toast-cli 4.0.5__tar.gz → 4.1.2__tar.gz

{toast_cli-4.0.5 → toast_cli-4.1.2}/ARCHITECTURE.md

@@ -38,6 +38,7 @@ toast-cli/
           ├── prompt_plugin.py
           ├── region_plugin.py
           ├── ssm_plugin.py
+          ├── storage.py
           └── utils.py
 ```
 
@@ -102,10 +103,10 @@ Each plugin:
 | am | Show AWS caller identity |
 | cdw | Navigate to workspace directories |
 | ctx | Manage Kubernetes contexts (switch, add EKS clusters, delete) |
-| dot | Manage .env.local files with AWS SSM integration |
+| dot | Manage .env.local files with S3 env-store (SSM transition) |
 | env | Manage AWS profiles |
 | git | Manage Git repositories (clone, branch, pull, push, rm, mirror) |
-| prompt | Manage .prompt.md files with AWS SSM integration |
+| prompt | Manage .prompt.md files with S3 env-store (SSM transition) |
 | region | Set AWS region |
 | ssm | AWS SSM Parameter Store operations (get, put, delete, list) |
 
@@ -127,21 +128,34 @@ Each plugin:
 - Interactive selection of contexts and clusters
 
 #### DotPlugin (dot)
-- Manages .env.local files with AWS SSM Parameter Store
-- Default behavior: `sync` (compare local/remote, show diff, choose upload/download)
+- Manages .env.local files via the S3 env-store (`storage.py`)
+- Default behavior: `sync` (compare local/store, show diff, choose upload/download)
 - Commands: `sync` (default), `up` (upload), `down`/`dn` (download), `ls` (list)
-- Uploads/downloads environment variables as SecureString
-- SSM path: `/toast/local/{org}/{project}/env-local`
+- S3 key: `local/{org}/{project}/env-local` (SSE-KMS)
 - Validates workspace path structure (`workspace/github.com/{org}/{project}`)
 
 #### PromptPlugin (prompt)
-- Manages .prompt.md files with AWS SSM Parameter Store
-- Default behavior: `sync` (compare local/remote, show diff, choose upload/download)
+- Manages .prompt.md files via the S3 env-store (`storage.py`)
+- Default behavior: `sync` (compare local/store, show diff, choose upload/download)
 - Commands: `sync` (default), `up` (upload), `down`/`dn` (download), `ls` (list)
-- Uploads/downloads prompt files as SecureString
-- SSM path: `/toast/local/{org}/{project}/prompt-md`
+- S3 key: `local/{org}/{project}/prompt-md` (SSE-KMS)
 - Validates workspace path structure (`workspace/github.com/{org}/{project}`)
 
+#### Env-store backend (storage.py)
+- Shared storage layer for the dot/prompt plugins
+- Dual-backend during SSM → S3 transition: reads check both S3 and SSM and use
+  the newest copy (ties prefer S3); writes always go to S3
+- SSM is a read-only fallback and is harvested into S3 on the next upload
+- All access uses a dedicated AWS profile (`TOAST_ENV_STORE_PROFILE`, default
+  `{username}-admin`)
+- Profile defaults to the OS username + `-admin`; bucket defaults to
+  `env-store-{account-id}` of that profile (account id via
+  `aws sts get-caller-identity`)
+- Configurable via env vars (`TOAST_ENV_STORE_PROFILE`, `TOAST_ENV_STORE_BUCKET`,
+  `TOAST_ENV_STORE_KMS_KEY`, `TOAST_ENV_STORE_REGION`) or the config file
+  `~/.config/toast/config` (`KEY=VALUE`, created on first run by prompting the
+  user); precedence: env var > config file > default
+
 #### EnvPlugin (env)
 - Manages AWS profiles from `~/.aws/credentials`
 - Interactive selection of profiles

{toast_cli-4.0.5 → toast_cli-4.1.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: toast-cli
-Version: 4.0.5
+Version: 4.1.2
 Summary: A Python-based CLI utility with a plugin architecture for AWS, Kubernetes, Git, and more
 Home-page: https://github.com/opspresso/toast-cli
 Author: nalbam
@@ -59,7 +59,7 @@ Python-based CLI utility with plugin architecture for AWS, Kubernetes, and Git o
 * **Git**: Repository management (clone, branch, pull, push, rm, mirror), organization-specific GitHub hosts
 * **Workspace**: Directory navigation, environment file management (.env.local, .prompt.md)
 * **Interface**: FZF-powered interactive menus, formatted output with Rich
-* **Security**: AWS SSM SecureString storage for sensitive files
+* **Security**: S3 env-store with SSE-KMS for sensitive files (SSM fallback during transition)
 
 ## Architecture
 
@@ -129,16 +129,16 @@ toast ctx                  # Switch contexts
 # Select [Del...] to delete contexts (individual or all)
 
 # Environment Files (.env.local)
-toast dot                  # Compare local and SSM, choose action (default: sync)
-toast dot up               # Upload .env.local to SSM
-toast dot down             # Download .env.local from SSM (alias: dn)
-toast dot ls               # List all .env.local files in SSM
+toast dot                  # Compare local and env-store, choose action (default: sync)
+toast dot up               # Upload .env.local to env-store (S3)
+toast dot down             # Download .env.local from env-store (alias: dn)
+toast dot ls               # List all .env.local files in env-store (S3 + SSM)
 
 # Prompt Files (.prompt.md)
-toast prompt               # Compare local and SSM, choose action (default: sync)
-toast prompt up            # Upload .prompt.md to SSM
-toast prompt down          # Download .prompt.md from SSM (alias: dn)
-toast prompt ls            # List all .prompt.md files in SSM
+toast prompt               # Compare local and env-store, choose action (default: sync)
+toast prompt up            # Upload .prompt.md to env-store (S3)
+toast prompt down          # Download .prompt.md from env-store (alias: dn)
+toast prompt ls            # List all .prompt.md files in env-store (S3 + SSM)
 
 # SSM Parameter Store
 toast ssm                  # Interactive mode: browse and select parameters
@@ -218,16 +218,50 @@ Host myorg-github.com
 - Automatic host detection based on workspace location
 - Seamless switching between GitHub accounts
 
-### AWS SSM Storage Paths
+### Env-store (S3) Storage Paths
 
-Toast-cli stores files in AWS SSM Parameter Store with the following structure:
+The `dot` and `prompt` plugins store files in the S3 env-store bucket. During
+the transition from AWS SSM Parameter Store, reads check both backends and use
+whichever copy is newest; writes always go to S3 (the bucket is the source of
+truth), and SSM copies become stale and are harvested into S3 on the next
+upload.
 
 ```
-/toast/local/{org}/{project}/env-local     # .env.local files
-/toast/local/{org}/{project}/prompt-md     # .prompt.md files
+s3://env-store-{account-id}/local/{org}/{project}/env-local   # .env.local files
+s3://env-store-{account-id}/local/{org}/{project}/prompt-md   # .prompt.md files
+
+/toast/local/{org}/{project}/env-local     # legacy SSM (read-only fallback)
+/toast/local/{org}/{project}/prompt-md     # legacy SSM (read-only fallback)
 ```
 
-Files are stored as SecureString type for encryption at rest.
+S3 objects are written with SSE-KMS encryption. All env-store access uses a
+dedicated AWS profile so it is decoupled from your current default profile.
+
+**Configuration** — precedence: environment variable > config file > default.
+
+Environment variables:
+
+```bash
+TOAST_ENV_STORE_PROFILE   # default: {username}-admin
+TOAST_ENV_STORE_BUCKET    # default: env-store-{account-id of the profile}
+TOAST_ENV_STORE_KMS_KEY   # default: bucket/account default KMS key
+TOAST_ENV_STORE_REGION    # default: profile's region
+```
+
+The profile defaults to your OS username + `-admin`, and the bucket defaults to
+`env-store-` + the AWS account id of that profile (looked up via
+`aws sts get-caller-identity`).
+
+Config file `~/.config/toast/config` (`KEY=VALUE` format). On first run, if it
+is missing, toast prompts for the values and saves them (interactive sessions
+only):
+
+```
+ENV_STORE_BUCKET=env-store-{account-id}
+ENV_STORE_PROFILE={username}-admin
+ENV_STORE_KMS_KEY=
+ENV_STORE_REGION=
+```
 
 ## Creating Plugins
 

{toast_cli-4.0.5 → toast_cli-4.1.2}/README.md

@@ -24,7 +24,7 @@ Python-based CLI utility with plugin architecture for AWS, Kubernetes, and Git o
 * **Git**: Repository management (clone, branch, pull, push, rm, mirror), organization-specific GitHub hosts
 * **Workspace**: Directory navigation, environment file management (.env.local, .prompt.md)
 * **Interface**: FZF-powered interactive menus, formatted output with Rich
-* **Security**: AWS SSM SecureString storage for sensitive files
+* **Security**: S3 env-store with SSE-KMS for sensitive files (SSM fallback during transition)
 
 ## Architecture
 
@@ -94,16 +94,16 @@ toast ctx                  # Switch contexts
 # Select [Del...] to delete contexts (individual or all)
 
 # Environment Files (.env.local)
-toast dot                  # Compare local and SSM, choose action (default: sync)
-toast dot up               # Upload .env.local to SSM
-toast dot down             # Download .env.local from SSM (alias: dn)
-toast dot ls               # List all .env.local files in SSM
+toast dot                  # Compare local and env-store, choose action (default: sync)
+toast dot up               # Upload .env.local to env-store (S3)
+toast dot down             # Download .env.local from env-store (alias: dn)
+toast dot ls               # List all .env.local files in env-store (S3 + SSM)
 
 # Prompt Files (.prompt.md)
-toast prompt               # Compare local and SSM, choose action (default: sync)
-toast prompt up            # Upload .prompt.md to SSM
-toast prompt down          # Download .prompt.md from SSM (alias: dn)
-toast prompt ls            # List all .prompt.md files in SSM
+toast prompt               # Compare local and env-store, choose action (default: sync)
+toast prompt up            # Upload .prompt.md to env-store (S3)
+toast prompt down          # Download .prompt.md from env-store (alias: dn)
+toast prompt ls            # List all .prompt.md files in env-store (S3 + SSM)
 
 # SSM Parameter Store
 toast ssm                  # Interactive mode: browse and select parameters
@@ -183,16 +183,50 @@ Host myorg-github.com
 - Automatic host detection based on workspace location
 - Seamless switching between GitHub accounts
 
-### AWS SSM Storage Paths
+### Env-store (S3) Storage Paths
 
-Toast-cli stores files in AWS SSM Parameter Store with the following structure:
+The `dot` and `prompt` plugins store files in the S3 env-store bucket. During
+the transition from AWS SSM Parameter Store, reads check both backends and use
+whichever copy is newest; writes always go to S3 (the bucket is the source of
+truth), and SSM copies become stale and are harvested into S3 on the next
+upload.
 
 ```
-/toast/local/{org}/{project}/env-local     # .env.local files
-/toast/local/{org}/{project}/prompt-md     # .prompt.md files
+s3://env-store-{account-id}/local/{org}/{project}/env-local   # .env.local files
+s3://env-store-{account-id}/local/{org}/{project}/prompt-md   # .prompt.md files
+
+/toast/local/{org}/{project}/env-local     # legacy SSM (read-only fallback)
+/toast/local/{org}/{project}/prompt-md     # legacy SSM (read-only fallback)
 ```
 
-Files are stored as SecureString type for encryption at rest.
+S3 objects are written with SSE-KMS encryption. All env-store access uses a
+dedicated AWS profile so it is decoupled from your current default profile.
+
+**Configuration** — precedence: environment variable > config file > default.
+
+Environment variables:
+
+```bash
+TOAST_ENV_STORE_PROFILE   # default: {username}-admin
+TOAST_ENV_STORE_BUCKET    # default: env-store-{account-id of the profile}
+TOAST_ENV_STORE_KMS_KEY   # default: bucket/account default KMS key
+TOAST_ENV_STORE_REGION    # default: profile's region
+```
+
+The profile defaults to your OS username + `-admin`, and the bucket defaults to
+`env-store-` + the AWS account id of that profile (looked up via
+`aws sts get-caller-identity`).
+
+Config file `~/.config/toast/config` (`KEY=VALUE` format). On first run, if it
+is missing, toast prompts for the values and saves them (interactive sessions
+only):
+
+```
+ENV_STORE_BUCKET=env-store-{account-id}
+ENV_STORE_PROFILE={username}-admin
+ENV_STORE_KMS_KEY=
+ENV_STORE_REGION=
+```
 
 ## Creating Plugins
 

toast_cli-4.1.2/VERSION

@@ -0,0 +1 @@
+v4.1.2

toast_cli-4.1.2/tests/test_storage.py

@@ -0,0 +1,379 @@
+#!/usr/bin/env python3
+
+"""Unit tests for the env-store backend pure logic (no AWS access)."""
+
+import os
+import tempfile
+import unittest
+from datetime import timezone
+from unittest import mock
+
+from toast.plugins import storage
+
+
+class ParseTimestampTests(unittest.TestCase):
+    def test_iso_with_offset(self):
+        dt = storage.parse_timestamp("2024-01-02T03:04:05+00:00")
+        self.assertEqual(dt.year, 2024)
+        self.assertEqual(dt.tzinfo, timezone.utc)
+
+    def test_iso_with_z(self):
+        dt = storage.parse_timestamp("2024-01-02T03:04:05Z")
+        self.assertEqual(dt.hour, 3)
+        self.assertEqual(dt.tzinfo, timezone.utc)
+
+    def test_iso_fractional(self):
+        dt = storage.parse_timestamp("2024-01-02T03:04:05.123456+00:00")
+        self.assertIsNotNone(dt)
+        self.assertEqual(dt.microsecond, 123456)
+
+    def test_epoch_float(self):
+        dt = storage.parse_timestamp(0)
+        self.assertEqual(dt.year, 1970)
+
+    def test_none(self):
+        self.assertIsNone(storage.parse_timestamp(None))
+
+    def test_blank(self):
+        self.assertIsNone(storage.parse_timestamp("   "))
+
+    def test_ordering(self):
+        older = storage.parse_timestamp("2024-01-01T00:00:00Z")
+        newer = storage.parse_timestamp("2024-02-01T00:00:00+00:00")
+        self.assertLess(older, newer)
+
+
+class DefaultsTests(unittest.TestCase):
+    def test_default_profile(self):
+        with mock.patch.object(storage, "_current_username", return_value="alice"):
+            self.assertEqual(storage.default_profile(), "alice-admin")
+
+    def test_get_account_id_success(self):
+        fake = mock.Mock(returncode=0, stdout="123456789012\n", stderr="")
+        with mock.patch.object(storage.subprocess, "run", return_value=fake):
+            self.assertEqual(storage.get_account_id("p"), "123456789012")
+
+    def test_get_account_id_failure(self):
+        fake = mock.Mock(returncode=255, stdout="", stderr="error")
+        with mock.patch.object(storage.subprocess, "run", return_value=fake):
+            self.assertIsNone(storage.get_account_id("p"))
+
+    def test_default_bucket(self):
+        with mock.patch.object(storage, "get_account_id", return_value="123456789012"):
+            self.assertEqual(storage.default_bucket("p"), "env-store-123456789012")
+
+    def test_default_bucket_none(self):
+        with mock.patch.object(storage, "get_account_id", return_value=None):
+            self.assertIsNone(storage.default_bucket("p"))
+
+
+class ConfigTests(unittest.TestCase):
+    def test_defaults_no_file(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "config")
+            with mock.patch.dict(os.environ, {}, clear=True), mock.patch.object(
+                storage, "_current_username", return_value="bob"
+            ), mock.patch.object(storage, "get_account_id", return_value="111122223333"):
+                c = storage.resolve_config(config_path=path, create=False)
+            self.assertEqual(c.profile, "bob-admin")
+            self.assertEqual(c.bucket, "env-store-111122223333")
+            self.assertIsNone(c.kms_key)
+            self.assertIsNone(c.region)
+
+    def test_bucket_none_on_sts_failure(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "config")
+            with mock.patch.dict(os.environ, {}, clear=True), mock.patch.object(
+                storage, "get_account_id", return_value=None
+            ):
+                c = storage.resolve_config(config_path=path, create=False)
+            self.assertIsNone(c.bucket)
+
+    def test_env_overrides(self):
+        env = {
+            "TOAST_ENV_STORE_BUCKET": "my-bucket",
+            "TOAST_ENV_STORE_PROFILE": "my-profile",
+            "TOAST_ENV_STORE_KMS_KEY": "key-123",
+            "TOAST_ENV_STORE_REGION": "us-west-2",
+        }
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "config")
+            with mock.patch.dict(os.environ, env, clear=True):
+                c = storage.resolve_config(config_path=path, create=False)
+            self.assertEqual(c.bucket, "my-bucket")
+            self.assertEqual(c.profile, "my-profile")
+            self.assertEqual(c.kms_key, "key-123")
+            self.assertEqual(c.region, "us-west-2")
+
+    def test_file_values_used(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "config")
+            with open(path, "w") as f:
+                f.write("ENV_STORE_BUCKET=file-bucket\nENV_STORE_PROFILE=file-profile\n")
+            with mock.patch.dict(os.environ, {}, clear=True):
+                c = storage.resolve_config(config_path=path, create=False)
+            self.assertEqual(c.bucket, "file-bucket")
+            self.assertEqual(c.profile, "file-profile")
+
+    def test_env_beats_file(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "config")
+            with open(path, "w") as f:
+                f.write("ENV_STORE_BUCKET=file-bucket\n")
+            with mock.patch.dict(
+                os.environ, {"TOAST_ENV_STORE_BUCKET": "env-bucket"}, clear=True
+            ):
+                c = storage.resolve_config(config_path=path, create=False)
+            self.assertEqual(c.bucket, "env-bucket")
+
+    def test_prompt_creates_file(self):
+        # Prompt order: profile, region, bucket, kms
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "toast", "config")
+            self.assertFalse(os.path.exists(path))
+            with mock.patch.dict(os.environ, {}, clear=True), mock.patch(
+                "sys.stdin.isatty", return_value=True
+            ), mock.patch.object(
+                storage, "get_account_id", return_value="999988887777"
+            ), mock.patch.object(
+                storage.click, "confirm", return_value=True
+            ), mock.patch.object(
+                storage.click, "prompt", side_effect=["p1", "", "b1", ""]
+            ):
+                c = storage.resolve_config(config_path=path, create=True)
+            self.assertTrue(os.path.exists(path))
+            self.assertEqual(c.profile, "p1")
+            self.assertEqual(c.bucket, "b1")
+            self.assertIsNone(c.kms_key)
+
+    def test_decline_does_not_create(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "toast", "config")
+            with mock.patch.dict(os.environ, {}, clear=True), mock.patch(
+                "sys.stdin.isatty", return_value=True
+            ), mock.patch.object(
+                storage, "get_account_id", return_value="111122223333"
+            ), mock.patch.object(storage.click, "confirm", return_value=False):
+                c = storage.resolve_config(config_path=path, create=True)
+            self.assertFalse(os.path.exists(path))
+            self.assertEqual(c.bucket, "env-store-111122223333")
+
+    def test_no_prompt_when_not_tty(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "toast", "config")
+            with mock.patch.dict(os.environ, {}, clear=True), mock.patch(
+                "sys.stdin.isatty", return_value=False
+            ), mock.patch.object(
+                storage, "get_account_id", return_value="111122223333"
+            ):
+                c = storage.resolve_config(config_path=path, create=True)
+            self.assertFalse(os.path.exists(path))
+            self.assertEqual(c.bucket, "env-store-111122223333")
+
+    def test_render_roundtrip(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "config")
+            with open(path, "w") as f:
+                f.write(storage.render_config("b", "p", "k", "r"))
+            cfg = storage.read_config_file(path)
+            self.assertEqual(cfg["ENV_STORE_BUCKET"], "b")
+            self.assertEqual(cfg["ENV_STORE_PROFILE"], "p")
+            self.assertEqual(cfg["ENV_STORE_REGION"], "r")
+
+    def test_read_skips_comments(self):
+        with tempfile.TemporaryDirectory() as d:
+            path = os.path.join(d, "config")
+            with open(path, "w") as f:
+                f.write("# comment\n\n#ENV_STORE_BUCKET=x\nENV_STORE_PROFILE=p\n")
+            self.assertEqual(storage.read_config_file(path), {"ENV_STORE_PROFILE": "p"})
+
+
+class PathTests(unittest.TestCase):
+    def test_ssm_path(self):
+        self.assertEqual(
+            storage.ssm_path("org", "proj", "env-local"),
+            "/toast/local/org/proj/env-local",
+        )
+
+    def test_s3_key(self):
+        self.assertEqual(
+            storage.s3_key("org", "proj", "prompt-md"),
+            "local/org/proj/prompt-md",
+        )
+
+    def test_parse_s3_key(self):
+        self.assertEqual(
+            storage._parse_s3_key("local/org/proj/env-local"),
+            ("org", "proj", "env-local"),
+        )
+        self.assertIsNone(storage._parse_s3_key("bad/key"))
+        self.assertIsNone(storage._parse_s3_key("other/org/proj/env-local"))
+
+    def test_parse_ssm_name(self):
+        self.assertEqual(
+            storage._parse_ssm_name("/toast/local/org/proj/prompt-md"),
+            ("org", "proj", "prompt-md"),
+        )
+        self.assertIsNone(storage._parse_ssm_name("/foo/bar"))
+
+
+class AwsCommandTests(unittest.TestCase):
+    def test_profile_injected(self):
+        cfg = storage.StoreConfig("b", "myprofile", None, None)
+        cmd = storage._aws(cfg, ["s3api", "list-objects-v2"])
+        self.assertIn("--profile", cmd)
+        self.assertEqual(cmd[cmd.index("--profile") + 1], "myprofile")
+        self.assertNotIn("--region", cmd)
+
+    def test_region_injected(self):
+        cfg = storage.StoreConfig("b", "p", None, "us-west-2")
+        cmd = storage._aws(cfg, ["ssm", "get-parameter"])
+        self.assertEqual(cmd[cmd.index("--region") + 1], "us-west-2")
+
+    def test_s3_put_uses_kms_server_side_encryption(self):
+        cfg = storage.StoreConfig("b", "p", None, None)
+        captured = {}
+
+        def fake_run(cmd, **kw):
+            captured["cmd"] = cmd
+            return mock.Mock(returncode=0, stdout="{}", stderr="")
+
+        with mock.patch.object(storage.subprocess, "run", side_effect=fake_run):
+            ok, err = storage.s3_put(cfg, "local/o/p/env-local", "data")
+
+        self.assertTrue(ok)
+        cmd = captured["cmd"]
+        self.assertIn("--server-side-encryption", cmd)
+        self.assertEqual(cmd[cmd.index("--server-side-encryption") + 1], "aws:kms")
+        # '--sse' is not a valid s3api option (it is the high-level `aws s3` shorthand)
+        self.assertNotIn("--sse", cmd)
+
+    def test_ssm_get_passes_profile_and_region(self):
+        cfg = storage.StoreConfig("b", "myprofile", None, "eu-west-1")
+        with mock.patch.object(
+            storage, "get_ssm_parameter", return_value=("v", "t", None)
+        ) as m:
+            storage.ssm_get(cfg, "/toast/local/o/p/env-local")
+        m.assert_called_once_with(
+            "/toast/local/o/p/env-local", profile="myprofile", region="eu-west-1"
+        )
+
+
+class StoreReadTests(unittest.TestCase):
+    def _cfg(self):
+        return storage.StoreConfig("b", "p", None, None)
+
+    def test_both_s3_newer(self):
+        with mock.patch.object(
+            storage, "s3_get", return_value=("s3val", "2024-02-01T00:00:00Z", None)
+        ), mock.patch.object(
+            storage, "ssm_get", return_value=("ssmval", "2024-01-01T00:00:00Z", None)
+        ):
+            r = storage.store_read(self._cfg(), "o", "p", "env-local")
+            self.assertEqual(r.source, "s3")
+            self.assertEqual(r.value, "s3val")
+            self.assertEqual(r.status, "both")
+
+    def test_both_ssm_newer(self):
+        with mock.patch.object(
+            storage, "s3_get", return_value=("s3val", "2024-01-01T00:00:00Z", None)
+        ), mock.patch.object(
+            storage, "ssm_get", return_value=("ssmval", "2024-02-01T00:00:00Z", None)
+        ):
+            r = storage.store_read(self._cfg(), "o", "p", "env-local")
+            self.assertEqual(r.source, "ssm")
+            self.assertEqual(r.value, "ssmval")
+
+    def test_tie_prefers_s3(self):
+        ts = "2024-01-01T00:00:00Z"
+        with mock.patch.object(
+            storage, "s3_get", return_value=("s3val", ts, None)
+        ), mock.patch.object(storage, "ssm_get", return_value=("ssmval", ts, None)):
+            r = storage.store_read(self._cfg(), "o", "p", "env-local")
+            self.assertEqual(r.source, "s3")
+
+    def test_s3_only(self):
+        with mock.patch.object(
+            storage, "s3_get", return_value=("s3val", "2024-01-01T00:00:00Z", None)
+        ), mock.patch.object(storage, "ssm_get", return_value=(None, None, None)):
+            r = storage.store_read(self._cfg(), "o", "p", "env-local")
+            self.assertEqual(r.source, "s3")
+            self.assertEqual(r.status, "s3_only")
+
+    def test_ssm_only(self):
+        with mock.patch.object(
+            storage, "s3_get", return_value=(None, None, None)
+        ), mock.patch.object(
+            storage, "ssm_get", return_value=("ssmval", "2024-01-01T00:00:00Z", None)
+        ):
+            r = storage.store_read(self._cfg(), "o", "p", "env-local")
+            self.assertEqual(r.source, "ssm")
+            self.assertEqual(r.status, "ssm_only")
+
+    def test_none(self):
+        with mock.patch.object(
+            storage, "s3_get", return_value=(None, None, None)
+        ), mock.patch.object(storage, "ssm_get", return_value=(None, None, None)):
+            r = storage.store_read(self._cfg(), "o", "p", "env-local")
+            self.assertEqual(r.status, "none")
+            self.assertIsNone(r.value)
+            self.assertIsNone(r.source)
+
+    def test_s3_error_falls_back_to_ssm(self):
+        with mock.patch.object(
+            storage, "s3_get", return_value=(None, None, "AccessDenied")
+        ), mock.patch.object(
+            storage, "ssm_get", return_value=("ssmval", "2024-01-01T00:00:00Z", None)
+        ):
+            r = storage.store_read(self._cfg(), "o", "p", "env-local")
+            self.assertEqual(r.source, "ssm")
+            self.assertTrue(any(src == "s3" for src, _ in r.errors))
+
+
+class StoreListTests(unittest.TestCase):
+    def _cfg(self):
+        return storage.StoreConfig("b", "p", None, None)
+
+    def test_merge_and_newest(self):
+        s3_entries = [
+            {"key": "local/org/proj/env-local", "last_modified": "2024-02-01T00:00:00Z"}
+        ]
+        ssm_entries = [
+            {
+                "name": "/toast/local/org/proj/env-local",
+                "last_modified": "2024-01-01T00:00:00Z",
+            },
+            {
+                "name": "/toast/local/org/other/env-local",
+                "last_modified": "2024-01-01T00:00:00Z",
+            },
+        ]
+        with mock.patch.object(
+            storage, "s3_list", return_value=(s3_entries, None)
+        ), mock.patch.object(storage, "ssm_list", return_value=(ssm_entries, None)):
+            rows, errors = storage.store_list(self._cfg(), "env-local")
+
+        self.assertEqual(errors, [])
+        self.assertEqual([r["path"] for r in rows], ["org/other", "org/proj"])
+        by_path = {r["path"]: r for r in rows}
+        # org/proj exists in both; S3 is newer -> current S3, in both backends
+        self.assertEqual(by_path["org/proj"]["source"], "s3")
+        self.assertTrue(by_path["org/proj"]["in_s3"])
+        self.assertTrue(by_path["org/proj"]["in_ssm"])
+        # org/other only in SSM
+        self.assertEqual(by_path["org/other"]["source"], "ssm")
+        self.assertFalse(by_path["org/other"]["in_s3"])
+
+    def test_kind_filter(self):
+        s3_entries = [
+            {"key": "local/org/proj/prompt-md", "last_modified": "2024-02-01T00:00:00Z"}
+        ]
+        with mock.patch.object(
+            storage, "s3_list", return_value=(s3_entries, None)
+        ), mock.patch.object(storage, "ssm_list", return_value=([], None)):
+            rows, _ = storage.store_list(self._cfg(), "env-local")
+        self.assertEqual(rows, [])
+
+
+if __name__ == "__main__":
+    unittest.main()

toast_cli-4.1.2/toast/plugins/dot_plugin.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+import click
+from toast.plugins.base_plugin import BasePlugin
+from toast.plugins.storage import run_file_sync
+
+
+class DotPlugin(BasePlugin):
+    """Plugin for 'dot' command - manages .env.local files."""
+
+    name = "dot"
+    help = "Manage .env.local files"
+
+    @classmethod
+    def get_arguments(cls, func):
+        func = click.argument("command", required=False)(func)
+        return func
+
+    @classmethod
+    def execute(cls, command=None, **kwargs):
+        run_file_sync("env-local", ".env.local", command)