@palettelab/cli 0.3.31 → 0.3.33

package/README.md

@@ -249,7 +249,13 @@ def upgrade():
     ensure_org_rls(op, "my_app__invoices")
 ```
 
-Use `ctx.repo(Model)` for org-safe CRUD:
+Use `ctx.db` for the full database feature set. It is the real async
+SQLAlchemy session, scoped by Palette to the app schema and current
+organization, so app code can use Core/ORM queries, joins, aggregates,
+transactions, bulk operations, and raw `text()` SQL. Use migrations for schema
+changes such as tables, indexes, constraints, and types.
+
+Use `ctx.repo(Model)` when simple org-safe CRUD is enough:
 
 ```python
 from fastapi import Depends
@@ -269,12 +275,15 @@ async def create_invoice(body: InvoiceIn, ctx: PluginContext = Depends(get_plugi
 
 Backend SDK features for app-owned data:
 
-- `PluginContext` exposes `user_id`, `organization_id`, `plugin_id`, `permissions`, `config`, `storage`, and `ctx.db`.
+- `PluginContext` exposes `user_id`, `organization_id`, `plugin_id`, `permissions`, `config`, `storage`, `ctx.db`, `ctx.redis`, and `ctx.vector`.
+- `ctx.db` is the full scoped SQLAlchemy `AsyncSession` for app-owned database data.
 - `ctx.repo(Model)` gives org-safe CRUD helpers for app tables.
 - `ctx.data_rooms` gives backend access to Palette Data Rooms without importing platform internals.
 - `ctx.has_permission("...")`, `ctx.has_any_permission([...])`, and `ctx.has_all_permissions([...])` check declared permissions.
 - `ctx.config_value("key")` and `ctx.require_config("key")` read app install/config values.
 - `ctx.secret("KEY")` reads app secrets from config or environment variables.
+- `ctx.redis` gives a Redis-backed, plugin/org-scoped Redis API when `"redis"` is declared in `platform_services`.
+- `ctx.vector` gives a Qdrant-backed, plugin/org-scoped vector API when `"vector"` is declared in `platform_services`.
 - `LifecycleHooks` lets apps define install/update/enable/disable/uninstall hooks.
 - `OrgScopedTable` and `PluginBase` keep app data inside the plugin schema model set.
 
@@ -429,6 +438,9 @@ For developer sandboxes where manual approval should not block OS testing, run t
 `pltt sandbox --env staging` is the same hosted preview flow as
 `pltt dev --sandbox --env staging`.
 
+`pltt preview --env staging` is also supported as a developer-friendly alias
+for the same hosted preview flow.
+
 `pltt dev --platform` runs the full Docker `platform-dev` image for internal platform parity testing. App developers should not need it. It pulls `ghcr.io/palette-lab/platform-dev:latest` and mounts your plugin at `/plugins/<your-id>`.
 
 Environment variables:
@@ -453,7 +465,7 @@ Palette secrets are declared in `palette-plugin.json` and resolved through
     "STRIPE_SECRET": { "scope": "plugin", "required": true },
     "DEBUG_PROBE_URL": { "scope": "dev", "required": false }
   },
-  "platform_services": ["llm", "kv", "storage"]
+  "platform_services": ["llm", "redis", "storage", "vector"]
 }
 ```
 
@@ -462,6 +474,7 @@ Commands:
 ```bash
 pltt secrets init
 pltt secrets set STRIPE_SECRET --env staging --value sk_live_...
+pltt secrets rotate STRIPE_SECRET --env staging --value sk_live_...
 pltt secrets list --env staging
 pltt publish --env staging --secrets-file plugin-secrets.env
 ```
@@ -471,6 +484,31 @@ never uploaded. `plugin` secrets are encrypted by the platform and attached to
 the plugin/environment. `install` secrets are filled by the installing org.
 Frontend bundles may only receive public values such as `NEXT_PUBLIC_*`.
 
+Managed platform services do not require developer Redis/Qdrant keys. Declare
+them and use scoped SDK clients:
+
+```python
+await ctx.redis.set("cart:123", {"items": [1, 2]}, ttl=3600)
+cart = await ctx.redis.get("cart:123")
+
+await ctx.vector.upsert_texts(
+    "products",
+    [{"id": "p1", "text": "Red cotton shirt", "metadata": {"category": "clothing"}}],
+)
+matches = await ctx.vector.search("products", query="red shirt", top_k=5)
+```
+
+The platform rewrites Redis keys and vector filters with `plugin_id` and
+`organization_id`, so create/update/delete/list operations cannot reach another
+app or org's data.
+
+For provider-level Redis features, use `ctx.redis.execute(...)`. It forwards to
+Redis after rewriting key arguments into the plugin/org namespace, and blocks
+server/admin commands such as `FLUSHDB`, `CONFIG`, `KEYS`, and cluster
+management. For advanced Qdrant features, use `ctx.vector.client()` with
+`collection_name()`, `scoped_filter()`, `merge_filter()`, `scoped_payload()`,
+and `scoped_point()` so custom calls remain scoped.
+
 ### `pltt login`
 
 Save a Palette sandbox or production environment URL plus token in `~/.palette/config.json` with file mode `0600`. Environment variables still override the stored token when present.

package/backend-sdk/palette_sdk/__init__.py

@@ -3,6 +3,12 @@
 from palette_sdk.plugin_router import PluginRouter
 from palette_sdk.plugin_context import MissingSecretError, PluginContext, get_plugin_context
 from palette_sdk.data_rooms import DataRoomsClient
+from palette_sdk.platform_services import (
+    LocalRedisService,
+    LocalVectorService,
+    PlatformServiceUnavailable,
+    UnavailablePlatformService,
+)
 from palette_sdk.repository import OrgRepository
 from palette_sdk.lifecycle import LifecycleHooks
 from palette_sdk.tool_definition import ToolDefinition
@@ -36,6 +42,10 @@ __all__ = [
     "MissingSecretError",
     "get_plugin_context",
     "DataRoomsClient",
+    "LocalRedisService",
+    "LocalVectorService",
+    "PlatformServiceUnavailable",
+    "UnavailablePlatformService",
     "OrgRepository",
     "LifecycleHooks",
     "ToolDefinition",
@@ -62,4 +72,4 @@ __all__ = [
     "route_permission_issues",
 ]
 
-__version__ = "0.1.6"
+__version__ = "0.1.7"

package/backend-sdk/palette_sdk/manifest.py

@@ -113,7 +113,7 @@ class PluginManifest(BaseModel):
     tools: list[ToolEntry] = Field(default_factory=list)
     permissions: list[str] = Field(default_factory=list)
     secrets: dict[str, SecretSpec] = Field(default_factory=dict)
-    platform_services: list[Literal["llm", "kv", "storage"]] | dict[str, PlatformServiceSpec] = Field(default_factory=list)
+    platform_services: list[Literal["llm", "redis", "storage", "vector"]] | dict[str, PlatformServiceSpec] = Field(default_factory=list)
     rating: float = 0.0
     reviews: int = 0
     featured: bool = False

package/backend-sdk/palette_sdk/platform_services.py

@@ -0,0 +1,377 @@
+"""Platform-managed services exposed to plugin backends."""
+
+from __future__ import annotations
+
+import hashlib
+import math
+import time
+from dataclasses import dataclass, field
+from typing import Any
+
+
+class PlatformServiceUnavailable(RuntimeError):
+    """Raised when a plugin uses a platform service it did not declare."""
+
+
+class UnavailablePlatformService:
+    def __init__(self, name: str):
+        self.name = name
+
+    def __getattr__(self, attr: str) -> Any:
+        raise PlatformServiceUnavailable(
+            f"ctx.{self.name} is unavailable. Declare platform_services: [\"{self.name}\"] in palette-plugin.json."
+        )
+
+
+@dataclass
+class LocalRedisService:
+    """In-memory Redis-style implementation used by pltt dev."""
+
+    _values: dict[str, tuple[Any, float | None]] = field(default_factory=dict)
+
+    def _expired(self, key: str) -> bool:
+        item = self._values.get(key)
+        if item is None:
+            return True
+        _, expires_at = item
+        if expires_at is not None and expires_at <= time.time():
+            self._values.pop(key, None)
+            return True
+        return False
+
+    def _expires_at(self, ttl: int | None = None) -> float | None:
+        return time.time() + ttl if ttl and ttl > 0 else None
+
+    async def get(self, key: str, default: Any = None) -> Any:
+        if self._expired(key):
+            return default
+        return self._values[key][0]
+
+    def scoped_key(self, key: str) -> str:
+        return key
+
+    def unscoped_key(self, key: str) -> str:
+        return key
+
+    async def execute(self, command: str, *args: Any, **kwargs: Any) -> Any:
+        method = getattr(self, command.lower(), None)
+        if method is None:
+            raise NotImplementedError(f"LocalRedisService does not emulate Redis command {command!r}")
+        return await method(*args, **kwargs)
+
+    async def set(self, key: str, value: Any, ttl: int | None = None, *, nx: bool = False, xx: bool = False) -> bool:
+        exists = not self._expired(key)
+        if nx and exists:
+            return False
+        if xx and not exists:
+            return False
+        self._values[key] = (value, self._expires_at(ttl))
+        return True
+
+    async def delete(self, *keys: str) -> int:
+        count = 0
+        for key in keys:
+            if not self._expired(key) and key in self._values:
+                count += 1
+            self._values.pop(key, None)
+        return count
+
+    async def exists(self, key: str) -> bool:
+        return not self._expired(key)
+
+    async def expire(self, key: str, ttl: int) -> bool:
+        if self._expired(key):
+            return False
+        self._values[key] = (self._values[key][0], self._expires_at(ttl))
+        return True
+
+    async def ttl(self, key: str) -> int:
+        if self._expired(key):
+            return -2
+        expires_at = self._values[key][1]
+        if expires_at is None:
+            return -1
+        return max(0, int(expires_at - time.time()))
+
+    async def incr(self, key: str, amount: int = 1) -> int:
+        value = int(await self.get(key, 0)) + amount
+        await self.set(key, value)
+        return value
+
+    async def decr(self, key: str, amount: int = 1) -> int:
+        return await self.incr(key, -amount)
+
+    async def scan(self, prefix: str = "", limit: int = 100) -> list[str]:
+        out: list[str] = []
+        for key in list(self._values):
+            if self._expired(key):
+                continue
+            if key.startswith(prefix):
+                out.append(key)
+            if len(out) >= limit:
+                break
+        return out
+
+    async def hset(self, key: str, field: str, value: Any) -> int:
+        data = await self.get(key, {})
+        if not isinstance(data, dict):
+            data = {}
+        created = 0 if field in data else 1
+        data[field] = value
+        await self.set(key, data)
+        return created
+
+    async def hget(self, key: str, field: str, default: Any = None) -> Any:
+        data = await self.get(key, {})
+        return data.get(field, default) if isinstance(data, dict) else default
+
+    async def hgetall(self, key: str) -> dict[str, Any]:
+        data = await self.get(key, {})
+        return dict(data) if isinstance(data, dict) else {}
+
+    async def hdel(self, key: str, *fields: str) -> int:
+        data = await self.get(key, {})
+        if not isinstance(data, dict):
+            return 0
+        count = 0
+        for field in fields:
+            if field in data:
+                count += 1
+                data.pop(field, None)
+        await self.set(key, data)
+        return count
+
+    async def lpush(self, key: str, *values: Any) -> int:
+        data = await self.get(key, [])
+        if not isinstance(data, list):
+            data = []
+        data = list(values) + data
+        await self.set(key, data)
+        return len(data)
+
+    async def rpush(self, key: str, *values: Any) -> int:
+        data = await self.get(key, [])
+        if not isinstance(data, list):
+            data = []
+        data.extend(values)
+        await self.set(key, data)
+        return len(data)
+
+    async def lpop(self, key: str, default: Any = None) -> Any:
+        data = await self.get(key, [])
+        if not isinstance(data, list) or not data:
+            return default
+        value = data.pop(0)
+        await self.set(key, data)
+        return value
+
+    async def rpop(self, key: str, default: Any = None) -> Any:
+        data = await self.get(key, [])
+        if not isinstance(data, list) or not data:
+            return default
+        value = data.pop()
+        await self.set(key, data)
+        return value
+
+    async def lrange(self, key: str, start: int = 0, stop: int = -1) -> list[Any]:
+        data = await self.get(key, [])
+        if not isinstance(data, list):
+            return []
+        end = None if stop == -1 else stop + 1
+        return data[start:end]
+
+    async def sadd(self, key: str, *values: Any) -> int:
+        data = await self.get(key, [])
+        if not isinstance(data, list):
+            data = []
+        count = 0
+        for value in values:
+            if value not in data:
+                data.append(value)
+                count += 1
+        await self.set(key, data)
+        return count
+
+    async def srem(self, key: str, *values: Any) -> int:
+        data = await self.get(key, [])
+        if not isinstance(data, list):
+            return 0
+        count = 0
+        for value in values:
+            if value in data:
+                data.remove(value)
+                count += 1
+        await self.set(key, data)
+        return count
+
+    async def smembers(self, key: str) -> list[Any]:
+        data = await self.get(key, [])
+        return list(data) if isinstance(data, list) else []
+
+    async def zadd(self, key: str, mapping: dict[str, float]) -> int:
+        data = await self.get(key, {})
+        if not isinstance(data, dict):
+            data = {}
+        created = 0
+        for member, score in mapping.items():
+            if member not in data:
+                created += 1
+            data[member] = float(score)
+        await self.set(key, data)
+        return created
+
+    async def zrange(self, key: str, start: int = 0, stop: int = -1, *, with_scores: bool = False) -> list[Any]:
+        data = await self.get(key, {})
+        if not isinstance(data, dict):
+            return []
+        rows = sorted(data.items(), key=lambda item: item[1])
+        end = None if stop == -1 else stop + 1
+        sliced = rows[start:end]
+        return sliced if with_scores else [member for member, _score in sliced]
+
+    async def zrem(self, key: str, *members: Any) -> int:
+        data = await self.get(key, {})
+        if not isinstance(data, dict):
+            return 0
+        count = 0
+        for member in members:
+            if member in data:
+                data.pop(member, None)
+                count += 1
+        await self.set(key, data)
+        return count
+
+    async def enqueue(self, key: str, value: Any) -> int:
+        return await self.rpush(key, value)
+
+    async def dequeue(self, key: str, default: Any = None) -> Any:
+        return await self.lpop(key, default)
+
+    async def lock(self, key: str, token: str, ttl: int = 30) -> bool:
+        return await self.set(f"lock:{key}", token, ttl=ttl, nx=True)
+
+    async def unlock(self, key: str, token: str) -> bool:
+        lock_key = f"lock:{key}"
+        if await self.get(lock_key) != token:
+            return False
+        await self.delete(lock_key)
+        return True
+
+
+def _text_vector(text: str, dimensions: int = 64) -> list[float]:
+    vector = [0.0] * dimensions
+    for token in text.lower().split():
+        digest = hashlib.sha256(token.encode("utf-8")).digest()
+        vector[int.from_bytes(digest[:4], "big") % dimensions] += 1.0
+    norm = math.sqrt(sum(v * v for v in vector)) or 1.0
+    return [v / norm for v in vector]
+
+
+def _cosine(left: list[float], right: list[float]) -> float:
+    size = min(len(left), len(right))
+    if size == 0:
+        return 0.0
+    return sum(left[i] * right[i] for i in range(size))
+
+
+@dataclass
+class LocalVectorService:
+    """Small in-memory vector store used by pltt dev."""
+
+    _items: dict[str, dict[str, dict[str, Any]]] = field(default_factory=dict)
+
+    async def upsert_vectors(self, index: str, items: list[dict[str, Any]]) -> int:
+        bucket = self._items.setdefault(index, {})
+        for item in items:
+            record_id = str(item["id"])
+            bucket[record_id] = {
+                "id": record_id,
+                "vector": item["vector"],
+                "text": item.get("text", ""),
+                "metadata": item.get("metadata") or {},
+            }
+        return len(items)
+
+    async def upsert_texts(self, index: str, items: list[dict[str, Any]]) -> int:
+        vector_items = [
+            {
+                **item,
+                "vector": _text_vector(str(item.get("text", ""))),
+            }
+            for item in items
+        ]
+        return await self.upsert_vectors(index, vector_items)
+
+    async def search(
+        self,
+        index: str,
+        *,
+        query: str | None = None,
+        vector: list[float] | None = None,
+        top_k: int = 10,
+        filter: dict[str, Any] | None = None,
+    ) -> list[dict[str, Any]]:
+        query_vector = vector or _text_vector(query or "")
+        rows = []
+        for item in self._items.get(index, {}).values():
+            metadata = item.get("metadata") or {}
+            if filter and any(metadata.get(k) != v for k, v in filter.items()):
+                continue
+            rows.append({
+                "id": item["id"],
+                "score": _cosine(query_vector, item["vector"]),
+                "text": item.get("text", ""),
+                "metadata": metadata,
+            })
+        rows.sort(key=lambda row: row["score"], reverse=True)
+        return rows[: max(1, min(top_k, 100))]
+
+    async def get(self, index: str, id: str) -> dict[str, Any] | None:
+        return self._items.get(index, {}).get(str(id))
+
+    async def client(self):
+        return self
+
+    def collection_name(self) -> str:
+        return "local"
+
+    def point_id(self, index: str, id: str) -> str:
+        return f"{index}:{id}"
+
+    def scoped_filter(self, index: str, extra: dict[str, Any] | None = None) -> dict[str, Any]:
+        return {"index": index, **(extra or {})}
+
+    def merge_filter(self, index: str, query_filter: Any | None = None) -> Any:
+        return query_filter or self.scoped_filter(index)
+
+    def scoped_payload(self, index: str, id: str, *, text: str | None = None, metadata: dict[str, Any] | None = None) -> dict[str, Any]:
+        return {"index": index, "record_id": str(id), "text": text or "", "metadata": metadata or {}}
+
+    def scoped_point(
+        self,
+        index: str,
+        *,
+        id: str,
+        vector: list[float],
+        text: str | None = None,
+        metadata: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        return {"id": self.point_id(index, id), "vector": vector, "payload": self.scoped_payload(index, id, text=text, metadata=metadata)}
+
+    async def delete(self, index: str, ids: list[str]) -> int:
+        bucket = self._items.get(index, {})
+        count = 0
+        for record_id in ids:
+            if bucket.pop(str(record_id), None) is not None:
+                count += 1
+        return count
+
+    async def delete_index(self, index: str) -> int:
+        count = len(self._items.get(index, {}))
+        self._items.pop(index, None)
+        return count
+
+    async def stats(self, index: str | None = None) -> dict[str, Any]:
+        if index:
+            return {"index": index, "count": len(self._items.get(index, {}))}
+        return {"indexes": {name: len(items) for name, items in self._items.items()}}

package/backend-sdk/palette_sdk/plugin_context.py

@@ -11,6 +11,7 @@ from fastapi import Depends, Request
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from palette_sdk.data_rooms import DataRoomsClient
+from palette_sdk.platform_services import UnavailablePlatformService
 
 
 class MissingSecretError(KeyError):
@@ -43,6 +44,8 @@ class PluginContext:
     permissions: list[str] = field(default_factory=list)
     storage: Any = None  # Platform storage service injected at runtime
     data_rooms: DataRoomsClient = field(default_factory=DataRoomsClient)
+    redis: Any = field(default_factory=lambda: UnavailablePlatformService("redis"))
+    vector: Any = field(default_factory=lambda: UnavailablePlatformService("vector"))
     config: dict[str, Any] = field(default_factory=dict)
     logger: logging.Logger = field(default_factory=lambda: logging.getLogger("palette_sdk.plugin"))
 
@@ -107,6 +110,8 @@ async def get_plugin_context(request: Request) -> PluginContext:
         permissions=getattr(state, "plugin_permissions", []),
         storage=getattr(state, "storage", None),
         data_rooms=DataRoomsClient(getattr(state, "data_rooms", None)),
+        redis=getattr(state, "redis", None) or UnavailablePlatformService("redis"),
+        vector=getattr(state, "vector", None) or UnavailablePlatformService("vector"),
         config=getattr(state, "plugin_config", {}),
         logger=getattr(state, "plugin_logger", logging.getLogger(f"palette_sdk.plugin.{getattr(state, 'plugin_id', 'unknown')}")),
     )

package/backend-sdk/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "palette-sdk"
-version = "0.1.6"
+version = "0.1.7"
 description = "Palette Platform SDK for building backend plugins"
 readme = "README.md"
 requires-python = ">=3.12"

package/docs/python-backend-sdk.md

@@ -112,6 +112,8 @@ Available context values:
 | `ctx.permissions` | Permissions granted from `palette-plugin.json` |
 | `ctx.storage` | Runtime storage service, when available |
 | `ctx.data_rooms` | Backend Data Room client |
+| `ctx.redis` | Plugin/org-scoped Redis-style service when `platform_services` includes `redis` |
+| `ctx.vector` | Plugin/org-scoped vector service when `platform_services` includes `vector` |
 | `ctx.config` | App install/config values |
 | `ctx.logger` | Runtime logger for backend code |
 | `ctx.repo(Model)` | Org-safe CRUD helper for app-owned tables |
@@ -232,7 +234,16 @@ organization can only access its own rows.
 
 ## 7. Repository CRUD
 
-Use `ctx.repo(Model)` instead of writing repeated org filters.
+Use `ctx.db` for the full database feature set. It is the real SQLAlchemy
+`AsyncSession`, scoped by Palette before your route runs, so you can use normal
+SQLAlchemy Core/ORM operations inside your app schema: `select`, `insert`,
+`update`, `delete`, joins, aggregates, relationships, transactions, bulk
+operations, and raw `text()` SQL. The production runtime sets the app schema,
+uses a low-privilege runtime role, and applies org row-level security; local dev
+uses the same SDK shape against the plugin-local database.
+
+Use `ctx.repo(Model)` when you want a short convenience helper for simple CRUD
+instead of writing repeated org filters.
 
 ```python
 from fastapi import Depends, HTTPException
@@ -309,6 +320,30 @@ await ctx.repo(Model).update(id, **values)
 await ctx.repo(Model).delete(id)
 ```
 
+For anything outside that helper, use `ctx.db` directly:
+
+```python
+from sqlalchemy import select, update, func, text
+
+total = await ctx.db.scalar(select(func.count()).select_from(Invoice))
+
+await ctx.db.execute(
+    update(Invoice)
+    .where(Invoice.status == "draft")
+    .values(status="queued")
+)
+await ctx.db.commit()
+
+rows = (
+    await ctx.db.execute(text("select id, customer_name from finance_tools__invoices"))
+).mappings().all()
+```
+
+Create or change tables, indexes, constraints, and other schema objects through
+Alembic migrations. Route code intentionally has data permissions only; it
+cannot access Palette core tables, another app's schema, or another org's
+RLS-protected rows.
+
 ## 8. Data Rooms From Python
 
 Use `ctx.data_rooms` when backend code needs to create folders, find files, or
@@ -505,6 +540,35 @@ install config, plugin-scope encrypted secrets, or local `.palette/.env.local`
 during `pltt dev`. Undeclared keys still fall back to the process environment
 for local compatibility.
 
+Managed Redis and vector services are declared in the manifest:
+
+```json
+{
+  "platform_services": ["redis", "vector"]
+}
+```
+
+```python
+await ctx.redis.set("cache:summary", {"ready": True}, ttl=600)
+value = await ctx.redis.get("cache:summary")
+
+await ctx.vector.upsert_texts(
+    "knowledge",
+    [{"id": "doc-1", "text": "Palette apps are isolated.", "metadata": {"type": "note"}}],
+)
+hits = await ctx.vector.search("knowledge", query="app isolation", top_k=3)
+```
+
+Palette scopes every Redis key and vector operation by `plugin_id` and
+`organization_id`; hosted previews also include the publish id. Plugin code
+cannot read, list, update, or delete records owned by another app or org.
+
+Advanced provider features are still available through scoped helpers:
+`ctx.redis.execute(...)` forwards Redis data-plane commands after key rewriting,
+while blocking server/admin commands. `ctx.vector.client()` returns the Qdrant
+client for custom calls; combine it with `collection_name()`, `scoped_filter()`,
+`merge_filter()`, `scoped_payload()`, and `scoped_point()` to preserve isolation.
+
 ## 10. Lifecycle Hooks
 
 Lifecycle hooks let an app seed defaults or clean up app-owned data when the

package/lib/cli.js

@@ -22,6 +22,10 @@ const COMMANDS = {
     run: (args, ctx) => dev([...args, "--sandbox"], ctx),
     help: "Publish a no-Docker hosted sandbox preview",
   },
+  preview: {
+    run: (args, ctx) => dev([...args, "--sandbox"], ctx),
+    help: "Alias for sandbox preview publish",
+  },
   login: { run: login, help: "Save a Palette sandbox environment for publish/dev preview" },
   doctor: {
     run: doctor,
@@ -76,12 +80,14 @@ function printHelp() {
   console.log("\nSecrets:")
   console.log("  pltt secrets init")
   console.log("  pltt secrets set NAME --value <secret> --env staging")
+  console.log("  pltt secrets rotate NAME --value <secret> --env staging")
   console.log("  pltt secrets list --env staging")
   console.log("\nExamples:")
   console.log("  pltt init my-app --template database")
   console.log("  pltt login --env staging --url https://sandbox.pltt.ai --token <token>")
   console.log("  cd my-app && pltt dev")
   console.log("  pltt sandbox --env staging")
+  console.log("  pltt preview --env staging")
   console.log("  pltt dev --sandbox --env staging")
   console.log("  pltt package")
   console.log("  pltt publish --env staging")

package/lib/commands/secrets.js

@@ -50,15 +50,17 @@ function loadFileValues(cwd, file) {
 
 async function run(args, { cwd }) {
   const [subcommand, ...tail] = args
-  const manifest = loadManifest(cwd)
-  const declared = declaredSecrets(manifest)
 
   if (!subcommand || subcommand === "help" || subcommand === "--help") {
     console.log("Usage: pltt secrets <init|list|set|rotate> [NAME] [--env staging]")
-    console.log("       pltt secrets set NAME --value <secret> --env staging")
-    console.log("       pltt secrets set NAME --secrets-file plugin-secrets.env --env staging")
-    return
-  }
+     console.log("       pltt secrets set NAME --value <secret> --env staging")
+     console.log("       pltt secrets set NAME --secrets-file plugin-secrets.env --env staging")
+    console.log("       pltt secrets rotate NAME --value <secret> --env staging")
+     return
+   }
+
+  const manifest = loadManifest(cwd)
+  const declared = declaredSecrets(manifest)
 
   if (subcommand === "init") {
     const result = initLocalEnv(cwd, manifest)
@@ -69,7 +71,7 @@ async function run(args, { cwd }) {
   }
 
   const { own, rest } = parseOwnFlags(tail)
-  const { flags } = parseFlags(rest)
+  const { flags, rest: positional } = parseFlags(rest)
   let env
   try {
     env = resolveEnvironment({ cwd, flags })
@@ -96,7 +98,7 @@ async function run(args, { cwd }) {
     process.exit(1)
   }
 
-  const name = rest.find((item) => !item.startsWith("-"))
+  const name = positional[0]
   if (!name) {
     console.error("[pltt] usage: pltt secrets set NAME --value <secret> [--env staging]")
     process.exit(1)

package/lib/dev-simulator.js

@@ -119,11 +119,28 @@ DATABASE_ENABLED = bool(MANIFEST.get("database") or MANIFEST.get("capabilities",
 DATABASE_URL = os.environ.get("PALETTE_DEV_DATABASE_URL", "sqlite+aiosqlite:///${databasePath.replace(/\\/g, "/")}")
 DEV_SECRETS = json.loads(${JSON.stringify(JSON.stringify(devSecrets))})
 
+def _service_enabled(name: str) -> bool:
+    services = MANIFEST.get("platform_services") or []
+    if isinstance(services, list):
+        return name in services
+    if isinstance(services, dict):
+        return name in services
+    return False
+
 if SDK_PATH:
     sys.path.insert(0, SDK_PATH)
 sys.path.insert(0, str(ROOT))
 sys.path.insert(0, str(ENTRY.parent))
 
+DEV_REDIS = None
+DEV_VECTOR = None
+if _service_enabled("redis"):
+    from palette_sdk.platform_services import LocalRedisService
+    DEV_REDIS = LocalRedisService()
+if _service_enabled("vector"):
+    from palette_sdk.platform_services import LocalVectorService
+    DEV_VECTOR = LocalVectorService()
+
 spec = importlib.util.spec_from_file_location("palette_local_backend", ENTRY)
 module = importlib.util.module_from_spec(spec)
 assert spec and spec.loader
@@ -162,6 +179,10 @@ class DevPluginContextMiddleware(BaseHTTPMiddleware):
             "secret_scope": "dev",
         }
         request.state.storage = None
+        if DEV_REDIS is not None:
+            request.state.redis = DEV_REDIS
+        if DEV_VECTOR is not None:
+            request.state.vector = DEV_VECTOR
         if SessionLocal is None:
             request.state.db = None
             return await call_next(request)

package/lib/manifest.js

@@ -146,7 +146,7 @@ function validateSecrets(value, errors) {
 
 function validatePlatformServices(value, errors) {
   if (value === undefined) return
-  const known = new Set(["llm", "kv", "storage"])
+  const known = new Set(["llm", "redis", "storage", "vector"])
   if (Array.isArray(value)) {
     for (const service of value) {
       if (!known.has(service)) errors.push(`platform_services contains unknown service: ${service}`)

package/lib/secrets.js

@@ -31,7 +31,15 @@ function readDotEnvFile(filePath) {
   return parseDotEnv(fs.readFileSync(filePath, "utf8"))
 }
 
-function writeDotEnvFile(filePath, values, manifest) {
+function formatDotEnvValue(value) {
+  if (value === undefined || value === null) return ""
+  const str = String(value)
+  if (!str) return ""
+  if (/[\s#"'\\]/.test(str)) return JSON.stringify(str)
+  return str
+}
+
+function writeDotEnvFile(filePath, values, manifest, secretValues = {}) {
   const lines = [
     "# Palette local developer secrets.",
     "# This file is for pltt dev only and must not be committed.",
@@ -43,7 +51,7 @@ function writeDotEnvFile(filePath, values, manifest) {
     lines.push(`# scope: ${scope || "dev"}`)
     if (meta.label) lines.push(`# label: ${meta.label}`)
     if (meta.help) lines.push(`# help: ${meta.help}`)
-    lines.push(`${name}=`)
+    lines.push(`${name}=${formatDotEnvValue(secretValues[name])}`)
     lines.push("")
   }
   if (Object.keys(values).length === 0 && manifest?.id) {
@@ -118,7 +126,8 @@ function initLocalEnv(cwd, manifest, { overwrite = false } = {}) {
   const declared = declaredSecrets(manifest)
   const localPath = path.join(cwd, LOCAL_ENV_PATH)
   const examplePath = path.join(cwd, EXAMPLE_ENV_PATH)
-  if (overwrite || !fs.existsSync(localPath)) writeDotEnvFile(localPath, declared, manifest)
+  const existingLocal = overwrite ? {} : readDotEnvFile(localPath)
+  writeDotEnvFile(localPath, declared, manifest, existingLocal)
   writeDotEnvFile(examplePath, declared, manifest)
   return { localPath, examplePath, declared }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@palettelab/cli",
-  "version": "0.3.31",
+  "version": "0.3.33",
   "description": "Developer CLI for building Palette platform plugins — no platform source access required.",
   "bin": {
     "pltt": "bin/pltt.js"