Decouple from direct-mongo plugin, harden Mongo handling, and modernize CI #21

Merged: jotelha merged 9 commits into main from 25_webapp_integration, Jun 17, 2026
@pastewka pastewka commented Dec 5, 2025

Summary

Makes the dependency-graph plugin self-contained and brings its query
handling, build, and CI up to date. Originally scoped to dropping the
direct-mongo-plugin dependency; it now also covers the readme_parsed
traversal fix, Mongo query hardening, the flit build switch, and a CI
modernization onto the jic-dtool plugin repositories.

Changes

Decouple from other plugins

  • Remove the runtime dependency on dserver-direct-mongo-plugin; vendor the
    needed _dict_to_mongo_query helpers into utils.py. register_dataset
    is now a no-op — the plugin only reads the search collection.

Dependency-graph correctness

  • Traverse dependencies via readme_parsed.derived_from.uuid instead of
    readme.*. String READMEs broke graph queries; the parsed view is the
    reliable source. Requires the modernized search/retrieve plugins that
    populate readme_parsed.

Hardening & robustness

  • Obfuscate Mongo credentials (MONGO_URI/MONGO_DB/MONGO_COLLECTION) in
    the /config/info route.
  • Reject JavaScript-executing Mongo operators ($where, $function,
    $accumulator) in raw queries; covered by test_raw_query_hardening.py.
  • Use timezone-aware UTC datetimes for view bookkeeping.

Build

  • Switch the build backend to flit_scm.

Docs

  • Correct the README route paths (/graph/lookup → /graph/uuids).
  • Add CLAUDE.md (build/test commands + architecture overview).

CI

  • Install dservercore, search and retrieve plugins from the jic-dtool
    mains (they carry readme_parsed and the utils_auth JWT helpers this
    branch imports). Drop the direct-mongo-plugin install entirely.
  • Bump actions: checkout v6, setup-python v6, mongodb-github-action 1.12.1,
    upload-artifact v7, download-artifact v8, sigstore v3.4.0.
  • Matrix → Python 3.10–3.13 × MongoDB 6.0/7.0/8.0; requires-python raised
    to >=3.10 (jic-dtool/dservercore now requires it).

Verification

Full CI matrix run locally with act: all 12 cells (Python 3.10–3.13 ×
MongoDB 6.0/7.0/8.0) pass, 11 tests each.

Coordinated dependencies

Depends on unreleased upstream work: jic-dtool/dservercore (≥0.22, for the
utils_auth JWT helpers) and the jic-dtool search/retrieve mongo plugins
that emit readme_parsed.
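
The operator rejection listed under "Hardening & robustness" can be pictured as a recursive key check over the raw query document. This is an added example, not the plugin's code or its test suite; the function names, the exception class and the sample queries are assumptions constructed for illustration.

```python
from collections.abc import Mapping

# Operators the PR description names as JavaScript-executing.
# MongoDB operator names are case-sensitive, so the match is exact.
FORBIDDEN_OPERATORS = frozenset({"$where", "$function", "$accumulator"})


class ForbiddenOperatorError(ValueError):
    """Hypothetical error type: a raw query used a JS-executing operator."""


def find_forbidden_operators(node, path="query"):
    """Return (path, operator) for every forbidden key at any nesting depth."""
    hits = []
    if isinstance(node, Mapping):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in FORBIDDEN_OPERATORS:
                hits.append((child, key))
            # Keep descending: operators can hide under $and/$or/$expr.
            hits.extend(find_forbidden_operators(value, child))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            hits.extend(find_forbidden_operators(value, f"{path}[{index}]"))
    return hits


def validate_raw_query(query):
    """Return the query unchanged, or raise before it can reach MongoDB."""
    if not isinstance(query, Mapping):
        raise TypeError("raw query must be a mapping")
    hits = find_forbidden_operators(query)
    if hits:
        where = ", ".join(p for p, _ in hits)
        raise ForbiddenOperatorError(f"forbidden operator(s) at: {where}")
    return query


# Constructed sample inputs (placeholder UUID and JS body).
SAFE_QUERY = {"readme_parsed.derived_from.uuid": {"$in": ["<uuid-placeholder>"]}}
NESTED_QUERY = {
    "$and": [
        {"frozen_at": {"$gt": 0}},
        {"$expr": {"$function": {"body": "<js>", "args": [], "lang": "js"}}},
    ]
}
```

A top-level-only check would pass `NESTED_QUERY`; walking lists and nested mappings is what catches the operator inside `$and`/`$expr`.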

@pastewka pastewka marked this pull request as draft December 5, 2025 13:03
pastewka and others added 7 commits December 7, 2025 23:25
…aph queries); obfuscate Mongo credentials in config route; reject JS-executing Mongo operators; timezone-aware datetimes
The blueprint registers the dependency-graph endpoints under
/graph/uuids/<uuid> (see dserver_dependency_graph_plugin/__init__.py),
but the README documented a non-existent /graph/lookup/<uuid> path in
all three curl examples.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Install dservercore, the search and the retrieve plugin from the
jic-dtool mains, which carry the coordinated readme_parsed feature and
the dservercore.utils_auth JWT helpers this branch relies on. Drop the
dserver-direct-mongo-plugin install entirely: the dependency was removed
in 8c317d2 and, as a custom extension, it overwrites the readme_parsed
field and breaks the graph queries.

Bump actions to current majors: checkout v6, setup-python v6,
mongodb-github-action 1.12.1, upload-artifact v7, download-artifact v8,
sigstore v3.4.0.

Update the test matrix to Python 3.10-3.13 x MongoDB 6.0/7.0/8.0 and
raise requires-python to >=3.10. Python 3.9 (and the EOL MongoDB 4.2-5.0)
are dropped because jic-dtool/dservercore now requires Python >=3.10.

Verified locally with act across the full matrix: all 12 cells
(3.10-3.13 x 6.0/7.0/8.0) pass, 11 tests each.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Guidance file for Claude Code sessions: how to run the suite (MongoDB
required), the dependency-view/bookkeeping architecture, the readme_parsed
dependency keys, and the JS-operator query hardening boundary.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@jotelha jotelha changed the title MAINT: Remove dependency on direct Mongo plugin Decouple from direct-mongo plugin, harden Mongo handling, and modernize CI Jun 17, 2026
@jotelha jotelha marked this pull request as ready for review June 17, 2026 07:36
version.py is the setuptools_scm write_to target and is regenerated on
every build, so it does not belong in VCS. Remove it from the index and
add it to .gitignore.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@jotelha jotelha merged commit af01ae2 into main Jun 17, 2026
12 checks passed