veris-cli 2.27.1__tar.gz → 2.28.0__tar.gz

{veris_cli-2.27.1 → veris_cli-2.28.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: veris-cli
-Version: 2.27.1
+Version: 2.28.0
 Summary: CLI to connect local agents to the Veris backend
 Project-URL: Homepage, https://github.com/veris-ai/veris-cli
 Project-URL: Bug Tracker, https://github.com/veris-ai/veris-cli/issues

{veris_cli-2.27.1 → veris_cli-2.28.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "veris-cli"
-version = "2.27.1"
+version = "2.28.0"
 description = "CLI to connect local agents to the Veris backend"
 readme = "README.md"
 requires-python = ">=3.11"

{veris_cli-2.27.1 → veris_cli-2.28.0}/src/veris_cli/api.py

@@ -252,7 +252,7 @@ class VerisAPI:
             return response.json()
 
     def create_image_tag(self, environment_id: str, tag: str) -> dict[str, Any]:
-        """Register an image tag. Returns push config including pull_credentials if external registry."""
+        """Register an image tag. Returns push config including build_credentials if external registry."""
         with httpx.Client(
             base_url=self.base_url, headers=self._headers(), timeout=self.DEFAULT_TIMEOUT
         ) as client:
@@ -263,6 +263,20 @@ class VerisAPI:
             _raise_for_status(response)
             return response.json()
 
+    def download_service_wheels(self, environment_id: str) -> bytes:
+        """Download the exact entitled service wheels for a local (BYOC) build.
+
+        Returns the raw bytes of a zip containing services.lock.json plus
+        wheels/*.whl. The backend fetches the wheels with its own registry
+        credential, so none is exposed to the client.
+        """
+        with httpx.Client(
+            base_url=self.base_url, headers=self._headers(), timeout=self.DEFAULT_TIMEOUT
+        ) as client:
+            response = client.get(f"/v1/environments/{environment_id}/service-wheels")
+            _raise_for_status(response)
+            return response.content
+
     # Builds (Cloud Build)
     def create_build(self, environment_id: str, tag: str = "latest") -> dict[str, Any]:
         """Create a build and get a signed upload URL."""

{veris_cli-2.27.1 → veris_cli-2.28.0}/src/veris_cli/commands/env.py

@@ -82,6 +82,89 @@ def _check_sync_guard(
     return action
 
 
+def _install_services_wrap(env_id: str, image_uri: str, api: VerisAPI):
+    """Install the org's entitled packaged services into a just-built image.
+
+    Local counterpart of the Cloud Build install-wrap (see veris-sandbox
+    backend/app/services/cloud_build.py), but credential-free: the backend
+    serves exactly the entitled wheels from GET /service-wheels (fetched with
+    Veris's own registry credential), so the customer never touches the wheel
+    repo. We extract the served wheels into the build context, bind-mount them
+    plus the sealed services.lock.json, and run /usr/local/bin/install_services.sh
+    (baked into the Veris base image, so it's present in the FROM-derived image),
+    which installs offline with --find-links and asserts the entitled set.
+    """
+    import io
+    import os
+    import shutil
+    import subprocess
+    import tempfile
+    import zipfile
+
+    output.print_info("Fetching entitled service packages...")
+    try:
+        zip_bytes = api.download_service_wheels(env_id)
+    except APIError as e:
+        output.print_error(f"Failed to fetch service packages: {e.detail}")
+        sys.exit(1)
+
+    # The wrap bind-mounts the served wheels dir + the sealed lockfile (both
+    # shipped in the served zip — services.lock.json is authoritative from the
+    # backend). install_services.sh installs from --find-links with --no-index.
+    run_line = (
+        "RUN --mount=type=bind,source=service-wheels,target=/tmp/service-wheels "
+        "--mount=type=bind,source=services.lock.json,target=/tmp/services.lock.json "
+        "/usr/local/bin/install_services.sh"
+    )
+
+    ctx_dir = tempfile.mkdtemp(prefix="veris-wrap-")
+    try:
+        # Unpack the served zip into the build context: services.lock.json at the
+        # root and wheels/*.whl -> service-wheels/. ZipFile.extract sanitizes
+        # member paths (strips leading slashes / .. ) so a malformed entry can't
+        # escape ctx_dir.
+        wheels_dir = os.path.join(ctx_dir, "service-wheels")
+        os.makedirs(wheels_dir, exist_ok=True)
+        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
+            for member in zf.namelist():
+                if member.endswith("/"):
+                    continue
+                name = os.path.basename(member)
+                if member == "services.lock.json":
+                    with open(os.path.join(ctx_dir, "services.lock.json"), "wb") as f:
+                        f.write(zf.read(member))
+                elif member.startswith("wheels/") and name.endswith(".whl"):
+                    with open(os.path.join(wheels_dir, name), "wb") as f:
+                        f.write(zf.read(member))
+
+        output.print_info("Installing entitled service packages...")
+        wrap_dockerfile = os.path.join(ctx_dir, ".services-install.Dockerfile")
+        with open(wrap_dockerfile, "w") as f:
+            f.write(f"FROM {image_uri}\n{run_line}\n")
+
+        proc = subprocess.run(
+            [
+                "docker",
+                "build",
+                "--platform",
+                "linux/amd64",
+                "-t",
+                image_uri,
+                "-f",
+                wrap_dockerfile,
+                ctx_dir,
+            ],
+            env={**os.environ, "DOCKER_BUILDKIT": "1"},
+            text=True,
+        )
+        if proc.returncode != 0:
+            output.print_error("Service package install failed")
+            sys.exit(1)
+        output.print_success("Service packages installed")
+    finally:
+        shutil.rmtree(ctx_dir, ignore_errors=True)
+
+
 def _env_push_local(
     env_id: str,
     tag: str,
@@ -92,10 +175,12 @@ def _env_push_local(
     """Build locally and push to the customer's external registry."""
     import subprocess
 
-    pull_creds = tag_result["pull_credentials"]
+    build_creds = tag_result.get("build_credentials") or {}
+    pull_creds = build_creds["pull_credentials"]
     image_uri = tag_result["image_uri"]
     base_image = tag_result["base_image"]
     registry_host = pull_creds["registry_url"]
+    api = VerisAPI(profile=profile)
 
     try:
         # Step 1: Login to Veris AR to pull base image
@@ -137,6 +222,15 @@ def _env_push_local(
             sys.exit(1)
         output.print_success("Image built")
 
+        # Step 2.5: install the org's entitled packaged services. The base image
+        # ships zero packaged services, so this wrap is what actually puts them
+        # in the image — identical contents to the Cloud Build path. Skipped
+        # when the sealed manifest has no pip-installable services. The wheels
+        # are fetched from the backend (credential-free), not a registry token.
+        services_lock = build_creds.get("services_lock") or []
+        if any(e.get("source") == "package" for e in services_lock):
+            _install_services_wrap(env_id, image_uri, api)
+
         # Step 3: Push to customer's registry
         # Customer must already be authenticated to their own registry (e.g. aws ecr get-login-password)
         output.print_info(f"Pushing to {image_uri}...")
@@ -388,6 +482,59 @@ def _try_load_veris_yaml(path: Path) -> VerisYaml | None:
     return _maybe_migrate_shape_a(path, parsed)
 
 
+def _offer_existing_unconfigured_target(
+    profile: str | None,
+) -> tuple[str, str | None, str | None]:
+    """Interactive offer to bind a backend env to an existing veris.yaml target.
+
+    Restores the v2.26.0 entry point that the managed-only onboarding rewrite
+    (#161) dropped: if .veris/veris.yaml defines target(s) that aren't yet bound
+    to a backend env on this profile, let the user pick one rather than forcing
+    net-new onboarding.
+
+    Returns a ``(action, target_name, agent_name)`` tuple:
+      - ``("pick", <target>, <agent name or None>)`` — user chose an existing target.
+      - ``("cancel", None, None)`` — user aborted the prompt; caller should return.
+      - ``("new", None, None)`` — no offer applies, or user chose "create new";
+        caller should fall through to net-new onboarding.
+
+    Assumes the caller already gated on an interactive TTY.
+    """
+    veris_yaml_path = Path.cwd() / ".veris" / "veris.yaml"
+    if not veris_yaml_path.exists():
+        return ("new", None, None)
+    parsed = _try_load_veris_yaml(veris_yaml_path)
+    if not (parsed and parsed.targets):
+        return ("new", None, None)
+
+    unconfigured = [
+        t
+        for t in parsed.target_names
+        if not ProjectConfig(profile=profile, target=t).get_environment_id()
+    ]
+    if not unconfigured:
+        return ("new", None, None)
+
+    import questionary
+
+    _NEW = "__new__"
+    choices = [questionary.Choice(title=t, value=t) for t in unconfigured] + [
+        questionary.Choice(title="Create a new environment instead", value=_NEW)
+    ]
+    selected = questionary.select(
+        "Existing targets found in .veris/veris.yaml. Create an environment for:",
+        choices=choices,
+    ).ask()
+    if selected is None:
+        return ("cancel", None, None)
+    if selected == _NEW:
+        return ("new", None, None)
+
+    target_obj = parsed.get_target(selected)
+    agent_name = target_obj.agent.name if (target_obj.agent and target_obj.agent.name) else None
+    return ("pick", selected, agent_name)
+
+
 def _print_recipe_upgrade_advisory(api: VerisAPI, veris_dir: Path) -> None:
     """Compare pinned recipe version in .veris/config.yaml vs /recipes/<stack>/latest.
 
@@ -690,6 +837,26 @@ def env_create(
         output.print_error("--self-serve and --stack are mutually exclusive.")
         sys.exit(1)
 
+    # Restore the v2.26.0 behavior (regressed by the managed-only onboarding
+    # rewrite in #161): when the repo already has a .veris/veris.yaml whose
+    # target(s) aren't yet bound to a backend env on this profile, offer to
+    # create an env for one of those instead of treating this as net-new
+    # onboarding. Picking an existing target binds a backend env to the user's
+    # hand-authored config (a self-serve operation), pre-filling name + agent
+    # name from the target block. Only fires interactively with no explicit
+    # --name / --stack / --self-serve, so scripted and stack flows are unchanged.
+    from_existing_target = False
+    if not name and not stack and not self_serve and sys.stdin.isatty():
+        action, picked_name, picked_agent_name = _offer_existing_unconfigured_target(profile)
+        if action == "cancel":
+            return
+        if action == "pick":
+            name = picked_name
+            self_serve = True
+            from_existing_target = True
+            if not agent_name:
+                agent_name = picked_agent_name
+
     # Interactive picker when neither --stack nor --self-serve was passed.
     # Three branches: managed (default), self-serve, or one of the
     # registered stacks. Net-new envs without an explicit choice land
@@ -743,7 +910,7 @@ def env_create(
             sys.exit(1)
 
     if self_serve:
-        _create_env_self_serve(profile, name, agent_name)
+        _create_env_self_serve(profile, name, agent_name, from_existing_target=from_existing_target)
         return
 
     # Every reachable path here leaves ``stack`` set. Stack flows own
@@ -763,6 +930,7 @@ def _create_env_self_serve(
     profile: str | None,
     name: str | None,
     agent_name: str | None,
+    from_existing_target: bool = False,
 ) -> None:
     """`veris env create --self-serve` — scaffold .veris/ locally, create
     a backend env in released state.
@@ -858,8 +1026,13 @@ def _create_env_self_serve(
     # the backend today). Refuse and tell the customer how to recover.
     # Detected BEFORE _scaffold_veris_dir so the function's
     # no-op-on-existing-block path doesn't mask this.
+    #
+    # `from_existing_target` flips this off: when the caller deliberately
+    # picked an already-present target block to bind a backend env to (the
+    # restored v2.26.0 flow), the existing block is expected, not a failed
+    # retry — binding it is the whole point.
     veris_yaml_path = veris_dir / "veris.yaml"
-    if veris_yaml_path.exists():
+    if veris_yaml_path.exists() and not from_existing_target:
         existing = _try_load_veris_yaml(veris_yaml_path)
         if existing and env_name in existing.targets:
             output.print_error(
@@ -1966,14 +2139,23 @@ def env_push(
         _auto_snapshot_for_stack(pinned_stack, Path.cwd())
 
     # On-prem clusters route through the customer's external registry instead of Cloud Build.
-    try:
-        if env_info.get("image_registry_url"):
+    if env_info.get("image_registry_url"):
+        tag_result = None
+        try:
             tag_result = api.create_image_tag(env_id, tag)
-            if tag_result.get("pull_credentials"):
-                _env_push_local(env_id, tag, tag_result, profile, dockerfile=dockerfile_rel)
-                return
-    except Exception:
-        pass  # Fall through to Cloud Build
+        except APIError as e:
+            # Entitlement / unknown-service errors are sealed server-side. Surface
+            # them directly — a Cloud Build fallback can't reach the customer's
+            # registry anyway, so masking them would only confuse.
+            if e.status_code in (400, 403):
+                output.print_error(str(e.detail))
+                sys.exit(1)
+            raise
+        except Exception:
+            tag_result = None  # transient — fall through to Cloud Build below
+        if tag_result and tag_result.get("build_credentials"):
+            _env_push_local(env_id, tag, tag_result, profile, dockerfile=dockerfile_rel)
+            return
 
     _env_push_remote(env_id, tag, profile, dockerfile=dockerfile_rel)