PyPI - getbased-agent-stack - Versions diffs - 0.4.0__tar.gz → 0.5.0__tar.gz - Mend

getbased-agent-stack 0.4.0tar.gz → 0.5.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

{getbased_agent_stack-0.4.0/src/getbased_agent_stack.egg-info → getbased_agent_stack-0.5.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: getbased-agent-stack
-Version: 0.4.0
+Version: 0.5.0
 Summary: One-command install of the full getbased agent stack — getbased-mcp + getbased-rag + getbased-dashboard
 License-Expression: GPL-3.0-only
 Requires-Python: >=3.10
@@ -26,7 +26,18 @@ Part of the [getbased-agents monorepo](https://github.com/elkimek/getbased-agent
 ## Install
 ```bash
-pipx install "getbased-agent-stack[full]"
+pipx install --include-deps "getbased-agent-stack[full]"
+```
+The `--include-deps` flag is required — it exposes `getbased-mcp`, `lens`, and `getbased-dashboard` alongside `getbased-stack` on your PATH. Without it, pipx only links the stack's own entry point and the MCP/rag/dashboard binaries stay hidden inside the venv.
+`uv` users: install each package as its own tool instead, since `uv tool` has no `--include-deps` equivalent yet:
+```bash
+uv tool install getbased-mcp
+uv tool install "getbased-rag[full]"
+uv tool install getbased-dashboard
+uv tool install "getbased-agent-stack[full]"
 ```
 Pulls:

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/README.md RENAMED Viewed

@@ -7,7 +7,18 @@ Part of the [getbased-agents monorepo](https://github.com/elkimek/getbased-agent
 ## Install
 ```bash
-pipx install "getbased-agent-stack[full]"
+pipx install --include-deps "getbased-agent-stack[full]"
+```
+The `--include-deps` flag is required — it exposes `getbased-mcp`, `lens`, and `getbased-dashboard` alongside `getbased-stack` on your PATH. Without it, pipx only links the stack's own entry point and the MCP/rag/dashboard binaries stay hidden inside the venv.
+`uv` users: install each package as its own tool instead, since `uv tool` has no `--include-deps` equivalent yet:
+```bash
+uv tool install getbased-mcp
+uv tool install "getbased-rag[full]"
+uv tool install getbased-dashboard
+uv tool install "getbased-agent-stack[full]"
 ```
 Pulls:

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "getbased-agent-stack"
-version = "0.4.0"
+version = "0.5.0"
 description = "One-command install of the full getbased agent stack — getbased-mcp + getbased-rag + getbased-dashboard"
 readme = "README.md"
 license = "GPL-3.0-only"

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/src/getbased_agent_stack/__init__.py RENAMED Viewed

@@ -5,4 +5,4 @@ plus a small CLI that proxies to the real binaries. Everything
 interesting lives in the sibling repos.
 """
-__version__ = "0.4.0"
+__version__ = "0.4.1"

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/src/getbased_agent_stack/cli.py RENAMED Viewed

@@ -86,7 +86,14 @@ def _yesno(msg: str, default: bool = True) -> bool:
 def cmd_init(args: argparse.Namespace) -> int:
+    # --yes / -y runs the full flow with defaults and no prompts. Intended
+    # for scripted installs (curl | bash) where stdin is unavailable and
+    # the EOF-returns-default path still triggers a getpass echo warning.
+    non_interactive = getattr(args, "yes", False)
     print("getbased-stack init — one-time setup")
+    if non_interactive:
+        print("Running non-interactive (--yes) — takes default answers on every prompt.")
     print(
         "Writes ~/.config/getbased/env, (optionally) installs + starts systemd\n"
         "user units for rag and dashboard. Idempotent: safe to re-run."
@@ -98,11 +105,15 @@ def cmd_init(args: argparse.Namespace) -> int:
     current_token = existing.get("GETBASED_TOKEN", "")
     masked = "****" + current_token[-4:] if current_token else "(unset)"
     print(f"[1/4] getbased sync token (current: {masked})")
-    token = _prompt(
-        "Paste GETBASED_TOKEN (press Enter to keep current / skip)",
-        default=current_token,
-        secret=True,
-    )
+    if non_interactive:
+        token = current_token
+        print("  keeping current value (set with `getbased-stack set GETBASED_TOKEN=…` later).")
+    else:
+        token = _prompt(
+            "Paste GETBASED_TOKEN (press Enter to keep current / skip)",
+            default=current_token,
+            secret=True,
+        )
     # 2. API key
     key_path = Path(existing.get("LENS_API_KEY_FILE", str(_default_api_key_file())))
@@ -127,7 +138,10 @@ def cmd_init(args: argparse.Namespace) -> int:
     # 4. install units
     print("\n[4/4] install systemd user units?")
-    if _yesno("install + start getbased-rag + getbased-dashboard?", default=True):
+    install_units = True if non_interactive else _yesno(
+        "install + start getbased-rag + getbased-dashboard?", default=True
+    )
+    if install_units:
         mgr = units.UnitManager()
         for line in mgr.install(enable=True, start=True):
             print(f"  {line}")
@@ -304,7 +318,15 @@ def build_parser() -> argparse.ArgumentParser:
     )
     sub = p.add_subparsers(dest="command")
-    sub.add_parser("init", help="Interactive one-time setup (token, API key, units).")
+    pinit = sub.add_parser(
+        "init", help="Interactive one-time setup (token, API key, units)."
+    )
+    pinit.add_argument(
+        "-y",
+        "--yes",
+        action="store_true",
+        help="Non-interactive: take defaults on every prompt. Use for scripted installs.",
+    )
     pi = sub.add_parser("install", help="Install + start the systemd user units.")
     pi.add_argument("--no-enable", action="store_true", help="Copy files only; don't enable.")

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/src/getbased_agent_stack/systemd/getbased-dashboard.service RENAMED Viewed

@@ -16,7 +16,9 @@ ExecStart=%h/.local/bin/getbased-dashboard serve
 Restart=always
 RestartSec=5s
-# Hardening — the dashboard is a localhost-only HTTP server.
+# User-mode-compatible hardening only — see getbased-rag.service for
+# the list of CAP_SYS_ADMIN-requiring directives that fail with
+# 218/CAPABILITIES under `systemctl --user` and are deliberately omitted.
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=read-only
@@ -24,13 +26,7 @@ ProtectHome=read-only
 # the shared env file when the user edits the token in the MCP tab.
 ReadWritePaths=%h/.local/state/getbased %h/.config/getbased
 PrivateTmp=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictNamespaces=true
 LockPersonality=true
-RestrictRealtime=true
 [Install]
 WantedBy=default.target

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/src/getbased_agent_stack/systemd/getbased-rag.service RENAMED Viewed

@@ -22,20 +22,19 @@ ExecStart=%h/.local/bin/lens serve
 Restart=always
 RestartSec=5s
-# Hardening — the server only needs its data dir + a network socket.
+# User-mode-compatible hardening only. Directives that require
+# CAP_SYS_ADMIN (ProtectKernelTunables, ProtectKernelModules,
+# ProtectControlGroups, RestrictNamespaces, RestrictAddressFamilies,
+# RestrictRealtime, MemoryDenyWriteExecute) fail with 218/CAPABILITIES
+# under `systemctl --user` on a non-privileged bus and are omitted.
+# For a hardened system-service deployment, promote this unit to
+# /etc/systemd/system/ and re-add those directives.
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=read-only
 ReadWritePaths=%h/.local/share/getbased
 PrivateTmp=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictNamespaces=true
 LockPersonality=true
-MemoryDenyWriteExecute=false  # ONNX Runtime needs W^X exception
-RestrictRealtime=true
 [Install]
 WantedBy=default.target

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0/src/getbased_agent_stack.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: getbased-agent-stack
-Version: 0.4.0
+Version: 0.5.0
 Summary: One-command install of the full getbased agent stack — getbased-mcp + getbased-rag + getbased-dashboard
 License-Expression: GPL-3.0-only
 Requires-Python: >=3.10
@@ -26,7 +26,18 @@ Part of the [getbased-agents monorepo](https://github.com/elkimek/getbased-agent
 ## Install
 ```bash
-pipx install "getbased-agent-stack[full]"
+pipx install --include-deps "getbased-agent-stack[full]"
+```
+The `--include-deps` flag is required — it exposes `getbased-mcp`, `lens`, and `getbased-dashboard` alongside `getbased-stack` on your PATH. Without it, pipx only links the stack's own entry point and the MCP/rag/dashboard binaries stay hidden inside the venv.
+`uv` users: install each package as its own tool instead, since `uv tool` has no `--include-deps` equivalent yet:
+```bash
+uv tool install getbased-mcp
+uv tool install "getbased-rag[full]"
+uv tool install getbased-dashboard
+uv tool install "getbased-agent-stack[full]"
 ```
 Pulls:

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/src/getbased_agent_stack.egg-info/SOURCES.txt RENAMED Viewed

@@ -18,4 +18,5 @@ tests/test_cli.py
 tests/test_env_file.py
 tests/test_integration.py
 tests/test_mcp_configs.py
+tests/test_systemd_units.py
 tests/test_units.py

{getbased_agent_stack-0.4.0 → getbased_agent_stack-0.5.0}/tests/test_cli.py RENAMED Viewed

@@ -295,6 +295,57 @@ def test_init_reuses_existing_api_key(stack_home, fake_shell, monkeypatch):
     assert key_path.read_text().strip() == "preexisting_key"
+def test_init_yes_flag_skips_all_prompts(stack_home, fake_shell, monkeypatch):
+    """`init --yes` must not call input() or getpass() at all. Scripted
+    installers (curl | bash) can't service prompts and the EOF fallback
+    triggers a Python getpass echo warning that pollutes output.
+    Strict assertion: any prompt call fails the test."""
+    def _forbid_input(*a, **kw):
+        raise AssertionError("input() called under --yes")
+    def _forbid_getpass(*a, **kw):
+        raise AssertionError("getpass() called under --yes")
+    monkeypatch.setattr("builtins.input", _forbid_input)
+    monkeypatch.setattr("getpass.getpass", _forbid_getpass)
+    rc, out, _ = _run(["init", "--yes"])
+    assert rc == 0
+    # Banner reflects the mode so the user sees what happened
+    assert "non-interactive" in out.lower()
+    # Env file + units still land
+    assert env_file.env_file_path().exists()
+    assert (stack_home / "config" / "systemd" / "user" / "getbased-rag.service").exists()
+def test_init_yes_installs_units_without_asking(stack_home, fake_shell, monkeypatch):
+    """Default for the install-units prompt is Yes, so --yes must also
+    install + start. If this regressed to skip, install.sh would
+    silently leave services off."""
+    monkeypatch.setattr("builtins.input", lambda *a, **kw: "")
+    monkeypatch.setattr("getpass.getpass", lambda *a, **kw: "")
+    _run(["init", "--yes"])
+    # UnitManager.install() writes service files under XDG_CONFIG_HOME
+    assert (stack_home / "config" / "systemd" / "user" / "getbased-rag.service").exists()
+    assert (stack_home / "config" / "systemd" / "user" / "getbased-dashboard.service").exists()
+def test_init_yes_preserves_existing_token(stack_home, fake_shell, monkeypatch):
+    """Non-interactive mode must not nuke a previously-saved token —
+    it takes the 'keep current' default, same as pressing Enter."""
+    env_file.write_env_file(
+        {"GETBASED_TOKEN": "keep_me", "GETBASED_STACK_MANAGED": "1"}
+    )
+    # No input/getpass expected, but stub defensively in case a future
+    # code path adds an unguarded prompt — test still catches it.
+    monkeypatch.setattr("builtins.input", lambda *a, **kw: (_ for _ in ()).throw(AssertionError("input under --yes")))
+    monkeypatch.setattr("getpass.getpass", lambda *a, **kw: (_ for _ in ()).throw(AssertionError("getpass under --yes")))
+    _run(["init", "-y"])
+    assert env_file.read_env_file()["GETBASED_TOKEN"] == "keep_me"
 def test_init_is_reentrant(stack_home, fake_shell, monkeypatch):
     """Running init twice in a row must not break anything — second call
     should be a cheap idempotent update, not a destructive rewrite."""

getbased_agent_stack-0.5.0/tests/test_systemd_units.py ADDED Viewed

@@ -0,0 +1,109 @@
+"""Regression tests for the bundled systemd unit files.
+Found during the Hermes 0.4.0 clean-install smoke test: several hardening
+directives (ProtectKernelTunables, RestrictNamespaces, etc.) require
+CAP_SYS_ADMIN and fail with 218/CAPABILITIES under `systemctl --user`.
+Inline `# comment` on a directive line also breaks parsing (systemd
+appends the comment to the value).
+These tests lock in both fixes by asserting on unit-file content."""
+from __future__ import annotations
+import pytest
+from getbased_agent_stack import units
+# Capability-requiring directives that fail under `systemctl --user`.
+# Any of these in a bundled unit would bring back the CAPABILITIES 218
+# error on a user install.
+FORBIDDEN_USER_MODE_DIRECTIVES = (
+    "ProtectKernelTunables",
+    "ProtectKernelModules",
+    "ProtectControlGroups",
+    "RestrictNamespaces",
+    "RestrictAddressFamilies",
+    "RestrictRealtime",
+    "MemoryDenyWriteExecute",
+    "SystemCallFilter",
+    "SystemCallArchitectures",
+    "CapabilityBoundingSet",
+    "AmbientCapabilities",
+)
+def _directive_values(text: str) -> "list[tuple[str, str]]":
+    """Return (key, value) pairs for every `KEY=VALUE` line that is not a
+    comment, preserving order. Section headers excluded."""
+    out: "list[tuple[str, str]]" = []
+    for line in text.splitlines():
+        stripped = line.strip()
+        if not stripped or stripped.startswith(("#", "[")):
+            continue
+        if "=" not in stripped:
+            continue
+        key, _, val = stripped.partition("=")
+        out.append((key.strip(), val))
+    return out
+@pytest.mark.parametrize("name,text", units.bundled_units())
+def test_no_user_mode_forbidden_directives(name, text):
+    """Capability-requiring directives must not appear in bundled units —
+    they're incompatible with `systemctl --user` and prevent first start."""
+    for key, _ in _directive_values(text):
+        assert key not in FORBIDDEN_USER_MODE_DIRECTIVES, (
+            f"{name} has {key}= which fails under systemctl --user "
+            f"(needs CAP_SYS_ADMIN, causes 218/CAPABILITIES)"
+        )
+@pytest.mark.parametrize("name,text", units.bundled_units())
+def test_no_inline_comments_on_directives(name, text):
+    """systemd does not strip inline `# comments` from directive values.
+    A line like `MemoryDenyWriteExecute=false  # needed for ONNX` parses
+    the full string (including '# needed for ONNX') as the value, which
+    breaks boolean directives and was a real Hermes install bug."""
+    for key, val in _directive_values(text):
+        # An '#' AFTER meaningful content on a directive line is an inline
+        # comment. Leading-# lines were filtered already by _directive_values.
+        assert "#" not in val, (
+            f"{name} directive {key}= has an inline comment; systemd won't "
+            f"strip it. Move the comment to its own line."
+        )
+@pytest.mark.parametrize("name,text", units.bundled_units())
+def test_restart_always_not_on_failure(name, text):
+    """Restart=always (not on-failure) so a clean SIGTERM triggers restart.
+    `on-failure` was the exact bug that kept lens-rag.service dead on Hermes
+    for 5 hours — don't regress that."""
+    restart_values = [val for key, val in _directive_values(text) if key == "Restart"]
+    assert restart_values, f"{name} has no Restart= directive"
+    assert restart_values[-1] == "always", (
+        f"{name} has Restart={restart_values[-1]}; must be `always` so clean "
+        f"SIGTERM still brings the service back."
+    )
+@pytest.mark.parametrize("name,text", units.bundled_units())
+def test_reads_shared_env_file(name, text):
+    """Every unit must source the shared env file via EnvironmentFile=
+    so the GETBASED_STACK_MANAGED flag + token + paths are available."""
+    values = [val for key, val in _directive_values(text) if key == "EnvironmentFile"]
+    assert any(
+        "getbased/env" in v for v in values
+    ), f"{name} does not source %h/.config/getbased/env via EnvironmentFile="
+@pytest.mark.parametrize("name,text", units.bundled_units())
+def test_sets_stack_managed_flag(name, text):
+    """The opt-in flag must be set via Environment= so the Python loader
+    inside the binary picks up the shared file. Without this, services
+    run without the shared config and every user has to duplicate env
+    into the unit file manually."""
+    envs = [val for key, val in _directive_values(text) if key == "Environment"]
+    flag_set = any(e.startswith("GETBASED_STACK_MANAGED=1") for e in envs)
+    assert flag_set, (
+        f"{name} does not set GETBASED_STACK_MANAGED=1 via Environment="
+    )