zeno-cli 0.3.7__tar.gz → 0.3.8__tar.gz

{zeno_cli-0.3.7 → zeno_cli-0.3.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: zeno-cli
-Version: 0.3.7
+Version: 0.3.8
 Summary: Zeno CLI - measure the supervision cost of AI-assisted work
 Project-URL: Homepage, https://zeno.center
 Project-URL: Repository, https://github.com/Marwan01/zeno

{zeno_cli-0.3.7 → zeno_cli-0.3.8}/_vendor_build/zeno_sdk/_generated/client.py

@@ -574,6 +574,20 @@ class ZenoApiClient:
             headers=headers,
         )
 
+    def capture_recent(self, *, limit: str | None = None) -> dict[str, Any]:
+        """GET /v1/capture/recent"""
+        query: dict[str, str] | None = None
+        headers: dict[str, str] | None = None
+        query = {}
+        if limit is not None:
+            query["limit"] = str(limit)
+        return self._request(
+            "GET",
+            "/v1/capture/recent",
+            query=query,
+            headers=headers,
+        )
+
     def capture_stream(self) -> dict[str, Any]:
         """GET /v1/capture/stream"""
         query: dict[str, str] | None = None

{zeno_cli-0.3.7 → zeno_cli-0.3.8}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "zeno-cli"
-version = "0.3.7"
+version = "0.3.8"
 description = "Zeno CLI - measure the supervision cost of AI-assisted work"
 readme = "README.md"
 requires-python = ">=3.12"

{zeno_cli-0.3.7 → zeno_cli-0.3.8}/src/zeno_cli/_hooks/cc_bridge.py

@@ -279,13 +279,21 @@ def _idempotency_key(body: dict) -> str:
     return f"{body['device_id']}:{body['session_id']}:{entity}"
 
 
-def _post_ingest(body: dict, timeout_s: float, token: str | None = None) -> bool:
+# Sentinel for "token not supplied -> resolve it here", distinct from a resolved
+# None ("no token, tailnet path"). Lets _maybe_push pass the once-resolved value
+# (str OR None) down so neither the public nor the Mini path re-reads the keyring
+# per drained line.
+_UNSET = object()
+
+
+def _post_ingest(body: dict, timeout_s: float, token=_UNSET) -> bool:
     """POST one ingest body. Returns True on a 2xx, False on any failure. Never
     raises (all exceptions -> False). urllib + an explicit socket timeout only.
 
     ``token`` is the pre-resolved bearer (see _maybe_push); pass it so a drain of
     many spooled lines does not re-read the OS keyring per line. When omitted
-    (direct callers/tests) it is resolved once here.
+    (_UNSET; direct callers/tests) it is resolved once here. An explicit None means
+    "no token" (tailnet path) and is used as-is without re-resolving.
     """
     url = _api_base_url() + SYNC_PATH
     data = json.dumps(body).encode("utf-8")
@@ -296,10 +304,9 @@ def _post_ingest(body: dict, timeout_s: float, token: str | None = None) -> bool
     # Attach the Clerk bearer token when one is available so the push authenticates
     # against a public API (Cloud Run). Absent it (tailnet Mini), the push relies on
     # the identity header the `tailscale serve` proxy injects - unchanged behavior.
-    if token is None:
-        token = _api_token()
-    if token:
-        headers["Authorization"] = "Bearer " + token
+    resolved = _api_token() if token is _UNSET else token
+    if resolved:
+        headers["Authorization"] = "Bearer " + resolved
     req = urllib.request.Request(
         url,
         data=data,
@@ -348,7 +355,7 @@ def _trim_outbox(path: Path) -> None:
         _debug(f"trim_outbox failed: {exc}")
 
 
-def _drain_outbox(timeout_s: float, token: str | None = None) -> None:
+def _drain_outbox(timeout_s: float, token=_UNSET) -> None:
     """After a live push, best-effort + time-boxed drain of a few spooled lines.
     Pushes oldest-first; stops at the budget, the line cap, or the first failure
     (so an offline window doesn't re-spin). Rewrites the outbox with the remainder.

{zeno_cli-0.3.7 → zeno_cli-0.3.8}/src/zeno_cli/login.py

@@ -18,17 +18,17 @@ apps/api/src/zeno_api/auth.py).
 
 The security control on the callback today is the CSRF `state` token (browser +
 loopback, state-CSRF) - NOT PKCE. The bridge returns the token directly in the
-redirect; there is no authorization-code-for-token exchange, so a PKCE verifier
-would be unused theater. TODO: when the dashboard `/cli/authorize` bridge ships,
-implement a real OAuth code-for-token exchange (PKCE S256: send a code_challenge,
-receive a short-lived auth code on the callback, then POST code + code_verifier
-to the bridge to redeem the JWT) instead of receiving the token in the URL.
-
-OUT OF SCOPE / FOLLOW-UP: the dashboard `/cli/authorize` bridge page and the
-Clerk `zeno-api` JWT template do NOT exist yet. They are the only missing
-pieces for an end-to-end login. This module is fully unit-testable without them
-because `authorize_url` is injectable (env `ZENO_LOGIN_AUTHORIZE_URL`, flag
-`--authorize-url`) and the loopback leg is driven by a fake "browser" in tests.
+redirect to the localhost loopback; there is no authorization-code-for-token
+exchange, so a PKCE verifier would be unused theater. FOLLOW-UP (hardening): a
+real OAuth code-for-token exchange (PKCE S256: send a code_challenge, receive a
+short-lived auth code on the callback, then POST code + code_verifier to the
+bridge to redeem the JWT) instead of receiving the token in the URL.
+
+LIVE: the dashboard `/cli/authorize` bridge page (apps/cognition-dashboard) and
+the Clerk `zeno-api` JWT template both exist; `DEFAULT_AUTHORIZE_URL` points at
+the deployed bridge. The module stays fully unit-testable because `authorize_url`
+is injectable (env `ZENO_LOGIN_AUTHORIZE_URL`, flag `--authorize-url`) and the
+loopback leg is driven by a fake "browser" in tests.
 """
 
 from __future__ import annotations