arcade-core 3.4.0__py3-none-any.whl → 4.0.0__py3-none-any.whl

arcade_core/auth_tokens.py

@@ -0,0 +1,110 @@
+"""
+Shared access-token utilities used by both the CLI and MCP server.
+"""
+
+from __future__ import annotations
+
+from datetime import datetime, timedelta
+
+import httpx
+from pydantic import BaseModel
+
+from arcade_core.config_model import Config
+from arcade_core.constants import PROD_COORDINATOR_HOST
+
+
+class CLIConfig(BaseModel):
+    """OAuth configuration returned by the Coordinator."""
+
+    client_id: str
+    authorization_endpoint: str
+    token_endpoint: str
+
+
+class TokenResponse(BaseModel):
+    """OAuth token response."""
+
+    access_token: str
+    refresh_token: str
+    expires_in: int
+    token_type: str
+
+
+def fetch_cli_config(coordinator_url: str) -> CLIConfig:
+    """Fetch OAuth configuration from the Coordinator."""
+    url = f"{coordinator_url}/api/v1/auth/cli_config"
+    response = httpx.get(url, timeout=30)
+    response.raise_for_status()
+    return CLIConfig.model_validate(response.json())
+
+
+def refresh_access_token(
+    cli_config: CLIConfig,
+    refresh_token: str,
+) -> TokenResponse:
+    """Refresh the access token using authlib-compatible token endpoint."""
+    response = httpx.post(
+        cli_config.token_endpoint,
+        data={
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+            "client_id": cli_config.client_id,
+        },
+        timeout=30,
+    )
+    response.raise_for_status()
+    token = response.json()
+    return TokenResponse(
+        access_token=token["access_token"],
+        refresh_token=token.get("refresh_token", refresh_token),
+        expires_in=token["expires_in"],
+        token_type=token["token_type"],
+    )
+
+
+def get_valid_access_token(coordinator_url: str | None = None) -> str:
+    """
+    Get a valid access token, refreshing if necessary.
+
+    Returns:
+        Valid access token
+
+    Raises:
+        ValueError: If not logged in or token refresh fails
+    """
+    try:
+        config = Config.load_from_file()
+    except FileNotFoundError:
+        raise ValueError("Not logged in. Please run 'arcade login' first.")
+
+    resolved_coordinator_url = (
+        coordinator_url
+        or (config.coordinator_url if config.coordinator_url else None)
+        or f"https://{PROD_COORDINATOR_HOST}"
+    )
+
+    if not config.auth:
+        raise ValueError("Not logged in. Please run 'arcade login' first.")
+
+    # Check if token needs refresh
+    if config.is_token_expired():
+        cli_config = fetch_cli_config(resolved_coordinator_url)
+
+        try:
+            new_tokens = refresh_access_token(cli_config, config.auth.refresh_token)
+        except httpx.HTTPError as e:
+            raise ValueError(
+                f"Failed to refresh token: {e}. Please run 'arcade login' to re-authenticate."
+            )
+
+        # Update stored credentials
+        expires_at = datetime.now() + timedelta(seconds=new_tokens.expires_in)
+        config.coordinator_url = resolved_coordinator_url
+        config.auth.access_token = new_tokens.access_token
+        config.auth.refresh_token = new_tokens.refresh_token
+        config.auth.expires_at = expires_at
+        config.save_to_file()
+
+        return new_tokens.access_token
+
+    return config.auth.access_token

arcade_core/config_model.py

@@ -1,4 +1,5 @@
 import os
+from datetime import datetime, timedelta
 from pathlib import Path
 from typing import Any
 
@@ -10,18 +11,22 @@ class BaseConfig(BaseModel):
     model_config = ConfigDict(extra="ignore")
 
 
-class ApiConfig(BaseConfig):
+class AuthConfig(BaseConfig):
     """
-    Arcade API configuration.
+    OAuth authentication configuration.
     """
 
-    key: str
+    access_token: str
     """
-    Arcade API key.
+    OAuth access token (JWT).
     """
-    version: str = "v1"
+    refresh_token: str
     """
-    Arcade API version.
+    OAuth refresh token for obtaining new access tokens.
+    """
+    expires_at: datetime
+    """
+    When the access token expires.
     """
 
 
@@ -36,15 +41,51 @@ class UserConfig(BaseConfig):
     """
 
 
+class ContextConfig(BaseConfig):
+    """
+    Active organization and project context.
+    """
+
+    org_id: str
+    """
+    Active organization ID.
+    """
+    org_name: str
+    """
+    Active organization name.
+    """
+    project_id: str
+    """
+    Active project ID.
+    """
+    project_name: str
+    """
+    Active project name.
+    """
+
+
 class Config(BaseConfig):
     """
-    Configuration for Arcade.
+    Configuration for Arcade CLI.
+    """
+
+    coordinator_url: str | None = None
+    """
+    Base URL of the Arcade Coordinator used for authentication flows.
+    """
+
+    auth: AuthConfig | None = None
+    """
+    OAuth authentication configuration.
     """
 
-    api: ApiConfig
+    # Active org/project context
+    context: ContextConfig | None = None
     """
-    Arcade API configuration.
+    Active organization and project context.
     """
+
+    # User info
     user: UserConfig | None = None
     """
     Arcade user configuration.
@@ -53,6 +94,48 @@ class Config(BaseConfig):
     def __init__(self, **data: Any):
         super().__init__(**data)
 
+    def is_authenticated(self) -> bool:
+        """
+        Check if the user is authenticated (has valid auth config).
+        """
+        return self.auth is not None
+
+    def is_token_expired(self) -> bool:
+        """
+        Check if the access token is expired or will expire within 5 minutes.
+        """
+        if not self.auth:
+            return True
+        # Consider expired if less than 5 minutes remaining
+        buffer_seconds = 300
+        return datetime.now() >= self.auth.expires_at.replace(tzinfo=None) - timedelta(
+            seconds=buffer_seconds
+        )
+
+    def get_access_token(self) -> str | None:
+        """
+        Get the current access token if available.
+        """
+        if self.auth:
+            return self.auth.access_token
+        return None
+
+    def get_active_org_id(self) -> str | None:
+        """
+        Get the active organization ID.
+        """
+        if self.context:
+            return self.context.org_id
+        return None
+
+    def get_active_project_id(self) -> str | None:
+        """
+        Get the active project ID.
+        """
+        if self.context:
+            return self.context.project_id
+        return None
+
     @classmethod
     def get_config_dir_path(cls) -> Path:
         """
@@ -82,16 +165,11 @@ class Config(BaseConfig):
         """
         Load the configuration from the YAML file in the configuration directory.
 
-        If no configuration file exists, this method will create a new one with default values.
-        The default configuration includes:
-        - An empty API configuration
-        - A default Engine configuration (host: "api.arcade.dev", port: None, tls: True)
-        - No user configuration
-
         Returns:
-            Config: The loaded or newly created configuration.
+            Config: The loaded configuration.
 
         Raises:
+            FileNotFoundError: If no configuration file exists.
             ValueError: If the existing configuration file is invalid.
         """
         cls.ensure_config_dir_exists()
@@ -108,13 +186,13 @@ class Config(BaseConfig):
 
         if config_data is None:
             raise ValueError(
-                "Invalid credentials.yaml file. Please ensure it is a valid YAML file or"
+                "Invalid credentials.yaml file. Please ensure it is a valid YAML file or "
                 "run `arcade logout`, then `arcade login` to start from a clean slate."
             )
 
         if "cloud" not in config_data:
             raise ValueError(
-                "Invalid credentials.yaml file. Expected a 'cloud' key."
+                "Invalid credentials.yaml file. Expected a 'cloud' key. "
                 "Run `arcade logout`, then `arcade login` to start from a clean slate."
             )
 
@@ -123,7 +201,6 @@ class Config(BaseConfig):
         except ValidationError as e:
             # Get only the errors with {type:missing} and combine them
             # into a nicely-formatted string message.
-            # Any other errors without {type:missing} should just be str()ed
             missing_field_errors = [
                 ".".join(map(str, error["loc"]))
                 for error in e.errors()
@@ -145,7 +222,15 @@ class Config(BaseConfig):
     def save_to_file(self) -> None:
         """
         Save the configuration to the YAML file in the configuration directory.
+
+        Sets file permissions to 600 (owner read/write only) for security.
         """
         Config.ensure_config_dir_exists()
         config_file_path = Config.get_config_file_path()
-        config_file_path.write_text(yaml.dump(self.model_dump()))
+
+        # Convert to dict, excluding None values for cleaner output
+        data = {"cloud": self.model_dump(exclude_none=True, mode="json")}
+        config_file_path.write_text(yaml.dump(data, default_flow_style=False))
+
+        # Set restrictive permissions (owner read/write only)
+        config_file_path.chmod(0o600)

arcade_core/constants.py

@@ -4,3 +4,8 @@ import os
 ARCADE_CONFIG_PATH = os.path.join(os.path.expanduser(os.getenv("ARCADE_WORK_DIR", "~")), ".arcade")
 # The path to the file containing the user's Arcade-related credentials (e.g., ARCADE_API_KEY).
 CREDENTIALS_FILE_PATH = os.path.join(ARCADE_CONFIG_PATH, "credentials.yaml")
+
+# Host defaults used by both the CLI and MCP server
+PROD_COORDINATOR_HOST = "cloud.arcade.dev"
+PROD_ENGINE_HOST = "api.arcade.dev"
+LOCALHOST = "localhost"

arcade_core/network/__init__.py

@@ -0,0 +1 @@
+# Network utilities shared across Arcade components.

arcade_core/network/org_transport.py

@@ -0,0 +1,99 @@
+"""
+Shared HTTP transport helpers for org-scoped Arcade API access.
+"""
+
+from __future__ import annotations
+
+import httpx
+
+
+def _rewrite_request_path(request: httpx.Request, org_id: str, project_id: str) -> httpx.Request:
+    """Return a request with its path rewritten to include org/project scope."""
+    path = request.url.path
+    if path.startswith("/v1/") and "/v1/orgs/" not in path:
+        scoped_path = path.replace("/v1/", f"/v1/orgs/{org_id}/projects/{project_id}/", 1)
+        scoped_url = request.url.copy_with(path=scoped_path)
+        return httpx.Request(
+            method=request.method,
+            url=scoped_url,
+            headers=request.headers,
+            content=request.content,
+            extensions=request.extensions,
+        )
+    return request
+
+
+class OrgScopedTransport(httpx.BaseTransport):
+    """Sync transport that rewrites requests to include org/project scope."""
+
+    def __init__(
+        self,
+        wrapped_transport: httpx.BaseTransport,
+        org_id: str,
+        project_id: str,
+    ) -> None:
+        self.wrapped = wrapped_transport
+        self.org_id = org_id
+        self.project_id = project_id
+
+    def handle_request(self, request: httpx.Request) -> httpx.Response:
+        scoped_request = _rewrite_request_path(request, self.org_id, self.project_id)
+        return self.wrapped.handle_request(scoped_request)
+
+    def close(self) -> None:
+        self.wrapped.close()
+
+
+class AsyncOrgScopedTransport(httpx.AsyncBaseTransport):
+    """Async transport that rewrites requests to include org/project scope."""
+
+    def __init__(
+        self,
+        wrapped_transport: httpx.AsyncBaseTransport,
+        org_id: str,
+        project_id: str,
+    ) -> None:
+        self.wrapped = wrapped_transport
+        self.org_id = org_id
+        self.project_id = project_id
+
+    async def handle_async_request(self, request: httpx.Request) -> httpx.Response:
+        scoped_request = _rewrite_request_path(request, self.org_id, self.project_id)
+        return await self.wrapped.handle_async_request(scoped_request)
+
+    async def aclose(self) -> None:
+        await self.wrapped.aclose()
+
+
+def build_org_scoped_http_client(
+    org_id: str,
+    project_id: str,
+    *,
+    base_transport: httpx.BaseTransport | None = None,
+    client_kwargs: dict | None = None,
+) -> httpx.Client:
+    """
+    Build a sync httpx.Client that rewrites /v1 requests with org/project scope.
+    """
+    client_kwargs = client_kwargs or {}
+    transport = OrgScopedTransport(
+        base_transport or httpx.HTTPTransport(), org_id=org_id, project_id=project_id
+    )
+    return httpx.Client(transport=transport, **client_kwargs)
+
+
+def build_org_scoped_async_http_client(
+    org_id: str,
+    project_id: str,
+    *,
+    base_transport: httpx.AsyncBaseTransport | None = None,
+    client_kwargs: dict | None = None,
+) -> httpx.AsyncClient:
+    """
+    Build an async httpx.AsyncClient that rewrites /v1 requests with org/project scope.
+    """
+    client_kwargs = client_kwargs or {}
+    transport = AsyncOrgScopedTransport(
+        base_transport or httpx.AsyncHTTPTransport(), org_id=org_id, project_id=project_id
+    )
+    return httpx.AsyncClient(transport=transport, **client_kwargs)

arcade_core/usage/identity.py

@@ -124,34 +124,68 @@ class UsageIdentity:
         return str(data[KEY_ANON_ID])
 
     def get_principal_id(self) -> str | None:
-        """Fetch principal_id from Arcade Cloud API.
+        """Fetch principal_id (account_id) from Arcade Cloud API.
+
+        Prefers any linked principal already stored in usage.json. If not
+        found, attempts to fetch via OAuth access token and falls
+        back to legacy API key validation if present.
 
         Returns:
             str | None: Principal ID if authenticated and API call succeeds, None otherwise
         """
+        # Prefer already-linked principal_id in usage.json
+        data = self.load_or_create()
+        linked_principal_id = data.get(KEY_LINKED_PRINCIPAL_ID)
+        if linked_principal_id:
+            return str(linked_principal_id)
+
         if not os.path.exists(CREDENTIALS_FILE_PATH):
             return None
 
         try:
             with open(CREDENTIALS_FILE_PATH) as f:
-                config = yaml.safe_load(f)
-
-            cloud_config = config.get("cloud", {})
-            api_key = cloud_config.get("api", {}).get("key")
-
-            if not api_key:
-                return None
-
-            response = httpx.get(
-                "https://cloud.arcade.dev/api/v1/auth/validate",
-                headers={"accept": "application/json", "Authorization": f"Bearer {api_key}"},
-                timeout=TIMEOUT_ARCADE_API,
+                config = yaml.safe_load(f) or {}
+
+            cloud_config = config.get("cloud", {}) if isinstance(config, dict) else {}
+
+            # Determine coordinator/authority URL for auth calls
+            coordinator_url = cloud_config.get("coordinator_url") or "https://cloud.arcade.dev"
+            whoami_url = f"{coordinator_url}/api/v1/auth/whoami"
+            validate_url = f"{coordinator_url}/api/v1/auth/validate"
+
+            # OAuth credentials: use access_token to call /whoami
+            auth_config = cloud_config.get("auth", {}) if isinstance(cloud_config, dict) else {}
+            access_token = auth_config.get("access_token")
+            if access_token:
+                response = httpx.get(
+                    whoami_url,
+                    headers={
+                        "accept": "application/json",
+                        "Authorization": f"Bearer {access_token}",
+                    },
+                    timeout=TIMEOUT_ARCADE_API,
+                )
+                if response.status_code == 200:
+                    data = response.json().get("data", {})
+                    principal_id = data.get("account_id") or data.get("principal_id")
+                    if principal_id:
+                        return str(principal_id)
+
+            # Legacy API key credentials (deprecated)
+            api_key = (
+                cloud_config.get("api", {}).get("key") if isinstance(cloud_config, dict) else None
             )
-
-            if response.status_code == 200:
-                data = response.json()
-                principal_id = data.get("data", {}).get("principal_id")
-                return str(principal_id) if principal_id else None
+            if api_key:
+                response = httpx.get(
+                    validate_url,
+                    headers={"accept": "application/json", "Authorization": f"Bearer {api_key}"},
+                    timeout=TIMEOUT_ARCADE_API,
+                )
+                if response.status_code == 200:
+                    data = response.json()
+                    principal_id = data.get("data", {}).get("principal_id")
+                    if principal_id:
+                        return str(principal_id)
 
         except Exception:  # noqa: S110
             # Silent failure - don't disrupt CLI

{arcade_core-3.4.0.dist-info → arcade_core-4.0.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: arcade-core
-Version: 3.4.0
+Version: 4.0.0
 Summary: Arcade Core - Core library for Arcade platform
 Author-email: Arcade <dev@arcade.dev>
 License: MIT
@@ -13,6 +13,7 @@ Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Requires-Python: >=3.10
+Requires-Dist: httpx>=0.27.0
 Requires-Dist: loguru>=0.7.0
 Requires-Dist: packaging>=24.1
 Requires-Dist: pydantic>=2.7.0

{arcade_core-3.4.0.dist-info → arcade_core-4.0.0.dist-info}/RECORD

@@ -1,10 +1,11 @@
 arcade_core/__init__.py,sha256=1heu3AROAjpistehPzY2H-2nkj_IjQEh-vVlVOCRF1E,88
 arcade_core/annotations.py,sha256=Nst6aejLWXlpTu7GwzWETu1gQCG1XVAUR_qcFbNvyRc,198
 arcade_core/auth.py,sha256=flz3UNso5VXiKvrwygapiyQdBmI1Ca6JzFOO2caUSQQ,6145
+arcade_core/auth_tokens.py,sha256=4VAd634lgGigNHezoy2dBpLztliG4Qd2GH8ZBdZVDNo,3169
 arcade_core/catalog.py,sha256=AA13L-ZG4O0S5rB1Fjc-wpLaa6im-dwIBx7GsE2ZW80,43527
 arcade_core/config.py,sha256=e98XQAkYySGW9T_yrJg54BB8Wuq06GPVHp7xqe2d1vU,572
-arcade_core/config_model.py,sha256=78BR6Ch9BDuG4ddWGfpuEKqWcb1fyOF6kxiF4qLFogM,4481
-arcade_core/constants.py,sha256=wakdklI7TyJ0agq9n-Cmb2lbVa95D0oUaMGm30eiv9Y,375
+arcade_core/config_model.py,sha256=EA6XQWj-oJu_e4j0kuVT1K5fbwRvwv-lUYMrctcW2Ws,6504
+arcade_core/constants.py,sha256=E3s22aGDhYDM_vkxdo7PZf8F3pznqM-NqQQzgIjhhD8,531
 arcade_core/context.py,sha256=J2MgbVznhJC2qarHq3dTL72W4NGYOM1pjXdI_YwgkA4,3316
 arcade_core/discovery.py,sha256=PluKGhNtJ7RYjJuPDMB8LCNinQLKzlqoAtc3dwKb6IA,8397
 arcade_core/errors.py,sha256=fsi7m6TQQSsdSNHl4rBoSN_YH3ZV910gjvBFqB207f4,13326
@@ -17,12 +18,14 @@ arcade_core/toolkit.py,sha256=lLlOL6fA6Lmo-dtLTMMcPCzKDf9YQObwxG1LdVADv3E,14431
 arcade_core/utils.py,sha256=_3bM-yfIDFmMVqt-NFYp2Lx1QcNWp7xytGjUQzPs2LY,3255
 arcade_core/version.py,sha256=CpXi3jGlx23RvRyU7iytOMZrnspdWw4yofS8lpP1AJU,18
 arcade_core/converters/openai.py,sha256=4efdgTkvdwT44VGStBhdUmzCnoP5dysceIqPVVPG-vk,7408
+arcade_core/network/__init__.py,sha256=8GEcg6QAr63U8U1n4bnf7cL-F7FrUrc9otHM2J9ODwk,53
+arcade_core/network/org_transport.py,sha256=DZdIYdldtYZ6gtmWA1C8dXmsNuOv7tePhlpBuAvkhRQ,3222
 arcade_core/usage/__init__.py,sha256=SUR5mqF-bjdbl-P-OOHN6OFAjXZu4agXyPhr7xdVXCw,234
 arcade_core/usage/__main__.py,sha256=rSJkE1G9hlV3HRRA6EJE5Lmy3wKyan7rAxBXHX9A1cI,1577
 arcade_core/usage/constants.py,sha256=1FQIhkFFMZUhU-H4A7GvMb7KQ3qLFrNAZb2-LEvSF3k,1052
-arcade_core/usage/identity.py,sha256=2dP1iusI9pE_GrPlz3VXEdz51R5JlNo9_-OXbe6vn7I,6716
+arcade_core/usage/identity.py,sha256=egclRR26jGP1vVvoOoaaZdcS4AtSTZ8fLHpBq1HRgHw,8452
 arcade_core/usage/usage_service.py,sha256=xzWWSEktm58liiNYugBHRactSru8V5foriHcsoH0j1A,3407
 arcade_core/usage/utils.py,sha256=FqBOmlhwT68cbnpI5Vx9ZW6vLRYPVg4FJ0GaMEp8qEM,398
-arcade_core-3.4.0.dist-info/METADATA,sha256=ia0b5S1wwMu5z50qJwsj7wRVRhQOcDIqLTHFlGBf-co,2383
-arcade_core-3.4.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-arcade_core-3.4.0.dist-info/RECORD,,
+arcade_core-4.0.0.dist-info/METADATA,sha256=6JLUpZN5EFPFt6LqXK3dHYMo7xgrWr_8wh_M7ahWBq0,2412
+arcade_core-4.0.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+arcade_core-4.0.0.dist-info/RECORD,,