feat(cloudflare): add cloudflare-api package and fix broken imports

[williaby]

Summary

• Fixes cloudflare-auth package has broken imports (src.config.settings does not exist) #2: cloudflare-auth package has broken imports (src.config.settings does not exist)
• Adds: New cloudflare-api package for Cloudflare API operations
• Adds: Comprehensive test suites for both packages
• Adds: Architecture Decision Records (ADRs) for monorepo design

Changes

cloudflare-auth fixes (Issue #2)

• Created cloudflare_auth/config.py with CloudflareSettings Pydantic settings class
• Created get_cloudflare_settings() factory function with LRU caching
• Updated imports in validators.py, middleware.py, middleware_enhanced.py to use cloudflare_auth.config
• Package can now be used as a standalone Git dependency

New cloudflare-api package

• Cloudflare API client for managing IP lists, firewall rules
• IP group manager for automated IP list synchronization
• Support for AWS, GCP, GitHub, Cloudflare IP ranges
• CLI interface for IP group management
• Comprehensive test coverage (83 tests)

Documentation

• ADR-001: UV Workspace Monorepo Architecture
• ADR-002: Framework-Agnostic Core with Optional Adapters
• ADR-003: Private Package Distribution Strategy
• Updated project planning documents

CI/CD

• Added Artifact Registry publishing workflow
• Added per-file-ignores for package tests
• Fixed CLI file linting rules

Test plan

• cloudflare-auth tests pass (111 tests)
• cloudflare-api tests pass (83 tests)
• Type checking passes (0 errors in cloudflare-auth)
• Lint fixes applied

Related

• Unblocks: ByronWilliamsCPA/homelab-infra PR #54 (remove cloudflare-auth duplication)

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Cloudflare API client, IP groups system, and CLI for previewing/syncing IP lists.
  • New package distribution workflow for publishing to Google Artifact Registry.

• Documentation

  • Added ADRs, tech spec, roadmap, project vision, and publish/secure handoffs.
  • README for Cloudflare API client and IP groups usage.

• Configuration

  • Expanded .env examples and IP groups YAML templates.

• Tests & Quality

  • Extensive tests added and lint/config updates for CI and SonarCloud.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a new cloudflare-api package (client, models, exceptions, settings), an IP-groups subsystem with multi-source fetchers, manager, and CLI; fixes cloudflare-auth broken imports by adding settings; extensive docs/ADRs; CI publishing workflow to Google Artifact Registry; many tests and expanded .env example and lint configs.

Changes

Cohort / File(s)	Summary
Environment & Configuration \.env.example, ip_groups.example.yaml	Expanded .env.example with many Cloudflare, GCP, AI/ML, CI/CD, logging and Sentry variables; added ip_groups.example.yaml describing YAML schema for IP group definitions and multiple source types.
Package Publishing Workflow .github/workflows/publish.yml	New GitHub Actions workflow to publish packages to Google Artifact Registry on tag patterns; validates versions, fetches secrets, authenticates to GCP, builds and publishes wheels.
Documentation — Project & Ops docs/* (many files)	Added/rewrote docs: cloudflare-api handoff, secure publishing guide, project vision, roadmap, tech spec, and ADRs (ADR-001..003); promoted planning docs from drafts to active.
cloudflare-api Package — Public API & Core packages/cloudflare-api/src/cloudflare_api/__init__.py, .../client.py, .../models.py, .../exceptions.py, .../settings.py, packages/cloudflare-api/pyproject.toml, packages/cloudflare-api/README.md	New package providing Cloudflare API client for IP lists (sync, bulk ops), Pydantic models, exception hierarchy, settings via BaseSettings, package metadata and README.
cloudflare-api Package — IP Groups Subsystem packages/cloudflare-api/src/cloudflare_api/ip_groups/__init__.py, .../config.py, .../fetchers.py, .../manager.py, .../cli.py	New IP groups subsystem: YAML config models and loader, multiple source fetchers (Static, URL, GitHub, Google Cloud, AWS, Cloudflare), IP validation/filtering, IPGroupManager with caching, preview/sync/diff logic, and CLI commands.
cloudflare-api Package — Tests packages/cloudflare-api/tests/*	New test suite with fixtures, mocks of Cloudflare SDK, unit/integration tests for client, models, settings, fetchers, manager, and CLI behaviors.
cloudflare-auth Package — Settings & Tests packages/cloudflare-auth/src/cloudflare_auth/settings.py, packages/cloudflare-auth/pyproject.toml, packages/cloudflare-auth/tests/*	Added CloudflareSettings (Pydantic) and singleton accessors to resolve broken imports; updated pyproject to pydantic[email]; expanded tests (conftest and many unit/integration tests).
cloudflare-auth — timezone consistency packages/cloudflare-auth/src/cloudflare_auth/*.py	Replaced UTC alias with timezone.utc across models, rate limiter, sessions, redis sessions, and validators to use timezone-aware datetimes consistently.
Linting & CI config pyproject.toml, sonar-project.properties, .github/workflows/sonarcloud.yml, .github/workflows/validate-cruft.yml	Relaxed/extended ruff rules for package tests and CLIs, added SonarCloud action pin, expanded sonar sources/tests and security exclusions, added workflow permissions read:contents.
Minor test/lint cleanups packages/gemini-image/src/gemini_image/cli.py, packages/gemini-image/tests/*, tests/test_example.py	Removed inline noqa/ruff suppressions from CLI and test files (lint-only changes).

Sequence Diagram(s)

sequenceDiagram
    participant Config as YAML Config
    participant Manager as IPGroupManager
    participant Fetcher as IP Fetcher
    participant Cache as Cache Layer
    participant Client as Cloudflare API Client
    participant CF as Cloudflare API

    Config->>Manager: from_config(path)
    Manager->>Manager: load groups

    Manager->>Manager: fetch_group_ips(group)
    loop for each source
        Manager->>Cache: check cached result
        alt cache hit
            Cache-->>Manager: return cached IPs
        else cache miss
            Manager->>Fetcher: fetch(source_config)
            Fetcher->>Fetcher: retrieve, parse, validate, filter
            Fetcher-->>Manager: IP list
            Manager->>Cache: store result
        end
    end
    Manager->>Manager: dedupe & aggregate IPs

    Manager->>Client: list_ip_lists()
    Client->>CF: GET /lists
    CF-->>Client: lists
    Client-->>Manager: IPList objects

    Manager->>Manager: compute diff (to_add/to_remove)
    alt list exists
        Manager->>Client: replace_ip_list_items(list_id, items)
    else create list
        Manager->>Client: create_ip_list(name)
        Manager->>Client: add_ip_list_items(list_id, items)
    end

    Client->>CF: POST bulk operation
    CF-->>Client: operation id
    loop poll
        Client->>CF: GET operation status
        CF-->>Client: status
    end
    Client-->>Manager: final BulkOperation result
    Manager->>Manager: record SyncResult

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Areas to focus review on:

• packages/cloudflare-api/src/cloudflare_api/client.py — error mappings, bulk operation polling, retry/timeout behavior.
• packages/cloudflare-api/src/cloudflare_api/ip_groups/fetchers.py — parsing logic (JSON path extraction, heuristics), provider-specific filters and deduplication.
• packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py — cache invalidation, diffing logic, dry-run vs apply paths, error propagation.
• packages/cloudflare-api/src/cloudflare_api/settings.py & cloudflare-auth settings — environment mappings, singleton/reset behavior, and sensitive value handling.
• CI workflows: .github/workflows/publish.yml and secret handling (Infisical/GCP auth and version verification).

Possibly related PRs

• feat: add GCP Artifact Registry publishing workflow #1 — similar GitHub Actions workflow for publishing Python packages to Google Artifact Registry with tag-driven builds and version validation.

"🐰 I hopped through code with nimble paws,
New lists and fetchers, no breaking laws.
Docs stacked like carrots in a neat row,
Tests all green — oh what a glow!
A twirl of commits, a celebratory nose-twitch. 🥕"

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(cloudflare): add cloudflare-api package and fix broken imports' accurately describes the main changes: adding a new cloudflare-api package and fixing the broken imports in cloudflare-auth.
Linked Issues check	✅ Passed	The PR successfully addresses Issue #2 by creating cloudflare_auth/settings.py with CloudflareSettings and get_cloudflare_settings(), updating all three files (validators.py, middleware.py, middleware_enhanced.py) to import from the new module, and adding comprehensive tests.
Out of Scope Changes check	✅ Passed	All changes are within scope: cloudflare-api package development, cloudflare-auth import fixes, comprehensive testing, ADRs, documentation, and supporting CI/CD updates are all aligned with PR objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/assured-oss-artifact-registry

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ FIPS Compatibility Check

Metric	Count
Errors	0
Warnings	0
Info	3

Status: ✅ PASSED

What is FIPS?

FIPS 140-2/140-3 is a US government standard for cryptographic modules.
Systems running Ubuntu LTS with fips-updates or similar configurations
restrict cryptographic algorithms to NIST-approved ones.

Common issues:

• Using hashlib.md5() without usedforsecurity=False
• Dependencies using non-approved algorithms (bcrypt, DES, RC4)
• Weak cipher configurations

To address the issue and avoid substring matching, we can update the test so that it checks for the complete, expected warning message, rather than searching for the substring "gmail.com" anywhere in the warning. This assumes that the warning message format is deterministic. Specifically, replace:

assert any("gmail.com" in w for w in warnings)

with

assert "Public email domain detected: gmail.com" in warnings

If the message format may vary or contain additional content, another approach is to match messages that start with or equal the expected warning. The test only needs to assert that the expected warning is present. This change will fully resolve the warning, avoid substring checks, and maintain functional equivalence for the test.

No additional imports or package installations are required.

---

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 8 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...loudflare-auth/src/cloudflare_auth/rate_limiter.py	14.28%	6 Missing ⚠️
...udflare-auth/src/cloudflare_auth/redis_sessions.py	50.00%	1 Missing ⚠️
.../cloudflare-auth/src/cloudflare_auth/validators.py	50.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[github-actions]

✅ Mutation Testing Results

Metric	Value
Mutation Score	100.0%
Threshold	80%
Status	Passed

What is Mutation Testing?

Mutation testing introduces small changes (mutations) to your code and checks if your tests detect them. A high mutation score indicates your tests are effective at catching bugs.

• Killed mutants: Tests detected the change
• Survived mutants: Tests did not detect the change (potential gap)

[coderabbitai]

Actionable comments posted: 29

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

packages/gemini-image/src/gemini_image/cli.py (1)

159-176: Consider sending error messages to stderr

The FileNotFoundError is surfaced clearly via print(f"Error: {e}"), which is fine for interactive use. For better scriptability, you might route error output to stderr:

-        except FileNotFoundError as e:
-            print(f"Error: {e}")
+        except FileNotFoundError as e:
+            print(f"Error: {e}", file=sys.stderr)

This keeps stdout reserved for normal output while still exiting with code 1.

.env.example (1)

164-167: Avoid shell-style default expansion in .env example

SENTRY_ENVIRONMENT=${ENVIRONMENT:-development} assumes shell-style expansion, but many .env loaders treat this as a literal string. Consider either setting a plain default:

SENTRY_ENVIRONMENT=development

or documenting that this expression only makes sense when interpreted by a shell.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 31a9ddd and 2d84e06.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock, !**/*.lock

📒 Files selected for processing (44)

• .env.example (1 hunks)
• .github/workflows/publish.yml (1 hunks)
• docs/cloudflare-api-handoff.md (1 hunks)
• docs/planning/adr/README.md (1 hunks)
• docs/planning/adr/adr-001-monorepo-architecture.md (1 hunks)
• docs/planning/adr/adr-002-framework-agnostic-design.md (1 hunks)
• docs/planning/adr/adr-003-distribution-strategy.md (1 hunks)
• docs/planning/project-vision.md (2 hunks)
• docs/planning/roadmap.md (2 hunks)
• docs/planning/tech-spec.md (2 hunks)
• docs/secure.md (1 hunks)
• ip_groups.example.yaml (1 hunks)
• packages/cloudflare-api/README.md (1 hunks)
• packages/cloudflare-api/pyproject.toml (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/__init__.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/client.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/exceptions.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/ip_groups/__init__.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/ip_groups/cli.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/ip_groups/config.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/ip_groups/fetchers.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/models.py (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/settings.py (1 hunks)
• packages/cloudflare-api/tests/__init__.py (1 hunks)
• packages/cloudflare-api/tests/conftest.py (1 hunks)
• packages/cloudflare-api/tests/test_client.py (1 hunks)
• packages/cloudflare-api/tests/test_ip_groups.py (1 hunks)
• packages/cloudflare-api/tests/test_models.py (1 hunks)
• packages/cloudflare-api/tests/test_settings.py (1 hunks)
• packages/cloudflare-auth/pyproject.toml (1 hunks)
• packages/cloudflare-auth/src/cloudflare_auth/settings.py (1 hunks)
• packages/cloudflare-auth/tests/conftest.py (1 hunks)
• packages/cloudflare-auth/tests/test_integration.py (1 hunks)
• packages/cloudflare-auth/tests/test_models.py (1 hunks)
• packages/cloudflare-auth/tests/test_sessions.py (1 hunks)
• packages/cloudflare-auth/tests/test_settings.py (1 hunks)
• packages/cloudflare-auth/tests/test_whitelist.py (1 hunks)
• packages/gemini-image/src/gemini_image/cli.py (4 hunks)
• packages/gemini-image/tests/test_generator.py (0 hunks)
• packages/gemini-image/tests/test_models.py (0 hunks)
• packages/gemini-image/tests/test_utils.py (0 hunks)
• pyproject.toml (2 hunks)
• tests/test_example.py (0 hunks)

💤 Files with no reviewable changes (4)

• packages/gemini-image/tests/test_generator.py
• packages/gemini-image/tests/test_utils.py
• packages/gemini-image/tests/test_models.py
• tests/test_example.py

🧰 Additional context used

📓 Path-based instructions (5)

**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Use 120 character line length for Markdown documentation files

Files:

• packages/cloudflare-api/README.md
• docs/planning/adr/adr-002-framework-agnostic-design.md
• docs/planning/roadmap.md
• docs/planning/adr/adr-003-distribution-strategy.md
• docs/planning/project-vision.md
• docs/planning/tech-spec.md
• docs/planning/adr/adr-001-monorepo-architecture.md
• docs/secure.md
• docs/planning/adr/README.md
• docs/cloudflare-api-handoff.md

**/*.{yaml,yml}

📄 CodeRabbit inference engine (CLAUDE.md)

Use 2-space indentation for YAML configuration files with 120 character line length

Files:

• ip_groups.example.yaml

**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.py: Use Ruff formatting with 88 character line length for Python code
Use Ruff linting with PyStrict-aligned rules including BLE, EM, SLF, INP, ISC, PGH, RSE, TID, YTT, FA, T10, and G rules
Tag assumptions with #CRITICAL, #ASSUME, or #EDGE comments including category and reason for verification

Files:

• packages/cloudflare-api/src/cloudflare_api/models.py
• packages/cloudflare-api/src/cloudflare_api/ip_groups/__init__.py
• packages/cloudflare-auth/tests/test_integration.py
• packages/cloudflare-api/tests/test_models.py
• packages/cloudflare-api/src/cloudflare_api/exceptions.py
• packages/cloudflare-auth/tests/test_settings.py
• packages/cloudflare-auth/tests/test_whitelist.py
• packages/cloudflare-api/src/cloudflare_api/ip_groups/config.py
• packages/cloudflare-api/tests/test_client.py
• packages/cloudflare-auth/tests/test_sessions.py
• packages/cloudflare-api/src/cloudflare_api/settings.py
• packages/cloudflare-auth/tests/conftest.py
• packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py
• packages/cloudflare-api/src/cloudflare_api/ip_groups/cli.py
• packages/cloudflare-api/src/cloudflare_api/__init__.py
• packages/cloudflare-api/tests/test_ip_groups.py
• packages/cloudflare-auth/tests/test_models.py
• packages/cloudflare-api/tests/test_settings.py
• packages/cloudflare-auth/src/cloudflare_auth/settings.py
• packages/cloudflare-api/src/cloudflare_api/client.py
• packages/cloudflare-api/tests/__init__.py
• packages/gemini-image/src/gemini_image/cli.py
• packages/cloudflare-api/tests/conftest.py
• packages/cloudflare-api/src/cloudflare_api/ip_groups/fetchers.py

.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: Review GitHub Actions workflows for:

• Security best practices (minimal permissions, pinned actions)
• Proper secret handling
• Efficient caching strategies
• Clear job dependencies

Files:

• .github/workflows/publish.yml

pyproject.toml

⚙️ CodeRabbit configuration file

pyproject.toml: Review dependency changes for:

• Version constraint appropriateness
• Security implications of new dependencies
• License compatibility

Files:

• pyproject.toml

🧠 Learnings (5)

📚 Learning: 2025-12-14T22:54:23.007Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-14T22:54:23.007Z
Learning: Applies to src/**/*.py : Use centralized exception hierarchy from src/python_libs/core/exceptions.py for all error handling

Applied to files:

• packages/cloudflare-api/src/cloudflare_api/exceptions.py

📚 Learning: 2025-12-14T22:53:58.927Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-12-14T22:53:58.927Z
Learning: Applies to src/python_libs/**/*.py : Ensure exceptions are specific and appropriate for the failure mode; verify error messages are actionable and user-friendly; check retry mechanisms have proper backoff and limits

Applied to files:

• packages/cloudflare-api/src/cloudflare_api/exceptions.py

📚 Learning: 2025-12-14T22:54:23.007Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-14T22:54:23.007Z
Learning: Applies to src/python_libs/core/config.py : Use Pydantic Settings for environment-based configuration with .env files

Applied to files:

• packages/cloudflare-api/src/cloudflare_api/settings.py
• packages/cloudflare-auth/src/cloudflare_auth/settings.py

📚 Learning: 2025-12-14T22:54:23.007Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-14T22:54:23.007Z
Learning: Applies to tests/**/*.py : Use pytest fixtures defined in tests/conftest.py for test setup and teardown

Applied to files:

• packages/cloudflare-api/tests/conftest.py

📚 Learning: 2025-12-14T22:54:23.007Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-14T22:54:23.007Z
Learning: Applies to **/*.py : Use Ruff linting with PyStrict-aligned rules including BLE, EM, SLF, INP, ISC, PGH, RSE, TID, YTT, FA, T10, and G rules

Applied to files:

• pyproject.toml

🧬 Code graph analysis (13)

packages/cloudflare-api/src/cloudflare_api/ip_groups/__init__.py (2)

packages/cloudflare-api/src/cloudflare_api/ip_groups/config.py (4)

• IPGroupConfig (64-83)
• IPSourceConfig (26-61)
• SourceType (14-23)
• load_config (107-128)

packages/cloudflare-api/src/cloudflare_api/ip_groups/fetchers.py (6)

• AWSIPFetcher (380-455)
• GitHubIPFetcher (273-322)
• GoogleCloudIPFetcher (325-377)
• IPFetcher (27-92)
• StaticIPFetcher (95-114)
• URLIPFetcher (117-270)

packages/cloudflare-auth/tests/test_integration.py (4)

packages/cloudflare-auth/src/cloudflare_auth/models.py (4)

• CloudflareJWTClaims (28-106)
• CloudflareUser (109-266)
• from_jwt_claims (163-197)
• model_dump_safe (251-266)

packages/cloudflare-auth/src/cloudflare_auth/sessions.py (2)

• SimpleSessionManager (28-321)
• get_session_info (257-281)

packages/cloudflare-auth/src/cloudflare_auth/settings.py (3)

• CloudflareSettings (11-94)
• reset_settings (108-111)
• is_email_allowed (87-94)

packages/cloudflare-auth/src/cloudflare_auth/whitelist.py (5)

• EmailWhitelistValidator (157-512)
• UserTier (50-99)
• is_authorized (254-287)
• get_user_tier (327-379)
• is_admin (289-311)

packages/cloudflare-api/tests/test_models.py (1)

packages/cloudflare-api/src/cloudflare_api/models.py (7)

• BulkOperation (73-86)
• BulkOperationStatus (22-28)
• IPList (49-70)
• IPListItem (31-46)
• IPListItemInput (89-109)
• ListKind (13-19)
• to_api_dict (100-109)

packages/cloudflare-auth/tests/test_settings.py (1)

packages/cloudflare-auth/src/cloudflare_auth/settings.py (6)

• CloudflareSettings (11-94)
• get_cloudflare_settings (100-105)
• reset_settings (108-111)
• issuer (75-80)
• certs_url (83-85)
• is_email_allowed (87-94)

packages/cloudflare-auth/tests/test_whitelist.py (1)

packages/cloudflare-auth/src/cloudflare_auth/whitelist.py (15)

• EmailWhitelistConfig (119-154)
• EmailWhitelistValidator (157-512)
• UserTier (50-99)
• WhitelistManager (515-731)
• create_validator_from_env (734-787)
• from_string (64-81)
• is_authorized (254-287)
• is_admin (289-311)
• get_user_role (313-325)
• get_user_tier (327-379)
• get_whitelist_stats (411-431)
• validate_whitelist_config (497-512)
• add_email (644-677)
• remove_email (679-714)
• check_email (716-731)

packages/cloudflare-api/tests/test_client.py (4)

packages/cloudflare-api/src/cloudflare_api/exceptions.py (5)

• CloudflareAuthError (51-55)
• CloudflareBulkOperationError (140-167)
• CloudflareConflictError (170-176)
• CloudflareNotFoundError (84-111)
• CloudflareValidationError (114-137)

packages/cloudflare-api/src/cloudflare_api/models.py (2)

• BulkOperationStatus (22-28)
• ListKind (13-19)

packages/cloudflare-api/src/cloudflare_api/settings.py (1)

• CloudflareAPISettings (10-109)

packages/cloudflare-api/tests/conftest.py (4)

• mock_env_vars (24-33)
• mock_cloudflare_client (37-42)
• sample_ip_list_response (46-57)
• sample_ip_list_item_response (61-69)

packages/cloudflare-auth/tests/test_sessions.py (2)

packages/cloudflare-auth/src/cloudflare_auth/sessions.py (2)

• SimpleSessionManager (28-321)
• get_session_info (257-281)

packages/cloudflare-auth/tests/test_integration.py (1)

• session_manager (39-41)

packages/cloudflare-api/src/cloudflare_api/ip_groups/cli.py (1)

packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py (6)

• IPGroupManager (68-466)
• from_config (104-119)
• preview_group (234-274)
• list_groups (408-427)
• _get_group (429-447)
• fetch_group_ips (197-232)

packages/cloudflare-api/src/cloudflare_api/__init__.py (4)

packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py (1)

• client (122-126)

packages/cloudflare-api/src/cloudflare_api/exceptions.py (6)

• CloudflareAPIError (9-48)
• CloudflareAuthError (51-55)
• CloudflareBulkOperationError (140-167)
• CloudflareNotFoundError (84-111)
• CloudflareRateLimitError (58-81)
• CloudflareValidationError (114-137)

packages/cloudflare-api/src/cloudflare_api/models.py (2)

• BulkOperation (73-86)
• ListKind (13-19)

packages/cloudflare-api/src/cloudflare_api/settings.py (3)

• CloudflareAPISettings (10-109)
• get_cloudflare_api_settings (115-127)
• reset_settings (130-133)

packages/cloudflare-api/tests/test_settings.py (2)

packages/cloudflare-api/src/cloudflare_api/settings.py (4)

• CloudflareAPISettings (10-109)
• get_cloudflare_api_settings (115-127)
• reset_settings (130-133)
• get_token_value (103-109)

packages/cloudflare-api/tests/conftest.py (1)

• mock_env_vars (24-33)

packages/cloudflare-auth/src/cloudflare_auth/settings.py (1)

packages/cloudflare-api/src/cloudflare_api/settings.py (1)

• reset_settings (130-133)

packages/cloudflare-api/src/cloudflare_api/client.py (3)

packages/cloudflare-api/src/cloudflare_api/exceptions.py (5)

• CloudflareAPIError (9-48)
• CloudflareAuthError (51-55)
• CloudflareNotFoundError (84-111)
• CloudflareRateLimitError (58-81)
• CloudflareValidationError (114-137)

packages/cloudflare-api/src/cloudflare_api/models.py (7)

• BulkOperation (73-86)
• BulkOperationStatus (22-28)
• IPList (49-70)
• IPListItem (31-46)
• IPListItemInput (89-109)
• ListKind (13-19)
• to_api_dict (100-109)

packages/cloudflare-api/src/cloudflare_api/settings.py (3)

• CloudflareAPISettings (10-109)
• get_cloudflare_api_settings (115-127)
• get_token_value (103-109)

packages/cloudflare-api/src/cloudflare_api/ip_groups/fetchers.py (1)

packages/cloudflare-api/src/cloudflare_api/ip_groups/config.py (2)

• IPSourceConfig (26-61)
• SourceType (14-23)

🪛 GitHub Actions: CI

packages/cloudflare-auth/tests/test_integration.py

[warning] 46-46: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

---

[warning] 59-59: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

---

[warning] 109-109: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

---

[warning] 143-143: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

packages/cloudflare-auth/tests/test_whitelist.py

[warning] 258-258: PT011 pytest.raises(ValueError) is too broad, set the match parameter or use a more specific exception.

packages/cloudflare-auth/tests/test_sessions.py

[warning] 116-116: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

packages/cloudflare-auth/tests/conftest.py

[warning] 32-32: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

---

[warning] 46-46: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

packages/cloudflare-auth/tests/test_models.py

[warning] 56-56: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

---

[warning] 64-64: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

packages/cloudflare-auth/src/cloudflare_auth/settings.py

[warning] 102-102: PLW0603 Using the global statement to update _settings_instance is discouraged.

---

[warning] 110-110: PLW0603 Using the global statement to update _settings_instance is discouraged.

🪛 GitHub Check: CodeQL

packages/cloudflare-auth/tests/test_whitelist.py

[failure] 221-221: Incomplete URL substring sanitization
The string gmail.com may be at an arbitrary position in the sanitized URL.

.github/workflows/publish.yml

[warning] 58-58: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Publish Package' step Uses Step uses 'Infisical/secrets-action' with ref 'v1.0.7', not a pinned commit hash

🪛 LanguageTool

docs/planning/tech-spec.md

[uncategorized] ~274-~274: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ... API changes - Minor: New features, backward compatible - Patch: Bug fixes, backward compat...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

docs/secure.md

[uncategorized] ~110-~110: The official name of this software platform is spelled with a capital “H”.
Context: ...### 2.2 Add Publishing Workflow Create .github/workflows/publish.yml with this conten...

(GITHUB)

---

[style] ~383-~383: Consider an alternative verb to strengthen your wording.
Context: ...n) Start with gcs-utilities since it has no import issues: ```bash # Ensure you...

(IF_YOU_HAVE_THIS_PROBLEM)

---

[uncategorized] ~470-~470: The official name of this software platform is spelled with a capital “H”.
Context: ...te Workflow Add the new tag pattern to .github/workflows/publish.yml: ```yaml on: ...

(GITHUB)

docs/cloudflare-api-handoff.md

[uncategorized] ~93-~93: The official name of this software platform is spelled with a capital “H”.
Context: ...- SourceType - Enum: static, url, github, google_cloud, aws, azure, `clou...

(GITHUB)

---

[style] ~592-~592: As an alternative to the over-used intensifier ‘very’, consider replacing this phrase.
Context: ...handled with error) 3. Large Lists: Very large IP lists (>10,000 items) may hit API li...

(EN_WEAK_ADJECTIVE)

🪛 markdownlint-cli2 (0.18.1)

docs/planning/adr/adr-002-framework-agnostic-design.md

115-115: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

docs/planning/adr/adr-001-monorepo-architecture.md

117-117: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

docs/secure.md

17-17: Bare URL used

(MD034, no-bare-urls)

---

36-36: Bare URL used

(MD034, no-bare-urls)

---

98-98: Bare URL used

(MD034, no-bare-urls)

---

523-523: Bare URL used

(MD034, no-bare-urls)

---

539-539: Bare URL used

(MD034, no-bare-urls)

---

540-540: Files should end with a single newline character

(MD047, single-trailing-newline)

docs/cloudflare-api-handoff.md

117-117: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Mutation Testing / Mutation Testing

🔇 Additional comments (52)

packages/gemini-image/src/gemini_image/cli.py (3)

17-25: list_models output is clear and CLI-friendly

The updated prints produce a readable, structured listing of available models; behavior is appropriate for a CLI tool.

---

181-186: Story-parts validation message is appropriate

The validation of args.story_parts < 2 with a concise error message and non‑zero exit code is correct for guarding misuse of the flag.

---

216-221: Draft completion banner is helpful UX

The multi-line draft completion banner gives clear, actionable next steps to users and stays within CLI-friendly formatting limits. No issues from a linting or behavior perspective.

packages/cloudflare-api/tests/__init__.py (1)

1-1: LGTM!

The test package docstring is appropriate and follows Python conventions.

pyproject.toml (2)

312-333: LGTM!

The per-file-ignores for package test files correctly mirrors the relaxed rules applied to root-level tests, ensuring consistent linting behavior across all test suites.

---

356-359: LGTM!

The CLI-specific rule allowing print statements (T20) is appropriate, as CLI tools legitimately use print for user output.

packages/cloudflare-auth/src/cloudflare_auth/settings.py (4)

1-21: LGTM!

The module structure and Pydantic settings configuration are well-designed. The hybrid approach of reading from environment while accepting injected settings provides good flexibility.

Based on learnings, this correctly uses Pydantic Settings for environment-based configuration with .env files.

---

62-72: LGTM!

The comma-separated string parser is well-implemented with proper handling of edge cases (empty strings, None values, already-parsed lists).

---

74-94: LGTM!

The derived properties and email validation logic are well-implemented:

• Safe URL construction with protocol handling
• Case-insensitive domain comparison
• Proper handling of missing configuration

---

97-111: Singleton pattern is appropriate; linter warnings are expected.

The global variable pattern for implementing a settings singleton is a widely-accepted approach in Python. The PLW0603 warnings from the linter are expected and can be safely ignored in this context.

Alternative patterns (e.g., @lru_cache(maxsize=1)) exist but the current implementation is clear and idiomatic. The reset_settings() function for testing is a good practice.

docs/planning/adr/adr-003-distribution-strategy.md (1)

1-181: LGTM!

This ADR is well-structured and comprehensive. It clearly documents:

• The two-phase distribution approach (Git → Artifact Registry)
• Rationale with pros/cons for each option
• Implementation guidance with concrete examples
• Validation criteria and review schedule

The code examples properly include language identifiers for all fenced code blocks.

docs/planning/adr/README.md (1)

30-32: LGTM!

The ADR index is correctly updated with the three new architecture decision records. The table formatting is consistent and the links, statuses, and dates are accurate.

packages/cloudflare-auth/pyproject.toml (1)

27-27: The [email] extra is appropriately included and actively used.

Verification confirms the package uses Pydantic's EmailStr type (imported in models.py and applied to email fields in CloudflareJWTClaims and AuthenticatedUser classes), and directly imports email_validator in whitelist.py for email normalization and validation. The [email] extra is necessary to ensure email validation functionality works as designed.

packages/cloudflare-api/tests/conftest.py (1)

16-88: Good fixture design and test isolation

Autouse settings reset, environment patching, and the shared Cloudflare client mock give clean test isolation and align with the repo’s convention of centralizing fixtures in tests/conftest.py.

packages/cloudflare-api/pyproject.toml (1)

1-71: Package configuration looks coherent

Project metadata, wheel build target, script entry point, and semantic-release tag format are consistent with the new cloudflare_api package layout.

packages/cloudflare-api/README.md (1)

1-142: README examples align with the exposed API surface

Configuration, client usage, and async operation examples match the described cloudflare_api settings and client APIs and provide enough detail for first-time users.

packages/cloudflare-api/tests/test_models.py (1)

14-149: Model tests cover key contracts and defaults

Enum values, model defaults, and IPListItemInput.to_api_dict behavior are exercised in both minimal and populated cases, giving good guardrails around the cloudflare_api.models surface.

docs/planning/project-vision.md (1)

14-112: Project vision doc is clear and aligned with current scope

The updated vision, scope, and success metrics sections are concrete and consistent with the monorepo/UV workspace and private-distribution strategy described elsewhere in the planning docs.

ip_groups.example.yaml (1)

1-144: Example IP groups configuration looks solid

Structure, indentation, and field naming align with the ip_groups config models; nothing blocking here.

packages/cloudflare-api/tests/test_ip_groups.py (1)

1-488: Comprehensive IP groups tests look good

Configuration, fetchers, and manager behaviors are well covered, including error and edge scenarios; no issues found.

packages/cloudflare-api/src/cloudflare_api/models.py (1)

13-123: Pydantic models for IP lists and bulk operations look solid

Enum values, field types/defaults, and IPListItemInput.to_api_dict() behavior all align with the intended Cloudflare IP list API usage. I don’t see correctness or typing issues here.

packages/cloudflare-api/tests/test_settings.py (1)

18-118: Settings test suite thoroughly exercises configuration behavior

These tests do a good job covering required env vars, defaults, validation (including case‑insensitive list kinds), and the singleton/reset semantics. The env patching pattern looks correct and isolated.

packages/cloudflare-api/src/cloudflare_api/__init__.py (1)

1-73: Cloudflare API package initializer exports a clear, cohesive public surface

The __all__ list cleanly re-exports the client, core models, settings helpers, and exceptions, and the docstring examples are consistent with that API. __version__ wiring also looks appropriate for a 0.1.0 initial release.

packages/cloudflare-auth/tests/test_integration.py (1)

6-6: No action needed. The code already implements the suggested fix: timezone is imported at line 6, and all five datetime.now() calls at lines 46, 59, 109, 143, and 338 already use datetime.now(tz=timezone.utc) to create timezone-aware timestamps. There are no DTZ005 violations in the current code.

Likely an incorrect or invalid review comment.

packages/cloudflare-api/src/cloudflare_api/ip_groups/cli.py (4)

15-26: LGTM!

The logging setup is appropriate for a CLI application. Using basicConfig with configurable verbosity is a clean approach.

---

227-238: LGTM with minor observation.

The exception handling is appropriate for a CLI entry point. Catching specific exceptions (FileNotFoundError, ValueError) before the broad Exception is good practice. Using logging.exception for unexpected errors ensures full tracebacks are logged for debugging.

---

29-60: LGTM!

The cmd_sync function correctly handles both single-group and all-groups sync scenarios, provides clear user feedback with appropriate status indicators, and returns meaningful exit codes.

---

63-100: LGTM!

The cmd_preview and cmd_list functions provide well-structured output with both JSON and human-readable formats. The preview truncation logic (showing first 10 items) is sensible for large IP lists.

Also applies to: 103-130

packages/cloudflare-api/src/cloudflare_api/settings.py (4)

10-31: LGTM!

Well-structured settings class using Pydantic BaseSettings with appropriate configuration. The model_config correctly specifies .env file support, case-insensitive env vars, and populate_by_name=True for alias support. Based on learnings, this aligns with the project pattern for environment-based configuration.

---

33-55: Good security practice with SecretStr.

Using SecretStr for cloudflare_api_token and cloudflare_api_key prevents accidental logging or serialization of sensitive credentials.

---

93-101: LGTM!

The validator correctly normalizes the list kind to lowercase and provides a clear error message with valid options.

---

112-133: LGTM!

The singleton pattern with reset_settings() for testing is a pragmatic approach. The lazy initialization ensures settings are only loaded when first accessed.

packages/cloudflare-api/src/cloudflare_api/exceptions.py (3)

9-48: Well-designed base exception class.

The CloudflareAPIError provides comprehensive error context with code, errors, and response attributes. The __str__ implementation concatenates relevant details for actionable error messages. Based on learnings, this aligns with the centralized exception hierarchy pattern.

---

58-81: Good inclusion of retry_after for rate limiting.

The retry_after attribute enables callers to implement proper backoff strategies when rate limited, following best practices for resilient API clients.

---

84-111: LGTM!

The specialized exception classes (CloudflareNotFoundError, CloudflareValidationError, CloudflareBulkOperationError, CloudflareConflictError) provide appropriate context attributes for each error type. This enables callers to handle errors specifically and extract relevant debugging information.

Also applies to: 114-137, 140-167, 170-176

packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py (5)

128-138: MD5 usage is acceptable for cache key generation.

Using MD5 here is appropriate since it's solely for cache key generation, not for security purposes. The truncation to 8 characters is sufficient for cache differentiation.

---

367-374: Error handling appropriately returns SyncResult with error context.

Catching exceptions and returning a SyncResult with the error message allows the caller to process partial results from sync_all. This is a good pattern for batch operations where individual failures shouldn't halt the entire process.

---

88-126: LGTM!

The constructor and factory method are well-designed. The from_config classmethod provides a convenient way to instantiate from a config file, and the lazy client initialization via property is appropriate.

---

197-232: LGTM!

The fetch_group_ips method properly aggregates IPs from multiple sources, deduplicates using a set, and provides informative logging. Re-raising exceptions after logging allows callers to handle failures appropriately.

---

234-274: LGTM!

The preview_group, sync_all, and list_groups methods are well-implemented with clear logic, appropriate logging, and comprehensive return values.

Also applies to: 376-406, 408-427

packages/cloudflare-auth/tests/test_models.py (2)

11-80: LGTM!

Comprehensive test coverage for CloudflareJWTClaims including required/optional fields, timestamp properties, expiration checks, and audience handling. The tests are well-structured with clear assertions.

---

83-208: LGTM!

Excellent test coverage for CloudflareUser model including user creation, tier handling, domain/username properties, premium access checks, role properties, and the model_dump_safe security behavior. The test correctly verifies that sensitive claims are excluded from the safe dump.

packages/cloudflare-api/src/cloudflare_api/ip_groups/fetchers.py (5)

1-25: LGTM on imports and constants.

The module structure is clean with appropriate imports, logging setup, and well-documented provider URL constants.

---

95-115: LGTM!

StaticIPFetcher correctly validates IPs, logs warnings for invalid entries, and applies version filtering.

---

273-323: LGTM!

GitHubIPFetcher correctly handles service filtering with sensible defaults, validates IPs, deduplicates results, and provides informative logging.

---

325-378: LGTM!

GoogleCloudIPFetcher correctly handles region/service filtering, extracts both IPv4 and IPv6 prefixes, and deduplicates results.

---

380-456: LGTM!

AWSIPFetcher correctly processes both IPv4 and IPv6 prefixes with region/service filtering. The _matches_filters helper provides clean separation of concerns.

packages/cloudflare-api/src/cloudflare_api/client.py (5)

1-40: LGTM on imports and module setup.

Clean organization with SDK exceptions mapped to custom domain exceptions, proper model imports, and appropriate logging configuration.

---

63-85: LGTM on initialization.

Clean dependency injection pattern with sensible defaults. The truncated account ID logging is appropriate for security while maintaining debuggability.

---

376-437: LGTM on bulk item operations.

Clean implementation with proper async operation handling, conflict detection for pending operations, and consistent logging. The item conversion logic handles both IPListItemInput and dict inputs gracefully.

---

583-626: LGTM on bulk operation waiting logic.

Proper timeout handling, clear status logging, and appropriate error propagation. The polling approach with configurable interval is suitable for synchronous operation.

---

657-676: LGTM on convenience methods.

ensure_ip_list provides a clean get-or-create pattern, and sync_ip_list offers a simplified interface for full list replacement with optional per-IP comments.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add languages to fenced code blocks to satisfy MD040

Some fenced code blocks (e.g., the package/file trees under “Package Structure”, “Core Package Files”, and “Configuration Examples”) use bare triple backticks without a language, which triggers MD040. Consider annotating them as plain text:

```text
# tree listing...

This keeps markdownlint happy and improves editor/tooling support.  



Also applies to: 510-533, 536-538

<details>
<summary>🤖 Prompt for AI Agents</summary>

In docs/cloudflare-api-handoff.md around lines 26 to 47 (and also at the other
flagged ranges 510-533 and 536-538), several fenced code blocks are missing a
language tag which triggers MD040; update each triple-backtick fence for
file/dir trees and other plain text blocks to use a language identifier (e.g.,

ensuring all fenced code blocks in those ranges include the language tag.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language identifier to fenced code block.

The directory structure code block should specify a language identifier for proper syntax highlighting and to satisfy linting rules.

Apply this diff:

-```
+```text
 python-libs/
 ├── pyproject.toml              # Workspace root
 ├── packages/

Based on coding guidelines, Markdown files should use proper code block language identifiers.

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

117-117: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

In docs/planning/adr/adr-001-monorepo-architecture.md around lines 117 to 128,
the fenced code block showing the directory structure lacks a language
identifier; update the opening fence from ``` to ```text (and ensure the
matching closing fence remains) so the block becomes ```text ... ``` to satisfy
linting and provide correct syntax highlighting.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language identifier to fenced code block.

The directory structure code block should specify a language identifier for proper syntax highlighting and to satisfy linting rules.

Apply this diff:

-```
+```text
 cloudflare-auth/
 ├── src/cloudflare_auth/
 │   ├── __init__.py           # Public API

Based on coding guidelines, Markdown files should use proper code block language identifiers.

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

115-115: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

In docs/planning/adr/adr-002-framework-agnostic-design.md around lines 115 to
129 the fenced code block showing the directory tree lacks a language
identifier; update the opening fence from ``` to ```text so the block becomes
```text and leave the rest unchanged, ensuring the code block uses the "text"
language identifier for proper highlighting and to satisfy linters.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Wrap TL;DR to respect 120‑character Markdown line limit

The TL;DR line is very long; consider wrapping for readability and guideline compliance.

-### TL;DR
-
-Consolidate shared utilities into python-libs across 4 phases: Foundation (complete existing packages), Stabilization (tests, docs, first consumers), Consolidation (refactor for reusability), Expansion (add new packages from pattern analysis), Distribution (Artifact Registry + cookiecutter integration).
+### TL;DR
+
+Consolidate shared utilities into python-libs across 4 phases:
+- Foundation (complete existing packages)
+- Stabilization (tests, docs, first consumers)
+- Consolidation (refactor for reusability)
+- Expansion (add new packages from pattern analysis)
+- Distribution (Artifact Registry + cookiecutter integration)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	### TL;DR
	1. Open Claude Code in this project directory
	2. Describe your project concept
	3. Run: `/plan <your project description>`
	Consolidate shared utilities into python-libs across 4 phases: Foundation (complete existing packages), Stabilization (tests, docs, first consumers), Consolidation (refactor for reusability), Expansion (add new packages from pattern analysis), Distribution (Artifact Registry + cookiecutter integration).
	### TL;DR
	Consolidate shared utilities into python-libs across 4 phases:
	- Foundation (complete existing packages)
	- Stabilization (tests, docs, first consumers)
	- Consolidation (refactor for reusability)
	- Expansion (add new packages from pattern analysis)
	- Distribution (Artifact Registry + cookiecutter integration)

🤖 Prompt for AI Agents

In docs/planning/roadmap.md around lines 18 to 21, the TL;DR header paragraph is
a single overly long line; reflow it so no line exceeds 120 characters by
breaking the sentence into multiple Markdown lines at sensible word boundaries
(e.g., after commas or phase names) while preserving the original wording and
Markdown formatting, ensuring each new line is ≤120 chars and the paragraph
renders as a single Markdown paragraph.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Good coverage; consider minimizing sleep-based timing in tests

The session expiration and security tests are thorough. If test runtime ever becomes a concern, you could reduce reliance on real time.sleep(...) (e.g., inject a clock or use a shorter timeout/sleep) while keeping the same behavioral coverage, especially in test_get_session_expired and test_session_id_is_secure.

Also applies to: 245-260

🧰 Tools

🪛 GitHub Actions: CI

[warning] 116-116: DTZ005 datetime.datetime.now() called without a tz argument. Pass a datetime.timezone object to the tz parameter.

🤖 Prompt for AI Agents

In packages/cloudflare-auth/tests/test_sessions.py around lines 74-152 (and
similarly at 245-260), the tests rely on real time.sleep calls to trigger
session expiry which makes tests slow and flaky; change the tests to avoid real
sleeping by either (a) using a configurable clock injected into the
SessionManager (or passing a time function) and advancing/mock the clock in
tests, or (b) monkeypatching/time-freezing time.time (or using freezegun) so you
can simulate expiry instantly, or (c) reduce the session timeout in the
short_timeout_manager fixture to a much smaller value and shorten sleeps
accordingly; update the fixtures and tests to use one of these approaches and
remove long sleep calls so tests remain fast and deterministic.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Avoid duplicating settings reset logic between fixture and teardown

If the autouse reset_settings_after_test fixture in conftest.py is active for this module, this teardown_method becomes redundant. Keeping only one reset mechanism reduces maintenance overhead and avoids surprises if reset behavior changes.

🤖 Prompt for AI Agents

In packages/cloudflare-auth/tests/test_settings.py around lines 146 to 171, the
teardown_method that calls reset_settings() duplicates the autouse
reset_settings_after_test fixture from conftest.py; remove the teardown_method
entirely so the module relies on the single autouse fixture to reset state
between tests, or if you prefer test-local control, disable the autouse fixture
and keep the teardown_method—ensure only one reset mechanism remains to avoid
double resets.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Align other errors with stderr usage (optional)

As with the earlier FileNotFoundError block, you may want to send these ValueError/ImportError messages to stderr to make it easier for callers to separate errors from normal output:

-    except (ValueError, ImportError) as e:
-        print(f"Error: {e}")
+    except (ValueError, ImportError) as e:
+        print(f"Error: {e}", file=sys.stderr)

This is an optional CLI-hardening improvement; behavior is otherwise fine.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	except (ValueError, ImportError) as e:
	print(f"Error: {e}") # noqa: T201
	print(f"Error: {e}")
	sys.exit(1)
	except (ValueError, ImportError) as e:
	print(f"Error: {e}", file=sys.stderr)
	sys.exit(1)

🤖 Prompt for AI Agents

In packages/gemini-image/src/gemini_image/cli.py around lines 224 to 226, the
exception handler prints ValueError/ImportError messages to stdout; change the
print call to write to stderr instead (e.g., use print(..., file=sys.stderr) or
equivalent) so error output is separated from normal output, then exit as before
with sys.exit(1).

[sonarqubecloud]

Quality Gate failed

Failed conditions
60 Security Hotspots
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[coderabbitai]

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

sonar-project.properties (1)

78-78: Consolidate duplicate sonar.issue.ignore.multicriteria definitions.

The property is defined twice (line 78 and line 95), and the second definition overrides the first. In properties files, only the last value is active. Consolidate into a single definition to avoid confusion and reduce maintenance burden.

Apply this diff:

  # Ignore specific rules for certain files
  # Format: sonar.issue.ignore.multicriteria.<key>.ruleKey=<rule>
  #         sonar.issue.ignore.multicriteria.<key>.resourceKey=<pattern>
  
- # Example: Ignore complexity warnings in __init__.py files
- sonar.issue.ignore.multicriteria=e1,e2,e3
+ # Example: Ignore complexity warnings in __init__.py files
+ sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6,e7
  
  sonar.issue.ignore.multicriteria.e1.ruleKey=python:S1192
  sonar.issue.ignore.multicriteria.e1.resourceKey=**/__init__.py
  
  # Example: Ignore string duplication in test files
  sonar.issue.ignore.multicriteria.e2.ruleKey=python:S1192
  sonar.issue.ignore.multicriteria.e2.resourceKey=**/tests/**
  
  # Example: Ignore too-many-arguments in test fixtures
  sonar.issue.ignore.multicriteria.e3.ruleKey=python:S107
  sonar.issue.ignore.multicriteria.e3.resourceKey=**/conftest.py
  
- # =============================================================================
- # Security Hotspot Exclusions for Test Files
- # =============================================================================
- # Test files intentionally use hardcoded IPs, HTTP URLs, etc. for testing
- sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6,e7
  
  # Ignore hardcoded IP addresses in test files (S1313)
  sonar.issue.ignore.multicriteria.e4.ruleKey=python:S1313
  sonar.issue.ignore.multicriteria.e4.resourceKey=**/tests/**
  
  # Ignore HTTP protocol warnings in test files (S5332)
  sonar.issue.ignore.multicriteria.e5.ruleKey=python:S5332
  sonar.issue.ignore.multicriteria.e5.resourceKey=**/tests/**
  
  # Ignore hardcoded credentials in test files (S2068)
  sonar.issue.ignore.multicriteria.e6.ruleKey=python:S2068
  sonar.issue.ignore.multicriteria.e6.resourceKey=**/tests/**
  
  # Ignore hardcoded secrets in test files (S6418)
  sonar.issue.ignore.multicriteria.e7.ruleKey=python:S6418
  sonar.issue.ignore.multicriteria.e7.resourceKey=**/tests/**

Also applies to: 95-95

packages/cloudflare-auth/src/cloudflare_auth/validators.py (1)

22-22: Outdated docstring reference.

The docstring still references src.config.settings but the import was updated to cloudflare_auth.config. Update for consistency:

-    - src.config.settings: For Cloudflare configuration
+    - cloudflare_auth.config: For Cloudflare configuration

packages/cloudflare-auth/src/cloudflare_auth/models.py (1)

148-151: Inconsistent timezone handling for authenticated_at.

default_factory=datetime.now creates naive (timezone-unaware) datetimes, while the rest of the module uses timezone.utc. This inconsistency can cause comparison issues.

     authenticated_at: datetime = Field(
-        default_factory=datetime.now,
+        default_factory=lambda: datetime.now(tz=timezone.utc),
         description="Timestamp when user was authenticated",
     )

♻️ Duplicate comments (3)

packages/cloudflare-auth/src/cloudflare_auth/settings.py (1)

22-24: Consider making required fields truly required to prevent silent misconfiguration.

The cloudflare_team_domain and cloudflare_audience_tag fields have empty string defaults, which can hide misconfiguration. The issuer property (lines 77-80) checks for empty strings and returns "", leading to silent failures rather than explicit validation errors at startup.

Removing the default values will cause Pydantic to raise clear validation errors if these environment variables are missing:

-    cloudflare_team_domain: str = Field(default="", alias="CLOUDFLARE_TEAM_DOMAIN")
-    cloudflare_audience_tag: str = Field(default="", alias="CLOUDFLARE_AUDIENCE_TAG")
+    cloudflare_team_domain: str = Field(alias="CLOUDFLARE_TEAM_DOMAIN")
+    cloudflare_audience_tag: str = Field(alias="CLOUDFLARE_AUDIENCE_TAG")

packages/cloudflare-auth/tests/test_whitelist.py (1)

256-260: Add match parameter to pytest.raises for precise error assertion.

The test should assert the specific error message to satisfy PT011 and align with best practices.

     def test_add_email_invalid_format(self, manager):
         """Test adding invalid email format."""
-        with pytest.raises(ValueError):
+        with pytest.raises(ValueError, match="Invalid email format"):
             manager.add_email("invalid-email")

packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py (1)

64-66: Critical: Naive datetime causes TypeError in cache validation.

Line 65 uses datetime.now without timezone, creating a naive datetime. However, line 158 compares this with datetime.now(tz=timezone.utc), which will raise TypeError: can't subtract offset-naive and offset-aware datetimes when the default factory is used.

Apply this diff to use timezone-aware datetime consistently:

-    fetched_at: datetime = field(default_factory=datetime.now)
+    fetched_at: datetime = field(default_factory=lambda: datetime.now(tz=timezone.utc))

This ensures all datetime operations throughout the cache validation logic (lines 158, 190) use timezone-aware datetimes consistently.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2d84e06 and f80e6d2.

📒 Files selected for processing (16)

• .github/workflows/publish.yml (1 hunks)
• .github/workflows/sonarcloud.yml (1 hunks)
• .github/workflows/validate-cruft.yml (1 hunks)
• packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py (1 hunks)
• packages/cloudflare-auth/src/cloudflare_auth/models.py (4 hunks)
• packages/cloudflare-auth/src/cloudflare_auth/rate_limiter.py (7 hunks)
• packages/cloudflare-auth/src/cloudflare_auth/redis_sessions.py (3 hunks)
• packages/cloudflare-auth/src/cloudflare_auth/sessions.py (7 hunks)
• packages/cloudflare-auth/src/cloudflare_auth/settings.py (1 hunks)
• packages/cloudflare-auth/src/cloudflare_auth/validators.py (2 hunks)
• packages/cloudflare-auth/tests/conftest.py (1 hunks)
• packages/cloudflare-auth/tests/test_integration.py (1 hunks)
• packages/cloudflare-auth/tests/test_models.py (1 hunks)
• packages/cloudflare-auth/tests/test_whitelist.py (1 hunks)
• pyproject.toml (3 hunks)
• sonar-project.properties (2 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: Review GitHub Actions workflows for:

• Security best practices (minimal permissions, pinned actions)
• Proper secret handling
• Efficient caching strategies
• Clear job dependencies

Files:

• .github/workflows/validate-cruft.yml
• .github/workflows/sonarcloud.yml
• .github/workflows/publish.yml

**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.py: Use Ruff formatting with 88 character line length for Python code
Use Ruff linting with PyStrict-aligned rules including BLE, EM, SLF, INP, ISC, PGH, RSE, TID, YTT, FA, T10, and G rules
Tag assumptions with #CRITICAL, #ASSUME, or #EDGE comments including category and reason for verification

Files:

• packages/cloudflare-auth/src/cloudflare_auth/redis_sessions.py
• packages/cloudflare-auth/src/cloudflare_auth/rate_limiter.py
• packages/cloudflare-auth/src/cloudflare_auth/sessions.py
• packages/cloudflare-auth/src/cloudflare_auth/settings.py
• packages/cloudflare-auth/tests/test_whitelist.py
• packages/cloudflare-auth/tests/conftest.py
• packages/cloudflare-auth/src/cloudflare_auth/validators.py
• packages/cloudflare-auth/tests/test_models.py
• packages/cloudflare-auth/tests/test_integration.py
• packages/cloudflare-auth/src/cloudflare_auth/models.py
• packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py

pyproject.toml

⚙️ CodeRabbit configuration file

pyproject.toml: Review dependency changes for:

• Version constraint appropriateness
• Security implications of new dependencies
• License compatibility

Files:

• pyproject.toml

🧠 Learnings (4)

📚 Learning: 2025-12-14T22:54:23.007Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-14T22:54:23.007Z
Learning: Applies to src/python_libs/core/config.py : Use Pydantic Settings for environment-based configuration with .env files

Applied to files:

• packages/cloudflare-auth/src/cloudflare_auth/settings.py

📚 Learning: 2025-12-14T22:53:58.927Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-12-14T22:53:58.927Z
Learning: Applies to src/python_libs/**/*.py : Ensure exceptions are specific and appropriate for the failure mode; verify error messages are actionable and user-friendly; check retry mechanisms have proper backoff and limits

Applied to files:

• packages/cloudflare-auth/tests/test_whitelist.py

📚 Learning: 2025-12-14T22:54:23.007Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-14T22:54:23.007Z
Learning: Applies to **/*.py : Use Ruff linting with PyStrict-aligned rules including BLE, EM, SLF, INP, ISC, PGH, RSE, TID, YTT, FA, T10, and G rules

Applied to files:

• sonar-project.properties
• pyproject.toml

📚 Learning: 2025-12-14T22:53:58.927Z

Learnt from: CR
Repo: ByronWilliamsCPA/python-libs PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-12-14T22:53:58.927Z
Learning: Applies to src/python_libs/**/*.py : Ensure code is self-documenting through clear naming; replace magic numbers with named constants; verify complexity is appropriate and could not be simplified

Applied to files:

• pyproject.toml

🧬 Code graph analysis (4)

packages/cloudflare-auth/src/cloudflare_auth/settings.py (1)

packages/cloudflare-api/src/cloudflare_api/settings.py (1)

• reset_settings (130-133)

packages/cloudflare-auth/tests/test_whitelist.py (1)

packages/cloudflare-auth/src/cloudflare_auth/whitelist.py (15)

• EmailWhitelistConfig (119-154)
• EmailWhitelistValidator (157-512)
• UserTier (50-99)
• WhitelistManager (515-731)
• create_validator_from_env (734-787)
• from_string (64-81)
• is_authorized (254-287)
• is_admin (289-311)
• get_user_role (313-325)
• get_user_tier (327-379)
• get_whitelist_stats (411-431)
• validate_whitelist_config (497-512)
• add_email (644-677)
• remove_email (679-714)
• check_email (716-731)

packages/cloudflare-auth/tests/conftest.py (4)

packages/cloudflare-auth/tests/test_integration.py (1)

• settings (20-26)

packages/cloudflare-auth/src/cloudflare_auth/settings.py (1)

• reset_settings (108-111)

packages/cloudflare-api/src/cloudflare_api/settings.py (1)

• reset_settings (130-133)

packages/cloudflare-api/tests/conftest.py (1)

• reset_settings_after_test (17-20)

packages/cloudflare-auth/tests/test_models.py (4)

packages/cloudflare-auth/src/cloudflare_auth/models.py (13)

• CloudflareJWTClaims (28-106)
• CloudflareUser (109-266)
• issued_at (72-78)
• expires_at (81-87)
• is_expired (90-96)
• get_audience_list (98-106)
• from_jwt_claims (163-197)
• email_domain (200-206)
• email_username (209-215)
• has_email_domain (217-231)
• can_access_premium_models (234-240)
• role (243-249)
• model_dump_safe (251-266)

packages/cloudflare-auth/src/cloudflare_auth/whitelist.py (4)

• UserTier (50-99)
• is_admin (289-311)
• can_access_premium_models (84-90)
• can_access_premium_models (381-394)

packages/cloudflare-auth/tests/conftest.py (1)

• sample_jwt_payload (17-26)

packages/cloudflare-auth/tests/test_integration.py (1)

• sample_claims (44-54)

🪛 GitHub Check: CodeQL

packages/cloudflare-auth/tests/test_whitelist.py

[failure] 221-221: Incomplete URL substring sanitization
The string gmail.com may be at an arbitrary position in the sanitized URL.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Compatibility Summary
• GitHub Check: Mutation Testing / Mutation Testing

🔇 Additional comments (18)

.github/workflows/validate-cruft.yml (1)

13-14: LGTM! Security best practice: minimal permissions.

Explicitly setting permissions: contents: read follows the principle of least privilege by limiting this workflow to read-only repository access. Since the workflow only checks template synchronization and runs validation scripts without modifying the repository, this minimal permission scope is appropriate and improves security posture.

sonar-project.properties (2)

16-16: Configuration correctly expanded to include packages.

The additions to sonar.sources and sonar.tests are appropriate for the monorepo structure with per-package tests under packages/*/tests/.

Also applies to: 19-19

---

91-112: Security hotspot exclusions for tests are appropriate.

The rules appropriately suppress warnings for test-specific security patterns (hardcoded IPs, HTTP URLs, test credentials, secrets) that are expected and safe in test contexts.

packages/cloudflare-auth/src/cloudflare_auth/validators.py (1)

32-32: LGTM!

The import fix from src.config.settings to cloudflare_auth.config addresses the broken imports issue. The timezone change to timezone.utc is consistent with Python's stdlib and aligns with the broader refactoring across the package.

Also applies to: 38-38, 270-270

packages/cloudflare-auth/src/cloudflare_auth/redis_sessions.py (1)

40-40: LGTM!

Timezone handling is now consistent with timezone.utc across all session timestamp operations. The ISO format serialization preserves timezone information for Redis storage.

Also applies to: 177-178, 224-224

packages/cloudflare-auth/src/cloudflare_auth/models.py (1)

78-78: LGTM!

Timezone-aware datetime handling is correctly implemented for JWT timestamp properties using timezone.utc.

Also applies to: 87-87, 96-96

packages/cloudflare-auth/src/cloudflare_auth/sessions.py (1)

22-22: LGTM!

Consistent timezone-aware datetime handling throughout the session lifecycle operations.

Also applies to: 104-105, 151-151, 186-186, 200-200, 279-279

packages/cloudflare-auth/src/cloudflare_auth/rate_limiter.py (1)

26-26: LGTM!

Timezone handling is consistent across all rate limiter operations. Thread-safe implementation with Lock is properly maintained.

Also applies to: 76-76, 96-97, 127-127, 150-151, 178-179, 203-204

packages/cloudflare-auth/tests/conftest.py (1)

3-61: LGTM! Excellent test fixture organization.

The test fixtures are well-structured with:

• Timezone-aware datetime usage (addressing DTZ005)
• Reusable test constants for consistency
• Valid and expired JWT payload fixtures for comprehensive testing
• Autouse fixture ensuring singleton state cleanup between tests

packages/cloudflare-auth/tests/test_whitelist.py (2)

214-221: CodeQL false positive – the test correctly validates the warning message.

The CodeQL alert about "Incomplete URL substring sanitization" for gmail.com on line 221 is a false positive. This test verifies that the validator emits a security warning when public email domains like @gmail.com are included in the whitelist configuration, which is the intended behavior.

---

1-320: LGTM! Comprehensive whitelist test coverage.

The test suite thoroughly covers:

• UserTier enum behavior and properties
• Email normalization and configuration
• Authorization logic for individual emails and domain patterns
• Admin detection and tier assignment
• Whitelist manager operations (add/remove/check)
• Environment-based validator creation

packages/cloudflare-auth/tests/test_integration.py (1)

1-359: LGTM! Excellent integration test coverage.

The integration tests provide comprehensive end-to-end validation:

• Complete authentication flows for admin, full, limited, and unauthorized users
• Session lifecycle management (create, retrieve, refresh, invalidate)
• Settings integration with whitelist validators
• User tier propagation across components
• Security aspects (constant-time comparison, session ID uniqueness, safe data dumping)

All datetime usage is timezone-aware, and the tests properly exercise interactions between settings, validators, sessions, and user models.

packages/cloudflare-auth/tests/test_models.py (1)

1-208: LGTM! Thorough model test coverage with timezone-aware datetimes.

The test suite comprehensively validates:

• CloudflareJWTClaims: required/optional fields, datetime properties, expiration logic, audience handling
• CloudflareUser: creation from claims, tier-based permissions, email domain checks, safe data dumping

All datetime operations correctly use timezone.utc (lines 56, 64), addressing the previous DTZ005 linting issues.

packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py (1)

129-140: LGTM: Proper use of MD5 for cache key generation.

The use of usedforsecurity=False (line 140) correctly documents that MD5 is used only for cache key generation, not cryptographic purposes. The inline comment reinforces this intent.

.github/workflows/sonarcloud.yml (1)

134-134: Excellent security improvement!

Pinning the SonarCloud Quality Gate action to a specific commit SHA follows GitHub Actions security best practices and prevents potential supply chain attacks from tag manipulation.

pyproject.toml (3)

266-269: LGTM - correct compatibility handling.

Ignoring UP017 is appropriate since datetime.UTC was introduced in Python 3.11 and the project supports Python 3.10+.

---

315-338: Good consistency with existing test rules.

The relaxed lint rules for package tests mirror the existing root test configuration, ensuring consistent test code standards across the monorepo. The additions of PT011 (pytest.raises match) and F841 (unused variables in test setup) are reasonable for package test contexts.

---

361-364: LGTM - appropriate exception for CLI tools.

Allowing print statements in CLI files is correct since command-line interfaces use print() for user-facing output.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Add timeout to prevent indefinite hangs.

The determine-package job lacks a timeout-minutes setting. While this job is quick, adding a timeout prevents resource waste if the job hangs unexpectedly.

Apply this diff:

 jobs:
   determine-package:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     outputs:

🤖 Prompt for AI Agents

In .github/workflows/publish.yml around lines 24 to 48 the determine-package job
has no timeout-minutes set, which can let it hang indefinitely; add a
timeout-minutes entry (e.g., timeout-minutes: 5) directly under the
determine-package: or runs-on: ubuntu-latest line (with the same indentation
level as runs-on) to enforce a short max runtime and prevent resource waste if
the job hangs.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Add timeout to prevent indefinite publishing jobs.

The build-and-publish job lacks a timeout-minutes setting. Publishing workflows should have timeouts to prevent indefinite hangs, especially when interacting with external registries.

Apply this diff:

   build-and-publish:
     needs: determine-package
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:

🤖 Prompt for AI Agents

.github/workflows/publish.yml lines 50-72: the build-and-publish job is missing
a timeout-minutes setting which can allow the workflow to hang indefinitely; add
a timeout-minutes: 60 (or your preferred minute value) at the same indentation
level as runs-on (under the job name) to ensure the job is automatically
cancelled after the specified time, keeping the value as an integer and
preserving YAML indentation.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider using a TOML parser for more robust version extraction.

The sed command assumes specific formatting and could break with comments, different quote styles, or whitespace variations. Using a proper TOML parser would be more reliable.

Consider this alternative using Python's built-in TOML support:

       - name: Verify version matches tag
         working-directory: ${{ needs.determine-package.outputs.package_dir }}
         run: |
-          TOML_VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+          TOML_VERSION=$(uv run python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])")
           TAG_VERSION="${{ needs.determine-package.outputs.version }}"

Note: tomllib is available in Python 3.11+. For Python 3.10, you'd need tomli.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Verify version matches tag
	working-directory: ${{ needs.determine-package.outputs.package_dir }}
	run: |
	TOML_VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
	TAG_VERSION="${{ needs.determine-package.outputs.version }}"
	if [[ "$TOML_VERSION" != "$TAG_VERSION" ]]; then
	echo "::error::Version mismatch! pyproject.toml=$TOML_VERSION, tag=$TAG_VERSION"
	exit 1
	fi
	- name: Verify version matches tag
	working-directory: ${{ needs.determine-package.outputs.package_dir }}
	run: |
	TOML_VERSION=$(uv run python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])")
	TAG_VERSION="${{ needs.determine-package.outputs.version }}"
	if [[ "$TOML_VERSION" != "$TAG_VERSION" ]]; then
	echo "::error::Version mismatch! pyproject.toml=$TOML_VERSION, tag=$TAG_VERSION"
	exit 1
	fi

🤖 Prompt for AI Agents

.github/workflows/publish.yml around lines 74 to 82: the current grep/sed
approach brittlely parses pyproject.toml and can fail with different
formatting/comments/quotes; replace the shell text-extraction with a small
Python invocation that reads pyproject.toml and uses a real TOML parser to
extract the [project]/version (use tomllib on Python 3.11+ and fall back to
tomli if not available), print that version to stdout for comparison with the
tag, and keep the existing exit-on-mismatch logic; ensure the action still runs
in the same working-directory and add a short comment noting the parser
fallback.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files .github/workflows/publish.yml

Repository: ByronWilliamsCPA/python-libs

Length of output: 101

---

🏁 Script executed:

cat -n .github/workflows/publish.yml | sed -n '80,105p'

Repository: ByronWilliamsCPA/python-libs

Length of output: 1370

---

🌐 Web query:

keyrings.google-artifactregistry-auth latest version PyPI

💡 Result:

Latest PyPI version: 1.1.2 — uploaded Mar 1, 2023. [1]

Source: PyPI project page for keyrings.google-artifactregistry-auth. [1]

---

Pin the keyring package version for supply chain security.

Installing keyrings.google-artifactregistry-auth without a version constraint creates a supply chain risk. The package version could change between workflow runs, potentially introducing vulnerabilities or breaking changes.

Apply this diff to pin to the latest stable version:

       - name: Install keyring for Artifact Registry
-        run: pip install keyrings.google-artifactregistry-auth
+        run: pip install keyrings.google-artifactregistry-auth==1.1.2

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Install keyring for Artifact Registry
	run: pip install keyrings.google-artifactregistry-auth
	- name: Install keyring for Artifact Registry
	run: pip install keyrings.google-artifactregistry-auth==1.1.2

🤖 Prompt for AI Agents

.github/workflows/publish.yml around lines 89-90: the workflow installs
keyrings.google-artifactregistry-auth without a version pin; replace the
unconstrained pip install with a pinned install (pip install
keyrings.google-artifactregistry-auth==<tested-stable-version>) using the
specific version you validated for this repo (or reference a repo
constant/variable), commit that change and update any workflow docs noting the
chosen version.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider adding package verification before publishing.

Publishing immediately after building without verification is risky. Consider adding a validation step to check package metadata and catch issues before they reach the registry.

Add a verification step between build and publish:

       - name: Build package
         working-directory: ${{ needs.determine-package.outputs.package_dir }}
         run: uv build

+      - name: Verify package
+        working-directory: ${{ needs.determine-package.outputs.package_dir }}
+        run: |
+          # Check that dist files were created
+          ls -lh dist/
+          # Verify package metadata (requires twine)
+          uv run pip install twine
+          uv run twine check dist/*

       - name: Publish to Artifact Registry

🤖 Prompt for AI Agents

In .github/workflows/publish.yml around lines 92 to 98, add a verification step
between the Build package and Publish to Artifact Registry steps that runs
package validation in the same working-directory (${{
needs.determine-package.outputs.package_dir }}); the step should validate
package metadata (e.g., version, manifest, checksums), run any lightweight
post-build checks (lint/verify or unit smoke tests), and fail the job on errors
so publishing is blocked when verification fails.

---

🧹 Nitpick | 🔵 Trivial

Consider uploading build artifacts for audit trail.

Uploading the built distributions as workflow artifacts provides an audit trail and allows manual inspection if issues arise. This is particularly valuable for published packages.

Add after the build step:

       - name: Build package
         working-directory: ${{ needs.determine-package.outputs.package_dir }}
         run: uv build

+      - name: Upload build artifacts
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: dist-${{ needs.determine-package.outputs.package_name }}-${{ needs.determine-package.outputs.version }}
+          path: ${{ needs.determine-package.outputs.package_dir }}/dist/
+          retention-days: 90

       - name: Publish to Artifact Registry

🤖 Prompt for AI Agents

.github/workflows/publish.yml around lines 92 to 98: after the "Build package"
step, add a step to upload the built distribution artifacts (e.g., the dist or
build output directory from ${{ needs.determine-package.outputs.package_dir }})
using actions/upload-artifact so the workflow retains a copy for auditing and
manual inspection; specify a clear artifact name (like package-build) and set
the artifact path to the build output directory (and optionally a retention-days
value) to ensure the built files are stored before publishing.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider adding assumption tags per coding guidelines.

The coding guidelines require tagging assumptions with #CRITICAL, #ASSUME, or #EDGE comments. Consider adding these tags to document implicit assumptions, particularly:

• Line 140: #ASSUME: MD5 collision risk acceptable for cache keys
• Line 216: #EDGE: Catch-all for unexpected fetcher failures
• Line 158: #ASSUME: TTL validation expects reasonable cache_ttl_seconds range

Based on coding guidelines, this helps with verification during reviews and maintenance.

🤖 Prompt for AI Agents

packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py lines ~140,
~158, ~216: add the required assumption/edge tags as inline comments at the
noted locations to satisfy coding guidelines; specifically insert "#ASSUME: MD5
collision risk acceptable for cache keys" next to the MD5 usage (around the
_get_source_hash definition/MD5 call), insert "#ASSUME: TTL validation expects
reasonable cache_ttl_seconds range" near the TTL/check in _is_cache_valid, and
insert "#EDGE: Catch-all for unexpected fetcher failures" on the except block in
fetch_group_ips; keep comments short, on their own line or trailing the existing
line, and do not change logic.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider adding a clarifying comment for dict.fromkeys usage.

The use of dict.fromkeys(new_ips, f"Managed by {group.name}") on line 342 is correct but might benefit from a brief inline comment explaining that this creates a comment mapping for the Cloudflare API where all IPs receive the same comment value.

For example:

-            comments = dict.fromkeys(new_ips, f"Managed by {group.name}")
+            # Create uniform comment for all IPs in this group
+            comments = dict.fromkeys(new_ips, f"Managed by {group.name}")

🤖 Prompt for AI Agents

In packages/cloudflare-api/src/cloudflare_api/ip_groups/manager.py around line
342, add a brief inline comment explaining the use of dict.fromkeys(new_ips,
f"Managed by {group.name}") — note that it creates a mapping of each new IP to
the same comment string for the Cloudflare API — so future readers understand
why fromkeys is used rather than a comprehension or loop.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Dead code: unused expression.

This line computes a datetime but discards the result. Either remove it or assign it to a variable if it was intended to be used.

-        datetime.now(tz=timezone.utc)

🤖 Prompt for AI Agents

In packages/cloudflare-auth/src/cloudflare_auth/sessions.py around line 289,
there is a dead expression "datetime.now(tz=timezone.utc)" whose result is
discarded; remove the line if the current time is not needed, or assign it to a
variable (e.g., now = datetime.now(tz=timezone.utc)) and use that variable where
intended (for timestamping, comparisons, or logging) so the expression is not
unused.