dayhoff-tools 1.1.14__tar.gz → 1.1.16__tar.gz

{dayhoff_tools-1.1.14 → dayhoff_tools-1.1.16}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: dayhoff-tools
-Version: 1.1.14
+Version: 1.1.16
 Summary: Common tools for all the repos at Dayhoff Labs
 Author: Daniel Martin-Alarcon
 Author-email: dma@dayhofflabs.com

{dayhoff_tools-1.1.14 → dayhoff_tools-1.1.16}/dayhoff_tools/cli/cloud_commands.py

@@ -256,6 +256,32 @@ def _get_adc_status() -> str:
     return "Not configured"
 
 
+def _is_adc_authenticated() -> bool:
+    """Check if Application Default Credentials (ADC) are valid.
+
+    Returns:
+        True if `gcloud auth application-default print-access-token --quiet` succeeds,
+        False otherwise.
+    """
+    try:
+        gcloud_path = _find_executable("gcloud")
+        returncode, _, _ = _run_command(
+            [
+                gcloud_path,
+                "auth",
+                "application-default",
+                "print-access-token",
+                "--quiet",
+            ],
+            capture=True,
+            check=False,
+            suppress_output=True,
+        )
+        return returncode == 0
+    except FileNotFoundError:
+        return False
+
+
 def _is_gcp_user_authenticated() -> bool:
     """Check if the current gcloud user authentication is valid and non-interactive.
 
@@ -347,7 +373,7 @@ def _run_gcloud_login() -> None:
 
 
 def _test_gcp_credentials(user: str, impersonation_sa: str) -> None:
-    """Test GCP credentials. Only prints output on failure (to stderr)."""
+    """Test GCP credentials. Prints output on failure (to stderr) and success (to stdout)."""
     gcloud_path = _find_executable("gcloud")
     user_short = _get_short_name(user)
     impersonation_short = _get_short_name(impersonation_sa)
@@ -363,64 +389,73 @@ def _test_gcp_credentials(user: str, impersonation_sa: str) -> None:
         ]
 
         if impersonation_sa != "None":
+            # Test 1: Access as the user directly (temporarily disable impersonation)
+            print(f"  Testing direct access as user ({user_short})...")
             orig_sa = impersonation_sa
             unset_rc, _, unset_err = _gcloud_unset_config(
                 "auth/impersonate_service_account"
             )
             if unset_rc != 0:
-                # Failure to unset is an error state
                 print(
-                    f"{RED}✗ Test Error: Failed to temporarily disable impersonation: {unset_err}{NC}",
+                    f"    {RED}✗ Test Error: Failed to temporarily disable impersonation: {unset_err}{NC}",
                     file=sys.stderr,
                 )
-
-            user_returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
-            if user_returncode != 0:
-                # Failure to access as user
-                print(
-                    f"{RED}✗ Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
-                    file=sys.stderr,
+                # Even if unsetting fails, attempt to restore and continue with impersonation test
+            else:
+                user_returncode, _, _ = _run_command(
+                    cmd, suppress_output=True, check=False
                 )
+                if user_returncode != 0:
+                    print(
+                        f"    {RED}✗ User Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
+                        file=sys.stderr,
+                    )
+                else:
+                    print(
+                        f"    {GREEN}✓ User Test ({user_short}): Direct access OK{NC}"
+                    )
 
+            # Restore impersonation setting
             set_rc, _, set_err = _gcloud_set_config(
                 "auth/impersonate_service_account", orig_sa
             )
             if set_rc != 0:
-                # Failure to restore is an error state
                 print(
-                    f"{RED}✗ Test Error: Failed to restore impersonation config for {impersonation_short}: {set_err}{NC}",
+                    f"    {RED}✗ Test Error: Failed to restore impersonation config for {impersonation_short}: {set_err}{NC}",
                     file=sys.stderr,
                 )
+                # If restoring fails, it's a significant issue for the next test
 
+            # Test 2: Access while impersonating the SA
+            print(f"  Testing access while impersonating SA ({impersonation_short})...")
             impersonation_returncode, _, _ = _run_command(
                 cmd, suppress_output=True, check=False
             )
             if impersonation_returncode != 0:
-                # Failure to access while impersonating
                 print(
-                    f"{RED}✗ Test Failure: Cannot access resources impersonating '{impersonation_short}'. Check permissions/config.{NC}",
+                    f"    {RED}✗ Impersonation Test Failure: Cannot access resources impersonating '{impersonation_short}'. Check permissions/config.{NC}",
                     file=sys.stderr,
                 )
+            else:
+                print(
+                    f"    {GREEN}✓ Impersonation Test ({impersonation_short}): Access OK{NC}"
+                )
 
         else:
             # Test user account directly (no impersonation config)
+            print(f"  Testing direct access as user ({user_short})...")
             returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
             if returncode != 0:
-                # Failure to access as user
                 print(
-                    f"{RED}✗ Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
+                    f"    {RED}✗ User Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
                     file=sys.stderr,
                 )
-            # Success: No output
-            # else:
-            #    print(f"{GREEN}✓ Direct access as user {user_short}: OK{NC}")
-            # Correctly indented pass statement if no action needed on success
-            pass
+            else:
+                print(f"    {GREEN}✓ User Test ({user_short}): Direct access OK{NC}")
     else:
-        # If user isn't authenticated at all, maybe print a warning?
-        # print(f"{YELLOW}User not authenticated, skipping credential test.{NC}")
-        # Decided against this to keep output minimal unless actual test fails.
-        pass  # Explicit pass for the outer else
+        print(
+            f"  {YELLOW}User not authenticated, skipping credential access tests.{NC}"
+        )
 
 
 # --- AWS Functions ---
@@ -516,30 +551,54 @@ aws_app = typer.Typer(help="Manage AWS SSO authentication using RC files.")
 # --- GCP Commands ---
 @gcp_app.command("status")
 def gcp_status():
-    """Show active GCP credentials for CLI and Libraries/ADC."""
+    """Show active GCP credentials for CLI and Libraries/ADC, including staleness."""
     cli_user = _get_current_gcp_user()
     cli_impersonation = _get_current_gcp_impersonation()
-    adc_principal = _get_adc_status()
+    adc_principal_raw = _get_adc_status()  # Raw status string, potentially complex
+
+    user_auth_valid = _is_gcp_user_authenticated()
+    adc_auth_valid = _is_adc_authenticated()
 
     # Determine active principal for CLI
     if cli_impersonation != "None":
         cli_active_short = _get_short_name(cli_impersonation)
+        cli_is_impersonating = True
     else:
         cli_active_short = _get_short_name(cli_user)
+        cli_is_impersonating = False
 
-    # Get short name for ADC principal
-    adc_active_short = _get_short_name(adc_principal)
+    adc_active_short = _get_short_name(adc_principal_raw)
 
-    # Define a fixed width for the principal name field
-    name_width = 10
+    print(f"{BLUE}--- GCP CLI Credentials ---{NC}")
+    print(f"  Effective Principal: {GREEN}{cli_active_short}{NC}")
+    print(f"  User Account ({_get_short_name(cli_user)}):")
+    if user_auth_valid:
+        print(f"    └─ Authentication: {GREEN}VALID{NC}")
+    else:
+        print(
+            f"    └─ Authentication: {RED}STALE/EXPIRED{NC} (Hint: run 'dh gcp login')"
+        )
 
-    print(
-        f"Using {GREEN}{cli_active_short:<{name_width}}{NC} for {BLUE}gcloud CLI{NC} (gcloud, gsutil)"
-    )
-    print(
-        f"Using {GREEN}{adc_active_short:<{name_width}}{NC} for {BLUE}Libraries/Tools{NC} (warehouse, Terraform, Python clients)\n"
-    )
+    if cli_is_impersonating:
+        print(
+            f"  Impersonation ({_get_short_name(cli_impersonation)}): {GREEN}Active{NC}"
+        )
+        print(f"    └─ Access Test: (see results below)")
+    else:
+        print(f"  Impersonation: {YELLOW}Not Active{NC}")
+
+    print(f"\n{BLUE}--- GCP Library/ADC Credentials ---{NC}")
+    print(f"  Effective Principal: {GREEN}{adc_active_short}{NC}")
+    if adc_principal_raw in ["Not configured", "Error reading", "Invalid format"]:
+        print(f"    └─ Status: {RED}{adc_principal_raw}{NC}")
+    elif adc_auth_valid:
+        print(f"    └─ Authentication: {GREEN}VALID{NC}")
+    else:
+        print(
+            f"    └─ Authentication: {RED}STALE/EXPIRED{NC} (Hint: run 'dh gcp use-...-adc' or 'gcloud auth application-default login ...')"
+        )
 
+    print(f"\n{BLUE}--- GCP Access Tests (for CLI configuration) ---{NC}")
     # Run tests silently, they will print to stderr only on failure
     _test_gcp_credentials(cli_user, cli_impersonation)
 

{dayhoff_tools-1.1.14 → dayhoff_tools-1.1.16}/dayhoff_tools/cli/utility_commands.py

@@ -6,7 +6,6 @@ import shutil
 import subprocess
 import sys
 from pathlib import Path
-from typing import Optional
 
 import toml
 import typer
@@ -15,6 +14,64 @@ import yaml
 # Import cloud helper lazily inside functions to avoid heavy deps at module load
 
 
+def _warn_if_gcp_default_sa(force_prompt: bool = False) -> None:
+    """Warn the user when the active gcloud principal is the default VM service
+    account.  See detailed docstring later in file (duplicate for early
+    availability)."""
+
+    from dayhoff_tools.cli import cloud_commands as _cc
+
+    try:
+        impersonation = _cc._get_current_gcp_impersonation()
+        user = _cc._get_current_gcp_user()
+        active = impersonation if impersonation != "None" else user
+        short = _cc._get_short_name(active)
+
+        # Determine if user creds are valid
+        auth_valid = _cc._is_gcp_user_authenticated()
+    except Exception:
+        # If any helper errors out, don't block execution
+        return
+
+    problem_type = None  # "default_sa" | "stale"
+    if short == "default VM service account":
+        problem_type = "default_sa"
+    elif not auth_valid:
+        problem_type = "stale"
+
+    if problem_type is None:
+        return  # Everything looks good
+
+    YELLOW = getattr(_cc, "YELLOW", "\033[0;33m")
+    BLUE = getattr(_cc, "BLUE", "\033[0;36m")
+    RED = getattr(_cc, "RED", "\033[0;31m")
+    NC = getattr(_cc, "NC", "\033[0m")
+
+    if problem_type == "default_sa":
+        msg_body = (
+            f"You are currently authenticated as the *default VM service account*.\n"
+            f"   This will block gsutil/DVC access to private buckets (e.g. warehouse)."
+        )
+    else:  # stale creds
+        msg_body = (
+            f"Your GCP credentials appear to be *expired/stale*.\n"
+            f"   Re-authenticate to refresh the access token."
+        )
+
+    print(
+        f"{YELLOW}⚠  {msg_body}{NC}\n"
+        f"{YELLOW}   Run {BLUE}dh gcp login{YELLOW} or {BLUE}dh gcp use-devcon{YELLOW} before retrying.{NC}",
+        file=sys.stderr,
+    )
+
+    if force_prompt and sys.stdin.isatty() and sys.stdout.isatty():
+        import questionary
+
+        if not questionary.confirm("Proceed anyway?", default=False).ask():
+            print(f"{RED}Aborted due to unsafe GCP credentials.{NC}", file=sys.stderr)
+            raise SystemExit(1)
+
+
 def test_github_actions_locally():
     """Run the script test_pytest_in_github_actions_container.sh.sh."""
     script_path = ".devcontainer/scripts/test_pytest_in_github_actions_container.sh"
@@ -571,63 +628,3 @@ def update_dependencies(
 # ----------------------
 # Cloud credential guard
 # ----------------------
-
-
-def _warn_if_gcp_default_sa(force_prompt: bool = False) -> None:
-    """Warn the user when the active gcloud principal is the default VM service
-    account.
-
-    This situation prevents gsutil/DVC from accessing private buckets and is
-    almost never what we want when interacting with the warehouse.  The
-    function prints a coloured warning and, when *force_prompt* is *True* and
-    the session is interactive, asks the user whether to continue or abort the
-    command.
-
-    Parameters
-    ----------
-    force_prompt : bool, default False
-        When *True* and running in an interactive shell (stdin & stdout are
-        TTYs), display a yes/no prompt (via *questionary.confirm*) asking the
-        user whether to proceed.  If the user declines, ``SystemExit(1)`` is
-        raised to stop the CLI command immediately.  In non-interactive
-        contexts the function merely prints the warning without prompting.
-    """
-
-    # Delay heavy import until the function is actually needed
-    from dayhoff_tools.cli import cloud_commands as _cc  # local import to ease testing
-
-    try:
-        impersonation = _cc._get_current_gcp_impersonation()
-        user = _cc._get_current_gcp_user()
-        active = impersonation if impersonation != "None" else user
-        short_name = _cc._get_short_name(active)
-    except Exception:
-        # If gcloud is missing or some other unexpected error occurs, fail
-        # gracefully by doing nothing.
-        return
-
-    if short_name != "default VM service account":
-        # All good – nothing to warn about
-        return
-
-    # Colour constants – fall back to empty strings if not available
-    RED = getattr(_cc, "RED", "\033[0;31m")
-    YELLOW = getattr(_cc, "YELLOW", "\033[0;33m")
-    BLUE = getattr(_cc, "BLUE", "\033[0;36m")
-    NC = getattr(_cc, "NC", "\033[0m")
-
-    warning_msg = (
-        f"{YELLOW}⚠  You are currently authenticated as the *default VM service account*.{NC}\n"
-        f"{YELLOW}   This will block gsutil/DVC access to private buckets (e.g. warehouse).{NC}\n"
-        f"{YELLOW}   Run {BLUE}dh gcp login{YELLOW} or {BLUE}dh gcp use-devcon{YELLOW} before retrying.{NC}"
-    )
-    print(warning_msg, file=sys.stderr)
-
-    interactive = sys.stdin.isatty() and sys.stdout.isatty()
-    if force_prompt and interactive:
-        import questionary
-
-        proceed = questionary.confirm("Proceed anyway?", default=False).ask()
-        if not proceed:
-            print(f"{RED}Aborted due to unsafe GCP credentials.{NC}", file=sys.stderr)
-            raise SystemExit(1)

{dayhoff_tools-1.1.14 → dayhoff_tools-1.1.16}/dayhoff_tools/deployment/processors.py

@@ -409,15 +409,14 @@ class MMSeqsProfileProcessor(Processor):
             self._run_mmseqs_command(
                 [
                     "mmseqs",
-                    "result2flat",
-                    str(profile_db),  # queryDB used in search
-                    str(target_db),  # targetDB
-                    str(result_db),  # resultDB
+                    "createseqfiledb",
+                    str(result_db),  # resultDB containing target hits
+                    str(target_db),  # targetDB containing actual sequences
                     str(intermediate_hits_fasta_file),  # output FASTA
-                    "--use-fasta-header",
-                    "1",
+                    "--db-output",
+                    "1",  # Output in FASTA format
                 ],
-                "Extract hit sequences to FASTA via result2flat",
+                "Extract hit sequences to FASTA via createseqfiledb",
                 run_base_dir,
             )
 

{dayhoff_tools-1.1.14 → dayhoff_tools-1.1.16}/pyproject.toml

@@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api"
 
 [project]
 name = "dayhoff-tools"
-version = "1.1.14"
+version = "1.1.16"
 description = "Common tools for all the repos at Dayhoff Labs"
 authors = [
     {name = "Daniel Martin-Alarcon", email = "dma@dayhofflabs.com"}