dominus-sdk-python 3.0.2__py3-none-any.whl → 3.0.4__py3-none-any.whl

dominus/__init__.py

@@ -111,6 +111,8 @@ from .namespaces.jobs import JobsNamespace
 from .namespaces.processor import ProcessorNamespace
 from .namespaces.sync import SyncNamespace
 from .namespaces.authority import AuthorityNamespace
+from .namespaces.deployer import DeployerNamespace
+from .namespaces.warden import WardenNamespace
 
 # Export AI namespace for agent-runtime operations
 from .namespaces.ai import (
@@ -211,6 +213,8 @@ __all__ = [
     "ProcessorNamespace",
     "SyncNamespace",
     "AuthorityNamespace",
+    "DeployerNamespace",
+    "WardenNamespace",
     # AI namespace for agent-runtime operations
     "AiNamespace",
     "RagSubNamespace",

dominus/config/endpoints.py

@@ -2,13 +2,17 @@
 Dominus SDK Endpoints
 
 Gateway URL for service routing and health checks.
-JWT URL for authentication (JWT minting).
+JWT URL for authentication (JWT minting) — defaults to the same host as the gateway.
 Logs URL for log ingestion.
 Base URL for SDK requests (defaults to gateway).
 
+Defaults always target the production gateway. They do not depend on the caller’s
+git branch, PyPI package variant, or deployment environment. Override only with
+DOMINUS_* env vars for local or advanced routing.
+
 Configuration:
     Set DOMINUS_GATEWAY_URL to override the gateway URL.
-    Set DOMINUS_JWT_URL to override the JWT minting URL.
+    Set DOMINUS_JWT_URL to override the JWT minting URL (defaults to gateway URL).
     Set DOMINUS_LOGS_URL to override the logs URL.
     Set DOMINUS_BASE_URL to override the SDK request base URL.
     Example: export DOMINUS_BASE_URL=http://localhost:5000
@@ -18,23 +22,21 @@ Usage:
 """
 import os
 
-# Default URLs - Cloudflare Workers
+# Production gateway (Cloudflare Worker). Canonical default for all SDK HTTP traffic.
 _DEFAULT_GATEWAY_URL = "https://gateway.getdominus.app"
-_DEFAULT_JWT_URL = "https://jwt.getdominus.app"
 _DEFAULT_LOGS_URL = "https://logs.getdominus.app"
-_DEFAULT_BASE_URL = _DEFAULT_GATEWAY_URL
 
 # Gateway URL for service routing (can be overridden via DOMINUS_GATEWAY_URL)
 GATEWAY_URL = os.environ.get("DOMINUS_GATEWAY_URL", _DEFAULT_GATEWAY_URL)
 
-# JWT URL for authentication (can be overridden via DOMINUS_JWT_URL)
-JWT_URL = os.environ.get("DOMINUS_JWT_URL", _DEFAULT_JWT_URL)
+# JWT mint/JWKS: same host as gateway by default (matches Node SDK).
+JWT_URL = os.environ.get("DOMINUS_JWT_URL", GATEWAY_URL)
 
 # Logs URL for log ingestion (can be overridden via DOMINUS_LOGS_URL)
 LOGS_URL = os.environ.get("DOMINUS_LOGS_URL", _DEFAULT_LOGS_URL)
 
-# Base URL for SDK requests (can be overridden via DOMINUS_BASE_URL environment variable)
-BASE_URL = os.environ.get("DOMINUS_BASE_URL", _DEFAULT_BASE_URL)
+# Base URL for non-gateway SDK paths defaults to the same resolved gateway URL.
+BASE_URL = os.environ.get("DOMINUS_BASE_URL", GATEWAY_URL)
 
 # Legacy aliases retained as gateway-first aliases.
 SOVEREIGN_URL = BASE_URL
@@ -77,12 +79,11 @@ def get_gateway_url() -> str:
 
 def get_jwt_url() -> str:
     """
-    Get the JWT worker URL for authentication (JWT minting/validation).
+    Get the base URL for JWT mint/JWKS (defaults to the same host as the gateway).
 
-    Returns the value of DOMINUS_JWT_URL environment variable if set,
-    otherwise returns the default Cloudflare Worker URL.
+    Returns DOMINUS_JWT_URL if set, otherwise the same resolution as get_gateway_url().
     """
-    return os.environ.get("DOMINUS_JWT_URL", _DEFAULT_JWT_URL)
+    return os.environ.get("DOMINUS_JWT_URL", get_gateway_url())
 
 
 def get_logs_url() -> str:
@@ -99,10 +100,9 @@ def get_base_url() -> str:
     """
     Get the SDK request base URL.
 
-    Returns the value of DOMINUS_BASE_URL environment variable if set,
-    otherwise returns the default gateway URL.
+    Returns DOMINUS_BASE_URL if set, otherwise the same resolution as get_gateway_url().
     """
-    return os.environ.get("DOMINUS_BASE_URL", _DEFAULT_BASE_URL)
+    return os.environ.get("DOMINUS_BASE_URL", get_gateway_url())
 
 
 # DEPRECATED - use get_base_url()

dominus/namespaces/__init__.py

@@ -15,6 +15,8 @@ from .jobs import JobsNamespace
 from .processor import ProcessorNamespace
 from .sync import SyncNamespace
 from .authority import AuthorityNamespace
+from .deployer import DeployerNamespace
+from .warden import WardenNamespace
 from .ai import (
     AiNamespace,
     RagSubNamespace,
@@ -40,6 +42,8 @@ __all__ = [
     "ProcessorNamespace",
     "SyncNamespace",
     "AuthorityNamespace",
+    "DeployerNamespace",
+    "WardenNamespace",
     "AiNamespace",
     "RagSubNamespace",
     "ArtifactsSubNamespace",

dominus/namespaces/authority.py

@@ -37,6 +37,17 @@ def _compact(payload: Mapping[str, Any]) -> Dict[str, Any]:
     return out
 
 
+def _normalize_run_kind_token(raw: Optional[str]) -> str:
+    if not raw:
+        return ""
+    s = str(raw).strip().lower().replace(".", "_").replace("-", "_")
+    return s
+
+
+def _is_company_bootstrap_run_kind(run_kind: Optional[str]) -> bool:
+    return _normalize_run_kind_token(run_kind) == "company_bootstrap"
+
+
 def _query_string(params: Mapping[str, Any]) -> str:
     cleaned = {k: v for k, v in params.items() if v is not None and v != ""}
     if not cleaned:
@@ -110,17 +121,37 @@ class AuthorityNamespace:
     ) -> Dict[str, Any]:
         out: Dict[str, Any] = {}
         if app_slug:
-            out["project_slug"] = app_slug
+            out["app_slug"] = app_slug
         if env:
-            out["environment"] = env
+            out["env"] = env
         if target_org_id:
-            out["target_project_id"] = target_org_id
+            out["target_org_id"] = target_org_id
         if target_app_slug:
-            out["target_project_slug"] = target_app_slug
+            out["target_app_slug"] = target_app_slug
         if target_env:
-            out["target_environment"] = target_env
+            out["target_env"] = target_env
         return out
 
+    def _target_query_params(
+        self,
+        target_org_id: Optional[str],
+        target_env: Optional[str],
+    ) -> tuple[Optional[str], Optional[str]]:
+        """
+        Omit target_org_id / target_env from GET query strings when they
+        duplicate the JWT gateway org/env (selected-scope MCP and operators).
+        """
+        client = self._client
+        gw_org = getattr(client, "_gateway_org_id", None)
+        gw_env = getattr(client, "_gateway_env", None)
+        tid = target_org_id
+        tev = target_env
+        if tid is not None and gw_org is not None and str(tid) == str(gw_org):
+            tid = None
+        if tev is not None and gw_env is not None and str(tev) == str(gw_env):
+            tev = None
+        return tid, tev
+
     @staticmethod
     def _http_timeout(explicit: Optional[float], default: float) -> float:
         """Use explicit client timeout when provided; otherwise the historical SDK default."""
@@ -135,6 +166,9 @@ class AuthorityNamespace:
         *,
         workflow_id: Optional[str] = None,
         workflow_ref: Optional[str] = None,
+        run_kind: Optional[str] = None,
+        company_slug: Optional[str] = None,
+        slug: Optional[str] = None,
         instance_id: Optional[str] = None,
         instance_key: Optional[str] = None,
         group: Optional[str] = None,
@@ -149,6 +183,18 @@ class AuthorityNamespace:
         env: Optional[str] = None,
         target_org_id: Optional[str] = None,
         target_env: Optional[str] = None,
+        target_app_slug: Optional[str] = None,
+        shared_app_slug: Optional[str] = None,
+        execution_mode: Optional[str] = None,
+        region: Optional[str] = None,
+        system: Optional[str] = None,
+        github_mode: Optional[str] = None,
+        overwrite_existing: Optional[bool] = None,
+        owner_email: Optional[str] = None,
+        include: Optional[Dict[str, Any]] = None,
+        metadata: Optional[Dict[str, Any]] = None,
+        display_name: Optional[str] = None,
+        description: Optional[str] = None,
         initiator_type: Optional[str] = None,
         initiator_id: Optional[str] = None,
         idempotency_key: Optional[str] = None,
@@ -158,30 +204,79 @@ class AuthorityNamespace:
         Ensure (and optionally launch) an Authority-backed workflow run.
 
         Calls ``POST /api/authority/runs/ensure``.
+
+        For company bootstrap, pass ``run_kind="company.bootstrap"`` (or ``company_bootstrap``) plus
+        ``company``, ``company_slug``, or ``slug``. Optional bootstrap fields mirror
+        ``bootstrap_company`` (``execution_mode``, ``region``, …).
         """
-        if not workflow_id and not workflow_ref:
-            raise ValueError("ensure_run requires workflow_id or workflow_ref")
+        bootstrap = _is_company_bootstrap_run_kind(run_kind)
+        if not bootstrap and not workflow_id and not workflow_ref:
+            raise ValueError(
+                "ensure_run requires workflow_id or workflow_ref unless run_kind is "
+                "company.bootstrap / company_bootstrap"
+            )
+        if bootstrap:
+            co = (company_slug or slug or company or "").strip()
+            if not co:
+                raise ValueError(
+                    "ensure_run with run_kind company.bootstrap requires company, company_slug, or slug"
+                )
         if mode == "streaming":
             raise ValueError(
                 "Authority runs do not support streaming mode; "
                 "use blocking, async, or ensure_only"
             )
-        body = _compact({
-            "workflow_id": workflow_id,
-            "workflow_ref": workflow_ref,
-            "instance_id": instance_id,
-            "instance_key": instance_key,
-            "group": group,
-            "owner": owner,
-            "subject": subject,
-            "company": company,
-            "mode": mode,
-            "bindings": bindings,
-            "inputs": inputs,
-            "context": context,
-            **self._initiator(initiator_type, initiator_id, idempotency_key),
-            **self._scope(app_slug, env, target_org_id, target_env),
-        })
+
+        initiator = self._initiator(initiator_type, initiator_id, idempotency_key)
+        scope = self._scope(app_slug, env, target_org_id, target_env, target_app_slug=target_app_slug)
+
+        if bootstrap:
+            body = _compact({
+                "run_kind": run_kind,
+                "workflow_id": workflow_id,
+                "workflow_ref": workflow_ref,
+                "instance_id": instance_id,
+                "instance_key": instance_key,
+                "group": group,
+                "owner": owner,
+                "subject": subject,
+                "company": company,
+                "company_slug": company_slug,
+                "slug": slug,
+                "bindings": bindings,
+                "inputs": inputs,
+                "context": context,
+                "execution_mode": execution_mode,
+                "region": region,
+                "system": system,
+                "github_mode": github_mode,
+                "overwrite_existing": overwrite_existing,
+                "owner_email": owner_email,
+                "include": include,
+                "metadata": metadata,
+                "display_name": display_name,
+                "description": description,
+                "shared_app_slug": shared_app_slug,
+                **initiator,
+                **scope,
+            })
+        else:
+            body = _compact({
+                "workflow_id": workflow_id,
+                "workflow_ref": workflow_ref,
+                "instance_id": instance_id,
+                "instance_key": instance_key,
+                "group": group,
+                "owner": owner,
+                "subject": subject,
+                "company": company,
+                "mode": mode,
+                "bindings": bindings,
+                "inputs": inputs,
+                "context": context,
+                **initiator,
+                **scope,
+            })
         return await self._post(
             "/api/authority/runs/ensure",
             body,
@@ -213,15 +308,16 @@ class AuthorityNamespace:
         timeout: Optional[float] = None,
     ) -> Dict[str, Any]:
         """List Authority-backed runs. ``GET /api/authority/runs``."""
+        tid, tev = self._target_query_params(target_org_id, target_env)
         qs = _query_string({
             "workflow_id": workflow_id,
             "status": status,
             "group": group,
             "owner": owner,
-            "project_slug": app_slug,
-            "environment": env,
-            "target_project_id": target_org_id,
-            "target_environment": target_env,
+            "app_slug": app_slug,
+            "env": env,
+            "target_org_id": tid,
+            "target_env": tev,
             "limit": limit,
             "offset": offset,
         })
@@ -418,14 +514,15 @@ class AuthorityNamespace:
         offset: int = 0,
     ) -> Dict[str, Any]:
         """List Authority workflow bindings. ``GET /api/authority/workflow-bindings``."""
+        tid, tev = self._target_query_params(target_org_id, target_env)
         qs = _query_string({
             "workflow_ref": workflow_ref,
             "workflow_id": workflow_id,
             "status": status,
-            "project_slug": app_slug,
-            "environment": env,
-            "target_project_id": target_org_id,
-            "target_environment": target_env,
+            "app_slug": app_slug,
+            "env": env,
+            "target_org_id": tid,
+            "target_env": tev,
             "limit": limit,
             "offset": offset,
         })
@@ -444,13 +541,14 @@ class AuthorityNamespace:
         offset: int = 0,
     ) -> Dict[str, Any]:
         """List Authority workflow publications. ``GET /api/authority/workflow-publications``."""
+        tid, tev = self._target_query_params(target_org_id, target_env)
         qs = _query_string({
             "workflow_ref": workflow_ref,
             "status": status,
-            "project_slug": app_slug,
-            "environment": env,
-            "target_project_id": target_org_id,
-            "target_environment": target_env,
+            "app_slug": app_slug,
+            "env": env,
+            "target_org_id": tid,
+            "target_env": tev,
             "limit": limit,
             "offset": offset,
         })
@@ -510,11 +608,12 @@ class AuthorityNamespace:
         """Get an Authority company. ``GET /api/authority/companies/{company}``."""
         if not company_slug:
             raise ValueError("company_slug is required")
+        tid, tev = self._target_query_params(target_org_id, target_env)
         qs = _query_string({
-            "project_slug": app_slug,
-            "environment": env,
-            "target_project_id": target_org_id,
-            "target_environment": target_env,
+            "app_slug": app_slug,
+            "env": env,
+            "target_org_id": tid,
+            "target_env": tev,
         })
         return await self._get(
             f"/api/authority/companies/{quote(company_slug, safe='')}{qs}",
@@ -534,11 +633,12 @@ class AuthorityNamespace:
         timeout: Optional[float] = None,
     ) -> Dict[str, Any]:
         """List Authority companies. ``GET /api/authority/companies``."""
+        tid, tev = self._target_query_params(target_org_id, target_env)
         qs = _query_string({
-            "project_slug": app_slug,
-            "environment": env,
-            "target_project_id": target_org_id,
-            "target_environment": target_env,
+            "app_slug": app_slug,
+            "env": env,
+            "target_org_id": tid,
+            "target_env": tev,
             "status": status,
             "limit": limit,
             "offset": offset,
@@ -584,7 +684,7 @@ class AuthorityNamespace:
             "action": action,
             "run_id": run_id,
             "reason": reason,
-            "shared_project_slug": shared_app_slug,
+            "shared_app_slug": shared_app_slug,
             "region": region,
             "system": system,
             "github_mode": github_mode,
@@ -625,8 +725,8 @@ class AuthorityNamespace:
         if not company_slug:
             raise ValueError("company_slug is required")
         qs = _query_string({
-            "project_slug": app_slug,
-            "environment": env,
+            "app_slug": app_slug,
+            "env": env,
             "run_id": run_id,
         })
         return await self._get(
@@ -647,11 +747,12 @@ class AuthorityNamespace:
         """Get full Authority dossier for a company. ``GET /api/authority/dossiers/company/{company}``."""
         if not company_slug:
             raise ValueError("company_slug is required")
+        tid, tev = self._target_query_params(target_org_id, target_env)
         qs = _query_string({
-            "project_slug": app_slug,
-            "environment": env,
-            "target_project_id": target_org_id,
-            "target_environment": target_env,
+            "app_slug": app_slug,
+            "env": env,
+            "target_org_id": tid,
+            "target_env": tev,
         })
         return await self._get(
             f"/api/authority/dossiers/company/{quote(company_slug, safe='')}{qs}",
@@ -726,11 +827,12 @@ class AuthorityNamespace:
         timeout: Optional[float] = None,
     ) -> Dict[str, Any]:
         """List deploys. ``GET /api/authority/deploys``."""
+        tid, tev = self._target_query_params(target_org_id, target_env)
         qs = _query_string({
-            "project_slug": app_slug,
-            "environment": env,
-            "target_project_id": target_org_id,
-            "target_environment": target_env,
+            "app_slug": app_slug,
+            "env": env,
+            "target_org_id": tid,
+            "target_env": tev,
             "repo_full_name": repo_full_name,
             "status": status,
             "limit": limit,
@@ -753,6 +855,8 @@ class AuthorityNamespace:
         company: Optional[str] = None,
         subject: Optional[str] = None,
         metadata: Optional[Dict[str, Any]] = None,
+        force: Optional[bool] = None,
+        allow_duplicate_sha: Optional[bool] = None,
         app_slug: Optional[str] = None,
         env: Optional[str] = None,
         target_org_id: Optional[str] = None,
@@ -774,6 +878,8 @@ class AuthorityNamespace:
             "company": company,
             "subject": subject,
             "metadata": metadata,
+            "force": force,
+            "allow_duplicate_sha": allow_duplicate_sha,
             **self._initiator(initiator_type, initiator_id, idempotency_key),
             **self._scope(app_slug, env, target_org_id, target_env),
         })
@@ -882,7 +988,7 @@ class AuthorityNamespace:
         *,
         variant_slug: str,
         version: str,
-        manifest_path: str,
+        manifest_path: Optional[str] = None,
         status: str = "published",
         storage_app_slug: Optional[str] = None,
         storage_env: Optional[str] = None,
@@ -898,19 +1004,29 @@ class AuthorityNamespace:
         idempotency_key: Optional[str] = None,
         timeout: Optional[float] = None,
     ) -> Dict[str, Any]:
-        """Publish a managed-client release. ``POST /api/authority/clients/releases``."""
+        """
+        Create or upsert a managed-client release.
+
+        ``POST /api/authority/clients/releases``.
+
+        Use ``status="proposed"`` to start the release FSM without publishing;
+        ``manifest_path`` may be omitted for proposed releases. Use
+        ``approve_client_release`` → ``publish_approved_client_release`` →
+        ``distribute_client_release`` for staged rollout.
+        """
         if not variant_slug:
             raise ValueError("publish_client_release requires variant_slug")
         if not version:
             raise ValueError("publish_client_release requires version")
-        if not manifest_path:
-            raise ValueError("publish_client_release requires manifest_path")
+        status_eff = str(status or "published").strip().lower()
+        if not manifest_path and status_eff != "proposed":
+            raise ValueError("publish_client_release requires manifest_path unless status is proposed")
         body = _compact({
             "variant_slug": variant_slug,
             "version": version,
             "status": status,
-            "storage_project_slug": storage_app_slug,
-            "storage_environment": storage_env,
+            "storage_app_slug": storage_app_slug,
+            "storage_env": storage_env,
             "storage_category": storage_category,
             "manifest_path": manifest_path,
             "bootstrapper_path": bootstrapper_path,
@@ -926,6 +1042,95 @@ class AuthorityNamespace:
             timeout=self._http_timeout(timeout, 30.0),
         )
 
+    async def get_client_release(
+        self,
+        release_id: str,
+        *,
+        app_slug: Optional[str] = None,
+        env: Optional[str] = None,
+        timeout: Optional[float] = None,
+    ) -> Dict[str, Any]:
+        """Fetch one release by id. ``GET /api/authority/clients/releases/{release_id}``."""
+        if not release_id:
+            raise ValueError("get_client_release requires release_id")
+        qs = _query_string({"app_slug": app_slug, "env": env})
+        return await self._get(
+            f"/api/authority/clients/releases/{quote(release_id, safe='')}{qs}",
+            timeout=self._http_timeout(timeout, 30.0),
+        )
+
+    async def approve_client_release(
+        self,
+        release_id: str,
+        *,
+        app_slug: Optional[str] = None,
+        env: Optional[str] = None,
+        initiator_type: Optional[str] = None,
+        initiator_id: Optional[str] = None,
+        idempotency_key: Optional[str] = None,
+        timeout: Optional[float] = None,
+    ) -> Dict[str, Any]:
+        """Approve a proposed release. ``POST /api/authority/clients/releases/{id}/approve``."""
+        if not release_id:
+            raise ValueError("approve_client_release requires release_id")
+        body = _compact({
+            **self._initiator(initiator_type, initiator_id, idempotency_key),
+            **self._scope(app_slug, env, None, None),
+        })
+        return await self._post(
+            f"/api/authority/clients/releases/{quote(release_id, safe='')}/approve",
+            body,
+            timeout=self._http_timeout(timeout, 30.0),
+        )
+
+    async def publish_approved_client_release(
+        self,
+        release_id: str,
+        *,
+        app_slug: Optional[str] = None,
+        env: Optional[str] = None,
+        initiator_type: Optional[str] = None,
+        initiator_id: Optional[str] = None,
+        idempotency_key: Optional[str] = None,
+        timeout: Optional[float] = None,
+    ) -> Dict[str, Any]:
+        """Publish an approved release (gateway health handshake). ``POST .../publish``."""
+        if not release_id:
+            raise ValueError("publish_approved_client_release requires release_id")
+        body = _compact({
+            **self._initiator(initiator_type, initiator_id, idempotency_key),
+            **self._scope(app_slug, env, None, None),
+        })
+        return await self._post(
+            f"/api/authority/clients/releases/{quote(release_id, safe='')}/publish",
+            body,
+            timeout=self._http_timeout(timeout, 30.0),
+        )
+
+    async def distribute_client_release(
+        self,
+        release_id: str,
+        *,
+        app_slug: Optional[str] = None,
+        env: Optional[str] = None,
+        initiator_type: Optional[str] = None,
+        initiator_id: Optional[str] = None,
+        idempotency_key: Optional[str] = None,
+        timeout: Optional[float] = None,
+    ) -> Dict[str, Any]:
+        """Mark a published release as distributed. ``POST .../distribute``."""
+        if not release_id:
+            raise ValueError("distribute_client_release requires release_id")
+        body = _compact({
+            **self._initiator(initiator_type, initiator_id, idempotency_key),
+            **self._scope(app_slug, env, None, None),
+        })
+        return await self._post(
+            f"/api/authority/clients/releases/{quote(release_id, safe='')}/distribute",
+            body,
+            timeout=self._http_timeout(timeout, 30.0),
+        )
+
     async def create_client_bootstrap_session(
         self,
         *,
@@ -987,8 +1192,8 @@ class AuthorityNamespace:
     ) -> Dict[str, Any]:
         """List managed client installations. ``GET /api/authority/clients/installations``."""
         qs = _query_string({
-            "project_slug": app_slug,
-            "environment": env,
+            "app_slug": app_slug,
+            "env": env,
             "status": status,
             "variant_slug": variant_slug,
             "company": company,

dominus/namespaces/db.py

@@ -449,7 +449,7 @@ class DbNamespace:
     async def provision_neon_complete(
         self,
         *,
-        project_slug: str,
+        app_slug: str,
         region: Optional[str] = None,
         timeout: float = 300.0,
     ) -> Dict[str, Any]:
@@ -459,7 +459,7 @@ class DbNamespace:
             endpoint="/api/provision/complete",
             method="POST",
             body={
-                "project_slug": project_slug,
+                "app_slug": app_slug,
                 "region": region or "aws-us-east-1",
             },
             use_gateway=True,
@@ -469,7 +469,7 @@ class DbNamespace:
     async def provision_neon_delete(
         self,
         *,
-        project_slug: str,
+        app_slug: str,
         timeout: float = 120.0,
     ) -> Dict[str, Any]:
         """Neon teardown via ``DELETE /api/provision/delete``."""
@@ -477,7 +477,7 @@ class DbNamespace:
         return await self._client._request(
             endpoint="/api/provision/delete",
             method="DELETE",
-            body={"project_slug": project_slug},
+            body={"app_slug": app_slug},
             use_gateway=True,
             timeout=cap,
         )

dominus/namespaces/deployer.py

@@ -0,0 +1,39 @@
+"""Thin Deployer control-plane namespace."""
+from typing import Any, Dict, Optional, TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from ..start import Dominus
+
+
+def _normalize_deployer_path(path: str) -> str:
+    trimmed = path.strip()
+    normalized = trimmed if trimmed.startswith("/") else f"/{trimmed}"
+    if normalized == "/svc/deployer" or normalized.startswith("/svc/deployer/"):
+        return normalized
+    if normalized == "/api/deployer" or normalized.startswith("/api/deployer/"):
+        return normalized
+    return f"/svc/deployer{normalized}"
+
+
+class DeployerNamespace:
+    """Deployer operator control-plane routes used by Mothership and MCP."""
+
+    def __init__(self, client: "Dominus"):
+        self._client = client
+
+    async def request(
+        self,
+        path: str,
+        *,
+        method: str = "GET",
+        body: Any = None,
+        headers: Optional[Dict[str, str]] = None,
+        timeout: float = 30.0,
+    ) -> Any:
+        return await self._client.gateway_fetch(
+            _normalize_deployer_path(path),
+            method=method,
+            body=body,
+            headers=headers,
+            timeout=timeout,
+        )

dominus/namespaces/secrets.py

@@ -199,7 +199,7 @@ class SecretsNamespace:
             endpoint="/api/warden/secrets",
             body={
                 "action": "list-all-environments",
-                "project_id": infisical_project_id,
+                "infisical_project_id": infisical_project_id,
             },
             use_gateway=True,
         )

dominus/namespaces/sync.py

@@ -1,7 +1,7 @@
 """
 Sync Namespace - KV synchronization operations.
 
-Provides manual trigger for KV sync (token + project metadata)
+Provides manual trigger for KV sync (token + app metadata)
 from database to Cloudflare KV. Routes through gateway to sync-worker.
 
 The sync worker also runs automatically at 4AM UTC via cron.
@@ -11,7 +11,7 @@ Usage:
 
     # Trigger manual sync (admin only)
     result = await dominus.sync.trigger_sync()
-    print(f"Synced {result['tokens_synced']} tokens, {result['projects_synced']} projects")
+    print(f"Synced {result['tokens_synced']} tokens, {result['apps_synced']} apps")
 
     # Health check
     health = await dominus.sync.get_health()
@@ -26,7 +26,7 @@ class SyncNamespace:
     """
     KV sync namespace.
 
-    Admin-only operations that synchronize token hashes and project
+    Admin-only operations that synchronize token hashes and app
     metadata from the database into Cloudflare KV. Purges stale
     entries and re-seeds current data.
     """
@@ -54,15 +54,15 @@ class SyncNamespace:
         """
         Trigger a manual KV sync. Requires admin system level.
 
-        Synchronizes token hashes and project metadata from the database
+        Synchronizes token hashes and app metadata from the database
         into Cloudflare KV. Purges stale entries and re-seeds current data.
 
         Args:
             timeout: Request timeout in seconds (default 60; Mothership uses 180).
 
         Returns:
-            {tokens_synced, projects_synced, tokens_deleted,
-             projects_deleted, errors, duration_ms, triggered_at}
+            {tokens_synced, apps_synced, tokens_deleted,
+             apps_deleted, errors, duration_ms, triggered_at}
         """
         return await self._api(
             "/api/sync/",

dominus/namespaces/warden.py

@@ -0,0 +1,39 @@
+"""Thin Warden control-plane namespace."""
+from typing import Any, Dict, Optional, TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from ..start import Dominus
+
+
+def _normalize_warden_path(path: str) -> str:
+    trimmed = path.strip()
+    normalized = trimmed if trimmed.startswith("/") else f"/{trimmed}"
+    if normalized == "/svc/warden" or normalized.startswith("/svc/warden/"):
+        return normalized
+    if normalized == "/api/warden" or normalized.startswith("/api/warden/"):
+        return normalized
+    return f"/svc/warden{normalized}"
+
+
+class WardenNamespace:
+    """Warden operator control-plane routes used by Mothership and MCP."""
+
+    def __init__(self, client: "Dominus"):
+        self._client = client
+
+    async def request(
+        self,
+        path: str,
+        *,
+        method: str = "GET",
+        body: Any = None,
+        headers: Optional[Dict[str, str]] = None,
+        timeout: float = 30.0,
+    ) -> Any:
+        return await self._client.gateway_fetch(
+            _normalize_warden_path(path),
+            method=method,
+            body=body,
+            headers=headers,
+            timeout=timeout,
+        )

dominus/namespaces/workflow.py

@@ -246,9 +246,9 @@ class WorkflowNamespace:
         if instance_id:
             body["instance_id"] = instance_id
         if target_project_id:
-            body["target_project_id"] = target_project_id
+            body["target_org_id"] = target_project_id
         if target_environment:
-            body["target_environment"] = target_environment
+            body["target_env"] = target_environment
         return self._authority_mutation_body(
             body,
             idempotency_key=idempotency_key,
@@ -1035,9 +1035,9 @@ class WorkflowNamespace:
         if status:
             params.append(f"status={status}")
         if target_project_id:
-            params.append(f"target_project_id={target_project_id}")
+            params.append(f"target_org_id={target_project_id}")
         if target_environment:
-            params.append(f"target_environment={target_environment}")
+            params.append(f"target_env={target_environment}")
 
         result = await self._api(
             endpoint=f"/api/authority/runs?{'&'.join(params)}",
@@ -1114,9 +1114,9 @@ class WorkflowNamespace:
             if trigger_artifact:
                 body["trigger_artifact"] = trigger_artifact
             if target_project_id:
-                body["target_project_id"] = target_project_id
+                body["target_org_id"] = target_project_id
             if target_environment:
-                body["target_environment"] = target_environment
+                body["target_env"] = target_environment
             return await self._api(
                 endpoint=f"/api/authority/runs/{workflow_id}/nudge",
                 body=self._authority_mutation_body(
@@ -1202,9 +1202,9 @@ class WorkflowNamespace:
             if trigger_artifact:
                 body["trigger_artifact"] = trigger_artifact
             if target_project_id:
-                body["target_project_id"] = target_project_id
+                body["target_org_id"] = target_project_id
             if target_environment:
-                body["target_environment"] = target_environment
+                body["target_env"] = target_environment
             return await self._api(
                 endpoint=f"/api/authority/runs/{workflow_id}/retry",
                 body=self._authority_mutation_body(
@@ -1385,9 +1385,9 @@ class WorkflowNamespace:
         if self._is_authority_run_id(execution_id):
             body: Dict[str, Any] = {}
             if target_project_id:
-                body["target_project_id"] = target_project_id
+                body["target_org_id"] = target_project_id
             if target_environment:
-                body["target_environment"] = target_environment
+                body["target_env"] = target_environment
             return await self._api(
                 endpoint=f"/api/authority/runs/{execution_id}/cancel",
                 body=self._authority_mutation_body(

dominus/start.py

@@ -172,6 +172,12 @@ class Dominus:
         from .namespaces.authority import AuthorityNamespace
         self.authority = AuthorityNamespace(self)
 
+        # Thin operator control-plane namespaces (Mothership / MCP parity)
+        from .namespaces.deployer import DeployerNamespace
+        from .namespaces.warden import WardenNamespace
+        self.deployer = DeployerNamespace(self)
+        self.warden = WardenNamespace(self)
+
         # Cache for JWT public key
         self._public_key_cache = None
 
@@ -475,6 +481,131 @@ class Dominus:
 
         return result.get("data", {})
 
+    async def gateway_fetch(
+        self,
+        path: str,
+        *,
+        method: str = "GET",
+        body: Optional[Dict[str, Any]] = None,
+        headers: Optional[Dict[str, str]] = None,
+        timeout: float = 30.0,
+    ) -> Any:
+        """Gateway `/svc/*` fetch with mixed JSON/base64 wire handling.
+
+        Mirrors the Node SDK `DominusClient.gatewayFetch()` contract so Python
+        callers can use the same remaining operator control-plane surfaces.
+        """
+        await self._ensure_ready()
+        from .helpers.core import _ensure_valid_jwt
+        jwt = await _ensure_valid_jwt(_TOKEN, _BASE_URL)
+
+        path = path.strip()
+        if not path.startswith("/"):
+            path = f"/{path}"
+
+        is_base64 = (
+            "/svc/warden/secrets" in path
+            or "/svc/secrets/" in path
+            or "/svc/admin/" in path
+        )
+        decode_base64 = (
+            is_base64
+            or "/svc/database/" in path
+            or "/svc/sync/" in path
+            or "/svc/authority/" in path
+        )
+        is_get = method.upper() in {"GET", "HEAD"}
+
+        from .helpers.trace import get_current_trace_id, get_current_span_id
+
+        req_headers = {
+            "Authorization": f"Bearer {jwt}",
+            "X-Trace-Id": get_current_trace_id(),
+            "X-Parent-Span-Id": get_current_span_id(),
+        }
+        if headers:
+            req_headers.update(headers)
+
+        request_content = None
+        request_json = None
+        if not is_get and body is not None:
+            if is_base64:
+                req_headers["Content-Type"] = "text/plain"
+                request_content = base64.b64encode(json.dumps(body).encode()).decode()
+            else:
+                req_headers["Content-Type"] = "application/json"
+                request_json = body
+
+        try:
+            async with httpx.AsyncClient(base_url=_GATEWAY_URL, headers=req_headers, timeout=timeout) as client:
+                response = await client.request(
+                    method.upper(),
+                    path,
+                    content=request_content,
+                    json=request_json,
+                )
+        except httpx.TimeoutException as exc:
+            raise DominusTimeoutError("Request timed out", endpoint=path) from exc
+        except httpx.NetworkError as exc:
+            raise DominusConnectionError(f"Request failed: {exc}", endpoint=path) from exc
+
+        def _decode_error_payload(text: str) -> Dict[str, Any]:
+            if not text:
+                return {}
+            try:
+                from .helpers.core import _decode_json_or_b64_json
+
+                decoded = _decode_json_or_b64_json(text)
+                return decoded if isinstance(decoded, dict) else {"detail": decoded}
+            except Exception:
+                return {"detail": text}
+
+        if response.is_error:
+            error_payload = _decode_error_payload(response.text)
+            nested = error_payload.get("error")
+            nested_err: Dict[str, Any] = nested if isinstance(nested, dict) else {}
+            error_message = (
+                error_payload.get("message")
+                or (nested_err.get("message") if nested_err else None)
+                or (nested if isinstance(nested, str) else None)
+                or error_payload.get("error")
+                or error_payload.get("detail")
+                or f"HTTP {response.status_code}"
+            )
+            error_details = error_payload.get("details")
+            if not isinstance(error_details, dict):
+                error_details = {}
+            for src in (error_payload, nested_err):
+                for key in ("code", "category", "retryable", "trace_id", "request_id"):
+                    if key in src and key not in error_details:
+                        error_details[key] = src[key]
+            raise_for_status(response.status_code, str(error_message), error_details, path)
+
+        text = response.text.strip()
+        if not text:
+            return {}
+
+        if decode_base64:
+            decoded = base64.b64decode(text.encode("utf-8")).decode("utf-8")
+            result = json.loads(decoded)
+        else:
+            try:
+                result = json.loads(text)
+            except json.JSONDecodeError:
+                return text
+
+        if isinstance(result, dict) and result.get("success") is False:
+            error_msg = result.get("error") or result.get("message") or "Unknown error"
+            error_details = result.get("details")
+            if not isinstance(error_details, dict):
+                error_details = {}
+            for key in ("code", "category", "retryable", "trace_id", "request_id"):
+                if key in result:
+                    error_details[key] = result[key]
+            raise DominusError(str(error_msg), details=error_details, endpoint=path)
+
+        return result
+
     async def _stream_request(
         self,
         endpoint: str,

{dominus_sdk_python-3.0.2.dist-info → dominus_sdk_python-3.0.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dominus-sdk-python
-Version: 3.0.2
+Version: 3.0.4
 Summary: Python SDK for the Dominus gateway-first platform
 Author-email: CareBridge Systems <dev@carebridge.io>
 License: Proprietary
@@ -41,7 +41,7 @@ Async Python SDK for the Dominus gateway-first service plane.
 - Namespace-first API with a small root shortcut surface
 - Gateway-scoped client mode for MCP and other user-JWT sessions
 - Local helpers for JWT verification, trace propagation, retries, and console capture
-- Current package version: `3.0.2`
+- Current package version: `3.0.4`
 
 ## Install
 
@@ -95,6 +95,7 @@ JWT and selected scope headers directly through Gateway.
 
 ## Transport Model
 
+- Default HTTP targets are the production gateway (`https://gateway.getdominus.app`); they do not change based on your app’s git branch or PyPI package variant. Set `DOMINUS_GATEWAY_URL` (or `DOMINUS_BASE_URL` / `DOMINUS_JWT_URL`) only for local or custom routing.
 - `DOMINUS_TOKEN` is exchanged for a JWT through `POST /jwt/mint`
 - Service JWTs are cached for 14 minutes with a 60-second refresh window
 - Auth-required worker routes still send base64-encoded JSON bodies as `text/plain`
@@ -125,6 +126,8 @@ JWT and selected scope headers directly through Gateway.
 | `processor` | Processor | Batch and single-job processing |
 | `sync` | Sync Worker | KV synchronization |
 | `authority` | Dominus Authority | Runs, companies, deploys, managed clients, context |
+| `deployer` | Deployer | Thin operator control-plane request surface |
+| `warden` | Warden | Thin operator control-plane request surface |
 | `fastapi` | Local decorators | `@jwt`, `@psk`, `@scopes(...)` |
 
 ## Root Shortcuts

{dominus_sdk_python-3.0.2.dist-info → dominus_sdk_python-3.0.4.dist-info}/RECORD

@@ -1,8 +1,8 @@
-dominus/__init__.py,sha256=krEGWdgI_zBFT-v0wW_k-L7OfACx0bjnpLOzGpZZm9o,6778
+dominus/__init__.py,sha256=iUwZcODXPT-6xyyB6izXFLvhfhZzlsKoLIbfVhpMhDE,6924
 dominus/errors.py,sha256=NthcR-o1Q1nQsE3ZSHStcW_RdZ8LQ06mPDSenY1txgM,8547
-dominus/start.py,sha256=wegzHQJKKLiKdNJ4t1TaY02X1h5Tw9L2PcN8TwHg-Bs,43541
+dominus/start.py,sha256=bmnIXJEYw5uEQGkwEVV2iiR_B07GhbQEiLMLIlyjsZc,48694
 dominus/config/__init__.py,sha256=nvLLNh4dM_MCqcfF3XFS2NnVn44q0RYHEfAPP-2G5To,434
-dominus/config/endpoints.py,sha256=U9ry8yHobLHlQ_uq0hNIMiX9mlt2gghCAMzeLnWxeH4,3970
+dominus/config/endpoints.py,sha256=IFioVY3jQ5Mqy65L6rNbEXyPUfYTaXRQkfyGdKv33A8,4140
 dominus/helpers/__init__.py,sha256=cyoBvw1QJugtGt0gYitIz1yxOaMmBa-wMXqbh-fi4PU,61
 dominus/helpers/auth.py,sha256=IVZLelikaGIAZvyc-q7EoPd8fBNVlGffGXQkTP4x5Fk,633
 dominus/helpers/cache.py,sha256=L8eW2JC_EHiO48eJ4SMcIF2SR22Xp9htK0PRZxamfKs,5947
@@ -11,15 +11,16 @@ dominus/helpers/core.py,sha256=l3pCXFIYo6LH3Ef6qY3LcZtqEI6DZ_bqc_0QebrVfSg,38115
 dominus/helpers/crypto.py,sha256=R1yZittVykTQzGVJdb_uMQuF3Y1uGuQRJHZ1BTWT9lU,3014
 dominus/helpers/sse.py,sha256=eZspL8CEIShU9hLzfT3tvRYDxBDkmtLP1RChnAfrvHY,3886
 dominus/helpers/trace.py,sha256=i0dRYR4Y46LAnQr0Cm5htbyZ0VA4UQCLMx-q2CQQXSc,2686
-dominus/namespaces/__init__.py,sha256=J7wc2LuUQwdbo464xRWlT66fzLo3vmaCbBQULoKmgVQ,1246
+dominus/namespaces/__init__.py,sha256=Y26ac5kwZaJvZ3EqWPyZH5470Vei_kIYuTUWjZFYTlg,1370
 dominus/namespaces/admin.py,sha256=qkGoteAJ6cqdNub4zL1mtyxAQtsM3-nUplRSgw2fMZY,1640
 dominus/namespaces/ai.py,sha256=Kr_eY-SkEfC-b1fhVVv40pXn_GHkxRzMGD47WoTgu9M,48555
 dominus/namespaces/artifacts.py,sha256=MgjkjSmUP_5XGTAFU2UQ1VU3Vju3kVuvDqxChosP2J0,22246
 dominus/namespaces/auth.py,sha256=aCsdLxLTRlZPi8wy0HDxstYtXjbW6W1y-n5TxQ-mCDg,67510
-dominus/namespaces/authority.py,sha256=eicstU5TGC7VE2f0QTn-OU97OwIwQCVkaBsi_X_-V6Y,42950
+dominus/namespaces/authority.py,sha256=P0FIG4SMoGHHdxO7gwejozLElublIvHlsa4suTSp4UQ,50954
 dominus/namespaces/courier.py,sha256=7ZuwTWzVGBPTnqPV1VqPdme6PkPyhQOddwaI1wxrlE8,8324
-dominus/namespaces/db.py,sha256=Nywnx7M8r8MC6bodbLuBL7E8msWaDmHjUxM-NcLNKGY,15181
+dominus/namespaces/db.py,sha256=dv4IZACziub7OE8i_4q_Z31uVYJglE12TFkFIbFnYjw,15157
 dominus/namespaces/ddl.py,sha256=NTpd3V3595qcBheUZfFq4tQiAZsyYH9O8GR9OZ_czK8,25844
+dominus/namespaces/deployer.py,sha256=HbaCgfB_uunHEZxKcjh-XKzIWiOS2F0Y_KMpgiaUu7w,1159
 dominus/namespaces/fastapi.py,sha256=AZOjUIJ5tznJVLkpctNa606XRTv5IEkjvrINEHgkeuE,8745
 dominus/namespaces/files.py,sha256=ueBMv7Wa8wCDUmF-A_JgXKdXHxIZx-sjUfYIUzWCEbI,13720
 dominus/namespaces/health.py,sha256=sa2A7JdCk0pEq9VqRiwEAXEBbtWUz7QXaA6zS531BUo,1377
@@ -28,12 +29,13 @@ dominus/namespaces/logs.py,sha256=8EtUBChdKii34wUYID9YUEtujUBJypPSVjKlYKZbv0A,14
 dominus/namespaces/portal.py,sha256=vf0Vu_12yS4_fto7sVCau5vQtghml7Wh7J2-XJnO2zA,15595
 dominus/namespaces/processor.py,sha256=gk-vvWfBTU9LkV34OaB4VdftArhTE67tfhlUtY0YglI,2678
 dominus/namespaces/redis.py,sha256=RWIaL9X9srVUJ1hxEX_i6SAJKeA0P2nLdohSMRlScZg,12335
-dominus/namespaces/secrets.py,sha256=55hqV-ioXfjHbnBFIA6U27Bu8YvPGgx9EKRXkBZWYD8,6243
+dominus/namespaces/secrets.py,sha256=od8AKgENwW6U-kVfIX3DSphXKeJA6XC-SxbGqsxhhUk,6253
 dominus/namespaces/secure.py,sha256=9idGY5R6k7b-JM1SAF_1Gt-YV5OempyxFBflgLJieLo,7168
-dominus/namespaces/sync.py,sha256=4W11ehCfIaqH8PzkQEi_or6lCdr7CYLZAemmlUIYYEk,2226
-dominus/namespaces/workflow.py,sha256=QE7zy6IplEGOi4ztHtWOBCncYtXXRnWW8TsKc0j4rAE,47264
+dominus/namespaces/sync.py,sha256=mGwMNwc_iWoKgS94n1staPdsKBHNvliMG7omokl7Qmk,2198
+dominus/namespaces/warden.py,sha256=ebbCeBJJwK9uALEj2aDbvWJ5HTlOXOpXJOwzokH1cso,1139
+dominus/namespaces/workflow.py,sha256=1LMzlYoVImtdpnuenJDtpx7dB2wdNVE3tSBFn-ZAyJA,47204
 dominus/services/__init__.py,sha256=LQl5sx6DHhX1xCN3MRoUgffxqwm3Mfm525hijyFods8,43
-dominus_sdk_python-3.0.2.dist-info/METADATA,sha256=_EhVtGqMyj7sSZMHSBL3SSv8TT-ucexOsj2bWGRHU2o,5560
-dominus_sdk_python-3.0.2.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
-dominus_sdk_python-3.0.2.dist-info/top_level.txt,sha256=515zxMIbX0DpheRbjvNqKIt_AFqdFjX41jtyp_SqLf4,8
-dominus_sdk_python-3.0.2.dist-info/RECORD,,
+dominus_sdk_python-3.0.4.dist-info/METADATA,sha256=YqcpYKHa6yIDbVquZoaUlaILlULRMl_66UBBLuJ3jRc,5967
+dominus_sdk_python-3.0.4.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+dominus_sdk_python-3.0.4.dist-info/top_level.txt,sha256=515zxMIbX0DpheRbjvNqKIt_AFqdFjX41jtyp_SqLf4,8
+dominus_sdk_python-3.0.4.dist-info/RECORD,,