buildai-cli 0.3.34__tar.gz → 0.3.36__tar.gz

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/.gitignore

@@ -27,6 +27,7 @@ test-results/
 # Node
 node_modules/
 .next/
+.expect/
 out/
 
 # IDE
@@ -70,6 +71,7 @@ reference/
 scripts/output/
 scripts/dead_assets.json
 scripts/dead_assets.ids.txt
+scripts/figure_h264_1000h/
 
 # Service account keys
 *-sa-key.json
@@ -85,3 +87,6 @@ scripts/dead_assets.ids.txt
 *.ts.net.key
 test-buildai-data/
 .claude/worktrees/
+
+# Generated multi-service app factory (local dev only)
+_combined_factory.py

buildai_cli-0.3.36/CLAUDE 2.md

@@ -0,0 +1,35 @@
+# BuildAI CLI
+
+Typer-based CLI with two modes: standalone (PyPI, API-backed) and workspace (repo-local, DB-direct).
+
+## Two Planes
+
+| Mode | Install | Auth | DB Access |
+|------|---------|------|-----------|
+| Standalone (`buildai`) | `uv tool install buildai-cli` | API key / JWT | Through API |
+| Workspace (`uv run buildai`) | Repo-local editable install | IAM / password | Direct via `admin` |
+
+## Key Commands
+
+```bash
+buildai query "SELECT count(*) FROM core.clips"        # API-backed
+buildai admin query "SELECT count(*) FROM core.clips"   # DB-direct
+buildai admin schema tables                              # Schema introspection
+buildai admin schema describe core.clips                 # Table details
+buildai admin --write database migrate all               # Run migrations
+buildai admin database diff --from preview --to production  # Migration delta
+```
+
+## Guards
+
+- `admin` subcommands require workspace install + gcloud IAM.
+- Writes require `--write` flag.
+- Production migrations prompt for confirmation.
+- Worktree app/runtime targeting comes from explicit env vars and the repo Makefile, not a saved CLI context layer.
+- `buildai admin --env` selects the explicit DB lane: `production`, `preview`, `dev`.
+- Do not confuse `--env preview` with any old local preset names. The CLI no longer manages worktree deployment profiles.
+
+## Reference
+
+CLI mode guide: `docs/how-to/choose-buildai-mode.md`
+Database roles: `docs/database-roles.md`

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/CLAUDE.md

@@ -16,8 +16,6 @@ buildai query "SELECT count(*) FROM core.clips"        # API-backed
 buildai admin query "SELECT count(*) FROM core.clips"   # DB-direct
 buildai admin schema tables                              # Schema introspection
 buildai admin schema describe core.clips                 # Table details
-uv run buildai dev use local                             # Set this worktree's deployment profile
-uv run buildai dev current                               # Show resolved worktree target
 buildai admin --write database migrate all               # Run migrations
 buildai admin database status                               # Migration status
 ```
@@ -27,7 +25,7 @@ buildai admin database status                               # Migration status
 - `admin` subcommands require workspace install + gcloud IAM.
 - Writes require `--write` flag.
 - Production migrations prompt for confirmation.
-- Worktree app/runtime targeting comes from `uv run buildai dev use <profile>`.
+- Worktree app/runtime targeting comes from explicit env vars and the repo Makefile, not a saved CLI context layer.
 - `buildai admin --env` selects the explicit DB lane: `production`, `dev`.
 
 ## Reference

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: buildai-cli
-Version: 0.3.34
+Version: 0.3.36
 Summary: Build AI CLI (Typer)
 Requires-Python: >=3.11
 Requires-Dist: buildai-data

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/cli/commands/database.py

@@ -12,7 +12,6 @@ All database operations under one command group:
     buildai admin database discover        # Retired legacy discovery flow
     buildai admin database status          # Overall database health summary
     buildai admin database roles           # Role management
-    buildai admin database roles-setup     # Apply least-privilege roles/grants
     buildai admin database audit           # Permission auditing
     buildai admin database seed            # Run seed data scripts
 """
@@ -26,9 +25,7 @@ from typing import Any, Sequence
 
 import asyncpg
 import typer
-from infra.auth_principal_targets import get_runtime_targets_with_database_access
-from infra.migration_tracking import audit_migration_tracking, load_tracker_policy
-from infra.settings import Settings, switch_environment
+from api.service_catalog import list_api_services
 from rich.panel import Panel
 from rich.syntax import Syntax
 from rich.table import Table
@@ -62,6 +59,8 @@ from cli.context import (
     resolve_admin_connection_config,
 )
 from cli.guard import require_write
+from infra.migration_tracking import audit_migration_tracking, load_tracker_policy
+from infra.settings import Settings, switch_environment
 
 # =============================================================================
 # Constants
@@ -84,7 +83,7 @@ async def _get_admin_connection(settings: Settings):
 
     Resolution order:
     1. ALLOYDB_ADMIN_IAM_USER_* env vars (explicit override)
-    2. deployment_profiles.yaml database_admin section (canonical source of truth)
+    2. explicit ALLOYDB_ADMIN_IAM_USER_* / ALLOYDB_ADMIN_IMPERSONATE_SA_* env wiring
     3. ALLOYDB_PSW_PROD password fallback
     """
     return await open_admin_database(settings)
@@ -227,6 +226,60 @@ class DatabaseStatus:
         return "READY FOR TESTING"
 
 
+@dataclass(frozen=True)
+class _RuntimeDbTarget:
+    service_slug: str
+    gcp_service_account_email: str
+    alloydb_iam_user: str
+
+
+def _runtime_db_targets() -> list[_RuntimeDbTarget]:
+    """Return the current runtime principals that should exist as AlloyDB IAM users."""
+    api_targets = [
+        _RuntimeDbTarget(
+            service_slug=service.service_slug,
+            gcp_service_account_email=service.runtime_service_account,
+            alloydb_iam_user=service.runtime_db_user,
+        )
+        for service in list_api_services()
+    ]
+    worker_targets = [
+        _RuntimeDbTarget(
+            service_slug="mcp",
+            gcp_service_account_email="mcp-sa@data-470400.iam.gserviceaccount.com",
+            alloydb_iam_user="mcp-sa@data-470400.iam",
+        ),
+        _RuntimeDbTarget(
+            service_slug="frame-extractor",
+            gcp_service_account_email="frame-extractor-sa@data-470400.iam.gserviceaccount.com",
+            alloydb_iam_user="frame-extractor-sa@data-470400.iam",
+        ),
+        _RuntimeDbTarget(
+            service_slug="frame-embed",
+            gcp_service_account_email="frame-embed-sa@data-470400.iam.gserviceaccount.com",
+            alloydb_iam_user="frame-embed-sa@data-470400.iam",
+        ),
+        _RuntimeDbTarget(
+            service_slug="frame-inference",
+            gcp_service_account_email="frame-inference-sa@data-470400.iam.gserviceaccount.com",
+            alloydb_iam_user="frame-inference-sa@data-470400.iam",
+        ),
+        _RuntimeDbTarget(
+            service_slug="migrations-runner",
+            gcp_service_account_email="migrations-runner-sa@data-470400.iam.gserviceaccount.com",
+            alloydb_iam_user="migrations-runner-sa@data-470400.iam",
+        ),
+    ]
+    seen: set[str] = set()
+    targets: list[_RuntimeDbTarget] = []
+    for target in [*api_targets, *worker_targets]:
+        if target.gcp_service_account_email in seen:
+            continue
+        seen.add(target.gcp_service_account_email)
+        targets.append(target)
+    return targets
+
+
 def _migration_requires_system_admin(path: Path) -> bool:
     for line in path.read_text(encoding="utf-8").splitlines()[:10]:
         if line.strip().lower() == "-- requires-system-admin: true":
@@ -1392,90 +1445,6 @@ def roles(ctx: typer.Context) -> None:
     asyncio.run(run())
 
 
-@app.command("roles-setup")
-def roles_setup(
-    ctx: typer.Context,
-    dry_run: Annotated[bool, typer.Option("--dry-run", help="Show SQL without executing")] = False,
-    as_admin: Annotated[
-        bool,
-        typer.Option(
-            "--as-admin",
-            help="Connect as postgres user via password auth (requires ALLOYDB_PSW_PROD)",
-        ),
-    ] = False,
-    yes: Annotated[
-        bool, typer.Option("--yes", "-y", help="Skip confirmation for production")
-    ] = False,
-) -> None:
-    """
-    Apply least-privilege role and grant setup.
-
-    Uses scripts/ops/create-db-roles-leastpriv.sql.
-    """
-    settings: Settings = ctx.obj["settings"]
-
-    if not dry_run:
-        require_write(ctx, "Database role setup")
-
-    sql_path = REPO_ROOT / "scripts" / "ops" / "create-db-roles-leastpriv.sql"
-
-    if not sql_path.exists():
-        error(f"SQL file not found: {sql_path}")
-        raise typer.Exit(1)
-
-    sql_content = sql_path.read_text()
-
-    if dry_run:
-        info("SQL to execute:")
-        console.print(Syntax(sql_content, "sql", theme="monokai", line_numbers=False))
-        return
-
-    if settings.is_production and not yes:
-        warning("This will modify PRODUCTION database roles!")
-        if not typer.confirm("Are you sure you want to continue?"):
-            raise typer.Abort()
-
-    async def run() -> None:
-        db = None
-        connection_context = None
-        using_owner_role = False
-
-        try:
-            if as_admin:
-                info("Connecting as postgres (password auth)...")
-                db = await _get_admin_connection(settings)
-                conn = db.conn
-            else:
-                connection_context = get_connection(settings)
-                conn = await connection_context.__aenter__()
-                using_owner_role = await _set_owner_role(conn)
-                if using_owner_role:
-                    dim("Using role: buildai_owner")
-                else:
-                    dim("Role buildai_owner not available, using default permissions")
-
-            await conn.execute(sql_content)
-            success("Role setup completed.")
-
-        except Exception as e:
-            error(f"Role setup failed: {e}")
-            raise typer.Exit(1)
-
-        finally:
-            if using_owner_role:
-                try:
-                    await conn.execute("RESET ROLE")
-                except Exception:
-                    pass
-
-            if db is not None:
-                await db.close()
-            elif connection_context is not None:
-                await connection_context.__aexit__(None, None, None)
-
-    asyncio.run(run())
-
-
 @app.command()
 def audit(
     ctx: typer.Context,
@@ -1502,7 +1471,7 @@ def audit(
 
     # Check IAM roles
     info("Checking GCP IAM roles...")
-    runtime_targets = get_runtime_targets_with_database_access()
+    runtime_targets = _runtime_db_targets()
     required_roles = ["roles/alloydb.client", "roles/alloydb.databaseUser"]
 
     iam_table = Table(title="IAM Role Audit")
@@ -1516,8 +1485,6 @@ def audit(
     for target in runtime_targets:
         sa_email = target.gcp_service_account_email
         db_login = target.alloydb_iam_user
-        if sa_email is None or db_login is None:
-            continue
         sa_name = sa_email.split("@", 1)[0]
         row = [sa_name, db_login]
 

buildai_cli-0.3.36/cli/commands/jobs.py

@@ -0,0 +1,193 @@
+"""CLI commands for jobs (SDK-backed data-plane)."""
+
+from __future__ import annotations
+
+import itertools
+import time
+from typing import Any
+
+import typer
+
+from cli.console import info, success, warning
+from cli.output import Format, format_option, output
+from cli.sdk_client import get_sdk_client
+
+app = typer.Typer(
+    name="jobs",
+    help="Manage processing jobs.",
+    no_args_is_help=True,
+)
+
+
+def _job_row(job: Any) -> dict[str, Any]:
+    return {
+        "job_id": job.job_id,
+        "job_type": job.job_type,
+        "status": job.status,
+        "progress_pct": getattr(job, "progress_pct", 0.0),
+        "total_items": getattr(job, "total_items", None),
+        "chunk_count": getattr(job, "chunk_count", None),
+        "created_at": getattr(job, "created_at", None),
+    }
+
+
+def _launch_job(
+    client: Any,
+    job_id: str,
+    *,
+    max_tasks: int,
+    spot: bool,
+    platform: str,
+    region: str | None,
+    cpu: str,
+    memory: str,
+) -> Any:
+    return client.jobs.submit(
+        job_id,
+        max_tasks=max_tasks,
+        spot=spot,
+        platform=platform,
+        region=region,
+        cpu=cpu,
+        memory=memory,
+    )
+
+
+def _watch_job(client: Any, job_id: str, *, interval: float) -> None:
+    last_line: str | None = None
+    while True:
+        progress = client.jobs.progress(job_id)
+        line = (
+            f"{progress.status} "
+            f"chunks={progress.chunks_succeeded + progress.chunks_failed}/{progress.total_chunks} "
+            f"items={progress.items_succeeded} ok/{progress.items_failed} failed "
+            f"items_per_sec={progress.items_per_second} "
+            f"chunks_per_sec={progress.chunks_per_second} "
+            f"eta_s={progress.eta_seconds}"
+        )
+        if line != last_line:
+            info(f"{job_id}: {line}")
+            last_line = line
+        if progress.status in {"succeeded", "failed", "cancelled"}:
+            if progress.status != "succeeded":
+                failures = client.jobs.failures(job_id, page_size=5)
+                if failures.data:
+                    for failure in failures.data:
+                        warning(
+                            f"{failure.entity_id} | "
+                            f"{failure.error_code or 'error'} | "
+                            f"{failure.error_message or ''}"
+                        )
+            return
+        time.sleep(interval)
+
+
+@app.command("list")
+def jobs_list(
+    status: str | None = typer.Option(None, "--status", "-s", help="Filter by status"),
+    type: str | None = typer.Option(None, "--type", "-t", help="Filter by job type"),
+    limit: int = typer.Option(20, "--limit", "-n"),
+    format: Format | None = format_option(),
+) -> None:
+    """List processing jobs."""
+    client = get_sdk_client()
+    results = list(
+        itertools.islice(
+            client.jobs.iter(status=status, type=type),
+            limit,
+        )
+    )
+    output(
+        [_job_row(job) for job in results],
+        format=format,
+        columns=["job_id", "job_type", "status", "progress_pct", "total_items", "chunk_count"],
+    )
+
+
+@app.command("get")
+def jobs_get(
+    job_id: str = typer.Argument(..., help="Manifest ID"),
+    format: Format | None = format_option(),
+) -> None:
+    """Get details for a single job."""
+    client = get_sdk_client()
+    job = client.jobs.get(job_id)
+    output(job, format=format)
+
+
+@app.command("submit")
+def jobs_submit(
+    ctx: typer.Context,
+    job_id: str = typer.Argument(..., help="Manifest ID"),
+    max_tasks: int = typer.Option(750, "--max-tasks"),
+    spot: bool = typer.Option(True, "--spot/--no-spot"),
+    platform: str = typer.Option("auto", "--platform"),
+    region: str | None = typer.Option(None, "--region"),
+    cpu: str = typer.Option("8", "--cpu"),
+    memory: str = typer.Option("8Gi", "--memory"),
+    watch: bool = typer.Option(False, "--watch"),
+    interval: float = typer.Option(5.0, "--interval"),
+) -> None:
+    """Submit an existing manifest to execution."""
+    del ctx  # API enforces permissions via token scope
+    client = get_sdk_client()
+    result = _launch_job(
+        client,
+        job_id,
+        max_tasks=max_tasks,
+        spot=spot,
+        platform=platform,
+        region=region,
+        cpu=cpu,
+        memory=memory,
+    )
+    success(
+        f"Submitted {job_id} on {result.platform} "
+        f"as {result.batch_job_name} with {result.task_count} tasks"
+    )
+    if watch:
+        _watch_job(client, job_id, interval=interval)
+
+
+@app.command("watch")
+def jobs_watch(
+    job_id: str = typer.Argument(..., help="Manifest ID"),
+    interval: float = typer.Option(5.0, "--interval"),
+) -> None:
+    """Watch a job until completion."""
+    client = get_sdk_client()
+    _watch_job(client, job_id, interval=interval)
+
+
+@app.command("retry")
+def jobs_retry(
+    ctx: typer.Context,
+    job_id: str = typer.Argument(..., help="Manifest ID"),
+    dry_run: bool = typer.Option(False, "--dry-run"),
+) -> None:
+    """Retry a failed job."""
+    if dry_run:
+        info(f"Would retry job {job_id}")
+        return
+
+    del ctx  # API enforces permissions via token scope
+    client = get_sdk_client()
+    client.jobs.retry(job_id)
+    success(f"Retried job {job_id}")
+
+
+@app.command("cancel")
+def jobs_cancel(
+    ctx: typer.Context,
+    job_id: str = typer.Argument(..., help="Manifest ID"),
+    dry_run: bool = typer.Option(False, "--dry-run"),
+) -> None:
+    """Cancel a running job."""
+    if dry_run:
+        info(f"Would cancel job {job_id}")
+        return
+
+    del ctx  # API enforces permissions via token scope
+    client = get_sdk_client()
+    client.jobs.cancel(job_id)
+    success(f"Cancelled job {job_id}")

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/cli/commands/medoid.py

@@ -239,7 +239,7 @@ async def _compute(
 ) -> None:
     from dal.processing import jobs
 
-    from services.load_config import load_service_config, resolve_profile
+    from processing_runtime.profile_catalog import load_runtime_profile, resolve_profile
 
     settings = ctx.obj["settings"]
 
@@ -300,7 +300,7 @@ async def _compute(
             raise typer.Exit(1)
 
         # Get GPU config based on data size for display
-        embedding_config = load_service_config("media_embedding")
+        embedding_config = load_runtime_profile("embedding_runtime")
         batch_config = resolve_profile(
             embedding_config,
             job_type="compute_medoids",

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/cli/config.py

@@ -7,8 +7,6 @@ import os
 from pathlib import Path
 from typing import Any
 
-from cli.dev_context import load_dev_context
-
 CONFIG_DIR = Path.home() / ".buildai"
 CREDENTIALS_PATH = CONFIG_DIR / "credentials.json"
 DEFAULT_API_URL = "https://api.build.ai"
@@ -41,13 +39,6 @@ def clear_credential() -> None:
         CREDENTIALS_PATH.unlink()
 
 
-def _workspace_context() -> dict[str, Any] | None:
-    try:
-        return load_dev_context()
-    except Exception:
-        return None
-
-
 def _clean_str(value: Any) -> str | None:
     if not isinstance(value, str):
         return None
@@ -74,11 +65,6 @@ def resolve_api_url(*, include_workspace: bool = True) -> str:
     env_api_url = os.getenv("BUILDAI_API_URL")
     if env_api_url:
         return env_api_url.rstrip("/")
-    if include_workspace:
-        workspace_context = _workspace_context()
-        workspace_api_url = _clean_str((workspace_context or {}).get("api_url"))
-        if workspace_api_url:
-            return workspace_api_url.rstrip("/")
     api_url = load_credentials().get("api_url")
     if isinstance(api_url, str) and api_url:
         return api_url.rstrip("/")
@@ -109,8 +95,4 @@ def resolve_cli_profile(explicit: str | None = None) -> str:
     env_profile = _clean_str(os.getenv("BUILDAI_CLI_PROFILE"))
     if env_profile:
         return env_profile
-    workspace_context = _workspace_context()
-    workspace_profile = _clean_str((workspace_context or {}).get("cli_access_profile"))
-    if workspace_profile:
-        return workspace_profile
     return "internal_viewer"

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/cli/context.py

@@ -22,9 +22,9 @@ from dataclasses import dataclass
 from typing import TYPE_CHECKING, AsyncGenerator
 
 import asyncpg
-from infra.settings import Settings, get_settings
 
 from infra import Database, get_logger
+from infra.settings import Settings, get_settings
 
 if TYPE_CHECKING:
     from dal.context import Context
@@ -38,7 +38,6 @@ _UNRESTRICTED_CLI_PROFILES = frozenset(
     {
         "internal_admin",
         "internal_viewer",
-        "analyst",
         "developer",
         "operator",
         "ml_engineer",
@@ -82,25 +81,12 @@ def resolve_admin_connection_config(
 ) -> AdminConnectionConfig | None:
     """Resolve the canonical admin DB login for this environment, if one exists.
 
-    Resolution order is explicit env overrides first, then the checked-in
-    deployment profile, then the production password fallback already used by
-    privileged database commands.
+    Resolution order is explicit env overrides first, then the production
+    password fallback already used by privileged database commands.
     """
-    from infra.deployment_profiles import resolve_deployment_profile
-
     admin_iam_user = settings.effective_alloydb_admin_iam_user
     admin_impersonate_sa = settings.effective_alloydb_admin_impersonate_sa
 
-    if not admin_iam_user or not admin_impersonate_sa:
-        try:
-            profile_name = os.environ.get("BUILDAI_DEPLOYMENT_PROFILE", "production")
-            profile = resolve_deployment_profile(profile_name)
-            if profile.database_admin:
-                admin_iam_user = admin_iam_user or profile.database_admin.iam_user
-                admin_impersonate_sa = admin_impersonate_sa or profile.database_admin.impersonate_sa
-        except (ValueError, KeyError):
-            pass
-
     if admin_iam_user and admin_impersonate_sa:
         return AdminConnectionConfig(
             user=admin_iam_user,
@@ -137,8 +123,7 @@ async def open_admin_database(settings: Settings) -> Database:
     if config is None:
         raise RuntimeError(
             "Admin credentials not configured for this environment. "
-            "Set ALLOYDB_ADMIN_IAM_USER_* / ALLOYDB_ADMIN_IMPERSONATE_SA_* or "
-            "define database_admin in deployment_profiles.yaml."
+            "Set ALLOYDB_ADMIN_IAM_USER_* / ALLOYDB_ADMIN_IMPERSONATE_SA_*."
         )
 
     ip_type = "PRIVATE" if settings.use_private_ip else "PUBLIC"

{buildai_cli-0.3.34 → buildai_cli-0.3.36}/cli/main.py

@@ -18,7 +18,6 @@ from cli.commands.api_proxy import api
 from cli.commands.assets_cli import app as assets_app
 from cli.commands.auth_lite import login, logout, whoami
 from cli.commands.clips import app as clips_app
-from cli.commands.dev import app as dev_app
 from cli.commands.inference import app as inference_app
 from cli.commands.jobs import app as jobs_app
 from cli.commands.query_api import query
@@ -208,7 +207,6 @@ Build AI CLI — query data, run inference, sign media URLs.
 
 Get started:
   uv tool install buildai-cli          Install the standalone CLI
-  uv run buildai dev use local         Set this worktree's dev target
   buildai login                         Authenticate (opens browser)
   buildai whoami                        Show your identity and permissions
   buildai query "SELECT count(*) FROM core.clips"
@@ -253,7 +251,6 @@ app.command("whoami")(whoami)
 app.command("logout")(logout)
 app.command("query")(query)
 
-app.add_typer(dev_app, name="dev")
 app.add_typer(clips_app, name="clips")
 app.add_typer(assets_app, name="assets")
 app.add_typer(inference_app, name="inference")
@@ -275,7 +272,7 @@ def admin_callback(
         None,
         "--env",
         "-e",
-        help="Target environment. Defaults to APP_ENV, then worktree context, then production.",
+        help="Target environment. Defaults to APP_ENV, then production.",
     ),
     auth: str = typer.Option(None, "--auth", "-a", help="Auth method: iam or password."),
     user: str = typer.Option(None, "--user", "-u", help="Override database user."),
@@ -306,7 +303,6 @@ if has_core():
     from cli.commands.medoid import app as medoid_app
     from cli.commands.operations import app as operations_app
     from cli.commands.partners import app as partners_app
-    from cli.commands.permissions import app as permissions_app
     from cli.commands.projection import app as projection_app
     from cli.commands.query import query as admin_query
     from cli.commands.schema import app as schema_app
@@ -321,7 +317,6 @@ if has_core():
     admin_app.add_typer(embed_app, name="embeddings")
     admin_app.add_typer(database_app, name="database")
     admin_app.add_typer(external_app, name="external")
-    admin_app.add_typer(permissions_app, name="permissions")
     admin_app.add_typer(projection_app, name="projection")
     admin_app.add_typer(medoid_app, name="medoid")