jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
A PDF text extraction library that gets the hard parts right.
157 commits 1 branch 0 tags 7.5 GiB
Rust 83.6%
Python 5.2%
Swift 2.9%
PHP 1.6%
C 1.5%
Other 5%
Find a file
jedarden 40ef091952 docs(pdftract-5s84i): add Phase 6.7 MCP Server Mode coordinator verification note 
This coordinator bead verifies that all 7 child beads for Phase 6.7
MCP Server Mode are complete and meet acceptance criteria:

Child beads closed:
- pdftract-5xq16: JSON-RPC 2.0 framing layer
- pdftract-67tm8: stdio transport
- pdftract-g0ro2: HTTP+SSE transport
- pdftract-24kut: Transport mutual exclusion enforcement
- pdftract-1rami: Tool catalog (10 tools)
- pdftract-6696g: Path-traversal protection
- pdftract-zltqd: Bearer-token auth

Acceptance criteria:
- PASS: Stdio mode responds to tools/list
- WARN: 50 concurrent clients (architecture verified)
- PASS: Transport switching via flag
- PASS: Bearer token required for non-loopback
- PASS: Path-traversal protection via --root
- PASS: All critical tests pass (10 passed)
- PASS: Module structure under crates/pdftract-cli/src/mcp/
- PASS: MCP feature flag and subcommand available

Co-Authored-By: Claude Code <noreply@anthropic.com>
2026-05-23 03:09:55 -04:00
.cargo feat(pdftract-33v): implement property tests and nightly fuzz job 2026-05-22 23:13:13 -04:00
.ci/argo-workflows feat(pdftract-1wfp): implement SHA256SUMS aggregate file generation 2026-05-22 23:57:49 -04:00
.git-hooks fix(pdftract-5z5d8): add pre-commit hook for provenance validation 2026-05-17 23:50:28 -04:00
.github/ISSUE_TEMPLATE docs(pdftract-58kz): add security policy documentation 2026-05-20 19:39:24 -04:00
benches fix(pdftract-60h): fix bugs in benchmark runner script 2026-05-18 01:29:41 -04:00
crates docs(pdftract-6696g): add verification note for --root path-traversal protection 2026-05-23 02:29:26 -04:00
docs docs(plan): SDKs are monorepo members, not separate repos 2026-05-22 07:21:45 -04:00
fuzz fix(pdftract-2a6rk): fix xref.rs u64 literal overflow in proptest 2026-05-22 17:26:27 -04:00
notes docs(pdftract-5s84i): add Phase 6.7 MCP Server Mode coordinator verification note 2026-05-23 03:09:55 -04:00
pdftract-dotnet feat(pdftract-1w22d): implement .NET SDK subprocess wrapper 2026-05-22 19:50:57 -04:00
pdftract-go fix(pdftract-2pyln): add source parameter to invoke methods for BytesSource cleanup 2026-05-20 19:08:14 -04:00
pdftract-java feat(sdks): vendor dotnet/java/node SDKs into the monorepo 2026-05-22 07:20:19 -04:00
pdftract-node feat(sdks): vendor dotnet/java/node SDKs into the monorepo 2026-05-22 07:20:19 -04:00
profiles/builtin docs(pdftract-4iier): complete per-profile README documentation 2026-05-18 00:35:35 -04:00
proptest-regressions feat(pdftract-33v): implement property tests and nightly fuzz job 2026-05-22 23:13:13 -04:00
scripts feat(pdftract-59zz): implement MCP bearer token ingress channels and TH-03 enforcement 2026-05-18 02:47:54 -04:00
src feat(pdftract-2bsfc): implement document catalog parser with PageLabels number tree 2026-05-17 23:45:45 -04:00
templates/sdk-skeleton docs(pdftract-49f8): establish Cargo.lock policy and documentation 2026-05-20 18:13:14 -04:00
tests feat(pdftract-3uu6v): implement LZWDecode with /EarlyChange parameter 2026-05-22 22:38:31 -04:00
tools feat(pdftract-4b0z): implement publish-if-tag step for GitHub Releases 2026-05-20 19:06:16 -04:00
xtask docs(pdftract-4iier): complete per-profile README documentation 2026-05-18 00:19:44 -04:00
.gitignore feat(pdftract-33v): implement property tests and nightly fuzz job 2026-05-22 23:13:13 -04:00
.needle-predispatch-sha feat(pdftract-g0ro2): implement MCP HTTP+SSE transport with integration tests 2026-05-23 00:35:14 -04:00
.nextest.toml feat(pdftract-33v): implement property tests and nightly fuzz job 2026-05-22 23:13:13 -04:00
.renovaterc.json docs(pdftract-49f8): finalize Cargo.lock policy with weekly Renovate schedule 2026-05-20 18:22:03 -04:00
Cargo.lock feat(pdftract-g0ro2): implement MCP HTTP+SSE transport with integration tests 2026-05-23 00:35:14 -04:00
Cargo.toml feat(pdftract-3uu6v): implement LZWDecode with /EarlyChange parameter 2026-05-22 22:38:31 -04:00
CHANGELOG.md feat(pdftract-2w02): implement MSRV gate with CI check 2026-05-20 19:03:53 -04:00
CLAUDE.md chore: update push remote to forgejo 2026-05-19 19:59:18 -04:00
clippy.toml feat(pdftract-2w02): pin MSRV to 1.78 with CI gate 2026-05-20 19:03:53 -04:00
CONTRIBUTING.md docs(pdftract-58kz): add security policy documentation 2026-05-20 19:39:24 -04:00
Dockerfile feat(pdftract-68pe): add Dockerfile with FEATURES build-arg support 2026-05-20 19:17:49 -04:00
mod feat(pdftract-2bsfc): implement document catalog parser with PageLabels number tree 2026-05-17 23:45:45 -04:00
pdftract-test-merged.cdx.json feat(pdftract-67tm8): implement MCP stdio transport with integration tests 2026-05-23 00:16:42 -04:00
README.md docs(pdftract-58kz): add security policy documentation 2026-05-20 19:39:24 -04:00
SECURITY.md docs(pdftract-58kz): add security policy documentation 2026-05-20 19:39:24 -04:00
test_flate.rs docs(pdftract-49f8): establish Cargo.lock policy and documentation 2026-05-20 18:13:14 -04:00

README.md

pdftract

MSRV

A PDF text extraction library that gets the hard parts right.

What it does

  • Correct reading order — layout regions are segmented and sequenced before text is emitted, handling multi-column pages, sidebars, footnotes, and mixed-layout documents without relying on PDF operator order
  • Font encoding recovery — when ToUnicode CMaps are absent, wrong, or incomplete, pdftract works through a layered recovery pipeline: glyph name lookup via the Adobe Glyph List, font fingerprinting against known metrics and embedded checksums, and glyph outline shape matching
  • Structure tree extraction — PDF/UA and PDF/A documents encode their logical structure (headings, paragraphs, lists, tables, reading order) in a StructTree; pdftract reads this directly when present, producing accurate semantic output at no extra cost
  • Per-page hybrid routing — each page is independently classified and routed to the appropriate pipeline: vector text extraction, full OCR, or assisted OCR where vector hints improve raster accuracy
  • Structured output with provenance — the primary output is JSON carrying per-span bounding boxes, font name, size, and confidence score alongside the extracted text, not a flat string dump

Output

{
  "pages": [
    {
      "page": 1,
      "blocks": [
        { "kind": "heading", "text": "Introduction", "bbox": [72, 680, 400, 700] },
        { "kind": "paragraph", "text": "...", "bbox": [72, 640, 540, 670] }
      ],
      "spans": [
        { "text": "Introduction", "bbox": [72, 680, 400, 700], "font": "Times-Bold", "size": 14.0, "confidence": 0.99 }
      ]
    }
  ],
  "metadata": { "title": "...", "author": "...", "page_count": 10 }
}

Usage

pdftract extract invoice.pdf            # structured JSON to stdout
pdftract extract invoice.pdf --text     # plain text to stdout
pdftract extract invoice.pdf --output out.json
pdftract serve --port 8080              # HTTP service: POST /extract

Architecture

Rust core with PyO3 Python bindings and a CLI binary. The same binary runs as a command-line tool or as an HTTP microservice — the container deployment is just pdftract serve.

See docs/research/ for technical deep-dives into the PDF specification, font encoding, glyph Unicode recovery, and tagged PDF structure. See docs/notes/ for SDK invocation examples in Python, Node.js, Go, Ruby, Java, Rust, and Bash.

Verifying Releases

All releases are signed using Sigstore keyless signing with OIDC from the iad-ci cluster. This provides cryptographic proof that artifacts were produced by the official CI/CD pipeline and haven't been tampered with.

Verify Binary Archives

To verify downloaded binary archives:

# Download release artifacts
gh release download vX.Y.Z --dir /tmp/pdftract-release

# Verify the SHA256SUMS signature
cosign verify-blob \
  --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
  --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
  --signature SHA256SUMS.sig \
  --certificate SHA256SUMS.pem \
  SHA256SUMS

# Verify individual artifacts against checksums
sha256sum -c SHA256SUMS

Verify Docker Images

To verify Docker images before running them:

# Verify the main image
cosign verify \
  --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
  --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
  ghcr.io/jedarden/pdftract:X.Y.Z

# Verify the OCR variant
cosign verify \
  --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
  --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
  ghcr.io/jedarden/pdftract:ocr-X.Y.Z

# Verify the full variant
cosign verify \
  --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
  --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
  ghcr.io/jedarden/pdftract:full-X.Y.Z

View SLSA Provenance

Each Docker image includes SLSA provenance attestation:

cosign verify-attestation \
  --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
  --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
  --type slsaprovenance \
  ghcr.io/jedarden/pdftract:X.Y.Z

The provenance includes the build configuration, source commit, and builder identity.

Security

For responsible disclosure of security vulnerabilities, please email security@jedarden.com. See SECURITY.md for our disclosure policy, supported versions, and PGP key for encrypted reports.

PGP Key: The public key for security@jedarden.com is available at docs/security/pgp-public-key.asc.

NOTE: The PGP key is currently a placeholder. The security contact must generate and publish a 4096-bit RSA key for security@jedarden.com. See docs/security/pgp-public-key.asc for generation instructions.

Status

Early development. See docs/plan/ for the implementation roadmap.