mainsequence 3.18.2__tar.gz → 3.18.3__tar.gz

{mainsequence-3.18.2 → mainsequence-3.18.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mainsequence
-Version: 3.18.2
+Version: 3.18.3
 Summary: Main Sequence SDK 
 Author-email: Main Sequence GmbH <dev@main-sequence.io>
 License: MainSequence GmbH SDK License Agreement

{mainsequence-3.18.2 → mainsequence-3.18.3}/mainsequence/cli/api.py

@@ -178,6 +178,28 @@ def refresh_access() -> str:
         NotLoggedIn: if refresh is missing or refresh fails
     """
     refresh = _refresh_token()
+    runtime_mode = (os.environ.get("MAINSEQUENCE_AUTH_MODE") or "").strip().lower() == "runtime_credential"
+
+    if not refresh and runtime_mode:
+        try:
+            from mainsequence.client.utils import RuntimeCredentialAuthProvider
+        except Exception as exc:
+            raise NotLoggedIn(f"Runtime credential auth is unavailable: {exc}") from exc
+
+        token_url = f"{backend_url().rstrip('/')}/orm/api/pods/runtime-credentials/token/"
+        try:
+            RuntimeCredentialAuthProvider(token_url=token_url).refresh(force=True)
+        except Exception as exc:
+            raise NotLoggedIn(f"Runtime credential exchange failed: {exc}") from exc
+
+        access = (os.environ.get("MAINSEQUENCE_ACCESS_TOKEN") or "").strip()
+        if not access:
+            raise NotLoggedIn("Runtime credential exchange did not produce MAINSEQUENCE_ACCESS_TOKEN.")
+
+        tokens = get_tokens()
+        save_tokens(tokens.get("username") or "", access, "")
+        return access
+
     if not refresh:
         raise NotLoggedIn("Not logged in. Run `mainsequence login`.")
 
@@ -422,7 +444,8 @@ def get_logged_user_details() -> dict[str, Any]:
 
     The CLI does not naturally run inside a request context, so this bridge resolves
     the current user id from the authenticated API session and temporarily binds
-    `X-User-ID` into `mainsequence.client.models_user._CURRENT_AUTH_HEADERS`
+    `X-User-ID` plus `Authorization` into
+    `mainsequence.client.models_user._CURRENT_AUTH_HEADERS`
     before calling the SDK method.
     """
     tokens = get_tokens()
@@ -486,7 +509,12 @@ def get_logged_user_details() -> dict[str, Any]:
 
         BaseObjectOrm.ROOT_URL = root_url
         ClientUser.ROOT_URL = root_url
-        headers_token = current_auth_headers.set({"X-User-ID": str(user_id)})
+        headers_token = current_auth_headers.set(
+            {
+                "X-User-ID": str(user_id),
+                "Authorization": f"Bearer {access}",
+            }
+        )
 
         user = ClientUser.get_logged_user()
         if isinstance(user, dict):

{mainsequence-3.18.2 → mainsequence-3.18.3}/mainsequence/cli/cli.py

@@ -756,6 +756,28 @@ def _require_login() -> dict:
         raise typer.Exit(1) from e
 
 
+def _runtime_credential_mode_enabled() -> bool:
+    return (os.environ.get("MAINSEQUENCE_AUTH_MODE") or "").strip().lower() == "runtime_credential"
+
+
+def _exchange_runtime_credential_for_cli_login(backend_url: str) -> str:
+    try:
+        from mainsequence.client.utils import RuntimeCredentialAuthProvider
+    except Exception as exc:
+        raise ApiError(f"Runtime credential auth is unavailable: {exc}") from exc
+
+    token_url = f"{backend_url.rstrip('/')}/orm/api/pods/runtime-credentials/token/"
+    try:
+        RuntimeCredentialAuthProvider(token_url=token_url).refresh(force=True)
+    except Exception as exc:
+        raise ApiError(f"Runtime credential exchange failed: {exc}") from exc
+
+    access = (os.environ.get("MAINSEQUENCE_ACCESS_TOKEN") or "").strip()
+    if not access:
+        raise ApiError("Runtime credential exchange did not produce MAINSEQUENCE_ACCESS_TOKEN.")
+    return access
+
+
 def _resolve_project_dir(project_id: int | None, path: str | None) -> pathlib.Path:
     """
     Resolve project directory by:
@@ -2038,6 +2060,10 @@ def login(
     Interactive login uses browser-based authentication and finishes with
     standard JWT access/refresh tokens persisted by the CLI.
 
+    If `MAINSEQUENCE_AUTH_MODE=runtime_credential`, login exchanges the
+    configured runtime credential for a short-lived access token instead of
+    opening the browser or persisting CLI JWT tokens.
+
     Parameters
     ----------
     backend:
@@ -2066,9 +2092,21 @@ def login(
     mainsequence login --access-token "$TOKEN" --refresh-token "$REFRESH"
     mainsequence login --access-token "$TOKEN" --refresh-token "$REFRESH" --backend http://127.0.0.1:8000 --projects-base mainsequence-dev
     mainsequence login --export
+    MAINSEQUENCE_AUTH_MODE=runtime_credential mainsequence login
     ```
     """
     using_jwt = bool((access_token or "").strip() or (refresh_token or "").strip())
+    using_runtime_credential = _runtime_credential_mode_enabled()
+
+    if using_runtime_credential and using_jwt:
+        error(
+            "Runtime credential login cannot be combined with "
+            "--access-token/--refresh-token."
+        )
+        raise typer.Exit(1)
+
+    if using_runtime_credential and no_open:
+        warn("--no-open is ignored when MAINSEQUENCE_AUTH_MODE=runtime_credential.")
 
     if not using_jwt and backend and "@" in backend:
         error(
@@ -2112,7 +2150,18 @@ def login(
         os.environ["MAIN_SEQUENCE_BACKEND_URL"] = normalized_backend
 
     try:
-        if using_jwt:
+        if using_runtime_credential:
+            access = _exchange_runtime_credential_for_cli_login(normalized_backend or current_backend)
+            persisted = cfg.save_tokens("", access, "")
+            res = {
+                "username": "",
+                "backend": normalized_backend or current_backend,
+                "access": access,
+                "refresh": "",
+                "persisted": bool(persisted),
+                "auth_mode": "runtime_credential",
+            }
+        elif using_jwt:
             os.environ.pop(cfg.ENV_USERNAME, None)
             os.environ.pop(cfg.LEGACY_ENV_USERNAME, None)
             persisted = cfg.save_tokens("", (access_token or "").strip(), (refresh_token or "").strip())
@@ -2122,6 +2171,7 @@ def login(
                 "access": (access_token or "").strip(),
                 "refresh": (refresh_token or "").strip(),
                 "persisted": bool(persisted),
+                "auth_mode": "jwt",
             }
         else:
             def _emit_auth_url(url: str) -> None:
@@ -2150,6 +2200,7 @@ def login(
                 "access": access,
                 "refresh": refresh,
                 "persisted": bool(persisted),
+                "auth_mode": "jwt",
             }
     except BrowserAuthError as e:
         error(f"Browser login failed: {e}")
@@ -2176,8 +2227,12 @@ def login(
         access = (res.get("access") or "").replace('"', '\\"')
         refresh = (res.get("refresh") or "").replace('"', '\\"')
         username = (res.get("username") or "").replace('"', '\\"')
+        auth_mode = (res.get("auth_mode") or "").replace('"', '\\"')
+        if auth_mode:
+            typer.echo(f'export MAINSEQUENCE_AUTH_MODE="{auth_mode}"')
         typer.echo(f'export MAINSEQUENCE_ACCESS_TOKEN="{access}"')
-        typer.echo(f'export MAINSEQUENCE_REFRESH_TOKEN="{refresh}"')
+        if refresh:
+            typer.echo(f'export MAINSEQUENCE_REFRESH_TOKEN="{refresh}"')
         if username:
             typer.echo(f'export MAINSEQUENCE_USERNAME="{username}"')
         return
@@ -2188,11 +2243,16 @@ def login(
     typer.echo("MAIN SEQUENCE")
     if res.get("username"):
         success(f"Signed in as {res['username']} (Backend: {res['backend']})")
+    elif res.get("auth_mode") == "runtime_credential":
+        success(f"Signed in with runtime credential (Backend: {res['backend']})")
     else:
         success(f"Signed in with JWT tokens (Backend: {res['backend']})")
     info(f"Projects base folder: {base}")
     auth_store_label = cfg.auth_persistence_label()
-    if res.get("persisted", True):
+    if res.get("auth_mode") == "runtime_credential":
+        info(f"Runtime credential access token is persisted in {auth_store_label}; no CLI JWT refresh token exists.")
+        info("When the access token expires, CLI will re-exchange the runtime credential automatically.")
+    elif res.get("persisted", True):
         info(f"Auth tokens are persisted in {auth_store_label} for subsequent CLI commands.")
     else:
         warn(f"Could not persist auth tokens in {auth_store_label}. Use --export for shell-based auth.")

{mainsequence-3.18.2 → mainsequence-3.18.3}/mainsequence/cli/config.py

@@ -350,12 +350,13 @@ def get_tokens() -> dict:
     """
     Return auth tokens from environment variables, with persistent-store fallback.
     """
+    runtime_mode = (os.environ.get("MAINSEQUENCE_AUTH_MODE") or "").strip().lower() == "runtime_credential"
     tokens = {
         "username": os.environ.get(ENV_USERNAME) or os.environ.get(LEGACY_ENV_USERNAME, ""),
         "access": os.environ.get(ENV_ACCESS) or os.environ.get(LEGACY_ENV_ACCESS, ""),
         "refresh": os.environ.get(ENV_REFRESH) or os.environ.get(LEGACY_ENV_REFRESH, ""),
     }
-    if tokens["access"] and tokens["refresh"]:
+    if tokens["access"] and (tokens["refresh"] or runtime_mode):
         return tokens
 
     for secret in (_read_secure_tokens(), _read_local_tokens()):
@@ -366,7 +367,7 @@ def get_tokens() -> dict:
             "access": tokens["access"] or secret.get("access", ""),
             "refresh": tokens["refresh"] or secret.get("refresh", ""),
         }
-        if tokens["access"] and tokens["refresh"]:
+        if tokens["access"] and (tokens["refresh"] or runtime_mode):
             break
     return tokens
 

{mainsequence-3.18.2 → mainsequence-3.18.3}/mainsequence/client/utils.py

@@ -86,6 +86,9 @@ def _default_auth_provider_kind() -> str | None:
     has_access = _env_has_value("MAINSEQUENCE_ACCESS_TOKEN")
     has_refresh = _env_has_value("MAINSEQUENCE_REFRESH_TOKEN")
 
+    if mode == "runtime_credential":
+        return "runtime_credential"
+
     if mode == "session_jwt":
         if has_access or has_refresh:
             return "session_jwt"
@@ -176,6 +179,114 @@ class SessionJWTAuthProvider(BaseAuthProvider):
         return None
 
 
+@dataclass
+class RuntimeCredentialAuthProvider(BaseAuthProvider):
+    credential_id: str | None = None
+    credential_secret: str | None = None
+    token_url: str = f"{API_ENDPOINT}/pods/runtime-credentials/token/"
+    token_type: str = "Bearer"
+    refresh_skew_seconds: int = 30
+    timeout: tuple[float, float] = DEFAULT_TIMEOUT
+    expires_at: float | None = None
+    _lock: threading.RLock = field(default_factory=threading.RLock, init=False, repr=False)
+
+    def __post_init__(self):
+        if self.credential_id is None:
+            self.credential_id = os.getenv("MAINSEQUENCE_RUNTIME_CREDENTIAL_ID")
+        if self.credential_secret is None:
+            self.credential_secret = os.getenv("MAINSEQUENCE_RUNTIME_CREDENTIAL_SECRET")
+
+    def _current_access_token(self) -> str | None:
+        return (os.getenv("MAINSEQUENCE_ACCESS_TOKEN") or "").strip() or None
+
+    def _needs_exchange(self) -> bool:
+        access_token = self._current_access_token()
+        if not access_token:
+            return True
+
+        if self.expires_at is not None:
+            return self.expires_at <= time.time() + self.refresh_skew_seconds
+
+        exp = _decode_jwt_exp(access_token)
+        if exp is None:
+            # Access-only JWT behavior: use opaque/uninspectable access until a 401 forces exchange.
+            return False
+
+        return exp <= int(time.time()) + self.refresh_skew_seconds
+
+    def _require_credentials(self) -> tuple[str, str]:
+        credential_id = (self.credential_id or "").strip()
+        credential_secret = (self.credential_secret or "").strip()
+        if not credential_id:
+            raise AuthError(
+                "MAINSEQUENCE_RUNTIME_CREDENTIAL_ID is required when "
+                "MAINSEQUENCE_AUTH_MODE=runtime_credential."
+            )
+        if not credential_secret:
+            raise AuthError(
+                "MAINSEQUENCE_RUNTIME_CREDENTIAL_SECRET is required when "
+                "MAINSEQUENCE_AUTH_MODE=runtime_credential."
+            )
+        return credential_id, credential_secret
+
+    def refresh(
+        self,
+        *,
+        force: bool = False,
+        session: requests.Session | None = None,
+    ) -> None:
+        _ = session
+        with self._lock:
+            if not force and not self._needs_exchange():
+                return
+
+            credential_id, credential_secret = self._require_credentials()
+            response = requests.post(
+                self.token_url,
+                json={
+                    "credential_id": credential_id,
+                    "credential_secret": credential_secret,
+                },
+                headers={"Content-Type": "application/json"},
+                timeout=self.timeout,
+            )
+            if response.status_code < 200 or response.status_code >= 300:
+                raise AuthError(
+                    "Runtime credential exchange failed with status "
+                    f"{response.status_code}."
+                )
+
+            data = response.json()
+            access = str(data.get("access") or "").strip()
+            if not access:
+                raise AuthError("Runtime credential exchange response did not include access token.")
+
+            token_type = str(data.get("token_type") or self.token_type or "Bearer").strip()
+            self.token_type = token_type or "Bearer"
+
+            expires_in_raw = data.get("expires_in")
+            try:
+                expires_in = int(expires_in_raw)
+            except (TypeError, ValueError):
+                expires_in = None
+            self.expires_at = time.time() + expires_in if expires_in and expires_in > 0 else None
+            os.environ["MAINSEQUENCE_ACCESS_TOKEN"] = access
+
+    def get_headers(self) -> CaseInsensitiveDict:
+        if self._needs_exchange():
+            self.refresh(force=False)
+
+        access_token = self._current_access_token()
+        if not access_token:
+            raise AuthError("MAINSEQUENCE_ACCESS_TOKEN is missing after runtime credential exchange.")
+
+        return CaseInsensitiveDict(
+            {
+                "Authorization": f"{self.token_type} {access_token}",
+            }
+        )
+
+
 @dataclass
 class JWTAuthProvider(BaseAuthProvider):
     access_token: str | None = None
@@ -310,6 +421,9 @@ def build_default_auth_provider() -> BaseAuthProvider:
     if provider_kind == "session_jwt":
         return SessionJWTAuthProvider()
 
+    if provider_kind == "runtime_credential":
+        return RuntimeCredentialAuthProvider()
+
     if provider_kind == "jwt":
         return JWTAuthProvider()
 
@@ -330,7 +444,9 @@ class AuthLoaders:
     def _provider(self) -> BaseAuthProvider:
         provider_kind = _default_auth_provider_kind()
 
-        if provider_kind == "session_jwt" and not isinstance(self.provider, SessionJWTAuthProvider):
+        if provider_kind == "runtime_credential" and not isinstance(self.provider, RuntimeCredentialAuthProvider):
+            self.provider = RuntimeCredentialAuthProvider()
+        elif provider_kind == "session_jwt" and not isinstance(self.provider, SessionJWTAuthProvider):
             self.provider = SessionJWTAuthProvider()
         elif provider_kind == "jwt" and not isinstance(self.provider, JWTAuthProvider):
             self.provider = JWTAuthProvider()

{mainsequence-3.18.2 → mainsequence-3.18.3}/mainsequence/logconf.py

@@ -1,27 +1,26 @@
 from __future__ import annotations
 
+import inspect
 import logging
 import logging.config
 import os
+import sys
+import traceback
+from collections.abc import Mapping
 from pathlib import Path
+from typing import Any
 
 import requests
 import structlog
 from requests.structures import CaseInsensitiveDict
+from structlog.contextvars import bind_contextvars, unbind_contextvars
 from structlog.dev import ConsoleRenderer
+from structlog.stdlib import BoundLogger
 
 from .instrumentation import OTelJSONRenderer
 from .runtime_flags import is_running_in_pod
 
 logger = None
-import inspect
-import sys
-import traceback
-from collections.abc import Mapping
-from typing import Any
-
-from structlog.contextvars import bind_contextvars, unbind_contextvars
-from structlog.stdlib import BoundLogger
 
 
 def ensure_dir(file_path):
@@ -85,7 +84,44 @@ def _request_job_startup_state(*, timeout_s: float = 10.0) -> dict[str, Any]:
 
         return headers, False
 
+    def _exchange_runtime_credential() -> bool:
+        credential_id = (os.getenv("MAINSEQUENCE_RUNTIME_CREDENTIAL_ID") or "").strip()
+        credential_secret = (os.getenv("MAINSEQUENCE_RUNTIME_CREDENTIAL_SECRET") or "").strip()
+        if not credential_id or not credential_secret:
+            return False
+
+        try:
+            token_resp = requests.post(
+                f"{_backend_base_url()}/orm/api/pods/runtime-credentials/token/",
+                headers={"Content-Type": "application/json"},
+                json={
+                    "credential_id": credential_id,
+                    "credential_secret": credential_secret,
+                },
+                timeout=timeout_s,
+            )
+        except Exception:
+            return False
+
+        if token_resp.status_code < 200 or token_resp.status_code >= 300:
+            return False
+
+        try:
+            data = token_resp.json()
+        except Exception:
+            return False
+
+        access_token = str(data.get("access") or "").strip()
+        if not access_token:
+            return False
+
+        os.environ["MAINSEQUENCE_ACCESS_TOKEN"] = access_token
+        return True
+
     def _refresh_access_token() -> bool:
+        if auth_mode == "runtime_credential":
+            return _exchange_runtime_credential()
+
         if auth_mode == "session_jwt":
             return False
 
@@ -127,12 +163,15 @@ def _request_job_startup_state(*, timeout_s: float = 10.0) -> dict[str, Any]:
         )
 
     if (
-        auth_mode != "session_jwt"
+        auth_mode == "jwt"
         and not os.getenv("MAINSEQUENCE_ACCESS_TOKEN")
         and os.getenv("MAINSEQUENCE_REFRESH_TOKEN")
     ):
         _refresh_access_token()
 
+    if auth_mode == "runtime_credential" and not os.getenv("MAINSEQUENCE_ACCESS_TOKEN"):
+        _refresh_access_token()
+
     headers, using_jwt = _auth_headers()
 
     job_run_id = (os.getenv("JOB_RUN_ID") or "").strip()

{mainsequence-3.18.2 → mainsequence-3.18.3}/mainsequence.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mainsequence
-Version: 3.18.2
+Version: 3.18.3
 Summary: Main Sequence SDK 
 Author-email: Main Sequence GmbH <dev@main-sequence.io>
 License: MainSequence GmbH SDK License Agreement

{mainsequence-3.18.2 → mainsequence-3.18.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mainsequence"
-version = "3.18.2"
+version = "3.18.3"
 description = "Main Sequence SDK "
 readme = "README.md"
 requires-python = ">=3.11"