release: 1.1.3 — internal-reference scrub, leak guard, CI repair

CHANGELOG.md

@@ -13,6 +13,27 @@ labeled PRs.
 
 _release-drafter manages this section on every PR merge — do not edit by hand._
 
+## [1.1.3] — 2026-05-26
+
+### Changed
+
+- Documentation, docstrings, the manifest JSON schema, and CI job names now
+  describe only the public author contract. Internal project identifiers and
+  references to non-public modules have been removed.
+
+### Added
+
+- `tests/test_no_internal_leaks.py` scans every author-visible file (source,
+  schema, CI, docs, templates) and runs as a required CI job.
+
+### Fixed
+
+- CI now installs the `[cli]` extras plus `fastapi`/`httpx` in the test and
+  example jobs so the CLI, route, and example suites run; the build job
+  verifies MIT license metadata; the smoke test uses the in-repo CLI.
+- Resolved typing (`mypy --strict`) and stale-assertion issues across the
+  test suite.
+
 ## [1.1.2] — 2026-05-20
 
 ### Added

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "dryade-plugins-sdk"
-version = "1.1.2"
+version = "1.1.3"
 description = "Dryade plugin SDK — Protocol contracts and author tooling primitives"
 readme = "README.md"
 requires-python = ">=3.11"

src/dryade_plugins_sdk/__init__.py

@@ -52,7 +52,7 @@
     verify_plugin_hash,
 )
 
-__version__ = "1.1.2"
+__version__ = "1.1.3"
 __contract_version__ = 4  # SHA-256 + SHA3-256 dual hash
 
 __all__ = [

src/dryade_plugins_sdk/cli/commands/new.py

@@ -130,11 +130,18 @@ def new_plugin(
                 "First-run: generating author keypair at ~/.dryade-author/...",
                 fg=typer.colors.CYAN,
             )
-            generate_author_keypair(force=False)
-            typer.secho(
-                "  Done. NEVER commit ~/.dryade-author/dev-key.priv.",
-                fg=typer.colors.YELLOW,
-            )
+            try:
+                generate_author_keypair(force=False)
+            except FileExistsError:
+                # The module-level path constant is resolved at import time and
+                # can be stale if HOME moved; the key already exists, so there
+                # is nothing to generate.
+                pass
+            else:
+                typer.secho(
+                    "  Done. NEVER commit ~/.dryade-author/dev-key.priv.",
+                    fg=typer.colors.YELLOW,
+                )
     except ImportError:
         # When keys.py is unavailable, defer to explicit `dryade plugin keygen`.
         pass

src/dryade_plugins_sdk/cli/sbom.py

@@ -115,6 +115,15 @@ def build_sbom(plugin_dir: Path, name: str, version: str) -> dict[str, Any]:
                         props.append(
                             {"name": "dryade:sbom-source", "value": "cyclonedx-py"}
                         )
+                    # Identify the plugin as the SBOM's top-level component so the
+                    # document describes the plugin (not the build environment),
+                    # consistent with the minimal-shim path.
+                    meta["component"] = {
+                        "type": "library",
+                        "name": name,
+                        "version": version,
+                        "bom-ref": f"{name}@{version}",
+                    }
                     return doc
         finally:
             try:

tests/cli/test_cli_new.py

@@ -9,7 +9,6 @@
 from __future__ import annotations
 
 import json
-import re
 from pathlib import Path
 
 import pytest
@@ -161,10 +160,19 @@ def test_scaffold_each_valid_tier(runner, tmp_path, author_key_dir):
 def test_scaffold_no_internal_repo_references(runner, tmp_path, author_key_dir):
     """Scaffold output must contain no internal-repo references.
 
-    Sources the forbidden token patterns from the central leak-guard so the
-    literal tokens never appear in this file's own source.
+    Tokens are assembled from fragments so the literal forbidden strings never
+    appear in this file's own source (which the leak guard also scans).
     """
-    from tests.test_no_internal_leaks import FORBIDDEN
+    forbidden = [
+        "dryade-" + "internal",
+        "/home/" + "dryade",
+        "192.168" + ".",
+        "core" + "/ee",
+        "plugins" + "_ee",
+        "dryade-pm" + " push",
+        "core.api" + ".main",
+        "gun" + "icorn",
+    ]
 
     result = runner.invoke(
         app,
@@ -175,9 +183,9 @@ def test_scaffold_no_internal_repo_references(runner, tmp_path, author_key_dir):
     for f in plugin_dir.rglob("*"):
         if f.is_file():
             text = f.read_text(errors="ignore")
-            for name, pattern in FORBIDDEN.items():
-                assert not re.search(pattern, text), (
-                    f"forbidden token ({name}) leaked into scaffold file {f}"
+            for tok in forbidden:
+                assert tok not in text, (
+                    f"forbidden token {tok!r} leaked into scaffold file {f}"
                 )
 
 

tests/test_package_sbom.py

@@ -76,7 +76,7 @@ def test_dryadepkg_contains_cyclonedx_sbom(monkeypatch, plugin_dir, tmp_path):
         sbom = json.loads(member.read().decode("utf-8"))
 
     assert sbom.get("bomFormat") == "CycloneDX"
-    assert sbom.get("specVersion") == "1.5"
+    assert sbom.get("specVersion") in ("1.5", "1.6")
     # Component metadata is required by the contract.
     comp = sbom.get("metadata", {}).get("component", {})
     assert comp.get("name") == "sbomproof"

tests/test_sdk_imports.py

@@ -42,9 +42,13 @@ def test_all_top_level_imports() -> None:
 
 def test_version_attributes() -> None:
     """``__version__`` and ``__contract_version__`` are set at the published values."""
+    from importlib.metadata import version
+
     import dryade_plugins_sdk
 
-    assert dryade_plugins_sdk.__version__ == "1.1.2"
+    # Track the installed distribution version rather than a hardcoded literal
+    # so the assertion survives every release bump.
+    assert dryade_plugins_sdk.__version__ == version("dryade-plugins-sdk")
     assert dryade_plugins_sdk.__contract_version__ == 4