buildai-cli 0.3.46__tar.gz → 0.3.47__tar.gz

{buildai_cli-0.3.46 → buildai_cli-0.3.47}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: buildai-cli
-Version: 0.3.46
+Version: 0.3.47
 Summary: Build AI CLI (Typer)
 Requires-Python: >=3.11
 Requires-Dist: python-dotenv>=1.0.0

buildai_cli-0.3.47/cli/auth_proxy.py

@@ -0,0 +1,99 @@
+"""Helpers for the sanctioned local AlloyDB Auth Proxy lane."""
+
+from __future__ import annotations
+
+import os
+import shutil
+import socket
+import subprocess
+import time
+from pathlib import Path
+
+from infra.settings import Settings
+
+
+def _default_proxy_binary() -> str | None:
+    """Return the preferred AlloyDB Auth Proxy binary path if available."""
+
+    on_path = shutil.which("alloydb-auth-proxy")
+    if on_path:
+        return on_path
+    local_bin = Path.home() / ".local" / "bin" / "alloydb-auth-proxy"
+    if local_bin.is_file():
+        return str(local_bin)
+    return None
+
+
+def proxy_is_listening(*, host: str, port: int) -> bool:
+    """Return True when a TCP listener is already present on the proxy endpoint."""
+
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.settimeout(0.25)
+        return sock.connect_ex((host, port)) == 0
+
+
+def ensure_alloydb_auth_proxy(
+    *,
+    settings: Settings,
+    target_service_account: str,
+) -> None:
+    """Start the sanctioned AlloyDB Auth Proxy if it is not already running.
+
+    The engineer DB lane should use one explicit transport path across CLI,
+    `psql`, and desktop tools. If the proxy is already listening, leave it
+    alone. Otherwise start it in the background and wait briefly for the port
+    to come up.
+    """
+
+    if not settings.effective_use_alloydb_auth_proxy:
+        return
+
+    host = settings.alloydb_auth_proxy_host
+    port = settings.effective_alloydb_auth_proxy_port
+    if proxy_is_listening(host=host, port=port):
+        return
+
+    proxy_binary = _default_proxy_binary()
+    if proxy_binary is None:
+        raise RuntimeError(
+            "alloydb-auth-proxy is not installed. Re-run ./scripts/setup.sh to provision "
+            "the canonical local DB transport."
+        )
+
+    if not settings.alloydb_instance_uri:
+        raise RuntimeError(
+            "AlloyDB instance URI is not configured, so the local Auth Proxy cannot start."
+        )
+
+    command = [
+        proxy_binary,
+        settings.alloydb_instance_uri,
+        "--address",
+        host,
+        "--port",
+        str(port),
+        "--auto-iam-authn",
+        f"--impersonate-service-account={target_service_account}",
+        "--disable-built-in-telemetry",
+    ]
+    if not settings.use_private_ip:
+        command.append("--public-ip")
+
+    subprocess.Popen(
+        command,
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.DEVNULL,
+        start_new_session=True,
+        env=os.environ.copy(),
+    )
+
+    deadline = time.monotonic() + 10.0
+    while time.monotonic() < deadline:
+        if proxy_is_listening(host=host, port=port):
+            return
+        time.sleep(0.25)
+
+    raise RuntimeError(
+        f"Timed out waiting for alloydb-auth-proxy on {host}:{port}. "
+        "Run `uv run buildai dev db info` to inspect the expected proxy recipe."
+    )

{buildai_cli-0.3.46 → buildai_cli-0.3.47}/cli/commands/db/migrate.py

@@ -24,6 +24,14 @@ from .common import (
     set_owner_role,
 )
 
+_MIGRATION_WRITE_PROFILES = frozenset(
+    {
+        "internal_admin",
+        "migrations-local",
+        "db-admin-local",
+    }
+)
+
 
 def migrate(
     ctx: typer.Context,
@@ -41,7 +49,11 @@ def migrate(
     """Run the checked-in SQL migrations on the selected DB lane."""
 
     if target is not None and not dry_run:
-        require_write(ctx, "Database migrations")
+        require_write(
+            ctx,
+            "Database migrations",
+            allowed_profiles=_MIGRATION_WRITE_PROFILES,
+        )
     settings: Settings = ctx.obj["settings"]
 
     async def run() -> None:

{buildai_cli-0.3.46 → buildai_cli-0.3.47}/cli/guard.py

@@ -7,20 +7,28 @@ import typer
 from cli.console import error
 
 
-def require_write(ctx: typer.Context, action: str) -> None:
+def require_write(
+    ctx: typer.Context,
+    action: str,
+    *,
+    allowed_profiles: frozenset[str] | None = None,
+) -> None:
     """
     Enforce --write for mutating commands.
 
     Args:
         ctx: Typer context
         action: Short description of the mutation (for error messages)
+        allowed_profiles: CLI profiles allowed to perform the mutation
     """
     ctx_obj = ctx.obj or {}
     allow_write = ctx_obj.get("allow_write", False)
     if not allow_write:
         error(f"{action} is a write operation. Re-run with --write.")
         raise typer.Exit(1)
-    cli_profile = ctx_obj.get("cli_profile", "internal_viewer")
-    if cli_profile != "internal_admin":
-        error(f"{action} requires --profile internal_admin.")
+    cli_profile = ctx_obj.get("cli_profile") or "internal_viewer"
+    required_profiles = allowed_profiles or frozenset({"internal_admin"})
+    if cli_profile not in required_profiles:
+        profile_list = ", ".join(sorted(required_profiles))
+        error(f"{action} requires one of these profiles: {profile_list}.")
         raise typer.Exit(1)

{buildai_cli-0.3.46 → buildai_cli-0.3.47}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "buildai-cli"
-version = "0.3.46"
+version = "0.3.47"
 description = "Build AI CLI (Typer)"
 requires-python = ">=3.11"
 dependencies = [