| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| |
| # Root pyproject.toml — frames the framework root as a uv-managed |
| # project so the `[tool.uv] exclude-newer` cooldown below actually |
| # applies to the root-level tooling (currently just `prek`, declared |
| # under `[dependency-groups] dev`). `uv tool install` ignores |
| # pyproject.toml settings, so prek is installed into a uv-managed |
| # environment via `uv sync --group dev` instead. |
| # |
| # Not a Python package — `[tool.uv] package = false` below tells uv |
| # not to try to build a wheel from the framework root. The actual |
| # Python projects live under |
| # `tools/{vulnogram/generate-cve-json,gmail/oauth-draft}/` with their |
| # own pyproject.toml + uv.lock. |
| |
| [project] |
| # Package name matches the project's canonical name. Not published to |
| # PyPI — this name only frames the framework root as a uv-managed project. |
| name = "apache-magpie" |
| version = "0.1.0" |
| description = "Reusable, governance-agnostic framework of agentic skills for maintaining open-source projects." |
| requires-python = ">=3.11" |
| |
| [dependency-groups] |
| # Dev tooling installed at the framework root. |
| # |
| # - `prek` is the static-check / pre-commit runner. CI installs it |
| # via `uv sync --group dev` and invokes `uv run prek …`. |
| # - `ruff`, `mypy`, `pytest` are the shared static-analysis + |
| # test toolchain. They are declared here for root-level ad-hoc |
| # use AND, pinned to the same lower bounds, in every workspace |
| # member's own `[dependency-groups] dev` block — so each |
| # sub-project's environment is self-contained. The workspace |
| # checks run each tool against the member's own project via |
| # `uv run --directory <member> --project . …` (see |
| # `tools/dev/run-workspace-check.sh`), so a member is never |
| # dependent on tools leaking in from the shared root environment. |
| # Keep the version bounds here and in every member in lockstep. |
| # |
| # Lower bounds mirror what individual tools needed at their last |
| # bump; the upper bound is enforced implicitly by the 7-day |
| # `[tool.uv] exclude-newer` cooldown below, so the resolved version |
| # is "the most recent that is at least 7 days old". |
| dev = [ |
| "prek>=0.4.5", |
| "ruff>=0.15.20", |
| "mypy>=2.1.0", |
| "pytest>=9.1.1", |
| ] |
| |
| [tool.uv] |
| # Pin the minimum uv version. Latest at the time of writing — bump |
| # manually when adopting features from newer uv releases. |
| required-version = ">=0.11.8" |
| |
| # 7-day cooldown on dependency-resolution snapshots: a just-released |
| # package version has had a week to settle (retags, withdrawals, |
| # upstream incident reports) before uv will pick it up here. Same |
| # rationale as the 7-day cooldown on the Dependabot updates in |
| # `.github/dependabot.yml`. |
| exclude-newer = "7 days" |
| |
| # This pyproject.toml is purely a settings file; do not build or |
| # install it as a package. |
| package = false |
| |
| # Workspace declaration — `apache-magpie` is the root of a uv |
| # workspace whose members are every Python project under `tools/`. |
| # Adding a new tool is a one-line edit here; everything downstream |
| # (pre-commit hooks, CI matrix, root uv.lock) follows automatically. |
| # See `tools/dev/run-workspace-check.sh` for the iteration helper |
| # and `.github/workflows/tests.yml` for the dynamic CI matrix. |
| # |
| # Trade-off: workspace dependency resolution is shared across |
| # members, so a version conflict between two members becomes a |
| # workspace-level problem (caught at `uv sync` time, not at |
| # per-tool install time). This is desired — drift between tools' |
| # pinned versions is harder to spot when each has its own lock |
| # file. |
| [tool.uv.workspace] |
| members = [ |
| "tools/agent-guard", |
| "tools/agent-isolation", |
| "tools/bitbucket", |
| "tools/egress-gateway", |
| "tools/cve-tool-vulnogram/generate-cve-json", |
| "tools/cve-tool-vulnogram/oauth-api", |
| "tools/github-body-field", |
| "tools/github-rollup", |
| "tools/gmail/oauth-draft", |
| "tools/jira", |
| "tools/maildir", |
| "tools/permission-audit", |
| "tools/pr-management-stats", |
| "tools/preflight-audit", |
| "tools/privacy-llm/checker", |
| "tools/privacy-llm/redactor", |
| "tools/sandbox-lint", |
| "tools/security-tracker-stats-dashboard", |
| "tools/skill-and-tool-validator", |
| "tools/skill-evals", |
| "tools/pilot-report-validator", |
| "tools/spec-inventory", |
| "tools/skill-reconciler-diff", |
| "tools/spec-status-index", |
| "tools/spec-validator", |
| "tools/symlink-lint", |
| "tools/vcs", |
| "tools/vendor-neutrality-score", |
| "tools/fossil", |
| "tools/sourcehut", |
| ] |