buildai-cli 0.3.45__tar.gz → 0.3.47__tar.gz

{buildai_cli-0.3.45 → buildai_cli-0.3.47}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: buildai-cli
-Version: 0.3.45
+Version: 0.3.47
 Summary: Build AI CLI (Typer)
 Requires-Python: >=3.11
 Requires-Dist: python-dotenv>=1.0.0

buildai_cli-0.3.47/cli/auth_proxy.py

@@ -0,0 +1,99 @@
+"""Helpers for the sanctioned local AlloyDB Auth Proxy lane."""
+
+from __future__ import annotations
+
+import os
+import shutil
+import socket
+import subprocess
+import time
+from pathlib import Path
+
+from infra.settings import Settings
+
+
+def _default_proxy_binary() -> str | None:
+    """Return the preferred AlloyDB Auth Proxy binary path if available."""
+
+    on_path = shutil.which("alloydb-auth-proxy")
+    if on_path:
+        return on_path
+    local_bin = Path.home() / ".local" / "bin" / "alloydb-auth-proxy"
+    if local_bin.is_file():
+        return str(local_bin)
+    return None
+
+
+def proxy_is_listening(*, host: str, port: int) -> bool:
+    """Return True when a TCP listener is already present on the proxy endpoint."""
+
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.settimeout(0.25)
+        return sock.connect_ex((host, port)) == 0
+
+
+def ensure_alloydb_auth_proxy(
+    *,
+    settings: Settings,
+    target_service_account: str,
+) -> None:
+    """Start the sanctioned AlloyDB Auth Proxy if it is not already running.
+
+    The engineer DB lane should use one explicit transport path across CLI,
+    `psql`, and desktop tools. If the proxy is already listening, leave it
+    alone. Otherwise start it in the background and wait briefly for the port
+    to come up.
+    """
+
+    if not settings.effective_use_alloydb_auth_proxy:
+        return
+
+    host = settings.alloydb_auth_proxy_host
+    port = settings.effective_alloydb_auth_proxy_port
+    if proxy_is_listening(host=host, port=port):
+        return
+
+    proxy_binary = _default_proxy_binary()
+    if proxy_binary is None:
+        raise RuntimeError(
+            "alloydb-auth-proxy is not installed. Re-run ./scripts/setup.sh to provision "
+            "the canonical local DB transport."
+        )
+
+    if not settings.alloydb_instance_uri:
+        raise RuntimeError(
+            "AlloyDB instance URI is not configured, so the local Auth Proxy cannot start."
+        )
+
+    command = [
+        proxy_binary,
+        settings.alloydb_instance_uri,
+        "--address",
+        host,
+        "--port",
+        str(port),
+        "--auto-iam-authn",
+        f"--impersonate-service-account={target_service_account}",
+        "--disable-built-in-telemetry",
+    ]
+    if not settings.use_private_ip:
+        command.append("--public-ip")
+
+    subprocess.Popen(
+        command,
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.DEVNULL,
+        start_new_session=True,
+        env=os.environ.copy(),
+    )
+
+    deadline = time.monotonic() + 10.0
+    while time.monotonic() < deadline:
+        if proxy_is_listening(host=host, port=port):
+            return
+        time.sleep(0.25)
+
+    raise RuntimeError(
+        f"Timed out waiting for alloydb-auth-proxy on {host}:{port}. "
+        "Run `uv run buildai dev db info` to inspect the expected proxy recipe."
+    )

{buildai_cli-0.3.45 → buildai_cli-0.3.47}/cli/commands/db/migrate.py

@@ -24,6 +24,14 @@ from .common import (
     set_owner_role,
 )
 
+_MIGRATION_WRITE_PROFILES = frozenset(
+    {
+        "internal_admin",
+        "migrations-local",
+        "db-admin-local",
+    }
+)
+
 
 def migrate(
     ctx: typer.Context,
@@ -41,7 +49,11 @@ def migrate(
     """Run the checked-in SQL migrations on the selected DB lane."""
 
     if target is not None and not dry_run:
-        require_write(ctx, "Database migrations")
+        require_write(
+            ctx,
+            "Database migrations",
+            allowed_profiles=_MIGRATION_WRITE_PROFILES,
+        )
     settings: Settings = ctx.obj["settings"]
 
     async def run() -> None:

{buildai_cli-0.3.45 → buildai_cli-0.3.47}/cli/context.py

@@ -22,6 +22,7 @@ from dataclasses import dataclass
 from typing import TYPE_CHECKING, AsyncGenerator
 
 import asyncpg
+from dal import scopes as dal_scopes
 from infra.settings import Settings, get_settings
 
 from infra import Database, get_logger
@@ -34,6 +35,22 @@ logger = get_logger(__name__)
 # Environment variable to force local PostgreSQL (for test/CI)
 USE_LOCAL_DB = os.getenv("USE_LOCAL_DB", "false").lower() == "true"
 _ZERO_UUID = "00000000-0000-0000-0000-000000000000"
+_READ_SUFFIXES = (".read", ".search", ".query", ".introspection")
+_READ_PROFILE_SCOPES = frozenset(
+    scope
+    for scope in dal_scopes.ALL_SCOPES
+    if any(scope.endswith(suffix) for suffix in _READ_SUFFIXES)
+)
+_CLI_PROFILE_SCOPES: dict[str, frozenset[str]] = {
+    "internal_admin": frozenset(dal_scopes.ALL_SCOPES),
+    "internal_viewer": _READ_PROFILE_SCOPES,
+    "engineers-dev": _READ_PROFILE_SCOPES,
+    "developer": frozenset(dal_scopes.ALL_SCOPES),
+    "operator": frozenset(dal_scopes.ALL_SCOPES),
+    "ml_engineer": frozenset(dal_scopes.ALL_SCOPES),
+    "mcp": _READ_PROFILE_SCOPES,
+    "agent": frozenset(dal_scopes.ALL_SCOPES),
+}
 _UNRESTRICTED_CLI_PROFILES = frozenset(
     {
         "internal_admin",
@@ -47,6 +64,14 @@ _UNRESTRICTED_CLI_PROFILES = frozenset(
 )
 
 
+def scopes_for_cli_profile(profile: str) -> frozenset[str]:
+    """Resolve one sanctioned CLI profile to its DAL scope set."""
+    resolved = _CLI_PROFILE_SCOPES.get(profile)
+    if resolved is None:
+        raise ValueError(f"Unknown CLI profile: {profile}")
+    return resolved
+
+
 @dataclass(frozen=True)
 class AdminConnectionConfig:
     """Describe the canonical admin connection the ops-plane CLI should prefer.
@@ -281,7 +306,7 @@ async def get_cli_context(
         # Test/CI: wrap local connection in context
         async with _local_connection(settings) as conn:
             await _stamp_cli_session_contract(conn, profile=resolved_profile)
-            ctx = await Context.for_cli_profile(conn, profile=resolved_profile)
+            ctx = Context.for_cli(conn, scopes=scopes_for_cli_profile(resolved_profile))
             yield None, ctx
     else:
         # Development/Production: use infra.Database
@@ -289,7 +314,7 @@ async def get_cli_context(
         try:
             await db.connect()
             await _stamp_cli_session_contract(db.conn, profile=resolved_profile)
-            ctx = await Context.for_cli_profile(db, profile=resolved_profile)
+            ctx = Context.for_cli(db, scopes=scopes_for_cli_profile(resolved_profile))
             yield db, ctx
         finally:
             await db.close()

{buildai_cli-0.3.45 → buildai_cli-0.3.47}/cli/guard.py

@@ -7,20 +7,28 @@ import typer
 from cli.console import error
 
 
-def require_write(ctx: typer.Context, action: str) -> None:
+def require_write(
+    ctx: typer.Context,
+    action: str,
+    *,
+    allowed_profiles: frozenset[str] | None = None,
+) -> None:
     """
     Enforce --write for mutating commands.
 
     Args:
         ctx: Typer context
         action: Short description of the mutation (for error messages)
+        allowed_profiles: CLI profiles allowed to perform the mutation
     """
     ctx_obj = ctx.obj or {}
     allow_write = ctx_obj.get("allow_write", False)
     if not allow_write:
         error(f"{action} is a write operation. Re-run with --write.")
         raise typer.Exit(1)
-    cli_profile = ctx_obj.get("cli_profile", "internal_viewer")
-    if cli_profile != "internal_admin":
-        error(f"{action} requires --profile internal_admin.")
+    cli_profile = ctx_obj.get("cli_profile") or "internal_viewer"
+    required_profiles = allowed_profiles or frozenset({"internal_admin"})
+    if cli_profile not in required_profiles:
+        profile_list = ", ".join(sorted(required_profiles))
+        error(f"{action} requires one of these profiles: {profile_list}.")
         raise typer.Exit(1)

{buildai_cli-0.3.45 → buildai_cli-0.3.47}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "buildai-cli"
-version = "0.3.45"
+version = "0.3.47"
 description = "Build AI CLI (Typer)"
 requires-python = ">=3.11"
 dependencies = [