Mechanically assess whether a proof of concept is transferable, and report it.
Project description
estafette
Can someone who was not involved get this running? Estafette answers that question mechanically.
Estafette makes public-sector proofs of concept transferable — and measurably so. It is a command-line tool that assesses a repository against a transfer manifest and produces a transferability report with a tier verdict. It orchestrates existing, trusted scanners rather than reinventing them.
- Status: v1 complete —
estafette assessproduces a bronze verdict and a transferability report. Seeopenspec/project.mdfor the plan. - Example report (SIDN Pioniers annex): estafette assessed on itself —
reports/50a9e694a1a4/report.md(bronze, byte-reproducible for that commit). - Licence: EUPL-1.2 — public from day one.
- Python: 3.12+
- Package/runner:
uv
The name estafette is Dutch for a relay race. A proof of concept is the baton: the point is whether it can be handed off cleanly to someone who wasn't there when it was built.
What it does
Given a repository and a transfer manifest, estafette runs a fixed set of mechanical checks and reports, per check:
- the status (pass / fail),
- an actionable gap for every failure (e.g. "dependency
Xis imported in code but not declared"), never a bare red cross, and - the evidence it used, so the verdict is auditable.
It then assigns a tier. In v1 the only implemented tier is bronze — the floor that makes reuse conversations possible.
Bronze tier
- REUSE-compliant (every file has licence + copyright info)
- Declared licence is consistent everywhere it appears
- No secrets detected
- SBOM generates cleanly and matches declared dependencies
- Transfer manifest present and valid
- Contact/owner field non-empty
Silver (builds reproducibly in an isolated harness) and gold
(third-party deployable, data requirements satisfiable) are specified as
roadmap in docs/tiers.md and not yet enforced. The build
harness itself is built in v1, and its result is reported informationally
("would this pass silver: yes/no + gaps").
Design principles
Estafette orchestrates, it does not reinvent:
| Concern | Tool |
|---|---|
| Licence clarity | REUSE |
| Software bill of materials | syft |
| Secret detection | gitleaks |
| Vulnerabilities | trivy (v2) |
Estafette's own code is the manifest schema, the build harness, the tier
semantics, and the report — nothing else. Full invariants are in
openspec/project.md; highlights:
- Mechanical or it doesn't count — a tier is only ever the output of the engine on a specific commit.
- Diagnose, don't just fail — the gap report is the product.
- Untrusted code never runs ambient — the build harness runs in rootless
podmanwith no network in the run stage and strict resource caps. - Deterministic and reproducible — same commit + same estafette version → byte-identical report body.
- No LLM anywhere in the verdict path.
Usage (target)
uvx estafette assess <path-or-git-url> [--manifest path/to/manifest.yaml]
This produces report.json and a human-readable report.md under reports/.
The CLI is under construction. Track progress via the OpenSpec changes in
openspec/changes/.
The transfer manifest
The transfer manifest is designed as an extension profile of
publiccode.yml, not a competitor: field
names align where overlap exists. See
docs/manifest-spec.md.
Prerequisites
The static checks orchestrate three external scanners (invariant: orchestrate,
don't reinvent). Install them and put them on your PATH:
| Tool | Used by | Install |
|---|---|---|
| REUSE | licence/copyright coverage | shipped as a dev dependency; uv sync provides it |
gitleaks |
secret detection | download the release binary |
syft |
SBOM generation | curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ~/.local/bin |
podman (optional) |
build harness / silver preview | rootless; absence degrades the silver preview gracefully |
If a required scanner is missing, estafette assess exits with a clear
error naming it — a missing scanner never reads as a pass. podman is
optional: when it is absent or unusable, the informational silver preview
reports not assessable and the bronze verdict is unaffected.
Security note: the harness run stage executes assessed code with no network, no host environment, resource caps, and a read-only root filesystem (invariant I4). The build stage currently permits network egress for dependency fetch — see
docs/tiers.md.
Development
This project uses the OpenSpec
workflow (propose → apply → archive). Proposed and in-progress work lives under
openspec/changes/.
uv sync # install dependencies (incl. reuse)
uv run pytest # run tests (scanner-dependent tests skip if a tool is absent)
uv run ruff check # lint
Licence
EUPL-1.2. Copyright the estafette contributors.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file estafette-0.1.0.tar.gz.
File metadata
- Download URL: estafette-0.1.0.tar.gz
- Upload date:
- Size: 97.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.15 {"installer":{"name":"uv","version":"0.11.15","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ae22ff3e9f0955b3f3ed1633ba5ec11fe374bcd0ca8c88c2527471957e91b52e
|
|
| MD5 |
6099e4340c6274b4d2694db6eba9742a
|
|
| BLAKE2b-256 |
522afa2a4cfaa78630adf2bd4010b3791a93e8bc7601911e38981b9de361eebb
|
File details
Details for the file estafette-0.1.0-py3-none-any.whl.
File metadata
- Download URL: estafette-0.1.0-py3-none-any.whl
- Upload date:
- Size: 30.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.15 {"installer":{"name":"uv","version":"0.11.15","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0c55128c4b664e6898148d5b96b223104d018c8cff300b84d8d5eb0fbc3b8a92
|
|
| MD5 |
f8bdce6e5d24653342e737c66bc38a4b
|
|
| BLAKE2b-256 |
136d65371082b8c843108d1da53cd8aecb023d2cb4a3d69566154cb55806d0f2
|