selectel-sm 0.1.0__tar.gz

selectel_sm-0.1.0/.claude/settings.local.json

@@ -0,0 +1,13 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(uv --version)",
+      "Bash(echo \"uv: $\\(uv --version 2>&1\\)\")",
+      "Bash(git -C /home/flacy/prj/selectel-sm remote -v)",
+      "Bash(uv sync *)",
+      "Bash(uv run *)",
+      "Bash(uv build *)",
+      "Bash(python3 -c \"import zipfile,glob; w=sorted\\(glob.glob\\('dist/*.whl'\\)\\)[-1]; print\\(w\\); [print\\(' ',n\\) for n in zipfile.ZipFile\\(w\\).namelist\\(\\) if n.endswith\\(\\('.py','py.typed'\\)\\)]\")"
+    ]
+  }
+}

selectel_sm-0.1.0/.gitignore

@@ -0,0 +1,223 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#   Usually these files are written by a python script from a template
+#   before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+# Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+# uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+# poetry.lock
+# poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+# pdm.lock
+# pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+# pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# Redis
+*.rdb
+*.aof
+*.pid
+
+# RabbitMQ
+mnesia/
+rabbitmq/
+rabbitmq-data/
+
+# ActiveMQ
+activemq-data/
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#   JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#   be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#   and can be added to the global gitignore or merged into this file.  For a more nuclear
+#   option (not recommended) you can uncomment the following to ignore the entire idea folder.
+# .idea/
+
+# Abstra
+#   Abstra is an AI-powered process automation framework.
+#   Ignore directories containing user credentials, local state, and settings.
+#   Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#   Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#   that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#   and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#   you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+# Temporary file for partial code execution
+tempCodeRunnerFile.py
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Streamlit
+.streamlit/secrets.toml
+
+# Local-only real API responses (contain real account/project IDs and secret names).
+# Sanitized/representative copies live under tests/fixtures/.
+/response.json
+/response-list.json

selectel_sm-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Andrew Krylov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

selectel_sm-0.1.0/PKG-INFO

@@ -0,0 +1,204 @@
+Metadata-Version: 2.4
+Name: selectel-sm
+Version: 0.1.0
+Summary: Python client for Selectel Secrets Manager (sync + async)
+Project-URL: Homepage, https://github.com/Flacy/selectel-sm
+Project-URL: Repository, https://github.com/Flacy/selectel-sm
+Author-email: Andrew Krylov <luntiqes@gmail.com>
+License: MIT License
+        
+        Copyright (c) 2026 Andrew Krylov
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+License-File: LICENSE
+Keywords: httpx,secrets,secrets-manager,selectel,vault
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Typing :: Typed
+Requires-Python: >=3.12
+Requires-Dist: httpx>=0.27
+Provides-Extra: cli
+Requires-Dist: rich>=13.0; extra == 'cli'
+Requires-Dist: typer>=0.12; extra == 'cli'
+Description-Content-Type: text/markdown
+
+# selectel-sm
+
+A typed Python client for [Selectel Secrets Manager](https://docs.selectel.ru/api/secrets-manager/),
+with both **synchronous and asynchronous** clients sharing a single transport-agnostic core.
+
+> ## ⚠️ Disclaimer
+>
+> This is a **non-commercial, community project built out of pure enthusiasm**. I am **not** an
+> employee of Selectel and have no affiliation with them whatsoever. I built this simply because
+> I couldn't find a maintained library for working with Selectel's Secrets Manager.
+
+## Installation
+
+```bash
+pip install selectel-sm          # library
+pip install "selectel-sm[cli]"   # + CLI (typer + rich)
+```
+
+Requires Python 3.12+.
+
+## Authentication
+
+Secrets Manager requires a **project-scoped** IAM token. (The public docs mention an
+account-scoped token, but in practice SM rejects it — a project-scoped token is required.) The
+library obtains one for you from service-user credentials, caches it, and refreshes it before
+expiry:
+
+```python
+from selectel_sm import SecretsManagerClient
+
+with SecretsManagerClient.from_credentials(
+    region="ru-7",
+    account_id="123456",
+    username="my-service-user",
+    password="...",
+    project_name="my-project",
+) as client:
+    secret = client.secrets.get("database_password")
+    print(secret.value)  # -> b"..."
+```
+
+Or bring your own project-scoped token (the client introspects it to discover the service
+catalog):
+
+```python
+client = SecretsManagerClient.from_token(region="ru-7", token="gAAAAAB...")
+```
+
+The async client mirrors the same API:
+
+```python
+from selectel_sm import AsyncSecretsManagerClient
+
+async with AsyncSecretsManagerClient.from_credentials(region="ru-7", ...) as client:
+    secret = await client.secrets.get("database_password")
+```
+
+## Endpoint resolution
+
+The Secrets Manager URL is **not hardcoded**. After authenticating, the library reads the
+service catalog returned in the Keystone token and resolves the `secrets-manager` endpoint for
+the configured `region` and `interface` (default `public`). Set `sm_base_url` on the client to
+bypass catalog resolution (e.g. for testing).
+
+## Usage
+
+All operations live under `client.secrets` (and identically on the async client with `await`).
+
+### Secrets
+
+```python
+# Create a secret with its first version. `value` is plain data (bytes or str);
+# it is base64-encoded for you before being sent.
+client.secrets.create("api_key", "s3cr3t", description="Third-party API key")
+
+# Read the current value.
+secret = client.secrets.get("api_key")
+secret.value          # b"s3cr3t"
+secret.description    # "Third-party API key"  ("" from the API becomes None)
+secret.version        # the current SecretVersion
+
+# Update / clear the description (None clears it).
+client.secrets.update_description("api_key", "Rotated key")
+
+# List all secrets (metadata only — no values).
+for summary in client.secrets.list():
+    print(summary.name, summary.type, summary.description, summary.created_at)
+
+# Delete a secret and all of its versions.
+client.secrets.delete("api_key")
+```
+
+### Versions
+
+```python
+# Add a new version. Pass activate=True to make it the current version.
+client.secrets.create_version("api_key", "rotated-secret", activate=True)
+
+# The secret plus metadata for all of its versions (no values).
+sv = client.secrets.get_versions("api_key")
+sv.versions           # tuple[SecretVersion, ...]
+sv.current            # the version flagged is_current, if any
+
+# A single version, including its value.
+version = client.secrets.get_version("api_key", version_id=1)
+version.value         # b"..."
+
+# Make a specific version current.
+client.secrets.activate_version("api_key", version_id=1)
+```
+
+### Error handling
+
+Every error derives from `SelectelSMError`, so you can catch broadly or narrowly:
+
+```python
+from selectel_sm import NotFoundError, SelectelSMError
+
+try:
+    client.secrets.get("does-not-exist")
+except NotFoundError:
+    ...
+except SelectelSMError:
+    ...
+```
+
+HTTP statuses map to `BadRequestError` (400), `ForbiddenError` (403), `NotFoundError` (404),
+`ConflictError` (409), and `ServerError` (5xx). Authentication and endpoint-resolution problems
+raise `AuthenticationError` and `EndpointNotFoundError` respectively.
+
+## A note on quirks
+
+Selectel's Secrets Manager API has a few undocumented behaviors this client handles for you,
+for example:
+
+- Listing requires a `?list=<any value>` flag **and** a trailing slash (`/v1/?list=true`),
+  otherwise it returns `404 page not found`.
+- Secret values must be valid base64 — the client always encodes plain input for you.
+- `activate version` is documented as `204 No Content` but actually returns `200` with the
+  version's metadata.
+
+## Support & maintenance
+
+Because I don't work with Selectel, **I may not be aware of the latest changes to their API, and
+something could break unexpectedly.** I do my best to keep this library up to date, but that
+isn't always possible. Contributions, bug reports, and help with its development are very
+welcome — please open an issue or a pull request.
+
+## Development
+
+```bash
+uv sync
+uv run ruff check . && uv run ruff format --check .
+uv run mypy selectel_sm
+uv run pytest
+```
+
+## License
+
+[MIT](LICENSE) © Andrew Krylov

selectel_sm-0.1.0/README.md

@@ -0,0 +1,160 @@
+# selectel-sm
+
+A typed Python client for [Selectel Secrets Manager](https://docs.selectel.ru/api/secrets-manager/),
+with both **synchronous and asynchronous** clients sharing a single transport-agnostic core.
+
+> ## ⚠️ Disclaimer
+>
+> This is a **non-commercial, community project built out of pure enthusiasm**. I am **not** an
+> employee of Selectel and have no affiliation with them whatsoever. I built this simply because
+> I couldn't find a maintained library for working with Selectel's Secrets Manager.
+
+## Installation
+
+```bash
+pip install selectel-sm          # library
+pip install "selectel-sm[cli]"   # + CLI (typer + rich)
+```
+
+Requires Python 3.12+.
+
+## Authentication
+
+Secrets Manager requires a **project-scoped** IAM token. (The public docs mention an
+account-scoped token, but in practice SM rejects it — a project-scoped token is required.) The
+library obtains one for you from service-user credentials, caches it, and refreshes it before
+expiry:
+
+```python
+from selectel_sm import SecretsManagerClient
+
+with SecretsManagerClient.from_credentials(
+    region="ru-7",
+    account_id="123456",
+    username="my-service-user",
+    password="...",
+    project_name="my-project",
+) as client:
+    secret = client.secrets.get("database_password")
+    print(secret.value)  # -> b"..."
+```
+
+Or bring your own project-scoped token (the client introspects it to discover the service
+catalog):
+
+```python
+client = SecretsManagerClient.from_token(region="ru-7", token="gAAAAAB...")
+```
+
+The async client mirrors the same API:
+
+```python
+from selectel_sm import AsyncSecretsManagerClient
+
+async with AsyncSecretsManagerClient.from_credentials(region="ru-7", ...) as client:
+    secret = await client.secrets.get("database_password")
+```
+
+## Endpoint resolution
+
+The Secrets Manager URL is **not hardcoded**. After authenticating, the library reads the
+service catalog returned in the Keystone token and resolves the `secrets-manager` endpoint for
+the configured `region` and `interface` (default `public`). Set `sm_base_url` on the client to
+bypass catalog resolution (e.g. for testing).
+
+## Usage
+
+All operations live under `client.secrets` (and identically on the async client with `await`).
+
+### Secrets
+
+```python
+# Create a secret with its first version. `value` is plain data (bytes or str);
+# it is base64-encoded for you before being sent.
+client.secrets.create("api_key", "s3cr3t", description="Third-party API key")
+
+# Read the current value.
+secret = client.secrets.get("api_key")
+secret.value          # b"s3cr3t"
+secret.description    # "Third-party API key"  ("" from the API becomes None)
+secret.version        # the current SecretVersion
+
+# Update / clear the description (None clears it).
+client.secrets.update_description("api_key", "Rotated key")
+
+# List all secrets (metadata only — no values).
+for summary in client.secrets.list():
+    print(summary.name, summary.type, summary.description, summary.created_at)
+
+# Delete a secret and all of its versions.
+client.secrets.delete("api_key")
+```
+
+### Versions
+
+```python
+# Add a new version. Pass activate=True to make it the current version.
+client.secrets.create_version("api_key", "rotated-secret", activate=True)
+
+# The secret plus metadata for all of its versions (no values).
+sv = client.secrets.get_versions("api_key")
+sv.versions           # tuple[SecretVersion, ...]
+sv.current            # the version flagged is_current, if any
+
+# A single version, including its value.
+version = client.secrets.get_version("api_key", version_id=1)
+version.value         # b"..."
+
+# Make a specific version current.
+client.secrets.activate_version("api_key", version_id=1)
+```
+
+### Error handling
+
+Every error derives from `SelectelSMError`, so you can catch broadly or narrowly:
+
+```python
+from selectel_sm import NotFoundError, SelectelSMError
+
+try:
+    client.secrets.get("does-not-exist")
+except NotFoundError:
+    ...
+except SelectelSMError:
+    ...
+```
+
+HTTP statuses map to `BadRequestError` (400), `ForbiddenError` (403), `NotFoundError` (404),
+`ConflictError` (409), and `ServerError` (5xx). Authentication and endpoint-resolution problems
+raise `AuthenticationError` and `EndpointNotFoundError` respectively.
+
+## A note on quirks
+
+Selectel's Secrets Manager API has a few undocumented behaviors this client handles for you,
+for example:
+
+- Listing requires a `?list=<any value>` flag **and** a trailing slash (`/v1/?list=true`),
+  otherwise it returns `404 page not found`.
+- Secret values must be valid base64 — the client always encodes plain input for you.
+- `activate version` is documented as `204 No Content` but actually returns `200` with the
+  version's metadata.
+
+## Support & maintenance
+
+Because I don't work with Selectel, **I may not be aware of the latest changes to their API, and
+something could break unexpectedly.** I do my best to keep this library up to date, but that
+isn't always possible. Contributions, bug reports, and help with its development are very
+welcome — please open an issue or a pull request.
+
+## Development
+
+```bash
+uv sync
+uv run ruff check . && uv run ruff format --check .
+uv run mypy selectel_sm
+uv run pytest
+```
+
+## License
+
+[MIT](LICENSE) © Andrew Krylov

selectel_sm-0.1.0/pyproject.toml

@@ -0,0 +1,69 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "selectel-sm"
+version = "0.1.0"
+description = "Python client for Selectel Secrets Manager (sync + async)"
+readme = "README.md"
+requires-python = ">=3.12"
+license = { file = "LICENSE" }
+authors = [{ name = "Andrew Krylov", email = "luntiqes@gmail.com" }]
+keywords = ["selectel", "secrets-manager", "secrets", "vault", "httpx"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Security",
+    "Typing :: Typed",
+]
+dependencies = ["httpx>=0.27"]
+
+[project.optional-dependencies]
+cli = ["typer>=0.12", "rich>=13.0"]
+
+[project.urls]
+Homepage = "https://github.com/Flacy/selectel-sm"
+Repository = "https://github.com/Flacy/selectel-sm"
+
+[project.scripts]
+selectel-sm = "selectel_sm.cli.app:app"
+
+[dependency-groups]
+dev = [
+    "mypy>=1.11",
+    "ruff>=0.6",
+    "pytest>=8.0",
+    "pytest-asyncio>=0.24",
+    "assertpy>=1.1",
+    # CLI deps are needed to type-check and test the cli package.
+    "typer>=0.12",
+    "rich>=13.0",
+]
+
+[tool.hatch.build.targets.wheel]
+packages = ["selectel_sm"]
+
+[tool.ruff]
+line-length = 99
+target-version = "py312"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP", "B", "SIM", "TCH", "RUF"]
+
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = ["B011"]
+
+[tool.mypy]
+python_version = "3.12"
+strict = true
+warn_unused_ignores = true
+warn_redundant_casts = true
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"
+addopts = "-ra"