release: v0.4.0-rc.2 - packaging-correctness + honesty pass#91
Conversation
Packaging-correctness and honesty pass. No functional changes vs. rc.1 - the
service code, REST API, MCP tools, conformance benchmarks, and on-disk formats
are byte-identical. This release fixes the two blockers the ICP funnel
evaluation flagged on rc.1.
JOB 1: proper attestix.* namespace
Pre-rc.2 wheels dropped flat top-level packages (services/, auth/, storage/,
signing/, audit/, tenancy/, idempotency/, blockchain/, api/, tools/, plus
config.py, errors.py, main.py, cli.py) into site-packages on every install.
That polluted every consumer's namespace and forced documented imports to be
'from services.X import Y' instead of 'from attestix.services.X import Y'.
The funnel evaluation found 9/12 ICP personas dropped at Integrate because of
this.
Canonical source has been promoted into the attestix/ package (physical git
mv) so 'git blame' is preserved. The pre-rc.2 flat layout is preserved as thin
deprecation shims at the same paths; each shim re-exports from the canonical
namespace and emits a single DeprecationWarning on first import pointing at
the new path. Shims are scheduled for removal in v0.5.0.
Before/after wheel top-level (excluding dist-info):
rc.1: 14 flat packages + attestix + 4 flat py-modules (~18 entries)
rc.2: 1 canonical pkg + 10 shim pkgs + 4 shim py-modules (clean, shims are
re-exports only)
JOB 2: honesty pass
Funnel eval flagged pairings of 'production-ready' / 'Production ready'
framework labels with actual maturity (15 stars, single maintainer, no
third-party security audit). The real numbers (481 tests, 91 conformance
benchmarks, 47 MCP tools, 9 modules, 44 REST endpoints, real LangChain /
OpenAI Agents SDK / CrewAI integrations) are kept; they're now framed as
'v0.4.0-rc.2 release candidate, single-maintainer project, community
contributions welcome, no independent third-party security audit yet'.
JOB 3: version + changelog
pyproject.toml 0.4.0rc1 -> 0.4.0rc2; attestix/__init__.py __version__ same;
CHANGELOG.md prepends 0.4.0-rc.2 entry covering the packaging fix, the
shim contract, and the v0.5.0 shim-removal schedule.
Verification:
- 481 tests passing (baseline rc.1: 481). Zero regressions.
- 91/91 RFC / W3C conformance benchmarks passing.
- ruff check clean.
- python -m build --wheel produces a clean wheel.
- Fresh-venv pip install + canonical-import + DeprecationWarning assertions
pass. Tested via tests/install/test_pip_install_smoke.py (opt-in via
ATTESTIX_RUN_INSTALL_SMOKE=1; skips cleanly when 'build' is not installed).
|
Important Review skippedToo many files! This PR contains 185 files, which is 35 over the limit of 150. To get a review, narrow the scope: ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (185)
You can disable this status message by setting the Use the checkbox below for a quick retry:
Note
|
Deploying attestix with
|
| Latest commit: |
c3e94ab
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://7bef5bc3.attestix.pages.dev |
| Branch Preview URL: | https://release-v0-4-0-rc-2-packagin.attestix.pages.dev |
| provenance_tools.register(mcp) | ||
| blockchain_tools.register(mcp) | ||
|
|
||
| print(f"Attestix MCP server loaded: 47 tools registered", file=sys.stderr) |
| stacklevel=2, | ||
| ) | ||
|
|
||
| from attestix.api import * # noqa: F401, F403 |
| from attestix.api.routers import ... | ||
| """ | ||
|
|
||
| from attestix.api.routers import * # noqa: F401, F403 |
| # these remain None and the service derives the UID canonically at runtime. | ||
| ATTESTIX_SCHEMA_UID_BASE_SEPOLIA: str | None = None | ||
| ATTESTIX_SCHEMA_UID_BASE_MAINNET: str | None = None | ||
| from attestix.blockchain.abi import * # noqa: F401, F403 |
| f"to make the agent discoverable via A2A protocol." | ||
| ), | ||
| } | ||
| from attestix.services.agent_card_service import * # noqa: F401, F403 |
| logger.warning("Agent card generation failed: %s", result["error"]) | ||
| raise HTTPException(status_code=400, detail="Agent card generation failed") | ||
| return result | ||
| from attestix.api.routers.agent_cards import * # noqa: F401, F403 |
| logger.warning("Anchor cost estimation failed: %s", result["error"]) | ||
| raise HTTPException(status_code=400, detail="Anchor cost estimation failed") | ||
| return result | ||
| from attestix.api.routers.blockchain import * # noqa: F401, F403 |
| "estimate_anchor_cost", e, ErrorCategory.BLOCKCHAIN, | ||
| ) | ||
| return {"error": msg} | ||
| from attestix.services.blockchain_service import * # noqa: F401, F403 |
| keys_to_remove = [k for k in _cache if k.startswith(prefix)] | ||
| for k in keys_to_remove: | ||
| del _cache[k] | ||
| from attestix.services.cache import * # noqa: F401, F403 |
…y/clear-text-logging-sensitive-data) TRUSTED_PROXIES is by design a list of network CIDRs, but env-var values in general can hold secrets. Log only the entry length, never the raw value. Closes the high-severity CodeQL alert flagged on PR #91. The two medium 'stack-trace-exposure' alerts on did.py / agent_cards.py were reviewed and dismissed as false positives: the HTTPException details are hardcoded generic strings; upstream error_msg is used only for internal classification (timeout/http), never returned to the client.
| "limiting. Set TRUSTED_PROXIES to the CIDR of your LB/CDN " | ||
| "so per-client rate limits work correctly." | ||
| ) | ||
| _TRUSTED_PROXIES_WARNED = True |
… guide + install bump (#92) Every Python snippet in the OSS docs now uses the canonical `attestix.*` namespace promoted in v0.4.0-rc.2 packaging refactor (#91). The pre-rc.2 flat top-level packages (`services/`, `auth/`, `storage/`, ...) still resolve via deprecation shims and emit a DeprecationWarning; they are scheduled for removal in v0.5.0, so the docs teach the canonical path going forward. Changes - website/content/docs/examples.mdx: 17 import statements rewritten to `from attestix.services... import ...` across all 11 example sections; added a leader callout linking to the new migration guide; install command surfaces both `pip install --pre attestix` (rc.2) and `pip install attestix` (stable 0.3.0). - website/content/docs/getting-started.mdx: install block now shows both the `--pre` (rc.2) and stable lines with a callout to the migration guide; the "Use as Python Library" snippet drops the `sys.path` shim and imports from `attestix.services.identity_service` directly. - website/content/docs/guides/base-l2-anchor.mdx: install block split into `--pre` rc.2 and stable; `BlockchainService` snippet now imports from `attestix.services.blockchain_service`. - website/content/docs/guides/integration-guide.mdx: the plain-Python wiring example imports all four services from `attestix.services.*`. - website/content/docs/guides/reputation.mdx: identity/reputation/delegation service imports rewritten to canonical namespace. - website/content/docs/reference/faq.mdx: "Can I use Attestix without MCP?" snippet rewritten to canonical namespace. - website/content/docs/guides/migration-v0.4.0-namespace.mdx: NEW guide covering why packaging changed (ICP funnel evaluation), what works in rc.2 (both paths, legacy warns), removal timeline (v0.5.0), full before/after substitution table, a one-liner ripgrep+sed migration script, deployment-string updates (`uvicorn api.main:app` -> `uvicorn attestix.api.main:app`), verification commands using `-W error::DeprecationWarning`, and `pip install --pre attestix==0.4.0rc2` pin instructions. Linked from CHANGELOG.md rc.2 entry plus the touched docs. - website/content/docs/guides/meta.json: register the new migration guide in the Fumadocs sidebar. Validation - `npx next build` in `website/`: 60/60 static pages, including `/docs/guides/migration-v0.4.0-namespace` (built artifact verified at `website/out/docs/guides/migration-v0.4.0-namespace.html`). - Post-edit grep for legacy patterns across `website` + `README.md` (excluding the migration guide which intentionally quotes both forms): zero literal `from <flat>.X import` Python imports remain in any code block. Remaining hits are narrative text (callouts explaining the deprecation shim) plus already-canonical `attestix.api.main:app` references in README. - Smoke test in throwaway venv with `pip install --pre attestix==0.4.0rc2`: python -c "from attestix.services.identity_service import IdentityService; print('canonical ok:', IdentityService.__module__)" -> canonical ok: attestix.services.identity_service python -W error::DeprecationWarning -c "from attestix.services.identity_service import IdentityService" -> exits 0 (no warning, no error) python -W error::DeprecationWarning -c "from services.identity_service import IdentityService" -> raises DeprecationWarning: "Importing from the top-level `services` package is deprecated and will be removed in Attestix v0.5.0. Update your imports to `from attestix.services...` (canonical namespace)." No functional code changed; this PR is documentation-only and ships alongside the rc.2 packaging fix already on `main`.
Summary
Packaging-correctness and honesty pass for the v0.4.0 release line. No functional changes vs. rc.1 — service code, REST API, MCP tools, conformance benchmarks, and on-disk formats are byte-identical. This PR fixes the two release blockers the ICP funnel evaluation flagged on rc.1.
What changed in the wheel
The pre-rc.2 wheel dropped flat top-level packages into site-packages on every install, polluting every consumer's namespace and forcing the documented import to be
from services.X import Yinstead offrom attestix.services.X import Y. The funnel evaluation found 9 of 12 ICP personas dropped at Integrate because of this.Before (rc.1) — wheel top-level set:
attestix/(thin shim layer that re-exported from the flat modules)services/,auth/,storage/,signing/,audit/,tenancy/,idempotency/,blockchain/,api/,api.routers/,tools/(full source code, top-level)main.py,cli.py,config.py,errors.py(top-level py-modules)After (rc.2) — wheel top-level set:
The canonical source now lives under
attestix/(63 files). The flat entries are all thin deprecation shims that re-export from the canonical namespace and emit a singleDeprecationWarningon first import. They are scheduled for removal in v0.5.0.Canonical-import + deprecation-shim story
Canonical (recommended):
Legacy (still works in v0.4.0-rc.2; emits
DeprecationWarning; removed in v0.5.0):Deployment / console-script updates:
uvicorn api.main:app→uvicorn attestix.api.main:apppython main.py→python -m attestix.main[project.scripts] attestix = "cli:cli"→"attestix.cli:cli"Honesty pass
The funnel evaluation flagged pairings of "production-ready" / "Production ready" framework labels with our actual maturity (15 GitHub stars, single maintainer, no third-party security audit). The numbers themselves (481 tests, 91 conformance benchmarks, 47 MCP tools, 9 modules, 44 REST endpoints, real LangChain / OpenAI Agents SDK / CrewAI integrations) are real and are kept — they're now framed honestly as "v0.4.0-rc.2 release candidate, single-maintainer project, community contributions welcome, no independent third-party security audit yet."
Updated locations:
README.md— hero, install (nowpip install --pre attestix), Python library example, MCP server config example, architecture diagram, standards conformance section.website/src/lib/config.tsx— hero CTA + maturity FAQ answer.website/src/lib/atx-data.ts— header comment +ATX_HERO_STATStest count.website/public/llms.txt— AI-discoverable summary.website/content/docs/guides/{integration-guide,langchain,crewai,openai-agents-sdk}.mdx— descriptions/headings.website/src/components/sections/v2/frameworks.tsx— "Production ready" label → "Real integration".website/src/app/(marketing)/research/page.tsx— test count.attestix/api/main.py— FastAPI app docstring.Verification
ruff check .python -m build --wheel)Successfully built attestix-0.4.0rc2-py3-none-any.whltests/install/test_pip_install_smoke.pypip installsmokecanonical imports okDeprecationWarningpython -W error::DeprecationWarning -c "from services.identity_service import IdentityService"raises with the canonical-namespace messageThe install smoke is opt-in (
ATTESTIX_RUN_INSTALL_SMOKE=1) because building a wheel + creating a venv is multi-second and needs network + disk; it skips cleanly in environments withoutpython -m buildso contributors without it can still runpytest.Maintainer follow-up (after merge)
Tag the GitHub Release
v0.4.0-rc.2to trigger the existing PyPI publish workflow via the stored token. Verifypip install --pre attestixresolves toattestix-0.4.0rc2on PyPI and thatfrom attestix.services.identity_service import IdentityServiceworks on a fresh machine.Test plan
pytest— 481 passed, 1 skipped, zero regressions vs. rc.1.pytest tests/benchmarks/— 91/91 conformance benchmarks pass.ruff check .— clean.python -m build --wheelproducesattestix-0.4.0rc2-py3-none-any.whl.attestixnamespace + the documented deprecation shims.pip install ./dist/attestix-0.4.0rc2-py3-none-any.whlsucceeds.from attestix.services.identity_service import IdentityService; from attestix.signing.inprocess_signer import InProcessSigner; from attestix.auth.crypto import sign_json_payloadreturnscanonical imports ok.python -W error::DeprecationWarning -c "from services.identity_service import IdentityService"raises the v0.5.0-removal-scheduledDeprecationWarning.ATTESTIX_RUN_INSTALL_SMOKE=1 pytest tests/installpasses end-to-end.