mcpcert-cli 0.1.0__py3-none-any.whl

mcpcert/__init__.py

@@ -0,0 +1,3 @@
+"""mcpcert — official CLI for mcpcert.org dev client identities."""
+
+__version__ = "0.1.0"

mcpcert/api.py

@@ -0,0 +1,112 @@
+"""HTTP client over the mcpcert.org API. Mirrors packages/node/src/lib/api.ts."""
+
+from __future__ import annotations
+
+import json
+import urllib.error
+import urllib.request
+from typing import Any
+from urllib.parse import quote
+
+from .contract import CLI_CONTRACT_VERSION, CONTRACT_HEADER
+from .errors import CliError
+
+
+class ApiClient:
+    def __init__(self, base_url: str) -> None:
+        self.base_url = base_url
+        self._preflighted = False
+        self.api_version = "unknown"
+
+    def version(self) -> dict[str, Any]:
+        return self._request("GET", "/api/version")
+
+    def preflight(self) -> None:
+        if self._preflighted:
+            return
+        meta = self.version()
+        self.api_version = str(meta.get("api_version", "unknown"))
+        supported = meta.get("supported_cli_contract_versions") or []
+        if CLI_CONTRACT_VERSION not in supported:
+            raise CliError(
+                "api_version_unsupported",
+                f"This mcpcert CLI (contract {CLI_CONTRACT_VERSION}) is not supported by {self.base_url}. "
+                f"Supported: {', '.join(supported) or 'none'}. Upgrade the CLI.",
+                details={"cli_contract_version": CLI_CONTRACT_VERSION, "supported": supported},
+            )
+        self._preflighted = True
+
+    def provision(self, body: dict[str, Any]) -> dict[str, Any]:
+        self.preflight()
+        return self._request("POST", "/api/dev-registrations", body=body)
+
+    def describe(self, appname: str, token: str) -> dict[str, Any]:
+        self.preflight()
+        return self._request("GET", f"/api/dev-registrations/{quote(appname, safe='')}", token=token)
+
+    def update(self, appname: str, token: str, patch: dict[str, Any]) -> dict[str, Any]:
+        self.preflight()
+        return self._request("PATCH", f"/api/dev-registrations/{quote(appname, safe='')}", token=token, body=patch)
+
+    def conformance_list(self, appname: str, token: str) -> dict[str, Any]:
+        self.preflight()
+        return self._request("GET", f"/api/dev-registrations/{quote(appname, safe='')}/conformance", token=token)
+
+    def conformance_show(self, appname: str, run_id: str, token: str) -> dict[str, Any]:
+        self.preflight()
+        return self._request(
+            "GET",
+            f"/api/dev-registrations/{quote(appname, safe='')}/conformance/{quote(run_id, safe='')}",
+            token=token,
+        )
+
+    def _request(
+        self,
+        method: str,
+        path: str,
+        *,
+        token: str | None = None,
+        body: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        url = f"{self.base_url}{path}"
+        headers = {"accept": "application/json", CONTRACT_HEADER: CLI_CONTRACT_VERSION}
+        if token:
+            headers["authorization"] = f"Bearer {token}"
+        data = None
+        if body is not None:
+            data = json.dumps(body).encode("utf-8")
+            headers["content-type"] = "application/json"
+        request = urllib.request.Request(url, data=data, method=method, headers=headers)
+        try:
+            with urllib.request.urlopen(request) as response:
+                text = response.read().decode("utf-8")
+                return _safe_json(text)
+        except urllib.error.HTTPError as error:
+            raw = error.read().decode("utf-8", errors="replace")
+            payload = _safe_json(raw)
+            if error.code == 426:
+                raise CliError(
+                    "api_version_unsupported",
+                    "Server requires a newer mcpcert CLI. Upgrade the CLI.",
+                    details=payload,
+                ) from None
+            code = payload.get("error") if isinstance(payload.get("error"), str) else "network_error"
+            message = (
+                payload.get("error_description")
+                if isinstance(payload.get("error_description"), str)
+                else f"Request to {path} failed with HTTP {error.code}."
+            )
+            details = payload.get("details") if isinstance(payload.get("details"), dict) else {}
+            raise CliError(code, message, details=details) from None
+        except urllib.error.URLError as error:
+            raise CliError("network_error", f"Could not reach {url}: {error.reason}") from None
+
+
+def _safe_json(text: str) -> dict[str, Any]:
+    if not text:
+        return {}
+    try:
+        parsed = json.loads(text)
+        return parsed if isinstance(parsed, dict) else {"value": parsed}
+    except ValueError:
+        return {}

mcpcert/args.py

@@ -0,0 +1,61 @@
+"""Minimal argument parser mirroring packages/node/src/lib/args.ts for identical flag semantics."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+
+BOOLEAN_FLAGS = {"json", "no-color", "help", "version", "check", "no-open", "accept-tos"}
+
+
+@dataclass
+class ParsedArgs:
+    positionals: list[str] = field(default_factory=list)
+    options: dict[str, list[str]] = field(default_factory=dict)
+    booleans: set[str] = field(default_factory=set)
+
+
+def parse_args(argv: list[str]) -> ParsedArgs:
+    parsed = ParsedArgs()
+    i = 0
+    while i < len(argv):
+        token = argv[i]
+        if not token.startswith("--"):
+            parsed.positionals.append(token)
+            i += 1
+            continue
+        body = token[2:]
+        if "=" in body:
+            name, _, value = body.partition("=")
+            name = name.strip()
+            if name in BOOLEAN_FLAGS:
+                parsed.booleans.add(name)
+            else:
+                parsed.options.setdefault(name, []).append(value)
+            i += 1
+            continue
+        name = body.strip()
+        if name in BOOLEAN_FLAGS:
+            parsed.booleans.add(name)
+            i += 1
+            continue
+        nxt = argv[i + 1] if i + 1 < len(argv) else None
+        if nxt is None or nxt.startswith("--"):
+            parsed.options.setdefault(name, []).append("")
+            i += 1
+        else:
+            parsed.options.setdefault(name, []).append(nxt)
+            i += 2
+    return parsed
+
+
+def one(args: ParsedArgs, name: str) -> str | None:
+    values = args.options.get(name)
+    return values[-1] if values else None
+
+
+def many(args: ParsedArgs, name: str) -> list[str] | None:
+    return args.options.get(name)
+
+
+def boolean(args: ParsedArgs, name: str) -> bool:
+    return name in args.booleans

mcpcert/cli.py

@@ -0,0 +1,89 @@
+"""mcpcert CLI entry point. Mirrors packages/node/src/cli.ts."""
+
+from __future__ import annotations
+
+import os
+import sys
+
+from . import __version__
+from .args import ParsedArgs, boolean, parse_args
+from .commands import conformance_cmd, info_cmd, init_cmd, update_cmd
+from .context import resolve_api_base_url
+from .contract import CLI_CONTRACT_VERSION
+from .errors import CliError
+from .output import Output
+
+HELP = """mcpcert - provision and test a hosted dev MCP client identity (CIMD).
+
+Usage:
+  mcpcert init [--appname <name>] [--client-name <name>] [--application-type <type>]
+               [--redirect-uri <uri>]... [--accept-tos]
+  mcpcert update [--client-name <name>] [--redirect-uri <uri>]... [--scope <s>] ...
+  mcpcert info [--check]
+  mcpcert conformance run [--sandbox production|local] [--no-open] [--timeout <s>]
+  mcpcert conformance list
+  mcpcert conformance show <runId>
+
+Global flags:
+  --api <url>          API base URL (env MCPCERT_API, default https://mcpcert.org)
+  --config <path>      Explicit config path (.json or .toml)
+  --credentials <path> Explicit credentials file path
+  --json               Emit the JSON envelope
+  --no-color           Disable color (also NO_COLOR)
+  --help               Show help
+  --version            Show version
+
+Promotion to production is done in the web dashboard (https://mcpcert.org/dashboard/promote),
+not via the CLI. Dev identities expire after 60 days and are not renewable."""
+
+COMMANDS = {
+    "init": init_cmd.run,
+    "update": update_cmd.run,
+    "info": info_cmd.run,
+    "conformance": conformance_cmd.run,
+}
+
+
+def main(argv: list[str] | None = None) -> int:
+    # Emit LF (not platform CRLF) and UTF-8 so output is byte-identical to the
+    # Node CLI on every platform (specs/cli-behavior.md §12).
+    for stream in (sys.stdout, sys.stderr):
+        reconfigure = getattr(stream, "reconfigure", None)
+        if reconfigure is not None:
+            try:
+                reconfigure(encoding="utf-8", newline="\n")
+            except (ValueError, OSError):
+                pass
+
+    args = parse_args(list(sys.argv[1:] if argv is None else argv))
+
+    if boolean(args, "version"):
+        sys.stdout.write(f"{__version__} (contract {CLI_CONTRACT_VERSION})\n")
+        return 0
+
+    command = args.positionals[0] if args.positionals else None
+    if not command or boolean(args, "help"):
+        sys.stdout.write(HELP + "\n")
+        return 0
+
+    as_json = boolean(args, "json")
+    color = not boolean(args, "no-color") and not os.environ.get("NO_COLOR")
+    output = Output(as_json, color)
+
+    handler = COMMANDS.get(command)
+    if handler is None:
+        err = CliError("config_invalid", f'Unknown command "{command}". Run `mcpcert --help`.')
+        return output.failure(command, resolve_api_base_url(args, None), err)
+
+    command_args = ParsedArgs(positionals=args.positionals[1:], options=args.options, booleans=args.booleans)
+    try:
+        return handler(command_args, output)
+    except CliError as error:
+        return output.failure(command, resolve_api_base_url(args, None), error)
+    except Exception as error:  # noqa: BLE001 - top-level guard
+        wrapped = CliError("unexpected_error", str(error), exit_code=4)
+        return output.failure(command, resolve_api_base_url(args, None), wrapped)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

mcpcert/commands/conformance_cmd.py

@@ -0,0 +1,128 @@
+"""`mcpcert conformance run|list|show`. Mirrors packages/node/src/commands/conformance.ts."""
+
+from __future__ import annotations
+
+import os
+import sys
+
+from ..api import ApiClient
+from ..args import ParsedArgs, boolean, one
+from ..conformance import normalize_run, run_conformance_flow, run_list_row
+from ..config import discover_config
+from ..context import env_flag, resolve_api_base_url
+from ..contract import promotion_url
+from ..credentials import default_credentials_path, get_identity
+from ..errors import CliError
+from ..output import Output
+
+
+def run(args: ParsedArgs, output: Output) -> int:
+    sub = args.positionals[0] if args.positionals else "list"
+    cwd = os.getcwd()
+    explicit_config = one(args, "config") or os.environ.get("MCPCERT_CONFIG")
+    discovered = discover_config(cwd, explicit_config)
+    if not discovered.config:
+        raise CliError("config_not_found", "No mcpcert development identity is configured here. Run `mcpcert init` first.")
+    config = discovered.config
+    api_base_url = resolve_api_base_url(args, config)
+    creds_path = one(args, "credentials") or os.environ.get("MCPCERT_CREDENTIALS") or default_credentials_path(discovered.project_root)
+    identity = get_identity(creds_path, api_base_url, config["appname"])
+    if not identity:
+        raise CliError("claim_token_missing", "No claim token found for this identity. Conformance access requires the claim token from `mcpcert init`.")
+    api = ApiClient(api_base_url)
+    promote = promotion_url(api_base_url, config["appname"])
+
+    if sub == "list":
+        listing = api.conformance_list(config["appname"], identity["claim_token"])
+        runs = [run_list_row(r) for r in listing.get("runs", [])]
+        lines = ["Run ID                              Started                   Status     Verdict"]
+        for r in runs:
+            lines.append(f"{(r['run_id'] or '').ljust(35)} {(r['started_at'] or '').ljust(25)} {(r['status'] or '').ljust(10)} {r['verdict']}")
+        if not runs:
+            lines.append("(no conformance runs yet - run `mcpcert conformance run`)")
+        output.success(
+            "conformance list",
+            api_base_url,
+            {"appname": config["appname"], "client_id": config["client_id"], "runs": runs, "api_version": api.api_version},
+            lines,
+        )
+        return 0
+
+    if sub == "show":
+        run_id = args.positionals[1] if len(args.positionals) > 1 else None
+        if not run_id:
+            raise CliError("config_invalid", "Usage: mcpcert conformance show <runId>")
+        normalized = normalize_run(api.conformance_show(config["appname"], run_id, identity["claim_token"]))
+        lines = [
+            f"Run ID:   {normalized['run_id']}",
+            f"Started:  {normalized['started_at']}",
+            f"Status:   {normalized['status']}",
+            f"Verdict:  {normalized['verdict']}",
+        ]
+        for step in normalized["steps"]:
+            detail = f": {step['detail']}" if step.get("detail") else ""
+            lines.append(f"  - [{step['status']}] {step['title']}{detail}")
+        output.success("conformance show", api_base_url, {"run": normalized, "api_version": api.api_version}, lines)
+        return 1 if normalized["verdict"] in ("fail", "error") else 0
+
+    if sub == "run":
+        timeout_raw = one(args, "timeout") or os.environ.get("MCPCERT_TIMEOUT") or "180"
+        try:
+            timeout_ms = int(float(timeout_raw) * 1000)
+        except ValueError:
+            timeout_ms = 180000
+        profile_raw = one(args, "sandbox") or os.environ.get("MCPCERT_SANDBOX") or "production"
+        profile = "local" if profile_raw in ("local", "dev") else "production"
+        no_open = boolean(args, "no-open") or env_flag("MCPCERT_NO_OPEN")
+
+        result = run_conformance_flow(
+            config=config,
+            claim_token=identity["claim_token"],
+            api_client=api,
+            api_base_url=api_base_url,
+            profile=profile,
+            dev_origin=one(args, "dev-origin") or os.environ.get("MCPCERT_DEV_ORIGIN"),
+            redirect_uri_flag=one(args, "redirect-uri"),
+            no_open=no_open,
+            timeout_ms=timeout_ms,
+            emit=lambda line: sys.stderr.write(f"{line}\n"),
+        )
+
+        run_obj = result["run"]
+        warnings: list[dict[str, str]] = []
+        data = {
+            "appname": config["appname"],
+            "client_id": config["client_id"],
+            "started_at": result["started_at"],
+            "status": run_obj["status"] if run_obj else "unknown",
+            "verdict": run_obj["verdict"] if run_obj else "incomplete",
+            "summary": run_obj["summary"] if run_obj else {"total": 0, "pass": 0, "fail": 0, "warn": 0, "skip": 0},
+            "promotion_url": promote,
+            "api_version": api.api_version,
+        }
+        if run_obj:
+            data["run_id"] = run_obj["run_id"]
+        if result["run_lookup_timed_out"]:
+            warnings.append(
+                {
+                    "code": "run_lookup_pending",
+                    "message": "The OAuth flow completed but the conformance run was not retrievable before timeout. Try `mcpcert conformance list` shortly.",
+                }
+            )
+        output.success(
+            "conformance run",
+            api_base_url,
+            data,
+            [
+                "Conformance run started",
+                f"Client ID: {config['client_id']}",
+                f"Run:       {run_obj['run_id']}" if run_obj else "Run:       (pending - see `mcpcert conformance list`)",
+                f"Verdict:   {run_obj['verdict'] if run_obj else 'incomplete'}",
+                f"Promote:   {promote}",
+            ],
+            warnings,
+        )
+        verdict = run_obj["verdict"] if run_obj else "incomplete"
+        return 1 if verdict in ("fail", "error") else 0
+
+    raise CliError("config_invalid", f'Unknown conformance subcommand "{sub}". Use run, list, or show.')

mcpcert/commands/info_cmd.py

@@ -0,0 +1,91 @@
+"""`mcpcert info`. Mirrors packages/node/src/commands/info.ts."""
+
+from __future__ import annotations
+
+import json
+import os
+
+from ..api import ApiClient
+from ..args import ParsedArgs, boolean, one
+from ..config import discover_config
+from ..context import resolve_api_base_url
+from ..contract import promotion_url
+from ..credentials import default_credentials_path, get_identity
+from ..errors import CliError
+from ..output import Output
+
+
+def run(args: ParsedArgs, output: Output) -> int:
+    cwd = os.getcwd()
+    explicit_config = one(args, "config") or os.environ.get("MCPCERT_CONFIG")
+    discovered = discover_config(cwd, explicit_config)
+    if not discovered.config:
+        raise CliError("config_not_found", "No mcpcert development identity is configured here. Run `mcpcert init` first.")
+    config = discovered.config
+    api_base_url = resolve_api_base_url(args, config)
+    promote = promotion_url(api_base_url, config["appname"])
+    creds_path = one(args, "credentials") or os.environ.get("MCPCERT_CREDENTIALS") or default_credentials_path(discovered.project_root)
+
+    if not boolean(args, "check"):
+        output.success(
+            "info",
+            api_base_url,
+            {
+                "appname": config["appname"],
+                "environment": config["environment"],
+                "application_type": config["application_type"],
+                "client_name": config["client_name"],
+                "client_id": config["client_id"],
+                "document_urls": config["document_urls"],
+                "expires_at": config["expires_at"],
+                "promotion_url": promote,
+                "config_path": discovered.config_path,
+                "credentials_path": creds_path,
+                "source": "cache",
+            },
+            _human_lines(config["appname"], config["client_id"], config["expires_at"], promote, "cache"),
+        )
+        return 0
+
+    identity = get_identity(creds_path, api_base_url, config["appname"])
+    if not identity:
+        raise CliError("claim_token_missing", "No claim token found for this identity; cannot fetch live state.")
+    api = ApiClient(api_base_url)
+    live = api.describe(config["appname"], identity["claim_token"])
+
+    warnings: list[dict[str, str]] = []
+    if live.get("client_name") != config["client_name"]:
+        warnings.append({"code": "config_drift", "message": f'client_name differs: local "{config["client_name"]}" vs live "{live.get("client_name")}".'})
+    if json.dumps(live.get("redirect_uris")) != json.dumps(config["redirect_uris"]):
+        warnings.append({"code": "config_drift", "message": "redirect_uris differ between local config and live state."})
+
+    output.success(
+        "info",
+        api_base_url,
+        {
+            "appname": live["appname"],
+            "environment": live["environment"],
+            "application_type": live["application_type"],
+            "client_name": live["client_name"],
+            "client_id": live["client_id"],
+            "document_urls": live["document_urls"],
+            "expires_at": live["expires_at"],
+            "promotion_url": promote,
+            "config_path": discovered.config_path,
+            "credentials_path": creds_path,
+            "source": "live",
+        },
+        _human_lines(live["appname"], live["client_id"], live["expires_at"], promote, "live"),
+        warnings,
+    )
+    return 0
+
+
+def _human_lines(appname: str, client_id: str, expires_at: str, promote: str, source: str) -> list[str]:
+    return [
+        f"Development identity ({source})",
+        f"Appname:   {appname}",
+        f"Client ID: {client_id}",
+        f"Expires:   {expires_at}",
+        f"Promote:   {promote}",
+    ]

mcpcert/commands/init_cmd.py

@@ -0,0 +1,148 @@
+"""`mcpcert init`. Mirrors packages/node/src/commands/init.ts."""
+
+from __future__ import annotations
+
+import os
+import sys
+from datetime import datetime, timezone
+
+from ..api import ApiClient
+from ..args import ParsedArgs, boolean, many, one
+from ..config import build_config, choose_write_target, discover_config, resolve_metadata, write_config
+from ..context import is_non_interactive, resolve_api_base_url
+from ..contract import promotion_url
+from ..credentials import default_credentials_path, ensure_gitignore, get_identity, save_identity
+from ..errors import CliError
+from ..output import Output
+
+APP_TYPES = ("native", "web", "spa", "mobile")
+
+
+def run(args: ParsedArgs, output: Output) -> int:
+    cwd = os.getcwd()
+    explicit_config = one(args, "config") or os.environ.get("MCPCERT_CONFIG")
+    discovered = discover_config(cwd, explicit_config)
+
+    if discovered.config:
+        creds_path = one(args, "credentials") or os.environ.get("MCPCERT_CREDENTIALS") or default_credentials_path(discovered.project_root)
+        existing = get_identity(creds_path, discovered.config["api_base_url"], discovered.config["appname"])
+        if existing:
+            raise CliError(
+                "identity_exists",
+                "A mcpcert development identity is already configured for this project. Use `mcpcert update` or promote it in the dashboard.",
+            )
+        raise CliError(
+            "claim_token_missing",
+            "Project config exists but its claim token is missing and cannot be recovered. Remove the stale config to provision a new identity, or restore the credentials file.",
+        )
+
+    api_base_url = resolve_api_base_url(args, None)
+    _acknowledge_tos(args)
+
+    app_type = one(args, "application-type") or "native"
+    if app_type not in APP_TYPES:
+        raise CliError("config_invalid", f"--application-type must be one of: {', '.join(APP_TYPES)}.")
+    redirect_uris = many(args, "redirect-uri") or ["http://127.0.0.1:8080/callback"]
+    explicit_appname = one(args, "appname")
+    meta = resolve_metadata(cwd, one(args, "client-name"), one(args, "project-name"), None)
+
+    body: dict[str, object] = {
+        "application_type": app_type,
+        "client_name": meta.client_name,
+        "redirect_uris": redirect_uris,
+        "tos_acknowledged": True,
+    }
+    if explicit_appname:
+        body["appname"] = explicit_appname
+    else:
+        body["project_slug"] = meta.project_slug
+    for flag in ("client-uri", "logo-uri", "tos-uri", "policy-uri", "scope"):
+        value = one(args, flag)
+        if value:
+            body[flag.replace("-", "_")] = value
+    contacts = many(args, "contact")
+    if contacts:
+        body["contacts"] = contacts
+
+    api = ApiClient(api_base_url)
+    provisioned = api.provision(body)
+
+    target_path, target_fmt = choose_write_target(discovered.project_root, explicit_config)
+    config = build_config(
+        appname=provisioned["appname"],
+        application_type=app_type,
+        client_name=meta.client_name,
+        project_slug=meta.project_slug,
+        redirect_uris=redirect_uris,
+        client_id=provisioned["client_id"],
+        document_urls=provisioned["document_urls"],
+        expires_at=provisioned["expires_at"],
+        api_base_url=api_base_url,
+    )
+    write_config(target_path, target_fmt, config)
+
+    creds_path = one(args, "credentials") or os.environ.get("MCPCERT_CREDENTIALS") or default_credentials_path(discovered.project_root)
+    save_identity(
+        creds_path,
+        {
+            "api_base_url": api_base_url,
+            "appname": provisioned["appname"],
+            "environment": "development",
+            "claim_token": provisioned["claim_token"],
+            "client_id": provisioned["client_id"],
+            "created_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.") + f"{datetime.now(timezone.utc).microsecond // 1000:03d}Z",
+            "expires_at": provisioned["expires_at"],
+        },
+    )
+
+    warnings: list[dict[str, str]] = []
+    gi = ensure_gitignore(discovered.project_root)
+    if gi.get("warning"):
+        warnings.append({"code": "gitignore_skipped", "message": gi["warning"]})
+
+    promote = promotion_url(api_base_url, provisioned["appname"])
+    output.success(
+        "init",
+        api_base_url,
+        {
+            "appname": provisioned["appname"],
+            "environment": "development",
+            "application_type": app_type,
+            "client_name": meta.client_name,
+            "client_id": provisioned["client_id"],
+            "document_urls": provisioned["document_urls"],
+            "expires_at": provisioned["expires_at"],
+            "promotion_url": promote,
+            "config_path": target_path,
+            "credentials_path": creds_path,
+            "api_version": api.api_version,
+        },
+        [
+            "Development identity created",
+            f"Appname:     {provisioned['appname']}",
+            f"Client ID:   {provisioned['client_id']}",
+            f"CIMD:        {provisioned['document_urls']['cimd']}",
+            f"Expires:     {provisioned['expires_at']}",
+            f"Promote:     {promote}",
+            f"Config:      {target_path}",
+            f"Credentials: {creds_path}",
+        ],
+        warnings,
+    )
+    return 0
+
+
+def _acknowledge_tos(args: ParsedArgs) -> None:
+    if boolean(args, "accept-tos"):
+        return
+    if is_non_interactive():
+        raise CliError(
+            "tos_not_accepted",
+            "Terms of Service must be accepted to provision an identity. Re-run with --accept-tos in non-interactive environments.",
+        )
+    sys.stderr.write("Review the mcpcert.org Terms of Service: https://mcpcert.org/terms\n")
+    sys.stderr.write("Do you accept the Terms of Service? [y/N] ")
+    sys.stderr.flush()
+    answer = sys.stdin.readline().strip().lower()
+    if answer not in ("y", "yes"):
+        raise CliError("tos_not_accepted", "Terms of Service were not accepted.")