onetool-mcp 1.0.0rc2__py3-none-any.whl → 1.0.0rc3__py3-none-any.whl

ot/config/secrets.py

@@ -1,192 +1,243 @@
-"""Secrets loading for OneTool.
-
-Loads secrets from secrets.yaml (gitignored) separate from committed configuration.
-Secrets are passed to workers via JSON-RPC, not exposed as environment variables.
-
-The secrets file path is resolved in order:
-1. Explicit path passed to get_secrets()
-2. OT_SECRETS_FILE environment variable
-3. Config's secrets_file setting (if config loaded and file exists)
-4. Default locations: project (.onetool/config/secrets.yaml) then global (~/.onetool/config/secrets.yaml)
-
-Example secrets.yaml:
-
-    BRAVE_API_KEY: "your-brave-api-key"
-    OPENAI_API_KEY: "sk-..."
-    DATABASE_URL: "postgresql://..."
-"""
-
-from __future__ import annotations
-
-import os
-from pathlib import Path
-
-import yaml
-from loguru import logger
-
-# Single global secrets cache
-_secrets: dict[str, str] | None = None
-
-
-def load_secrets(secrets_path: Path | str | None = None) -> dict[str, str]:
-    """Load secrets from YAML file.
-
-    Args:
-        secrets_path: Path to secrets file. If None or doesn't exist,
-            returns empty dict (no secrets).
-
-    Returns:
-        Dictionary of secret name -> value
-
-    Raises:
-        ValueError: If YAML is invalid
-    """
-    if secrets_path is None:
-        logger.debug("No secrets path provided")
-        return {}
-
-    secrets_path = Path(secrets_path)
-
-    if not secrets_path.exists():
-        logger.debug(f"Secrets file not found: {secrets_path}")
-        return {}
-
-    logger.debug(f"Loading secrets from {secrets_path}")
-
-    try:
-        with secrets_path.open() as f:
-            raw_data = yaml.safe_load(f)
-    except yaml.YAMLError as e:
-        raise ValueError(f"Invalid YAML in secrets file {secrets_path}: {e}") from e
-    except OSError as e:
-        raise ValueError(f"Error reading secrets file {secrets_path}: {e}") from e
-
-    if raw_data is None:
-        return {}
-
-    if not isinstance(raw_data, dict):
-        raise ValueError(
-            f"Secrets file {secrets_path} must be a YAML mapping, not {type(raw_data).__name__}"
-        )
-
-    # Values are literal - no env var expansion
-    secrets: dict[str, str] = {}
-    for key, value in raw_data.items():
-        if not isinstance(key, str):
-            logger.warning(f"Ignoring non-string secret key: {key}")
-            continue
-
-        if value is None:
-            continue
-
-        # Store as literal string - no ${VAR} expansion
-        secrets[key] = str(value)
-
-    logger.info(f"Loaded {len(secrets)} secrets")
-    return secrets
-
-
-def _load_from_default_locations() -> dict[str, str]:
-    """Load secrets from default project and global locations.
-
-    Searches in order (first found wins):
-    1. Project: {effective_cwd}/.onetool/config/secrets.yaml
-    2. Global: ~/.onetool/config/secrets.yaml
-
-    Returns:
-        Dictionary of secret name -> value (empty if no secrets found)
-    """
-    # Import here to avoid circular imports at module level
-    from ot.paths import CONFIG_SUBDIR, get_effective_cwd, get_global_dir
-
-    # Try project secrets first, then global
-    paths_to_try = [
-        get_effective_cwd() / ".onetool" / CONFIG_SUBDIR / "secrets.yaml",
-        get_global_dir() / CONFIG_SUBDIR / "secrets.yaml",
-    ]
-
-    for secrets_path in paths_to_try:
-        if secrets_path.exists():
-            try:
-                return load_secrets(secrets_path)
-            except ValueError as e:
-                # Silent during bootstrap - don't spam logs
-                logger.debug(f"Error loading secrets from {secrets_path}: {e}")
-                continue
-
-    return {}
-
-
-def get_secrets(
-    secrets_path: Path | str | None = None, reload: bool = False
-) -> dict[str, str]:
-    """Get or load the cached secrets.
-
-    Resolution order (first match wins):
-    1. Explicit secrets_path argument
-    2. OT_SECRETS_FILE environment variable
-    3. Config's secrets_file setting (if config loaded and file exists)
-    4. Default locations (.onetool/config/secrets.yaml)
-
-    Args:
-        secrets_path: Path to secrets file (only used on first load or reload).
-        reload: Force reload secrets from disk.
-
-    Returns:
-        Dictionary of secret name -> value
-    """
-    global _secrets
-
-    if _secrets is None or reload:
-        # Resolution chain: explicit > env var > config (if loaded) > defaults
-        if secrets_path is None:
-            # Check OT_SECRETS_FILE env var first (highest priority after explicit path)
-            env_path = os.getenv("OT_SECRETS_FILE")
-            if env_path:
-                secrets_path = env_path
-
-        if secrets_path is None:
-            # WARNING: Do NOT call get_config() here!
-            # =========================================
-            # This function is called during config loading via:
-            #   get_config() → load_config() → expand_secrets() → get_early_secret() → get_secrets()
-            #
-            # If we call get_config() here, it triggers config loading again → infinite recursion.
-            # Instead, we check _config directly - if it's None, config is still loading.
-            try:
-                import ot.config.loader
-
-                if ot.config.loader._config is not None:
-                    config_path = ot.config.loader._config.get_secrets_file_path()
-                    if config_path.exists():
-                        secrets_path = config_path
-            except Exception:
-                pass  # Module not loaded yet, fall through
-
-        # Try default locations if still no path
-        if secrets_path is None:
-            loaded = _load_from_default_locations()
-            if loaded:
-                _secrets = loaded
-                return _secrets
-
-        _secrets = load_secrets(secrets_path)
-
-    return _secrets
-
-
-def get_secret(name: str) -> str | None:
-    """Get a single secret value by name.
-
-    Args:
-        name: Secret name (e.g., "BRAVE_API_KEY")
-
-    Returns:
-        Secret value, or None if not found
-    """
-    return get_secrets().get(name)
-
-
-# Alias for backward compatibility and semantic clarity during config loading
-# Both functions now use the same unified cache
-get_early_secret = get_secret
+"""Secrets loading for OneTool V2 (global-only).
+
+Loads secrets from secrets.yaml (gitignored) separate from committed configuration.
+Secrets are passed to workers via JSON-RPC, not exposed as environment variables.
+
+The secrets file path is resolved in order:
+1. Explicit path passed to load_secrets()
+2. OT_SECRETS_FILE environment variable
+3. Global location: ~/.onetool/config/secrets.yaml
+
+Example secrets.yaml:
+
+    BRAVE_API_KEY: "your-brave-api-key"
+    OPENAI_API_KEY: "sk-..."
+    DATABASE_URL: "postgresql://..."
+"""
+
+from __future__ import annotations
+
+import os
+import re
+from pathlib import Path
+
+import yaml
+from loguru import logger
+
+# Single global secrets cache
+_secrets: dict[str, str] | None = None
+
+# Pre-compiled regex for variable expansion (avoids recompilation on each call)
+_VAR_PATTERN = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")
+
+
+def load_secrets(secrets_path: Path | str | None = None) -> dict[str, str]:
+    """Load secrets from YAML file.
+
+    Args:
+        secrets_path: Path to secrets file. If None or doesn't exist,
+            returns empty dict (no secrets).
+
+    Returns:
+        Dictionary of secret name -> value
+
+    Raises:
+        ValueError: If YAML is invalid
+    """
+    if secrets_path is None:
+        logger.debug("No secrets path provided")
+        return {}
+
+    secrets_path = Path(secrets_path)
+
+    if not secrets_path.exists():
+        logger.debug(f"Secrets file not found: {secrets_path}")
+        return {}
+
+    logger.debug(f"Loading secrets from {secrets_path}")
+
+    try:
+        with secrets_path.open() as f:
+            raw_data = yaml.safe_load(f)
+    except yaml.YAMLError as e:
+        raise ValueError(f"Invalid YAML in secrets file {secrets_path}: {e}") from e
+    except OSError as e:
+        raise ValueError(f"Error reading secrets file {secrets_path}: {e}") from e
+
+    if raw_data is None:
+        return {}
+
+    if not isinstance(raw_data, dict):
+        raise ValueError(
+            f"Secrets file {secrets_path} must be a YAML mapping, not {type(raw_data).__name__}"
+        )
+
+    # Values are literal - no env var expansion
+    secrets: dict[str, str] = {}
+    for key, value in raw_data.items():
+        if not isinstance(key, str):
+            logger.warning(f"Ignoring non-string secret key: {key}")
+            continue
+
+        if value is None:
+            continue
+
+        # Store as literal string - no ${VAR} expansion
+        secrets[key] = str(value)
+
+    logger.info(f"Loaded {len(secrets)} secrets")
+    return secrets
+
+
+def _resolve_secrets_path(secrets_path: Path | str | None) -> Path | str | None:
+    """Resolve secrets path from explicit path, env var, or global location.
+
+    Resolution order (first match wins):
+    1. Explicit secrets_path argument
+    2. OT_SECRETS_FILE environment variable
+    3. Global location (~/.onetool/config/secrets.yaml)
+
+    Args:
+        secrets_path: Explicit path to secrets file (may be None).
+
+    Returns:
+        Resolved path or None if no secrets file found.
+    """
+    if secrets_path is not None:
+        return secrets_path
+
+    env_path = os.getenv("OT_SECRETS_FILE")
+    if env_path:
+        return env_path
+
+    # Check global default location
+    from ot.paths import CONFIG_SUBDIR, get_global_dir
+
+    global_path = get_global_dir() / CONFIG_SUBDIR / "secrets.yaml"
+    if global_path.exists():
+        return global_path
+
+    return None
+
+
+def get_secrets(
+    secrets_path: Path | str | None = None, reload: bool = False
+) -> dict[str, str]:
+    """Get or load the cached secrets.
+
+    Resolution order (first match wins):
+    1. Explicit secrets_path argument
+    2. OT_SECRETS_FILE environment variable
+    3. Global location (~/.onetool/config/secrets.yaml)
+
+    Args:
+        secrets_path: Path to secrets file (only used on first load or reload).
+        reload: Force reload secrets from disk.
+
+    Returns:
+        Dictionary of secret name -> value
+    """
+    global _secrets
+
+    if _secrets is not None and not reload:
+        return _secrets
+
+    resolved_path = _resolve_secrets_path(secrets_path)
+    _secrets = load_secrets(resolved_path)
+    return _secrets
+
+
+def get_secret(name: str) -> str | None:
+    """Get a single secret value by name.
+
+    Args:
+        name: Secret name (e.g., "BRAVE_API_KEY")
+
+    Returns:
+        Secret value, or None if not found
+    """
+    return get_secrets().get(name)
+
+
+def expand_vars(value: str) -> str:
+    """Expand ${VAR} patterns from secrets.yaml first, then config env: section.
+
+    Variable resolution order (first match wins):
+    1. secrets.yaml (sensitive, user-specific values)
+    2. config env: section (non-sensitive, shared values)
+    3. Default value if provided via ${VAR:-default} syntax
+    4. ValueError if no match found
+
+    Supports ${VAR_NAME} and ${VAR_NAME:-default} syntax.
+    No os.environ - all values must be explicit in config.
+
+    When to use:
+        - Tool configuration values that may reference secrets or env vars
+        - Subprocess environment variables (after root env + server env merge)
+        - Any config value that needs runtime expansion
+
+    Args:
+        value: String potentially containing ${VAR} patterns.
+
+    Returns:
+        String with variables expanded.
+
+    Raises:
+        ValueError: If variable not found and no default provided.
+    """
+    missing_vars: list[str] = []
+
+    def replace(match: re.Match[str]) -> str:
+        var_name = match.group(1)
+        default_value = match.group(2)
+
+        # 1. Check secrets first (sensitive, user-specific)
+        secret_value = get_secret(var_name)
+        if secret_value is not None:
+            return secret_value
+
+        # 2. Check config env: section (non-sensitive, shared)
+        try:
+            # Import here to avoid circular dependency
+            from ot.config.loader import get_config
+
+            config = get_config()
+            env_value = config.env.get(var_name)
+            if env_value is not None:
+                return env_value
+        except Exception:
+            # Config not loaded yet or no env section
+            pass
+
+        # 3. Use default if provided
+        if default_value is not None:
+            return default_value
+
+        # 4. Error - variable not found
+        missing_vars.append(var_name)
+        return match.group(0)
+
+    result = _VAR_PATTERN.sub(replace, value)
+
+    if missing_vars:
+        raise ValueError(
+            f"Missing variables: {', '.join(missing_vars)}. "
+            f"Add them to secrets.yaml or env: section in config, "
+            f"or use ${{VAR:-default}} syntax."
+        )
+
+    return result
+
+
+# Alias for backward compatibility with external code
+expand_secrets = expand_vars
+
+
+def reset() -> None:
+    """Clear secrets cache for reload.
+
+    Use this as part of the config reload flow to force secrets to be
+    reloaded from disk on next access.
+    """
+    global _secrets
+    _secrets = None

ot/executor/tool_loader.py

@@ -40,7 +40,7 @@ def _get_bundled_tools_dir() -> Path | None:
 
 
 if TYPE_CHECKING:
-    from ot.config.loader import OneToolConfig
+    from ot.config import OneToolConfig
 
 
 @dataclass
@@ -394,3 +394,12 @@ def load_tool_functions(tools_dir: Path | None = None) -> dict[str, Any]:
         Dictionary mapping function names to callable functions.
     """
     return load_tool_registry(tools_dir).functions
+
+
+def reset() -> None:
+    """Clear tool loader module cache for reload.
+
+    Use this as part of the config reload flow to force tools to be
+    reloaded from disk on next access.
+    """
+    _module_cache.clear()

ot/executor/validator.py

@@ -48,7 +48,7 @@ from functools import lru_cache
 from typing import TYPE_CHECKING, Any
 
 if TYPE_CHECKING:
-    from ot.config.loader import SecurityConfig
+    from ot.config.models import SecurityConfig
 
 
 @dataclass
@@ -835,3 +835,13 @@ def get_security_summary() -> dict[str, Any]:
         },
         "tool_namespaces": sorted(tool_namespaces),
     }
+
+
+def reset() -> None:
+    """Clear validator caches for reload.
+
+    Use this as part of the config reload flow to force security config
+    and tool namespaces to be reloaded on next access.
+    """
+    _get_security_config.cache_clear()
+    _get_tool_namespaces.cache_clear()