eval-protocol 0.0.3__py3-none-any.whl

eval_protocol/packaging.py

@@ -0,0 +1,219 @@
+import os
+import sys
+from pathlib import Path
+from typing import Optional, Tuple
+
+DEFAULT_PYTHON_VERSION = "3.10"
+
+
+def _resolve_module_path_and_name(function_ref: str) -> Optional[Tuple[Path, str, str]]:
+    """
+    Resolves the file system path for the top-level module/package of a function reference
+    and the module path to be copied.
+
+    Args:
+        function_ref: e.g., "my_package.my_module.my_function" or "my_module.my_function"
+
+    Returns:
+        A tuple (path_to_copy, top_level_module_name, relative_path_to_copy_as) if resolvable, else None.
+        - path_to_copy: Absolute path to the directory or file to be copied.
+        - top_level_module_name: The name of the top-level module/package (e.g., "my_package" or "my_module").
+                                 This will be the destination name in the Docker image.
+        - relative_path_to_copy_as: The path to use as the destination in the COPY instruction (e.g. "my_package" or "my_module.py")
+    """
+    parts = function_ref.split(".")
+    if not parts:
+        return None
+
+    # Try to find the module/package in sys.path, prioritizing CWD
+    # This is a simplified approach. A more robust one might involve inspecting __file__
+    # of an imported module, but that requires the module to be importable in the current env.
+
+    # Check CWD first
+    potential_path_str = parts[0]  # e.g. "my_package" or "my_module"
+
+    # Path to check in CWD
+    path_in_cwd_dir = Path(os.getcwd()) / potential_path_str
+    path_in_cwd_file = Path(os.getcwd()) / f"{potential_path_str}.py"
+
+    if path_in_cwd_dir.is_dir() and (path_in_cwd_dir / "__init__.py").exists():  # It's a package
+        return path_in_cwd_dir, potential_path_str, potential_path_str
+    elif path_in_cwd_file.is_file():  # It's a module .py file
+        return path_in_cwd_file, potential_path_str, f"{potential_path_str}.py"
+
+    # Fallback: could search sys.path but that gets complicated for Docker context.
+    # For now, assume the module/package is in CWD or a sub-path accessible from CWD.
+    # If function_ref is like "subdir.module.func", we assume "subdir" is in CWD.
+
+    # If parts[0] is not directly in CWD, it might be a deeper structure.
+    # This simplistic resolver assumes the first part of function_ref is the item to copy from CWD.
+    # e.g. if function_ref is "app.services.rewards.my_func" and "app" is a dir in CWD.
+
+    # A more robust solution for finding the "root" of the user's code might be needed,
+    # or clear instructions on project structure.
+    # For now, this handles simple cases: module.py in CWD or package/ in CWD.
+
+    print(
+        f"Warning: Could not reliably resolve path for '{function_ref}'. "
+        f"Attempting to use '{parts[0]}' as the top-level module/package name from CWD."
+    )
+
+    # If we couldn't find it as a direct file or package, we can't be sure.
+    # This part needs to be more robust or have clearer assumptions.
+    # For now, let's assume if it's not found as above, it's an error for Dockerfile generation.
+    return None
+
+
+def generate_dockerfile_content(
+    function_ref: str,
+    python_version: str = DEFAULT_PYTHON_VERSION,
+    eval_protocol_install_source: str = "eval-protocol",  # e.g., "eval-protocol", "eval-protocol[dev]", or path to local wheel/sdist
+    user_requirements_path: Optional[str] = None,  # Path relative to CWD or absolute
+    inline_requirements_content: Optional[str] = None,  # Direct content for requirements.txt
+    service_port: int = 8080,
+) -> Optional[str]:
+    """
+    Generates the content for a Dockerfile to serve a given reward function.
+
+    Args:
+        function_ref: Python import string for the reward function (e.g., 'my_module.my_reward_func').
+        python_version: The Python version for the base image (e.g., "3.10").
+        eval_protocol_install_source: Pip install string for eval-protocol.
+        user_requirements_path: Optional path to a requirements.txt for user dependencies.
+        inline_requirements_content: Optional string containing the content of requirements.txt.
+        service_port: Port the service inside the container will listen on.
+
+    Returns:
+        The Dockerfile content as a string, or None if user code path cannot be resolved.
+    """
+
+    resolved_code = _resolve_module_path_and_name(function_ref)
+    if not resolved_code:
+        print(
+            f"Error: Could not resolve path for function reference '{function_ref}'. "
+            "Ensure the first part of the reference (e.g., 'my_module' or 'my_package') "
+            "is a Python module (.py file) or package (directory with __init__.py) "
+            "in the current working directory."
+        )
+        return None
+
+    path_to_copy, top_module_name, copy_dest_name = resolved_code
+
+    # Determine the source path for COPY relative to the Docker build context (assumed to be CWD)
+    # If path_to_copy is absolute, we need its name relative to CWD for the COPY instruction.
+    # For simplicity, _resolve_module_path_and_name returns paths that are effectively relative to CWD for copying.
+    # So, copy_source_path will be top_module_name (for a package) or f"{top_module_name}.py" (for a module file).
+    copy_source_path = copy_dest_name  # This is what we determined to copy (e.g. "my_package" or "my_module.py")
+
+    dockerfile_lines = [
+        f"FROM python:{python_version}-slim",
+        "",
+        "WORKDIR /app",
+        "",
+        "# Copy the entire application source (build context)",
+        "COPY . .",  # Copies setup.py, eval_protocol package, user's function module, etc.
+        "",
+        "# Install reward-kit from local source and its dependencies",
+        # This assumes setup.py is configured to install eval_protocol and its deps.
+        # Add [dev] if extra dev dependencies are needed by generic_server itself, though unlikely.
+        "RUN pip install --no-cache-dir .",
+        "",
+    ]
+
+    # The user's reward function module (e.g., dummy_rewards.py) is now copied by "COPY . ."
+    # So, the specific COPY for resolved_code is no longer needed here.
+    # The function_ref in CMD will be resolved from /app.
+
+    # Handle user-specific requirements.txt, if provided
+    # This should be relative to the build context root (copied by "COPY . .")
+    if user_requirements_path:
+        # The user_requirements_path is relative to the build context root.
+        # "COPY . ." will have copied this file into the /app directory.
+        # The RUN command below will install these dependencies if the file exists.
+        dockerfile_lines.extend(
+            [
+                f"# Copy and install user-specific dependencies (if {user_requirements_path} exists in context)",
+                # The file is already copied by "COPY . .". We just need to run pip install.
+                # The path inside the container will be user_requirements_path relative to /app
+                f'RUN if [ -f {user_requirements_path} ]; then pip install --no-cache-dir -r {user_requirements_path}; else echo "User requirements file {user_requirements_path} not found in /app, skipping."; fi',
+                "",
+            ]
+        )
+
+    # Handle inline requirements content, if provided
+    if inline_requirements_content and inline_requirements_content.strip():
+        # Escape backslashes and quotes for the echo command
+        escaped_requirements = inline_requirements_content.replace("\\", "\\\\").replace("'", "'\\''")
+        dockerfile_lines.extend(
+            [
+                "# Create and install dependencies from inline requirements content",
+                f"RUN echo '{escaped_requirements}' > /app/generated_requirements.txt",
+                "RUN pip install --no-cache-dir -r /app/generated_requirements.txt",
+                "",
+            ]
+        )
+
+    dockerfile_lines.extend(
+        [
+            f"ENV PORT {service_port}",
+            f"EXPOSE {service_port}",
+            "",
+            "# Run the generic server, pointing to the user's function",
+            # Using shell form for CMD to allow $PORT expansion
+            f"CMD python -m eval_protocol.generic_server {function_ref} --host 0.0.0.0 --port $PORT",
+        ]
+    )
+
+    return "\n".join(dockerfile_lines)
+
+
+if __name__ == "__main__":
+    # Example Usage
+    print("--- Example 1: Module in CWD ---")
+    # Create dummy my_test_reward_module.py
+    with open("my_test_reward_module.py", "w") as f:
+        f.write("def my_reward_func(): pass\n")
+
+    dockerfile_content_module = generate_dockerfile_content(
+        function_ref="my_test_reward_module.my_reward_func",
+        user_requirements_path="dummy_requirements.txt",  # Test non-existent req file
+    )
+    if dockerfile_content_module:
+        print("\nGenerated Dockerfile (module):")
+        print(dockerfile_content_module)
+    os.remove("my_test_reward_module.py")
+
+    print("\n--- Example 2: Package in CWD ---")
+    # Create dummy package my_test_reward_pkg/
+    pkg_name = "my_test_reward_pkg"
+    Path(pkg_name).mkdir(exist_ok=True)
+    with open(Path(pkg_name) / "__init__.py", "w") as f:
+        f.write("# Package init\n")
+    with open(Path(pkg_name) / "rewards.py", "w") as f:
+        f.write("def complex_reward_func(): pass\n")
+
+    # Create dummy requirements.txt for this package example
+    user_reqs_name = "pkg_requirements.txt"
+    with open(user_reqs_name, "w") as f:
+        f.write("numpy==1.23.0\n")
+
+    dockerfile_content_pkg = generate_dockerfile_content(
+        function_ref="my_test_reward_pkg.rewards.complex_reward_func",
+        user_requirements_path=user_reqs_name,
+    )
+    if dockerfile_content_pkg:
+        print("\nGenerated Dockerfile (package):")
+        print(dockerfile_content_pkg)
+
+    # Cleanup
+    os.remove(Path(pkg_name) / "rewards.py")
+    os.remove(Path(pkg_name) / "__init__.py")
+    Path(pkg_name).rmdir()
+    os.remove(user_reqs_name)
+
+    print("\n--- Example 3: Unresolvable function ref ---")
+    dockerfile_content_bad = generate_dockerfile_content(function_ref="non_existent_module.some_func")
+    if dockerfile_content_bad:
+        print(dockerfile_content_bad)
+    else:
+        print("Dockerfile generation failed as expected for non_existent_module.")

eval_protocol/platform_api.py

@@ -0,0 +1,360 @@
+# eval_protocol/platform_api.py
+import logging
+import sys
+from typing import Any, Dict, Optional
+
+import requests
+from dotenv import find_dotenv, load_dotenv
+
+from eval_protocol.auth import (
+    get_fireworks_account_id,
+    get_fireworks_api_base,
+    get_fireworks_api_key,
+)
+
+logger = logging.getLogger(__name__)
+
+# --- Load .env files ---
+# Attempt to load .env.dev first, then .env as a fallback.
+# This happens when the module is imported.
+# We use override=False (default) so that existing environment variables
+# (e.g., set in the shell) are NOT overridden by .env files.
+ENV_DEV_PATH = find_dotenv(filename=".env.dev", raise_error_if_not_found=False, usecwd=True)
+if ENV_DEV_PATH:
+    load_dotenv(dotenv_path=ENV_DEV_PATH, override=False)
+    logger.info(f"eval_protocol.platform_api: Loaded environment variables from: {ENV_DEV_PATH}")
+else:
+    ENV_PATH = find_dotenv(filename=".env", raise_error_if_not_found=False, usecwd=True)
+    if ENV_PATH:
+        load_dotenv(dotenv_path=ENV_PATH, override=False)
+        logger.info(f"eval_protocol.platform_api: Loaded environment variables from: {ENV_PATH}")
+    else:
+        logger.info(
+            "eval_protocol.platform_api: No .env.dev or .env file found. "
+            "Relying on shell/existing environment variables."
+        )
+# --- End .env loading ---
+
+
+class PlatformAPIError(Exception):
+    """Custom exception for platform API errors."""
+
+    def __init__(
+        self,
+        message: str,
+        status_code: Optional[int] = None,
+        response_text: Optional[str] = None,
+    ):
+        super().__init__(message)
+        self.status_code = status_code
+        self.response_text = response_text
+
+    def __str__(self) -> str:
+        return f"{super().__str__()} (Status: {self.status_code}, Response: {self.response_text or 'N/A'})"
+
+
+def create_or_update_fireworks_secret(
+    account_id: str,
+    key_name: str,  # This is the identifier for the secret, e.g., "my-eval-api-key"
+    secret_value: str,
+    api_key: Optional[str] = None,
+    api_base: Optional[str] = None,
+) -> bool:
+    """
+    Creates a new secret on the Fireworks AI platform or updates it if it already exists.
+    The 'name' of the secret in Fireworks API terms is the resource path, while 'keyName' is the identifier.
+
+    Args:
+        account_id: Fireworks Account ID.
+        key_name: The identifier for the secret (e.g., "WOLFRAM_ALPHA_API_KEY", "my_eval_shim_key").
+        secret_value: The actual secret string.
+        api_key: Fireworks API key for authenticating this request. Resolves from env/config if None.
+        api_base: Fireworks API base URL. Resolves from env/config if None.
+
+    Returns:
+        True if successful, False otherwise.
+    """
+    resolved_api_key = api_key or get_fireworks_api_key()
+    resolved_api_base = api_base or get_fireworks_api_base()
+    resolved_account_id = account_id  # Must be provided
+
+    if not all([resolved_api_key, resolved_api_base, resolved_account_id]):
+        logger.error("Missing Fireworks API key, base URL, or account ID for creating/updating secret.")
+        return False
+
+    headers = {
+        "Authorization": f"Bearer {resolved_api_key}",
+        "Content-Type": "application/json",
+    }
+
+    # The secret_id for GET/PATCH/DELETE operations is the key_name.
+    # The 'name' field in the gatewaySecret model for POST/PATCH is a bit ambiguous.
+    # For POST (create), the body is gatewaySecret, which has 'name', 'keyName', 'value'.
+    # 'name' in POST body is likely just the 'keyName' or 'secret_id' for creation context,
+    # as the full resource name 'accounts/.../secrets/...' is server-generated.
+    # Let's assume for POST, we send 'keyName' and 'value'.
+    # For PATCH, the path contains {secret_id} which is the key_name. The body is also gatewaySecret.
+
+    # Check if secret exists using GET (path uses secret_id which is our key_name)
+    get_url = f"{resolved_api_base.rstrip('/')}/v1/accounts/{resolved_account_id}/secrets/{key_name}"
+    secret_exists = False
+    try:
+        response = requests.get(get_url, headers=headers, timeout=10)
+        if response.status_code == 200:
+            secret_exists = True
+            logger.info(f"Secret '{key_name}' already exists. Will attempt to update.")
+        elif response.status_code == 404:
+            logger.info(f"Secret '{key_name}' does not exist. Will attempt to create.")
+            secret_exists = False
+        elif response.status_code == 500:  # As per user feedback, 500 on GET might mean not found
+            logger.warning(
+                f"Received 500 error when checking for secret '{key_name}'. Assuming it does not exist and will attempt to create. Response: {response.text}"
+            )
+            secret_exists = False
+        else:
+            logger.error(f"Error checking for secret '{key_name}': {response.status_code} - {response.text}")
+            return False
+    except requests.exceptions.RequestException as e:
+        logger.error(f"Request exception while checking for secret '{key_name}': {e}")
+        return False
+
+    if secret_exists:
+        # Update existing secret (PATCH)
+        patch_url = f"{resolved_api_base.rstrip('/')}/v1/accounts/{resolved_account_id}/secrets/{key_name}"
+        # Body for PATCH requires 'keyName' and 'value'.
+        # Transform key_name for payload: uppercase and underscores
+        payload_key_name = key_name.upper().replace("-", "_")
+        # Ensure it starts with an uppercase letter (though .upper() should handle it)
+        if not payload_key_name or not payload_key_name[0].isupper():
+            # This case should be rare if key_name is not empty and contains letters
+            logger.warning(
+                f"Could not transform key_name '{key_name}' to valid starting uppercase for payload. Using default 'EP_SECRET.'"
+            )
+            payload_key_name = "EP_SECRET"  # Fallback, though unlikely needed with .upper()
+
+        payload = {"keyName": payload_key_name, "value": secret_value}
+        try:
+            logger.debug(f"PATCH payload for '{key_name}': {payload}")
+            response = requests.patch(patch_url, headers=headers, json=payload, timeout=30)
+            response.raise_for_status()
+            logger.info(f"Successfully updated secret '{key_name}' on Fireworks platform.")
+            return True
+        except requests.exceptions.HTTPError as e:
+            logger.error(f"HTTP error updating secret '{key_name}': {e.response.status_code} - {e.response.text}")
+            return False
+        except requests.exceptions.RequestException as e:
+            logger.error(f"Request exception updating secret '{key_name}': {e}")
+            return False
+    else:
+        # Create new secret (POST)
+        post_url = f"{resolved_api_base.rstrip('/')}/v1/accounts/{resolved_account_id}/secrets"
+        # Body for POST is gatewaySecret. 'name' field in payload is tricky.
+        # Let's assume for POST, the 'name' in payload can be omitted or is the key_name.
+        # The API should ideally use 'keyName' from URL or a specific 'secretId' in payload for creation if 'name' is server-assigned.
+        # Given the Swagger, 'name' is required in gatewaySecret.
+        # Let's try with 'name' being the 'key_name' for the payload, as the full path is not known yet.
+        # This might need adjustment based on actual API behavior.
+        # Construct the full 'name' path for the POST payload as per Swagger's title for 'name'
+        full_resource_name_for_payload = (
+            f"accounts/{resolved_account_id}/secrets/{key_name}"  # Path uses lowercase-hyphenated key_name
+        )
+
+        # Transform key_name for payload "keyName" field: uppercase and underscores
+        payload_key_name = key_name.upper().replace("-", "_")
+        if not payload_key_name or not payload_key_name[0].isupper():
+            logger.warning(
+                f"Could not transform key_name '{key_name}' to valid starting uppercase for payload. Using default 'EP_SECRET.'"
+            )
+            payload_key_name = "EP_SECRET"
+
+        payload = {
+            "name": full_resource_name_for_payload,  # This 'name' is the resource path
+            "keyName": payload_key_name,  # This 'keyName' is the specific field with new rules
+            "value": secret_value,
+        }
+        try:
+            logger.debug(f"POST payload for '{key_name}': {payload}")
+            response = requests.post(post_url, headers=headers, json=payload, timeout=30)
+            response.raise_for_status()
+            logger.info(
+                f"Successfully created secret '{key_name}' on Fireworks platform. Full name: {response.json().get('name')}"
+            )
+            return True
+        except requests.exceptions.HTTPError as e:
+            logger.error(f"HTTP error creating secret '{key_name}': {e.response.status_code} - {e.response.text}")
+            # If error is due to 'name' field, this log will show it.
+            return False
+        except requests.exceptions.RequestException as e:
+            logger.error(f"Request exception creating secret '{key_name}': {e}")
+            return False
+
+
+def get_fireworks_secret(
+    account_id: str,
+    key_name: str,  # This is the identifier for the secret
+    api_key: Optional[str] = None,
+    api_base: Optional[str] = None,
+) -> Optional[Dict[str, Any]]:
+    """
+    Retrieves a secret from the Fireworks AI platform by its keyName.
+    Note: This typically does not return the secret's actual value for security reasons,
+          but rather its metadata.
+    """
+    resolved_api_key = api_key or get_fireworks_api_key()
+    resolved_api_base = api_base or get_fireworks_api_base()
+    resolved_account_id = account_id
+
+    if not all([resolved_api_key, resolved_api_base, resolved_account_id]):
+        logger.error("Missing Fireworks API key, base URL, or account ID for getting secret.")
+        return None
+
+    headers = {"Authorization": f"Bearer {resolved_api_key}"}
+    url = f"{resolved_api_base.rstrip('/')}/v1/accounts/{resolved_account_id}/secrets/{key_name}"
+
+    try:
+        response = requests.get(url, headers=headers, timeout=10)
+        if response.status_code == 200:
+            logger.info(f"Successfully retrieved secret '{key_name}'.")
+            return response.json()
+        elif response.status_code == 404:
+            logger.info(f"Secret '{key_name}' not found.")
+            return None
+        else:
+            logger.error(f"Error getting secret '{key_name}': {response.status_code} - {response.text}")
+            return None
+    except requests.exceptions.RequestException as e:
+        logger.error(f"Request exception while getting secret '{key_name}': {e}")
+        return None
+
+
+def delete_fireworks_secret(
+    account_id: str,
+    key_name: str,  # This is the identifier for the secret
+    api_key: Optional[str] = None,
+    api_base: Optional[str] = None,
+) -> bool:
+    """
+    Deletes a secret from the Fireworks AI platform by its keyName.
+    """
+    resolved_api_key = api_key or get_fireworks_api_key()
+    resolved_api_base = api_base or get_fireworks_api_base()
+    resolved_account_id = account_id
+
+    if not all([resolved_api_key, resolved_api_base, resolved_account_id]):
+        logger.error("Missing Fireworks API key, base URL, or account ID for deleting secret.")
+        return False
+
+    headers = {"Authorization": f"Bearer {resolved_api_key}"}
+    url = f"{resolved_api_base.rstrip('/')}/v1/accounts/{resolved_account_id}/secrets/{key_name}"
+
+    try:
+        response = requests.delete(url, headers=headers, timeout=30)
+        if response.status_code == 200 or response.status_code == 204:  # 204 No Content is also success for DELETE
+            logger.info(f"Successfully deleted secret '{key_name}'.")
+            return True
+        elif response.status_code == 404:
+            logger.info(f"Secret '{key_name}' not found, nothing to delete.")
+            return True
+        elif (
+            response.status_code == 500
+        ):  # As per user feedback, 500 on GET might mean not found, apply same logic for DELETE
+            logger.warning(
+                f"Received 500 error when deleting secret '{key_name}'. Assuming it might not have existed. Response: {response.text}"
+            )
+            return True  # Consider deletion successful if it results in non-existence
+        else:
+            logger.error(f"Error deleting secret '{key_name}': {response.status_code} - {response.text}")
+            return False
+    except requests.exceptions.RequestException as e:
+        logger.error(f"Request exception while deleting secret '{key_name}': {e}")
+        return False
+
+
+if __name__ == "__main__":
+    # Example usage for manual testing of secret management
+    logging.basicConfig(
+        level=logging.INFO,
+        format="%(asctime)s - %(levelname)s - %(name)s - %(message)s",
+    )
+
+    # Note: .env file loading is now handled at the module level when platform_api.py is imported.
+    # The section that was here for loading .env files specifically for __main__ has been removed
+    # to rely on the module-level loading.
+
+    # These should be set in your .env.dev, .env file (or shell environment) for this test to run
+    # FIREWORKS_API_KEY="your_fireworks_api_key"
+    # FIREWORKS_ACCOUNT_ID="your_fireworks_account_id"
+    # FIREWORKS_API_BASE="https://api.fireworks.ai" # or your dev/staging endpoint
+
+    test_account_id = get_fireworks_account_id()
+    test_api_key = get_fireworks_api_key()  # Not passed directly, functions will resolve
+    test_api_base = get_fireworks_api_base()
+
+    logger.info(f"Attempting to use the following configuration for testing Fireworks secrets API:")
+    logger.info(f"  Resolved FIREWORKS_ACCOUNT_ID: {test_account_id}")
+    logger.info(f"  Resolved FIREWORKS_API_BASE: {test_api_base}")
+    logger.info(
+        f"  Resolved FIREWORKS_API_KEY: {'********' + test_api_key[-4:] if test_api_key and len(test_api_key) > 4 else 'Not set or too short'}"
+    )
+
+    if not test_account_id or not test_api_key or not test_api_base:
+        logger.error(
+            "CRITICAL: FIREWORKS_ACCOUNT_ID, FIREWORKS_API_KEY, and FIREWORKS_API_BASE must be correctly set in environment or .env file to run this test."
+        )
+        import sys  # Make sure sys is imported if using sys.exit
+
+        sys.exit(1)
+
+    test_secret_key_name = "rewardkit-test-secret-delete-me"  # Changed to be valid
+    test_secret_value = "test_secret_value_12345"
+    updated_secret_value = "updated_secret_value_67890"
+
+    logger.info(f"--- Testing Fireworks Secret Management for account: {test_account_id} ---")
+
+    # 1. Ensure it doesn't exist initially (or delete if it does from a previous failed run)
+    logger.info(f"\n[Test Step 0] Attempting to delete '{test_secret_key_name}' if it exists (cleanup)...")
+    delete_fireworks_secret(test_account_id, test_secret_key_name)
+    retrieved = get_fireworks_secret(test_account_id, test_secret_key_name)
+    if retrieved is None:
+        logger.info(f"Confirmed secret '{test_secret_key_name}' does not exist before creation test.")
+    else:
+        logger.error(f"Secret '{test_secret_key_name}' still exists after cleanup attempt. Manual check needed.")
+        # sys.exit(1) # Optional: make it fatal
+
+    # 2. Create secret
+    logger.info(f"\n[Test Step 1] Creating secret '{test_secret_key_name}' with value '{test_secret_value}'...")
+    success_create = create_or_update_fireworks_secret(test_account_id, test_secret_key_name, test_secret_value)
+    logger.info(f"Create operation success: {success_create}")
+
+    # 3. Get secret (to verify creation, though value won't be returned)
+    logger.info(f"\n[Test Step 2] Getting secret '{test_secret_key_name}'...")
+    retrieved_after_create = get_fireworks_secret(test_account_id, test_secret_key_name)
+    if retrieved_after_create:
+        logger.info(f"Retrieved secret metadata: {retrieved_after_create}")
+        # Assert against the transformed keyName that's expected in the payload/response body
+        expected_payload_key_name = test_secret_key_name.upper().replace("-", "_")
+        assert retrieved_after_create.get("keyName") == expected_payload_key_name
+        assert retrieved_after_create.get("value") == test_secret_value  # Also check value if returned
+    else:
+        logger.error(f"Failed to retrieve secret '{test_secret_key_name}' after creation.")
+
+    # 4. Update secret
+    logger.info(f"\n[Test Step 3] Updating secret '{test_secret_key_name}' with value '{updated_secret_value}'...")
+    success_update = create_or_update_fireworks_secret(test_account_id, test_secret_key_name, updated_secret_value)
+    logger.info(f"Update operation success: {success_update}")
+    # (Getting again won't show the value, so we assume PATCH worked if it returned True)
+
+    # 5. Delete secret
+    logger.info(f"\n[Test Step 4] Deleting secret '{test_secret_key_name}'...")
+    success_delete = delete_fireworks_secret(test_account_id, test_secret_key_name)
+    logger.info(f"Delete operation success: {success_delete}")
+
+    # 6. Get secret (to verify deletion)
+    logger.info(f"\n[Test Step 5] Getting secret '{test_secret_key_name}' again to confirm deletion...")
+    retrieved_after_delete = get_fireworks_secret(test_account_id, test_secret_key_name)
+    if retrieved_after_delete is None:
+        logger.info(f"Secret '{test_secret_key_name}' successfully confirmed as deleted.")
+    else:
+        logger.error(f"Secret '{test_secret_key_name}' still exists after delete operation: {retrieved_after_delete}")
+
+    logger.info("\n--- Test script finished ---")