capsem-admin Internals
capsem-admin is the Python administration package for profiles, service
settings, image plans, image verification, manifests, enforcement packs, and
detection packs. Enterprise admins use the released PyPI package. Developers
use the workspace editable install from bootstrap.
Development Install
Section titled “Development Install”uv syncuv run capsem-admin --versionDo not validate local development changes against the released PyPI package. Bootstrap uses the editable workspace package so CLI changes, Pydantic models, schema generation, and tests all exercise the code in this repo.
Package Layout
Section titled “Package Layout”| Path | Purpose |
|---|---|
src/capsem/admin/cli.py | Public capsem-admin command tree and JSON reports. |
src/capsem/builder/service_settings.py | Service Settings V2 Pydantic model and schema output. |
src/capsem/builder/profiles.py | Profile V2 model, schema, TOML/JSON validation, and profile helpers. |
src/capsem/builder/image_plan.py | Profile-derived image planning. |
src/capsem/builder/image_workspace.py | Build workspace generation. |
src/capsem/builder/image_verify.py | Asset, package, and image inventory verification. |
src/capsem/builder/image_sbom.py | Guest-image SPDX SBOM generation. |
src/capsem/builder/manifest*.py | Manifest generation, signing, versioning, and check/download verification. |
src/capsem/builder/security_packs.py | Enforcement/detection pack validation and compilation helpers. |
src/capsem/builder/doctor.py | Admin/build prerequisite checks. |
Model Boundary
Section titled “Model Boundary”All user-authored JSON crosses a Pydantic boundary:
ProfileV2.model_validate_json(payload)ServiceSettingsV2.model_validate_json(payload)TypeAdapter(SomeReport).validate_json(payload)model.model_dump_json()TOML is parsed once, serialized through the Pydantic adapter, and then
validated through the same model. Do not add raw nested json.loads() /
json.dumps() manipulation for profiles, settings, manifests, image reports,
or rule packs.
Schemas And Fixtures
Section titled “Schemas And Fixtures”Schema artifacts are generated from models:
schemas/capsem.profile.v2.schema.jsonschemas/capsem.service-settings.v2.schema.jsonschemas/capsem.detection-pack.v1.schema.jsonschemas/capsem.detection.ir.v1.schema.jsonValid and invalid fixtures live under schemas/fixtures/ and are shared with
Rust tests. Add fixtures before changing a public field, enum, or validation
rule.
Focused Tests
Section titled “Focused Tests”Use focused tests while developing:
uv run python -m pytest tests/test_service_settings.py -quv run python -m pytest tests/test_profiles.py -quv run python -m pytest tests/test_admin_cli.py -quv run python -m pytest tests/test_image_verify.py -quv run python -m pytest tests/test_security_packs.py -quv run python -m compileall src/capsemRust parity tests cover the same public contracts:
cargo test -p capsem-core service_settingscargo test -p capsem-core profile_schemacargo test -p capsem-security-engineAdding A Command
Section titled “Adding A Command”- Add or extend a Pydantic model first.
- Add valid and invalid fixtures.
- Add the CLI handler in
src/capsem/admin/cli.py. - Emit structured JSON reports through Pydantic
model_dump_json(). - Add Python tests for text and
--jsonoutput. - Add Rust parity tests when the command touches a runtime contract.
- Update the enterprise docs in capsem-admin.
Release Handoff
Section titled “Release Handoff”Release packaging must ship the same admin package that generated the schemas and assets. The S18 gate verifies both paths:
- packaged enterprise use from PyPI;
- developer bootstrap use from the editable workspace.
The two paths must agree on schemas, defaults, validation errors, and JSON report shapes.