tg-bot-plugin-contract-core 0.1.1__tar.gz

tg_bot_plugin_contract_core-0.1.1/.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: ci
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - "3.11"
+          - "3.13"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install ".[dev]" build
+
+      - name: Run unit tests
+        run: |
+          python -m pytest -q
+
+      - name: Build package
+        run: |
+          python -m build
+
+      - name: Wheel install smoke test
+        run: |
+          python -m venv .venv-smoke
+          . .venv-smoke/bin/activate
+          python -m pip install --upgrade pip
+          python -m pip install --no-deps dist/*.whl
+          python - <<'PY'
+          from tg_bot_plugin_contract_core import __all__
+
+          print("imported symbols:", ", ".join(__all__))
+          PY

tg_bot_plugin_contract_core-0.1.1/.github/workflows/release.yml

@@ -0,0 +1,54 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: pypi
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install ".[dev]" build
+
+      - name: Validate tag and version
+        run: |
+          python scripts/check_release_tag.py --tag "${{ github.ref_name }}"
+
+      - name: Run unit tests
+        run: |
+          python -m pytest -q
+
+      - name: Build package
+        run: |
+          python -m build
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tg-bot-plugin-contract-core-dist
+          path: dist/*
+
+      - name: Publish GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/*
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

tg_bot_plugin_contract_core-0.1.1/.gitignore

@@ -0,0 +1,5 @@
+.venv/
+.pytest_cache/
+__pycache__/
+dist/
+*.pyc

tg_bot_plugin_contract_core-0.1.1/PKG-INFO

@@ -0,0 +1,114 @@
+Metadata-Version: 2.4
+Name: tg-bot-plugin-contract-core
+Version: 0.1.1
+Summary: TG-BOT 插件的共享 manifest、bundle、digest 与 signer 校验合同层。
+Author: Fire Dragons
+License: MIT
+Requires-Python: >=3.11
+Requires-Dist: sigstore>=4.2.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.3.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# tg-bot-plugin-contract-core
+
+`tg-bot-plugin-contract-core` 是 TG-BOT 插件 `manifest` 与 `.tgpkg` bundle 的共享正式合同层。
+
+它提供：
+
+- manifest 规范化与合同校验
+- `artifact_digest` 计算
+- 通过 `package_sha256` 计算 canonical `.tgpkg` 字节身份
+- 可复现 bundle 写入
+- bundle 结构检查
+- Sigstore bundle 验签
+- signer identity 提取与 trusted signer 规则匹配
+
+它有意不提供：
+
+- TG-BOT runtime 加载或插件类实例化
+- trusted signer 文件发现或配置加载
+- 超出 bundle 与 signer 合同范围的平台策略决策
+
+## 安装
+
+```bash
+pip install tg-bot-plugin-contract-core
+```
+
+## 发布与验证
+
+- `pull_request` / `main` 分支会执行：
+  - `pytest`
+  - wheel / sdist 构建
+  - wheel 安装 smoke test
+- `tag push v*` 会额外执行：
+  - `tag == project.version` 校验
+  - PyPI 发布
+  - GitHub Release 附件上传
+
+## 公开 API
+
+```python
+from tg_bot_plugin_contract_core import (
+    compute_artifact_digest,
+    compute_package_sha256,
+    inspect_bundle,
+    match_signer_identity,
+    validate_bundle_same_profile,
+    validate_bundle_target_profile,
+    verify_bundle,
+    write_reproducible_bundle,
+)
+```
+
+## 使用示例
+
+```python
+from pathlib import Path
+
+from tg_bot_plugin_contract_core import (
+    compute_artifact_digest,
+    inspect_bundle,
+    match_signer_identity,
+    verify_bundle,
+)
+
+plugin_dir = Path("plugin-staging")
+manifest_payload = {
+    "plugin_id": "demo",
+    "plugin_version": "1.0.0",
+    "name": "demo",
+    "description": "demo plugin",
+    "category": "utility",
+    "runtime_profile_id": "cpython-3.13-linux-x86_64-gnu",
+    "artifact_digest": "",
+    "entrypoint": {"module_path": "__init__", "symbol": "DemoPlugin"},
+    "config_schema": {},
+    "interaction_schema": {},
+    "declared_scopes": [],
+    "declared_capabilities": [],
+}
+
+artifact_digest = compute_artifact_digest(plugin_dir, manifest_payload)
+inspection = inspect_bundle("dist/plugins/demo/demo-1.0.0-cpython-3.13-linux-x86_64-gnu.tgpkg")
+verification = verify_bundle(inspection, allow_unsigned_dev=False)
+match_result = match_signer_identity(verification, trusted_signer_rules=[
+    {
+        "rule_id": "github-release-main",
+        "issuer": "https://token.actions.githubusercontent.com",
+        "repository_owner": "Fire-Dragons",
+        "repository_name": "demo",
+        "workflow_ref": "Fire-Dragons/demo/.github/workflows/release.yml@refs/heads/main",
+        "reusable_workflow_ref": "Fire-Dragons/tg-bot-plugin-buildkit/.github/workflows/release-plugin.yml@refs/tags/v1",
+        "ref_pattern": "refs/tags/v*",
+        "status": "active",
+    }
+])
+```
+
+## 说明
+
+- `verify_bundle()` 会校验 Sigstore 签名材料，并从签名证书中提取 signer identity。
+- `match_signer_identity()` 会基于已解析的 trusted signer 规则执行平台无关的匹配。
+- `allow_unsigned_dev=True` 仅用于受控的本地开发链路。

tg_bot_plugin_contract_core-0.1.1/README.md

@@ -0,0 +1,102 @@
+# tg-bot-plugin-contract-core
+
+`tg-bot-plugin-contract-core` 是 TG-BOT 插件 `manifest` 与 `.tgpkg` bundle 的共享正式合同层。
+
+它提供：
+
+- manifest 规范化与合同校验
+- `artifact_digest` 计算
+- 通过 `package_sha256` 计算 canonical `.tgpkg` 字节身份
+- 可复现 bundle 写入
+- bundle 结构检查
+- Sigstore bundle 验签
+- signer identity 提取与 trusted signer 规则匹配
+
+它有意不提供：
+
+- TG-BOT runtime 加载或插件类实例化
+- trusted signer 文件发现或配置加载
+- 超出 bundle 与 signer 合同范围的平台策略决策
+
+## 安装
+
+```bash
+pip install tg-bot-plugin-contract-core
+```
+
+## 发布与验证
+
+- `pull_request` / `main` 分支会执行：
+  - `pytest`
+  - wheel / sdist 构建
+  - wheel 安装 smoke test
+- `tag push v*` 会额外执行：
+  - `tag == project.version` 校验
+  - PyPI 发布
+  - GitHub Release 附件上传
+
+## 公开 API
+
+```python
+from tg_bot_plugin_contract_core import (
+    compute_artifact_digest,
+    compute_package_sha256,
+    inspect_bundle,
+    match_signer_identity,
+    validate_bundle_same_profile,
+    validate_bundle_target_profile,
+    verify_bundle,
+    write_reproducible_bundle,
+)
+```
+
+## 使用示例
+
+```python
+from pathlib import Path
+
+from tg_bot_plugin_contract_core import (
+    compute_artifact_digest,
+    inspect_bundle,
+    match_signer_identity,
+    verify_bundle,
+)
+
+plugin_dir = Path("plugin-staging")
+manifest_payload = {
+    "plugin_id": "demo",
+    "plugin_version": "1.0.0",
+    "name": "demo",
+    "description": "demo plugin",
+    "category": "utility",
+    "runtime_profile_id": "cpython-3.13-linux-x86_64-gnu",
+    "artifact_digest": "",
+    "entrypoint": {"module_path": "__init__", "symbol": "DemoPlugin"},
+    "config_schema": {},
+    "interaction_schema": {},
+    "declared_scopes": [],
+    "declared_capabilities": [],
+}
+
+artifact_digest = compute_artifact_digest(plugin_dir, manifest_payload)
+inspection = inspect_bundle("dist/plugins/demo/demo-1.0.0-cpython-3.13-linux-x86_64-gnu.tgpkg")
+verification = verify_bundle(inspection, allow_unsigned_dev=False)
+match_result = match_signer_identity(verification, trusted_signer_rules=[
+    {
+        "rule_id": "github-release-main",
+        "issuer": "https://token.actions.githubusercontent.com",
+        "repository_owner": "Fire-Dragons",
+        "repository_name": "demo",
+        "workflow_ref": "Fire-Dragons/demo/.github/workflows/release.yml@refs/heads/main",
+        "reusable_workflow_ref": "Fire-Dragons/tg-bot-plugin-buildkit/.github/workflows/release-plugin.yml@refs/tags/v1",
+        "ref_pattern": "refs/tags/v*",
+        "status": "active",
+    }
+])
+```
+
+## 说明
+
+- `verify_bundle()` 会校验 Sigstore 签名材料，并从签名证书中提取 signer identity。
+- `match_signer_identity()` 会基于已解析的 trusted signer 规则执行平台无关的匹配。
+- `allow_unsigned_dev=True` 仅用于受控的本地开发链路。

tg_bot_plugin_contract_core-0.1.1/pyproject.toml

@@ -0,0 +1,28 @@
+[build-system]
+requires = ["hatchling>=1.27.0"]
+build-backend = "hatchling.build"
+
+[project]
+name = "tg-bot-plugin-contract-core"
+version = "0.1.1"
+description = "TG-BOT 插件的共享 manifest、bundle、digest 与 signer 校验合同层。"
+readme = "README.md"
+requires-python = ">=3.11"
+license = { text = "MIT" }
+authors = [
+  { name = "Fire Dragons" },
+]
+dependencies = [
+  "sigstore>=4.2.0",
+]
+
+[project.optional-dependencies]
+dev = [
+  "pytest>=8.3.0",
+]
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/tg_bot_plugin_contract_core"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

tg_bot_plugin_contract_core-0.1.1/scripts/check_release_tag.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+"""校验 Git tag 与 pyproject 中的项目版本一致。"""
+
+from __future__ import annotations
+
+import argparse
+from pathlib import Path
+import sys
+import tomllib
+
+
+def _parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(description="校验 release tag 与项目版本是否一致。")
+    parser.add_argument("--tag", required=True, help="例如 v0.1.0")
+    parser.add_argument(
+        "--project-root",
+        default=".",
+        help="包含 pyproject.toml 的项目根目录。",
+    )
+    return parser.parse_args()
+
+
+def main() -> int:
+    args = _parse_args()
+    project_root = Path(args.project_root).expanduser().resolve()
+    pyproject_path = project_root / "pyproject.toml"
+    tag = str(args.tag or "").strip()
+    expected_prefix = "v"
+
+    if not pyproject_path.is_file():
+        print(f"missing pyproject.toml: {pyproject_path}", file=sys.stderr)
+        return 1
+    if not tag.startswith(expected_prefix):
+        print(f"release tag must start with '{expected_prefix}': {tag}", file=sys.stderr)
+        return 1
+
+    payload = tomllib.loads(pyproject_path.read_text(encoding="utf-8"))
+    project_version = str(payload.get("project", {}).get("version", "")).strip()
+    tag_version = tag[len(expected_prefix):]
+    if project_version == "":
+        print("project.version is missing in pyproject.toml", file=sys.stderr)
+        return 1
+    if project_version != tag_version:
+        print(
+            f"release tag mismatch: tag={tag_version}, project.version={project_version}",
+            file=sys.stderr,
+        )
+        return 1
+
+    print(f"release tag matches project version: {project_version}")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

tg_bot_plugin_contract_core-0.1.1/src/tg_bot_plugin_contract_core/__init__.py

@@ -0,0 +1,39 @@
+"""TG-BOT 插件 bundle 的共享正式合同辅助接口。"""
+
+from .core import (
+    compute_artifact_digest,
+    compute_package_sha256,
+    inspect_bundle,
+    match_signer_identity,
+    validate_bundle_same_profile,
+    validate_bundle_target_profile,
+    verify_bundle,
+    write_reproducible_bundle,
+)
+from .errors import ContractCoreError
+from .models import (
+    ArtifactDescriptor,
+    BundleInspectionResult,
+    BundleVerificationResult,
+    PluginManifest,
+    SignerIdentity,
+    SignerIdentityMatchResult,
+)
+
+__all__ = [
+    "ArtifactDescriptor",
+    "BundleInspectionResult",
+    "BundleVerificationResult",
+    "ContractCoreError",
+    "PluginManifest",
+    "SignerIdentity",
+    "SignerIdentityMatchResult",
+    "compute_artifact_digest",
+    "compute_package_sha256",
+    "inspect_bundle",
+    "match_signer_identity",
+    "validate_bundle_same_profile",
+    "validate_bundle_target_profile",
+    "verify_bundle",
+    "write_reproducible_bundle",
+]