fujin-cli 0.22.2__tar.gz → 0.24.0__tar.gz

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/.github/workflows/publish.yml

@@ -35,6 +35,7 @@ jobs:
           - bitwarden
           - 1password
           - doppler
+          - env
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -169,6 +170,8 @@ jobs:
             artifact: wheels-plugin-1password
           - name: fujin-secrets-doppler
             artifact: wheels-plugin-doppler
+          - name: fujin-secrets-env
+            artifact: wheels-plugin-env
     steps:
       - name: Download artifacts for ${{ matrix.package.name }}
         uses: actions/download-artifact@v4

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/CHANGELOG.md

@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.24.0] - 2026-03-21
+
+### 🚀 Features
+
+- Add env secrets adapter and refactor adapter config
+
+### ⚙️ Miscellaneous Tasks
+
+- Add fujin-secrets-env to publish workflow
+
+## [0.23.0] - 2026-03-21
+
+### 🚀 Features
+
+- Stream .env directly to server instead of bundling
+- Add --bundle-dir option to preserve deployment bundle
+
 ## [0.22.2] - 2026-03-21
 
 ### 🐛 Bug Fixes

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fujin-cli
-Version: 0.22.2
+Version: 0.24.0
 Summary: Get your project up and running in a few minutes on your own vps.
 Project-URL: Documentation, https://github.com/Tobi-De/fujin#readme
 Project-URL: Issues, https://github.com/Tobi-De/fujin/issues

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/plugins/fujin-secrets-1password/pyproject.toml

@@ -4,7 +4,7 @@ requires = [ "uv-build>=0.9.18,<0.10" ]
 
 [project]
 name = "fujin-secrets-1password"
-version = "0.22.2"
+version = "0.24.0"
 description = "1Password secret adapter for Fujin"
 readme = "README.md"
 authors = [
@@ -20,7 +20,7 @@ classifiers = [
   "Programming Language :: Python :: 3.14",
 ]
 dependencies = [
-  "fujin-cli>=0.22.2",
+  "fujin-cli>=0.24",
   "python-dotenv>=1.0.1",
 ]
 

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/plugins/fujin-secrets-bitwarden/README.md

@@ -27,12 +27,14 @@ Add the following to your `fujin.toml` file:
 ```toml
 [secrets]
 adapter = "bitwarden"
+
+[secrets.options]
 password_env = "BW_PASSWORD"
 ```
 
 To unlock the Bitwarden vault, the password is required. Set the `BW_PASSWORD` environment variable in your shell. When Fujin signs in, it will always sync the vault first.
 
-Alternatively, you can set the `BW_SESSION` environment variable. If `BW_SESSION` is present, Fujin will use it directly without signing in or syncing the vault. In this case, the `password_env` configuration is not required.
+Alternatively, you can set the `BW_SESSION` environment variable. If `BW_SESSION` is present, Fujin will use it directly without signing in or syncing the vault. In this case, the `options.password_env` configuration is not required.
 
 ## Usage
 

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/plugins/fujin-secrets-bitwarden/pyproject.toml

@@ -4,7 +4,7 @@ requires = [ "uv-build>=0.9.18,<0.10" ]
 
 [project]
 name = "fujin-secrets-bitwarden"
-version = "0.22.2"
+version = "0.24.0"
 description = "Bitwarden secret adapter for Fujin"
 readme = "README.md"
 authors = [
@@ -20,7 +20,7 @@ classifiers = [
   "Programming Language :: Python :: 3.14",
 ]
 dependencies = [
-  "fujin-cli>=0.22.2",
+  "fujin-cli>=0.24",
   "python-dotenv>=1.0.1",
 ]
 

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/plugins/fujin-secrets-bitwarden/src/fujin_secrets_bitwarden/__init__.py

@@ -54,13 +54,14 @@ def bitwarden(env_content: str, secret_config: SecretConfig) -> str:
     # Authenticate with Bitwarden
     session = os.getenv("BW_SESSION")
     if not session:
-        if not secret_config.password_env:
+        password_env = secret_config.options.get("password_env")
+        if not password_env:
             raise SecretResolutionError(
-                "You need to set the password_env to use the bitwarden adapter "
+                "You need to set options.password_env to use the bitwarden adapter "
                 "or set the BW_SESSION environment variable",
                 adapter="bitwarden",
             )
-        session = _signin(secret_config.password_env)
+        session = _signin(password_env)
 
     # Resolve secrets concurrently
     resolved_secrets = {}

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/plugins/fujin-secrets-doppler/pyproject.toml

@@ -4,7 +4,7 @@ requires = [ "uv-build>=0.9.18,<0.10" ]
 
 [project]
 name = "fujin-secrets-doppler"
-version = "0.22.2"
+version = "0.24.0"
 description = "Doppler secret adapter for Fujin"
 readme = "README.md"
 authors = [
@@ -20,7 +20,7 @@ classifiers = [
   "Programming Language :: Python :: 3.14",
 ]
 dependencies = [
-  "fujin-cli>=0.22.2",
+  "fujin-cli>=0.24",
   "python-dotenv>=1.0.1",
 ]
 

fujin_cli-0.24.0/plugins/fujin-secrets-env/README.md

@@ -0,0 +1,86 @@
+# Fujin Secrets - Environment Variable
+
+Environment variable secret adapter for Fujin deployment tool. Reads secrets from a JSON-formatted environment variable, making it ideal for CI systems like GitHub Actions.
+
+## Installation
+
+```bash
+pip install fujin-secrets-env
+```
+
+Or with uv:
+
+```bash
+uv pip install fujin-secrets-env
+```
+
+## Configuration
+
+Add the following to your `fujin.toml` file:
+
+```toml
+[secrets]
+adapter = "env"
+
+[secrets.options]
+source = "FUJIN_SECRETS"
+```
+
+The `source` option specifies the name of the environment variable containing the JSON-formatted secrets.
+
+## Usage
+
+### GitHub Actions
+
+In your workflow file, pass all secrets as JSON using `toJSON(secrets)`:
+
+```yaml
+- name: Deploy
+  run: uvx --from fujin-cli --with fujin-secrets-env fujin deploy
+  env:
+    FUJIN_SECRETS: ${{ toJSON(secrets) }}
+```
+
+### Environment File
+
+In your environment configuration (via `env` in `fujin.toml`), prefix secret values with `$`:
+
+```env
+DEBUG=False
+SECRET_KEY=$SECRET_KEY
+DATABASE_URL=$DATABASE_URL
+AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+```
+
+The `$` prefix indicates to Fujin that the value should be resolved from the secrets source.
+
+## How it Works
+
+The adapter:
+1. Reads the JSON string from the configured environment variable
+2. Parses the JSON into a dictionary
+3. For each secret reference (prefixed with `$`), looks up the value in the parsed JSON
+4. Returns the resolved environment variables
+
+## Example
+
+Given this GitHub Actions secret setup:
+- `SECRET_KEY`: `my-secret-key`
+- `DATABASE_URL`: `postgres://...`
+
+And this fujin.toml env configuration:
+```toml
+[[hosts]]
+env = """
+DEBUG=False
+SECRET_KEY=$SECRET_KEY
+DATABASE_URL=$DATABASE_URL
+"""
+```
+
+The adapter will resolve `$SECRET_KEY` and `$DATABASE_URL` from the JSON passed via `FUJIN_SECRETS`.
+
+## Related
+
+- [Fujin Documentation](https://github.com/Tobi-De/fujin)
+- [GitHub Actions Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)

fujin_cli-0.24.0/plugins/fujin-secrets-env/pyproject.toml

@@ -0,0 +1,33 @@
+[build-system]
+build-backend = "uv_build"
+requires = [ "uv-build>=0.9.18,<0.10" ]
+
+[project]
+name = "fujin-secrets-env"
+version = "0.23.0"
+description = "Environment variable secret adapter for Fujin"
+readme = "README.md"
+authors = [
+  { name = "Tobi", email = "tobidegnon@proton.me" },
+]
+requires-python = ">=3.10"
+classifiers = [
+  "Programming Language :: Python :: 3 :: Only",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
+]
+dependencies = [
+  "fujin-cli>=0.23",
+  "python-dotenv>=1.0.1",
+]
+
+urls.Homepage = "https://github.com/Tobi-De/fujin"
+urls.Issues = "https://github.com/Tobi-De/fujin/issues"
+urls.Source = "https://github.com/Tobi-De/fujin"
+entry-points."fujin.secrets".env = "fujin_secrets_env:env"
+
+[tool.uv.sources]
+fujin-cli = { workspace = true }

fujin_cli-0.24.0/plugins/fujin-secrets-env/src/fujin_secrets_env/__init__.py

@@ -0,0 +1,95 @@
+"""Environment variable secret adapter for Fujin."""
+
+from __future__ import annotations
+
+import json
+import os
+from contextlib import closing
+from io import StringIO
+
+from dotenv import dotenv_values
+
+from fujin.config import SecretConfig
+from fujin.errors import SecretResolutionError
+
+
+def env(env_content: str, secret_config: SecretConfig) -> str:
+    """Environment variable secret adapter.
+
+    Reads secrets from a JSON-formatted environment variable. Useful for CI
+    systems like GitHub Actions where secrets can be passed as JSON.
+
+    Configuration:
+        [secrets]
+        adapter = "env"
+        source = "FUJIN_SECRETS"  # Name of env var containing JSON secrets
+
+    Example GitHub Actions usage:
+        env:
+          FUJIN_SECRETS: ${{ toJSON(secrets) }}
+
+    Args:
+        env_content: Raw environment file content
+        secret_config: Secret configuration with adapter settings
+
+    Returns:
+        Resolved environment content with secrets replaced
+
+    Raises:
+        SecretResolutionError: If source env var not set or invalid JSON
+    """
+    source = secret_config.options.get("source")
+    if not source:
+        raise SecretResolutionError(
+            "The 'options.source' parameter is required for the env adapter. "
+            "Set it to the name of the environment variable containing secrets JSON.",
+            adapter="env",
+        )
+
+    # Read JSON from source env var
+    secrets_json = os.getenv(source)
+    if not secrets_json:
+        raise SecretResolutionError(
+            f"Environment variable '{source}' is not set or empty.",
+            adapter="env",
+        )
+
+    try:
+        secrets = json.loads(secrets_json)
+    except json.JSONDecodeError as e:
+        raise SecretResolutionError(
+            f"Invalid JSON in '{source}': {e}",
+            adapter="env",
+        ) from e
+
+    if not isinstance(secrets, dict):
+        raise SecretResolutionError(
+            f"'{source}' must contain a JSON object, got {type(secrets).__name__}",
+            adapter="env",
+        )
+
+    # Parse env file
+    with closing(StringIO(env_content)) as buffer:
+        env_dict = dotenv_values(stream=buffer)
+
+    # Identify secrets (values starting with $)
+    secret_refs = {
+        key: value[1:]  # Strip the $ prefix
+        for key, value in env_dict.items()
+        if value and value.startswith("$")
+    }
+
+    if not secret_refs:
+        return env_content
+
+    # Resolve secrets
+    for key, secret_name in secret_refs.items():
+        if secret_name not in secrets:
+            raise SecretResolutionError(
+                f"Secret '{secret_name}' not found in '{source}'",
+                adapter="env",
+                key=key,
+            )
+        env_dict[key] = secrets[secret_name]
+
+    return "\n".join(f'{key}="{value}"' for key, value in env_dict.items())

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/pyproject.toml

@@ -5,7 +5,7 @@ requires = [ "hatchling" ]
 
 [project]
 name = "fujin-cli"
-version = "0.22.2"
+version = "0.24.0"
 description = "Get your project up and running in a few minutes on your own vps."
 readme = "README.md"
 keywords = [
@@ -74,10 +74,12 @@ members = [
   "plugins/fujin-secrets-bitwarden",
   "plugins/fujin-secrets-1password",
   "plugins/fujin-secrets-doppler",
+  "plugins/fujin-secrets-env",
 ]
 
 [tool.uv.sources]
 fujin-secrets-bitwarden = { workspace = true }
+fujin-secrets-env = { workspace = true }
 
 [tool.ruff]
 # Assume Python {{ python_version }}
@@ -149,7 +151,7 @@ markers = [
 ]
 
 [tool.bumpversion]
-current_version = "0.22.2"
+current_version = "0.24.0"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = [ "{major}.{minor}.{patch}" ]
 search = "{current_version}"

fujin_cli-0.24.0/src/fujin/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.24.0"

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/src/fujin/_installer.py

@@ -135,13 +135,6 @@ def install(
     install_dir = app_dir / ".install"
     install_dir.mkdir(exist_ok=True)
 
-    # Move .env file to .install/
-    env_file = bundle_dir / ".env"
-    if env_file.exists():
-        shutil.move(env_file, install_dir / ".env")
-        env_file = install_dir / ".env"
-        logger.debug("Moved .env to %s", env_file)
-
     # ==========================================================================
     # PHASE 2: INSTALLATION
     # ==========================================================================
@@ -221,7 +214,6 @@ export -f {config.app_name}
     run(f"chown -R {config.deploy_user}:{config.app_user} {install_dir}")
     # Make .install directory group-writable (deploy user can update, app user can read)
     install_dir.chmod(0o775)
-    env_file.chmod(0o640)
 
     # .venv permissions: readable/executable by group, writable by owner
     # Use chmod -R with symbolic modes to traverse once instead of 3 find commands

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/src/fujin/commands/deploy.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import base64
 import json
 import logging
 import shlex
@@ -8,9 +9,10 @@ import hashlib
 import subprocess
 import tempfile
 import zipapp
+from contextlib import contextmanager
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Annotated
+from typing import Annotated, Generator
 
 import cappa
 from rich.console import Console
@@ -61,6 +63,13 @@ class Deploy(BaseCommand):
             help="Disable automatic rollback on deployment failure",
         ),
     ] = False
+    bundle_dir: Annotated[
+        Path | None,
+        cappa.Arg(
+            long="--bundle-dir",
+            help="Directory to create bundle in (preserved after deploy, fails if exists)",
+        ),
+    ] = None
 
     def __call__(self):
         logger.debug("Starting deployment for %s", self.config.app_name)
@@ -124,7 +133,7 @@ class Deploy(BaseCommand):
         if not self.config.deployed_units:
             raise DeploymentError("No systemd units found, nothing to deploy")
 
-        with tempfile.TemporaryDirectory() as tmpdir:
+        with self._bundle_directory() as tmpdir:
             self.output.info("Preparing deployment bundle...")
             zipapp_dir = Path(tmpdir) / "zipapp_source"
             zipapp_dir.mkdir()
@@ -162,10 +171,9 @@ class Deploy(BaseCommand):
             # Track unresolved variables across all files
             all_unresolved = set()
 
-            # resolve and copy env file
+            # Resolve env file (uploaded separately, not bundled)
             resolved_env, unresolved = safe_format(parsed_env, **context)
             all_unresolved.update(unresolved)
-            (zipapp_dir / ".env").write_text(resolved_env)
 
             logger.debug("Validating and resolving systemd units")
             systemd_dir = zipapp_dir / "systemd"
@@ -351,6 +359,23 @@ class Deploy(BaseCommand):
                     conn.put(str(zipapp_path), remote_bundle_path_q, verify=True)
 
                 self.output.success("Bundle uploaded successfully.")
+
+                # Write .env file directly (not bundled for security)
+                remote_env_path = f"{self.config.install_dir}/.env"
+                remote_env_path_q = shlex.quote(remote_env_path)
+                install_dir_q = shlex.quote(self.config.install_dir)
+                logger.debug("Writing .env to %s", remote_env_path)
+
+                # Use base64 encoding to safely transfer content with special chars
+                encoded_env = base64.b64encode(resolved_env.encode()).decode()
+                conn.run(
+                    f"mkdir -p {install_dir_q} && "
+                    f"echo {shlex.quote(encoded_env)} | base64 -d > {remote_env_path_q} && "
+                    f"chmod 640 {remote_env_path_q} && "
+                    f"chown {self.selected_host.user}:{self.config.app_user} {remote_env_path_q}",
+                    hide=True,
+                )
+
                 self.output.info("Executing remote installation...")
 
                 rollback_ran = False
@@ -425,6 +450,26 @@ class Deploy(BaseCommand):
                 url = f"https://{domain}"
                 self.output.info(f"Application is available at: {url}")
 
+    @contextmanager
+    def _bundle_directory(self) -> Generator[Path, None, None]:
+        """Context manager for bundle directory.
+
+        If bundle_dir is specified, uses that directory (fails if exists).
+        Otherwise, creates a temporary directory that is cleaned up on exit.
+        """
+        if self.bundle_dir:
+            if self.bundle_dir.exists():
+                raise DeploymentError(
+                    f"Bundle directory already exists: {self.bundle_dir}"
+                )
+            self.bundle_dir.mkdir(parents=True)
+            logger.debug("Using bundle directory: %s", self.bundle_dir)
+            yield self.bundle_dir
+            self.output.info(f"Bundle preserved in: {self.bundle_dir}")
+        else:
+            with tempfile.TemporaryDirectory() as tmpdir:
+                yield Path(tmpdir)
+
     def _show_deployment_summary(self, bundle_size: int, bundle_version: str):
         console = Console()
 

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/src/fujin/config.py

@@ -35,7 +35,7 @@ class InstallationMode(StrEnum):
 
 class SecretConfig(msgspec.Struct):
     adapter: str
-    password_env: str | None = None
+    options: dict[str, str] = msgspec.field(default_factory=dict)
 
     def __post_init__(self):
         if not re.match(r"^[a-z0-9_-]+$", self.adapter):

{fujin_cli-0.22.2 → fujin_cli-0.24.0}/uv.lock

@@ -15,6 +15,7 @@ members = [
     "fujin-secrets-1password",
     "fujin-secrets-bitwarden",
     "fujin-secrets-doppler",
+    "fujin-secrets-env",
 ]
 
 [[package]]
@@ -345,7 +346,7 @@ wheels = [
 
 [[package]]
 name = "fujin-cli"
-version = "0.22.0"
+version = "0.23.0"
 source = { editable = "." }
 dependencies = [
     { name = "cappa" },
@@ -401,7 +402,7 @@ docs = [
 
 [[package]]
 name = "fujin-secrets-1password"
-version = "0.22.0"
+version = "0.23.0"
 source = { editable = "plugins/fujin-secrets-1password" }
 dependencies = [
     { name = "fujin-cli" },
@@ -416,7 +417,7 @@ requires-dist = [
 
 [[package]]
 name = "fujin-secrets-bitwarden"
-version = "0.22.0"
+version = "0.23.0"
 source = { editable = "plugins/fujin-secrets-bitwarden" }
 dependencies = [
     { name = "fujin-cli" },
@@ -431,7 +432,7 @@ requires-dist = [
 
 [[package]]
 name = "fujin-secrets-doppler"
-version = "0.22.0"
+version = "0.23.0"
 source = { editable = "plugins/fujin-secrets-doppler" }
 dependencies = [
     { name = "fujin-cli" },
@@ -444,6 +445,21 @@ requires-dist = [
     { name = "python-dotenv", specifier = ">=1.0.1" },
 ]
 
+[[package]]
+name = "fujin-secrets-env"
+version = "0.23.0"
+source = { editable = "plugins/fujin-secrets-env" }
+dependencies = [
+    { name = "fujin-cli" },
+    { name = "python-dotenv" },
+]
+
+[package.metadata]
+requires-dist = [
+    { name = "fujin-cli", editable = "." },
+    { name = "python-dotenv", specifier = ">=1.0.1" },
+]
+
 [[package]]
 name = "gunicorn"
 version = "25.1.0"

fujin_cli-0.22.2/src/fujin/__init__.py

@@ -1 +0,0 @@
-__version__ = "0.22.2"