Magic-Man-us
diff --git a/‎.clinerules/workflows/scaffolding-guide.md‎
Lines changed: 131 additions & 0 deletions b/‎.clinerules/workflows/scaffolding-guide.md‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 67 additions & 68 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 67 additions & 68 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 4 additions & 6 deletions b/‎README.md‎
Lines changed: 4 additions & 6 deletions
@@ -0,0 +1,131 @@
+
+# Scaffold Python Package – Create & Launch New Project
+
+## 🎯 Purpose
+Implement a scaffolding project that allows you to launch new Python packages with full setup: `uv` venv management, `pyproject.toml`, `pytest + coverage`, `Sphinx` docs, Git repo, CI config.
+
+## ✅ Inputs
+- `package_name` — Package name (PEP 8 valid, e.g. `my_cool_pkg`)
+- `target_dir` — Absolute path to parent directory where the project folder will be created
+
+## ✅ Sequence of Tasks
+
+### 1. Validate inputs
+- [ ] Run shell script to check `package_name` matches `[a-zA-Z_][a-zA-Z0-9_]*`
+- [ ] Ensure `target_dir` is an absolute path
+```bash
+set -e
+PKG="${package_name}"
+DIR="${target_dir}"
+python3 - <<'PY'
+import re, sys, os
+pkg=sys.argv[1]; dir_=sys.argv[2]
+if not re.fullmatch(r'[a-zA-Z_][a-zA-Z0-9_]*', pkg):
+    print(f"Invalid package_name: {pkg}"); sys.exit(1)
+if not os.path.isabs(dir_):
+    print(f"target_dir must be absolute: {dir_}"); sys.exit(1)
+print("Inputs OK.")
+PY "$PKG" "$DIR"
+````
+
+### 2. Prepare template workspace
+
+* [ ] Create a temporary workspace `.cline_tmp_pkg_template`
+* [ ] Within it, create directory structure for TEMPLATE:
+
+  * `TEMPLATE/{{PKG}}/`
+  * `TEMPLATE/tests/`
+  * `TEMPLATE/docs/`
+  * `TEMPLATE/.github/workflows/`
+* [ ] Add the following files in TEMPLATE (with placeholder `{{PKG}}` inside):
+
+  * `pyproject.toml`
+  * `README.md`
+  * `LICENSE`
+  * `.gitignore`
+  * `.github/workflows/ci.yaml`
+  * `{{PKG}}/__init__.py`, `{{PKG}}/hello.py`
+  * `tests/test_hello.py`
+  * `docs/conf.py`, `docs/index.rst`
+  * `requirements-dev.txt`
+  * `Makefile`
+  * Optional `setup.cfg` or patch file for dev-extras
+
+### 3. Materialize project & substitute placeholders
+
+* [ ] Compute `DEST="${target_dir}/${package_name}"`
+* [ ] Fail if `DEST` already exists
+* [ ] Copy all files from workspace TEMPLATE to `${DEST}`
+* [ ] Recursively replace placeholder `{{PKG}}` with actual `package_name` in all files
+* [ ] Print “Project created at: ${DEST}”
+
+### 4. Initialize git repository
+
+* [ ] `cd` into `${DEST}`
+* [ ] `git init`
+* [ ] `git add .`
+* [ ] `git commit -m "chore: initial scaffold"`
+* [ ] Print “Git repo initialized.”
+
+### 5. Setup `uv` environment & install dev extras
+
+* [ ] `cd "${DEST}"`
+* [ ] `uv venv`
+ * [ ] `uv sync --all-extras`
+* [ ] Print “Environment ready.”
+
+### 6. Run tests & coverage
+
+* [ ] `cd "${DEST}"`
+* [ ] `uv run pytest --cov="${package_name}" --cov-report=term-missing`
+
+### 7. Build Sphinx documentation
+
+* [ ] `cd "${DEST}"`
+* [ ] `uv run sphinx-build -b html docs docs/_build/html`
+* [ ] Print “Docs built at: docs/_build/html”
+
+### 8. Output summary
+
+* [ ] Print “Scaffold complete.”
+* [ ] Print project path: `${DEST}`
+* [ ] Print next steps:
+
+  ```text
+  cd "${DEST}"
+  source .venv/bin/activate  # (or use uv run)
+  uv run python -c "import ${package_name}; print(${package_name}.hello())"
+  ```
+
+## 📁 Generated Structure
+
+```
+${package_name}/
+  .github/workflows/ci.yaml
+  docs/
+    conf.py
+    index.rst
+    _build/           (after docs build)
+  tests/
+    test_hello.py
+  ${package_name}/
+    __init__.py
+    hello.py
+  .gitignore
+  LICENSE
+  Makefile
+  README.md
+  pyproject.toml
+  requirements-dev.txt
+  setup.cfg
+```
+
+## 📝 Notes
+
+* Uses `uv` for virtualenv management.
+* Configured for `pytest + pytest-cov`.
+* Sphinx docs with theme `furo` (can edit in `docs/conf.py`).
+* Dev extras via `pyproject.toml` optional-deps.
+* CI workflow provided in `.github/workflows/ci.yaml`.
+
+```
@@ -6,13 +6,35 @@ on:
   pull_request:
     branches: [ main ]
 
+# Cancel redundant runs per-branch/PR
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Least-privilege for the jobs below
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test / Lint / Typecheck (uv)
     runs-on: ubuntu-latest
+    # Write perms only where needed
+    permissions:
+      contents: read
     strategy:
+      fail-fast: false
       matrix:
-        python-version: ["3.11", "3.12", "3.13", "3.14"]
+        include:
+          - python-version: "3.11"
+            experimental: false
+          - python-version: "3.12"
+            experimental: false
+          - python-version: "3.13"
+            experimental: false
+          - python-version: "3.14"   # treat 3.14 as experimental so CI doesn't block if it breaks
+            experimental: true
+    continue-on-error: ${{ matrix.experimental }}
 
     steps:
       - name: Checkout
@@ -23,29 +45,31 @@ jobs:
         with:
           enable-cache: true
 
-      - name: Set up Python ${{ matrix.python-version }}
+      - name: Set up Python
         run: uv python install ${{ matrix.python-version }}
 
-      - name: Sync dependencies with uv
-        run: uv sync --all-extras
+      # Ensure dev tools (ruff, mypy, pytest, bandit, safety, pytest-cov) are declared in pyproject dev deps.
+      - name: Sync dependencies
+        run: uv sync --all-extras --dev
 
       - name: Lint (ruff)
-        run: uv run ruff check python_project_deployment
+        run: uv run ruff check .
 
       - name: Typecheck (mypy)
-        run: uv run mypy python_project_deployment
+        run: uv run mypy src
 
       - name: Tests (pytest)
         run: uv run pytest --cov --cov-report=xml --cov-report=html
 
-      - name: Security scan for dangerous APIs
+      - name: Dangerous API scan (grep)
+        continue-on-error: true
+        shell: bash
         run: |
           set -euo pipefail
-          if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load|subprocess\.(Popen|call)" python_project_deployment/ tests/ || true; then
-            echo "⚠️  Potentially dangerous API usage detected. Please review before merging." >&2
+          if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load(?!_safe)|subprocess\.(Popen|call)" src/ tests/ || true; then
+            echo "⚠️ Potentially dangerous API usage detected. Please review." >&2
             exit 2
           fi
-        continue-on-error: true
 
       - name: Upload coverage.xml
         uses: actions/upload-artifact@v4
@@ -59,89 +83,65 @@ jobs:
           name: coverage-html-${{ matrix.python-version }}
           path: htmlcov
 
+      # Upload Codecov once to avoid noisy duplicate uploads
+      - name: Upload to Codecov
+        if: matrix.python-version == '3.11'
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage.xml
+          flags: unittests
+          fail_ci_if_error: false
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
   security:
-    name: Security Scan
+    name: Security Scan (Bandit + Safety)
     runs-on: ubuntu-latest
+    needs: test
+    # Grant code scanning upload only here
+    permissions:
+      contents: read
+      security-events: write
+
     env:
       SECURITY_FAIL_LEVEL: MEDIUM
+
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4
         with:
           enable-cache: true
 
-      - name: Set up Python 3.11
+      - name: Set up Python
         run: uv python install 3.11
 
-      - name: Sync deps and install security tools
-        run: |
-          uv sync --all-extras
-          uv pip install bandit safety
+      - name: Sync dependencies
+        run: uv sync --all-extras --dev
 
-      - name: Run Bandit and export SARIF
+      - name: Run Bandit (JSON + SARIF)
         run: |
-          uv run bandit -r python_project_deployment/ -f json -o bandit-report.json
-          uv run bandit -r python_project_deployment/ -f sarif -o bandit-report.sarif
-        continue-on-error: true
+          uv run bandit -r src/ -f json  -o bandit-report.json || true
+          uv run bandit -r src/ -f sarif -o bandit-report.sarif || true
 
       - name: Upload Bandit SARIF to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: bandit-report.sarif
         continue-on-error: true
 
-      - name: Run Safety (fail on any vulnerability)
-        run: |
-          uv run safety check --json > safety-report.json || true
-          python - <<'PY'
-          import json,sys,os
-          try:
-              data=json.load(open('safety-report.json'))
-              if data.get('vulnerabilities'):
-                  print('Safety reported vulnerabilities')
-                  sys.exit(2)
-              print('No safety vulnerabilities')
-          except Exception as e:
-              print(f'Error parsing safety output: {e}')
-              sys.exit(0)
-          PY
-        continue-on-error: true
+      - name: Run Safety (JSON)
+        run: uv run safety check --json > safety-report.json || true
 
       - name: Apply Bandit threshold
-        run: |
-          python - <<'PY'
-          import json,sys,os
-          level=os.environ.get('SECURITY_FAIL_LEVEL','MEDIUM').upper()
-          try:
-              data=json.load(open('bandit-report.json'))
-              sevs=[issue.get('issue_severity','') for issue in data.get('results',[])]
-              if level=='NONE':
-                  print('SECURITY_FAIL_LEVEL=NONE: not failing on bandit issues')
-                  sys.exit(0)
-              if level=='HIGH':
-                  if 'HIGH' in sevs:
-                      print('Failing on HIGH bandit issues')
-                      sys.exit(2)
-                  else:
-                      print('No HIGH bandit issues')
-                      sys.exit(0)
-              if level=='MEDIUM':
-                  if any(s in ('HIGH','MEDIUM') for s in sevs):
-                      print('Failing on MEDIUM or HIGH bandit issues')
-                      sys.exit(2)
-                  else:
-                      print('No MEDIUM/HIGH bandit issues')
-                      sys.exit(0)
-              print('Unknown SECURITY_FAIL_LEVEL:', level)
-              sys.exit(1)
-          except Exception as e:
-              print(f'Error parsing bandit report: {e}')
-              sys.exit(0)
-          PY
+        run: uv run python scripts/security_bandit_check.py
         continue-on-error: true
 
+      - name: Fail on Safety vulnerabilities
+        run: uv run python scripts/security_safety_check.py
+
       - name: Upload security reports
         if: always()
         uses: actions/upload-artifact@v4
@@ -151,4 +151,3 @@ jobs:
             bandit-report.json
             bandit-report.sarif
             safety-report.json
-              if data.get('vulnerabilities'):
@@ -15,8 +15,8 @@ help:
 
 install:
 	@command -v uv >/dev/null 2>&1 || \
-	  { echo "uv not found. Please install uv in your Python environment. Example:"; \
-	    echo "  python -m pip install --upgrade pip && python -m pip install uv"; exit 1; }
+	  { echo "uv not found. Please install uv. Example:"; \
+	    echo "  curl -LsSf https://astral.sh/uv/install.sh | sh"; exit 1; }
 	uv sync --all-extras
 
 sync:
 
@@ -14,11 +14,9 @@ A modern scaffolding tool for creating new Python packages with best practices b
 ## Installation
 
 ```bash
-# Install with uv
-uv pip install -e .
-
-# Or with pip
-pip install -e .
+# Install (uv-first)
+uv venv
+uv sync --all-extras
 ```
 
 ## Usage
@@ -112,7 +110,7 @@ Direct uv commands:
 ```bash
 # Create a venv and install dev extras
 uv venv
-uv pip install -e ".[dev]"
+uv sync --all-extras
 
 # Run tests
 uv run pytest