Metadata-Version: 2.4
Name: tesserakit-deps
Version: 0.4.0
Summary: Deps job pack for Tessera: audit dependency manifests for pinning, duplicates, and conflicts.
Project-URL: Homepage, https://github.com/ShaileshRawat1403/tessera
Project-URL: Repository, https://github.com/ShaileshRawat1403/tessera
Project-URL: Issues, https://github.com/ShaileshRawat1403/tessera/issues
Author: Shailesh Rawat
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.10
Requires-Dist: pydantic>=2.7
Requires-Dist: rich>=13.7
Requires-Dist: tesserakit-core>=0.1.0
Requires-Dist: typer>=0.12
Provides-Extra: dev
Requires-Dist: pytest>=8.0; extra == 'dev'
Description-Content-Type: text/markdown

# tesserakit-deps

Audit dependency manifests for pinning discipline, duplicates, and conflicts.

`tessera-deps` parses dependency manifests across ecosystems, classifies how tightly each dependency is pinned, and flags supply-chain hygiene issues. It reads manifests only: no installs, no lockfile resolution, no network.

Where `tessera-repo` lists *that* a manifest declares dependencies, `tessera-deps` analyses *how* they are declared.

## Audit

```bash
tessera deps audit --input . --output ./out/deps_pack
```

Supported manifests: `requirements*.txt`, `pyproject.toml`, `package.json`, `Cargo.toml`, `go.mod`.

Artifacts written:

```text
dependencies.jsonl       one Dependency per declaration (ecosystem, scope, constraint, pinning)
index.md                 the inventory table
validation_report.md     pinning + duplicate + conflict findings
coverage_report.md       counts by pinning / ecosystem / scope
duplicates.md            dependencies declared in more than one manifest
```

## Pinning classification

- **pinned** — an exact version (`==1.2.3`, npm `1.2.3`, cargo `=1.2.3`, go `v1.2.3`)
- **ranged** — a bounded range (`>=`, `~=`, `^`, `~`, ...)
- **unpinned** — no constraint at all, `*`, or `latest`

## Findings

- `unpinned_dependency` — declared with no version constraint
- `duplicate_dependency` — same name declared in multiple manifests (same constraint)
- `conflicting_constraint` — same name declared with *different* constraints across manifests
- `declared_not_locked` — a manifest dependency is absent from the lockfile (the lock is stale)
- `locked_version_mismatch` — a manifest pins an exact version that disagrees with the lockfile
- `lockfile_missing` — npm/cargo deps are declared but no lockfile exists (builds aren't reproducible)
- `no_dependencies` — nothing found

Lockfile parsing covers `package-lock.json`, `yarn.lock`, `poetry.lock`, and `Cargo.lock`.
