Skip to content

Credibility pass: README accuracy, first-touch CLI guards, scanner removal, PyPI metadata#29

Merged
vigneshnarayanaswamy merged 4 commits into
mainfrom
vigneshn/hiring-surface-hardening
Jul 3, 2026
Merged

Credibility pass: README accuracy, first-touch CLI guards, scanner removal, PyPI metadata#29
vigneshnarayanaswamy merged 4 commits into
mainfrom
vigneshn/hiring-surface-hardening

Conversation

@vigneshnarayanaswamy

Copy link
Copy Markdown
Collaborator

What

Four self-contained changes that make the public surface match the code:

1. refactor!: remove the scanner module — deprecated in v0.4.0 with removal promised for v0.5.0; survived to v0.7.7. Its replacement (SourceConnector + DataNode + Ledger.add()/connect()) has been the documented path for months. Removes the module, its 35 tests, and the two top-level re-exports.

2. docs: credibility and accuracy pass

  • README: CI + downloads badges, production-scale benchmark callout (28.8k models / 212k events, sub-second, per CHANGELOG v0.7.4), architecture diagram, maintainer credit, SECURITY.md link
  • README's "For organizations" wrongly implied the compliance profiles live in a downstream internal package; they ship in the OSS core (model_ledger.validate: SR 11-7/SR 26-2, EU AI Act Annex IV, NIST AI RMF)
  • All Ledger docs examples now persist to ./ledger.db — the old ./inventory.db name collided with the CLI's legacy Inventory-format default
  • Quickstart history() example claimed chronological order; output is newest-first. Fixed and now CI-asserted via the executable-docs test
  • Stale-reference sweep: MCP tool count 6→8 (docstring, CLAUDE.md), v0.3.0 markers out of SDK docstrings, "Task 11" comments out of rest/app.py, two stale Unreleased CHANGELOG blocks folded into the releases that shipped them (v0.7.3, v0.4.8)
  • New SECURITY.md (GitHub private vulnerability reporting)

3. fix(cli): friendly errors on the three first-touch failure paths

  • Bare install: model-ledger --help no longer tracebacks; prints the pip install "model-ledger[cli]" hint
  • Inventory commands pointed at a Ledger event-log database exit with guidance instead of a raw sqlite error
  • validate --profile <unknown> exits listing available profiles instead of raising

4. chore: PyPI metadata — Development Status Alpha→Beta; keywords add mcp, model-context-protocol, ai-governance, eu-ai-act, nist-ai-rmf, sr-26-2.

Testing

  • Full suite green locally (755 passed, 24 skipped), ruff + mypy clean, mkdocs build --strict clean
  • New regression tests for the ledger-DB guard and unknown-profile exit
  • Bare-install and quickstart-collision paths verified end to end in a fresh venv

🤖 Generated with Claude Code

vigneshnarayanaswamy and others added 4 commits July 3, 2026 08:53
Scanner, InventoryScanner, ModelCandidate, ScanReport and the
ScannerRegistry were deprecated in v0.4.0 with removal promised for
v0.5.0; they survived to v0.7.7. Their replacement is the
SourceConnector protocol with DataNode + Ledger.add()/connect().

Removes the module, its 35 tests, and the two top-level re-exports
(ModelCandidate, Scanner). No other code imported it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Vignesh Narayanaswamy <Vigneshn@squareup.com>
README: CI and downloads badges, production-scale benchmark callout
(28.8k models / 212k events, sub-second — sourced to CHANGELOG v0.7.4),
architecture diagram, security policy link, maintainer credit. The
'For organizations' section now states that the SR 11-7/SR 26-2,
EU AI Act Annex IV, and NIST AI RMF validation profiles ship in the
OSS core (model_ledger.validate) — it previously implied they lived
in a downstream internal package.

Docs: all Ledger examples persist to ./ledger.db instead of
./inventory.db, which collided with the CLI's legacy Inventory-format
default (runtime guard lands in the next commit). Quickstart history()
example now shows newest-first output and CI-asserts the ordering.
Landing page notes the project was born at Block and runs in
production there.

Stale-reference sweep: MCP tool count 6 -> 8 in the server docstring
and CLAUDE.md, v0.3.0 markers out of SDK docstrings, 'Task 11'
comments out of rest/app.py. CHANGELOG: fold two stale Unreleased
blocks into the releases that shipped them (v0.7.3 per PRs #5-#9,
v0.4.8 per its own bump commit) and open a fresh Unreleased section.
Add SECURITY.md (GitHub private vulnerability reporting) and ignore
the .rp1/ workspace directory.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Vignesh Narayanaswamy <Vigneshn@squareup.com>
- Bare install (no [cli] extra): 'model-ledger --help' printed a
  ModuleNotFoundError traceback for typer. The cli package now falls
  back to a stub entry point that prints the one-line install hint
  and exits 1.
- Inventory commands pointed at a Ledger event-log database (e.g. the
  quickstart's ledger.db) raised a raw sqlite 'no such table' error.
  _get_inventory now sniffs sqlite_master and exits with guidance
  toward Ledger.from_sqlite() or 'model-ledger mcp'.
- 'model-ledger validate --profile <unknown>' raised a ValueError
  traceback; it now exits 1 listing the available profiles.

Tested end to end in a fresh venv: bare-install --help and the
quickstart-then-list collision both exit cleanly with guidance.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Vignesh Narayanaswamy <Vigneshn@squareup.com>
Development Status classifier moves from Alpha to Beta — the package
has had 10 releases, a four-Python CI matrix, and a production-scale
deployment; Alpha undersold it. Keywords gain the terms people
actually search: mcp, model-context-protocol, ai-governance,
eu-ai-act, nist-ai-rmf, sr-26-2.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Vignesh Narayanaswamy <Vigneshn@squareup.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 48cd36ac6e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

}
except sqlite3.Error:
return
if "snapshots" in names and "versions" not in names:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Detect ledger DBs even after legacy CLI touched them

When this is run against a Ledger DB that was already pointed at an older model-ledger list/show/... once, the legacy SQLiteBackend will have created an empty versions table before failing (src/model_ledger/backends/sqlite.py:18-37), so this condition no longer matches even though the models table is still the Ledger schema. The command then falls through to Inventory and still raises the raw SELECT data FROM models sqlite error (src/model_ledger/backends/sqlite.py:52-54), which is exactly the quickstart-collision path this guard is meant to fix for users upgrading after seeing the traceback. Consider detecting the Ledger schema by the presence/columns of snapshots/models rather than requiring versions to be absent.

Useful? React with 👍 / 👎.

@vigneshnarayanaswamy vigneshnarayanaswamy merged commit c55dc87 into main Jul 3, 2026
9 checks passed
@vigneshnarayanaswamy vigneshnarayanaswamy deleted the vigneshn/hiring-surface-hardening branch July 3, 2026 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant