generic-ml-cache-cli 0.4.0__tar.gz → 0.6.0__tar.gz

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: generic-ml-cache-cli
-Version: 0.4.0
+Version: 0.6.0
 Summary: Terminal UI for generic-ml-cache: the gmlcache command. A thin inbound driver over generic-ml-cache-core -- reads config, provides the data source, maps commands onto the core library.
 Project-URL: Homepage, https://github.com/danielslobozian/generic-ml-cache
 Project-URL: Repository, https://github.com/danielslobozian/generic-ml-cache
@@ -24,7 +24,7 @@ Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Utilities
 Requires-Python: >=3.9
 Requires-Dist: argcomplete<4,>=3
-Requires-Dist: generic-ml-cache-core>=0.4.0
+Requires-Dist: generic-ml-cache-core>=0.6.0
 Provides-Extra: dev
 Requires-Dist: coverage>=7; extra == 'dev'
 Requires-Dist: pytest-cov; extra == 'dev'
@@ -33,7 +33,12 @@ Requires-Dist: ruff>=0.15; extra == 'dev'
 Requires-Dist: vulture>=2; extra == 'dev'
 Description-Content-Type: text/markdown
 
-# gmlcache
+<p align="center">
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/danielslobozian/generic-ml-cache/main/docs/images/gmlcache-lockup-dark.png">
+  <img src="https://raw.githubusercontent.com/danielslobozian/generic-ml-cache/main/docs/images/gmlcache-lockup.png" alt="gmlcache" width="300">
+</picture>
+</p>
 
 #### Detached ML Execution Cache — the terminal client
 
@@ -43,6 +48,11 @@ Description-Content-Type: text/markdown
 `gmlcache` runs, records, and replays detached ML workloads — record a real client (or
 API) call once, replay it forever by its content key, offline and byte-for-byte.
 
+> **Single-user, local — not a gateway.** gmlcache runs on your machine, as you, across the
+> subscriptions and APIs you already hold. It is **not** a multi-user router and **not** a way
+> to share one subscription — see
+> [Positioning](https://github.com/danielslobozian/generic-ml-cache/blob/main/docs/design/positioning.md).
+
 <p align="center">
 <img src="https://raw.githubusercontent.com/danielslobozian/generic-ml-cache/main/docs/images/gmlcache-demo.gif" alt="gmlcache: a miss records the real client call; the same command again is served instantly from cache, byte-identical" width="760">
 </p>
@@ -80,7 +90,7 @@ gmlcache doctor | models | status | init                     # environment & con
 `gmlcache` is the terminal client — one inbound driver over the engine. The whole cache
 logic and every adapter live in
 [`generic-ml-cache-core`](https://github.com/danielslobozian/generic-ml-cache/tree/main/packages/core),
-a **stateless, dependency-free** library. To embed the cache in your own application
+a **stateless** library. To embed the cache in your own application
 instead of driving it from a terminal, depend on the core and inject your own data
 source — you never reimplement the adapters.
 

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.6.0}/README.md

@@ -1,4 +1,9 @@
-# gmlcache
+<p align="center">
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/danielslobozian/generic-ml-cache/main/docs/images/gmlcache-lockup-dark.png">
+  <img src="https://raw.githubusercontent.com/danielslobozian/generic-ml-cache/main/docs/images/gmlcache-lockup.png" alt="gmlcache" width="300">
+</picture>
+</p>
 
 #### Detached ML Execution Cache — the terminal client
 
@@ -8,6 +13,11 @@
 `gmlcache` runs, records, and replays detached ML workloads — record a real client (or
 API) call once, replay it forever by its content key, offline and byte-for-byte.
 
+> **Single-user, local — not a gateway.** gmlcache runs on your machine, as you, across the
+> subscriptions and APIs you already hold. It is **not** a multi-user router and **not** a way
+> to share one subscription — see
+> [Positioning](https://github.com/danielslobozian/generic-ml-cache/blob/main/docs/design/positioning.md).
+
 <p align="center">
 <img src="https://raw.githubusercontent.com/danielslobozian/generic-ml-cache/main/docs/images/gmlcache-demo.gif" alt="gmlcache: a miss records the real client call; the same command again is served instantly from cache, byte-identical" width="760">
 </p>
@@ -45,7 +55,7 @@ gmlcache doctor | models | status | init                     # environment & con
 `gmlcache` is the terminal client — one inbound driver over the engine. The whole cache
 logic and every adapter live in
 [`generic-ml-cache-core`](https://github.com/danielslobozian/generic-ml-cache/tree/main/packages/core),
-a **stateless, dependency-free** library. To embed the cache in your own application
+a **stateless** library. To embed the cache in your own application
 instead of driving it from a terminal, depend on the core and inject your own data
 source — you never reimplement the adapters.
 

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.6.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "generic-ml-cache-cli"
-version = "0.4.0"
+version = "0.6.0"
 description = "Terminal UI for generic-ml-cache: the gmlcache command. A thin inbound driver over generic-ml-cache-core -- reads config, provides the data source, maps commands onto the core library."
 readme = "README.md"
 requires-python = ">=3.9"
@@ -25,7 +25,7 @@ classifiers = [
   "Programming Language :: Python :: 3.13",
   "Topic :: Utilities",
 ]
-dependencies = ["generic-ml-cache-core>=0.4.0", "argcomplete>=3,<4"]
+dependencies = ["generic-ml-cache-core>=0.6.0", "argcomplete>=3,<4"]
 
 [project.urls]
 Homepage = "https://github.com/danielslobozian/generic-ml-cache"

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.6.0}/src/generic_ml_cache_cli/cli.py

@@ -31,6 +31,11 @@ except ImportError:  # completion is a convenience; never let its absence break
     argcomplete = None
 
 from generic_ml_cache_core.adapter.inbound.composition import build_use_cases
+from generic_ml_cache_core.adapter.out.crypto.filesystem_encryption_manifest_store import (
+    FilesystemEncryptionManifestStore,
+)
+from generic_ml_cache_core.adapter.out.crypto.store_encryptor import StoreEncryptor
+from generic_ml_cache_core.adapter.out.persistence.sqlite_store_lock import SqliteStoreLock
 from generic_ml_cache_core.adapter.out.client.registry import registered_names
 from generic_ml_cache_core.application.domain.model.execution.artifact import (
     INPUT_ARTIFACT_TYPES,
@@ -44,7 +49,16 @@ from generic_ml_cache_core.application.port.inbound.run_managed_local_execution_
     RunManagedLocalExecutionCommand,
 )
 from generic_ml_cache_core.application.port.out.base import ClientAdapter
-from generic_ml_cache_core.common.errors import CacheError, CacheMiss, ConfigError, RunInterrupted
+from generic_ml_cache_core.common.errors import (
+    CacheError,
+    CacheMiss,
+    ConfigError,
+    EncryptionStateError,
+    EncryptionTokenRequired,
+    RunInterrupted,
+    StoreLocked,
+    WrongEncryptionToken,
+)
 
 from . import __version__, config
 
@@ -181,14 +195,15 @@ def _cmd_run(args: argparse.Namespace) -> int:
         persistence_depth=persistence_depth,
         record_on_error=args.record_on_error,
         tags=list(getattr(args, "tag", None) or []),
+        session_id=_resolve_session(args),
     )
 
     def executable_override(client: str):
         return config.executable_for(file_cfg, client, flag=args.executable)
 
-    wired = build_use_cases(store_root, executable_override, timeout)
-
+    token = _resolve_token(args)
     try:
+        wired = build_use_cases(store_root, executable_override, timeout, encryption_token=token)
         execution = wired.run_managed.execute(command)
     except RunInterrupted as exc:
         # A requested stop, not a failure: nothing was recorded. Exit 130 is the
@@ -206,6 +221,9 @@ def _cmd_run(args: argparse.Namespace) -> int:
     except CacheMiss as exc:
         print(f"gmlc: {exc}", file=sys.stderr)
         return 3
+    except (EncryptionTokenRequired, WrongEncryptionToken) as exc:
+        print(f"gmlc: {exc} (set --token or GMLCACHE_TOKEN)", file=sys.stderr)
+        return 4
     except CacheError as exc:
         print(f"gmlc: {exc}", file=sys.stderr)
         return 4
@@ -428,6 +446,7 @@ def _cmd_status(args: argparse.Namespace) -> int:
 
     path = config.resolve_config_path()
     loaded = file_cfg.source is not None
+    encryption = FilesystemEncryptionManifestStore(Path(str(settings["store"][0]))).state().value
 
     if args.json:
         import json
@@ -437,6 +456,7 @@ def _cmd_status(args: argparse.Namespace) -> int:
                 {
                     "config_file": str(path),
                     "loaded": loaded,
+                    "encryption": encryption,
                     "settings": {k: {"value": v[0], "source": v[1]} for k, v in settings.items()},
                     "executables": dict(file_cfg.executables),
                 },
@@ -446,6 +466,7 @@ def _cmd_status(args: argparse.Namespace) -> int:
         return 0
 
     print(f"config file : {path}  ({'loaded' if loaded else 'not present'})")
+    print(f"encryption  : {encryption}")
     print("effective settings (no run flags applied):")
     for key in ("mode", "persist", "store", "timeout", "trust_scan", "max_size"):
         value, source = settings[key]
@@ -702,24 +723,30 @@ def _cmd_export(args: argparse.Namespace) -> int:
         print(f"gmlc: {exc}", file=sys.stderr)
         return 4
 
-    wired = build_use_cases(Path(str(settings["store"][0])))
     include = set(getattr(args, "tag", None) or [])
     exclude = set(getattr(args, "exclude_tag", None) or [])
 
     lines = []
     skipped_no_input = 0
-    for summary in wired.repository.current_execution_summaries():
-        tags = wired.repository.tags_for(summary.execution_key)
-        if include and not include & set(tags):
-            continue
-        if exclude and exclude & set(tags):
-            continue
-        execution = wired.repository.find_current(summary.execution_key)
-        # Only DATASET-depth entries carry the input side of the corpus.
-        if execution is None or not execution.input_persisted:
-            skipped_no_input += 1
-            continue
-        lines.append(json.dumps(_export_record(summary, execution, tags, wired.blob_store)))
+    try:
+        wired = build_use_cases(
+            Path(str(settings["store"][0])), encryption_token=_resolve_token(args)
+        )
+        for summary in wired.repository.current_execution_summaries():
+            tags = wired.repository.tags_for(summary.execution_key)
+            if include and not include & set(tags):
+                continue
+            if exclude and exclude & set(tags):
+                continue
+            execution = wired.repository.find_current(summary.execution_key)
+            # Only DATASET-depth entries carry the input side of the corpus.
+            if execution is None or not execution.input_persisted:
+                skipped_no_input += 1
+                continue
+            lines.append(json.dumps(_export_record(summary, execution, tags, wired.blob_store)))
+    except (EncryptionTokenRequired, WrongEncryptionToken) as exc:
+        print(f"gmlc: {exc} (set --token or GMLCACHE_TOKEN)", file=sys.stderr)
+        return 4
 
     if args.output:
         Path(args.output).write_text("".join(line + "\n" for line in lines), encoding="utf-8")
@@ -738,6 +765,184 @@ def _cmd_export(args: argparse.Namespace) -> int:
     return 0
 
 
+# -- encryption -------------------------------------------------------------
+
+
+def _resolve_token(args: argparse.Namespace) -> Optional[str]:
+    """The encryption token for this call: the --token flag, else GMLCACHE_TOKEN.
+    A token is a secret, so it is never read from the config file."""
+    flag = getattr(args, "token", None)
+    return flag if flag else (os.environ.get("GMLCACHE_TOKEN") or None)
+
+
+def _load_cipher():
+    """Build the cipher, with a friendly error if the optional extra is missing."""
+    try:
+        from generic_ml_cache_core.adapter.out.crypto.aesgcm_cipher import AesGcmCipher
+    except ImportError as exc:  # pragma: no cover - exercised only without the extra
+        raise SystemExit(
+            "error: encryption needs an optional dependency — install with "
+            '`pip install "generic-ml-cache-core[encryption]"`'
+        ) from exc
+    return AesGcmCipher()
+
+
+def _store_encryptor(store_root: Path, cipher=None) -> StoreEncryptor:
+    return StoreEncryptor(
+        store_root,
+        FilesystemEncryptionManifestStore(store_root),
+        SqliteStoreLock(store_root),
+        cipher,
+    )
+
+
+def _store_root() -> Optional[Path]:
+    try:
+        return Path(str(config.resolve_settings(config.load())["store"][0]))
+    except ConfigError as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return None
+
+
+def _cmd_encrypt(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    cipher = _load_cipher()
+    token = cipher.generate_token()
+    try:
+        _store_encryptor(store_root, cipher).enable(token)
+    except (EncryptionStateError, StoreLocked) as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("encryption enabled. Save this token — it is shown once and cannot be recovered:")
+    print(f"\n    {token}\n")
+    print("Pass it with --token or GMLCACHE_TOKEN to read or write this store.")
+    return 0
+
+
+def _cmd_decrypt(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    token = _resolve_token(args)
+    if not token:
+        print("gmlc: provide the token with --token or GMLCACHE_TOKEN", file=sys.stderr)
+        return 4
+    try:
+        _store_encryptor(store_root, _load_cipher()).disable(token)
+    except (WrongEncryptionToken, EncryptionStateError, StoreLocked) as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("encryption disabled. The store is now public; no token is needed.")
+    return 0
+
+
+def _cmd_rotate(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    old_token = _resolve_token(args)
+    if not old_token:
+        print("gmlc: provide the current token with --token or GMLCACHE_TOKEN", file=sys.stderr)
+        return 4
+    cipher = _load_cipher()
+    new_token = cipher.generate_token()
+    try:
+        _store_encryptor(store_root, cipher).rotate(old_token, new_token)
+    except (WrongEncryptionToken, EncryptionStateError, StoreLocked) as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("token rotated. Save the new token — it is shown once:")
+    print(f"\n    {new_token}\n")
+    return 0
+
+
+def _cmd_invalidate(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    if not args.yes:
+        print(
+            "gmlc: this permanently wipes the cache (crypto-shred) and cannot be undone. "
+            "Re-run with --yes to confirm.",
+            file=sys.stderr,
+        )
+        return 4
+    try:
+        _store_encryptor(store_root).invalidate()  # no token needed
+    except StoreLocked as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("store invalidated: the cache was wiped and is now empty and public.")
+    return 0
+
+
+# -- sessions ---------------------------------------------------------------
+
+
+def _resolve_session(args: argparse.Namespace) -> Optional[str]:
+    """The session id for this run: the --session flag, else GMLCACHE_SESSION. A session
+    groups a workflow's calls; it is journal metadata, never part of the cache key."""
+    flag = getattr(args, "session", None)
+    return flag if flag else (os.environ.get("GMLCACHE_SESSION") or None)
+
+
+def _cmd_session_start(args: argparse.Namespace) -> int:
+    import secrets
+
+    # Print only the id, so it is scriptable: SESSION=$(gmlcache session start)
+    print(secrets.token_hex(8))
+    return 0
+
+
+#: events where a real client call ran (vs. HIT, which replayed, or an offline MISS).
+_EXECUTED_EVENTS = {"record", "run", "would_hit", "would_miss"}
+
+
+def _cmd_session_report(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    counts = build_use_cases(store_root).metrics.session_event_counts(args.session_id)
+    invocations = sum(counts.values())
+    executions = sum(n for event, n in counts.items() if event in _EXECUTED_EVENTS)
+    hits = counts.get("hit", 0)
+
+    if args.json:
+        import json
+
+        print(
+            json.dumps(
+                {
+                    "session": args.session_id,
+                    "invocations": invocations,
+                    "executions": executions,
+                    "hits": hits,
+                    "events": counts,
+                },
+                indent=2,
+            )
+        )
+        return 0
+
+    if invocations == 0:
+        print(f"no events recorded for session {args.session_id!r}")
+        return 0
+    print(f"session     : {args.session_id}")
+    print(f"invocations : {invocations}")
+    print(f"executions  : {executions}  (real client calls)")
+    print(f"hits        : {hits}  (served from cache)")
+    breakdown = ", ".join(f"{event}={counts[event]}" for event in sorted(counts))
+    print(f"events      : {breakdown}")
+    return 0
+
+
+def _cmd_session(args: argparse.Namespace) -> int:
+    print("usage: gmlcache session start | gmlcache session report <id>", file=sys.stderr)
+    return 2
+
+
 def _use_color() -> bool:
     """Colour only when writing to a real terminal and NO_COLOR is unset, so piped
     or redirected output never carries escape codes (the conventional contract)."""
@@ -765,34 +970,48 @@ def _paint(text: str, *codes: str) -> str:
 
 
 def render_banner(color: bool = False) -> str:
-    """The boxed gmlcache banner. Width is derived from the content, so any version
-    string or tagline stays aligned. ``color`` adds teal ANSI; off yields plain text."""
+    """The boxed gmlcache banner: the cache mark (four hollow bars; the top one is
+    the accent 'hit') beside the title, version, and tagline. Width is derived from
+    the content so everything stays aligned. ``color`` adds ANSI; off yields plain."""
     title = "gmlcache"
     ver = __version__
-    tag = "record · replay · check · tokens"
+    tag = "record · replay · check · sessions · encryption"
+
+    # The mark: four hollow bars -- thin walls (▏ ▕) around a double-line body (═),
+    # widths echoing the logo. The first bar is the accent ("hit"); the rest are dim.
+    bars = ["▏" + "═" * n + "▕" for n in (11, 7, 10, 5)]
+    bar_w = max(len(b) for b in bars)
 
     if color:
-        rule = _TEAL  # teal box
-        name = _BOLD  # bold title
-        vers = _TEAL_BRIGHT  # bright-teal version
-        sub = _GREY  # dim-grey tagline
-        off = _RESET
+        rule, name, vers, sub, off = _TEAL, _BOLD, _TEAL_BRIGHT, _GREY, _RESET
+        bar_colors = [_GREEN, _GREY, _GREY, _GREY]
     else:
         rule = name = vers = sub = off = ""
+        bar_colors = ["", "", "", ""]
 
+    left_pad, gap = "  ", "  "
+    texts = ["", tag, "", ""]  # the tagline sits on the second bar row
+
+    body_w = max(len(left_pad) + bar_w + len(gap) + len(t) for t in texts)
     left_top = f"─ {title} "
     right_top = f" {ver} ─"
-    inner = max(len(left_top) + 6 + len(right_top), len(tag) + 4)
+    inner = max(len(left_top) + 6 + len(right_top), body_w + 1)
     top_dashes = inner - len(left_top) - len(right_top)
-    pad_right = inner - 2 - len(tag)
 
     top = (
         f"{rule}┌─ {off}{name}{title}{off}"
         f"{rule} {'─' * top_dashes} {off}{vers}{ver}{off}{rule} ─┐{off}"
     )
-    mid = f"{rule}│{off}  {sub}{tag}{off}{' ' * pad_right}{rule}│{off}"
+    rows = []
+    for bar, bar_color, text in zip(bars, bar_colors, texts):
+        bar_cell = f"{bar_color}{bar}{off}" + " " * (bar_w - len(bar))
+        used = len(left_pad) + bar_w + len(gap) + len(text)
+        rows.append(
+            f"{rule}│{off}{left_pad}{bar_cell}{gap}{sub}{text}{off}"
+            f"{' ' * (inner - used)}{rule}│{off}"
+        )
     bot = f"{rule}└{'─' * inner}┘{off}"
-    return "\n".join([top, mid, bot])
+    return "\n".join([top, *rows, bot])
 
 
 class _BannerParser(argparse.ArgumentParser):
@@ -914,6 +1133,12 @@ def build_parser() -> argparse.ArgumentParser:
         help="also cache a call that fails (non-zero exit); default is to store only successes",
     )
     run.add_argument("--executable", help="override the client executable (the seam)")
+    run.add_argument(
+        "--token", help="encryption token for an encrypted store (or set GMLCACHE_TOKEN)"
+    )
+    run.add_argument(
+        "--session", help="group this run under a session id (or set GMLCACHE_SESSION)"
+    )
     run.add_argument(
         "--timeout", type=float, default=None, help="seconds before the real call is killed"
     )
@@ -1071,8 +1296,45 @@ def build_parser() -> argparse.ArgumentParser:
         metavar="FILE",
         help="write JSONL to FILE instead of stdout (a per-record summary still goes to stderr)",
     )
+    exportp.add_argument(
+        "--token", help="encryption token if the store is encrypted (or set GMLCACHE_TOKEN)"
+    )
     exportp.set_defaults(func=_cmd_export)
 
+    encryptp = sub.add_parser(
+        "encrypt", help="enable at-rest encryption of the store (generates and shows a token)"
+    )
+    encryptp.set_defaults(func=_cmd_encrypt)
+
+    decryptp = sub.add_parser(
+        "decrypt", help="disable encryption (decrypts the store back to plaintext; needs the token)"
+    )
+    decryptp.add_argument("--token", help="the encryption token (or set GMLCACHE_TOKEN)")
+    decryptp.set_defaults(func=_cmd_decrypt)
+
+    rotatep = sub.add_parser(
+        "rotate", help="rotate the encryption token (needs the current token; shows the new one)"
+    )
+    rotatep.add_argument("--token", help="the current encryption token (or set GMLCACHE_TOKEN)")
+    rotatep.set_defaults(func=_cmd_rotate)
+
+    invalidatep = sub.add_parser(
+        "invalidate",
+        help="wipe the cache (crypto-shred) — the escape when the token is lost. Needs --yes.",
+    )
+    invalidatep.add_argument("--yes", action="store_true", help="confirm the irreversible wipe")
+    invalidatep.set_defaults(func=_cmd_invalidate)
+
+    session = sub.add_parser("session", help="group a workflow's runs under a session id")
+    session_sub = session.add_subparsers(dest="session_command")
+    session_start = session_sub.add_parser("start", help="generate a new session id and print it")
+    session_start.set_defaults(func=_cmd_session_start)
+    session_report = session_sub.add_parser("report", help="summarise a session's activity")
+    session_report.add_argument("session_id", help="the session id to report on")
+    session_report.add_argument("--json", action="store_true", help="emit machine-readable JSON")
+    session_report.set_defaults(func=_cmd_session_report)
+    session.set_defaults(func=_cmd_session)
+
     init = sub.add_parser(
         "init",
         help="create the config file in the default location (if absent), then show the store",

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.6.0}/src/generic_ml_cache_cli/config.py

@@ -13,9 +13,8 @@ Three rules keep this predictable:
   config file, the built-in default. The ``store`` location is the exception -- config file or
   built-in default only, with **no flag and no environment** -- because where the
   stored executions live is the cache's own concern, not a per-call knob.
-* **Zero dependencies.** The format is INI (stdlib :mod:`configparser`) and the
-  per-user location is resolved inline, so nothing beyond the standard library is
-  needed on any supported Python.
+* **Plain INI.** The format is INI (stdlib :mod:`configparser`) and the per-user
+  location is resolved inline.
 
 Location (override everything with ``GMLCACHE_CONFIG=/path/to/file``):
 

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.6.0}/tests/conftest.py

@@ -118,7 +118,13 @@ def _isolate_config(monkeypatch, tmp_path):
     monkeypatch.setenv("GMLCACHE_CONFIG", str(tmp_path / "no-such-config.ini"))
     monkeypatch.setenv("XDG_DATA_HOME", str(tmp_path / "xdg-data"))
     monkeypatch.setenv("LOCALAPPDATA", str(tmp_path / "localappdata"))
-    for var in ("GMLCACHE_MODE", "GMLCACHE_PERSIST", "GMLCACHE_TIMEOUT"):
+    for var in (
+        "GMLCACHE_MODE",
+        "GMLCACHE_PERSIST",
+        "GMLCACHE_TIMEOUT",
+        "GMLCACHE_TOKEN",
+        "GMLCACHE_SESSION",
+    ):
         monkeypatch.delenv(var, raising=False)
 
 

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.6.0}/tests/test_cli.py

@@ -134,8 +134,11 @@ def test_run_rejects_retired_location_flags(tmp_path):
 def test_render_banner_lines_align():
     from generic_ml_cache_cli.cli import render_banner
 
-    widths = {len(line) for line in render_banner(color=False).splitlines()}
-    assert len(widths) == 1  # all three box lines are the same width
+    lines = render_banner(color=False).splitlines()
+    widths = {len(line) for line in lines}
+    assert len(widths) == 1  # every box line (top, four mark rows, bottom) is one width
+    assert len(lines) == 6  # the mark adds four bar rows inside the box
+    assert "═" in render_banner(color=False)  # the hollow mark renders
 
 
 def test_render_banner_color_is_opt_in():
@@ -162,7 +165,7 @@ def test_bare_invocation_prints_help_not_an_error(capsys):
     out = capsys.readouterr().out
     assert rc == 0
     assert "gmlcache" in out
-    assert "record · replay · check · tokens" in out
+    assert "record · replay · check · sessions · encryption" in out
     assert "usage:" in out
 
 
@@ -176,7 +179,7 @@ def test_help_flag_shows_the_banner(capsys):
     with pytest.raises(SystemExit) as excinfo:
         main(["-h"])
     assert excinfo.value.code == 0
-    assert "record · replay · check · tokens" in capsys.readouterr().out
+    assert "record · replay · check · sessions · encryption" in capsys.readouterr().out
 
 
 # --- list (grouped by client/model) ---------------------------------------

generic_ml_cache_cli-0.6.0/tests/test_encrypted_run.py

@@ -0,0 +1,91 @@
+# SPDX-FileCopyrightText: 2026 Daniel Slobozian
+# SPDX-License-Identifier: Apache-2.0
+"""End-to-end: a managed run against an encrypted store (via build_use_cases)."""
+
+from __future__ import annotations
+
+import pytest
+
+pytest.importorskip("cryptography")
+
+from generic_ml_cache_core.adapter.inbound.composition import build_use_cases  # noqa: E402
+from generic_ml_cache_core.adapter.out.crypto.aesgcm_cipher import AesGcmCipher  # noqa: E402
+from generic_ml_cache_core.adapter.out.crypto.filesystem_encryption_manifest_store import (  # noqa: E402
+    FilesystemEncryptionManifestStore,
+)
+from generic_ml_cache_core.application.domain.model.execution.artifact import (  # noqa: E402
+    ArtifactType,
+)
+from generic_ml_cache_core.application.domain.model.execution.execution_state import (  # noqa: E402
+    ExecutionState,
+)
+from generic_ml_cache_core.application.port.inbound.run_managed_local_execution_command import (  # noqa: E402
+    RunManagedLocalExecutionCommand,
+)
+from generic_ml_cache_core.common.errors import (  # noqa: E402
+    EncryptionTokenRequired,
+    WrongEncryptionToken,
+)
+
+_MARKER = "ENCRYPTME-distinctive-123"
+
+
+def _encrypt_store(store_root, token):
+    manifest, _ = AesGcmCipher().create_envelope(token)
+    FilesystemEncryptionManifestStore(store_root).save(manifest)
+
+
+def _command():
+    return RunManagedLocalExecutionCommand(
+        client="fake", model="m1", effort="high", context="", prompt=f"STDOUT {_MARKER}"
+    )
+
+
+def _blob_bytes(store_root):
+    return b"".join(p.read_bytes() for p in (store_root / "blobs").rglob("*") if p.is_file())
+
+
+def test_encrypted_run_stores_ciphertext_and_replays_with_token(tmp_path):
+    store = tmp_path / "store"
+    token = AesGcmCipher().generate_token()
+    _encrypt_store(store, token)
+
+    execution = build_use_cases(store, encryption_token=token).run_managed.execute(_command())
+    assert execution.execution_state is ExecutionState.SUCCESS
+
+    # the marker must NOT appear in the persisted blobs — they are ciphertext
+    assert _MARKER.encode() not in _blob_bytes(store)
+
+    # replay (a cache hit) with the token decrypts the output correctly
+    served = build_use_cases(store, encryption_token=token).run_managed.execute(_command())
+    stdout = next(a.content for a in served.artifacts if a.artifact_type is ArtifactType.STDOUT)
+    assert _MARKER.encode() in stdout
+
+
+def test_public_store_keeps_plaintext_and_ignores_a_token(tmp_path):
+    store = tmp_path / "store"  # no manifest -> public
+    execution = build_use_cases(store, encryption_token="ignored").run_managed.execute(_command())
+    assert execution.execution_state is ExecutionState.SUCCESS
+    assert _MARKER.encode() in _blob_bytes(store)  # plaintext on disk
+
+
+def test_encrypted_store_without_token_blocks_content_but_not_metadata(tmp_path):
+    store = tmp_path / "store"
+    token = AesGcmCipher().generate_token()
+    _encrypt_store(store, token)
+    recorded = build_use_cases(store, encryption_token=token).run_managed.execute(_command())
+    key = recorded.call_identity.generate_key()
+
+    wired = build_use_cases(store)  # no token
+    # metadata is still readable (it is not encrypted) ...
+    assert wired.repository.find_current(key) is not None
+    # ... but serving the hit must hydrate the blob, which needs the token.
+    with pytest.raises(EncryptionTokenRequired):
+        wired.run_managed.execute(_command())
+
+
+def test_wrong_token_is_rejected_when_opening_the_store(tmp_path):
+    store = tmp_path / "store"
+    _encrypt_store(store, AesGcmCipher().generate_token())
+    with pytest.raises(WrongEncryptionToken):
+        build_use_cases(store, encryption_token=AesGcmCipher().generate_token())

generic_ml_cache_cli-0.6.0/tests/test_encryption_cli.py

@@ -0,0 +1,101 @@
+# SPDX-FileCopyrightText: 2026 Daniel Slobozian
+# SPDX-License-Identifier: Apache-2.0
+"""End-to-end CLI tests for encrypt / decrypt / rotate / invalidate."""
+
+from __future__ import annotations
+
+import pytest
+
+pytest.importorskip("cryptography")
+
+from generic_ml_cache_cli.cli import main  # noqa: E402
+
+_RUN = ["run", "--client", "fake", "--model", "m1", "--effort", "high"]
+
+
+def _token_from(out: str) -> str:
+    """The token is printed on its own indented, space-free line."""
+    for line in out.splitlines():
+        s = line.strip()
+        if s and " " not in s and len(s) >= 20:
+            return s
+    raise AssertionError(f"no token found in:\n{out}")
+
+
+def _enable(capsys) -> str:
+    assert main(["encrypt"]) == 0
+    return _token_from(capsys.readouterr().out)
+
+
+def test_encrypt_then_run_with_token_round_trips(capsys, monkeypatch):
+    token = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", token)
+
+    assert main(_RUN + ["--prompt", "STDOUT SECRETMARKER"]) == 0
+    assert "SECRETMARKER" in capsys.readouterr().out
+    # offline replay against the encrypted store, with the token
+    assert main(_RUN + ["--prompt", "STDOUT SECRETMARKER", "--offline"]) == 0
+    capsys.readouterr()
+
+    assert main(["status"]) == 0
+    assert "encryption  : encrypted" in capsys.readouterr().out
+
+
+def test_run_without_token_on_encrypted_store_is_blocked(capsys, monkeypatch):
+    token = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", token)
+    main(_RUN + ["--prompt", "STDOUT hi"])  # record one entry
+    capsys.readouterr()
+
+    monkeypatch.delenv("GMLCACHE_TOKEN", raising=False)
+    rc = main(_RUN + ["--prompt", "STDOUT hi"])  # hit -> hydrate -> needs the token
+    assert rc == 4
+    assert "token" in capsys.readouterr().err.lower()
+
+
+def test_decrypt_returns_store_to_public(capsys):
+    token = _enable(capsys)
+    assert main(["decrypt", "--token", token]) == 0
+    capsys.readouterr()
+    main(["status"])
+    assert "encryption  : public" in capsys.readouterr().out
+
+
+def test_decrypt_with_wrong_token_fails(capsys):
+    _enable(capsys)
+    assert main(["decrypt", "--token", "definitely-not-the-right-token-xyz"]) == 4
+    assert "gmlc:" in capsys.readouterr().err
+
+
+def test_rotate_swaps_the_token(capsys, monkeypatch):
+    run = _RUN + ["--prompt", "STDOUT zz"]
+    old = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", old)
+    main(run)
+    capsys.readouterr()
+
+    assert main(["rotate", "--token", old]) == 0
+    new = _token_from(capsys.readouterr().out)
+    assert new != old
+
+    monkeypatch.setenv("GMLCACHE_TOKEN", new)
+    assert main(run + ["--offline"]) == 0  # new token reads
+    capsys.readouterr()
+    monkeypatch.setenv("GMLCACHE_TOKEN", old)
+    assert main(run + ["--offline"]) == 4  # old token rejected
+
+
+def test_invalidate_requires_yes_then_wipes_to_public(capsys, monkeypatch):
+    token = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", token)
+    main(_RUN + ["--prompt", "STDOUT x"])
+    capsys.readouterr()
+
+    assert main(["invalidate"]) == 4  # refused without --yes
+    assert "yes" in capsys.readouterr().err.lower()
+
+    assert main(["invalidate", "--yes"]) == 0
+    capsys.readouterr()
+    monkeypatch.delenv("GMLCACHE_TOKEN", raising=False)
+    main(["status"])
+    assert "encryption  : public" in capsys.readouterr().out

generic_ml_cache_cli-0.6.0/tests/test_session_cli.py

@@ -0,0 +1,97 @@
+# SPDX-FileCopyrightText: 2026 Daniel Slobozian
+# SPDX-License-Identifier: Apache-2.0
+"""CLI tests for sessions: run --session / GMLCACHE_SESSION and `session start`."""
+
+from __future__ import annotations
+
+import glob
+import sqlite3
+
+from generic_ml_cache_cli.cli import main
+
+_RUN = ["run", "--client", "fake", "--model", "m1", "--effort", "high", "--prompt", "STDOUT hi"]
+
+
+def _session_ids(tmp_path):
+    dbs = glob.glob(str(tmp_path / "**" / "registry.sqlite3"), recursive=True)
+    if not dbs:
+        return []
+    conn = sqlite3.connect(dbs[0])
+    try:
+        return [r[0] for r in conn.execute("SELECT session_id FROM access_events ORDER BY id")]
+    finally:
+        conn.close()
+
+
+def test_run_with_session_flag_records_the_session_id(tmp_path, capsys):
+    assert main(_RUN + ["--session", "workflow-1"]) == 0
+    capsys.readouterr()
+    assert _session_ids(tmp_path) == ["workflow-1"]
+
+
+def test_run_reads_session_from_env(tmp_path, capsys, monkeypatch):
+    monkeypatch.setenv("GMLCACHE_SESSION", "env-session")
+    assert main(_RUN) == 0
+    capsys.readouterr()
+    assert _session_ids(tmp_path) == ["env-session"]
+
+
+def test_flag_wins_over_env(tmp_path, capsys, monkeypatch):
+    monkeypatch.setenv("GMLCACHE_SESSION", "env-session")
+    assert main(_RUN + ["--session", "flag-session"]) == 0
+    capsys.readouterr()
+    assert _session_ids(tmp_path) == ["flag-session"]
+
+
+def test_run_without_a_session_records_null(tmp_path, capsys):
+    assert main(_RUN) == 0
+    capsys.readouterr()
+    assert _session_ids(tmp_path) == [None]
+
+
+def test_session_start_prints_a_scriptable_id(capsys):
+    assert main(["session", "start"]) == 0
+    out = capsys.readouterr().out.strip()
+    assert out and " " not in out  # a single bare id, usable as $(gmlcache session start)
+    # two starts yield distinct ids
+    main(["session", "start"])
+    assert capsys.readouterr().out.strip() != out
+
+
+def test_bare_session_shows_usage(capsys):
+    assert main(["session"]) == 2
+    assert "session start" in capsys.readouterr().err
+
+
+def test_session_report_rolls_up_invocations_executions_hits(capsys):
+    run = _RUN + ["--session", "wf"]
+    main(run)  # miss -> record (a real execution)
+    main(run)  # same input -> hit (no execution)
+    capsys.readouterr()
+
+    assert main(["session", "report", "wf"]) == 0
+    out = capsys.readouterr().out
+    assert "invocations : 2" in out
+    assert "executions  : 1" in out
+    assert "hits        : 1" in out
+
+
+def test_session_report_json(capsys):
+    import json
+
+    main(_RUN + ["--session", "wf"])
+    capsys.readouterr()
+    assert main(["session", "report", "wf", "--json"]) == 0
+    data = json.loads(capsys.readouterr().out)
+    assert data == {
+        "session": "wf",
+        "invocations": 1,
+        "executions": 1,
+        "hits": 0,
+        "events": {"record": 1},
+    }
+
+
+def test_session_report_unknown_session_is_clean(capsys):
+    assert main(["session", "report", "nope"]) == 0
+    assert "no events" in capsys.readouterr().out