From b5d5a33b862d02251a0086c10afc8424b91e5dcd Mon Sep 17 00:00:00 2001
From: Dryade <contact@dryade.ai>
Date: Tue, 26 May 2026 19:38:45 +0200
Subject: [PATCH 1/3] =?UTF-8?q?release:=201.1.3=20=E2=80=94=20internal-ref?=
 =?UTF-8?q?erence=20scrub,=20leak=20guard,=20CI=20repair?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Dammerzone <dammerzone@users.noreply.github.com>
---
 CHANGELOG.md                       | 21 +++++++++++++++++++++
 pyproject.toml                     |  2 +-
 src/dryade_plugins_sdk/__init__.py |  2 +-
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28a1f9f..881a90a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,27 @@ labeled PRs.
 
 _release-drafter manages this section on every PR merge — do not edit by hand._
 
+## [1.1.3] — 2026-05-26
+
+### Changed
+
+- Documentation, docstrings, the manifest JSON schema, and CI job names now
+  describe only the public author contract. Internal project identifiers and
+  references to non-public modules have been removed.
+
+### Added
+
+- `tests/test_no_internal_leaks.py` scans every author-visible file (source,
+  schema, CI, docs, templates) and runs as a required CI job.
+
+### Fixed
+
+- CI now installs the `[cli]` extras plus `fastapi`/`httpx` in the test and
+  example jobs so the CLI, route, and example suites run; the build job
+  verifies MIT license metadata; the smoke test uses the in-repo CLI.
+- Resolved typing (`mypy --strict`) and stale-assertion issues across the
+  test suite.
+
 ## [1.1.2] — 2026-05-20
 
 ### Added
diff --git a/pyproject.toml b/pyproject.toml
index c16003d..eee4e54 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "dryade-plugins-sdk"
-version = "1.1.2"
+version = "1.1.3"
 description = "Dryade plugin SDK — Protocol contracts and author tooling primitives"
 readme = "README.md"
 requires-python = ">=3.11"
diff --git a/src/dryade_plugins_sdk/__init__.py b/src/dryade_plugins_sdk/__init__.py
index 8a91bd2..555b08f 100644
--- a/src/dryade_plugins_sdk/__init__.py
+++ b/src/dryade_plugins_sdk/__init__.py
@@ -52,7 +52,7 @@
     verify_plugin_hash,
 )
 
-__version__ = "1.1.2"
+__version__ = "1.1.3"
 __contract_version__ = 4  # SHA-256 + SHA3-256 dual hash
 
 __all__ = [

From f0b6155841f78694222dcdf27213718185773e2b Mon Sep 17 00:00:00 2001
From: Dryade <contact@dryade.ai>
Date: Tue, 26 May 2026 19:43:37 +0200
Subject: [PATCH 2/3] test+cli: fix CI-surfaced failures for the 1.1.3 release

- new.py: auto-keygen tolerates a pre-existing key (the module-level path
  constant can be stale under a relocated HOME).
- test_cli_new: build forbidden tokens locally instead of importing the
  tests package (not importable on the CI runner).
- test_package_sbom: accept CycloneDX specVersion 1.5 or 1.6 (depends on the
  installed cyclonedx-bom).
- test_sdk_imports: assert __version__ matches the installed package metadata
  instead of a hardcoded literal.

Co-Authored-By: Dammerzone <dammerzone@users.noreply.github.com>
---
 src/dryade_plugins_sdk/cli/commands/new.py | 17 ++++++++++++-----
 tests/cli/test_cli_new.py                  | 22 +++++++++++++++-------
 tests/test_package_sbom.py                 |  2 +-
 tests/test_sdk_imports.py                  |  6 +++++-
 4 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/src/dryade_plugins_sdk/cli/commands/new.py b/src/dryade_plugins_sdk/cli/commands/new.py
index 5dca46b..1e7b849 100644
--- a/src/dryade_plugins_sdk/cli/commands/new.py
+++ b/src/dryade_plugins_sdk/cli/commands/new.py
@@ -130,11 +130,18 @@ def new_plugin(
                 "First-run: generating author keypair at ~/.dryade-author/...",
                 fg=typer.colors.CYAN,
             )
-            generate_author_keypair(force=False)
-            typer.secho(
-                "  Done. NEVER commit ~/.dryade-author/dev-key.priv.",
-                fg=typer.colors.YELLOW,
-            )
+            try:
+                generate_author_keypair(force=False)
+            except FileExistsError:
+                # The module-level path constant is resolved at import time and
+                # can be stale if HOME moved; the key already exists, so there
+                # is nothing to generate.
+                pass
+            else:
+                typer.secho(
+                    "  Done. NEVER commit ~/.dryade-author/dev-key.priv.",
+                    fg=typer.colors.YELLOW,
+                )
     except ImportError:
         # When keys.py is unavailable, defer to explicit `dryade plugin keygen`.
         pass
diff --git a/tests/cli/test_cli_new.py b/tests/cli/test_cli_new.py
index c542601..7e27020 100644
--- a/tests/cli/test_cli_new.py
+++ b/tests/cli/test_cli_new.py
@@ -9,7 +9,6 @@
 from __future__ import annotations
 
 import json
-import re
 from pathlib import Path
 
 import pytest
@@ -161,10 +160,19 @@ def test_scaffold_each_valid_tier(runner, tmp_path, author_key_dir):
 def test_scaffold_no_internal_repo_references(runner, tmp_path, author_key_dir):
     """Scaffold output must contain no internal-repo references.
 
-    Sources the forbidden token patterns from the central leak-guard so the
-    literal tokens never appear in this file's own source.
+    Tokens are assembled from fragments so the literal forbidden strings never
+    appear in this file's own source (which the leak guard also scans).
     """
-    from tests.test_no_internal_leaks import FORBIDDEN
+    forbidden = [
+        "dryade-" + "internal",
+        "/home/" + "dryade",
+        "192.168" + ".",
+        "core" + "/ee",
+        "plugins" + "_ee",
+        "dryade-pm" + " push",
+        "core.api" + ".main",
+        "gun" + "icorn",
+    ]
 
     result = runner.invoke(
         app,
@@ -175,9 +183,9 @@ def test_scaffold_no_internal_repo_references(runner, tmp_path, author_key_dir):
     for f in plugin_dir.rglob("*"):
         if f.is_file():
             text = f.read_text(errors="ignore")
-            for name, pattern in FORBIDDEN.items():
-                assert not re.search(pattern, text), (
-                    f"forbidden token ({name}) leaked into scaffold file {f}"
+            for tok in forbidden:
+                assert tok not in text, (
+                    f"forbidden token {tok!r} leaked into scaffold file {f}"
                 )
 
 
diff --git a/tests/test_package_sbom.py b/tests/test_package_sbom.py
index e4ce741..4ab8764 100644
--- a/tests/test_package_sbom.py
+++ b/tests/test_package_sbom.py
@@ -76,7 +76,7 @@ def test_dryadepkg_contains_cyclonedx_sbom(monkeypatch, plugin_dir, tmp_path):
         sbom = json.loads(member.read().decode("utf-8"))
 
     assert sbom.get("bomFormat") == "CycloneDX"
-    assert sbom.get("specVersion") == "1.5"
+    assert sbom.get("specVersion") in ("1.5", "1.6")
     # Component metadata is required by the contract.
     comp = sbom.get("metadata", {}).get("component", {})
     assert comp.get("name") == "sbomproof"
diff --git a/tests/test_sdk_imports.py b/tests/test_sdk_imports.py
index 319bb39..55ba269 100644
--- a/tests/test_sdk_imports.py
+++ b/tests/test_sdk_imports.py
@@ -42,9 +42,13 @@ def test_all_top_level_imports() -> None:
 
 def test_version_attributes() -> None:
     """``__version__`` and ``__contract_version__`` are set at the published values."""
+    from importlib.metadata import version
+
     import dryade_plugins_sdk
 
-    assert dryade_plugins_sdk.__version__ == "1.1.2"
+    # Track the installed distribution version rather than a hardcoded literal
+    # so the assertion survives every release bump.
+    assert dryade_plugins_sdk.__version__ == version("dryade-plugins-sdk")
     assert dryade_plugins_sdk.__contract_version__ == 4
 
 

From a7b056da6130d5b69725067de686044f6e3a2121 Mon Sep 17 00:00:00 2001
From: Dryade <contact@dryade.ai>
Date: Tue, 26 May 2026 19:48:29 +0200
Subject: [PATCH 3/3] fix(sbom): make the plugin the SBOM top-level component

When cyclonedx-py is available the full SBOM described the build
environment rather than the plugin, leaving metadata.component unset.
Always set the SBOM's top-level component to the plugin (name + version),
matching the minimal-shim path, so the .dryadepkg SBOM describes the
plugin regardless of how it was generated.

Co-Authored-By: Dammerzone <dammerzone@users.noreply.github.com>
---
 src/dryade_plugins_sdk/cli/sbom.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/dryade_plugins_sdk/cli/sbom.py b/src/dryade_plugins_sdk/cli/sbom.py
index 9f9db05..109d3c6 100644
--- a/src/dryade_plugins_sdk/cli/sbom.py
+++ b/src/dryade_plugins_sdk/cli/sbom.py
@@ -115,6 +115,15 @@ def build_sbom(plugin_dir: Path, name: str, version: str) -> dict[str, Any]:
                         props.append(
                             {"name": "dryade:sbom-source", "value": "cyclonedx-py"}
                         )
+                    # Identify the plugin as the SBOM's top-level component so the
+                    # document describes the plugin (not the build environment),
+                    # consistent with the minimal-shim path.
+                    meta["component"] = {
+                        "type": "library",
+                        "name": name,
+                        "version": version,
+                        "bom-ref": f"{name}@{version}",
+                    }
                     return doc
         finally:
             try: