granny-devops 0.8.0__tar.gz → 0.9.1__tar.gz

{granny_devops-0.8.0 → granny_devops-0.9.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.8.0
+Version: 0.9.1
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License
@@ -286,6 +286,12 @@ granny email workmail create-user example.com --email user@example.com
 granny create s3-website example.com --help
 granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
+
+# Authentik admin (provider + application + group plumbing)
+granny authentik list providers
+granny authentik rotate-secret my-oauth-provider
+granny authentik add-user-to-group user@example.com     # defaults to dash_admins
+granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
 ## Capability matrix
@@ -302,6 +308,7 @@ granny create mailjet-dns example.com
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
+| SSO / IdP | Authentik (provider, application, group, and user operations) |
 
 ## As a library
 

{granny_devops-0.8.0 → granny_devops-0.9.1}/README.md

@@ -154,6 +154,12 @@ granny email workmail create-user example.com --email user@example.com
 granny create s3-website example.com --help
 granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
+
+# Authentik admin (provider + application + group plumbing)
+granny authentik list providers
+granny authentik rotate-secret my-oauth-provider
+granny authentik add-user-to-group user@example.com     # defaults to dash_admins
+granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
 ## Capability matrix
@@ -170,6 +176,7 @@ granny create mailjet-dns example.com
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
+| SSO / IdP | Authentik (provider, application, group, and user operations) |
 
 ## As a library
 

{granny_devops-0.8.0 → granny_devops-0.9.1}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.8.0"
+__version__ = "0.9.1"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

granny_devops-0.9.1/granny/authentik/__init__.py

@@ -0,0 +1,8 @@
+"""Authentik management — REST API wrapper."""
+
+from granny.authentik.client import AuthentikClient, AuthentikError
+
+__all__ = [
+    "AuthentikClient",
+    "AuthentikError",
+]

granny_devops-0.9.1/granny/authentik/client.py

@@ -0,0 +1,337 @@
+"""Thin wrapper around the Authentik REST API.
+
+Uses ``requests`` (already a granny core dependency) so this module does
+not require any optional extras.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+import requests
+
+logger = logging.getLogger(__name__)
+
+
+class AuthentikError(RuntimeError):
+    """Raised on non-2xx responses from the Authentik API."""
+
+    def __init__(self, status: int, body: str) -> None:
+        super().__init__(f"HTTP {status}: {body[:400]}")
+        self.status = status
+        self.body = body
+
+
+class AuthentikClient:
+    """Authenticated client for the Authentik v3 REST API.
+
+    Construct directly when you already have the credentials, or use
+    :meth:`from_environment` to resolve via granny's normal env/vault
+    pipeline.
+    """
+
+    def __init__(self, base_url: str, token: str, *, timeout: float = 30.0) -> None:
+        self.base_url = base_url.rstrip("/")
+        self._token = token
+        self._timeout = timeout
+        self._session = requests.Session()
+        self._session.headers.update(
+            {
+                "Authorization": f"Bearer {token}",
+                "Accept": "application/json",
+            }
+        )
+
+    @classmethod
+    def from_environment(cls) -> "AuthentikClient":
+        """Build a client from env vars + Vaultwarden fallback.
+
+        Resolution order for the token (explicit env always wins so a
+        rotated value in ``.env`` is picked up immediately without having
+        to invalidate the vault session cache):
+
+        1. ``AK_TOKEN`` (env / .env / .deploy.env) — short alias matching
+           the standalone Authentik scripts.
+        2. ``AUTHENTIK_API_TOKEN`` (env / .env / .deploy.env or
+           Vaultwarden at ``granny/infra/authentik-api-token``, via the
+           normal :func:`granny.credentials.get_secret` chain).
+
+        For the base URL, ``AUTHENTIK_URL`` wins; default
+        ``https://auth.pseekoo.io``.
+        """
+        import os
+
+        from granny.credentials import get_secret
+
+        token = os.environ.get("AK_TOKEN") or get_secret("AUTHENTIK_API_TOKEN")
+        if not token:
+            raise AuthentikError(
+                0,
+                "AUTHENTIK_API_TOKEN (or AK_TOKEN) is not set. "
+                "Either export it, add it to .env/.deploy.env, or push the "
+                "token to Vaultwarden under granny/infra/authentik-api-token "
+                "and install the [vault] extra.",
+            )
+        base_url = os.environ.get("AUTHENTIK_URL") or "https://auth.pseekoo.io"
+        return cls(base_url=base_url, token=token)
+
+    # ── HTTP plumbing ────────────────────────────────────────────────────
+
+    def request(
+        self,
+        method: str,
+        path: str,
+        *,
+        body: Any = None,
+        params: dict[str, Any] | None = None,
+    ) -> Any:
+        """Execute one API request and return the decoded JSON body.
+
+        Returns ``None`` on 204 / empty bodies.
+        """
+        if not path.startswith("/"):
+            path = "/" + path
+        url = self.base_url + path
+        clean_params = {k: v for k, v in (params or {}).items() if v is not None}
+        resp = self._session.request(
+            method=method.upper(),
+            url=url,
+            params=clean_params or None,
+            json=body,
+            timeout=self._timeout,
+        )
+        if resp.status_code >= 400:
+            raise AuthentikError(resp.status_code, resp.text)
+        if not resp.content:
+            return None
+        try:
+            return resp.json()
+        except ValueError:
+            return resp.text
+
+    def paginate(self, path: str, params: dict[str, Any] | None = None) -> list[dict[str, Any]]:
+        """Walk an Authentik list endpoint, returning all pages concatenated."""
+        out: list[dict[str, Any]] = []
+        page = 1
+        while True:
+            p = dict(params or {})
+            p["page"] = page
+            data = self.request("GET", path, params=p) or {}
+            out.extend(data.get("results", []))
+            if not data.get("pagination", {}).get("next"):
+                break
+            page += 1
+        return out
+
+    # ── High-level lookups ───────────────────────────────────────────────
+
+    def find_flow_pk(self, slug: str) -> str:
+        results = self.request("GET", "/api/v3/flows/instances/", params={"slug": slug}).get(
+            "results", []
+        )
+        for f in results:
+            if f["slug"] == slug:
+                return f["pk"]
+        raise AuthentikError(404, f"No flow with slug={slug!r}")
+
+    def find_signing_key_pk(self, *, prefer_self_signed: bool = True) -> str:
+        """Return the pk of a key pair that can sign tokens."""
+        keys = self.paginate("/api/v3/crypto/certificatekeypairs/")
+        candidates = [k for k in keys if k.get("private_key_available")]
+        if not candidates:
+            raise AuthentikError(404, "No usable signing key pairs found")
+        if prefer_self_signed:
+            for k in candidates:
+                if "self-signed" in k["name"].lower():
+                    return k["pk"]
+        return candidates[0]["pk"]
+
+    def find_scope_mappings(self, scope_names: tuple[str, ...] | list[str]) -> list[str]:
+        """Resolve scope-property-mapping pks by ``scope_name``."""
+        mappings = self.paginate("/api/v3/propertymappings/provider/scope/")
+        by_scope = {m["scope_name"]: m["pk"] for m in mappings}
+        try:
+            return [by_scope[scope] for scope in scope_names]
+        except KeyError as exc:
+            raise AuthentikError(404, f"Scope mapping for {exc.args[0]!r} not found") from exc
+
+    def find_group_by_name(self, name: str) -> dict[str, Any] | None:
+        for g in self.request("GET", "/api/v3/core/groups/", params={"name": name}).get(
+            "results", []
+        ):
+            if g["name"] == name:
+                return g
+        return None
+
+    def find_user_by_username(self, username: str) -> dict[str, Any] | None:
+        for u in self.request("GET", "/api/v3/core/users/", params={"username": username}).get(
+            "results", []
+        ):
+            if u["username"] == username:
+                return u
+        return None
+
+    def find_provider_by_name(self, name: str) -> dict[str, Any] | None:
+        for p in self.request("GET", "/api/v3/providers/oauth2/", params={"name": name}).get(
+            "results", []
+        ):
+            if p["name"] == name:
+                return p
+        return None
+
+    def find_application_by_slug(self, slug: str) -> dict[str, Any] | None:
+        """Look up an application by slug.
+
+        Uses a direct GET on the slug-keyed detail endpoint instead of the
+        list endpoint. Authentik's application list quietly hides records
+        whose policy bindings restrict ``view`` permissions, even for
+        superusers — direct GET by slug bypasses that filter.
+        """
+        try:
+            return self.request("GET", f"/api/v3/core/applications/{slug}/")
+        except AuthentikError as exc:
+            if exc.status == 404:
+                return None
+            raise
+
+    def find_provider_by_pk(self, pk: int | str) -> dict[str, Any] | None:
+        """Look up an OAuth2 provider by primary key (integer)."""
+        try:
+            return self.request("GET", f"/api/v3/providers/oauth2/{pk}/")
+        except AuthentikError as exc:
+            if exc.status == 404:
+                return None
+            raise
+
+    # ── Mutating helpers ─────────────────────────────────────────────────
+
+    def ensure_group(self, name: str) -> dict[str, Any]:
+        """Create a group if missing; return the (existing or new) group dict."""
+        existing = self.find_group_by_name(name)
+        if existing:
+            return existing
+        return self.request("POST", "/api/v3/core/groups/", body={"name": name})
+
+    def add_user_to_group(self, username: str, group_name: str) -> None:
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        group = self.find_group_by_name(group_name)
+        if not group:
+            raise AuthentikError(
+                404, f"Group {group_name!r} not found — create it with ensure_group first"
+            )
+        self.request(
+            "POST",
+            f"/api/v3/core/groups/{group['pk']}/add_user/",
+            body={"pk": user["pk"]},
+        )
+
+    def remove_user_from_group(self, username: str, group_name: str) -> None:
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        group = self.find_group_by_name(group_name)
+        if not group:
+            raise AuthentikError(404, f"Group {group_name!r} not found")
+        self.request(
+            "POST",
+            f"/api/v3/core/groups/{group['pk']}/remove_user/",
+            body={"pk": user["pk"]},
+        )
+
+    def rotate_client_secret(self, provider_name: str) -> dict[str, Any]:
+        """Rotate ``client_secret`` on an existing OAuth2 provider.
+
+        Authentik regenerates the secret server-side when we PATCH it to
+        an empty string. The returned dict carries the new value (when
+        the API echoes it back — varies by version).
+        """
+        provider = self.find_provider_by_name(provider_name)
+        if not provider:
+            raise AuthentikError(404, f"Provider {provider_name!r} not found")
+        return self.request(
+            "PATCH",
+            f"/api/v3/providers/oauth2/{provider['pk']}/",
+            body={"client_secret": ""},
+        )
+
+    def create_user(
+        self,
+        username: str,
+        *,
+        name: str | None = None,
+        email: str | None = None,
+        path: str = "users",
+        user_type: str = "internal",
+        is_active: bool = True,
+        attributes: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        """Create an internal Authentik user (idempotent on ``username``).
+
+        If a user with the same ``username`` already exists it is returned
+        unmodified — call ``request("PATCH", …)`` separately if you need to
+        update fields. The default ``path="users"`` puts the user in the
+        regular Authentik directory (not under any LDAP source path), so
+        the user can authenticate against an internal password rather than
+        being bound to Kanidm.
+        """
+        existing = self.find_user_by_username(username)
+        if existing:
+            return existing
+        body: dict[str, Any] = {
+            "username": username,
+            "name": name or username,
+            "is_active": is_active,
+            "type": user_type,
+            "path": path,
+            "groups": [],
+        }
+        if email is not None:
+            body["email"] = email
+        if attributes:
+            body["attributes"] = attributes
+        return self.request("POST", "/api/v3/core/users/", body=body)
+
+    def set_user_password(self, username: str, password: str) -> None:
+        """Set a user's password directly (admin reset, no email)."""
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        self.request(
+            "POST",
+            f"/api/v3/core/users/{user['pk']}/set_password/",
+            body={"password": password},
+        )
+
+    def delete_user(self, username: str) -> None:
+        """Delete a user by username. No-op if absent."""
+        user = self.find_user_by_username(username)
+        if not user:
+            return
+        self.request("DELETE", f"/api/v3/core/users/{user['pk']}/")
+
+    def generate_recovery_link(self, username: str) -> str:
+        """Mint a one-shot recovery URL for the given user.
+
+        Returns the absolute URL the user opens to set their own password
+        (and enroll MFA if the recovery flow is configured to require it).
+        Authentik invalidates the token after a single use; default TTL is
+        short, set in the recovery flow's stage configuration.
+        """
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        result = self.request(
+            "POST",
+            f"/api/v3/core/users/{user['pk']}/recovery/",
+        )
+        # Authentik returns {"link": "https://..."} on this endpoint.
+        if isinstance(result, dict) and "link" in result:
+            return result["link"]
+        raise AuthentikError(
+            500,
+            f"Unexpected recovery payload for {username!r}: {result!r}. "
+            "Make sure a recovery flow is configured on the tenant.",
+        )

granny_devops-0.9.1/granny/cli/authentik.py

@@ -0,0 +1,263 @@
+"""``granny authentik`` — manage an Authentik instance via API.
+
+Auth resolution: ``AUTHENTIK_API_TOKEN`` (env / .env / vault) or
+``AK_TOKEN`` (env / .env). See :meth:`AuthentikClient.from_environment`.
+"""
+
+from __future__ import annotations
+
+import json
+import sys
+from typing import Any
+
+import click
+
+from granny.authentik import AuthentikClient, AuthentikError
+
+ADMIN_GROUP_NAME = "dash_admins"
+
+
+@click.group()
+def authentik() -> None:
+    """Manage Authentik via its REST API."""
+
+
+def _client() -> AuthentikClient:
+    try:
+        return AuthentikClient.from_environment()
+    except AuthentikError as exc:
+        click.echo(str(exc), err=True)
+        sys.exit(1)
+
+
+_LIST_ENDPOINTS = {
+    "providers": "/api/v3/providers/oauth2/",
+    "applications": "/api/v3/core/applications/",
+    "groups": "/api/v3/core/groups/",
+    "flows": "/api/v3/flows/instances/",
+    "certs": "/api/v3/crypto/certificatekeypairs/",
+    "scopes": "/api/v3/propertymappings/provider/scope/",
+    "users": "/api/v3/core/users/",
+}
+
+_LIST_COLUMNS = {
+    "providers": ("pk", "name", "client_id"),
+    "applications": ("slug", "name", "provider"),
+    "groups": ("pk", "name", "users_obj"),
+    "flows": ("slug", "name", "designation"),
+    "certs": ("pk", "name", "private_key_available"),
+    "scopes": ("pk", "name", "scope_name"),
+    "users": ("pk", "username", "name"),
+}
+
+
+@authentik.command("list")
+@click.argument("kind", type=click.Choice(sorted(_LIST_ENDPOINTS)))
+@click.option("--json", "as_json", is_flag=True, help="Emit full JSON instead of a table.")
+def list_cmd(kind: str, as_json: bool) -> None:
+    """List Authentik objects."""
+    client = _client()
+    items = client.paginate(_LIST_ENDPOINTS[kind])
+    if as_json:
+        click.echo(json.dumps(items, indent=2, default=str))
+        return
+    cols = _LIST_COLUMNS[kind]
+    for item in items:
+        row_parts = []
+        for col in cols:
+            if col == "users_obj":
+                row_parts.append(f"{len(item.get(col, []))} users")
+            else:
+                row_parts.append(str(item.get(col, ""))[:60])
+        click.echo(" | ".join(row_parts))
+
+
+@authentik.command("get-provider")
+@click.argument("name")
+def get_provider_cmd(name: str) -> None:
+    """Show one OAuth2 provider by name."""
+    client = _client()
+    provider = client.find_provider_by_name(name)
+    if not provider:
+        click.echo(f"Provider {name!r} not found", err=True)
+        sys.exit(1)
+    click.echo(json.dumps(provider, indent=2, default=str))
+
+
+@authentik.command("rotate-secret")
+@click.argument("name")
+def rotate_secret_cmd(name: str) -> None:
+    """Rotate a provider's client_secret."""
+    client = _client()
+    try:
+        updated = client.rotate_client_secret(name)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    new_secret = updated.get("client_secret") or "(not echoed — view via admin UI)"
+    click.echo(f"Rotated. New client_secret: {new_secret}")
+
+
+@authentik.command("ensure-group")
+@click.argument("name", default=ADMIN_GROUP_NAME)
+def ensure_group_cmd(name: str) -> None:
+    """Create a group if it doesn't exist (defaults to dash_admins)."""
+    client = _client()
+    existing = client.find_group_by_name(name)
+    if existing:
+        click.echo(f"Group {name} already exists (pk={existing['pk']})")
+        return
+    group = client.ensure_group(name)
+    click.echo(f"Created group {name} (pk={group['pk']})")
+
+
+@authentik.command("add-user-to-group")
+@click.argument("user")
+@click.argument("group", default=ADMIN_GROUP_NAME)
+def add_user_to_group_cmd(user: str, group: str) -> None:
+    """Add a user to a group by username (group defaults to dash_admins)."""
+    client = _client()
+    try:
+        client.add_user_to_group(user, group)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"Added {user} to {group}")
+
+
+@authentik.command("remove-user-from-group")
+@click.argument("user")
+@click.argument("group", default=ADMIN_GROUP_NAME)
+def remove_user_from_group_cmd(user: str, group: str) -> None:
+    """Remove a user from a group by username."""
+    client = _client()
+    try:
+        client.remove_user_from_group(user, group)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"Removed {user} from {group}")
+
+
+@authentik.command("create-user")
+@click.argument("username")
+@click.option("--name", default=None, help="Display name (defaults to username).")
+@click.option("--email", default=None, help="Email address.")
+@click.option(
+    "--group",
+    default=None,
+    help="Group to add the new user to after creation (e.g. dash_admins).",
+)
+@click.option(
+    "--password",
+    default=None,
+    help="Set this password directly. Suppresses --recovery-link.",
+)
+@click.option(
+    "--recovery-link/--no-recovery-link",
+    default=True,
+    help="Print a one-shot recovery URL the user opens to set their own password (default: yes).",
+)
+def create_user_cmd(
+    username: str,
+    name: str | None,
+    email: str | None,
+    group: str | None,
+    password: str | None,
+    recovery_link: bool,
+) -> None:
+    """Create an internal Authentik user (idempotent on username).
+
+    Defaults to printing a one-shot recovery URL so the user sets their
+    own password — pass ``--password`` to skip that and set one inline.
+    """
+    if password is not None:
+        recovery_link = False
+    client = _client()
+    try:
+        existed_before = client.find_user_by_username(username) is not None
+        user = client.create_user(username, name=name, email=email)
+        click.echo(
+            f"User {username} {'already exists' if existed_before else 'created'} (pk={user['pk']})"
+        )
+        if group:
+            client.add_user_to_group(username, group)
+            click.echo(f"Added {username} to {group}")
+        if password is not None:
+            client.set_user_password(username, password)
+            click.echo(f"Password set for {username}")
+        if recovery_link:
+            link = client.generate_recovery_link(username)
+            click.echo("")
+            click.echo("Recovery link (single-use, share over a secure channel):")
+            click.echo(f"  {link}")
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+
+
+@authentik.command("recovery-link")
+@click.argument("username")
+def recovery_link_cmd(username: str) -> None:
+    """Mint a one-shot recovery URL the user opens to set a password."""
+    client = _client()
+    try:
+        link = client.generate_recovery_link(username)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(link)
+
+
+@authentik.command("set-password")
+@click.argument("username")
+@click.option("--password", required=True, help="New password to set.")
+def set_password_cmd(username: str, password: str) -> None:
+    """Set a user's password directly (admin reset)."""
+    client = _client()
+    try:
+        client.set_user_password(username, password)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"Password updated for {username}")
+
+
+@authentik.command("delete-user")
+@click.argument("username")
+@click.confirmation_option(prompt="Really delete this Authentik user?")
+def delete_user_cmd(username: str) -> None:
+    """Delete an Authentik user. No-op if the user doesn't exist."""
+    client = _client()
+    try:
+        client.delete_user(username)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"User {username} deleted (or already absent)")
+
+
+@authentik.command("api")
+@click.argument("method")
+@click.argument("path")
+@click.option(
+    "--data",
+    default=None,
+    help="JSON body, or '-' to read from stdin.",
+)
+def api_cmd(method: str, path: str, data: str | None) -> None:
+    """Generic API call — for anything not covered by the named commands."""
+    client = _client()
+    body: Any = None
+    if data is not None:
+        raw = sys.stdin.read() if data == "-" else data
+        body = json.loads(raw) if raw.strip() else None
+    try:
+        result = client.request(method, path, body=body)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    if result is None:
+        click.echo("(no content)", err=True)
+    else:
+        click.echo(json.dumps(result, indent=2, default=str))

{granny_devops-0.8.0 → granny_devops-0.9.1}/granny/cli/main.py

@@ -95,6 +95,11 @@ def _register_commands() -> None:
         cli.add_command(email)
     except ImportError:
         pass
+    try:
+        from granny.cli.authentik import authentik
+        cli.add_command(authentik)
+    except ImportError:
+        pass
 
 
 _register_commands()

{granny_devops-0.8.0 → granny_devops-0.9.1}/granny/cli/serverless.py

@@ -213,11 +213,11 @@ def deploy(
     """Zip ``--source-dir``, upload, sync env vars, and deploy.
 
     Example:
-        granny serverless deploy bessa-wissa-api \\
+        granny serverless deploy my-api \\
             --source-dir backend/dist-bundle \\
-            --namespace bessa-wissa \\
+            --namespace my-app \\
             --env NODE_ENV=production \\
-            --secret STOZ3N_API_TOKEN=$STOZ3N_API_TOKEN
+            --secret API_TOKEN=$API_TOKEN
     """
     c = _client(region)
 

{granny_devops-0.8.0 → granny_devops-0.9.1}/granny/credentials/secrets.py

@@ -168,6 +168,10 @@ SECRET_MAP: dict[str, str] = {
     # GitLab PyPI / Container Registry (for fetching private packages and pushing images)
     "GITLAB_PYPI_USER": "gitlab-pypi-user",
     "GITLAB_PYPI_PASSWORD": "gitlab-pypi-password",
+    # Authentik admin API token for `granny authentik …` commands. Long-lived
+    # superuser-issued token (Authentik UI → Directory → Tokens). Falls back
+    # to AK_TOKEN env var in granny.authentik.AuthentikClient.from_environment.
+    "AUTHENTIK_API_TOKEN": "authentik-api-token",
 }
 
 # Module-level cache so vault is only contacted once per process

{granny_devops-0.8.0 → granny_devops-0.9.1}/pyproject.toml

@@ -1,127 +1,127 @@
-[project]
-name = "granny-devops"
-version = "0.8.0"
-description = "Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation"
-readme = "README.md"
-license = { file = "LICENSE" }
-authors = [{ name = "Martin Wieser", email = "martin.wieser@pseekoo.com" }]
-requires-python = ">=3.13"
-dependencies = [
-    "boto3>=1.38",
-    "click>=8.1",
-    "python-dotenv>=1.1.0",
-    "requests>=2.32",
-]
-
-[project.optional-dependencies]
-# Development and release tooling
-dev = [
-    "hatch>=1.14",
-    "prek>=0.2",
-    "pytest>=8.3",
-    "ruff>=0.11",
-    "twine>=6.1",
-]
-# Vaultwarden-backed credential resolution via Locke. The published wheel
-# leaves this extra empty because PyPI rejects direct Git dependencies; for
-# local editable installs Locke is wired in via `[tool.uv]` dev-dependencies
-# below, so `uv sync` activates vault support automatically.
-vault = []
-# CDN and DNS providers
-cdn = [
-    "cloudflare==4.3.1",
-    "hetzner-dns-api>=1.0.0",
-]
-# Google Cloud (cross-cloud analyze commands: GPUs, credits, costs)
-gcp = [
-    "google-cloud-billing>=1.16",
-    "google-cloud-compute>=1.21",
-    "google-cloud-resource-manager>=1.12",
-]
-# Microsoft Azure (cross-cloud analyze commands: GPUs, credits, costs)
-azure = [
-    "azure-identity>=1.23",
-    "azure-mgmt-billing>=6.1",
-    "azure-mgmt-compute>=33",
-    "azure-mgmt-consumption>=10.0",
-    "azure-mgmt-costmanagement>=4.0",
-    "azure-mgmt-reservations>=2.3",
-    "azure-mgmt-subscription>=3.1",
-]
-# Data processing and export
-data = [
-    "beautifulsoup4~=4.13.4",
-    "gspread>=6.2.1",
-    "openpyxl==3.1.5",
-    "pandas>=2.3.0",
-    "pyairtable~=3.1.1",
-    "pymongo>=4.13",
-]
-# AI/ML integrations
-ml = [
-    "anthropic>=0.54.0",
-    "google-generativeai>=0.8.5",
-    "langchain>=0.3.26",
-    "langchain-openai>=0.3.24",
-    "litellm>=1.73.0",
-    "ollama>=0.5.1",
-    "openai>=1.90.0",
-    "tiktoken>=0.9.0",
-]
-# Browser automation
-browser = [
-    "playwright>=1.52.0",
-    "selenium>=4.33.0",
-    "webdriver-manager>=4.0.2",
-]
-# Full install (everything)
-all = [
-    "granny-devops[cdn,data,ml,browser,gcp,azure]",
-    "azure-identity>=1.23.0",
-    "boto3-stubs>=1.40",
-    "certifi>=2025.6.15",
-    "earthengine-api>=1.5.20",
-    "elasticsearch>=8.0.0,<9.0.0",
-    "elasticsearch-dsl>=8.0.0,<9.0.0",
-    "flask>=3.1.1",
-    "flask-cors>=6.0.1",
-    "google-auth>=2.40.3",
-    "ipython~=9.3.0",
-    "json5>=0.12.0",
-    "jsonschema>=4.0.0",
-    "langdetect>=1.0.9",
-    "matplotlib>=3.10.3",
-    "msoffcrypto-tool>=5.4.2",
-    "numpy>=2.3.1",
-    "pdf2image>=1.17.0",
-    "pillow>=11.2.1",
-    "pydantic>=2.11.7",
-    "pymilvus>=2.5.11",
-    "pypdf>=5.6.1",
-    "pytesseract>=0.3.13",
-    "pyzbar>=0.1.9",
-    "sentinelhub>=3.11.1",
-    "sentry-sdk>=2.30.0",
-    "zxing>=1.0.3",
-]
-
-[project.scripts]
-granny = "granny.cli.main:cli"
-
-[build-system]
-requires = ["hatchling"]
-build-backend = "hatchling.build"
-
-[tool.hatch.build.targets.wheel]
-packages = ["granny"]
-
-[tool.hatch.build.targets.sdist]
-include = ["granny"]
-
-# uv-only configuration. PyPI publishes ignore this section -- it activates
-# vault support (Locke) for local editable installs via `uv sync`, without
-# polluting the published wheel's metadata with a Git URL that PyPI rejects.
-[tool.uv]
-dev-dependencies = [
-    "locke @ git+https://gitlab.com/martin-wieser/locke.git#subdirectory=python",
-]
+[project]
+name = "granny-devops"
+version = "0.9.1"
+description = "Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation"
+readme = "README.md"
+license = { file = "LICENSE" }
+authors = [{ name = "Martin Wieser", email = "martin.wieser@pseekoo.com" }]
+requires-python = ">=3.13"
+dependencies = [
+    "boto3>=1.38",
+    "click>=8.1",
+    "python-dotenv>=1.1.0",
+    "requests>=2.32",
+]
+
+[project.optional-dependencies]
+# Development and release tooling
+dev = [
+    "hatch>=1.14",
+    "prek>=0.2",
+    "pytest>=8.3",
+    "ruff>=0.11",
+    "twine>=6.1",
+]
+# Vaultwarden-backed credential resolution via Locke. The published wheel
+# leaves this extra empty because PyPI rejects direct Git dependencies; for
+# local editable installs Locke is wired in via `[tool.uv]` dev-dependencies
+# below, so `uv sync` activates vault support automatically.
+vault = []
+# CDN and DNS providers
+cdn = [
+    "cloudflare==4.3.1",
+    "hetzner-dns-api>=1.0.0",
+]
+# Google Cloud (cross-cloud analyze commands: GPUs, credits, costs)
+gcp = [
+    "google-cloud-billing>=1.16",
+    "google-cloud-compute>=1.21",
+    "google-cloud-resource-manager>=1.12",
+]
+# Microsoft Azure (cross-cloud analyze commands: GPUs, credits, costs)
+azure = [
+    "azure-identity>=1.23",
+    "azure-mgmt-billing>=6.1",
+    "azure-mgmt-compute>=33",
+    "azure-mgmt-consumption>=10.0",
+    "azure-mgmt-costmanagement>=4.0",
+    "azure-mgmt-reservations>=2.3",
+    "azure-mgmt-subscription>=3.1",
+]
+# Data processing and export
+data = [
+    "beautifulsoup4~=4.13.4",
+    "gspread>=6.2.1",
+    "openpyxl==3.1.5",
+    "pandas>=2.3.0",
+    "pyairtable~=3.1.1",
+    "pymongo>=4.13",
+]
+# AI/ML integrations
+ml = [
+    "anthropic>=0.54.0",
+    "google-generativeai>=0.8.5",
+    "langchain>=0.3.26",
+    "langchain-openai>=0.3.24",
+    "litellm>=1.73.0",
+    "ollama>=0.5.1",
+    "openai>=1.90.0",
+    "tiktoken>=0.9.0",
+]
+# Browser automation
+browser = [
+    "playwright>=1.52.0",
+    "selenium>=4.33.0",
+    "webdriver-manager>=4.0.2",
+]
+# Full install (everything)
+all = [
+    "granny-devops[cdn,data,ml,browser,gcp,azure]",
+    "azure-identity>=1.23.0",
+    "boto3-stubs>=1.40",
+    "certifi>=2025.6.15",
+    "earthengine-api>=1.5.20",
+    "elasticsearch>=8.0.0,<9.0.0",
+    "elasticsearch-dsl>=8.0.0,<9.0.0",
+    "flask>=3.1.1",
+    "flask-cors>=6.0.1",
+    "google-auth>=2.40.3",
+    "ipython~=9.3.0",
+    "json5>=0.12.0",
+    "jsonschema>=4.0.0",
+    "langdetect>=1.0.9",
+    "matplotlib>=3.10.3",
+    "msoffcrypto-tool>=5.4.2",
+    "numpy>=2.3.1",
+    "pdf2image>=1.17.0",
+    "pillow>=11.2.1",
+    "pydantic>=2.11.7",
+    "pymilvus>=2.5.11",
+    "pypdf>=5.6.1",
+    "pytesseract>=0.3.13",
+    "pyzbar>=0.1.9",
+    "sentinelhub>=3.11.1",
+    "sentry-sdk>=2.30.0",
+    "zxing>=1.0.3",
+]
+
+[project.scripts]
+granny = "granny.cli.main:cli"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["granny"]
+
+[tool.hatch.build.targets.sdist]
+include = ["granny"]
+
+# uv-only configuration. PyPI publishes ignore this section -- it activates
+# vault support (Locke) for local editable installs via `uv sync`, without
+# polluting the published wheel's metadata with a Git URL that PyPI rejects.
+[tool.uv]
+dev-dependencies = [
+    "locke @ git+https://gitlab.com/martin-wieser/locke.git#subdirectory=python",
+]