dh-cli 0.4.4__tar.gz → 0.5.0__tar.gz

{dh_cli-0.4.4 → dh_cli-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dh-cli
-Version: 0.4.4
+Version: 0.5.0
 Summary: Dayhoff Labs developer CLI
 Author-email: Dayhoff Labs <dev@dayhofflabs.com>
 License: # PolyForm Noncommercial License 1.0.0

{dh_cli-0.4.4 → dh_cli-0.5.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "dh-cli"
-version = "0.4.4"
+version = "0.5.0"
 description = "Dayhoff Labs developer CLI"
 requires-python = ">=3.11"
 readme = "README.md"

{dh_cli-0.4.4 → dh_cli-0.5.0}/src/dh_cli/batch/__init__.py

@@ -12,6 +12,7 @@ import click
 
 from .commands.boltz import boltz
 from .commands.cancel import cancel
+from .commands.orca import orca
 from .commands.clean import clean
 from .commands.embed_t5 import embed_t5
 from .commands.finalize import finalize
@@ -99,6 +100,7 @@ batch_cli.add_command(wait_for, name="wait-for")
 batch_cli.add_command(embed_t5, name="embed-t5")
 batch_cli.add_command(boltz)
 batch_cli.add_command(protmpnn)
+batch_cli.add_command(orca)
 batch_cli.add_command(protmpnn_to_boltz, name="protmpnn-to-boltz")
 batch_cli.add_command(train)
 

dh_cli-0.5.0/src/dh_cli/batch/commands/orca.py

@@ -0,0 +1,352 @@
+"""ORCA quantum chemistry batch pipeline command.
+
+Unlike Boltz/ProtMPNN, ORCA jobs are typically one-per-submission (each
+calculation runs for hours). Multiple .inp files are submitted as separate
+Batch jobs, not as an array job.
+"""
+
+import os
+import shutil
+from pathlib import Path
+
+import click
+
+from ..aws_batch import BatchClient, BatchError, resolve_dependency
+from ..job_id import generate_job_id, get_aws_username
+from ..manifest import (
+    BATCH_JOBS_BASE,
+    BatchConfig,
+    InputConfig,
+    JobManifest,
+    JobStatus,
+    OutputConfig,
+    create_job_directory,
+    save_manifest,
+    save_manifest_s3,
+    save_local_stub,
+)
+from ..s3_transport import s3_job_prefix, upload_directory
+
+DEFAULT_QUEUE = "cpu-ondemand"
+DEFAULT_JOB_DEFINITION = "dayhoff-orca"
+DEFAULT_IMAGE_URI = (
+    "074735440724.dkr.ecr.us-east-1.amazonaws.com/dayhoff:orca-latest"
+)
+DEFAULT_VCPUS = 16
+DEFAULT_MEMORY_MB = 64000
+DEFAULT_TIMEOUT_H = 24
+
+S3_MAX_FILES = 100
+
+
+def _is_primordial_path(path: Path) -> bool:
+    return str(path).startswith("/primordial/")
+
+
+def _find_inp_files(input_path: Path) -> list[Path]:
+    """Find .inp files — either a single file or all files in a directory."""
+    if input_path.is_file() and input_path.suffix == ".inp":
+        return [input_path]
+    if input_path.is_dir():
+        return sorted(input_path.glob("*.inp"))
+    return []
+
+
+@click.command()
+@click.argument("input_path", type=click.Path(exists=True))
+@click.option(
+    "--queue", default=DEFAULT_QUEUE,
+    help=f"Batch queue [default: {DEFAULT_QUEUE}]",
+)
+@click.option(
+    "--vcpus", default=DEFAULT_VCPUS, type=int,
+    help=f"vCPUs per job [default: {DEFAULT_VCPUS}]",
+)
+@click.option(
+    "--memory", default=DEFAULT_MEMORY_MB, type=int,
+    help=f"Memory in MB per job [default: {DEFAULT_MEMORY_MB}]",
+)
+@click.option(
+    "--timeout", "timeout_h", default=DEFAULT_TIMEOUT_H, type=float,
+    help=f"Timeout in hours per job [default: {DEFAULT_TIMEOUT_H}]",
+)
+@click.option(
+    "--local", "run_local", is_flag=True,
+    help="Run ORCA locally in a Docker container instead of Batch",
+)
+@click.option(
+    "--shell", "run_shell", is_flag=True,
+    help="Drop into container shell for debugging",
+)
+@click.option("--dry-run", is_flag=True, help="Show plan without submitting")
+@click.option("--base-path", default=BATCH_JOBS_BASE, help="Base path for job data")
+@click.option(
+    "--after", multiple=True,
+    help="Job ID(s) to wait for before starting",
+)
+def orca(input_path, queue, vcpus, memory, timeout_h, run_local, run_shell,
+         dry_run, base_path, after):
+    """Run ORCA DFT calculations on AWS Batch.
+
+    INPUT_PATH can be a single .inp file or a directory of .inp files.
+    Each .inp file is submitted as a separate Batch job (ORCA calculations
+    are long-running, so array jobs are not used).
+
+    \b
+    Examples:
+      # Submit a single calculation
+      dh batch orca /primordial/calculations/ts_opt.inp
+
+      # Submit all .inp files in a directory
+      dh batch orca /primordial/calculations/
+
+      # Use more CPUs for a heavy job
+      dh batch orca ts_opt.inp --vcpus 32 --memory 128000
+
+      # Test locally in container
+      dh batch orca ts_opt.inp --local
+
+    \b
+    After job completes:
+      dh batch status <job-id>
+      dh batch logs <job-id>
+      dh batch finalize <job-id> --output /primordial/results/
+    """
+    path = Path(input_path).resolve()
+
+    if run_shell:
+        _run_shell_mode(path)
+        return
+
+    if run_local:
+        _run_local_mode(path, vcpus)
+        return
+
+    _submit_batch_jobs(path, queue, vcpus, memory, timeout_h, dry_run,
+                       base_path, after)
+
+
+def _submit_batch_jobs(
+    input_path: Path,
+    queue: str,
+    vcpus: int,
+    memory: int,
+    timeout_h: float,
+    dry_run: bool,
+    base_path: str,
+    after: tuple[str, ...] = (),
+):
+    """Submit ORCA job(s) to AWS Batch."""
+    inp_files = _find_inp_files(input_path)
+
+    if not inp_files:
+        click.echo(
+            click.style("Error: No .inp files found", fg="red"), err=True,
+        )
+        raise SystemExit(1)
+
+    click.echo(f"Found {len(inp_files)} ORCA input file(s)")
+
+    use_s3 = not _is_primordial_path(input_path)
+    if use_s3 and len(inp_files) > S3_MAX_FILES:
+        click.echo(f"Error: {len(inp_files)} files exceeds S3 limit ({S3_MAX_FILES}).")
+        click.echo("Copy inputs to /primordial/ for large jobs.")
+        raise SystemExit(1)
+
+    timeout_s = int(timeout_h * 3600)
+
+    for inp_file in inp_files:
+        job_id = generate_job_id("orca")
+
+        click.echo()
+        click.echo(f"Job ID:          {job_id}")
+        click.echo(f"Input:           {inp_file.name}")
+        click.echo(f"Queue:           {queue}")
+        click.echo(f"vCPUs:           {vcpus}")
+        click.echo(f"Memory:          {memory} MB")
+        click.echo(f"Timeout:         {timeout_h}h")
+        click.echo(f"Job definition:  {DEFAULT_JOB_DEFINITION}")
+        click.echo(f"Storage:         {'S3' if use_s3 else 'Primordial'}")
+
+        if dry_run:
+            click.echo(click.style("  Dry run — not submitted", fg="yellow"))
+            continue
+
+        if len(inp_files) == 1 and not click.confirm("\nSubmit job?", default=True):
+            click.echo("Cancelled.")
+            raise SystemExit(0)
+
+        s3_prefix = s3_job_prefix(job_id) if use_s3 else None
+        job_dir_path = Path(base_path) / job_id
+
+        if use_s3:
+            click.echo("Uploading input to S3...")
+            upload_directory(inp_file.parent, f"{s3_prefix}input/", glob=inp_file.name)
+        else:
+            job_dir_path = create_job_directory(job_id, base_path)
+            inp_dest = job_dir_path / "input"
+            inp_dest.mkdir(parents=True, exist_ok=True)
+            shutil.copy2(inp_file, inp_dest / inp_file.name)
+            click.echo(f"Copied {inp_file.name} to {inp_dest}")
+
+        manifest = JobManifest(
+            job_id=job_id,
+            user=job_id.split("-")[0],
+            pipeline="orca",
+            status=JobStatus.PENDING,
+            image_uri=DEFAULT_IMAGE_URI,
+            storage_mode="s3" if use_s3 else "primordial",
+            s3_prefix=s3_prefix,
+            input=InputConfig(
+                source=str(inp_file),
+                num_sequences=1,
+                num_chunks=1,
+            ),
+            batch=BatchConfig(
+                queue=queue,
+                job_definition=DEFAULT_JOB_DEFINITION,
+                array_size=None,  # Single job, not array
+            ),
+            output=OutputConfig(destination=None, finalized=False),
+            depends_on=list(after) if after else None,
+        )
+
+        if use_s3:
+            save_manifest_s3(manifest)
+            save_local_stub(job_id, s3_prefix)
+        else:
+            save_manifest(manifest, base_path)
+
+        try:
+            resolved = [resolve_dependency(jid, base_path) for jid in after]
+            depends_on = (
+                [{"jobId": aws_id} for aws_id in resolved if aws_id is not None]
+                or None
+            )
+
+            client = BatchClient()
+            environment = {
+                "JOB_DIR": str(job_dir_path),
+                "JOB_ID": job_id,
+                "BATCH_ARRAY_SIZE": "1",
+                "BATCH_NUM_FILES": "1",
+            }
+            if use_s3:
+                environment["STORAGE_MODE"] = "s3"
+                environment["S3_JOB_PREFIX"] = s3_prefix
+
+            batch_job_id = client.submit_job(
+                job_name=job_id,
+                job_definition=DEFAULT_JOB_DEFINITION,
+                job_queue=queue,
+                array_size=None,  # Single job
+                environment=environment,
+                timeout_seconds=timeout_s,
+                retry_attempts=2,
+                depends_on=depends_on,
+                share_identifier=get_aws_username(),
+                vcpus=vcpus,
+                memory_mb=memory,
+            )
+
+            manifest.status = JobStatus.SUBMITTED
+            manifest.batch.job_id = batch_job_id
+            if use_s3:
+                save_manifest_s3(manifest)
+            else:
+                save_manifest(manifest, base_path)
+
+            click.echo()
+            click.echo(click.style("Job submitted!", fg="green"))
+            click.echo(f"  AWS Job ID:  {batch_job_id}")
+            click.echo(f"  Status:      dh batch status {job_id}")
+            click.echo(f"  Logs:        dh batch logs {job_id}")
+
+        except BatchError as e:
+            manifest.status = JobStatus.FAILED
+            manifest.error_message = str(e)
+            if use_s3:
+                save_manifest_s3(manifest)
+            else:
+                save_manifest(manifest, base_path)
+            click.echo(
+                click.style(f"Failed to submit: {e}", fg="red"), err=True,
+            )
+            raise SystemExit(1)
+
+    if dry_run:
+        click.echo()
+        click.echo(click.style("Dry run complete — no jobs submitted", fg="yellow"))
+
+
+def _run_local_mode(input_path: Path, vcpus: int = DEFAULT_VCPUS):
+    """Run ORCA locally in a Docker container."""
+    import subprocess
+
+    inp_files = _find_inp_files(input_path)
+    if not inp_files:
+        click.echo(click.style("Error: No .inp files found", fg="red"), err=True)
+        raise SystemExit(1)
+
+    inp_file = inp_files[0]
+    click.echo(f"Running ORCA locally: {inp_file.name}")
+
+    work_dir = inp_file.parent
+    job_dir = work_dir / ".local_orca_job"
+    inp_dir = job_dir / "input"
+    if job_dir.exists():
+        shutil.rmtree(job_dir)
+    inp_dir.mkdir(parents=True)
+    (job_dir / "output").mkdir()
+    shutil.copy2(inp_file, inp_dir / inp_file.name)
+
+    cmd = [
+        "docker", "run", "--rm",
+        "-v", "/primordial:/primordial:ro",
+        "-v", f"{job_dir}:{job_dir}",
+        "-e", f"JOB_DIR={job_dir}",
+        "-e", "AWS_BATCH_JOB_ARRAY_INDEX=0",
+        "-e", "BATCH_ARRAY_SIZE=1",
+        "-e", "BATCH_NUM_FILES=1",
+        DEFAULT_IMAGE_URI,
+    ]
+
+    click.echo(f"Output: {job_dir / 'output'}")
+    click.echo()
+
+    result = subprocess.run(cmd)
+    if result.returncode != 0:
+        click.echo(
+            click.style(f"Container exited with code {result.returncode}", fg="red"),
+            err=True,
+        )
+        raise SystemExit(result.returncode)
+
+    output_dir = job_dir / "output"
+    outputs = list(output_dir.rglob("*.out"))
+    if outputs:
+        click.echo()
+        click.echo(click.style("ORCA completed!", fg="green"))
+        for f in outputs:
+            click.echo(f"  {f}")
+    else:
+        click.echo(click.style("Warning: No .out files found", fg="yellow"))
+
+
+def _run_shell_mode(input_path: Path):
+    """Drop into container shell for debugging."""
+    import subprocess
+
+    click.echo("Dropping into ORCA container shell...")
+
+    mount_path = input_path if input_path.is_dir() else input_path.parent
+    cmd = [
+        "docker", "run", "--rm", "-it",
+        "-v", "/primordial:/primordial:ro",
+        "-v", f"{mount_path}:/work",
+        "--entrypoint", "/bin/bash",
+        DEFAULT_IMAGE_URI,
+    ]
+
+    click.echo(f"Input available at: /work/")
+    subprocess.run(cmd)

{dh_cli-0.4.4 → dh_cli-0.5.0}/src/dh_cli/cloud_commands.py

@@ -1,9 +1,8 @@
 """CLI commands for cloud provider authentication and management.
 
 This module provides commands for authenticating with GCP and AWS from within
-development containers. It handles both immediate shell environment configuration
-via the --export flag (deprecated for GCP) and persistent configuration via
-shell RC files (AWS only) or gcloud config settings (GCP).
+development containers. It handles persistent configuration via shell RC files
+(AWS only) or gcloud config settings (GCP).
 
 The implementation focuses on:
 1. Unifying cloud authentication with the `dh` CLI tool
@@ -27,7 +26,6 @@ import questionary
 import typer
 
 # --- Configuration ---
-GCP_DEVCON_SA = "devcon@enzyme-discovery.iam.gserviceaccount.com"
 GCP_PROJECT_ID = "enzyme-discovery"
 AWS_DEFAULT_PROFILE = "dev-devaccess"
 AWS_CONFIG_FILE = Path.home() / ".aws" / "config"
@@ -134,26 +132,17 @@ def _get_env_var(variable: str) -> Optional[str]:
 
 # --- GCP Functions ---
 
-# New approach: Use gcloud config settings instead of environment variables
-# for impersonation and project settings. This avoids modifying RC files
-# and the need for `eval "$(dh gcp use-... --export)"`.
-# ADC is updated during the initial `dh gcp login` for the user.
-# Subsequent ADC updates for impersonation or user mode must be done manually
-# if required by libraries, as the underlying gcloud commands can force interaction.
-
 
 def _get_short_name(account: str) -> str:
-    """Extracts a short name ('dma', 'devcon') from a GCP account email.
+    """Extracts a short name ('dma') from a GCP account email.
 
     Args:
         account: The full account string (e.g., 'dma@dayhofflabs.com',
-                 'devcon@...', 'None', 'Not authenticated').
+                 'None', 'Not authenticated').
 
     Returns:
         The short name or the original string if not a recognized email pattern.
     """
-    if account == GCP_DEVCON_SA:
-        return "devcon"
     if "@" in account:
         # Attempt to get the part before @, common for user accounts
         user_part = account.split("@")[0]
@@ -168,7 +157,7 @@ def _gcloud_set_config(key: str, value: str) -> Tuple[int, str, str]:
     """Set a gcloud configuration value using `gcloud config set`.
 
     Args:
-        key: The configuration key (e.g., 'project', 'auth/impersonate_service_account').
+        key: The configuration key (e.g., 'project').
         value: The value to set for the key.
 
     Returns:
@@ -179,20 +168,6 @@ def _gcloud_set_config(key: str, value: str) -> Tuple[int, str, str]:
     return _run_command(cmd, capture=True, check=False, suppress_output=True)
 
 
-def _gcloud_unset_config(key: str) -> Tuple[int, str, str]:
-    """Unset a gcloud configuration value using `gcloud config unset`.
-
-    Args:
-        key: The configuration key to unset.
-
-    Returns:
-        Tuple of (return_code, stdout_str, stderr_str) from _run_command.
-    """
-    gcloud_path = _find_executable("gcloud")
-    cmd = [gcloud_path, "config", "unset", key, "--quiet"]
-    return _run_command(cmd, capture=True, check=False, suppress_output=True)
-
-
 def _get_adc_status() -> str:
     """Check the status and type of Application Default Credentials (ADC).
 
@@ -200,7 +175,7 @@ def _get_adc_status() -> str:
     default GCE metadata server fallback if no explicit config is found.
 
     Returns:
-        A short string describing the ADC principal ('dma', 'devcon',
+        A short string describing the ADC principal ('dma',
         'default VM service account', 'Other/External', 'Not configured', etc.).
     """
     adc_file = (
@@ -221,15 +196,6 @@ def _get_adc_status() -> str:
 
             if cred_type == "authorized_user":
                 return "dma"  # Assuming 'dma' is the likely user
-            elif cred_type == "impersonated_service_account":
-                sa_url = adc_data.get("service_account_impersonation_url", "")
-                sa_match = re.search(r"serviceAccounts/([^:]+)", sa_url)
-                if sa_match and sa_match.group(1) == GCP_DEVCON_SA:
-                    return "devcon"
-                elif sa_match:
-                    return f"Other SA ({_get_short_name(sa_match.group(1))})"
-                else:
-                    return "devcon (?)"  # Likely devcon but failed parse
             elif cred_type == "external_account":
                 return "Other/External"
             elif cred_type == "service_account":
@@ -325,21 +291,6 @@ def _get_current_gcp_user() -> str:
     return "Not authenticated"
 
 
-def _get_current_gcp_impersonation() -> str:
-    """Get the current impersonated service account from gcloud config."""
-    gcloud_path = _find_executable("gcloud")
-    cmd = [
-        gcloud_path,
-        "config",
-        "get-value",
-        "auth/impersonate_service_account",
-        "--quiet",
-    ]
-    returncode, stdout, _ = _run_command(cmd, capture=True, check=False)
-    sa = stdout.strip() if returncode == 0 else ""
-    return sa if sa else "None"
-
-
 def _run_gcloud_login() -> None:
     """Run the gcloud auth login command, updating ADC using device flow.
 
@@ -372,11 +323,10 @@ def _run_gcloud_login() -> None:
     print(f"{GREEN}User authentication complete. ADC updated for user account.{NC}")
 
 
-def _test_gcp_credentials(user: str, impersonation_sa: str) -> None:
+def _test_gcp_credentials(user: str) -> None:
     """Test GCP credentials. Prints output on failure (to stderr) and success (to stdout)."""
     gcloud_path = _find_executable("gcloud")
     user_short = _get_short_name(user)
-    impersonation_short = _get_short_name(impersonation_sa)
 
     if user != "Not authenticated" and "Not authenticated" not in user:
         cmd = [
@@ -388,70 +338,15 @@ def _test_gcp_credentials(user: str, impersonation_sa: str) -> None:
             f"--project={GCP_PROJECT_ID}",
         ]
 
-        if impersonation_sa != "None":
-            # Test 1: Access as the user directly (temporarily disable impersonation)
-            print(f"  Testing direct access as user ({user_short})...")
-            orig_sa = impersonation_sa
-            unset_rc, _, unset_err = _gcloud_unset_config(
-                "auth/impersonate_service_account"
-            )
-            if unset_rc != 0:
-                print(
-                    f"    {RED}✗ Test Error: Failed to temporarily disable impersonation: {unset_err}{NC}",
-                    file=sys.stderr,
-                )
-                # Even if unsetting fails, attempt to restore and continue with impersonation test
-            else:
-                user_returncode, _, _ = _run_command(
-                    cmd, suppress_output=True, check=False
-                )
-                if user_returncode != 0:
-                    print(
-                        f"    {RED}✗ User Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
-                        file=sys.stderr,
-                    )
-                else:
-                    print(
-                        f"    {GREEN}✓ User Test ({user_short}): Direct access OK{NC}"
-                    )
-
-            # Restore impersonation setting
-            set_rc, _, set_err = _gcloud_set_config(
-                "auth/impersonate_service_account", orig_sa
-            )
-            if set_rc != 0:
-                print(
-                    f"    {RED}✗ Test Error: Failed to restore impersonation config for {impersonation_short}: {set_err}{NC}",
-                    file=sys.stderr,
-                )
-                # If restoring fails, it's a significant issue for the next test
-
-            # Test 2: Access while impersonating the SA
-            print(f"  Testing access while impersonating SA ({impersonation_short})...")
-            impersonation_returncode, _, _ = _run_command(
-                cmd, suppress_output=True, check=False
+        print(f"  Testing direct access as user ({user_short})...")
+        returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
+        if returncode != 0:
+            print(
+                f"    {RED}✗ User Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
+                file=sys.stderr,
             )
-            if impersonation_returncode != 0:
-                print(
-                    f"    {RED}✗ Impersonation Test Failure: Cannot access resources impersonating '{impersonation_short}'. Check permissions/config.{NC}",
-                    file=sys.stderr,
-                )
-            else:
-                print(
-                    f"    {GREEN}✓ Impersonation Test ({impersonation_short}): Access OK{NC}"
-                )
-
         else:
-            # Test user account directly (no impersonation config)
-            print(f"  Testing direct access as user ({user_short})...")
-            returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
-            if returncode != 0:
-                print(
-                    f"    {RED}✗ User Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
-                    file=sys.stderr,
-                )
-            else:
-                print(f"    {GREEN}✓ User Test ({user_short}): Direct access OK{NC}")
+            print(f"    {GREEN}✓ User Test ({user_short}): Direct access OK{NC}")
     else:
         print(
             f"  {YELLOW}User not authenticated, skipping credential access tests.{NC}"
@@ -561,19 +456,12 @@ aws_app = typer.Typer(
 def gcp_status():
     """Show active GCP credentials for CLI and Libraries/ADC, including staleness."""
     cli_user = _get_current_gcp_user()
-    cli_impersonation = _get_current_gcp_impersonation()
-    adc_principal_raw = _get_adc_status()  # Raw status string, potentially complex
+    adc_principal_raw = _get_adc_status()
 
     user_auth_valid = _is_gcp_user_authenticated()
     adc_auth_valid = _is_adc_authenticated()
 
-    # Determine active principal for CLI
-    if cli_impersonation != "None":
-        cli_active_short = _get_short_name(cli_impersonation)
-        cli_is_impersonating = True
-    else:
-        cli_active_short = _get_short_name(cli_user)
-        cli_is_impersonating = False
+    cli_active_short = _get_short_name(cli_user)
 
     adc_active_short = _get_short_name(adc_principal_raw)
 
@@ -587,14 +475,6 @@ def gcp_status():
             f"    └─ Authentication: {RED}STALE/EXPIRED{NC} (Hint: run 'dh gcp login')"
         )
 
-    if cli_is_impersonating:
-        print(
-            f"  Impersonation ({_get_short_name(cli_impersonation)}): {GREEN}Active{NC}"
-        )
-        print(f"    └─ Access Test: (see results below)")
-    else:
-        print(f"  Impersonation: {YELLOW}Not Active{NC}")
-
     print(f"\n{BLUE}--- GCP Library/ADC Credentials ---{NC}")
     print(f"  Effective Principal: {GREEN}{adc_active_short}{NC}")
     if adc_principal_raw in ["Not configured", "Error reading", "Invalid format"]:
@@ -603,227 +483,30 @@ def gcp_status():
         print(f"    └─ Authentication: {GREEN}VALID{NC}")
     else:
         print(
-            f"    └─ Authentication: {RED}STALE/EXPIRED{NC} (Hint: run 'dh gcp use-...-adc' or 'gcloud auth application-default login ...')"
+            f"    └─ Authentication: {RED}STALE/EXPIRED{NC} (Hint: run 'dh gcp use-user-adc' or 'gcloud auth application-default login ...')"
         )
 
     print(f"\n{BLUE}--- GCP Access Tests (for CLI configuration) ---{NC}")
-    # Run tests silently, they will print to stderr only on failure
-    _test_gcp_credentials(cli_user, cli_impersonation)
+    _test_gcp_credentials(cli_user)
 
 
 @gcp_app.command("login")
 def gcp_login():
-    """Authenticate user & configure CLI to impersonate devcon SA."""
+    """Authenticate user & configure CLI for GCP access."""
     # Step 1: Authenticate the user (updates ADC for user)
     _run_gcloud_login()  # Uses device flow
 
-    # Step 2: Configure gcloud CLI for devcon SA impersonation
-    print(f"\n{BLUE}Configuring gcloud CLI to impersonate {GCP_DEVCON_SA}...{NC}")
-    set_sa_rc, _, set_sa_err = _gcloud_set_config(
-        "auth/impersonate_service_account", GCP_DEVCON_SA
-    )
-    if set_sa_rc != 0:
-        print(
-            f"{RED}Error setting impersonation config: {set_sa_err}{NC}",
-            file=sys.stderr,
-        )
-        print(f"{YELLOW}Warning: CLI impersonation failed to configure.{NC}")
-        # Attempt to show status anyway before exiting command
-        print("\n{BLUE}Current status:{NC}")
-        gcp_status()
-        return
-
     set_proj_rc, _, set_proj_err = _gcloud_set_config("project", GCP_PROJECT_ID)
     if set_proj_rc != 0:
         print(f"{RED}Error setting project config: {set_proj_err}{NC}", file=sys.stderr)
-        # Continue, but warn user
-
-    # Step 3: Print configuration options
-    print(f"\n{GREEN}Login successful. CLI configured for devcon impersonation.{NC}")
-    print(f"{BLUE}--- Common Configuration Commands ---\n{NC}")
 
-    cmd_width = 25  # Adjusted width for dh commands
-
-    print(f"  {BLUE}Set CLI to use User:{NC}")
-    print(f"    {YELLOW}{f'dh gcp use-user':<{cmd_width}}{NC}")
-
-    print(f"  {BLUE}Set CLI to use Devcon SA:{NC}")
-    print(
-        f"    {YELLOW}{f'dh gcp use-devcon':<{cmd_width}}{NC} {GREEN}(Current default after login){NC}"
-    )
-
-    print(f"  {BLUE}Set Libraries/Tools (ADC) to use User:{NC}")
-    print(f"    {YELLOW}{f'dh gcp use-user-adc':<{cmd_width}}{NC}")
-
-    print(f"  {BLUE}Set Libraries/Tools (ADC) to use Devcon SA:{NC}")
-    print(f"    {YELLOW}{f'dh gcp use-devcon-adc':<{cmd_width}}{NC}")
+    print(f"\n{GREEN}Login successful.{NC}")
 
     # Step 4: Show current status automatically
     print(f"\n{BLUE}--- Current Status ---{NC}")
     gcp_status()
 
 
-@gcp_app.command("use-devcon")
-def gcp_use_devcon(
-    export: bool = typer.Option(
-        False,
-        "--export",
-        "-x",
-        help="Deprecated. Has no effect. Settings are applied directly via gcloud config.",
-        hidden=True,
-    ),
-):
-    """Configure gcloud CLI to impersonate the devcon SA.
-
-    This command updates gcloud configuration settings directly.
-    It DOES NOT modify shell RC files or require `eval`.
-    It DOES NOT automatically update Application Default Credentials (ADC) for impersonation.
-
-    Ensures the primary user login is valid first.
-    """
-    if export:
-        print(
-            f"{YELLOW}Warning: --export/-x is deprecated and has no effect. "
-            f"GCP settings are now managed via gcloud config.{NC}",
-            file=sys.stderr,
-        )
-
-    if not _is_gcp_user_authenticated():
-        print(
-            f"{RED}Error: GCP user authentication is invalid or requires interactive login.{NC}",
-            file=sys.stderr,
-        )
-        print(
-            f"{YELLOW}Please run 'dh gcp login' interactively first, then try this command again.{NC}",
-            file=sys.stderr,
-        )
-        sys.exit(1)
-
-    print(f"{BLUE}Configuring gcloud CLI to impersonate {GCP_DEVCON_SA}...{NC}")
-
-    # Set gcloud CLI impersonation via config
-    set_sa_rc, _, set_sa_err = _gcloud_set_config(
-        "auth/impersonate_service_account", GCP_DEVCON_SA
-    )
-    if set_sa_rc != 0:
-        print(
-            f"{RED}Error setting impersonation config: {set_sa_err}{NC}",
-            file=sys.stderr,
-        )
-        sys.exit(1)
-
-    set_proj_rc, _, set_proj_err = _gcloud_set_config("project", GCP_PROJECT_ID)
-    if set_proj_rc != 0:
-        print(f"{RED}Error setting project config: {set_proj_err}{NC}", file=sys.stderr)
-        # Continue, but warn user
-
-    # Check for lingering legacy environment variable
-    if _get_env_var("CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"):
-        print(
-            f"{YELLOW}Warning: Legacy env var CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT is set.{NC}",
-            file=sys.stderr,
-        )
-        print(
-            f"{YELLOW}         This may override gcloud config. Consider running:{NC}",
-            file=sys.stderr,
-        )
-        print(
-            f"{YELLOW}         unset CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT{NC}",
-            file=sys.stderr,
-        )
-
-    print(f"\n{GREEN}GCP CLI configured to use devcon SA ({GCP_DEVCON_SA}).{NC}")
-    print(f"Project set to: {GCP_PROJECT_ID}")
-    print(
-        f"{YELLOW}NOTE: If libraries/tools (e.g., for DVC, Terraform) need to use impersonation, update Application Default Credentials (ADC) manually:{NC}"
-    )
-    print(
-        f"{YELLOW}        gcloud auth application-default login --impersonate-service-account={GCP_DEVCON_SA}{NC}"
-    )
-    print(f"Run 'dh gcp status' to verify CLI configuration.")
-
-
-@gcp_app.command("use-user")
-def gcp_use_user(
-    export: bool = typer.Option(
-        False,
-        "--export",
-        "-x",
-        help="Deprecated. Has no effect. Settings are applied directly via gcloud config.",
-        hidden=True,
-    ),
-):
-    """Configure gcloud CLI to use the personal user account via gcloud config.
-
-    This command updates gcloud configuration settings directly.
-    It DOES NOT modify shell RC files or require `eval`.
-    It DOES NOT automatically update Application Default Credentials (ADC).
-
-    Ensures the primary user login is valid first.
-    """
-    if export:
-        print(
-            f"{YELLOW}Warning: --export/-x is deprecated and has no effect. "
-            f"GCP settings are now managed via gcloud config.{NC}",
-            file=sys.stderr,
-        )
-
-    if not _is_gcp_user_authenticated():
-        print(
-            f"{RED}Error: GCP user authentication is invalid or requires interactive login.{NC}",
-            file=sys.stderr,
-        )
-        print(
-            f"{YELLOW}Please run 'dh gcp login' interactively first, then try this command again.{NC}",
-            file=sys.stderr,
-        )
-        sys.exit(1)
-
-    print(f"{BLUE}Configuring gcloud CLI to use personal user account...{NC}")
-
-    # Unset gcloud CLI impersonation via config
-    unset_sa_rc, _, unset_sa_err = _gcloud_unset_config(
-        "auth/impersonate_service_account"
-    )
-    if unset_sa_rc != 0:
-        print(
-            f"{RED}Error unsetting impersonation config: {unset_sa_err}{NC}",
-            file=sys.stderr,
-        )
-        # Continue, but warn user
-
-    set_proj_rc, _, set_proj_err = _gcloud_set_config("project", GCP_PROJECT_ID)
-    if set_proj_rc != 0:
-        print(f"{RED}Error setting project config: {set_proj_err}{NC}", file=sys.stderr)
-        # Continue, but warn user
-
-    # Check for lingering legacy environment variable
-    if _get_env_var("CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"):
-        print(
-            f"{YELLOW}Warning: Legacy env var CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT is set.{NC}",
-            file=sys.stderr,
-        )
-        print(
-            f"{YELLOW}         This may interfere with using your personal account. Consider running:{NC}",
-            file=sys.stderr,
-        )
-        print(
-            f"{YELLOW}         unset CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT{NC}",
-            file=sys.stderr,
-        )
-
-    print(f"\n{GREEN}GCP CLI configured to use personal account.{NC}")
-    print(f"Project set to: {GCP_PROJECT_ID}")
-    print(
-        f"{YELLOW}NOTE: If libraries/tools (e.g., for DVC, Terraform) need to use impersonation, update Application Default Credentials (ADC) manually:{NC}"
-    )
-    print(f"{YELLOW}        gcloud auth application-default login{NC}")
-    print(f"Run 'dh gcp status' to verify CLI configuration.")
-
-
-# === NEW ADC Commands ===
-
-
 @gcp_app.command("use-user-adc")
 def gcp_use_user_adc():
     """Configure Libraries/Tools (ADC) to use your PERSONAL account."""
@@ -863,58 +546,11 @@ def gcp_use_user_adc():
         sys.exit(1)
 
 
-@gcp_app.command("use-devcon-adc")
-def gcp_use_devcon_adc():
-    """Configure Libraries/Tools (ADC) to use the DEVCON service account."""
-    if not _is_gcp_user_authenticated():
-        print(
-            f"{RED}Error: GCP user authentication is invalid or requires interactive login.{NC}",
-            file=sys.stderr,
-        )
-        print(
-            f"{YELLOW}Please run 'dh gcp login' interactively first.{NC}",
-            file=sys.stderr,
-        )
-        sys.exit(1)
-
-    print(f"{BLUE}Attempting to configure ADC for devcon SA ({GCP_DEVCON_SA})...{NC}")
-    print(
-        f"{YELLOW}This may require you to complete a browser authentication flow.{NC}"
-    )
-
-    gcloud_path = _find_executable("gcloud")
-    cmd = [
-        gcloud_path,
-        "auth",
-        "application-default",
-        "login",
-        f"--impersonate-service-account={GCP_DEVCON_SA}",
-    ]
-
-    # Allow interaction, don't capture output
-    returncode, _, _ = _run_command(
-        cmd, capture=False, check=False, suppress_output=False
-    )
-
-    if returncode == 0:
-        print(
-            f"\n{GREEN}Successfully configured ADC for devcon SA ({GCP_DEVCON_SA}).{NC}"
-        )
-        print(f"{BLUE}--- Current Status ---{NC}")
-        gcp_status()  # Show status after successful change
-    else:
-        print(
-            f"{RED}Failed to configure ADC (Return code: {returncode}). Check messages above.{NC}",
-            file=sys.stderr,
-        )
-        sys.exit(1)
-
-
 @gcp_app.command("logout")
 def gcp_logout():
     """Clear all GCP credentials for testing or role switching purposes.
 
-    This removes the active user's gcloud login, disables impersonation,
+    This removes the active user's gcloud login
     and invalidates Application Default Credentials (ADC).
     """
     print(f"{BLUE}Clearing all GCP credentials...{NC}")
@@ -930,20 +566,12 @@ def gcp_logout():
         if revoke_code != 0 and revoke_err:
             errors.append(f"Failed to revoke credentials: {revoke_err}")
 
-        # 2. Unset impersonation config
-        print(f"{BLUE}Disabling service account impersonation...{NC}")
-        unset_code, _, unset_err = _gcloud_unset_config(
-            "auth/impersonate_service_account"
-        )
-        if unset_code != 0 and unset_err:
-            errors.append(f"Failed to unset impersonation: {unset_err}")
-
-        # 3. Revoke ADC
+        # 2. Revoke ADC
         print(f"{BLUE}Revoking Application Default Credentials (ADC)...{NC}")
         adc_cmd = [gcloud_path, "auth", "application-default", "revoke", "--quiet"]
         adc_code, _, adc_err = _run_command(adc_cmd, capture=True, check=False)
 
-        # 4. Additionally remove ADC file if it exists (belt-and-suspenders approach)
+        # 3. Additionally remove ADC file if it exists (belt-and-suspenders approach)
         adc_file = (
             Path.home() / ".config" / "gcloud" / "application_default_credentials.json"
         )
@@ -976,9 +604,6 @@ def gcp_logout():
         print(f"  {YELLOW}gcloud auth application-default revoke{NC}")
 
 
-# === End NEW ADC Commands ===
-
-
 # --- AWS Commands ---
 @aws_app.command("status")
 def aws_status(

{dh_cli-0.4.4 → dh_cli-0.5.0}/src/dh_cli/hz/test.py

@@ -1,5 +1,6 @@
 """Run integration test suites."""
 
+import os
 import re
 from pathlib import Path
 from typing import Optional
@@ -48,6 +49,75 @@ def _resolve_suites(
     return matched
 
 
+def _ensure_jwt_token(env: str, test_dir: Path) -> None:
+    """Ensure HORIZYN_TOKEN is set, prompting interactively if needed.
+
+    Checks (in order): env var with expiry validation, cached token file,
+    then falls back to interactive Cognito passwordless auth.
+    Sets os.environ["HORIZYN_TOKEN"] so child processes inherit it.
+    """
+    import json
+    import subprocess
+    import time
+
+    token_script = test_dir / "get_jwt_token.py"
+    cache_dir = Path.home() / ".horizyn"
+    cache_file = cache_dir / f"token_{env}"
+
+    def _token_valid(token: str) -> bool:
+        """Check JWT expiry without verification (5-minute buffer)."""
+        import base64
+
+        try:
+            payload = token.split(".")[1]
+            padding = 4 - len(payload) % 4
+            if padding != 4:
+                payload += "=" * padding
+            decoded = json.loads(base64.urlsafe_b64decode(payload))
+            return time.time() < (decoded.get("exp", 0) - 300)
+        except Exception:
+            return False
+
+    # 1. Check existing env var
+    existing = os.environ.get("HORIZYN_TOKEN", "")
+    if existing and _token_valid(existing):
+        typer.secho("  Using existing HORIZYN_TOKEN", fg=typer.colors.GREEN)
+        return
+
+    # 2. Check cached token file
+    if cache_file.exists():
+        cached = cache_file.read_text().strip()
+        if cached and _token_valid(cached):
+            os.environ["HORIZYN_TOKEN"] = cached
+            typer.secho(f"  Using cached token from {cache_file}", fg=typer.colors.GREEN)
+            return
+        cache_file.unlink(missing_ok=True)
+
+    # 3. Interactive: run get_jwt_token.py (prompts go to stderr, token to stdout)
+    typer.echo()
+    typer.secho("  No valid token found — starting authentication.", fg=typer.colors.YELLOW)
+    typer.echo()
+
+    result = subprocess.run(
+        ["python3", str(token_script), "--env", env],
+        capture_output=False,
+        stdout=subprocess.PIPE,
+        text=True,
+    )
+
+    if result.returncode != 0 or not result.stdout.strip():
+        typer.secho("  Authentication failed.", fg=typer.colors.RED, err=True)
+        raise typer.Exit(1)
+
+    token = result.stdout.strip()
+    os.environ["HORIZYN_TOKEN"] = token
+
+    # Cache for future runs
+    cache_dir.mkdir(mode=0o700, exist_ok=True)
+    cache_file.write_text(token)
+    cache_file.chmod(0o600)
+
+
 @test_app.command("list")
 def list_tests(
     target: str = typer.Option("local", "--target", "-t", help="local or deployed."),
@@ -98,9 +168,12 @@ def test_deployed(
     test_dir = repo / "test/server/deployed"
 
     if not suites:
+        # run_all_tests.sh handles its own token flow
         run_script(test_dir / "run_all_tests.sh", args=[env], cwd=test_dir)
         return
 
+    _ensure_jwt_token(env, test_dir)
+
     available = _discover_suites(test_dir)
     selected = _resolve_suites(available, suites)
 

{dh_cli-0.4.4 → dh_cli-0.5.0}/src/dh_cli/main.py

@@ -29,7 +29,7 @@ app.command("clean")(delete_local_branch)
 app.command("wget")(get_from_warehouse_typer)
 
 # Cloud commands
-app.add_typer(gcp_app, name="gcp", help="Manage GCP authentication and impersonation.")
+app.add_typer(gcp_app, name="gcp", help="Manage GCP authentication.")
 app.add_typer(aws_app, name="aws", help="Manage AWS SSO authentication.")
 app.add_typer(gh_app, name="gh", help="Manage GitHub authentication.")
 

dh_cli-0.5.0/tests/test_cloud_gcp.py

@@ -0,0 +1,67 @@
+"""Structural tests for GCP commands after service account removal.
+
+These tests verify the interface contract: which commands exist, which
+constants/functions were removed, and that docstrings no longer reference
+service account impersonation. No GCP credentials required.
+"""
+
+import inspect
+
+import pytest
+
+
+def test_gcp_app_has_exactly_four_commands():
+    """After cleanup, gcp_app should have: login, status, use-user-adc, logout."""
+    from dh_cli.cloud_commands import gcp_app
+
+    registered = {
+        cmd_info.name or cmd_info.callback.__name__
+        for cmd_info in gcp_app.registered_commands
+    }
+    expected = {"login", "status", "use-user-adc", "logout"}
+    assert registered == expected, (
+        f"Expected commands {expected}, got {registered}. "
+        f"Extra: {registered - expected}, Missing: {expected - registered}"
+    )
+
+
+def test_devcon_sa_constant_removed():
+    """GCP_DEVCON_SA constant should no longer exist."""
+    import dh_cli.cloud_commands as mod
+
+    assert not hasattr(mod, "GCP_DEVCON_SA"), "GCP_DEVCON_SA should be removed"
+
+
+def test_get_current_gcp_impersonation_removed():
+    """The impersonation helper should no longer exist."""
+    import dh_cli.cloud_commands as mod
+
+    assert not hasattr(mod, "_get_current_gcp_impersonation"), (
+        "_get_current_gcp_impersonation should be removed"
+    )
+
+
+def test_test_gcp_credentials_no_impersonation_param():
+    """_test_gcp_credentials should not accept an impersonation_sa parameter."""
+    from dh_cli.cloud_commands import _test_gcp_credentials
+
+    sig = inspect.signature(_test_gcp_credentials)
+    assert "impersonation_sa" not in sig.parameters, (
+        "_test_gcp_credentials should not have impersonation_sa parameter"
+    )
+
+
+def test_login_docstring_no_impersonation():
+    """Login command docstring should not mention impersonation or devcon."""
+    from dh_cli.cloud_commands import gcp_login
+
+    doc = (gcp_login.__doc__ or "").lower()
+    assert "impersonat" not in doc, f"Docstring still mentions impersonation: {doc}"
+    assert "devcon" not in doc, f"Docstring still mentions devcon: {doc}"
+
+
+def test_gcp_project_id_still_exists():
+    """GCP_PROJECT_ID should still be present (we still need it)."""
+    from dh_cli.cloud_commands import GCP_PROJECT_ID
+
+    assert GCP_PROJECT_ID == "enzyme-discovery"