isolinear 0.1.0__py3-none-any.whl

isolinear/__main__.py

@@ -0,0 +1,4 @@
+from .app import main
+
+if __name__ == "__main__":
+    main()

isolinear/app.py

@@ -0,0 +1,71 @@
+"""Isolinear — a terminal Databricks secret manager.
+
+The App is the composition root: it builds the infrastructure adapters, wires
+them into the `OnboardingService`, installs the theme, and hands off to
+`MainScreen`. Domain logic lives in `isolinear.domain`, use-cases in
+`isolinear.application`, adapters in `isolinear.infrastructure`; UI in
+`isolinear.interface`.
+"""
+
+from __future__ import annotations
+
+from textual.app import App
+from textual.binding import Binding
+
+from .application import OnboardingService, WorkspaceService
+from .infrastructure import DatabricksCfgProfileStore, DatabricksConnector
+from .interface.screens.main import MainScreen
+from .interface.theme import ISOLINEAR_THEMES
+
+
+class IsolinearApp(App[None]):
+    CSS_PATH = "styles.tcss"
+    TITLE = "Isolinear"
+    BINDINGS = [Binding("q", "quit", "Quit")]
+
+    def __init__(
+        self,
+        onboarding: OnboardingService | None = None,
+        session: WorkspaceService | None = None,
+    ) -> None:
+        super().__init__()
+        self._onboarding = onboarding
+        self._initial_session = session
+
+    def on_mount(self) -> None:
+        for theme in ISOLINEAR_THEMES:
+            self.register_theme(theme)
+        self.theme = "isolinear"
+        onboarding = self._onboarding or OnboardingService(
+            DatabricksConnector(), DatabricksCfgProfileStore()
+        )
+        self.push_screen(MainScreen(onboarding, self._initial_session))
+
+
+_USAGE = """\
+isolinear — a keyboard-driven terminal UI for managing Databricks secrets.
+
+usage: isolinear [--version] [--help]
+
+Run with no arguments to launch the TUI. Inside: ? for help, ctrl+p for the
+command palette, q to quit.
+"""
+
+
+def main() -> None:
+    import sys
+
+    args = sys.argv[1:]
+    if {"-V", "--version"} & set(args):
+        from importlib.metadata import version
+
+        print(f"isolinear {version('isolinear')}")
+        return
+    if {"-h", "--help"} & set(args):
+        print(_USAGE, end="")
+        return
+    IsolinearApp().run()
+
+
+if __name__ == "__main__":
+    main()

isolinear/application/__init__.py

@@ -0,0 +1,16 @@
+"""Application layer — use-cases that orchestrate the domain.
+
+Depends only on `domain`; never on infrastructure or the UI. The read model
+(`WorkspaceCache`) is pure in-memory app state, so it lives here too.
+"""
+
+from .onboarding import Connection, OnboardingService
+from .read_model import WorkspaceCache
+from .workspace import WorkspaceService
+
+__all__ = [
+    "Connection",
+    "OnboardingService",
+    "WorkspaceCache",
+    "WorkspaceService",
+]

isolinear/application/onboarding.py

@@ -0,0 +1,64 @@
+"""OnboardingService — connection/login use-cases.
+
+Depends only on domain ports (`WorkspaceConnector`, `ProfileStore`); the
+composition root injects concrete infrastructure adapters. Produces ready-to-use
+`WorkspaceService` instances so the UI never touches the store or the SDK.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from ..domain import (
+    AccountSession,
+    AccountWorkspace,
+    ProfileStore,
+    Workspace,
+    WorkspaceConnector,
+)
+from .workspace import WorkspaceService
+
+
+@dataclass
+class Connection:
+    """A live workspace session plus what's needed to persist it as a profile."""
+
+    service: WorkspaceService
+    host: str = ""
+    account_id: str | None = None
+
+
+class OnboardingService:
+    def __init__(self, connector: WorkspaceConnector, profiles: ProfileStore) -> None:
+        self._connector = connector
+        self._profiles = profiles
+
+    # -- saved profiles -------------------------------------------------
+    def saved_workspaces(self) -> list[Workspace]:
+        return self._profiles.discover()
+
+    def save_profile(self, name: str, host: str, account_id: str | None = None) -> None:
+        self._profiles.save(name, host, account_id)
+
+    # -- connection use-cases -------------------------------------------
+    def connect_profile(self, profile: str) -> Connection:
+        c = self._connector.connect_profile(profile)
+        return Connection(WorkspaceService(c.store, c.label))
+
+    def connect_url(self, host: str) -> Connection:
+        c = self._connector.connect_url(host)
+        return Connection(WorkspaceService(c.store, c.label), host=c.host)
+
+    def discover_account(self, cloud_key: str, account_id: str) -> AccountSession:
+        return self._connector.discover_account(cloud_key, account_id)
+
+    def connect_account_workspace(
+        self,
+        session: AccountSession,
+        ws: AccountWorkspace,
+        account_id: str | None = None,
+    ) -> Connection:
+        c = session.connect(ws)
+        return Connection(
+            WorkspaceService(c.store, c.label), host=c.host, account_id=account_id
+        )

isolinear/application/read_model.py

@@ -0,0 +1,73 @@
+"""WorkspaceCache — the in-memory read model the UI renders from.
+
+A projection that the application service warms up front (US-14) and keeps in
+sync on writes. Pure data + bookkeeping; it holds no business rules (those live
+in the domain) and does no I/O.
+
+Strategy (US-14/16):
+  * On connect the service warms scopes -> secret metadata -> ACLs in the
+    background.
+  * Secret *values* are NOT bulk-loaded; they are fetched lazily on reveal and
+    cached thereafter, so sensitive material isn't pulled into memory needlessly.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+
+from ..domain import Acl, Identity, Scope, Secret
+
+
+@dataclass
+class WorkspaceCache:
+    label: str
+    identity: Identity = field(default_factory=Identity)
+
+    scopes: list[Scope] = field(default_factory=list)
+    secrets: dict[str, list[Secret]] = field(default_factory=dict)
+    acls: dict[str, list[Acl]] = field(default_factory=dict)
+    values: dict[tuple[str, str], str] = field(default_factory=dict)
+
+    scopes_loaded: bool = False
+    warm_error: str = ""
+
+    # -- lookups ------------------------------------------------------------
+    def secrets_for(self, scope: str) -> list[Secret]:
+        return self.secrets.get(scope, [])
+
+    def acls_for(self, scope: str) -> list[Acl]:
+        return self.acls.get(scope, [])
+
+    def cached_value(self, scope: str, key: str) -> str | None:
+        return self.values.get((scope, key))
+
+    def set_value(self, scope: str, key: str, value: str) -> None:
+        self.values[(scope, key)] = value
+
+    # -- mutation keeping the read model + UI consistent --------------------
+    def upsert_secret(self, secret: Secret) -> None:
+        rows = self.secrets.setdefault(secret.scope, [])
+        for i, existing in enumerate(rows):
+            if existing.key == secret.key:
+                rows[i] = secret
+                break
+        else:
+            rows.append(secret)
+        rows.sort(key=lambda s: s.key.lower())
+
+    def remove_secret(self, scope: str, key: str) -> None:
+        self.secrets[scope] = [s for s in self.secrets.get(scope, []) if s.key != key]
+        self.values.pop((scope, key), None)
+
+    def add_scope(self, scope: Scope) -> None:
+        if not any(s.name == scope.name for s in self.scopes):
+            self.scopes.append(scope)
+            self.scopes.sort(key=lambda s: s.name.lower())
+        self.secrets.setdefault(scope.name, [])
+        self.acls.setdefault(scope.name, [])
+
+    def remove_scope(self, name: str) -> None:
+        self.scopes = [s for s in self.scopes if s.name != name]
+        self.secrets.pop(name, None)
+        self.acls.pop(name, None)
+        self.values = {k: v for k, v in self.values.items() if k[0] != name}

isolinear/application/workspace.py

@@ -0,0 +1,141 @@
+"""WorkspaceService — the application service / use-case layer.
+
+Orchestrates a `SecretStore` (domain port) and the read model, exposing every
+operation the UI needs as a plain, synchronous method. All store/cache
+coordination lives here, so:
+
+  * the UI just calls a method and renders the result (no business logic), and
+  * the whole layer is unit-testable with a fake store and no event loop.
+
+The UI runs these (blocking) methods in worker threads.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Iterator
+
+from ..domain import (
+    Acl,
+    AuthSummary,
+    Identity,
+    Scope,
+    Secret,
+    SecretStore,
+    StoreError,
+    authorization_summary,
+)
+from .read_model import WorkspaceCache
+
+
+class WorkspaceService:
+    def __init__(
+        self, store: SecretStore, label: str, cache: WorkspaceCache | None = None
+    ) -> None:
+        self._store = store
+        # The read model is injectable (decoupled), defaulting to a fresh one.
+        self.cache = cache or WorkspaceCache(label=label)
+
+    @property
+    def label(self) -> str:
+        return self.cache.label
+
+    @property
+    def identity(self) -> Identity:
+        return self.cache.identity
+
+    @property
+    def scopes(self) -> list[Scope]:
+        return self.cache.scopes
+
+    # -- connection / warming -------------------------------------------
+    def authenticate(self) -> Identity:
+        identity = self._store.whoami()
+        self.cache.identity = identity
+        return identity
+
+    def load_scopes(self) -> list[Scope]:
+        scopes = self._store.list_scopes()
+        self.cache.scopes = scopes
+        self.cache.scopes_loaded = True
+        return scopes
+
+    def warm_scope(self, scope: str) -> None:
+        """Pull secret metadata + ACLs for one scope into the read model."""
+        try:
+            self.cache.secrets[scope] = self._store.list_secrets(scope)
+            self.cache.acls[scope] = self._store.list_acls(scope)
+        except StoreError:
+            self.cache.secrets.setdefault(scope, [])
+            self.cache.acls.setdefault(scope, [])
+
+    def warm_all(self) -> Iterator[tuple[int, int, Scope]]:
+        """Warm every scope, yielding (index, total, scope) for progress."""
+        total = len(self.cache.scopes)
+        for i, scope in enumerate(self.cache.scopes, 1):
+            self.warm_scope(scope.name)
+            yield i, total, scope
+
+    # -- reads ----------------------------------------------------------
+    def secrets_for(self, scope: str) -> list[Secret]:
+        return self.cache.secrets_for(scope)
+
+    def acls_for(self, scope: str) -> list[Acl]:
+        return self.cache.acls_for(scope)
+
+    def scope(self, name: str) -> Scope | None:
+        return next((s for s in self.cache.scopes if s.name == name), None)
+
+    def secret(self, scope: str, key: str) -> Secret | None:
+        return next((s for s in self.cache.secrets_for(scope) if s.key == key), None)
+
+    def cached_value(self, scope: str, key: str) -> str | None:
+        return self.cache.cached_value(scope, key)
+
+    def reveal(self, scope: str, key: str) -> str:
+        """Return the secret value, fetching+caching it on first access."""
+        cached = self.cache.cached_value(scope, key)
+        if cached is not None:
+            return cached
+        value = self._store.get_secret_value(scope, key)
+        self.cache.set_value(scope, key, value)
+        return value
+
+    # -- mutations ------------------------------------------------------
+    def put_secret(self, scope: str, key: str, value: str) -> None:
+        self._store.put_secret(scope, key, value)
+        try:  # refresh metadata so the timestamp is accurate
+            self.cache.secrets[scope] = self._store.list_secrets(scope)
+        except StoreError:
+            self.cache.upsert_secret(Secret(scope=scope, key=key))
+        self.cache.set_value(scope, key, value)
+
+    def delete_secret(self, scope: str, key: str) -> None:
+        self._store.delete_secret(scope, key)
+        self.cache.remove_secret(scope, key)
+
+    def create_scope(self, name: str) -> None:
+        self._store.create_scope(name)
+        self.cache.add_scope(Scope(name=name))
+
+    def delete_scope(self, name: str) -> None:
+        self._store.delete_scope(name)
+        self.cache.remove_scope(name)
+
+    def refresh_scope(self, scope: str) -> None:
+        self.warm_scope(scope)
+
+    # -- scope permissions / ACLs (US-11 update, US-12) -----------------
+    def set_acl(self, scope: str, principal: str, permission: str) -> None:
+        """Grant or change a principal's permission (put_acl is an upsert)."""
+        self._store.put_acl(scope, principal, permission)
+        self.cache.acls[scope] = self._store.list_acls(scope)
+
+    def remove_acl(self, scope: str, principal: str) -> None:
+        self._store.delete_acl(scope, principal)
+        self.cache.acls[scope] = self._store.list_acls(scope)
+
+    # -- authorization overview ----------------------------------------
+    def auth_summary(self) -> list[AuthSummary]:
+        return authorization_summary(
+            self.cache.identity, self.cache.scopes, self.cache.acls
+        )

isolinear/domain/__init__.py

@@ -0,0 +1,46 @@
+"""Domain layer — the model, the rules, and the ports. Pure: no Textual, no SDK,
+no asyncio.
+
+Everything here is exercisable in a plain unit test. Infrastructure implements
+the ports defined here; the application orchestrates these pieces.
+"""
+
+from .errors import AuthError, StoreError
+from .host import normalize_host
+from .models import (
+    CLOUDS,
+    AccountWorkspace,
+    Acl,
+    Cloud,
+    Identity,
+    Scope,
+    Secret,
+    Workspace,
+    cloud_by_key,
+)
+from .permissions import AuthSummary, authorization_summary, perm_rank
+from .ports import AccountSession, Connected, ProfileStore, WorkspaceConnector
+from .secret_store import SecretStore
+
+__all__ = [
+    "CLOUDS",
+    "AccountSession",
+    "AccountWorkspace",
+    "Acl",
+    "AuthError",
+    "AuthSummary",
+    "Cloud",
+    "Connected",
+    "Identity",
+    "ProfileStore",
+    "Scope",
+    "Secret",
+    "SecretStore",
+    "StoreError",
+    "Workspace",
+    "WorkspaceConnector",
+    "authorization_summary",
+    "cloud_by_key",
+    "normalize_host",
+    "perm_rank",
+]

isolinear/domain/errors.py

@@ -0,0 +1,12 @@
+"""Domain-level error types — abstractions the application catches without
+knowing (or caring) that the backend is Databricks."""
+
+from __future__ import annotations
+
+
+class StoreError(Exception):
+    """A secret-store operation failed; carries a UI-friendly message."""
+
+
+class AuthError(Exception):
+    """Login / workspace-discovery failure; carries a UI-friendly message."""

isolinear/domain/host.py

@@ -0,0 +1,15 @@
+"""Host — a small domain rule about workspace URLs."""
+
+from __future__ import annotations
+
+from .errors import AuthError
+
+
+def normalize_host(host: str) -> str:
+    """Canonicalize a workspace URL; reject an empty one."""
+    host = (host or "").strip()
+    if not host:
+        raise AuthError("Workspace URL is required.")
+    if not host.startswith(("http://", "https://")):
+        host = "https://" + host
+    return host.rstrip("/")

isolinear/domain/models.py

@@ -0,0 +1,102 @@
+"""Domain model — the ubiquitous language of Isolinear as plain value objects.
+
+No Textual, no Databricks SDK, no I/O. These are the nouns the whole app speaks:
+workspaces, scopes, secrets, ACLs, identity.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from datetime import UTC, datetime
+
+
+@dataclass(frozen=True)
+class Workspace:
+    """A connection target — one profile from ~/.databrickscfg."""
+
+    profile: str
+    host: str
+
+    @property
+    def label(self) -> str:
+        host = self.host.replace("https://", "").replace("http://", "").rstrip("/")
+        return f"{self.profile}  ·  {host}" if host else self.profile
+
+
+@dataclass(frozen=True)
+class Cloud:
+    key: str  # aws | azure | gcp
+    label: str
+    account_host: str
+
+
+CLOUDS: list[Cloud] = [
+    Cloud("aws", "AWS", "https://accounts.cloud.databricks.com"),
+    Cloud("azure", "Azure", "https://accounts.azuredatabricks.net"),
+    Cloud("gcp", "GCP", "https://accounts.gcp.databricks.com"),
+]
+
+
+def cloud_by_key(key: str) -> Cloud:
+    return next(c for c in CLOUDS if c.key == key)
+
+
+@dataclass
+class AccountWorkspace:
+    """A workspace discovered via the account-level API (US-1, discovery)."""
+
+    workspace_id: int
+    name: str
+    deployment_name: str = ""
+    status: str = ""
+    cloud: str = ""
+    raw: object = None  # original SDK provisioning.Workspace, for get_workspace_client
+
+    @property
+    def label(self) -> str:
+        status = f"  ·  {self.status}" if self.status else ""
+        return f"{self.name}  ·  id {self.workspace_id}{status}"
+
+
+@dataclass
+class Scope:
+    name: str
+    backend_type: str = "DATABRICKS"
+
+    @property
+    def is_keyvault(self) -> bool:
+        return self.backend_type == "AZURE_KEYVAULT"
+
+    @property
+    def icon(self) -> str:
+        return "☁" if self.is_keyvault else "🔒"
+
+
+@dataclass
+class Secret:
+    scope: str
+    key: str
+    last_updated_ms: int | None = None
+
+    @property
+    def last_updated(self) -> str:
+        if not self.last_updated_ms:
+            return "—"
+        dt = datetime.fromtimestamp(self.last_updated_ms / 1000, tz=UTC)
+        return dt.strftime("%Y-%m-%d %H:%M")
+
+
+@dataclass
+class Acl:
+    principal: str
+    permission: str  # READ | WRITE | MANAGE
+
+
+@dataclass
+class Identity:
+    """Who we are authenticated as in a workspace."""
+
+    user_name: str = ""
+    display_name: str = ""
+    authenticated: bool = False
+    error: str = ""

isolinear/domain/permissions.py

@@ -0,0 +1,58 @@
+"""Authorization rules — a domain service.
+
+The "what can this principal do" logic that used to live on the cache. It's a
+business rule about scopes + ACLs + identity, so it belongs in the domain.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Mapping
+from dataclasses import dataclass
+
+from .models import Acl, Identity, Scope
+
+_PERM_RANK = {"READ": 1, "WRITE": 2, "MANAGE": 3}
+
+
+def perm_rank(permission: str) -> int:
+    return _PERM_RANK.get(permission, 0)
+
+
+@dataclass
+class AuthSummary:
+    """Per-scope authorization picture for the authorization overview screen."""
+
+    scope: str
+    effective: str = "—"  # current user's effective permission
+    acl_count: int = 0
+    can_write: bool = False
+    can_manage: bool = False
+
+
+def authorization_summary(
+    identity: Identity,
+    scopes: list[Scope],
+    acls_by_scope: Mapping[str, list[Acl]],
+) -> list[AuthSummary]:
+    """Compute the current user's effective permission on each scope (US-13)."""
+    me = identity.user_name
+    summaries: list[AuthSummary] = []
+    for scope in scopes:
+        acls = acls_by_scope.get(scope.name, [])
+        effective = "—"
+        best = 0
+        for acl in acls:
+            is_mine = acl.principal in (me, "users", "admins")
+            if is_mine and perm_rank(acl.permission) > best:
+                best = perm_rank(acl.permission)
+                effective = acl.permission
+        summaries.append(
+            AuthSummary(
+                scope=scope.name,
+                effective=effective,
+                acl_count=len(acls),
+                can_write=best >= perm_rank("WRITE"),
+                can_manage=best >= perm_rank("MANAGE"),
+            )
+        )
+    return summaries

isolinear/domain/ports.py

@@ -0,0 +1,50 @@
+"""Ports — the domain's outbound contracts for all I/O.
+
+Infrastructure implements these; the application depends only on them. Together
+with `SecretStore` (in secret_store.py) they are every door out of the domain.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Protocol, runtime_checkable
+
+from .models import AccountWorkspace, Workspace
+from .secret_store import SecretStore
+
+
+@dataclass
+class Connected:
+    """The result of establishing a connection: a store plus how to label and
+    (optionally) persist it."""
+
+    store: SecretStore
+    label: str
+    host: str = ""
+
+
+@runtime_checkable
+class AccountSession(Protocol):
+    """A live account-discovery session — lists workspaces and connects to one,
+    reusing a single authenticated session."""
+
+    @property
+    def workspaces(self) -> list[AccountWorkspace]: ...
+    def connect(self, ws: AccountWorkspace) -> Connected: ...
+
+
+@runtime_checkable
+class WorkspaceConnector(Protocol):
+    """Establishes connections to a secret backend (login / discovery)."""
+
+    def connect_profile(self, profile: str) -> Connected: ...
+    def connect_url(self, host: str) -> Connected: ...
+    def discover_account(self, cloud_key: str, account_id: str) -> AccountSession: ...
+
+
+@runtime_checkable
+class ProfileStore(Protocol):
+    """Reads and writes saved connection profiles."""
+
+    def discover(self) -> list[Workspace]: ...
+    def save(self, name: str, host: str, account_id: str | None = None) -> None: ...