feat(sdk/python): API parity with sdk/rust + guest-agent (0.5.4b1) #695
Draft
Leechael wants to merge 7 commits into
Replace the hard-coded "0.5.2" string in dstack_client.py with
importlib.metadata.version("dstack-sdk") so the User-Agent header always
matches the installed pyproject version. Falls back to "0.0.0+unknown"
when running uninstalled.
Expose the two AppInfo proto fields (15, 16) added on dstack OS >= 0.5.7 so Python callers can identify the cloud provider that hosts the CVM. Both default to empty string for backward compatibility with older guest agents that omit them. Mirrors the JS SDK change in f5ad5be.
Extend get_tls_key with the three GetTlsKeyArgs proto fields (6/7/8) added on dstack OS >= 0.5.7. New params are kw-only so positional call sites keep working unchanged. When any new option is provided, the SDK probes the Version RPC first and raises a clear error on older OS images that lack it (same gating pattern as ed25519 key derivation). Mirrors the JS SDK change in dc5fc21.
Replace the stub (always returned None) with a real secp256k1 + Keccak256 implementation backed by eth-keys + eth-utils. Adds the timestamped signature_v1 path the KMS now emits to defeat replay, while keeping a verify_env_encrypt_public_key_legacy fallback (with DeprecationWarning) for older KMS builds.
BREAKING CHANGES:
- verify_env_encrypt_public_key now requires a `timestamp: int` arg and performs real signature recovery. Callers using the old 3-arg form must switch to verify_env_encrypt_public_key_legacy (deprecated).
- verify_signature_simple has been removed. It was an always-True placeholder that did no real verification.
eth-keys and eth-utils are added to core dependencies (both pure-Python, already used by vmm-cli for the same flow). Round-trip and known-vector tests cover signature length, timestamp expiry/skew, custom max_age, malformed app_id, and tamper detection. Mirrors the JS SDK behavior in 3539db3 + 24eccb4.
ethereum.py only imports eth_account. Pulling all of web3 (aiohttp, websockets, requests, urllib3, ...) for one helper is wasteful — drop ~780 lines from the lockfile by depending on eth-account directly. Users still get the same to_account / to_account_secure entrypoint with no API change. The 'all' / 'eth' / 'ethereum' extras now resolve to eth-account>=0.13.0.
Rebuild the README around the current capability set, matching the recently-rewritten JS README (7536c6c). Highlights:
- Installation extras table (ethereum, solana, all + aliases).
- New surface coverage: attest, sign/verify, version, is_reachable, emit_event, cloud_vendor/cloud_product on info, not_before/not_after/with_app_info on get_tls_key (with version-gating note).
- KMS env-encrypt section walks through the signature_v1 timestamp flow with a legacy fallback, replacing the stub-era guidance.
- Adds a Compatibility table tying each feature to its required dstack OS version.
Reviewed for AI slop, passive voice, redundant phrases, and sentence length per the doc-review/copy rule set.
Test release covering the API-parity work in this PR:
- importlib.metadata-backed __version__
- cloud_vendor / cloud_product on InfoResponse
- not_before / not_after / with_app_info on get_tls_key (0.5.7+ gated)
- real ECDSA recovery in verify_env_encrypt_public_key, with timestamp v1 + legacy fallback (BREAKING: 4th positional arg required; the old no-op verify_signature_simple is removed)
- ethereum extras now resolve to eth-account instead of full web3
Stacked on #690. Base branch: feat/sdk-release-workflows.

Brings the Python SDK in line with `sdk/rust` and the `guest-agent` 0.5.7 proto, mirroring the JS work that landed in #690.

Atomic commits

- `chore(sdk/python): read __version__ from package metadata` — drops the hard-coded `"0.5.2"` that was drifting from `pyproject.toml`; uses `importlib.metadata`.
- `feat(sdk/python): surface cloud_vendor and cloud_product on InfoResponse` — exposes `AppInfo` proto fields 15/16 (dstack OS >= 0.5.7).
- `feat(sdk/python): add not_before/not_after/with_app_info TLS key options` — kw-only params backed by a `Version`-RPC gate, same pattern as ed25519 algorithm gating.
- `feat(sdk/python)!: real ECDSA recovery for verify_env_encrypt_public_key` — breaking change: `verify_env_encrypt_public_key` now requires a `timestamp: int` arg and performs real secp256k1 + Keccak256 recovery (eth-keys + eth-utils).
  - `verify_env_encrypt_public_key_legacy` (DeprecationWarning) for old KMS builds.
  - `verify_signature_simple` (was an always-True stub).
  - `eth-keys` + `eth-utils` to core deps (pure Python; vmm-cli already ships them).
- `chore(sdk/python): trim ethereum extras from web3 to eth-account` — `ethereum.py` only ever used `eth_account`; drops ~780 lines from the lockfile.
- `docs(sdk/python): rewrite README for 0.5.4b1 API surface` — covers the new API surface and adds a Compatibility table tying each feature to its required OS version.
- `chore(sdk/python): bump to 0.5.4b1 for API parity beta` — test release.

Breaking changes

Two surface-level breaks, both isolated to the env-encrypt verification helper:

`verify_env_encrypt_public_key(public_key, signature, app_id)`
`verify_env_encrypt_public_key(public_key, signature, app_id, timestamp, *, max_age_seconds=300)`
`verify_signature_simple(...)`

Callers stuck on legacy non-timestamped signatures can use the new `verify_env_encrypt_public_key_legacy()` helper (emits a `DeprecationWarning`).

Test plan

- `sdk/python` job
- `pytest tests/test_verify_env_encrypt_public_key.py` — 17 passed locally
- `pytest tests/test_client.py::test_get_tls_key_*` — 3 mock-based payload tests passed
- `pdm install` (default group only, no extras)
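
The replay defence behind the new `timestamp` and `max_age_seconds=300` parameters, as an added example that is not code from this PR or the dstack SDK: HMAC-SHA256 stands in for the secp256k1 + Keccak256 recovery so it runs on the standard library alone. The message layout, `PREFIX`, `DEMO_KEY`, `max_skew_seconds` and the `sign`/`verify` names are assumptions.

```python
import hashlib
import hmac
import time

# All names here are hypothetical. HMAC-SHA256 stands in for the secp256k1 +
# Keccak256 recovery named in the PR so the example needs only the stdlib.
DEMO_KEY = b"constructed-demo-key"      # constructed value, not a real KMS key
PREFIX = b"demo-env-encrypt-pubkey"     # assumed domain-separation prefix


def _message(public_key: bytes, app_id: bytes, timestamp: int) -> bytes:
    # The timestamp is inside the signed bytes, so editing it breaks the signature.
    return PREFIX + b":" + app_id + timestamp.to_bytes(8, "big") + public_key


def sign(public_key: bytes, app_id: bytes, timestamp: int) -> bytes:
    """Signer side (stand-in for the KMS)."""
    msg = _message(public_key, app_id, timestamp)
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()


def verify(public_key: bytes, signature: bytes, app_id_hex: str, timestamp: int,
           *, max_age_seconds: int = 300, max_skew_seconds: int = 60,
           now=None) -> bool:
    """Return True only for an authentic response inside the freshness window."""
    now = int(time.time()) if now is None else now
    hex_part = app_id_hex[2:] if app_id_hex.startswith("0x") else app_id_hex
    try:
        app_id = bytes.fromhex(hex_part)
    except ValueError:
        return False                     # malformed app_id
    if not 0 <= timestamp < 2**64:
        return False                     # does not fit the 8-byte field
    if timestamp > now + max_skew_seconds:
        return False                     # dated in the future beyond clock skew
    if now - timestamp > max_age_seconds:
        return False                     # stale: a replayed old response
    expected = sign(public_key, app_id, timestamp)
    return hmac.compare_digest(expected, signature)
```

A captured response fails once it is older than `max_age_seconds`, and rewriting its timestamp to look fresh fails the signature comparison instead.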