senzu 0.2.0__tar.gz

senzu-0.2.0/.github/workflows/ci.yml

@@ -0,0 +1,17 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install -e ".[dev]"
+      - run: pytest

senzu-0.2.0/.github/workflows/publish.yml

@@ -0,0 +1,40 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Build package
+        run: |
+          pip install hatch
+          hatch build
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - uses: pypa/gh-action-pypi-publish@release/v1

senzu-0.2.0/.github/workflows/release.yml

@@ -0,0 +1,17 @@
+name: Release Please
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: googleapis/release-please-action@v4
+        with:
+          release-type: python

senzu-0.2.0/.gitignore

@@ -0,0 +1,210 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+#poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+#pdm.lock
+#pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+#pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Abstra
+# Abstra is an AI-powered process automation framework.
+# Ignore directories containing user credentials, local state, and settings.
+# Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor
+#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Senzu
+.env.*

senzu-0.2.0/CHANGELOG.md

@@ -0,0 +1,44 @@
+# Changelog
+
+## [0.2.0](https://github.com/philip-730/senzu/compare/v0.1.0...v0.2.0) (2026-03-26)
+
+
+### Features
+
+* show GCP project name in pull, push, and import output ([6e1047f](https://github.com/philip-730/senzu/commit/6e1047f5eb883b0477e0c399b91780b4c1c86578))
+* show project/secret in tables for diff, push, and import output ([fd08dc3](https://github.com/philip-730/senzu/commit/fd08dc3c98769406ef053d27e940961a569bb3c0))
+
+
+### Bug Fixes
+
+* distinguish first pull from update, simplify push confirmation ([645b80a](https://github.com/philip-730/senzu/commit/645b80a6bb439cb4f0d6f4734ac844045bac1b33))
+* flag untracked local-only keys in diff output ([9c964b3](https://github.com/philip-730/senzu/commit/9c964b363cb14c203706dc70915440ac5295e834))
+* pull preserves local-only keys, import shows accurate diff, init supports flags ([c48da77](https://github.com/philip-730/senzu/commit/c48da7772211828b30fc78afc70e485ccddc4096))
+
+
+### Documentation
+
+* update README for pull merge behavior, import diff preview, init flags ([0969cdc](https://github.com/philip-730/senzu/commit/0969cdcc1d24333e25b7028c74d34aefdabe4fdf))
+
+## 0.1.0 (2026-03-24)
+
+
+### Features
+
+* make google-cloud-sdk optional in devShell ([c2bcf25](https://github.com/philip-730/senzu/commit/c2bcf25754217a34bea14bc4f9dcd67db2183081))
+
+
+### Bug Fixes
+
+* deduplicate uv2nix in flake inputs ([bb64e2b](https://github.com/philip-730/senzu/commit/bb64e2bc5722c1d9dbd2a2990686188d749c22cd))
+* lowercase merged keys in SecretManagerSettingsSource to fix field required errors ([cb070b0](https://github.com/philip-730/senzu/commit/cb070b0398d1d2166d43e75344fb397fa3bb58cb))
+* rename secrets_settings to file_secret_settings for pydantic-settings >=2.4 ([0c6d2af](https://github.com/philip-730/senzu/commit/0c6d2afa2ae9465d13df39291bc4382f1ea90798))
+* replace custom _DotEnv with DotEnvSettingsSource to fix field required errors ([74c825f](https://github.com/philip-730/senzu/commit/74c825f4074fd80babc3b5dcb171e062962ea251))
+* wire editables into hatchling editable build inputs ([2dd99fa](https://github.com/philip-730/senzu/commit/2dd99fa4950d6151f1ed22815925179a5d1382de))
+
+
+### Documentation
+
+* add Secret Manager source JSON to nested JSON example ([9fc65bc](https://github.com/philip-730/senzu/commit/9fc65bc14342f94cdb12614ca856dc7f84bdeb81))
+* expand type=raw docs to cover JSON objects, fix nested JSON wording ([aff6417](https://github.com/philip-730/senzu/commit/aff64171a2b78526a0de6136665d3fa00b41aedc))
+* fill in README gaps — status, all-envs behavior, cross-project secrets, nested JSON ([a259bb5](https://github.com/philip-730/senzu/commit/a259bb55bd48d9f96f17c98f10c44f685f476a6d))

senzu-0.2.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 philip-730
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

senzu-0.2.0/PKG-INFO

@@ -0,0 +1,273 @@
+Metadata-Version: 2.4
+Name: senzu
+Version: 0.2.0
+Summary: Secret env sync for GCP teams
+Author: philip-730
+License: MIT
+License-File: LICENSE
+Keywords: dotenv,env,gcp,secret-manager,secrets
+Requires-Python: >=3.10
+Requires-Dist: google-cloud-secret-manager>=2
+Requires-Dist: pydantic-settings>=2
+Requires-Dist: python-dotenv>=1
+Requires-Dist: rich>=13
+Requires-Dist: toml>=0.10
+Requires-Dist: typer>=0.12
+Provides-Extra: dev
+Requires-Dist: pytest-mock>=3; extra == 'dev'
+Requires-Dist: pytest>=8; extra == 'dev'
+Requires-Dist: ruff>=0.4; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# senzu
+
+Stop manually copy-pasting secrets from GCP Secret Manager into `.env` files like an animal. Senzu syncs secrets between GCP Secret Manager and local `.env` files, tracks where every key came from, and won't let you blow up production by pushing stale local changes over remote ones.
+
+It's a CLI + Python library for teams using GCP Secret Manager who need their secrets to actually stay in sync — across multiple environments, multiple secrets, multiple people.
+
+---
+
+## Why it's actually sick
+
+Most teams end up with a shared `.env` in a private Slack channel, a Notion doc, or some other nightmare. If you're using Secret Manager, you're at least in the right place — but the workflow is still garbage. You open the GCP console, copy values one by one, paste them into a file you hope you don't accidentally commit.
+
+Senzu fixes this:
+
+- **`senzu pull`** — fetches all your configured secrets into a local `.env` file in one command. Handles JSON and dotenv formats automatically. Works across multiple secrets per environment. If your local file already has keys that aren't in remote yet, they're preserved — remote wins on conflicts, but local-only keys survive. Use `--overwrite` if you want the remote to fully replace your local file.
+
+- **`senzu push`** — pushes local changes back to Secret Manager. But here's the thing: it actually checks if someone else changed the remote since you last pulled. If they did, it blocks you.
+- **`senzu diff`** — see exactly what's different between your local file and what's in Secret Manager, without touching anything. Pipe it into CI, use it in code review, whatever.
+
+- **Lock file** — after a pull, Senzu writes `senzu.lock` which tracks which key came from which secret and which project. This is what makes push safe. It knows exactly where to send each key back, even if you're pulling from 5 different secrets into one `.env`.
+
+- **`senzu import`** — already have a `.env` file and want to get into Secret Manager without touching the GCP console? `senzu import dev --from .env` creates the secret if it doesn't exist, pushes the keys, and writes `senzu.lock` so you're immediately ready to pull/push. If the secret already has data, it merges — your local keys win. Before confirming, it shows you exactly which keys are new, which are changed, and which are unchanged, so you know what you're actually pushing. If nothing has changed, it exits early.
+
+- **Multiple environments** — `dev`, `staging`, `prod`, whatever you want. Each one can have its own GCP project, its own secrets, its own local file. `senzu pull dev` or `senzu pull prod`, no config flags needed.
+
+- **`SenzuSettings`** — drop-in Pydantic BaseSettings subclass. Automatically reads the right `.env` file based on your `ENV` var, parses nested JSON objects into proper Python dicts/lists, and falls back to reading directly from Secret Manager in Cloud Run by just setting `SENZU_USE_SECRET_MANAGER=true`.
+
+- **`senzu generate`** — auto-generates a typed Pydantic settings class from your actual secrets. You never have to manually write `api_key: str` for every field again.
+
+---
+
+## Install
+
+Senzu isn't on PyPI yet. Install directly from GitHub:
+
+```bash
+pip install git+https://github.com/philip-730/senzu
+# or
+uv add git+https://github.com/philip-730/senzu
+```
+
+Pin to a specific commit or tag if you need stability:
+
+```bash
+pip install git+https://github.com/philip-730/senzu@v0.1.0
+```
+
+To add it to `requirements.txt`:
+
+```
+senzu @ git+https://github.com/philip-730/senzu
+# or pinned:
+senzu @ git+https://github.com/philip-730/senzu@v0.1.0
+```
+
+Requires Python 3.10+. You'll need GCP credentials set up — either `gcloud auth application-default login` locally or a service account in prod.
+
+---
+
+## Setup
+
+Run the init wizard in your project root:
+
+```bash
+senzu init
+
+# or skip the prompts entirely with flags
+senzu init --project my-gcp-project --env dev --file .env.dev --secret app-env
+```
+
+This creates `senzu.toml` and updates `.gitignore` to exclude your `.env.*` files. You don't want those committed. The `--env` flag controls the environment name (defaults to `dev`) — useful if you want to scaffold a non-dev env first.
+
+Or write `senzu.toml` yourself:
+
+```toml
+[envs.dev]
+project = "my-gcp-project-dev"
+file    = ".env.dev"
+secrets = [
+  { secret = "app-env" },
+  { secret = "db-creds", format = "json" },
+]
+
+[envs.prod]
+project = "my-gcp-project-prod"
+file    = ".env.prod"
+secrets = [
+  { secret = "app-env-prod" },
+]
+```
+
+Each secret in the `secrets` array is fetched and merged into the local file. If you want the entire secret stored as a single env var rather than expanded into individual keys, use `type = "raw"`. `env_var` is required — it sets the env var name the value is written under:
+
+```toml
+secrets = [
+  # Scalar value (e.g. a webhook secret string)
+  { secret = "stripe-webhook-secret", type = "raw", env_var = "STRIPE_WEBHOOK_SECRET" },
+
+  # JSON object stored whole — useful when you want one dict, not individual keys
+  { secret = "firebase-sdk", type = "raw", env_var = "FIREBASE_CREDS" },
+]
+```
+
+For the JSON case, Senzu stores it single-quoted in the `.env` file (`FIREBASE_CREDS='{"type":"service_account",...}'`). Declare the field as `dict` in `SenzuSettings` and it's automatically deserialized.
+
+### Cross-project secrets
+
+A secret can pull from a different GCP project than the environment default. This is useful for shared infrastructure secrets owned by a central project:
+
+```toml
+[envs.prod]
+project = "my-app-prod"
+file    = ".env.prod"
+secrets = [
+  { secret = "app-env-prod" },
+  { secret = "datadog-api-key", project = "shared-infra" },
+]
+```
+
+When multiple secrets share a key name, the last secret listed wins. Senzu will emit a warning so you know it happened.
+
+---
+
+## Usage
+
+```bash
+# Bootstrap — import an existing .env into Secret Manager for the first time
+senzu import dev --from .env
+senzu import dev --from .env --secret app-env          # skip interactive routing, send all keys to this secret
+senzu import dev --from .env --keys DB_URL,DB_PASSWORD # specific keys only
+senzu import dev --from .env --format json             # write as JSON instead of dotenv
+
+# Pull secrets to local .env files
+senzu pull              # all environments defined in senzu.toml
+senzu pull dev          # specific environment only
+senzu pull dev --overwrite  # fully replace local file with remote (discards local-only keys)
+
+# See what's different between local and remote
+senzu diff         # all environments
+senzu diff dev     # specific environment only
+
+# Push local changes back to Secret Manager
+senzu push         # all environments (prompts for confirmation per env)
+senzu push dev     # specific environment
+senzu push dev --force  # skip confirmation even if remote has unretrieved changes
+
+# Show all configured environments, their secrets, GCP projects, and local file status
+senzu status
+
+# Generate a typed Pydantic settings class from your secrets
+senzu generate dev --out settings.py
+```
+
+---
+
+## Using in Python
+
+If you have a Python app and want type-safe settings without the manual config:
+
+```python
+from senzu import SenzuSettings
+
+class Settings(SenzuSettings):
+    database_url: str
+    api_key: str
+    firebase_creds: dict  # see note on nested JSON below
+
+settings = Settings()
+```
+
+GCP secrets often store nested JSON objects (service account keys, connection configs, etc.) that can't be written as raw dotenv values. Senzu encodes these as single-quoted strings in the `.env` file:
+
+```json
+// Secret Manager — app-env secret value
+{
+  "database_url": "postgres://...",
+  "api_key": "sk-...",
+  "firebase_creds": { "type": "service_account", "project_id": "my-app" }
+}
+```
+
+```bash
+# .env.dev — what Senzu writes after senzu pull
+DATABASE_URL=postgres://...
+API_KEY=sk-...
+FIREBASE_CREDS='{"type":"service_account","project_id":"my-app"}'
+```
+
+When you declare the field as `dict` (or `list`) in `SenzuSettings`, Senzu automatically deserializes it — so `settings.firebase_creds` is already a Python dict, not a string.
+
+Senzu reads `ENV` or `SENZU_ENV` to figure out which environment you're in, finds the right `.env` file from `senzu.toml`, and loads it. In Cloud Run or any environment where you don't have a file, set `SENZU_USE_SECRET_MANAGER=true` and it reads directly from Secret Manager.
+
+---
+
+## The lock file
+
+After `senzu pull`, you'll have a `senzu.lock` file. This is how Senzu knows which of your 40 env vars came from which of your 5 secrets. Don't delete it — push won't work without it. Commit it — it contains no secret values, just routing metadata (which key lives in which secret), and your teammates need it to push without doing a redundant pull first.
+
+---
+
+## Auth
+
+Senzu uses the standard GCP auth chain via `google-cloud-secret-manager`. Locally, run:
+
+```bash
+gcloud auth application-default login
+```
+
+In CI/CD or Cloud Run, use a service account with `Secret Manager Secret Accessor` role on the relevant secrets.
+
+---
+
+## Development
+
+### With Nix (recommended)
+
+The repo uses [uv2nix](https://github.com/pyproject-nix/uv2nix) to provide a fully reproducible dev environment. Dependencies are pinned in `uv.lock`.
+
+```bash
+nix develop
+```
+
+This drops you into a shell with the right Python version, all deps installed, and senzu itself available as an editable install — changes to the source are reflected immediately without reinstalling. `gcloud` is also available.
+
+To run the CLI directly without entering a shell:
+
+```bash
+nix run
+```
+
+### Without Nix
+
+```bash
+uv sync
+uv run senzu --help
+```
+
+Or with a standard virtualenv:
+
+```bash
+python -m venv .venv
+source .venv/bin/activate
+pip install -e '.[dev]'
+```
+
+### Running tests
+
+```bash
+pytest
+# or inside nix develop:
+pytest tests/
+```