nepher-cli 0.2.0__py3-none-any.whl

nepher_cli/core/credentials.py

@@ -0,0 +1,243 @@
+"""Persistent credential storage for npcli.
+
+Stores API key, JWT access/refresh tokens, and user metadata in
+~/.nepher/credentials.json (or %APPDATA%\\nepher\\credentials.json on Windows).
+
+Sensitive values (tokens) are also mirrored into the system keyring when
+the ``keyring`` package is available, and the JSON file contains only
+non-secret metadata plus the expiry timestamp in that case.
+"""
+
+from __future__ import annotations
+
+import json
+import time
+from pathlib import Path
+from typing import Any
+
+import httpx
+
+try:
+    import keyring as _keyring
+
+    _HAS_KEYRING = True
+except ImportError:  # pragma: no cover
+    _HAS_KEYRING = False
+
+try:
+    from platformdirs import user_config_dir
+
+    def _config_dir() -> Path:
+        return Path(user_config_dir("nepher", appauthor=False))
+
+except ImportError:  # pragma: no cover
+    def _config_dir() -> Path:  # type: ignore[misc]
+        return Path.home() / ".nepher"
+
+
+_KEYRING_SERVICE = "npcli"
+_KEYRING_ACCESS = "access_token"
+_KEYRING_REFRESH = "refresh_token"
+_KEYRING_API_KEY = "api_key"
+
+
+def _cred_path() -> Path:
+    d = _config_dir()
+    d.mkdir(parents=True, exist_ok=True)
+    return d / "credentials.json"
+
+
+def _read_json() -> dict[str, Any]:
+    p = _cred_path()
+    if not p.exists():
+        return {}
+    try:
+        return json.loads(p.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError):
+        return {}
+
+
+def _write_json(data: dict[str, Any]) -> None:
+    p = _cred_path()
+    p.parent.mkdir(parents=True, exist_ok=True)
+    p.write_text(json.dumps(data, indent=2), encoding="utf-8")
+    try:
+        p.chmod(0o600)
+    except OSError:
+        pass
+
+
+def _kr_get(key: str) -> str | None:
+    if not _HAS_KEYRING:
+        return None
+    try:
+        return _keyring.get_password(_KEYRING_SERVICE, key)
+    except Exception:
+        return None
+
+
+def _kr_set(key: str, value: str) -> bool:
+    if not _HAS_KEYRING:
+        return False
+    try:
+        _keyring.set_password(_KEYRING_SERVICE, key, value)
+        return True
+    except Exception:
+        return False
+
+
+def _kr_delete(key: str) -> None:
+    if not _HAS_KEYRING:
+        return
+    try:
+        _keyring.delete_password(_KEYRING_SERVICE, key)
+    except Exception:
+        pass
+
+
+def save_credentials(
+    *,
+    api_key: str,
+    access_token: str,
+    refresh_token: str,
+    expires_in: int,
+    user: dict[str, Any],
+) -> None:
+    """Persist all credential material after a successful cli-login."""
+    expires_at = int(time.time()) + expires_in
+
+    stored_in_keyring = all([
+        _kr_set(_KEYRING_API_KEY, api_key),
+        _kr_set(_KEYRING_ACCESS, access_token),
+        _kr_set(_KEYRING_REFRESH, refresh_token),
+    ])
+
+    meta: dict[str, Any] = {
+        "expires_at": expires_at,
+        "user": user,
+        "keyring": stored_in_keyring,
+    }
+
+    if not stored_in_keyring:
+        meta["api_key"] = api_key
+        meta["access_token"] = access_token
+        meta["refresh_token"] = refresh_token
+
+    _write_json(meta)
+
+
+def load_credentials() -> dict[str, Any] | None:
+    """Return the stored credential dict or None if nothing is saved."""
+    meta = _read_json()
+    if not meta:
+        return None
+
+    if meta.get("keyring"):
+        meta["api_key"] = _kr_get(_KEYRING_API_KEY)
+        meta["access_token"] = _kr_get(_KEYRING_ACCESS)
+        meta["refresh_token"] = _kr_get(_KEYRING_REFRESH)
+
+    if not meta.get("access_token") and not meta.get("api_key"):
+        return None
+
+    return meta
+
+
+def clear_credentials() -> None:
+    """Delete all stored credential material."""
+    _kr_delete(_KEYRING_API_KEY)
+    _kr_delete(_KEYRING_ACCESS)
+    _kr_delete(_KEYRING_REFRESH)
+    p = _cred_path()
+    if p.exists():
+        p.unlink()
+
+
+def _is_expired(creds: dict[str, Any]) -> bool:
+    expires_at = creds.get("expires_at")
+    if not isinstance(expires_at, (int, float)):
+        return True
+    return time.time() > (expires_at - 60)
+
+
+def _refresh_access_token(refresh_token: str, account_base: str) -> dict[str, Any] | None:
+    """Call /api/v1/auth/refresh and return updated token data, or None on failure."""
+    url = f"{account_base.rstrip('/')}/api/v1/auth/refresh"
+    try:
+        r = httpx.post(url, json={"refresh_token": refresh_token}, timeout=30.0)
+    except httpx.RequestError:
+        return None
+    if r.status_code != 200:
+        return None
+    try:
+        return r.json()
+    except Exception:
+        return None
+
+
+def get_auth_headers(
+    api_key_override: str | None = None,
+    *,
+    account_base: str | None = None,
+) -> dict[str, str]:
+    """Return HTTP auth headers for a request.
+
+    Priority:
+    1. ``api_key_override`` (from ``--api-key`` flag or ``NEPHER_API_KEY`` env var)
+    2. Stored JWT (auto-refreshed if expired)
+    3. Stored API key (fallback when no JWT)
+    4. Empty dict — command must handle the unauthenticated case.
+    """
+    from nepher_cli.config import ACCOUNT_BACKEND
+
+    base = account_base or ACCOUNT_BACKEND
+
+    if api_key_override:
+        return {"X-API-Key": api_key_override}
+
+    creds = load_credentials()
+    if not creds:
+        return {}
+
+    access_token = creds.get("access_token")
+    refresh_token = creds.get("refresh_token")
+    api_key = creds.get("api_key")
+
+    if access_token and not _is_expired(creds):
+        return {"Authorization": f"Bearer {access_token}"}
+
+    if refresh_token:
+        refreshed = _refresh_access_token(refresh_token, base)
+        if refreshed and refreshed.get("access_token"):
+            new_access = refreshed["access_token"]
+            expires_in = refreshed.get("expires_in", 86400)
+            new_expires_at = int(time.time()) + expires_in
+            meta = _read_json()
+            meta["expires_at"] = new_expires_at
+            if meta.get("keyring"):
+                _kr_set(_KEYRING_ACCESS, new_access)
+            else:
+                meta["access_token"] = new_access
+            _write_json(meta)
+            return {"Authorization": f"Bearer {new_access}"}
+
+    if api_key:
+        return {"X-API-Key": api_key}
+
+    return {}
+
+
+def get_stored_api_key() -> str | None:
+    """Return the stored raw API key, or None."""
+    creds = load_credentials()
+    if creds:
+        return creds.get("api_key")
+    return None
+
+
+def whoami_from_cache() -> dict[str, Any] | None:
+    """Return user metadata from the credentials cache without a network call."""
+    creds = load_credentials()
+    if creds:
+        return creds.get("user")
+    return None

nepher_cli/core/http.py

@@ -0,0 +1,76 @@
+"""Shared HTTP helpers."""
+
+from __future__ import annotations
+
+import json
+from typing import Any
+
+import httpx
+
+
+def parse_error_body(text: str) -> str | None:
+    try:
+        data = json.loads(text)
+    except json.JSONDecodeError:
+        return None
+    if not isinstance(data, dict):
+        return None
+    if data.get("message"):
+        return str(data["message"])
+    if "detail" in data:
+        detail = data["detail"]
+        return str(detail) if detail is not None else None
+    if "error" in data:
+        err = data["error"]
+        if err == "http_error" and data.get("message"):
+            return str(data["message"])
+        return str(err) if err is not None else None
+    return None
+
+
+def request_json(
+    client: httpx.Client,
+    method: str,
+    url: str,
+    *,
+    json_body: dict[str, Any] | None = None,
+    headers: dict[str, str] | None = None,
+) -> httpx.Response:
+    return client.request(method, url, json=json_body, headers=headers, timeout=120.0)
+
+
+def authed_get(url: str, *, api_key: str | None = None, params: dict[str, Any] | None = None) -> httpx.Response:
+    """GET with auth headers resolved from credential store or override."""
+    from nepher_cli.core.credentials import get_auth_headers
+
+    headers = get_auth_headers(api_key)
+    with httpx.Client() as client:
+        return client.get(url, headers=headers, params=params, timeout=60.0)
+
+
+def authed_post(
+    url: str,
+    *,
+    api_key: str | None = None,
+    json_body: dict[str, Any] | None = None,
+    data: dict[str, str] | None = None,
+    files: dict[str, Any] | None = None,
+    timeout: float = 120.0,
+) -> httpx.Response:
+    """POST with auth headers resolved from credential store or override."""
+    from nepher_cli.core.credentials import get_auth_headers
+
+    headers = get_auth_headers(api_key)
+    with httpx.Client() as client:
+        if files is not None:
+            return client.post(url, headers=headers, data=data, files=files, timeout=timeout)
+        return client.post(url, headers=headers, json=json_body, timeout=timeout)
+
+
+def authed_delete(url: str, *, api_key: str | None = None) -> httpx.Response:
+    """DELETE with auth headers resolved from credential store or override."""
+    from nepher_cli.core.credentials import get_auth_headers
+
+    headers = get_auth_headers(api_key)
+    with httpx.Client() as client:
+        return client.delete(url, headers=headers, timeout=30.0)

nepher_cli/envhub/__init__.py

@@ -0,0 +1 @@
+"""EnvHub support code shared by ``npcli envhub`` commands."""

nepher_cli/envhub/cache.py

@@ -0,0 +1,56 @@
+"""Local EnvHub bundle cache paths — aligned with the ``nepher`` CLI."""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+from nepher_cli.envhub.config import DEFAULT_CONFIG, load_config_file
+
+_DEFAULT_CACHE_DIR = Path.home() / ".nepher" / "cache"
+
+
+def _nepher_cache_dir(category: str | None = None) -> Path | None:
+    try:
+        from nepher.config import get_config
+
+        return get_config().get_cache_dir(category=category)
+    except ImportError:
+        return None
+
+
+def resolve_cache_dir(cache_dir: str | Path | None = None, category: str | None = None) -> Path:
+    """Resolve the local bundle cache directory (same rules as ``nepher``)."""
+    if cache_dir:
+        return Path(cache_dir).expanduser().resolve()
+
+    nepher_dir = _nepher_cache_dir(category)
+    if nepher_dir is not None:
+        return nepher_dir
+
+    env_override = os.getenv("NEPHER_CACHE_DIR")
+    if env_override:
+        return Path(env_override).expanduser().resolve()
+
+    config = {**DEFAULT_CONFIG, **load_config_file()}
+    if category:
+        cat_config = config.get("categories", {}).get(category, {})
+        path_str = cat_config.get("cache_dir") or config.get("cache_dir")
+    else:
+        path_str = config.get("cache_dir")
+
+    if path_str:
+        return Path(path_str).expanduser().resolve()
+    return _DEFAULT_CACHE_DIR.resolve()
+
+
+def is_cached_env(path: Path) -> bool:
+    """Return True when ``path`` is a cached environment bundle."""
+    return path.is_dir() and (path / "manifest.yaml").exists()
+
+
+def list_cached_env_dirs(root: Path) -> list[Path]:
+    """List cached environment directories under ``root``."""
+    if not root.exists():
+        return []
+    return sorted(p for p in root.iterdir() if is_cached_env(p))

nepher_cli/envhub/config.py

@@ -0,0 +1,176 @@
+"""EnvHub configuration — aligned with the ``nepher`` CLI."""
+
+from __future__ import annotations
+
+import json
+import os
+from pathlib import Path
+from typing import Any
+
+DEFAULT_CONFIG: dict[str, Any] = {
+    "api_url": "https://envhub-api.nepher.ai",
+    "api_key": None,
+    "cache_dir": "~/.nepher/cache",
+    "default_category": None,
+    "categories": {},
+}
+
+LIST_KEYS = ("api_url", "cache_dir", "default_category")
+
+
+def find_config_file() -> Path | None:
+    """Return the active nepher config file path, if any."""
+    cwd_config = Path.cwd() / ".nepherrc"
+    if cwd_config.exists():
+        return cwd_config
+    home_config = Path.home() / ".nepher" / "config.toml"
+    if home_config.exists():
+        return home_config
+    return None
+
+
+def load_config_file() -> dict[str, Any]:
+    """Load values from the nepher config file (no defaults or env overrides)."""
+    config_file = find_config_file()
+    if not config_file:
+        return {}
+
+    try:
+        if config_file.suffix == ".toml":
+            try:
+                import tomllib
+            except ImportError:
+                try:
+                    import tomli as tomllib  # type: ignore[no-redef]
+                except ImportError:
+                    return {}
+            with open(config_file, "rb") as f:
+                data = tomllib.load(f)
+                return data if isinstance(data, dict) else {}
+        if config_file.suffix == ".json" or config_file.name == ".nepherrc":
+            with open(config_file, encoding="utf-8") as f:
+                data = json.load(f)
+                return data if isinstance(data, dict) else {}
+    except Exception:
+        return {}
+    return {}
+
+
+def _apply_env_overrides(config: dict[str, Any]) -> dict[str, Any]:
+    merged = dict(config)
+    if os.getenv("ENVHUB_API_URL"):
+        merged["api_url"] = os.getenv("ENVHUB_API_URL")
+    if os.getenv("NEPHER_API_KEY"):
+        merged["api_key"] = os.getenv("NEPHER_API_KEY")
+    if os.getenv("NEPHER_CACHE_DIR"):
+        merged["cache_dir"] = os.getenv("NEPHER_CACHE_DIR")
+    return merged
+
+
+def _fallback_get(key: str, default: Any = None) -> Any:
+    config = _apply_env_overrides({**DEFAULT_CONFIG, **load_config_file()})
+    keys = key.split(".")
+    value: Any = config
+    for part in keys:
+        if isinstance(value, dict) and part in value:
+            value = value[part]
+        else:
+            return default
+    return value
+
+
+def get_value(key: str, default: Any = None) -> Any:
+    """Return an effective configuration value."""
+    try:
+        from nepher.config import get_config
+
+        return get_config().get(key, default)
+    except ImportError:
+        return _fallback_get(key, default)
+
+
+def list_values() -> dict[str, Any]:
+    """Return the standard keys shown by ``nepher config list``."""
+    return {key: get_value(key) for key in LIST_KEYS}
+
+
+def parse_config_value(value: str) -> Any:
+    """Parse a CLI string into a config value."""
+    if value.lower() in ("true", "false"):
+        return value.lower() == "true"
+    if value.isdigit():
+        return int(value)
+    if value.replace(".", "", 1).isdigit():
+        return float(value)
+    return value
+
+
+def set_value(key: str, value: Any) -> None:
+    """Persist a configuration value."""
+    try:
+        from nepher.config import set_config
+
+        set_config(key, value, save=True)
+        return
+    except ImportError:
+        pass
+
+    config_path = Path.home() / ".nepher" / "config.toml"
+    config_path.parent.mkdir(parents=True, exist_ok=True)
+    data = load_config_file()
+    parts = key.split(".")
+    target = data
+    for part in parts[:-1]:
+        nested = target.get(part)
+        if not isinstance(nested, dict):
+            nested = {}
+            target[part] = nested
+        target = nested
+    target[parts[-1]] = value
+
+    try:
+        import tomli_w
+
+        with open(config_path, "wb") as f:
+            tomli_w.dump(data, f)
+    except ImportError:
+        with open(config_path.with_suffix(".json"), "w", encoding="utf-8") as f:
+            json.dump(data, f, indent=2)
+
+
+def reset_config() -> bool:
+    """Delete the on-disk config file. Returns True when a file was removed."""
+    try:
+        from nepher.config import get_config
+
+        config = get_config()
+        config_file = getattr(config, "_config_file", None)
+        if config_file and config_file.exists():
+            config_file.unlink()
+            return True
+        return False
+    except ImportError:
+        pass
+
+    removed = False
+    for path in (Path.cwd() / ".nepherrc", Path.home() / ".nepher" / "config.toml"):
+        if path.exists():
+            path.unlink()
+            removed = True
+    json_path = Path.home() / ".nepher" / "config.json"
+    if json_path.exists():
+        json_path.unlink()
+        removed = True
+    return removed
+
+
+def mask_secret(key: str, value: Any) -> Any:
+    """Mask secret keys for display."""
+    if value is None or not isinstance(value, str):
+        return value
+    lower = key.lower()
+    if any(token in lower for token in ("api_key", "secret", "password", "token")):
+        if len(value) < 8:
+            return "***"
+        return f"{value[:4]}...{value[-4:]}"
+    return value

nepher_cli/tournament/__init__.py

@@ -0,0 +1 @@
+# tournament logic package — agent_check, packer, api, wallet

nepher_cli/tournament/agent_check.py

@@ -0,0 +1,60 @@
+"""Local agent directory structure check — no external dependencies."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+# Required items: relative path → "file" or "directory"
+_REQUIRED: dict[str, str] = {
+    "best_policy": "directory",
+    "best_policy/best_policy.pt": "file",
+    "source": "directory",
+}
+
+# Recommended (absent ones produce warnings, not errors)
+_RECOMMENDED: dict[str, str] = {
+    "scripts/list_envs.py": "file",
+    "scripts/rsl_rl/play.py": "file",
+}
+
+
+def check_agent_structure(
+    agent_path: Path,
+) -> tuple[bool, list[str], list[str]]:
+    """Check whether *agent_path* meets the expected agent layout.
+
+    Returns:
+        (is_valid, errors, warnings)
+
+        * ``is_valid``  – True when all required items are present and correct.
+        * ``errors``    – Required items that are missing or the wrong type.
+        * ``warnings``  – Recommended items that are absent (non-blocking).
+    """
+    errors: list[str] = []
+    warnings: list[str] = []
+
+    if not agent_path.exists():
+        return False, [f"Path does not exist: {agent_path}"], warnings
+
+    if not agent_path.is_dir():
+        return False, [f"Not a directory: {agent_path}"], warnings
+
+    for rel_path, item_type in _REQUIRED.items():
+        full_path = agent_path / rel_path
+        if not full_path.exists():
+            errors.append(f"Required {item_type} missing: {rel_path}")
+        elif item_type == "directory" and not full_path.is_dir():
+            errors.append(f"Expected directory but found file: {rel_path}")
+        elif item_type == "file" and not full_path.is_file():
+            errors.append(f"Expected file but found directory: {rel_path}")
+
+    source_dir = agent_path / "source"
+    if source_dir.exists() and source_dir.is_dir():
+        if not any(d.is_dir() for d in source_dir.iterdir()):
+            errors.append("source/ directory must contain at least one task module subdirectory")
+
+    for rel_path, item_type in _RECOMMENDED.items():
+        if not (agent_path / rel_path).exists():
+            warnings.append(f"Recommended {item_type} missing: {rel_path}")
+
+    return len(errors) == 0, errors, warnings