Skip to main content

Kanon (Kanon Package Manager) CLI tool

Project description

Kanon (Kanon Package Manager)

A standalone Python CLI for managing versioned DevOps automation packages via declarative manifests.

License: Apache 2.0


Table of Contents


Quick Start: Find and Add Dependencies

The following five-step workflow shows how to discover, inspect, add, and install a dependency from a remote manifest catalog -- using the placeholder URL https://example.com/org/manifest-repo.git@main throughout.

Step 1: Discover available packages.

kanon list --catalog-source 'https://example.com/org/manifest-repo.git@main'

Lists every package declared in the remote catalog so you can see what is available.

Step 2: Inspect a package.

kanon list my-package \
  --catalog-source 'https://example.com/org/manifest-repo.git@main' \
  --detail

Shows the full metadata for my-package -- version history, description, and source URL.

Step 3: Add the package at a pinned version.

kanon add 'my-package@==1.2.3' \
  --catalog-source 'https://example.com/org/manifest-repo.git@main'

Writes my-package@==1.2.3 into your .kanon manifest file. The == prefix pins to an exact version; PEP 440 range constraints (e.g., ~=1.2.0, >=1.0.0,<2.0.0) are also accepted.

Step 4: Install (first run writes .kanon.lock).

kanon install

Resolves all declared packages against the catalog, clones them into .kanon-data/sources/, aggregates symlinks under .packages/, and writes .kanon.lock with exact resolved versions so every subsequent install is reproducible.

Step 5: Commit both .kanon and .kanon.lock.

git add .kanon .kanon.lock
git commit -m "feat: add my-package 1.2.3"

Committing both files ensures the entire team installs the same resolved package versions. Never commit .packages/ or .kanon-data/ -- these are ephemeral and are gitignored automatically by kanon install.


Tab Completion

Kanon ships built-in shell completion for bash and zsh via the kanon completion <shell> subcommand. Run eval "$(kanon completion bash)" (or zsh) once in your shell session, or add it to your shell RC file, to enable tab-completion of subcommand names, flags, and catalog entries. For persistent installation and advanced options including fish support and system-wide setup, see docs/shell-completion.md.


Subcommands

Subcommand Summary Doc
kanon list List packages available in a catalog or show detail for one docs/list-and-add.md
kanon add Add a package (with optional version constraint) to .kanon docs/list-and-add.md
kanon remove Remove a package from .kanon docs/list-and-add.md
kanon outdated Show packages in .kanon that have newer versions available docs/outdated-and-why.md
kanon why Explain why a specific package version was resolved docs/outdated-and-why.md
kanon install Resolve, clone, and symlink all packages; writes .kanon.lock docs/lockfile.md
kanon doctor Diagnose the local Kanon installation and report problems docs/doctor.md
kanon catalog audit Audit a catalog for missing or malformed entries docs/catalog-author-guide.md
kanon validate xml Validate XML manifests under repo-specs/ docs/repo/manifest-format.md
kanon validate marketplace Validate marketplace XML manifests under repo-specs/ docs/repo/manifest-format.md
kanon validate metadata Validate catalog entry metadata docs/catalog-author-guide.md
kanon clean Remove all synced packages and Kanon state directories docs/lifecycle.md
kanon repo Low-level manifest-driven repo sync subsystem docs/repo/README.md
kanon completion Emit a shell completion script for bash or zsh docs/shell-completion.md
kanon bootstrap deprecated; see kanon add / kanon list -- scaffold a project from a catalog entry docs/migration-bootstrap-to-add.md
kanon bootstrap list deprecated; see kanon list -- list available catalog entries docs/migration-bootstrap-to-add.md

Git Authentication

Kanon uses the git binary for all remote operations and never prompts for credentials or caches them itself -- authentication is delegated entirely to the operator's git client (SSH keys, credential helpers, GIT_TOKEN, etc.). For setup instructions covering SSH key forwarding, HTTPS token helpers, and URL rewriting for private Git hosts, see docs/git-auth-setup.md.


Migration from kanon bootstrap

The kanon bootstrap subcommand is deprecated. Its catalog-discovery and project-scaffolding responsibilities have been replaced by kanon list (discover and inspect packages) and kanon add (add a pinned dependency to .kanon). If your workflow currently uses kanon bootstrap <entry>, the docs/migration-bootstrap-to-add.md guide walks through the equivalent kanon list + kanon add + kanon install steps and explains the lockfile model that replaces hand-editing .kanon.


What is Kanon?

Kanon is a DevOps Platform Dependency Manager that brings version-controlled, reproducible automation to your projects through declarative manifests. Kanon enables you to centralize, version, and share automation across your organization without replacing your existing tools.

Solves a common problem: Organizations have quality automation and operational knowledge scattered across teams -- build conventions, linting rules, security scanning, test frameworks, local dev tooling, and shared markdown documentation that work well but are not widely adopted because they are hard to discover, version, test, and distribute. Kanon enables you to package this automation and share it across projects in a tested, reproducible way.

Fully customizable

  • Public or Private -- Use public repositories or host everything privately within your organization
  • Your Infrastructure -- Point to your own Git repositories and package sources
  • Your Standards -- Define your own manifests, packages, and automation
  • Portable -- Teams retain access to automation even after external partnerships end

Core Purpose

  • Platform Dependency Management -- Centralize and version your DevOps automation, shared knowledge, dependencies, and standards
  • Flexible Overlay -- Works alongside your preferred build tools and dependency managers, or standalone with no task runner at all
  • Team Standards -- Share tested, versioned automation, tasks, and approaches across teams dynamically
  • Tool Agnostic -- Adapts to your workflow, not the other way around

Use Cases

Unify Disparate Automation

Your organization has quality automation scattered across teams -- testing frameworks, linting configs, deployment scripts, security scans -- but they are not widely adopted because they are hard to find, version, and integrate. Kanon lets you package this automation, version it, and make it available to all teams through simple manifests.

Platform Engineering

Provide golden paths and paved roads to development teams. Package your organization's standards, policies, automation, and shared operational knowledge as versioned dependencies that teams can pull into their projects.

This can include CI/CD workflows, security policies, deployment automation, coding standards, architecture guidance, operational runbooks, and shared markdown knowledge bases used by both developers and AI coding agents.

Multi-Project Consistency

Ensure the same testing, linting, security scanning, and deployment automation across projects without copy-pasting or manual synchronization.


Quick Start

Prerequisites

  • Python 3.11+
  • pipx on PATH (python3 -m pip install --user pipx && pipx ensurepath)
  • Git
  • If authenticating with Git via SSH, see SSH Authentication Setup

Install the Kanon CLI

kanon-cli is published to PyPI. The recommended install method depends on the use case:

Production / general use -- isolated CLI install via pipx:

pipx install kanon-cli

Local development on this repository -- editable install into the project's virtualenv:

pip install -e .

(Editable mode lets local source edits take effect immediately without reinstalling. CI uses pip install kanon-cli for ephemeral runners; see docs/pipeline-integration.md.)

Standalone Usage (No Task Runner Required)

Kanon works directly from the command line. No task runner is needed.

1. Bootstrap a project:

kanon bootstrap kanon        # Copy .kanon and readme (template)
kanon bootstrap list         # See all available catalog entry packages

2. Edit .kanon -- Set GITBASE, KANON_MARKETPLACE_INSTALL, and source variables for your organization.

3. Install (sync all packages):

kanon install

This syncs all packages to .packages/, creates source workspaces in .kanon-data/sources/, and adds .packages/ and .kanon-data/ to .gitignore.

4. Clean (full teardown):

Tip: Use a remote catalog for pre-configured entries that require no placeholder editing. See Usage with Remote Catalogs below.

kanon clean

This removes all synced packages, Kanon state directories, and optionally uninstalls marketplace plugins.

Important: All synced files in .packages/ and .kanon-data/ are ephemeral and should not be committed. Only commit the catalog entry files and .kanon to your repository.

Usage with Remote Catalogs (Optional)

Remote catalogs provide pre-configured .kanon files that require no placeholder editing. Set KANON_CATALOG_SOURCE or pass --catalog-source to bootstrap from a remote repository:

# Set once in your shell rc file -- pin to current major version
export KANON_CATALOG_SOURCE='https://github.com/your-org/your-catalog-repo.git@>=2.0.0,<3.0.0'

# Bootstrap a pre-configured entry
kanon bootstrap <entry-name>

# Or pass the catalog source inline
kanon bootstrap <entry-name> \
  --catalog-source 'https://github.com/your-org/catalog.git@~=2.0.0'

The @<ref> portion accepts a branch name, a tag, the special value latest (which resolves to the highest semver tag), or a PEP 440 version constraint (e.g., ~=2.0.0, >=2.0.0,<3.0.0). Version constraints are resolved against the repository's git tags via git ls-remote. The remote repo must have a catalog/ directory at its root, with each subdirectory being a catalog entry.

Manifest repositories should use semantic versioning for git tags. Pinning to a major version range (e.g., >=2.0.0,<3.0.0) allows automatic pickup of minor and patch releases while preventing unexpected breaking changes.

Use --output-dir DIR to bootstrap into a different directory.

Integrating with Task Runners (Optional)

Kanon works standalone via kanon install and kanon clean. You can wrap these commands in any build tool or task runner by creating targets that delegate to the CLI.

Tab Completion

Kanon ships with built-in shell completion for bash and zsh via the kanon completion <shell> subcommand. The generated script enables tab-completion of subcommand names and flags in your shell session.

Quick setup:

# bash -- add to ~/.bashrc or source once in your current session
eval "$(kanon completion bash)"

# zsh -- add to ~/.zshrc
eval "$(kanon completion zsh)"

For persistent installation and advanced options (fish, system-wide install, oh-my-zsh), see docs/shell-completion.md.


CLI Reference

kanon --help                              # Top-level help
kanon --version                           # Show version

kanon bootstrap

Scaffolds a new Kanon project from a catalog entry package, including a pre-configured .kanon.

kanon bootstrap list                 # List available catalog entry packages
kanon bootstrap kanon                # Scaffold standalone (.kanon only)
kanon bootstrap kanon --output-dir proj   # Scaffold into proj/
kanon bootstrap <entry> \
  --catalog-source 'https://github.com/org/repo.git@>=2.0.0,<3.0.0'

Options:

--output-dir DIR Target directory (default: current directory). The parent of DIR must already exist; bootstrap fails fast if it does not.

--catalog-source SOURCE Remote catalog as <git_url>@<ref> (branch, tag, latest, or PEP 440 constraint). Overrides KANON_CATALOG_SOURCE env var. Default: bundled catalog.

kanon install

Executes the full install lifecycle.

kanon install                     # Auto-discover .kanon by walking up from cwd
kanon install .kanon              # Explicit path to .kanon file

Steps performed:

  1. For each source (alphabetical order): kanon repo init, kanon repo envsubst, kanon repo sync
  2. Aggregates symlinks from .kanon-data/sources/<name>/.packages/ into .packages/
  3. Detects package name collisions across sources (fail-fast)
  4. Updates .gitignore
  5. If KANON_MARKETPLACE_INSTALL=true: runs the marketplace install lifecycle

kanon clean

Executes the full teardown lifecycle.

kanon clean                       # Auto-discover .kanon by walking up from cwd
kanon clean .kanon                # Explicit path to .kanon file

Steps performed:

  1. Resolves .kanon symlinks so teardown targets the real project directory even when .kanon is a symlink
  2. If KANON_MARKETPLACE_INSTALL=true: uninstalls plugins, removes marketplace directory
  3. Removes .packages/ directory
  4. Removes .kanon-data/ directory

The order is critical: plugins are uninstalled before files are removed to ensure the registry is cleaned while paths are still resolvable.

kanon validate xml

Validates all XML manifest files under repo-specs/.

kanon validate xml                        # Validate in current repo
kanon validate xml --repo-root /path      # Validate with explicit repo root

Checks performed:

  • Well-formed XML
  • Required attributes on <project> (name, path, remote, revision)
  • Required attributes on <remote> (name, fetch)
  • <include> references point to existing files

kanon validate marketplace

Validates marketplace XML manifests under repo-specs/.

kanon validate marketplace                # Validate in current repo
kanon validate marketplace --repo-root /path

Checks performed:

  • <linkfile dest> uses ${CLAUDE_MARKETPLACES_DIR}/ prefix
  • Include chains are unbroken
  • Project paths are unique across manifests
  • Revision attributes follow valid formats (refs/tags, constraints, branches)

.kanon Variable Reference

The .kanon file is a shell-compatible KEY=VALUE configuration file that drives the Kanon lifecycle. Lines starting with # are comments. Values can reference environment variables using ${VAR} syntax (e.g., ${HOME}/.claude-marketplaces). Every .kanon variable can be overridden by an environment variable of the same name, enabling CI/CD pipelines to customize behavior without modifying the file.

Core Variables

GITBASE (Required) Base Git URL for kanon repo envsubst (e.g., https://github.com/your-org/).

CLAUDE_MARKETPLACES_DIR (Conditional) Directory for marketplace symlinks. Required when KANON_MARKETPLACE_INSTALL=true.

KANON_MARKETPLACE_INSTALL (Optional, default: false) Boolean toggle for marketplace lifecycle.

Source Variables

Sources are auto-discovered from KANON_SOURCE_<name>_URL variable patterns and processed in alphabetical order by name. Each source requires three variables:

KANON_SOURCE_<name>_URL (Required) Git URL for the named source's manifest repository.

KANON_SOURCE_<name>_REVISION (Required) Branch, exact tag, or PEP 440 constraint (e.g. refs/tags/~=1.1.0) for the named source.

KANON_SOURCE_<name>_PATH (Required) Path to the entry-point manifest XML for the named source.

Environment Variables

KANON_CATALOG_SOURCE Remote catalog source for kanon bootstrap as <git_url>@<ref> where ref is a branch, tag, latest, or PEP 440 constraint (e.g., >=2.0.0,<3.0.0). Overridden by --catalog-source flag.

Example .kanon

# Shared env vars for envsubst
GITBASE=https://github.com/your-org/
CLAUDE_MARKETPLACES_DIR=${HOME}/.claude-marketplaces

# Marketplace install toggle
KANON_MARKETPLACE_INSTALL=true

# Source: build -- build tooling packages
KANON_SOURCE_build_URL=https://github.com/your-org/kanon-manifests.git
KANON_SOURCE_build_REVISION=main
KANON_SOURCE_build_PATH=repo-specs/build/meta.xml

# Source: marketplaces -- plugin marketplaces
KANON_SOURCE_marketplaces_URL=https://github.com/your-org/kanon-manifests.git
KANON_SOURCE_marketplaces_REVISION=main
KANON_SOURCE_marketplaces_PATH=repo-specs/marketplaces/meta.xml

Architecture

                    ┌─────────────────────────┐
                    │     Kanon CLI           │
                    │  (install / clean /     │
                    │   bootstrap / validate) │
                    └───────────┬─────────────┘
                                │
               defines          │            uses
                                v
              ┌────────────────────────────────────────┐
              │       Manifest Repository              │
              │  - Top-level dependency manifests      │
              │  - Declares relationships between      │
              │    domain and automation repos         │
              └──────────────────┬─────────────────────┘
                                 │
        references               │                references
                                 │
             v                                       v
┌───────────────────────┐                ┌────────────────────────┐
│  Package Repositories │                │ Automation Repositories│
│ (build conventions,   │                │ (shared tasks,         │
│  linting, security)   │                │  validation, scanning) │
└────────────┬──────────┘                └───────────┬────────────┘
             │                                       │
             └───────────────────┬───────────────────┘
                                 │
                                 v
                   ┌────────────────────────────┐
                   │   kanon repo subsystem     │
                   │ (manifest-driven sync with │
                   │  envsubst + PEP 440)       │
                   │ Executes manifests, syncs  │
                   │ repos, manages workspace   │
                   └────────────────────────────┘

How It Works

Kanon's kanon repo subsystem orchestrates dependencies across Git repositories via XML manifests. Manifests define what to clone, where to place it, and how to wire it together.

The install lifecycle follows three steps per source:

  1. kanon repo init -- Clones the manifest repository. ${VARIABLE} placeholders remain as-is in the XML.
  2. kanon repo envsubst -- Reads variables from .kanon (e.g., GITBASE) and replaces ${VARIABLE} placeholders in all manifest XML files.
  3. kanon repo sync -- Clones packages using the now-resolved URLs into .packages/.

After all sources are synced, Kanon aggregates their packages into a single .packages/ directory using symlinks, giving consumers a unified view regardless of which source provided each package.

Directory Structure After Install

project/
  .kanon                            # Configuration (committed)
  ...                               # Other catalog entry files (committed)
  .kanon-data/                      # Kanon state (gitignored)
    sources/
      build/                        # Isolated source workspace
        .repo/
        .packages/
          my-build-conventions/
      marketplaces/                 # Isolated source workspace
        .repo/
        .packages/
          my-marketplace-plugin/
  .packages/                        # Aggregated symlinks (gitignored)
    my-build-conventions -> \
      ../.kanon-data/sources/build/.packages/my-build-conventions
    my-marketplace-plugin -> \
      ../.kanon-data/sources/marketplaces/.packages/my-marketplace-plugin

Multi-Source Isolation

Each source is initialized and synced in its own isolated directory under .kanon-data/sources/<name>/. Sources cannot interfere with each other -- each gets its own kanon repo init / kanon repo sync cycle. If two sources produce a package with the same name, Kanon detects the collision and fails immediately with an actionable error message.

Environment Variable Portability (envsubst)

The envsubst feature makes manifests portable across organizations. Instead of hard-coding Git URLs in manifest XML, you use ${GITBASE} placeholders:

<!-- Portable -- resolved from .kanon at install time -->
<remote name="origin" fetch="${GITBASE}"/>

Adopting Kanon for a different organization means changing one line in .kanon:

GITBASE=https://github.com/your-company/

CI/CD pipelines can override this via environment variables without modifying .kanon:

GITBASE=https://git.internal.company.com/ kanon install

For full documentation, see docs/how-it-works.md.


Creating a Manifest Repository

A manifest repository contains repo-specs/ with XML manifests that define what packages to sync, from which repositories, and at which versions. See docs/repo/manifest-format.md for the full XML schema.

Structure

my-manifest-repo/
  repo-specs/
    git-connection/
      remote.xml             # Git remotes with ${GITBASE} placeholders
    my-archetype/
      meta.xml               # Entry-point: includes remote.xml + packages.xml
      packages.xml           # Package repos with pinned versions

remote.xml -- Git Remote Definition

Defines where packages are hosted using ${GITBASE} for portability:

<manifest>
  <remote name="origin" fetch="${GITBASE}" />
  <default remote="origin" revision="refs/tags/1.0.0" />
</manifest>

packages.xml -- Package Declarations

Lists each package repository, its local path, and the pinned version:

<manifest>
  <include name="repo-specs/git-connection/remote.xml" />

  <project name="my-build-conventions"
           path=".packages/my-build-conventions"
           remote="origin"
           revision="refs/tags/1.0.0" />

  <project name="my-lint-config"
           path=".packages/my-lint-config"
           remote="origin"
           revision="refs/tags/2.1.0" />
</manifest>

meta.xml -- Entry Point

Combines all includes into a single entry point referenced by .kanon:

<manifest>
  <include name="repo-specs/my-archetype/packages.xml" />
</manifest>

Include Chains for Hierarchy

Manifests can include other manifests via <include> tags, forming a hierarchy. This enables cascading configurations where common packages are defined once and specialized packages are layered on top:

meta.xml
  └── packages.xml (leaf -- e.g., specific project type)
        └── packages.xml (framework level)
              └── packages.xml (language level)
                    └── packages.xml (common/base)

Each level includes its parent and adds its own package entries. The repo tool recursively resolves all includes, accumulating a unified set of packages.

Updating Package Versions

  1. Tag the package repository with the new semver version
  2. Update the revision attribute in the corresponding packages.xml
  3. Run kanon validate xml to verify manifests remain valid
  4. Tag and push the manifest repository

Projects pick up the new versions on next kanon install.

For more details, see CONTRIBUTING.md.


Creating Packages

A package is a Git repository containing automation scripts (configuration files, shell scripts, etc.) tagged with semver versions. Kanon syncs packages to .packages/ where build tools can discover and apply them.

Package Structure

my-package/
  automation-script.sh        # Shell scripts, config files, etc.
  config/                     # Optional: configuration files
  README.md                   # Package documentation
  CHANGELOG.md                # Version history

Versioning

Use semantic versioning with Git tags:

  • MAJOR -- Breaking changes (renamed tasks, removed config, changed behavior)
  • MINOR -- New features (new tasks, new config options)
  • PATCH -- Bug fixes (corrected config, fixed task behavior)
git tag -a 1.0.0 -m "Release 1.0.0"
git push origin 1.0.0

Registering a Package

Add the package to a manifest's packages.xml:

<project name="my-package"
         path=".packages/my-package"
         remote="origin"
         revision="refs/tags/1.0.0" />

Symlinks via linkfile

Some packages contain assets (configuration files, templates) that tools expect at conventional paths. The <linkfile> element creates symlinks from the package directory to the project root:

<project name="my-lint-config"
         path=".packages/my-lint-config"
         remote="origin"
         revision="refs/tags/1.0.0">
  <linkfile src="config/checkstyle/checkstyle.xml"
            dest="config/checkstyle/checkstyle.xml" />
</project>

After kanon repo sync, the project has config/checkstyle/checkstyle.xml as a symlink pointing into .packages/. These symlinked paths should be gitignored since they are regenerated by kanon install.


Creating Marketplace Packages

Marketplace packages use <linkfile> symlinks to expose plugins to Claude Code. They follow a cascading manifest hierarchy where each level includes its parent, enabling shared tools across project types while adding specialized plugins at each level.

Marketplace Manifest Structure

<manifest>
  <!-- Include shared remote definitions -->
  <include name="repo-specs/git-connection/remote.xml" />

  <!-- Add this level's marketplace project -->
  <project name="my-marketplace-packages"
           path=".packages/my-marketplace-dev-lint"
           remote="origin"
           revision="refs/tags/development/dev-lint/1.0.0">
    <linkfile src="development/dev-lint"
              dest="${CLAUDE_MARKETPLACES_DIR}/my-marketplace-dev-lint" />
  </project>
</manifest>

Key Requirements

  • All <linkfile dest> attributes must start with ${CLAUDE_MARKETPLACES_DIR}/
  • Each <project path> must be unique across all manifests
  • The KANON_MARKETPLACE_INSTALL flag in .kanon must be set to true
  • CLAUDE_MARKETPLACES_DIR must be defined in .kanon

Naming Convention

Marketplace manifest files must be named *-marketplace.xml (e.g., claude-history-marketplace.xml, immutable-audit-trail-marketplace.xml). The kanon validate marketplace command discovers files matching this pattern under repo-specs/.

Cascading Includes

Manifests support cascading <include> chains where each level includes its parent. This enables shared remote definitions, common project entries, and layered composition across project types. Currently marketplace manifests use a flat structure (each manifest includes remote.xml directly), but cascading hierarchies are fully supported when needed.

Validation

kanon validate marketplace

This checks linkfile destination prefixes, include chain integrity, project path uniqueness, and revision format validity.

For full documentation, see docs/claude-marketplaces-guide.md.


Manifest Features (PEP 440 Constraints)

Kanon adds the following capabilities to manifest-driven sync:

PEP 440 Version Constraints in Manifests

<project revision> accepts PEP 440 version constraint syntax in addition to a branch, tag, or commit SHA. Constraints resolve to the best matching tag at sync time.

How It Works

The resolver splits the revision attribute at the last / into a tag-path prefix and a constraint. It filters available tags by that prefix, evaluates the constraint, and returns the highest matching version.

revision="refs/tags/example/development/dev-lint/~=1.2.0"
         |------------- prefix ----------------| |- constraint -|

1. Filter tags starting with  refs/tags/example/development/dev-lint/
2. Parse version suffixes:    1.0.0, 1.2.0, 1.2.3, 1.3.0, 2.0.0
3. Evaluate ~=1.2.0:          1.2.0   1.2.3   (others excluded)
4. Return highest match:      refs/tags/example/development/dev-lint/1.2.3

Supported Constraint Types

Operator Syntax Meaning
Patch-compatible ~=1.2.0 >=1.2.0, <1.3.0 (any patch in 1.2.x)
Range >=1.0.0,<2.0.0 Any version up to (not including) 2.0.0
Wildcard * Any available version (selects the latest)
Exact ==1.2.3 Only version 1.2.3
Minimum >=1.0.0 1.0.0 or higher
Exclusion !=1.0.1 Any version except 1.0.1

XML Escaping

Certain characters are reserved in XML and must be escaped inside attribute values. The most common case is < in range constraints:

Character Escape When required
< &lt; Always (reserved XML character)
& &amp; Always (reserved XML character)
" &quot; Inside " delimited attributes
' &apos; Inside ' delimited attributes
> &gt; Optional (> also valid in attributes)

Example with range constraint:

<project name="my-package"
         path=".packages/my-package"
         remote="origin"
         revision="refs/tags/my-package/>=1.0.0,&lt;2.0.0" />

PEP 440 Version Resolution in .kanon

The CLI supports PEP 440 constraint syntax in KANON_SOURCE_<name>_REVISION entries in .kanon. Constraints are resolved against available git tags before being passed to the sync engine.

Supported Operators

Operator Syntax Meaning
Compatible release ~=1.2.0 >=1.2.0, <1.3.0
Range >=1.0.0,<2.0.0 Any version in range
Exact ==1.2.3 Only 1.2.3
Minimum >=1.0.0 1.0.0 or higher
Exclusion !=1.0.1 Any version except 1.0.1
Wildcard * Latest available

Plain strings without PEP 440 operators pass through unchanged.

Prefixed Constraints (KANON_SOURCE_<name>_REVISION)

Source revisions support an optional refs/tags/ prefix. This is recommended because the resolved value is passed to kanon repo init -b, which accepts full ref paths:

# Resolves to refs/tags/1.1.2 -- works directly with kanon repo init -b
KANON_SOURCE_build_REVISION=refs/tags/~=1.1.0

# Namespaced -- only considers tags under that path
KANON_SOURCE_build_REVISION=refs/tags/dev/python/my-lib/~=1.2.0

# Also supported -- resolves against all tags
KANON_SOURCE_build_REVISION=~=1.1.0

For full details, see docs/version-resolution.md.

Absolute Linkfile Destinations

<linkfile dest> accepts absolute paths after envsubst expansion, enabling marketplace symlinks to directories outside the project (e.g., ${CLAUDE_MARKETPLACES_DIR}/...).


SSH Authentication Setup

Kanon uses HTTPS Git URLs internally. If you authenticate with GitHub via SSH instead of HTTPS tokens, configure Git to rewrite HTTPS URLs to SSH globally:

git config --global url."git@github.com:".insteadOf "https://github.com/"

This tells Git to use SSH for all github.com requests, which Kanon's git clone, git ls-remote, and kanon repo commands will then use automatically.

Note: The --global flag is required. Using --local will not work because kanon repo operates in its own working directories with their own local Git configuration.

For other Git hosts, adjust the URL accordingly:

git config --global url."git@gitlab.com:".insteadOf "https://gitlab.com/"
git config --global \
  url."git@bitbucket.org:".insteadOf "https://bitbucket.org/"

To verify the configuration:

git config --global --get-regexp url

Developer Setup

Prerequisites

  • Python 3.11+
  • uv

Install from Source

make install-dev

Set Up Git Hooks

make install-hooks

Run Tests

make test              # All tests with coverage
make test-unit         # Unit tests only
make test-integration  # Integration tests (modules end-to-end)
make test-functional   # Functional tests (CLI via subprocess)
make test-scenarios    # End-to-end scenario tests
make test-cov          # Tests with coverage report

Build

make publish       # Clean, build, and check distribution

Project Structure

src/kanon_cli/
  cli.py              # Entry point
  commands/           # Subcommand implementations
  core/               # Core logic (install, clean, kanon parsing)
  catalog/            # Bundled catalog (fallback templates)
  repo/               # kanon repo subsystem (manifest sync, PEP 440)
tests/                # Unit and functional tests
docs/                 # Configuration, lifecycle, version resolution docs
pyproject.toml        # Package config (hatchling, entry point: kanon)

Contributing

See CONTRIBUTING.md for commit conventions, PR process, and how the automated release pipeline works.

CI/CD Pipeline

This project uses a fully automated SDLC pipeline:

  1. PR Validation -- Lint, build, test (90% coverage), security scan on every PR
  2. Main Branch Validation -- Full validation + CodeQL on merge to main
  3. Manual QA Approval -- Human gate before release
  4. Automated Release -- Semantic versioning from conventional commit prefixes, changelog generation, tagging
  5. PyPI Publishing -- Automated publish via OIDC trusted publishing

PR titles must follow Conventional Commits format (e.g., feat: add feature, fix: resolve bug) as they drive automatic version bumps.


Documentation


License

Apache 2.0. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kanon_cli-2.0.0.tar.gz (2.8 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kanon_cli-2.0.0-py3-none-any.whl (519.1 kB view details)

Uploaded Python 3

File details

Details for the file kanon_cli-2.0.0.tar.gz.

File metadata

  • Download URL: kanon_cli-2.0.0.tar.gz
  • Upload date:
  • Size: 2.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kanon_cli-2.0.0.tar.gz
Algorithm Hash digest
SHA256 0c6241da05333409e451ec726e134f93835b4e1774388b4c8c3333f756776229
MD5 38257328c31a5bffd7689d4be093a86e
BLAKE2b-256 b668c9cfcb934bd8ea5a916c3f694fa1c468bca0c60fafb83292c4e030893e09

See more details on using hashes here.

File details

Details for the file kanon_cli-2.0.0-py3-none-any.whl.

File metadata

  • Download URL: kanon_cli-2.0.0-py3-none-any.whl
  • Upload date:
  • Size: 519.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kanon_cli-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 eb7c88b696dddac942460d522b2af1bef67de1d110a910a9778759c708f68895
MD5 7f392587792a28fb78b6d60b47225019
BLAKE2b-256 8dca93e73a7a5542e0889982ede18912853d37691047ee3ce3d52c26fd8fb434

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page