dap-cli 0.3.0__py3-none-any.whl

dap_cli/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.3.0"

dap_cli/__main__.py

@@ -0,0 +1,99 @@
+"""Typer entrypoint — `dap` CLI."""
+
+from __future__ import annotations
+
+import typer
+
+from dap_cli import __version__
+from dap_cli.commands.init import init_command
+from dap_cli.commands.project import project_app
+from dap_cli.commands.start import start_command
+from dap_cli.commands.status import status_command
+from dap_cli.commands.stop import stop_command
+from dap_cli.paths import DEFAULT_DASHBOARD_PORT, DEFAULT_ENGINE_PORT
+
+app = typer.Typer(
+    name="dap",
+    help="Deterministic Agent Pipeline — local launcher",
+    no_args_is_help=True,
+    add_completion=False,
+)
+
+app.add_typer(project_app, name="project")
+
+
+def _version_callback(value: bool) -> None:
+    if value:
+        typer.echo(__version__)
+        raise typer.Exit()
+
+
+@app.callback()
+def root(
+    version: bool = typer.Option(
+        False,
+        "--version",
+        "-v",
+        callback=_version_callback,
+        is_eager=True,
+        help="Show version and exit",
+    ),
+) -> None:
+    """Deterministic Agent Pipeline — local launcher."""
+
+
+@app.command("init")
+def cmd_init(
+    force: bool = typer.Option(False, "--force", "-f", help="Overwrite existing .dap/"),
+    admin_email: str | None = typer.Option(
+        None,
+        "--admin-email",
+        help="Admin user email. Prompted interactively when omitted.",
+    ),
+    admin_password: str | None = typer.Option(
+        None,
+        "--admin-password",
+        help=(
+            "Admin password (lands in shell history — use for local dev only). "
+            "Prefer --admin-password-stdin in automation."
+        ),
+    ),
+    admin_password_stdin: bool = typer.Option(
+        False,
+        "--admin-password-stdin",
+        help="Read the admin password from stdin (kubectl-style).",
+    ),
+) -> None:
+    """Initialize DAP project + bootstrap admin user."""
+    init_command(
+        force=force,
+        admin_email=admin_email,
+        admin_password=admin_password,
+        admin_password_stdin=admin_password_stdin,
+    )
+
+
+@app.command("start")
+def cmd_start(
+    port: int = typer.Option(DEFAULT_DASHBOARD_PORT, "--port", "-p", help="Dashboard port"),
+    engine_port: int = typer.Option(DEFAULT_ENGINE_PORT, "--engine-port", help="Engine port"),
+    headless: bool = typer.Option(False, "--headless", help="Do not open browser"),
+) -> None:
+    """Start engine + dashboard, open browser."""
+    start_command(port=port, engine_port=engine_port, headless=headless)
+
+
+@app.command("stop")
+def cmd_stop() -> None:
+    """Stop running engine + dashboard."""
+    stop_command()
+
+
+@app.command("status")
+def cmd_status() -> None:
+    """Show DAP project status."""
+    status_command()
+
+
+if __name__ == "__main__":
+    app()

dap_cli/_dashboard/.gitkeep

@@ -0,0 +1,5 @@
+# Placeholder so the directory always exists for hatchling's
+# force-include. The dashboard bundle (server.js, .next/, etc.)
+# is staged here on demand by scripts/build-dashboard-bundle.sh
+# and is gitignored — see the gitignore entry for
+# apps/cli/src/dap_cli/_dashboard/.

dap_cli/_dashboard/BUNDLE_INFO.txt

@@ -0,0 +1,3 @@
+DAP dashboard bundle
+Built at: 2026-05-12T15:42:00Z
+Git SHA:  3121895

dap_cli/_dashboard/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "dap-dashboard",
+  "version": "0.0.1",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint .",
+    "gen:api": "openapi-typescript http://127.0.0.1:7333/openapi.json -o src/lib/api/types.gen.ts",
+    "clean": "rm -rf .next dist .turbo node_modules",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@hookform/resolvers": "4.1.3",
+    "@radix-ui/react-dialog": "1.1.15",
+    "@radix-ui/react-label": "2.1.1",
+    "@radix-ui/react-slot": "1.2.4",
+    "@radix-ui/react-tabs": "^1.1.13",
+    "@radix-ui/react-toast": "1.2.4",
+    "@tanstack/react-query": "5.100.9",
+    "@xyflow/react": "12.3.6",
+    "class-variance-authority": "0.7.1",
+    "clsx": "2.1.1",
+    "dagre": "^0.8.5",
+    "lucide-react": "0.469.0",
+    "next": "15.1.4",
+    "react": "19.0.0",
+    "react-dom": "19.0.0",
+    "react-hook-form": "7.54.2",
+    "tailwind-merge": "2.6.0",
+    "tailwindcss-animate": "1.0.7",
+    "zod": "3.24.1"
+  },
+  "devDependencies": {
+    "@eslint/eslintrc": "3.3.5",
+    "@types/dagre": "^0.7.54",
+    "@types/node": "25.6.2",
+    "@types/react": "19.0.7",
+    "@types/react-dom": "19.0.3",
+    "@vitest/coverage-v8": "^4.1.5",
+    "autoprefixer": "10.4.20",
+    "eslint": "9.39.4",
+    "eslint-config-next": "15.5.15",
+    "openapi-typescript": "7.5.2",
+    "postcss": "8.4.49",
+    "tailwindcss": "3.4.17",
+    "typescript": "5.9.3",
+    "vitest": "^4.1.5"
+  }
+}

dap_cli/_dashboard/server.js

@@ -0,0 +1,38 @@
+const path = require('path')
+
+const dir = path.join(__dirname)
+
+process.env.NODE_ENV = 'production'
+process.chdir(__dirname)
+
+const currentPort = parseInt(process.env.PORT, 10) || 3000
+const hostname = process.env.HOSTNAME || '0.0.0.0'
+
+let keepAliveTimeout = parseInt(process.env.KEEP_ALIVE_TIMEOUT, 10)
+const nextConfig = {"env":{"NEXT_PUBLIC_DAP_ENGINE_URL":"http://127.0.0.1:7333"},"webpack":null,"eslint":{"ignoreDuringBuilds":true},"typescript":{"ignoreBuildErrors":false,"tsconfigPath":"tsconfig.json"},"distDir":"./.next","cleanDistDir":true,"assetPrefix":"","cacheMaxMemorySize":52428800,"configOrigin":"next.config.ts","useFileSystemPublicRoutes":true,"generateEtags":true,"pageExtensions":["tsx","ts","jsx","js"],"poweredByHeader":true,"compress":true,"images":{"deviceSizes":[640,750,828,1080,1200,1920,2048,3840],"imageSizes":[16,32,48,64,96,128,256,384],"path":"/_next/image","loader":"default","loaderFile":"","domains":[],"disableStaticImages":false,"minimumCacheTTL":60,"formats":["image/webp"],"dangerouslyAllowSVG":false,"contentSecurityPolicy":"script-src 'none'; frame-src 'none'; sandbox;","contentDispositionType":"attachment","remotePatterns":[],"unoptimized":false},"devIndicators":{"appIsrStatus":true,"buildActivity":true,"buildActivityPosition":"bottom-right"},"onDemandEntries":{"maxInactiveAge":60000,"pagesBufferLength":5},"amp":{"canonicalBase":""},"basePath":"","sassOptions":{},"trailingSlash":false,"i18n":null,"productionBrowserSourceMaps":false,"excludeDefaultMomentLocales":true,"serverRuntimeConfig":{},"publicRuntimeConfig":{},"reactProductionProfiling":false,"reactStrictMode":true,"reactMaxHeadersLength":6000,"httpAgentOptions":{"keepAlive":true},"logging":{},"expireTime":31536000,"staticPageGenerationTimeout":60,"output":"standalone","modularizeImports":{"@mui/icons-material":{"transform":"@mui/icons-material/{{member}}"},"lodash":{"transform":"lodash/{{member}}"}},"outputFileTracingRoot":"/home/runner/work/dap/dap/apps/dashboard","experimental":{"cacheLife":{"default":{"stale":300,"revalidate":900,"expire":4294967294},"seconds":{"stale":0,"revalidate":1,"expire":60},"minutes":{"stale":300,"revalidate":60,"expire":3600},"hours":{"stale":300,"revalidate":3600,"expire":86400},"days":{"stale":300,"revalidate":86400,"expire":604800},"weeks":{"stale":300,"revalidate":604800,"expire":2592000},"max":{"stale":300,"revalidate":2592000,"expire":4294967294}},"cacheHandlers":{},"cssChunking":true,"multiZoneDraftMode":false,"appNavFailHandling":false,"prerenderEarlyExit":true,"serverMinification":true,"serverSourceMaps":false,"linkNoTouchStart":false,"caseSensitiveRoutes":false,"clientSegmentCache":false,"preloadEntriesOnStart":true,"clientRouterFilter":true,"clientRouterFilterRedirects":false,"fetchCacheKeyPrefix":"","middlewarePrefetch":"flexible","optimisticClientCache":true,"manualClientBasePath":false,"cpus":3,"memoryBasedWorkersCount":false,"imgOptConcurrency":null,"imgOptTimeoutInSeconds":7,"imgOptMaxInputPixels":268402689,"imgOptSequentialRead":null,"isrFlushToDisk":true,"workerThreads":false,"optimizeCss":false,"nextScriptWorkers":false,"scrollRestoration":false,"externalDir":false,"disableOptimizedLoading":false,"gzipSize":true,"craCompat":false,"esmExternals":true,"fullySpecified":false,"swcTraceProfiling":false,"forceSwcTransforms":false,"largePageDataBytes":128000,"turbo":{"root":"/home/runner/work/dap/dap/apps/dashboard"},"typedRoutes":false,"typedEnv":false,"parallelServerCompiles":false,"parallelServerBuildTraces":false,"ppr":false,"authInterrupts":false,"reactOwnerStack":false,"webpackMemoryOptimizations":false,"optimizeServerReact":true,"useEarlyImport":false,"staleTimes":{"dynamic":0,"static":300},"serverComponentsHmrCache":true,"staticGenerationMaxConcurrency":8,"staticGenerationMinPagesPerWorker":25,"dynamicIO":false,"inlineCss":false,"optimizePackageImports":["lucide-react","date-fns","lodash-es","ramda","antd","react-bootstrap","ahooks","@ant-design/icons","@headlessui/react","@headlessui-float/react","@heroicons/react/20/solid","@heroicons/react/24/solid","@heroicons/react/24/outline","@visx/visx","@tremor/react","rxjs","@mui/material","@mui/icons-material","recharts","react-use","effect","@effect/schema","@effect/platform","@effect/platform-node","@effect/platform-browser","@effect/platform-bun","@effect/sql","@effect/sql-mssql","@effect/sql-mysql2","@effect/sql-pg","@effect/sql-squlite-node","@effect/sql-squlite-bun","@effect/sql-squlite-wasm","@effect/sql-squlite-react-native","@effect/rpc","@effect/rpc-http","@effect/typeclass","@effect/experimental","@effect/opentelemetry","@material-ui/core","@material-ui/icons","@tabler/icons-react","mui-core","react-icons/ai","react-icons/bi","react-icons/bs","react-icons/cg","react-icons/ci","react-icons/di","react-icons/fa","react-icons/fa6","react-icons/fc","react-icons/fi","react-icons/gi","react-icons/go","react-icons/gr","react-icons/hi","react-icons/hi2","react-icons/im","react-icons/io","react-icons/io5","react-icons/lia","react-icons/lib","react-icons/lu","react-icons/md","react-icons/pi","react-icons/ri","react-icons/rx","react-icons/si","react-icons/sl","react-icons/tb","react-icons/tfi","react-icons/ti","react-icons/vsc","react-icons/wi"],"trustHostHeader":false,"isExperimentalCompile":false},"bundlePagesRouterDependencies":false,"configFileName":"next.config.ts"}
+
+process.env.__NEXT_PRIVATE_STANDALONE_CONFIG = JSON.stringify(nextConfig)
+
+require('next')
+const { startServer } = require('next/dist/server/lib/start-server')
+
+if (
+  Number.isNaN(keepAliveTimeout) ||
+  !Number.isFinite(keepAliveTimeout) ||
+  keepAliveTimeout < 0
+) {
+  keepAliveTimeout = undefined
+}
+
+startServer({
+  dir,
+  isDev: false,
+  config: nextConfig,
+  hostname,
+  port: currentPort,
+  allowRetry: false,
+  keepAliveTimeout,
+}).catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

dap_cli/bootstrap.py

@@ -0,0 +1,262 @@
+"""Admin-user bootstrap for ``dap init`` (#302 sub-D4).
+
+Creates (or promotes) an admin user on the engine's local SQLite
+database without going through the HTTP API — the engine doesn't have
+to be running. Re-uses ``fastapi-users``' password hasher (Argon2id
+via pwdlib) so the resulting row is indistinguishable from one
+created by ``/auth/register``.
+
+Idempotent: if a user with the given email already exists, their
+``is_superuser`` flag is set to ``True`` and the row is returned
+unchanged otherwise.
+
+The function writes ``.dap/bootstrap.json`` (chmod 600) with metadata
+the operator (and ``dap status``) can inspect later — `email`,
+`user_id`, `created_at`, `created_existing` flag.
+"""
+
+from __future__ import annotations
+
+import contextlib
+import datetime as _dt
+import json
+import re
+import secrets
+import uuid
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+# Engine internals — same workspace, no public-API surface needed.
+from dap_engine.app import EngineConfig
+from dap_engine.persistence.db import create_engine_for_sqlite
+from dap_engine.persistence.migrations import apply_migrations
+from dap_engine.persistence.models import UserORM
+from fastapi_users.password import PasswordHelper
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+# Engine-side password policy lives in ``UserManager.validate_password``;
+# mirror it here so the CLI rejects bad passwords before they touch
+# the DB. Keeping the value in lockstep with sub-A1's MIN_PASSWORD_LENGTH
+# is a maintenance burden, but the engine module isn't importable
+# without bootstrapping its DB — we accept the duplication for now.
+MIN_PASSWORD_LENGTH = 8
+
+# Generated random passwords. 22 base64url chars = 132 bits of entropy —
+# plenty for any policy and short enough to read off a terminal.
+GENERATED_PASSWORD_LENGTH = 22
+
+# RFC 5322 covers an enormous surface; this regex catches typos
+# (missing @, missing TLD) without claiming full RFC compliance. The
+# engine's ``EmailStr`` validator catches the rest at register time
+# if anyone gets through this guard.
+_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
+
+
+@dataclass(frozen=True, slots=True)
+class BootstrapResult:
+    """What ``ensure_admin_user`` did, surfaced to the caller for UI."""
+
+    user_id: uuid.UUID
+    email: str
+    generated_password: str | None
+    """The password the caller should print *once* (when ``dap init``
+    generated it). ``None`` when the operator supplied one — we never
+    echo a user-typed password."""
+    promoted_existing: bool
+    """True when the email already had a row and we flipped
+    ``is_superuser`` to True. False when we inserted a fresh row."""
+
+
+def validate_email(value: str) -> str:
+    """Return a normalised email or raise ``ValueError``.
+
+    Leading/trailing whitespace is stripped; the local part keeps
+    case (RFC says it's case-sensitive, although every mail server
+    in practice treats it case-insensitive). Email-validator
+    boundary cases (IDN, comments) aren't supported — the engine's
+    register endpoint has the full validator if needed.
+    """
+    candidate = value.strip()
+    if not _EMAIL_RE.match(candidate):
+        raise ValueError(f"not an email-looking value: {candidate!r}")
+    return candidate
+
+
+def validate_password(value: str) -> None:
+    """Raise ``ValueError`` if the password violates the policy."""
+    if len(value) < MIN_PASSWORD_LENGTH:
+        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
+
+
+def generate_password() -> str:
+    """Cryptographically-secure random password suitable for printing."""
+    return secrets.token_urlsafe(GENERATED_PASSWORD_LENGTH)
+
+
+def ensure_admin_user(
+    db_path: Path,
+    *,
+    email: str,
+    password: str | None,
+) -> BootstrapResult:
+    """Create or promote the admin user.
+
+    ``password`` ``None`` → ``ensure_admin_user`` generates one. When
+    the caller supplies a password, the function never returns it
+    (so the calling code can't accidentally log the secret).
+
+    Operates on the engine's local SQLite file directly. Migrations
+    are applied first so a fresh ``.dap/state.db`` becomes
+    structurally valid before the row write.
+    """
+    email = validate_email(email)
+    generated: str | None = None
+    if password is None or password == "":
+        password = generate_password()
+        generated = password
+    validate_password(password)
+
+    # Need a JWT secret on the EngineConfig to instantiate
+    # ``create_engine_for_sqlite`` cleanly — the value doesn't matter
+    # for the bootstrap operation (no token signing happens here),
+    # but the engine refuses to construct an app without one. A
+    # throwaway random keeps the helper standalone.
+    EngineConfig(
+        db_path=str(db_path),
+        auth_jwt_secret=secrets.token_urlsafe(32),
+    )
+
+    db_path.parent.mkdir(parents=True, exist_ok=True)
+    engine = create_engine_for_sqlite(str(db_path))
+    apply_migrations(engine)
+
+    hasher = PasswordHelper()
+    hashed_password = hasher.hash(password)
+
+    with Session(engine) as session:
+        # ``.unique()`` is required because ``UserORM`` declares a
+        # joined eager-load on ``oauth_identities`` (a collection) —
+        # without de-duplication SQLAlchemy refuses to materialise a
+        # single row from the multi-row JOIN result.
+        existing = (
+            session.scalars(
+                select(UserORM).where(UserORM.email == email)  # type: ignore[arg-type]
+            )
+            .unique()
+            .one_or_none()
+        )
+        if existing is not None:
+            # ``promoted_existing`` means "we found an existing row and
+            # left/forced it to admin", not "we flipped is_superuser
+            # this call" — operators care about idempotency, not the
+            # exact prior state. Keep this stable on re-runs.
+            existing.is_superuser = True
+            existing.is_active = True
+            existing.deleted_at = None
+            # Password-reset path (sub-E3 Copilot review): when the
+            # operator supplied an **explicit** password (not the
+            # auto-generate flow), apply it on the existing row. This
+            # is the documented lost-admin-password recovery flow —
+            # ``dap init --force --admin-email=X --admin-password=Y``
+            # both promotes X to admin AND sets Y as the password.
+            # We deliberately do *not* apply auto-generated passwords
+            # to existing users; on re-run with no ``--admin-password``,
+            # the existing credentials stay intact (silently rotating
+            # to a fresh random would break the operator's working
+            # login). ``generated is None`` is the unambiguous signal
+            # for "operator supplied this value explicitly".
+            if generated is None:
+                existing.hashed_password = hashed_password
+            session.commit()
+            return BootstrapResult(
+                user_id=existing.id,
+                email=email,
+                # Never expose a generated password for an existing
+                # user — we didn't apply it, so returning it would
+                # mislead the operator into thinking the password
+                # changed.
+                generated_password=None,
+                promoted_existing=True,
+            )
+
+        now = _dt.datetime.now(_dt.UTC)
+        user = UserORM(
+            id=uuid.uuid4(),
+            email=email,
+            hashed_password=hashed_password,
+            is_active=True,
+            is_superuser=True,
+            is_verified=True,
+            created_at=now,
+            updated_at=now,
+            deleted_at=None,
+            last_login_at=None,
+        )
+        session.add(user)
+        session.commit()
+        return BootstrapResult(
+            user_id=user.id,
+            email=email,
+            generated_password=generated,
+            promoted_existing=False,
+        )
+
+
+def write_bootstrap_marker(path: Path, result: BootstrapResult) -> None:
+    """Persist a small ``bootstrap.json`` next to ``state.db`` so
+    ``dap status`` can show "admin user X created on Y".
+
+    No secret material in the file — the generated password (when
+    present) is only printed to stdout, never written.
+    """
+    payload = {
+        "email": result.email,
+        "user_id": str(result.user_id),
+        "created_at": _dt.datetime.now(_dt.UTC).isoformat(),
+        "promoted_existing": result.promoted_existing,
+    }
+    path.write_text(json.dumps(payload, indent=2) + "\n", encoding="utf-8")
+    # ``chmod 600`` — the file contains no secrets, but locking down
+    # the permissions establishes the right reflex for any future
+    # additions (e.g. recovery tokens). Best-effort on Windows where
+    # POSIX modes don't apply.
+    with contextlib.suppress(OSError, NotImplementedError):
+        path.chmod(0o600)
+
+
+def read_bootstrap_marker(path: Path) -> dict[str, Any] | None:
+    """Read the bootstrap marker if it exists. ``None`` on missing /
+    corrupt — caller treats either as "no bootstrap yet".
+
+    Returns ``dict[str, Any]`` because the payload mixes strings
+    (email, user_id, created_at) with booleans (``promoted_existing``).
+    """
+    if not path.is_file():
+        return None
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return None
+    if not isinstance(data, dict):
+        return None
+    return data
+
+
+def bootstrap_marker_path(dap_dir: Path) -> Path:
+    return dap_dir / "bootstrap.json"
+
+
+__all__ = [
+    "GENERATED_PASSWORD_LENGTH",
+    "MIN_PASSWORD_LENGTH",
+    "BootstrapResult",
+    "bootstrap_marker_path",
+    "ensure_admin_user",
+    "generate_password",
+    "read_bootstrap_marker",
+    "validate_email",
+    "validate_password",
+    "write_bootstrap_marker",
+]