buildai-cli 0.3.67__tar.gz → 0.3.69__tar.gz

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/.gitignore

@@ -54,6 +54,7 @@ Thumbs.db
 .vercel
 
 # Local tool state
+.superpowers/
 .entire/
 .codex/config.toml
 .codex-bin/

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/CLAUDE.md

@@ -14,6 +14,8 @@ Typer-based CLI with two modes: standalone (PyPI, API-backed) and workspace (rep
 ```bash
 buildai auth whoami                                  # API auth inspection
 buildai db query "SELECT count(*) FROM core.clips"   # DB-direct
+buildai db --env staging tunnel                      # IAP/SOCKS route for private staging DB
+buildai db --env staging --all-proxy socks5://127.0.0.1:1080 query "SELECT 1"  # staging query
 buildai db broker status                             # Active local DB broker state
 buildai db schema tables                             # Schema introspection
 buildai db schema describe core.clips                # Table details
@@ -31,7 +33,10 @@ buildai db status                                    # Migration status
 - Writes require `--write` flag.
 - Production migrations prompt for confirmation.
 - Worktree app/runtime targeting comes from explicit env vars and the repo Makefile, not a saved CLI context layer.
-- `buildai db --env` selects the explicit DB lane: `production`, `dev`.
+- `buildai db --env` selects the explicit DB lane: `production`, `staging`, `dev`.
+- Staging is private-IP only. Start an IAP/VPN/SOCKS route first, then pass it
+  with `--all-proxy` so the local AlloyDB broker can reach the private address.
+  The standard route is `buildai db --env staging tunnel`.
 
 ## Reference
 

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: buildai-cli
-Version: 0.3.67
+Version: 0.3.69
 Summary: Build AI CLI (Typer)
 Requires-Python: >=3.11
 Requires-Dist: httpx>=0.27.0

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/cli/commands/db/__init__.py

@@ -9,6 +9,7 @@ from . import migrate as migrate_mod
 from . import query as query_mod
 from . import schema as schema_mod
 from . import status as status_mod
+from . import tunnel as tunnel_mod
 
 app = typer.Typer(
     name="db",
@@ -19,5 +20,6 @@ app = typer.Typer(
 app.command("query")(query_mod.query)
 app.command("status")(status_mod.status)
 app.command("migrate")(migrate_mod.migrate)
+app.command("tunnel")(tunnel_mod.tunnel)
 app.add_typer(broker_mod.app, name="broker")
 app.add_typer(schema_mod.app, name="schema")

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/cli/commands/db/common.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import re
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
@@ -20,6 +21,11 @@ MIGRATIONS_SA_DB_USER = "buildai-migrations-sa@data-470400.iam"
 REPO_ROOT = Path(__file__).resolve().parents[5]
 MIGRATIONS_DIR = REPO_ROOT / "migrations"
 MIGRATIONS_TABLE = "public._migrations"
+_NO_TRANSACTION_MARKER = "-- requires-no-transaction: true"
+_CONCURRENT_DDL_PATTERN = re.compile(
+    r"\b(?:CREATE|DROP|REINDEX|REFRESH)\s+(?:MATERIALIZED\s+VIEW\s+)?(?:INDEX|TABLE|VIEW)?\s*CONCURRENTLY\b",
+    flags=re.IGNORECASE,
+)
 
 
 @dataclass
@@ -140,3 +146,133 @@ def migration_requires_system_admin(path: Path) -> bool:
     """Detect migrations that must run with the DB admin connection."""
 
     return "requires-system-admin" in path.read_text(encoding="utf-8", errors="ignore")
+
+
+def migration_requires_manual_apply(path: Path) -> bool:
+    """Detect migrations that must be explicitly selected by an operator."""
+
+    for line in path.read_text(encoding="utf-8", errors="ignore").splitlines()[:10]:
+        if line.strip().lower() == "-- requires-manual-apply: true":
+            return True
+    return False
+
+
+def migration_requires_no_transaction(path: Path, sql: str) -> bool:
+    """Return whether a migration must be executed statement-by-statement."""
+
+    header = "\n".join(sql.splitlines()[:10]).lower()
+    if _NO_TRANSACTION_MARKER in header:
+        return True
+    return _CONCURRENT_DDL_PATTERN.search(sql) is not None
+
+
+def split_sql_statements(sql: str) -> list[str]:
+    """Split SQL into executable statements while respecting quotes and DO blocks."""
+
+    statements: list[str] = []
+    chunk: list[str] = []
+    in_single_quote = False
+    in_double_quote = False
+    in_line_comment = False
+    in_block_comment = False
+    dollar_tag: str | None = None
+    i = 0
+
+    while i < len(sql):
+        char = sql[i]
+        next_char = sql[i + 1] if i + 1 < len(sql) else ""
+
+        if in_line_comment:
+            chunk.append(char)
+            if char == "\n":
+                in_line_comment = False
+            i += 1
+            continue
+
+        if in_block_comment:
+            chunk.append(char)
+            if char == "*" and next_char == "/":
+                chunk.append(next_char)
+                in_block_comment = False
+                i += 2
+            else:
+                i += 1
+            continue
+
+        if dollar_tag is not None:
+            if sql.startswith(dollar_tag, i):
+                chunk.append(dollar_tag)
+                i += len(dollar_tag)
+                dollar_tag = None
+            else:
+                chunk.append(char)
+                i += 1
+            continue
+
+        if in_single_quote:
+            chunk.append(char)
+            if char == "'" and next_char == "'":
+                chunk.append(next_char)
+                i += 2
+                continue
+            if char == "'":
+                in_single_quote = False
+            i += 1
+            continue
+
+        if in_double_quote:
+            chunk.append(char)
+            if char == '"':
+                in_double_quote = False
+            i += 1
+            continue
+
+        if char == "-" and next_char == "-":
+            chunk.append(char)
+            chunk.append(next_char)
+            in_line_comment = True
+            i += 2
+            continue
+
+        if char == "/" and next_char == "*":
+            chunk.append(char)
+            chunk.append(next_char)
+            in_block_comment = True
+            i += 2
+            continue
+
+        if char == "'":
+            chunk.append(char)
+            in_single_quote = True
+            i += 1
+            continue
+
+        if char == '"':
+            chunk.append(char)
+            in_double_quote = True
+            i += 1
+            continue
+
+        if char == "$":
+            match = re.match(r"\$[A-Za-z_][A-Za-z0-9_]*\$|\$\$", sql[i:])
+            if match:
+                dollar_tag = match.group(0)
+                chunk.append(dollar_tag)
+                i += len(dollar_tag)
+                continue
+
+        if char == ";":
+            statement = "".join(chunk).strip()
+            if statement:
+                statements.append(statement)
+            chunk = []
+            i += 1
+            continue
+
+        chunk.append(char)
+        i += 1
+
+    trailing = "".join(chunk).strip()
+    if trailing:
+        statements.append(trailing)
+    return statements

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/cli/commands/db/migrate.py

@@ -20,8 +20,11 @@ from .common import (
     get_migration_status,
     get_migrations_connection,
     migration_label,
+    migration_requires_manual_apply,
+    migration_requires_no_transaction,
     migration_requires_system_admin,
     set_owner_role,
+    split_sql_statements,
 )
 
 _MIGRATION_WRITE_PROFILES = frozenset(
@@ -125,6 +128,17 @@ def migrate(
                 if target == "all"
                 else [f for f in migration_files if target and target in f.name]
             )
+            if target == "all":
+                manual_apply = [f for f in to_run if migration_requires_manual_apply(f)]
+                if manual_apply:
+                    warning(
+                        "Skipping manual-apply migration(s): "
+                        + ", ".join(item.name for item in manual_apply)
+                    )
+                    to_run = [f for f in to_run if f not in manual_apply]
+            elif any(migration_requires_manual_apply(f) for f in to_run):
+                warning("Selected manual-apply migration explicitly; proceeding.")
+
             if not to_run:
                 success("No migrations to run")
                 return
@@ -157,7 +171,11 @@ def migrate(
                     await conn.execute("SET statement_timeout = '0'")
                 else:
                     await conn.execute(f"SET statement_timeout = '{timeout}s'")
-                await conn.execute(sql, timeout=None)
+                if migration_requires_no_transaction(migration, sql):
+                    for statement in split_sql_statements(sql):
+                        await conn.execute(statement, timeout=None)
+                else:
+                    await conn.execute(sql, timeout=None)
                 await conn.execute(
                     f"INSERT INTO {MIGRATIONS_TABLE} (filename) VALUES ($1) ON CONFLICT DO NOTHING",
                     migration.name,

buildai_cli-0.3.69/cli/commands/db/tunnel.py

@@ -0,0 +1,115 @@
+"""IAP tunnel helpers for private-only DB lanes."""
+
+from __future__ import annotations
+
+import shutil
+import subprocess
+
+import typer
+from infra.settings import Settings
+from typing_extensions import Annotated
+
+from cli.console import error, info, warning
+
+
+def _build_iap_socks_command(
+    *,
+    host: str,
+    project: str,
+    zone: str,
+    local_host: str,
+    local_port: int,
+) -> list[str]:
+    """Build the gcloud command that opens one local SOCKS proxy over IAP SSH."""
+
+    return [
+        "gcloud",
+        "compute",
+        "ssh",
+        host,
+        f"--project={project}",
+        f"--zone={zone}",
+        "--tunnel-through-iap",
+        "--",
+        "-N",
+        "-D",
+        f"{local_host}:{local_port}",
+    ]
+
+
+def tunnel(
+    ctx: typer.Context,
+    local_port: Annotated[
+        int,
+        typer.Option(
+            "--local-port",
+            help="Local SOCKS port for the DB auth proxy to use.",
+        ),
+    ] = 1080,
+    local_host: Annotated[
+        str,
+        typer.Option(
+            "--local-host",
+            help="Local bind address for the SOCKS listener.",
+        ),
+    ] = "127.0.0.1",
+    host: Annotated[
+        str,
+        typer.Option(
+            "--host",
+            help="IAP-reachable VM that can route to the private AlloyDB address.",
+        ),
+    ] = "atlas-control-plane",
+    project: Annotated[
+        str | None,
+        typer.Option(
+            "--project",
+            help="GCP project for the tunnel host. Defaults to the active DB settings project.",
+        ),
+    ] = None,
+    zone: Annotated[
+        str,
+        typer.Option(
+            "--zone",
+            help="Compute zone for the tunnel host.",
+        ),
+    ] = "asia-south1-a",
+) -> None:
+    """Open an IAP-backed SOCKS tunnel for private-only DB access.
+
+    Keep this command running in one terminal, then pass
+    ``--all-proxy socks5://127.0.0.1:1080`` to ``buildai db`` commands in
+    another terminal.
+    """
+
+    settings: Settings = ctx.obj["settings"]
+    resolved_project = project or settings.gcp_project_id
+
+    if shutil.which("gcloud") is None:
+        error("gcloud is not installed or not on PATH.")
+        raise typer.Exit(1)
+
+    if not settings.use_private_ip:
+        warning(
+            "The selected DB lane is not configured for private-IP access. "
+            "This tunnel is normally needed only for staging/private lanes."
+        )
+
+    proxy_url = f"socks5://{local_host}:{local_port}"
+    info(f"Opening IAP SOCKS tunnel on {proxy_url}. Stop with Ctrl-C.")
+    info(
+        "In another terminal, run: "
+        f'uv run buildai db --env {settings.app_env.value} --all-proxy {proxy_url} query "SELECT 1"'
+    )
+
+    command = _build_iap_socks_command(
+        host=host,
+        project=resolved_project,
+        zone=zone,
+        local_host=local_host,
+        local_port=local_port,
+    )
+    try:
+        raise typer.Exit(subprocess.run(command, check=False).returncode)
+    except KeyboardInterrupt:
+        raise typer.Exit(130) from None

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/cli/commands/dev.py

@@ -24,6 +24,11 @@ _DEFAULT_DEV_INSTANCE_URI = (
     "instances/buildai-india-dev-primary"
 )
 _DEFAULT_DEV_DATABASE = "buildai_dev"
+_DEFAULT_STAGING_INSTANCE_URI = (
+    "projects/data-470400/locations/asia-south1/clusters/buildai-india-staging/"
+    "instances/buildai-india-staging-primary"
+)
+_DEFAULT_STAGING_DATABASE = "buildai_staging"
 
 
 def _build_proxy_command(
@@ -54,7 +59,9 @@ def _db_info_payload(
     try:
         resolved_env = Environment(env)
     except ValueError as exc:
-        raise typer.BadParameter("Use one of: development, preview, production, test.") from exc
+        raise typer.BadParameter(
+            "Use one of: development, staging, preview, production, test."
+        ) from exc
 
     profile = resolve_sanctioned_profile(profile_name, service=service, environment=env)
     settings = Settings(app_env=resolved_env, execution_context=ExecutionContext.HUMAN)
@@ -69,6 +76,8 @@ def _db_info_payload(
     except RuntimeError:
         if resolved_env == Environment.DEVELOPMENT:
             instance_uri = _DEFAULT_DEV_INSTANCE_URI
+        elif resolved_env == Environment.STAGING:
+            instance_uri = _DEFAULT_STAGING_INSTANCE_URI
         else:
             raise
 
@@ -77,6 +86,8 @@ def _db_info_payload(
     except RuntimeError:
         if resolved_env == Environment.DEVELOPMENT:
             database_name = _DEFAULT_DEV_DATABASE
+        elif resolved_env == Environment.STAGING:
+            database_name = _DEFAULT_STAGING_DATABASE
         else:
             raise
 
@@ -87,6 +98,12 @@ def _db_info_payload(
             "If you are outside its VPC, run the Auth Proxy through an approved "
             "intermediary path such as ALL_PROXY / PSC / VPN."
         )
+    elif resolved_env == Environment.STAGING:
+        private_only_note = (
+            "The staging AlloyDB cluster is private-only. Run "
+            "`buildai db --env staging tunnel`, then pass "
+            "`--all-proxy socks5://127.0.0.1:1080` to staging DB commands."
+        )
 
     proxy_command = _build_proxy_command(
         instance_uri=instance_uri,
@@ -102,6 +119,10 @@ def _db_info_payload(
         "ALLOYDB_AUTH_PROXY_HOST": proxy_host,
         f"ALLOYDB_AUTH_PROXY_PORT_{suffix}": str(proxy_port),
     }
+    if resolved_env == Environment.STAGING:
+        proxy_env["USE_PRIVATE_IP"] = "true"
+    if all_proxy:
+        proxy_env["ALLOYDB_AUTH_PROXY_ALL_PROXY"] = all_proxy
 
     return {
         "profile": profile.name,

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/cli/db_broker.py

@@ -56,6 +56,7 @@ class BrokerConfig:
     host: str
     port: int
     use_private_ip: bool
+    all_proxy: str | None = None
     password: str = ""
 
     @property
@@ -73,6 +74,7 @@ class BrokerConfig:
             "host": self.host,
             "port": self.port,
             "use_private_ip": self.use_private_ip,
+            "all_proxy": self.all_proxy,
         }
         raw = json.dumps(payload, sort_keys=True, separators=(",", ":"))
         return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]
@@ -502,6 +504,10 @@ def _is_matching_proxy_process(process: ListenerProcess, config: BrokerConfig) -
     """Return True when a listener command is the broker this profile needs."""
 
     command = process.command
+    if config.all_proxy:
+        # The proxy transport override is in the child environment, not argv.
+        # Only reuse env-proxied brokers through the machine-global state file.
+        return False
     if not command:
         return False
     executable_name = Path(command[0].strip('"')).name.lower()
@@ -569,6 +575,15 @@ def _proxy_popen_kwargs() -> dict[str, Any]:
     return {"creationflags": creationflags}
 
 
+def _proxy_environment(config: BrokerConfig) -> dict[str, str]:
+    """Return the auth-proxy child environment for this broker config."""
+
+    env = os.environ.copy()
+    if config.all_proxy:
+        env["ALL_PROXY"] = config.all_proxy
+    return env
+
+
 def _recent_broker_log(config: BrokerConfig, *, max_bytes: int = 12000) -> str:
     """Return the recent proxy log text that explains connection resets."""
 
@@ -626,10 +641,16 @@ def _broker_failure_message(config: BrokerConfig, exc: BaseException) -> str:
             "Run `uv run buildai doctor auth` for the exact IAM/auth check."
         )
     elif "tls handshake timeout" in lower_detail or "context deadline exceeded" in lower_detail:
-        lines.append(
-            "Cause: the proxy could not reach Google or AlloyDB before its deadline. "
-            "Check network/VPN connectivity, then retry."
-        )
+        if config.use_private_ip and not config.all_proxy:
+            lines.append(
+                "Cause: this database lane is private-only. Start a VPN/IAP/SOCKS route "
+                "or pass `--all-proxy socks5://HOST:PORT`, then retry."
+            )
+        else:
+            lines.append(
+                "Cause: the proxy could not reach Google or AlloyDB before its deadline. "
+                "Check network/VPN connectivity, then retry."
+            )
     else:
         lines.append(
             "Cause: the local proxy accepted TCP but closed the Postgres startup handshake."
@@ -699,7 +720,7 @@ def ensure_broker(config: BrokerConfig) -> BrokerState:
                 command,
                 stdout=log_file,
                 stderr=log_file,
-                env=os.environ.copy(),
+                env=_proxy_environment(config),
                 **_proxy_popen_kwargs(),
             )
 
@@ -790,6 +811,8 @@ def broker_status(config: BrokerConfig) -> dict[str, Any]:
         "instance_uri": config.instance_uri,
         "host": config.host,
         "port": config.port,
+        "use_private_ip": config.use_private_ip,
+        "all_proxy": config.all_proxy,
         "state_path": str(config.state_path),
         "log_path": state.log_path if state else str(config.log_path),
         "pid": pid,
@@ -831,6 +854,7 @@ def broker_config_for_identity(
         host=settings.alloydb_auth_proxy_host,
         port=_profile_port(settings, profile, db_user=db_user),
         use_private_ip=settings.use_private_ip,
+        all_proxy=(os.getenv("ALLOYDB_AUTH_PROXY_ALL_PROXY") or os.getenv("ALL_PROXY") or None),
         password=password,
     )
 

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/cli/main.py

@@ -289,6 +289,11 @@ def db_callback(
         "-p",
         help="Auth workflow profile.",
     ),
+    all_proxy: str | None = typer.Option(
+        None,
+        "--all-proxy",
+        help="Proxy URL passed to alloydb-auth-proxy for private-only DB lanes.",
+    ),
     write: bool = typer.Option(False, "--write", help="Allow write operations."),
     verbose: bool = typer.Option(False, "--verbose", "-v", help="Verbose logging."),
 ) -> None:
@@ -300,6 +305,7 @@ def db_callback(
     ctx.obj["_env"] = env
     ctx.obj["_auth"] = auth
     ctx.obj["_user"] = user
+    ctx.obj["_all_proxy"] = all_proxy
     ctx.obj["_verbose"] = verbose
     ctx.obj["_ops_ready"] = False
 

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/cli/ops_init.py

@@ -60,6 +60,7 @@ def _apply_default_db_target(*, env_prefix: str) -> None:
         os.environ.setdefault("ALLOYDB_CLUSTER", "buildai-india-staging")
         os.environ.setdefault("ALLOYDB_INSTANCE", "buildai-india-staging-primary")
         os.environ.setdefault("DB_NAME", "buildai_staging")
+        os.environ.setdefault("USE_PRIVATE_IP", "true")
     else:
         os.environ.setdefault("ALLOYDB_CLUSTER", "buildai-india")
         os.environ.setdefault("ALLOYDB_INSTANCE", "buildai-india-primary")
@@ -104,8 +105,12 @@ def init_ops_context(ctx: typer.Context):
     env_flag = ctx.obj.get("_env")
     auth_flag = ctx.obj.get("_auth")
     user_flag = ctx.obj.get("_user")
+    all_proxy_flag = ctx.obj.get("_all_proxy")
     profile = ctx.obj.get("cli_profile") or os.getenv("BUILDAI_CLI_PROFILE") or "engineers-dev"
 
+    if all_proxy_flag:
+        os.environ["ALLOYDB_AUTH_PROXY_ALL_PROXY"] = str(all_proxy_flag)
+
     # --- resolve environment ------------------------------------------------
     if env_flag is not None:
         try:

{buildai_cli-0.3.67 → buildai_cli-0.3.69}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "buildai-cli"
-version = "0.3.67"
+version = "0.3.69"
 description = "Build AI CLI (Typer)"
 requires-python = ">=3.11"
 dependencies = [