Add language SDKs (Python, Ruby, Go, Node, Haskell) over a JSON-over-FFI core

.github/workflows/claude-code-review.yml

@@ -31,6 +31,15 @@ jobs:
         with:
           fetch-depth: 1
 
+      # Provide the project devenv so the reviewer can build and run tests
+      # (e.g. `devenv shell -- cargo test --all`) instead of reviewing blind.
+      - uses: cachix/install-nix-action@v31
+      - uses: cachix/cachix-action@v16
+        with:
+          name: devenv
+      - name: Install devenv.sh
+        run: nix profile install nixpkgs#devenv
+
       - name: Run Claude Code Review
         id: claude-review
         uses: anthropics/claude-code-action@v1
@@ -51,7 +60,9 @@ jobs:
 
             Be constructive and helpful in your feedback.
 
-          # Optional: pass extra CLI arguments such as a model or tool allowlist
-          # claude_args: |
-          #   --model claude-opus-4-20250514
-          #   --allowedTools "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"
+            The project devenv is available; you can build and run tests with
+            e.g. `devenv shell -- cargo test --all` or `devenv test` to verify
+            suspected issues before reporting them.
+
+          claude_args: |
+            --allowedTools "Bash(devenv:*)"

.github/workflows/ffi-build.yml

@@ -0,0 +1,77 @@
+name: "FFI cdylib"
+
+# Builds the secretspec-ffi C ABI library for each platform the language SDKs
+# bundle. Builds NATIVELY on a per-platform runner rather than cross-compiling,
+# because the crate links system libraries (e.g. dbus/keyring on Linux) that
+# make cross toolchains painful.
+#
+# NOTE: This produces development-grade artifacts. Production packaging
+# (manylinux compliance for Python wheels, macOS code signing/notarization,
+# Windows runtime considerations) is follow-up work tracked with the SDK
+# distribution effort.
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - v**
+  # PR runs are scoped to changes in the FFI crate or this workflow. Core
+  # resolver changes are verified on PRs by the devenv-based test.yml and
+  # sdks.yml; the full matrix here still runs on tags and manual dispatch.
+  pull_request:
+    paths:
+      - "secretspec-ffi/**"
+      - ".github/workflows/ffi-build.yml"
+
+jobs:
+  build:
+    name: ${{ matrix.target }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-gnu
+            runner: ubuntu-latest
+            artifact: libsecretspec_ffi.so
+          - target: aarch64-unknown-linux-gnu
+            runner: ubuntu-24.04-arm
+            artifact: libsecretspec_ffi.so
+          - target: aarch64-apple-darwin
+            runner: macos-latest
+            artifact: libsecretspec_ffi.dylib
+          - target: x86_64-pc-windows-msvc
+            runner: windows-latest
+            artifact: secretspec_ffi.dll
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Linux system dependencies
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y libdbus-1-dev pkg-config
+
+      - name: Install Rust (pinned by rust-toolchain.toml)
+        run: rustup toolchain install
+
+      - name: Build cdylib
+        run: cargo build -p secretspec-ffi --release --target ${{ matrix.target }}
+
+      - name: Smoke test the C ABI (Unix)
+        if: runner.os != 'Windows'
+        run: |
+          cc secretspec-ffi/tests/smoke.c \
+            -I secretspec-ffi/include \
+            -L target/${{ matrix.target }}/release \
+            -lsecretspec_ffi -o smoke
+          LD_LIBRARY_PATH=target/${{ matrix.target }}/release \
+          DYLD_LIBRARY_PATH=target/${{ matrix.target }}/release \
+          ./smoke
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: secretspec-ffi-${{ matrix.target }}
+          path: |
+            target/${{ matrix.target }}/release/${{ matrix.artifact }}
+            secretspec-ffi/include/secretspec.h

.github/workflows/go-embed.yml

@@ -0,0 +1,85 @@
+name: "Go embedded lib"
+
+# Builds the per-platform cdylib the Go SDK embeds (go:embed, behind the
+# `embed_lib` build tag) and verifies the embedded build works with no
+# SECRETSPEC_FFI_LIB set. The libraries are uploaded as artifacts and attached to
+# GitHub releases for users who want a self-contained `-tags embed_lib` build;
+# they are never committed to the repo (the Go module proxy does not carry binary
+# assets — see RELEASE.md).
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - v**
+  # PR runs are scoped to changes in the Go SDK or this workflow. Core
+  # resolver and FFI changes are verified on PRs by the devenv-based test.yml,
+  # sdks.yml, and ffi-build.yml; the full matrix here still runs on tags and
+  # manual dispatch.
+  pull_request:
+    paths:
+      - "secretspec-go/**"
+      - ".github/workflows/go-embed.yml"
+
+jobs:
+  embed:
+    name: ${{ matrix.target }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { target: linux_amd64, runner: ubuntu-latest }
+          - { target: linux_arm64, runner: ubuntu-24.04-arm }
+          - { target: darwin_arm64, runner: macos-latest }
+          - { target: windows_amd64, runner: windows-latest }
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Linux system dependencies (dbus for keyring)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y libdbus-1-dev pkg-config
+
+      - name: Install Rust (pinned by rust-toolchain.toml)
+        run: rustup toolchain install
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.23"
+
+      - name: Stage the embedded cdylib
+        shell: bash
+        run: bash secretspec-go/scripts/stage-cdylib.sh
+
+      - name: Build and smoke test the embedded SDK (no SECRETSPEC_FFI_LIB)
+        shell: bash
+        run: |
+          smoke="$RUNNER_TEMP/embedsmoke"
+          mkdir -p "$smoke"
+          cat > "$smoke/main.go" <<'EOF'
+          package main
+          import (
+            "fmt"
+            secretspec "github.com/cachix/secretspec/secretspec-go"
+          )
+          func main() {
+            v, err := secretspec.ABIVersion()
+            if err != nil { panic(err) }
+            fmt.Println("abi", v)
+          }
+          EOF
+          cat > "$smoke/go.mod" <<EOF
+          module example.com/embedsmoke
+          go 1.23
+          require github.com/cachix/secretspec/secretspec-go v0.0.0
+          replace github.com/cachix/secretspec/secretspec-go => $GITHUB_WORKSPACE/secretspec-go
+          EOF
+          cd "$smoke"
+          go mod tidy
+          unset SECRETSPEC_FFI_LIB
+          go run -tags embed_lib .
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: go-embed-${{ matrix.target }}
+          path: secretspec-go/lib/*

.github/workflows/haskell-build.yml

@@ -0,0 +1,85 @@
+name: "Haskell SDK"
+
+# Builds and tests the Haskell SDK (secretspec-hs) against a freshly built
+# cdylib. The SDK links the secretspec-ffi C ABI at build time via the FFI, so
+# the cdylib's directory goes on both the linker path (--extra-lib-dirs) and the
+# runtime loader path.
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - "secretspec-hs/**"
+      - "secretspec-ffi/**"
+      - "secretspec/**"
+      - ".github/workflows/haskell-build.yml"
+  push:
+    branches: [main]
+    tags:
+      - v**
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      # The cdylib + CLI debug build (AWS/GCP/Bitwarden providers) plus the
+      # Nix store overflows the ~14GB free on a hosted runner.
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet /usr/local/lib/android \
+            /opt/hostedtoolcache/CodeQL /usr/local/.ghcup /opt/ghc \
+            /usr/local/share/boost /usr/local/share/powershell
+          sudo docker image prune --all --force
+          df -h /
+      - uses: cachix/install-nix-action@v31
+      - uses: cachix/cachix-action@v16
+        with:
+          name: devenv
+      - name: Install devenv.sh
+        run: nix profile install nixpkgs#devenv
+      - name: Build cdylib + CLI and run the Haskell SDK test-suite
+        run: |
+          devenv shell -- bash -c '
+            set -euo pipefail
+            cargo build -p secretspec-ffi -p secretspec
+            target_dir="$(cargo metadata --no-deps --format-version 1 \
+              | grep -o "\"target_directory\":\"[^\"]*\"" | head -1 | sed "s/.*:\"\(.*\)\"/\1/")"
+            lib_dir="$target_dir/debug"
+            export SECRETSPEC_BIN="$lib_dir/secretspec"
+            cd secretspec-hs
+            cabal update
+            # --write-ghc-environment-files lets the codegen test compile the
+            # quicktype-generated module; SECRETSPEC_BIN lets it run the CLI.
+            LD_LIBRARY_PATH="$lib_dir:${LD_LIBRARY_PATH:-}" \
+              cabal test --extra-lib-dirs="$lib_dir" \
+                --write-ghc-environment-files=always --test-show-details=streaming
+          '
+
+  publish:
+    name: publish to Hackage
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: cachix/install-nix-action@v31
+      - uses: cachix/cachix-action@v16
+        with:
+          name: devenv
+      - name: Install devenv.sh
+        run: nix profile install nixpkgs#devenv
+      - name: sdist and upload to Hackage
+        # Requires the HACKAGE_TOKEN secret. The package links secretspec-ffi at
+        # build time, so Hackage's build bots cannot compile it (no cdylib); the
+        # upload still succeeds and the README documents the link requirement.
+        env:
+          HACKAGE_TOKEN: ${{ secrets.HACKAGE_TOKEN }}
+        run: |
+          devenv shell -- bash -c '
+            set -euo pipefail
+            cd secretspec-hs
+            cabal sdist
+            cabal upload --publish --token="$HACKAGE_TOKEN" \
+              dist-newstyle/sdist/secretspec-*.tar.gz
+          '

.github/workflows/node-addon.yml

@@ -0,0 +1,59 @@
+name: "Node addon"
+
+# Builds the napi-rs Node addon (secretspec.node) per platform and smoke tests
+# it. The addon embeds the resolver, so the published npm package needs no
+# native build at install time.
+#
+# NOTE: this uploads a per-platform addon artifact. Full npm distribution
+# publishes these as per-platform packages (the pattern @napi-rs/cli automates);
+# that publish wiring is the remaining follow-up.
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - v**
+  # PR runs are scoped to changes in the Node SDK or this workflow. Core
+  # resolver changes are verified on PRs by the devenv-based test.yml and
+  # sdks.yml; the full matrix here still runs on tags and manual dispatch.
+  pull_request:
+    paths:
+      - "secretspec-node/**"
+      - ".github/workflows/node-addon.yml"
+
+jobs:
+  addon:
+    name: ${{ matrix.target }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { target: linux-x64, runner: ubuntu-latest }
+          - { target: linux-arm64, runner: ubuntu-24.04-arm }
+          - { target: darwin-arm64, runner: macos-latest }
+          - { target: win32-x64, runner: windows-latest }
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Linux system dependencies (dbus for keyring)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y libdbus-1-dev pkg-config
+
+      - name: Install Rust (pinned by rust-toolchain.toml)
+        run: rustup toolchain install
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Build the addon and run the SDK tests
+        shell: bash
+        run: |
+          bash secretspec-node/scripts/build-addon.sh
+          ( cd secretspec-node && node --test )
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: node-addon-${{ matrix.target }}
+          path: secretspec-node/secretspec.node