Naareman
diff --git a/‎LICENSE‎
Lines changed: 0 additions & 21 deletions b/‎LICENSE‎
Lines changed: 0 additions & 21 deletions
diff --git a/‎README.md‎
Lines changed: 24 additions & 12 deletions b/‎README.md‎
Lines changed: 24 additions & 12 deletions
diff --git a/‎SKILL.md‎
Lines changed: 27 additions & 0 deletions b/‎SKILL.md‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎references/07-common-mistakes.md‎
Lines changed: 230 additions & 0 deletions b/‎references/07-common-mistakes.md‎
Lines changed: 230 additions & 0 deletions
@@ -92,20 +92,32 @@ Before diving into details, you should be able to see the whole thing working en
 pyckage/
 ├── SKILL.md                          # Main skill definition (philosophy + routing)
 ├── README.md                         # This file
-├── LICENSE                           # MIT
-└── references/
-    ├── 01-scaffold.md                # Package scaffolding (the "whole game")
-    ├── 02-api-design.md              # Naming, messages, errors
-    ├── 03-testing.md                 # pytest conventions and patterns
-    ├── 04-docs.md                    # Docstrings + mkdocs-material
-    ├── 05-lifecycle.md               # Deprecation ceremony + versioning
-    └── 06-release.md                 # PyPI publishing + GitHub Actions
+├── references/
+│   ├── 01-scaffold.md                # Package scaffolding (the "whole game")
+│   ├── 02-api-design.md              # Naming, messages, errors
+│   ├── 03-testing.md                 # pytest conventions and patterns
+│   ├── 04-docs.md                    # Docstrings + mkdocs-material
+│   ├── 05-lifecycle.md               # Deprecation ceremony + versioning
+│   ├── 06-release.md                 # PyPI publishing + GitHub Actions
+│   └── 07-common-mistakes.md         # Python packaging anti-patterns
+└── scripts/
+    └── count-tokens.py               # Token budget checker
 ```
 
-## Contributing
+## Token Budget
 
-This project is opinionated by design. If you think a convention is wrong, open an issue — but bring a reason, not just a preference. The goal is a *philosophy*, not a menu of options.
+pyckage follows [posit-dev/skills](https://github.com/posit-dev/skills) conventions for skill size:
+
+- SKILL.md description: under 100 tokens
+- SKILL.md body: under 5,000 tokens / 500 lines
+- Reference files: loaded on demand (no hard limit)
+
+Check with:
+```bash
+python3 scripts/count-tokens.py .
+# Install tiktoken for exact counts: pip install tiktoken
+```
 
-## License
+## Contributing
 
-MIT
+This project is opinionated by design. If you think a convention is wrong, open an issue — but bring a reason, not just a preference. The goal is a *philosophy*, not a menu of options.
@@ -139,6 +139,33 @@ When invoked without a subcommand (auto-triggered or plain `/pyckage`), use the
 
 ---
 
+## Common Mistakes — Catch These Early
+
+When reviewing or generating Python package code, watch for these. If you see any, fix them
+immediately and explain why.
+
+| Mistake | Why it's bad | Fix |
+|---|---|---|
+| Flat layout (no `src/`) | Imports source dir instead of installed package — tests pass locally, fail for users | Always use `src/` layout |
+| `from .module import *` in `__init__.py` | Slow imports, polluted namespace, no control over public API | Explicit imports + `__all__` |
+| `--cov=src` in pytest | Measures directory path, not importable module — confusing reports | `--cov=my_package` (the importable name) |
+| `dependencies = ["requests"]` (no version) | Breaking release silently breaks your package | Lower bound: `"requests>=2.28"` |
+| `dependencies = ["requests>=2.28,<3"]` | Blocks users from upgrading — #1 cause of dependency conflicts | Lower bound only for libraries |
+| `requires-python = ">=3.10,<3.13"` | Blocks install on new Python versions that almost certainly work | Lower bound only: `">=3.10"` |
+| `__version__ = "0.1.0"` hardcoded in two places | Version drift between pyproject.toml and code | Use `importlib.metadata.version()` |
+| Missing `py.typed` marker | Type checkers ignore all your annotations for downstream users | `touch src/my_package/py.typed` |
+| `print()` for user messages | Not styled, not catchable, not centralized | Use `_messages.py` with `rich` |
+| `raise Exception("bad")` | Too broad — users can't catch specific errors | Custom exception hierarchy in `errors.py` |
+| Dev deps in `[project] dependencies` | Users get pytest, ruff installed as transitive deps | Use `[dependency-groups]` (PEP 735) |
+| `tests/__init__.py` exists | Confuses package discovery, may ship tests in wheel | Remove it — use `conftest.py` instead |
+| `MANIFEST.in` for wheel contents | MANIFEST.in only affects sdist, not wheels | Use build backend config for wheel contents |
+| Pinned deps in library (`"requests==2.31.0"`) | Impossible to install alongside anything else needing requests | Pins are for apps (lock files), not libraries |
+| `mkdocs.yml` inside `docs/` | `mkdocs serve` looks in project root by default | Keep `mkdocs.yml` at project root |
+
+For the full list with detailed explanations, see [references/07-common-mistakes.md](references/07-common-mistakes.md).
+
+---
+
 ## Tone When Helping
 
 - Be opinionated. This skill exists to have opinions. Don't offer five options when one is right.
 
@@ -0,0 +1,230 @@
+# 07 — Common Mistakes in Python Packaging
+
+These are real-world mistakes that trip up both beginners and experienced developers.
+When reviewing or writing package code, check for these actively.
+
+---
+
+## Table of Contents
+
+- [Project Structure](#project-structure)
+- [pyproject.toml Configuration](#pyprojecttoml-configuration)
+- [Imports](#imports)
+- [Version Management](#version-management)
+- [Dependencies](#dependencies)
+- [Files Missing from Builds](#files-missing-from-builds)
+- [Publishing](#publishing)
+- [Testing](#testing)
+
+---
+
+## Project Structure
+
+### Using flat layout instead of src layout
+```
+# BAD — source is importable from project root
+my-package/
+├── my_package/    ← Python imports this instead of installed version
+├── tests/
+└── pyproject.toml
+
+# GOOD — src layout prevents accidental imports
+my-package/
+├── src/
+│   └── my_package/
+├── tests/
+└── pyproject.toml
+```
+**Why:** The current working directory is first on `sys.path`. Without `src/`, tests pass
+locally but the installed package may be broken (missing files, wrong imports).
+
+### Including tests/ in the wheel
+**Mistake:** Build includes a top-level `tests/` in the wheel.
+**Why:** Writes to `site-packages/tests/`, colliding with other packages.
+**Fix:** With hatchling, use `[tool.hatch.build.targets.wheel] exclude = ["tests"]`.
+
+### Putting `__init__.py` in tests/
+**Why:** Confuses package discovery. Tests should never be importable.
+**Fix:** Remove it. Use `conftest.py` for shared fixtures.
+
+---
+
+## pyproject.toml Configuration
+
+### Missing `[build-system]` table
+**Why:** Build tools fall back to legacy setuptools behavior, which is unpredictable.
+**Fix:** Always include:
+```toml
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+```
+
+### Deprecated license table format
+**Mistake:** `license = {text = "MIT"}` or `license = {file = "LICENSE"}`.
+**Why:** PEP 639 deprecated the table format.
+**Fix:** Use `license = "MIT"` (SPDX string) + `license-files = ["LICENSE"]`.
+
+### Not reinstalling after changing pyproject.toml
+**Why:** `pyproject.toml` is read at install time. Changes are ignored until reinstall.
+**Fix:** Run `uv sync` or `uv pip install -e .` after changes.
+
+---
+
+## Imports
+
+### Running modules directly instead of `python -m`
+**Mistake:** `python src/mypackage/cli.py`
+**Why:** Sets `__package__` to `None`, breaking all relative imports.
+**Fix:** Use `python -m mypackage.cli`, or define entry points:
+```toml
+[project.scripts]
+mycli = "mypackage.cli:main"
+```
+
+### "Import the world" in `__init__.py`
+```python
+# BAD
+from .models import *
+from .utils import *
+from .core import *
+
+# GOOD
+from my_package.core import read_data, write_data
+from my_package.errors import MyPackageError
+
+__all__ = ["read_data", "write_data", "MyPackageError"]
+```
+**Why:** Slows import time, wastes memory, pollutes namespace.
+
+### Missing `__all__` for re-exports
+**Why:** Type checkers (mypy, pyright) treat imports without `__all__` as private.
+Users get "module has no attribute" type errors.
+
+### `TYPE_CHECKING` guard without string annotations
+```python
+# BAD — crashes at runtime
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from .models import User
+
+def get_user() -> User: ...  # NameError!
+
+# GOOD — use string annotation or future annotations
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from .models import User
+
+def get_user() -> User: ...  # works
+```
+
+---
+
+## Version Management
+
+### Version in multiple places
+**Mistake:** Hardcoding in both `pyproject.toml` and `__init__.py`.
+**Fix:** Single source:
+```python
+# src/my_package/__init__.py
+from importlib.metadata import version
+__version__ = version("my-package")
+```
+
+### Dynamic version that isn't a string literal
+**Mistake:** `__version__ = f"{major}.{minor}.{patch}"` or `__version__ = get_version()`.
+**Why:** Build backends parse source statically — they won't execute your code.
+**Fix:** Always a plain string: `__version__ = "1.2.3"` (if not using importlib.metadata).
+
+### importlib.metadata with no fallback
+**Mistake:** Fails when code is copied without installing (Lambda, Docker, vendoring).
+**Fix:**
+```python
+try:
+    from importlib.metadata import version
+    __version__ = version("my-package")
+except Exception:
+    __version__ = "0.0.0"
+```
+
+---
+
+## Dependencies
+
+### No version bounds
+**Mistake:** `dependencies = ["requests", "pydantic"]`
+**Fix:** Lower bounds: `dependencies = ["requests>=2.28", "pydantic>=2.0"]`
+
+### Overly strict upper bounds
+**Mistake:** `dependencies = ["requests>=2.28,<3"]`
+**Why:** When a compatible release comes out, your package blocks users from upgrading.
+This is the single biggest cause of dependency resolution conflicts in Python.
+**Fix:** Lower bounds only for libraries. Reserve upper bounds for *known* incompatibilities.
+
+### Upper bound on `requires-python`
+**Mistake:** `requires-python = ">=3.10,<3.13"`
+**Why:** pip/uv will refuse to install on Python 3.13 even though it almost certainly works.
+**Fix:** `requires-python = ">=3.10"`
+
+### Pinned exact versions in library deps
+**Mistake:** `dependencies = ["requests==2.31.0"]`
+**Why:** Makes it impossible to install alongside other packages needing a different version.
+**Fix:** Pins are for applications (lock files), not libraries.
+
+### Dev deps in `[project] dependencies`
+**Mistake:** pytest, ruff, mypy in `dependencies`.
+**Why:** Users installing your library get all your dev tools as transitive deps.
+**Fix:** Use `[dependency-groups]` (PEP 735):
+```toml
+[dependency-groups]
+dev = ["pytest>=8.0", "ruff>=0.4", "mypy>=1.0"]
+```
+
+---
+
+## Files Missing from Builds
+
+### `py.typed` not shipping in wheel
+**Why:** Type checkers treat your package as untyped and ignore all annotations.
+**Fix:** Verify: `unzip -l dist/*.whl | grep py.typed`
+
+### Non-Python data files missing
+**Mistake:** JSON schemas, templates, SQL files at project root instead of inside package dir.
+**Fix:** Put data files inside `src/my_package/`. Hatchling includes them by default.
+
+### Confusing MANIFEST.in with wheel contents
+**Why:** `MANIFEST.in` only controls sdist (source distribution). Zero effect on wheels.
+**Fix:** Use build backend config for wheel contents.
+
+---
+
+## Publishing
+
+### Not building both sdist and wheel
+**Why:** Without wheel: slow source builds. Without sdist: users can't audit source.
+**Fix:** `uv build` produces both by default.
+
+### Classifiers not matching `requires-python`
+**Mistake:** `requires-python = ">=3.10"` but classifiers only list 3.10, 3.11.
+**Why:** PyPI uses classifiers for search filtering. Not auto-generated.
+**Fix:** Keep classifiers in sync with every Python version you test against.
+
+### Not using Trusted Publishing
+**Mistake:** Long-lived API tokens in CI secrets.
+**Why:** Tokens can leak. Compromised CI = malicious package versions.
+**Fix:** Use PyPI Trusted Publishing (OIDC) with GitHub Actions.
+
+---
+
+## Testing
+
+### Testing source checkout instead of installed package
+**Why:** Missing files, wrong `__init__.py`, broken entry points — none caught.
+**Fix:** src layout + editable install (`uv pip install -e .`) + pytest.
+
+### Importing from conftest.py explicitly
+**Mistake:** `from conftest import some_fixture`
+**Why:** conftest.py is auto-loaded by pytest. Explicit imports cause double-loading.
+**Fix:** Just use fixture names — pytest injects them automatically.