otdf-python 0.3.2__tar.gz → 0.3.4__tar.gz

{otdf_python-0.3.2 → otdf_python-0.3.4}/.github/check_entitlements.sh

@@ -17,7 +17,6 @@ echo ""
 
 get_token() {
     curl -k --location "$TOKEN_URL" \
-    --header "X-VirtruPubKey;" \
     --header "Content-Type: application/x-www-form-urlencoded" \
     --data-urlencode "grant_type=client_credentials" \
     --data-urlencode "client_id=$OTDF_CLIENT" \

{otdf_python-0.3.2 → otdf_python-0.3.4}/.github/workflows/build-python.yaml

@@ -1,9 +1,6 @@
 # Build otdf-python wheel using uv and output the wheel path for downstream workflows
 name: "Build Python Wheel"
 on:
-  push:
-    branches:
-      - chore/rewrite
   pull_request:
 
 jobs:

{otdf_python-0.3.2 → otdf_python-0.3.4}/.pre-commit-config.yaml

@@ -34,7 +34,7 @@ repos:
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.12.12
+    rev: v0.13.3
     hooks:
       # Run the linter.
       - id: ruff-check

otdf_python-0.3.4/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+    ".": "0.3.4"
+}

{otdf_python-0.3.2 → otdf_python-0.3.4}/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [0.3.4](https://github.com/b-long/opentdf-python-sdk/compare/otdf-python-v0.3.3...otdf-python-v0.3.4) (2025-10-04)
+
+### Chores
+
+* chore: remove placeholders  ([#110](https://github.com/b-long/opentdf-python-sdk/issues/110)) 
+
+
+### Bug Fixes
+
+* update ruff ([#108](https://github.com/b-long/opentdf-python-sdk/issues/108)) ([5e4c796](https://github.com/b-long/opentdf-python-sdk/commit/5e4c796a8c1fc10b206cd2769f7c8548903ad3c1))
+
+## [0.3.3](https://github.com/b-long/opentdf-python-sdk/compare/otdf-python-v0.3.2...otdf-python-v0.3.3) (2025-09-17)
+
+
+### Bug Fixes
+
+* improve docs ([#106](https://github.com/b-long/opentdf-python-sdk/issues/106)) ([49aa4ae](https://github.com/b-long/opentdf-python-sdk/commit/49aa4aea5e576c20b3e26c852331de8b0469742f))
+
 ## [0.3.2](https://github.com/b-long/opentdf-python-sdk/compare/otdf-python-v0.3.1...otdf-python-v0.3.2) (2025-09-12)
 
 

{otdf_python-0.3.2 → otdf_python-0.3.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: otdf-python
-Version: 0.3.2
+Version: 0.3.4
 Summary: Unofficial OpenTDF SDK for Python
 Author-email: b-long <b-long@users.noreply.github.com>
 License-File: LICENSE
@@ -102,8 +102,6 @@ with open("encrypted.tdf", "wb") as f:
 ### Decrypt Data
 
 ```python
-from otdf_python.tdf import TDFReaderConfig
-
 # Read encrypted TDF file
 with open("encrypted.tdf", "rb") as f:
     encrypted_data = f.read()
@@ -116,8 +114,6 @@ decrypted_data = tdf_reader.payload
 with open("decrypted.txt", "wb") as f:
     f.write(decrypted_data)
 
-# Don't forget to close the SDK when done
-sdk.close()
 ```
 
 ## Project Structure

{otdf_python-0.3.2 → otdf_python-0.3.4}/README.md

@@ -83,8 +83,6 @@ with open("encrypted.tdf", "wb") as f:
 ### Decrypt Data
 
 ```python
-from otdf_python.tdf import TDFReaderConfig
-
 # Read encrypted TDF file
 with open("encrypted.tdf", "rb") as f:
     encrypted_data = f.read()
@@ -97,8 +95,6 @@ decrypted_data = tdf_reader.payload
 with open("decrypted.txt", "wb") as f:
     f.write(decrypted_data)
 
-# Don't forget to close the SDK when done
-sdk.close()
 ```
 
 ## Project Structure

otdf_python-0.3.4/docs/CONNECT_RPC.md

@@ -0,0 +1,156 @@
+# Connect RPC in OpenTDF Python SDK
+
+This document describes the Connect RPC implementation in the OpenTDF Python SDK, which provides a modern HTTP-friendly alternative to traditional gRPC.
+
+## Overview
+
+Connect RPC is a protocol that brings the benefits of RPC to HTTP APIs. It's designed to be:
+- **HTTP-compatible**: Works with standard HTTP infrastructure
+- **Type-safe**: Generated from Protocol Buffer definitions
+- **Efficient**: Binary protocol with JSON fallback
+- **Simple**: Easy to debug and integrate
+
+## Architecture
+
+The SDK uses a two-module structure for protocol buffer generation:
+
+- **Main SDK**: `src/otdf_python/` - Core SDK functionality
+- **Protocol Generation**: `otdf-python-proto/` - Generated Connect RPC and protobuf files
+
+### Generated Files
+
+Connect RPC generates the following files in `otdf-python-proto/src/otdf_python_proto/`:
+
+- `*_connect.py` - Connect RPC client implementations (recommended)
+- `*_pb2.py` - Protocol buffer message definitions
+- `legacy_grpc/*_pb2_grpc.py` - Traditional gRPC clients (backward compatibility)
+
+## Usage
+
+### Client Creation
+
+Connect RPC clients are created using the generated `*_connect.py` modules:
+
+```python
+from otdf_python_proto.kas import kas_connect
+from otdf_python_proto.policy import policy_connect
+
+# Create Connect RPC clients
+kas_client = kas_connect.KeyAccessServiceClient(base_url="https://example.com")
+policy_client = policy_connect.PolicyServiceClient(base_url="https://your-policy-endpoint")
+```
+
+### Authentication
+
+Connect RPC clients support standard HTTP authentication:
+
+```python
+import httpx
+
+# Create authenticated HTTP client, assuming `token` holds your auth token
+http_client = httpx.Client(
+    headers={"Authorization": f"Bearer {token}"}
+)
+
+# Use with Connect RPC client
+kas_client = kas_connect.KeyAccessServiceClient(
+    base_url="https://example.com",
+    http_client=http_client
+)
+```
+
+## Regenerating Connect RPC Files
+
+To regenerate the Connect RPC and protobuf files:
+
+```bash
+cd otdf-python-proto
+uv run python scripts/generate_connect_proto.py
+```
+
+### Download Fresh Proto Files
+
+To download the latest protocol definitions:
+
+```bash
+cd otdf-python-proto
+uv run python scripts/generate_connect_proto.py --download
+```
+
+### Requirements
+
+- `buf` tool: `brew install bufbuild/buf/buf` (or see [official installation guide](https://buf.build/docs/installation))
+- Python dependencies managed by `uv`
+
+## Benefits Over gRPC
+
+1. **HTTP Compatibility**: Works with load balancers, proxies, and other HTTP infrastructure
+2. **Debugging**: Easy to inspect with standard HTTP tools
+3. **Flexibility**: Supports both binary and JSON encoding
+4. **Simplicity**: No special HTTP/2 requirements
+
+## Migration from gRPC
+
+If migrating from legacy gRPC clients:
+
+1. Replace `*_pb2_grpc.py` imports with `*_connect.py`
+2. Update client instantiation to use base URLs instead of channels
+3. Leverage HTTP client features for authentication and configuration
+
+## Testing
+
+Connect RPC clients can be easily mocked and tested using standard HTTP testing tools:
+
+```python
+import httpx
+import respx
+from otdf_python_proto.kas import kas_pb2, kas_connect
+
+@respx.mock
+def test_connect_rpc_client():
+    # 1. Create a sample protobuf response message
+    expected_response = kas_pb2.RewrapResponse(
+        entity_wrapped_key=b'some-unwrapped-key'
+    )
+
+    # 2. Mock the correct Connect RPC endpoint URL
+    respx.post("https://example.com/kas.AccessService/Rewrap").mock(
+        return_value=httpx.Response(
+            200,
+            # 3. Return the serialized protobuf message as content
+            content=expected_response.SerializeToString(),
+            headers={'Content-Type': 'application/proto'}
+        )
+    )
+
+    client = kas_connect.KeyAccessServiceClient(base_url="https://example.com")
+    # Test client calls...
+```
+
+## Error Handling
+
+Connect RPC provides structured error handling through standard HTTP status codes and error details:
+
+```python
+from connectrpc import ConnectError
+
+try:
+    # Assuming `kas_client` and `request` are defined as in previous examples
+    response = kas_client.rewrap(request)
+except ConnectError as e:
+    print(f"Connect RPC error: {e.code} - {e.message}")
+    # Handle specific error types
+```
+
+## Performance Considerations
+
+- Use connection pooling with `httpx.Client` for better performance
+- Configure appropriate timeouts for your use case
+- Consider using binary encoding for high-throughput scenarios
+
+## Additional Resources
+
+For more information, see:
+- [Connect RPC Documentation](https://connectrpc.com/docs/)
+- [Connect Python Repository](https://github.com/connectrpc/connect-python)
+- [OpenTDF Platform](https://github.com/opentdf/platform)

{otdf_python-0.3.2 → otdf_python-0.3.4}/otdf-python-proto/README.md

@@ -12,12 +12,12 @@ This project now supports **Connect RPC**, a modern HTTP-friendly alternative to
 - 🚀 **Simplified deployment** - No special gRPC infrastructure required
 - 📊 **Better observability** - Standard HTTP status codes and headers
 
-See [CONNECT_RPC_MIGRATION.md](../CONNECT_RPC_MIGRATION.md) for migration guide and examples.
+See [CONNECT_RPC.md](../docs/CONNECT_RPC.md) for additional information.
 
 ## Structure
 
 - `proto-files/`: Contains the raw .proto files downloaded from the OpenTDF platform
-- `generated/`: Contains the generated Python protobuf and Connect RPC client files
+- `src/otdf_python_proto/`: Contains the generated Python protobuf and Connect RPC client files
 - `scripts/`: Contains build scripts for generating protobuf and Connect RPC files
 - `buf.yaml`: Buf configuration for proto validation and management
 - `buf.gen.yaml`: Buf generation configuration for Connect RPC and protobuf
@@ -40,10 +40,10 @@ Or use the convenience script:
 ```
 
 This generates:
-- `generated/*_connect.py` - Connect RPC clients (preferred)
-- `generated/*_pb2.py` - Standard protobuf classes
-- `generated/*_pb2.pyi` - Type stubs for better IDE support
-- `generated/legacy_grpc/*_pb2_grpc.py` - Legacy gRPC clients (backward compatibility)
+- `src/otdf_python_proto/**/*_connect.py` - Connect RPC clients (preferred)
+- `src/otdf_python_proto/**/*_pb2.py` - Standard protobuf classes
+- `src/otdf_python_proto/**/*_pb2.pyi` - Type stubs for better IDE support
+- `src/otdf_python_proto/legacy_grpc/**/*_pb2_grpc.py` - Legacy gRPC clients (backward compatibility)
 
 ### Legacy gRPC Generation
 
@@ -158,7 +158,7 @@ response = client.GetPolicy(request)
 
 If you're migrating from traditional gRPC clients to Connect RPC:
 
-1. Read the [Connect RPC Migration Guide](../CONNECT_RPC_MIGRATION.md)
+1. Read the [Connect RPC Migration Guide](../docs/CONNECT_RPC.md)
 2. Run the Connect RPC generation: `./scripts/build_connect_proto.sh` (or from the submodule: `cd otdf-python-proto && uv run python scripts/generate_connect_proto.py`)
 3. Update your client code to use `*_connect.py` modules
 4. Test with your authentication and deployment setup

{otdf_python-0.3.2 → otdf_python-0.3.4}/otdf-python-proto/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "otdf-python-proto"
-version = "0.3.2"
+version = "0.3.4"
 description = "Generated protobuf files for OpenTDF Python SDK"
 readme = "README.md"
 authors = [

{otdf_python-0.3.2 → otdf_python-0.3.4}/otdf-python-proto/scripts/build_connect_proto.sh

@@ -87,7 +87,7 @@ if [[ $? -eq 0 ]]; then
     echo "  python examples/connect_rpc_client_example.py"
     echo ""
     echo "For more information, see:"
-    echo "  - CONNECT_RPC_MIGRATION.md"
+    echo "  - docs/CONNECT_RPC.md"
     echo "  - https://connectrpc.com/docs/"
 else
     echo "✗ Connect RPC generation failed!"

{otdf_python-0.3.2 → otdf_python-0.3.4}/otdf-python-proto/scripts/generate_connect_proto.py

@@ -96,10 +96,10 @@ def copy_opentdf_proto_files(proto_gen_dir: Path) -> bool:
                     print(f"  Copying {relative_path}...")
 
                     # Copy the file content
-                    with open(proto_file) as src:
+                    with proto_file.open() as src:
                         content = src.read()
 
-                    with open(dest_path, "w") as dst:
+                    with dest_path.open("w") as dst:
                         dst.write(content)
 
                     copied_files += 1
@@ -155,7 +155,7 @@ def run_buf_generate(proto_gen_dir: Path) -> bool:
 
         # Update buf.gen.yaml with the correct path
         buf_gen_path = proto_gen_dir / "buf.gen.yaml"
-        with open(buf_gen_path) as f:
+        with buf_gen_path.open() as f:
             content = f.read()
 
         # Replace the local plugin path
@@ -163,7 +163,7 @@ def run_buf_generate(proto_gen_dir: Path) -> bool:
             "- local: protoc-gen-connect_python", f"- local: {connect_plugin_path}"
         )
 
-        with open(buf_gen_path, "w") as f:
+        with buf_gen_path.open("w") as f:
             f.write(updated_content)
 
         # Run buf generate
@@ -221,7 +221,7 @@ def _fix_ignore_if_default_value(proto_files_dir):
     # Iterate all .proto files in the directory
     for proto_file in proto_files_dir.glob("**/*.proto"):
         try:
-            with open(proto_file, "r") as file:  # noqa: UP015
+            with proto_file.open("r") as file:
                 content = file.read()
 
             # Replace the old enum value with the new one
@@ -230,7 +230,7 @@ def _fix_ignore_if_default_value(proto_files_dir):
             )
 
             # Write the updated content back to the file
-            with open(proto_file, "w") as file:
+            with proto_file.open("w") as file:
                 file.write(updated_content)
 
             print(f"Updated {proto_file.name} to use IGNORE_IF_ZERO_VALUE")

{otdf_python-0.3.2 → otdf_python-0.3.4}/otdf-python-proto/uv.lock

@@ -481,7 +481,7 @@ wheels = [
 
 [[package]]
 name = "otdf-python-proto"
-version = "0.3.2"
+version = "0.3.4"
 source = { editable = "." }
 dependencies = [
     { name = "connect-python", extra = ["compiler"] },

{otdf_python-0.3.2 → otdf_python-0.3.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "otdf-python"
-version = "0.3.2"
+version = "0.3.4"
 description = "Unofficial OpenTDF SDK for Python"
 readme = "README.md"
 authors = [
@@ -73,6 +73,7 @@ lint.select = [
     "I",
     # Performance-related rules
     "PERF",      # Ruff's performance rules
+    "PTH",       # pathlib (path handling)
     # Additional useful rules
     "UP",        # pyupgrade (modern Python features)
     "SIM",       # flake8-simplify (simplifications)

{otdf_python-0.3.2 → otdf_python-0.3.4}/src/otdf_python/auth_headers.py

@@ -10,7 +10,7 @@ class AuthHeaders:
     """
 
     auth_header: str
-    dpop_header: str
+    dpop_header: str = ""
 
     def get_auth_header(self) -> str:
         """Returns the authorization header."""
@@ -19,3 +19,15 @@ class AuthHeaders:
     def get_dpop_header(self) -> str:
         """Returns the DPoP header."""
         return self.dpop_header
+
+    def to_dict(self) -> dict[str, str]:
+        """
+        Convert authentication headers to a dictionary for use with HTTP clients.
+
+        Returns:
+            Dictionary with 'Authorization' header and optionally 'DPoP' header
+        """
+        headers = {"Authorization": self.auth_header}
+        if self.dpop_header:
+            headers["DPoP"] = self.dpop_header
+        return headers

{otdf_python-0.3.2 → otdf_python-0.3.4}/src/otdf_python/cli.py

@@ -88,7 +88,7 @@ def load_client_credentials(creds_file_path: str) -> tuple[str, str]:
                 "CRITICAL", f"Credentials file does not exist: {creds_file_path}"
             )
 
-        with open(creds_path) as f:
+        with creds_path.open() as f:
             creds = json.load(f)
 
         client_id = creds.get("clientId")
@@ -223,13 +223,13 @@ def cmd_encrypt(args):
 
     try:
         # Read input file
-        with open(input_path, "rb") as input_file:
+        with input_path.open("rb") as input_file:
             payload = input_file.read()
 
         # Determine output
         if args.output:
             output_path = Path(args.output)
-            with open(output_path, "wb") as output_file:
+            with output_path.open("wb") as output_file:
                 try:
                     # Create appropriate config based on container type
                     container_type = getattr(args, "container_type", "tdf")
@@ -247,7 +247,7 @@ def cmd_encrypt(args):
                         logger.debug("Creating TDF")
                         config = create_tdf_config(sdk, args)
                         output_stream = BytesIO()
-                        manifest, size, _ = sdk.create_tdf(
+                        _manifest, size, _ = sdk.create_tdf(
                             BytesIO(payload), config, output_stream
                         )
                         output_file.write(output_stream.getvalue())
@@ -274,7 +274,7 @@ def cmd_encrypt(args):
                 logger.debug("Creating TDF")
                 config = create_tdf_config(sdk, args)
                 output_stream = BytesIO()
-                manifest, size, _ = sdk.create_tdf(
+                _manifest, size, _ = sdk.create_tdf(
                     BytesIO(payload), config, output_stream
                 )
                 output_file.write(output_stream.getvalue())
@@ -296,13 +296,13 @@ def cmd_decrypt(args):
 
     try:
         # Read encrypted file
-        with open(input_path, "rb") as input_file:
+        with input_path.open("rb") as input_file:
             encrypted_data = input_file.read()
 
         # Determine output
         if args.output:
             output_path = Path(args.output)
-            with open(output_path, "wb") as output_file:
+            with output_path.open("wb") as output_file:
                 try:
                     # Try to determine if it's a NanoTDF or regular TDF
                     # NanoTDFs have a specific header format, regular TDFs are ZIP files
@@ -359,7 +359,7 @@ def cmd_inspect(args):
 
         try:
             # Read encrypted file
-            with open(input_path, "rb") as input_file:
+            with input_path.open("rb") as input_file:
                 encrypted_data = input_file.read()
 
             if encrypted_data.startswith(b"PK"):
@@ -400,7 +400,7 @@ def cmd_inspect(args):
     except Exception as e:
         # If we can't inspect due to auth issues, show what we can
         logger.warning(f"Limited inspection due to: {e}")
-        with open(input_path, "rb") as input_file:
+        with input_path.open("rb") as input_file:
             encrypted_data = input_file.read()
 
         file_type = "TDF" if encrypted_data.startswith(b"PK") else "NanoTDF"

{otdf_python-0.3.2 → otdf_python-0.3.4}/src/otdf_python/header.py

@@ -51,7 +51,7 @@ class Header:
         # MAGIC_NUMBER_AND_VERSION (3 bytes)
         offset += 3
         # ResourceLocator
-        kas_locator, kas_size = ResourceLocator.from_bytes_with_size(buffer[offset:])
+        _kas_locator, kas_size = ResourceLocator.from_bytes_with_size(buffer[offset:])
         offset += kas_size
         # ECC mode (1 byte)
         ecc_mode = ECCMode(buffer[offset])
@@ -59,7 +59,7 @@ class Header:
         # Payload config (1 byte)
         offset += 1
         # PolicyInfo
-        policy_info, policy_size = PolicyInfo.from_bytes_with_size(
+        _policy_info, policy_size = PolicyInfo.from_bytes_with_size(
             buffer[offset:], ecc_mode
         )
         offset += policy_size

{otdf_python-0.3.2 → otdf_python-0.3.4}/src/otdf_python/kas_connect_rpc_client.py

@@ -9,6 +9,8 @@ import urllib3
 from otdf_python_proto.kas import kas_pb2
 from otdf_python_proto.kas.kas_pb2_connect import AccessServiceClient
 
+from otdf_python.auth_headers import AuthHeaders
+
 from .sdk_exceptions import SDKException
 
 
@@ -69,7 +71,11 @@ class KASConnectRPCClient:
             Dictionary with authentication headers or None
         """
         if access_token:
-            return {"Authorization": f"Bearer {access_token}"}
+            auth_headers = AuthHeaders(
+                auth_header=f"Bearer {access_token}",
+                dpop_header="",  # Empty for now, ready for future DPoP support
+            )
+            return auth_headers.to_dict()
         return None
 
     def get_public_key(self, normalized_kas_url, kas_info, access_token=None):

{otdf_python-0.3.2 → otdf_python-0.3.4}/src/otdf_python/nanotdf.py

@@ -300,7 +300,7 @@ class NanoTDF:
         iv, ciphertext = self._encrypt_payload(payload, key)
 
         # Wrap key if needed
-        wrapped_key, kas_public_key = self._wrap_key_if_needed(key, config)
+        wrapped_key, _kas_public_key = self._wrap_key_if_needed(key, config)
 
         # Compose the complete NanoTDF: [IV][CIPHERTEXT][WRAPPED_KEY][WRAPPED_KEY_LEN]
         if wrapped_key: