movitera-cli 0.1.0__tar.gz

movitera_cli-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,22 @@
+name: Publish to PyPI
+
+on:
+  push:
+    tags: ['v*.*.*']
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v3
+        with:
+          python-version: "3.13"
+      - run: uv sync
+      - run: uv run pytest
+      - run: uv run mypy movitera_cli/
+      - run: uv build
+      - uses: pypa/gh-action-pypi-publish@release/v1

movitera_cli-0.1.0/.github/workflows/test.yml

@@ -0,0 +1,18 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v3
+        with:
+          python-version: "3.13"
+      - run: uv sync
+      - run: uv run pytest
+      - run: uv run mypy movitera_cli/

movitera_cli-0.1.0/.gitignore

@@ -0,0 +1,35 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# Distribution / packaging
+dist/
+build/
+*.egg-info/
+*.egg
+
+# Test / coverage
+.pytest_cache/
+.mypy_cache/
+.coverage
+.coverage.*
+coverage.xml
+htmlcov/
+
+# Editor / OS
+.idea/
+.vscode/
+*.swp
+.DS_Store
+
+# Local env
+.env
+.env.local

movitera_cli-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Movitera
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

movitera_cli-0.1.0/PKG-INFO

@@ -0,0 +1,113 @@
+Metadata-Version: 2.4
+Name: movitera-cli
+Version: 0.1.0
+Summary: Movitera CLI: inject vault secrets as environment variables, generate TOTP codes
+Project-URL: Homepage, https://github.com/joaoheusi/movitera-cli
+Project-URL: Repository, https://github.com/joaoheusi/movitera-cli
+Project-URL: Issues, https://github.com/joaoheusi/movitera-cli/issues
+Author: Movitera
+License-Expression: MIT
+License-File: LICENSE
+Keywords: cli,dotenv,movitera,password-manager,secrets,totp,vault
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: <4,>=3.11
+Requires-Dist: click<9,>=8.1
+Requires-Dist: httpx<1,>=0.28.1
+Requires-Dist: keyring<26,>=25
+Requires-Dist: pyotp<3,>=2.9
+Description-Content-Type: text/markdown
+
+# movitera CLI
+
+Inject Movitera vault secrets as environment variables, render dotenv files, and generate TOTP codes from the terminal. Authenticates with a Movitera vault personal access token (PAT).
+
+## Install
+
+```bash
+pip install movitera-cli
+# or install as an isolated CLI tool (recommended):
+pipx install movitera-cli
+# or with uv:
+uv tool install movitera-cli
+# or run without installing:
+uvx --from movitera-cli movitera --help
+```
+
+## Quick start
+
+```bash
+# 1. Mint a PAT in the web app (Settings → Vault → Access Tokens),
+#    then paste it once:
+movitera login
+
+# 2. Run any command with secrets injected as env vars:
+movitera run --team <teamId> --credential myapp-prod -- npm start
+
+# 3. Or dump as dotenv:
+movitera secrets pull --team <teamId> --credential myapp-prod > .env
+
+# 4. Or generate a TOTP code for a credential:
+movitera totp --team <teamId> <credential-id>
+```
+
+## How it works
+
+`movitera run -- cmd` fetches the dotenv body from
+`GET /vault/credentials/by-name/{name}/env`, then `exec`s the child process
+with those vars merged into its environment. The CLI never writes secrets
+to disk — they exist only in the child process's `environ`.
+
+Tokens are stored in the OS keyring (Keychain on macOS, libsecret on Linux,
+Credential Manager on Windows) with a file fallback under
+`~/.config/movitera/token` (mode `0o600`) if no keyring backend is
+available.
+
+## Config
+
+| Env var | Purpose | Default |
+|---|---|---|
+| `MOVITERA_API_URL` | API base URL | `https://api.movitera.com` |
+| `MOVITERA_TOKEN` | PAT override (skips keyring lookup) | — |
+| `MOVITERA_TEAM` | Default team id (you can omit `--team`) | — |
+
+## Commands
+
+### `movitera login`
+Prompts for a PAT (or reads it from stdin via `--stdin`) and stores it.
+
+### `movitera logout`
+Removes the stored PAT.
+
+### `movitera run --team T --credential N -- <cmd> [args...]`
+Fetches the `ENV_BUNDLE` credential named `N` and execs `<cmd>` with those
+vars in the environment.
+
+### `movitera secrets pull --team T --credential N`
+Writes the dotenv body to stdout. Exits non-zero on resolution failures so
+you can chain `movitera secrets pull ... > .env`.
+
+### `movitera totp --team T <credential-id>`
+Prints the current TOTP code for the credential's `OTPAUTH_URI` field.
+
+### `movitera tokens list --team T` / `movitera tokens revoke <id>`
+Manage your own PATs from the CLI.
+
+## Security model
+
+- PATs have full 256-bit entropy and are stored as SHA-256 on the server,
+  so a server compromise cannot recover the plaintext.
+- Every `movitera run` invocation is audited server-side, but PAT reads
+  are **coalesced per hour per token** (see the backend's
+  `FETCHED_VIA_TOKEN` aggregation) so a hot dev loop doesn't drown the log.
+- Group/team access is re-checked on every request: if your vault scope is
+  revoked, your PAT immediately loses access — no token-cache divergence.

movitera_cli-0.1.0/README.md

@@ -0,0 +1,84 @@
+# movitera CLI
+
+Inject Movitera vault secrets as environment variables, render dotenv files, and generate TOTP codes from the terminal. Authenticates with a Movitera vault personal access token (PAT).
+
+## Install
+
+```bash
+pip install movitera-cli
+# or install as an isolated CLI tool (recommended):
+pipx install movitera-cli
+# or with uv:
+uv tool install movitera-cli
+# or run without installing:
+uvx --from movitera-cli movitera --help
+```
+
+## Quick start
+
+```bash
+# 1. Mint a PAT in the web app (Settings → Vault → Access Tokens),
+#    then paste it once:
+movitera login
+
+# 2. Run any command with secrets injected as env vars:
+movitera run --team <teamId> --credential myapp-prod -- npm start
+
+# 3. Or dump as dotenv:
+movitera secrets pull --team <teamId> --credential myapp-prod > .env
+
+# 4. Or generate a TOTP code for a credential:
+movitera totp --team <teamId> <credential-id>
+```
+
+## How it works
+
+`movitera run -- cmd` fetches the dotenv body from
+`GET /vault/credentials/by-name/{name}/env`, then `exec`s the child process
+with those vars merged into its environment. The CLI never writes secrets
+to disk — they exist only in the child process's `environ`.
+
+Tokens are stored in the OS keyring (Keychain on macOS, libsecret on Linux,
+Credential Manager on Windows) with a file fallback under
+`~/.config/movitera/token` (mode `0o600`) if no keyring backend is
+available.
+
+## Config
+
+| Env var | Purpose | Default |
+|---|---|---|
+| `MOVITERA_API_URL` | API base URL | `https://api.movitera.com` |
+| `MOVITERA_TOKEN` | PAT override (skips keyring lookup) | — |
+| `MOVITERA_TEAM` | Default team id (you can omit `--team`) | — |
+
+## Commands
+
+### `movitera login`
+Prompts for a PAT (or reads it from stdin via `--stdin`) and stores it.
+
+### `movitera logout`
+Removes the stored PAT.
+
+### `movitera run --team T --credential N -- <cmd> [args...]`
+Fetches the `ENV_BUNDLE` credential named `N` and execs `<cmd>` with those
+vars in the environment.
+
+### `movitera secrets pull --team T --credential N`
+Writes the dotenv body to stdout. Exits non-zero on resolution failures so
+you can chain `movitera secrets pull ... > .env`.
+
+### `movitera totp --team T <credential-id>`
+Prints the current TOTP code for the credential's `OTPAUTH_URI` field.
+
+### `movitera tokens list --team T` / `movitera tokens revoke <id>`
+Manage your own PATs from the CLI.
+
+## Security model
+
+- PATs have full 256-bit entropy and are stored as SHA-256 on the server,
+  so a server compromise cannot recover the plaintext.
+- Every `movitera run` invocation is audited server-side, but PAT reads
+  are **coalesced per hour per token** (see the backend's
+  `FETCHED_VIA_TOKEN` aggregation) so a hot dev loop doesn't drown the log.
+- Group/team access is re-checked on every request: if your vault scope is
+  revoked, your PAT immediately loses access — no token-cache divergence.

movitera_cli-0.1.0/movitera_cli/__init__.py

@@ -0,0 +1,25 @@
+"""Movitera CLI for vault secrets, dotenv export, TOTP codes.
+
+Also exposes a small SDK surface for programmatic use:
+
+    from movitera_cli import VaultClient
+    from movitera_cli.token_store import load_token
+
+    client = VaultClient(api_url="https://api.movitera.com", token=load_token())
+    env = client.get_env(team_id="...", name="myapp-prod")  # raw dotenv text
+
+That's intentionally thin — the API itself is the SDK. We don't wrap it in
+domain objects because the surface evolves with the backend and the wire
+shape is small enough to consume directly.
+"""
+
+from movitera_cli.client import AccessTokenSummary, MoviteraError, VaultClient
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "AccessTokenSummary",
+    "MoviteraError",
+    "VaultClient",
+    "__version__",
+]

movitera_cli-0.1.0/movitera_cli/client.py

@@ -0,0 +1,131 @@
+"""HTTP client wrapping the Movitera vault API for the CLI.
+
+Thin wrapper around `httpx` that:
+- Adds the `Authorization: Bearer <pat>` header.
+- Surfaces server `errorCode` strings in raised exceptions so the CLI can
+  print actionable messages (e.g. CREDENTIAL_NAME_NOT_UNIQUE → "try --id").
+- Picks `text/plain` vs JSON correctly per endpoint.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+
+import httpx
+
+
+class MoviteraError(Exception):
+    """API call returned a non-2xx response we want to surface to the user."""
+
+    def __init__(
+        self,
+        message: str,
+        *,
+        status_code: int | None = None,
+        error_code: str | None = None,
+    ):
+        super().__init__(message)
+        self.status_code = status_code
+        self.error_code = error_code
+
+
+@dataclass(frozen=True)
+class AccessTokenSummary:
+    id: str
+    name: str
+    prefix: str
+    clientKind: str
+    createdAt: str
+    expiresAt: str | None
+    lastUsedAt: str | None
+
+
+class VaultClient:
+    def __init__(self, api_url: str, token: str, *, timeout: float = 30.0):
+        self._client = httpx.Client(
+            base_url=api_url,
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=timeout,
+        )
+
+    def close(self) -> None:
+        self._client.close()
+
+    def __enter__(self) -> VaultClient:
+        return self
+
+    def __exit__(self, *_: Any) -> None:
+        self.close()
+
+    # ----- env bundle (CLI hot path) ------------------------------------
+
+    def get_env(self, team_id: str, name: str) -> str:
+        """Return raw dotenv text for the named ENV_BUNDLE credential."""
+        response = self._client.get(
+            f"/vault/credentials/by-name/{name}/env",
+            params={"teamId": team_id},
+        )
+        self._raise_for_status(response)
+        return response.text
+
+    # ----- TOTP ----------------------------------------------------------
+
+    def get_totp(self, credential_id: str) -> tuple[str, str]:
+        """Return (code, ISO-8601 expiresAt) from the server-side endpoint."""
+        response = self._client.get(f"/vault/credentials/{credential_id}/totp")
+        self._raise_for_status(response)
+        body = response.json()
+        return body["code"], body["expiresAt"]
+
+    # ----- access tokens (self-service) ---------------------------------
+
+    def list_access_tokens(self, team_id: str) -> list[AccessTokenSummary]:
+        response = self._client.get(
+            "/vault/access-tokens", params={"teamId": team_id}
+        )
+        self._raise_for_status(response)
+        return [
+            AccessTokenSummary(
+                id=item["id"],
+                name=item["name"],
+                prefix=item["prefix"],
+                clientKind=item["clientKind"],
+                createdAt=item["createdAt"],
+                expiresAt=item.get("expiresAt"),
+                lastUsedAt=item.get("lastUsedAt"),
+            )
+            for item in response.json()
+        ]
+
+    def revoke_access_token(self, token_id: str) -> None:
+        response = self._client.delete(f"/vault/access-tokens/{token_id}")
+        self._raise_for_status(response)
+
+    # ----- error handling -----------------------------------------------
+
+    @staticmethod
+    def _raise_for_status(response: httpx.Response) -> None:
+        if response.is_success:
+            return
+        error_code: str | None = None
+        message: str = response.text
+        try:
+            body = response.json()
+            detail = body.get("detail") if isinstance(body, dict) else None
+            if isinstance(detail, dict):
+                error_code = detail.get("errorCode")
+                messages = detail.get("errorMessages") or {}
+                # Prefer en-US; fall back to whatever's there.
+                message = (
+                    messages.get("en-US")
+                    or next(iter(messages.values()), None)
+                    or message
+                )
+        except ValueError:
+            pass
+        raise MoviteraError(
+            message,
+            status_code=response.status_code,
+            error_code=error_code,
+        )

movitera_cli-0.1.0/movitera_cli/config.py

@@ -0,0 +1,22 @@
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass
+
+_DEFAULT_API_URL = "https://api.movitera.com"
+
+
+@dataclass(frozen=True)
+class Settings:
+    api_url: str
+    default_team_id: str | None
+    inline_token: str | None
+
+    @classmethod
+    def from_env(cls) -> Settings:
+        return cls(
+            api_url=os.environ.get("MOVITERA_API_URL", _DEFAULT_API_URL).rstrip("/"),
+            default_team_id=os.environ.get("MOVITERA_TEAM") or None,
+            # MOVITERA_TOKEN lets CI runners skip the keyring entirely.
+            inline_token=os.environ.get("MOVITERA_TOKEN") or None,
+        )