dh-cli 0.5.1__tar.gz → 0.6.3__tar.gz

{dh_cli-0.5.1 → dh_cli-0.6.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dh-cli
-Version: 0.5.1
+Version: 0.6.3
 Summary: Dayhoff Labs developer CLI
 Author-email: Dayhoff Labs <dev@dayhofflabs.com>
 License: # PolyForm Noncommercial License 1.0.0

{dh_cli-0.5.1 → dh_cli-0.6.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "dh-cli"
-version = "0.5.1"
+version = "0.6.3"
 description = "Dayhoff Labs developer CLI"
 requires-python = ">=3.11"
 readme = "README.md"

dh_cli-0.6.3/src/dh_cli/bedrock/__init__.py

@@ -0,0 +1,4 @@
+"""`dh bedrock` command group — key delivery + per-user cost reporting."""
+from .commands import bedrock
+
+__all__ = ["bedrock"]

dh_cli-0.6.3/src/dh_cli/bedrock/commands.py

@@ -0,0 +1,414 @@
+"""`dh bedrock` command group.
+
+Two user-facing commands:
+
+- `dh bedrock key`   — fetch the per-developer Cursor Bedrock key from
+  Secrets Manager (`cursor-bedrock/<handle>`). Replaces the
+  `aws secretsmanager get-secret-value … | jq` one-liner.
+- `dh bedrock cost`  — run the per-user Bedrock cost reporter against
+  the log bucket. Wraps `cost_report.build_report` with sensible
+  defaults so devs don't have to remember bucket/account/region.
+
+Both commands default to reading the caller's identity via STS to
+resolve their own handle, so the common case is parameter-free.
+"""
+from __future__ import annotations
+
+import datetime as dt
+import json
+import sys
+from typing import Optional
+
+import click
+
+from . import cost_report as cr
+
+# Hard-coded for the dev account. Kept here (not as user-facing flags)
+# because they never change in practice and making every dev remember
+# them is the whole reason this command exists.
+_DEFAULT_BUCKET = "dayhoff-bedrock-logs-074735440724"
+_DEFAULT_ACCOUNT = "074735440724"
+_DEFAULT_REGION = "us-east-1"
+_SECRET_PREFIX = "cursor-bedrock/"
+
+
+@click.group()
+def bedrock():
+    """Bedrock key delivery and per-user cost reporting.
+
+    \b
+    Commands:
+      key    Fetch your personal Cursor Bedrock access key from Secrets Manager.
+      cost   Query per-user Bedrock spend from invocation logs.
+
+    \b
+    Examples:
+      dh bedrock key                         # print your key JSON
+      dh bedrock key --export                # `export AWS_...` for eval
+      dh bedrock cost                        # last 7 days, grouped by user
+      dh bedrock cost --me                   # just your own spend
+      dh bedrock cost --days 30 --group-by model
+      dh bedrock cost --format markdown      # pipe-table for Slack/docs
+    """
+
+
+# --------------------------------------------------------------------------
+# Shared helpers
+# --------------------------------------------------------------------------
+
+
+def _resolve_handle_from_sts() -> str:
+    """Pull the developer handle from the current SSO session.
+
+    A DeveloperAccess SSO caller identity looks like::
+
+        arn:aws:sts::074735440724:assumed-role/AWSReservedSSO_DeveloperAccess_<id>/<handle>
+
+    We return `<handle>`. Raises ClickException if STS fails or the ARN
+    shape isn't recognisable.
+    """
+    import boto3
+
+    try:
+        sts = boto3.client("sts")
+        arn = sts.get_caller_identity()["Arn"]
+    except Exception as exc:
+        raise click.ClickException(
+            f"Could not call sts:GetCallerIdentity to resolve your handle: {exc}\n"
+            "Run `awslogin dev-devaccess` (or pass --handle explicitly)."
+        )
+
+    principal = cr.classify_arn(arn)
+    if principal.principal_type in ("claude-code", "cursor"):
+        return principal.principal_name
+    raise click.ClickException(
+        f"Couldn't infer a developer handle from your identity ({arn}). "
+        "Pass --handle explicitly."
+    )
+
+
+# --------------------------------------------------------------------------
+# `dh bedrock key`
+# --------------------------------------------------------------------------
+
+
+@bedrock.command("key")
+@click.option(
+    "--handle",
+    "-u",
+    default=None,
+    help="Developer handle (e.g. 'dma'). Defaults to your SSO caller identity.",
+)
+@click.option(
+    "--region",
+    default=_DEFAULT_REGION,
+    show_default=True,
+    help="AWS region for the Secrets Manager secret.",
+)
+@click.option(
+    "--export",
+    "mode",
+    flag_value="export",
+    help="Print `export AWS_ACCESS_KEY_ID=… AWS_SECRET_ACCESS_KEY=…` for shell eval.",
+)
+@click.option(
+    "--json",
+    "mode",
+    flag_value="json",
+    default=True,
+    help="Print the full secret JSON (default).",
+)
+def bedrock_key(handle: Optional[str], region: str, mode: str):
+    """Fetch your Cursor Bedrock access key from Secrets Manager.
+
+    Paste the output into Cursor → Settings → Models → AWS Bedrock.
+
+    \b
+    Examples:
+      dh bedrock key
+      dh bedrock key --handle jason           # pull someone else's key (will 403)
+      eval "$(dh bedrock key --export)"       # export into current shell
+    """
+    import boto3
+
+    resolved = handle or _resolve_handle_from_sts()
+    secret_id = f"{_SECRET_PREFIX}{resolved}"
+
+    try:
+        sm = boto3.client("secretsmanager", region_name=region)
+        resp = sm.get_secret_value(SecretId=secret_id)
+    except Exception as exc:
+        raise click.ClickException(
+            f"Could not read secret `{secret_id}`: {exc}\n"
+            "Check that you're logged in (`awslogin dev-devaccess`), that your "
+            "handle matches (use --handle <you>), and that MFA is fresh."
+        )
+
+    try:
+        payload = json.loads(resp["SecretString"])
+    except (KeyError, json.JSONDecodeError) as exc:
+        raise click.ClickException(f"Secret `{secret_id}` is not valid JSON: {exc}")
+
+    if mode == "export":
+        ak = payload.get("access_key_id", "")
+        sk = payload.get("secret_access_key", "")
+        if not ak or not sk:
+            raise click.ClickException(
+                f"Secret `{secret_id}` is missing access_key_id/secret_access_key fields."
+            )
+        click.echo(f"export AWS_ACCESS_KEY_ID='{ak}'")
+        click.echo(f"export AWS_SECRET_ACCESS_KEY='{sk}'")
+        click.echo(f"export AWS_DEFAULT_REGION='{payload.get('region', region)}'")
+    else:
+        click.echo(json.dumps(payload, indent=2))
+
+
+# --------------------------------------------------------------------------
+# `dh bedrock cost`
+# --------------------------------------------------------------------------
+
+
+def _parse_date(_ctx, _param, value: Optional[str]) -> Optional[dt.date]:
+    if value is None:
+        return None
+    try:
+        return dt.datetime.strptime(value, "%Y-%m-%d").date()
+    except ValueError as exc:
+        raise click.BadParameter(f"Expected YYYY-MM-DD, got {value!r}: {exc}")
+
+
+@bedrock.command("cost")
+@click.option(
+    "--start",
+    callback=_parse_date,
+    default=None,
+    help="Start date, UTC (YYYY-MM-DD, inclusive). Defaults to `--days` ago.",
+)
+@click.option(
+    "--end",
+    callback=_parse_date,
+    default=None,
+    help="End date, UTC (YYYY-MM-DD, inclusive). Defaults to today (UTC).",
+)
+@click.option(
+    "--days",
+    default=7,
+    show_default=True,
+    type=int,
+    help="Look-back window in days when --start is not given.",
+)
+@click.option(
+    "--group-by",
+    type=click.Choice(sorted(cr._VALID_GROUP_BY)),
+    default="user",
+    show_default=True,
+    help=(
+        "Aggregation key. 'user' → top-spender view; 'user+model' → per "
+        "person × model; 'model' → Opus-vs-Sonnet split; 'principal_type' "
+        "→ Cursor/Claude-Code/service-role split."
+    ),
+)
+@click.option(
+    "--me",
+    is_flag=True,
+    default=False,
+    help="Only show rows for your own handle (resolved from STS).",
+)
+@click.option(
+    "--bucket",
+    default=_DEFAULT_BUCKET,
+    show_default=True,
+    help="S3 bucket holding Bedrock invocation logs.",
+)
+@click.option(
+    "--account",
+    default=_DEFAULT_ACCOUNT,
+    show_default=True,
+    help="AWS account ID that owns the logs.",
+)
+@click.option(
+    "--region",
+    default=_DEFAULT_REGION,
+    show_default=True,
+    help="AWS region that produced the logs.",
+)
+@click.option(
+    "--pricing",
+    "pricing_path",
+    default=None,
+    type=click.Path(exists=True, dir_okay=False),
+    help="Override the bundled pricing.yaml.",
+)
+@click.option(
+    "--no-reconcile",
+    is_flag=True,
+    default=False,
+    help="Skip the Cost Explorer reconciliation call (faster, no ce:GetCostAndUsage).",
+)
+@click.option(
+    "--format",
+    "output_format",
+    type=click.Choice(["pretty", "markdown", "csv"]),
+    default="pretty",
+    show_default=True,
+    help="pretty = aligned terminal table (default); markdown = pipe-table "
+    "for Slack/docs; csv = machine-readable, full column set.",
+)
+def bedrock_cost(
+    start: Optional[dt.date],
+    end: Optional[dt.date],
+    days: int,
+    group_by: str,
+    me: bool,
+    bucket: str,
+    account: str,
+    region: str,
+    pricing_path: Optional[str],
+    no_reconcile: bool,
+    output_format: str,
+):
+    """Print per-user Bedrock spend from invocation logs.
+
+    \b
+    Examples:
+      dh bedrock cost                                # last 7 days, by user
+      dh bedrock cost --me                           # just your own rows
+      dh bedrock cost --days 30 --group-by model     # monthly Opus vs Sonnet
+      dh bedrock cost --start 2026-04-20 --end 2026-04-25 --group-by user+model
+      dh bedrock cost --format markdown > report.md  # paste into Slack/docs
+      dh bedrock cost --format csv | csvlook         # further analysis
+
+    Exit codes:
+      0   success (within 10% of Cost Explorer, or --no-reconcile)
+      1   unknown model ID, bad pricing file, or S3 read error
+      2   reconciliation drift > 10% AND absolute gap >= $1
+    """
+    # Defaults use UTC dates to match the S3 day-partition layout
+    # (`…/BedrockModelInvocationLogs/us-east-1/YYYY/MM/DD/`). Using
+    # local time here would silently exclude "today so far" from
+    # developers in tz < UTC, which is the whole point of running
+    # `dh bedrock cost --me` during a workday. Including today is
+    # fine because walk_logs happily iterates the current day's
+    # S3 prefix as it's populated in near-real-time.
+    today_utc = dt.datetime.now(dt.timezone.utc).date()
+    if end is None:
+        end = today_utc
+    if start is None:
+        start = end - dt.timedelta(days=days - 1)
+    if start > end:
+        raise click.BadParameter(
+            f"--start ({start}) must be on or before --end ({end})."
+        )
+
+    pricing_file = pricing_path or cr.default_pricing_path()
+    try:
+        pricing = cr.load_pricing(pricing_file)
+    except Exception as exc:
+        click.echo(f"error: failed to load pricing: {exc}", err=True)
+        sys.exit(1)
+
+    import boto3
+
+    s3 = boto3.client("s3")
+
+    my_handle: Optional[str] = None
+    if me:
+        my_handle = _resolve_handle_from_sts()
+
+    try:
+        records = cr.walk_logs(
+            s3,
+            bucket=bucket,
+            account=account,
+            region=region,
+            start=start,
+            end=end,
+        )
+        if my_handle is not None:
+            # Filter records upstream so --me works for every --group-by
+            # mode, including 'model' and 'principal_type' which collapse
+            # principal_name to "" in the output rows.
+            records = (
+                rec for rec in records
+                if cr.classify_arn(
+                    rec.get("identity", {}).get("arn", "")
+                ).principal_name == my_handle
+            )
+        report = cr.build_report(records, pricing, group_by=group_by)
+    except cr.UnknownModel as exc:
+        click.echo(f"error: {exc}", err=True)
+        sys.exit(1)
+    except Exception as exc:
+        click.echo(f"error: failed to process logs: {exc}", err=True)
+        sys.exit(1)
+
+    # Header is only useful for humans — skip in csv mode so the output
+    # is a clean csv stream that can be piped.
+    if output_format != "csv":
+        subject = f" ({my_handle})" if my_handle else ""
+        click.echo(f"Bedrock spend {start} → {end}  group_by={group_by}{subject}")
+        click.echo("")
+
+    if output_format == "markdown":
+        click.echo(cr.render_markdown(report), nl=False)
+    elif output_format == "csv":
+        click.echo(cr.render_csv(report), nl=False)
+    else:
+        click.echo(cr.render_pretty(report, group_by=group_by), nl=False)
+
+    estimate_total = sum(r.estimated_cost_usd for r in report.rows)
+
+    if no_reconcile:
+        sys.exit(0)
+
+    # Cost Explorer is always at least a few hours behind real-time
+    # (sometimes a full day). Reconciling a window that includes today
+    # (or a not-yet-closed UTC day) produces misleading "drift" because
+    # the S3 logs are near-real-time but CE hasn't posted the matching
+    # charges yet. Skip the CE call in that case — the estimate row
+    # above is the authoritative answer.
+    if end >= today_utc:
+        msg = (
+            f"\nSkipping Cost Explorer reconcile: window ends {end} (UTC today "
+            f"or later); CE lag makes same-day comparison noisy. Re-run with "
+            f"`--end {today_utc - dt.timedelta(days=2)}` (or earlier) for a "
+            f"meaningful reconcile."
+        )
+        if output_format == "pretty":
+            click.echo(msg)
+        else:
+            click.echo(msg, err=True)
+        sys.exit(0)
+
+    try:
+        ce_total = cr.fetch_cost_explorer_total(start, end)
+    except Exception as exc:
+        click.echo(
+            f"\nwarning: could not fetch Cost Explorer total: {exc}",
+            err=True,
+        )
+        sys.exit(0)
+
+    result = cr.reconcile_with_cost_explorer(estimate_total, ce_total)
+    # Keep reconcile output minimal in csv/markdown modes so the body
+    # of the output stays pipe-friendly — stderr, not stdout.
+    stream_err = output_format in ("csv", "markdown")
+    delta_pct = (
+        f"{result.delta_fraction * 100:.1f}%"
+        if result.delta_fraction != float("inf")
+        else "n/a"
+    )
+    status = "OK" if result.ok else "DRIFT"
+    reconcile_line = (
+        f"\nReconcile: estimate ${estimate_total:,.2f}  "
+        f"Cost Explorer ${ce_total:,.2f}  "
+        f"delta {delta_pct}  [{status}]"
+    )
+    click.echo(reconcile_line, err=stream_err)
+    # Absolute-dollar floor on the drift exit code: below $1 of discrepancy,
+    # ratio drift is noise (a 50% delta on 2 cents vs. 3 cents doesn't
+    # mean anything). ReconcileResult still reports ok=False so
+    # programmatic callers can see the state.
+    if not result.ok and abs(ce_total - estimate_total) >= 1.00:
+        sys.exit(2)
+    sys.exit(0)