refactorai-cli 0.1.0__py3-none-any.whl

refactor_cli/model_policy.py

@@ -0,0 +1,171 @@
+"""Model policy resolution and enforcement helpers (R15)."""
+
+from __future__ import annotations
+
+import os
+import shutil
+import subprocess
+from dataclasses import dataclass
+
+from refactor_cli.control_plane import resolve_policy
+
+
+@dataclass
+class ModelDecision:
+    allowed: bool
+    reason_code: str
+    message: str
+    suggested_model_id: str = ""
+    override_applied: bool = False
+
+
+def _read_total_mem_mb() -> int:
+    try:
+        pages = os.sysconf("SC_PHYS_PAGES")
+        page_size = os.sysconf("SC_PAGE_SIZE")
+        total = int((int(pages) * int(page_size)) / (1024 * 1024))
+        return max(0, total)
+    except (ValueError, OSError, AttributeError):
+        return 0
+
+
+def detect_machine_profile() -> dict:
+    mem_mb = _read_total_mem_mb()
+    gpu_vendor = ""
+    if shutil.which("nvidia-smi"):
+        gpu_vendor = "nvidia"
+    elif shutil.which("rocm-smi"):
+        gpu_vendor = "amd"
+    elif shutil.which("system_profiler"):
+        gpu_vendor = "apple"
+    has_gpu = bool(gpu_vendor)
+    profile = "cpu-small"
+    if has_gpu:
+        profile = "gpu-standard"
+    elif mem_mb >= 16 * 1024:
+        profile = "cpu-balanced"
+    return {
+        "profile": profile,
+        "has_gpu": has_gpu,
+        "gpu_vendor": gpu_vendor or "none",
+        "memory_mb": mem_mb,
+    }
+
+
+def get_policy_bundle(*, force_refresh: bool = False) -> dict:
+    return resolve_policy(force_refresh=force_refresh)
+
+
+def _model_policy(policy_bundle: dict) -> dict:
+    return dict((policy_bundle.get("bundle") or {}).get("model_policy") or {})
+
+
+def recommended_model_id(policy_bundle: dict, *, profile: str) -> str:
+    model_policy = _model_policy(policy_bundle)
+    defaults = dict(model_policy.get("default_model_by_profile") or {})
+    return str(defaults.get(profile) or defaults.get("cpu-small") or "")
+
+
+def list_model_entries(policy_bundle: dict) -> list[dict]:
+    model_policy = _model_policy(policy_bundle)
+    allowlist = list(model_policy.get("allowlist") or [])
+    blocklist = list(model_policy.get("blocklist") or [])
+    merged: list[dict] = []
+    for entry in allowlist:
+        item = dict(entry or {})
+        item.setdefault("status", "allowed")
+        merged.append(item)
+    for entry in blocklist:
+        item = dict(entry or {})
+        item.setdefault("status", "blocked")
+        merged.append(item)
+    return merged
+
+
+def evaluate_model(
+    *,
+    model_id: str,
+    policy_bundle: dict,
+    profile: str,
+) -> ModelDecision:
+    wanted = str(model_id or "").strip()
+    if not wanted:
+        return ModelDecision(False, "invalid_model_id", "Model id is required.")
+
+    model_policy = _model_policy(policy_bundle)
+    allowlist = list(model_policy.get("allowlist") or [])
+    blocklist = list(model_policy.get("blocklist") or [])
+    overrides = list(model_policy.get("overrides") or [])
+    suggested = recommended_model_id(policy_bundle, profile=profile)
+
+    override_entry = next((o for o in overrides if str((o or {}).get("model_id") or "") == wanted), None)
+    if override_entry:
+        return ModelDecision(
+            True,
+            "override_allowed",
+            "Model allowed by signed policy override.",
+            suggested_model_id=suggested,
+            override_applied=True,
+        )
+
+    blocked = next((b for b in blocklist if str((b or {}).get("model_id") or "") == wanted), None)
+    if blocked:
+        reason = str((blocked or {}).get("reason_code") or "policy_block")
+        return ModelDecision(
+            False,
+            reason,
+            f"Model '{wanted}' is blocked by policy ({reason}).",
+            suggested_model_id=suggested,
+        )
+
+    allowed = next((a for a in allowlist if str((a or {}).get("model_id") or "") == wanted), None)
+    if not allowed:
+        return ModelDecision(
+            False,
+            "model_unknown",
+            f"Model '{wanted}' is not in the signed allowlist.",
+            suggested_model_id=suggested,
+        )
+
+    requires_gpu = bool((allowed or {}).get("requires_gpu", False))
+    if requires_gpu and not profile.startswith("gpu"):
+        return ModelDecision(
+            False,
+            "hardware_block",
+            f"Model '{wanted}' requires GPU profile.",
+            suggested_model_id=suggested,
+        )
+
+    commercial_allowed = bool((allowed or {}).get("commercial_allowed", False))
+    if not commercial_allowed:
+        return ModelDecision(
+            False,
+            "license_block",
+            f"Model '{wanted}' is not approved for commercial usage.",
+            suggested_model_id=suggested,
+        )
+
+    return ModelDecision(
+        True,
+        "allowed",
+        f"Model '{wanted}' is allowed by signed policy.",
+        suggested_model_id=suggested,
+    )
+
+
+def ollama_installed() -> bool:
+    return bool(shutil.which("ollama"))
+
+
+def probe_ollama_model(model_id: str) -> tuple[bool, str]:
+    if not ollama_installed():
+        return False, "ollama not installed on host."
+    proc = subprocess.run(
+        ["ollama", "show", model_id],
+        capture_output=True,
+        text=True,
+    )
+    text = (proc.stdout or proc.stderr or "").strip()
+    if proc.returncode != 0:
+        return False, text or "model not found"
+    return True, "model is available locally"

refactor_cli/runtime_manager.py

@@ -0,0 +1,241 @@
+"""Local runtime artifact manager for proprietary runtime delivery (R12).
+
+This module manages versioned runtime artifacts under ``~/.refactor/runtime``:
+manifest persistence, checksum verification, activation, rollback pointers, and
+status reporting. It intentionally avoids any code execution semantics and only
+handles artifact state.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import platform
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from pathlib import Path
+
+import httpx
+
+from refactor_core.paths import ensure_dir, refactor_home
+
+from refactor_cli.control_plane import ensure_lease
+from refactor_cli.credentials import resolve_developer_key
+from refactor_cli.settings import platform_url
+
+RUNTIME_DIR = "runtime"
+VERSIONS_DIR = "versions"
+STATE_FILE = "state.json"
+ARTIFACT_FILE = "refactorai-core.bin"
+MANIFEST_FILE = "manifest.json"
+
+
+@dataclass
+class RuntimeManifest:
+    runtime_version: str
+    artifact_url: str
+    sha256: str
+    signature: str
+    min_cli_version: str | None = None
+
+
+def _now_iso() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def runtime_root() -> Path:
+    return refactor_home() / RUNTIME_DIR
+
+
+def runtime_versions_dir() -> Path:
+    return runtime_root() / VERSIONS_DIR
+
+
+def runtime_state_path() -> Path:
+    return runtime_root() / STATE_FILE
+
+
+def _default_state() -> dict:
+    return {
+        "active_version": "",
+        "rollback_version": "",
+        "channel": "stable",
+        "updated_at": "",
+        "last_error": "",
+    }
+
+
+def read_runtime_state() -> dict:
+    path = runtime_state_path()
+    if not path.is_file():
+        return _default_state()
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError):
+        return _default_state()
+    out = _default_state()
+    out.update({k: data.get(k, v) for k, v in out.items()})
+    return out
+
+
+def write_runtime_state(state: dict) -> None:
+    ensure_dir(runtime_root())
+    merged = _default_state()
+    merged.update(state or {})
+    path = runtime_state_path()
+    tmp = path.with_suffix(path.suffix + ".tmp")
+    tmp.write_text(json.dumps(merged, indent=2), encoding="utf-8")
+    tmp.replace(path)
+
+
+def runtime_version_dir(version: str) -> Path:
+    safe = str(version or "").strip()
+    if not safe:
+        raise ValueError("Runtime version is required")
+    return runtime_versions_dir() / safe
+
+
+def runtime_artifact_path(version: str) -> Path:
+    return runtime_version_dir(version) / ARTIFACT_FILE
+
+
+def runtime_manifest_path(version: str) -> Path:
+    return runtime_version_dir(version) / MANIFEST_FILE
+
+
+def sha256_hex(content: bytes) -> str:
+    return hashlib.sha256(content).hexdigest()
+
+
+def verify_sha256(content: bytes, expected_sha256: str) -> bool:
+    expected = str(expected_sha256 or "").strip().lower()
+    if not expected:
+        return False
+    return sha256_hex(content) == expected
+
+
+def parse_manifest(payload: dict) -> RuntimeManifest:
+    return RuntimeManifest(
+        runtime_version=str(payload.get("runtime_version") or "").strip(),
+        artifact_url=str(payload.get("artifact_url") or "").strip(),
+        sha256=str(payload.get("sha256") or "").strip().lower(),
+        signature=str(payload.get("signature") or "").strip(),
+        min_cli_version=str(payload.get("min_cli_version") or "").strip() or None,
+    )
+
+
+def resolve_runtime_manifest(*, channel: str = "stable", timeout: float = 20.0) -> RuntimeManifest:
+    auth_header = ""
+    try:
+        lease = ensure_lease()
+        auth_header = f"Bearer {lease.token}"
+    except RuntimeError:
+        resolved = resolve_developer_key()
+        if not resolved:
+            raise RuntimeError(
+                "No developer key configured. Run `refactor login`, set REFACTOR_API_KEY, "
+                "or add developer_key to refactor.config."
+            )
+        auth_header = f"Bearer {resolved.key}"
+    os_name = str(platform.system() or "linux").lower()
+    arch = str(platform.machine() or "x86_64").lower()
+    payload = {
+        "cli_version": "0.1.0",
+        "os": os_name,
+        "arch": arch,
+        "channel": channel,
+    }
+    try:
+        response = httpx.post(
+            f"{platform_url()}/v1/runtime/resolve",
+                headers={"Authorization": auth_header, "Content-Type": "application/json"},
+            json=payload,
+            timeout=timeout,
+        )
+    except httpx.HTTPError as exc:
+        raise RuntimeError(f"Could not resolve runtime manifest: {exc}") from exc
+    if response.status_code >= 400:
+        raise RuntimeError(f"Runtime manifest resolve failed ({response.status_code}): {response.text[:500]}")
+    manifest = parse_manifest(response.json() if response.content else {})
+    if not manifest.runtime_version or not manifest.artifact_url or not manifest.sha256:
+        raise RuntimeError("Runtime manifest is missing required fields")
+    return manifest
+
+
+def download_artifact(url: str, *, timeout: float = 60.0) -> bytes:
+    try:
+        response = httpx.get(url, timeout=timeout)
+    except httpx.HTTPError as exc:
+        raise RuntimeError(f"Could not download runtime artifact: {exc}") from exc
+    if response.status_code >= 400:
+        raise RuntimeError(f"Runtime artifact download failed ({response.status_code})")
+    return response.content
+
+
+def activate_runtime(manifest: RuntimeManifest, artifact: bytes, *, channel: str = "stable") -> Path:
+    if not verify_sha256(artifact, manifest.sha256):
+        raise RuntimeError("Runtime artifact checksum verification failed")
+    ensure_dir(runtime_versions_dir())
+    target_dir = ensure_dir(runtime_version_dir(manifest.runtime_version))
+    artifact_path = target_dir / ARTIFACT_FILE
+    manifest_path = target_dir / MANIFEST_FILE
+    artifact_path.write_bytes(artifact)
+    manifest_path.write_text(
+        json.dumps(
+            {
+                "runtime_version": manifest.runtime_version,
+                "artifact_url": manifest.artifact_url,
+                "sha256": manifest.sha256,
+                "signature": manifest.signature,
+                "min_cli_version": manifest.min_cli_version,
+                "activated_at": _now_iso(),
+            },
+            indent=2,
+        ),
+        encoding="utf-8",
+    )
+    state = read_runtime_state()
+    previous = str(state.get("active_version") or "").strip()
+    new_state = {
+        "active_version": manifest.runtime_version,
+        "rollback_version": previous,
+        "channel": channel,
+        "updated_at": _now_iso(),
+        "last_error": "",
+    }
+    write_runtime_state(new_state)
+    return artifact_path
+
+
+def rollback_runtime() -> str:
+    state = read_runtime_state()
+    active = str(state.get("active_version") or "").strip()
+    rollback = str(state.get("rollback_version") or "").strip()
+    if not rollback:
+        raise RuntimeError("No rollback runtime version is available")
+    if not runtime_artifact_path(rollback).is_file():
+        raise RuntimeError(f"Rollback artifact for version '{rollback}' is missing")
+    write_runtime_state(
+        {
+            "active_version": rollback,
+            "rollback_version": active,
+            "channel": state.get("channel", "stable"),
+            "updated_at": _now_iso(),
+            "last_error": "",
+        }
+    )
+    return rollback
+
+
+def runtime_status() -> dict:
+    state = read_runtime_state()
+    active = str(state.get("active_version") or "").strip()
+    active_artifact = runtime_artifact_path(active) if active else None
+    active_exists = bool(active_artifact and active_artifact.is_file())
+    return {
+        "active_version": active,
+        "rollback_version": str(state.get("rollback_version") or "").strip(),
+        "channel": str(state.get("channel") or "stable"),
+        "updated_at": str(state.get("updated_at") or ""),
+        "active_artifact_exists": active_exists,
+    }

refactor_cli/settings.py

@@ -0,0 +1,33 @@
+"""Resolved CLI settings and constants."""
+
+from __future__ import annotations
+
+import os
+
+DEFAULT_PLATFORM_URL = "http://localhost:8000"
+ENV_API_KEY = "REFACTOR_API_KEY"
+ENV_PLATFORM_URL = "REFACTOR_PLATFORM_URL"
+ENV_POLICY_SIGNING_KEY = "REFACTOR_POLICY_SIGNING_KEY"
+
+
+def platform_url() -> str:
+    return os.environ.get(ENV_PLATFORM_URL, DEFAULT_PLATFORM_URL).rstrip("/")
+
+
+def env_api_key() -> str | None:
+    value = os.environ.get(ENV_API_KEY, "").strip()
+    return value or None
+
+
+def policy_signing_key() -> str:
+    value = os.environ.get(ENV_POLICY_SIGNING_KEY, "").strip()
+    return value or "dev-policy-signing-key"
+
+
+def mask_key(key: str) -> str:
+    """Return a masked representation that never reveals the full key."""
+    if not key:
+        return "<none>"
+    if len(key) <= 8:
+        return "*" * len(key)
+    return f"{key[:6]}…{key[-4:]}"