aethis-cli 0.3.0__py3-none-any.whl

aethis_cli/__init__.py

@@ -0,0 +1,3 @@
+"""aethis-cli — CLI for the Aethis developer API."""
+
+__version__ = "0.1.0"

aethis_cli/__main__.py

@@ -0,0 +1,4 @@
+"""Enable `python -m aethis_cli`."""
+from aethis_cli.main import app
+
+app()

aethis_cli/_version.py

@@ -0,0 +1,3 @@
+"""Version info — updated per release."""
+__version__ = "0.3.0"
+

aethis_cli/auth.py

@@ -0,0 +1,203 @@
+"""Browser-based OAuth/PKCE authentication with Clerk for CLI key creation."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import secrets
+import threading
+import time
+import webbrowser
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from typing import Optional
+from urllib.parse import parse_qs, urlencode, urlparse
+
+import httpx
+
+from aethis_cli.errors import AuthenticationError
+
+_CALLBACK_PORT = 9876
+_SUCCESS_HTML = """\
+<!DOCTYPE html>
+<html><head><title>Aethis CLI</title></head>
+<body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:90vh">
+<div style="text-align:center">
+<h2>&#10003; Sign-in received</h2>
+<p>Return to your terminal to complete setup.</p>
+</div></body></html>"""
+
+
+def generate_pkce_pair() -> tuple[str, str]:
+    """Generate (code_verifier, code_challenge) per RFC 7636."""
+    verifier = secrets.token_urlsafe(64)[:128]
+    digest = hashlib.sha256(verifier.encode("ascii")).digest()
+    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
+    return verifier, challenge
+
+
+class _AuthHTTPServer(HTTPServer):
+    """HTTPServer subclass with typed auth attributes."""
+
+    auth_code: Optional[str] = None
+    auth_state: Optional[str] = None
+    auth_error: Optional[str] = None
+
+
+class _CallbackHandler(BaseHTTPRequestHandler):
+    """Handler that captures the OAuth callback, ignoring other requests (e.g. favicon)."""
+
+    server: _AuthHTTPServer
+
+    def do_GET(self) -> None:  # noqa: N802
+        parsed = urlparse(self.path)
+        if parsed.path != "/callback":
+            # Ignore favicon and other requests
+            self.send_response(404)
+            self.end_headers()
+            return
+        qs = parse_qs(parsed.query)
+        self.server.auth_code = qs.get("code", [None])[0]
+        self.server.auth_state = qs.get("state", [None])[0]
+        self.server.auth_error = qs.get("error", [None])[0]
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html")
+        self.end_headers()
+        self.wfile.write(_SUCCESS_HTML.encode())
+
+    def log_message(self, format: str, *args: object) -> None:  # noqa: A002
+        pass  # Suppress request logging
+
+
+class OAuthCallbackServer:
+    """Ephemeral HTTP server on 127.0.0.1 to catch Clerk's redirect."""
+
+    def __init__(self) -> None:
+        self._server: Optional[_AuthHTTPServer] = None
+        self.port: int = 0
+
+    def _serve_until_auth(self) -> None:
+        """Handle requests until we get the auth callback or server is closed."""
+        assert self._server is not None
+        while not (self._server.auth_code or self._server.auth_error):
+            self._server.handle_request()
+
+    def start(self) -> int:
+        """Bind to port 9876 and start serving in a background thread.
+
+        Returns the port number. Uses a fixed port to match the redirect URI
+        registered with the OAuth provider.
+        """
+        port = _CALLBACK_PORT
+        try:
+            self._server = _AuthHTTPServer(("127.0.0.1", port), _CallbackHandler)
+            self._server.timeout = 5.0  # Per-request timeout for the loop
+            self.port = port
+            thread = threading.Thread(target=self._serve_until_auth, daemon=True)
+            thread.start()
+            return port
+        except OSError:
+            raise AuthenticationError(
+                f"Port {port} is already in use. Close the process using it and try again."
+            )
+
+    def result(self, timeout: float) -> tuple[Optional[str], Optional[str], Optional[str]]:
+        """Wait for the callback and return (code, state, error)."""
+        if not self._server:
+            raise AuthenticationError("Server not started")
+
+        deadline = time.monotonic() + timeout
+        while time.monotonic() < deadline:
+            code = self._server.auth_code
+            state = self._server.auth_state
+            error = self._server.auth_error
+            if code or error:
+                return code, state, error
+            time.sleep(0.2)
+        return None, None, None
+
+    def shutdown(self) -> None:
+        if self._server:
+            self._server.server_close()
+
+
+def authenticate_with_clerk(
+    clerk_domain: str,
+    client_id: str,
+    timeout: int = 120,
+) -> str:
+    """Run full OAuth/PKCE flow and return an access token.
+
+    Opens the user's browser to the Clerk sign-in page. After authentication,
+    Clerk redirects to a localhost callback. The authorization code is exchanged
+    for an access token.
+
+    Raises AuthenticationError on failure or timeout.
+    """
+    verifier, challenge = generate_pkce_pair()
+    state = secrets.token_urlsafe(32)
+
+    server = OAuthCallbackServer()
+    port = server.start()
+
+    redirect_uri = f"http://127.0.0.1:{port}/callback"
+    authorize_url = f"https://{clerk_domain}/oauth/authorize?" + urlencode({
+        "response_type": "code",
+        "client_id": client_id,
+        "redirect_uri": redirect_uri,
+        "scope": "profile email",
+        "code_challenge": challenge,
+        "code_challenge_method": "S256",
+        "state": state,
+    })
+
+    try:
+        opened = webbrowser.open(authorize_url)
+        if not opened:
+            raise OSError("webbrowser.open returned False")
+    except OSError:
+        # Headless / SSH fallback
+        from aethis_cli.output import console
+
+        console.print("\n[yellow]Could not open browser automatically.[/yellow]")
+        console.print("Open this URL in your browser:\n")
+        console.print(f"  [bold]{authorize_url}[/bold]\n")
+
+    code, returned_state, error = server.result(timeout)
+    server.shutdown()
+
+    if error:
+        raise AuthenticationError(f"Clerk returned error: {error}")
+    if not code:
+        raise AuthenticationError(
+            f"Authentication timed out after {timeout}s. "
+            "Run the command again or use 'aethis login' to paste a key directly."
+        )
+    if returned_state != state:
+        raise AuthenticationError("State mismatch — possible CSRF attack. Aborting.")
+
+    # Exchange authorization code for access token
+    token_url = f"https://{clerk_domain}/oauth/token"
+    resp = httpx.post(
+        token_url,
+        data={
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": redirect_uri,
+            "client_id": client_id,
+            "code_verifier": verifier,
+        },
+        timeout=15.0,
+    )
+
+    if resp.status_code != 200:
+        raise AuthenticationError(
+            f"Token exchange failed (HTTP {resp.status_code}). "
+            "Check your Clerk OAuth configuration and try again."
+        )
+
+    token_data = resp.json()
+    access_token = token_data.get("access_token")
+    if not access_token:
+        raise AuthenticationError("No access_token in token response")
+
+    return access_token

aethis_cli/client.py

@@ -0,0 +1,181 @@
+"""Thin HTTP client for the Aethis developer API."""
+
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Any, Optional
+
+import httpx
+
+from aethis_cli.errors import AethisAPIError
+
+
+class AethisClient:
+    """Synchronous client wrapping all Aethis API endpoints."""
+
+    def __init__(
+        self,
+        api_key: str,
+        base_url: str = "https://api.aethis.ai",
+        anthropic_key: Optional[str] = None,
+    ) -> None:
+        headers: dict[str, str] = {"X-API-Key": api_key}
+        if anthropic_key:
+            headers["X-Anthropic-Key"] = anthropic_key
+        self._client = httpx.Client(
+            base_url=base_url,
+            headers=headers,
+            timeout=60.0,
+            verify=True,
+        )
+
+    def close(self) -> None:
+        self._client.close()
+
+    def __enter__(self) -> "AethisClient":
+        return self
+
+    def __exit__(self, *args: Any) -> None:
+        self.close()
+
+    def _request(self, method: str, path: str, **kwargs: Any) -> Any:
+        resp = self._client.request(method, path, **kwargs)
+        if resp.status_code >= 400:
+            try:
+                detail = resp.json().get("detail", resp.text)
+            except (ValueError, KeyError):
+                detail = resp.text or f"HTTP {resp.status_code}"
+            raise AethisAPIError(resp.status_code, detail)
+        if resp.status_code == 204:
+            return {}
+        return resp.json()
+
+    # -- Decision API --
+
+    def decide(self, bundle_id: str, field_values: dict, **opts: Any) -> dict:
+        return self._request("POST", "/api/v1/public/decide", json={
+            "bundle_id": bundle_id,
+            "field_values": field_values,
+            **opts,
+        })
+
+    def whoami(self) -> dict:
+        """Return metadata for the current API key."""
+        return self._request("GET", "/api/v1/public/me")
+
+    def get_schema(self, bundle_id: str) -> dict:
+        return self._request("GET", f"/api/v1/public/bundles/{bundle_id}/schema")
+
+    def explain(self, bundle_id: str) -> dict:
+        return self._request("GET", f"/api/v1/public/bundles/{bundle_id}/explain")
+
+    def get_source(self, bundle_id: str) -> dict:
+        return self._request("GET", f"/api/v1/public/bundles/{bundle_id}/source")
+
+    # -- Projects API --
+
+    def create_project(self, name: str, section_id: str, domain: str = "") -> dict:
+        return self._request("POST", "/api/v1/public/projects/", json={
+            "name": name,
+            "section_id": section_id,
+            "domain": domain,
+        })
+
+    def list_projects(self, include_archived: bool = False) -> list[dict]:
+        params: dict[str, str] = {}
+        if include_archived:
+            params["include_archived"] = "true"
+        return self._request("GET", "/api/v1/public/projects/", params=params)
+
+    def get_project(self, project_id: str) -> dict:
+        return self._request("GET", f"/api/v1/public/projects/{project_id}")
+
+    def add_guidance(
+        self,
+        project_id: str,
+        guidance_text: str,
+        source: str = "human",
+        process_type: str = "rule_generation",
+    ) -> dict:
+        return self._request("POST", f"/api/v1/public/projects/{project_id}/guidance", json={
+            "guidance_text": guidance_text,
+            "source": source,
+            "process_type": process_type,
+        })
+
+    def list_guidance(self, project_id: str) -> list:
+        return self._request("GET", f"/api/v1/public/projects/{project_id}/guidance")
+
+    def export_guidance(self, project_id: str) -> dict:
+        return self._request("GET", f"/api/v1/public/projects/{project_id}/guidance/export")
+
+    def deactivate_guidance(self, project_id: str, hint_id: str) -> dict:
+        return self._request("DELETE", f"/api/v1/public/projects/{project_id}/guidance/{hint_id}")
+
+    def update_guidance(self, project_id: str, hint_id: str, guidance_text: str) -> dict:
+        return self._request("PATCH", f"/api/v1/public/projects/{project_id}/guidance/{hint_id}", json={
+            "guidance_text": guidance_text,
+        })
+
+    def upload_sources(self, project_id: str, files: list[Path]) -> dict:
+        file_tuples = [
+            ("files", (f.name, f.read_bytes(), "application/octet-stream"))
+            for f in files
+        ]
+        return self._request("POST", f"/api/v1/public/projects/{project_id}/sources", files=file_tuples)
+
+    def add_tests(self, project_id: str, test_cases: list[dict]) -> dict:
+        return self._request("POST", f"/api/v1/public/projects/{project_id}/tests", json={
+            "test_cases": test_cases,
+        })
+
+    def generate(self, project_id: str) -> dict:
+        return self._request("POST", f"/api/v1/public/projects/{project_id}/generate")
+
+    def get_status(self, project_id: str) -> dict:
+        return self._request("GET", f"/api/v1/public/projects/{project_id}/status")
+
+    def run_tests(self, project_id: str) -> dict:
+        return self._request("POST", f"/api/v1/public/projects/{project_id}/test-run")
+
+    def publish(self, project_id: str, *, slug: str | None = None) -> dict:
+        body: dict = {}
+        if slug is not None:
+            body["slug"] = slug
+        kwargs: dict = {}
+        if body:
+            kwargs["json"] = body
+        return self._request(
+            "POST",
+            f"/api/v1/public/projects/{project_id}/publish",
+            **kwargs,
+        )
+
+    def list_bundles(self, project_id: str, status: str | None = None) -> list[dict]:
+        params: dict[str, str] = {}
+        if status:
+            params["status"] = status
+        return self._request("GET", f"/api/v1/public/projects/{project_id}/bundles", params=params)
+
+    def archive_project(self, project_id: str) -> dict:
+        return self._request("POST", f"/api/v1/public/projects/{project_id}/archive")
+
+    def archive_bundle(self, bundle_id: str) -> dict:
+        return self._request("POST", f"/api/v1/public/bundles/{bundle_id}/archive")
+
+    # -- Domain guidance API --
+
+    def add_domain_guidance(
+        self,
+        domain: str,
+        guidance_text: str,
+        process_type: str = "rule_generation",
+        notes: Optional[str] = None,
+    ) -> dict:
+        body: dict[str, Any] = {"guidance_text": guidance_text, "process_type": process_type}
+        if notes:
+            body["notes"] = notes
+        return self._request("POST", f"/api/v1/public/domains/{domain}/guidance", json=body)
+
+    def list_domain_guidance(self, domain: str) -> list:
+        return self._request("GET", f"/api/v1/public/domains/{domain}/guidance")

aethis_cli/commands/account_cmd.py

@@ -0,0 +1,280 @@
+"""aethis account — manage API keys via browser-based Clerk sign-in."""
+
+from __future__ import annotations
+
+import os
+from typing import List, Optional
+
+import httpx
+import typer
+
+from aethis_cli.auth import authenticate_with_clerk
+from aethis_cli.commands.login_cmd import _save_to_keyring, _save_to_file
+from aethis_cli.config import DEFAULT_BASE_URL
+from aethis_cli.errors import AuthenticationError
+from aethis_cli.output import console, info, success
+
+CLERK_DOMAIN = os.environ.get("AETHIS_CLERK_DOMAIN", "clerk.aethis.legal")
+CLERK_CLIENT_ID = os.environ.get("AETHIS_CLERK_CLIENT_ID", "cwH009p1vPtyy1EG")
+
+VALID_SCOPES = {
+    "decide",
+    "bundles:read",
+    "bundles:explain",
+    "bundles:write",
+    "keys:manage",
+    "projects:read",
+    "projects:write",
+    "rulebooks:read",
+    "rulebooks:write",
+}
+VALID_TIERS = {"free", "starter", "pro"}
+DEFAULT_SCOPES = ["decide", "projects:read", "projects:write", "bundles:read", "bundles:explain", "bundles:write"]
+
+account_app = typer.Typer(
+    name="account",
+    help="Manage your Aethis account and API keys (browser sign-in).",
+    no_args_is_help=True,
+    pretty_exceptions_enable=False,
+)
+
+
+def _format_api_error(resp: httpx.Response) -> str:
+    try:
+        data = resp.json()
+    except Exception:
+        return resp.text
+
+    detail = data.get("detail") if isinstance(data, dict) else data
+    if isinstance(detail, dict):
+        reason = detail.get("reason_code", "unknown")
+        action = detail.get("action", "unknown")
+        missing = detail.get("missing_permissions", [])
+        missing_str = ", ".join(missing) if isinstance(missing, list) else str(missing)
+        msg = detail.get("message") or detail.get("error") or "Request denied"
+        return f"{msg} (reason={reason}, action={action}, missing={missing_str})"
+    if isinstance(detail, str):
+        return detail
+    return str(detail)
+
+
+def _fetch_permissions(base_url: str) -> tuple[list[dict], set[str]]:
+    try:
+        resp = httpx.get(f"{base_url}/api/v1/public/permissions", timeout=10.0)
+    except httpx.HTTPError:
+        return [], set(VALID_SCOPES)
+
+    if resp.status_code != 200:
+        return [], set(VALID_SCOPES)
+
+    try:
+        items = resp.json()
+    except Exception:
+        return [], set(VALID_SCOPES)
+
+    if not isinstance(items, list):
+        return [], set(VALID_SCOPES)
+
+    permissions: set[str] = set()
+    parsed_items: list[dict] = []
+    for item in items:
+        if not isinstance(item, dict):
+            continue
+        req = item.get("required_permissions", [])
+        if isinstance(req, list):
+            for p in req:
+                if isinstance(p, str) and p:
+                    permissions.add(p)
+        parsed_items.append(item)
+
+    if not permissions:
+        permissions = set(VALID_SCOPES)
+    return parsed_items, permissions
+
+
+def _get_clerk_config() -> tuple[str, str]:
+    """Return (domain, client_id), raising if not configured."""
+    domain = CLERK_DOMAIN
+    client_id = CLERK_CLIENT_ID
+    if not client_id:
+        console.print(
+            "[red]Clerk OAuth client_id not configured.[/red]\n"
+            "Set AETHIS_CLERK_CLIENT_ID environment variable.\n"
+            "Or use 'aethis login' to paste an existing API key."
+        )
+        raise typer.Exit(code=1)
+    return domain, client_id
+
+
+def _clerk_auth(timeout: int) -> str:
+    """Run Clerk OAuth flow, return access token."""
+    domain, client_id = _get_clerk_config()
+    info("Opening browser for sign-in...")
+    console.print(f"Waiting for authentication ({timeout}s timeout)...\n")
+    try:
+        return authenticate_with_clerk(domain, client_id, timeout)
+    except AuthenticationError as e:
+        console.print(f"[red]{e}[/red]")
+        raise typer.Exit(code=1) from None
+
+
+@account_app.command()
+def generate(
+    name: str = typer.Option("cli-generated", "--name", "-n", help="Key name"),
+    scopes: Optional[List[str]] = typer.Option(None, "--scope", "-s", help="Key scopes (repeatable)"),
+    tier: str = typer.Option("free", "--tier", "-t", help="Rate limit tier: free|starter|pro"),
+    no_save: bool = typer.Option(False, "--no-save", help="Print key but don't save"),
+    timeout: int = typer.Option(120, "--timeout", help="Browser auth timeout in seconds"),
+) -> None:
+    """Create a new API key by signing in through your browser."""
+    base_url = os.environ.get("AETHIS_BASE_URL", DEFAULT_BASE_URL)
+    if scopes is None:
+        scopes = list(DEFAULT_SCOPES)
+
+    _, available_permissions = _fetch_permissions(base_url)
+
+    # Validate inputs
+    invalid_scopes = set(scopes) - available_permissions
+    if invalid_scopes:
+        console.print(f"[red]Invalid scope(s): {', '.join(invalid_scopes)}[/red]")
+        console.print(f"Valid scopes: {', '.join(sorted(available_permissions))}")
+        raise typer.Exit(code=1)
+
+    if tier not in VALID_TIERS:
+        console.print(f"[red]Invalid tier: {tier}[/red]. Must be one of: {', '.join(sorted(VALID_TIERS))}")
+        raise typer.Exit(code=1)
+
+    access_token = _clerk_auth(timeout)
+    success("Authenticated successfully.")
+
+    # Create API key via the key management endpoint
+    info("Creating API key...")
+    try:
+        resp = httpx.post(
+            f"{base_url}/api/v1/keys/",
+            headers={"Authorization": f"Bearer {access_token}"},
+            json={"name": name, "scopes": scopes, "rate_limit_tier": tier},
+            timeout=15.0,
+        )
+    except httpx.HTTPError as e:
+        console.print(f"[red]Could not reach API at {base_url}: {e}[/red]")
+        raise typer.Exit(code=1) from None
+
+    if resp.status_code != 201:
+        console.print(f"[red]Key creation failed (HTTP {resp.status_code}): {_format_api_error(resp)}[/red]")
+        raise typer.Exit(code=1)
+
+    data = resp.json()
+    full_key = data.get("full_key")
+    if not full_key:
+        console.print("[red]Unexpected API response: missing 'full_key'.[/red]")
+        raise typer.Exit(code=1)
+
+    console.print()
+    success("API key created:")
+    console.print(f"  Key ID:   {data.get('key_id', 'unknown')}")
+    console.print(f"  Name:     {data.get('name', name)}")
+    console.print(f"  Scopes:   {', '.join(data.get('scopes', scopes))}")
+    console.print(f"  Tier:     {data.get('rate_limit_tier', tier)}")
+    console.print()
+    console.print("[bold yellow]Full key (shown once only):[/bold yellow]")
+    console.print(f"  {full_key}")
+    console.print()
+
+    if no_save:
+        info("--no-save specified. Key not saved to credential store.")
+    else:
+        if _save_to_keyring(full_key):
+            success("API key saved to system keychain.")
+        else:
+            _save_to_file(full_key)
+            success("API key saved to credentials file.")
+
+
+@account_app.command()
+def keys(
+    timeout: int = typer.Option(120, "--timeout", help="Browser auth timeout in seconds"),
+) -> None:
+    """List your API keys (requires browser sign-in)."""
+    base_url = os.environ.get("AETHIS_BASE_URL", DEFAULT_BASE_URL)
+    access_token = _clerk_auth(timeout)
+    success("Authenticated successfully.")
+
+    try:
+        resp = httpx.get(
+            f"{base_url}/api/v1/keys/",
+            headers={"Authorization": f"Bearer {access_token}"},
+            timeout=15.0,
+        )
+    except httpx.HTTPError as e:
+        console.print(f"[red]Could not reach API at {base_url}: {e}[/red]")
+        raise typer.Exit(code=1) from None
+
+    if resp.status_code != 200:
+        console.print(f"[red]Failed to list keys (HTTP {resp.status_code}): {_format_api_error(resp)}[/red]")
+        raise typer.Exit(code=1)
+
+    data = resp.json()
+    if not data:
+        info("No API keys found.")
+        return
+
+    from rich.table import Table
+
+    table = Table(title="API Keys")
+    table.add_column("Key ID", style="bold")
+    table.add_column("Name")
+    table.add_column("Scopes")
+    table.add_column("Tier")
+    table.add_column("Created")
+    table.add_column("Revoked")
+
+    for key in data:
+        table.add_row(
+            key.get("key_id", ""),
+            key.get("name", ""),
+            ", ".join(key.get("scopes", [])),
+            key.get("rate_limit_tier", ""),
+            key.get("created_at", "")[:10] if key.get("created_at") else "",
+            "yes" if key.get("revoked") else "",
+        )
+
+    console.print(table)
+
+
+@account_app.command()
+def revoke(
+    key_id: str = typer.Argument(..., help="Key ID to revoke (ak_...)"),
+    timeout: int = typer.Option(120, "--timeout", help="Browser auth timeout in seconds"),
+    yes: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation"),
+) -> None:
+    """Revoke an API key (requires browser sign-in)."""
+    base_url = os.environ.get("AETHIS_BASE_URL", DEFAULT_BASE_URL)
+    if not yes:
+        confirmed = typer.confirm(f"Revoke key {key_id}? This cannot be undone")
+        if not confirmed:
+            raise typer.Abort()
+
+    access_token = _clerk_auth(timeout)
+    success("Authenticated successfully.")
+
+    try:
+        resp = httpx.delete(
+            f"{base_url}/api/v1/keys/{key_id}",
+            headers={"Authorization": f"Bearer {access_token}"},
+            timeout=15.0,
+        )
+    except httpx.HTTPError as e:
+        console.print(f"[red]Could not reach API at {base_url}: {e}[/red]")
+        raise typer.Exit(code=1) from None
+
+    if resp.status_code == 204:
+        success(f"Key {key_id} revoked.")
+    elif resp.status_code == 404:
+        console.print(f"[red]Key {key_id} not found.[/red]")
+        raise typer.Exit(code=1)
+    else:
+        console.print(f"[red]Revoke failed (HTTP {resp.status_code}): {_format_api_error(resp)}[/red]")
+        raise typer.Exit(code=1)
+
+