veris-cli 2.26.0__tar.gz → 2.27.1__tar.gz

{veris_cli-2.26.0 → veris_cli-2.27.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: veris-cli
-Version: 2.26.0
+Version: 2.27.1
 Summary: CLI to connect local agents to the Veris backend
 Project-URL: Homepage, https://github.com/veris-ai/veris-cli
 Project-URL: Bug Tracker, https://github.com/veris-ai/veris-cli/issues
@@ -8,6 +8,7 @@ Author: Veris
 Requires-Python: >=3.11
 Requires-Dist: click>=8.1.7
 Requires-Dist: httpx>=0.27.0
+Requires-Dist: jinja2>=3.1.0
 Requires-Dist: pathspec>=0.12.0
 Requires-Dist: pydantic>=2.6
 Requires-Dist: pyyaml>=6.0.1
@@ -57,34 +58,48 @@ veris login YOUR_API_KEY
 
 This saves your credentials to `~/.veris/config.yaml`.
 
-### 2. Create an Environment
+### 2. Submit Your Agent (Managed Onboarding)
 
 ```bash
-veris env create --name my-agent-env --agent-name "My Agent"
+cd ~/my-agent
+veris env submit
 ```
 
-This scaffolds a `.veris/` directory and registers your environment on Veris:
-- **`Dockerfile.sandbox`** — Agent image definition
-- **`veris.yaml`** — Simulation configuration (services, persona, agent settings)
-- **`.dockerignore`** — Files excluded from image build
+This is the **only command you need** to onboard a new agent. It packages
+your repo, uploads it to Veris, and lets the platform generate
+`Dockerfile.sandbox` and `veris.yaml` for you. You'll receive an email
+when your environment is `ready` — typically the same business day.
 
-The `--name` you pass is the agent's display name. The CLI slugifies it to create a target/env name: `"My Agent"` becomes `my-agent-env`. This name is used as the top-level key in `veris.yaml` and as the backend environment name.
+No prior `veris env create` is required. If there is no env yet, `env
+submit` creates one (using `--name`, `--target`, or the current directory
+name).
 
-### 3. Configure Your Agent
-
-Edit `.veris/Dockerfile.sandbox` and `.veris/veris.yaml` to match your agent. Set secrets:
+### 3. Set Any Secrets
 
 ```bash
 veris env vars set OPENAI_API_KEY=sk-your-key --secret
 ```
 
-### 4. Build and Push
+You can set secrets at any point — before or after the env reaches `ready`.
+
+### 4. Iterate After Release
+
+Once your env is `ready`, pull the generated config and iterate locally:
 
 ```bash
-veris env push
+veris env config pull   # Pull generated .veris/Dockerfile.sandbox + veris.yaml
+veris env push          # Build and push a new image tag
 ```
 
-When only one target is defined, the CLI uses it automatically — no flags needed.
+Re-running `veris env push` after each code change is fast. Only re-run
+`veris env submit` when something structural changes (new agent entry
+point, new service dependency, etc.).
+
+> **Stack flows** — agents with non-trivial integration requirements
+> (e.g. nemoclaw) use `veris env create --stack <name>`. Run `veris env
+> create` without `--stack` to see the picker, which lets you choose a
+> registered stack or route into `veris env submit` (the default for
+> plain agents).
 
 ### 5. Generate Scenarios
 

{veris_cli-2.26.0 → veris_cli-2.27.1}/README.md

@@ -33,34 +33,48 @@ veris login YOUR_API_KEY
 
 This saves your credentials to `~/.veris/config.yaml`.
 
-### 2. Create an Environment
+### 2. Submit Your Agent (Managed Onboarding)
 
 ```bash
-veris env create --name my-agent-env --agent-name "My Agent"
+cd ~/my-agent
+veris env submit
 ```
 
-This scaffolds a `.veris/` directory and registers your environment on Veris:
-- **`Dockerfile.sandbox`** — Agent image definition
-- **`veris.yaml`** — Simulation configuration (services, persona, agent settings)
-- **`.dockerignore`** — Files excluded from image build
+This is the **only command you need** to onboard a new agent. It packages
+your repo, uploads it to Veris, and lets the platform generate
+`Dockerfile.sandbox` and `veris.yaml` for you. You'll receive an email
+when your environment is `ready` — typically the same business day.
 
-The `--name` you pass is the agent's display name. The CLI slugifies it to create a target/env name: `"My Agent"` becomes `my-agent-env`. This name is used as the top-level key in `veris.yaml` and as the backend environment name.
+No prior `veris env create` is required. If there is no env yet, `env
+submit` creates one (using `--name`, `--target`, or the current directory
+name).
 
-### 3. Configure Your Agent
-
-Edit `.veris/Dockerfile.sandbox` and `.veris/veris.yaml` to match your agent. Set secrets:
+### 3. Set Any Secrets
 
 ```bash
 veris env vars set OPENAI_API_KEY=sk-your-key --secret
 ```
 
-### 4. Build and Push
+You can set secrets at any point — before or after the env reaches `ready`.
+
+### 4. Iterate After Release
+
+Once your env is `ready`, pull the generated config and iterate locally:
 
 ```bash
-veris env push
+veris env config pull   # Pull generated .veris/Dockerfile.sandbox + veris.yaml
+veris env push          # Build and push a new image tag
 ```
 
-When only one target is defined, the CLI uses it automatically — no flags needed.
+Re-running `veris env push` after each code change is fast. Only re-run
+`veris env submit` when something structural changes (new agent entry
+point, new service dependency, etc.).
+
+> **Stack flows** — agents with non-trivial integration requirements
+> (e.g. nemoclaw) use `veris env create --stack <name>`. Run `veris env
+> create` without `--stack` to see the picker, which lets you choose a
+> registered stack or route into `veris env submit` (the default for
+> plain agents).
 
 ### 5. Generate Scenarios
 

{veris_cli-2.26.0 → veris_cli-2.27.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "veris-cli"
-version = "2.26.0"
+version = "2.27.1"
 description = "CLI to connect local agents to the Veris backend"
 readme = "README.md"
 requires-python = ">=3.11"
@@ -16,6 +16,7 @@ dependencies = [
     "pyyaml>=6.0.1",
     "pydantic>=2.6",
     "tenacity>=8.2.0",
+    "jinja2>=3.1.0",
 ]
 
 [project.scripts]
@@ -57,6 +58,7 @@ asyncio_mode = "auto"
 include = [
   "src/veris_cli/**",
   "src/veris_cli/scripts/*.sh",
+  "src/veris_cli/stacks/nemoclaw/scripts/*.sh",
   "README.md",
   "pyproject.toml",
 ]

{veris_cli-2.26.0 → veris_cli-2.27.1}/src/veris_cli/api.py

@@ -17,13 +17,29 @@ from veris_cli.config import Config
 class APIError(Exception):
     """Raised when the backend returns an error response with details."""
 
-    def __init__(self, status_code: int, detail: str, url: str):
+    def __init__(
+        self,
+        status_code: int,
+        detail: str,
+        url: str,
+        retry_after: float | None = None,
+    ):
         self.status_code = status_code
         self.detail = detail
         self.url = url
+        self.retry_after = retry_after
         super().__init__(f"[{status_code}] {detail} ({url})")
 
 
+def _parse_retry_after(value: object) -> float | None:
+    if not isinstance(value, str):
+        return None
+    try:
+        return float(value)
+    except ValueError:
+        return None
+
+
 def _raise_for_status(response: httpx.Response) -> None:
     """Like response.raise_for_status() but includes the response body."""
     if response.is_success:
@@ -33,23 +49,36 @@ def _raise_for_status(response: httpx.Response) -> None:
         detail = body.get("detail", response.text)
     except Exception:
         detail = response.text or response.reason_phrase
-    raise APIError(response.status_code, detail, str(response.url))
+    raise APIError(
+        response.status_code,
+        detail,
+        str(response.url),
+        retry_after=_parse_retry_after(response.headers.get("Retry-After")),
+    )
 
 
-_RETRYABLE_STATUSES = frozenset({502, 503, 504})
+_RETRYABLE_STATUSES = frozenset({429, 502, 503, 504})
+_RETRY_AFTER_CAP_SECONDS = 60.0
+_exp_wait = wait_exponential(multiplier=1, min=1, max=10)
 
 
 def _is_transient_api_error(exc: BaseException) -> bool:
     return isinstance(exc, APIError) and exc.status_code in _RETRYABLE_STATUSES
 
 
-# Retries transient failures (network errors, 502/503/504). Only applied to
-# idempotent reads — mutating calls (POST/PUT/DELETE) are left alone to avoid
-# duplicate side effects on retry.
+def _wait_with_retry_after(retry_state) -> float:
+    exc = retry_state.outcome.exception() if retry_state.outcome else None
+    if isinstance(exc, APIError) and exc.retry_after is not None:
+        return min(exc.retry_after, _RETRY_AFTER_CAP_SECONDS)
+    return _exp_wait(retry_state)
+
+
+# Retries transient failures on idempotent reads. Mutating calls
+# (POST/PUT/DELETE) are left alone to avoid duplicate side effects.
 _retry_transient = retry(
     reraise=True,
     stop=stop_after_attempt(5),
-    wait=wait_exponential(multiplier=1, min=1, max=10),
+    wait=_wait_with_retry_after,
     retry=(
         retry_if_exception_type(httpx.TransportError) | retry_if_exception(_is_transient_api_error)
     ),
@@ -79,13 +108,35 @@ class VerisAPI:
         return {"Authorization": f"Bearer {self.api_key}"}
 
     # Environments
-    def create_environment(self, name: str, description: Optional[str] = None) -> dict[str, Any]:
-        """Create a new environment (one-time setup)."""
+    def create_environment(
+        self,
+        name: str,
+        description: Optional[str] = None,
+        stack: Optional[str] = None,
+        skip_managed_onboarding: bool = False,
+    ) -> dict[str, Any]:
+        """Create a new environment (one-time setup).
+
+        `stack` records which `veris env create --stack <name>` scaffold
+        flow produced this env (e.g. "nemoclaw").  Backend stores it on
+        the environment row for analytics + per-stack base-image hints.
+
+        `skip_managed_onboarding=True` opts this env out of managed
+        onboarding — backend stamps it directly into the released state
+        (status='ready', onboard_status='completed') and the build gate
+        doesn't apply. Used by `veris env create --self-serve`. Default
+        False keeps SDK / scripted callers on the managed-onboarding
+        path so they stay protected.
+        """
         payload: dict[str, Any] = {"name": name, "description": description}
         if self.organization_id:
             payload["organization_id"] = self.organization_id
         else:
             payload["personal"] = True
+        if stack is not None:
+            payload["stack"] = stack
+        if skip_managed_onboarding:
+            payload["skip_managed_onboarding"] = True
         with httpx.Client(
             base_url=self.base_url, headers=self._headers(), timeout=self.DEFAULT_TIMEOUT
         ) as client:
@@ -93,6 +144,87 @@ class VerisAPI:
             _raise_for_status(response)
             return response.json()
 
+    # Recipes — stack scaffold templates
+    @_retry_transient
+    def get_recipe_bundle(
+        self,
+        stack: str,
+        environment_name: Optional[str] = None,
+        agent_name: Optional[str] = None,
+        provider_key: Optional[str] = None,
+        provider_base_url: Optional[str] = None,
+    ) -> dict[str, Any]:
+        """Fetch the full recipe bundle for `stack` (file contents + metadata).
+
+        Backend renders Jinja templates server-side with the supplied query
+        params.  sandbox-base digest is resolved later by `snapshot.sh` and
+        patched into the rendered Dockerfile directly — not picked here.
+
+        `provider_key` selects which LLM provider's apiKey + baseUrl gets
+        patched at agent boot (via veris-agent-entrypoint.sh reading the
+        rendered NEMOCLAW_PROVIDER_* env vars).  `provider_base_url` is the
+        public hostname Veris's DNS aliases route to llm-proxy; omit to use
+        the manifest's default for `provider_key`.
+
+        Used by `veris env create --stack <name>` to scaffold `.veris/`.
+        """
+        params: dict[str, str] = {}
+        if environment_name:
+            params["environment_name"] = environment_name
+        if agent_name:
+            params["agent_name"] = agent_name
+        if provider_key:
+            params["provider_key"] = provider_key
+        if provider_base_url:
+            params["provider_base_url"] = provider_base_url
+        with httpx.Client(
+            base_url=self.base_url, headers=self._headers(), timeout=self.DEFAULT_TIMEOUT
+        ) as client:
+            response = client.get(f"/v1/recipes/{stack}", params=params)
+            _raise_for_status(response)
+            return response.json()
+
+    @_retry_transient
+    def get_recipe_metadata(self, stack: str) -> dict[str, Any]:
+        """Fetch just the recipe metadata for `stack`.
+
+        Used by `veris env push` to surface an upgrade advisory when the
+        customer's pinned template version drifts behind the current one.
+        """
+        with httpx.Client(
+            base_url=self.base_url, headers=self._headers(), timeout=self.DEFAULT_TIMEOUT
+        ) as client:
+            response = client.get(f"/v1/recipes/{stack}/latest")
+            _raise_for_status(response)
+            return response.json()
+
+    @_retry_transient
+    def get_recipe_providers(self, stack: str) -> dict[str, Any]:
+        """Fetch the supported LLM providers for `stack`.
+
+        Used by `veris env create --stack <name>` to show choices in the
+        provider prompt. Customer can also pass `--provider custom
+        --provider-base-url <url>` to bypass the list.
+        """
+        with httpx.Client(
+            base_url=self.base_url, headers=self._headers(), timeout=self.DEFAULT_TIMEOUT
+        ) as client:
+            response = client.get(f"/v1/recipes/{stack}/providers")
+            _raise_for_status(response)
+            return response.json()
+
+    def get_llm_providers(self) -> dict[str, Any]:
+        """Fetch the canonical list of LLM providers Veris's llm-proxy
+        intercepts. Stack-agnostic — used by ``veris env submit`` and the
+        stack-less ``veris env create`` to populate the API-key picker.
+        """
+        with httpx.Client(
+            base_url=self.base_url, headers=self._headers(), timeout=self.DEFAULT_TIMEOUT
+        ) as client:
+            response = client.get("/v1/llm-providers")
+            _raise_for_status(response)
+            return response.json()
+
     @_retry_transient
     def list_environments(
         self, status: Optional[str] = None, limit: int = 20, offset: int = 0

{veris_cli-2.26.0 → veris_cli-2.27.1}/src/veris_cli/build_context.py

@@ -3,9 +3,11 @@
 Packages the project root into a .tar.gz, respecting .dockerignore patterns.
 """
 
+import io
 import os
 import tarfile
 import tempfile
+import time
 from pathlib import Path
 
 import pathspec
@@ -32,6 +34,7 @@ def create_build_context(
     output_path: Path | None = None,
     dockerfile: Path | str | None = None,
     require_dockerfile: bool = True,
+    file_overrides: dict[str, str] | None = None,
 ) -> tuple[Path, int]:
     """Create a tar.gz build context from the project root.
 
@@ -46,6 +49,13 @@ def create_build_context(
             to `.veris/Dockerfile.sandbox` when None.
         require_dockerfile: If False, skip Dockerfile validation and inclusion.
             Used by ``env submit`` where no Dockerfile exists yet.
+        file_overrides: Optional arcname → content map. For each entry the
+            given content is written into the tarball at the arcname,
+            replacing any on-disk file at the same path and bypassing
+            `.dockerignore`. The customer's working tree is never modified.
+            Used by ``env submit`` to inject the per-target single-target
+            hint into ``.veris/veris.yaml`` without rewriting the on-disk
+            (possibly multi-target) file.
 
     Returns:
         Tuple of (tarball_path, size_bytes).
@@ -54,6 +64,7 @@ def create_build_context(
         ValueError: If tarball exceeds the size cap or the Dockerfile is missing.
     """
     spec = _load_dockerignore(project_root)
+    overrides = file_overrides or {}
 
     if output_path is None:
         fd, tmp = tempfile.mkstemp(suffix=".tar.gz", prefix="veris-build-")
@@ -97,6 +108,12 @@ def create_build_context(
                 if rel_path == ".":
                     rel_path = f
 
+                # Overrides win and bypass dockerignore — defer to the
+                # post-walk loop so they're written exactly once with the
+                # override content.
+                if rel_path in overrides:
+                    continue
+
                 # Skip ignored files (but always include the selected Dockerfile)
                 if spec.match_file(rel_path) and rel_path != dockerfile_rel:
                     continue
@@ -112,6 +129,20 @@ def create_build_context(
             tar.add(str(dockerfile_path), arcname=dockerfile_rel)
             file_count += 1
 
+        # Write overrides last so they always land regardless of ignore rules.
+        # We build a TarInfo by hand instead of going through ``tar.add`` —
+        # the override content lives only in memory, not on disk.
+        now = int(time.time())
+        for arcname, content in overrides.items():
+            data = content.encode("utf-8")
+            info = tarfile.TarInfo(name=arcname)
+            info.size = len(data)
+            info.mode = 0o644
+            info.mtime = now
+            info.type = tarfile.REGTYPE
+            tar.addfile(info, io.BytesIO(data))
+            file_count += 1
+
     size = output_path.stat().st_size
     if size > MAX_TARBALL_SIZE:
         output_path.unlink()