redenv 0.2.0__tar.gz → 0.3.0__tar.gz

{redenv-0.2.0 → redenv-0.3.0}/CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.3.0] - 2026-01-25
+
+### Added
+
+- **Secret Expansion:** Support for `${VAR_NAME}` syntax for referencing other secrets within values.
+- **Raw Value Access:** Added `.raw` property to `Secrets` object to access unexpanded values.
+- **Recursive Resolution:** Variable expansion supports multi-level recursion with circular dependency detection.
+
+### Changed
+
+- **Safe Access:** Accessing a non-existent secret via `secrets["KEY"]` now returns `None` instead of raising a `KeyError`.
+- **Improved Scoping:** `secrets.scope()` now correctly preserves both expanded and raw values in the resulting subset.
+
 ## [0.2.0] - 2026-01-22
 
 ### Added

{redenv-0.2.0 → redenv-0.3.0}/Makefile

@@ -10,15 +10,18 @@ test:
 
 # Run linting and type checking
 lint:
-	python -m ruff check src tests
+	python -m ruff check src
 	python -m pyright src
 
 # Build the package artifacts
 build:
-	rm -rf dist/ build/
+	rm -rf dist/
 	python -m build
 
 # Clean up build artifacts and caches
 clean:
 	rm -rf dist/ build/ *.egg-info .pytest_cache .ruff_cache
 	find . -type d -name "__pycache__" -exec rm -rf {} +
+
+publish:
+	twine upload dist/*

{redenv-0.2.0 → redenv-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: redenv
-Version: 0.2.0
+Version: 0.3.0
 Summary: A zero-knowledge, end-to-end encrypted secret management SDK for Python.
 Project-URL: Homepage, https://github.com/redenv-labs/redenv
 Project-URL: Documentation, https://github.com/redenv-labs/redenv/tree/main/packages/python-client
@@ -50,6 +50,7 @@ Provides-Extra: dev
 Requires-Dist: build; extra == 'dev'
 Requires-Dist: pyright; extra == 'dev'
 Requires-Dist: pytest; extra == 'dev'
+Requires-Dist: pytest-asyncio; extra == 'dev'
 Requires-Dist: python-dotenv; extra == 'dev'
 Requires-Dist: ruff; extra == 'dev'
 Requires-Dist: twine; extra == 'dev'
@@ -110,6 +111,12 @@ async def main():
     # 3. Smart Casting
     port = secrets.get("PORT", cast=int)
     debug = secrets.get("DEBUG", cast=bool)
+    
+    # 4. Safe Access (Returns None if missing)
+    missing = secrets["MISSING_KEY"] # None
+
+    # 5. Fallback Values
+    timeout = secrets.get("TIMEOUT", default=30, cast=int)
 
 if __name__ == "__main__":
     asyncio.run(main())
@@ -132,7 +139,30 @@ print(secrets["API_KEY"])
 
 ## Advanced Usage
 
-### 1. Scoping & Validation
+### 1. Secret Expansion (Reference other keys)
+Redenv supports referencing other secrets using the `${VAR_NAME}` syntax. This helps avoid duplication.
+
+**Example Configuration:**
+- `BASE_URL`: `https://api.example.com`
+- `AUTH_URL`: `${BASE_URL}/auth`
+
+**Usage:**
+```python
+secrets = await client.load()
+
+print(secrets["AUTH_URL"]) 
+# Output: https://api.example.com/auth
+```
+
+### 2. Raw Values
+You can access the unexpanded, raw value of a secret using the `.raw` property. This is useful for debugging or editing.
+
+```python
+print(secrets["AUTH_URL"])      # https://api.example.com/auth
+print(secrets.raw["AUTH_URL"])  # ${BASE_URL}/auth
+```
+
+### 3. Scoping & Validation
 Organize large configurations and ensure critical keys exist.
 
 ```python
@@ -149,7 +179,7 @@ print(stripe_config["KEY"])     # Maps to STRIPE_KEY
 print(stripe_config["WEBHOOK"]) # Maps to STRIPE_WEBHOOK
 ```
 
-### 2. Time Travel (Version History)
+### 4. Time Travel (Version History)
 Redenv stores a history of every secret change. You can access older versions for rollbacks or auditing.
 
 ```python

{redenv-0.2.0 → redenv-0.3.0}/README.md

@@ -53,6 +53,12 @@ async def main():
     # 3. Smart Casting
     port = secrets.get("PORT", cast=int)
     debug = secrets.get("DEBUG", cast=bool)
+    
+    # 4. Safe Access (Returns None if missing)
+    missing = secrets["MISSING_KEY"] # None
+
+    # 5. Fallback Values
+    timeout = secrets.get("TIMEOUT", default=30, cast=int)
 
 if __name__ == "__main__":
     asyncio.run(main())
@@ -75,7 +81,30 @@ print(secrets["API_KEY"])
 
 ## Advanced Usage
 
-### 1. Scoping & Validation
+### 1. Secret Expansion (Reference other keys)
+Redenv supports referencing other secrets using the `${VAR_NAME}` syntax. This helps avoid duplication.
+
+**Example Configuration:**
+- `BASE_URL`: `https://api.example.com`
+- `AUTH_URL`: `${BASE_URL}/auth`
+
+**Usage:**
+```python
+secrets = await client.load()
+
+print(secrets["AUTH_URL"]) 
+# Output: https://api.example.com/auth
+```
+
+### 2. Raw Values
+You can access the unexpanded, raw value of a secret using the `.raw` property. This is useful for debugging or editing.
+
+```python
+print(secrets["AUTH_URL"])      # https://api.example.com/auth
+print(secrets.raw["AUTH_URL"])  # ${BASE_URL}/auth
+```
+
+### 3. Scoping & Validation
 Organize large configurations and ensure critical keys exist.
 
 ```python
@@ -92,7 +121,7 @@ print(stripe_config["KEY"])     # Maps to STRIPE_KEY
 print(stripe_config["WEBHOOK"]) # Maps to STRIPE_WEBHOOK
 ```
 
-### 2. Time Travel (Version History)
+### 4. Time Travel (Version History)
 Redenv stores a history of every secret change. You can access older versions for rollbacks or auditing.
 
 ```python

{redenv-0.2.0 → redenv-0.3.0}/pyproject.toml

@@ -4,7 +4,6 @@ build-backend = "hatchling.build"
 
 [project]
 name = "redenv"
-version = "0.2.0"
 description = "A zero-knowledge, end-to-end encrypted secret management SDK for Python."
 readme = "README.md"
 requires-python = ">=3.8"
@@ -33,6 +32,11 @@ dependencies = [
     "cachetools>=5.0.0",
 ]
 
+dynamic = ["version"]
+
+[tool.hatch.version]
+  path = "src/redenv/__init__.py"
+
 [project.urls]
 Homepage = "https://github.com/redenv-labs/redenv"
 Documentation = "https://github.com/redenv-labs/redenv/tree/main/packages/python-client"
@@ -42,6 +46,7 @@ Issues = "https://github.com/redenv-labs/redenv/issues"
 [project.optional-dependencies]
 dev = [
     "pytest",
+    "pytest-asyncio",
     "python-dotenv",
     "build",
     "twine",

{redenv-0.2.0 → redenv-0.3.0}/src/redenv/__init__.py

@@ -3,5 +3,5 @@ from .errors import RedenvError
 from .secrets import Secrets
 from .sync import Redenv as RedenvSync
 
-__version__ = "0.2.0"
+__version__ = "0.3.0"
 __all__ = ["Redenv", "RedenvSync", "RedenvError", "Secrets"]

redenv-0.3.0/src/redenv/expand.py

@@ -0,0 +1,45 @@
+import re
+from typing import Dict
+from .errors import RedenvError
+
+# Match ${VAR} not preceded by a backslash
+REFERENCE_REGEX = re.compile(r"(?<!\\)\$\{([a-zA-Z0-9_]+)\}")
+
+def expand_secrets(secrets: Dict[str, str]) -> Dict[str, str]:
+    r"""
+    Expands variable references in a dictionary of secrets.
+    Supports recursion, cycle detection, and escaped references (\${VAR}).
+    """
+    expanded: Dict[str, str] = {}
+    cache: Dict[str, str] = {}
+    stack: list[str] = []
+
+    def resolve(key: str) -> str:
+        if key in cache:
+            return cache[key]
+
+        if key in stack:
+            cycle = " -> ".join(stack + [key])
+            raise RedenvError(f"Circular dependency detected: {cycle}", "INVALID_INPUT")
+
+        stack.append(key)
+        value = secrets[key]
+
+        def replacer(match: re.Match) -> str:
+            ref_key = match.group(1)
+            return resolve(ref_key) if ref_key in secrets else match.group(0)
+
+        # Expand all unescaped references
+        resolved = REFERENCE_REGEX.sub(replacer, value)
+
+        # Convert escaped references \${VAR} -> ${VAR}
+        resolved = resolved.replace(r"\${", "${")
+
+        cache[key] = resolved
+        stack.pop()
+        return resolved
+
+    for key in secrets:
+        expanded[key] = resolve(key)
+
+    return expanded

{redenv-0.2.0 → redenv-0.3.0}/src/redenv/secrets.py

@@ -10,6 +10,18 @@ class Secrets(dict):
     type-casting, scoping, and validation capabilities.
     """
 
+    def __init__(self, data: Optional[dict] = None, raw_data: Optional[dict] = None):
+        super().__init__(data or {})
+        self._raw_data = raw_data or data or {}
+
+    @property
+    def raw(self) -> "Secrets":
+        """
+        Returns a Secrets object containing the raw, unexpanded values.
+        """
+        # Create a new Secrets object with the raw data, but mark it as its own raw
+        return Secrets(self._raw_data, raw_data=self._raw_data)
+
     def get(self, key: str, default: Any = None, cast: Optional[Union[Type[T], Callable[[Any], T]]] = None) -> Union[T, Any]:
         """
         Retrieves a secret and optionally casts it to a specific type.
@@ -46,26 +58,31 @@ class Secrets(dict):
 
     def __getitem__(self, key: str) -> Any:
         """
-        Ensures standard dict access still works but raises a 
-        helpful error if the key is missing.
+        Returns None if the key is not found instead of raising KeyError.
         """
-        try:
-            return super().__getitem__(key)
-        except KeyError:
-            raise KeyError(f"Secret '{key}' not found in Redenv.")
+        return self.get(key)
 
     def scope(self, prefix: str) -> "Secrets":
         """
         Returns a new Secrets object containing only the keys that start with
         the given prefix. The prefix is stripped from the keys in the new object.
         """
-        subset = Secrets()
+        subset_data = {}
+        subset_raw = {}
+        
         for key, value in self.items():
             if key.startswith(prefix):
                 new_key = key[len(prefix):]
                 if new_key:
-                    subset[new_key] = value
-        return subset
+                    subset_data[new_key] = value
+                    
+        for key, value in self._raw_data.items():
+            if key.startswith(prefix):
+                new_key = key[len(prefix):]
+                if new_key:
+                    subset_raw[new_key] = value
+                    
+        return Secrets(subset_data, raw_data=subset_raw)
 
     def require(self, *keys: str) -> "Secrets":
         """

{redenv-0.2.0 → redenv-0.3.0}/src/redenv/sync/utils.py

@@ -7,6 +7,7 @@ from ..crypto import derive_key, decrypt, hex_to_buffer, encrypt
 from ..types import RedenvOptions, CacheEntry
 from ..errors import RedenvError
 from ..secrets import Secrets
+from ..expand import expand_secrets
 from ..utils import log, error
 from cachetools import LRUCache
 
@@ -79,8 +80,17 @@ def fetch_and_decrypt(redis: SyncRedis, options: RedenvOptions) -> Secrets:
             error(f'Failed to decrypt secret "{key}".', options.log)
             continue
 
-    log(f"Successfully loaded {len(secrets)} secrets.", options.log)
-    return secrets
+    # Capture raw decrypted secrets before expansion
+    raw_decrypted = dict(secrets)
+
+    # Expand variables
+    expanded_secrets = expand_secrets(raw_decrypted)
+    
+    # Create final Secrets object with both expanded and raw data
+    result = Secrets(expanded_secrets, raw_data=raw_decrypted)
+
+    log(f"Successfully loaded {len(result)} secrets.", options.log)
+    return result
 
 def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvOptions):
     """

{redenv-0.2.0 → redenv-0.3.0}/src/redenv/utils.py

@@ -1,6 +1,7 @@
 from .crypto import derive_key, decrypt, hex_to_buffer, encrypt
 from .types import RedenvOptions, LogPreference, CacheEntry
 from .errors import RedenvError
+from .expand import expand_secrets
 from upstash_redis import AsyncRedis
 from .secrets import Secrets
 import asyncio
@@ -114,8 +115,17 @@ async def fetch_and_decrypt(redis: AsyncRedis, options: RedenvOptions) -> Secret
             error(f'Failed to decrypt secret "{key}".', options.log)
             continue
 
-    log(f"Successfully loaded {len(secrets)} secrets.", options.log)
-    return secrets
+    # Capture raw decrypted secrets before expansion
+    raw_decrypted = dict(secrets)
+
+    # Expand variables
+    expanded_secrets = expand_secrets(raw_decrypted)
+    
+    # Create final Secrets object with both expanded and raw data
+    result = Secrets(expanded_secrets, raw_data=raw_decrypted)
+
+    log(f"Successfully loaded {len(result)} secrets.", options.log)
+    return result
 
 async def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvOptions):
     """

redenv-0.3.0/tests/test_client.py

@@ -0,0 +1,135 @@
+import pytest
+import json
+from unittest.mock import AsyncMock, patch
+from redenv import Redenv
+from redenv.crypto import encrypt, derive_key, buffer_to_hex, random_bytes
+
+# --- Test Data Setup ---
+PASSWORD = "masterpassword"
+SALT = random_bytes(16)
+TOKEN_SALT = random_bytes(16)
+TOKEN_SECRET = "redenv_sk_test"
+TOKEN_ID = "stk_test"
+
+# 1. Derive PEK
+PEK = derive_key(PASSWORD, SALT) # Project Encryption Key
+
+# 2. Encrypt PEK with Service Token
+token_key = derive_key(TOKEN_SECRET, TOKEN_SALT)
+encrypted_pek = encrypt(buffer_to_hex(PEK), token_key) # Wait, exportKey not implemented in python utils, we used bytes.
+# In utils.py get_pek: decrypted_pek_hex = decrypt(..., token_key) -> return hex_to_buffer(decrypted_pek_hex)
+# So we need to encrypt the HEX string of the PEK.
+pek_hex = buffer_to_hex(PEK)
+encrypted_pek_str = encrypt(pek_hex, token_key)
+
+# 3. Create Metadata
+METADATA = {
+    "serviceTokens": json.dumps({
+        TOKEN_ID: {
+            "salt": buffer_to_hex(TOKEN_SALT),
+            "encryptedPEK": encrypted_pek_str,
+            "name": "Test Token"
+        }
+    }),
+    "historyLimit": "10"
+}
+
+# 4. Create Secret Data
+SECRET_KEY = "API_KEY"
+SECRET_VAL = "super-secret-value"
+encrypted_secret = encrypt(SECRET_VAL, PEK)
+
+SECRET_HISTORY = [
+    {
+        "version": 1,
+        "value": encrypted_secret,
+        "user": "test-user",
+        "createdAt": "2023-01-01T00:00:00Z"
+    }
+]
+
+ENVIRONMENT_DATA = {
+    SECRET_KEY: json.dumps(SECRET_HISTORY)
+}
+
+# --- Client Setup ---
+@pytest.fixture
+def mock_redis():
+    mock = AsyncMock()
+    # Mock hgetall responses
+    def side_effect(key):
+        if key == "meta@test-project":
+            return METADATA
+        if key == "dev:test-project":
+            return ENVIRONMENT_DATA
+        return {}
+    
+    mock.hgetall.side_effect = side_effect
+    
+    # Mock hget response (for set_secret and get_version)
+    async def hget_side_effect(key, field):
+        if key == "dev:test-project" and field == SECRET_KEY:
+            return json.dumps(SECRET_HISTORY)
+        return None
+        
+    mock.hget.side_effect = hget_side_effect
+    
+    return mock
+
+@pytest.fixture
+def client(mock_redis):
+    with patch("redenv.client.Redis", return_value=mock_redis):
+        client = Redenv({
+            "project": "test-project",
+            "token_id": TOKEN_ID,
+            "token": TOKEN_SECRET,
+            "environment": "dev",
+            "upstash": {"url": "https://mock", "token": "mock"},
+            "log": "none"
+        })
+        return client
+
+@pytest.mark.asyncio
+async def test_load_decrypts_successfully(client, mock_redis):
+    secrets = await client.load()
+    assert secrets[SECRET_KEY] == SECRET_VAL
+    assert mock_redis.hgetall.call_count == 2 # 1 meta, 1 env
+
+@pytest.mark.asyncio
+async def test_caching_behavior(client, mock_redis):
+    # First load
+    await client.load()
+    assert mock_redis.hgetall.call_count == 2
+    
+    # Second load (should hit cache)
+    await client.load()
+    assert mock_redis.hgetall.call_count == 2 # Counts shouldn't increase
+
+@pytest.mark.asyncio
+async def test_write_secret(client, mock_redis):
+    new_val = "new-value"
+    await client.set(SECRET_KEY, new_val)
+    
+    # Verify hset was called
+    args = mock_redis.hset.call_args
+    # hset(key, field, value)
+    assert args[0][0] == "dev:test-project"
+    assert args[0][1] == SECRET_KEY
+    
+    written_json = args[0][2]
+    history = json.loads(written_json)
+    
+    assert len(history) == 2 # Prepend new version
+    assert history[0]["version"] == 2
+    # We can't verify encrypted value easily without decrypting, 
+    # but we assume encrypt() works (tested in unit tests)
+
+@pytest.mark.asyncio
+async def test_get_version(client, mock_redis):
+    # Version 1 exists in our mock data
+    val = await client.get_version(SECRET_KEY, 1)
+    assert val == SECRET_VAL
+    
+    # Version 99 does not exist
+    val_missing = await client.get_version(SECRET_KEY, 99)
+    assert val_missing is None

redenv-0.3.0/tests/test_expand.py

@@ -0,0 +1,59 @@
+import pytest
+from redenv.expand import expand_secrets
+from redenv.errors import RedenvError
+
+def test_basic_expansion():
+    secrets = {
+        "BASE_URL": "https://api.example.com",
+        "AUTH_URL": "${BASE_URL}/auth"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["AUTH_URL"] == "https://api.example.com/auth"
+
+def test_recursive_expansion():
+    secrets = {
+        "A": "value",
+        "B": "${A}",
+        "C": "${B}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["C"] == "value"
+
+def test_multiple_references():
+    secrets = {
+        "PROTOCOL": "https",
+        "DOMAIN": "example.com",
+        "URL": "${PROTOCOL}://${DOMAIN}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["URL"] == "https://example.com"
+
+def test_circular_dependency():
+    secrets = {
+        "A": "${B}",
+        "B": "${A}"
+    }
+    with pytest.raises(RedenvError, match="Circular dependency detected"):
+        expand_secrets(secrets)
+
+def test_missing_reference():
+    secrets = {
+        "A": "${MISSING}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["A"] == "${MISSING}"
+
+def test_escaped_reference():
+    secrets = {
+        "A": r"\${NOT_EXPANDED}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["A"] == "${NOT_EXPANDED}"
+
+def test_mixed_escaped_and_normal():
+    secrets = {
+        "VAR": "value",
+        "A": r"\${VAR} and ${VAR}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["A"] == "${VAR} and value"

redenv-0.3.0/tests/test_secrets.py

@@ -0,0 +1,96 @@
+import pytest
+from redenv.secrets import Secrets
+from redenv.errors import RedenvError
+
+def test_secrets_access():
+    data = {"KEY": "value"}
+    secrets = Secrets(data)
+    assert secrets["KEY"] == "value"
+    assert secrets.get("KEY") == "value"
+    
+    # Missing keys should return None instead of raising KeyError
+    assert secrets["MISSING"] is None
+
+def test_secrets_cast_int():
+    secrets = Secrets({"PORT": "8080", "BAD": "abc"})
+    assert secrets.get("PORT", cast=int) == 8080
+    assert secrets.get("BAD", cast=int) == None # Defaults to None on failure
+    assert secrets.get("BAD", default=0, cast=int) == 0
+
+def test_secrets_cast_bool():
+    secrets = Secrets({
+        "FLAG_TRUE": "true",
+        "FLAG_1": "1",
+        "FLAG_YES": "yes",
+        "FLAG_FALSE": "false",
+        "FLAG_0": "0"
+    })
+    
+    assert secrets.get("FLAG_TRUE", cast=bool) is True
+    assert secrets.get("FLAG_1", cast=bool) is True
+    assert secrets.get("FLAG_YES", cast=bool) is True
+    assert secrets.get("FLAG_FALSE", cast=bool) is False
+    assert secrets.get("FLAG_0", cast=bool) is False
+
+def test_secrets_cast_json():
+    secrets = Secrets({"CONFIG": '{"foo": "bar"}'})
+    config = secrets.get("CONFIG", cast=dict)
+    assert isinstance(config, dict)
+    assert config["foo"] == "bar"
+
+def test_secrets_scoping():
+    secrets = Secrets({
+        "APP_NAME": "MyApp",
+        "STRIPE_KEY": "sk_123",
+        "STRIPE_SECRET": "wh_456"
+    })
+    
+    stripe = secrets.scope("STRIPE_")
+    
+    # Prefix should be stripped
+    assert stripe["KEY"] == "sk_123"
+    assert stripe["SECRET"] == "wh_456"
+    # Unrelated keys should be ignored
+    assert "APP_NAME" not in stripe
+    # Original object should be untouched
+    assert secrets["STRIPE_KEY"] == "sk_123"
+
+def test_secrets_require():
+    secrets = Secrets({"A": "1", "B": "2"})
+    
+    # Should pass (chainable)
+    assert secrets.require("A", "B") is secrets
+    
+    # Should fail
+    with pytest.raises(RedenvError, match="Missing required secrets: C"):
+        secrets.require("A", "C")
+
+def test_secrets_masking():
+    secrets = Secrets({"API_KEY": "secret_value"})
+    output = str(secrets)
+    
+    assert "API_KEY" in output
+    assert "secret_value" not in output
+    assert "********" in output
+
+def test_secrets_raw_access():
+    raw_data = {"BASE": "val", "URL": "${BASE}/path"}
+    expanded_data = {"BASE": "val", "URL": "val/path"}
+    
+    secrets = Secrets(expanded_data, raw_data=raw_data)
+    
+    assert secrets["URL"] == "val/path"
+    assert secrets.raw["URL"] == "${BASE}/path"
+    assert secrets.raw["BASE"] == "val"
+    
+    # Test scoping raw access
+    stripe_raw = {"STRIPE_KEY": "${BASE}/key"}
+    stripe_expanded = {"STRIPE_KEY": "val/key"}
+    full_secrets = Secrets(
+        {**expanded_data, **stripe_expanded},
+        raw_data={**raw_data, **stripe_raw}
+    )
+    
+    stripe_scope = full_secrets.scope("STRIPE_")
+    assert stripe_scope["KEY"] == "val/key"
+    assert stripe_scope.raw["KEY"] == "${BASE}/key"

redenv-0.3.0/tests/test_sync.py

@@ -0,0 +1,123 @@
+import pytest
+import json
+from unittest.mock import MagicMock, patch
+from redenv.sync import Redenv as RedenvSync
+from redenv.crypto import encrypt, derive_key, buffer_to_hex, random_bytes
+
+# --- Test Data Setup (Mirroring test_client.py) ---
+PASSWORD = "masterpassword"
+SALT = random_bytes(16)
+TOKEN_SALT = random_bytes(16)
+TOKEN_SECRET = "redenv_sk_test"
+TOKEN_ID = "stk_test"
+
+# 1. Setup Keys
+PEK = derive_key(PASSWORD, SALT)
+token_key = derive_key(TOKEN_SECRET, TOKEN_SALT)
+pek_hex = buffer_to_hex(PEK)
+encrypted_pek_str = encrypt(pek_hex, token_key)
+
+# 2. Metadata
+METADATA = {
+    "serviceTokens": json.dumps({
+        TOKEN_ID: {
+            "salt": buffer_to_hex(TOKEN_SALT),
+            "encryptedPEK": encrypted_pek_str,
+            "name": "Test Token"
+        }
+    }),
+    "historyLimit": "10"
+}
+
+# 3. Secret Data
+SECRET_KEY = "SYNC_API_KEY"
+SECRET_VAL = "sync-secret-value"
+encrypted_secret = encrypt(SECRET_VAL, PEK)
+
+SECRET_HISTORY = [
+    {
+        "version": 1,
+        "value": encrypted_secret,
+        "user": "sync-user",
+        "createdAt": "2023-01-01T00:00:00Z"
+    }
+]
+
+ENVIRONMENT_DATA = {
+    SECRET_KEY: json.dumps(SECRET_HISTORY)
+}
+
+# --- Sync Client Fixtures ---
+@pytest.fixture
+def mock_redis_sync():
+    mock = MagicMock()
+    
+    # Mock hgetall
+    def hgetall_side_effect(key):
+        if key == "meta@sync-project":
+            return METADATA
+        if key == "prod:sync-project":
+            return ENVIRONMENT_DATA
+        return {}
+    mock.hgetall.side_effect = hgetall_side_effect
+    
+    # Mock hget
+    def hget_side_effect(key, field):
+        if key == "prod:sync-project" and field == SECRET_KEY:
+            return json.dumps(SECRET_HISTORY)
+        return None
+    mock.hget.side_effect = hget_side_effect
+    
+    return mock
+
+@pytest.fixture
+def sync_client(mock_redis_sync):
+    # Important: patch where Redis is IMPORTED in the sync client
+    with patch("redenv.sync.client.Redis", return_value=mock_redis_sync):
+        client = RedenvSync({
+            "project": "sync-project",
+            "token_id": TOKEN_ID,
+            "token": TOKEN_SECRET,
+            "environment": "prod",
+            "upstash": {"url": "https://mock", "token": "mock"},
+            "log": "none"
+        })
+        return client
+
+# --- Sync Tests ---
+def test_sync_load_decrypts(sync_client, mock_redis_sync):
+    secrets = sync_client.load()
+    assert secrets[SECRET_KEY] == SECRET_VAL
+    # Check that it called Redis
+    assert mock_redis_sync.hgetall.called
+
+def test_sync_caching(sync_client, mock_redis_sync):
+    # First load
+    sync_client.load()
+    count_after_first = mock_redis_sync.hgetall.call_count
+    
+    # Second load (should hit cache)
+    sync_client.load()
+    assert mock_redis_sync.hgetall.call_count == count_after_first
+
+def test_sync_set_secret(sync_client, mock_redis_sync):
+    new_val = "new-sync-val"
+    sync_client.set(SECRET_KEY, new_val)
+    
+    # Verify hset was called
+    assert mock_redis_sync.hset.called
+    args = mock_redis_sync.hset.call_args
+    assert args[0][0] == "prod:sync-project"
+    assert args[0][1] == SECRET_KEY
+    
+    written_json = args[0][2]
+    history = json.loads(written_json)
+    assert history[0]["version"] == 2
+
+def test_sync_get_version(sync_client, mock_redis_sync):
+    # Valid version
+    val = sync_client.get_version(SECRET_KEY, 1)
+    assert val == SECRET_VAL
+    
+    # Invalid version
+    assert sync_client.get_version(SECRET_KEY, 999) is None