vaultuner 0.1.6__py3-none-any.whl

vaultuner/__init__.py

@@ -0,0 +1,2 @@
+# ABOUTME: Vaultuner package for Bitwarden Secrets Manager.
+# ABOUTME: Provides CLI with PROJECT/[ENV/]SECRET naming convention.

vaultuner/cli.py

@@ -0,0 +1,434 @@
+# ABOUTME: Typer CLI for Bitwarden Secrets Manager.
+# ABOUTME: Commands for listing, getting, setting, and deleting secrets.
+
+from importlib.metadata import version
+from pathlib import Path
+from typing import Annotated, Literal
+
+import typer
+from rich.console import Console
+from rich.table import Table
+
+from vaultuner.client import find_secret_by_key, get_client, get_or_create_project
+from vaultuner.config import (
+    DEFAULT_PROJECT_NAME,
+    delete_keyring_value,
+    get_keyring_value,
+    get_settings,
+    set_keyring_value,
+)
+from vaultuner.models import (
+    SecretPath,
+    is_deleted,
+    mark_deleted,
+    unmark_deleted,
+)
+
+__version__ = version("vaultuner")
+
+
+def version_callback(value: bool) -> None:
+    if value:
+        print(f"vaultuner {__version__}")
+        raise typer.Exit()
+
+
+app = typer.Typer(
+    help=f"Bitwarden Secrets Manager CLI with PROJECT/[ENV/]SECRET naming. (v{__version__})",
+    no_args_is_help=True,
+)
+config_app = typer.Typer(help="Manage vaultuner credentials stored in system keychain.")
+app.add_typer(config_app, name="config")
+
+
+@app.callback()
+def main(
+    version: Annotated[
+        bool, typer.Option("--version", "-V", callback=version_callback, is_eager=True)
+    ] = False,
+) -> None:
+    """Bitwarden Secrets Manager CLI."""
+
+
+console = Console()
+err_console = Console(stderr=True)
+
+ConfigKey = Literal["access-token", "organization-id"]
+KEYRING_MAP = {
+    "access-token": "bws_access_token",
+    "organization-id": "bws_organization_id",
+}
+
+
+@config_app.command("set")
+def config_set(
+    key: ConfigKey = typer.Argument(..., help="Config key to set"),
+    value: str = typer.Argument(..., help="Value to store"),
+):
+    """Store a credential in the system keychain."""
+    keyring_key = KEYRING_MAP[key]
+    set_keyring_value(keyring_key, value)
+    console.print(f"[green]Stored:[/green] {key}")
+
+
+@config_app.command("show")
+def config_show():
+    """Show current configuration status."""
+    table = Table(show_header=True, header_style="bold")
+    table.add_column("Setting", style="cyan")
+    table.add_column("Status")
+
+    access_token = get_keyring_value(KEYRING_MAP["access-token"])
+    org_id = get_keyring_value(KEYRING_MAP["organization-id"])
+
+    table.add_row(
+        "access-token",
+        "[green]configured[/green]" if access_token else "[red]not set[/red]",
+    )
+    table.add_row(
+        "organization-id",
+        "[green]configured[/green]" if org_id else "[red]not set[/red]",
+    )
+    console.print(table)
+
+
+@config_app.command("delete")
+def config_delete(
+    key: ConfigKey = typer.Argument(..., help="Config key to delete"),
+):
+    """Remove a credential from the system keychain."""
+    keyring_key = KEYRING_MAP[key]
+    delete_keyring_value(keyring_key)
+    console.print(f"[red]Deleted:[/red] {key}")
+
+
+@app.command("list")
+def list_secrets(
+    project: str | None = typer.Option(
+        None, "--project", "-p", help="Filter by project"
+    ),
+    env: str | None = typer.Option(None, "--env", "-e", help="Filter by environment"),
+    deleted: bool = typer.Option(False, "--deleted", "-d", help="Show deleted secrets"),
+):
+    """List secrets. Optionally filter by project and/or environment."""
+    settings = get_settings()
+    client = get_client()
+    response = client.secrets().list(settings.organization_id)
+    if not response.data or not response.data.data:
+        console.print("[dim]No secrets found.[/dim]")
+        return
+
+    table = Table(show_header=True, header_style="bold")
+    table.add_column("Project", style="cyan")
+    table.add_column("Env", style="yellow")
+    table.add_column("Name", style="green")
+    if deleted:
+        table.add_column("Status", style="red")
+
+    count = 0
+    for secret in response.data.data:
+        key = secret.key
+        secret_deleted = is_deleted(key)
+
+        if secret_deleted and not deleted:
+            continue
+
+        display_key = unmark_deleted(key) if secret_deleted else key
+
+        try:
+            path = SecretPath.parse(display_key)
+        except ValueError:
+            continue
+
+        if project and path.project != project:
+            continue
+        if env and path.env != env:
+            continue
+
+        if deleted:
+            status = "[red]deleted[/red]" if secret_deleted else "[green]active[/green]"
+            table.add_row(path.project, path.env or "-", path.name, status)
+        else:
+            table.add_row(path.project, path.env or "-", path.name)
+        count += 1
+
+    if count == 0:
+        console.print("[dim]No secrets found.[/dim]")
+    else:
+        console.print(table)
+
+
+@app.command()
+def get(
+    path: str = typer.Argument(..., help="Secret path: PROJECT/[ENV/]NAME"),
+    value_only: bool = typer.Option(
+        False, "--value", "-v", help="Print only the value"
+    ),
+):
+    """Get a secret by path."""
+    client = get_client()
+    secret_info = find_secret_by_key(client, path)
+    if not secret_info:
+        err_console.print(f"[red]Secret not found:[/red] {path}")
+        raise typer.Exit(1)
+
+    response = client.secrets().get(secret_info["id"])
+    if not response.data:
+        err_console.print(f"[red]Failed to retrieve secret:[/red] {path}")
+        raise typer.Exit(1)
+
+    if value_only:
+        console.print(response.data.value)
+    else:
+        table = Table(show_header=False, box=None)
+        table.add_column("Label", style="dim")
+        table.add_column("Value")
+        table.add_row("Path", f"[cyan]{response.data.key}[/cyan]")
+        table.add_row("Value", f"[green]{response.data.value}[/green]")
+        if response.data.note:
+            table.add_row("Note", f"[dim]{response.data.note}[/dim]")
+        console.print(table)
+
+
+@app.command()
+def set(
+    path: str = typer.Argument(..., help="Secret path: PROJECT/[ENV/]NAME"),
+    value: str = typer.Argument(..., help="Secret value"),
+    note: str | None = typer.Option(None, "--note", "-n", help="Optional note"),
+):
+    """Create or update a secret."""
+    settings = get_settings()
+    client = get_client()
+
+    existing = find_secret_by_key(client, path)
+    if existing:
+        response = client.secrets().update(
+            organization_id=settings.organization_id,
+            id=existing["id"],
+            key=path,
+            value=value,
+            note=note,
+            project_ids=None,
+        )
+        if not response.data:
+            err_console.print("[red]Failed to update secret.[/red]")
+            raise typer.Exit(1)
+        console.print(f"[yellow]Updated:[/yellow] {path}")
+    else:
+        project_id = get_or_create_project(client, DEFAULT_PROJECT_NAME)
+        response = client.secrets().create(
+            organization_id=settings.organization_id,
+            key=path,
+            value=value,
+            note=note,
+            project_ids=[project_id],
+        )
+        if not response.data:
+            err_console.print("[red]Failed to create secret.[/red]")
+            raise typer.Exit(1)
+        console.print(f"[green]Created:[/green] {path}")
+
+
+@app.command()
+def delete(
+    path: str = typer.Argument(..., help="Secret path: PROJECT/[ENV/]NAME"),
+    force: bool = typer.Option(False, "--force", "-f", help="Skip confirmation"),
+    permanent: bool = typer.Option(False, "--permanent", help="Permanently delete"),
+):
+    """Delete a secret (soft-delete by default)."""
+    settings = get_settings()
+    client = get_client()
+    secret_info = find_secret_by_key(client, path)
+    if not secret_info:
+        err_console.print(f"[red]Secret not found:[/red] {path}")
+        raise typer.Exit(1)
+
+    if not force:
+        action = "permanently delete" if permanent else "delete"
+        confirm = typer.confirm(f"{action.capitalize()} secret '{path}'?")
+        if not confirm:
+            raise typer.Abort()
+
+    if permanent:
+        client.secrets().delete([secret_info["id"]])
+        console.print(f"[red]Permanently deleted:[/red] {path}")
+    else:
+        response = client.secrets().get(secret_info["id"])
+        if not response.data:
+            err_console.print("[red]Failed to get secret for deletion.[/red]")
+            raise typer.Exit(1)
+
+        deleted_key = mark_deleted(path)
+        project_ids = (
+            [str(response.data.project_id)] if response.data.project_id else None
+        )
+        client.secrets().update(
+            organization_id=settings.organization_id,
+            id=secret_info["id"],
+            key=deleted_key,
+            value=response.data.value,
+            note=response.data.note,
+            project_ids=project_ids,
+        )
+        console.print(f"[red]Deleted:[/red] {path}")
+
+
+@app.command()
+def restore(
+    path: str = typer.Argument(..., help="Secret path: PROJECT/[ENV/]NAME"),
+):
+    """Restore a soft-deleted secret."""
+    settings = get_settings()
+    client = get_client()
+    deleted_key = mark_deleted(path)
+    secret_info = find_secret_by_key(client, deleted_key)
+    if not secret_info:
+        err_console.print(f"[red]Deleted secret not found:[/red] {path}")
+        raise typer.Exit(1)
+
+    response = client.secrets().get(secret_info["id"])
+    if not response.data:
+        err_console.print("[red]Failed to get secret for restoration.[/red]")
+        raise typer.Exit(1)
+
+    project_ids = [str(response.data.project_id)] if response.data.project_id else None
+    client.secrets().update(
+        organization_id=settings.organization_id,
+        id=secret_info["id"],
+        key=path,
+        value=response.data.value,
+        note=response.data.note,
+        project_ids=project_ids,
+    )
+    console.print(f"[green]Restored:[/green] {path}")
+
+
+@app.command()
+def projects():
+    """List all projects."""
+    settings = get_settings()
+    client = get_client()
+    response = client.projects().list(settings.organization_id)
+    if not response.data or not response.data.data:
+        console.print("[dim]No projects found.[/dim]")
+        return
+
+    table = Table(show_header=True, header_style="bold")
+    table.add_column("Project", style="cyan")
+
+    for project in response.data.data:
+        table.add_row(project.name)
+
+    console.print(table)
+
+
+@app.command()
+def export(
+    project: str | None = typer.Option(
+        None,
+        "--project",
+        "-p",
+        help="Project name (defaults to current directory name)",
+    ),
+    env: str | None = typer.Option(None, "--env", "-e", help="Filter by environment"),
+    output: Path = typer.Option(
+        Path(".env"), "--output", "-o", help="Output file path (default: .env)"
+    ),
+):
+    """Export project secrets to a .env file."""
+    from vaultuner.export import export_secrets
+
+    project_name = project or Path.cwd().name
+    added_count, skipped_count = export_secrets(project_name, output, env)
+
+    if added_count == 0 and skipped_count == 0:
+        console.print(f"[dim]No secrets found for project '{project_name}'.[/dim]")
+    else:
+        console.print(
+            f"[green]Exported to {output}:[/green] {added_count} added, {skipped_count} already present"
+        )
+
+
+@app.command("import")
+def import_env(
+    project: str | None = typer.Option(
+        None,
+        "--project",
+        "-p",
+        help="Project name (defaults to current directory name)",
+    ),
+    env: str | None = typer.Option(None, "--env", "-e", help="Environment for secrets"),
+    input_file: Path = typer.Option(
+        Path(".env"), "--input", "-i", help="Input file path (default: .env)"
+    ),
+    yes: bool = typer.Option(False, "--yes", "-y", help="Import all without prompting"),
+):
+    """Import secrets from a .env file to the secret store."""
+    from vaultuner.import_env import (
+        build_secret_path,
+        env_var_to_secret_name,
+        parse_env_entries,
+    )
+
+    if not input_file.exists():
+        err_console.print(f"[red]File not found:[/red] {input_file}")
+        raise typer.Exit(1)
+
+    project_name = project or Path.cwd().name
+    entries = parse_env_entries(input_file)
+
+    if not entries:
+        console.print(f"[dim]No entries found in {input_file}.[/dim]")
+        return
+
+    settings = get_settings()
+    client = get_client()
+
+    # Phase 1: Collect secrets to import
+    to_import: list[tuple[str, str]] = []
+    skipped_count = 0
+
+    for var_name, value in entries:
+        secret_name = env_var_to_secret_name(var_name)
+        secret_path = build_secret_path(project_name, env, secret_name)
+
+        # Check if secret already exists
+        existing = find_secret_by_key(client, secret_path)
+        if existing:
+            console.print(f"[dim]Already exists:[/dim] {secret_path}")
+            skipped_count += 1
+            continue
+
+        if not yes:
+            console.print(f"\n[cyan]{var_name}[/cyan] [dim]({len(value)} chars)[/dim]")
+            console.print(f"  → [green]{secret_path}[/green]")
+            if not typer.confirm("Store this secret?", default=True):
+                skipped_count += 1
+                continue
+
+        to_import.append((secret_path, value))
+
+    if not to_import:
+        console.print("\n[dim]Nothing to import.[/dim]")
+        return
+
+    # Phase 2: Import all approved secrets
+    console.print(f"\n[cyan]Importing {len(to_import)} secrets...[/cyan]")
+    project_id = get_or_create_project(client, DEFAULT_PROJECT_NAME)
+    created_count = 0
+
+    for secret_path, value in to_import:
+        response = client.secrets().create(
+            organization_id=settings.organization_id,
+            key=secret_path,
+            value=value,
+            note=None,
+            project_ids=[project_id],
+        )
+        if response.data:
+            created_count += 1
+            console.print(f"[green]Created:[/green] {secret_path}")
+
+    console.print(
+        f"\n[green]Import complete:[/green] {created_count} created, {skipped_count} skipped"
+    )

vaultuner/client.py

@@ -0,0 +1,60 @@
+# ABOUTME: Bitwarden Secrets Manager client wrapper.
+# ABOUTME: Handles authentication and provides helper functions for secrets/projects.
+
+import tempfile
+from pathlib import Path
+
+from bitwarden_sdk import BitwardenClient, DeviceType, client_settings_from_dict
+
+from vaultuner.config import get_settings
+
+
+def get_client() -> BitwardenClient:
+    """Create and authenticate a Bitwarden client."""
+    settings = get_settings()
+    client = BitwardenClient(
+        client_settings_from_dict(
+            {
+                "apiUrl": settings.api_url,
+                "identityUrl": settings.identity_url,
+                "deviceType": DeviceType.SDK,
+                "userAgent": "vaultuner",
+            }
+        )
+    )
+    with tempfile.NamedTemporaryFile(
+        mode="w", suffix=".json", delete=False, delete_on_close=False
+    ) as f:
+        state_path = Path(f.name)
+    client.auth().login_access_token(
+        settings.access_token.get_secret_value(), str(state_path)
+    )
+    state_path.unlink(missing_ok=True)
+    return client
+
+
+def get_or_create_project(client: BitwardenClient, project_name: str) -> str:
+    """Get project ID by name, creating it if it doesn't exist."""
+    settings = get_settings()
+    response = client.projects().list(settings.organization_id)
+    if response.data and response.data.data:
+        for project in response.data.data:
+            if project.name == project_name:
+                return str(project.id)
+
+    result = client.projects().create(settings.organization_id, project_name)
+    if not result.data:
+        raise RuntimeError(f"Failed to create project: {project_name}")
+    return str(result.data.id)
+
+
+def find_secret_by_key(client: BitwardenClient, key: str) -> dict | None:
+    """Find a secret by its key name."""
+    settings = get_settings()
+    response = client.secrets().list(settings.organization_id)
+    if not response.data or not response.data.data:
+        return None
+    for secret in response.data.data:
+        if secret.key == key:
+            return {"id": str(secret.id), "key": secret.key}
+    return None

vaultuner/config.py

@@ -0,0 +1,104 @@
+# ABOUTME: Configuration settings for Bitwarden Secrets Manager.
+# ABOUTME: Loads credentials from keychain (preferred) or environment variables.
+
+import sys
+
+import keyring
+from pydantic import SecretStr
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+SERVICE_NAME = "vaultuner"
+DEFAULT_PROJECT_NAME = "vaultuner"
+
+
+def _require_darwin() -> None:
+    """Ensure we're running on macOS where keyring is supported."""
+    if sys.platform != "darwin":
+        raise SystemExit(
+            "Keyring storage is only supported on macOS. "
+            "Use environment variables BWS_ACCESS_TOKEN and BWS_ORGANIZATION_ID instead."
+        )
+
+
+def get_keyring_value(key: str) -> str | None:
+    """Get a value from the system keychain. Returns None on non-darwin."""
+    if sys.platform != "darwin":
+        return None
+    return keyring.get_password(SERVICE_NAME, key)
+
+
+def set_keyring_value(key: str, value: str) -> None:
+    """Store a value in the system keychain."""
+    _require_darwin()
+    keyring.set_password(SERVICE_NAME, key, value)
+
+
+def delete_keyring_value(key: str) -> None:
+    """Delete a value from the system keychain."""
+    _require_darwin()
+    try:
+        keyring.delete_password(SERVICE_NAME, key)
+    except keyring.errors.PasswordDeleteError:
+        pass
+
+
+class Settings(BaseSettings):
+    model_config = SettingsConfigDict(env_prefix="BWS_")
+
+    access_token: SecretStr
+    organization_id: str
+    api_url: str = "https://vault.bitwarden.com/api"
+    identity_url: str = "https://vault.bitwarden.com/identity"
+
+    @classmethod
+    def settings_customise_sources(
+        cls,
+        settings_cls,
+        init_settings,
+        env_settings,
+        dotenv_settings,
+        file_secret_settings,
+    ):
+        """Load from keychain first, then fall back to env vars."""
+        return (
+            init_settings,
+            KeyringSettingsSource(settings_cls),
+            env_settings,
+            dotenv_settings,
+            file_secret_settings,
+        )
+
+
+class KeyringSettingsSource:
+    """Custom settings source that reads from system keychain."""
+
+    def __init__(self, settings_cls):
+        self.settings_cls = settings_cls
+
+    def __call__(self):
+        values = {}
+        access_token = get_keyring_value("bws_access_token")
+        if access_token:
+            values["access_token"] = access_token
+        org_id = get_keyring_value("bws_organization_id")
+        if org_id:
+            values["organization_id"] = org_id
+        return values
+
+
+_settings: Settings | None = None
+
+
+def get_settings() -> Settings:
+    """Load settings lazily, with helpful error message if not configured."""
+    global _settings
+    if _settings is None:
+        try:
+            _settings = Settings()
+        except Exception:
+            raise SystemExit(
+                "Credentials not configured. Run:\n"
+                "  vaultuner config set access-token <token>\n"
+                "  vaultuner config set organization-id <org-id>"
+            )
+    return _settings

vaultuner/export.py

@@ -0,0 +1,105 @@
+# ABOUTME: Export project secrets to .env file format.
+# ABOUTME: Handles parsing existing .env files and appending new secrets.
+
+from pathlib import Path
+
+from vaultuner.client import get_client
+from vaultuner.config import get_settings
+from vaultuner.models import SecretPath, is_deleted
+
+
+def secret_name_to_env_var(name: str) -> str:
+    """Convert a secret name to an environment variable name."""
+    return name.upper().replace("-", "_")
+
+
+def parse_env_file(path: Path) -> set[str]:
+    """Parse a .env file and return the set of defined variable names."""
+    defined_vars: set[str] = set()
+    if not path.exists():
+        return defined_vars
+
+    for line in path.read_text().splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        if "=" in line:
+            var_name = line.split("=", 1)[0].strip()
+            defined_vars.add(var_name)
+    return defined_vars
+
+
+def export_secrets(
+    project_name: str,
+    output: Path,
+    env: str | None = None,
+) -> tuple[int, int]:
+    """
+    Export secrets for a project to a .env file.
+
+    Returns a tuple of (added_count, skipped_count).
+    """
+    settings = get_settings()
+    client = get_client()
+    response = client.secrets().list(settings.organization_id)
+
+    if not response.data or not response.data.data:
+        return 0, 0
+
+    # Find secrets matching the project (and optionally env)
+    matching_secrets: list[tuple[SecretPath, str]] = []
+    for secret in response.data.data:
+        key = secret.key
+        if is_deleted(key):
+            continue
+
+        try:
+            path = SecretPath.parse(key)
+        except ValueError:
+            continue
+
+        if path.project != project_name:
+            continue
+        if path.env != env:
+            continue
+
+        # Fetch the actual value
+        secret_response = client.secrets().get(secret.id)
+        if secret_response.data:
+            matching_secrets.append((path, secret_response.data.value))
+
+    if not matching_secrets:
+        return 0, 0
+
+    # Parse existing .env to find already-defined variables
+    existing_vars = parse_env_file(output)
+
+    # Build the lines to append
+    lines_to_append: list[str] = []
+    added_count = 0
+    skipped_count = 0
+
+    for path, value in matching_secrets:
+        env_var = secret_name_to_env_var(path.name)
+        escaped_value = value.replace("\\", "\\\\").replace('"', '\\"')
+        env_line = f'{env_var}="{escaped_value}"'
+
+        if env_var in existing_vars:
+            lines_to_append.append(f"# Already defined above, from {path}:")
+            lines_to_append.append(f"# {env_line}")
+            skipped_count += 1
+        else:
+            lines_to_append.append(env_line)
+            existing_vars.add(env_var)
+            added_count += 1
+
+    # Append to file
+    if lines_to_append:
+        with output.open("a") as f:
+            if output.exists() and output.stat().st_size > 0:
+                # Ensure we start on a new line
+                f.write("\n")
+            f.write("\n".join(lines_to_append))
+            f.write("\n")
+
+    return added_count, skipped_count

vaultuner/import_env.py

@@ -0,0 +1,45 @@
+# ABOUTME: Import secrets from .env file to Bitwarden Secrets Manager.
+# ABOUTME: Parses .env files and interactively stores secrets.
+
+from pathlib import Path
+
+
+def env_var_to_secret_name(var_name: str) -> str:
+    """Convert an environment variable name to a secret name.
+
+    This is the inverse of secret_name_to_env_var() from export.py.
+    """
+    return var_name.lower().replace("_", "-")
+
+
+def parse_env_entries(path: Path) -> list[tuple[str, str]]:
+    """Parse a .env file and return list of (name, value) tuples."""
+    entries: list[tuple[str, str]] = []
+    if not path.exists():
+        return entries
+
+    for line in path.read_text().splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        if "=" not in line:
+            continue
+
+        var_name, _, value = line.partition("=")
+        var_name = var_name.strip()
+        value = value.strip()
+
+        # Remove surrounding quotes if present
+        if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
+            value = value[1:-1]
+
+        entries.append((var_name, value))
+
+    return entries
+
+
+def build_secret_path(project: str, env: str | None, name: str) -> str:
+    """Build a secret path from components."""
+    if env:
+        return f"{project}/{env}/{name}"
+    return f"{project}/{name}"

vaultuner/models.py

@@ -0,0 +1,55 @@
+# ABOUTME: Data models for vaultuner.
+# ABOUTME: SecretPath represents the PROJECT/[ENV/]SECRET naming convention.
+
+from pydantic import BaseModel
+
+DELETED_PREFIX = "_deleted_/"
+
+
+def is_deleted(key: str) -> bool:
+    """Check if a secret key is marked as deleted."""
+    return key.startswith(DELETED_PREFIX)
+
+
+def mark_deleted(key: str) -> str:
+    """Mark a secret key as deleted by adding the prefix."""
+    return f"{DELETED_PREFIX}{key}"
+
+
+def unmark_deleted(key: str) -> str:
+    """Remove the deleted prefix from a secret key."""
+    return key.removeprefix(DELETED_PREFIX)
+
+
+class SecretPath(BaseModel):
+    project: str
+    name: str
+    env: str | None = None
+
+    @classmethod
+    def parse(cls, path: str) -> "SecretPath":
+        """Parse a path like 'project/env/name' or 'project/name'."""
+        parts = path.split("/")
+
+        if any(not part for part in parts):
+            raise ValueError(
+                f"Invalid path format: {path}. Path segments cannot be empty."
+            )
+
+        if len(parts) == 3:
+            return cls(project=parts[0], env=parts[1], name=parts[2])
+        elif len(parts) == 2:
+            return cls(project=parts[0], name=parts[1])
+        else:
+            raise ValueError(
+                f"Invalid path format: {path}. Expected PROJECT/[ENV/]NAME"
+            )
+
+    def to_key(self) -> str:
+        """Convert to Bitwarden secret key format."""
+        if self.env:
+            return f"{self.project}/{self.env}/{self.name}"
+        return f"{self.project}/{self.name}"
+
+    def __str__(self) -> str:
+        return self.to_key()

vaultuner-0.1.6.dist-info/METADATA

@@ -0,0 +1,146 @@
+Metadata-Version: 2.3
+Name: vaultuner
+Version: 0.1.6
+Summary: Bitwarden Secrets Manager CLI with PROJECT/[ENV/]SECRET naming
+Keywords: bitwarden,secrets,cli,secrets-manager,devops
+Author: David Poblador
+License: MIT
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: MacOS
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Utilities
+Requires-Dist: bitwarden-sdk>=1.0.0
+Requires-Dist: keyring>=25.7.0
+Requires-Dist: pydantic>=2.12.5
+Requires-Dist: pydantic-settings>=2.12.0
+Requires-Dist: rich>=14.3.2
+Requires-Dist: typer>=0.21.1
+Requires-Python: >=3.11, <3.13
+Description-Content-Type: text/markdown
+
+# vaultuner
+
+[![PyPI version](https://img.shields.io/pypi/v/vaultuner)](https://pypi.org/project/vaultuner/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.11-3.12](https://img.shields.io/badge/python-3.11--3.12-blue.svg)](https://www.python.org/downloads/)
+
+**Human-readable secrets for Bitwarden Secrets Manager.**
+
+Vaultuner replaces cryptic UUIDs with intuitive paths like `myapp/prod/db-password`. Your secrets, organized the way you actually think about them.
+
+## The Problem
+
+```bash
+# Bitwarden's default CLI
+bws secret get 550e8400-e29b-41d4-a716-446655440000
+```
+
+You shouldn't need to memorize UUIDs or dig through dashboards to find secrets.
+
+## The Solution
+
+```bash
+# With vaultuner
+vaultuner get myapp/prod/db-password
+```
+
+Secrets organized by project and environment. Instantly memorable. Zero cognitive overhead.
+
+## Features
+
+- **Path-based naming** - `project/env/secret` instead of UUIDs
+- **Environment isolation** - Keep dev, staging, and prod secrets separate
+- **`.env` sync** - Export to and import from `.env` files seamlessly
+- **Soft delete** - Recover accidentally deleted secrets
+- **Keychain storage** - Credentials secured in macOS Keychain
+
+## Quick Start
+
+### Install
+
+```bash
+uv tool install vaultuner
+```
+
+Or run without installing:
+
+```bash
+uvx vaultuner list
+```
+
+### Configure
+
+```bash
+vaultuner config set access-token <your-token>
+vaultuner config set organization-id <your-org-id>
+```
+
+Get credentials from [Bitwarden Secrets Manager](https://vault.bitwarden.com/).
+
+### Use
+
+```bash
+# Create secrets
+vaultuner set myapp/api-key "sk-abc123"
+vaultuner set myapp/prod/db-password "hunter2"
+
+# Retrieve
+vaultuner get myapp/prod/db-password -v
+
+# List everything
+vaultuner list
+
+# Export for local dev
+vaultuner export -p myapp -e dev -o .env
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `list` | List secrets with project/env filtering |
+| `get` | Retrieve a secret value |
+| `set` | Create or update a secret |
+| `delete` | Soft-delete (recoverable) |
+| `restore` | Recover a deleted secret |
+| `export` | Export to `.env` file |
+| `import` | Import from `.env` file |
+| `projects` | List all projects |
+| `config` | Manage stored credentials |
+
+## Naming Convention
+
+```
+PROJECT/SECRET           # Project-level secret
+PROJECT/ENV/SECRET       # Environment-specific secret
+```
+
+Examples:
+```
+myapp/api-key            # Shared across environments
+myapp/prod/db-password   # Production only
+myapp/dev/db-password    # Development only
+```
+
+## Requirements
+
+- Python 3.11 or 3.12 (bitwarden-sdk limitation)
+- macOS (Keychain integration)
+- Bitwarden Secrets Manager account
+
+## Documentation
+
+Full docs at [alltuner.github.io/vaultuner](https://alltuner.github.io/vaultuner)
+
+## License
+
+MIT
+
+---
+
+Built at [All Tuner Labs](https://alltuner.com) by [David Poblador i Garcia](https://davidpoblador.com)

vaultuner-0.1.6.dist-info/RECORD

@@ -0,0 +1,11 @@
+vaultuner/__init__.py,sha256=-3HqB8FyWviChoTlnXIdqc7xneT_vQa2G0P8L7ffpcE,129
+vaultuner/cli.py,sha256=yXvuovmVcZjAB2DsESN7MGwsveL9wzfaGTp7QLkGtek,13772
+vaultuner/client.py,sha256=kJ4JI01MWOfKcmhBf3EqfRA8opMvL3bdIaWy-5Tp35A,2091
+vaultuner/config.py,sha256=12aSjzPuwTG_3CHe8dwj56RkrKRg1_OZS8SWNfGjOq0,3030
+vaultuner/export.py,sha256=U0zhXfdohC__PHLT8hKs0S2M8Ql_7p_ug2sJV-YwtQc,3143
+vaultuner/import_env.py,sha256=XYnm-Tyo9h9a62K6LGibMMSYFNJBHSK3gzOmMqh8kOk,1353
+vaultuner/models.py,sha256=X1oFKZ2171jJdsteIwiL7ZL-gkn_cW4Qxckz8C5vI8g,1595
+vaultuner-0.1.6.dist-info/WHEEL,sha256=5DEXXimM34_d4Gx1AuF9ysMr1_maoEtGKjaILM3s4w4,80
+vaultuner-0.1.6.dist-info/entry_points.txt,sha256=n6WLg_ojVObz5N6rB-w6SVS-4jsKkDBpJAu3IqNJx_Q,49
+vaultuner-0.1.6.dist-info/METADATA,sha256=S3v-ptBya2YbVlzWuuWgBj51x90VjZ5L2yQXSFO67so,3801
+vaultuner-0.1.6.dist-info/RECORD,,

vaultuner-0.1.6.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: uv 0.9.29
+Root-Is-Purelib: true
+Tag: py3-none-any

vaultuner-0.1.6.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+vaultuner = vaultuner.cli:app
+