Skip to main content

Cross-repo invariant verifier for the zyplux organization

Project description

cerberus

Verifies repository invariants — CI workflow structure, justfile and dependency conventions, CODEOWNERS, and release-version bumps — as a per-repo linter against a checkout.

Requirements

  • uv and Python 3.14

The justfile check shells out to just, which ships with the package (via rust-just) — no separate install.

Lint a repo

uv run cerberus            # lint the current directory
uv run cerberus PATH       # lint a checkout at PATH

Runs every check and exits non-zero on any failure or error, so it drops into CI like any linter. Run cerberus list to see every check, its scope, and what it verifies.

Option Description
--check NAME Limit to named check(s); repeatable
--config PATH Use a cerberus.toml other than the bundled
--fix Auto-fix fixable problems (e.g. trailing whitespace)

A repo opts out of specific checks with [tool.cerberus] disable = ["check-id", ...] in its pyproject.toml.

Checks

ID Scope Verifies
justfile content Canonical baseline block (byte-exact, --fixable), recipe names, aliases, check pipeline, local cerberus run, wrapped tool calls, no trailing whitespace
zyplux-latest content Every @zyplux/* npm package, zyplux-* PyPI distribution, and ghcr.io/zyplux image is used at its latest release
ci-workflow content ci.yml exists, exposes a ci check, runs on PRs (push to main recommended)
ci-sequence content ci.yml runs the canonical check sequence per stack, in the org container
cerberus-step content A CI workflow runs cerberus to self-verify org invariants
workflow-tooling content Workflows set up only the workspace toolchain (uv, bun), not extra tools
pyrefly-config content All code, tests included, type-checks under strict pyrefly with no relaxations
ruff-config content ruff runs standalone in preview with select = ["ALL"]; relaxations stay sanctioned
line-length content ruff line-length and prettier printWidth are both 120
rumdl-config content .rumdl.toml carries the org-canonical rule config (per-repo exclude allowed)
vitest-runner content TypeScript tests run on vitest, never bun's built-in test runner (package.json, justfile, CI)
ts-project-references content TypeScript typecheck runs via project references (tsc -b), not a per-package fan-out
catalog-discipline content Every workspace package.json dependency pins via catalog: or workspace:
story-tests-py content tests/**/stories/*.md criteria have a matching, title-matched pytest test
story-tests-ts content tests/**/stories/*.md criteria have a matching, title-matched vitest test
cli-ts-tests content CLI apps export only the root seam; story tests reach workspace code via fixture aliases
lib-ts-tests content Libraries export only the root seam; story tests reach workspace code via fixture aliases
cli-py-tests content CLI apps' story tests import only their root module or cli entry module
lib-py-tests content Libraries' story tests import only their root module
release-bumps git-history A published target's version is bumped whenever its release surface changes
codeowners content CODEOWNERS present and covers /.github/
pytest-coverage content pyproject.toml [tool.coverage.report] fail_under is set to at least 90%
vitest-coverage content The root vitest.config.* coverage.thresholds are all set to at least 90%

The justfile baseline

Every repo's justfile must start with the line # BASELINE, carry the canonical block from baseline.just byte-for-byte, and close it with a # CUSTOM line. Everything after # CUSTOM is the repo's own (extra aliases, recipes, set/mod statements, variables). With both markers present, --fix restores a drifted baseline region and leaves the custom tail untouched; the zyplux repo's own justfile mirrors the packaged canonical, and cerberus keeps the two identical.

Config

Policy — required recipes and aliases, the canonical CI sequence — lives in cerberus.toml. Override it with --config PATH.

zyplux-latest queries npm, PyPI, and GHCR at lint time; a failed lookup is reported as an error, never a silent pass. It has no --fix — run just upgrade to catch up.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

zyplux_cerberus-0.11.0.tar.gz (46.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

zyplux_cerberus-0.11.0-py3-none-any.whl (71.1 kB view details)

Uploaded Python 3

File details

Details for the file zyplux_cerberus-0.11.0.tar.gz.

File metadata

  • Download URL: zyplux_cerberus-0.11.0.tar.gz
  • Upload date:
  • Size: 46.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: uv/0.11.27 {"installer":{"name":"uv","version":"0.11.27","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for zyplux_cerberus-0.11.0.tar.gz
Algorithm Hash digest
SHA256 a857749eb32307974013421e299317ffdc0572c0ef51ba7aeb0911ef0bf49145
MD5 6085e5cf8fd849961e08db2ada087ac1
BLAKE2b-256 6fb1b3e2e90d4ee3141f623bf7198918c83e32600acf8dc9a8a7f11345a3ebf2

See more details on using hashes here.

File details

Details for the file zyplux_cerberus-0.11.0-py3-none-any.whl.

File metadata

  • Download URL: zyplux_cerberus-0.11.0-py3-none-any.whl
  • Upload date:
  • Size: 71.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: uv/0.11.27 {"installer":{"name":"uv","version":"0.11.27","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for zyplux_cerberus-0.11.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ad6a4c4da8fd8d0618c28c69208a4019eb61f12b91f1625d3135baebc6c0c360
MD5 8ce79f292b1d872fc9479f93c2b47e8c
BLAKE2b-256 cbd2f5b7a765da92f5127cd0f6a23c66f0fe9a147ccaa14a2e15299e640512c1

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page