trustgraph-cli 2.4.4__tar.gz → 2.4.6__tar.gz

{trustgraph_cli-2.4.4 → trustgraph_cli-2.4.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: trustgraph-cli
-Version: 2.4.4
+Version: 2.4.6
 Summary: TrustGraph provides a means to run a pipeline of flexible AI processing components in a flexible means to achieve a processing pipeline.
 Author-email: "trustgraph.ai" <security@trustgraph.ai>
 Project-URL: Homepage, https://github.com/trustgraph-ai/trustgraph

{trustgraph_cli-2.4.4 → trustgraph_cli-2.4.6}/pyproject.toml

@@ -40,6 +40,20 @@ tg-get-flow-blueprint = "trustgraph.cli.get_flow_blueprint:main"
 tg-get-kg-core = "trustgraph.cli.get_kg_core:main"
 tg-get-document-content = "trustgraph.cli.get_document_content:main"
 tg-graph-to-turtle = "trustgraph.cli.graph_to_turtle:main"
+tg-bootstrap-iam = "trustgraph.cli.bootstrap_iam:main"
+tg-login = "trustgraph.cli.login:main"
+tg-create-user = "trustgraph.cli.create_user:main"
+tg-list-users = "trustgraph.cli.list_users:main"
+tg-disable-user = "trustgraph.cli.disable_user:main"
+tg-enable-user = "trustgraph.cli.enable_user:main"
+tg-delete-user = "trustgraph.cli.delete_user:main"
+tg-change-password = "trustgraph.cli.change_password:main"
+tg-reset-password = "trustgraph.cli.reset_password:main"
+tg-create-api-key = "trustgraph.cli.create_api_key:main"
+tg-list-api-keys = "trustgraph.cli.list_api_keys:main"
+tg-revoke-api-key = "trustgraph.cli.revoke_api_key:main"
+tg-list-workspaces = "trustgraph.cli.list_workspaces:main"
+tg-create-workspace = "trustgraph.cli.create_workspace:main"
 tg-invoke-agent = "trustgraph.cli.invoke_agent:main"
 tg-invoke-document-rag = "trustgraph.cli.invoke_document_rag:main"
 tg-invoke-graph-rag = "trustgraph.cli.invoke_graph_rag:main"

trustgraph_cli-2.4.6/trustgraph/cli/_iam.py

@@ -0,0 +1,75 @@
+"""
+Shared helpers for IAM CLI tools.
+
+All IAM operations go through the gateway's ``/api/v1/iam`` forwarder,
+with the three public auth operations (``login``, ``bootstrap``,
+``change-password``) served via ``/api/v1/auth/...`` instead.  These
+helpers encapsulate the HTTP plumbing so each CLI can stay focused
+on its own argument parsing and output formatting.
+"""
+
+import json
+import os
+import sys
+
+import requests
+
+
+DEFAULT_URL = os.getenv("TRUSTGRAPH_URL", "http://localhost:8088/")
+DEFAULT_TOKEN = os.getenv("TRUSTGRAPH_TOKEN", None)
+
+
+def _fmt_error(resp_json):
+    err = resp_json.get("error", {})
+    if isinstance(err, dict):
+        t = err.get("type", "")
+        m = err.get("message", "")
+        return f"{t}: {m}" if t else m or "error"
+    return str(err)
+
+
+def _post(url, path, token, body):
+    endpoint = url.rstrip("/") + path
+    headers = {"Content-Type": "application/json"}
+    if token:
+        headers["Authorization"] = f"Bearer {token}"
+
+    resp = requests.post(
+        endpoint, headers=headers, data=json.dumps(body),
+    )
+
+    if resp.status_code != 200:
+        try:
+            payload = resp.json()
+            detail = _fmt_error(payload)
+        except Exception:
+            detail = resp.text
+        raise RuntimeError(f"HTTP {resp.status_code}: {detail}")
+
+    body = resp.json()
+    if "error" in body:
+        raise RuntimeError(_fmt_error(body))
+    return body
+
+
+def call_iam(url, token, request):
+    """Forward an IAM request through ``/api/v1/iam``.  ``request`` is
+    the ``IamRequest`` dict shape."""
+    return _post(url, "/api/v1/iam", token, request)
+
+
+def call_auth(url, path, token, body):
+    """Hit one of the public auth endpoints
+    (``/api/v1/auth/login``, ``/api/v1/auth/change-password``, etc.).
+    ``token`` is optional — login and bootstrap don't need one."""
+    return _post(url, path, token, body)
+
+
+def run_main(fn, parser):
+    """Standard error-handling wrapper for CLI main() bodies."""
+    args = parser.parse_args()
+    try:
+        fn(args)
+    except Exception as e:
+        print("Exception:", e, file=sys.stderr, flush=True)
+        sys.exit(1)

trustgraph_cli-2.4.6/trustgraph/cli/bootstrap_iam.py

@@ -0,0 +1,94 @@
+"""
+Bootstraps the IAM service.  Only works when iam-svc is running in
+bootstrap mode with empty tables.  Prints the initial admin API key
+to stdout.
+
+This is a one-time, trust-sensitive operation.  The resulting token
+is shown once and never again — capture it on use.  Rotate and
+revoke it as soon as a real admin API key has been issued.
+"""
+
+import argparse
+import json
+import os
+import sys
+
+import requests
+
+default_url = os.getenv("TRUSTGRAPH_URL", "http://localhost:8088/")
+
+
+def bootstrap(url):
+
+    # Unauthenticated public endpoint — IAM refuses the bootstrap
+    # operation unless the service is running in bootstrap mode with
+    # empty tables, so the safety gate lives on the server side.
+    endpoint = url.rstrip("/") + "/api/v1/auth/bootstrap"
+
+    headers = {"Content-Type": "application/json"}
+
+    resp = requests.post(
+        endpoint,
+        headers=headers,
+        data=json.dumps({}),
+    )
+
+    if resp.status_code != 200:
+        raise RuntimeError(
+            f"HTTP {resp.status_code}: {resp.text}"
+        )
+
+    body = resp.json()
+
+    if "error" in body:
+        raise RuntimeError(
+            f"IAM {body['error'].get('type', 'error')}: "
+            f"{body['error'].get('message', '')}"
+        )
+
+    api_key = body.get("bootstrap_admin_api_key")
+    user_id = body.get("bootstrap_admin_user_id")
+
+    if not api_key:
+        raise RuntimeError(
+            "IAM response did not contain a bootstrap token — the "
+            "service may already be bootstrapped, or may be running "
+            "in token mode."
+        )
+
+    return user_id, api_key
+
+
+def main():
+
+    parser = argparse.ArgumentParser(
+        prog="tg-bootstrap-iam",
+        description=__doc__,
+    )
+
+    parser.add_argument(
+        "-u", "--api-url",
+        default=default_url,
+        help=f"API URL (default: {default_url})",
+    )
+
+    args = parser.parse_args()
+
+    try:
+        user_id, api_key = bootstrap(args.api_url)
+    except Exception as e:
+        print("Exception:", e, file=sys.stderr, flush=True)
+        sys.exit(1)
+
+    # Stdout gets machine-readable output (the key).  Any operator
+    # context goes to stderr.
+    print(f"Admin user id: {user_id}", file=sys.stderr)
+    print(
+        "Admin API key (shown once, capture now):",
+        file=sys.stderr,
+    )
+    print(api_key)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/change_password.py

@@ -0,0 +1,46 @@
+"""
+Change your own password.  Requires the current password.
+"""
+
+import argparse
+import getpass
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_auth, run_main
+
+
+def do_change_password(args):
+    current = args.current or getpass.getpass("Current password: ")
+    new = args.new or getpass.getpass("New password: ")
+
+    call_auth(
+        args.api_url, "/api/v1/auth/change-password", args.token,
+        {"current_password": current, "new_password": new},
+    )
+    print("Password changed.")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-change-password", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--current", default=None,
+        help="Current password (prompted if omitted)",
+    )
+    parser.add_argument(
+        "--new", default=None,
+        help="New password (prompted if omitted)",
+    )
+    run_main(do_change_password, parser)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/create_api_key.py

@@ -0,0 +1,71 @@
+"""
+Create an API key for a user.  Prints the plaintext key to stdout —
+shown once only.
+"""
+
+import argparse
+import sys
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_iam, run_main
+
+
+def do_create_api_key(args):
+    key = {
+        "user_id": args.user_id,
+        "name": args.name,
+    }
+    if args.expires:
+        key["expires"] = args.expires
+
+    req = {"operation": "create-api-key", "key": key}
+    if args.workspace:
+        req["workspace"] = args.workspace
+    resp = call_iam(args.api_url, args.token, req)
+
+    plaintext = resp.get("api_key_plaintext", "")
+    rec = resp.get("api_key", {})
+    print(f"Key id: {rec.get('id', '')}", file=sys.stderr)
+    print(f"Name: {rec.get('name', '')}", file=sys.stderr)
+    print(f"Prefix: {rec.get('prefix', '')}", file=sys.stderr)
+    print(
+        "API key (shown once, capture now):", file=sys.stderr,
+    )
+    print(plaintext)
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-create-api-key", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--user-id", required=True,
+        help="Owner user id",
+    )
+    parser.add_argument(
+        "--name", required=True,
+        help="Operator-facing label (e.g. 'laptop', 'ci')",
+    )
+    parser.add_argument(
+        "--expires", default=None,
+        help="ISO-8601 expiry (optional; empty = no expiry)",
+    )
+    parser.add_argument(
+        "-w", "--workspace", default=None,
+        help=(
+            "Target workspace (admin only; defaults to caller's "
+            "assigned workspace)"
+        ),
+    )
+    run_main(do_create_api_key, parser)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/create_user.py

@@ -0,0 +1,87 @@
+"""
+Create a user in the caller's workspace.  Prints the new user id.
+"""
+
+import argparse
+import getpass
+import sys
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_iam, run_main
+
+
+def do_create_user(args):
+    password = args.password
+    if not password:
+        password = getpass.getpass(
+            f"Password for new user {args.username}: "
+        )
+
+    user = {
+        "username": args.username,
+        "password": password,
+        "roles": args.roles,
+    }
+    if args.name:
+        user["name"] = args.name
+    if args.email:
+        user["email"] = args.email
+    if args.must_change_password:
+        user["must_change_password"] = True
+
+    req = {"operation": "create-user", "user": user}
+    if args.workspace:
+        req["workspace"] = args.workspace
+    resp = call_iam(args.api_url, args.token, req)
+
+    rec = resp.get("user", {})
+    print(f"User id: {rec.get('id', '')}", file=sys.stderr)
+    print(f"Username: {rec.get('username', '')}", file=sys.stderr)
+    print(f"Roles: {', '.join(rec.get('roles', []))}", file=sys.stderr)
+    print(rec.get("id", ""))
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-create-user", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--username", required=True, help="Username (unique in workspace)",
+    )
+    parser.add_argument(
+        "--password", default=None,
+        help="Password (prompted if omitted)",
+    )
+    parser.add_argument(
+        "--name", default=None, help="Display name",
+    )
+    parser.add_argument(
+        "--email", default=None, help="Email",
+    )
+    parser.add_argument(
+        "--roles", nargs="+", default=["reader"],
+        help="One or more role names (default: reader)",
+    )
+    parser.add_argument(
+        "--must-change-password", action="store_true",
+        help="Force password change on next login",
+    )
+    parser.add_argument(
+        "-w", "--workspace", default=None,
+        help=(
+            "Target workspace (admin only; defaults to caller's "
+            "assigned workspace)"
+        ),
+    )
+    run_main(do_create_user, parser)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/create_workspace.py

@@ -0,0 +1,46 @@
+"""
+Create a workspace (system-level; requires admin).
+"""
+
+import argparse
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_iam, run_main
+
+
+def do_create_workspace(args):
+    ws = {"id": args.workspace_id, "enabled": True}
+    if args.name:
+        ws["name"] = args.name
+
+    resp = call_iam(args.api_url, args.token, {
+        "operation": "create-workspace",
+        "workspace_record": ws,
+    })
+    rec = resp.get("workspace", {})
+    print(f"Workspace created: {rec.get('id', '')}")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-create-workspace", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--workspace-id", required=True,
+        help="New workspace id (must not start with '_')",
+    )
+    parser.add_argument(
+        "--name", default=None, help="Display name",
+    )
+    run_main(do_create_workspace, parser)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/delete_user.py

@@ -0,0 +1,62 @@
+"""
+Delete a user.  Removes the user record, their username lookup,
+and all their API keys.  The freed username becomes available for
+re-use.
+
+Irreversible.  Use tg-disable-user if you want to preserve the
+record (audit trail, username squatting protection).
+"""
+
+import argparse
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_iam, run_main
+
+
+def do_delete_user(args):
+    if not args.yes:
+        confirm = input(
+            f"Delete user {args.user_id}?  This is irreversible. "
+            f"[type 'yes' to confirm]: "
+        )
+        if confirm.strip() != "yes":
+            print("Aborted.")
+            return
+
+    req = {"operation": "delete-user", "user_id": args.user_id}
+    if args.workspace:
+        req["workspace"] = args.workspace
+    call_iam(args.api_url, args.token, req)
+    print(f"Deleted user {args.user_id}")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-delete-user", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--user-id", required=True, help="User id to delete",
+    )
+    parser.add_argument(
+        "-w", "--workspace", default=None,
+        help=(
+            "Target workspace (admin only; defaults to caller's "
+            "assigned workspace)"
+        ),
+    )
+    parser.add_argument(
+        "--yes", action="store_true",
+        help="Skip the interactive confirmation prompt",
+    )
+    run_main(do_delete_user, parser)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/disable_user.py

@@ -0,0 +1,45 @@
+"""
+Disable a user.  Soft-deletes (enabled=false) and revokes all their
+API keys.
+"""
+
+import argparse
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_iam, run_main
+
+
+def do_disable_user(args):
+    req = {"operation": "disable-user", "user_id": args.user_id}
+    if args.workspace:
+        req["workspace"] = args.workspace
+    call_iam(args.api_url, args.token, req)
+    print(f"Disabled user {args.user_id}")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-disable-user", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--user-id", required=True, help="User id to disable",
+    )
+    parser.add_argument(
+        "-w", "--workspace", default=None,
+        help=(
+            "Target workspace (admin only; defaults to caller's "
+            "assigned workspace)"
+        ),
+    )
+    run_main(do_disable_user, parser)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/enable_user.py

@@ -0,0 +1,45 @@
+"""
+Re-enable a previously disabled user.  Does not restore their API
+keys — those must be re-issued by an admin.
+"""
+
+import argparse
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_iam, run_main
+
+
+def do_enable_user(args):
+    req = {"operation": "enable-user", "user_id": args.user_id}
+    if args.workspace:
+        req["workspace"] = args.workspace
+    call_iam(args.api_url, args.token, req)
+    print(f"Enabled user {args.user_id}")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-enable-user", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--user-id", required=True, help="User id to enable",
+    )
+    parser.add_argument(
+        "-w", "--workspace", default=None,
+        help=(
+            "Target workspace (admin only; defaults to caller's "
+            "assigned workspace)"
+        ),
+    )
+    run_main(do_enable_user, parser)
+
+
+if __name__ == "__main__":
+    main()

trustgraph_cli-2.4.6/trustgraph/cli/list_api_keys.py

@@ -0,0 +1,69 @@
+"""
+List the API keys for a user.
+"""
+
+import argparse
+
+import tabulate
+
+from ._iam import DEFAULT_URL, DEFAULT_TOKEN, call_iam, run_main
+
+
+def do_list_api_keys(args):
+    req = {"operation": "list-api-keys", "user_id": args.user_id}
+    if args.workspace:
+        req["workspace"] = args.workspace
+    resp = call_iam(args.api_url, args.token, req)
+
+    keys = resp.get("api_keys", [])
+    if not keys:
+        print("No keys.")
+        return
+
+    rows = [
+        [
+            k.get("id", ""),
+            k.get("name", ""),
+            k.get("prefix", ""),
+            k.get("created", ""),
+            k.get("last_used", "") or "—",
+            k.get("expires", "") or "never",
+        ]
+        for k in keys
+    ]
+    print(tabulate.tabulate(
+        rows,
+        headers=["id", "name", "prefix", "created", "last used", "expires"],
+        tablefmt="pretty",
+        stralign="left",
+    ))
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tg-list-api-keys", description=__doc__,
+    )
+    parser.add_argument(
+        "-u", "--api-url", default=DEFAULT_URL,
+        help=f"API URL (default: {DEFAULT_URL})",
+    )
+    parser.add_argument(
+        "-t", "--token", default=DEFAULT_TOKEN,
+        help="Auth token (default: $TRUSTGRAPH_TOKEN)",
+    )
+    parser.add_argument(
+        "--user-id", required=True,
+        help="Owner user id",
+    )
+    parser.add_argument(
+        "-w", "--workspace", default=None,
+        help=(
+            "Target workspace (admin only; defaults to caller's "
+            "assigned workspace)"
+        ),
+    )
+    run_main(do_list_api_keys, parser)
+
+
+if __name__ == "__main__":
+    main()