tenantshield 0.7.0b0__tar.gz

tenantshield-0.7.0b0/.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.{yml,yaml,toml,json}]
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false

tenantshield-0.7.0b0/.gitattributes

@@ -0,0 +1,37 @@
+# Normalize line endings: LF in repo, platform-appropriate on checkout
+* text=auto eol=lf
+
+# Explicit text files
+*.py        text eol=lf
+*.pyi       text eol=lf
+*.toml      text eol=lf
+*.yaml      text eol=lf
+*.yml       text eol=lf
+*.json      text eol=lf
+*.md        text eol=lf
+*.txt       text eol=lf
+*.cfg       text eol=lf
+*.ini       text eol=lf
+*.sh        text eol=lf
+*.env       text eol=lf
+.gitignore  text eol=lf
+.gitattributes text eol=lf
+.editorconfig text eol=lf
+LICENSE     text eol=lf
+
+# Windows-native scripts keep CRLF
+*.ps1       text eol=crlf
+*.bat       text eol=crlf
+*.cmd       text eol=crlf
+
+# Binary
+*.png       binary
+*.jpg       binary
+*.jpeg      binary
+*.gif       binary
+*.ico       binary
+*.pdf       binary
+*.zip       binary
+*.tar.gz    binary
+*.whl       binary
+*.pyc       binary

tenantshield-0.7.0b0/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,75 @@
+name: Bug report
+description: Report a defect in TenantShield.
+title: "[Bug]: "
+labels: ["bug", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report. Before you submit:
+
+        - Do not include real tenant data, credentials, secrets, or production
+          identifiers in this report. Replace anything sensitive with a
+          placeholder such as `<TENANT_ID>` or `<API_KEY>`.
+        - If you believe this is a security vulnerability, do not file a public
+          issue. Follow the procedure in `SECURITY.md` instead.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: A clear, concise description of the bug.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: What did you expect to happen?
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Minimal reproduction
+      description: Steps or a minimal code snippet that reproduces the issue.
+      render: python
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: TenantShield version
+      placeholder: "0.0.1a0"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: framework
+    attributes:
+      label: Framework
+      options:
+        - Django
+        - SQLAlchemy
+        - Celery
+        - DRF
+        - Core / None of the above
+    validations:
+      required: true
+
+  - type: input
+    id: python_version
+    attributes:
+      label: Python version
+      placeholder: "3.13.0"
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs or stack trace
+      description: Paste any structured log entries or traceback related to the bug.
+      render: text

tenantshield-0.7.0b0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,9 @@
+blank_issues_enabled: false
+
+contact_links:
+  - name: Security Vulnerability Disclosure
+    url: https://github.com/Jhoelperaltap/tenantshield/blob/main/SECURITY.md
+    about: For security issues, please email security@ejsupportit.com privately. Do NOT use public issues.
+  - name: Documentation
+    url: https://jhoelperaltap.github.io/tenantshield/
+    about: Check the official documentation site for guides, ADRs, and API reference.

tenantshield-0.7.0b0/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,41 @@
+name: Feature request
+description: Propose a new feature or enhancement.
+title: "[Feature]: "
+labels: ["enhancement", "needs-triage"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem does this solve?
+      description: Describe the user-facing problem or limitation this feature addresses.
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution or API sketch
+      description: A rough proposal. Code snippets or API shapes welcome.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other approaches you considered and why they were not chosen.
+
+  - type: dropdown
+    id: scope
+    attributes:
+      label: Scope
+      options:
+        - Core engine
+        - Django adapter
+        - SQLAlchemy adapter
+        - Celery adapter
+        - DRF integration
+        - Tooling / CI
+        - Documentation
+    validations:
+      required: true

tenantshield-0.7.0b0/.github/ISSUE_TEMPLATE/security_disclosure.md

@@ -0,0 +1,22 @@
+---
+name: Security Vulnerability
+about: For security issues, please DO NOT use GitHub issues
+title: ""
+labels: []
+---
+
+## ⚠️ STOP — Security issues require private disclosure
+
+**Do NOT report security vulnerabilities via public GitHub issues.**
+
+Security vulnerabilities should be reported privately to:
+
+**security@ejsupportit.com**
+
+Please see [SECURITY.md](../SECURITY.md) for our security disclosure policy, including:
+
+- What to include in your report
+- Expected response timeline (initial acknowledgement within 72 hours)
+- Coordinated disclosure process
+
+If you continue and submit this template publicly, your issue **will be closed and redacted**.

tenantshield-0.7.0b0/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,30 @@
+## Summary
+
+<!-- One paragraph describing what this PR does and why. -->
+
+## Type of change
+
+- [ ] feat — new feature
+- [ ] fix — bug fix
+- [ ] docs — documentation only
+- [ ] test — adding or correcting tests
+- [ ] refactor — code change that neither fixes a bug nor adds a feature
+- [ ] perf — performance improvement
+- [ ] chore — tooling, config, or maintenance
+- [ ] build — build system or dependencies
+- [ ] ci — continuous integration
+
+## Checklist
+
+- [ ] Tests added or updated, and passing locally (`uv run pytest`).
+- [ ] Type checks pass (`uv run mypy src/tenantshield` and `uv run pyright src/tenantshield`).
+- [ ] Lint and format pass (`uv run pre-commit run --all-files`).
+- [ ] Coverage has not decreased.
+- [ ] `CHANGELOG.md` updated under `[Unreleased]`.
+- [ ] Documentation updated if applicable.
+- [ ] No `TODO` without an associated issue number.
+- [ ] PR is under 400 lines of net change, or a justification is provided.
+
+## Related issues
+
+<!-- Closes #N, Refs #N, etc. -->

tenantshield-0.7.0b0/.github/dependabot.yml

@@ -0,0 +1,22 @@
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "build"
+      prefix-development: "build"
+      include: "scope"
+    labels: ["dependencies", "python"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels: ["dependencies", "github-actions"]

tenantshield-0.7.0b0/.github/workflows/bench.yml

@@ -0,0 +1,27 @@
+name: bench
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  bench:
+    name: bench
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - name: Run benchmarks (slow markers, strict mode)
+        run: uv run pytest -m slow -v --no-cov
+        env:
+          TENANTSHIELD_BENCH_STRICT: "1"

tenantshield-0.7.0b0/.github/workflows/ci.yml

@@ -0,0 +1,79 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv run ruff check .
+      - run: uv run ruff format --check .
+
+  typecheck:
+    name: typecheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv run mypy src/tenantshield
+      - run: uv run pyright src/tenantshield
+
+  test:
+    name: test (py${{ matrix.python-version }}, django${{ matrix.django-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12", "3.13", "3.14"]
+        django-version: ["4.2", "5.2", "6.0"]
+        exclude:
+          # Django 6.0 requires Python >=3.12; py3.11 combination is
+          # unsatisfiable.
+          - python-version: "3.11"
+            django-version: "6.0"
+          # Django 4.2 LTS predates Python 3.14; django/template/context.py:39
+          # raises AttributeError on Python 3.14's super() / __dict__ semantics.
+          # Upstream issue (not TenantShield code; 10/11 matrix cells pass).
+          # See ADR-0003: Django 4.2 LTS commitment preserved for py3.11-3.13.
+          - python-version: "3.14"
+            django-version: "4.2"
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: ${{ matrix.python-version }}
+      - run: uv sync --all-extras --dev
+      - run: uv pip install "django==${{ matrix.django-version }}.*"
+      - run: uv run pytest
+      - uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: coverage-py${{ matrix.python-version }}-django${{ matrix.django-version }}
+          path: coverage.xml
+          retention-days: 7

tenantshield-0.7.0b0/.github/workflows/docs.yml

@@ -0,0 +1,31 @@
+name: docs
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'src/tenantshield/**'
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'src/tenantshield/**'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv run mkdocs build --strict

tenantshield-0.7.0b0/.github/workflows/pages-deploy.yml

@@ -0,0 +1,48 @@
+name: Deploy MkDocs to GitHub Pages
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'README.md'
+      - '.github/workflows/pages-deploy.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  build:
+    name: Build MkDocs site
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv run mkdocs build --strict
+      - uses: actions/upload-pages-artifact@v3
+        with:
+          path: site/
+
+  deploy:
+    name: Deploy to GitHub Pages
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - id: deployment
+        uses: actions/deploy-pages@v4

tenantshield-0.7.0b0/.github/workflows/publish-pypi.yml

@@ -0,0 +1,60 @@
+name: Publish to PyPI
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+# Trusted Publishing via OIDC; no PyPI API token in repository secrets.
+# Setup (one-time, browser):
+#   1. Register a pending publisher at
+#      https://pypi.org/manage/account/publishing/ with:
+#        - PyPI project name: tenantshield
+#        - Owner: Jhoelperaltap
+#        - Repository name: tenantshield
+#        - Workflow filename: publish-pypi.yml
+#        - Environment name: pypi
+#   2. In GitHub repo Settings -> Environments, create environment "pypi".
+#      (Optional: add required reviewers if you want a manual gate before
+#      every public publish; without reviewers it auto-publishes on tag push.)
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  build:
+    name: Build distributions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv build
+      - uses: actions/upload-artifact@v7
+        with:
+          name: dist-pypi
+          path: dist/
+          retention-days: 7
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/project/tenantshield/
+    steps:
+      - uses: actions/download-artifact@v5
+        with:
+          name: dist-pypi
+          path: dist/
+      - name: Publish distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true

tenantshield-0.7.0b0/.github/workflows/publish-testpypi.yml

@@ -0,0 +1,53 @@
+name: Publish to TestPyPI
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+# Trusted Publishing via OIDC; no PyPI API token in repository secrets.
+# Setup: register a pending publisher at
+# https://test.pypi.org/manage/account/publishing/ with the workflow
+# filename above and repository "Jhoelperaltap/tenantshield".
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  build:
+    name: Build distributions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv build
+      - uses: actions/upload-artifact@v7
+        with:
+          name: dist
+          path: dist/
+          retention-days: 7
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/project/tenantshield/
+    steps:
+      - uses: actions/download-artifact@v5
+        with:
+          name: dist
+          path: dist/
+      - name: Publish distributions to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true

tenantshield-0.7.0b0/.github/workflows/security.yml

@@ -0,0 +1,53 @@
+name: security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  bandit:
+    name: bandit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv run bandit -c pyproject.toml -r src/
+
+  pip-audit:
+    name: pip-audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.13"
+      - run: uv sync --all-extras --dev
+      - run: uv run pip-audit
+
+  codeql:
+    name: codeql
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: github/codeql-action/init@v4
+        with:
+          languages: python
+      - uses: github/codeql-action/analyze@v4

tenantshield-0.7.0b0/.gitignore

@@ -0,0 +1,60 @@
+# Byte-compiled / cached
+__pycache__/
+*.pyc
+*.pyo
+
+# Distribution / packaging
+*.egg-info/
+build/
+dist/
+
+# Virtual environments
+.venv/
+venv/
+.env
+.envrc
+
+# Tooling caches
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.tox/
+.nox/
+.hypothesis/
+
+# Coverage
+htmlcov/
+.coverage
+coverage.xml
+*.cover
+
+# IDE / OS
+.idea/
+.vscode/
+.DS_Store
+Thumbs.db
+
+# Documentation build output
+site/
+
+# Agent / local-only artifacts (not part of the project)
+CLAUDE.md
+PHASE_*_KICKOFF.md
+PHASE_*_CLOSURE.md
+TENANTSHIELD_ROADMAP.md
+_scratch_*
+.claude/
+.aider*
+.cursor*
+.continue/
+*.local.md
+
+# Django runtime artifacts (for examples/)
+*.sqlite3
+*.sqlite3-journal
+examples/*/staticfiles/
+examples/*/media/
+examples/*/local_settings.py
+
+# Examples lockfiles (each example resolves locally; Phase 2 precedent)
+examples/**/uv.lock