28 KiB
MLSysBook CLI (binder) — Architecture & Reference
The ./book/binder CLI is the single source of truth for building, checking, fixing, and formatting MLSysBook. Every book-check-* pre-commit hook dispatches through ./book/binder check <group>; CI uses the same commands.
User-facing command reference: book/docs/BINDER.md (check/fix tables, pre-commit mapping, examples).
This file covers implementation: architecture, scope registry, pre-commit contract, EPUB layers, and how to add new checks.
Architecture
cli/
├── main.py # CLI router, help system (Rich UI)
├── core/
│ ├── config.py # Quarto config management (symlinks, switching)
│ └── discovery.py # Chapter/file discovery, fuzzy matching
├── commands/
│ ├── build.py # Build HTML/PDF/EPUB (full book or chapters)
│ ├── preview.py # Live dev server with hot reload
│ ├── validate.py # Check router: dispatches scopes → cli/checks or inline
│ ├── formatting.py # Auto-formatters (format group)
│ ├── reference_check.py # Bibliography verification (Crossref/DOI)
│ ├── _epub_checks.py # EPUB hygiene / smoke / epubcheck primitives
│ ├── bib.py # Bibliography management
│ └── …
├── checks/ # Check implementations (canonical home — grow here)
│ ├── cli_contract.py # cli --scope contract (public command surface)
│ ├── lego_dead_code.py # code --scope lego-dead-code (LEGO liveness)
│ ├── math_canonical.py # math --scope canonical (LEGO fmt discipline)
│ └── math_multiplier_style.py # math --scope multiplier-style (prose × rules)
├── formats/ # Format-specific handlers
└── utils/ # Shared utilities
Check implementation layout
Goal: every ./book/binder check … scope is backed by code under book/cli/,
not by loading arbitrary scripts from book/tools/ at runtime.
| Layer | Location | Status |
|---|---|---|
| Router + inline checks | commands/validate.py |
~75 scopes (regex walks, graphs) live here today |
| Extracted check modules | cli/checks/*.py |
Preferred home for new checks and migrations |
| Shared primitives | commands/_epub_checks.py, reference_check.py, core/*.py |
Native CLI modules |
| Fix / maintenance | commands/maintenance.py |
Self-contained (no script delegation) |
Anti-pattern (being phased out): importlib or subprocess from Binder into
book/tools/scripts/*.py or book/tools/bib_lint.py. Older files may remain
temporarily as standalone CLIs, but Binder-owned behavior should live in
cli/checks/ or cli/core/ and be imported normally.
Migrated examples:
cli --scope contract->cli/checks/cli_contract.pymath --scope canonical->cli/checks/math_canonical.pymath --scope multiplier-style->cli/checks/math_multiplier_style.pycode --scope lego-dead-code->cli/checks/lego_dead_code.pybib mechanical->cli/core/bib_mechanical.pybib hygiene/style->cli/checks/bib_lint.pyclean artifacts->cli/core/artifacts.py
Still transitional: bib update (reviewed betterbib helper), several
table/image scopes, spelling scopes, and audit.checks.* adapters. Bib
publication scopes such as bib --scope hygiene, bib --scope style,
bib --scope integrity, bib --scope orphans, and bib --scope key-content
run through Binder and emit ValidationIssue records directly.
Script Ownership Rules
To keep the CLI clean:
- User-facing book automation belongs in Binder:
check,fix,format,bib,render,audit,layout,clean,doctor,build,preview. - Pre-commit and CI integrations should call
./book/binder ...for book workflows. Do not add new hooks that invokepython3 book/tools/...directly. - Standalone scripts are allowed only when they are one of:
- Quarto post-render hooks that Quarto itself calls;
- cross-repository/shared-site tools outside the book CLI's ownership;
- explicitly documented one-off research/release audit tools;
- temporary migration shims with a documented removal path.
- New checks start in
book/cli/checks/unless they are tiny enough to keep as an inline_run_*invalidate.py.
Do not add new pre-commit hooks that call python3 book/tools/... directly.
Use the full "Adding a new check" flow below so implementation, diagnostics,
examples, and pre-commit behavior stay in one contract.
Public Command Taxonomy
Binder uses verbs for workflow ownership. Keep new commands inside this shape:
| Verb | Implementation home | Rule |
|---|---|---|
build, preview |
commands/build.py, commands/preview.py |
Render outputs and run live authoring. |
check |
commands/validate.py + cli/checks/ |
Read-only validation; pre-commit/CI entry point. |
format |
commands/formatting.py |
Deterministic source formatting; support --check for hooks. |
fix |
commands/maintenance.py |
Targeted maintenance that may write source files. |
bib |
commands/bib.py + cli/core/bib_* |
Bibliography lifecycle and §5 normalization. |
clean |
commands/clean.py + cli/core/artifacts.py |
Remove generated artifacts/local build state only. |
reset |
commands/reset.py + commands/build.py reset primitive |
Restore build YAML manifests after scoped builds. |
info |
commands/info.py |
Read-only reports and inventories. |
render |
commands/render.py |
Generate derived assets such as plot galleries. |
audit |
commands/audit.py |
Heavier or ledgered audits outside normal commit checks. |
doctor, status, list, setup, switch, debug, layout, headings |
main router or focused modules | Environment, state, diagnostics, and specialized maintenance. |
Prefer canonical verbs in documentation and automation. validate -> check and
maintain -> fix remain compatibility aliases; do not add new aliases unless
there is a migration plan and a removal date.
Command Groups
Build & Preview
./binder build pdf --vol1 # Build Volume I PDF
./binder build pdf --vol1 --layout # Build Volume I PDF, then emit auto-layout plan
./binder build html --vol2 # Build Volume II website
./binder build pdf intro # Single chapter PDF
./binder reset pdf --vol1 # Reset Volume I PDF YAML after scoped builds
./binder reset all # Reset all build YAML configs
./binder preview # Live dev server (full book)
./binder preview intro # Live dev server (single chapter)
Layout (PDF auto-layout)
Layout is a rendered-PDF workflow. Keep the high-level planner and the low-level scanners separate:
./binder layout --vol1 # Build PDF, then emit one layout plan
./binder layout --vol1 --no-build # Reuse existing PDF for the plan
./binder layout --vol1 --no-build --json /tmp/layout-plan.json
./binder layout check <pdf> --csv # Main-flow whitespace scanner only
./binder layout margins <pdf> --csv # Native margin-geometry scanner only
Implementation contract:
commands/layout.pyowns both the high-level planner and the scanner primitives. Avoid one-off scripts for layout repair logic.- The planner emits rows with
phase,channel,strategy,confidence,automatable,deferred,ready, source coordinates, andsuggested_fix. 1-main-flowis always repaired before2-margin-calibration; margin rows can be reported while main flow is unstable, but they are deferred.main-flowstrategies cover callouts, tables, figures, paragraphs, and structural accepts.margin-geometrystrategies cover footnote[offset=...], in-block.column-margin\vspace*, and margin stack solving.- Source-writing should be explicit and iterative: plan, apply only ready high-confidence rows in the active phase, rebuild, re-plan.
Check (Validation)
All validation lives in validate.py. Each check belongs to a group and has a scope. Each scope carries a default flag that controls whether it runs in the curated set (pre-commit / CI) or only on demand.
./binder check <group> # default=True scopes only
./binder check <group> --scope <name> # one specific scope
./binder check <group> --all-scopes # every scope, including default=False
./binder check all # every group's default=True scopes
./binder check all --vol1 # ... scoped to Volume I
./binder check <group> help # per-group scope listing
./binder check cli # read-only Binder command contract
How scopes are discovered
./binder check (no args) prints the full group catalogue. Scopes marked with * are default=False — opt-in only, reachable via --scope or --all-scopes. Per-group help (./binder check <group> help) prints the same catalogue with one row per scope, plus the runner method name and a one-line note.
The authoritative list is the GROUPS dict in book/cli/commands/validate.py. That dict is the only place a new scope needs to be wired; pre-commit, CI, and ad-hoc invocations all read from it.
Bibliography checks
Bibliography publication gates belong under ./binder check bib, not under
table/prose/image hooks and not in standalone scripts. The curated bib set runs:
hygiene: §5 BibTeX schema and MIT Press field hygiene.style: baseline-ratcheted metadata warnings/info, including suspicious title case, initials-only authors, missing journal volumes, acronym-only venues, and non-canonical publishers.integrity: every book citation resolves in the bibliography used for that volume; cross-volume leaks fail even if the key exists elsewhere.
Opt-in bib cleanup scopes are:
orphans: unused volume BibTeX entries; each finding says remove, cite, or document as canonical background.key-content: citekey author/year drift; each finding says whether to rename the key/update citations or correct the entry body/year.
The pre-commit hook triggers on book/quarto/contents/**/*.qmd and .bib
changes because citation integrity depends on both prose and bibliography
source. hygiene and style use reviewed baselines under book/tools/ so
known debt is documented but new debt fails. Use ./binder check bib --json
for structured fix output.
Default vs. opt-in: the contract
A scope is default=True when it should run on every commit. Reasons to mark a scope default=False:
- It currently fails on dev (corpus debt; opt in to find the cleanup work, then flip the flag).
- It is intentionally heavy — slow (
math/render-audit, ~10 min) or external (references/hallucinator, network calls;spelling/*requires aspell;epub/epubcheckrequires JRE). - It is a manual-stage check (
render-auditis also wired to pre-commit's[manual]stage).
Flipping default=False → default=True once dev is clean is a one-line edit in validate.py. No YAML change needed.
Format (Auto-formatters)
./binder format blanks # Collapse extra blank lines
./binder format python # Format Python blocks (Black, 70 chars)
./binder format lists # Fix list spacing
./binder format divs # Fix div/callout spacing
./binder format tables # Format grid tables
./binder format prettify # Align pipe table columns
./binder format all # Run all formatters
Other Commands
./binder info stats --vol1 # Word counts, figure counts
./binder info figures --vol1 # Extract figure list
./binder info concepts --vol1 # Extract concept list
./binder bib sync --vol1 # Sync bibliography
./binder render plots --vol1 # Render matplotlib plots to PNG
./binder clean # Remove build artifacts
./binder doctor # Comprehensive health check
./binder debug pdf --vol1 # Find failing chapter in PDF build
Pre-commit Integration
Every book-* pre-commit hook routes through ./book/binder. The hook tree mirrors the binder command tree one-to-one: there is one hook per check group (book-check-refs, book-check-prose, book-check-footnotes, ...). Each hook runs the curated default scopes for its group; opt-in scopes are reachable on the CLI via --scope or --all-scopes.
- id: book-check-<group>
entry: ./book/binder check <group>
language: system
pass_filenames: false
files: ^book/quarto/contents/.*\.qmd$
Structural exceptions, all documented inline in .pre-commit-config.yaml:
-
CLI contract hook (
book-check-cli-contract) — always runs./book/binder check clibecause it guards help text, removed command aliases, and reset/build command shape. It is read-only and does not inspect staged files. -
Per-scope split for
labels— theorphansscope is currently clean only on Vol I (Vol II has forward references to unwritten chapters). The split lets the universally-cleanduplicatesscope cover both volumes whileorphansstays vol1-only:Group Scope hook Vol coverage labels book-check-labels-orphansvol1 only (vol2 forward refs to unwritten chapters) labels book-check-labels-duplicatesboth vols (fig+tbl+lst by binder default) Collapse back to a single
book-check-labelsonce Vol II's chapter list is complete. -
Format-vs-content split (
book-check-tablesrunsbinder check tablesfor content;book-check-tables-formatrunsbinder format tables --checkfor whitespace) — these are different binder commands.
No inline bash scripts. One CLI, one validation framework, one error format. Retired-hook context belongs in the commit or PR that removes the hook, not in a repo-side graveyard file.
Adding a new check
The flow that a future maintainer should mimic:
- Implement the runner in
book/cli/commands/validate.pyas_run_<scope>(self, root: Path) -> ValidationRunResult. For per-file regex checks, walkself._qmd_files(root). For graph / corpus checks, build the model once and emitValidationIssueentries. If the logic is reusable or more than a few lines, put it inbook/cli/checks/and have the runner adapt those structured results to Binder'sValidationIssueformat. - Register the scope by adding a
Scope("<name>", "_run_<scope>", default=...)entry to the right group in theGROUPSdict at the top of the file. Markdefault=Falseif the scope still fails on dev or is intentionally opt-in. - Document examples in the code and CLI docs: every new check module should include bad/good source examples in its module docstring, one example per error code. User-facing scopes should also add the same examples to
book/docs/BINDER.mdor the relevant Binder doc page. The goal is that a maintainer, author, or automated repair pass can open either the checker or CLI docs and immediately see what mistake it is looking for and what the canonical fix looks like. - Surface any new flags in the argparse block in
ValidateCommand.run(), and dispatch them in_run_groupif the runner needs them as kwargs. - Stop. Pre-commit picks up the new scope automatically because the existing
book-check-<group>hook already runs every default-True scope in the group. You only add a new pre-commit hook for a brand-new group, or to pass a scope-specific flag (the vol1 / format-check exceptions above).
When you flip a scope from default=False → default=True, that single edit in validate.py ships the scope to every developer's pre-commit and to CI on the next push.
Diagnostic output contract
Binder check failures should be easy to fix from the CLI output alone. Each ValidationIssue should include:
| Field | Purpose |
|---|---|
file + line |
Exact source location to edit. |
code |
Stable machine-readable error code, such as body_multiplier_suffix. |
message |
One-sentence diagnosis of what is wrong. |
context |
The offending source line or narrow snippet. Human output prints this as source:. |
suggestion |
Optional canonical rewrite guidance. Human output prints this as fix: and JSON includes it when present. |
Use cli/checks/cli_contract.py and cli/checks/math_multiplier_style.py as
models for example-rich diagnostics.
CLI contract examples:
| Error code | Bad source / command surface | Fix guidance |
|---|---|---|
cli_contract_exit |
./book/binder pdf reset --vol1 exits 0, or help paths exit 1 |
Preserve the public CLI contract: help returns 0; removed commands and parse errors return 1. |
cli_contract_missing_output |
./book/binder check no longer lists cli / contract |
Update help text and docs when the command tree intentionally changes. |
cli_contract_unexpected_output |
./book/binder build --help still mentions build reset |
Remove stale help; YAML reset is ./book/binder reset <fmt|all>. |
Math multiplier examples:
| Error code | Bad source | Fix guidance |
|---|---|---|
body_multiplier_suffix |
speedup_str = fmt(speedup, suffix="×") |
Use speedup_mult_str = fmt_multiple(speedup, ...); prose uses `{python} speedup_mult_str` by itself. |
mult_double_glyph |
`{python} speedup_mult_str`$\times$ |
Remove the prose glyph; fmt_multiple / fmt_multiple_range already emit ×. |
unicode_times_in_prose |
A100 × H100 |
Use A100 $\times$ H100 in rendered prose; raw × only in plain-text contexts. |
times_product_spacing |
`{python} a_str`$\times$`{python} b_str` |
Use spaces around product operators: `{python} a_str` $\times$ `{python} b_str`. Computed prose multipliers use *_mult_str. |
fmt_sci_math_context |
MarkdownStr(f"${fmt_sci(flops)}$") |
Use fmt_math(sci_latex(...)) for prose math; keep fmt_sci() for plain text. |
EPUB Checks — Two Layers, One CLI Surface
EPUB validation exists in two layers that both sit inside the binder CLI. Developers and CI exercise identical code paths, so there is no drift between "what pre-commit runs" and "what CI enforces."
./binder check epub # all scopes (default)
./binder check epub --scope hygiene # layer 1 — source-level, pre-commit grade
./binder check epub --scope epubcheck # layer 2 — post-build W3C validator
./binder check epub --scope epubcheck \
--max-fatal 0 --max-errors 0 # tighten thresholds (CI-style)
./binder check epub --json # machine-readable output (tools, CI)
Implementation: book/cli/commands/validate.py (_run_epub_hygiene, _run_epubcheck native methods) and the shared primitives in book/cli/commands/_epub_checks.py.
Layer 1 — hygiene (source-level, fast)
Runs in <1s across all SVG and BibTeX files under book/quarto/contents/. No EPUB build required. Wired into the pre-commit hook book-epub-hygiene.
Catches the four source-level patterns that historically broke builds in April 2026 (issues #1014, #1052, #1148):
| Code | What it catches | Symptom at epubcheck time |
|---|---|---|
svg-c0 |
C0 control characters (U+00–U+1F except TAB/LF/CR) inside SVG aria-label="..." values. Produced by matplotlib rendering titles that contain raw-bytes representations. |
FATAL(RSC-016) — EPUB fails to load in Kindle and ClearView. |
svg-dupe-marker |
Duplicate <marker id="X"/> inside a single SVG's <defs>. Produced by copy-paste during figure editing. |
ERROR(RSC-005) — figure may not render. |
bib-url-escape-underscore |
\_ inside a url= or http-bearing doi= BibTeX field. BibTeX's LaTeX escape leaks through citeproc. |
ERROR(RSC-020) — Kindle's URL validator rejects the href. |
bib-url-escape-percent |
\% inside the same URL fields. |
ERROR(RSC-020). |
bib-url-raw-angle |
Raw < or > inside URL fields (legal in SICI DOIs but forbidden by strict URI syntax). |
ERROR(RSC-020). |
If one of these triggers during commit, the fix is almost always at source:
- SVG C0 chars — open the matplotlib script that produced the plot and find the
plt.title(...)/ax.set_xlabel(...)call with arepr(bytes)or similar. Replace with the decoded string. - Duplicate SVG markers — open the SVG in a text editor and delete the duplicate
<marker>element. The compact one-line form and the multi-line expanded form are two common duplicates; keep one. - BibTeX URL escapes — edit the
.bibentry: replace\_with_,\%with%,</>with%3C/%3E. These escapes are LaTeX-only; BibTeXurl = { ... }fields do not require them.
Layer 2 — smoke (built-EPUB, no Java)
Runs in <1s against every EPUB under _build/epub-vol*/. Catches reader-compatibility issues that epubcheck does not, because it enforces EPUB 3 spec conformance while readers enforce a stricter subset:
| Code | What it catches | Symptom |
|---|---|---|
smoke-css-custom-property-decl |
--var-name: value; declarations in packaged CSS. |
ClearView / Tolino (pre-2023 firmware) silently fail to load the EPUB. |
smoke-css-custom-property-use |
var(--x) references. |
Same readers render the default fallback, producing visual regressions. |
smoke-external-resource |
src="https://..." / <link href="https://..."> in any XHTML. |
EPUB readers do not fetch remote assets; image shows as broken-icon on every reader. |
Fix at source in every case — there is no legitimate reason a packaged EPUB should reference external assets, and CSS custom properties should be inlined (or post-processed away) for the packaged stylesheet.
Useful when Java is not installed locally and epubcheck is unavailable; the other two layers still provide real coverage.
Layer 3 — epubcheck (built-EPUB, full spec)
Runs the W3C epubcheck validator against every EPUB discovered under book/quarto/_build/epub-vol*/. Emits ValidationIssue records with file, line, column, RSC/OPF code, severity, and human-readable message. When running under GitHub Actions, also emits ::error file=...,line=...:: annotations so findings show up inline on PR diffs.
Requires the epubcheck Python package (pinned in book/tools/dependencies/requirements.txt) plus a Java runtime (JRE 8+). If neither python -m epubcheck nor the epubcheck system binary is available, the check emits an epubcheck-missing issue with install instructions rather than silently passing.
Thresholds (from the command line, environment variables, or the CI workflow). Two modes:
-
Flat thresholds (for local use or simple CI):
--max-fatal N— fail if FATAL count exceeds N (default: 0). Kindle and ClearView reject any EPUB with FATAL, so 0 is the correct production threshold.--max-errors N— fail if ERROR count exceeds N (default: unlimited). Tighten to 0 once the baseline is clean.
-
Baseline ratchet (preferred in CI):
--baseline PATH— fail only if per-volume counts increase over what is recorded atPATH(JSON). Doesn't cliff-fail during incremental cleanup.--update-baseline— rewrite the baseline file to the current counts. Run after a cleanup lands; commit the updated file in the same PR. This is how you lower the ceiling.- When
--baselineis supplied, the flat thresholds are ignored.
The canonical baseline lives at book/tools/audit/epubcheck-baseline.json. The CI workflow (book-validate-dev.yml) uses the ratchet by default — a PR cannot land if epubcheck counts regress past that file. Initial state (April 2026) is 0/0/0 for both volumes, so any new FATAL, ERROR, or WARNING blocks the PR.
Defense in depth
The three layers exist because none alone is sufficient:
- Hygiene alone is a whitelist of known patterns. It cannot catch a category of error epubcheck invents in a future version, nor renderer-emitted markup (bare
<br>,--in TikZ comments) that only appears after Quarto + post-process have run. - Epubcheck alone takes ~7 seconds per volume and requires a full EPUB build. Developers under time pressure will find ways around it.
The rendered-EPUB layer also gets belt-and-suspenders support from book/quarto/scripts/epub_postprocess.py, a Quarto post-render hook that sanitizes XHTML/SVG/OPF in the built EPUB (strips -- from HTML comments, closes bare <br> tags, strips C0 chars from SVG aria-labels, normalizes URL escapes, aligns the nav item's mathml OPF property with the rendered nav content). So a regression caught at source by hygiene, missed there, rescued by post-process, and missed again is still caught by epubcheck in CI. Three independent nets.
EPUB — How This Integrates with the Book Workflow
Three layers of defense, each invoked automatically at the moment it adds value:
Author workflow (writing and committing)
- Write normally. No new constraints on QMD content. The EPUB checks only fire on SVG and BibTeX source — prose changes pass through untouched.
- Commit. The
book-epub-hygienepre-commit hook runs./binder check epub --scope hygieneif you touched SVG, BibTeX, or the check implementation. Fails in <1s if an SVG has duplicate<marker>ids or a bib URL has\_escapes. The failure message tells you to auto-repair with./binder check epub --scope hygiene --fix. - Build locally.
./binder build epub --vol1runs:- Hygiene preflight (fast-fail on source issues, ~100ms).
- Quarto render (~2 minutes).
- Post-render sanitizer (fixes renderer-emitted issues).
- Smoke + epubcheck post-flight (~7s) — verifies the final EPUB against the same CI baseline.
- Push. CI builds both volumes and re-runs
./binder check epub --scope epubcheck --baseline …. Any regression past the recorded counts blocks the PR.
Release workflow (preparing an EPUB for readers)
- Build:
./binder build epub --all(or per-volume). Post-flight already validates — if the final line is✓ smokeand✓ epubcheck, the file is ready. - Visual spot-check: open the file in Sigil or Calibre Editor. Structural checks don't guarantee aesthetic quality.
- Ship: upload the file from
book/quarto/_build/epub-vol*/.
When CI (or local post-flight) blocks you
The failure line names the volume, severity, and delta:
epubcheck: regression against baseline (2 FATAL, 15 ERROR total)
• vol1 FATAL: 2 > baseline 0 (+2)
Two dispositions:
- Real regression: fix the underlying issue.
./binder check epub helpmaps every error code to a source-level fix../binder check epub --scope hygiene --fixauto-repairs the four mechanical classes. - Accepted increase (e.g., a Quarto upgrade introduced a new warning class you're OK living with):
./binder check epub --scope epubcheck --baseline book/tools/audit/epubcheck-baseline.json --update-baseline— commit the updated JSON in the same PR so the audit trail is clear.
Escape hatches
Rare but real cases where you need to build anyway:
./binder build epub --vol1 --skip-hygiene— bypass pre-render hygiene (e.g., debugging a source-level issue that's triggering the check you're trying to investigate)../binder build epub --vol1 --skip-validate— bypass post-render validation (e.g., iterating on a known-broken build; no Java locally).
Both are loud about being bypassed — the skipped step prints a yellow warning so the bypass is never silent.
Onboarding
A new contributor runs ./binder doctor once. The EPUB section reports Java availability, epubcheck availability, existing EPUB artifacts, and source hygiene in one table, with install commands inline if anything is missing. No separate EPUB setup document to hunt for.
Script Delegation
Some commands still delegate to scripts under book/tools/scripts/ (spelling, image formats, table formatting, Python formatting). These will be migrated to native CLI modules over time. EPUB checks have already been migrated: the hygiene and epubcheck scopes live in book/cli/commands/_epub_checks.py as pure Python, not subprocess-to-script.