add non-interactive template and migrate flows; harden deps freeze; bump deps#35
Open
bsummers-tc wants to merge 9 commits into
Open
add non-interactive template and migrate flows; harden deps freeze; bump deps#35bsummers-tc wants to merge 9 commits into
bsummers-tc wants to merge 9 commits into
Conversation
added initial claude code configuration - WIP
Build - Loosen and bump runtime pins in pyproject.toml: arrow 1.4, black 26.5.1, isort 8.0.1, jmespath 1.1, pydantic 1.10.26, pyyaml 6.0.3, requests 2.34.2, rich 15.0.0, typer >=0.26.7, wrapt 2.2.1; switch fakeredis to >= floor - Bump dev/test tool floors: bandit 1.9.4, pre-commit 4.6.0, pyupgrade 3.21.2, ruff 0.15.16, ty 0.0.43, pytest-cov 7.1.0 - Regenerate uv.lock to match the new constraints Config - Drop the [tool.ty.rules] override block (invalid-attribute-override and invalid-method-override no longer ignored) - Expand the Bash git deny list in .claude/settings.json to block commit, push, pull, merge, rebase, reset, restore, revert, stash, cherry-pick, branch/tag mutation, worktree add/remove/prune, submodule update/deinit, and other history-rewriting commands Submodules - Bump app/config, pleb, requests_tc, and util pointers to their "linting and general cleanup" commits
…ump deps Template - update: honor each template.yaml `template_files` as template-owned and reconcile them against the template hash on every update (restoring local edits), independent of the manifest `last_commit` - update: add `--no-prompt` for a fully non-interactive run; modified non-template files are preserved and reported, never clobbered - template_cli: add `_collect_template_file_keys` (union `template_files` across the parent chain; map `gitignore` -> `.gitignore`) - template_cli: fix `_build_merged_template` so the renamed `.gitignore` manifest entry is computed from the file actually written (manifest/content consistency) - planner: `build()` gains `force_keys`; `apply()` gains `no_prompt` and returns the preserved-file list Migrate - migrate: replace `--update-code` with dry-run-by-default `--apply/--no-apply` (keeps `--update-code` as an alias); preview shows changes without writing - migrate: add `--prompt/--no-prompt` (`--apply --no-prompt` applies all changes unattended) and a scanned/proposed/applied/changed run summary - migrate_cli: skip any dot-directory (.git, .venv, .claude) and skip-dir during the walk; correct the "tcex migrate" exception label Deps - deps_cli: run `pip freeze` via uv/python with `shell=False` list args instead of `shell=True` (B603-justified), removing the shell-injection surface - deps_cli: hard-fail instead of writing an empty requirements.lock; always write a trailing newline Tests - template: add test_template_files_force.py and test_gitignore_merge.py; update test_template_commands.py for the new template-ownership contract - template: refresh tcex-app-templates-v2.zip fixture to add `gitignore` to the _app_common `template_files` (match upstream v2) - migrate: add tests/migrate/test_migrate_cli.py - deps: update test_tcex_deps.py; pin `tcex>=4.0.9` in app_1 requirements Build / Config - bump version 1.0.6-dev2 -> 1.0.6-dev3; refresh uv.lock dependency pins - gitignore: ignore the extracted `tcex-app-templates-2` template directory - settings: clear the `permissions.allow` list - scripts: mark enforce_*.sh executable (100644 -> 100755)
CLI - Add --authenticate opt-in flag to init, list, and update template commands - TemplateCli.__init__ now accepts authenticate (default False); session only applies HTTPBasicAuth when authenticate is True and both GITHUB_USER and GITHUB_PAT are set - Render a warning when --authenticate is passed but credentials are missing, continuing unauthenticated (60 requests/hour limit) - Document GITHUB_USER and GITHUB_PAT in the init/list/update help text Tests - Add TestSessionAuth covering the session auth gating: no auth when authenticate is False, HTTPBasicAuth when authenticate is True with creds, and warning + no auth when a credential is missing Config - Move enforcement hooks from .claude/scripts/ to .claude/hooks/ and repoint the PreToolUse hook commands in settings.json - Drop the CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS env var from settings.json - Add tcex-plan-reviewer agent and update tcex-orchestrator agent Docs - Update CLAUDE.md: Claude never stages (git add) nor commits; leave changes unstaged for the operator to review, stage, and commit - Reflect the new .claude/hooks/ location and add tcex-plan-reviewer to the agents table
Run
- Add app_inputs.d/ multi-config support: RunCli.resolve_config picks an
explicit --config, then app_inputs.json, then a selection menu over
app_inputs.d/*.json; RunCli.run owns resolution and passes the resolved path
to every Launch* arm
- Change run.py --config to default None (typer Option) and thread the raw
value through; expand the command docstring with a Configuration & secrets
section (precedence, ${env.X} and .env BaseSettings fallback, shared .env)
- LaunchPlaybook.validate_inputs: cross-check #App: variable references in
inputs against stage.kvstore before staging; hard-fail (panel) on referenced-
but-unstaged with a "did you mean" suggestion, warn on staged-but-unreferenced
- Exclude tc_playbook_out_variables (declared outputs, not reads) from the
staged-variable check via OUTPUT_VARIABLE_INPUTS
- LaunchABC._validate_env_variables: fail with a panel naming each undefined
${env.NAME} (with difflib "did you mean"); extract shared ENV_VAR_PATTERN and
validate before substitution/json.loads in construct_model_inputs
- Replace the bare print on a malformed config with a Render.panel.failure JSON
error panel naming the config file
Security
- Derive the local AES-CBC key in create_input_config with secrets.choice
instead of random.choice; drop the blanket nosec
- Scope the tc_token nosec to "# nosec B107" with justification
App Inputs / Packaging
- tcex app-inputs writes app_inputs.d/<name>.json (creating the dir) with
typer prompt --name/--description, a path-safe slug, and a top-level
description field; CommonAppInputModel gains optional description
- package: exclude the app_inputs.d/ directory from build (_build_excludes_base)
Render
- Add table_app_inputs_d helper to render the app_inputs.d selection menu
Tests
- Add tests/run, tests/app_input, tests/package packages covering config
resolution + menu, staged-variable and env-variable validation, slug
sanitization, the description field, and the package exclude
…uild fixture
Template
- planner.py: replace the force_keys mechanism with a managed_only mode in
Planner.build(); add _classify_managed_key() — managed runs hash-compare
template-managed entries (skip when identical, else auto_update), skip
non-managed keys, and never delete project files
- planner.py: add NotRequired 'managed' bool to the FileMeta TypedDict
- planner.py: drop no_prompt/preserved from Planner.apply(); it now returns None
- template_cli.py: replace the update() no_prompt parameter with managed; remove
the now-unused _collect_template_file_keys()
- template_cli.py: fix the renamed gitignore merged-manifest entry — compute
sha256 from the file actually written (self.hasher.sha256_file(dest)) instead
of the stray parent '.gitignore' entry, falling back to 'unknown' last_commit
- update.py: replace the --no-prompt option with --managed (silent, non-
interactive update of only template-managed files; nothing deleted)
Run
- launch_abc.py: redact the token value in the using-token setup log line
Tests
- add test_managed.py covering managed-mode plan classification and apply
- remove obsolete test_template_files_force.py (force_keys behavior)
- trim test_template_commands.py and test_gitignore_merge.py of removed
force_keys / no_prompt paths
- conftest.py: collapse TemplateCli construction to a single line
Fixtures / Scripts
- add .claude/scripts/build_template_fixture.py to rebuild the GitHub-style
fixture from git-tracked template files under a single tcex-app-templates-2/
wrapper (dry-run by default, --commit to write)
- rebuild tests/template/fixtures/tcex-app-templates-v2.zip with the correct
single top-level wrapper (was rooted at a leaked absolute path)
Docs / Config
- release_notes.md: reword APP-5299 for --managed; add APP-5305/5306/5307 for
run app_inputs.d multi-config, ${env.VAR} validation, and kvstore input checks
- CLAUDE.md: condense the commit-policy wording
- .claude/agents/tcex-orchestrator.md: expand the orchestrator tools list
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.