blob: 13c78289db01ed6b03ab00af85522b424e33bf94 [file]
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Root pyproject.toml — frames the framework root as a uv-managed
# project so the `[tool.uv] exclude-newer` cooldown below actually
# applies to the root-level tooling (currently just `prek`, declared
# under `[dependency-groups] dev`). `uv tool install` ignores
# pyproject.toml settings, so prek is installed into a uv-managed
# environment via `uv sync --group dev` instead.
#
# Not a Python package — `[tool.uv] package = false` below tells uv
# not to try to build a wheel from the framework root. The actual
# Python projects live under
# `tools/{vulnogram/generate-cve-json,gmail/oauth-draft}/` with their
# own pyproject.toml + uv.lock.
[project]
# Package name matches the project's canonical name. Not published to
# PyPI — this name only frames the framework root as a uv-managed project.
name = "apache-magpie"
version = "0.1.0"
description = "Reusable, governance-agnostic framework of agentic skills for maintaining open-source projects."
requires-python = ">=3.11"
[dependency-groups]
# Dev tooling installed at the framework root.
#
# - `prek` is the static-check / pre-commit runner. CI installs it
# via `uv sync --group dev` and invokes `uv run prek …`.
# - `ruff`, `mypy`, `pytest` are the shared static-analysis +
# test toolchain. They are declared here for root-level ad-hoc
# use AND, pinned to the same lower bounds, in every workspace
# member's own `[dependency-groups] dev` block — so each
# sub-project's environment is self-contained. The workspace
# checks run each tool against the member's own project via
# `uv run --directory <member> --project . …` (see
# `tools/dev/run-workspace-check.sh`), so a member is never
# dependent on tools leaking in from the shared root environment.
# Keep the version bounds here and in every member in lockstep.
#
# Lower bounds mirror what individual tools needed at their last
# bump; the upper bound is enforced implicitly by the 7-day
# `[tool.uv] exclude-newer` cooldown below, so the resolved version
# is "the most recent that is at least 7 days old".
dev = [
"prek>=0.4.5",
"ruff>=0.15.20",
"mypy>=2.1.0",
"pytest>=9.1.1",
]
[tool.uv]
# Pin the minimum uv version. Latest at the time of writing — bump
# manually when adopting features from newer uv releases.
required-version = ">=0.11.8"
# 7-day cooldown on dependency-resolution snapshots: a just-released
# package version has had a week to settle (retags, withdrawals,
# upstream incident reports) before uv will pick it up here. Same
# rationale as the 7-day cooldown on the Dependabot updates in
# `.github/dependabot.yml`.
exclude-newer = "7 days"
# This pyproject.toml is purely a settings file; do not build or
# install it as a package.
package = false
# Workspace declaration — `apache-magpie` is the root of a uv
# workspace whose members are every Python project under `tools/`.
# Adding a new tool is a one-line edit here; everything downstream
# (pre-commit hooks, CI matrix, root uv.lock) follows automatically.
# See `tools/dev/run-workspace-check.sh` for the iteration helper
# and `.github/workflows/tests.yml` for the dynamic CI matrix.
#
# Trade-off: workspace dependency resolution is shared across
# members, so a version conflict between two members becomes a
# workspace-level problem (caught at `uv sync` time, not at
# per-tool install time). This is desired — drift between tools'
# pinned versions is harder to spot when each has its own lock
# file.
[tool.uv.workspace]
members = [
"tools/agent-guard",
"tools/agent-isolation",
"tools/bitbucket",
"tools/egress-gateway",
"tools/cve-tool-vulnogram/generate-cve-json",
"tools/cve-tool-vulnogram/oauth-api",
"tools/github-body-field",
"tools/github-rollup",
"tools/gmail/oauth-draft",
"tools/jira",
"tools/maildir",
"tools/permission-audit",
"tools/pr-management-stats",
"tools/preflight-audit",
"tools/privacy-llm/checker",
"tools/privacy-llm/redactor",
"tools/sandbox-lint",
"tools/security-tracker-stats-dashboard",
"tools/skill-and-tool-validator",
"tools/skill-evals",
"tools/pilot-report-validator",
"tools/spec-inventory",
"tools/skill-reconciler-diff",
"tools/spec-status-index",
"tools/spec-validator",
"tools/symlink-lint",
"tools/vcs",
"tools/vendor-neutrality-score",
"tools/fossil",
"tools/sourcehut",
]