redenv 0.2.0__tar.gz → 0.4.0__tar.gz

{redenv-0.2.0 → redenv-0.4.0}/.gitignore

@@ -6,4 +6,6 @@ build
 dist
 .eggs
 __pycache__
-.pytest_cache
+.pytest_cache
+.ruff_cache
+.venv

{redenv-0.2.0 → redenv-0.4.0}/CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file.
 
+## [Unreleased]
+
+### Changed
+
+- **Atomic Secret Updates:** Refactored `client.set()` (async and sync) to use a Lua script for atomic "read-modify-write" operations in Redis. This prevents race conditions and data loss during concurrent secret updates.
+- **Cluster-Safe Architecture:** Optimized the update flow to be Redis Cluster compatible by separating metadata retrieval from the atomic write operation, avoiding CROSSSLOT errors.
+
+## [0.3.0] - 2026-01-25
+
+### Added
+
+- **Secret Expansion:** Support for `${VAR_NAME}` syntax for referencing other secrets within values.
+- **Raw Value Access:** Added `.raw` property to `Secrets` object to access unexpanded values.
+- **Recursive Resolution:** Variable expansion supports multi-level recursion with circular dependency detection.
+
+### Changed
+
+- **Safe Access:** Accessing a non-existent secret via `secrets["KEY"]` now returns `None` instead of raising a `KeyError`.
+- **Improved Scoping:** `secrets.scope()` now correctly preserves both expanded and raw values in the resulting subset.
+
 ## [0.2.0] - 2026-01-22
 
 ### Added

{redenv-0.2.0 → redenv-0.4.0}/Makefile

@@ -10,15 +10,18 @@ test:
 
 # Run linting and type checking
 lint:
-	python -m ruff check src tests
+	python -m ruff check src
 	python -m pyright src
 
 # Build the package artifacts
 build:
-	rm -rf dist/ build/
+	rm -rf dist/
 	python -m build
 
 # Clean up build artifacts and caches
 clean:
 	rm -rf dist/ build/ *.egg-info .pytest_cache .ruff_cache
 	find . -type d -name "__pycache__" -exec rm -rf {} +
+
+publish:
+	twine upload dist/*

{redenv-0.2.0 → redenv-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: redenv
-Version: 0.2.0
+Version: 0.4.0
 Summary: A zero-knowledge, end-to-end encrypted secret management SDK for Python.
 Project-URL: Homepage, https://github.com/redenv-labs/redenv
 Project-URL: Documentation, https://github.com/redenv-labs/redenv/tree/main/packages/python-client
@@ -50,6 +50,7 @@ Provides-Extra: dev
 Requires-Dist: build; extra == 'dev'
 Requires-Dist: pyright; extra == 'dev'
 Requires-Dist: pytest; extra == 'dev'
+Requires-Dist: pytest-asyncio; extra == 'dev'
 Requires-Dist: python-dotenv; extra == 'dev'
 Requires-Dist: ruff; extra == 'dev'
 Requires-Dist: twine; extra == 'dev'
@@ -110,6 +111,12 @@ async def main():
     # 3. Smart Casting
     port = secrets.get("PORT", cast=int)
     debug = secrets.get("DEBUG", cast=bool)
+    
+    # 4. Safe Access (Returns None if missing)
+    missing = secrets["MISSING_KEY"] # None
+
+    # 5. Fallback Values
+    timeout = secrets.get("TIMEOUT", default=30, cast=int)
 
 if __name__ == "__main__":
     asyncio.run(main())
@@ -132,7 +139,30 @@ print(secrets["API_KEY"])
 
 ## Advanced Usage
 
-### 1. Scoping & Validation
+### 1. Secret Expansion (Reference other keys)
+Redenv supports referencing other secrets using the `${VAR_NAME}` syntax. This helps avoid duplication.
+
+**Example Configuration:**
+- `BASE_URL`: `https://api.example.com`
+- `AUTH_URL`: `${BASE_URL}/auth`
+
+**Usage:**
+```python
+secrets = await client.load()
+
+print(secrets["AUTH_URL"]) 
+# Output: https://api.example.com/auth
+```
+
+### 2. Raw Values
+You can access the unexpanded, raw value of a secret using the `.raw` property. This is useful for debugging or editing.
+
+```python
+print(secrets["AUTH_URL"])      # https://api.example.com/auth
+print(secrets.raw["AUTH_URL"])  # ${BASE_URL}/auth
+```
+
+### 3. Scoping & Validation
 Organize large configurations and ensure critical keys exist.
 
 ```python
@@ -149,7 +179,7 @@ print(stripe_config["KEY"])     # Maps to STRIPE_KEY
 print(stripe_config["WEBHOOK"]) # Maps to STRIPE_WEBHOOK
 ```
 
-### 2. Time Travel (Version History)
+### 4. Time Travel (Version History)
 Redenv stores a history of every secret change. You can access older versions for rollbacks or auditing.
 
 ```python

{redenv-0.2.0 → redenv-0.4.0}/README.md

@@ -53,6 +53,12 @@ async def main():
     # 3. Smart Casting
     port = secrets.get("PORT", cast=int)
     debug = secrets.get("DEBUG", cast=bool)
+    
+    # 4. Safe Access (Returns None if missing)
+    missing = secrets["MISSING_KEY"] # None
+
+    # 5. Fallback Values
+    timeout = secrets.get("TIMEOUT", default=30, cast=int)
 
 if __name__ == "__main__":
     asyncio.run(main())
@@ -75,7 +81,30 @@ print(secrets["API_KEY"])
 
 ## Advanced Usage
 
-### 1. Scoping & Validation
+### 1. Secret Expansion (Reference other keys)
+Redenv supports referencing other secrets using the `${VAR_NAME}` syntax. This helps avoid duplication.
+
+**Example Configuration:**
+- `BASE_URL`: `https://api.example.com`
+- `AUTH_URL`: `${BASE_URL}/auth`
+
+**Usage:**
+```python
+secrets = await client.load()
+
+print(secrets["AUTH_URL"]) 
+# Output: https://api.example.com/auth
+```
+
+### 2. Raw Values
+You can access the unexpanded, raw value of a secret using the `.raw` property. This is useful for debugging or editing.
+
+```python
+print(secrets["AUTH_URL"])      # https://api.example.com/auth
+print(secrets.raw["AUTH_URL"])  # ${BASE_URL}/auth
+```
+
+### 3. Scoping & Validation
 Organize large configurations and ensure critical keys exist.
 
 ```python
@@ -92,7 +121,7 @@ print(stripe_config["KEY"])     # Maps to STRIPE_KEY
 print(stripe_config["WEBHOOK"]) # Maps to STRIPE_WEBHOOK
 ```
 
-### 2. Time Travel (Version History)
+### 4. Time Travel (Version History)
 Redenv stores a history of every secret change. You can access older versions for rollbacks or auditing.
 
 ```python

redenv-0.4.0/atomic-write-test.py

@@ -0,0 +1,147 @@
+import asyncio
+import json
+import time
+import os
+from upstash_redis.asyncio import Redis
+from redenv.utils import set_secret
+from redenv.crypto import derive_key, generate_salt, random_bytes, encrypt, buffer_to_hex, decrypt
+from redenv.types import RedenvOptions, UpstashConfig
+
+# Credentials from client/example.ts
+UPSTASH_URL = os.getenv("UPSTASH_URL")
+UPSTASH_TOKEN = os.getenv("UPSTASH_TOKEN")
+
+async def main():
+    if not UPSTASH_URL or not UPSTASH_TOKEN:
+        raise ValueError("UPSTASH_URL and UPSTASH_TOKEN must be set")
+    
+    project_name = f"test-atomic-py-{int(time.time())}"
+    environment = "dev"
+    key = "ATOMIC_KEY_PY"
+    value1 = "value-1"
+    value2 = "value-2"
+    user = "python-integration-test"
+
+    # Direct Redis access for verification
+    redis = Redis(url=UPSTASH_URL, token=UPSTASH_TOKEN)
+
+    # Setup Options object manually since we are testing set_secret util directly
+    options = RedenvOptions(
+        project=project_name,
+        token_id="stk_test",
+        token="redenv_sk_test",
+        upstash=UpstashConfig(url=UPSTASH_URL, token=UPSTASH_TOKEN),
+        environment=environment,
+        log="none"
+    )
+
+    print(f"\n--- Starting Python Real Integration Test ---")
+    print(f"Project: {project_name}")
+
+    try:
+        # 1. Setup Metadata & Keys
+        print("1. Creating project metadata...")
+        
+        # We need a valid PEK encrypted in metadata for get_pek to work
+        # Generate real PEK
+        salt = generate_salt()
+        pek = random_bytes(32) # PEK is 32 bytes (256 bits)
+        
+        # Wrap PEK with our mock service token
+        token_key = derive_key("redenv_sk_test", salt)
+        # Encrypt the HEX representation of PEK
+        encrypted_pek = encrypt(buffer_to_hex(pek), token_key)
+
+        await redis.hset(f"meta@{project_name}", values={
+            "historyLimit": 5,
+            "serviceTokens": json.dumps({
+                "stk_test": {
+                    "salt": buffer_to_hex(salt),
+                    "encryptedPEK": encrypted_pek,
+                    "name": "Test Token"
+                }
+            })
+        })
+
+        # 2. First Write
+        print(f"2. Writing first version: '{value1}'...")
+        await set_secret(redis, options, key, value1)
+        print("   ✓ Write successful")
+
+        # 3. Second Write
+        print(f"3. Writing second version: '{value2}'...")
+        await set_secret(redis, options, key, value2)
+        print("   ✓ Update successful")
+
+        # 4. Verification
+        print("4. Verifying data in Redis...")
+        raw_data = await redis.hget(f"{environment}:{project_name}", key)
+        history = json.loads(raw_data) if isinstance(raw_data, str) else raw_data
+        
+        print(f"   History length: {len(history)} (Expected: 2)")
+        if len(history) != 2:
+            raise Exception(f"History length mismatch! Got {len(history)}")
+
+        # Check V2 (Latest)
+        v2 = history[0]
+        decrypted_v2 = decrypt(v2["value"], pek)
+        print(f"   v{v2['version']} Value: '{decrypted_v2}' (Expected: '{value2}')")
+        if decrypted_v2 != value2:
+            raise Exception("Latest value mismatch!")
+
+        # Check V1
+        v1 = history[1]
+        decrypted_v1 = decrypt(v1["value"], pek)
+        print(f"   v{v1['version']} Value: '{decrypted_v1}' (Expected: '{value1}')")
+        if decrypted_v1 != value1:
+            raise Exception("Previous value mismatch!")
+
+        # 5. Concurrency Test
+        print("\n5. Testing Concurrency (Race Conditions)...")
+        parallel_writes = 5
+        print(f"   Firing {parallel_writes} writes in parallel...")
+
+        tasks = []
+        for i in range(parallel_writes):
+            tasks.append(set_secret(redis, options, key, f"concurrent-{i}"))
+        
+        await asyncio.gather(*tasks)
+        print("   ✓ Parallel writes completed")
+
+        # 6. Verify Concurrency
+        print("6. Verifying concurrency results...")
+        raw_data_concurrent = await redis.hget(f"{environment}:{project_name}", key)
+        history = json.loads(raw_data_concurrent) if isinstance(raw_data_concurrent, str) else raw_data_concurrent
+        
+        # Initial 2 + 5 = 7 total versions created.
+        # But historyLimit is 5.
+        print(f"   History length: {len(history)} (Expected Cap: 5)")
+        if len(history) != 5:
+             raise Exception(f"History should be capped at 5! Got {len(history)}")
+
+        latest_version = history[0]['version']
+        expected_version = 2 + parallel_writes # 7
+        print(f"   Latest Version: {latest_version} (Expected: {expected_version})")
+
+        if latest_version != expected_version:
+            raise Exception(f"Race condition detected! Expected version {expected_version}, got {latest_version}. Updates were lost.")
+
+        # Ensure all versions are unique
+        versions = [h['version'] for h in history]
+        unique_versions = set(versions)
+        if len(versions) != len(unique_versions):
+            raise Exception("Duplicate version numbers detected!")
+
+        print("\n✅ SUCCESS: Python Atomic set_secret is working correctly on real Redis.")
+
+    except Exception as e:
+        print(f"\n❌ FAILED: {e}")
+        import traceback
+        traceback.print_exc()
+    finally:
+        print("\nCleaning up...")
+        await redis.delete(f"meta@{project_name}")
+        await redis.delete(f"{environment}:{project_name}")
+
+if __name__ == "__main__":
+    asyncio.run(main())

{redenv-0.2.0 → redenv-0.4.0}/pyproject.toml

@@ -4,7 +4,6 @@ build-backend = "hatchling.build"
 
 [project]
 name = "redenv"
-version = "0.2.0"
 description = "A zero-knowledge, end-to-end encrypted secret management SDK for Python."
 readme = "README.md"
 requires-python = ">=3.8"
@@ -33,6 +32,11 @@ dependencies = [
     "cachetools>=5.0.0",
 ]
 
+dynamic = ["version"]
+
+[tool.hatch.version]
+  path = "src/redenv/__init__.py"
+
 [project.urls]
 Homepage = "https://github.com/redenv-labs/redenv"
 Documentation = "https://github.com/redenv-labs/redenv/tree/main/packages/python-client"
@@ -42,6 +46,7 @@ Issues = "https://github.com/redenv-labs/redenv/issues"
 [project.optional-dependencies]
 dev = [
     "pytest",
+    "pytest-asyncio",
     "python-dotenv",
     "build",
     "twine",

{redenv-0.2.0 → redenv-0.4.0}/src/redenv/__init__.py

@@ -3,5 +3,5 @@ from .errors import RedenvError
 from .secrets import Secrets
 from .sync import Redenv as RedenvSync
 
-__version__ = "0.2.0"
+__version__ = "0.4.0"
 __all__ = ["Redenv", "RedenvSync", "RedenvError", "Secrets"]

redenv-0.4.0/src/redenv/expand.py

@@ -0,0 +1,45 @@
+import re
+from typing import Dict
+from .errors import RedenvError
+
+# Match ${VAR} not preceded by a backslash
+REFERENCE_REGEX = re.compile(r"(?<!\\)\$\{([a-zA-Z0-9_]+)\}")
+
+def expand_secrets(secrets: Dict[str, str]) -> Dict[str, str]:
+    r"""
+    Expands variable references in a dictionary of secrets.
+    Supports recursion, cycle detection, and escaped references (\${VAR}).
+    """
+    expanded: Dict[str, str] = {}
+    cache: Dict[str, str] = {}
+    stack: list[str] = []
+
+    def resolve(key: str) -> str:
+        if key in cache:
+            return cache[key]
+
+        if key in stack:
+            cycle = " -> ".join(stack + [key])
+            raise RedenvError(f"Circular dependency detected: {cycle}", "INVALID_INPUT")
+
+        stack.append(key)
+        value = secrets[key]
+
+        def replacer(match: re.Match) -> str:
+            ref_key = match.group(1)
+            return resolve(ref_key) if ref_key in secrets else match.group(0)
+
+        # Expand all unescaped references
+        resolved = REFERENCE_REGEX.sub(replacer, value)
+
+        # Convert escaped references \${VAR} -> ${VAR}
+        resolved = resolved.replace(r"\${", "${")
+
+        cache[key] = resolved
+        stack.pop()
+        return resolved
+
+    for key in secrets:
+        expanded[key] = resolve(key)
+
+    return expanded

{redenv-0.2.0 → redenv-0.4.0}/src/redenv/secrets.py

@@ -10,6 +10,18 @@ class Secrets(dict):
     type-casting, scoping, and validation capabilities.
     """
 
+    def __init__(self, data: Optional[dict] = None, raw_data: Optional[dict] = None):
+        super().__init__(data or {})
+        self._raw_data = raw_data or data or {}
+
+    @property
+    def raw(self) -> "Secrets":
+        """
+        Returns a Secrets object containing the raw, unexpanded values.
+        """
+        # Create a new Secrets object with the raw data, but mark it as its own raw
+        return Secrets(self._raw_data, raw_data=self._raw_data)
+
     def get(self, key: str, default: Any = None, cast: Optional[Union[Type[T], Callable[[Any], T]]] = None) -> Union[T, Any]:
         """
         Retrieves a secret and optionally casts it to a specific type.
@@ -46,26 +58,31 @@ class Secrets(dict):
 
     def __getitem__(self, key: str) -> Any:
         """
-        Ensures standard dict access still works but raises a 
-        helpful error if the key is missing.
+        Returns None if the key is not found instead of raising KeyError.
         """
-        try:
-            return super().__getitem__(key)
-        except KeyError:
-            raise KeyError(f"Secret '{key}' not found in Redenv.")
+        return self.get(key)
 
     def scope(self, prefix: str) -> "Secrets":
         """
         Returns a new Secrets object containing only the keys that start with
         the given prefix. The prefix is stripped from the keys in the new object.
         """
-        subset = Secrets()
+        subset_data = {}
+        subset_raw = {}
+        
         for key, value in self.items():
             if key.startswith(prefix):
                 new_key = key[len(prefix):]
                 if new_key:
-                    subset[new_key] = value
-        return subset
+                    subset_data[new_key] = value
+                    
+        for key, value in self._raw_data.items():
+            if key.startswith(prefix):
+                new_key = key[len(prefix):]
+                if new_key:
+                    subset_raw[new_key] = value
+                    
+        return Secrets(subset_data, raw_data=subset_raw)
 
     def require(self, *keys: str) -> "Secrets":
         """

{redenv-0.2.0 → redenv-0.4.0}/src/redenv/sync/utils.py

@@ -7,6 +7,7 @@ from ..crypto import derive_key, decrypt, hex_to_buffer, encrypt
 from ..types import RedenvOptions, CacheEntry
 from ..errors import RedenvError
 from ..secrets import Secrets
+from ..expand import expand_secrets
 from ..utils import log, error
 from cachetools import LRUCache
 
@@ -79,8 +80,17 @@ def fetch_and_decrypt(redis: SyncRedis, options: RedenvOptions) -> Secrets:
             error(f'Failed to decrypt secret "{key}".', options.log)
             continue
 
-    log(f"Successfully loaded {len(secrets)} secrets.", options.log)
-    return secrets
+    # Capture raw decrypted secrets before expansion
+    raw_decrypted = dict(secrets)
+
+    # Expand variables
+    expanded_secrets = expand_secrets(raw_decrypted)
+    
+    # Create final Secrets object with both expanded and raw data
+    result = Secrets(expanded_secrets, raw_data=raw_decrypted)
+
+    log(f"Successfully loaded {len(result)} secrets.", options.log)
+    return result
 
 def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvOptions):
     """
@@ -100,14 +110,12 @@ def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvOptions
 
 def set_secret(redis: SyncRedis, options: RedenvOptions, key: str, value: str):
     """
-    Sets a secret in Redis with versioning and history.
+    Sets a secret in Redis.
     """
     env_key = f"{options.environment}:{options.project}"
     meta_key = f"meta@{options.project}"
     
-    # Sequential fetch (Simpler for sync, parallel requires threads)
     metadata = redis.hgetall(meta_key)
-    current_history_str = redis.hget(env_key, key)
     
     if not metadata:
         raise RedenvError(f'Project "{options.project}" not found.', "PROJECT_NOT_FOUND")
@@ -116,32 +124,66 @@ def set_secret(redis: SyncRedis, options: RedenvOptions, key: str, value: str):
     
     history_limit = int(metadata.get("historyLimit", 10))
     
-    history = []
-    if current_history_str:
-        history = json.loads(current_history_str) if isinstance(current_history_str, str) else current_history_str
-        
-    if not isinstance(history, list):
-        history = []
-        
-    last_version = history[0]["version"] if len(history) > 0 else 0
-    
     encrypted_value = encrypt(value, pek)
     
     from datetime import datetime, timezone
-    
-    new_version = {
-        "version": last_version + 1,
-        "value": encrypted_value,
-        "user": options.token_id,
-        "createdAt": datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
+    created_at = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
+    
+    script = """
+    local env_key = KEYS[1]
+    local field = ARGV[1]
+    local encrypted_value = ARGV[2]
+    local user = ARGV[3]
+    local created_at = ARGV[4]
+    local history_limit = tonumber(ARGV[5])
+
+    -- Fetch Current History
+    local current_data = redis.call('HGET', env_key, field)
+    local history = {}
+
+    if current_data then
+        local status, res = pcall(cjson.decode, current_data)
+        if status then
+            history = res
+        end
+    end
+
+    -- Determine Next Version
+    local last_version = 0
+    if #history > 0 and history[1] and history[1]['version'] then
+        last_version = history[1]['version']
+    end
+
+    -- Create New Record
+    local new_version = {
+        version = last_version + 1,
+        value = encrypted_value,
+        user = user,
+        createdAt = created_at
     }
+
+    -- Prepend (Newest First)
+    table.insert(history, 1, new_version)
+
+    -- Trim History
+    if history_limit > 0 then
+        while #history > history_limit do
+            table.remove(history)
+        end
+    end
+
+    -- Save and Return
+    local encoded = cjson.encode(history)
+    redis.call('HSET', env_key, field, encoded)
+
+    return encoded
+    """
     
-    history.insert(0, new_version)
-    
-    if history_limit > 0:
-        history = history[:history_limit]
-        
-    return redis.hset(env_key, key, json.dumps(history))
+    return redis.eval(
+        script,
+        [env_key],
+        [key, encrypted_value, options.token_id, created_at, str(history_limit)]
+    )
 
 def get_secret_version(redis: SyncRedis, options: RedenvOptions, cache: LRUCache, key: str, version: int, mode: Literal["id", "index"] = "id") -> Optional[str]:
     """

{redenv-0.2.0 → redenv-0.4.0}/src/redenv/utils.py

@@ -1,9 +1,9 @@
 from .crypto import derive_key, decrypt, hex_to_buffer, encrypt
 from .types import RedenvOptions, LogPreference, CacheEntry
 from .errors import RedenvError
+from .expand import expand_secrets
 from upstash_redis import AsyncRedis
 from .secrets import Secrets
-import asyncio
 import json
 import os
 import time
@@ -114,8 +114,17 @@ async def fetch_and_decrypt(redis: AsyncRedis, options: RedenvOptions) -> Secret
             error(f'Failed to decrypt secret "{key}".', options.log)
             continue
 
-    log(f"Successfully loaded {len(secrets)} secrets.", options.log)
-    return secrets
+    # Capture raw decrypted secrets before expansion
+    raw_decrypted = dict(secrets)
+
+    # Expand variables
+    expanded_secrets = expand_secrets(raw_decrypted)
+    
+    # Create final Secrets object with both expanded and raw data
+    result = Secrets(expanded_secrets, raw_data=raw_decrypted)
+
+    log(f"Successfully loaded {len(result)} secrets.", options.log)
+    return result
 
 async def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvOptions):
     """
@@ -135,56 +144,85 @@ async def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvO
 
 async def set_secret(redis: AsyncRedis, options: RedenvOptions, key: str, value: str):
     """
-    Sets a secret in Redis with versioning and history.
+    Sets a secret in Redis.
     """
     env_key = f"{options.environment}:{options.project}"
     meta_key = f"meta@{options.project}"
     
-    # Fetch metadata (for PEK & historyLimit) and current history in parallel
-    metadata, current_history = await asyncio.gather(
-        redis.hgetall(meta_key), 
-        redis.hget(env_key, key)
-    )
+    # We do this outside Lua to avoid CROSSSLOT errors in Redis Cluster/Upstash
+    metadata = await redis.hgetall(meta_key)
     
     if not metadata:
         raise RedenvError(f'Project "{options.project}" not found.', "PROJECT_NOT_FOUND")
         
-    # Reuse metadata to get PEK without extra fetch
+    # Reuse metadata to get PEK
     pek = await get_pek(redis, options, metadata)
     
     history_limit = int(metadata.get("historyLimit", 10))
     
-    # Fetch current history for the key
-    history = []
-    if current_history:
-        history = json.loads(current_history) if isinstance(current_history, str) else current_history
-        
-    if not isinstance(history, list):
-        history = []
-        
-    last_version = history[0]["version"] if len(history) > 0 else 0
-    
     # Encrypt new value
     encrypted_value = encrypt(value, pek)
     
     from datetime import datetime, timezone
+    created_at = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
     
-    new_version = {
-        "version": last_version + 1,
-        "value": encrypted_value,
-        "user": options.token_id, # Using token_id as the user/auditor
-        "createdAt": datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
+    # KEYS[1] = env_key
+    # ARGV[1] = field (key), ARGV[2] = encrypted_value, ARGV[3] = user, ARGV[4] = created_at, ARGV[5] = history_limit
+    script = """
+    local env_key = KEYS[1]
+    local field = ARGV[1]
+    local encrypted_value = ARGV[2]
+    local user = ARGV[3]
+    local created_at = ARGV[4]
+    local history_limit = tonumber(ARGV[5])
+
+    -- Fetch Current History
+    local current_data = redis.call('HGET', env_key, field)
+    local history = {}
+
+    if current_data then
+        local status, res = pcall(cjson.decode, current_data)
+        if status then
+            history = res
+        end
+    end
+
+    -- Determine Next Version
+    local last_version = 0
+    if #history > 0 and history[1] and history[1]['version'] then
+        last_version = history[1]['version']
+    end
+
+    -- Create New Record
+    local new_version = {
+        version = last_version + 1,
+        value = encrypted_value,
+        user = user,
+        createdAt = created_at
     }
-    
-    # Prepend new version
-    history.insert(0, new_version)
-    
-    # Trim history
-    if history_limit > 0:
-        history = history[:history_limit]
-        
-    # Write back
-    return await redis.hset(env_key, key, json.dumps(history))
+
+    -- Prepend (Newest First)
+    table.insert(history, 1, new_version)
+
+    -- Trim History
+    if history_limit > 0 then
+        while #history > history_limit do
+            table.remove(history)
+        end
+    end
+
+    -- Save and Return
+    local encoded = cjson.encode(history)
+    redis.call('HSET', env_key, field, encoded)
+
+    return encoded
+    """
+
+    return await redis.eval(
+        script,
+        [env_key],
+        [key, encrypted_value, options.token_id, created_at, str(history_limit)]
+    )
 
 async def get_secret_version(redis: AsyncRedis, options: RedenvOptions, cache: LRUCache, key: str, version: int, mode: Literal["id", "index"] = "id") -> Optional[str]:
     """

redenv-0.4.0/tests/test_client.py

@@ -0,0 +1,144 @@
+import pytest
+import json
+from unittest.mock import AsyncMock, patch
+from redenv import Redenv
+from redenv.crypto import encrypt, derive_key, buffer_to_hex, random_bytes
+
+# --- Test Data Setup ---
+PASSWORD = "masterpassword"
+SALT = random_bytes(16)
+TOKEN_SALT = random_bytes(16)
+TOKEN_SECRET = "redenv_sk_test"
+TOKEN_ID = "stk_test"
+
+# 1. Derive PEK
+PEK = derive_key(PASSWORD, SALT) # Project Encryption Key
+
+# 2. Encrypt PEK with Service Token
+token_key = derive_key(TOKEN_SECRET, TOKEN_SALT)
+encrypted_pek = encrypt(buffer_to_hex(PEK), token_key) # Wait, exportKey not implemented in python utils, we used bytes.
+# In utils.py get_pek: decrypted_pek_hex = decrypt(..., token_key) -> return hex_to_buffer(decrypted_pek_hex)
+# So we need to encrypt the HEX string of the PEK.
+pek_hex = buffer_to_hex(PEK)
+encrypted_pek_str = encrypt(pek_hex, token_key)
+
+# 3. Create Metadata
+METADATA = {
+    "serviceTokens": json.dumps({
+        TOKEN_ID: {
+            "salt": buffer_to_hex(TOKEN_SALT),
+            "encryptedPEK": encrypted_pek_str,
+            "name": "Test Token"
+        }
+    }),
+    "historyLimit": "10"
+}
+
+# 4. Create Secret Data
+SECRET_KEY = "API_KEY"
+SECRET_VAL = "super-secret-value"
+encrypted_secret = encrypt(SECRET_VAL, PEK)
+
+SECRET_HISTORY = [
+    {
+        "version": 1,
+        "value": encrypted_secret,
+        "user": "test-user",
+        "createdAt": "2023-01-01T00:00:00Z"
+    }
+]
+
+ENVIRONMENT_DATA = {
+    SECRET_KEY: json.dumps(SECRET_HISTORY)
+}
+
+# --- Client Setup ---
+@pytest.fixture
+def mock_redis():
+    mock = AsyncMock()
+    # Mock hgetall responses
+    def side_effect(key):
+        if key == "meta@test-project":
+            return METADATA
+        if key == "dev:test-project":
+            return ENVIRONMENT_DATA
+        return {}
+    
+    mock.hgetall.side_effect = side_effect
+    
+    # Mock hget response (for set_secret and get_version)
+    async def hget_side_effect(key, field):
+        if key == "dev:test-project" and field == SECRET_KEY:
+            return json.dumps(SECRET_HISTORY)
+        return None
+        
+    mock.hget.side_effect = hget_side_effect
+    
+    return mock
+
+@pytest.fixture
+def client(mock_redis):
+    with patch("redenv.client.Redis", return_value=mock_redis):
+        client = Redenv({
+            "project": "test-project",
+            "token_id": TOKEN_ID,
+            "token": TOKEN_SECRET,
+            "environment": "dev",
+            "upstash": {"url": "https://mock", "token": "mock"},
+            "log": "none"
+        })
+        return client
+
+@pytest.mark.asyncio
+async def test_load_decrypts_successfully(client, mock_redis):
+    secrets = await client.load()
+    assert secrets[SECRET_KEY] == SECRET_VAL
+    assert mock_redis.hgetall.call_count == 2 # 1 meta, 1 env
+
+@pytest.mark.asyncio
+async def test_caching_behavior(client, mock_redis):
+    # First load
+    await client.load()
+    assert mock_redis.hgetall.call_count == 2
+    
+    # Second load (should hit cache)
+    await client.load()
+    assert mock_redis.hgetall.call_count == 2 # Counts shouldn't increase
+
+@pytest.mark.asyncio
+async def test_write_secret(client, mock_redis):
+    new_val = "new-value"
+    await client.set(SECRET_KEY, new_val)
+    
+    # Verify eval was called (for Lua script)
+    assert mock_redis.eval.called
+    
+    args = mock_redis.eval.call_args
+    script = args[0][0]
+    keys = args[0][1]
+    argv = args[0][2]
+    
+    # Check script content basics
+    assert "local env_key = KEYS[1]" in script
+    assert "redis.call('HSET', env_key, field, encoded)" in script
+    
+    # Check keys
+    assert keys[0] == "dev:test-project"
+    
+    # Check args: [key, encrypted_value, user, created_at, history_limit]
+    assert argv[0] == SECRET_KEY
+    # We can't verify encrypted value exactly without decrypting, but it should be a string
+    assert isinstance(argv[1], str)
+    assert argv[2] == TOKEN_ID
+    # History Limit
+    assert int(argv[4]) == 10
+
+@pytest.mark.asyncio
+async def test_get_version(client, mock_redis):
+    # Version 1 exists in our mock data
+    val = await client.get_version(SECRET_KEY, 1)
+    assert val == SECRET_VAL
+    
+    # Version 99 does not exist
+    val_missing = await client.get_version(SECRET_KEY, 99)
+    assert val_missing is None

redenv-0.4.0/tests/test_expand.py

@@ -0,0 +1,59 @@
+import pytest
+from redenv.expand import expand_secrets
+from redenv.errors import RedenvError
+
+def test_basic_expansion():
+    secrets = {
+        "BASE_URL": "https://api.example.com",
+        "AUTH_URL": "${BASE_URL}/auth"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["AUTH_URL"] == "https://api.example.com/auth"
+
+def test_recursive_expansion():
+    secrets = {
+        "A": "value",
+        "B": "${A}",
+        "C": "${B}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["C"] == "value"
+
+def test_multiple_references():
+    secrets = {
+        "PROTOCOL": "https",
+        "DOMAIN": "example.com",
+        "URL": "${PROTOCOL}://${DOMAIN}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["URL"] == "https://example.com"
+
+def test_circular_dependency():
+    secrets = {
+        "A": "${B}",
+        "B": "${A}"
+    }
+    with pytest.raises(RedenvError, match="Circular dependency detected"):
+        expand_secrets(secrets)
+
+def test_missing_reference():
+    secrets = {
+        "A": "${MISSING}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["A"] == "${MISSING}"
+
+def test_escaped_reference():
+    secrets = {
+        "A": r"\${NOT_EXPANDED}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["A"] == "${NOT_EXPANDED}"
+
+def test_mixed_escaped_and_normal():
+    secrets = {
+        "VAR": "value",
+        "A": r"\${VAR} and ${VAR}"
+    }
+    expanded = expand_secrets(secrets)
+    assert expanded["A"] == "${VAR} and value"

redenv-0.4.0/tests/test_secrets.py

@@ -0,0 +1,96 @@
+import pytest
+from redenv.secrets import Secrets
+from redenv.errors import RedenvError
+
+def test_secrets_access():
+    data = {"KEY": "value"}
+    secrets = Secrets(data)
+    assert secrets["KEY"] == "value"
+    assert secrets.get("KEY") == "value"
+    
+    # Missing keys should return None instead of raising KeyError
+    assert secrets["MISSING"] is None
+
+def test_secrets_cast_int():
+    secrets = Secrets({"PORT": "8080", "BAD": "abc"})
+    assert secrets.get("PORT", cast=int) == 8080
+    assert secrets.get("BAD", cast=int) == None # Defaults to None on failure
+    assert secrets.get("BAD", default=0, cast=int) == 0
+
+def test_secrets_cast_bool():
+    secrets = Secrets({
+        "FLAG_TRUE": "true",
+        "FLAG_1": "1",
+        "FLAG_YES": "yes",
+        "FLAG_FALSE": "false",
+        "FLAG_0": "0"
+    })
+    
+    assert secrets.get("FLAG_TRUE", cast=bool) is True
+    assert secrets.get("FLAG_1", cast=bool) is True
+    assert secrets.get("FLAG_YES", cast=bool) is True
+    assert secrets.get("FLAG_FALSE", cast=bool) is False
+    assert secrets.get("FLAG_0", cast=bool) is False
+
+def test_secrets_cast_json():
+    secrets = Secrets({"CONFIG": '{"foo": "bar"}'})
+    config = secrets.get("CONFIG", cast=dict)
+    assert isinstance(config, dict)
+    assert config["foo"] == "bar"
+
+def test_secrets_scoping():
+    secrets = Secrets({
+        "APP_NAME": "MyApp",
+        "STRIPE_KEY": "sk_123",
+        "STRIPE_SECRET": "wh_456"
+    })
+    
+    stripe = secrets.scope("STRIPE_")
+    
+    # Prefix should be stripped
+    assert stripe["KEY"] == "sk_123"
+    assert stripe["SECRET"] == "wh_456"
+    # Unrelated keys should be ignored
+    assert "APP_NAME" not in stripe
+    # Original object should be untouched
+    assert secrets["STRIPE_KEY"] == "sk_123"
+
+def test_secrets_require():
+    secrets = Secrets({"A": "1", "B": "2"})
+    
+    # Should pass (chainable)
+    assert secrets.require("A", "B") is secrets
+    
+    # Should fail
+    with pytest.raises(RedenvError, match="Missing required secrets: C"):
+        secrets.require("A", "C")
+
+def test_secrets_masking():
+    secrets = Secrets({"API_KEY": "secret_value"})
+    output = str(secrets)
+    
+    assert "API_KEY" in output
+    assert "secret_value" not in output
+    assert "********" in output
+
+def test_secrets_raw_access():
+    raw_data = {"BASE": "val", "URL": "${BASE}/path"}
+    expanded_data = {"BASE": "val", "URL": "val/path"}
+    
+    secrets = Secrets(expanded_data, raw_data=raw_data)
+    
+    assert secrets["URL"] == "val/path"
+    assert secrets.raw["URL"] == "${BASE}/path"
+    assert secrets.raw["BASE"] == "val"
+    
+    # Test scoping raw access
+    stripe_raw = {"STRIPE_KEY": "${BASE}/key"}
+    stripe_expanded = {"STRIPE_KEY": "val/key"}
+    full_secrets = Secrets(
+        {**expanded_data, **stripe_expanded},
+        raw_data={**raw_data, **stripe_raw}
+    )
+    
+    stripe_scope = full_secrets.scope("STRIPE_")
+    assert stripe_scope["KEY"] == "val/key"
+    assert stripe_scope.raw["KEY"] == "${BASE}/key"

redenv-0.4.0/tests/test_sync.py

@@ -0,0 +1,135 @@
+import pytest
+import json
+from unittest.mock import MagicMock, patch
+from redenv.sync import Redenv as RedenvSync
+from redenv.crypto import encrypt, derive_key, buffer_to_hex, random_bytes
+
+# --- Test Data Setup (Mirroring test_client.py) ---
+PASSWORD = "masterpassword"
+SALT = random_bytes(16)
+TOKEN_SALT = random_bytes(16)
+TOKEN_SECRET = "redenv_sk_test"
+TOKEN_ID = "stk_test"
+
+# 1. Setup Keys
+PEK = derive_key(PASSWORD, SALT)
+token_key = derive_key(TOKEN_SECRET, TOKEN_SALT)
+pek_hex = buffer_to_hex(PEK)
+encrypted_pek_str = encrypt(pek_hex, token_key)
+
+# 2. Metadata
+METADATA = {
+    "serviceTokens": json.dumps({
+        TOKEN_ID: {
+            "salt": buffer_to_hex(TOKEN_SALT),
+            "encryptedPEK": encrypted_pek_str,
+            "name": "Test Token"
+        }
+    }),
+    "historyLimit": "10"
+}
+
+# 3. Secret Data
+SECRET_KEY = "SYNC_API_KEY"
+SECRET_VAL = "sync-secret-value"
+encrypted_secret = encrypt(SECRET_VAL, PEK)
+
+SECRET_HISTORY = [
+    {
+        "version": 1,
+        "value": encrypted_secret,
+        "user": "sync-user",
+        "createdAt": "2023-01-01T00:00:00Z"
+    }
+]
+
+ENVIRONMENT_DATA = {
+    SECRET_KEY: json.dumps(SECRET_HISTORY)
+}
+
+# --- Sync Client Fixtures ---
+@pytest.fixture
+def mock_redis_sync():
+    mock = MagicMock()
+    
+    # Mock hgetall
+    def hgetall_side_effect(key):
+        if key == "meta@sync-project":
+            return METADATA
+        if key == "prod:sync-project":
+            return ENVIRONMENT_DATA
+        return {}
+    mock.hgetall.side_effect = hgetall_side_effect
+    
+    # Mock hget
+    def hget_side_effect(key, field):
+        if key == "prod:sync-project" and field == SECRET_KEY:
+            return json.dumps(SECRET_HISTORY)
+        return None
+    mock.hget.side_effect = hget_side_effect
+    
+    return mock
+
+@pytest.fixture
+def sync_client(mock_redis_sync):
+    # Important: patch where Redis is IMPORTED in the sync client
+    with patch("redenv.sync.client.Redis", return_value=mock_redis_sync):
+        client = RedenvSync({
+            "project": "sync-project",
+            "token_id": TOKEN_ID,
+            "token": TOKEN_SECRET,
+            "environment": "prod",
+            "upstash": {"url": "https://mock", "token": "mock"},
+            "log": "none"
+        })
+        return client
+
+# --- Sync Tests ---
+def test_sync_load_decrypts(sync_client, mock_redis_sync):
+    secrets = sync_client.load()
+    assert secrets[SECRET_KEY] == SECRET_VAL
+    # Check that it called Redis
+    assert mock_redis_sync.hgetall.called
+
+def test_sync_caching(sync_client, mock_redis_sync):
+    # First load
+    sync_client.load()
+    count_after_first = mock_redis_sync.hgetall.call_count
+    
+    # Second load (should hit cache)
+    sync_client.load()
+    assert mock_redis_sync.hgetall.call_count == count_after_first
+
+def test_sync_set_secret(sync_client, mock_redis_sync):
+    new_val = "new-sync-val"
+    sync_client.set(SECRET_KEY, new_val)
+    
+    # Verify eval was called (for Lua script)
+    assert mock_redis_sync.eval.called
+    
+    args = mock_redis_sync.eval.call_args
+    script = args[0][0]
+    keys = args[0][1]
+    argv = args[0][2]
+    
+    # Check script content basics
+    assert "local env_key = KEYS[1]" in script
+    assert "redis.call('HSET', env_key, field, encoded)" in script
+    
+    # Check keys
+    assert keys[0] == "prod:sync-project"
+    
+    # Check args: [key, encrypted_value, user, created_at, history_limit]
+    assert argv[0] == SECRET_KEY
+    assert isinstance(argv[1], str)
+    assert argv[2] == TOKEN_ID
+    # History Limit
+    assert int(argv[4]) == 10
+
+def test_sync_get_version(sync_client, mock_redis_sync):
+    # Valid version
+    val = sync_client.get_version(SECRET_KEY, 1)
+    assert val == SECRET_VAL
+    
+    # Invalid version
+    assert sync_client.get_version(SECRET_KEY, 999) is None