skrift 0.1.0a1__tar.gz → 0.1.0a5__tar.gz

{skrift-0.1.0a1 → skrift-0.1.0a5}/.gitignore

@@ -20,5 +20,8 @@ wheels/
 
 # App configuration (generated by setup wizard)
 app.yaml
+app.*.yaml
 app.bak.yaml
 app.yaml.backup.*
+app.*.yaml.backup.*
+site/

{skrift-0.1.0a1 → skrift-0.1.0a5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skrift
-Version: 0.1.0a1
+Version: 0.1.0a5
 Summary: A lightweight async Python CMS for crafting modern websites
 Requires-Python: >=3.13
 Requires-Dist: advanced-alchemy>=0.26.0
@@ -15,6 +15,8 @@ Requires-Dist: pyyaml>=6.0.0
 Requires-Dist: ruamel-yaml>=0.18.0
 Requires-Dist: sqlalchemy[asyncio]>=2.0.36
 Requires-Dist: uvicorn>=0.34.0
+Provides-Extra: docs
+Requires-Dist: zensical>=0.0.19; extra == 'docs'
 Description-Content-Type: text/markdown
 
 # Skrift

{skrift-0.1.0a1 → skrift-0.1.0a5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "skrift"
-version = "0.1.0a1"
+version = "0.1.0a5"
 description = "A lightweight async Python CMS for crafting modern websites"
 readme = "README.md"
 requires-python = ">=3.13"
@@ -20,8 +20,7 @@ dependencies = [
 ]
 
 [project.scripts]
-skrift = "skrift.__main__:main"
-skrift-db = "skrift.cli:db"
+skrift = "skrift.cli:cli"
 
 [tool.uv]
 package = true
@@ -30,6 +29,11 @@ package = true
 requires = ["hatchling"]
 build-backend = "hatchling.build"
 
+[dependency-groups]
+docs = [
+    "zensical>=0.0.19",
+]
+
 [tool.hatch.build]
 include = [
     "skrift/**/*.py",
@@ -45,6 +49,9 @@ exclude = [
     "*.db",
 ]
 
+[project.optional-dependencies]
+docs = ["zensical>=0.0.19"]
+
 [tool.ruff]
 line-length = 100
 target-version = "py313"

skrift-0.1.0a5/skrift/__main__.py

@@ -0,0 +1,12 @@
+"""Entry point for the skrift package."""
+
+from skrift.cli import cli
+
+
+def main():
+    """Run the Skrift CLI."""
+    cli()
+
+
+if __name__ == "__main__":
+    main()

{skrift-0.1.0a1 → skrift-0.1.0a5}/skrift/alembic/env.py

@@ -12,6 +12,7 @@ from skrift.config import get_settings
 from skrift.db.base import Base
 
 # Import all models to ensure they're registered with Base.metadata
+from skrift.db.models.oauth_account import OAuthAccount  # noqa: F401
 from skrift.db.models.user import User  # noqa: F401
 from skrift.db.models.page import Page  # noqa: F401
 from skrift.db.models.role import Role, RolePermission  # noqa: F401
@@ -31,7 +32,7 @@ def get_url() -> str:
     """Get database URL from settings or alembic.ini."""
     try:
         settings = get_settings()
-        return settings.database_url
+        return settings.db.url
     except Exception:
         # Fall back to alembic.ini config if settings can't be loaded
         return config.get_main_option("sqlalchemy.url", "")

skrift-0.1.0a5/skrift/alembic/versions/20260129_add_oauth_accounts.py

@@ -0,0 +1,134 @@
+"""add oauth_accounts table
+
+Revision ID: 1a2b3c4d5e6f
+Revises: 8f3a5c2d1e0b
+Create Date: 2026-01-29 10:00:00.000000
+
+This migration:
+1. Creates the oauth_accounts table to store multiple OAuth identities per user
+2. Migrates existing oauth data from users table to oauth_accounts
+3. Makes users.email nullable (for providers like Twitter that don't provide email)
+4. Removes oauth_provider and oauth_id columns from users table
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from advanced_alchemy.types import GUID, DateTimeUTC
+
+
+# revision identifiers, used by Alembic.
+revision: str = '1a2b3c4d5e6f'
+down_revision: Union[str, None] = '8f3a5c2d1e0b'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Step 1: Create oauth_accounts table
+    op.create_table(
+        'oauth_accounts',
+        sa.Column('id', GUID(length=16), nullable=False),
+        sa.Column('created_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('updated_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('sa_orm_sentinel', sa.Integer(), nullable=True),
+        sa.Column('provider', sa.String(length=50), nullable=False),
+        sa.Column('provider_account_id', sa.String(length=255), nullable=False),
+        sa.Column('provider_email', sa.String(length=255), nullable=True),
+        sa.Column('user_id', GUID(length=16), nullable=False),
+        sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth_accounts')),
+        sa.ForeignKeyConstraint(
+            ['user_id'], ['users.id'],
+            name=op.f('fk_oauth_accounts_user_id_users'),
+            ondelete='CASCADE'
+        ),
+        sa.UniqueConstraint(
+            'provider', 'provider_account_id',
+            name='uq_oauth_provider_account'
+        ),
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_user_id'),
+        'oauth_accounts',
+        ['user_id'],
+        unique=False
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_provider_account'),
+        'oauth_accounts',
+        ['provider', 'provider_account_id'],
+        unique=True
+    )
+
+    # Step 2: Migrate existing data from users to oauth_accounts
+    # Generate binary UUIDs (16 bytes) for new records and copy oauth data
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        INSERT INTO oauth_accounts (id, created_at, updated_at, provider, provider_account_id, provider_email, user_id)
+        SELECT
+            randomblob(16),
+            created_at,
+            updated_at,
+            oauth_provider,
+            oauth_id,
+            email,
+            id
+        FROM users
+        WHERE oauth_provider IS NOT NULL AND oauth_id IS NOT NULL
+    """))
+
+    # Step 3: Make email nullable on users table
+    # SQLite doesn't support ALTER COLUMN, so we need to recreate the table
+    # For SQLite, we'll use batch_alter_table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        # Drop the unique constraint on oauth_id
+        batch_op.drop_constraint('uq_users_oauth_id', type_='unique')
+        # Drop the oauth columns
+        batch_op.drop_column('oauth_provider')
+        batch_op.drop_column('oauth_id')
+        # Make email nullable - this requires recreating the column in SQLite
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=True)
+
+
+def downgrade() -> None:
+    # Step 1: Add back oauth columns to users table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('oauth_provider', sa.String(length=50), nullable=True))
+        batch_op.add_column(sa.Column('oauth_id', sa.String(length=255), nullable=True))
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+
+    # Step 2: Migrate data back from oauth_accounts to users
+    # Only migrate the first oauth account per user
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        UPDATE users
+        SET oauth_provider = (
+            SELECT provider FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        ),
+        oauth_id = (
+            SELECT provider_account_id FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        )
+    """))
+
+    # Step 3: Make oauth columns non-nullable and add unique constraint
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.alter_column('oauth_provider',
+                              existing_type=sa.String(length=50),
+                              nullable=False)
+        batch_op.alter_column('oauth_id',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+        batch_op.create_unique_constraint('uq_users_oauth_id', ['oauth_id'])
+
+    # Step 4: Drop oauth_accounts table
+    op.drop_index(op.f('ix_oauth_accounts_provider_account'), table_name='oauth_accounts')
+    op.drop_index(op.f('ix_oauth_accounts_user_id'), table_name='oauth_accounts')
+    op.drop_table('oauth_accounts')

{skrift-0.1.0a1 → skrift-0.1.0a5}/skrift/alembic.ini

@@ -1,8 +1,8 @@
 # Alembic Configuration File
 
 [alembic]
-# Path to migration scripts
-script_location = alembic
+# Path to migration scripts (relative to this file)
+script_location = %(here)s/alembic
 
 # Template used to generate migration files
 file_template = %%(year)d%%(month).2d%%(day).2d_%%(hour).2d%%(minute).2d%%(second).2d_%%(rev)s_%%(slug)s

{skrift-0.1.0a1 → skrift-0.1.0a5}/skrift/asgi.py

@@ -29,7 +29,7 @@ from litestar.static_files import create_static_files_router
 from litestar.template import TemplateConfig
 from litestar.types import ASGIApp, Receive, Scope, Send
 
-from skrift.config import get_settings, is_config_valid
+from skrift.config import get_config_path, get_settings, is_config_valid
 from skrift.db.base import Base
 from skrift.db.services.setting_service import (
     load_site_settings_cache,
@@ -45,7 +45,7 @@ from skrift.lib.exceptions import http_exception_handler, internal_server_error_
 
 def load_controllers() -> list:
     """Load controllers from app.yaml configuration."""
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
         return []
@@ -196,12 +196,7 @@ class AppDispatcher:
             await self.setup_app(scope, receive, send)
             return
 
-        # For /auth/* during setup, route to setup app (OAuth callbacks)
-        if path.startswith("/auth"):
-            await self.setup_app(scope, receive, send)
-            return
-
-        # Non-setup path: check if setup is complete in DB
+        # Check if setup is complete in DB
         if await self._is_setup_complete_in_db():
             # Setup complete - try to get/create main app
             main_app = await self._get_or_create_main_app()
@@ -215,8 +210,13 @@ class AppDispatcher:
                     f"Setup complete but cannot start application: {self._main_app_error}"
                 )
         else:
-            # Setup not complete - redirect to /setup
-            await self._redirect(send, "/setup")
+            # Setup not complete
+            # Route /auth/* to setup app for OAuth callbacks during setup
+            if path.startswith("/auth"):
+                await self.setup_app(scope, receive, send)
+            else:
+                # Redirect other paths to /setup
+                await self._redirect(send, "/setup")
 
     async def _is_setup_complete_in_db(self) -> bool:
         """Check if setup is complete in the database."""
@@ -270,6 +270,10 @@ def create_app() -> Litestar:
     This app has all routes for normal operation. It is used by the dispatcher
     after setup is complete.
     """
+    # CRITICAL: Check for dummy auth in production BEFORE anything else
+    from skrift.setup.providers import validate_no_dummy_auth_in_production
+    validate_no_dummy_auth_in_production()
+
     settings = get_settings()
 
     # Load controllers from app.yaml
@@ -404,7 +408,7 @@ def create_setup_app() -> Litestar:
 
     # Also try to get the raw db URL from config (before env var resolution)
     if not db_url:
-        config_path = Path.cwd() / "app.yaml"
+        config_path = get_config_path()
         if config_path.exists():
             try:
                 with open(config_path, "r") as f:
@@ -493,6 +497,10 @@ def create_dispatcher() -> ASGIApp:
     This is the main entry point. The dispatcher handles routing between
     setup and main apps, with lazy creation of the main app after setup completes.
     """
+    # CRITICAL: Check for dummy auth in production BEFORE anything else
+    from skrift.setup.providers import validate_no_dummy_auth_in_production
+    validate_no_dummy_auth_in_production()
+
     global _dispatcher
     from skrift.setup.state import get_database_url_from_yaml
 

skrift-0.1.0a5/skrift/cli.py

@@ -0,0 +1,143 @@
+"""CLI commands for Skrift."""
+
+import base64
+import os
+import re
+import secrets
+import sys
+from pathlib import Path
+
+import click
+
+
+@click.group()
+@click.version_option(package_name="skrift")
+def cli():
+    """Skrift - A lightweight async Python CMS."""
+    pass
+
+
+@cli.command()
+@click.option("--host", default="127.0.0.1", help="Host to bind to")
+@click.option("--port", default=8080, type=int, help="Port to bind to")
+@click.option("--reload", is_flag=True, help="Enable auto-reload for development")
+@click.option("--workers", default=1, type=int, help="Number of worker processes")
+@click.option(
+    "--log-level",
+    default="info",
+    type=click.Choice(["debug", "info", "warning", "error"]),
+    help="Logging level",
+)
+def serve(host, port, reload, workers, log_level):
+    """Run the Skrift server."""
+    import uvicorn
+
+    uvicorn.run(
+        "skrift.asgi:app",
+        host=host,
+        port=port,
+        reload=reload,
+        workers=workers if not reload else 1,
+        log_level=log_level,
+    )
+
+
+@cli.command()
+@click.option(
+    "--write",
+    type=click.Path(),
+    default=None,
+    help="Write SECRET_KEY to a .env file",
+)
+@click.option(
+    "--format",
+    "fmt",
+    default="urlsafe",
+    type=click.Choice(["urlsafe", "hex", "base64"]),
+    help="Output format for the secret key",
+)
+@click.option("--length", default=32, type=int, help="Number of random bytes")
+def secret(write, fmt, length):
+    """Generate a secure secret key."""
+    # Generate key based on format
+    if fmt == "urlsafe":
+        key = secrets.token_urlsafe(length)
+    elif fmt == "hex":
+        key = secrets.token_hex(length)
+    else:  # base64
+        key = base64.b64encode(secrets.token_bytes(length)).decode("ascii")
+
+    if write:
+        env_path = Path(write)
+        env_content = ""
+
+        # Read existing content if file exists
+        if env_path.exists():
+            env_content = env_path.read_text()
+
+        # Update or add SECRET_KEY
+        secret_key_pattern = re.compile(r"^SECRET_KEY=.*$", re.MULTILINE)
+        new_line = f"SECRET_KEY={key}"
+
+        if secret_key_pattern.search(env_content):
+            # Replace existing SECRET_KEY
+            env_content = secret_key_pattern.sub(new_line, env_content)
+        else:
+            # Add SECRET_KEY at the end
+            if env_content and not env_content.endswith("\n"):
+                env_content += "\n"
+            env_content += new_line + "\n"
+
+        env_path.write_text(env_content)
+        click.echo(f"SECRET_KEY written to {env_path}")
+    else:
+        click.echo(key)
+
+
+@cli.command(
+    context_settings=dict(
+        ignore_unknown_options=True,
+        allow_extra_args=True,
+    )
+)
+@click.pass_context
+def db(ctx):
+    """Run database migrations via Alembic.
+
+    \b
+    Examples:
+        skrift db upgrade head     # Apply all migrations
+        skrift db downgrade -1     # Rollback one migration
+        skrift db current          # Show current revision
+        skrift db history          # Show migration history
+        skrift db revision -m "description" --autogenerate  # Create new migration
+    """
+    from alembic.config import main as alembic_main
+
+    # Always run from the project root (where app.yaml and .env are)
+    # This ensures database paths like ./app.db resolve correctly
+    project_root = Path.cwd()
+    if not (project_root / "app.yaml").exists():
+        # If not in project root, try parent directory
+        project_root = Path(__file__).parent.parent
+    os.chdir(project_root)
+
+    # Find alembic.ini - check project root first, then skrift package directory
+    alembic_ini = project_root / "alembic.ini"
+    if not alembic_ini.exists():
+        skrift_dir = Path(__file__).parent
+        alembic_ini = skrift_dir / "alembic.ini"
+
+        if not alembic_ini.exists():
+            click.echo("Error: Could not find alembic.ini", err=True)
+            click.echo("Make sure you're running from the project root directory.", err=True)
+            sys.exit(1)
+
+    # Build argv for alembic: ['-c', '/path/to/alembic.ini', ...extra_args]
+    alembic_argv = ["-c", str(alembic_ini)] + ctx.args
+
+    sys.exit(alembic_main(alembic_argv))
+
+
+if __name__ == "__main__":
+    cli()

{skrift-0.1.0a1 → skrift-0.1.0a5}/skrift/config.py

@@ -9,13 +9,38 @@ from pydantic import BaseModel
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 # Load .env file early so env vars are available for YAML interpolation
-# Use explicit path to handle subprocess spawning (uvicorn workers)
-_env_file = Path(__file__).parent.parent / ".env"
+# Load from current working directory (where app.yaml lives)
+_env_file = Path.cwd() / ".env"
 load_dotenv(_env_file)
 
 # Pattern to match $VAR_NAME environment variable references
 ENV_VAR_PATTERN = re.compile(r"\$([A-Z_][A-Z0-9_]*)")
 
+# Environment configuration
+SKRIFT_ENV = "SKRIFT_ENV"
+DEFAULT_ENVIRONMENT = "production"
+
+
+def get_environment() -> str:
+    """Get the current environment name, normalized to lowercase.
+
+    Reads from SKRIFT_ENV environment variable. Defaults to "production".
+    """
+    env = os.environ.get(SKRIFT_ENV, DEFAULT_ENVIRONMENT)
+    return env.lower().strip()
+
+
+def get_config_path() -> Path:
+    """Get the path to the environment-specific config file.
+
+    Production -> app.yaml
+    Other envs -> app.{env}.yaml (e.g., app.dev.yaml)
+    """
+    env = get_environment()
+    if env == "production":
+        return Path.cwd() / "app.yaml"
+    return Path.cwd() / f"app.{env}.yaml"
+
 
 def interpolate_env_vars(value, strict: bool = True):
     """Recursively replace $VAR_NAME with os.environ values.
@@ -54,10 +79,10 @@ def load_app_config(interpolate: bool = True, strict: bool = True) -> dict:
     Returns:
         Parsed configuration dictionary
     """
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
-        raise FileNotFoundError(f"app.yaml not found at {config_path}")
+        raise FileNotFoundError(f"{config_path.name} not found at {config_path}")
 
     with open(config_path, "r") as f:
         config = yaml.safe_load(f)
@@ -69,7 +94,7 @@ def load_app_config(interpolate: bool = True, strict: bool = True) -> dict:
 
 def load_raw_app_config() -> dict | None:
     """Load app.yaml without any processing. Returns None if file doesn't exist."""
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
         return None
@@ -98,11 +123,40 @@ class OAuthProviderConfig(BaseModel):
     tenant_id: str | None = None
 
 
+class DummyProviderConfig(BaseModel):
+    """Dummy provider configuration (no credentials required)."""
+
+    pass
+
+
+# Union type for provider configs - dummy has no required fields
+ProviderConfig = OAuthProviderConfig | DummyProviderConfig
+
+
 class AuthConfig(BaseModel):
     """Authentication configuration."""
 
     redirect_base_url: str = "http://localhost:8000"
-    providers: dict[str, OAuthProviderConfig] = {}
+    providers: dict[str, ProviderConfig] = {}
+
+    @classmethod
+    def _parse_provider(cls, name: str, config: dict) -> ProviderConfig:
+        """Parse a provider config, using the appropriate model based on provider name."""
+        if name == "dummy":
+            return DummyProviderConfig(**config)
+        return OAuthProviderConfig(**config)
+
+    def __init__(self, **data):
+        # Convert raw provider dicts to appropriate config objects
+        if "providers" in data and isinstance(data["providers"], dict):
+            parsed_providers = {}
+            for name, config in data["providers"].items():
+                if isinstance(config, dict):
+                    parsed_providers[name] = self._parse_provider(name, config)
+                else:
+                    parsed_providers[name] = config
+            data["providers"] = parsed_providers
+        super().__init__(**data)
 
     def get_redirect_uri(self, provider: str) -> str:
         """Get the OAuth callback URL for a provider."""
@@ -137,7 +191,7 @@ def is_config_valid() -> tuple[bool, str | None]:
     try:
         config = load_raw_app_config()
         if config is None:
-            return False, "app.yaml not found"
+            return False, f"{get_config_path().name} not found"
 
         # Check database URL
         db_config = config.get("db", {})