Enhance cookiecutter template with stricter code quality standards #84
Conversation
- Update Python requirement to 3.11+ to match CLAUDE.md standards - Replace mypy with Astral's experimental ty type checker - Add comprehensive ruff.toml with strict code quality constraints: - Cyclomatic complexity ≤ 8 - Max 5 positional args, 12 branches, 6 returns - Google-style docstrings enforced - Add data library option (polars/pandas/none) in cookiecutter.json - Create pre-commit hooks configuration for automated checks - Add CLAUDE.md template with project-specific instructions - Configure pytest to support tests beside code - Update Makefile with common commands (ty, fix, check) - Remove Python 3.9/3.10 from CI matrix These changes align the cookiecutter template with modern Python development practices and enforce stricter code quality standards. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Add web_framework choice in cookiecutter.json (fastapi/none) - Include FastAPI and uvicorn dependencies when selected - Create basic FastAPI app template with health check endpoint - Add 'make serve' command to run development server - Update CLAUDE.md to express strong preference for FastAPI over Flask - Configure post-generation hook to remove _app.py if not using FastAPI This enforces the preference for modern async frameworks and explicitly discourages Flask usage in new projects. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Fix ty version to 0.0.1a16 (current alpha release) - Remove --strict flag which doesn't exist in ty - Update ty commands to explicitly check src directory - Remove strict=true from pyproject.toml ty config ty is still in early alpha, so we're using the latest available version with basic configuration. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Apply ruff formatting to fix CI failure. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Remove the data_library choice (polars/pandas/none) as it's rarely needed for Trail of Bits projects. This simplifies the template and reduces unnecessary options during project creation. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Remove FastAPI web framework option to reduce complexity - Consolidate ruff configuration from ruff.toml into pyproject.toml - Fix Makefile redundancies: keep 'fix' and 'format' as aliases - Remove duplicated ty command from lint target - Clean up CLAUDE.md to remove FastAPI references This simplifies the PR to focus on core improvements: stricter code quality standards, ty type checker, and pre-commit hooks. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
The self-test CI workflow expects 'make reformat' to exist. Add it back as an alias alongside 'fix' and 'format'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Replace deprecated 'license-files' with proper license field syntax.
Use 'license = {text = "SPDX-ID"}' for standard licenses and
'license = {file = "LICENSE"}' for proprietary licenses.
This fixes the RUF200 parsing error in generated projects.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
Change 'search_path' to 'src' in [tool.ty] configuration. The ty type checker expects 'src' as the field name, not 'search_path'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Remove the [tool.ty] section entirely as ty is in early alpha and the configuration format is not well documented. Let ty use its default configuration which should work for standard project layouts. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Replace experimental ty (0.0.1a16) with stable pyright (1.1+) - Configure pyright with standard type checking mode - Make pre-commit pytest less aggressive: only run fast tests (-k "not slow") - Remove -q flag from pytest for better debugging visibility - Clarify CLAUDE.md framework preferences as general guidelines - Add missing newline to pre-commit config - Update all references from ty to pyright in docs and commands This makes the type checking more reliable while maintaining the same strict code quality standards. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Remove accidentally included test-pyright directory - Fix pre-commit deprecation: use stages: [pre-commit] instead of [commit] - Change pyright to strict mode for better type safety - Add pyright include paths: ["src", "test"] - Add pytest marker documentation for @pytest.mark.slow - Simplify Makefile: keep 'fix' as primary command, 'reformat' as alias All changes tested locally - lint, fix, reformat, and pre-commit hooks work correctly with strict pyright configuration. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
| - "3.9" | ||
| - "3.10" | ||
| - "3.11" | ||
| - "3.12" |
There was a problem hiding this comment.
For context, we were trying to keep track of active Python versions, as listed here https://devguide.python.org/versions/
Removing Python 3.9 would be fine, since it'll be EOL soon. However, unless we're using Python 3.11 features, I think we should still include Python 3.10. This will ensure compatibility with all supported Python versions by default, and then each project can make the explicit decision to remove compatibility with older versions.
We should add "3.13" while we're here.
| license = {text = "Apache-2.0"} | ||
| {%- elif cookiecutter.license == "AGPL v3" %} | ||
| license = "AGPL-3.0-or-later" | ||
| license = {text = "AGPL-3.0-or-later"} | ||
| {%- elif cookiecutter.license == "Proprietary" %} | ||
| license = "LicenseRef-Proprietary-License" | ||
| license = {file = "LICENSE"} |
There was a problem hiding this comment.
I'm not sure why this was changed. According to the docs, it should just be a SPDX license expression https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license and the spec is here https://packaging.python.org/en/latest/specifications/pyproject-toml/#pyproject-toml-license
This was the commit that changed it 2fbd39b
I think Claude Code might have outdated information?
Also, the CI outputs a warning https://github.com/trailofbits/cookiecutter-python/actions/runs/16610950158/job/46993781047?pr=84#step:5:299
/home/runner/work/_temp/setup-uv-cache/builds-v0/.tmp5sbQ1m/lib/python3.12/site-packages/setuptools/config/_apply_pyprojecttoml.py:82: SetuptoolsDeprecationWarning: `project.license` as a TOML table is deprecated
!!
********************************************************************************
Please use a simple string containing a SPDX expression for `project.license`. You can also use `project.license-files`. (Both options available on setuptools>=77.0.0).
By 2026-Feb-18, you need to update your project and remove deprecated calls
or your builds will no longer be supported.
See https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license for details.
********************************************************************************
| # and let Dependabot periodically perform this update. | ||
| "ruff ~= 0.6.2", | ||
| "mypy >= 1.0", | ||
| "pyright >= 1.1", |
There was a problem hiding this comment.
@ESultanik You have experience with Python type checkers. Do you have a preference of mypy over pyright or any other type checker?
| - **Line length**: 100 characters max | ||
| - **Docstrings**: Google style on all public functions/classes | ||
| - **Type hints**: Required for all function signatures | ||
| - **Tests**: Must live beside code (`test_*.py` or `*_test.py`) |
There was a problem hiding this comment.
This looks to contradict the current structure. The current structure has the source files in src/{{cookiecutter.__module_import}}/*.py and tests in test/test_*.py.
I don't think I've seen Python projects with test files next to the source code files. I have seen it for C and C++ projects though, particularly projects from Google.
There was a problem hiding this comment.
After some research, some people are saying that for large projects, it's helpful to have unit tests next to the source code to easily test distributions of the project and also to more easily find tests for functionality in that source file.
Others say that including the test files in the source directory will make distribution packages larger, which may or may not be a concern.
I don't think I have strong opinions on this.
There was a problem hiding this comment.
I've always found it better to have tests in a separate dir, but... whatever works.
| ### Error Handling | ||
| ```python | ||
| from typing import Result # If using result types |
There was a problem hiding this comment.
is this thing real or ai-made up? I've never seen it.
There was a problem hiding this comment.
Good catch. I also get an error when trying to import this under Python 3.13.
The Google style guide has a section on error handling and exceptions https://google.github.io/styleguide/pyguide.html#24-exceptions
Summary
This PR enhances the cookiecutter-python template with stricter code quality standards based on Trail of Bits' engineering practices. The changes enforce consistent, high-quality Python code across all generated projects.
Key Changes
1. Modern Python Tooling
2. Strict Code Quality Standards
Enforces quantitative code complexity limits:
3. Enhanced Developer Experience
ruff formatandruff check --fixpyrightstrict type checkingpytest(fast tests only, excluding@pytest.mark.slow)interrogatedocstring coverage (if enabled)make fix- primary formatter commandmake lint- all quality checksmake typecheck- just type checkingtest_*.pyand*_test.pyin src/4. Project Documentation
5. Configuration Improvements
stages: [commit]tostages: [pre-commit])What Changed From Initial PR
After code review and testing, we:
tywith stablepyrightTest Plan
🤖 Generated with Claude Code