tool-compass 2.2.1__tar.gz → 2.3.0__tar.gz

tool_compass-2.3.0/.dockerignore

@@ -0,0 +1,84 @@
+# Git
+.git
+.gitignore
+
+# Docker
+Dockerfile
+docker-compose.yml
+.dockerignore
+
+# Python
+__pycache__
+*.py[cod]
+*$py.class
+*.so
+.Python
+venv/
+.venv/
+ENV/
+env/
+.eggs/
+*.egg-info/
+*.egg
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+.hypothesis/
+.benchmarks/
+
+# Build artifacts
+dist/
+build/
+*.manifest
+*.spec
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Local development files
+*.local.json
+.env.local
+.env*
+
+# Gradio cache
+flagged/
+
+# Keep db directory structure but not contents
+db/*.db
+db/*.hnsw
+!db/.gitkeep
+
+# Sources that don't belong in the production image (CT-B-004).
+# These are intentionally excluded so a future regression to
+# `COPY . .` doesn't silently ship them.
+tests/
+docs/
+site/
+archive/
+.github/
+.claude/
+# Translation READMEs (re-run on TranslateGemma 12B; not runtime artifacts)
+README.ja.md
+README.zh.md
+README.es.md
+README.fr.md
+README.hi.md
+README.it.md
+README.pt-BR.md
+# Audit / governance docs — not needed at runtime
+SCORECARD.md
+SHIP_GATE.md
+CODE_OF_CONDUCT.md
+CONTRIBUTING.md
+SECURITY.md
+CHANGELOG.md

tool_compass-2.3.0/.github/dependabot.yml

@@ -0,0 +1,89 @@
+version: 2
+updates:
+  # =============================================================================
+  # pip — Python runtime + dev dependencies
+  # =============================================================================
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    groups:
+      # Minor + patch only so breaking majors open as SEPARATE PRs.
+      # (Avoids the ollama-intern PR #4 incident where 5 breaking majors
+      # shipped bundled under a wildcard group.)
+      all-pip:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  # Daily security-only overlay (CT-B-006) — CVE updates from the GitHub
+  # Advisory Database don't wait the monthly cadence. open-pull-requests-limit
+  # raised to 10 since these are infrequent and load-bearing.
+  # NOTE: Dependabot security advisories are auto-emitted; this second entry
+  # exists to give them their own schedule/labels/PR cap independent of the
+  # monthly version-update entry above. The `allow: dependency-type: all`
+  # block scopes this entry to all dependencies; security advisories are
+  # always opened regardless of the version-update grouping rules.
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    allow:
+      - dependency-type: "all"
+    labels:
+      - "security"
+      - "dependencies"
+
+  # =============================================================================
+  # github-actions — workflow file action references
+  # =============================================================================
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    groups:
+      all-github-actions:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  # Daily security-only overlay for actions (CT-B-006).
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    allow:
+      - dependency-type: "all"
+    labels:
+      - "security"
+      - "dependencies"
+
+  # =============================================================================
+  # docker — Dockerfile base-image FROM directives (CT-B-005)
+  # =============================================================================
+  # Pairs with the digest-pinned `FROM python:3.11-slim@sha256:...` in
+  # Dockerfile (CT-B-003). Without this ecosystem entry the digest pin
+  # would become a stale anchor with no machine-readable refresh path.
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 2
+    groups:
+      all-docker:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  # Daily security-only overlay for docker base images (CT-B-006).
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    allow:
+      - dependency-type: "all"
+    labels:
+      - "security"
+      - "dependencies"

{tool_compass-2.2.1 → tool_compass-2.3.0}/.github/workflows/ci.yml

@@ -35,9 +35,16 @@ on:
     - cron: '0 9 * * 1,3,5'
   workflow_dispatch:
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+# NOTE: concurrency is intentionally NOT set at the workflow level.
+# A workflow-level cancel-in-progress would cancel the whole run when a
+# new push lands on the same ref — including the pages-deploy job that
+# carries its own concurrency: pages / cancel-in-progress: false. The
+# job-level setting cannot override workflow-level cancellation because
+# the entire run is cancelled before per-job concurrency takes effect.
+# Each test/lint/integration/docker job below carries its own
+# concurrency block scoped to PR refs only (push events on main are
+# never cancelled). The pages-build / pages-deploy jobs keep their
+# dedicated concurrency: pages group with cancel-in-progress: false.
 
 # Default least-privilege; individual jobs that need more elevate explicitly.
 permissions:
@@ -47,6 +54,13 @@ jobs:
   lint:
     name: Org URL sanity check
     runs-on: ubuntu-latest
+    # CT-B-011: lint is a sub-30-second shell check; 5 min is generous.
+    timeout-minutes: 5
+    # PR-scoped concurrency: a newer push to the same PR cancels the
+    # older run, but pushes to main never cancel themselves.
+    concurrency:
+      group: lint-${{ github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     permissions:
       contents: read
     steps:
@@ -56,6 +70,22 @@ jobs:
       - name: Check for stale org/user URLs
         run: bash scripts/check-org-urls.sh
 
+      - name: Set up Python (pre-commit)
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: '3.11'
+
+      # CT-B-018: run the pre-commit hooks (ruff format + ruff check +
+      # standard hygiene + gitleaks). Same hooks the contributor runs
+      # locally; this is the CI-side enforcement. Soft-fail for the first
+      # cycle to surface formatting drift without blocking PRs while
+      # contributors install pre-commit locally.
+      # TODO(swarm): flip continue-on-error to false after one full release
+      # cycle so the pre-commit gate becomes blocking.
+      - name: Run pre-commit hooks
+        continue-on-error: true
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+
       # CDS-FT-001: SCORECARD drift guard. Soft-fail for now — shipcheck
       # markdown output is still settling. Flip continue-on-error to false
       # once the format stabilizes.
@@ -69,9 +99,32 @@ jobs:
             echo "Makefile verify-scorecard target missing — skipping"
           fi
 
+      # CT-B-008 cross-domain: verify that /metrics emits the expected
+      # Four Golden Signals surface. Soft-fail because the saturation
+      # gauges land in BE-B-002 (backend domain); flip to fatal once that
+      # work merges.
+      - name: Verify metrics surface (Four Golden Signals)
+        continue-on-error: true
+        run: |
+          if [ -f Makefile ] && grep -q "^verify-metrics:" Makefile; then
+            python -m pip install --upgrade pip
+            pip install -r requirements.txt || true
+            make verify-metrics || true
+          else
+            echo "Makefile verify-metrics target missing — skipping"
+          fi
+
   test:
     name: Python ${{ matrix.python-version }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    # CT-B-011: per-matrix-cell budget. pytest has its own 30s per-test cap
+    # (pyproject.toml [tool.pytest.ini_options]); 15 min envelope covers
+    # install + coverage + pip-audit with headroom for a slow runner.
+    timeout-minutes: 15
+    # PR-scoped concurrency (see workflow-top NOTE).
+    concurrency:
+      group: test-${{ matrix.python-version }}-${{ github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     permissions:
       contents: read
 
@@ -116,6 +169,9 @@ jobs:
           name: junit-reports-${{ matrix.python-version }}
           path: junit-${{ matrix.python-version }}.xml
           if-no-files-found: warn
+          # CT-B-012: JUnit reports are short-lived diagnostic data — only
+          # useful for the most recent few runs. Default 90d is wasted.
+          retention-days: 14
 
       - name: Run tests with coverage
         if: matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest'
@@ -142,6 +198,9 @@ jobs:
           name: pip-audit-report
           path: pip-audit-report.json
           if-no-files-found: ignore
+          # CT-B-012: CVE diagnostic snapshot — 14d aligns with the JUnit
+          # retention and is plenty of window for incident response.
+          retention-days: 14
 
       - name: Audit dependencies for vulnerabilities
         if: matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest'
@@ -157,6 +216,9 @@ jobs:
     name: Nightly Hypothesis fuzz
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
+    # CT-B-011: Hypothesis nightly profile is deliberately slow — 45 min cap
+    # is wider than the test job because fuzz examples are unbounded.
+    timeout-minutes: 45
     permissions:
       contents: read
       issues: write
@@ -184,9 +246,10 @@ jobs:
 
       - name: Open tracking issue on failure
         if: failure() && steps.fuzz.conclusion == 'failure'
-        # TODO(swarm): pin actions/github-script to SHA once nightly-fuzz run
-        # history confirms the job shape is stable.
-        uses: actions/github-script@v7
+        # SHA-pinned per SLSA L3 supply-chain hygiene (CT-B-001). nightly-fuzz
+        # carries issues:write, so a compromised v7 mutable tag would inherit
+        # issue-creation capability. Bump via dependabot's github-actions sweep.
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const title = `[nightly-fuzz] Hypothesis failures on ${context.sha}`;
@@ -212,6 +275,13 @@ jobs:
     name: Integration Tests
     runs-on: ubuntu-latest
     needs: test  # Only run after unit tests pass
+    # CT-B-011: Ollama install + nomic-embed-text pull + integration suite
+    # dominates; 25 min envelope covers the cold-start pull path.
+    timeout-minutes: 25
+    # PR-scoped concurrency (see workflow-top NOTE).
+    concurrency:
+      group: integration-${{ github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     permissions:
       contents: read
 
@@ -271,6 +341,12 @@ jobs:
     name: Docker Build
     runs-on: ubuntu-latest
     needs: test
+    # CT-B-011: docker buildx + gha cache; 20 min covers a cold-cache build.
+    timeout-minutes: 20
+    # PR-scoped concurrency (see workflow-top NOTE).
+    concurrency:
+      group: docker-${{ github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     permissions:
       contents: read
 
@@ -299,6 +375,8 @@ jobs:
     name: Build site
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
     runs-on: ubuntu-latest
+    # CT-B-011: Starlight npm ci + Astro build; 10 min is generous.
+    timeout-minutes: 10
     permissions:
       contents: read
     steps:
@@ -308,6 +386,12 @@ jobs:
         with:
           node-version: 22
 
+      # CT-B-016: read repo-level Pages configuration so the build is not
+      # silently dependent on Settings → Pages UI state. configure-pages
+      # is idempotent and exposes the base path to downstream steps.
+      - name: Configure Pages
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
+
       - name: Install site dependencies
         working-directory: site
         run: npm ci
@@ -325,6 +409,9 @@ jobs:
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
     needs: pages-build
     runs-on: ubuntu-latest
+    # CT-B-011: deploy is a metadata operation against the Pages backend;
+    # 5 min is the fail-fast budget.
+    timeout-minutes: 5
     # Dedicated concurrency group so a long deploy is never cancelled by a
     # newer CI run (CDS-A-012).
     concurrency:

{tool_compass-2.2.1 → tool_compass-2.3.0}/.github/workflows/publish.yml

@@ -20,6 +20,10 @@ jobs:
   build:
     name: Build package
     runs-on: ubuntu-latest
+    # CT-B-011: fail-fast budgets per SRE 'fail fast' (Google SRE Book ch.21).
+    # Default GitHub timeout is 360 min; a wedged dependency install or twine
+    # check is well outside the legitimate envelope at 10 min.
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -46,14 +50,26 @@ jobs:
         with:
           name: dist
           path: dist/
+          # CT-B-012: dist/ is an ephemeral build-to-publish handoff; the
+          # canonical artifacts live at PyPI + GHCR after publish completes.
+          # Keep the workflow copy around 7 days for incident-response replays.
+          retention-days: 7
 
   publish-pypi:
     name: Publish to PyPI
     runs-on: ubuntu-latest
     needs: build
     environment: pypi
+    # CT-B-011: PyPI upload + propagation; 10 min covers retries.
+    timeout-minutes: 10
     permissions:
       id-token: write
+      # CT-B-009: attestations:write enables SLSA provenance attestations on
+      # the published wheel + sdist via pypa/gh-action-pypi-publish v1.13+.
+      # Combined with `attestations: true` below, PyPI surfaces a verifiable
+      # build attestation tied to this commit + workflow run.
+      attestations: write
+      contents: read
 
     steps:
       - name: Download build artifacts
@@ -64,6 +80,12 @@ jobs:
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+        with:
+          # CT-B-009: emit SLSA build provenance attestations for the wheel
+          # and sdist. PyPI verifies the attestation against the workflow's
+          # OIDC identity; downstream consumers can audit the chain from a
+          # specific commit -> workflow run -> published artifact.
+          attestations: true
 
   docker:
     name: Publish to GHCR
@@ -71,9 +93,16 @@ jobs:
     # PyPI ships first (CDS-B-005). If PyPI fails, Docker must not ship a
     # half-release; if PyPI succeeds, Docker becomes the recoverable tail.
     needs: publish-pypi
+    # CT-B-011: multi-arch buildx (linux/amd64 + linux/arm64) + push to GHCR
+    # is the longest leg; 30 min covers the warm cache path with headroom.
+    timeout-minutes: 30
     permissions:
       contents: read
       packages: write
+      # CT-B-009: id-token + attestations enable buildx SLSA provenance
+      # mode=max on the image manifest below.
+      id-token: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -99,8 +128,10 @@ jobs:
 
       # QEMU is required to cross-build linux/arm64 from an amd64 runner.
       - name: Set up QEMU
-        # TODO(swarm): pin docker/setup-qemu-action by SHA on next dependabot sweep.
-        uses: docker/setup-qemu-action@v3
+        # SHA-pinned per SLSA L3 supply-chain hygiene (CT-B-002). publish job
+        # carries packages:write — a compromised mutable v3 tag would inherit
+        # GHCR write capability during a release window. Bump via dependabot.
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
@@ -115,11 +146,21 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          # CT-B-009: SLSA provenance mode=max emits buildx provenance
+          # attestation (including all input source digests) attached to the
+          # image manifest. sbom: true emits an SPDX SBOM attestation in the
+          # same manifest. Both consumable via `cosign verify-attestation`
+          # or `docker buildx imagetools inspect`.
+          provenance: mode=max
+          sbom: true
 
   release-smoke:
     name: Release smoke test
     runs-on: ubuntu-latest
     needs: [publish-pypi, docker]
+    # CT-B-011: PyPI propagation retry loop + docker pull + version handshake.
+    # 15 min is the propagation-retry window plus headroom.
+    timeout-minutes: 15
     permissions:
       contents: read
       packages: read
@@ -141,14 +182,22 @@ jobs:
         run: |
           set -euo pipefail
           VERSION="${{ steps.ver.outputs.version }}"
-          # PyPI propagation is fast but not instant; retry briefly.
+          # PyPI propagation is fast but not instant; retry briefly. If no
+          # iteration succeeds the loop falls through and the subsequent
+          # `tool-compass --version` invocation fails with a clear "command
+          # not found", which is the desired loud failure mode (CT-B-014).
+          install_ok=0
           for _ in $(seq 1 12); do
             if pip install "tool-compass==${VERSION}"; then
+              install_ok=1
               break
             fi
             sleep 10
           done
-          pip install "tool-compass==${VERSION}"
+          if [ "$install_ok" -ne 1 ]; then
+            echo "::error::PyPI smoke failed: tool-compass==${VERSION} did not become installable in the propagation window"
+            exit 1
+          fi
           OUT="$(tool-compass --version 2>&1 || true)"
           echo "tool-compass --version → $OUT"
           echo "$OUT" | grep -Fq "${VERSION}" || {