Source code for constellation_utils.secrets.models

"""Frozen Pydantic models for resolved credential values.

The shape of ``R2Secrets`` deliberately matches the credential subset of
``data-engine/uploader/r2_client.py:R2Settings`` (endpoint, access_key_id,
secret_access_key, bucket, region) so the uploader's ``settings_from_config``
can build its full ``R2Settings`` by spreading these into the constructor.

Non-credential transport/retry fields (multipart_threshold_bytes, etc.)
intentionally do NOT live here — they belong in the uploader's YAML
config since they're not secrets.
"""

from __future__ import annotations

from pydantic import BaseModel, ConfigDict, Field


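class R2Secrets(BaseModel):
    """Cloudflare R2 credentials for one bucket.

    Instances are immutable (``frozen=True``) and reject unknown keys
    (``extra="forbid"``), so a misspelled credential field fails at
    construction instead of being silently ignored.

    ``secret_access_key`` is excluded from ``repr()``/``str()`` so the
    value does not end up in log lines or tracebacks that print the model.
    It remains a plain ``str`` and is still present in ``model_dump()``
    output; treat any dump of this model as secret material.
    """

    model_config = ConfigDict(frozen=True, extra="forbid")

    endpoint: str = Field(..., description="R2 S3 endpoint URL.")
    access_key_id: str = Field(..., description="R2 access key ID.")
    # repr=False keeps the secret out of repr()/str(). The field type stays
    # ``str`` so callers that spread these fields into another constructor
    # are unaffected.
    secret_access_key: str = Field(
        ...,
        repr=False,
        description="R2 secret access key.",
    )
    bucket: str = Field(..., description="R2 bucket name.")
    region: str = Field(default="auto", description="R2 region (always 'auto').")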
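class CloudflareSecrets(BaseModel):
    """Cloudflare account API credentials.

    Used by tooling that talks to the Cloudflare API directly (Pages
    deploys, DNS automation, Workers). Distinct from ``R2Secrets``, which
    is bucket-scoped S3-compatible auth.

    Instances are immutable (``frozen=True``) and reject unknown keys
    (``extra="forbid"``). ``api_token`` is excluded from ``repr()``/``str()``
    so the token does not end up in log lines or tracebacks that print the
    model. It remains a plain ``str`` and is still present in
    ``model_dump()`` output; treat any dump of this model as secret material.
    """

    model_config = ConfigDict(frozen=True, extra="forbid")

    # repr=False keeps the token out of repr()/str() without changing the
    # field type that callers read.
    api_token: str = Field(
        ...,
        repr=False,
        description="Cloudflare API token (account-scoped).",
    )
    account_id: str = Field(..., description="Cloudflare account ID.")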