dh-cli 0.7.1__tar.gz → 0.8.0__tar.gz

{dh_cli-0.7.1 → dh_cli-0.8.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dh-cli
-Version: 0.7.1
+Version: 0.8.0
 Summary: Dayhoff Labs developer CLI
 Author-email: Dayhoff Labs <dev@dayhofflabs.com>
 License: # PolyForm Noncommercial License 1.0.0

{dh_cli-0.7.1 → dh_cli-0.8.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "dh-cli"
-version = "0.7.1"
+version = "0.8.0"
 description = "Dayhoff Labs developer CLI"
 requires-python = ">=3.11"
 readme = "README.md"

{dh_cli-0.7.1 → dh_cli-0.8.0}/src/dh_cli/batch/aws_batch.py

@@ -124,7 +124,7 @@ class BatchClient:
                 resource_requirements.append({"type": "VCPU", "value": str(vcpus)})
             if memory_mb is not None:
                 resource_requirements.append({"type": "MEMORY", "value": str(memory_mb)})
-            if gpus is not None:
+            if gpus not in (None, 0):
                 resource_requirements.append({"type": "GPU", "value": str(gpus)})
 
             container_overrides: dict[str, Any] = {}

{dh_cli-0.7.1 → dh_cli-0.8.0}/src/dh_cli/batch/commands/submit.py

@@ -71,7 +71,7 @@ def submit(
       queue: t4-1x-spot
       memory: 30G
       vcpus: 8
-      gpus: 1
+      gpus: 1              # omit, set to 0, or null for CPU-only
       array: 10
       retry: 3
       timeout: 6h
@@ -113,11 +113,12 @@ def submit(
     timeout_seconds = _parse_timeout(job_timeout)
 
     # Show plan
+    gpus_display = "no GPUs" if job_gpus in (None, 0) else f"{job_gpus} GPUs"
     click.echo()
     click.echo(f"Job ID:      {job_id}")
     click.echo(f"Command:     {job_command}")
     click.echo(f"Queue:       {job_queue}")
-    click.echo(f"Resources:   {job_vcpus} vCPUs, {job_memory} memory, {job_gpus} GPUs")
+    click.echo(f"Resources:   {job_vcpus} vCPUs, {job_memory} memory, {gpus_display}")
     click.echo(f"Array Size:  {job_array}")
     click.echo(f"Retry:       {job_retry}")
     click.echo(f"Timeout:     {job_timeout} ({timeout_seconds}s)")

dh_cli-0.8.0/src/dh_cli/github_commands.py

@@ -0,0 +1,275 @@
+"""CLI commands for GitHub authentication.
+
+This module provides commands for authenticating with GitHub from within
+development containers using the GitHub CLI (gh).
+
+The implementation:
+1. Wraps `gh auth login` with sensible defaults for devcontainer environments
+2. Automatically configures git to use GitHub CLI for credential management
+3. Uses HTTPS protocol and device flow authentication (works in headless envs)
+"""
+
+import shutil
+import subprocess
+import sys
+from typing import List, Tuple
+
+import typer
+
+# --- Configuration ---
+# OAuth scopes to request during login:
+# - repo: Full access to private/public repositories
+# - read:org: Read-only access to organization membership
+# - workflow: Ability to update GitHub Actions workflow files
+GITHUB_SCOPES = "repo,read:org,workflow"
+GITHUB_PROTOCOL = "https"
+
+# --- Color constants for formatted output ---
+RED = "\033[0;31m"
+GREEN = "\033[0;32m"
+YELLOW = "\033[0;33m"
+BLUE = "\033[0;36m"
+NC = "\033[0m"  # No Color
+
+
+# --- Helper Functions ---
+def _find_executable(name: str) -> str:
+    """Find the full path to an executable in PATH."""
+    path = shutil.which(name)
+    if not path:
+        raise FileNotFoundError(f"{name} command not found. Please ensure it's installed.")
+    return path
+
+
+def _run_command(
+    cmd_list: List[str],
+    capture: bool = False,
+    check: bool = True,
+    suppress_output: bool = False,
+) -> Tuple[int, str, str]:
+    """Run a command and return its result.
+
+    Args:
+        cmd_list: List of command arguments
+        capture: Whether to capture output
+        check: Whether to raise on non-zero exit code
+        suppress_output: Whether to hide output even if not captured
+
+    Returns:
+        Tuple of (return_code, stdout_str, stderr_str)
+    """
+    stdout_opt = subprocess.PIPE if capture else subprocess.DEVNULL if suppress_output else None
+    stderr_opt = subprocess.PIPE if capture else subprocess.DEVNULL if suppress_output else None
+
+    try:
+        result = subprocess.run(cmd_list, stdout=stdout_opt, stderr=stderr_opt, check=check, text=True)
+        return (
+            result.returncode,
+            result.stdout if capture else "",
+            result.stderr if capture else "",
+        )
+    except subprocess.CalledProcessError as e:
+        if capture:
+            return (e.returncode, e.stdout or "", e.stderr or "")
+        return (e.returncode, "", "")
+
+
+def _is_gh_authenticated() -> bool:
+    """Check if GitHub CLI is authenticated.
+
+    Returns:
+        True if `gh auth status` succeeds, False otherwise.
+    """
+    try:
+        gh_path = _find_executable("gh")
+        returncode, _, _ = _run_command(
+            [gh_path, "auth", "status"],
+            capture=True,
+            check=False,
+            suppress_output=True,
+        )
+        return returncode == 0
+    except FileNotFoundError:
+        return False
+
+
+def _get_gh_user() -> str:
+    """Get the currently authenticated GitHub username.
+
+    Returns:
+        The username or 'Not authenticated' if not logged in.
+    """
+    try:
+        gh_path = _find_executable("gh")
+        returncode, stdout, _ = _run_command(
+            [gh_path, "auth", "status", "--show-token"],
+            capture=True,
+            check=False,
+            suppress_output=True,
+        )
+        if returncode != 0:
+            return "Not authenticated"
+
+        # Parse the output to find the logged in account
+        # Format: "Logged in to github.com account username (keyring)"
+        for line in stdout.split("\n"):
+            if "Logged in to" in line and "account" in line:
+                parts = line.split("account")
+                if len(parts) > 1:
+                    # Extract username from "account username (keyring)" or similar
+                    user_part = parts[1].strip().split()[0]
+                    return user_part
+        return "Unknown"
+    except FileNotFoundError:
+        return "gh CLI not found"
+
+
+def _get_gh_scopes() -> str:
+    """Get the OAuth scopes for the current GitHub authentication.
+
+    Returns:
+        Comma-separated list of scopes or 'Unknown' if not available.
+    """
+    try:
+        gh_path = _find_executable("gh")
+        returncode, stdout, _ = _run_command(
+            [gh_path, "auth", "status"],
+            capture=True,
+            check=False,
+            suppress_output=True,
+        )
+        if returncode != 0:
+            return "N/A"
+
+        # Parse output for scopes - format varies by gh version
+        # Look for lines containing "Token scopes:" or similar
+        for line in stdout.split("\n"):
+            if "scopes" in line.lower():
+                # Extract everything after the colon
+                if ":" in line:
+                    scopes = line.split(":", 1)[1].strip()
+                    return scopes if scopes else "none"
+        return "Unknown"
+    except FileNotFoundError:
+        return "N/A"
+
+
+# --- Typer Application ---
+gh_app = typer.Typer(
+    help="Manage GitHub authentication using the gh CLI.",
+    context_settings={"help_option_names": ["-h", "--help"]},
+)
+
+
+@gh_app.command("status")
+def gh_status():
+    """Show current GitHub authentication status."""
+    print(f"{BLUE}--- GitHub Authentication Status ---{NC}")
+
+    try:
+        gh_path = _find_executable("gh")
+    except FileNotFoundError:
+        print(f"{RED}Error: GitHub CLI (gh) is not installed.{NC}")
+        print(f"Install it with: {YELLOW}brew install gh{NC} (Mac) or see https://cli.github.com")
+        sys.exit(1)
+
+    if _is_gh_authenticated():
+        user = _get_gh_user()
+        print(f"  Status: {GREEN}Authenticated{NC}")
+        print(f"  User: {GREEN}{user}{NC}")
+
+        # Show detailed status
+        print(f"\n{BLUE}Detailed status:{NC}")
+        _run_command([gh_path, "auth", "status"], check=False)
+    else:
+        print(f"  Status: {RED}Not authenticated{NC}")
+        print("\nTo authenticate, run:")
+        print(f"  {YELLOW}dh gh login{NC}")
+
+
+@gh_app.command("login")
+def gh_login():
+    """Authenticate with GitHub and configure git credential helper.
+
+    This command:
+    1. Authenticates with GitHub using device flow (works in headless environments)
+    2. Requests scopes: repo, read:org, workflow
+    3. Configures git to use the GitHub CLI for credential management
+    """
+    try:
+        gh_path = _find_executable("gh")
+    except FileNotFoundError:
+        print(f"{RED}Error: GitHub CLI (gh) is not installed.{NC}")
+        print(f"Install it with: {YELLOW}brew install gh{NC} (Mac) or see https://cli.github.com")
+        sys.exit(1)
+
+    # Step 1: Authenticate with GitHub
+    print(f"{BLUE}Authenticating with GitHub...{NC}")
+    print(f"{YELLOW}Requesting scopes: {GITHUB_SCOPES}{NC}")
+    print(f"{YELLOW}Using protocol: {GITHUB_PROTOCOL}{NC}")
+    print()
+
+    login_cmd = [
+        gh_path,
+        "auth",
+        "login",
+        "--web",  # Use device flow (works in devcontainers)
+        "--git-protocol",
+        GITHUB_PROTOCOL,
+        "--scopes",
+        GITHUB_SCOPES,
+    ]
+
+    returncode, _, _ = _run_command(login_cmd, capture=False, check=False)
+
+    if returncode != 0:
+        print(f"\n{RED}Authentication failed. Please check the output above.{NC}")
+        sys.exit(1)
+
+    # Step 2: Configure git credential helper
+    print(f"\n{BLUE}Configuring git to use GitHub CLI for credentials...{NC}")
+    setup_cmd = [gh_path, "auth", "setup-git"]
+    setup_rc, _, setup_err = _run_command(setup_cmd, capture=True, check=False)
+
+    if setup_rc != 0:
+        print(f"{YELLOW}Warning: Failed to configure git credential helper: {setup_err}{NC}")
+        print(f"You may need to run manually: {YELLOW}gh auth setup-git{NC}")
+    else:
+        print(f"{GREEN}Git credential helper configured.{NC}")
+
+    # Step 3: Show final status
+    print(f"\n{GREEN}GitHub authentication complete!{NC}")
+    print(f"\n{BLUE}--- Current Status ---{NC}")
+    gh_status()
+
+
+@gh_app.command("logout")
+def gh_logout():
+    """Log out from GitHub and clear credentials.
+
+    This removes the GitHub authentication token and unconfigures
+    the git credential helper.
+    """
+    try:
+        gh_path = _find_executable("gh")
+    except FileNotFoundError:
+        print(f"{RED}Error: GitHub CLI (gh) is not installed.{NC}")
+        sys.exit(1)
+
+    if not _is_gh_authenticated():
+        print(f"{YELLOW}Not currently authenticated with GitHub.{NC}")
+        return
+
+    print(f"{BLUE}Logging out from GitHub...{NC}")
+
+    # Log out from github.com
+    logout_cmd = [gh_path, "auth", "logout", "--hostname", "github.com"]
+    returncode, _, _ = _run_command(logout_cmd, capture=False, check=False)
+
+    if returncode != 0:
+        print(f"{RED}Logout may have failed. Check the output above.{NC}")
+        sys.exit(1)
+
+    print(f"\n{GREEN}Successfully logged out from GitHub.{NC}")
+    print(f"\n{BLUE}To log back in:{NC}")
+    print(f"  {YELLOW}dh gh login{NC}")

dh_cli-0.8.0/tests/batch/test_aws_batch_resources.py

@@ -0,0 +1,92 @@
+"""Tests for BatchClient resource-requirement construction.
+
+These tests mock only boto3.client("batch") and assert on the
+submit_args passed to submit_job. They pin the GPU-handling contract:
+gpus=None and gpus=0 both mean "no GPU requirement"; positive values
+are forwarded verbatim.
+"""
+
+from unittest.mock import MagicMock, patch
+
+
+def _make_client():
+    """Construct a BatchClient with mocked boto3 batch/logs clients."""
+    with patch("dh_cli.batch.aws_batch.boto3") as mock_boto3:
+        mock_batch = MagicMock()
+        mock_logs = MagicMock()
+        mock_boto3.client.side_effect = [mock_batch, mock_logs]
+        mock_batch.submit_job.return_value = {"jobId": "aws-uuid"}
+
+        from dh_cli.batch.aws_batch import BatchClient
+
+        client = BatchClient()
+        return client, mock_batch
+
+
+def _get_gpu_resource(submit_args):
+    """Extract the GPU resourceRequirement entry from submit_args, or None."""
+    overrides = submit_args.get("containerOverrides", {})
+    for req in overrides.get("resourceRequirements", []):
+        if req.get("type") == "GPU":
+            return req
+    return None
+
+
+class TestGpuResourceRequirement:
+    """gpus=None and gpus=0 must both omit the GPU resource requirement."""
+
+    def test_gpus_none_omits_gpu_resource(self):
+        client, mock_batch = _make_client()
+        client.submit_job(
+            job_name="j",
+            job_definition="dayhoff-generic",
+            job_queue="cpu-spot",
+            vcpus=4,
+            memory_mb=8192,
+            gpus=None,
+            command=["sh", "-c", "echo hi"],
+        )
+        submit_args = mock_batch.submit_job.call_args[1]
+        assert _get_gpu_resource(submit_args) is None
+
+    def test_gpus_zero_omits_gpu_resource(self):
+        client, mock_batch = _make_client()
+        client.submit_job(
+            job_name="j",
+            job_definition="dayhoff-generic",
+            job_queue="cpu-spot",
+            vcpus=4,
+            memory_mb=8192,
+            gpus=0,
+            command=["sh", "-c", "echo hi"],
+        )
+        submit_args = mock_batch.submit_job.call_args[1]
+        assert _get_gpu_resource(submit_args) is None
+
+    def test_gpus_one_includes_gpu_resource(self):
+        client, mock_batch = _make_client()
+        client.submit_job(
+            job_name="j",
+            job_definition="dayhoff-generic",
+            job_queue="t4-1x-spot",
+            vcpus=4,
+            memory_mb=8192,
+            gpus=1,
+            command=["sh", "-c", "echo hi"],
+        )
+        submit_args = mock_batch.submit_job.call_args[1]
+        assert _get_gpu_resource(submit_args) == {"type": "GPU", "value": "1"}
+
+    def test_gpus_two_includes_gpu_resource(self):
+        client, mock_batch = _make_client()
+        client.submit_job(
+            job_name="j",
+            job_definition="dayhoff-generic",
+            job_queue="t4-1x-spot",
+            vcpus=4,
+            memory_mb=8192,
+            gpus=2,
+            command=["sh", "-c", "echo hi"],
+        )
+        submit_args = mock_batch.submit_job.call_args[1]
+        assert _get_gpu_resource(submit_args) == {"type": "GPU", "value": "2"}

dh_cli-0.8.0/tests/batch/test_submit_cpu_only.py

@@ -0,0 +1,162 @@
+"""Tests for CPU-only submission paths through the CLI.
+
+Uses Click's CliRunner with BatchClient.submit_job mocked. Pins the
+contract: users can express "no GPU" via --gpus 0, YAML gpus: 0, or
+YAML gpus: null; the implicit --gpus 1 default still applies when
+nothing is specified; and the dry-run echo reads "no GPUs" rather
+than "None GPUs" or "0 GPUs".
+"""
+
+from unittest.mock import MagicMock, patch
+
+import pytest
+import yaml
+from click.testing import CliRunner
+
+
+@pytest.fixture
+def cli_runner():
+    return CliRunner()
+
+
+def _invoke(cli_runner, args, tmp_path):
+    """Invoke submit with BatchClient mocked and base-path tucked under tmp_path."""
+    base = tmp_path / "jobs"
+    with (
+        patch("dh_cli.batch.commands.submit.get_aws_username", return_value="jason"),
+        patch("dh_cli.batch.commands.submit.BatchClient") as mock_batch_cls,
+        patch(
+            "dh_cli.batch.commands.submit.generate_job_id",
+            return_value="jason-batch-20260511-cpu00001",
+        ),
+    ):
+        mock_client = MagicMock()
+        mock_client.submit_job.return_value = "aws-uuid-cpu"
+        mock_batch_cls.return_value = mock_client
+
+        from dh_cli.batch.commands.submit import submit
+
+        result = cli_runner.invoke(submit, args + ["--base-path", str(base)])
+        return result, mock_client
+
+
+class TestCpuOnlySubmissionPaths:
+    """--gpus 0, YAML gpus: 0, and YAML gpus: null must all submit with no GPU."""
+
+    def test_cli_gpus_zero_sends_no_gpu_requirement(self, cli_runner, tmp_path):
+        result, mock_client = _invoke(
+            cli_runner,
+            ["--command", "echo hi", "--queue", "cpu-spot", "--gpus", "0"],
+            tmp_path,
+        )
+        assert result.exit_code == 0, result.output
+        call_kwargs = mock_client.submit_job.call_args[1]
+        assert call_kwargs["gpus"] == 0
+
+    def test_yaml_gpus_zero_sends_no_gpu_requirement(self, cli_runner, tmp_path):
+        config_path = tmp_path / "job.yaml"
+        config_path.write_text(
+            yaml.dump(
+                {
+                    "command": "echo hi",
+                    "queue": "cpu-spot",
+                    "gpus": 0,
+                }
+            )
+        )
+        result, mock_client = _invoke(cli_runner, ["-f", str(config_path)], tmp_path)
+        assert result.exit_code == 0, result.output
+        call_kwargs = mock_client.submit_job.call_args[1]
+        assert call_kwargs["gpus"] == 0
+
+    def test_yaml_gpus_null_sends_no_gpu_requirement(self, cli_runner, tmp_path):
+        config_path = tmp_path / "job.yaml"
+        config_path.write_text(
+            yaml.dump(
+                {
+                    "command": "echo hi",
+                    "queue": "cpu-spot",
+                    "gpus": None,
+                }
+            )
+        )
+        result, mock_client = _invoke(cli_runner, ["-f", str(config_path)], tmp_path)
+        assert result.exit_code == 0, result.output
+        call_kwargs = mock_client.submit_job.call_args[1]
+        assert call_kwargs["gpus"] is None
+
+
+class TestGpuDefaultPreserved:
+    """Omitting --gpus and YAML gpus still gives the implicit GPU=1 default."""
+
+    def test_cli_gpus_omitted_gets_implicit_one(self, cli_runner, tmp_path):
+        result, mock_client = _invoke(cli_runner, ["--command", "echo hi"], tmp_path)
+        assert result.exit_code == 0, result.output
+        call_kwargs = mock_client.submit_job.call_args[1]
+        assert call_kwargs["gpus"] == 1
+
+    def test_cli_gpus_one_still_works(self, cli_runner, tmp_path):
+        result, mock_client = _invoke(cli_runner, ["--command", "echo hi", "--gpus", "1"], tmp_path)
+        assert result.exit_code == 0, result.output
+        call_kwargs = mock_client.submit_job.call_args[1]
+        assert call_kwargs["gpus"] == 1
+
+    def test_yaml_gpus_one_still_works(self, cli_runner, tmp_path):
+        config_path = tmp_path / "job.yaml"
+        config_path.write_text(yaml.dump({"command": "echo hi", "gpus": 1}))
+        result, mock_client = _invoke(cli_runner, ["-f", str(config_path)], tmp_path)
+        assert result.exit_code == 0, result.output
+        call_kwargs = mock_client.submit_job.call_args[1]
+        assert call_kwargs["gpus"] == 1
+
+
+class TestCliBeatsYamlOnZero:
+    """--gpus 0 on the CLI must beat YAML gpus: 1."""
+
+    def test_cli_gpus_zero_overrides_yaml_one(self, cli_runner, tmp_path):
+        config_path = tmp_path / "job.yaml"
+        config_path.write_text(yaml.dump({"command": "echo hi", "gpus": 1}))
+        result, mock_client = _invoke(cli_runner, ["-f", str(config_path), "--gpus", "0"], tmp_path)
+        assert result.exit_code == 0, result.output
+        call_kwargs = mock_client.submit_job.call_args[1]
+        assert call_kwargs["gpus"] == 0
+
+
+class TestDryRunEcho:
+    """The dry-run plan line must read 'no GPUs' or 'N GPUs', never 'None'/'0 GPUs'."""
+
+    def test_dry_run_echo_reads_no_gpus_when_gpus_zero(self, cli_runner, tmp_path):
+        result, _ = _invoke(
+            cli_runner,
+            [
+                "--command",
+                "echo hi",
+                "--queue",
+                "cpu-spot",
+                "--gpus",
+                "0",
+                "--dry-run",
+            ],
+            tmp_path,
+        )
+        assert result.exit_code == 0, result.output
+        assert "no GPUs" in result.output
+        assert "None GPUs" not in result.output
+        assert "0 GPUs" not in result.output
+
+    def test_dry_run_echo_reads_no_gpus_when_yaml_gpus_null(self, cli_runner, tmp_path):
+        config_path = tmp_path / "job.yaml"
+        config_path.write_text(yaml.dump({"command": "echo hi", "queue": "cpu-spot", "gpus": None}))
+        result, _ = _invoke(cli_runner, ["-f", str(config_path), "--dry-run"], tmp_path)
+        assert result.exit_code == 0, result.output
+        assert "no GPUs" in result.output
+        assert "None GPUs" not in result.output
+
+    def test_dry_run_echo_reads_n_gpus_when_gpus_positive(self, cli_runner, tmp_path):
+        result, _ = _invoke(
+            cli_runner,
+            ["--command", "echo hi", "--gpus", "2", "--dry-run"],
+            tmp_path,
+        )
+        assert result.exit_code == 0, result.output
+        assert "2 GPUs" in result.output

dh_cli-0.7.1/src/dh_cli/_identity.py

@@ -1,82 +0,0 @@
-"""Identity resolution for `dh` commands that read per-developer secrets.
-
-The `github_commands` and (future) `bedrock` commands both key per-user
-Secrets Manager entries on the caller's Dayhoff handle. This module
-resolves that handle from the current SSO session in a way that matches
-the server-side resource policy (which keys on
-`aws:PrincipalTag/Email`).
-
-Design note — why not session tags directly?
-
-    AWS Secrets Manager resource policies evaluate
-    `aws:PrincipalTag/Email` automatically because IAM Identity Center
-    attaches an `Email` principal tag to DeveloperAccess sessions. But
-    there is no SDK API that lets a session read its own principal
-    tags back — session tags are visible *only* to IAM condition
-    evaluation, not to callers. The closest observable we have is the
-    assumed-role ARN's RoleSessionName, which Identity Center sets to
-    the user's email by default.
-
-    So the resolution below extracts the RoleSessionName and strips the
-    `@<domain>` suffix if present. This matches what the policy's
-    `aws:PrincipalTag/Email` condition will also evaluate to at
-    GetSecretValue time — i.e. "which secret can I read?" and "what
-    handle am I?" are answered by the same identity fact by
-    construction.
-
-CANARY (resolve pre-code-freeze, plan §"Pre-implementation canaries"
-Canary 1): confirm the RoleSessionName on DeveloperAccess is
-`<handle>@dayhoff.com` and not `<handle>@dayhofflabs.com`. The
-DEFAULT_DOMAIN constant below is the single place to flip that.
-"""
-from __future__ import annotations
-
-import re
-
-DEFAULT_DOMAIN = "dayhoff.com"
-
-_SSO_ASSUMED_ROLE_RE = re.compile(
-    r"^arn:aws:sts::\d+:assumed-role/AWSReservedSSO_[^/]+/(?P<session>.+)$"
-)
-
-
-class HandleResolutionError(RuntimeError):
-    """Raised when the current session's handle can't be determined.
-
-    The caller is expected to turn this into a user-facing error
-    pointing at `awslogin dev-devaccess`.
-    """
-
-
-def resolve_handle_from_session(session, *, domain: str = DEFAULT_DOMAIN) -> str:
-    """Return the dev handle matching the SSO session's Email principal tag.
-
-    Args:
-        session: a boto3 Session configured with the caller's SSO
-            credentials. The function calls `sts:GetCallerIdentity` on
-            it; if that call would fall through to the engine instance
-            role instead of the dev's SSO creds, the caller must have
-            already detected and errored on that before getting here
-            (see `github_commands._sso_session`).
-        domain: email domain to strip from the session name. Defaults to
-            `dayhoff.com` to match `cursor_bedrock_role.tf`'s tag.
-
-    Returns:
-        The handle (e.g. `"dma"`).
-
-    Raises:
-        HandleResolutionError: the caller's ARN doesn't look like an
-            Identity Center DeveloperAccess session.
-    """
-    arn = session.client("sts").get_caller_identity()["Arn"]
-    match = _SSO_ASSUMED_ROLE_RE.match(arn)
-    if not match:
-        raise HandleResolutionError(
-            f"Caller ARN does not look like an AWS SSO session: {arn}. "
-            f"Run `awslogin dev-devaccess` (or pass --handle explicitly)."
-        )
-    session_name = match.group("session")
-    suffix = f"@{domain}"
-    if session_name.endswith(suffix):
-        return session_name[: -len(suffix)]
-    return session_name