opencomputer-sdk 0.4.7__tar.gz → 0.4.8__tar.gz

{opencomputer_sdk-0.4.7 → opencomputer_sdk-0.4.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: opencomputer-sdk
-Version: 0.4.7
+Version: 0.4.8
 Summary: Python SDK for OpenComputer - cloud sandbox platform
 Project-URL: Homepage, https://github.com/diggerhq/opensandbox
 Project-URL: Repository, https://github.com/diggerhq/opensandbox

opencomputer_sdk-0.4.8/examples/test_secretstore.py

@@ -0,0 +1,241 @@
+#!/usr/bin/env python3
+"""
+Secret Stores & Secrets Test
+
+Tests:
+  1. Create a secret store
+  2. List secret stores
+  3. Get secret store by ID
+  4. Update secret store
+  5. Set secrets on a store
+  6. List secrets (names only, values never returned)
+  7. Create sandbox with secret store (inherits secrets)
+  8. Verify secrets are injected as sealed env vars
+  9. Delete secret
+ 10. Delete secret store
+
+Usage:
+  python examples/test_projects.py
+"""
+
+import asyncio
+import sys
+import time
+
+from opencomputer import Sandbox, SecretStore
+
+GREEN = "\033[32m"
+RED = "\033[31m"
+BOLD = "\033[1m"
+DIM = "\033[2m"
+RESET = "\033[0m"
+
+passed = 0
+failed = 0
+
+
+def green(msg: str) -> None:
+    print(f"{GREEN}\u2713 {msg}{RESET}")
+
+
+def red(msg: str) -> None:
+    print(f"{RED}\u2717 {msg}{RESET}")
+
+
+def bold(msg: str) -> None:
+    print(f"{BOLD}{msg}{RESET}")
+
+
+def dim(msg: str) -> None:
+    print(f"{DIM}  {msg}{RESET}")
+
+
+def check(desc: str, condition: bool, detail: str = "") -> None:
+    global passed, failed
+    if condition:
+        green(desc)
+        passed += 1
+    else:
+        red(f"{desc} ({detail})" if detail else desc)
+        failed += 1
+
+
+async def main() -> None:
+    global passed, failed
+
+    bold("\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557")
+    bold("\u2551       Secret Stores & Secrets Test               \u2551")
+    bold("\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n")
+
+    store_id = None
+    sandbox = None
+    store_name = f"test-store-{int(time.time())}"
+
+    try:
+        # -- Test 1: Create secret store --
+        bold("--- Test 1: Create secret store ---\n")
+
+        store = await SecretStore.create(
+            name=store_name,
+            egress_allowlist=["api.anthropic.com"],
+        )
+
+        store_id = store["id"]
+        check("Store created", bool(store["id"]))
+        check("Name matches", store["name"] == store_name)
+        check("Egress allowlist set", len(store.get("egressAllowlist", [])) == 1)
+        dim(f"Store ID: {store_id}")
+        print()
+
+        # -- Test 2: List secret stores --
+        bold("--- Test 2: List secret stores ---\n")
+
+        stores = await SecretStore.list()
+        check("List returns list", isinstance(stores, list))
+        found = any(s["id"] == store_id for s in stores)
+        check("Created store in list", found)
+        dim(f"Total stores: {len(stores)}")
+        print()
+
+        # -- Test 3: Get secret store --
+        bold("--- Test 3: Get secret store by ID ---\n")
+
+        fetched = await SecretStore.get(store_id)
+        check("Get returns correct store", fetched["id"] == store_id)
+        check("Get has correct name", fetched["name"] == store_name)
+        print()
+
+        # -- Test 4: Update secret store --
+        bold("--- Test 4: Update secret store ---\n")
+
+        updated_name = f"{store_name}-updated"
+        updated = await SecretStore.update(
+            store_id,
+            name=updated_name,
+            egress_allowlist=["api.anthropic.com", "*.openai.com"],
+        )
+        check("Name updated", updated["name"] == updated_name)
+        check("Egress allowlist updated", len(updated.get("egressAllowlist", [])) == 2)
+        print()
+
+        # -- Test 5: Set secrets --
+        bold("--- Test 5: Set secrets ---\n")
+
+        await SecretStore.set_secret(store_id, "TEST_API_KEY", "sk-test-12345")
+        green("Set TEST_API_KEY")
+
+        await SecretStore.set_secret(store_id, "DATABASE_URL", "postgres://localhost/test")
+        green("Set DATABASE_URL")
+
+        await SecretStore.set_secret(store_id, "TEMP_SECRET", "will-be-deleted")
+        green("Set TEMP_SECRET")
+        print()
+
+        # -- Test 6: List secrets --
+        bold("--- Test 6: List secret entries ---\n")
+
+        entries = await SecretStore.list_secrets(store_id)
+        check("Returns list", isinstance(entries, list))
+        names = [e["name"] for e in entries]
+        check("Has TEST_API_KEY", "TEST_API_KEY" in names)
+        check("Has DATABASE_URL", "DATABASE_URL" in names)
+        check("Has TEMP_SECRET", "TEMP_SECRET" in names)
+        check("3 secrets total", len(entries) == 3, f"got {len(entries)}")
+        dim(f"Secret names: {', '.join(names)}")
+        print()
+
+        # -- Test 7: Create sandbox with secret store --
+        bold("--- Test 7: Create sandbox with secret store ---\n")
+
+        sandbox = await Sandbox.create(
+            secret_store=updated_name,
+            timeout=120,
+        )
+        check("Sandbox created", bool(sandbox.sandbox_id))
+        dim(f"Sandbox ID: {sandbox.sandbox_id}")
+        print()
+
+        # -- Test 8: Verify secrets are sealed in sandbox --
+        bold("--- Test 8: Verify secrets sealed in sandbox ---\n")
+
+        # Secrets should be sealed tokens (osb_sealed_*) inside the VM.
+        # The MITM proxy replaces sealed tokens with real values on outbound HTTPS requests,
+        # so the real secret never exists in VM memory.
+        api_key_result = await sandbox.commands.run("echo $TEST_API_KEY")
+        api_key_val = api_key_result.stdout.strip()
+        check("TEST_API_KEY is sealed", api_key_val.startswith("osb_sealed_"),
+              f'got "{api_key_val}"')
+
+        db_url_result = await sandbox.commands.run("echo $DATABASE_URL")
+        db_url_val = db_url_result.stdout.strip()
+        check("DATABASE_URL is sealed", db_url_val.startswith("osb_sealed_"),
+              f'got "{db_url_val}"')
+
+        temp_result = await sandbox.commands.run("echo $TEMP_SECRET")
+        temp_val = temp_result.stdout.strip()
+        check("TEMP_SECRET is sealed", temp_val.startswith("osb_sealed_"),
+              f'got "{temp_val}"')
+        print()
+
+        # -- Test 9: Delete secret --
+        bold("--- Test 9: Delete secret ---\n")
+
+        await SecretStore.delete_secret(store_id, "TEMP_SECRET")
+        green("Deleted TEMP_SECRET")
+
+        after_delete = await SecretStore.list_secrets(store_id)
+        after_names = [e["name"] for e in after_delete]
+        check("TEMP_SECRET removed", "TEMP_SECRET" not in after_names)
+        check("2 secrets remaining", len(after_delete) == 2, f"got {len(after_delete)}")
+        print()
+
+        # -- Test 10: Delete secret store --
+        bold("--- Test 10: Delete secret store ---\n")
+
+        # Kill sandbox first
+        await sandbox.kill()
+        green("Sandbox killed")
+        sandbox = None
+
+        await SecretStore.delete(store_id)
+        green("Secret store deleted")
+
+        # Verify it's gone
+        try:
+            await SecretStore.get(store_id)
+            red("Store should not exist after delete")
+            failed += 1
+        except Exception:
+            green("Store not found after delete (expected)")
+            passed += 1
+        store_id = None
+        print()
+
+    except Exception as e:
+        red(f"Fatal error: {e}")
+        import traceback
+        traceback.print_exc()
+        failed += 1
+    finally:
+        # Cleanup
+        if sandbox:
+            try:
+                await sandbox.kill()
+            except Exception:
+                pass
+        if store_id:
+            try:
+                await SecretStore.delete(store_id)
+            except Exception:
+                pass
+
+    # --- Summary ---
+    bold("========================================")
+    bold(f" Results: {passed} passed, {failed} failed")
+    bold("========================================\n")
+    if failed > 0:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

{opencomputer_sdk-0.4.7 → opencomputer_sdk-0.4.8}/opencomputer/__init__.py

@@ -6,6 +6,8 @@ from opencomputer.filesystem import Filesystem
 from opencomputer.exec import Exec, ProcessResult, ExecSessionInfo
 from opencomputer.image import Image
 from opencomputer.pty import Pty, PtySession
+from opencomputer.template import Template
+from opencomputer.project import SecretStore
 from opencomputer.snapshot import Snapshots
 
 __all__ = [
@@ -21,7 +23,9 @@ __all__ = [
     "Image",
     "Pty",
     "PtySession",
+    "Template",
+    "SecretStore",
     "Snapshots",
 ]
 
-__version__ = "0.5.0"
+__version__ = "0.5.1"

opencomputer_sdk-0.4.8/opencomputer/project.py

@@ -0,0 +1,182 @@
+"""Secret store management — CRUD for secret stores and encrypted secrets."""
+
+from __future__ import annotations
+
+import os
+from typing import Any
+
+import httpx
+
+
+def _get_client(
+    api_key: str | None = None,
+    api_url: str | None = None,
+) -> httpx.AsyncClient:
+    url = api_url or os.environ.get("OPENCOMPUTER_API_URL", "https://app.opencomputer.dev")
+    url = url.rstrip("/")
+    key = api_key or os.environ.get("OPENCOMPUTER_API_KEY", "")
+
+    api_base = url if url.endswith("/api") else f"{url}/api"
+
+    headers: dict[str, str] = {}
+    if key:
+        headers["X-API-Key"] = key
+
+    return httpx.AsyncClient(base_url=api_base, headers=headers, timeout=30.0)
+
+
+class SecretStore:
+    """Static methods for managing secret stores and their secrets."""
+
+    @staticmethod
+    async def create(
+        name: str,
+        egress_allowlist: list[str] | None = None,
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> dict:
+        """Create a new secret store.
+
+        Args:
+            name: Store name (unique per org).
+            egress_allowlist: Allowed egress hosts (e.g. ["api.anthropic.com"]).
+            api_key: API key (or OPENCOMPUTER_API_KEY env var).
+            api_url: API URL (or OPENCOMPUTER_API_URL env var).
+
+        Returns:
+            Secret store info dict with id, name, egressAllowlist, etc.
+        """
+        body: dict[str, Any] = {"name": name}
+        if egress_allowlist:
+            body["egressAllowlist"] = egress_allowlist
+
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.post("/secret-stores", json=body)
+            resp.raise_for_status()
+            return resp.json()
+
+    @staticmethod
+    async def list(
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> list[dict]:
+        """List all secret stores for the authenticated org."""
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.get("/secret-stores")
+            resp.raise_for_status()
+            return resp.json()
+
+    @staticmethod
+    async def get(
+        store_id: str,
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> dict:
+        """Get secret store details by ID."""
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.get(f"/secret-stores/{store_id}")
+            resp.raise_for_status()
+            return resp.json()
+
+    @staticmethod
+    async def update(
+        store_id: str,
+        name: str = "",
+        egress_allowlist: list[str] | None = None,
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> dict:
+        """Update a secret store's configuration.
+
+        Args:
+            store_id: UUID of the store to update.
+            name: New store name (empty = no change).
+            egress_allowlist: New allowed egress hosts (None = no change).
+            api_key: API key (or OPENCOMPUTER_API_KEY env var).
+            api_url: API URL (or OPENCOMPUTER_API_URL env var).
+
+        Returns:
+            Updated secret store info dict.
+        """
+        body: dict[str, Any] = {}
+        if name:
+            body["name"] = name
+        if egress_allowlist is not None:
+            body["egressAllowlist"] = egress_allowlist
+
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.put(f"/secret-stores/{store_id}", json=body)
+            resp.raise_for_status()
+            return resp.json()
+
+    @staticmethod
+    async def delete(
+        store_id: str,
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> None:
+        """Delete a secret store and all its secrets."""
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.delete(f"/secret-stores/{store_id}")
+            resp.raise_for_status()
+
+    # ── Secret Entries ──────────────────────────────────────────────────────
+
+    @staticmethod
+    async def set_secret(
+        store_id: str,
+        name: str,
+        value: str,
+        allowed_hosts: list[str] | None = None,
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> None:
+        """Set (create or update) an encrypted secret in a store.
+
+        Args:
+            store_id: UUID of the secret store.
+            name: Secret name (used as env var name in sandboxes).
+            value: Secret value (encrypted at rest, never returned by API).
+            allowed_hosts: Restrict this secret to specific hosts only.
+            api_key: API key (or OPENCOMPUTER_API_KEY env var).
+            api_url: API URL (or OPENCOMPUTER_API_URL env var).
+        """
+        body: dict[str, Any] = {"value": value}
+        if allowed_hosts:
+            body["allowedHosts"] = allowed_hosts
+
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.put(
+                f"/secret-stores/{store_id}/secrets/{name}",
+                json=body,
+            )
+            resp.raise_for_status()
+
+    @staticmethod
+    async def delete_secret(
+        store_id: str,
+        name: str,
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> None:
+        """Delete a secret from a store."""
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.delete(f"/secret-stores/{store_id}/secrets/{name}")
+            if resp.status_code != 404:
+                resp.raise_for_status()
+
+    @staticmethod
+    async def list_secrets(
+        store_id: str,
+        api_key: str | None = None,
+        api_url: str | None = None,
+    ) -> list[dict]:
+        """List secret entries in a store (names and allowed hosts, no values).
+
+        Returns:
+            List of secret entry dicts with name, allowedHosts, etc.
+        """
+        async with _get_client(api_key, api_url) as client:
+            resp = await client.get(f"/secret-stores/{store_id}/secrets")
+            resp.raise_for_status()
+            return resp.json()

{opencomputer_sdk-0.4.7 → opencomputer_sdk-0.4.8}/opencomputer/sandbox.py

@@ -39,6 +39,7 @@ class Sandbox:
         api_url: str | None = None,
         envs: dict[str, str] | None = None,
         metadata: dict[str, str] | None = None,
+        secret_store: str | None = None,
         image: Image | None = None,
         snapshot: str | None = None,
         on_build_log: Callable[[str], None] | None = None,
@@ -46,12 +47,14 @@ class Sandbox:
         """Create a new sandbox instance.
 
         Args:
-            template: Base template name (default "base").
+            template: Template to use (default "base").
             timeout: Sandbox timeout in seconds (default 300).
             api_key: API key (or OPENCOMPUTER_API_KEY env var).
             api_url: API URL (or OPENCOMPUTER_API_URL env var).
-            envs: Environment variables to inject.
-            metadata: Arbitrary metadata tags.
+            envs: Environment variables to inject. Overrides store secrets.
+            metadata: Custom metadata key-value pairs.
+            secret_store: Secret store name — resolves encrypted secrets
+                and egress allowlist.
             image: Declarative Image definition. The server builds and caches it as a checkpoint.
             snapshot: Name of a pre-built snapshot to create the sandbox from.
             on_build_log: Callback for build log streaming when using image/snapshot.
@@ -83,6 +86,8 @@ class Sandbox:
             body["envs"] = envs
         if metadata:
             body["metadata"] = metadata
+        if secret_store:
+            body["secretStore"] = secret_store
         if image is not None:
             body["image"] = image.to_dict()
         if snapshot is not None:

opencomputer_sdk-0.4.8/opencomputer/template.py

@@ -0,0 +1,75 @@
+"""Template management for custom sandbox environments."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+import httpx
+
+
+@dataclass
+class TemplateInfo:
+    """Template metadata."""
+
+    template_id: str
+    name: str
+    tag: str
+    status: str
+
+
+@dataclass
+class Template:
+    """Template management operations."""
+
+    _client: httpx.AsyncClient
+
+    @classmethod
+    def _from_client(cls, client: httpx.AsyncClient) -> Template:
+        return cls(_client=client)
+
+    async def build(self, name: str, dockerfile: str) -> TemplateInfo:
+        """Build a new template from a Dockerfile."""
+        resp = await self._client.post(
+            "/templates",
+            json={"name": name, "dockerfile": dockerfile},
+            timeout=300.0,
+        )
+        resp.raise_for_status()
+        data = resp.json()
+        return TemplateInfo(
+            template_id=data["templateID"],
+            name=data["name"],
+            tag=data.get("tag", "latest"),
+            status=data.get("status", "ready"),
+        )
+
+    async def list(self) -> list[TemplateInfo]:
+        """List all available templates."""
+        resp = await self._client.get("/templates")
+        resp.raise_for_status()
+        return [
+            TemplateInfo(
+                template_id=t["templateID"],
+                name=t["name"],
+                tag=t.get("tag", "latest"),
+                status=t.get("status", "ready"),
+            )
+            for t in resp.json()
+        ]
+
+    async def get(self, name: str) -> TemplateInfo:
+        """Get template details by name."""
+        resp = await self._client.get(f"/templates/{name}")
+        resp.raise_for_status()
+        data = resp.json()
+        return TemplateInfo(
+            template_id=data["templateID"],
+            name=data["name"],
+            tag=data.get("tag", "latest"),
+            status=data.get("status", "ready"),
+        )
+
+    async def delete(self, name: str) -> None:
+        """Delete a template."""
+        resp = await self._client.delete(f"/templates/{name}")
+        resp.raise_for_status()

{opencomputer_sdk-0.4.7 → opencomputer_sdk-0.4.8}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "opencomputer-sdk"
-version = "0.4.7"
+version = "0.4.8"
 description = "Python SDK for OpenComputer - cloud sandbox platform"
 readme = "README.md"
 requires-python = ">=3.10"