urun-cli 0.2.0__tar.gz → 0.3.1__tar.gz

{urun_cli-0.2.0 → urun_cli-0.3.1}/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.3.0
+
+- Implement the `urun org` / `urun org id` command: print the caller's org id
+  (resolved via the control-plane org-config endpoint).
+- Implement `urun auth jwks set`: register the org's trusted JWKS for federated
+  identity, via `--jwks-url` or `--jwks-json` (file or stdin), with optional
+  `--issuer`/`--audience`. This registers a trust relationship only; JWTs are
+  issued out of band and the CLI never mints, fetches, or stores one.
+- Add `ApiClient.register_trusted_jwks`, calling `POST /org-config/trusted-jwks`.
+
 ## 0.2.0
 
 - Bumped past 0.1.1/0.1.2 because both filenames were occupied by previously-deleted PyPI artifacts.

{urun_cli-0.2.0 → urun_cli-0.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: urun-cli
-Version: 0.2.0
+Version: 0.3.1
 Summary: End-user CLI for deploying apps to urun
 Project-URL: Homepage, https://urun.sh
 Project-URL: Repository, https://github.com/urun-sh/urun-cli

{urun_cli-0.2.0 → urun_cli-0.3.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "urun-cli"
-version = "0.2.0"
+version = "0.3.1"
 description = "End-user CLI for deploying apps to urun"
 readme = "README.md"
 requires-python = ">=3.11"

{urun_cli-0.2.0 → urun_cli-0.3.1}/src/urun/api.py

@@ -35,6 +35,15 @@ class ApiClient:
     def org_config(self) -> dict[str, Any]:
         return self._json("GET", "/org-config", None)
 
+    def register_trusted_jwks(self, payload: dict[str, Any]) -> dict[str, Any]:
+        """Register this org's trusted JWKS with the control plane.
+
+        The org is derived server-side from the API key; the payload carries only
+        the trusted key source (jwks_url OR jwks_json) plus optional iss/aud. This
+        records a trust relationship — it does not mint or fetch a JWT.
+        """
+        return self._json("POST", "/org-config/trusted-jwks", payload)
+
     def _json(self, method: str, path: str, body: dict[str, Any] | None) -> dict[str, Any]:
         data = (
             None

{urun_cli-0.2.0 → urun_cli-0.3.1}/src/urun/cli.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import argparse
 import getpass
+import json
 import os
 import re
 import sys
@@ -28,6 +29,10 @@ def main(argv: list[str] | None = None) -> int:
             return deploy(args)
         if args.command == "login":
             return login(args)
+        if args.command == "org":
+            return org(args)
+        if args.command == "auth":
+            return auth(args)
         parser.print_help()
         return 2
     except UrunError as exc:
@@ -65,9 +70,81 @@ def build_parser() -> argparse.ArgumentParser:
         ),
     )
     add_deploy_args(run)
+
+    add_org_parser(sub)
+    add_auth_parser(sub)
     return parser
 
 
+def add_org_parser(sub: argparse._SubParsersAction) -> None:
+    org_parser = sub.add_parser(
+        "org",
+        help="Show the caller's org id",
+        description=(
+            "Print the organization the authenticating API key belongs to "
+            "(resolved via the control plane's org-config endpoint)."
+        ),
+    )
+    org_sub = org_parser.add_subparsers(dest="org_command")
+    id_parser = org_sub.add_parser(
+        "id",
+        help="Print just the org id (machine-readable)",
+        description="Print only the org id on stdout, with no other output.",
+    )
+    add_api_args(id_parser)
+    # Allow `urun org` (bare) to behave like `urun org id`.
+    add_api_args(org_parser)
+
+
+def add_auth_parser(sub: argparse._SubParsersAction) -> None:
+    auth_parser = sub.add_parser(
+        "auth",
+        help="Register the org's trusted JWKS for federated identity",
+        description=(
+            "Register the trusted JWKS the control plane should verify session "
+            "JWTs against for this org. JWTs are issued OUT OF BAND by your IdP; "
+            "this command only REGISTERS A TRUST RELATIONSHIP — it never mints, "
+            "fetches, or stores a JWT, and no new secret is sent."
+        ),
+    )
+    auth_sub = auth_parser.add_subparsers(dest="auth_command")
+    jwks_parser = auth_sub.add_parser(
+        "jwks",
+        help="Manage the org's trusted JWKS",
+        description="Manage the trusted JWKS registered for this org.",
+    )
+    jwks_sub = jwks_parser.add_subparsers(dest="jwks_command")
+    set_parser = jwks_sub.add_parser(
+        "set",
+        help="Register/replace the org's trusted JWKS",
+        description=(
+            "Register (or replace) the trusted key source the control plane "
+            "verifies this org's session JWTs against. Provide EXACTLY ONE of "
+            "--jwks-url (a remote JWK Set endpoint) or --jwks-json (an inline JWK "
+            "Set from a file or '-' for stdin). Optionally pin the expected token "
+            "issuer/audience. This registers trust only; it does not mint a JWT."
+        ),
+    )
+    set_parser.add_argument(
+        "--jwks-url",
+        help="HTTPS URL of the org's JWK Set (e.g. https://idp.example.com/.well-known/jwks.json)",
+    )
+    set_parser.add_argument(
+        "--jwks-json",
+        metavar="FILE",
+        help="Path to an inline JWK Set ({\"keys\":[...]}), or '-' to read from stdin",
+    )
+    set_parser.add_argument(
+        "--issuer",
+        help="Optional expected JWT `iss` claim; tokens whose iss differs are rejected",
+    )
+    set_parser.add_argument(
+        "--audience",
+        help="Optional expected JWT `aud` claim; tokens lacking it are rejected",
+    )
+    add_api_args(set_parser)
+
+
 def add_login_args(parser: argparse.ArgumentParser) -> None:
     parser.add_argument(
         "--api-url",
@@ -132,6 +209,77 @@ def login(args: argparse.Namespace) -> int:
     return 0
 
 
+def org(args: argparse.Namespace) -> int:
+    # `urun org` and `urun org id` both print just the org id. There is no other
+    # `org` subcommand, so a bare `org` defaults to `id`.
+    api_url, api_key = resolve_api_credentials(args)
+    config = ApiClient(api_url, api_key).org_config()
+    print(config_value(config, "org_id"))
+    return 0
+
+
+def auth(args: argparse.Namespace) -> int:
+    if (
+        getattr(args, "auth_command", None) != "jwks"
+        or getattr(args, "jwks_command", None) != "set"
+    ):
+        raise UrunError("usage: urun auth jwks set --jwks-url <url> | --jwks-json <file|->")
+    return auth_jwks_set(args)
+
+
+def auth_jwks_set(args: argparse.Namespace) -> int:
+    jwks_url = string_value(args.jwks_url)
+    jwks_json_arg = string_value(args.jwks_json)
+    if bool(jwks_url) == bool(jwks_json_arg):
+        raise UrunError("provide exactly one of --jwks-url or --jwks-json")
+
+    payload: dict[str, Any] = {}
+    if jwks_url:
+        payload["jwks_url"] = jwks_url
+        issuer = string_value(args.issuer)
+        audience = string_value(args.audience)
+        if issuer:
+            payload["expected_issuer"] = issuer
+        if audience:
+            payload["expected_audience"] = audience
+    else:
+        payload["jwks_json"] = read_jwks_json(jwks_json_arg)
+        issuer = string_value(args.issuer)
+        audience = string_value(args.audience)
+        if issuer:
+            payload["expected_issuer"] = issuer
+        if audience:
+            payload["expected_audience"] = audience
+
+    api_url, api_key = resolve_api_credentials(args)
+    result = ApiClient(api_url, api_key).register_trusted_jwks(payload)
+    org_id = string_value(result.get("org_id")) or "(unknown)"
+    print(f"Registered trusted JWKS for org {org_id}.")
+    print("This registers a trust relationship only; no JWT was minted or fetched.")
+    return 0
+
+
+def read_jwks_json(source: str) -> dict[str, Any]:
+    """Read and validate a JWK Set from a file path, or '-' for stdin."""
+    if source == "-":
+        raw = sys.stdin.read()
+    else:
+        path = Path(source)
+        if not path.is_file():
+            raise UrunError(f"JWKS file not found: {source}")
+        raw = path.read_text(encoding="utf-8")
+    try:
+        parsed = json.loads(raw)
+    except json.JSONDecodeError as exc:
+        raise UrunError(f"invalid JWK Set JSON: {exc}") from exc
+    if not isinstance(parsed, dict):
+        raise UrunError("invalid JWK Set: expected a JSON object")
+    keys = parsed.get("keys")
+    if not isinstance(keys, list) or not keys:
+        raise UrunError('invalid JWK Set: must contain a non-empty "keys" array')
+    return parsed
+
+
 def deploy(args: argparse.Namespace) -> int:
     api_url, api_key = resolve_api_credentials(args)
     if args.poll_interval <= 0:
@@ -141,7 +289,8 @@ def deploy(args: argparse.Namespace) -> int:
 
     project_root = Path.cwd()
     entrypoint, files = discover_main_files(args.entrypoint, project_root)
-    deps, deps_blob, python_version = resolve_deps(project_root)
+    entrypoint_path = (project_root / args.entrypoint).resolve()
+    deps, deps_blob, python_version = resolve_deps(project_root, entrypoint_path)
 
     app_name = args.name or derive_app_name(args.entrypoint)
     all_blobs = files + ([deps_blob] if deps_blob is not None else [])

urun_cli-0.3.1/src/urun/deps.py

@@ -0,0 +1,399 @@
+from __future__ import annotations
+
+import ast
+import tempfile
+from pathlib import Path
+from typing import Any
+
+from .manifest import FileBlob, file_blob
+
+DEFAULT_PYTHON_VERSION = "3.12"
+
+# Sentinel returned when the static evaluator cannot determine a value (e.g. an
+# attribute access into config objects that are not statically resolvable). It
+# behaves as an empty-ish value so unioning deps simply skips it.
+_UNKNOWN = object()
+
+
+class _DepsEvaluator:
+    """A tiny, side-effect-free interpreter over a Python *module* AST.
+
+    It evaluates only the small subset of Python needed to recover the
+    ``Dependencies(python=[...], apt=[...], post_install=[...])`` literal that
+    apps declare on ``@app.function(deps=...)`` — INCLUDING the common
+    indirections used by helios/lingbot:
+
+    * module-level ``CONFIG = dict(..., deps=Dependencies(...))`` then
+      ``@app.function(**CONFIG)`` / ``@app.on(name, **CONFIG)``
+    * ``python=_runtime_python_deps()`` — a no-arg local function that builds a
+      list with literals, ``.extend([...])`` and ``for``/``if``/``continue``
+      filtering using ``str.startswith``.
+
+    It never imports or executes the module; unknown constructs degrade to an
+    ``_UNKNOWN`` sentinel rather than raising, so deps extraction is best-effort
+    and robust.
+    """
+
+    def __init__(self, tree: ast.Module) -> None:
+        self.tree = tree
+        # Module-level symbol table: name -> AST value node (lazily evaluated).
+        self.assignments: dict[str, ast.expr] = {}
+        self.functions: dict[str, ast.FunctionDef] = {}
+        for node in tree.body:
+            if isinstance(node, ast.Assign):
+                for target in node.targets:
+                    if isinstance(target, ast.Name):
+                        self.assignments[target.id] = node.value
+            elif isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name):
+                if node.value is not None:
+                    self.assignments[node.target.id] = node.value
+            elif isinstance(node, ast.FunctionDef):
+                self.functions[node.name] = node
+
+    # -- public API --------------------------------------------------------
+
+    def collect_dependencies(self) -> dict[str, list[str]]:
+        """Union ``deps=Dependencies(...)`` across all app function decorators."""
+        out: dict[str, list[str]] = {"python": [], "apt": [], "post_install": []}
+        seen: set[tuple[str, str]] = set()
+        for deps_call in self._find_deps_calls():
+            spec = self._eval_dependencies_call(deps_call)
+            if not isinstance(spec, dict):
+                continue
+            for key in out:
+                for item in spec.get(key, []) or []:
+                    if isinstance(item, str) and (key, item) not in seen:
+                        seen.add((key, item))
+                        out[key].append(item)
+        return out
+
+    # -- decorator discovery ----------------------------------------------
+
+    def _find_deps_calls(self) -> list[ast.Call]:
+        calls: list[ast.Call] = []
+        for node in ast.walk(self.tree):
+            if not isinstance(node, ast.FunctionDef | ast.AsyncFunctionDef):
+                continue
+            for dec in node.decorator_list:
+                if isinstance(dec, ast.Call) and self._is_app_decorator(dec.func):
+                    deps = self._extract_deps_from_call(dec)
+                    if deps is not None:
+                        calls.append(deps)
+        return calls
+
+    @staticmethod
+    def _is_app_decorator(func: ast.expr) -> bool:
+        # Match `app.function(...)`, `app.on(...)`, `something.function(...)`.
+        if isinstance(func, ast.Attribute):
+            return func.attr in {"function", "on"}
+        return False
+
+    def _extract_deps_from_call(self, call: ast.Call) -> ast.Call | None:
+        # Direct keyword: deps=Dependencies(...)
+        for kw in call.keywords:
+            if kw.arg == "deps":
+                return self._as_dependencies_call(kw.value)
+        # Indirection via **CONFIG spread.
+        for kw in call.keywords:
+            if kw.arg is None:  # **spread
+                config = self._resolve(kw.value)
+                if isinstance(config, dict):
+                    deps_val = config.get("deps")
+                    if isinstance(deps_val, ast.AST):
+                        return self._as_dependencies_call(deps_val)
+        return None
+
+    def _as_dependencies_call(self, node: ast.AST) -> ast.Call | None:
+        # node may be a Name pointing at a module-level Dependencies(...) call.
+        node = self._deref(node)
+        if isinstance(node, ast.Call) and self._call_name(node.func) == "Dependencies":
+            return node
+        return None
+
+    # -- Dependencies(...) evaluation -------------------------------------
+
+    def _eval_dependencies_call(self, call: ast.Call) -> dict[str, list[str]]:
+        result: dict[str, list[str]] = {"python": [], "apt": [], "post_install": []}
+        for kw in call.keywords:
+            if kw.arg in result:
+                value = self._eval(kw.value, {})
+                if isinstance(value, list):
+                    result[kw.arg] = [v for v in value if isinstance(v, str)]
+        return result
+
+    # -- name resolution helpers ------------------------------------------
+
+    def _deref(self, node: ast.AST) -> ast.AST:
+        """Follow a module-level Name to its assigned value node."""
+        while isinstance(node, ast.Name) and node.id in self.assignments:
+            node = self.assignments[node.id]
+        return node
+
+    def _resolve(self, node: ast.AST) -> Any:
+        """Resolve a possibly-Name node to an evaluated value (module scope)."""
+        return self._eval(node, {})
+
+    @staticmethod
+    def _call_name(func: ast.expr) -> str | None:
+        if isinstance(func, ast.Name):
+            return func.id
+        if isinstance(func, ast.Attribute):
+            return func.attr
+        return None
+
+    # -- the constrained evaluator ----------------------------------------
+
+    def _eval(self, node: ast.AST, scope: dict[str, Any]) -> Any:
+        if isinstance(node, ast.Constant):
+            return node.value
+        if isinstance(node, ast.Name):
+            if node.id in scope:
+                return scope[node.id]
+            if node.id in self.assignments:
+                return self._eval(self.assignments[node.id], {})
+            return _UNKNOWN
+        if isinstance(node, ast.List | ast.Tuple | ast.Set):
+            out: list[Any] = []
+            for elt in node.elts:
+                if isinstance(elt, ast.Starred):
+                    inner = self._eval(elt.value, scope)
+                    if isinstance(inner, list | tuple | set):
+                        out.extend(inner)
+                else:
+                    out.append(self._eval(elt, scope))
+            return out
+        if isinstance(node, ast.Dict):
+            result: dict[Any, Any] = {}
+            for k, v in zip(node.keys, node.values, strict=True):
+                if k is None:  # **spread
+                    inner = self._eval(v, scope)
+                    if isinstance(inner, dict):
+                        result.update(inner)
+                    continue
+                result[self._eval(k, scope)] = v  # keep value node lazy for dict()
+            return result
+        if isinstance(node, ast.Call):
+            return self._eval_call(node, scope)
+        if isinstance(node, ast.BoolOp):
+            values = [self._eval(v, scope) for v in node.values]
+            if isinstance(node.op, ast.Or):
+                result_bool = False
+                for v in values:
+                    if v is True:
+                        return True
+                    if v is _UNKNOWN:
+                        result_bool = _UNKNOWN  # type: ignore[assignment]
+                return result_bool
+            if isinstance(node.op, ast.And):
+                for v in values:
+                    if v is False:
+                        return False
+                    if v is _UNKNOWN:
+                        return _UNKNOWN
+                return True
+            return _UNKNOWN
+        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
+            inner = self._eval(node.operand, scope)
+            if inner is True:
+                return False
+            if inner is False:
+                return True
+            return _UNKNOWN
+        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
+            left = self._eval(node.left, scope)
+            right = self._eval(node.right, scope)
+            if isinstance(left, list) and isinstance(right, list):
+                return left + right
+            return _UNKNOWN
+        if isinstance(node, ast.Attribute):
+            return _UNKNOWN
+        return _UNKNOWN
+
+    def _eval_call(self, node: ast.Call, scope: dict[str, Any]) -> Any:
+        name = self._call_name(node.func)
+        # dict(...) -> mapping with value nodes kept lazy (so deps stays an AST).
+        if name == "dict" and isinstance(node.func, ast.Name):
+            mapping: dict[str, Any] = {}
+            for kw in node.keywords:
+                if kw.arg is None:
+                    inner = self._eval(kw.value, scope)
+                    if isinstance(inner, dict):
+                        mapping.update(inner)
+                elif kw.arg == "deps":
+                    mapping["deps"] = kw.value  # keep AST for Dependencies match
+                else:
+                    mapping[kw.arg] = kw.value
+            return mapping
+        # list(x) / list([...])
+        if name == "list" and isinstance(node.func, ast.Name):
+            if not node.args:
+                return []
+            inner = self._eval(node.args[0], scope)
+            if isinstance(inner, list | tuple | set):
+                return list(inner)
+            return _UNKNOWN
+        # str.startswith(prefix) for filtering loops.
+        if isinstance(node.func, ast.Attribute):
+            recv = self._eval(node.func.value, scope)
+            attr = node.func.attr
+            if isinstance(recv, str) and attr == "startswith":
+                args = [self._eval(a, scope) for a in node.args]
+                if args and isinstance(args[0], str):
+                    return recv.startswith(args[0])
+            return _UNKNOWN
+        # No-arg local function call: interpret its body.
+        if isinstance(node.func, ast.Name) and node.func.id in self.functions and not node.args:
+            return self._eval_function(self.functions[node.func.id])
+        return _UNKNOWN
+
+    def _eval_function(self, fn: ast.FunctionDef) -> Any:
+        """Interpret a no-arg function body that builds and returns a list."""
+        scope: dict[str, Any] = {}
+        return self._exec_body(fn.body, scope)
+
+    def _exec_body(self, body: list[ast.stmt], scope: dict[str, Any]) -> Any:
+        for stmt in body:
+            result = self._exec_stmt(stmt, scope)
+            if result is not _NO_RETURN:
+                return result
+        return _UNKNOWN
+
+    def _exec_stmt(self, stmt: ast.stmt, scope: dict[str, Any]) -> Any:
+        if isinstance(stmt, ast.Return):
+            return self._eval(stmt.value, scope) if stmt.value else None
+        if isinstance(stmt, ast.Assign):
+            value = self._eval(stmt.value, scope)
+            for target in stmt.targets:
+                if isinstance(target, ast.Name):
+                    scope[target.id] = value
+            return _NO_RETURN
+        if isinstance(stmt, ast.AnnAssign) and isinstance(stmt.target, ast.Name):
+            if stmt.value is not None:
+                scope[stmt.target.id] = self._eval(stmt.value, scope)
+            return _NO_RETURN
+        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
+            self._exec_method_call(stmt.value, scope)
+            return _NO_RETURN
+        if isinstance(stmt, ast.For):
+            return self._exec_for(stmt, scope)
+        if isinstance(stmt, ast.If):
+            test = self._eval(stmt.test, scope)
+            branch = stmt.body if test is True else stmt.orelse if test is False else None
+            if branch is not None:
+                return self._exec_body_or_continue(branch, scope)
+            return _NO_RETURN
+        return _NO_RETURN
+
+    def _exec_for(self, stmt: ast.For, scope: dict[str, Any]) -> Any:
+        iterable = self._eval(stmt.iter, scope)
+        if not isinstance(iterable, list | tuple | set):
+            return _NO_RETURN
+        if not isinstance(stmt.target, ast.Name):
+            return _NO_RETURN
+        var = stmt.target.id
+        for item in iterable:
+            scope[var] = item
+            signal = self._exec_loop_body(stmt.body, scope)
+            if signal is _CONTINUE:
+                continue
+            if signal is not _NO_RETURN and signal is not None:
+                return signal
+        return _NO_RETURN
+
+    def _exec_loop_body(self, body: list[ast.stmt], scope: dict[str, Any]) -> Any:
+        for stmt in body:
+            if isinstance(stmt, ast.Continue):
+                return _CONTINUE
+            if isinstance(stmt, ast.If):
+                test = self._eval(stmt.test, scope)
+                branch = stmt.body if test is True else stmt.orelse if test is False else []
+                signal = self._exec_loop_body(branch, scope)
+                if signal is not _NO_RETURN:
+                    return signal
+                continue
+            if isinstance(stmt, ast.Return):
+                return self._eval(stmt.value, scope) if stmt.value else None
+            if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
+                self._exec_method_call(stmt.value, scope)
+                continue
+            if isinstance(stmt, ast.Assign):
+                self._exec_stmt(stmt, scope)
+        return _NO_RETURN
+
+    def _exec_body_or_continue(self, body: list[ast.stmt], scope: dict[str, Any]) -> Any:
+        return self._exec_body(body, scope)
+
+    def _exec_method_call(self, call: ast.Call, scope: dict[str, Any]) -> None:
+        # Handle list.append(x) / list.extend([...]) mutating a scope variable.
+        if not isinstance(call.func, ast.Attribute):
+            return
+        target = call.func.value
+        attr = call.func.attr
+        if not isinstance(target, ast.Name) or target.id not in scope:
+            return
+        container = scope[target.id]
+        if not isinstance(container, list):
+            return
+        if attr == "append" and call.args:
+            container.append(self._eval(call.args[0], scope))
+        elif attr == "extend" and call.args:
+            extra = self._eval(call.args[0], scope)
+            if isinstance(extra, list | tuple | set):
+                container.extend(extra)
+
+
+_NO_RETURN = object()
+_CONTINUE = object()
+
+
+def extract_app_python_deps(entrypoint: Path) -> dict[str, list[str]]:
+    """Statically extract declared app deps from the entrypoint source.
+
+    Returns a mapping with ``python``/``apt``/``post_install`` string lists.
+    Never imports or executes the app; pure ``ast``.
+    """
+    source = entrypoint.read_text(encoding="utf-8")
+    tree = ast.parse(source, filename=str(entrypoint))
+    return _DepsEvaluator(tree).collect_dependencies()
+
+
+def render_requirements_txt(python_deps: list[str]) -> str:
+    """Render requirements.txt content matching Dependencies.to_requirements_txt()."""
+    return "\n".join(python_deps)
+
+
+def resolve_deps(
+    project_root: Path, entrypoint: Path | None = None
+) -> tuple[dict[str, Any], FileBlob | None, str]:
+    """Resolve app dependencies for the deploy manifest.
+
+    Dependencies are declared by the urun app via ``@app.function(deps=...)``.
+    We extract the python list STATICALLY (no import, no subprocess), render it
+    as a requirements.txt, and emit a ``requirements_txt`` deps manifest backed
+    by an uploadable FileBlob. If no python deps are declared, fall back to the
+    ``app`` kind (no blob) so simple apps still deploy.
+    """
+    python_version = DEFAULT_PYTHON_VERSION
+    if entrypoint is None:
+        return {"kind": "app", "python_version": python_version}, None, python_version
+
+    extracted = extract_app_python_deps(entrypoint)
+    python_deps = extracted.get("python", [])
+    if not python_deps:
+        return {"kind": "app", "python_version": python_version}, None, python_version
+
+    text = render_requirements_txt(python_deps)
+    # Materialize to a real file so the existing blob upload path (which reads
+    # blob.source from disk and re-hashes) can ship it.
+    tmp_dir = Path(tempfile.mkdtemp(prefix="urun-deps-"))
+    req_path = tmp_dir / "requirements.txt"
+    req_path.write_text(text, encoding="utf-8")
+    blob = file_blob(req_path, tmp_dir, manifest_path="requirements.txt")
+
+    deps = {
+        "kind": "requirements_txt",
+        "blob_sha256": blob.sha256,
+        "size": blob.size,
+        "python_version": python_version,
+    }
+    return deps, blob, python_version

urun_cli-0.2.0/src/urun/deps.py

@@ -1,13 +0,0 @@
-from __future__ import annotations
-
-from pathlib import Path
-from typing import Any
-
-DEFAULT_PYTHON_VERSION = "3.12"
-
-
-def resolve_deps(_project_root: Path) -> tuple[dict[str, Any], None, str]:
-    # Dependencies are declared by the urun app in app.py, not by project-level
-    # pyproject.toml or requirements.txt files.
-    python_version = DEFAULT_PYTHON_VERSION
-    return {"kind": "app", "python_version": python_version}, None, python_version