redenv 0.3.0__tar.gz → 0.4.0__tar.gz

{redenv-0.3.0 → redenv-0.4.0}/.gitignore

@@ -6,4 +6,6 @@ build
 dist
 .eggs
 __pycache__
-.pytest_cache
+.pytest_cache
+.ruff_cache
+.venv

{redenv-0.3.0 → redenv-0.4.0}/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file.
 
+## [Unreleased]
+
+### Changed
+
+- **Atomic Secret Updates:** Refactored `client.set()` (async and sync) to use a Lua script for atomic "read-modify-write" operations in Redis. This prevents race conditions and data loss during concurrent secret updates.
+- **Cluster-Safe Architecture:** Optimized the update flow to be Redis Cluster compatible by separating metadata retrieval from the atomic write operation, avoiding CROSSSLOT errors.
+
 ## [0.3.0] - 2026-01-25
 
 ### Added

{redenv-0.3.0 → redenv-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: redenv
-Version: 0.3.0
+Version: 0.4.0
 Summary: A zero-knowledge, end-to-end encrypted secret management SDK for Python.
 Project-URL: Homepage, https://github.com/redenv-labs/redenv
 Project-URL: Documentation, https://github.com/redenv-labs/redenv/tree/main/packages/python-client

redenv-0.4.0/atomic-write-test.py

@@ -0,0 +1,147 @@
+import asyncio
+import json
+import time
+import os
+from upstash_redis.asyncio import Redis
+from redenv.utils import set_secret
+from redenv.crypto import derive_key, generate_salt, random_bytes, encrypt, buffer_to_hex, decrypt
+from redenv.types import RedenvOptions, UpstashConfig
+
+# Credentials from client/example.ts
+UPSTASH_URL = os.getenv("UPSTASH_URL")
+UPSTASH_TOKEN = os.getenv("UPSTASH_TOKEN")
+
+async def main():
+    if not UPSTASH_URL or not UPSTASH_TOKEN:
+        raise ValueError("UPSTASH_URL and UPSTASH_TOKEN must be set")
+    
+    project_name = f"test-atomic-py-{int(time.time())}"
+    environment = "dev"
+    key = "ATOMIC_KEY_PY"
+    value1 = "value-1"
+    value2 = "value-2"
+    user = "python-integration-test"
+
+    # Direct Redis access for verification
+    redis = Redis(url=UPSTASH_URL, token=UPSTASH_TOKEN)
+
+    # Setup Options object manually since we are testing set_secret util directly
+    options = RedenvOptions(
+        project=project_name,
+        token_id="stk_test",
+        token="redenv_sk_test",
+        upstash=UpstashConfig(url=UPSTASH_URL, token=UPSTASH_TOKEN),
+        environment=environment,
+        log="none"
+    )
+
+    print(f"\n--- Starting Python Real Integration Test ---")
+    print(f"Project: {project_name}")
+
+    try:
+        # 1. Setup Metadata & Keys
+        print("1. Creating project metadata...")
+        
+        # We need a valid PEK encrypted in metadata for get_pek to work
+        # Generate real PEK
+        salt = generate_salt()
+        pek = random_bytes(32) # PEK is 32 bytes (256 bits)
+        
+        # Wrap PEK with our mock service token
+        token_key = derive_key("redenv_sk_test", salt)
+        # Encrypt the HEX representation of PEK
+        encrypted_pek = encrypt(buffer_to_hex(pek), token_key)
+
+        await redis.hset(f"meta@{project_name}", values={
+            "historyLimit": 5,
+            "serviceTokens": json.dumps({
+                "stk_test": {
+                    "salt": buffer_to_hex(salt),
+                    "encryptedPEK": encrypted_pek,
+                    "name": "Test Token"
+                }
+            })
+        })
+
+        # 2. First Write
+        print(f"2. Writing first version: '{value1}'...")
+        await set_secret(redis, options, key, value1)
+        print("   ✓ Write successful")
+
+        # 3. Second Write
+        print(f"3. Writing second version: '{value2}'...")
+        await set_secret(redis, options, key, value2)
+        print("   ✓ Update successful")
+
+        # 4. Verification
+        print("4. Verifying data in Redis...")
+        raw_data = await redis.hget(f"{environment}:{project_name}", key)
+        history = json.loads(raw_data) if isinstance(raw_data, str) else raw_data
+        
+        print(f"   History length: {len(history)} (Expected: 2)")
+        if len(history) != 2:
+            raise Exception(f"History length mismatch! Got {len(history)}")
+
+        # Check V2 (Latest)
+        v2 = history[0]
+        decrypted_v2 = decrypt(v2["value"], pek)
+        print(f"   v{v2['version']} Value: '{decrypted_v2}' (Expected: '{value2}')")
+        if decrypted_v2 != value2:
+            raise Exception("Latest value mismatch!")
+
+        # Check V1
+        v1 = history[1]
+        decrypted_v1 = decrypt(v1["value"], pek)
+        print(f"   v{v1['version']} Value: '{decrypted_v1}' (Expected: '{value1}')")
+        if decrypted_v1 != value1:
+            raise Exception("Previous value mismatch!")
+
+        # 5. Concurrency Test
+        print("\n5. Testing Concurrency (Race Conditions)...")
+        parallel_writes = 5
+        print(f"   Firing {parallel_writes} writes in parallel...")
+
+        tasks = []
+        for i in range(parallel_writes):
+            tasks.append(set_secret(redis, options, key, f"concurrent-{i}"))
+        
+        await asyncio.gather(*tasks)
+        print("   ✓ Parallel writes completed")
+
+        # 6. Verify Concurrency
+        print("6. Verifying concurrency results...")
+        raw_data_concurrent = await redis.hget(f"{environment}:{project_name}", key)
+        history = json.loads(raw_data_concurrent) if isinstance(raw_data_concurrent, str) else raw_data_concurrent
+        
+        # Initial 2 + 5 = 7 total versions created.
+        # But historyLimit is 5.
+        print(f"   History length: {len(history)} (Expected Cap: 5)")
+        if len(history) != 5:
+             raise Exception(f"History should be capped at 5! Got {len(history)}")
+
+        latest_version = history[0]['version']
+        expected_version = 2 + parallel_writes # 7
+        print(f"   Latest Version: {latest_version} (Expected: {expected_version})")
+
+        if latest_version != expected_version:
+            raise Exception(f"Race condition detected! Expected version {expected_version}, got {latest_version}. Updates were lost.")
+
+        # Ensure all versions are unique
+        versions = [h['version'] for h in history]
+        unique_versions = set(versions)
+        if len(versions) != len(unique_versions):
+            raise Exception("Duplicate version numbers detected!")
+
+        print("\n✅ SUCCESS: Python Atomic set_secret is working correctly on real Redis.")
+
+    except Exception as e:
+        print(f"\n❌ FAILED: {e}")
+        import traceback
+        traceback.print_exc()
+    finally:
+        print("\nCleaning up...")
+        await redis.delete(f"meta@{project_name}")
+        await redis.delete(f"{environment}:{project_name}")
+
+if __name__ == "__main__":
+    asyncio.run(main())

{redenv-0.3.0 → redenv-0.4.0}/src/redenv/__init__.py

@@ -3,5 +3,5 @@ from .errors import RedenvError
 from .secrets import Secrets
 from .sync import Redenv as RedenvSync
 
-__version__ = "0.3.0"
+__version__ = "0.4.0"
 __all__ = ["Redenv", "RedenvSync", "RedenvError", "Secrets"]

{redenv-0.3.0 → redenv-0.4.0}/src/redenv/sync/utils.py

@@ -110,14 +110,12 @@ def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvOptions
 
 def set_secret(redis: SyncRedis, options: RedenvOptions, key: str, value: str):
     """
-    Sets a secret in Redis with versioning and history.
+    Sets a secret in Redis.
     """
     env_key = f"{options.environment}:{options.project}"
     meta_key = f"meta@{options.project}"
     
-    # Sequential fetch (Simpler for sync, parallel requires threads)
     metadata = redis.hgetall(meta_key)
-    current_history_str = redis.hget(env_key, key)
     
     if not metadata:
         raise RedenvError(f'Project "{options.project}" not found.', "PROJECT_NOT_FOUND")
@@ -126,32 +124,66 @@ def set_secret(redis: SyncRedis, options: RedenvOptions, key: str, value: str):
     
     history_limit = int(metadata.get("historyLimit", 10))
     
-    history = []
-    if current_history_str:
-        history = json.loads(current_history_str) if isinstance(current_history_str, str) else current_history_str
-        
-    if not isinstance(history, list):
-        history = []
-        
-    last_version = history[0]["version"] if len(history) > 0 else 0
-    
     encrypted_value = encrypt(value, pek)
     
     from datetime import datetime, timezone
-    
-    new_version = {
-        "version": last_version + 1,
-        "value": encrypted_value,
-        "user": options.token_id,
-        "createdAt": datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
+    created_at = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
+    
+    script = """
+    local env_key = KEYS[1]
+    local field = ARGV[1]
+    local encrypted_value = ARGV[2]
+    local user = ARGV[3]
+    local created_at = ARGV[4]
+    local history_limit = tonumber(ARGV[5])
+
+    -- Fetch Current History
+    local current_data = redis.call('HGET', env_key, field)
+    local history = {}
+
+    if current_data then
+        local status, res = pcall(cjson.decode, current_data)
+        if status then
+            history = res
+        end
+    end
+
+    -- Determine Next Version
+    local last_version = 0
+    if #history > 0 and history[1] and history[1]['version'] then
+        last_version = history[1]['version']
+    end
+
+    -- Create New Record
+    local new_version = {
+        version = last_version + 1,
+        value = encrypted_value,
+        user = user,
+        createdAt = created_at
     }
+
+    -- Prepend (Newest First)
+    table.insert(history, 1, new_version)
+
+    -- Trim History
+    if history_limit > 0 then
+        while #history > history_limit do
+            table.remove(history)
+        end
+    end
+
+    -- Save and Return
+    local encoded = cjson.encode(history)
+    redis.call('HSET', env_key, field, encoded)
+
+    return encoded
+    """
     
-    history.insert(0, new_version)
-    
-    if history_limit > 0:
-        history = history[:history_limit]
-        
-    return redis.hset(env_key, key, json.dumps(history))
+    return redis.eval(
+        script,
+        [env_key],
+        [key, encrypted_value, options.token_id, created_at, str(history_limit)]
+    )
 
 def get_secret_version(redis: SyncRedis, options: RedenvOptions, cache: LRUCache, key: str, version: int, mode: Literal["id", "index"] = "id") -> Optional[str]:
     """

{redenv-0.3.0 → redenv-0.4.0}/src/redenv/utils.py

@@ -4,7 +4,6 @@ from .errors import RedenvError
 from .expand import expand_secrets
 from upstash_redis import AsyncRedis
 from .secrets import Secrets
-import asyncio
 import json
 import os
 import time
@@ -145,56 +144,85 @@ async def populate_env(secrets: Union[Dict[str, str], Secrets], options: RedenvO
 
 async def set_secret(redis: AsyncRedis, options: RedenvOptions, key: str, value: str):
     """
-    Sets a secret in Redis with versioning and history.
+    Sets a secret in Redis.
     """
     env_key = f"{options.environment}:{options.project}"
     meta_key = f"meta@{options.project}"
     
-    # Fetch metadata (for PEK & historyLimit) and current history in parallel
-    metadata, current_history = await asyncio.gather(
-        redis.hgetall(meta_key), 
-        redis.hget(env_key, key)
-    )
+    # We do this outside Lua to avoid CROSSSLOT errors in Redis Cluster/Upstash
+    metadata = await redis.hgetall(meta_key)
     
     if not metadata:
         raise RedenvError(f'Project "{options.project}" not found.', "PROJECT_NOT_FOUND")
         
-    # Reuse metadata to get PEK without extra fetch
+    # Reuse metadata to get PEK
     pek = await get_pek(redis, options, metadata)
     
     history_limit = int(metadata.get("historyLimit", 10))
     
-    # Fetch current history for the key
-    history = []
-    if current_history:
-        history = json.loads(current_history) if isinstance(current_history, str) else current_history
-        
-    if not isinstance(history, list):
-        history = []
-        
-    last_version = history[0]["version"] if len(history) > 0 else 0
-    
     # Encrypt new value
     encrypted_value = encrypt(value, pek)
     
     from datetime import datetime, timezone
+    created_at = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
     
-    new_version = {
-        "version": last_version + 1,
-        "value": encrypted_value,
-        "user": options.token_id, # Using token_id as the user/auditor
-        "createdAt": datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
+    # KEYS[1] = env_key
+    # ARGV[1] = field (key), ARGV[2] = encrypted_value, ARGV[3] = user, ARGV[4] = created_at, ARGV[5] = history_limit
+    script = """
+    local env_key = KEYS[1]
+    local field = ARGV[1]
+    local encrypted_value = ARGV[2]
+    local user = ARGV[3]
+    local created_at = ARGV[4]
+    local history_limit = tonumber(ARGV[5])
+
+    -- Fetch Current History
+    local current_data = redis.call('HGET', env_key, field)
+    local history = {}
+
+    if current_data then
+        local status, res = pcall(cjson.decode, current_data)
+        if status then
+            history = res
+        end
+    end
+
+    -- Determine Next Version
+    local last_version = 0
+    if #history > 0 and history[1] and history[1]['version'] then
+        last_version = history[1]['version']
+    end
+
+    -- Create New Record
+    local new_version = {
+        version = last_version + 1,
+        value = encrypted_value,
+        user = user,
+        createdAt = created_at
     }
-    
-    # Prepend new version
-    history.insert(0, new_version)
-    
-    # Trim history
-    if history_limit > 0:
-        history = history[:history_limit]
-        
-    # Write back
-    return await redis.hset(env_key, key, json.dumps(history))
+
+    -- Prepend (Newest First)
+    table.insert(history, 1, new_version)
+
+    -- Trim History
+    if history_limit > 0 then
+        while #history > history_limit do
+            table.remove(history)
+        end
+    end
+
+    -- Save and Return
+    local encoded = cjson.encode(history)
+    redis.call('HSET', env_key, field, encoded)
+
+    return encoded
+    """
+
+    return await redis.eval(
+        script,
+        [env_key],
+        [key, encrypted_value, options.token_id, created_at, str(history_limit)]
+    )
 
 async def get_secret_version(redis: AsyncRedis, options: RedenvOptions, cache: LRUCache, key: str, version: int, mode: Literal["id", "index"] = "id") -> Optional[str]:
     """

{redenv-0.3.0 → redenv-0.4.0}/tests/test_client.py

@@ -110,19 +110,28 @@ async def test_write_secret(client, mock_redis):
     new_val = "new-value"
     await client.set(SECRET_KEY, new_val)
     
-    # Verify hset was called
-    args = mock_redis.hset.call_args
-    # hset(key, field, value)
-    assert args[0][0] == "dev:test-project"
-    assert args[0][1] == SECRET_KEY
+    # Verify eval was called (for Lua script)
+    assert mock_redis.eval.called
     
-    written_json = args[0][2]
-    history = json.loads(written_json)
+    args = mock_redis.eval.call_args
+    script = args[0][0]
+    keys = args[0][1]
+    argv = args[0][2]
     
-    assert len(history) == 2 # Prepend new version
-    assert history[0]["version"] == 2
-    # We can't verify encrypted value easily without decrypting, 
-    # but we assume encrypt() works (tested in unit tests)
+    # Check script content basics
+    assert "local env_key = KEYS[1]" in script
+    assert "redis.call('HSET', env_key, field, encoded)" in script
+    
+    # Check keys
+    assert keys[0] == "dev:test-project"
+    
+    # Check args: [key, encrypted_value, user, created_at, history_limit]
+    assert argv[0] == SECRET_KEY
+    # We can't verify encrypted value exactly without decrypting, but it should be a string
+    assert isinstance(argv[1], str)
+    assert argv[2] == TOKEN_ID
+    # History Limit
+    assert int(argv[4]) == 10
 
 @pytest.mark.asyncio
 async def test_get_version(client, mock_redis):

{redenv-0.3.0 → redenv-0.4.0}/tests/test_sync.py

@@ -104,15 +104,27 @@ def test_sync_set_secret(sync_client, mock_redis_sync):
     new_val = "new-sync-val"
     sync_client.set(SECRET_KEY, new_val)
     
-    # Verify hset was called
-    assert mock_redis_sync.hset.called
-    args = mock_redis_sync.hset.call_args
-    assert args[0][0] == "prod:sync-project"
-    assert args[0][1] == SECRET_KEY
+    # Verify eval was called (for Lua script)
+    assert mock_redis_sync.eval.called
     
-    written_json = args[0][2]
-    history = json.loads(written_json)
-    assert history[0]["version"] == 2
+    args = mock_redis_sync.eval.call_args
+    script = args[0][0]
+    keys = args[0][1]
+    argv = args[0][2]
+    
+    # Check script content basics
+    assert "local env_key = KEYS[1]" in script
+    assert "redis.call('HSET', env_key, field, encoded)" in script
+    
+    # Check keys
+    assert keys[0] == "prod:sync-project"
+    
+    # Check args: [key, encrypted_value, user, created_at, history_limit]
+    assert argv[0] == SECRET_KEY
+    assert isinstance(argv[1], str)
+    assert argv[2] == TOKEN_ID
+    # History Limit
+    assert int(argv[4]) == 10
 
 def test_sync_get_version(sync_client, mock_redis_sync):
     # Valid version