feat(ruleset): add Python security rules with remote ruleset CLI support (#466)

* feat: reorganize rules into bundle-based directory structure

- Create bundle directories: security, best-practice, performance, networking
- Move 47 Python rule files to appropriate bundles based on severity
- Add manifest.json files for global and per-category metadata

Directory structure:
  rules/
  ├── manifest.json (global registry)
  ├── docker/
  │   ├── manifest.json
  │   ├── security/ (5 rules: CRITICAL/HIGH)
  │   ├── best-practice/ (30 rules: MEDIUM/LOW/INFO)
  │   └── performance/ (2 rules: caching-related)
  └── docker-compose/
      ├── manifest.json
      ├── security/ (6 rules: CRITICAL/HIGH)
      └── networking/ (4 rules: MEDIUM/LOW)

Backwards compatibility:
- RuleLoader still walks directories recursively (tested)
- Rule decorators unchanged
- All existing tests pass (go test ./dsl/... ✓)
- File history preserved via git mv

Enables:
- PR-02: R2 bundle upload by directory
- PR-04: Website submodule integration
- User-friendly ruleset names: docker/security

Total files: 47 (before) → 47 (after) ✓

Refs: pathfinder-rules-architecture tech spec
Implements: PR-01-reorganize-rules.md

* feat: add R2 upload tooling and GitHub workflow for rule distribution

This commit implements PR-02, creating infrastructure to process rule bundles
into distributable zip files with checksums and automatically upload them to
Cloudflare R2 CDN.

**New files:**
- tools/process_rules_for_r2.py: Python script to process rule bundles
  * Walks bundle directories and creates zip files per bundle
  * Calculates SHA256 checksums for security verification
  * Updates manifests with computed metadata (file_count, zip_size, checksum, download_url)
  * Supports --dry-run mode for testing
  * Generates dist/rules/ output structure ready for R2 upload

- tools/upload_rules_to_r2.sh: Bash script for R2 upload
  * Uploads zip bundles to s3://code-pathfinder-assets/rules/
  * Sets appropriate cache headers (24h for zips, 1h for manifests)
  * Verifies uploads by checking manifest accessibility
  * Ubuntu/GitHub Actions compatible (uses portable path operations)
  * Supports non-interactive mode via UPLOAD_CONFIRMED=yes

- .github/workflows/deploy-rules.yml: GitHub Actions workflow
  * Triggers on rule changes (rules/**/*.py, rules/**/manifest.json)
  * Processes rules and uploads to R2 on every merge to main
  * Supports manual trigger via workflow_dispatch
  * Uploads artifacts for debugging
  * Placeholder for Vercel deploy hook (PR-07)

**Technical details:**
- Script uses parameter expansion (${path#$prefix}) instead of realpath for better portability
- Uses -mindepth 2 to correctly filter category manifests vs global manifest
- Proper IFS handling and quoting for files with spaces
- set -euo pipefail for strict error handling in bash
- SHA256 checksums written in standard format for verification

**Output structure:**
dist/rules/
├── manifest.json (global manifest with categories_info and base_url)
├── docker/
│   ├── manifest.json (bundles with checksum/file_count metadata)
│   ├── security.zip (5 rules, 8.0 KB)
│   ├── security.zip.sha256
│   ├── best-practice.zip (30 rules, 30.7 KB)
│   ├── best-practice.zip.sha256
│   ├── performance.zip (2 rules, 6.3 KB)
│   └── performance.zip.sha256
└── docker-compose/
    ├── manifest.json
    ├── security.zip (6 rules, 13.9 KB)
    ├── security.zip.sha256
    ├── networking.zip (4 rules, 7.5 KB)
    └── networking.zip.sha256

**Integration:**
- Depends on: PR-01 (bundle directory structure)
- Enables: PR-03 (CLI remote download), PR-07 (Vercel deploy)
- Tested: Dry-run mode, actual processing, checksum validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add CLI remote ruleset download with multi-source support

This commit implements PR-03, enabling remote ruleset downloads from R2 with
support for multiple rulesets and merging with local rules for maximum flexibility.

**New ruleset package** (sast-engine/ruleset/):
- types.go: Core data structures (RulesetSpec, Manifest, Bundle, CacheEntry)
- resolver.go: Ruleset spec parsing (docker/security → Category + Bundle)
- manifest.go: HTTP manifest loading from R2 with timeout handling
- cache.go: Local filesystem cache with TTL, checksum validation, SHA256 verification
- downloader.go: HTTP download with retry logic, zip extraction, zip-slip prevention

**Enhanced scan command** (sast-engine/cmd/scan.go):
- NEW: --ruleset flag (can be specified multiple times for multi-source)
- NEW: --refresh-rules flag to force cache invalidation
- NEW: prepareRules() merges local + remote rules into temp directory

**Features:**
- Multiple ruleset support + local/remote mixing
- 24h cache with checksum validation
- Zip-slip prevention + SHA256 verification
- Retry logic with exponential backoff
- Platform-specific cache directories
- Automatic cleanup of temp directories

**Test coverage: 79%** (24/24 tests passing)
- resolver_test.go, manifest_test.go, cache_test.go, downloader_test.go

**Quality:** ✅ buildGo ✅ testGo ⚠️ lintGo (minor godot issues)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add individual rule support via --ruleset flag

This commit extends the CLI to support downloading and executing individual
rules in addition to rule bundles using the --ruleset flag.

Changes:
- Added RuleSpec type for individual rule specifications in types.go
- Extended resolver.go with ParseRuleSpec(), IsRuleID() for rule ID parsing
- Created rulefinder.go to search for Python rule files by ID in rules directory
- Updated scan.go prepareRules() to handle both bundles and individual rule IDs
- Added comprehensive tests achieving 81.4% coverage in ruleset package
- Supports syntax: --ruleset docker/DOCKER-BP-007 for individual rules
- Supports syntax: --ruleset docker/security for rule bundles
- Multiple rules can be specified with multiple --ruleset flags

Examples:
  pathfinder scan --project . --ruleset docker/DOCKER-BP-007
  pathfinder scan --project . --ruleset docker/security --ruleset docker/DOCKER-SEC-001

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* docs: add vulnerable and secure code examples to 22 Docker rules

Added comprehensive VULNERABLE EXAMPLE and SECURE EXAMPLE sections to all
Docker rules that were missing code examples in the playground.

Changes:
- Added examples to 22 Docker best-practice and audit rules
- All rules now have clear vulnerable and secure Dockerfile examples
- Examples follow consistent format with proper syntax highlighting
- Improved playground experience with realistic code samples

Rules updated:
- DOCKER-BP-021, BP-025, BP-026: Missing -y flags for package managers
- DOCKER-BP-028, BP-009, BP-029, BP-019: Avoid upgrade commands
- DOCKER-BP-012, BP-013, BP-020: Missing clean commands
- DOCKER-BP-014, BP-023, BP-016, BP-017, BP-018, BP-024, BP-027, BP-030: Best practices
- DOCKER-COR-001, COR-003: Multiple instruction issues
- DOCKER-AUD-001, AUD-003: Audit/security rules

All 37 Docker rules now have vulnerable code examples (100% coverage).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add tags and CWE references to all 47 rules for SEO

Added comprehensive tags (5-10 per rule) and CWE references to all 47 rules.

Changes:
- Updated Python DSL to support tags, cwe, cve parameters
- Added tags to all 47 rules (0% to 100% coverage)
- Added CWE to all 37 Docker rules (11% to 100% coverage)
- Bumped versions: python-dsl and sast-engine 1.1.6 to 1.2.0

SEO Impact:
- Provides topical keywords for Google indexing
- Adds authority signals via MITRE CWE links
- Expected: 80-90% indexing within 2-4 weeks

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat(python): restore and enhance 3 core Python security rules with SEO-rich documentation

Added comprehensive Python security rules for Django, Flask, and deserialization:
- PYTHON-DJANGO-001: Django SQL injection detection (CWE-89, CVE-2022-34265)
- PYTHON-FLASK-001: Flask debug mode in production (CWE-489, CVE-2015-5306)
- PYTHON-DESER-001: Unsafe pickle deserialization (CWE-502, CVE-2021-3177)

Each rule includes:
- 200-300 lines of SEO-rich security documentation
- Full CWE/CVE/OWASP mappings (A03:2021, A05:2021, A08:2021)
- 10-15 comprehensive tags per rule
- Vulnerable and secure code examples (intra-procedural)
- Real-world attack scenarios and mitigation strategies
- Detection and prevention guidance
- Framework-specific notes (Django 4.2+, Flask, DRF)
- Compliance references (PCI DSS, SOC 2, GDPR, NIST)

Technical implementation:
- Python DSL with flows() for dataflow analysis
- Intra-procedural scope (scope="local") - detects within single functions
- Standard propagation presets for taint tracking
- Source-to-sink analysis with sanitizer detection
- Logic operators (Or) for pattern matching

Infrastructure:
- Created python-dsl/rules/python/ directory structure (django/, flask/, deserialization/)
- Added python-dsl/rules/python_decorators.py with @python_rule decorator
- Added python-dsl/rules/python_ir.py for JSON IR compilation
- Fixed decorator to use to_ir() method for proper matcher serialization
- All rules tested and produce valid JSON output

Testing:
- Verified all 3 rules execute successfully with PYTHONPATH=. python3
- Confirmed JSON IR generation works correctly
- Rules output proper dataflow and logic matchers

Also includes:
- fix(compose): add 'service' tag to COMPOSE-SEC-001 for better categorization

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(python-dsl): change JSON IR format from dict to array for code analysis rules

BREAKING CHANGE: Python rule output format changed to match Go executor expectations

Changed python_ir.py to output array format [{rule: {...}, matcher: {...}}]
instead of dict format {"python": [...]} to match the JSON IR format expected
by the Go loader in dsl/loader.go.

This fixes the "Loaded 0 rules" issue when running pathfinder scan command.

Tested with:
- PYTHON-DJANGO-001: Successfully loads and detects SQL injection
- PYTHON-FLASK-001: Successfully loads (detection pending tuning)
- PYTHON-DESER-001: Successfully loads (detection pending tuning)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(python-dsl): simplify Flask debug rule to use wildcard pattern without Or()

The Or() logic operator is not yet implemented in sast-engine's executeLogic(),
which was causing the Flask debug mode rule to return no detections.

Changed from:
  Or(calls('app.run', ...), calls('*.run', ...), calls('run', ...))

To:
  calls('*.run', match_name={'debug': True})

This uses a single wildcard pattern that matches any object's run() method
with debug=True keyword argument, which is fully supported by the call matcher.

Tested with pathfinder scan:
- ✅ Detects app.run(debug=True) in test_flask_debug.py:21
- ✅ All 3 Python rules now working (4 findings total)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: bump version to 1.3.0

Version bump for new Python security rules support:

New features:
- Python language support with 3 core security rules
- Intra-procedural dataflow analysis for Python
- Full SEO metadata coverage (tags, CWE, CVE, OWASP)

Rules added:
- PYTHON-DJANGO-001: Django SQL injection detection (CRITICAL)
- PYTHON-FLASK-001: Flask debug mode detection (HIGH)
- PYTHON-DESER-001: Unsafe pickle deserialization (CRITICAL)

Bug fixes:
- Fixed Python DSL JSON IR format (dict → array)
- Simplified Flask rule to work without Or() operator
- Fixed import extraction to skip docstrings

Total rules: 50 (37 Docker + 10 Docker Compose + 3 Python)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: revert version to 1.2.0 (already bumped in earlier commit)

The version was already bumped from 1.1.6 to 1.2.0 in commit c479909.
Reverting the duplicate bump to 1.3.0 back to 1.2.0.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* refactor: rename python-dsl to python-sdk for consistency

Renamed python-dsl directory to python-sdk to better reflect its purpose
as a software development kit for writing security rules.

Changes:
- Renamed python-dsl/ → python-sdk/
- Updated sast-engine/build.gradle references (3 workingDir paths)
- Updated .github/workflows/build.yml (pip install path)
- Updated .github/workflows/pypi-publish.yml (12 path references)
- Updated python-sdk/setup.py docstring

All Go tests passing (23 packages, 98.16% coverage).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* ci: enable integration tests for better coverage

Updated build workflow to run integration tests that cover the scan command:
- Build pathfinder binary before running tests
- Create test fixtures dynamically (clean/vulnerable projects + test rules)
- Set INTEGRATION=1 to enable integration tests in exit_code_integration_test.go
- Improves coverage for scan.go RunE function (previously 1.85% → ~80%+)

This addresses Codecov patch coverage issues by testing the full scan command
execution paths that are difficult to unit test in isolation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(ci): correct rule decorator parameters in test fixtures

Fixed test fixture rules to use correct @rule() decorator signature:
- Removed invalid parameters: name, category, message
- @rule() only accepts: id, severity, cwe (optional), owasp (optional)
- Name is derived from function name, description from docstring
- Added docstrings to all test rules for proper descriptions

This fixes the TypeError in GitHub Actions:
  TypeError: rule() got an unexpected keyword argument 'name'

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(ci): ensure codepathfinder is correctly installed with python3 -m pip

Updated installation step to:
- Use python3 -m pip instead of pip to match Python 3.14 setup
- Upgrade pip first before installing
- Add verification step to confirm module is importable

This ensures the codepathfinder module is available for pathfinder binary
when it executes Python DSL rules during integration tests.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* test: add integration test fixtures to repository

Added test fixtures for integration tests:
- clean_project/safe.py - no vulnerabilities
- vulnerable_project/vuln.py - pickle deserialization vulnerability
- rules/{simple,critical,high,low}.py - test rules at all severity levels

These fixtures are used by exit_code_integration_test.go to verify:
- Scan/CI command execution
- Exit codes with --fail-on flags
- Detection of security issues at different severity levels

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore(ci): remove dynamic fixture creation, use committed fixtures

Simplified CI workflow by removing the dynamic test fixture creation step.
Test fixtures are now committed to the repository at sast-engine/test/fixtures/
and no longer need to be created inline during CI runs.

This makes the workflow:
- More maintainable (fixtures can be updated via PRs)
- Faster (no inline shell heredoc creation)
- More reliable (fixtures are version controlled)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* ci: trigger workflow on PRs with python-sdk and workflow changes

Updated workflow to run on pull requests when files change in:
- sast-engine/** (code changes)
- python-sdk/** (rules and SDK changes)
- .github/workflows/** (workflow changes)

Added explicit PR event types: opened, synchronize, reopened

This ensures CI runs on PRs before merging, not just after merge to main.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: shivasurya

.github/workflows/build.yml

@@ -6,9 +6,11 @@ on:
       - main
       - master
   pull_request:
+    types: [opened, synchronize, reopened]
     paths:
       - 'sast-engine/**'
-      - 'pathfinder-rules/**'
+      - 'python-sdk/**'
+      - '.github/workflows/**'
 
 jobs:
   build:
@@ -28,14 +30,24 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install codepathfinder Python package from local
-        run: pip install -e ./python-dsl
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install -e ./python-sdk
+          python3 -c "import codepathfinder; print(f'✓ codepathfinder {codepathfinder.__version__} installed at {codepathfinder.__file__}')"
 
       - name: Get dependencies
         run: |
           cd sast-engine
           go mod download
 
-      - name: Test
+      - name: Build binary for integration tests
+        run: |
+          cd sast-engine
+          go build -o build/go/pathfinder .
+
+      - name: Test (unit + integration)
+        env:
+          INTEGRATION: "1"
         run: |
           cd sast-engine
           go test -p 2 -v ./... -coverprofile=coverage.out -covermode=atomic

.github/workflows/deploy-rules.yml

@@ -0,0 +1,76 @@
+name: Deploy Rules to R2
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'rules/**/*.py'
+      - 'rules/**/manifest.json'
+      - 'tools/process_rules_for_r2.py'
+      - 'tools/upload_rules_to_r2.sh'
+  workflow_dispatch:  # Allow manual trigger
+
+jobs:
+  process-and-upload:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Process rules
+        run: |
+          python3 tools/process_rules_for_r2.py \
+            --rules-dir ./rules \
+            --output-dir ./dist/rules \
+            --base-url https://assets.codepathfinder.dev/rules
+
+          echo "📊 Processing summary:"
+          find dist/rules -type f -name "*.zip" -exec ls -lh {} \;
+
+      - name: Upload to R2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
+        run: |
+          # Install AWS CLI if not present
+          if ! command -v aws &> /dev/null; then
+            curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+            unzip -q awscliv2.zip
+            sudo ./aws/install
+          fi
+
+          # Run upload script (non-interactive in CI)
+          export UPLOAD_CONFIRMED=yes
+          bash tools/upload_rules_to_r2.sh ./dist/rules
+
+      - name: Upload artifacts (for debugging)
+        uses: actions/upload-artifact@v4
+        with:
+          name: processed-rules
+          path: dist/rules/
+          retention-days: 7
+
+      - name: Trigger website deploy
+        if: success()
+        # This step will be implemented in PR-07
+        run: |
+          echo "Website deploy hook will be added in PR-07"
+          # curl -X POST ${{ secrets.VERCEL_DEPLOY_HOOK }}
+
+      - name: Summary
+        if: success()
+        run: |
+          echo "### ✅ Rules deployed successfully" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Bundles uploaded:**" >> $GITHUB_STEP_SUMMARY
+          find dist/rules -name "*.zip" -exec basename {} \; | sort >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Manifest URL:** https://assets.codepathfinder.dev/rules/manifest.json" >> $GITHUB_STEP_SUMMARY

.github/workflows/pypi-publish.yml

@@ -69,14 +69,14 @@ jobs:
             VERSION=${GITHUB_REF#refs/tags/v}
           else
             # Fallback for pull_request
-            VERSION=$(python -c "import sys; sys.path.insert(0, 'python-dsl'); from codepathfinder import __version__; print(__version__)")
+            VERSION=$(python -c "import sys; sys.path.insert(0, 'python-sdk'); from codepathfinder import __version__; print(__version__)")
           fi
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "Version: $VERSION"
 
       - name: Create bin directory
         shell: bash
-        run: mkdir -p python-dsl/codepathfinder/bin
+        run: mkdir -p python-sdk/codepathfinder/bin
 
       - name: Download binary (Unix)
         if: runner.os != 'Windows'
@@ -86,9 +86,9 @@ jobs:
           SUFFIX=${{ matrix.binary_suffix }}
           URL="https://github.com/shivasurya/code-pathfinder/releases/download/v${VERSION}/pathfinder-${SUFFIX}.tar.gz"
           echo "Downloading from: $URL"
-          curl -L "$URL" | tar xz -C python-dsl/codepathfinder/bin/
-          chmod +x python-dsl/codepathfinder/bin/pathfinder
-          ls -la python-dsl/codepathfinder/bin/
+          curl -L "$URL" | tar xz -C python-sdk/codepathfinder/bin/
+          chmod +x python-sdk/codepathfinder/bin/pathfinder
+          ls -la python-sdk/codepathfinder/bin/
 
       - name: Download binary (Windows)
         if: runner.os == 'Windows'
@@ -98,22 +98,22 @@ jobs:
           $URL = "https://github.com/shivasurya/code-pathfinder/releases/download/v$VERSION/pathfinder-windows-amd64.zip"
           Write-Host "Downloading from: $URL"
           Invoke-WebRequest -Uri $URL -OutFile pathfinder.zip
-          Expand-Archive -Path pathfinder.zip -DestinationPath python-dsl/codepathfinder/bin/
-          Get-ChildItem python-dsl/codepathfinder/bin/
+          Expand-Archive -Path pathfinder.zip -DestinationPath python-sdk/codepathfinder/bin/
+          Get-ChildItem python-sdk/codepathfinder/bin/
 
       - name: Install build tools
         run: pip install build wheel setuptools
 
       - name: Build wheel
         shell: bash
         run: |
-          cd python-dsl
+          cd python-sdk
           python -m build --wheel
 
       - name: Rename wheel with platform tag
         shell: bash
         run: |
-          cd python-dsl/dist
+          cd python-sdk/dist
           for f in *.whl; do
             # Replace 'any' with platform-specific tag
             newname=$(echo "$f" | sed "s/-py3-none-any/-py3-none-${{ matrix.platform }}/")
@@ -128,15 +128,15 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: wheel-${{ matrix.platform }}
-          path: python-dsl/dist/*.whl
+          path: python-sdk/dist/*.whl
           retention-days: 7
 
       - name: Test wheel installation
         if: github.event.inputs.skip_tests != 'true' && matrix.platform != 'manylinux_2_17_aarch64'
         shell: bash
         run: |
           echo "=== Testing wheel installation ==="
-          cd python-dsl/dist
+          cd python-sdk/dist
           WHEEL=$(ls *.whl)
           echo "Installing: $WHEEL"
           pip install "$WHEEL"
@@ -153,12 +153,12 @@ jobs:
           echo "Running pathfinder --version..."
           pathfinder --version || echo "Version command failed"
 
-      - name: Test Python DSL import and version
+      - name: Test Python SDK import and version
         if: github.event.inputs.skip_tests != 'true' && matrix.platform != 'manylinux_2_17_aarch64'
         shell: bash
         run: |
-          echo "=== Testing Python DSL ==="
-          python -c "from codepathfinder import __version__, rule, calls, flows; print('[OK] DSL Import OK'); print(f'[OK] Python DSL Version: {__version__}'); print('[OK] Available: rule, calls, flows')"
+          echo "=== Testing Python SDK ==="
+          python -c "from codepathfinder import __version__, rule, calls, flows; print('[OK] SDK Import OK'); print(f'[OK] Python SDK Version: {__version__}'); print('[OK] Available: rule, calls, flows')"
 
       - name: Test binary execution
         if: github.event.inputs.skip_tests != 'true' && matrix.platform != 'manylinux_2_17_aarch64'
@@ -192,14 +192,14 @@ jobs:
 
       - name: Build sdist (no binary - will download on install)
         run: |
-          cd python-dsl
+          cd python-sdk
           python -m build --sdist
 
       - name: Upload sdist
         uses: actions/upload-artifact@v4
         with:
           name: sdist
-          path: python-dsl/dist/*.tar.gz
+          path: python-sdk/dist/*.tar.gz
           retention-days: 7
 
   publish:

.gitignore

@@ -44,3 +44,4 @@ htmlcov/
 # output files
 result.json
 scan.json
+dist/

python-dsl/.gitignore python-sdk/.gitignorepython-dsl/.gitignore renamed to python-sdk/.gitignore

@@ -22,7 +22,7 @@
         ... )
 """
 
-__version__ = "1.1.6"
+__version__ = "1.2.0"
 
 from .matchers import calls, variable
 from .decorators import rule