dh-cli 0.3.2__tar.gz → 0.4.1__tar.gz

{dh_cli-0.3.2 → dh_cli-0.4.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dh-cli
-Version: 0.3.2
+Version: 0.4.1
 Summary: Dayhoff Labs developer CLI
 Author-email: Dayhoff Labs <dev@dayhofflabs.com>
 License: # PolyForm Noncommercial License 1.0.0

{dh_cli-0.3.2 → dh_cli-0.4.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "dh-cli"
-version = "0.3.2"
+version = "0.4.1"
 description = "Dayhoff Labs developer CLI"
 requires-python = ">=3.11"
 readme = "README.md"

dh_cli-0.4.1/src/dh_cli/hz/__init__.py

@@ -0,0 +1,67 @@
+"""dh hz — Horizyn API management commands."""
+
+import os
+from pathlib import Path
+
+import typer
+
+hz_app = typer.Typer(
+    help="Manage Horizyn API: users, deployments, local servers, and tests.",
+    context_settings={"help_option_names": ["-h", "--help"]},
+)
+
+
+def _find_workspace_root() -> Path:
+    root = os.environ.get("WORKSPACE_ROOT")
+    if root:
+        p = Path(root)
+        if p.is_dir():
+            return p
+
+    for child in Path("/workspaces").iterdir():
+        if child.is_dir() and not child.name.startswith("."):
+            return child
+
+    typer.echo("Cannot determine workspace root. Set $WORKSPACE_ROOT.", err=True)
+    raise typer.Exit(1)
+
+
+def require_repo(name: str) -> Path:
+    """Return the path to a cloned repo, or exit with a helpful error."""
+    root = _find_workspace_root()
+    repo = root / name
+    if not repo.is_dir():
+        typer.echo(
+            f"Repository '{name}' not found at {repo}.\n"
+            f"Clone it with: dc clone {name}",
+            err=True,
+        )
+        raise typer.Exit(1)
+    return repo
+
+
+def run_script(script: Path, args: list[str] | None = None, cwd: Path | None = None) -> None:
+    """Run a shell script, streaming output. Exit on failure."""
+    import subprocess
+
+    if not script.exists():
+        typer.echo(f"Script not found: {script}", err=True)
+        raise typer.Exit(1)
+
+    cmd = ["bash", str(script)] + (args or [])
+    result = subprocess.run(cmd, cwd=cwd)
+    if result.returncode != 0:
+        raise typer.Exit(result.returncode)
+
+
+from dh_cli.hz.users import users_app  # noqa: E402
+from dh_cli.hz.deploy import deploy_app  # noqa: E402
+from dh_cli.hz.local import local_app  # noqa: E402
+from dh_cli.hz.test import test_app  # noqa: E402
+from dh_cli.hz.tf import tf_app  # noqa: E402
+
+hz_app.add_typer(users_app, name="users", help="Manage authorized users and tiers.")
+hz_app.add_typer(deploy_app, name="deploy", help="Deploy API, docking, or frontend.")
+hz_app.add_typer(local_app, name="local", help="Run local development servers.")
+hz_app.add_typer(test_app, name="test", help="Run integration test suites.")
+hz_app.add_typer(tf_app, name="tf", help="Terraform apply for Horizyn infrastructure.")

dh_cli-0.4.1/src/dh_cli/hz/deploy.py

@@ -0,0 +1,37 @@
+"""Deploy API server, docking service, or frontend."""
+
+import typer
+
+from dh_cli.hz import require_repo, run_script
+
+deploy_app = typer.Typer(context_settings={"help_option_names": ["-h", "--help"]})
+
+
+@deploy_app.command("api")
+def deploy_api(
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+):
+    """Build and deploy the Horizyn API server."""
+    repo = require_repo("horizyn-api")
+    script = repo / f"server/build-and-push-{env}.sh"
+    run_script(script, cwd=repo)
+
+
+@deploy_app.command("docking")
+def deploy_docking(
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+):
+    """Build and deploy the docking service."""
+    repo = require_repo("horizyn-api")
+    script = repo / f"docking_service/build-and-push-{env}.sh"
+    run_script(script, cwd=repo)
+
+
+@deploy_app.command("frontend")
+def deploy_frontend(
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+):
+    """Build and deploy the Horizyn frontend."""
+    repo = require_repo("horizyn-frontend")
+    script = repo / "scripts/deploy.sh"
+    run_script(script, args=[env], cwd=repo)

dh_cli-0.4.1/src/dh_cli/hz/local.py

@@ -0,0 +1,21 @@
+"""Run local development servers."""
+
+import typer
+
+from dh_cli.hz import require_repo, run_script
+
+local_app = typer.Typer(context_settings={"help_option_names": ["-h", "--help"]})
+
+
+@local_app.command("api")
+def local_api():
+    """Start the local Horizyn API server in Docker."""
+    repo = require_repo("horizyn-api")
+    run_script(repo / "server/run_local_server.sh", cwd=repo)
+
+
+@local_app.command("docking")
+def local_docking():
+    """Start the local docking service in Docker."""
+    repo = require_repo("horizyn-api")
+    run_script(repo / "docking_service/run_local_server.sh", cwd=repo)

dh_cli-0.4.1/src/dh_cli/hz/test.py

@@ -0,0 +1,111 @@
+"""Run integration test suites."""
+
+import re
+from pathlib import Path
+from typing import Optional
+
+import typer
+
+from dh_cli.hz import require_repo, run_script
+
+test_app = typer.Typer(context_settings={"help_option_names": ["-h", "--help"]})
+
+
+def _discover_suites(test_dir: Path) -> list[tuple[int, str, Path]]:
+    """Return sorted list of (number, name, path) for numbered test scripts."""
+    suites = []
+    for f in test_dir.glob("*.sh"):
+        m = re.match(r"^(\d+)_(.+)\.sh$", f.name)
+        if m:
+            suites.append((int(m.group(1)), m.group(2), f))
+    return sorted(suites, key=lambda t: t[0])
+
+
+def _resolve_suites(
+    available: list[tuple[int, str, Path]], selectors: list[str]
+) -> list[tuple[int, str, Path]]:
+    """Match selectors (numbers or name substrings) to available suites."""
+    matched = []
+    for sel in selectors:
+        sel = sel.strip()
+        found = False
+        if sel.isdigit():
+            num = int(sel)
+            for suite in available:
+                if suite[0] == num:
+                    matched.append(suite)
+                    found = True
+                    break
+        if not found:
+            for suite in available:
+                if sel.lower() in suite[1].lower():
+                    matched.append(suite)
+                    found = True
+                    break
+        if not found:
+            typer.echo(f"No suite matching '{sel}'.", err=True)
+            raise typer.Exit(1)
+    return matched
+
+
+@test_app.command("list")
+def list_tests(
+    target: str = typer.Option("local", "--target", "-t", help="local or deployed."),
+):
+    """Show available test suites."""
+    repo = require_repo("horizyn-api")
+    test_dir = repo / f"test/server/{target}"
+    if not test_dir.is_dir():
+        typer.echo(f"Test directory not found: {test_dir}", err=True)
+        raise typer.Exit(1)
+
+    suites = _discover_suites(test_dir)
+    typer.echo(f"\n  {target} test suites:\n")
+    for num, name, path in suites:
+        typer.echo(f"  {num:3d}  {name}")
+    typer.echo()
+
+
+@test_app.command("local")
+def test_local(
+    suites: Optional[list[str]] = typer.Argument(None, help="Suite numbers or names. Omit to run all."),
+):
+    """Run local integration tests."""
+    repo = require_repo("horizyn-api")
+    test_dir = repo / "test/server/local"
+
+    if not suites:
+        run_script(test_dir / "run_all_tests.sh", cwd=test_dir)
+        return
+
+    available = _discover_suites(test_dir)
+    selected = _resolve_suites(available, suites)
+
+    for num, name, path in selected:
+        typer.echo(f"\n{'='*60}")
+        typer.echo(f"  Running: {num}_{name}")
+        typer.echo(f"{'='*60}\n")
+        run_script(path, cwd=test_dir)
+
+
+@test_app.command("deployed")
+def test_deployed(
+    suites: Optional[list[str]] = typer.Argument(None, help="Suite numbers or names. Omit to run all."),
+    env: str = typer.Option("dev", "--env", "-e", help="Environment: dev or prod."),
+):
+    """Run deployed integration tests."""
+    repo = require_repo("horizyn-api")
+    test_dir = repo / "test/server/deployed"
+
+    if not suites:
+        run_script(test_dir / "run_all_tests.sh", args=[env], cwd=test_dir)
+        return
+
+    available = _discover_suites(test_dir)
+    selected = _resolve_suites(available, suites)
+
+    for num, name, path in selected:
+        typer.echo(f"\n{'='*60}")
+        typer.echo(f"  Running: {num}_{name}")
+        typer.echo(f"{'='*60}\n")
+        run_script(path, args=[env], cwd=test_dir)

dh_cli-0.4.1/src/dh_cli/hz/tf.py

@@ -0,0 +1,53 @@
+"""Terraform deployments for Horizyn infrastructure."""
+
+import typer
+
+from dh_cli.hz import require_repo, run_script
+
+tf_app = typer.Typer(context_settings={"help_option_names": ["-h", "--help"]})
+
+TF_MODULES = {
+    ("api", "dev"): "terraform/environments/dev/horizyn_api/api",
+    ("api", "prod"): "terraform/environments/dev/horizyn_api_prod",
+    ("frontend", "dev"): "terraform/environments/dev/horizyn_frontend",
+    ("frontend", "prod"): "terraform/environments/dev/horizyn_frontend_prod",
+    ("docking", "dev"): "terraform/environments/dev/boltz_docking/service",
+    ("docking", "prod"): "terraform/environments/dev/boltz_docking_prod/service",
+}
+
+
+def _run_tf(target: str, env: str, action: str) -> None:
+    repo = require_repo("blueprints")
+    module_path = TF_MODULES.get((target, env))
+    if not module_path:
+        typer.echo(f"Unknown combination: {target} / {env}", err=True)
+        raise typer.Exit(1)
+    script = repo / "scripts/terraform-deploy"
+    run_script(script, args=[module_path, action], cwd=repo)
+
+
+@tf_app.command("api")
+def tf_api(
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+    yolo: bool = typer.Option(False, "--yolo", help="Auto-approve (no confirmation prompt)."),
+):
+    """Terraform apply for the Horizyn API server."""
+    _run_tf("api", env, "yolo" if yolo else "plan")
+
+
+@tf_app.command("frontend")
+def tf_frontend(
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+    yolo: bool = typer.Option(False, "--yolo", help="Auto-approve (no confirmation prompt)."),
+):
+    """Terraform apply for the Horizyn frontend."""
+    _run_tf("frontend", env, "yolo" if yolo else "plan")
+
+
+@tf_app.command("docking")
+def tf_docking(
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+    yolo: bool = typer.Option(False, "--yolo", help="Auto-approve (no confirmation prompt)."),
+):
+    """Terraform apply for the Boltz docking service."""
+    _run_tf("docking", env, "yolo" if yolo else "plan")

dh_cli-0.4.1/src/dh_cli/hz/users.py

@@ -0,0 +1,179 @@
+"""User management via SSM parameters."""
+
+import typer
+
+users_app = typer.Typer(context_settings={"help_option_names": ["-h", "--help"]})
+
+SSM_PARAMS = {
+    "allowed_emails": "/horizyn/{env}/auth/allowed_emails",
+    "allowed_domains": "/horizyn/{env}/auth/allowed_domains",
+    "admin_domains": "/horizyn/{env}/auth/admin_domains",
+    "admin_emails": "/horizyn/{env}/auth/admin_emails",
+    "alpha_emails": "/horizyn/{env}/auth/alpha_emails",
+}
+
+
+def _ssm_client():
+    import boto3
+
+    return boto3.client("ssm", region_name="us-east-1")
+
+
+def _get_param(ssm, name: str) -> str:
+    try:
+        resp = ssm.get_parameter(Name=name)
+        return resp["Parameter"]["Value"]
+    except ssm.exceptions.ParameterNotFound:
+        return ""
+
+
+def _put_param(ssm, name: str, value: str) -> None:
+    ssm.put_parameter(Name=name, Value=value, Type="String", Overwrite=True)
+    typer.echo(f"Updated {name}")
+
+
+def _parse_csv(raw: str) -> set[str]:
+    return {e.strip().lower() for e in raw.split(",") if e.strip()}
+
+
+def _format_csv(emails: set[str]) -> str:
+    return ",".join(sorted(emails))
+
+
+@users_app.command("list")
+def list_users(
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+):
+    """Show all authorized users and their tiers."""
+    ssm = _ssm_client()
+
+    admin_domains = _parse_csv(_get_param(ssm, SSM_PARAMS["admin_domains"].format(env=env)))
+    admin_emails = _parse_csv(_get_param(ssm, SSM_PARAMS["admin_emails"].format(env=env)))
+    alpha_emails = _parse_csv(_get_param(ssm, SSM_PARAMS["alpha_emails"].format(env=env)))
+    allowed_domains = _parse_csv(_get_param(ssm, SSM_PARAMS["allowed_domains"].format(env=env)))
+    allowed_emails = _parse_csv(_get_param(ssm, SSM_PARAMS["allowed_emails"].format(env=env)))
+
+    typer.echo(f"\n  Horizyn users ({env})\n")
+
+    def _print_section(label: str, items: set[str]) -> None:
+        typer.echo(f"  {label}:")
+        if not items:
+            typer.echo("    (none)")
+        else:
+            for item in sorted(items):
+                typer.echo(f"    {item}")
+
+    _print_section("Admin domains", admin_domains)
+    _print_section("Admin emails", admin_emails)
+    _print_section("Alpha emails", alpha_emails)
+    _print_section("Allowed domains", allowed_domains)
+    _print_section("Allowed emails", allowed_emails)
+    typer.echo()
+
+
+@users_app.command("add")
+def add_user(
+    email: str = typer.Argument(help="Email address to add."),
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+    tier: str = typer.Option("beta", "--tier", "-t", help="Tier: beta or alpha."),
+):
+    """Add a user to the authorized emails list (and optionally set tier)."""
+    email = email.strip().lower()
+    ssm = _ssm_client()
+
+    allowed = _parse_csv(_get_param(ssm, SSM_PARAMS["allowed_emails"].format(env=env)))
+    if email in allowed:
+        typer.echo(f"{email} is already in allowed_emails for {env}.")
+    else:
+        allowed.add(email)
+        _put_param(ssm, SSM_PARAMS["allowed_emails"].format(env=env), _format_csv(allowed))
+
+    if tier == "alpha":
+        alphas = _parse_csv(_get_param(ssm, SSM_PARAMS["alpha_emails"].format(env=env)))
+        if email in alphas:
+            typer.echo(f"{email} is already in alpha_emails for {env}.")
+        else:
+            alphas.add(email)
+            _put_param(ssm, SSM_PARAMS["alpha_emails"].format(env=env), _format_csv(alphas))
+
+
+@users_app.command("remove")
+def remove_user(
+    email: str = typer.Argument(help="Email address to remove."),
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+):
+    """Remove a user from all email lists for the given environment."""
+    email = email.strip().lower()
+    ssm = _ssm_client()
+
+    for param_key in ("allowed_emails", "admin_emails", "alpha_emails"):
+        param_name = SSM_PARAMS[param_key].format(env=env)
+        current = _parse_csv(_get_param(ssm, param_name))
+        if email in current:
+            current.discard(email)
+            _put_param(ssm, param_name, _format_csv(current))
+            typer.echo(f"  Removed {email} from {param_key}")
+
+
+@users_app.command("promote")
+def promote_user(
+    email: str = typer.Argument(help="Email address to promote."),
+    tier: str = typer.Option(..., "--tier", "-t", help="Target tier: alpha."),
+    env: str = typer.Option("prod", "--env", "-e", help="Environment: prod or dev."),
+):
+    """Promote a user to a higher tier."""
+    email = email.strip().lower()
+
+    if tier not in ("alpha",):
+        typer.echo("Only --tier alpha is supported. Admin is domain-based.", err=True)
+        raise typer.Exit(1)
+
+    ssm = _ssm_client()
+
+    allowed = _parse_csv(_get_param(ssm, SSM_PARAMS["allowed_emails"].format(env=env)))
+    if email not in allowed:
+        typer.echo(f"{email} is not in allowed_emails for {env}. Add them first.", err=True)
+        raise typer.Exit(1)
+
+    alphas = _parse_csv(_get_param(ssm, SSM_PARAMS["alpha_emails"].format(env=env)))
+    if email in alphas:
+        typer.echo(f"{email} is already alpha in {env}.")
+    else:
+        alphas.add(email)
+        _put_param(ssm, SSM_PARAMS["alpha_emails"].format(env=env), _format_csv(alphas))
+
+
+@users_app.command("find")
+def find_user(
+    email: str = typer.Argument(help="Email address to search for."),
+):
+    """Search for a user across both prod and dev environments."""
+    email = email.strip().lower()
+    ssm = _ssm_client()
+
+    domain = email.split("@")[-1] if "@" in email else ""
+
+    typer.echo(f"\n  Searching for: {email}\n")
+
+    for env in ("prod", "dev"):
+        matches: list[str] = []
+
+        for param_key in SSM_PARAMS:
+            param_name = SSM_PARAMS[param_key].format(env=env)
+            values = _parse_csv(_get_param(ssm, param_name))
+
+            if param_key.endswith("_domains"):
+                if domain and domain in values:
+                    matches.append(f"{param_key} (via @{domain})")
+            else:
+                if email in values:
+                    matches.append(param_key)
+
+        if matches:
+            typer.echo(f"  {env}: found")
+            for m in matches:
+                typer.echo(f"    - {m}")
+        else:
+            typer.echo(f"  {env}: not found")
+
+    typer.echo()

{dh_cli-0.3.2 → dh_cli-0.4.1}/src/dh_cli/main.py

@@ -33,6 +33,11 @@ app.add_typer(gcp_app, name="gcp", help="Manage GCP authentication and impersona
 app.add_typer(aws_app, name="aws", help="Manage AWS SSO authentication.")
 app.add_typer(gh_app, name="gh", help="Manage GitHub authentication.")
 
+# Horizyn API management
+from dh_cli.hz import hz_app
+
+app.add_typer(hz_app, name="hz", help="Manage Horizyn API: users, deployments, tests.")
+
 
 # Engine and Studio commands (v2 - Click-based, passthrough wrapper)
 @app.command(

dh_cli-0.4.1/tests/hz/test_init.py

@@ -0,0 +1,68 @@
+"""Tests for dh hz workspace discovery and repo resolution."""
+
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+from click.exceptions import Exit
+
+from dh_cli.hz import _find_workspace_root, require_repo
+
+
+class TestFindWorkspaceRoot:
+    def test_uses_workspace_root_env_var(self, tmp_path):
+        with patch.dict("os.environ", {"WORKSPACE_ROOT": str(tmp_path)}):
+            assert _find_workspace_root() == tmp_path
+
+    def test_falls_back_to_scanning_workspaces(self, tmp_path):
+        user_dir = tmp_path / "alice"
+        user_dir.mkdir()
+
+        with (
+            patch.dict("os.environ", {"WORKSPACE_ROOT": ""}),
+            patch("dh_cli.hz.Path") as mock_path,
+        ):
+            # WORKSPACE_ROOT="" → falsy, so it hits the scan branch
+            # Make Path("/workspaces") return something that iterates to user_dir
+            def path_factory(arg):
+                if arg == "/workspaces":
+                    p = Path(tmp_path)
+                    return p
+                return Path(arg)
+
+            mock_path.side_effect = path_factory
+
+            result = _find_workspace_root()
+            assert result == user_dir
+
+    def test_exits_when_nothing_found(self, tmp_path):
+        empty_ws = tmp_path / "empty_workspaces"
+        empty_ws.mkdir()
+
+        with (
+            patch.dict("os.environ", {"WORKSPACE_ROOT": ""}),
+            patch("dh_cli.hz.Path") as mock_path,
+        ):
+            def path_factory(arg):
+                if arg == "/workspaces":
+                    return Path(empty_ws)
+                return Path(arg)
+
+            mock_path.side_effect = path_factory
+
+            with pytest.raises(Exit):
+                _find_workspace_root()
+
+
+class TestRequireRepo:
+    def test_returns_repo_path(self, tmp_path):
+        repo = tmp_path / "horizyn-api"
+        repo.mkdir()
+
+        with patch("dh_cli.hz._find_workspace_root", return_value=tmp_path):
+            assert require_repo("horizyn-api") == repo
+
+    def test_exits_when_repo_missing(self, tmp_path):
+        with patch("dh_cli.hz._find_workspace_root", return_value=tmp_path):
+            with pytest.raises(Exit):
+                require_repo("horizyn-api")

dh_cli-0.4.1/tests/hz/test_suites.py

@@ -0,0 +1,102 @@
+"""Tests for dh hz test suite discovery and resolution."""
+
+from pathlib import Path
+
+import pytest
+from click.exceptions import Exit
+
+from dh_cli.hz.test import _discover_suites, _resolve_suites
+
+
+@pytest.fixture
+def test_dir(tmp_path):
+    """Create a fake test directory with numbered scripts."""
+    scripts = [
+        "1_fast.sh",
+        "2_full_sets.sh",
+        "3_custom_sets.sh",
+        "10_error_handling.sh",
+        "20_feature_bundle.sh",
+        "common.sh",
+        "run_all_tests.sh",
+    ]
+    for name in scripts:
+        (tmp_path / name).write_text("#!/bin/bash\necho test")
+    return tmp_path
+
+
+class TestDiscoverSuites:
+    def test_finds_numbered_scripts(self, test_dir):
+        suites = _discover_suites(test_dir)
+        numbers = [s[0] for s in suites]
+        assert numbers == [1, 2, 3, 10, 20]
+
+    def test_extracts_names(self, test_dir):
+        suites = _discover_suites(test_dir)
+        names = [s[1] for s in suites]
+        assert "fast" in names
+        assert "full_sets" in names
+        assert "feature_bundle" in names
+
+    def test_excludes_non_numbered_scripts(self, test_dir):
+        suites = _discover_suites(test_dir)
+        names = [s[1] for s in suites]
+        assert "common" not in names
+        assert "run_all_tests" not in names
+
+    def test_returns_correct_paths(self, test_dir):
+        suites = _discover_suites(test_dir)
+        for num, name, path in suites:
+            assert path.exists()
+            assert path.name == f"{num}_{name}.sh"
+
+    def test_sorted_by_number(self, test_dir):
+        suites = _discover_suites(test_dir)
+        numbers = [s[0] for s in suites]
+        assert numbers == sorted(numbers)
+
+    def test_empty_directory(self, tmp_path):
+        assert _discover_suites(tmp_path) == []
+
+
+class TestResolveSuites:
+    @pytest.fixture
+    def available(self, test_dir):
+        return _discover_suites(test_dir)
+
+    def test_resolve_by_number(self, available):
+        result = _resolve_suites(available, ["1"])
+        assert len(result) == 1
+        assert result[0][0] == 1
+
+    def test_resolve_multiple_numbers(self, available):
+        result = _resolve_suites(available, ["1", "3", "20"])
+        assert [s[0] for s in result] == [1, 3, 20]
+
+    def test_resolve_by_name(self, available):
+        result = _resolve_suites(available, ["fast"])
+        assert len(result) == 1
+        assert result[0][1] == "fast"
+
+    def test_resolve_by_name_substring(self, available):
+        result = _resolve_suites(available, ["error"])
+        assert len(result) == 1
+        assert result[0][1] == "error_handling"
+
+    def test_resolve_mixed_numbers_and_names(self, available):
+        result = _resolve_suites(available, ["1", "error"])
+        assert len(result) == 2
+        assert result[0][0] == 1
+        assert result[1][1] == "error_handling"
+
+    def test_unknown_selector_exits(self, available):
+        with pytest.raises(Exit):
+            _resolve_suites(available, ["999"])
+
+    def test_unknown_name_exits(self, available):
+        with pytest.raises(Exit):
+            _resolve_suites(available, ["nonexistent"])
+
+    def test_name_match_is_case_insensitive(self, available):
+        result = _resolve_suites(available, ["FAST"])
+        assert result[0][1] == "fast"

dh_cli-0.4.1/tests/hz/test_users.py

@@ -0,0 +1,208 @@
+"""Tests for dh hz users SSM management."""
+
+from unittest.mock import MagicMock, patch
+
+import pytest
+from click.exceptions import Exit
+
+from dh_cli.hz.users import _format_csv, _parse_csv
+
+
+class TestParseCSV:
+    def test_parses_comma_separated(self):
+        assert _parse_csv("alice@x.com,bob@y.com") == {"alice@x.com", "bob@y.com"}
+
+    def test_strips_whitespace(self):
+        assert _parse_csv(" alice@x.com , bob@y.com ") == {"alice@x.com", "bob@y.com"}
+
+    def test_lowercases(self):
+        assert _parse_csv("Alice@X.COM") == {"alice@x.com"}
+
+    def test_empty_string(self):
+        assert _parse_csv("") == set()
+
+    def test_trailing_comma(self):
+        assert _parse_csv("alice@x.com,") == {"alice@x.com"}
+
+    def test_deduplicates(self):
+        assert _parse_csv("a@x.com,a@x.com") == {"a@x.com"}
+
+
+class TestFormatCSV:
+    def test_sorts_alphabetically(self):
+        assert _format_csv({"bob@y.com", "alice@x.com"}) == "alice@x.com,bob@y.com"
+
+    def test_empty_set(self):
+        assert _format_csv(set()) == ""
+
+    def test_single_email(self):
+        assert _format_csv({"alice@x.com"}) == "alice@x.com"
+
+
+class TestAddUser:
+    def _make_ssm(self, params: dict[str, str]):
+        """Create a mock SSM client with given param values."""
+        ssm = MagicMock()
+
+        not_found = type("ParameterNotFound", (Exception,), {})
+        ssm.exceptions.ParameterNotFound = not_found
+
+        def get_parameter(Name):
+            if Name in params:
+                return {"Parameter": {"Value": params[Name]}}
+            raise not_found()
+
+        ssm.get_parameter.side_effect = get_parameter
+
+        def put_parameter(Name, Value, Type, Overwrite):
+            params[Name] = Value
+
+        ssm.put_parameter.side_effect = put_parameter
+        return ssm
+
+    def test_add_beta_user(self):
+        params = {"/horizyn/prod/auth/allowed_emails": "existing@x.com"}
+        ssm = self._make_ssm(params)
+
+        with patch("dh_cli.hz.users._ssm_client", return_value=ssm):
+            from dh_cli.hz.users import add_user
+
+            # Invoke the typer command's underlying logic
+            ctx = MagicMock()
+            add_user("new@y.com", env="prod", tier="beta")
+
+        assert "new@y.com" in params["/horizyn/prod/auth/allowed_emails"]
+        assert "existing@x.com" in params["/horizyn/prod/auth/allowed_emails"]
+
+    def test_add_alpha_user(self):
+        params = {
+            "/horizyn/prod/auth/allowed_emails": "existing@x.com",
+            "/horizyn/prod/auth/alpha_emails": "",
+        }
+        ssm = self._make_ssm(params)
+
+        with patch("dh_cli.hz.users._ssm_client", return_value=ssm):
+            from dh_cli.hz.users import add_user
+
+            add_user("new@y.com", env="prod", tier="alpha")
+
+        assert "new@y.com" in params["/horizyn/prod/auth/allowed_emails"]
+        assert "new@y.com" in params["/horizyn/prod/auth/alpha_emails"]
+
+    def test_add_existing_user_is_idempotent(self):
+        params = {"/horizyn/prod/auth/allowed_emails": "existing@x.com"}
+        ssm = self._make_ssm(params)
+
+        with patch("dh_cli.hz.users._ssm_client", return_value=ssm):
+            from dh_cli.hz.users import add_user
+
+            add_user("existing@x.com", env="prod", tier="beta")
+
+        ssm.put_parameter.assert_not_called()
+
+
+class TestRemoveUser:
+    def _make_ssm(self, params: dict[str, str]):
+        ssm = MagicMock()
+
+        not_found = type("ParameterNotFound", (Exception,), {})
+        ssm.exceptions.ParameterNotFound = not_found
+
+        def get_parameter(Name):
+            if Name in params:
+                return {"Parameter": {"Value": params[Name]}}
+            raise not_found()
+
+        ssm.get_parameter.side_effect = get_parameter
+
+        def put_parameter(Name, Value, Type, Overwrite):
+            params[Name] = Value
+
+        ssm.put_parameter.side_effect = put_parameter
+        return ssm
+
+    def test_remove_from_all_lists(self):
+        params = {
+            "/horizyn/prod/auth/allowed_emails": "alice@x.com,bob@y.com",
+            "/horizyn/prod/auth/admin_emails": "alice@x.com",
+            "/horizyn/prod/auth/alpha_emails": "alice@x.com",
+        }
+        ssm = self._make_ssm(params)
+
+        with patch("dh_cli.hz.users._ssm_client", return_value=ssm):
+            from dh_cli.hz.users import remove_user
+
+            remove_user("alice@x.com", env="prod")
+
+        assert "alice@x.com" not in params["/horizyn/prod/auth/allowed_emails"]
+        assert "bob@y.com" in params["/horizyn/prod/auth/allowed_emails"]
+        assert "alice@x.com" not in params["/horizyn/prod/auth/admin_emails"]
+        assert "alice@x.com" not in params["/horizyn/prod/auth/alpha_emails"]
+
+    def test_remove_nonexistent_user_is_noop(self):
+        params = {
+            "/horizyn/prod/auth/allowed_emails": "bob@y.com",
+            "/horizyn/prod/auth/admin_emails": "",
+            "/horizyn/prod/auth/alpha_emails": "",
+        }
+        ssm = self._make_ssm(params)
+
+        with patch("dh_cli.hz.users._ssm_client", return_value=ssm):
+            from dh_cli.hz.users import remove_user
+
+            remove_user("ghost@z.com", env="prod")
+
+        ssm.put_parameter.assert_not_called()
+
+
+class TestPromoteUser:
+    def _make_ssm(self, params: dict[str, str]):
+        ssm = MagicMock()
+
+        not_found = type("ParameterNotFound", (Exception,), {})
+        ssm.exceptions.ParameterNotFound = not_found
+
+        def get_parameter(Name):
+            if Name in params:
+                return {"Parameter": {"Value": params[Name]}}
+            raise not_found()
+
+        ssm.get_parameter.side_effect = get_parameter
+
+        def put_parameter(Name, Value, Type, Overwrite):
+            params[Name] = Value
+
+        ssm.put_parameter.side_effect = put_parameter
+        return ssm
+
+    def test_promote_to_alpha(self):
+        params = {
+            "/horizyn/prod/auth/allowed_emails": "alice@x.com",
+            "/horizyn/prod/auth/alpha_emails": "",
+        }
+        ssm = self._make_ssm(params)
+
+        with patch("dh_cli.hz.users._ssm_client", return_value=ssm):
+            from dh_cli.hz.users import promote_user
+
+            promote_user("alice@x.com", tier="alpha", env="prod")
+
+        assert "alice@x.com" in params["/horizyn/prod/auth/alpha_emails"]
+
+    def test_promote_nonexistent_user_exits(self):
+        params = {
+            "/horizyn/prod/auth/allowed_emails": "bob@y.com",
+        }
+        ssm = self._make_ssm(params)
+
+        with patch("dh_cli.hz.users._ssm_client", return_value=ssm):
+            from dh_cli.hz.users import promote_user
+
+            with pytest.raises(Exit):
+                promote_user("ghost@z.com", tier="alpha", env="prod")
+
+    def test_promote_invalid_tier_exits(self):
+        with pytest.raises(Exit):
+            from dh_cli.hz.users import promote_user
+
+            promote_user("alice@x.com", tier="superadmin", env="prod")