Skip to main content

Mechanically assess whether a proof of concept is transferable, and report it.

Project description

estafette

Can someone who was not involved get this running? Estafette answers that question mechanically.

Estafette makes public-sector proofs of concept transferable — and measurably so. It is a command-line tool that assesses a repository against a transfer manifest and produces a transferability report with a tier verdict. It orchestrates existing, trusted scanners rather than reinventing them.

  • Status: v1 complete — estafette assess produces a bronze verdict and a transferability report. See openspec/project.md for the plan.
  • Example report (SIDN Pioniers annex): estafette assessed on itself — reports/50a9e694a1a4/report.md (bronze, byte-reproducible for that commit).
  • Licence: EUPL-1.2 — public from day one.
  • Python: 3.12+
  • Package/runner: uv

The name estafette is Dutch for a relay race. A proof of concept is the baton: the point is whether it can be handed off cleanly to someone who wasn't there when it was built.

What it does

Given a repository and a transfer manifest, estafette runs a fixed set of mechanical checks and reports, per check:

  • the status (pass / fail),
  • an actionable gap for every failure (e.g. "dependency X is imported in code but not declared"), never a bare red cross, and
  • the evidence it used, so the verdict is auditable.

It then assigns a tier. In v1 the only implemented tier is bronze — the floor that makes reuse conversations possible.

Bronze tier

  1. REUSE-compliant (every file has licence + copyright info)
  2. Declared licence is consistent everywhere it appears
  3. No secrets detected
  4. SBOM generates cleanly and matches declared dependencies
  5. Transfer manifest present and valid
  6. Contact/owner field non-empty

Silver (builds reproducibly in an isolated harness) and gold (third-party deployable, data requirements satisfiable) are specified as roadmap in docs/tiers.md and not yet enforced. The build harness itself is built in v1, and its result is reported informationally ("would this pass silver: yes/no + gaps").

Design principles

Estafette orchestrates, it does not reinvent:

Concern Tool
Licence clarity REUSE
Software bill of materials syft
Secret detection gitleaks
Vulnerabilities trivy (v2)

Estafette's own code is the manifest schema, the build harness, the tier semantics, and the report — nothing else. Full invariants are in openspec/project.md; highlights:

  • Mechanical or it doesn't count — a tier is only ever the output of the engine on a specific commit.
  • Diagnose, don't just fail — the gap report is the product.
  • Untrusted code never runs ambient — the build harness runs in rootless podman with no network in the run stage and strict resource caps.
  • Deterministic and reproducible — same commit + same estafette version → byte-identical report body.
  • No LLM anywhere in the verdict path.

Usage (target)

uvx estafette assess <path-or-git-url> [--manifest path/to/manifest.yaml]

This produces report.json and a human-readable report.md under reports/.

The CLI is under construction. Track progress via the OpenSpec changes in openspec/changes/.

The transfer manifest

The transfer manifest is designed as an extension profile of publiccode.yml, not a competitor: field names align where overlap exists. See docs/manifest-spec.md.

Prerequisites

The static checks orchestrate three external scanners (invariant: orchestrate, don't reinvent). Install them and put them on your PATH:

Tool Used by Install
REUSE licence/copyright coverage shipped as a dev dependency; uv sync provides it
gitleaks secret detection download the release binary
syft SBOM generation curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ~/.local/bin
podman (optional) build harness / silver preview rootless; absence degrades the silver preview gracefully

If a required scanner is missing, estafette assess exits with a clear error naming it — a missing scanner never reads as a pass. podman is optional: when it is absent or unusable, the informational silver preview reports not assessable and the bronze verdict is unaffected.

Security note: the harness run stage executes assessed code with no network, no host environment, resource caps, and a read-only root filesystem (invariant I4). The build stage currently permits network egress for dependency fetch — see docs/tiers.md.

Development

This project uses the OpenSpec workflow (propose → apply → archive). Proposed and in-progress work lives under openspec/changes/.

uv sync            # install dependencies (incl. reuse)
uv run pytest      # run tests (scanner-dependent tests skip if a tool is absent)
uv run ruff check  # lint

Licence

EUPL-1.2. Copyright the estafette contributors.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

estafette-0.1.0.tar.gz (97.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

estafette-0.1.0-py3-none-any.whl (30.9 kB view details)

Uploaded Python 3

File details

Details for the file estafette-0.1.0.tar.gz.

File metadata

  • Download URL: estafette-0.1.0.tar.gz
  • Upload date:
  • Size: 97.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.15 {"installer":{"name":"uv","version":"0.11.15","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for estafette-0.1.0.tar.gz
Algorithm Hash digest
SHA256 ae22ff3e9f0955b3f3ed1633ba5ec11fe374bcd0ca8c88c2527471957e91b52e
MD5 6099e4340c6274b4d2694db6eba9742a
BLAKE2b-256 522afa2a4cfaa78630adf2bd4010b3791a93e8bc7601911e38981b9de361eebb

See more details on using hashes here.

File details

Details for the file estafette-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: estafette-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 30.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.15 {"installer":{"name":"uv","version":"0.11.15","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for estafette-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0c55128c4b664e6898148d5b96b223104d018c8cff300b84d8d5eb0fbc3b8a92
MD5 f8bdce6e5d24653342e737c66bc38a4b
BLAKE2b-256 136d65371082b8c843108d1da53cd8aecb023d2cb4a3d69566154cb55806d0f2

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page