wraith-cli 1.2.0__tar.gz → 1.3.0__tar.gz

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/.env.example

@@ -9,3 +9,5 @@ GITEA_COMPOSE_PATH=/home/user/example/gitea
 GITEA_API_URL="http://your-gitea-instance:3000"
 GITEA_TOKEN="your_personal_access_token"
 GITEA_TEMPLATE_URL="https://gitea.domain.com/user/repo-template.git"
+
+SCRUTINY_URL=http://127.0.0.1:8090

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/.gitea/workflows/pages.yml

@@ -1,5 +1,6 @@
 name: Deploy Gitea Pages
 on:
+  workflow_dispatch:
   push:
     branches:
       - main

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/.gitignore

@@ -165,3 +165,4 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+.aider*

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/.pre-commit-config.yaml

@@ -14,11 +14,14 @@ repos:
        args: ["--fix"]
     -  id: ruff-format
 
-- repo: https://github.com/pre-commit/mirrors-mypy
-  rev: v1.15.0
+- repo: local
   hooks:
-    - id: mypy
-      additional_dependencies: ['types-requests']
+    - id: ty
+      name: ty
+      entry: uv run ty check
+      language: system
+      types: [python]
+      pass_filenames: false
 
 - repo: https://github.com/Yelp/detect-secrets
   rev: v1.5.0

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/CHANGELOG.md

@@ -1,3 +1,5 @@
+## v1.3.0 (2026-04-04)
+
 ## v1.2.0 (2026-04-02)
 
 ## v1.1.0 (2026-03-31)

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: wraith-cli
-Version: 1.2.0
+Version: 1.3.0
 Summary: Sovereign Command Centre for a Ghost Stack
 Project-URL: Homepage, https://git.thomaspeoples.com/thomaspeoples/wraith-cli
 Project-URL: Documentation, https://www.thomaspeoples.com/gitea-repos/wraith-cli/
@@ -42,19 +42,19 @@ Requires-Dist: detect-secrets; extra == 'dev'
 Requires-Dist: genbadge[coverage]>=1.1.1; extra == 'dev'
 Requires-Dist: mkdocs-material<=10.0; extra == 'dev'
 Requires-Dist: mkdocs<=2.0; extra == 'dev'
-Requires-Dist: mypy; extra == 'dev'
 Requires-Dist: pre-commit; extra == 'dev'
 Requires-Dist: pymdown-extensions>=10.7.0; extra == 'dev'
 Requires-Dist: pytest; extra == 'dev'
 Requires-Dist: pytest-cov; extra == 'dev'
 Requires-Dist: ruff; extra == 'dev'
+Requires-Dist: ty; extra == 'dev'
 Requires-Dist: types-requests; extra == 'dev'
 Description-Content-Type: text/markdown
 
 [![Documentation](https://img.shields.io/badge/docs-live-brightgreen)](https://www.thomaspeoples.com/gitea-repos/wraith-cli/)
-![PyPI - Version](https://img.shields.io/pypi/v/wraith_cli)
-![PyPI - License](https://img.shields.io/pypi/l/wraith_cli)
-![PyPI - Python Version](https://img.shields.io/pypi/pyversions/wraith_cli)
+![PyPI - Version](https://img.shields.io/pypi/v/wraith-cli)
+![PyPI - License](https://img.shields.io/pypi/l/wraith-cli)
+![PyPI - Python Version](https://img.shields.io/pypi/pyversions/wraith-cli)
 
 
 # 👻 Wraith-CLI

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/README.md

@@ -1,7 +1,7 @@
 [![Documentation](https://img.shields.io/badge/docs-live-brightgreen)](https://www.thomaspeoples.com/gitea-repos/wraith-cli/)
-![PyPI - Version](https://img.shields.io/pypi/v/wraith_cli)
-![PyPI - License](https://img.shields.io/pypi/l/wraith_cli)
-![PyPI - Python Version](https://img.shields.io/pypi/pyversions/wraith_cli)
+![PyPI - Version](https://img.shields.io/pypi/v/wraith-cli)
+![PyPI - License](https://img.shields.io/pypi/l/wraith-cli)
+![PyPI - Python Version](https://img.shields.io/pypi/pyversions/wraith-cli)
 
 
 # 👻 Wraith-CLI

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/mkdocs.yml

@@ -20,6 +20,8 @@ nav:
   - Home: index.md
   - Usage: usage.md
   - Technical Reference: reference.md
+  - Architecture Reference: architecture.md
+  - Security Statement: security.md
 
 plugins:
   - search

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "wraith-cli"
-version = "1.2.0"
+version = "1.3.0"
 description = "Sovereign Command Centre for a Ghost Stack"
 readme = "README.md"
 requires-python = ">=3.12"
@@ -41,11 +41,11 @@ wraith = "wraith_cli.main:app"
 [project.optional-dependencies]
 dev = [
     "ruff",
+    "ty",
     "pytest",
     "pytest-cov",
     "pre-commit",
     "commitizen",
-    "mypy",
     "types-requests",
     "detect-secrets",
     "mkdocs<=2.0",
@@ -56,34 +56,22 @@ dev = [
 
 [tool.pytest.ini_options]
 xfail_strict = true
-addopts = ["--cov=src", "--cov-report=term-missing", "--tb=short"]
+addopts = ["--cov=wraith_cli", "--cov-report=term-missing", "--tb=short"]
 pythonpath = ["src"]
 
 [tool.ruff]
 line-length = 79
 target-version = "py312"
+preview = true
 
 [tool.ruff.lint]
-select = ["E", "F", "I"]
+select = ["E", "F", "I", "N", "UP", "B"]
 ignore = []
 
 [tool.ruff.format]
 quote-style = "double"
 indent-style = "space"
 
-[tool.mypy]
-# The "Strict" setting enforces type hints everywhere
-strict = true
-python_version = "3.12"
-
-# Don't moan about missing stubs for libraries that don't have them
-ignore_missing_imports = true
-
-# Make sure we don't accidentally leave 'any' types in the code
-disallow_untyped_defs = true
-disallow_incomplete_defs = true
-warn_unused_ignores = true
-
 [tool.hatch.build.targets.wheel]
 packages = ["src/wraith_cli"]
 

{wraith_cli-1.2.0 → wraith_cli-1.3.0}/src/wraith_cli/main.py

@@ -2,7 +2,7 @@ import os
 import subprocess
 from importlib.metadata import version as get_local_version
 from pathlib import Path
-from typing import Optional
+from typing import Annotated
 
 import requests
 import typer
@@ -12,7 +12,22 @@ from rich.markdown import Markdown
 from rich.panel import Panel
 from rich.text import Text
 
-from wraith_cli import qol, repo_make
+from wraith_cli import qol, repo_make, shield
+
+SOVEREIGN_ADVISORY = """
+## 🛡️ Sovereign Security Advisory – Please Read
+
+**Wraith-CLI** is your stack’s nervous system and has sharp edges.
+The commands in this toolkit can wipe runner data (`runner-reset`),
+view across all containers (`ps`), and expose sensitive stack paths.
+
+**A bad config or unintended command can destabilise your core stack.**
+
+Recommended baseline:
+- Use strong passphrases on private keys if exposed to Wraith.
+- Sandboxed execution where possible for third-party modules.
+- Audit environment variable scope (`GITEA_COMPOSE_PATH`, etc.)
+"""
 
 # Load environment variables from .env
 load_dotenv()
@@ -42,22 +57,6 @@ def version_callback(value: bool):
         raise typer.Exit()
 
 
-SECURITY_WARNING = """
-## 🛡️ Sovereign Security Advisory – Please Read
-
-**Wraith-CLI** is your stack’s nervous system and has sharp edges.
-The commands in this toolkit can wipe runner data (`runner-reset`),
-view across all containers (`ps`), and expose sensitive stack paths.
-
-**A bad config or unintended command can destabilise your core stack.**
-
-Recommended baseline:
-- Use strong passphrases on private keys if exposed to Wraith.
-- Sandboxed execution where possible for third-party modules.
-- Audit environment variable scope (`GITEA_COMPOSE_PATH`, etc.)
-"""
-
-
 def print_wraith_welcome():  # pragma: no cover
     """Renders the definitive OpenClaw-inspired Sovereign splash."""
     console = qol.console
@@ -85,27 +84,14 @@ def print_wraith_welcome():  # pragma: no cover
     )
     console.print("\n")
 
-    SOVEREIGN_ADVISORY = """
-## Sovereign Security Advisory – Please Read
-
-**Wraith-CLI** is your stack’s nervous system and has sharp edges.
-The commands in this toolkit can wipe runner data (`runner-reset`),
-view across all containers (`ps`), and expose sensitive stack paths.
-
-**A bad config or unintended command can destabilise your core stack.**
-
-Recommended baseline:
-- Use strong passphrases on private keys if exposed to Wraith.
-- Sandboxed execution where possible for third-party modules.
-- Audit environment variable scope (`GITEA_COMPOSE_PATH`, etc.)
-"""
     md = Markdown(SOVEREIGN_ADVISORY)
 
     panel = Panel(
         md,
-        title=f"""
-Wraith Orchestrator – [bright_black]v{local_v} Advisory[/bright_black]
-""",
+        title=(
+            "Wraith Orchestrator – "
+            f"[bright_black]v{local_v} Advisory[/bright_black]"
+        ),
         border_style="bright_black",
         padding=(1, 2),
     )
@@ -117,13 +103,15 @@ Wraith Orchestrator – [bright_black]v{local_v} Advisory[/bright_black]
 @app.callback(invoke_without_command=True)
 def main(
     ctx: typer.Context,
-    version: Optional[bool] = typer.Option(
-        None,
-        "--version",
-        callback=version_callback,
-        is_eager=True,
-        help="Show version and exit.",
-    ),
+    version: Annotated[
+        bool | None,
+        typer.Option(
+            "--version",
+            callback=version_callback,
+            is_eager=True,
+            help="Show version and exit.",
+        ),
+    ] = None,
 ):
     """
     [bold green]Wraith-CLI[/bold green]
@@ -174,7 +162,9 @@ def update():
 
 @app.command()
 def ps(
-    all: bool = typer.Option(False, "--all", "-a", help="Show all containers"),
+    all: Annotated[
+        bool, typer.Option("--all", "-a", help="Show all containers")
+    ] = False,
 ):
     """View Docker process list with Sovereign styling."""
     cmd = ["docker", "ps"]
@@ -198,13 +188,15 @@ def tail(
     service: str = typer.Argument(
         ..., help="Service name (e.g., ollama, gitea)"
     ),
-    path: Optional[Path] = typer.Option(
-        None,
-        "--path",
-        "-p",
-        envvar="WRAITH_COMPOSE_PATH",
-        help="Path to the directory containing docker-compose.yml",
-    ),
+    path: Annotated[
+        Path | None,
+        typer.Option(
+            "--path",
+            "-p",
+            envvar="WRAITH_COMPOSE_PATH",
+            help="Path to directory with docker-compose.yml.",
+        ),
+    ] = None,
 ):
     """Tail logs for any service in your stack.
     Priority:
@@ -270,6 +262,10 @@ def spawn(
         )
         raise typer.Exit(1)
 
+    assert GITEA_API_URL is not None
+    assert GITEA_TOKEN is not None
+    assert GITEA_TEMPLATE_URL is not None
+
     target_dir = Path.cwd() / repo_name
     typer.echo(f"👻 Spawning '{repo_name}' from Repo Factory...")
 
@@ -294,11 +290,50 @@ def spawn(
 
     except FileExistsError as e:
         typer.secho(f"❌ Error: {e}", fg="red")
-        raise typer.Exit(1)
+        raise typer.Exit(1) from e
     except Exception as e:
         typer.secho(f"❌ Critical Failure: {e}", fg="red")
-        raise typer.Exit(1)
+        raise typer.Exit(1) from e
+
+
+@app.command()
+def logs(
+    health: Annotated[
+        bool,
+        typer.Option(
+            "--health", help="Pull SMART data summary from Scrutiny API"
+        ),
+    ] = False,
+):
+    """View stack logs or bare-metal health status."""
+    if health:
+        typer.echo("🔍 Polling Bare-Metal SMART data via Scrutiny...")
+        health_table = shield.get_scrutiny_health()
+        qol.console.print(health_table)
+    else:
+        typer.echo(
+            "Use 'wraith tail <service>' for container logs. Pass --health for drive health."
+        )
+
+
+@app.command()
+def mesh():
+    """Checks Tailscale status and lists active peers in the Ghost Mesh."""
+    typer.echo("🌐 Querying Ghost Mesh (Tailscale)...")
+    mesh_table = shield.get_tailscale_mesh()
+    qol.console.print(mesh_table)
+
+
+@app.command()
+def audit():
+    """
+    Checks for containers running as root or exposed ports not in your
+    Registry Spec.
+    """
+    typer.echo("🛡️ Initiating Sovereign Security Audit...")
+    audit_table = shield.run_security_audit()
+    qol.console.print(audit_table)
 
 
-if __name__ == "__main__":
+if __name__ == "__main__":  # pragma: no cover
     app()

wraith_cli-1.3.0/src/wraith_cli/shield.py

@@ -0,0 +1,187 @@
+import json
+import os
+import subprocess
+import requests
+from rich.table import Table
+
+# Pull from .env, fallback to the Ghost Stack default port
+SCRUTINY_URL = os.getenv("SCRUTINY_URL", "http://127.0.0.1:8090")
+
+def get_scrutiny_health() -> Table:
+    """Fetches SMART data from the Scrutiny API and formats it.
+
+    Returns:
+        Table: A rich Table object containing device health information.
+    """
+    table = Table(
+        title="Scrutiny SMART Health",
+        border_style="bright_black",
+        header_style="bold green",
+    )
+    table.add_column("Device")
+    table.add_column("Capacity")
+    table.add_column("Temp")
+    table.add_column("Status")
+
+    try:
+        # Scrutiny summary API endpoint
+        response = requests.get(f"{SCRUTINY_URL}/api/summary", timeout=5)
+        response.raise_for_status()
+        data = response.json()
+        
+        devices = data.get("data", {}).get("summary", {})
+        if not devices:
+            table.add_row("No devices found.", "-", "-", "-")
+            return table
+
+        for wwn, device in devices.items():
+            name = device.get("device", {}).get("name", "Unknown")
+            capacity_bytes = device.get("device", {}).get("capacity", 0)
+            capacity_tb = f"{(capacity_bytes / (10**12)):.1f} TB" if capacity_bytes else "Unknown"
+            
+            temp = str(device.get("smart", {}).get("temp", "N/A")) + "°C"
+            status = device.get("smart", {}).get("status", "Unknown")
+            
+            # Sovereign styling for status
+            status_color = "green" if status.lower() == "passed" else "red"
+            formatted_status = f"[{status_color}]{status.upper()}[/{status_color}]"
+            
+            table.add_row(name, capacity_tb, temp, formatted_status)
+            
+    except requests.exceptions.RequestException as e:
+        table.add_row(f"[red]API Error: {e}[/red]", "-", "-", "-")
+
+    return table
+
+
+def get_tailscale_mesh() -> Table:
+    """Pulls Tailscale status via JSON and formats active peers.
+
+    Returns:
+        Table: A rich Table object containing Tailscale mesh peer status.
+    """
+    table = Table(
+        title="Ghost Mesh (Tailscale)",
+        border_style="bright_black",
+        header_style="bold green",
+    )
+    table.add_column("Hostname")
+    table.add_column("Tailscale IP")
+    table.add_column("OS")
+    table.add_column("Status")
+
+    try:
+        result = subprocess.run(
+            ["tailscale", "status", "--json"],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        data = json.loads(result.stdout)
+        
+        peers = data.get("Peer", {})
+        for peer_id, peer_data in peers.items():
+            hostname = peer_data.get("HostName", "Unknown")
+            ip = peer_data.get("TailscaleIPs", ["Unknown"])[0]
+            os_name = peer_data.get("OS", "Unknown")
+            is_online = peer_data.get("Online", False)
+
+            status_str = (
+                "[green]Online[/green]"
+                if is_online
+                else "[bright_black]Offline[/bright_black]"
+            )
+
+            table.add_row(hostname, ip, os_name, status_str)
+            
+    except Exception as e:
+        table.add_row(f"[red]Mesh Error: {e}[/red]", "-", "-", "-")
+
+    return table
+
+
+def run_security_audit() -> Table:
+    """Checks for containers running as root or highly exposed ports.
+
+    Returns:
+        Table: A rich Table object with security audit results.
+    """
+    table = Table(
+        title="Sovereign Security Audit",
+        border_style="bright_black",
+        header_style="bold green",
+    )
+    table.add_column("Container")
+    table.add_column("User")
+    table.add_column("Exposed Ports")
+    table.add_column("Verdict")
+
+    try:
+        # Get all running container IDs
+        ps_result = subprocess.run(
+            ["docker", "ps", "-q"],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        container_ids = [cid for cid in ps_result.stdout.split("\n") if cid]
+
+        if not container_ids:
+            table.add_row("No running containers.", "-", "-", "-")
+            return table
+
+        # Inspect all at once
+        inspect_result = subprocess.run(
+            ["docker", "inspect"] + container_ids,
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        containers = json.loads(inspect_result.stdout)
+
+        for c in containers:
+            name = c["Name"].lstrip("/")
+            
+            # Check User
+            user = c["Config"].get("User", "")
+            if not user or user == "0" or user == "root":
+                user_disp = "[red]ROOT[/red]"
+                is_root = True
+            else:
+                user_disp = f"[green]{user}[/green]"
+                is_root = False
+                
+            # Check Ports (Simplified: grabs bindings)
+            ports = c["NetworkSettings"].get("Ports", {})
+            exposed = []
+            for port, bindings in ports.items():
+                if bindings:
+                    for b in bindings:
+                        host_ip = b.get("HostIp", "")
+                        host_port = b.get("HostPort", "")
+                        # Flag if exposed globally (0.0.0.0) vs. locally.
+                        if host_ip == "0.0.0.0" or host_ip == "":
+                            exposed.append(
+                                f"[yellow]{host_port}->{port} (Global)[/yellow]"
+                            )
+                        else:
+                            exposed.append(f"{host_port}->{port}")
+            
+            port_disp = ", ".join(exposed) if exposed else "Internal Only"
+            
+            # Determine Verdict
+            if is_root and "Global" in port_disp:
+                verdict = "[red]CRITICAL: Root + Global Port[/red]"
+            elif is_root:
+                verdict = "[yellow]WARNING: Root Context[/yellow]"
+            elif "Global" in port_disp:
+                verdict = "[yellow]WARNING: Global Exposure[/yellow]"
+            else:
+                verdict = "[green]SECURE[/green]"
+
+            table.add_row(name, user_disp, port_disp, verdict)
+
+    except Exception as e:
+        table.add_row(f"[red]Audit Error: {e}[/red]", "-", "-", "-")
+
+    return table