diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..8d2c041 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @DrWheelicus \ No newline at end of file diff --git a/.gitignore b/.gitignore index 5379c74..3ff0037 100644 --- a/.gitignore +++ b/.gitignore @@ -31,4 +31,11 @@ htmlcov/ dist/ build/ - +# Editor files +.cursor/ +.vscode/ +.idea/ +.DS_Store +.env +.env.* +!.env.example diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3f18628..f96d44f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -43,6 +43,45 @@ This section guides you through submitting an enhancement suggestion for Encoder - Use `black` for code formatting. - Use `flake8` for linting. +## Releasing (Maintainers) + +Releases are automated via GitHub Actions. To create a new release: + +1. **Update the version** in `encoderize/__init__.py`: + ```python + __version__ = "0.2.0" # Use semantic versioning + ``` + +2. **Commit the version bump**: + ```bash + git add encoderize/__init__.py + git commit -m "chore: bump version to 0.2.0" + git push + ``` + +3. **Create and push a tag** (must match the version with a `v` prefix): + ```bash + git tag v0.2.0 + git push --tags + ``` + +4. The release workflow will automatically: + - Run tests to ensure everything passes + - Build the package (sdist and wheel) + - Publish to PyPI + - Create a GitHub Release with auto-generated release notes + +### First-Time Setup (PyPI Trusted Publishing) + +Before the first automated release, a maintainer must configure trusted publishing on PyPI: + +1. Go to https://pypi.org/manage/project/encoderize/settings/publishing/ +2. Add a new publisher with: + - Owner: `DrWheelicus` + - Repository: `encoderize` + - Workflow name: `release.yml` + - Environment name: `Main Deployment` + ## Any questions? Feel free to reach out if you have questions about contributing. \ No newline at end of file diff --git a/README.md b/README.md index db6c267..296fcf0 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,9 @@

- Encoderize Logo + + + + Encoderize Logo +

diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..36d0724 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,125 @@ +# Security Policy + +## Supported Versions + +I release patches for security vulnerabilities in the following versions: + +| Version | Supported | +| ------- | ------------------ | +| 0.2.x | :white_check_mark: | +| < 0.2 | :x: | + +## Reporting a Vulnerability + +I take the security of Encoderize seriously. If you believe you have found a security vulnerability, please report it as described below. + +### How to Report + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them via email to: + +**[haydenpmac@gmail.com](mailto:haydenpmac@gmail.com)** + +Include the following information in your report: + +- Type of vulnerability (e.g., code injection, path traversal, arbitrary file write) +- Full paths of source file(s) related to the manifestation of the vulnerability +- The location of the affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the vulnerability, including how an attacker might exploit it + +### What to Expect + +After you submit a report, you should expect: + +- **Acknowledgment within 48 hours**: I'll confirm receipt of your vulnerability report +- **Regular updates**: I'll keep you informed about my progress +- **Timeline**: I aim to resolve critical vulnerabilities within 7 days +- **Credit**: I'll acknowledge your responsible disclosure in the fix announcement (unless you prefer to remain anonymous) + +## Security Best Practices + +### For Users + +When using Encoderize, please follow these security best practices: + +1. **Validate Input**: Always validate and sanitize text input before passing it to Encoderize functions +2. **File Permissions**: Be mindful of output directory permissions when generating SVG files +3. 
**Dependency Management**: Keep Encoderize and its dependencies up to date: + ```bash + pip install --upgrade encoderize + ``` +4. **Ghostscript Security**: Keep Ghostscript updated, as it's a critical dependency for barcode generation + +### For Contributors + +If you're contributing to Encoderize: + +1. **Code Review**: All code changes are reviewed before merging +2. **Dependency Updates**: Report any outdated dependencies with known vulnerabilities +3. **Input Validation**: Ensure all user input is properly validated and sanitized +4. **Path Traversal**: Verify that file operations prevent directory traversal attacks +5. **Testing**: Write security tests for any input handling or file operations + +## Known Security Considerations + +### File System Operations + +Encoderize writes SVG files to disk. Users should: + +- Ensure output directories have appropriate permissions +- Be cautious when specifying output paths +- Validate that generated files are placed in expected locations + +### Ghostscript Dependency + +The `code128_barcode` generator requires Ghostscript, which has had security vulnerabilities in the past: + +- Always use the latest version of Ghostscript +- Be aware that barcode generation executes external Ghostscript processes +- Consider security implications in server environments + +### Input Sanitization + +While Encoderize primarily generates visual representations and doesn't execute code: + +- Long input strings may cause performance issues +- Special characters are processed but should be validated by applications +- SVG output should be treated as user-generated content if serving on web applications + +## Security Update Process + +When a security vulnerability is confirmed: + +1. **Private Fix**: I'll develop a fix in a private repository +2. **Testing**: The fix will be thoroughly tested +3. **Release**: A new version will be released with the security fix +4. **Notification**: Security advisories will be published on GitHub +5. 
**Documentation**: CHANGELOG and release notes will document the fix + +## Disclosure Policy + +- **Coordinated Disclosure**: I practice coordinated disclosure +- **Public Disclosure**: Security issues will be publicly disclosed after a fix is available +- **Security Advisories**: Critical vulnerabilities will have GitHub Security Advisories created +- **CVE Assignment**: I'll work to obtain CVE identifiers for significant vulnerabilities + +## Additional Resources + +- [Python Security Best Practices](https://python.readthedocs.io/en/stable/library/security_warnings.html) +- [OWASP Python Security](https://owasp.org/www-project-python-security/) +- [GitHub Security Advisories](https://github.com/DrWheelicus/encoderize/security/advisories) + +## Contact + +For security-related questions or concerns, contact: + +**Hayden MacIntyre** +Email: [haydenpmac@gmail.com](mailto:haydenpmac@gmail.com) + +--- + +Thank you for helping keep Encoderize and its users safe! diff --git a/assets/docs/Transparent Logo Dark.png b/assets/docs/Transparent Logo Dark.png new file mode 100644 index 0000000..f4cf054 Binary files /dev/null and b/assets/docs/Transparent Logo Dark.png differ diff --git a/setup.py b/setup.py index 2fd5468..62bba65 100644 --- a/setup.py +++ b/setup.py @@ -1,8 +1,13 @@ +import re from setuptools import setup, find_packages +# Read version from encoderize/__init__.py (single source of truth) +with open("encoderize/__init__.py", "r") as f: + version = re.search(r'__version__ = "([^"]+)"', f.read()).group(1) + setup( name="encoderize", - version="0.1.0", + version=version, keywords="encoderize, encoder, barcode, svg, visualizer", packages=find_packages(), install_requires=[
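Review bot: the new `.github/CODEOWNERS` line `* @DrWheelicus` is missing its trailing newline (`\ No newline at end of file`); add one. A CODEOWNERS entry only gates merges when branch protection on the default branch has "Require review from Code Owners" enabled, and with a single owner it cannot enforce a second reviewer; since SECURITY.md in this same change states "All code changes are reviewed before merging", confirm that protection rule is on, otherwise the file is documentation only.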
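Review bot: in the `.gitignore` hunk the ordering `.env`, `.env.*`, `!.env.example` is correct (the negation comes after the patterns it re-includes). One caveat: `.gitignore` only affects untracked files, so a secrets file committed before this change stays tracked; run `git ls-files .env '.env.*'` once to confirm nothing matching is already in the repository.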
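Review bot: in the CONTRIBUTING.md "Releasing (Maintainers)" section, step 3 uses `git push --tags`, which pushes every local tag, not just the release tag; use `git push origin v0.2.0` so a stray local tag cannot trigger a publish. Step 4 says the workflow runs tests after the tag is pushed, but nothing states what happens when they fail; since the tag is already public at that point, document that a failed release needs a new patch version rather than a moved tag. The section also references `release.yml` and the environment `Main Deployment`, neither of which appears in this diff; confirm the workflow exists under those exact names and that it checks the tag against `__version__`, because step 3 says they "must match" and nothing visible here enforces it.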
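Review bot: the SECURITY.md "Supported Versions" table marks `0.2.x` as supported and `< 0.2` as unsupported, yet the `setup.py` hunk in this same diff removes `version="0.1.0"` and no `0.2.0` bump to `encoderize/__init__.py` is included; either bump the version in the same change or state that the table takes effect from the 0.2.0 release. Under "For Users", "Always validate and sanitize text input" gives readers nothing to act on; state what the library checks itself (for example a maximum length or the character set accepted by the Code 128 generator) so callers know what is left to them, and likewise the contributor item "Verify that file operations prevent directory traversal attacks" would be more useful if the policy said how output paths are resolved today. Under "Additional Resources", verify that the `python.readthedocs.io` link resolves; the canonical page is `https://docs.python.org/3/library/security_warnings.html`.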
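Review bot: in the `setup.py` hunk, `re.search(r'__version__ = "([^"]+)"', f.read()).group(1)` raises an unhelpful `AttributeError: 'NoneType' object has no attribute 'group'` if `__version__` is absent or written with single quotes; bind the match to a variable and raise a `RuntimeError` with a clear message when it is `None`. The regex only accepts double quotes, which is consistent with the `black` rule in CONTRIBUTING.md but worth a comment. `open("encoderize/__init__.py", "r")` is relative to the current working directory and lacks an encoding; use `os.path.join(os.path.dirname(os.path.abspath(__file__)), "encoderize", "__init__.py")` with `encoding="utf-8"` so builds invoked from another directory behave the same. Finally, this diff does not touch `encoderize/__init__.py`, so confirm it already defines `__version__` before merging, otherwise `pip install` from source fails immediately.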