buildai-cli 0.3.44__tar.gz → 0.3.46__tar.gz

{buildai_cli-0.3.44 → buildai_cli-0.3.46}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: buildai-cli
-Version: 0.3.44
+Version: 0.3.46
 Summary: Build AI CLI (Typer)
 Requires-Python: >=3.11
 Requires-Dist: python-dotenv>=1.0.0

{buildai_cli-0.3.44 → buildai_cli-0.3.46}/cli/auth_local.py

@@ -95,18 +95,12 @@ class ResolvedLocalAuthProfile:
                     f'export ALLOYDB_IAM_AUTH_{suffix}="true"',
                 ]
             )
-            if self.name == "engineers-dev":
-                exports.extend(
-                    [
-                        f'export ALLOYDB_USE_AUTH_PROXY_{suffix}="true"',
-                        'export ALLOYDB_AUTH_PROXY_HOST="127.0.0.1"',
-                        f'export ALLOYDB_AUTH_PROXY_PORT_{suffix}="5440"',
-                    ]
-                )
-            else:
-                exports.append(
-                    f'export ALLOYDB_RUNTIME_IMPERSONATE_SA_{suffix}="{self.target_service_account}"'
-                )
+            exports.extend(
+                [
+                    f'export ALLOYDB_RUNTIME_IMPERSONATE_SA_{suffix}="{self.target_service_account}"',
+                    f'export ALLOYDB_USE_AUTH_PROXY_{suffix}="false"',
+                ]
+            )
         elif self.name == "db-admin-local" and self.target_db_user and self.target_service_account:
             exports.extend(
                 [
@@ -200,10 +194,11 @@ def sanctioned_auth_profiles() -> tuple[LocalAuthProfile, ...]:
         LocalAuthProfile(
             name="engineers-dev",
             audience="engineers",
-            summary="Use the engineer-facing read-only DB and operator lane.",
+            summary="Use the engineer-facing read-only DB lane.",
             purpose=(
-                "Use this for direct CLI database reads, schema inspection, and desktop SQL "
-                "tooling. Local API runtime parity should use the service-runtime profiles instead."
+                "Use this for direct CLI database reads and schema inspection through the "
+                "engineer-facing service-account identity. Local API runtime parity should "
+                "use the service-runtime profiles instead."
             ),
         ),
         LocalAuthProfile(

{buildai_cli-0.3.44 → buildai_cli-0.3.46}/cli/context.py

@@ -22,6 +22,7 @@ from dataclasses import dataclass
 from typing import TYPE_CHECKING, AsyncGenerator
 
 import asyncpg
+from dal import scopes as dal_scopes
 from infra.settings import Settings, get_settings
 
 from infra import Database, get_logger
@@ -34,6 +35,22 @@ logger = get_logger(__name__)
 # Environment variable to force local PostgreSQL (for test/CI)
 USE_LOCAL_DB = os.getenv("USE_LOCAL_DB", "false").lower() == "true"
 _ZERO_UUID = "00000000-0000-0000-0000-000000000000"
+_READ_SUFFIXES = (".read", ".search", ".query", ".introspection")
+_READ_PROFILE_SCOPES = frozenset(
+    scope
+    for scope in dal_scopes.ALL_SCOPES
+    if any(scope.endswith(suffix) for suffix in _READ_SUFFIXES)
+)
+_CLI_PROFILE_SCOPES: dict[str, frozenset[str]] = {
+    "internal_admin": frozenset(dal_scopes.ALL_SCOPES),
+    "internal_viewer": _READ_PROFILE_SCOPES,
+    "engineers-dev": _READ_PROFILE_SCOPES,
+    "developer": frozenset(dal_scopes.ALL_SCOPES),
+    "operator": frozenset(dal_scopes.ALL_SCOPES),
+    "ml_engineer": frozenset(dal_scopes.ALL_SCOPES),
+    "mcp": _READ_PROFILE_SCOPES,
+    "agent": frozenset(dal_scopes.ALL_SCOPES),
+}
 _UNRESTRICTED_CLI_PROFILES = frozenset(
     {
         "internal_admin",
@@ -47,6 +64,14 @@ _UNRESTRICTED_CLI_PROFILES = frozenset(
 )
 
 
+def scopes_for_cli_profile(profile: str) -> frozenset[str]:
+    """Resolve one sanctioned CLI profile to its DAL scope set."""
+    resolved = _CLI_PROFILE_SCOPES.get(profile)
+    if resolved is None:
+        raise ValueError(f"Unknown CLI profile: {profile}")
+    return resolved
+
+
 @dataclass(frozen=True)
 class AdminConnectionConfig:
     """Describe the canonical admin connection the ops-plane CLI should prefer.
@@ -281,7 +306,7 @@ async def get_cli_context(
         # Test/CI: wrap local connection in context
         async with _local_connection(settings) as conn:
             await _stamp_cli_session_contract(conn, profile=resolved_profile)
-            ctx = await Context.for_cli_profile(conn, profile=resolved_profile)
+            ctx = Context.for_cli(conn, scopes=scopes_for_cli_profile(resolved_profile))
             yield None, ctx
     else:
         # Development/Production: use infra.Database
@@ -289,7 +314,7 @@ async def get_cli_context(
         try:
             await db.connect()
             await _stamp_cli_session_contract(db.conn, profile=resolved_profile)
-            ctx = await Context.for_cli_profile(db, profile=resolved_profile)
+            ctx = Context.for_cli(db, scopes=scopes_for_cli_profile(resolved_profile))
             yield db, ctx
         finally:
             await db.close()

{buildai_cli-0.3.44 → buildai_cli-0.3.46}/cli/ops_init.py

@@ -34,11 +34,12 @@ def _parse_env(value: str) -> str:
 
 
 def _auth_env_prefix(settings_app_env: object) -> str:
-    if str(settings_app_env) == "production":
+    normalized = str(getattr(settings_app_env, "value", settings_app_env)).strip().lower()
+    if normalized == "production":
         return "PROD"
-    if str(settings_app_env) == "development":
+    if normalized == "development":
         return "DEV"
-    if str(settings_app_env) == "test":
+    if normalized == "test":
         return "DEV"
     return "PREVIEW"
 
@@ -160,6 +161,7 @@ def init_ops_context(ctx: typer.Context):
         os.environ[f"ALLOYDB_RUNTIME_IMPERSONATE_SA_{env_prefix}"] = (
             "engineers-dev-sa@data-470400.iam.gserviceaccount.com"
         )
+        os.environ[f"ALLOYDB_USE_AUTH_PROXY_{env_prefix}"] = "false"
         auth_info.append("impersonate=engineers-dev-sa")
 
     # Reload settings with overrides

{buildai_cli-0.3.44 → buildai_cli-0.3.46}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "buildai-cli"
-version = "0.3.44"
+version = "0.3.46"
 description = "Build AI CLI (Typer)"
 requires-python = ">=3.11"
 dependencies = [