buildai-cli 0.3.48__tar.gz → 0.3.49__tar.gz

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/.gitignore

@@ -29,6 +29,7 @@ node_modules/
 .next/
 .expect/
 out/
+*.tsbuildinfo
 
 # IDE
 .idea/

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: buildai-cli
-Version: 0.3.48
+Version: 0.3.49
 Summary: Build AI CLI (Typer)
 Requires-Python: >=3.11
 Requires-Dist: python-dotenv>=1.0.0

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/cli/commands/db/query.py

@@ -10,7 +10,7 @@ from infra.settings import Settings
 from typing_extensions import Annotated
 
 from cli.console import console, dim, error, show_sql, warning
-from cli.context import get_connection
+from cli.context import get_inspection_connection
 from cli.output import Format, format_option, output
 
 QUERY_HINTS = {
@@ -120,7 +120,7 @@ def query(
         typer.Option("--write", help="Allow write queries (requires internal_admin profile)"),
     ] = False,
 ) -> None:
-    """Execute SQL directly against the selected database lane."""
+    """Execute SQL against the selected database lane in inspection mode."""
 
     settings: Settings = ctx.obj["settings"]
 
@@ -157,7 +157,7 @@ def query(
 
         show_sql(sql)
 
-        async with get_connection(settings) as conn:
+        async with get_inspection_connection(settings) as conn:
             try:
                 if _is_select_query(sql):
                     result = await conn.fetch(sql)

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/cli/commands/db/schema.py

@@ -13,7 +13,7 @@ from rich.table import Table
 from typing_extensions import Annotated
 
 from cli.console import console, success, warning
-from cli.context import get_connection
+from cli.context import get_inspection_connection
 
 app = typer.Typer(
     name="schema",
@@ -23,9 +23,9 @@ app = typer.Typer(
 
 
 def _schema_connection(settings):
-    """Use the normal DB connection path for schema introspection."""
+    """Use the direct inspection connection for schema introspection."""
 
-    return get_connection(settings)
+    return get_inspection_connection(settings)
 
 
 @dataclass

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/cli/commands/db/status.py

@@ -12,7 +12,7 @@ from rich.panel import Panel
 from rich.table import Table
 
 from cli.console import console, error, success, warning
-from cli.context import get_connection
+from cli.context import get_inspection_connection
 
 from .common import DatabaseStatus, get_table_row_count
 
@@ -29,7 +29,7 @@ def status(ctx: typer.Context) -> None:
         )
 
         try:
-            async with get_connection(settings) as conn:
+            async with get_inspection_connection(settings) as conn:
                 status_obj.connected = True
                 migration_audit = await audit_migration_tracking(
                     conn,

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/cli/context.py

@@ -1,19 +1,22 @@
-"""CLI context management for database connections and canonical DAL access.
+"""CLI context management for direct DB inspection and scoped DAL access.
 
-This module provides a unified interface for CLI commands to access the database,
-using infra.Database for AlloyDB (dev/prod) and direct asyncpg for test/CI.
+This module exposes two intentionally different database access modes:
+
+- ``get_inspection_connection()`` for direct operator/developer inspection.
+  This uses the selected DB principal plus one explicit internal inspection
+  session contract so RLS-backed tables stay visible without pretending to be
+  a tenant request.
+- ``get_cli_context()`` for DAL-driven commands that do want the CLI-owned
+  scoped session contract.
 
 Usage:
-    # Simple connection (most commands)
-    async with get_connection(settings) as conn:
+    # Direct DB inspection
+    async with get_inspection_connection(settings) as conn:
         result = await conn.fetch("SELECT 1")
 
     # With canonical DAL context (for commands that use dal functions)
     async with get_cli_context(settings) as (db, ctx):
         datasets = await dal.external.datasets.list_datasets(ctx)
-
-    # For raw SQL commands, use get_connection()
-    # For commands that benefit from dal, use get_cli_context()
 """
 
 import os
@@ -35,6 +38,13 @@ logger = get_logger(__name__)
 # Environment variable to force local PostgreSQL (for test/CI)
 USE_LOCAL_DB = os.getenv("USE_LOCAL_DB", "false").lower() == "true"
 _ZERO_UUID = "00000000-0000-0000-0000-000000000000"
+_EMPTY_SCOPE_IDS = "{}"
+_SCOPE_GUCS = (
+    "app.allowed_organization_ids",
+    "app.allowed_site_ids",
+    "app.allowed_source_ids",
+    "app.allowed_dataset_ids",
+)
 _READ_SUFFIXES = (".read", ".search", ".query", ".introspection")
 _READ_PROFILE_SCOPES = frozenset(
     scope
@@ -87,18 +97,44 @@ class AdminConnectionConfig:
     password: str = ""
 
 
-async def _stamp_cli_session_contract(
+async def _stamp_base_cli_session_contract(
     conn: asyncpg.Connection,
     *,
-    profile: str,
+    unrestricted: bool,
 ) -> None:
-    """Stamp the canonical auth GUC contract for DB-direct CLI sessions."""
-    unrestricted = "true" if profile in _UNRESTRICTED_CLI_PROFILES else "false"
+    """Stamp the common CLI session GUCs and clear all known resource scopes."""
     await conn.execute("SELECT set_config('app.principal_id', $1, false)", _ZERO_UUID)
-    await conn.execute("SELECT set_config('app.unrestricted', $1, false)", unrestricted)
-    await conn.execute("SELECT set_config('app.allowed_organization_ids', $1, false)", "{}")
-    await conn.execute("SELECT set_config('app.allowed_site_ids', $1, false)", "{}")
-    await conn.execute("SELECT set_config('app.allowed_dataset_ids', $1, false)", "{}")
+    await conn.execute(
+        "SELECT set_config('app.unrestricted', $1, false)",
+        "true" if unrestricted else "false",
+    )
+    for setting_name in _SCOPE_GUCS:
+        await conn.execute(
+            f"SELECT set_config('{setting_name}', $1, false)",
+            _EMPTY_SCOPE_IDS,
+        )
+
+
+async def _stamp_internal_inspection_session_contract(conn: asyncpg.Connection) -> None:
+    """Stamp the explicit unrestricted contract for direct CLI inspection work.
+
+    ``buildai db ...`` commands are internal inspection tools, not request-parity
+    emulators. The DB principal still caps what the caller can mutate, while the
+    unrestricted flag ensures RLS-backed tables answer truthfully for reads.
+    """
+    await _stamp_base_cli_session_contract(conn, unrestricted=True)
+
+
+async def _stamp_scoped_cli_session_contract(
+    conn: asyncpg.Connection,
+    *,
+    profile: str,
+) -> None:
+    """Stamp the CLI-owned scoped session contract for DAL-oriented commands."""
+    await _stamp_base_cli_session_contract(
+        conn,
+        unrestricted=profile in _UNRESTRICTED_CLI_PROFILES,
+    )
 
 
 def resolve_admin_connection_config(
@@ -174,15 +210,16 @@ async def open_admin_database(settings: Settings) -> Database:
 
 
 @asynccontextmanager
-async def get_connection(
+async def get_inspection_connection(
     settings: Settings | None = None,
 ) -> AsyncGenerator[asyncpg.Connection, None]:
     """
-    Get a database connection for CLI commands.
+    Get a direct DB inspection connection for CLI commands.
 
-    Handles routing between:
-    - AlloyDB (development/production) - via infra.Database
-    - Local PostgreSQL (test/CI) - direct asyncpg
+    This path is for ``buildai db query/status/schema`` style inspection. It
+    does not emulate request-scoped visibility. Instead it stamps the single
+    explicit internal inspection contract so RLS-backed tables remain visible
+    under the chosen DB principal.
 
     Args:
         settings: Optional Settings instance. Uses cached settings if not provided.
@@ -191,26 +228,23 @@ async def get_connection(
         asyncpg.Connection for executing queries
 
     Usage:
-        async with get_connection(settings) as conn:
+        async with get_inspection_connection(settings) as conn:
             result = await conn.fetch("SELECT 1")
     """
-    from cli.config import resolve_cli_profile
-
     if settings is None:
         settings = get_settings()
-    resolved_profile = resolve_cli_profile()
 
     if USE_LOCAL_DB or settings.is_test:
         # Test/CI: use local PostgreSQL
         async with _local_connection(settings) as conn:
-            await _stamp_cli_session_contract(conn, profile=resolved_profile)
+            await _stamp_internal_inspection_session_contract(conn)
             yield conn
     else:
         # Development/Production: use AlloyDB via infra.Database
         db = Database.from_settings(settings)
         try:
             await db.connect()
-            await _stamp_cli_session_contract(db.conn, profile=resolved_profile)
+            await _stamp_internal_inspection_session_contract(db.conn)
             yield db.conn
         finally:
             await db.close()
@@ -219,8 +253,6 @@ async def get_connection(
 @asynccontextmanager
 async def get_admin_connection(
     settings: Settings | None = None,
-    *,
-    profile: str | None = None,
 ) -> AsyncGenerator[asyncpg.Connection, None]:
     """Get a connection using the canonical admin DB identity for this lane.
 
@@ -228,15 +260,12 @@ async def get_admin_connection(
     deployment profile should decide the DB principal instead of the caller's
     personal IAM mapping.
     """
-    from cli.config import resolve_cli_profile
-
     if settings is None:
         settings = get_settings()
-    resolved_profile = resolve_cli_profile(profile)
 
     db = await open_admin_database(settings)
     try:
-        await _stamp_cli_session_contract(db.conn, profile=resolved_profile)
+        await _stamp_internal_inspection_session_contract(db.conn)
         yield db.conn
     finally:
         await db.close()
@@ -305,7 +334,7 @@ async def get_cli_context(
     if USE_LOCAL_DB or settings.is_test:
         # Test/CI: wrap local connection in context
         async with _local_connection(settings) as conn:
-            await _stamp_cli_session_contract(conn, profile=resolved_profile)
+            await _stamp_scoped_cli_session_contract(conn, profile=resolved_profile)
             ctx = Context.for_cli(conn, scopes=scopes_for_cli_profile(resolved_profile))
             yield None, ctx
     else:
@@ -313,7 +342,7 @@ async def get_cli_context(
         db = Database.from_settings(settings)
         try:
             await db.connect()
-            await _stamp_cli_session_contract(db.conn, profile=resolved_profile)
+            await _stamp_scoped_cli_session_contract(db.conn, profile=resolved_profile)
             ctx = Context.for_cli(db, scopes=scopes_for_cli_profile(resolved_profile))
             yield db, ctx
         finally:

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/cli/main.py

@@ -281,7 +281,12 @@ def db_callback(
     ),
     auth: str = typer.Option(None, "--auth", "-a", help="Auth method: iam or password."),
     user: str = typer.Option(None, "--user", "-u", help="Override database user."),
-    profile: str | None = typer.Option(None, "--profile", "-p", help="CLI scope profile."),
+    profile: str | None = typer.Option(
+        None,
+        "--profile",
+        "-p",
+        help="Auth workflow profile.",
+    ),
     write: bool = typer.Option(False, "--write", help="Allow write operations."),
     verbose: bool = typer.Option(False, "--verbose", "-v", help="Verbose logging."),
 ) -> None:

{buildai_cli-0.3.48 → buildai_cli-0.3.49}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "buildai-cli"
-version = "0.3.48"
+version = "0.3.49"
 description = "Build AI CLI (Typer)"
 requires-python = ">=3.11"
 dependencies = [