tend 0.0.1__tar.gz

tend-0.0.1/PKG-INFO

@@ -0,0 +1,15 @@
+Metadata-Version: 2.4
+Name: tend
+Version: 0.0.1
+Summary: Claude-powered CI for GitHub repos
+Project-URL: homepage, https://github.com/max-sixty/tend
+Author-email: Maximilian Roos <m@maxroos.com>
+License-Expression: MIT
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: >=3.11
+Requires-Dist: click>=8.0

tend-0.0.1/pyproject.toml

@@ -0,0 +1,32 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "tend"
+version = "0.0.1"
+description = "Claude-powered CI for GitHub repos"
+license = "MIT"
+requires-python = ">=3.11"
+authors = [{ name = "Maximilian Roos", email = "m@maxroos.com" }]
+classifiers = [
+  "Operating System :: OS Independent",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3 :: Only",
+]
+dependencies = ["click>=8.0"]
+
+[project.scripts]
+tend = "continuous.cli:main"
+
+[project.urls]
+homepage = "https://github.com/max-sixty/tend"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/continuous"]
+
+[dependency-groups]
+dev = ["pytest>=9.0.2", "pyyaml>=6.0.3"]

tend-0.0.1/src/continuous/checks.py

@@ -0,0 +1,136 @@
+"""Security checks for continuous setup.
+
+Verifies the repository has the security prerequisites described in
+docs/security-model.md: branch protection on the default branch, bot
+permission level, and required secrets.
+
+Uses the `gh` CLI for GitHub API access. Checks degrade gracefully when
+gh is unavailable or the token lacks permission.
+"""
+
+from __future__ import annotations
+
+import json
+import shutil
+import subprocess
+from dataclasses import dataclass
+
+from continuous.config import Config
+
+
+@dataclass
+class CheckResult:
+    name: str
+    passed: bool | None  # None = skipped/error
+    message: str
+
+
+def _gh(*args: str) -> subprocess.CompletedProcess[str] | None:
+    """Run a gh CLI command. Returns None if gh is not installed."""
+    gh = shutil.which("gh")
+    if not gh:
+        return None
+    try:
+        return subprocess.run(
+            [gh, *args], capture_output=True, text=True, timeout=30
+        )
+    except subprocess.TimeoutExpired:
+        return None
+
+
+def detect_repo() -> str | None:
+    """Detect owner/repo from the gh CLI context."""
+    result = _gh("repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner")
+    if result and result.returncode == 0:
+        repo = result.stdout.strip()
+        return repo or None
+    return None
+
+
+def check_branch_protection(repo: str, branch: str) -> CheckResult:
+    """Check if the default branch is protected."""
+    result = _gh("api", f"repos/{repo}/branches/{branch}", "--jq", ".protected")
+    if result is None:
+        return CheckResult("branch-protection", None, "gh CLI not found")
+    if result.returncode != 0:
+        return CheckResult("branch-protection", None, f"API error: {result.stderr.strip()}")
+
+    if result.stdout.strip() == "true":
+        return CheckResult("branch-protection", True, f"Default branch '{branch}' is protected")
+    return CheckResult(
+        "branch-protection",
+        False,
+        f"Default branch '{branch}' is NOT protected. "
+        "The bot must not be able to merge PRs — this is the primary security boundary. "
+        "Add a branch protection rule or ruleset. See docs/security-model.md.",
+    )
+
+
+def check_bot_permission(repo: str, bot_name: str) -> CheckResult:
+    """Check the bot's permission level (should be write, not admin)."""
+    result = _gh("api", f"repos/{repo}/collaborators/{bot_name}/permission", "--jq", ".permission")
+    if result is None:
+        return CheckResult("bot-permission", None, "gh CLI not found")
+    if result.returncode != 0:
+        stderr = result.stderr.strip()
+        if "Not Found" in stderr or "404" in stderr:
+            return CheckResult(
+                "bot-permission", None,
+                f"Bot '{bot_name}' not found as a collaborator — check the bot_name in config",
+            )
+        return CheckResult("bot-permission", None, "Could not check (may require admin access to read)")
+
+    perm = result.stdout.strip()
+    if perm == "admin":
+        return CheckResult(
+            "bot-permission",
+            False,
+            f"Bot '{bot_name}' has admin permission — it can bypass branch protection. "
+            "Downgrade to write access.",
+        )
+    return CheckResult("bot-permission", True, f"Bot '{bot_name}' has '{perm}' permission")
+
+
+def check_secrets(repo: str, expected: list[str]) -> CheckResult:
+    """Check that required secrets exist in the repository."""
+    result = _gh("api", f"repos/{repo}/actions/secrets", "--jq", "[.secrets[].name]")
+    if result is None:
+        return CheckResult("secrets", None, "gh CLI not found")
+    if result.returncode != 0:
+        return CheckResult("secrets", None, "Could not list secrets (may require admin access)")
+
+    try:
+        secret_names = json.loads(result.stdout)
+    except json.JSONDecodeError:
+        return CheckResult("secrets", None, "Could not parse secrets response")
+
+    missing = [s for s in expected if s not in secret_names]
+    if missing:
+        return CheckResult(
+            "secrets",
+            False,
+            f"Missing secrets: {', '.join(missing)}. "
+            "Add them in repo Settings > Secrets and variables > Actions.",
+        )
+    return CheckResult("secrets", True, f"Required secrets present: {', '.join(expected)}")
+
+
+def run_all_checks(cfg: Config, repo: str | None = None) -> list[CheckResult]:
+    """Run all security checks. Auto-detects repo if not provided."""
+    if shutil.which("gh") is None:
+        return [CheckResult("prerequisites", None, "gh CLI not found — install it to run security checks")]
+
+    if repo is None:
+        repo = detect_repo()
+    if repo is None:
+        return [CheckResult(
+            "prerequisites",
+            None,
+            "Could not detect repository. Run from a git repo with a GitHub remote, or pass --repo.",
+        )]
+
+    return [
+        check_branch_protection(repo, cfg.default_branch),
+        check_bot_permission(repo, cfg.bot_name),
+        check_secrets(repo, [cfg.bot_token_secret, cfg.claude_token_secret]),
+    ]

tend-0.0.1/src/continuous/cli.py

@@ -0,0 +1,75 @@
+"""CLI for generating continuous workflow files."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import click
+
+from continuous.checks import CheckResult, run_all_checks
+from continuous.config import Config
+from continuous.workflows import generate_all
+
+
+def _print_check_results(results: list[CheckResult]) -> None:
+    """Print check results with pass/fail/skip indicators."""
+    for r in results:
+        if r.passed is True:
+            icon = click.style("PASS", fg="green")
+        elif r.passed is False:
+            icon = click.style("FAIL", fg="red")
+        else:
+            icon = click.style("SKIP", fg="yellow")
+        click.echo(f"  {icon}  {r.name} — {r.message}")
+
+
+@click.group()
+def main() -> None:
+    """Generate Claude-powered CI workflows from .config/continuous.toml."""
+
+
+@main.command()
+@click.option("--config", "-c", "config_path", type=click.Path(exists=True, path_type=Path), default=None)
+@click.option("--dry-run", is_flag=True, help="Print generated files without writing")
+def init(config_path: Path | None, dry_run: bool) -> None:
+    """Generate workflow files from config. Idempotent — always overwrites."""
+    cfg = Config.load(config_path)
+    outdir = Path(".github/workflows")
+
+    workflows = generate_all(cfg)
+    if not workflows:
+        click.echo("No workflows enabled in config.")
+        return
+
+    if not dry_run:
+        outdir.mkdir(parents=True, exist_ok=True)
+
+    for wf in workflows:
+        path = outdir / wf.filename
+        if dry_run:
+            click.echo(f"--- {wf.filename} ---")
+            click.echo(wf.content)
+            continue
+
+        path.write_text(wf.content)
+        click.echo(f"  wrote {path}")
+
+    if not dry_run:
+        click.echo(f"\nGenerated {len(workflows)} workflow files.")
+        click.echo("Run `continuous check` to verify security prerequisites.")
+
+
+@main.command()
+@click.option("--config", "-c", "config_path", type=click.Path(exists=True, path_type=Path), default=None)
+@click.option("--repo", "-r", help="GitHub repo (owner/name). Auto-detected if omitted.")
+def check(config_path: Path | None, repo: str | None) -> None:
+    """Verify security prerequisites (branch protection, bot access, secrets)."""
+    cfg = Config.load(config_path)
+    results = run_all_checks(cfg, repo)
+
+    click.echo("Security checks:")
+    _print_check_results(results)
+
+    failures = [r for r in results if r.passed is False]
+    if failures:
+        raise SystemExit(1)

tend-0.0.1/src/continuous/config.py

@@ -0,0 +1,108 @@
+"""Read and validate .config/continuous.toml."""
+
+from __future__ import annotations
+
+import re
+import tomllib
+from dataclasses import dataclass, field
+from pathlib import Path
+
+import click
+
+KNOWN_WORKFLOWS = {"review", "mention", "triage", "ci-fix", "nightly", "renovate"}
+KNOWN_TOP_LEVEL = {"bot_name", "default_branch", "secrets", "setup", "workflows"}
+_GITHUB_USERNAME = re.compile(r"^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$")
+
+
+@dataclass
+class SetupStep:
+    """A single project setup step — either a `uses:` action or a `run:` command."""
+
+    uses: str = ""
+    run: str = ""
+
+
+@dataclass
+class WorkflowConfig:
+    enabled: bool = True
+    prompt: str = ""
+    cron: str = ""
+    watched_workflows: list[str] | None = None
+
+
+@dataclass
+class Config:
+    bot_name: str
+    default_branch: str
+    bot_token_secret: str
+    claude_token_secret: str
+    setup: list[SetupStep]
+    workflows: dict[str, WorkflowConfig]
+
+    @classmethod
+    def load(cls, path: Path | None = None) -> Config:
+        if path is None:
+            path = Path(".config/continuous.toml")
+        if not path.exists():
+            raise click.ClickException(f"Config not found: {path}")
+        with path.open("rb") as f:
+            raw = tomllib.load(f)
+
+        if "bot_name" not in raw:
+            raise click.ClickException("Missing required field: bot_name")
+
+        bot_name = raw["bot_name"]
+        if not bot_name:
+            raise click.ClickException("bot_name must not be empty")
+        if not _GITHUB_USERNAME.match(bot_name):
+            raise click.ClickException(
+                f"bot_name '{bot_name}' is not a valid GitHub username "
+                "(only letters, digits, and hyphens)"
+            )
+
+        default_branch = raw.get("default_branch", "main")
+        if not default_branch:
+            raise click.ClickException("default_branch must not be empty")
+
+        unknown = set(raw.keys()) - KNOWN_TOP_LEVEL
+        for key in sorted(unknown):
+            click.echo(f"Warning: unknown config key '{key}'", err=True)
+
+        secrets = raw.get("secrets", {})
+
+        setup: list[SetupStep] = []
+        setup_raw = raw.get("setup", {})
+        for action in setup_raw.get("uses", []):
+            setup.append(SetupStep(uses=action))
+        for cmd in setup_raw.get("run", []):
+            setup.append(SetupStep(run=cmd))
+
+        workflows: dict[str, WorkflowConfig] = {}
+        for name, wf_raw in raw.get("workflows", {}).items():
+            if name not in KNOWN_WORKFLOWS:
+                click.echo(f"Warning: unknown workflow '{name}' in config (known: {', '.join(sorted(KNOWN_WORKFLOWS))})", err=True)
+            if isinstance(wf_raw, dict):
+                watched = wf_raw.get("watched_workflows")
+                if watched is not None and len(watched) == 0 and name == "ci-fix":
+                    raise click.ClickException(
+                        "watched_workflows = [] is invalid for ci-fix — "
+                        "workflow_run requires at least one workflow name. "
+                        "Disable ci-fix with enabled = false instead."
+                    )
+                workflows[name] = WorkflowConfig(
+                    enabled=wf_raw.get("enabled", True),
+                    prompt=wf_raw.get("prompt", ""),
+                    cron=wf_raw.get("cron", ""),
+                    watched_workflows=watched,
+                )
+            else:
+                workflows[name] = WorkflowConfig(enabled=bool(wf_raw))
+
+        return cls(
+            bot_name=bot_name,
+            default_branch=default_branch,
+            bot_token_secret=secrets.get("bot_token", "BOT_TOKEN"),
+            claude_token_secret=secrets.get("claude_token", "CLAUDE_CODE_OAUTH_TOKEN"),
+            setup=setup,
+            workflows=workflows,
+        )