Local CLI for fullstack code validation — import directions, migrations, secrets, and more
validate-tools
Local CLI for fullstack code validation. Runs the same checks as the MCP server without the token overhead — pipe files in, get JSON out.
Installation
pip install validate-tools
# or
uv tool install validate-tools
Usage
validate-tools [--human] [--pretty] COMMAND [OPTIONS]
When stdout is not a TTY (piped to a script or agent), JSON is emitted automatically. No --json flag needed.
Global flags:
| Flag | Description |
|---|---|
| --human / -H | Force rich/table output even when piped |
| --pretty | Indent JSON output (default: compact) |
Exit codes: 0 = clean · 1 = warnings (with --strict) · 2 = violations
Commands
imports — Clean Architecture import directions
grep -rn "^from\|^import" src/ --include="*.py" | validate-tools imports
Rules: domain → no project imports; application → domain only; infrastructure → domain + application; presentation → all layers.
commits — Conventional Commits format
git log --format="%H %s" origin/main..HEAD | validate-tools commits
Checks type(scope)?: description format (required) and ≤72-char subject (recommended).
Allowed types: feat fix docs chore refactor test ci perf build style revert
migration — Alembic migration safety
validate-tools migration alembic/versions/*.py
Flags: drop_column, drop_table, rename_table, rename_column, add_column with nullable=False and no server_default (required); alter_column, execute (recommended).
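The rule above can be expressed as a walk over the migration's syntax tree. This is an added example, not code from validate-tools; the sample migration is constructed, and matching any `<receiver>.<operation>(...)` call is an assumption about how broad the check should be.

```python
import ast

# Constructed sample migration (not taken from any real project).
SAMPLE_MIGRATION = '''\
from alembic import op
import sqlalchemy as sa

def upgrade():
    op.add_column("users", sa.Column("tier", sa.String(), nullable=False))
    op.add_column("users", sa.Column("plan", sa.String(), nullable=False,
                                     server_default="free"))
    op.drop_column("users", "legacy_flag")
    op.execute("UPDATE users SET tier = 'basic'")
'''

REQUIRED = {"drop_column", "drop_table", "rename_table", "rename_column"}
RECOMMENDED = {"alter_column", "execute"}

def _keyword(call, name):
    """Return the value node of keyword argument `name`, or None if absent."""
    return next((kw.value for kw in call.keywords if kw.arg == name), None)

def _adds_not_null_without_default(call):
    """True if the call passes Column(..., nullable=False) with no server_default."""
    for arg in call.args:
        if not isinstance(arg, ast.Call):
            continue
        callee = getattr(arg.func, "attr", None) or getattr(arg.func, "id", None)
        nullable = _keyword(arg, "nullable")
        not_null = isinstance(nullable, ast.Constant) and nullable.value is False
        if callee == "Column" and not_null and _keyword(arg, "server_default") is None:
            return True
    return False

def scan_migration(source):
    """Return (severity, operation, line) findings, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Any `<receiver>.<operation>(...)` call counts, so batch_op.* is covered too.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        name = node.func.attr
        if name in REQUIRED or (name == "add_column" and _adds_not_null_without_default(node)):
            findings.append(("required", name, node.lineno))
        elif name in RECOMMENDED:
            findings.append(("recommended", name, node.lineno))
    return sorted(findings, key=lambda f: f[2])
```

The second add_column in the sample is not reported because its server_default lets existing rows satisfy the NOT NULL constraint.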
env — Settings ↔ .env.example completeness
validate-tools env --settings src/config/settings.py --example .env.example
Every UPPER_SNAKE_CASE field in class *Settings* must have a matching KEY= entry in .env.example.
tests — pytest test name quality
validate-tools tests test/unit/test_auth.py
Flags duplicate test_* names (required) and names with fewer than 3 tokens after test_ (recommended).
logs — Logging anti-patterns
validate-tools logs src/application/use_cases/auth_use_case.py
Flags print() calls (required) and f-strings inside logger.*() (recommended).
coverage — Per-layer coverage thresholds
pytest --cov=src --cov-report=xml
validate-tools coverage coverage.xml
Thresholds: domain ≥90% · application ≥85% · infrastructure ≥65% · presentation ≥55%
supply-chain — Dependency manifest risks
validate-tools supply-chain pyproject.toml # or package.json
Flags VCS/URL/local-path sources and wildcard versions (required); pre-release versions (recommended).
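A sketch of how these categories map onto package.json version specifiers, as an added example that is not the validate-tools implementation. The manifest is constructed, the patterns are one non-exhaustive interpretation of each category, and the kind labels are hypothetical.

```python
import json
import re

# Constructed package.json; package names and hosts are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "dependencies": {
        "left-padder": "^1.3.0",
        "internal-ui": "git+https://git.example.com/team/internal-ui.git",
        "patched-lib": "https://files.example.com/patched-lib-2.0.0.tgz",
        "shared-utils": "file:../shared-utils",
        "anything-goes": "*",
    },
    "devDependencies": {"next-gen": "3.0.0-rc.1"},
})

# (severity, kind, pattern), checked in order; the first match wins.
RULES = [
    ("required", "vcs", re.compile(r"^(git\+|git://|github:|gitlab:|bitbucket:)")),
    ("required", "url", re.compile(r"^https?://")),
    ("required", "local-path", re.compile(r"^(file:|link:|\.{1,2}/|/|~/)")),
    ("required", "wildcard", re.compile(r"^(\*|x)?$", re.IGNORECASE)),
    ("recommended", "pre-release", re.compile(r"\d+\.\d+\.\d+-[0-9A-Za-z.-]+")),
]
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def classify(spec):
    """Return (severity, kind) for a risky specifier, or None for a registry range."""
    spec = spec.strip()
    for severity, kind, pattern in RULES:
        if pattern.search(spec):
            return severity, kind
    return None


def scan_manifest(text):
    """Return (severity, kind, 'section.package') findings for a package.json document."""
    manifest = json.loads(text)
    findings = []
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            hit = classify(str(spec))
            if hit:
                findings.append((*hit, f"{section}.{name}"))
    return findings
```

Source checks run before the pre-release check, so a tarball URL whose filename contains a version string is reported once, as a URL source.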
sensitive-logging — Sensitive data in logs
validate-tools sensitive-logging src/application/use_cases/auth_use_case.py
Flags passwords, tokens, secrets, API keys, and card numbers passed to log.*() or print().
secrets — Hardcoded credentials
validate-tools secrets src/config/settings.py
Detects Stripe, Slack, GitHub, Google, and AWS key literals; JWT tokens; and sensitive variable assignments (password = "...", secret = "...").
Batch mode (run) — for AI agents
Run multiple validators in a single invocation. Accepts a JSON config on stdin and returns a JSON array — one report per check.
cat <<'EOF' | validate-tools run
{
  "imports": "<output of grep -rn ...>",
  "commits": "<output of git log --format='%H %s' ...>",
  "supply_chain": "<content of pyproject.toml>",
  "secrets": [{ "filename": "settings.py", "source": "<file content>" }],
  "logs": [{ "filename": "auth.py", "source": "<file content>" }]
}
EOF
Config keys (all optional):
| Key | Value |
|---|---|
| imports | grep output (string) |
| commits | git log output (string) |
| migration | migration file content (string) |
| coverage | coverage.xml content (string) |
| supply_chain | pyproject.toml or package.json content (string) |
| env | {"settings_source": "...", "env_example": "..."} |
| tests | [{"filename": "test_foo.py", "source": "..."}] |
| logs | [{"filename": "foo.py", "source": "..."}] |
| sensitive_logging | [{"filename": "foo.py", "source": "..."}] |
| secrets | [{"filename": "foo.py", "source": "..."}] |
For per-file checks, a plain string is also accepted (filename defaults to source.py).
Output format
Every command emits the same JSON schema:
{
  "analysis": "validate_import_directions",
  "status": "clean | warnings | violations",
  "total_items": 42,
  "required_count": 0,
  "recommended_count": 0,
  "summary": "All 42 file(s) respect the layer dependency rules.",
  "findings": [
    {
      "rule_id": "backend/imports/domain-no-infrastructure",
      "severity": "required | recommended",
      "location": "src/domain/entities/user.py:12",
      "message": "Domain layer must not import from infrastructure layer",
      "hint": "Remove the cross-layer import. Domain may only depend on: domain only."
    }
  ]
}
Errors also follow a consistent schema when piped:
{"status": "error", "error": "git_log is empty — run: ...", "analysis": "validate_commit_messages"}
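A consumer of these two schemas for use as a pipeline gate, as an added example that is not part of validate-tools. The sample output is constructed from the fields shown above, and treating an error report as blocking is an assumption, since the page does not define an exit code for errors.

```python
import json

# Constructed `validate-tools run` output, shaped after the schemas shown above.
SAMPLE_RUN_OUTPUT = json.dumps([
    {"analysis": "validate_import_directions", "status": "violations",
     "total_items": 42, "required_count": 1, "recommended_count": 0,
     "summary": "constructed summary",
     "findings": [{
         "rule_id": "backend/imports/domain-no-infrastructure",
         "severity": "required",
         "location": "src/domain/entities/user.py:12",
         "message": "Domain layer must not import from infrastructure layer",
         "hint": "Remove the cross-layer import.",
     }]},
    {"status": "error", "error": "git_log is empty",
     "analysis": "validate_commit_messages"},
])

EXIT_CLEAN, EXIT_WARNINGS, EXIT_VIOLATIONS = 0, 1, 2


def gate(raw, strict=False):
    """Return (exit_code, blocking_lines) for one report or a `run` array."""
    reports = json.loads(raw)
    if isinstance(reports, dict):  # single-command output is one object
        reports = [reports]
    code, lines = EXIT_CLEAN, []
    for report in reports:
        name, status = report.get("analysis", "unknown"), report.get("status")
        if status == "clean":
            continue
        if status == "warnings":
            if strict:
                code = max(code, EXIT_WARNINGS)
            continue
        if status == "violations":
            code = EXIT_VIOLATIONS
            lines += [f"{f['location']}: {f['message']} [{f['rule_id']}]"
                      for f in report.get("findings", []) if f.get("severity") == "required"]
        else:
            # Assumption: an errored or unrecognised report fails closed, because
            # a check that did not run has verified nothing.
            code = EXIT_VIOLATIONS
            lines.append(f"{name}: check did not complete: {report.get('error', status)}")
    return code, lines
```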
License
MIT
File details
Details for the file validate_tools-0.1.0.tar.gz.
File metadata
- Download URL: validate_tools-0.1.0.tar.gz
- Upload date:
- Size: 17.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ea12b7ffbaeb2117750b5517cc530ea46f3e75ced15e39dc9c623e62bc734cd1 |
| MD5 | 5b99c7ea697878aa27b28e34ee1a9bf0 |
| BLAKE2b-256 | 3030c5113969162ddee08bb090a463b17852eff6d636f32bab697bf33c95ec35 |
Provenance
The following attestation bundles were made for validate_tools-0.1.0.tar.gz:
Publisher: publish-cli.yml on scardoso-lu/fullstack-agent-guidelines
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: validate_tools-0.1.0.tar.gz
  - Subject digest: ea12b7ffbaeb2117750b5517cc530ea46f3e75ced15e39dc9c623e62bc734cd1
- Sigstore transparency entry: 1978355093
- Sigstore integration time:
- Permalink: scardoso-lu/fullstack-agent-guidelines@eca8720cc06f4236e6f7e13814ea8463e2c51709
- Branch / Tag: refs/tags/0.1.0
- Owner: https://github.com/scardoso-lu
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-cli.yml@eca8720cc06f4236e6f7e13814ea8463e2c51709
- Trigger Event: release
File details
Details for the file validate_tools-0.1.0-py3-none-any.whl.
File metadata
- Download URL: validate_tools-0.1.0-py3-none-any.whl
- Upload date:
- Size: 26.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7de3111be68b4644d98fa9a339a400789c5bcc2f35994024d666b5885fd826bd |
| MD5 | 0dbddb6ec49a7d71e7b61540d90ea9f5 |
| BLAKE2b-256 | e1a0f501f051fe2d99d1d1a15f9149ae1937af41b63d79f5f73d2932adad8cf6 |
Provenance
The following attestation bundles were made for validate_tools-0.1.0-py3-none-any.whl:
Publisher: publish-cli.yml on scardoso-lu/fullstack-agent-guidelines
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: validate_tools-0.1.0-py3-none-any.whl
  - Subject digest: 7de3111be68b4644d98fa9a339a400789c5bcc2f35994024d666b5885fd826bd
- Sigstore transparency entry: 1978355292
- Sigstore integration time:
- Permalink: scardoso-lu/fullstack-agent-guidelines@eca8720cc06f4236e6f7e13814ea8463e2c51709
- Branch / Tag: refs/tags/0.1.0
- Owner: https://github.com/scardoso-lu
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-cli.yml@eca8720cc06f4236e6f7e13814ea8463e2c51709
- Trigger Event: release