Skip to content

fix: repoint scitex_audit -> scitex_security (audit is archived)#359

Open
ywatanabe1989 wants to merge 1 commit into
developfrom
fix/repoint-audit-to-security
Open

fix: repoint scitex_audit -> scitex_security (audit is archived)#359
ywatanabe1989 wants to merge 1 commit into
developfrom
fix/repoint-audit-to-security

Conversation

@ywatanabe1989

Copy link
Copy Markdown
Collaborator

Why

scitex-audit is now a public archive on GitHub per the operator's ruling. The umbrella must not declare or re-export an archived package.

ADR-0002 made scitex-security canonical and reversed ADR-0001's direction — but the reversal was never finished. The umbrella still pinned scitex-audit==0.2.0 in main deps, in [audit], in [security], and lazily resolved scitex.securityscitex_audit.github.

The migration is a no-op — nothing to port

Established by comparing symbols, not filenames, before touching anything: audit has 51 public symbols, security 52. All six audit-only symbols are mirror images, not gaps — and the docstrings settle the direction:

  • audit's _migrate_legacy_security_dir"Per ADR-0001" (security→audit)
  • security's _migrate_legacy_audit_dir"One-shot REVERSE migration… Per ADR-0002" (audit→security)

So audit's uniques are the superseded direction. Porting them in would reimport the very thing being removed. The other two are _cmd-suffix renames; four modules are byte-identical after name normalization.

Verified before changing a published dependency graph

  • scitex-security==0.2.0 is on PyPI (a repoint to an unpublished package would break installs).
  • scitex_security.github carries all five public symbols: check_github_alerts, save_alerts_to_file, format_alerts_report, check_gh_auth, GitHubSecurityError.

Scope: nine lines, all code

file change
pyproject.toml 4 dependency declarations → scitex-security
src/scitex/__init__.py scitex.security external → scitex_security.github
src/scitex/re_export.py "audit" / "security" mappings → scitex_security
src/scitex/cli/audit.py _format import → scitex_security
_skills/scitex/03_python-api.md the mapping table

Historical comments are deliberately untouched. They describe ADR-0001 accurately; rewriting them would make the file misdescribe its own history. (I initially applied a blanket sed, which silently rewrote those comments to claim ADR-0001 routed to scitex_security — false. Reverted and redid it line by line.)

No shim — the operator's ruling is explicit that a re-export shim is itself garbage. And no yank: scitex-audit 0.2.0 stays on PyPI as historical; archiving is not yanking, and yanking breaks installed callers.

Not in scope

scitex_security/_paths.py references scitex-audit by design — those are the reverse-migration's identity strings (.migrated_from_scitex_audit_user, audit/github-alerts). Renaming them would re-fire the one-shot migration on users who already migrated. Left alone.

scitex-audit is now a public archive on GitHub per the operator's
ruling; the umbrella must not declare or re-export it. ADR-0002 made
scitex-security the canonical package, and the reversal was never
finished -- the umbrella still pinned scitex-audit==0.2.0 in main deps,
in [audit], in [security], and lazily resolved scitex.security to
scitex_audit.github.

Nine lines, all code:
  pyproject: 4 dependency declarations -> scitex-security
  __init__:  scitex.security external -> scitex_security.github
  re_export: "audit"/"security" mappings -> scitex_security
  cli/audit: _format import -> scitex_security
  docs:      the mapping table

Verified before changing a published package's dependency graph:
scitex-security 0.2.0 is on PyPI, and scitex_security.github carries
all five public symbols (check_github_alerts, save_alerts_to_file,
format_alerts_report, check_gh_auth, GitHubSecurityError).

Historical comments are deliberately left untouched. They describe
ADR-0001 accurately, and rewriting them would make the file misdescribe
its own history.

No shim: the operator's ruling is explicit that a re-export shim is
itself garbage. scitex-audit 0.2.0 stays on PyPI as historical -- an
archive is not a yank, and yanking would break installed callers.
@ywatanabe1989
ywatanabe1989 force-pushed the fix/repoint-audit-to-security branch from de6ea96 to f6fc17b Compare July 17, 2026 00:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant