LeZJaX1bnntLu-ImksdBsMlpsVmk_iUfSaB4eaJGo,19702
 sourcecode/dependency_analyzer.py,sha256=qEnRiKFkleZJyLf_DyznJbWD1GJ881iG4RRDqH9oGQ4,61524
 sourcecode/doc_analyzer.py,sha256=05bjTUbDbmnbajD_cgRnACzS8T7xxBKVX4CjkJlhZg8,24411
@@ -29,7 +29,7 @@ sourcecode/fqn_utils.py,sha256=XLU7zDkNBXz_RZkIUNfpPmp1nekWtqP-fxV92tDV1vg,2158
 sourcecode/git_analyzer.py,sha256=JStxTQXNjBWi_wLdwhsZs9mT-v50cSJIz4Agzn6Kh9I,13362
 sourcecode/graph_analyzer.py,sha256=DHR8fY69oU_Pi4SYaWboX6EoEFrctQKB9dsjpqwGMzw,62403
 sourcecode/integration_detector.py,sha256=ZJqrGwvZ4ee2JTGhlazKk67aZi173HxkhNpl8Yntpd8,6503
-sourcecode/license.py,sha256=i_X1bYdobL_z9OVuLiycnWEFSaaNhcKKuTd6G55U3_k,20747
+sourcecode/license.py,sha256=JD-1pnH_2XR9lKr9p9KQZn9U31I9e5o6GYsN1XCVccw,22577
 sourcecode/mcp_nudge.py,sha256=5ELU_ixzh6uA83NXLOZT8h00OhL53okfQdji3jyKOjg,2917
 sourcecode/metrics_analyzer.py,sha256=m0ENgtqKeBL17kUIK3fmGkgo7UfXBNHxCMj0H_Y5K7c,22750
 sourcecode/migrate_check.py,sha256=H8iy7Vk8cGL0dnR3ZkFPS20CtfF5LJWuzQVQE4awQ9s,56192
@@ -55,7 +55,7 @@ sourcecode/semantic_analyzer.py,sha256=4OdG6tTSnTvq3_dSWMbQu8Ad1ndSCKeG-b9qM4hIx
 sourcecode/serializer.py,sha256=TGzftrSKitZrtl6Hh-R05s4KdTOxwTmph_lGDbo2Wzg,125015
 sourcecode/spring_event_topology.py,sha256=5_ON_21Le5zbG-1GRc5GLIi5HJfy_QjcXLVPC5WeUGQ,18055
 sourcecode/spring_findings.py,sha256=G7Or2lKBUQbcTDqudLvSs9XvNg_YoAa-_lBOG_ULs8E,5457
-sourcecode/spring_impact.py,sha256=5ooAVO-gg1rL-wRaT9_V8ra8edq5TAKu-kp4sAEoS_U,46343
+sourcecode/spring_impact.py,sha256=f8XJtOG41f7EHQCs64BBZ0mdMTwU40DRcMoQ59SVprg,53296
 sourcecode/spring_model.py,sha256=zOAgFmrRbG4a6KLm1TJl55aWMyPNsz3OS3FSczqPG6A,16594
 sourcecode/spring_security_audit.py,sha256=XtPJ1SXlZJ8k6VYmaWuAp7Bbir4UmreAL7doIGQ5I7o,20595
 sourcecode/spring_semantic.py,sha256=O1nKSGVzlukuxLHQVuCPxc-XrcrMFxwlHA20_dmEGgM,13307
@@ -102,8 +102,8 @@ sourcecode/telemetry/consent.py,sha256=wLMvGNJeSSyZoNkQXpoUioY6mMv4Qdvuw7S9jAEWn
 sourcecode/telemetry/events.py,sha256=LtzYfaX9Ilckj5PTvAcTpDa9mLqDsYPDUiDkRa58piY,2580
 sourcecode/telemetry/filters.py,sha256=NHa5T-6DaZduQPFuC34jOqHWQgSizM-Ygq8aZ4j19ng,5834
 sourcecode/telemetry/transport.py,sha256=4gGHsq0WeY9VywEZXA3vUxykfiYnw9uuqfjAAec7F8o,1681
-sourcecode-1.54.0.dist-info/METADATA,sha256=IKf3ufkzi2IYGswenS8AADWj8eUsW6YPFFhJl_mT6M4,37049
-sourcecode-1.54.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
-sourcecode-1.54.0.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
-sourcecode-1.54.0.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
-sourcecode-1.54.0.dist-info/RECORD,,
+sourcecode-1.56.0.dist-info/METADATA,sha256=3XaX5Y56V_x6f4WkArJ-hXRYyds-FnNpQqBXNrTNdLk,38464
+sourcecode-1.56.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+sourcecode-1.56.0.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
+sourcecode-1.56.0.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
+sourcecode-1.56.0.dist-info/RECORD,,