Can someone who was not involved get this running? Estafette answers that question mechanically.
Estafette makes public-sector proofs of concept transferable — and measurably so. It is a command-line tool that assesses a repository against a transfer manifest and produces a transferability report with a tier verdict. It orchestrates existing, trusted scanners rather than reinventing them.
- Status: v1 complete —
estafette assessproduces a bronze verdict and a transferability report. Seeopenspec/project.mdfor the plan. - Example report (SIDN Pioniers annex): estafette assessed on itself —
reports/50a9e694a1a4/report.md(bronze, byte-reproducible for that commit). - Licence: EUPL-1.2 — public from day one.
- Python: 3.12+
- Package/runner:
uv
The name estafette is Dutch for a relay race. A proof of concept is the baton: the point is whether it can be handed off cleanly to someone who wasn't there when it was built.
Given a repository and a transfer manifest, estafette runs a fixed set of mechanical checks and reports, per check:
- the status (pass / fail),
- an actionable gap for every failure (e.g. "dependency
Xis imported in code but not declared"), never a bare red cross, and - the evidence it used, so the verdict is auditable.
It then assigns a tier. In v1 the only implemented tier is bronze — the floor that makes reuse conversations possible.
- REUSE-compliant (every file has licence + copyright info)
- Declared licence is consistent everywhere it appears
- No secrets detected
- SBOM generates cleanly and matches declared dependencies
- Transfer manifest present and valid
- Contact/owner field non-empty
Silver (builds reproducibly in an isolated harness) and gold
(third-party deployable, data requirements satisfiable) are specified as
roadmap in docs/tiers.md and not yet enforced. The build
harness itself is built in v1, and its result is reported informationally
("would this pass silver: yes/no + gaps").
Estafette orchestrates, it does not reinvent:
| Concern | Tool |
|---|---|
| Licence clarity | REUSE |
| Software bill of materials | syft |
| Secret detection | gitleaks |
| Vulnerabilities | trivy (v2) |
Estafette's own code is the manifest schema, the build harness, the tier
semantics, and the report — nothing else. Full invariants are in
openspec/project.md; highlights:
- Mechanical or it doesn't count — a tier is only ever the output of the engine on a specific commit.
- Diagnose, don't just fail — the gap report is the product.
- Untrusted code never runs ambient — the build harness runs in rootless
podmanwith no network in the run stage and strict resource caps. - Deterministic and reproducible — same commit + same estafette version → byte-identical report body.
- No LLM anywhere in the verdict path.
uvx estafette assess <path-or-git-url> [--manifest path/to/manifest.yaml]This produces report.json and a human-readable report.md under reports/.
The catalogue shares PoC entries — each a proof of concept that delivered
code, only findings, or both. The transferability verdict is an optional badge,
not a requirement. Entries are YAML files under catalog/ (see
docs/catalog-spec.md); they wrap publiccode.yml
rather than reinventing it, adding only kind and conclusion.
estafette catalogue --catalog catalog --out siteThis writes site/index.html (one row per PoC: name, kind, status, verdict badge
where assessed, conclusion) plus a detail page per entry — plain HTML, no server
or database. A Pages workflow builds it from
catalog/ and deploys to GitHub Pages on every push.
Live catalogue: https://mwest2020.github.io/estafette/
The transfer manifest is designed as an extension profile of
publiccode.yml, not a competitor: field
names align where overlap exists. See
docs/manifest-spec.md.
The static checks orchestrate three external scanners (invariant: orchestrate,
don't reinvent). Install them and put them on your PATH:
| Tool | Used by | Install |
|---|---|---|
| REUSE | licence/copyright coverage | shipped as a dev dependency; uv sync provides it |
gitleaks |
secret detection | download the release binary |
syft |
SBOM generation | curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ~/.local/bin |
podman (optional) |
build harness / silver preview | rootless; absence degrades the silver preview gracefully |
If a required scanner is missing, estafette assess exits with a clear
error naming it — a missing scanner never reads as a pass. podman is
optional: when it is absent or unusable, the informational silver preview
reports not assessable and the bronze verdict is unaffected.
Security note: the harness run stage executes assessed code with no network, no host environment, resource caps, and a read-only root filesystem (invariant I4). The build stage currently permits network egress for dependency fetch — see
docs/tiers.md.
This project uses the OpenSpec
workflow (propose → apply → archive). Proposed and in-progress work lives under
openspec/changes/.
uv sync # install dependencies (incl. reuse)
uv run pytest # run tests (scanner-dependent tests skip if a tool is absent)
uv run ruff check # lintEUPL-1.2. Copyright the estafette contributors.