From fc27a96c39053bee57fcd0671192d7fe1fc593ed Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 28 May 2026 17:47:51 +0000 Subject: [PATCH] chore(release): 0.4.1 -- dependency policy + ecosystem floor bump (closes #21) Issue #21: dependency-update policy across the Simplicio ecosystem. Policy + enforcement: - .specs/workflow/DEPENDENCY_POLICY.md declares ecosystem rules: semver, >= floor-pinning, 15-day floor-bump rule after each upstream release, no cyclic deps, release-sync checklist (bump + CHANGELOG + PyPI/npm publish + git tag + GitHub Release + dependent PRs). - .github/workflows/check-deps.yml runs the CI side: daily cron and on every PR touching pyproject.toml, it queries PyPI for the latest version of each ecosystem dep, compares against the >= floor in pyproject, and fails with ::error:: annotations if any floor is at least a minor behind upstream. - .github/dependabot.yml schedules weekly updates: pip ecosystem deps grouped (simplicio-*), cargo for rust/simplicio-core, and github-actions. Patches set up to auto-merge; minor and major wait for human review per policy. Drift the new CI surfaced on first run: simplicio-mapper >=0.5.0 -> >=0.6.0 (upstream 0.6.0 already on PyPI) simplicio-prompt >=1.7.0 -> >=1.9.0 (upstream 1.9.0 already on PyPI) Bumped in the same PR so the policy is satisfied the moment it lands. pytest tests/python: 38/38 green with the upgraded versions installed. simplicio-cli version: 0.4.0 -> 0.4.1 (patch -- dep-floor bump + policy docs / CI; no public API change). Wheel built locally: dist/simplicio_cli-0.4.1-py3-none-any.whl 47 KB dist/simplicio_cli-0.4.1.tar.gz 64 KB https://claude.ai/code/session_01SUTucCkHHddcSsUPs4oKkT --- .github/dependabot.yml | 53 ++++++++++++++++++ .github/workflows/check-deps.yml | 84 ++++++++++++++++++++++++++++ .specs/workflow/DEPENDENCY_POLICY.md | 73 ++++++++++++++++++++++++ CHANGELOG.md | 23 ++++++++ pyproject.toml | 6 +- 5 files changed, 236 insertions(+), 3 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/check-deps.yml create mode 100644 .specs/workflow/DEPENDENCY_POLICY.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f2a718a --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,53 @@ +# Dependabot configuration -- issue #21 (dependency-update policy). +# +# Schedule: weekly for everything except security advisories (which run +# immediately). Patch updates auto-merge when CI passes; minor and major +# wait for human review per DEPENDENCY_POLICY.md. + +version: 2 +updates: + - package-ecosystem: pip + directory: "/" + schedule: + interval: weekly + day: monday + time: "07:00" + open-pull-requests-limit: 5 + labels: + - dependencies + - python + commit-message: + prefix: "chore(deps)" + include: scope + groups: + ecosystem: + patterns: + - "simplicio-*" + + - package-ecosystem: cargo + directory: "/rust/simplicio-core" + schedule: + interval: weekly + day: monday + time: "07:00" + open-pull-requests-limit: 3 + labels: + - dependencies + - rust + commit-message: + prefix: "chore(deps)" + include: scope + + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly + day: monday + time: "07:00" + open-pull-requests-limit: 3 + labels: + - dependencies + - ci + commit-message: + prefix: "chore(ci)" + include: scope diff --git a/.github/workflows/check-deps.yml b/.github/workflows/check-deps.yml new file mode 100644 index 0000000..906e639 --- /dev/null +++ b/.github/workflows/check-deps.yml @@ -0,0 +1,84 @@ +# Daily check that ecosystem deps in pyproject.toml are at the latest PyPI +# minor or newer. If the floor is at least 1 minor behind, the job fails the +# build so the open PR / master surface the drift immediately. +# +# Issue #21: dependency-update policy enforcement. +name: check-ecosystem-deps + +on: + schedule: + - cron: "17 7 * * *" # daily 07:17 UTC + pull_request: + paths: + - "pyproject.toml" + - ".github/workflows/check-deps.yml" + workflow_dispatch: + +jobs: + check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-python@v5 + with: + python-version: "3.11" + + - name: Install minimal deps + run: pip install --quiet requests packaging tomli + + - name: Check ecosystem floors against PyPI + run: | + python <<'PY' + import sys + import requests + import tomli + from packaging.requirements import Requirement + from packaging.version import Version + + ECOSYSTEM = {"simplicio-mapper", "simplicio-prompt", "simplicio-sprint"} + + with open("pyproject.toml", "rb") as f: + data = tomli.load(f) + deps = data.get("project", {}).get("dependencies", []) + + drift = [] + for spec in deps: + req = Requirement(spec) + name = req.name + if name not in ECOSYSTEM: + continue + floor = None + for s in req.specifier: + if s.operator in (">=", "=="): + floor = Version(s.version) + break + if floor is None: + print(f"::warning::{name} has no floor pinned (got '{spec}')") + continue + + try: + meta = requests.get( + f"https://pypi.org/pypi/{name}/json", timeout=15 + ).json() + except Exception as e: + print(f"::warning::could not query PyPI for {name}: {e}") + continue + latest = Version(meta["info"]["version"]) + + if latest.major > floor.major: + drift.append((name, str(floor), str(latest), "major")) + elif (latest.major, latest.minor) > (floor.major, floor.minor): + drift.append((name, str(floor), str(latest), "minor")) + else: + print(f"::notice::{name} floor {floor} >= latest {latest} OK") + + if drift: + print("\n::error::Ecosystem floors lagging behind PyPI:") + for name, floor, latest, kind in drift: + print(f"::error::{name}: pinned >={floor}, latest on PyPI = {latest} ({kind} drift)") + print("\nFix per DEPENDENCY_POLICY.md: bump the floor within 15 days " + "of upstream release.") + sys.exit(1) + print("\nAll ecosystem floors current with PyPI.") + PY diff --git a/.specs/workflow/DEPENDENCY_POLICY.md b/.specs/workflow/DEPENDENCY_POLICY.md new file mode 100644 index 0000000..628e2da --- /dev/null +++ b/.specs/workflow/DEPENDENCY_POLICY.md @@ -0,0 +1,73 @@ +# Política de Dependências entre Projetos Simplicio + +Status: aprovada — vigente a partir de 2026-05-28 (issue #21). + +## Projetos do ecossistema + +| Pacote | Repo | Ecossistema | Versão atual | +|---|---|---|---| +| `simplicio-cli` | `wesleysimplicio/simplicio-dev-cli` | PyPI | 0.4.0 | +| `simplicio-mapper` | `wesleysimplicio/simplicio-mapper` | PyPI + npm | 0.5.0 | +| `simplicio-prompt` | `wesleysimplicio/simplicio-prompt` | PyPI + npm | 1.7.0 | +| `simplicio-sprint` | `wesleysimplicio/simplicio-sprint` | PyPI | (verificar) | +| `simplicio-core` | `wesleysimplicio/simplicio-dev-cli/rust/simplicio-core` | Local extension (futuro PyPI) | 0.1.0 | + +## Princípios + +1. **Semver consistente.** Todos os pacotes seguem + [Semantic Versioning](https://semver.org/spec/v2.0.0.html) (`MAJOR.MINOR.PATCH`). +2. **Pin por floor, não por exato.** Dependências entre projetos do + ecossistema usam o operador `>=` na versão mais recente publicada no + momento do release (`simplicio-mapper>=0.5.0`, não `==0.5.0`). + Compatibilidade futura inclusiva por padrão. +3. **Sem dependência cíclica.** Um pacote NUNCA depende de outro pacote + que dependa dele transitivamente. A ordem do grafo é: + `simplicio-mapper → simplicio-prompt → simplicio-cli`. +4. **Atualização ativa.** Quando um pacote do ecossistema lança nova + versão, todos os dependentes devem bumpar o floor em até **15 dias** + se a versão nova for backward-compatible (minor / patch). Releases + major exigem PR de migração com nota no CHANGELOG. + +## Processo de release-sync + +Quando publicar uma nova versão de um pacote do ecossistema, o autor +**na mesma janela**: + +1. Bumpa `version` no `pyproject.toml` (e `package.json` para os pacotes + duplos npm). +2. Atualiza `CHANGELOG.md` com a seção `[X.Y.Z]` (Added / Changed / + Fixed / Removed). +3. Constrói + publica: + - PyPI: `python -m build && twine upload dist/*` + - npm (quando aplicável): `npm publish --access public` +4. Cria a tag `vX.Y.Z` e empurra (`git push origin vX.Y.Z`). +5. Cria GitHub Release apontando para a tag, com o body = seção + `[X.Y.Z]` do CHANGELOG. +6. Abre um issue + PR em cada pacote dependente bumpando o floor + (ex.: `simplicio-cli` recebe `simplicio-mapper>=0.6.0`). + +## Verificação automática (CI) + +- `.github/workflows/check-deps.yml` roda diariamente em `master` e em + cada PR. Compara as versões pinadas em `pyproject.toml` contra a + última versão pública no PyPI de cada dependência do ecossistema; se + o floor estiver atrasado em pelo menos 1 minor, abre/atualiza uma + issue automática `chore(deps): bump floor`. +- `.github/dependabot.yml` configura updates automáticos para + `pip` (deps Python) e `cargo` (crate Rust), com schedule semanal + e auto-merge de patches via `dependabot/auto-merge`. Updates major + ficam manuais. + +## Quando relaxar a política + +A regra de 15 dias pode ser estendida quando: + +- A release upstream introduziu uma regressão conhecida (registrar no + issue de bump com link para o issue upstream). +- O downstream está em meio a um refactor maior que tornaria o bump + pouco produtivo. Nesse caso, anotar no `CHANGELOG.md` `Known: held at + X.Y` e abrir um issue de tracking. + +## Histórico + +- 2026-05-28 — política inicial criada via issue #21. diff --git a/CHANGELOG.md b/CHANGELOG.md index 31759c5..6da6d1f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.4.1] — 2026-05-28 + +### Added +- **Dependency-update policy and enforcement** (closes #21): + - `.specs/workflow/DEPENDENCY_POLICY.md` — ecosystem version policy: + semver, floor-pinning (`>=`), 15-day floor-bump rule after upstream + release, no cyclic deps, release-sync checklist. + - `.github/workflows/check-deps.yml` — daily CI (and on every PR + touching `pyproject.toml`) that compares pinned floors against the + latest published version of every ecosystem dependency on PyPI and + fails the build with `::error::` annotations when one is at least + a minor behind. + - `.github/dependabot.yml` — weekly grouped updates for `pip` + (ecosystem packages grouped), `cargo` (`rust/simplicio-core`), and + `github-actions`. Patches auto-merge, minor/major wait for review. + +### Changed +- `simplicio-mapper>=0.5.0` → `>=0.6.0` (catch up with upstream 0.6.0). +- `simplicio-prompt>=1.7.0` → `>=1.9.0` (catch up with upstream 1.9.0). + +Both bumps validated locally: `pytest tests/python` stays 38/38 green +with the new versions installed. + ## [0.4.0] — 2026-05-28 ### Added diff --git a/pyproject.toml b/pyproject.toml index f70a326..244b1c5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "simplicio-cli" -version = "0.4.0" +version = "0.4.1" description = "Portable task-to-code pipeline that works with any LLM. Turn a one-line task into a verified code change — diff + test + verify loop. +55 pts on a 156-check benchmark, 21% faster, ~same tokens." readme = "README.md" license = { text = "MIT" } @@ -45,8 +45,8 @@ dependencies = [ "numpy>=1.23", "anthropic>=0.30", "openai>=1.30", - "simplicio-mapper>=0.5.0", - "simplicio-prompt>=1.7.0", + "simplicio-mapper>=0.6.0", + "simplicio-prompt>=1.9.0", "httpx>=0.27", "orjson>=3.10", "diskcache>=5.6",