envrcctl 0.2.2__tar.gz → 0.2.3__tar.gz

envrcctl-0.2.3/.gitignore

@@ -0,0 +1,15 @@
+
+.venv/
+.agent/
+.rules
+__pycache__/
+*.py[cod]
+.pytest_cache/
+.coverage
+htmlcov/
+.DS_Store
+.envrc
+dist/helper/
+dist/*-arm64.tar.gz
+dist/*-darwin-arm64.tar.gz
+src/*.egg-info/

{envrcctl-0.2.2 → envrcctl-0.2.3}/PKG-INFO

@@ -1,39 +1,19 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: envrcctl
-Version: 0.2.2
+Version: 0.2.3
 Summary: Manage .envrc with managed blocks and OS-backed secrets.
-Author: Rio Fujita
-Author-email: Rio Fujita <rio_github@rio.st>
-License: MIT License
-         
-         Copyright (c) 2026 Rio Fujita
-         
-         Permission is hereby granted, free of charge, to any person obtaining a copy
-         of this software and associated documentation files (the "Software"), to deal
-         in the Software without restriction, including without limitation the rights
-         to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-         copies of the Software, and to permit persons to whom the Software is
-         furnished to do so, subject to the following conditions:
-         
-         The above copyright notice and this permission notice shall be included in all
-         copies or substantial portions of the Software.
-         
-         THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-         IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-         FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-         AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-         LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-         OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-         SOFTWARE.
-Requires-Dist: typer>=0.24.1
-Requires-Dist: pytest>=9 ; extra == 'test'
-Requires-Dist: pytest-cov>=7 ; extra == 'test'
-Requires-Dist: bandit>=1.7.10 ; extra == 'test'
-Requires-Python: >=3.14
 Project-URL: Homepage, https://github.com/rioriost/envrcctl
 Project-URL: Issues, https://github.com/rioriost/envrcctl/issues
 Project-URL: Repository, https://github.com/rioriost/envrcctl
+Author-email: Rio Fujita <rio_github@rio.st>
+License-Expression: MIT
+License-File: LICENSE
+Requires-Python: >=3.14
+Requires-Dist: typer>=0.24.1
 Provides-Extra: test
+Requires-Dist: bandit>=1.7.10; extra == 'test'
+Requires-Dist: pytest-cov>=7; extra == 'test'
+Requires-Dist: pytest>=9; extra == 'test'
 Description-Content-Type: text/markdown
 
 # envrcctl

{envrcctl-0.2.2 → envrcctl-0.2.3}/pyproject.toml

@@ -1,9 +1,9 @@
 [project]
 name = "envrcctl"
-version = "0.2.2"
+version = "0.2.3"
 description = "Manage .envrc with managed blocks and OS-backed secrets."
 readme = { file = "README.md", content-type = "text/markdown" }
-license = { file = "LICENSE" }
+license = "MIT"
 requires-python = ">=3.14"
 authors = [
     { name = "Rio Fujita", email = "rio_github@rio.st" },
@@ -12,10 +12,21 @@ dependencies = [
     "typer>=0.24.1",
 ]
 
-[tool.uv.build-backend]
-module-root = "src"
-source-include = [
+[tool.hatch.build.targets.wheel]
+packages = ["src/envrcctl"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+    "src/**",
+    "tests/**",
+    "scripts/**",
     "completions/**",
+    "README.md",
+    "LICENSE",
+    "pyproject.toml",
+]
+exclude = [
+    "src/envrcctl/envrcctl-macos-auth",
 ]
 
 [project.urls]
@@ -41,8 +52,8 @@ dev = [
 ]
 
 [build-system]
-requires = ["uv_build>=0.9.27,<0.10.0"]
-build-backend = "uv_build"
+requires = ["hatchling>=1.25.0"]
+build-backend = "hatchling.build"
 
 [tool.pytest.ini_options]
 testpaths = ["tests"]

envrcctl-0.2.3/scripts/build_macos_auth_helper.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+set -eu
+
+SCRIPT_DIR="$(CDPATH= cd -- "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(CDPATH= cd -- "$SCRIPT_DIR/.." && pwd)"
+SWIFT_SOURCE="${1:-$REPO_ROOT/scripts/macos/envrcctl-macos-auth.swift}"
+OUTPUT_PATH="${2:-$REPO_ROOT/src/envrcctl/envrcctl-macos-auth}"
+
+if [ "$(uname -s)" != "Darwin" ]; then
+  echo "This helper can only be built on macOS." >&2
+  exit 1
+fi
+
+if [ "$(uname -m)" != "arm64" ]; then
+  echo "This helper only supports Apple Silicon (arm64) macOS." >&2
+  exit 1
+fi
+
+if ! command -v swiftc >/dev/null 2>&1; then
+  echo "swiftc not found. Install Xcode Command Line Tools first." >&2
+  exit 1
+fi
+
+if [ ! -f "$SWIFT_SOURCE" ]; then
+  echo "Swift source not found: $SWIFT_SOURCE" >&2
+  echo "Pass the source path as the first argument or create scripts/macos/envrcctl-macos-auth.swift." >&2
+  exit 1
+fi
+
+mkdir -p "$(dirname "$OUTPUT_PATH")"
+
+echo "Building macOS auth helper for Apple Silicon (arm64)..."
+echo "  source: $SWIFT_SOURCE"
+echo "  output: $OUTPUT_PATH"
+
+swiftc \
+  -O \
+  -framework LocalAuthentication \
+  -framework Security \
+  "$SWIFT_SOURCE" \
+  -o "$OUTPUT_PATH"
+
+chmod 755 "$OUTPUT_PATH"
+
+echo "Build complete: $OUTPUT_PATH"
+echo
+echo "You can override the helper path at runtime with:"
+echo "  ENVRCCTL_MACOS_AUTH_HELPER=$OUTPUT_PATH"

envrcctl-0.2.3/scripts/generate_completions.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+from click.shell_completion import get_completion_class
+from typer.main import get_command
+
+from envrcctl.cli import app
+
+SHELLS = ("bash", "zsh", "fish")
+
+
+def main() -> None:
+    repo_root = Path(__file__).resolve().parents[1]
+    output_dir = repo_root / "completions"
+    output_dir.mkdir(parents=True, exist_ok=True)
+
+    command = get_command(app)
+    complete_var = "_ENVRCCTL_COMPLETE"
+
+    for shell in SHELLS:
+        comp_cls = get_completion_class(shell)
+        if comp_cls is None:
+            raise RuntimeError(f"Unsupported shell: {shell}")
+        comp = comp_cls(command, {}, "envrcctl", complete_var)
+        content = comp.source()
+        if not content.strip():
+            raise RuntimeError(f"Failed to generate {shell} completion.")
+        if not content.endswith("\n"):
+            content += "\n"
+        (output_dir / f"envrcctl.{shell}").write_text(content, encoding="utf-8")
+
+
+if __name__ == "__main__":
+    main()

envrcctl-0.2.3/scripts/macos/envrcctl-macos-auth.swift

@@ -0,0 +1,340 @@
+import Foundation
+import LocalAuthentication
+import Security
+
+enum HelperError: Error, LocalizedError {
+    case invalidArguments(String)
+    case authenticationUnavailable(String)
+    case authenticationFailed(String)
+    case keychainFailure(String)
+    case decodeFailure
+    case inputReadFailure(String)
+    case outputEncodeFailure
+
+    var errorDescription: String? {
+        switch self {
+        case .invalidArguments(let message):
+            return message
+        case .authenticationUnavailable(let message):
+            return message
+        case .authenticationFailed(let message):
+            return message
+        case .keychainFailure(let message):
+            return message
+        case .decodeFailure:
+            return "Keychain item contains non-UTF-8 data."
+        case .inputReadFailure(let message):
+            return message
+        case .outputEncodeFailure:
+            return "Failed to encode JSON response."
+        }
+    }
+}
+
+struct Arguments {
+    let authorizeOnly: Bool
+    let service: String?
+    let account: String?
+    let inputJSONPath: String?
+    let reason: String
+}
+
+struct BulkRequest: Decodable {
+    let items: [BulkRequestItem]
+}
+
+struct BulkRequestItem: Decodable {
+    let service: String
+    let account: String
+}
+
+struct BulkResponse: Encodable {
+    let items: [BulkResponseItem]
+}
+
+struct BulkResponseItem: Encodable {
+    let service: String
+    let account: String
+    let value: String
+}
+
+private func printErrorAndExit(_ error: Error) -> Never {
+    let message: String
+    if let helperError = error as? LocalizedError, let description = helperError.errorDescription {
+        message = description
+    } else {
+        message = "macOS authentication helper failed."
+    }
+    FileHandle.standardError.write(Data((message + "\n").utf8))
+    exit(1)
+}
+
+private func printHelpAndExit() -> Never {
+    let help = """
+        Usage:
+          envrcctl-macos-auth --authorize-only --reason <text>
+          envrcctl-macos-auth --service <service> --account <account> --reason <text>
+          envrcctl-macos-auth --input-json <path|- > --reason <text>
+
+        Options:
+          --authorize-only   Require device owner authentication only.
+          --service          Keychain service name.
+          --account          Keychain account name.
+          --input-json       JSON file path or '-' for stdin for bulk reads.
+          --reason           Localized reason shown in the auth prompt.
+          --help             Show this help.
+
+        Bulk JSON input:
+          {
+            "items": [
+              { "service": "st.rio.envrcctl", "account": "openai:prod" },
+              { "service": "st.rio.envrcctl", "account": "github:prod" }
+            ]
+          }
+        """
+    print(help)
+    exit(0)
+}
+
+private func parseArguments(_ argv: [String]) throws -> Arguments {
+    var authorizeOnly = false
+    var service: String?
+    var account: String?
+    var inputJSONPath: String?
+    var reason: String?
+
+    var index = 1
+    while index < argv.count {
+        let arg = argv[index]
+        switch arg {
+        case "--authorize-only":
+            authorizeOnly = true
+            index += 1
+        case "--service":
+            guard index + 1 < argv.count else {
+                throw HelperError.invalidArguments("Missing value for --service.")
+            }
+            service = argv[index + 1]
+            index += 2
+        case "--account":
+            guard index + 1 < argv.count else {
+                throw HelperError.invalidArguments("Missing value for --account.")
+            }
+            account = argv[index + 1]
+            index += 2
+        case "--input-json":
+            guard index + 1 < argv.count else {
+                throw HelperError.invalidArguments("Missing value for --input-json.")
+            }
+            inputJSONPath = argv[index + 1]
+            index += 2
+        case "--reason":
+            guard index + 1 < argv.count else {
+                throw HelperError.invalidArguments("Missing value for --reason.")
+            }
+            reason = argv[index + 1]
+            index += 2
+        case "--help", "-h":
+            printHelpAndExit()
+        default:
+            throw HelperError.invalidArguments("Unknown argument: \(arg)")
+        }
+    }
+
+    guard let reason, !reason.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty else {
+        throw HelperError.invalidArguments("A non-empty --reason is required.")
+    }
+
+    if authorizeOnly {
+        if service != nil || account != nil || inputJSONPath != nil {
+            throw HelperError.invalidArguments(
+                "--authorize-only cannot be combined with --service, --account, or --input-json."
+            )
+        }
+        return Arguments(
+            authorizeOnly: true,
+            service: nil,
+            account: nil,
+            inputJSONPath: nil,
+            reason: reason
+        )
+    }
+
+    let hasSingle = service != nil || account != nil
+    let hasBulk = inputJSONPath != nil
+
+    if hasSingle && hasBulk {
+        throw HelperError.invalidArguments(
+            "--input-json cannot be combined with --service or --account."
+        )
+    }
+
+    if hasBulk {
+        return Arguments(
+            authorizeOnly: false,
+            service: nil,
+            account: nil,
+            inputJSONPath: inputJSONPath,
+            reason: reason
+        )
+    }
+
+    guard let service, !service.isEmpty else {
+        throw HelperError.invalidArguments("--service is required.")
+    }
+    guard let account, !account.isEmpty else {
+        throw HelperError.invalidArguments("--account is required.")
+    }
+
+    return Arguments(
+        authorizeOnly: false,
+        service: service,
+        account: account,
+        inputJSONPath: nil,
+        reason: reason
+    )
+}
+
+private func authenticate(reason: String) throws -> LAContext {
+    let context = LAContext()
+    context.localizedCancelTitle = "Cancel"
+
+    var canEvaluateError: NSError?
+    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &canEvaluateError) else {
+        let message =
+            canEvaluateError?.localizedDescription
+            ?? "Device owner authentication is unavailable."
+        throw HelperError.authenticationUnavailable(message)
+    }
+
+    let semaphore = DispatchSemaphore(value: 0)
+    var authError: Error?
+
+    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
+        if !success {
+            authError = error ?? HelperError.authenticationFailed("Authentication failed.")
+        }
+        semaphore.signal()
+    }
+
+    semaphore.wait()
+
+    if let authError {
+        if let laError = authError as? LAError {
+            switch laError.code {
+            case .userCancel, .userFallback, .systemCancel, .appCancel:
+                throw HelperError.authenticationFailed("Authentication cancelled.")
+            default:
+                throw HelperError.authenticationFailed(laError.localizedDescription)
+            }
+        }
+        throw HelperError.authenticationFailed(authError.localizedDescription)
+    }
+
+    return context
+}
+
+private func readSecret(service: String, account: String, context: LAContext) throws -> String {
+    let query: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: service,
+        kSecAttrAccount as String: account,
+        kSecReturnData as String: true,
+        kSecMatchLimit as String: kSecMatchLimitOne,
+        kSecUseAuthenticationContext as String: context,
+    ]
+
+    var item: CFTypeRef?
+    let status = SecItemCopyMatching(query as CFDictionary, &item)
+
+    guard status == errSecSuccess else {
+        let message = SecCopyErrorMessageString(status, nil) as String? ?? "Keychain read failed."
+        throw HelperError.keychainFailure(message)
+    }
+
+    guard let data = item as? Data else {
+        throw HelperError.keychainFailure("Keychain returned an unexpected item type.")
+    }
+    guard let value = String(data: data, encoding: .utf8) else {
+        throw HelperError.decodeFailure
+    }
+    return value
+}
+
+private func readBulkRequest(from path: String) throws -> BulkRequest {
+    let data: Data
+    if path == "-" {
+        data = FileHandle.standardInput.readDataToEndOfFile()
+        if data.isEmpty {
+            throw HelperError.inputReadFailure("No JSON input received on stdin.")
+        }
+    } else {
+        let url = URL(fileURLWithPath: path)
+        do {
+            data = try Data(contentsOf: url)
+        } catch {
+            throw HelperError.inputReadFailure("Failed to read JSON input: \(path)")
+        }
+    }
+
+    do {
+        let request = try JSONDecoder().decode(BulkRequest.self, from: data)
+        if request.items.isEmpty {
+            throw HelperError.invalidArguments("Bulk JSON input must include at least one item.")
+        }
+        for item in request.items {
+            if item.service.isEmpty || item.account.isEmpty {
+                throw HelperError.invalidArguments(
+                    "Each bulk request item must include non-empty service and account values."
+                )
+            }
+        }
+        return request
+    } catch let helperError as HelperError {
+        throw helperError
+    } catch {
+        throw HelperError.invalidArguments("Failed to decode bulk JSON input.")
+    }
+}
+
+private func writeBulkResponse(_ response: BulkResponse) throws {
+    let encoder = JSONEncoder()
+    encoder.outputFormatting = [.sortedKeys]
+    guard let data = try? encoder.encode(response) else {
+        throw HelperError.outputEncodeFailure
+    }
+    FileHandle.standardOutput.write(data)
+}
+
+do {
+    let args = try parseArguments(CommandLine.arguments)
+    let context = try authenticate(reason: args.reason)
+
+    if args.authorizeOnly {
+        exit(0)
+    }
+
+    if let inputJSONPath = args.inputJSONPath {
+        let request = try readBulkRequest(from: inputJSONPath)
+        let items = try request.items.map { item in
+            BulkResponseItem(
+                service: item.service,
+                account: item.account,
+                value: try readSecret(
+                    service: item.service, account: item.account, context: context)
+            )
+        }
+        try writeBulkResponse(BulkResponse(items: items))
+        exit(0)
+    }
+
+    guard let service = args.service, let account = args.account else {
+        throw HelperError.invalidArguments("Both --service and --account are required.")
+    }
+
+    let secret = try readSecret(service: service, account: account, context: context)
+    FileHandle.standardOutput.write(Data(secret.utf8))
+    exit(0)
+} catch {
+    printErrorAndExit(error)
+}

envrcctl-0.2.3/scripts/package_for_ship.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+
+echo "scripts/package_for_ship.sh is obsolete." >&2
+echo "Run 'make release-artifacts' from the repository root instead." >&2
+exit 1