# lockfiles
Multi-ecosystem lockfile parser that turns lockfile *contents* into normalized,
resolved dependencies keyed by [PURL](https://github.com/package-url/purl-spec).
> [!WARNING]
> **WIP: name reserved, implementation to come.**
> This repository currently contains only the project scaffold (packaging, CI, and
> binding stubs). There is **no parsing logic yet**. The `0.0.1` placeholder releases
> on crates.io, PyPI, and npm exist solely to reserve the `lockfiles` name.
## What it will be
A Rust core (library + CLI) that parses lockfiles from multiple ecosystems and emits
normalized resolved dependencies. It is *content-in*: it consumes lockfile contents,
not paths. Its boundary is **facts, not verdicts**: it reports what a lockfile resolves
to, and leaves policy decisions to downstream tooling.
Bindings expose the same core to other ecosystems:
- **Python** via [PyO3](https://pyo3.rs) / [maturin](https://www.maturin.rs)
- **Node.js** via [napi-rs](https://napi.rs)
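The content-in, facts-only boundary described above, shown for `Cargo.lock` alone. This is an added example, not code from this repository (which has no parsing logic yet): `Resolved`, `parse_cargo_lock` and `SAMPLE` are hypothetical names, and the sample input is constructed.

```rust
use std::collections::BTreeMap;

/// Facts recorded for one resolved package; no policy verdict attached.
#[derive(Debug, PartialEq)]
pub struct Resolved { pub source: Option<String>, pub checksum: Option<String> }

/// Hypothetical helper, not the `lockfiles` API: maps Cargo.lock *contents* to PURLs.
/// Reads only `key = "value"` lines in `[[package]]` tables; assumes no percent-encoding.
pub fn parse_cargo_lock(contents: &str) -> BTreeMap<String, Resolved> {
    let mut out = BTreeMap::new();
    let mut cur: Option<BTreeMap<&str, &str>> = None;
    // The trailing sentinel header flushes the last package.
    for line in contents.lines().map(str::trim).chain(std::iter::once("[eof]")) {
        if line.starts_with('[') {
            if let Some(f) = cur.take() {
                if let (Some(n), Some(v)) = (f.get("name"), f.get("version")) {
                    let facts = Resolved {
                        source: f.get("source").map(|s| s.to_string()),
                        checksum: f.get("checksum").map(|s| s.to_string()),
                    };
                    out.insert(format!("pkg:cargo/{n}@{v}"), facts);
                }
            }
            if line == "[[package]]" { cur = Some(BTreeMap::new()); }
        } else if let (Some(f), Some((k, v))) = (cur.as_mut(), line.split_once('=')) {
            // Keep quoted strings only; arrays such as `dependencies` are skipped.
            let v = v.trim();
            if v.len() >= 2 && v.starts_with('"') && v.ends_with('"') {
                f.insert(k.trim(), &v[1..v.len() - 1]);
            }
        }
    }
    out
}

// Constructed sample input; the checksum is a placeholder, not a real digest.
pub const SAMPLE: &str = r#"version = 3
[[package]]
name = "app"
version = "0.1.0"
dependencies = ["serde"]
[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-placeholder"
"#;
fn main() {
    for (purl, facts) in parse_cargo_lock(SAMPLE) { println!("{purl} {facts:?}"); }
}
```

A missing `source` or `checksum` is reported as `None` rather than rejected, so whether an unpinned or unverified package is acceptable stays a downstream policy decision.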
## Layout
```
.                 core crate `lockfiles` (library + CLI)
bindings/python   PyO3 + maturin binding -> PyPI: lockfiles
bindings/node     napi-rs binding -> npm: lockfiles
```
## Development
```sh
cargo nextest run # tests (or: cargo test)
cargo clippy --all-targets -- -D warnings
cargo fmt --all
```
Bindings are built out of band (they are excluded from the default workspace members):
```sh
# Python (uses uv)
cd bindings/python && uv run --with maturin maturin develop && uv run pytest
# Node
cd bindings/node && npm install && npm run build:debug && npm test
```
## License
Dual-licensed under either of [MIT](LICENSE-MIT) or [Apache-2.0](LICENSE-APACHE), at
your option.