oto-core 1.6.0__py3-none-any.whl

oto/config.py

@@ -0,0 +1,291 @@
+"""Configuration loader for otomata tools.
+
+Secret resolution order:
+1. Environment variable (always)
+2. Configured provider (sops, file, or scaleway)
+3. Default value
+"""
+
+import os
+import json
+from pathlib import Path
+from typing import Optional, Dict, Any
+
+# Cache for parsed secrets files
+_secrets_cache: Dict[Path, Dict[str, str]] = {}
+_oto_config_cache: Optional[Dict[str, Any]] = None
+
+
+class AmbiguousSecretError(RuntimeError):
+    """The key exists in the vault but with different values across files.
+
+    Raised by get_secret: returning one of the values would be arbitrary
+    (the key is scoped per project/mission file, not transverse)."""
+
+
+def _parse_env_file(path: Path) -> Dict[str, str]:
+    """Parse a .env file into a dictionary."""
+    if path in _secrets_cache:
+        return _secrets_cache[path]
+
+    result = {}
+    if path.exists():
+        with open(path, "r") as f:
+            for line in f:
+                line = line.strip()
+                if not line or line.startswith("#"):
+                    continue
+                if "=" in line:
+                    key, value = line.split("=", 1)
+                    value = value.strip()
+                    # Remove quotes if present
+                    if (value.startswith("'") and value.endswith("'")) or (
+                        value.startswith('"') and value.endswith('"')
+                    ):
+                        value = value[1:-1]
+                    result[key.strip()] = value
+
+    _secrets_cache[path] = result
+    return result
+
+
+def _find_project_secrets() -> Optional[Path]:
+    """Find .otomata/secrets.env in CWD or parent directories."""
+    cwd = Path.cwd()
+
+    # Check CWD and up to 4 parent levels
+    for _ in range(5):
+        secrets_file = cwd / ".otomata" / "secrets.env"
+        if secrets_file.exists():
+            return secrets_file
+        if cwd.parent == cwd:
+            break
+        cwd = cwd.parent
+
+    return None
+
+
+def _get_user_secrets() -> Path:
+    """Get user secrets file path (~/.otomata/secrets.env)."""
+    return Path.home() / ".otomata" / "secrets.env"
+
+
+def _get_oto_config() -> Dict[str, Any]:
+    """Read ~/.otomata/config.yaml. Cached."""
+    global _oto_config_cache
+    if _oto_config_cache is not None:
+        return _oto_config_cache
+
+    config_file = Path.home() / ".otomata" / "config.yaml"
+    if config_file.exists():
+        import yaml
+        with open(config_file) as f:
+            _oto_config_cache = yaml.safe_load(f) or {}
+    else:
+        _oto_config_cache = {}
+    return _oto_config_cache
+
+
+def get_provider() -> str:
+    """Return configured secret provider ('sops', 'file', or 'scaleway').
+
+    `sops` is the new default — secrets decrypted on demand from a SOPS
+    YAML file (see `oto.sops_secrets`). `file` and `scaleway` are kept for
+    backwards compat and migration.
+    """
+    return _get_oto_config().get("secret_provider", "sops")
+
+
+def write_oto_config(config: Dict[str, Any]) -> None:
+    """Write ~/.otomata/config.yaml."""
+    global _oto_config_cache
+    import yaml
+    config_file = get_config_dir() / "config.yaml"
+    with open(config_file, "w") as f:
+        yaml.dump(config, f, default_flow_style=False)
+    _oto_config_cache = config
+
+
+def get_search_provider() -> str:
+    """Return configured search provider ('serper' or 'browser')."""
+    return _get_oto_config().get("search_provider", "serper")
+
+
+_MISSING = object()
+
+
+def _file_provider_lookup(name: str):
+    """Look `name` up in the file provider (project secrets, then user secrets).
+
+    Returns the value, or the `_MISSING` sentinel when not present (so an empty
+    string stored on purpose is distinguishable from "not found").
+    """
+    project_secrets = _find_project_secrets()
+    if project_secrets:
+        secrets = _parse_env_file(project_secrets)
+        if name in secrets:
+            return secrets[name]
+    user_secrets = _get_user_secrets()
+    secrets = _parse_env_file(user_secrets)
+    if name in secrets:
+        return secrets[name]
+    return _MISSING
+
+
+def get_secret(name: str, default: Optional[str] = None) -> Optional[str]:
+    """
+    Get a secret value.
+
+    Resolution order:
+    1. Environment variable (always, highest priority)
+    2. Configured provider (sops / scaleway / file)
+    3. Local file provider as a graceful fallback when the configured provider
+       has no backing store (e.g. fresh/third-party install with sops default
+       but no SOPS repo cloned)
+    4. Default value
+
+    `get_secret` is the soft accessor: it honours its contract and returns
+    `default` when a secret can't be resolved — it never raises just because a
+    provider's store is absent. The hard failure (with guidance) belongs to
+    `require_secret`.
+
+    Exception: a key present in the vault with DIFFERENT values across files
+    raises AmbiguousSecretError — returning one of them would be arbitrary.
+
+    Args:
+        name: Secret name (e.g., 'GROQ_API_KEY', 'SIRENE_API_KEY')
+        default: Default value if not found
+
+    Returns:
+        Secret value or default
+    """
+    # 1. Environment variable (always)
+    env_val = os.environ.get(name)
+    if env_val:
+        return env_val
+
+    # Server hardening (oto-mcp#12) : OTO_CONFIG_DISABLE_SOPS=1 ⇒ le process ne
+    # résout QUE son environnement — ni SOPS, ni ~/.otomata/secrets.env. Les
+    # serveurs (oto-mcp) tirent leurs credentials de leur propre store (DB,
+    # injection) ; une lecture filesystem silencieuse ici contournerait ça.
+    if os.environ.get("OTO_CONFIG_DISABLE_SOPS") == "1":
+        return default
+
+    # 2. Configured provider. `store_missing` marks the case where the provider
+    #    is configured but has no backing store, so we can fall back to the
+    #    local file provider instead of failing.
+    provider = get_provider()
+    store_missing = False
+    if provider == "sops":
+        from oto.sops_secrets import fetch_secrets as _sops_fetch, ambiguous_keys
+        cfg = _get_oto_config()
+        try:
+            secrets = _sops_fetch(
+                path=cfg.get("sops_file"),
+                dir_path=cfg.get("sops_dir"),
+            )
+            if name in secrets:
+                return secrets[name]
+            if name in ambiguous_keys():
+                files = ambiguous_keys()[name]
+                raise AmbiguousSecretError(
+                    f"Secret '{name}' is defined with DIFFERENT values in several "
+                    f"vault files: {', '.join(files)}. It is scoped per file, not "
+                    f"transverse — read the relevant file directly "
+                    f"(`sops -d <file>`) or pass it via the environment."
+                )
+        except FileNotFoundError:
+            store_missing = True
+    elif provider == "scaleway":
+        from oto.scaleway_secrets import fetch_secrets
+        secrets = fetch_secrets()
+        if name in secrets:
+            return secrets[name]
+    else:
+        # File provider is the primary lookup.
+        value = _file_provider_lookup(name)
+        if value is not _MISSING:
+            return value
+
+    # 3. Graceful fallback to local file secrets when the configured provider's
+    #    store is absent (sops default but no SOPS repo on a third-party box).
+    if store_missing:
+        value = _file_provider_lookup(name)
+        if value is not _MISSING:
+            return value
+
+    return default
+
+
+def get_json_secret(name: str) -> Optional[Dict[str, Any]]:
+    """
+    Get a secret that contains JSON data.
+
+    Args:
+        name: Secret name
+
+    Returns:
+        Parsed JSON as dictionary, or None if not found
+    """
+    value = get_secret(name)
+    if value:
+        try:
+            return json.loads(value)
+        except json.JSONDecodeError:
+            return None
+    return None
+
+
+def require_secret(name: str) -> str:
+    """
+    Get a required secret, raise error if not found.
+
+    Args:
+        name: Secret name
+
+    Returns:
+        Secret value
+
+    Raises:
+        ValueError: If secret not found
+    """
+    value = get_secret(name)
+    if value is None:
+        if os.environ.get("OTO_CONFIG_DISABLE_SOPS") == "1":
+            raise ValueError(
+                f"Required secret '{name}' not found — filesystem secret stores are "
+                f"disabled (OTO_CONFIG_DISABLE_SOPS=1, server mode). Provide it via "
+                f"the process environment or the service's credential store (DB)."
+            )
+        provider = get_provider()
+        raise ValueError(
+            f"Required secret '{name}' not found. Set it via:\n"
+            f"  - Environment variable: export {name}='...'  (always wins, simplest)\n"
+            f"  - Local file provider: `oto config provider secrets file`, then add\n"
+            f"    {name}=... to ~/.otomata/secrets.env\n"
+            f"  - SOPS provider (otomata infra): keep `secret_provider: sops` and add the\n"
+            f"    key to your SOPS store\n"
+            f"  (current provider: {provider})"
+        )
+    return value
+
+
+def get_config_dir() -> Path:
+    """Get otomata config directory (~/.otomata/)."""
+    config_dir = Path.home() / ".otomata"
+    config_dir.mkdir(parents=True, exist_ok=True)
+    return config_dir
+
+
+def get_cache_dir() -> Path:
+    """Get otomata cache directory (~/.cache/otomata/)."""
+    cache_dir = Path.home() / ".cache" / "otomata"
+    cache_dir.mkdir(parents=True, exist_ok=True)
+    return cache_dir
+
+
+def get_sessions_dir() -> Path:
+    """Get browser sessions directory (~/.otomata/sessions/)."""
+    sessions_dir = get_config_dir() / "sessions"
+    sessions_dir.mkdir(parents=True, exist_ok=True)
+    return sessions_dir

oto/scaleway_secrets.py

@@ -0,0 +1,131 @@
+"""Scaleway Secret Manager client for oto secrets.
+
+Stores all secrets as a single JSON payload in one Scaleway secret ('otomata-secrets').
+Auth via ~/.config/scw/config.yaml (same as scw CLI).
+"""
+
+import base64
+import json
+from pathlib import Path
+from typing import Dict, Optional
+
+import requests
+
+_SCW_CONFIG = Path.home() / ".config" / "scw" / "config.yaml"
+_BASE_URL = "https://api.scaleway.com/secret-manager/v1beta1/regions/{region}/secrets"
+_SECRET_NAME = "otomata-secrets"
+
+# Module-level cache — one API call per process
+_cache: Optional[Dict[str, str]] = None
+
+
+def _load_scw_credentials() -> dict:
+    """Load Scaleway credentials from ~/.config/scw/config.yaml."""
+    if not _SCW_CONFIG.exists():
+        raise ValueError(
+            f"Scaleway config not found at {_SCW_CONFIG}. "
+            "Run 'scw init' to configure."
+        )
+
+    # Parse YAML manually (top-level key: value lines) to avoid pyyaml dependency here
+    # Full YAML parsing is in config.py where pyyaml is available
+    import yaml
+
+    with open(_SCW_CONFIG) as f:
+        data = yaml.safe_load(f)
+
+    required = ("access_key", "secret_key", "default_project_id")
+    for key in required:
+        if key not in data:
+            raise ValueError(
+                f"Missing '{key}' in {_SCW_CONFIG}. Run 'scw init'."
+            )
+
+    return {
+        "secret_key": data["secret_key"],
+        "project_id": data["default_project_id"],
+        "region": data.get("default_region", "fr-par"),
+    }
+
+
+def _headers(creds: dict) -> dict:
+    return {
+        "X-Auth-Token": creds["secret_key"],
+        "Content-Type": "application/json",
+    }
+
+
+def _base_url(creds: dict) -> str:
+    return _BASE_URL.format(region=creds["region"])
+
+
+def _find_secret_id(creds: dict) -> Optional[str]:
+    """Find the otomata-secrets secret ID, or None."""
+    resp = requests.get(
+        _base_url(creds),
+        headers=_headers(creds),
+        params={"name": _SECRET_NAME, "project_id": creds["project_id"]},
+        timeout=10,
+    )
+    resp.raise_for_status()
+    secrets = resp.json().get("secrets", [])
+    return secrets[0]["id"] if secrets else None
+
+
+def fetch_secrets() -> Dict[str, str]:
+    """Fetch all secrets from Scaleway Secret Manager. Cached per process."""
+    global _cache
+    if _cache is not None:
+        return _cache
+
+    creds = _load_scw_credentials()
+    secret_id = _find_secret_id(creds)
+    if not secret_id:
+        _cache = {}
+        return _cache
+
+    resp = requests.get(
+        f"{_base_url(creds)}/{secret_id}/versions/latest/access",
+        headers=_headers(creds),
+        timeout=10,
+    )
+    resp.raise_for_status()
+
+    raw = base64.b64decode(resp.json()["data"])
+    _cache = json.loads(raw)
+    return _cache
+
+
+def push_secrets(secrets: Dict[str, str]) -> str:
+    """Push secrets dict to Scaleway SM. Creates secret if needed. Returns version ID."""
+    creds = _load_scw_credentials()
+    secret_id = _find_secret_id(creds)
+
+    if not secret_id:
+        resp = requests.post(
+            _base_url(creds),
+            headers=_headers(creds),
+            json={
+                "name": _SECRET_NAME,
+                "project_id": creds["project_id"],
+                "type": "opaque",
+            },
+            timeout=10,
+        )
+        resp.raise_for_status()
+        secret_id = resp.json()["id"]
+
+    payload = base64.b64encode(json.dumps(secrets).encode()).decode()
+    resp = requests.post(
+        f"{_base_url(creds)}/{secret_id}/versions",
+        headers=_headers(creds),
+        json={"data": payload, "disable_previous": True},
+        timeout=10,
+    )
+    resp.raise_for_status()
+
+    # Invalidate cache
+    global _cache
+    _cache = None
+
+    return resp.json()["revision"]

oto/sops_secrets.py

@@ -0,0 +1,149 @@
+"""SOPS provider for oto secret resolution.
+
+Lit un ou plusieurs fichiers YAML chiffrés via SOPS + age. Configurable via
+`~/.otomata/config.yaml` :
+
+- `sops_dir`  : répertoire racine (préféré). Tous les `*.yaml` y sont décryptés
+  récursivement et mergés dans un seul dict plat. Défaut : `~/.otomata/secrets/`
+  (avec auto-détection si la struct contient un sous-dir avec `.sops.yaml`).
+- `sops_file` : un seul fichier (legacy / mono-fichier). Si défini, prioritaire
+  sur `sops_dir` et seul ce fichier est lu.
+
+Layout multi-fichiers (cf. AlexisLaporte/secrets) :
+    secrets/
+    ├── secrets.yaml         # transverse Otomata
+    ├── tuls.yaml            # host
+    ├── legacy.yaml          # orphelins préservés
+    ├── missions/*.yaml      # par mission/client
+    └── projects/*.yaml      # projets internes
+
+Décrypt délégué au CLI `sops` (déjà installé), résultat parsé en YAML plat,
+caché module-level (une seule décryption par process).
+
+Collisions de clés : même valeur ⇒ merge silencieux ; valeurs différentes
+(clé générique scopée par fichier, ex. DATABASE_URL par projet) ⇒ la clé est
+EXCLUE du namespace flat et listée dans `ambiguous_keys()` — `get_secret`
+lève une erreur explicite si on la demande.
+"""
+from __future__ import annotations
+
+import subprocess
+from pathlib import Path
+from typing import Dict, Optional, List
+
+_cache: Optional[Dict[str, str]] = None
+# Clés définies avec des VALEURS DIFFÉRENTES dans plusieurs fichiers (clés
+# génériques scopées par fichier : DATABASE_URL, DB_USER…). Elles sont exclues
+# du namespace flat — les résoudre = lire le fichier scope directement.
+_ambiguous: Dict[str, List[str]] = {}
+
+
+def _candidate_default_dirs() -> List[Path]:
+    """Default candidates for the secrets root directory."""
+    home = Path.home()
+    return [
+        home / ".otomata" / "secrets",
+    ]
+
+
+def _autodetect_dir() -> Optional[Path]:
+    """Find the first candidate dir that contains a .sops.yaml."""
+    for c in _candidate_default_dirs():
+        if (c / ".sops.yaml").is_file():
+            return c
+    return None
+
+
+def _decrypt_file(path: Path) -> Dict[str, str]:
+    try:
+        decrypted = subprocess.run(
+            ["sops", "--decrypt", str(path)],
+            capture_output=True, text=True, check=True,
+        ).stdout
+    except FileNotFoundError as e:
+        raise RuntimeError(
+            "sops CLI not found. Install it: "
+            "https://github.com/getsops/sops/releases"
+        ) from e
+    except subprocess.CalledProcessError as e:
+        raise RuntimeError(
+            f"sops --decrypt failed for {path}. "
+            f"Make sure ~/.config/sops/age/keys.txt matches a recipient in .sops.yaml.\n"
+            f"stderr: {e.stderr}"
+        ) from e
+
+    import yaml
+    data = yaml.safe_load(decrypted) or {}
+    return {str(k): str(v) for k, v in data.items()}
+
+
+def _merge(
+    target: Dict[str, str],
+    origins: Dict[str, str],
+    source: Dict[str, str],
+    source_path: Path,
+) -> None:
+    for k, v in source.items():
+        if k in _ambiguous:
+            _ambiguous[k].append(str(source_path))
+            continue
+        if k in target and target[k] != v:
+            # Valeurs divergentes ⇒ clé scopée par fichier, pas transverse.
+            # On la retire du flat ; get_secret lèvera si on la demande.
+            _ambiguous[k] = [origins.pop(k), str(source_path)]
+            del target[k]
+            continue
+        target[k] = v
+        origins[k] = str(source_path)
+
+
+def ambiguous_keys() -> Dict[str, List[str]]:
+    """Clés exclues du namespace flat (valeurs divergentes), avec leurs fichiers."""
+    return _ambiguous
+
+
+def fetch_secrets(
+    path: Optional[str] = None,
+    dir_path: Optional[str] = None,
+) -> Dict[str, str]:
+    """Decrypt all SOPS files and return a flat dict.
+
+    Args:
+        path: Legacy single-file mode. If set, only this file is read.
+        dir_path: Root directory. All `*.yaml` files (recursive) are decrypted
+                  and merged. If None and `path` is None, autodetects.
+    """
+    global _cache
+    if _cache is not None:
+        return _cache
+
+    merged: Dict[str, str] = {}
+
+    if path:
+        single = Path(path).expanduser()
+        if not single.exists():
+            raise FileNotFoundError(f"SOPS secrets file not found at {single}.")
+        merged = _decrypt_file(single)
+    else:
+        root: Optional[Path] = Path(dir_path).expanduser() if dir_path else _autodetect_dir()
+        if root is None or not root.is_dir():
+            raise FileNotFoundError(
+                f"SOPS secrets dir not found. Tried: {[str(c) for c in _candidate_default_dirs()]}. "
+                f"Clone: git clone git@github.com:AlexisLaporte/secrets ~/.otomata/secrets"
+            )
+        yaml_files = sorted(p for p in root.rglob("*.yaml") if p.name != ".sops.yaml")
+        if not yaml_files:
+            raise FileNotFoundError(f"No .yaml files found under {root}.")
+        origins: Dict[str, str] = {}
+        for f in yaml_files:
+            _merge(merged, origins, _decrypt_file(f), f)
+
+    _cache = merged
+    return _cache
+
+
+def invalidate_cache() -> None:
+    """Force a re-decrypt on next fetch (utile après `sops edit`)."""
+    global _cache
+    _cache = None
+    _ambiguous.clear()

oto/tools/__init__.py

@@ -0,0 +1 @@
+"""Otomata tools."""

oto/tools/anthropic/__init__.py

@@ -0,0 +1,5 @@
+"""Anthropic Admin API client for usage and cost tracking."""
+
+from .client import AnthropicAdminClient
+
+__all__ = ["AnthropicAdminClient"]