Cohesix Python Support (0.9.0-beta As-Built)

The cohesix Python client is a thin, non-authoritative wrapper over existing Cohesix console and filesystem semantics. It does not introduce new control-plane behavior; it mirrors the same verbs, bounds, and error rules enforced by cohsh and Secure9P.

This document reflects the 0.9.0-beta release line (Milestones 25c/25e/25g plus TCP/auth hardening).

Milestone 25e adds offline integration kit examples that validate and export evidence packs for CI and SIEM ingestion.

Concise real-world examples

These are intentionally short, copy/paste commands that map to production activities.

1) Run a release-control dry run for a large Mac fleet

cohesix-playbook --playbook mac-release-factory --dry-run --mock

Outcome: validates scheduler/approval orchestration and emits a report/audit pair you can inspect before live rollout.

2) Drive Jetson traffic safety orchestration through the REST gateway

cohesix-playbook \
  --playbook jetson-traffic-safety \
  --auth-token "$HIVE_GATEWAY_REQUEST_AUTH_TOKEN" \
  --rest-url http://127.0.0.1:8080

Outcome: executes bounded control writes (schedule + lease) and captures auditable results under out/examples/playbooks/.

3) Run a closed-loop mixed-fleet AI factory plan

cohesix-playbook --playbook mixed-closed-loop-ai-factory --dry-run --mock

Outcome: validates Mac-train + Jetson-infer coordination logic without touching live control files.

4) Programmatically enqueue schedule + lease controls from Python

from cohesix import CohesixOrchestrator, ScheduleRequest, LeaseRequest

with CohesixOrchestrator.from_env() as orch:
    orch.enqueue_schedule([
        ScheduleRequest("sched-edge-1", "worker-gpu", priority=6, ticks=6, budget_ms=180)
    ])
    orch.apply_leases([
        LeaseRequest(
            op="grant",
            lease_id="lease-edge-1",
            subject="queen",
            resource="gpu0",
            ttl_s=300,
            priority=6,
        )
    ])

Outcome: integrates directly into existing Python jobs without inventing new control semantics.

5) Pull host integration telemetry snapshot and ship it through the playbook flow

from cohesix.integrations import collect_host_snapshot, snapshot_to_ndjson

snapshot = collect_host_snapshot(
    systemd_services=["cohesix-agent.service"],
    include_docker=True,
    include_k8s=True,
    include_nvml=True,
    include_peft=True,
)
print(snapshot_to_ndjson(snapshot))

Outcome: gives one normalized snapshot envelope for service health, containers, pods, GPU state, and PEFT runtime readiness.

Scope and guarantees

• Non-authoritative: all behavior maps to existing console/9P semantics.
• Bounded: limits are derived from manifest-backed defaults generated by coh-rtc.
• Host-side only: the client runs outside the VM.

Related docs

• docs/HOST_TOOLS.md — host tool semantics, policy gates, mounts, and interdependencies.
• docs/API_GUIDELINES.md — REST gateway scope and connectivity checks.
• docs/OPERATOR_WALKTHROUGH.md — operator lifecycle and recovery flow.
• tools/cohesix-py/README.md — Python quickstart and copy/paste examples.

Where it lives

• Source tree: tools/cohesix-py/
• Release bundle: python/cohesix-py/ (see bundle QUICKSTART.md)
• Examples: tools/cohesix-py/examples/ (bundle: python/cohesix-py/examples/)

Examples below use bundle paths (./bin/<tool>). In the source tree, replace ./bin with out/cohesix/host-tools (staged) or target/<profile> (manual).

Backends

• TcpBackend: connects to the TCP console (AUTH + ATTACH) and issues console verbs.
• FilesystemBackend: operates on a mounted Secure9P namespace (via coh mount).
• RestBackend: uses the hive-gateway REST projection (host-only).
• MockBackend: deterministic in-memory filesystem for tests/examples.

Orchestration APIs (Milestone 25c / 25g)

• CohesixOrchestrator: typed wrappers for /actions/queue, /queen/schedule/ctl, /queen/lease/ctl, and /queen/export/ctl.
• read_proc_snapshot(): bounded reads for /proc/schedule/* and /proc/lease/*.
• from_env(): backend auto-discovery using environment variables.
• playbooks: built-in high-impact playbooks and an execution helper that can push host snapshots into telemetry.
• HostTicketRequest: typed host control ticket payloads for /host/tickets/spec (host-ticket/v1).
• K8sRbacIntent: RBAC-scoped K8s coexistence intents translated to ticket actions (k8s.cordon, k8s.drain, k8s.lease.sync).
• enqueue_host_tickets() and enqueue_k8s_rbac_tickets(): bounded, append-only host ticket writers with manifest/default guardrails.

Ticket translation example:

from cohesix import CohesixOrchestrator, K8sRbacIntent

with CohesixOrchestrator.from_env() as orch:
    orch.enqueue_k8s_rbac_tickets(
        [
            K8sRbacIntent(
                intent_id="intent-node-1-cordon",
                subject="ops-user",
                namespace="edge-a",
                node="node-1",
                verb="cordon",
            )
        ]
    )

Host integration adapters (Milestone 25c)

• systemd service probes (systemctl show).
• Docker container probes (SDK-first, CLI fallback).
• Kubernetes pod probes (SDK-first, kubectl fallback).
• NVML/NVIDIA probes (pynvml first, nvidia-smi fallback).
• PEFT runtime package probes (torch, transformers, peft, accelerate, bitsandbytes).

Backend matrix

| Backend | Requires | Best for | Notes | | — | — | — | — | | TcpBackend | QEMU + TCP console | Direct console automation | Single-client console. Do not run cohsh, swarmui, or hive-gateway concurrently. | | RestBackend | QEMU + hive-gateway | HTTP clients and OpenAPI tooling | Gateway itself holds the console. | | FilesystemBackend | coh mount (FUSE) | Air-gapped or file-shaped integrations | Mount is long-running and stays in the foreground. | | MockBackend | None | CI, demos, first-run validation | No VM involved; uses an in-process backend. |

Choosing a backend

• Use MockBackend for CI, demos, and first-run validation.
• Use TcpBackend for direct console access (same semantics as cohsh).
• Use FilesystemBackend for air-gapped workflows that rely on a mounted Secure9P namespace.
• Use RestBackend when you need HTTP access without adding new semantics.

Operational interdependencies (read first for live runs)

• The TCP console is single-client. If a tool already holds it, other TCP clients will block or fail.
• The REST gateway is a console client. Do not run it concurrently with cohsh, swarmui, or TcpBackend.
• Policy gating may require approvals in /actions/queue before writes to /queen/ctl.
• /gpu/* appears only after gpu-bridge-host --publish runs; /host/* appears only after host-sidecar-bridge runs.
• Mock mode does not talk to the VM. Do not mix --mock with live flags in the same session.

Install

Source tree (editable):

python3 -m pip install -e tools/cohesix-py

Source tree (editable + integration extras):

python3 -m pip install -e 'tools/cohesix-py[integrations]'

Source tree (editable + PEFT extras):

python3 -m pip install -e 'tools/cohesix-py[ml]'

Release bundle:

python3 -m pip install ./python/cohesix-py

Per-host .venv setup (macOS/Linux)

Create an isolated environment in the repo root before running tests/examples:

python3 -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip setuptools wheel
python -m pip install -e 'tools/cohesix-py[dev]'

If you need host integration and ML adapters:

python -m pip install -e 'tools/cohesix-py[dev,integrations,ml]'

Quick verification:

.venv/bin/python -m pytest tools/cohesix-py/tests/test_auth.py -q

Notes:

• zsh users should keep extras quoted (for example, 'tools/cohesix-py[dev]').
• Python >=3.11 is required.

Playbook CLI

The package now ships cohesix-playbook for one-command orchestration templates:

cohesix-playbook --list
cohesix-playbook --playbook mixed-closed-loop-ai-factory --dry-run --mock
cohesix-playbook --playbook jetson-traffic-safety --tcp-host 127.0.0.1 --tcp-port 31337

Reports are written under out/examples/playbooks/<playbook-id>/.

Common example flags

All bundled examples share the same backend arguments:

• --mock and --mock-root (default mock root: out/examples/mockfs)
• --mount-root (FilesystemBackend)
• --rest http://127.0.0.1:8080 (examples) or --rest-url http://127.0.0.1:8080 (cohesix-playbook) for RestBackend
• --tcp-host and --tcp-port (TcpBackend)
• --auth-token (for TCP: explicit token override; otherwise resolve queen secret from manifest, then COH_AUTH_TOKEN, then COHSH_AUTH_TOKEN; placeholder changeme is rejected; for REST: request-auth override)
• --role and --ticket
• --timeout-s and --max-retries (--max-retries applies to TCP auth/attach loops; REST uses manifest/default retry policy)
• --out to override out/examples/ Notes:
• Use only one backend flag group at a time. Do not combine --mock with --tcp-host, --rest, or --mount-root.
• With --rest, --auth-token is used as the gateway request-auth token.
• If --rest is used and --auth-token is not set, RestBackend checks HIVE_GATEWAY_REQUEST_AUTH_TOKEN, COHSH_REST_AUTH_TOKEN, then COH_REST_AUTH_TOKEN.
• For TCP token discovery, manifest candidates are checked first using COH_RTC_MANIFEST, COH_MANIFEST, COHESIX_MANIFEST, then default paths configs/root_task.toml and configs/root_task_regression.toml.
• In live runs, ensure QEMU is running and the console port matches your --tcp-port.

Quickstart (mock mode)

--mock runs the client against a deterministic in-memory backend. It is fast, requires no QEMU, and is ideal for CI and first-run demos.

python3 tools/cohesix-py/examples/lease_run.py --mock
python3 tools/cohesix-py/examples/peft_roundtrip.py --mock
python3 tools/cohesix-py/examples/telemetry_write_pull.py --mock

Artifacts land under out/examples/ unless --out is provided.

Evidence pack integration kits (Milestone 25e)

These examples operate on an evidence pack directory produced by coh evidence pack. Once the pack exists, they run offline (no VM or network required).

cargo run -p coh -- --mock evidence pack --out out/evidence/mock
python3 tools/cohesix-py/examples/ci_evidence_pack.py --pack out/evidence/mock \
  --out out/evidence/mock/ci_summary.json
python3 tools/cohesix-py/examples/siem_export_ndjson.py --pack out/evidence/mock \
  --out out/evidence/mock/siem.ndjson

Live connection requirements (no --mock)

To run against a live Queen, you need:

• A running QEMU VM: scripts/qemu-run.sh (bundle: ./qemu/run.sh)
• A valid console auth token (pass --auth-token, or provide a manifest queen secret via COH_RTC_MANIFEST / COH_MANIFEST / COHESIX_MANIFEST, or set COHSH_AUTH_TOKEN / COH_AUTH_TOKEN)
• Any required host integrations (e.g., GPU bridge if using /gpu)

If policy gating is enabled (see /policy/rules), queue approvals before any control writes to /queen/ctl:

./bin/cohsh --transport tcp --tcp-host 127.0.0.1 --tcp-port 31337 --role queen <<'COH'
echo {"id":"approve-1","target":"/queen/ctl","decision":"approve"} > /actions/queue
COH

Live TCP backend (Queen running)

1) Boot the VM (Mac host, source tree):

scripts/qemu-run.sh

2) Run a Python example against the TCP console:

python3 tools/cohesix-py/examples/lease_run.py \
  --tcp-host 127.0.0.1 --tcp-port 31337

If token resolution is ambiguous, pass --auth-token explicitly.

Note: the TCP console is single-client. Do not attach cohsh, swarmui, or hive-gateway while using the TCP backend.

REST backend (hive-gateway)

1) Start the REST gateway on the host:

COH_TCP_HOST=127.0.0.1 COH_TCP_PORT=31337 COH_AUTH_TOKEN="$COH_AUTH_TOKEN" \
  HIVE_GATEWAY_REQUEST_AUTH_TOKEN=replace-with-real-token \
  COH_ROLE=queen HIVE_GATEWAY_BIND=127.0.0.1:8080 \
  ./bin/hive-gateway

2) Point a Python example at the gateway:

python3 tools/cohesix-py/examples/lease_run.py \
  --rest http://127.0.0.1:8080 \
  --auth-token "$HIVE_GATEWAY_REQUEST_AUTH_TOKEN"

3) (Optional) Verify bounds:

curl -sS http://127.0.0.1:8080/v1/meta/bounds | jq .

Note: the gateway is itself a console client; avoid attaching cohsh or swarmui at the same time. RestBackend retries transient failures by default (429/500/502/503/504 and transient connection errors), using exponential backoff with a Retry-After floor when present.

Filesystem backend (Secure9P mount)

1) Mount the namespace on the host (requires coh mount):

./bin/coh --host 127.0.0.1 --port 31337 mount --at /tmp/coh-mount

2) Use the filesystem backend against that mount:

python3 tools/cohesix-py/examples/lease_run.py --mount-root /tmp/coh-mount

Notes:

• Live mounts require FUSE (a FUSE runtime installed and coh built with FUSE enabled; default on Linux, macOS requires --features fuse plus MacFUSE).
• The mount root is constrained by the manifest allowlist in out/coh_policy.toml.
• The mount process stays in the foreground; use a second terminal or run it in the background.

Bounds and defaults

The client enforces manifest-derived defaults emitted by coh-rtc and embedded in tools/cohesix-py/cohesix/generated.py. These include:

• secure9p.msize, walk depth, and console line/JSON limits
• telemetry ingest caps
• registry and path allowlists

manifest_sha256 from generated defaults is exported in receipts/evidence and can be cross-checked with REST /v1/meta/bounds. Drift prevention is enforced in build/CI by regenerating artifacts from manifest IR (coh-rtc), rather than runtime manifest reloading.

Connectivity checklist (live)

• ping and ls / succeed via your chosen backend.
• /v1/meta/bounds returns manifest_sha256 when using REST.
• /proc/lifecycle/state (or another read-only /proc node) is readable.
• For GPU workflows, /gpu is populated after gpu-bridge-host --publish.
• For host telemetry, /host is populated after host-sidecar-bridge runs.

Tests (parity)

The parity tests verify the Python client matches cohsh behavior byte-for-byte:

python3 -m pytest -k cohesix_parity tools/cohesix-py/tests/test_parity.py

Orchestration/integration/playbook tests:

python3 -m pytest tools/cohesix-py/tests/test_orchestration.py -q
python3 -m pytest tools/cohesix-py/tests/test_integrations.py -q
python3 -m pytest tools/cohesix-py/tests/test_playbooks.py -q

Troubleshooting

• ERR AUTH: set COH_AUTH_TOKEN (or COHSH_AUTH_TOKEN) or pass --auth-token.
• authentication rejected: connection closed before AUTH response: the server closed/reset before returning AUTH status (commonly invalid token or console contention). Verify token source and single-client ownership.
• auth timed out waiting for AUTH response: AUTH frame was sent but no terminal response arrived before retries/timeout.
• ERR ATTACH: your role requires a ticket; pass --ticket or mint one with cohsh --mint-ticket.
• ERR ECHO reason=policy ... EPERM: policy gating requires an approval in /actions/queue.
• Empty /gpu: ensure the host GPU bridge integration is running; use ./bin/gpu-bridge-host --mock --list for mock demos.
• Non-mock PEFT flows require /gpu/models to be visible; run ./bin/gpu-bridge-host --publish ... or coh peft import --publish to refresh the live registry.
• Filesystem backend mount errors: ensure FUSE is installed and coh was built with FUSE enabled.
• REST errors: confirm hive-gateway is running and reachable at /v1/meta/bounds; transient 429/5xx and short network failures are retried automatically.

Real-world use-case playbooks (1k+ workers)

The built-in playbook catalog covers all high-impact use cases defined for Milestone 25d discussions:

• mac-release-factory
• mac-private-peft-grid
• mac-endpoint-compliance
• jetson-traffic-safety
• jetson-manufacturing-safety
• jetson-critical-infra
• mixed-closed-loop-ai-factory
• mixed-medical-edge-ai
• mixed-logistics-digital-twin

Dry-run any playbook with no control writes:

cohesix-playbook --playbook mac-release-factory --dry-run --mock

Run through the example wrapper:

python3 tools/cohesix-py/examples/use_case_playbook.py --playbook mixed-logistics-digital-twin --dry-run --mock

Design alignment

This client exists to lower adoption friction while preserving Cohesix’s core guarantees:

• no new protocols
• no hidden control planes
• deterministic, auditable behavior