tablassert 7.0.0__tar.gz

tablassert-7.0.0/.github/workflows/docs.yml

@@ -0,0 +1,24 @@
+name: Deploy MkDocs
+on:
+  push:
+    branches:
+      - main
+permissions:
+  contents: write
+jobs:
+  deploy-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+      - name: Build documentation
+        run: uv run --group dev mkdocs build
+      - name: Deploy to GitHub Pages
+        uses: peaceiris/actions-gh-pages@v3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./site
+          user_name: "github-actions[bot]"
+          user_email: "github-actions[bot]@users.noreply.github.com"

tablassert-7.0.0/.github/workflows/pipy.yml

@@ -0,0 +1,19 @@
+name: Deploy to PyPI
+on:
+  push:
+    branches: [main]
+    paths: [pyproject.toml]
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+      - name: Build package
+        run: uv build
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

tablassert-7.0.0/.gitignore

@@ -0,0 +1,25 @@
+*.egg-info
+*__pycache__/
+*.logs/
+*.opencode/
+*.ruff_cache/
+*.pytest_cache/
+*plans/
+*CLAUDE.md
+*.claude/
+*.cachassert/
+*.storassert/
+*.logassert/
+*DATALAKE/
+*.onnxassert/
+*.envrc
+*venv/
+*.log
+*.duckdb
+*.ndjson
+*.wal
+*.sh
+*.pyc
+*.tar.gz
+*.whl
+*dist/

tablassert-7.0.0/.planning/PROJECT.md

@@ -0,0 +1,47 @@
+# Tablassert Release Automation
+
+## What This Is
+
+This project defines and automates the release workflow for the Tablassert Python CLI so releases are built consistently with UV and published to PyPI through GitHub Actions. It is for maintainers who currently validate the codebase manually and want a repeatable CI/CD path that matches the repository's real behavior.
+
+## Core Value
+
+A tagged release can be built and published to PyPI reliably from GitHub without manual packaging steps.
+
+## Requirements
+
+### Validated
+
+(None yet — ship to validate)
+
+### Active
+
+- [ ] GitHub Actions workflow builds Tablassert distribution artifacts with UV on release.
+- [ ] GitHub Actions workflow publishes validated artifacts to PyPI.
+- [ ] Release pipeline uses secure authentication and avoids hardcoded credentials.
+
+### Out of Scope
+
+- Docker image publishing — currently paused and intentionally excluded.
+- Additional product features unrelated to release automation — this initialization only covers packaging and publishing flow.
+
+## Context
+
+The codebase already exists and is manually tested; current repository behavior is treated as source of truth for documentation and release decisions. Recent updates migrated project workflows from Nix to UV, and CLI command usage is now `tablassert`.
+
+## Constraints
+
+- **Tooling**: UV-based Python workflow — release build must run via UV tooling to stay consistent with repository standards.
+- **Registry**: PyPI publication target — release outputs must be installable from PyPI.
+- **Security**: CI secrets or trusted publishing only — publishing must not expose credentials in workflow files.
+
+## Key Decisions
+
+| Decision | Rationale | Outcome |
+|----------|-----------|---------|
+| Use GitHub Actions for release automation | Repository already uses GitHub Actions and this keeps release flow in existing CI/CD surface | — Pending |
+| Use UV for build steps | UV is now the project's package and environment tool | — Pending |
+| Publish to PyPI from CI | Removes manual release drift and supports reproducible distribution | — Pending |
+
+---
+*Last updated: 2026-03-17 after initialization*

tablassert-7.0.0/.planning/REQUIREMENTS.md

@@ -0,0 +1,73 @@
+# Requirements: Tablassert Release Automation
+
+**Defined:** 2026-03-17
+**Core Value:** A tagged release can be built and published to PyPI reliably from GitHub without manual packaging steps.
+
+## v1 Requirements
+
+Requirements for initial release automation. Each maps to roadmap phases.
+
+### Triggering and Versioning
+
+- [ ] **TRIG-01**: Maintainer can publish only from release/tag events intended for production releases.
+- [ ] **TRIG-02**: Release workflow validates that package version and release/tag metadata are consistent before publish.
+
+### Build and Artifacts
+
+- [x] **BLD-01**: Release workflow builds both sdist and wheel artifacts using UV.
+- [ ] **BLD-02**: Build job stores immutable artifacts for downstream jobs in the same workflow run.
+- [ ] **BLD-03**: Release workflow fails if artifact metadata is invalid or artifact checks fail.
+
+### Publish and Security
+
+- [x] **PUB-01**: Publish job uploads only artifacts produced by the validated build job.
+- [x] **PUB-02**: Publish job uses PyPI trusted publishing (OIDC) or equivalent secure credentials with no hardcoded secrets in repo files.
+- [ ] **PUB-03**: Publish step is gated by GitHub environment protections for production PyPI publication.
+
+### Operations and Reliability
+
+- [ ] **OPS-01**: Workflow prevents duplicate/racing publish attempts for the same version.
+- [ ] **OPS-02**: Maintainers have documented rollback/mitigation guidance for bad production releases.
+
+## v2 Requirements
+
+Deferred to future release improvements.
+
+### Release Hardening
+
+- **HARD-01**: Maintainer can publish continuously to TestPyPI for pre-production validation.
+- **HARD-02**: Workflow performs post-publish install smoke checks from target index.
+- **HARD-03**: Workflow enforces stronger provenance/attestation policy.
+
+## Out of Scope
+
+| Feature | Reason |
+|---------|--------|
+| Docker image publishing | Explicitly paused by maintainers and not required for PyPI package release |
+| Feature development unrelated to release automation | This scope is limited to CI/CD packaging and publication reliability |
+
+## Traceability
+
+Which phases cover which requirements. Updated during roadmap creation.
+
+| Requirement | Phase | Status |
+|-------------|-------|--------|
+| TRIG-01 | Phase 1 | Pending |
+| TRIG-02 | Phase 1 | Pending |
+| BLD-01 | Phase 1 | Complete |
+| BLD-02 | Phase 2 | Pending |
+| BLD-03 | Phase 2 | Pending |
+| PUB-01 | Phase 3 | Complete |
+| PUB-02 | Phase 3 | Complete |
+| PUB-03 | Phase 3 | Pending |
+| OPS-01 | Phase 2 | Pending |
+| OPS-02 | Phase 4 | Pending |
+
+**Coverage:**
+- v1 requirements: 10 total
+- Mapped to phases: 10
+- Unmapped: 0
+
+---
+*Requirements defined: 2026-03-17*
+*Last updated: 2026-03-17 after roadmap creation*

tablassert-7.0.0/.planning/ROADMAP.md

@@ -0,0 +1,66 @@
+# Roadmap: Tablassert Release Automation
+
+## Overview
+
+This roadmap delivers a secure, reproducible GitHub Actions release path for the Tablassert CLI: first enforce correct release triggers and deterministic UV builds, then validate and preserve artifacts, then publish through protected PyPI trusted publishing, and finally ensure maintainers can recover safely from bad releases.
+
+## Phases
+
+**Phase Numbering:**
+- Integer phases (1, 2, 3): Planned milestone work
+- Decimal phases (2.1, 2.2): Urgent insertions (marked with INSERTED)
+
+- [ ] **Phase 1: Release Preconditions and Deterministic Build** - Production releases only trigger with verified tag/version alignment and UV-built distribution outputs.
+- [ ] **Phase 2: Artifact Validation and Run Reliability** - Built artifacts are validated, preserved for downstream jobs, and protected from duplicate publish races.
+- [ ] **Phase 3: Protected PyPI Publication** - Only validated artifacts are published to PyPI through secure, environment-gated credentials.
+- [ ] **Phase 4: Release Recovery Playbook** - Maintainers can follow documented rollback/mitigation steps for bad production releases.
+
+## Phase Details
+
+### Phase 1: Release Preconditions and Deterministic Build
+**Goal**: Maintainers can trigger production release runs only from intended release events, with version metadata checks and deterministic UV artifact generation in place.
+**Depends on**: Nothing (first phase)
+**Requirements**: TRIG-01, TRIG-02, BLD-01
+**Success Criteria** (what must be TRUE):
+  1. Maintainer can trigger a production release workflow only from approved release/tag events.
+  2. Workflow blocks publication path when tag/release metadata does not match package version.
+  3. Release run produces both wheel and sdist artifacts using UV for the tagged version.
+**Plans**: TBD
+
+### Phase 2: Artifact Validation and Run Reliability
+**Goal**: Artifact integrity is proven before publish by validating build outputs, promoting immutable artifacts across jobs, and preventing racing runs for the same version.
+**Depends on**: Phase 1
+**Requirements**: BLD-02, BLD-03, OPS-01
+**Success Criteria** (what must be TRUE):
+  1. Maintainer can see build artifacts preserved and transferred unchanged between workflow jobs in the same run.
+  2. Workflow fails before publish when artifact metadata/checks are invalid.
+  3. Starting duplicate release runs for the same version does not result in multiple competing publish attempts.
+**Plans**: TBD
+
+### Phase 3: Protected PyPI Publication
+**Goal**: Production publish is a tightly scoped, secure step that uploads only previously validated artifacts through GitHub-protected controls.
+**Depends on**: Phase 2
+**Requirements**: PUB-01, PUB-02, PUB-03
+**Success Criteria** (what must be TRUE):
+  1. Publish job uploads only artifacts produced by the validated build/verify jobs from the same workflow run.
+  2. Maintainer can complete publish without repository-stored static PyPI secrets in workflow files.
+  3. Production publish requires the configured GitHub environment protections before artifact upload proceeds.
+**Plans**: TBD
+
+### Phase 4: Release Recovery Playbook
+**Goal**: Maintainers can quickly mitigate bad releases with clear, repeatable rollback guidance tailored to PyPI release constraints.
+**Depends on**: Phase 3
+**Requirements**: OPS-02
+**Success Criteria** (what must be TRUE):
+  1. Maintainer can find and follow documented mitigation steps when a bad release reaches PyPI.
+  2. Maintainer can execute the documented recovery path (for example yank + corrected release) without ad hoc decision-making.
+**Plans**: TBD
+
+## Progress
+
+| Phase | Plans Complete | Status | Completed |
+|-------|----------------|--------|-----------|
+| 1. Release Preconditions and Deterministic Build | 0/TBD | Not started | - |
+| 2. Artifact Validation and Run Reliability | 0/TBD | Not started | - |
+| 3. Protected PyPI Publication | 0/TBD | Not started | - |
+| 4. Release Recovery Playbook | 0/TBD | Not started | - |

tablassert-7.0.0/.planning/STATE.md

@@ -0,0 +1,79 @@
+---
+gsd_state_version: 1.0
+milestone: v1.0
+milestone_name: milestone
+status: planning
+stopped_at: Completed quick-1-PLAN.md
+last_updated: "2026-03-17T22:02:05.791Z"
+last_activity: 2026-03-17 - Completed quick task 1: Please add a github action that runs UV build and uploads to PiPy
+progress:
+  percent: 0
+---
+
+# Project State
+
+## Project Reference
+
+See: `.planning/PROJECT.md` (updated 2026-03-17)
+
+**Core value:** A tagged release can be built and published to PyPI reliably from GitHub without manual packaging steps.
+**Current focus:** Phase 1 - Release Preconditions and Deterministic Build
+
+## Current Position
+
+Phase: 1 of 4 (Release Preconditions and Deterministic Build)
+Plan: 0 of TBD in current phase
+Status: Ready to plan
+Last activity: 2026-03-17 - Completed quick task 1: Please add a github action that runs UV build and uploads to PiPy
+
+Progress: [░░░░░░░░░░] 0%
+
+## Performance Metrics
+
+**Velocity:**
+- Total plans completed: 0
+- Average duration: 0 min
+- Total execution time: 0.0 hours
+
+**By Phase:**
+
+| Phase | Plans | Total | Avg/Plan |
+|-------|-------|-------|----------|
+| - | - | - | - |
+
+**Recent Trend:**
+- Last 5 plans: -
+- Trend: Stable
+| Phase quick-1-please-add-a-github-action-that-runs-uv- P1 | 1m | 2 tasks | 1 files |
+
+## Accumulated Context
+
+### Decisions
+
+Decisions are logged in `.planning/PROJECT.md` Key Decisions table.
+Recent decisions affecting current work:
+
+- [Phase 1]: Enforce production release triggers and tag/version validation before publish path.
+- [Phase 3]: Use protected trusted publishing flow for PyPI with environment gating.
+- [Phase quick-1-please-add-a-github-action-that-runs-uv-]: Use artifact promotion so publish uploads exactly what build produced.
+- [Phase quick-1-please-add-a-github-action-that-runs-uv-]: Use PyPI trusted publishing via OIDC with pypi environment gating.
+
+### Pending Todos
+
+None yet.
+
+### Blockers/Concerns
+
+- Trusted publisher mapping details must be verified against live PyPI project and GitHub environment configuration before first production publish.
+
+### Quick Tasks Completed
+
+| # | Description | Date | Commit | Directory |
+|---|-------------|------|--------|-----------|
+| 1 | Please add a github action that runs UV build and uploads to PiPy | 2026-03-17 | 6c32765 | [1-please-add-a-github-action-that-runs-uv-](./quick/1-please-add-a-github-action-that-runs-uv-/) |
+
+## Session Continuity
+
+Last session: 2026-03-17T22:02:05.790Z
+Stopped at: Completed quick-1-PLAN.md
+Resume file: None

tablassert-7.0.0/.planning/config.json

@@ -0,0 +1,15 @@
+{
+  "mode": "yolo",
+  "granularity": "coarse",
+  "parallelization": true,
+  "commit_docs": true,
+  "model_profile": "balanced",
+  "workflow": {
+    "research": true,
+    "plan_check": true,
+    "verifier": true,
+    "nyquist_validation": true,
+    "auto_advance": true,
+    "_auto_chain_active": true
+  }
+}

tablassert-7.0.0/.planning/quick/1-please-add-a-github-action-that-runs-uv-/1-PLAN.md

@@ -0,0 +1,90 @@
+---
+phase: quick-1-please-add-a-github-action-that-runs-uv-
+plan: 1
+type: execute
+wave: 1
+depends_on: []
+files_modified:
+  - .github/workflows/release-pypi.yml
+autonomous: true
+requirements:
+  - BLD-01
+  - PUB-01
+  - PUB-02
+must_haves:
+  truths:
+    - "Maintainer can run a release workflow that builds wheel and sdist with UV."
+    - "Built artifacts are the exact inputs used by the publish job."
+    - "PyPI upload is performed by GitHub Actions without hardcoded credentials."
+  artifacts:
+    - path: ".github/workflows/release-pypi.yml"
+      provides: "Release workflow with build and publish jobs"
+      contains: "uv build, upload/download-artifact, pypa/gh-action-pypi-publish"
+  key_links:
+    - from: "build job"
+      to: "publish job"
+      via: "actions/upload-artifact -> actions/download-artifact"
+      pattern: "dist/ artifacts"
+    - from: "release tag"
+      to: "pyproject version"
+      via: "workflow validation step"
+      pattern: "tag equals project.version"
+---
+
+<objective>
+Create a single GitHub Actions release workflow that builds distributions with UV and publishes those artifacts to PyPI.
+
+Purpose: Remove manual packaging/publishing drift and make tagged releases reproducible and secure.
+Output: `.github/workflows/release-pypi.yml` with guarded release trigger, UV build, artifact handoff, and PyPI publish.
+</objective>
+
+<execution_context>
+@/home/skyeav/.config/opencode/get-shit-done/workflows/execute-plan.md
+@/home/skyeav/.config/opencode/get-shit-done/templates/summary.md
+</execution_context>
+
+<context>
+@.planning/STATE.md
+@.planning/PROJECT.md
+@.planning/ROADMAP.md
+@pyproject.toml
+@.github/workflows/docs.yml
+</context>
+
+<tasks>
+
+<task type="auto">
+  <name>Task 1: Create UV release build workflow scaffold</name>
+  <files>.github/workflows/release-pypi.yml</files>
+  <action>Create a new workflow triggered by `release.published` (and optional `workflow_dispatch` for maintainers). Add a `build` job on ubuntu-latest that checks out code, installs UV via `astral-sh/setup-uv`, validates that release tag (strip leading `v`) matches `project.version` in `pyproject.toml`, then runs `uv build` to produce wheel and sdist. Upload `dist/*` as a named artifact for downstream jobs. Do not embed PyPI credentials or tokens in workflow code.</action>
+  <verify>
+    <automated>uv run python -c "import pathlib, yaml; yaml.safe_load(pathlib.Path('.github/workflows/release-pypi.yml').read_text()); print('workflow yaml valid')"</automated>
+  </verify>
+  <done>Workflow file exists with build job, UV build step, tag/version guard, and artifact upload step.</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Add secure publish job using built artifacts</name>
+  <files>.github/workflows/release-pypi.yml</files>
+  <action>Add a `publish` job that `needs: build`, has minimal permissions (`id-token: write`, `contents: read`), downloads the exact build artifact, and uploads via `pypa/gh-action-pypi-publish` (trusted publishing/OIDC path). Bind the job to a `pypi` environment for protection rules. Ensure publish only runs on successful build and never rebuilds artifacts in this job.</action>
+  <verify>
+    <automated>python -c "import pathlib,re; t=pathlib.Path('.github/workflows/release-pypi.yml').read_text(); assert 'needs: build' in t and 'id-token: write' in t and 'gh-action-pypi-publish' in t; print('publish wiring present')"</automated>
+  </verify>
+  <done>Publish job uses downloaded build artifacts and trusted publishing permissions, with no static credential usage in workflow file.</done>
+</task>
+
+</tasks>
+
+<verification>
+Run a local packaging smoke check and workflow lint-level checks before merge.
+</verification>
+
+<success_criteria>
+1. Tagged release workflow builds both `.whl` and `.tar.gz` with UV.
+2. Publish job consumes artifacts from the build job and uploads to PyPI via `gh-action-pypi-publish`.
+3. Workflow file contains no hardcoded PyPI username/password/token secrets.
+</success_criteria>
+
+<output>
+After completion, create `.planning/quick/1-please-add-a-github-action-that-runs-uv-/1-SUMMARY.md`
+</output>

tablassert-7.0.0/.planning/quick/1-please-add-a-github-action-that-runs-uv-/1-SUMMARY.md

@@ -0,0 +1,80 @@
+---
+phase: quick-1-please-add-a-github-action-that-runs-uv-
+plan: 1
+subsystem: infra
+tags: [github-actions, uv, pypi, oidc, release]
+requires: []
+provides:
+  - Release workflow building wheel and sdist with uv
+  - Artifact handoff from build to publish job
+  - Trusted publishing path to PyPI with OIDC permissions
+affects: [release, packaging, publishing]
+tech-stack:
+  added: []
+  patterns: [release-tag-version-guard, artifact-promotion, trusted-publishing]
+key-files:
+  created: [.planning/quick/1-please-add-a-github-action-that-runs-uv-/1-SUMMARY.md]
+  modified: [.github/workflows/release-pypi.yml]
+key-decisions:
+  - "Use release artifact promotion (upload/download-artifact) so publish never rebuilds outputs"
+  - "Use PyPI trusted publishing (id-token + pypi environment) instead of static credentials"
+patterns-established:
+  - "Release workflow validates tag-to-version parity before building artifacts"
+  - "Publish job consumes build artifacts via needs + download-artifact"
+requirements-completed: [BLD-01, PUB-01, PUB-02]
+duration: 1m
+completed: 2026-03-17
+---
+
+# Phase [quick-1] Plan [1]: Release Workflow Summary
+
+**GitHub Actions now builds Tablassert wheel/sdist with uv and publishes the exact built artifacts to PyPI using OIDC trusted publishing.**
+
+## Performance
+
+- **Duration:** 1m
+- **Started:** 2026-03-17T14:59:57Z
+- **Completed:** 2026-03-17T15:01:11Z
+- **Tasks:** 2
+- **Files modified:** 1
+
+## Accomplishments
+- Added `.github/workflows/release-pypi.yml` with `release.published` and optional `workflow_dispatch` triggers.
+- Implemented build job with `astral-sh/setup-uv`, tag/version validation against `pyproject.toml`, `uv build`, and artifact upload.
+- Added publish job with `needs: build`, `id-token: write`, `contents: read`, `environment: pypi`, artifact download, and `pypa/gh-action-pypi-publish`.
+
+## Task Commits
+
+1. **Task 1: Create UV release build workflow scaffold** - `77fba59` (feat)
+2. **Task 2: Add secure publish job using built artifacts** - `d4fbfec` (feat)
+
+## Files Created/Modified
+- `.github/workflows/release-pypi.yml` - Release workflow with uv build, guarded tag/version check, artifact handoff, and trusted PyPI publish.
+- `.planning/quick/1-please-add-a-github-action-that-runs-uv-/1-SUMMARY.md` - Execution summary and task traceability.
+
+## Decisions Made
+- Use a manual `workflow_dispatch` input for `release_tag` so maintainers can rerun releases with explicit version context.
+- Keep build and publish strictly separated with artifact promotion to guarantee published files are exact build outputs.
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+
+None.
+
+## User Setup Required
+
+Configure GitHub environment `pypi` and PyPI trusted publisher mapping before first production release.
+
+## Next Phase Readiness
+
+- Release workflow is ready for repository-level environment/protection configuration and first dry-run tag release.
+- Trusted publisher mapping in PyPI remains the only external dependency called out in project state.
+
+## Self-Check: PASSED
+
+- FOUND: `.planning/quick/1-please-add-a-github-action-that-runs-uv-/1-SUMMARY.md`
+- FOUND: `77fba59`
+- FOUND: `d4fbfec`