Skip to content

release: v0.4.0-rc.2 - packaging-correctness + honesty pass#91

Merged
ascender1729 merged 2 commits into
mainfrom
release/v0.4.0-rc.2-packaging
May 28, 2026
Merged

release: v0.4.0-rc.2 - packaging-correctness + honesty pass#91
ascender1729 merged 2 commits into
mainfrom
release/v0.4.0-rc.2-packaging

Conversation

@ascender1729

Copy link
Copy Markdown
Member

Summary

Packaging-correctness and honesty pass for the v0.4.0 release line. No functional changes vs. rc.1 — service code, REST API, MCP tools, conformance benchmarks, and on-disk formats are byte-identical. This PR fixes the two release blockers the ICP funnel evaluation flagged on rc.1.

What changed in the wheel

The pre-rc.2 wheel dropped flat top-level packages into site-packages on every install, polluting every consumer's namespace and forcing the documented import to be from services.X import Y instead of from attestix.services.X import Y. The funnel evaluation found 9 of 12 ICP personas dropped at Integrate because of this.

Before (rc.1) — wheel top-level set:

  • attestix/ (thin shim layer that re-exported from the flat modules)
  • services/, auth/, storage/, signing/, audit/, tenancy/, idempotency/, blockchain/, api/, api.routers/, tools/ (full source code, top-level)
  • main.py, cli.py, config.py, errors.py (top-level py-modules)

After (rc.2) — wheel top-level set:

['api', 'attestix', 'attestix-0.4.0rc2.dist-info', 'audit', 'auth',
 'blockchain', 'cli.py', 'config.py', 'errors.py', 'idempotency',
 'main.py', 'services', 'signing', 'storage', 'tenancy', 'tools']

The canonical source now lives under attestix/ (63 files). The flat entries are all thin deprecation shims that re-export from the canonical namespace and emit a single DeprecationWarning on first import. They are scheduled for removal in v0.5.0.

Canonical-import + deprecation-shim story

Canonical (recommended):

from attestix.services.identity_service import IdentityService
from attestix.signing.inprocess_signer import InProcessSigner
from attestix.auth.crypto import sign_json_payload
from attestix.storage.repository import Repository
from attestix.audit.events import AuditEvent
from attestix.tenancy import TenantContext
from attestix.idempotency.store import IdempotencyStore
from attestix.config import DEFAULT_EXPIRY_DAYS, load_identities
from attestix.errors import ErrorCategory

Legacy (still works in v0.4.0-rc.2; emits DeprecationWarning; removed in v0.5.0):

from services.identity_service import IdentityService   # warns
from signing.inprocess_signer import InProcessSigner    # warns
from auth.crypto import sign_json_payload               # warns

Deployment / console-script updates:

  • uvicorn api.main:appuvicorn attestix.api.main:app
  • python main.pypython -m attestix.main
  • [project.scripts] attestix = "cli:cli""attestix.cli:cli"

Honesty pass

The funnel evaluation flagged pairings of "production-ready" / "Production ready" framework labels with our actual maturity (15 GitHub stars, single maintainer, no third-party security audit). The numbers themselves (481 tests, 91 conformance benchmarks, 47 MCP tools, 9 modules, 44 REST endpoints, real LangChain / OpenAI Agents SDK / CrewAI integrations) are real and are kept — they're now framed honestly as "v0.4.0-rc.2 release candidate, single-maintainer project, community contributions welcome, no independent third-party security audit yet."

Updated locations:

  • README.md — hero, install (now pip install --pre attestix), Python library example, MCP server config example, architecture diagram, standards conformance section.
  • website/src/lib/config.tsx — hero CTA + maturity FAQ answer.
  • website/src/lib/atx-data.ts — header comment + ATX_HERO_STATS test count.
  • website/public/llms.txt — AI-discoverable summary.
  • website/content/docs/guides/{integration-guide,langchain,crewai,openai-agents-sdk}.mdx — descriptions/headings.
  • website/src/components/sections/v2/frameworks.tsx — "Production ready" label → "Real integration".
  • website/src/app/(marketing)/research/page.tsx — test count.
  • attestix/api/main.py — FastAPI app docstring.

Verification

Gate Result
Full test suite 481 passing, 1 skipped (POSIX chmod on Windows). Baseline rc.1: 481 passing. Zero regressions.
RFC / W3C conformance benchmarks 91 / 91 passing
ruff check . clean
Wheel build (python -m build --wheel) Successfully built attestix-0.4.0rc2-py3-none-any.whl
Wheel top-level inspection Asserted in tests/install/test_pip_install_smoke.py
Fresh-venv pip install smoke canonical imports ok
Legacy import emits DeprecationWarning python -W error::DeprecationWarning -c "from services.identity_service import IdentityService" raises with the canonical-namespace message

The install smoke is opt-in (ATTESTIX_RUN_INSTALL_SMOKE=1) because building a wheel + creating a venv is multi-second and needs network + disk; it skips cleanly in environments without python -m build so contributors without it can still run pytest.

Maintainer follow-up (after merge)

Tag the GitHub Release v0.4.0-rc.2 to trigger the existing PyPI publish workflow via the stored token. Verify pip install --pre attestix resolves to attestix-0.4.0rc2 on PyPI and that from attestix.services.identity_service import IdentityService works on a fresh machine.

Test plan

  • pytest — 481 passed, 1 skipped, zero regressions vs. rc.1.
  • pytest tests/benchmarks/ — 91/91 conformance benchmarks pass.
  • ruff check . — clean.
  • python -m build --wheel produces attestix-0.4.0rc2-py3-none-any.whl.
  • Wheel top-level set inspected; only the canonical attestix namespace + the documented deprecation shims.
  • Fresh venv pip install ./dist/attestix-0.4.0rc2-py3-none-any.whl succeeds.
  • In the fresh venv, from attestix.services.identity_service import IdentityService; from attestix.signing.inprocess_signer import InProcessSigner; from attestix.auth.crypto import sign_json_payload returns canonical imports ok.
  • In the fresh venv, python -W error::DeprecationWarning -c "from services.identity_service import IdentityService" raises the v0.5.0-removal-scheduled DeprecationWarning.
  • ATTESTIX_RUN_INSTALL_SMOKE=1 pytest tests/install passes end-to-end.

Packaging-correctness and honesty pass. No functional changes vs. rc.1 - the
service code, REST API, MCP tools, conformance benchmarks, and on-disk formats
are byte-identical. This release fixes the two blockers the ICP funnel
evaluation flagged on rc.1.

JOB 1: proper attestix.* namespace
Pre-rc.2 wheels dropped flat top-level packages (services/, auth/, storage/,
signing/, audit/, tenancy/, idempotency/, blockchain/, api/, tools/, plus
config.py, errors.py, main.py, cli.py) into site-packages on every install.
That polluted every consumer's namespace and forced documented imports to be
'from services.X import Y' instead of 'from attestix.services.X import Y'.
The funnel evaluation found 9/12 ICP personas dropped at Integrate because of
this.

Canonical source has been promoted into the attestix/ package (physical git
mv) so 'git blame' is preserved. The pre-rc.2 flat layout is preserved as thin
deprecation shims at the same paths; each shim re-exports from the canonical
namespace and emits a single DeprecationWarning on first import pointing at
the new path. Shims are scheduled for removal in v0.5.0.

Before/after wheel top-level (excluding dist-info):
  rc.1: 14 flat packages + attestix + 4 flat py-modules (~18 entries)
  rc.2: 1 canonical pkg + 10 shim pkgs + 4 shim py-modules (clean, shims are
        re-exports only)

JOB 2: honesty pass
Funnel eval flagged pairings of 'production-ready' / 'Production ready'
framework labels with actual maturity (15 stars, single maintainer, no
third-party security audit). The real numbers (481 tests, 91 conformance
benchmarks, 47 MCP tools, 9 modules, 44 REST endpoints, real LangChain /
OpenAI Agents SDK / CrewAI integrations) are kept; they're now framed as
'v0.4.0-rc.2 release candidate, single-maintainer project, community
contributions welcome, no independent third-party security audit yet'.

JOB 3: version + changelog
pyproject.toml 0.4.0rc1 -> 0.4.0rc2; attestix/__init__.py __version__ same;
CHANGELOG.md prepends 0.4.0-rc.2 entry covering the packaging fix, the
shim contract, and the v0.5.0 shim-removal schedule.

Verification:
  - 481 tests passing (baseline rc.1: 481). Zero regressions.
  - 91/91 RFC / W3C conformance benchmarks passing.
  - ruff check clean.
  - python -m build --wheel produces a clean wheel.
  - Fresh-venv pip install + canonical-import + DeprecationWarning assertions
    pass. Tested via tests/install/test_pip_install_smoke.py (opt-in via
    ATTESTIX_RUN_INSTALL_SMOKE=1; skips cleanly when 'build' is not installed).
@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown

Important

Review skipped

Too many files!

This PR contains 185 files, which is 35 over the limit of 150.

To get a review, narrow the scope:
• coderabbit review --type committed # exclude uncommitted changes
• coderabbit review --dir # limit to a subdirectory
• coderabbit review --base # compare against a closer base

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 716bcf41-4a31-4faa-8b30-8f1cce1861e4

📥 Commits

Reviewing files that changed from the base of the PR and between 9038891 and c3e94ab.

📒 Files selected for processing (185)
  • CHANGELOG.md
  • MANIFEST.in
  • README.md
  • api/__init__.py
  • api/deps.py
  • api/main.py
  • api/routers/__init__.py
  • api/routers/agent_cards.py
  • api/routers/blockchain.py
  • api/routers/compliance.py
  • api/routers/credentials.py
  • api/routers/delegation.py
  • api/routers/did.py
  • api/routers/identity.py
  • api/routers/provenance.py
  • api/routers/reputation.py
  • attestix/__init__.py
  • attestix/api/__init__.py
  • attestix/api/deps.py
  • attestix/api/main.py
  • attestix/api/routers/__init__.py
  • attestix/api/routers/agent_cards.py
  • attestix/api/routers/blockchain.py
  • attestix/api/routers/compliance.py
  • attestix/api/routers/credentials.py
  • attestix/api/routers/delegation.py
  • attestix/api/routers/did.py
  • attestix/api/routers/identity.py
  • attestix/api/routers/provenance.py
  • attestix/api/routers/reputation.py
  • attestix/audit/__init__.py
  • attestix/audit/emitter.py
  • attestix/audit/events.py
  • attestix/audit/service_hook.py
  • attestix/auth/crypto.py
  • attestix/auth/ssrf.py
  • attestix/auth/token_parser.py
  • attestix/blockchain/abi.py
  • attestix/blockchain/merkle.py
  • attestix/cli.py
  • attestix/config.py
  • attestix/errors.py
  • attestix/idempotency/__init__.py
  • attestix/idempotency/middleware.py
  • attestix/idempotency/store.py
  • attestix/main.py
  • attestix/services/__init__.py
  • attestix/services/agent_card_service.py
  • attestix/services/blockchain_service.py
  • attestix/services/cache.py
  • attestix/services/compliance_service.py
  • attestix/services/credential_service.py
  • attestix/services/delegation_service.py
  • attestix/services/did_service.py
  • attestix/services/identity_service.py
  • attestix/services/provenance_service.py
  • attestix/services/report_service.py
  • attestix/services/reputation_service.py
  • attestix/signing/__init__.py
  • attestix/signing/inprocess_signer.py
  • attestix/signing/signer.py
  • attestix/storage/__init__.py
  • attestix/storage/file_repository.py
  • attestix/storage/memory_repository.py
  • attestix/storage/repository.py
  • attestix/tenancy/__init__.py
  • attestix/tenancy/context.py
  • attestix/tools/__init__.py
  • attestix/tools/agent_card_tools.py
  • attestix/tools/blockchain_tools.py
  • attestix/tools/compliance_tools.py
  • attestix/tools/credential_tools.py
  • attestix/tools/delegation_tools.py
  • attestix/tools/did_tools.py
  • attestix/tools/identity_tools.py
  • attestix/tools/provenance_tools.py
  • attestix/tools/reputation_tools.py
  • audit/__init__.py
  • audit/emitter.py
  • audit/events.py
  • audit/service_hook.py
  • auth/__init__.py
  • auth/crypto.py
  • auth/ssrf.py
  • auth/token_parser.py
  • blockchain/__init__.py
  • blockchain/abi.py
  • blockchain/merkle.py
  • cli.py
  • config.py
  • demo/quick-start/five_min_demo.py
  • demo/scenarios/01-fintech-advisor/run_demo.py
  • demo/scenarios/02-supply-chain-ai/run_demo.py
  • demo/scenarios/03-hr-screening/run_demo.py
  • demo/webapp/app.py
  • errors.py
  • examples/01_basic_identity.py
  • examples/02_full_compliance.py
  • examples/03_delegation_chain.py
  • examples/04_verifiable_credentials.py
  • examples/05_audit_trail.py
  • examples/quickstart.py
  • idempotency/__init__.py
  • idempotency/middleware.py
  • idempotency/store.py
  • integrations/examples/crewai_compliance.py
  • integrations/examples/crewai_real_integration.py
  • integrations/examples/dify_compliance.py
  • integrations/examples/google_adk_compliance.py
  • integrations/examples/langchain_compliance.py
  • integrations/examples/langchain_real_integration.py
  • integrations/examples/openai_agents_compliance.py
  • integrations/examples/openai_agents_real_integration.py
  • integrations/examples/semantic_kernel_compliance.py
  • integrations/examples/strands_compliance.py
  • main.py
  • pyproject.toml
  • services/__init__.py
  • services/agent_card_service.py
  • services/blockchain_service.py
  • services/cache.py
  • services/compliance_service.py
  • services/credential_service.py
  • services/delegation_service.py
  • services/did_service.py
  • services/identity_service.py
  • services/provenance_service.py
  • services/report_service.py
  • services/reputation_service.py
  • signing/__init__.py
  • signing/inprocess_signer.py
  • signing/signer.py
  • simulate_users.py
  • storage/__init__.py
  • storage/file_repository.py
  • storage/memory_repository.py
  • storage/repository.py
  • tenancy/__init__.py
  • tenancy/context.py
  • tests/benchmarks/test_mcp_conformance.py
  • tests/benchmarks/test_performance.py
  • tests/benchmarks/test_rfc8032_ed25519.py
  • tests/benchmarks/test_ucan_conformance.py
  • tests/benchmarks/test_w3c_did_conformance.py
  • tests/conftest.py
  • tests/contract/test_repository_contract.py
  • tests/contract/test_signer_contract.py
  • tests/e2e/test_advanced_personas.py
  • tests/e2e/test_full_validation.py
  • tests/e2e/test_user_personas.py
  • tests/install/__init__.py
  • tests/install/test_pip_install_smoke.py
  • tests/integration/test_framework_integrations.py
  • tests/integration/test_idempotency.py
  • tests/integration/test_idempotency_middleware.py
  • tests/integration/test_service_audit.py
  • tests/integration/test_tenant_isolation.py
  • tests/test_tools.py
  • tests/unit/test_audit_events.py
  • tests/unit/test_blockchain.py
  • tests/unit/test_crypto.py
  • tests/unit/test_delegation.py
  • tests/unit/test_merkle.py
  • tests/unit/test_security_hardening.py
  • tests/unit/test_signer_parity.py
  • tests/unit/test_ssrf.py
  • tools/__init__.py
  • tools/agent_card_tools.py
  • tools/blockchain_tools.py
  • tools/compliance_tools.py
  • tools/credential_tools.py
  • tools/delegation_tools.py
  • tools/did_tools.py
  • tools/identity_tools.py
  • tools/provenance_tools.py
  • tools/reputation_tools.py
  • website/content/docs/guides/crewai.mdx
  • website/content/docs/guides/integration-guide.mdx
  • website/content/docs/guides/langchain.mdx
  • website/content/docs/guides/openai-agents-sdk.mdx
  • website/public/llms.txt
  • website/src/app/(marketing)/research/page.tsx
  • website/src/components/sections/v2/frameworks.tsx
  • website/src/lib/atx-data.ts
  • website/src/lib/config.tsx

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key: "ignore"
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release/v0.4.0-rc.2-packaging

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Comment thread attestix/api/main.py Fixed
Comment thread attestix/api/routers/agent_cards.py Dismissed
Comment thread attestix/api/routers/did.py Dismissed
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 28, 2026

Copy link
Copy Markdown

Deploying attestix with  Cloudflare Pages  Cloudflare Pages

Latest commit: c3e94ab
Status: ✅  Deploy successful!
Preview URL: https://7bef5bc3.attestix.pages.dev
Branch Preview URL: https://release-v0-4-0-rc-2-packagin.attestix.pages.dev

View logs

Comment thread attestix/api/main.py Fixed
Comment thread attestix/main.py
provenance_tools.register(mcp)
blockchain_tools.register(mcp)

print(f"Attestix MCP server loaded: 47 tools registered", file=sys.stderr)
Comment thread api/__init__.py
stacklevel=2,
)

from attestix.api import * # noqa: F401, F403
Comment thread api/routers/__init__.py
from attestix.api.routers import ...
"""

from attestix.api.routers import * # noqa: F401, F403
Comment thread blockchain/abi.py
# these remain None and the service derives the UID canonically at runtime.
ATTESTIX_SCHEMA_UID_BASE_SEPOLIA: str | None = None
ATTESTIX_SCHEMA_UID_BASE_MAINNET: str | None = None
from attestix.blockchain.abi import * # noqa: F401, F403
f"to make the agent discoverable via A2A protocol."
),
}
from attestix.services.agent_card_service import * # noqa: F401, F403
logger.warning("Agent card generation failed: %s", result["error"])
raise HTTPException(status_code=400, detail="Agent card generation failed")
return result
from attestix.api.routers.agent_cards import * # noqa: F401, F403
Comment thread api/routers/blockchain.py
logger.warning("Anchor cost estimation failed: %s", result["error"])
raise HTTPException(status_code=400, detail="Anchor cost estimation failed")
return result
from attestix.api.routers.blockchain import * # noqa: F401, F403
"estimate_anchor_cost", e, ErrorCategory.BLOCKCHAIN,
)
return {"error": msg}
from attestix.services.blockchain_service import * # noqa: F401, F403
Comment thread services/cache.py
keys_to_remove = [k for k in _cache if k.startswith(prefix)]
for k in keys_to_remove:
del _cache[k]
from attestix.services.cache import * # noqa: F401, F403
…y/clear-text-logging-sensitive-data)

TRUSTED_PROXIES is by design a list of network CIDRs, but env-var values in general can hold secrets. Log only the entry length, never the raw value. Closes the high-severity CodeQL alert flagged on PR #91. The two medium 'stack-trace-exposure' alerts on did.py / agent_cards.py were reviewed and dismissed as false positives: the HTTPException details are hardcoded generic strings; upstream error_msg is used only for internal classification (timeout/http), never returned to the client.
Comment thread attestix/api/main.py
"limiting. Set TRUSTED_PROXIES to the CIDR of your LB/CDN "
"so per-client rate limits work correctly."
)
_TRUSTED_PROXIES_WARNED = True
@ascender1729 ascender1729 merged commit a0aa44d into main May 28, 2026
19 checks passed
@ascender1729 ascender1729 deleted the release/v0.4.0-rc.2-packaging branch May 28, 2026 05:56
ascender1729 added a commit that referenced this pull request May 28, 2026
… guide + install bump (#92)

Every Python snippet in the OSS docs now uses the canonical `attestix.*`
namespace promoted in v0.4.0-rc.2 packaging refactor (#91). The pre-rc.2 flat
top-level packages (`services/`, `auth/`, `storage/`, ...) still resolve via
deprecation shims and emit a DeprecationWarning; they are scheduled for
removal in v0.5.0, so the docs teach the canonical path going forward.

Changes
- website/content/docs/examples.mdx: 17 import statements rewritten to
  `from attestix.services... import ...` across all 11 example sections;
  added a leader callout linking to the new migration guide; install command
  surfaces both `pip install --pre attestix` (rc.2) and `pip install attestix`
  (stable 0.3.0).
- website/content/docs/getting-started.mdx: install block now shows both the
  `--pre` (rc.2) and stable lines with a callout to the migration guide; the
  "Use as Python Library" snippet drops the `sys.path` shim and imports from
  `attestix.services.identity_service` directly.
- website/content/docs/guides/base-l2-anchor.mdx: install block split into
  `--pre` rc.2 and stable; `BlockchainService` snippet now imports from
  `attestix.services.blockchain_service`.
- website/content/docs/guides/integration-guide.mdx: the plain-Python wiring
  example imports all four services from `attestix.services.*`.
- website/content/docs/guides/reputation.mdx: identity/reputation/delegation
  service imports rewritten to canonical namespace.
- website/content/docs/reference/faq.mdx: "Can I use Attestix without MCP?"
  snippet rewritten to canonical namespace.
- website/content/docs/guides/migration-v0.4.0-namespace.mdx: NEW guide
  covering why packaging changed (ICP funnel evaluation), what works in
  rc.2 (both paths, legacy warns), removal timeline (v0.5.0), full
  before/after substitution table, a one-liner ripgrep+sed migration script,
  deployment-string updates (`uvicorn api.main:app` -> `uvicorn
  attestix.api.main:app`), verification commands using
  `-W error::DeprecationWarning`, and `pip install --pre attestix==0.4.0rc2`
  pin instructions. Linked from CHANGELOG.md rc.2 entry plus the touched
  docs.
- website/content/docs/guides/meta.json: register the new migration guide
  in the Fumadocs sidebar.

Validation
- `npx next build` in `website/`: 60/60 static pages, including
  `/docs/guides/migration-v0.4.0-namespace` (built artifact verified at
  `website/out/docs/guides/migration-v0.4.0-namespace.html`).
- Post-edit grep for legacy patterns across `website` + `README.md`
  (excluding the migration guide which intentionally quotes both forms):
  zero literal `from <flat>.X import` Python imports remain in any code
  block. Remaining hits are narrative text (callouts explaining the
  deprecation shim) plus already-canonical `attestix.api.main:app`
  references in README.
- Smoke test in throwaway venv with `pip install --pre attestix==0.4.0rc2`:
    python -c "from attestix.services.identity_service import IdentityService;
               print('canonical ok:', IdentityService.__module__)"
    -> canonical ok: attestix.services.identity_service
    python -W error::DeprecationWarning -c "from attestix.services.identity_service import IdentityService"
    -> exits 0 (no warning, no error)
    python -W error::DeprecationWarning -c "from services.identity_service import IdentityService"
    -> raises DeprecationWarning: "Importing from the top-level `services`
       package is deprecated and will be removed in Attestix v0.5.0. Update
       your imports to `from attestix.services...` (canonical namespace)."

No functional code changed; this PR is documentation-only and ships
alongside the rc.2 packaging fix already on `main`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants