envdrift 4.2.1__py3-none-any.whl

envdrift/cli_commands/encryption_helpers.py

@@ -0,0 +1,93 @@
+"""Helpers for resolving encryption backends from config."""
+
+from __future__ import annotations
+
+import logging
+import tomllib
+from pathlib import Path
+from typing import TYPE_CHECKING
+
+from envdrift.config import ConfigNotFoundError, find_config, load_config
+from envdrift.encryption import EncryptionProvider, get_encryption_backend
+
+if TYPE_CHECKING:
+    from envdrift.config import EncryptionConfig
+    from envdrift.encryption.base import EncryptionBackend
+
+logger = logging.getLogger(__name__)
+
+
+def resolve_encryption_backend(
+    config_file: Path | None,
+) -> tuple[EncryptionBackend, EncryptionProvider, EncryptionConfig | None]:
+    """
+    Resolve the encryption backend using an explicit config file or auto-discovery.
+
+    Returns the instantiated backend, selected provider, and the encryption config
+    (if available).
+    """
+    config_path = None
+    if config_file is not None and config_file.suffix.lower() == ".toml":
+        config_path = config_file
+    elif config_file is None:
+        config_path = find_config()
+
+    envdrift_config = None
+    if config_path:
+        try:
+            envdrift_config = load_config(config_path)
+        except (ConfigNotFoundError, tomllib.TOMLDecodeError) as exc:
+            logger.warning("Failed to load config from %s: %s", config_path, exc)
+            envdrift_config = None
+
+    encryption_config = getattr(envdrift_config, "encryption", None) if envdrift_config else None
+    backend_name = encryption_config.backend if encryption_config else "dotenvx"
+    provider = EncryptionProvider(backend_name)
+
+    backend_config: dict[str, object] = {}
+    if provider == EncryptionProvider.DOTENVX:
+        backend_config["auto_install"] = (
+            encryption_config.dotenvx_auto_install if encryption_config else False
+        )
+    else:
+        backend_config["auto_install"] = (
+            encryption_config.sops_auto_install if encryption_config else False
+        )
+        if encryption_config:
+            if encryption_config.sops_config_file:
+                backend_config["config_file"] = encryption_config.sops_config_file
+            if encryption_config.sops_age_key_file:
+                backend_config["age_key_file"] = encryption_config.sops_age_key_file
+
+    backend = get_encryption_backend(provider, **backend_config)
+    return backend, provider, encryption_config
+
+
+def build_sops_encrypt_kwargs(encryption_config: EncryptionConfig | None) -> dict[str, str]:
+    """Build SOPS encryption kwargs from config."""
+    if not encryption_config:
+        return {}
+
+    kwargs: dict[str, str] = {}
+    if encryption_config.sops_age_recipients:
+        kwargs["age_recipients"] = encryption_config.sops_age_recipients
+    if encryption_config.sops_kms_arn:
+        kwargs["kms_arn"] = encryption_config.sops_kms_arn
+    if encryption_config.sops_gcp_kms:
+        kwargs["gcp_kms"] = encryption_config.sops_gcp_kms
+    if encryption_config.sops_azure_kv:
+        kwargs["azure_kv"] = encryption_config.sops_azure_kv
+    return kwargs
+
+
+def is_encrypted_content(
+    provider: EncryptionProvider,
+    backend: EncryptionBackend,
+    content: str,
+) -> bool:
+    """Determine if file content is encrypted for the selected backend."""
+    if backend.has_encrypted_header(content):
+        return True
+    if provider == EncryptionProvider.DOTENVX:
+        return "encrypted:" in content.lower()
+    return False

envdrift/cli_commands/hook.py

@@ -0,0 +1,75 @@
+"""Pre-commit hook command for envdrift."""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+
+from envdrift.output.rich import console, print_error, print_success
+
+
+def hook(
+    install: Annotated[
+        bool, typer.Option("--install", "-i", help="Install pre-commit hook")
+    ] = False,
+    show_config: Annotated[
+        bool, typer.Option("--config", help="Show pre-commit config snippet")
+    ] = False,
+) -> None:
+    """
+    Manage the pre-commit hook integration by showing a sample config or installing hooks.
+
+    When invoked with --config or without --install, prints a pre-commit configuration snippet for envdrift hooks.
+    When invoked with --install, attempts to install the hooks using the pre-commit integration and prints success on completion.
+
+    Parameters:
+        install (bool): If True, install the pre-commit hooks into the project (--install / -i).
+        show_config (bool): If True, print the sample pre-commit configuration snippet (--config).
+
+    Raises:
+        typer.Exit: If installation is requested but the pre-commit integration is unavailable.
+    """
+    if show_config or (not install):
+        hook_config = """# Add to .pre-commit-config.yaml
+repos:
+  - repo: local
+    hooks:
+      - id: envdrift-validate
+        name: Validate env files
+        entry: envdrift validate --ci
+        language: system
+        files: ^\\.env\\.(production|staging|development)$
+        pass_filenames: true
+
+      - id: envdrift-encryption
+        name: Check env encryption
+        entry: envdrift encrypt --check
+        language: system
+        files: ^\\.env\\.(production|staging)$
+        pass_filenames: true
+
+      # Optional: Verify encryption keys match vault (prevents key drift)
+      # - id: envdrift-vault-verify
+      #   name: Verify vault key can decrypt
+      #   entry: envdrift decrypt --verify-vault -p azure --vault-url https://myvault.vault.azure.net --secret myapp-dotenvx-key --ci
+      #   language: system
+      #   files: ^\\.env\\.production$
+      #   pass_filenames: true
+"""
+        console.print(hook_config)
+
+        if not install:
+            console.print("[dim]Use --install to add hooks to .pre-commit-config.yaml[/dim]")
+            return
+
+    if install:
+        try:
+            from envdrift.integrations.precommit import install_hooks
+
+            install_hooks()
+            print_success("Pre-commit hooks installed")
+        except ImportError:
+            print_error("Pre-commit integration not available")
+            console.print("Copy the config above to .pre-commit-config.yaml manually")
+            raise typer.Exit(code=1) from None

envdrift/cli_commands/init_cmd.py

@@ -0,0 +1,117 @@
+"""Schema generation command for envdrift."""
+
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Annotated
+
+import typer
+
+from envdrift.core.encryption import EncryptionDetector
+from envdrift.core.parser import EnvParser
+from envdrift.output.rich import console, print_error, print_success
+
+
+def init(
+    env_file: Annotated[
+        Path, typer.Argument(help="Path to .env file to generate schema from")
+    ] = Path(".env"),
+    output: Annotated[
+        Path, typer.Option("--output", "-o", help="Output file for Settings class")
+    ] = Path("settings.py"),
+    class_name: Annotated[
+        str, typer.Option("--class-name", "-c", help="Name for the Settings class")
+    ] = "Settings",
+    detect_sensitive: Annotated[
+        bool, typer.Option("--detect-sensitive", help="Auto-detect sensitive variables")
+    ] = True,
+) -> None:
+    """
+    Generate a Pydantic BaseSettings subclass from variables in an .env file.
+
+    Writes a Python module containing a Pydantic `BaseSettings` subclass with fields
+    inferred from the .env variables. Detected sensitive variables are annotated
+    with `json_schema_extra={"sensitive": True}` and fields without a sensible
+    default are left required.
+
+    Parameters:
+        env_file (Path): Path to the source .env file.
+        output (Path): Path to write the generated Python module (e.g., settings.py).
+        class_name (str): Name to use for the generated `BaseSettings` subclass.
+        detect_sensitive (bool): If true, attempt to auto-detect sensitive variables
+            (by name and value) and mark them in the generated fields.
+    """
+    if not env_file.exists():
+        print_error(f"ENV file not found: {env_file}")
+        raise typer.Exit(code=1)
+
+    # Parse env file
+    parser = EnvParser()
+    env = parser.parse(env_file)
+
+    # Detect sensitive variables if requested
+    detector = EncryptionDetector()
+    sensitive_vars = set()
+    if detect_sensitive:
+        for var_name, env_var in env.variables.items():
+            is_name_sens = detector.is_name_sensitive(var_name)
+            is_val_susp = detector.is_value_suspicious(env_var.value)
+            if is_name_sens or is_val_susp:
+                sensitive_vars.add(var_name)
+
+    # Generate settings class
+    lines = [
+        '"""Auto-generated Pydantic Settings class."""',
+        "",
+        "from pydantic import Field",
+        "from pydantic_settings import BaseSettings, SettingsConfigDict",
+        "",
+        "",
+        f"class {class_name}(BaseSettings):",
+        f'    """Settings generated from {env_file}."""',
+        "",
+        "    model_config = SettingsConfigDict(",
+        f'        env_file="{env_file}",',
+        '        extra="forbid",',
+        "    )",
+        "",
+    ]
+
+    for var_name, env_var in sorted(env.variables.items()):
+        is_sensitive = var_name in sensitive_vars
+
+        # Try to infer type from value
+        value = env_var.value
+        if value.lower() in ("true", "false"):
+            type_hint = "bool"
+            default_val = value.lower() == "true"
+        elif value.isdigit():
+            type_hint = "int"
+            default_val = int(value)
+        else:
+            type_hint = "str"
+            default_val = None  # Will be required
+
+        # Build field
+        if is_sensitive:
+            extra = 'json_schema_extra={"sensitive": True}'
+            if default_val is not None:
+                lines.append(
+                    f"    {var_name}: {type_hint} = Field(default={default_val!r}, {extra})"
+                )
+            else:
+                lines.append(f"    {var_name}: {type_hint} = Field({extra})")
+        else:
+            if default_val is not None:
+                lines.append(f"    {var_name}: {type_hint} = {default_val!r}")
+            else:
+                lines.append(f"    {var_name}: {type_hint}")
+
+    lines.append("")
+
+    # Write output
+    output.write_text("\n".join(lines))
+    print_success(f"Generated {output}")
+
+    if sensitive_vars:
+        console.print(f"[dim]Detected {len(sensitive_vars)} sensitive variable(s)[/dim]")

envdrift/cli_commands/partial.py

@@ -0,0 +1,222 @@
+"""CLI commands for partial encryption functionality."""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+from rich.panel import Panel
+
+from envdrift.config import load_config
+from envdrift.core.partial_encryption import (
+    PartialEncryptionError,
+    pull_partial_encryption,
+    push_partial_encryption,
+)
+from envdrift.output.rich import console, print_error, print_success, print_warning
+
+
+def push(
+    env: Annotated[
+        str | None,
+        typer.Option("--env", "-e", help="Environment name (e.g., production, staging)"),
+    ] = None,
+) -> None:
+    """
+    Encrypt secret files and combine with clear files (prepare for commit).
+
+    This command:
+    1. Encrypts .env.{env}.secret files using dotenvx
+    2. Combines .env.{env}.clear + encrypted .secret → .env.{env}
+    3. Adds warning header to generated file
+
+    The generated .env.{env} file should be committed to git.
+
+    Examples:
+        # Push all environments
+        envdrift push
+
+        # Push specific environment
+        envdrift push --env production
+    """
+    # Load config
+    try:
+        config = load_config()
+    except Exception as e:
+        print_error(f"Failed to load configuration: {e}")
+        raise typer.Exit(code=1) from None
+
+    if not config.partial_encryption.enabled:
+        print_error("Partial encryption is not enabled in configuration")
+        console.print("\nTo enable partial encryption, add to your envdrift.toml:")
+        console.print(
+            "[cyan][[partial_encryption.environments]][/cyan]\n"
+            '[cyan]name = "production"[/cyan]\n'
+            '[cyan]clear_file = ".env.production.clear"[/cyan]\n'
+            '[cyan]secret_file = ".env.production.secret"[/cyan]\n'
+            '[cyan]combined_file = ".env.production"[/cyan]'
+        )
+        raise typer.Exit(code=1)
+
+    # Filter environments
+    envs_to_process = config.partial_encryption.environments
+    if env:
+        envs_to_process = [e for e in envs_to_process if e.name == env]
+        if not envs_to_process:
+            print_error(f"No partial encryption configuration found for environment '{env}'")
+            raise typer.Exit(code=1)
+
+    console.print()
+    console.print("[bold]Push[/bold] - Encrypting and combining env files")
+    console.print(f"[dim]Environments: {len(envs_to_process)}[/dim]")
+    console.print()
+
+    total_encrypted = 0
+    total_combined = 0
+    errors = []
+
+    for env_config in envs_to_process:
+        console.print(f"[bold cyan]→[/bold cyan] {env_config.name}")
+
+        try:
+            stats = push_partial_encryption(env_config)
+
+            console.print(
+                f"  [green]✓[/green] Generated {env_config.combined_file} "
+                f"[dim]({stats['clear_lines']} clear + {stats['secret_vars']} encrypted)[/dim]"
+            )
+
+            total_combined += 1
+            total_encrypted += stats["secret_vars"]
+
+        except PartialEncryptionError as e:
+            console.print(f"  [red]✗[/red] {e}")
+            errors.append(f"{env_config.name}: {e}")
+        except Exception as e:
+            console.print(f"  [red]✗[/red] Unexpected error: {e}")
+            errors.append(f"{env_config.name}: {e}")
+
+    # Summary
+    console.print()
+    summary_lines = [
+        f"Combined: {total_combined}/{len(envs_to_process)}",
+        f"Total encrypted vars: {total_encrypted}",
+    ]
+    if errors:
+        summary_lines.append(f"Errors: {len(errors)}")
+
+    console.print(Panel("\n".join(summary_lines), title="Push Summary", expand=False))
+
+    if errors:
+        console.print()
+        print_warning("Some environments had errors:")
+        for error in errors:
+            console.print(f"  • {error}")
+        raise typer.Exit(code=1)
+
+    console.print()
+    print_success("Push complete! Combined files are ready to commit.")
+    console.print()
+    console.print(
+        "[dim]Remember to edit source files (.clear and .secret), not the combined file.[/dim]"
+    )
+
+
+def pull_cmd(
+    env: Annotated[
+        str | None,
+        typer.Option("--env", "-e", help="Environment name (e.g., production, staging)"),
+    ] = None,
+) -> None:
+    """
+    Decrypt secret files for editing (pull operation).
+
+    This command:
+    1. Decrypts .env.{env}.secret files in-place using dotenvx
+    2. Makes them available for editing
+
+    After pulling, you can edit:
+    - .env.{env}.clear (non-sensitive variables)
+    - .env.{env}.secret (sensitive variables, now decrypted)
+
+    Run 'envdrift push' before committing to re-encrypt and combine.
+
+    Examples:
+        # Pull all environments
+        envdrift pull-partial
+
+        # Pull specific environment
+        envdrift pull-partial --env production
+    """
+    # Load config
+    try:
+        config = load_config()
+    except Exception as e:
+        print_error(f"Failed to load configuration: {e}")
+        raise typer.Exit(code=1) from None
+
+    if not config.partial_encryption.enabled:
+        print_error("Partial encryption is not enabled in configuration")
+        raise typer.Exit(code=1)
+
+    # Filter environments
+    envs_to_process = config.partial_encryption.environments
+    if env:
+        envs_to_process = [e for e in envs_to_process if e.name == env]
+        if not envs_to_process:
+            print_error(f"No partial encryption configuration found for environment '{env}'")
+            raise typer.Exit(code=1)
+
+    console.print()
+    console.print("[bold]Pull[/bold] - Decrypting secret files")
+    console.print(f"[dim]Environments: {len(envs_to_process)}[/dim]")
+    console.print()
+
+    decrypted_count = 0
+    skipped_count = 0
+    errors = []
+
+    for env_config in envs_to_process:
+        console.print(f"[bold cyan]→[/bold cyan] {env_config.name}")
+
+        try:
+            was_decrypted = pull_partial_encryption(env_config)
+
+            if was_decrypted:
+                console.print(f"  [green]✓[/green] Decrypted {env_config.secret_file}")
+                decrypted_count += 1
+            else:
+                console.print(
+                    f"  [dim]=[/dim] {env_config.secret_file} [dim](already decrypted)[/dim]"
+                )
+                skipped_count += 1
+
+        except PartialEncryptionError as e:
+            console.print(f"  [red]✗[/red] {e}")
+            errors.append(f"{env_config.name}: {e}")
+        except Exception as e:
+            console.print(f"  [red]✗[/red] Unexpected error: {e}")
+            errors.append(f"{env_config.name}: {e}")
+
+    # Summary
+    console.print()
+    summary_lines = [
+        f"Decrypted: {decrypted_count}",
+        f"Skipped: {skipped_count}",
+    ]
+    if errors:
+        summary_lines.append(f"Errors: {len(errors)}")
+
+    console.print(Panel("\n".join(summary_lines), title="Pull Summary", expand=False))
+
+    if errors:
+        console.print()
+        print_warning("Some environments had errors:")
+        for error in errors:
+            console.print(f"  • {error}")
+        raise typer.Exit(code=1)
+
+    console.print()
+    print_success("Pull complete! Secret files are now decrypted for editing.")
+    console.print()
+    console.print("[dim]Remember to run 'envdrift push' before committing.[/dim]")