urun-cli 0.3.1__tar.gz → 0.4.1__tar.gz

{urun_cli-0.3.1 → urun_cli-0.4.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: urun-cli
-Version: 0.3.1
+Version: 0.4.1
 Summary: End-user CLI for deploying apps to urun
 Project-URL: Homepage, https://urun.sh
 Project-URL: Repository, https://github.com/urun-sh/urun-cli

{urun_cli-0.3.1 → urun_cli-0.4.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "urun-cli"
-version = "0.3.1"
+version = "0.4.1"
 description = "End-user CLI for deploying apps to urun"
 readme = "README.md"
 requires-python = ">=3.11"

{urun_cli-0.3.1 → urun_cli-0.4.1}/src/urun/api.py

@@ -5,6 +5,7 @@ import time
 import urllib.error
 import urllib.parse
 import urllib.request
+from collections.abc import Callable
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from typing import Any
 
@@ -171,13 +172,36 @@ def require_safe_url(raw_url: str, label: str) -> None:
     raise UrunError(f"{label} must use HTTPS except for localhost development")
 
 
+# Terminal build states reported by the control plane's deployment-status document.
+# The build worker transitions a deployment queued -> building -> ready|failed and
+# records the actual build stderr/reason in the `error` field on failure.
+TERMINAL_STATES = {"ready", "failed"}
+
+# Human-readable progress lines for non-terminal states, so the CLI streams what the
+# builder is doing instead of blocking silently until ready/failed.
+_STATE_PROGRESS = {
+    "queued": "queued (waiting for a build slot)",
+    "building": "building (installing deps + materializing app)",
+    "not_found": "waiting for the control plane to register the build",
+}
+
+
 def poll_until_done(
     client: ApiClient,
     manifest_hash: str,
     interval: float = 2.0,
     timeout: float = 1800.0,
     not_found_grace: float = 30.0,
+    on_state: Callable[[str], None] | None = None,
 ) -> dict[str, Any]:
+    """Poll the control plane for the real build outcome of a deployment.
+
+    Streams each new build state via ``on_state`` (so callers can show
+    queued -> building -> ... progress) and returns the terminal status
+    document (status ``ready`` or ``failed``). The ``failed`` document carries
+    the actual build error under ``error`` for the caller to surface. Raises
+    ``UrunError`` on timeout.
+    """
     deadline = time.time() + timeout
     not_found_deadline = time.time() + min(not_found_grace, timeout)
     last_state = "unknown"
@@ -186,16 +210,25 @@ def poll_until_done(
             status = client.deployment_status(manifest_hash)
         except ApiError as exc:
             if exc.status == 404 and time.time() < not_found_deadline:
+                if last_state != "not_found" and on_state is not None:
+                    on_state("not_found")
                 last_state = "not_found"
                 time.sleep(interval)
                 continue
             raise
-        state = status.get("status")
-        last_state = str(state)
-        if state in {"ready", "failed"}:
+        state = str(status.get("status"))
+        if state != last_state and on_state is not None:
+            on_state(state)
+        last_state = state
+        if state in TERMINAL_STATES:
             return status
         if time.time() >= deadline:
             raise UrunError(
                 f"timed out waiting for deployment {manifest_hash} (last status: {last_state})"
             )
         time.sleep(interval)
+
+
+def progress_line(state: str) -> str:
+    """Render a human-readable progress line for a build state."""
+    return _STATE_PROGRESS.get(state, state)

{urun_cli-0.3.1 → urun_cli-0.4.1}/src/urun/cli.py

@@ -11,7 +11,13 @@ from pathlib import Path
 from typing import Any
 
 from . import __version__
-from .api import DEFAULT_API_URL, ApiClient, poll_until_done, upload_missing_blobs
+from .api import (
+    DEFAULT_API_URL,
+    ApiClient,
+    poll_until_done,
+    progress_line,
+    upload_missing_blobs,
+)
 from .config import load_credentials, save_credentials
 from .deps import resolve_deps
 from .discovery import derive_app_name, discover_main_files
@@ -120,9 +126,21 @@ def add_auth_parser(sub: argparse._SubParsersAction) -> None:
         description=(
             "Register (or replace) the trusted key source the control plane "
             "verifies this org's session JWTs against. Provide EXACTLY ONE of "
-            "--jwks-url (a remote JWK Set endpoint) or --jwks-json (an inline JWK "
-            "Set from a file or '-' for stdin). Optionally pin the expected token "
-            "issuer/audience. This registers trust only; it does not mint a JWT."
+            "--workos-client-id (templates the WorkOS AuthKit JWKS for you), "
+            "--jwks-url (a remote JWK Set endpoint), or --jwks-json (an inline "
+            "JWK Set from a file or '-' for stdin). Optionally pin the expected "
+            "token issuer/audience. This registers trust only; it does not mint a JWT."
+        ),
+    )
+    set_parser.add_argument(
+        "--workos-client-id",
+        metavar="CLIENT_ID",
+        help=(
+            "WorkOS Client ID (client_...). Templates the WorkOS AuthKit JWKS "
+            "endpoint and access-token issuer for you, so you do not have to "
+            "supply raw JWKS URLs: --jwks-url becomes "
+            "https://api.workos.com/sso/jwks/<client_id> and --issuer defaults to "
+            "https://api.workos.com. Override either with --issuer/--audience."
         ),
     )
     set_parser.add_argument(
@@ -136,7 +154,11 @@ def add_auth_parser(sub: argparse._SubParsersAction) -> None:
     )
     set_parser.add_argument(
         "--issuer",
-        help="Optional expected JWT `iss` claim; tokens whose iss differs are rejected",
+        help=(
+            "Optional expected JWT `iss` claim; tokens whose iss differs are "
+            "rejected. With --workos-client-id this defaults to "
+            "https://api.workos.com (pass to override, e.g. a custom AuthKit domain)."
+        ),
     )
     set_parser.add_argument(
         "--audience",
@@ -223,38 +245,81 @@ def auth(args: argparse.Namespace) -> int:
         getattr(args, "auth_command", None) != "jwks"
         or getattr(args, "jwks_command", None) != "set"
     ):
-        raise UrunError("usage: urun auth jwks set --jwks-url <url> | --jwks-json <file|->")
+        raise UrunError(
+            "usage: urun auth jwks set "
+            "--workos-client-id <client_...> | --jwks-url <url> | --jwks-json <file|->"
+        )
     return auth_jwks_set(args)
 
 
+# WorkOS publishes one JWK Set per OAuth client at this unauthenticated endpoint;
+# it hosts the public key used to verify AuthKit / User Management access tokens.
+WORKOS_JWKS_URL_TEMPLATE = "https://api.workos.com/sso/jwks/{client_id}"
+# A WorkOS AuthKit (User Management) access token's `iss` claim is the static
+# WorkOS API host (NOT a per-client URL). It becomes your custom AuthKit domain
+# only when one is configured, which is why --issuer can override this default.
+WORKOS_ACCESS_TOKEN_ISSUER = "https://api.workos.com"
+# A WorkOS client id looks like `client_<base32-ish>`.
+WORKOS_CLIENT_ID_RE = re.compile(r"^client_[0-9A-Za-z]+$")
+
+
+def workos_jwks_template(client_id: str) -> dict[str, str]:
+    """Template the WorkOS AuthKit trust anchor from just the WorkOS Client ID.
+
+    Returns the JWKS endpoint URL and the expected access-token issuer for the
+    given WorkOS client so callers never have to hand-build raw WorkOS URLs.
+
+    Note (deliberately omitted): WorkOS AuthKit *access tokens* do NOT carry an
+    `aud` claim by default, so no audience is templated — pin one with
+    --audience only if your AuthKit config actually sets it (pinning a wrong
+    audience would silently 401 every real token).
+    """
+    if not WORKOS_CLIENT_ID_RE.fullmatch(client_id):
+        raise UrunError(
+            "invalid WorkOS client id; expected client_<alphanumeric> (e.g. client_01ABC...)"
+        )
+    return {
+        "jwks_url": WORKOS_JWKS_URL_TEMPLATE.format(client_id=client_id),
+        "expected_issuer": WORKOS_ACCESS_TOKEN_ISSUER,
+    }
+
+
 def auth_jwks_set(args: argparse.Namespace) -> int:
     jwks_url = string_value(args.jwks_url)
     jwks_json_arg = string_value(args.jwks_json)
-    if bool(jwks_url) == bool(jwks_json_arg):
-        raise UrunError("provide exactly one of --jwks-url or --jwks-json")
+    workos_client_id = string_value(getattr(args, "workos_client_id", None))
+    issuer = string_value(args.issuer)
+    audience = string_value(args.audience)
+
+    sources = [s for s in (workos_client_id, jwks_url, jwks_json_arg) if s]
+    if len(sources) != 1:
+        raise UrunError("provide exactly one of --workos-client-id, --jwks-url, or --jwks-json")
 
     payload: dict[str, Any] = {}
-    if jwks_url:
+    if workos_client_id:
+        # Template the WorkOS well-known structure from the client id so the
+        # caller never supplies raw URLs. --issuer/--audience still override.
+        template = workos_jwks_template(workos_client_id)
+        payload["jwks_url"] = template["jwks_url"]
+        issuer = issuer or template.get("expected_issuer")
+    elif jwks_url:
         payload["jwks_url"] = jwks_url
-        issuer = string_value(args.issuer)
-        audience = string_value(args.audience)
-        if issuer:
-            payload["expected_issuer"] = issuer
-        if audience:
-            payload["expected_audience"] = audience
     else:
         payload["jwks_json"] = read_jwks_json(jwks_json_arg)
-        issuer = string_value(args.issuer)
-        audience = string_value(args.audience)
-        if issuer:
-            payload["expected_issuer"] = issuer
-        if audience:
-            payload["expected_audience"] = audience
+
+    if issuer:
+        payload["expected_issuer"] = issuer
+    if audience:
+        payload["expected_audience"] = audience
 
     api_url, api_key = resolve_api_credentials(args)
     result = ApiClient(api_url, api_key).register_trusted_jwks(payload)
     org_id = string_value(result.get("org_id")) or "(unknown)"
     print(f"Registered trusted JWKS for org {org_id}.")
+    if workos_client_id:
+        print(f"  WorkOS client: {workos_client_id}")
+        print(f"  JWKS URL:      {payload['jwks_url']}")
+        print(f"  Expected iss:  {payload.get('expected_issuer', '(unset)')}")
     print("This registers a trust relationship only; no JWT was minted or fetched.")
     return 0
 
@@ -326,17 +391,43 @@ def deploy(args: argparse.Namespace) -> int:
             print(f"Status: {status_url}")
         return 0
 
-    status = poll_until_done(client, mh, args.poll_interval, args.timeout)
+    print("Waiting for build to complete (--no-wait to skip)")
+    status = poll_until_done(
+        client,
+        mh,
+        args.poll_interval,
+        args.timeout,
+        on_state=lambda state: print(f"  build: {progress_line(state)}"),
+    )
     if status.get("status") == "failed":
-        err = status.get("error") or {}
-        code = err.get("code")
-        message = err.get("message")
-        detail = f"{code}: {message}" if code and message else (message or code or "unknown error")
-        raise UrunError(f"deployment failed: {detail}")
+        print_build_failure(status)
+        return 1
     print_ready(status)
     return 0
 
 
+def print_build_failure(status: dict[str, Any]) -> None:
+    """Surface the REAL build failure (e.g. the uv/git/torch error) to stderr.
+
+    The control plane records the build worker's terminal error under
+    ``error`` as ``{code, message}`` where ``message`` is the actual build
+    stderr/reason. We print the full message verbatim so callers no longer have
+    to kubectl into the cluster to learn why a build failed.
+    """
+    err = status.get("error") or {}
+    code = string_value(err.get("code"))
+    message = string_value(err.get("message"))
+    print("Deployment failed: build did not succeed", file=sys.stderr)
+    if code:
+        print(f"  reason: {code}", file=sys.stderr)
+    if message:
+        print("  build error:", file=sys.stderr)
+        for line in message.rstrip().splitlines() or [message]:
+            print(f"    {line}", file=sys.stderr)
+    if not code and not message:
+        print("  (no error detail recorded by the build worker)", file=sys.stderr)
+
+
 def resolve_api_credentials(args: argparse.Namespace) -> tuple[str, str]:
     api_key = args.api_key or os.getenv("URUN_API_KEY")
     api_url = args.api_url or os.getenv("URUN_API_URL")

{urun_cli-0.3.1 → urun_cli-0.4.1}/src/urun/discovery.py

@@ -133,8 +133,21 @@ def resolve_relative_import(node: ast.ImportFrom, source: Path, project_root: Pa
 def module_path_candidates(base: Path, parts: list[str]) -> set[Path]:
     if not parts:
         return set()
-    path = base.joinpath(*parts)
     candidates: set[Path] = set()
+    # Every INTERMEDIATE package __init__.py along the dotted path must ship
+    # too: importing pkg.sub.mod executes pkg/__init__.py and pkg/sub/__init__.py.
+    # Resolving only the leaf dropped those when nothing imported the package
+    # name bare — in the pod the package degrades to an implicit NAMESPACE
+    # package, so the import still "succeeds" while every module-level
+    # definition in the dropped __init__ is silently gone (caught in-pod by the
+    # spmd-canary bundle-completeness gate, urun-infra run 27303509334).
+    prefix = base
+    for part in parts[:-1]:
+        prefix = prefix / part
+        intermediate_init = prefix / "__init__.py"
+        if intermediate_init.is_file():
+            candidates.add(intermediate_init.resolve())
+    path = base.joinpath(*parts)
     module_file = path.with_suffix(".py")
     package_init = path / "__init__.py"
     if module_file.is_file():