chore: release pipeline, testing helper, docs, dev-loop hardening

[hampsterx]

Summary

• Add a tag-driven PyPI release path: version from the git tag via hatch-vcs, plus a publish.yml workflow that builds and publishes through OIDC trusted publishing (no API token). Documented in RELEASING.md.
• Ship snowflake_sql_api.testing so downstream code can test against the client with no network and no Snowflake account: a FakeSnowflake (httpx.MockTransport) registry, make_client/make_async_client, and pytest fixtures auto-registered via a pytest11 entry point. Adds an http_client= passthrough on both clients (no new runtime dependency; httpx is already core).
• Enforce the coverage gate that was previously only a comment (fail_under = 89), and run coverage via coverage run -m pytest so tracing starts before the shipped pytest plugin imports.
• Add .pre-commit-config.yaml (ruff, black, mypy, detect-private-key), pinned to a Python-3.9-compatible black so the dev toolchain matches the runtime floor.
• Add user docs under docs/ (getting-started, authentication, cli, testing, troubleshooting) and supply-chain hygiene: SECURITY.md, Dependabot (pip + actions), and issue/PR templates.

Backwards compatibility

Additive only. No public API removed or changed; the sole public-surface addition is http_client= (optional) on both clients and the new snowflake_sql_api.testing module. The version is now derived from the git tag (was a hardcoded __version__); installed behaviour is unchanged.

Review

Internal (bugs + polish) and external cross-family review (Codex + Kimi-agentic) before push. Fixed: a pre-1970 sub-second timestamp encoder off-by-one in the testing helper, a Decimal scientific-notation encoding crash, out-of-range partition fetches now raise, and a py3.9 with-syntax / black-version compatibility issue. Each fixed bug has a regression test.

Changes

 .github/ISSUE_TEMPLATE/bug_report.md      |  35 ++
 .github/ISSUE_TEMPLATE/feature_request.md |  24 ++
 .github/PULL_REQUEST_TEMPLATE.md          |  22 +
 .github/dependabot.yml                    |  20 +
 .github/workflows/ci.yml                  |   9 +-
 .github/workflows/publish.yml             |  77 ++++
 .pre-commit-config.yaml                   |  39 ++
 AGENTS.md                                 |  89 +++-
 CONTRIBUTING.md                           |  17 +-
 RELEASING.md                              |  70 ++++
 SECURITY.md                               |  31 ++
 docs/authentication.md                    | 115 ++++++
 docs/cli.md                               |  58 +++
 docs/getting-started.md                   | 128 ++++++
 docs/testing.md                           | 159 ++++++++
 docs/troubleshooting.md                   | 102 +++++
 pyproject.toml                            |  25 +-
 snowflake_sql_api/__init__.py             |  14 +-
 snowflake_sql_api/aclient.py              |   4 +
 snowflake_sql_api/client.py               |   4 +
 snowflake_sql_api/testing.py              | 657 ++++++++++++++++++++++++++++++
 tests/support.py                          |  66 +--
 tests/test_testing.py                     | 335 +++++++++++++++
 23 files changed, 2037 insertions(+), 63 deletions(-)

Test plan

• coverage run -m pytest && coverage report green (175 passed, 5 skipped, 94%; gate 89%)
• pre-commit run --all-files clean (ruff, black, mypy, detect-private-key)
• python -m build + twine check dist/* pass; wheel version derives from the git tag
• Sync + async clients driven through FakeSnowflake with no network, no respx
• Changed files parse under Python 3.9 grammar (ast.parse(feature_version=(3,9)))
• First PyPI publish once the trusted publisher + pypi environment are exercised by a tag

Summary by CodeRabbit

Release Notes

• New Features

  • Added testing module with FakeSnowflake for mocking Snowflake queries without network access.
  • Added support for custom HTTP clients in sync and async Snowflake clients.

• Documentation

  • Comprehensive guides now available: authentication, CLI, getting started, testing, and troubleshooting.

• Chores

  • Automated release workflow via git tags and version management.
  • Enhanced development tooling and CI/CD infrastructure.

[coderabbitai]

Warning

Review limit reached

@hampsterx, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 46 minutes and 11 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e4732802-9558-447a-ad4d-359eb1be07da

📥 Commits

Reviewing files that changed from the base of the PR and between f34da9d and d2a6abc.

📒 Files selected for processing (23)

• .github/ISSUE_TEMPLATE/bug_report.md
• .github/ISSUE_TEMPLATE/feature_request.md
• .github/PULL_REQUEST_TEMPLATE.md
• .github/dependabot.yml
• .github/workflows/ci.yml
• .github/workflows/publish.yml
• .pre-commit-config.yaml
• AGENTS.md
• CONTRIBUTING.md
• RELEASING.md
• SECURITY.md
• docs/authentication.md
• docs/cli.md
• docs/getting-started.md
• docs/testing.md
• docs/troubleshooting.md
• pyproject.toml
• snowflake_sql_api/__init__.py
• snowflake_sql_api/aclient.py
• snowflake_sql_api/client.py
• snowflake_sql_api/testing.py
• tests/support.py
• tests/test_testing.py

📝 Walkthrough

Walkthrough

Adds snowflake_sql_api/testing.py with FakeSnowflake (an httpx.MockTransport-backed SQL API fake with wire encoding, DML/error registration, polling simulation, client factories, and pytest fixtures), injects an optional http_client parameter into both client constructors, switches to VCS-derived versioning via hatch-vcs, adds a PyPI publish workflow, pre-commit config, Dependabot, GitHub community templates, RELEASING.md, SECURITY.md, and a full user-facing and contributor documentation suite.

Changes

FakeSnowflake testing module and client http_client injection

Layer / File(s)	Summary
http_client injection into sync and async clients snowflake_sql_api/client.py, snowflake_sql_api/aclient.py	Adds httpx import and an optional http_client constructor parameter to both SnowflakeClient and AsyncSnowflakeClient, forwarding it into their underlying Transport instances.
pyproject.toml: pytest11 entry point, VCS versioning, and coverage threshold pyproject.toml	Registers snowflake_sql_api.testing as a pytest11 plugin, switches Hatch versioning to hatch-vcs with _version.py output, adds coverage[toml] and pre-commit to dev deps, and sets fail_under = 89.
__init__.py VCS version fallback chain snowflake_sql_api/__init__.py	Replaces hardcoded __version__ with a three-level fallback: build-generated _version module → importlib.metadata → "0.0.0.dev0".
testing.py: response builders, wire encoding, and registry snowflake_sql_api/testing.py	Defines __all__, ok_body/running_body envelope builders, epoch/time wire-format helpers, native-value type inference, cell-level SQL API wire encoding, and internal registry/partition-building data structures.
testing.py: FakeSnowflake request routing and polling snowflake_sql_api/testing.py	Implements FakeSnowflake as an httpx.MockTransport handler routing statement submissions to exact/predicate SQL lookups, simulating errors, managing async polling state, handling partition GETs, and assembling result envelopes.
testing.py: client factories and pytest fixtures snowflake_sql_api/testing.py	Provides a cached throwaway RSA key generator, make_client/make_async_client factory functions, and optional auto-registered pytest fixtures (fake_snowflake, snowflake_client, async_snowflake_client) managing client lifecycle.
tests/support.py refactor and test_testing.py tests/support.py, tests/test_testing.py	Refactors tests/support.py to re-export ok_body/running_body from snowflake_sql_api.testing; adds test_testing.py covering sync/async queries, DML, errors, polling, native-value round-trips including pre-epoch timestamps, and fixture-driven tests.
docs/testing.md and docs/troubleshooting.md docs/testing.md, docs/troubleshooting.md	Adds full testing module documentation (quick-start, registration, DML/error injection, multi-partition, async-submit, pytest fixtures, drop-in transport wiring, assertion inspection) and troubleshooting documentation for the error hierarchy, auth failures, long-running statements, retries, and network errors.

Repository infrastructure, CI/CD, tooling, and user-facing docs

Layer / File(s)	Summary
CI coverage update, publish workflow, Dependabot, and pre-commit .github/workflows/ci.yml, .github/workflows/publish.yml, .github/dependabot.yml, .pre-commit-config.yaml	Switches CI to coverage run -m pytest; adds publish.yml with lint/test/publish jobs using OIDC trusted publishing; configures Dependabot for pip and github-actions ecosystems; defines pre-commit hooks for ruff, black, mypy, and standard quality checks.
GitHub community files, RELEASING.md, and SECURITY.md .github/ISSUE_TEMPLATE/*, .github/PULL_REQUEST_TEMPLATE.md, RELEASING.md, SECURITY.md	Adds bug report and feature request issue templates, PR template, RELEASING.md documenting tag-based release flow with hatch-vcs and OIDC publishing, and SECURITY.md defining vulnerability reporting, security scope, and secret-handling guidance.
User documentation: getting-started, authentication, and CLI docs/getting-started.md, docs/authentication.md, docs/cli.md	Adds getting-started guide with install, auth setup, sync/async client examples, and parameter binding; authentication guide with keypair generation, account-locator region rules, and token lifetime; CLI guide with env var config, query usage, JSON output, and exit codes.
AGENTS.md and CONTRIBUTING.md developer guidance updates AGENTS.md, CONTRIBUTING.md	Updates AGENTS.md to add testing.py to the module table, rewrite development commands with coverage run / pre-commit, expand known quirks and common mistakes; updates CONTRIBUTING.md with pre-commit install step and corrected coverage workflow.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• hampsterx/snowflake-sql-api#1: Implements the core SnowflakeClient/AsyncSnowflakeClient and Transport/AsyncTransport wiring that this PR extends with the optional http_client injection parameter.

Poem

🐇 Hoppity-hop, the fake Snowflake is here,
No real account needed, no latency to fear!
FakeSnowflake stubs SQL with wire-encoded rows,
Pre-commit and OIDC keep the pipeline in flows.
coverage run -m pytest—get the timing just right,
The rabbit ships docs and CI in one moonlit night! 🌙

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.10% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and concisely summarizes the three main categories of changes: release pipeline setup, testing helper infrastructure, and documentation/developer tooling improvements.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/maturity-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (5)

.github/workflows/publish.yml (2)

12-29: ⚡ Quick win

Restrict permissions for lint and test jobs to read-only.

The lint and test jobs inherit default write permissions but only need read access to the repository. Explicitly setting permissions: contents: read follows the principle of least privilege.

🛡️ Proposed fix

Add to both jobs:

   lint:
     name: Lint and type-check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:

   test:
     name: Test (py${{ matrix.python-version }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:

Also applies to: 31-51

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 12 - 29, The lint and test GitHub
Actions jobs currently inherit default write permissions but should be
restricted to read-only access following the principle of least privilege. Add a
permissions section with contents set to read to both the lint job (starting
with name: Lint and type-check) and the test job (mentioned in the Also applies
to section). This explicitly grants only read access to the repository content,
which is all that is needed for linting, type-checking, and testing operations.

---

16-17: ⚖️ Poor tradeoff

Consider pinning GitHub Actions to commit SHAs for supply-chain security.

Using version tags like @v4 or @v5 allows action maintainers to update the code behind the tag, which could introduce malicious changes. Pinning to commit SHAs (with a comment showing the version) prevents this attack vector.

🔐 Example: Pin actions/checkout@v4 to SHA

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4

Note: This is a defense-in-depth measure; assess whether it fits the project's risk tolerance. Tools like Dependabot can automate SHA updates.

Also applies to: 39-40, 61-65, 77-77

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 16 - 17, The GitHub Actions in
the publish.yml workflow are using version tags like `@v4` and `@v5` for
actions/checkout and actions/setup-python, which poses a supply-chain security
risk since maintainers can update the code behind these tags. Replace each
version tag with a pinned commit SHA (format: `@COMMIT_SHA`) and add a comment
above each line indicating the version it corresponds to (e.g., # v4, # v5).
Apply this fix to all instances of GitHub Actions throughout the file, including
the ones mentioned in lines 39-40, 61-65, and 77-77.

CONTRIBUTING.md (1)

43-43: ⚡ Quick win

Checklist item omits timezone and schema from hardcoding guidance.

Line 43 lists only "account/region/role/warehouse"; per the coding guidelines and AGENTS.md (line 87–89), the full set is "account, region, role, warehouse, timezone, schema". Developers reading only CONTRIBUTING.md before opening a PR might miss the latter two. Consider adding them for consistency.

✨ Proposed fix

- [ ] No hardcoded account/region/role/warehouse values - configuration is generic.
+ [ ] No hardcoded account/region/role/warehouse/timezone/schema values - configuration is generic.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTRIBUTING.md` at line 43, The checklist item for hardcoded configuration
values on line 43 is incomplete and should include all configuration items per
the AGENTS.md guidelines. Update the checkbox item that currently reads "No
hardcoded account/region/role/warehouse values" to also explicitly include
timezone and schema in the list of prohibited hardcoded values, ensuring
consistency with the full set of configuration items documented in AGENTS.md
lines 87-89.

Source: Coding guidelines

docs/getting-started.md (1)

99-99: 💤 Low value

Minor style: consider "username" instead of "user name".

Per static analysis, the single-word form is now more common.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/getting-started.md` at line 99, In the documentation table entry for the
SNOWFLAKE_USER environment variable, change the description from "user name
(required)" to "username (required)" to align with modern style conventions
where "username" is now the standard single-word form.

Source: Linters/SAST tools

docs/testing.md (1)

20-25: ⚡ Quick win

Use a context manager in quick-start to avoid leaking client resources.

The first example should demonstrate closing the client cleanly.

✍️ Suggested doc edit

-client = make_client(fake)
-assert client.query("SELECT id, name FROM users") == [
-    {"ID": 1, "NAME": "alice"},
-    {"ID": 2, "NAME": "bob"},
-]
+with make_client(fake) as client:
+    assert client.query("SELECT id, name FROM users") == [
+        {"ID": 1, "NAME": "alice"},
+        {"ID": 2, "NAME": "bob"},
+    ]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/testing.md` around lines 20 - 25, The quick-start example in the testing
documentation creates a client using make_client(fake) but does not demonstrate
proper resource cleanup, which can lead to resource leaks. Refactor the code
example to use a context manager (with statement) to wrap the client creation
and query execution, ensuring the client is automatically closed after the
example completes. This demonstrates best practices for resource management in
the documentation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Line 16: The checkout actions in the publish workflow are missing the
persist-credentials configuration, which leaves git credentials in .git/config
and poses a security risk. Add persist-credentials: false to all three instances
of the actions/checkout@v4 action in the workflow file to prevent credential
leakage from potentially compromised dependencies or build steps that run during
publishing.

In `@snowflake_sql_api/testing.py`:
- Around line 576-577: Remove the hardcoded default values for the account and
user parameters in the factory function. The account parameter currently
defaults to "testorg-testaccount" and the user parameter currently defaults to
"TEST_USER" at lines 576-577 and again at lines 600-601. Instead, make these
parameters required by removing their default values, or alternatively source
these values from environment variables or configuration objects passed as
parameters. This ensures the public factory API does not contain hardcoded
sensitive configuration values as per the coding guidelines.
- Around line 579-594: The function accepts **kwargs documented as pass-through
to the SnowflakeClient constructor, but explicitly sets private_key,
http_client, and poll_interval as named arguments. If these reserved keywords
are passed in **kwargs, it will cause a duplicate keyword argument TypeError.
Add validation before the SnowflakeClient instantiation to check if private_key,
http_client, or poll_interval are present in the kwargs dictionary, and raise a
clear error message explaining that these parameters cannot be passed through
**kwargs as they are managed by the factory function. Apply the same guard to
the similar function at lines 603-615.

---

Nitpick comments:
In @.github/workflows/publish.yml:
- Around line 12-29: The lint and test GitHub Actions jobs currently inherit
default write permissions but should be restricted to read-only access following
the principle of least privilege. Add a permissions section with contents set to
read to both the lint job (starting with name: Lint and type-check) and the test
job (mentioned in the Also applies to section). This explicitly grants only read
access to the repository content, which is all that is needed for linting,
type-checking, and testing operations.
- Around line 16-17: The GitHub Actions in the publish.yml workflow are using
version tags like `@v4` and `@v5` for actions/checkout and actions/setup-python,
which poses a supply-chain security risk since maintainers can update the code
behind these tags. Replace each version tag with a pinned commit SHA (format:
`@COMMIT_SHA`) and add a comment above each line indicating the version it
corresponds to (e.g., # v4, # v5). Apply this fix to all instances of GitHub
Actions throughout the file, including the ones mentioned in lines 39-40, 61-65,
and 77-77.

In `@CONTRIBUTING.md`:
- Line 43: The checklist item for hardcoded configuration values on line 43 is
incomplete and should include all configuration items per the AGENTS.md
guidelines. Update the checkbox item that currently reads "No hardcoded
account/region/role/warehouse values" to also explicitly include timezone and
schema in the list of prohibited hardcoded values, ensuring consistency with the
full set of configuration items documented in AGENTS.md lines 87-89.

In `@docs/getting-started.md`:
- Line 99: In the documentation table entry for the SNOWFLAKE_USER environment
variable, change the description from "user name (required)" to "username
(required)" to align with modern style conventions where "username" is now the
standard single-word form.

In `@docs/testing.md`:
- Around line 20-25: The quick-start example in the testing documentation
creates a client using make_client(fake) but does not demonstrate proper
resource cleanup, which can lead to resource leaks. Refactor the code example to
use a context manager (with statement) to wrap the client creation and query
execution, ensuring the client is automatically closed after the example
completes. This demonstrates best practices for resource management in the
documentation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5af72f03-4468-4076-bfdb-c49fd3b529fd

📥 Commits

Reviewing files that changed from the base of the PR and between 50205b0 and f34da9d.

📒 Files selected for processing (23)

• .github/ISSUE_TEMPLATE/bug_report.md
• .github/ISSUE_TEMPLATE/feature_request.md
• .github/PULL_REQUEST_TEMPLATE.md
• .github/dependabot.yml
• .github/workflows/ci.yml
• .github/workflows/publish.yml
• .pre-commit-config.yaml
• AGENTS.md
• CONTRIBUTING.md
• RELEASING.md
• SECURITY.md
• docs/authentication.md
• docs/cli.md
• docs/getting-started.md
• docs/testing.md
• docs/troubleshooting.md
• pyproject.toml
• snowflake_sql_api/__init__.py
• snowflake_sql_api/aclient.py
• snowflake_sql_api/client.py
• snowflake_sql_api/testing.py
• tests/support.py
• tests/test_testing.py