skrift 0.1.0a1__tar.gz → 0.1.0a3__tar.gz

{skrift-0.1.0a1 → skrift-0.1.0a3}/.gitignore

@@ -20,5 +20,8 @@ wheels/
 
 # App configuration (generated by setup wizard)
 app.yaml
+app.*.yaml
 app.bak.yaml
 app.yaml.backup.*
+app.*.yaml.backup.*
+site/

{skrift-0.1.0a1 → skrift-0.1.0a3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skrift
-Version: 0.1.0a1
+Version: 0.1.0a3
 Summary: A lightweight async Python CMS for crafting modern websites
 Requires-Python: >=3.13
 Requires-Dist: advanced-alchemy>=0.26.0
@@ -15,6 +15,8 @@ Requires-Dist: pyyaml>=6.0.0
 Requires-Dist: ruamel-yaml>=0.18.0
 Requires-Dist: sqlalchemy[asyncio]>=2.0.36
 Requires-Dist: uvicorn>=0.34.0
+Provides-Extra: docs
+Requires-Dist: zensical>=0.0.19; extra == 'docs'
 Description-Content-Type: text/markdown
 
 # Skrift

{skrift-0.1.0a1 → skrift-0.1.0a3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "skrift"
-version = "0.1.0a1"
+version = "0.1.0a3"
 description = "A lightweight async Python CMS for crafting modern websites"
 readme = "README.md"
 requires-python = ">=3.13"
@@ -30,6 +30,11 @@ package = true
 requires = ["hatchling"]
 build-backend = "hatchling.build"
 
+[dependency-groups]
+docs = [
+    "zensical>=0.0.19",
+]
+
 [tool.hatch.build]
 include = [
     "skrift/**/*.py",
@@ -45,6 +50,9 @@ exclude = [
     "*.db",
 ]
 
+[project.optional-dependencies]
+docs = ["zensical>=0.0.19"]
+
 [tool.ruff]
 line-length = 100
 target-version = "py313"

{skrift-0.1.0a1 → skrift-0.1.0a3}/skrift/alembic/env.py

@@ -12,6 +12,7 @@ from skrift.config import get_settings
 from skrift.db.base import Base
 
 # Import all models to ensure they're registered with Base.metadata
+from skrift.db.models.oauth_account import OAuthAccount  # noqa: F401
 from skrift.db.models.user import User  # noqa: F401
 from skrift.db.models.page import Page  # noqa: F401
 from skrift.db.models.role import Role, RolePermission  # noqa: F401
@@ -31,7 +32,7 @@ def get_url() -> str:
     """Get database URL from settings or alembic.ini."""
     try:
         settings = get_settings()
-        return settings.database_url
+        return settings.db.url
     except Exception:
         # Fall back to alembic.ini config if settings can't be loaded
         return config.get_main_option("sqlalchemy.url", "")

skrift-0.1.0a3/skrift/alembic/versions/20260129_add_oauth_accounts.py

@@ -0,0 +1,134 @@
+"""add oauth_accounts table
+
+Revision ID: 1a2b3c4d5e6f
+Revises: 8f3a5c2d1e0b
+Create Date: 2026-01-29 10:00:00.000000
+
+This migration:
+1. Creates the oauth_accounts table to store multiple OAuth identities per user
+2. Migrates existing oauth data from users table to oauth_accounts
+3. Makes users.email nullable (for providers like Twitter that don't provide email)
+4. Removes oauth_provider and oauth_id columns from users table
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from advanced_alchemy.types import GUID, DateTimeUTC
+
+
+# revision identifiers, used by Alembic.
+revision: str = '1a2b3c4d5e6f'
+down_revision: Union[str, None] = '8f3a5c2d1e0b'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Step 1: Create oauth_accounts table
+    op.create_table(
+        'oauth_accounts',
+        sa.Column('id', GUID(length=16), nullable=False),
+        sa.Column('created_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('updated_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('sa_orm_sentinel', sa.Integer(), nullable=True),
+        sa.Column('provider', sa.String(length=50), nullable=False),
+        sa.Column('provider_account_id', sa.String(length=255), nullable=False),
+        sa.Column('provider_email', sa.String(length=255), nullable=True),
+        sa.Column('user_id', GUID(length=16), nullable=False),
+        sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth_accounts')),
+        sa.ForeignKeyConstraint(
+            ['user_id'], ['users.id'],
+            name=op.f('fk_oauth_accounts_user_id_users'),
+            ondelete='CASCADE'
+        ),
+        sa.UniqueConstraint(
+            'provider', 'provider_account_id',
+            name='uq_oauth_provider_account'
+        ),
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_user_id'),
+        'oauth_accounts',
+        ['user_id'],
+        unique=False
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_provider_account'),
+        'oauth_accounts',
+        ['provider', 'provider_account_id'],
+        unique=True
+    )
+
+    # Step 2: Migrate existing data from users to oauth_accounts
+    # Generate binary UUIDs (16 bytes) for new records and copy oauth data
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        INSERT INTO oauth_accounts (id, created_at, updated_at, provider, provider_account_id, provider_email, user_id)
+        SELECT
+            randomblob(16),
+            created_at,
+            updated_at,
+            oauth_provider,
+            oauth_id,
+            email,
+            id
+        FROM users
+        WHERE oauth_provider IS NOT NULL AND oauth_id IS NOT NULL
+    """))
+
+    # Step 3: Make email nullable on users table
+    # SQLite doesn't support ALTER COLUMN, so we need to recreate the table
+    # For SQLite, we'll use batch_alter_table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        # Drop the unique constraint on oauth_id
+        batch_op.drop_constraint('uq_users_oauth_id', type_='unique')
+        # Drop the oauth columns
+        batch_op.drop_column('oauth_provider')
+        batch_op.drop_column('oauth_id')
+        # Make email nullable - this requires recreating the column in SQLite
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=True)
+
+
+def downgrade() -> None:
+    # Step 1: Add back oauth columns to users table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('oauth_provider', sa.String(length=50), nullable=True))
+        batch_op.add_column(sa.Column('oauth_id', sa.String(length=255), nullable=True))
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+
+    # Step 2: Migrate data back from oauth_accounts to users
+    # Only migrate the first oauth account per user
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        UPDATE users
+        SET oauth_provider = (
+            SELECT provider FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        ),
+        oauth_id = (
+            SELECT provider_account_id FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        )
+    """))
+
+    # Step 3: Make oauth columns non-nullable and add unique constraint
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.alter_column('oauth_provider',
+                              existing_type=sa.String(length=50),
+                              nullable=False)
+        batch_op.alter_column('oauth_id',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+        batch_op.create_unique_constraint('uq_users_oauth_id', ['oauth_id'])
+
+    # Step 4: Drop oauth_accounts table
+    op.drop_index(op.f('ix_oauth_accounts_provider_account'), table_name='oauth_accounts')
+    op.drop_index(op.f('ix_oauth_accounts_user_id'), table_name='oauth_accounts')
+    op.drop_table('oauth_accounts')

{skrift-0.1.0a1 → skrift-0.1.0a3}/skrift/alembic.ini

@@ -1,8 +1,8 @@
 # Alembic Configuration File
 
 [alembic]
-# Path to migration scripts
-script_location = alembic
+# Path to migration scripts (relative to this file)
+script_location = %(here)s/alembic
 
 # Template used to generate migration files
 file_template = %%(year)d%%(month).2d%%(day).2d_%%(hour).2d%%(minute).2d%%(second).2d_%%(rev)s_%%(slug)s

{skrift-0.1.0a1 → skrift-0.1.0a3}/skrift/asgi.py

@@ -29,7 +29,7 @@ from litestar.static_files import create_static_files_router
 from litestar.template import TemplateConfig
 from litestar.types import ASGIApp, Receive, Scope, Send
 
-from skrift.config import get_settings, is_config_valid
+from skrift.config import get_config_path, get_settings, is_config_valid
 from skrift.db.base import Base
 from skrift.db.services.setting_service import (
     load_site_settings_cache,
@@ -45,7 +45,7 @@ from skrift.lib.exceptions import http_exception_handler, internal_server_error_
 
 def load_controllers() -> list:
     """Load controllers from app.yaml configuration."""
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
         return []
@@ -196,12 +196,7 @@ class AppDispatcher:
             await self.setup_app(scope, receive, send)
             return
 
-        # For /auth/* during setup, route to setup app (OAuth callbacks)
-        if path.startswith("/auth"):
-            await self.setup_app(scope, receive, send)
-            return
-
-        # Non-setup path: check if setup is complete in DB
+        # Check if setup is complete in DB
         if await self._is_setup_complete_in_db():
             # Setup complete - try to get/create main app
             main_app = await self._get_or_create_main_app()
@@ -215,8 +210,13 @@ class AppDispatcher:
                     f"Setup complete but cannot start application: {self._main_app_error}"
                 )
         else:
-            # Setup not complete - redirect to /setup
-            await self._redirect(send, "/setup")
+            # Setup not complete
+            # Route /auth/* to setup app for OAuth callbacks during setup
+            if path.startswith("/auth"):
+                await self.setup_app(scope, receive, send)
+            else:
+                # Redirect other paths to /setup
+                await self._redirect(send, "/setup")
 
     async def _is_setup_complete_in_db(self) -> bool:
         """Check if setup is complete in the database."""
@@ -270,6 +270,10 @@ def create_app() -> Litestar:
     This app has all routes for normal operation. It is used by the dispatcher
     after setup is complete.
     """
+    # CRITICAL: Check for dummy auth in production BEFORE anything else
+    from skrift.setup.providers import validate_no_dummy_auth_in_production
+    validate_no_dummy_auth_in_production()
+
     settings = get_settings()
 
     # Load controllers from app.yaml
@@ -404,7 +408,7 @@ def create_setup_app() -> Litestar:
 
     # Also try to get the raw db URL from config (before env var resolution)
     if not db_url:
-        config_path = Path.cwd() / "app.yaml"
+        config_path = get_config_path()
         if config_path.exists():
             try:
                 with open(config_path, "r") as f:
@@ -493,6 +497,10 @@ def create_dispatcher() -> ASGIApp:
     This is the main entry point. The dispatcher handles routing between
     setup and main apps, with lazy creation of the main app after setup completes.
     """
+    # CRITICAL: Check for dummy auth in production BEFORE anything else
+    from skrift.setup.providers import validate_no_dummy_auth_in_production
+    validate_no_dummy_auth_in_production()
+
     global _dispatcher
     from skrift.setup.state import get_database_url_from_yaml
 

{skrift-0.1.0a1 → skrift-0.1.0a3}/skrift/cli.py

@@ -19,24 +19,33 @@ def db() -> None:
     """
     from alembic.config import main as alembic_main
 
-    # Ensure we're running from the project root where alembic.ini is located
-    # If alembic.ini is not in cwd, check common locations
-    alembic_ini = Path.cwd() / "alembic.ini"
-
+    import os
+
+    # Always run from the project root (where app.yaml and .env are)
+    # This ensures database paths like ./app.db resolve correctly
+    project_root = Path.cwd()
+    if not (project_root / "app.yaml").exists():
+        # If not in project root, try parent directory
+        project_root = Path(__file__).parent.parent
+    os.chdir(project_root)
+
+    # Find alembic.ini - check project root first, then skrift package directory
+    alembic_ini = project_root / "alembic.ini"
     if not alembic_ini.exists():
-        # Try to find alembic.ini relative to this module
-        module_dir = Path(__file__).parent.parent
-        alembic_ini = module_dir / "alembic.ini"
-
-        if alembic_ini.exists():
-            # Change to the directory containing alembic.ini
-            import os
-            os.chdir(module_dir)
-        else:
+        skrift_dir = Path(__file__).parent
+        alembic_ini = skrift_dir / "alembic.ini"
+
+        if not alembic_ini.exists():
             print("Error: Could not find alembic.ini", file=sys.stderr)
             print("Make sure you're running from the project root directory.", file=sys.stderr)
             sys.exit(1)
 
+    # Build argv with config path at the beginning (before any subcommand)
+    # Original argv: ['skrift-db', 'upgrade', 'head']
+    # New argv: ['skrift-db', '-c', '/path/to/alembic.ini', 'upgrade', 'head']
+    new_argv = [sys.argv[0], "-c", str(alembic_ini)] + sys.argv[1:]
+    sys.argv = new_argv
+
     # Pass through all CLI arguments to Alembic
     sys.exit(alembic_main(sys.argv[1:]))
 

{skrift-0.1.0a1 → skrift-0.1.0a3}/skrift/config.py

@@ -16,6 +16,31 @@ load_dotenv(_env_file)
 # Pattern to match $VAR_NAME environment variable references
 ENV_VAR_PATTERN = re.compile(r"\$([A-Z_][A-Z0-9_]*)")
 
+# Environment configuration
+SKRIFT_ENV = "SKRIFT_ENV"
+DEFAULT_ENVIRONMENT = "production"
+
+
+def get_environment() -> str:
+    """Get the current environment name, normalized to lowercase.
+
+    Reads from SKRIFT_ENV environment variable. Defaults to "production".
+    """
+    env = os.environ.get(SKRIFT_ENV, DEFAULT_ENVIRONMENT)
+    return env.lower().strip()
+
+
+def get_config_path() -> Path:
+    """Get the path to the environment-specific config file.
+
+    Production -> app.yaml
+    Other envs -> app.{env}.yaml (e.g., app.dev.yaml)
+    """
+    env = get_environment()
+    if env == "production":
+        return Path.cwd() / "app.yaml"
+    return Path.cwd() / f"app.{env}.yaml"
+
 
 def interpolate_env_vars(value, strict: bool = True):
     """Recursively replace $VAR_NAME with os.environ values.
@@ -54,10 +79,10 @@ def load_app_config(interpolate: bool = True, strict: bool = True) -> dict:
     Returns:
         Parsed configuration dictionary
     """
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
-        raise FileNotFoundError(f"app.yaml not found at {config_path}")
+        raise FileNotFoundError(f"{config_path.name} not found at {config_path}")
 
     with open(config_path, "r") as f:
         config = yaml.safe_load(f)
@@ -69,7 +94,7 @@ def load_app_config(interpolate: bool = True, strict: bool = True) -> dict:
 
 def load_raw_app_config() -> dict | None:
     """Load app.yaml without any processing. Returns None if file doesn't exist."""
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
         return None
@@ -98,11 +123,40 @@ class OAuthProviderConfig(BaseModel):
     tenant_id: str | None = None
 
 
+class DummyProviderConfig(BaseModel):
+    """Dummy provider configuration (no credentials required)."""
+
+    pass
+
+
+# Union type for provider configs - dummy has no required fields
+ProviderConfig = OAuthProviderConfig | DummyProviderConfig
+
+
 class AuthConfig(BaseModel):
     """Authentication configuration."""
 
     redirect_base_url: str = "http://localhost:8000"
-    providers: dict[str, OAuthProviderConfig] = {}
+    providers: dict[str, ProviderConfig] = {}
+
+    @classmethod
+    def _parse_provider(cls, name: str, config: dict) -> ProviderConfig:
+        """Parse a provider config, using the appropriate model based on provider name."""
+        if name == "dummy":
+            return DummyProviderConfig(**config)
+        return OAuthProviderConfig(**config)
+
+    def __init__(self, **data):
+        # Convert raw provider dicts to appropriate config objects
+        if "providers" in data and isinstance(data["providers"], dict):
+            parsed_providers = {}
+            for name, config in data["providers"].items():
+                if isinstance(config, dict):
+                    parsed_providers[name] = self._parse_provider(name, config)
+                else:
+                    parsed_providers[name] = config
+            data["providers"] = parsed_providers
+        super().__init__(**data)
 
     def get_redirect_uri(self, provider: str) -> str:
         """Get the OAuth callback URL for a provider."""
@@ -137,7 +191,7 @@ def is_config_valid() -> tuple[bool, str | None]:
     try:
         config = load_raw_app_config()
         if config is None:
-            return False, "app.yaml not found"
+            return False, f"{get_config_path().name} not found"
 
         # Check database URL
         db_config = config.get("db", {})