From f4a8bcaeac4ef9ec7f3991f4a16901b55fc3193c Mon Sep 17 00:00:00 2001 From: Lakshman Patel Date: Sun, 21 Jun 2026 14:18:07 +0530 Subject: [PATCH 1/2] ci: guard sdk-python consumer boundaries --- .github/workflows/ci.yml | 2 ++ Makefile | 7 +++++-- README.md | 7 +++++++ scripts/check-consumer-boundaries.sh | 22 ++++++++++++++++++++++ 4 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 scripts/check-consumer-boundaries.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e5672e..bb53e92 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -56,6 +56,8 @@ jobs: run: ruff check . - name: ruff format --check run: ruff format --check . + - name: consumer boundary guard + run: bash ./scripts/check-consumer-boundaries.sh - name: examples compile (anti-rot) run: python -m compileall examples diff --git a/Makefile b/Makefile index 5d1765b..97a3277 100644 --- a/Makefile +++ b/Makefile @@ -19,7 +19,7 @@ PIP ?= $(PYTHON) -m pip # --------------------------------------------------------------------------- # Phony declarations (alphabetical). # --------------------------------------------------------------------------- -.PHONY: all bench build ci clean cover fmt help install lint lint-fix \ +.PHONY: all bench boundary-guard build ci clean cover fmt help install lint lint-fix \ release security test test-race tidy version vet # --------------------------------------------------------------------------- @@ -63,6 +63,9 @@ fmt: ## Format with ruff. vet: ## Type-check with mypy. $(PYTHON) -m mypy src/ +boundary-guard: ## Fail if the SDK references support engines or Hawk private packages. + bash ./scripts/check-consumer-boundaries.sh + lint: ## Lint with ruff. $(PYTHON) -m ruff check . @@ -84,7 +87,7 @@ tidy: ## No-op for Python (lockfile management is via pyproject.toml). # --------------------------------------------------------------------------- # Composite gate used by CI and pre-push. # --------------------------------------------------------------------------- -ci: fmt vet lint test security ## Run everything CI runs. +ci: fmt vet boundary-guard lint test security ## Run everything CI runs. @echo "All CI checks passed." # --------------------------------------------------------------------------- diff --git a/README.md b/README.md index 50d32a3..d2bfc96 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,13 @@ with HawkClient() as client: See the [examples/](examples/) directory for complete runnable examples. +## Ecosystem Boundaries + +- `hawk-sdk-python` is a consumer of Hawk public APIs and contracts. +- Do not couple the SDK to support engine repos such as `eyrie`, `yaad`, `tok`, `trace`, `sight`, or `inspect`. +- Do not reference `hawk/internal/*` or removed legacy path `hawk/shared/types`. +- If a capability is needed across repos, expose it through Hawk or `hawk-core-contracts`, not engine internals. + ## Contributing Contributions are welcome — please read [CONTRIBUTING.md](CONTRIBUTING.md) before opening a pull request. diff --git a/scripts/check-consumer-boundaries.sh b/scripts/check-consumer-boundaries.sh new file mode 100644 index 0000000..6798245 --- /dev/null +++ b/scripts/check-consumer-boundaries.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash +set -euo pipefail + +ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +cd "$ROOT_DIR" + +violations="$( + grep -RInE \ + --include='*.py' --include='*.md' --include='*.yaml' --include='*.yml' --include='*.toml' \ + 'github\.com/GrayCodeAI/(eyrie|inspect|sight|tok|trace|yaad)(/|")|github\.com/GrayCodeAI/hawk/(internal/|shared/types)' \ + src tests README.md docs api pyproject.toml 2>/dev/null || true +)" + +if [[ -n "${violations}" ]]; then + echo "forbidden Hawk consumer references found:" + echo "${violations}" + echo + echo "hawk-sdk-python must depend on Hawk public APIs/contracts only; do not reference support engine repos, hawk/internal, or removed hawk/shared/types" + exit 1 +fi + +echo "consumer boundary guard passed" From c43ad4327b66e86c96080250e84fab3f78e2c8a3 Mon Sep 17 00:00:00 2001 From: Lakshman Patel Date: Sun, 21 Jun 2026 15:36:03 +0530 Subject: [PATCH 2/2] chore: strip Co-authored-by trailers in lefthook hooks --- lefthook.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 lefthook.yml diff --git a/lefthook.yml b/lefthook.yml new file mode 100644 index 0000000..2dbf45f --- /dev/null +++ b/lefthook.yml @@ -0,0 +1,14 @@ +# Install: lefthook install +# Skip once: LEFTHOOK=0 git commit -m "..." + +prepare-commit-msg: + commands: + strip-co-authored-by: + run: | + sed '/^[Cc]o-[Aa]uthored-[Bb]y:/d' "{1}" > "{1}.tmp" && mv "{1}.tmp" "{1}" + +commit-msg: + commands: + strip-co-authored-by: + run: | + sed '/^[Cc]o-[Aa]uthored-[Bb]y:/d' "{1}" > "{1}.tmp" && mv "{1}.tmp" "{1}"