cloudcap-cli 0.1.1__py3-none-any.whl

cloudcap/__init__.py

@@ -0,0 +1,3 @@
+"""CloudCap terminal client (HTTP API)."""
+
+__version__ = "0.1.1"

cloudcap/__main__.py

@@ -0,0 +1,4 @@
+from cloudcap.cli import main
+
+if __name__ == "__main__":
+    raise SystemExit(main())

cloudcap/cli.py

@@ -0,0 +1,1090 @@
+"""
+CloudCap CLI — terminal-first workflow against the HTTP API.
+
+Config: ~/.cloudcap/config.json (mode 0600): url, token, org_id, environment_id.
+Override with CLOUDCAP_URL, CLOUDCAP_TOKEN, CLOUDCAP_ORG_ID, CLOUDCAP_ENV_ID.
+"""
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import sys
+from pathlib import Path
+from typing import Any
+from uuid import UUID
+
+import httpx
+
+from cloudcap import __version__
+
+CONFIG_DIR = Path.home() / ".cloudcap"
+CONFIG_PATH = CONFIG_DIR / "config.json"
+
+
+def _wants_json(args: argparse.Namespace) -> bool:
+    return getattr(args, "cli_output", "text") == "json"
+
+
+def _dump_json(obj: Any, *, compact: bool) -> str:
+    if compact:
+        return json.dumps(obj, separators=(",", ":"), default=str)
+    return json.dumps(obj, indent=2, default=str)
+
+
+def _stdout_json(obj: Any) -> None:
+    print(_dump_json(obj, compact=True))
+
+
+def _load_config() -> dict[str, Any]:
+    if not CONFIG_PATH.is_file():
+        return {}
+    try:
+        return json.loads(CONFIG_PATH.read_text(encoding="utf-8"))
+    except json.JSONDecodeError:
+        return {}
+
+
+def _save_config(cfg: dict[str, Any]) -> None:
+    CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+    CONFIG_PATH.write_text(json.dumps(cfg, indent=2), encoding="utf-8")
+    try:
+        os.chmod(CONFIG_PATH, 0o600)
+    except OSError:
+        pass
+
+
+def _client() -> tuple[httpx.Client, dict[str, Any]]:
+    cfg = _load_config()
+    base = (cfg.get("url") or os.environ.get("CLOUDCAP_URL") or "http://localhost:8000/v1").rstrip("/")
+    token = cfg.get("token") or os.environ.get("CLOUDCAP_TOKEN") or ""
+    headers = {}
+    if token:
+        headers["Authorization"] = f"Bearer {token}"
+    return httpx.Client(base_url=base, headers=headers, timeout=120.0), cfg
+
+
+def cmd_login(args: argparse.Namespace) -> int:
+    base = (args.url or os.environ.get("CLOUDCAP_URL") or "http://localhost:8000/v1").rstrip("/")
+    want_json = _wants_json(args)
+    if getattr(args, "employee", False):
+        slug = (args.org_slug or "").strip()
+        email = (args.email or "").strip()
+        if not slug or not email:
+            print("Employee login requires --org-slug and --email", file=sys.stderr)
+            return 1
+        r = httpx.post(
+            f"{base}/login/employee",
+            json={"org_slug": slug, "email": email},
+            timeout=30.0,
+        )
+        if r.status_code != 200:
+            try:
+                detail = r.json().get("detail")
+            except Exception:
+                detail = r.text
+            print(f"Employee login failed ({r.status_code}): {detail}", file=sys.stderr)
+            return 1
+        data = r.json()
+        token = data.get("token")
+        org_id = data.get("org_id")
+        if not token:
+            print("Login returned no token", file=sys.stderr)
+            return 1
+        cfg = _load_config()
+        cfg.update({"url": base, "token": token, "org_id": org_id})
+        _save_config(cfg)
+        if want_json:
+            _stdout_json(
+                {
+                    "ok": True,
+                    "mode": "employee",
+                    "config_path": str(CONFIG_PATH),
+                    "org_id": str(org_id) if org_id else None,
+                    "email": email,
+                }
+            )
+        else:
+            print(f"Logged in as {email} (employee session). org_id={org_id}")
+            print(f"Config written to {CONFIG_PATH}")
+        return 0
+    if args.demo:
+        r = httpx.post(f"{base}/demo/session/start", json={}, timeout=30.0)
+        r.raise_for_status()
+        data = r.json()
+        token = data.get("token")
+        org_id = data.get("org_id")
+        if not token:
+            print("Demo session returned no token", file=sys.stderr)
+            return 1
+        cfg = _load_config()
+        cfg.update({"url": base, "token": token, "org_id": org_id})
+        _save_config(cfg)
+        if want_json:
+            _stdout_json(
+                {
+                    "ok": True,
+                    "mode": "demo",
+                    "config_path": str(CONFIG_PATH),
+                    "org_id": str(org_id) if org_id else None,
+                }
+            )
+        else:
+            print(f"Logged in (demo). org_id={org_id}")
+            print(f"Config written to {CONFIG_PATH}")
+        return 0
+    if not args.token:
+        print("Provide --demo or --token", file=sys.stderr)
+        return 1
+    cfg = _load_config()
+    cfg.update({"url": base, "token": args.token.strip()})
+    if args.org_id:
+        cfg["org_id"] = args.org_id.strip()
+    _save_config(cfg)
+    probe = httpx.Client(base_url=base, headers={"Authorization": f"Bearer {args.token.strip()}"}, timeout=30.0)
+    try:
+        check = probe.get("/auth/me")
+    finally:
+        probe.close()
+    if check.status_code == 401:
+        print("Login failed: invalid or expired CloudCap credentials.", file=sys.stderr)
+        return 1
+    if check.status_code != 200:
+        if check.status_code >= 500:
+            print("Login failed: server error while verifying token.", file=sys.stderr)
+        else:
+            try:
+                body = check.json()
+                detail = body.get("detail")
+                if isinstance(detail, str):
+                    print(f"Login failed: {detail}", file=sys.stderr)
+                else:
+                    print("Login failed: invalid or rejected credentials.", file=sys.stderr)
+            except Exception:
+                print("Login failed: invalid or rejected credentials.", file=sys.stderr)
+        return 1
+    if want_json:
+        _stdout_json({"ok": True, "mode": "token", "config_path": str(CONFIG_PATH)})
+    else:
+        print(f"Token verified. Config: {CONFIG_PATH}")
+    return 0
+
+
+def cmd_whoami(args: argparse.Namespace) -> int:
+    client, cfg = _client()
+    r = client.get("/auth/me")
+    if r.status_code != 200:
+        if r.status_code == 401:
+            print("Invalid or expired CloudCap credentials.", file=sys.stderr)
+        else:
+            print(r.text, file=sys.stderr)
+        return 1
+    me = r.json()
+    if isinstance(me, dict):
+        org_raw = me.get("org_id")
+        if not org_raw:
+            org_raw = cfg.get("org_id") or os.environ.get("CLOUDCAP_ORG_ID")
+        if org_raw:
+            try:
+                ro = client.get(
+                    "/onboarding/operator-aws-readiness",
+                    params={"organization_id": str(org_raw).strip()},
+                )
+                if ro.status_code == 200:
+                    data = ro.json()
+                    if isinstance(data, dict):
+                        me["operator_aws_readiness"] = {
+                            "ready": data.get("ready"),
+                            "reasons": data.get("reasons") or [],
+                        }
+            except (OSError, ValueError, TypeError):
+                pass
+    print(_dump_json(me, compact=_wants_json(args)))
+    return 0
+
+
+def cmd_savings_list(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    r = client.get("/savings/events")
+    if r.status_code != 200:
+        _print_api_error(r)
+        return 1
+    print(_dump_json(r.json(), compact=_wants_json(args)))
+    return 0
+
+
+def cmd_savings_show(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    eid = str(args.event_id).strip()
+    r = client.get(f"/savings/events/{eid}")
+    if r.status_code != 200:
+        _print_api_error(r)
+        return 1
+    print(_dump_json(r.json(), compact=_wants_json(args)))
+    return 0
+
+
+def cmd_savings_breakdown(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    eid = str(args.event_id).strip()
+    ev = client.get(f"/savings/events/{eid}")
+    if ev.status_code != 200:
+        _print_api_error(ev)
+        return 1
+    sm = client.get(f"/savings/events/{eid}/samples", params={"limit": 500})
+    if sm.status_code != 200:
+        _print_api_error(sm)
+        return 1
+    body = {"event": ev.json(), "samples": sm.json()}
+    print(_dump_json(body, compact=_wants_json(args)))
+    return 0
+
+
+def cmd_savings_download(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    eid = str(args.event_id).strip()
+    ev = client.get(f"/savings/events/{eid}")
+    pr = client.get(f"/savings/events/{eid}/proofs")
+    sm = client.get(f"/savings/events/{eid}/samples", params={"limit": 2000})
+    if ev.status_code != 200 or pr.status_code != 200 or sm.status_code != 200:
+        for label, resp in (("event", ev), ("proofs", pr), ("samples", sm)):
+            if resp.status_code != 200:
+                print(f"{label}:", file=sys.stderr)
+                _print_api_error(resp)
+        return 1
+    bundle = {"event": ev.json(), "proofs": pr.json(), "samples": sm.json()}
+    text = _dump_json(bundle, compact=False)
+    out_file = (getattr(args, "output_file", None) or "").strip()
+    if out_file:
+        Path(out_file).write_text(text, encoding="utf-8")
+        if _wants_json(args):
+            _stdout_json({"ok": True, "path": str(Path(out_file).resolve())})
+        else:
+            print(f"Wrote {out_file}")
+    else:
+        print(_dump_json(bundle, compact=_wants_json(args)))
+    return 0
+
+
+def cmd_pipeline_status(args: argparse.Namespace) -> int:
+    run_id = (getattr(args, "run_id", None) or args.run_id_opt or "").strip()
+    if not run_id:
+        print("Provide RUN_ID or --run-id", file=sys.stderr)
+        return 1
+    client, _ = _client()
+    rd = client.get(f"/pipeline/runs/{run_id}/detail")
+    if rd.status_code == 401:
+        print("Invalid or expired CloudCap credentials.", file=sys.stderr)
+        return 1
+    if rd.status_code != 200:
+        _print_api_error(rd)
+        return 1
+    detail = rd.json()
+    er = detail.get("execution_readiness") or {}
+    tr = client.get("/system/terraform-runtime")
+    if tr.status_code == 200:
+        tf_body: dict[str, Any] = tr.json() if isinstance(tr.json(), dict) else {}
+    else:
+        tf_body = {"http_error": tr.status_code, "body": (tr.text or "")[:500]}
+
+    as_json = _wants_json(args) or getattr(args, "emit_json", False)
+    if as_json:
+        out: dict[str, Any] = {
+            "pipeline_run_id": run_id,
+            "execution_readiness": er,
+            "terraform_runtime": tf_body,
+        }
+        ss = client.get("/health/system-status/detailed")
+        if ss.status_code == 200 and isinstance(ss.json(), dict):
+            out["system_status_operator_execution"] = (ss.json() or {}).get("operator_execution")
+        print(_dump_json(out, compact=_wants_json(args)))
+        return 0
+
+    print(f"Pipeline run {run_id}")
+    print(f"  can_apply_backend_terraform: {er.get('can_apply_backend_terraform')}")
+    print(f"  backend_apply_globally_configured: {er.get('backend_apply_globally_configured')}")
+    print(f"  pipeline_execution_mode: {er.get('pipeline_execution_mode')}")
+    print(
+        "  plan_binary / workspace / bundle_consistent: "
+        f"{er.get('terraform_plan_binary_present')} / {er.get('terraform_workspace_zip_present')} / {er.get('terraform_deploy_bundle_consistent')}"
+    )
+    blockers = er.get("blockers") or []
+    if blockers:
+        print("  Blockers:")
+        for b in blockers:
+            code = b.get("code")
+            msg = b.get("message")
+            print(f"    - [{code}] {msg}")
+            rem = b.get("remediation")
+            if rem:
+                print(f"      → {rem}")
+    else:
+        print("  Blockers: (none)")
+
+    print("Terraform runtime (GET …/system/terraform-runtime):")
+    print(
+        f"  terraform_available: {tf_body.get('terraform_available')}  "
+        f"terraform_version_ok: {tf_body.get('terraform_version_ok')}  "
+        f"workdir_writable: {tf_body.get('workdir_writable')}"
+    )
+    if tf_body.get("terraform_version_line"):
+        print(f"  version: {tf_body.get('terraform_version_line')}")
+
+    ss = client.get("/health/system-status/detailed")
+    if ss.status_code == 200 and isinstance(ss.json(), dict):
+        oe = (ss.json() or {}).get("operator_execution") or {}
+        if oe:
+            print("System operator_execution (GET …/health/system-status/detailed):")
+            print(f"  backend_apply_globally_configured: {oe.get('backend_apply_globally_configured')}")
+            print(f"  pipeline_execution_mode: {oe.get('pipeline_execution_mode')}")
+    return 0
+
+
+def cmd_context_set(args: argparse.Namespace) -> int:
+    cfg = _load_config()
+    if args.org_id:
+        cfg["org_id"] = args.org_id.strip()
+    if args.environment_id:
+        cfg["environment_id"] = args.environment_id.strip()
+    _save_config(cfg)
+    payload = {k: cfg.get(k) for k in ("url", "org_id", "environment_id")}
+    print(_dump_json(payload, compact=_wants_json(args)))
+    return 0
+
+
+def cmd_context_show(args: argparse.Namespace) -> int:
+    cfg = _load_config()
+    print(_dump_json(cfg, compact=_wants_json(args)))
+    return 0
+
+
+def _require_org(cfg: dict[str, Any]) -> UUID:
+    raw = cfg.get("org_id") or os.environ.get("CLOUDCAP_ORG_ID")
+    if not raw:
+        print("Set org via cloudcap context set --org-id ... or CLOUDCAP_ORG_ID", file=sys.stderr)
+        raise SystemExit(1)
+    return UUID(str(raw))
+
+
+def _resolve_org_id(client: httpx.Client, cfg: dict[str, Any]) -> UUID:
+    try:
+        r = client.get("/auth/me")
+        if r.status_code == 200:
+            data = r.json()
+            raw = data.get("org_id")
+            if raw:
+                return UUID(str(raw))
+    except (ValueError, TypeError):
+        pass
+    return _require_org(cfg)
+
+
+def _print_api_error(response: httpx.Response) -> None:
+    print(f"HTTP {response.status_code}", file=sys.stderr)
+    try:
+        err = response.json()
+        detail = err.get("detail")
+        if isinstance(detail, str):
+            print(detail, file=sys.stderr)
+            return
+        if isinstance(detail, list):
+            for item in detail:
+                if isinstance(item, dict) and item.get("msg"):
+                    loc = item.get("loc") or ()
+                    prefix = f"{' '.join(str(x) for x in loc)}: " if loc else ""
+                    print(f"{prefix}{item['msg']}", file=sys.stderr)
+                else:
+                    print(item, file=sys.stderr)
+            return
+    except Exception:
+        pass
+    print(response.text, file=sys.stderr)
+
+
+def _check_operator_aws_readiness(client: httpx.Client, org_id: UUID) -> None:
+    r = client.get(
+        "/onboarding/operator-aws-readiness",
+        params={"organization_id": str(org_id)},
+    )
+    if r.status_code != 200:
+        print(r.text, file=sys.stderr)
+        raise SystemExit(1)
+    data = r.json()
+    if not isinstance(data, dict):
+        print(f"Unexpected operator-aws-readiness response (expected object): {data!r}", file=sys.stderr)
+        raise SystemExit(1)
+    if not data.get("ready"):
+        print(
+            "AWS operator onboarding is not complete for this organization. "
+            "In the web app, add a cloud account with encrypted operator credentials and region, then retry.",
+            file=sys.stderr,
+        )
+        for reason in data.get("reasons") or []:
+            print(f"  - {reason}", file=sys.stderr)
+        raise SystemExit(1)
+
+
+def _evaluate_hints(out: dict[str, Any]) -> list[str]:
+    hints: list[str] = []
+    dep = out.get("deploy_eligible")
+    ev_only = out.get("terraform_evaluate_only")
+    bcons = out.get("terraform_deploy_bundle_consistent")
+    if dep:
+        hints.append(
+            "Run is deploy-capable: use cloudcap deploy after approval (if required)."
+        )
+    elif ev_only:
+        hints.append(
+            "Evaluate-only run: add --plan-binary and --workspace-zip for deploy-capable run (see docs/pipeline-cli.md)."
+        )
+    elif bcons is False:
+        hints.append(
+            "Deploy bundle incomplete: workspace zip must include .terraform.lock.hcl next to main.tf, or fix artifact consistency."
+        )
+    return hints
+
+
+def cmd_evaluate(args: argparse.Namespace) -> int:
+    want_json = _wants_json(args)
+    client, cfg = _client()
+    org_id = _resolve_org_id(client, cfg)
+    _check_operator_aws_readiness(client, org_id)
+    plan_path = Path(args.plan)
+    if not plan_path.is_file():
+        print(f"Not found: {plan_path}", file=sys.stderr)
+        return 1
+
+    env_id = args.environment_id or cfg.get("environment_id") or os.environ.get("CLOUDCAP_ENV_ID")
+    cloud_account_id = args.cloud_account_id or cfg.get("cloud_account_id")
+
+    body: dict[str, Any] = {
+        "organization_id": str(org_id),
+        "source": "cli",
+    }
+    if env_id:
+        body["environment_id"] = str(env_id).strip()
+    if cloud_account_id:
+        body["cloud_account_id"] = str(cloud_account_id).strip()
+
+    r = client.post("/pipeline/runs", json=body)
+    if r.status_code != 201:
+        print(r.text, file=sys.stderr)
+        return 1
+    run = r.json()
+    run_id = run["id"]
+    log: list[str] = []
+    if not want_json:
+        print(f"Run {run_id} created")
+
+    mime = "application/json" if plan_path.suffix.lower() == ".json" else "application/octet-stream"
+    art_type = "terraform_plan_json" if "json" in plan_path.suffix.lower() else "terraform_plan_binary"
+    files = {"file": (plan_path.name, plan_path.read_bytes(), mime)}
+    data = {"artifact_type": art_type, "metadata_json": "{}"}
+    r2 = client.post(f"/pipeline/runs/{run_id}/artifacts", data=data, files=files)
+    if r2.status_code != 200:
+        print(r2.text, file=sys.stderr)
+        return 1
+    if not want_json:
+        print("Artifact uploaded")
+
+    eval_body: dict[str, Any] = {"region": args.region, "requested_by": "cloudcap-cli"}
+    if args.environment_id:
+        eval_body["environment_id"] = str(args.environment_id).strip()
+    if getattr(args, "workload_id", None):
+        eval_body["workload_id"] = str(args.workload_id).strip()
+    plan_binary = getattr(args, "plan_binary", None)
+    if plan_binary:
+        pb = Path(plan_binary)
+        if not pb.is_file():
+            print(f"Not found: {pb}", file=sys.stderr)
+            return 1
+        files_b = {"file": (pb.name, pb.read_bytes(), "application/octet-stream")}
+        data_b = {"artifact_type": "terraform_plan_binary", "metadata_json": "{}"}
+        r2b = client.post(f"/pipeline/runs/{run_id}/artifacts", data=data_b, files=files_b)
+        if r2b.status_code != 200:
+            _print_api_error(r2b)
+            return 1
+        if not want_json:
+            print("Binary plan artifact uploaded")
+
+    workspace_zip = getattr(args, "workspace_zip", None)
+    if workspace_zip:
+        wz = Path(workspace_zip)
+        if not wz.is_file():
+            print(f"Not found: {wz}", file=sys.stderr)
+            return 1
+        files_w = {"file": (wz.name, wz.read_bytes(), "application/zip")}
+        data_w = {"artifact_type": "terraform_workspace_zip", "metadata_json": "{}"}
+        rw = client.post(f"/pipeline/runs/{run_id}/artifacts", data=data_w, files=files_w)
+        if rw.status_code != 200:
+            _print_api_error(rw)
+            return 1
+        if not want_json:
+            print("Terraform workspace zip uploaded (main.tf + .terraform.lock.hcl)", file=sys.stderr)
+
+    r3 = client.post(f"/pipeline/runs/{run_id}/evaluate", json=eval_body)
+    if r3.status_code != 200:
+        _print_api_error(r3)
+        return 1
+    out = r3.json()
+    hints = _evaluate_hints(out) if isinstance(out, dict) else []
+
+    if want_json:
+        payload: dict[str, Any] = {
+            "pipeline_run_id": run_id,
+            "evaluation": out,
+            "hints": hints,
+        }
+        _stdout_json(payload)
+    else:
+        print(json.dumps(out, indent=2))
+        print("", file=sys.stderr)
+        for h in hints:
+            print(h, file=sys.stderr)
+    return 0
+
+
+def cmd_deploy(args: argparse.Namespace) -> int:
+    want_json = _wants_json(args)
+    client, cfg = _client()
+    org_id = _resolve_org_id(client, cfg)
+    _check_operator_aws_readiness(client, org_id)
+    run_id = (args.run_id_opt or args.run_id_arg or "").strip()
+    if not run_id:
+        print(
+            "cloudcap deploy: error: RUN_ID (positional) or --run-id is required",
+            file=sys.stderr,
+        )
+        return 2
+
+    messages: list[str] = []
+
+    r0 = client.get(f"/pipeline/runs/{run_id}")
+    if r0.status_code != 200:
+        _print_api_error(r0)
+        return 1
+    run_data = r0.json()
+
+    plan_binary = getattr(args, "plan_binary", None)
+    if plan_binary:
+        pb = Path(plan_binary)
+        if not pb.is_file():
+            print(f"Not found: {pb}", file=sys.stderr)
+            return 1
+        if not run_data.get("terraform_plan_binary_present"):
+            files_b = {"file": (pb.name, pb.read_bytes(), "application/octet-stream")}
+            data_b = {"artifact_type": "terraform_plan_binary", "metadata_json": "{}"}
+            r_up = client.post(f"/pipeline/runs/{run_id}/artifacts", data=data_b, files=files_b)
+            if r_up.status_code != 200:
+                _print_api_error(r_up)
+                return 1
+            messages.append("Binary plan artifact uploaded")
+        else:
+            messages.append("Run already has a Terraform plan binary; skipped --plan-binary upload.")
+
+    workspace_zip = getattr(args, "workspace_zip", None)
+    if workspace_zip:
+        wz = Path(workspace_zip)
+        if not wz.is_file():
+            print(f"Not found: {wz}", file=sys.stderr)
+            return 1
+        r0w = client.get(f"/pipeline/runs/{run_id}")
+        if r0w.status_code != 200:
+            _print_api_error(r0w)
+            return 1
+        wd = r0w.json()
+        if not wd.get("terraform_workspace_zip_present"):
+            files_w = {"file": (wz.name, wz.read_bytes(), "application/zip")}
+            data_w = {"artifact_type": "terraform_workspace_zip", "metadata_json": "{}"}
+            r_upw = client.post(f"/pipeline/runs/{run_id}/artifacts", data=data_w, files=files_w)
+            if r_upw.status_code != 200:
+                _print_api_error(r_upw)
+                return 1
+            messages.append("Terraform workspace zip uploaded")
+        else:
+            messages.append("Run already has terraform_workspace_zip; skipped --workspace-zip upload.")
+
+    r0b = client.get(f"/pipeline/runs/{run_id}")
+    if r0b.status_code == 200:
+        rd = r0b.json()
+        if not rd.get("terraform_plan_binary_present"):
+            messages.append(
+                "This run has no binary Terraform plan — upload with cloudcap deploy --plan-binary if needed."
+            )
+        elif not rd.get("deploy_eligible"):
+            if rd.get("terraform_plan_binary_present") and not rd.get("terraform_workspace_zip_present"):
+                messages.append("Terraform workspace zip required for backend apply — use --workspace-zip.")
+            else:
+                messages.append(
+                    "Deploy not eligible yet (approval, policy, or execution settings). See GET /pipeline/runs/{id}."
+                )
+
+    r = client.post(f"/pipeline/runs/{run_id}/apply")
+    if r.status_code != 200:
+        _print_api_error(r)
+        if r.status_code >= 500:
+            print(
+                "If this persists, check API logs (e.g. docker compose logs backend --tail=80) for the traceback.",
+                file=sys.stderr,
+            )
+        return 1
+    apply_body = r.json()
+    exit_code = 0
+    detail_json: Any = None
+    rd = client.get(f"/pipeline/runs/{run_id}/detail")
+    if rd.status_code != 200:
+        messages.append(f"Could not GET /pipeline/runs/{run_id}/detail (HTTP {rd.status_code}).")
+    else:
+        detail_json = rd.json()
+        exs = detail_json.get("executions") or []
+        ui = detail_json.get("execution_ui_status")
+        if exs:
+            last = exs[-1]
+            st = last.get("status")
+            messages.append(f"Terraform execution: status={st} ui={ui}")
+            fr = (last.get("failure_reason") or "").strip()
+            fc = (last.get("metadata_json") or {}).get("failure_code")
+            if st in ("failed", "blocked") and fr:
+                if fc:
+                    messages.append(f"Terraform failure code: {fc}")
+                clipped = fr if len(fr) <= 8000 else fr[:8000] + "\n… (truncated; see GET …/detail)"
+                messages.append(f"Terraform failure: {clipped}")
+            if st in ("failed", "blocked"):
+                exit_code = 1
+        else:
+            base = str(client.base_url).rstrip("/")
+            messages.append(
+                "Warning: no terraform execution rows for this run. "
+                f"CLOUDCAP_URL should include /v1 (this CLI uses {base})."
+            )
+
+    if want_json:
+        _stdout_json(
+            {
+                "pipeline_run_id": run_id,
+                "apply_response": apply_body,
+                "detail": detail_json,
+                "messages": messages,
+                "exit_code": exit_code,
+            }
+        )
+    else:
+        print(json.dumps(apply_body, indent=2))
+        for m in messages:
+            print(m, file=sys.stderr)
+    return exit_code
+
+
+def cmd_optimize_list(args: argparse.Namespace) -> int:
+    client, cfg = _client()
+    rid = args.run_id.strip()
+    params: dict[str, Any] = {"context_type": "pipeline", "context_id": rid}
+    if cfg.get("org_id"):
+        params["org_id"] = str(cfg["org_id"]).strip()
+    r = client.get("/optimization/techniques", params=params)
+    if r.status_code == 404:
+        print("Run not found or no access.", file=sys.stderr)
+        return 1
+    if r.status_code != 200:
+        print(r.text, file=sys.stderr)
+        return 1
+    rows = r.json()
+    if not rows:
+        if _wants_json(args):
+            _stdout_json([])
+        else:
+            print("No recommendations for this run.")
+        return 0
+    if _wants_json(args):
+        _stdout_json(rows)
+        return 0
+    for i, t in enumerate(rows, start=1):
+        if not isinstance(t, dict):
+            continue
+        print(
+            f"{i}.\t{t.get('id')}\t{t.get('technique_id')}\t"
+            f"${float(t.get('estimated_monthly_savings') or 0):,.2f}/mo\t"
+            f"estimate={t.get('estimate_type') or 'n/a'}\t"
+            f"approval={'yes' if t.get('requires_approval') else 'no'}\t"
+            f"{t.get('title', '')[:60]}"
+        )
+    return 0
+
+
+def cmd_optimize_show(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    rid = args.run_id.strip()
+    ref = args.recommendation.strip()
+    params: dict[str, Any] = {"context_type": "pipeline", "context_id": rid}
+    r = client.get("/optimization/techniques", params=params)
+    if r.status_code != 200:
+        print(r.text, file=sys.stderr)
+        return 1
+    rows = [x for x in r.json() if isinstance(x, dict)]
+    pick: dict[str, Any] | None = None
+    if ref.isdigit():
+        idx = int(ref) - 1
+        if 0 <= idx < len(rows):
+            pick = rows[idx]
+    else:
+        for x in rows:
+            if str(x.get("id")) == ref:
+                pick = x
+                break
+    if not pick:
+        print("Recommendation not found (use list index or UUID).", file=sys.stderr)
+        return 1
+    detail = client.get(f"/optimization/techniques/{pick['id']}")
+    if detail.status_code != 200:
+        print(detail.text, file=sys.stderr)
+        return 1
+    print(_dump_json(detail.json(), compact=_wants_json(args)))
+    return 0
+
+
+def _parse_recommendation_refs(ref: str, rows: list[dict[str, Any]]) -> tuple[dict[str, Any] | None, list[str]]:
+    parts = [p.strip() for p in ref.split(",") if p.strip()]
+    if not parts:
+        return None, []
+    picks: list[dict[str, Any]] = []
+    for p in parts:
+        row: dict[str, Any] | None = None
+        if p.isdigit():
+            idx = int(p) - 1
+            if 0 <= idx < len(rows):
+                row = rows[idx]
+        else:
+            for x in rows:
+                if str(x.get("id")) == p:
+                    row = x
+                    break
+        if row is None:
+            return None, []
+        picks.append(row)
+    primary = picks[0]
+    merge_ids = [str(x["id"]) for x in picks[1:]]
+    return primary, merge_ids
+
+
+def cmd_optimize_apply(args: argparse.Namespace) -> int:
+    want_json = _wants_json(args)
+    client, _ = _client()
+    rid = args.run_id.strip()
+    ref = args.recommendation.strip()
+    params: dict[str, Any] = {"context_type": "pipeline", "context_id": rid}
+    r = client.get("/optimization/techniques", params=params)
+    if r.status_code != 200:
+        print(r.text, file=sys.stderr)
+        return 1
+    rows = [x for x in r.json() if isinstance(x, dict)]
+    pick, merge_ids = _parse_recommendation_refs(ref, rows)
+    if not pick:
+        print("Recommendation not found.", file=sys.stderr)
+        return 1
+    tech_id = pick["id"]
+    needs = bool(pick.get("requires_approval"))
+    path = f"/optimization/techniques/{tech_id}/approve" if needs else f"/optimization/techniques/{tech_id}/apply"
+    body: dict[str, Any] = {"approved_by": args.approved_by or "cli"}
+    if merge_ids:
+        body["merge_candidate_ids"] = merge_ids
+    r2 = client.post(path, json=body)
+    if r2.status_code == 400:
+        _print_api_error(r2)
+        return 2
+    if r2.status_code == 428:
+        print("This recommendation requires approval via API approve endpoint.", file=sys.stderr)
+        return 1
+    if r2.status_code not in (200, 201):
+        print(r2.text, file=sys.stderr)
+        return 1
+    data = r2.json()
+    child = data.get("reevaluation_pipeline_run_id") if isinstance(data, dict) else None
+    if want_json:
+        out = dict(data) if isinstance(data, dict) else {"result": data}
+        if child:
+            out["follow_up_pipeline_run_id"] = child
+        _stdout_json(out)
+    else:
+        print(json.dumps(data, indent=2))
+        if child:
+            print(f"\nFollow-up pipeline run: {child}", file=sys.stderr)
+    return 0
+
+
+def cmd_optimize_download(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    rid = args.run_id.strip()
+    ref = args.recommendation.strip()
+    out_dir = Path(args.output_dir).expanduser().resolve()
+    out_dir.mkdir(parents=True, exist_ok=True)
+    params: dict[str, Any] = {"context_type": "pipeline", "context_id": rid}
+    r = client.get("/optimization/techniques", params=params)
+    if r.status_code != 200:
+        print(r.text, file=sys.stderr)
+        return 1
+    rows = [x for x in r.json() if isinstance(x, dict)]
+    pick: dict[str, Any] | None = None
+    if ref.isdigit():
+        idx = int(ref) - 1
+        if 0 <= idx < len(rows):
+            pick = rows[idx]
+    else:
+        for x in rows:
+            if str(x.get("id")) == ref:
+                pick = x
+                break
+    if not pick:
+        print("Recommendation not found.", file=sys.stderr)
+        return 1
+    exp = client.get(f"/pipeline/runs/{rid}/candidates/{pick['id']}/export")
+    if exp.status_code != 200:
+        print(exp.text, file=sys.stderr)
+        return 1
+    path = out_dir / f"candidate-{pick['id']}-export.json"
+    path.write_text(json.dumps(exp.json(), indent=2), encoding="utf-8")
+    if _wants_json(args):
+        _stdout_json({"ok": True, "path": str(path)})
+    else:
+        print(f"Wrote {path}")
+    return 0
+
+
+def cmd_optimize_download_bundle(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    bid = args.bundle_id.strip()
+    out_dir = Path(args.output_dir).expanduser().resolve()
+    out_dir.mkdir(parents=True, exist_ok=True)
+    r = client.get(f"/optimization/bundles/{bid}/zip")
+    if r.status_code != 200:
+        print(r.text, file=sys.stderr)
+        return 1
+    path = out_dir / f"optimization-bundle-{bid}.zip"
+    path.write_bytes(r.content)
+    if _wants_json(args):
+        _stdout_json({"ok": True, "path": str(path)})
+    else:
+        print(f"Wrote {path}")
+    return 0
+
+
+def cmd_aws_test(args: argparse.Namespace) -> int:
+    client, _ = _client()
+    aid = args.account_id.strip()
+    r = client.post(f"/cloud/accounts/{aid}/test-operator-connection")
+    if r.status_code != 200:
+        print(r.text, file=sys.stderr)
+        return 1
+    print(_dump_json(r.json(), compact=_wants_json(args)))
+    return 0
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(
+        prog="cloudcap",
+        description="CloudCap terminal client — call the HTTP API from your shell.",
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+        epilog=(
+            "Environment variables (override ~/.cloudcap/config.json): "
+            "CLOUDCAP_URL (API base, include /v1), CLOUDCAP_TOKEN, CLOUDCAP_ORG_ID, CLOUDCAP_ENV_ID."
+        ),
+    )
+    parser.add_argument(
+        "--version",
+        action="version",
+        version=f"%(prog)s {__version__}",
+    )
+    parser.add_argument(
+        "--output",
+        choices=("text", "json"),
+        default="text",
+        dest="cli_output",
+        help="json: single JSON object on stdout for scripting/CI; errors still on stderr",
+    )
+    sub = parser.add_subparsers(dest="command", required=True)
+
+    p_login = sub.add_parser("login", help="Save API token (or start demo / employee session)")
+    p_login.add_argument("--url", default=None, help="API base including /v1")
+    p_login.add_argument(
+        "--demo",
+        action="store_true",
+        help="POST /v1/demo/session/start (requires ENABLE_DEMO_SCENARIOS=true and fixture orgs; see README)",
+    )
+    p_login.add_argument(
+        "--employee",
+        action="store_true",
+        help="POST /login/employee (org_slug + email; local/demo only; requires organization_members row)",
+    )
+    p_login.add_argument("--org-slug", default=None, help="With --employee: organization slug")
+    p_login.add_argument("--email", default=None, help="With --employee: member email")
+    p_login.add_argument("--token", default=None, help="Bearer token to store")
+    p_login.add_argument("--org-id", default=None, help="Organization UUID (with --token)")
+    p_login.set_defaults(func=cmd_login)
+
+    p_who = sub.add_parser("whoami", help="GET /auth/me")
+    p_who.set_defaults(func=cmd_whoami)
+
+    p_pipe = sub.add_parser("pipeline", help="Pipeline run probes")
+    pipe_sub = p_pipe.add_subparsers(dest="pipe_cmd", required=True)
+    p_pstat = pipe_sub.add_parser(
+        "status",
+        help="Execution readiness for a run + terraform-runtime preflight",
+    )
+    p_pstat.add_argument("run_id", nargs="?", metavar="RUN_ID", help="Pipeline run UUID")
+    p_pstat.add_argument("--run-id", dest="run_id_opt", default=None, help="Pipeline run UUID (alternative to positional)")
+    p_pstat.add_argument(
+        "--json",
+        action="store_true",
+        dest="emit_json",
+        help="Same as --output json (deprecated; prefer global --output json)",
+    )
+    p_pstat.set_defaults(func=cmd_pipeline_status)
+
+    p_cs = sub.add_parser("context", help="Show or set default org/environment")
+    cs_sub = p_cs.add_subparsers(dest="ctx_cmd", required=True)
+    p_show = cs_sub.add_parser("show")
+    p_show.set_defaults(func=cmd_context_show)
+    p_set = cs_sub.add_parser("set")
+    p_set.add_argument("--org-id", default=None)
+    p_set.add_argument("--environment-id", default=None)
+    p_set.set_defaults(func=cmd_context_set)
+
+    p_ev = sub.add_parser(
+        "evaluate",
+        help="Create run, upload plan artifact(s), run policy evaluation",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog=(
+            "Evaluate-only: pass plan.json (or a single .tfplan) alone for policy/cost evaluation.\n"
+            "Deploy-capable (backend terraform apply): pass plan.json, then --plan-binary pointing to the .tfplan "
+            "from the same terraform root, and --workspace-zip containing main.tf and .terraform.lock.hcl "
+            "from that root. Both --plan-binary and --workspace-zip are required together for deploy-capable runs.\n"
+            "See docs/pipeline-cli.md and docs/pipeline-deploy-approval.md."
+        ),
+    )
+    p_ev.add_argument("plan", help="Path to plan.json or .tfplan (first artifact)")
+    p_ev.add_argument("--region", default="us-east-1")
+    p_ev.add_argument(
+        "--environment-id",
+        default=None,
+        help="Default environment for the pipeline run and evaluation scope (optional)",
+    )
+    p_ev.add_argument(
+        "--workload-id",
+        default=None,
+        help="Workload for policy/predeploy scope; default workload is used if omitted",
+    )
+    p_ev.add_argument("--cloud-account-id", default=None)
+    p_ev.add_argument(
+        "--plan-binary",
+        default=None,
+        metavar="PATH",
+        help="Binary tfplan from terraform plan -out= (pair with --workspace-zip for deploy-capable)",
+    )
+    p_ev.add_argument(
+        "--workspace-zip",
+        default=None,
+        metavar="PATH",
+        help="Zip of terraform root: main.tf, .terraform.lock.hcl, and other .tf files (pair with --plan-binary)",
+    )
+    p_ev.set_defaults(func=cmd_evaluate)
+
+    p_dep = sub.add_parser("deploy", help="POST /pipeline/runs/{id}/apply (backend terraform)")
+    p_dep.add_argument(
+        "run_id_arg",
+        nargs="?",
+        metavar="RUN_ID",
+        help="Pipeline run UUID (optional if --run-id is set)",
+    )
+    p_dep.add_argument("--run-id", dest="run_id_opt", default=None, help="Pipeline run UUID")
+    p_dep.add_argument(
+        "--plan-binary",
+        default=None,
+        metavar="PATH",
+        help="If the run has no binary plan yet, upload this .tfplan then apply",
+    )
+    p_dep.add_argument(
+        "--workspace-zip",
+        default=None,
+        metavar="PATH",
+        help="If the run has no workspace zip yet, upload this zip (main.tf + lock file) then apply",
+    )
+    p_dep.set_defaults(func=cmd_deploy)
+
+    p_opt = sub.add_parser("optimize", help="List, apply, and download pipeline optimizations")
+    opt_sub = p_opt.add_subparsers(dest="opt_cmd", required=True)
+
+    p_opt_list = opt_sub.add_parser("list", help="List recommendations for a pipeline run")
+    p_opt_list.add_argument("--run-id", required=True, help="Pipeline run UUID")
+    p_opt_list.set_defaults(func=cmd_optimize_list)
+
+    p_opt_show = opt_sub.add_parser("show", help="Show one recommendation by index (1-based) or UUID")
+    p_opt_show.add_argument("--run-id", required=True)
+    p_opt_show.add_argument(
+        "--recommendation",
+        required=True,
+        help="Index from list or optimization candidate UUID",
+    )
+    p_opt_show.set_defaults(func=cmd_optimize_show)
+
+    p_opt_apply = opt_sub.add_parser("apply", help="Apply recommendation (creates optimized run + bundle)")
+    p_opt_apply.add_argument("--run-id", required=True)
+    p_opt_apply.add_argument(
+        "--recommendation",
+        required=True,
+        help="Index or UUID; comma-separated for merged apply (e.g. 1,3 or uuid,uuid)",
+    )
+    p_opt_apply.add_argument("--approved-by", default="cli", dest="approved_by")
+    p_opt_apply.set_defaults(func=cmd_optimize_apply)
+
+    p_opt_dl = opt_sub.add_parser(
+        "download",
+        help="Download candidate export JSON (original vs revised delta)",
+    )
+    p_opt_dl.add_argument("--run-id", required=True)
+    p_opt_dl.add_argument("--recommendation", required=True)
+    p_opt_dl.add_argument("--output-dir", required=True)
+    p_opt_dl.set_defaults(func=cmd_optimize_download)
+
+    p_opt_bdl = opt_sub.add_parser(
+        "download-bundle",
+        help="Download ZIP of optimization bundle artifacts",
+    )
+    p_opt_bdl.add_argument("--bundle-id", required=True)
+    p_opt_bdl.add_argument("--output-dir", required=True)
+    p_opt_bdl.set_defaults(func=cmd_optimize_download_bundle)
+
+    p_sav = sub.add_parser("savings", help="Savings events, samples, and reconciliation")
+    sav_sub = p_sav.add_subparsers(dest="sav_cmd", required=True)
+    p_sav_list = sav_sub.add_parser("list", help="GET /savings/events")
+    p_sav_list.set_defaults(func=cmd_savings_list)
+    p_sav_show = sav_sub.add_parser("show", help="GET /savings/events/{id}")
+    p_sav_show.add_argument("--event-id", required=True)
+    p_sav_show.set_defaults(func=cmd_savings_show)
+    p_sav_br = sav_sub.add_parser("breakdown", help="Event detail + sample table JSON")
+    p_sav_br.add_argument("--event-id", required=True)
+    p_sav_br.set_defaults(func=cmd_savings_breakdown)
+    p_sav_dl = sav_sub.add_parser("download", help="Bundle event + proofs + samples (stdout or --output-file)")
+    p_sav_dl.add_argument("--event-id", required=True)
+    p_sav_dl.add_argument(
+        "--output-file",
+        default="",
+        dest="output_file",
+        help="Write JSON to this file instead of stdout",
+    )
+    p_sav_dl.set_defaults(func=cmd_savings_download)
+
+    p_aws = sub.add_parser("aws", help="AWS helpers")
+    aws_sub = p_aws.add_subparsers(dest="aws_cmd", required=True)
+    p_test = aws_sub.add_parser("test-connection", help="Live STS for stored operator credentials")
+    p_test.add_argument("--account-id", required=True)
+    p_test.set_defaults(func=cmd_aws_test)
+
+    args = parser.parse_args(argv)
+    fn = getattr(args, "func", None)
+    if fn is None:
+        parser.print_help()
+        return 1
+    return fn(args)
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

cloudcap_cli-0.1.1.dist-info/METADATA

@@ -0,0 +1,66 @@
+Metadata-Version: 2.4
+Name: cloudcap-cli
+Version: 0.1.1
+Summary: CloudCap CLI — terminal client for the CloudCap HTTP API
+Author: CloudCap
+License: Proprietary
+Keywords: cloudcap,cli,terraform,cloud
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Utilities
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.27.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.2.0; extra == "dev"
+Requires-Dist: build>=1.2.0; extra == "dev"
+
+# cloudcap (PyPI)
+
+Terminal client for the CloudCap HTTP API: evaluate Terraform plans, deploy, optimize, and manage context from your shell.
+
+## Install
+
+```bash
+pipx install cloudcap-cli
+# or
+pip install cloudcap-cli
+```
+
+Requires **Python 3.11+**. Only dependency: **httpx**.
+
+## Quick start
+
+```bash
+export CLOUDCAP_URL="https://your-api.example.com/v1"
+cloudcap login --token "YOUR_BEARER_OR_PAT"
+cloudcap whoami
+cloudcap evaluate plan.json --region us-east-1
+```
+
+Machine-readable output:
+
+```bash
+cloudcap --output json whoami
+cloudcap --output json pipeline status RUN_ID
+```
+
+Full documentation: [docs/cli-install.md](../docs/cli-install.md) in the CloudCap repo.
+
+## Configuration
+
+- File: `~/.cloudcap/config.json` (created by `cloudcap login`)
+- Env overrides: `CLOUDCAP_URL`, `CLOUDCAP_TOKEN`, `CLOUDCAP_ORG_ID`, `CLOUDCAP_ENV_ID`
+
+## Docker (CI)
+
+See `Dockerfile` in this directory; build with a wheel or pin `pip install cloudcap-cli==VERSION`.
+
+## Server package
+
+The API server is published separately as **`cloudcap-backend`**. Install the CLI with `pip install cloudcap-cli` without pulling server dependencies. The command on PATH remains **`cloudcap`**.

cloudcap_cli-0.1.1.dist-info/RECORD

@@ -0,0 +1,8 @@
+cloudcap/__init__.py,sha256=SxV54EJhZYEQPgu-gpKOsow8Aec92_ZjHvFjSMGPygU,66
+cloudcap/__main__.py,sha256=od4Kh2VAfhyaEMP2JyBYk39XzvP_oSshuOyErv29R1k,87
+cloudcap/cli.py,sha256=tyzkBftsKaHHJU8BMmO5CT5mHXfjlxMavbbdGwbNMwE,41179
+cloudcap_cli-0.1.1.dist-info/METADATA,sha256=ogYXTO3InqpzgIRfbVwmxJSZYmCewjygDi6xZpnLzcQ,1933
+cloudcap_cli-0.1.1.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+cloudcap_cli-0.1.1.dist-info/entry_points.txt,sha256=Izqnma61C2Vgej0KX_yxMSnqM-o2nyA6aQ0DEcUCM_8,47
+cloudcap_cli-0.1.1.dist-info/top_level.txt,sha256=yFx9-Mtm09ABXokvV8GQHwMfXWAw46FUQAYYqx-elC4,9
+cloudcap_cli-0.1.1.dist-info/RECORD,,

cloudcap_cli-0.1.1.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

cloudcap_cli-0.1.1.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+cloudcap = cloudcap.cli:main

cloudcap_cli-0.1.1.dist-info/top_level.txt

@@ -0,0 +1 @@
+cloudcap